isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/0032-Force-fips.patch

6ed7c9
diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/provider_conf.c
6ed7c9
--- openssl-3.0.0/crypto/provider_conf.c.fips-force	2021-11-12 14:21:01.878339467 +0100
6ed7c9
+++ openssl-3.0.0/crypto/provider_conf.c	2021-11-12 16:13:19.301542866 +0100
6ed7c9
@@ -136,13 +136,73 @@ static int prov_already_activated(const
6ed7c9
     return 0;
6ed7c9
 }
6ed7c9
 
6ed7c9
+static int provider_conf_activate(OSSL_LIB_CTX *libctx, PROVIDER_CONF_GLOBAL *pcgbl,
6ed7c9
+                                  const char *name, const char *value, const char *path,
6ed7c9
+                                  int soft, const CONF *cnf)
6ed7c9
+{
6ed7c9
+    int ok = 0;
6ed7c9
+    OSSL_PROVIDER *prov = NULL, *actual = NULL;
6ed7c9
+
6ed7c9
+    if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) {
6ed7c9
+        ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
6ed7c9
+        return 0;
6ed7c9
+    }
6ed7c9
+    if (!prov_already_activated(name, pcgbl->activated_providers)) {
6ed7c9
+        /*
6ed7c9
+        * There is an attempt to activate a provider, so we should disable
6ed7c9
+        * loading of fallbacks. Otherwise a misconfiguration could mean the
6ed7c9
+        * intended provider does not get loaded. Subsequent fetches could
6ed7c9
+        * then fallback to the default provider - which may be the wrong
6ed7c9
+        * thing.
6ed7c9
+        */
6ed7c9
+        if (!ossl_provider_disable_fallback_loading(libctx)) {
6ed7c9
+            CRYPTO_THREAD_unlock(pcgbl->lock);
6ed7c9
+            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
6ed7c9
+            return 0;
6ed7c9
+        }
6ed7c9
+        prov = ossl_provider_find(libctx, name, 1);
6ed7c9
+        if (prov == NULL)
6ed7c9
+            prov = ossl_provider_new(libctx, name, NULL, 1);
6ed7c9
+        if (prov == NULL) {
6ed7c9
+            CRYPTO_THREAD_unlock(pcgbl->lock);
6ed7c9
+            if (soft)
6ed7c9
+                ERR_clear_error();
6ed7c9
+            return 0;
6ed7c9
+        }
6ed7c9
+
6ed7c9
+        if (path != NULL)
6ed7c9
+            ossl_provider_set_module_path(prov, path);
6ed7c9
+
6ed7c9
+        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
6ed7c9
+
6ed7c9
+        if (ok) {
6ed7c9
+            if (!ossl_provider_activate(prov, 1, 0)) {
6ed7c9
+                ok = 0;
6ed7c9
+            } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
6ed7c9
+                ossl_provider_deactivate(prov);
6ed7c9
+                ok = 0;
6ed7c9
+            } else {
6ed7c9
+                if (pcgbl->activated_providers == NULL)
6ed7c9
+                    pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
6ed7c9
+                sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual);
6ed7c9
+                ok = 1;
6ed7c9
+            }
6ed7c9
+        }
6ed7c9
+        if (!ok)
6ed7c9
+            ossl_provider_free(prov);
6ed7c9
+    }
6ed7c9
+    CRYPTO_THREAD_unlock(pcgbl->lock);
6ed7c9
+    return ok;
6ed7c9
+}
6ed7c9
+
6ed7c9
+
6ed7c9
+
6ed7c9
 static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
6ed7c9
                               const char *value, const CONF *cnf)
6ed7c9
 {
6ed7c9
     int i;
6ed7c9
     STACK_OF(CONF_VALUE) *ecmds;
6ed7c9
     int soft = 0;
6ed7c9
-    OSSL_PROVIDER *prov = NULL, *actual = NULL;
6ed7c9
     const char *path = NULL;
6ed7c9
     long activate = 0;
6ed7c9
     int ok = 0;
6ed7c9
@@ -185,55 +245,7 @@ static int provider_conf_load(OSSL_LIB_C
6ed7c9
     }
6ed7c9
 
6ed7c9
     if (activate) {
6ed7c9
-        if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) {
6ed7c9
-            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
6ed7c9
-            return 0;
6ed7c9
-        }
6ed7c9
-        if (!prov_already_activated(name, pcgbl->activated_providers)) {
6ed7c9
-            /*
6ed7c9
-            * There is an attempt to activate a provider, so we should disable
6ed7c9
-            * loading of fallbacks. Otherwise a misconfiguration could mean the
6ed7c9
-            * intended provider does not get loaded. Subsequent fetches could
6ed7c9
-            * then fallback to the default provider - which may be the wrong
6ed7c9
-            * thing.
6ed7c9
-            */
6ed7c9
-            if (!ossl_provider_disable_fallback_loading(libctx)) {
6ed7c9
-                CRYPTO_THREAD_unlock(pcgbl->lock);
6ed7c9
-                ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
6ed7c9
-                return 0;
6ed7c9
-            }
6ed7c9
-            prov = ossl_provider_find(libctx, name, 1);
6ed7c9
-            if (prov == NULL)
6ed7c9
-                prov = ossl_provider_new(libctx, name, NULL, 1);
6ed7c9
-            if (prov == NULL) {
6ed7c9
-                CRYPTO_THREAD_unlock(pcgbl->lock);
6ed7c9
-                if (soft)
6ed7c9
-                    ERR_clear_error();
6ed7c9
-                return 0;
6ed7c9
-            }
6ed7c9
-
6ed7c9
-            if (path != NULL)
6ed7c9
-                ossl_provider_set_module_path(prov, path);
6ed7c9
-
6ed7c9
-            ok = provider_conf_params(prov, NULL, NULL, value, cnf);
6ed7c9
-
6ed7c9
-            if (ok) {
6ed7c9
-                if (!ossl_provider_activate(prov, 1, 0)) {
6ed7c9
-                    ok = 0;
6ed7c9
-                } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
6ed7c9
-                    ossl_provider_deactivate(prov);
6ed7c9
-                    ok = 0;
6ed7c9
-                } else {
6ed7c9
-                    if (pcgbl->activated_providers == NULL)
6ed7c9
-                        pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
6ed7c9
-                    sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual);
6ed7c9
-                    ok = 1;
6ed7c9
-                }
6ed7c9
-            }
6ed7c9
-            if (!ok)
6ed7c9
-                ossl_provider_free(prov);
6ed7c9
-        }
6ed7c9
-        CRYPTO_THREAD_unlock(pcgbl->lock);
6ed7c9
+        ok = provider_conf_activate(libctx, pcgbl, name, value, path, soft, cnf);
6ed7c9
     } else {
6ed7c9
         OSSL_PROVIDER_INFO entry;
6ed7c9
 
6ed7c9
@@ -294,6 +306,19 @@ static int provider_conf_init(CONF_IMODU
6ed7c9
             return 0;
6ed7c9
     }
6ed7c9
 
6ed7c9
+    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
6ed7c9
+        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
6ed7c9
+        PROVIDER_CONF_GLOBAL *pcgbl
6ed7c9
+            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
6ed7c9
+                                    &provider_conf_ossl_ctx_method);
6ed7c9
+        if (provider_conf_activate(libctx, pcgbl, "fips", NULL, NULL, 0, NULL) != 1)
6ed7c9
+            return 0;
6ed7c9
+        if (provider_conf_activate(libctx, pcgbl, "base", NULL, NULL, 0, NULL) != 1)
6ed7c9
+            return 0;
6ed7c9
+        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
6ed7c9
+            return 0;
6ed7c9
+    }
6ed7c9
+
6ed7c9
     return 1;
6ed7c9
 }
6ed7c9