openssl3/contribs10/0032-Force-fips.patch

#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
#(partial) of the function provider_conf_load() under the 'if (activate) section.
#If there is any change to this section, after deleting it in provider_conf_load()
#ensure that you also add those changes to the provider_conf_activate() function.
#additionally please add this check for cnf explicitly as shown below.
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
--- openssl-3.0.1/crypto/provider_conf.c.fipsact        2022-05-12 12:44:31.199034948 +0200
+++ openssl-3.0.1/crypto/provider_conf.c        2022-05-12 12:49:17.468318373 +0200
@@ -136,58 +136,18 @@ static int prov_already_activated(const
     return 0;
 }
 
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
-                              const char *value, const CONF *cnf)
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
+                                  const char *value, const char *path,
+                                  int soft, const CONF *cnf)
 {
-    int i;
-    STACK_OF(CONF_VALUE) *ecmds;
-    int soft = 0;
-    OSSL_PROVIDER *prov = NULL, *actual = NULL;
-    const char *path = NULL;
-    long activate = 0;
     int ok = 0;
-
-    name = skip_dot(name);
-    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
-    /* Value is a section containing PROVIDER commands */
-    ecmds = NCONF_get_section(cnf, value);
-
-    if (!ecmds) {
-        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
-                       "section=%s not found", value);
-        return 0;
-    }
-
-    /* Find the needed data first */
-    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
-        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
-        const char *confname = skip_dot(ecmd->name);
-        const char *confvalue = ecmd->value;
-
-        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
-                    confname, confvalue);
-
-        /* First handle some special pseudo confs */
-
-        /* Override provider name to use */
-        if (strcmp(confname, "identity") == 0)
-            name = confvalue;
-        else if (strcmp(confname, "soft_load") == 0)
-            soft = 1;
-        /* Load a dynamic PROVIDER */
-        else if (strcmp(confname, "module") == 0)
-            path = confvalue;
-        else if (strcmp(confname, "activate") == 0)
-            activate = 1;
-    }
-
-    if (activate) {
-        PROVIDER_CONF_GLOBAL *pcgbl
-            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
-                                    &provider_conf_ossl_ctx_method);
+    OSSL_PROVIDER *prov = NULL, *actual = NULL;
+    PROVIDER_CONF_GLOBAL *pcgbl
+        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
+                                &provider_conf_ossl_ctx_method);
 
         if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
-            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+           ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
             return 0;
         }
         if (!prov_already_activated(name, pcgbl->activated_providers)) {
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
             if (path != NULL)
                 ossl_provider_set_module_path(prov, path);
 
-            ok = provider_conf_params(prov, NULL, NULL, value, cnf);
+            ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
 
             if (ok) {
                 if (!ossl_provider_activate(prov, 1, 0)) {
@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
             }
             if (!ok)
                 ossl_provider_free(prov);
+        } else { /* No reason to activate the provider twice, returning OK */
+            ok = 1;
         }
         CRYPTO_THREAD_unlock(pcgbl->lock);
+    return ok;
+}
+
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
+                              const char *value, const CONF *cnf)
+{
+    int i;
+    STACK_OF(CONF_VALUE) *ecmds;
+    int soft = 0;
+    const char *path = NULL;
+    long activate = 0;
+    int ok = 0;
+
+    name = skip_dot(name);
+    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
+    /* Value is a section containing PROVIDER commands */
+    ecmds = NCONF_get_section(cnf, value);
+
+    if (!ecmds) {
+        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
+                       "section=%s not found", value);
+        return 0;
+    }
+
+    /* Find the needed data first */
+    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
+        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
+        const char *confname = skip_dot(ecmd->name);
+        const char *confvalue = ecmd->value;
+
+        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
+                    confname, confvalue);
+
+        /* First handle some special pseudo confs */
+
+        /* Override provider name to use */
+        if (strcmp(confname, "identity") == 0)
+            name = confvalue;
+        else if (strcmp(confname, "soft_load") == 0)
+            soft = 1;
+        /* Load a dynamic PROVIDER */
+        else if (strcmp(confname, "module") == 0)
+            path = confvalue;
+        else if (strcmp(confname, "activate") == 0)
+            activate = 1;
+    }
+
+    if (activate) {
+       ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
     } else {
         OSSL_PROVIDER_INFO entry;
 
@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU
             return 0;
     }
 
+    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
+        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
+        PROVIDER_CONF_GLOBAL *pcgbl
+            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
+                                    &provider_conf_ossl_ctx_method);
+        if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
+            return 0;
+        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
+            return 0;
+        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
+            return 0;
+    }
+
     return 1;
 }
 
1	#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
2	#(partial) of the function provider_conf_load() under the 'if (activate) section.
3	#If there is any change to this section, after deleting it in provider_conf_load()
4	#ensure that you also add those changes to the provider_conf_activate() function.
5	#additionally please add this check for cnf explicitly as shown below.
6	#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
7	diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
8	--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
9	+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
10	@@ -136,58 +136,18 @@ static int prov_already_activated(const
11	return 0;
12	}
13
14	-static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,
15	- const char value, const CONF cnf)
16	+static int provider_conf_activate(OSSL_LIB_CTX libctx,const char name,
17	+ const char value, const char path,
18	+ int soft, const CONF *cnf)
19	{
20	- int i;
21	- STACK_OF(CONF_VALUE) *ecmds;
22	- int soft = 0;
23	- OSSL_PROVIDER prov = NULL, actual = NULL;
24	- const char *path = NULL;
25	- long activate = 0;
26	int ok = 0;
27	-
28	- name = skip_dot(name);
29	- OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
30	- /* Value is a section containing PROVIDER commands */
31	- ecmds = NCONF_get_section(cnf, value);
32	-
33	- if (!ecmds) {
34	- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
35	- "section=%s not found", value);
36	- return 0;
37	- }
38	-
39	- /* Find the needed data first */
40	- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
41	- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
42	- const char *confname = skip_dot(ecmd->name);
43	- const char *confvalue = ecmd->value;
44	-
45	- OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
46	- confname, confvalue);
47	-
48	- /* First handle some special pseudo confs */
49	-
50	- /* Override provider name to use */
51	- if (strcmp(confname, "identity") == 0)
52	- name = confvalue;
53	- else if (strcmp(confname, "soft_load") == 0)
54	- soft = 1;
55	- /* Load a dynamic PROVIDER */
56	- else if (strcmp(confname, "module") == 0)
57	- path = confvalue;
58	- else if (strcmp(confname, "activate") == 0)
59	- activate = 1;
60	- }
61	-
62	- if (activate) {
63	- PROVIDER_CONF_GLOBAL *pcgbl
64	- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
65	- &provider_conf_ossl_ctx_method);
66	+ OSSL_PROVIDER prov = NULL, actual = NULL;
67	+ PROVIDER_CONF_GLOBAL *pcgbl
68	+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
69	+ &provider_conf_ossl_ctx_method);
70
71	if (pcgbl == NULL \|\| !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
72	- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
73	+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
74	return 0;
75	}
76	if (!prov_already_activated(name, pcgbl->activated_providers)) {
77	@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
78	if (path != NULL)
79	ossl_provider_set_module_path(prov, path);
80
81	- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
82	+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
83
84	if (ok) {
85	if (!ossl_provider_activate(prov, 1, 0)) {
86	@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
87	}
88	if (!ok)
89	ossl_provider_free(prov);
90	+ } else { /* No reason to activate the provider twice, returning OK */
91	+ ok = 1;
92	}
93	CRYPTO_THREAD_unlock(pcgbl->lock);
94	+ return ok;
95	+}
96	+
97	+static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,
98	+ const char value, const CONF cnf)
99	+{
100	+ int i;
101	+ STACK_OF(CONF_VALUE) *ecmds;
102	+ int soft = 0;
103	+ const char *path = NULL;
104	+ long activate = 0;
105	+ int ok = 0;
106	+
107	+ name = skip_dot(name);
108	+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
109	+ /* Value is a section containing PROVIDER commands */
110	+ ecmds = NCONF_get_section(cnf, value);
111	+
112	+ if (!ecmds) {
113	+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
114	+ "section=%s not found", value);
115	+ return 0;
116	+ }
117	+
118	+ /* Find the needed data first */
119	+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
120	+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
121	+ const char *confname = skip_dot(ecmd->name);
122	+ const char *confvalue = ecmd->value;
123	+
124	+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
125	+ confname, confvalue);
126	+
127	+ /* First handle some special pseudo confs */
128	+
129	+ /* Override provider name to use */
130	+ if (strcmp(confname, "identity") == 0)
131	+ name = confvalue;
132	+ else if (strcmp(confname, "soft_load") == 0)
133	+ soft = 1;
134	+ /* Load a dynamic PROVIDER */
135	+ else if (strcmp(confname, "module") == 0)
136	+ path = confvalue;
137	+ else if (strcmp(confname, "activate") == 0)
138	+ activate = 1;
139	+ }
140	+
141	+ if (activate) {
142	+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
143	} else {
144	OSSL_PROVIDER_INFO entry;
145
146	@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU
147	return 0;
148	}
149
150	+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
151	+ OSSL_LIB_CTX libctx = NCONF_get0_libctx((CONF )cnf);
152	+ PROVIDER_CONF_GLOBAL *pcgbl
153	+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
154	+ &provider_conf_ossl_ctx_method);
155	+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
156	+ return 0;
157	+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
158	+ return 0;
159	+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
160	+ return 0;
161	+ }
162	+
163	return 1;
164	}
165