import libica-3.8.0-1.el8

.gitignore

@@ -1 +1 @@
-SOURCES/libica-3.7.0.tar.gz
+SOURCES/libica-3.8.0.tar.gz

.libica.metadata

@@ -1 +1 @@
-8192d14867a4f7bf812ef48e830431a5e471270f SOURCES/libica-3.7.0.tar.gz
+84db4d350fe1b142cc84adf8c3cce86777147e60 SOURCES/libica-3.8.0.tar.gz

SOURCES/libica-3.7.0-annotate.patch

@@ -1,12 +0,0 @@
-diff -up libica-3.7.0/src/Makefile.am.annotate libica-3.7.0/src/Makefile.am
---- libica-3.7.0/src/Makefile.am.annotate	2020-05-22 09:28:25.945954296 +0200
-+++ libica-3.7.0/src/Makefile.am	2020-05-22 09:28:33.784975197 +0200
-@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libica.la
- 
- libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
- 		   -fvisibility=hidden -pthread
--libica_la_CCASFLAGS = ${AM_CFLAGS}
-+libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
- libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl
- libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
- 		    -version-number ${VERSION}

SOURCES/libica-3.7.0-fips.patch

@@ -1,31 +0,0 @@
-From 34ae2c50cbe595ae475f5e3491c39f3b2dbe8a67 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
-Date: Wed, 15 Jul 2020 10:58:10 +0200
-Subject: [libica PATCH] fix library filename for FIPS integrity check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://github.com/opencryptoki/libica/issues/45
-
-Signed-off-by: Dan Horák <dan@danny.cz>
----
- src/fips.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/fips.c b/src/fips.c
-index 07310c3..2bf11f5 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -306,7 +306,7 @@ static void fips_lib_integrity_check(void)
- {
- 	int rc;
- 	char path[PATH_MAX];
--	const char *libname = "libica.so";
-+	const char *libname = "libica.so.3";
- 	const char *symbolname = "ica_sha256";
- 
- 	rc = get_library_path(libname, symbolname, path, sizeof(path));
--- 
-2.26.2
-

SOURCES/libica-3.8.0-annotate.patch

@@ -0,0 +1,19 @@
+diff -up libica-3.8.0/src/Makefile.am.orig libica-3.8.0/src/Makefile.am
+--- libica-3.8.0/src/Makefile.am.orig	2021-07-08 12:20:00.123572020 +0200
++++ libica-3.8.0/src/Makefile.am	2021-07-08 12:20:13.611929256 +0200
+@@ -30,13 +30,13 @@ SOURCES_common = ica_api.c init.c icasta
+ 		    include/rng.h
+ 
+ libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
+-libica_la_CCASFLAGS = ${AM_CFLAGS}
++libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
+ libica_la_LIBADD = ${LIBS_common}
+ libica_la_LDFLAGS = ${LDFLAGS_common}
+ libica_la_SOURCES = ${SOURCES_common}
+ 
+ libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\"
+-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
++libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
+ libica_cex_la_LIBADD = ${LIBS_common}
+ libica_cex_la_LDFLAGS = ${LDFLAGS_common}
+ libica_cex_la_SOURCES = ${SOURCES_common}

SOURCES/libica-3.8.0-configure.patch

@@ -0,0 +1,67 @@
+From a70dfe13b7dd2914ad29175ae026284bd5461e0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 24 May 2021 12:21:55 +0000
+Subject: [PATCH] fix handling of --disable-foo options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently passing eg. --disable-debug actually enables the debug build
+as one would expect from --enable-debug. The fix is to omit setting the
+enable_foo variable as the "action-if-given" parameter of AC_ARG_ENABLE,
+because it handles both the --enable and --disable forms.
+
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ configure.ac | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ae6370c..9dc4786 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,7 @@ FLAGS="-Wall -Wextra -mzarch"
+ dnl --- enable_debug
+ AC_ARG_ENABLE(debug,
+               [  --enable-debug          turn on debugging flags],
+-              [enable_debug="yes"],[enable_debug="no"])
++              [],[enable_debug="no"])
+ AM_CONDITIONAL(DEBUG, test x$enable_debug = xyes)
+ 
+ if test "x$enable_debug" = xyes; then
+@@ -46,7 +46,7 @@ fi
+ dnl --- enable_coverage
+ AC_ARG_ENABLE(coverage,
+               [  --enable-coverage       turn on coverage testing],
+-              [enable_coverage="yes"],[enable_coverage="no"])
++              [],[enable_coverage="no"])
+ AM_CONDITIONAL(COVERAGE, test x$enable_coverage = xyes)
+ 
+ if test "x$enable_coverage" = xyes; then
+@@ -57,7 +57,7 @@ fi
+ dnl --- enable_fips
+ AC_ARG_ENABLE(fips,
+               [  --enable-fips           built with FIPS mode support],
+-              [enable_fips="yes"],[enable_fips="no"])
++              [],[enable_fips="no"])
+ AM_CONDITIONAL(ICA_FIPS, test x$enable_fips = xyes)
+ 
+ if test "x$enable_fips" = xyes; then
+@@ -74,7 +74,7 @@ fi
+ dnl --- enable_sanitizer
+ AC_ARG_ENABLE(sanitizer,
+               [  --enable-sanitizer      turn on sanitizer (may not work on all systems)],
+-              [enable_sanitizer="yes"],[enable_sanitizer="no"])
++              [],[enable_sanitizer="no"])
+ AM_CONDITIONAL(SANITIZER, test x$enable_sanitizer = xyes)
+ 
+ if test "x$enable_sanitizer" = xyes; then
+@@ -86,7 +86,7 @@ fi
+ dnl --- enable_internal tests
+ AC_ARG_ENABLE(internal_tests,
+               [  --enable-internal-tests built internal tests],
+-              [enable_internal_tests="yes"],[enable_internal_tests="no"])
++              [],[enable_internal_tests="no"])
+ AM_CONDITIONAL(ICA_INTERNAL_TESTS, test x$enable_internal_tests = xyes)
+ 
+ if test "x$enable_internal_tests" = xyes; then

SOURCES/libica-3.8.0-free.patch

@@ -0,0 +1,84 @@
+From fc5dae7936d7182692d80fce8502abf6f3937046 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Fri, 9 Jul 2021 09:38:19 +0200
+Subject: [PATCH] buffer must be freed with OPENSSL_free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OPENSSL_hexstr2buf() allocates the output buffer using OPENSSL_malloc()
+and it means the buffer must be freed with OPENSSL_free(). Usually it's
+not a problem, but an application can pass its own malloc/free
+implementation to OpenSSL and the allocation/de-allocation functions must
+match.
+
+With ibmca engine installed and configured we have experienced a crash
+in DNS related tools (host, dig, ...) in RHEL, because they provide
+their own malloc/free.
+
+[root@ibm-z-110 ~]# gdb /usr/bin/host
+GNU gdb (GDB) Red Hat Enterprise Linux 8.2-15.el8
+(gdb) set args localhost
+(gdb) run
+Starting program: /usr/bin/host localhost
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+[New Thread 0x3fffc67f910 (LWP 65794)]
+[New Thread 0x3fffbe7e910 (LWP 65795)]
+[New Thread 0x3fffb67d910 (LWP 65796)]
+free(): invalid pointer
+
+Thread 1 "host" received signal SIGABRT, Aborted.
+0x000003fffccbe9e4 in raise () from /lib64/libc.so.6
+(gdb) where
+0  0x000003fffccbe9e4 in raise () from /lib64/libc.so.6
+1  0x000003fffcca3218 in abort () from /lib64/libc.so.6
+2  0x000003fffcd0279c in __libc_message () from /lib64/libc.so.6
+3  0x000003fffcd0a348 in malloc_printerr () from /lib64/libc.so.6
+4  0x000003fffcd0bd2a in _int_free () from /lib64/libc.so.6
+5  0x000003fffada7d9c in compute_file_hmac (hmaclen=<optimized out>, buf=<optimized out>, path=<optimized out>) at fips.c:291
+6  FIPSCHECK_verify (path=<optimized out>) at fips.c:333
+7  fips_lib_integrity_check () at fips.c:417
+8  0x000003fffadaa070 in fips_powerup_tests () at fips.c:460
+9  0x000003fffad89ea4 in icainit () at init.c:97
+10 0x000003fffdf9028e in call_init.part () from /lib/ld64.so.1
+11 0x000003fffdf9039c in _dl_init () from /lib/ld64.so.1
+12 0x000003fffcdbfc98 in _dl_catch_exception () from /lib64/libc.so.6
+13 0x000003fffdf94bc6 in dl_open_worker () from /lib/ld64.so.1
+14 0x000003fffcdbfc1e in _dl_catch_exception () from /lib64/libc.so.6
+15 0x000003fffdf94364 in _dl_open () from /lib/ld64.so.1
+16 0x000003fffd30114e in dlopen_doit () from /lib64/libdl.so.2
+17 0x000003fffcdbfc1e in _dl_catch_exception () from /lib64/libc.so.6
+18 0x000003fffcdbfd36 in _dl_catch_error () from /lib64/libc.so.6
+19 0x000003fffd301910 in _dlerror_run () from /lib64/libdl.so.2
+20 0x000003fffd3011d8 in dlopen@@GLIBC_2.2 () from /lib64/libdl.so.2
+21 0x000003fffdf05f70 in ibmca_init () from /usr/lib64/engines-1.1/ibmca.so
+22 0x000003fffd50dcbe in engine_unlocked_init () from /lib64/libcrypto.so.1.1
+23 0x000003fffd50de4e in ENGINE_init () from /lib64/libcrypto.so.1.1
+24 0x000003fffd50bfae in int_engine_init () from /lib64/libcrypto.so.1.1
+25 0x000003fffd50c406 in int_engine_module_init () from /lib64/libcrypto.so.1.1
+26 0x000003fffd4d21ec in CONF_modules_load () from /lib64/libcrypto.so.1.1
+27 0x000003fffd4d2850 in CONF_modules_load_file () from /lib64/libcrypto.so.1.1
+28 0x000003fffde2b02c in dst.openssl_init () from /lib64/libdns.so.1112
+29 0x000003fffde32b54 in dst_lib_init2 () from /lib64/libdns.so.1112
+30 0x000002aa0000f728 in setup_libs ()
+31 0x000002aa00009bfa in main ()
+
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ src/fips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fips.c b/src/fips.c
+index c1ebee5..35767e2 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -288,7 +288,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ 	if (pkey != NULL)
+ 		EVP_PKEY_free(pkey);
+ 
+-	free(keybuf);
++	OPENSSL_free(keybuf);
+ 	EVP_MD_CTX_destroy(mdctx);
+ 	if (fp)
+ 		fclose(fp);

SOURCES/libica-3.8.0-hmac.patch

@@ -0,0 +1,66 @@
+From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 2 Jun 2021 09:40:47 +0200
+Subject: [PATCH] Compute HMAC from installed library
+
+The HMAC hash was computed from the libica in the build tree, but
+the runtime check is run against the installed libica and those 2
+files were different. The runtime one has debuginfo stripped
+(and placed into a separate file), thus the hashes are different.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ Makefile.am     | 9 ++++-----
+ src/Makefile.am | 8 +++++++-
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index c86cdd3..55de3b2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -17,11 +17,8 @@ coverage: check
+ 	cd ${top_builddir}/src && gcov .libs/*.gcda
+ 
+ if ICA_FIPS
+-install-data-hook:
+-	$(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+-	cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
+-	$(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+-	cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
++fipsinstall:
++	 $(AM_V_GEN)$(MAKE) -C src fipsinstall
+ 
+ uninstall-hook:
+ 	rm -f $(DESTDIR)$(libdir)/.libica.so.$(MAJOR).hmac
+@@ -30,3 +27,5 @@ uninstall-hook:
+ 	rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION).hmac
+ endif
+ 
++.PHONY: fipsinstall
++
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..5367d49 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -46,6 +46,12 @@ mp.S	: mp.pl
+ 	./mp.pl mp.S
+ 
+ if ICA_FIPS
++fipsinstall:
++	$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
++	$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
++	$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
++	$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
++
+ hmac-file-lnk: hmac-file
+ 	$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ 	$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \
+ 		    include/rng.h ../test/testcase.h
+ endif
+ 
+-.PHONY: hmac-file hmac-file-lnk
++.PHONY: hmac-file hmac-file-lnk fipsinstall
+-- 
+2.29.2.windows.2
+

SPECS/libica.spec

@@ -1,18 +1,24 @@
+%global with_fips 1
+
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 3.7.0
+Version: 3.8.0
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: CPL
 Group: System Environment/Libraries
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 # annotate assembler source
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
-Patch0: %{name}-3.7.0-annotate.patch
+Patch0: %{name}-3.8.0-annotate.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1857130
+# https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e
-# https://github.com/opencryptoki/libica/pull/46
+Patch1: %{name}-3.8.0-configure.patch
-Patch1: %{name}-3.7.0-fips.patch
+# https://github.com/opencryptoki/libica/issues/62
+Patch2: %{name}-3.8.0-hmac.patch
+# https://github.com/opencryptoki/libica/pull/67
+Patch3: %{name}-3.8.0-free.patch
 BuildRequires: gcc
+BuildRequires: openssl
 BuildRequires: openssl-devel
 BuildRequires: autoconf
 BuildRequires: automake
@@ -43,13 +49,19 @@ sh ./bootstrap.sh
 
 
 %build
-%configure --disable-static --enable-fips
+%configure --disable-static \
+%if %{with_fips}
+    --enable-fips
+%else
+    --disable-fips
+%endif
 make %{?_smp_mflags}
 
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
-rm $RPM_BUILD_ROOT%{_libdir}/libica.la
+rm %{buildroot}%{_libdir}/libica*.la
+rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md}
 
 
 %check
@@ -64,22 +76,42 @@ fi
 
 %postun -p /sbin/ldconfig
 
+%if %{with_fips}
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    make fipsinstall DESTDIR=%{buildroot}
+    %{nil}
+%endif
 
 %files
 %doc AUTHORS LICENSE ChangeLog
-%exclude %{_pkgdocdir}/{INSTALL,README.md}
 %{_bindir}/icainfo
+%{_bindir}/icainfo-cex
 %{_bindir}/icastats
+%if %{with_fips}
+%{_libdir}/.libica.*.hmac
+%{_libdir}/.libica-cex.*.hmac
+%endif
 %{_libdir}/libica.so.*
+%{_libdir}/libica-cex.so.*
 %{_mandir}/man1/icainfo.1*
+%{_mandir}/man1/icainfo-cex.1*
 %{_mandir}/man1/icastats.1*
 
 %files devel
 %{_includedir}/*
 %{_libdir}/libica.so
+%{_libdir}/libica-cex.so
 
 
 %changelog
+* Thu Jul 08 2021 Dan Horák <dhorak@redhat.com> - 3.8.0-1
+- updated to 3.8.0 (#1919224)
+- make software fallback call to openSSL/libcrypto (#1922205)
+- Resolves: #1919224 #1922205
+
 * Mon Jul 20 2020 Dan Horák <dhorak@redhat.com> - 3.7.0-2
 - fix FIPS integrity validation (#1857130)
 - Resolves: #1857130