diff --git a/.gitignore b/.gitignore index b0eec8c..2bb538f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libica-4.1.1.tar.gz +SOURCES/libica-4.2.3.tar.gz diff --git a/.libica.metadata b/.libica.metadata deleted file mode 100644 index 6020dad..0000000 --- a/.libica.metadata +++ /dev/null @@ -1 +0,0 @@ -a826ac86ded4ed96804fe19634b02838ab78ac86 SOURCES/libica-4.1.1.tar.gz diff --git a/SOURCES/libica-4.1.1-revert-abi.patch b/SOURCES/libica-4.1.1-revert-abi.patch index abf8be2..d08d299 100644 --- a/SOURCES/libica-4.1.1-revert-abi.patch +++ b/SOURCES/libica-4.1.1-revert-abi.patch @@ -26,7 +26,7 @@ diff --git a/include/ica_api.h b/include/ica_api.h index 0263d2f..8f7bbdb 100644 --- a/include/ica_api.h +++ b/include/ica_api.h -@@ -1447,6 +1447,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, +@@ -1480,6 +1480,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, ICA_EXPORT unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key); @@ -254,7 +254,7 @@ index 0263d2f..8f7bbdb 100644 /** * Encrypt or decrypt data with an DES key using Electronic Cook Book (ECB) * mode as described in NIST Special Publication 800-38A Chapter 6.1. -@@ -3485,6 +3706,15 @@ void ica_aes_gcm_kma_ctx_free(kma_ctx* ctx); +@@ -3599,6 +3820,15 @@ int ica_get_hw_info(libica_hw_info *hw_info); ICA_EXPORT unsigned int ica_get_version(libica_version_info *version_info); @@ -268,8 +268,8 @@ index 0263d2f..8f7bbdb 100644 + unsigned int *pmech_list_len); + /** - * Function that returns a list of crypto mechanisms supported by libica. - * @param pmech_list + * Return libica build information. + * diff --git a/libica.map b/libica.map index 0a64d4c..0a71832 100644 --- a/libica.map @@ -312,7 +312,7 @@ diff --git a/src/ica_api.c b/src/ica_api.c index 42d9baf..3e13a29 100644 --- a/src/ica_api.c +++ b/src/ica_api.c -@@ -2436,6 +2436,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx) +@@ -2452,6 +2452,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx) * ******************************************************************************/ @@ -581,9 +581,9 @@ diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h index 49cbb09..76f530f 100644 --- a/src/include/s390_crypto.h +++ b/src/include/s390_crypto.h -@@ -25,11 +25,6 @@ - - #include +@@ -30,11 +30,6 @@ int s390_get_fips_indicator(libica_fips_indicator_element *fips_list, + unsigned int *fips_list_len); + #endif -/* major 4.0: no more exported, now internal */ -int s390_initialize_functionlist(void); @@ -619,7 +619,7 @@ index f220205..f756597 100644 aes_ecb_test \ aes_cbc_test \ aes_ctr_test \ -@@ -71,10 +76,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c +@@ -72,10 +77,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c get_functionlist_cex_test_LDADD = @LIBS@ ${top_builddir}/src/.libs/libica-cex.so -lcrypto -lpthread check_PROGRAMS = fips_test icastats_test get_functionlist_test \ @@ -1596,7 +1596,7 @@ diff --git a/src/ica_api.c b/src/ica_api.c index 3e13a29..1bd81bb 100644 --- a/src/ica_api.c +++ b/src/ica_api.c -@@ -91,6 +91,16 @@ void ica_set_stats_mode(int stats_mode) +@@ -93,6 +93,16 @@ void ica_set_stats_mode(int stats_mode) } #ifndef NO_CPACF diff --git a/SOURCES/libica-4.1.1-shmem.patch b/SOURCES/libica-4.1.1-shmem.patch deleted file mode 100644 index 0343471..0000000 --- a/SOURCES/libica-4.1.1-shmem.patch +++ /dev/null @@ -1,35 +0,0 @@ -From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Wed, 1 Feb 2023 10:54:33 +0100 -Subject: [libica PATCH] bugfix: permission denied on shared memory segments - -A change to the Linux kernel in 4.19 for added security is -changing the behavior when opening shared memory segments. -The O_CREAT flag must not be used for existing segments. - -Signed-off-by: Joerg Schmidbauer ---- - src/icastats_shared.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/icastats_shared.c b/src/icastats_shared.c -index bbc8d0e..8290239 100644 ---- a/src/icastats_shared.c -+++ b/src/icastats_shared.c -@@ -54,9 +54,10 @@ int stats_mmap(int user) - sprintf(shm_id, "icastats_%d", - user == -1 ? geteuid() : (uid_t)user); - -- stats_shm_handle = shm_open(shm_id, -- O_CREAT | O_RDWR, -- S_IRUSR | S_IWUSR); -+ stats_shm_handle = shm_open(shm_id, O_RDWR, S_IRUSR | S_IWUSR); -+ -+ if (stats_shm_handle == -1) -+ stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR); - - if (stats_shm_handle == -1) - return rc; --- -2.39.1 - diff --git a/SOURCES/libica-4.2.3-fips.patch b/SOURCES/libica-4.2.3-fips.patch new file mode 100644 index 0000000..5bddfb9 --- /dev/null +++ b/SOURCES/libica-4.2.3-fips.patch @@ -0,0 +1,35 @@ +From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Tue, 10 Oct 2023 14:10:22 +0200 +Subject: [PATCH] fips: use openssl lib context in compute_file_hmac + +Before calling any openssl EVP function, libica's own openssl lib ctx +must be made the current one. This was missing in compute_file_hmac. + +Suggested-by: Ingo Franzki +Signed-off-by: Joerg Schmidbauer +--- + src/fips.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/fips.c b/src/fips.c +index f09dc77..3bbc325 100644 +--- a/src/fips.c ++++ b/src/fips.c +@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) + void *fdata = NULL; + struct stat fdata_stat; + ++ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc); ++ + pkey = get_pkey(); + if (!pkey) + goto end; +@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) + EVP_MD_CTX_destroy(mdctx); + + OPENSSL_cleanse(tmp, sizeof(tmp)); ++ END_OPENSSL_LIBCTX(rc); + + return rc; + } diff --git a/SPECS/libica.spec b/SPECS/libica.spec index e2bd787..26c25d1 100644 --- a/SPECS/libica.spec +++ b/SPECS/libica.spec @@ -4,8 +4,8 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 4.1.1 -Release: 2%{?dist} +Version: 4.2.3 +Release: 1%{?dist} License: CPL Group: System Environment/Libraries URL: https://github.com/opencryptoki/ @@ -17,9 +17,9 @@ Patch0: %{name}-4.0.1-annotate.patch # - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048 # - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2 Patch1: %{name}-4.1.1-revert-abi.patch -# fix permissions for shared memory segments -# https://bugzilla.redhat.com/show_bug.cgi?id=2167363 -Patch2: %{name}-4.1.1-shmem.patch +# https://issues.redhat.com/browse/RHEL-14892 +# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6 +Patch2: %{name}-4.2.3-fips.patch BuildRequires: gcc BuildRequires: openssl BuildRequires: openssl-devel @@ -110,6 +110,20 @@ fi %changelog +* Fri Oct 27 2023 Dan Horák - 4.2.3-1 +- updated to 4.2.3 (RHEL-11411) +- fix selfcheck in FIPS mode (RHEL-14892) +- Resolves: RHEL-11411 RHEL-14892 + +* Wed Jul 19 2023 Dan Horák - 4.2.2-2 +- icastats: Fix summary option (#2223697) +- Resolves: #2223697 + +* Wed May 24 2023 Dan Horák - 4.2.2-1 +- updated to 4.2.2 (#2159718) +- FIPS 140-3 compliance (#2159748) +- Resolves: #2159718 #2159748 + * Tue Feb 07 2023 Dan Horák - 4.1.1-2 - fix permissions for shared memory segments (#2167363) - Resolves: #2167363