Fix FIPS integrity self tests
Add a description of the new feature/bug fix. Reference any relevant bugs.
This is a fix for a bug originally reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1665061
There were 2 issues:
- The library names in libs/fips.c were not updated when the sonames were bumped:
  - libgnutls.so.28 -> libgnutls.so.30
  - libnettle.so.4 -> libnettle.so.6
  - libhogweed.so.2 -> libhogweed.so.4
- The decoding of the HMAC fails when there is a '\n' at the end of the file. The newline makes the file hold 65 bytes instead of the expected 64 bytes. At the end of the processing (lib/extras/hex.c:39) it checks whether all input bytes were processed, but the last remaining byte makes the check fail. This is not exactly a bug, but allowing newlines at the end of the file makes the format of the accepted files more flexible, and the integrity check more robust.
Checklist
- Code modified for feature
- Test suite updated with functionality tests
- Test suite updated with negative tests
- Documentation updated / NEWS entry present (for non-trivial changes)

Reviewer's checklist:
- Any issues marked for closing are addressed
- There is a test suite reasonably covering new functionality or modifications
- Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
- This feature/change has adequate documentation added
- No obvious mistakes in the code
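The trailing-newline failure from the second item of the description, as an added example (not GnuTLS code and not part of this merge request): a strict hex decoder rejects the 65-byte file, while a wrapper that drops only trailing '\n' bytes accepts it and still rejects any other stray byte. The function names and `HMAC_SIZE` are hypothetical; the 32-byte MAC size is an assumption derived from the 64 hex bytes the description mentions.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: 32-byte MAC, i.e. the 64 hex characters the description cites. */
#define HMAC_SIZE 32

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict decoder: the input must be exactly out_len hex pairs with nothing
 * left over. Returns 0 on success, -1 otherwise. */
static int hex_decode_strict(const char *in, size_t in_len,
                             unsigned char *out, size_t out_len)
{
    size_t i;

    if (in_len != out_len * 2)
        return -1; /* a 65th byte (the '\n') is rejected here */
    for (i = 0; i < out_len; i++) {
        int hi = hex_val(in[2 * i]);
        int lo = hex_val(in[2 * i + 1]);

        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Tolerant wrapper: ignore only '\n' bytes at the very end of the buffer,
 * then decode strictly, so truncated or padded files still fail. */
static int hmac_file_decode(const char *buf, size_t len,
                            unsigned char out[HMAC_SIZE])
{
    while (len > 0 && buf[len - 1] == '\n')
        len--;
    return hex_decode_strict(buf, len, out, HMAC_SIZE);
}
```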
Activity
@ansasaki the added test job fails on multiple tests.
@lumag Yes, sorry about this. I will fix it, but it may take some time. I will hopefully get back to this in the next few weeks.
Checking what caused the errors, I saw that libgmp.so.10.hmac is missing in Fedora, which makes the integrity tests fail. I opened this bug to track the issue in Fedora.
For now, I can work around this by manually creating the hmac files. What do you think about this approach?
added 131 commits
- cb0558ca...c94db0e0 - 128 commits from branch gnutls:master
- 22c06ac4 - fips140: Fix the names of files used in integrity checks
- 7ee11118 - fips140: Ignore newlines read at the end of HMAC file
- 51e679e5 - .gitlab-ci.yml: Test FIPS HMAC self-test
The missing HMAC file for libgmp is now installed in Fedora after applying this update: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1cfd03ca89
I verified that the build image for Fedora 29 has already been updated, so there are no more blockers for this PR.
I changed the previous approach of adding a whole new build to run with the integrity checks enabled, and enabled the integrity checks in the existing FIPS140-2 build instead. I also added a line in the build script to generate the HMAC files for the freshly compiled libgnutls so that the integrity tests can be performed.
I'll remove the WIP status from this.
changed milestone to %Release of GnuTLS 3.6.7
assigned to @nmav
added 15 commits
- 357a2520...d0c9b129 - 12 commits from branch gnutls:master
- 6138a0c8 - fips140: Fix the names of files used in integrity checks
- abd54456 - fips140: Ignore newlines read at the end of HMAC file
- 59f3b879 - .gitlab-ci.yml: Test FIPS HMAC self-test
mentioned in commit 3c5cb6f6