Accepting request 734381 from security:tls

OBS-URL: https://build.opensuse.org/request/show/734381 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnettle?expand=0&rev=33
2019-10-05 14:18:33 +00:00 · 2019-10-05 14:18:33 +00:00 · e8a9d55aa3
commit e8a9d55aa3
parent 844aade98c a362a8c859
2 changed files with 25 additions and 0 deletions
--- a/libnettle.changes
+++ b/libnettle.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct  1 15:08:36 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Install checksums for binary integrity verification which are
+  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+
 -------------------------------------------------------------------
 Thu Aug  1 10:26:28 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/libnettle.spec
+++ b/libnettle.spec
@ -31,6 +31,7 @@ Source2:        %{name}.keyring
 Source3:        baselibs.conf
 # PATCH-FIX-UPSTREAM respect cflags while building
 Patch0:         nettle-respect-cflags.patch
+BuildRequires:  fipscheck
 BuildRequires:  gmp-devel
 BuildRequires:  m4
 BuildRequires:  makeinfo
@ -105,6 +106,22 @@ make %{?_smp_mflags}
 %install
 %make_install

+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+%{expand:%%global __os_install_post {%__os_install_post
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libnettle.so.%{soname}
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libhogweed.so.%{hogweed_soname}
+}}
+
 %post   -n libnettle%{soname} -p /sbin/ldconfig
 %postun -n libnettle%{soname} -p /sbin/ldconfig
 %post   -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
@ -123,10 +140,12 @@ make check %{?_smp_mflags}
 %doc AUTHORS ChangeLog NEWS README
 %{_libdir}/libnettle.so.%{soname}
 %{_libdir}/libnettle.so.%{soname}.*
+%{_libdir}/.libnettle.so.%{soname}.hmac

 %files -n libhogweed%{hogweed_soname}
 %{_libdir}/libhogweed.so.%{hogweed_soname}
 %{_libdir}/libhogweed.so.%{hogweed_soname}.*
+%{_libdir}/.libhogweed.so.%{hogweed_soname}.hmac

 %files -n libnettle-devel
 %{_includedir}/nettle