From f55279240468b2e6f371d12f6329b5d146ea89c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Tue, 18 Jan 2022 13:13:32 +0000 Subject: [PATCH] - updated to 4.0.0 --- libica-3.8.0-configure.patch | 67 ------------------- ...otate.patch => libica-4.0.0-annotate.patch | 16 ++--- ....8.0-hmac.patch => libica-4.0.0-hmac.patch | 30 +++++---- libica.spec | 18 +++-- sources | 2 +- 5 files changed, 37 insertions(+), 96 deletions(-) delete mode 100644 libica-3.8.0-configure.patch rename libica-3.8.0-annotate.patch => libica-4.0.0-annotate.patch (86%) rename libica-3.8.0-hmac.patch => libica-4.0.0-hmac.patch (72%) diff --git a/libica-3.8.0-configure.patch b/libica-3.8.0-configure.patch deleted file mode 100644 index d157510..0000000 --- a/libica-3.8.0-configure.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From a70dfe13b7dd2914ad29175ae026284bd5461e0e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20Hor=C3=A1k?= -Date: Mon, 24 May 2021 12:21:55 +0000 -Subject: [PATCH] fix handling of --disable-foo options -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently passing eg. --disable-debug actually enables the debug build -as one would expect from --enable-debug. The fix is to omit setting the -enable_foo variable as the "action-if-given" parameter of AC_ARG_ENABLE, -because it handles both the --enable and --disable forms. - -Signed-off-by: Dan Horák ---- - configure.ac | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ae6370c..9dc4786 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -35,7 +35,7 @@ FLAGS="-Wall -Wextra -mzarch" - dnl --- enable_debug - AC_ARG_ENABLE(debug, - [ --enable-debug turn on debugging flags], -- [enable_debug="yes"],[enable_debug="no"]) -+ [],[enable_debug="no"]) - AM_CONDITIONAL(DEBUG, test x$enable_debug = xyes) - - if test "x$enable_debug" = xyes; then -@@ -46,7 +46,7 @@ fi - dnl --- enable_coverage - AC_ARG_ENABLE(coverage, - [ --enable-coverage turn on coverage testing], -- [enable_coverage="yes"],[enable_coverage="no"]) -+ [],[enable_coverage="no"]) - AM_CONDITIONAL(COVERAGE, test x$enable_coverage = xyes) - - if test "x$enable_coverage" = xyes; then -@@ -57,7 +57,7 @@ fi - dnl --- enable_fips - AC_ARG_ENABLE(fips, - [ --enable-fips built with FIPS mode support], -- [enable_fips="yes"],[enable_fips="no"]) -+ [],[enable_fips="no"]) - AM_CONDITIONAL(ICA_FIPS, test x$enable_fips = xyes) - - if test "x$enable_fips" = xyes; then -@@ -74,7 +74,7 @@ fi - dnl --- enable_sanitizer - AC_ARG_ENABLE(sanitizer, - [ --enable-sanitizer turn on sanitizer (may not work on all systems)], -- [enable_sanitizer="yes"],[enable_sanitizer="no"]) -+ [],[enable_sanitizer="no"]) - AM_CONDITIONAL(SANITIZER, test x$enable_sanitizer 
= xyes) - - if test "x$enable_sanitizer" = xyes; then -@@ -86,7 +86,7 @@ fi - dnl --- enable_internal tests - AC_ARG_ENABLE(internal_tests, - [ --enable-internal-tests built internal tests], -- [enable_internal_tests="yes"],[enable_internal_tests="no"]) -+ [],[enable_internal_tests="no"]) - AM_CONDITIONAL(ICA_INTERNAL_TESTS, test x$enable_internal_tests = xyes) - - if test "x$enable_internal_tests" = xyes; then diff --git a/libica-3.8.0-annotate.patch b/libica-4.0.0-annotate.patch similarity index 86% rename from libica-3.8.0-annotate.patch rename to libica-4.0.0-annotate.patch index b0cc196..3ad0e64 100644 --- a/libica-3.8.0-annotate.patch +++ b/libica-4.0.0-annotate.patch @@ -1,4 +1,4 @@ -From 0e4592f46c6c4a94eef66257af423d57c73af134 Mon Sep 17 00:00:00 2001 +From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Tue, 25 Sep 2018 13:44:32 +0200 Subject: [libica PATCH] add build note to assembler sources @@ -25,10 +25,10 @@ Signed-off-by: Dan Horák 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac -index ae6370c..bc2fff4 100644 +index 958371c..b8d0e42 100644 --- a/configure.ac +++ b/configure.ac -@@ -99,12 +99,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab +@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2" fi @@ -46,7 +46,7 @@ index ae6370c..bc2fff4 100644 AC_OUTPUT diff --git a/libica.spec b/libica.spec -index 812b73d..3461b65 100644 +index d71890a..e51430e 100644 --- a/libica.spec +++ b/libica.spec @@ -9,7 +9,7 @@ URL: https://github.com/opencryptoki/libica @@ -59,10 +59,10 @@ index 812b73d..3461b65 100644 %description Interface library on Linux for IBM System z to utilize CPACF diff --git a/src/Makefile.am b/src/Makefile.am -index 4a1ef14..d6f7f7f 100644 +index c630048..1b5ec71 100644 --- a/src/Makefile.am 
+++ b/src/Makefile.am -@@ -30,13 +30,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \ +@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \ include/rng.h libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\" @@ -72,12 +72,12 @@ index 4a1ef14..d6f7f7f 100644 libica_la_LDFLAGS = ${LDFLAGS_common} libica_la_SOURCES = ${SOURCES_common} - libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\" + libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\" -libica_cex_la_CCASFLAGS = ${AM_CFLAGS} +libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS} libica_cex_la_LIBADD = ${LIBS_common} libica_cex_la_LDFLAGS = ${LDFLAGS_common} libica_cex_la_SOURCES = ${SOURCES_common} -- -2.26.3 +2.31.1 diff --git a/libica-3.8.0-hmac.patch b/libica-4.0.0-hmac.patch similarity index 72% rename from libica-3.8.0-hmac.patch rename to libica-4.0.0-hmac.patch index eaaf279..060ef58 100644 --- a/libica-3.8.0-hmac.patch +++ b/libica-4.0.0-hmac.patch @@ -1,12 +1,14 @@ -From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001 +From 7e6e303e6aef019047eb6dfcdedbfe7da2a88526 Mon Sep 17 00:00:00 2001 From: Joerg Schmidbauer -Date: Wed, 2 Jun 2021 09:40:47 +0200 +Date: Tue, 11 Jan 2022 16:04:15 +0100 Subject: [PATCH] Compute HMAC from installed library The HMAC hash was computed from the libica in the build tree, but the runtime check is run against the installed libica and those 2 -files were different. The runtime one has debuginfo stripped -(and placed into a separate file), thus the hashes are different. +files may be different. E.g. if the runtime one has debuginfo stripped +(and placed into a separate file), the hashes are different. +This commit introduces a new make target: fipsinstall, which creates +the HMAC files in the install directory. Signed-off-by: Joerg Schmidbauer --- @@ -15,7 +17,7 @@ 
Signed-off-by: Joerg Schmidbauer 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/Makefile.am b/Makefile.am -index c86cdd3..55de3b2 100644 +index 2d8ab9e..e14abb5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -17,11 +17,8 @@ coverage: check @@ -29,20 +31,20 @@ index c86cdd3..55de3b2 100644 - cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac +fipsinstall: + $(AM_V_GEN)$(MAKE) -C src fipsinstall - - uninstall-hook: - rm -f $(DESTDIR)$(libdir)/.libica.so.$(MAJOR).hmac -@@ -30,3 +27,5 @@ uninstall-hook: - rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION).hmac + if ICA_OPENSSL3 + test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica + test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true +@@ -38,3 +35,5 @@ if ICA_OPENSSL3 + endif endif +.PHONY: fipsinstall + diff --git a/src/Makefile.am b/src/Makefile.am -index 4a1ef14..5367d49 100644 +index c630048..4c92c96 100644 --- a/src/Makefile.am +++ b/src/Makefile.am -@@ -46,6 +46,12 @@ mp.S : mp.pl +@@ -47,6 +47,12 @@ mp.S : mp.pl ./mp.pl mp.S if ICA_FIPS @@ -55,12 +57,12 @@ index 4a1ef14..5367d49 100644 hmac-file-lnk: hmac-file $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac -@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \ +@@ -110,4 +116,4 @@ internal_tests_ec_internal_test_SOURCES = \ include/rng.h ../test/testcase.h endif -.PHONY: hmac-file hmac-file-lnk +.PHONY: hmac-file hmac-file-lnk fipsinstall -- -2.29.2.windows.2 +2.34.1 diff --git a/libica.spec b/libica.spec index 92b7585..1ead10e 100644 --- a/libica.spec +++ b/libica.spec 
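Review bot: In the rebased top-level `Makefile.am` hunk of `libica-4.0.0-hmac.patch`, the context that now follows `fipsinstall:` carries `test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) ...`, which tests for a regular file where a directory is meant, and the install of `openssl3-fips.cnf` ends in `|| true`, so a failed copy would not stop the build. If these lines end up in the `fipsinstall` recipe, as the hunk layout suggests, the OpenSSL 3 FIPS configuration is only installed when that target runs, and a failure there is silent. Since the patch already edits this recipe, it could switch the first test to `test -d` and drop the `|| true`, or the point could be raised upstream. The body of the `fipsinstall` target in `src/Makefile.am` lies outside the lines shown, so the HMAC generation itself could not be checked here.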
@@ -2,19 +2,17 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 3.8.0 -Release: 5%{?dist} +Version: 4.0.0 +Release: 1%{?dist} License: CPL URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # annotate assembler source # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 # https://github.com/opencryptoki/libica/pull/24 -Patch0: %{name}-3.8.0-annotate.patch -# https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e -Patch1: %{name}-3.8.0-configure.patch +Patch0: %{name}-4.0.0-annotate.patch # https://github.com/opencryptoki/libica/issues/62 -Patch2: %{name}-3.8.0-hmac.patch +Patch1: %{name}-4.0.0-hmac.patch BuildRequires: gcc BuildRequires: openssl-devel BuildRequires: openssl @@ -87,6 +85,11 @@ fi %{_bindir}/icainfo-cex %{_bindir}/icastats %if %{with_fips} +%if 0%{?fedora} >= 36 +# openssl 3.0 is available since Fedora 36 +%dir %{_sysconfdir}/libica +%{_sysconfdir}/libica/openssl3-fips.cnf +%endif %{_libdir}/.libica.*.hmac %{_libdir}/.libica-cex.*.hmac %endif @@ -103,6 +106,9 @@ fi %changelog +* Thu Jan 13 2022 Dan Horák - 4.0.0-1 +- updated to 4.0.0 + * Thu Jul 22 2021 Fedora Release Engineering - 3.8.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild diff --git a/sources b/sources index 98a29cb..038762d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libica-3.8.0.tar.gz) = 18441420c5a8a6b79151146c982f6fac4b346f8dfd60c17aee488fc982509281754ae8e81636a653cc094f4e34c007dab2e764f16b6fef022a584ce9110c6994 +SHA512 (libica-4.0.0.tar.gz) = ce950ce591d023b93bf8acbec4ef9eefbf2e3f4fc22a289ebb8d93d180655bb79e433c245d00d4a94828deaefd586bfd96907c55a88fcec86aef3eddfb0687b9
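Review bot: The `%files` entries added in the `@@ -87,6 +85,11 @@` hunk list `%{_sysconfdir}/libica/openssl3-fips.cnf` as a plain file, so rpm will replace local edits on update; unless the file is meant to be immutable, files under `%{_sysconfdir}` are normally marked, e.g. `%config(noreplace) %{_sysconfdir}/libica/openssl3-fips.cnf`. The guard `%if 0%{?fedora} >= 36` keys on the distribution release rather than on what the build detected, so if this spec is built where configure enables the OpenSSL 3 path but `%{?fedora}` is unset or lower, the file would presumably be installed but unpackaged. A one-line comment stating that the condition must track the `ICA_OPENSSL3` conditional in the upstream Makefile would help the next rebase. The `%install` section is outside the hunks shown, so whether `fipsinstall` runs after debuginfo stripping could not be confirmed here.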