From 742ba25f6d4fc8f3762ee88b23c36bbe018ca5120aff98b7b885e892762e034e Mon Sep 17 00:00:00 2001 
From: Marcus Meissner Date: Thu, 3 Sep 2020 06:23:31 +0000 Subject: [PATCH] Accepting request 830821 from home:dirkmueller:branches:security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - update to 1.2.0: * enhancement: kcapi-hasher: add madvise and 64 bit support by Brandur Simonsen * fix: fix clang warnding in KDF implementation by Khem Raj * fix: fix inverted logic in kcapi-main test logic reported by Ondrej Mosnáček * fix: return error when iteration count is zero for PBKDF as reported by Guido Vranken * enhancement: add function kcapi_cipher_stream_update_last to indicate the last block of a symmetric cipher stream operation * disable XTS multithreaded tests as it triggers a race discussed in https://github.com/smuellerDD/libkcapi/issues/92. The conclusion is the following: xts(aes) doesn't support chaining requests like for other ciphers such as CBC (at least as implemented in the kernel Crypto API). That can be seen in `crypto/testmgr.h` - the ciphers that are expected to return IVs usable for chaining have the `.iv_out` entries filled in in their test vectors (and those that don't support it do not). One can see that only CTR and CBC test vectors have them, not XTS. Looking again at how XTS is defined, it seems one could implement transparent chaining by simply decrypting the final tweak using the tweak key and return it as the output IV... but I believe this has never been mandated nor implemented in the Crypto API (likely because of the overhead of the final tweak decryption, which would be pointless if you're not going to use the output IV - and there is currently no way to signal to the driver that you are going to need it). 
* disable AIO parallel tests due to undefined behavior
OBS-URL: https://build.opensuse.org/request/show/830821
OBS-URL: https://build.opensuse.org/package/show/security/libkcapi?expand=0&rev=35
---
 libkcapi-1.1.5.tar.xz | 3 ---
 libkcapi-1.1.5.tar.xz.asc | 11 -----------
 libkcapi-1.2.0.tar.xz | 3 +++
 libkcapi-1.2.0.tar.xz.asc | 11 +++++++++++
 libkcapi.changes | 28 ++++++++++++++++++++++++++++
 libkcapi.spec | 2 +-
 6 files changed, 43 insertions(+), 15 deletions(-)
 delete mode 100644 libkcapi-1.1.5.tar.xz
 delete mode 100644 libkcapi-1.1.5.tar.xz.asc
 create mode 100644 libkcapi-1.2.0.tar.xz
 create mode 100644 libkcapi-1.2.0.tar.xz.asc
diff --git a/libkcapi-1.1.5.tar.xz b/libkcapi-1.1.5.tar.xz
deleted file mode 100644
index f3835e0..0000000
--- a/libkcapi-1.1.5.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8a08dcbb4d05ede4357cdc9d61c7f2a7f2cd96b7ce2eb41b28e45b2e378267ad
-size 320016
diff --git a/libkcapi-1.1.5.tar.xz.asc b/libkcapi-1.1.5.tar.xz.asc
deleted file mode 100644
index 07a2cd2..0000000
--- a/libkcapi-1.1.5.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAl1BSvEACgkQQh7pNjJq
-wVtOogf/UzYn7DUB4x0QQxODtaVbXrZ5FfFWDpKJxCVXWI64VK1kF6SSm+qD305h
-Dj0lA7+TpIKhwKlc4kofaLjW/yeUPEoZCBjFSTeLc+A/7XP5m1Xqnz6fuH2lZwRK
-o1p8ICPj9bOW9rj2K59pdHVTdXW1fj5sJOi25n9fLf5PcaPMxoawHG4l18tp7qNd
-XXrqcfeSe+IF3Z4MJQee4lnsQE37wOJC8lanNDMXs7XZJ4RGUrJWfMWzVhVbh+D4
-n6Ow6H0ZaJDUksSh6faKBwAlo+c9J2CRe80+EIiAcYCKzQOH6ylnhdU1qKVD/kNK
-7XMwTY3intV9FP3mhM/RPSLSOw7NLA==
-=UN86
------END PGP SIGNATURE-----
diff --git a/libkcapi-1.2.0.tar.xz b/libkcapi-1.2.0.tar.xz
new file mode 100644
index 0000000..d794125
--- /dev/null
+++ b/libkcapi-1.2.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:782430512195f146e0e16e6bb689d9a7e61387afcfedc4340c433284b8b66049
+size 318948
diff --git a/libkcapi-1.2.0.tar.xz.asc b/libkcapi-1.2.0.tar.xz.asc
new file mode 100644
index 0000000..7c216af
--- /dev/null
+++ b/libkcapi-1.2.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAl7K1MMACgkQQh7pNjJq
+wVueDgf/SEJfcgYYYcnND38nawuTXequkiq5TrhAb7AY/kx6LDQzXLRHlqLvjppV
+QMUQyiiLypo+NF/qrsLhyGi2IwRePaieLfXTZWcE4eO/sqss9CbYsUtk7bcByFvG
+YEDjTYooZU4NYx3WtpwegKF+ImBLmadDDbfkcGWcmNG5EEnh1Rtw0agg/5BxCxKy
+F5aEdXWs/mU6CxgDi2EFT+8FAD2Lv80Kpn0qWAVWb03IbtzvAZ36CzP4lEywDqV2
+lZq3hZeOvBecjmGDFthMNB0CfknCHdPYvEhXuR6cSiYrmY3heUeS6Py1cPosab3A
+xDePoFm3iYY4nALhCWOfp2/vPhZtgw==
+=ZgIv
+-----END PGP SIGNATURE-----
diff --git a/libkcapi.changes b/libkcapi.changes
index 37d5b20..15c2257 100644
--- a/libkcapi.changes
+++ b/libkcapi.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Aug 31 13:30:58 UTC 2020 - Dirk Mueller
+
+- update to 1.2.0:
+ * enhancement: kcapi-hasher: add madvise and 64 bit support by Brandur Simonsen
+ * fix: fix clang warnding in KDF implementation by Khem Raj
+ * fix: fix inverted logic in kcapi-main test logic reported by Ondrej Mosnáček
+ * fix: return error when iteration count is zero for PBKDF as reported by
+ Guido Vranken
+ * enhancement: add function kcapi_cipher_stream_update_last to indicate the
+ last block of a symmetric cipher stream operation
+ * disable XTS multithreaded tests as it triggers a race discussed in
+ https://github.com/smuellerDD/libkcapi/issues/92. The conclusion is
+ the following: xts(aes) doesn't support chaining requests like for other
+ ciphers such as CBC (at least as implemented in the kernel Crypto API).
+ That can be seen in `crypto/testmgr.h` - the ciphers that are expected to
+ return IVs usable for chaining have the `.iv_out` entries filled in in their
+ test vectors (and those that don't support it do not). One can see that only
+ CTR and CBC test vectors have them, not XTS.
+ Looking again at how XTS is defined, it seems one could implement
+ transparent chaining by simply decrypting the final tweak using the tweak
+ key and return it as the output IV... but I believe this has never been
+ mandated nor implemented in the Crypto API (likely because of the overhead
+ of the final tweak decryption, which would be pointless if you're not going
+ to use the output IV - and there is currently no way to signal to the driver
+ that you are going to need it).
+ * disable AIO parallel tests due to undefined behavior
+
 -------------------------------------------------------------------
 Wed Jan 8 07:23:22 UTC 2020 - Marcus Meissner
diff --git a/libkcapi.spec b/libkcapi.spec
index cbc4b2b..5ffc807 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -17,7 +17,7 @@ Name: libkcapi -Version: 1.1.5 +Version: 1.2.0 Release: 0 Summary: Linux Kernel Crypto API User Space Interface Library License: GPL-2.0-only