Enable building on old kernels

This adds scripts that mock sha512hmac and fipshmac using openssl. These
are used instead of the built hashers to hash libkcapi binaries on
kernels that don't suport the userspace Crypto API interface properly
(e.g. RHEL-7 kernels).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

fipshmac-openssl.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Mocks fipshmac using the openssl tool.
+# Only for use during RPM build.
+
+[ "$1" = '-d' ] || exit 1
+
+openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \
+	>"$2/$(basename "$3").hmac"

libkcapi.spec

@@ -72,6 +72,15 @@
 %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
 %global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac
 
+# On old kernels use mock hashers implemented via openssl
+%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
+%global sha512hmac bin/kcapi-hasher -n sha512hmac
+%global fipshmac   bin/kcapi-hasher -n fipshmac
+%else
+%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
+%global fipshmac   bash %{_sourcedir}/fipshmac-openssl.sh
+%endif
+
 # Add generation of HMAC checksums of the final stripped
 # binaries.  %%define with lazy globbing is used here
 # intentionally, because using %%global does not work.
@@ -83,16 +92,15 @@ bin_path=%{buildroot}%{_bindir}                                  \
 lib_path=%{buildroot}/%{_lib}                                    \
 for app in %{apps_hmaccalc}; do                                  \
   test -e "$bin_path"/$app || continue                           \
-  { bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\
+  { %sha512hmac "$bin_path"/$app || exit 1; }                    \\\
     | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac            \
 done                                                             \
 for app in %{apps_fipscheck}; do                                 \
   test -e "$bin_path"/$app || continue                           \
-  bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck          \\\
+  %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1  \
-    "$bin_path"/$app || exit 1                                   \
 done                                                             \
-%{_bindir}/hardlink -cfv %{buildroot}%{_bindir}                 \
+%{_bindir}/hardlink -cfv %{buildroot}%{_bindir}                  \
-bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck            \\\
+%fipshmac -d "$lib_path"/fipscheck                               \\\
   "$lib_path"/libkcapi.so.%{version} || exit 1                   \
 %{__ln_s} libkcapi.so.%{version}.hmac                            \\\
   "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac               \
@@ -108,10 +116,13 @@ License:        BSD or GPLv2
 URL:            http://www.chronox.de/%{name}.html
 Source0:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
 Source1:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
+Source2:        sha512hmac-openssl.sh
+Source3:        fipshmac-openssl.sh
 
 Patch100:       100-workaround-cppcheck-bug.patch
 Patch110:       110-fipshmac-compat.patch
 
+BuildRequires:  bash
 BuildRequires:  clang
 BuildRequires:  coreutils
 BuildRequires:  cppcheck

sha512hmac-openssl.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Mocks sha512hmac using the openssl tool.
+# Only for use during RPM build.
+
+openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' '