rpm/libica
SHA256
1
0
Fork 0
forked from pool/libica
Code Pull Requests Activity

Accepting request 1088509 from home:ngueorguiev:branches:security:tls

Browse Source 
- Upgrade to version 4.2.2 (jsc#PED-3277)
  - [UPDATE] syslog msgs only in error cases
  - [UPDATE] don't count statistics in fips power-on self tests
  - [PATCH] various fixes and some new tests

OBS-URL: https://build.opensuse.org/request/show/1088509
OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=7
This commit is contained in:
Nikolay Gueorguiev 2023-05-23 06:08:56 +00:00 committed by Git OBS Bridge
parent 28dea1df41
commit 8f54dd4884
6 changed files with 14 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libica-4.2.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b75b5813261b3969d5190a73555dd6eab894698613ceb48edbbeab3ecda3a51e
size 564553

3
libica-4.2.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a12a6a1d67f799b564266610a8f6af1ac4c574292e533a294c75eab9789edee
size 574439

55
libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
View File

@ -1,55 +0,0 @@
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Mon, 7 Jun 2021 21:12:01 +0200
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
openssl-fipshmac | 12 ++++++++++++
src/Makefile.am | 4 ++--
2 files changed, 14 insertions(+), 2 deletions(-)
create mode 100755 openssl-fipshmac
diff --git a/openssl-fipshmac b/openssl-fipshmac
new file mode 100755
index 0000000..60fd505
--- /dev/null
+++ b/openssl-fipshmac
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+if [ "$#" -eq 0 ] ; then
+ echo "No library to hash specified." >&2
+ exit 22
+fi
+
+while [ -n "$1" ] ; do
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
+ shift
+done
diff --git a/src/Makefile.am b/src/Makefile.am
index 4a1ef14..2be01a5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -47,6 +47,7 @@
./mp.pl mp.S
if ICA_FIPS
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
fipsinstall:
$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
@@ -58,8 +59,7 @@
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
hmac-file: libica.la libica-cex.la
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
hmac_files = hmac-file hmac-file-lnk
--
2.31.1

15
libica-sles15sp5-FIPS-hmac-key.patch
View File

@ -1,15 +0,0 @@
--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
+++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
@@ -65,10 +65,9 @@
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
* The known HMAC is supposed to be provided as hex string in a file
* .libica.so.VERSION.hmac in the same directory as the .so module.
- */
+ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
static const char hmackey[] =
- "0000000000000000000000000000000000000000000000000000000000000000"
- "0000000000000000000000000000000000000000000000000000000000000000";
+ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
#endif /* ICA_INTERNAL_TEST */

8
libica.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue May 23 05:56:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 4.2.2 (jsc#PED-3277)
- [UPDATE] syslog msgs only in error cases
- [UPDATE] don't count statistics in fips power-on self tests
- [PATCH] various fixes and some new tests
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com> Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

8
libica.spec
View File

@ -22,21 +22,19 @@
%endif %endif
Name: libica Name: libica
Version: 4.2.1 Version: 4.2.2
Release: 0 Release: 0
Summary: Library interface for the IBM Cryptographic Accelerator device driver Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0 License: CPL-1.0
Group: Hardware/Other Group: Hardware/Other
URL: https://github.com/opencryptoki/libica URL: https://github.com/opencryptoki/libica
Source: https://github.com/opencryptoki/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source: https://github.com/opencryptoki/%{name}/releases/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: README.SUSE Source1: README.SUSE
Source2: sysconfig.z90crypt Source2: sysconfig.z90crypt
Source3: z90crypt Source3: z90crypt
Source4: z90crypt.service Source4: z90crypt.service
Source5: %{name}-rpmlintrc Source5: %{name}-rpmlintrc
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch ###
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: fipscheck BuildRequires: fipscheck