25067463 The 'test4/5/6' in hmactest.c dumped core in FIPS mode
authorMisaki Miyashita <misaki.miyashita@oracle.com>
Thu, 17 Nov 2016 13:20:16 -0800
changeset 7342 3291c8473ecd
parent 7339 46c33b1954eb
child 7343 a6cfc180f5e8
25067463 The 'test4/5/6' in hmactest.c dumped core in FIPS mode
components/openssl/openssl-fips-140/patches/206-hmac-ctx-check.patch
components/openssl/openssl-fips/patches/303-hmac-ctx.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-fips-140/patches/206-hmac-ctx-check.patch	Thu Nov 17 13:20:16 2016 -0800
@@ -0,0 +1,61 @@
+# Developed in house.
+# It checks the validity of the context.
+# The issue was reported to the upstream by QE: #4679
+--- a/crypto/hmac/hmac.c	2016-11-09 12:52:40.755645360 -0800
++++ b/crypto/hmac/hmac.c	2016-11-09 12:53:17.872944235 -0800
[email protected]@ -71,6 +71,10 @@
+     int i, j, reset = 0;
+     unsigned char pad[HMAC_MAX_MD_CBLOCK];
+ 
++    /* If we are changing MD then we must have a key */
++    if (md != NULL && md != ctx->md && (key == NULL || len < 0))
++        return 0;
++
+ #ifdef OPENSSL_FIPS
+     /* If FIPS mode switch to approved implementation if possible */
+     if (FIPS_mode()) {
[email protected]@ -97,9 +101,6 @@
+             return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
+     }
+ #endif
+-    /* If we are changing MD then we must have a key */
+-    if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+-        return 0;
+ 
+     if (md != NULL) {
+         reset = 1;
[email protected]@ -164,12 +165,13 @@
+ 
+ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
+ {
++    if (!ctx->md)
++        return 0;
++
+ #ifdef OPENSSL_FIPS
+     if (FIPS_mode() && !ctx->i_ctx.engine)
+         return FIPS_hmac_update(ctx, data, len);
+ #endif
+-    if (!ctx->md)
+-        return 0;
+ 
+     return EVP_DigestUpdate(&ctx->md_ctx, data, len);
+ }
[email protected]@ -178,14 +180,15 @@
+ {
+     unsigned int i;
+     unsigned char buf[EVP_MAX_MD_SIZE];
++
++    if (!ctx->md)
++        goto err;
++
+ #ifdef OPENSSL_FIPS
+     if (FIPS_mode() && !ctx->i_ctx.engine)
+         return FIPS_hmac_final(ctx, md, len);
+ #endif
+ 
+-    if (!ctx->md)
+-        goto err;
+-
+     if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
+         goto err;
+     if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx))
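Review bot: In HMAC_Init_ex the check hoisted above the FIPS block only fires when `md != NULL`, so a call on a never-initialised context with `md == NULL` still appears to reach `FIPS_hmac_init_ex()` with `ctx->md == NULL`; the dispatch lines between the first two inner hunks are not shown, so this is inferred from the visible `return FIPS_hmac_init_ex(ctx, key, len, md, NULL);`. That case is closed only by the companion canister patch 303-hmac-ctx.patch, which leaves this wrapper dependent on being built against a patched canister. Consider adding `if (md == NULL && ctx->md == NULL) return 0;` next to the moved check so the wrapper rejects the call itself. The header comment "It checks the validity of the context" would also be clearer as something like `# Hoists the ctx->md checks above the FIPS dispatch so an uninitialised HMAC_CTX is rejected before any FIPS_hmac_* call.` All three function bodies continue outside the quoted context.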
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-fips/patches/303-hmac-ctx.patch	Thu Nov 17 13:20:16 2016 -0800
@@ -0,0 +1,18 @@
+# Developed in house: Solaris specific
+# It checks the validity of the context.
+# This change is inside the FIPS canister; thus, not applicable to
+# the upstream.
+--- a/crypto/hmac/hmac.c	2016-11-09 14:41:31.820245175 -0800
++++ b/crypto/hmac/hmac.c	2016-11-09 14:42:13.816500695 -0800
[email protected]@ -75,8 +75,10 @@
+ 		reset=1;
+ 		ctx->md=md;
+ 		}
+-	else
++	else if (ctx->md != NULL)
+ 		md=ctx->md;
++	else
++		goto err;
+ 
+ 	if (key != NULL)
+ 		{
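Review bot: The new `else if (ctx->md != NULL) ... else goto err;` branch covers only the `md == NULL` case, and `ctx->md=md;` is still assigned before anything validates a change of digest. The wrapper patch in this same changeset rejects `md != NULL && md != ctx->md && (key == NULL || len < 0)` before dispatching, but nothing in this hunk mirrors that check, so a caller that reaches the canister function directly can presumably still switch digests without supplying a key. If that path is reachable, add `if (md != NULL && md != ctx->md && (key == NULL || len < 0)) goto err;` ahead of the `if (md != NULL)` block. The function's start and the `err:` label are outside the hunk, so confirm that the label only returns failure and does not touch a half-initialised context.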