Hello community,
here is the log from the commit of package libica for openSUSE:Factory checked in at 2021-07-01 07:05:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libica (Old)
and /work/SRC/openSUSE:Factory/.libica.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libica"
Thu Jul 1 07:05:32 2021 rev:22 rq:903102 version:3.8.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/libica/libica.changes 2020-09-25 16:34:58.696073779 +0200
+++ /work/SRC/openSUSE:Factory/.libica.new.2625/libica.changes 2021-07-01 07:05:42.655441237 +0200
@@ -1,0 +2,19 @@
+Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek
+
+- Update to version 3.8.0 (jsc#SLE-18334)
+ - [FEATURE] provide libica-cex module to satisfy special security requirements
+ - [FEATURE] FIPS: enforce the HMAC check
+- Remove upstreamed patches:
+ - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
+ - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
+ - libica-sles15sp2-Zeroize-local-variables.patch
+- Remove patches obsoleted by upstrea developent:
+ * FIPS: Find libica from phdrs.
+ - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
+ * FIPS: enforce the hmac check
+ - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+- Fix up tests and hmac generation
+ + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+- Remove obsolete attributes from filelists
+
+-------------------------------------------------------------------
Old:
----
libica-3.7.0.tar.gz
libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
libica-sles15sp2-Zeroize-local-variables.patch
New:
----
libica-3.8.0.tar.gz
libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libica.spec ++++++
--- /var/tmp/diff_new_pack.8sfKtw/_old 2021-07-01 07:05:43.223436800 +0200
+++ /var/tmp/diff_new_pack.8sfKtw/_new 2021-07-01 07:05:43.227436769 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libica
#
-# Copyright (c) 2018-2020 SUSE LLC
+# Copyright (c) 2018-2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
%endif
Name: libica
-Version: 3.7.0
+Version: 3.8.0
Release: 0
Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0
@@ -37,11 +37,7 @@
Source5: z90crypt.service
Source6: baselibs.conf
Source7: %{name}-rpmlintrc
-Patch01: libica-sles15sp2-Zeroize-local-variables.patch
-Patch02: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
-Patch03: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
-Patch04: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
-Patch05: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
Patch99: libica-sles15sp2-FIPS-hmac-key.patch
BuildRequires: autoconf
@@ -123,14 +119,14 @@
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
--enable-fips
%make_build clean
-%make_build
+%make_build FIPSHMAC=fipshmac
%define major %(echo %{version} | sed -e 's/[.].*//')
-%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{major} }}
+%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
%install
-%make_install
+%make_install FIPSHMAC=fipshmac
mkdir -p %{buildroot}%{_includedir}
cp -p include/ica_api.h %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
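Review bot: Nothing in the spec says why `FIPSHMAC=fipshmac` is passed to `%make_build` and `%make_install` here, and again to `%make_build check` in `%check`, or that all three must agree. Without the override, the patched `src/Makefile.am` falls back to `${top_srcdir}/openssl-fipshmac`, which hashes with the fixed key `hexkey:00000000`. The retained Patch99 (`libica-sles15sp2-FIPS-hmac-key.patch`) suggests the packaged library verifies against a different key, though that is inferred from the patch name only. A comment above the first use would record this, for example `# FIPSHMAC must be the distribution fipshmac tool in build, install and check so the .hmac files match the key the library verifies against`.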
@@ -138,17 +134,18 @@
install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
+# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
+# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
+# and the dangling symlink test would fail
+chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
cp -a %{SOURCE2} .
-rm -f %{buildroot}%{_libdir}/libica.la
+rm -vf %{buildroot}%{_libdir}/libica*.la
rm -f %{buildroot}%{_datadir}/doc/libica/*
rmdir %{buildroot}%{_datadir}/doc/libica
%check
-echo Tests should fail without a hash file
-! %make_build check
-fipshmac src/.libs/libica.so.%{major}
-%make_build check
+%make_build check FIPSHMAC=fipshmac
%pre tools
%service_add_pre z90crypt.service
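Review bot: The `%check` section loses its only negative test. The removed lines ran `! %make_build check` before any hash file existed, so a library that ignored a missing HMAC would have failed the build. With 3.8.0 advertising "FIPS: enforce the HMAC check", that failure path is the one most worth pinning down. The build now appears to generate the `.hmac` files itself, so the old ordering cannot be kept as is. If a negative run is not practical, record the gap with a comment such as `# no negative test: the build generates the .hmac itself, so the missing-hmac failure path is not exercised here`.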
@@ -167,19 +164,25 @@
%postun -n libica3 -p /sbin/ldconfig
%files -n libica3
-%defattr(-,root,root)
%{_libdir}/libica.so.%{version}
%{_libdir}/libica.so.%{major}
+%{_libdir}/.libica.so.%{version}.hmac
%{_libdir}/.libica.so.%{major}.hmac
+%{_libdir}/libica-cex.so.%{version}
+%{_libdir}/libica-cex.so.%{major}
+%{_libdir}/.libica-cex.so.%{version}.hmac
+%{_libdir}/.libica-cex.so.%{major}.hmac
%files tools
%license LICENSE
%doc README.SUSE
%{_sbindir}/rcz90crypt
-%attr(0644,root,root) %{_fillupdir}/sysconfig.z90crypt
+%{_fillupdir}/sysconfig.z90crypt
%{_bindir}/icainfo
+%{_bindir}/icainfo-cex
%{_bindir}/icastats
%{_mandir}/man1/icainfo.1%{?ext_man}
+%{_mandir}/man1/icainfo-cex.1%{?ext_man}
%{_mandir}/man1/icastats.1%{?ext_man}
%dir %{_prefix}/lib/systemd/scripts
%{_prefix}/lib/systemd/scripts/z90crypt
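Review bot: Dropping `%attr(0644,root,root)` from `%{_fillupdir}/sysconfig.z90crypt` leaves the packaged mode to whatever `%install` produced. The install line visible in the previous hunk, `install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt`, has no `-m`, so install(1) applies its default of 0755 and the sysconfig template would ship executable. Setting the mode at install time keeps the old result: `install -D -m 644 %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt`, as is already done for `%{SOURCE5}`. The `%files devel` and `%files devel-static` hunk below drops `%attr` from `ica_api.h` and `libica.a` in the same way; their modes then come from `cp -p` and `make install`, which is worth confirming in the built RPM.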
@@ -188,9 +191,11 @@
%{_libdir}/libica.so
%files devel
-%attr(0644,root,root) %{_includedir}/ica_api.h
+%{_includedir}/ica_api.h
+%{_libdir}/libica-cex.so
%files devel-static
-%attr(0644,root,root) %{_libdir}/libica.a
+%{_libdir}/libica.a
+%{_libdir}/libica-cex.a
%changelog
++++++ libica-3.7.0.tar.gz -> libica-3.8.0.tar.gz ++++++
++++ 4998 lines of diff (skipped)
++++++ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch ++++++
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
From: Michal Suchanek
Date: Mon, 7 Jun 2021 21:12:01 +0200
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
Signed-off-by: Michal Suchanek
---
openssl-fipshmac | 12 ++++++++++++
src/Makefile.am | 4 ++--
2 files changed, 14 insertions(+), 2 deletions(-)
create mode 100755 openssl-fipshmac
diff --git a/openssl-fipshmac b/openssl-fipshmac
new file mode 100755
index 0000000..60fd505
--- /dev/null
+++ b/openssl-fipshmac
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+if [ "$#" -eq 0 ] ; then
+ echo "No library to hash specified." >&2
+ exit 22
+fi
+
+while [ -n "$1" ] ; do
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
+ shift
+done
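Review bot: The loop condition `while [ -n "$1" ]` stops at the first empty argument, so any library paths after it are silently left without a `.hmac` file and the script still exits 0. Using `while [ "$#" -gt 0 ] ; do` processes every argument and lets openssl fail loudly on a bad one. The `-e` in the shebang is lost when the script is run as `sh openssl-fipshmac`, so a `set -e` line in the body would be more robust. A header comment should also state that `hexkey:00000000` is a fixed, public key, so the resulting HMAC is an integrity self-check against corruption and not proof of origin.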
diff --git a/src/Makefile.am b/src/Makefile.am
index 4a1ef14..2be01a5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -46,13 +46,13 @@ mp.S : mp.pl
./mp.pl mp.S
if ICA_FIPS
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
hmac-file-lnk: hmac-file
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
hmac-file: libica.la libica-cex.la
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
hmac_files = hmac-file hmac-file-lnk
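Review bot: The new default `FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac` points at a script that may not be shipped in release tarballs. The diffstat shows only `openssl-fipshmac` and `src/Makefile.am` changing, with no `EXTRA_DIST` entry added, so a `make dist` tarball would presumably lack the script and the `hmac-file` recipe would fail on a FIPS build. The top-level Makefile.am is not visible here, so this needs checking. The contract of the variable is also undocumented: `hmac-file-lnk` relies on the tool writing `.libica.so.$(VERSION1).hmac` and `.libica-cex.so.$(VERSION1).hmac` next to the libraries. A comment above the assignment would state it, for example `# FIPSHMAC: command that takes library paths and writes .<name>.hmac beside each, keyed as the library's FIPS self-check expects`.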
--
2.31.1