955e81c3c4
This patch also fixes the computation of self-check .hmac files. Before, fipshmac was used for all binaries but since the hmaccalc tools use different parameters (SHA-512 instead of SHA-256 and a different key), this would lead to self-check failures for hmaccalc. The new post-install script calculates the hmaccalc files using sha512hmac and other .hmac files using fipshmac. The parameters for the self-check of the library were also consolidated upstream to use a single parameter set across tools (the fipscheck parameters) so that the library is checked correctly by all tools. I also dropped the kcapi-hasher binary and the hasher subpackage as it is really useless on its own (and the other hasher tools are always created as hard links). It would also be impossible to add a universally correct .hmac file since different tools would check against it with different parameters.
35 lines
946 B
Diff
From 3a860a5d5231e4912d4611397752f2010467a578 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 16 Apr 2018 19:35:57 +0200
Subject: [PATCH] kcapi-hasher: Fix FIPS self-check always failing
---
apps/kcapi-hasher.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 861db79..a5e9c71 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -583,6 +583,7 @@ static int process_checkfile(const struct hash_params *params,
if (ret >= 0)
ret++;
}
+ checked_any = 1;
} else {
/*
* fipscheck does not have the filename in the check
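Review bot: the new `checked_any = 1;` at the end of the first branch is assigned whether or not the preceding check succeeded, as far as the visible context shows (it follows the `if (ret >= 0)` / `ret++;` lines rather than sitting under them), so the flag means "an entry was processed", not "an entry verified". A one-line comment at the assignment saying so would keep a later reader from treating it as a pass indicator, since failures still have to be reported through `ret`.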
@@ -591,11 +592,10 @@ static int process_checkfile(const struct hash_params *params,
if (targetfile) {
ret = hasher(handle, params, targetfile,
hexhash, hexhashlen + 1, stdout);
+ checked_any = 1;
goto out;
}
}
-
- checked_any = 1;
}
out:
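Review bot: with the shared `checked_any = 1;` removed from the end of the enclosing block, the `else` path no longer sets the flag when `targetfile` is NULL, which is a behaviour change beyond the `goto out` case that the added assignment covers. Please confirm that this is intended and say so in the commit message, which carries only a subject line and does not explain why the self-check always failed. Setting `checked_any` on each path separately also means any branch added later has to remember to set it, so a short comment near `out:` on what the flag guards would help.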