From ccf8343aedd49b1250bee761f5c1ba8465b7dadb Mon Sep 17 00:00:00 2001

From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Date: Thu, 10 Jan 2019 14:04:02 +0100

Subject: [PATCH 1/2] fips140: Fix the names of files used in integrity checks

The names of the libraries haven't been updated when the soname version

were bumped.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

---

 lib/fips.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/fips.c b/lib/fips.c

index 2715af599..fb2d596c2 100644

--- a/lib/fips.c

+++ b/lib/fips.c

@@ -135,9 +135,9 @@ void _gnutls_fips_mode_reset_zombie(void)

 	}

 }

-#define GNUTLS_LIBRARY_NAME "libgnutls.so.28"

-#define NETTLE_LIBRARY_NAME "libnettle.so.4"

-#define HOGWEED_LIBRARY_NAME "libhogweed.so.2"

+#define GNUTLS_LIBRARY_NAME "libgnutls.so.30"

+#define NETTLE_LIBRARY_NAME "libnettle.so.6"

+#define HOGWEED_LIBRARY_NAME "libhogweed.so.4"

 #define GMP_LIBRARY_NAME "libgmp.so.10"

 #define HMAC_SUFFIX ".hmac"

-- 

2.20.1

From 8bac499469af3fb39a5ad59f1defe9f3824d5119 Mon Sep 17 00:00:00 2001

From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Date: Fri, 11 Jan 2019 11:23:21 +0100

Subject: [PATCH 2/2] fips140: Ignore newlines read at the end of HMAC file

This makes the integrity check to ignore newlines appended after the

HMAC value.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

---

 lib/fips.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/lib/fips.c b/lib/fips.c

index fb2d596c2..0169ab171 100644

--- a/lib/fips.c

+++ b/lib/fips.c

@@ -250,6 +250,13 @@ static unsigned check_binary_integrity(const char* libname, const char* symbol)

 	}

 	hmac_size = hex_data_size(data.size);

+

+	/* trim eventual newlines from the end of the data read from file */

+	while ((data.size > 0) && (data.data[data.size - 1] == '\n')) {

+		data.data[data.size - 1] = 0;

+		data.size--;

+	}

+

 	ret = gnutls_hex_decode(&data, hmac, &hmac_size);

 	gnutls_free(data.data);

-- 

2.20.1