rpms/libkcapi
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL 9.0.0 Alpha bootstrap

Browse Source 
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/libkcapi#ba6b846bc343b2bab9fe27b664a4980d5a57c6f4
This commit is contained in:
Petr Šabata 2020-10-15 16:25:03 +02:00
parent b6a8ac6521
commit 66e8475791
12 changed files with 1062 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -0,0 +1,3 @@
/libkcapi-*.tar.xz
/libkcapi-*.tar.xz.asc
/*.src.rpm

163
000-Kern-5.8-fix-MSG_MORE-usage.patch Normal file
View File

@ -0,0 +1,163 @@
From b612c52c5ccf021d01e6c786db1a31a697f21d97 Mon Sep 17 00:00:00 2001
From: Stephan Mueller <smueller@chronox.de>
Date: Thu, 13 Aug 2020 21:58:07 +0200
Subject: [PATCH] Kern 5.8: fix MSG_MORE usage
With kernel 5.8, a precise use of MSG_MORE is mandatory to support
a stream cipher approach (init -> update -> update -> ... -> final).
All but the last update operations must use MSG_MORE, the last update
operation must not use MSG_MORE.
Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
lib/kcapi-aead.c | 24 ++++++++++++++----------
lib/kcapi-kernel-if.c | 6 ++----
test/kcapi-main.c | 31 +++++++++++++++++--------------
3 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/lib/kcapi-aead.c b/lib/kcapi-aead.c
index d241618..45a0bd7 100644
--- a/lib/kcapi-aead.c
+++ b/lib/kcapi-aead.c
@@ -210,13 +210,15 @@ _kcapi_aead_encrypt_aio_fallback(struct kcapi_handle *handle,
uint32_t iovlen, const uint8_t *iv)
{
uint32_t i;
- int32_t ret = kcapi_aead_stream_init_enc(handle, iv, NULL, 0);
-
- if (ret < 0)
- return ret;
+ int32_t ret = 0;
for (i = 0; i < iovlen; i++) {
- int rc = kcapi_aead_stream_update_last(handle, iniov, 1);
+ int rc = kcapi_aead_stream_init_enc(handle, iv, NULL, 0);
+
+ if (rc < 0)
+ return rc;
+
+ rc = kcapi_aead_stream_update_last(handle, iniov, 1);
if (rc < 0)
return rc;
@@ -271,13 +273,15 @@ _kcapi_aead_decrypt_aio_fallback(struct kcapi_handle *handle,
uint32_t iovlen, const uint8_t *iv)
{
uint32_t i;
- int32_t ret = kcapi_aead_stream_init_dec(handle, iv, NULL, 0);
-
- if (ret < 0)
- return ret;
+ int32_t ret = 0;
for (i = 0; i < iovlen; i++) {
- int rc = kcapi_aead_stream_update_last(handle, iniov, 1);
+ int rc = kcapi_aead_stream_init_dec(handle, iv, NULL, 0);
+
+ if (rc < 0)
+ return rc;
+
+ rc = kcapi_aead_stream_update_last(handle, iniov, 1);
if (rc < 0)
return rc;
diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c
index bea994f..42cf1ad 100644
--- a/lib/kcapi-kernel-if.c
+++ b/lib/kcapi-kernel-if.c
@@ -439,8 +439,7 @@ int _kcapi_aio_send_iov(struct kcapi_handle *handle, struct iovec *iov,
if (0 > ret)
return ret;
} else {
- ret = _kcapi_common_send_meta(handle, NULL, 0, enc,
- len ? MSG_MORE : 0);
+ ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE);
if (0 > ret)
return ret;
ret = _kcapi_common_vmsplice_iov(handle, iov, iovlen, 0);
@@ -1246,8 +1245,7 @@ int32_t _kcapi_cipher_crypt(struct kcapi_handle *handle, const uint8_t *in,
if (0 > ret)
return ret;
} else {
- ret = _kcapi_common_send_meta(handle, NULL, 0, enc,
- inlen ? MSG_MORE : 0);
+ ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE);
if (0 > ret)
return ret;
ret = _kcapi_common_vmsplice_chunk(handle, in, inlen, 0);
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
index 51f6ec7..64e466c 100644
--- a/test/kcapi-main.c
+++ b/test/kcapi-main.c
@@ -846,7 +846,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
goto out;
}
- for(i = 0; i < loops; i++) {
+ for (i = 0; i < loops; i++) {
_get_time(&begin);
if (cavs_test->enc) {
ret = kcapi_cipher_encrypt(handle,
@@ -886,7 +886,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
}
static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov,
- int forking)
+ int forking, int last)
{
int ret;
@@ -899,7 +899,10 @@ static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov,
return;
}
- ret = kcapi_cipher_stream_update_last(handle, iov, 1);
+ if (last)
+ ret = kcapi_cipher_stream_update_last(handle, iov, 1);
+ else
+ ret = kcapi_cipher_stream_update(handle, iov, 1);
if (0 > ret)
printf("Sending of data failed\n");
@@ -1004,7 +1007,7 @@ static int cavs_sym_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
iov.iov_len = cavs_test->ctlen;
}
- mt_sym_writer(handle_ptr, &iov, forking);
+ mt_sym_writer(handle_ptr, &iov, forking, i == (loops * 2 - 1));
outiov.iov_base = outbuf_ptr;
outiov.iov_len = outbuflen;
@@ -1636,21 +1639,21 @@ static int cavs_aead_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
if (ret)
goto out;
- if (cavs_test->enc)
- ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0);
-
- else
- ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0);
- if (0 > ret) {
- printf("Initialization of cipher buffer failed\n");
- goto out;
- }
-
for (i = 0; i < loops; i++) {
int errsv = 0;
memset(outbuf, 0, outbuflen);
+ if (cavs_test->enc)
+ ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0);
+ else
+ ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0);
+ if (0 > ret) {
+ printf("Initialization of cipher buffer failed\n");
+ goto out;
+ }
+
+
iov.iov_base = cavs_test->assoc;
iov.iov_len = cavs_test->assoclen;
if (cavs_test->enc) {

3
README.md Normal file
View File

@ -0,0 +1,3 @@
# libkcapi
The libkcapi package

9
fipshmac-openssl.sh Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
# Mocks fipshmac using the openssl tool.
# Only for use during RPM build.
[ "$1" = '-d' ] || exit 1
openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \
>"$2/$(basename "$3").hmac"

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

680
libkcapi.spec Normal file
View File

@ -0,0 +1,680 @@
# Shared object version of libkcapi.
%global vmajor 1
%global vminor 2
%global vpatch 0
# Do we build the replacements packages?
%bcond_with replace_coreutils
# Replace fipscheck by default in Fedora 33+:
%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
%bcond_without replace_fipscheck
%else
%bcond_with replace_fipscheck
%endif
# Replace hmaccalc by default in Fedora 28+:
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
%bcond_without replace_hmaccalc
%else
%bcond_with replace_hmaccalc
%endif
%if 0%{?fedora} >= 29 || 0%{?rhel} >= 8
%bcond_without test_package
%else
%bcond_with test_package
%endif
# This package needs at least Linux Kernel v4.10.0.
%global min_kernel_ver 4.10.0
# Do we need to tweak sysctl.d? In newer versions of the Linux
# Kernel the default ancillary buffer size is set high enough.
# TODO: Adapt this when the patch for net/core/sock.c is merged.
%if %{lua:print(rpm.vercmp('99.0.0', posix.uname('%r')));} >= 0
%global with_sysctl_tweak 1
%else
%global with_sysctl_tweak 0
%endif
%if %{with_sysctl_tweak}
# Priority for the sysctl.d preset.
%global sysctl_prio 50
# Value used for the sysctl.d preset.
%global sysctl_optmem_max 81920
# Extension for the README.distro file.
%global distroname_ext %{?fedora:fedora}%{?rhel:redhat}
%endif
# Lowest limit to run the testsuite. If we cannot obtain this
# value, we asume the testsuite cannot be run.
%global test_optmem_max %(%{__cat} /proc/sys/net/core/optmem_max || echo 0)
# For picking patches from upstream commits or pull requests.
%global giturl https://github.com/smuellerDD/%{name}
# Do we replace some coreutils?
%if %{with replace_coreutils}
# TODO: Adapt this when replacing some coreutils initially.
%global coreutils_evr 8.29-1%{?dist}
%endif
# Do we replace fipscheck?
%if %{with replace_fipscheck}
%global fipscheck_evr 1.5.0-9
%endif
# Do we replace hmaccalc?
%if %{with replace_hmaccalc}
%global hmaccalc_evr 0.9.14-10%{?dist}
%endif
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac
# On old kernels use mock hashers implemented via openssl
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
%global sha512hmac bin/kcapi-hasher -n sha512hmac
%global fipshmac bin/kcapi-hasher -n fipshmac
%else
%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
%global fipshmac bash %{_sourcedir}/fipshmac-openssl.sh
%endif
# Add generation of HMAC checksums of the final stripped
# binaries. %%define with lazy globbing is used here
# intentionally, because using %%global does not work.
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
bin_path=%{buildroot}%{_bindir} \
lib_path=%{buildroot}/%{_lib} \
for app in %{apps_hmaccalc}; do \
test -e "$bin_path"/$app || continue \
{ %sha512hmac "$bin_path"/$app || exit 1; } \\\
| cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \
done \
for app in %{apps_fipscheck}; do \
test -e "$bin_path"/$app || continue \
%fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \
done \
%{_bindir}/hardlink -cfv %{buildroot}%{_bindir} \
%fipshmac -d "$lib_path"/fipscheck \\\
"$lib_path"/libkcapi.so.%{version} || exit 1 \
%{__ln_s} libkcapi.so.%{version}.hmac \\\
"$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \
%{nil}
Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 3%{?dist}
Summary: User space interface to the Linux Kernel Crypto API
License: BSD or GPLv2
URL: http://www.chronox.de/%{name}.html
Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Source2: sha512hmac-openssl.sh
Source3: fipshmac-openssl.sh
Patch0: %{giturl}/commit/b612c52c5ccf.patch#/000-Kern-5.8-fix-MSG_MORE-usage.patch
BuildRequires: bash
BuildRequires: clang
BuildRequires: coreutils
BuildRequires: cppcheck
BuildRequires: docbook-utils-pdf
BuildRequires: gcc
BuildRequires: git
BuildRequires: hardlink
BuildRequires: kernel-headers >= %{min_kernel_ver}
BuildRequires: libtool
BuildRequires: openssl
BuildRequires: perl-interpreter
BuildRequires: systemd
BuildRequires: xmlto
# For ownership of %%{_sysctldir}.
Requires: systemd
Obsoletes: %{name}-replacements <= %{version}-%{release}
%description
libkcapi allows user-space to access the Linux kernel crypto API.
This library uses the netlink interface and exports easy to use APIs
so that a developer does not need to consider the low-level netlink
interface handling.
The library does not implement any cipher algorithms. All consumer
requests are sent to the kernel for processing. Results from the
kernel crypto API are returned to the consumer via the library API.
The kernel interface and therefore this library can be used by
unprivileged processes.
%package devel
Summary: Development files for the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release}
%description devel
Header files for applications that use %{name}.
%package doc
Summary: User documentation for the %{name} package
BuildArch: noarch
# Depend on one of the base packages because they have the license files
# We cannot just bundle them into doc because they might conflict with an
# older or newer version of the base package.
Requires: %{name} == %{version}-%{release}
%description doc
User documentation for %{name}.
%if %{with replace_coreutils}
%package checksum
Summary: Drop-in replacement for *sum utils provided by the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release}
Requires: coreutils%{?_isa} >= %{coreutils_evr}
Conflicts: coreutils < %{coreutils_evr}
Conflicts: coreutils-single
%description checksum
Provides drop-in replacements for sha*sum tools (from package
coreutils) using %{name}.
%endif
%if %{with replace_fipscheck}
%package fipscheck
Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release}
Obsoletes: fipscheck <= %{fipscheck_evr}
Provides: fipscheck == %{fipscheck_evr}.1
Provides: fipscheck%{?_isa} == %{fipscheck_evr}.1
%description fipscheck
Provides drop-in replacements for fipscheck and fipshmac tools (from
package fipscheck) using %{name}.
%endif
%if %{with replace_hmaccalc}
%package hmaccalc
Summary: Drop-in replacements for hmaccalc provided by the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release}
Obsoletes: hmaccalc <= %{hmaccalc_evr}
Provides: hmaccalc == %{hmaccalc_evr}.1
Provides: hmaccalc%{?_isa} == %{hmaccalc_evr}.1
%description hmaccalc
Provides drop-in replacements for sha*hmac tools (from package
hmaccalc) using %{name}.
%endif
%package static
Summary: Static library for -static linking with %{name}
Requires: %{name}-devel%{?_isa} == %{version}-%{release}
%description static
This package contains the %{name} static libraries for -static
linking. You don't need this, unless you link statically, which
is highly discouraged.
%package tools
Summary: Utility applications for the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release}
%description tools
Utility applications that are provided with %{name}. This includes
tools to use message digests, symmetric ciphers and random number
generators implemented in the Linux kernel from command line.
%if %{with test_package}
%package tests
Summary: Testing scripts for the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release}
Requires: %{name}-tools%{?_isa} == %{version}-%{release}
%if %{with replace_hmaccalc}
Requires: %{name}-hmaccalc%{?_isa} == %{version}-%{release}
%endif
%if %{with replace_coreutils}
Requires: %{name}-checksum%{?_isa} == %{version}-%{release}
%endif
Requires: coreutils
Requires: openssl
Requires: perl-interpreter
%description tests
Auxiliary scripts for testing %{name}.
%endif
%prep
%autosetup -p 1 -S git
%if %{with_sysctl_tweak}
%{__cat} << EOF > README.%{distroname_ext}
This package increases the default limit of the ancillary buffer size
per kernel socket defined in \`net.core.optmem_max\` to %{sysctl_optmem_max} bytes.
For this preset to become active it requires a reboot after the
installation of this package. You can also manually increase this
limit by invocing \`sysctl net.core.optmem_max=%{sysctl_optmem_max}\` as the
super-user, e.g. using \`su\` or \`sudo\` on the terminal.
This is done to provide consumers of the new Linux Kernel Crypto API
User Space Interface a well sufficient and reasonable maximum limit
by default, especially when using AIO with a larger amount of IOVECs.
For further information about the AF_ALG kernel socket and AIO, see
the discussion at the kernel-crypto mailing-list:
https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg30417.html
See the instructions given in '%{_sysctldir}/50-default.conf',
if you need or want to override the preset made by this package.
EOF
%{__cat} << EOF > %{sysctl_prio}-%{name}-optmem_max.conf
# See the 'README.%{distroname_ext}' file shipped in %%doc
# with the %{name} package.
#
# See '%{_sysctldir}/50-default.conf',
# if you need or want to override this preset.
# Increase the ancillary buffer size per socket.
net.core.optmem_max = %{sysctl_optmem_max}
EOF
%endif
%{_bindir}/autoreconf -fiv
%build
%configure \
--libdir=/%{_lib} \
--disable-silent-rules \
--enable-kcapi-encapp \
--enable-kcapi-dgstapp \
--enable-kcapi-hasher \
--enable-kcapi-rngapp \
--enable-kcapi-speed \
--enable-kcapi-test \
--enable-shared \
--enable-static \
--enable-sum-prefix= \
--enable-sum-dir=/%{_lib} \
--with-pkgconfigdir=%{_libdir}/pkgconfig
%make_build all doc
%install
%make_install
# Install sysctl.d preset.
%{__mkdir_p} %{buildroot}%{_sysctldir}
%{__install} -Dpm 0644 -t %{buildroot}%{_sysctldir} \
%{sysctl_prio}-%{name}-optmem_max.conf
# Install into proper location for inclusion by %%doc.
%{__mkdir_p} %{buildroot}%{_pkgdocdir}
%{__install} -Dpm 0644 -t %{buildroot}%{_pkgdocdir} \
%if %{with_sysctl_tweak}
README.%{distroname_ext} \
%endif
README.md CHANGES.md TODO doc/%{name}.p{df,s}
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
# Install replacement tools, if enabled.
%if !%{with replace_coreutils}
%{__rm} -f \
%{buildroot}%{_bindir}/md5sum \
%{buildroot}%{_bindir}/sha*sum
%endif
%if !%{with replace_fipscheck}
%{__rm} -f %{buildroot}%{_bindir}/fips*
%endif
%if !%{with replace_hmaccalc}
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac
%endif
# We don't ship autocrap dumplings.
%{_bindir}/find %{buildroot} -type f -name '*.la' -print -delete
# HMAC checksums are generated during __spec_install_post.
%{_bindir}/find %{buildroot} -type f -name '*.hmac' -print -delete
# Remove 0-size files.
%{_bindir}/find %{buildroot} -type f -size 0 -print -delete
# Make sure all docs have non-exec permissions, except for the dirs.
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \
%{_bindir}/xargs %{__chmod} -c 0644
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \
%{_bindir}/xargs %{__chmod} -c 0755
# Possibly save some space by hardlinking.
for d in %{_mandir} %{_pkgdocdir}; do
%{_bindir}/hardlink -cfv %{buildroot}$d
done
%check
# Some basic sanity checks.
for t in cppcheck scan; do
%make_build $t
done
# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
# which is the lowest limit needed to run the testsuite. If that limit
# is not met, we do not run it.
%if %{test_optmem_max} >= 20480
# Skip the testsuite on old kernels.
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0
# Real testsuite.
pushd test
ENABLE_FUZZ_TEST=1 \
NO_32BIT_TEST=1 \
./test-invocation.sh
popd
%endif
%endif
%ldconfig_scriptlets
%files
%doc %dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README.md
%license COPYING*
/%{_lib}/%{name}.so.%{vmajor}
/%{_lib}/%{name}.so.%{version}
/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac
/%{_lib}/fipscheck/%{name}.so.%{version}.hmac
%if %{with_sysctl_tweak}
%doc %{_pkgdocdir}/README.%{distroname_ext}
%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
%endif
%files devel
%doc %{_pkgdocdir}/CHANGES.md
%doc %{_pkgdocdir}/TODO
%{_includedir}/kcapi.h
%{_mandir}/man3/kcapi_*.3.*
/%{_lib}/%{name}.so
%{_libdir}/pkgconfig/%{name}.pc
%files doc
%doc %{_pkgdocdir}/html
%doc %{_pkgdocdir}/%{name}.pdf
%doc %{_pkgdocdir}/%{name}.ps
%if %{with replace_coreutils}
%files checksum
%{_bindir}/md5sum
%{_bindir}/sha*sum
/%{_lib}/fipscheck/md5sum.hmac
/%{_lib}/fipscheck/sha*sum.hmac
%endif
%if %{with replace_fipscheck}
%files fipscheck
%{_bindir}/fips*
/%{_lib}/fipscheck/fips*.hmac
%endif
%if %{with replace_hmaccalc}
%files hmaccalc
%{_bindir}/sha*hmac
/%{_lib}/hmaccalc/sha*hmac.hmac
%endif
%files static
/%{_lib}/%{name}.a
%files tools
%{_bindir}/kcapi*
%{_mandir}/man1/kcapi*.1.*
%if %{with test_package}
%files tests
%{_libexecdir}/%{name}/*
%endif
%changelog
* Fri Aug 14 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.2.0-3
- Require perl-interpreter instead of full perl
- Backport fix for 5.9 kernels
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 25 2020 Sahana Prasad <omosnace@redhat.com> - 1.2.0-1
- Update to upstream version 1.2.0 tracked by BZ 1839592.
- Enable kcapi-enc tests as libkcapi BZ 1826022 is fixed.
- Remove 110-fipshmac-compat.patch as the changes are merged upstream.
- Remove 100-workaround-cppcheck-bug.patch as the changes are merged upstream.
* Tue May 05 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.5-5
- Fix the CI test failures
- Enable building on old kernels
- Avoid conflicts between different versions of packages
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> - 1.1.5-4
- Add . prefix to files created by fipshmac if -d option is not specified
* Wed Apr 22 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-3
- Disables kcapi-enc tests until the kernel bug bz 1826022 is fixed.
- Produce also the fipscheck replacement package
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Aug 13 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.5-1
- Update to upstream version 1.1.5
* Sat Jul 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-6
- Backport patch to fix test failure on aarch64
- Remove no longer needed ppc64 workaround
* Sat Jul 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-5
- Backport patch to fix tests
* Thu Jul 25 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-4
- Work around cppcheck issue
- Enable gating
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon May 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-2
- Fix FTBFS: hardlink is now in bindir
* Sat Feb 02 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-1
- Update to upstream version 1.1.4
* Fri Feb 01 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.3-3
- Fix build with new GCC
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Aug 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.3-1
- Update to upstream version 1.1.3
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16
- Add missing dependencies to the tests package
- Update patch from upstream
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15
- Build and tests require perl
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14
- Add missing script to the 'tests' package
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13
- Add missing requires to the 'tests' subpackage
* Tue Aug 07 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12
- Produce a subpackage with test scripts
- Build the 'tests' subpackage conditionally
* Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11
- Add patch to fix unwanted closing of FD 0
* Tue Jul 31 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-10
- Remove the kernel headers workaround
* Fri Jul 27 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.1.1-9
- Rebuild for new binutils
* Fri Jul 27 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-8
- Add more Coverity fixes from upstream
- Add patch to fix AEAD fuzz test for BE arches
- Fixup specfile
* Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7
- Add various fixes from upstream
- Drop the Requires on kernel package
* Mon Jul 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-6
- Put .hmac files into a separate directory
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-4
- Add patch to work around FTBFS on rawhide
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3
- Fix off-by-one error in checkfile parsing
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2
- Fix command-line parsing in libkcapi-hmaccalc
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1
- Update to upstream version 1.1.1
* Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5
- Skip CLang static analysis in RHEL
- Revert "Skip CLang static analysis in RHEL"
- Use own sha512hmac and fipscheck
* Wed May 02 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-4
- Fix description lines being too long
* Fri Apr 27 2018 Björn Esser <besser82@fedoraproject.org> - 1.1.0-3
- Fix conditional for hmaccalc replacement
* Mon Apr 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-2
- Enable hmaccalc replacements in Fedora 28+
* Thu Apr 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-1
- Update to upstream version 1.1.0
* Sat Mar 31 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-10
- Replace single patches with a monolitic one from upstream
- Obsolete replacements subpackage
- Ignore failing tests on %%{power64} temporarily
* Thu Mar 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.0.3-9
- Split up the replacements subpackage
* Mon Feb 26 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-8
- Increase optmem_max preset to 81920
* Mon Feb 26 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-7
- Obsoletes work by package name, not by provides (rhbz#1537225)
* Sun Feb 25 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-6
- Add patch to fix a copy-paste typo
* Sat Feb 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-5
- Add patch to fix build with -Werror
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org>
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Feb 04 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-3
- Switch to %%ldconfig_scriptlets
* Wed Jan 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-2
- Decrease optmem_max preset to 40960
- Let the build fail, if the minimum kernel version cannot be met
- Conditionalize the sysctl.d tweak on version of the kernel
- Conditionalize the name of README.distro on the distro
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-1
- Initial import (rhbz#1533929)
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.13
- Increase optmem_max preset to 81920
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.12
- Add sysctl.d preset and README.fedora
* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.11
- Make the contents of the -replacements package configurable
* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.10
- Fix Obsoletes of the -replacements package
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.9
- Disable the -replacements package until we have a plan for it
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.8
- Move the kcapi-hasher binary to -replacements package, since it is
not of much use without the linked invocation names and saves the
extra Requires on the -tools package
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.7
- Fix internal Requires of sub-packages
- Hardlink files in %%{_bindir}
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.6
- Add patches from upstream
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.5
- Add patches from upstream
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.4
- Asume the testsuite cannot be run, if the value of optmem_max cannot
be obtained
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.3
- Move libraries to /%%{_lib} instead of %%{_libdir}, which is useful
during boot when the library might be needed before a potentially
seperate /usr partition is mounted
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.2
- Asume optmem_max is at least 20480, if the real value cannot be obtained
* Fri Jan 12 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.1
- New upstream release
* Wed Jan 10 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.2-0.1
- Initial rpm release (rhbz#1533929)

6
sha512hmac-openssl.sh Normal file
View File

@ -0,0 +1,6 @@
#!/bin/bash
# Mocks sha512hmac using the openssl tool.
# Only for use during RPM build.
openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' '

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289
SHA512 (libkcapi-1.2.0.tar.xz.asc) = 336769b04c75ee23d4cae98697a6ea14e5bd244bcefaa2396d80dab95538620c9353100685bd0568f61b8dfa3089c6ff7e4fdcdde949012ba0d7fe6aac650577

71
tests/fipscheck-smoke-test/Makefile Normal file
View File

@ -0,0 +1,71 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/libgcrypt/smoke-test
# Description: Test calls upstream test suite.
# Author: Ondrej Moris <omoris@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/libgcrypt/smoke-test
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Ondrej Moris <omoris@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test calls upstream test suite." >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 15m" >> $(METADATA)
@echo "RunFor: libgcrypt" >> $(METADATA)
@echo "Requires: libgcrypt" >> $(METADATA)
@echo "Requires: nfs-utils" >> $(METADATA)
@echo "Requires: rpm-build" >> $(METADATA)
@echo "Requires: gawk" >> $(METADATA)
@echo "Requires: gcc-c++ fipscheck" >> $(METADATA)
@echo "Requires: libgpg-error-devel wget" >> $(METADATA)
@echo "Requires: pkgconfig texinfo libselinux-utils" >> $(METADATA)
@echo "Releases: -RHEL3 -RHEL4" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "Architectures: i386 x86_64 s390x ia64" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/fipscheck-smoke-test/PURPOSE Normal file
View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/libgcrypt/Sanity/smoke-test
Description: Test calls upstream test suite.
Author: Ondrej Moris <omoris@redhat.com>

71
tests/fipscheck-smoke-test/runtest.sh Executable file
View File

@ -0,0 +1,71 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/libgcrypt/smoke-test
# Description: Test calls upstream test suite.
# Author: Ondrej Moris <omoris@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include rhts environment
#. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh
PACKAGE="libgcrypt"
rlJournalStart
rlPhaseStartSetup
TmpDir=`mktemp -d`
rlAssertRpm $PACKAGE
rlFileBackup --clean "/etc/gcrypt/fips_enabled"
rlRun "pushd $TmpDir" 0
rlFetchSrcForInstalled $PACKAGE
rlRun "rpm -ihv `ls *.rpm`" 0
if grep '1' /proc/sys/crypto/fips_enabled; then
rlRun "echo '1' > /etc/gcrypt/fips_enabled" 0
fi
rlPhaseEnd
rlPhaseStartTest
TOPDIR=`rpm --eval %_topdir`
rlRun "pushd $TOPDIR" 0
rlRun "rm -rf BUILD/libgcrypt-*" 0-255
rlRun "rpmbuild -vv -bc SPECS/libgcrypt.spec" 0
rlRun "pushd BUILD/libgcrypt-*" 0
rlRun "fipshmac src/.libs/libgcrypt.so.??" 0
rlRun "make check > $TmpDir/make_check.out" 0
rlRun "popd" 0
rlRun "popd" 0
rlRun "grep \"All [0-9]\+ tests passed\" $TmpDir/make_check.out" 0 \
"All tests passed"
rlRun "cat $TmpDir/make_check.out" 0
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd" 0
rlRun "rm -r $TmpDir" 0
rlFileRestore
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

45
tests/tests.yml Normal file
View File

@ -0,0 +1,45 @@
- hosts: localhost
tags:
- classic
- container
roles:
- role: standard-test-basic
required_packages:
- libkcapi-tests
tests:
- upstream-basic-test:
run: /usr/libexec/libkcapi/test.sh
- upstream-enc-test:
run: /usr/libexec/libkcapi/kcapi-enc-test.sh
- upstream-enc-test-large:
run: /usr/libexec/libkcapi/kcapi-enc-test-large.sh
- upstream-dgst-test:
run: /usr/libexec/libkcapi/kcapi-dgst-test.sh
- upstream-hasher-test:
run: /usr/libexec/libkcapi/hasher-test.sh
- upstream-convenience-test:
run: /usr/libexec/libkcapi/kcapi-convenience.sh
- upstream-fuzz-test:
run: /usr/libexec/libkcapi/kcapi-fuzz-test.sh
- hosts: localhost
tags:
- classic
- container
roles:
- role: standard-test-beakerlib
required_packages:
- fipscheck
- gawk
- gcc-c++
- libgcrypt
- libgpg-error-devel
- libselinux-utils
- libtool
- nfs-utils
- pkgconfig
- rpm-build
- texinfo
- wget
tests:
- fipscheck-smoke-test