From ccf8343aedd49b1250bee761f5c1ba8465b7dadb Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Thu, 10 Jan 2019 14:04:02 +0100
Subject: [PATCH 1/2] fips140: Fix the names of files used in integrity checks

The names of the libraries haven't been updated when the soname version were bumped.

Signed-off-by: Anderson Toshiyuki Sasaki
---
 lib/fips.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/fips.c b/lib/fips.c
index 2715af599..fb2d596c2 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -135,9 +135,9 @@ void _gnutls_fips_mode_reset_zombie(void)
 }
 }
 
-#define GNUTLS_LIBRARY_NAME "libgnutls.so.28"
-#define NETTLE_LIBRARY_NAME "libnettle.so.4"
-#define HOGWEED_LIBRARY_NAME "libhogweed.so.2"
+#define GNUTLS_LIBRARY_NAME "libgnutls.so.30"
+#define NETTLE_LIBRARY_NAME "libnettle.so.6"
+#define HOGWEED_LIBRARY_NAME "libhogweed.so.4"
 #define GMP_LIBRARY_NAME "libgmp.so.10"
 
 #define HMAC_SUFFIX ".hmac"
-- 
2.20.1

From 8bac499469af3fb39a5ad59f1defe9f3824d5119 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Fri, 11 Jan 2019 11:23:21 +0100
Subject: [PATCH 2/2] fips140: Ignore newlines read at the end of HMAC file

This makes the integrity check to ignore newlines appended after the HMAC value.

Signed-off-by: Anderson Toshiyuki Sasaki
---
 lib/fips.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/fips.c b/lib/fips.c
index fb2d596c2..0169ab171 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -250,6 +250,13 @@ static unsigned check_binary_integrity(const char* libname, const char* symbol)
 }
 
 hmac_size = hex_data_size(data.size);
+
+ /* trim eventual newlines from the end of the data read from file */
+ while ((data.size > 0) && (data.data[data.size - 1] == '\n')) {
+ data.data[data.size - 1] = 0;
+ data.size--;
+ }
+
 ret = gnutls_hex_decode(&data, hmac, &hmac_size);
 gnutls_free(data.data);
 
-- 
2.20.1
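Review bot: The sonames in `GNUTLS_LIBRARY_NAME`, `NETTLE_LIBRARY_NAME` and `HOGWEED_LIBRARY_NAME` remain hard-coded string literals with nothing tying them to the libraries the build actually links, which is how they went stale before this fix. Since these names select the files used in the integrity checks, a stale value presumably means the check looks at the wrong or a missing file. At minimum add a comment above the block such as `/* Must match the sonames of the linked libraries; update on every soname bump. */`; deriving the values from the build configuration would remove the manual step. `GMP_LIBRARY_NAME` is unchanged context here and should be verified the same way.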
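Review bot: `hmac_size = hex_data_size(data.size);` still runs before the new trim loop, so the output size handed to `gnutls_hex_decode()` is computed from the untrimmed length and, more importantly, from the length of the file rather than from the capacity of `hmac`. If `hmac` is a fixed-size array (its declaration is outside the hunk), an oversized .hmac file could make the declared capacity larger than the real buffer; consider moving the assignment below the loop and failing the check when `hex_data_size(data.size)` exceeds `sizeof(hmac)`. The loop also strips only `'\n'`, so a file ending in `\r\n` would presumably still be rejected by the decoder; if that should be tolerated, extend the condition to `'\r'`. `check_binary_integrity` begins and ends outside the hunk.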