diff --git a/libica-3.8.0-hmac.patch b/libica-3.8.0-hmac.patch
new file mode 100644
index 0000000..eaaf279
--- /dev/null
+++ b/libica-3.8.0-hmac.patch
@@ -0,0 +1,66 @@
+From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Wed, 2 Jun 2021 09:40:47 +0200
+Subject: [PATCH] Compute HMAC from installed library
+
+The HMAC hash was computed from the libica in the build tree, but
+the runtime check is run against the installed libica and those 2
+files were different. The runtime one has debuginfo stripped
+(and placed into a separate file), thus the hashes are different.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ Makefile.am | 9 ++++-----
+ src/Makefile.am | 8 +++++++-
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index c86cdd3..55de3b2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -17,11 +17,8 @@ coverage: check
+ cd ${top_builddir}/src && gcov .libs/*.gcda
+ 
+ if ICA_FIPS
+-install-data-hook:
+- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
+- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
++fipsinstall:
++ $(AM_V_GEN)$(MAKE) -C src fipsinstall
+ 
+ uninstall-hook:
+ rm -f $(DESTDIR)$(libdir)/.libica.so.$(MAJOR).hmac
+@@ -30,3 +27,5 @@ uninstall-hook:
+ rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION).hmac
+ endif
+ 
++.PHONY: fipsinstall
++
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..5367d49 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -46,6 +46,12 @@ mp.S : mp.pl
+ ./mp.pl mp.S
+ 
+ if ICA_FIPS
++fipsinstall:
++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
++
+ hmac-file-lnk: hmac-file
+ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \
+ include/rng.h ../test/testcase.h
+ endif
+ 
+-.PHONY: hmac-file hmac-file-lnk
++.PHONY: hmac-file hmac-file-lnk fipsinstall
+-- 
+2.29.2.windows.2
+
diff --git a/libica.spec b/libica.spec
index eef558c..f585ce3 100644
--- a/libica.spec
+++ b/libica.spec
@@ -1,9 +1,9 @@
-%global with_fips 0
+%global with_fips 1
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
 Version: 3.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -13,6 +13,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 Patch0: %{name}-3.8.0-annotate.patch
 # https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e
 Patch1: %{name}-3.8.0-configure.patch
+# https://github.com/opencryptoki/libica/issues/62
+Patch2: %{name}-3.8.0-hmac.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@@ -70,6 +72,14 @@ if [ -c /dev/hwrng -o -c /dev/prandom ]; then
 make check
 fi
+%if %{with_fips}
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ make fipsinstall DESTDIR=%{buildroot}
+ %{nil}
+%endif
 %files
 %doc AUTHORS LICENSE ChangeLog
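Review bot: In the new `fipsinstall` target of src/Makefile.am, the two `$(AM_V_GEN) openssl dgst … | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica*.so.$(VERSION1).hmac` recipe lines report only sed's exit status, so a failing openssl (library not yet under DESTDIR, wrong $(libdir)) leaves an empty .hmac file installed while the build still succeeds; capturing the digest first makes the build fail instead, e.g. `h=$$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1)) && echo "$$h" | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac` (same for the -cex line). The two `ln -s` lines drop the `-f` that the replaced install-data-hook and the neighbouring hmac-file-lnk target use, so a second `make fipsinstall` into a populated DESTDIR fails with "File exists". `hexkey:00000000` is a fixed, public value, which is what an integrity checksum needs but reads like a leaked secret; a comment such as `# fixed public key: the .hmac is an integrity checksum and must match the key used by the library's runtime self-check` would help, and the key should be confirmed against the self-test code. The top-level uninstall-hook removes `.libica.so.$(VERSION).hmac` while the files are now written as `.libica.so.$(VERSION1).hmac`; presumably the two variables are equal, but that is not visible here.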
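Review bot: The position of `make fipsinstall DESTDIR=%{buildroot}` at the end of the new `__spec_install_post` override — after `%{__os_install_post}`, where the debuginfo stripping the patch description blames happens — is the whole reason the override exists, yet nothing in the spec says so; add `# HMAC must be computed after __os_install_post has stripped the installed library` above the `%define`. Redefining the whole `__spec_install_post` chain also silently drops any step the distro adds to the default macro later, which is worth stating in the same comment. As a point of style, `%{__make}` rather than bare `make` is the usual form for a build step in a spec. Whether any later brp script on the target distro rewrites ELF files after this step is not visible here; confirm the order.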
@@ -93,6 +103,9 @@ fi
 %changelog
+* Wed Jun 02 2021 Dan Horák - 3.8.0-4
+- re-enable FIPS support
+
 * Mon May 31 2021 Dan Horák - 3.8.0-3
 - disable FIPS support (broken)