rpms/libkcapi
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Use own sha512hmac and fipscheck

Browse Source 
Use the freshly-built binaries to recompute the checksums in the
post-install hook. This allows us to drop the build-time dependencies
on hmaccalc (i.e. itself) and fipscheck.
This commit is contained in:
Ondrej Mosnacek 2018-05-24 09:16:56 +02:00
parent e25f34d86d
commit a96229f2c0
2 changed files with 363 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

341
libkcapi-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch Normal file
View File

@ -0,0 +1,341 @@
From 4986c2c95422f97ca0f8db94ce422a01f9a9fa5e Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 24 May 2018 08:28:02 +0200
Subject: [PATCH] kcapi-hasher: Allow picking basename via cmdline
This makes it possible to run the kcapi-hasher binary directly when
needed (even via the libtool wrapper) and to simplify the hasher tests.
---
apps/kcapi-hasher.c | 22 ++++++++---
test/hasher-test.sh | 108 +++++++++++++++++++---------------------------------
2 files changed, 57 insertions(+), 73 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 9a5d2ee..ae88211 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -117,14 +117,15 @@ static void usage(char *name, int fipscheck)
const char *base = basename(name);
fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name));
fprintf(stderr, "\nUsage:\n");
- fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -S|-L\n", base);
if (fipscheck)
- fprintf(stderr, "\t%s [OPTION]... FILE\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
else {
- fprintf(stderr, "\t%s [OPTION]... -c FILE\n", base);
- fprintf(stderr, "\t%s [OPTION]... FILE...\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
}
fprintf(stderr, "\nOptions:\n");
+ fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
if (!fipscheck)
@@ -781,12 +782,19 @@ int main(int argc, char *argv[])
const char *targetfile = NULL;
uint8_t *hmackey_alloc = NULL;
uint8_t *hmackey_mmap = NULL;
+ int opt_index = 0;
int loglevel = 0;
int hmac = 0;
int fipscheck = 0;
int fipshmac = 0;
int selfcheck_mode = SELFCHECK_CHECK;
+ static const char *opts_name_short = "n:";
+ static const struct option opts_name[] = {
+ {"name", 1, 0, 'n'},
+ {0, 0, 0, 0}
+ };
+
static const char *opts_short = "c:uh:t:SLqk:K:vbd:P";
static const struct option opts[] = {
{"help", 0, 0, 0},
@@ -833,6 +841,11 @@ int main(int argc, char *argv[])
}
basen = basename(basec);
+ if (getopt_long(argc, argv, opts_name_short, opts_name, &opt_index) == 'n')
+ basen = optarg;
+ else
+ opt_index = 0;
+
params_self = &PARAMS_SELF_FIPSCHECK;
if (0 == strncmp(basen, "sha256sum", 9)) {
names = NAMES_SHA256;
@@ -888,7 +901,6 @@ int main(int argc, char *argv[])
}
while (1) {
- int opt_index = 0;
int c = getopt_long(argc, argv, opts_short, opts, &opt_index);
if (-1 == c)
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
index 28c6b5a..f36897b 100755
--- a/test/hasher-test.sh
+++ b/test/hasher-test.sh
@@ -22,15 +22,18 @@
HASHERBIN="${APPDIR}/kcapi-hasher"
find_platform $HASHERBIN
-HASHERBIN=$(get_binlocation $HASHERBIN)
-SUMHASHER="${TMPDIR}/md5sum ${TMPDIR}/sha1sum ${TMPDIR}/sha256sum ${TMPDIR}/sha384sum ${TMPDIR}/sha512sum"
-HMACHASHER="${TMPDIR}/sha1hmac ${TMPDIR}/sha256hmac ${TMPDIR}/sha384hmac ${TMPDIR}/sha512hmac"
+function run_hasher() {
+ "$HASHERBIN" -n "$@"
+}
+
+SUMHASHER="md5sum sha1sum sha256sum sha384sum sha512sum"
+HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
CHKFILE="${TMPDIR}/chk.$$"
ANOTHER="${TMPDIR}/test.$$"
touch $ANOTHER
-trap "rm -f $ANOTHER $CHKFILE $SUMHASHER $HMACHASHER" 0 1 2 3 15
+trap "rm -f $ANOTHER $CHKFILE" 0 1 2 3 15
if [ ! -e $HASHERBIN ]
then
@@ -38,20 +41,10 @@ then
exit 1
fi
-#although a hard link suffices, we need to copy it
-for i in $SUMHASHER $HMACHASHER
-do
- #ln $HASHERBIN $i
- cp -f $HASHERBIN $i
-done
-
-libdir=$(dirname $(realpath ../.libs/libkcapi.so))
-libname=$(realpath ../.libs/libkcapi.so)
-
for hasher in $SUMHASHER $HMACHASHER
do
>$CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE
+ run_hasher $hasher -c $CHKFILE
if [ $? -eq 0 ]
then
echo_fail "Verification of empty checker file with hasher $hasher did not fail"
@@ -60,7 +53,7 @@ do
fi
echo >$CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE
+ run_hasher $hasher -c $CHKFILE
if [ $? -eq 0 ]
then
echo_fail "Verification of empty line checker file with hasher $hasher did not fail"
@@ -68,9 +61,8 @@ do
echo_pass "Failure on empty line checker file for $hasher"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \
- sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE
+ run_hasher $hasher $0 $ANOTHER | sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE
+ run_hasher $hasher -q -c $CHKFILE
if [ $? -eq 0 ]
then
echo_pass "Parsing checker file with asterisk with $hasher"
@@ -78,8 +70,7 @@ do
echo_fail "Parsing checker file with asterisk (binary mode) with $hasher failed"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c -
+ run_hasher $hasher $0 $ANOTHER | run_hasher $hasher -q -c -
if [ $? -eq 0 ]
then
echo_pass "Checker file '-' interpretation with $hasher"
@@ -87,7 +78,7 @@ do
echo_fail "Checker file '-' interpretation with $hasher failed"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 - <$ANOTHER >/dev/null
+ run_hasher $hasher $0 - <$ANOTHER >/dev/null
if [ $? -eq 0 ]
then
echo_pass "Input file '-' interpretation with $hasher"
@@ -100,16 +91,16 @@ done
for i in $SUMHASHER
do
- hash=$(basename $i)
- hash=${hash%%sum}
hasher=$i
- i=$(basename $i)
- [ ! -e "$hasher" ] && {
- echo_deact "Hasher $hasher does not exist"
+ hash=${hasher%%sum}
+ i=$(command -v $i)
+
+ [ -z "$i" ] && {
+ echo_deact "reference application $hasher missing"
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE
+ run_hasher $hasher $0 $ANOTHER > $CHKFILE
[ $? -ne 0 ] && {
echo_fail "Generation of hashes with hasher $hasher failed"
continue
@@ -131,14 +122,14 @@ do
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher --status -c $CHKFILE
+ run_hasher $hasher --status -c $CHKFILE
[ $? -ne 0 ] && echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed"
echo -n 123 >$CHKFILE
a=$(openssl dgst -$hash -hmac 123 $0 | cut -f 2 -d" ")
- b=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -K 123 $0 | cut -f 1 -d" ")
- c=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -k $CHKFILE $0 | cut -f 1 -d" ")
+ b=$(run_hasher $hasher -K 123 $0 | cut -f 1 -d" ")
+ c=$(run_hasher $hasher -k $CHKFILE $0 | cut -f 1 -d" ")
[ x"$a" != x"$b" ] && {
echo_fail "HMAC calculation for $hasher failed (cmdline key)"
continue
@@ -153,23 +144,16 @@ done
for i in $HMACHASHER
do
- hash=$(basename $i)
- hash=${hash%%hmac}
hasher=$i
- t=$(basename $i)
- i=$(command -v $t)
+ hash=${hasher%%hmac}
+ i=$(command -v $i)
[ -z "$i" ] && {
- echo_deact "hmaccalc reference application $t missing"
- continue
- }
-
- [ ! -e "$hasher" ] && {
- echo_fail "Hasher $hasher does not exist"
+ echo_deact "hmaccalc reference application $hasher missing"
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE
+ run_hasher $hasher $0 $ANOTHER > $CHKFILE
[ $? -ne 0 ] && {
echo_fail "Generation of hashes with hasher $hasher failed"
continue
@@ -191,7 +175,7 @@ do
continue
}
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE
+ run_hasher $hasher -q -c $CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed"
@@ -210,13 +194,8 @@ do
ref=${i%%hmac}sum
hasher=$i
- [ ! -e "$hasher" ] && {
- echo_fail "Hasher $hasher does not exist"
- continue
- }
-
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref $0 $ANOTHER > $CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u -q -c $CHKFILE
+ run_hasher $ref $0 $ANOTHER > $CHKFILE
+ run_hasher $hasher -u -q -c $CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Unkeyed verification with hasher $hasher failed"
@@ -224,8 +203,8 @@ do
echo_pass "Unkeyed verification with hasher $hasher"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u $0 $ANOTHER > $CHKFILE
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref --status -c $CHKFILE
+ run_hasher $hasher -u $0 $ANOTHER > $CHKFILE
+ run_hasher $ref --status -c $CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Unkeyed generation of checker file with hasher $hasher failed"
@@ -239,12 +218,10 @@ done
#
# Test hmaccalc's ignored compatibility options:
#
-for i in $HMACHASHER
+for hasher in $HMACHASHER
do
- hasher=$i
-
compat="-d -P -b"
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $compat $0 $ANOTHER > /dev/null
+ run_hasher $hasher $compat $0 $ANOTHER > /dev/null
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not accept compatiblity options: $compat"
@@ -256,11 +233,9 @@ done
#
# Test hmaccalc's -S option:
#
-for i in $HMACHASHER
+for hasher in $HMACHASHER
do
- hasher=$i
-
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -S >$CHKFILE
+ run_hasher $hasher -S >$CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not accept the -S option"
@@ -277,11 +252,9 @@ done
#
# Test hmaccalc's -h option:
#
-for i in $HMACHASHER
+for hasher in $HMACHASHER
do
- hasher=$i
-
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -h sha1 $0 $ANOTHER >$CHKFILE
+ run_hasher $hasher -h sha1 $0 $ANOTHER >$CHKFILE
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not accept the -h option"
@@ -289,8 +262,7 @@ do
continue
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $TMPDIR/sha1hmac $0 $ANOTHER | \
- diff $CHKFILE -
+ run_hasher sha1hmac $0 $ANOTHER | diff $CHKFILE -
if [ $? -ne 0 ]
then
echo_fail "Hasher $hasher does not work correctly with the -h option"
@@ -328,7 +300,7 @@ function run_kat() {
expand_string "$data" >"$ANOTHER"
echo "${result#0x} $ANOTHER" >"$CHKFILE"
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \
+ run_hasher $hasher -q \
-k <(expand_string "$key") -c "$CHKFILE" $truncate_opt
if [ $? -ne 0 ]
then
@@ -337,7 +309,7 @@ function run_kat() {
echo_pass "Verification of hasher $hasher -c ... with KAT '$id'"
fi
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \
+ run_hasher $hasher -q \
-k <(expand_string "$key") "$ANOTHER" $truncate_opt \
| diff - "$CHKFILE"
if [ $? -ne 0 ]

44
libkcapi.spec
View File

@ -66,26 +66,26 @@
# Add generation of HMAC checksums of the final stripped # Add generation of HMAC checksums of the final stripped
# binaries. %%define with lazy globbing is used here # binaries. %%define with lazy globbing is used here
# intentionally, because using %%global does not work. # intentionally, because using %%global does not work.
%define __spec_install_post \ %define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \ %{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \ %{__arch_install_post} \
%{__os_install_post} \ %{__os_install_post} \
bin_path=%{buildroot}%{_bindir} \ bin_path=%{buildroot}%{_bindir} \
lib_path=%{buildroot}/%{_lib} \ lib_path=%{buildroot}/%{_lib} \
for app in %{apps_hmaccalc}; do \ for app in %{apps_hmaccalc}; do \
test -e "$bin_path"/$app || continue \ test -e "$bin_path"/$app || continue \
{ %{_bindir}/sha512hmac "$bin_path"/$app || exit 1; } \\\ { bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\
| cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \ | cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \
done \ done \
for app in %{apps_fipscheck}; do \ for app in %{apps_fipscheck}; do \
test -e "$bin_path"/$app || continue \ test -e "$bin_path"/$app || continue \
%{_bindir}/fipshmac "$bin_path"/$app || exit 1 \ bin/kcapi-hasher -n fipshmac "$bin_path"/$app || exit 1 \
done \ done \
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \ %{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
%{_bindir}/fipshmac "$lib_path"/libkcapi.so.%{version} \\\ bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version} \\\
|| exit 1 \ || exit 1 \
%{__ln_s} .libkcapi.so.%{version}.hmac \\\ %{__ln_s} .libkcapi.so.%{version}.hmac \\\
"$lib_path"/.libkcapi.so.%{vmajor}.hmac \ "$lib_path"/.libkcapi.so.%{vmajor}.hmac \
%{nil} %{nil}
@ -102,16 +102,15 @@ Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
Patch3: %{giturl}/pull/57.patch#/%{name}-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
BuildRequires: clang BuildRequires: clang
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: cppcheck BuildRequires: cppcheck
BuildRequires: docbook-utils-pdf BuildRequires: docbook-utils-pdf
BuildRequires: fipscheck
BuildRequires: gcc BuildRequires: gcc
BuildRequires: git BuildRequires: git
BuildRequires: hardlink BuildRequires: hardlink
BuildRequires: hmaccalc
BuildRequires: libtool BuildRequires: libtool
BuildRequires: openssl BuildRequires: openssl
BuildRequires: systemd BuildRequires: systemd
@ -425,6 +424,7 @@ popd
* Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5 * Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5
- Skip CLang static analysis in RHEL - Skip CLang static analysis in RHEL
- Revert "Skip CLang static analysis in RHEL" - Revert "Skip CLang static analysis in RHEL"
- Use own sha512hmac and fipscheck
* Wed May 02 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-4 * Wed May 02 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-4
- Fix description lines being too long - Fix description lines being too long