- Backport upstream patches fipscheck-fix_check_openssl_version.patch

and fipscheck-fix_incorrect_length_type.patch to fix C99 violations which are errors by default with GCC 14 [boo#1221714] - although the first one looks like it possibly fixes some more substantial error. Please (assuming the request is OK), forward this to Factory soonish so that we can switch the default compiler. OBS-URL: https://build.opensuse.org/package/show/security/fipscheck?expand=0&rev=27
2024-07-16 07:53:54 +00:00 · 2024-07-16 07:53:54 +00:00 · 0bd9b7e9e1
commit 0bd9b7e9e1
8 changed files with 283 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/baselibs.conf
+++ b/baselibs.conf
@ -0,0 +1 @@
+libfipscheck1
--- a/fipscheck-1.7.0.tar.bz2
+++ b/fipscheck-1.7.0.tar.bz2
--- a/fipscheck-fix_check_openssl_version.patch
+++ b/fipscheck-fix_check_openssl_version.patch
@ -0,0 +1,36 @@
+From 8e8fb5a47d19bc4bb589af06623e710d755bb963 Mon Sep 17 00:00:00 2001
+From: "Doug.Smith" <doug.smith@lairdconnect.com>
+Date: Tue, 23 Aug 2022 15:13:02 -0400
+Subject: [PATCH] BZ22308: fipscheck for openssl-3 fails
+
+Fix openssl version check -- missing include
+of version <opensslv.h> before check.
+
+Fix loading of openssl fips provider.
+
+Bug: 22308
+---
+ src/filehmac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index 87ad15f..f9b5310 100644
+--- a/src/filehmac.c
+++ b/src/filehmac.c
+@@ -41,6 +41,7 @@
+ #include <sys/wait.h>
+ 
+ #if defined(WITH_OPENSSL)
+#include <openssl/opensslv.h>
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include <openssl/provider.h>
+ #include <openssl/evp.h>
+@@ -215,7 +216,7 @@ compute_file_hmac(const char *path, void **buf, size_t *hmaclen, int force_fips)
+ 	size_t len;
+ 	unsigned int hlen;
+ 
+-	if (force_fips && fips != NULL) {
+	if (force_fips && fips == NULL) {
+ 		fips = OSSL_PROVIDER_load(NULL, "fips");
+ 		if (fips == NULL) {
+ 			debug_log("Failed to load FIPS provider\n");
--- a/fipscheck-fix_incorrect_length_type.patch
+++ b/fipscheck-fix_incorrect_length_type.patch
@ -0,0 +1,26 @@
+From 05f84f7ec315f1251ffaa151e3b69df68f31c9e9 Mon Sep 17 00:00:00 2001
+From: Isaac Lee <isaac.lee@alliedtelesis.co.nz>
+Date: Thu, 16 Feb 2023 19:21:59 +1300
+Subject: [PATCH] filehmac: fix incorrect length type
+
+EVP_MAC_final() expects a size_t type variable for storing the number of
+bytes written, but the the variable was declared as unsigned int, causing
+the function to write 0 to the variable while the actual hmac computation
+actually successfully completes.
+---
+ src/filehmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index f9b5310..f59f09e 100644
+--- a/src/filehmac.c
+++ b/src/filehmac.c
+@@ -214,7 +214,7 @@ compute_file_hmac(const char *path, void **buf, size_t *hmaclen, int force_fips)
+ 	OSSL_PARAM params[2];
+ 	unsigned char rbuf[READ_BUFFER_LENGTH];
+ 	size_t len;
+-	unsigned int hlen;
+	size_t hlen;
+ 
+ 	if (force_fips && fips == NULL) {
+ 		fips = OSSL_PROVIDER_load(NULL, "fips");
--- a/fipscheck.changes
+++ b/fipscheck.changes
@ -0,0 +1,89 @@
+-------------------------------------------------------------------
+Mon Jul  8 15:29:36 UTC 2024 - Martin Jambor <mjambor@suse.com>
+
+- Backport upstream patches fipscheck-fix_check_openssl_version.patch
+  and fipscheck-fix_incorrect_length_type.patch to fix C99 violations
+  which are errors by default with GCC 14 [boo#1221714] - although the
+  first one looks like it possibly fixes some more substantial error.
+
+-------------------------------------------------------------------
+Wed Nov  2 14:30:29 UTC 2022 - Marcus Meissner <meissner@suse.com>
+
+- updated to 1.7.0 (from a different supplier)
+  - openssl 3 support
+- dropped fipscheck-dont_generate_manpages.patch (not needed)
+- dropped fipscheck-fips.h_not_needed.patch (not needed)
+
+-------------------------------------------------------------------
+Fri Nov 20 09:50:32 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
+
+- move libs to %_libdir (boo#1029961)
+
+-------------------------------------------------------------------
+Mon Sep 16 10:48:51 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Remove #include of unused fips.h to fix build with OpenSSL 1.1.1
+  (bsc#1149792)
+  * add fipscheck-fips.h_not_needed.patch
+- Drop obsolete openssl-1_1-port.patch (upstream)
+
+-------------------------------------------------------------------
+Thu Jan  3 11:08:27 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Use the shipped manpages instead of building them with xmlto
+  in order to avoid a build cycle (fipscheck, xmlto, libxslt, libgcrypt)
+  * add fipscheck-dont_generate_manpages.patch
+- fix build on older distributions
+
+-------------------------------------------------------------------
+Thu Sep 20 17:16:11 UTC 2018 - Jason Sikes <jsikes@suse.de>
+
+- Changed source back to http now that current release folder
+  has current tarball.
+
+-------------------------------------------------------------------
+Tue Sep 11 23:51:42 UTC 2018 - Jason Sikes <jsikes@suse.de>
+
+- Updated fipscheck to 1.5.0
+  * Changed source to local file since latest official release
+    is not in the official releases directory.
+  * Downgraded libopenssl-devel to libopenssl-1_0_0-devel because
+    1.0.2 supports FIPS.
+
+-------------------------------------------------------------------
+Mon Jun 12 14:21:41 UTC 2017 - daniel.molkentin@suse.com
+
+- Port to OpenSSL 1.1 (bsc#1042649)
+  Adds openssl-1_1-port.patch
+
+-------------------------------------------------------------------
+Mon Apr 13 08:50:02 UTC 2015 - jengelh@inai.de
+
+- Set RPM groups anew. Drop implicit cleaning parts.
+
+-------------------------------------------------------------------
+Mon Jun  2 10:01:01 UTC 2014 - meissner@suse.com
+
+- add baselibs.conf
+
+-------------------------------------------------------------------
+Tue May 27 14:13:38 UTC 2014 - meissner@suse.com
+
+- updated to 1.4.1
+  - added manpages
+  - fipscheck/fipshmac: Add -s option to specify the hmac suffix
+  - fipshmac: Add '-d' option to specify where to put the .hmac files
+  - various bugfixes
+
+-------------------------------------------------------------------
+Tue Jan 21 14:21:27 UTC 2014 - cfarrell@suse.com
+
+- license update: BSD-2-Clause
+  See LICENSE
+
+-------------------------------------------------------------------
+Mon Jan 20 09:37:18 UTC 2014 - meissner@suse.com
+
+- imported a generic fips helper to verify fips modules, linked
+  to openssl.
+
--- a/fipscheck.spec
+++ b/fipscheck.spec
@ -0,0 +1,104 @@
+#
+# spec file for package fipscheck
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define lname libfipscheck1
+%global soversion 1.2.1
+%global somajor 1
+Name:           fipscheck
+Version:        1.7.0
+Release:        0
+Summary:        A library for integrity verification of FIPS validated modules
+License:        BSD-2-Clause
+Group:          Development/Libraries/C and C++
+URL:            https://github.com/LairdCP/fipscheck
+Source0:        fipscheck-%version.tar.bz2
+Source1:        baselibs.conf
+Patch0:         fipscheck-fix_check_openssl_version.patch
+Patch1:         fipscheck-fix_incorrect_length_type.patch
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  pkgconfig(openssl)
+Requires:       %{lname} = %{version}
+
+%description
+FIPSCheck is a library for integrity verification of FIPS validated
+modules. The package also provides helper binaries for creation and
+verification of the HMAC-SHA256 checksum files.
+
+%package -n %{lname}
+Summary:        Library files for %{name}
+Group:          System/Libraries
+Requires:       %{_bindir}/fipscheck
+
+%description -n %{lname}
+This package contains the FIPSCheck library.
+
+%package devel
+Summary:        Development files for %{name}
+Group:          Development/Libraries/C and C++
+Requires:       %{lname} = %{version}
+
+%description devel
+This package contains development files for %{name}.
+
+%prep
+%setup -q
+%patch -P0 -p1
+%patch -P1 -p1
+
+%build
+%configure --disable-static
+
+make %{?_smp_mflags} LDFLAGS="-Wl,-z,relro"
+
+# Add generation of HMAC checksums of the final stripped binaries
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %__os_install_post \
+    %{buildroot}%{_bindir}/fipshmac %{buildroot}%{_bindir}/fipscheck \
+    %{buildroot}%{_bindir}/fipshmac %{buildroot}/%{_libdir}/libfipscheck.so.%{soversion} \
+    ln -s .libfipscheck.so.%{soversion}.hmac %{buildroot}/%{_libdir}/.libfipscheck.so.%{somajor}.hmac \
+%{nil}
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%post -n %{lname} -p /sbin/ldconfig
+%postun -n %{lname} -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc ChangeLog README AUTHORS
+%{_bindir}/fipscheck
+%{_bindir}/.fipscheck.hmac
+%{_bindir}/fipshmac
+
+%files -n %{lname}
+%{_libdir}/libfipscheck.so.*
+%{_libdir}/.libfipscheck.so.*
+%{_mandir}/man8/*.8%{?ext_man}
+
+%files devel
+%{_includedir}/fipscheck.h
+%{_libdir}/libfipscheck.so
+%{_mandir}/man3/*.3%{?ext_man}
+
+%changelog