From b55796340b99bee99391638d5187bcab3bdbed15 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 29 Mar 2024 15:54:27 +0300 Subject: [PATCH] import libkcapi-1.4.0-2.el8 --- .gitignore | 1 + .libkcapi.metadata | 1 + SOURCES/001-tests-kernel-version.patch | 40 ++ SOURCES/002-fips-disable-ansi_cprng.patch | 74 +++ SOURCES/003-zeroize-hasher.patch | 58 ++ SOURCES/004-hasher-target-option.patch | 185 ++++++ SOURCES/005-fips-mode-tests.patch | 320 +++++++++ SOURCES/fipshmac-openssl.sh | 9 + SOURCES/libkcapi-1.4.0.tar.xz.asc | 11 + SOURCES/sha512hmac-openssl.sh | 6 + SPECS/libkcapi.spec | 758 ++++++++++++++++++++++ 11 files changed, 1463 insertions(+) create mode 100644 .gitignore create mode 100644 .libkcapi.metadata create mode 100644 SOURCES/001-tests-kernel-version.patch create mode 100644 SOURCES/002-fips-disable-ansi_cprng.patch create mode 100644 SOURCES/003-zeroize-hasher.patch create mode 100644 SOURCES/004-hasher-target-option.patch create mode 100644 SOURCES/005-fips-mode-tests.patch create mode 100644 SOURCES/fipshmac-openssl.sh create mode 100644 SOURCES/libkcapi-1.4.0.tar.xz.asc create mode 100644 SOURCES/sha512hmac-openssl.sh create mode 100644 SPECS/libkcapi.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8d18e03 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/libkcapi-1.4.0.tar.xz diff --git a/.libkcapi.metadata b/.libkcapi.metadata new file mode 100644 index 0000000..56c3b99 --- /dev/null +++ b/.libkcapi.metadata @@ -0,0 +1 @@ +526dca7d8eb8ddc29395f0716ba1233e27bf2ab5 SOURCES/libkcapi-1.4.0.tar.xz diff --git a/SOURCES/001-tests-kernel-version.patch b/SOURCES/001-tests-kernel-version.patch new file mode 100644 index 0000000..aa21536 --- /dev/null +++ b/SOURCES/001-tests-kernel-version.patch @@ -0,0 +1,40 @@ +From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Mon, 15 Aug 2022 10:19:50 +0200 +Subject: [PATCH] tests: fix overly-optimistic kernel version checks + +The mainline kernel is now at version 6.0 so these >= 5.99 checks are +now incorrectly enabling tests that don't work. Instead of bumping the +imaginary version and face the same problem again in a couple years, +replace the checks with 'false' and a TODO comment. + +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Stephan Mueller +--- + test/test.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/test/test.sh b/test/test.sh +index 1d9be73..a75b802 100755 +--- a/test/test.sh ++++ b/test/test.sh +@@ -1560,7 +1560,8 @@ else + echo_deact "AEAD tests of copied AAD deactivated" + fi + +-if $(check_min_kernelver 5 99); then ++# TODO add version check when supported upstream ++if false; then + asymfunc 4 + asymfunc 4 -s + asymfunc 4 -v +@@ -1583,7 +1584,8 @@ else + echo_deact "All asymmetric tests deactivated" + fi + +-if $(check_min_kernelver 5 99); then ++# TODO add version check when supported upstream ++if false; then + kppfunc 13 + kppfunc 13 X -m + kppfunc 13 -v diff --git a/SOURCES/002-fips-disable-ansi_cprng.patch b/SOURCES/002-fips-disable-ansi_cprng.patch new file mode 100644 index 0000000..b7f2980 --- /dev/null +++ b/SOURCES/002-fips-disable-ansi_cprng.patch @@ -0,0 +1,74 @@ +From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich +Date: Fri, 11 Aug 2023 12:20:22 +0200 +Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode + +Signed-off-by: Zoltan Fridrich +Signed-off-by: Stephan Mueller +--- + test/kcapi-main.c | 45 ++++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 23 deletions(-) + +diff --git a/test/kcapi-main.c b/test/kcapi-main.c +index 67fb53f..23fc8ed 100644 +--- a/test/kcapi-main.c ++++ b/test/kcapi-main.c +@@ -652,8 +652,6 @@ static int is_fips_mode(void) + static int auxiliary_tests(void) + { + struct kcapi_handle *handle = NULL; +- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)" +- : "ansi_cprng"; + int ret = 0; + + if (kcapi_aead_init(&handle, "ccm(aes)", 0)) { +@@ -711,27 +709,28 @@ static int auxiliary_tests(void) + if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0)) + ret++; + +- /* X9.31 RNG must require seed */ +- printf("X9.31 missing seeding: "); +- if (!aux_test_rng(ansi_cprng_name, NULL, 0)) +- ret++; +- /* X9.31 seed too short */ +- printf("X9.31 insufficient seeding: "); +- if (!aux_test_rng(ansi_cprng_name, +- (uint8_t *) +- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" +- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16)) +- ret++; +- /* X9.31 seed right sized short */ +- if (aux_test_rng(ansi_cprng_name, +- (uint8_t *) +- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" +- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" +- "\x00\x01\x02\x03\x04\x05\x06\x07\x08" +- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) { +- printf("Error for %s: kernel module ansi_cprng present?\n", +- ansi_cprng_name); +- ret++; ++ if (!is_fips_mode()) { ++ /* X9.31 RNG must require seed */ ++ printf("X9.31 missing seeding: "); ++ if (!aux_test_rng("ansi_cprng", NULL, 0)) ++ ret++; ++ /* X9.31 seed too short */ ++ printf("X9.31 insufficient seeding: "); ++ if (!aux_test_rng("ansi_cprng", ++ (uint8_t *) ++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" ++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16)) ++ ret++; ++ /* X9.31 seed right sized short */ ++ if (aux_test_rng("ansi_cprng", ++ (uint8_t *) ++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" ++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" ++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08" ++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) { ++ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n"); ++ ret++; ++ } + } + + return ret; diff --git a/SOURCES/003-zeroize-hasher.patch b/SOURCES/003-zeroize-hasher.patch new file mode 100644 index 0000000..7db6a0e --- /dev/null +++ b/SOURCES/003-zeroize-hasher.patch @@ -0,0 +1,58 @@ +From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich +Date: Wed, 1 Nov 2023 10:54:03 +0100 +Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Requirement introduced by AS05.10: +"The temporary value(s) generated during the integrity test of the +module’s software or firmware shall [05.10] be zeroised from the module +upon completion of the integrity test;" + +As some modules use fipscheck or sha*hmac for integrity tests, these +temporary values need to be zeroised from the hasher. + +Signed-off-by: Zoltan Fridrich +Signed-off-by: Stephan Mueller +--- + apps/kcapi-hasher.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c +index 098b655..f5caf77 100644 +--- a/apps/kcapi-hasher.c ++++ b/apps/kcapi-hasher.c +@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, + if (hashlen > (uint32_t)ret) { + fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n", + (unsigned long)hashlen, ret); ++ kcapi_memset_secure(md, 0, sizeof(md)); + return (int)ret; + } + +@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, + ret = 1; + else + ret = 0; ++ kcapi_memset_secure(compmd, 0, sizeof(compmd)); + } else { + if (outfile == NULL) { /* only print hash (hmaccalc -S) */ + bin2print(md, hashlen, NULL, stdout, +@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params, + fprintf(stderr, "Generation of hash for file %s failed (%zd)\n", + filename ? filename : "stdin", ret); + } ++ kcapi_memset_secure(md, 0, sizeof(md)); + return (int)ret; + } + +@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params, + if (file) + fclose(file); + kcapi_md_destroy(handle); ++ kcapi_memset_secure(buf, 0, sizeof(buf)); + + /* + * If we found no lines to check, return an error. diff --git a/SOURCES/004-hasher-target-option.patch b/SOURCES/004-hasher-target-option.patch new file mode 100644 index 0000000..945fcc3 --- /dev/null +++ b/SOURCES/004-hasher-target-option.patch @@ -0,0 +1,185 @@ +diff --color -ruNp a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c +--- a/apps/kcapi-hasher.c 2023-11-28 17:08:09.124214489 +0100 ++++ b/apps/kcapi-hasher.c 2023-11-28 17:11:12.975963482 +0100 +@@ -140,15 +140,17 @@ static void usage(char *name, int fipsch + if (fipscheck) + fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base); + else { +- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base); ++ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base); + fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base); + } + fprintf(stderr, "\nOptions:\n"); + fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n"); + fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n"); + fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n"); +- if (!fipscheck) ++ if (!fipscheck) { + fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n"); ++ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n"); ++ } + fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n"); + fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n"); + fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n"); +@@ -530,11 +532,12 @@ static int hash_files(const struct hash_ + #define CHK_STATUS (2) + + static int process_checkfile(const struct hash_params *params, +- const char *checkfile, const char *targetfile, int log) ++ const char *checkfile, const char *targetfile, int log, int fipscheck) + { + FILE *file = NULL; + int ret = 0; + int checked_any = 0; ++ int failed_any = 0; + struct kcapi_handle *handle; + const char *hashname = params->name.kcapiname; + +@@ -570,7 +573,7 @@ static int process_checkfile(const struc + } + + while (fgets(buf, sizeof(buf), file)) { +- char *filename = NULL; // parsed file name ++ const char *filename = NULL; // parsed file name + char *hexhash = NULL; // parsed hex value of hash + uint32_t hexhashlen = 0; // length of hash hex value + uint32_t linelen = (uint32_t)strlen(buf); +@@ -645,17 +648,7 @@ static int process_checkfile(const struc + goto out; + } + +- /* fipscheck does not have the filename in the check file */ +- if (targetfile) { +- ret = hasher(handle, params, targetfile, +- hexhash, hexhashlen, stdout); +- checked_any = 1; +- goto out; +- } +- + if (filename) { +- int r; +- + if (!bsd_style) { + if (!isblank(filename[0]) || + (!isblank(filename[1]) && filename[1] != '*')) { +@@ -665,20 +658,29 @@ static int process_checkfile(const struc + } + filename += 2; + } ++ } ++ ++ /* ++ * if targetfile is specified, use it instead of the filename ++ * found inside the checkfile ++ */ ++ if (targetfile) ++ filename = targetfile; + +- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout); ++ if (filename) { ++ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout); ++ checked_any = 1; ++ if (fipscheck) ++ goto out; + +- if (r == 0) { ++ if (ret == 0) { + if (log < CHK_QUIET) + printf("%s: OK\n", filename); + } else { ++ failed_any = 1; + if (log < CHK_STATUS) +- printf("%s: Not OK\n", +- filename); +- if (ret >= 0) +- ret++; ++ printf("%s: Not OK\n", filename); + } +- checked_any = 1; + } + } + +@@ -692,7 +694,7 @@ out: + * If we found no lines to check, return an error. + * (See https://pagure.io/hmaccalc/c/1afb99549816192eb8e6bc8101bc417c2ffa764c) + */ +- return ret != 0 ? ret : !checked_any; ++ return ret != 0 ? ret : !(checked_any && !failed_any); + + } + +@@ -770,7 +772,7 @@ static int fipscheck_self(const struct h + goto out; + } + +- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS); ++ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1); + if (ret) + goto out; + } +@@ -810,7 +812,7 @@ static int fipscheck_self(const struct h + goto out; + } + +- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS); ++ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1); + } + + out: +@@ -866,12 +868,13 @@ int main(int argc, char *argv[]) + {0, 0, 0, 0} + }; + +- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz"; ++ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz"; + static const struct option opts[] = { + {"help", 0, 0, 0}, + {"tag", 0, 0, 0}, + {"quiet", 0, 0, 0}, + {"check", 1, 0, 'c'}, ++ {"target", 1, 0, 'T'}, + {"unkeyed", 0, 0, 'u'}, + {"hash", 1, 0, 'h'}, + {"truncate", 1, 0, 't'}, +@@ -1124,6 +1127,9 @@ int main(int argc, char *argv[]) + version(argv[0]); + ret = 0; + goto out; ++ case 'T': ++ targetfile = optarg; ++ break; + case 'd': + checkdir = optarg; + break; +@@ -1180,6 +1186,11 @@ int main(int argc, char *argv[]) + ret = 1; + goto out; + } ++ if (targetfile) { ++ fprintf(stderr, "-T is not valid for fipscheck\n"); ++ ret = 1; ++ goto out; ++ } + + targetfile = argv[optind]; + if (checkfile) +@@ -1192,12 +1203,18 @@ int main(int argc, char *argv[]) + optind++; + } + ++ if (targetfile && !checkfile) { ++ fprintf(stderr, "-T cannot be used without -c\n"); ++ ret = 1; ++ goto out; ++ } ++ + if (!checkfile) + ret = hash_files(¶ms, argv + optind, + (uint32_t)(argc - optind), + fipshmac, checkdir, 0); + else if (optind == argc) +- ret = process_checkfile(¶ms, checkfile, targetfile, loglevel); ++ ret = process_checkfile(¶ms, checkfile, targetfile, loglevel, fipscheck); + else { + fprintf(stderr, "-c cannot be used with input files\n"); + ret = 1; diff --git a/SOURCES/005-fips-mode-tests.patch b/SOURCES/005-fips-mode-tests.patch new file mode 100644 index 0000000..71a8979 --- /dev/null +++ b/SOURCES/005-fips-mode-tests.patch @@ -0,0 +1,320 @@ +From 8dc30412618019f5480f993c637e4cf0f5a11a39 Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich +Date: Tue, 28 Nov 2023 09:34:29 +0100 +Subject: [PATCH] Fix kcapi tests in FIPS mode + +Signed-off-by: Zoltan Fridrich +--- + test/hasher-test.sh | 23 +++++++++++--- + test/kcapi-convenience.c | 2 +- + test/kcapi-dgst-test.sh | 16 +++++----- + test/kcapi-enc-test.sh | 16 +++++----- + test/test.sh | 67 ++++++++++++++++++++++++++++++---------- + 5 files changed, 86 insertions(+), 38 deletions(-) + +diff --git a/test/hasher-test.sh b/test/hasher-test.sh +index c90fcc9..e97127e 100755 +--- a/test/hasher-test.sh ++++ b/test/hasher-test.sh +@@ -26,6 +26,11 @@ HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac" + CHKFILE="${TMPDIR}/chk.$$" + ANOTHER="${TMPDIR}/test.$$" + ++is_fips_enabled() ++{ ++ test $(cat /proc/sys/crypto/fips_enabled) = "1" ++} ++ + if [ "$KCAPI_TEST_LOCAL" -eq 1 ]; then + find_platform kcapi-hasher + function run_hasher() { +@@ -365,7 +370,11 @@ fi + for suffix in $KAT_SUFFIXES + do + run_kat sha1$suffix "RFC 2202, section 3, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb617318655057264e28bc0b6fb378c8ef146be00 +- run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79 ++ if is_fips_enabled; then ++ echo_deact "'RFC 2202, section 3, #2' test case deactivated in FIPS" ++ else ++ run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79 ++ fi + run_kat sha1$suffix "RFC 2202, section 3, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3 + run_kat sha1$suffix "RFC 2202, section 3, #4" 0x0102030405060708090a0b0c0d0e0f10111213141516171819 0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da + run_kat sha1$suffix "RFC 2202, section 3, #5" 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c "Test With Truncation" 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04 +@@ -374,9 +383,15 @@ do + run_kat sha256$suffix "RFC 4231, section 4.2, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7 + run_kat sha384$suffix "RFC 4231, section 4.2, #2" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xafd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6 + run_kat sha512$suffix "RFC 4231, section 4.2, #3" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0x87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854 +- run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843 +- run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649 +- run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737 ++ if is_fips_enabled; then ++ echo_deact "'RFC 4231, section 4.3, #1' test case deactivated in FIPS" ++ echo_deact "'RFC 4231, section 4.3, #2' test case deactivated in FIPS" ++ echo_deact "'RFC 4231, section 4.3, #3' test case deactivated in FIPS" ++ else ++ run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843 ++ run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649 ++ run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737 ++ fi + run_kat sha256$suffix "RFC 4231, section 4.4, #1" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe + run_kat sha384$suffix "RFC 4231, section 4.4, #2" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27 + run_kat sha512$suffix "RFC 4231, section 4.4, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0xfa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb +diff --git a/test/kcapi-convenience.c b/test/kcapi-convenience.c +index c5ff4b4..1cdaebe 100644 +--- a/test/kcapi-convenience.c ++++ b/test/kcapi-convenience.c +@@ -63,7 +63,7 @@ static int hashtest(void) + + static int hmactest(void) + { +- char *in = "teststring"; ++ char *in = "longteststring"; + uint8_t out[64]; + ssize_t ret; + +diff --git a/test/kcapi-dgst-test.sh b/test/kcapi-dgst-test.sh +index 0ad5ed3..67576b3 100755 +--- a/test/kcapi-dgst-test.sh ++++ b/test/kcapi-dgst-test.sh +@@ -105,8 +105,8 @@ test_stdin_stdout() + openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl + diff_file $GENDGST $GENDGST.openssl "STDIN / STDOUT test (keyed MD $keysize bits)" + +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2 ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2 + + diff_file $GENDGST $GENDGST.2 "STDIN / STDOUT test (password)" + } +@@ -135,8 +135,8 @@ test_stdin_fileout() + openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl + diff_file $GENDGST $GENDGST.openssl "STDIN / FILEOUT test (keyed MD $keysize bits)" + +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT + + diff_file $GENDGST $GENDGST.2 "STDIN / FILEOUT test (password)" + } +@@ -165,8 +165,8 @@ test_filein_stdout() + openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl + diff_file $GENDGST $GENDGST.openssl "FILEIN / STDOUT test (keyed MD $keysize bits)" + +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2 ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2 + + diff_file $GENDGST $GENDGST.2 "FILEIN / STDOUT test (password)" + } +@@ -197,8 +197,8 @@ test_filein_fileout() + openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl + diff_file $GENDGST $GENDGST.openssl "FILEIN / FILEOUT test (keyed MD $keysize bits)" + +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST +- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2 ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST ++ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2 + + diff_file $GENDGST $GENDGST.2 "FILEIN / FILEOUT test (password)" + } +diff --git a/test/kcapi-enc-test.sh b/test/kcapi-enc-test.sh +index 3ace39c..63d2b23 100755 +--- a/test/kcapi-enc-test.sh ++++ b/test/kcapi-enc-test.sh +@@ -163,8 +163,8 @@ test_stdin_stdout() + diff_file $GENCT $GENCT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated CT)" + diff_file $GENPT $GENPT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated PT)" + +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT + + diff_file $ORIGPT $GENPT "STDIN / STDOUT enc test (password)" + } +@@ -195,8 +195,8 @@ test_stdin_fileout() + diff_file $GENCT $GENCT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated CT)" + diff_file $GENPT $GENPT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated PT)" + +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT + + diff_file $ORIGPT $GENPT "STDIN / FILEOUT enc test (password)" + } +@@ -227,8 +227,8 @@ test_filein_stdout() + diff_file $GENCT $GENCT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated CT)" + diff_file $GENPT $GENPT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated PT)" + +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT + + diff_file $ORIGPT $GENPT "FILEIN / STDOUT enc test (password)" + } +@@ -271,8 +271,8 @@ test_filein_fileout() + diff_file $GENCT $GENCT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated CT)" + diff_file $GENPT $GENPT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated PT)" + +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT +- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT ++ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT + + diff_file $ORIGPT $GENPT "FILEIN / FILEOUT enc test (password)" + } +diff --git a/test/test.sh b/test/test.sh +index b889335..e07589e 100755 +--- a/test/test.sh ++++ b/test/test.sh +@@ -450,27 +450,27 @@ PBKDF_exp_7="133a4ce837b4d2521ee2bf03e11c71ca794e0797" + + PBKDF_name_8="hmac(sha256)" + PBKDF_salt_8="73616c74" +-PBKDF_pw_8="70617373776f7264" ++PBKDF_pw_8="70617373776f726470617373776f7264" + PBKDF_count_8=4096 +-PBKDF_exp_8="c5e478d59288c841aa530db6845c4c8d962893a0" ++PBKDF_exp_8="9cefdbeb6abaaf0e0b6fa3fb5bc9f2b8301d6aca" + + PBKDF_name_9="hmac(sha224)" + PBKDF_salt_9="73616c74" +-PBKDF_pw_9="70617373776f7264" ++PBKDF_pw_9="70617373776f726470617373776f7264" + PBKDF_count_9=4096 +-PBKDF_exp_9="218c453bf90635bd0a21a75d172703ff6108ef60" ++PBKDF_exp_9="624f7dd223ae0bd8d46a69b27f84e703e7dadd70" + + PBKDF_name_10="hmac(sha384)" + PBKDF_salt_10="73616c74" +-PBKDF_pw_10="70617373776f7264" ++PBKDF_pw_10="70617373776f726470617373776f7264" + PBKDF_count_10=4096 +-PBKDF_exp_10="559726be38db125bc85ed7895f6e3cf574c7a01c" ++PBKDF_exp_10="2c34a3242a138933c63fce6d827e4acf57ef528d" + + PBKDF_name_11="hmac(sha512)" + PBKDF_salt_11="73616c74" +-PBKDF_pw_11="70617373776f7264" ++PBKDF_pw_11="70617373776f726470617373776f7264" + PBKDF_count_11=4096 +-PBKDF_exp_11="d197b1b33db0143e018b12f3d1d1479e6cdebdcc" ++PBKDF_exp_11="299ae1f55743f2cb81be4a417b878ab32374660b" + + PBKDF_name_12="cmac(aes)" + PBKDF_salt_12="73616c74" +@@ -480,9 +480,9 @@ PBKDF_exp_12="c4c112c6e1e3b8757640603dec78825ff87605a7" + + PBKDF_name_13="hmac(sha512)" + PBKDF_salt_13="73616c74" +-PBKDF_pw_13="70617373776f7264" ++PBKDF_pw_13="70617373776f726470617373776f7264" + PBKDF_count_13=4096 +-PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5d6883f0be4c24d363b638f4c2f8d917533cd4158937d0b490697a64adadb07f180c323080a7368033eeadf9e612b2e" ++PBKDF_exp_13="299ae1f55743f2cb81be4a417b878ab32374660b17f5b328662e56296582e8a285c307947b41e00fed812c978212394574f57756c481b3d64cc91659f75a468383bcad1e25f2b85c15f8ac7004484889081eb91001b0feab9b12dd51e001491c795bdf45ff880ffe493e7acdd91f1a" + + ########################################################################### + ########################################################################### +@@ -491,9 +491,9 @@ PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b514 + #RFC 5869 Appendix A vectors + HKDF_name_1="hmac(sha256)" + HKDF_ikm_1="0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" +-HKDF_salt_1="000102030405060708090a0b0c" ++HKDF_salt_1="000102030405060708090a0b0c0d" + HKDF_info_1="f0f1f2f3f4f5f6f7f8f9" +-HKDF_exp_1="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865" ++HKDF_exp_1="cb95d056d6ba6f084df0a03a3317bcca7f83773204b76f527f4f06736168a52bbcd88869a3a4e7972dcd" + + HKDF_name_2="hmac(sha256)" + HKDF_ikm_2="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f" +@@ -555,6 +555,11 @@ KPP_exp_2="78fbd4d1ed7ea6fc8f1e1a6f8a5c750845401589ad3c135088b4ec78f54c57b436d1a + ########################################################################### + ########################################################################### + ++is_fips_enabled() ++{ ++ test $(cat /proc/sys/crypto/fips_enabled) = "1" ++} ++ + # Test required for test with multiple IOVECs on i686 + check_memory() { + if [ $(cat /proc/sys/net/core/optmem_max) -lt $1 ] +@@ -576,7 +581,14 @@ check_memory_soft() { + hashfunc() + { + stream=$1 +- HASHEXEC="1 2 3 4 5 6 7 8 9" ++ ++ if is_fips_enabled; then ++ echo_deact "Hash tests using 3DES are disabled in FIPS" ++ HASHEXEC="2 3 4 5 6 7 8 9" ++ else ++ HASHEXEC="1 2 3 4 5 6 7 8 9" ++ fi ++ + for i in $HASHEXEC + do + eval HASH_name=\$HASH_name_$i +@@ -630,7 +642,12 @@ symfunc() + aligned=$3 + aiofallback=$4 + +- SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12" ++ if is_fips_enabled; then ++ echo_deact "Symmetric tests using 3DES are disabled in FIPS" ++ SYMEXEC="1 2 3 8 9 10 11 12" ++ else ++ SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12" ++ fi + + if [ x"$stream" = x"X" ] + then +@@ -666,7 +683,11 @@ symfunc() + + # Disable XTS tests for multi-threading due to the issue + # discussed in https://github.com/smuellerDD/libkcapi/issues/92 +- SYMEXEC="1 2 3 4 5 6 7" ++ if is_fips_enabled; then ++ SYMEXEC="1 2 3" ++ else ++ SYMEXEC="1 2 3 4 5 6 7" ++ fi + else + sout="one shot" + fi +@@ -1148,7 +1169,13 @@ pbkdftest() + { + aligned=$1 + +- PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13" ++ if is_fips_enabled; then ++ echo_deact "PBKDF tests using SHA1 are disabled in FIPS" ++ PBKDFEXEC="8 9 10 11 12 13" ++ else ++ PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13" ++ fi ++ + for i in $PBKDFEXEC + do + eval PBKDF_name=\$PBKDF_name_$i +@@ -1185,7 +1212,13 @@ hkdftest() + { + aligned=$1 + +- HKDFEXEC="1 2 3 4 5 6 7" ++ if is_fips_enabled; then ++ echo_deact "HKDF tests using SHA1 and zero length salts are disabled in FIPS" ++ HKDFEXEC="1 2" ++ else ++ HKDFEXEC="1 2 3 4 5 6 7" ++ fi ++ + for i in $HKDFEXEC + do + eval HKDF_name=\$HKDF_name_$i diff --git a/SOURCES/fipshmac-openssl.sh b/SOURCES/fipshmac-openssl.sh new file mode 100644 index 0000000..c554434 --- /dev/null +++ b/SOURCES/fipshmac-openssl.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# Mocks fipshmac using the openssl tool. +# Only for use during RPM build. + +[ "$1" = '-d' ] || exit 1 + +openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex "$3" | cut -f 2 -d ' ' \ + >"$2/$(basename "$3").hmac" diff --git a/SOURCES/libkcapi-1.4.0.tar.xz.asc b/SOURCES/libkcapi-1.4.0.tar.xz.asc new file mode 100644 index 0000000..037df0e --- /dev/null +++ b/SOURCES/libkcapi-1.4.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmISvaAACgkQQh7pNjJq +wVv6jggAh7UpchOXZ1THbDZ0PE+YGWSr3Y3qKHMls9ixNn/RDSYxPvyZqc6pIAKQ +zVA6bGtB9kqcSexmrk2EyiUYgi1lo+5HwsfAfHBQaq7vD1S8Q/FYx/XVRv2GQfkj +/E1ivlcdcInlpn+vu+7Hei+H/IXtETh8QPwGwRI1Je84pIt7K4K4VPwWpur0su6E +oF1AFT6ldlMczsoDTCi3eP3rZWKvMmX5718W9F6eKuTkKoIiipCUxdMBy4f6YpDB +1ZmQPHjSgG4URlclQnFiGXYAbMBRHYfguJRl/HjZWSQMigRzqGSdvJR8wrfMeQzr +Bk0z0nGayzHgcC7gPz8CsAMJj5C9eQ== +=OA3o +-----END PGP SIGNATURE----- diff --git a/SOURCES/sha512hmac-openssl.sh b/SOURCES/sha512hmac-openssl.sh new file mode 100644 index 0000000..6496394 --- /dev/null +++ b/SOURCES/sha512hmac-openssl.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Mocks sha512hmac using the openssl tool. +# Only for use during RPM build. + +openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' diff --git a/SPECS/libkcapi.spec b/SPECS/libkcapi.spec new file mode 100644 index 0000000..7c70ff4 --- /dev/null +++ b/SPECS/libkcapi.spec @@ -0,0 +1,758 @@ +# Shared object version of libkcapi. +%global vmajor 1 +%global vminor 4 +%global vpatch 0 + +# Do we build the replacements packages? +%bcond_with replace_coreutils +# Replace fipscheck by default in Fedora 33+: +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 +%bcond_without replace_fipscheck +%else +%bcond_with replace_fipscheck +%endif +# Replace hmaccalc by default in Fedora 28+: +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8 +%bcond_without replace_hmaccalc +%else +%bcond_with replace_hmaccalc +%endif +%if 0%{?fedora} >= 29 || 0%{?rhel} >= 8 +%bcond_without test_package +%else +%bcond_with test_package +%endif +# disable cppcheck analysis in ELN/RHEL to avoid the dependency bz#1931518 +%if 0%{?rhel} +%bcond_with cppcheck +%else +%bcond_without cppcheck +%endif + +# Use `--without test` to build without running the tests +%bcond_without test +# Use `--without fuzz_test` to skip the fuzz test during build +%bcond_without fuzz_test +# Use `--without doc` to build without the -doc subpackage +%bcond_without doc +# Use `--without clang_sa` to skip clang static analysis during build +%bcond_without clang_sa + +# This package needs at least Linux Kernel v4.10.0. +%global min_kernel_ver 4.10.0 + +# Do we need to tweak sysctl.d? In newer versions of the Linux +# Kernel the default ancillary buffer size is set high enough. +# TODO: Adapt this when the patch for net/core/sock.c is merged. +%if %{lua:print(rpm.vercmp('99.0.0', posix.uname('%r')));} >= 0 +%global with_sysctl_tweak 1 +%else +%global with_sysctl_tweak 0 +%endif + +%if %{with_sysctl_tweak} +# Priority for the sysctl.d preset. +%global sysctl_prio 50 + +# Value used for the sysctl.d preset. +%global sysctl_optmem_max 81920 + +# Extension for the README.distro file. +%global distroname_ext %{?fedora:fedora}%{?rhel:redhat} +%endif + +# Lowest limit to run the testsuite. If we cannot obtain this +# value, we asume the testsuite cannot be run. +%global test_optmem_max %(%{__cat} /proc/sys/net/core/optmem_max || echo 0) + +# For picking patches from upstream commits or pull requests. +%global giturl https://github.com/smuellerDD/%{name} + +# Do we replace some coreutils? +%if %{with replace_coreutils} +# TODO: Adapt this when replacing some coreutils initially. +%global coreutils_evr 8.29-1%{?dist} +%endif + +# Do we replace fipscheck? +%if %{with replace_fipscheck} +%global fipscheck_evr 1.5.0-9 +%endif + +# Do we replace hmaccalc? +%if %{with replace_hmaccalc} +%global hmaccalc_evr 0.9.14-10%{?dist} +%endif + +%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac +%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac + +# On old kernels use mock hashers implemented via openssl +%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 +%global sha512hmac bin/kcapi-hasher -n sha512hmac +%global fipshmac bin/kcapi-hasher -n fipshmac +%else +%global sha512hmac bash %{SOURCE2} +%global fipshmac bash %{SOURCE3} +%endif + +# Add generation of HMAC checksums of the final stripped +# binaries. %%define with lazy globbing is used here +# intentionally, because using %%global does not work. +%define __spec_install_post \ +%{?__debug_package:%{__debug_install_post}} \ +%{__arch_install_post} \ +%{__os_install_post} \ +bin_path=%{buildroot}%{_bindir} \ +lib_path=%{buildroot}/%{_lib} \ +for app in %{apps_hmaccalc}; do \ + test -e "$bin_path"/$app || continue \ + { %sha512hmac "$bin_path"/$app || exit 1; } \\\ + | cut -f 1 -d ' ' >"$lib_path"/hmaccalc/$app.hmac \ +done \ +for app in %{apps_fipscheck}; do \ + test -e "$bin_path"/$app || continue \ + %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \ +done \ +%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \ +%fipshmac -d "$lib_path"/fipscheck \\\ + "$lib_path"/libkcapi.so.%{version} || exit 1 \ +%{__ln_s} libkcapi.so.%{version}.hmac \\\ + "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ +%{nil} + + +Name: libkcapi +Version: %{vmajor}.%{vminor}.%{vpatch} +Release: 2%{?dist} +Summary: User space interface to the Linux Kernel Crypto API + +License: BSD-3-Clause OR GPL-2.0-only +URL: https://www.chronox.de/%{name}.html +Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz +Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc +Source2: sha512hmac-openssl.sh +Source3: fipshmac-openssl.sh + +Patch1: 001-tests-kernel-version.patch +Patch2: 002-fips-disable-ansi_cprng.patch +Patch3: 003-zeroize-hasher.patch +Patch4: 004-hasher-target-option.patch +Patch5: 005-fips-mode-tests.patch + +BuildRequires: bash +BuildRequires: coreutils +BuildRequires: gcc +BuildRequires: git-core +BuildRequires: hardlink +BuildRequires: kernel-headers >= %{min_kernel_ver} +BuildRequires: libtool +BuildRequires: make +BuildRequires: openssl +BuildRequires: perl-interpreter +BuildRequires: systemd +BuildRequires: xmlto +%if %{with doc} +BuildRequires: docbook-utils-pdf +%endif +%if %{with clang_sa} +BuildRequires: clang +%endif +%if %{with cppcheck} +BuildRequires: cppcheck >= 2.4 +%endif + +# For ownership of %%{_sysctldir}. +Requires: systemd + +Obsoletes: %{name}-replacements <= %{version}-%{release} + +%description +libkcapi allows user-space to access the Linux kernel crypto API. + +This library uses the netlink interface and exports easy to use APIs +so that a developer does not need to consider the low-level netlink +interface handling. + +The library does not implement any cipher algorithms. All consumer +requests are sent to the kernel for processing. Results from the +kernel crypto API are returned to the consumer via the library API. + +The kernel interface and therefore this library can be used by +unprivileged processes. + + +%package devel +Summary: Development files for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +%description devel +Header files for applications that use %{name}. + + +%if %{with doc} +%package doc +Summary: User documentation for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +%description doc +User documentation for %{name}. +%endif + + +%if %{with replace_coreutils} +%package checksum +Summary: Drop-in replacement for *sum utils provided by the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +Requires: coreutils%{?_isa} >= %{coreutils_evr} + +Conflicts: coreutils < %{coreutils_evr} +Conflicts: coreutils-single + +%description checksum +Provides drop-in replacements for sha*sum tools (from package +coreutils) using %{name}. +%endif + + +%if %{with replace_fipscheck} +%package fipscheck +Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +Obsoletes: fipscheck <= %{fipscheck_evr} + +Provides: fipscheck == %{fipscheck_evr}.1 +Provides: fipscheck%{?_isa} == %{fipscheck_evr}.1 + +%description fipscheck +Provides drop-in replacements for fipscheck and fipshmac tools (from +package fipscheck) using %{name}. +%endif + + +%if %{with replace_hmaccalc} +%package hmaccalc +Summary: Drop-in replacements for hmaccalc provided by the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +Obsoletes: hmaccalc <= %{hmaccalc_evr} + +Provides: hmaccalc == %{hmaccalc_evr}.1 +Provides: hmaccalc%{?_isa} == %{hmaccalc_evr}.1 + +%description hmaccalc +Provides drop-in replacements for sha*hmac tools (from package +hmaccalc) using %{name}. +%endif + + +%package static +Summary: Static library for -static linking with %{name} +Requires: %{name}-devel%{?_isa} == %{version}-%{release} + +%description static +This package contains the %{name} static libraries for -static +linking. You don't need this, unless you link statically, which +is highly discouraged. + + +%package tools +Summary: Utility applications for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} + +%description tools +Utility applications that are provided with %{name}. This includes +tools to use message digests, symmetric ciphers and random number +generators implemented in the Linux kernel from command line. + + +%if %{with test_package} +%package tests +Summary: Testing scripts for the %{name} package +Requires: %{name}%{?_isa} == %{version}-%{release} +Requires: %{name}-tools%{?_isa} == %{version}-%{release} +%if %{with replace_hmaccalc} +Requires: %{name}-hmaccalc%{?_isa} == %{version}-%{release} +%endif +%if %{with replace_coreutils} +Requires: %{name}-checksum%{?_isa} == %{version}-%{release} +%endif +Requires: coreutils +Requires: openssl +Requires: perl-interpreter + +%description tests +Auxiliary scripts for testing %{name}. +%endif + + +%prep +%autosetup -p 1 -S git + +%if %{with_sysctl_tweak} +%{__cat} << EOF > README.%{distroname_ext} +This package increases the default limit of the ancillary buffer size +per kernel socket defined in \`net.core.optmem_max\` to %{sysctl_optmem_max} bytes. + +For this preset to become active it requires a reboot after the +installation of this package. You can also manually increase this +limit by invocing \`sysctl net.core.optmem_max=%{sysctl_optmem_max}\` as the +super-user, e.g. using \`su\` or \`sudo\` on the terminal. + +This is done to provide consumers of the new Linux Kernel Crypto API +User Space Interface a well sufficient and reasonable maximum limit +by default, especially when using AIO with a larger amount of IOVECs. + +For further information about the AF_ALG kernel socket and AIO, see +the discussion at the kernel-crypto mailing-list: +https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg30417.html + +See the instructions given in '%{_sysctldir}/50-default.conf', +if you need or want to override the preset made by this package. +EOF + +%{__cat} << EOF > %{sysctl_prio}-%{name}-optmem_max.conf +# See the 'README.%{distroname_ext}' file shipped in %%doc +# with the %{name} package. +# +# See '%{_sysctldir}/50-default.conf', +# if you need or want to override this preset. + +# Increase the ancillary buffer size per socket. +net.core.optmem_max = %{sysctl_optmem_max} +EOF +%endif + +%{_bindir}/autoreconf -fiv + + +%build +%configure \ + --libdir=/%{_lib} \ + --disable-silent-rules \ + --enable-kcapi-encapp \ + --enable-kcapi-dgstapp \ + --enable-kcapi-hasher \ + --enable-kcapi-rngapp \ + --enable-kcapi-speed \ + --enable-kcapi-test \ + --enable-shared \ + --enable-static \ + --enable-sum-prefix= \ + --enable-sum-dir=/%{_lib} \ + --with-pkgconfigdir=%{_libdir}/pkgconfig +%if %{with doc} +%make_build all doc +%else +%make_build all man +%endif + + +%install +%make_install + +# Install sysctl.d preset. +%{__mkdir_p} %{buildroot}%{_sysctldir} +%{__install} -Dpm 0644 -t %{buildroot}%{_sysctldir} \ + %{sysctl_prio}-%{name}-optmem_max.conf + +# Install into proper location for inclusion by %%doc. +%{__mkdir_p} %{buildroot}%{_pkgdocdir} +%{__install} -Dpm 0644 -t %{buildroot}%{_pkgdocdir} \ +%if %{with_sysctl_tweak} + README.%{distroname_ext} \ +%endif +%if %{with doc} + doc/%{name}.p{df,s} \ +%endif + README.md CHANGES.md TODO + +%if %{with doc} +%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir} +%endif + +# Install replacement tools, if enabled. +%if !%{with replace_coreutils} +%{__rm} -f \ + %{buildroot}%{_bindir}/md5sum \ + %{buildroot}%{_bindir}/sha*sum \ + %{buildroot}%{_bindir}/sm*sum +%endif + +%if !%{with replace_fipscheck} +%{__rm} -f %{buildroot}%{_bindir}/fips* +%endif + +%if !%{with replace_hmaccalc} +%{__rm} -f %{buildroot}%{_bindir}/sha*hmac +%{__rm} -f %{buildroot}%{_bindir}/sm*hmac +%endif + +# We don't ship autocrap dumplings. +%{_bindir}/find %{buildroot} -type f -name '*.la' -print -delete + +# HMAC checksums are generated during __spec_install_post. +%{_bindir}/find %{buildroot} -type f -name '*.hmac' -print -delete + +# Remove 0-size files. +%{_bindir}/find %{buildroot} -type f -size 0 -print -delete + +%if %{with doc} +# Make sure all docs have non-exec permissions, except for the dirs. +%{_bindir}/find %{buildroot}%{_pkgdocdir} -type f -print | \ + %{_bindir}/xargs %{__chmod} -c 0644 +%{_bindir}/find %{buildroot}%{_pkgdocdir} -type d -print | \ + %{_bindir}/xargs %{__chmod} -c 0755 +%endif + +# Possibly save some space by hardlinking. +for d in %{_mandir} %{_pkgdocdir}; do + %{_sbindir}/hardlink -cfv %{buildroot}$d +done + + +%check +# Some basic sanity checks. +%if %{with clang_sa} +%make_build scan +%endif +%if %{with cppcheck} +%make_build cppcheck +%endif + +%if %{with test} +# On some arches `/proc/sys/net/core/optmem_max` is lower than 20480, +# which is the lowest limit needed to run the testsuite. If that limit +# is not met, we do not run it. +%if %{test_optmem_max} >= 20480 +# Skip the testsuite on old kernels. +%if %{lua:print(rpm.vercmp(posix.uname('%r'), '5.1'));} >= 0 +# Real testsuite. +pushd test +%if %{with fuzz_test} +ENABLE_FUZZ_TEST=1 \ +%endif +NO_32BIT_TEST=1 \ + ./test-invocation.sh +popd +%endif +%endif +%endif + + +%ldconfig_scriptlets + + +%files +%doc %dir %{_pkgdocdir} +%doc %{_pkgdocdir}/README.md +%license COPYING* +/%{_lib}/%{name}.so.%{vmajor} +/%{_lib}/%{name}.so.%{version} +/%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac +/%{_lib}/fipscheck/%{name}.so.%{version}.hmac +%if %{with_sysctl_tweak} +%doc %{_pkgdocdir}/README.%{distroname_ext} +%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf +%endif + + +%files devel +%doc %{_pkgdocdir}/CHANGES.md +%doc %{_pkgdocdir}/TODO +%{_includedir}/kcapi.h +%{_mandir}/man3/kcapi_*.3.* +/%{_lib}/%{name}.so +%{_libdir}/pkgconfig/%{name}.pc + + +%if %{with doc} +%files doc +%doc %{_pkgdocdir}/html +%doc %{_pkgdocdir}/%{name}.pdf +%doc %{_pkgdocdir}/%{name}.ps +%endif + + +%if %{with replace_coreutils} +%files checksum +%{_bindir}/md5sum +%{_bindir}/sha*sum +%{_bindir}/sm*sum +/%{_lib}/fipscheck/md5sum.hmac +/%{_lib}/fipscheck/sha*sum.hmac +/%{_lib}/fipscheck/sm*sum.hmac +%endif + +%if %{with replace_fipscheck} +%files fipscheck +%{_bindir}/fips* +/%{_lib}/fipscheck/fips*.hmac +%endif + +%if %{with replace_hmaccalc} +%files hmaccalc +%{_bindir}/sha*hmac +%{_bindir}/sm*hmac +/%{_lib}/hmaccalc/sha*hmac.hmac +/%{_lib}/hmaccalc/sm*hmac.hmac +%endif + + +%files static +/%{_lib}/%{name}.a + + +%files tools +%{_bindir}/kcapi* +%{_mandir}/man1/kcapi*.1.* + + +%if %{with test_package} +%files tests +%{_libexecdir}/%{name}/* +%endif + + +%changelog +* Fri Mar 29 2024 MSVSphere Packaging Team - 1.4.0-2 +- Rebuilt for MSVSphere 8.10 beta + +* Fri Dec 01 2023 Zoltan Fridrich - 1.4.0-2 +- Backport fixes for kcapi-hasher target option + Related: RHEL-15300 +- Fix kcapi tests in FIPS mode + Resolves: RHEL-2406 + +* Wed Nov 01 2023 Zoltan Fridrich - 1.4.0-1 +- Update to new upstream release 1.4.0 + Resolves: RHEL-5366 +- Add a patch to fix auxiliary tests in FIPS mode + Resolves: RHEL-2406 +- Add a patch to zeroize kcapi-hasher for FIPS 140-3 + Resolves: RHEL-15290 +- Add a patch to allow overriding target file in kcapi-hasher + Resolves: RHEL-15300 + +* Tue May 26 2020 Sahana Prasad - 1.2.0-2 +- Fix double free issue in hasher() + +* Mon May 25 2020 Sahana Prasad - 1.2.0-1 +- [RHEL] Update to upstream version 1.2.0 + +* Thu Apr 30 2020 Sahana Prasad - 1.1.5-3 +- Enables building on old kernels [sync fix in Fedora from omosnance]. +- This is required for covscans as they run on RHEL7 machines. + +* Wed Apr 29 2020 Sahana Prasad - 1.1.5-2 +- Drop the license from the doc subpackage to avoid conflicts + +* Mon Apr 27 2020 Sahana Prasad - 1.1.5-1 +- [RHEL] Update to upstream version 1.1.5 +- [RHEL] Sync with Fedora branch + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-16_1 +- [RHEL] Apply 'Add missing dependencies to the tests package' +- [RHEL] Apply 'Update patch from upstream' + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-16 +- Add missing dependencies to the tests package +- Update patch from upstream + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-15_1 +- [RHEL] Apply 'Build and tests require perl' + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-15 +- Build and tests require perl + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14_2 +- [RHEL] Re-enable AEAD tests and ignore test result +- [RHEL] Drop the ppc64 ignore-failures workaround + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14_1 +- [RHEL] Apply 'Add missing script to the 'tests' package' + +* Thu Aug 09 2018 Ondrej Mosnáček - 1.1.1-14 +- Add missing script to the 'tests' package + +* Wed Aug 08 2018 Ondrej Mosnáček - 1.1.1-13_1 +- [RHEL] Sync with the Fedora branch + +* Wed Aug 08 2018 Ondrej Mosnáček - 1.1.1-13 +- Add missing requires to the 'tests' subpackage + +* Wed Aug 08 2018 Ondrej Mosnáček - 1.1.1-12_1 +- [RHEL] Sync with the Fedora branch + +* Tue Aug 07 2018 Ondrej Mosnáček - 1.1.1-12 +- Produce a subpackage with test scripts +- Build the 'tests' subpackage conditionally + +* Wed Aug 01 2018 Ondrej Mosnáček - 1.1.1-11_1 +- [RHEL] Sync with the Fedora branch + +* Wed Aug 01 2018 Ondrej Mosnáček - 1.1.1-11 +- Add patch to fix unwanted closing of FD 0 + +* Tue Jul 31 2018 Ondrej Mosnáček - 1.1.1-10 +- Remove the kernel headers workaround + +* Mon Jul 30 2018 Ondrej Mosnáček - 1.1.1-9_1 +- [RHEL] Sync with the Fedora branch +- [RHEL] Rebase the disable-AEAD-tests patch + +* Fri Jul 27 2018 Igor Gnatenko - 1.1.1-9 +- Rebuild for new binutils + +* Fri Jul 27 2018 Ondrej Mosnáček - 1.1.1-8 +- Add more Coverity fixes from upstream +- Add patch to fix AEAD fuzz test for BE arches +- Fixup specfile + +* Mon Jul 23 2018 Ondrej Mosnáček - 1.1.1-7_1 +- [RHEL] Sync with the Fedora branch +- [RHEL] Fixup specfile +- [RHEL] Rebase the disable-AEAD-tests patch + +* Mon Jul 23 2018 Ondrej Mosnáček - 1.1.1-7 +- Add various fixes from upstream +- Drop the Requires on kernel package + +* Wed Jul 18 2018 Ondrej Mosnáček - 1.1.1-3_2 +- [RHEL] Temporarily disable AEAD tests + +* Mon Jul 16 2018 Ondrej Mosnáček - 1.1.1-6 +- Put .hmac files into a separate directory + +* Fri Jul 13 2018 Fedora Release Engineering - 1.1.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 12 2018 Ondrej Mosnáček - 1.1.1-4 +- Add patch to work around FTBFS on rawhide + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-3_1 +- [RHEL] Sync with the Fedora branch + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-3 +- Fix off-by-one error in checkfile parsing + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2_2 +- [RHEL] Disable fuzz test + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2_1 +- [RHEL] Sync with the Fedora branch + +* Wed Jul 11 2018 Ondrej Mosnáček - 1.1.1-2 +- Fix command-line parsing in libkcapi-hmaccalc + +* Tue Jul 10 2018 Ondrej Mosnáček - 1.1.1-1_2 +- [RHEL] Work around build failure with new kernel headers + +* Mon Jun 18 2018 Ondrej Mosnáček - 1.1.1-1_1 +- [RHEL] Skip CLang static analysis +- [RHEL] Remove the dependency on kernel package + +* Mon Jun 18 2018 Ondrej Mosnáček - 1.1.1-1 +- Update to upstream version 1.1.1 + +* Wed May 09 2018 Ondrej Mosnáček - 1.1.0-5 +- Skip CLang static analysis in RHEL +- Revert "Skip CLang static analysis in RHEL" +- Use own sha512hmac and fipscheck + +* Wed May 02 2018 Ondrej Mosnáček - 1.1.0-4 +- Fix description lines being too long + +* Fri Apr 27 2018 Björn Esser - 1.1.0-3 +- Fix conditional for hmaccalc replacement + +* Mon Apr 16 2018 Ondrej Mosnáček - 1.1.0-2 +- Enable hmaccalc replacements in Fedora 28+ + +* Thu Apr 12 2018 Ondrej Mosnáček - 1.1.0-1 +- Update to upstream version 1.1.0 + +* Sat Mar 31 2018 Björn Esser - 1.0.3-10 +- Replace single patches with a monolitic one from upstream +- Obsolete replacements subpackage +- Ignore failing tests on %%{power64} temporarily + +* Thu Mar 08 2018 Ondrej Mosnáček - 1.0.3-9 +- Split up the replacements subpackage + +* Mon Feb 26 2018 Björn Esser - 1.0.3-8 +- Increase optmem_max preset to 81920 + +* Mon Feb 26 2018 Björn Esser - 1.0.3-7 +- Obsoletes work by package name, not by provides (rhbz#1537225) + +* Sun Feb 25 2018 Björn Esser - 1.0.3-6 +- Add patch to fix a copy-paste typo + +* Sat Feb 17 2018 Björn Esser - 1.0.3-5 +- Add patch to fix build with -Werror + +* Wed Feb 07 2018 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Feb 04 2018 Björn Esser - 1.0.3-3 +- Switch to %%ldconfig_scriptlets + +* Wed Jan 17 2018 Björn Esser - 1.0.3-2 +- Decrease optmem_max preset to 40960 +- Let the build fail, if the minimum kernel version cannot be met +- Conditionalize the sysctl.d tweak on version of the kernel +- Conditionalize the name of README.distro on the distro + +* Tue Jan 16 2018 Björn Esser - 1.0.3-1 +- Initial import (rhbz#1533929) + +* Tue Jan 16 2018 Björn Esser - 1.0.3-0.13 +- Increase optmem_max preset to 81920 + +* Tue Jan 16 2018 Björn Esser - 1.0.3-0.12 +- Add sysctl.d preset and README.fedora + +* Mon Jan 15 2018 Björn Esser - 1.0.3-0.11 +- Make the contents of the -replacements package configurable + +* Mon Jan 15 2018 Björn Esser - 1.0.3-0.10 +- Fix Obsoletes of the -replacements package + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.9 +- Disable the -replacements package until we have a plan for it + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.8 +- Move the kcapi-hasher binary to -replacements package, since it is + not of much use without the linked invocation names and saves the + extra Requires on the -tools package + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.7 +- Fix internal Requires of sub-packages +- Hardlink files in %%{_bindir} + +* Sun Jan 14 2018 Björn Esser - 1.0.3-0.6 +- Add patches from upstream + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.5 +- Add patches from upstream + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.4 +- Asume the testsuite cannot be run, if the value of optmem_max cannot + be obtained + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.3 +- Move libraries to /%%{_lib} instead of %%{_libdir}, which is useful + during boot when the library might be needed before a potentially + seperate /usr partition is mounted + +* Sat Jan 13 2018 Björn Esser - 1.0.3-0.2 +- Asume optmem_max is at least 20480, if the real value cannot be obtained + +* Fri Jan 12 2018 Björn Esser - 1.0.3-0.1 +- New upstream release + +* Wed Jan 10 2018 Björn Esser - 1.0.2-0.1 +- Initial rpm release (rhbz#1533929)