rpms/libgcrypt/devel libgcrypt-1.4.4-use-fipscheck.patch, NONE, 1.1 libgcrypt.spec, 1.34, 1.35

Tomáš Mráz tmraz at fedoraproject.org
Tue Mar 3 20:33:07 UTC 2009


Author: tmraz

Update of /cvs/pkgs/rpms/libgcrypt/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19030

Modified Files:
	libgcrypt.spec 
Added Files:
	libgcrypt-1.4.4-use-fipscheck.patch 
Log Message:
* Tue Mar  3 2009 Tomas Mraz <tmraz at redhat.com> 1.4.4-2
- add hmac FIPS integrity verification check


libgcrypt-1.4.4-use-fipscheck.patch:

--- NEW FILE libgcrypt-1.4.4-use-fipscheck.patch ---
diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
--- libgcrypt-1.4.4/src/fips.c.use-fipscheck	2009-03-03 18:10:49.000000000 +0100
+++ libgcrypt-1.4.4/src/fips.c	2009-03-03 18:51:31.000000000 +0100
@@ -570,23 +570,48 @@ run_random_selftests (void)
   return !!err;
 }
 
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+    Dl_info info;
+    void *dl, *sym;
+    int rv = -1;
+
+        dl = dlopen(libname, RTLD_LAZY);
+        if (dl == NULL) {
+            return -1;
+        }       
+
+    sym = dlsym(dl, symbolname);
+
+    if (sym != NULL && dladdr(sym, &info)) {
+	strncpy(path, info.dli_fname, pathlen-1);
+	path[pathlen-1] = '\0';
+	rv = 0;
+    }
+
+    dlclose(dl);	
+    
+    return rv;
+}
+
 /* Run an integrity check on the binary.  Returns 0 on success.  */
 static int
 check_binary_integrity (void)
 {
 #ifdef ENABLE_HMAC_BINARY_CHECK
   gpg_error_t err;
-  Dl_info info;
+  char libpath[4096];
   unsigned char digest[32];
   int dlen;
   char *fname = NULL;
-  const char key[] = "What am I, a doctor or a moonshuttle conductor?";
+  const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
   
-  if (!dladdr ("gcry_check_version", &info))
+  if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
     err = gpg_error_from_syserror ();
   else
     {
-      dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname,
+      dlen = _gcry_hmac256_file (digest, sizeof digest, libpath,
                                  key, strlen (key));
       if (dlen < 0)
         err = gpg_error_from_syserror ();
@@ -594,7 +619,7 @@ check_binary_integrity (void)
         err = gpg_error (GPG_ERR_INTERNAL);
       else
         {
-          fname = gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
+          fname = gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
           if (!fname)
             err = gpg_error_from_syserror ();
           else
@@ -603,7 +628,7 @@ check_binary_integrity (void)
               char *p;
 
               /* Prefix the basename with a dot.  */
-              strcpy (fname, info.dli_fname);
+              strcpy (fname, libpath);
               p = strrchr (fname, '/');
               if (p)
                 p++;


Index: libgcrypt.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libgcrypt/devel/libgcrypt.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- libgcrypt.spec	25 Feb 2009 15:00:17 -0000	1.34
+++ libgcrypt.spec	3 Mar 2009 20:32:37 -0000	1.35
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.4.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source0: libgcrypt-%{version}-hobbled.tar.bz2
 # The original libgcrypt sources now contain potentially patented ECC
 # cipher support. We have to remove it in the tarball we ship with
@@ -10,12 +10,14 @@
 Source2: wk at g10code.com
 Source3: hobble-libgcrypt
 Patch1: libgcrypt-1.4.4-fips-no-access.patch
+Patch2: libgcrypt-1.4.4-use-fipscheck.patch
 
 # Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
 License: LGPLv2+
 Summary: A general-purpose cryptography library
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: gawk, libgpg-error-devel >= 1.4, pkgconfig
+BuildRequires: fipscheck
 Group: System Environment/Libraries
 
 %package devel
@@ -38,6 +40,7 @@
 %setup -q
 %{SOURCE3}
 %patch1 -p1 -b .no-access
+%patch2 -p1 -b .use-fipscheck
 
 %build
 %configure --disable-static \
@@ -45,12 +48,22 @@
      --disable-asm \
 %endif
      --enable-noexecstack \
+     --enable-hmac-binary-check \
      --enable-pubkey-ciphers='dsa elgamal rsa'
 make %{?_smp_mflags}
 
 %check
+fipshmac src/.libs/libgcrypt.so.??
 make check
 
+# Add generation of HMAC checksums of the final stripped binaries 
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    fipshmac $RPM_BUILD_ROOT/%{_lib}/*.so.?? \
+%{nil}
+
 %install
 rm -fr $RPM_BUILD_ROOT
 %makeinstall
@@ -117,8 +130,8 @@
 %files
 %defattr(-,root,root)
 %dir /etc/gcrypt
-/%{_lib}/*.so.*
-#%{_libdir}/%{name}
+/%{_lib}/libgcrypt.so.*
+/%{_lib}/.libgcrypt.so.*.hmac
 
 %files devel
 %defattr(-,root,root)
@@ -128,11 +141,13 @@
 %{_includedir}/*
 %{_libdir}/*.so
 %{_datadir}/aclocal/*
-#%{_datadir}/%{name}
 
 %{_infodir}/gcrypt.info*
 
 %changelog
+* Tue Mar  3 2009 Tomas Mraz <tmraz at redhat.com> 1.4.4-3
+- add hmac FIPS integrity verification check
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.4.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
 




More information about the fedora-extras-commits mailing list