From 70e82f26c079266736eb650f1d2476c78c8647a83ab7a92f5bef7cc53e5cc911 Mon Sep 17 00:00:00 2001 
From: Mark Post Date: Tue, 29 Jun 2021 12:41:58 +0000 Subject: [PATCH 1/3] Accepting request 902188 from home:michals - Update to version 3.8.0 (jsc#SLE-18334) - [FEATURE] provide libica-cex module to satisfy special security requirements - [FEATURE] FIPS: enforce the HMAC check - Remove upstreamed patches: - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch - libica-sles15sp2-Zeroize-local-variables.patch - Remove patches obsoleted by upstrea developent: * FIPS: Find libica from phdrs. - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch * FIPS: enforce the hmac check - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch - Fix up tests and hmac generation + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch - Remove obsolete attributes from filelists OBS-URL: https://build.opensuse.org/request/show/902188 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=58 --- libica-3.7.0.tar.gz | 3 - libica-3.8.0.tar.gz | 3 + ...-possible-to-specify-fipshmac-binary.patch | 53 ++++++ ...-add-SHA3-KATs-to-fips_powerup_tests.patch | 160 ------------------ ...FIPS-fix-inconsistent-error-handling.patch | 31 ---- ...ests-if-running-on-hardware-without-.patch | 44 ----- ...ll-library-version-for-hmac-filename.patch | 38 ----- ...ca-sles15sp2-Zeroize-local-variables.patch | 99 ----------- libica.changes | 19 +++ libica.spec | 43 ++--- 10 files changed, 99 insertions(+), 394 deletions(-) delete mode 100644 libica-3.7.0.tar.gz create mode 100644 libica-3.8.0.tar.gz create mode 100644 libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch delete mode 100644 libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch delete mode 100644 libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch delete mode 100644 libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch delete mode 100644 
libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
delete mode 100644 libica-sles15sp2-Zeroize-local-variables.patch
diff --git a/libica-3.7.0.tar.gz b/libica-3.7.0.tar.gz
deleted file mode 100644
index 6a52926..0000000
--- a/libica-3.7.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a08fe8a3a5cb1fe75f2488d47f4785e92966c43bf8405f638fa1b2990823a505
-size 542422
diff --git a/libica-3.8.0.tar.gz b/libica-3.8.0.tar.gz
new file mode 100644
index 0000000..39fe126
--- /dev/null
+++ b/libica-3.8.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dab8dabc40d939fbef7a6e1a88ffb53db433795a38a2dde42ba3063b32195d3b
+size 548378
diff --git a/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
new file mode 100644
index 0000000..7dd262c
--- /dev/null
+++ b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
@@ -0,0 +1,53 @@
+From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Mon, 7 Jun 2021 21:12:01 +0200
+Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
+
+Signed-off-by: Michal Suchanek
+---
+ openssl-fipshmac | 12 ++++++++++++
+ src/Makefile.am | 4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100755 openssl-fipshmac
+
+diff --git a/openssl-fipshmac b/openssl-fipshmac
+new file mode 100755
+index 0000000..60fd505
+--- /dev/null
++++ b/openssl-fipshmac
+@@ -0,0 +1,12 @@
++#!/bin/sh -e
++
++if [ "$#" -eq 0 ] ; then
++ echo "No library to hash specified." >&2
++ exit 22
++fi
++
++while [ -n "$1" ] ; do
++ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
++ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
++ shift
++done
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..2be01a5 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -46,13 +46,13 @@ mp.S : mp.pl
+ ./mp.pl mp.S
+
+ if ICA_FIPS
++FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
+ hmac-file-lnk: hmac-file
+ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+
+ hmac-file: libica.la libica-cex.la
+- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
+- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
++ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
+
+ hmac_files = hmac-file hmac-file-lnk
+
+--
+2.31.1
+
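Review bot: In the new `openssl-fipshmac` script the loop condition `while [ -n "$1" ] ; do` stops at the first empty argument rather than when the arguments run out, so an accidental empty word in the list silently skips every library after it while the script still exits 0; `while [ "$#" -gt 0 ] ; do` keeps the existing shift-based loop and leaves a failing `openssl dgst` (under `-e`) as the only early exit. The `-macopt hexkey:00000000` key is fixed and public, so the `.hmac` file is an integrity self-test against accidental modification rather than a secret-keyed authenticator, and it only works if it agrees with the key the library compiles in for its own check (the `hmackey` constant in `src/fips.c` quoted in a deleted patch on this page, not visible in this hunk); a comment such as `# Key must equal the library's built-in HMAC key (hmackey in src/fips.c)` above the `dgst=` line would keep the two from drifting apart. In `src/Makefile.am`, `FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac` is a GNU make extension that automake may flag under its portability warnings; a plain `FIPSHMAC = ${top_srcdir}/openssl-fipshmac` is still overridden by `make FIPSHMAC=fipshmac` on the command line, which is how the spec in this series uses it.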
diff --git a/libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch b/libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch deleted file mode 100644 index 309a49a..0000000 --- a/libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From 23a647aab7b44442b63345bdf70da0696b7fcd5a Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Fri, 21 Aug 2020 15:29:49 +0200 -Subject: [PATCH] FIPS: add SHA3 KATs to fips_powerup_tests - -Signed-off-by: Joerg Schmidbauer ---- - src/fips.c | 26 ++++++++++++++++++- - src/include/test_vec.h | 13 ++++++++++ - src/test_vec.c | 59 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 97 insertions(+), 1 deletion(-) - -diff --git a/src/fips.c b/src/fips.c -index 2bf11f5..13a550b 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -95,6 +95,29 @@ SHA_KAT(384, 512); - SHA_KAT(512, 512); - #undef SHA_KAT - -+#define SHA3_KAT(_sha_, _ctx_) \ -+static int sha3_##_sha_##_kat(void) { \ -+ sha3_##_ctx_##_context_t ctx; \ -+ size_t i; \ -+ unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \ -+ for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \ -+ if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \ -+ SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \ -+ &ctx, out) || memcmp(SHA3_##_sha_##_TV[i].md, out, \ -+ SHA3_##_sha_##_HASH_LENGTH)) { \ -+ syslog(LOG_ERR, "Libica SHA-3%d test failed.", \ -+ _sha_); \ -+ return 1; \ -+ } \ -+ } \ -+ return 0; \ -+} -+SHA3_KAT(224, 224); -+SHA3_KAT(256, 256); -+SHA3_KAT(384, 384); -+SHA3_KAT(512, 512); -+#undef SHA3_KAT -+ - void - fips_init(void) - { -@@ -328,7 +351,8 @@ fips_powerup_tests(void) - /* Cryptographic algorithm test. 
*/ - if (ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512) - || sha1_kat() || sha224_kat() || sha256_kat() || sha384_kat() -- || sha512_kat() || des3_ecb_kat() || des3_cbc_kat() -+ || sha512_kat() || sha3_224_kat() || sha3_256_kat() || sha3_384_kat() -+ || sha3_512_kat() || des3_ecb_kat() || des3_cbc_kat() - || des3_cbc_cs_kat() || des3_cfb_kat() || des3_ofb_kat() - || des3_ctr_kat() || des3_cmac_kat() || aes_ecb_kat() - || aes_cbc_kat() || aes_cbc_cs_kat() || aes_cfb_kat() -diff --git a/src/include/test_vec.h b/src/include/test_vec.h -index bba6ea9..692afbc 100644 ---- a/src/include/test_vec.h -+++ b/src/include/test_vec.h -@@ -366,6 +366,19 @@ extern const size_t SHA384_TV_LEN; - - extern const struct sha_tv SHA512_TV[]; - extern const size_t SHA512_TV_LEN; -+ -+extern const struct sha_tv SHA3_224_TV[]; -+extern const size_t SHA3_224_TV_LEN; -+ -+extern const struct sha_tv SHA3_256_TV[]; -+extern const size_t SHA3_256_TV_LEN; -+ -+extern const struct sha_tv SHA3_384_TV[]; -+extern const size_t SHA3_384_TV_LEN; -+ -+extern const struct sha_tv SHA3_512_TV[]; -+extern const size_t SHA3_512_TV_LEN; -+ - #endif /* ICA_FIPS */ - - #ifdef ICA_INTERNAL_TEST_EC -diff --git a/src/test_vec.c b/src/test_vec.c -index ab260dc..f282dbb 100644 ---- a/src/test_vec.c -+++ b/src/test_vec.c -@@ -2449,6 +2449,61 @@ const struct sha_tv SHA512_TV[] = { - } - }, - }; -+ -+const struct sha_tv SHA3_224_TV[] = { -+{ -+.msg_len = 3, -+.msg = (unsigned char []){ -+0x61, 0x62, 0x63, -+}, -+.md = (unsigned char []){ -+0xe6,0x42,0x82,0x4c,0x3f,0x8c,0xf2,0x4a,0xd0,0x92,0x34,0xee,0x7d,0x3c,0x76,0x6f, -+0xc9,0xa3,0xa5,0x16,0x8d,0x0c,0x94,0xad,0x73,0xb4,0x6f,0xdf, -+} -+}, -+}; -+ -+const struct sha_tv SHA3_256_TV[] = { -+{ -+.msg_len = 3, -+.msg = (unsigned char []){ -+0x61, 0x62, 0x63, -+}, -+.md = (unsigned char []){ -+0x3A,0x98,0x5D,0xA7,0x4F,0xE2,0x25,0xB2,0x04,0x5C,0x17,0x2D,0x6B,0xD3,0x90,0xBD, 
-+0x85,0x5F,0x08,0x6E,0x3E,0x9D,0x52,0x5B,0x46,0xBF,0xE2,0x45,0x11,0x43,0x15,0x32, -+} -+}, -+}; -+ -+const struct sha_tv SHA3_384_TV[] = { -+{ -+.msg_len = 3, -+.msg = (unsigned char []){ -+0x61, 0x62, 0x63, -+}, -+.md = (unsigned char []){ -+0xEC,0x01,0x49,0x82,0x88,0x51,0x6F,0xC9,0x26,0x45,0x9F,0x58,0xE2,0xC6,0xAD,0x8D, -+0xF9,0xB4,0x73,0xCB,0x0F,0xC0,0x8C,0x25,0x96,0xDA,0x7C,0xF0,0xE4,0x9B,0xE4,0xB2, -+0x98,0xD8,0x8C,0xEA,0x92,0x7A,0xC7,0xF5,0x39,0xF1,0xED,0xF2,0x28,0x37,0x6D,0x25, -+} -+}, -+}; -+ -+const struct sha_tv SHA3_512_TV[] = { -+{ -+.msg_len = 3, -+.msg = (unsigned char []){ -+0x61, 0x62, 0x63, -+}, -+.md = (unsigned char []){ -+0xB7,0x51,0x85,0x0B,0x1A,0x57,0x16,0x8A,0x56,0x93,0xCD,0x92,0x4B,0x6B,0x09,0x6E, -+0x08,0xF6,0x21,0x82,0x74,0x44,0xF7,0x0D,0x88,0x4F,0x5D,0x02,0x40,0xD2,0x71,0x2E, -+0x10,0xE1,0x16,0xE9,0x19,0x2A,0xF3,0xC9,0x1A,0x7E,0xC5,0x76,0x47,0xE3,0x93,0x40, -+0x57,0x34,0x0B,0x4C,0xF4,0x08,0xD5,0xA5,0x65,0x92,0xF8,0x27,0x4E,0xEC,0x53,0xF0, -+} -+}, -+}; - #endif /* ICA_FIPS */ - - #ifdef ICA_INTERNAL_TEST_EC -@@ -5759,6 +5814,10 @@ const size_t SHA224_TV_LEN = sizeof(SHA224_TV) / sizeof(SHA224_TV[0]); - const size_t SHA256_TV_LEN = sizeof(SHA256_TV) / sizeof(SHA256_TV[0]); - const size_t SHA384_TV_LEN = sizeof(SHA384_TV) / sizeof(SHA384_TV[0]); - const size_t SHA512_TV_LEN = sizeof(SHA512_TV) / sizeof(SHA512_TV[0]); -+const size_t SHA3_224_TV_LEN = sizeof(SHA3_224_TV) / sizeof(SHA3_224_TV[0]); -+const size_t SHA3_256_TV_LEN = sizeof(SHA3_256_TV) / sizeof(SHA3_256_TV[0]); -+const size_t SHA3_384_TV_LEN = sizeof(SHA3_384_TV) / sizeof(SHA3_384_TV[0]); -+const size_t SHA3_512_TV_LEN = sizeof(SHA3_512_TV) / sizeof(SHA3_512_TV[0]); - #endif /* ICA_FIPS */ - #ifdef ICA_INTERNAL_TEST_EC - const size_t ECDSA_TV_LEN = sizeof(ECDSA_TV) / sizeof(ECDSA_TV[0]); --- -2.26.2 - 
diff --git a/libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch b/libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch deleted file mode 100644 index 3cf81f0..0000000 --- a/libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 8acba8fc09a91831172658c9c0810aa45ab39245 Mon Sep 17 00:00:00 2001 -From: Michal Suchanek -Date: Tue, 1 Sep 2020 10:03:38 +0200 -Subject: [PATCH] FIPS: fix inconsistent error handling. - -when the HMAC file is not present/readable it is also an error. - -Signed-off-by: Michal Suchanek ---- - src/fips.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/src/fips.c b/src/fips.c -index c0055b719bff..71a417e8de40 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -295,10 +295,8 @@ static int FIPSCHECK_verify(const char *path) - return 0; - - fp = fopen(hmacpath, "r"); -- if (fp == NULL) { -- rc = 1; -+ if (fp == NULL) - goto end; -- } - - if (getline(&known_hmac_str, &n, fp) <= 0) - goto end; --- -2.28.0 - diff --git a/libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch b/libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch deleted file mode 100644 index 361833a..0000000 --- a/libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 54c1a5341c9a5cb5513e52548ab0490f8dafbff6 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Thu, 27 Aug 2020 17:08:29 +0200 -Subject: [PATCH] FIPS: skip SHA3 tests if running on hardware without SHA3 - -Signed-off-by: Joerg Schmidbauer ---- - src/fips.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/src/fips.c b/src/fips.c -index 13a550b..facffee 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -95,11 +95,26 @@ SHA_KAT(384, 512); - SHA_KAT(512, 512); - #undef SHA_KAT - -+static inline int sha3_available(void) -+{ -+ sha3_224_context_t sha3_224_context; -+ unsigned char output_hash[SHA3_224_HASH_LENGTH]; -+ unsigned char test_data[] = { 0x61,0x62,0x63 }; -+ int rc = 0; -+ -+ rc = ica_sha3_224(SHA_MSG_PART_ONLY, sizeof(test_data), test_data, -+ &sha3_224_context, output_hash); -+ -+ return (rc == ENODEV ? 0 : 1); -+} -+ - #define SHA3_KAT(_sha_, _ctx_) \ - static int sha3_##_sha_##_kat(void) { \ - sha3_##_ctx_##_context_t ctx; \ - size_t i; \ - unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \ -+ if (!sha3_available()) \ -+ return 0; \ - for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \ - if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \ - SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \ --- -2.26.2 - diff --git a/libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch b/libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch deleted file mode 100644 index 0c1c8fd..0000000 --- a/libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 71a04ed492f6cb9dd2de91ff28d0327d17fe702a Mon Sep 17 00:00:00 2001 -From: Michal Suchanek -Date: Fri, 28 Aug 2020 14:08:53 +0200 -Subject: [PATCH] FIPS: use full library version for hmac filename. - -Fixes: 231bba3b32bd ("FIPS: introduce HMAC based library integrity check") -Fixes: f9f148487fad ("fix library filename for FIPS integrity check") - -Signed-off-by: Michal Suchanek ---- - src/fips.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/fips.c b/src/fips.c -index facffee..c0055b7 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -42,7 +42,7 @@ - * The hard-coded HMAC key to be optionally provided for the library - * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes. - * The known HMAC is supposed to be provided as hex string in a file -- * libica.so.MAJOR.hmac in the same directory as the .so module. -+ * .libica.so.VERSION.hmac in the same directory as the .so module. - */ - static const char hmackey[] = - "0000000000000000000000000000000000000000000000000000000000000000" -@@ -344,7 +344,7 @@ static void fips_lib_integrity_check(void) - { - int rc; - char path[PATH_MAX]; -- const char *libname = "libica.so"; -+ const char *libname = "libica.so." VERSION; - const char *symbolname = "ica_sha256"; - - rc = get_library_path(libname, symbolname, path, sizeof(path)); --- -2.26.2 - diff --git a/libica-sles15sp2-Zeroize-local-variables.patch b/libica-sles15sp2-Zeroize-local-variables.patch deleted file mode 100644 index 6188c42..0000000 --- a/libica-sles15sp2-Zeroize-local-variables.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 47a98c0f37af62783d59699b5e10830385817ec2 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Fri, 21 Aug 2020 11:29:11 +0200 -Subject: [PATCH] Zeroize local variables - -Some internal variables used to store sensitive information (keys) -were not zeroized before returning to the calling application. - -Signed-off-by: Joerg Schmidbauer ---- - src/ica_api.c | 8 ++++++++ - src/include/s390_aes.h | 4 ++++ - src/include/s390_des.h | 8 ++++++++ - 3 files changed, 20 insertions(+) - -diff --git a/src/ica_api.c b/src/ica_api.c -index eb6b154..5bdf24e 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -1034,6 +1034,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, - if (rc == 0) - stats_increment(ICA_STATS_RSA_ME, hardware, ENCRYPT); - -+ OPENSSL_cleanse(&rb, sizeof(rb)); -+ - return rc; - } - -@@ -1089,6 +1091,10 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key) - - free(tmp_buf); - -+ BN_clear_free(bn_p); -+ BN_clear_free(bn_q); -+ BN_clear_free(bn_invq); -+ - return 1; - } - return 0; -@@ -1147,6 +1153,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, - if (rc == 0) - stats_increment(ICA_STATS_RSA_CRT, hardware, ENCRYPT); - -+ OPENSSL_cleanse(&rb, sizeof(rb)); -+ - return rc; - } - -diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h -index 2e2f325..4a02a4c 100644 ---- a/src/include/s390_aes.h -+++ b/src/include/s390_aes.h -@@ -327,6 +327,8 @@ static inline int s390_aes_ecb_sw(unsigned int function_code, - &aes_key, direction); - } - -+ OPENSSL_cleanse(&aes_key, sizeof(aes_key)); -+ - return 0; - } - -@@ -388,6 +390,8 @@ static inline int s390_aes_cbc_sw(unsigned int function_code, - AES_cbc_encrypt(input_data, output_data, input_length, - &aes_key, (unsigned char *) iv, direction); - -+ OPENSSL_cleanse(&aes_key, sizeof(aes_key)); -+ - return 0; - } - -diff --git a/src/include/s390_des.h b/src/include/s390_des.h -index 811de4d..81d8ed0 100644 ---- a/src/include/s390_des.h -+++ 
b/src/include/s390_des.h
-@@ -112,6 +112,10 @@ static inline int s390_des_ecb_sw(unsigned int function_code, unsigned long inpu
- break;
- }
-
-+ OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
-+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
-+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
-+
- return 0;
- }
-
-@@ -193,6 +197,10 @@ static inline int s390_des_cbc_sw(unsigned int function_code,
- break;
- };
-
-+ OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
-+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
-+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
-+
- return 0;
- }
-
---
-2.26.2
-
diff --git a/libica.changes b/libica.changes
index 34db439..152a5f5 100644
--- a/libica.changes
+++ b/libica.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek
+
+- Update to version 3.8.0 (jsc#SLE-18334)
+ - [FEATURE] provide libica-cex module to satisfy special security requirements
+ - [FEATURE] FIPS: enforce the HMAC check
+- Remove upstreamed patches:
+ - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
+ - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
+ - libica-sles15sp2-Zeroize-local-variables.patch
+- Remove patches obsoleted by upstrea developent:
+ * FIPS: Find libica from phdrs.
+ - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
+ * FIPS: enforce the hmac check
+ - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+- Fix up tests and hmac generation
+ + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+- Remove obsolete attributes from filelists
+
 -------------------------------------------------------------------
 Fri Sep 18 20:59:39 UTC 2020 - Mark Post
diff --git a/libica.spec b/libica.spec
index 5f36a72..9510b6c 100644
--- a/libica.spec
+++ b/libica.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libica
 #
-# Copyright (c) 2018-2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %endif
 Name: libica
-Version: 3.7.0
+Version: 3.8.0
 Release: 0
 Summary: Library interface for the IBM Cryptographic Accelerator device driver
 License: CPL-1.0
@@ -37,11 +37,7 @@ Source4: z90crypt
 Source5: z90crypt.service
 Source6: baselibs.conf
 Source7: %{name}-rpmlintrc
-Patch01: libica-sles15sp2-Zeroize-local-variables.patch
-Patch02: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
-Patch03: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
-Patch04: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
-Patch05: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
 Patch99: libica-sles15sp2-FIPS-hmac-key.patch
 BuildRequires: autoconf
@@ -123,14 +119,14 @@ autoreconf --force --install
 %configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
 --enable-fips
 %make_build clean
-%make_build
+%make_build FIPSHMAC=fipshmac
 %define major %(echo %{version} | sed -e 's/[.].*//')
-%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{major} }}
+%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
 %install
-%make_install
+%make_install FIPSHMAC=fipshmac
 mkdir -p %{buildroot}%{_includedir}
 cp -p include/ica_api.h %{buildroot}%{_includedir}
 mkdir -p %{buildroot}%{_sbindir}
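Review bot: `%make_build FIPSHMAC=fipshmac`, `%make_install FIPSHMAC=fipshmac` and the matching `%check` line make the build depend on a host `fipshmac` binary, but no `BuildRequires` for the package that ships it is visible in this hunk (the list after `BuildRequires: autoconf` lies outside it); if it is not declared there, the `hmac-file` target fails late with a command-not-found instead of at dependency resolution. The `__os_install_post` override is correct but its ordering is subtle: `fipshmac` has to run after the stock post-install stripping because the `.hmac` must cover the final bytes of the installed library, and switching the glob to `*.so.%{version}` is what makes it cover both `libica.so.%{version}` and `libica-cex.so.%{version}` now that the hash file is named after the full version. A one-line comment above the `%{expand:…}` line, e.g. `# Re-hash after __os_install_post has stripped the libraries: the .hmac must match the installed bytes`, would record why the hash generated during %build is deliberately overwritten here.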
@@ -138,17 +134,18 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
 install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
 install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
 install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
+# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
+# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
+# and the dangling symlink test would fail
+chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
 cp -a %{SOURCE2} .
-rm -f %{buildroot}%{_libdir}/libica.la
+rm -vf %{buildroot}%{_libdir}/lib*.la
 rm -f %{buildroot}%{_datadir}/doc/libica/*
 rmdir %{buildroot}%{_datadir}/doc/libica
 %check
-echo Tests should fail without a hash file
-! %make_build check
-fipshmac src/.libs/libica.so.%{major}
-%make_build check
+%make_build check FIPSHMAC=fipshmac
 %pre tools
 %service_add_pre z90crypt.service
@@ -167,19 +164,25 @@ fipshmac src/.libs/libica.so.%{major}
 %postun -n libica3 -p /sbin/ldconfig
 %files -n libica3
-%defattr(-,root,root)
 %{_libdir}/libica.so.%{version}
 %{_libdir}/libica.so.%{major}
+%{_libdir}/.libica.so.%{version}.hmac
 %{_libdir}/.libica.so.%{major}.hmac
+%{_libdir}/libica-cex.so.%{version}
+%{_libdir}/libica-cex.so.%{major}
+%{_libdir}/.libica-cex.so.%{version}.hmac
+%{_libdir}/.libica-cex.so.%{major}.hmac
 %files tools
 %license LICENSE
 %doc README.SUSE
 %{_sbindir}/rcz90crypt
-%attr(0644,root,root) %{_fillupdir}/sysconfig.z90crypt
+%{_fillupdir}/sysconfig.z90crypt
 %{_bindir}/icainfo
+%{_bindir}/icainfo-cex
 %{_bindir}/icastats
 %{_mandir}/man1/icainfo.1%{?ext_man}
+%{_mandir}/man1/icainfo-cex.1%{?ext_man}
 %{_mandir}/man1/icastats.1%{?ext_man}
 %dir %{_prefix}/lib/systemd/scripts
 %{_prefix}/lib/systemd/scripts/z90crypt
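Review bot: The `%check` section drops the negative test (`echo Tests should fail without a hash file` followed by `! %make_build check`), so the package no longer demonstrates that the HMAC self-test actually rejects a missing or wrong `.hmac`, even though enforcing that check is the headline feature of this update. The old form presumably cannot survive as-is because the build now produces the hash itself through the `hmac-file` target, but a variant that corrupts `src/.libs/.libica.so.%{version}.hmac` after the build and expects `%make_build check` to fail would restore that coverage; its exact shape depends on whether the check target regenerates the hash, which is outside this hunk. If the negative test is dropped on purpose, a one-line comment in `%check` saying that enforcement is exercised by the upstream test suite (if that is the case) would stop the next reader from re-adding it.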
@@ -188,9 +191,11 @@ fipshmac src/.libs/libica.so.%{major}
 %{_libdir}/libica.so
 %files devel
-%attr(0644,root,root) %{_includedir}/ica_api.h
+%{_includedir}/ica_api.h
+%{_libdir}/libica-cex.so
 %files devel-static
-%attr(0644,root,root) %{_libdir}/libica.a
+%{_libdir}/libica.a
+%{_libdir}/libica-cex.a
 %changelog
From 6d7a36bc5c28a4569f4a6c97ac3e818adc0636e493890985dfb5a2746562e820 Mon Sep 17 00:00:00 2001
From: Mark Post
Date: Tue, 29 Jun 2021 14:47:22 +0000
Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=59
---
 libica.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libica.spec b/libica.spec
index 9510b6c..cde211d 100644
--- a/libica.spec
+++ b/libica.spec
@@ -140,7 +140,7 @@ install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.
 chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
 cp -a %{SOURCE2} .
-rm -vf %{buildroot}%{_libdir}/lib*.la
+rm -vf %{buildroot}%{_libdir}/libica*.la
 rm -f %{buildroot}%{_datadir}/doc/libica/*
 rmdir %{buildroot}%{_datadir}/doc/libica
From 479816679ca5d9311862533dbeafba0e3cf6831fb43ca8ab6f63a08a209eee45 Mon Sep 17 00:00:00 2001
From: Mark Post
Date: Tue, 29 Jun 2021 14:47:34 +0000
Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=60
---
 libica.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libica.spec b/libica.spec
index cde211d..53a1dfe 100644
--- a/libica.spec
+++ b/libica.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libica
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2018-2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed