rpms/libkcapi
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to new upstream release 1.4.0

Browse Source 
Resolves: RHEL-5366

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2023-11-02 12:31:26 +01:00
parent c98cb30e55
commit 8510b5be2f
5 changed files with 128 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.gitignore vendored
View File

@ -1,4 +1,3 @@
SOURCES/libkcapi-1.2.0.tar.xz /libkcapi-*.tar.xz
SOURCES/libkcapi-1.2.0.tar.xz.asc /libkcapi-*.tar.xz.asc
/libkcapi-1.2.0.tar.xz /*.src.rpm
/libkcapi-1.2.0.tar.xz.asc

40
001-tests-kernel-version.patch Normal file
View File

@ -0,0 +1,40 @@
From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 15 Aug 2022 10:19:50 +0200
Subject: [PATCH] tests: fix overly-optimistic kernel version checks
The mainline kernel is now at version 6.0 so these >= 5.99 checks are
now incorrectly enabling tests that don't work. Instead of bumping the
imaginary version and face the same problem again in a couple years,
replace the checks with 'false' and a TODO comment.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
test/test.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/test/test.sh b/test/test.sh
index 1d9be73..a75b802 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1560,7 +1560,8 @@ else
echo_deact "AEAD tests of copied AAD deactivated"
fi
-if $(check_min_kernelver 5 99); then
+# TODO add version check when supported upstream
+if false; then
asymfunc 4
asymfunc 4 -s
asymfunc 4 -v
@@ -1583,7 +1584,8 @@ else
echo_deact "All asymmetric tests deactivated"
fi
-if $(check_min_kernelver 5 99); then
+# TODO add version check when supported upstream
+if false; then
kppfunc 13
kppfunc 13 X -m
kppfunc 13 -v

54
100-fix-double-free-hasher.patch
View File

@ -1,54 +0,0 @@
--- libkcapi-1.2.0/apps/kcapi-hasher.c.fix-double-free-hasher 2020-05-26 16:31:28.296332614 +0200
+++ libkcapi-1.2.0/apps/kcapi-hasher.c 2020-05-26 16:37:07.681011437 +0200
@@ -301,7 +301,7 @@ static int hasher(struct kcapi_handle *h
fprintf(stderr,
"Use of mmap failed mapping %zu bytes at offset %" PRId64 " of file %s (%d)\n",
mapped, (int64_t)offset, filename, ret);
- goto out;
+ return ret;
}
/* Compute hash */
memblock_p = memblock;
@@ -311,8 +311,10 @@ static int hasher(struct kcapi_handle *h
INT_MAX : (uint32_t)left;
ret = kcapi_md_update(handle, memblock_p, todo);
- if (ret < 0)
- goto out;
+ if (ret < 0) {
+ munmap(memblock, mapped);
+ return ret;
+ }
left -= todo;
memblock_p += todo;
} while (left);
@@ -329,7 +331,7 @@ static int hasher(struct kcapi_handle *h
ret = kcapi_md_update(handle, tmpbuf, bufsize);
if (ret < 0)
- goto out;
+ return ret;
}
kcapi_memset_secure(tmpbuf, 0, sizeof(tmpbuf));
}
@@ -340,7 +342,7 @@ static int hasher(struct kcapi_handle *h
if (hashlen > (uint32_t)ret) {
fprintf(stderr, "Invalid truncated hash size: %lu > %i\n",
(unsigned long)hashlen, ret);
- goto out;
+ return ret;
}
if (!hashlen)
@@ -376,11 +378,6 @@ static int hasher(struct kcapi_handle *h
fprintf(stderr, "Generation of hash for file %s failed (%d)\n",
filename ? filename : "stdin", ret);
}
-
-out:
- if (memblock)
- munmap(memblock, mapped);
-
return ret;
}

109
libkcapi.spec
View File

@ -1,6 +1,6 @@
# Shared object version of libkcapi. # Shared object version of libkcapi.
%global vmajor 1 %global vmajor 1
%global vminor 2 %global vminor 4
%global vpatch 0 %global vpatch 0
# Do we build the replacements packages? # Do we build the replacements packages?
@ -22,6 +22,21 @@
%else %else
%bcond_with test_package %bcond_with test_package
%endif %endif
# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518
%if 0%{?rhel}
%bcond_with cppcheck
%else
%bcond_without cppcheck
%endif
# Use `--without test` to build without running the tests
%bcond_without test
# Use `--without fuzz_test` to skip the fuzz test during build
%bcond_without fuzz_test
# Use `--without doc` to build without the -doc subpackage
%bcond_without doc
# Use `--without clang_sa` to skip clang static analysis during build
%bcond_without clang_sa
# This package needs at least Linux Kernel v4.10.0. # This package needs at least Linux Kernel v4.10.0.
%global min_kernel_ver 4.10.0 %global min_kernel_ver 4.10.0
@ -69,16 +84,16 @@
%global hmaccalc_evr 0.9.14-10%{?dist} %global hmaccalc_evr 0.9.14-10%{?dist}
%endif %endif
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac %global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac
# On old kernels use mock hashers implemented via openssl # On old kernels use mock hashers implemented via openssl
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
%global sha512hmac bin/kcapi-hasher -n sha512hmac %global sha512hmac bin/kcapi-hasher -n sha512hmac
%global fipshmac bin/kcapi-hasher -n fipshmac %global fipshmac bin/kcapi-hasher -n fipshmac
%else %else
%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh %global sha512hmac bash %{SOURCE2}
%global fipshmac bash %{_sourcedir}/fipshmac-openssl.sh %global fipshmac bash %{SOURCE3}
%endif %endif
# Add generation of HMAC checksums of the final stripped # Add generation of HMAC checksums of the final stripped
@ -109,32 +124,39 @@ done \
Name: libkcapi Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch} Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 2%{?dist} Release: 1%{?dist}
Summary: User space interface to the Linux Kernel Crypto API Summary: User space interface to the Linux Kernel Crypto API
License: BSD or GPLv2 License: BSD-3-Clause OR GPL-2.0-only
URL: http://www.chronox.de/%{name}.html URL: https://www.chronox.de/%{name}.html
Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Source2: sha512hmac-openssl.sh Source2: sha512hmac-openssl.sh
Source3: fipshmac-openssl.sh Source3: fipshmac-openssl.sh
Patch100: 100-fix-double-free-hasher.patch Patch1: 001-tests-kernel-version.patch
BuildRequires: bash BuildRequires: bash
BuildRequires: clang
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: cppcheck
BuildRequires: docbook-utils-pdf
BuildRequires: gcc BuildRequires: gcc
BuildRequires: git BuildRequires: git-core
BuildRequires: hardlink BuildRequires: hardlink
BuildRequires: kernel-headers >= %{min_kernel_ver} BuildRequires: kernel-headers >= %{min_kernel_ver}
BuildRequires: libtool BuildRequires: libtool
BuildRequires: make
BuildRequires: openssl BuildRequires: openssl
BuildRequires: perl BuildRequires: perl-interpreter
BuildRequires: systemd BuildRequires: systemd
BuildRequires: xmlto BuildRequires: xmlto
%if %{with doc}
BuildRequires: docbook-utils-pdf
%endif
%if %{with clang_sa}
BuildRequires: clang
%endif
%if %{with cppcheck}
BuildRequires: cppcheck >= 2.4
%endif
# For ownership of %%{_sysctldir}. # For ownership of %%{_sysctldir}.
Requires: systemd Requires: systemd
@ -164,12 +186,14 @@ Requires: %{name}%{?_isa} == %{version}-%{release}
Header files for applications that use %{name}. Header files for applications that use %{name}.
%if %{with doc}
%package doc %package doc
Summary: User documentation for the %{name} package Summary: User documentation for the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release} Requires: %{name}%{?_isa} == %{version}-%{release}
%description doc %description doc
User documentation for %{name}. User documentation for %{name}.
%endif
%if %{with replace_coreutils} %if %{with replace_coreutils}
@ -253,7 +277,7 @@ Requires: %{name}-checksum%{?_isa} == %{version}-%{release}
%endif %endif
Requires: coreutils Requires: coreutils
Requires: openssl Requires: openssl
Requires: perl Requires: perl-interpreter
%description tests %description tests
Auxiliary scripts for testing %{name}. Auxiliary scripts for testing %{name}.
@ -315,7 +339,11 @@ EOF
--enable-sum-prefix= \ --enable-sum-prefix= \
--enable-sum-dir=/%{_lib} \ --enable-sum-dir=/%{_lib} \
--with-pkgconfigdir=%{_libdir}/pkgconfig --with-pkgconfigdir=%{_libdir}/pkgconfig
%if %{with doc}
%make_build all doc %make_build all doc
%else
%make_build all man
%endif
%install %install
@ -332,14 +360,21 @@ EOF
%if %{with_sysctl_tweak} %if %{with_sysctl_tweak}
README.%{distroname_ext} \ README.%{distroname_ext} \
%endif %endif
README.md CHANGES.md TODO doc/%{name}.p{df,s} %if %{with doc}
doc/%{name}.p{df,s} \
%endif
README.md CHANGES.md TODO
%if %{with doc}
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir} %{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
%endif
# Install replacement tools, if enabled. # Install replacement tools, if enabled.
%if !%{with replace_coreutils} %if !%{with replace_coreutils}
%{__rm} -f \ %{__rm} -f \
%{buildroot}%{_bindir}/md5sum \ %{buildroot}%{_bindir}/md5sum \
%{buildroot}%{_bindir}/sha*sum %{buildroot}%{_bindir}/sha*sum \
%{buildroot}%{_bindir}/sm*sum
%endif %endif
%if !%{with replace_fipscheck} %if !%{with replace_fipscheck}
@ -348,6 +383,7 @@ EOF
%if !%{with replace_hmaccalc} %if !%{with replace_hmaccalc}
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac %{__rm} -f %{buildroot}%{_bindir}/sha*hmac
%{__rm} -f %{buildroot}%{_bindir}/sm*hmac
%endif %endif
# We don't ship autocrap dumplings. # We don't ship autocrap dumplings.
@ -359,11 +395,13 @@ EOF
# Remove 0-size files. # Remove 0-size files.
%{_bindir}/find %{buildroot} -type f -size 0 -print -delete %{_bindir}/find %{buildroot} -type f -size 0 -print -delete
%if %{with doc}
# Make sure all docs have non-exec permissions, except for the dirs. # Make sure all docs have non-exec permissions, except for the dirs.
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \ %{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \
%{_bindir}/xargs %{__chmod} -c 0644 %{_bindir}/xargs %{__chmod} -c 0644
%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \ %{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \
%{_bindir}/xargs %{__chmod} -c 0755 %{_bindir}/xargs %{__chmod} -c 0755
%endif
# Possibly save some space by hardlinking. # Possibly save some space by hardlinking.
for d in %{_mandir} %{_pkgdocdir}; do for d in %{_mandir} %{_pkgdocdir}; do
@ -373,10 +411,14 @@ done
%check %check
# Some basic sanity checks. # Some basic sanity checks.
for t in cppcheck scan; do %if %{with clang_sa}
%make_build $t %make_build scan
done %endif
%if %{with cppcheck}
%make_build cppcheck
%endif
%if %{with test}
# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480, # On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
# which is the lowest limit needed to run the testsuite. If that limit # which is the lowest limit needed to run the testsuite. If that limit
# is not met, we do not run it. # is not met, we do not run it.
@ -385,21 +427,24 @@ done
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0
# Real testsuite. # Real testsuite.
pushd test pushd test
# Ignore test result since the CI will do better testing anyway %if %{with fuzz_test}
ENABLE_FUZZ_TEST=1 \
%endif
NO_32BIT_TEST=1 \ NO_32BIT_TEST=1 \
./test-invocation.sh || true ./test-invocation.sh
popd popd
%endif %endif
%endif %endif
%endif
%ldconfig_scriptlets %ldconfig_scriptlets
%files %files
%license COPYING*
%doc %dir %{_pkgdocdir} %doc %dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README.md %doc %{_pkgdocdir}/README.md
%license COPYING*
/%{_lib}/%{name}.so.%{vmajor} /%{_lib}/%{name}.so.%{vmajor}
/%{_lib}/%{name}.so.%{version} /%{_lib}/%{name}.so.%{version}
/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac /%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac
@ -419,16 +464,22 @@ popd
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%if %{with doc}
%files doc %files doc
%doc %{_pkgdocdir} %doc %{_pkgdocdir}/html
%doc %{_pkgdocdir}/%{name}.pdf
%doc %{_pkgdocdir}/%{name}.ps
%endif
%if %{with replace_coreutils} %if %{with replace_coreutils}
%files checksum %files checksum
%{_bindir}/md5sum %{_bindir}/md5sum
%{_bindir}/sha*sum %{_bindir}/sha*sum
%{_bindir}/sm*sum
/%{_lib}/fipscheck/md5sum.hmac /%{_lib}/fipscheck/md5sum.hmac
/%{_lib}/fipscheck/sha*sum.hmac /%{_lib}/fipscheck/sha*sum.hmac
/%{_lib}/fipscheck/sm*sum.hmac
%endif %endif
%if %{with replace_fipscheck} %if %{with replace_fipscheck}
@ -440,7 +491,9 @@ popd
%if %{with replace_hmaccalc} %if %{with replace_hmaccalc}
%files hmaccalc %files hmaccalc
%{_bindir}/sha*hmac %{_bindir}/sha*hmac
%{_bindir}/sm*hmac
/%{_lib}/hmaccalc/sha*hmac.hmac /%{_lib}/hmaccalc/sha*hmac.hmac
/%{_lib}/hmaccalc/sm*hmac.hmac
%endif %endif
@ -460,6 +513,10 @@ popd
%changelog %changelog
* Wed Nov 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-1
- Update to new upstream release 1.4.0
Resolves: RHEL-5366
* Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2 * Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
- Fix double free issue in hasher() - Fix double free issue in hasher()

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289 SHA512 (libkcapi-1.4.0.tar.xz) = fa3df1fe22eba32585de5df044f907d3ad189c33f5704fe29b0fdeda92e772ef077055b80e17bc1646a8cdedaf4f195aadf0b133f493597f0f7657b04ea93a99
SHA512 (libkcapi-1.2.0.tar.xz.asc) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289 SHA512 (libkcapi-1.4.0.tar.xz.asc) = a41303cba88b214c82537bb5de2584a72a239670318753ba6873a2c3ebe3b56ffd381fdf7ae266aa21857e850bebdfbfdec487c98655ddbc2b9a0ba0d4f383ca