diff --git a/.gitignore b/.gitignore
index e69de29..6473ae7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/libkcapi-*.tar.xz
+/libkcapi-*.tar.xz.asc
+/*.src.rpm
diff --git a/000-Kern-5.8-fix-MSG_MORE-usage.patch b/000-Kern-5.8-fix-MSG_MORE-usage.patch
new file mode 100644
index 0000000..5841ef6
--- /dev/null
+++ b/000-Kern-5.8-fix-MSG_MORE-usage.patch
@@ -0,0 +1,163 @@ +From b612c52c5ccf021d01e6c786db1a31a697f21d97 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 13 Aug 2020 21:58:07 +0200 +Subject: [PATCH] Kern 5.8: fix MSG_MORE usage + +With kernel 5.8, a precise use of MSG_MORE is mandatory to support +a stream cipher approach (init -> update -> update -> ... -> final). +All but the last update operations must use MSG_MORE, the last update +operation must not use MSG_MORE. + +Reported-by: Ondrej Mosnacek +Signed-off-by: Stephan Mueller +--- + lib/kcapi-aead.c | 24 ++++++++++++++---------- + lib/kcapi-kernel-if.c | 6 ++---- + test/kcapi-main.c | 31 +++++++++++++++++-------------- + 3 files changed, 33 insertions(+), 28 deletions(-) + +diff --git a/lib/kcapi-aead.c b/lib/kcapi-aead.c +index d241618..45a0bd7 100644 +--- a/lib/kcapi-aead.c ++++ b/lib/kcapi-aead.c +@@ -210,13 +210,15 @@ _kcapi_aead_encrypt_aio_fallback(struct kcapi_handle *handle, + uint32_t iovlen, const uint8_t *iv) + { + uint32_t i; +- int32_t ret = kcapi_aead_stream_init_enc(handle, iv, NULL, 0); +- +- if (ret < 0) +- return ret; ++ int32_t ret = 0; + + for (i = 0; i < iovlen; i++) { +- int rc = kcapi_aead_stream_update_last(handle, iniov, 1); ++ int rc = kcapi_aead_stream_init_enc(handle, iv, NULL, 0); ++ ++ if (rc < 0) ++ return rc; ++ ++ rc = kcapi_aead_stream_update_last(handle, iniov, 1); + if (rc < 0) + return rc; + +@@ -271,13 +273,15 @@ _kcapi_aead_decrypt_aio_fallback(struct kcapi_handle *handle, + uint32_t iovlen, const uint8_t *iv) + { + uint32_t i; +- int32_t ret = kcapi_aead_stream_init_dec(handle, iv, NULL, 0); +- +- if (ret < 0) +- return ret; ++ int32_t ret = 0; + + for (i = 0; i < iovlen; i++) { +- int rc = kcapi_aead_stream_update_last(handle, iniov, 1); ++ int rc = kcapi_aead_stream_init_dec(handle, iv, NULL, 0); ++ ++ if (rc < 0) ++ return rc; ++ ++ rc = kcapi_aead_stream_update_last(handle, iniov, 1); + if (rc < 0) + return rc; + +diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c +index bea994f..42cf1ad 
100644 +--- a/lib/kcapi-kernel-if.c ++++ b/lib/kcapi-kernel-if.c +@@ -439,8 +439,7 @@ int _kcapi_aio_send_iov(struct kcapi_handle *handle, struct iovec *iov, + if (0 > ret) + return ret; + } else { +- ret = _kcapi_common_send_meta(handle, NULL, 0, enc, +- len ? MSG_MORE : 0); ++ ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE); + if (0 > ret) + return ret; + ret = _kcapi_common_vmsplice_iov(handle, iov, iovlen, 0); +@@ -1246,8 +1245,7 @@ int32_t _kcapi_cipher_crypt(struct kcapi_handle *handle, const uint8_t *in, + if (0 > ret) + return ret; + } else { +- ret = _kcapi_common_send_meta(handle, NULL, 0, enc, +- inlen ? MSG_MORE : 0); ++ ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE); + if (0 > ret) + return ret; + ret = _kcapi_common_vmsplice_chunk(handle, in, inlen, 0); +diff --git a/test/kcapi-main.c b/test/kcapi-main.c +index 51f6ec7..64e466c 100644 +--- a/test/kcapi-main.c ++++ b/test/kcapi-main.c +@@ -846,7 +846,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops, + goto out; + } + +- for(i = 0; i < loops; i++) { ++ for (i = 0; i < loops; i++) { + _get_time(&begin); + if (cavs_test->enc) { + ret = kcapi_cipher_encrypt(handle, +@@ -886,7 +886,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops, + } + + static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov, +- int forking) ++ int forking, int last) + { + int ret; + +@@ -899,7 +899,10 @@ static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov, + return; + } + +- ret = kcapi_cipher_stream_update_last(handle, iov, 1); ++ if (last) ++ ret = kcapi_cipher_stream_update_last(handle, iov, 1); ++ else ++ ret = kcapi_cipher_stream_update(handle, iov, 1); + if (0 > ret) + printf("Sending of data failed\n"); + +@@ -1004,7 +1007,7 @@ static int cavs_sym_stream(struct kcapi_cavs *cavs_test, uint32_t loops, + iov.iov_len = cavs_test->ctlen; + } + +- mt_sym_writer(handle_ptr, &iov, forking); ++ mt_sym_writer(handle_ptr, &iov, 
forking, i == (loops * 2 - 1)); + + outiov.iov_base = outbuf_ptr; + outiov.iov_len = outbuflen; +@@ -1636,21 +1639,21 @@ static int cavs_aead_stream(struct kcapi_cavs *cavs_test, uint32_t loops, + if (ret) + goto out; + +- if (cavs_test->enc) +- ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0); +- +- else +- ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0); +- if (0 > ret) { +- printf("Initialization of cipher buffer failed\n"); +- goto out; +- } +- + for (i = 0; i < loops; i++) { + int errsv = 0; + + memset(outbuf, 0, outbuflen); + ++ if (cavs_test->enc) ++ ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0); ++ else ++ ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0); ++ if (0 > ret) { ++ printf("Initialization of cipher buffer failed\n"); ++ goto out; ++ } ++ ++ + iov.iov_base = cavs_test->assoc; + iov.iov_len = cavs_test->assoclen; + if (cavs_test->enc) { diff --git a/README.md b/README.md new file mode 100644 index 0000000..75bd6a5 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# libkcapi + +The libkcapi package \ No newline at end of file diff --git a/fipshmac-openssl.sh b/fipshmac-openssl.sh new file mode 100644 index 0000000..c554434 --- /dev/null +++ b/fipshmac-openssl.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# Mocks fipshmac using the openssl tool. +# Only for use during RPM build. + +[ "$1" = '-d' ] || exit 1 + +openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \ + >"$2/$(basename "$3").hmac" diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..c2182c7 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,6 @@ +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_stable +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} diff --git a/libkcapi.spec b/libkcapi.spec new file mode 100644 index 0000000..aa95389 --- /dev/null +++ b/libkcapi.spec 
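Review bot: The pipeline `openssl sha256 … | cut -f 2 -d ' ' >"$2/$(basename "$3").hmac"` exits with cut's status, so if openssl fails (unreadable `$3`, no such file) the script still creates an empty `.hmac` and returns 0, and the `|| exit 1` guard the spec puts on the `%fipshmac -d …` call in `__spec_install_post` never fires. Add `set -euo pipefail` directly after the shebang so an openssl failure aborts the build, and tighten the argument check to the arity the real tool is invoked with, `[ "$1" = '-d' ] && [ $# -eq 3 ] || exit 1`. The hard-coded HMAC key looks like the fixed integrity constant of the fipscheck tool this script mocks rather than a secret; a comment saying so, `# Fixed public key used by fipscheck; an integrity tag, not a credential`, would stop it being flagged as a leaked credential later.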
@@ -0,0 +1,680 @@ +# Shared object version of libkcapi. +%global vmajor 1 +%global vminor 2 +%global vpatch 0 + +# Do we build the replacements packages? +%bcond_with replace_coreutils +# Replace fipscheck by default in Fedora 33+: +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 +%bcond_without replace_fipscheck +%else +%bcond_with replace_fipscheck +%endif +# Replace hmaccalc by default in Fedora 28+: +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8 +%bcond_without replace_hmaccalc +%else +%bcond_with replace_hmaccalc +%endif +%if 0%{?fedora} >= 29 || 0%{?rhel} >= 8 +%bcond_without test_package +%else +%bcond_with test_package +%endif + +# This package needs at least Linux Kernel v4.10.0. +%global min_kernel_ver 4.10.0 + +# Do we need to tweak sysctl.d? In newer versions of the Linux +# Kernel the default ancillary buffer size is set high enough. +# TODO: Adapt this when the patch for net/core/sock.c is merged. +%if %{lua:print(rpm.vercmp('99.0.0', posix.uname('%r')));} >= 0 +%global with_sysctl_tweak 1 +%else +%global with_sysctl_tweak 0 +%endif + +%if %{with_sysctl_tweak} +# Priority for the sysctl.d preset. +%global sysctl_prio 50 + +# Value used for the sysctl.d preset. +%global sysctl_optmem_max 81920 + +# Extension for the README.distro file. +%global distroname_ext %{?fedora:fedora}%{?rhel:redhat} +%endif + +# Lowest limit to run the testsuite. If we cannot obtain this +# value, we asume the testsuite cannot be run. +%global test_optmem_max %(%{__cat} /proc/sys/net/core/optmem_max || echo 0) + +# For picking patches from upstream commits or pull requests. +%global giturl https://github.com/smuellerDD/%{name} + +# Do we replace some coreutils? +%if %{with replace_coreutils} +# TODO: Adapt this when replacing some coreutils initially. +%global coreutils_evr 8.29-1%{?dist} +%endif + +# Do we replace fipscheck? +%if %{with replace_fipscheck} +%global fipscheck_evr 1.5.0-9 +%endif + +# Do we replace hmaccalc? 
+%if %{with replace_hmaccalc} +%global hmaccalc_evr 0.9.14-10%{?dist} +%endif + +%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac +%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac + +# On old kernels use mock hashers implemented via openssl +%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 +%global sha512hmac bin/kcapi-hasher -n sha512hmac +%global fipshmac bin/kcapi-hasher -n fipshmac +%else +%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh +%global fipshmac bash %{_sourcedir}/fipshmac-openssl.sh +%endif + +# Add generation of HMAC checksums of the final stripped +# binaries. %%define with lazy globbing is used here +# intentionally, because using %%global does not work. +%define __spec_install_post \ +%{?__debug_package:%{__debug_install_post}} \ +%{__arch_install_post} \ +%{__os_install_post} \ +bin_path=%{buildroot}%{_bindir} \ +lib_path=%{buildroot}/%{_lib} \ +for app in %{apps_hmaccalc}; do \ + test -e "$bin_path"/$app || continue \ + { %sha512hmac "$bin_path"/$app || exit 1; } \\\ + | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \ +done \ +for app in %{apps_fipscheck}; do \ + test -e "$bin_path"/$app || continue \ + %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \ +done \ +%{_bindir}/hardlink -cfv %{buildroot}%{_bindir} \ +%fipshmac -d "$lib_path"/fipscheck \\\ + "$lib_path"/libkcapi.so.%{version} || exit 1 \ +%{__ln_s} libkcapi.so.%{version}.hmac \\\ + "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ +%{nil} + + +Name: libkcapi +Version: %{vmajor}.%{vminor}.%{vpatch} +Release: 3%{?dist} +Summary: User space interface to the Linux Kernel Crypto API + +License: BSD or GPLv2 +URL: http://www.chronox.de/%{name}.html +Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz +Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc +Source2: sha512hmac-openssl.sh +Source3: fipshmac-openssl.sh + +Patch0: 
%{giturl}/commit/b612c52c5ccf.patch#/000-Kern-5.8-fix-MSG_MORE-usage.patch + +BuildRequires: bash +BuildRequires: clang +BuildRequires: coreutils +BuildRequires: cppcheck +BuildRequires: docbook-utils-pdf +BuildRequires: gcc +BuildRequires: git +BuildRequires: hardlink +BuildRequires: kernel-headers >= %{min_kernel_ver} +BuildRequires: libtool +BuildRequires: openssl +BuildRequires: perl-interpreter +BuildRequires: systemd +BuildRequires: xmlto + +# For ownership of %%{_sysctldir}. +Requires: systemd + +Obsoletes: %{name}-replacements <= %{version}-%{release} + +%description +libkcapi allows user-space to access the Linux kernel crypto API. + +This library uses the netlink interface and exports easy to use APIs +so that a developer does not need to consider the low-level netlink +interface handling. + +The library does not implement any cipher algorithms. All consumer +requests are sent to the kernel for processing. Results from the +kernel crypto API are returned to the consumer via the library API. + +The kernel interface and therefore this library can be used by +unprivileged processes. + + +%package devel +Summary: Development files for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +%description devel +Header files for applications that use %{name}. + + +%package doc +Summary: User documentation for the %{name} package +BuildArch: noarch +# Depend on one of the base packages because they have the license files +# We cannot just bundle them into doc because they might conflict with an +# older or newer version of the base package. +Requires: %{name} == %{version}-%{release} + +%description doc +User documentation for %{name}. 
+ + +%if %{with replace_coreutils} +%package checksum +Summary: Drop-in replacement for *sum utils provided by the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +Requires: coreutils%{?_isa} >= %{coreutils_evr} + +Conflicts: coreutils < %{coreutils_evr} +Conflicts: coreutils-single + +%description checksum +Provides drop-in replacements for sha*sum tools (from package +coreutils) using %{name}. +%endif + + +%if %{with replace_fipscheck} +%package fipscheck +Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +Obsoletes: fipscheck <= %{fipscheck_evr} + +Provides: fipscheck == %{fipscheck_evr}.1 +Provides: fipscheck%{?_isa} == %{fipscheck_evr}.1 + +%description fipscheck +Provides drop-in replacements for fipscheck and fipshmac tools (from +package fipscheck) using %{name}. +%endif + + +%if %{with replace_hmaccalc} +%package hmaccalc +Summary: Drop-in replacements for hmaccalc provided by the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +Obsoletes: hmaccalc <= %{hmaccalc_evr} + +Provides: hmaccalc == %{hmaccalc_evr}.1 +Provides: hmaccalc%{?_isa} == %{hmaccalc_evr}.1 + +%description hmaccalc +Provides drop-in replacements for sha*hmac tools (from package +hmaccalc) using %{name}. +%endif + + +%package static +Summary: Static library for -static linking with %{name} +Requires: %{name}-devel%{?_isa} == %{version}-%{release} + +%description static +This package contains the %{name} static libraries for -static +linking. You don't need this, unless you link statically, which +is highly discouraged. + + +%package tools +Summary: Utility applications for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +%description tools +Utility applications that are provided with %{name}. This includes +tools to use message digests, symmetric ciphers and random number +generators implemented in the Linux kernel from command line. 
+ + +%if %{with test_package} +%package tests +Summary: Testing scripts for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}-tools%{?_isa} == %{version}-%{release} +%if %{with replace_hmaccalc} +Requires: %{name}-hmaccalc%{?_isa} == %{version}-%{release} +%endif +%if %{with replace_coreutils} +Requires: %{name}-checksum%{?_isa} == %{version}-%{release} +%endif +Requires: coreutils +Requires: openssl +Requires: perl-interpreter + +%description tests +Auxiliary scripts for testing %{name}. +%endif + + +%prep +%autosetup -p 1 -S git + +%if %{with_sysctl_tweak} +%{__cat} << EOF > README.%{distroname_ext} +This package increases the default limit of the ancillary buffer size +per kernel socket defined in \`net.core.optmem_max\` to %{sysctl_optmem_max} bytes. + +For this preset to become active it requires a reboot after the +installation of this package. You can also manually increase this +limit by invocing \`sysctl net.core.optmem_max=%{sysctl_optmem_max}\` as the +super-user, e.g. using \`su\` or \`sudo\` on the terminal. + +This is done to provide consumers of the new Linux Kernel Crypto API +User Space Interface a well sufficient and reasonable maximum limit +by default, especially when using AIO with a larger amount of IOVECs. + +For further information about the AF_ALG kernel socket and AIO, see +the discussion at the kernel-crypto mailing-list: +https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg30417.html + +See the instructions given in '%{_sysctldir}/50-default.conf', +if you need or want to override the preset made by this package. +EOF + +%{__cat} << EOF > %{sysctl_prio}-%{name}-optmem_max.conf +# See the 'README.%{distroname_ext}' file shipped in %%doc +# with the %{name} package. +# +# See '%{_sysctldir}/50-default.conf', +# if you need or want to override this preset. + +# Increase the ancillary buffer size per socket. 
+net.core.optmem_max = %{sysctl_optmem_max} +EOF +%endif + +%{_bindir}/autoreconf -fiv + + +%build +%configure \ + --libdir=/%{_lib} \ + --disable-silent-rules \ + --enable-kcapi-encapp \ + --enable-kcapi-dgstapp \ + --enable-kcapi-hasher \ + --enable-kcapi-rngapp \ + --enable-kcapi-speed \ + --enable-kcapi-test \ + --enable-shared \ + --enable-static \ + --enable-sum-prefix= \ + --enable-sum-dir=/%{_lib} \ + --with-pkgconfigdir=%{_libdir}/pkgconfig +%make_build all doc + + +%install +%make_install + +# Install sysctl.d preset. +%{__mkdir_p} %{buildroot}%{_sysctldir} +%{__install} -Dpm 0644 -t %{buildroot}%{_sysctldir} \ + %{sysctl_prio}-%{name}-optmem_max.conf + +# Install into proper location for inclusion by %%doc. +%{__mkdir_p} %{buildroot}%{_pkgdocdir} +%{__install} -Dpm 0644 -t %{buildroot}%{_pkgdocdir} \ +%if %{with_sysctl_tweak} + README.%{distroname_ext} \ +%endif + README.md CHANGES.md TODO doc/%{name}.p{df,s} +%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir} + +# Install replacement tools, if enabled. +%if !%{with replace_coreutils} +%{__rm} -f \ + %{buildroot}%{_bindir}/md5sum \ + %{buildroot}%{_bindir}/sha*sum +%endif + +%if !%{with replace_fipscheck} +%{__rm} -f %{buildroot}%{_bindir}/fips* +%endif + +%if !%{with replace_hmaccalc} +%{__rm} -f %{buildroot}%{_bindir}/sha*hmac +%endif + +# We don't ship autocrap dumplings. +%{_bindir}/find %{buildroot} -type f -name '*.la' -print -delete + +# HMAC checksums are generated during __spec_install_post. +%{_bindir}/find %{buildroot} -type f -name '*.hmac' -print -delete + +# Remove 0-size files. +%{_bindir}/find %{buildroot} -type f -size 0 -print -delete + +# Make sure all docs have non-exec permissions, except for the dirs. +%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \ + %{_bindir}/xargs %{__chmod} -c 0644 +%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \ + %{_bindir}/xargs %{__chmod} -c 0755 + +# Possibly save some space by hardlinking. 
+for d in %{_mandir} %{_pkgdocdir}; do + %{_bindir}/hardlink -cfv %{buildroot}$d +done + + +%check +# Some basic sanity checks. +for t in cppcheck scan; do + %make_build $t +done + +# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480, +# which is the lowest limit needed to run the testsuite. If that limit +# is not met, we do not run it. +%if %{test_optmem_max} >= 20480 +# Skip the testsuite on old kernels. +%if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0 +# Real testsuite. +pushd test +ENABLE_FUZZ_TEST=1 \ +NO_32BIT_TEST=1 \ + ./test-invocation.sh +popd +%endif +%endif + + +%ldconfig_scriptlets + + +%files +%doc %dir %{_pkgdocdir} +%doc %{_pkgdocdir}/README.md +%license COPYING* +/%{_lib}/%{name}.so.%{vmajor} +/%{_lib}/%{name}.so.%{version} +/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac +/%{_lib}/fipscheck/%{name}.so.%{version}.hmac +%if %{with_sysctl_tweak} +%doc %{_pkgdocdir}/README.%{distroname_ext} +%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf +%endif + + +%files devel +%doc %{_pkgdocdir}/CHANGES.md +%doc %{_pkgdocdir}/TODO +%{_includedir}/kcapi.h +%{_mandir}/man3/kcapi_*.3.* +/%{_lib}/%{name}.so +%{_libdir}/pkgconfig/%{name}.pc + + +%files doc +%doc %{_pkgdocdir}/html +%doc %{_pkgdocdir}/%{name}.pdf +%doc %{_pkgdocdir}/%{name}.ps + + +%if %{with replace_coreutils} +%files checksum +%{_bindir}/md5sum +%{_bindir}/sha*sum +/%{_lib}/fipscheck/md5sum.hmac +/%{_lib}/fipscheck/sha*sum.hmac +%endif + +%if %{with replace_fipscheck} +%files fipscheck +%{_bindir}/fips* +/%{_lib}/fipscheck/fips*.hmac +%endif + +%if %{with replace_hmaccalc} +%files hmaccalc +%{_bindir}/sha*hmac +/%{_lib}/hmaccalc/sha*hmac.hmac +%endif + + +%files static +/%{_lib}/%{name}.a + + +%files tools +%{_bindir}/kcapi* +%{_mandir}/man1/kcapi*.1.* + + +%if %{with test_package} +%files tests +%{_libexecdir}/%{name}/* +%endif + + +%changelog +* Fri Aug 14 2020 Ondrej Mosnáček - 1.2.0-3 +- Require perl-interpreter instead of full perl +- Backport fix for 5.9 kernels 
+ +* Tue Jul 28 2020 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon May 25 2020 Sahana Prasad - 1.2.0-1 +- Update to upstream version 1.2.0 tracked by BZ 1839592. +- Enable kcapi-enc tests as libkcapi BZ 1826022 is fixed. +- Remove 110-fipshmac-compat.patch as the changes are merged upstream. +- Remove 100-workaround-cppcheck-bug.patch as the changes are merged upstream. + +* Tue May 05 2020 Ondrej Mosnáček - 1.1.5-5 +- Fix the CI test failures +- Enable building on old kernels +- Avoid conflicts between different versions of packages + +* Thu Apr 23 2020 Tomáš Mráz - 1.1.5-4 +- Add . prefix to files created by fipshmac if -d option is not specified + +* Wed Apr 22 2020 Sahana Prasad - 1.1.5-3 +- Disables kcapi-enc tests until the kernel bug bz 1826022 is fixed. +- Produce also the fipscheck replacement package + +* Wed Jan 29 2020 Fedora Release Engineering - 1.1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Aug 13 2019 Ondrej Mosnáček - 1.1.5-1 +- Update to upstream version 1.1.5 + +* Sat Jul 27 2019 Ondrej Mosnáček - 1.1.4-6 +- Backport patch to fix test failure on aarch64 +- Remove no longer needed ppc64 workaround + +* Sat Jul 27 2019 Ondrej Mosnáček - 1.1.4-5 +- Backport patch to fix tests + +* Thu Jul 25 2019 Ondrej Mosnáček - 1.1.4-4 +- Work around cppcheck issue +- Enable gating + +* Thu Jul 25 2019 Fedora Release Engineering - 1.1.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon May 27 2019 Ondrej Mosnáček - 1.1.4-2 +- Fix FTBFS: hardlink is now in bindir + +* Sat Feb 02 2019 Ondrej Mosnáček - 1.1.4-1 +- Update to upstream version 1.1.4 + +* Fri Feb 01 2019 Ondrej Mosnáček - 1.1.3-3 +- Fix build with new GCC + +* Fri Feb 01 2019 Fedora Release Engineering - 1.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Aug 23 2018 Ondrej Mosnáček - 1.1.3-1 +- Update to upstream version 1.1.3 + +* 
Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-16 +- Add missing dependencies to the tests package +- Update patch from upstream + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-15 +- Build and tests require perl + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14 +- Add missing script to the 'tests' package + +* Wed Aug 08 2018 Ondrej Mosnáček - 1.1.1-13 +- Add missing requires to the 'tests' subpackage + +* Tue Aug 07 2018 Ondrej Mosnáček - 1.1.1-12 +- Produce a subpackage with test scripts +- Build the 'tests' subpackage conditionally + +* Wed Aug 01 2018 Ondrej Mosnáček - 1.1.1-11 +- Add patch to fix unwanted closing of FD 0 + +* Tue Jul 31 2018 Ondrej Mosnáček - 1.1.1-10 +- Remove the kernel headers workaround + +* Fri Jul 27 2018 Igor Gnatenko - 1.1.1-9 +- Rebuild for new binutils + +* Fri Jul 27 2018 Ondrej Mosnáček - 1.1.1-8 +- Add more Coverity fixes from upstream +- Add patch to fix AEAD fuzz test for BE arches +- Fixup specfile + +* Mon Jul 23 2018 Ondrej Mosnáček - 1.1.1-7 +- Add various fixes from upstream +- Drop the Requires on kernel package + +* Mon Jul 16 2018 Ondrej Mosnáček - 1.1.1-6 +- Put .hmac files into a separate directory + +* Fri Jul 13 2018 Fedora Release Engineering - 1.1.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 12 2018 Ondrej Mosnáček - 1.1.1-4 +- Add patch to work around FTBFS on rawhide + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-3 +- Fix off-by-one error in checkfile parsing + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2 +- Fix command-line parsing in libkcapi-hmaccalc + +* Mon Jun 18 2018 Ondrej Mosnáček - 1.1.1-1 +- Update to upstream version 1.1.1 + +* Wed May 09 2018 Ondrej Mosnáček - 1.1.0-5 +- Skip CLang static analysis in RHEL +- Revert "Skip CLang static analysis in RHEL" +- Use own sha512hmac and fipscheck + +* Wed May 02 2018 Ondrej Mosnáček - 1.1.0-4 +- Fix description lines being too long + +* Fri Apr 27 2018 Björn Esser - 1.1.0-3 +- Fix conditional for hmaccalc replacement + +* Mon Apr 16 
2018 Ondrej Mosnáček - 1.1.0-2 +- Enable hmaccalc replacements in Fedora 28+ + +* Thu Apr 12 2018 Ondrej Mosnáček - 1.1.0-1 +- Update to upstream version 1.1.0 + +* Sat Mar 31 2018 Björn Esser - 1.0.3-10 +- Replace single patches with a monolitic one from upstream +- Obsolete replacements subpackage +- Ignore failing tests on %%{power64} temporarily + +* Thu Mar 08 2018 Ondrej Mosnáček - 1.0.3-9 +- Split up the replacements subpackage + +* Mon Feb 26 2018 Björn Esser - 1.0.3-8 +- Increase optmem_max preset to 81920 + +* Mon Feb 26 2018 Björn Esser - 1.0.3-7 +- Obsoletes work by package name, not by provides (rhbz#1537225) + +* Sun Feb 25 2018 Björn Esser - 1.0.3-6 +- Add patch to fix a copy-paste typo + +* Sat Feb 17 2018 Björn Esser - 1.0.3-5 +- Add patch to fix build with -Werror + +* Wed Feb 07 2018 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Feb 04 2018 Björn Esser - 1.0.3-3 +- Switch to %%ldconfig_scriptlets + +* Wed Jan 17 2018 Björn Esser - 1.0.3-2 +- Decrease optmem_max preset to 40960 +- Let the build fail, if the minimum kernel version cannot be met +- Conditionalize the sysctl.d tweak on version of the kernel +- Conditionalize the name of README.distro on the distro + +* Tue Jan 16 2018 Björn Esser - 1.0.3-1 +- Initial import (rhbz#1533929) + +* Tue Jan 16 2018 Björn Esser - 1.0.3-0.13 +- Increase optmem_max preset to 81920 + +* Tue Jan 16 2018 Björn Esser - 1.0.3-0.12 +- Add sysctl.d preset and README.fedora + +* Mon Jan 15 2018 Björn Esser - 1.0.3-0.11 +- Make the contents of the -replacements package configurable + +* Mon Jan 15 2018 Björn Esser - 1.0.3-0.10 +- Fix Obsoletes of the -replacements package + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.9 +- Disable the -replacements package until we have a plan for it + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.8 +- Move the kcapi-hasher binary to -replacements package, since it is + not of much use without the linked invocation names and saves the 
+ extra Requires on the -tools package + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.7 +- Fix internal Requires of sub-packages +- Hardlink files in %%{_bindir} + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.6 +- Add patches from upstream + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.5 +- Add patches from upstream + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.4 +- Asume the testsuite cannot be run, if the value of optmem_max cannot + be obtained + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.3 +- Move libraries to /%%{_lib} instead of %%{_libdir}, which is useful + during boot when the library might be needed before a potentially + seperate /usr partition is mounted + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.2 +- Asume optmem_max is at least 20480, if the real value cannot be obtained + +* Fri Jan 12 2018 Björn Esser - 1.0.3-0.1 +- New upstream release + +* Wed Jan 10 2018 Björn Esser - 1.0.2-0.1 +- Initial rpm release (rhbz#1533929) diff --git a/sha512hmac-openssl.sh b/sha512hmac-openssl.sh new file mode 100644 index 0000000..6496394 --- /dev/null +++ b/sha512hmac-openssl.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Mocks sha512hmac using the openssl tool. +# Only for use during RPM build. + +openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' diff --git a/sources b/sources new file mode 100644 index 0000000..a634ca6 --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289 +SHA512 (libkcapi-1.2.0.tar.xz.asc) = 336769b04c75ee23d4cae98697a6ea14e5bd244bcefaa2396d80dab95538620c9353100685bd0568f61b8dfa3089c6ff7e4fdcdde949012ba0d7fe6aac650577 diff --git a/tests/fipscheck-smoke-test/Makefile b/tests/fipscheck-smoke-test/Makefile new file mode 100644 index 0000000..0e0dda3 --- /dev/null +++ b/tests/fipscheck-smoke-test/Makefile 
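Review bot: Source1 fetches the detached signature `libkcapi-1.2.0.tar.xz.asc`, but `%prep` never verifies it — `%autosetup -p 1 -S git` unpacks Source0 directly, and there is no `%{gpgverify}` call and no keyring source, so the `.asc` is carried in the SRPM without protecting the build. The `sources` file pins a SHA512 of the `.asc`, which only detects the signature file changing, not a substituted tarball whose hash was re-recorded alongside it. Add the upstream signing key as a source and verify before unpacking: `Source4: gpgkey-<upstream fingerprint>.gpg`, `BuildRequires: gnupg2`, and `%{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` as the first statement of `%prep`. Separately, in `__spec_install_post` the form `{ %sha512hmac "$bin_path"/$app || exit 1; } | cut -f 1 -d ' ' >…` cannot abort the build, because `exit 1` only leaves the left-hand subshell and the pipeline's status is cut's, so a failed hasher ships an empty `hmaccalc/<app>.hmac`; put `set -o pipefail` at the top of the macro body or test `${PIPESTATUS[0]}` after the pipeline. The 1.2.0-3 changelog entry says "Backport fix for 5.9 kernels" while Patch0's subject reads "Kern 5.8: fix MSG_MORE usage"; one of the two should be corrected.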
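Review bot: `openssl sha512 -hmac … -hex "$1" | cut -f 2 -d ' '` returns cut's exit status, so an openssl failure yields empty output with exit 0 and the caller in the spec's `__spec_install_post` cannot tell, leaving a zero-byte `hmaccalc/<app>.hmac` to be packaged. Add `set -euo pipefail` after the shebang and reject a missing path, `[ $# -eq 1 ] || exit 1`, mirroring the argument check the sibling `fipshmac-openssl.sh` already performs. As with that script, a comment stating that the embedded key is the tool's fixed, public integrity key (assuming that is what it is) would prevent a false credential-leak report.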
@@ -0,0 +1,71 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/libgcrypt/smoke-test +# Description: Test calls upstream test suite. +# Author: Ondrej Moris +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2010 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/libgcrypt/smoke-test +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Ondrej Moris " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Test calls upstream test suite." 
>> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 15m" >> $(METADATA) + @echo "RunFor: libgcrypt" >> $(METADATA) + @echo "Requires: libgcrypt" >> $(METADATA) + @echo "Requires: nfs-utils" >> $(METADATA) + @echo "Requires: rpm-build" >> $(METADATA) + @echo "Requires: gawk" >> $(METADATA) + @echo "Requires: gcc-c++ fipscheck" >> $(METADATA) + @echo "Requires: libgpg-error-devel wget" >> $(METADATA) + @echo "Requires: pkgconfig texinfo libselinux-utils" >> $(METADATA) + @echo "Releases: -RHEL3 -RHEL4" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "Architectures: i386 x86_64 s390x ia64" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/fipscheck-smoke-test/PURPOSE b/tests/fipscheck-smoke-test/PURPOSE new file mode 100644 index 0000000..5df6ca9 --- /dev/null +++ b/tests/fipscheck-smoke-test/PURPOSE @@ -0,0 +1,3 @@ +PURPOSE of /CoreOS/libgcrypt/Sanity/smoke-test +Description: Test calls upstream test suite. +Author: Ondrej Moris diff --git a/tests/fipscheck-smoke-test/runtest.sh b/tests/fipscheck-smoke-test/runtest.sh new file mode 100755 index 0000000..dd1803d --- /dev/null +++ b/tests/fipscheck-smoke-test/runtest.sh 
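Review bot: The metadata this Makefile generates still describes the libgcrypt test it was copied from — `export TEST=/CoreOS/libgcrypt/smoke-test`, `RunFor: libgcrypt`, `Requires: libgcrypt` and `Description: Test calls upstream test suite.` — so the test in this libkcapi repository is registered and reported under another package's name, and `Requires: gcc-c++ fipscheck` names the package libkcapi-fipscheck is meant to replace rather than the replacement (whether it resolves to the replacement depends on the Provides/Obsoletes in the spec). Rename the path to something like `/CoreOS/libkcapi/fipscheck-smoke-test`, set `RunFor: libkcapi` with `Requires: libkcapi-fipscheck` next to the libgcrypt build dependencies, and describe what the test actually does: build libgcrypt's test suite and run it against libkcapi's fipshmac. `Architectures: i386 x86_64 s390x ia64` also appears to predate aarch64 and ppc64le, which the spec builds for. The header comment block carries the same stale libgcrypt wording.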
@@ -0,0 +1,71 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/libgcrypt/smoke-test +# Description: Test calls upstream test suite. +# Author: Ondrej Moris +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2010 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +#. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh + +PACKAGE="libgcrypt" + +rlJournalStart + + rlPhaseStartSetup + TmpDir=`mktemp -d` + rlAssertRpm $PACKAGE + rlFileBackup --clean "/etc/gcrypt/fips_enabled" + rlRun "pushd $TmpDir" 0 + rlFetchSrcForInstalled $PACKAGE + rlRun "rpm -ihv `ls *.rpm`" 0 + if grep '1' /proc/sys/crypto/fips_enabled; then + rlRun "echo '1' > /etc/gcrypt/fips_enabled" 0 + fi + rlPhaseEnd + + rlPhaseStartTest + TOPDIR=`rpm --eval %_topdir` + rlRun "pushd $TOPDIR" 0 + rlRun "rm -rf BUILD/libgcrypt-*" 0-255 + rlRun "rpmbuild -vv -bc SPECS/libgcrypt.spec" 0 + rlRun "pushd BUILD/libgcrypt-*" 0 + rlRun "fipshmac src/.libs/libgcrypt.so.??" 
0 + rlRun "make check > $TmpDir/make_check.out" 0 + rlRun "popd" 0 + rlRun "popd" 0 + rlRun "grep \"All [0-9]\+ tests passed\" $TmpDir/make_check.out" 0 \ + "All tests passed" + rlRun "cat $TmpDir/make_check.out" 0 + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "popd" 0 + rlRun "rm -r $TmpDir" 0 + rlFileRestore + rlPhaseEnd + +rlJournalPrintText +rlJournalEnd diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..1a0db89 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,45 @@ +- hosts: localhost + tags: + - classic + - container + roles: + - role: standard-test-basic + required_packages: + - libkcapi-tests + tests: + - upstream-basic-test: + run: /usr/libexec/libkcapi/test.sh + - upstream-enc-test: + run: /usr/libexec/libkcapi/kcapi-enc-test.sh + - upstream-enc-test-large: + run: /usr/libexec/libkcapi/kcapi-enc-test-large.sh + - upstream-dgst-test: + run: /usr/libexec/libkcapi/kcapi-dgst-test.sh + - upstream-hasher-test: + run: /usr/libexec/libkcapi/hasher-test.sh + - upstream-convenience-test: + run: /usr/libexec/libkcapi/kcapi-convenience.sh + - upstream-fuzz-test: + run: /usr/libexec/libkcapi/kcapi-fuzz-test.sh + +- hosts: localhost + tags: + - classic + - container + roles: + - role: standard-test-beakerlib + required_packages: + - fipscheck + - gawk + - gcc-c++ + - libgcrypt + - libgpg-error-devel + - libselinux-utils + - libtool + - nfs-utils + - pkgconfig + - rpm-build + - texinfo + - wget + tests: + - fipscheck-smoke-test
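Review bot: Nothing in the test pins which `fipshmac` is exercised: `PACKAGE="libgcrypt"` is the only package asserted (`rlAssertRpm $PACKAGE`), and `rlRun "fipshmac src/.libs/libgcrypt.so.??" 0` picks up whatever `fipshmac` is first in PATH, so if the original fipscheck package is what got installed the smoke test passes without ever touching libkcapi's replacement. Add `rlAssertRpm libkcapi-fipscheck` to the setup phase and pin the binary, e.g. `rlRun "rpm -qf \$(command -v fipshmac) | grep -q '^libkcapi-fipscheck'" 0`. `TmpDir=\`mktemp -d\`` is also unchecked, and cleanup later runs `rm -r $TmpDir` against it; `TmpDir=$(mktemp -d) || rlDie "mktemp failed"` keeps the cleanup safe. The FIPS toggle `grep '1' /proc/sys/crypto/fips_enabled` matches any line containing a 1; `grep -qx 1` states the intent precisely.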
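Review bot: The beakerlib role's `required_packages` lists `fipscheck` rather than `libkcapi-fipscheck`; whether that name resolves to the replacement depends on the spec's `Provides: fipscheck == 1.5.0-9.1` / `Obsoletes: fipscheck <= 1.5.0-9` winning over any real fipscheck build in the repositories, so the smoke test may end up exercising the wrong package. Require `libkcapi-fipscheck` explicitly (and `libkcapi-hmaccalc` if the `sha*hmac` replacements are meant to be covered) so the job fails loudly when the replacement is absent instead of silently passing against the original tool.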