File openssl-fips__0090_hmac_key_change.diff of Package compat-openssl098.1637

diff -rNU 20 ../openssl-0.9.8j-o/apps/dgst.c ./apps/dgst.c
--- ../openssl-0.9.8j-o/apps/dgst.c	2008-10-22 20:51:37.000000000 +0200
+++ ./apps/dgst.c	2011-08-09 17:17:57.000000000 +0200
@@ -199,41 +199,41 @@
 			{
 			if (--argc < 1) break;
 			keyform=str2fmt(*(++argv));
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) break;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
 		else if (strcmp(*argv,"-binary") == 0)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow=1;
 		else if (!strcmp(*argv,"-fips-fingerprint"))
-			hmac_key = "etaonrishdlcupfm";
+			hmac_key = "ppaksykemnsecgtsttplmamstKMEs";
 		else if (!strcmp(*argv,"-hmac"))
 			{
 			if (--argc < 1)
 				break;
 			hmac_key=*++argv;
 			}
 		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
 			md=m;
 		else
 			break;
 		argc--;
 		argv++;
 		}
 
 	if (md == NULL)
 		md=EVP_md5();
 
 	if(do_verify && !sigfile) {
 		BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
 		err = 1; 
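Review bot: The `-fips-fingerprint` branch sets `hmac_key` to a bare string literal that this patch repeats in fips/fips.c, fips/fipsld, fips/openssl_fips_fingerprint and fips/sha/fips_standalone_sha1.c, and nothing enforces that the copies stay identical. A mismatch in any one of them would only show up as a fingerprint failure at build or self-test time, so the three C files would be better served by one shared macro in a header they already include. At minimum the assignment deserves a comment such as `/* public integrity-check key, not a secret; must match fips/fips.c, fips/fipsld and fips_standalone_sha1.c */`. Because the key ships in source and binaries, this HMAC detects corruption or a mismatched build, not modification by someone able to recompute the fingerprint, and the comment should say so. The option-parsing loop starts before this hunk.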
diff -rNU 20 ../openssl-0.9.8j-o/fips/fips.c ./fips/fips.c
--- ../openssl-0.9.8j-o/fips/fips.c	2011-08-09 17:02:07.000000000 +0200
+++ ./fips/fips.c	2011-08-09 17:17:57.000000000 +0200
@@ -324,41 +324,41 @@
       if(path == NULL) {
               return NULL;
       }
 
       fn = strrchr(origpath, '/');
       if (fn == NULL) {
               fn = origpath;
       } else {
               ++fn;
       }
 
       strncpy(path, origpath, fn-origpath);
       p = path + (fn - origpath);
       p = stpcpy(p, HMAC_PREFIX);
       p = stpcpy(p, fn);
       p = stpcpy(p, HMAC_SUFFIX);
 
       return path;
 }
 
-static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+static const char hmackey[] = "ppaksykemnsecgtsttplmamstKMEs";
 
 static int
 compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
 {
       FILE *f = NULL;
       int rv = -1;
       unsigned char rbuf[READ_BUFFER_LENGTH];
       size_t len;
       unsigned int hlen;
       HMAC_CTX c;
 
       HMAC_CTX_init(&c);
 
       f = fopen(path, "r");
 
       if (f == NULL) {
               goto end;
       }
 
       HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
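Review bot: `hmackey` previously held a value different from the one used by the other four files and is now unified with them, so any file named by the `HMAC_PREFIX`/`HMAC_SUFFIX` path built just above that was generated with the old key will presumably stop verifying. The packaging has to regenerate those files in the same build, and that coupling is not documented anywhere in the hunk. I would add a comment above the definition, for example `/* must equal the key used when the HMAC files are generated at build time; changing it invalidates every existing fingerprint */`. The body of compute_file_hmac continues outside the hunk.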
diff -rNU 20 ../openssl-0.9.8j-o/fips/fipsld ./fips/fipsld
--- ../openssl-0.9.8j-o/fips/fipsld	2008-09-16 12:12:10.000000000 +0200
+++ ./fips/fipsld	2011-08-09 17:17:57.000000000 +0200
@@ -52,41 +52,41 @@
 
 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
 
 # fipscanister.o can appear in command line
 CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
 if [ -z "${CANISTER_O}" ]; then
 	# If set, FIPSLIBDIR is location of installed validated FIPS module
 	if [ -n "${FIPSLIBDIR}" ]; then
 		CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
 	elif [ -f "${THERE}/fips/fipscanister.o" ]; then
 		CANISTER_O="${THERE}/fips/fipscanister.o"
 	elif [ -f "${THERE}/lib/fipscanister.o" ]; then
 		CANISTER_O="${THERE}/lib/fipscanister.o"
 	fi
 	CANISTER_O_CMD="${CANISTER_O}"
 fi
 [ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
 
 PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
 
-HMAC_KEY="etaonrishdlcupfm"
+HMAC_KEY="ppaksykemnsecgtsttplmamstKMEs"
 
 case "`(uname -s) 2>/dev/null`" in
 OSF1|IRIX*)	_WL_PREMAIN="-Wl,-init,FINGERPRINT_premain"	;;
 HP-UX)		_WL_PREMAIN="-Wl,+init,FINGERPRINT_premain"	;;
 AIX)		_WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
 Darwin)		(   while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
 		    [ $# -ge 1 ]
 		) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
 esac
 
 case "${TARGET}" in
 [!/]*)	TARGET=./${TARGET} ;;
 esac
 
 case `basename "${TARGET}"` in
 lib*|*.dll)	# must be linking a shared lib...
 	# Shared lib creation can be taking place in the source
 	# directory only, but fipscanister.o can reside elsewhere...
 	FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
 
diff -rNU 20 ../openssl-0.9.8j-o/fips/openssl_fips_fingerprint ./fips/openssl_fips_fingerprint
--- ../openssl-0.9.8j-o/fips/openssl_fips_fingerprint	2008-09-16 12:12:10.000000000 +0200
+++ ./fips/openssl_fips_fingerprint	2011-08-09 17:17:57.000000000 +0200
@@ -6,26 +6,26 @@
 lib=$1
 exe=$2
 ext=${HMAC_EXT:-sha1}
 
 # deal with the case where we're run from within the build and OpenSSL is
 # not yet installed.  Also, make sure LD_LIBRARY_PATH is properly set in
 # case shared libraries are built.
 if [ "X$TOP" != "X" ]
 then
     if test "$OSTYPE" = msdosdjgpp; then
 	PATH="$TOP/apps;$TOP;$PATH"
     else
     	PATH="$TOP/apps:$TOP:$PATH"
     fi
     LD_LIBRARY_PATH=$TOP; export LD_LIBRARY_PATH
 else
     LD_LIBRARY_PATH=.; export LD_LIBRARY_PATH
 fi
 
 echo "Checking library fingerprint for $lib"
-openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff -w $lib.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
+openssl sha1 -hmac ppaksykemnsecgtsttplmamstKMEs $lib | sed "s/(.*\//(/" | diff -w $lib.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; }
 
 [ -x $exe.exe ] && exe=$exe.exe
 
 echo "Making fingerprint for $exe"
-openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.$ext || rm $exe.$ext
+openssl sha1 -hmac ppaksykemnsecgtsttplmamstKMEs -binary $exe > $exe.$ext || rm $exe.$ext
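Review bot: The rewritten library check still prints `$libs`, which is never set (the script assigns `lib=$1`), so the mismatch message comes out without the library name; it should read `echo "$lib fingerprint mismatch"`. On the last line `|| rm $exe.$ext` makes the script exit with rm's status, so a failed fingerprint generation is reported as success; `|| { rm -f "$exe.$ext"; exit 1; }` keeps the failure visible to the build. `$lib` and `$exe` are also expanded unquoted on both new lines, which breaks on paths containing spaces.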
diff -rNU 20 ../openssl-0.9.8j-o/fips/sha/fips_standalone_sha1.c ./fips/sha/fips_standalone_sha1.c
--- ../openssl-0.9.8j-o/fips/sha/fips_standalone_sha1.c	2011-08-09 17:13:04.000000000 +0200
+++ ./fips/sha/fips_standalone_sha1.c	2011-08-09 17:18:29.000000000 +0200
@@ -89,41 +89,41 @@
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
 	pad[i]=0x5c^keymd[i];
     SHA256_Init(o_ctx);
     SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
     }
 
 static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
     {
     unsigned char buf[SHA256_DIGEST_LENGTH];
 
     SHA256_Final(buf,md_ctx);
     SHA256_Update(o_ctx,buf,sizeof buf);
     SHA256_Final(md,o_ctx);
     }
 
 #endif
 
 int main(int argc,char **argv)
     {
 #ifdef OPENSSL_FIPS
-    static char key[]="etaonrishdlcupfm";
+    static char key[]="ppaksykemnsecgtsttplmamstKMEs";
     int n,binary=0;
 
     if(argc < 2)
 	{
 	fprintf(stderr,"%s [<file>]+\n",argv[0]);
 	exit(1);
 	}
 
     n=1;
     if (!strcmp(argv[n],"-binary"))
 	{
 	n++;
 	binary=1;	/* emit binary fingerprint... */
 	}
 
     for(; n < argc ; ++n)
 	{
 	FILE *f=fopen(argv[n],"rb");
 	SHA256_CTX md_ctx,o_ctx;
 	unsigned char md[SHA256_DIGEST_LENGTH];
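Review bot: `key` in main is declared as a writable `static char key[]` although nothing visible in this hunk modifies it. Declaring it `static const char key[]="ppaksykemnsecgtsttplmamstKMEs";` would match the `static const char hmackey[]` definition in fips/fips.c and place the constant in read-only data, provided hmac_init (defined outside this hunk) takes a const pointer. The body of main continues past the end of the hunk.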