diff --git a/libnettle.changes b/libnettle.changes
index e8417aa..eb787ee 100644
--- a/libnettle.changes
+++ b/libnettle.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 1 15:08:36 UTC 2019 - Vítězslav Čížek
+
+- Install checksums for binary integrity verification which are
+ required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+
 -------------------------------------------------------------------
 Thu Aug 1 10:26:28 UTC 2019 - Andreas Stieger
diff --git a/libnettle.spec b/libnettle.spec
index de7e289..fef24ca 100644
--- a/libnettle.spec
+++ b/libnettle.spec
@@ -31,6 +31,7 @@ Source2: %{name}.keyring
 Source3: baselibs.conf
 # PATCH-FIX-UPSTREAM respect cflags while building
 Patch0: nettle-respect-cflags.patch
+BuildRequires: fipscheck
 BuildRequires: gmp-devel
 BuildRequires: m4
 BuildRequires: makeinfo
@@ -105,6 +106,22 @@ make %{?_smp_mflags}
 %install
 %make_install
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+%{expand:%%global __os_install_post {%__os_install_post
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libnettle.so.%{soname}
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libhogweed.so.%{hogweed_soname}
+}}
+
 %post -n libnettle%{soname} -p /sbin/ldconfig
 %postun -n libnettle%{soname} -p /sbin/ldconfig
 %post -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
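Review bot: The comment block above the `%{expand:%%global __os_install_post ...}` redefinition in `%install` quotes the HMAC key but does not say what the resulting `.hmac` files do and do not guarantee. Because the key is fixed and printed in the spec, the checksum is a FIPS integrity self-check against corruption, not protection against someone able to replace both the library and its `.hmac`; I would add `# note: the key is fixed and public, so the .hmac only supports the FIPS integrity self-test; authenticity still comes from the signed package`. The sentence "this shows up earlier because otherwise the %expand of the macro is too late" is also hard to follow and could say outright that the macro must be redefined inside `%install`, before rpm expands `__os_install_post` at the end of that section. Since the whole hack depends on `fipshmac` running after stripping, a step in `%check` that recomputes the digest of the two libraries in `%{buildroot}` and compares it with the installed `.hmac` files would catch a later change in macro ordering, assuming `%check` runs after the post-install processing in this build setup.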
@@ -123,10 +140,12 @@ make check %{?_smp_mflags}
 %doc AUTHORS ChangeLog NEWS README
 %{_libdir}/libnettle.so.%{soname}
 %{_libdir}/libnettle.so.%{soname}.*
+%{_libdir}/.libnettle.so.%{soname}.hmac
 %files -n libhogweed%{hogweed_soname}
 %{_libdir}/libhogweed.so.%{hogweed_soname}
 %{_libdir}/libhogweed.so.%{hogweed_soname}.*
+%{_libdir}/.libhogweed.so.%{hogweed_soname}.hmac
 %files -n libnettle-devel
 %{_includedir}/nettle
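Review bot: The two new `%files` entries ship the `.hmac` dotfiles only in the native `libnettle%{soname}` and `libhogweed%{hogweed_soname}` packages, and no matching change to `baselibs.conf` (listed as `Source3`) is visible in this part of the diff. If FIPS mode is meant to work with the generated biarch packages as well, please confirm that those packages pick up `%{_libdir}/.libnettle.so.%{soname}.hmac` and `%{_libdir}/.libhogweed.so.%{hogweed_soname}.hmac`; a library installed without its checksum would presumably fail the integrity check rather than skip it. A short comment above each entry, for example `# HMAC for the FIPS integrity self-test, must stay in the same package as the library it covers`, would also keep a later package split from separating the two.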