diff --git a/.fipscheck.metadata b/.fipscheck.metadata
new file mode 100644
index 0000000..6855bcb
--- /dev/null
+++ b/.fipscheck.metadata
@@ -0,0 +1 @@
+283df125482e6f3b004af59364a822e3860073aa SOURCES/fipscheck-1.4.1.tar.bz2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1f8e093
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/fipscheck-1.4.1.tar.bz2
diff --git a/SOURCES/fipscheck-1.4.1-empty-hmac.patch b/SOURCES/fipscheck-1.4.1-empty-hmac.patch
new file mode 100644
index 0000000..c240e2a
--- /dev/null
+++ b/SOURCES/fipscheck-1.4.1-empty-hmac.patch
@@ -0,0 +1,50 @@
+diff -up fipscheck-1.4.1/src/fipscheck.c.empty-hmac fipscheck-1.4.1/src/fipscheck.c
+--- fipscheck-1.4.1/src/fipscheck.c.empty-hmac 2013-09-10 10:54:30.000000000 +0200
++++ fipscheck-1.4.1/src/fipscheck.c 2017-02-21 14:30:27.616371594 +0100
+@@ -34,13 +34,15 @@
+ #include "filehmac.h"
+ #include "fipscheck.h"
++#define MAX_HMAC_LEN 1024
++
+ static int
+ verify_hmac(const char *path, const char *hmac_suffix)
+ {
+ FILE *hf = NULL;
+ char *hmacpath, *p;
+- int rv = 0;
+- char *hmac = NULL;
++ int rv = 1;
++ char hmac[MAX_HMAC_LEN];
+ size_t n;
+ const char *hmacdir = PATH_HMACDIR;
+
+@@ -62,7 +64,7 @@ verify_hmac(const char *path, const char
+ hmacdir = NULL;
+ } while (hf == NULL);
+
+- if (getline(&hmac, &n, hf) > 0) {
++ if (fgets(hmac, sizeof(hmac), hf) != NULL) {
+ void *buf;
+ size_t hmaclen;
+ char *hex;
+@@ -84,14 +86,17 @@ verify_hmac(const char *path, const char
+
+ if (strcmp(hex, hmac) != 0) {
+ debug_log("Hmac mismatch on file '%s'", path);
+- rv = 1;
++ } else {
++ /* checksum matched */
++ rv = 0;
+ }
+ free(buf);
+ free(hex);
++ } else {
++ debug_log("Empty or broken hmac on file '%s'", path);
+ }
+
+ end:
+- free(hmac);
+ fclose(hf);
+ return rv;
+ }
diff --git a/SOURCES/fipscheck.conf b/SOURCES/fipscheck.conf
new file mode 100644
index 0000000..8476d12
--- /dev/null
+++ b/SOURCES/fipscheck.conf
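Review bot: `size_t n;` stays declared in the first hunk of the embedded patch although its only visible user, `getline(&hmac, &n, hf)`, is replaced by `fgets(hmac, sizeof(hmac), hf)`; unless n is used in the new-side lines the embedded patch skips between its hunks, the patch should also drop `size_t n;` to avoid an unused-variable warning. The fixed `MAX_HMAC_LEN` buffer is ample for a hex HMAC-SHA256 digest and the change is fail-closed — rv now starts at 1 and only the strcmp match sets it to 0, and an over-long line is truncated by fgets and then fails the compare — but that reasoning belongs on the define, e.g. `/* ample for a hex HMAC-SHA256 digest plus newline; longer lines are truncated and fail the compare */`. The new else branch logs "Empty or broken hmac" for both an empty file and a read error; checking `ferror(hf)` there would let the debug log tell the two apart. The body of verify_hmac() is only partly shown, since the embedded patch's hunks omit the lines between them.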
@@ -0,0 +1,2 @@
+-b /usr/lib{,64}/libfipscheck.so.*
+-b /usr/bin/fipscheck
diff --git a/SPECS/fipscheck.spec b/SPECS/fipscheck.spec
new file mode 100644
index 0000000..05713c3
--- /dev/null
+++ b/SPECS/fipscheck.spec
@@ -0,0 +1,162 @@
+Summary: A library for integrity verification of FIPS validated modules
+Name: fipscheck
+Version: 1.4.1
+Release: 6%{?dist}
+License: BSD
+Group: System Environment/Libraries
+# This is a Red Hat maintained package which is specific to
+# our distribution.
+URL: http://fedorahosted.org/fipscheck/
+Source0: http://fedorahosted.org/releases/f/i/%{name}/%{name}-%{version}.tar.bz2
+# Prelink blacklist
+Source1: fipscheck.conf
+Patch1: fipscheck-1.4.1-empty-hmac.patch
+
+BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+
+BuildRequires: openssl-devel >= 0.9.8j
+
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+
+%description
+FIPSCheck is a library for integrity verification of FIPS validated
+modules. The package also provides helper binaries for creation and
+verification of the HMAC-SHA256 checksum files.
+
+%package lib
+Summary: Library files for %{name}
+Group: System Environment/Libraries
+
+Requires: %{_bindir}/fipscheck
+
+%description lib
+This package contains the FIPSCheck library.
+
+%package devel
+Summary: Development files for %{name}
+Group: System Environment/Libraries
+
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+
+%description devel
+This package contains development files for %{name}.
+
+%prep
+%setup -q
+%patch1 -p1 -b .empty-hmac
+
+%build
+%configure --disable-static
+
+make %{?_smp_mflags}
+
+# Add generation of HMAC checksums of the final stripped binaries
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ $RPM_BUILD_ROOT%{_bindir}/fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/fipscheck $RPM_BUILD_ROOT%{_libdir}/libfipscheck.so.1.2.1 \
+ ln -s libfipscheck.so.1.2.1.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/libfipscheck.so.1.hmac \
+%{nil}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+make install DESTDIR=$RPM_BUILD_ROOT
+
+find $RPM_BUILD_ROOT -type f -name "*.la" -delete
+
+mkdir -p $RPM_BUILD_ROOT%{_libdir}/fipscheck
+
+# Prelink blacklist
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
+install -m644 %{SOURCE1} \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/fipscheck.conf
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post lib -p /sbin/ldconfig
+
+%postun lib -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc ChangeLog COPYING README AUTHORS
+%{_bindir}/fipscheck
+%{_bindir}/fipshmac
+%{_libdir}/fipscheck/fipscheck.hmac
+%{_mandir}/man8/*
+
+%files lib
+%defattr(-,root,root,-)
+%{_libdir}/libfipscheck.so.*
+%dir %{_libdir}/fipscheck
+%{_libdir}/fipscheck/libfipscheck.so.*.hmac
+%dir %{_sysconfdir}/prelink.conf.d
+%{_sysconfdir}/prelink.conf.d/fipscheck.conf
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/fipscheck.h
+%{_libdir}/libfipscheck.so
+%{_mandir}/man3/*
+
+%changelog
+* Tue Feb 21 2017 Tomáš Mráz - 1.4.1-6
+- handle empty hmac file as checksum mismatch
+
+* Mon Feb 10 2014 Tomáš Mráz - 1.4.1-5
+- fix the library path in prelink blacklist
+
+* Fri Jan 24 2014 Daniel Mach - 1.4.1-4
+- Mass rebuild 2014-01-24
+
+* Mon Jan 13 2014 Tomáš Mráz - 1.4.1-3
+- add versioned dependency to -lib on base package (#1010349)
+- add prelink blacklist
+
+* Fri Dec 27 2013 Daniel Mach - 1.4.1-2
+- Mass rebuild 2013-12-27
+
+* Tue Sep 10 2013 Tomáš Mráz - 1.4.1-1
+- fix inverted condition in FIPSCHECK_verify_ex()
+
+* Fri Sep 6 2013 Tomáš Mráz - 1.4.0-1
+- added new API calls to support setting hmac suffix
+
+* Mon Apr 16 2012 Tomas Mraz - 1.3.1-1
+- manual pages added by Paul Wouters
+
+* Tue Sep 7 2010 Tomas Mraz - 1.3.0-1
+- look up the hmac files in the _libdir/fipscheck first
+
+* Tue May 26 2009 Tomas Mraz - 1.2.0-1
+- add lib subpackage to avoid multilib on the base package
+- add ability to compute hmacs on multiple files at once
+- improved debugging with FIPSCHECK_DEBUG
+
+* Thu Mar 19 2009 Tomas Mraz - 1.1.1-1
+- move binaries and libraries to /usr
+
+* Wed Mar 18 2009 Tomas Mraz - 1.1.0-1
+- hmac check itself as required by FIPS
+
+* Mon Feb 9 2009 Tomas Mraz - 1.0.4-1
+- add some docs to the README, require current openssl in Fedora
+
+* Fri Oct 24 2008 Tomas Mraz - 1.0.3-1
+- use OpenSSL in FIPS mode to do the HMAC checksum instead of NSS
+
+* Tue Sep 9 2008 Tomas Mraz - 1.0.2-1
+- fix test for prelink
+
+* Mon Sep 8 2008 Tomas Mraz - 1.0.1-1
+- put binaries in /bin and libraries in /lib as fipscheck
+ will be used by modules in /lib
+
+* Mon Sep 8 2008 Tomas Mraz - 1.0.0-2
+- minor fixes for package review
+
+* Wed Sep 3 2008 Tomas Mraz - 1.0.0-1
+- Initial spec file