From 2c65ca3bff8c3e2e18fd85d60c649b2d6e93fcbcdaa58a1ce6e5aa4926b3bebe Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 12 Jul 2017 15:00:35 +0000
Subject: [PATCH] - Change the signing to use openssl sha256/sha512 directly, to avoid fipscheck / hmaccalc.

OBS-URL: https://build.opensuse.org/package/show/security/libkcapi?expand=0&rev=14
---
 libkcapi.changes | 6 ++++++
 libkcapi.spec | 18 ++++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/libkcapi.changes b/libkcapi.changes
index 596cce9..72de42d 100644
--- a/libkcapi.changes
+++ b/libkcapi.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jul 12 14:51:26 UTC 2017 - meissner@suse.com
+
+- Change the signing to use openssl sha256/sha512 directly, to
+ avoid fipscheck / hmaccalc.
+
 -------------------------------------------------------------------
 Sat Jul 8 14:04:41 UTC 2017 - bwiedemann@suse.com
 
diff --git a/libkcapi.spec b/libkcapi.spec
index 47c3cfd..78a70b6 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -25,13 +25,15 @@ Group: Productivity/Security
 Url: http://www.chronox.de/libkcapi.html
 #Source: https://github.com/smuellerDD/libkcapi/archive/v0.13.0.zip
 Source: libkcapi-0.13.0.tar.bz2
-Patch0: libkcapi-use-external-fipshmac.patch
+Patch0: libkcapi-use-external-fipshmac.patch
 # PATCH-FIX-UPSTREAM rewritten upstream in https://github.com/smuellerDD/libkcapi/commit/0e7b2b0300782
 Patch1: reproduciblesort.patch
 # PATCH-FIX-UPSTREAM https://github.com/smuellerDD/libkcapi/pull/12
 Patch2: reproducibledate.patch
-BuildRequires: docbook-utils xmlto
+BuildRequires: docbook-utils
 BuildRequires: fipscheck
+BuildRequires: openssl
+BuildRequires: xmlto
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
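Review bot: `BuildRequires: fipscheck` stays in the dependency block, and `Patch0: libkcapi-use-external-fipshmac.patch` is still applied, although the commit's stated goal is to stop using fipscheck / hmaccalc for signing. If no build step calls the fipscheck tools after this change, dropping the line keeps the build closure smaller and removes a package that can influence the signed artifacts. If it is still required, a comment above it such as `# still needed by Patch0 (external fipshmac)` would record why; whether Patch0 needs it cannot be seen from this hunk.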
@@ -98,8 +100,16 @@ make install DESTDIR=%{buildroot} %{?_smp_mflags} BINDIR=/usr/%_lib/libkcapi/
 %{?__debug_package:%{__debug_install_post}} \
 %{__arch_install_post} \
 %{__os_install_post} \
- /usr/bin/fipshmac $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipscheck \
- /usr/bin/fipshmac $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipshmac \
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipscheck |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.fipscheck.hmac \
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipshmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.fipshmac.hmac \
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha1sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha1sum.hmac \
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha256sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha256sum.hmac \
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha384sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha384sum.hmac \
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha512sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha512sum.hmac \
+ openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha1hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha1hmac.hmac \
+ openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha256hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha256hmac.hmac \
+ openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha384hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha384hmac.hmac \
+ openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha512hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha512hmac.hmac \
 %{nil}
 
 %post -n libkcapi0 -p /sbin/ldconfig
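Review bot: Each added `openssl ... |sed -e 's/.* //;' > ....hmac` line takes its exit status from `sed`, so a failing `openssl` (missing input file, unavailable digest) still lets the build succeed and ship an empty or wrong `.hmac` file, unless the build shell has pipefail set. Capturing the digest first makes the failure stop the build, e.g. `mac=$(openssl sha256 -hmac KEY FILE) || exit 1` followed by `echo "${mac##* }" > OUT`, or add a `test -s` on every generated file. The two key strings are fixed values written into the spec and repeated ten times, so these HMACs detect accidental corruption but give no protection against someone able to modify the installed files. Defining each key once as a macro, with a comment saying so and naming which checker expects which key and digest, would make that explicit and reduce the chance of a key/digest mismatch on one line. The macro body these lines belong to starts above the hunk.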