From 0efdf6a30a427739dc78ec091a872978bca35702 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Thu, 15 Dec 2022 10:30:55 +0100 Subject: [PATCH] fips: rename hmac file to its previous name Resolves: rhbz#2148269 Signed-off-by: Zoltan Fridrich --- gnutls-3.7.6-gmp-static.patch | 120 ++++--- gnutls-3.7.8-revert-hmac-name.patch | 534 ++++++++++++++++++++++++++++ gnutls.spec | 14 +- 3 files changed, 612 insertions(+), 56 deletions(-) create mode 100644 gnutls-3.7.8-revert-hmac-name.patch diff --git a/gnutls-3.7.6-gmp-static.patch b/gnutls-3.7.6-gmp-static.patch index 6d4bba4..df74247 100644 --- a/gnutls-3.7.6-gmp-static.patch +++ b/gnutls-3.7.6-gmp-static.patch @@ -1,4 +1,3 @@ -From 88808f0b8906bdc32579c144a2c44401ee97798a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 19 Aug 2022 12:32:27 +0900 Subject: [PATCH] build: allow GMP to be statically linked @@ -17,17 +16,10 @@ and libhogweed in Nettle is also linked to the static library of GMP. Signed-off-by: Daiki Ueno --- - configure.ac | 14 +++++++++++++- - lib/fips.c | 10 ++++++++++ - lib/fipshmac.c | 5 ++++- - lib/global.c | 2 ++ - 4 files changed, 29 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 96894b0be3..e4cf5eab81 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -742,6 +742,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_update) +diff --color -ruNp a/configure.ac b/configure.ac +--- a/configure.ac 2022-12-15 11:06:16.782726043 +0100 ++++ b/configure.ac 2022-12-15 11:08:35.603451427 +0100 +@@ -744,6 +744,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_up LIBS=$save_LIBS # Check sonames of the linked libraries needed for FIPS selftests. @@ -36,7 +28,7 @@ index 96894b0be3..e4cf5eab81 100644 save_LIBS=$LIBS LIBS="$LIBS $GMP_LIBS" AC_MSG_CHECKING([gmp soname]) -@@ -755,9 +757,14 @@ if test -z "$gmp_so"; then +@@ -757,9 +759,14 @@ if test -z "$gmp_so"; then gmp_so=none fi AC_MSG_RESULT($gmp_so) @@ -52,7 +44,7 @@ index 96894b0be3..e4cf5eab81 100644 save_LIBS=$LIBS LIBS="$LIBS $NETTLE_LIBS" AC_MSG_CHECKING([nettle soname]) -@@ -773,7 +780,11 @@ fi +@@ -775,7 +782,11 @@ fi AC_MSG_RESULT($nettle_so) AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library]) LIBS=$save_LIBS @@ -64,7 +56,7 @@ index 96894b0be3..e4cf5eab81 100644 save_LIBS=$LIBS LIBS="$LIBS $HOGWEED_LIBS" AC_MSG_CHECKING([hogweed soname]) -@@ -789,6 +800,7 @@ fi +@@ -791,6 +802,7 @@ fi AC_MSG_RESULT($hogweed_so) AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library]) LIBS=$save_LIBS @@ -72,33 +64,42 @@ index 96894b0be3..e4cf5eab81 100644 gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"` AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library]) -diff --git a/lib/fips.c b/lib/fips.c -index 54eb4a37d4..42124ecf4e 100644 ---- a/lib/fips.c -+++ b/lib/fips.c -@@ -149,7 +149,11 @@ void _gnutls_fips_mode_reset_zombie(void) +diff --color -ruNp a/lib/fips.c b/lib/fips.c +--- a/lib/fips.c 2022-12-15 11:06:16.868727731 +0100 ++++ b/lib/fips.c 2022-12-15 11:12:42.744303409 +0100 +@@ -155,7 +155,11 @@ void _gnutls_fips_mode_reset_zombie(void #define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME #define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME #define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME + -+/* GMP can be statically linked. */ ++/* GMP can be statically linked */ +#ifdef GMP_LIBRARY_SONAME #define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME +#endif #define HMAC_SIZE 32 #define HMAC_ALGO GNUTLS_MAC_SHA256 -@@ -168,7 +172,9 @@ typedef struct +@@ -173,7 +177,9 @@ struct hmac_file struct hmac_entry gnutls; struct hmac_entry nettle; struct hmac_entry hogweed; +#ifdef GMP_LIBRARY_SONAME struct hmac_entry gmp; +#endif - } hmac_file; + }; - static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size) -@@ -259,8 +265,10 @@ static int handler(void *user, const char *section, const char *name, const char + struct lib_paths +@@ -181,7 +187,9 @@ struct lib_paths + char gnutls[GNUTLS_PATH_MAX]; + char nettle[GNUTLS_PATH_MAX]; + char hogweed[GNUTLS_PATH_MAX]; ++#ifdef GMP_LIBRARY_SONAME + char gmp[GNUTLS_PATH_MAX]; ++#endif + }; + + /* +@@ -245,8 +253,10 @@ static int handler(void *user, const cha return lib_handler(&p->nettle, section, name, value); } else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) { return lib_handler(&p->hogweed, section, name, value); @@ -109,42 +110,60 @@ index 54eb4a37d4..42124ecf4e 100644 } else { return 0; } -@@ -408,9 +416,11 @@ static int check_binary_integrity(void) - ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u"); +@@ -389,8 +399,10 @@ static int callback(struct dl_phdr_info + _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); + else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) + _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); ++#ifdef GMP_LIBRARY_SONAME + else if (!strcmp(soname, GMP_LIBRARY_SONAME)) + _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); ++#endif + return 0; + } + +@@ -411,10 +423,12 @@ static int load_lib_paths(struct lib_pat + _gnutls_debug_log("Hogweed library path was not found\n"); + return gnutls_assert_val(GNUTLS_E_FILE_ERROR); + } ++#ifdef GMP_LIBRARY_SONAME + if (paths->gmp[0] == '\0') { + _gnutls_debug_log("Gmp library path was not found\n"); + return gnutls_assert_val(GNUTLS_E_FILE_ERROR); + } ++#endif + + return GNUTLS_E_SUCCESS; + } +@@ -467,9 +481,11 @@ static int check_binary_integrity(void) + ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); if (ret < 0) return ret; +#ifdef GMP_LIBRARY_SONAME - ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init"); + ret = check_lib_hmac(&hmac.gmp, paths.gmp); if (ret < 0) return ret; +#endif return 0; } -diff --git a/lib/fipshmac.c b/lib/fipshmac.c -index b091572bdf..363077f3e2 100644 ---- a/lib/fipshmac.c -+++ b/lib/fipshmac.c -@@ -159,10 +159,13 @@ int main(int argc, char **argv) - ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u"); - if (ret < 0) - return EXIT_FAILURE; -- -+ -+ /* GMP can be statically linked. */ +diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c +--- a/lib/fipshmac.c 2022-12-15 11:06:16.785726102 +0100 ++++ b/lib/fipshmac.c 2022-12-15 11:13:34.533320156 +0100 +@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info + return print_lib(path, soname); + if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) + return print_lib(path, soname); +#ifdef GMP_LIBRARY_SONAME - ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init"); - if (ret < 0) - return EXIT_FAILURE; + if (!strcmp(soname, GMP_LIBRARY_SONAME)) + return print_lib(path, soname); +#endif - - return EXIT_SUCCESS; + return 0; } -diff --git a/lib/global.c b/lib/global.c -index 1b372c15bd..9f3c7b22bd 100644 ---- a/lib/global.c -+++ b/lib/global.c -@@ -548,7 +548,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = { + +diff --color -ruNp a/lib/global.c b/lib/global.c +--- a/lib/global.c 2022-12-15 11:06:16.061711888 +0100 ++++ b/lib/global.c 2022-12-15 11:08:35.604451446 +0100 +@@ -540,7 +540,9 @@ static const struct gnutls_library_confi { "libgnutls-soname", GNUTLS_LIBRARY_SONAME }, { "libnettle-soname", NETTLE_LIBRARY_SONAME }, { "libhogweed-soname", HOGWEED_LIBRARY_SONAME }, @@ -154,6 +173,3 @@ index 1b372c15bd..9f3c7b22bd 100644 { "hardware-features", HW_FEATURES }, { "tls-features", TLS_FEATURES }, { NULL, NULL } --- -2.37.1 - diff --git a/gnutls-3.7.8-revert-hmac-name.patch b/gnutls-3.7.8-revert-hmac-name.patch new file mode 100644 index 0000000..fa1a672 --- /dev/null +++ b/gnutls-3.7.8-revert-hmac-name.patch @@ -0,0 +1,534 @@ +diff --color -ruNp a/configure.ac b/configure.ac +--- a/configure.ac 2022-05-27 09:17:26.000000000 +0200 ++++ b/configure.ac 2022-12-15 11:00:18.830698584 +0100 +@@ -619,6 +619,8 @@ if [ test "$enable_fips" = "yes" ];then + if test "x$fips_module_version" != xnone; then + AC_DEFINE_UNQUOTED([FIPS_MODULE_VERSION], ["$fips_module_version"], [The FIPS140 module version]) + fi ++ ++ AC_CHECK_FUNCS(dl_iterate_phdr) + else + enable_fips=no + AC_MSG_WARN([[ +diff --color -ruNp a/lib/fips.c b/lib/fips.c +--- a/lib/fips.c 2022-12-15 10:59:57.460279029 +0100 ++++ b/lib/fips.c 2022-12-15 11:00:18.831698604 +0100 +@@ -23,9 +23,11 @@ + #include + #include + #include ++#include "dirname.h" + #include "errors.h" + #include "file.h" + #include "inih/ini.h" ++#include "str.h" + #include + #include + #include +@@ -34,6 +36,10 @@ + + #include "gthreads.h" + ++#ifdef HAVE_DL_ITERATE_PHDR ++#include ++#endif ++ + unsigned int _gnutls_lib_state = LIB_STATE_POWERON; + + struct gnutls_fips140_context_st { +@@ -153,7 +159,6 @@ void _gnutls_fips_mode_reset_zombie(void + + #define HMAC_SIZE 32 + #define HMAC_ALGO GNUTLS_MAC_SHA256 +-#define HMAC_FILE_NAME ".gnutls.hmac" + #define HMAC_FORMAT_VERSION 1 + + struct hmac_entry +@@ -162,51 +167,32 @@ struct hmac_entry + uint8_t hmac[HMAC_SIZE]; + }; + +-typedef struct ++struct hmac_file + { + int version; + struct hmac_entry gnutls; + struct hmac_entry nettle; + struct hmac_entry hogweed; + struct hmac_entry gmp; +-} hmac_file; ++}; + +-static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size) ++struct lib_paths + { +- int ret; +- void *dl, *sym; +- Dl_info info; +- +- dl = dlopen(lib, RTLD_LAZY); +- if (dl == NULL) +- return gnutls_assert_val(GNUTLS_E_FILE_ERROR); +- +- sym = dlsym(dl, symbol); +- if (sym == NULL) { +- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); +- goto cleanup; +- } +- +- ret = dladdr(sym, &info); +- if (ret == 0) { +- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); +- goto cleanup; +- } +- +- ret = snprintf(path, path_size, "%s", info.dli_fname); +- if ((size_t)ret >= path_size) { +- ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); +- goto cleanup; +- } +- +- ret = 0; +-cleanup: +- dlclose(dl); +- return ret; +-} ++ char gnutls[GNUTLS_PATH_MAX]; ++ char nettle[GNUTLS_PATH_MAX]; ++ char hogweed[GNUTLS_PATH_MAX]; ++ char gmp[GNUTLS_PATH_MAX]; ++}; + +-/* Parses hmac data and copies hex value into dest. ++/* ++ * get_hmac: ++ * @dest: buffer for the hex value ++ * @value: hmac value ++ * ++ * Parses hmac data and copies hex value into dest. + * dest must point to at least HMAC_SIZE amount of memory ++ * ++ * Returns: 0 on success, a negative error code otherwise + */ + static int get_hmac(uint8_t *dest, const char *value) + { +@@ -245,7 +231,7 @@ lib_handler(struct hmac_entry *entry, + + static int handler(void *user, const char *section, const char *name, const char *value) + { +- hmac_file *p = (hmac_file *)user; ++ struct hmac_file *p = (struct hmac_file *)user; + + if (!strcmp(section, "global")) { + if (!strcmp(name, "format-version")) { +@@ -267,24 +253,29 @@ static int handler(void *user, const cha + return 1; + } + +-static int get_hmac_path(char *mac_file, size_t mac_file_size) ++/* ++ * get_hmac_path: ++ * @mac_file: buffer where the hmac file path will be written to ++ * @mac_file_size: size of the mac_file buffer ++ * @gnutls_path: path to the gnutls library, used to deduce hmac file path ++ * ++ * Deduces hmac file path from the gnutls library path. ++ * ++ * Returns: 0 on success, a negative error code otherwise ++ */ ++static int get_hmac_path(char *mac_file, size_t mac_file_size, const char *gnutls_path) + { + int ret; + char *p; +- char file[GNUTLS_PATH_MAX]; + +- ret = get_library_path(GNUTLS_LIBRARY_NAME, "gnutls_global_init", +- file, sizeof(file)); +- if (ret < 0) +- return ret; +- +- p = strrchr(file, '/'); ++ p = strrchr(gnutls_path, '/'); + + if (p == NULL) +- ret = snprintf(mac_file, mac_file_size, HMAC_FILE_NAME); ++ ret = snprintf(mac_file, mac_file_size, ".%s.hmac", gnutls_path); + else +- ret = snprintf(mac_file, mac_file_size, +- "%.*s/"HMAC_FILE_NAME, (int)(p - file), file); ++ ret = snprintf(mac_file, mac_file_size, "%.*s/.%s.hmac", ++ (int)(p - gnutls_path), gnutls_path, p + 1); ++ + if ((size_t)ret >= mac_file_size) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + +@@ -293,10 +284,11 @@ static int get_hmac_path(char *mac_file, + return GNUTLS_E_SUCCESS; + + if (p == NULL) +- ret = snprintf(mac_file, mac_file_size, "fipscheck/"HMAC_FILE_NAME); ++ ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", gnutls_path); + else +- ret = snprintf(mac_file, mac_file_size, +- "%.*s/fipscheck/"HMAC_FILE_NAME, (int)(p - file), file); ++ ret = snprintf(mac_file, mac_file_size, "%.*s/fipscheck/.%s.hmac", ++ (int)(p - gnutls_path), gnutls_path, p + 1); ++ + if ((size_t)ret >= mac_file_size) + return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + +@@ -307,51 +299,52 @@ static int get_hmac_path(char *mac_file, + return GNUTLS_E_FILE_ERROR; + } + +-static int load_hmac_file(hmac_file *p) ++/* ++ * load_hmac_file: ++ * @hmac_file: hmac file structure ++ * @hmac_path: path to the hmac file ++ * ++ * Loads the hmac file into the hmac file structure. ++ * ++ * Returns: 0 on success, a negative error code otherwise ++ */ ++static int load_hmac_file(struct hmac_file *hmac_file, const char *hmac_path) + { + int ret; + FILE *stream; +- char hmac_path[GNUTLS_PATH_MAX]; +- +- ret = get_hmac_path(hmac_path, sizeof(hmac_path)); +- if (ret < 0) +- return gnutls_assert_val(ret); + + stream = fopen(hmac_path, "r"); + if (stream == NULL) + return gnutls_assert_val(GNUTLS_E_FILE_ERROR); + +- gnutls_memset(p, 0, sizeof(*p)); +- ret = ini_parse_file(stream, handler, p); ++ gnutls_memset(hmac_file, 0, sizeof(*hmac_file)); ++ ret = ini_parse_file(stream, handler, hmac_file); + fclose(stream); + if (ret < 0) + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + +- if (p->version != HMAC_FORMAT_VERSION) ++ if (hmac_file->version != HMAC_FORMAT_VERSION) + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + + return 0; + } + +-/* Run an HMAC using the key above on the library binary data. +- * Returns 0 on success and negative value on error. ++/* ++ * check_lib_hmac: ++ * @entry: hmac file entry ++ * @path: path to the library which hmac should be compared ++ * ++ * Verify that HMAC from hmac file entry matches HMAC of given library. ++ * ++ * Returns: 0 on successful HMAC verification, a negative error code otherwise + */ +-static int check_lib_hmac(struct hmac_entry *entry, +- const char *lib, const char *sym) ++static int check_lib_hmac(struct hmac_entry *entry, const char *path) + { + int ret; + unsigned prev; +- char path[GNUTLS_PATH_MAX]; + uint8_t hmac[HMAC_SIZE]; + gnutls_datum_t data; + +- ret = get_library_path(lib, sym, path, sizeof(path)); +- if (ret < 0) { +- _gnutls_debug_log("Could not get lib path for %s: %s\n", +- lib, gnutls_strerror(ret)); +- return gnutls_assert_val(ret); +- } +- + _gnutls_debug_log("Loading: %s\n", path); + ret = gnutls_load_file(path, &data); + if (ret < 0) { +@@ -382,28 +375,99 @@ static int check_lib_hmac(struct hmac_en + return 0; + } + ++#ifdef HAVE_DL_ITERATE_PHDR ++ ++static int callback(struct dl_phdr_info *info, size_t size, void *data) ++{ ++ const char *path = info->dlpi_name; ++ const char *soname = last_component(path); ++ struct lib_paths *paths = (struct lib_paths *)data; ++ ++ if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) ++ _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); ++ else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) ++ _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); ++ else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) ++ _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); ++ else if (!strcmp(soname, GMP_LIBRARY_SONAME)) ++ _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); ++ return 0; ++} ++ ++static int load_lib_paths(struct lib_paths *paths) ++{ ++ memset(paths, 0, sizeof(*paths)); ++ dl_iterate_phdr(callback, paths); ++ ++ if (paths->gnutls[0] == '\0') { ++ _gnutls_debug_log("Gnutls library path was not found\n"); ++ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); ++ } ++ if (paths->nettle[0] == '\0') { ++ _gnutls_debug_log("Nettle library path was not found\n"); ++ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); ++ } ++ if (paths->hogweed[0] == '\0') { ++ _gnutls_debug_log("Hogweed library path was not found\n"); ++ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); ++ } ++ if (paths->gmp[0] == '\0') { ++ _gnutls_debug_log("Gmp library path was not found\n"); ++ return gnutls_assert_val(GNUTLS_E_FILE_ERROR); ++ } ++ ++ return GNUTLS_E_SUCCESS; ++} ++ ++#else ++ ++static int load_lib_paths(struct lib_paths *paths) ++{ ++ (void)paths; ++ _gnutls_debug_log("Function dl_iterate_phdr is missing\n"); ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++} ++ ++#endif /* HAVE_DL_ITERATE_PHDR */ ++ + static int check_binary_integrity(void) + { + int ret; +- hmac_file file; ++ struct lib_paths paths; ++ struct hmac_file hmac; ++ char hmac_path[GNUTLS_PATH_MAX]; ++ ++ ret = load_lib_paths(&paths); ++ if (ret < 0) { ++ _gnutls_debug_log("Could not load library paths: %s\n", ++ gnutls_strerror(ret)); ++ return ret; ++ } ++ ++ ret = get_hmac_path(hmac_path, sizeof(hmac_path), paths.gnutls); ++ if (ret < 0) { ++ _gnutls_debug_log("Could not get hmac file path: %s\n", ++ gnutls_strerror(ret)); ++ return ret; ++ } + +- ret = load_hmac_file(&file); ++ ret = load_hmac_file(&hmac, hmac_path); + if (ret < 0) { + _gnutls_debug_log("Could not load hmac file: %s\n", + gnutls_strerror(ret)); + return ret; + } + +- ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init"); ++ ret = check_lib_hmac(&hmac.gnutls, paths.gnutls); + if (ret < 0) + return ret; +- ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key"); ++ ret = check_lib_hmac(&hmac.nettle, paths.nettle); + if (ret < 0) + return ret; +- ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u"); ++ ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); + if (ret < 0) + return ret; +- ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init"); ++ ret = check_lib_hmac(&hmac.gmp, paths.gmp); + if (ret < 0) + return ret; + +diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c +--- a/lib/fipshmac.c 2022-12-15 10:59:57.461279049 +0100 ++++ b/lib/fipshmac.c 2022-12-15 11:00:18.832698623 +0100 +@@ -22,12 +22,14 @@ + + #include "config.h" + +-#include +-#include +-#include +-#include + #include + #include ++ ++#ifdef HAVE_DL_ITERATE_PHDR ++ ++#include ++#include ++#include + #include "dirname.h" + #include "errors.h" + +@@ -36,40 +38,6 @@ + #define HMAC_ALGO GNUTLS_MAC_SHA256 + #define HMAC_STR_SIZE (2 * HMAC_SIZE + 1) + +-static int get_path(const char *lib, const char *symbol, char *path, size_t path_size) +-{ +- int ret; +- void *dl, *sym; +- Dl_info info; +- +- dl = dlopen(lib, RTLD_LAZY); +- if (dl == NULL) +- return gnutls_assert_val(GNUTLS_E_FILE_ERROR); +- +- sym = dlsym(dl, symbol); +- if (sym == NULL) { +- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); +- goto cleanup; +- } +- +- ret = dladdr(sym, &info); +- if (ret == 0) { +- ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR); +- goto cleanup; +- } +- +- ret = snprintf(path, path_size, "%s", info.dli_fname); +- if ((size_t)ret >= path_size) { +- ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); +- goto cleanup; +- } +- +- ret = 0; +-cleanup: +- dlclose(dl); +- return ret; +-} +- + static int get_hmac(const char *path, char *hmac, size_t hmac_size) + { + int ret; +@@ -99,7 +67,7 @@ static int get_hmac(const char *path, ch + return 0; + } + +-static int print_lib_path(const char *path) ++static int print_lib(const char *path, const char *soname) + { + int ret; + char *real_path = NULL; +@@ -119,7 +87,7 @@ static int print_lib_path(const char *pa + goto cleanup; + } + +- printf("[%s]\n", last_component(path)); ++ printf("[%s]\n", soname); + printf("path = %s\n", real_path); + printf("hmac = %s\n", hmac); + +@@ -128,25 +96,24 @@ cleanup: + return ret; + } + +-static int print_lib_dl(const char *lib, const char *sym) ++static int callback(struct dl_phdr_info *info, size_t size, void *data) + { +- int ret; +- char path[GNUTLS_PATH_MAX]; +- +- ret = get_path(lib, sym, path, sizeof(path)); +- if (ret < 0) { +- fprintf(stderr, "Could not get lib path for %s: %s\n", +- lib, gnutls_strerror(ret)); +- return ret; +- } ++ const char *path = info->dlpi_name; ++ const char *soname = last_component(path); + +- return print_lib_path(path); ++ if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) ++ return print_lib(data ? data : path, soname); ++ if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) ++ return print_lib(path, soname); ++ if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) ++ return print_lib(path, soname); ++ if (!strcmp(soname, GMP_LIBRARY_SONAME)) ++ return print_lib(path, soname); ++ return 0; + } + + int main(int argc, char **argv) + { +- int ret; +- + if (argc != 1 && argc != 2) { + fprintf(stderr, "Usage: %s [gnutls_so_path]\n", last_component(argv[0])); + return EXIT_FAILURE; +@@ -155,24 +122,15 @@ int main(int argc, char **argv) + printf("[global]\n"); + printf("format-version = %d\n", FORMAT_VERSION); + +- if (argc == 2) +- ret = print_lib_path(argv[1]); +- else +- ret = print_lib_dl(GNUTLS_LIBRARY_SONAME, "gnutls_global_init"); +- if (ret < 0) +- return EXIT_FAILURE; ++ return dl_iterate_phdr(callback, argc == 2 ? argv[1] : NULL); ++} + +- ret = print_lib_dl(NETTLE_LIBRARY_SONAME, "nettle_aes_set_encrypt_key"); +- if (ret < 0) +- return EXIT_FAILURE; +- +- ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u"); +- if (ret < 0) +- return EXIT_FAILURE; +- +- ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init"); +- if (ret < 0) +- return EXIT_FAILURE; ++#else + +- return EXIT_SUCCESS; ++int main(void) ++{ ++ fprintf(stderr, "Function dl_iterate_phdr is missing\n"); ++ return EXIT_FAILURE; + } ++ ++#endif /* HAVE_DL_ITERATE_PHDR */ +diff --color -ruNp a/lib/Makefile.am b/lib/Makefile.am +--- a/lib/Makefile.am 2022-05-18 16:46:00.000000000 +0200 ++++ b/lib/Makefile.am 2022-12-15 11:00:18.789697779 +0100 +@@ -202,14 +202,14 @@ noinst_PROGRAMS = fipshmac + fipshmac_SOURCES = fipshmac.c + fipshmac_LDADD = libgnutls.la ../gl/libgnu.la + +-hmac_files = .libs/.gnutls.hmac ++hmac_file = .libs/.$(gnutls_so).hmac + +-all-local: $(hmac_files) ++all-local: $(hmac_file) + +-.libs/.gnutls.hmac: libgnutls.la fipshmac ++$(hmac_file): libgnutls.la fipshmac + $(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@ + +-CLEANFILES = $(hmac_files) ++CLEANFILES = $(hmac_file) + endif + + if NEED_LTLIBDL diff --git a/gnutls.spec b/gnutls.spec index 95c6e49..f1dbf3a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16)) } Version: 3.7.6 -Release: 14%{?dist} +Release: 15%{?dist} # not upstreamed Patch: gnutls-3.6.7-no-now-guile.patch Patch: gnutls-3.2.7-rpath.patch @@ -37,6 +37,7 @@ Patch: gnutls-3.7.8-integrity-check.patch Patch: gnutls-3.7.6-fips-service-indicator-test-functions.patch Patch: gnutls-3.7.6-fips-ccm-taglen.patch Patch: gnutls-3.7.6-fips-rsa-pss-saltlen.patch +Patch: gnutls-3.7.8-revert-hmac-name.patch # not upstreamed Patch: gnutls-3.7.3-disable-config-reload.patch @@ -331,8 +332,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc # doing it twice should be a no-op the second time, # and this way we avoid redefining it and missing a future change %{__spec_install_post} -./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac -sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*` +./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" +sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" +ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac" %endif %if %{with fips} @@ -353,7 +356,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %files -f gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} -%{_libdir}/.gnutls.hmac +%{_libdir}/.libgnutls.so.30*.hmac %endif %doc README.md AUTHORS NEWS THANKS %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -401,6 +404,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Dec 15 2022 Zoltan Fridrich - 3.7.6-15 +- fips: rename hmac file to its previous name (#2148269) + * Tue Nov 22 2022 Daiki Ueno - 3.7.6-14 - cipher: add restriction on CCM tag length under FIPS mode (#2137807) - nettle: mark non-compliant RSA-PSS salt length to be not-approved (#2143266)