a1fb60
diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
a1fb60
--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor	2015-04-21 17:42:18.702765856 +0200
a1fb60
+++ openssl-1.0.2a/crypto/fips/fips.c	2015-04-21 17:42:18.742766794 +0200
a1fb60
@@ -60,6 +60,8 @@
a1fb60
 #include <dlfcn.h>
a1fb60
 #include <stdio.h>
a1fb60
 #include <stdlib.h>
a1fb60
+#include <unistd.h>
a1fb60
+#include <errno.h>
a1fb60
 #include "fips_locl.h"
a1fb60
 
a1fb60
 #ifdef OPENSSL_FIPS
a1fb60
@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
a1fb60
 }
a1fb60
 
a1fb60
 # define HMAC_PREFIX "."
a1fb60
-# define HMAC_SUFFIX ".hmac"
a1fb60
+# ifndef HMAC_SUFFIX
a1fb60
+#  define HMAC_SUFFIX ".hmac"
a1fb60
+# endif
a1fb60
 # define READ_BUFFER_LENGTH 16384
a1fb60
 
a1fb60
 static char *make_hmac_path(const char *origpath)
a1fb60
@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
a1fb60
     return rv;
a1fb60
 }
a1fb60
 
a1fb60
-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
a1fb60
+static int FIPSCHECK_verify(const char *path)
a1fb60
 {
a1fb60
-    char path[PATH_MAX + 1];
a1fb60
-    int rv;
a1fb60
+    int rv = 0;
a1fb60
     FILE *hf;
a1fb60
     char *hmacpath, *p;
a1fb60
     char *hmac = NULL;
a1fb60
     size_t n;
a1fb60
 
a1fb60
-    rv = get_library_path(libname, symbolname, path, sizeof(path));
a1fb60
-
a1fb60
-    if (rv < 0)
a1fb60
-        return 0;
a1fb60
-
a1fb60
     hmacpath = make_hmac_path(path);
a1fb60
     if (hmacpath == NULL)
a1fb60
         return 0;
a1fb60
@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
a1fb60
     return 1;
a1fb60
 }
a1fb60
 
a1fb60
+static int verify_checksums(void)
a1fb60
+{
a1fb60
+    int rv;
a1fb60
+    char path[PATH_MAX + 1];
a1fb60
+    char *p;
a1fb60
+
a1fb60
+    /* we need to avoid dlopening libssl, assume both libcrypto and libssl
a1fb60
+       are in the same directory */
a1fb60
+
a1fb60
+    rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
a1fb60
+                          "FIPS_mode_set", path, sizeof(path));
a1fb60
+    if (rv < 0)
a1fb60
+        return 0;
a1fb60
+
a1fb60
+    rv = FIPSCHECK_verify(path);
a1fb60
+    if (!rv)
a1fb60
+        return 0;
a1fb60
+
a1fb60
+    /* replace libcrypto with libssl */
a1fb60
+    while ((p = strstr(path, "libcrypto.so")) != NULL) {
a1fb60
+        p = stpcpy(p, "libssl");
a1fb60
+        memmove(p, p + 3, strlen(p + 2));
a1fb60
+    }
a1fb60
+
a1fb60
+    rv = FIPSCHECK_verify(path);
a1fb60
+    if (!rv)
a1fb60
+        return 0;
a1fb60
+    return 1;
a1fb60
+}
a1fb60
+
a1fb60
+# ifndef FIPS_MODULE_PATH
a1fb60
+#  define FIPS_MODULE_PATH "/etc/system-fips"
a1fb60
+# endif
a1fb60
+
a1fb60
+int FIPS_module_installed(void)
a1fb60
+{
a1fb60
+    int rv;
a1fb60
+    rv = access(FIPS_MODULE_PATH, F_OK);
a1fb60
+    if (rv < 0 && errno != ENOENT)
a1fb60
+        rv = 0;
a1fb60
+
a1fb60
+    /* Installed == true */
a1fb60
+    return !rv;
a1fb60
+}
a1fb60
+
a1fb60
 int FIPS_module_mode_set(int onoff, const char *auth)
a1fb60
 {
a1fb60
     int ret = 0;
a1fb60
@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
a1fb60
         }
a1fb60
 # endif
a1fb60
 
a1fb60
-        if (!FIPSCHECK_verify
a1fb60
-            ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
a1fb60
-            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
a1fb60
-                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
a1fb60
-            fips_selftest_fail = 1;
a1fb60
-            ret = 0;
a1fb60
-            goto end;
a1fb60
-        }
a1fb60
-
a1fb60
-        if (!FIPSCHECK_verify
a1fb60
-            ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
a1fb60
+        if (!verify_checksums()) {
a1fb60
             FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
a1fb60
                     FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
a1fb60
             fips_selftest_fail = 1;
a1fb60
diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
a1fb60
--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor	2015-04-21 17:42:18.739766724 +0200
a1fb60
+++ openssl-1.0.2a/crypto/fips/fips.h	2015-04-21 17:42:18.743766818 +0200
a1fb60
@@ -74,6 +74,7 @@ extern "C" {
a1fb60
 
a1fb60
     int FIPS_module_mode_set(int onoff, const char *auth);
a1fb60
     int FIPS_module_mode(void);
a1fb60
+    int FIPS_module_installed(void);
a1fb60
     const void *FIPS_rand_check(void);
a1fb60
     int FIPS_selftest(void);
a1fb60
     int FIPS_selftest_failed(void);
a1fb60
diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
a1fb60
--- openssl-1.0.2a/crypto/o_init.c.fips-ctor	2015-04-21 17:42:18.732766559 +0200
a1fb60
+++ openssl-1.0.2a/crypto/o_init.c	2015-04-21 17:45:02.662613173 +0200
a1fb60
@@ -74,6 +74,9 @@ static void init_fips_mode(void)
a1fb60
     char buf[2] = "0";
a1fb60
     int fd;
a1fb60
 
a1fb60
+    /* Ensure the selftests always run */
a1fb60
+    FIPS_mode_set(1);
a1fb60
+
a1fb60
     if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
a1fb60
         buf[0] = '1';
a1fb60
     } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
a1fb60
@@ -85,8 +88,12 @@ static void init_fips_mode(void)
a1fb60
      * otherwise..
a1fb60
      */
a1fb60
 
a1fb60
-    if (buf[0] == '1') {
a1fb60
-        FIPS_mode_set(1);
a1fb60
+    if (buf[0] != '1') {
a1fb60
+        /* drop down to non-FIPS mode if it is not requested */
a1fb60
+        FIPS_mode_set(0);
a1fb60
+    } else {
a1fb60
+        /* abort if selftest failed */
a1fb60
+        FIPS_selftest_check();
a1fb60
     }
a1fb60
 }
a1fb60
 #endif
a1fb60
@@ -96,13 +103,16 @@ static void init_fips_mode(void)
a1fb60
  * sets FIPS callbacks
a1fb60
  */
a1fb60
 
a1fb60
-void OPENSSL_init_library(void)
a1fb60
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
a1fb60
 {
a1fb60
     static int done = 0;
a1fb60
     if (done)
a1fb60
         return;
a1fb60
     done = 1;
a1fb60
 #ifdef OPENSSL_FIPS
a1fb60
+    if (!FIPS_module_installed()) {
a1fb60
+        return;
a1fb60
+    }
a1fb60
     RAND_init_fips();
a1fb60
     init_fips_mode();
a1fb60
     if (!FIPS_mode()) {