
1ac26c
diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c
1ac26c
--- openssl-3.0.7/providers/fips/self_test.c.embed-hmac	2023-01-05 10:03:44.864869710 +0100
1ac26c
+++ openssl-3.0.7/providers/fips/self_test.c	2023-01-05 10:15:17.041606472 +0100
1ac26c
@@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
6ed7c9
 }
6ed7c9
 #endif
6ed7c9
 
6ed7c9
+#define HMAC_LEN 32
6ed7c9
+/*
6ed7c9
+ * The __attribute__ ensures we've created the .rodata1 section
6ed7c9
+ * static ensures it's zero filled
6ed7c9
+*/
a74baf
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
6ed7c9
+
6ed7c9
 /*
6ed7c9
  * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
6ed7c9
  * the result matches the expected value.
6ed7c9
  * Return 1 if verified, or 0 if it fails.
6ed7c9
  */
6ed7c9
+#ifndef __USE_GNU
6ed7c9
+#define __USE_GNU
6ed7c9
+#include <dlfcn.h>
6ed7c9
+#undef __USE_GNU
6ed7c9
+#else
6ed7c9
+#include <dlfcn.h>
6ed7c9
+#endif
6ed7c9
+#include <link.h>
6ed7c9
+
6ed7c9
 static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
6ed7c9
                             unsigned char *expected, size_t expected_len,
6ed7c9
                             OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
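Review bot: The `#define __USE_GNU` block defines a glibc-internal, reserved (double-underscore) macro to expose `dladdr1()`/`RTLD_DL_LINKMAP` after `features.h` has already been processed; the supported spelling is `_GNU_SOURCE` before the first system include (or in the build's CFLAGS), and nothing here guards the new code for non-glibc/non-ELF targets. The comment on `fips_hmac_container` is also misleading: zero-fill comes from the `= {0}` initializer, not from `static`, and it should say that the build's post-link step is expected to overwrite this `.rodata1` slot with the real HMAC. Suggested comment: `/* Placeholder overwritten after linking with the HMAC of the module file; requires glibc dladdr1() and an ELF .rodata1 section. */`. verify_integrity's signature and body continue past this hunk.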
1ac26c
@@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI
6ed7c9
     EVP_MAC *mac = NULL;
6ed7c9
     EVP_MAC_CTX *ctx = NULL;
6ed7c9
     OSSL_PARAM params[2], *p = params;
6ed7c9
+    Dl_info info;
6ed7c9
+    void *extra_info = NULL;
6ed7c9
+    struct link_map *lm = NULL;
6ed7c9
+    unsigned long paddr;
6ed7c9
+    unsigned long off = 0;
6ed7c9
 
6ed7c9
     OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
6ed7c9
 
6ed7c9
+    if (!dladdr1 ((const void *)fips_hmac_container,
6ed7c9
+                &info, &extra_info, RTLD_DL_LINKMAP))
6ed7c9
+        goto err;
6ed7c9
+    lm = extra_info;
6ed7c9
+    paddr = (unsigned long)fips_hmac_container - lm->l_addr;
6ed7c9
+
6ed7c9
     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
6ed7c9
     if (mac == NULL)
6ed7c9
         goto err;
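Review bot: `paddr = (unsigned long)fips_hmac_container - lm->l_addr` treats the load-relative virtual address as the file offset of the HMAC slot, which only holds if the PT_LOAD segment containing `.rodata1` has `p_offset == p_vaddr`; that is the common layout for the read-only segment but it is not guaranteed by the linker, so a layout change would silently HMAC the wrong bytes and brick the module at load. Translating the address through the program headers (e.g. via `dl_iterate_phdr`, subtracting `p_vaddr - p_offset` of the matching segment) would make the computation layout-independent, or at minimum the assumption should be stated in a comment. `extra_info` is also dereferenced without a NULL check; add `if (lm == NULL) goto err;` before the subtraction. verify_integrity begins and ends outside this hunk.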
1ac26c
@@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI
6ed7c9
     if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
6ed7c9
         goto err;
6ed7c9
 
1ac26c
-    while (1) {
6ed7c9
-        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
1ac26c
+    while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
1ac26c
+        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
1ac26c
         if (status != 1)
6ed7c9
             break;
1ac26c
         if (!EVP_MAC_update(ctx, buf, bytes_read))
6ed7c9
             goto err;
1ac26c
+	off += bytes_read;
6ed7c9
     }
1ac26c
+
1ac26c
+    if (off + INTEGRITY_BUF_SIZE > paddr) {
1ac26c
+        int delta = paddr - off;
1ac26c
+        status = read_ex_cb(bio, buf, delta, &bytes_read);
1ac26c
+        if (status != 1)
1ac26c
+            goto err;
1ac26c
+        if (!EVP_MAC_update(ctx, buf, bytes_read))
1ac26c
+            goto err;
1ac26c
+	off += bytes_read;
1ac26c
+
1ac26c
+        status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
1ac26c
+        memset(buf, 0, HMAC_LEN);
1ac26c
+        if (status != 1)
1ac26c
+            goto err;
1ac26c
+        if (!EVP_MAC_update(ctx, buf, bytes_read))
1ac26c
+            goto err;
1ac26c
+	off += bytes_read;
1ac26c
+    }
1ac26c
+
1ac26c
+    while (bytes_read > 0) {
1ac26c
+        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
1ac26c
+        if (status != 1)
1ac26c
+            break;
1ac26c
+        if (!EVP_MAC_update(ctx, buf, bytes_read))
1ac26c
+            goto err;
1ac26c
+	off += bytes_read;
1ac26c
+    }
1ac26c
+
6ed7c9
     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
6ed7c9
         goto err;
1ac26c
 
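Review bot: The first loop `break`s on a failed read while `off + INTEGRITY_BUF_SIZE <= paddr` may still hold, so the following `int delta = paddr - off` can exceed the size of `buf` (an array, per the removed `sizeof(buf)` line) and `read_ex_cb(bio, buf, delta, &bytes_read)` would then write past it if the retried read succeeds. Change the first loop's `break` to `goto err;`, and bound the tail read defensively with `if (delta < 0 || (size_t)delta > sizeof(buf)) goto err;`. The HMAC-skip read also assumes `bytes_read == HMAC_LEN`; a short read there leaves part of the embedded HMAC un-zeroed and feeds it into the MAC, so that read should loop until `HMAC_LEN` bytes have been consumed. The `while (bytes_read > 0)` tail loop also relies on `bytes_read` from the previous block, which is skipped entirely when the first loop exited on error; the enclosing function starts and ends outside this hunk.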
1ac26c
@@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
6ed7c9
         CRYPTO_THREAD_unlock(fips_state_lock);
6ed7c9
     }
6ed7c9
 
6ed7c9
-    if (st == NULL
6ed7c9
-            || st->module_checksum_data == NULL) {
6ed7c9
+    if (st == NULL) {
6ed7c9
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
6ed7c9
         goto end;
6ed7c9
     }
1ac26c
@@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
6ed7c9
     if (ev == NULL)
6ed7c9
         goto end;
6ed7c9
 
6ed7c9
-    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
6ed7c9
-                                         &checksum_len);
6ed7c9
+    module_checksum = fips_hmac_container;
6ed7c9
+    checksum_len = sizeof(fips_hmac_container);
6ed7c9
+
6ed7c9
     if (module_checksum == NULL) {
6ed7c9
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
6ed7c9
         goto end;
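Review bot: After `module_checksum = fips_hmac_container;` the `if (module_checksum == NULL)` check that follows is dead, since the address of a static array is never NULL, and leaving it suggests a failure mode that cannot occur; either drop it or replace it with a check that the container was actually populated, e.g. reject an all-zero slot so a module that skipped the post-link embedding step fails with a clear `PROV_R_INVALID_CONFIG_DATA` rather than a generic HMAC mismatch. If `module_checksum` is declared as `unsigned char *` (its declaration is outside this hunk), the assignment also discards `const` from the container and will warn under `-Wdiscarded-qualifiers`; declaring it `const unsigned char *` keeps the slot read-only. SELF_TEST_post continues outside this hunk.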
1ac26c
@@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
6ed7c9
     ok = 1;
6ed7c9
 end:
6ed7c9
     OSSL_SELF_TEST_free(ev);
6ed7c9
-    OPENSSL_free(module_checksum);
6ed7c9
     OPENSSL_free(indicator_checksum);
6ed7c9
 
6ed7c9
     if (st != NULL) {
6ed7c9
diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t
6ed7c9
--- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t	2021-09-07 13:46:32.000000000 +0200
6ed7c9
+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t	2021-11-18 09:39:53.386817874 +0100
6ed7c9
@@ -20,7 +20,7 @@
6ed7c9
 use lib bldtop_dir('.');
6ed7c9
 use platform;
6ed7c9
 
6ed7c9
-my $no_check = disabled("fips");
6ed7c9
+my $no_check = 1;
6ed7c9
 plan skip_all => "FIPS module config file only supported in a fips build"
6ed7c9
     if $no_check;
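Review bot: `my $no_check = 1;` unconditionally disables this recipe with no explanation, and the skip message still claims the reason is a non-FIPS build, which is no longer true. Keep the original condition so the intent is visible and add a comment, e.g. `# fipsinstall is not used: the module HMAC is embedded at build time, so no fipsmodule.cnf is generated here`, or gate the skip on an explicit build flag rather than a constant so the test is not silently lost if the embedding is ever dropped.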
6ed7c9
 
6ed7c9
diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t
6ed7c9
--- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t	2021-09-07 13:46:32.000000000 +0200
6ed7c9
+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t	2021-11-18 09:59:02.315619486 +0100
6ed7c9
@@ -23,7 +23,7 @@
6ed7c9
 use lib bldtop_dir('.');
6ed7c9
 use platform;
6ed7c9
 
6ed7c9
-my $no_check = disabled("fips");
6ed7c9
+my $no_check = 1;
6ed7c9
 plan skip_all => "Test only supported in a fips build"
6ed7c9
     if $no_check;
6ed7c9
 plan tests => 1;
6ed7c9
diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t
6ed7c9
--- openssl-3.0.0/test/recipes/03-test_fipsinstall.t	2021-09-07 13:46:32.000000000 +0200
6ed7c9
+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t	2021-11-18 09:59:55.365072074 +0100
6ed7c9
@@ -22,7 +22,7 @@
6ed7c9
 use lib bldtop_dir('.');
6ed7c9
 use platform;
6ed7c9
 
6ed7c9
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
6ed7c9
+plan skip_all => "Test only supported in a fips build" if 1;
6ed7c9
 
6ed7c9
 plan tests => 29;
6ed7c9
 
6ed7c9
diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t
6ed7c9
--- openssl-3.0.0/test/recipes/30-test_defltfips.t	2021-09-07 13:46:32.000000000 +0200
6ed7c9
+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t	2021-11-18 10:22:54.179659682 +0100
6ed7c9
@@ -21,7 +21,7 @@
6ed7c9
 use lib srctop_dir('Configurations');
6ed7c9
 use lib bldtop_dir('.');
6ed7c9
 
6ed7c9
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
6ed7c9
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
6ed7c9
 
6ed7c9
 plan tests =>
6ed7c9
     ($no_fips ? 1 : 5);
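Review bot: `my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);` leaves the old expression as commented-out code on the same line, which reads as an accidental leftover rather than a decision; either delete the trailing comment or replace it with a one-line reason, e.g. `my $no_fips = 1; # FIPS tests run against the installed module with its embedded HMAC, not the build tree`. The same pattern is repeated in 80-test_ssl_new.t and 90-test_sslapi.t and should be handled identically.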
6ed7c9
diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t
6ed7c9
--- openssl-3.0.0/test/recipes/80-test_ssl_new.t	2021-09-07 13:46:32.000000000 +0200
6ed7c9
+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t	2021-11-18 10:18:53.391721164 +0100
6ed7c9
@@ -23,7 +23,7 @@
6ed7c9
 use lib srctop_dir('Configurations');
6ed7c9
 use lib bldtop_dir('.');
6ed7c9
 
6ed7c9
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
6ed7c9
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
6ed7c9
 
6ed7c9
 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
6ed7c9
 
6ed7c9
diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t
6ed7c9
--- openssl-3.0.0/test/recipes/90-test_sslapi.t	2021-11-18 10:32:17.734196705 +0100
6ed7c9
+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t	2021-11-18 10:18:30.695538445 +0100
6ed7c9
@@ -18,7 +18,7 @@
6ed7c9
 use lib srctop_dir('Configurations');
6ed7c9
 use lib bldtop_dir('.');
6ed7c9
 
6ed7c9
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
6ed7c9
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
6ed7c9
 
6ed7c9
 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
6ed7c9
     if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
6ed7c9
--- /dev/null	2021-11-16 15:27:32.915000000 +0100
6ed7c9
+++ openssl-3.0.0/test/fipsmodule.cnf	2021-11-18 11:15:34.538060408 +0100
6ed7c9
@@ -0,0 +1,2 @@
6ed7c9
+[fips_sect]
6ed7c9
+activate = 1
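Review bot: The new test fipsmodule.cnf carries only `activate = 1` and nothing states why the `module-mac` / `install-*` entries that fipsinstall normally writes are absent, so a future reader may "fix" it by regenerating the file. Add a leading comment such as `# module-mac is intentionally omitted: the HMAC is embedded in the module's .rodata1 and verified from there`, so the file documents the integrity model it relies on.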