- fix running in FIPS mode (#2084097)

- Resolves: #2084097
2022-05-16 16:28:02 +02:00 · 2022-05-16 16:28:02 +02:00 · 6181c82c75
commit 6181c82c75
parent 573d552172
2 changed files with 43 additions and 5 deletions
--- a/libica-no-fips-config.patch
+++ b/libica-no-fips-config.patch
@ -0,0 +1,33 @@
+From 56b6ca219ecd37ba2c7e520ddac83eb801ce76ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 16 May 2022 15:44:06 +0200
+Subject: [libica PATCH] FIPS specific openssl config is not required in
+ RHEL/Fedora
+
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index 129a1a7..6466133 100644
+--- a/src/fips.c
+++ b/src/fips.c
+@@ -235,12 +235,15 @@ fips_init(void)
+ 		FIPS_mode_set(1);
+ #else
+ 		fips = 0;
+		/* FIPS specific openssl config is not required in RHEL/Fedora */
+#if 0
+ 		if (!OSSL_LIB_CTX_load_config(openssl_libctx, LIBICA_FIPS_CONFIG)) {
+ 			syslog(LOG_ERR, "Libica failed to load openssl fips config %s\n",
+ 					LIBICA_FIPS_CONFIG);
+ 			fips |= ICA_FIPS_INTEGRITY;
+ 			return;
+ 		}
+#endif
+ 
+ 		openssl_provider = OSSL_PROVIDER_load(openssl_libctx, "fips");
+ 		if (openssl_provider == NULL) {
+-- 
+2.34.3
+
--- a/libica.spec
+++ b/libica.spec
@ -3,7 +3,7 @@
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
 Version: 4.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -11,8 +11,11 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
+# FIPS openssl config is not needed on RHEL/Fedora
+# https://bugzilla.redhat.com/show_bug.cgi?id=2084097
+Patch1: %{name}-no-fips-config.patch
 # post GA fixes
-Patch1: %{name}-%{version}-fixes.patch
+Patch2: %{name}-%{version}-fixes.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@ -86,9 +89,7 @@ fi
 %{_bindir}/icastats
 %if %{with_fips}
 %if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
-# openssl 3.0 is available since Fedora 36 and RHEL 9
-%dir %{_sysconfdir}/libica
-%{_sysconfdir}/libica/openssl3-fips.cnf
+%exclude %{_sysconfdir}/libica/openssl3-fips.cnf
 %endif
 %{_libdir}/.libica.*.hmac
 %{_libdir}/.libica-cex.*.hmac
@ -106,6 +107,10 @@ fi


 %changelog
+* Mon May 16 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-2
+- fix running in FIPS mode (#2084097)
+- Resolves: #2084097
+
 * Thu May 12 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
 - updated to 4.0.1 (#2044178)
 - Resolves: #2044178 #2044174