pkgs/raven
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
raven/base/openssl3/0033-FIPS-embed-hmac.patch

194 lines
6.3 KiB
Diff
Raw Normal View History

initial commit
2024-02-21 13:47:54 +06:00
diff -Naur a/providers/fips/self_test.c b/providers/fips/self_test.c
--- a/providers/fips/self_test.c 2023-10-24 19:48:41.000000000 +0600
+++ b/providers/fips/self_test.c 2023-10-25 10:59:50.765775085 +0600
@@ -170,11 +170,27 @@
}
#endif
+#define HMAC_LEN 32
+/*
+ * The __attribute__ ensures we've created the .rodata1 section
+ * static ensures it's zero filled
+*/
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
+
/*
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
+#undef __USE_GNU
+#else
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
@@ -187,9 +203,20 @@
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -203,13 +230,42 @@
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while (1) {
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -270,8 +326,7 @@
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -280,8 +335,9 @@
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -343,7 +399,6 @@
ok = 1;
end:
OSSL_SELF_TEST_free(ev);
- OPENSSL_free(module_checksum);
OPENSSL_free(indicator_checksum);
if (st != NULL) {
diff -Naur a/test/fipsmodule.cnf b/test/fipsmodule.cnf
--- a/test/fipsmodule.cnf 1970-01-01 06:00:00.000000000 +0600
+++ b/test/fipsmodule.cnf 2023-10-25 11:05:07.545759285 +0600
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
diff -Naur a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
--- a/test/recipes/00-prep_fipsmodule_cnf.t 2023-10-24 19:48:41.000000000 +0600
+++ b/test/recipes/00-prep_fipsmodule_cnf.t 2023-10-25 11:01:37.845768662 +0600
@@ -20,7 +20,7 @@
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
diff -Naur a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
--- a/test/recipes/01-test_fipsmodule_cnf.t 2023-10-24 19:48:41.000000000 +0600
+++ b/test/recipes/01-test_fipsmodule_cnf.t 2023-10-25 11:01:54.413767667 +0600
@@ -23,7 +23,7 @@
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
diff -Naur a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
--- a/test/recipes/03-test_fipsinstall.t 2023-10-24 19:48:41.000000000 +0600
+++ b/test/recipes/03-test_fipsinstall.t 2023-10-25 11:02:48.795764404 +0600
@@ -22,7 +22,7 @@
use lib bldtop_dir('.');
use platform;
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
plan tests => 29;
diff -Naur a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
--- a/test/recipes/80-test_ssl_new.t 2023-10-24 19:48:41.000000000 +0600
+++ b/test/recipes/80-test_ssl_new.t 2023-10-25 11:03:56.581760491 +0600
@@ -27,7 +27,7 @@
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; # disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
diff -Naur a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
--- a/test/recipes/90-test_sslapi.t 2023-10-25 11:06:55.189757458 +0600
+++ b/test/recipes/90-test_sslapi.t 2023-10-25 11:04:17.205760140 +0600
@@ -18,7 +18,7 @@
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; # disabled('fips') || ($ENV{NO_FIPS} // 0);
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
Reference in New Issue Copy Permalink