Rebase to 1.5.0
Resolves: RHEL-50457, RHEL-50459 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
parent
9724829fa5
commit
a03bc9dfb1
12
001-revert-docbook-version.patch
Normal file
12
001-revert-docbook-version.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --color -ruNp a/lib/doc/libkcapi.tmpl b/lib/doc/libkcapi.tmpl
|
||||
--- a/lib/doc/libkcapi.tmpl 2023-07-29 17:47:11.011047980 +0200
|
||||
+++ b/lib/doc/libkcapi.tmpl 2024-07-26 09:29:17.777668566 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V45//EN"
|
||||
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" []>
|
||||
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []>
|
||||
|
||||
<book id="libkcapi" revision="@@LIBVERSION@@">
|
||||
<bookinfo>
|
@ -1,40 +0,0 @@
|
||||
From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 10:19:50 +0200
|
||||
Subject: [PATCH] tests: fix overly-optimistic kernel version checks
|
||||
|
||||
The mainline kernel is now at version 6.0 so these >= 5.99 checks are
|
||||
now incorrectly enabling tests that don't work. Instead of bumping the
|
||||
imaginary version and face the same problem again in a couple years,
|
||||
replace the checks with 'false' and a TODO comment.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
||||
---
|
||||
test/test.sh | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/test/test.sh b/test/test.sh
|
||||
index 1d9be73..a75b802 100755
|
||||
--- a/test/test.sh
|
||||
+++ b/test/test.sh
|
||||
@@ -1560,7 +1560,8 @@ else
|
||||
echo_deact "AEAD tests of copied AAD deactivated"
|
||||
fi
|
||||
|
||||
-if $(check_min_kernelver 5 99); then
|
||||
+# TODO add version check when supported upstream
|
||||
+if false; then
|
||||
asymfunc 4
|
||||
asymfunc 4 -s
|
||||
asymfunc 4 -v
|
||||
@@ -1583,7 +1584,8 @@ else
|
||||
echo_deact "All asymmetric tests deactivated"
|
||||
fi
|
||||
|
||||
-if $(check_min_kernelver 5 99); then
|
||||
+# TODO add version check when supported upstream
|
||||
+if false; then
|
||||
kppfunc 13
|
||||
kppfunc 13 X -m
|
||||
kppfunc 13 -v
|
@ -1,74 +0,0 @@
|
||||
From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001
|
||||
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Date: Fri, 11 Aug 2023 12:20:22 +0200
|
||||
Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode
|
||||
|
||||
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
||||
---
|
||||
test/kcapi-main.c | 45 ++++++++++++++++++++++-----------------------
|
||||
1 file changed, 22 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
|
||||
index 67fb53f..23fc8ed 100644
|
||||
--- a/test/kcapi-main.c
|
||||
+++ b/test/kcapi-main.c
|
||||
@@ -652,8 +652,6 @@ static int is_fips_mode(void)
|
||||
static int auxiliary_tests(void)
|
||||
{
|
||||
struct kcapi_handle *handle = NULL;
|
||||
- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)"
|
||||
- : "ansi_cprng";
|
||||
int ret = 0;
|
||||
|
||||
if (kcapi_aead_init(&handle, "ccm(aes)", 0)) {
|
||||
@@ -711,27 +709,28 @@ static int auxiliary_tests(void)
|
||||
if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0))
|
||||
ret++;
|
||||
|
||||
- /* X9.31 RNG must require seed */
|
||||
- printf("X9.31 missing seeding: ");
|
||||
- if (!aux_test_rng(ansi_cprng_name, NULL, 0))
|
||||
- ret++;
|
||||
- /* X9.31 seed too short */
|
||||
- printf("X9.31 insufficient seeding: ");
|
||||
- if (!aux_test_rng(ansi_cprng_name,
|
||||
- (uint8_t *)
|
||||
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
|
||||
- ret++;
|
||||
- /* X9.31 seed right sized short */
|
||||
- if (aux_test_rng(ansi_cprng_name,
|
||||
- (uint8_t *)
|
||||
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
|
||||
- printf("Error for %s: kernel module ansi_cprng present?\n",
|
||||
- ansi_cprng_name);
|
||||
- ret++;
|
||||
+ if (!is_fips_mode()) {
|
||||
+ /* X9.31 RNG must require seed */
|
||||
+ printf("X9.31 missing seeding: ");
|
||||
+ if (!aux_test_rng("ansi_cprng", NULL, 0))
|
||||
+ ret++;
|
||||
+ /* X9.31 seed too short */
|
||||
+ printf("X9.31 insufficient seeding: ");
|
||||
+ if (!aux_test_rng("ansi_cprng",
|
||||
+ (uint8_t *)
|
||||
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
|
||||
+ ret++;
|
||||
+ /* X9.31 seed right sized short */
|
||||
+ if (aux_test_rng("ansi_cprng",
|
||||
+ (uint8_t *)
|
||||
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
|
||||
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
|
||||
+ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n");
|
||||
+ ret++;
|
||||
+ }
|
||||
}
|
||||
|
||||
return ret;
|
@ -1,58 +0,0 @@
|
||||
From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
|
||||
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Date: Wed, 1 Nov 2023 10:54:03 +0100
|
||||
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Requirement introduced by AS05.10:
|
||||
"The temporary value(s) generated during the integrity test of the
|
||||
module’s software or firmware shall [05.10] be zeroised from the module
|
||||
upon completion of the integrity test;"
|
||||
|
||||
As some modules use fipscheck or sha*hmac for integrity tests, these
|
||||
temporary values need to be zeroised from the hasher.
|
||||
|
||||
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
||||
---
|
||||
apps/kcapi-hasher.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
index 098b655..f5caf77 100644
|
||||
--- a/apps/kcapi-hasher.c
|
||||
+++ b/apps/kcapi-hasher.c
|
||||
@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
||||
if (hashlen > (uint32_t)ret) {
|
||||
fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
|
||||
(unsigned long)hashlen, ret);
|
||||
+ kcapi_memset_secure(md, 0, sizeof(md));
|
||||
return (int)ret;
|
||||
}
|
||||
|
||||
@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
||||
ret = 1;
|
||||
else
|
||||
ret = 0;
|
||||
+ kcapi_memset_secure(compmd, 0, sizeof(compmd));
|
||||
} else {
|
||||
if (outfile == NULL) { /* only print hash (hmaccalc -S) */
|
||||
bin2print(md, hashlen, NULL, stdout,
|
||||
@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
|
||||
fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
|
||||
filename ? filename : "stdin", ret);
|
||||
}
|
||||
+ kcapi_memset_secure(md, 0, sizeof(md));
|
||||
return (int)ret;
|
||||
}
|
||||
|
||||
@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
|
||||
if (file)
|
||||
fclose(file);
|
||||
kcapi_md_destroy(handle);
|
||||
+ kcapi_memset_secure(buf, 0, sizeof(buf));
|
||||
|
||||
/*
|
||||
* If we found no lines to check, return an error.
|
@ -1,185 +0,0 @@
|
||||
diff --color -ruNp a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
--- a/apps/kcapi-hasher.c 2023-11-28 17:08:09.124214489 +0100
|
||||
+++ b/apps/kcapi-hasher.c 2023-11-28 17:11:12.975963482 +0100
|
||||
@@ -140,15 +140,17 @@ static void usage(char *name, int fipsch
|
||||
if (fipscheck)
|
||||
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
|
||||
else {
|
||||
- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
|
||||
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base);
|
||||
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
|
||||
}
|
||||
fprintf(stderr, "\nOptions:\n");
|
||||
fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
|
||||
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
|
||||
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
|
||||
- if (!fipscheck)
|
||||
+ if (!fipscheck) {
|
||||
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
|
||||
+ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n");
|
||||
+ }
|
||||
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
|
||||
fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n");
|
||||
fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n");
|
||||
@@ -530,11 +532,12 @@ static int hash_files(const struct hash_
|
||||
#define CHK_STATUS (2)
|
||||
|
||||
static int process_checkfile(const struct hash_params *params,
|
||||
- const char *checkfile, const char *targetfile, int log)
|
||||
+ const char *checkfile, const char *targetfile, int log, int fipscheck)
|
||||
{
|
||||
FILE *file = NULL;
|
||||
int ret = 0;
|
||||
int checked_any = 0;
|
||||
+ int failed_any = 0;
|
||||
struct kcapi_handle *handle;
|
||||
const char *hashname = params->name.kcapiname;
|
||||
|
||||
@@ -570,7 +573,7 @@ static int process_checkfile(const struc
|
||||
}
|
||||
|
||||
while (fgets(buf, sizeof(buf), file)) {
|
||||
- char *filename = NULL; // parsed file name
|
||||
+ const char *filename = NULL; // parsed file name
|
||||
char *hexhash = NULL; // parsed hex value of hash
|
||||
uint32_t hexhashlen = 0; // length of hash hex value
|
||||
uint32_t linelen = (uint32_t)strlen(buf);
|
||||
@@ -645,17 +648,7 @@ static int process_checkfile(const struc
|
||||
goto out;
|
||||
}
|
||||
|
||||
- /* fipscheck does not have the filename in the check file */
|
||||
- if (targetfile) {
|
||||
- ret = hasher(handle, params, targetfile,
|
||||
- hexhash, hexhashlen, stdout);
|
||||
- checked_any = 1;
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
if (filename) {
|
||||
- int r;
|
||||
-
|
||||
if (!bsd_style) {
|
||||
if (!isblank(filename[0]) ||
|
||||
(!isblank(filename[1]) && filename[1] != '*')) {
|
||||
@@ -665,20 +658,29 @@ static int process_checkfile(const struc
|
||||
}
|
||||
filename += 2;
|
||||
}
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * if targetfile is specified, use it instead of the filename
|
||||
+ * found inside the checkfile
|
||||
+ */
|
||||
+ if (targetfile)
|
||||
+ filename = targetfile;
|
||||
|
||||
- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
|
||||
+ if (filename) {
|
||||
+ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
|
||||
+ checked_any = 1;
|
||||
+ if (fipscheck)
|
||||
+ goto out;
|
||||
|
||||
- if (r == 0) {
|
||||
+ if (ret == 0) {
|
||||
if (log < CHK_QUIET)
|
||||
printf("%s: OK\n", filename);
|
||||
} else {
|
||||
+ failed_any = 1;
|
||||
if (log < CHK_STATUS)
|
||||
- printf("%s: Not OK\n",
|
||||
- filename);
|
||||
- if (ret >= 0)
|
||||
- ret++;
|
||||
+ printf("%s: Not OK\n", filename);
|
||||
}
|
||||
- checked_any = 1;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -692,7 +694,7 @@ out:
|
||||
* If we found no lines to check, return an error.
|
||||
* (See https://pagure.io/hmaccalc/c/1afb99549816192eb8e6bc8101bc417c2ffa764c)
|
||||
*/
|
||||
- return ret != 0 ? ret : !checked_any;
|
||||
+ return ret != 0 ? ret : !(checked_any && !failed_any);
|
||||
|
||||
}
|
||||
|
||||
@@ -770,7 +772,7 @@ static int fipscheck_self(const struct h
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
|
||||
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
@@ -810,7 +812,7 @@ static int fipscheck_self(const struct h
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
|
||||
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1);
|
||||
}
|
||||
|
||||
out:
|
||||
@@ -866,12 +868,13 @@ int main(int argc, char *argv[])
|
||||
{0, 0, 0, 0}
|
||||
};
|
||||
|
||||
- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz";
|
||||
+ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz";
|
||||
static const struct option opts[] = {
|
||||
{"help", 0, 0, 0},
|
||||
{"tag", 0, 0, 0},
|
||||
{"quiet", 0, 0, 0},
|
||||
{"check", 1, 0, 'c'},
|
||||
+ {"target", 1, 0, 'T'},
|
||||
{"unkeyed", 0, 0, 'u'},
|
||||
{"hash", 1, 0, 'h'},
|
||||
{"truncate", 1, 0, 't'},
|
||||
@@ -1124,6 +1127,9 @@ int main(int argc, char *argv[])
|
||||
version(argv[0]);
|
||||
ret = 0;
|
||||
goto out;
|
||||
+ case 'T':
|
||||
+ targetfile = optarg;
|
||||
+ break;
|
||||
case 'd':
|
||||
checkdir = optarg;
|
||||
break;
|
||||
@@ -1180,6 +1186,11 @@ int main(int argc, char *argv[])
|
||||
ret = 1;
|
||||
goto out;
|
||||
}
|
||||
+ if (targetfile) {
|
||||
+ fprintf(stderr, "-T is not valid for fipscheck\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
targetfile = argv[optind];
|
||||
if (checkfile)
|
||||
@@ -1192,12 +1203,18 @@ int main(int argc, char *argv[])
|
||||
optind++;
|
||||
}
|
||||
|
||||
+ if (targetfile && !checkfile) {
|
||||
+ fprintf(stderr, "-T cannot be used without -c\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
if (!checkfile)
|
||||
ret = hash_files(¶ms, argv + optind,
|
||||
(uint32_t)(argc - optind),
|
||||
fipshmac, checkdir, 0);
|
||||
else if (optind == argc)
|
||||
- ret = process_checkfile(¶ms, checkfile, targetfile, loglevel);
|
||||
+ ret = process_checkfile(¶ms, checkfile, targetfile, loglevel, fipscheck);
|
||||
else {
|
||||
fprintf(stderr, "-c cannot be used with input files\n");
|
||||
ret = 1;
|
@ -1,320 +0,0 @@
|
||||
From 8dc30412618019f5480f993c637e4cf0f5a11a39 Mon Sep 17 00:00:00 2001
|
||||
From: Zoltan Fridrich <zfridric@redhat.com>
|
||||
Date: Tue, 28 Nov 2023 09:34:29 +0100
|
||||
Subject: [PATCH] Fix kcapi tests in FIPS mode
|
||||
|
||||
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
|
||||
---
|
||||
test/hasher-test.sh | 23 +++++++++++---
|
||||
test/kcapi-convenience.c | 2 +-
|
||||
test/kcapi-dgst-test.sh | 16 +++++-----
|
||||
test/kcapi-enc-test.sh | 16 +++++-----
|
||||
test/test.sh | 67 ++++++++++++++++++++++++++++++----------
|
||||
5 files changed, 86 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
|
||||
index c90fcc9..e97127e 100755
|
||||
--- a/test/hasher-test.sh
|
||||
+++ b/test/hasher-test.sh
|
||||
@@ -26,6 +26,11 @@ HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
|
||||
CHKFILE="${TMPDIR}/chk.$$"
|
||||
ANOTHER="${TMPDIR}/test.$$"
|
||||
|
||||
+is_fips_enabled()
|
||||
+{
|
||||
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
|
||||
+}
|
||||
+
|
||||
if [ "$KCAPI_TEST_LOCAL" -eq 1 ]; then
|
||||
find_platform kcapi-hasher
|
||||
function run_hasher() {
|
||||
@@ -365,7 +370,11 @@ fi
|
||||
for suffix in $KAT_SUFFIXES
|
||||
do
|
||||
run_kat sha1$suffix "RFC 2202, section 3, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb617318655057264e28bc0b6fb378c8ef146be00
|
||||
- run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
|
||||
+ if is_fips_enabled; then
|
||||
+ echo_deact "'RFC 2202, section 3, #2' test case deactivated in FIPS"
|
||||
+ else
|
||||
+ run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
|
||||
+ fi
|
||||
run_kat sha1$suffix "RFC 2202, section 3, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3
|
||||
run_kat sha1$suffix "RFC 2202, section 3, #4" 0x0102030405060708090a0b0c0d0e0f10111213141516171819 0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da
|
||||
run_kat sha1$suffix "RFC 2202, section 3, #5" 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c "Test With Truncation" 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
|
||||
@@ -374,9 +383,15 @@ do
|
||||
run_kat sha256$suffix "RFC 4231, section 4.2, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
|
||||
run_kat sha384$suffix "RFC 4231, section 4.2, #2" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xafd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6
|
||||
run_kat sha512$suffix "RFC 4231, section 4.2, #3" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0x87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854
|
||||
- run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
|
||||
- run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
|
||||
- run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
|
||||
+ if is_fips_enabled; then
|
||||
+ echo_deact "'RFC 4231, section 4.3, #1' test case deactivated in FIPS"
|
||||
+ echo_deact "'RFC 4231, section 4.3, #2' test case deactivated in FIPS"
|
||||
+ echo_deact "'RFC 4231, section 4.3, #3' test case deactivated in FIPS"
|
||||
+ else
|
||||
+ run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
|
||||
+ run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
|
||||
+ run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
|
||||
+ fi
|
||||
run_kat sha256$suffix "RFC 4231, section 4.4, #1" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe
|
||||
run_kat sha384$suffix "RFC 4231, section 4.4, #2" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27
|
||||
run_kat sha512$suffix "RFC 4231, section 4.4, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0xfa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb
|
||||
diff --git a/test/kcapi-convenience.c b/test/kcapi-convenience.c
|
||||
index c5ff4b4..1cdaebe 100644
|
||||
--- a/test/kcapi-convenience.c
|
||||
+++ b/test/kcapi-convenience.c
|
||||
@@ -63,7 +63,7 @@ static int hashtest(void)
|
||||
|
||||
static int hmactest(void)
|
||||
{
|
||||
- char *in = "teststring";
|
||||
+ char *in = "longteststring";
|
||||
uint8_t out[64];
|
||||
ssize_t ret;
|
||||
|
||||
diff --git a/test/kcapi-dgst-test.sh b/test/kcapi-dgst-test.sh
|
||||
index 0ad5ed3..67576b3 100755
|
||||
--- a/test/kcapi-dgst-test.sh
|
||||
+++ b/test/kcapi-dgst-test.sh
|
||||
@@ -105,8 +105,8 @@ test_stdin_stdout()
|
||||
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||
diff_file $GENDGST $GENDGST.openssl "STDIN / STDOUT test (keyed MD $keysize bits)"
|
||||
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
|
||||
|
||||
diff_file $GENDGST $GENDGST.2 "STDIN / STDOUT test (password)"
|
||||
}
|
||||
@@ -135,8 +135,8 @@ test_stdin_fileout()
|
||||
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||
diff_file $GENDGST $GENDGST.openssl "STDIN / FILEOUT test (keyed MD $keysize bits)"
|
||||
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
|
||||
|
||||
diff_file $GENDGST $GENDGST.2 "STDIN / FILEOUT test (password)"
|
||||
}
|
||||
@@ -165,8 +165,8 @@ test_filein_stdout()
|
||||
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||
diff_file $GENDGST $GENDGST.openssl "FILEIN / STDOUT test (keyed MD $keysize bits)"
|
||||
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
|
||||
|
||||
diff_file $GENDGST $GENDGST.2 "FILEIN / STDOUT test (password)"
|
||||
}
|
||||
@@ -197,8 +197,8 @@ test_filein_fileout()
|
||||
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
|
||||
diff_file $GENDGST $GENDGST.openssl "FILEIN / FILEOUT test (keyed MD $keysize bits)"
|
||||
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
|
||||
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
|
||||
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
|
||||
|
||||
diff_file $GENDGST $GENDGST.2 "FILEIN / FILEOUT test (password)"
|
||||
}
|
||||
diff --git a/test/kcapi-enc-test.sh b/test/kcapi-enc-test.sh
|
||||
index 3ace39c..63d2b23 100755
|
||||
--- a/test/kcapi-enc-test.sh
|
||||
+++ b/test/kcapi-enc-test.sh
|
||||
@@ -163,8 +163,8 @@ test_stdin_stdout()
|
||||
diff_file $GENCT $GENCT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
|
||||
diff_file $GENPT $GENPT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
|
||||
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
|
||||
|
||||
diff_file $ORIGPT $GENPT "STDIN / STDOUT enc test (password)"
|
||||
}
|
||||
@@ -195,8 +195,8 @@ test_stdin_fileout()
|
||||
diff_file $GENCT $GENCT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
|
||||
diff_file $GENPT $GENPT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
|
||||
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
|
||||
|
||||
diff_file $ORIGPT $GENPT "STDIN / FILEOUT enc test (password)"
|
||||
}
|
||||
@@ -227,8 +227,8 @@ test_filein_stdout()
|
||||
diff_file $GENCT $GENCT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
|
||||
diff_file $GENPT $GENPT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
|
||||
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
|
||||
|
||||
diff_file $ORIGPT $GENPT "FILEIN / STDOUT enc test (password)"
|
||||
}
|
||||
@@ -271,8 +271,8 @@ test_filein_fileout()
|
||||
diff_file $GENCT $GENCT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
|
||||
diff_file $GENPT $GENPT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
|
||||
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
|
||||
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
|
||||
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
|
||||
|
||||
diff_file $ORIGPT $GENPT "FILEIN / FILEOUT enc test (password)"
|
||||
}
|
||||
diff --git a/test/test.sh b/test/test.sh
|
||||
index b889335..e07589e 100755
|
||||
--- a/test/test.sh
|
||||
+++ b/test/test.sh
|
||||
@@ -450,27 +450,27 @@ PBKDF_exp_7="133a4ce837b4d2521ee2bf03e11c71ca794e0797"
|
||||
|
||||
PBKDF_name_8="hmac(sha256)"
|
||||
PBKDF_salt_8="73616c74"
|
||||
-PBKDF_pw_8="70617373776f7264"
|
||||
+PBKDF_pw_8="70617373776f726470617373776f7264"
|
||||
PBKDF_count_8=4096
|
||||
-PBKDF_exp_8="c5e478d59288c841aa530db6845c4c8d962893a0"
|
||||
+PBKDF_exp_8="9cefdbeb6abaaf0e0b6fa3fb5bc9f2b8301d6aca"
|
||||
|
||||
PBKDF_name_9="hmac(sha224)"
|
||||
PBKDF_salt_9="73616c74"
|
||||
-PBKDF_pw_9="70617373776f7264"
|
||||
+PBKDF_pw_9="70617373776f726470617373776f7264"
|
||||
PBKDF_count_9=4096
|
||||
-PBKDF_exp_9="218c453bf90635bd0a21a75d172703ff6108ef60"
|
||||
+PBKDF_exp_9="624f7dd223ae0bd8d46a69b27f84e703e7dadd70"
|
||||
|
||||
PBKDF_name_10="hmac(sha384)"
|
||||
PBKDF_salt_10="73616c74"
|
||||
-PBKDF_pw_10="70617373776f7264"
|
||||
+PBKDF_pw_10="70617373776f726470617373776f7264"
|
||||
PBKDF_count_10=4096
|
||||
-PBKDF_exp_10="559726be38db125bc85ed7895f6e3cf574c7a01c"
|
||||
+PBKDF_exp_10="2c34a3242a138933c63fce6d827e4acf57ef528d"
|
||||
|
||||
PBKDF_name_11="hmac(sha512)"
|
||||
PBKDF_salt_11="73616c74"
|
||||
-PBKDF_pw_11="70617373776f7264"
|
||||
+PBKDF_pw_11="70617373776f726470617373776f7264"
|
||||
PBKDF_count_11=4096
|
||||
-PBKDF_exp_11="d197b1b33db0143e018b12f3d1d1479e6cdebdcc"
|
||||
+PBKDF_exp_11="299ae1f55743f2cb81be4a417b878ab32374660b"
|
||||
|
||||
PBKDF_name_12="cmac(aes)"
|
||||
PBKDF_salt_12="73616c74"
|
||||
@@ -480,9 +480,9 @@ PBKDF_exp_12="c4c112c6e1e3b8757640603dec78825ff87605a7"
|
||||
|
||||
PBKDF_name_13="hmac(sha512)"
|
||||
PBKDF_salt_13="73616c74"
|
||||
-PBKDF_pw_13="70617373776f7264"
|
||||
+PBKDF_pw_13="70617373776f726470617373776f7264"
|
||||
PBKDF_count_13=4096
|
||||
-PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5d6883f0be4c24d363b638f4c2f8d917533cd4158937d0b490697a64adadb07f180c323080a7368033eeadf9e612b2e"
|
||||
+PBKDF_exp_13="299ae1f55743f2cb81be4a417b878ab32374660b17f5b328662e56296582e8a285c307947b41e00fed812c978212394574f57756c481b3d64cc91659f75a468383bcad1e25f2b85c15f8ac7004484889081eb91001b0feab9b12dd51e001491c795bdf45ff880ffe493e7acdd91f1a"
|
||||
|
||||
###########################################################################
|
||||
###########################################################################
|
||||
@@ -491,9 +491,9 @@ PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b514
|
||||
#RFC 5869 Appendix A vectors
|
||||
HKDF_name_1="hmac(sha256)"
|
||||
HKDF_ikm_1="0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"
|
||||
-HKDF_salt_1="000102030405060708090a0b0c"
|
||||
+HKDF_salt_1="000102030405060708090a0b0c0d"
|
||||
HKDF_info_1="f0f1f2f3f4f5f6f7f8f9"
|
||||
-HKDF_exp_1="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
|
||||
+HKDF_exp_1="cb95d056d6ba6f084df0a03a3317bcca7f83773204b76f527f4f06736168a52bbcd88869a3a4e7972dcd"
|
||||
|
||||
HKDF_name_2="hmac(sha256)"
|
||||
HKDF_ikm_2="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"
|
||||
@@ -555,6 +555,11 @@ KPP_exp_2="78fbd4d1ed7ea6fc8f1e1a6f8a5c750845401589ad3c135088b4ec78f54c57b436d1a
|
||||
###########################################################################
|
||||
###########################################################################
|
||||
|
||||
+is_fips_enabled()
|
||||
+{
|
||||
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
|
||||
+}
|
||||
+
|
||||
# Test required for test with multiple IOVECs on i686
|
||||
check_memory() {
|
||||
if [ $(cat /proc/sys/net/core/optmem_max) -lt $1 ]
|
||||
@@ -576,7 +581,14 @@ check_memory_soft() {
|
||||
hashfunc()
|
||||
{
|
||||
stream=$1
|
||||
- HASHEXEC="1 2 3 4 5 6 7 8 9"
|
||||
+
|
||||
+ if is_fips_enabled; then
|
||||
+ echo_deact "Hash tests using 3DES are disabled in FIPS"
|
||||
+ HASHEXEC="2 3 4 5 6 7 8 9"
|
||||
+ else
|
||||
+ HASHEXEC="1 2 3 4 5 6 7 8 9"
|
||||
+ fi
|
||||
+
|
||||
for i in $HASHEXEC
|
||||
do
|
||||
eval HASH_name=\$HASH_name_$i
|
||||
@@ -630,7 +642,12 @@ symfunc()
|
||||
aligned=$3
|
||||
aiofallback=$4
|
||||
|
||||
- SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
|
||||
+ if is_fips_enabled; then
|
||||
+ echo_deact "Symmetric tests using 3DES are disabled in FIPS"
|
||||
+ SYMEXEC="1 2 3 8 9 10 11 12"
|
||||
+ else
|
||||
+ SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
|
||||
+ fi
|
||||
|
||||
if [ x"$stream" = x"X" ]
|
||||
then
|
||||
@@ -666,7 +683,11 @@ symfunc()
|
||||
|
||||
# Disable XTS tests for multi-threading due to the issue
|
||||
# discussed in https://github.com/smuellerDD/libkcapi/issues/92
|
||||
- SYMEXEC="1 2 3 4 5 6 7"
|
||||
+ if is_fips_enabled; then
|
||||
+ SYMEXEC="1 2 3"
|
||||
+ else
|
||||
+ SYMEXEC="1 2 3 4 5 6 7"
|
||||
+ fi
|
||||
else
|
||||
sout="one shot"
|
||||
fi
|
||||
@@ -1148,7 +1169,13 @@ pbkdftest()
|
||||
{
|
||||
aligned=$1
|
||||
|
||||
- PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
|
||||
+ if is_fips_enabled; then
|
||||
+ echo_deact "PBKDF tests using SHA1 are disabled in FIPS"
|
||||
+ PBKDFEXEC="8 9 10 11 12 13"
|
||||
+ else
|
||||
+ PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
|
||||
+ fi
|
||||
+
|
||||
for i in $PBKDFEXEC
|
||||
do
|
||||
eval PBKDF_name=\$PBKDF_name_$i
|
||||
@@ -1185,7 +1212,13 @@ hkdftest()
|
||||
{
|
||||
aligned=$1
|
||||
|
||||
- HKDFEXEC="1 2 3 4 5 6 7"
|
||||
+ if is_fips_enabled; then
|
||||
+ echo_deact "HKDF tests using SHA1 and zero length salts are disabled in FIPS"
|
||||
+ HKDFEXEC="1 2"
|
||||
+ else
|
||||
+ HKDFEXEC="1 2 3 4 5 6 7"
|
||||
+ fi
|
||||
+
|
||||
for i in $HKDFEXEC
|
||||
do
|
||||
eval HKDF_name=\$HKDF_name_$i
|
@ -1,6 +1,6 @@
|
||||
# Shared object version of libkcapi.
|
||||
%global vmajor 1
|
||||
%global vminor 4
|
||||
%global vminor 5
|
||||
%global vpatch 0
|
||||
|
||||
# Do we build the replacements packages?
|
||||
@ -84,9 +84,6 @@
|
||||
%global hmaccalc_evr 0.9.14-10%{?dist}
|
||||
%endif
|
||||
|
||||
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
|
||||
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac
|
||||
|
||||
# On old kernels use mock hashers implemented via openssl
|
||||
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
|
||||
%global sha512hmac bin/kcapi-hasher -n sha512hmac
|
||||
@ -96,8 +93,8 @@
|
||||
%global fipshmac bash %{SOURCE3}
|
||||
%endif
|
||||
|
||||
# Add generation of HMAC checksums of the final stripped
|
||||
# binaries. %%define with lazy globbing is used here
|
||||
# Add generation of HMAC checksum of the final stripped
|
||||
# binary. %%define with lazy globbing is used here
|
||||
# intentionally, because using %%global does not work.
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
@ -105,20 +102,12 @@
|
||||
%{__os_install_post} \
|
||||
bin_path=%{buildroot}%{_bindir} \
|
||||
lib_path=%{buildroot}%{_libdir} \
|
||||
for app in %{apps_hmaccalc}; do \
|
||||
test -e "$bin_path"/$app || continue \
|
||||
{ %sha512hmac "$bin_path"/$app || exit 1; } \\\
|
||||
| cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \
|
||||
done \
|
||||
for app in %{apps_fipscheck}; do \
|
||||
test -e "$bin_path"/$app || continue \
|
||||
%fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \
|
||||
done \
|
||||
%{_bindir}/hardlink -cfv %{buildroot}%{_bindir} \
|
||||
%fipshmac -d "$lib_path"/fipscheck \\\
|
||||
{ %sha512hmac "$bin_path"/kcapi-hasher || exit 1; } | \\\
|
||||
cut -f 1 -d ' ' >"$lib_path"/hmaccalc/.kcapi-hasher.hmac \
|
||||
%fipshmac -d "$lib_path"/hmaccalc \\\
|
||||
"$lib_path"/libkcapi.so.%{version} || exit 1 \
|
||||
%{__ln_s} libkcapi.so.%{version}.hmac \\\
|
||||
"$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \
|
||||
"$lib_path"/hmaccalc/libkcapi.so.%{vmajor}.hmac \
|
||||
%{nil}
|
||||
|
||||
Name: libkcapi
|
||||
@ -133,11 +122,7 @@ Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
|
||||
Source2: sha512hmac-openssl.sh
|
||||
Source3: fipshmac-openssl.sh
|
||||
|
||||
Patch: 001-tests-kernel-version.patch
|
||||
Patch: 002-fips-disable-ansi_cprng.patch
|
||||
Patch: 003-zeroize-hasher.patch
|
||||
Patch: 004-hasher-target-option.patch
|
||||
Patch: 005-fips-mode-tests.patch
|
||||
Patch: 001-revert-docbook-version.patch
|
||||
|
||||
BuildRequires: bash
|
||||
BuildRequires: coreutils
|
||||
@ -379,18 +364,18 @@ EOF
|
||||
# Install replacement tools, if enabled.
|
||||
%if !%{with replace_coreutils}
|
||||
%{__rm} -f \
|
||||
%{buildroot}%{_bindir}/md5sum \
|
||||
%{buildroot}%{_bindir}/sha*sum \
|
||||
%{buildroot}%{_bindir}/sm*sum
|
||||
%{buildroot}%{_libexecdir}/md5sum \
|
||||
%{buildroot}%{_libexecdir}/sha*sum \
|
||||
%{buildroot}%{_libexecdir}/sm*sum
|
||||
%endif
|
||||
|
||||
%if !%{with replace_fipscheck}
|
||||
%{__rm} -f %{buildroot}%{_bindir}/fips*
|
||||
%{__rm} -f %{buildroot}%{_libexecdir}/fips*
|
||||
%endif
|
||||
|
||||
%if !%{with replace_hmaccalc}
|
||||
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac
|
||||
%{__rm} -f %{buildroot}%{_bindir}/sm*hmac
|
||||
%{__rm} -f %{buildroot}%{_libexecdir}/sha*hmac
|
||||
%{__rm} -f %{buildroot}%{_libexecdir}/sm*hmac
|
||||
%endif
|
||||
|
||||
# We don't ship autocrap dumplings.
|
||||
@ -456,8 +441,8 @@ popd
|
||||
%license COPYING*
|
||||
%{_libdir}/%{name}.so.%{vmajor}
|
||||
%{_libdir}/%{name}.so.%{version}
|
||||
%{_libdir}/fipscheck/%{name}.so.%{vmajor}.hmac
|
||||
%{_libdir}/fipscheck/%{name}.so.%{version}.hmac
|
||||
%{_libdir}/hmaccalc/%{name}.so.%{vmajor}.hmac
|
||||
%{_libdir}/hmaccalc/%{name}.so.%{version}.hmac
|
||||
%if %{with_sysctl_tweak}
|
||||
%doc %{_pkgdocdir}/README.%{distroname_ext}
|
||||
%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
|
||||
@ -483,26 +468,26 @@ popd
|
||||
|
||||
%if %{with replace_coreutils}
|
||||
%files checksum
|
||||
%{_bindir}/md5sum
|
||||
%{_bindir}/sha*sum
|
||||
%{_bindir}/sm*sum
|
||||
%{_libdir}/fipscheck/md5sum.hmac
|
||||
%{_libdir}/fipscheck/sha*sum.hmac
|
||||
%{_libdir}/fipscheck/sm*sum.hmac
|
||||
%{_bindir}/kcapi-hasher
|
||||
%{_libexecdir}/%{name}/md5sum
|
||||
%{_libexecdir}/%{name}/sha*sum
|
||||
%{_libexecdir}/%{name}/sm*sum
|
||||
%{_libdir}/hmaccalc/.kcapi-hasher.hmac
|
||||
%endif
|
||||
|
||||
%if %{with replace_fipscheck}
|
||||
%files fipscheck
|
||||
%{_bindir}/fips*
|
||||
%{_libdir}/fipscheck/fips*.hmac
|
||||
%{_bindir}/kcapi-hasher
|
||||
%{_libexecdir}/%{name}/fips*
|
||||
%{_libdir}/hmaccalc/.kcapi-hasher.hmac
|
||||
%endif
|
||||
|
||||
%if %{with replace_hmaccalc}
|
||||
%files hmaccalc
|
||||
%{_bindir}/sha*hmac
|
||||
%{_bindir}/sm*hmac
|
||||
%{_libdir}/hmaccalc/sha*hmac.hmac
|
||||
%{_libdir}/hmaccalc/sm*hmac.hmac
|
||||
%{_bindir}/kcapi-hasher
|
||||
%{_libexecdir}/%{name}/sha*hmac
|
||||
%{_libexecdir}/%{name}/sm*hmac
|
||||
%{_libdir}/hmaccalc/.kcapi-hasher.hmac
|
||||
%endif
|
||||
|
||||
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (libkcapi-1.4.0.tar.xz) = fa3df1fe22eba32585de5df044f907d3ad189c33f5704fe29b0fdeda92e772ef077055b80e17bc1646a8cdedaf4f195aadf0b133f493597f0f7657b04ea93a99
|
||||
SHA512 (libkcapi-1.4.0.tar.xz.asc) = a41303cba88b214c82537bb5de2584a72a239670318753ba6873a2c3ebe3b56ffd381fdf7ae266aa21857e850bebdfbfdec487c98655ddbc2b9a0ba0d4f383ca
|
||||
SHA512 (libkcapi-1.5.0.tar.xz) = db156ee94fc63815a31876ab072aca72a806b26961c43f2caf8495c53b95484de71cd3be84dc9e5c9560e9ee704979be059ff6c102b4893d6bbdf9a8a69a667a
|
||||
SHA512 (libkcapi-1.5.0.tar.xz.asc) = 69cfb6bf98f89c503e7fda07a54eddb9fcc2dafe418f1bc1216c051565c214a6caab83495c19b650a5c6e46e22080f8df4dd2152ab364993ed5badd256495159
|
||||
|
Loading…
Reference in New Issue
Block a user