rpms/libkcapi
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream version 1.1.1

Browse Source
This commit is contained in:
Ondrej Mosnacek 2018-06-18 11:17:46 +02:00
parent a96229f2c0
commit b5f3088903
6 changed files with 7 additions and 780 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

341
libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
View File

@ -1,341 +0,0 @@
From 4986c2c95422f97ca0f8db94ce422a01f9a9fa5e Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 24 May 2018 08:28:02 +0200
Subject: [PATCH] kcapi-hasher: Allow picking basename via cmdline
This makes it possible to run the kcapi-hasher binary directly when
needed (even via the libtool wrapper) and to simplify the hasher tests.
---
apps/kcapi-hasher.c | 22 ++++++++---
test/hasher-test.sh | 108 +++++++++++++++++++---------------------------------
2 files changed, 57 insertions(+), 73 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 9a5d2ee..ae88211 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -117,14 +117,15 @@ static void usage(char *name, int fipscheck)
const char *base = basename(name);
fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name));
fprintf(stderr, "\nUsage:\n");
- fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -S|-L\n", base);
if (fipscheck)
- fprintf(stderr, "\t%s [OPTION]... FILE\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
else {
- fprintf(stderr, "\t%s [OPTION]... -c FILE\n", base);
- fprintf(stderr, "\t%s [OPTION]... FILE...\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
}
fprintf(stderr, "\nOptions:\n");
+ fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
if (!fipscheck)
@@ -781,12 +782,19 @@ int main(int argc, char *argv[])
const char *targetfile = NULL;
uint8_t *hmackey_alloc = NULL;
uint8_t *hmackey_mmap = NULL;
+ int opt_index = 0;
int loglevel = 0;
int hmac = 0;
int fipscheck = 0;
int fipshmac = 0;
int selfcheck_mode = SELFCHECK_CHECK;
+ static const char *opts_name_short = "n:";
+ static const struct option opts_name[] = {
+ {"name", 1, 0, 'n'},
+ {0, 0, 0, 0}
+ };
+
static const char *opts_short = "c:uh:t:SLqk:K:vbd:P";
static const struct option opts[] = {
{"help", 0, 0, 0},
@@ -833,6 +841,11 @@ int main(int argc, char *argv[])
}
basen = basename(basec);
+ if (getopt_long(argc, argv, opts_name_short, opts_name, &opt_index) == 'n')
+ basen = optarg;
+ else
+ opt_index = 0;
+
params_self = &PARAMS_SELF_FIPSCHECK;
if (0 == strncmp(basen, "sha256sum", 9)) {
names = NAMES_SHA256;
@@ -888,7 +901,6 @@ int main(int argc, char *argv[])
}
while (1) {
- int opt_index = 0;
int c = getopt_long(argc, argv, opts_short, opts, &opt_index);
if (-1 == c)
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
index 28c6b5a..f36897b 100755
--- a/test/hasher-test.sh
+++ b/test/hasher-test.sh
@@ -22,15 +22,18 @@
HASHERBIN="${APPDIR}/kcapi-hasher"
find_platform $HASHERBIN
-HASHERBIN=$(get_binlocation $HASHERBIN)
-SUMHASHER="${TMPDIR}/md5sum ${TMPDIR}/sha1sum ${TMPDIR}/sha256sum ${TMPDIR}/sha384sum ${TMPDIR}/sha512sum"
-HMACHASHER="${TMPDIR}/sha1hmac ${TMPDIR}/sha256hmac ${TMPDIR}/sha384hmac ${TMPDIR}/sha512hmac"
+function run_hasher() {
+ "$HASHERBIN" -n "$@"
+}
+
+SUMHASHER="md5sum sha1sum sha256sum sha384sum sha512sum"
+HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
CHKFILE="${TMPDIR}/chk.$$"
ANOTHER="${TMPDIR}/test.$$"
touch $ANOTHER
-trap "rm -f $ANOTHER $CHKFILE $SUMHASHER $HMACHASHER" 0 1 2 3 15
+trap "rm -f $ANOTHER $CHKFILE" 0 1 2 3 15
if [ ! -e $HASHERBIN ]
then
@@ -38,20 +41,10 @@ then
exit 1
fi
-#although a hard link suffices, we need to copy it
-for i in $SUMHASHER $HMACHASHER
-do
- #ln $HASHERBIN $i
- cp -f $HASHERBIN $i
-done
-
-libdir=$(dirname $(realpath ../.libs/libkcapi.so))
-libname=$(realpath ../.libs/libkcapi.so)
-
for hasher in $SUMHASHER $HMACHASHER
do
>$CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE
+ run_hasher $hasher -c $CHKFILE
if [ $? -eq 0 ]
then
echo_fail "Verification of empty checker file with hasher $hasher did not fail"
@@ -60,7 +53,7 @@ do
fi
echo >$CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE
+ run_hasher $hasher -c $CHKFILE
if [ $? -eq 0 ]
then
echo_fail "Verification of empty line checker file with hasher $hasher did not fail"
@@ -68,9 +61,8 @@ do
echo_pass "Failure on empty line checker file for $hasher"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \
- sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE
+ run_hasher $hasher $0 $ANOTHER | sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE
+ run_hasher $hasher -q -c $CHKFILE
if [ $? -eq 0 ]
then
echo_pass "Parsing checker file with asterisk with $hasher"
@@ -78,8 +70,7 @@ do
echo_fail "Parsing checker file with asterisk (binary mode) with $hasher failed"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c -
+ run_hasher $hasher $0 $ANOTHER | run_hasher $hasher -q -c -
if [ $? -eq 0 ]
then
echo_pass "Checker file '-' interpretation with $hasher"
@@ -87,7 +78,7 @@ do
echo_fail "Checker file '-' interpretation with $hasher failed"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 - <$ANOTHER >/dev/null
+ run_hasher $hasher $0 - <$ANOTHER >/dev/null
if [ $? -eq 0 ]
then
echo_pass "Input file '-' interpretation with $hasher"
@@ -100,16 +91,16 @@ done
for i in $SUMHASHER
do
- hash=$(basename $i)
- hash=${hash%%sum}
hasher=$i
- i=$(basename $i)
- [ ! -e "$hasher" ] && {
- echo_deact "Hasher $hasher does not exist"
+ hash=${hasher%%sum}
+ i=$(command -v $i)
+
+ [ -z "$i" ] && {
+ echo_deact "reference application $hasher missing"
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE
+ run_hasher $hasher $0 $ANOTHER > $CHKFILE
[ $? -ne 0 ] && {
echo_fail "Generation of hashes with hasher $hasher failed"
continue
@@ -131,14 +122,14 @@ do
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher --status -c $CHKFILE
+ run_hasher $hasher --status -c $CHKFILE
[ $? -ne 0 ] && echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed"
echo -n 123 >$CHKFILE
a=$(openssl dgst -$hash -hmac 123 $0 | cut -f 2 -d" ")
- b=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -K 123 $0 | cut -f 1 -d" ")
- c=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -k $CHKFILE $0 | cut -f 1 -d" ")
+ b=$(run_hasher $hasher -K 123 $0 | cut -f 1 -d" ")
+ c=$(run_hasher $hasher -k $CHKFILE $0 | cut -f 1 -d" ")
[ x"$a" != x"$b" ] && {
echo_fail "HMAC calculation for $hasher failed (cmdline key)"
continue
@@ -153,23 +144,16 @@ done
for i in $HMACHASHER
do
- hash=$(basename $i)
- hash=${hash%%hmac}
hasher=$i
- t=$(basename $i)
- i=$(command -v $t)
+ hash=${hasher%%hmac}
+ i=$(command -v $i)
[ -z "$i" ] && {
- echo_deact "hmaccalc reference application $t missing"
- continue
- }
-
- [ ! -e "$hasher" ] && {
- echo_fail "Hasher $hasher does not exist"
+ echo_deact "hmaccalc reference application $hasher missing"
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE
+ run_hasher $hasher $0 $ANOTHER > $CHKFILE
[ $? -ne 0 ] && {
echo_fail "Generation of hashes with hasher $hasher failed"
continue
@@ -191,7 +175,7 @@ do
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE
+ run_hasher $hasher -q -c $CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed"
@@ -210,13 +194,8 @@ do
ref=${i%%hmac}sum
hasher=$i
- [ ! -e "$hasher" ] && {
- echo_fail "Hasher $hasher does not exist"
- continue
- }
-
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref $0 $ANOTHER > $CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u -q -c $CHKFILE
+ run_hasher $ref $0 $ANOTHER > $CHKFILE
+ run_hasher $hasher -u -q -c $CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Unkeyed verification with hasher $hasher failed"
@@ -224,8 +203,8 @@ do
echo_pass "Unkeyed verification with hasher $hasher"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u $0 $ANOTHER > $CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref --status -c $CHKFILE
+ run_hasher $hasher -u $0 $ANOTHER > $CHKFILE
+ run_hasher $ref --status -c $CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Unkeyed generation of checker file with hasher $hasher failed"
@@ -239,12 +218,10 @@ done
#
# Test hmaccalc's ignored compatibility options:
#
-for i in $HMACHASHER
+for hasher in $HMACHASHER
do
- hasher=$i
-
compat="-d -P -b"
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $compat $0 $ANOTHER > /dev/null
+ run_hasher $hasher $compat $0 $ANOTHER > /dev/null
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not accept compatiblity options: $compat"
@@ -256,11 +233,9 @@ done
#
# Test hmaccalc's -S option:
#
-for i in $HMACHASHER
+for hasher in $HMACHASHER
do
- hasher=$i
-
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -S >$CHKFILE
+ run_hasher $hasher -S >$CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not accept the -S option"
@@ -277,11 +252,9 @@ done
#
# Test hmaccalc's -h option:
#
-for i in $HMACHASHER
+for hasher in $HMACHASHER
do
- hasher=$i
-
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -h sha1 $0 $ANOTHER >$CHKFILE
+ run_hasher $hasher -h sha1 $0 $ANOTHER >$CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not accept the -h option"
@@ -289,8 +262,7 @@ do
continue
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $TMPDIR/sha1hmac $0 $ANOTHER | \
- diff $CHKFILE -
+ run_hasher sha1hmac $0 $ANOTHER | diff $CHKFILE -
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not work correctly with the -h option"
@@ -328,7 +300,7 @@ function run_kat() {
expand_string "$data" >"$ANOTHER"
echo "${result#0x} $ANOTHER" >"$CHKFILE"
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \
+ run_hasher $hasher -q \
-k <(expand_string "$key") -c "$CHKFILE" $truncate_opt
if [ $? -ne 0 ]
then
@@ -337,7 +309,7 @@ function run_kat() {
echo_pass "Verification of hasher $hasher -c ... with KAT '$id'"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \
+ run_hasher $hasher -q \
-k <(expand_string "$key") "$ANOTHER" $truncate_opt \
| diff - "$CHKFILE"
if [ $? -ne 0 ]

34
libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
View File

@ -1,34 +0,0 @@
From 3a860a5d5231e4912d4611397752f2010467a578 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 16 Apr 2018 19:35:57 +0200
Subject: [PATCH] kcapi-hasher: Fix FIPS self-check always failing
---
apps/kcapi-hasher.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 861db79..a5e9c71 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -583,6 +583,7 @@ static int process_checkfile(const struct hash_params *params,
if (ret >= 0)
ret++;
}
+ checked_any = 1;
} else {
/*
* fipscheck does not have the filename in the check
@@ -591,11 +592,10 @@ static int process_checkfile(const struct hash_params *params,
if (targetfile) {
ret = hasher(handle, params, targetfile,
hexhash, hexhashlen + 1, stdout);
+ checked_any = 1;
goto out;
}
}
-
- checked_any = 1;
}
out:

373
libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
View File

@ -1,373 +0,0 @@
From 1ce0b18e588e226f4e9dcc3897236ae938b9d4dd Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 18 Apr 2018 10:03:49 +0200
Subject: [PATCH 1/4] kcapi-hasher: Use consistent lib self-check params
Since the various hasher tools use different HMAC parameters (hash,
key) and they all need to check the libkcapi library, it is necessary
to use a consistent set of parameters for the library itself.
This patch changes the behavior to always check the library using the
fipscheck hash and key.
---
apps/kcapi-hasher.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 480a019..1d76e1d 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -611,7 +611,8 @@ static int process_checkfile(const struct hash_params *params,
}
-static int fipscheck_self(const struct hash_params *params, int just_print)
+static int fipscheck_self(const struct hash_params *params_bin,
+ const struct hash_params *params_lib, int just_print)
{
char *checkfile = NULL;
uint32_t n = 0;
@@ -668,7 +669,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
}
if (just_print) {
- ret = hash_files(params, names, 1, 0, 1);
+ ret = hash_files(params_bin, names, 1, 0, 1);
goto out;
}
@@ -678,7 +679,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
goto out;
}
- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
if (ret)
goto out;
@@ -710,7 +711,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
goto out;
}
- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
out:
if (checkfile)
@@ -1010,7 +1011,8 @@ int main(int argc, char *argv[])
}
}
- if (fipscheck_self(params_self, print_self_hash)) {
+ /* library self-check must be consistent across apps: */
+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) {
fprintf(stderr, "Integrity check of application %s failed\n",
basen);
ret = 1;
From c69e77d4abd5b77a3f396abb816af1df8c9a7733 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 18 Apr 2018 11:59:11 +0200
Subject: [PATCH 2/4] Makefile.am: Properly install checksum files
---
Makefile.am | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index ed724fe..07e2451 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -139,16 +139,25 @@ EXTRA_bin_kcapi_hasher_DEPENDENCIES = libtool
SCAN_FILES += $(bin_kcapi_hasher_SOURCES)
-kcapi_hasher_links = sha1sum sha224sum sha256sum sha384sum sha512sum \
- md5sum fipscheck fipshmac \
- sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
+hasher_links_fc = sha1sum sha224sum sha256sum sha384sum sha512sum \
+ md5sum fipscheck fipshmac
+hasher_links_hc = sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
+hasher_links = $(hasher_links_fc) $(hasher_links_hc)
+
+CHECKSUM_CMD_FC = $(OPENSSL) sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP
+CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009
install-exec-hook:
(cd $(DESTDIR)$(bindir) && \
- ($(foreach link, $(kcapi_hasher_links), $(LN) -f kcapi-hasher $(link);)))
+ ($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);)))
if HAVE_OPENSSL
(cd $(DESTDIR)$(bindir) && \
- ($(foreach link, $(kcapi_hasher_links), $(OPENSSL) sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);)))
+ ($(foreach link, $(hasher_links_fc), \
+ $(CHECKSUM_CMD_FC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);) \
+ $(foreach link, $(hasher_links_hc), \
+ $(CHECKSUM_CMD_HC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);):))
+ ($(foreach lib, $(wildcard $(DESTDIR)$(libdir)/libkcapi.so*), \
+ $(CHECKSUM_CMD_FC) $(lib) > $(CHECK_PREFIX)$(lib).$(CHECK_SUFFIX);):)
endif
endif
From a90c618490385d9d6214dd4918dd679b0be0df9f Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 18 Apr 2018 12:17:59 +0200
Subject: [PATCH 3/4] kcapi-hasher: Add -L option for completeness
Since kcapi-hasher also checks the checksum of the libkcapi library, add
-L option to print the checksum of the library.
---
apps/kcapi-hasher.c | 130 ++++++++++++++++++++++++++++++----------------------
1 file changed, 75 insertions(+), 55 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 1d76e1d..7890060 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -114,7 +114,7 @@ static void usage(char *name, int fipscheck)
const char *base = basename(name);
fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name));
fprintf(stderr, "\nUsage:\n");
- fprintf(stderr, "\t%s [OPTION]... -S\n", base);
+ fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base);
if (fipscheck)
fprintf(stderr, "\t%s [OPTION]... FILE\n", base);
else {
@@ -123,6 +123,7 @@ static void usage(char *name, int fipscheck)
}
fprintf(stderr, "\nOptions:\n");
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
+ fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
if (!fipscheck)
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
@@ -611,8 +612,13 @@ static int process_checkfile(const struct hash_params *params,
}
+/* self-check modes: */
+#define SELFCHECK_CHECK 0
+#define SELFCHECK_PRINT_SELF 1
+#define SELFCHECK_PRINT_LIB 2
+
static int fipscheck_self(const struct hash_params *params_bin,
- const struct hash_params *params_lib, int just_print)
+ const struct hash_params *params_lib, int mode)
{
char *checkfile = NULL;
uint32_t n = 0;
@@ -626,9 +632,9 @@ static int fipscheck_self(const struct hash_params *params_bin,
void *dl = NULL, *sym;
#ifdef HAVE_SECURE_GETENV
- if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) {
+ if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) {
#else
- if (getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) {
+ if (getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) {
#endif
fipsflag[0] = 1;
} else {
@@ -660,58 +666,68 @@ static int fipscheck_self(const struct hash_params *params_bin,
}
/* Integrity check of our application. */
- memset(selfname, 0, sizeof(selfname));
- selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE);
- if (selfnamesize >= BUFSIZE || selfnamesize < 0) {
- fprintf(stderr, "Cannot obtain my filename\n");
- ret = -EFAULT;
- goto out;
- }
+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_SELF) {
+ memset(selfname, 0, sizeof(selfname));
+ selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE);
+ if (selfnamesize >= BUFSIZE || selfnamesize < 0) {
+ fprintf(stderr, "Cannot obtain my filename\n");
+ ret = -EFAULT;
+ goto out;
+ }
- if (just_print) {
- ret = hash_files(params_bin, names, 1, 0, 1);
- goto out;
- }
+ if (mode == SELFCHECK_PRINT_SELF) {
+ ret = hash_files(params_bin, names, 1, 0, 1);
+ goto out;
+ }
- checkfile = get_hmac_file(selfname);
- if (!checkfile) {
- ret = -ENOMEM;
- goto out;
- }
+ checkfile = get_hmac_file(selfname);
+ if (!checkfile) {
+ ret = -ENOMEM;
+ goto out;
+ }
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
- if (ret)
- goto out;
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
+ if (ret)
+ goto out;
+ }
/* Integrity check of shared libkcapi.so file. */
- memset(selfname, 0, sizeof(selfname));
- snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u",
- KCAPI_MAJVERSION);
- dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
- if (dl == NULL) {
- fprintf(stderr, "dlopen of file %s failed\n", selfname);
- ret = -EFAULT;
- goto out;
- }
+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_LIB) {
+ memset(selfname, 0, sizeof(selfname));
+ snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u",
+ KCAPI_MAJVERSION);
+ dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
+ if (dl == NULL) {
+ fprintf(stderr, "dlopen of file %s failed\n", selfname);
+ ret = -EFAULT;
+ goto out;
+ }
- memset(selfname, 0, sizeof(selfname));
- sym = dlsym(dl, "kcapi_md_init");
- if (sym == NULL || !dladdr(sym, &info)) {
- fprintf(stderr, "finding symbol kcapi_md_init failed\n");
- ret = -EFAULT;
- goto out;
- }
+ memset(selfname, 0, sizeof(selfname));
+ sym = dlsym(dl, "kcapi_md_init");
+ if (sym == NULL || !dladdr(sym, &info)) {
+ fprintf(stderr, "finding symbol kcapi_md_init failed\n");
+ ret = -EFAULT;
+ goto out;
+ }
- strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
+ strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
- free(checkfile);
- checkfile = get_hmac_file(selfname);
- if (!checkfile) {
- ret = -ENOMEM;
- goto out;
- }
+ if (mode == SELFCHECK_PRINT_LIB) {
+ ret = hash_files(params_lib, names, 1, 0, 1);
+ goto out;
+ }
+
+ if (checkfile)
+ free(checkfile);
+ checkfile = get_hmac_file(selfname);
+ if (!checkfile) {
+ ret = -ENOMEM;
+ goto out;
+ }
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
+ }
out:
if (checkfile)
@@ -753,9 +769,9 @@ int main(int argc, char *argv[])
int hmac = 0;
int fipscheck = 0;
int fipshmac = 0;
- int print_self_hash = 0;
+ int selfcheck_mode = SELFCHECK_CHECK;
- static const char *opts_short = "c:uh:t:Sqk:K:vbd:P";
+ static const char *opts_short = "c:uh:t:SLqk:K:vbd:P";
static const struct option opts[] = {
{"help", 0, 0, 0},
{"tag", 0, 0, 0},
@@ -765,6 +781,7 @@ int main(int argc, char *argv[])
{"hash", 1, 0, 'h'},
{"truncate", 1, 0, 't'},
{"self-sum", 0, 0, 'S'},
+ {"self-sum-lib", 0, 0, 'L'},
{"status", 0, 0, 'q'},
{"key-file", 1, 0, 'k'},
{"key", 1, 0, 'K'},
@@ -932,7 +949,10 @@ int main(int argc, char *argv[])
params.hashlen /= 8;
break;
case 'S':
- print_self_hash = 1;
+ selfcheck_mode = SELFCHECK_PRINT_SELF;
+ break;
+ case 'L':
+ selfcheck_mode = SELFCHECK_PRINT_LIB;
break;
case 'q':
loglevel = CHK_STATUS;
@@ -998,28 +1018,28 @@ int main(int argc, char *argv[])
}
}
- if (print_self_hash) {
+ if (selfcheck_mode != SELFCHECK_CHECK) {
if (checkfile) {
- fprintf(stderr, "-S and -c cannot be combined\n");
+ fprintf(stderr, "-S/-L and -c cannot be combined\n");
ret = 1;
goto out;
}
if (optind != argc) {
- fprintf(stderr, "-S cannot be used with input files\n");
+ fprintf(stderr, "-S/-L cannot be used with input files\n");
ret = 1;
goto out;
}
}
/* library self-check must be consistent across apps: */
- if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) {
+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, selfcheck_mode)) {
fprintf(stderr, "Integrity check of application %s failed\n",
basen);
ret = 1;
goto out;
}
- if (print_self_hash) {
+ if (selfcheck_mode != SELFCHECK_CHECK) {
ret = 0;
goto out;
}
From 7b176840ff60bc596a7c80685ef0a81adbc00e4b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 19 Apr 2018 10:39:12 +0200
Subject: [PATCH 4/4] Makefile.am: Do not install kcapi-hasher binary
The kcapi-hasher binary is not usable on its own so it can be removed
after hard-linking the actual hasher tools.
---
Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.am b/Makefile.am
index 07e2451..383da75 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -150,6 +150,7 @@ CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009
install-exec-hook:
(cd $(DESTDIR)$(bindir) && \
($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);)))
+ -rm -f $(DESTDIR)$(bindir)/kcapi-hasher
if HAVE_OPENSSL
(cd $(DESTDIR)$(bindir) && \
($(foreach link, $(hasher_links_fc), \

23
libkcapi-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
View File

@ -1,23 +0,0 @@
From f8e032f150522c17094e36dcf62ec3ebc77e69d8 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 16 Apr 2018 15:39:03 +0200
Subject: [PATCH] kcapi-hasher: Fix buffer overrun in get_hmac_file
We need to allocate space also for the terminating null character...
---
apps/kcapi-hasher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 861db79..2b87a45 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -360,7 +360,7 @@ static char *get_hmac_file(const char *filename)
fprintf(stderr, "File too long\n");
return NULL;
}
- checkfile = malloc(filelen + prefixlen + 1 + suffixlen);
+ checkfile = malloc(filelen + prefixlen + 1 + suffixlen + 1);
if (!checkfile)
return NULL;

12
libkcapi.spec
View File

@ -1,7 +1,7 @@
# Shared object version of libkcapi.
%global vmajor 1
%global vminor 1
%global vpatch 0
%global vpatch 1
# Do we build the replacements packages?
%bcond_with replace_coreutils
@ -91,7 +91,7 @@ bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version} \\\
Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 5%{?dist}
Release: 1%{?dist}
Summary: User space interface to the Linux Kernel Crypto API
License: BSD or GPLv2
@ -99,11 +99,6 @@ URL: http://www.chronox.de/%{name}.html
Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
Patch3: %{giturl}/pull/57.patch#/%{name}-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
BuildRequires: clang
BuildRequires: coreutils
BuildRequires: cppcheck
@ -421,6 +416,9 @@ popd
%changelog
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1
- Update to upstream version 1.1.1
* Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5
- Skip CLang static analysis in RHEL
- Revert "Skip CLang static analysis in RHEL"

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (libkcapi-1.1.0.tar.xz) = 8d7a775a7ac3a16e006cc21a40e0dbc2c068879fb277ef7a96f706aa0a822ee6c29dba59e34a42cc2e3da926ee242fb47b6c1486d846d9028d662bc71e8f25fd
SHA512 (libkcapi-1.1.0.tar.xz.asc) = f2ecc4bc477231a5f2b91476f4d300be32d796cf5f49b0b89e3f5c5735690fe4b6baec3739aa8df99eaac6eac66a63b23ce25e9b16bec17f8748fcac19843968
SHA512 (libkcapi-1.1.1.tar.xz) = 245740660a78e8581dfc3d5272f6a27396ef6ec987b25ee86b517979bf3d8bba2dd9c8a35ab8ddb6e370d7f5a346f0940fcc59f815adb9c44530ff2d7dfe0b4e
SHA512 (libkcapi-1.1.1.tar.xz.asc) = 4aaa34b60ef13ae4fae4e29e5f8e0d71f3ba9d63141508787e52fb96974b0b477d3433109470fc3cca46b67434cca667135a3d4682f4b161b28cf2f37091b6a1