/*
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
|
/* for secure_getenv */
#define _GNU_SOURCE
#include "e_os.h"
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
# include <sys/types.h>
# include <sys/stat.h>
# include <fcntl.h>
# include <unistd.h>
# include <errno.h>
# include <stdlib.h>
# include <openssl/rand.h>
# include <openssl/fips.h>
# include "crypto/fips.h"
|
# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
/*
 * Decide at library load time whether to switch into FIPS mode.
 *
 * FIPS mode is requested when either
 *   - the environment variable OPENSSL_FORCE_FIPS_MODE is set (only its
 *     presence is tested, so any value, including an empty one, counts), or
 *   - the first byte read from FIPS_MODE_SWITCH_FILE is '1'.
 *
 * The variable is looked up with secure_getenv(), which glibc makes return
 * NULL when the process runs in secure-execution mode (for example a
 * set-user-ID program), so the environment of such a program cannot force
 * the switch.
 *
 * Security note: a switch file that cannot be opened or read leaves the
 * flag at its default "0", i.e. the library stays in non-FIPS mode rather
 * than failing. The original author documents this as deliberate ("We
 * would break too many things otherwise").
 */
static void init_fips_mode(void)
{
    char state[2] = "0";
    int want_fips;

    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") == NULL) {
        int sw = open(FIPS_MODE_SWITCH_FILE, O_RDONLY);

        if (sw >= 0) {
            ssize_t got;

            /* Retry only when the read was interrupted by a signal. */
            do {
                got = read(sw, state, sizeof(state));
            } while (got < 0 && errno == EINTR);
            close(sw);
        }
    } else {
        state[0] = '1';
    }

    /* Only the first byte decides; a failed or empty read keeps '0'. */
    want_fips = (state[0] == '1');

    /* Nothing to do when FIPS is neither requested nor installed. */
    if (!want_fips && !FIPS_module_installed())
        return;

    /*
     * Enter FIPS mode unconditionally so that the selftests always run.
     * XXX: TO SOLVE - premature initialization due to selftests
     */
    FIPS_mode_set(1);

    if (want_fips) {
        /* Per the original comment: aborts if the selftest failed. */
        FIPS_selftest_check();
    } else {
        /* FIPS was not requested: drop back down to non-FIPS mode. */
        FIPS_mode_set(0);
    }
}
|
/*
* Perform FIPS module power on selftest and automatic FIPS mode switch.
*/
|
void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
    /*
     * One-shot latch: the constructor attribute makes the loader call this
     * function, and because it is also an ordinary external symbol it may
     * be called again explicitly; only the first call does any work.
     * The latch is a plain int, so it gives no protection against
     * concurrent callers.
     */
    static int done = 0;

    if (!done) {
        /* Set the latch before the work, as a re-entrant call must no-op. */
        done = 1;
        init_fips_mode();
    }
}
#endif
|
/*
* Perform any essential OpenSSL initialization operations. Currently does
* nothing.
*/
|
void OPENSSL_init(void)
{
    /* Intentionally empty: this entry point performs no initialization. */
}