rpms / openssl

Clone
Source Code
GIT

Blame openssl-1.0.0-beta3-fipscheck.patch

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_strcasecmp main minimize_test_skip no_engine openssl_rebase_308to311 rawhide
  1.   0b4cee3bc2d236f36c69998e559495cb1ad5bf3d
  2.   openssl-1.0.0-beta3-fipscheck.patch
Blob History Raw
2ccfa6b 
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
2ccfa6b 
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
2ccfa6b 
+++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-10 20:11:59.000000000 +0200
2ccfa6b 
@@ -47,6 +47,7 @@
2ccfa6b 
  *
2ccfa6b 
  */
2ccfa6b
2ccfa6b 
+#define _GNU_SOURCE
2ccfa6b
2ccfa6b 
 #include <openssl/rand.h>
2ccfa6b 
 #include <openssl/fips_rand.h>
2ccfa6b 
@@ -56,6 +57,9 @@
2ccfa6b 
 #include <openssl/rsa.h>
2ccfa6b 
 #include <string.h>
2ccfa6b 
 #include <limits.h>
2ccfa6b 
+#include <dlfcn.h>
2ccfa6b 
+#include <stdio.h>
2ccfa6b 
+#include <stdlib.h>
2ccfa6b 
 #include "fips_locl.h"
2ccfa6b
2ccfa6b 
 #ifdef OPENSSL_FIPS
2ccfa6b 
@@ -165,6 +169,204 @@ int FIPS_selftest()
2ccfa6b 
 	&& FIPS_selftest_dsa();
2ccfa6b 
     }
2ccfa6b
2ccfa6b 
+/* we implement what libfipscheck does ourselves */
2ccfa6b 
+
2ccfa6b 
+static int
2ccfa6b 
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
2ccfa6b 
+{
2ccfa6b 
+	Dl_info info;
2ccfa6b 
+	void *dl, *sym;
2ccfa6b 
+	int rv = -1;
2ccfa6b 
+
2ccfa6b 
+        dl = dlopen(libname, RTLD_LAZY);
2ccfa6b 
+        if (dl == NULL) {
2ccfa6b 
+	        return -1;
2ccfa6b 
+        }
2ccfa6b 
+
2ccfa6b 
+	sym = dlsym(dl, symbolname);
2ccfa6b 
+
2ccfa6b 
+	if (sym != NULL && dladdr(sym, &info)) {
2ccfa6b 
+		strncpy(path, info.dli_fname, pathlen-1);
2ccfa6b 
+		path[pathlen-1] = '\0';
2ccfa6b 
+		rv = 0;
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	dlclose(dl);
2ccfa6b 
+
2ccfa6b 
+	return rv;
2ccfa6b 
+}
2ccfa6b 
+
2ccfa6b 
+static const char conv[] = "0123456789abcdef";
2ccfa6b 
+
2ccfa6b 
+static char *
2ccfa6b 
+bin2hex(void *buf, size_t len)
2ccfa6b 
+{
2ccfa6b 
+	char *hex, *p;
2ccfa6b 
+	unsigned char *src = buf;
2ccfa6b 
+
2ccfa6b 
+	hex = malloc(len * 2 + 1);
2ccfa6b 
+	if (hex == NULL)
2ccfa6b 
+		return NULL;
2ccfa6b 
+
2ccfa6b 
+	p = hex;
2ccfa6b 
+
2ccfa6b 
+	while (len > 0) {
2ccfa6b 
+		unsigned c;
2ccfa6b 
+
2ccfa6b 
+		c = *src;
2ccfa6b 
+		src++;
2ccfa6b 
+
2ccfa6b 
+		*p = conv[c >> 4];
2ccfa6b 
+		++p;
2ccfa6b 
+		*p = conv[c & 0x0f];
2ccfa6b 
+		++p;
2ccfa6b 
+		--len;
2ccfa6b 
+	}
2ccfa6b 
+	*p = '\0';
2ccfa6b 
+	return hex;
2ccfa6b 
+}
2ccfa6b 
+
2ccfa6b 
+#define HMAC_PREFIX "."
2ccfa6b 
+#define HMAC_SUFFIX ".hmac"
2ccfa6b 
+#define READ_BUFFER_LENGTH 16384
2ccfa6b 
+
2ccfa6b 
+static char *
2ccfa6b 
+make_hmac_path(const char *origpath)
2ccfa6b 
+{
2ccfa6b 
+	char *path, *p;
2ccfa6b 
+	const char *fn;
2ccfa6b 
+
2ccfa6b 
+	path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
2ccfa6b 
+	if(path == NULL) {
2ccfa6b 
+		return NULL;
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	fn = strrchr(origpath, '/');
2ccfa6b 
+	if (fn == NULL) {
2ccfa6b 
+		fn = origpath;
2ccfa6b 
+	} else {
2ccfa6b 
+		++fn;
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	strncpy(path, origpath, fn-origpath);
2ccfa6b 
+	p = path + (fn - origpath);
2ccfa6b 
+	p = stpcpy(p, HMAC_PREFIX);
2ccfa6b 
+	p = stpcpy(p, fn);
2ccfa6b 
+	p = stpcpy(p, HMAC_SUFFIX);
2ccfa6b 
+
2ccfa6b 
+	return path;
2ccfa6b 
+}
2ccfa6b 
+
2ccfa6b 
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
2ccfa6b 
+
2ccfa6b 
+static int
2ccfa6b 
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
2ccfa6b 
+{
2ccfa6b 
+	FILE *f = NULL;
2ccfa6b 
+	int rv = -1;
2ccfa6b 
+	unsigned char rbuf[READ_BUFFER_LENGTH];
2ccfa6b 
+	size_t len;
2ccfa6b 
+	unsigned int hlen;
2ccfa6b 
+	HMAC_CTX c;
2ccfa6b 
+
2ccfa6b 
+	HMAC_CTX_init(&c);
2ccfa6b 
+
2ccfa6b 
+	f = fopen(path, "r");
2ccfa6b 
+
2ccfa6b 
+	if (f == NULL) {
2ccfa6b 
+		goto end;
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
2ccfa6b 
+
2ccfa6b 
+	while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
2ccfa6b 
+		HMAC_Update(&c, rbuf, len);
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	len = sizeof(rbuf);
2ccfa6b 
+	/* reuse rbuf for hmac */
2ccfa6b 
+	HMAC_Final(&c, rbuf, &hlen);
2ccfa6b 
+
2ccfa6b 
+	*buf = malloc(hlen);
2ccfa6b 
+	if (*buf == NULL) {
2ccfa6b 
+		goto end;
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	*hmaclen = hlen;
2ccfa6b 
+
2ccfa6b 
+	memcpy(*buf, rbuf, hlen);
2ccfa6b 
+
2ccfa6b 
+	rv = 0;
2ccfa6b 
+end:
2ccfa6b 
+	HMAC_CTX_cleanup(&c);
2ccfa6b 
+
2ccfa6b 
+	if (f)
2ccfa6b 
+		fclose(f);
2ccfa6b 
+
2ccfa6b 
+	return rv;
2ccfa6b 
+}
2ccfa6b 
+
2ccfa6b 
+static int
2ccfa6b 
+FIPSCHECK_verify(const char *libname, const char *symbolname)
2ccfa6b 
+{
2ccfa6b 
+	char path[PATH_MAX+1];
2ccfa6b 
+	int rv;
2ccfa6b 
+	FILE *hf;
2ccfa6b 
+	char *hmacpath, *p;
2ccfa6b 
+	char *hmac = NULL;
2ccfa6b 
+	size_t n;
2ccfa6b 
+
2ccfa6b 
+	rv = get_library_path(libname, symbolname, path, sizeof(path));
2ccfa6b 
+
2ccfa6b 
+	if (rv < 0)
2ccfa6b 
+		return 0;
2ccfa6b 
+
2ccfa6b 
+	hmacpath = make_hmac_path(path);
2ccfa6b 
+
2ccfa6b 
+	hf = fopen(hmacpath, "r");
2ccfa6b 
+	if (hf == NULL) {
2ccfa6b 
+		free(hmacpath);
2ccfa6b 
+		return 0;
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+	if (getline(&hmac, &n, hf) > 0) {
2ccfa6b 
+		void *buf;
2ccfa6b 
+		size_t hmaclen;
2ccfa6b 
+		char *hex;
2ccfa6b 
+
2ccfa6b 
+		if ((p=strchr(hmac, '\n')) != NULL)
2ccfa6b 
+			*p = '\0';
2ccfa6b 
+
2ccfa6b 
+		if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
2ccfa6b 
+			rv = -4;
2ccfa6b 
+			goto end;
2ccfa6b 
+		}
2ccfa6b 
+
2ccfa6b 
+		if ((hex=bin2hex(buf, hmaclen)) == NULL) {
2ccfa6b 
+			free(buf);
2ccfa6b 
+			rv = -5;
2ccfa6b 
+			goto end;
2ccfa6b 
+		}
2ccfa6b 
+
2ccfa6b 
+		if (strcmp(hex, hmac) != 0) {
2ccfa6b 
+			rv = -1;
2ccfa6b 
+		}
2ccfa6b 
+		free(buf);
2ccfa6b 
+		free(hex);
2ccfa6b 
+	}
2ccfa6b 
+
2ccfa6b 
+end:
2ccfa6b 
+	free(hmac);
2ccfa6b 
+	free(hmacpath);
2ccfa6b 
+	fclose(hf);
2ccfa6b 
+
2ccfa6b 
+	if (rv < 0)
2ccfa6b 
+		return 0;
2ccfa6b 
+
2ccfa6b 
+	/* check successful */
2ccfa6b 
+	return 1;
2ccfa6b 
+}
2ccfa6b 
+
2ccfa6b 
 int FIPS_mode_set(int onoff)
2ccfa6b 
     {
2ccfa6b 
     int fips_set_owning_thread();
2ccfa6b 
@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
2ccfa6b 
 	    }
2ccfa6b 
 #endif
2ccfa6b
2ccfa6b 
+	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
2ccfa6b 
+	    {
2ccfa6b 
+	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
2ccfa6b 
+	    fips_selftest_fail = 1;
2ccfa6b 
+	    ret = 0;
2ccfa6b 
+	    goto end;
2ccfa6b 
+	    }
2ccfa6b 
+
2ccfa6b 
+	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
2ccfa6b 
+	    {
2ccfa6b 
+	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
2ccfa6b 
+	    fips_selftest_fail = 1;
2ccfa6b 
+	    ret = 0;
2ccfa6b 
+	    goto end;
2ccfa6b 
+	    }
2ccfa6b 
+
2ccfa6b 
 	/* Perform RNG KAT before seeding */
2ccfa6b 
 	if (!FIPS_selftest_rng())
2ccfa6b 
 	    {
2ccfa6b 
diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
2ccfa6b 
--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
2ccfa6b 
+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c	2009-08-10 20:11:59.000000000 +0200
2ccfa6b 
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
2ccfa6b
2ccfa6b 
 #ifdef OPENSSL_FIPS
2ccfa6b
2ccfa6b 
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
2ccfa6b 
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
2ccfa6b 
 		      const char *key)
2ccfa6b 
     {
2ccfa6b 
     size_t len=strlen(key);
2ccfa6b 
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
2ccfa6b
2ccfa6b 
     if (len > SHA_CBLOCK)
2ccfa6b 
 	{
2ccfa6b 
-	SHA1_Init(md_ctx);
2ccfa6b 
-	SHA1_Update(md_ctx,key,len);
2ccfa6b 
-	SHA1_Final(keymd,md_ctx);
2ccfa6b 
-	len=20;
2ccfa6b 
+	SHA256_Init(md_ctx);
2ccfa6b 
+	SHA256_Update(md_ctx,key,len);
2ccfa6b 
+	SHA256_Final(keymd,md_ctx);
2ccfa6b 
+	len=SHA256_DIGEST_LENGTH;
2ccfa6b 
 	}
2ccfa6b 
     else
2ccfa6b 
 	memcpy(keymd,key,len);
2ccfa6b 
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
2ccfa6b
2ccfa6b 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
2ccfa6b 
 	pad[i]=0x36^keymd[i];
2ccfa6b 
-    SHA1_Init(md_ctx);
2ccfa6b 
-    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
2ccfa6b 
+    SHA256_Init(md_ctx);
2ccfa6b 
+    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
2ccfa6b
2ccfa6b 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
2ccfa6b 
 	pad[i]=0x5c^keymd[i];
2ccfa6b 
-    SHA1_Init(o_ctx);
2ccfa6b 
-    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
2ccfa6b 
+    SHA256_Init(o_ctx);
2ccfa6b 
+    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
2ccfa6b 
     }
2ccfa6b
2ccfa6b 
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
2ccfa6b 
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
2ccfa6b 
     {
2ccfa6b 
-    unsigned char buf[20];
2ccfa6b 
+    unsigned char buf[SHA256_DIGEST_LENGTH];
2ccfa6b
2ccfa6b 
-    SHA1_Final(buf,md_ctx);
2ccfa6b 
-    SHA1_Update(o_ctx,buf,sizeof buf);
2ccfa6b 
-    SHA1_Final(md,o_ctx);
2ccfa6b 
+    SHA256_Final(buf,md_ctx);
2ccfa6b 
+    SHA256_Update(o_ctx,buf,sizeof buf);
2ccfa6b 
+    SHA256_Final(md,o_ctx);
2ccfa6b 
     }
2ccfa6b
2ccfa6b 
 #endif
2ccfa6b 
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
2ccfa6b 
 int main(int argc,char **argv)
2ccfa6b 
     {
2ccfa6b 
 #ifdef OPENSSL_FIPS
2ccfa6b 
-    static char key[]="etaonrishdlcupfm";
2ccfa6b 
+    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
2ccfa6b 
     int n,binary=0;
2ccfa6b
2ccfa6b 
     if(argc < 2)
2ccfa6b 
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
2ccfa6b 
     for(; n < argc ; ++n)
2ccfa6b 
 	{
2ccfa6b 
 	FILE *f=fopen(argv[n],"rb");
2ccfa6b 
-	SHA_CTX md_ctx,o_ctx;
2ccfa6b 
-	unsigned char md[20];
2ccfa6b 
+	SHA256_CTX md_ctx,o_ctx;
2ccfa6b 
+	unsigned char md[SHA256_DIGEST_LENGTH];
2ccfa6b 
 	int i;
2ccfa6b
2ccfa6b 
 	if(!f)
2ccfa6b 
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
2ccfa6b 
 		else
2ccfa6b 
 		    break;
2ccfa6b 
 		}
2ccfa6b 
-	    SHA1_Update(&md_ctx,buf,l);
2ccfa6b 
+	    SHA256_Update(&md_ctx,buf,l);
2ccfa6b 
 	    }
2ccfa6b 
 	hmac_final(md,&md_ctx,&o_ctx);
2ccfa6b
2ccfa6b 
 	if (binary)
2ccfa6b 
 	    {
2ccfa6b 
-	    fwrite(md,20,1,stdout);
2ccfa6b 
+	    fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
2ccfa6b 
 	    break;	/* ... for single(!) file */
2ccfa6b 
 	    }
2ccfa6b
2ccfa6b 
-	printf("HMAC-SHA1(%s)= ",argv[n]);
2ccfa6b 
-	for(i=0 ; i < 20 ; ++i)
2ccfa6b 
+/*	printf("HMAC-SHA1(%s)= ",argv[n]); */
2ccfa6b 
+	for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
2ccfa6b 
 	    printf("%02x",md[i]);
2ccfa6b 
 	printf("\n");
2ccfa6b 
 	}
2ccfa6b 
diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
2ccfa6b 
--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck	2009-08-10 20:11:59.000000000 +0200
2ccfa6b 
+++ openssl-1.0.0-beta3/crypto/fips/Makefile	2009-08-10 20:27:45.000000000 +0200
2ccfa6b 
@@ -16,6 +16,9 @@ GENERAL=Makefile
2ccfa6b 
 TEST=fips_test_suite.c fips_randtest.c
2ccfa6b 
 APPS=
2ccfa6b
2ccfa6b 
+PROGRAM= fips_standalone_sha1
2ccfa6b 
+EXE= $(PROGRAM)$(EXE_EXT)
2ccfa6b 
+
2ccfa6b 
 LIB=$(TOP)/libcrypto.a
2ccfa6b 
 LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
2ccfa6b 
     fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c  fips_rand.c \
2ccfa6b 
@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
2ccfa6b 
     fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o  fips_rand.o \
2ccfa6b 
     fips_rsa_x931g.o
2ccfa6b
2ccfa6b 
+LIBCRYPTO=-L.. -lcrypto
2ccfa6b 
+
2ccfa6b 
 SRC= $(LIBSRC) fips_standalone_sha1.c
2ccfa6b
2ccfa6b 
 EXHEADER= fips.h fips_rand.h
2ccfa6b 
@@ -35,13 +40,15 @@ ALL=    $(GENERAL) $(SRC) $(HEADER)
2ccfa6b 
 top:
2ccfa6b 
 	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
2ccfa6b
2ccfa6b 
-all:	lib
2ccfa6b 
+all:	lib exe
2ccfa6b
2ccfa6b 
 lib:	$(LIBOBJ)
2ccfa6b 
 	$(AR) $(LIB) $(LIBOBJ)
2ccfa6b 
 	$(RANLIB) $(LIB) || echo Never mind.
2ccfa6b 
 	@touch lib
2ccfa6b
2ccfa6b 
+exe:	$(EXE)
2ccfa6b 
+
2ccfa6b 
 files:
2ccfa6b 
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
2ccfa6b
2ccfa6b 
@@ -77,5 +84,9 @@ dclean:
2ccfa6b 
 clean:
2ccfa6b 
 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
2ccfa6b
2ccfa6b 
+$(EXE): $(PROGRAM).o
2ccfa6b 
+	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
2ccfa6b 
+	$(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
2ccfa6b 
+
2ccfa6b 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
2ccfa6b
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.