Accepting request 1187682 from security

OBS-URL: https://build.opensuse.org/request/show/1187682
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fipscheck?expand=0&rev=12

fipscheck-fix_check_openssl_version.patch

@@ -0,0 +1,36 @@
+From 8e8fb5a47d19bc4bb589af06623e710d755bb963 Mon Sep 17 00:00:00 2001
+From: "Doug.Smith" <doug.smith@lairdconnect.com>
+Date: Tue, 23 Aug 2022 15:13:02 -0400
+Subject: [PATCH] BZ22308: fipscheck for openssl-3 fails
+
+Fix openssl version check -- missing include
+of version <opensslv.h> before check.
+
+Fix loading of openssl fips provider.
+
+Bug: 22308
+---
+ src/filehmac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index 87ad15f..f9b5310 100644
+--- a/src/filehmac.c
++++ b/src/filehmac.c
+@@ -41,6 +41,7 @@
+ #include <sys/wait.h>
+ 
+ #if defined(WITH_OPENSSL)
++#include <openssl/opensslv.h>
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include <openssl/provider.h>
+ #include <openssl/evp.h>
+@@ -215,7 +216,7 @@ compute_file_hmac(const char *path, void **buf, size_t *hmaclen, int force_fips)
+ 	size_t len;
+ 	unsigned int hlen;
+ 
+-	if (force_fips && fips != NULL) {
++	if (force_fips && fips == NULL) {
+ 		fips = OSSL_PROVIDER_load(NULL, "fips");
+ 		if (fips == NULL) {
+ 			debug_log("Failed to load FIPS provider\n");

fipscheck-fix_incorrect_length_type.patch

@@ -0,0 +1,26 @@
+From 05f84f7ec315f1251ffaa151e3b69df68f31c9e9 Mon Sep 17 00:00:00 2001
+From: Isaac Lee <isaac.lee@alliedtelesis.co.nz>
+Date: Thu, 16 Feb 2023 19:21:59 +1300
+Subject: [PATCH] filehmac: fix incorrect length type
+
+EVP_MAC_final() expects a size_t type variable for storing the number of
+bytes written, but the the variable was declared as unsigned int, causing
+the function to write 0 to the variable while the actual hmac computation
+actually successfully completes.
+---
+ src/filehmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index f9b5310..f59f09e 100644
+--- a/src/filehmac.c
++++ b/src/filehmac.c
+@@ -214,7 +214,7 @@ compute_file_hmac(const char *path, void **buf, size_t *hmaclen, int force_fips)
+ 	OSSL_PARAM params[2];
+ 	unsigned char rbuf[READ_BUFFER_LENGTH];
+ 	size_t len;
+-	unsigned int hlen;
++	size_t hlen;
+ 
+ 	if (force_fips && fips == NULL) {
+ 		fips = OSSL_PROVIDER_load(NULL, "fips");

fipscheck.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul  8 15:29:36 UTC 2024 - Martin Jambor <mjambor@suse.com>
+
+- Backport upstream patches fipscheck-fix_check_openssl_version.patch
+  and fipscheck-fix_incorrect_length_type.patch to fix C99 violations
+  which are errors by default with GCC 14 [boo#1221714] - although the
+  first one looks like it possibly fixes some more substantial error.
+
 -------------------------------------------------------------------
 Wed Nov  2 14:30:29 UTC 2022 - Marcus Meissner <meissner@suse.com>
 

fipscheck.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fipscheck
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,8 @@ Group:          Development/Libraries/C and C++
 URL:            https://github.com/LairdCP/fipscheck
 Source0:        fipscheck-%version.tar.bz2
 Source1:        baselibs.conf
+Patch0:         fipscheck-fix_check_openssl_version.patch
+Patch1:         fipscheck-fix_incorrect_length_type.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -57,6 +59,8 @@ This package contains development files for %{name}.
 
 %prep
 %setup -q
+%patch -P0 -p1
+%patch -P1 -p1
 
 %build
 %configure --disable-static