diff --git a/.gitignore b/.gitignore
index 8d18e03..d0ac82d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libkcapi-1.4.0.tar.xz
+libkcapi-1.5.0.tar.xz
diff --git a/.libkcapi.metadata b/.libkcapi.metadata
deleted file mode 100644
index 56c3b99..0000000
--- a/.libkcapi.metadata
+++ /dev/null
@@ -1 +0,0 @@
-526dca7d8eb8ddc29395f0716ba1233e27bf2ab5 SOURCES/libkcapi-1.4.0.tar.xz
diff --git a/SOURCES/001-tests-kernel-version.patch b/SOURCES/001-tests-kernel-version.patch
deleted file mode 100644
index aa21536..0000000
--- a/SOURCES/001-tests-kernel-version.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek
-Date: Mon, 15 Aug 2022 10:19:50 +0200
-Subject: [PATCH] tests: fix overly-optimistic kernel version checks
-
-The mainline kernel is now at version 6.0 so these >= 5.99 checks are
-now incorrectly enabling tests that don't work. Instead of bumping the
-imaginary version and face the same problem again in a couple years,
-replace the checks with 'false' and a TODO comment.
-
-Signed-off-by: Ondrej Mosnacek
-Signed-off-by: Stephan Mueller
----
- test/test.sh | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/test/test.sh b/test/test.sh
-index 1d9be73..a75b802 100755
---- a/test/test.sh
-+++ b/test/test.sh
-@@ -1560,7 +1560,8 @@ else
- echo_deact "AEAD tests of copied AAD deactivated"
- fi
-
--if $(check_min_kernelver 5 99); then
-+# TODO add version check when supported upstream
-+if false; then
- asymfunc 4
- asymfunc 4 -s
- asymfunc 4 -v
-@@ -1583,7 +1584,8 @@ else
- echo_deact "All asymmetric tests deactivated"
- fi
-
--if $(check_min_kernelver 5 99); then
-+# TODO add version check when supported upstream
-+if false; then
- kppfunc 13
- kppfunc 13 X -m
- kppfunc 13 -v
diff --git a/SOURCES/002-fips-disable-ansi_cprng.patch b/SOURCES/002-fips-disable-ansi_cprng.patch
deleted file mode 100644
index b7f2980..0000000
--- a/SOURCES/002-fips-disable-ansi_cprng.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001 -From: Zoltan Fridrich -Date: Fri, 11 Aug 2023 12:20:22 +0200 -Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode - -Signed-off-by: Zoltan Fridrich -Signed-off-by: Stephan Mueller ---- - test/kcapi-main.c | 45 ++++++++++++++++++++++----------------------- - 1 file changed, 22 insertions(+), 23 deletions(-) - -diff --git a/test/kcapi-main.c b/test/kcapi-main.c -index 67fb53f..23fc8ed 100644 ---- a/test/kcapi-main.c -+++ b/test/kcapi-main.c -@@ -652,8 +652,6 @@ static int is_fips_mode(void) - static int auxiliary_tests(void) - { - struct kcapi_handle *handle = NULL; -- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)" -- : "ansi_cprng"; - int ret = 0; - - if (kcapi_aead_init(&handle, "ccm(aes)", 0)) { -@@ -711,27 +709,28 @@ static int auxiliary_tests(void) - if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0)) - ret++; - -- /* X9.31 RNG must require seed */ -- printf("X9.31 missing seeding: "); -- if (!aux_test_rng(ansi_cprng_name, NULL, 0)) -- ret++; -- /* X9.31 seed too short */ -- printf("X9.31 insufficient seeding: "); -- if (!aux_test_rng(ansi_cprng_name, -- (uint8_t *) -- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16)) -- ret++; -- /* X9.31 seed right sized short */ -- if (aux_test_rng(ansi_cprng_name, -- (uint8_t *) -- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) { -- printf("Error for %s: kernel module ansi_cprng present?\n", -- ansi_cprng_name); -- ret++; -+ if (!is_fips_mode()) { -+ /* X9.31 RNG must require seed */ -+ printf("X9.31 missing seeding: "); -+ if (!aux_test_rng("ansi_cprng", NULL, 0)) -+ ret++; -+ /* X9.31 seed too short */ -+ printf("X9.31 insufficient seeding: "); -+ if (!aux_test_rng("ansi_cprng", -+ (uint8_t *) -+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -+ 
"\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16)) -+ ret++; -+ /* X9.31 seed right sized short */ -+ if (aux_test_rng("ansi_cprng", -+ (uint8_t *) -+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" -+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) { -+ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n"); -+ ret++; -+ } - } - - return ret; diff --git a/SOURCES/003-zeroize-hasher.patch b/SOURCES/003-zeroize-hasher.patch deleted file mode 100644 index 7db6a0e..0000000 --- a/SOURCES/003-zeroize-hasher.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001 -From: Zoltan Fridrich -Date: Wed, 1 Nov 2023 10:54:03 +0100 -Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Requirement introduced by AS05.10: -"The temporary value(s) generated during the integrity test of the -module’s software or firmware shall [05.10] be zeroised from the module -upon completion of the integrity test;" - -As some modules use fipscheck or sha*hmac for integrity tests, these -temporary values need to be zeroised from the hasher. - -Signed-off-by: Zoltan Fridrich -Signed-off-by: Stephan Mueller ---- - apps/kcapi-hasher.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c -index 098b655..f5caf77 100644 ---- a/apps/kcapi-hasher.c -+++ b/apps/kcapi-hasher.c -@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, - if (hashlen > (uint32_t)ret) { - fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n", - (unsigned long)hashlen, ret); -+ kcapi_memset_secure(md, 0, sizeof(md)); - return (int)ret; - } - -@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, - ret = 1; - else - ret = 0; -+ kcapi_memset_secure(compmd, 0, sizeof(compmd)); - } else { - if (outfile == NULL) { /* only print hash (hmaccalc -S) */ - bin2print(md, hashlen, NULL, stdout, -@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, - fprintf(stderr, "Generation of hash for file %s failed (%zd)\n", - filename ? 
filename : "stdin", ret); - } -+ kcapi_memset_secure(md, 0, sizeof(md)); - return (int)ret; - } - -@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params, - if (file) - fclose(file); - kcapi_md_destroy(handle); -+ kcapi_memset_secure(buf, 0, sizeof(buf)); - - /* - * If we found no lines to check, return an error. diff --git a/SOURCES/004-hasher-target-option.patch b/SOURCES/004-hasher-target-option.patch deleted file mode 100644 index 945fcc3..0000000 --- a/SOURCES/004-hasher-target-option.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -diff --color -ruNp a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c ---- a/apps/kcapi-hasher.c 2023-11-28 17:08:09.124214489 +0100 -+++ b/apps/kcapi-hasher.c 2023-11-28 17:11:12.975963482 +0100 -@@ -140,15 +140,17 @@ static void usage(char *name, int fipsch - if (fipscheck) - fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base); - else { -- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base); -+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base); - fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base); - } - fprintf(stderr, "\nOptions:\n"); - fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n"); - fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n"); - fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n"); -- if (!fipscheck) -+ if (!fipscheck) { - fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n"); -+ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n"); -+ } - fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n"); - fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n"); - fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n"); -@@ -530,11 +532,12 @@ static int hash_files(const struct hash_ - #define CHK_STATUS (2) - - static int process_checkfile(const struct hash_params *params, -- const char *checkfile, const char *targetfile, int log) -+ const char *checkfile, const char *targetfile, int log, int fipscheck) - { - FILE *file = NULL; - int ret = 0; - int checked_any = 0; -+ int failed_any = 0; - struct kcapi_handle *handle; - const char *hashname = params->name.kcapiname; - -@@ -570,7 +573,7 @@ static int process_checkfile(const struc - } - - while (fgets(buf, sizeof(buf), file)) { -- char *filename = NULL; // parsed file name -+ const char *filename = NULL; // parsed file name - char *hexhash = NULL; // 
parsed hex value of hash - uint32_t hexhashlen = 0; // length of hash hex value - uint32_t linelen = (uint32_t)strlen(buf); -@@ -645,17 +648,7 @@ static int process_checkfile(const struc - goto out; - } - -- /* fipscheck does not have the filename in the check file */ -- if (targetfile) { -- ret = hasher(handle, params, targetfile, -- hexhash, hexhashlen, stdout); -- checked_any = 1; -- goto out; -- } -- - if (filename) { -- int r; -- - if (!bsd_style) { - if (!isblank(filename[0]) || - (!isblank(filename[1]) && filename[1] != '*')) { -@@ -665,20 +658,29 @@ static int process_checkfile(const struc - } - filename += 2; - } -+ } -+ -+ /* -+ * if targetfile is specified, use it instead of the filename -+ * found inside the checkfile -+ */ -+ if (targetfile) -+ filename = targetfile; - -- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout); -+ if (filename) { -+ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout); -+ checked_any = 1; -+ if (fipscheck) -+ goto out; - -- if (r == 0) { -+ if (ret == 0) { - if (log < CHK_QUIET) - printf("%s: OK\n", filename); - } else { -+ failed_any = 1; - if (log < CHK_STATUS) -- printf("%s: Not OK\n", -- filename); -- if (ret >= 0) -- ret++; -+ printf("%s: Not OK\n", filename); - } -- checked_any = 1; - } - } - -@@ -692,7 +694,7 @@ out: - * If we found no lines to check, return an error. - * (See https://pagure.io/hmaccalc/c/1afb99549816192eb8e6bc8101bc417c2ffa764c) - */ -- return ret != 0 ? ret : !checked_any; -+ return ret != 0 ? 
ret : !(checked_any && !failed_any); - - } - -@@ -770,7 +772,7 @@ static int fipscheck_self(const struct h - goto out; - } - -- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS); -+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1); - if (ret) - goto out; - } -@@ -810,7 +812,7 @@ static int fipscheck_self(const struct h - goto out; - } - -- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS); -+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1); - } - - out: -@@ -866,12 +868,13 @@ int main(int argc, char *argv[]) - {0, 0, 0, 0} - }; - -- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz"; -+ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz"; - static const struct option opts[] = { - {"help", 0, 0, 0}, - {"tag", 0, 0, 0}, - {"quiet", 0, 0, 0}, - {"check", 1, 0, 'c'}, -+ {"target", 1, 0, 'T'}, - {"unkeyed", 0, 0, 'u'}, - {"hash", 1, 0, 'h'}, - {"truncate", 1, 0, 't'}, -@@ -1124,6 +1127,9 @@ int main(int argc, char *argv[]) - version(argv[0]); - ret = 0; - goto out; -+ case 'T': -+ targetfile = optarg; -+ break; - case 'd': - checkdir = optarg; - break; -@@ -1180,6 +1186,11 @@ int main(int argc, char *argv[]) - ret = 1; - goto out; - } -+ if (targetfile) { -+ fprintf(stderr, "-T is not valid for fipscheck\n"); -+ ret = 1; -+ goto out; -+ } - - targetfile = argv[optind]; - if (checkfile) -@@ -1192,12 +1203,18 @@ int main(int argc, char *argv[]) - optind++; - } - -+ if (targetfile && !checkfile) { -+ fprintf(stderr, "-T cannot be used without -c\n"); -+ ret = 1; -+ goto out; -+ } -+ - if (!checkfile) - ret = hash_files(¶ms, argv + optind, - (uint32_t)(argc - optind), - fipshmac, checkdir, 0); - else if (optind == argc) -- ret = process_checkfile(¶ms, checkfile, targetfile, loglevel); -+ ret = process_checkfile(¶ms, checkfile, targetfile, loglevel, fipscheck); - else { - fprintf(stderr, "-c cannot be used with input files\n"); - ret = 1; 
diff --git a/SOURCES/005-fips-mode-tests.patch b/SOURCES/005-fips-mode-tests.patch deleted file mode 100644 index 71a8979..0000000 --- a/SOURCES/005-fips-mode-tests.patch +++ /dev/null 
@@ -1,320 +0,0 @@ -From 8dc30412618019f5480f993c637e4cf0f5a11a39 Mon Sep 17 00:00:00 2001 -From: Zoltan Fridrich -Date: Tue, 28 Nov 2023 09:34:29 +0100 -Subject: [PATCH] Fix kcapi tests in FIPS mode - -Signed-off-by: Zoltan Fridrich ---- - test/hasher-test.sh | 23 +++++++++++--- - test/kcapi-convenience.c | 2 +- - test/kcapi-dgst-test.sh | 16 +++++----- - test/kcapi-enc-test.sh | 16 +++++----- - test/test.sh | 67 ++++++++++++++++++++++++++++++---------- - 5 files changed, 86 insertions(+), 38 deletions(-) - -diff --git a/test/hasher-test.sh b/test/hasher-test.sh -index c90fcc9..e97127e 100755 ---- a/test/hasher-test.sh -+++ b/test/hasher-test.sh -@@ -26,6 +26,11 @@ HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac" - CHKFILE="${TMPDIR}/chk.$$" - ANOTHER="${TMPDIR}/test.$$" - -+is_fips_enabled() -+{ -+ test $(cat /proc/sys/crypto/fips_enabled) = "1" -+} -+ - if [ "$KCAPI_TEST_LOCAL" -eq 1 ]; then - find_platform kcapi-hasher - function run_hasher() { -@@ -365,7 +370,11 @@ fi - for suffix in $KAT_SUFFIXES - do - run_kat sha1$suffix "RFC 2202, section 3, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb617318655057264e28bc0b6fb378c8ef146be00 -- run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79 -+ if is_fips_enabled; then -+ echo_deact "'RFC 2202, section 3, #2' test case deactivated in FIPS" -+ else -+ run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 
0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79 -+ fi - run_kat sha1$suffix "RFC 2202, section 3, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3 - run_kat sha1$suffix "RFC 2202, section 3, #4" 0x0102030405060708090a0b0c0d0e0f10111213141516171819 0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da - run_kat sha1$suffix "RFC 2202, section 3, #5" 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c "Test With Truncation" 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04 -@@ -374,9 +383,15 @@ do - run_kat sha256$suffix "RFC 4231, section 4.2, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7 - run_kat sha384$suffix "RFC 4231, section 4.2, #2" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xafd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6 - run_kat sha512$suffix "RFC 4231, section 4.2, #3" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0x87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854 -- run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843 -- run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649 -- run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 
0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737 -+ if is_fips_enabled; then -+ echo_deact "'RFC 4231, section 4.3, #1' test case deactivated in FIPS" -+ echo_deact "'RFC 4231, section 4.3, #2' test case deactivated in FIPS" -+ echo_deact "'RFC 4231, section 4.3, #3' test case deactivated in FIPS" -+ else -+ run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843 -+ run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649 -+ run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737 -+ fi - run_kat sha256$suffix "RFC 4231, section 4.4, #1" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe - run_kat sha384$suffix "RFC 4231, section 4.4, #2" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27 - run_kat sha512$suffix "RFC 4231, section 4.4, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0xfa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb -diff --git a/test/kcapi-convenience.c b/test/kcapi-convenience.c -index c5ff4b4..1cdaebe 100644 ---- a/test/kcapi-convenience.c -+++ 
b/test/kcapi-convenience.c -@@ -63,7 +63,7 @@ static int hashtest(void) - - static int hmactest(void) - { -- char *in = "teststring"; -+ char *in = "longteststring"; - uint8_t out[64]; - ssize_t ret; - -diff --git a/test/kcapi-dgst-test.sh b/test/kcapi-dgst-test.sh -index 0ad5ed3..67576b3 100755 ---- a/test/kcapi-dgst-test.sh -+++ b/test/kcapi-dgst-test.sh -@@ -105,8 +105,8 @@ test_stdin_stdout() - openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl - diff_file $GENDGST $GENDGST.openssl "STDIN / STDOUT test (keyed MD $keysize bits)" - -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2 -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2 - - diff_file $GENDGST $GENDGST.2 "STDIN / STDOUT test (password)" - } -@@ -135,8 +135,8 @@ test_stdin_fileout() - openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl - diff_file $GENDGST $GENDGST.openssl "STDIN / FILEOUT test (keyed MD $keysize bits)" - -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT - - diff_file $GENDGST $GENDGST.2 "STDIN / FILEOUT test (password)" - } -@@ -165,8 +165,8 @@ test_filein_stdout() - openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl - diff_file $GENDGST 
$GENDGST.openssl "FILEIN / STDOUT test (keyed MD $keysize bits)" - -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2 -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2 - - diff_file $GENDGST $GENDGST.2 "FILEIN / STDOUT test (password)" - } -@@ -197,8 +197,8 @@ test_filein_fileout() - openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl - diff_file $GENDGST $GENDGST.openssl "FILEIN / FILEOUT test (keyed MD $keysize bits)" - -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST -- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2 -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST -+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2 - - diff_file $GENDGST $GENDGST.2 "FILEIN / FILEOUT test (password)" - } -diff --git a/test/kcapi-enc-test.sh b/test/kcapi-enc-test.sh -index 3ace39c..63d2b23 100755 ---- a/test/kcapi-enc-test.sh -+++ b/test/kcapi-enc-test.sh -@@ -163,8 +163,8 @@ test_stdin_stdout() - diff_file $GENCT $GENCT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated CT)" - diff_file $GENPT $GENPT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated PT)" - -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e 
-c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT - - diff_file $ORIGPT $GENPT "STDIN / STDOUT enc test (password)" - } -@@ -195,8 +195,8 @@ test_stdin_fileout() - diff_file $GENCT $GENCT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated CT)" - diff_file $GENPT $GENPT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated PT)" - -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT - - diff_file $ORIGPT $GENPT "STDIN / FILEOUT enc test (password)" - } -@@ -227,8 +227,8 @@ test_filein_stdout() - diff_file $GENCT $GENCT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated CT)" - diff_file $GENPT $GENPT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated PT)" - -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT - - diff_file $ORIGPT $GENPT "FILEIN / STDOUT enc test (password)" - } -@@ -271,8 +271,8 @@ test_filein_fileout() - diff_file $GENCT $GENCT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated CT)" - diff_file $GENPT $GENPT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated PT)" - -- run_app 
kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT -- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT -+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT - - diff_file $ORIGPT $GENPT "FILEIN / FILEOUT enc test (password)" - } -diff --git a/test/test.sh b/test/test.sh -index b889335..e07589e 100755 ---- a/test/test.sh -+++ b/test/test.sh -@@ -450,27 +450,27 @@ PBKDF_exp_7="133a4ce837b4d2521ee2bf03e11c71ca794e0797" - - PBKDF_name_8="hmac(sha256)" - PBKDF_salt_8="73616c74" --PBKDF_pw_8="70617373776f7264" -+PBKDF_pw_8="70617373776f726470617373776f7264" - PBKDF_count_8=4096 --PBKDF_exp_8="c5e478d59288c841aa530db6845c4c8d962893a0" -+PBKDF_exp_8="9cefdbeb6abaaf0e0b6fa3fb5bc9f2b8301d6aca" - - PBKDF_name_9="hmac(sha224)" - PBKDF_salt_9="73616c74" --PBKDF_pw_9="70617373776f7264" -+PBKDF_pw_9="70617373776f726470617373776f7264" - PBKDF_count_9=4096 --PBKDF_exp_9="218c453bf90635bd0a21a75d172703ff6108ef60" -+PBKDF_exp_9="624f7dd223ae0bd8d46a69b27f84e703e7dadd70" - - PBKDF_name_10="hmac(sha384)" - PBKDF_salt_10="73616c74" --PBKDF_pw_10="70617373776f7264" -+PBKDF_pw_10="70617373776f726470617373776f7264" - PBKDF_count_10=4096 --PBKDF_exp_10="559726be38db125bc85ed7895f6e3cf574c7a01c" -+PBKDF_exp_10="2c34a3242a138933c63fce6d827e4acf57ef528d" - - PBKDF_name_11="hmac(sha512)" - PBKDF_salt_11="73616c74" --PBKDF_pw_11="70617373776f7264" -+PBKDF_pw_11="70617373776f726470617373776f7264" - PBKDF_count_11=4096 --PBKDF_exp_11="d197b1b33db0143e018b12f3d1d1479e6cdebdcc" -+PBKDF_exp_11="299ae1f55743f2cb81be4a417b878ab32374660b" - - PBKDF_name_12="cmac(aes)" - PBKDF_salt_12="73616c74" -@@ -480,9 +480,9 @@ PBKDF_exp_12="c4c112c6e1e3b8757640603dec78825ff87605a7" - - PBKDF_name_13="hmac(sha512)" - 
PBKDF_salt_13="73616c74" --PBKDF_pw_13="70617373776f7264" -+PBKDF_pw_13="70617373776f726470617373776f7264" - PBKDF_count_13=4096 --PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5d6883f0be4c24d363b638f4c2f8d917533cd4158937d0b490697a64adadb07f180c323080a7368033eeadf9e612b2e" -+PBKDF_exp_13="299ae1f55743f2cb81be4a417b878ab32374660b17f5b328662e56296582e8a285c307947b41e00fed812c978212394574f57756c481b3d64cc91659f75a468383bcad1e25f2b85c15f8ac7004484889081eb91001b0feab9b12dd51e001491c795bdf45ff880ffe493e7acdd91f1a" - - ########################################################################### - ########################################################################### -@@ -491,9 +491,9 @@ PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b514 - #RFC 5869 Appendix A vectors - HKDF_name_1="hmac(sha256)" - HKDF_ikm_1="0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" --HKDF_salt_1="000102030405060708090a0b0c" -+HKDF_salt_1="000102030405060708090a0b0c0d" - HKDF_info_1="f0f1f2f3f4f5f6f7f8f9" --HKDF_exp_1="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865" -+HKDF_exp_1="cb95d056d6ba6f084df0a03a3317bcca7f83773204b76f527f4f06736168a52bbcd88869a3a4e7972dcd" - - HKDF_name_2="hmac(sha256)" - HKDF_ikm_2="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f" -@@ -555,6 +555,11 @@ KPP_exp_2="78fbd4d1ed7ea6fc8f1e1a6f8a5c750845401589ad3c135088b4ec78f54c57b436d1a - ########################################################################### - ########################################################################### - -+is_fips_enabled() -+{ -+ test $(cat /proc/sys/crypto/fips_enabled) = "1" -+} -+ - # Test required for test with multiple IOVECs on i686 - check_memory() { - if [ $(cat /proc/sys/net/core/optmem_max) -lt $1 ] -@@ 
-576,7 +581,14 @@ check_memory_soft() { - hashfunc() - { - stream=$1 -- HASHEXEC="1 2 3 4 5 6 7 8 9" -+ -+ if is_fips_enabled; then -+ echo_deact "Hash tests using 3DES are disabled in FIPS" -+ HASHEXEC="2 3 4 5 6 7 8 9" -+ else -+ HASHEXEC="1 2 3 4 5 6 7 8 9" -+ fi -+ - for i in $HASHEXEC - do - eval HASH_name=\$HASH_name_$i -@@ -630,7 +642,12 @@ symfunc() - aligned=$3 - aiofallback=$4 - -- SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12" -+ if is_fips_enabled; then -+ echo_deact "Symmetric tests using 3DES are disabled in FIPS" -+ SYMEXEC="1 2 3 8 9 10 11 12" -+ else -+ SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12" -+ fi - - if [ x"$stream" = x"X" ] - then -@@ -666,7 +683,11 @@ symfunc() - - # Disable XTS tests for multi-threading due to the issue - # discussed in https://github.com/smuellerDD/libkcapi/issues/92 -- SYMEXEC="1 2 3 4 5 6 7" -+ if is_fips_enabled; then -+ SYMEXEC="1 2 3" -+ else -+ SYMEXEC="1 2 3 4 5 6 7" -+ fi - else - sout="one shot" - fi -@@ -1148,7 +1169,13 @@ pbkdftest() - { - aligned=$1 - -- PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13" -+ if is_fips_enabled; then -+ echo_deact "PBKDF tests using SHA1 are disabled in FIPS" -+ PBKDFEXEC="8 9 10 11 12 13" -+ else -+ PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13" -+ fi -+ - for i in $PBKDFEXEC - do - eval PBKDF_name=\$PBKDF_name_$i -@@ -1185,7 +1212,13 @@ hkdftest() - { - aligned=$1 - -- HKDFEXEC="1 2 3 4 5 6 7" -+ if is_fips_enabled; then -+ echo_deact "HKDF tests using SHA1 and zero length salts are disabled in FIPS" -+ HKDFEXEC="1 2" -+ else -+ HKDFEXEC="1 2 3 4 5 6 7" -+ fi -+ - for i in $HKDFEXEC - do - eval HKDF_name=\$HKDF_name_$i diff --git a/SOURCES/libkcapi-1.4.0.tar.xz.asc b/SOURCES/libkcapi-1.4.0.tar.xz.asc deleted file mode 100644 index 037df0e..0000000 --- a/SOURCES/libkcapi-1.4.0.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmISvaAACgkQQh7pNjJq -wVv6jggAh7UpchOXZ1THbDZ0PE+YGWSr3Y3qKHMls9ixNn/RDSYxPvyZqc6pIAKQ -zVA6bGtB9kqcSexmrk2EyiUYgi1lo+5HwsfAfHBQaq7vD1S8Q/FYx/XVRv2GQfkj -/E1ivlcdcInlpn+vu+7Hei+H/IXtETh8QPwGwRI1Je84pIt7K4K4VPwWpur0su6E -oF1AFT6ldlMczsoDTCi3eP3rZWKvMmX5718W9F6eKuTkKoIiipCUxdMBy4f6YpDB -1ZmQPHjSgG4URlclQnFiGXYAbMBRHYfguJRl/HjZWSQMigRzqGSdvJR8wrfMeQzr -Bk0z0nGayzHgcC7gPz8CsAMJj5C9eQ== -=OA3o ------END PGP SIGNATURE----- diff --git a/SOURCES/fipshmac-openssl.sh b/fipshmac-openssl.sh similarity index 100% rename from SOURCES/fipshmac-openssl.sh rename to fipshmac-openssl.sh diff --git a/libkcapi-1.5.0.tar.xz.asc b/libkcapi-1.5.0.tar.xz.asc new file mode 100644 index 0000000..b01dbe4 --- /dev/null +++ b/libkcapi-1.5.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmWgNy0ACgkQQh7pNjJq +wVvBXAf+Jj6w9sssgWOnDsybgM8YmILFqikWgmHEDpKfsqQmMKLXT/6ovSFeRht5 +TI0vPB9p1FDnBbVx7/go1lUwt+I+TZV5lW7Vl/goZh+O/VvWoSBdO1joBYqM3wYU +pqtf63WUBM9HcCj2s2pVjbZnblZloWQvH8Lo0eyuoDEJGMJgkKoTEq8/aEIVqZ3I +MyMdXm2R2JuhYgKJZw1k1c1eDt9xDs4iFCve7H4TnISqj5D0q5FRIKJVLwOFs20L +16S0aZSrR8IGMr2sUi6Qsric91xSlpz1MoIWocUoliWKHut/VuiXt9e4QAoD9d5t +kusdWafJhKkaTSWj1S7JQhtFmJq/Kw== +=xTnZ +-----END PGP SIGNATURE----- diff --git a/SPECS/libkcapi.spec b/libkcapi.spec similarity index 66% rename from SPECS/libkcapi.spec rename to libkcapi.spec index 2300911..4b9ac57 100644 --- a/SPECS/libkcapi.spec +++ b/libkcapi.spec 
@@ -1,6 +1,16 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+ release_number = 3;
+ base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+ print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 # Shared object version of libkcapi.
 %global vmajor 1
-%global vminor 4
+%global vminor 5
 %global vpatch 0
 # Do we build the replacements packages?
@@ -84,8 +94,9 @@
 %global hmaccalc_evr 0.9.14-10%{?dist}
 %endif
+%global apps_coreutils sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum
 %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
-%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac
+%global apps_fipscheck fipscheck fipshmac
 # On old kernels use mock hashers implemented via openssl
 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
@@ -96,50 +107,35 @@ %global fipshmac bash %{SOURCE3} %endif -# Add generation of HMAC checksums of the final stripped -# binaries. %%define with lazy globbing is used here +# Add generation of HMAC checksum of the final stripped +# binary. %%define with lazy globbing is used here # intentionally, because using %%global does not work. %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ bin_path=%{buildroot}%{_bindir} \ -lib_path=%{buildroot}/%{_lib} \ -for app in %{apps_hmaccalc}; do \ - test -e "$bin_path"/$app || continue \ - { %sha512hmac "$bin_path"/$app || exit 1; } \\\ - | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \ -done \ -for app in %{apps_fipscheck}; do \ - test -e "$bin_path"/$app || continue \ - %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \ -done \ -%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \ -%fipshmac -d "$lib_path"/fipscheck \\\ - "$lib_path"/libkcapi.so.%{version} || exit 1 \ +lib_path=%{buildroot}%{_libdir} \ +{ %sha512hmac "$bin_path"/kcapi-hasher || exit 1; } | \\\ + cut -f 1 -d ' ' >"$lib_path"/hmaccalc/kcapi-hasher.hmac \ +{ %sha512hmac "$lib_path"/libkcapi.so.%{version} || exit 1; } | \\\ + cut -f 1 -d ' ' >"$lib_path"/hmaccalc/libkcapi.so.%{version}.hmac \ %{__ln_s} libkcapi.so.%{version}.hmac \\\ - "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ + "$lib_path"/hmaccalc/libkcapi.so.%{vmajor}.hmac \ %{nil} - Name: libkcapi Version: %{vmajor}.%{vminor}.%{vpatch} -Release: 2%{?dist} +Release: %autorelease Summary: User space interface to the Linux Kernel Crypto API License: BSD-3-Clause OR GPL-2.0-only -URL: https://www.chronox.de/%{name}.html -Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz -Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc +URL: https://www.chronox.de/%{name}/ +Source0: https://www.chronox.de/%{name}/releases/%{version}/%{name}-%{version}.tar.xz +Source1: 
https://www.chronox.de/%{name}/releases/%{version}/%{name}-%{version}.tar.xz.asc Source2: sha512hmac-openssl.sh Source3: fipshmac-openssl.sh -Patch1: 001-tests-kernel-version.patch -Patch2: 002-fips-disable-ansi_cprng.patch -Patch3: 003-zeroize-hasher.patch -Patch4: 004-hasher-target-option.patch -Patch5: 005-fips-mode-tests.patch - BuildRequires: bash BuildRequires: coreutils BuildRequires: gcc @@ -193,17 +189,29 @@ Header files for applications that use %{name}. %if %{with doc} %package doc Summary: User documentation for the %{name} package -Requires: %{name}%{?_isa} == %{version}-%{release} +BuildArch: noarch +# Depend on one of the base packages because they have the license files +# We cannot just bundle them into doc because they might conflict with an +# older or newer version of the base package. +Requires: %{name} == %{version}-%{release} %description doc User documentation for %{name}. %endif +%package hasher +Summary: Common %{name} hashing application +Requires: %{name}%{?_isa} == %{version}-%{release} + +%description hasher +Provides The kcapi-hasher binary used by other %{name} subpackages. + + %if %{with replace_coreutils} %package checksum Summary: Drop-in replacement for *sum utils provided by the %{name} package -Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}-hasher%{?_isa} == %{version}-%{release} Requires: coreutils%{?_isa} >= %{coreutils_evr} @@ -219,7 +227,7 @@ coreutils) using %{name}. %if %{with replace_fipscheck} %package fipscheck Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package -Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}-hasher%{?_isa} == %{version}-%{release} Obsoletes: fipscheck <= %{fipscheck_evr} 
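Review bot: In the `%define __spec_install_post` hunk, the `|| exit 1` sits inside a brace group on the left-hand side of a pipe, so it ends only that side of the pipeline; the status the scriptlet sees is that of `cut`, and a failing `%sha512hmac` would leave an empty `.hmac` file without stopping the build unless the build shell has `pipefail` enabled. The removed code already had this shape for the hmaccalc tools, but the library HMAC used to come from a plain `%fipshmac ... || exit 1` and now goes through the pipe as well, so the integrity file for `libkcapi.so.%{version}` loses its failure check. A cheap guard is to test each result after it is written, for example `test -s "$lib_path"/hmaccalc/kcapi-hasher.hmac || exit 1 \` and `test -s "$lib_path"/hmaccalc/libkcapi.so.%{version}.hmac || exit 1 \` before the `%{__ln_s}` line.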
@@ -235,7 +243,7 @@ package fipscheck) using %{name}. %if %{with replace_hmaccalc} %package hmaccalc Summary: Drop-in replacements for hmaccalc provided by the %{name} package -Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}-hasher%{?_isa} == %{version}-%{release} Obsoletes: hmaccalc <= %{hmaccalc_evr} @@ -260,7 +268,8 @@ is highly discouraged. %package tools Summary: Utility applications for the %{name} package -Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}-hasher%{?_isa} == %{version}-%{release} %description tools Utility applications that are provided with %{name}. This includes @@ -291,6 +300,10 @@ Auxiliary scripts for testing %{name}. %prep %autosetup -p 1 -S git +# Work around https://bugzilla.redhat.com/show_bug.cgi?id=2258240 +sed -i -e 's|XML V45|XML V4.1.2|' -e 's|/xml/4\.5/|/xml/4.1.2/|' \ + lib/doc/libkcapi.tmpl + %if %{with_sysctl_tweak} %{__cat} << EOF > README.%{distroname_ext} This package increases the default limit of the ancillary buffer size @@ -330,7 +343,7 @@ EOF %build %configure \ - --libdir=/%{_lib} \ + --libdir=%{_libdir} \ --disable-silent-rules \ --enable-kcapi-encapp \ --enable-kcapi-dgstapp \ @@ -341,7 +354,7 @@ EOF --enable-shared \ --enable-static \ --enable-sum-prefix= \ - --enable-sum-dir=/%{_lib} \ + --enable-sum-dir=%{_libdir} \ --with-pkgconfigdir=%{_libdir}/pkgconfig %if %{with doc} %make_build all doc 
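Review bot: `%prep` in the `@@ -291,6 +300,10 @@` hunk goes straight from `%prep` to `%autosetup`, so the detached signature this commit refreshes (`libkcapi-1.5.0.tar.xz.asc`, listed as `Source1`) does not appear to be checked at build time, and tarball integrity seems to rest on the SHA512 in `sources` alone. If the upstream signing key can be carried as an extra Source, a line such as `%{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` ahead of `%autosetup` would bind the tarball to that key; `Source4` is a placeholder number here, and `BuildRequires: gnupg2` would be needed if it is not already listed. The rest of `%prep` and the full BuildRequires list lie outside the visible hunks, so confirm that no verification happens elsewhere before adding it.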
@@ -374,20 +387,22 @@ EOF %endif # Install replacement tools, if enabled. -%if !%{with replace_coreutils} -%{__rm} -f \ - %{buildroot}%{_bindir}/md5sum \ - %{buildroot}%{_bindir}/sha*sum \ - %{buildroot}%{_bindir}/sm*sum +%if %{with replace_coreutils} +for app in %apps_coreutils; do + %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app +done %endif -%if !%{with replace_fipscheck} -%{__rm} -f %{buildroot}%{_bindir}/fips* +%if %{with replace_fipscheck} +for app in %apps_fipscheck; do + %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app +done %endif -%if !%{with replace_hmaccalc} -%{__rm} -f %{buildroot}%{_bindir}/sha*hmac -%{__rm} -f %{buildroot}%{_bindir}/sm*hmac +%if %{with replace_hmaccalc} +for app in %apps_hmaccalc; do + %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app +done %endif # We don't ship autocrap dumplings. @@ -409,7 +424,7 @@ EOF # Possibly save some space by hardlinking. for d in %{_mandir} %{_pkgdocdir}; do - %{_sbindir}/hardlink -cfv %{buildroot}$d + %{_bindir}/hardlink -cfv %{buildroot}$d done @@ -419,7 +434,11 @@ done %make_build scan %endif %if %{with cppcheck} -%make_build cppcheck +# -UCHECK_DIR: string literal concatenation raises syntaxError +# with cppcheck-2.11 (https://trac.cppcheck.net/ticket/11830) +# --check-level=exhaustive: otherwise it emits warnings that get +# treated like errors +%make_build cppcheck CPPCHECK="cppcheck --check-level=exhaustive -UCHECK_DIR" %endif %if %{with test} 
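Review bot: The three loops in the `@@ -374,20 +387,22 @@` hunk spell the link target by hand as `../libexec/libkcapi/$app`, which hard-codes the package name and assumes `%{_libexecdir}` is a sibling of `%{_bindir}`, while `%files hasher` names the same location as `%{_libexecdir}/%{name}`. Letting `ln` derive the relative path keeps the two in step: `%{__ln_s} -r %{buildroot}%{_libexecdir}/%{name}/$app %{buildroot}%{_bindir}/$app`. Because these links are what make the drop-in `sha*sum`, `fipscheck` and `sha*hmac` commands resolve to the hasher, a short comment above the first loop saying so would also help the next packager.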
@@ -449,10 +468,10 @@ popd %doc %dir %{_pkgdocdir} %doc %{_pkgdocdir}/README.md %license COPYING* -/%{_lib}/%{name}.so.%{vmajor} -/%{_lib}/%{name}.so.%{version} -/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac -/%{_lib}/fipscheck/%{name}.so.%{version}.hmac +%{_libdir}/%{name}.so.%{vmajor} +%{_libdir}/%{name}.so.%{version} +%{_libdir}/hmaccalc/%{name}.so.%{vmajor}.hmac +%{_libdir}/hmaccalc/%{name}.so.%{version}.hmac %if %{with_sysctl_tweak} %doc %{_pkgdocdir}/README.%{distroname_ext} %{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf @@ -464,7 +483,7 @@ popd %doc %{_pkgdocdir}/TODO %{_includedir}/kcapi.h %{_mandir}/man3/kcapi_*.3.* -/%{_lib}/%{name}.so +%{_libdir}/%{name}.so %{_libdir}/pkgconfig/%{name}.pc @@ -476,33 +495,38 @@ popd %endif +%files hasher +%{_bindir}/kcapi-hasher +%{_libexecdir}/%{name}/md5sum +%{_libexecdir}/%{name}/sha*sum +%{_libexecdir}/%{name}/sm*sum +%{_libexecdir}/%{name}/fips* +%{_libexecdir}/%{name}/sha*hmac +%{_libexecdir}/%{name}/sm*hmac +%{_libdir}/hmaccalc/kcapi-hasher.hmac + + %if %{with replace_coreutils} %files checksum %{_bindir}/md5sum %{_bindir}/sha*sum %{_bindir}/sm*sum -/%{_lib}/fipscheck/md5sum.hmac -/%{_lib}/fipscheck/sha*sum.hmac -/%{_lib}/fipscheck/sm*sum.hmac %endif %if %{with replace_fipscheck} %files fipscheck %{_bindir}/fips* -/%{_lib}/fipscheck/fips*.hmac %endif %if %{with replace_hmaccalc} %files hmaccalc %{_bindir}/sha*hmac %{_bindir}/sm*hmac -/%{_lib}/hmaccalc/sha*hmac.hmac -/%{_lib}/hmaccalc/sm*hmac.hmac %endif %files static -/%{_lib}/%{name}.a +%{_libdir}/%{name}.a %files tools 
@@ -512,94 +536,181 @@ popd %if %{with test_package} %files tests -%{_libexecdir}/%{name}/* +%{_libexecdir}/%{name}/kcapi +%{_libexecdir}/%{name}/kcapi-convenience +%{_libexecdir}/%{name}/kcapi-enc-test-large +%{_libexecdir}/%{name}/*.sh %endif %changelog -* Fri Dec 01 2023 Zoltan Fridrich - 1.4.0-2 -- Backport fixes for kcapi-hasher target option - Related: RHEL-15300 -- Fix kcapi tests in FIPS mode - Resolves: RHEL-2406 +## START: Generated by rpmautospec +* Tue Oct 29 2024 Troy Dawson - 1.5.0-3 +- Bump release for October 2024 mass rebuild: -* Wed Nov 01 2023 Zoltan Fridrich - 1.4.0-1 -- Update to new upstream release 1.4.0 - Resolves: RHEL-5366 -- Add a patch to fix auxiliary tests in FIPS mode - Resolves: RHEL-2406 -- Add a patch to zeroize kcapi-hasher for FIPS 140-3 - Resolves: RHEL-15290 -- Add a patch to allow overriding target file in kcapi-hasher - Resolves: RHEL-15300 +* Thu Aug 08 2024 Zoltan Fridrich - 1.5.0-2 +- Fixup 1.5.0 rebase -* Tue May 26 2020 Sahana Prasad - 1.2.0-2 -- Fix double free issue in hasher() +* Fri Jul 26 2024 Zoltan Fridrich - 1.5.0-1 +- Rebase to 1.5.0 -* Mon May 25 2020 Sahana Prasad - 1.2.0-1 -- [RHEL] Update to upstream version 1.2.0 +* Tue Jul 09 2024 Ondrej Moris - 1.4.0-15 +- Enable RHEL-10 CI and gating -* Thu Apr 30 2020 Sahana Prasad - 1.1.5-3 -- Enables building on old kernels [sync fix in Fedora from omosnance]. -- This is required for covscans as they run on RHEL7 machines. 
+* Mon Jun 24 2024 Troy Dawson - 1.4.0-14 +- Bump release for June 2024 mass rebuild -* Wed Apr 29 2020 Sahana Prasad - 1.1.5-2 -- Drop the license from the doc subpackage to avoid conflicts +* Tue May 28 2024 Zoltan Fridrich - 1.4.0-13 +- Bring back usage of /usr/lib64 instead of /lib64 -* Mon Apr 27 2020 Sahana Prasad - 1.1.5-1 -- [RHEL] Update to upstream version 1.1.5 -- [RHEL] Sync with Fedora branch +* Tue May 28 2024 Zoltan Fridrich - 1.4.0-12 +- Remove tests from repo -* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-16_1 -- [RHEL] Apply 'Add missing dependencies to the tests package' -- [RHEL] Apply 'Update patch from upstream' +* Tue May 28 2024 Zoltan Fridrich - 1.4.0-11 +- Backport fixes from c9s + +* Thu Jan 25 2024 Fedora Release Engineering - 1.4.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 1.4.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Aug 30 2023 Zoltan Fridrich - 1.4.0-8 +- Migrate to SPDX license + +* Fri Jul 28 2023 Yaakov Selkowitz - 1.4.0-7 +- Fix build with cppcheck-2.11 + +* Thu Jul 20 2023 Fedora Release Engineering - 1.4.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 1.4.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Aug 25 2022 Ondrej Mosnacek - 1.4.0-4 +- Convert tests to TMT + +* Thu Aug 25 2022 Ondrej Mosnacek - 1.4.0-3 +- Add a patch to fix tests with kernels 6.0+ + +* Sat Aug 13 2022 Ondrej Mosnáček - 1.4.0-2 +- Switch to rpmautospec + +* Sat Aug 13 2022 Ondrej Mosnáček - 1.4.0-1 +- Update to upstream version 1.4.0 +- Re-enable cppcheck scanning on Fedora +- Resolves: rhbz#2056732 + +* Thu Jul 21 2022 Fedora Release Engineering - 1.3.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 1.3.1-4 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jul 22 2021 Fedora Release Engineering - 1.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jul 14 2021 Simo Sorce - 1.3.1-2 +- Remove LTO build suppression by using better symver machinery + +* Wed Jul 14 2021 Simo Sorce - 1.3.1-1 +- Update to upstream version 1.3.1 which fixes ABI issues + +* Mon Jul 12 2021 Simo Sorce - 1.3.0-1 +- Update to upstream version 1.3.0 + +* Mon Mar 15 2021 Sahana Prasad - 1.2.1-1 +- Update to upstream version 1.2.1 +- Remove patch fix MSG_MORE uasge as it is added upstream +- Remove cppcheck dependency for rhel bz#1931518 +- Add a patch to fix fuzz tests + +* Tue Jan 26 2021 Fedora Release Engineering - 1.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Aug 14 2020 Ondrej Mosnáček - 1.2.0-3 +- Require perl-interpreter instead of full perl +- Backport fix for 5.9 kernels + +* Tue Jul 28 2020 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon May 25 2020 Sahana Prasad - 1.2.0-1 +- Update to upstream version 1.2.0 tracked by BZ 1839592. +- Enable kcapi-enc tests as libkcapi BZ 1826022 is fixed. +- Remove 110-fipshmac-compat.patch as the changes are merged upstream. +- Remove 100-workaround-cppcheck-bug.patch as the changes are merged upstream. + +* Tue May 05 2020 Ondrej Mosnáček - 1.1.5-5 +- Fix the CI test failures +- Enable building on old kernels +- Avoid conflicts between different versions of packages + +* Thu Apr 23 2020 Tomáš Mráz - 1.1.5-4 +- Add . prefix to files created by fipshmac if -d option is not specified + +* Wed Apr 22 2020 Sahana Prasad - 1.1.5-3 +- Disables kcapi-enc tests until the kernel bug bz 1826022 is fixed. 
+- Produce also the fipscheck replacement package + +* Wed Jan 29 2020 Fedora Release Engineering - 1.1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Aug 13 2019 Ondrej Mosnáček - 1.1.5-1 +- Update to upstream version 1.1.5 + +* Sat Jul 27 2019 Ondrej Mosnáček - 1.1.4-6 +- Backport patch to fix test failure on aarch64 +- Remove no longer needed ppc64 workaround + +* Sat Jul 27 2019 Ondrej Mosnáček - 1.1.4-5 +- Backport patch to fix tests + +* Thu Jul 25 2019 Ondrej Mosnáček - 1.1.4-4 +- Work around cppcheck issue +- Enable gating + +* Thu Jul 25 2019 Fedora Release Engineering - 1.1.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon May 27 2019 Ondrej Mosnáček - 1.1.4-2 +- Fix FTBFS: hardlink is now in bindir + +* Sat Feb 02 2019 Ondrej Mosnáček - 1.1.4-1 +- Update to upstream version 1.1.4 + +* Fri Feb 01 2019 Ondrej Mosnáček - 1.1.3-3 +- Fix build with new GCC + +* Fri Feb 01 2019 Fedora Release Engineering - 1.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Aug 23 2018 Ondrej Mosnáček - 1.1.3-1 +- Update to upstream version 1.1.3 * Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-16 - Add missing dependencies to the tests package - Update patch from upstream -* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-15_1 -- [RHEL] Apply 'Build and tests require perl' - * Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-15 - Build and tests require perl -* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14_2 -- [RHEL] Re-enable AEAD tests and ignore test result -- [RHEL] Drop the ppc64 ignore-failures workaround - -* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14_1 -- [RHEL] Apply 'Add missing script to the 'tests' package' - * Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14 - Add missing script to the 'tests' package -* Wed Aug 08 2018 Ondrej Mosnáček - 1.1.1-13_1 -- [RHEL] Sync with the Fedora branch - * Wed Aug 08 2018 Ondrej Mosnáček - 1.1.1-13 - Add missing requires to the 'tests' subpackage -* Wed Aug 08 
2018 Ondrej Mosnáček - 1.1.1-12_1 -- [RHEL] Sync with the Fedora branch - * Tue Aug 07 2018 Ondrej Mosnáček - 1.1.1-12 - Produce a subpackage with test scripts - Build the 'tests' subpackage conditionally -* Wed Aug 01 2018 Ondrej Mosnáček - 1.1.1-11_1 -- [RHEL] Sync with the Fedora branch - * Wed Aug 01 2018 Ondrej Mosnáček - 1.1.1-11 - Add patch to fix unwanted closing of FD 0 * Tue Jul 31 2018 Ondrej Mosnáček - 1.1.1-10 - Remove the kernel headers workaround -* Mon Jul 30 2018 Ondrej Mosnáček - 1.1.1-9_1 -- [RHEL] Sync with the Fedora branch -- [RHEL] Rebase the disable-AEAD-tests patch - * Fri Jul 27 2018 Igor Gnatenko - 1.1.1-9 - Rebuild for new binutils @@ -608,18 +719,10 @@ popd - Add patch to fix AEAD fuzz test for BE arches - Fixup specfile -* Mon Jul 23 2018 Ondrej Mosnáček - 1.1.1-7_1 -- [RHEL] Sync with the Fedora branch -- [RHEL] Fixup specfile -- [RHEL] Rebase the disable-AEAD-tests patch - * Mon Jul 23 2018 Ondrej Mosnáček - 1.1.1-7 - Add various fixes from upstream - Drop the Requires on kernel package -* Wed Jul 18 2018 Ondrej Mosnáček - 1.1.1-3_2 -- [RHEL] Temporarily disable AEAD tests - * Mon Jul 16 2018 Ondrej Mosnáček - 1.1.1-6 - Put .hmac files into a separate directory 
@@ -629,28 +732,12 @@ popd * Thu Jul 12 2018 Ondrej Mosnáček - 1.1.1-4 - Add patch to work around FTBFS on rawhide -* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-3_1 -- [RHEL] Sync with the Fedora branch - * Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-3 - Fix off-by-one error in checkfile parsing -* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2_2 -- [RHEL] Disable fuzz test - -* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2_1 -- [RHEL] Sync with the Fedora branch - * Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2 - Fix command-line parsing in libkcapi-hmaccalc -* Tue Jul 10 2018 Ondrej Mosnáček - 1.1.1-1_2 -- [RHEL] Work around build failure with new kernel headers - -* Mon Jun 18 2018 Ondrej Mosnáček - 1.1.1-1_1 -- [RHEL] Skip CLang static analysis -- [RHEL] Remove the dependency on kernel package - * Mon Jun 18 2018 Ondrej Mosnáček - 1.1.1-1 - Update to upstream version 1.1.1 @@ -753,3 +840,5 @@ popd * Wed Jan 10 2018 Björn Esser - 1.0.2-0.1 - Initial rpm release (rhbz#1533929) + +## END: Generated by rpmautospec diff --git a/SOURCES/sha512hmac-openssl.sh b/sha512hmac-openssl.sh similarity index 100% rename from SOURCES/sha512hmac-openssl.sh rename to sha512hmac-openssl.sh diff --git a/sources b/sources new file mode 100644 index 0000000..08b8acf --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libkcapi-1.5.0.tar.xz) = db156ee94fc63815a31876ab072aca72a806b26961c43f2caf8495c53b95484de71cd3be84dc9e5c9560e9ee704979be059ff6c102b4893d6bbdf9a8a69a667a