forked from rpms/openssl
f4c397c598
Signed-off-by: Sahana Prasad <sahana@redhat.com>
429 lines
15 KiB
Diff
429 lines
15 KiB
Diff
From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
|
|
From: rpm-build <rpm-build>
|
|
Date: Thu, 19 Oct 2023 13:12:40 +0200
|
|
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
|
|
|
|
Patch-name: 0033-FIPS-embed-hmac.patch
|
|
Patch-id: 33
|
|
Patch-status: |
|
|
# # Embed HMAC into the fips.so
|
|
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
|
---
|
|
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
|
|
test/fipsmodule.cnf | 2 +
|
|
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
|
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
|
test/recipes/03-test_fipsinstall.t | 2 +-
|
|
test/recipes/30-test_defltfips.t | 2 +-
|
|
test/recipes/80-test_ssl_new.t | 2 +-
|
|
test/recipes/90-test_sslapi.t | 2 +-
|
|
8 files changed, 71 insertions(+), 13 deletions(-)
|
|
create mode 100644 test/fipsmodule.cnf
|
|
|
|
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
|
index b8dc9817b2..e3a629018a 100644
|
|
--- a/providers/fips/self_test.c
|
|
+++ b/providers/fips/self_test.c
|
|
@@ -230,11 +230,27 @@ err:
|
|
return ok;
|
|
}
|
|
|
|
+#define HMAC_LEN 32
|
|
+/*
|
|
+ * The __attribute__ ensures we've created the .rodata1 section
|
|
+ * static ensures it's zero filled
|
|
+*/
|
|
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
|
+
|
|
/*
|
|
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
|
* the result matches the expected value.
|
|
* Return 1 if verified, or 0 if it fails.
|
|
*/
|
|
+#ifndef __USE_GNU
|
|
+#define __USE_GNU
|
|
+#include <dlfcn.h>
|
|
+#undef __USE_GNU
|
|
+#else
|
|
+#include <dlfcn.h>
|
|
+#endif
|
|
+#include <link.h>
|
|
+
|
|
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
|
unsigned char *expected, size_t expected_len,
|
|
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
|
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
EVP_MAC *mac = NULL;
|
|
EVP_MAC_CTX *ctx = NULL;
|
|
OSSL_PARAM params[2], *p = params;
|
|
+ Dl_info info;
|
|
+ void *extra_info = NULL;
|
|
+ struct link_map *lm = NULL;
|
|
+ unsigned long paddr;
|
|
+ unsigned long off = 0;
|
|
|
|
if (!integrity_self_test(ev, libctx))
|
|
goto err;
|
|
|
|
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
|
|
|
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
|
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
|
+ goto err;
|
|
+ lm = extra_info;
|
|
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
|
+
|
|
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
|
if (mac == NULL)
|
|
goto err;
|
|
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
|
goto err;
|
|
|
|
- while (1) {
|
|
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
|
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
|
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
+ if (status != 1)
|
|
+ break;
|
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
+ goto err;
|
|
+ off += bytes_read;
|
|
+ }
|
|
+
|
|
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
|
+ int delta = paddr - off;
|
|
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
|
+ if (status != 1)
|
|
+ goto err;
|
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
+ goto err;
|
|
+ off += bytes_read;
|
|
+
|
|
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
|
+ memset(buf, 0, HMAC_LEN);
|
|
+ if (status != 1)
|
|
+ goto err;
|
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
+ goto err;
|
|
+ off += bytes_read;
|
|
+ }
|
|
+
|
|
+ while (bytes_read > 0) {
|
|
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
if (status != 1)
|
|
break;
|
|
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
goto err;
|
|
+ off += bytes_read;
|
|
}
|
|
+
|
|
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
|
goto err;
|
|
|
|
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
goto err;
|
|
ret = 1;
|
|
err:
|
|
+ OPENSSL_cleanse(out, sizeof(out));
|
|
OSSL_SELF_TEST_onend(ev, ret);
|
|
EVP_MAC_CTX_free(ctx);
|
|
EVP_MAC_free(mac);
|
|
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
return 0;
|
|
}
|
|
|
|
- if (st == NULL
|
|
- || st->module_checksum_data == NULL) {
|
|
+ if (st == NULL) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
|
goto end;
|
|
}
|
|
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
if (ev == NULL)
|
|
goto end;
|
|
|
|
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
|
- &checksum_len);
|
|
+ module_checksum = fips_hmac_container;
|
|
+ checksum_len = sizeof(fips_hmac_container);
|
|
+
|
|
if (module_checksum == NULL) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
|
goto end;
|
|
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
end:
|
|
EVP_RAND_free(testrand);
|
|
OSSL_SELF_TEST_free(ev);
|
|
- OPENSSL_free(module_checksum);
|
|
OPENSSL_free(indicator_checksum);
|
|
|
|
if (st != NULL) {
|
|
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
|
new file mode 100644
|
|
index 0000000000..f05d0dedbe
|
|
--- /dev/null
|
|
+++ b/test/fipsmodule.cnf
|
|
@@ -0,0 +1,2 @@
|
|
+[fips_sect]
|
|
+activate = 1
|
|
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
|
index 4e3a6d85e8..e8255ba974 100644
|
|
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
|
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
|
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
use platform;
|
|
|
|
-my $no_check = disabled("fips");
|
|
+my $no_check = 1;
|
|
plan skip_all => "FIPS module config file only supported in a fips build"
|
|
if $no_check;
|
|
|
|
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
|
index ce594817d5..00cebacff8 100644
|
|
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
|
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
|
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
use platform;
|
|
|
|
-my $no_check = disabled("fips");
|
|
+my $no_check = 1;
|
|
plan skip_all => "Test only supported in a fips build"
|
|
if $no_check;
|
|
plan tests => 1;
|
|
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
|
index b8b136d110..8242f4ebc3 100644
|
|
--- a/test/recipes/03-test_fipsinstall.t
|
|
+++ b/test/recipes/03-test_fipsinstall.t
|
|
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
use platform;
|
|
|
|
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
|
+plan skip_all => "Test only supported in a fips build" if 1;
|
|
|
|
# Compatible options for pedantic FIPS compliance
|
|
my @pedantic_okay =
|
|
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
|
index c8f145405b..56a2ec5dc4 100644
|
|
--- a/test/recipes/30-test_defltfips.t
|
|
+++ b/test/recipes/30-test_defltfips.t
|
|
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
|
plan skip_all => "Configuration loading is turned off"
|
|
if disabled("autoload-config");
|
|
|
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
|
|
plan tests =>
|
|
($no_fips ? 1 : 5);
|
|
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
|
index 0c6d6402d9..e45f9cb560 100644
|
|
--- a/test/recipes/80-test_ssl_new.t
|
|
+++ b/test/recipes/80-test_ssl_new.t
|
|
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
|
use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
|
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
|
|
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
|
|
|
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
|
index 9e9e32b51e..1a1a7159b5 100644
|
|
--- a/test/recipes/90-test_sslapi.t
|
|
+++ b/test/recipes/90-test_sslapi.t
|
|
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
|
use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
|
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
|
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
|
|
|
--
|
|
2.41.0
|
|
|
|
diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c
|
|
--- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:36:27.970983419 +0100
|
|
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:39:19.788685051 +0100
|
|
@@ -242,6 +242,7 @@ static const unsigned char __attribute__
|
|
* the result matches the expected value.
|
|
* Return 1 if verified, or 0 if it fails.
|
|
*/
|
|
+
|
|
#ifndef __USE_GNU
|
|
#define __USE_GNU
|
|
#include <dlfcn.h>
|
|
@@ -251,6 +252,111 @@ static const unsigned char __attribute__
|
|
#endif
|
|
#include <link.h>
|
|
|
|
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
|
|
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
|
+ unsigned char *expected, size_t expected_len,
|
|
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
|
+ const char *event_type)
|
|
+{
|
|
+ int ret = 0, status;
|
|
+ unsigned char out[MAX_MD_SIZE];
|
|
+ unsigned char buf[INTEGRITY_BUF_SIZE];
|
|
+ size_t bytes_read = 0, out_len = 0;
|
|
+ EVP_MAC *mac = NULL;
|
|
+ EVP_MAC_CTX *ctx = NULL;
|
|
+ OSSL_PARAM params[2], *p = params;
|
|
+ Dl_info info;
|
|
+ void *extra_info = NULL;
|
|
+ struct link_map *lm = NULL;
|
|
+ unsigned long paddr;
|
|
+ unsigned long off = 0;
|
|
+
|
|
+ if (expected_len != HMAC_LEN)
|
|
+ goto err;
|
|
+
|
|
+ if (!integrity_self_test(ev, libctx))
|
|
+ goto err;
|
|
+
|
|
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
|
+
|
|
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
|
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
|
+ goto err;
|
|
+ lm = extra_info;
|
|
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
|
+
|
|
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
|
+ if (mac == NULL)
|
|
+ goto err;
|
|
+ ctx = EVP_MAC_CTX_new(mac);
|
|
+ if (ctx == NULL)
|
|
+ goto err;
|
|
+
|
|
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
|
|
+ *p = OSSL_PARAM_construct_end();
|
|
+
|
|
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
|
+ goto err;
|
|
+
|
|
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
|
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
+ if (status != 1)
|
|
+ break;
|
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
+ goto err;
|
|
+ off += bytes_read;
|
|
+ }
|
|
+
|
|
+ if (off < paddr) {
|
|
+ int delta = paddr - off;
|
|
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
|
+ if (status != 1)
|
|
+ goto err;
|
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
+ goto err;
|
|
+ off += bytes_read;
|
|
+ }
|
|
+
|
|
+ /* read away the buffer */
|
|
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
|
+ if (status != 1)
|
|
+ goto err;
|
|
+
|
|
+ /* check that it is the expect bytes, no point in continuing otherwise */
|
|
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
|
|
+ goto err;
|
|
+
|
|
+ /* replace in-file HMAC buffer with the original zeros */
|
|
+ memset(buf, 0, HMAC_LEN);
|
|
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
|
|
+ goto err;
|
|
+ off += HMAC_LEN;
|
|
+
|
|
+ while (bytes_read > 0) {
|
|
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
+ if (status != 1)
|
|
+ break;
|
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
+ goto err;
|
|
+ off += bytes_read;
|
|
+ }
|
|
+
|
|
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
|
+ goto err;
|
|
+
|
|
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
|
|
+ if (expected_len != out_len
|
|
+ || memcmp(expected, out, out_len) != 0)
|
|
+ goto err;
|
|
+ ret = 1;
|
|
+err:
|
|
+ OPENSSL_cleanse(out, MAX_MD_SIZE);
|
|
+ OSSL_SELF_TEST_onend(ev, ret);
|
|
+ EVP_MAC_CTX_free(ctx);
|
|
+ EVP_MAC_free(mac);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
|
unsigned char *expected, size_t expected_len,
|
|
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
|
diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c
|
|
--- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:40:54.926627242 +0100
|
|
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:45:58.939636676 +0100
|
|
@@ -527,14 +527,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
|
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
|
|
|
|
/* Always check the integrity of the fips module */
|
|
- if (bio_module == NULL
|
|
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
|
|
- module_checksum, checksum_len, st->libctx,
|
|
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
|
+ if (bio_module == NULL) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
|
goto end;
|
|
}
|
|
-
|
|
+ if (st->module_checksum_data == NULL) {
|
|
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
|
|
+ module_checksum, checksum_len,
|
|
+ st->libctx, ev,
|
|
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
|
+ goto end;
|
|
+ }
|
|
+ } else {
|
|
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
|
|
+ module_checksum, checksum_len,
|
|
+ st->libctx, ev,
|
|
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
|
+ goto end;
|
|
+ }
|
|
+ }
|
|
/* This will be NULL during installation - so the self test KATS will run */
|
|
if (st->indicator_data != NULL) {
|
|
/*
|
|
diff -up openssl-3.2.0/providers/fips/self_test.c.fips-self openssl-3.2.0/providers/fips/self_test.c
|
|
--- openssl-3.2.0/providers/fips/self_test.c.fips-self 2024-02-06 12:20:56.963719115 +0100
|
|
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-06 12:22:23.705604045 +0100
|
|
@@ -517,8 +517,13 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
|
if (ev == NULL)
|
|
goto end;
|
|
|
|
- module_checksum = fips_hmac_container;
|
|
- checksum_len = sizeof(fips_hmac_container);
|
|
+ if (st->module_checksum_data == NULL) {
|
|
+ module_checksum = fips_hmac_container;
|
|
+ checksum_len = sizeof(fips_hmac_container);
|
|
+ } else {
|
|
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
|
+ &checksum_len);
|
|
+ }
|
|
|
|
if (module_checksum == NULL) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|