From 7393454a2fa1ef2cd320609aeb05ca3aacf8ab3c Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Apr 30 2020 06:35:22 +0000 Subject: Enable building on old kernels This adds scripts that mock sha512hmac and fipshmac using openssl. These are used instead of the built hashers to hash libkcapi binaries on kernels that don't suport the userspace Crypto API interface properly (e.g. RHEL-7 kernels). Signed-off-by: Ondrej Mosnacek --- diff --git a/fipshmac-openssl.sh b/fipshmac-openssl.sh new file mode 100644 index 0000000..c554434 --- /dev/null +++ b/fipshmac-openssl.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# Mocks fipshmac using the openssl tool. +# Only for use during RPM build. + +[ "$1" = '-d' ] || exit 1 + +openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \ + >"$2/$(basename "$3").hmac" diff --git a/libkcapi.spec b/libkcapi.spec index 57613bf..b449fe2 100644 --- a/libkcapi.spec +++ b/libkcapi.spec @@ -72,6 +72,15 @@ %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac %global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac +# On old kernels use mock hashers implemented via openssl +%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 +%global sha512hmac bin/kcapi-hasher -n sha512hmac +%global fipshmac bin/kcapi-hasher -n fipshmac +%else +%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh +%global fipshmac bash %{_sourcedir}/fipshmac-openssl.sh +%endif + # Add generation of HMAC checksums of the final stripped # binaries. %%define with lazy globbing is used here # intentionally, because using %%global does not work. 
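Review bot: The pipeline in fipshmac-openssl.sh returns the exit status of `cut`, so a failing `openssl` (missing binary, unreadable "$3") still exits 0 and leaves an empty `.hmac` file under "$2". The `|| exit 1` guards on the `%fipshmac` calls in libkcapi.spec then never fire, and the package would ship an integrity file that cannot verify. Add `set -euo pipefail` directly after the shebang so the build aborts instead. sha512hmac-openssl.sh has the same `openssl … | cut` pipeline and needs the same line.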
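Review bot: The `%if` test reads `posix.uname('%r')`, which is the kernel running on the build host when the spec is parsed, not the kernel the package will run on. Which tool writes the shipped `.hmac` files therefore depends on the builder, and the same SRPM can take either branch. Nothing visible checks that the openssl mocks and `kcapi-hasher` produce identical files. The comment above the `%if` should say so, e.g. `# Decided by the build host's running kernel; both branches must produce byte-identical .hmac files`, and should also explain why 3.19 is the cut-off.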
@@ -83,16 +92,15 @@ bin_path=%{buildroot}%{_bindir} \ lib_path=%{buildroot}/%{_lib} \ for app in %{apps_hmaccalc}; do \ test -e "$bin_path"/$app || continue \ - { bin/kcapi-hasher -n sha512hmac "$bin_path"/$app || exit 1; } \\\ + { %sha512hmac "$bin_path"/$app || exit 1; } \\\ | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \ done \ for app in %{apps_fipscheck}; do \ test -e "$bin_path"/$app || continue \ - bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\ - "$bin_path"/$app || exit 1 \ + %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \ done \ -%{_bindir}/hardlink -cfv %{buildroot}%{_bindir} \ -bin/kcapi-hasher -n fipshmac -d "$lib_path"/fipscheck \\\ +%{_bindir}/hardlink -cfv %{buildroot}%{_bindir} \ +%fipshmac -d "$lib_path"/fipscheck \\\ "$lib_path"/libkcapi.so.%{version} || exit 1 \ %{__ln_s} libkcapi.so.%{version}.hmac \\\ "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ @@ -108,10 +116,13 @@ License: BSD or GPLv2 URL: http://www.chronox.de/%{name}.html Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc +Source2: sha512hmac-openssl.sh +Source3: fipshmac-openssl.sh Patch100: 100-workaround-cppcheck-bug.patch Patch110: 110-fipshmac-compat.patch +BuildRequires: bash BuildRequires: clang BuildRequires: coreutils BuildRequires: cppcheck diff --git a/sha512hmac-openssl.sh b/sha512hmac-openssl.sh new file mode 100644 index 0000000..6496394 --- /dev/null +++ b/sha512hmac-openssl.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Mocks sha512hmac using the openssl tool. +# Only for use during RPM build. + +openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' '
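Review bot: `BuildRequires: bash` is added for the two mock scripts, but both of them call `openssl`, and the part of the BuildRequires list visible in this hunk does not name it. If it is not listed further down the spec, add `BuildRequires: openssl`. This matters more than usual here because the scripts end in `| cut` without `pipefail`, so a build root lacking `openssl` would still succeed and write empty HMAC files.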
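Review bot: The header comment in sha512hmac-openssl.sh does not explain the literal `FIPS-FTW-RHT2009`, which reads like a hard-coded secret to anyone auditing the package. It appears to be the fixed, publicly known key that the sha512hmac checker uses by default, so it must stay identical to the key the runtime verifier uses. I would add `# Key is the fixed, public sha512hmac integrity key (not a secret); must match the verifier's built-in key.` The `-hmac` key in fipshmac-openssl.sh deserves the same comment. It is also worth noting next to `cut -f 2 -d ' '` that it relies on openssl printing `<label>(<path>)= <hex>` with no space in the path.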