rpms/libkcapi
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c8s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:imports/c10s/libkcapi-1.5.0-3.el10
rpms:imports/c10s/libkcapi-1.5.0-1.el10
rpms:imports/c10s/libkcapi-1.5.0-2.el10
rpms:imports/c10s/libkcapi-1.4.0-14.el10
rpms:imports/c8/libkcapi-1.4.0-2.el8
rpms:imports/c9/libkcapi-1.4.0-2.el9
rpms:imports/c9/libkcapi-1.3.1-3.el9
rpms:imports/c9-beta/libkcapi-1.3.1-3.el9
rpms:imports/c8-beta/libkcapi-1.2.0-2.el8
rpms:imports/c8-beta/libkcapi-1.1.1-16_1.el8
rpms:imports/c8s/libkcapi-1.2.0-2.el8
rpms:imports/c8s/libkcapi-1.1.5-3.el8
rpms:imports/c8/libkcapi-1.2.0-2.el8
rpms:imports/c8/libkcapi-1.1.1-16_1.el8
..
compare: rpms:c10s
Branches Tags
rpms:c10s
rpms:c8s
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:imports/c10s/libkcapi-1.5.0-3.el10
rpms:imports/c10s/libkcapi-1.5.0-1.el10
rpms:imports/c10s/libkcapi-1.5.0-2.el10
rpms:imports/c10s/libkcapi-1.4.0-14.el10
rpms:imports/c8/libkcapi-1.4.0-2.el8
rpms:imports/c9/libkcapi-1.4.0-2.el9
rpms:imports/c9/libkcapi-1.3.1-3.el9
rpms:imports/c9-beta/libkcapi-1.3.1-3.el9
rpms:imports/c8-beta/libkcapi-1.2.0-2.el8
rpms:imports/c8-beta/libkcapi-1.1.1-16_1.el8
rpms:imports/c8s/libkcapi-1.2.0-2.el8
rpms:imports/c8s/libkcapi-1.1.5-3.el8
rpms:imports/c8/libkcapi-1.2.0-2.el8
rpms:imports/c8/libkcapi-1.1.1-16_1.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

18 changed files with 368 additions and 987 deletions
Show Stats Expand all files Collapse all files

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

4
.gitignore vendored
View File

@ -1 +1,3 @@
SOURCES/libkcapi-1.4.0.tar.xz /libkcapi-*.tar.xz
/libkcapi-*.tar.xz.asc
/*.src.rpm

1
.libkcapi.metadata
View File

@ -1 +0,0 @@
526dca7d8eb8ddc29395f0716ba1233e27bf2ab5 SOURCES/libkcapi-1.4.0.tar.xz

3
README.md Normal file
View File

@ -0,0 +1,3 @@
# libkcapi
The libkcapi package

40
SOURCES/001-tests-kernel-version.patch
View File

@ -1,40 +0,0 @@
From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 15 Aug 2022 10:19:50 +0200
Subject: [PATCH] tests: fix overly-optimistic kernel version checks
The mainline kernel is now at version 6.0 so these >= 5.99 checks are
now incorrectly enabling tests that don't work. Instead of bumping the
imaginary version and face the same problem again in a couple years,
replace the checks with 'false' and a TODO comment.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
test/test.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/test/test.sh b/test/test.sh
index 1d9be73..a75b802 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1560,7 +1560,8 @@ else
echo_deact "AEAD tests of copied AAD deactivated"
fi
-if $(check_min_kernelver 5 99); then
+# TODO add version check when supported upstream
+if false; then
asymfunc 4
asymfunc 4 -s
asymfunc 4 -v
@@ -1583,7 +1584,8 @@ else
echo_deact "All asymmetric tests deactivated"
fi
-if $(check_min_kernelver 5 99); then
+# TODO add version check when supported upstream
+if false; then
kppfunc 13
kppfunc 13 X -m
kppfunc 13 -v

74
SOURCES/002-fips-disable-ansi_cprng.patch
View File

@ -1,74 +0,0 @@
From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Fri, 11 Aug 2023 12:20:22 +0200
Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
test/kcapi-main.c | 45 ++++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
index 67fb53f..23fc8ed 100644
--- a/test/kcapi-main.c
+++ b/test/kcapi-main.c
@@ -652,8 +652,6 @@ static int is_fips_mode(void)
static int auxiliary_tests(void)
{
struct kcapi_handle *handle = NULL;
- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)"
- : "ansi_cprng";
int ret = 0;
if (kcapi_aead_init(&handle, "ccm(aes)", 0)) {
@@ -711,27 +709,28 @@ static int auxiliary_tests(void)
if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0))
ret++;
- /* X9.31 RNG must require seed */
- printf("X9.31 missing seeding: ");
- if (!aux_test_rng(ansi_cprng_name, NULL, 0))
- ret++;
- /* X9.31 seed too short */
- printf("X9.31 insufficient seeding: ");
- if (!aux_test_rng(ansi_cprng_name,
- (uint8_t *)
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
- ret++;
- /* X9.31 seed right sized short */
- if (aux_test_rng(ansi_cprng_name,
- (uint8_t *)
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
- printf("Error for %s: kernel module ansi_cprng present?\n",
- ansi_cprng_name);
- ret++;
+ if (!is_fips_mode()) {
+ /* X9.31 RNG must require seed */
+ printf("X9.31 missing seeding: ");
+ if (!aux_test_rng("ansi_cprng", NULL, 0))
+ ret++;
+ /* X9.31 seed too short */
+ printf("X9.31 insufficient seeding: ");
+ if (!aux_test_rng("ansi_cprng",
+ (uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
+ ret++;
+ /* X9.31 seed right sized short */
+ if (aux_test_rng("ansi_cprng",
+ (uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
+ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n");
+ ret++;
+ }
}
return ret;

58
SOURCES/003-zeroize-hasher.patch
View File

@ -1,58 +0,0 @@
From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 1 Nov 2023 10:54:03 +0100
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Requirement introduced by AS05.10:
"The temporary value(s) generated during the integrity test of the
modules software or firmware shall [05.10] be zeroised from the module
upon completion of the integrity test;"
As some modules use fipscheck or sha*hmac for integrity tests, these
temporary values need to be zeroised from the hasher.
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
apps/kcapi-hasher.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 098b655..f5caf77 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
if (hashlen > (uint32_t)ret) {
fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
(unsigned long)hashlen, ret);
+ kcapi_memset_secure(md, 0, sizeof(md));
return (int)ret;
}
@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
ret = 1;
else
ret = 0;
+ kcapi_memset_secure(compmd, 0, sizeof(compmd));
} else {
if (outfile == NULL) { /* only print hash (hmaccalc -S) */
bin2print(md, hashlen, NULL, stdout,
@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
filename ? filename : "stdin", ret);
}
+ kcapi_memset_secure(md, 0, sizeof(md));
return (int)ret;
}
@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
if (file)
fclose(file);
kcapi_md_destroy(handle);
+ kcapi_memset_secure(buf, 0, sizeof(buf));
/*
* If we found no lines to check, return an error.

185
SOURCES/004-hasher-target-option.patch
View File

@ -1,185 +0,0 @@
diff --color -ruNp a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
--- a/apps/kcapi-hasher.c 2023-11-28 17:08:09.124214489 +0100
+++ b/apps/kcapi-hasher.c 2023-11-28 17:11:12.975963482 +0100
@@ -140,15 +140,17 @@ static void usage(char *name, int fipsch
if (fipscheck)
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
else {
- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base);
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
}
fprintf(stderr, "\nOptions:\n");
fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
- if (!fipscheck)
+ if (!fipscheck) {
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
+ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n");
+ }
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n");
fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n");
@@ -530,11 +532,12 @@ static int hash_files(const struct hash_
#define CHK_STATUS (2)
static int process_checkfile(const struct hash_params *params,
- const char *checkfile, const char *targetfile, int log)
+ const char *checkfile, const char *targetfile, int log, int fipscheck)
{
FILE *file = NULL;
int ret = 0;
int checked_any = 0;
+ int failed_any = 0;
struct kcapi_handle *handle;
const char *hashname = params->name.kcapiname;
@@ -570,7 +573,7 @@ static int process_checkfile(const struc
}
while (fgets(buf, sizeof(buf), file)) {
- char *filename = NULL; // parsed file name
+ const char *filename = NULL; // parsed file name
char *hexhash = NULL; // parsed hex value of hash
uint32_t hexhashlen = 0; // length of hash hex value
uint32_t linelen = (uint32_t)strlen(buf);
@@ -645,17 +648,7 @@ static int process_checkfile(const struc
goto out;
}
- /* fipscheck does not have the filename in the check file */
- if (targetfile) {
- ret = hasher(handle, params, targetfile,
- hexhash, hexhashlen, stdout);
- checked_any = 1;
- goto out;
- }
-
if (filename) {
- int r;
-
if (!bsd_style) {
if (!isblank(filename[0]) ||
(!isblank(filename[1]) && filename[1] != '*')) {
@@ -665,20 +658,29 @@ static int process_checkfile(const struc
}
filename += 2;
}
+ }
+
+ /*
+ * if targetfile is specified, use it instead of the filename
+ * found inside the checkfile
+ */
+ if (targetfile)
+ filename = targetfile;
- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
+ if (filename) {
+ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
+ checked_any = 1;
+ if (fipscheck)
+ goto out;
- if (r == 0) {
+ if (ret == 0) {
if (log < CHK_QUIET)
printf("%s: OK\n", filename);
} else {
+ failed_any = 1;
if (log < CHK_STATUS)
- printf("%s: Not OK\n",
- filename);
- if (ret >= 0)
- ret++;
+ printf("%s: Not OK\n", filename);
}
- checked_any = 1;
}
}
@@ -692,7 +694,7 @@ out:
* If we found no lines to check, return an error.
* (See https://pagure.io/hmaccalc/c/1afb99549816192eb8e6bc8101bc417c2ffa764c)
*/
- return ret != 0 ? ret : !checked_any;
+ return ret != 0 ? ret : !(checked_any && !failed_any);
}
@@ -770,7 +772,7 @@ static int fipscheck_self(const struct h
goto out;
}
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1);
if (ret)
goto out;
}
@@ -810,7 +812,7 @@ static int fipscheck_self(const struct h
goto out;
}
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1);
}
out:
@@ -866,12 +868,13 @@ int main(int argc, char *argv[])
{0, 0, 0, 0}
};
- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz";
+ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz";
static const struct option opts[] = {
{"help", 0, 0, 0},
{"tag", 0, 0, 0},
{"quiet", 0, 0, 0},
{"check", 1, 0, 'c'},
+ {"target", 1, 0, 'T'},
{"unkeyed", 0, 0, 'u'},
{"hash", 1, 0, 'h'},
{"truncate", 1, 0, 't'},
@@ -1124,6 +1127,9 @@ int main(int argc, char *argv[])
version(argv[0]);
ret = 0;
goto out;
+ case 'T':
+ targetfile = optarg;
+ break;
case 'd':
checkdir = optarg;
break;
@@ -1180,6 +1186,11 @@ int main(int argc, char *argv[])
ret = 1;
goto out;
}
+ if (targetfile) {
+ fprintf(stderr, "-T is not valid for fipscheck\n");
+ ret = 1;
+ goto out;
+ }
targetfile = argv[optind];
if (checkfile)
@@ -1192,12 +1203,18 @@ int main(int argc, char *argv[])
optind++;
}
+ if (targetfile && !checkfile) {
+ fprintf(stderr, "-T cannot be used without -c\n");
+ ret = 1;
+ goto out;
+ }
+
if (!checkfile)
ret = hash_files(&params, argv + optind,
(uint32_t)(argc - optind),
fipshmac, checkdir, 0);
else if (optind == argc)
- ret = process_checkfile(&params, checkfile, targetfile, loglevel);
+ ret = process_checkfile(&params, checkfile, targetfile, loglevel, fipscheck);
else {
fprintf(stderr, "-c cannot be used with input files\n");
ret = 1;

320
SOURCES/005-fips-mode-tests.patch
View File

@ -1,320 +0,0 @@
From 8dc30412618019f5480f993c637e4cf0f5a11a39 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Tue, 28 Nov 2023 09:34:29 +0100
Subject: [PATCH] Fix kcapi tests in FIPS mode
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
test/hasher-test.sh | 23 +++++++++++---
test/kcapi-convenience.c | 2 +-
test/kcapi-dgst-test.sh | 16 +++++-----
test/kcapi-enc-test.sh | 16 +++++-----
test/test.sh | 67 ++++++++++++++++++++++++++++++----------
5 files changed, 86 insertions(+), 38 deletions(-)
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
index c90fcc9..e97127e 100755
--- a/test/hasher-test.sh
+++ b/test/hasher-test.sh
@@ -26,6 +26,11 @@ HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
CHKFILE="${TMPDIR}/chk.$$"
ANOTHER="${TMPDIR}/test.$$"
+is_fips_enabled()
+{
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
+}
+
if [ "$KCAPI_TEST_LOCAL" -eq 1 ]; then
find_platform kcapi-hasher
function run_hasher() {
@@ -365,7 +370,11 @@ fi
for suffix in $KAT_SUFFIXES
do
run_kat sha1$suffix "RFC 2202, section 3, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb617318655057264e28bc0b6fb378c8ef146be00
- run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
+ if is_fips_enabled; then
+ echo_deact "'RFC 2202, section 3, #2' test case deactivated in FIPS"
+ else
+ run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
+ fi
run_kat sha1$suffix "RFC 2202, section 3, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3
run_kat sha1$suffix "RFC 2202, section 3, #4" 0x0102030405060708090a0b0c0d0e0f10111213141516171819 0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da
run_kat sha1$suffix "RFC 2202, section 3, #5" 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c "Test With Truncation" 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
@@ -374,9 +383,15 @@ do
run_kat sha256$suffix "RFC 4231, section 4.2, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
run_kat sha384$suffix "RFC 4231, section 4.2, #2" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xafd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6
run_kat sha512$suffix "RFC 4231, section 4.2, #3" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0x87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854
- run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
- run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
- run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
+ if is_fips_enabled; then
+ echo_deact "'RFC 4231, section 4.3, #1' test case deactivated in FIPS"
+ echo_deact "'RFC 4231, section 4.3, #2' test case deactivated in FIPS"
+ echo_deact "'RFC 4231, section 4.3, #3' test case deactivated in FIPS"
+ else
+ run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
+ run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
+ run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
+ fi
run_kat sha256$suffix "RFC 4231, section 4.4, #1" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe
run_kat sha384$suffix "RFC 4231, section 4.4, #2" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27
run_kat sha512$suffix "RFC 4231, section 4.4, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0xfa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb
diff --git a/test/kcapi-convenience.c b/test/kcapi-convenience.c
index c5ff4b4..1cdaebe 100644
--- a/test/kcapi-convenience.c
+++ b/test/kcapi-convenience.c
@@ -63,7 +63,7 @@ static int hashtest(void)
static int hmactest(void)
{
- char *in = "teststring";
+ char *in = "longteststring";
uint8_t out[64];
ssize_t ret;
diff --git a/test/kcapi-dgst-test.sh b/test/kcapi-dgst-test.sh
index 0ad5ed3..67576b3 100755
--- a/test/kcapi-dgst-test.sh
+++ b/test/kcapi-dgst-test.sh
@@ -105,8 +105,8 @@ test_stdin_stdout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "STDIN / STDOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
diff_file $GENDGST $GENDGST.2 "STDIN / STDOUT test (password)"
}
@@ -135,8 +135,8 @@ test_stdin_fileout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "STDIN / FILEOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
diff_file $GENDGST $GENDGST.2 "STDIN / FILEOUT test (password)"
}
@@ -165,8 +165,8 @@ test_filein_stdout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "FILEIN / STDOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
diff_file $GENDGST $GENDGST.2 "FILEIN / STDOUT test (password)"
}
@@ -197,8 +197,8 @@ test_filein_fileout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "FILEIN / FILEOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
diff_file $GENDGST $GENDGST.2 "FILEIN / FILEOUT test (password)"
}
diff --git a/test/kcapi-enc-test.sh b/test/kcapi-enc-test.sh
index 3ace39c..63d2b23 100755
--- a/test/kcapi-enc-test.sh
+++ b/test/kcapi-enc-test.sh
@@ -163,8 +163,8 @@ test_stdin_stdout()
diff_file $GENCT $GENCT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
diff_file $ORIGPT $GENPT "STDIN / STDOUT enc test (password)"
}
@@ -195,8 +195,8 @@ test_stdin_fileout()
diff_file $GENCT $GENCT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
diff_file $ORIGPT $GENPT "STDIN / FILEOUT enc test (password)"
}
@@ -227,8 +227,8 @@ test_filein_stdout()
diff_file $GENCT $GENCT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
diff_file $ORIGPT $GENPT "FILEIN / STDOUT enc test (password)"
}
@@ -271,8 +271,8 @@ test_filein_fileout()
diff_file $GENCT $GENCT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
diff_file $ORIGPT $GENPT "FILEIN / FILEOUT enc test (password)"
}
diff --git a/test/test.sh b/test/test.sh
index b889335..e07589e 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -450,27 +450,27 @@ PBKDF_exp_7="133a4ce837b4d2521ee2bf03e11c71ca794e0797"
PBKDF_name_8="hmac(sha256)"
PBKDF_salt_8="73616c74"
-PBKDF_pw_8="70617373776f7264"
+PBKDF_pw_8="70617373776f726470617373776f7264"
PBKDF_count_8=4096
-PBKDF_exp_8="c5e478d59288c841aa530db6845c4c8d962893a0"
+PBKDF_exp_8="9cefdbeb6abaaf0e0b6fa3fb5bc9f2b8301d6aca"
PBKDF_name_9="hmac(sha224)"
PBKDF_salt_9="73616c74"
-PBKDF_pw_9="70617373776f7264"
+PBKDF_pw_9="70617373776f726470617373776f7264"
PBKDF_count_9=4096
-PBKDF_exp_9="218c453bf90635bd0a21a75d172703ff6108ef60"
+PBKDF_exp_9="624f7dd223ae0bd8d46a69b27f84e703e7dadd70"
PBKDF_name_10="hmac(sha384)"
PBKDF_salt_10="73616c74"
-PBKDF_pw_10="70617373776f7264"
+PBKDF_pw_10="70617373776f726470617373776f7264"
PBKDF_count_10=4096
-PBKDF_exp_10="559726be38db125bc85ed7895f6e3cf574c7a01c"
+PBKDF_exp_10="2c34a3242a138933c63fce6d827e4acf57ef528d"
PBKDF_name_11="hmac(sha512)"
PBKDF_salt_11="73616c74"
-PBKDF_pw_11="70617373776f7264"
+PBKDF_pw_11="70617373776f726470617373776f7264"
PBKDF_count_11=4096
-PBKDF_exp_11="d197b1b33db0143e018b12f3d1d1479e6cdebdcc"
+PBKDF_exp_11="299ae1f55743f2cb81be4a417b878ab32374660b"
PBKDF_name_12="cmac(aes)"
PBKDF_salt_12="73616c74"
@@ -480,9 +480,9 @@ PBKDF_exp_12="c4c112c6e1e3b8757640603dec78825ff87605a7"
PBKDF_name_13="hmac(sha512)"
PBKDF_salt_13="73616c74"
-PBKDF_pw_13="70617373776f7264"
+PBKDF_pw_13="70617373776f726470617373776f7264"
PBKDF_count_13=4096
-PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5d6883f0be4c24d363b638f4c2f8d917533cd4158937d0b490697a64adadb07f180c323080a7368033eeadf9e612b2e"
+PBKDF_exp_13="299ae1f55743f2cb81be4a417b878ab32374660b17f5b328662e56296582e8a285c307947b41e00fed812c978212394574f57756c481b3d64cc91659f75a468383bcad1e25f2b85c15f8ac7004484889081eb91001b0feab9b12dd51e001491c795bdf45ff880ffe493e7acdd91f1a"
###########################################################################
###########################################################################
@@ -491,9 +491,9 @@ PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b514
#RFC 5869 Appendix A vectors
HKDF_name_1="hmac(sha256)"
HKDF_ikm_1="0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"
-HKDF_salt_1="000102030405060708090a0b0c"
+HKDF_salt_1="000102030405060708090a0b0c0d"
HKDF_info_1="f0f1f2f3f4f5f6f7f8f9"
-HKDF_exp_1="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
+HKDF_exp_1="cb95d056d6ba6f084df0a03a3317bcca7f83773204b76f527f4f06736168a52bbcd88869a3a4e7972dcd"
HKDF_name_2="hmac(sha256)"
HKDF_ikm_2="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"
@@ -555,6 +555,11 @@ KPP_exp_2="78fbd4d1ed7ea6fc8f1e1a6f8a5c750845401589ad3c135088b4ec78f54c57b436d1a
###########################################################################
###########################################################################
+is_fips_enabled()
+{
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
+}
+
# Test required for test with multiple IOVECs on i686
check_memory() {
if [ $(cat /proc/sys/net/core/optmem_max) -lt $1 ]
@@ -576,7 +581,14 @@ check_memory_soft() {
hashfunc()
{
stream=$1
- HASHEXEC="1 2 3 4 5 6 7 8 9"
+
+ if is_fips_enabled; then
+ echo_deact "Hash tests using 3DES are disabled in FIPS"
+ HASHEXEC="2 3 4 5 6 7 8 9"
+ else
+ HASHEXEC="1 2 3 4 5 6 7 8 9"
+ fi
+
for i in $HASHEXEC
do
eval HASH_name=\$HASH_name_$i
@@ -630,7 +642,12 @@ symfunc()
aligned=$3
aiofallback=$4
- SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
+ if is_fips_enabled; then
+ echo_deact "Symmetric tests using 3DES are disabled in FIPS"
+ SYMEXEC="1 2 3 8 9 10 11 12"
+ else
+ SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
+ fi
if [ x"$stream" = x"X" ]
then
@@ -666,7 +683,11 @@ symfunc()
# Disable XTS tests for multi-threading due to the issue
# discussed in https://github.com/smuellerDD/libkcapi/issues/92
- SYMEXEC="1 2 3 4 5 6 7"
+ if is_fips_enabled; then
+ SYMEXEC="1 2 3"
+ else
+ SYMEXEC="1 2 3 4 5 6 7"
+ fi
else
sout="one shot"
fi
@@ -1148,7 +1169,13 @@ pbkdftest()
{
aligned=$1
- PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
+ if is_fips_enabled; then
+ echo_deact "PBKDF tests using SHA1 are disabled in FIPS"
+ PBKDFEXEC="8 9 10 11 12 13"
+ else
+ PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
+ fi
+
for i in $PBKDFEXEC
do
eval PBKDF_name=\$PBKDF_name_$i
@@ -1185,7 +1212,13 @@ hkdftest()
{
aligned=$1
- HKDFEXEC="1 2 3 4 5 6 7"
+ if is_fips_enabled; then
+ echo_deact "HKDF tests using SHA1 and zero length salts are disabled in FIPS"
+ HKDFEXEC="1 2"
+ else
+ HKDFEXEC="1 2 3 4 5 6 7"
+ fi
+
for i in $HKDFEXEC
do
eval HKDF_name=\$HKDF_name_$i

11
SOURCES/libkcapi-1.4.0.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmISvaAACgkQQh7pNjJq
wVv6jggAh7UpchOXZ1THbDZ0PE+YGWSr3Y3qKHMls9ixNn/RDSYxPvyZqc6pIAKQ
zVA6bGtB9kqcSexmrk2EyiUYgi1lo+5HwsfAfHBQaq7vD1S8Q/FYx/XVRv2GQfkj
/E1ivlcdcInlpn+vu+7Hei+H/IXtETh8QPwGwRI1Je84pIt7K4K4VPwWpur0su6E
oF1AFT6ldlMczsoDTCi3eP3rZWKvMmX5718W9F6eKuTkKoIiipCUxdMBy4f6YpDB
1ZmQPHjSgG4URlclQnFiGXYAbMBRHYfguJRl/HjZWSQMigRzqGSdvJR8wrfMeQzr
Bk0z0nGayzHgcC7gPz8CsAMJj5C9eQ==
=OA3o
-----END PGP SIGNATURE-----

247
changelog Normal file
View File

@ -0,0 +1,247 @@
* Sat Aug 13 2022 Ondrej Mosnáček <omosnace@redhat.com> - 1.4.0-2
- Switch to rpmautospec
* Sat Aug 13 2022 Ondrej Mosnáček <omosnace@redhat.com> - 1.4.0-1
- Update to upstream version 1.4.0
- Re-enable cppcheck scanning on Fedora
- Resolves: rhbz#2056732
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Simo Sorce <simo@redhat.com> - 1.3.1-2
- Remove LTO build suppression by using better symver machinery
* Wed Jul 14 2021 Simo Sorce <simo@redhat.com> - 1.3.1-1
- Update to upstream version 1.3.1 which fixes ABI issues
* Mon Jul 12 2021 Simo Sorce <simo@redhat.com> - 1.3.0-1
- Update to upstream version 1.3.0
* Mon Mar 15 2021 Sahana Prasad <sahana@redhat.com> - 1.2.1-1
- Update to upstream version 1.2.1
- Remove patch fix MSG_MORE uasge as it is added upstream
- Remove cppcheck dependency for rhel bz#1931518
- Add a patch to fix fuzz tests
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Aug 14 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.2.0-3
- Require perl-interpreter instead of full perl
- Backport fix for 5.9 kernels
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 25 2020 Sahana Prasad <omosnace@redhat.com> - 1.2.0-1
- Update to upstream version 1.2.0 tracked by BZ 1839592.
- Enable kcapi-enc tests as libkcapi BZ 1826022 is fixed.
- Remove 110-fipshmac-compat.patch as the changes are merged upstream.
- Remove 100-workaround-cppcheck-bug.patch as the changes are merged upstream.
* Tue May 05 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.5-5
- Fix the CI test failures
- Enable building on old kernels
- Avoid conflicts between different versions of packages
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> - 1.1.5-4
- Add . prefix to files created by fipshmac if -d option is not specified
* Wed Apr 22 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-3
- Disables kcapi-enc tests until the kernel bug bz 1826022 is fixed.
- Produce also the fipscheck replacement package
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Aug 13 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.5-1
- Update to upstream version 1.1.5
* Sat Jul 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-6
- Backport patch to fix test failure on aarch64
- Remove no longer needed ppc64 workaround
* Sat Jul 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-5
- Backport patch to fix tests
* Thu Jul 25 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-4
- Work around cppcheck issue
- Enable gating
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon May 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-2
- Fix FTBFS: hardlink is now in bindir
* Sat Feb 02 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-1
- Update to upstream version 1.1.4
* Fri Feb 01 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.3-3
- Fix build with new GCC
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Aug 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.3-1
- Update to upstream version 1.1.3
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16
- Add missing dependencies to the tests package
- Update patch from upstream
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15
- Build and tests require perl
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14
- Add missing script to the 'tests' package
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13
- Add missing requires to the 'tests' subpackage
* Tue Aug 07 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12
- Produce a subpackage with test scripts
- Build the 'tests' subpackage conditionally
* Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11
- Add patch to fix unwanted closing of FD 0
* Tue Jul 31 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-10
- Remove the kernel headers workaround
* Fri Jul 27 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.1.1-9
- Rebuild for new binutils
* Fri Jul 27 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-8
- Add more Coverity fixes from upstream
- Add patch to fix AEAD fuzz test for BE arches
- Fixup specfile
* Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7
- Add various fixes from upstream
- Drop the Requires on kernel package
* Mon Jul 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-6
- Put .hmac files into a separate directory
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-4
- Add patch to work around FTBFS on rawhide
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3
- Fix off-by-one error in checkfile parsing
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2
- Fix command-line parsing in libkcapi-hmaccalc
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1
- Update to upstream version 1.1.1
* Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5
- Skip CLang static analysis in RHEL
- Revert "Skip CLang static analysis in RHEL"
- Use own sha512hmac and fipscheck
* Wed May 02 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-4
- Fix description lines being too long
* Fri Apr 27 2018 Björn Esser <besser82@fedoraproject.org> - 1.1.0-3
- Fix conditional for hmaccalc replacement
* Mon Apr 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-2
- Enable hmaccalc replacements in Fedora 28+
* Thu Apr 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-1
- Update to upstream version 1.1.0
* Sat Mar 31 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-10
- Replace single patches with a monolitic one from upstream
- Obsolete replacements subpackage
- Ignore failing tests on %%{power64} temporarily
* Thu Mar 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.0.3-9
- Split up the replacements subpackage
* Mon Feb 26 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-8
- Increase optmem_max preset to 81920
* Mon Feb 26 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-7
- Obsoletes work by package name, not by provides (rhbz#1537225)
* Sun Feb 25 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-6
- Add patch to fix a copy-paste typo
* Sat Feb 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-5
- Add patch to fix build with -Werror
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org>
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Feb 04 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-3
- Switch to %%ldconfig_scriptlets
* Wed Jan 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-2
- Decrease optmem_max preset to 40960
- Let the build fail, if the minimum kernel version cannot be met
- Conditionalize the sysctl.d tweak on version of the kernel
- Conditionalize the name of README.distro on the distro
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-1
- Initial import (rhbz#1533929)
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.13
- Increase optmem_max preset to 81920
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.12
- Add sysctl.d preset and README.fedora
* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.11
- Make the contents of the -replacements package configurable
* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.10
- Fix Obsoletes of the -replacements package
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.9
- Disable the -replacements package until we have a plan for it
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.8
- Move the kcapi-hasher binary to -replacements package, since it is
not of much use without the linked invocation names and saves the
extra Requires on the -tools package
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.7
- Fix internal Requires of sub-packages
- Hardlink files in %%{_bindir}
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.6
- Add patches from upstream
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.5
- Add patches from upstream
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.4
- Asume the testsuite cannot be run, if the value of optmem_max cannot
be obtained
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.3
- Move libraries to /%%{_lib} instead of %%{_libdir}, which is useful
during boot when the library might be needed before a potentially
seperate /usr partition is mounted
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.2
- Asume optmem_max is at least 20480, if the real value cannot be obtained
* Fri Jan 12 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.1
- New upstream release
* Wed Jan 10 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.2-0.1
- Initial rpm release (rhbz#1533929)

1
ci.fmf Normal file
View File

@ -0,0 +1 @@
resultsdb-testcase: separate

0
SOURCES/fipshmac-openssl.sh → fipshmac-openssl.sh
View File

9
gating.yaml Normal file
View File

@ -0,0 +1,9 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}

376
SPECS/libkcapi.spec → libkcapi.spec
View File

@ -1,6 +1,6 @@
# Shared object version of libkcapi. # Shared object version of libkcapi.
%global vmajor 1 %global vmajor 1
%global vminor 4 %global vminor 5
%global vpatch 0 %global vpatch 0
# Do we build the replacements packages? # Do we build the replacements packages?
@ -84,8 +84,9 @@
%global hmaccalc_evr 0.9.14-10%{?dist} %global hmaccalc_evr 0.9.14-10%{?dist}
%endif %endif
%global apps_coreutils sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac %global apps_fipscheck fipscheck fipshmac
# On old kernels use mock hashers implemented via openssl # On old kernels use mock hashers implemented via openssl
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
@ -96,50 +97,35 @@
%global fipshmac bash %{SOURCE3} %global fipshmac bash %{SOURCE3}
%endif %endif
# Add generation of HMAC checksums of the final stripped # Add generation of HMAC checksum of the final stripped
# binaries. %%define with lazy globbing is used here # binary. %%define with lazy globbing is used here
# intentionally, because using %%global does not work. # intentionally, because using %%global does not work.
%define __spec_install_post \ %define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \ %{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \ %{__arch_install_post} \
%{__os_install_post} \ %{__os_install_post} \
bin_path=%{buildroot}%{_bindir} \ bin_path=%{buildroot}%{_bindir} \
lib_path=%{buildroot}/%{_lib} \ lib_path=%{buildroot}%{_libdir} \
for app in %{apps_hmaccalc}; do \ { %sha512hmac "$bin_path"/kcapi-hasher || exit 1; } | \\\
test -e "$bin_path"/$app || continue \ cut -f 1 -d ' ' >"$lib_path"/hmaccalc/kcapi-hasher.hmac \
{ %sha512hmac "$bin_path"/$app || exit 1; } \\\ { %sha512hmac "$lib_path"/libkcapi.so.%{version} || exit 1; } | \\\
| cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \ cut -f 1 -d ' ' >"$lib_path"/hmaccalc/libkcapi.so.%{version}.hmac \
done \
for app in %{apps_fipscheck}; do \
test -e "$bin_path"/$app || continue \
%fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \
done \
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
%fipshmac -d "$lib_path"/fipscheck \\\
"$lib_path"/libkcapi.so.%{version} || exit 1 \
%{__ln_s} libkcapi.so.%{version}.hmac \\\ %{__ln_s} libkcapi.so.%{version}.hmac \\\
"$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ "$lib_path"/hmaccalc/libkcapi.so.%{vmajor}.hmac \
%{nil} %{nil}
Name: libkcapi Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch} Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 2%{?dist} Release: %autorelease
Summary: User space interface to the Linux Kernel Crypto API Summary: User space interface to the Linux Kernel Crypto API
License: BSD-3-Clause OR GPL-2.0-only License: BSD-3-Clause OR GPL-2.0-only
URL: https://www.chronox.de/%{name}.html URL: https://www.chronox.de/%{name}/
Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz Source0: https://www.chronox.de/%{name}/releases/%{version}/%{name}-%{version}.tar.xz
Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Source1: https://www.chronox.de/%{name}/releases/%{version}/%{name}-%{version}.tar.xz.asc
Source2: sha512hmac-openssl.sh Source2: sha512hmac-openssl.sh
Source3: fipshmac-openssl.sh Source3: fipshmac-openssl.sh
Patch1: 001-tests-kernel-version.patch
Patch2: 002-fips-disable-ansi_cprng.patch
Patch3: 003-zeroize-hasher.patch
Patch4: 004-hasher-target-option.patch
Patch5: 005-fips-mode-tests.patch
BuildRequires: bash BuildRequires: bash
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: gcc BuildRequires: gcc
@ -193,17 +179,29 @@ Header files for applications that use %{name}.
%if %{with doc} %if %{with doc}
%package doc %package doc
Summary: User documentation for the %{name} package Summary: User documentation for the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release} BuildArch: noarch
# Depend on one of the base packages because they have the license files
# We cannot just bundle them into doc because they might conflict with an
# older or newer version of the base package.
Requires: %{name} == %{version}-%{release}
%description doc %description doc
User documentation for %{name}. User documentation for %{name}.
%endif %endif
%package hasher
Summary: Common %{name} hashing application
Requires: %{name}%{?_isa} == %{version}-%{release}
%description hasher
Provides The kcapi-hasher binary used by other %{name} subpackages.
%if %{with replace_coreutils} %if %{with replace_coreutils}
%package checksum %package checksum
Summary: Drop-in replacement for *sum utils provided by the %{name} package Summary: Drop-in replacement for *sum utils provided by the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release} Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
Requires: coreutils%{?_isa} >= %{coreutils_evr} Requires: coreutils%{?_isa} >= %{coreutils_evr}
@ -219,7 +217,7 @@ coreutils) using %{name}.
%if %{with replace_fipscheck} %if %{with replace_fipscheck}
%package fipscheck %package fipscheck
Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release} Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
Obsoletes: fipscheck <= %{fipscheck_evr} Obsoletes: fipscheck <= %{fipscheck_evr}
@ -235,7 +233,7 @@ package fipscheck) using %{name}.
%if %{with replace_hmaccalc} %if %{with replace_hmaccalc}
%package hmaccalc %package hmaccalc
Summary: Drop-in replacements for hmaccalc provided by the %{name} package Summary: Drop-in replacements for hmaccalc provided by the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release} Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
Obsoletes: hmaccalc <= %{hmaccalc_evr} Obsoletes: hmaccalc <= %{hmaccalc_evr}
@ -260,7 +258,8 @@ is highly discouraged.
%package tools %package tools
Summary: Utility applications for the %{name} package Summary: Utility applications for the %{name} package
Requires: %{name}%{?_isa} == %{version}-%{release} Requires: %{name}%{?_isa} == %{version}-%{release}
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
%description tools %description tools
Utility applications that are provided with %{name}. This includes Utility applications that are provided with %{name}. This includes
@ -291,6 +290,10 @@ Auxiliary scripts for testing %{name}.
%prep %prep
%autosetup -p 1 -S git %autosetup -p 1 -S git
# Work around https://bugzilla.redhat.com/show_bug.cgi?id=2258240
sed -i -e 's|XML V45|XML V4.1.2|' -e 's|/xml/4\.5/|/xml/4.1.2/|' \
lib/doc/libkcapi.tmpl
%if %{with_sysctl_tweak} %if %{with_sysctl_tweak}
%{__cat} << EOF > README.%{distroname_ext} %{__cat} << EOF > README.%{distroname_ext}
This package increases the default limit of the ancillary buffer size This package increases the default limit of the ancillary buffer size
@ -330,7 +333,7 @@ EOF
%build %build
%configure \ %configure \
--libdir=/%{_lib} \ --libdir=%{_libdir} \
--disable-silent-rules \ --disable-silent-rules \
--enable-kcapi-encapp \ --enable-kcapi-encapp \
--enable-kcapi-dgstapp \ --enable-kcapi-dgstapp \
@ -341,7 +344,7 @@ EOF
--enable-shared \ --enable-shared \
--enable-static \ --enable-static \
--enable-sum-prefix= \ --enable-sum-prefix= \
--enable-sum-dir=/%{_lib} \ --enable-sum-dir=%{_libdir} \
--with-pkgconfigdir=%{_libdir}/pkgconfig --with-pkgconfigdir=%{_libdir}/pkgconfig
%if %{with doc} %if %{with doc}
%make_build all doc %make_build all doc
@ -374,20 +377,22 @@ EOF
%endif %endif
# Install replacement tools, if enabled. # Install replacement tools, if enabled.
%if !%{with replace_coreutils} %if %{with replace_coreutils}
%{__rm} -f \ for app in %apps_coreutils; do
%{buildroot}%{_bindir}/md5sum \ %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app
%{buildroot}%{_bindir}/sha*sum \ done
%{buildroot}%{_bindir}/sm*sum
%endif %endif
%if !%{with replace_fipscheck} %if %{with replace_fipscheck}
%{__rm} -f %{buildroot}%{_bindir}/fips* for app in %apps_fipscheck; do
%{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app
done
%endif %endif
%if !%{with replace_hmaccalc} %if %{with replace_hmaccalc}
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac for app in %apps_hmaccalc; do
%{__rm} -f %{buildroot}%{_bindir}/sm*hmac %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app
done
%endif %endif
# We don't ship autocrap dumplings. # We don't ship autocrap dumplings.
@ -409,7 +414,7 @@ EOF
# Possibly save some space by hardlinking. # Possibly save some space by hardlinking.
for d in %{_mandir} %{_pkgdocdir}; do for d in %{_mandir} %{_pkgdocdir}; do
%{_sbindir}/hardlink -cfv %{buildroot}$d %{_bindir}/hardlink -cfv %{buildroot}$d
done done
@ -419,7 +424,11 @@ done
%make_build scan %make_build scan
%endif %endif
%if %{with cppcheck} %if %{with cppcheck}
%make_build cppcheck # -UCHECK_DIR: string literal concatenation raises syntaxError
# with cppcheck-2.11 (https://trac.cppcheck.net/ticket/11830)
# --check-level=exhaustive: otherwise it emits warnings that get
# treated like errors
%make_build cppcheck CPPCHECK="cppcheck --check-level=exhaustive -UCHECK_DIR"
%endif %endif
%if %{with test} %if %{with test}
@ -449,10 +458,10 @@ popd
%doc %dir %{_pkgdocdir} %doc %dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README.md %doc %{_pkgdocdir}/README.md
%license COPYING* %license COPYING*
/%{_lib}/%{name}.so.%{vmajor} %{_libdir}/%{name}.so.%{vmajor}
/%{_lib}/%{name}.so.%{version} %{_libdir}/%{name}.so.%{version}
/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac %{_libdir}/hmaccalc/%{name}.so.%{vmajor}.hmac
/%{_lib}/fipscheck/%{name}.so.%{version}.hmac %{_libdir}/hmaccalc/%{name}.so.%{version}.hmac
%if %{with_sysctl_tweak} %if %{with_sysctl_tweak}
%doc %{_pkgdocdir}/README.%{distroname_ext} %doc %{_pkgdocdir}/README.%{distroname_ext}
%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf %{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
@ -464,7 +473,7 @@ popd
%doc %{_pkgdocdir}/TODO %doc %{_pkgdocdir}/TODO
%{_includedir}/kcapi.h %{_includedir}/kcapi.h
%{_mandir}/man3/kcapi_*.3.* %{_mandir}/man3/kcapi_*.3.*
/%{_lib}/%{name}.so %{_libdir}/%{name}.so
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
@ -476,33 +485,38 @@ popd
%endif %endif
%files hasher
%{_bindir}/kcapi-hasher
%{_libexecdir}/%{name}/md5sum
%{_libexecdir}/%{name}/sha*sum
%{_libexecdir}/%{name}/sm*sum
%{_libexecdir}/%{name}/fips*
%{_libexecdir}/%{name}/sha*hmac
%{_libexecdir}/%{name}/sm*hmac
%{_libdir}/hmaccalc/kcapi-hasher.hmac
%if %{with replace_coreutils} %if %{with replace_coreutils}
%files checksum %files checksum
%{_bindir}/md5sum %{_bindir}/md5sum
%{_bindir}/sha*sum %{_bindir}/sha*sum
%{_bindir}/sm*sum %{_bindir}/sm*sum
/%{_lib}/fipscheck/md5sum.hmac
/%{_lib}/fipscheck/sha*sum.hmac
/%{_lib}/fipscheck/sm*sum.hmac
%endif %endif
%if %{with replace_fipscheck} %if %{with replace_fipscheck}
%files fipscheck %files fipscheck
%{_bindir}/fips* %{_bindir}/fips*
/%{_lib}/fipscheck/fips*.hmac
%endif %endif
%if %{with replace_hmaccalc} %if %{with replace_hmaccalc}
%files hmaccalc %files hmaccalc
%{_bindir}/sha*hmac %{_bindir}/sha*hmac
%{_bindir}/sm*hmac %{_bindir}/sm*hmac
/%{_lib}/hmaccalc/sha*hmac.hmac
/%{_lib}/hmaccalc/sm*hmac.hmac
%endif %endif
%files static %files static
/%{_lib}/%{name}.a %{_libdir}/%{name}.a
%files tools %files tools
@ -512,244 +526,12 @@ popd
%if %{with test_package} %if %{with test_package}
%files tests %files tests
%{_libexecdir}/%{name}/* %{_libexecdir}/%{name}/kcapi
%{_libexecdir}/%{name}/kcapi-convenience
%{_libexecdir}/%{name}/kcapi-enc-test-large
%{_libexecdir}/%{name}/*.sh
%endif %endif
%changelog %changelog
* Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-2 %autochangelog
- Backport fixes for kcapi-hasher target option
Related: RHEL-15300
- Fix kcapi tests in FIPS mode
Resolves: RHEL-2406
* Wed Nov 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-1
- Update to new upstream release 1.4.0
Resolves: RHEL-5366
- Add a patch to fix auxiliary tests in FIPS mode
Resolves: RHEL-2406
- Add a patch to zeroize kcapi-hasher for FIPS 140-3
Resolves: RHEL-15290
- Add a patch to allow overriding target file in kcapi-hasher
Resolves: RHEL-15300
* Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
- Fix double free issue in hasher()
* Mon May 25 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-1
- [RHEL] Update to upstream version 1.2.0
* Thu Apr 30 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-3
- Enables building on old kernels [sync fix in Fedora from omosnance].
- This is required for covscans as they run on RHEL7 machines.
* Wed Apr 29 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-2
- Drop the license from the doc subpackage to avoid conflicts
* Mon Apr 27 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-1
- [RHEL] Update to upstream version 1.1.5
- [RHEL] Sync with Fedora branch
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16_1
- [RHEL] Apply 'Add missing dependencies to the tests package'
- [RHEL] Apply 'Update patch from upstream'
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16
- Add missing dependencies to the tests package
- Update patch from upstream
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15_1
- [RHEL] Apply 'Build and tests require perl'
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15
- Build and tests require perl
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14_2
- [RHEL] Re-enable AEAD tests and ignore test result
- [RHEL] Drop the ppc64 ignore-failures workaround
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14_1
- [RHEL] Apply 'Add missing script to the 'tests' package'
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14
- Add missing script to the 'tests' package
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13_1
- [RHEL] Sync with the Fedora branch
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13
- Add missing requires to the 'tests' subpackage
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12_1
- [RHEL] Sync with the Fedora branch
* Tue Aug 07 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12
- Produce a subpackage with test scripts
- Build the 'tests' subpackage conditionally
* Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11_1
- [RHEL] Sync with the Fedora branch
* Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11
- Add patch to fix unwanted closing of FD 0
* Tue Jul 31 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-10
- Remove the kernel headers workaround
* Mon Jul 30 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-9_1
- [RHEL] Sync with the Fedora branch
- [RHEL] Rebase the disable-AEAD-tests patch
* Fri Jul 27 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.1.1-9
- Rebuild for new binutils
* Fri Jul 27 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-8
- Add more Coverity fixes from upstream
- Add patch to fix AEAD fuzz test for BE arches
- Fixup specfile
* Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7_1
- [RHEL] Sync with the Fedora branch
- [RHEL] Fixup specfile
- [RHEL] Rebase the disable-AEAD-tests patch
* Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7
- Add various fixes from upstream
- Drop the Requires on kernel package
* Wed Jul 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3_2
- [RHEL] Temporarily disable AEAD tests
* Mon Jul 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-6
- Put .hmac files into a separate directory
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-4
- Add patch to work around FTBFS on rawhide
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3_1
- [RHEL] Sync with the Fedora branch
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3
- Fix off-by-one error in checkfile parsing
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2_2
- [RHEL] Disable fuzz test
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2_1
- [RHEL] Sync with the Fedora branch
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2
- Fix command-line parsing in libkcapi-hmaccalc
* Tue Jul 10 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1_2
- [RHEL] Work around build failure with new kernel headers
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1_1
- [RHEL] Skip CLang static analysis
- [RHEL] Remove the dependency on kernel package
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1
- Update to upstream version 1.1.1
* Wed May 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-5
- Skip CLang static analysis in RHEL
- Revert "Skip CLang static analysis in RHEL"
- Use own sha512hmac and fipscheck
* Wed May 02 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-4
- Fix description lines being too long
* Fri Apr 27 2018 Björn Esser <besser82@fedoraproject.org> - 1.1.0-3
- Fix conditional for hmaccalc replacement
* Mon Apr 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-2
- Enable hmaccalc replacements in Fedora 28+
* Thu Apr 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-1
- Update to upstream version 1.1.0
* Sat Mar 31 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-10
- Replace single patches with a monolitic one from upstream
- Obsolete replacements subpackage
- Ignore failing tests on %%{power64} temporarily
* Thu Mar 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.0.3-9
- Split up the replacements subpackage
* Mon Feb 26 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-8
- Increase optmem_max preset to 81920
* Mon Feb 26 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-7
- Obsoletes work by package name, not by provides (rhbz#1537225)
* Sun Feb 25 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-6
- Add patch to fix a copy-paste typo
* Sat Feb 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-5
- Add patch to fix build with -Werror
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org>
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Feb 04 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-3
- Switch to %%ldconfig_scriptlets
* Wed Jan 17 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-2
- Decrease optmem_max preset to 40960
- Let the build fail, if the minimum kernel version cannot be met
- Conditionalize the sysctl.d tweak on version of the kernel
- Conditionalize the name of README.distro on the distro
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-1
- Initial import (rhbz#1533929)
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.13
- Increase optmem_max preset to 81920
* Tue Jan 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.12
- Add sysctl.d preset and README.fedora
* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.11
- Make the contents of the -replacements package configurable
* Mon Jan 15 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.10
- Fix Obsoletes of the -replacements package
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.9
- Disable the -replacements package until we have a plan for it
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.8
- Move the kcapi-hasher binary to -replacements package, since it is
not of much use without the linked invocation names and saves the
extra Requires on the -tools package
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.7
- Fix internal Requires of sub-packages
- Hardlink files in %%{_bindir}
* Sun Jan 14 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.6
- Add patches from upstream
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.5
- Add patches from upstream
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.4
- Asume the testsuite cannot be run, if the value of optmem_max cannot
be obtained
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.3
- Move libraries to /%%{_lib} instead of %%{_libdir}, which is useful
during boot when the library might be needed before a potentially
seperate /usr partition is mounted
* Sat Jan 13 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.2
- Asume optmem_max is at least 20480, if the real value cannot be obtained
* Fri Jan 12 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-0.1
- New upstream release
* Wed Jan 10 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.2-0.1
- Initial rpm release (rhbz#1533929)

23
plans/ci.fmf Normal file
View File

@ -0,0 +1,23 @@
/fips-disabled-buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libkcapi
name: /plans/ci/fips-disabled-buildroot-disabled
/fips-disabled-buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libkcapi
name: /plans/ci/fips-disabled-buildroot-enabled
/fips-enabled-buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libkcapi
name: /plans/ci/fips-enabled-buildroot-disabled
/fips-enabled-buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libkcapi
name: /plans/ci/fips-enabled-buildroot-enabled

0
SOURCES/sha512hmac-openssl.sh → sha512hmac-openssl.sh
View File

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (libkcapi-1.5.0.tar.xz) = db156ee94fc63815a31876ab072aca72a806b26961c43f2caf8495c53b95484de71cd3be84dc9e5c9560e9ee704979be059ff6c102b4893d6bbdf9a8a69a667a
SHA512 (libkcapi-1.5.0.tar.xz.asc) = 69cfb6bf98f89c503e7fda07a54eddb9fcc2dafe418f1bc1216c051565c214a6caab83495c19b650a5c6e46e22080f8df4dd2152ab364993ed5badd256495159