- updated to 4.2.3 (RHEL-11411)

- fix selfcheck in FIPS mode (RHEL-14892) - Resolves: RHEL-11411 RHEL-14892
2023-10-27 11:36:44 +02:00 · 2023-10-27 11:36:44 +02:00 · 778f847545
commit 778f847545
parent bd770c7d65
3 changed files with 46 additions and 6 deletions
--- a/libica-4.2.3-fips.patch
+++ b/libica-4.2.3-fips.patch
@ -0,0 +1,35 @@
+From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Tue, 10 Oct 2023 14:10:22 +0200
+Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
+
+Before calling any openssl EVP function, libica's own openssl lib ctx
+must be made the current one. This was missing in compute_file_hmac.
+
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index f09dc77..3bbc325 100644
+--- a/src/fips.c
+++ b/src/fips.c
+@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ 	void *fdata = NULL;
+ 	struct stat fdata_stat;
+ 
+	BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
+
+ 	pkey = get_pkey();
+ 	if (!pkey)
+ 		goto end;
+@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ 		EVP_MD_CTX_destroy(mdctx);
+ 
+ 	OPENSSL_cleanse(tmp, sizeof(tmp));
+	END_OPENSSL_LIBCTX(rc);
+ 
+ 	return rc;
+ }
--- a/libica.spec
+++ b/libica.spec
@ -4,8 +4,8 @@

 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.2.2
-Release: 2%{?dist}
+Version: 4.2.3
+Release: 1%{?dist}
 License: CPL
 Group: System Environment/Libraries
 URL: https://github.com/opencryptoki/
@ -17,9 +17,9 @@ Patch0: %{name}-4.0.1-annotate.patch
 # - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048
 # - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2
 Patch1: %{name}-4.1.1-revert-abi.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2223697
-# https://github.com/opencryptoki/libica/commit/f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1
-Patch2: %{name}-4.2.2-icastats-summary.patch
+# https://issues.redhat.com/browse/RHEL-14892
+# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
+Patch2: %{name}-4.2.3-fips.patch
 BuildRequires: gcc
 BuildRequires: openssl
 BuildRequires: openssl-devel
@ -110,6 +110,11 @@ fi


 %changelog
+* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
+- updated to 4.2.3 (RHEL-11411)
+- fix selfcheck in FIPS mode (RHEL-14892)
+- Resolves: RHEL-11411 RHEL-14892
+
 * Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
 - icastats: Fix summary option (#2223697)
 - Resolves: #2223697
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libica-4.2.2.tar.gz) = 29dfe7b68017135867ebae162c2e0584711036b35611efe255c372497cfe69234ff8a7e9aa669ac467853423b7d700e690dd7cd340ab7c8d6119ea13729ff079
+SHA512 (libica-4.2.3.tar.gz) = c370151bfddf58f397932b294394e50db3f6c61a2114315ba3176b8aaeb34253561192c717ca01185371715e9f008fa0ceee8e7ffc559377a51a67f4d47ae035