/[smecontribs]/rpms/openssl3/contribs10/0033-FIPS-embed-hmac.patch

Annotation of /rpms/openssl3/contribs10/0033-FIPS-embed-hmac.patch



Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:36 2024 UTC (9 months, 3 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c
2     --- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100
3     +++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100
4     @@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
5     }
6     #endif
7    
8     +#define HMAC_LEN 32
9     +/*
10     + * The __attribute__ ensures we've created the .rodata1 section
11     + * static ensures it's zero filled
12     +*/
13     +static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
14     +
15     /*
16     * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
17     * the result matches the expected value.
18     * Return 1 if verified, or 0 if it fails.
19     */
20     +#ifndef __USE_GNU
21     +#define __USE_GNU
22     +#include <dlfcn.h>
23     +#undef __USE_GNU
24     +#else
25     +#include <dlfcn.h>
26     +#endif
27     +#include <link.h>
28     +
29     static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
30     unsigned char *expected, size_t expected_len,
31     OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
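Review bot: The `#define __USE_GNU` / `#undef __USE_GNU` wrapper around `<dlfcn.h>` defines a reserved, glibc-internal identifier that `<features.h>` normally derives from `_GNU_SOURCE`; whether it actually exposes `dladdr1`, `Dl_info` and `RTLD_DL_LINKMAP` depends on whether `<features.h>` was already pulled in by an earlier include, and undefining it afterwards can hide GNU-only declarations from headers included later (the `<link.h>` that follows, for one). The robust form is `#define _GNU_SOURCE` before the first system include of this file, or `-D_GNU_SOURCE` in the build flags, followed by a plain `#include <dlfcn.h>`. The comment on `fips_hmac_container` is also slightly misleading: it is the explicit `= {0}` initializer that makes the contents zero, while `static` only gives the symbol internal linkage; suggest `/* static: internal linkage; the = {0} initializer makes the container all-zero at link time */`. The `verify_integrity` signature at the end of this hunk continues past it.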
32     @@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI
33     EVP_MAC *mac = NULL;
34     EVP_MAC_CTX *ctx = NULL;
35     OSSL_PARAM params[2], *p = params;
36     + Dl_info info;
37     + void *extra_info = NULL;
38     + struct link_map *lm = NULL;
39     + unsigned long paddr;
40     + unsigned long off = 0;
41    
42     OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
43    
44     + if (!dladdr1 ((const void *)fips_hmac_container,
45     + &info, &extra_info, RTLD_DL_LINKMAP))
46     + goto err;
47     + lm = extra_info;
48     + paddr = (unsigned long)fips_hmac_container - lm->l_addr;
49     +
50     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
51     if (mac == NULL)
52     goto err;
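Review bot: `paddr = (unsigned long)fips_hmac_container - lm->l_addr;` produces the container's link-time virtual address (runtime address minus the load bias in `l_addr`), and the following hunk then uses `paddr` as a byte offset into the module file read through `read_ex_cb`; that equivalence holds only when the PT_LOAD segment containing `.rodata1` has `p_vaddr == p_offset`, which nothing here verifies. The assumption should be stated where the value is computed, e.g. `/* link-time vaddr of the container, used below as its file offset; relies on the read-only segment having p_vaddr == p_offset */`, and `uintptr_t` is the appropriate type for the pointer-to-integer conversion rather than `unsigned long`. A `dladdr1` failure is routed to `err` before `mac`/`ctx` are assigned, so it presumably relies on `err:` tolerating NULLs; that label is outside the hunk. `verify_integrity` starts in the previous hunk and continues past this one.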
53     @@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI
54     if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
55     goto err;
56    
57     - while (1) {
58     - status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
59     + while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
60     + status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
61     if (status != 1)
62     break;
63     if (!EVP_MAC_update(ctx, buf, bytes_read))
64     goto err;
65     + off += bytes_read;
66     }
67     +
68     + if (off + INTEGRITY_BUF_SIZE > paddr) {
69     + int delta = paddr - off;
70     + status = read_ex_cb(bio, buf, delta, &bytes_read);
71     + if (status != 1)
72     + goto err;
73     + if (!EVP_MAC_update(ctx, buf, bytes_read))
74     + goto err;
75     + off += bytes_read;
76     +
77     + status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
78     + memset(buf, 0, HMAC_LEN);
79     + if (status != 1)
80     + goto err;
81     + if (!EVP_MAC_update(ctx, buf, bytes_read))
82     + goto err;
83     + off += bytes_read;
84     + }
85     +
86     + while (bytes_read > 0) {
87     + status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
88     + if (status != 1)
89     + break;
90     + if (!EVP_MAC_update(ctx, buf, bytes_read))
91     + goto err;
92     + off += bytes_read;
93     + }
94     +
95     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
96     goto err;
97    
98     @@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
99     CRYPTO_THREAD_unlock(fips_state_lock);
100     }
101    
102     - if (st == NULL
103     - || st->module_checksum_data == NULL) {
104     + if (st == NULL) {
105     ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
106     goto end;
107     }
108     @@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
109     if (ev == NULL)
110     goto end;
111    
112     - module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
113     - &checksum_len);
114     + module_checksum = fips_hmac_container;
115     + checksum_len = sizeof(fips_hmac_container);
116     +
117     if (module_checksum == NULL) {
118     ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
119     goto end;
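Review bot: `module_checksum = fips_hmac_container;` assigns the address of a `const unsigned char` array to `module_checksum`, which the removed `OPENSSL_hexstr2buf` assignment and the `unsigned char *expected` parameter of `verify_integrity` indicate is a non-const pointer, so this discards a qualifier and should warn under `-Wall`; the declaration is outside the hunk and should become `const unsigned char *module_checksum`, with `expected` in `verify_integrity` made `const` to match. The `if (module_checksum == NULL)` check that follows can no longer be true, since the address of a static array is never NULL, so the `PROV_R_INVALID_CONFIG_DATA` branch is now dead code and should be removed or replaced by a comment explaining what actually guards an unembedded module, e.g. `/* container is always present; an unpopulated (all-zero) container is expected to fail the comparison in verify_integrity */`.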
120     @@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
121     ok = 1;
122     end:
123     OSSL_SELF_TEST_free(ev);
124     - OPENSSL_free(module_checksum);
125     OPENSSL_free(indicator_checksum);
126    
127     if (st != NULL) {
128     diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t
129     --- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
130     +++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100
131     @@ -20,7 +20,7 @@
132     use lib bldtop_dir('.');
133     use platform;
134    
135     -my $no_check = disabled("fips");
136     +my $no_check = 1;
137     plan skip_all => "FIPS module config file only supported in a fips build"
138     if $no_check;
139    
140     diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t
141     --- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
142     +++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100
143     @@ -23,7 +23,7 @@
144     use lib bldtop_dir('.');
145     use platform;
146    
147     -my $no_check = disabled("fips");
148     +my $no_check = 1;
149     plan skip_all => "Test only supported in a fips build"
150     if $no_check;
151     plan tests => 1;
152     diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t
153     --- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200
154     +++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100
155     @@ -22,7 +22,7 @@
156     use lib bldtop_dir('.');
157     use platform;
158    
159     -plan skip_all => "Test only supported in a fips build" if disabled("fips");
160     +plan skip_all => "Test only supported in a fips build" if 1;
161    
162     plan tests => 29;
163    
164     diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t
165     --- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200
166     +++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100
167     @@ -21,7 +21,7 @@
168     use lib srctop_dir('Configurations');
169     use lib bldtop_dir('.');
170    
171     -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
172     +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
173    
174     plan tests =>
175     ($no_fips ? 1 : 5);
176     diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t
177     --- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200
178     +++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100
179     @@ -23,7 +23,7 @@
180     use lib srctop_dir('Configurations');
181     use lib bldtop_dir('.');
182    
183     -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
184     +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
185    
186     $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
187    
188     diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t
189     --- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100
190     +++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100
191     @@ -18,7 +18,7 @@
192     use lib srctop_dir('Configurations');
193     use lib bldtop_dir('.');
194    
195     -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
196     +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
197    
198     plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
199     if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
200     --- /dev/null 2021-11-16 15:27:32.915000000 +0100
201     +++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100
202     @@ -0,0 +1,2 @@
203     +[fips_sect]
204     +activate = 1
