/[smecontribs]/rpms/openssl3/contribs10/0033-FIPS-embed-hmac.patch
ViewVC logotype

Contents of /rpms/openssl3/contribs10/0033-FIPS-embed-hmac.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:36 2024 UTC (9 months, 4 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c
2 --- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100
3 +++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100
4 @@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
5 }
6 #endif
7
8 +#define HMAC_LEN 32
9 +/*
10 + * The __attribute__ ensures we've created the .rodata1 section
11 + * static ensures it's zero filled
12 +*/
13 +static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
14 +
15 /*
16 * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
17 * the result matches the expected value.
18 * Return 1 if verified, or 0 if it fails.
19 */
20 +#ifndef __USE_GNU
21 +#define __USE_GNU
22 +#include <dlfcn.h>
23 +#undef __USE_GNU
24 +#else
25 +#include <dlfcn.h>
26 +#endif
27 +#include <link.h>
28 +
29 static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
30 unsigned char *expected, size_t expected_len,
31 OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
32 @@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI
33 EVP_MAC *mac = NULL;
34 EVP_MAC_CTX *ctx = NULL;
35 OSSL_PARAM params[2], *p = params;
36 + Dl_info info;
37 + void *extra_info = NULL;
38 + struct link_map *lm = NULL;
39 + unsigned long paddr;
40 + unsigned long off = 0;
41
42 OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
43
44 + if (!dladdr1 ((const void *)fips_hmac_container,
45 + &info, &extra_info, RTLD_DL_LINKMAP))
46 + goto err;
47 + lm = extra_info;
48 + paddr = (unsigned long)fips_hmac_container - lm->l_addr;
49 +
50 mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
51 if (mac == NULL)
52 goto err;
53 @@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI
54 if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
55 goto err;
56
57 - while (1) {
58 - status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
59 + while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
60 + status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
61 if (status != 1)
62 break;
63 if (!EVP_MAC_update(ctx, buf, bytes_read))
64 goto err;
65 + off += bytes_read;
66 }
67 +
68 + if (off + INTEGRITY_BUF_SIZE > paddr) {
69 + int delta = paddr - off;
70 + status = read_ex_cb(bio, buf, delta, &bytes_read);
71 + if (status != 1)
72 + goto err;
73 + if (!EVP_MAC_update(ctx, buf, bytes_read))
74 + goto err;
75 + off += bytes_read;
76 +
77 + status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
78 + memset(buf, 0, HMAC_LEN);
79 + if (status != 1)
80 + goto err;
81 + if (!EVP_MAC_update(ctx, buf, bytes_read))
82 + goto err;
83 + off += bytes_read;
84 + }
85 +
86 + while (bytes_read > 0) {
87 + status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
88 + if (status != 1)
89 + break;
90 + if (!EVP_MAC_update(ctx, buf, bytes_read))
91 + goto err;
92 + off += bytes_read;
93 + }
94 +
95 if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
96 goto err;
97
98 @@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
99 CRYPTO_THREAD_unlock(fips_state_lock);
100 }
101
102 - if (st == NULL
103 - || st->module_checksum_data == NULL) {
104 + if (st == NULL) {
105 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
106 goto end;
107 }
108 @@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
109 if (ev == NULL)
110 goto end;
111
112 - module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
113 - &checksum_len);
114 + module_checksum = fips_hmac_container;
115 + checksum_len = sizeof(fips_hmac_container);
116 +
117 if (module_checksum == NULL) {
118 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
119 goto end;
120 @@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
121 ok = 1;
122 end:
123 OSSL_SELF_TEST_free(ev);
124 - OPENSSL_free(module_checksum);
125 OPENSSL_free(indicator_checksum);
126
127 if (st != NULL) {
128 diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t
129 --- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
130 +++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100
131 @@ -20,7 +20,7 @@
132 use lib bldtop_dir('.');
133 use platform;
134
135 -my $no_check = disabled("fips");
136 +my $no_check = 1;
137 plan skip_all => "FIPS module config file only supported in a fips build"
138 if $no_check;
139
140 diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t
141 --- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
142 +++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100
143 @@ -23,7 +23,7 @@
144 use lib bldtop_dir('.');
145 use platform;
146
147 -my $no_check = disabled("fips");
148 +my $no_check = 1;
149 plan skip_all => "Test only supported in a fips build"
150 if $no_check;
151 plan tests => 1;
152 diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t
153 --- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200
154 +++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100
155 @@ -22,7 +22,7 @@
156 use lib bldtop_dir('.');
157 use platform;
158
159 -plan skip_all => "Test only supported in a fips build" if disabled("fips");
160 +plan skip_all => "Test only supported in a fips build" if 1;
161
162 plan tests => 29;
163
164 diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t
165 --- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200
166 +++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100
167 @@ -21,7 +21,7 @@
168 use lib srctop_dir('Configurations');
169 use lib bldtop_dir('.');
170
171 -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
172 +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
173
174 plan tests =>
175 ($no_fips ? 1 : 5);
176 diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t
177 --- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200
178 +++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100
179 @@ -23,7 +23,7 @@
180 use lib srctop_dir('Configurations');
181 use lib bldtop_dir('.');
182
183 -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
184 +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
185
186 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
187
188 diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t
189 --- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100
190 +++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100
191 @@ -18,7 +18,7 @@
192 use lib srctop_dir('Configurations');
193 use lib bldtop_dir('.');
194
195 -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
196 +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
197
198 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
199 if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
200 --- /dev/null 2021-11-16 15:27:32.915000000 +0100
201 +++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100
202 @@ -0,0 +1,2 @@
203 +[fips_sect]
204 +activate = 1

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed