rpms/libgcrypt/devel libgcrypt-1.4.4-use-fipscheck.patch, NONE, 1.1 libgcrypt.spec, 1.34, 1.35
Tomáš Mráz
tmraz at fedoraproject.org
Tue Mar 3 20:33:07 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/libgcrypt/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19030
Modified Files:
libgcrypt.spec
Added Files:
libgcrypt-1.4.4-use-fipscheck.patch
Log Message:
* Tue Mar 3 2009 Tomas Mraz <tmraz at redhat.com> 1.4.4-2
- add hmac FIPS integrity verification check
libgcrypt-1.4.4-use-fipscheck.patch:
--- NEW FILE libgcrypt-1.4.4-use-fipscheck.patch ---
diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
--- libgcrypt-1.4.4/src/fips.c.use-fipscheck 2009-03-03 18:10:49.000000000 +0100
+++ libgcrypt-1.4.4/src/fips.c 2009-03-03 18:51:31.000000000 +0100
@@ -570,23 +570,48 @@ run_random_selftests (void)
return !!err;
}
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
/* Run an integrity check on the binary. Returns 0 on success. */
static int
check_binary_integrity (void)
{
#ifdef ENABLE_HMAC_BINARY_CHECK
gpg_error_t err;
- Dl_info info;
+ char libpath[4096];
unsigned char digest[32];
int dlen;
char *fname = NULL;
- const char key[] = "What am I, a doctor or a moonshuttle conductor?";
+ const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
- if (!dladdr ("gcry_check_version", &info))
+ if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
err = gpg_error_from_syserror ();
else
{
- dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname,
+ dlen = _gcry_hmac256_file (digest, sizeof digest, libpath,
key, strlen (key));
if (dlen < 0)
err = gpg_error_from_syserror ();
@@ -594,7 +619,7 @@ check_binary_integrity (void)
err = gpg_error (GPG_ERR_INTERNAL);
else
{
- fname = gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
+ fname = gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
if (!fname)
err = gpg_error_from_syserror ();
else
@@ -603,7 +628,7 @@ check_binary_integrity (void)
char *p;
/* Prefix the basename with a dot. */
- strcpy (fname, info.dli_fname);
+ strcpy (fname, libpath);
p = strrchr (fname, '/');
if (p)
p++;
Index: libgcrypt.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libgcrypt/devel/libgcrypt.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- libgcrypt.spec 25 Feb 2009 15:00:17 -0000 1.34
+++ libgcrypt.spec 3 Mar 2009 20:32:37 -0000 1.35
@@ -1,6 +1,6 @@
Name: libgcrypt
Version: 1.4.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Source0: libgcrypt-%{version}-hobbled.tar.bz2
# The original libgcrypt sources now contain potentially patented ECC
# cipher support. We have to remove it in the tarball we ship with
@@ -10,12 +10,14 @@
Source2: wk at g10code.com
Source3: hobble-libgcrypt
Patch1: libgcrypt-1.4.4-fips-no-access.patch
+Patch2: libgcrypt-1.4.4-use-fipscheck.patch
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
License: LGPLv2+
Summary: A general-purpose cryptography library
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: gawk, libgpg-error-devel >= 1.4, pkgconfig
+BuildRequires: fipscheck
Group: System Environment/Libraries
%package devel
@@ -38,6 +40,7 @@
%setup -q
%{SOURCE3}
%patch1 -p1 -b .no-access
+%patch2 -p1 -b .use-fipscheck
%build
%configure --disable-static \
@@ -45,12 +48,22 @@
--disable-asm \
%endif
--enable-noexecstack \
+ --enable-hmac-binary-check \
--enable-pubkey-ciphers='dsa elgamal rsa'
make %{?_smp_mflags}
%check
+fipshmac src/.libs/libgcrypt.so.??
make check
+# Add generation of HMAC checksums of the final stripped binaries
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ fipshmac $RPM_BUILD_ROOT/%{_lib}/*.so.?? \
+%{nil}
+
%install
rm -fr $RPM_BUILD_ROOT
%makeinstall
@@ -117,8 +130,8 @@
%files
%defattr(-,root,root)
%dir /etc/gcrypt
-/%{_lib}/*.so.*
-#%{_libdir}/%{name}
+/%{_lib}/libgcrypt.so.*
+/%{_lib}/.libgcrypt.so.*.hmac
%files devel
%defattr(-,root,root)
@@ -128,11 +141,13 @@
%{_includedir}/*
%{_libdir}/*.so
%{_datadir}/aclocal/*
-#%{_datadir}/%{name}
%{_infodir}/gcrypt.info*
%changelog
+* Tue Mar 3 2009 Tomas Mraz <tmraz at redhat.com> 1.4.4-3
+- add hmac FIPS integrity verification check
+
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.4.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
More information about the fedora-extras-commits
mailing list