Enable building on old kernels

This adds scripts that mock sha512hmac and fipshmac using openssl. These are used instead of the built hashers to hash libkcapi binaries on kernels that don't suport the userspace Crypto API interface properly (e.g. RHEL-7 kernels). Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-04-29 09:07:49 +02:00 · 2020-04-29 09:07:49 +02:00 · 7393454a2f
commit 7393454a2f
parent 538d7604c9
3 changed files with 31 additions and 5 deletions
--- a/fipshmac-openssl.sh
+++ b/fipshmac-openssl.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Mocks fipshmac using the openssl tool.
+# Only for use during RPM build.
+
+[ "$1" = '-d' ] || exit 1
+
+openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \
+	>"$2/$(basename "$3").hmac"
--- a/libkcapi.spec
+++ b/libkcapi.spec
@ -72,6 +72,15 @@
 %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
 %global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac

+# On old kernels use mock hashers implemented via openssl
+%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
+%global sha512hmac bin/kcapi-hasher -n sha512hmac
+%global fipshmac   bin/kcapi-hasher -n fipshmac
+%else
+%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
+%global fipshmac   bash %{_sourcedir}/fipshmac-openssl.sh
+%endif
+
 # Add generation of HMAC checksums of the final stripped
 # binaries.  %%define with lazy globbing is used here
 # intentionally, because using %%global does not work.
@ -83,16 +92,15 @@ bin_path=%{buildroot}%{_bindir}                                  \
 lib_path=%{buildroot}/%{_lib}                                    \
 for app in %{apps_hmaccalc}; do                                  \
  test -e "$bin_path"/$app || continue                           \
-  { bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\
+  { %sha512hmac "$bin_path"/$app || exit 1; }                    \\\
    | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac            \
 done                                                             \
 for app in %{apps_fipscheck}; do                                 \
  test -e "$bin_path"/$app || continue                           \
-  bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck          \\\
-    "$bin_path"/$app || exit 1                                   \
+  %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1  \
 done                                                             \
-%{_bindir}/hardlink -cfv %{buildroot}%{_bindir}                 \
-bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck            \\\
+%{_bindir}/hardlink -cfv %{buildroot}%{_bindir}                  \
+%fipshmac -d "$lib_path"/fipscheck                               \\\
  "$lib_path"/libkcapi.so.%{version} || exit 1                   \
 %{__ln_s} libkcapi.so.%{version}.hmac                            \\\
  "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac               \
@ -108,10 +116,13 @@ License:        BSD or GPLv2
 URL:            http://www.chronox.de/%{name}.html
 Source0:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
 Source1:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
+Source2:        sha512hmac-openssl.sh
+Source3:        fipshmac-openssl.sh

 Patch100:       100-workaround-cppcheck-bug.patch
 Patch110:       110-fipshmac-compat.patch

+BuildRequires:  bash
 BuildRequires:  clang
 BuildRequires:  coreutils
 BuildRequires:  cppcheck
--- a/sha512hmac-openssl.sh
+++ b/sha512hmac-openssl.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Mocks sha512hmac using the openssl tool.
+# Only for use during RPM build.
+
+openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' '