- updated to 4.2.2 (#2159718)

- FIPS 140-3 compliance (#2159748) - Resolves: #2159718 #2159748
2023-05-24 10:49:28 +02:00 · 2023-05-24 10:49:28 +02:00 · c3cd5a5a4e
commit c3cd5a5a4e
parent 609716aa27
5 changed files with 30 additions and 62 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-/libica-4.1.1.tar.gz
+/libica-*.tgz
+/libica-*.tar.gz
--- a/libica-4.1.1-revert-abi.patch
+++ b/libica-4.1.1-revert-abi.patch
@ -1,4 +1,4 @@
-From 2945363230c1d76d21327e12995a8789ec9df514 Mon Sep 17 00:00:00 2001
+From 8f05d0eb92956c2e3e6dce529be9292906beeef8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Tue, 22 Mar 2022 12:43:19 +0100
 Subject: [libica PATCH 1/2] Revert "Remove deprecated API functions"
@ -23,10 +23,10 @@ This reverts commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048.
 create mode 100644 test/tdes_test.c

 diff --git a/include/ica_api.h b/include/ica_api.h
-index 0263d2f..8f7bbdb 100644
+index 99e624f..9b3f14b 100644
 --- a/include/ica_api.h
 +++ b/include/ica_api.h
-@@ -1447,6 +1447,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
+@@ -1480,6 +1480,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
 ICA_EXPORT
 unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key);
 
@ -254,7 +254,7 @@ index 0263d2f..8f7bbdb 100644
 /**
  * Encrypt or decrypt data with an DES key using Electronic Cook Book (ECB)
  * mode as described in NIST Special Publication 800-38A Chapter 6.1.
-@@ -3485,6 +3706,15 @@ void ica_aes_gcm_kma_ctx_free(kma_ctx* ctx);
+@@ -3599,6 +3820,15 @@ int ica_get_hw_info(libica_hw_info *hw_info);
 ICA_EXPORT
 unsigned int ica_get_version(libica_version_info *version_info);
 
@ -268,10 +268,10 @@ index 0263d2f..8f7bbdb 100644
 +			  unsigned int *pmech_list_len);
 +
 /**
-  * Function that returns a list of crypto mechanisms supported by libica.
-  * @param pmech_list
+  * Return libica build information.
+  *
 diff --git a/libica.map b/libica.map
-index 0a64d4c..0a71832 100644
+index 4c4ce1f..df6aef4 100644
 --- a/libica.map
 +++ b/libica.map
@@ -3,11 +3,15 @@ LIBICA_3.0.0 {
@ -309,10 +309,10 @@ index 0a64d4c..0a71832 100644
 	ica_aes_cbc;
 	ica_aes_cbc_cs;
 diff --git a/src/ica_api.c b/src/ica_api.c
-index 42d9baf..3e13a29 100644
+index c9ea1ad..257a8c5 100644
 --- a/src/ica_api.c
 +++ b/src/ica_api.c
-@@ -2436,6 +2436,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx)
+@@ -2452,6 +2452,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx)
  *
  ******************************************************************************/
 
@ -578,12 +578,12 @@ index 42d9baf..3e13a29 100644
 			 unsigned long data_length, unsigned char *key,
 			 unsigned int direction)
 diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
-index 49cbb09..76f530f 100644
+index f34241f..d708e8f 100644
 --- a/src/include/s390_crypto.h
 +++ b/src/include/s390_crypto.h
-@@ -25,11 +25,6 @@
- 
- #include <openssl/opensslv.h>
+@@ -30,11 +30,6 @@ int s390_get_fips_indicator(libica_fips_indicator_element *fips_list,
+ 				unsigned int *fips_list_len);
+ #endif
 
 -/* major 4.0: no more exported, now internal */
 -int s390_initialize_functionlist(void);
@ -594,7 +594,7 @@ index 49cbb09..76f530f 100644
     #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR)
         #define OPENSSL_VERSION_PREREQ(maj, min)        \
 diff --git a/test/Makefile.am b/test/Makefile.am
-index f220205..f756597 100644
+index dddfc90..bc6b9fd 100644
 --- a/test/Makefile.am
 +++ b/test/Makefile.am
@@ -7,16 +7,21 @@ get_version_test \
@ -619,7 +619,7 @@ index f220205..f756597 100644
 aes_ecb_test \
 aes_cbc_test \
 aes_ctr_test \
-@@ -71,10 +76,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c
+@@ -72,10 +77,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c
 get_functionlist_cex_test_LDADD = @LIBS@ ${top_builddir}/src/.libs/libica-cex.so -lcrypto -lpthread
 
 check_PROGRAMS = fips_test icastats_test get_functionlist_test \
@ -1578,10 +1578,10 @@ index 0000000..bfa33c2
 +}
 +
 -- 
-2.38.1
+2.40.1


-From 740531ec03c7dd79e185136b0b1970aa1cd1d924 Mon Sep 17 00:00:00 2001
+From 234a63495a2f9d5170d49b8f5d11cd3ac6056fde Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Tue, 25 Oct 2022 13:54:11 +0200
 Subject: [libica PATCH 2/2] add back fips_check_3des_key()
@ -1593,10 +1593,10 @@ a function that's required by the previously reverted code.
 1 file changed, 10 insertions(+)

 diff --git a/src/ica_api.c b/src/ica_api.c
-index 3e13a29..1bd81bb 100644
+index 257a8c5..9564610 100644
 --- a/src/ica_api.c
 +++ b/src/ica_api.c
-@@ -91,6 +91,16 @@ void ica_set_stats_mode(int stats_mode)
+@@ -93,6 +93,16 @@ void ica_set_stats_mode(int stats_mode)
 }
 
 #ifndef NO_CPACF
@ -1614,5 +1614,5 @@ index 3e13a29..1bd81bb 100644
 static unsigned int check_des_parms(unsigned int mode,
 				    unsigned long data_length,
 -- 
-2.38.1
+2.40.1

--- a/libica-4.1.1-shmem.patch
+++ b/libica-4.1.1-shmem.patch
@ -1,35 +0,0 @@
-From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Wed, 1 Feb 2023 10:54:33 +0100
-Subject: [libica PATCH] bugfix: permission denied on shared memory segments
-
-A change to the Linux kernel in 4.19 for added security is
-changing the behavior when opening shared memory segments.
-The O_CREAT flag must not be used for existing segments.
-
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
- src/icastats_shared.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/icastats_shared.c b/src/icastats_shared.c
-index bbc8d0e..8290239 100644
--- a/src/icastats_shared.c
-+++ b/src/icastats_shared.c
-@@ -54,9 +54,10 @@ int stats_mmap(int user)
- 	sprintf(shm_id, "icastats_%d",
- 		user == -1 ? geteuid() : (uid_t)user);
- 
-	stats_shm_handle = shm_open(shm_id,
-				    O_CREAT | O_RDWR,
-				    S_IRUSR | S_IWUSR);
-+	stats_shm_handle = shm_open(shm_id, O_RDWR,  S_IRUSR | S_IWUSR);
-+
-+	if (stats_shm_handle == -1)
-+		stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
- 
- 	if (stats_shm_handle == -1)
- 		return rc;
-- 
-2.39.1
-
--- a/libica.spec
+++ b/libica.spec
@ -4,8 +4,8 @@

 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.1.1
-Release: 2%{?dist}
+Version: 4.2.2
+Release: 1%{?dist}
 License: CPL
 Group: System Environment/Libraries
 URL: https://github.com/opencryptoki/
@ -17,9 +17,6 @@ Patch0: %{name}-4.0.1-annotate.patch
 # - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048
 # - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2
 Patch1: %{name}-4.1.1-revert-abi.patch
-# fix permissions for shared memory segments
-# https://bugzilla.redhat.com/show_bug.cgi?id=2167363
-Patch2: %{name}-4.1.1-shmem.patch
 BuildRequires: gcc
 BuildRequires: openssl
 BuildRequires: openssl-devel
@ -110,6 +107,11 @@ fi


 %changelog
+* Wed May 24 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-1
+- updated to 4.2.2 (#2159718)
+- FIPS 140-3 compliance (#2159748)
+- Resolves: #2159718 #2159748
+
 * Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2
 - fix permissions for shared memory segments (#2167363)
 - Resolves: #2167363
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libica-4.1.1.tar.gz) = 49b9bc106e83ec8336339c783a14b8599a93b9b1061efea7354f954e59aeeb18371946a013f7aecdaf1286d77b48644ca4894c8099809753e2f21286acdf3ef5
+SHA512 (libica-4.2.2.tar.gz) = 29dfe7b68017135867ebae162c2e0584711036b35611efe255c372497cfe69234ff8a7e9aa669ac467853423b7d700e690dd7cd340ab7c8d6119ea13729ff079