Remove library path checking from FIPS integrity check
Resolves: rhbz#2140908 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
		
							parent
							
								
									ec0dad9c1f
								
							
						
					
					
						commit
						7dd34fb86b
					
				
							
								
								
									
										54
									
								
								gnutls-3.7.8-integrity-check.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
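--- /dev/null
+++ b/gnutls-3.7.8-integrity-check.patch
@@ -0,0 +1,54 @@
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c	2022-11-15 16:10:56.183185457 +0100
++++ b/lib/fips.c	2022-11-15 16:10:23.488530716 +0100
+@@ -360,11 +360,6 @@ static int check_lib_hmac(struct hmac_en
+ 		return gnutls_assert_val(ret);
+ 	}
+ 
+-	if (strncmp(entry->path, path, GNUTLS_PATH_MAX)) {
+-		_gnutls_debug_log("Library path for %s does not match with HMAC file\n", lib);
+-		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+-	}
+-
+ 	_gnutls_debug_log("Loading: %s\n", path);
+ 	ret = gnutls_load_file(path, &data);
+ 	if (ret < 0) {
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c	2022-11-15 16:10:56.183185457 +0100
++++ b/lib/fipshmac.c	2022-11-15 16:10:23.489530737 +0100
+@@ -102,20 +102,30 @@ static int get_hmac(const char *path, ch
+ static int print_lib_path(const char *path)
+ {
+ 	int ret;
++	char *real_path = NULL;
+ 	char hmac[HMAC_STR_SIZE];
+ 
+-	ret = get_hmac(path, hmac, sizeof(hmac));
++	real_path = canonicalize_file_name(path);
++	if (real_path == NULL) {
++		fprintf(stderr, "Could not get realpath from %s\n", path);
++		ret = GNUTLS_E_FILE_ERROR;
++		goto cleanup;
++	}
++
++	ret = get_hmac(real_path, hmac, sizeof(hmac));
+ 	if (ret < 0) {
+ 		fprintf(stderr, "Could not calculate HMAC for %s: %s\n",
+-                        last_component(path), gnutls_strerror(ret));
+-		return ret;
++                        last_component(real_path), gnutls_strerror(ret));
++		goto cleanup;
+ 	}
+ 
+ 	printf("[%s]\n", last_component(path));
+-	printf("path = %s\n", path);
++	printf("path = %s\n", real_path);
+ 	printf("hmac = %s\n", hmac);
+ 
+-	return 0;
++cleanup:
++	free(real_path);
++	return ret;
+ }
+ 
+ static int print_lib_dl(const char *lib, const char *sym)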
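Review bot: With the strncmp check removed from check_lib_hmac, the `path =` value parsed from the .hmac file (`entry->path`) is no longer consulted by this function, so the only thing binding the loaded library to its recorded HMAC is the digest computed over the file at the runtime `path`; that deserves a comment at the `gnutls_load_file(path, &data)` call, e.g. `/* entry->path is informational only: the library is identified by the path it was actually loaded from and bound by its HMAC, not by the path recorded in the .hmac file */`, so nobody later treats the recorded path as a verified property. The enclosing check_lib_hmac body starts and ends outside this hunk. In print_lib_path, `canonicalize_file_name()` is a glibc-specific extension; `real_path = realpath(path, NULL);` is the POSIX spelling with the same allocate-and-free contract and keeps the fipshmac tool portable. The success path now returns whatever `get_hmac()` returned where it previously did `return 0;`; unless get_hmac is known to return exactly 0 on success (its body is outside the hunk), add `ret = 0;` immediately before `cleanup:` to preserve the old contract for callers.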
| @ -33,6 +33,7 @@ Patch: gnutls-3.7.6-fips-ecdsa-hash-check.patch | |||||||
| Patch: gnutls-3.7.8-xts-key-check.patch | Patch: gnutls-3.7.8-xts-key-check.patch | ||||||
| Patch: gnutls-3.7.8-clear-session-ticket.patch | Patch: gnutls-3.7.8-clear-session-ticket.patch | ||||||
| Patch: gnutls-3.7.7-aes-cbc-padding-support.patch | Patch: gnutls-3.7.7-aes-cbc-padding-support.patch | ||||||
|  | Patch: gnutls-3.7.8-integrity-check.patch | ||||||
| 
 | 
 | ||||||
| # not upstreamed | # not upstreamed | ||||||
| Patch: gnutls-3.7.3-disable-config-reload.patch | Patch: gnutls-3.7.3-disable-config-reload.patch | ||||||
| @ -402,6 +403,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null | |||||||
| - enable source archive verification again (#2127094) | - enable source archive verification again (#2127094) | ||||||
| - clear server's session ticket indication at rehandshake (#2136072) | - clear server's session ticket indication at rehandshake (#2136072) | ||||||
| - crypto-api: add block cipher API with automatic padding (#2084161) | - crypto-api: add block cipher API with automatic padding (#2084161) | ||||||
|  | - fips: remove library path checking from FIPS integrity check (#2140908) | ||||||
| 
 | 
 | ||||||
| * Tue Sep 27 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-12 | * Tue Sep 27 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-12 | ||||||
| - fips: mark PBKDF2 with short key and output sizes non-approved | - fips: mark PBKDF2 with short key and output sizes non-approved | ||||||
|  | |||||||