[rpms/openssl] rebase_40beta: FIPS module installed state definition is modified

[Tomas Mraz <tmraz@fedoraproject.org>]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 89a24d69fca3f59d40038cc30e9bbf74cd38a6e1
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2020-05-15T17:45:44+02:00
Stats  : +14/-10 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/89a24d69fca3f59d40038cc30e9bbf74cd38a6e1?branch=rebase_40beta

Log:
FIPS module installed state definition is modified

---
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index 7a0580f..4fd1117 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -2303,7 +2303,7 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips.
 +        rv = 0;
 +
 +    /* Installed == true */
-+    return !rv;
++    return !rv || FIPS_module_mode();
 +}
 +
 +int FIPS_module_mode_set(int onoff)
@@ -9865,7 +9865,7 @@ diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c
 diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
 --- openssl-1.1.1e/crypto/o_init.c.fips	2020-03-17 15:31:17.000000000 +0100
 +++ openssl-1.1.1e/crypto/o_init.c	2020-03-17 17:30:52.052566939 +0100
-@@ -7,8 +7,68 @@
+@@ -7,8 +7,69 @@
   * https://www.openssl.org/source/license.html
   */
  
@@ -9891,16 +9891,20 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
 +    char buf[2] = "0";
 +    int fd;
 +
-+    /* Ensure the selftests always run */
-+    /* XXX: TO SOLVE - premature initialization due to selftests */
-+    FIPS_mode_set(1);
-+
 +    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
 +        buf[0] = '1';
 +    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
 +        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
 +        close(fd);
 +    }
++
++    if (buf[0] != '1' && !FIPS_module_installed())
++        return;
++
++    /* Ensure the selftests always run */
++    /* XXX: TO SOLVE - premature initialization due to selftests */
++    FIPS_mode_set(1);
++
 +    /* Failure reading the fips mode switch file means just not
 +     * switching into FIPS mode. We would break too many things
 +     * otherwise..
@@ -9925,9 +9929,6 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
 +    if (done)
 +        return;
 +    done = 1;
-+    if (!FIPS_module_installed()) {
-+        return;
-+    }
 +    init_fips_mode();
 +}
 +#endif

diff --git a/openssl.spec b/openssl.spec
index a3a2e23..e4c2cba 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1g
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -457,6 +457,9 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
+- FIPS module installed state definition is modified
+
 * Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
 - update to the 1.1.1g release