components/openssl/openssl-0.9.8-fips-140/patches/26-openssl_fips.patch
author Ron Jordan <ron.jordan@oracle.com>
Mon, 20 Feb 2012 15:10:50 -0800
branchs11-sru
changeset 2245 33f69d07ad8a
parent 363 9c0cad004039
permissions -rw-r--r--
7131685 Need to upgrade openssl to 1.0.0g for CVE-2012-0050 7146824 S11 SRU openssl-1.0.0 Makefile variables unnecessarily differ from S11 Update

--- openssl-0.9.8m/apps/openssl.c	Thu Oct 15 19:28:02 2009
+++ openssl-0.9.8m/apps/openssl.c	Fri Feb 26 16:12:30 2010
@@ -130,6 +130,9 @@
 #include "s_apps.h"
 #include <openssl/err.h>
 
+/* Solaris OpenSSL */
+#include <dlfcn.h>
+
 /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
  * base prototypes (we cast each variable inside the function to the required
  * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper
@@ -151,9 +154,10 @@
 #endif
 
 
+static int *modes;
+
 static void lock_dbg_cb(int mode, int type, const char *file, int line)
 	{
-	static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
 	const char *errstr = NULL;
 	int rw;
 	
@@ -164,7 +168,7 @@
 		goto err;
 		}
 
-	if (type < 0 || type >= CRYPTO_NUM_LOCKS)
+	if (type < 0 || type >= CRYPTO_num_locks())
 		{
 		errstr = "type out of bounds";
 		goto err;
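Review bot: The bound on `type` is re-read from `CRYPTO_num_locks()` on every callback, while the `modes` array it protects is sized by a separate `CRYPTO_num_locks()` call in the allocation hunk (`modes = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (int))`). The check and the buffer agree only if the library returns the same value on every call; storing the count once beside the allocation, e.g. `static int num_modes;`, and testing `type >= num_modes` here would tie the check to the real array length. The check also does not cover `modes == NULL`, which presumably cannot occur because the callback is installed only after the allocation succeeds; a comment on `static int *modes;` such as `/* allocated in main() before lock_dbg_cb is registered; CRYPTO_num_locks() entries */` would record that invariant. lock_dbg_cb's body continues outside this hunk.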
@@ -235,19 +239,29 @@
 
 	in_FIPS_mode = 0;
 
+/*
+ * Solaris OpenSSL
+ * Add a further check for the FIPS_mode_set() symbol before calling to
+ * allow openssl(1openssl) to be run against both fips and non-fips libraries.
+ */
 	if(getenv("OPENSSL_FIPS")) {
-#ifdef OPENSSL_FIPS
-		if (!FIPS_mode_set(1)) {
+
+	int (*FIPS_mode_set)(int);
+	FIPS_mode_set = (int (*)(int)) dlsym(RTLD_NEXT, "FIPS_mode_set");
+
+	if (FIPS_mode_set != NULL) {
+		if (!(*FIPS_mode_set)(1)) {
 			ERR_load_crypto_strings();
 			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 			EXIT(1);
 		}
 		in_FIPS_mode = 1;
-#else
-		fprintf(stderr, "FIPS mode not supported.\n");
+	} else {
+			fprintf(stderr, "Failed to enable FIPS mode. "
+			    "For more information about running in FIPS mode see openssl(5).\n");
 		EXIT(1);
-#endif
 		}
+		}
 
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
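Review bot: Enabling FIPS mode now rests on a by-name lookup, `dlsym(RTLD_NEXT, "FIPS_mode_set")`, which resolves to the next object in the search order that exports that name. A non-NULL result therefore shows that some loaded library provides the symbol, not that the libcrypto this binary is bound to is the FIPS build. The `else` branch fails closed, which is the right default, but it drops the lookup error; appending `dlerror()` to the existing message (guarding against a NULL return) would make a wrong library path diagnosable. The local pointer shadows any header declaration of `FIPS_mode_set`, so a distinct name such as `fips_mode_set_fn` would read more clearly, and the indentation of the added block does not match its braces, in particular the two closing braces after `EXIT(1);`. The enclosing function starts and ends outside the hunk.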
@@ -272,6 +286,14 @@
 	if (getenv("OPENSSL_DEBUG_LOCKING") != NULL)
 #endif
 		{
+		modes = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (int));
+		if (modes == NULL) {
+			ERR_load_crypto_strings();
+			BIO_printf(bio_err,"Memory allocation failure\n");
+			ERR_print_errors(bio_err);
+			EXIT(1);
+		}
+		memset(modes, 0, CRYPTO_num_locks() * sizeof (int));
 		CRYPTO_set_locking_callback(lock_dbg_cb);
 		}
 
@@ -379,6 +401,8 @@
 		BIO_free(bio_err);
 		bio_err=NULL;
 		}
+
+	if (modes != NULL) OPENSSL_free(modes);
 	OPENSSL_EXIT(ret);
 	}
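Review bot: `modes` is freed while `lock_dbg_cb` is still registered as the locking callback, so any lock taken after this line would index freed memory. Whether `OPENSSL_EXIT(ret)` or an exit-time handler takes a lock is not visible from this hunk, so treat this as a hardening point rather than a confirmed fault. Unregistering first and clearing the pointer closes the window: `if (modes != NULL) { CRYPTO_set_locking_callback(NULL); OPENSSL_free(modes); modes = NULL; }`. The enclosing function starts outside the hunk.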