diff --git a/.gitignore b/.gitignore index 96afd96..7f8765c 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ libica-2.0.3.tar.gz /libica-3.2.0.tgz /libica-3.3.2.tar.gz /libica-3.3.3.tar.gz +/libica-3.4.0.tar.gz diff --git a/libica-3.3.3-annotate.patch b/libica-3.3.3-annotate.patch deleted file mode 100644 index 4474f88..0000000 --- a/libica-3.3.3-annotate.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up libica-3.3.3/src/Makefile.am.annotate libica-3.3.3/src/Makefile.am ---- libica-3.3.3/src/Makefile.am.annotate 2018-09-20 08:25:50.892538076 -0400 -+++ libica-3.3.3/src/Makefile.am 2018-09-20 08:26:14.162538076 -0400 -@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libica.la - - libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \ - -fvisibility=hidden --libica_la_CCASFLAGS = ${AM_CFLAGS} -+libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes - libica_la_LIBADD = @LIBS@ -lrt -lcrypto - libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \ - -version-number ${VERSION} diff --git a/libica-3.3.3-noexecstack.patch b/libica-3.3.3-noexecstack.patch deleted file mode 100644 index c3962b0..0000000 --- a/libica-3.3.3-noexecstack.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 524659f8e042aed45015e1aca930a3cfe5ffa628 Mon Sep 17 00:00:00 2001 -From: Patrick Steuer -Date: Tue, 12 Jun 2018 14:36:45 +0200 -Subject: [PATCH] Add non-executable gnu stack markings in the assembly. - -Signed-off-by: Patrick Steuer ---- - src/mp.pl | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/mp.pl b/src/mp.pl -index 3c73736..e249f61 100755 ---- a/src/mp.pl -+++ b/src/mp.pl -@@ -505,4 +505,8 @@ - LONG (0x10000102,0x03040506,0x10071819,0x1a1b1c1d); - LONG (0x00000000,0x00000018,0x00191a1b,0x1c1d1e1f); - -+VERBATIM("#if defined(__linux__) && defined(__ELF__)\n"); -+SECTION (".note.GNU-stack,\"\",%progbits"); -+VERBATIM("#endif\n"); -+ - PERLASM_END(); diff --git a/libica-3.4.0-annotate.patch b/libica-3.4.0-annotate.patch new file mode 100644 index 0000000..2d7bbfc --- /dev/null +++ b/libica-3.4.0-annotate.patch @@ -0,0 +1,76 @@ +From c69c32061cb864e8934041bb48f3c241a78cb05f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20Hor=C3=A1k?= +Date: Tue, 25 Sep 2018 13:44:32 +0200 +Subject: [PATCH] add build note to assembler sources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When distros use the annobin compiler plugin [1], they have complete overview +what compiler flags were used for compilation and they are able to perform +security checks on the produced binaries. Compiling assembler source can't +provide this kind of information by default, so we need the explicit +-Wa,--generate-missing-build-notes=yes option during build. When the option is +missing, then the annocheck tool reports "GAPS" in the resulting binary. + +binutils >= 2.31 or older with backport is needed + +[1] https://fedoraproject.org/wiki/Changes/Annobin + +Signed-off-by: Dan Horák +--- + configure.ac | 4 ++++ + libica.spec | 2 +- + src/Makefile.am | 2 +- + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 48f8242..18df2b0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -80,12 +80,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab + FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2" + fi + ++# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed ++AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"]) ++ + # restore cmdline flags (ignore PROG_AS/PROG_CC defaults) + CFLAGS="$cmdline_CFLAGS" + CCASFLAGS="$cmdline_CFLAGS" + + AC_SUBST([FLAGS], $FLAGS) + AC_SUBST([LIBS], $LIBS) ++AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS) + AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile]) + AC_OUTPUT + +diff --git a/libica.spec b/libica.spec +index 022f6c2..66d82cf 100644 +--- a/libica.spec ++++ b/libica.spec +@@ -9,7 +9,7 @@ URL: https://github.com/opencryptoki/libica + Source0: %{name}-%{version}.tar.gz + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +-BuildRequires: autoconf automake libtool openssl-devel ++BuildRequires: autoconf automake libtool openssl-devel autoconf-archive + + %description + Interface library on Linux for IBM System z to utilize CPACF +diff --git a/src/Makefile.am b/src/Makefile.am +index c7cecf6..a21ba00 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libica.la + + libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \ + -fvisibility=hidden +-libica_la_CCASFLAGS = ${AM_CFLAGS} ++libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS} + libica_la_LIBADD = @LIBS@ -lrt -lcrypto + libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \ + -version-number ${VERSION} +-- +2.14.5 + diff --git a/libica.spec b/libica.spec index 55dff30..d071da5 100644 --- a/libica.spec +++ b/libica.spec @@ -1,21 +1,21 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 3.3.3 -Release: 4%{?dist} +Version: 3.4.0 +Release: 1%{?dist} License: CPL Group: System Environment/Libraries URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -# https://github.com/opencryptoki/libica/commit/524659f8e042aed45015e1aca930a3cfe5ffa628 -Patch0: %{name}-3.3.3-noexecstack.patch # annotate assembler source # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 -Patch1: %{name}-3.3.3-annotate.patch +# https://github.com/opencryptoki/libica/pull/24 +Patch0: %{name}-3.4.0-annotate.patch BuildRequires: gcc BuildRequires: openssl-devel BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool +BuildRequires: autoconf-archive ExclusiveArch: s390 s390x %description @@ -79,6 +79,9 @@ fi %changelog +* Fri Nov 16 2018 Dan Horák - 3.4.0-1 +- updated to 3.4.0 + * Fri Sep 21 2018 Dan Horák - 3.3.3-4 - annotate assembler file (#1630582) diff --git a/sources b/sources index b31f8a5..b40b9f8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libica-3.3.3.tar.gz) = 15f519545106d5c75a54b32a543c5108687a1460e5893613c1c1bd188c59d5e1ba262efdc7ef15e23ec8dc6cc0fe6902a30f4aec907cf5a71445bbb494969f39 +SHA512 (libica-3.4.0.tar.gz) = d3f6198e1a0ac1300fd728db7e47a38f4b250c9d6b0cf9cc0f30c3c557aa898a927a9d3ec38d7f78239297bfe37ea58218990f88cc4f02569ea1b04bc052af31