diff --git a/.gitignore b/.gitignore
index 9d729e1..676babc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libica-3.7.0.tar.gz
+SOURCES/libica-3.8.0.tar.gz
diff --git a/.libica.metadata b/.libica.metadata
index 3f4c297..0df4829 100644
--- a/.libica.metadata
+++ b/.libica.metadata
@@ -1 +1 @@
-8192d14867a4f7bf812ef48e830431a5e471270f SOURCES/libica-3.7.0.tar.gz
+84db4d350fe1b142cc84adf8c3cce86777147e60 SOURCES/libica-3.8.0.tar.gz
diff --git a/SOURCES/libica-3.7.0-annotate.patch b/SOURCES/libica-3.7.0-annotate.patch
deleted file mode 100644
index 95d76fe..0000000
--- a/SOURCES/libica-3.7.0-annotate.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up libica-3.7.0/src/Makefile.am.annotate libica-3.7.0/src/Makefile.am
---- libica-3.7.0/src/Makefile.am.annotate 2020-05-22 09:28:25.945954296 +0200
-+++ libica-3.7.0/src/Makefile.am 2020-05-22 09:28:33.784975197 +0200
-@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libica.la
-
- libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
- -fvisibility=hidden -pthread
--libica_la_CCASFLAGS = ${AM_CFLAGS}
-+libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
- libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl
- libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
- -version-number ${VERSION}
diff --git a/SOURCES/libica-3.7.0-fips.patch b/SOURCES/libica-3.7.0-fips.patch
deleted file mode 100644
index f6b0d7e..0000000
--- a/SOURCES/libica-3.7.0-fips.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 34ae2c50cbe595ae475f5e3491c39f3b2dbe8a67 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
-Date: Wed, 15 Jul 2020 10:58:10 +0200
-Subject: [libica PATCH] fix library filename for FIPS integrity check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://github.com/opencryptoki/libica/issues/45
-
-Signed-off-by: Dan Horák
----
- src/fips.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/fips.c b/src/fips.c
-index 07310c3..2bf11f5 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -306,7 +306,7 @@ static void fips_lib_integrity_check(void)
- {
- int rc;
- char path[PATH_MAX];
-- const char *libname = "libica.so";
-+ const char *libname = "libica.so.3";
- const char *symbolname = "ica_sha256";
-
- rc = get_library_path(libname, symbolname, path, sizeof(path));
---
-2.26.2
-
diff --git a/SOURCES/libica-3.8.0-annotate.patch b/SOURCES/libica-3.8.0-annotate.patch
new file mode 100644
index 0000000..9ccc86c
--- /dev/null
+++ b/SOURCES/libica-3.8.0-annotate.patch
@@ -0,0 +1,19 @@
+diff -up libica-3.8.0/src/Makefile.am.orig libica-3.8.0/src/Makefile.am
+--- libica-3.8.0/src/Makefile.am.orig 2021-07-08 12:20:00.123572020 +0200
++++ libica-3.8.0/src/Makefile.am 2021-07-08 12:20:13.611929256 +0200
+@@ -30,13 +30,13 @@ SOURCES_common = ica_api.c init.c icasta
+ include/rng.h
+
+ libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
+-libica_la_CCASFLAGS = ${AM_CFLAGS}
++libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
+ libica_la_LIBADD = ${LIBS_common}
+ libica_la_LDFLAGS = ${LDFLAGS_common}
+ libica_la_SOURCES = ${SOURCES_common}
+
+ libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\"
+-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
++libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
+ libica_cex_la_LIBADD = ${LIBS_common}
+ libica_cex_la_LDFLAGS = ${LDFLAGS_common}
+ libica_cex_la_SOURCES = ${SOURCES_common}
diff --git a/SOURCES/libica-3.8.0-configure.patch b/SOURCES/libica-3.8.0-configure.patch
new file mode 100644
index 0000000..d157510
--- /dev/null
+++ b/SOURCES/libica-3.8.0-configure.patch
@@ -0,0 +1,67 @@
+From a70dfe13b7dd2914ad29175ae026284bd5461e0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Mon, 24 May 2021 12:21:55 +0000
+Subject: [PATCH] fix handling of --disable-foo options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently passing eg. --disable-debug actually enables the debug build
+as one would expect from --enable-debug. The fix is to omit setting the
+enable_foo variable as the "action-if-given" parameter of AC_ARG_ENABLE,
+because it handles both the --enable and --disable forms.
+
+Signed-off-by: Dan Horák
+---
+ configure.ac | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ae6370c..9dc4786 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,7 @@ FLAGS="-Wall -Wextra -mzarch"
+ dnl --- enable_debug
+ AC_ARG_ENABLE(debug,
+ [ --enable-debug turn on debugging flags],
+- [enable_debug="yes"],[enable_debug="no"])
++ [],[enable_debug="no"])
+ AM_CONDITIONAL(DEBUG, test x$enable_debug = xyes)
+
+ if test "x$enable_debug" = xyes; then
+@@ -46,7 +46,7 @@ fi
+ dnl --- enable_coverage
+ AC_ARG_ENABLE(coverage,
+ [ --enable-coverage turn on coverage testing],
+- [enable_coverage="yes"],[enable_coverage="no"])
++ [],[enable_coverage="no"])
+ AM_CONDITIONAL(COVERAGE, test x$enable_coverage = xyes)
+
+ if test "x$enable_coverage" = xyes; then
+@@ -57,7 +57,7 @@ fi
+ dnl --- enable_fips
+ AC_ARG_ENABLE(fips,
+ [ --enable-fips built with FIPS mode support],
+- [enable_fips="yes"],[enable_fips="no"])
++ [],[enable_fips="no"])
+ AM_CONDITIONAL(ICA_FIPS, test x$enable_fips = xyes)
+
+ if test "x$enable_fips" = xyes; then
+@@ -74,7 +74,7 @@ fi
+ dnl --- enable_sanitizer
+ AC_ARG_ENABLE(sanitizer,
+ [ --enable-sanitizer turn on sanitizer (may not work on all systems)],
+- [enable_sanitizer="yes"],[enable_sanitizer="no"])
++ [],[enable_sanitizer="no"])
+ AM_CONDITIONAL(SANITIZER, test x$enable_sanitizer = xyes)
+
+ if test "x$enable_sanitizer" = xyes; then
+@@ -86,7 +86,7 @@ fi
+ dnl --- enable_internal tests
+ AC_ARG_ENABLE(internal_tests,
+ [ --enable-internal-tests built internal tests],
+- [enable_internal_tests="yes"],[enable_internal_tests="no"])
++ [],[enable_internal_tests="no"])
+ AM_CONDITIONAL(ICA_INTERNAL_TESTS, test x$enable_internal_tests = xyes)
+
+ if test "x$enable_internal_tests" = xyes; then
diff --git a/SOURCES/libica-3.8.0-free.patch b/SOURCES/libica-3.8.0-free.patch
new file mode 100644
index 0000000..a3d67ea
--- /dev/null
+++ b/SOURCES/libica-3.8.0-free.patch
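Review bot: With the action-if-given argument left empty, `enable_fips` now carries whatever value the user passed, and the `test x$enable_fips = xyes` checks treat anything other than the literal `yes` as off, so `--enable-fips=1` would configure cleanly and yield a build without FIPS support. The debug, coverage, sanitizer and internal_tests hunks of this patch behave the same way. Rejecting unexpected values right after each AC_ARG_ENABLE would make the mistake visible at configure time, for example `AS_CASE([$enable_fips], [yes|no], [], [AC_MSG_ERROR([bad value for --enable-fips])])`. The blocks that consume these variables continue outside the hunks shown.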
@@ -0,0 +1,84 @@
+From fc5dae7936d7182692d80fce8502abf6f3937046 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Fri, 9 Jul 2021 09:38:19 +0200
+Subject: [PATCH] buffer must be freed with OPENSSL_free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OPENSSL_hexstr2buf() allocates the output buffer using OPENSSL_malloc()
+and it means the buffer must be freed with OPENSSL_free(). Usually it's
+not a problem, but an application can pass its own malloc/free
+implementation to OpenSSL and the allocation/de-allocation functions must
+match.
+
+With ibmca engine installed and configured we have experienced a crash
+in DNS related tools (host, dig, ...) in RHEL, because they provide
+their own malloc/free.
+
+[root@ibm-z-110 ~]# gdb /usr/bin/host
+GNU gdb (GDB) Red Hat Enterprise Linux 8.2-15.el8
+(gdb) set args localhost
+(gdb) run
+Starting program: /usr/bin/host localhost
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+[New Thread 0x3fffc67f910 (LWP 65794)]
+[New Thread 0x3fffbe7e910 (LWP 65795)]
+[New Thread 0x3fffb67d910 (LWP 65796)]
+free(): invalid pointer
+
+Thread 1 "host" received signal SIGABRT, Aborted.
+0x000003fffccbe9e4 in raise () from /lib64/libc.so.6
+(gdb) where
+0 0x000003fffccbe9e4 in raise () from /lib64/libc.so.6
+1 0x000003fffcca3218 in abort () from /lib64/libc.so.6
+2 0x000003fffcd0279c in __libc_message () from /lib64/libc.so.6
+3 0x000003fffcd0a348 in malloc_printerr () from /lib64/libc.so.6
+4 0x000003fffcd0bd2a in _int_free () from /lib64/libc.so.6
+5 0x000003fffada7d9c in compute_file_hmac (hmaclen=, buf=, path=) at fips.c:291
+6 FIPSCHECK_verify (path=) at fips.c:333
+7 fips_lib_integrity_check () at fips.c:417
+8 0x000003fffadaa070 in fips_powerup_tests () at fips.c:460
+9 0x000003fffad89ea4 in icainit () at init.c:97
+10 0x000003fffdf9028e in call_init.part () from /lib/ld64.so.1
+11 0x000003fffdf9039c in _dl_init () from /lib/ld64.so.1
+12 0x000003fffcdbfc98 in _dl_catch_exception () from /lib64/libc.so.6
+13 0x000003fffdf94bc6 in dl_open_worker () from /lib/ld64.so.1
+14 0x000003fffcdbfc1e in _dl_catch_exception () from /lib64/libc.so.6
+15 0x000003fffdf94364 in _dl_open () from /lib/ld64.so.1
+16 0x000003fffd30114e in dlopen_doit () from /lib64/libdl.so.2
+17 0x000003fffcdbfc1e in _dl_catch_exception () from /lib64/libc.so.6
+18 0x000003fffcdbfd36 in _dl_catch_error () from /lib64/libc.so.6
+19 0x000003fffd301910 in _dlerror_run () from /lib64/libdl.so.2
+20 0x000003fffd3011d8 in dlopen@@GLIBC_2.2 () from /lib64/libdl.so.2
+21 0x000003fffdf05f70 in ibmca_init () from /usr/lib64/engines-1.1/ibmca.so
+22 0x000003fffd50dcbe in engine_unlocked_init () from /lib64/libcrypto.so.1.1
+23 0x000003fffd50de4e in ENGINE_init () from /lib64/libcrypto.so.1.1
+24 0x000003fffd50bfae in int_engine_init () from /lib64/libcrypto.so.1.1
+25 0x000003fffd50c406 in int_engine_module_init () from /lib64/libcrypto.so.1.1
+26 0x000003fffd4d21ec in CONF_modules_load () from /lib64/libcrypto.so.1.1
+27 0x000003fffd4d2850 in CONF_modules_load_file () from /lib64/libcrypto.so.1.1
+28 0x000003fffde2b02c in dst.openssl_init () from /lib64/libdns.so.1112
+29 0x000003fffde32b54 in dst_lib_init2 () from /lib64/libdns.so.1112
+30 0x000002aa0000f728 in setup_libs ()
+31 0x000002aa00009bfa in main ()
+
+Signed-off-by: Dan Horák
+---
+ src/fips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fips.c b/src/fips.c
+index c1ebee5..35767e2 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -288,7 +288,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+
+- free(keybuf);
++ OPENSSL_free(keybuf);
+ EVP_MD_CTX_destroy(mdctx);
+ if (fp)
+ fclose(fp);
diff --git a/SOURCES/libica-3.8.0-hmac.patch b/SOURCES/libica-3.8.0-hmac.patch
new file mode 100644
index 0000000..eaaf279
--- /dev/null
+++ b/SOURCES/libica-3.8.0-hmac.patch
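Review bot: Nothing at the changed call in compute_file_hmac records why `OPENSSL_free()` is required, so a later cleanup could quietly turn it back into `free()` and reintroduce the abort shown in the backtrace. A one-line comment above it, such as `/* keybuf comes from OPENSSL_hexstr2buf(); release with OPENSSL_free() */`, keeps the allocator pairing visible where it matters. The allocation and the rest of the function lie outside the hunk, so it is also worth confirming that the `*buf` result returned to the caller is allocated and released by a matching pair.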
@@ -0,0 +1,66 @@
+From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Wed, 2 Jun 2021 09:40:47 +0200
+Subject: [PATCH] Compute HMAC from installed library
+
+The HMAC hash was computed from the libica in the build tree, but
+the runtime check is run against the installed libica and those 2
+files were different. The runtime one has debuginfo stripped
+(and placed into a separate file), thus the hashes are different.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ Makefile.am | 9 ++++-----
+ src/Makefile.am | 8 +++++++-
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index c86cdd3..55de3b2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -17,11 +17,8 @@ coverage: check
+ cd ${top_builddir}/src && gcov .libs/*.gcda
+
+ if ICA_FIPS
+-install-data-hook:
+- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
+- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
++fipsinstall:
++ $(AM_V_GEN)$(MAKE) -C src fipsinstall
+
+ uninstall-hook:
+ rm -f $(DESTDIR)$(libdir)/.libica.so.$(MAJOR).hmac
+@@ -30,3 +27,5 @@ uninstall-hook:
+ rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION).hmac
+ endif
+
++.PHONY: fipsinstall
++
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..5367d49 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -46,6 +46,12 @@ mp.S : mp.pl
+ ./mp.pl mp.S
+
+ if ICA_FIPS
++fipsinstall:
++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
++ $(AM_V_GEN) openssl
dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac ++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac ++ + hmac-file-lnk: hmac-file + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac +@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \ + include/rng.h ../test/testcase.h + endif + +-.PHONY: hmac-file hmac-file-lnk ++.PHONY: hmac-file hmac-file-lnk fipsinstall +-- +2.29.2.windows.2 + diff --git a/SPECS/libica.spec b/SPECS/libica.spec index 5b71c62..f144c0d 100644 --- a/SPECS/libica.spec +++ b/SPECS/libica.spec @@ -1,18 +1,24 @@ +%global with_fips 1 + Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 3.7.0 -Release: 2%{?dist} +Version: 3.8.0 +Release: 1%{?dist} License: CPL Group: System Environment/Libraries URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # annotate assembler source # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 -Patch0: %{name}-3.7.0-annotate.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1857130 -# https://github.com/opencryptoki/libica/pull/46 -Patch1: %{name}-3.7.0-fips.patch +Patch0: %{name}-3.8.0-annotate.patch +# https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e +Patch1: %{name}-3.8.0-configure.patch +# https://github.com/opencryptoki/libica/issues/62 +Patch2: %{name}-3.8.0-hmac.patch +# https://github.com/opencryptoki/libica/pull/67 +Patch3: %{name}-3.8.0-free.patch BuildRequires: gcc +BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: autoconf BuildRequires: automake 
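Review bot: In the new `fipsinstall` rule of src/Makefile.am the exit status of each digest line is that of `sed`, so if `openssl dgst` fails (for instance because the library is not yet present under `$(DESTDIR)$(libdir)`) make still succeeds and leaves an empty `.hmac` file to be packaged. Adding `test -s $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac` after the first digest line, and the libica-cex equivalent after the second, would stop the build at that point instead. The two `ln -s` lines fail when the rule is run a second time; `ln -sf`, as the neighbouring `hmac-file-lnk` rule uses, avoids that. A short comment stating that `hexkey:00000000` is a fixed, public key, so the file is a self-check against corruption and not protection against deliberate modification, would help readers of the rule.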
@@ -43,13 +49,19 @@ sh ./bootstrap.sh %build -%configure --disable-static --enable-fips +%configure --disable-static \ +%if %{with_fips} + --enable-fips +%else + --disable-fips +%endif make %{?_smp_mflags} %install make install DESTDIR=$RPM_BUILD_ROOT -rm $RPM_BUILD_ROOT%{_libdir}/libica.la +rm %{buildroot}%{_libdir}/libica*.la +rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md} %check @@ -64,22 +76,42 @@ fi %postun -p /sbin/ldconfig +%if %{with_fips} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + make fipsinstall DESTDIR=%{buildroot} + %{nil} +%endif %files %doc AUTHORS LICENSE ChangeLog -%exclude %{_pkgdocdir}/{INSTALL,README.md} %{_bindir}/icainfo +%{_bindir}/icainfo-cex %{_bindir}/icastats +%if %{with_fips} +%{_libdir}/.libica.*.hmac +%{_libdir}/.libica-cex.*.hmac +%endif %{_libdir}/libica.so.* +%{_libdir}/libica-cex.so.* %{_mandir}/man1/icainfo.1* +%{_mandir}/man1/icainfo-cex.1* %{_mandir}/man1/icastats.1* %files devel %{_includedir}/* %{_libdir}/libica.so +%{_libdir}/libica-cex.so %changelog +* Thu Jul 08 2021 Dan Horák - 3.8.0-1 +- updated to 3.8.0 (#1919224) +- make software fallback call to openSSL/libcrypto (#1922205) +- Resolves: #1919224 #1922205 + * Mon Jul 20 2020 Dan Horák - 3.7.0-2 - fix FIPS integrity validation (#1857130) - Resolves: #1857130