From 7dd34fb86b9da821e498ea9f3af1049d665a5478 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Tue, 15 Nov 2022 16:14:17 +0100
Subject: [PATCH] Remove library path checking from FIPS integrity check

Resolves: rhbz#2140908

Signed-off-by: Zoltan Fridrich
---
 gnutls-3.7.8-integrity-check.patch | 54 ++++++++++++++++++++++++++++++
 gnutls.spec | 2 ++
 2 files changed, 56 insertions(+)
 create mode 100644 gnutls-3.7.8-integrity-check.patch

diff --git a/gnutls-3.7.8-integrity-check.patch b/gnutls-3.7.8-integrity-check.patch
new file mode 100644
index 0000000..8ff5fb0
--- /dev/null
+++ b/gnutls-3.7.8-integrity-check.patch
@@ -0,0 +1,54 @@
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c 2022-11-15 16:10:56.183185457 +0100
++++ b/lib/fips.c 2022-11-15 16:10:23.488530716 +0100
+@@ -360,11 +360,6 @@ static int check_lib_hmac(struct hmac_en
+ return gnutls_assert_val(ret);
+ }
+
+- if (strncmp(entry->path, path, GNUTLS_PATH_MAX)) {
+- _gnutls_debug_log("Library path for %s does not match with HMAC file\n", lib);
+- return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+- }
+-
+ _gnutls_debug_log("Loading: %s\n", path);
+ ret = gnutls_load_file(path, &data);
+ if (ret < 0) {
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c 2022-11-15 16:10:56.183185457 +0100
++++ b/lib/fipshmac.c 2022-11-15 16:10:23.489530737 +0100
+@@ -102,20 +102,30 @@ static int get_hmac(const char *path, ch
+ static int print_lib_path(const char *path)
+ {
+ int ret;
++ char *real_path = NULL;
+ char hmac[HMAC_STR_SIZE];
+
+- ret = get_hmac(path, hmac, sizeof(hmac));
++ real_path = canonicalize_file_name(path);
++ if (real_path == NULL) {
++ fprintf(stderr, "Could not get realpath from %s\n", path);
++ ret = GNUTLS_E_FILE_ERROR;
++ goto cleanup;
++ }
++
++ ret = get_hmac(real_path, hmac, sizeof(hmac));
+ if (ret < 0) {
+ fprintf(stderr, "Could not calculate HMAC for %s: %s\n",
+- last_component(path), gnutls_strerror(ret));
+- return ret;
++ last_component(real_path), gnutls_strerror(ret));
++ goto cleanup;
+ }
+
+ printf("[%s]\n", last_component(path));
+- printf("path = %s\n", path);
++ printf("path = %s\n", real_path);
+ printf("hmac = %s\n", hmac);
+
+- return 0;
++cleanup:
++ free(real_path);
++ return ret;
+ }
+
+ static int print_lib_dl(const char *lib, const char *sym)
diff --git a/gnutls.spec b/gnutls.spec
index caaf770..ca636aa 100644
--- a/gnutls.spec
+++ b/gnutls.spec
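Review bot: In the lib/fips.c part, removing the `strncmp(entry->path, path, GNUTLS_PATH_MAX)` comparison makes the `path =` field of the HMAC file purely informational, so the integrity guarantee now rests only on the HMAC computed over the file that was actually loaded; that deserves a comment at the spot where the check used to be, e.g. `/* entry->path is not compared: the library may be reached through another path (symlink), so only the HMAC of the loaded file is verified */`. check_lib_hmac starts and ends outside the hunk, so whether `entry->path` is still read elsewhere in it cannot be seen here. In the lib/fipshmac.c part, `canonicalize_file_name()` is a glibc extension that needs `_GNU_SOURCE`; `realpath(path, NULL)` is the POSIX equivalent and worth preferring unless the file already relies on GNU extensions. The section header still prints `last_component(path)` while the `path =` line and the error message use `real_path`; this looks intentional (section keyed by the requested name, path recording the resolved file) but a one-line comment above the `printf("[%s]\n", ...)` call would prevent a later "fix" that makes them agree.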
@@ -33,6 +33,7 @@ Patch: gnutls-3.7.6-fips-ecdsa-hash-check.patch
 Patch: gnutls-3.7.8-xts-key-check.patch
 Patch: gnutls-3.7.8-clear-session-ticket.patch
 Patch: gnutls-3.7.7-aes-cbc-padding-support.patch
+Patch: gnutls-3.7.8-integrity-check.patch
 
 # not upstreamed
 Patch: gnutls-3.7.3-disable-config-reload.patch
@@ -402,6 +403,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 - enable source archive verification again (#2127094)
 - clear server's session ticket indication at rehandshake (#2136072)
 - crypto-api: add block cipher API with automatic padding (#2084161)
+- fips: remove library path checking from FIPS integrity check (#2140908)
 
 * Tue Sep 27 2022 Daiki Ueno - 3.7.6-12
 - fips: mark PBKDF2 with short key and output sizes non-approved