From 8510b5be2fb962eb776c48621a1a692cfece21e8 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Thu, 2 Nov 2023 12:31:26 +0100
Subject: [PATCH] Update to new upstream release 1.4.0 Resolves: RHEL-5366
Signed-off-by: Zoltan Fridrich
---
.gitignore | 7 +-
001-tests-kernel-version.patch | 40 ++++++++++++
100-fix-double-free-hasher.patch | 54 ---------------
libkcapi.spec | 109 +++++++++++++++++++++++--------
sources | 4 +-
5 files changed, 128 insertions(+), 86 deletions(-)
create mode 100644 001-tests-kernel-version.patch
delete mode 100644 100-fix-double-free-hasher.patch
diff --git a/.gitignore b/.gitignore
index 04b73d2..6473ae7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-SOURCES/libkcapi-1.2.0.tar.xz
-SOURCES/libkcapi-1.2.0.tar.xz.asc
-/libkcapi-1.2.0.tar.xz
-/libkcapi-1.2.0.tar.xz.asc
+/libkcapi-*.tar.xz
+/libkcapi-*.tar.xz.asc
+/*.src.rpm
diff --git a/001-tests-kernel-version.patch b/001-tests-kernel-version.patch
new file mode 100644
index 0000000..aa21536
--- /dev/null
+++ b/001-tests-kernel-version.patch
@@ -0,0 +1,40 @@
+From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Mon, 15 Aug 2022 10:19:50 +0200
+Subject: [PATCH] tests: fix overly-optimistic kernel version checks
+
+The mainline kernel is now at version 6.0 so these >= 5.99 checks are
+now incorrectly enabling tests that don't work. Instead of bumping the
+imaginary version and face the same problem again in a couple years,
+replace the checks with 'false' and a TODO comment.
+
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: Stephan Mueller
+---
+ test/test.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/test/test.sh b/test/test.sh
+index 1d9be73..a75b802 100755
+--- a/test/test.sh
++++ b/test/test.sh
+@@ -1560,7 +1560,8 @@ else
+ echo_deact "AEAD tests of copied AAD deactivated"
+ fi
+
+-if $(check_min_kernelver 5 99); then
++# TODO add version check when supported upstream
++if false; then
+ asymfunc 4
+ asymfunc 4 -s
+ asymfunc 4 -v
+@@ -1583,7 +1584,8 @@ else
+ echo_deact "All asymmetric tests deactivated"
+ fi
+
+-if $(check_min_kernelver 5 99); then
++# TODO add version check when supported upstream
++if false; then
+ kppfunc 13
+ kppfunc 13 X -m
+ kppfunc 13 -v
diff --git a/100-fix-double-free-hasher.patch b/100-fix-double-free-hasher.patch
deleted file mode 100644
index a64cabb..0000000
--- a/100-fix-double-free-hasher.patch
+++ /dev/null
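Review bot: Both `if false; then` guards in the embedded test/test.sh patch make the asymmetric-cipher and KPP test groups unreachable on every kernel, so `%check` never exercises those code paths. The `echo_deact "All asymmetric tests deactivated"` call visible as context in the second inner hunk still reports the asymmetric skip in the build log, but the spec itself says nothing about it. Whether this build enables those APIs is not visible here; if it does, I would add a comment above `Patch1:` such as `# Upstream c2af62dc: asym and KPP tests are disabled unconditionally until upstream adds a real version check`.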
@@ -1,54 +0,0 @@
---- libkcapi-1.2.0/apps/kcapi-hasher.c.fix-double-free-hasher 2020-05-26 16:31:28.296332614 +0200
-+++ libkcapi-1.2.0/apps/kcapi-hasher.c 2020-05-26 16:37:07.681011437 +0200
-@@ -301,7 +301,7 @@ static int hasher(struct kcapi_handle *h
- fprintf(stderr,
- "Use of mmap failed mapping %zu bytes at offset %" PRId64 " of file %s (%d)\n",
- mapped, (int64_t)offset, filename, ret);
-- goto out;
-+ return ret;
- }
- /* Compute hash */
- memblock_p = memblock;
-@@ -311,8 +311,10 @@ static int hasher(struct kcapi_handle *h
- INT_MAX : (uint32_t)left;
-
- ret = kcapi_md_update(handle, memblock_p, todo);
-- if (ret < 0)
-- goto out;
-+ if (ret < 0) {
-+ munmap(memblock, mapped);
-+ return ret;
-+ }
- left -= todo;
- memblock_p += todo;
- } while (left);
-@@ -329,7 +331,7 @@ static int hasher(struct kcapi_handle *h
-
- ret = kcapi_md_update(handle, tmpbuf, bufsize);
- if (ret < 0)
-- goto out;
-+ return ret;
- }
- kcapi_memset_secure(tmpbuf, 0, sizeof(tmpbuf));
- }
-@@ -340,7 +342,7 @@ static int hasher(struct kcapi_handle *h
- if (hashlen > (uint32_t)ret) {
- fprintf(stderr, "Invalid truncated hash size: %lu > %i\n",
- (unsigned long)hashlen, ret);
-- goto out;
-+ return ret;
- }
-
- if (!hashlen)
-@@ -376,11 +378,6 @@ static int hasher(struct kcapi_handle *h
- fprintf(stderr, "Generation of hash for file %s failed (%d)\n",
- filename ? filename : "stdin", ret);
- }
--
---out:
--- if (memblock)
--- munmap(memblock, mapped);
--
- return ret;
- }
-
diff --git a/libkcapi.spec b/libkcapi.spec
index 3ee0ab4..35ae3cf 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -1,6 +1,6 @@ # Shared object version of libkcapi. %global vmajor 1 -%global vminor 2 +%global vminor 4 %global vpatch 0 # Do we build the replacements packages? 
@@ -22,6 +22,21 @@ %else %bcond_with test_package %endif +# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518 +%if 0%{?rhel} +%bcond_with cppcheck +%else +%bcond_without cppcheck +%endif + +# Use `--without test` to build without running the tests +%bcond_without test +# Use `--without fuzz_test` to skip the fuzz test during build +%bcond_without fuzz_test +# Use `--without doc` to build without the -doc subpackage +%bcond_without doc +# Use `--without clang_sa` to skip clang static analysis during build +%bcond_without clang_sa # This package needs at least Linux Kernel v4.10.0. %global min_kernel_ver 4.10.0 @@ -69,16 +84,16 @@ %global hmaccalc_evr 0.9.14-10%{?dist} %endif -%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac -%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac +%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac +%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac # On old kernels use mock hashers implemented via openssl %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 %global sha512hmac bin/kcapi-hasher -n sha512hmac %global fipshmac bin/kcapi-hasher -n fipshmac %else -%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh -%global fipshmac bash %{_sourcedir}/fipshmac-openssl.sh +%global sha512hmac bash %{SOURCE2} +%global fipshmac bash %{SOURCE3} %endif # Add generation of HMAC checksums of the final stripped 
@@ -109,32 +124,39 @@ done \ Name: libkcapi Version: %{vmajor}.%{vminor}.%{vpatch} -Release: 2%{?dist} +Release: 1%{?dist} Summary: User space interface to the Linux Kernel Crypto API -License: BSD or GPLv2 -URL: http://www.chronox.de/%{name}.html -Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz -Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc +License: BSD-3-Clause OR GPL-2.0-only +URL: https://www.chronox.de/%{name}.html +Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz +Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Source2: sha512hmac-openssl.sh Source3: fipshmac-openssl.sh -Patch100: 100-fix-double-free-hasher.patch +Patch1: 001-tests-kernel-version.patch BuildRequires: bash -BuildRequires: clang BuildRequires: coreutils -BuildRequires: cppcheck -BuildRequires: docbook-utils-pdf BuildRequires: gcc -BuildRequires: git +BuildRequires: git-core BuildRequires: hardlink BuildRequires: kernel-headers >= %{min_kernel_ver} BuildRequires: libtool +BuildRequires: make BuildRequires: openssl -BuildRequires: perl +BuildRequires: perl-interpreter BuildRequires: systemd BuildRequires: xmlto +%if %{with doc} +BuildRequires: docbook-utils-pdf +%endif +%if %{with clang_sa} +BuildRequires: clang +%endif +%if %{with cppcheck} +BuildRequires: cppcheck >= 2.4 +%endif # For ownership of %%{_sysctldir}. Requires: systemd @@ -164,12 +186,14 @@ Requires: %{name}%{?_isa} == %{version}-%{release} Header files for applications that use %{name}. +%if %{with doc} %package doc Summary: User documentation for the %{name} package Requires: %{name}%{?_isa} == %{version}-%{release} %description doc User documentation for %{name}. +%endif %if %{with replace_coreutils} @@ -253,7 +277,7 @@ Requires: %{name}-checksum%{?_isa} == %{version}-%{release} %endif Requires: coreutils Requires: openssl -Requires: perl +Requires: perl-interpreter %description tests Auxiliary scripts for testing %{name}. 
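Review bot: `Patch100: 100-fix-double-free-hasher.patch` is dropped in this hunk, but neither the commit message nor the new `%changelog` entry says that upstream 1.4.0 already contains the hasher() double-free fix that patch carried. The deleted patch rewrote the `goto out` / `munmap` cleanup in apps/kcapi-hasher.c, so the thing to confirm against the 1.4.0 tarball is that those error paths no longer release the mapping more than once. Once confirmed, record it so the removal is auditable, for example a changelog line `- Drop 100-fix-double-free-hasher.patch, fix is included upstream`.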
@@ -315,7 +339,11 @@ EOF --enable-sum-prefix= \ --enable-sum-dir=/%{_lib} \ --with-pkgconfigdir=%{_libdir}/pkgconfig +%if %{with doc} %make_build all doc +%else +%make_build all man +%endif %install @@ -332,14 +360,21 @@ EOF %if %{with_sysctl_tweak} README.%{distroname_ext} \ %endif - README.md CHANGES.md TODO doc/%{name}.p{df,s} +%if %{with doc} + doc/%{name}.p{df,s} \ +%endif + README.md CHANGES.md TODO + +%if %{with doc} %{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir} +%endif # Install replacement tools, if enabled. %if !%{with replace_coreutils} %{__rm} -f \ %{buildroot}%{_bindir}/md5sum \ - %{buildroot}%{_bindir}/sha*sum + %{buildroot}%{_bindir}/sha*sum \ + %{buildroot}%{_bindir}/sm*sum %endif %if !%{with replace_fipscheck} @@ -348,6 +383,7 @@ EOF %if !%{with replace_hmaccalc} %{__rm} -f %{buildroot}%{_bindir}/sha*hmac +%{__rm} -f %{buildroot}%{_bindir}/sm*hmac %endif # We don't ship autocrap dumplings. @@ -359,11 +395,13 @@ EOF # Remove 0-size files. %{_bindir}/find %{buildroot} -type f -size 0 -print -delete +%if %{with doc} # Make sure all docs have non-exec permissions, except for the dirs. %{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \ %{_bindir}/xargs %{__chmod} -c 0644 %{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \ %{_bindir}/xargs %{__chmod} -c 0755 +%endif # Possibly save some space by hardlinking. for d in %{_mandir} %{_pkgdocdir}; do @@ -373,10 +411,14 @@ done %check # Some basic sanity checks. -for t in cppcheck scan; do - %make_build $t -done +%if %{with clang_sa} +%make_build scan +%endif +%if %{with cppcheck} +%make_build cppcheck +%endif +%if %{with test} # On some arches `/proc/sys/net/core/optmem_max` is lower than 20480, # which is the lowest limit needed to run the testsuite. If that limit # is not met, we do not run it. 
@@ -385,21 +427,24 @@ done %if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0 # Real testsuite. pushd test -# Ignore test result since the CI will do better testing anyway +%if %{with fuzz_test} +ENABLE_FUZZ_TEST=1 \ +%endif NO_32BIT_TEST=1 \ - ./test-invocation.sh || true + ./test-invocation.sh popd %endif %endif +%endif %ldconfig_scriptlets %files -%license COPYING* %doc %dir %{_pkgdocdir} %doc %{_pkgdocdir}/README.md +%license COPYING* /%{_lib}/%{name}.so.%{vmajor} /%{_lib}/%{name}.so.%{version} /%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac @@ -419,16 +464,22 @@ popd %{_libdir}/pkgconfig/%{name}.pc +%if %{with doc} %files doc -%doc %{_pkgdocdir} +%doc %{_pkgdocdir}/html +%doc %{_pkgdocdir}/%{name}.pdf +%doc %{_pkgdocdir}/%{name}.ps +%endif %if %{with replace_coreutils} %files checksum %{_bindir}/md5sum %{_bindir}/sha*sum +%{_bindir}/sm*sum /%{_lib}/fipscheck/md5sum.hmac /%{_lib}/fipscheck/sha*sum.hmac +/%{_lib}/fipscheck/sm*sum.hmac %endif %if %{with replace_fipscheck} @@ -440,7 +491,9 @@ popd %if %{with replace_hmaccalc} %files hmaccalc %{_bindir}/sha*hmac +%{_bindir}/sm*hmac /%{_lib}/hmaccalc/sha*hmac.hmac +/%{_lib}/hmaccalc/sm*hmac.hmac %endif @@ -460,6 +513,10 @@ popd %changelog +* Wed Nov 01 2023 Zoltan Fridrich - 1.4.0-1 +- Update to new upstream release 1.4.0 + Resolves: RHEL-5366 + * Tue May 26 2020 Sahana Prasad - 1.2.0-2 - Fix double free issue in hasher() diff --git a/sources b/sources index c0c1830..7e8a98f 100644 --- a/sources +++ b/sources 
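Review bot: Dropping `|| true` makes a failing `./test-invocation.sh` fail the build, but the call still sits inside `%if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0` and an outer condition that opens before this hunk, and no `%else` is visible for either. On a builder whose running kernel is older, `%check` therefore passes without running the suite and, as far as the hunk shows, prints nothing, so a green build does not by itself show the crypto tests ran. I would add an `%else` branch before the matching `%endif` with a line such as `echo "libkcapi testsuite skipped: build host kernel older than 5.1"`, and do the same for the outer condition.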
@@ -1,2 +1,2 @@
-SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289
-SHA512 (libkcapi-1.2.0.tar.xz.asc) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289
+SHA512 (libkcapi-1.4.0.tar.xz) = fa3df1fe22eba32585de5df044f907d3ad189c33f5704fe29b0fdeda92e772ef077055b80e17bc1646a8cdedaf4f195aadf0b133f493597f0f7657b04ea93a99
+SHA512 (libkcapi-1.4.0.tar.xz.asc) = a41303cba88b214c82537bb5de2584a72a239670318753ba6873a2c3ebe3b56ffd381fdf7ae266aa21857e850bebdfbfdec487c98655ddbc2b9a0ba0d4f383ca