Rebuilt for IMA sigs, glibc 2.34, aarch64 flags

Resolves: rhbz#1982620

Signed-off-by: Simo Sorce <simo@redhat.com>

.libkcapi.metadata

@@ -0,0 +1,2 @@
+ee581bce3e76310f5c5488898771f7f403f72693 libkcapi-1.3.1.tar.xz
+b667ef4177e1ce64a6f1278ba73fb834d06c3cb1 libkcapi-1.3.1.tar.xz.asc

000-Kern-5.8-fix-MSG_MORE-usage.patch

@@ -1,163 +0,0 @@
-From b612c52c5ccf021d01e6c786db1a31a697f21d97 Mon Sep 17 00:00:00 2001
-From: Stephan Mueller <smueller@chronox.de>
-Date: Thu, 13 Aug 2020 21:58:07 +0200
-Subject: [PATCH] Kern 5.8: fix MSG_MORE usage
-
-With kernel 5.8, a precise use of MSG_MORE is mandatory to support
-a stream cipher approach (init -> update -> update -> ... -> final).
-All but the last update operations must use MSG_MORE, the last update
-operation must not use MSG_MORE.
-
-Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
----
- lib/kcapi-aead.c      | 24 ++++++++++++++----------
- lib/kcapi-kernel-if.c |  6 ++----
- test/kcapi-main.c     | 31 +++++++++++++++++--------------
- 3 files changed, 33 insertions(+), 28 deletions(-)
-
-diff --git a/lib/kcapi-aead.c b/lib/kcapi-aead.c
-index d241618..45a0bd7 100644
---- a/lib/kcapi-aead.c
-+++ b/lib/kcapi-aead.c
-@@ -210,13 +210,15 @@ _kcapi_aead_encrypt_aio_fallback(struct kcapi_handle *handle,
- 				 uint32_t iovlen, const uint8_t *iv)
- {
- 	uint32_t i;
--	int32_t ret = kcapi_aead_stream_init_enc(handle, iv, NULL, 0);
--
--	if (ret < 0)
--		return ret;
-+	int32_t ret = 0;
- 
- 	for (i = 0; i < iovlen; i++) {
--		int rc = kcapi_aead_stream_update_last(handle, iniov, 1);
-+		int rc = kcapi_aead_stream_init_enc(handle, iv, NULL, 0);
-+
-+		if (rc < 0)
-+			return rc;
-+
-+		rc = kcapi_aead_stream_update_last(handle, iniov, 1);
- 		if (rc < 0)
- 			return rc;
- 
-@@ -271,13 +273,15 @@ _kcapi_aead_decrypt_aio_fallback(struct kcapi_handle *handle,
- 				 uint32_t iovlen, const uint8_t *iv)
- {
- 	uint32_t i;
--	int32_t ret = kcapi_aead_stream_init_dec(handle, iv, NULL, 0);
--
--	if (ret < 0)
--		return ret;
-+	int32_t ret = 0;
- 
- 	for (i = 0; i < iovlen; i++) {
--		int rc = kcapi_aead_stream_update_last(handle, iniov, 1);
-+		int rc = kcapi_aead_stream_init_dec(handle, iv, NULL, 0);
-+
-+		if (rc < 0)
-+			return rc;
-+
-+		rc = kcapi_aead_stream_update_last(handle, iniov, 1);
- 		if (rc < 0)
- 			return rc;
- 
-diff --git a/lib/kcapi-kernel-if.c b/lib/kcapi-kernel-if.c
-index bea994f..42cf1ad 100644
---- a/lib/kcapi-kernel-if.c
-+++ b/lib/kcapi-kernel-if.c
-@@ -439,8 +439,7 @@ int _kcapi_aio_send_iov(struct kcapi_handle *handle, struct iovec *iov,
- 		if (0 > ret)
- 			return ret;
- 	} else {
--		ret = _kcapi_common_send_meta(handle, NULL, 0, enc,
--					      len ? MSG_MORE : 0);
-+		ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE);
- 		if (0 > ret)
- 			return ret;
- 		ret = _kcapi_common_vmsplice_iov(handle, iov, iovlen, 0);
-@@ -1246,8 +1245,7 @@ int32_t _kcapi_cipher_crypt(struct kcapi_handle *handle, const uint8_t *in,
- 		if (0 > ret)
- 			return ret;
- 	} else {
--		ret = _kcapi_common_send_meta(handle, NULL, 0, enc,
--					      inlen ? MSG_MORE : 0);
-+		ret = _kcapi_common_send_meta(handle, NULL, 0, enc, MSG_MORE);
- 		if (0 > ret)
- 			return ret;
- 		ret = _kcapi_common_vmsplice_chunk(handle, in, inlen, 0);
-diff --git a/test/kcapi-main.c b/test/kcapi-main.c
-index 51f6ec7..64e466c 100644
---- a/test/kcapi-main.c
-+++ b/test/kcapi-main.c
-@@ -846,7 +846,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
- 		goto out;
- 	}
- 
--	for(i = 0; i < loops; i++) {
-+	for (i = 0; i < loops; i++) {
- 		_get_time(&begin);
- 		if (cavs_test->enc) {
- 			ret = kcapi_cipher_encrypt(handle,
-@@ -886,7 +886,7 @@ static int cavs_sym(struct kcapi_cavs *cavs_test, uint32_t loops,
- }
- 
- static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov,
--			  int forking)
-+			  int forking, int last)
- {
- 	int ret;
- 
-@@ -899,7 +899,10 @@ static void mt_sym_writer(struct kcapi_handle *handle, struct iovec *iov,
- 			return;
- 	}
- 
--	ret = kcapi_cipher_stream_update_last(handle, iov, 1);
-+	if (last)
-+		ret = kcapi_cipher_stream_update_last(handle, iov, 1);
-+	else
-+		ret = kcapi_cipher_stream_update(handle, iov, 1);
- 	if (0 > ret)
- 		printf("Sending of data failed\n");
- 
-@@ -1004,7 +1007,7 @@ static int cavs_sym_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
- 			iov.iov_len = cavs_test->ctlen;
- 		}
- 
--		mt_sym_writer(handle_ptr, &iov, forking);
-+		mt_sym_writer(handle_ptr, &iov, forking, i == (loops * 2 - 1));
- 
- 		outiov.iov_base = outbuf_ptr;
- 		outiov.iov_len = outbuflen;
-@@ -1636,21 +1639,21 @@ static int cavs_aead_stream(struct kcapi_cavs *cavs_test, uint32_t loops,
- 	if (ret)
- 		goto out;
- 
--	if (cavs_test->enc)
--		ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0);
--
--	else
--		ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0);
--	if (0 > ret) {
--		printf("Initialization of cipher buffer failed\n");
--		goto out;
--	}
--
- 	for (i = 0; i < loops; i++) {
- 		int errsv = 0;
- 
- 		memset(outbuf, 0, outbuflen);
- 
-+		if (cavs_test->enc)
-+			ret = kcapi_aead_stream_init_enc(handle, newiv, NULL, 0);
-+		else
-+			ret = kcapi_aead_stream_init_dec(handle, newiv, NULL, 0);
-+		if (0 > ret) {
-+			printf("Initialization of cipher buffer failed\n");
-+			goto out;
-+		}
-+
-+
- 		iov.iov_base = cavs_test->assoc;
- 		iov.iov_len = cavs_test->assoclen;
- 		if (cavs_test->enc) {

0001-Use-GCCs-__symver__-attribute.patch

@@ -0,0 +1,49 @@
+From 2abf7fecb5162e4b59ba134c813ebee839eb45e9 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 14 Jul 2021 10:52:01 -0400
+Subject: [PATCH] Use GCCs __symver__ attribute
+
+This is needed to allow LTO builds, as the __asm__ directives do not give
+enough context to the compiler and the build fails when the -flto flag is
+passed in.
+
+Unfotunately __symver__ is avilbel only startig from GCC 10, so we need
+more macro juggling.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ lib/internal.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 29fdb7b..64dad24 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -350,6 +350,16 @@ static inline int io_getevents(__attribute__((unused)) aio_context_t ctx,
+ #if __GNUC__ >= 4
+ # define DSO_PUBLIC __attribute__ ((visibility ("default")))
+ 
++#if __GNUC__ >= 10
++# define IMPL_SYMVER(name, version) \
++    __attribute__ ((visibility ("default"))) \
++    __attribute__((__symver__("kcapi_" #name "@@LIBKCAPI_" version)))
++
++# define ORIG_SYMVER(name, version) \
++    __attribute__ ((visibility ("default"))) \
++    __attribute__((__symver__("kcapi_" #name "@LIBKCAPI_" version)))
++
++#else
+ # define IMPL_SYMVER(name, version) \
+     __asm__(".global impl_" #name ";"\
+ 	    ".symver impl_" #name ",kcapi_" #name "@@LIBKCAPI_" version);\
+@@ -359,6 +369,7 @@ static inline int io_getevents(__attribute__((unused)) aio_context_t ctx,
+     __asm__(".global orig_" #name ";"\
+ 	    ".symver orig_" #name ",kcapi_" #name "@LIBKCAPI_" version);\
+     __attribute__ ((visibility ("default")))
++#endif
+ 
+ #else
+ # error "Compiler version too old"
+-- 
+2.31.1
+

gating.yaml

@@ -4,3 +4,10 @@ product_versions:
 decision_context: bodhi_update_push_stable
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

libkcapi.spec

@@ -1,7 +1,7 @@
 # Shared object version of libkcapi.
 %global vmajor            1
-%global vminor            2
-%global vpatch            0
+%global vminor            3
+%global vpatch            1
 
 # Do we build the replacements packages?
 %bcond_with replace_coreutils
@@ -22,6 +22,23 @@
 %else
 %bcond_with test_package
 %endif
+# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518
+%if 0%{?rhel}
+%bcond_with cppcheck
+%else
+# Temporarily disable cppcheck on Fedora until bz#1923600 is fixed in rawhide
+%bcond_with cppcheck
+#bcond_without cppcheck
+%endif
+
+# Use `--without test` to build without running the tests
+%bcond_without test
+# Use `--without fuzz_test` to skip the fuzz test during build
+%bcond_without fuzz_test
+# Use `--without doc` to build without the -doc subpackage
+%bcond_without doc
+# Use `--without clang_sa` to skip clang static analysis during build
+%bcond_without clang_sa
 
 # This package needs at least Linux Kernel v4.10.0.
 %global min_kernel_ver    4.10.0
@@ -77,8 +94,8 @@
 %global sha512hmac bin/kcapi-hasher -n sha512hmac
 %global fipshmac   bin/kcapi-hasher -n fipshmac
 %else
-%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%global fipshmac   bash %{_sourcedir}/fipshmac-openssl.sh
+%global sha512hmac bash %{SOURCE2}
+%global fipshmac   bash %{SOURCE3}
 %endif
 
 # Add generation of HMAC checksums of the final stripped
@@ -89,7 +106,7 @@
 %{__arch_install_post}                                           \
 %{__os_install_post}                                             \
 bin_path=%{buildroot}%{_bindir}                                  \
-lib_path=%{buildroot}/%{_lib}                                    \
+lib_path=%{buildroot}%{_libdir}                                  \
 for app in %{apps_hmaccalc}; do                                  \
   test -e "$bin_path"/$app || continue                           \
   { %sha512hmac "$bin_path"/$app || exit 1; }                    \\\
@@ -106,35 +123,41 @@ done                                                             \
   "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac               \
 %{nil}
 
-
 Name:           libkcapi
 Version:        %{vmajor}.%{vminor}.%{vpatch}
 Release:        3%{?dist}
 Summary:        User space interface to the Linux Kernel Crypto API
 
 License:        BSD or GPLv2
-URL:            http://www.chronox.de/%{name}.html
-Source0:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
-Source1:        http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
+URL:            https://www.chronox.de/%{name}.html
+Source0:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
+Source1:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
 Source2:        sha512hmac-openssl.sh
 Source3:        fipshmac-openssl.sh
 
-Patch0:         %{giturl}/commit/b612c52c5ccf.patch#/000-Kern-5.8-fix-MSG_MORE-usage.patch
+Patch1:         0001-Use-GCCs-__symver__-attribute.patch
 
 BuildRequires:  bash
-BuildRequires:  clang
 BuildRequires:  coreutils
-BuildRequires:  cppcheck
-BuildRequires:  docbook-utils-pdf
 BuildRequires:  gcc
-BuildRequires:  git
+BuildRequires:  git-core
 BuildRequires:  hardlink
 BuildRequires:  kernel-headers >= %{min_kernel_ver}
 BuildRequires:  libtool
+BuildRequires:  make
 BuildRequires:  openssl
 BuildRequires:  perl-interpreter
 BuildRequires:  systemd
 BuildRequires:  xmlto
+%if %{with doc}
+BuildRequires:  docbook-utils-pdf
+%endif
+%if %{with clang_sa}
+BuildRequires:  clang
+%endif
+%if %{with cppcheck}
+BuildRequires:  cppcheck
+%endif
 
 # For ownership of %%{_sysctldir}.
 Requires:       systemd
@@ -164,6 +187,7 @@ Requires:       %{name}%{?_isa} == %{version}-%{release}
 Header files for applications that use %{name}.
 
 
+%if %{with doc}
 %package        doc
 Summary:        User documentation for the %{name} package
 BuildArch:      noarch
@@ -174,6 +198,7 @@ Requires:       %{name} == %{version}-%{release}
 
 %description    doc
 User documentation for %{name}.
+%endif
 
 
 %if %{with replace_coreutils}
@@ -306,7 +331,7 @@ EOF
 
 %build
 %configure               \
-  --libdir=/%{_lib}      \
+  --libdir=%{_libdir}  \
   --disable-silent-rules \
   --enable-kcapi-encapp  \
   --enable-kcapi-dgstapp \
@@ -317,9 +342,13 @@ EOF
   --enable-shared        \
   --enable-static        \
   --enable-sum-prefix=   \
-  --enable-sum-dir=/%{_lib} \
+  --enable-sum-dir=%{_libdir} \
   --with-pkgconfigdir=%{_libdir}/pkgconfig
+%if %{with doc}
 %make_build all doc
+%else
+%make_build all man
+%endif
 
 
 %install
@@ -336,8 +365,14 @@ EOF
 %if %{with_sysctl_tweak}
   README.%{distroname_ext}                          \
 %endif
-  README.md CHANGES.md TODO doc/%{name}.p{df,s}
+%if %{with doc}
+  doc/%{name}.p{df,s}                               \
+%endif
+  README.md CHANGES.md TODO
+
+%if %{with doc}
 %{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
+%endif
 
 # Install replacement tools, if enabled.
 %if !%{with replace_coreutils}
@@ -363,11 +398,13 @@ EOF
 # Remove 0-size files.
 %{_bindir}/find %{buildroot} -type f -size 0 -print -delete
 
+%if %{with doc}
 # Make sure all docs have non-exec permissions, except for the dirs.
 %{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \
   %{_bindir}/xargs %{__chmod} -c 0644
 %{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \
   %{_bindir}/xargs %{__chmod} -c 0755
+%endif
 
 # Possibly save some space by hardlinking.
 for d in %{_mandir} %{_pkgdocdir}; do
@@ -377,10 +414,14 @@ done
 
 %check
 # Some basic sanity checks.
-for t in cppcheck scan; do
-  %make_build $t
-done
+%if %{with clang_sa}
+%make_build scan
+%endif
+%if %{with cppcheck}
+%make_build cppcheck
+%endif
 
+%if %{with test}
 # On some arches `/proc/sys/net/core/optmem_max` is lower than 20480,
 # which is the lowest limit needed to run the testsuite.  If that limit
 # is not met, we do not run it.
@@ -389,12 +430,15 @@ done
 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0
 # Real testsuite.
 pushd test
+%if %{with fuzz_test}
 ENABLE_FUZZ_TEST=1 \
+%endif
 NO_32BIT_TEST=1    \
   ./test-invocation.sh
 popd
 %endif
 %endif
+%endif
 
 
 %ldconfig_scriptlets
@@ -404,10 +448,10 @@ popd
 %doc %dir %{_pkgdocdir}
 %doc %{_pkgdocdir}/README.md
 %license COPYING*
-/%{_lib}/%{name}.so.%{vmajor}
-/%{_lib}/%{name}.so.%{version}
-/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac
-/%{_lib}/fipscheck/%{name}.so.%{version}.hmac
+%{_libdir}/%{name}.so.%{vmajor}
+%{_libdir}/%{name}.so.%{version}
+%{_libdir}/fipscheck/%{name}.so.%{vmajor}.hmac
+%{_libdir}/fipscheck/%{name}.so.%{version}.hmac
 %if %{with_sysctl_tweak}
 %doc %{_pkgdocdir}/README.%{distroname_ext}
 %{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
@@ -419,39 +463,41 @@ popd
 %doc %{_pkgdocdir}/TODO
 %{_includedir}/kcapi.h
 %{_mandir}/man3/kcapi_*.3.*
-/%{_lib}/%{name}.so
+%{_libdir}/%{name}.so
 %{_libdir}/pkgconfig/%{name}.pc
 
 
+%if %{with doc}
 %files          doc
 %doc %{_pkgdocdir}/html
 %doc %{_pkgdocdir}/%{name}.pdf
 %doc %{_pkgdocdir}/%{name}.ps
+%endif
 
 
 %if %{with replace_coreutils}
 %files          checksum
 %{_bindir}/md5sum
 %{_bindir}/sha*sum
-/%{_lib}/fipscheck/md5sum.hmac
-/%{_lib}/fipscheck/sha*sum.hmac
+%{_libdir}/fipscheck/md5sum.hmac
+%{_libdir}/fipscheck/sha*sum.hmac
 %endif
 
 %if %{with replace_fipscheck}
 %files          fipscheck
 %{_bindir}/fips*
-/%{_lib}/fipscheck/fips*.hmac
+%{_libdir}/fipscheck/fips*.hmac
 %endif
 
 %if %{with replace_hmaccalc}
 %files          hmaccalc
 %{_bindir}/sha*hmac
-/%{_lib}/hmaccalc/sha*hmac.hmac
+%{_libdir}/hmaccalc/sha*hmac.hmac
 %endif
 
 
 %files          static
-/%{_lib}/%{name}.a
+%{_libdir}/%{name}.a
 
 
 %files          tools
@@ -466,6 +512,37 @@ popd
 
 
 %changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.1-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jul 15 2021 Simo Sorce <simo@redhat.com> - 1.3.1-2
+- Bring back usage of %{_libdir} instead of /%{_lib}
+- Resolves: rhbz#1982620
+
+* Wed Jul 14 2021 Simo Sorce <simo@redhat.com> - 1.3.1-1
+- Update to new upstream release 1.3.1
+- This fixes ABI issues and incorporates previous patches
+
+* Mon Jul 12 2021 Simo Sorce <simo@redhat.com> - 1.3.0-1
+- Update to new upstream release 1.3.0
+
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.1-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.1-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 15 2021 Sahana Prasad <sahana@redhat.com> - 1.2.1-1
+- Update to upstream version 1.2.1
+- Remove patch fix MSG_MORE uasge as it is added upstream
+- Remove cppcheck dependency for rhel bz#1931518
+- Add a patch to fix fuzz tests
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Fri Aug 14 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.2.0-3
 - Require perl-interpreter instead of full perl
 - Backport fix for 5.9 kernels

sources

@@ -1,2 +1,2 @@
-SHA512 (libkcapi-1.2.0.tar.xz) = f097aac4fb06d0e0a7f62376506caa2d4cdb03572be89286ff335684f9a10285ffea4b3cfb37fd49e51435aa6636256aa12f0cf970fd48b1358aace8ac14b289
-SHA512 (libkcapi-1.2.0.tar.xz.asc) = 336769b04c75ee23d4cae98697a6ea14e5bd244bcefaa2396d80dab95538620c9353100685bd0568f61b8dfa3089c6ff7e4fdcdde949012ba0d7fe6aac650577
+SHA512 (libkcapi-1.3.1.tar.xz) = 2240e5410e1df4b54f42182bf294ac13d82fd78d60466cafef7644bf7c9144c064ba1fd78d110d66bc41fd220ad2f211081eb64a0da5c8740716a3146d72ba30
+SHA512 (libkcapi-1.3.1.tar.xz.asc) = fb5f85401921e884e7eb7b989baed2c98371a90b61056c929bf8348e7864fc001b67d7e5bf5f799d61befbefa6ab60b296c1d781fc30069936edc3eb40134954