rpms/libkcapi
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Put .hmac files into a separate directory

Browse Source 
Putting the .hmac files into the same directory as the checked binary
causes rpmlint errors and is generaly not a good idea (there could be a
multilib conflict).

Since dracut is already hard-coded to search for them in
/lib(64)?/fipscheck and /lib(64)?/hmaccalc, let's just drop them there.
This commit is contained in:
Ondrej Mosnacek 2018-05-03 09:17:17 +02:00
parent 17d760e698
commit 28355f75fe
2 changed files with 205 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
libkcapi-1.1.1-kcapi-hasher_Add_missing_-d_option_to_fipshmac.patch Normal file
View File

@ -0,0 +1,186 @@
From 2a0642407dd227d24e646c170d8afd47ab917899 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 16 Jul 2018 15:17:29 +0200
Subject: [PATCH] kcapi-hasher: Add missing -d option to fipshmac
---
apps/kcapi-hasher.c | 61 ++++++++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 6782dbc..2fc3ddc 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -71,7 +71,7 @@ struct hash_name {
};
struct hash_key {
- const char *subdir;
+ const char *checkdir;
const uint8_t *data;
uint32_t len;
};
@@ -108,12 +108,20 @@ static const char hmaccalc_hmackey[] = "FIPS-FTW-RHT2009";
static const struct hash_key KEY_FIPSCHECK = {
.data = (const uint8_t *)fipscheck_hmackey,
.len = sizeof(fipscheck_hmackey) - 1,
- .subdir = "fipscheck",
+#ifdef CHECK_DIR
+ .checkdir = CHECK_DIR"/fipscheck",
+#else
+ .checkdir = NULL,
+#endif
};
static const struct hash_key KEY_HMACCALC = {
.data = (const uint8_t *)hmaccalc_hmackey,
.len = sizeof(hmaccalc_hmackey) - 1,
- .subdir = "hmaccalc",
+#ifdef CHECK_DIR
+ .checkdir = CHECK_DIR"/hmaccalc",
+#else
+ .checkdir = NULL,
+#endif
};
static void usage(char *name, int fipscheck)
@@ -142,7 +150,8 @@ static void usage(char *name, int fipscheck)
fprintf(stderr, "\t-k --key-file FILE\tUse HMAC key from given file\n");
fprintf(stderr, "\t-K --key KEY\t\tUse KEY as the HMAC key\n");
fprintf(stderr, "\t --tag\t\tCreate a BSD-style checksum\n");
- fprintf(stderr, "\t-b, -d, -P\t\tCompatibility hmaccalc options; ignored\n");
+ fprintf(stderr, "\t-d\t\t\tCheck directory for fipshmac; otherwise ignored\n");
+ fprintf(stderr, "\t-b, -P\t\t\tCompatibility hmaccalc options; ignored\n");
fprintf(stderr, "\t --help\t\tPrint this help text\n");
fprintf(stderr, "\t-v --version\t\tShow version\n");
}
@@ -368,7 +377,7 @@ static char *paste(char *dst, const char *src, size_t size)
* return: NULL when malloc failed, a pointer that the caller must free
* otherwise.
*/
-static char *get_hmac_file(const char *filename, const char *subdir)
+static char *get_hmac_file(const char *filename, const char *checkdir)
{
size_t i, filelen, pathlen, namelen, basenamestart = 0;
size_t prefixlen = strlen(CHECK_PREFIX);
@@ -386,12 +395,7 @@ static char *get_hmac_file(const char *filename, const char *subdir)
}
namelen = filelen - basenamestart;
-#ifdef CHECK_DIR
- pathlen = strlen(CHECK_DIR"/") + strlen(subdir) + 1;
-#else
- (void)subdir; // avoid parameter unused warning
- pathlen = basenamestart;
-#endif
+ pathlen = checkdir ? strlen(checkdir) + 1 : basenamestart;
checkfile = malloc(pathlen + namelen + prefixlen + 1 /* "." */ +
suffixlen + 1 /* null character */);
@@ -399,14 +403,12 @@ static char *get_hmac_file(const char *filename, const char *subdir)
return NULL;
cursor = checkfile;
-#ifdef CHECK_DIR
- cursor = paste(cursor, CHECK_DIR"/", strlen(CHECK_DIR"/"));
- cursor = paste(cursor, subdir, strlen(subdir));
- cursor = paste(cursor, "/", 1);
-#else
- if (pathlen > 0)
+ if (checkdir) {
+ cursor = paste(cursor, checkdir, strlen(checkdir));
+ cursor = paste(cursor, "/", 1);
+ } else if (pathlen > 0)
cursor = paste(cursor, filename, pathlen);
-#endif
+
cursor = paste(cursor, CHECK_PREFIX, prefixlen);
cursor = paste(cursor, filename + basenamestart, namelen);
cursor = paste(cursor, "."CHECK_SUFFIX, 1 + suffixlen);
@@ -417,7 +419,7 @@ static char *get_hmac_file(const char *filename, const char *subdir)
static int hash_files(const struct hash_params *params,
char *filenames[], uint32_t files,
- int fipshmac, int just_print)
+ int fipshmac, const char *checkdir, int just_print)
{
struct kcapi_handle *handle;
const char *hashname = params->name.kcapiname;
@@ -446,9 +448,7 @@ static int hash_files(const struct hash_params *params,
const char *filename = filenames[i];
if (fipshmac) {
- char *outfile = get_hmac_file(filenames[i],
- params->key.subdir);
-
+ char *outfile = get_hmac_file(filenames[i], checkdir);
if (!outfile) {
fprintf(stderr,
"Cannot create HMAC file name\n");
@@ -712,11 +712,11 @@ static int fipscheck_self(const struct hash_params *params_bin,
}
if (mode == SELFCHECK_PRINT_SELF) {
- ret = hash_files(params_bin, names, 1, 0, 1);
+ ret = hash_files(params_bin, names, 1, 0, NULL, 1);
goto out;
}
- checkfile = get_hmac_file(selfname, params_bin->key.subdir);
+ checkfile = get_hmac_file(selfname, params_bin->key.checkdir);
if (!checkfile) {
ret = -ENOMEM;
goto out;
@@ -750,13 +750,13 @@ static int fipscheck_self(const struct hash_params *params_bin,
strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
if (mode == SELFCHECK_PRINT_LIB) {
- ret = hash_files(params_lib, names, 1, 0, 1);
+ ret = hash_files(params_lib, names, 1, 0, NULL, 1);
goto out;
}
if (checkfile)
free(checkfile);
- checkfile = get_hmac_file(selfname, params_lib->key.subdir);
+ checkfile = get_hmac_file(selfname, params_lib->key.checkdir);
if (!checkfile) {
ret = -ENOMEM;
goto out;
@@ -799,6 +799,7 @@ int main(int argc, char *argv[])
char *checkfile = NULL;
const char *targetfile = NULL;
+ const char *checkdir = NULL;
uint8_t *hmackey_alloc = NULL;
uint8_t *hmackey_mmap = NULL;
int opt_index = 0;
@@ -1055,8 +1056,10 @@ int main(int argc, char *argv[])
version(argv[0]);
ret = 0;
goto out;
- case 'b':
case 'd':
+ checkdir = optarg;
+ break;
+ case 'b':
case 'P':
/* Compatibility options, just ignore */
break;
@@ -1110,7 +1113,7 @@ int main(int argc, char *argv[])
targetfile = argv[optind];
if (checkfile)
free(checkfile);
- checkfile = get_hmac_file(targetfile, params.key.subdir);
+ checkfile = get_hmac_file(targetfile, params.key.checkdir);
if (!checkfile) {
ret = 1;
goto out;
@@ -1120,7 +1123,7 @@ int main(int argc, char *argv[])
if (!checkfile)
ret = hash_files(&params, argv + optind, (argc - optind),
- fipshmac, 0);
+ fipshmac, checkdir, 0);
else if (optind == argc)
ret = process_checkfile(&params, checkfile, targetfile, loglevel);
else {

33
libkcapi.spec
View File

@ -75,23 +75,24 @@ lib_path=%{buildroot}/%{_lib} \
for app in %{apps_hmaccalc}; do \ for app in %{apps_hmaccalc}; do \
test -e "$bin_path"/$app || continue \ test -e "$bin_path"/$app || continue \
{ bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\ { bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\
| cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \ | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \
done \ done \
for app in %{apps_fipscheck}; do \ for app in %{apps_fipscheck}; do \
test -e "$bin_path"/$app || continue \ test -e "$bin_path"/$app || continue \
bin/kcapi-hasher -n fipshmac "$bin_path"/$app || exit 1 \ bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\
"$bin_path"/$app || exit 1 \
done \ done \
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \ %{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version} \\\ bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\
|| exit 1 \ "$lib_path"/libkcapi.so.%{version} || exit 1 \
%{__ln_s} .libkcapi.so.%{version}.hmac \\\ %{__ln_s} libkcapi.so.%{version}.hmac \\\
"$lib_path"/.libkcapi.so.%{vmajor}.hmac \ "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \
%{nil} %{nil}
Name: libkcapi Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch} Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 5%{?dist} Release: 6%{?dist}
Summary: User space interface to the Linux Kernel Crypto API Summary: User space interface to the Linux Kernel Crypto API
License: BSD or GPLv2 License: BSD or GPLv2
@ -101,6 +102,7 @@ Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Patch0: %{giturl}/pull/60.patch#/%{name}-1.1.1-kcapi-hasher_Fix_command-line_parsing.patch Patch0: %{giturl}/pull/60.patch#/%{name}-1.1.1-kcapi-hasher_Fix_command-line_parsing.patch
Patch1: %{giturl}/pull/61.patch#/%{name}-1.1.1-kcapi-hasher_Fix_off-by-one_error.patch Patch1: %{giturl}/pull/61.patch#/%{name}-1.1.1-kcapi-hasher_Fix_off-by-one_error.patch
Patch2: %{giturl}/pull/64.patch#/%{name}-1.1.1-kcapi-hasher_Add_missing_-d_option_to_fipshmac.patch
# Workaround for failing builds on rawhide (F29). # Workaround for failing builds on rawhide (F29).
# To be removed when this issue is patched in the kernel: # To be removed when this issue is patched in the kernel:
@ -285,7 +287,7 @@ EOF
--enable-kcapi-test \ --enable-kcapi-test \
--enable-shared \ --enable-shared \
--enable-static \ --enable-static \
--enable-sum-prefix=. \ --enable-sum-dir=/%{_lib} \
--with-pkgconfigdir=%{_libdir}/pkgconfig --with-pkgconfigdir=%{_libdir}/pkgconfig
%make_build all doc %make_build all doc
@ -371,8 +373,8 @@ popd
%license COPYING* %license COPYING*
/%{_lib}/%{name}.so.%{vmajor} /%{_lib}/%{name}.so.%{vmajor}
/%{_lib}/%{name}.so.%{version} /%{_lib}/%{name}.so.%{version}
/%{_lib}/.%{name}.so.%{vmajor}.hmac /%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac
/%{_lib}/.%{name}.so.%{version}.hmac /%{_lib}/fipscheck/%{name}.so.%{version}.hmac
%if %{with_sysctl_tweak} %if %{with_sysctl_tweak}
%doc %{_pkgdocdir}/README.%{distroname_ext} %doc %{_pkgdocdir}/README.%{distroname_ext}
%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf %{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
@ -396,21 +398,21 @@ popd
%if %{with replace_coreutils} %if %{with replace_coreutils}
%files checksum %files checksum
%{_bindir}/md5sum %{_bindir}/md5sum
%{_bindir}/.md5sum.hmac
%{_bindir}/sha*sum %{_bindir}/sha*sum
%{_bindir}/.sha*sum.hmac /%{_lib}/fipscheck/md5sum.hmac
/%{_lib}/fipscheck/sha*sum.hmac
%endif %endif
%if %{with replace_fipscheck} %if %{with replace_fipscheck}
%files fipscheck %files fipscheck
%{_bindir}/fips* %{_bindir}/fips*
%{_bindir}/.fips*.hmac /%{_lib}/fipscheck/fips*.hmac
%endif %endif
%if %{with replace_hmaccalc} %if %{with replace_hmaccalc}
%files hmaccalc %files hmaccalc
%{_bindir}/sha*hmac %{_bindir}/sha*hmac
%{_bindir}/.sha*hmac.hmac /%{_lib}/hmaccalc/sha*hmac.hmac
%endif %endif
@ -424,6 +426,9 @@ popd
%changelog %changelog
* Mon Jul 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-6
- Put .hmac files into a separate directory
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-5 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild