From a362a8c8591c6901572a745d694760d7d667031c944fb5d8c9efc374436025ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Tue, 1 Oct 2019 15:19:02 +0000 Subject: [PATCH] Accepting request 734377 from home:vitezslav_cizek:branches:security:tls - Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) OBS-URL: https://build.opensuse.org/request/show/734377 OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=9 --- libnettle.changes | 6 ++++++ libnettle.spec | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+)
diff --git a/libnettle.changes b/libnettle.changes
index e8417aa..eb787ee 100644
--- a/libnettle.changes
+++ b/libnettle.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 1 15:08:36 UTC 2019 - Vítězslav Čížek
+
+- Install checksums for binary integrity verification which are
+ required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+
 -------------------------------------------------------------------
 Thu Aug 1 10:26:28 UTC 2019 - Andreas Stieger
diff --git a/libnettle.spec b/libnettle.spec
index de7e289..fef24ca 100644
--- a/libnettle.spec
+++ b/libnettle.spec
@@ -31,6 +31,7 @@ Source2: %{name}.keyring
 Source3: baselibs.conf
 # PATCH-FIX-UPSTREAM respect cflags while building
 Patch0: nettle-respect-cflags.patch
+BuildRequires: fipscheck
 BuildRequires: gmp-devel
 BuildRequires: m4
 BuildRequires: makeinfo
@@ -105,6 +106,22 @@ make %{?_smp_mflags}
 %install
 %make_install
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+%{expand:%%global __os_install_post {%__os_install_post
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libnettle.so.%{soname}
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libhogweed.so.%{hogweed_soname}
+}}
+
 %post -n libnettle%{soname} -p /sbin/ldconfig
 %postun -n libnettle%{soname} -p /sbin/ldconfig
 %post -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
@@ -123,10 +140,12 @@ make check %{?_smp_mflags}
 %doc AUTHORS ChangeLog NEWS README
 %{_libdir}/libnettle.so.%{soname}
 %{_libdir}/libnettle.so.%{soname}.*
+%{_libdir}/.libnettle.so.%{soname}.hmac
 %files -n libhogweed%{hogweed_soname}
 %{_libdir}/libhogweed.so.%{hogweed_soname}
 %{_libdir}/libhogweed.so.%{hogweed_soname}.*
+%{_libdir}/.libhogweed.so.%{hogweed_soname}.hmac
 %files -n libnettle-devel
 %{_includedir}/nettle
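Review bot: The comment block above the `%{expand:%%global __os_install_post ...}` override should say what the generated checksum does and does not protect, because it prints the HMAC key right next to the code that relies on it. The key is a fixed value in a public spec file, so the `.hmac` files let the FIPS-mode self-test catch a corrupted or mismatched library, but anyone who can replace the library can also recompute its `.hmac`. I would add `# note: the key is public, so the .hmac is a self-test aid only; authenticity still comes from the package signature`. It is also worth stating in the comment that any later build step that rewrites the two shared objects after `fipshmac` has run would invalidate the files, since the whole point of the override is ordering.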
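Review bot: The two `.hmac` entries in the `%files` lists cover only the main library packages; `Source3: baselibs.conf` appears as context in the first spec hunk but is not changed by this commit. If that file generates compat (for example -32bit) library packages, they would presumably ship `libnettle.so.%{soname}` and `libhogweed.so.%{hogweed_soname}` without their `.hmac` files and could fail the integrity check in FIPS mode. Please confirm whether `baselibs.conf` needs matching entries, and consider a short comment above each new line such as `# FIPS integrity checksum, must be shipped together with the library it covers`.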