Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libica for openSUSE:Factory checked in at 2021-07-01 07:05:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libica (Old) and /work/SRC/openSUSE:Factory/.libica.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libica" Thu Jul 1 07:05:32 2021 rev:22 rq:903102 version:3.8.0 Changes: --------
--- /work/SRC/openSUSE:Factory/libica/libica.changes 2020-09-25 16:34:58.696073779 +0200
+++ /work/SRC/openSUSE:Factory/.libica.new.2625/libica.changes 2021-07-01 07:05:42.655441237 +0200
@@ -1,0 +2,19 @@
+Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
+
+- Update to version 3.8.0 (jsc#SLE-18334)
+ - [FEATURE] provide libica-cex module to satisfy special security requirements
+ - [FEATURE] FIPS: enforce the HMAC check
+- Remove upstreamed patches:
+ - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
+ - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
+ - libica-sles15sp2-Zeroize-local-variables.patch
+- Remove patches obsoleted by upstrea developent:
+ * FIPS: Find libica from phdrs.
+ - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
+ * FIPS: enforce the hmac check
+ - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+- Fix up tests and hmac generation
+ + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+- Remove obsolete attributes from filelists
+
+-------------------------------------------------------------------
Old: ---- libica-3.7.0.tar.gz libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch libica-sles15sp2-Zeroize-local-variables.patch New: ---- libica-3.8.0.tar.gz libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libica.spec ++++++
--- /var/tmp/diff_new_pack.8sfKtw/_old 2021-07-01 07:05:43.223436800 +0200
+++ /var/tmp/diff_new_pack.8sfKtw/_new 2021-07-01 07:05:43.227436769 +0200
@@ -1,7 +1,7 @@ # # spec file for package libica # -# Copyright (c) 2018-2020 SUSE LLC +# Copyright (c) 2018-2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@ %endif Name: libica -Version: 3.7.0 +Version: 3.8.0 Release: 0 Summary: Library interface for the IBM Cryptographic Accelerator device driver License: CPL-1.0 @@ -37,11 +37,7 @@ Source5: z90crypt.service Source6: baselibs.conf Source7: %{name}-rpmlintrc -Patch01: libica-sles15sp2-Zeroize-local-variables.patch -Patch02: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch -Patch03: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch -Patch04: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch -Patch05: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch +Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch Patch99: libica-sles15sp2-FIPS-hmac-key.patch BuildRequires: autoconf @@ -123,14 +119,14 @@ %configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \ --enable-fips %make_build clean -%make_build +%make_build FIPSHMAC=fipshmac %define major %(echo %{version} | sed -e 's/[.].*//') -%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{major} }} +%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }} %install -%make_install +%make_install FIPSHMAC=fipshmac mkdir -p %{buildroot}%{_includedir} cp -p include/ica_api.h %{buildroot}%{_includedir} mkdir -p %{buildroot}%{_sbindir} 
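Review bot: Nothing near the `FIPSHMAC=fipshmac` overrides in the build hunk (`%make_build`, `%make_install`, and the `__os_install_post` line between them) says why the upstream default generator is bypassed. The Patch01 added by this commit defaults to a script that hashes with `hexkey:00000000`, while the spec keeps `Patch99: libica-sles15sp2-FIPS-hmac-key.patch`, so the override is presumably what keeps the generated `.hmac` in step with the key the patched library verifies against; that coupling is inferred from the patch names and is not visible here. A comment above the build line would record it, e.g. `# use the distro fipshmac: its key must match the one Patch99 builds into the library`. The hunk also relies on `fipshmac` being found on PATH; whether a BuildRequires provides it is outside the visible lines.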
@@ -138,17 +134,18 @@ install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service +# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped +# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it +# and the dangling symlink test would fail +chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac cp -a %{SOURCE2} . -rm -f %{buildroot}%{_libdir}/libica.la +rm -vf %{buildroot}%{_libdir}/libica*.la rm -f %{buildroot}%{_datadir}/doc/libica/* rmdir %{buildroot}%{_datadir}/doc/libica %check -echo Tests should fail without a hash file -! %make_build check -fipshmac src/.libs/libica.so.%{major} -%make_build check +%make_build check FIPSHMAC=fipshmac %pre tools %service_add_pre z90crypt.service @@ -167,19 +164,25 @@ %postun -n libica3 -p /sbin/ldconfig %files -n libica3 -%defattr(-,root,root) %{_libdir}/libica.so.%{version} %{_libdir}/libica.so.%{major} +%{_libdir}/.libica.so.%{version}.hmac %{_libdir}/.libica.so.%{major}.hmac +%{_libdir}/libica-cex.so.%{version} +%{_libdir}/libica-cex.so.%{major} +%{_libdir}/.libica-cex.so.%{version}.hmac +%{_libdir}/.libica-cex.so.%{major}.hmac %files tools %license LICENSE %doc README.SUSE %{_sbindir}/rcz90crypt -%attr(0644,root,root) %{_fillupdir}/sysconfig.z90crypt +%{_fillupdir}/sysconfig.z90crypt %{_bindir}/icainfo +%{_bindir}/icainfo-cex %{_bindir}/icastats %{_mandir}/man1/icainfo.1%{?ext_man} +%{_mandir}/man1/icainfo-cex.1%{?ext_man} %{_mandir}/man1/icastats.1%{?ext_man} %dir %{_prefix}/lib/systemd/scripts %{_prefix}/lib/systemd/scripts/z90crypt 
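Review bot: The `%check` section loses its negative test: `echo Tests should fail without a hash file` and `! %make_build check` are deleted, leaving only `%make_build check FIPSHMAC=fipshmac`. This update's changelog lists "FIPS: enforce the HMAC check", yet the package build no longer demonstrates that the test suite fails when the `.hmac` file is absent, so a regression in that enforcement would pass unnoticed. If the `check` target now regenerates the HMAC itself (not visible in this hunk), a negative run would have to move the generated file aside first and expect failure, followed by the existing positive run. A short comment in `%check` stating why the negative run was dropped would at least keep the gap visible to the next maintainer.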
@@ -188,9 +191,11 @@ %{_libdir}/libica.so %files devel -%attr(0644,root,root) %{_includedir}/ica_api.h +%{_includedir}/ica_api.h +%{_libdir}/libica-cex.so %files devel-static -%attr(0644,root,root) %{_libdir}/libica.a +%{_libdir}/libica.a +%{_libdir}/libica-cex.a %changelog ++++++ libica-3.7.0.tar.gz -> libica-3.8.0.tar.gz ++++++ ++++ 4998 lines of diff (skipped) ++++++ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch ++++++ From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001 From: Michal Suchanek <msuchanek@suse.de> Date: Mon, 7 Jun 2021 21:12:01 +0200 Subject: [PATCH] FIPS: make it possible to specify fipshmac binary. Signed-off-by: Michal Suchanek <msuchanek@suse.de> --- openssl-fipshmac | 12 ++++++++++++ src/Makefile.am | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100755 openssl-fipshmac diff --git a/openssl-fipshmac b/openssl-fipshmac new file mode 100755 index 0000000..60fd505 --- /dev/null +++ b/openssl-fipshmac @@ -0,0 +1,12 @@ +#!/bin/sh -e + +if [ "$#" -eq 0 ] ; then + echo "No library to hash specified." >&2 + exit 22 +fi + +while [ -n "$1" ] ; do + dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")" + echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac + shift +done diff --git a/src/Makefile.am b/src/Makefile.am index 4a1ef14..2be01a5 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
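Review bot: The loop in the new `openssl-fipshmac` script is driven by `while [ -n "$1" ]`, so an empty argument ends it early and any library paths after it get no `.hmac` file while the script still exits 0. Testing the argument count, as the guard at the top already does, avoids that: `while [ "$#" -gt 0 ] ; do`. The key `hexkey:00000000` is a fixed, public value, so the digest detects corruption of the library rather than deliberate modification, and it presumably has to equal the key the library's self-check uses. A comment such as `# key must match the HMAC key compiled into libica's FIPS integrity check` would record that dependency next to the `openssl dgst` line.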
@@ -46,13 +46,13 @@ mp.S : mp.pl ./mp.pl mp.S if ICA_FIPS +FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac hmac-file-lnk: hmac-file $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac hmac-file: libica.la libica-cex.la - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac + $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) hmac_files = hmac-file hmac-file-lnk -- 2.31.1
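Review bot: `FIPSHMAC` becomes a user-facing override with no statement of what a replacement command has to do. From the `hmac-file` recipe and `hmac-file-lnk`, the command receives both library paths in one invocation and is expected to leave `.libica.so.$(VERSION1).hmac` and `.libica-cex.so.$(VERSION1).hmac` beside them; a comment above the assignment would fix that contract, e.g. `# FIPSHMAC: command given library paths; writes .<name>.hmac next to each, using the key the library verifies with`. The default also executes `${top_srcdir}/openssl-fipshmac` directly, so it depends on the file keeping its execute bit once the patch is applied. The `if ICA_FIPS` block continues outside this hunk.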