diff --git a/004-hasher-target-option.patch b/004-hasher-target-option.patch
new file mode 100644
index 0000000..69f84c7
--- /dev/null
+++ b/004-hasher-target-option.patch
@@ -0,0 +1,160 @@
+diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
+index f5caf77..a934fd9 100644
+--- a/apps/kcapi-hasher.c
++++ b/apps/kcapi-hasher.c
+@@ -153,15 +153,17 @@ static void usage(char *name, int fipscheck)
+ if (fipscheck)
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
+ else {
+- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
++ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
+ }
+ fprintf(stderr, "\nOptions:\n");
+ fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
+ fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
+ fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
+- if (!fipscheck)
++ if (!fipscheck) {
+ fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
++ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n");
++ }
+ fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
+ fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n");
+ fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n");
+@@ -543,7 +545,7 @@ static int hash_files(const struct hash_params *params,
+ #define CHK_STATUS (2)
+
+ static int process_checkfile(const struct hash_params *params,
+- const char *checkfile, const char *targetfile, int log)
++ const char *checkfile, const char *targetfile, int log, int fipscheck)
+ {
+ FILE *file = NULL;
+ int ret = 0;
+@@ -583,7 +585,7 @@ static int process_checkfile(const struct hash_params *params,
+ }
+
+ while (fgets(buf, sizeof(buf), file)) {
+- char *filename = NULL; // parsed file name
++ const char *filename = NULL; // parsed file name
+ char *hexhash = NULL; // parsed hex value of hash
+ uint32_t hexhashlen = 0; // length of hash hex value
+ uint32_t linelen = (uint32_t)strlen(buf);
+@@ -658,17 +660,7 @@ static int process_checkfile(const struct hash_params *params,
+ goto out;
+ }
+
+- /* fipscheck does not have the filename in the check file */
+- if (targetfile) {
+- ret = hasher(handle, params, targetfile,
+- hexhash, hexhashlen, stdout);
+- checked_any = 1;
+- goto out;
+- }
+-
+ if (filename) {
+- int r;
+-
+ if (!bsd_style) {
+ if (!isblank(filename[0]) ||
+ (!isblank(filename[1]) && filename[1] != '*')) {
+@@ -678,20 +670,28 @@ static int process_checkfile(const struct hash_params *params,
+ }
+ filename += 2;
+ }
++ }
++
++ /*
++ * if targetfile is specified, use it instead of the filename
++ * found inside the checkfile
++ */
++ if (targetfile)
++ filename = targetfile;
+
+- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
++ if (filename) {
++ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
++ checked_any = 1;
++ if (fipscheck)
++ goto out;
+
+- if (r == 0) {
++ if (ret == 0) {
+ if (log < CHK_QUIET)
+ printf("%s: OK\n", filename);
+ } else {
+ if (log < CHK_STATUS)
+- printf("%s: Not OK\n",
+- filename);
+- if (ret >= 0)
+- ret++;
++ printf("%s: Not OK\n", filename);
+ }
+- checked_any = 1;
+ }
+ }
+
+@@ -783,7 +783,7 @@ static int fipscheck_self(const struct hash_params *params_bin,
+ goto out;
+ }
+
+- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
++ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1);
+ if (ret)
+ goto out;
+ }
+@@ -823,7 +823,7 @@ static int fipscheck_self(const struct hash_params *params_bin,
+ goto out;
+ }
+
+- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
++ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1);
+ }
+
+ out:
+@@ -878,12 +878,13 @@ int main(int argc, char *argv[])
+ {0, 0, 0, 0}
+ };
+
+- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz";
++ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz";
+ static const struct option opts[] = {
+ {"help", 0, 0, 0},
+ {"tag", 0, 0, 0},
+ {"quiet", 0, 0, 0},
+ {"check", 1, 0, 'c'},
++ {"target", 1, 0, 'T'},
+ {"unkeyed", 0, 0, 'u'},
+ {"hash", 1, 0, 'h'},
+ {"truncate", 1, 0, 't'},
+@@ -1129,6 +1130,9 @@ int main(int argc, char *argv[])
+ version(argv[0]);
+ ret = 0;
+ goto out;
++ case 'T':
++ targetfile = optarg;
++ break;
+ case 'd':
+ checkdir = optarg;
+ break;
+@@ -1198,6 +1202,11 @@ int main(int argc, char *argv[])
+ ret = 1;
+ goto out;
+ }
++ if (targetfile) {
++ fprintf(stderr, "-T is not valid for fipscheck\n");
++ ret = 1;
++ goto out;
++ }
+
+ targetfile = argv[optind];
+ if (checkfile)
+@@ -1215,7 +1224,7 @@ int main(int argc, char *argv[])
+ (uint32_t)(argc - optind),
+ fipshmac, checkdir, 0);
+ else if (optind == argc)
+- ret = process_checkfile(¶ms, checkfile, targetfile, loglevel);
++ ret = process_checkfile(¶ms, checkfile, targetfile, loglevel, fipscheck);
+ else {
+ fprintf(stderr, "-c cannot be used with input files\n");
+ ret = 1;
diff --git a/libkcapi.spec b/libkcapi.spec
index 2006edd..c06775c 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -136,6 +136,7 @@ Source3: fipshmac-openssl.sh Patch1: 001-tests-kernel-version.patch Patch2: 002-fips-disable-ansi_cprng.patch Patch3: 003-zeroize-hasher.patch +Patch4: 004-hasher-target-option.patch BuildRequires: bash BuildRequires: coreutils
@@ -525,6 +526,8 @@ popd Resolves: RHEL-2405 - Add a patch to zeroize kcapi-hasher for FIPS 140-3 Resolves: RHEL-15112 +- Add a patch to allow overriding target file in kcapi-hasher + Resolves: RHEL-15298 * Mon Aug 09 2021 Mohan Boddu - 1.3.1-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
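Review bot: In the `@@ -678,20 +670,28 @@` part of the new patch, `ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout);` now overwrites process_checkfile's return value on every line of the check file, and the removed `if (ret >= 0) ret++;` no longer accumulates failures, so a check file in which an earlier entry mismatches but the last entry verifies ends with `ret == 0` and the whole verification reports success — for an integrity checker that means one bad entry is masked by any later good one, where the old code kept a per-line `r` and counted failures in `ret`. The `while` loop and the function continue past the hunk, so a later re-aggregation cannot be ruled out from here, but nothing visible does it; keeping a per-line result as below preserves the fipscheck early return and restores the failure count. A secondary point: `case 'T'` in main stores `targetfile` unconditionally and the new `-T is not valid for fipscheck` rejection sits on the fipscheck path only, so as far as these hunks show `-T` without `-c` is accepted and silently ignored on the hash_files path; a `-T requires -c` error next to that check would match the usage text.
```c
		if (filename) {
			int r = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
			checked_any = 1;
			if (fipscheck) {
				ret = r;
				goto out;
			}

			if (r == 0) {
				/* … unchanged: "OK" report … */
			} else {
				if (log < CHK_STATUS)
					printf("%s: Not OK\n", filename);
				/* count failures so one mismatch is never hidden by a later OK line */
				if (ret >= 0)
					ret++;
			}
		}
```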