[yocto] [meta-openssl102-fips][PATCH 1/15] fipscheck: add 1.5.0

Mark Hatle mark.hatle at kernel.crashing.org
Mon Sep 23 07:14:31 PDT 2019


Please include the commit id of the Fedora version that was included.  It will
help us review changes in the future.

On 9/22/19 9:56 AM, Hongxu Jia wrote:
> Port it from fedora:
> https://src.fedoraproject.org/rpms/fipscheck
> 
> It is required by openssh fips.
> 
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>  .../0001-compat-fip-with-openssl-1.0.2.patch       | 34 ++++++++++++++++++++++
>  recipes-connectivity/openssh/fipscheck_1.5.0.bb    | 30 +++++++++++++++++++
>  templates/feature/openssl-fips/template.conf       |  2 +-
>  3 files changed, 65 insertions(+), 1 deletion(-)
>  create mode 100644 recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
>  create mode 100644 recipes-connectivity/openssh/fipscheck_1.5.0.bb
> 
> diff --git a/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
> new file mode 100644
> index 0000000..22e5a62
> --- /dev/null
> +++ b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
> @@ -0,0 +1,34 @@
> +From 3147ae2a63f10f9bbdd0a617b450ff8b9868e60f Mon Sep 17 00:00:00 2001
> +From: Hongxu Jia <hongxu.jia at windriver.com>
> +Date: Fri, 20 Sep 2019 17:51:09 +0800
> +Subject: [PATCH] compat fip with openssl 1.0.2
> +
> +In /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h
> +...
> +define OPENSSL_VERSION_NUMBER  0x10100000L
> +...
> +Since fips include file compat with openssl 1.1.0, do not include it
> +in Yocto
> +
> +Upstream-Status: Inappropriate [oe specific]
> +
> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> +---
> + src/filehmac.c | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/src/filehmac.c b/src/filehmac.c
> +index a8eef00..0b36cec 100644
> +--- a/src/filehmac.c
> ++++ b/src/filehmac.c
> +@@ -41,7 +41,6 @@
> + #include <sys/wait.h>
> + 
> + #if defined(WITH_OPENSSL)
> +-#include <openssl/fips.h>
> + #include <openssl/evp.h>
> + #include <openssl/hmac.h>
> + #elif defined(WITH_NSS)
> +-- 
> +2.7.4
> +
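Review bot: Dropping `#include <openssl/fips.h>` in the embedded `src/filehmac.c` hunk is only safe if nothing in that file still uses a declaration from that header, and the hunk shows just the include block, so this cannot be confirmed from here. If such a call remains, a compiler that only warns on implicit declarations would build the HMAC integrity check against a guessed prototype. I would build once with `-Werror=implicit-function-declaration` and record the result in the patch description. The description would also read more clearly if it said outright what it appears to mean: the fips-2.0 `opensslv.h` reports `0x10100000L` while this layer targets OpenSSL 1.0.2.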
> diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> new file mode 100644
> index 0000000..68051d2
> --- /dev/null
> +++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> @@ -0,0 +1,30 @@
> +SUMMARY = "A library for integrity verification of FIPS validated modules"
> +DESCRIPTION = "FIPSCheck is a library for integrity verification of FIPS validated \
> +modules. The package also provides helper binaries for creation and \
> +verification of the HMAC-SHA256 checksum files."
> +HOMEPAGE = "https://pagure.io/fipscheck"
> +SECTION = "libs/network"
> +
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=35f2904ce138ac5fa63e7cedf96bbedf"
> +
> +SRC_URI = "https://releases.pagure.org/fipscheck/${BPN}-${PV}.tar.bz2 \
> +           file://0001-compat-fip-with-openssl-1.0.2.patch \
> +"
> +SRC_URI[md5sum] = "86e756a7d2aa15f3f91033fb3eced99b"
> +SRC_URI[sha256sum] = "7ba38100ced187f44b12dd52c8c74db8f366a2a8b9da819bd3e7c6ea17f469d5"
> +
> +DEPENDS = " \
> +    openssl \
> +    openssl-fips \
> +"
> +
> +inherit autotools pkgconfig
> +
> +EXTRA_OECONF += " \
> +    --disable-static \
> +"
> +EXTRA_OEMAKE += " \
> +    -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
> +"
> +
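Review bot: The `-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include` entry in `EXTRA_OEMAKE` goes to make, where `-I` sets the search directory for included makefiles, so it does not give the compiler a header path. If a header path is intended, it belongs in the preprocessor flags and should presumably point at the target sysroot rather than the native one, e.g. `CPPFLAGS += "-I${STAGING_LIBDIR}/ssl/fips-2.0/include"`. If it is not needed now that the bundled patch stops including `fips.h`, the assignment can be dropped. Putting that directory on the compiler's include path would also expose the `opensslv.h` that the patch description says reports 1.1.0, so a short comment in the recipe should state which OpenSSL headers this integrity-checking library is meant to build against.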
> diff --git a/templates/feature/openssl-fips/template.conf b/templates/feature/openssl-fips/template.conf
> index 6da678c..9a551c3 100644
> --- a/templates/feature/openssl-fips/template.conf
> +++ b/templates/feature/openssl-fips/template.conf
> @@ -8,4 +8,4 @@ OPENSSL_FIPS_PREBUILT ??= ""
>  
>  PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips'
>  PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips-example'
> -
> +PNWHITELIST_meta-openssl-one-zero-two-fips += 'fipscheck'
> 

