diff --git a/000-Kern-5.8-fix-MSG_MORE-usage.patch b/000-Kern-5.8-fix-MSG_MORE-usage.patch
deleted file mode 100644
index 5841ef6..0000000
--- a/000-Kern-5.8-fix-MSG_MORE-usage.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From b612c52c5ccf021d01e6c786db1a31a697f21d97 Mon Sep 17 00:00:00 2001
-From: Stephan Mueller
-Date: Thu, 13 Aug 2020 21:58:07 +0200
-Subject: [PATCH] Kern 5.8: fix MSG_MORE usage
-
-With kernel 5.8, a precise use of MSG_MORE is mandatory to support
-a stream cipher approach (init -> update -> update -> ... -> final).
-All but the last update operations must use MSG_MORE, the last update
-operation must not use MSG_MORE.
-
-Reported-by: Ondrej Mosnacek
-Signed-off-by: Stephan Mueller
----
- lib/kcapi-aead.c | 24 ++++++++++++++----------
- lib/kcapi-kernel-if.c | 6 ++----
- test/kcapi-main.c | 31 +++++++++++++++++--------------
- 3 files changed, 33 insertions(+), 28 deletions(-)
-
-diff --git a/lib/kcapi-aead.c b/lib/kcapi-aead.c
-index d241618..45a0bd7 100644
---- a/lib/kcapi-aead.c
-+++ b/lib/kcapi-aead.c
-@@ -210,13 +210,15 @@ _kcapi_aead_encrypt_aio_fallback(struct kcapi_handle *handle,
- uint32_t iovlen, const uint8_t *iv)
- {
- uint32_t i;
-- int32_t ret = kcapi_aead_stream_init_enc(handle, iv, NULL, 0);
--
-- if (ret < 0)
-- return ret;
-+ int32_t ret = 0;
-
- for (i = 0; i < iovlen; i++) {
-- int rc = kcapi_aead_stream_update_last(handle, iniov, 1);
-+ int rc = kcapi_aead_stream_init_enc(handle, iv, NULL, 0);
-+
-+ if (rc < 0)
-+ return rc;
-+
-+ rc = kcapi_aead_stream_update_last(handle, iniov, 1);
- if (rc < 0)
- return rc;
-
-@@ -271,13 +273,15 @@ _kcapi_aead_decrypt_aio_fallback(struct kcapi_handle *handle,
- uint32_t iovlen, const uint8_t *iv)
- {
- uint32_t i;
-- int32_t ret = kcapi_aead_stream_init_dec(handle, iv, NULL, 0);
--
-- if (ret < 0)
-- return ret;
-+ int32_t ret = 0;
-
- for (i = 0; i < iovlen; i++) {
-- int rc = kcapi_aead_stream_update_last(handle, iniov, 1);
-+ int rc = kcapi_aead_stream_init_dec(handle, iv, NULL, 0);
-+
-+ if (rc < 0)
-+ return rc;
-+
-+ rc = kcapi_aead_stream_update_last(handle, iniov, 1);
- if (rc < 0)
- return rc;
-
-diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c
-index bea994f..42cf1ad 100644
---- a/lib/kcapi-kernel-if.c
-+++ b/lib/kcapi-kernel-if.c
-@@ -439,8 +439,7 @@ int _kcapi_aio_send_iov(struct kcapi_handle *handle, struct iovec *iov,
- if (0 > ret)
- return ret;
- } else {
-- ret = _kcapi_common_send_meta(handle, NULL, 0, enc,
-- len ? MSG_MORE : 0);
-+ ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE);
- if (0 > ret)
- return ret;
- ret = _kcapi_common_vmsplice_iov(handle, iov, iovlen, 0);
-@@ -1246,8 +1245,7 @@ int32_t _kcapi_cipher_crypt(struct kcapi_handle *handle, const uint8_t *in,
- if (0 > ret)
- return ret;
- } else {
-- ret = _kcapi_common_send_meta(handle, NULL, 0, enc,
-- inlen ? MSG_MORE : 0);
-+ ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE);
- if (0 > ret)
- return ret;
- ret = _kcapi_common_vmsplice_chunk(handle, in, inlen, 0);
-diff --git a/test/kcapi-main.c b/test/kcapi-main.c
-index 51f6ec7..64e466c 100644
---- a/test/kcapi-main.c
-+++ b/test/kcapi-main.c
-@@ -846,7 +846,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
- goto out;
- }
-
-- for(i = 0; i < loops; i++) {
-+ for (i = 0; i < loops; i++) {
- _get_time(&begin);
- if (cavs_test->enc) {
- ret = kcapi_cipher_encrypt(handle,
-@@ -886,7 +886,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
- }
-
- static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov,
-- int forking)
-+ int forking, int last)
- {
- int ret;
-
-@@ -899,7 +899,10 @@ static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov,
- return;
- }
-
-- ret = kcapi_cipher_stream_update_last(handle, iov, 1);
-+ if (last)
-+ ret = kcapi_cipher_stream_update_last(handle, iov, 1);
-+ else
-+ ret = kcapi_cipher_stream_update(handle, iov, 1);
- if (0 > ret)
- printf("Sending of data failed\n");
-
-@@ -1004,7 +1007,7 @@ static int cavs_sym_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
- iov.iov_len = cavs_test->ctlen;
- }
-
-- mt_sym_writer(handle_ptr, &iov, forking);
-+ mt_sym_writer(handle_ptr, &iov, forking, i == (loops * 2 - 1));
-
- outiov.iov_base = outbuf_ptr;
- outiov.iov_len = outbuflen;
-@@ -1636,21 +1639,21 @@ static int cavs_aead_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
- if (ret)
- goto out;
-
-- if (cavs_test->enc)
-- ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0);
--
-- else
-- ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0);
-- if (0 > ret) {
-- printf("Initialization of cipher buffer failed\n");
-- goto out;
-- }
--
- for (i = 0; i < loops; i++) {
- int errsv = 0;
-
- memset(outbuf, 0, outbuflen);
-
-+ if (cavs_test->enc)
-+ ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0);
-+ else
-+ ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0);
-+ if (0 > ret) {
-+ printf("Initialization of cipher buffer failed\n");
-+ goto out;
-+ }
-+
-+
- iov.iov_base = cavs_test->assoc;
- iov.iov_len = cavs_test->assoclen;
- if (cavs_test->enc) {
diff --git a/001-fix-fuzz-test.patch b/001-fix-fuzz-test.patch
new file mode 100644
index 0000000..c1fdbc5
--- /dev/null
+++ b/001-fix-fuzz-test.patch
@@ -0,0 +1,37 @@
+From e8c22fe01c6dd46399396694cd1d72a6988dc287 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Sat, 27 Mar 2021 13:46:45 +0100
+Subject: [PATCH] kcapi: Fix hang in fuzz tests with recent kernels
+
+After kernel commit f3c802a1f300 ("crypto: algif_aead - Only wake up
+when..."), the fuzz tests hang indefinitely, because they request more
+output data than the operation can produce. Fix this by requesting at
+most the expected size of the output data.
+
+Signed-off-by: Ondrej Mosnacek
+---
+ test/kcapi-main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/kcapi-main.c b/test/kcapi-main.c
+index 64e466c..975e8d1 100644
+--- a/test/kcapi-main.c
++++ b/test/kcapi-main.c
+@@ -380,7 +380,7 @@ static int fuzz_cipher(struct kcapi_cavs *cavs_test, unsigned long flags,
+ }
+
+ for (i = 0; i < sizeof(indata); i++) {
+- unsigned int outlen = sizeof(outdata);
++ unsigned int outlen = i;
+ uint8_t *out = outdata;
+ uint8_t *iv = indata;
+ uint8_t *in = indata;
+@@ -474,7 +474,7 @@ static int fuzz_aead(struct kcapi_cavs *cavs_test, unsigned long flags,
+ }
+
+ for (i = 0; i < sizeof(indata); i++) {
+- unsigned int outlen = sizeof(outdata);
++ unsigned int outlen = i;
+ uint8_t *out = outdata;
+ uint8_t *iv = indata;
+ uint8_t *in = indata;
diff --git a/libkcapi.spec b/libkcapi.spec
index aa95389..7058918 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -1,7 +1,7 @@
 # Shared object version of libkcapi.
 %global vmajor 1
 %global vminor 2
-%global vpatch 0
+%global vpatch 1
 # Do we build the replacements packages?
 %bcond_with replace_coreutils
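Review bot: Neither `unsigned int outlen = i;` line in the added patch (fuzz_cipher at -380, fuzz_aead at -474) says why the requested output length now follows the loop index, and the `sizeof(outdata)` it replaces is the value a later cleanup would most naturally put back, which per the patch description hangs on kernels carrying f3c802a1f300. A one-line comment above each assignment would pin that, e.g. `/* never request more output than the i input bytes: a larger read blocks after kernel commit f3c802a1f300 */`. With this change the oversized-output request appears to drop out of both fuzz loops; if that case is still worth covering it would need its own bounded, non-blocking check. Both loop bodies continue past the end of their hunks, so later adjustments to `outlen` are not visible here.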
@@ -22,6 +22,23 @@
 %else
 %bcond_with test_package
 %endif
+# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518
+%if 0%{?rhel}
+%bcond_with cppcheck
+%else
+# Temporarily disable cppcheck on Fedora until bz#1923600 is fixed in rawhide
+%bcond_with cppcheck
+#bcond_without cppcheck
+%endif
+
+# Use `--without test` to build without running the tests
+%bcond_without test
+# Use `--without fuzz_test` to skip the fuzz test during build
+%bcond_without fuzz_test
+# Use `--without doc` to build without the -doc subpackage
+%bcond_without doc
+# Use `--without clang_sa` to skip clang static analysis during build
+%bcond_without clang_sa
 # This package needs at least Linux Kernel v4.10.0.
 %global min_kernel_ver 4.10.0
@@ -77,8 +94,8 @@
 %global sha512hmac bin/kcapi-hasher -n sha512hmac
 %global fipshmac bin/kcapi-hasher -n fipshmac
 %else
-%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%global fipshmac bash %{_sourcedir}/fipshmac-openssl.sh
+%global sha512hmac bash %{SOURCE2}
+%global fipshmac bash %{SOURCE3}
 %endif
 # Add generation of HMAC checksums of the final stripped
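Review bot: Both arms of the new `%if 0%{?rhel}` block expand to `%bcond_with cppcheck`, so the conditional selects nothing and cppcheck is off on every target. For a crypto library that leaves `%make_build scan` as the only static-analysis pass in `%check`, and the sole reminder to restore the other is the commented `#bcond_without cppcheck`. Until bz#1923600 is fixed, a single `%bcond_with cppcheck` under one comment naming both bugs would state this more plainly, and the re-enable is easier to track if the comment says which arm to flip. The new `test`, `fuzz_test` and `clang_sa` switches default to on, which keeps the existing checks in a default build.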
@@ -106,35 +123,41 @@ done \ "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ %{nil} - Name: libkcapi Version: %{vmajor}.%{vminor}.%{vpatch} -Release: 3%{?dist} +Release: 1%{?dist} Summary: User space interface to the Linux Kernel Crypto API License: BSD or GPLv2 -URL: http://www.chronox.de/%{name}.html -Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz -Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc +URL: https://www.chronox.de/%{name}.html +Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz +Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Source2: sha512hmac-openssl.sh Source3: fipshmac-openssl.sh -Patch0: %{giturl}/commit/b612c52c5ccf.patch#/000-Kern-5.8-fix-MSG_MORE-usage.patch +Patch001: %{giturl}/pull/110.patch#/001-fix-fuzz-test.patch BuildRequires: bash -BuildRequires: clang BuildRequires: coreutils -BuildRequires: cppcheck -BuildRequires: docbook-utils-pdf BuildRequires: gcc -BuildRequires: git +BuildRequires: git-core BuildRequires: hardlink BuildRequires: kernel-headers >= %{min_kernel_ver} BuildRequires: libtool +BuildRequires: make BuildRequires: openssl BuildRequires: perl-interpreter BuildRequires: systemd BuildRequires: xmlto +%if %{with doc} +BuildRequires: docbook-utils-pdf +%endif +%if %{with clang_sa} +BuildRequires: clang +%endif +%if %{with cppcheck} +BuildRequires: cppcheck +%endif # For ownership of %%{_sysctldir}. Requires: systemd @@ -164,6 +187,7 @@ Requires: %{name}%{?_isa} == %{version}-%{release} Header files for applications that use %{name}. +%if %{with doc} %package doc Summary: User documentation for the %{name} package BuildArch: noarch @@ -174,6 +198,7 @@ Requires: %{name} == %{version}-%{release} %description doc User documentation for %{name}. +%endif %if %{with replace_coreutils} 
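Review bot: `Patch001` references `%{giturl}/pull/110.patch`, and a pull-request patch URL follows whatever the branch holds at fetch time, whereas the `Patch0` line it replaces named a fixed commit. The build applies the checked-in 001-fix-fuzz-test.patch, so this is about traceability rather than the build input, but anyone refreshing the file from the URL later may get different content without noticing. The checked-in patch header names commit e8c22fe01c6dd46399396694cd1d72a6988dc287; if that commit is reachable under `%{giturl}/commit/`, `Patch001: %{giturl}/commit/e8c22fe01c6d.patch#/001-fix-fuzz-test.patch` keeps URL and file in step. `Source1` is a detached signature for `Source0`; no verification step is visible in these hunks, so it is worth confirming that `%prep` checks it.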
@@ -319,7 +344,11 @@ EOF --enable-sum-prefix= \ --enable-sum-dir=/%{_lib} \ --with-pkgconfigdir=%{_libdir}/pkgconfig +%if %{with doc} %make_build all doc +%else +%make_build all man +%endif %install @@ -336,8 +365,14 @@ EOF %if %{with_sysctl_tweak} README.%{distroname_ext} \ %endif - README.md CHANGES.md TODO doc/%{name}.p{df,s} +%if %{with doc} + doc/%{name}.p{df,s} \ +%endif + README.md CHANGES.md TODO + +%if %{with doc} %{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir} +%endif # Install replacement tools, if enabled. %if !%{with replace_coreutils} @@ -363,11 +398,13 @@ EOF # Remove 0-size files. %{_bindir}/find %{buildroot} -type f -size 0 -print -delete +%if %{with doc} # Make sure all docs have non-exec permissions, except for the dirs. %{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \ %{_bindir}/xargs %{__chmod} -c 0644 %{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \ %{_bindir}/xargs %{__chmod} -c 0755 +%endif # Possibly save some space by hardlinking. for d in %{_mandir} %{_pkgdocdir}; do @@ -377,10 +414,14 @@ done %check # Some basic sanity checks. -for t in cppcheck scan; do - %make_build $t -done +%if %{with clang_sa} +%make_build scan +%endif +%if %{with cppcheck} +%make_build cppcheck +%endif +%if %{with test} # On some arches `/proc/sys/net/core/optmem_max` is lower than 20480, # which is the lowest limit needed to run the testsuite. If that limit # is not met, we do not run it. @@ -389,12 +430,15 @@ done %if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0 # Real testsuite. pushd test +%if %{with fuzz_test} ENABLE_FUZZ_TEST=1 \ +%endif NO_32BIT_TEST=1 \ ./test-invocation.sh popd %endif %endif +%endif %ldconfig_scriptlets @@ -423,10 +467,12 @@ popd %{_libdir}/pkgconfig/%{name}.pc +%if %{with doc} %files doc %doc %{_pkgdocdir}/html %doc %{_pkgdocdir}/%{name}.pdf %doc %{_pkgdocdir}/%{name}.ps +%endif %if %{with replace_coreutils} 
@@ -466,6 +512,15 @@ popd %changelog +* Mon Mar 15 2021 Sahana Prasad - 1.2.1-1 +- Update to upstream version 1.2.1 +- Remove patch fix MSG_MORE uasge as it is added upstream +- Remove cppcheck dependency for rhel bz#1931518 +- Add a patch to fix fuzz tests + +* Tue Jan 26 2021 Fedora Release Engineering - 1.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Fri Aug 14 2020 Ondrej Mosnáček - 1.2.0-3 - Require perl-interpreter instead of full perl - Backport fix for 5.9 kernels diff --git a/sources b/sources index a634ca6..8e514ec 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289 -SHA512 (libkcapi-1.2.0.tar.xz.asc) = 336769b04c75ee23d4cae98697a6ea14e5bd244bcefaa2396d80dab95538620c9353100685bd0568f61b8dfa3089c6ff7e4fdcdde949012ba0d7fe6aac650577 +SHA512 (libkcapi-1.2.1.tar.xz) = bfe5e4fa4368973cfcadbde3b2a278e31bc5c36a6afba9fc92fdd5903e4e8050d09000a195c764c981753896ef543635add98bbb930dbe52a56d2f6318bc1241 +SHA512 (libkcapi-1.2.1.tar.xz.asc) = f2823add4528e16c45ccb59e2124da29007b0285faed5194fe5969f4928411faa63b3b6586bd103085b666a4dfb977cfdf0d20db6588d426ab92e29e360a37e7