Accepting request 734378 from home:vitezslav_cizek:branches:security:tls

- Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) OBS-URL: https://build.opensuse.org/request/show/734378 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=24
2019-10-01 15:18:43 +00:00 · 2019-10-01 15:18:43 +00:00 · 8ed96b3590
commit 8ed96b3590
parent ef95c81a37
2 changed files with 23 additions and 0 deletions
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 24 13:16:02 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Install checksums for binary integrity verification which are
+  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+
 -------------------------------------------------------------------
 Wed Jul 31 17:05:53 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -44,6 +44,7 @@ BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
 BuildRequires:  fdupes
+BuildRequires:  fipscheck
 BuildRequires:  gcc-c++
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
 BuildRequires:  iproute2
@ -185,6 +186,21 @@ export CXXFLAGS="%{optflags} -fPIE"
 	%{nil}
 make %{?_smp_mflags}

+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+%{expand:%%global __os_install_post {%__os_install_post
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
+}}
+
 %install
 %make_install
 rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
@ -252,6 +268,7 @@ make %{?_smp_mflags} check || {

 %files -n libgnutls%{gnutls_sover}
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
+%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}