Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
dracut.4966
0137-Switch-from-Mozilla-NSS-sha256hmac-checkin...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0137-Switch-from-Mozilla-NSS-sha256hmac-checking-to-fipsc.patch of Package dracut.4966
From 6a85f188d671723ad76bb729307c12e89199b7bd Mon Sep 17 00:00:00 2001 From: Marcus Meissner <meissner@suse.com> Date: Thu, 14 Aug 2014 16:13:55 +0200 Subject: Switch from Mozilla NSS sha256hmac checking to fipscheck as recommended Signed-off-by: Thomas Renninger <trenn@suse.de> --- modules.d/01fips/fips.sh | 6 ++---- modules.d/01fips/module-setup.sh | 13 +++++++------ 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh index 07bd1da..19a2d8e 100755 --- a/modules.d/01fips/fips.sh +++ b/modules.d/01fips/fips.sh @@ -61,9 +61,7 @@ do_rhevh_check() kpath=${1} # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0 - HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b; do printf "%s\n" $a; done) - HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b; do printf "%s\n" $a; done || return 1) - if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then + if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then warn "HMAC sum mismatch" return 1 fi @@ -128,7 +126,7 @@ do_fips() elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1 else - sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1 + fipscheck "/boot/vmlinuz-${KERNEL}" || return 1 fi info "All initrd crypto checks done" diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh index 8437e56..009b2ca 100755 --- a/modules.d/01fips/module-setup.sh +++ b/modules.d/01fips/module-setup.sh @@ -23,7 +23,7 @@ installkernel() { _fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 " _fipsmodules+="ghash-clmulni-intel " - _fipsmodules+="drbg " + _fipsmodules+="drbg" mkdir -m 0755 -p "${initdir}/etc/modprobe.d" @@ -42,15 +42,16 @@ install() { inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" inst_script "$moddir/fips.sh" /sbin/fips.sh - inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck + inst_multiple rmmod insmod mount uname umount fipscheck strace - inst_libdir_file libsoftokn3.so libsoftokn3.so \ - libsoftokn3.chk libfreebl3.so libfreebl3.chk \ - libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \ + inst_libdir_file \ + fipscheck .fipscheck.hmac \ + libfipscheck.so.1 \ + .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \ + libcrypto.so.1.0.0 libssl.so.1.0.0 \ .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \ .libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \ .libgcrypt.so.20.hmac \ - .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac # we do not use prelink at SUSE #inst_multiple -o prelink -- 1.7.6.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor