--- /dev/null
+Use fipscheck compatible way of verification of the integrity of the libcrypto
+shared library.
+diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
+--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100
++++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100
+@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
+ if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+ LIBRARIES="-L$(TOP) -lfips"; \
+ elif [ -n "$(FIPSCANLIB)" ]; then \
+- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
+- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
++ LIBRARIES="$(LIBCRYPTO)"; \
+ fi; \
+ $(MAKE) -f $(TOP)/Makefile.shared -e \
+ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
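Review bot: With the `FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC` line removed, the `elif` branch of `FIPS_BUILD_CMD` no longer sets a shell `CC`, so the trailing `CC=$${CC}` on the hunk's last context line now passes whatever `CC` the recipe shell inherits from its environment. The Makefile.org hunk for `libfips$(SHLIB_EXT)` changes the equivalent line to `CC=$(CC)`; doing the same here, `CC=$(CC) APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \`, would keep the two build commands consistent and make the compiler choice explicit rather than environment-dependent. The same `CC=$${CC}` line is left in the `FIPS_CRYPTO_BUILD_CMD` hunk that follows. Presumably `CC` is exported to the sub-make's environment by the `-e` invocation from the top-level Makefile, so this is a consistency point rather than a breakage; confirm against the top-level Makefile. The `FIPS_BUILD_CMD` definition starts before and continues after this hunk.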
+@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
+ shlib_target="$(SHLIB_TARGET)"; \
+ fi; \
+ LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
+- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
+- fi; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
+ $(MAKE) -f $(TOP)/Makefile.shared -e \
+ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
+--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100
++++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100
+@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
+ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+ $(AR) libcrypto.a fips/fipscanister.o ; \
+ else \
+- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
+- FIPSLD_CC=$(CC); CC=fips/fipsld; \
+- export CC FIPSLD_CC; \
+- fi; \
+ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
+ fi \
+ else \
+@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
+ fips/fipscanister.o: build_fips
+ libfips$(SHLIB_EXT): fips/fipscanister.o
+ @if [ "$(SHLIB_TARGET)" != "" ]; then \
+- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+ $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- CC=$${CC} LIBNAME=fips THIS=$@ \
++ CC=$(CC) LIBNAME=fips THIS=$@ \
+ LIBEXTRAS=fips/fipscanister.o \
+ LIBDEPS="$(EX_LIBS)" \
+ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+@@ -469,7 +464,7 @@ openssl.pc: Makefile
+ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+ echo 'Version: '$(VERSION); \
+ echo 'Requires: '; \
+- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
++ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+
+ Makefile: Makefile.org Configure config
+diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
+--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
++++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100
+@@ -47,6 +47,7 @@
+ *
+ */
+
++#define _GNU_SOURCE
+
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+@@ -56,6 +57,9 @@
+ #include <openssl/rsa.h>
+ #include <string.h>
+ #include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+@@ -165,6 +169,7 @@ int FIPS_selftest()
+ && FIPS_selftest_dsa();
+ }
+
++#if 0
+ extern const void *FIPS_text_start(), *FIPS_text_end();
+ extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
+ unsigned char FIPS_signature [20] = { 0 };
+@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
+
+ return 1;
+ }
++#else
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen-1);
++ path[pathlen-1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *
++bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++#define HMAC_PREFIX "."
++#define HMAC_SUFFIX ".hmac"
++#define READ_BUFFER_LENGTH 16384
++
++static char *
++make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if(path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn-origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int
++compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX c;
++
++ HMAC_CTX_init(&c);
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
++
++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ HMAC_Update(&c, rbuf, len);
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ HMAC_Final(&c, rbuf, &hlen);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++end:
++ HMAC_CTX_cleanup(&c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int
++FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++ char path[PATH_MAX+1];
++ int rv;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++ if (rv < 0)
++ return 0;
++
++ hmacpath = make_hmac_path(path);
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p=strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ }
++
++end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
++#endif
+
+ int FIPS_mode_set(int onoff)
+ {
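Review bot: `FIPSCHECK_verify` returns 1 (check passed) when the `.hmac` file exists but is empty: `rv` is still 0 from the successful `get_library_path` call when `getline` returns -1, nothing in the skipped block assigns it, and the `if (rv < 0)` after `end:` falls through to `return 1`. An integrity check should fail closed, so `rv` should be set to a failure value before the `getline` call and reset to 0 only when `strcmp(hex, hmac)` matches. In the same function the result of `make_hmac_path` is handed to `fopen` without a NULL check, so an allocation failure dereferences NULL, and `n` is passed to `getline` uninitialised, which glibc tolerates when `hmac` is NULL but the documented contract does not. All three points are inside the `FIPSCHECK_verify` body in this hunk; the trailing context is the opening of `FIPS_mode_set`, which continues outside the hunk.
```c
static int
FIPSCHECK_verify(const char *libname, const char *symbolname)
{
	/* … unchanged: declarations of path, rv, hf, hmacpath, p, hmac … */
	size_t n = 0;

	/* … unchanged: get_library_path call and its rv < 0 check … */

	hmacpath = make_hmac_path(path);
	if (hmacpath == NULL)
		return 0;

	/* … unchanged: fopen of hmacpath and its NULL check … */

	/* fail closed: only a readable, matching .hmac line sets rv back to 0 */
	rv = -1;
	if (getline(&hmac, &n, hf) > 0) {
		/* … unchanged: newline strip, compute_file_hmac and bin2hex calls … */

		if (strcmp(hex, hmac) == 0) {
			rv = 0;
		}
		free(buf);
		free(hex);
	}

	/* … unchanged: end label, cleanup and return … */
}
```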
+@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
+ }
+ #endif
+
+- if(fips_signature_witness() != FIPS_signature)
+- {
+- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if(!FIPS_check_incore_fingerprint())
++ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
+ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
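Review bot: The library name `"libcrypto.so.0.9.8e"` is hard-coded at the `FIPSCHECK_verify` call site while the patched tree is openssl-0.9.8j; `get_library_path` opens it with `RTLD_NOLOAD`, so if libcrypto is ever loaded under a different soname (or linked statically) the `dlopen` fails and `FIPS_mode_set` reports `FIPS_R_FINGERPRINT_DOES_NOT_MATCH` although no fingerprint was compared. That is fail-closed, which is the right default, but the reported reason misleads whoever debugs it. Taking the soname from the build instead of a literal, for example a preprocessor macro defined by the Makefile with this literal as its fallback (constructed name: `FIPSCHECK_LIBCRYPTO_SONAME`), would keep the check aligned with what the Makefiles actually produce; presumably the distribution pins the 0.9.8e soname deliberately, so confirm before changing it. `FIPSCHECK_verify` also distinguishes `-1`, `-4` and `-5` internally but collapses them all to 0, so the distinction between a mismatch, an unreadable library and an allocation failure is lost at this call. `FIPS_mode_set` starts and ends outside the hunk.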
+@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
+ return ret;
+ }
+
++#if 0
+ unsigned char *fips_signature_witness(void)
+ {
+ extern unsigned char FIPS_signature[];
+ return FIPS_signature;
+ }
++#endif
+
+ /* Generalized public key test routine. Signs and verifies the data
+ * supplied in tbs using mesage digest md and setting option digest
+diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
+--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100
++++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100
+@@ -62,9 +62,9 @@ testapps:
+
+ all:
+ @if [ -z "$(FIPSLIBDIR)" ]; then \
+- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
++ $(MAKE) -e subdirs lib; \
+ else \
+- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
++ $(MAKE) -e lib; \
+ fi
+
+ # Idea behind fipscanister.o is to "seize" the sequestered code between
+@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
+ HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
+ *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
+ esac fi
+- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+
+ # If another exception is immediately required, assign approprite
+ # site-specific ld command to FIPS_SITE_LD environment variable.
+@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
+ $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
+ @touch lib
+
+-shared: lib subdirs fips_premain_dso$(EXE_EXT)
++shared: lib subdirs
+
+ libs:
+ @target=lib; $(RECURSIVE_MAKE)
+@@ -195,10 +194,6 @@ install:
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+ @target=install; $(RECURSIVE_MAKE)
+- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
+- fips_premain.c.sha1 \
+- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
+- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
+
+ lint:
+ @target=lint; $(RECURSIVE_MAKE)
+diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
+--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
++++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100
+@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
+ int fips_set_owning_thread(void);
+ void fips_set_selftest_fail(void);
+ int fips_clear_owning_thread(void);
++#if 0
+ unsigned char *fips_signature_witness(void);
++#endif
+
+ #define FIPS_MAX_CIPHER_TEST_SIZE 16
+