From 39bbd43c162b119e5447b150eaac630ad938c0bd Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Thu, 14 Aug 2025 08:42:23 +0200 Subject: [PATCH] - Fix pkcsslotd fails to start in FIPS - Drop tier1 test as it mostly provides duplicate results - Enable ci test for FIPS mode Resolves: RHEL-109050 --- CI_plan.fmf | 30 ++- gating.yaml | 1 - ...3.25.0-reject-using-md5-in-fips-mode.patch | 176 ++++++++++++++++++ opencryptoki.spec | 13 +- 4 files changed, 210 insertions(+), 10 deletions(-) create mode 100644 opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch diff --git a/CI_plan.fmf b/CI_plan.fmf index f74dc51..a889e80 100644 --- a/CI_plan.fmf +++ b/CI_plan.fmf @@ -1,6 +1,9 @@ -/tier1-tests-on-x86_64-with-swtok: +execute: + how: tmt - summary: opencryptoki Tier1 tests on x86_64 with swtok +/tier1-tests-with-swtok: + + summary: opencryptoki Tier1 tests with swtok tag: - Tier1 @@ -13,9 +16,6 @@ - "Sanity/.*" - "Regression/.*" - execute: - how: tmt - /sw-token-package-update: summary: perform opencryptoki package update on a configured SW token @@ -34,5 +34,21 @@ - /Update/dnf-update-opencryptoki - /Update/initialized-sw-token/test - execute: - how: tmt +/fips-sw-token-sanity: + + summary: test SW token sanity on FIPS enabled system + + discover: + + # enable fips + - name: enable_fips + url: https://github.com/beakerlib/crypto.git + how: fmf + test: + - enable-fips-mode + + - name: tests + url: https://gitlab.cee.redhat.com/rhel-tests/opencryptoki.git + how: fmf + test: + - /Sanity/init-token-as-a-nonroot-user diff --git a/gating.yaml b/gating.yaml index acaedc4..2c7ed80 100644 --- a/gating.yaml +++ b/gating.yaml @@ -4,4 +4,3 @@ product_versions: decision_context: osci_compose_gate rules: - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-tier1.functional} 
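Review bot: The new `/fips-sw-token-sanity` plan in the last CI_plan.fmf hunk fetches `enable-fips-mode` from `https://github.com/beakerlib/crypto.git` with no `ref:` key, so the run uses whatever the default branch of that external repository holds at test time. Pinning the entry, for example `ref: <reviewed-commit-or-tag>` under `name: enable_fips`, makes the FIPS setup step reproducible and lets a change to it be reviewed before it reaches CI. The `tests` entry under the same plan is unpinned in the same way. This matters more here because the same commit drops the beaker tier1 rule from gating.yaml, which appears to leave this plan as the main FIPS coverage.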
diff --git a/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch b/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch
new file mode 100644
index 0000000..29b29ca
--- /dev/null
+++ b/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch
@@ -0,0 +1,176 @@
+commit 144456ede9897662eed35ac8415d0ecb1c5907e3
+Author: Ingo Franzki
+Date: Wed Aug 13 13:50:24 2025 +0200
+
+ PKCSSLOTD: Remove the use of MD5
+
+ The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory
+ path, for easy checking if the same token directory has already been used by
+ other tokens.
+
+ The use of MD5 for this is just historical, and has no security relevance at
+ all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so
+ pkcsslotd will fail to start.
+
+ Change the code to use SHA256 instead.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
+index ec6a489a..fa0db30f 100644
+--- a/usr/sbin/pkcsslotd/pkcsslotd.h
++++ b/usr/sbin/pkcsslotd/pkcsslotd.h
+@@ -42,11 +42,7 @@
+
+ #endif /* DEV */
+
+-#define HASH_SHA1 1
+-#define HASH_MD5 2
+-#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
+-
+-int compute_hash(int hash_type, int buf_size, char *buf, char *digest);
++int compute_sha256(char *buf, int buf_size, char *digest);
+
+ /********************
+ * Global Variables *
+diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
+index 0c1a5586..d0d85a85 100644
+--- a/usr/sbin/pkcsslotd/slotmgr.c
++++ b/usr/sbin/pkcsslotd/slotmgr.c
+@@ -27,7 +27,7 @@
+ #include "configuration.h"
+
+ #define OBJ_DIR "TOK_OBJ"
+-#define MD5_HASH_SIZE 16
++#define SHA256_HASH_SIZE 32
+
+ #define DEF_MANUFID "IBM"
+
+@@ -44,8 +44,8 @@
+ #define DEF_SLOTDESC "Linux"
+ #endif
+
+-typedef char md5_hash_entry[MD5_HASH_SIZE];
+-md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
++typedef char sha256_hash_entry[SHA256_HASH_SIZE];
++sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
+
+ Slot_Mgr_Shr_t *shmp; // pointer to the shared memory region.
+ int shmid;
+@@ -86,27 +86,19 @@ void DumpSharedMemory(void)
+ }
+ }
+
+-int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
++int compute_sha256(char *buf, int buf_size, char *digest)
+ {
+ EVP_MD_CTX *md_ctx = NULL;
+ unsigned int result_size;
+ int rc;
+
+ md_ctx = EVP_MD_CTX_create();
+-
+- switch (hash_type) {
+- case HASH_SHA1:
+- rc = EVP_DigestInit(md_ctx, EVP_sha1());
+- break;
+- case HASH_MD5:
+- rc = EVP_DigestInit(md_ctx, EVP_md5());
+- break;
+- default:
+- EVP_MD_CTX_destroy(md_ctx);
++ if (md_ctx == NULL) {
++ fprintf(stderr, "EVP_MD_CTX_create() failed\n");
+ return -1;
+- break;
+ }
+
++ rc = EVP_DigestInit(md_ctx, EVP_sha256());
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
+ return -1;
+@@ -374,12 +366,12 @@ void run_sanity_checks(void)
+ }
+ }
+
+-int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table)
++int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table)
+ {
+ int i;
+
+ for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) {
+- if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0)
++ if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0)
+ return 1;
+ }
+
+@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
+ mode_t proc_umask;
+ char *tokdir = psinfo->tokname;
+ char *tokgroup = psinfo->usergroup;
+- char token_md5_hash[MD5_HASH_SIZE];
++ char token_sha256_hash[SHA256_HASH_SIZE];
+
+ if (psinfo->present == FALSE)
+ return 0;
+@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
+ */
+ if (!tokdir || strlen(tokdir) == 0) {
+ /*
+- * Build the md5 hash from the dll name prefixed with 'dll:' to
++ * Build the SHA256 hash from the dll name prefixed with 'dll:' to
+ * check for duplicate tokens with no 'tokname'.
+ */
+ snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location);
+- rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash);
++ rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash);
+ if (rc) {
+- fprintf(stderr, "Error calculating MD5 of token name!\n");
++ fprintf(stderr, "Error calculating SHA256 of token name!\n");
+ return -1;
+ }
+
+ /* check for duplicate token names */
+- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
++ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
+ fprintf(stderr, "Duplicate token in slot %llu!\n",
+ psinfo->slot_number);
+ return -1;
+ }
+
+ /* add entry into hash table */
+- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
+- MD5_HASH_SIZE);
++ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
++ SHA256_HASH_SIZE);
+
+ return 0;
+ }
+@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
+ return -1;
+ }
+
+- /* calculate md5 hash from token name */
+- rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash);
++ /* calculate SHA256 hash from token name */
++ rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash);
+ if (rc) {
+- fprintf(stderr, "Error calculating MD5 of token name!\n");
++ fprintf(stderr, "Error calculating SHA256 of token name!\n");
+ return -1;
+ }
+ /* check for duplicate token names */
+- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
++ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
+ fprintf(stderr, "Duplicate token name '%s'!\n", tokdir);
+ return -1;
+ }
+
+ /* add entry into hash table */
+- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
+- MD5_HASH_SIZE);
++ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
++ SHA256_HASH_SIZE);
+
+ /* Create token specific directory */
+ /* sprintf checked above */
diff --git a/opencryptoki.spec b/opencryptoki.spec
index cd0db72..2bb3efd 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
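Review bot: In `compute_sha256` (slotmgr.c, inside the added opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch) the `EVP_DigestInit()` failure branch still returns -1 without releasing `md_ctx`. This is the branch a FIPS provider takes when it rejects a digest, and the removed `default:` case was the only visible caller of `EVP_MD_CTX_destroy()`. Adding `EVP_MD_CTX_destroy(md_ctx);` before that `return -1;` closes the leak. The rest of the function lies outside the hunk, so its later error paths should be checked for the same omission. The prototype in pkcsslotd.h would also benefit from a comment such as `/* digest must point to at least 32 bytes (SHA-256 output) */`, because the output doubled from 16 bytes and the function takes no length for that buffer.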
@@ -1,7 +1,7 @@ Name: opencryptoki -Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 +Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1 Version: 3.25.0 -Release: 3%{?dist} +Release: 4%{?dist} License: CPL-1.0 URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -25,6 +25,9 @@ Patch10: opencryptoki-openssl-3.5.x.patch # Fix covscan findings, https://github.com/opencryptoki/opencryptoki/pull/880 Patch11: opencryptoki-3.25.0-covscan-findings.patch +# Remove the use of MD5, pkcsslotd crashes in FIPS mode +Patch12: opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch + Requires(pre): coreutils Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted) BuildRequires: gcc gcc-c++ @@ -410,6 +413,12 @@ fi %changelog +* Wed Aug 13 2025 Than Ngo - 3.25.0-4 +- Fix pkcsslotd fails to start in FIPS +- Drop tier1 test as it mostly provides duplicate results +- Enable ci test for FIPS mode + Resolves: RHEL-109050 + * Mon Jul 21 2025 Than Ngo - 3.25.0-3 - Fix incorrect effective group id of pkcsslotd daemon - Fix covscan findings