Change-Id: I4a297a54f3c0bc9350d0befba7d2da73c8de2031
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3363
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,79 @@ |
0 |
+diff -rup openssl-1.0.2k/crypto/o_init.c openssl-1.0.2k-new/crypto/o_init.c |
|
1 |
+--- openssl-1.0.2k/crypto/o_init.c 2017-01-26 05:22:03.000000000 -0800 |
|
2 |
+@@ -57,10 +57,57 @@ |
|
3 |
+ #include <openssl/err.h> |
|
4 |
+ #ifdef OPENSSL_FIPS |
|
5 |
+ # include <openssl/fips.h> |
|
6 |
++# include <openssl/fips_rand.h> |
|
7 |
+ # include <openssl/rand.h> |
|
8 |
+ #endif |
|
9 |
+ |
|
10 |
+ /* |
|
11 |
++ * |
|
12 |
++ * Enable FIPS mode based on host FIPS mode / env variable. |
|
13 |
++ */ |
|
14 |
++#if defined(OPENSSL_FIPS) |
|
15 |
++#include <sys/types.h> |
|
16 |
++#include <sys/stat.h> |
|
17 |
++#include <fcntl.h> |
|
18 |
++#include <unistd.h> |
|
19 |
++#include <errno.h> |
|
20 |
++#include <stdlib.h> |
|
21 |
++ |
|
22 |
++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" |
|
23 |
++#define FIPS_MODE_SWITCH_FILE2 "/etc/vmware/system_fips" |
|
24 |
++ |
|
25 |
++static void init_fips_mode(void) |
|
26 |
++{ |
|
27 |
++ char buf[2] = "0"; |
|
28 |
++ int fd; |
|
29 |
++ |
|
30 |
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) |
|
31 |
++ { |
|
32 |
++ buf[0] = '1'; |
|
33 |
++ } |
|
34 |
++ else if (access(FIPS_MODE_SWITCH_FILE2, F_OK) != -1) |
|
35 |
++ { |
|
36 |
++ buf[0] = '1'; |
|
37 |
++ } |
|
38 |
++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) |
|
39 |
++ { |
|
40 |
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); |
|
41 |
++ close(fd); |
|
42 |
++ } |
|
43 |
++ /* Failure reading the fips mode switch file means just not |
|
44 |
++ * switching into FIPS mode. We would break too many things |
|
45 |
++ * otherwise. |
|
46 |
++ */ |
|
47 |
++ |
|
48 |
++ if (buf[0] == '1') |
|
49 |
++ { |
|
50 |
++ FIPS_mode_set(1); |
|
51 |
++ } |
|
52 |
++} |
|
53 |
++#endif |
|
54 |
++ |
|
55 |
++ |
|
56 |
++/* |
|
57 |
+ * Perform any essential OpenSSL initialization operations. Currently only |
|
58 |
+ * sets FIPS callbacks |
|
59 |
+ */ |
|
60 |
+@@ -79,6 +126,17 @@ void OPENSSL_init(void) |
|
61 |
+ FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); |
|
62 |
+ FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); |
|
63 |
+ RAND_init_fips(); |
|
64 |
++ /* |
|
65 |
++ * VMware patch |
|
66 |
++ * |
|
67 |
++ * Calling RAND_init_fips() followed by |
|
68 |
++ * RAND_set_rand_method(FIPS_rand_get_method()) will |
|
69 |
++ * cause OpenSSL to use the FIPS default DRBG |
|
70 |
++ * in lieu of the non-compliant OpenSSL default RAND. This |
|
71 |
++ * requires FIPS-capable OpenSSL. |
|
72 |
++ */ |
|
73 |
++ RAND_set_rand_method(FIPS_rand_get_method()); |
|
74 |
++ init_fips_mode(); /* VMware patch -- check a system file */ |
|
75 |
+ #endif |
|
76 |
+ #if 0 |
|
77 |
+ fprintf(stderr, "Called OPENSSL_init\n"); |
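Review bot: The return value of `FIPS_mode_set(1)` at the end of `init_fips_mode()` is discarded, so when the host has asked for FIPS mode (the `OPENSSL_FORCE_FIPS_MODE` variable, `/etc/vmware/system_fips`, or `/proc/sys/crypto/fips_enabled` reading `1`) but the module refuses to enter it — for instance because its self-tests or integrity check fail — the process silently carries on with non-approved algorithms, which is fail-open on exactly the systems that mandated fail-closed. The comment above the check only justifies tolerating a failure to read the switch file, not a failure to switch. I would fail closed there: `if (!FIPS_mode_set(1)) { ERR_print_errors_fp(stderr); exit(1); }` (`<openssl/err.h>` and `<stdlib.h>` are already included in this patch), and if aborting from library initialisation is considered too aggressive for Photon, at minimum print the error queue so the failure is visible rather than swallowed. The second hunk sits inside `OPENSSL_init()`, whose body begins and ends outside the hunk, so whether that function guards against being run twice (a second `FIPS_mode_set(1)` would fail) cannot be confirmed from here.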
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Management tools and libraries relating to cryptography |
2 | 2 |
Name: openssl |
3 | 3 |
Version: 1.0.2k |
4 |
-Release: 2%{?dist} |
|
4 |
+Release: 3%{?dist} |
|
5 | 5 |
License: OpenSSL |
6 | 6 |
URL: http://www.openssl.org |
7 | 7 |
Group: System Environment/Security |
... | ... |
@@ -12,7 +12,7 @@ Source0: http://www.openssl.org/source/%{name}-%{version}.tar.gz |
12 | 12 |
Patch0: c_rehash.patch |
13 | 13 |
Patch1: openssl-1.0.2f-ipv6apps.patch |
14 | 14 |
Patch2: openssl-init-conslidate.patch |
15 |
-Patch3: openssl-use-fips-drbg-by-default.patch |
|
15 |
+Patch3: openssl-drbg-default-read-system-fips.patch |
|
16 | 16 |
Requires: bash glibc libgcc |
17 | 17 |
|
18 | 18 |
%description |
... | ... |
@@ -112,6 +112,8 @@ rm -rf %{buildroot}/* |
112 | 112 |
/%{_bindir}/c_rehash |
113 | 113 |
|
114 | 114 |
%changelog |
115 |
+* Fri Jul 28 2017 Anish Swaminathan <anishs@vmware.com> 1.0.2k-3 |
|
116 |
+- Patch to support enabling FIPS_mode through kernel parameter |
|
115 | 117 |
* Sun Jun 04 2017 Bo Gan <ganb@vmware.com> 1.0.2k-2 |
116 | 118 |
- Fix symlink |
117 | 119 |
* Fri Apr 07 2017 Anish Swaminathan <anishs@vmware.com> 1.0.2k-1 |