diff --git a/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
new file mode 100644
index 0000000..b1e8b0c
--- /dev/null
+++ b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
@@ -0,0 +1,55 @@
+From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Mon, 7 Jun 2021 21:12:01 +0200
+Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
+
+Signed-off-by: Michal Suchanek
+---
+ openssl-fipshmac | 12 ++++++++++++
+ src/Makefile.am | 4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100755 openssl-fipshmac
+
+diff --git a/openssl-fipshmac b/openssl-fipshmac
+new file mode 100755
+index 0000000..60fd505
+--- /dev/null
++++ b/openssl-fipshmac
+@@ -0,0 +1,12 @@
++#!/bin/sh -e
++
++if [ "$#" -eq 0 ] ; then
++ echo "No library to hash specified." >&2
++ exit 22
++fi
++
++while [ -n "$1" ] ; do
++ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
++ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
++ shift
++done
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..2be01a5 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -47,6 +47,7 @@
+ ./mp.pl mp.S
+
+ if ICA_FIPS
++FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
+ fipsinstall:
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+@@ -58,8 +59,7 @@
+ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+
+ hmac-file: libica.la libica-cex.la
+- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
+- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
++ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
+
+ hmac_files = hmac-file hmac-file-lnk
+
+--
+2.31.1
+
diff --git a/libica-sles15sp5-FIPS-hmac-key.patch b/libica-sles15sp5-FIPS-hmac-key.patch
new file mode 100644
index 0000000..c473357
--- /dev/null
+++ b/libica-sles15sp5-FIPS-hmac-key.patch
@@ -0,0 +1,15 @@
+--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
++++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
+@@ -65,10 +65,9 @@
+ * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
+ * The known HMAC is supposed to be provided as hex string in a file
+ * .libica.so.VERSION.hmac in the same directory as the .so module.
+- */
++ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
+ static const char hmackey[] =
+- "0000000000000000000000000000000000000000000000000000000000000000"
+- "0000000000000000000000000000000000000000000000000000000000000000";
++ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
+
+ #endif /* ICA_INTERNAL_TEST */
+
diff --git a/libica.changes b/libica.changes
index bc5a599..52793ed 100644
--- a/libica.changes
+++ b/libica.changes
@@ -1,13 +1,10 @@ ------------------------------------------------------------------- -Tue May 23 06:27:43 UTC 2023 - Nikolay Gueorguiev +Tue May 23 07:19:01 UTC 2023 - Nikolay Gueorguiev - Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276) - [UPDATE] syslog msgs only in error cases - [UPDATE] don't count statistics in fips power-on self tests - [PATCH] various fixes and some new tests -- Removed patches * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch * libica-sles15sp5-FIPS-hmac-key.patch ------------------------------------------------------------------- Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann
diff --git a/libica.spec b/libica.spec
index f909795..a1d691d 100644
--- a/libica.spec
+++ b/libica.spec
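Review bot: The `fipsinstall` recipe shown as context in the `@@ -47,6 +47,7 @@` hunk of src/Makefile.am still calls `openssl dgst ... -macopt hexkey:00000000` directly, so overriding `FIPSHMAC` only changes the build-tree `hmac-file` target and not the installed `.libica.so.$(VERSION1).hmac`. If the override is meant to cover the installed library too, the recipe line could become `$(AM_V_GEN) $(FIPSHMAC) $(DESTDIR)$(libdir)/libica.so.$(VERSION1)`, since the wrapper writes the dot-prefixed `.hmac` file next to its argument. The rest of `fipsinstall` lies outside the hunk, so any libica-cex line there would need the same treatment. In `openssl-fipshmac`, `while [ -n "$1" ]` stops silently at the first empty argument; `while [ "$#" -gt 0 ]` would instead let such an argument fail in `openssl`.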
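Review bot: The new `hmackey` in src/fips.c no longer matches the `hexkey:00000000` that the default `openssl-fipshmac` wrapper from the other patch uses, so the generated `.hmac` file will presumably fail the library's integrity self-test unless the build sets `FIPSHMAC` to a tool keyed with this value; the spec's build section is not visible here to confirm that. The retained comment still says the recommended HMAC-SHA256 key size is 64 bytes, while the new literal is 64 hex digits, i.e. 32 bytes, so the comment should be reconciled with the key. Replacing ` */` with a line that opens another `/*` leaves that opener inside the earlier block comment, which compiles but triggers `-Wcomment`; keep the ` */` line and add `/* HMAC key is hexadecimal for: "orboDeJITITejsirpADONivirpUkvarP" */` on a line of its own. Because the key is embedded in the shipped library, the check detects corruption rather than deliberate modification, which is worth stating in that comment.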
@@ -34,7 +34,9 @@ Source2: sysconfig.z90crypt
 Source3: z90crypt
 Source4: z90crypt.service
 Source5: %{name}-rpmlintrc
-###
+Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+Patch99: libica-sles15sp5-FIPS-hmac-key.patch
+
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fipscheck
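Review bot: The two `Patch` lines are added without any comment explaining why they exist or that they depend on each other. Patch99 changes the key used by the library's integrity check, and Patch01 is what lets the build substitute a matching HMAC tool. A comment above them would record that, for example `# Patch99 changes the FIPS integrity HMAC key; the build must pass a matching FIPSHMAC tool (enabled by Patch01)`. The `%prep` and `%build` sections are outside this hunk, so it cannot be confirmed here that both patches are applied or that `FIPSHMAC` is set; both are worth checking.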