From 1950bdf88246211ff5d908ca13324e2caa52d822 Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Thu, 19 Jan 2023 15:45:00 +0100 Subject: [PATCH] Resolves: #2083581 - capinfos aborts in FIPS --- rpminspect.yaml | 5 ++- wireshark-0010-fips-ripemd160.patch | 56 +++++++++++++++++++++++++++++ wireshark.spec | 28 +++++++++------ 3 files changed, 76 insertions(+), 13 deletions(-) create mode 100644 wireshark-0010-fips-ripemd160.patch diff --git a/rpminspect.yaml b/rpminspect.yaml index a3d3d52..c1c92dc 100644 --- a/rpminspect.yaml +++ b/rpminspect.yaml @@ -1,9 +1,8 @@ --- ownership: - bin_paths: + #dumpcap is the only binary that has group wireshark + ignore: - /usr/bin/dumpcap - bin_group: wireshark - inspections: xml: off diff --git a/wireshark-0010-fips-ripemd160.patch b/wireshark-0010-fips-ripemd160.patch new file mode 100644 index 0000000..cf7f134 --- /dev/null +++ b/wireshark-0010-fips-ripemd160.patch @@ -0,0 +1,56 @@ +diff --git a/capinfos.c b/capinfos.c +index 5536766..12b141e 100644 +--- a/capinfos.c ++++ b/capinfos.c +@@ -739,7 +739,8 @@ print_stats(const gchar *filename, capture_info *cf_info) + } + if (cap_file_hashes) { + printf ("SHA256: %s\n", file_sha256); +- printf ("RIPEMD160: %s\n", file_rmd160); ++ if(!gcry_fips_mode_active()) ++ printf ("RIPEMD160: %s\n", file_rmd160); + printf ("SHA1: %s\n", file_sha1); + } + if (cap_order) printf ("Strict time order: %s\n", order_string(cf_info->order)); +@@ -851,7 +852,8 @@ print_stats_table_header(void) + if (cap_packet_rate) print_stats_table_header_label("Average packet rate (packets/sec)"); + if (cap_file_hashes) { + print_stats_table_header_label("SHA256"); +- print_stats_table_header_label("RIPEMD160"); ++ if(!gcry_fips_mode_active()) ++ print_stats_table_header_label("RIPEMD160"); + print_stats_table_header_label("SHA1"); + } + if (cap_order) print_stats_table_header_label("Strict time order"); +@@ -1447,7 +1449,10 @@ print_usage(FILE *output) + fprintf(output, " -E display the capture file encapsulation\n"); + fprintf(output, " -I display the capture file interface information\n"); + fprintf(output, " -F display additional capture file information\n"); +- fprintf(output, " -H display the SHA256, RMD160, and SHA1 hashes of the file\n"); ++ if(!gcry_fips_mode_active()) ++ fprintf(output, " -H display the SHA256 and SHA1 hashes of the file\n"); ++ else ++ fprintf(output, " -H display the SHA256, RMD160, and SHA1 hashes of the file\n"); + fprintf(output, " -k display the capture comment\n"); + fprintf(output, "\n"); + fprintf(output, "Size infos:\n"); +@@ -1795,7 +1800,8 @@ main(int argc, char *argv[]) + gcry_check_version(NULL); + gcry_md_open(&hd, GCRY_MD_SHA256, 0); + if (hd) { +- gcry_md_enable(hd, GCRY_MD_RMD160); ++ if(!gcry_fips_mode_active()) ++ gcry_md_enable(hd, GCRY_MD_RMD160); + gcry_md_enable(hd, GCRY_MD_SHA1); + } + hash_buf = (char *)g_malloc(HASH_BUF_SIZE); +@@ -1817,7 +1823,8 @@ main(int argc, char *argv[]) + } + gcry_md_final(hd); + hash_to_str(gcry_md_read(hd, GCRY_MD_SHA256), HASH_SIZE_SHA256, file_sha256); +- hash_to_str(gcry_md_read(hd, GCRY_MD_RMD160), HASH_SIZE_RMD160, file_rmd160); ++ if(!gcry_fips_mode_active()) ++ hash_to_str(gcry_md_read(hd, GCRY_MD_RMD160), HASH_SIZE_RMD160, file_rmd160); + hash_to_str(gcry_md_read(hd, GCRY_MD_SHA1), HASH_SIZE_SHA1, file_sha1); + } + if (fh) fclose(fh); diff --git a/wireshark.spec b/wireshark.spec index 2667698..fbf0074 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -6,7 +6,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.4.10 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -16,18 +16,19 @@ Source1: https://www.wireshark.org/download/src/all-versions/SIGNATURES-% Source2: 90-wireshark-usbmon.rules # Fedora-specific -Patch2: wireshark-0002-Customize-permission-denied-error.patch +Patch0002: wireshark-0002-Customize-permission-denied-error.patch # Will be proposed upstream -Patch3: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch +Patch0003: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch # Fedora-specific -Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch +Patch0004: wireshark-0004-Restore-Fedora-specific-groups.patch # Fedora-specific -Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch +Patch0005: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch # Fedora-specific -Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch -Patch7: wireshark-0007-cmakelists.patch -#Patch8: wireshark-0008-move-glib.patch -Patch9: wireshark-0009-smc-support.patch +Patch0006: wireshark-0006-Move-tmp-to-var-tmp.patch +Patch0007: wireshark-0007-cmakelists.patch +#Patch0008: wireshark-0008-move-glib.patch +Patch0009: wireshark-0009-smc-support.patch +Patch0010: wireshark-0010-fips-ripemd160.patch #install tshark together with wireshark GUI Requires: %{name}-cli = %{epoch}:%{version}-%{release} @@ -104,7 +105,11 @@ Wireshark. %package devel Summary: Development headers and libraries for wireshark -Requires: %{name} = %{epoch}:%{version}-%{release} glibc-devel glib2-devel +Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: %{name}-cli = %{epoch}:%{version}-%{release} +Requires: glibc-devel +Requires: glib2-devel + %description devel The wireshark-devel package contains the header files, developer @@ -271,6 +276,9 @@ fi %{_libdir}/pkgconfig/%{name}.pc %changelog +* Thu Jan 19 2023 Michal Ruprich - 1:3.4.10-3 +- Resolves: #2083581 - capinfos aborts in FIPS + * Thu Jan 19 2023 Michal Ruprich - 1:3.4.10-2 - Resolves: #2160648 - Enhanced TMT testing for centos-stream