diff --git a/fipscheck-openssl3.patch b/fipscheck-openssl3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9086633b85c995d2511c021fc42d2297fd6057da
--- /dev/null
+++ b/fipscheck-openssl3.patch
@@ -0,0 +1,247 @@
+--- a/src/filehmac.c 2017-02-23 22:31:42.000000000 +0800
++++ b/src/filehmac.c 2025-02-01 01:19:39.329175000 +0800
+@@ -41,9 +41,13 @@
+ #include
+ 
+ #if defined(WITH_OPENSSL)
+-#include
++#include
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
+ #include
++#else
+ #include
++#endif
+ #elif defined(WITH_NSS)
+ #include
+ #include
+@@ -196,10 +200,110 @@
+ }
+ #endif
+ 
++#if defined(WITH_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L
++int
++compute_file_hmac(const char *path, void **buf, size_t *hmaclen, int force_fips)
++{
++ static OSSL_PROVIDER *fips = NULL;
++ FILE *f = NULL;
++
++#ifdef CALL_PRELINK
++ int prelink = 0;
++#endif
++ int rv = -1;
++ OSSL_PARAM params[2];
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ size_t hlen;
++
++ if (force_fips && fips == NULL) {
++ fips = OSSL_PROVIDER_load(NULL, "fips");
++ if (fips == NULL) {
++ debug_log("Failed to load FIPS provider\n");
++ return -1;
++ }
++ }
++
++#ifdef CALL_PRELINK
++ if (access(PATH_PRELINK, X_OK) == 0) {
++ f = spawn_prelink(path, &prelink);
++ }
++
++ if (!prelink && f == NULL) {
++ f = fopen(path, "r");
++ }
++#else
++ f = fopen(path, "r");
++#endif
++
++ if (f == NULL) {
++ debug_log("Failed to open '%s'", path);
++ goto end;
++ }
++
++ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", force_fips ? "provider=fips" : NULL);
++ if (mac == NULL) {
++ debug_log("Failed to allocate memory for HMAC");
++ goto end;
++ }
++
++ EVP_MAC_CTX *c = EVP_MAC_CTX_new(mac);
++ if (c == NULL) {
++ debug_log("Failed to allocate memory for HMAC_CTX");
++ goto end;
++ }
++
++ EVP_MAC_free(mac);
++
++ params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0);
++ params[1] = OSSL_PARAM_construct_end();
++
++ EVP_MAC_init(c, hmackey, sizeof(hmackey) - 1, params);
++
++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0)
++ EVP_MAC_update(c, rbuf, len);
++
++ EVP_MAC_final(c, rbuf, &hlen, sizeof(rbuf));
++ EVP_MAC_CTX_free(c);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ debug_log("Failed to allocate memory");
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++
++end:
++ if (f)
++ fclose(f);
++
++#ifdef CALL_PRELINK
++ if (prelink) {
++ int ret;
++ int status;
++
++ while ((ret = waitpid(prelink, &status, 0)) == -1 && /* wait for prelink to complete */
++ errno == EINTR);
++ if (ret <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
++ debug_log("prelink failed");
++ rv = -1;
++ }
++ }
++#endif
++
++ return rv;
++}
++#else
+ int
+ compute_file_hmac(const char *path, void **buf, size_t *hmaclen, int force_fips)
+ {
+ FILE *f = NULL;
++
+ #ifdef CALL_PRELINK
+ int prelink = 0;
+ #endif
+@@ -216,7 +320,7 @@
+ 
+ #if defined(WITH_NSS)
+ /*
+- * While, technically, NSS_NoDB_Init() is idenpotent, perform
++ * While, technically, NSS_NoDB_Init() is idempotent, perform
+ * an explicit test.
+ */
+ if (!NSS_IsInitialized()) {
+@@ -278,7 +382,7 @@
+ debug_log("Failed to allocate memory for HMAC_CTX");
+ goto end;
+ }
+- HMAC_Init(c, hmackey, sizeof(hmackey)-1, EVP_sha256());
++ HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL);
+ #elif defined(WITH_NSS)
+ errno = 0;
+ hash = HASH_GetHashObject(HASH_AlgSHA256);
+@@ -297,9 +401,8 @@
+ HMAC_Begin(c);
+ #endif
+ 
+- while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0)
+ HMAC_Update(c, rbuf, len);
+- }
+ 
+ len = sizeof(rbuf);
+ /* reuse rbuf for hmac */
+@@ -321,13 +424,13 @@
+ 
+ rv = 0;
+ end:
++ if (c != NULL) {
+ #if defined(WITH_OPENSSL)
+ HMAC_CTX_free(c);
+ #elif defined(WITH_NSS)
+- if (c != NULL) {
+ HMAC_Destroy(c, PR_TRUE);
+- }
+ #endif
++ }
+ 
+ if (f)
+ fclose(f);
+@@ -348,6 +451,7 @@
+ 
+ return rv;
+ }
++#endif
+ 
+ static const char conv[] = "0123456789abcdef";
+ 
+--- a/configure.ac 2017-02-23 22:40:43.000000000 +0800
++++ b/configure.ac 2025-02-01 01:19:39.327091200 +0800
+@@ -25,17 +26,29 @@
+ # of the authors and should not be interpreted as representing official policies,
+ # either expressed or implied, of Red Hat, Inc.
+ 
+-AC_INIT([fipscheck],[1.5.0],[tmraz@redhat.com])
+-AC_CONFIG_HEADER([config.h])
+-AC_PREREQ(2.60)
++AC_INIT([fipscheck],[1.7.0],[support@lairdconnect.com])
++AC_CONFIG_HEADERS([config.h])
++AC_PREREQ([2.69])
+ 
+ AC_CONFIG_MACRO_DIR([m4])
+ AM_INIT_AUTOMAKE([dist-bzip2 no-dist-gzip])
+ 
++AC_ARG_ENABLE([docs],
++ AS_HELP_STRING([--enable-docs], [Enable man genereation @<:@default=yes@:>@]),
++ [case "${enableval}" in
++ yes) enable_docs=true ;;
++ no) enable_docs=false ;;
++ *) AC_MSG_ERROR([bad value ${enableval} for --enable-docs]) ;;
++ esac],[enable_docs=true])
++AM_CONDITIONAL([ENABLE_DOCS], [test x$enable_docs = xtrue])
++
+ dnl Check for _GNU_SOURCE
+ AC_USE_SYSTEM_EXTENSIONS
+ 
+-AM_PROG_LIBTOOL
++LT_INIT([disable-static])
++
++_LT_TAGVAR(hardcode_libdir_flag_spec, )=""
++_LT_TAGVAR(hardcode_minus_L, )=yes
+ 
+ PKG_PROG_PKG_CONFIG()
+ 
+@@ -66,7 +79,6 @@
+ 
+ dnl Checks for typedefs, structures, and compiler characteristics.
+ AC_C_CONST
+-AC_TYPE_SIGNAL
+ AC_TYPE_UID_T
+ AC_TYPE_MODE_T
+ AC_TYPE_OFF_T
+@@ -78,8 +90,7 @@
+ AC_CHECK_LIB([dl], [dlopen], LIBDL="-ldl", LIBDL="")
+ AC_SUBST(LIBDL)
+ 
+-
+-dnl This isn't a strictly correct use of --with, OTOH it is better
++dnl This is not a strictly correct use of --with, OTOH it is better
+ dnl than having separate and conflicting --with-nss and --with-openssl
+ dnl options. Rather than be "smart" and guess the crypto library
+ dnl based on what is installed, this logic simply barfs on an error.
+@@ -93,9 +104,9 @@
+ dnl Check for the existence of the slected crypto library with FIPS mode
+ AS_CASE($with_crypto,
+ [openssl|ssl], [
++ PKG_CHECK_MODULES([CRYPTO],[libcrypto],[],[AC_MSG_ERROR([OpenSSL library with FIPS mode support is required])])
++ CRYPTO_LIBS=-lcrypto
+ AC_DEFINE([WITH_OPENSSL], [1], [use HMAC from the OpenSSL crypto library])
+- AC_CHECK_LIB([crypto], [FIPS_mode], [CRYPTO_LIBS=-lcrypto],
+- [AC_MSG_ERROR([OpenSSL library with FIPS mode support is required])])
+ ],
+ [nss], [
+ PKG_CHECK_MODULES([CRYPTO],[nss],[],[AC_MSG_ERROR([NSS library with FIPS mode support is required])])
diff --git a/fipscheck.spec b/fipscheck.spec
index 55c437c79312cf91e87716cb7ff519e8f39ef959..0567d4654a55831aebb27c8085af3f0385d45482 100644
--- a/fipscheck.spec
+++ b/fipscheck.spec
@@ -1,12 +1,16 @@
 Name: fipscheck
 Version: 1.5.0
-Release: 11
+Release: 12
 Summary: Helper library for FIPS integrity checking
 License: BSD-2-Clause
 URL: https://pagure.io/fipscheck
 Source0: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.bz2
+# Patch from https://github.com/Ezurio/fipscheck
+# opensuse have switched to this fork
+Patch0: fipscheck-openssl3.patch
-BuildRequires: gcc compat-openssl11-devel >= 1.0.0
+BuildRequires: gcc openssl-devel >= 1.0.0
+BuildRequires: autoconf automake libtool
 Obsoletes: %{name}-lib < %{version}-%{release}
 Provides: %{name}-lib = %{version}-%{release}
 Provides: %{name}-lib%{_isa} = %{version}-%{release}
@@ -29,6 +33,7 @@ Development headers and libraries for %{name}
 %autosetup -n %{name}-%{version} -p1
 %build
+autoreconf -fi
 %configure --enable-static
 %make_build
@@ -68,6 +73,9 @@ mkdir -p %{buildroot}%{_libdir}/fipscheck
 %{_mandir}/man3/*
 %changelog
+* Sat Feb 01 2025 Funda Wang - 1.5.0-12
+- build with openssl3
+
 * Mon Oct 21 2024 Funda Wang - 1.5.0-11
 - cleanup spec
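Review bot: In the new OpenSSL 3 `compute_file_hmac` (inner hunk `@@ -196,10 +200,110 @@` of src/filehmac.c), the results of `EVP_MAC_init`, `EVP_MAC_update` and `EVP_MAC_final` are never checked, so a failed init — for instance the FIPS provider refusing the key or digest — still reaches `*buf = malloc(hlen)` and `memcpy(*buf, rbuf, hlen)` with `hlen` uninitialized (an indeterminate copy length from `rbuf`) and the function returns 0 with a MAC that was never computed. `mac` also leaks when `EVP_MAC_CTX_new` fails, because that `goto end` jumps over `EVP_MAC_free(mac)`. Each call should be checked and the context released on the `end:` path, which means declaring `c` before the first `goto`, as sketched below. In the configure.ac hunk, `PKG_CHECK_MODULES([CRYPTO],[libcrypto],...)` no longer probes for FIPS support, so its message `OpenSSL library with FIPS mode support is required` is now misleading, and the following `CRYPTO_LIBS=-lcrypto` discards the libs pkg-config reported.
```c
	EVP_MAC_CTX *c = NULL; /* declared up front so end: can free it on every path */
	/* … unchanged: remaining locals, FIPS provider load, prelink / fopen … */
	EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", force_fips ? "provider=fips" : NULL);
	if (mac == NULL) {
		debug_log("Failed to allocate memory for HMAC");
		goto end;
	}
	c = EVP_MAC_CTX_new(mac);
	EVP_MAC_free(mac); /* the context keeps its own reference */
	if (c == NULL) {
		debug_log("Failed to allocate memory for HMAC_CTX");
		goto end;
	}
	params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0);
	params[1] = OSSL_PARAM_construct_end();
	if (!EVP_MAC_init(c, hmackey, sizeof(hmackey) - 1, params)) {
		debug_log("Failed to initialize HMAC");
		goto end;
	}
	while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
		if (!EVP_MAC_update(c, rbuf, len)) {
			debug_log("Failed to update HMAC");
			goto end;
		}
	}
	if (!EVP_MAC_final(c, rbuf, &hlen, sizeof(rbuf))) {
		debug_log("Failed to finalize HMAC");
		goto end;
	}
	/* … unchanged: malloc/memcpy of the hlen-byte result, rv = 0 … */
end:
	EVP_MAC_CTX_free(c); /* NULL-safe */
	/* … unchanged: fclose, prelink wait … */
```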
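Review bot: The spec keeps `Version: 1.5.0` while the patch it now applies rewrites `AC_INIT` to `[fipscheck],[1.7.0]` and `%build` regenerates configure with `autoreconf -fi`, so the regenerated configure and config.h will carry PACKAGE_VERSION 1.7.0 inside a package labelled 1.5.0-12; either trim the AC_INIT version bump out of the patch or record the intended mismatch in the comment above `Patch0:`. The patched configure also resolves libcrypto through `PKG_CHECK_MODULES`, which needs pkg-config and libcrypto.pc at build time; `BuildRequires: pkgconfig(libcrypto)` would state that dependency directly if openssl-devel does not already pull it in.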