diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index d6cbc27..ebb1948 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -14,11 +14,13 @@
#include <openssl/pkcs12.h>
#include <openssl/objects.h>
+extern int init_will_enter_fips_mode;
+
void openssl_add_all_ciphers_int(void)
{
#ifdef OPENSSL_FIPS
- if (!FIPS_mode()) {
+ if (init_will_enter_fips_mode == 0) {
#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
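Review bot: `extern int init_will_enter_fips_mode;` here is a hand-written forward declaration of the global defined in crypto/fips/fips.c, and the same declaration is repeated in crypto/o_init.c; with no shared header, a later rename or type change in one of the three files is not caught by the compiler in the others. Moving the declaration into an internal header that all three translation units include, and keeping only the `int init_will_enter_fips_mode = 0;` definition in fips.c, makes the three hunks agree by construction. The replacement condition also depends on init_fips_mode() having already run, since the flag stays 0 until that function reads the switch file; if openssl_add_all_ciphers_int can be reached earlier in the init sequence, the non-approved cipher set would be registered in a process that is about to enter FIPS mode, so the init ordering is worth confirming. A comment at the condition would help the next reader, e.g. `/* FIPS_mode() is unusable here: init_fips_mode() calls FIPS_mode_set(1) for the selftests even when the process stays non-FIPS, so consult the flag it sets instead. */`. openssl_add_all_ciphers_int's body continues outside the hunk.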
diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c
index 9d88bd2..5ee51a1 100644
--- a/crypto/fips/fips.c
+++ b/crypto/fips/fips.c
@@ -73,6 +73,9 @@
# define PATH_MAX 1024
# endif
+/* Not static because it will be accessed outside this file. */
+int init_will_enter_fips_mode = 0;
+
static int fips_selftest_fail = 0;
static int fips_mode = 0;
static int fips_started = 0;
diff --git a/crypto/o_init.c b/crypto/o_init.c
index 4118938..72a7eea 100644
--- a/crypto/o_init.c
+++ b/crypto/o_init.c
@@ -24,21 +24,30 @@
# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+extern int init_will_enter_fips_mode;
+
static void init_fips_mode(void)
{
char buf[2] = "0";
int fd;
- /* Ensure the selftests always run */
- /* XXX: TO SOLVE - premature initialization due to selftests */
- FIPS_mode_set(1);
-
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
close(fd);
}
+
+ /* Even though we hacked this so that we do the FIPS tests when we */
+ /* are not going to be in FIPS mode, some elements need to know if we */
+ /* are TRULY going to be in FIPS mode. */
+ if (buf[0] == '1')
+ init_will_enter_fips_mode = 1;
+
+ /* Ensure the selftests always run */
+ /* XXX: TO SOLVE - premature initialization due to selftests */
+ FIPS_mode_set(1);
+
/* Failure reading the fips mode switch file means just not
* switching into FIPS mode. We would break too many things
* otherwise..