From 65e88ae7dd2c05c50cb6643a701a55745b61de38 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 27 Sep 2022 10:56:58 -0400 Subject: [PATCH] import libica-4.0.2-1.el9 --- .gitignore | 2 +- .libica.metadata | 2 +- SOURCES/libica-4.0.0-fixes.patch | 646 ---------------------------- SOURCES/libica-no-fips-config.patch | 33 ++ SPECS/libica.spec | 23 +- 5 files changed, 52 insertions(+), 654 deletions(-) delete mode 100644 SOURCES/libica-4.0.0-fixes.patch create mode 100644 SOURCES/libica-no-fips-config.patch diff --git a/.gitignore b/.gitignore index 3621386..4330df8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libica-4.0.0.tar.gz +SOURCES/libica-4.0.2.tar.gz diff --git a/.libica.metadata b/.libica.metadata index b44dc46..435c11f 100644 --- a/.libica.metadata +++ b/.libica.metadata @@ -1 +1 @@ -9c18c8b990f8e21162364006cb60a3c9104eae19 SOURCES/libica-4.0.0.tar.gz +a9137e070966cefc5a2078893edc4693ee62088f SOURCES/libica-4.0.2.tar.gz diff --git a/SOURCES/libica-4.0.0-fixes.patch b/SOURCES/libica-4.0.0-fixes.patch deleted file mode 100644 index 67c41da..0000000 --- a/SOURCES/libica-4.0.0-fixes.patch +++ /dev/null @@ -1,646 +0,0 @@ -From 977fe8ac713f9ff3101ce9882e23d0183fb46ec8 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Wed, 15 Dec 2021 16:29:57 +0100 -Subject: [libica PATCH 01/10] RSA: limit RSA key length to 4096 - -CEX adapters support RSA up to 4096 bits. Although RSA key generation -in libica is done via openssl, and therefore even greater key lengths -would be supported, such keys could not be processed on CEX adapters -afterwards. With the removal of sw fallbacks this is now a hard -restriction. - -Signed-off-by: Joerg Schmidbauer ---- - include/ica_api.h | 4 ++++ - src/ica_api.c | 13 ++++++++++++- - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/include/ica_api.h b/include/ica_api.h -index ce27261..6137c4a 100644 ---- a/include/ica_api.h -+++ b/include/ica_api.h -@@ -1291,6 +1291,7 @@ int ica_ed448_ctx_del(ICA_ED448_CTX **ctx); - * - * @return 0 if successful. - * EINVAL if at least one invalid parameter is given. -+ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction). - * EFAULT if OpenSSL key generation should fail. - */ - ICA_EXPORT -@@ -1319,6 +1320,7 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, - * - * @return 0 if successful. - * EINVAL if at least one invalid parameter is given. -+ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction). - * EFAULT if OpenSSL key generation should fail. - */ - ICA_EXPORT -@@ -1346,6 +1348,7 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle, - * - * @return 0 if successful. - * EINVAL if at least one invalid parameter is given. -+ * EPERM if key bit length is greater than 4096 (CEX adapter restriction). - * ENOMEM if memory allocation fails. - * EIO if the operation fails. This should never happen. - */ -@@ -1375,6 +1378,7 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, - * - * @return 0 if successful. - * EINVAL if at least one invalid parameter is given. -+ * EPERM if key bit length is greater than 4096 (CEX adapter restriction). - * ENOMEM if memory allocation fails. - * EIO if the operation fails. This should never happen. - */ -diff --git a/src/ica_api.c b/src/ica_api.c -index 445b0ab..a412052 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -52,6 +52,8 @@ - - #define MAX_VERSION_LENGTH 16 - -+#define MAX_RSA_KEY_BITS 4096 -+ - #ifndef NO_SW_FALLBACKS - int ica_fallbacks_enabled = 1; - #else -@@ -1071,9 +1073,12 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, - /* Keys should comply with modulus_bit_length */ - if ((modulus_bit_length + 7) / 8 != public_key->key_length) - return EINVAL; -- /* Minimum length for public exponent is sizeof(unsigned long) */ -+ /* Minimum key length is sizeof(unsigned long) */ - if (public_key->key_length < sizeof(unsigned long)) - return EINVAL; -+ /* Max key bit length is 4096 because of CEX adapter restriction */ -+ if (modulus_bit_length > MAX_RSA_KEY_BITS) -+ return EPERM; - - /* OpenSSL takes only exponents of type unsigned long, so we have to - * be sure that we give a value of the right size to OpenSSL. -@@ -1111,6 +1116,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle, - return EINVAL; - if (public_key->key_length < sizeof(unsigned long)) - return EINVAL; -+ if (modulus_bit_length > MAX_RSA_KEY_BITS) -+ return EPERM; - - num_ignored_bytes = public_key->key_length - sizeof(unsigned long); - public_exponent = public_key->exponent; -@@ -1145,6 +1152,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, - - if (rsa_key->key_length < sizeof(unsigned long)) - return EINVAL; -+ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS) -+ return EPERM; - - /* fill driver structure */ - rb.inputdata = (unsigned char *)input_data; -@@ -1264,6 +1273,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, - - if (rsa_key->key_length < sizeof(unsigned long)) - return EINVAL; -+ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS) -+ return EPERM; - - /* fill driver structure */ - rb.inputdata = (unsigned char *)input_data; --- -2.34.1 - - -From 553977ef505b43c7d17056369ed518a971d43d68 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 5 Jan 2022 09:07:51 +0100 -Subject: [libica PATCH 02/10] ECC: fix memory leaks in make_eckey() - -Signed-off-by: Ingo Franzki ---- - src/s390_ecc.c | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/src/s390_ecc.c b/src/s390_ecc.c -index bb13944..af121b0 100644 ---- a/src/s390_ecc.c -+++ b/src/s390_ecc.c -@@ -146,12 +146,12 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) - EC_GROUP *group = NULL; - EC_POINT *point = NULL; - BIGNUM *bn_priv = NULL; -- unsigned char *pub_key = NULL; -- unsigned int pub_key_len; -- point_conversion_form_t form; - #if !OPENSSL_VERSION_PREREQ(3, 0) - EC_KEY *ec_key; - #else -+ unsigned char *pub_key = NULL; -+ unsigned int pub_key_len; -+ point_conversion_form_t form; - OSSL_PARAM_BLD *tmpl = NULL; - int rc; - #endif -@@ -175,18 +175,13 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) - goto err; - } - -- form = EC_GROUP_get_point_conversion_form(group); -- pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL); -- if (pub_key_len == 0) { -- goto err; -- } -- - #if !OPENSSL_VERSION_PREREQ(3, 0) - ec_key = EC_KEY_new_by_curve_name(nid); - if (ec_key == NULL) { - goto err; - } - -+ EC_POINT_free(point); - point = EC_POINT_new(EC_KEY_get0_group(ec_key)); - if (point == NULL) { - goto err; -@@ -209,6 +204,11 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) - } - - #else -+ form = EC_GROUP_get_point_conversion_form(group); -+ pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL); -+ if (pub_key_len == 0) { -+ goto err; -+ } - - tmpl = OSSL_PARAM_BLD_new(); - if (tmpl == NULL) { -@@ -243,6 +243,8 @@ err: - #else - if (tmpl) - OSSL_PARAM_BLD_free(tmpl); -+ if (pub_key) -+ OPENSSL_free(pub_key); - #endif - - if (ok) --- -2.34.1 - - -From b41addd200c0938c6c10202da08ad5f7df940e18 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 5 Jan 2022 09:15:58 +0100 -Subject: [libica PATCH 03/10] ECC: Avoid recursive loop in ec_key_check() with - OpenSSL 3.0 - -Use libica's OpenSSL library context in ec_key_check(), otherwise -calling EVP_PKEY_fromdata() in build_pkey_from_params() may cause -a recursive loop, when a provider is used that calls ica_ec_key_init() -(and thus ec_key_check()) within its key import function. - -Signed-off-by: Ingo Franzki ---- - src/s390_ecc.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/s390_ecc.c b/src/s390_ecc.c -index af121b0..c0c1549 100644 ---- a/src/s390_ecc.c -+++ b/src/s390_ecc.c -@@ -2458,6 +2458,8 @@ int ec_key_check(ICA_EC_KEY *ica_key) - BIGNUM *d = NULL, *x = NULL, *y = NULL; - int privlen, rc = EINVAL; - -+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc); -+ - if (!ica_key) - goto done; - -@@ -2489,6 +2491,7 @@ done: - if (privkey) - EVP_PKEY_free(privkey); - -+ END_OPENSSL_LIBCTX(rc); - return rc; - } - --- -2.34.1 - - -From 6031ec80a5ada52609822fed4a6bd2cccafe5563 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 5 Jan 2022 09:26:26 +0100 -Subject: [libica PATCH 04/10] RSA: Fix memory leaks in - rsa_key_generate_mod_expo()/crt() - -Also fix a compiler warning in rsa_key_generate(). - -Signed-off-by: Ingo Franzki ---- - src/s390_rsa.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/s390_rsa.c b/src/s390_rsa.c -index 360c374..cea2ba2 100644 ---- a/src/s390_rsa.c -+++ b/src/s390_rsa.c -@@ -128,7 +128,8 @@ EVP_PKEY* rsa_key_generate(unsigned int modulus_bit_length, - } while (*public_exponent <= 2 || !(*public_exponent % 2)); - } - -- e = BN_bin2bn(public_exponent, sizeof(unsigned long), NULL); -+ e = BN_bin2bn((const unsigned char *)public_exponent, -+ sizeof(unsigned long), NULL); - if (e == NULL) { - goto done; - } -@@ -259,6 +260,8 @@ err: - #if !OPENSSL_VERSION_PREREQ(3, 0) - RSA_free(rsa); - #else -+ BN_free(n); -+ BN_free(d); - EVP_PKEY_free(pkey); - #endif - -@@ -410,6 +413,12 @@ err: - #if !OPENSSL_VERSION_PREREQ(3, 0) - RSA_free(rsa); - #else -+ BN_free(n); -+ BN_free(p); -+ BN_free(q); -+ BN_free(dmp1); -+ BN_free(dmq1); -+ BN_free(iqmp); - EVP_PKEY_free(pkey); - #endif - --- -2.34.1 - - -From b49cf457659a4baf382b3828d89823497bb00f6e Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Thu, 13 Jan 2022 10:42:02 +0100 -Subject: [libica PATCH 05/10] EC: Handle unsupported EC curve in - ica_ec_key_new() - -In case of an unsupported curve nid, privlen_from_nid() returns -1. -The subsequent calloc() will fail with a size of -3 (0xfffffffffffffffd). - -Also free the already allocated key in case of an error to avoid a -memory leak. - -Signed-off-by: Ingo Franzki ---- - src/ica_api.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/ica_api.c b/src/ica_api.c -index a412052..0a885e2 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -1336,9 +1336,15 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen) - - /* allocate clear memory for the 3 key parts */ - len = privlen_from_nid(nid); -+ if (len <= 0) { -+ free(key); -+ return NULL; -+ } - key->X = calloc(1, 3*len); -- if (!key->X) -+ if (!key->X) { -+ free(key); - return NULL; -+ } - - key->nid = nid; - key->Y = key->X + len; --- -2.34.1 - - -From 7e6e303e6aef019047eb6dfcdedbfe7da2a88526 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Tue, 11 Jan 2022 16:04:15 +0100 -Subject: [libica PATCH 06/10] Compute HMAC from installed library - -The HMAC hash was computed from the libica in the build tree, but -the runtime check is run against the installed libica and those 2 -files may be different. E.g. if the runtime one has debuginfo stripped -(and placed into a separate file), the hashes are different. -This commit introduces a new make target: fipsinstall, which creates -the HMAC files in the install directory. - -Signed-off-by: Joerg Schmidbauer ---- - Makefile.am | 9 ++++----- - src/Makefile.am | 8 +++++++- - 2 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 2d8ab9e..e14abb5 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -17,11 +17,8 @@ coverage: check - cd ${top_builddir}/src && gcov .libs/*.gcda - - if ICA_FIPS --install-data-hook: -- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir) -- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac -- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir) -- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac -+fipsinstall: -+ $(AM_V_GEN)$(MAKE) -C src fipsinstall - if ICA_OPENSSL3 - test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica - test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true -@@ -38,3 +35,5 @@ if ICA_OPENSSL3 - endif - endif - -+.PHONY: fipsinstall -+ -diff --git a/src/Makefile.am b/src/Makefile.am -index c630048..4c92c96 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -47,6 +47,12 @@ mp.S : mp.pl - ./mp.pl mp.S - - if ICA_FIPS -+fipsinstall: -+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac -+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac -+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac -+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac -+ - hmac-file-lnk: hmac-file - $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac - $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac -@@ -110,4 +116,4 @@ internal_tests_ec_internal_test_SOURCES = \ - include/rng.h ../test/testcase.h - endif - --.PHONY: hmac-file hmac-file-lnk -+.PHONY: hmac-file hmac-file-lnk fipsinstall --- -2.34.1 - - -From 28fa931bed9e6847137829952a3e7cc6091bd071 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 24 Jan 2022 10:24:44 +0100 -Subject: [libica PATCH 07/10] Fix compile warnings - -... like potentially uninitialized variables or unused functions. - -Signed-off-by: Ingo Franzki ---- - src/fips.c | 4 ++-- - src/ica_api.c | 2 +- - src/s390_ecc.c | 4 ++-- - 3 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/fips.c b/src/fips.c -index 934f6f7..505dd0b 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -1304,8 +1304,8 @@ rsa_kat(void) - ica_adapter_handle_t ah; - const struct rsa_tv *tv; - size_t i, keylen, crtparamlen; -- unsigned char *out; -- libica_func_list_element* libica_func_list; -+ unsigned char *out = NULL; -+ libica_func_list_element* libica_func_list = NULL; - unsigned int count; - - if (ica_open_adapter(&ah)) -diff --git a/src/ica_api.c b/src/ica_api.c -index 0a885e2..a10e139 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -90,6 +90,7 @@ void ica_set_stats_mode(int stats_mode) - ica_stats_enabled = stats_mode ? 1 : 0; - } - -+#ifndef NO_CPACF - #ifdef ICA_FIPS - static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { - if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64) -@@ -101,7 +102,6 @@ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { - } - #endif - --#ifndef NO_CPACF - static unsigned int check_des_parms(unsigned int mode, - unsigned long data_length, - const unsigned char *in_data, -diff --git a/src/s390_ecc.c b/src/s390_ecc.c -index c0c1549..211db01 100644 ---- a/src/s390_ecc.c -+++ b/src/s390_ecc.c -@@ -147,7 +147,7 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) - EC_POINT *point = NULL; - BIGNUM *bn_priv = NULL; - #if !OPENSSL_VERSION_PREREQ(3, 0) -- EC_KEY *ec_key; -+ EC_KEY *ec_key = NULL; - #else - unsigned char *pub_key = NULL; - unsigned int pub_key_len; -@@ -262,7 +262,7 @@ static EVP_PKEY *make_public_eckey(int nid, unsigned char *pubkey, size_t publen - { - int ok = 0; - #if !OPENSSL_VERSION_PREREQ(3, 0) -- EC_KEY *ec_key; -+ EC_KEY *ec_key = NULL; - #else - OSSL_PARAM_BLD *tmpl = NULL; - int rc; --- -2.34.1 - - -From cc44f18383ec6dc01a05abd6c25a1dec8efe84cb Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 24 Jan 2022 10:32:47 +0100 -Subject: [libica PATCH 08/10] Fix memory leaks in test programs - -When configured with --enable-sanitizer some tests fail because -the address sanitizer reports memory leaks. - -Signed-off-by: Ingo Franzki ---- - test/ec_keygen_test.c | 6 +++++- - test/ecdh_test.c | 13 ++++++++++++- - test/ecdsa_test.c | 3 +++ - test/icastats_test.c.in | 1 + - 4 files changed, 21 insertions(+), 2 deletions(-) - -diff --git a/test/ec_keygen_test.c b/test/ec_keygen_test.c -index 43c6092..0445c41 100644 ---- a/test/ec_keygen_test.c -+++ b/test/ec_keygen_test.c -@@ -115,6 +115,8 @@ int main(int argc, char **argv) - - rc = ica_ec_key_generate(adapter_handle, eckey); - if (rc) { -+ ica_ec_key_free(eckey); -+ eckey = NULL; - if (rc == EPERM) { - V_(printf("Curve %d not supported on this system, skipping ...\n", eckeygen_tests[i].nid)); - continue; -@@ -156,12 +158,14 @@ int main(int argc, char **argv) - } - } - } -+ -+ ica_ec_key_free(eckey); -+ eckey = NULL; - } - - if (test_failed) - errors++; - -- ica_ec_key_free(eckey); - unset_env_icapath(); - } - -diff --git a/test/ecdh_test.c b/test/ecdh_test.c -index 9a81036..e1191d0 100644 ---- a/test/ecdh_test.c -+++ b/test/ecdh_test.c -@@ -339,6 +339,8 @@ int main(int argc, char **argv) - - rc = ica_ec_key_init(ecdh_kats[i].xa, ecdh_kats[i].ya, ecdh_kats[i].da, eckey_A); - if (rc != 0) { -+ ica_ec_key_free(eckey_A); -+ eckey_A = NULL; - if (rc == EPERM) { - V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid)); - continue; -@@ -350,11 +352,18 @@ int main(int argc, char **argv) - } - - eckey_B = ica_ec_key_new(ecdh_kats[i].nid, &privlen); -- if (!eckey_B) -+ if (!eckey_B) { -+ ica_ec_key_free(eckey_A); -+ eckey_A = NULL; - continue; -+ } - - rc = ica_ec_key_init(ecdh_kats[i].xb, ecdh_kats[i].yb, ecdh_kats[i].db, eckey_B); - if (rc != 0) { -+ ica_ec_key_free(eckey_B); -+ eckey_B = NULL; -+ ica_ec_key_free(eckey_A); -+ eckey_A = NULL; - if (rc == EPERM) { - V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid)); - continue; -@@ -415,7 +424,9 @@ int main(int argc, char **argv) - errors++; - - ica_ec_key_free(eckey_A); -+ eckey_A = NULL; - ica_ec_key_free(eckey_B); -+ eckey_B = NULL; - unset_env_icapath(); - } - -diff --git a/test/ecdsa_test.c b/test/ecdsa_test.c -index 3b6bda3..2393882 100644 ---- a/test/ecdsa_test.c -+++ b/test/ecdsa_test.c -@@ -225,6 +225,8 @@ int main(int argc, char **argv) - - rc = ica_ec_key_init(ecdsa_kats[i].x, ecdsa_kats[i].y, ecdsa_kats[i].d, eckey); - if (rc != 0) { -+ ica_ec_key_free(eckey); -+ eckey = NULL; - if (rc == EPERM) { - V_(printf("Curve %d not supported on this system, skipping ...\n", ecdsa_kats[i].nid)); - continue; -@@ -274,6 +276,7 @@ int main(int argc, char **argv) - errors++; - - ica_ec_key_free(eckey); -+ eckey = NULL; - unset_env_icapath(); - } - -diff --git a/test/icastats_test.c.in b/test/icastats_test.c.in -index 98905a9..f0d1212 100644 ---- a/test/icastats_test.c.in -+++ b/test/icastats_test.c.in -@@ -186,6 +186,7 @@ int is_crypto_card_loaded() - } - if((c = fgetc(file)) == '1'){ - fclose(file); -+ closedir(sysDir); - return 1; - } - fclose(file); --- -2.34.1 - - -From 9c6431f49a9fe0d574722954e018b4cba6ab085b Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 24 Jan 2022 14:33:57 +0100 -Subject: [libica PATCH 09/10] FIPS: Calculation of library HMAC may fail - -Initialize length variable before calling EVP_DigestSignFinal(). -If hlen is uninitialized it may cause EVP_DigestSignFinal() to fail. - -Signed-off-by: Ingo Franzki ---- - src/fips.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/fips.c b/src/fips.c -index 505dd0b..129a1a7 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -333,6 +333,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) - } - } - -+ hlen = sizeof(rbuf); - if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0) - goto end; - --- -2.34.1 - - -From 5aa9366c236a6d17570403ef81c65e4f5f91a8af Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 26 Jan 2022 09:29:27 +0100 -Subject: [libica PATCH 10/10] MAKEFILE: Do not install ec_internal_test - -Signed-off-by: Ingo Franzki ---- - src/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 4c92c96..d6f5c52 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -90,7 +90,7 @@ icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h - # internal tests - - if ICA_INTERNAL_TESTS --bin_PROGRAMS += internal_tests/ec_internal_test -+noinst_PROGRAMS = internal_tests/ec_internal_test - - internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \ - -I${srcdir}/../include \ --- -2.34.1 - diff --git a/SOURCES/libica-no-fips-config.patch b/SOURCES/libica-no-fips-config.patch new file mode 100644 index 0000000..04a4885 --- /dev/null +++ b/SOURCES/libica-no-fips-config.patch @@ -0,0 +1,33 @@ +From 56b6ca219ecd37ba2c7e520ddac83eb801ce76ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20Hor=C3=A1k?= +Date: Mon, 16 May 2022 15:44:06 +0200 +Subject: [libica PATCH] FIPS specific openssl config is not required in + RHEL/Fedora + +--- + src/fips.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/fips.c b/src/fips.c +index 129a1a7..6466133 100644 +--- a/src/fips.c ++++ b/src/fips.c +@@ -235,12 +235,15 @@ fips_init(void) + FIPS_mode_set(1); + #else + fips = 0; ++ /* FIPS specific openssl config is not required in RHEL/Fedora */ ++#if 0 + if (!OSSL_LIB_CTX_load_config(openssl_libctx, LIBICA_FIPS_CONFIG)) { + syslog(LOG_ERR, "Libica failed to load openssl fips config %s\n", + LIBICA_FIPS_CONFIG); + fips |= ICA_FIPS_INTEGRITY; + return; + } ++#endif + + openssl_provider = OSSL_PROVIDER_load(openssl_libctx, "fips"); + if (openssl_provider == NULL) { +-- +2.34.3 + diff --git a/SPECS/libica.spec b/SPECS/libica.spec index adf5c4e..465ec55 100644 --- a/SPECS/libica.spec +++ b/SPECS/libica.spec @@ -2,7 +2,7 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 4.0.0 +Version: 4.0.2 Release: 1%{?dist} License: CPL URL: https://github.com/opencryptoki/ @@ -11,8 +11,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 # https://github.com/opencryptoki/libica/pull/24 Patch0: %{name}-4.0.0-annotate.patch -# post GA fixes, includes HMAC calculation -Patch1: %{name}-4.0.0-fixes.patch +# FIPS openssl config is not needed on RHEL/Fedora +# https://bugzilla.redhat.com/show_bug.cgi?id=2084097 +Patch1: %{name}-no-fips-config.patch BuildRequires: gcc BuildRequires: openssl-devel BuildRequires: openssl @@ -86,9 +87,7 @@ fi %{_bindir}/icastats %if %{with_fips} %if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 -# openssl 3.0 is available since Fedora 36 and RHEL 9 -%dir %{_sysconfdir}/libica -%{_sysconfdir}/libica/openssl3-fips.cnf +%exclude %{_sysconfdir}/libica/openssl3-fips.cnf %endif %{_libdir}/.libica.*.hmac %{_libdir}/.libica-cex.*.hmac @@ -106,6 +105,18 @@ fi %changelog +* Thu Jun 30 2022 Dan Horák - 4.0.2-1 +- updated to 4.0.2 (#2101767) +- Resolves: #2101767 + +* Mon May 16 2022 Dan Horák - 4.0.1-2 +- fix running in FIPS mode (#2084097) +- Resolves: #2084097 + +* Thu May 12 2022 Dan Horák - 4.0.1-1 +- updated to 4.0.1 (#2044178) +- Resolves: #2044178 #2044174 + * Tue Feb 01 2022 Dan Horák - 4.0.0-1 - updated to 4.0.0 (#2040237) - Resolves: #2040237