openssl/openssl-0.9.8j-fipscheck-hmac.patch

Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.
We use the binary just during the OpenSSL build to checksum the libcrypto.
diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile
--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac	2008-10-26 19:42:05.000000000 +0100
+++ openssl-0.9.8j/fips/sha/Makefile	2009-01-14 16:39:41.000000000 +0100
@@ -46,7 +46,7 @@ lib:	$(LIBOBJ)
 	@echo $(LIBOBJ) > lib
 
 ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
-	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
+	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
 	$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
 
 files:
diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c
--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac	2008-09-16 12:12:23.000000000 +0200
+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c	2009-01-14 17:07:56.000000000 +0100
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
 
 #ifdef OPENSSL_FIPS
 
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
 		      const char *key)
     {
     int len=strlen(key);
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
 
     if (len > SHA_CBLOCK)
 	{
-	SHA1_Init(md_ctx);
-	SHA1_Update(md_ctx,key,len);
-	SHA1_Final(keymd,md_ctx);
-	len=20;
+	SHA256_Init(md_ctx);
+	SHA256_Update(md_ctx,key,len);
+	SHA256_Final(keymd,md_ctx);
+	len=SHA256_DIGEST_LENGTH;
 	}
     else
 	memcpy(keymd,key,len);
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
 	pad[i]=0x36^keymd[i];
-    SHA1_Init(md_ctx);
-    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
+    SHA256_Init(md_ctx);
+    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
 
     for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
 	pad[i]=0x5c^keymd[i];
-    SHA1_Init(o_ctx);
-    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
+    SHA256_Init(o_ctx);
+    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
     }
 
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
     {
-    unsigned char buf[20];
+    unsigned char buf[SHA256_DIGEST_LENGTH];
 
-    SHA1_Final(buf,md_ctx);
-    SHA1_Update(o_ctx,buf,sizeof buf);
-    SHA1_Final(md,o_ctx);
+    SHA256_Final(buf,md_ctx);
+    SHA256_Update(o_ctx,buf,sizeof buf);
+    SHA256_Final(md,o_ctx);
     }
 
 #endif
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
 int main(int argc,char **argv)
     {
 #ifdef OPENSSL_FIPS
-    static char key[]="etaonrishdlcupfm";
+    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
     int n,binary=0;
 
     if(argc < 2)
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
     for(; n < argc ; ++n)
 	{
 	FILE *f=fopen(argv[n],"rb");
-	SHA_CTX md_ctx,o_ctx;
-	unsigned char md[20];
+	SHA256_CTX md_ctx,o_ctx;
+	unsigned char md[SHA256_DIGEST_LENGTH];
 	int i;
 
 	if(!f)
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
 	for( ; ; )
 	    {
 	    char buf[1024];
-	    int l=fread(buf,1,sizeof buf,f);
+	    size_t l=fread(buf,1,sizeof buf,f);
 
 	    if(l == 0)
 		{
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
 		else
 		    break;
 		}
-	    SHA1_Update(&md_ctx,buf,l);
+	    SHA256_Update(&md_ctx,buf,l);
 	    }
 	hmac_final(md,&md_ctx,&o_ctx);
 
 	if (binary)
 	    {
-	    fwrite(md,20,1,stdout);
+	    fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
 	    break;	/* ... for single(!) file */
 	    }
 
-	printf("HMAC-SHA1(%s)= ",argv[n]);
-	for(i=0 ; i < 20 ; ++i)
+/*	printf("HMAC-SHA1(%s)= ",argv[n]); */
+	for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
 	    printf("%02x",md[i]);
 	printf("\n");
 	}
- new upstream version with necessary soname bump (#455753) - temporarily provide symlink to old soname to make it possible to rebuild the dependent packages in rawhide - add eap-fast support (#428181) - add possibility to disable zlib by setting - add fips mode support for testing purposes - do not null dereference on some invalid smime files - add buildrequires pkgconfig (#479493) 2009-01-15 09:10:25 +00:00			`Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.`
			`We use the binary just during the OpenSSL build to checksum the libcrypto.`
			`diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile`
			`--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100`
			`+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100`
			`@@ -46,7 +46,7 @@ lib: $(LIBOBJ)`
			`@echo $(LIBOBJ) > lib`

			`../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o`
			`- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \`
			`+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \`
			`$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM`

			`files:`
			`diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c`
			`--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200`
			`+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100`
			`@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)`

			`#ifdef OPENSSL_FIPS`

			`-static void hmac_init(SHA_CTX md_ctx,SHA_CTX o_ctx,`
			`+static void hmac_init(SHA256_CTX md_ctx,SHA256_CTX o_ctx,`
			`const char *key)`
			`{`
			`int len=strlen(key);`
			`@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH`

			`if (len > SHA_CBLOCK)`
			`{`
			`- SHA1_Init(md_ctx);`
			`- SHA1_Update(md_ctx,key,len);`
			`- SHA1_Final(keymd,md_ctx);`
			`- len=20;`
			`+ SHA256_Init(md_ctx);`
			`+ SHA256_Update(md_ctx,key,len);`
			`+ SHA256_Final(keymd,md_ctx);`
			`+ len=SHA256_DIGEST_LENGTH;`
			`}`
			`else`
			`memcpy(keymd,key,len);`
			`@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH`

			`for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)`
			`pad[i]=0x36^keymd[i];`
			`- SHA1_Init(md_ctx);`
			`- SHA1_Update(md_ctx,pad,SHA_CBLOCK);`
			`+ SHA256_Init(md_ctx);`
			`+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);`

			`for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)`
			`pad[i]=0x5c^keymd[i];`
			`- SHA1_Init(o_ctx);`
			`- SHA1_Update(o_ctx,pad,SHA_CBLOCK);`
			`+ SHA256_Init(o_ctx);`
			`+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);`
			`}`

			`-static void hmac_final(unsigned char md,SHA_CTX md_ctx,SHA_CTX *o_ctx)`
			`+static void hmac_final(unsigned char md,SHA256_CTX md_ctx,SHA256_CTX *o_ctx)`
			`{`
			`- unsigned char buf[20];`
			`+ unsigned char buf[SHA256_DIGEST_LENGTH];`

			`- SHA1_Final(buf,md_ctx);`
			`- SHA1_Update(o_ctx,buf,sizeof buf);`
			`- SHA1_Final(md,o_ctx);`
			`+ SHA256_Final(buf,md_ctx);`
			`+ SHA256_Update(o_ctx,buf,sizeof buf);`
			`+ SHA256_Final(md,o_ctx);`
			`}`

			`#endif`
			`@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md`
			`int main(int argc,char **argv)`
			`{`
			`#ifdef OPENSSL_FIPS`
			`- static char key[]="etaonrishdlcupfm";`
			`+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";`
			`int n,binary=0;`

			`if(argc < 2)`
			`@@ -125,8 +125,8 @@ int main(int argc,char **argv)`
			`for(; n < argc ; ++n)`
			`{`
			`FILE *f=fopen(argv[n],"rb");`
			`- SHA_CTX md_ctx,o_ctx;`
			`- unsigned char md[20];`
			`+ SHA256_CTX md_ctx,o_ctx;`
			`+ unsigned char md[SHA256_DIGEST_LENGTH];`
			`int i;`

			`if(!f)`
			`@@ -139,7 +139,7 @@ int main(int argc,char **argv)`
			`for( ; ; )`
			`{`
			`char buf[1024];`
			`- int l=fread(buf,1,sizeof buf,f);`
			`+ size_t l=fread(buf,1,sizeof buf,f);`

			`if(l == 0)`
			`{`
			`@@ -151,18 +151,18 @@ int main(int argc,char **argv)`
			`else`
			`break;`
			`}`
			`- SHA1_Update(&md_ctx,buf,l);`
			`+ SHA256_Update(&md_ctx,buf,l);`
			`}`
			`hmac_final(md,&md_ctx,&o_ctx);`

			`if (binary)`
			`{`
			`- fwrite(md,20,1,stdout);`
			`+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);`
			`break; /* ... for single(!) file */`
			`}`

			`- printf("HMAC-SHA1(%s)= ",argv[n]);`
			`- for(i=0 ; i < 20 ; ++i)`
			`+/* printf("HMAC-SHA1(%s)= ",argv[n]); */`
			`+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)`
			`printf("%02x",md[i]);`
			`printf("\n");`
			`}`