From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer
Date: Wed, 2 Jun 2021 09:40:47 +0200
Subject: [PATCH] Compute HMAC from installed library
The HMAC hash was computed from the libica in the build tree, but the runtime check is run against the installed libica and those 2 files were different. The runtime one has debuginfo stripped (and placed into a separate file), thus the hashes are different.
Signed-off-by: Joerg Schmidbauer
---
 Makefile.am | 9 ++++-----
 src/Makefile.am | 8 +++++++-
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 4a1ef14..5367d49 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -46,6 +46,12 @@ mp.S : mp.pl
 ./mp.pl mp.S
 if ICA_FIPS
+fipsinstall:
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+
 hmac-file-lnk: hmac-file
 $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
 $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \
 include/rng.h ../test/testcase.h
 endif
-.PHONY: hmac-file hmac-file-lnk
+.PHONY: hmac-file hmac-file-lnk fipsinstall
-- 
2.29.2.windows.2
diff -up libica-3.9.0/Makefile.am.orig libica-3.9.0/Makefile.am
--- libica-3.9.0/Makefile.am.orig 2022-02-08 09:50:48.320207446 +0100
+++ libica-3.9.0/Makefile.am 2022-02-08 09:51:25.945624410 +0100
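Review bot: In the `fipsinstall` recipe added to src/Makefile.am, a failing `openssl dgst` is masked by the pipe into `sed`: the line's exit status is sed's, so (unless the shell runs with pipefail) a missing library under `$(DESTDIR)$(libdir)` yields an empty `.hmac` file and a successful target. The two `ln -s` calls also drop the `-f` that `hmac-file-lnk` right below and the removed `install-data-hook` use, so a second run stops on the existing link, and the shell redirect leaves the file mode to the umask where the old hook installed the file `0444`. The sketch below fails on a digest error, can be re-run, and restores the read-only mode; it keeps the existing key and `sed` filter unchanged.

```make
fipsinstall:
	$(AM_V_GEN) set -e; cd "$(DESTDIR)$(libdir)"; \
	for lib in libica libica-cex; do \
	  so=$$lib.so.$(VERSION1); \
	  rm -f .$$so.hmac .$$so.hmac.tmp; \
	  openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $$so > .$$so.hmac.tmp; \
	  sed -e 's/^.* //' .$$so.hmac.tmp > .$$so.hmac; \
	  rm -f .$$so.hmac.tmp; \
	  chmod 0444 .$$so.hmac; \
	  ln -sf .$$so.hmac .$$lib.so.$(MAJOR).hmac; \
	done
```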
@@ -17,11 +17,8 @@ coverage: check
 cd ${top_builddir}/src && gcov .libs/*.gcda
 if ICA_FIPS
-install-data-hook:
- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
+fipsinstall:
+ $(AM_V_GEN)$(MAKE) -C src fipsinstall
 if ICA_OPENSSL3
 test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica
 test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true
@@ -38,3 +35,4 @@ if ICA_OPENSSL3
 endif
 endif
+.PHONY: fipsinstall
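Review bot: Renaming `install-data-hook` to `fipsinstall` in the first Makefile.am hunk leaves the two `test -f … openssl3-fips.cnf` context lines in the same recipe, so under `ICA_OPENSSL3` the config file now appears to be installed only by `make fipsinstall` and no longer by `make install`; if that is not intended, those lines need an `install-data-hook` of their own. A plain `make install` of a FIPS build also no longer places any `.hmac` file, so the installed library presumably fails its runtime integrity check until the new target has been run. I would document the required order above the target, e.g. `# Run after 'make install' and after any stripping of the installed libraries; writes the .hmac files for the installed libica.` The recipe continues past the end of the hunk, so the rest of the former hook is not visible here.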