diff --git a/libica-4.2.3-fips.patch b/libica-4.2.3-fips.patch
new file mode 100644
index 0000000..5bddfb9
--- /dev/null
+++ b/libica-4.2.3-fips.patch
@@ -0,0 +1,35 @@
+From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Tue, 10 Oct 2023 14:10:22 +0200
+Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
+
+Before calling any openssl EVP function, libica's own openssl lib ctx
+must be made the current one. This was missing in compute_file_hmac.
+
+Suggested-by: Ingo Franzki
+Signed-off-by: Joerg Schmidbauer
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index f09dc77..3bbc325 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ void *fdata = NULL;
+ struct stat fdata_stat;
+ 
++ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
++
+ pkey = get_pkey();
+ if (!pkey)
+ goto end;
+@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ EVP_MD_CTX_destroy(mdctx);
+ 
+ OPENSSL_cleanse(tmp, sizeof(tmp));
++ END_OPENSSL_LIBCTX(rc);
+ 
+ return rc;
+ }
diff --git a/libica.spec b/libica.spec
index 38de7aa..8cfa134 100644
--- a/libica.spec
+++ b/libica.spec
@@ -11,6 +11,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
+# https://issues.redhat.com/browse/RHEL-9918
+# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
+Patch1: %{name}-4.2.3-fips.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@@ -107,6 +110,9 @@ fi
 %changelog
+* Fri Oct 27 2023 Dan Horák - 4.2.3-2
+- fix selfcheck in FIPS mode (RHEL-9918)
+
 * Thu Sep 21 2023 Dan Horák - 4.2.3-1
 - updated to 4.2.3
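Review bot: Whether END_OPENSSL_LIBCTX(rc) runs on the early-exit paths cannot be confirmed from the hunk: the `goto end;` after get_pkey() targets a label outside the shown lines, and the previously current OpenSSL library context is restored only if `end:` sits before the new END_OPENSSL_LIBCTX line; the single `return rc;` after it suggests that is the case, but it should be checked, because a path that skips END would leave libica's own context as the current one for the caller. Likewise, what BEGIN_OPENSSL_LIBCTX does with rc when switching the context fails is not visible; if it only records an error rather than diverting control, the EVP calls that follow (get_pkey onward) would still run under the wrong context, so the macro definition should be confirmed against this placement. A short comment at the BEGIN line would help future readers, e.g. `/* EVP calls below must run under libica's own lib ctx; restored by END_OPENSSL_LIBCTX before return */`. compute_file_hmac begins and ends outside the shown hunk lines.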
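Review bot: The added comment `# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6` is missing the colon after the scheme, so it is not a valid URL; it should read `# https://github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6`. The Patch1 filename matches the patch file added earlier in this diff, so the registration itself is consistent.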