/[smecontribs]/rpms/openssl3/contribs10/0032-Force-fips.patch

Annotation of /rpms/openssl3/contribs10/0032-Force-fips.patch



Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:36 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 #Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
2     #(partial) of the 'if (activate)' section of the function provider_conf_load().
3     #If there is any change to this section, after deleting it in provider_conf_load()
4     #ensure that you also add those changes to the provider_conf_activate() function.
5     #additionally please add this check for cnf explicitly as shown below.
6     #'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
7     diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
8     --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
9     +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
10     @@ -136,58 +136,18 @@ static int prov_already_activated(const
11     return 0;
12     }
13    
14     -static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
15     - const char *value, const CONF *cnf)
16     +static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
17     + const char *value, const char *path,
18     + int soft, const CONF *cnf)
19     {
20     - int i;
21     - STACK_OF(CONF_VALUE) *ecmds;
22     - int soft = 0;
23     - OSSL_PROVIDER *prov = NULL, *actual = NULL;
24     - const char *path = NULL;
25     - long activate = 0;
26     int ok = 0;
27     -
28     - name = skip_dot(name);
29     - OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
30     - /* Value is a section containing PROVIDER commands */
31     - ecmds = NCONF_get_section(cnf, value);
32     -
33     - if (!ecmds) {
34     - ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
35     - "section=%s not found", value);
36     - return 0;
37     - }
38     -
39     - /* Find the needed data first */
40     - for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
41     - CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
42     - const char *confname = skip_dot(ecmd->name);
43     - const char *confvalue = ecmd->value;
44     -
45     - OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
46     - confname, confvalue);
47     -
48     - /* First handle some special pseudo confs */
49     -
50     - /* Override provider name to use */
51     - if (strcmp(confname, "identity") == 0)
52     - name = confvalue;
53     - else if (strcmp(confname, "soft_load") == 0)
54     - soft = 1;
55     - /* Load a dynamic PROVIDER */
56     - else if (strcmp(confname, "module") == 0)
57     - path = confvalue;
58     - else if (strcmp(confname, "activate") == 0)
59     - activate = 1;
60     - }
61     -
62     - if (activate) {
63     - PROVIDER_CONF_GLOBAL *pcgbl
64     - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
65     - &provider_conf_ossl_ctx_method);
66     + OSSL_PROVIDER *prov = NULL, *actual = NULL;
67     + PROVIDER_CONF_GLOBAL *pcgbl
68     + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
69     + &provider_conf_ossl_ctx_method);
70    
71     if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
72     - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
73     + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
74     return 0;
75     }
76     if (!prov_already_activated(name, pcgbl->activated_providers)) {
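Review bot: The new provider_conf_activate() introduced at the top of this hunk has no header comment, and its contract that `cnf` (and with it `value`) may be NULL — the forced-activation case, where no parameter section is applied — is only discoverable from the `ok = cnf ? ... : 1` line in a later hunk. A comment above the signature along the lines of `/* Activate provider NAME, loading it from PATH when non-NULL. VALUE/CNF name the config section holding its parameters, or are both NULL for a forced activation with no parameters. Returns 1 on success or if NAME is already activated in LIBCTX. */` would make the NULL-cnf path explicit to the next maintainer; the preamble already asks for this function to be kept in sync with provider_conf_load(), so the comment is the natural place to say so. The function body continues past the end of this hunk, so the use of `soft` is not visible here.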
77     @@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
78     if (path != NULL)
79     ossl_provider_set_module_path(prov, path);
80    
81     - ok = provider_conf_params(prov, NULL, NULL, value, cnf);
82     + ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
83    
84     if (ok) {
85     if (!ossl_provider_activate(prov, 1, 0)) {
86     @@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
87     }
88     if (!ok)
89     ossl_provider_free(prov);
90     + } else { /* No reason to activate the provider twice, returning OK */
91     + ok = 1;
92     }
93     CRYPTO_THREAD_unlock(pcgbl->lock);
94     + return ok;
95     +}
96     +
97     +static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
98     + const char *value, const CONF *cnf)
99     +{
100     + int i;
101     + STACK_OF(CONF_VALUE) *ecmds;
102     + int soft = 0;
103     + const char *path = NULL;
104     + long activate = 0;
105     + int ok = 0;
106     +
107     + name = skip_dot(name);
108     + OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
109     + /* Value is a section containing PROVIDER commands */
110     + ecmds = NCONF_get_section(cnf, value);
111     +
112     + if (!ecmds) {
113     + ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
114     + "section=%s not found", value);
115     + return 0;
116     + }
117     +
118     + /* Find the needed data first */
119     + for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
120     + CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
121     + const char *confname = skip_dot(ecmd->name);
122     + const char *confvalue = ecmd->value;
123     +
124     + OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
125     + confname, confvalue);
126     +
127     + /* First handle some special pseudo confs */
128     +
129     + /* Override provider name to use */
130     + if (strcmp(confname, "identity") == 0)
131     + name = confvalue;
132     + else if (strcmp(confname, "soft_load") == 0)
133     + soft = 1;
134     + /* Load a dynamic PROVIDER */
135     + else if (strcmp(confname, "module") == 0)
136     + path = confvalue;
137     + else if (strcmp(confname, "activate") == 0)
138     + activate = 1;
139     + }
140     +
141     + if (activate) {
142     + ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
143     } else {
144     OSSL_PROVIDER_INFO entry;
145    
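Review bot: The added `else` branch returns 1 silently when prov_already_activated() is true, so any `module` path or parameter section the config supplied for that provider is dropped without a trace, which makes a mismatch between the config and the instance already loaded (for example by the forced kernel-FIPS activation) hard to diagnose. A trace line inside the branch, `OSSL_TRACE1(CONF, "Provider %s already activated, skipping\n", name);`, matches the tracing style used elsewhere in this file and costs nothing in release builds. That branch belongs to provider_conf_activate(), whose start is outside this hunk, and the moved provider_conf_load() continues past the end of it.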
146     @@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU
147     return 0;
148     }
149    
150     + if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
151     + OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
152     + PROVIDER_CONF_GLOBAL *pcgbl
153     + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
154     + &provider_conf_ossl_ctx_method);
155     + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
156     + return 0;
157     + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
158     + return 0;
159     + if (EVP_default_properties_enable_fips(libctx, 1) != 1)
160     + return 0;
161     + }
162     +
163     return 1;
164     }
165    
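Review bot: In the added block `pcgbl` is fetched with ossl_lib_ctx_get_data() but never read, so the three lines declaring and initialising it are dead code that will draw -Wunused-variable; drop them and keep only the `libctx` lookup. The `(CONF *)cnf` cast discards the parameter's const qualifier; if NCONF_get0_libctx() accepts `const CONF *` in this tree it should be called without the cast, otherwise the cast deserves a comment explaining why it is needed. The `/* XXX from provider_conf_load */` marker says nothing about intent; something like `/* Kernel is in FIPS mode: force the fips and base providers and restrict default EVP fetches to FIPS implementations; any failure makes config loading fail closed */` would record why each of the three calls returns 0 on error. Note that this code runs inside provider_conf_init(), so if that callback is only invoked when the configuration references the providers module, as appears likely, a config file without such a reference would presumably bypass the forced activation; that is worth confirming and documenting next to the check.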
