Use own sha512hmac and fipscheck
Use the freshly-built binaries to recompute the checksums in the post-install hook. This allows us to drop the build-time dependencies on hmaccalc (i.e. itself) and fipscheck.
This commit is contained in:
Ondrej Mosnacek
parent
e25f34d86d
commit
a96229f2c0
@ -0,0 +1,341 @@
|
||||
From 4986c2c95422f97ca0f8db94ce422a01f9a9fa5e Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Thu, 24 May 2018 08:28:02 +0200
|
||||
Subject: [PATCH] kcapi-hasher: Allow picking basename via cmdline
|
||||
|
||||
This makes it possible to run the kcapi-hasher binary directly when
|
||||
needed (even via the libtool wrapper) and to simplify the hasher tests.
|
||||
---
|
||||
apps/kcapi-hasher.c | 22 ++++++++---
|
||||
test/hasher-test.sh | 108 +++++++++++++++++++---------------------------------
|
||||
2 files changed, 57 insertions(+), 73 deletions(-)
|
||||
|
||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
index 9a5d2ee..ae88211 100644
|
||||
--- a/apps/kcapi-hasher.c
|
||||
+++ b/apps/kcapi-hasher.c
|
||||
@@ -117,14 +117,15 @@ static void usage(char *name, int fipscheck)
|
||||
const char *base = basename(name);
|
||||
fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name));
|
||||
fprintf(stderr, "\nUsage:\n");
|
||||
- fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base);
|
||||
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -S|-L\n", base);
|
||||
if (fipscheck)
|
||||
- fprintf(stderr, "\t%s [OPTION]... FILE\n", base);
|
||||
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
|
||||
else {
|
||||
- fprintf(stderr, "\t%s [OPTION]... -c FILE\n", base);
|
||||
- fprintf(stderr, "\t%s [OPTION]... FILE...\n", base);
|
||||
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
|
||||
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
|
||||
}
|
||||
fprintf(stderr, "\nOptions:\n");
|
||||
+ fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
|
||||
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
|
||||
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
|
||||
if (!fipscheck)
|
||||
@@ -781,12 +782,19 @@ int main(int argc, char *argv[])
|
||||
const char *targetfile = NULL;
|
||||
uint8_t *hmackey_alloc = NULL;
|
||||
uint8_t *hmackey_mmap = NULL;
|
||||
+ int opt_index = 0;
|
||||
int loglevel = 0;
|
||||
int hmac = 0;
|
||||
int fipscheck = 0;
|
||||
int fipshmac = 0;
|
||||
int selfcheck_mode = SELFCHECK_CHECK;
|
||||
|
||||
+ static const char *opts_name_short = "n:";
|
||||
+ static const struct option opts_name[] = {
|
||||
+ {"name", 1, 0, 'n'},
|
||||
+ {0, 0, 0, 0}
|
||||
+ };
|
||||
+
|
||||
static const char *opts_short = "c:uh:t:SLqk:K:vbd:P";
|
||||
static const struct option opts[] = {
|
||||
{"help", 0, 0, 0},
|
||||
@@ -833,6 +841,11 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
basen = basename(basec);
|
||||
|
||||
+ if (getopt_long(argc, argv, opts_name_short, opts_name, &opt_index) == 'n')
|
||||
+ basen = optarg;
|
||||
+ else
|
||||
+ opt_index = 0;
|
||||
+
|
||||
params_self = &PARAMS_SELF_FIPSCHECK;
|
||||
if (0 == strncmp(basen, "sha256sum", 9)) {
|
||||
names = NAMES_SHA256;
|
||||
@@ -888,7 +901,6 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
|
||||
while (1) {
|
||||
- int opt_index = 0;
|
||||
int c = getopt_long(argc, argv, opts_short, opts, &opt_index);
|
||||
|
||||
if (-1 == c)
|
||||
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
|
||||
index 28c6b5a..f36897b 100755
|
||||
--- a/test/hasher-test.sh
|
||||
+++ b/test/hasher-test.sh
|
||||
@@ -22,15 +22,18 @@
|
||||
|
||||
HASHERBIN="${APPDIR}/kcapi-hasher"
|
||||
find_platform $HASHERBIN
|
||||
-HASHERBIN=$(get_binlocation $HASHERBIN)
|
||||
|
||||
-SUMHASHER="${TMPDIR}/md5sum ${TMPDIR}/sha1sum ${TMPDIR}/sha256sum ${TMPDIR}/sha384sum ${TMPDIR}/sha512sum"
|
||||
-HMACHASHER="${TMPDIR}/sha1hmac ${TMPDIR}/sha256hmac ${TMPDIR}/sha384hmac ${TMPDIR}/sha512hmac"
|
||||
+function run_hasher() {
|
||||
+ "$HASHERBIN" -n "$@"
|
||||
+}
|
||||
+
|
||||
+SUMHASHER="md5sum sha1sum sha256sum sha384sum sha512sum"
|
||||
+HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
|
||||
CHKFILE="${TMPDIR}/chk.$$"
|
||||
ANOTHER="${TMPDIR}/test.$$"
|
||||
|
||||
touch $ANOTHER
|
||||
-trap "rm -f $ANOTHER $CHKFILE $SUMHASHER $HMACHASHER" 0 1 2 3 15
|
||||
+trap "rm -f $ANOTHER $CHKFILE" 0 1 2 3 15
|
||||
|
||||
if [ ! -e $HASHERBIN ]
|
||||
then
|
||||
@@ -38,20 +41,10 @@ then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
-#although a hard link suffices, we need to copy it
|
||||
-for i in $SUMHASHER $HMACHASHER
|
||||
-do
|
||||
- #ln $HASHERBIN $i
|
||||
- cp -f $HASHERBIN $i
|
||||
-done
|
||||
-
|
||||
-libdir=$(dirname $(realpath ../.libs/libkcapi.so))
|
||||
-libname=$(realpath ../.libs/libkcapi.so)
|
||||
-
|
||||
for hasher in $SUMHASHER $HMACHASHER
|
||||
do
|
||||
>$CHKFILE
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE
|
||||
+ run_hasher $hasher -c $CHKFILE
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
echo_fail "Verification of empty checker file with hasher $hasher did not fail"
|
||||
@@ -60,7 +53,7 @@ do
|
||||
fi
|
||||
|
||||
echo >$CHKFILE
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -c $CHKFILE
|
||||
+ run_hasher $hasher -c $CHKFILE
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
echo_fail "Verification of empty line checker file with hasher $hasher did not fail"
|
||||
@@ -68,9 +61,8 @@ do
|
||||
echo_pass "Failure on empty line checker file for $hasher"
|
||||
fi
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \
|
||||
- sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE
|
||||
+ run_hasher $hasher $0 $ANOTHER | sed -E 's/(\w+\s)\s/\1*/' >$CHKFILE
|
||||
+ run_hasher $hasher -q -c $CHKFILE
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
echo_pass "Parsing checker file with asterisk with $hasher"
|
||||
@@ -78,8 +70,7 @@ do
|
||||
echo_fail "Parsing checker file with asterisk (binary mode) with $hasher failed"
|
||||
fi
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER | \
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c -
|
||||
+ run_hasher $hasher $0 $ANOTHER | run_hasher $hasher -q -c -
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
echo_pass "Checker file '-' interpretation with $hasher"
|
||||
@@ -87,7 +78,7 @@ do
|
||||
echo_fail "Checker file '-' interpretation with $hasher failed"
|
||||
fi
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 - <$ANOTHER >/dev/null
|
||||
+ run_hasher $hasher $0 - <$ANOTHER >/dev/null
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
echo_pass "Input file '-' interpretation with $hasher"
|
||||
@@ -100,16 +91,16 @@ done
|
||||
|
||||
for i in $SUMHASHER
|
||||
do
|
||||
- hash=$(basename $i)
|
||||
- hash=${hash%%sum}
|
||||
hasher=$i
|
||||
- i=$(basename $i)
|
||||
- [ ! -e "$hasher" ] && {
|
||||
- echo_deact "Hasher $hasher does not exist"
|
||||
+ hash=${hasher%%sum}
|
||||
+ i=$(command -v $i)
|
||||
+
|
||||
+ [ -z "$i" ] && {
|
||||
+ echo_deact "reference application $hasher missing"
|
||||
continue
|
||||
}
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE
|
||||
+ run_hasher $hasher $0 $ANOTHER > $CHKFILE
|
||||
[ $? -ne 0 ] && {
|
||||
echo_fail "Generation of hashes with hasher $hasher failed"
|
||||
continue
|
||||
@@ -131,14 +122,14 @@ do
|
||||
continue
|
||||
}
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher --status -c $CHKFILE
|
||||
+ run_hasher $hasher --status -c $CHKFILE
|
||||
[ $? -ne 0 ] && echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed"
|
||||
|
||||
echo -n 123 >$CHKFILE
|
||||
|
||||
a=$(openssl dgst -$hash -hmac 123 $0 | cut -f 2 -d" ")
|
||||
- b=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -K 123 $0 | cut -f 1 -d" ")
|
||||
- c=$(LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -k $CHKFILE $0 | cut -f 1 -d" ")
|
||||
+ b=$(run_hasher $hasher -K 123 $0 | cut -f 1 -d" ")
|
||||
+ c=$(run_hasher $hasher -k $CHKFILE $0 | cut -f 1 -d" ")
|
||||
[ x"$a" != x"$b" ] && {
|
||||
echo_fail "HMAC calculation for $hasher failed (cmdline key)"
|
||||
continue
|
||||
@@ -153,23 +144,16 @@ done
|
||||
|
||||
for i in $HMACHASHER
|
||||
do
|
||||
- hash=$(basename $i)
|
||||
- hash=${hash%%hmac}
|
||||
hasher=$i
|
||||
- t=$(basename $i)
|
||||
- i=$(command -v $t)
|
||||
+ hash=${hasher%%hmac}
|
||||
+ i=$(command -v $i)
|
||||
|
||||
[ -z "$i" ] && {
|
||||
- echo_deact "hmaccalc reference application $t missing"
|
||||
- continue
|
||||
- }
|
||||
-
|
||||
- [ ! -e "$hasher" ] && {
|
||||
- echo_fail "Hasher $hasher does not exist"
|
||||
+ echo_deact "hmaccalc reference application $hasher missing"
|
||||
continue
|
||||
}
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $0 $ANOTHER > $CHKFILE
|
||||
+ run_hasher $hasher $0 $ANOTHER > $CHKFILE
|
||||
[ $? -ne 0 ] && {
|
||||
echo_fail "Generation of hashes with hasher $hasher failed"
|
||||
continue
|
||||
@@ -191,7 +175,7 @@ do
|
||||
continue
|
||||
}
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -q -c $CHKFILE
|
||||
+ run_hasher $hasher -q -c $CHKFILE
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Verification of checker file $CHKFILE with hasher $hasher failed"
|
||||
@@ -210,13 +194,8 @@ do
|
||||
ref=${i%%hmac}sum
|
||||
hasher=$i
|
||||
|
||||
- [ ! -e "$hasher" ] && {
|
||||
- echo_fail "Hasher $hasher does not exist"
|
||||
- continue
|
||||
- }
|
||||
-
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref $0 $ANOTHER > $CHKFILE
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u -q -c $CHKFILE
|
||||
+ run_hasher $ref $0 $ANOTHER > $CHKFILE
|
||||
+ run_hasher $hasher -u -q -c $CHKFILE
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Unkeyed verification with hasher $hasher failed"
|
||||
@@ -224,8 +203,8 @@ do
|
||||
echo_pass "Unkeyed verification with hasher $hasher"
|
||||
fi
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -u $0 $ANOTHER > $CHKFILE
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $ref --status -c $CHKFILE
|
||||
+ run_hasher $hasher -u $0 $ANOTHER > $CHKFILE
|
||||
+ run_hasher $ref --status -c $CHKFILE
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Unkeyed generation of checker file with hasher $hasher failed"
|
||||
@@ -239,12 +218,10 @@ done
|
||||
#
|
||||
# Test hmaccalc's ignored compatibility options:
|
||||
#
|
||||
-for i in $HMACHASHER
|
||||
+for hasher in $HMACHASHER
|
||||
do
|
||||
- hasher=$i
|
||||
-
|
||||
compat="-d -P -b"
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher $compat $0 $ANOTHER > /dev/null
|
||||
+ run_hasher $hasher $compat $0 $ANOTHER > /dev/null
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Hasher $hasher does not accept compatiblity options: $compat"
|
||||
@@ -256,11 +233,9 @@ done
|
||||
#
|
||||
# Test hmaccalc's -S option:
|
||||
#
|
||||
-for i in $HMACHASHER
|
||||
+for hasher in $HMACHASHER
|
||||
do
|
||||
- hasher=$i
|
||||
-
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -S >$CHKFILE
|
||||
+ run_hasher $hasher -S >$CHKFILE
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Hasher $hasher does not accept the -S option"
|
||||
@@ -277,11 +252,9 @@ done
|
||||
#
|
||||
# Test hmaccalc's -h option:
|
||||
#
|
||||
-for i in $HMACHASHER
|
||||
+for hasher in $HMACHASHER
|
||||
do
|
||||
- hasher=$i
|
||||
-
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $hasher -h sha1 $0 $ANOTHER >$CHKFILE
|
||||
+ run_hasher $hasher -h sha1 $0 $ANOTHER >$CHKFILE
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Hasher $hasher does not accept the -h option"
|
||||
@@ -289,8 +262,7 @@ do
|
||||
continue
|
||||
fi
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname $TMPDIR/sha1hmac $0 $ANOTHER | \
|
||||
- diff $CHKFILE -
|
||||
+ run_hasher sha1hmac $0 $ANOTHER | diff $CHKFILE -
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo_fail "Hasher $hasher does not work correctly with the -h option"
|
||||
@@ -328,7 +300,7 @@ function run_kat() {
|
||||
expand_string "$data" >"$ANOTHER"
|
||||
echo "${result#0x} $ANOTHER" >"$CHKFILE"
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \
|
||||
+ run_hasher $hasher -q \
|
||||
-k <(expand_string "$key") -c "$CHKFILE" $truncate_opt
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
@@ -337,7 +309,7 @@ function run_kat() {
|
||||
echo_pass "Verification of hasher $hasher -c ... with KAT '$id'"
|
||||
fi
|
||||
|
||||
- LD_LIBRARY_PATH=$libdir LD_PRELOAD=$libname "${TMPDIR}/$hasher" -q \
|
||||
+ run_hasher $hasher -q \
|
||||
-k <(expand_string "$key") "$ANOTHER" $truncate_opt \
|
||||
| diff - "$CHKFILE"
|
||||
if [ $? -ne 0 ]
|
||||
@ -74,15 +74,15 @@ bin_path=%{buildroot}%{_bindir} \
|
||||
lib_path=%{buildroot}/%{_lib} \
|
||||
for app in %{apps_hmaccalc}; do \
|
||||
test -e "$bin_path"/$app || continue \
|
||||
{ %{_bindir}/sha512hmac "$bin_path"/$app || exit 1; } \\\
|
||||
{ bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\
|
||||
| cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \
|
||||
done \
|
||||
for app in %{apps_fipscheck}; do \
|
||||
test -e "$bin_path"/$app || continue \
|
||||
%{_bindir}/fipshmac "$bin_path"/$app || exit 1 \
|
||||
bin/kcapi-hasher -n fipshmac "$bin_path"/$app || exit 1 \
|
||||
done \
|
||||
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
|
||||
%{_bindir}/fipshmac "$lib_path"/libkcapi.so.%{version} \\\
|
||||
bin/kcapi-hasher -n fipshmac "$lib_path"/libkcapi.so.%{version} \\\
|
||||
|| exit 1 \
|
||||
%{__ln_s} .libkcapi.so.%{version}.hmac \\\
|
||||
"$lib_path"/.libkcapi.so.%{vmajor}.hmac \
|
||||
@ -102,16 +102,15 @@ Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
|
||||
Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
|
||||
Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
|
||||
Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
|
||||
Patch3: %{giturl}/pull/57.patch#/%{name}-1.1.0-kcapi-hasher_Allow_picking_basename_via_cmdline.patch
|
||||
|
||||
BuildRequires: clang
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: cppcheck
|
||||
BuildRequires: docbook-utils-pdf
|
||||
BuildRequires: fipscheck
|
||||
BuildRequires: gcc
|
||||
BuildRequires: git
|
||||
BuildRequires: hardlink
|
||||
BuildRequires: hmaccalc
|
||||
BuildRequires: libtool
|
||||
BuildRequires: openssl
|
||||
BuildRequires: systemd
|
||||
@ -425,6 +424,7 @@ popd
|
||||
* Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5
|
||||
- Skip CLang static analysis in RHEL
|
||||
- Revert "Skip CLang static analysis in RHEL"
|
||||
- Use own sha512hmac and fipscheck
|
||||
|
||||
* Wed May 02 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-4
|
||||
- Fix description lines being too long
|
||||
|
||||
Loading…
Reference in New Issue
Block a user