Accepting request 509804 from security

- Change the signing to use openssl sha256/sha512 directly, to avoid fipscheck / hmaccalc. OBS-URL: https://build.opensuse.org/request/show/509804 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libkcapi?expand=0&rev=3
2017-07-17 07:08:58 +00:00 · 2017-07-17 07:08:58 +00:00 · 23298e13ac
commit 23298e13ac
parent 557970aefc 2c65ca3bff
2 changed files with 20 additions and 4 deletions
--- a/libkcapi.changes
+++ b/libkcapi.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Wed Jul 12 14:51:26 UTC 2017 - meissner@suse.com
 - Change the signing to use openssl sha256/sha512 directly, to
  avoid fipscheck / hmaccalc.
 -------------------------------------------------------------------
 Sat Jul  8 14:04:41 UTC 2017 - bwiedemann@suse.com
--- a/libkcapi.spec
+++ b/libkcapi.spec
@ -25,13 +25,15 @@ Group:          Productivity/Security
 Url:            http://www.chronox.de/libkcapi.html
 #Source:		https://github.com/smuellerDD/libkcapi/archive/v0.13.0.zip
 Source:         libkcapi-0.13.0.tar.bz2
-Patch0:		libkcapi-use-external-fipshmac.patch
+Patch0:         libkcapi-use-external-fipshmac.patch
 # PATCH-FIX-UPSTREAM rewritten upstream in https://github.com/smuellerDD/libkcapi/commit/0e7b2b0300782
 Patch1:         reproduciblesort.patch
 # PATCH-FIX-UPSTREAM https://github.com/smuellerDD/libkcapi/pull/12
 Patch2:         reproducibledate.patch
-BuildRequires:  docbook-utils xmlto
+BuildRequires:  docbook-utils
 BuildRequires:  fipscheck
 BuildRequires:  openssl
 BuildRequires:  xmlto
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -98,8 +100,16 @@ make install DESTDIR=%{buildroot} %{?_smp_mflags} BINDIR=/usr/%_lib/libkcapi/
 	%{?__debug_package:%{__debug_install_post}} \
 	%{__arch_install_post} \
 	%{__os_install_post} \
-	/usr/bin/fipshmac $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipscheck \
+	openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipscheck |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.fipscheck.hmac \
-	/usr/bin/fipshmac $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipshmac \
+	openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/fipshmac  |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.fipshmac.hmac \
 	openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha1sum   |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha1sum.hmac \
 	openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha256sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha256sum.hmac \
 	openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha384sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha384sum.hmac \
 	openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha512sum |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha512sum.hmac \
 	openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha1hmac   |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha1hmac.hmac \
 	openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha256hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha256hmac.hmac \
 	openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha384hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha384hmac.hmac \
 	openssl sha512 -hmac FIPS-FTW-RHT2009 $RPM_BUILD_ROOT/usr/%_lib/libkcapi/sha512hmac |sed -e 's/.* //;' > $RPM_BUILD_ROOT/usr/%_lib/libkcapi/.sha512hmac.hmac \
 	%{nil}
 %post -n libkcapi0 -p /sbin/ldconfig