diff --git a/libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch b/libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
new file mode 100644
index 0000000..cc33cd6
--- /dev/null
+++ b/libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
@@ -0,0 +1,341 @@ +From 4986c2c95422f97ca0f8db94ce422a01f9a9fa5e Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 24 May 2018 08:28:02 +0200 +Subject: [PATCH] kcapi-hasher: Allow picking basename via cmdline + +This makes it possible to run the kcapi-hasher binary directly when +needed (even via the libtool wrapper) and to simplify the hasher tests. +--- + apps/kcapi-hasher.c | 22 ++++++++--- + test/hasher-test.sh | 108 +++++++++++++++++++--------------------------------- + 2 files changed, 57 insertions(+), 73 deletions(-) + +diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c +index 9a5d2ee..ae88211 100644 +--- a/apps/kcapi-hasher.c ++++ b/apps/kcapi-hasher.c +@@ -117,14 +117,15 @@ static void usage(char *name, int fipscheck) + const char *base = basename(name); + fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name)); + fprintf(stderr, "\nUsage:\n"); +- fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base); ++ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -S|-L\n", base); + if (fipscheck) +- fprintf(stderr, "\t%s [OPTION]... FILE\n", base); ++ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base); + else { +- fprintf(stderr, "\t%s [OPTION]... -c FILE\n", base); +- fprintf(stderr, "\t%s [OPTION]... FILE...\n", base); ++ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base); ++ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... 
FILE...\n", base); + } + fprintf(stderr, "\nOptions:\n"); ++ fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n"); + fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n"); + fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n"); + if (!fipscheck) +@@ -781,12 +782,19 @@ int main(int argc, char *argv[]) + const char *targetfile = NULL; + uint8_t *hmackey_alloc = NULL; + uint8_t *hmackey_mmap = NULL; ++ int opt_index = 0; + int loglevel = 0; + int hmac = 0; + int fipscheck = 0; + int fipshmac = 0; + int selfcheck_mode = SELFCHECK_CHECK; + ++ static const char *opts_name_short = "n:"; ++ static const struct option opts_name[] = { ++ {"name", 1, 0, 'n'}, ++ {0, 0, 0, 0} ++ }; ++ + static const char *opts_short = "c:uh:t:SLqk:K:vbd:P"; + static const struct option opts[] = { + {"help", 0, 0, 0}, +@@ -833,6 +841,11 @@ int main(int argc, char *argv[]) + } + basen = basename(basec); + ++ if (getopt_long(argc, argv, opts_name_short, opts_name, &opt_index) == 'n') ++ basen = optarg; ++ else ++ opt_index = 0; ++ + params_self = &PARAMS_SELF_FIPSCHECK; + if (0 == strncmp(basen, "sha256sum", 9)) { + names = NAMES_SHA256; +@@ -888,7 +901,6 @@ int main(int argc, char *argv[]) + } + + while (1) { +- int opt_index = 0; + int c = getopt_long(argc, argv, opts_short, opts, &opt_index); + + if (-1 == c) +diff --git a/test/hasher-test.sh b/test/hasher-test.sh +index 28c6b5a..f36897b 100755 +--- a/test/hasher-test.sh ++++ b/test/hasher-test.sh +@@ -22,15 +22,18 @@ + + HASHERBIN="${APPDIR}/kcapi-hasher" + find_platform $HASHERBIN +-HASHERBIN=$(get_binlocation $HASHERBIN) + +-SUMHASHER="${TMPDIR}/md5sum ${TMPDIR}/sha1sum ${TMPDIR}/sha256sum ${TMPDIR}/sha384sum ${TMPDIR}/sha512sum" +-HMACHASHER="${TMPDIR}/sha1hmac ${TMPDIR}/sha256hmac ${TMPDIR}/sha384hmac ${TMPDIR}/sha512hmac" ++function run_hasher() { ++ "$HASHERBIN" -n "$@" ++} ++ ++SUMHASHER="md5sum sha1sum sha256sum sha384sum sha512sum" 
++HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac" + CHKFILE="${TMPDIR}/chk.$$" + ANOTHER="${TMPDIR}/test.$$" + + touch $ANOTHER +-trap "rm -f $ANOTHER $CHKFILE $SUMHASHER $HMACHASHER" 0 1 2 3 15 ++trap "rm -f $ANOTHER $CHKFILE" 0 1 2 3 15 + + if [ ! -e $HASHERBIN ] + then +@@ -38,20 +41,10 @@ then + exit 1 + fi + +-#although a hard link suffices, we need to copy it +-for i in $SUMHASHER $HMACHASHER +-do +- #ln $HASHERBIN $i +- cp -f $HASHERBIN $i +-done +- +-libdir=$(dirname $(realpath ../.libs/libkcapi.so)) +-libname=$(realpath ../.libs/libkcapi.so) +- + for hasher in $SUMHASHER $HMACHASHER + do + >$CHKFILE +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE ++ run_hasher $hasher -c $CHKFILE + if [ $? -eq 0 ] + then + echo_fail "Verification of empty checker file with hasher $hasher did not fail" +@@ -60,7 +53,7 @@ do + fi + + echo >$CHKFILE +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE ++ run_hasher $hasher -c $CHKFILE + if [ $? -eq 0 ] + then + echo_fail "Verification of empty line checker file with hasher $hasher did not fail" +@@ -68,9 +61,8 @@ do + echo_pass "Failure on empty line checker file for $hasher" + fi + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \ +- sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE ++ run_hasher $hasher $0 $ANOTHER | sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE ++ run_hasher $hasher -q -c $CHKFILE + if [ $? -eq 0 ] + then + echo_pass "Parsing checker file with asterisk with $hasher" +@@ -78,8 +70,7 @@ do + echo_fail "Parsing checker file with asterisk (binary mode) with $hasher failed" + fi + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \ +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c - ++ run_hasher $hasher $0 $ANOTHER | run_hasher $hasher -q -c - + if [ $? 
-eq 0 ] + then + echo_pass "Checker file '-' interpretation with $hasher" +@@ -87,7 +78,7 @@ do + echo_fail "Checker file '-' interpretation with $hasher failed" + fi + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 - <$ANOTHER >/dev/null ++ run_hasher $hasher $0 - <$ANOTHER >/dev/null + if [ $? -eq 0 ] + then + echo_pass "Input file '-' interpretation with $hasher" +@@ -100,16 +91,16 @@ done + + for i in $SUMHASHER + do +- hash=$(basename $i) +- hash=${hash%%sum} + hasher=$i +- i=$(basename $i) +- [ ! -e "$hasher" ] && { +- echo_deact "Hasher $hasher does not exist" ++ hash=${hasher%%sum} ++ i=$(command -v $i) ++ ++ [ -z "$i" ] && { ++ echo_deact "reference application $hasher missing" + continue + } + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE ++ run_hasher $hasher $0 $ANOTHER > $CHKFILE + [ $? -ne 0 ] && { + echo_fail "Generation of hashes with hasher $hasher failed" + continue +@@ -131,14 +122,14 @@ do + continue + } + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher --status -c $CHKFILE ++ run_hasher $hasher --status -c $CHKFILE + [ $? -ne 0 ] && echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed" + + echo -n 123 >$CHKFILE + + a=$(openssl dgst -$hash -hmac 123 $0 | cut -f 2 -d" ") +- b=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -K 123 $0 | cut -f 1 -d" ") +- c=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -k $CHKFILE $0 | cut -f 1 -d" ") ++ b=$(run_hasher $hasher -K 123 $0 | cut -f 1 -d" ") ++ c=$(run_hasher $hasher -k $CHKFILE $0 | cut -f 1 -d" ") + [ x"$a" != x"$b" ] && { + echo_fail "HMAC calculation for $hasher failed (cmdline key)" + continue +@@ -153,23 +144,16 @@ done + + for i in $HMACHASHER + do +- hash=$(basename $i) +- hash=${hash%%hmac} + hasher=$i +- t=$(basename $i) +- i=$(command -v $t) ++ hash=${hasher%%hmac} ++ i=$(command -v $i) + + [ -z "$i" ] && { +- echo_deact "hmaccalc reference application $t missing" +- continue +- } +- +- [ ! 
-e "$hasher" ] && { +- echo_fail "Hasher $hasher does not exist" ++ echo_deact "hmaccalc reference application $hasher missing" + continue + } + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE ++ run_hasher $hasher $0 $ANOTHER > $CHKFILE + [ $? -ne 0 ] && { + echo_fail "Generation of hashes with hasher $hasher failed" + continue +@@ -191,7 +175,7 @@ do + continue + } + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE ++ run_hasher $hasher -q -c $CHKFILE + if [ $? -ne 0 ] + then + echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed" +@@ -210,13 +194,8 @@ do + ref=${i%%hmac}sum + hasher=$i + +- [ ! -e "$hasher" ] && { +- echo_fail "Hasher $hasher does not exist" +- continue +- } +- +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref $0 $ANOTHER > $CHKFILE +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u -q -c $CHKFILE ++ run_hasher $ref $0 $ANOTHER > $CHKFILE ++ run_hasher $hasher -u -q -c $CHKFILE + if [ $? -ne 0 ] + then + echo_fail "Unkeyed verification with hasher $hasher failed" +@@ -224,8 +203,8 @@ do + echo_pass "Unkeyed verification with hasher $hasher" + fi + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u $0 $ANOTHER > $CHKFILE +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref --status -c $CHKFILE ++ run_hasher $hasher -u $0 $ANOTHER > $CHKFILE ++ run_hasher $ref --status -c $CHKFILE + if [ $? -ne 0 ] + then + echo_fail "Unkeyed generation of checker file with hasher $hasher failed" +@@ -239,12 +218,10 @@ done + # + # Test hmaccalc's ignored compatibility options: + # +-for i in $HMACHASHER ++for hasher in $HMACHASHER + do +- hasher=$i +- + compat="-d -P -b" +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $compat $0 $ANOTHER > /dev/null ++ run_hasher $hasher $compat $0 $ANOTHER > /dev/null + if [ $? 
-ne 0 ] + then + echo_fail "Hasher $hasher does not accept compatiblity options: $compat" +@@ -256,11 +233,9 @@ done + # + # Test hmaccalc's -S option: + # +-for i in $HMACHASHER ++for hasher in $HMACHASHER + do +- hasher=$i +- +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -S >$CHKFILE ++ run_hasher $hasher -S >$CHKFILE + if [ $? -ne 0 ] + then + echo_fail "Hasher $hasher does not accept the -S option" +@@ -277,11 +252,9 @@ done + # + # Test hmaccalc's -h option: + # +-for i in $HMACHASHER ++for hasher in $HMACHASHER + do +- hasher=$i +- +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -h sha1 $0 $ANOTHER >$CHKFILE ++ run_hasher $hasher -h sha1 $0 $ANOTHER >$CHKFILE + if [ $? -ne 0 ] + then + echo_fail "Hasher $hasher does not accept the -h option" +@@ -289,8 +262,7 @@ do + continue + fi + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $TMPDIR/sha1hmac $0 $ANOTHER | \ +- diff $CHKFILE - ++ run_hasher sha1hmac $0 $ANOTHER | diff $CHKFILE - + if [ $? -ne 0 ] + then + echo_fail "Hasher $hasher does not work correctly with the -h option" +@@ -328,7 +300,7 @@ function run_kat() { + expand_string "$data" >"$ANOTHER" + echo "${result#0x} $ANOTHER" >"$CHKFILE" + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \ ++ run_hasher $hasher -q \ + -k <(expand_string "$key") -c "$CHKFILE" $truncate_opt + if [ $? -ne 0 ] + then +@@ -337,7 +309,7 @@ function run_kat() { + echo_pass "Verification of hasher $hasher -c ... with KAT '$id'" + fi + +- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \ ++ run_hasher $hasher -q \ + -k <(expand_string "$key") "$ANOTHER" $truncate_opt \ + | diff - "$CHKFILE" + if [ $? -ne 0 ] diff --git a/libkcapi.spec b/libkcapi.spec index cea8341..75f9318 100644 --- a/libkcapi.spec +++ b/libkcapi.spec 
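Review bot: In the `main()` hunk of apps/kcapi-hasher.c, the probe call `getopt_long(argc, argv, opts_name_short, opts_name, &opt_index)` consumes the first option even when it is not `-n`, and the `else` branch resets only `opt_index`, never getopt's global `optind`. For an invocation such as `sha256sum -c FILE` (constructed example) the probe would presumably print an "invalid option" error and the later `while (1)` loop would resume after `-c`, so a verification run could turn into a plain hash run; that should be ruled out for a tool used in FIPS integrity checks. I would silence and rewind the probe: `opterr = 0;` before it, the fallback as `else { opt_index = 0; optind = 1; }`, then `opterr = 1;`. `main()` starts and ends outside the hunk, so I cannot see whether anything later compensates.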
@@ -66,26 +66,26 @@ # Add generation of HMAC checksums of the final stripped # binaries. %%define with lazy globbing is used here # intentionally, because using %%global does not work. -%define __spec_install_post \ -%{?__debug_package:%{__debug_install_post}} \ -%{__arch_install_post} \ -%{__os_install_post} \ -bin_path=%{buildroot}%{_bindir} \ -lib_path=%{buildroot}/%{_lib} \ -for app in %{apps_hmaccalc}; do \ - test -e "$bin_path"/$app || continue \ - { %{_bindir}/sha512hmac "$bin_path"/$app || exit 1; } \\\ - | cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \ -done \ -for app in %{apps_fipscheck}; do \ - test -e "$bin_path"/$app || continue \ - %{_bindir}/fipshmac "$bin_path"/$app || exit 1 \ -done \ -%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \ -%{_bindir}/fipshmac "$lib_path"/libkcapi.so.%{version} \\\ - || exit 1 \ -%{__ln_s} .libkcapi.so.%{version}.hmac \\\ - "$lib_path"/.libkcapi.so.%{vmajor}.hmac \ +%define __spec_install_post \ +%{?__debug_package:%{__debug_install_post}} \ +%{__arch_install_post} \ +%{__os_install_post} \ +bin_path=%{buildroot}%{_bindir} \ +lib_path=%{buildroot}/%{_lib} \ +for app in %{apps_hmaccalc}; do \ + test -e "$bin_path"/$app || continue \ + { bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\ + | cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \ +done \ +for app in %{apps_fipscheck}; do \ + test -e "$bin_path"/$app || continue \ + bin/kcapi-hasher -n fipshmac "$bin_path"/$app || exit 1 \ +done \ +%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \ +bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version} \\\ + || exit 1 \ +%{__ln_s} .libkcapi.so.%{version}.hmac \\\ + "$lib_path"/.libkcapi.so.%{vmajor}.hmac \ %{nil} 
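Review bot: In the `%{apps_hmaccalc}` loop the `|| exit 1` inside `{ bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; }` sits on the left side of a pipe, so it ends only that pipeline stage; the scriptlet continues with the status of `cut` and can leave an empty `.$app.hmac` in the buildroot. The removed line had the same shape, but the hasher is now the just-built `bin/kcapi-hasher`, reached through a path relative to the scriptlet's working directory, so a wrong directory or a broken build would pass unnoticed here, unlike the unpiped `fipshmac` calls below. Capturing the output first keeps the failure fatal: `sum=$(bin/kcapi-hasher -n sha512hmac "$bin_path"/$app) || exit 1 \` followed by `echo "${sum%% *}" >"$bin_path"/.$app.hmac \`.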
@@ -102,16 +102,15 @@ Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch +Patch3: %{giturl}/pull/57.patch#/%{name}-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch BuildRequires: clang BuildRequires: coreutils BuildRequires: cppcheck BuildRequires: docbook-utils-pdf -BuildRequires: fipscheck BuildRequires: gcc BuildRequires: git BuildRequires: hardlink -BuildRequires: hmaccalc BuildRequires: libtool BuildRequires: openssl BuildRequires: systemd @@ -425,6 +424,7 @@ popd * Wed May 09 2018 Ondrej Mosnáček - 1.1.0-5 - Skip CLang static analysis in RHEL - Revert "Skip CLang static analysis in RHEL" +- Use own sha512hmac and fipscheck * Wed May 02 2018 Ondrej Mosnáček - 1.1.0-4 - Fix description lines being too long