From 778f847545c6b876a97468c7124a259dc1a7f983 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Fri, 27 Oct 2023 11:36:44 +0200
Subject: [PATCH] - updated to 4.2.3 (RHEL-11411) - fix selfcheck in FIPS mode (RHEL-14892) - Resolves: RHEL-11411 RHEL-14892
---
 libica-4.2.3-fips.patch | 35 +++++++++++++++++++++++++++++++++++
 libica.spec | 15 ++++++++++-----
 sources | 2 +-
 3 files changed, 46 insertions(+), 6 deletions(-)
 create mode 100644 libica-4.2.3-fips.patch
diff --git a/libica-4.2.3-fips.patch b/libica-4.2.3-fips.patch
new file mode 100644
index 0000000..5bddfb9
--- /dev/null
+++ b/libica-4.2.3-fips.patch
@@ -0,0 +1,35 @@
+From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Tue, 10 Oct 2023 14:10:22 +0200
+Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
+
+Before calling any openssl EVP function, libica's own openssl lib ctx
+must be made the current one. This was missing in compute_file_hmac.
+
+Suggested-by: Ingo Franzki
+Signed-off-by: Joerg Schmidbauer
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index f09dc77..3bbc325 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ void *fdata = NULL;
+ struct stat fdata_stat;
+
++ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
++
+ pkey = get_pkey();
+ if (!pkey)
+ goto end;
+@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ EVP_MD_CTX_destroy(mdctx);
+
+ OPENSSL_cleanse(tmp, sizeof(tmp));
++ END_OPENSSL_LIBCTX(rc);
+
+ return rc;
+ }
diff --git a/libica.spec b/libica.spec
index d58a3e6..26c25d1 100644
--- a/libica.spec
+++ b/libica.spec
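Review bot: The added `BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);` in the embedded src/fips.c patch has no comment saying what happens to `rc` when the context switch fails, and the macro definitions are not part of this patch. compute_file_hmac backs the FIPS integrity self-check, so it is worth confirming that a failed switch leaves `rc` non-zero and skips the EVP calls, so that the check fails closed instead of computing the HMAC under the caller's default context. `END_OPENSSL_LIBCTX(rc);` sits after the cleanup and directly before `return rc;`, so the `goto end` paths presumably pass through it, but the `end:` label lies between the two inner hunks and is not visible here. I would add above the BEGIN line something like `/* All EVP calls below must run under libica's own lib ctx; a failed switch must fail the integrity check. */`.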
@@ -4,8 +4,8 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 4.2.2 -Release: 2%{?dist} +Version: 4.2.3 +Release: 1%{?dist} License: CPL Group: System Environment/Libraries URL: https://github.com/opencryptoki/ @@ -17,9 +17,9 @@ Patch0: %{name}-4.0.1-annotate.patch # - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048 # - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2 Patch1: %{name}-4.1.1-revert-abi.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2223697 -# https://github.com/opencryptoki/libica/commit/f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 -Patch2: %{name}-4.2.2-icastats-summary.patch +# https://issues.redhat.com/browse/RHEL-14892 +# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6 +Patch2: %{name}-4.2.3-fips.patch BuildRequires: gcc BuildRequires: openssl BuildRequires: openssl-devel @@ -110,6 +110,11 @@ fi %changelog +* Fri Oct 27 2023 Dan Horák - 4.2.3-1 +- updated to 4.2.3 (RHEL-11411) +- fix selfcheck in FIPS mode (RHEL-14892) +- Resolves: RHEL-11411 RHEL-14892 + * Wed Jul 19 2023 Dan Horák - 4.2.2-2 - icastats: Fix summary option (#2223697) - Resolves: #2223697 diff --git a/sources b/sources index 1b7e52f..5ee2876 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libica-4.2.2.tar.gz) = 29dfe7b68017135867ebae162c2e0584711036b35611efe255c372497cfe69234ff8a7e9aa669ac467853423b7d700e690dd7cd340ab7c8d6119ea13729ff079 +SHA512 (libica-4.2.3.tar.gz) = c370151bfddf58f397932b294394e50db3f6c61a2114315ba3176b8aaeb34253561192c717ca01185371715e9f008fa0ceee8e7ffc559377a51a67f4d47ae035
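Review bot: The new provenance comment above `Patch2` in the second libica.spec hunk reads `# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6`, without the colon after `https`, so it is not a followable link. It should read `# https://github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6`; the hash itself matches the `From` line of the added libica-4.2.3-fips.patch. This comment is what lets a later reviewer compare the downstream backport of the FIPS self-check fix against the upstream commit, so it is worth keeping exact.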