- re-enable FIPS support
parent
a4853ef26b
commit
4284ce6512
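--- a/libica-3.8.0-hmac.patch
+++ b/libica-3.8.0-hmac.patch
@@ -0,0 +1,66 @@
+From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 2 Jun 2021 09:40:47 +0200
+Subject: [PATCH] Compute HMAC from installed library
+
+The HMAC hash was computed from the libica in the build tree, but
+the runtime check is run against the installed libica and those 2
+files were different. The runtime one has debuginfo stripped
+(and placed into a separate file), thus the hashes are different.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+Makefile.am | 9 ++++-----
+src/Makefile.am | 8 +++++++-
+2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index c86cdd3..55de3b2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -17,11 +17,8 @@ coverage: check
+cd ${top_builddir}/src && gcov .libs/*.gcda
+
+if ICA_FIPS
+-install-data-hook:
+- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
+- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
++fipsinstall:
++ $(AM_V_GEN)$(MAKE) -C src fipsinstall
+
+uninstall-hook:
+rm -f $(DESTDIR)$(libdir)/.libica.so.$(MAJOR).hmac
+@@ -30,3 +27,5 @@ uninstall-hook:
+rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION).hmac
+endif
+
++.PHONY: fipsinstall
++
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..5367d49 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -46,6 +46,12 @@ mp.S : mp.pl
+./mp.pl mp.S
+
+if ICA_FIPS
++fipsinstall:
++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
++
+hmac-file-lnk: hmac-file
+$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \
+include/rng.h ../test/testcase.h
+endif
+
+-.PHONY: hmac-file hmac-file-lnk
++.PHONY: hmac-file hmac-file-lnk fipsinstall
+--
+2.29.2.windows.2
+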
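Review bot: In the `fipsinstall` recipe added to src/Makefile.am, each `openssl dgst … | sed … > ….hmac` pipeline reports only sed's exit status, so a missing library or a failing openssl still leaves an empty `.hmac` file and a build that succeeds. Going by the patch description, this file is what the runtime check compares the installed library against, so the recipe should fail closed, for example by following each digest line with `test -s $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac` (and the `-cex` equivalent). The two `ln -s` lines also lack the `-f` that the neighbouring `hmac-file-lnk` target uses, so a second run into the same DESTDIR fails on the existing link. The removed install-data-hook installed the files with `-m 0444`, whereas the shell redirect leaves the mode to the umask; a `chmod 0444` after generation would keep the previous permissions.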
17
libica.spec
17
libica.spec
@ -1,9 +1,9 @@
|
||||
%global with_fips 0
|
||||
%global with_fips 1
|
||||
|
||||
Summary: Library for accessing ICA hardware crypto on IBM z Systems
|
||||
Name: libica
|
||||
Version: 3.8.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: CPL
|
||||
URL: https://github.com/opencryptoki/
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
@ -13,6 +13,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
|
||||
Patch0: %{name}-3.8.0-annotate.patch
|
||||
# https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e
|
||||
Patch1: %{name}-3.8.0-configure.patch
|
||||
# https://github.com/opencryptoki/libica/issues/62
|
||||
Patch2: %{name}-3.8.0-hmac.patch
|
||||
BuildRequires: gcc
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: openssl
|
||||
@ -70,6 +72,14 @@ if [ -c /dev/hwrng -o -c /dev/prandom ]; then
|
||||
make check
|
||||
fi
|
||||
|
||||
%if %{with_fips}
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
make fipsinstall DESTDIR=%{buildroot}
|
||||
%{nil}
|
||||
%endif
|
||||
|
||||
%files
|
||||
%doc AUTHORS LICENSE ChangeLog
|
||||
@ -93,6 +103,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jun 02 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-4
|
||||
- re-enable FIPS support
|
||||
|
||||
* Mon May 31 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-3
|
||||
- disable FIPS support (broken)
|
||||
|
||||
|
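Review bot: The `__spec_install_post` override in the `%if %{with_fips}` block has no comment explaining why the default post-install sequence is replaced, and the ordering is the whole point: the HMAC has to be computed after the strip and other post-processing steps have modified the installed library. A line such as `# compute the FIPS HMAC last, after debuginfo stripping has changed the installed library` above the `%define` would keep a later packager from reordering or dropping it. Because the override spells out the three post-install macros by hand, any step the distribution adds to its default sequence later would presumably be skipped here, which is worth stating in the same comment. Whether `%files` lists the generated `.hmac` files is not visible in these hunks.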