Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
compat-openssl098.16428
openssl-fips__0040_use_fipscheck_internal.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-fips__0040_use_fipscheck_internal.diff of Package compat-openssl098.16428
diff -rNU 20 ../openssl-0.9.8j-o/Makefile.org ./Makefile.org --- ../openssl-0.9.8j-o/Makefile.org 2011-08-09 14:10:24.000000000 +0200 +++ ./Makefile.org 2011-08-09 14:14:42.000000000 +0200 @@ -339,67 +339,62 @@ @dir=engines; target=all; $(BUILD_ONE_CMD) build_apps: @dir=apps; target=all; $(BUILD_ONE_CMD) build_tests: @dir=test; target=all; $(BUILD_ONE_CMD) build_tools: @dir=tools; target=all; $(BUILD_ONE_CMD) all_testapps: build_libs build_testapps build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD) build_shared: $(SHARED_LIBS) libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ "$(SHLIB_TARGET)" != "" ]; then \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ $(ARD) libcrypto.a fipscanister.o ; \ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ $(AR) libcrypto.a fips/fipscanister.o ; \ else \ - if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ - FIPSLD_CC=$(CC); CC=fips/fipsld; \ - export CC FIPSLD_CC; \ - fi; \ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ fi \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ fi libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ shlibdeps=-lcrypto; \ [ "$(FIPSCANLIB)" = "libfips" ] && shlibdeps="$$shlibdeps -lfips"; \ $(MAKE) SHLIBDIRS=ssl SHLIBDEPS="$$shlibdeps" build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2 ; \ exit 1; \ fi fips/fipscanister.o: build_fips libfips$(SHLIB_EXT): fips/fipscanister.o @if [ "$(SHLIB_TARGET)" != "" ]; then \ - FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ $(MAKE) -f Makefile.shared -e $(BUILDENV) \ - CC="$${CC}" LIBNAME=fips THIS=$@ \ + CC=$(CC) LIBNAME=fips THIS=$@ \ LIBEXTRAS=fips/fipscanister.o \ LIBDEPS="$(EX_LIBS)" \ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ link_o.$(SHLIB_TARGET) || { rm -f $@; exit 1; } \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ fi libfips.a: dir=fips; target=all; $(BUILD_ONE_CMD) clean-shared: @set -e; for i in $(SHLIBDIRS); do \ if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ tmp="$(SHARED_LIBS_LINK_EXTS)"; \ for j in $${tmp:-x}; do \ ( set -x; rm -f lib$$i$$j ); \ done; \ fi; \ diff -rNU 20 ../openssl-0.9.8j-o/apps/Makefile ./apps/Makefile --- ../openssl-0.9.8j-o/apps/Makefile 2011-08-09 14:10:24.000000000 +0200 +++ ./apps/Makefile 2011-08-09 14:14:42.000000000 +0200 @@ -135,42 +135,40 @@ fi dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) rm -f req $(DLIBSSL): (cd ..; $(MAKE) DIRS=ssl all) $(DLIBCRYPTO): (cd ..; $(MAKE) DIRS=crypto all) $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(EXE) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} -(cd ..; \ OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \ $(PERL) tools/c_rehash certs) progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h $(RM) $(PROGRAM).o # DO NOT DELETE THIS LINE -- make depend depends on it. app_rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h diff -rNU 20 ../openssl-0.9.8j-o/fips/Makefile ./fips/Makefile --- ../openssl-0.9.8j-o/fips/Makefile 2008-09-23 13:21:17.000000000 +0200 +++ ./fips/Makefile 2011-08-09 14:14:42.000000000 +0200 @@ -45,43 +45,43 @@ LIBOBJ=fips.o FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib SRC= $(LIBSRC) EXHEADER=fips.h HEADER=$(EXHEADER) fips_utl.h fips_locl.h EXE=fipsld ALL= $(GENERAL) $(SRC) $(HEADER) top: @(cd ..; $(MAKE) DIRS=$(DIR) all) testapps: @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi all: @if [ -z "$(FIPSLIBDIR)" ]; then \ - $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ + $(MAKE) -e subdirs lib; \ else \ - $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ + $(MAKE) -e lib; \ fi # Idea behind fipscanister.o is to "seize" the sequestered code between # known symbols for fingerprinting purposes, which would be commonly # done with ld -r start.o ... end.o. The latter however presents a minor # challenge on multi-ABI platforms. As just implied, we'd rather use ld, # but the trouble is that we don't generally know how ABI-selection # compiler flag is translated to corresponding linker flag. All compiler # drivers seem to recognize -r flag and pass it down to linker, but some # of them, including gcc, erroneously add -lc, as well as run-time # components, such as crt1.o and alike. Fortunately among those vendor # compilers which were observed to misinterpret -r flag multi-ABI ones # are equipped with smart linkers, which don't require any ABI-selection # flag and simply assume that all objects are of the same type as first # one in command line. So the idea is to identify gcc and deficient # vendor compiler drivers... fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o FIPS_ASM=""; \ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ @@ -92,114 +92,125 @@ CPUID=../crypto/$(CPUID_OBJ) ; \ else \ CPUID="" ; \ fi ; \ objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ for i in $(FIPS_OBJ_LISTS); do \ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ objs="$$objs `sed "$$script" $$i`"; \ done; \ objs="$$objs fips_end.o" ; \ os="`(uname -s) 2>/dev/null`"; cflags="$(CFLAGS)"; \ [ "$$os" = "AIX" ] && cflags="$$cflags -Wl,-bnoobjreorder"; \ if [ -n "${FIPS_SITE_LD}" ]; then \ set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \ elif $(CC) -dumpversion >/dev/null 2>&1; then \ set -x; $(CC) $$cflags -r -nostdlib -o $@ $$objs ; \ else case "$$os" in \ HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ esac fi - ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 # If another exception is immediately required, assign approprite # site-specific ld command to FIPS_SITE_LD environment variable. fips_start.o: fips_canister.c $(CC) $(CFLAGS) -DFIPS_START -c -o $@ fips_canister.c fips_end.o: fips_canister.c $(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c fips_premain_dso$(EXE_EXT): fips_premain.c $(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \ $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) # this is executed only when linking with external fipscanister.o fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o subdirs: @target=all; $(RECURSIVE_MAKE) files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO @target=files; $(RECURSIVE_MAKE) links: @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) @target=links; $(RECURSIVE_MAKE) # lib: and $(LIB): are splitted to avoid end-less loop lib: $(LIB) if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi @touch lib -$(LIB): $(FIPSLIBDIR)fipscanister.o - $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o +$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS) + FIPS_ASM=""; \ + list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ + list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ + list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ + list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ + if [ -n "$(CPUID_OBJ)" ]; then \ + CPUID=../crypto/$(CPUID_OBJ) ; \ + else \ + CPUID="" ; \ + fi ; \ + objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ + for i in $(FIPS_OBJ_LISTS); do \ + dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ + objs="$$objs `sed "$$script" $$i`"; \ + done; \ + objs="$$objs" ; \ + $(AR) $(LIB) $$objs $(RANLIB) $(LIB) || echo Never mind. $(FIPSCANLIB): $(FIPSCANLOC) $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC) if [ "$(FIPSCANLIB)" = "libfips" ]; then \ $(AR) $(LIB) $(FIPSCANLOC) ; \ $(RANLIB) $(LIB) || echo Never Mind. ; \ fi $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. @touch lib -shared: lib subdirs fips_premain_dso$(EXE_EXT) +shared: lib subdirs libs: @target=lib; $(RECURSIVE_MAKE) fips_test: top @target=fips_test; $(RECURSIVE_MAKE) fips_test_diff: @if diff -b -B -I '^\#' -cr -X fips-nodiff.txt $(FIPS_TVDIR) $(FIPS_TVOK) ; then \ echo "FIPS diff OK" ; \ else \ echo "***FIPS DIFF ERROR***" ; exit 1 ; \ fi install: @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... @headerlist="$(EXHEADER)"; for i in $$headerlist ;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; @target=install; $(RECURSIVE_MAKE) - @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ - fips_premain.c.sha1 \ - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ - chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* lint: @target=lint; $(RECURSIVE_MAKE) depend: @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi clean: rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT) \ *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff @target=clean; $(RECURSIVE_MAKE) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) @target=dclean; $(RECURSIVE_MAKE) # DO NOT DELETE THIS LINE -- make depend depends on it. diff -rNU 20 ../openssl-0.9.8j-o/fips/fips.c ./fips/fips.c --- ../openssl-0.9.8j-o/fips/fips.c 2011-08-09 14:13:55.000000000 +0200 +++ ./fips/fips.c 2011-08-09 14:25:33.000000000 +0200 @@ -30,53 +30,59 @@ * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * */ +#define _GNU_SOURCE #include <openssl/rand.h> #include <openssl/fips_rand.h> #include <openssl/err.h> #include <openssl/bio.h> #include <openssl/hmac.h> #include <openssl/rsa.h> #include <string.h> #include <limits.h> +#include <dlfcn.h> +#include <stdio.h> +#include <stdlib.h> + #include "fips_locl.h" #ifdef OPENSSL_FIPS + #include <openssl/fips.h> #ifndef PATH_MAX #define PATH_MAX 1024 #endif static int fips_selftest_fail; static int fips_mode; static const void *fips_rand_check; static void fips_set_mode(int onoff) { int owning_thread = fips_is_owning_thread(); if (fips_is_started()) { if (!owning_thread) fips_w_lock(); fips_mode = onoff; if (!owning_thread) fips_w_unlock(); } @@ -148,40 +154,41 @@ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); } } void fips_set_selftest_fail(void) { fips_selftest_fail = 1; } int FIPS_selftest() { return FIPS_selftest_sha1() && FIPS_selftest_hmac() && FIPS_selftest_aes() && FIPS_selftest_des() && FIPS_selftest_rsa() && FIPS_selftest_dsa(); } +#if 0 extern const void *FIPS_text_start(), *FIPS_text_end(); extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; unsigned char FIPS_signature [20] = { 0 }; static const char FIPS_hmac_key[]="etaonrishdlcupfm"; unsigned int FIPS_incore_fingerprint(unsigned char *sig,unsigned int len) { const unsigned char *p1 = FIPS_text_start(); const unsigned char *p2 = FIPS_text_end(); const unsigned char *p3 = FIPS_rodata_start; const unsigned char *p4 = FIPS_rodata_end; HMAC_CTX c; HMAC_CTX_init(&c); HMAC_Init(&c,FIPS_hmac_key,strlen(FIPS_hmac_key),EVP_sha1()); /* detect overlapping regions */ if (p1<=p3 && p2>=p3) p3=p1, p4=p2>p4?p2:p4, p1=NULL, p2=NULL; else if (p3<=p1 && p4>=p1) @@ -227,86 +234,290 @@ if (len!=sizeof(FIPS_signature) || memcmp(FIPS_signature,sig,sizeof(FIPS_signature))) { if (FIPS_signature>=FIPS_rodata_start && FIPS_signature<FIPS_rodata_end) FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING); #if defined(__sgi) && (defined(__mips) || defined(mips)) else if (__dso_displacement!=NULL) #else else if (OPENSSL_NONPIC_relocated) #endif FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED); else FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); return 0; } return 1; } +#else /* incore_fingerprint */ + +/* we implement what libfipscheck does ourselves */ + +static int +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) +{ + Dl_info info; + void *dl, *sym; + int rv = -1; + + dl = dlopen(libname, RTLD_LAZY); + if (dl == NULL) { + return -1; + } + + sym = dlsym(dl, symbolname); + + if (sym != NULL && dladdr(sym, &info)) { + strncpy(path, info.dli_fname, pathlen-1); + path[pathlen-1] = '\0'; + rv = 0; + } + + dlclose(dl); + + return rv; +} + +static const char conv[] = "0123456789abcdef"; + +static char * +bin2hex(void *buf, size_t len) +{ + char *hex, *p; + unsigned char *src = buf; + + hex = malloc(len * 2 + 1); + if (hex == NULL) + return NULL; + + p = hex; + + while (len > 0) { + unsigned c; + + c = *src; + src++; + + *p = conv[c >> 4]; + ++p; + *p = conv[c & 0x0f]; + ++p; + --len; + } + *p = '\0'; + return hex; +} + +#define HMAC_PREFIX "." +#define HMAC_SUFFIX ".hmac" +#define READ_BUFFER_LENGTH 16384 + +static char * +make_hmac_path(const char *origpath) +{ + char *path, *p; + const char *fn; + + path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); + if(path == NULL) { + return NULL; + } + + fn = strrchr(origpath, '/'); + if (fn == NULL) { + fn = origpath; + } else { + ++fn; + } + + strncpy(path, origpath, fn-origpath); + p = path + (fn - origpath); + p = stpcpy(p, HMAC_PREFIX); + p = stpcpy(p, fn); + p = stpcpy(p, HMAC_SUFFIX); + + return path; +} + +static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; + +static int +compute_file_hmac(const char *path, void **buf, size_t *hmaclen) +{ + FILE *f = NULL; + int rv = -1; + unsigned char rbuf[READ_BUFFER_LENGTH]; + size_t len; + unsigned int hlen; + HMAC_CTX c; + + HMAC_CTX_init(&c); + + f = fopen(path, "r"); + + if (f == NULL) { + goto end; + } + + HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); + + while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { + HMAC_Update(&c, rbuf, len); + } + + len = sizeof(rbuf); + /* reuse rbuf for hmac */ + HMAC_Final(&c, rbuf, &hlen); + + *buf = malloc(hlen); + if (*buf == NULL) { + goto end; + } + + *hmaclen = hlen; + + memcpy(*buf, rbuf, hlen); + + rv = 0; +end: + HMAC_CTX_cleanup(&c); + + if (f) + fclose(f); + + return rv; +} + +static int +FIPSCHECK_verify(const char *libname, const char *symbolname) +{ + char path[PATH_MAX+1]; + int rv; + FILE *hf; + char *hmacpath, *p; + char *hmac = NULL; + size_t n; + + rv = get_library_path(libname, symbolname, path, sizeof(path)); + + if (rv < 0) + return 0; + + hmacpath = make_hmac_path(path); + + hf = fopen(hmacpath, "r"); + if (hf == NULL) { + free(hmacpath); + return 0; + } + + if (getline(&hmac, &n, hf) > 0) { + void *buf; + size_t hmaclen; + char *hex; + + if ((p=strchr(hmac, '\n')) != NULL) + *p = '\0'; + + if (compute_file_hmac(path, &buf, &hmaclen) < 0) { + rv = -4; + goto end; + } + + if ((hex=bin2hex(buf, hmaclen)) == NULL) { + free(buf); + rv = -5; + goto end; + } + + if (strcmp(hex, hmac) != 0) { + rv = -1; + } + free(buf); + free(hex); + } + +end: + free(hmac); + free(hmacpath); + fclose(hf); + + if (rv < 0) + return 0; + + /* check successful */ + return 1; +} + +#endif + + int FIPS_mode_set(int onoff) { int fips_set_owning_thread(); int fips_clear_owning_thread(); int ret = 0; fips_w_lock(); fips_set_started(); fips_set_owning_thread(); if(onoff) { unsigned char buf[48]; fips_selftest_fail = 0; /* Don't go into FIPS mode twice, just so we can do automagic seeding */ if(FIPS_mode()) { FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET); fips_selftest_fail = 1; ret = 0; goto end; } #ifdef OPENSSL_IA32_SSE2 if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26)) { FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM); fips_selftest_fail = 1; ret = 0; goto end; } #endif - if(fips_signature_witness() != FIPS_signature) + if(!FIPSCHECK_verify("libcrypto.so.0.9.8","FIPS_mode_set")) { - FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); + FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; ret = 0; goto end; } - if(!FIPS_check_incore_fingerprint()) + if(!FIPSCHECK_verify("libssl.so.0.9.8","SSL_CTX_new")) { + FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; ret = 0; goto end; } /* Perform RNG KAT before seeding */ if (!FIPS_selftest_rng()) { fips_selftest_fail = 1; ret = 0; goto end; } /* now switch into FIPS mode */ fips_set_rand_check(FIPS_rand_method()); RAND_set_rand_method(FIPS_rand_method()); /* automagically seed PRNG if not already seeded */ if(!FIPS_rand_status()) { @@ -388,45 +599,47 @@ return ret; } int fips_clear_owning_thread(void) { int ret = 0; if (fips_is_started()) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); if (fips_thread == CRYPTO_thread_id()) { fips_thread = 0; ret = 1; } CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); } return ret; } +#if 0 unsigned char *fips_signature_witness(void) { extern unsigned char FIPS_signature[]; return FIPS_signature; } +#endif /* Generalized public key test routine. Signs and verifies the data * supplied in tbs using mesage digest md and setting option digest * flags md_flags. If the 'kat' parameter is not NULL it will * additionally check the signature matches it: a known answer test * The string "fail_str" is used for identification purposes in case * of failure. */ int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, unsigned int katlen, const EVP_MD *digest, unsigned int md_flags, const char *fail_str) { int ret = 0; unsigned char sigtmp[256], *sig = sigtmp; unsigned int siglen; EVP_MD_CTX mctx; EVP_MD_CTX_init(&mctx); diff -rNU 20 ../openssl-0.9.8j-o/fips/fips_locl.h ./fips/fips_locl.h --- ../openssl-0.9.8j-o/fips/fips_locl.h 2008-09-16 12:12:10.000000000 +0200 +++ ./fips/fips_locl.h 2011-08-09 14:14:42.000000000 +0200 @@ -46,28 +46,30 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. * */ #ifdef OPENSSL_FIPS #ifdef __cplusplus extern "C" { #endif void fips_w_lock(void); void fips_w_unlock(void); void fips_r_lock(void); void fips_r_unlock(void); int fips_is_started(void); void fips_set_started(void); int fips_is_owning_thread(void); int fips_set_owning_thread(void); void fips_set_selftest_fail(void); int fips_clear_owning_thread(void); +#if 0 unsigned char *fips_signature_witness(void); +#endif #define FIPS_MAX_CIPHER_TEST_SIZE 16 #ifdef __cplusplus } #endif #endif diff -rNU 20 ../openssl-0.9.8j-o/test/Makefile ./test/Makefile --- ../openssl-0.9.8j-o/test/Makefile 2011-08-09 14:10:24.000000000 +0200 +++ ./test/Makefile 2011-08-09 14:14:42.000000000 +0200 @@ -384,56 +384,52 @@ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO) @target=$(MD2TEST); $(BUILD_CMD) $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO) @target=$(SHATEST); $(BUILD_CMD) $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO) @target=$(SHA1TEST); $(BUILD_CMD) $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO) @target=$(SHA256TEST); $(BUILD_CMD) $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO) @target=$(SHA512TEST); $(BUILD_CMD) FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ if [ "$(FIPSCANLIB)" = "libfips" ]; then \ LIBRARIES="-L$(TOP) -lfips"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ - LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ + else \ + LIBRARIES="$(LIBCRYPTO)"; \ fi; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} FIPS_CRYPTO_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ - if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ - FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ - fi; \ [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} $(FIPS_SHATEST)$(EXE_EXT): $(FIPS_SHATEST).o $(DLIBCRYPTO) @target=$(FIPS_SHATEST); $(FIPS_BUILD_CMD) $(FIPS_AESTEST)$(EXE_EXT): $(FIPS_AESTEST).o $(DLIBCRYPTO) @target=$(FIPS_AESTEST); $(FIPS_BUILD_CMD) $(FIPS_DESTEST)$(EXE_EXT): $(FIPS_DESTEST).o $(DLIBCRYPTO) @target=$(FIPS_DESTEST); $(FIPS_BUILD_CMD) $(FIPS_HMACTEST)$(EXE_EXT): $(FIPS_HMACTEST).o $(DLIBCRYPTO) @target=$(FIPS_HMACTEST); $(FIPS_BUILD_CMD) $(FIPS_RANDTEST)$(EXE_EXT): $(FIPS_RANDTEST).o $(DLIBCRYPTO) @target=$(FIPS_RANDTEST); $(FIPS_BUILD_CMD)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
