From b5f3088903639b7bd460532f50b351c51449b3d1 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Mon, 18 Jun 2018 11:17:46 +0200
Subject: [PATCH] Update to upstream version 1.1.1
---
 ...r_Allow_picking_basename_via_cmdline.patch | 341 ----------------
 ...r_Fix_FIPS_self-check_always_failing.patch | 34 --
 ...S_self-check_of_the_libkcapi_library.patch | 373 ------------------
 ..._Fix_buffer_overrun_in_get_hmac_file.patch | 23 --
 libkcapi.spec | 12 +-
 sources | 4 +-
 6 files changed, 7 insertions(+), 780 deletions(-)
 delete mode 100644 libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
 delete mode 100644 libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
 delete mode 100644 libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
 delete mode 100644 libkcapi-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
diff --git a/libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch b/libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
deleted file mode 100644
index cc33cd6..0000000
--- a/libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
+++ /dev/null
@@ -1,341 +0,0 @@ -From 4986c2c95422f97ca0f8db94ce422a01f9a9fa5e Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 24 May 2018 08:28:02 +0200 -Subject: [PATCH] kcapi-hasher: Allow picking basename via cmdline - -This makes it possible to run the kcapi-hasher binary directly when -needed (even via the libtool wrapper) and to simplify the hasher tests. ---- - apps/kcapi-hasher.c | 22 ++++++++--- - test/hasher-test.sh | 108 +++++++++++++++++++--------------------------------- - 2 files changed, 57 insertions(+), 73 deletions(-) - -diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c -index 9a5d2ee..ae88211 100644 ---- a/apps/kcapi-hasher.c -+++ b/apps/kcapi-hasher.c -@@ -117,14 +117,15 @@ static void usage(char *name, int fipscheck) - const char *base = basename(name); - fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name)); - fprintf(stderr, "\nUsage:\n"); -- fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base); -+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -S|-L\n", base); - if (fipscheck) -- fprintf(stderr, "\t%s [OPTION]... FILE\n", base); -+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base); - else { -- fprintf(stderr, "\t%s [OPTION]... -c FILE\n", base); -- fprintf(stderr, "\t%s [OPTION]... FILE...\n", base); -+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base); -+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... 
FILE...\n", base); - } - fprintf(stderr, "\nOptions:\n"); -+ fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n"); - fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n"); - fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n"); - if (!fipscheck) -@@ -781,12 +782,19 @@ int main(int argc, char *argv[]) - const char *targetfile = NULL; - uint8_t *hmackey_alloc = NULL; - uint8_t *hmackey_mmap = NULL; -+ int opt_index = 0; - int loglevel = 0; - int hmac = 0; - int fipscheck = 0; - int fipshmac = 0; - int selfcheck_mode = SELFCHECK_CHECK; - -+ static const char *opts_name_short = "n:"; -+ static const struct option opts_name[] = { -+ {"name", 1, 0, 'n'}, -+ {0, 0, 0, 0} -+ }; -+ - static const char *opts_short = "c:uh:t:SLqk:K:vbd:P"; - static const struct option opts[] = { - {"help", 0, 0, 0}, -@@ -833,6 +841,11 @@ int main(int argc, char *argv[]) - } - basen = basename(basec); - -+ if (getopt_long(argc, argv, opts_name_short, opts_name, &opt_index) == 'n') -+ basen = optarg; -+ else -+ opt_index = 0; -+ - params_self = &PARAMS_SELF_FIPSCHECK; - if (0 == strncmp(basen, "sha256sum", 9)) { - names = NAMES_SHA256; -@@ -888,7 +901,6 @@ int main(int argc, char *argv[]) - } - - while (1) { -- int opt_index = 0; - int c = getopt_long(argc, argv, opts_short, opts, &opt_index); - - if (-1 == c) -diff --git a/test/hasher-test.sh b/test/hasher-test.sh -index 28c6b5a..f36897b 100755 ---- a/test/hasher-test.sh -+++ b/test/hasher-test.sh -@@ -22,15 +22,18 @@ - - HASHERBIN="${APPDIR}/kcapi-hasher" - find_platform $HASHERBIN --HASHERBIN=$(get_binlocation $HASHERBIN) - --SUMHASHER="${TMPDIR}/md5sum ${TMPDIR}/sha1sum ${TMPDIR}/sha256sum ${TMPDIR}/sha384sum ${TMPDIR}/sha512sum" --HMACHASHER="${TMPDIR}/sha1hmac ${TMPDIR}/sha256hmac ${TMPDIR}/sha384hmac ${TMPDIR}/sha512hmac" -+function run_hasher() { -+ "$HASHERBIN" -n "$@" -+} -+ -+SUMHASHER="md5sum sha1sum sha256sum sha384sum sha512sum" 
-+HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac" - CHKFILE="${TMPDIR}/chk.$$" - ANOTHER="${TMPDIR}/test.$$" - - touch $ANOTHER --trap "rm -f $ANOTHER $CHKFILE $SUMHASHER $HMACHASHER" 0 1 2 3 15 -+trap "rm -f $ANOTHER $CHKFILE" 0 1 2 3 15 - - if [ ! -e $HASHERBIN ] - then -@@ -38,20 +41,10 @@ then - exit 1 - fi - --#although a hard link suffices, we need to copy it --for i in $SUMHASHER $HMACHASHER --do -- #ln $HASHERBIN $i -- cp -f $HASHERBIN $i --done -- --libdir=$(dirname $(realpath ../.libs/libkcapi.so)) --libname=$(realpath ../.libs/libkcapi.so) -- - for hasher in $SUMHASHER $HMACHASHER - do - >$CHKFILE -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE -+ run_hasher $hasher -c $CHKFILE - if [ $? -eq 0 ] - then - echo_fail "Verification of empty checker file with hasher $hasher did not fail" -@@ -60,7 +53,7 @@ do - fi - - echo >$CHKFILE -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE -+ run_hasher $hasher -c $CHKFILE - if [ $? -eq 0 ] - then - echo_fail "Verification of empty line checker file with hasher $hasher did not fail" -@@ -68,9 +61,8 @@ do - echo_pass "Failure on empty line checker file for $hasher" - fi - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \ -- sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE -+ run_hasher $hasher $0 $ANOTHER | sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE -+ run_hasher $hasher -q -c $CHKFILE - if [ $? -eq 0 ] - then - echo_pass "Parsing checker file with asterisk with $hasher" -@@ -78,8 +70,7 @@ do - echo_fail "Parsing checker file with asterisk (binary mode) with $hasher failed" - fi - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \ -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c - -+ run_hasher $hasher $0 $ANOTHER | run_hasher $hasher -q -c - - if [ $? 
-eq 0 ] - then - echo_pass "Checker file '-' interpretation with $hasher" -@@ -87,7 +78,7 @@ do - echo_fail "Checker file '-' interpretation with $hasher failed" - fi - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 - <$ANOTHER >/dev/null -+ run_hasher $hasher $0 - <$ANOTHER >/dev/null - if [ $? -eq 0 ] - then - echo_pass "Input file '-' interpretation with $hasher" -@@ -100,16 +91,16 @@ done - - for i in $SUMHASHER - do -- hash=$(basename $i) -- hash=${hash%%sum} - hasher=$i -- i=$(basename $i) -- [ ! -e "$hasher" ] && { -- echo_deact "Hasher $hasher does not exist" -+ hash=${hasher%%sum} -+ i=$(command -v $i) -+ -+ [ -z "$i" ] && { -+ echo_deact "reference application $hasher missing" - continue - } - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE -+ run_hasher $hasher $0 $ANOTHER > $CHKFILE - [ $? -ne 0 ] && { - echo_fail "Generation of hashes with hasher $hasher failed" - continue -@@ -131,14 +122,14 @@ do - continue - } - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher --status -c $CHKFILE -+ run_hasher $hasher --status -c $CHKFILE - [ $? -ne 0 ] && echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed" - - echo -n 123 >$CHKFILE - - a=$(openssl dgst -$hash -hmac 123 $0 | cut -f 2 -d" ") -- b=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -K 123 $0 | cut -f 1 -d" ") -- c=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -k $CHKFILE $0 | cut -f 1 -d" ") -+ b=$(run_hasher $hasher -K 123 $0 | cut -f 1 -d" ") -+ c=$(run_hasher $hasher -k $CHKFILE $0 | cut -f 1 -d" ") - [ x"$a" != x"$b" ] && { - echo_fail "HMAC calculation for $hasher failed (cmdline key)" - continue -@@ -153,23 +144,16 @@ done - - for i in $HMACHASHER - do -- hash=$(basename $i) -- hash=${hash%%hmac} - hasher=$i -- t=$(basename $i) -- i=$(command -v $t) -+ hash=${hasher%%hmac} -+ i=$(command -v $i) - - [ -z "$i" ] && { -- echo_deact "hmaccalc reference application $t missing" -- continue -- } -- -- [ ! 
-e "$hasher" ] && { -- echo_fail "Hasher $hasher does not exist" -+ echo_deact "hmaccalc reference application $hasher missing" - continue - } - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE -+ run_hasher $hasher $0 $ANOTHER > $CHKFILE - [ $? -ne 0 ] && { - echo_fail "Generation of hashes with hasher $hasher failed" - continue -@@ -191,7 +175,7 @@ do - continue - } - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE -+ run_hasher $hasher -q -c $CHKFILE - if [ $? -ne 0 ] - then - echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed" -@@ -210,13 +194,8 @@ do - ref=${i%%hmac}sum - hasher=$i - -- [ ! -e "$hasher" ] && { -- echo_fail "Hasher $hasher does not exist" -- continue -- } -- -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref $0 $ANOTHER > $CHKFILE -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u -q -c $CHKFILE -+ run_hasher $ref $0 $ANOTHER > $CHKFILE -+ run_hasher $hasher -u -q -c $CHKFILE - if [ $? -ne 0 ] - then - echo_fail "Unkeyed verification with hasher $hasher failed" -@@ -224,8 +203,8 @@ do - echo_pass "Unkeyed verification with hasher $hasher" - fi - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u $0 $ANOTHER > $CHKFILE -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref --status -c $CHKFILE -+ run_hasher $hasher -u $0 $ANOTHER > $CHKFILE -+ run_hasher $ref --status -c $CHKFILE - if [ $? -ne 0 ] - then - echo_fail "Unkeyed generation of checker file with hasher $hasher failed" -@@ -239,12 +218,10 @@ done - # - # Test hmaccalc's ignored compatibility options: - # --for i in $HMACHASHER -+for hasher in $HMACHASHER - do -- hasher=$i -- - compat="-d -P -b" -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $compat $0 $ANOTHER > /dev/null -+ run_hasher $hasher $compat $0 $ANOTHER > /dev/null - if [ $? 
-ne 0 ] - then - echo_fail "Hasher $hasher does not accept compatiblity options: $compat" -@@ -256,11 +233,9 @@ done - # - # Test hmaccalc's -S option: - # --for i in $HMACHASHER -+for hasher in $HMACHASHER - do -- hasher=$i -- -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -S >$CHKFILE -+ run_hasher $hasher -S >$CHKFILE - if [ $? -ne 0 ] - then - echo_fail "Hasher $hasher does not accept the -S option" -@@ -277,11 +252,9 @@ done - # - # Test hmaccalc's -h option: - # --for i in $HMACHASHER -+for hasher in $HMACHASHER - do -- hasher=$i -- -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -h sha1 $0 $ANOTHER >$CHKFILE -+ run_hasher $hasher -h sha1 $0 $ANOTHER >$CHKFILE - if [ $? -ne 0 ] - then - echo_fail "Hasher $hasher does not accept the -h option" -@@ -289,8 +262,7 @@ do - continue - fi - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $TMPDIR/sha1hmac $0 $ANOTHER | \ -- diff $CHKFILE - -+ run_hasher sha1hmac $0 $ANOTHER | diff $CHKFILE - - if [ $? -ne 0 ] - then - echo_fail "Hasher $hasher does not work correctly with the -h option" -@@ -328,7 +300,7 @@ function run_kat() { - expand_string "$data" >"$ANOTHER" - echo "${result#0x} $ANOTHER" >"$CHKFILE" - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \ -+ run_hasher $hasher -q \ - -k <(expand_string "$key") -c "$CHKFILE" $truncate_opt - if [ $? -ne 0 ] - then -@@ -337,7 +309,7 @@ function run_kat() { - echo_pass "Verification of hasher $hasher -c ... with KAT '$id'" - fi - -- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \ -+ run_hasher $hasher -q \ - -k <(expand_string "$key") "$ANOTHER" $truncate_opt \ - | diff - "$CHKFILE" - if [ $? -ne 0 ] diff --git a/libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch b/libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch deleted file mode 100644 index 6c9b72f..0000000 --- a/libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 3a860a5d5231e4912d4611397752f2010467a578 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Mon, 16 Apr 2018 19:35:57 +0200 -Subject: [PATCH] kcapi-hasher: Fix FIPS self-check always failing - ---- - apps/kcapi-hasher.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c -index 861db79..a5e9c71 100644 ---- a/apps/kcapi-hasher.c -+++ b/apps/kcapi-hasher.c -@@ -583,6 +583,7 @@ static int process_checkfile(const struct hash_params *params, - if (ret >= 0) - ret++; - } -+ checked_any = 1; - } else { - /* - * fipscheck does not have the filename in the check -@@ -591,11 +592,10 @@ static int process_checkfile(const struct hash_params *params, - if (targetfile) { - ret = hasher(handle, params, targetfile, - hexhash, hexhashlen + 1, stdout); -+ checked_any = 1; - goto out; - } - } -- -- checked_any = 1; - } - - out: diff --git a/libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch b/libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch deleted file mode 100644 index de5bb83..0000000 --- a/libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch +++ /dev/null 
@@ -1,373 +0,0 @@ -From 1ce0b18e588e226f4e9dcc3897236ae938b9d4dd Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 18 Apr 2018 10:03:49 +0200 -Subject: [PATCH 1/4] kcapi-hasher: Use consistent lib self-check params - -Since the various hasher tools use different HMAC parameters (hash, -key) and they all need to check the libkcapi library, it is necessary -to use a consistent set of parameters for the library itself. - -This patch changes the behavior to always check the library using the -fipscheck hash and key. ---- - apps/kcapi-hasher.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c -index 480a019..1d76e1d 100644 ---- a/apps/kcapi-hasher.c -+++ b/apps/kcapi-hasher.c -@@ -611,7 +611,8 @@ static int process_checkfile(const struct hash_params *params, - - } - --static int fipscheck_self(const struct hash_params *params, int just_print) -+static int fipscheck_self(const struct hash_params *params_bin, -+ const struct hash_params *params_lib, int just_print) - { - char *checkfile = NULL; - uint32_t n = 0; -@@ -668,7 +669,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print) - } - - if (just_print) { -- ret = hash_files(params, names, 1, 0, 1); -+ ret = hash_files(params_bin, names, 1, 0, 1); - goto out; - } - -@@ -678,7 +679,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print) - goto out; - } - -- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS); -+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS); - if (ret) - goto out; - -@@ -710,7 +711,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print) - goto out; - } - -- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS); -+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS); - - out: - if (checkfile) -@@ -1010,7 +1011,8 @@ int main(int argc, char *argv[]) - } - } - -- if 
(fipscheck_self(params_self, print_self_hash)) { -+ /* library self-check must be consistent across apps: */ -+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) { - fprintf(stderr, "Integrity check of application %s failed\n", - basen); - ret = 1; - -From c69e77d4abd5b77a3f396abb816af1df8c9a7733 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 18 Apr 2018 11:59:11 +0200 -Subject: [PATCH 2/4] Makefile.am: Properly install checksum files - ---- - Makefile.am | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index ed724fe..07e2451 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -139,16 +139,25 @@ EXTRA_bin_kcapi_hasher_DEPENDENCIES = libtool - - SCAN_FILES += $(bin_kcapi_hasher_SOURCES) - --kcapi_hasher_links = sha1sum sha224sum sha256sum sha384sum sha512sum \ -- md5sum fipscheck fipshmac \ -- sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac -+hasher_links_fc = sha1sum sha224sum sha256sum sha384sum sha512sum \ -+ md5sum fipscheck fipshmac -+hasher_links_hc = sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac -+hasher_links = $(hasher_links_fc) $(hasher_links_hc) -+ -+CHECKSUM_CMD_FC = $(OPENSSL) sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP -+CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009 - - install-exec-hook: - (cd $(DESTDIR)$(bindir) && \ -- ($(foreach link, $(kcapi_hasher_links), $(LN) -f kcapi-hasher $(link);))) -+ ($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);))) - if HAVE_OPENSSL - (cd $(DESTDIR)$(bindir) && \ -- ($(foreach link, $(kcapi_hasher_links), $(OPENSSL) sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);))) -+ ($(foreach link, $(hasher_links_fc), \ -+ $(CHECKSUM_CMD_FC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);) \ -+ $(foreach link, $(hasher_links_hc), \ -+ $(CHECKSUM_CMD_HC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);):)) -+ ($(foreach lib, 
$(wildcard $(DESTDIR)$(libdir)/libkcapi.so*), \ -+ $(CHECKSUM_CMD_FC) $(lib) > $(CHECK_PREFIX)$(lib).$(CHECK_SUFFIX);):) - endif - endif - - -From a90c618490385d9d6214dd4918dd679b0be0df9f Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 18 Apr 2018 12:17:59 +0200 -Subject: [PATCH 3/4] kcapi-hasher: Add -L option for completeness - -Since kcapi-hasher also checks the checksum of the libkcapi library, add --L option to print the checksum of the library. ---- - apps/kcapi-hasher.c | 130 ++++++++++++++++++++++++++++++---------------------- - 1 file changed, 75 insertions(+), 55 deletions(-) - -diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c -index 1d76e1d..7890060 100644 ---- a/apps/kcapi-hasher.c -+++ b/apps/kcapi-hasher.c -@@ -114,7 +114,7 @@ static void usage(char *name, int fipscheck) - const char *base = basename(name); - fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name)); - fprintf(stderr, "\nUsage:\n"); -- fprintf(stderr, "\t%s [OPTION]... -S\n", base); -+ fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base); - if (fipscheck) - fprintf(stderr, "\t%s [OPTION]... 
FILE\n", base); - else { -@@ -123,6 +123,7 @@ static void usage(char *name, int fipscheck) - } - fprintf(stderr, "\nOptions:\n"); - fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n"); -+ fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n"); - if (!fipscheck) - fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n"); - fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n"); -@@ -611,8 +612,13 @@ static int process_checkfile(const struct hash_params *params, - - } - -+/* self-check modes: */ -+#define SELFCHECK_CHECK 0 -+#define SELFCHECK_PRINT_SELF 1 -+#define SELFCHECK_PRINT_LIB 2 -+ - static int fipscheck_self(const struct hash_params *params_bin, -- const struct hash_params *params_lib, int just_print) -+ const struct hash_params *params_lib, int mode) - { - char *checkfile = NULL; - uint32_t n = 0; -@@ -626,9 +632,9 @@ static int fipscheck_self(const struct hash_params *params_bin, - void *dl = NULL, *sym; - - #ifdef HAVE_SECURE_GETENV -- if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) { -+ if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) { - #else -- if (getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) { -+ if (getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) { - #endif - fipsflag[0] = 1; - } else { -@@ -660,58 +666,68 @@ static int fipscheck_self(const struct hash_params *params_bin, - } - - /* Integrity check of our application. 
*/ -- memset(selfname, 0, sizeof(selfname)); -- selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE); -- if (selfnamesize >= BUFSIZE || selfnamesize < 0) { -- fprintf(stderr, "Cannot obtain my filename\n"); -- ret = -EFAULT; -- goto out; -- } -+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_SELF) { -+ memset(selfname, 0, sizeof(selfname)); -+ selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE); -+ if (selfnamesize >= BUFSIZE || selfnamesize < 0) { -+ fprintf(stderr, "Cannot obtain my filename\n"); -+ ret = -EFAULT; -+ goto out; -+ } - -- if (just_print) { -- ret = hash_files(params_bin, names, 1, 0, 1); -- goto out; -- } -+ if (mode == SELFCHECK_PRINT_SELF) { -+ ret = hash_files(params_bin, names, 1, 0, 1); -+ goto out; -+ } - -- checkfile = get_hmac_file(selfname); -- if (!checkfile) { -- ret = -ENOMEM; -- goto out; -- } -+ checkfile = get_hmac_file(selfname); -+ if (!checkfile) { -+ ret = -ENOMEM; -+ goto out; -+ } - -- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS); -- if (ret) -- goto out; -+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS); -+ if (ret) -+ goto out; -+ } - - /* Integrity check of shared libkcapi.so file. 
*/ -- memset(selfname, 0, sizeof(selfname)); -- snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u", -- KCAPI_MAJVERSION); -- dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); -- if (dl == NULL) { -- fprintf(stderr, "dlopen of file %s failed\n", selfname); -- ret = -EFAULT; -- goto out; -- } -+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_LIB) { -+ memset(selfname, 0, sizeof(selfname)); -+ snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u", -+ KCAPI_MAJVERSION); -+ dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); -+ if (dl == NULL) { -+ fprintf(stderr, "dlopen of file %s failed\n", selfname); -+ ret = -EFAULT; -+ goto out; -+ } - -- memset(selfname, 0, sizeof(selfname)); -- sym = dlsym(dl, "kcapi_md_init"); -- if (sym == NULL || !dladdr(sym, &info)) { -- fprintf(stderr, "finding symbol kcapi_md_init failed\n"); -- ret = -EFAULT; -- goto out; -- } -+ memset(selfname, 0, sizeof(selfname)); -+ sym = dlsym(dl, "kcapi_md_init"); -+ if (sym == NULL || !dladdr(sym, &info)) { -+ fprintf(stderr, "finding symbol kcapi_md_init failed\n"); -+ ret = -EFAULT; -+ goto out; -+ } - -- strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1)); -+ strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1)); - -- free(checkfile); -- checkfile = get_hmac_file(selfname); -- if (!checkfile) { -- ret = -ENOMEM; -- goto out; -- } -+ if (mode == SELFCHECK_PRINT_LIB) { -+ ret = hash_files(params_lib, names, 1, 0, 1); -+ goto out; -+ } -+ -+ if (checkfile) -+ free(checkfile); -+ checkfile = get_hmac_file(selfname); -+ if (!checkfile) { -+ ret = -ENOMEM; -+ goto out; -+ } - -- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS); -+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS); -+ } - - out: - if (checkfile) -@@ -753,9 +769,9 @@ int main(int argc, char *argv[]) - int hmac = 0; - int fipscheck = 0; - int fipshmac = 0; -- int print_self_hash = 0; -+ int selfcheck_mode = SELFCHECK_CHECK; - -- static const char 
*opts_short = "c:uh:t:Sqk:K:vbd:P"; -+ static const char *opts_short = "c:uh:t:SLqk:K:vbd:P"; - static const struct option opts[] = { - {"help", 0, 0, 0}, - {"tag", 0, 0, 0}, -@@ -765,6 +781,7 @@ int main(int argc, char *argv[]) - {"hash", 1, 0, 'h'}, - {"truncate", 1, 0, 't'}, - {"self-sum", 0, 0, 'S'}, -+ {"self-sum-lib", 0, 0, 'L'}, - {"status", 0, 0, 'q'}, - {"key-file", 1, 0, 'k'}, - {"key", 1, 0, 'K'}, -@@ -932,7 +949,10 @@ int main(int argc, char *argv[]) - params.hashlen /= 8; - break; - case 'S': -- print_self_hash = 1; -+ selfcheck_mode = SELFCHECK_PRINT_SELF; -+ break; -+ case 'L': -+ selfcheck_mode = SELFCHECK_PRINT_LIB; - break; - case 'q': - loglevel = CHK_STATUS; -@@ -998,28 +1018,28 @@ int main(int argc, char *argv[]) - } - } - -- if (print_self_hash) { -+ if (selfcheck_mode != SELFCHECK_CHECK) { - if (checkfile) { -- fprintf(stderr, "-S and -c cannot be combined\n"); -+ fprintf(stderr, "-S/-L and -c cannot be combined\n"); - ret = 1; - goto out; - } - if (optind != argc) { -- fprintf(stderr, "-S cannot be used with input files\n"); -+ fprintf(stderr, "-S/-L cannot be used with input files\n"); - ret = 1; - goto out; - } - } - - /* library self-check must be consistent across apps: */ -- if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) { -+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, selfcheck_mode)) { - fprintf(stderr, "Integrity check of application %s failed\n", - basen); - ret = 1; - goto out; - } - -- if (print_self_hash) { -+ if (selfcheck_mode != SELFCHECK_CHECK) { - ret = 0; - goto out; - } - -From 7b176840ff60bc596a7c80685ef0a81adbc00e4b Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 19 Apr 2018 10:39:12 +0200 -Subject: [PATCH 4/4] Makefile.am: Do not install kcapi-hasher binary - -The kcapi-hasher binary is not usable on its own so it can be removed -after hard-linking the actual hasher tools. 
---- - Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/Makefile.am b/Makefile.am -index 07e2451..383da75 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -150,6 +150,7 @@ CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009 - install-exec-hook: - (cd $(DESTDIR)$(bindir) && \ - ($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);))) -+ -rm -f $(DESTDIR)$(bindir)/kcapi-hasher - if HAVE_OPENSSL - (cd $(DESTDIR)$(bindir) && \ - ($(foreach link, $(hasher_links_fc), \ diff --git a/libkcapi-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch b/libkcapi-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch deleted file mode 100644 index eaea641..0000000 --- a/libkcapi-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch +++ /dev/null @@ -1,23 +0,0 @@ -From f8e032f150522c17094e36dcf62ec3ebc77e69d8 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Mon, 16 Apr 2018 15:39:03 +0200 -Subject: [PATCH] kcapi-hasher: Fix buffer overrun in get_hmac_file - -We need to allocate space also for the terminating null character... ---- - apps/kcapi-hasher.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c -index 861db79..2b87a45 100644 ---- a/apps/kcapi-hasher.c -+++ b/apps/kcapi-hasher.c -@@ -360,7 +360,7 @@ static char *get_hmac_file(const char *filename) - fprintf(stderr, "File too long\n"); - return NULL; - } -- checkfile = malloc(filelen + prefixlen + 1 + suffixlen); -+ checkfile = malloc(filelen + prefixlen + 1 + suffixlen + 1); - if (!checkfile) - return NULL; - diff --git a/libkcapi.spec b/libkcapi.spec index 75f9318..c46b46f 100644 --- a/libkcapi.spec +++ b/libkcapi.spec @@ -1,7 +1,7 @@ # Shared object version of libkcapi. %global vmajor 1 %global vminor 1 -%global vpatch 0 +%global vpatch 1 # Do we build the replacements packages? %bcond_with replace_coreutils 
@@ -91,7 +91,7 @@ bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version} \\\
 Name: libkcapi
 Version: %{vmajor}.%{vminor}.%{vpatch}
-Release: 5%{?dist}
+Release: 1%{?dist}
 Summary: User space interface to the Linux Kernel Crypto API
 License: BSD or GPLv2
@@ -99,11 +99,6 @@ URL: http://www.chronox.de/%{name}.html
 Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
 Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
-Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
-Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
-Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
-Patch3: %{giturl}/pull/57.patch#/%{name}-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
-
 BuildRequires: clang
 BuildRequires: coreutils
 BuildRequires: cppcheck
@@ -421,6 +416,9 @@ popd
 %changelog
+* Mon Jun 18 2018 Ondrej Mosnáček - 1.1.1-1
+- Update to upstream version 1.1.1
+
 * Wed May 09 2018 Ondrej Mosnáček - 1.1.0-5
 - Skip CLang static analysis in RHEL
 - Revert "Skip CLang static analysis in RHEL"
diff --git a/sources b/sources
index f1a22ba..a7ceacf 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (libkcapi-1.1.0.tar.xz) = 8d7a775a7ac3a16e006cc21a40e0dbc2c068879fb277ef7a96f706aa0a822ee6c29dba59e34a42cc2e3da926ee242fb47b6c1486d846d9028d662bc71e8f25fd
-SHA512 (libkcapi-1.1.0.tar.xz.asc) = f2ecc4bc477231a5f2b91476f4d300be32d796cf5f49b0b89e3f5c5735690fe4b6baec3739aa8df99eaac6eac66a63b23ce25e9b16bec17f8748fcac19843968
+SHA512 (libkcapi-1.1.1.tar.xz) = 245740660a78e8581dfc3d5272f6a27396ef6ec987b25ee86b517979bf3d8bba2dd9c8a35ab8ddb6e370d7f5a346f0940fcc59f815adb9c44530ff2d7dfe0b4e
+SHA512 (libkcapi-1.1.1.tar.xz.asc) = 4aaa34b60ef13ae4fae4e29e5f8e0d71f3ba9d63141508787e52fb96974b0b477d3433109470fc3cca46b67434cca667135a3d4682f4b161b28cf2f37091b6a1
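Review bot: The `@@ -99,11 +99,6 @@` hunk drops Patch0–Patch3 without the commit message or the new changelog entry stating that upstream 1.1.1 actually carries those four fixes, so the drop cannot be audited from the spec history. The removed patches include a heap buffer overrun fix in get_hmac_file (the missing `+ 1` for the NUL terminator) and two FIPS self-check fixes, so a release that silently lacked them would reintroduce a memory-safety bug and a broken integrity check; I cannot confirm from this diff that 1.1.1 contains them, so that should be checked against the upstream tarball's apps/kcapi-hasher.c before the build lands. The spec also still depends on the `-n` option that Patch3 (pull/57) added, visible in the `@@ -91,7 +91,7 @@` hunk header context `bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version}`, so a 1.1.1 without it would break the install-time checksum step. Suggest extending the changelog entry in the `@@ -421,6 +416,9 @@` hunk with `- Drop patches merged upstream (kcapi-hasher PRs 52, 53, 54, 57)` so the reason for removal is recorded.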