Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
compat-openssl098.503
openssl-fips__0300_run_selftests_if_hmac_files_...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-fips__0300_run_selftests_if_hmac_files_present.diff of Package compat-openssl098.503
diff -rNU 50 ../openssl-0.9.8j-o/crypto/o_init.c ./crypto/o_init.c --- ../openssl-0.9.8j-o/crypto/o_init.c 2012-07-10 02:06:00.000000000 +0200 +++ ./crypto/o_init.c 2012-07-10 03:01:34.000000000 +0200 @@ -29,96 +29,128 @@ * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include <e_os.h> #include <openssl/err.h> #ifdef OPENSSL_FIPS #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <errno.h> #include <stdlib.h> #include <openssl/fips.h> #include <openssl/evp.h> #include <openssl/rand.h> #define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" static void init_fips_mode(void) { char buf[2] = "0"; int fd; - + + /* Check if we have already been initialized by FIPS_mode_set(1) + * called directly from the app. If this was the case, calling + * FIPS_mode_set(1) a second time will lead to a failure + * in fips/fips.c:486, so we better avoid that with this mimic + * to switch via kernel cmdline and/or environment without the + * app knowing. + * + * Note that if we are in fips mode already, there is no need to + * run through the self-tests (further down) either. + * + */ + + if(FIPS_mode()) + return; + + /* The following must be without the app knowing. Including the + * forced self-test if the .hmac files are present, marking the + * complete installation of the module. + * + */ + if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { buf[0] = '1'; } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); close(fd); } /* Failure reading the fips mode switch file means just not - * switching into FIPS mode. We would break too many things - * otherwise. + * switching into FIPS mode. + * + * If we don't switch into FIPS mode, we MUST run the self-tests + * anyway, provided that the module is installed completely. + * This will check if the .hmac files for the integrity check + * in fips/fips.c:FIPSCHECK_verify() exist. If so, the selftests + * are executed, if no .hmac files are present, the selftests are + * aborted gracefully. + * */ if (buf[0] == '1') { FIPS_mode_set(1); } + else + { + FIPS_mode_set(0); + } } #endif /* Perform any essential OpenSSL initialization operations. * Currently only sets FIPS callbacks */ void OPENSSL_init(void) { #ifdef OPENSSL_FIPS static int done = 0; if (!done) { int_ERR_lib_init(); #ifdef CRYPTO_MDEBUG CRYPTO_malloc_debug_init(); #endif init_fips_mode(); int_EVP_MD_init_engine_callbacks(); int_EVP_CIPHER_init_engine_callbacks(); int_RAND_init_engine_callbacks(); done = 1; } #endif } diff -rNU 50 ../openssl-0.9.8j-o/fips/fips.c ./fips/fips.c --- ../openssl-0.9.8j-o/fips/fips.c 2012-07-10 02:06:00.000000000 +0200 +++ ./fips/fips.c 2012-07-10 02:06:21.000000000 +0200 @@ -346,253 +346,304 @@ static const char hmackey[] = "ppaksykemnsecgtsttplmamstKMEs"; static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) { FILE *f = NULL; int rv = -1; unsigned char rbuf[READ_BUFFER_LENGTH]; size_t len; unsigned int hlen; HMAC_CTX c; HMAC_CTX_init(&c); f = fopen(path, "r"); if (f == NULL) { goto end; } HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { HMAC_Update(&c, rbuf, len); } len = sizeof(rbuf); /* reuse rbuf for hmac */ HMAC_Final(&c, rbuf, &hlen); *buf = malloc(hlen); if (*buf == NULL) { goto end; } *hmaclen = hlen; memcpy(*buf, rbuf, hlen); rv = 0; end: HMAC_CTX_cleanup(&c); if (f) fclose(f); return rv; } static int -FIPSCHECK_verify(const char *libname, const char *symbolname) +FIPSCHECK_verify(const char *libname, const char *symbolname, int check_hmac_file_open_only) { char path[PATH_MAX+1]; int rv; FILE *hf; char *hmacpath, *p; char *hmac = NULL; size_t n; rv = get_library_path(libname, symbolname, path, sizeof(path)); if (rv < 0) return 0; hmacpath = make_hmac_path(path); if ( hmacpath == NULL ) return 0; hf = fopen(hmacpath, "r"); if (hf == NULL) { free(hmacpath); return 0; } + if (check_hmac_file_open_only == 1) { + fclose(hf); + free(hmacpath); + return 1; + } + if (getline(&hmac, &n, hf) > 0) { void *buf; size_t hmaclen; char *hex; if ((p=strchr(hmac, '\n')) != NULL) *p = '\0'; if (compute_file_hmac(path, &buf, &hmaclen) < 0) { rv = -4; goto end; } if ((hex=bin2hex(buf, hmaclen)) == NULL) { free(buf); rv = -5; goto end; } if (strcmp(hex, hmac) != 0) { rv = -1; } free(buf); free(hex); } end: free(hmac); free(hmacpath); fclose(hf); if (rv < 0) return 0; /* check successful */ return 1; } #endif int FIPS_mode_set(int onoff) { int fips_set_owning_thread(); int fips_clear_owning_thread(); int ret = 0; fips_w_lock(); fips_set_started(); fips_set_owning_thread(); if(onoff) { unsigned char buf[48]; fips_selftest_fail = 0; /* Don't go into FIPS mode twice, just so we can do automagic seeding */ if(FIPS_mode()) { FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET); fips_selftest_fail = 1; ret = 0; goto end; } #ifdef OPENSSL_IA32_SSE2 if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26)) { FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM); fips_selftest_fail = 1; ret = 0; goto end; } #endif - if(!FIPSCHECK_verify("libcrypto.so.0.9.8","FIPS_mode_set")) + if(!FIPSCHECK_verify("libcrypto.so.0.9.8","FIPS_mode_set", 0 )) { FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; ret = 0; goto end; } - if(!FIPSCHECK_verify("libssl.so.0.9.8","SSL_CTX_new")) + if(!FIPSCHECK_verify("libssl.so.0.9.8","SSL_CTX_new", 0 )) { FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; ret = 0; goto end; } /* Perform RNG KAT before seeding */ if (!FIPS_selftest_rng()) { fips_selftest_fail = 1; ret = 0; goto end; } /* now switch into FIPS mode */ fips_set_rand_check(FIPS_rand_method()); RAND_set_rand_method(FIPS_rand_method()); /* automagically seed PRNG if not already seeded */ if(!FIPS_rand_status()) { RAND_poll(); if (!FIPS_rand_status()) { fips_selftest_fail = 1; ret = 0; goto end; } } if(FIPS_selftest()) fips_set_mode(1); else { fips_selftest_fail = 1; ret = 0; goto end; } ret = 1; goto end; - } + } else { + /* + * onoff == 0, we need to do the self-tests. + * + * check if the .hmac files are there. If not, then abort + * running the self-tests gracefully. + * + */ + if( FIPSCHECK_verify("libcrypto.so.0.9.8","FIPS_mode_set", 1) && + FIPSCHECK_verify("libssl.so.0.9.8","SSL_CTX_new", 1) ) { + +/* hmac files are present. */ + + if(!FIPSCHECK_verify("libcrypto.so.0.9.8","FIPS_mode_set", 0 )) + { + FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; + } + + if(!FIPSCHECK_verify("libssl.so.0.9.8","SSL_CTX_new", 0 )) + { + FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; + } + + /* Perform RNG KAT */ + if (!FIPS_selftest_rng()) + { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + + if( ! FIPS_selftest()) + { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + } + } /* onoff == 0 */ + fips_set_mode(0); fips_selftest_fail = 0; ret = 1; end: fips_clear_owning_thread(); fips_w_unlock(); return ret; } void fips_w_lock(void) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); } void fips_w_unlock(void) { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); } void fips_r_lock(void) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); } void fips_r_unlock(void) { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); } static int fips_started = 0; static unsigned long fips_thread = 0; void fips_set_started(void) { fips_started = 1; } int fips_is_started(void) { return fips_started; } int fips_is_owning_thread(void) { int ret = 0; if (fips_is_started()) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS2); if (fips_thread != 0 && fips_thread == CRYPTO_thread_id()) ret = 1; CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2); } return ret; } int fips_set_owning_thread(void) { int ret = 0; if (fips_is_started()) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); if (fips_thread == 0) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor