d894bcceca
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276) - [UPDATE] syslog msgs only in error cases - [UPDATE] don't count statistics in fips power-on self tests - [PATCH] various fixes and some new tests - Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet - Prefix /etc/libica with %dir to ensure we don't package unversioned files in libica4, as otherwise we violate SLPP. - Add /etc/libica directory into %files section. - Upgrade to version 4.2.1 (jsc#PED-2872) - [PATCH] fix regression opening shared memory - Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365). - [FEATURE] Display build info via icainfo -v - [FEATURE] New API function ica_get_build_version() - [FEATURE] Display fips indication via icainfo -f - [FEATURE] New API function ica_get_fips_indicator() - [FEATURE] New API function ica_aes_gcm_initialize_fips() - [FEATURE] New API function ica_aes_gcm_kma_get_iv() - [FEATURE] New API function ica_get_msa_level() - [PATCH] icainfo: check for malloc error when getting functionlist - Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365). v4.1.1 - [PATCH] Fix aes-xts multi-part operations [PATCH] Fix make dist v4.1.0 - [FEATURE] FIPS: make libica FIPS 140-3 compliant [FEATURE] New API function ica_ecdsa_sign_ex() [FEATURE] New icainfo output option -r - [PATCH] Various bug fixes - Removed the following obsolete files: baselibs.conf icaioctl.h - Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629) v4.0.3 - [PATCH] Reduce the number of open file descriptors - [PATCH] Various bug fixes v4.0.2 - [PATCH] Various bug fixes v4.0.1 - [PATCH] Various bug fixes - [PATCH] Compute HMAC from installed library v4.0.0 - [UPDATE] NO_SW_FALLBACKS is now the default for libica.so [UPDATE] Removed deprecated API functions including tests [UPDATE] Introduced 'const' for some API function parameters [FEATURE] icastats: new parm -k to display detailed counters - Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated version named libica-sles15sp5-FIPS-hmac-key.patch. - Updated the libica-rpmlintrc file to suppress warnings about the libica-cex hmac files being hidden. - Updated the spec file to properly both obsolete and provide two older versions of the package. - Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564) - [FEATURE] Add support for OpenSSL 3.0 - [FEATURE] icainfo: new parm -c to display available EC curves - Replaced the obsolete PreReq: %fillup_prereq with Requires(post): %fillup_prereq in the spec file. - Update to version 3.8.0 (jsc#SLE-18334) - [FEATURE] provide libica-cex module to satisfy special security requirements - [FEATURE] FIPS: enforce the HMAC check - Remove upstreamed patches: - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch - libica-sles15sp2-Zeroize-local-variables.patch - Remove patches obsoleted by upstrea developent: * FIPS: Find libica from phdrs. - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch * FIPS: enforce the hmac check - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch - Fix up tests and hmac generation + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch - Remove obsolete attributes from filelists - Upgraded to version 3.7.0 (jsc#SLE-13708) * Version 3.7.0 - [FEATURE] FIPS: Add HMAC based library integrity check - [PATCH] icainfo: bugfix for RSA and EC related info for software column. - [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests - [PATCH] FIPS: Fix DES and TDES key length - [PATCH] icastats: Fix stats counter format * Version 3.6.1 - [PATCH] Fix x25519 and x448 handling of non-canonical values - Removed the following obsolete patches * libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch * libica-sles15sp2-Build-with-pthread-flag.patch * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch - Fix lack of SHA3 KATs in "make check" processing (bsc#1175277) * Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch * Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch - Fix FIPS hmac check (bsc#1175356). * Update FIPS support to upstream - Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch from upstream. - Add libica-sles15sp2-Build-with-pthread-flag.patch - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch - Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch * FIPS check should fail when hmac is missing - Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch - Create an hmac for the selftest - Check that selftest fails without a hmac - Hash libica.so.3 rather than libica.so.3.6.0 * Fix hmac key format. It should be hexadecimal, not ASCII - Refresh libica-sles15sp2-FIPS-hmac-key.patch - Fix Some internal variables used to store sensitive information (keys) were not zeroized before returning to the calling application. (bsc#1175357) * Added libica-sles15sp2-Zeroize-local-variables.patch - Updated libica-rpmlintrc to eliminate the warning about the HMAC file being a hidden file. It is supposed to be hidden. - Added the following patches for FIPS certification (bsc#1162533) * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch * libica-sles15sp2-FIPS-hmac-key.patch - Added a BuildRequires for the fipscheck package. - Made a couple of changes to the spec file based upon recommendations by spec-cleaner. - Added the following patches for FIPS certification. * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch (bsc#1166071) Although a DES key has only 56 effective bits, all 64 bits must be considered, because the parity bits are spread over all 8 bytes of the key. * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch (bsc#1166210) FIPS tests require the output iv to be the iv resulting from decrypting the last block with a zero iv as input. * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch (bsc#1166224) The output from icainfo never shows 'yes' for RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN, due to the missing ICA_FLAG_SW flag in the icaList. - Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch (bsc#1156768) - Upgraded to version 3.6.0 (jsc#SLE-7584) * [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448 - Upgraded to version 3.5.0 (Fate#327840) - [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify - Reworked how libica-tools loads and unloads kernel modules to avoid spurious error messages (bsc#1134004): * Converted the boot.z90crypt sysV init script to a systemd unit file. * Removed any references to insserv in the spec file. * Updated the z90crypt script itself to properly load and unload the kernel modules as they exist today. * Eliminated the obsolete libica-SuSE.tar.bz2 archive. - Updated the README.SUSE file to reflect the change from sysV init style script to systemd. - Made numerous changes to the spec file, based on the output from the spec-cleaner command. - Run testsuite during build - Upgraded to version 3.4.0 (Fate#325690) * v3.4.0 [FEATURE] Add SHA-512/224 and SHA-512/256 support - Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch - Made numerous updates to spec file based on spec-cleanup run. - Upgraded to version 3.3.3 (Fate#325690) * v3.3.3 [PATCH] Various bug fixes * v3.3.2 [PATCH] Skip ECC tests if required HW is not available [PATCH] Update spec file * v3.3.1 [PATCH] Fix configure.ac to honour CFLAGS * v3.3.0 [FEATURE] Add CEX supported elliptic-curve crypto interfaces [FEATURE] Add SIMD supported multiple-precision arithmetic interfaces [FEATURE] Add interface to enable/disable SW fallbacks [FEATURE] Add 'make check' target, test-suite rework * v3.2.1 [FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG. [PATCH] Various bug fixes. - Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch - Removed COPYING from %files, since it is no longer in the tarball. - Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch (bsc#1103493). - Made multiple changes to the spec file based on the output of spec-cleaner - Added "Obsoletes: libica-2_3_0" to the libica-tools package to fix a problem with upgrading from SLES12 SP2 to either SLES12 SP3/SP4, or SLES15. (bsc#1112655) - Added "Obsoletes: libica2" to the libica-tools package to fix a problem with upgrading from SLES12 SP2 to either SLES12 SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638) - Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756) - Updated boot.z90crypt script to fix a problem with the modprobe command not being found. (bsc#1040229). - Added "Recommends: libica-tools" (bsc#1046435). - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - Added "--enable-fips" to the %configure parms (Fate#324115) - Upgraded to version 3.2 (Fate#321517) * v3.2.0 [FEATURE] New AES-GCM interface. [UPDATE] Add symbol versioning. * v3.1.1 [PATCH] Various bug fixes related to old and new AES-GCM implementations. [UPDATE] Add SHA3 test cases. Improved and extended test suite. * v3.1.0 [FEATURE] Add KMA support for AES-GCM. [FEATURE] Add SHA-3 support. [PATCH] Reject RSA keys with invalid key-length. [PATCH] Allow zero output length for ica_random_number_generate. [PATCH] icastats: Correct owner of shared segment when root creates it. * Removed the following obsolete patches: libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch libica-3.0.2-03-fix-aes-ctr.patch libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch - libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567) - Added the following patches (bsc#1058567) - libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch - libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch - libica-3.0.2-03-fix-aes-ctr.patch - libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch - baselibs.conf doesn't need any additional provides/conflicts for libica3. - Update baselibs.conf with proper name for library package name, stop providing/obsoleting libica-2_1_0/libica-2_3-0. - Upgraded to version 3.0.2 (Fate#322025). - v3.0.2 - Fix locking callbacks for openSSL APIs. - v3.0.1 - Fixed msa level detection on zEC/BC12 GA1 and predecessors. - v3.0.0 - Added FIPS mode. - Sanitized exported symbols. - Removed deprecated APIs. Marked some APIs as deprecated. - Adapted to OpenSSL v1.1.0. - RSA key generation is thread-safe now. - Removed the following obsolete patches: - fix-initialization-of-s390-hardware-switches-1.patch - fix-initialization-of-s390-hardware-switches-2.patch - fix-msa-level-detection.patch - fix-segfault-during-multithread-keygen.patch - rng-performance.patch - Made the following packaging changes: - Implemented the shared library packaging guidelines. - Consolidated double invocation of %setup into just one. - Dropped redundant %ifarch, the package is already ExclusiveArch. - Updated descriptions. - Added an libica-rpmlintrc file. - Added the following two patches: - fix-segfault-during-multithread-keygen.patch (bsc#991485) - fix-msa-level-detection.patch (bsc#1010927) - Added rng-performance.patch (bsc#990850). - Updated baselibs.conf to obsolete prior versions of the 32bit package. (bsc#983897): provides "libica-<targettype> = <version>" obsoletes "libica-<targettype> < <version>" provides "libica-2_1_0-<targettype> = <version>" obsoletes "libica-2_1_0-<targettype> < <version>" provides "libica-2_3_0-<targettype> = <version>" obsoletes "libica-2_3_0-<targettype> < <version>" - Added fix-initialization-of-s390-hardware-switches-1.patch and fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548) - Upgraded to version 2.6.2 (FATE#319610). - Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to naming standards. - Found the original location of the icaioctl.h file and downloaded it to replace what we had previously. - Removed the unnecessary libica2.la file - Removed unnecessary Requires for glibc-devel - Added Requires libica2 to the -devel package - Converted call to configure to %configure macro - Removed obsolete and unnecessary INSROOT and bindir parameters from the make install command - Add Provides/Obsoletes for libica-2_3_0 so that the package from SLE12 GA is replaced (bsc#953096). - move the .so file to the mainpackage, the openssl-ibmca engine will only load "libica.so" (bsc#952871) - Update to libica v2.4.2 (FATE#318035) - Removed outdated libica-aes_ccm-31-bit-compatibility.patch - Moved init script into libica-SuSE.tar.bz2 archive - sanitize release line in specfile - Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root - Removed libica-SuSE.tar.bz2 - z90crypt now starts and stops ap kernel module (bnc#888943) - libica-aes_ccm-31-bit-compatibility.patch: AES_CCM: fixed 64/31 bit compatibility - add obsoletes and provides for older libica versions - update to 2.3.0 (fate#315342) - obsolete/upstreamed patches: libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch libica-2_1_0-msa4-extension.patch libica-2_1_0-synchronize_shared_memory_ref_counting.patch - Added COPYING to %files - Fixed build dependency errors by requiring autoconf, automake and libtool - Changed license to CPL-1.0 - Created devel package - Support for MSA4 extension (bnc#794518, fate#314078) - synchronize shared memory reference counting for library statistics (bnc#719659) - fix temporary buffer allocation in ica_get_version() (bnc#719660) - update -> 2.1.0 (fate#311914) - Moved icainfo into /usr/bin (bnc#448643) - obsolete old -XXbit packages (bnc#437293) - fix build on all platforms - Added CPL license to include/z90crypt.h, removed GPL reference (This patch is upstream) - Changed package name to libica-1_3_9 to conform to rpmlint requirements. (bnc#433432) - Removed soname filter for rpmlint - Several RPM fixes to help satisfy rpmlint - Updated to libica 1.3.9 - added baselibs.conf file to build xxbit packages for multilib support - remove inclusion of linux/config.h - z90crypt: handle errors (bug #247799) - Add gcc-c++ to BuildRequires. - fix build for the rest of platforms - Update to libica 1.3.7 (#160036 - LTC22571) - Increasing # of open handles with symmetric crypto support (#165323 - LTC23095) - converted neededforbuild to BuildRequires - include string.h and unistd.h in icalinux.c - Port package from SLES9 SP3 - Update to libica 1.3.6-rc3. - Close all filehandles (#130060 - LTC19221). - downgrade to libica 1.3.6-rc2 (contains AES software fallback, bug #117336) - Update to libica 1.3.6 (#117336) - fix implicit declaration - Changing the default value from 0 to -1 in rcz90crypt (#114371) - Finally fix 'reload' messages (#81824 - LTC15733). - Fix sigill patch. - Remove printf output from sigill patch (#81829 - LTC15731). - Use correct default value for z90crypt (#81825 - LTC15732). - Fix messages for 'reload' (#81824 - LTC15733). - Fixed SIGILL on z900 (#46422). - Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005). - Fix module loading error (#42006). - Add sysconfig variable to set the 'domain' parameter (#42005). - update -> 1.3.5-3 (bug #42122) - Update README.SuSE and correct name as well - Use modprobe instead of insmod and fix module load error(#40526) - Fix error checking for no hardware found case and hw error on load - Update Readme again for the correct name (SUSE LINUX Server). - Moved README.SuSE to README.SUSE. - Update Readme to refer to the correct name (SUSE Linux Server). - Update to 1.3.5-2 (#38511, #39693). - Update Readme to refer to SUSE Linux Server instead of SuSE Linux Enterprise Server. - Update to 1.3.5 - export CFLAGS & CPPFLAGS for configure - Exclude S/390-specific files for other archs (#37183) - add "-I./include" to CFLAGS and use RPM_OPT_FLAGS - fix build - build as user - update to 1.3.4 - update to 1.3.2 - update to 1.3.1: now supports DES, TDES and SHA, as well as RSA. - throw libica.patch away, since autoversion and Makefile.am have similar changes now, and the renaming from _LINUX_S390_ to __s390__ is not really necessary - use %defattr - checked that icaioctl.h is still current - dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone open source meanwhile and comes with the kernel sources - added documentation how to set up crypto hardware support, esp. S/390 and zSeries. (#16011, #22056) - upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5 actually work. (#20737) - Correct PreReq - fixed src/Makefile.am and ugly ./autoversion to honor %_lib and to build on non-s390 - updated to current libica - hacked in icaioctl.h for build, 'til we have the module in the kernel. - add %run_ldconfig - fix for current automake/autoconf - removed old fillup-template and START_ variable - modified etc/init.d/z90crypt-script to report result at start. - Added openssl to #neededforbuild, which is needed in addition to openssl-devel - initial version OBS-URL: https://build.opensuse.org/request/show/1088541 OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=10
16 lines
713 B
Diff
16 lines
713 B
Diff
--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
|
|
+++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
|
|
@@ -65,10 +65,9 @@
|
|
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
|
|
* The known HMAC is supposed to be provided as hex string in a file
|
|
* .libica.so.VERSION.hmac in the same directory as the .so module.
|
|
- */
|
|
+ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
|
|
static const char hmackey[] =
|
|
- "0000000000000000000000000000000000000000000000000000000000000000"
|
|
- "0000000000000000000000000000000000000000000000000000000000000000";
|
|
+ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
|
|
|
|
#endif /* ICA_INTERNAL_TEST */
|
|
|