
From 6a85f188d671723ad76bb729307c12e89199b7bd Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Thu, 14 Aug 2014 16:13:55 +0200
Subject: Switch from Mozilla NSS sha256hmac checking to fipscheck as
 recommended

Signed-off-by: Thomas Renninger <trenn@suse.de>
---
 modules.d/01fips/fips.sh         |    6 ++----
 modules.d/01fips/module-setup.sh |   13 +++++++------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 07bd1da..19a2d8e 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -61,9 +61,7 @@ do_rhevh_check()
     kpath=${1}
 
     # If we're on RHEV-H, the kernel is in /run/initramfs/live/vmlinuz0
-    HMAC_SUM_ORIG=$(cat $NEWROOT/boot/.vmlinuz-${KERNEL}.hmac | while read a b; do printf "%s\n" $a; done)
-    HMAC_SUM_CALC=$(sha512hmac $kpath | while read a b; do printf "%s\n" $a; done || return 1)
-    if [ -z "$HMAC_SUM_ORIG" ] || [ -z "$HMAC_SUM_CALC" ] || [ "${HMAC_SUM_ORIG}" != "${HMAC_SUM_CALC}" ]; then
+    if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then
         warn "HMAC sum mismatch"
         return 1
     fi
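Review bot: The condition on the new `if fipscheck $NEWROOT/boot/vmlinuz-${KERNEL} ; then` line is inverted compared with the `fipscheck "/boot/vmlinuz-${KERNEL}" || return 1` form this same patch uses in do_fips: fipscheck exits 0 when the HMAC verifies, so this branch warns and returns 1 for a valid kernel and silently lets an image whose HMAC does not match through. It should read `if ! fipscheck "$NEWROOT/boot/vmlinuz-${KERNEL}"; then`. Note also that `kpath` (the RHEV-H kernel path passed as `$1`) is no longer referenced anywhere in the remaining body — the removed lines hashed `$kpath` and compared it with the `.hmac` under `$NEWROOT/boot`, whereas the new line verifies the copy under `$NEWROOT/boot` itself, so if the live kernel at `$kpath` is what this function is meant to attest, that needs a second look. The path expansion is also unquoted. do_rhevh_check starts outside the hunk.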
@@ -128,7 +126,7 @@ do_fips()
     elif [ -e "/run/initramfs/live/isolinux/vmlinuz0" ]; then
         do_rhevh_check /run/initramfs/live/isolinux/vmlinuz0 || return 1
     else
-        sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+        fipscheck "/boot/vmlinuz-${KERNEL}" || return 1
     fi
 
     info "All initrd crypto checks done"
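Review bot: The `fipscheck "/boot/vmlinuz-${KERNEL}" || return 1` line relies on a `/boot/.vmlinuz-${KERNEL}.hmac` that fipscheck can verify, but nothing in this patch shows the kernel side producing one; as far as I know fipscheck and hmaccalc's sha512hmac use different HMAC constructions, so an `.hmac` generated for the old `sha512hmac -c` path would presumably fail here and make every boot in FIPS mode abort. Worth confirming against the kernel package before this lands, and a one-line comment such as `# .vmlinuz-${KERNEL}.hmac must be generated by fipshmac, not sha512hmac` would save the next reader the same question. do_fips starts outside the hunk.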
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 8437e56..009b2ca 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -23,7 +23,7 @@ installkernel() {
     _fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 "
     _fipsmodules+="ghash-clmulni-intel "
 
-    _fipsmodules+="drbg "
+    _fipsmodules+="drbg"
 
     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
 
@@ -42,15 +42,16 @@ install() {
     inst_hook pre-pivot 01 "$moddir/fips-noboot.sh"
     inst_script "$moddir/fips.sh" /sbin/fips.sh
 
-    inst_multiple sha512hmac rmmod insmod mount uname umount fipscheck
+    inst_multiple rmmod insmod mount uname umount fipscheck strace
 
-    inst_libdir_file libsoftokn3.so libsoftokn3.so \
-        libsoftokn3.chk libfreebl3.so libfreebl3.chk \
-        libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
+    inst_libdir_file \
+        fipscheck .fipscheck.hmac \
+         libfipscheck.so.1 \
+        .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac \
+         libcrypto.so.1.0.0       libssl.so.1.0.0 \
         .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac \
         .libcryptsetup.so.4.5.0.hmac .libcryptsetup.so.4.hmac \
         .libgcrypt.so.20.hmac \
-        .libfipscheck.so.1.hmac .libfipscheck.so.1.1.0.hmac
 
     # we do not use prelink at SUSE
     #inst_multiple -o prelink
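Review bot: `strace` is added to the `inst_multiple` list on the new line but nothing in the patch uses it; it reads as a debugging leftover and should be dropped (`inst_multiple rmmod insmod mount uname umount fipscheck`) rather than shipped in a FIPS initrd, where it only grows the image and the set of tools present before the root is verified. The rewritten inst_libdir_file list now ends at `.libgcrypt.so.20.hmac \` with the continuation backslash followed by an empty line, which works only because a blank continuation line happens to be harmless; remove the trailing backslash so the list visibly ends on that line. The `libfipscheck.so.1` and `libcrypto.so.1.0.0 ... libssl.so.1.0.0` lines are indented one space deeper than the rest of the list. install() starts outside the hunk.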
-- 
1.7.6.1
