Compare commits
No commits in common. "imports/c8-beta/libkcapi-1.1.1-16_1.el8" and "c8" have entirely different histories.
imports/c8
...
c8
|
@ -1 +1 @@
|
||||||
SOURCES/libkcapi-1.1.1.tar.xz
|
SOURCES/libkcapi-1.4.0.tar.xz
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
688085e96a576a7de0c8f6b58a93dc7364e6318a SOURCES/libkcapi-1.1.1.tar.xz
|
526dca7d8eb8ddc29395f0716ba1233e27bf2ab5 SOURCES/libkcapi-1.4.0.tar.xz
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
|
Date: Mon, 15 Aug 2022 10:19:50 +0200
|
||||||
|
Subject: [PATCH] tests: fix overly-optimistic kernel version checks
|
||||||
|
|
||||||
|
The mainline kernel is now at version 6.0 so these >= 5.99 checks are
|
||||||
|
now incorrectly enabling tests that don't work. Instead of bumping the
|
||||||
|
imaginary version and face the same problem again in a couple years,
|
||||||
|
replace the checks with 'false' and a TODO comment.
|
||||||
|
|
||||||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
|
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
||||||
|
---
|
||||||
|
test/test.sh | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/test.sh b/test/test.sh
|
||||||
|
index 1d9be73..a75b802 100755
|
||||||
|
--- a/test/test.sh
|
||||||
|
+++ b/test/test.sh
|
||||||
|
@@ -1560,7 +1560,8 @@ else
|
||||||
|
echo_deact "AEAD tests of copied AAD deactivated"
|
||||||
|
fi
|
||||||
|
|
||||||
|
-if $(check_min_kernelver 5 99); then
|
||||||
|
+# TODO add version check when supported upstream
|
||||||
|
+if false; then
|
||||||
|
asymfunc 4
|
||||||
|
asymfunc 4 -s
|
||||||
|
asymfunc 4 -v
|
||||||
|
@@ -1583,7 +1584,8 @@ else
|
||||||
|
echo_deact "All asymmetric tests deactivated"
|
||||||
|
fi
|
||||||
|
|
||||||
|
-if $(check_min_kernelver 5 99); then
|
||||||
|
+# TODO add version check when supported upstream
|
||||||
|
+if false; then
|
||||||
|
kppfunc 13
|
||||||
|
kppfunc 13 X -m
|
||||||
|
kppfunc 13 -v
|
|
@ -0,0 +1,74 @@
|
||||||
|
From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||||
|
Date: Fri, 11 Aug 2023 12:20:22 +0200
|
||||||
|
Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode
|
||||||
|
|
||||||
|
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||||
|
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
||||||
|
---
|
||||||
|
test/kcapi-main.c | 45 ++++++++++++++++++++++-----------------------
|
||||||
|
1 file changed, 22 insertions(+), 23 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
||||||
|
index 67fb53f..23fc8ed 100644
|
||||||
|
--- a/test/kcapi-main.c
|
||||||
|
+++ b/test/kcapi-main.c
|
||||||
|
@@ -652,8 +652,6 @@ static int is_fips_mode(void)
|
||||||
|
static int auxiliary_tests(void)
|
||||||
|
{
|
||||||
|
struct kcapi_handle *handle = NULL;
|
||||||
|
- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)"
|
||||||
|
- : "ansi_cprng";
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
if (kcapi_aead_init(&handle, "ccm(aes)", 0)) {
|
||||||
|
@@ -711,27 +709,28 @@ static int auxiliary_tests(void)
|
||||||
|
if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0))
|
||||||
|
ret++;
|
||||||
|
|
||||||
|
- /* X9.31 RNG must require seed */
|
||||||
|
- printf("X9.31 missing seeding: ");
|
||||||
|
- if (!aux_test_rng(ansi_cprng_name, NULL, 0))
|
||||||
|
- ret++;
|
||||||
|
- /* X9.31 seed too short */
|
||||||
|
- printf("X9.31 insufficient seeding: ");
|
||||||
|
- if (!aux_test_rng(ansi_cprng_name,
|
||||||
|
- (uint8_t *)
|
||||||
|
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
|
||||||
|
- ret++;
|
||||||
|
- /* X9.31 seed right sized short */
|
||||||
|
- if (aux_test_rng(ansi_cprng_name,
|
||||||
|
- (uint8_t *)
|
||||||
|
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
|
||||||
|
- printf("Error for %s: kernel module ansi_cprng present?\n",
|
||||||
|
- ansi_cprng_name);
|
||||||
|
- ret++;
|
||||||
|
+ if (!is_fips_mode()) {
|
||||||
|
+ /* X9.31 RNG must require seed */
|
||||||
|
+ printf("X9.31 missing seeding: ");
|
||||||
|
+ if (!aux_test_rng("ansi_cprng", NULL, 0))
|
||||||
|
+ ret++;
|
||||||
|
+ /* X9.31 seed too short */
|
||||||
|
+ printf("X9.31 insufficient seeding: ");
|
||||||
|
+ if (!aux_test_rng("ansi_cprng",
|
||||||
|
+ (uint8_t *)
|
||||||
|
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
|
||||||
|
+ ret++;
|
||||||
|
+ /* X9.31 seed right sized short */
|
||||||
|
+ if (aux_test_rng("ansi_cprng",
|
||||||
|
+ (uint8_t *)
|
||||||
|
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||||
|
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
|
||||||
|
+ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n");
|
||||||
|
+ ret++;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret;
|
|
@ -0,0 +1,58 @@
|
||||||
|
From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||||
|
Date: Wed, 1 Nov 2023 10:54:03 +0100
|
||||||
|
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Requirement introduced by AS05.10:
|
||||||
|
"The temporary value(s) generated during the integrity test of the
|
||||||
|
module’s software or firmware shall [05.10] be zeroised from the module
|
||||||
|
upon completion of the integrity test;"
|
||||||
|
|
||||||
|
As some modules use fipscheck or sha*hmac for integrity tests, these
|
||||||
|
temporary values need to be zeroised from the hasher.
|
||||||
|
|
||||||
|
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||||
|
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
||||||
|
---
|
||||||
|
apps/kcapi-hasher.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||||
|
index 098b655..f5caf77 100644
|
||||||
|
--- a/apps/kcapi-hasher.c
|
||||||
|
+++ b/apps/kcapi-hasher.c
|
||||||
|
@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
||||||
|
if (hashlen > (uint32_t)ret) {
|
||||||
|
fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
|
||||||
|
(unsigned long)hashlen, ret);
|
||||||
|
+ kcapi_memset_secure(md, 0, sizeof(md));
|
||||||
|
return (int)ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
||||||
|
ret = 1;
|
||||||
|
else
|
||||||
|
ret = 0;
|
||||||
|
+ kcapi_memset_secure(compmd, 0, sizeof(compmd));
|
||||||
|
} else {
|
||||||
|
if (outfile == NULL) { /* only print hash (hmaccalc -S) */
|
||||||
|
bin2print(md, hashlen, NULL, stdout,
|
||||||
|
@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
||||||
|
fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
|
||||||
|
filename ? filename : "stdin", ret);
|
||||||
|
}
|
||||||
|
+ kcapi_memset_secure(md, 0, sizeof(md));
|
||||||
|
return (int)ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
|
||||||
|
if (file)
|
||||||
|
fclose(file);
|
||||||
|
kcapi_md_destroy(handle);
|
||||||
|
+ kcapi_memset_secure(buf, 0, sizeof(buf));
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If we found no lines to check, return an error.
|
|
@ -0,0 +1,185 @@
|
||||||
|
diff --color -ruNp a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||||
|
--- a/apps/kcapi-hasher.c 2023-11-28 17:08:09.124214489 +0100
|
||||||
|
+++ b/apps/kcapi-hasher.c 2023-11-28 17:11:12.975963482 +0100
|
||||||
|
@@ -140,15 +140,17 @@ static void usage(char *name, int fipsch
|
||||||
|
if (fipscheck)
|
||||||
|
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
|
||||||
|
else {
|
||||||
|
- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
|
||||||
|
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base);
|
||||||
|
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
|
||||||
|
}
|
||||||
|
fprintf(stderr, "\nOptions:\n");
|
||||||
|
fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
|
||||||
|
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
|
||||||
|
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
|
||||||
|
- if (!fipscheck)
|
||||||
|
+ if (!fipscheck) {
|
||||||
|
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
|
||||||
|
+ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n");
|
||||||
|
+ }
|
||||||
|
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
|
||||||
|
fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n");
|
||||||
|
fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n");
|
||||||
|
@@ -530,11 +532,12 @@ static int hash_files(const struct hash_
|
||||||
|
#define CHK_STATUS (2)
|
||||||
|
|
||||||
|
static int process_checkfile(const struct hash_params *params,
|
||||||
|
- const char *checkfile, const char *targetfile, int log)
|
||||||
|
+ const char *checkfile, const char *targetfile, int log, int fipscheck)
|
||||||
|
{
|
||||||
|
FILE *file = NULL;
|
||||||
|
int ret = 0;
|
||||||
|
int checked_any = 0;
|
||||||
|
+ int failed_any = 0;
|
||||||
|
struct kcapi_handle *handle;
|
||||||
|
const char *hashname = params->name.kcapiname;
|
||||||
|
|
||||||
|
@@ -570,7 +573,7 @@ static int process_checkfile(const struc
|
||||||
|
}
|
||||||
|
|
||||||
|
while (fgets(buf, sizeof(buf), file)) {
|
||||||
|
- char *filename = NULL; // parsed file name
|
||||||
|
+ const char *filename = NULL; // parsed file name
|
||||||
|
char *hexhash = NULL; // parsed hex value of hash
|
||||||
|
uint32_t hexhashlen = 0; // length of hash hex value
|
||||||
|
uint32_t linelen = (uint32_t)strlen(buf);
|
||||||
|
@@ -645,17 +648,7 @@ static int process_checkfile(const struc
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* fipscheck does not have the filename in the check file */
|
||||||
|
- if (targetfile) {
|
||||||
|
- ret = hasher(handle, params, targetfile,
|
||||||
|
- hexhash, hexhashlen, stdout);
|
||||||
|
- checked_any = 1;
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (filename) {
|
||||||
|
- int r;
|
||||||
|
-
|
||||||
|
if (!bsd_style) {
|
||||||
|
if (!isblank(filename[0]) ||
|
||||||
|
(!isblank(filename[1]) && filename[1] != '*')) {
|
||||||
|
@@ -665,20 +658,29 @@ static int process_checkfile(const struc
|
||||||
|
}
|
||||||
|
filename += 2;
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * if targetfile is specified, use it instead of the filename
|
||||||
|
+ * found inside the checkfile
|
||||||
|
+ */
|
||||||
|
+ if (targetfile)
|
||||||
|
+ filename = targetfile;
|
||||||
|
|
||||||
|
- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
|
||||||
|
+ if (filename) {
|
||||||
|
+ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
|
||||||
|
+ checked_any = 1;
|
||||||
|
+ if (fipscheck)
|
||||||
|
+ goto out;
|
||||||
|
|
||||||
|
- if (r == 0) {
|
||||||
|
+ if (ret == 0) {
|
||||||
|
if (log < CHK_QUIET)
|
||||||
|
printf("%s: OK\n", filename);
|
||||||
|
} else {
|
||||||
|
+ failed_any = 1;
|
||||||
|
if (log < CHK_STATUS)
|
||||||
|
- printf("%s: Not OK\n",
|
||||||
|
- filename);
|
||||||
|
- if (ret >= 0)
|
||||||
|
- ret++;
|
||||||
|
+ printf("%s: Not OK\n", filename);
|
||||||
|
}
|
||||||
|
- checked_any = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -692,7 +694,7 @@ out:
|
||||||
|
* If we found no lines to check, return an error.
|
||||||
|
* (See https://pagure.io/hmaccalc/c/1afb99549816192eb8e6bc8101bc417c2ffa764c)
|
||||||
|
*/
|
||||||
|
- return ret != 0 ? ret : !checked_any;
|
||||||
|
+ return ret != 0 ? ret : !(checked_any && !failed_any);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -770,7 +772,7 @@ static int fipscheck_self(const struct h
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
|
||||||
|
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1);
|
||||||
|
if (ret)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
@@ -810,7 +812,7 @@ static int fipscheck_self(const struct h
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
|
||||||
|
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
out:
|
||||||
|
@@ -866,12 +868,13 @@ int main(int argc, char *argv[])
|
||||||
|
{0, 0, 0, 0}
|
||||||
|
};
|
||||||
|
|
||||||
|
- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz";
|
||||||
|
+ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz";
|
||||||
|
static const struct option opts[] = {
|
||||||
|
{"help", 0, 0, 0},
|
||||||
|
{"tag", 0, 0, 0},
|
||||||
|
{"quiet", 0, 0, 0},
|
||||||
|
{"check", 1, 0, 'c'},
|
||||||
|
+ {"target", 1, 0, 'T'},
|
||||||
|
{"unkeyed", 0, 0, 'u'},
|
||||||
|
{"hash", 1, 0, 'h'},
|
||||||
|
{"truncate", 1, 0, 't'},
|
||||||
|
@@ -1124,6 +1127,9 @@ int main(int argc, char *argv[])
|
||||||
|
version(argv[0]);
|
||||||
|
ret = 0;
|
||||||
|
goto out;
|
||||||
|
+ case 'T':
|
||||||
|
+ targetfile = optarg;
|
||||||
|
+ break;
|
||||||
|
case 'd':
|
||||||
|
checkdir = optarg;
|
||||||
|
break;
|
||||||
|
@@ -1180,6 +1186,11 @@ int main(int argc, char *argv[])
|
||||||
|
ret = 1;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+ if (targetfile) {
|
||||||
|
+ fprintf(stderr, "-T is not valid for fipscheck\n");
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
targetfile = argv[optind];
|
||||||
|
if (checkfile)
|
||||||
|
@@ -1192,12 +1203,18 @@ int main(int argc, char *argv[])
|
||||||
|
optind++;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (targetfile && !checkfile) {
|
||||||
|
+ fprintf(stderr, "-T cannot be used without -c\n");
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (!checkfile)
|
||||||
|
ret = hash_files(¶ms, argv + optind,
|
||||||
|
(uint32_t)(argc - optind),
|
||||||
|
fipshmac, checkdir, 0);
|
||||||
|
else if (optind == argc)
|
||||||
|
- ret = process_checkfile(¶ms, checkfile, targetfile, loglevel);
|
||||||
|
+ ret = process_checkfile(¶ms, checkfile, targetfile, loglevel, fipscheck);
|
||||||
|
else {
|
||||||
|
fprintf(stderr, "-c cannot be used with input files\n");
|
||||||
|
ret = 1;
|
|
@ -0,0 +1,320 @@
|
||||||
|
From 8dc30412618019f5480f993c637e4cf0f5a11a39 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||||
|
Date: Tue, 28 Nov 2023 09:34:29 +0100
|
||||||
|
Subject: [PATCH] Fix kcapi tests in FIPS mode
|
||||||
|
|
||||||
|
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||||
|
---
|
||||||
|
test/hasher-test.sh | 23 +++++++++++---
|
||||||
|
test/kcapi-convenience.c | 2 +-
|
||||||
|
test/kcapi-dgst-test.sh | 16 +++++-----
|
||||||
|
test/kcapi-enc-test.sh | 16 +++++-----
|
||||||
|
test/test.sh | 67 ++++++++++++++++++++++++++++++----------
|
||||||
|
5 files changed, 86 insertions(+), 38 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
|
||||||
|
index c90fcc9..e97127e 100755
|
||||||
|
--- a/test/hasher-test.sh
|
||||||
|
+++ b/test/hasher-test.sh
|
||||||
|
@@ -26,6 +26,11 @@ HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
|
||||||
|
CHKFILE="${TMPDIR}/chk.$$"
|
||||||
|
ANOTHER="${TMPDIR}/test.$$"
|
||||||
|
|
||||||
|
+is_fips_enabled()
|
||||||
|
+{
|
||||||
|
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
if [ "$KCAPI_TEST_LOCAL" -eq 1 ]; then
|
||||||
|
find_platform kcapi-hasher
|
||||||
|
function run_hasher() {
|
||||||
|
@@ -365,7 +370,11 @@ fi
|
||||||
|
for suffix in $KAT_SUFFIXES
|
||||||
|
do
|
||||||
|
run_kat sha1$suffix "RFC 2202, section 3, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb617318655057264e28bc0b6fb378c8ef146be00
|
||||||
|
- run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ echo_deact "'RFC 2202, section 3, #2' test case deactivated in FIPS"
|
||||||
|
+ else
|
||||||
|
+ run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
|
||||||
|
+ fi
|
||||||
|
run_kat sha1$suffix "RFC 2202, section 3, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3
|
||||||
|
run_kat sha1$suffix "RFC 2202, section 3, #4" 0x0102030405060708090a0b0c0d0e0f10111213141516171819 0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da
|
||||||
|
run_kat sha1$suffix "RFC 2202, section 3, #5" 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c "Test With Truncation" 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
|
||||||
|
@@ -374,9 +383,15 @@ do
|
||||||
|
run_kat sha256$suffix "RFC 4231, section 4.2, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
|
||||||
|
run_kat sha384$suffix "RFC 4231, section 4.2, #2" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xafd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6
|
||||||
|
run_kat sha512$suffix "RFC 4231, section 4.2, #3" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0x87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854
|
||||||
|
- run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
|
||||||
|
- run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
|
||||||
|
- run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ echo_deact "'RFC 4231, section 4.3, #1' test case deactivated in FIPS"
|
||||||
|
+ echo_deact "'RFC 4231, section 4.3, #2' test case deactivated in FIPS"
|
||||||
|
+ echo_deact "'RFC 4231, section 4.3, #3' test case deactivated in FIPS"
|
||||||
|
+ else
|
||||||
|
+ run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
|
||||||
|
+ run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
|
||||||
|
+ run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
|
||||||
|
+ fi
|
||||||
|
run_kat sha256$suffix "RFC 4231, section 4.4, #1" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe
|
||||||
|
run_kat sha384$suffix "RFC 4231, section 4.4, #2" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27
|
||||||
|
run_kat sha512$suffix "RFC 4231, section 4.4, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0xfa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb
|
||||||
|
diff --git a/test/kcapi-convenience.c b/test/kcapi-convenience.c
|
||||||
|
index c5ff4b4..1cdaebe 100644
|
||||||
|
--- a/test/kcapi-convenience.c
|
||||||
|
+++ b/test/kcapi-convenience.c
|
||||||
|
@@ -63,7 +63,7 @@ static int hashtest(void)
|
||||||
|
|
||||||
|
static int hmactest(void)
|
||||||
|
{
|
||||||
|
- char *in = "teststring";
|
||||||
|
+ char *in = "longteststring";
|
||||||
|
uint8_t out[64];
|
||||||
|
ssize_t ret;
|
||||||
|
|
||||||
|
diff --git a/test/kcapi-dgst-test.sh b/test/kcapi-dgst-test.sh
|
||||||
|
index 0ad5ed3..67576b3 100755
|
||||||
|
--- a/test/kcapi-dgst-test.sh
|
||||||
|
+++ b/test/kcapi-dgst-test.sh
|
||||||
|
@@ -105,8 +105,8 @@ test_stdin_stdout()
|
||||||
|
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||||
|
diff_file $GENDGST $GENDGST.openssl "STDIN / STDOUT test (keyed MD $keysize bits)"
|
||||||
|
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
|
||||||
|
|
||||||
|
diff_file $GENDGST $GENDGST.2 "STDIN / STDOUT test (password)"
|
||||||
|
}
|
||||||
|
@@ -135,8 +135,8 @@ test_stdin_fileout()
|
||||||
|
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||||
|
diff_file $GENDGST $GENDGST.openssl "STDIN / FILEOUT test (keyed MD $keysize bits)"
|
||||||
|
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
|
||||||
|
|
||||||
|
diff_file $GENDGST $GENDGST.2 "STDIN / FILEOUT test (password)"
|
||||||
|
}
|
||||||
|
@@ -165,8 +165,8 @@ test_filein_stdout()
|
||||||
|
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||||
|
diff_file $GENDGST $GENDGST.openssl "FILEIN / STDOUT test (keyed MD $keysize bits)"
|
||||||
|
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
|
||||||
|
|
||||||
|
diff_file $GENDGST $GENDGST.2 "FILEIN / STDOUT test (password)"
|
||||||
|
}
|
||||||
|
@@ -197,8 +197,8 @@ test_filein_fileout()
|
||||||
|
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||||
|
diff_file $GENDGST $GENDGST.openssl "FILEIN / FILEOUT test (keyed MD $keysize bits)"
|
||||||
|
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
|
||||||
|
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
|
||||||
|
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
|
||||||
|
|
||||||
|
diff_file $GENDGST $GENDGST.2 "FILEIN / FILEOUT test (password)"
|
||||||
|
}
|
||||||
|
diff --git a/test/kcapi-enc-test.sh b/test/kcapi-enc-test.sh
|
||||||
|
index 3ace39c..63d2b23 100755
|
||||||
|
--- a/test/kcapi-enc-test.sh
|
||||||
|
+++ b/test/kcapi-enc-test.sh
|
||||||
|
@@ -163,8 +163,8 @@ test_stdin_stdout()
|
||||||
|
diff_file $GENCT $GENCT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
|
||||||
|
diff_file $GENPT $GENPT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
|
||||||
|
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
|
||||||
|
|
||||||
|
diff_file $ORIGPT $GENPT "STDIN / STDOUT enc test (password)"
|
||||||
|
}
|
||||||
|
@@ -195,8 +195,8 @@ test_stdin_fileout()
|
||||||
|
diff_file $GENCT $GENCT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
|
||||||
|
diff_file $GENPT $GENPT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
|
||||||
|
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
|
||||||
|
|
||||||
|
diff_file $ORIGPT $GENPT "STDIN / FILEOUT enc test (password)"
|
||||||
|
}
|
||||||
|
@@ -227,8 +227,8 @@ test_filein_stdout()
|
||||||
|
diff_file $GENCT $GENCT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
|
||||||
|
diff_file $GENPT $GENPT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
|
||||||
|
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
|
||||||
|
|
||||||
|
diff_file $ORIGPT $GENPT "FILEIN / STDOUT enc test (password)"
|
||||||
|
}
|
||||||
|
@@ -271,8 +271,8 @@ test_filein_fileout()
|
||||||
|
diff_file $GENCT $GENCT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
|
||||||
|
diff_file $GENPT $GENPT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
|
||||||
|
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
|
||||||
|
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
|
||||||
|
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
|
||||||
|
|
||||||
|
diff_file $ORIGPT $GENPT "FILEIN / FILEOUT enc test (password)"
|
||||||
|
}
|
||||||
|
diff --git a/test/test.sh b/test/test.sh
|
||||||
|
index b889335..e07589e 100755
|
||||||
|
--- a/test/test.sh
|
||||||
|
+++ b/test/test.sh
|
||||||
|
@@ -450,27 +450,27 @@ PBKDF_exp_7="133a4ce837b4d2521ee2bf03e11c71ca794e0797"
|
||||||
|
|
||||||
|
PBKDF_name_8="hmac(sha256)"
|
||||||
|
PBKDF_salt_8="73616c74"
|
||||||
|
-PBKDF_pw_8="70617373776f7264"
|
||||||
|
+PBKDF_pw_8="70617373776f726470617373776f7264"
|
||||||
|
PBKDF_count_8=4096
|
||||||
|
-PBKDF_exp_8="c5e478d59288c841aa530db6845c4c8d962893a0"
|
||||||
|
+PBKDF_exp_8="9cefdbeb6abaaf0e0b6fa3fb5bc9f2b8301d6aca"
|
||||||
|
|
||||||
|
PBKDF_name_9="hmac(sha224)"
|
||||||
|
PBKDF_salt_9="73616c74"
|
||||||
|
-PBKDF_pw_9="70617373776f7264"
|
||||||
|
+PBKDF_pw_9="70617373776f726470617373776f7264"
|
||||||
|
PBKDF_count_9=4096
|
||||||
|
-PBKDF_exp_9="218c453bf90635bd0a21a75d172703ff6108ef60"
|
||||||
|
+PBKDF_exp_9="624f7dd223ae0bd8d46a69b27f84e703e7dadd70"
|
||||||
|
|
||||||
|
PBKDF_name_10="hmac(sha384)"
|
||||||
|
PBKDF_salt_10="73616c74"
|
||||||
|
-PBKDF_pw_10="70617373776f7264"
|
||||||
|
+PBKDF_pw_10="70617373776f726470617373776f7264"
|
||||||
|
PBKDF_count_10=4096
|
||||||
|
-PBKDF_exp_10="559726be38db125bc85ed7895f6e3cf574c7a01c"
|
||||||
|
+PBKDF_exp_10="2c34a3242a138933c63fce6d827e4acf57ef528d"
|
||||||
|
|
||||||
|
PBKDF_name_11="hmac(sha512)"
|
||||||
|
PBKDF_salt_11="73616c74"
|
||||||
|
-PBKDF_pw_11="70617373776f7264"
|
||||||
|
+PBKDF_pw_11="70617373776f726470617373776f7264"
|
||||||
|
PBKDF_count_11=4096
|
||||||
|
-PBKDF_exp_11="d197b1b33db0143e018b12f3d1d1479e6cdebdcc"
|
||||||
|
+PBKDF_exp_11="299ae1f55743f2cb81be4a417b878ab32374660b"
|
||||||
|
|
||||||
|
PBKDF_name_12="cmac(aes)"
|
||||||
|
PBKDF_salt_12="73616c74"
|
||||||
|
@@ -480,9 +480,9 @@ PBKDF_exp_12="c4c112c6e1e3b8757640603dec78825ff87605a7"
|
||||||
|
|
||||||
|
PBKDF_name_13="hmac(sha512)"
|
||||||
|
PBKDF_salt_13="73616c74"
|
||||||
|
-PBKDF_pw_13="70617373776f7264"
|
||||||
|
+PBKDF_pw_13="70617373776f726470617373776f7264"
|
||||||
|
PBKDF_count_13=4096
|
||||||
|
-PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5d6883f0be4c24d363b638f4c2f8d917533cd4158937d0b490697a64adadb07f180c323080a7368033eeadf9e612b2e"
|
||||||
|
+PBKDF_exp_13="299ae1f55743f2cb81be4a417b878ab32374660b17f5b328662e56296582e8a285c307947b41e00fed812c978212394574f57756c481b3d64cc91659f75a468383bcad1e25f2b85c15f8ac7004484889081eb91001b0feab9b12dd51e001491c795bdf45ff880ffe493e7acdd91f1a"
|
||||||
|
|
||||||
|
###########################################################################
|
||||||
|
###########################################################################
|
||||||
|
@@ -491,9 +491,9 @@ PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b514
|
||||||
|
#RFC 5869 Appendix A vectors
|
||||||
|
HKDF_name_1="hmac(sha256)"
|
||||||
|
HKDF_ikm_1="0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"
|
||||||
|
-HKDF_salt_1="000102030405060708090a0b0c"
|
||||||
|
+HKDF_salt_1="000102030405060708090a0b0c0d"
|
||||||
|
HKDF_info_1="f0f1f2f3f4f5f6f7f8f9"
|
||||||
|
-HKDF_exp_1="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
|
||||||
|
+HKDF_exp_1="cb95d056d6ba6f084df0a03a3317bcca7f83773204b76f527f4f06736168a52bbcd88869a3a4e7972dcd"
|
||||||
|
|
||||||
|
HKDF_name_2="hmac(sha256)"
|
||||||
|
HKDF_ikm_2="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"
|
||||||
|
@@ -555,6 +555,11 @@ KPP_exp_2="78fbd4d1ed7ea6fc8f1e1a6f8a5c750845401589ad3c135088b4ec78f54c57b436d1a
|
||||||
|
###########################################################################
|
||||||
|
###########################################################################
|
||||||
|
|
||||||
|
+is_fips_enabled()
|
||||||
|
+{
|
||||||
|
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
# Test required for test with multiple IOVECs on i686
|
||||||
|
check_memory() {
|
||||||
|
if [ $(cat /proc/sys/net/core/optmem_max) -lt $1 ]
|
||||||
|
@@ -576,7 +581,14 @@ check_memory_soft() {
|
||||||
|
hashfunc()
|
||||||
|
{
|
||||||
|
stream=$1
|
||||||
|
- HASHEXEC="1 2 3 4 5 6 7 8 9"
|
||||||
|
+
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ echo_deact "Hash tests using 3DES are disabled in FIPS"
|
||||||
|
+ HASHEXEC="2 3 4 5 6 7 8 9"
|
||||||
|
+ else
|
||||||
|
+ HASHEXEC="1 2 3 4 5 6 7 8 9"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
for i in $HASHEXEC
|
||||||
|
do
|
||||||
|
eval HASH_name=\$HASH_name_$i
|
||||||
|
@@ -630,7 +642,12 @@ symfunc()
|
||||||
|
aligned=$3
|
||||||
|
aiofallback=$4
|
||||||
|
|
||||||
|
- SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ echo_deact "Symmetric tests using 3DES are disabled in FIPS"
|
||||||
|
+ SYMEXEC="1 2 3 8 9 10 11 12"
|
||||||
|
+ else
|
||||||
|
+ SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
|
||||||
|
+ fi
|
||||||
|
|
||||||
|
if [ x"$stream" = x"X" ]
|
||||||
|
then
|
||||||
|
@@ -666,7 +683,11 @@ symfunc()
|
||||||
|
|
||||||
|
# Disable XTS tests for multi-threading due to the issue
|
||||||
|
# discussed in https://github.com/smuellerDD/libkcapi/issues/92
|
||||||
|
- SYMEXEC="1 2 3 4 5 6 7"
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ SYMEXEC="1 2 3"
|
||||||
|
+ else
|
||||||
|
+ SYMEXEC="1 2 3 4 5 6 7"
|
||||||
|
+ fi
|
||||||
|
else
|
||||||
|
sout="one shot"
|
||||||
|
fi
|
||||||
|
@@ -1148,7 +1169,13 @@ pbkdftest()
|
||||||
|
{
|
||||||
|
aligned=$1
|
||||||
|
|
||||||
|
- PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ echo_deact "PBKDF tests using SHA1 are disabled in FIPS"
|
||||||
|
+ PBKDFEXEC="8 9 10 11 12 13"
|
||||||
|
+ else
|
||||||
|
+ PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
for i in $PBKDFEXEC
|
||||||
|
do
|
||||||
|
eval PBKDF_name=\$PBKDF_name_$i
|
||||||
|
@@ -1185,7 +1212,13 @@ hkdftest()
|
||||||
|
{
|
||||||
|
aligned=$1
|
||||||
|
|
||||||
|
- HKDFEXEC="1 2 3 4 5 6 7"
|
||||||
|
+ if is_fips_enabled; then
|
||||||
|
+ echo_deact "HKDF tests using SHA1 and zero length salts are disabled in FIPS"
|
||||||
|
+ HKDFEXEC="1 2"
|
||||||
|
+ else
|
||||||
|
+ HKDFEXEC="1 2 3 4 5 6 7"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
for i in $HKDFEXEC
|
||||||
|
do
|
||||||
|
eval HKDF_name=\$HKDF_name_$i
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Mocks fipshmac using the openssl tool.
|
||||||
|
# Only for use during RPM build.
|
||||||
|
|
||||||
|
[ "$1" = '-d' ] || exit 1
|
||||||
|
|
||||||
|
openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \
|
||||||
|
>"$2/$(basename "$3").hmac"
|
|
@ -1,272 +0,0 @@
|
||||||
From f24f3435be39cab2aa54a49d31968a023ab6d1d5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Thu, 26 Jul 2018 14:09:27 +0200
|
|
||||||
Subject: [PATCH 1/3] kcapi-kdf: Clear the whole out buffer on error
|
|
||||||
|
|
||||||
The KDF functions were decrementing the output length variable in the
|
|
||||||
loop, but on error they would clear the output buffer based on this
|
|
||||||
decremented value. This patch backs up the original length and uses it
|
|
||||||
when clearing the output buffer.
|
|
||||||
|
|
||||||
The kcapi_pbkdf() function also used an incremented output buffer
|
|
||||||
pointer. This one is now also backed-up and the original value is used
|
|
||||||
when clearing the output.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-kdf.c | 16 +++++++++++-----
|
|
||||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kdf.c b/lib/kcapi-kdf.c
|
|
||||||
index 78a7e0d..6eccbe1 100644
|
|
||||||
--- a/lib/kcapi-kdf.c
|
|
||||||
+++ b/lib/kcapi-kdf.c
|
|
||||||
@@ -99,6 +99,7 @@ int32_t kcapi_kdf_dpi(struct kcapi_handle *handle,
|
|
||||||
uint32_t h = kcapi_md_digestsize(handle);
|
|
||||||
int32_t err = 0;
|
|
||||||
uint8_t *dst_orig = dst;
|
|
||||||
+ uint32_t dlen_orig = dlen;
|
|
||||||
uint8_t Ai[h];
|
|
||||||
uint32_t i = 1;
|
|
||||||
|
|
||||||
@@ -161,7 +162,7 @@ int32_t kcapi_kdf_dpi(struct kcapi_handle *handle,
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
err:
|
|
||||||
- kcapi_memset_secure(dst_orig, 0, dlen);
|
|
||||||
+ kcapi_memset_secure(dst_orig, 0, dlen_orig);
|
|
||||||
kcapi_memset_secure(Ai, 0, h);
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
@@ -174,6 +175,7 @@ int32_t kcapi_kdf_fb(struct kcapi_handle *handle,
|
|
||||||
uint32_t h = kcapi_md_digestsize(handle);
|
|
||||||
int32_t err = 0;
|
|
||||||
uint8_t *dst_orig = dst;
|
|
||||||
+ uint32_t dlen_orig = dlen;
|
|
||||||
const uint8_t *label;
|
|
||||||
uint32_t labellen = 0;
|
|
||||||
uint32_t i = 1;
|
|
||||||
@@ -238,7 +240,7 @@ int32_t kcapi_kdf_fb(struct kcapi_handle *handle,
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
err:
|
|
||||||
- kcapi_memset_secure(dst_orig, 0, dlen);
|
|
||||||
+ kcapi_memset_secure(dst_orig, 0, dlen_orig);
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -250,6 +252,7 @@ int32_t kcapi_kdf_ctr(struct kcapi_handle *handle,
|
|
||||||
uint32_t h = kcapi_md_digestsize(handle);
|
|
||||||
int32_t err = 0;
|
|
||||||
uint8_t *dst_orig = dst;
|
|
||||||
+ uint32_t dlen_orig = dlen;
|
|
||||||
uint32_t i = 1;
|
|
||||||
|
|
||||||
if (dlen > INT_MAX)
|
|
||||||
@@ -295,7 +298,7 @@ int32_t kcapi_kdf_ctr(struct kcapi_handle *handle,
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
err:
|
|
||||||
- kcapi_memset_secure(dst_orig, 0, dlen);
|
|
||||||
+ kcapi_memset_secure(dst_orig, 0, dlen_orig);
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -316,6 +319,7 @@ int32_t kcapi_hkdf(const char *hashname,
|
|
||||||
uint8_t *prev = NULL;
|
|
||||||
int32_t err = 0;
|
|
||||||
uint8_t *dst_orig = dst;
|
|
||||||
+ uint32_t dlen_orig = dlen;
|
|
||||||
uint8_t ctr = 0x01;
|
|
||||||
struct kcapi_handle *handle = NULL;
|
|
||||||
|
|
||||||
@@ -415,7 +419,7 @@ int32_t kcapi_hkdf(const char *hashname,
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
err:
|
|
||||||
- kcapi_memset_secure(dst_orig, 0, dlen);
|
|
||||||
+ kcapi_memset_secure(dst_orig, 0, dlen_orig);
|
|
||||||
out:
|
|
||||||
kcapi_memset_secure(prk_tmp, 0, h);
|
|
||||||
kcapi_md_destroy(handle);
|
|
||||||
@@ -552,6 +556,8 @@ int32_t kcapi_pbkdf(const char *hashname,
|
|
||||||
uint8_t *key, uint32_t keylen)
|
|
||||||
{
|
|
||||||
struct kcapi_handle *handle;
|
|
||||||
+ uint8_t *key_orig = key;
|
|
||||||
+ uint32_t keylen_orig = keylen;
|
|
||||||
uint32_t h, i = 1;
|
|
||||||
#define MAX_DIGESTSIZE 64
|
|
||||||
uint8_t u[MAX_DIGESTSIZE] __attribute__ ((aligned (sizeof(uint64_t))));
|
|
||||||
@@ -633,7 +639,7 @@ int32_t kcapi_pbkdf(const char *hashname,
|
|
||||||
err:
|
|
||||||
kcapi_memset_secure(u, 0, h);
|
|
||||||
if (err)
|
|
||||||
- kcapi_memset_secure(key, 0, keylen);
|
|
||||||
+ kcapi_memset_secure(key_orig, 0, keylen_orig);
|
|
||||||
kcapi_md_destroy(handle);
|
|
||||||
|
|
||||||
return err;
|
|
||||||
|
|
||||||
From eacb82b193a94d46d2ea70c621176d79a5486008 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Thu, 26 Jul 2018 14:12:51 +0200
|
|
||||||
Subject: [PATCH 2/3] kcapi-kdf: Simplify handling of final blocks
|
|
||||||
|
|
||||||
This patch avoids the use of temporary buffers when handling the last
|
|
||||||
block in the KDF functions, taking advantage of the fact that
|
|
||||||
kcapi_md_final() can be used to retrieve also a truncated hash directly.
|
|
||||||
|
|
||||||
The new code no longer produces a false-positive warning with CLang
|
|
||||||
static analysis, so the workaround (which Coverity identifies as
|
|
||||||
unreachable code) can be removed.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-kdf.c | 43 +++++++++----------------------------------
|
|
||||||
1 file changed, 9 insertions(+), 34 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kdf.c b/lib/kcapi-kdf.c
|
|
||||||
index 6eccbe1..afa6eb3 100644
|
|
||||||
--- a/lib/kcapi-kdf.c
|
|
||||||
+++ b/lib/kcapi-kdf.c
|
|
||||||
@@ -140,13 +140,9 @@ int32_t kcapi_kdf_dpi(struct kcapi_handle *handle,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (dlen < h) {
|
|
||||||
- uint8_t tmpbuffer[h];
|
|
||||||
-
|
|
||||||
- err = kcapi_md_final(handle, tmpbuffer, h);
|
|
||||||
+ err = kcapi_md_final(handle, dst, dlen);
|
|
||||||
if (err < 0)
|
|
||||||
goto err;
|
|
||||||
- memcpy(dst, tmpbuffer, dlen);
|
|
||||||
- kcapi_memset_secure(tmpbuffer, 0, h);
|
|
||||||
dlen = 0;
|
|
||||||
} else {
|
|
||||||
err = kcapi_md_final(handle, dst, h);
|
|
||||||
@@ -219,14 +215,10 @@ int32_t kcapi_kdf_fb(struct kcapi_handle *handle,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (dlen < h) {
|
|
||||||
- uint8_t tmpbuffer[h];
|
|
||||||
-
|
|
||||||
- err = kcapi_md_final(handle, tmpbuffer, h);
|
|
||||||
+ err = kcapi_md_final(handle, dst, dlen);
|
|
||||||
if (err < 0)
|
|
||||||
goto err;
|
|
||||||
- memcpy(dst, tmpbuffer, dlen);
|
|
||||||
- kcapi_memset_secure(tmpbuffer, 0, h);
|
|
||||||
- return 0;
|
|
||||||
+ dlen = 0;
|
|
||||||
} else {
|
|
||||||
err = kcapi_md_final(handle, dst, h);
|
|
||||||
if (err < 0)
|
|
||||||
@@ -276,14 +268,10 @@ int32_t kcapi_kdf_ctr(struct kcapi_handle *handle,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (dlen < h) {
|
|
||||||
- uint8_t tmpbuffer[h];
|
|
||||||
-
|
|
||||||
- err = kcapi_md_final(handle, tmpbuffer, h);
|
|
||||||
+ err = kcapi_md_final(handle, dst, dlen);
|
|
||||||
if (err < 0)
|
|
||||||
goto err;
|
|
||||||
- memcpy(dst, tmpbuffer, dlen);
|
|
||||||
- kcapi_memset_secure(tmpbuffer, 0, h);
|
|
||||||
- return 0;
|
|
||||||
+ dlen = 0;
|
|
||||||
} else {
|
|
||||||
err = kcapi_md_final(handle, dst, h);
|
|
||||||
if (err < 0)
|
|
||||||
@@ -392,16 +380,10 @@ int32_t kcapi_hkdf(const char *hashname,
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
if (dlen < h) {
|
|
||||||
- err = kcapi_md_final(handle, prk_tmp, h);
|
|
||||||
+ err = kcapi_md_final(handle, dst, dlen);
|
|
||||||
if (err < 0)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- /* Shut up Clang */
|
|
||||||
- if (!dst) {
|
|
||||||
- err = -EFAULT;
|
|
||||||
- goto err;
|
|
||||||
- }
|
|
||||||
- memcpy(dst, prk_tmp, dlen);
|
|
||||||
dlen = 0;
|
|
||||||
} else {
|
|
||||||
err = kcapi_md_final(handle, dst, h);
|
|
||||||
@@ -561,8 +543,6 @@ int32_t kcapi_pbkdf(const char *hashname,
|
|
||||||
uint32_t h, i = 1;
|
|
||||||
#define MAX_DIGESTSIZE 64
|
|
||||||
uint8_t u[MAX_DIGESTSIZE] __attribute__ ((aligned (sizeof(uint64_t))));
|
|
||||||
- uint8_t T[MAX_DIGESTSIZE] __attribute__ ((aligned (sizeof(uint64_t)))) =
|
|
||||||
- { 0 };
|
|
||||||
int32_t err = 0;
|
|
||||||
|
|
||||||
if (keylen > INT_MAX)
|
|
||||||
@@ -617,17 +597,12 @@ int32_t kcapi_pbkdf(const char *hashname,
|
|
||||||
if (err < 0)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- if (keylen < h)
|
|
||||||
- kcapi_xor_64_aligned(T, u, h);
|
|
||||||
- else
|
|
||||||
- kcapi_xor_64(key, u, h);
|
|
||||||
+ kcapi_xor_64(key, u, keylen < h ? keylen : h);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (keylen < h) {
|
|
||||||
- memcpy(key, T, keylen);
|
|
||||||
- kcapi_memset_secure(T, 0, keylen);
|
|
||||||
+ if (keylen < h)
|
|
||||||
keylen = 0;
|
|
||||||
- } else {
|
|
||||||
+ else {
|
|
||||||
keylen -= h;
|
|
||||||
key += h;
|
|
||||||
i++;
|
|
||||||
|
|
||||||
From c9ed6b2c07026e9bafd99e6c288cfbd175fd237f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Thu, 26 Jul 2018 14:28:53 +0200
|
|
||||||
Subject: [PATCH 3/3] kcapi-kdf: Fix unused function warning on 32-bit
|
|
||||||
|
|
||||||
The kcapi_xor_64_aligned() is now unused when compiling in 32-bit mode,
|
|
||||||
so we need to define it only in the 64-bit case, otherwise the build
|
|
||||||
fails under CLang due to an usnused function warning.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-kdf.c | 6 ++----
|
|
||||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kdf.c b/lib/kcapi-kdf.c
|
|
||||||
index afa6eb3..a219d63 100644
|
|
||||||
--- a/lib/kcapi-kdf.c
|
|
||||||
+++ b/lib/kcapi-kdf.c
|
|
||||||
@@ -503,10 +503,10 @@ static inline void kcapi_xor_32(uint8_t *dst, const uint8_t *src, uint32_t size)
|
|
||||||
kcapi_xor_8(dst, src, size);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef __LP64__
|
|
||||||
static inline void kcapi_xor_64_aligned(uint8_t *dst, const uint8_t *src,
|
|
||||||
uint32_t size)
|
|
||||||
{
|
|
||||||
-#ifdef __LP64__
|
|
||||||
uint64_t *dst_dword = (uint64_t *)dst;
|
|
||||||
uint64_t *src_dword = (uint64_t *)src;
|
|
||||||
|
|
||||||
@@ -514,10 +514,8 @@ static inline void kcapi_xor_64_aligned(uint8_t *dst, const uint8_t *src,
|
|
||||||
*dst_dword++ ^= *src_dword++;
|
|
||||||
|
|
||||||
kcapi_xor_32_aligned((uint8_t *)dst_dword, (uint8_t *)src_dword, size);
|
|
||||||
-#else
|
|
||||||
- kcapi_xor_32_aligned(dst, src, size);
|
|
||||||
-#endif
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
static inline void kcapi_xor_64(uint8_t *dst, const uint8_t *src, uint32_t size)
|
|
||||||
{
|
|
|
@ -1,47 +0,0 @@
|
||||||
From 3e388ac4eba63b466bf6b14b2088ea44c8a2bfe4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Krzysztof Kozlowski <krzk@kernel.org>
|
|
||||||
Date: Thu, 12 Jul 2018 18:13:16 +0200
|
|
||||||
Subject: [PATCH] Fix possible buffer overflow with strncpy and
|
|
||||||
-Wstringop-truncation warning
|
|
||||||
|
|
||||||
If valid cipher name (to which netlink socket was bound) is longer than
|
|
||||||
CRYPTO_MAX_ALG_NAME defined in lib/cryptouser.h, then the strncpy() will
|
|
||||||
try to copy length of this cipher name into smaller buffer.
|
|
||||||
|
|
||||||
In libkcapi the CRYPTO_MAX_ALG_NAME (thus the size of the buffer) is
|
|
||||||
defined as 64 but since commit f437a3f477cc ("crypto: api - Extend
|
|
||||||
algorithm name limit to 128 bytes") in Linux kernel (v4.12), the kernel
|
|
||||||
defines it as 128.
|
|
||||||
|
|
||||||
It is error-prone to use source buffer length as limit of dst buffer.
|
|
||||||
Instead choose sizeof(dst buffer).
|
|
||||||
|
|
||||||
This also fixes the warning with GCC v8.1.0:
|
|
||||||
|
|
||||||
lib/kcapi-kernel-if.c: In function '__kcapi_common_getinfo.isra.2':
|
|
||||||
lib/kcapi-kernel-if.c:632:3: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
|
|
||||||
strncpy(req.cru.cru_name, ciphername, strlen(ciphername));
|
|
||||||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-kernel-if.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c
|
|
||||||
index 2481f8a..807cbfe 100644
|
|
||||||
--- a/lib/kcapi-kernel-if.c
|
|
||||||
+++ b/lib/kcapi-kernel-if.c
|
|
||||||
@@ -627,9 +627,9 @@ static int __kcapi_common_getinfo(struct kcapi_handle *handle,
|
|
||||||
|
|
||||||
if (drivername)
|
|
||||||
strncpy(req.cru.cru_driver_name, ciphername,
|
|
||||||
- strlen(ciphername));
|
|
||||||
+ sizeof(req.cru.cru_driver_name) - 1);
|
|
||||||
else
|
|
||||||
- strncpy(req.cru.cru_name, ciphername, strlen(ciphername));
|
|
||||||
+ strncpy(req.cru.cru_name, ciphername, sizeof(req.cru.cru_name) - 1);
|
|
||||||
|
|
||||||
/* talk to netlink socket */
|
|
||||||
sd = socket(AF_NETLINK, SOCK_RAW, NETLINK_CRYPTO);
|
|
|
@ -1,801 +0,0 @@
|
||||||
From 633569b273d63244fccf1a1e65acc8c8252c2f48 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 08:39:32 +0200
|
|
||||||
Subject: [PATCH 01/16] apps: Check return code of fstat()
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
apps/app-internal.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/apps/app-internal.c b/apps/app-internal.c
|
|
||||||
index 25cef80..e80c304 100644
|
|
||||||
--- a/apps/app-internal.c
|
|
||||||
+++ b/apps/app-internal.c
|
|
||||||
@@ -255,7 +255,12 @@ int read_complete(int fd, uint8_t *buf, uint32_t buflen)
|
|
||||||
|
|
||||||
int check_filetype(int fd, struct stat *sb, const char *filename)
|
|
||||||
{
|
|
||||||
- fstat(fd, sb);
|
|
||||||
+ int ret = fstat(fd, sb);
|
|
||||||
+ if (ret) {
|
|
||||||
+ dolog(KCAPI_LOG_ERR,
|
|
||||||
+ "fstat() failed: %s", strerror(errno));
|
|
||||||
+ return -errno;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Do not return an error in case we cannot validate the data. */
|
|
||||||
if ((sb->st_mode & S_IFMT) != S_IFREG &&
|
|
||||||
|
|
||||||
From bb1685801cf3f2c94c4591808a1a8499147b0249 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 08:45:48 +0200
|
|
||||||
Subject: [PATCH 02/16] kcapi-hasher: Fix strerror() call
|
|
||||||
|
|
||||||
strerror() expects a nonnegative error number. Here we can just pass
|
|
||||||
errno instead of decoding the error from the return value of read().
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
apps/kcapi-hasher.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|
||||||
index 2fc3ddc..5769502 100644
|
|
||||||
--- a/apps/kcapi-hasher.c
|
|
||||||
+++ b/apps/kcapi-hasher.c
|
|
||||||
@@ -227,7 +227,7 @@ static int load_file(const char *filename, uint8_t **memory, uint32_t *size)
|
|
||||||
while ((rdbytes = read(fd, buffer + offset, buffer_size - offset)) != 0) {
|
|
||||||
if (rdbytes < 0) {
|
|
||||||
fprintf(stderr, "Error reading file %s: %s\n", filename,
|
|
||||||
- strerror((int)rdbytes));
|
|
||||||
+ strerror(errno));
|
|
||||||
ret = -EIO;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
From fadc3f42bbd44bd78f78f58c935ae7126b6eb2ce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 08:50:36 +0200
|
|
||||||
Subject: [PATCH 03/16] kcapi-hasher: Fix fd leak in load_file()
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
apps/kcapi-hasher.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|
||||||
index 5769502..52fca78 100644
|
|
||||||
--- a/apps/kcapi-hasher.c
|
|
||||||
+++ b/apps/kcapi-hasher.c
|
|
||||||
@@ -258,6 +258,8 @@ static int load_file(const char *filename, uint8_t **memory, uint32_t *size)
|
|
||||||
|
|
||||||
*memory = buffer;
|
|
||||||
*size = (uint32_t)offset;
|
|
||||||
+
|
|
||||||
+ close(fd);
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
out:
|
|
||||||
|
|
||||||
From 5ee2bc94de5e70703ed6ad288b3c664a1cff4fcf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 08:53:13 +0200
|
|
||||||
Subject: [PATCH 04/16] kcapi-hasher: Fix buffer overrun in process_checkfile()
|
|
||||||
|
|
||||||
The 'buf[(bsd_style - 4)]' access on line 593 can overrun the buffer if
|
|
||||||
bsd_style is exactly 3, which can theoretically happen if the BSD-style
|
|
||||||
separator is found at the very beginning of the line. Fix this by
|
|
||||||
starting to search for the separator at index 1 (it can't really be at
|
|
||||||
index 0 anyway).
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
apps/kcapi-hasher.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|
||||||
index 52fca78..daab735 100644
|
|
||||||
--- a/apps/kcapi-hasher.c
|
|
||||||
+++ b/apps/kcapi-hasher.c
|
|
||||||
@@ -544,7 +544,7 @@ static int process_checkfile(const struct hash_params *params,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- for (i = 0; i < linelen; i++) {
|
|
||||||
+ for (i = 1; i < linelen; i++) {
|
|
||||||
/*
|
|
||||||
* Check for BSD-style separator between file name and
|
|
||||||
* hash value.
|
|
||||||
|
|
||||||
From 1520fca1f9b2231bcb5101eab32e8e859b33a66c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 09:05:45 +0200
|
|
||||||
Subject: [PATCH 05/16] docproc: Use correct sizeof() argument for clarity
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/doc/bin/docproc.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/doc/bin/docproc.c b/lib/doc/bin/docproc.c
|
|
||||||
index 4e52c1b..2313592 100644
|
|
||||||
--- a/lib/doc/bin/docproc.c
|
|
||||||
+++ b/lib/doc/bin/docproc.c
|
|
||||||
@@ -154,7 +154,8 @@ int symfilecnt = 0;
|
|
||||||
static void add_new_symbol(struct symfile *sym, char * symname)
|
|
||||||
{
|
|
||||||
sym->symbollist =
|
|
||||||
- realloc(sym->symbollist, (sym->symbolcnt + 1) * sizeof(char *));
|
|
||||||
+ realloc(sym->symbollist,
|
|
||||||
+ (sym->symbolcnt + 1) * sizeof(struct symbols));
|
|
||||||
sym->symbollist[sym->symbolcnt++].name = strdup(symname);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
From ed6c64434d42ba43efd839d4b0c693623442968f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 09:09:44 +0200
|
|
||||||
Subject: [PATCH 06/16] docproc: Fail early on malloc/realloc failures
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/doc/bin/docproc.c | 16 ++++++++++++++++
|
|
||||||
1 file changed, 16 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/doc/bin/docproc.c b/lib/doc/bin/docproc.c
|
|
||||||
index 2313592..9a0a931 100644
|
|
||||||
--- a/lib/doc/bin/docproc.c
|
|
||||||
+++ b/lib/doc/bin/docproc.c
|
|
||||||
@@ -156,6 +156,10 @@ static void add_new_symbol(struct symfile *sym, char * symname)
|
|
||||||
sym->symbollist =
|
|
||||||
realloc(sym->symbollist,
|
|
||||||
(sym->symbolcnt + 1) * sizeof(struct symbols));
|
|
||||||
+ if (!sym->symbollist) {
|
|
||||||
+ perror("realloc");
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
sym->symbollist[sym->symbolcnt++].name = strdup(symname);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -391,12 +395,20 @@ static void find_all_symbols(char *filename)
|
|
||||||
default:
|
|
||||||
close(pipefd[1]);
|
|
||||||
data = malloc(4096);
|
|
||||||
+ if (!data) {
|
|
||||||
+ perror("malloc");
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
do {
|
|
||||||
while ((ret = read(pipefd[0],
|
|
||||||
data + data_len,
|
|
||||||
4096)) > 0) {
|
|
||||||
data_len += ret;
|
|
||||||
data = realloc(data, data_len + 4096);
|
|
||||||
+ if (!data) {
|
|
||||||
+ perror("realloc");
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
} while (ret == -EAGAIN);
|
|
||||||
if (ret != 0) {
|
|
||||||
@@ -421,6 +433,10 @@ static void find_all_symbols(char *filename)
|
|
||||||
start = all_list_len;
|
|
||||||
all_list_len += count;
|
|
||||||
all_list = realloc(all_list, sizeof(char *) * all_list_len);
|
|
||||||
+ if (!all_list) {
|
|
||||||
+ perror("realloc");
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
str = data;
|
|
||||||
for (i = 0; i < (int)data_len && start != all_list_len; i++) {
|
|
||||||
if (data[i] == '\0') {
|
|
||||||
|
|
||||||
From 1beccc4fa0af3ce57e0ff21d42907e774c4eb8fe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 09:15:36 +0200
|
|
||||||
Subject: [PATCH 07/16] cryptoperf: Fix check of return value of open()
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
speed-test/cryptoperf-base.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/speed-test/cryptoperf-base.c b/speed-test/cryptoperf-base.c
|
|
||||||
index 55cd7ea..b564e19 100644
|
|
||||||
--- a/speed-test/cryptoperf-base.c
|
|
||||||
+++ b/speed-test/cryptoperf-base.c
|
|
||||||
@@ -179,7 +179,7 @@ int cp_read_random(unsigned char *buf, size_t buflen)
|
|
||||||
size_t len = 0;
|
|
||||||
|
|
||||||
fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
|
|
||||||
- if(0 >= fd)
|
|
||||||
+ if(0 > fd)
|
|
||||||
return fd;
|
|
||||||
do {
|
|
||||||
ret = read(fd, (buf + len), (buflen - len));
|
|
||||||
|
|
||||||
From d41a21125e72e9ad611451bb9753489a1f96af5e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 09:30:01 +0200
|
|
||||||
Subject: [PATCH 08/16] cryptoperf: Fix buffer overrun in cp_print_status()
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
speed-test/cryptoperf-base.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/speed-test/cryptoperf-base.c b/speed-test/cryptoperf-base.c
|
|
||||||
index b564e19..c56c2ce 100644
|
|
||||||
--- a/speed-test/cryptoperf-base.c
|
|
||||||
+++ b/speed-test/cryptoperf-base.c
|
|
||||||
@@ -159,7 +159,7 @@ char *cp_print_status(struct cp_test *test, int raw)
|
|
||||||
|
|
||||||
memset(byteseconds, 0, sizeof(byteseconds));
|
|
||||||
cp_bytes2string((processed_bytes / totaltime), byteseconds,
|
|
||||||
- (VALLEN + 1));
|
|
||||||
+ VALLEN);
|
|
||||||
snprintf(str, 120, "%-24s|%s|%8lu bytes|%*s/s|%lu ops/s",
|
|
||||||
test->testname,
|
|
||||||
test->enc ? "e" : "d",
|
|
||||||
|
|
||||||
From 5d17c564f7edae17b355f8cec7fa4c9685b10422 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 23 Jul 2018 10:05:50 +0200
|
|
||||||
Subject: [PATCH 09/16] test/cryptoperf: Check the return value of sysconf()
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
speed-test/cryptoperf-aead.c | 10 ++++++--
|
|
||||||
speed-test/cryptoperf-skcipher.c | 8 +++++-
|
|
||||||
test/kcapi-main.c | 53 +++++++++++++++++++---------------------
|
|
||||||
3 files changed, 40 insertions(+), 31 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/speed-test/cryptoperf-aead.c b/speed-test/cryptoperf-aead.c
|
|
||||||
index b2c0010..5a0446a 100644
|
|
||||||
--- a/speed-test/cryptoperf-aead.c
|
|
||||||
+++ b/speed-test/cryptoperf-aead.c
|
|
||||||
@@ -36,6 +36,12 @@ static int cp_aead_init_test(struct cp_test *test, int enc, int ccm)
|
|
||||||
unsigned char ivrand[MAX_KEYLEN];
|
|
||||||
unsigned char *ivdata = NULL;
|
|
||||||
uint32_t ivlen = 0;
|
|
||||||
+ long pagesize = sysconf(_SC_PAGESIZE);
|
|
||||||
+
|
|
||||||
+ if (pagesize < 0) {
|
|
||||||
+ printf(DRIVER_NAME": unable to determine the page size\n");
|
|
||||||
+ return -errno;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
dbg("Initializing AEAD test %s\n", test->testname);
|
|
||||||
if (!test->driver_name) {
|
|
||||||
@@ -97,14 +103,14 @@ static int cp_aead_init_test(struct cp_test *test, int enc, int ccm)
|
|
||||||
test->u.aead.assoclen, TAGLEN);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (posix_memalign((void *)&input, sysconf(_SC_PAGESIZE),
|
|
||||||
+ if (posix_memalign((void *)&input, pagesize,
|
|
||||||
test->u.aead.indatalen *
|
|
||||||
(params->aio ? params->aio : 1))) {
|
|
||||||
printf(DRIVER_NAME": could not allocate input buffer for "
|
|
||||||
"%s\n", test->driver_name);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
- if (posix_memalign((void *)&output, sysconf(_SC_PAGESIZE),
|
|
||||||
+ if (posix_memalign((void *)&output, pagesize,
|
|
||||||
test->u.aead.outdatalen *
|
|
||||||
(params->aio ? params->aio : 1))) {
|
|
||||||
printf(DRIVER_NAME": could not allocate output buffer for "
|
|
||||||
diff --git a/speed-test/cryptoperf-skcipher.c b/speed-test/cryptoperf-skcipher.c
|
|
||||||
index a2db369..fb7123b 100644
|
|
||||||
--- a/speed-test/cryptoperf-skcipher.c
|
|
||||||
+++ b/speed-test/cryptoperf-skcipher.c
|
|
||||||
@@ -34,6 +34,12 @@ static int cp_skcipher_init_test(struct cp_test *test)
|
|
||||||
unsigned char *ivdata = NULL;
|
|
||||||
unsigned int bs;
|
|
||||||
int err;
|
|
||||||
+ long pagesize = sysconf(_SC_PAGESIZE);
|
|
||||||
+
|
|
||||||
+ if (pagesize < 0) {
|
|
||||||
+ printf(DRIVER_NAME": unable to determine the page size\n");
|
|
||||||
+ return -errno;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
dbg("Initializing symmetric test %s\n", test->testname);
|
|
||||||
if (!test->driver_name) {
|
|
||||||
@@ -75,7 +81,7 @@ static int cp_skcipher_init_test(struct cp_test *test)
|
|
||||||
cp_read_random(ivdata, kcapi_cipher_blocksize(test->u.skcipher.handle));
|
|
||||||
test->u.skcipher.iv = ivdata;
|
|
||||||
|
|
||||||
- err = posix_memalign((void *)&scratchpad, sysconf(_SC_PAGESIZE),
|
|
||||||
+ err = posix_memalign((void *)&scratchpad, pagesize,
|
|
||||||
kcapi_cipher_blocksize(test->u.skcipher.handle) * params->len *
|
|
||||||
(params->aio ? params->aio : 1));
|
|
||||||
if (err) {
|
|
||||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
|
||||||
index c167b7f..b0ec2ca 100644
|
|
||||||
--- a/test/kcapi-main.c
|
|
||||||
+++ b/test/kcapi-main.c
|
|
||||||
@@ -86,6 +86,8 @@ struct kcapi_cavs {
|
|
||||||
uint32_t outlen;
|
|
||||||
};
|
|
||||||
|
|
||||||
+static long pagesize;
|
|
||||||
+
|
|
||||||
static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
|
||||||
static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
@@ -808,8 +810,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
outbuflen = cavs_test->ctlen;
|
|
||||||
}
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- outbuflen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, outbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, outbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -918,12 +919,10 @@ static int cavs_sym_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
outbuflen = cavs_test->ctlen;
|
|
||||||
}
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- outbuflen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, outbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, outbuflen);
|
|
||||||
- if (posix_memalign((void *)&outbuf2, sysconf(_SC_PAGESIZE),
|
|
||||||
- outbuflen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf2, pagesize, outbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf2, 0, outbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -1072,7 +1071,7 @@ static int cavs_sym_aio(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE), outbuflen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, outbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, outbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -1241,7 +1240,7 @@ static int cavs_aead(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
fullbuflen = (inbuflen > outbuflen) ? inbuflen : outbuflen;
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&inbuf, sysconf(_SC_PAGESIZE), fullbuflen))
|
|
||||||
+ if (posix_memalign((void *)&inbuf, pagesize, fullbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(inbuf, 0, fullbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -1425,8 +1424,7 @@ static int cavs_aead_aio(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
maxbuflen = (inbuflen > outbuflen) ? inbuflen : outbuflen;
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&inbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- loops * maxbuflen))
|
|
||||||
+ if (posix_memalign((void *)&inbuf, pagesize, loops * maxbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(inbuf, 0, loops * maxbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -1596,7 +1594,7 @@ static int cavs_aead_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
|
|
||||||
maxbuflen = (inbuflen > outbuflen) ? inbuflen : outbuflen;
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE), maxbuflen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, maxbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, maxbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -1830,9 +1828,9 @@ static int cavs_aead_large(int stream, uint32_t loops, int splice)
|
|
||||||
test.keylen = len / 2;
|
|
||||||
|
|
||||||
len = strlen(aad);
|
|
||||||
- if (posix_memalign((void *)&test.assoc, sysconf(_SC_PAGESIZE), (16 * sysconf(_SC_PAGESIZE))))
|
|
||||||
+ if (posix_memalign((void *)&test.assoc, pagesize, (16 * pagesize)))
|
|
||||||
goto out;
|
|
||||||
- hex2bin(aad, len, test.assoc, (sysconf(_SC_PAGESIZE) * 16));
|
|
||||||
+ hex2bin(aad, len, test.assoc, (pagesize * 16));
|
|
||||||
test.assoclen = len / 2;
|
|
||||||
|
|
||||||
test.taglen = 16;
|
|
||||||
@@ -2052,8 +2050,7 @@ static int cavs_asym(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- maxsize))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, maxsize))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, maxsize);
|
|
||||||
} else {
|
|
||||||
@@ -2164,11 +2161,10 @@ static int cavs_asym_aio(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- maxsize * loops))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, maxsize * loops))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, maxsize * loops);
|
|
||||||
- if (posix_memalign((void *)&inbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
+ if (posix_memalign((void *)&inbuf, pagesize,
|
|
||||||
cavs_test->ptlen * loops))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, cavs_test->ptlen * loops);
|
|
||||||
@@ -2294,10 +2290,10 @@ static int cavs_asym_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE), maxsize * NUMIOVECS))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, maxsize * NUMIOVECS))
|
|
||||||
goto out;
|
|
||||||
memset(outbuf, 0, maxsize);
|
|
||||||
- if (posix_memalign((void *)&inbuf, sysconf(_SC_PAGESIZE), inbuflen))
|
|
||||||
+ if (posix_memalign((void *)&inbuf, pagesize, inbuflen))
|
|
||||||
goto out;
|
|
||||||
memset(inbuf, 0, inbuflen);
|
|
||||||
} else {
|
|
||||||
@@ -2489,8 +2485,7 @@ static int cavs_kdf_common(struct kcapi_cavs *cavs_test, uint32_t loops)
|
|
||||||
uint32_t i = 0;
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- cavs_test->outlen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, cavs_test->outlen))
|
|
||||||
return -ENOMEM;
|
|
||||||
memset(outbuf, 0, cavs_test->outlen);
|
|
||||||
} else {
|
|
||||||
@@ -2571,8 +2566,7 @@ static int cavs_hkdf(struct kcapi_cavs *cavs_test, uint32_t loops)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- cavs_test->outlen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, cavs_test->outlen))
|
|
||||||
return -ENOMEM;
|
|
||||||
memset(outbuf, 0, cavs_test->outlen);
|
|
||||||
} else {
|
|
||||||
@@ -2671,8 +2665,7 @@ static int cavs_pbkdf(struct kcapi_cavs *cavs_test, uint32_t loops)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE),
|
|
||||||
- cavs_test->outlen))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, cavs_test->outlen))
|
|
||||||
return -ENOMEM;
|
|
||||||
memset(outbuf, 0, cavs_test->outlen);
|
|
||||||
} else {
|
|
||||||
@@ -2928,7 +2921,7 @@ static int kpp(struct kcapi_cavs *cavs_test, uint32_t loops, int splice)
|
|
||||||
|
|
||||||
outbuflen = ret;
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE), ret))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, ret))
|
|
||||||
return -ENOMEM;
|
|
||||||
memset(outbuf, 0, ret);
|
|
||||||
} else {
|
|
||||||
@@ -3001,7 +2994,7 @@ static int kpp_aio(struct kcapi_cavs *cavs_test, uint32_t loops, int splice)
|
|
||||||
|
|
||||||
outbuflen = ret;
|
|
||||||
if (cavs_test->aligned) {
|
|
||||||
- if (posix_memalign((void *)&outbuf, sysconf(_SC_PAGESIZE), ret))
|
|
||||||
+ if (posix_memalign((void *)&outbuf, pagesize, ret))
|
|
||||||
return -ENOMEM;
|
|
||||||
memset(outbuf, 0, ret);
|
|
||||||
} else {
|
|
||||||
@@ -3072,6 +3065,10 @@ int main(int argc, char *argv[])
|
|
||||||
int splice = KCAPI_ACCESS_SENDMSG;
|
|
||||||
struct kcapi_cavs cavs_test;
|
|
||||||
|
|
||||||
+ pagesize = sysconf(_SC_PAGESIZE);
|
|
||||||
+ if (pagesize < 0)
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
memset(&cavs_test, 0, sizeof(struct kcapi_cavs));
|
|
||||||
kcapi_set_verbosity(KCAPI_LOG_WARN);
|
|
||||||
|
|
||||||
|
|
||||||
From 4c904fbf621b0fb01d79c1b01d28c296f36e6d8a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 11:10:01 +0200
|
|
||||||
Subject: [PATCH 10/16] docproc: Fix memory leak
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/doc/bin/docproc.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/lib/doc/bin/docproc.c b/lib/doc/bin/docproc.c
|
|
||||||
index 9a0a931..ad8d3a0 100644
|
|
||||||
--- a/lib/doc/bin/docproc.c
|
|
||||||
+++ b/lib/doc/bin/docproc.c
|
|
||||||
@@ -445,6 +445,7 @@ static void find_all_symbols(char *filename)
|
|
||||||
start++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ free(data);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
|
|
||||||
From 6092ff27886b7d40ea056f6c02a9c3fd5803df0d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 11:10:35 +0200
|
|
||||||
Subject: [PATCH 11/16] kcapi-aead: Remove an unreachable statement
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-aead.c | 2 --
|
|
||||||
1 file changed, 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-aead.c b/lib/kcapi-aead.c
|
|
||||||
index 7f8348f..d32c1e4 100644
|
|
||||||
--- a/lib/kcapi-aead.c
|
|
||||||
+++ b/lib/kcapi-aead.c
|
|
||||||
@@ -249,8 +249,6 @@ int32_t kcapi_aead_encrypt_aio(struct kcapi_handle *handle, struct iovec *iniov,
|
|
||||||
|
|
||||||
return _kcapi_aead_encrypt_aio_fallback(handle, iniov, outiov, iovlen,
|
|
||||||
iv);
|
|
||||||
-
|
|
||||||
- return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
DSO_PUBLIC
|
|
||||||
|
|
||||||
From 41a64a4363da4cce0f8de654f7dceef5c3fd6285 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 12:23:18 +0200
|
|
||||||
Subject: [PATCH 12/16] kcapi-kdf: Fix buffer overruns in error paths
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-kdf.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kdf.c b/lib/kcapi-kdf.c
|
|
||||||
index bf150c1..78a7e0d 100644
|
|
||||||
--- a/lib/kcapi-kdf.c
|
|
||||||
+++ b/lib/kcapi-kdf.c
|
|
||||||
@@ -336,6 +336,7 @@ int32_t kcapi_hkdf(const char *hashname,
|
|
||||||
if (h > HKDF_MAXHASH) {
|
|
||||||
kcapi_dolog(KCAPI_LOG_ERR,
|
|
||||||
"Null salt size too small for hash\n");
|
|
||||||
+ h = HKDF_MAXHASH;
|
|
||||||
err = -EFAULT;
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -570,6 +571,7 @@ int32_t kcapi_pbkdf(const char *hashname,
|
|
||||||
kcapi_dolog(KCAPI_LOG_ERR,
|
|
||||||
"Programming error in file %s at line %u\n",
|
|
||||||
__FILE__, __LINE__);
|
|
||||||
+ h = MAX_DIGESTSIZE;
|
|
||||||
err = -EFAULT;
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
From 33c3b71ba5577c0b2bcdf8eb880642e0ab461079 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 12:26:55 +0200
|
|
||||||
Subject: [PATCH 13/16] kcapi-kernel-if: Simplify iovec validity check
|
|
||||||
|
|
||||||
Current check is awkward, just checking iov for NULL seems to make CLang
|
|
||||||
happy.
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
lib/kcapi-kernel-if.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c
|
|
||||||
index 807cbfe..595ce68 100644
|
|
||||||
--- a/lib/kcapi-kernel-if.c
|
|
||||||
+++ b/lib/kcapi-kernel-if.c
|
|
||||||
@@ -257,11 +257,11 @@ int32_t _kcapi_common_vmsplice_iov(struct kcapi_handle *handle,
|
|
||||||
uint32_t inlen = 0;
|
|
||||||
unsigned long i;
|
|
||||||
|
|
||||||
- for (i = 0; i < iovlen; i++) {
|
|
||||||
- if (!(iov + i))
|
|
||||||
- return -EINVAL;
|
|
||||||
+ if (iovlen && !iov)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < iovlen; i++)
|
|
||||||
inlen += iov[i].iov_len;
|
|
||||||
- }
|
|
||||||
|
|
||||||
/* kernel processes input data with max size of one page */
|
|
||||||
handle->processed_sg += ((inlen + sysconf(_SC_PAGESIZE) - 1) /
|
|
||||||
|
|
||||||
From c1f82d3b78031037f7098bd26b5da00eceecc00a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 12:37:15 +0200
|
|
||||||
Subject: [PATCH 14/16] test: Allocate name even if size is zero
|
|
||||||
|
|
||||||
We still need one byte for the terminating null character.
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
test/kcapi-main.c | 10 ++++------
|
|
||||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
|
||||||
index b0ec2ca..d20e74c 100644
|
|
||||||
--- a/test/kcapi-main.c
|
|
||||||
+++ b/test/kcapi-main.c
|
|
||||||
@@ -275,13 +275,11 @@ static int fuzz_init_test(unsigned int size)
|
|
||||||
|
|
||||||
kcapi_set_verbosity(KCAPI_LOG_NONE);
|
|
||||||
|
|
||||||
- if (size) {
|
|
||||||
- name = calloc(1, size + 1);
|
|
||||||
+ name = calloc(1, size + 1);
|
|
||||||
|
|
||||||
- if (!name) {
|
|
||||||
- printf("Allocation of %u bytes failed", size);
|
|
||||||
- return 1;
|
|
||||||
- }
|
|
||||||
+ if (!name) {
|
|
||||||
+ printf("Allocation of %u bytes failed", size);
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (get_random(name, size, 0)) {
|
|
||||||
|
|
||||||
From 698fcb68572b5d315b27294bd3e9ee2c058920f6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 12:41:37 +0200
|
|
||||||
Subject: [PATCH 15/16] test: Fix resource leak and error handling
|
|
||||||
|
|
||||||
The fuzz_cipher() and fuzz_aead() functions did not always return error
|
|
||||||
when it should and it did not always release the cipher handle on
|
|
||||||
return. This patch fixes both issues.
|
|
||||||
|
|
||||||
Found by Coverity.
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
test/kcapi-main.c | 16 ++++++++--------
|
|
||||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
|
||||||
index d20e74c..b3f6ae9 100644
|
|
||||||
--- a/test/kcapi-main.c
|
|
||||||
+++ b/test/kcapi-main.c
|
|
||||||
@@ -352,11 +352,11 @@ static int fuzz_cipher(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
uint8_t indata[4096];
|
|
||||||
uint8_t outdata[4096];
|
|
||||||
unsigned int i;
|
|
||||||
- int ret = 0;
|
|
||||||
+ int ret = 1;
|
|
||||||
|
|
||||||
if (kcapi_cipher_init(&handle, cavs_test->cipher, 0)) {
|
|
||||||
printf("Allocation of %s cipher failed\n", cavs_test->cipher);
|
|
||||||
- return -EFAULT;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Set key */
|
|
||||||
@@ -366,7 +366,7 @@ static int fuzz_cipher(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
for (i = 0; i < sizeof(key); i++) {
|
|
||||||
if (get_random(key, i, 0)) {
|
|
||||||
printf("get_random call failed\n");
|
|
||||||
- return 1;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
kcapi_cipher_setkey(handle, key, i);
|
|
||||||
}
|
|
||||||
@@ -388,7 +388,7 @@ static int fuzz_cipher(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
|
|
||||||
if (get_random(indata, i, 0)) {
|
|
||||||
printf("get_random call failed\n");
|
|
||||||
- return 1;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (flags & FUZZ_LESSOUT)
|
|
||||||
@@ -429,11 +429,11 @@ static int fuzz_aead(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
uint8_t indata[4096];
|
|
||||||
uint8_t outdata[4096];
|
|
||||||
unsigned int i;
|
|
||||||
- int ret = 0;
|
|
||||||
+ int ret = 1;
|
|
||||||
|
|
||||||
if (kcapi_aead_init(&handle, cavs_test->cipher, 0)) {
|
|
||||||
printf("Allocation of %s cipher failed\n", cavs_test->cipher);
|
|
||||||
- return -EFAULT;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Set key */
|
|
||||||
@@ -443,7 +443,7 @@ static int fuzz_aead(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
for (i = 0; i < sizeof(key); i++) {
|
|
||||||
if (get_random(key, i, 0)) {
|
|
||||||
printf("get_random call failed\n");
|
|
||||||
- return 1;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
kcapi_aead_setkey(handle, key, i);
|
|
||||||
}
|
|
||||||
@@ -479,7 +479,7 @@ static int fuzz_aead(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
|
|
||||||
if (get_random(indata, i, 0)) {
|
|
||||||
printf("get_random call failed\n");
|
|
||||||
- return 1;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (flags & FUZZ_LESSOUT)
|
|
||||||
|
|
||||||
From ec9c36216623b94684c9e5ca8be26455b490bdef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 25 Jul 2018 16:52:13 +0200
|
|
||||||
Subject: [PATCH 16/16] test: Clean up after NULL string fix
|
|
||||||
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
test/kcapi-main.c | 10 ++++------
|
|
||||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
|
||||||
index b3f6ae9..3cba467 100644
|
|
||||||
--- a/test/kcapi-main.c
|
|
||||||
+++ b/test/kcapi-main.c
|
|
||||||
@@ -271,14 +271,12 @@ static int fuzz_init_test(unsigned int size)
|
|
||||||
{
|
|
||||||
struct kcapi_handle *handle;
|
|
||||||
int ret = 0;
|
|
||||||
- uint8_t *name = NULL;
|
|
||||||
+ uint8_t *name = calloc(1, size + 1);
|
|
||||||
|
|
||||||
kcapi_set_verbosity(KCAPI_LOG_NONE);
|
|
||||||
|
|
||||||
- name = calloc(1, size + 1);
|
|
||||||
-
|
|
||||||
if (!name) {
|
|
||||||
- printf("Allocation of %u bytes failed", size);
|
|
||||||
+ printf("Allocation of %u bytes failed", size + 1);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -317,10 +315,10 @@ static int fuzz_init_test(unsigned int size)
|
|
||||||
|
|
||||||
fail:
|
|
||||||
fprintf(stdout, "allocation success of nonsense string ");
|
|
||||||
- if (name)
|
|
||||||
+ if (size)
|
|
||||||
bin2print(name, size);
|
|
||||||
else
|
|
||||||
- fprintf(stdout, "NULL\n");
|
|
||||||
+ fprintf(stdout, "EMPTY\n");
|
|
||||||
free(name);
|
|
||||||
return 1;
|
|
||||||
}
|
|
|
@ -1,186 +0,0 @@
|
||||||
From 2a0642407dd227d24e646c170d8afd47ab917899 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 16 Jul 2018 15:17:29 +0200
|
|
||||||
Subject: [PATCH] kcapi-hasher: Add missing -d option to fipshmac
|
|
||||||
|
|
||||||
---
|
|
||||||
apps/kcapi-hasher.c | 61 ++++++++++++++++++++++++++++-------------------------
|
|
||||||
1 file changed, 32 insertions(+), 29 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|
||||||
index 6782dbc..2fc3ddc 100644
|
|
||||||
--- a/apps/kcapi-hasher.c
|
|
||||||
+++ b/apps/kcapi-hasher.c
|
|
||||||
@@ -71,7 +71,7 @@ struct hash_name {
|
|
||||||
};
|
|
||||||
|
|
||||||
struct hash_key {
|
|
||||||
- const char *subdir;
|
|
||||||
+ const char *checkdir;
|
|
||||||
const uint8_t *data;
|
|
||||||
uint32_t len;
|
|
||||||
};
|
|
||||||
@@ -108,12 +108,20 @@ static const char hmaccalc_hmackey[] = "FIPS-FTW-RHT2009";
|
|
||||||
static const struct hash_key KEY_FIPSCHECK = {
|
|
||||||
.data = (const uint8_t *)fipscheck_hmackey,
|
|
||||||
.len = sizeof(fipscheck_hmackey) - 1,
|
|
||||||
- .subdir = "fipscheck",
|
|
||||||
+#ifdef CHECK_DIR
|
|
||||||
+ .checkdir = CHECK_DIR"/fipscheck",
|
|
||||||
+#else
|
|
||||||
+ .checkdir = NULL,
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
static const struct hash_key KEY_HMACCALC = {
|
|
||||||
.data = (const uint8_t *)hmaccalc_hmackey,
|
|
||||||
.len = sizeof(hmaccalc_hmackey) - 1,
|
|
||||||
- .subdir = "hmaccalc",
|
|
||||||
+#ifdef CHECK_DIR
|
|
||||||
+ .checkdir = CHECK_DIR"/hmaccalc",
|
|
||||||
+#else
|
|
||||||
+ .checkdir = NULL,
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
static void usage(char *name, int fipscheck)
|
|
||||||
@@ -142,7 +150,8 @@ static void usage(char *name, int fipscheck)
|
|
||||||
fprintf(stderr, "\t-k --key-file FILE\tUse HMAC key from given file\n");
|
|
||||||
fprintf(stderr, "\t-K --key KEY\t\tUse KEY as the HMAC key\n");
|
|
||||||
fprintf(stderr, "\t --tag\t\tCreate a BSD-style checksum\n");
|
|
||||||
- fprintf(stderr, "\t-b, -d, -P\t\tCompatibility hmaccalc options; ignored\n");
|
|
||||||
+ fprintf(stderr, "\t-d\t\t\tCheck directory for fipshmac; otherwise ignored\n");
|
|
||||||
+ fprintf(stderr, "\t-b, -P\t\t\tCompatibility hmaccalc options; ignored\n");
|
|
||||||
fprintf(stderr, "\t --help\t\tPrint this help text\n");
|
|
||||||
fprintf(stderr, "\t-v --version\t\tShow version\n");
|
|
||||||
}
|
|
||||||
@@ -368,7 +377,7 @@ static char *paste(char *dst, const char *src, size_t size)
|
|
||||||
* return: NULL when malloc failed, a pointer that the caller must free
|
|
||||||
* otherwise.
|
|
||||||
*/
|
|
||||||
-static char *get_hmac_file(const char *filename, const char *subdir)
|
|
||||||
+static char *get_hmac_file(const char *filename, const char *checkdir)
|
|
||||||
{
|
|
||||||
size_t i, filelen, pathlen, namelen, basenamestart = 0;
|
|
||||||
size_t prefixlen = strlen(CHECK_PREFIX);
|
|
||||||
@@ -386,12 +395,7 @@ static char *get_hmac_file(const char *filename, const char *subdir)
|
|
||||||
}
|
|
||||||
|
|
||||||
namelen = filelen - basenamestart;
|
|
||||||
-#ifdef CHECK_DIR
|
|
||||||
- pathlen = strlen(CHECK_DIR"/") + strlen(subdir) + 1;
|
|
||||||
-#else
|
|
||||||
- (void)subdir; // avoid parameter unused warning
|
|
||||||
- pathlen = basenamestart;
|
|
||||||
-#endif
|
|
||||||
+ pathlen = checkdir ? strlen(checkdir) + 1 : basenamestart;
|
|
||||||
|
|
||||||
checkfile = malloc(pathlen + namelen + prefixlen + 1 /* "." */ +
|
|
||||||
suffixlen + 1 /* null character */);
|
|
||||||
@@ -399,14 +403,12 @@ static char *get_hmac_file(const char *filename, const char *subdir)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
cursor = checkfile;
|
|
||||||
-#ifdef CHECK_DIR
|
|
||||||
- cursor = paste(cursor, CHECK_DIR"/", strlen(CHECK_DIR"/"));
|
|
||||||
- cursor = paste(cursor, subdir, strlen(subdir));
|
|
||||||
- cursor = paste(cursor, "/", 1);
|
|
||||||
-#else
|
|
||||||
- if (pathlen > 0)
|
|
||||||
+ if (checkdir) {
|
|
||||||
+ cursor = paste(cursor, checkdir, strlen(checkdir));
|
|
||||||
+ cursor = paste(cursor, "/", 1);
|
|
||||||
+ } else if (pathlen > 0)
|
|
||||||
cursor = paste(cursor, filename, pathlen);
|
|
||||||
-#endif
|
|
||||||
+
|
|
||||||
cursor = paste(cursor, CHECK_PREFIX, prefixlen);
|
|
||||||
cursor = paste(cursor, filename + basenamestart, namelen);
|
|
||||||
cursor = paste(cursor, "."CHECK_SUFFIX, 1 + suffixlen);
|
|
||||||
@@ -417,7 +419,7 @@ static char *get_hmac_file(const char *filename, const char *subdir)
|
|
||||||
|
|
||||||
static int hash_files(const struct hash_params *params,
|
|
||||||
char *filenames[], uint32_t files,
|
|
||||||
- int fipshmac, int just_print)
|
|
||||||
+ int fipshmac, const char *checkdir, int just_print)
|
|
||||||
{
|
|
||||||
struct kcapi_handle *handle;
|
|
||||||
const char *hashname = params->name.kcapiname;
|
|
||||||
@@ -446,9 +448,7 @@ static int hash_files(const struct hash_params *params,
|
|
||||||
const char *filename = filenames[i];
|
|
||||||
|
|
||||||
if (fipshmac) {
|
|
||||||
- char *outfile = get_hmac_file(filenames[i],
|
|
||||||
- params->key.subdir);
|
|
||||||
-
|
|
||||||
+ char *outfile = get_hmac_file(filenames[i], checkdir);
|
|
||||||
if (!outfile) {
|
|
||||||
fprintf(stderr,
|
|
||||||
"Cannot create HMAC file name\n");
|
|
||||||
@@ -712,11 +712,11 @@ static int fipscheck_self(const struct hash_params *params_bin,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (mode == SELFCHECK_PRINT_SELF) {
|
|
||||||
- ret = hash_files(params_bin, names, 1, 0, 1);
|
|
||||||
+ ret = hash_files(params_bin, names, 1, 0, NULL, 1);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- checkfile = get_hmac_file(selfname, params_bin->key.subdir);
|
|
||||||
+ checkfile = get_hmac_file(selfname, params_bin->key.checkdir);
|
|
||||||
if (!checkfile) {
|
|
||||||
ret = -ENOMEM;
|
|
||||||
goto out;
|
|
||||||
@@ -750,13 +750,13 @@ static int fipscheck_self(const struct hash_params *params_bin,
|
|
||||||
strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
|
|
||||||
|
|
||||||
if (mode == SELFCHECK_PRINT_LIB) {
|
|
||||||
- ret = hash_files(params_lib, names, 1, 0, 1);
|
|
||||||
+ ret = hash_files(params_lib, names, 1, 0, NULL, 1);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (checkfile)
|
|
||||||
free(checkfile);
|
|
||||||
- checkfile = get_hmac_file(selfname, params_lib->key.subdir);
|
|
||||||
+ checkfile = get_hmac_file(selfname, params_lib->key.checkdir);
|
|
||||||
if (!checkfile) {
|
|
||||||
ret = -ENOMEM;
|
|
||||||
goto out;
|
|
||||||
@@ -799,6 +799,7 @@ int main(int argc, char *argv[])
|
|
||||||
|
|
||||||
char *checkfile = NULL;
|
|
||||||
const char *targetfile = NULL;
|
|
||||||
+ const char *checkdir = NULL;
|
|
||||||
uint8_t *hmackey_alloc = NULL;
|
|
||||||
uint8_t *hmackey_mmap = NULL;
|
|
||||||
int opt_index = 0;
|
|
||||||
@@ -1055,8 +1056,10 @@ int main(int argc, char *argv[])
|
|
||||||
version(argv[0]);
|
|
||||||
ret = 0;
|
|
||||||
goto out;
|
|
||||||
- case 'b':
|
|
||||||
case 'd':
|
|
||||||
+ checkdir = optarg;
|
|
||||||
+ break;
|
|
||||||
+ case 'b':
|
|
||||||
case 'P':
|
|
||||||
/* Compatibility options, just ignore */
|
|
||||||
break;
|
|
||||||
@@ -1110,7 +1113,7 @@ int main(int argc, char *argv[])
|
|
||||||
targetfile = argv[optind];
|
|
||||||
if (checkfile)
|
|
||||||
free(checkfile);
|
|
||||||
- checkfile = get_hmac_file(targetfile, params.key.subdir);
|
|
||||||
+ checkfile = get_hmac_file(targetfile, params.key.checkdir);
|
|
||||||
if (!checkfile) {
|
|
||||||
ret = 1;
|
|
||||||
goto out;
|
|
||||||
@@ -1120,7 +1123,7 @@ int main(int argc, char *argv[])
|
|
||||||
|
|
||||||
if (!checkfile)
|
|
||||||
ret = hash_files(¶ms, argv + optind, (argc - optind),
|
|
||||||
- fipshmac, 0);
|
|
||||||
+ fipshmac, checkdir, 0);
|
|
||||||
else if (optind == argc)
|
|
||||||
ret = process_checkfile(¶ms, checkfile, targetfile, loglevel);
|
|
||||||
else {
|
|
|
@ -1,34 +0,0 @@
|
||||||
From 912ab6d55ef5af594d22d01a39cf7e035c797335 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 11 Jul 2018 09:42:26 +0200
|
|
||||||
Subject: [PATCH] kcapi-hasher: Fix command-line parsing
|
|
||||||
|
|
||||||
I made a mistake in commit 3be3e18d4a2e ("kcapi-hasher: Allow picking
|
|
||||||
basename via cmdline"), which apparently broke command-line parsing when
|
|
||||||
the '-n' options is not used. This patch fixes the issue by resetting
|
|
||||||
the right variable and also silences error messages when checking for
|
|
||||||
the '-n' option.
|
|
||||||
|
|
||||||
Fedora BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1599831
|
|
||||||
---
|
|
||||||
apps/kcapi-hasher.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|
||||||
index ae88211..90707a6 100644
|
|
||||||
--- a/apps/kcapi-hasher.c
|
|
||||||
+++ b/apps/kcapi-hasher.c
|
|
||||||
@@ -841,10 +841,12 @@ int main(int argc, char *argv[])
|
|
||||||
}
|
|
||||||
basen = basename(basec);
|
|
||||||
|
|
||||||
+ opterr = 0;
|
|
||||||
if (getopt_long(argc, argv, opts_name_short, opts_name, &opt_index) == 'n')
|
|
||||||
basen = optarg;
|
|
||||||
else
|
|
||||||
- opt_index = 0;
|
|
||||||
+ optind = 1;
|
|
||||||
+ opterr = 1;
|
|
||||||
|
|
||||||
params_self = &PARAMS_SELF_FIPSCHECK;
|
|
||||||
if (0 == strncmp(basen, "sha256sum", 9)) {
|
|
|
@ -1,29 +0,0 @@
|
||||||
From 94c8277dd8fbd2193cb3804c304e965c9238951d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Wed, 11 Jul 2018 14:41:14 +0200
|
|
||||||
Subject: [PATCH] kcapi-hasher: Fix off-by-one error
|
|
||||||
|
|
||||||
There was an off-by-one error in process_checkfile() that caused the
|
|
||||||
hasher to misparse checkfiles that contain only the hash (for
|
|
||||||
self-check).
|
|
||||||
---
|
|
||||||
apps/kcapi-hasher.c | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
|
||||||
index ae88211..00f0373 100644
|
|
||||||
--- a/apps/kcapi-hasher.c
|
|
||||||
+++ b/apps/kcapi-hasher.c
|
|
||||||
@@ -514,8 +514,11 @@ static int process_checkfile(const struct hash_params *params,
|
|
||||||
uint32_t i;
|
|
||||||
uint32_t bsd_style = 0; // >0 if --tag formatted style
|
|
||||||
|
|
||||||
+ if (linelen == 0)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
/* remove trailing CR and reduce buffer length */
|
|
||||||
- for (i = linelen; i > 0; i--) {
|
|
||||||
+ for (i = linelen - 1; i > 0; i--) {
|
|
||||||
if (!isprint(buf[i])) {
|
|
||||||
buf[i] = '\0';
|
|
||||||
linelen--;
|
|
|
@ -1,33 +0,0 @@
|
||||||
From b2e9360dab74de1ffcb8527610e88b0da87c701e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Mon, 30 Jul 2018 17:17:59 +0200
|
|
||||||
Subject: [PATCH] lib: Fix _kcapi_handle_destroy() closing FD 0
|
|
||||||
|
|
||||||
The kcapi_handle structure is initialized with zeroes at allocation.
|
|
||||||
However, since it contains several file descriptor variables, it may
|
|
||||||
happen that _kcapi_handle_destroy() is executed while some of these are
|
|
||||||
set to 0, causing an unwanted call to close(0).
|
|
||||||
|
|
||||||
This patch prevents it by initializing all FD variables to -1 right
|
|
||||||
after handle allocation.
|
|
||||||
---
|
|
||||||
lib/kcapi-kernel-if.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c
|
|
||||||
index 595ce68..dfa94b4 100644
|
|
||||||
--- a/lib/kcapi-kernel-if.c
|
|
||||||
+++ b/lib/kcapi-kernel-if.c
|
|
||||||
@@ -1146,6 +1146,12 @@ int _kcapi_handle_init(struct kcapi_handle **caller, const char *type,
|
|
||||||
|
|
||||||
handle->tfm = tfm;
|
|
||||||
|
|
||||||
+ /* Initialize all fd vars to -1 to avoid unwanted close(0) */
|
|
||||||
+ handle->pipes[0] = -1;
|
|
||||||
+ handle->pipes[1] = -1;
|
|
||||||
+ handle->opfd = -1;
|
|
||||||
+ handle->aio.efd = -1;
|
|
||||||
+
|
|
||||||
ret = _kcapi_handle_init_tfm(handle, type, ciphername);
|
|
||||||
if (ret)
|
|
||||||
goto err;
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,34 +0,0 @@
|
||||||
From a10e5ff7f8f69e1ed5cd4151f3e71f4783c40c68 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Krzysztof Kozlowski <krzk@kernel.org>
|
|
||||||
Date: Thu, 12 Jul 2018 18:13:32 +0200
|
|
||||||
Subject: [PATCH] test: Be sure to terminate strncpy() copied string
|
|
||||||
(-Wstringop-truncation)
|
|
||||||
|
|
||||||
strncpy() might not NULL-terminate the buffer. This fixes GCC v8.1.0 warning:
|
|
||||||
|
|
||||||
test/kcapi-main.c: In function 'main':
|
|
||||||
test/kcapi-main.c:3123:5: error: 'strncpy' specified bound 63 equals destination size [-Werror=stringop-truncation]
|
|
||||||
strncpy(cavs_test.cipher, optarg,
|
|
||||||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
CIPHERMAXNAME);
|
|
||||||
~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
|
|
||||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
|
||||||
---
|
|
||||||
test/kcapi-main.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
|
||||||
index 8352499..c167b7f 100644
|
|
||||||
--- a/test/kcapi-main.c
|
|
||||||
+++ b/test/kcapi-main.c
|
|
||||||
@@ -3121,7 +3121,7 @@ int main(int argc, char *argv[])
|
|
||||||
break;
|
|
||||||
case 'c':
|
|
||||||
strncpy(cavs_test.cipher, optarg,
|
|
||||||
- CIPHERMAXNAME);
|
|
||||||
+ CIPHERMAXNAME - 1);
|
|
||||||
break;
|
|
||||||
case 'p':
|
|
||||||
len = strlen(optarg);
|
|
|
@ -1,42 +0,0 @@
|
||||||
From def2282fd28390f4a8afd0f43be6c3b3b1586f41 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Date: Fri, 27 Jul 2018 10:53:00 +0200
|
|
||||||
Subject: [PATCH] test: Fix AEAD fuzz test for big-endian archs
|
|
||||||
|
|
||||||
The stupid authenc() key format contains fields that need to be in the
|
|
||||||
machine's endianity. Right now, they are hard-coded in the LE format.
|
|
||||||
This patch makes them always be in the right format.
|
|
||||||
---
|
|
||||||
test/kcapi-main.c | 19 +++++++++++--------
|
|
||||||
1 file changed, 11 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
|
||||||
index e24956c..d62c91a 100644
|
|
||||||
--- a/test/kcapi-main.c
|
|
||||||
+++ b/test/kcapi-main.c
|
|
||||||
@@ -451,14 +451,17 @@ static int fuzz_aead(struct kcapi_cavs *cavs_test, unsigned long flags,
|
|
||||||
|
|
||||||
if (kcapi_aead_setkey(handle, key, 16)) {
|
|
||||||
if (!strncmp(cavs_test->cipher, "authenc", 7)) {
|
|
||||||
- uint8_t *k = (uint8_t *)
|
|
||||||
- "\x08\x00\x01\x00\x00\x00\x00\x10"
|
|
||||||
- "\x00\x00\x00\x00\x00\x00\x00\x00"
|
|
||||||
- "\x00\x00\x00\x00\x00\x00\x00\x00"
|
|
||||||
- "\x00\x00\x00\x00\x06\xa9\x21\x40"
|
|
||||||
- "\x36\xb8\xa1\x5b\x51\x2e\x03\xd5"
|
|
||||||
- "\x34\x12\x00\x06";
|
|
||||||
- if (kcapi_aead_setkey(handle, k, 44)) {
|
|
||||||
+ uint8_t k[44];
|
|
||||||
+ memcpy(k, "\x00\x00\x00\x00\x00\x00\x00\x10"
|
|
||||||
+ "\x00\x00\x00\x00\x00\x00\x00\x00"
|
|
||||||
+ "\x00\x00\x00\x00\x00\x00\x00\x00"
|
|
||||||
+ "\x00\x00\x00\x00\x06\xa9\x21\x40"
|
|
||||||
+ "\x36\xb8\xa1\x5b\x51\x2e\x03\xd5"
|
|
||||||
+ "\x34\x12\x00\x06", sizeof(k));
|
|
||||||
+ /* These need to be in machine's endianity: */
|
|
||||||
+ *(uint16_t *)(k + 0) = 8;
|
|
||||||
+ *(uint16_t *)(k + 2) = 1;
|
|
||||||
+ if (kcapi_aead_setkey(handle, k, sizeof(k))) {
|
|
||||||
printf("AEAD setkey failed\n");
|
|
||||||
goto out;
|
|
||||||
}
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAlsmv5gACgkQQh7pNjJq
|
|
||||||
wVv+2AgAg5Clqx2IB4/pN21IZxwU9+aIxiHxm+EZIbR+odc7eSymmQlQre0HLI4n
|
|
||||||
XDkfw9Zhes/Ih6dIRkAWVWm8fCQL7xrlgpkBW2Y3bxXxC99gQB4DSVn/Mdjasq2I
|
|
||||||
5pfiTe9CPNbevUwHgIe0GkGLfZJLlHL29Hjzl5TLfodVHayjDpY9v1jIRkWm2vLo
|
|
||||||
rgRmxMCt3L2csOM2ZYyeLBoHzXv3f1W6t68BzPeQQ8Pgmf+kSjW6iUXCTixBIKGz
|
|
||||||
enus3L0vJLigVtY2WZ583JZHkhvw9/KO7Z0d3fH8JuEnhMX1Vc+vnFxTWGsf8KSe
|
|
||||||
TDuu0nF3SpKTtNPaDVPgbhSZs4JZTg==
|
|
||||||
=dhAX
|
|
||||||
-----END PGP SIGNATURE-----
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmISvaAACgkQQh7pNjJq
|
||||||
|
wVv6jggAh7UpchOXZ1THbDZ0PE+YGWSr3Y3qKHMls9ixNn/RDSYxPvyZqc6pIAKQ
|
||||||
|
zVA6bGtB9kqcSexmrk2EyiUYgi1lo+5HwsfAfHBQaq7vD1S8Q/FYx/XVRv2GQfkj
|
||||||
|
/E1ivlcdcInlpn+vu+7Hei+H/IXtETh8QPwGwRI1Je84pIt7K4K4VPwWpur0su6E
|
||||||
|
oF1AFT6ldlMczsoDTCi3eP3rZWKvMmX5718W9F6eKuTkKoIiipCUxdMBy4f6YpDB
|
||||||
|
1ZmQPHjSgG4URlclQnFiGXYAbMBRHYfguJRl/HjZWSQMigRzqGSdvJR8wrfMeQzr
|
||||||
|
Bk0z0nGayzHgcC7gPz8CsAMJj5C9eQ==
|
||||||
|
=OA3o
|
||||||
|
-----END PGP SIGNATURE-----
|
|
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Mocks sha512hmac using the openssl tool.
|
||||||
|
# Only for use during RPM build.
|
||||||
|
|
||||||
|
openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' '
|
|
@ -1,11 +1,16 @@
|
||||||
# Shared object version of libkcapi.
|
# Shared object version of libkcapi.
|
||||||
%global vmajor 1
|
%global vmajor 1
|
||||||
%global vminor 1
|
%global vminor 4
|
||||||
%global vpatch 1
|
%global vpatch 0
|
||||||
|
|
||||||
# Do we build the replacements packages?
|
# Do we build the replacements packages?
|
||||||
%bcond_with replace_coreutils
|
%bcond_with replace_coreutils
|
||||||
|
# Replace fipscheck by default in Fedora 33+:
|
||||||
|
%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
|
||||||
|
%bcond_without replace_fipscheck
|
||||||
|
%else
|
||||||
%bcond_with replace_fipscheck
|
%bcond_with replace_fipscheck
|
||||||
|
%endif
|
||||||
# Replace hmaccalc by default in Fedora 28+:
|
# Replace hmaccalc by default in Fedora 28+:
|
||||||
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
|
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
|
||||||
%bcond_without replace_hmaccalc
|
%bcond_without replace_hmaccalc
|
||||||
|
@ -17,13 +22,22 @@
|
||||||
%else
|
%else
|
||||||
%bcond_with test_package
|
%bcond_with test_package
|
||||||
%endif
|
%endif
|
||||||
|
# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518
|
||||||
%if 0%{?fedora}
|
%if 0%{?rhel}
|
||||||
%global use_clang 1
|
%bcond_with cppcheck
|
||||||
%else
|
%else
|
||||||
%global use_clang 0
|
%bcond_without cppcheck
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Use `--without test` to build without running the tests
|
||||||
|
%bcond_without test
|
||||||
|
# Use `--without fuzz_test` to skip the fuzz test during build
|
||||||
|
%bcond_without fuzz_test
|
||||||
|
# Use `--without doc` to build without the -doc subpackage
|
||||||
|
%bcond_without doc
|
||||||
|
# Use `--without clang_sa` to skip clang static analysis during build
|
||||||
|
%bcond_without clang_sa
|
||||||
|
|
||||||
# This package needs at least Linux Kernel v4.10.0.
|
# This package needs at least Linux Kernel v4.10.0.
|
||||||
%global min_kernel_ver 4.10.0
|
%global min_kernel_ver 4.10.0
|
||||||
|
|
||||||
|
@ -62,8 +76,7 @@
|
||||||
|
|
||||||
# Do we replace fipscheck?
|
# Do we replace fipscheck?
|
||||||
%if %{with replace_fipscheck}
|
%if %{with replace_fipscheck}
|
||||||
# TODO: Adapt this when replacing fipscheck initially.
|
%global fipscheck_evr 1.5.0-9
|
||||||
%global fipscheck_evr 1.5.0-3%{?dist}
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Do we replace hmaccalc?
|
# Do we replace hmaccalc?
|
||||||
|
@ -71,8 +84,17 @@
|
||||||
%global hmaccalc_evr 0.9.14-10%{?dist}
|
%global hmaccalc_evr 0.9.14-10%{?dist}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
|
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
|
||||||
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac
|
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac
|
||||||
|
|
||||||
|
# On old kernels use mock hashers implemented via openssl
|
||||||
|
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
|
||||||
|
%global sha512hmac bin/kcapi-hasher -n sha512hmac
|
||||||
|
%global fipshmac bin/kcapi-hasher -n fipshmac
|
||||||
|
%else
|
||||||
|
%global sha512hmac bash %{SOURCE2}
|
||||||
|
%global fipshmac bash %{SOURCE3}
|
||||||
|
%endif
|
||||||
|
|
||||||
# Add generation of HMAC checksums of the final stripped
|
# Add generation of HMAC checksums of the final stripped
|
||||||
# binaries. %%define with lazy globbing is used here
|
# binaries. %%define with lazy globbing is used here
|
||||||
|
@ -85,16 +107,15 @@ bin_path=%{buildroot}%{_bindir} \
|
||||||
lib_path=%{buildroot}/%{_lib} \
|
lib_path=%{buildroot}/%{_lib} \
|
||||||
for app in %{apps_hmaccalc}; do \
|
for app in %{apps_hmaccalc}; do \
|
||||||
test -e "$bin_path"/$app || continue \
|
test -e "$bin_path"/$app || continue \
|
||||||
{ bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\
|
{ %sha512hmac "$bin_path"/$app || exit 1; } \\\
|
||||||
| cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \
|
| cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \
|
||||||
done \
|
done \
|
||||||
for app in %{apps_fipscheck}; do \
|
for app in %{apps_fipscheck}; do \
|
||||||
test -e "$bin_path"/$app || continue \
|
test -e "$bin_path"/$app || continue \
|
||||||
bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\
|
%fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \
|
||||||
"$bin_path"/$app || exit 1 \
|
|
||||||
done \
|
done \
|
||||||
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
|
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
|
||||||
bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\
|
%fipshmac -d "$lib_path"/fipscheck \\\
|
||||||
"$lib_path"/libkcapi.so.%{version} || exit 1 \
|
"$lib_path"/libkcapi.so.%{version} || exit 1 \
|
||||||
%{__ln_s} libkcapi.so.%{version}.hmac \\\
|
%{__ln_s} libkcapi.so.%{version}.hmac \\\
|
||||||
"$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \
|
"$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \
|
||||||
|
@ -103,42 +124,43 @@ bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\
|
||||||
|
|
||||||
Name: libkcapi
|
Name: libkcapi
|
||||||
Version: %{vmajor}.%{vminor}.%{vpatch}
|
Version: %{vmajor}.%{vminor}.%{vpatch}
|
||||||
Release: 16_1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: User space interface to the Linux Kernel Crypto API
|
Summary: User space interface to the Linux Kernel Crypto API
|
||||||
|
|
||||||
License: BSD or GPLv2
|
License: BSD-3-Clause OR GPL-2.0-only
|
||||||
URL: http://www.chronox.de/%{name}.html
|
URL: https://www.chronox.de/%{name}.html
|
||||||
Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
|
Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
|
||||||
Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
|
Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
|
||||||
|
Source2: sha512hmac-openssl.sh
|
||||||
|
Source3: fipshmac-openssl.sh
|
||||||
|
|
||||||
Patch0: %{giturl}/pull/60.patch#/%{name}-1.1.1-kcapi-hasher_Fix_command-line_parsing.patch
|
Patch1: 001-tests-kernel-version.patch
|
||||||
Patch1: %{giturl}/pull/61.patch#/%{name}-1.1.1-kcapi-hasher_Fix_off-by-one_error.patch
|
Patch2: 002-fips-disable-ansi_cprng.patch
|
||||||
Patch2: %{giturl}/pull/64.patch#/%{name}-1.1.1-kcapi-hasher_Add_missing_-d_option_to_fipshmac.patch
|
Patch3: 003-zeroize-hasher.patch
|
||||||
Patch3: %{giturl}/commit/3e388ac4eba63b466bf6b14b2088ea44c8a2bfe4.patch#/%{name}-1.1.1-Fix_possible_buffer_overflow_with_strncpy.patch
|
Patch4: 004-hasher-target-option.patch
|
||||||
Patch4: %{giturl}/commit/a10e5ff7f8f69e1ed5cd4151f3e71f4783c40c68.patch#/%{name}-1.1.1-test_Be_sure_to_terminate_strncpy_copied_string.patch
|
Patch5: 005-fips-mode-tests.patch
|
||||||
Patch5: %{giturl}/compare/decf850ab9bb...ec9c36216623.patch#/%{name}-1.1.1-Fix_various_issues_reported_by_Coverity.patch
|
|
||||||
Patch6: %{giturl}/compare/4a1a30f75e70...c9ed6b2c0702.patch#/%{name}-1.1.1-Coverity_PR_follow-up.patch
|
|
||||||
Patch7: %{giturl}/pull/68.patch#/%{name}-1.1.1-test_Fix_AEAD_fuzz_test_for_big-endian_archs.patch
|
|
||||||
Patch8: %{giturl}/pull/70.patch#/%{name}-1.1.1-lib_Fix_kcapi_handle_destroy_closing_FD_0.patch
|
|
||||||
Patch9: %{giturl}/pull/71.patch#/%{name}-1.1.1-test_Allow_running_tests_outside_of_build_environment.patch
|
|
||||||
|
|
||||||
Patch9001: 9001-split-up-huge-string.patch
|
BuildRequires: bash
|
||||||
|
|
||||||
%if %{use_clang}
|
|
||||||
BuildRequires: clang
|
|
||||||
%endif
|
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
BuildRequires: cppcheck
|
|
||||||
BuildRequires: docbook-utils-pdf
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: git
|
BuildRequires: git-core
|
||||||
BuildRequires: hardlink
|
BuildRequires: hardlink
|
||||||
BuildRequires: kernel-headers >= %{min_kernel_ver}
|
BuildRequires: kernel-headers >= %{min_kernel_ver}
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
|
BuildRequires: make
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: perl
|
BuildRequires: perl-interpreter
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
BuildRequires: xmlto
|
BuildRequires: xmlto
|
||||||
|
%if %{with doc}
|
||||||
|
BuildRequires: docbook-utils-pdf
|
||||||
|
%endif
|
||||||
|
%if %{with clang_sa}
|
||||||
|
BuildRequires: clang
|
||||||
|
%endif
|
||||||
|
%if %{with cppcheck}
|
||||||
|
BuildRequires: cppcheck >= 2.4
|
||||||
|
%endif
|
||||||
|
|
||||||
# For ownership of %%{_sysctldir}.
|
# For ownership of %%{_sysctldir}.
|
||||||
Requires: systemd
|
Requires: systemd
|
||||||
|
@ -168,12 +190,14 @@ Requires: %{name}%{?_isa} == %{version}-%{release}
|
||||||
Header files for applications that use %{name}.
|
Header files for applications that use %{name}.
|
||||||
|
|
||||||
|
|
||||||
|
%if %{with doc}
|
||||||
%package doc
|
%package doc
|
||||||
Summary: User documentation for the %{name} package
|
Summary: User documentation for the %{name} package
|
||||||
BuildArch: noarch
|
Requires: %{name}%{?_isa} == %{version}-%{release}
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
User documentation for %{name}.
|
User documentation for %{name}.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%if %{with replace_coreutils}
|
%if %{with replace_coreutils}
|
||||||
|
@ -257,7 +281,7 @@ Requires: %{name}-checksum%{?_isa} == %{version}-%{release}
|
||||||
%endif
|
%endif
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
Requires: openssl
|
Requires: openssl
|
||||||
Requires: perl
|
Requires: perl-interpreter
|
||||||
|
|
||||||
%description tests
|
%description tests
|
||||||
Auxiliary scripts for testing %{name}.
|
Auxiliary scripts for testing %{name}.
|
||||||
|
@ -316,9 +340,14 @@ EOF
|
||||||
--enable-kcapi-test \
|
--enable-kcapi-test \
|
||||||
--enable-shared \
|
--enable-shared \
|
||||||
--enable-static \
|
--enable-static \
|
||||||
|
--enable-sum-prefix= \
|
||||||
--enable-sum-dir=/%{_lib} \
|
--enable-sum-dir=/%{_lib} \
|
||||||
--with-pkgconfigdir=%{_libdir}/pkgconfig
|
--with-pkgconfigdir=%{_libdir}/pkgconfig
|
||||||
|
%if %{with doc}
|
||||||
%make_build all doc
|
%make_build all doc
|
||||||
|
%else
|
||||||
|
%make_build all man
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
@ -335,14 +364,21 @@ EOF
|
||||||
%if %{with_sysctl_tweak}
|
%if %{with_sysctl_tweak}
|
||||||
README.%{distroname_ext} \
|
README.%{distroname_ext} \
|
||||||
%endif
|
%endif
|
||||||
README.md CHANGES TODO doc/%{name}.p{df,s}
|
%if %{with doc}
|
||||||
|
doc/%{name}.p{df,s} \
|
||||||
|
%endif
|
||||||
|
README.md CHANGES.md TODO
|
||||||
|
|
||||||
|
%if %{with doc}
|
||||||
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
|
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
|
||||||
|
%endif
|
||||||
|
|
||||||
# Install replacement tools, if enabled.
|
# Install replacement tools, if enabled.
|
||||||
%if !%{with replace_coreutils}
|
%if !%{with replace_coreutils}
|
||||||
%{__rm} -f \
|
%{__rm} -f \
|
||||||
%{buildroot}%{_bindir}/md5sum \
|
%{buildroot}%{_bindir}/md5sum \
|
||||||
%{buildroot}%{_bindir}/sha*sum
|
%{buildroot}%{_bindir}/sha*sum \
|
||||||
|
%{buildroot}%{_bindir}/sm*sum
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if !%{with replace_fipscheck}
|
%if !%{with replace_fipscheck}
|
||||||
|
@ -351,6 +387,7 @@ EOF
|
||||||
|
|
||||||
%if !%{with replace_hmaccalc}
|
%if !%{with replace_hmaccalc}
|
||||||
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac
|
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac
|
||||||
|
%{__rm} -f %{buildroot}%{_bindir}/sm*hmac
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# We don't ship autocrap dumplings.
|
# We don't ship autocrap dumplings.
|
||||||
|
@ -362,11 +399,13 @@ EOF
|
||||||
# Remove 0-size files.
|
# Remove 0-size files.
|
||||||
%{_bindir}/find %{buildroot} -type f -size 0 -print -delete
|
%{_bindir}/find %{buildroot} -type f -size 0 -print -delete
|
||||||
|
|
||||||
|
%if %{with doc}
|
||||||
# Make sure all docs have non-exec permissions, except for the dirs.
|
# Make sure all docs have non-exec permissions, except for the dirs.
|
||||||
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \
|
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \
|
||||||
%{_bindir}/xargs %{__chmod} -c 0644
|
%{_bindir}/xargs %{__chmod} -c 0644
|
||||||
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \
|
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \
|
||||||
%{_bindir}/xargs %{__chmod} -c 0755
|
%{_bindir}/xargs %{__chmod} -c 0755
|
||||||
|
%endif
|
||||||
|
|
||||||
# Possibly save some space by hardlinking.
|
# Possibly save some space by hardlinking.
|
||||||
for d in %{_mandir} %{_pkgdocdir}; do
|
for d in %{_mandir} %{_pkgdocdir}; do
|
||||||
|
@ -376,22 +415,31 @@ done
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# Some basic sanity checks.
|
# Some basic sanity checks.
|
||||||
%make_build cppcheck
|
%if %{with clang_sa}
|
||||||
%if %{use_clang}
|
|
||||||
%make_build scan
|
%make_build scan
|
||||||
%endif
|
%endif
|
||||||
|
%if %{with cppcheck}
|
||||||
|
%make_build cppcheck
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with test}
|
||||||
# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
|
# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
|
||||||
# which is the lowest limit needed to run the testsuite. If that limit
|
# which is the lowest limit needed to run the testsuite. If that limit
|
||||||
# is not met, we do not run it.
|
# is not met, we do not run it.
|
||||||
%if %{test_optmem_max} >= 20480
|
%if %{test_optmem_max} >= 20480
|
||||||
|
# Skip the testsuite on old kernels.
|
||||||
|
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0
|
||||||
# Real testsuite.
|
# Real testsuite.
|
||||||
pushd test
|
pushd test
|
||||||
# Ignore test result since the CI will do better testing anyway
|
%if %{with fuzz_test}
|
||||||
|
ENABLE_FUZZ_TEST=1 \
|
||||||
|
%endif
|
||||||
NO_32BIT_TEST=1 \
|
NO_32BIT_TEST=1 \
|
||||||
./test-invocation.sh || true
|
./test-invocation.sh
|
||||||
popd
|
popd
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%ldconfig_scriptlets
|
%ldconfig_scriptlets
|
||||||
|
@ -412,7 +460,7 @@ popd
|
||||||
|
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%doc %{_pkgdocdir}/CHANGES
|
%doc %{_pkgdocdir}/CHANGES.md
|
||||||
%doc %{_pkgdocdir}/TODO
|
%doc %{_pkgdocdir}/TODO
|
||||||
%{_includedir}/kcapi.h
|
%{_includedir}/kcapi.h
|
||||||
%{_mandir}/man3/kcapi_*.3.*
|
%{_mandir}/man3/kcapi_*.3.*
|
||||||
|
@ -420,17 +468,22 @@ popd
|
||||||
%{_libdir}/pkgconfig/%{name}.pc
|
%{_libdir}/pkgconfig/%{name}.pc
|
||||||
|
|
||||||
|
|
||||||
|
%if %{with doc}
|
||||||
%files doc
|
%files doc
|
||||||
%doc %{_pkgdocdir}
|
%doc %{_pkgdocdir}/html
|
||||||
%license %{_datadir}/licenses/%{name}*
|
%doc %{_pkgdocdir}/%{name}.pdf
|
||||||
|
%doc %{_pkgdocdir}/%{name}.ps
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%if %{with replace_coreutils}
|
%if %{with replace_coreutils}
|
||||||
%files checksum
|
%files checksum
|
||||||
%{_bindir}/md5sum
|
%{_bindir}/md5sum
|
||||||
%{_bindir}/sha*sum
|
%{_bindir}/sha*sum
|
||||||
|
%{_bindir}/sm*sum
|
||||||
/%{_lib}/fipscheck/md5sum.hmac
|
/%{_lib}/fipscheck/md5sum.hmac
|
||||||
/%{_lib}/fipscheck/sha*sum.hmac
|
/%{_lib}/fipscheck/sha*sum.hmac
|
||||||
|
/%{_lib}/fipscheck/sm*sum.hmac
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with replace_fipscheck}
|
%if %{with replace_fipscheck}
|
||||||
|
@ -442,7 +495,9 @@ popd
|
||||||
%if %{with replace_hmaccalc}
|
%if %{with replace_hmaccalc}
|
||||||
%files hmaccalc
|
%files hmaccalc
|
||||||
%{_bindir}/sha*hmac
|
%{_bindir}/sha*hmac
|
||||||
|
%{_bindir}/sm*hmac
|
||||||
/%{_lib}/hmaccalc/sha*hmac.hmac
|
/%{_lib}/hmaccalc/sha*hmac.hmac
|
||||||
|
/%{_lib}/hmaccalc/sm*hmac.hmac
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
@ -462,6 +517,39 @@ popd
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-2
|
||||||
|
- Backport fixes for kcapi-hasher target option
|
||||||
|
Related: RHEL-15300
|
||||||
|
- Fix kcapi tests in FIPS mode
|
||||||
|
Resolves: RHEL-2406
|
||||||
|
|
||||||
|
* Wed Nov 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-1
|
||||||
|
- Update to new upstream release 1.4.0
|
||||||
|
Resolves: RHEL-5366
|
||||||
|
- Add a patch to fix auxiliary tests in FIPS mode
|
||||||
|
Resolves: RHEL-2406
|
||||||
|
- Add a patch to zeroize kcapi-hasher for FIPS 140-3
|
||||||
|
Resolves: RHEL-15290
|
||||||
|
- Add a patch to allow overriding target file in kcapi-hasher
|
||||||
|
Resolves: RHEL-15300
|
||||||
|
|
||||||
|
* Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
|
||||||
|
- Fix double free issue in hasher()
|
||||||
|
|
||||||
|
* Mon May 25 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-1
|
||||||
|
- [RHEL] Update to upstream version 1.2.0
|
||||||
|
|
||||||
|
* Thu Apr 30 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-3
|
||||||
|
- Enables building on old kernels [sync fix in Fedora from omosnance].
|
||||||
|
- This is required for covscans as they run on RHEL7 machines.
|
||||||
|
|
||||||
|
* Wed Apr 29 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-2
|
||||||
|
- Drop the license from the doc subpackage to avoid conflicts
|
||||||
|
|
||||||
|
* Mon Apr 27 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-1
|
||||||
|
- [RHEL] Update to upstream version 1.1.5
|
||||||
|
- [RHEL] Sync with Fedora branch
|
||||||
|
|
||||||
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16_1
|
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16_1
|
||||||
- [RHEL] Apply 'Add missing dependencies to the tests package'
|
- [RHEL] Apply 'Add missing dependencies to the tests package'
|
||||||
- [RHEL] Apply 'Update patch from upstream'
|
- [RHEL] Apply 'Update patch from upstream'
|
||||||
|
|
Loading…
Reference in New Issue