Merge ~tobhe/ubuntu/+source/openssl:noble-fips-patches into ubuntu/+source/openssl:ubuntu/devel
- Git
- lp:~tobhe/ubuntu/+source/openssl
- noble-fips-patches
- Merge into ubuntu/devel
Status: | Merged |
---|---|
Merge reported by: | Tobias Heider |
Merged at revision: | 50071b5b8d2c868c1b1d216c0a2c80a16276af50 |
Proposed branch: | ~tobhe/ubuntu/+source/openssl:noble-fips-patches |
Merge into: | ubuntu/+source/openssl:ubuntu/devel |
Diff against target: |
944 lines (+898/-0) 7 files modified
debian/changelog (+17/-0) debian/patches/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch (+38/-0) debian/patches/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch (+130/-0) debian/patches/fips/crypto-Add-kernel-FIPS-mode-detection.patch (+154/-0) debian/patches/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch (+495/-0) debian/patches/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch (+57/-0) debian/patches/series (+7/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Simon Chopin (community) | Needs Fixing | ||
Adrien Nader (community) | Needs Fixing | ||
Chris Coulson | Pending | ||
Review via email: mp+460953@code.launchpad.net |
Commit message
Description of the change
Here are a few patches we are currently shipping in our FIPS archive that we would like to instead add to the regular package. This would allow us to stop maintaining a separate OpenSSL version for FIPS and deduplicate our CVE fixing work.
The actual FIPS magic happens in a separate provider package.
The changes proposed in this PR shouldn't change any default behaviour. Instead they make OpenSSL aware of FIPS mode and change some default settings to comply with FIPS to prevent crashes if the only enabled provider is the FIPS provider.
Tobias Heider (tobhe) wrote : | # |
Adrien Nader (adrien) wrote : | # |
I'm only halfway through the diff but wanted to submit this now since it will be faster for everyone but also for the question related to #ifndef !FIPS_MODULE.
Adrien Nader (adrien) wrote : | # |
No further comment actually (DEP-3 headers should be for all patches however).
Tobias Heider (tobhe) wrote : | # |
Replies inline. I will push an update with better headers and commit messages
Adrien Nader (adrien) : | # |
- 7f75686... by Tobias Heider
-
* Add fips-mode detection and adjust defaults when run in fips mode.
- d/p/fips/crypto- Add-kernel- FIPS-mode- detection. patch:
Detect if kernel fips mode is enabled
- d/p/fips/crypto- Automatically- use-the- FIPS-provider- when-the- kerne.patch:
Load FIPS provider if running in FIPS mode
- d/p/fips/apps-speed- Omit-unavailabl e-algorithms- in-FIPS- mode.patch:
Limit openssl-speed to FIPS compliant algorithms when running in FIPS mode
- d/p/fips/apps-pass- propquery- arg-to- the-libctx- DRBG-fetches. patch
Make sure DRBG respects query properties
- d/p/fips/test-Ensure- encoding- runs-with- the-correct- context- during. patch:
Make sure encoding runs with correct library context and provider - 7c9b1a6... by Tobias Heider
-
Changelog for 3.0.13-1ubuntu2
Tobias Heider (tobhe) wrote : | # |
Now rebased onto 3.0.13-1ubuntu1 and with Adrien's ifndef comment addressed.
Simon Chopin (schopin) wrote : | # |
I'd like Adrien's ACK on the changes before uploading. Also, please add the (LP: #XXXXXXX) stanza to the changelog, so that the FFe bug gets closed and we get an easy reference later on when manipulating those patches (which should probably also include a Bug-Ubuntu: DEP-3 field ;) )
- f990ecf... by Tobias Heider
-
Add launchpad bug ID to changelog and patches
Tobias Heider (tobhe) wrote : | # |
> I'd like Adrien's ACK on the changes before uploading. Also, please add the
> (LP: #XXXXXXX) stanza to the changelog, so that the FFe bug gets closed and we
> get an easy reference later on when manipulating those patches (which should
> probably also include a Bug-Ubuntu: DEP-3 field ;) )
Added LP bug reference to the changelog and Bug-Ubuntu to each of the patch headers with the last update
Adrien Nader (adrien) : | # |
- 50071b5... by Tobias Heider
-
Fix version number 3.0.13-1ubuntu2 > 3.0.13-0ubuntu2
Tobias Heider (tobhe) wrote : | # |
Should be fixed with the latest upload
Adrien Nader (adrien) wrote : | # |
I am now including this MR in https:/
Chris Coulson (chrisccoulson) wrote : | # |
I've added a couple of comments to this
Chris Coulson (chrisccoulson) wrote : | # |
Oh, huh, apparently you can only submit comments on a single commit at a time, so here's the other one.
Adrien Nader (adrien) wrote : | # |
Chris, thanks for your comments, they're very informative. Just to be clear also: this change is actually now uploaded but that was done as part of another MR (version is currently in noble-proposed: https:/
Tobias, can you update the status of this MR to make this visible?
Tobias Heider (tobhe) wrote : | # |
Thanks for the feedback Chris, as far as I can tell OpenSSL speed worked fine last I tried it but I can check.
Updated the status to merged.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 06dd500..136ef9c 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,20 @@ |
6 | +openssl (3.0.13-0ubuntu2) noble; urgency=medium |
7 | + |
8 | + * Add fips-mode detection and adjust defaults when running in fips mode |
9 | + (LP: #2056593): |
10 | + - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: |
11 | + Detect if kernel fips mode is enabled |
12 | + - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: |
13 | + Load FIPS provider if running in FIPS mode |
14 | + - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: |
15 | + Limit openssl-speed to FIPS compliant algorithms when running in FIPS mode |
16 | + - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch |
17 | + Make sure DRBG respects query properties |
18 | + - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: |
19 | + Make sure encoding runs with correct library context and provider |
20 | + |
21 | + -- Tobias Heider <tobias.heider@canonical.com> Wed, 13 Mar 2024 11:40:11 +0100 |
22 | + |
23 | openssl (3.0.13-0ubuntu1) noble; urgency=medium |
24 | |
25 | * Import 3.0.13 |
26 | diff --git a/debian/patches/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch b/debian/patches/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch |
27 | new file mode 100644 |
28 | index 0000000..fce1415 |
29 | --- /dev/null |
30 | +++ b/debian/patches/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch |
31 | @@ -0,0 +1,38 @@ |
32 | +From: Chris Coulson <chris.coulson@canonical.com> |
33 | +Date: Thu, 13 Oct 2022 00:02:26 +0100 |
34 | +Subject: apps: pass -propquery arg to the libctx DRBG fetches |
35 | + |
36 | +Forwarded: no |
37 | +Applied-Upstream: no |
38 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593 |
39 | + |
40 | +The -propquery argument might be used to define a preference for which provider |
41 | +an algorithm is fetched from. Set the query properties for the library context |
42 | +DRBG fetches as well so that they are fetched with the same properties. |
43 | +--- |
44 | + apps/lib/app_libctx.c | 5 +++++ |
45 | + 1 file changed, 5 insertions(+) |
46 | + |
47 | +diff --git a/apps/lib/app_libctx.c b/apps/lib/app_libctx.c |
48 | +index 4b9ec40e8527..d1c9909165b4 100644 |
49 | +--- a/apps/lib/app_libctx.c |
50 | ++++ b/apps/lib/app_libctx.c |
51 | +@@ -6,6 +6,7 @@ |
52 | + * in the file LICENSE in the source distribution or at |
53 | + * https://www.openssl.org/source/license.html |
54 | + */ |
55 | ++#include <openssl/rand.h> |
56 | + #include "app_libctx.h" |
57 | + #include "apps.h" |
58 | + |
59 | +@@ -15,6 +16,10 @@ static const char *app_propq = NULL; |
60 | + int app_set_propq(const char *arg) |
61 | + { |
62 | + app_propq = arg; |
63 | ++ if (!RAND_set_DRBG_type(app_libctx, NULL, arg, NULL, NULL)) |
64 | ++ return 0; |
65 | ++ if (!RAND_set_seed_source_type(app_libctx, NULL, arg)) |
66 | ++ return 0; |
67 | + return 1; |
68 | + } |
69 | + |
70 | diff --git a/debian/patches/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch b/debian/patches/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch |
71 | new file mode 100644 |
72 | index 0000000..2aa9810 |
73 | --- /dev/null |
74 | +++ b/debian/patches/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch |
75 | @@ -0,0 +1,130 @@ |
76 | +From: Chris Coulson <chris.coulson@canonical.com> |
77 | +Date: Thu, 21 Apr 2022 13:11:18 +0100 |
78 | +Subject: apps/speed: Omit unavailable algorithms in FIPS mode |
79 | + |
80 | +Forwarded: no |
81 | +Applied-Upstream: no |
82 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593 |
83 | +--- |
84 | + apps/speed.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
85 | + 1 file changed, 66 insertions(+) |
86 | + |
87 | +diff --git a/apps/speed.c b/apps/speed.c |
88 | +index 1113d775b8ab..9bdab90186b3 100644 |
89 | +--- a/apps/speed.c |
90 | ++++ b/apps/speed.c |
91 | +@@ -1496,6 +1496,9 @@ int speed_main(int argc, char **argv) |
92 | + OPENSSL_assert(strcmp(sm2_choices[SM2_NUM - 1].name, "curveSM2") == 0); |
93 | + #endif |
94 | + |
95 | ++ if (EVP_default_properties_is_fips_enabled(app_get0_libctx())) |
96 | ++ evp_mac_mdname = "sha1"; |
97 | ++ |
98 | + prog = opt_init(argc, argv, speed_options); |
99 | + while ((o = opt_next()) != OPT_EOF) { |
100 | + switch (o) { |
101 | +@@ -1647,6 +1650,8 @@ int speed_main(int argc, char **argv) |
102 | + } |
103 | + if (strcmp(algo, "des") == 0) { |
104 | + doit[D_CBC_DES] = doit[D_EDE3_DES] = 1; |
105 | ++ if (EVP_default_properties_is_fips_enabled(app_get0_libctx())) |
106 | ++ doit[D_CBC_DES] = 0; |
107 | + continue; |
108 | + } |
109 | + if (strcmp(algo, "sha") == 0) { |
110 | +@@ -1660,6 +1665,8 @@ int speed_main(int argc, char **argv) |
111 | + if (strncmp(algo, "rsa", 3) == 0) { |
112 | + if (algo[3] == '\0') { |
113 | + memset(rsa_doit, 1, sizeof(rsa_doit)); |
114 | ++ if (EVP_default_properties_is_fips_enabled(app_get0_libctx())) |
115 | ++ rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = 0; |
116 | + continue; |
117 | + } |
118 | + if (opt_found(algo, rsa_choices, &i)) { |
119 | +@@ -1682,6 +1689,10 @@ int speed_main(int argc, char **argv) |
120 | + if (strncmp(algo, "dsa", 3) == 0) { |
121 | + if (algo[3] == '\0') { |
122 | + memset(dsa_doit, 1, sizeof(dsa_doit)); |
123 | ++ /* R_DSA_512 and R_DSA_1024 should be disabled in FIPS mode, |
124 | ++ * but actually, none of the DSA benchmarks work because the |
125 | ++ * compiled-in keys fail the necessary checks. Just return an |
126 | ++ * error if the DSA benchmarks are invoked explicitly. */ |
127 | + continue; |
128 | + } |
129 | + if (opt_found(algo, dsa_choices, &i)) { |
130 | +@@ -1700,6 +1711,18 @@ int speed_main(int argc, char **argv) |
131 | + if (strncmp(algo, "ecdsa", 5) == 0) { |
132 | + if (algo[5] == '\0') { |
133 | + memset(ecdsa_doit, 1, sizeof(ecdsa_doit)); |
134 | ++ if (EVP_default_properties_is_fips_enabled(app_get0_libctx())) { |
135 | ++ ecdsa_doit[R_EC_P160] = ecdsa_doit[R_EC_P192] = 0; |
136 | ++#ifndef OPENSSL_NO_EC2M |
137 | ++ ecdsa_doit[R_EC_K163] = ecdsa_doit[R_EC_B163] = 0; |
138 | ++#endif |
139 | ++ ecdsa_doit[R_EC_BRP256R1] = |
140 | ++ ecdsa_doit[R_EC_BRP256T1] = |
141 | ++ ecdsa_doit[R_EC_BRP384R1] = |
142 | ++ ecdsa_doit[R_EC_BRP384T1] = |
143 | ++ ecdsa_doit[R_EC_BRP512R1] = |
144 | ++ ecdsa_doit[R_EC_BRP512T1] = 0; |
145 | ++ } |
146 | + continue; |
147 | + } |
148 | + if (opt_found(algo, ecdsa_choices, &i)) { |
149 | +@@ -1710,6 +1733,18 @@ int speed_main(int argc, char **argv) |
150 | + if (strncmp(algo, "ecdh", 4) == 0) { |
151 | + if (algo[4] == '\0') { |
152 | + memset(ecdh_doit, 1, sizeof(ecdh_doit)); |
153 | ++ if (EVP_default_properties_is_fips_enabled(app_get0_libctx())) { |
154 | ++ ecdh_doit[R_EC_P160] = ecdh_doit[R_EC_P192] = 0; |
155 | ++#ifndef OPENSSL_NO_EC2M |
156 | ++ ecdh_doit[R_EC_K163] = ecdh_doit[R_EC_B163] = 0; |
157 | ++#endif |
158 | ++ ecdh_doit[R_EC_BRP256R1] = |
159 | ++ ecdh_doit[R_EC_BRP256T1] = |
160 | ++ ecdh_doit[R_EC_BRP384R1] = |
161 | ++ ecdh_doit[R_EC_BRP384T1] = |
162 | ++ ecdh_doit[R_EC_BRP512R1] = |
163 | ++ ecdh_doit[R_EC_BRP512T1] = 0; |
164 | ++ } |
165 | + continue; |
166 | + } |
167 | + if (opt_found(algo, ecdh_choices, &i)) { |
168 | +@@ -1863,6 +1898,37 @@ int speed_main(int argc, char **argv) |
169 | + #ifndef OPENSSL_NO_SM2 |
170 | + memset(sm2_doit, 1, sizeof(sm2_doit)); |
171 | + #endif |
172 | ++ if (EVP_default_properties_is_fips_enabled(app_get0_libctx())) { |
173 | ++ rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = 0; |
174 | ++ |
175 | ++ memset(dsa_doit, 0, sizeof(dsa_doit)); |
176 | ++ |
177 | ++ ecdsa_doit[R_EC_P160] = ecdsa_doit[R_EC_P192] = 0; |
178 | ++#ifndef OPENSSL_NO_EC2M |
179 | ++ ecdsa_doit[R_EC_K163] = ecdsa_doit[R_EC_B163] = 0; |
180 | ++#endif |
181 | ++ ecdsa_doit[R_EC_BRP256R1] = |
182 | ++ ecdsa_doit[R_EC_BRP256T1] = |
183 | ++ ecdsa_doit[R_EC_BRP384R1] = |
184 | ++ ecdsa_doit[R_EC_BRP384T1] = |
185 | ++ ecdsa_doit[R_EC_BRP512R1] = |
186 | ++ ecdsa_doit[R_EC_BRP512T1] = 0; |
187 | ++ |
188 | ++ ecdh_doit[R_EC_P160] = ecdh_doit[R_EC_P192] = 0; |
189 | ++#ifndef OPENSSL_NO_EC2M |
190 | ++ ecdh_doit[R_EC_K163] = ecdh_doit[R_EC_B163] = 0; |
191 | ++#endif |
192 | ++ ecdh_doit[R_EC_BRP256R1] = |
193 | ++ ecdh_doit[R_EC_BRP256T1] = |
194 | ++ ecdh_doit[R_EC_BRP384R1] = |
195 | ++ ecdh_doit[R_EC_BRP384T1] = |
196 | ++ ecdh_doit[R_EC_BRP512R1] = |
197 | ++ ecdh_doit[R_EC_BRP512T1] = 0; |
198 | ++ |
199 | ++#ifndef OPENSSL_NO_SM2 |
200 | ++ memset(sm2_doit, 0, sizeof(sm2_doit)); |
201 | ++#endif |
202 | ++ } |
203 | + } |
204 | + for (i = 0; i < ALGOR_NUM; i++) |
205 | + if (doit[i]) |
206 | diff --git a/debian/patches/fips/crypto-Add-kernel-FIPS-mode-detection.patch b/debian/patches/fips/crypto-Add-kernel-FIPS-mode-detection.patch |
207 | new file mode 100644 |
208 | index 0000000..25c5184 |
209 | --- /dev/null |
210 | +++ b/debian/patches/fips/crypto-Add-kernel-FIPS-mode-detection.patch |
211 | @@ -0,0 +1,154 @@ |
212 | +From: Chris Coulson <chris.coulson@canonical.com> |
213 | +Date: Thu, 14 Apr 2022 14:57:44 +0100 |
214 | +Subject: crypto: Add kernel FIPS mode detection |
215 | + |
216 | +Forwarded: no |
217 | +Applied-Upstream: no |
218 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593 |
219 | + |
220 | +This adds a new internal API to determine whether the kernel has been booted |
221 | +in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE |
222 | +environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an |
223 | +alternative path for the fips_enabled file and is used in tests. |
224 | +The FIPS_MODULE switch can be used to enable build of the the FIPS provider |
225 | +module specific parts which are not needed in the OpenSSL library itself. |
226 | +--- |
227 | + crypto/build.info | 2 +- |
228 | + crypto/context.c | 20 ++++++++++++++++++++ |
229 | + crypto/fips_mode.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ |
230 | + crypto/fips_mode.h | 17 +++++++++++++++++ |
231 | + 4 files changed, 84 insertions(+), 1 deletion(-) |
232 | + create mode 100644 crypto/fips_mode.c |
233 | + create mode 100644 crypto/fips_mode.h |
234 | + |
235 | +diff --git a/crypto/build.info b/crypto/build.info |
236 | +index a45bf8deefd5..a128c645667e 100644 |
237 | +--- a/crypto/build.info |
238 | ++++ b/crypto/build.info |
239 | +@@ -101,7 +101,7 @@ SOURCE[../libcrypto]=$UTIL_COMMON \ |
240 | + mem.c mem_sec.c \ |
241 | + cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ |
242 | + o_fopen.c getenv.c o_init.c init.c trace.c provider.c provider_child.c \ |
243 | +- punycode.c passphrase.c |
244 | ++ punycode.c passphrase.c fips_mode.c |
245 | + SOURCE[../providers/libfips.a]=$UTIL_COMMON |
246 | + |
247 | + SOURCE[../libcrypto]=$UPLINKSRC |
248 | +diff --git a/crypto/context.c b/crypto/context.c |
249 | +index 548665fba265..83e255cb2563 100644 |
250 | +--- a/crypto/context.c |
251 | ++++ b/crypto/context.c |
252 | +@@ -17,6 +17,11 @@ |
253 | + #include "crypto/ctype.h" |
254 | + #include "crypto/rand.h" |
255 | + |
256 | ++#ifndef FIPS_MODULE |
257 | ++# include "crypto/evp.h" |
258 | ++# include "fips_mode.h" |
259 | ++#endif |
260 | ++ |
261 | + struct ossl_lib_ctx_onfree_list_st { |
262 | + ossl_lib_ctx_onfree_fn *fn; |
263 | + struct ossl_lib_ctx_onfree_list_st *next; |
264 | +@@ -69,11 +74,26 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx) |
265 | + return ctx->ischild; |
266 | + } |
267 | + |
268 | ++#if !defined(FIPS_MODULE) |
269 | ++static CRYPTO_ONCE init_fips = CRYPTO_ONCE_STATIC_INIT; |
270 | ++ |
271 | ++DEFINE_RUN_ONCE_STATIC(do_init_fips) |
272 | ++{ |
273 | ++ ossl_init_fips(); |
274 | ++ return 1; |
275 | ++} |
276 | ++#endif |
277 | ++ |
278 | + static int context_init(OSSL_LIB_CTX *ctx) |
279 | + { |
280 | + size_t i; |
281 | + int exdata_done = 0; |
282 | + |
283 | ++#if !defined(FIPS_MODULE) |
284 | ++ if (!RUN_ONCE(&init_fips, do_init_fips)) |
285 | ++ return 0; |
286 | ++#endif |
287 | ++ |
288 | + ctx->lock = CRYPTO_THREAD_lock_new(); |
289 | + if (ctx->lock == NULL) |
290 | + return 0; |
291 | +diff --git a/crypto/fips_mode.c b/crypto/fips_mode.c |
292 | +new file mode 100644 |
293 | +index 000000000000..0131075ed764 |
294 | +--- /dev/null |
295 | ++++ b/crypto/fips_mode.c |
296 | +@@ -0,0 +1,46 @@ |
297 | ++#define _GNU_SOURCE |
298 | ++#include <errno.h> |
299 | ++#include <fcntl.h> |
300 | ++#include <stdlib.h> |
301 | ++#include <string.h> |
302 | ++#include <sys/types.h> |
303 | ++#include <sys/stat.h> |
304 | ++#include <unistd.h> |
305 | ++#include "fips_mode.h" |
306 | ++ |
307 | ++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" |
308 | ++ |
309 | ++static int fips_mode; |
310 | ++ |
311 | ++int ossl_fips_mode(void) |
312 | ++{ |
313 | ++ return fips_mode; |
314 | ++} |
315 | ++ |
316 | ++void ossl_init_fips(void) |
317 | ++{ |
318 | ++ const char *switch_path = FIPS_MODE_SWITCH_FILE; |
319 | ++ char *v; |
320 | ++ char c; |
321 | ++ int fd; |
322 | ++ |
323 | ++ if ((v = secure_getenv("OPENSSL_FORCE_FIPS_MODE")) != NULL) { |
324 | ++ fips_mode = strcmp(v, "0") == 0 ? 0 : 1; |
325 | ++ return; |
326 | ++ } |
327 | ++ |
328 | ++ if ((v = secure_getenv("OPENSSL_FIPS_MODE_SWITCH_PATH")) != NULL) { |
329 | ++ switch_path = v; |
330 | ++ } |
331 | ++ |
332 | ++ fd = open(switch_path, O_RDONLY); |
333 | ++ if (fd < 0) { |
334 | ++ fips_mode = 0; |
335 | ++ return; |
336 | ++ } |
337 | ++ |
338 | ++ while (read(fd, &c, sizeof(c)) < 0 && errno == EINTR); |
339 | ++ close(fd); |
340 | ++ |
341 | ++ fips_mode = c == '1' ? 1 : 0; |
342 | ++} |
343 | +diff --git a/crypto/fips_mode.h b/crypto/fips_mode.h |
344 | +new file mode 100644 |
345 | +index 000000000000..5f0607ba9d70 |
346 | +--- /dev/null |
347 | ++++ b/crypto/fips_mode.h |
348 | +@@ -0,0 +1,17 @@ |
349 | ++/* |
350 | ++ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. |
351 | ++ * |
352 | ++ * Licensed under the Apache License 2.0 (the "License"). You may not use |
353 | ++ * this file except in compliance with the License. You can obtain a copy |
354 | ++ * in the file LICENSE in the source distribution or at |
355 | ++ * https://www.openssl.org/source/license.html |
356 | ++ */ |
357 | ++ |
358 | ++#ifndef OSSL_FIPS_MODE_H |
359 | ++# define OSSL_FIPS_MODE_H |
360 | ++# pragma once |
361 | ++ |
362 | ++int ossl_fips_mode(void); |
363 | ++void ossl_init_fips(void); |
364 | ++ |
365 | ++#endif |
366 | diff --git a/debian/patches/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch b/debian/patches/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch |
367 | new file mode 100644 |
368 | index 0000000..4d2eb9d |
369 | --- /dev/null |
370 | +++ b/debian/patches/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch |
371 | @@ -0,0 +1,495 @@ |
372 | +From: Chris Coulson <chris.coulson@canonical.com> |
373 | +Date: Thu, 14 Apr 2022 15:40:56 +0100 |
374 | +Subject: crypto: Automatically use the FIPS provider when the kernel is |
375 | + booted in FIPS mode |
376 | + |
377 | +Forwarded: no |
378 | +Applied-Upstream: no |
379 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593 |
380 | + |
381 | +This automatically configures all library contexts to use the FIPS provider when |
382 | +the kernel is booted in FIPS mode by: |
383 | +- Setting "fips=yes" as the default property for algorithm fetches |
384 | +- Loading and activating the FIPS provider as the fallback provider. |
385 | + |
386 | +If applications load providers via a configuration either because the default |
387 | +configuration is modified or they override the default configuration, this |
388 | +disables loading of the fallback providers. In this case, the configuration |
389 | +must load the FIPS provider when FIPS mode is enabled, else algorithm fetches |
390 | +will fail |
391 | + |
392 | +Applications can choose to use non-FIPS approved algorithms by specifying the |
393 | +"-fips" or "fips=no" property for algorithm fetches and loading the default |
394 | +provider. |
395 | +--- |
396 | + crypto/context.c | 5 ++ |
397 | + crypto/provider_core.c | 4 +- |
398 | + crypto/provider_local.h | 2 +- |
399 | + crypto/provider_predefined.c | 25 +++++++- |
400 | + doc/man3/EVP_set_default_properties.pod | 3 +- |
401 | + doc/man5/config.pod | 8 ++- |
402 | + doc/man7/OSSL_PROVIDER-default.pod | 7 ++- |
403 | + doc/man7/crypto.pod | 30 +++++++-- |
404 | + doc/man7/fips_module.pod | 15 +++++ |
405 | + test/build.info | 6 +- |
406 | + test/fips_auto_enable_test.c | 106 ++++++++++++++++++++++++++++++++ |
407 | + test/recipes/04-test_auto_fips_mode.t | 50 +++++++++++++++ |
408 | + test/recipes/04-test_auto_fips_mode/off | 1 + |
409 | + test/recipes/04-test_auto_fips_mode/on | 1 + |
410 | + test/run_tests.pl | 1 + |
411 | + 15 files changed, 247 insertions(+), 17 deletions(-) |
412 | + create mode 100644 test/fips_auto_enable_test.c |
413 | + create mode 100644 test/recipes/04-test_auto_fips_mode.t |
414 | + create mode 100644 test/recipes/04-test_auto_fips_mode/off |
415 | + create mode 100644 test/recipes/04-test_auto_fips_mode/on |
416 | + |
417 | +diff --git a/crypto/context.c b/crypto/context.c |
418 | +index 83e255cb2563..457ebb0880b4 100644 |
419 | +--- a/crypto/context.c |
420 | ++++ b/crypto/context.c |
421 | +@@ -122,6 +122,11 @@ static int context_init(OSSL_LIB_CTX *ctx) |
422 | + if (!ossl_property_parse_init(ctx)) |
423 | + goto err; |
424 | + |
425 | ++#if !defined(FIPS_MODULE) |
426 | ++ if (ossl_fips_mode() == 1 && !evp_default_properties_enable_fips_int(ctx, 1, 0)) |
427 | ++ goto err; |
428 | ++#endif |
429 | ++ |
430 | + return 1; |
431 | + err: |
432 | + if (exdata_done) |
433 | +diff --git a/crypto/provider_core.c b/crypto/provider_core.c |
434 | +index 4cadb6a9f02e..ecfa1e1dd902 100644 |
435 | +--- a/crypto/provider_core.c |
436 | ++++ b/crypto/provider_core.c |
437 | +@@ -544,7 +544,7 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, |
438 | + size_t i; |
439 | + |
440 | + /* Check if this is a predefined builtin provider */ |
441 | +- for (p = ossl_predefined_providers; p->name != NULL; p++) { |
442 | ++ for (p = ossl_predefined_providers(); p->name != NULL; p++) { |
443 | + if (strcmp(p->name, name) == 0) { |
444 | + template = *p; |
445 | + break; |
446 | +@@ -1305,7 +1305,7 @@ static int provider_activate_fallbacks(struct provider_store_st *store) |
447 | + return 1; |
448 | + } |
449 | + |
450 | +- for (p = ossl_predefined_providers; p->name != NULL; p++) { |
451 | ++ for (p = ossl_predefined_providers(); p->name != NULL; p++) { |
452 | + OSSL_PROVIDER *prov = NULL; |
453 | + |
454 | + if (!p->is_fallback) |
455 | +diff --git a/crypto/provider_local.h b/crypto/provider_local.h |
456 | +index e0bcbcb9f94e..bfde4dd7cc25 100644 |
457 | +--- a/crypto/provider_local.h |
458 | ++++ b/crypto/provider_local.h |
459 | +@@ -23,7 +23,7 @@ typedef struct { |
460 | + unsigned int is_fallback:1; |
461 | + } OSSL_PROVIDER_INFO; |
462 | + |
463 | +-extern const OSSL_PROVIDER_INFO ossl_predefined_providers[]; |
464 | ++const OSSL_PROVIDER_INFO *ossl_predefined_providers(void); |
465 | + |
466 | + void ossl_provider_info_clear(OSSL_PROVIDER_INFO *info); |
467 | + int ossl_provider_info_add_to_store(OSSL_LIB_CTX *libctx, |
468 | +diff --git a/crypto/provider_predefined.c b/crypto/provider_predefined.c |
469 | +index 068e0b7cd96a..0ee2158a7c47 100644 |
470 | +--- a/crypto/provider_predefined.c |
471 | ++++ b/crypto/provider_predefined.c |
472 | +@@ -9,6 +9,9 @@ |
473 | + |
474 | + #include <openssl/core.h> |
475 | + #include "provider_local.h" |
476 | ++#if !defined(FIPS_MODULE) |
477 | ++# include "fips_mode.h" |
478 | ++#endif |
479 | + |
480 | + OSSL_provider_init_fn ossl_default_provider_init; |
481 | + OSSL_provider_init_fn ossl_base_provider_init; |
482 | +@@ -17,7 +20,7 @@ OSSL_provider_init_fn ossl_fips_intern_provider_init; |
483 | + #ifdef STATIC_LEGACY |
484 | + OSSL_provider_init_fn ossl_legacy_provider_init; |
485 | + #endif |
486 | +-const OSSL_PROVIDER_INFO ossl_predefined_providers[] = { |
487 | ++const OSSL_PROVIDER_INFO providers[] = { |
488 | + #ifdef FIPS_MODULE |
489 | + { "fips", NULL, ossl_fips_intern_provider_init, NULL, 1 }, |
490 | + #else |
491 | +@@ -30,3 +33,23 @@ const OSSL_PROVIDER_INFO ossl_predefined_providers[] = { |
492 | + #endif |
493 | + { NULL, NULL, NULL, NULL, 0 } |
494 | + }; |
495 | ++ |
496 | ++#if !defined(FIPS_MODULE) |
497 | ++const OSSL_PROVIDER_INFO fips_providers[] = { |
498 | ++ { "fips", NULL, NULL, NULL, 1 }, |
499 | ++ { "base", NULL, ossl_base_provider_init, NULL, 1 }, |
500 | ++ { "default", NULL, ossl_default_provider_init, NULL, 0 }, |
501 | ++ { "null", NULL, ossl_null_provider_init, NULL, 0 }, |
502 | ++ { NULL, NULL, NULL, NULL, 0 } |
503 | ++}; |
504 | ++#endif |
505 | ++ |
506 | ++const OSSL_PROVIDER_INFO *ossl_predefined_providers(void) |
507 | ++{ |
508 | ++#if !defined(FIPS_MODULE) |
509 | ++ if (ossl_fips_mode() == 1) |
510 | ++ return fips_providers; |
511 | ++#endif |
512 | ++ |
513 | ++ return providers; |
514 | ++} |
515 | +diff --git a/doc/man3/EVP_set_default_properties.pod b/doc/man3/EVP_set_default_properties.pod |
516 | +index 2d862772c251..3ee3f10566dd 100644 |
517 | +--- a/doc/man3/EVP_set_default_properties.pod |
518 | ++++ b/doc/man3/EVP_set_default_properties.pod |
519 | +@@ -34,7 +34,8 @@ query for the given I<libctx>. It merges the fips default property query with an |
520 | + existing query strings that have been set via EVP_set_default_properties(). |
521 | + |
522 | + EVP_default_properties_is_fips_enabled() indicates if 'fips=yes' is a default |
523 | +-property for the given I<libctx>. |
524 | ++property for the given I<libctx>. This is the default for every I<libctx> on |
525 | ++systems that are operaring in FIPS-approved mode. |
526 | + |
527 | + =head1 NOTES |
528 | + |
529 | +diff --git a/doc/man5/config.pod b/doc/man5/config.pod |
530 | +index 8d312c661fa0..e35368c13da1 100644 |
531 | +--- a/doc/man5/config.pod |
532 | ++++ b/doc/man5/config.pod |
533 | +@@ -275,11 +275,13 @@ available to the provider. |
534 | + |
535 | + =head3 Default provider and its activation |
536 | + |
537 | +-If no providers are activated explicitly, the default one is activated implicitly. |
538 | +-See L<OSSL_PROVIDER-default(7)> for more details. |
539 | ++If no providers are activated explicitly, either the default provider or |
540 | ++FIPS provider are activated implicitly depending on the environment. |
541 | ++See L<crypto(7)>, L<OSSL_PROVIDER-default(7)> and L<OSSL_PROVIDER-FIPS(7)> for |
542 | ++more details. |
543 | + |
544 | + If you add a section explicitly activating any other provider(s), |
545 | +-you most probably need to explicitly activate the default provider, |
546 | ++you most probably need to explicitly activate the default or FIPS provider, |
547 | + otherwise it becomes unavailable in openssl. It may make the system remotely unavailable. |
548 | + |
549 | + =head2 EVP Configuration |
550 | +diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod |
551 | +index e39d76abdbb8..e6ff52241632 100644 |
552 | +--- a/doc/man7/OSSL_PROVIDER-default.pod |
553 | ++++ b/doc/man7/OSSL_PROVIDER-default.pod |
554 | +@@ -9,9 +9,10 @@ OSSL_PROVIDER-default - OpenSSL default provider |
555 | + The OpenSSL default provider supplies the majority of OpenSSL's diverse |
556 | + algorithm implementations. If an application doesn't specify anything else |
557 | + explicitly (e.g. in the application or via config), then this is the |
558 | +-provider that will be used as fallback: It is loaded automatically the |
559 | +-first time that an algorithm is fetched from a provider or a function |
560 | +-acting on providers is called and no other provider has been loaded yet. |
561 | ++provider that will be used as fallback on systems that are not operating in |
562 | ++FIPS-approved mode: It is loaded automatically the first time that an algorithm |
563 | ++is fetched from a provider or a function acting on providers is called and no |
564 | ++other provider has been loaded yet. |
565 | + |
566 | + If an attempt to load a provider has already been made (whether successful |
567 | + or not) then the default provider won't be loaded automatically. Therefore |
568 | +diff --git a/doc/man7/crypto.pod b/doc/man7/crypto.pod |
569 | +index c31e10ac29a5..40e421583675 100644 |
570 | +--- a/doc/man7/crypto.pod |
571 | ++++ b/doc/man7/crypto.pod |
572 | +@@ -48,8 +48,22 @@ A provider in OpenSSL is a component that collects together algorithm |
573 | + implementations. In order to use an algorithm you must have at least one |
574 | + provider loaded that contains an implementation of it. OpenSSL comes with a |
575 | + number of providers and they may also be obtained from third parties. If you |
576 | +-don't load a provider explicitly (either in program code or via config) then the |
577 | +-OpenSSL built-in "default" provider will be automatically loaded. |
578 | ++don't load a provider explicitly (either in program code or via config) then one |
579 | ++of the following OpenSSL providers will be loaded automatically: |
580 | ++ |
581 | ++=over 4 |
582 | ++ |
583 | ++=item * |
584 | ++ |
585 | ++The built-in "default" provider when running on a system that is not operating |
586 | ++in FIPS-approved mode. |
587 | ++ |
588 | ++=item * |
589 | ++ |
590 | ++The "fips" provider when running on a system that is operating in FIPS-approved |
591 | ++mode. |
592 | ++ |
593 | ++=back |
594 | + |
595 | + =head2 Library contexts |
596 | + |
597 | +@@ -364,9 +378,10 @@ algorithms), the property query string "provider=default" can be used as a |
598 | + search criterion for these implementations. The default provider includes all |
599 | + of the functionality in the base provider below. |
600 | + |
601 | +-If you don't load any providers at all then the "default" provider will be |
602 | +-automatically loaded. If you explicitly load any provider then the "default" |
603 | +-provider would also need to be explicitly loaded if it is required. |
604 | ++If you don't load any providers at all and the system is not running in |
605 | ++FIPS-approved mode, then the "default" provider will be automatically loaded. |
606 | ++If you explicitly load any provider then the "default" provider would also need |
607 | ++to be explicitly loaded if it is required. |
608 | + |
609 | + See L<OSSL_PROVIDER-default(7)>. |
610 | + |
611 | +@@ -397,6 +412,11 @@ provider can also be selected with the property "fips=yes". The FIPS provider |
612 | + may also contain non-approved algorithm implementations and these can be |
613 | + selected with the property "fips=no". |
614 | + |
615 | ++If you don't load any providers at all and the system is running in |
616 | ++FIPS-approved mode, then the FIPS provider will be automatically loaded. |
617 | ++If you explicitly load any provider then the FIPS provider would also need |
618 | ++to be explicitly loaded if it is required. |
619 | ++ |
620 | + See L<OSSL_PROVIDER-FIPS(7)> and L<fips_module(7)>. |
621 | + |
622 | + =head2 Legacy provider |
623 | +diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod |
624 | +index d0861a9dcecc..801075d9d05e 100644 |
625 | +--- a/doc/man7/fips_module.pod |
626 | ++++ b/doc/man7/fips_module.pod |
627 | +@@ -45,6 +45,21 @@ All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to |
628 | + avoid using all deprecated functions. See L<migration_guide(7)> for a list of |
629 | + deprecated functions. |
630 | + |
631 | ++=head2 Applications running on systems operating in FIPS-approved mode |
632 | ++ |
633 | ++When running on systems that are operating in FIPS-approved mode and no |
634 | ++providers are loaded explicitly via the application or config, the FIPS module |
635 | ++is loaded implicitly as a fallback provider whenever an algorithm is fetched |
636 | ++for the first time. The "default" provider is not loaded implicitly in this |
637 | ++case, and must be loaded explicitly if it is required by an application. |
638 | ++ |
639 | ++Every L<OSSL_LIB_CTX(3)> is created with "fips=yes" as a default property in |
640 | ++this mode so that algorithm fetches will only fetch algorithms that define |
641 | ++this property and are FIPS-approved. To use algorithms that are not FIPS |
642 | ++approved, either specify "-fips" or "fips=no" as a property query string with |
643 | ++fetching functions, or use the L<EVP_default_properties_enable_fips(3)> function |
644 | ++to remove the default property for a specific B<OSSL_LIB_CTX>. |
645 | ++ |
646 | + =head2 Making all applications use the FIPS module by default |
647 | + |
648 | + One simple approach is to cause all applications that are using OpenSSL to only |
649 | +diff --git a/test/build.info b/test/build.info |
650 | +index 416c2270771a..02d9f082d072 100644 |
651 | +--- a/test/build.info |
652 | ++++ b/test/build.info |
653 | +@@ -61,7 +61,7 @@ IF[{- !$disabled{tests} -}] |
654 | + keymgmt_internal_test hexstr_test provider_status_test defltfips_test \ |
655 | + bio_readbuffer_test user_property_test pkcs7_test upcallstest \ |
656 | + provfetchtest prov_config_test rand_test fips_version_test \ |
657 | +- nodefltctxtest |
658 | ++ nodefltctxtest fips_auto_enable_test |
659 | + |
660 | + IF[{- !$disabled{'deprecated-3.0'} -}] |
661 | + PROGRAMS{noinst}=enginetest |
662 | +@@ -599,6 +599,10 @@ IF[{- !$disabled{tests} -}] |
663 | + INCLUDE[cmp_client_test]=.. ../include ../apps/include |
664 | + DEPEND[cmp_client_test]=../libcrypto.a libtestutil.a |
665 | + |
666 | ++ SOURCE[fips_auto_enable_test]=fips_auto_enable_test.c |
667 | ++ INCLUDE[fips_auto_enable_test]=../include ../apps/include |
668 | ++ DEPEND[fips_auto_enable_test]=../libcrypto libtestutil.a |
669 | ++ |
670 | + # Internal test programs. These are essentially a collection of internal |
671 | + # test routines. Some of them need to reach internal symbols that aren't |
672 | + # available through the shared library (at least on Linux, Solaris, Windows |
673 | +diff --git a/test/fips_auto_enable_test.c b/test/fips_auto_enable_test.c |
674 | +new file mode 100644 |
675 | +index 000000000000..5135ab1b5772 |
676 | +--- /dev/null |
677 | ++++ b/test/fips_auto_enable_test.c |
678 | +@@ -0,0 +1,106 @@ |
679 | ++/* |
680 | ++ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. |
681 | ++ * |
682 | ++ * Licensed under the Apache License 2.0 (the "License"). You may not use |
683 | ++ * this file except in compliance with the License. You can obtain a copy |
684 | ++ * in the file LICENSE in the source distribution or at |
685 | ++ * https://www.openssl.org/source/license.html |
686 | ++ */ |
687 | ++ |
688 | ++#include <openssl/evp.h> |
689 | ++#include <openssl/provider.h> |
690 | ++#include "testutil.h" |
691 | ++ |
692 | ++static int badfips; |
693 | ++static int context; |
694 | ++static int fips; |
695 | ++ |
696 | ++static int test_fips_auto(void) |
697 | ++{ |
698 | ++ OSSL_LIB_CTX *libctx = NULL; |
699 | ++ EVP_MD *sha256 = NULL; |
700 | ++ int is_fips_enabled, fips_loaded, default_loaded; |
701 | ++ const char *prov_name, *expected_prov_name = fips ? "fips" : "default"; |
702 | ++ int testresult = 0; |
703 | ++ |
704 | ++ if (context) { |
705 | ++ if (!TEST_ptr(libctx = OSSL_LIB_CTX_new())) |
706 | ++ goto err; |
707 | ++ } |
708 | ++ |
709 | ++ is_fips_enabled = EVP_default_properties_is_fips_enabled(libctx); |
710 | ++ |
711 | ++ if (!TEST_int_eq(is_fips_enabled, fips)) |
712 | ++ goto err; |
713 | ++ |
714 | ++ sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL); |
715 | ++ if (!fips || !badfips) { |
716 | ++ if (!TEST_ptr(sha256)) |
717 | ++ goto err; |
718 | ++ |
719 | ++ prov_name = OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)); |
720 | ++ if (!TEST_str_eq(prov_name, expected_prov_name)) |
721 | ++ goto err; |
722 | ++ } else if (!TEST_ptr_null(sha256)) |
723 | ++ goto err; |
724 | ++ |
725 | ++ fips_loaded = OSSL_PROVIDER_available(libctx, "fips"); |
726 | ++ default_loaded = OSSL_PROVIDER_available(libctx, "default"); |
727 | ++ |
728 | ++ if (!TEST_int_eq(fips_loaded, fips && !badfips) || |
729 | ++ !TEST_int_eq(default_loaded, !fips && !badfips)) |
730 | ++ goto err; |
731 | ++ |
732 | ++ testresult = 1; |
733 | ++ err: |
734 | ++ EVP_MD_free(sha256); |
735 | ++ OSSL_LIB_CTX_free(libctx); |
736 | ++ return testresult; |
737 | ++} |
738 | ++ |
739 | ++typedef enum OPTION_choice { |
740 | ++ OPT_ERR = -1, |
741 | ++ OPT_EOF = 0, |
742 | ++ OPT_FIPS, |
743 | ++ OPT_BAD_FIPS, |
744 | ++ OPT_CONTEXT, |
745 | ++ OPT_TEST_ENUM |
746 | ++} OPTION_CHOICE; |
747 | ++ |
748 | ++const OPTIONS *test_get_options(void) |
749 | ++{ |
750 | ++ static const OPTIONS options[] = { |
751 | ++ OPT_TEST_OPTIONS_DEFAULT_USAGE, |
752 | ++ { "fips", OPT_FIPS, '-', "Test library context in FIPS mode" }, |
753 | ++ { "badfips", OPT_BAD_FIPS, '-', "Expect FIPS mode not to work correctly" }, |
754 | ++ { "context", OPT_CONTEXT, '-', "Explicitly use a non-default library context" }, |
755 | ++ { NULL } |
756 | ++ }; |
757 | ++ return options; |
758 | ++} |
759 | ++ |
760 | ++int setup_tests(void) |
761 | ++{ |
762 | ++ OPTION_CHOICE o; |
763 | ++ |
764 | ++ while ((o = opt_next()) != OPT_EOF) { |
765 | ++ switch (o) { |
766 | ++ case OPT_FIPS: |
767 | ++ fips = 1; |
768 | ++ break; |
769 | ++ case OPT_BAD_FIPS: |
770 | ++ badfips = 1; |
771 | ++ break; |
772 | ++ case OPT_CONTEXT: |
773 | ++ context = 1; |
774 | ++ break; |
775 | ++ case OPT_TEST_CASES: |
776 | ++ break; |
777 | ++ default: |
778 | ++ return 0; |
779 | ++ } |
780 | ++ } |
781 | ++ |
782 | ++ ADD_TEST(test_fips_auto); |
783 | ++ return 1; |
784 | ++} |
785 | +diff --git a/test/recipes/04-test_auto_fips_mode.t b/test/recipes/04-test_auto_fips_mode.t |
786 | +new file mode 100644 |
787 | +index 000000000000..fcd4b3d4e8a3 |
788 | +--- /dev/null |
789 | ++++ b/test/recipes/04-test_auto_fips_mode.t |
790 | +@@ -0,0 +1,50 @@ |
791 | ++#! /usr/bin/env perl |
792 | ++# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. |
793 | ++# |
794 | ++# Licensed under the Apache License 2.0 (the "License"). You may not use |
795 | ++# this file except in compliance with the License. You can obtain a copy |
796 | ++# in the file LICENSE in the source distribution or at |
797 | ++# https://www.openssl.org/source/license.html |
798 | ++ |
799 | ++use strict; |
800 | ++use warnings; |
801 | ++ |
802 | ++use File::Spec::Functions qw/curdir/; |
803 | ++use OpenSSL::Test qw/:DEFAULT srctop_dir/; |
804 | ++use OpenSSL::Test::Utils; |
805 | ++use Cwd qw(abs_path); |
806 | ++ |
807 | ++BEGIN { |
808 | ++ setup("test_auto_fips_mode"); |
809 | ++} |
810 | ++ |
811 | ++my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); |
812 | ++ |
813 | ++plan tests => ($no_fips ? 5 : 7); |
814 | ++ |
815 | ++$ENV{OPENSSL_FIPS_MODE_SWITCH_PATH} = abs_path(srctop_dir("test", "recipes", |
816 | ++ "04-test_auto_fips_mode", "notexist")); |
817 | ++ok(run(test(["fips_auto_enable_test"])), "running fips_auto_enable_test"); |
818 | ++ok(run(test(["fips_auto_enable_test", "-context"])), |
819 | ++ "running fips_auto_enable_test -context"); |
820 | ++ |
821 | ++$ENV{OPENSSL_FIPS_MODE_SWITCH_PATH} = abs_path(srctop_dir("test", "recipes", |
822 | ++ "04-test_auto_fips_mode", "off")); |
823 | ++ok(run(test(["fips_auto_enable_test"])), |
824 | ++ "running fips_auto_enable_test with FIPS mode off"); |
825 | ++ok(run(test(["fips_auto_enable_test", "-context"])), |
826 | ++ "running fips_auto_enable_test -context with FIPS mode off"); |
827 | ++ |
828 | ++$ENV{OPENSSL_FIPS_MODE_SWITCH_PATH} = abs_path(srctop_dir("test", "recipes", |
829 | ++ "04-test_auto_fips_mode", "on")); |
830 | ++ |
831 | ++unless($no_fips) { |
832 | ++ ok(run(test(["fips_auto_enable_test", "-fips"])), |
833 | ++ "running fips_auto_enable_test -fips"); |
834 | ++ ok(run(test(["fips_auto_enable_test", "-context", "-fips"])), |
835 | ++ "running fips_auto_enable_test -context -fips"); |
836 | ++} |
837 | ++ |
838 | ++$ENV{OPENSSL_MODULES} = curdir(); |
839 | ++ok(run(test(["fips_auto_enable_test", "-fips", "-badfips"])), |
840 | ++ "running fips_auto_enable_test -fips -badfips"); |
841 | +diff --git a/test/recipes/04-test_auto_fips_mode/off b/test/recipes/04-test_auto_fips_mode/off |
842 | +new file mode 100644 |
843 | +index 000000000000..573541ac9702 |
844 | +--- /dev/null |
845 | ++++ b/test/recipes/04-test_auto_fips_mode/off |
846 | +@@ -0,0 +1 @@ |
847 | ++0 |
848 | +diff --git a/test/recipes/04-test_auto_fips_mode/on b/test/recipes/04-test_auto_fips_mode/on |
849 | +new file mode 100644 |
850 | +index 000000000000..d00491fd7e5b |
851 | +--- /dev/null |
852 | ++++ b/test/recipes/04-test_auto_fips_mode/on |
853 | +@@ -0,0 +1 @@ |
854 | ++1 |
855 | +diff --git a/test/run_tests.pl b/test/run_tests.pl |
856 | +index 4384ebe28e0d..b52d5b7ee05e 100644 |
857 | +--- a/test/run_tests.pl |
858 | ++++ b/test/run_tests.pl |
859 | +@@ -37,6 +37,7 @@ $ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf")); |
860 | + $ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test")); |
861 | + $ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers")); |
862 | + $ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines")); |
863 | ++$ENV{OPENSSL_FIPS_MODE_SWITCH_PATH} = "/nonexistant"; |
864 | + $ENV{CTLOG_FILE} = rel2abs(catfile($srctop, "test", "ct", "log_list.cnf")); |
865 | + |
866 | + my %tapargs = |
867 | diff --git a/debian/patches/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch b/debian/patches/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch |
868 | new file mode 100644 |
869 | index 0000000..3b2b15f |
870 | --- /dev/null |
871 | +++ b/debian/patches/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch |
872 | @@ -0,0 +1,57 @@ |
873 | +From: Chris Coulson <chris.coulson@canonical.com> |
874 | +Date: Thu, 30 Mar 2023 16:10:16 +0100 |
875 | +Subject: test: Ensure encoding runs with the correct context during |
876 | + test_encoder_decoder |
877 | + |
878 | +Forwarded: no |
879 | +Applied-Upstream: no |
880 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593 |
881 | + |
882 | +This test uses 2 library contexts - one context for creating initial test keys, |
883 | +and then another context (or the default context) for running tests. There is an |
884 | +issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the |
885 | +created EVP_PKEYs, which are associated with the library context used to create |
886 | +the keys. This means that encoding tests run with the wrong library context, |
887 | +which always uses the default provider. |
888 | +--- |
889 | + test/endecode_test.c | 15 +++++++++++++-- |
890 | + 1 file changed, 13 insertions(+), 2 deletions(-) |
891 | + |
892 | +diff --git a/test/endecode_test.c b/test/endecode_test.c |
893 | +index 5158b39ee41f..ce6febe619a8 100644 |
894 | +--- a/test/endecode_test.c |
895 | ++++ b/test/endecode_test.c |
896 | +@@ -105,11 +105,12 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) |
897 | + static EVP_PKEY *make_key(const char *type, EVP_PKEY *template, |
898 | + OSSL_PARAM *genparams) |
899 | + { |
900 | +- EVP_PKEY *pkey = NULL; |
901 | ++ EVP_PKEY *tmp_pkey = NULL, *pkey = NULL; |
902 | + EVP_PKEY_CTX *ctx = |
903 | + template != NULL |
904 | + ? EVP_PKEY_CTX_new_from_pkey(keyctx, template, testpropq) |
905 | + : EVP_PKEY_CTX_new_from_name(keyctx, type, testpropq); |
906 | ++ OSSL_PARAM *params = NULL; |
907 | + |
908 | + /* |
909 | + * No real need to check the errors other than for the cascade |
910 | +@@ -119,8 +120,18 @@ static EVP_PKEY *make_key(const char *type, EVP_PKEY *template, |
911 | + && EVP_PKEY_keygen_init(ctx) > 0 |
912 | + && (genparams == NULL |
913 | + || EVP_PKEY_CTX_set_params(ctx, genparams) > 0) |
914 | +- && EVP_PKEY_keygen(ctx, &pkey) > 0); |
915 | ++ && EVP_PKEY_keygen(ctx, &tmp_pkey) > 0); |
916 | ++ EVP_PKEY_CTX_free(ctx); |
917 | ++ |
918 | ++ (void)(tmp_pkey != NULL |
919 | ++ && ((ctx = EVP_PKEY_CTX_new_from_name(testctx, type, testpropq)) != NULL) |
920 | ++ && EVP_PKEY_todata(pkey, EVP_PKEY_KEYPAIR, ¶ms) > 0 |
921 | ++ && EVP_PKEY_fromdata_init(ctx) > 0 |
922 | ++ && EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) > 0); |
923 | ++ OSSL_PARAM_free(params); |
924 | + EVP_PKEY_CTX_free(ctx); |
925 | ++ EVP_PKEY_free(tmp_pkey); |
926 | ++ |
927 | + return pkey; |
928 | + } |
929 | + #endif |
930 | diff --git a/debian/patches/series b/debian/patches/series |
931 | index 7c3b688..c8b1797 100644 |
932 | --- a/debian/patches/series |
933 | +++ b/debian/patches/series |
934 | @@ -18,3 +18,10 @@ intel/0001-Dual-1536-2048-bit-exponentiation-optimization-for-I.patch |
935 | # Skipped due to issues appearing in the testsuite on 3.0.13 following dupctx |
936 | # changes in 3.0.13 |
937 | # intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch |
938 | + |
939 | +# FIPS patches |
940 | +fips/crypto-Add-kernel-FIPS-mode-detection.patch |
941 | +fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch |
942 | +fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch |
943 | +fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch |
944 | +fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch |
Built deb is available at https:/ /launchpad. net/~tobhe/ +archive/ ubuntu/ openssl- test/+packages