/[smecontribs]/rpms/openssl3/contribs10/0032-Force-fips.patch
ViewVC logotype

Contents of /rpms/openssl3/contribs10/0032-Force-fips.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:36 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 #Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
2 #(partial) of the function provider_conf_load() under the 'if (activate) section.
3 #If there is any change to this section, after deleting it in provider_conf_load()
4 #ensure that you also add those changes to the provider_conf_activate() function.
5 #additionally please add this check for cnf explicitly as shown below.
6 #'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
7 diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
8 --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
9 +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
10 @@ -136,58 +136,18 @@ static int prov_already_activated(const
11 return 0;
12 }
13
14 -static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
15 - const char *value, const CONF *cnf)
16 +static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
17 + const char *value, const char *path,
18 + int soft, const CONF *cnf)
19 {
20 - int i;
21 - STACK_OF(CONF_VALUE) *ecmds;
22 - int soft = 0;
23 - OSSL_PROVIDER *prov = NULL, *actual = NULL;
24 - const char *path = NULL;
25 - long activate = 0;
26 int ok = 0;
27 -
28 - name = skip_dot(name);
29 - OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
30 - /* Value is a section containing PROVIDER commands */
31 - ecmds = NCONF_get_section(cnf, value);
32 -
33 - if (!ecmds) {
34 - ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
35 - "section=%s not found", value);
36 - return 0;
37 - }
38 -
39 - /* Find the needed data first */
40 - for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
41 - CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
42 - const char *confname = skip_dot(ecmd->name);
43 - const char *confvalue = ecmd->value;
44 -
45 - OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
46 - confname, confvalue);
47 -
48 - /* First handle some special pseudo confs */
49 -
50 - /* Override provider name to use */
51 - if (strcmp(confname, "identity") == 0)
52 - name = confvalue;
53 - else if (strcmp(confname, "soft_load") == 0)
54 - soft = 1;
55 - /* Load a dynamic PROVIDER */
56 - else if (strcmp(confname, "module") == 0)
57 - path = confvalue;
58 - else if (strcmp(confname, "activate") == 0)
59 - activate = 1;
60 - }
61 -
62 - if (activate) {
63 - PROVIDER_CONF_GLOBAL *pcgbl
64 - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
65 - &provider_conf_ossl_ctx_method);
66 + OSSL_PROVIDER *prov = NULL, *actual = NULL;
67 + PROVIDER_CONF_GLOBAL *pcgbl
68 + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
69 + &provider_conf_ossl_ctx_method);
70
71 if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
72 - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
73 + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
74 return 0;
75 }
76 if (!prov_already_activated(name, pcgbl->activated_providers)) {
77 @@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
78 if (path != NULL)
79 ossl_provider_set_module_path(prov, path);
80
81 - ok = provider_conf_params(prov, NULL, NULL, value, cnf);
82 + ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
83
84 if (ok) {
85 if (!ossl_provider_activate(prov, 1, 0)) {
86 @@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
87 }
88 if (!ok)
89 ossl_provider_free(prov);
90 + } else { /* No reason to activate the provider twice, returning OK */
91 + ok = 1;
92 }
93 CRYPTO_THREAD_unlock(pcgbl->lock);
94 + return ok;
95 +}
96 +
97 +static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
98 + const char *value, const CONF *cnf)
99 +{
100 + int i;
101 + STACK_OF(CONF_VALUE) *ecmds;
102 + int soft = 0;
103 + const char *path = NULL;
104 + long activate = 0;
105 + int ok = 0;
106 +
107 + name = skip_dot(name);
108 + OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
109 + /* Value is a section containing PROVIDER commands */
110 + ecmds = NCONF_get_section(cnf, value);
111 +
112 + if (!ecmds) {
113 + ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
114 + "section=%s not found", value);
115 + return 0;
116 + }
117 +
118 + /* Find the needed data first */
119 + for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
120 + CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
121 + const char *confname = skip_dot(ecmd->name);
122 + const char *confvalue = ecmd->value;
123 +
124 + OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
125 + confname, confvalue);
126 +
127 + /* First handle some special pseudo confs */
128 +
129 + /* Override provider name to use */
130 + if (strcmp(confname, "identity") == 0)
131 + name = confvalue;
132 + else if (strcmp(confname, "soft_load") == 0)
133 + soft = 1;
134 + /* Load a dynamic PROVIDER */
135 + else if (strcmp(confname, "module") == 0)
136 + path = confvalue;
137 + else if (strcmp(confname, "activate") == 0)
138 + activate = 1;
139 + }
140 +
141 + if (activate) {
142 + ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
143 } else {
144 OSSL_PROVIDER_INFO entry;
145
146 @@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU
147 return 0;
148 }
149
150 + if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
151 + OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
152 + PROVIDER_CONF_GLOBAL *pcgbl
153 + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
154 + &provider_conf_ossl_ctx_method);
155 + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
156 + return 0;
157 + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
158 + return 0;
159 + if (EVP_default_properties_enable_fips(libctx, 1) != 1)
160 + return 0;
161 + }
162 +
163 return 1;
164 }
165

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed