Update to new upstream release 1.4.0

Resolves: RHEL-5366

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

.gitignore

@@ -1,4 +1,3 @@
-SOURCES/libkcapi-1.2.0.tar.xz
-SOURCES/libkcapi-1.2.0.tar.xz.asc
-/libkcapi-1.2.0.tar.xz
-/libkcapi-1.2.0.tar.xz.asc
+/libkcapi-*.tar.xz
+/libkcapi-*.tar.xz.asc
+/*.src.rpm

001-tests-kernel-version.patch

@@ -0,0 +1,40 @@
+From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Mon, 15 Aug 2022 10:19:50 +0200
+Subject: [PATCH] tests: fix overly-optimistic kernel version checks
+
+The mainline kernel is now at version 6.0 so these >= 5.99 checks are
+now incorrectly enabling tests that don't work. Instead of bumping the
+imaginary version and face the same problem again in a couple years,
+replace the checks with 'false' and a TODO comment.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+---
+ test/test.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/test/test.sh b/test/test.sh
+index 1d9be73..a75b802 100755
+--- a/test/test.sh
++++ b/test/test.sh
+@@ -1560,7 +1560,8 @@ else
+ 	echo_deact "AEAD tests of copied AAD deactivated"
+ fi
+ 
+-if $(check_min_kernelver 5 99); then
++# TODO add version check when supported upstream
++if false; then
+ 	asymfunc 4
+ 	asymfunc 4 -s
+ 	asymfunc 4 -v
+@@ -1583,7 +1584,8 @@ else
+ 	echo_deact "All asymmetric tests deactivated"
+ fi
+ 
+-if $(check_min_kernelver 5 99); then
++# TODO add version check when supported upstream
++if false; then
+ 	kppfunc 13
+ 	kppfunc 13 X -m
+ 	kppfunc 13 -v

100-fix-double-free-hasher.patch

@@ -1,54 +0,0 @@
---- libkcapi-1.2.0/apps/kcapi-hasher.c.fix-double-free-hasher	2020-05-26 16:31:28.296332614 +0200
-+++ libkcapi-1.2.0/apps/kcapi-hasher.c	2020-05-26 16:37:07.681011437 +0200
-@@ -301,7 +301,7 @@ static int hasher(struct kcapi_handle *h
- 				fprintf(stderr,
- 					"Use of mmap failed mapping %zu bytes at offset %" PRId64 " of file %s (%d)\n",
- 					mapped, (int64_t)offset, filename, ret);
--				goto out;
-+				return ret;
- 			}
- 			/* Compute hash */
- 			memblock_p = memblock;
-@@ -311,8 +311,10 @@ static int hasher(struct kcapi_handle *h
- 						 INT_MAX : (uint32_t)left;
- 
- 				ret = kcapi_md_update(handle, memblock_p, todo);
--				if (ret < 0)
--					goto out;
-+				if (ret < 0) {
-+			        munmap(memblock, mapped);
-+					return ret;
-+                }
- 				left -= todo;
- 				memblock_p += todo;
- 			} while (left);
-@@ -329,7 +331,7 @@ static int hasher(struct kcapi_handle *h
- 
- 			ret = kcapi_md_update(handle, tmpbuf, bufsize);
- 			if (ret < 0)
--				goto out;
-+				return ret;
- 		}
- 		kcapi_memset_secure(tmpbuf, 0, sizeof(tmpbuf));
- 	}
-@@ -340,7 +342,7 @@ static int hasher(struct kcapi_handle *h
- 		if (hashlen > (uint32_t)ret) {
- 			fprintf(stderr, "Invalid truncated hash size: %lu > %i\n",
- 			        (unsigned long)hashlen, ret);
--			goto out;
-+			return ret;
- 		}
- 
- 		if (!hashlen)
-@@ -376,11 +378,6 @@ static int hasher(struct kcapi_handle *h
- 		fprintf(stderr, "Generation of hash for file %s failed (%d)\n",
- 			filename ? filename : "stdin", ret);
- 	}
--
--out:
--	if (memblock)
--		munmap(memblock, mapped);
--
- 	return ret;
- }
- 

libkcapi.spec

@@ -1,6 +1,6 @@
 # Shared object version of libkcapi.
 %global vmajor            1
-%global vminor            2
+%global vminor            4
 %global vpatch            0
 
 # Do we build the replacements packages?
@@ -22,6 +22,21 @@
 %else
 %bcond_with test_package
 %endif
+# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518
+%if 0%{?rhel}
+%bcond_with cppcheck
+%else
+%bcond_without cppcheck
+%endif
+
+# Use `--without test` to build without running the tests
+%bcond_without test
+# Use `--without fuzz_test` to skip the fuzz test during build
+%bcond_without fuzz_test
+# Use `--without doc` to build without the -doc subpackage
+%bcond_without doc
+# Use `--without clang_sa` to skip clang static analysis during build
+%bcond_without clang_sa
 
 # This package needs at least Linux Kernel v4.10.0.
 %global min_kernel_ver    4.10.0
@@ -69,16 +84,16 @@
 %global hmaccalc_evr      0.9.14-10%{?dist}
 %endif
 
-%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
-%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac
+%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
+%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac
 
 # On old kernels use mock hashers implemented via openssl
 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
 %global sha512hmac bin/kcapi-hasher -n sha512hmac
 %global fipshmac   bin/kcapi-hasher -n fipshmac
 %else
-%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%global fipshmac   bash %{_sourcedir}/fipshmac-openssl.sh
+%global sha512hmac bash %{SOURCE2}
+%global fipshmac   bash %{SOURCE3}
 %endif
 
 # Add generation of HMAC checksums of the final stripped
@@ -109,32 +124,39 @@ done                                                             \
 
 Name:           libkcapi
 Version:        %{vmajor}.%{vminor}.%{vpatch}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        User space interface to the Linux Kernel Crypto API
 
-License:        BSD or GPLv2
-URL:            http://www.chronox.de/%{name}.html
-Source0:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
-Source1:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
+License:        BSD-3-Clause OR GPL-2.0-only
+URL:            https://www.chronox.de/%{name}.html
+Source0:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
+Source1:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
 Source2:        sha512hmac-openssl.sh
 Source3:        fipshmac-openssl.sh
 
-Patch100:       100-fix-double-free-hasher.patch
+Patch1:         001-tests-kernel-version.patch
 
 BuildRequires:  bash
-BuildRequires:  clang
 BuildRequires:  coreutils
-BuildRequires:  cppcheck
-BuildRequires:  docbook-utils-pdf
 BuildRequires:  gcc
-BuildRequires:  git
+BuildRequires:  git-core
 BuildRequires:  hardlink
 BuildRequires:  kernel-headers >= %{min_kernel_ver}
 BuildRequires:  libtool
+BuildRequires:  make
 BuildRequires:  openssl
-BuildRequires:  perl
+BuildRequires:  perl-interpreter
 BuildRequires:  systemd
 BuildRequires:  xmlto
+%if %{with doc}
+BuildRequires:  docbook-utils-pdf
+%endif
+%if %{with clang_sa}
+BuildRequires:  clang
+%endif
+%if %{with cppcheck}
+BuildRequires:  cppcheck >= 2.4
+%endif
 
 # For ownership of %%{_sysctldir}.
 Requires:       systemd
@@ -164,12 +186,14 @@ Requires:       %{name}%{?_isa} == %{version}-%{release}
 Header files for applications that use %{name}.
 
 
+%if %{with doc}
 %package        doc
 Summary:        User documentation for the %{name} package
 Requires:       %{name}%{?_isa} == %{version}-%{release}
 
 %description    doc
 User documentation for %{name}.
+%endif
 
 
 %if %{with replace_coreutils}
@@ -253,7 +277,7 @@ Requires:       %{name}-checksum%{?_isa} == %{version}-%{release}
 %endif
 Requires:       coreutils
 Requires:       openssl
-Requires:       perl
+Requires:       perl-interpreter
 
 %description    tests
 Auxiliary scripts for testing %{name}.
@@ -315,7 +339,11 @@ EOF
   --enable-sum-prefix=   \
   --enable-sum-dir=/%{_lib} \
   --with-pkgconfigdir=%{_libdir}/pkgconfig
+%if %{with doc}
 %make_build all doc
+%else
+%make_build all man
+%endif
 
 
 %install
@@ -332,14 +360,21 @@ EOF
 %if %{with_sysctl_tweak}
   README.%{distroname_ext}                          \
 %endif
-  README.md CHANGES.md TODO doc/%{name}.p{df,s}
+%if %{with doc}
+  doc/%{name}.p{df,s}                               \
+%endif
+  README.md CHANGES.md TODO
+
+%if %{with doc}
 %{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
+%endif
 
 # Install replacement tools, if enabled.
 %if !%{with replace_coreutils}
 %{__rm} -f                            \
   %{buildroot}%{_bindir}/md5sum       \
-  %{buildroot}%{_bindir}/sha*sum
+  %{buildroot}%{_bindir}/sha*sum      \
+  %{buildroot}%{_bindir}/sm*sum
 %endif
 
 %if !%{with replace_fipscheck}
@@ -348,6 +383,7 @@ EOF
 
 %if !%{with replace_hmaccalc}
 %{__rm} -f %{buildroot}%{_bindir}/sha*hmac
+%{__rm} -f %{buildroot}%{_bindir}/sm*hmac
 %endif
 
 # We don't ship autocrap dumplings.
@@ -359,11 +395,13 @@ EOF
 # Remove 0-size files.
 %{_bindir}/find %{buildroot} -type f -size 0 -print -delete
 
+%if %{with doc}
 # Make sure all docs have non-exec permissions, except for the dirs.
 %{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \
   %{_bindir}/xargs %{__chmod} -c 0644
 %{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \
   %{_bindir}/xargs %{__chmod} -c 0755
+%endif
 
 # Possibly save some space by hardlinking.
 for d in %{_mandir} %{_pkgdocdir}; do
@@ -373,10 +411,14 @@ done
 
 %check
 # Some basic sanity checks.
-for t in cppcheck scan; do
-  %make_build $t
-done
+%if %{with clang_sa}
+%make_build scan
+%endif
+%if %{with cppcheck}
+%make_build cppcheck
+%endif
 
+%if %{with test}
 # On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
 # which is the lowest limit needed to run the testsuite.  If that limit
 # is not met, we do not run it.
@@ -385,21 +427,24 @@ done
 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0
 # Real testsuite.
 pushd test
-# Ignore test result since the CI will do better testing anyway
+%if %{with fuzz_test}
+ENABLE_FUZZ_TEST=1 \
+%endif
 NO_32BIT_TEST=1    \
-  ./test-invocation.sh || true
+  ./test-invocation.sh
 popd
 %endif
 %endif
+%endif
 
 
 %ldconfig_scriptlets
 
 
 %files
-%license COPYING*
 %doc %dir %{_pkgdocdir}
 %doc %{_pkgdocdir}/README.md
+%license COPYING*
 /%{_lib}/%{name}.so.%{vmajor}
 /%{_lib}/%{name}.so.%{version}
 /%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac
@@ -419,16 +464,22 @@ popd
 %{_libdir}/pkgconfig/%{name}.pc
 
 
+%if %{with doc}
 %files          doc
-%doc %{_pkgdocdir}
+%doc %{_pkgdocdir}/html
+%doc %{_pkgdocdir}/%{name}.pdf
+%doc %{_pkgdocdir}/%{name}.ps
+%endif
 
 
 %if %{with replace_coreutils}
 %files          checksum
 %{_bindir}/md5sum
 %{_bindir}/sha*sum
+%{_bindir}/sm*sum
 /%{_lib}/fipscheck/md5sum.hmac
 /%{_lib}/fipscheck/sha*sum.hmac
+/%{_lib}/fipscheck/sm*sum.hmac
 %endif
 
 %if %{with replace_fipscheck}
@@ -440,7 +491,9 @@ popd
 %if %{with replace_hmaccalc}
 %files          hmaccalc
 %{_bindir}/sha*hmac
+%{_bindir}/sm*hmac
 /%{_lib}/hmaccalc/sha*hmac.hmac
+/%{_lib}/hmaccalc/sm*hmac.hmac
 %endif
 
 
@@ -460,6 +513,10 @@ popd
 
 
 %changelog
+* Wed Nov 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-1
+- Update to new upstream release 1.4.0
+  Resolves: RHEL-5366
+
 * Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
 - Fix double free issue in hasher()
 

sources

@@ -1,2 +1,2 @@
-SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289
-SHA512 (libkcapi-1.2.0.tar.xz.asc) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289
+SHA512 (libkcapi-1.4.0.tar.xz) = fa3df1fe22eba32585de5df044f907d3ad189c33f5704fe29b0fdeda92e772ef077055b80e17bc1646a8cdedaf4f195aadf0b133f493597f0f7657b04ea93a99
+SHA512 (libkcapi-1.4.0.tar.xz.asc) = a41303cba88b214c82537bb5de2584a72a239670318753ba6873a2c3ebe3b56ffd381fdf7ae266aa21857e850bebdfbfdec487c98655ddbc2b9a0ba0d4f383ca