rpms
/
libkcapi
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
...
pull from: rpms:c8-beta
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'c8-beta' have entirely different histories.
c9 ... c8-beta

11 changed files with 810 additions and 184 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/libkcapi-1.3.1.tar.xz SOURCES/libkcapi-1.4.0.tar.xz

2
.libkcapi.metadata
Unescape View File

@ -1 +1 @@
ee581bce3e76310f5c5488898771f7f403f72693 SOURCES/libkcapi-1.3.1.tar.xz 526dca7d8eb8ddc29395f0716ba1233e27bf2ab5 SOURCES/libkcapi-1.4.0.tar.xz

49
SOURCES/0001-Use-GCCs-__symver__-attribute.patch
Unescape View File

@ -1,49 +0,0 @@
From 2abf7fecb5162e4b59ba134c813ebee839eb45e9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 14 Jul 2021 10:52:01 -0400
Subject: [PATCH] Use GCCs __symver__ attribute
This is needed to allow LTO builds, as the __asm__ directives do not give
enough context to the compiler and the build fails when the -flto flag is
passed in.
Unfotunately __symver__ is avilbel only startig from GCC 10, so we need
more macro juggling.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
lib/internal.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lib/internal.h b/lib/internal.h
index 29fdb7b..64dad24 100644
--- a/lib/internal.h
+++ b/lib/internal.h
@@ -350,6 +350,16 @@ static inline int io_getevents(__attribute__((unused)) aio_context_t ctx,
#if __GNUC__ >= 4
# define DSO_PUBLIC __attribute__ ((visibility ("default")))
+#if __GNUC__ >= 10
+# define IMPL_SYMVER(name, version) \
+ __attribute__ ((visibility ("default"))) \
+ __attribute__((__symver__("kcapi_" #name "@@LIBKCAPI_" version)))
+
+# define ORIG_SYMVER(name, version) \
+ __attribute__ ((visibility ("default"))) \
+ __attribute__((__symver__("kcapi_" #name "@LIBKCAPI_" version)))
+
+#else
# define IMPL_SYMVER(name, version) \
__asm__(".global impl_" #name ";"\
".symver impl_" #name ",kcapi_" #name "@@LIBKCAPI_" version);\
@@ -359,6 +369,7 @@ static inline int io_getevents(__attribute__((unused)) aio_context_t ctx,
__asm__(".global orig_" #name ";"\
".symver orig_" #name ",kcapi_" #name "@LIBKCAPI_" version);\
__attribute__ ((visibility ("default")))
+#endif
#else
# error "Compiler version too old"
--
2.31.1

40
SOURCES/001-tests-kernel-version.patch
Unescape View File

@ -0,0 +1,40 @@
From c2af62dcc7a287f3c14f6aaec5724401c1ea470a Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 15 Aug 2022 10:19:50 +0200
Subject: [PATCH] tests: fix overly-optimistic kernel version checks
The mainline kernel is now at version 6.0 so these >= 5.99 checks are
now incorrectly enabling tests that don't work. Instead of bumping the
imaginary version and face the same problem again in a couple years,
replace the checks with 'false' and a TODO comment.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
test/test.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/test/test.sh b/test/test.sh
index 1d9be73..a75b802 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1560,7 +1560,8 @@ else
echo_deact "AEAD tests of copied AAD deactivated"
fi
-if $(check_min_kernelver 5 99); then
+# TODO add version check when supported upstream
+if false; then
asymfunc 4
asymfunc 4 -s
asymfunc 4 -v
@@ -1583,7 +1584,8 @@ else
echo_deact "All asymmetric tests deactivated"
fi
-if $(check_min_kernelver 5 99); then
+# TODO add version check when supported upstream
+if false; then
kppfunc 13
kppfunc 13 X -m
kppfunc 13 -v

74
SOURCES/002-fips-disable-ansi_cprng.patch
Unescape View File

@ -0,0 +1,74 @@
From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Fri, 11 Aug 2023 12:20:22 +0200
Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
test/kcapi-main.c | 45 ++++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/test/kcapi-main.c b/test/kcapi-main.c
index 67fb53f..23fc8ed 100644
--- a/test/kcapi-main.c
+++ b/test/kcapi-main.c
@@ -652,8 +652,6 @@ static int is_fips_mode(void)
static int auxiliary_tests(void)
{
struct kcapi_handle *handle = NULL;
- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)"
- : "ansi_cprng";
int ret = 0;
if (kcapi_aead_init(&handle, "ccm(aes)", 0)) {
@@ -711,27 +709,28 @@ static int auxiliary_tests(void)
if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0))
ret++;
- /* X9.31 RNG must require seed */
- printf("X9.31 missing seeding: ");
- if (!aux_test_rng(ansi_cprng_name, NULL, 0))
- ret++;
- /* X9.31 seed too short */
- printf("X9.31 insufficient seeding: ");
- if (!aux_test_rng(ansi_cprng_name,
- (uint8_t *)
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
- ret++;
- /* X9.31 seed right sized short */
- if (aux_test_rng(ansi_cprng_name,
- (uint8_t *)
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
- printf("Error for %s: kernel module ansi_cprng present?\n",
- ansi_cprng_name);
- ret++;
+ if (!is_fips_mode()) {
+ /* X9.31 RNG must require seed */
+ printf("X9.31 missing seeding: ");
+ if (!aux_test_rng("ansi_cprng", NULL, 0))
+ ret++;
+ /* X9.31 seed too short */
+ printf("X9.31 insufficient seeding: ");
+ if (!aux_test_rng("ansi_cprng",
+ (uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
+ ret++;
+ /* X9.31 seed right sized short */
+ if (aux_test_rng("ansi_cprng",
+ (uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
+ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n");
+ ret++;
+ }
}
return ret;

58
SOURCES/003-zeroize-hasher.patch
Unescape View File

@ -0,0 +1,58 @@
From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 1 Nov 2023 10:54:03 +0100
Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Requirement introduced by AS05.10:
"The temporary value(s) generated during the integrity test of the
modules software or firmware shall [05.10] be zeroised from the module
upon completion of the integrity test;"
As some modules use fipscheck or sha*hmac for integrity tests, these
temporary values need to be zeroised from the hasher.
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
apps/kcapi-hasher.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 098b655..f5caf77 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
if (hashlen > (uint32_t)ret) {
fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
(unsigned long)hashlen, ret);
+ kcapi_memset_secure(md, 0, sizeof(md));
return (int)ret;
}
@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
ret = 1;
else
ret = 0;
+ kcapi_memset_secure(compmd, 0, sizeof(compmd));
} else {
if (outfile == NULL) { /* only print hash (hmaccalc -S) */
bin2print(md, hashlen, NULL, stdout,
@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
filename ? filename : "stdin", ret);
}
+ kcapi_memset_secure(md, 0, sizeof(md));
return (int)ret;
}
@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
if (file)
fclose(file);
kcapi_md_destroy(handle);
+ kcapi_memset_secure(buf, 0, sizeof(buf));
/*
* If we found no lines to check, return an error.

185
SOURCES/004-hasher-target-option.patch
Unescape View File

@ -0,0 +1,185 @@
diff --color -ruNp a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
--- a/apps/kcapi-hasher.c 2023-11-28 17:08:09.124214489 +0100
+++ b/apps/kcapi-hasher.c 2023-11-28 17:11:12.975963482 +0100
@@ -140,15 +140,17 @@ static void usage(char *name, int fipsch
if (fipscheck)
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE\n", base);
else {
- fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE\n", base);
+ fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... -c FILE [-T FILE]\n", base);
fprintf(stderr, "\t%s [-n BASENAME] [OPTION]... FILE...\n", base);
}
fprintf(stderr, "\nOptions:\n");
fprintf(stderr, "\t-n --name\t\tForce given application name (sha512hmac/...)\n");
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
- if (!fipscheck)
+ if (!fipscheck) {
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
+ fprintf(stderr, "\t-T --target FILE\tOverride filenames found in hash sums file; use with -c\n");
+ }
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
fprintf(stderr, "\t-h --hash HASH\t\tUse given hash algorithm\n");
fprintf(stderr, "\t-t --truncate N\t\tUse hash truncated to N bits\n");
@@ -530,11 +532,12 @@ static int hash_files(const struct hash_
#define CHK_STATUS (2)
static int process_checkfile(const struct hash_params *params,
- const char *checkfile, const char *targetfile, int log)
+ const char *checkfile, const char *targetfile, int log, int fipscheck)
{
FILE *file = NULL;
int ret = 0;
int checked_any = 0;
+ int failed_any = 0;
struct kcapi_handle *handle;
const char *hashname = params->name.kcapiname;
@@ -570,7 +573,7 @@ static int process_checkfile(const struc
}
while (fgets(buf, sizeof(buf), file)) {
- char *filename = NULL; // parsed file name
+ const char *filename = NULL; // parsed file name
char *hexhash = NULL; // parsed hex value of hash
uint32_t hexhashlen = 0; // length of hash hex value
uint32_t linelen = (uint32_t)strlen(buf);
@@ -645,17 +648,7 @@ static int process_checkfile(const struc
goto out;
}
- /* fipscheck does not have the filename in the check file */
- if (targetfile) {
- ret = hasher(handle, params, targetfile,
- hexhash, hexhashlen, stdout);
- checked_any = 1;
- goto out;
- }
-
if (filename) {
- int r;
-
if (!bsd_style) {
if (!isblank(filename[0]) ||
(!isblank(filename[1]) && filename[1] != '*')) {
@@ -665,20 +658,29 @@ static int process_checkfile(const struc
}
filename += 2;
}
+ }
+
+ /*
+ * if targetfile is specified, use it instead of the filename
+ * found inside the checkfile
+ */
+ if (targetfile)
+ filename = targetfile;
- r = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
+ if (filename) {
+ ret = hasher(handle, params, filename, hexhash, hexhashlen, stdout);
+ checked_any = 1;
+ if (fipscheck)
+ goto out;
- if (r == 0) {
+ if (ret == 0) {
if (log < CHK_QUIET)
printf("%s: OK\n", filename);
} else {
+ failed_any = 1;
if (log < CHK_STATUS)
- printf("%s: Not OK\n",
- filename);
- if (ret >= 0)
- ret++;
+ printf("%s: Not OK\n", filename);
}
- checked_any = 1;
}
}
@@ -692,7 +694,7 @@ out:
* If we found no lines to check, return an error.
* (See https://pagure.io/hmaccalc/c/1afb99549816192eb8e6bc8101bc417c2ffa764c)
*/
- return ret != 0 ? ret : !checked_any;
+ return ret != 0 ? ret : !(checked_any && !failed_any);
}
@@ -770,7 +772,7 @@ static int fipscheck_self(const struct h
goto out;
}
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS, 1);
if (ret)
goto out;
}
@@ -810,7 +812,7 @@ static int fipscheck_self(const struct h
goto out;
}
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS, 1);
}
out:
@@ -866,12 +868,13 @@ int main(int argc, char *argv[])
{0, 0, 0, 0}
};
- static const char *opts_short = "c:uh:t:SLqk:K:vbd:Pz";
+ static const char *opts_short = "c:T:uh:t:SLqk:K:vbd:Pz";
static const struct option opts[] = {
{"help", 0, 0, 0},
{"tag", 0, 0, 0},
{"quiet", 0, 0, 0},
{"check", 1, 0, 'c'},
+ {"target", 1, 0, 'T'},
{"unkeyed", 0, 0, 'u'},
{"hash", 1, 0, 'h'},
{"truncate", 1, 0, 't'},
@@ -1124,6 +1127,9 @@ int main(int argc, char *argv[])
version(argv[0]);
ret = 0;
goto out;
+ case 'T':
+ targetfile = optarg;
+ break;
case 'd':
checkdir = optarg;
break;
@@ -1180,6 +1186,11 @@ int main(int argc, char *argv[])
ret = 1;
goto out;
}
+ if (targetfile) {
+ fprintf(stderr, "-T is not valid for fipscheck\n");
+ ret = 1;
+ goto out;
+ }
targetfile = argv[optind];
if (checkfile)
@@ -1192,12 +1203,18 @@ int main(int argc, char *argv[])
optind++;
}
+ if (targetfile && !checkfile) {
+ fprintf(stderr, "-T cannot be used without -c\n");
+ ret = 1;
+ goto out;
+ }
+
if (!checkfile)
ret = hash_files(&params, argv + optind,
(uint32_t)(argc - optind),
fipshmac, checkdir, 0);
else if (optind == argc)
- ret = process_checkfile(&params, checkfile, targetfile, loglevel);
+ ret = process_checkfile(&params, checkfile, targetfile, loglevel, fipscheck);
else {
fprintf(stderr, "-c cannot be used with input files\n");
ret = 1;

320
SOURCES/005-fips-mode-tests.patch
Unescape View File

@ -0,0 +1,320 @@
From 8dc30412618019f5480f993c637e4cf0f5a11a39 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Tue, 28 Nov 2023 09:34:29 +0100
Subject: [PATCH] Fix kcapi tests in FIPS mode
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
test/hasher-test.sh | 23 +++++++++++---
test/kcapi-convenience.c | 2 +-
test/kcapi-dgst-test.sh | 16 +++++-----
test/kcapi-enc-test.sh | 16 +++++-----
test/test.sh | 67 ++++++++++++++++++++++++++++++----------
5 files changed, 86 insertions(+), 38 deletions(-)
diff --git a/test/hasher-test.sh b/test/hasher-test.sh
index c90fcc9..e97127e 100755
--- a/test/hasher-test.sh
+++ b/test/hasher-test.sh
@@ -26,6 +26,11 @@ HMACHASHER="sha1hmac sha256hmac sha384hmac sha512hmac"
CHKFILE="${TMPDIR}/chk.$$"
ANOTHER="${TMPDIR}/test.$$"
+is_fips_enabled()
+{
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
+}
+
if [ "$KCAPI_TEST_LOCAL" -eq 1 ]; then
find_platform kcapi-hasher
function run_hasher() {
@@ -365,7 +370,11 @@ fi
for suffix in $KAT_SUFFIXES
do
run_kat sha1$suffix "RFC 2202, section 3, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb617318655057264e28bc0b6fb378c8ef146be00
- run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
+ if is_fips_enabled; then
+ echo_deact "'RFC 2202, section 3, #2' test case deactivated in FIPS"
+ else
+ run_kat sha1$suffix "RFC 2202, section 3, #2" "Jefe" "what do ya want for nothing?" 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
+ fi
run_kat sha1$suffix "RFC 2202, section 3, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3
run_kat sha1$suffix "RFC 2202, section 3, #4" 0x0102030405060708090a0b0c0d0e0f10111213141516171819 0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da
run_kat sha1$suffix "RFC 2202, section 3, #5" 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c "Test With Truncation" 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
@@ -374,9 +383,15 @@ do
run_kat sha256$suffix "RFC 4231, section 4.2, #1" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xb0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
run_kat sha384$suffix "RFC 4231, section 4.2, #2" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0xafd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6
run_kat sha512$suffix "RFC 4231, section 4.2, #3" 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b "Hi There" 0x87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854
- run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
- run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
- run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
+ if is_fips_enabled; then
+ echo_deact "'RFC 4231, section 4.3, #1' test case deactivated in FIPS"
+ echo_deact "'RFC 4231, section 4.3, #2' test case deactivated in FIPS"
+ echo_deact "'RFC 4231, section 4.3, #3' test case deactivated in FIPS"
+ else
+ run_kat sha256$suffix "RFC 4231, section 4.3, #1" "Jefe" "what do ya want for nothing?" 0x5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
+ run_kat sha384$suffix "RFC 4231, section 4.3, #2" "Jefe" "what do ya want for nothing?" 0xaf45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649
+ run_kat sha512$suffix "RFC 4231, section 4.3, #3" "Jefe" "what do ya want for nothing?" 0x164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
+ fi
run_kat sha256$suffix "RFC 4231, section 4.4, #1" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe
run_kat sha384$suffix "RFC 4231, section 4.4, #2" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0x88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27
run_kat sha512$suffix "RFC 4231, section 4.4, #3" 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0xdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 0xfa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb
diff --git a/test/kcapi-convenience.c b/test/kcapi-convenience.c
index c5ff4b4..1cdaebe 100644
--- a/test/kcapi-convenience.c
+++ b/test/kcapi-convenience.c
@@ -63,7 +63,7 @@ static int hashtest(void)
static int hmactest(void)
{
- char *in = "teststring";
+ char *in = "longteststring";
uint8_t out[64];
ssize_t ret;
diff --git a/test/kcapi-dgst-test.sh b/test/kcapi-dgst-test.sh
index 0ad5ed3..67576b3 100755
--- a/test/kcapi-dgst-test.sh
+++ b/test/kcapi-dgst-test.sh
@@ -105,8 +105,8 @@ test_stdin_stdout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "STDIN / STDOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" < $ORIGPT > $GENDGST.2
diff_file $GENDGST $GENDGST.2 "STDIN / STDOUT test (password)"
}
@@ -135,8 +135,8 @@ test_stdin_fileout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "STDIN / FILEOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST < $ORIGPT
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -o $GENDGST.2 < $ORIGPT
diff_file $GENDGST $GENDGST.2 "STDIN / FILEOUT test (password)"
}
@@ -165,8 +165,8 @@ test_filein_stdout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "FILEIN / STDOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT > $GENDGST.2
diff_file $GENDGST $GENDGST.2 "FILEIN / STDOUT test (password)"
}
@@ -197,8 +197,8 @@ test_filein_fileout()
openssl dgst -sha256 -hmac $opensslkey $ORIGPT | awk 'BEGIN {FS="= "} {print $2}' > $GENDGST.openssl
diff_file $GENDGST $GENDGST.openssl "FILEIN / FILEOUT test (keyed MD $keysize bits)"
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
- run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwd" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST
+ run_app kcapi-dgst -q --pbkdfiter 1000 -p "passwordpassword" -s $SALT -c "hmac(sha256)" -i $ORIGPT -o $GENDGST.2
diff_file $GENDGST $GENDGST.2 "FILEIN / FILEOUT test (password)"
}
diff --git a/test/kcapi-enc-test.sh b/test/kcapi-enc-test.sh
index 3ace39c..63d2b23 100755
--- a/test/kcapi-enc-test.sh
+++ b/test/kcapi-enc-test.sh
@@ -163,8 +163,8 @@ test_stdin_stdout()
diff_file $GENCT $GENCT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "STDIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV < $ORIGPT > $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV < $GENCT > $GENPT
diff_file $ORIGPT $GENPT "STDIN / STDOUT enc test (password)"
}
@@ -195,8 +195,8 @@ test_stdin_fileout()
diff_file $GENCT $GENCT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "STDIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -o $GENCT < $ORIGPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -o $GENPT < $GENCT
diff_file $ORIGPT $GENPT "STDIN / FILEOUT enc test (password)"
}
@@ -227,8 +227,8 @@ test_filein_stdout()
diff_file $GENCT $GENCT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "FILEIN / STDOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -e -c "ctr(aes)" --iv $IV -i $ORIGPT > $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s $IV -d -c "ctr(aes)" --iv $IV -i $GENCT > $GENPT
diff_file $ORIGPT $GENPT "FILEIN / STDOUT enc test (password)"
}
@@ -271,8 +271,8 @@ test_filein_fileout()
diff_file $GENCT $GENCT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated CT)"
diff_file $GENPT $GENPT.openssl "FILEIN / FILEOUT enc test ($keysize bits) (openssl generated PT)"
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
- run_app kcapi-enc -q --pbkdfiter 1000 -p "passwd" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -e -c "cbc(aes)" --iv $IV -i $ORIGPT -o $GENCT
+ run_app kcapi-enc -q --pbkdfiter 1000 -p "passwordpassword" -s "123" -d -c "cbc(aes)" --iv $IV -i $GENCT -o $GENPT
diff_file $ORIGPT $GENPT "FILEIN / FILEOUT enc test (password)"
}
diff --git a/test/test.sh b/test/test.sh
index b889335..e07589e 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -450,27 +450,27 @@ PBKDF_exp_7="133a4ce837b4d2521ee2bf03e11c71ca794e0797"
PBKDF_name_8="hmac(sha256)"
PBKDF_salt_8="73616c74"
-PBKDF_pw_8="70617373776f7264"
+PBKDF_pw_8="70617373776f726470617373776f7264"
PBKDF_count_8=4096
-PBKDF_exp_8="c5e478d59288c841aa530db6845c4c8d962893a0"
+PBKDF_exp_8="9cefdbeb6abaaf0e0b6fa3fb5bc9f2b8301d6aca"
PBKDF_name_9="hmac(sha224)"
PBKDF_salt_9="73616c74"
-PBKDF_pw_9="70617373776f7264"
+PBKDF_pw_9="70617373776f726470617373776f7264"
PBKDF_count_9=4096
-PBKDF_exp_9="218c453bf90635bd0a21a75d172703ff6108ef60"
+PBKDF_exp_9="624f7dd223ae0bd8d46a69b27f84e703e7dadd70"
PBKDF_name_10="hmac(sha384)"
PBKDF_salt_10="73616c74"
-PBKDF_pw_10="70617373776f7264"
+PBKDF_pw_10="70617373776f726470617373776f7264"
PBKDF_count_10=4096
-PBKDF_exp_10="559726be38db125bc85ed7895f6e3cf574c7a01c"
+PBKDF_exp_10="2c34a3242a138933c63fce6d827e4acf57ef528d"
PBKDF_name_11="hmac(sha512)"
PBKDF_salt_11="73616c74"
-PBKDF_pw_11="70617373776f7264"
+PBKDF_pw_11="70617373776f726470617373776f7264"
PBKDF_count_11=4096
-PBKDF_exp_11="d197b1b33db0143e018b12f3d1d1479e6cdebdcc"
+PBKDF_exp_11="299ae1f55743f2cb81be4a417b878ab32374660b"
PBKDF_name_12="cmac(aes)"
PBKDF_salt_12="73616c74"
@@ -480,9 +480,9 @@ PBKDF_exp_12="c4c112c6e1e3b8757640603dec78825ff87605a7"
PBKDF_name_13="hmac(sha512)"
PBKDF_salt_13="73616c74"
-PBKDF_pw_13="70617373776f7264"
+PBKDF_pw_13="70617373776f726470617373776f7264"
PBKDF_count_13=4096
-PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5d6883f0be4c24d363b638f4c2f8d917533cd4158937d0b490697a64adadb07f180c323080a7368033eeadf9e612b2e"
+PBKDF_exp_13="299ae1f55743f2cb81be4a417b878ab32374660b17f5b328662e56296582e8a285c307947b41e00fed812c978212394574f57756c481b3d64cc91659f75a468383bcad1e25f2b85c15f8ac7004484889081eb91001b0feab9b12dd51e001491c795bdf45ff880ffe493e7acdd91f1a"
###########################################################################
###########################################################################
@@ -491,9 +491,9 @@ PBKDF_exp_13="d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b514
#RFC 5869 Appendix A vectors
HKDF_name_1="hmac(sha256)"
HKDF_ikm_1="0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"
-HKDF_salt_1="000102030405060708090a0b0c"
+HKDF_salt_1="000102030405060708090a0b0c0d"
HKDF_info_1="f0f1f2f3f4f5f6f7f8f9"
-HKDF_exp_1="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
+HKDF_exp_1="cb95d056d6ba6f084df0a03a3317bcca7f83773204b76f527f4f06736168a52bbcd88869a3a4e7972dcd"
HKDF_name_2="hmac(sha256)"
HKDF_ikm_2="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"
@@ -555,6 +555,11 @@ KPP_exp_2="78fbd4d1ed7ea6fc8f1e1a6f8a5c750845401589ad3c135088b4ec78f54c57b436d1a
###########################################################################
###########################################################################
+is_fips_enabled()
+{
+ test $(cat /proc/sys/crypto/fips_enabled) = "1"
+}
+
# Test required for test with multiple IOVECs on i686
check_memory() {
if [ $(cat /proc/sys/net/core/optmem_max) -lt $1 ]
@@ -576,7 +581,14 @@ check_memory_soft() {
hashfunc()
{
stream=$1
- HASHEXEC="1 2 3 4 5 6 7 8 9"
+
+ if is_fips_enabled; then
+ echo_deact "Hash tests using 3DES are disabled in FIPS"
+ HASHEXEC="2 3 4 5 6 7 8 9"
+ else
+ HASHEXEC="1 2 3 4 5 6 7 8 9"
+ fi
+
for i in $HASHEXEC
do
eval HASH_name=\$HASH_name_$i
@@ -630,7 +642,12 @@ symfunc()
aligned=$3
aiofallback=$4
- SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
+ if is_fips_enabled; then
+ echo_deact "Symmetric tests using 3DES are disabled in FIPS"
+ SYMEXEC="1 2 3 8 9 10 11 12"
+ else
+ SYMEXEC="1 2 3 4 5 6 7 8 9 10 11 12"
+ fi
if [ x"$stream" = x"X" ]
then
@@ -666,7 +683,11 @@ symfunc()
# Disable XTS tests for multi-threading due to the issue
# discussed in https://github.com/smuellerDD/libkcapi/issues/92
- SYMEXEC="1 2 3 4 5 6 7"
+ if is_fips_enabled; then
+ SYMEXEC="1 2 3"
+ else
+ SYMEXEC="1 2 3 4 5 6 7"
+ fi
else
sout="one shot"
fi
@@ -1148,7 +1169,13 @@ pbkdftest()
{
aligned=$1
- PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
+ if is_fips_enabled; then
+ echo_deact "PBKDF tests using SHA1 are disabled in FIPS"
+ PBKDFEXEC="8 9 10 11 12 13"
+ else
+ PBKDFEXEC="1 2 3 4 5 6 7 8 9 10 11 12 13"
+ fi
+
for i in $PBKDFEXEC
do
eval PBKDF_name=\$PBKDF_name_$i
@@ -1185,7 +1212,13 @@ hkdftest()
{
aligned=$1
- HKDFEXEC="1 2 3 4 5 6 7"
+ if is_fips_enabled; then
+ echo_deact "HKDF tests using SHA1 and zero length salts are disabled in FIPS"
+ HKDFEXEC="1 2"
+ else
+ HKDFEXEC="1 2 3 4 5 6 7"
+ fi
+
for i in $HKDFEXEC
do
eval HKDF_name=\$HKDF_name_$i

11
SOURCES/libkcapi-1.3.1.tar.xz.asc
Unescape View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmDttB4ACgkQQh7pNjJq
wVvV4Af/X0t4iZ8ng+AaItGiK3m2Wx1UTJTA1SYTfTTUpENtePKZADG3MX/I5x5N
VVO6CTF6ADZFrwrswP+3KIwZpEsrssTEGZ54G0nLbaHTzyXvE9Ec3CPGECgjZGzM
T0ZGz0XYykWpEVqQDEFKoLs2yK5U/WYHrde5iV9CW2WHK/6VyuRvzAKzh83n5fDg
WlAWGtBQWaGdJAhduLnFx7U7clbpLCuwAZFURWPT1nUamkioT64Io2MfHx+Y9xu+
cLLqpOBDZAk34MDA0i09psyfD+NPjtzn5i3IEZO9rs8CpFuEe+tBpoJdGpROhuz2
9o9G2TEe8khpGuKnkAJ7G60Ggdcnmg==
=e24H
-----END PGP SIGNATURE-----

11
SOURCES/libkcapi-1.4.0.tar.xz.asc
Unescape View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEO8xD1NLIfReEtp7kQh7pNjJqwVsFAmISvaAACgkQQh7pNjJq
wVv6jggAh7UpchOXZ1THbDZ0PE+YGWSr3Y3qKHMls9ixNn/RDSYxPvyZqc6pIAKQ
zVA6bGtB9kqcSexmrk2EyiUYgi1lo+5HwsfAfHBQaq7vD1S8Q/FYx/XVRv2GQfkj
/E1ivlcdcInlpn+vu+7Hei+H/IXtETh8QPwGwRI1Je84pIt7K4K4VPwWpur0su6E
oF1AFT6ldlMczsoDTCi3eP3rZWKvMmX5718W9F6eKuTkKoIiipCUxdMBy4f6YpDB
1ZmQPHjSgG4URlclQnFiGXYAbMBRHYfguJRl/HjZWSQMigRzqGSdvJR8wrfMeQzr
Bk0z0nGayzHgcC7gPz8CsAMJj5C9eQ==
=OA3o
-----END PGP SIGNATURE-----

242
SPECS/libkcapi.spec
Unescape View File

@ -1,7 +1,7 @@
# Shared object version of libkcapi. # Shared object version of libkcapi.
%global vmajor 1 %global vmajor 1
%global vminor 3 %global vminor 4
%global vpatch 1 %global vpatch 0
# Do we build the replacements packages? # Do we build the replacements packages?
%bcond_with replace_coreutils %bcond_with replace_coreutils
@ -26,9 +26,7 @@
%if 0%{?rhel} %if 0%{?rhel}
%bcond_with cppcheck %bcond_with cppcheck
%else %else
# Temporarily disable cppcheck on Fedora until bz#1923600 is fixed in rawhide %bcond_without cppcheck
%bcond_with cppcheck
#bcond_without cppcheck
%endif %endif
# Use `--without test` to build without running the tests # Use `--without test` to build without running the tests
@ -86,8 +84,8 @@
%global hmaccalc_evr 0.9.14-10%{?dist} %global hmaccalc_evr 0.9.14-10%{?dist}
%endif %endif
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac %global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac %global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum fipscheck fipshmac
# On old kernels use mock hashers implemented via openssl # On old kernels use mock hashers implemented via openssl
%if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
@ -106,7 +104,7 @@
%{__arch_install_post} \ %{__arch_install_post} \
%{__os_install_post} \ %{__os_install_post} \
bin_path=%{buildroot}%{_bindir} \ bin_path=%{buildroot}%{_bindir} \
lib_path=%{buildroot}%{_libdir} \ lib_path=%{buildroot}/%{_lib} \
for app in %{apps_hmaccalc}; do \ for app in %{apps_hmaccalc}; do \
test -e "$bin_path"/$app || continue \ test -e "$bin_path"/$app || continue \
{ %sha512hmac "$bin_path"/$app || exit 1; } \\\ { %sha512hmac "$bin_path"/$app || exit 1; } \\\
@ -116,26 +114,31 @@ for app in %{apps_fipscheck}; do \
test -e "$bin_path"/$app || continue \ test -e "$bin_path"/$app || continue \
%fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \ %fipshmac -d "$lib_path"/fipscheck "$bin_path"/$app || exit 1 \
done \ done \
%{_bindir}/hardlink -cfv %{buildroot}%{_bindir} \ %{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
%fipshmac -d "$lib_path"/fipscheck \\\ %fipshmac -d "$lib_path"/fipscheck \\\
"$lib_path"/libkcapi.so.%{version} || exit 1 \ "$lib_path"/libkcapi.so.%{version} || exit 1 \
%{__ln_s} libkcapi.so.%{version}.hmac \\\ %{__ln_s} libkcapi.so.%{version}.hmac \\\
"$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \ "$lib_path"/fipscheck/libkcapi.so.%{vmajor}.hmac \
%{nil} %{nil}
Name: libkcapi Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch} Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 3%{?dist} Release: 2%{?dist}
Summary: User space interface to the Linux Kernel Crypto API Summary: User space interface to the Linux Kernel Crypto API
License: BSD or GPLv2 License: BSD-3-Clause OR GPL-2.0-only
URL: https://www.chronox.de/%{name}.html URL: https://www.chronox.de/%{name}.html
Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz Source0: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc Source1: https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Source2: sha512hmac-openssl.sh Source2: sha512hmac-openssl.sh
Source3: fipshmac-openssl.sh Source3: fipshmac-openssl.sh
Patch1: 0001-Use-GCCs-__symver__-attribute.patch Patch1: 001-tests-kernel-version.patch
Patch2: 002-fips-disable-ansi_cprng.patch
Patch3: 003-zeroize-hasher.patch
Patch4: 004-hasher-target-option.patch
Patch5: 005-fips-mode-tests.patch
BuildRequires: bash BuildRequires: bash
BuildRequires: coreutils BuildRequires: coreutils
@ -156,7 +159,7 @@ BuildRequires: docbook-utils-pdf
BuildRequires: clang BuildRequires: clang
%endif %endif
%if %{with cppcheck} %if %{with cppcheck}
BuildRequires: cppcheck BuildRequires: cppcheck >= 2.4
%endif %endif
# For ownership of %%{_sysctldir}. # For ownership of %%{_sysctldir}.
@ -190,11 +193,7 @@ Header files for applications that use %{name}.
%if %{with doc} %if %{with doc}
%package doc %package doc
Summary: User documentation for the %{name} package Summary: User documentation for the %{name} package
BuildArch: noarch Requires: %{name}%{?_isa} == %{version}-%{release}
# Depend on one of the base packages because they have the license files
# We cannot just bundle them into doc because they might conflict with an
# older or newer version of the base package.
Requires: %{name} == %{version}-%{release}
%description doc %description doc
User documentation for %{name}. User documentation for %{name}.
@ -331,7 +330,7 @@ EOF
%build %build
%configure \ %configure \
--libdir=%{_libdir} \ --libdir=/%{_lib} \
--disable-silent-rules \ --disable-silent-rules \
--enable-kcapi-encapp \ --enable-kcapi-encapp \
--enable-kcapi-dgstapp \ --enable-kcapi-dgstapp \
@ -342,7 +341,7 @@ EOF
--enable-shared \ --enable-shared \
--enable-static \ --enable-static \
--enable-sum-prefix= \ --enable-sum-prefix= \
--enable-sum-dir=%{_libdir} \ --enable-sum-dir=/%{_lib} \
--with-pkgconfigdir=%{_libdir}/pkgconfig --with-pkgconfigdir=%{_libdir}/pkgconfig
%if %{with doc} %if %{with doc}
%make_build all doc %make_build all doc
@ -378,7 +377,8 @@ EOF
%if !%{with replace_coreutils} %if !%{with replace_coreutils}
%{__rm} -f \ %{__rm} -f \
%{buildroot}%{_bindir}/md5sum \ %{buildroot}%{_bindir}/md5sum \
%{buildroot}%{_bindir}/sha*sum %{buildroot}%{_bindir}/sha*sum \
%{buildroot}%{_bindir}/sm*sum
%endif %endif
%if !%{with replace_fipscheck} %if !%{with replace_fipscheck}
@ -387,6 +387,7 @@ EOF
%if !%{with replace_hmaccalc} %if !%{with replace_hmaccalc}
%{__rm} -f %{buildroot}%{_bindir}/sha*hmac %{__rm} -f %{buildroot}%{_bindir}/sha*hmac
%{__rm} -f %{buildroot}%{_bindir}/sm*hmac
%endif %endif
# We don't ship autocrap dumplings. # We don't ship autocrap dumplings.
@ -408,7 +409,7 @@ EOF
# Possibly save some space by hardlinking. # Possibly save some space by hardlinking.
for d in %{_mandir} %{_pkgdocdir}; do for d in %{_mandir} %{_pkgdocdir}; do
%{_bindir}/hardlink -cfv %{buildroot}$d %{_sbindir}/hardlink -cfv %{buildroot}$d
done done
@ -448,10 +449,10 @@ popd
%doc %dir %{_pkgdocdir} %doc %dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README.md %doc %{_pkgdocdir}/README.md
%license COPYING* %license COPYING*
%{_libdir}/%{name}.so.%{vmajor} /%{_lib}/%{name}.so.%{vmajor}
%{_libdir}/%{name}.so.%{version} /%{_lib}/%{name}.so.%{version}
%{_libdir}/fipscheck/%{name}.so.%{vmajor}.hmac /%{_lib}/fipscheck/%{name}.so.%{vmajor}.hmac
%{_libdir}/fipscheck/%{name}.so.%{version}.hmac /%{_lib}/fipscheck/%{name}.so.%{version}.hmac
%if %{with_sysctl_tweak} %if %{with_sysctl_tweak}
%doc %{_pkgdocdir}/README.%{distroname_ext} %doc %{_pkgdocdir}/README.%{distroname_ext}
%{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf %{_sysctldir}/%{sysctl_prio}-%{name}-optmem_max.conf
@ -463,7 +464,7 @@ popd
%doc %{_pkgdocdir}/TODO %doc %{_pkgdocdir}/TODO
%{_includedir}/kcapi.h %{_includedir}/kcapi.h
%{_mandir}/man3/kcapi_*.3.* %{_mandir}/man3/kcapi_*.3.*
%{_libdir}/%{name}.so /%{_lib}/%{name}.so
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
@ -479,25 +480,29 @@ popd
%files checksum %files checksum
%{_bindir}/md5sum %{_bindir}/md5sum
%{_bindir}/sha*sum %{_bindir}/sha*sum
%{_libdir}/fipscheck/md5sum.hmac %{_bindir}/sm*sum
%{_libdir}/fipscheck/sha*sum.hmac /%{_lib}/fipscheck/md5sum.hmac
/%{_lib}/fipscheck/sha*sum.hmac
/%{_lib}/fipscheck/sm*sum.hmac
%endif %endif
%if %{with replace_fipscheck} %if %{with replace_fipscheck}
%files fipscheck %files fipscheck
%{_bindir}/fips* %{_bindir}/fips*
%{_libdir}/fipscheck/fips*.hmac /%{_lib}/fipscheck/fips*.hmac
%endif %endif
%if %{with replace_hmaccalc} %if %{with replace_hmaccalc}
%files hmaccalc %files hmaccalc
%{_bindir}/sha*hmac %{_bindir}/sha*hmac
%{_libdir}/hmaccalc/sha*hmac.hmac %{_bindir}/sm*hmac
/%{_lib}/hmaccalc/sha*hmac.hmac
/%{_lib}/hmaccalc/sm*hmac.hmac
%endif %endif
%files static %files static
%{_libdir}/%{name}.a /%{_lib}/%{name}.a
%files tools %files tools
@ -512,120 +517,89 @@ popd
%changelog %changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.1-3 * Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Backport fixes for kcapi-hasher target option
Related: rhbz#1991688 Related: RHEL-15300
- Fix kcapi tests in FIPS mode
* Thu Jul 15 2021 Simo Sorce <simo@redhat.com> - 1.3.1-2 Resolves: RHEL-2406
- Bring back usage of %{_libdir} instead of /%{_lib}
- Resolves: rhbz#1982620 * Wed Nov 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 1.4.0-1
- Update to new upstream release 1.4.0
* Wed Jul 14 2021 Simo Sorce <simo@redhat.com> - 1.3.1-1 Resolves: RHEL-5366
- Update to new upstream release 1.3.1 - Add a patch to fix auxiliary tests in FIPS mode
- This fixes ABI issues and incorporates previous patches Resolves: RHEL-2406
- Add a patch to zeroize kcapi-hasher for FIPS 140-3
* Mon Jul 12 2021 Simo Sorce <simo@redhat.com> - 1.3.0-1 Resolves: RHEL-15290
- Update to new upstream release 1.3.0 - Add a patch to allow overriding target file in kcapi-hasher
Resolves: RHEL-15300
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.1-3
- Rebuilt for RHEL 9 BETA for openssl 3.0 * Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
Related: rhbz#1971065 - Fix double free issue in hasher()
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.1-2 * Mon May 25 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - [RHEL] Update to upstream version 1.2.0
* Mon Mar 15 2021 Sahana Prasad <sahana@redhat.com> - 1.2.1-1 * Thu Apr 30 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-3
- Update to upstream version 1.2.1 - Enables building on old kernels [sync fix in Fedora from omosnance].
- Remove patch fix MSG_MORE uasge as it is added upstream - This is required for covscans as they run on RHEL7 machines.
- Remove cppcheck dependency for rhel bz#1931518
- Add a patch to fix fuzz tests * Wed Apr 29 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-2
- Drop the license from the doc subpackage to avoid conflicts
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Mon Apr 27 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-1
- [RHEL] Update to upstream version 1.1.5
* Fri Aug 14 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.2.0-3 - [RHEL] Sync with Fedora branch
- Require perl-interpreter instead of full perl
- Backport fix for 5.9 kernels * Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16_1
- [RHEL] Apply 'Add missing dependencies to the tests package'
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-2 - [RHEL] Apply 'Update patch from upstream'
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 25 2020 Sahana Prasad <omosnace@redhat.com> - 1.2.0-1
- Update to upstream version 1.2.0 tracked by BZ 1839592.
- Enable kcapi-enc tests as libkcapi BZ 1826022 is fixed.
- Remove 110-fipshmac-compat.patch as the changes are merged upstream.
- Remove 100-workaround-cppcheck-bug.patch as the changes are merged upstream.
* Tue May 05 2020 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.5-5
- Fix the CI test failures
- Enable building on old kernels
- Avoid conflicts between different versions of packages
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> - 1.1.5-4
- Add . prefix to files created by fipshmac if -d option is not specified
* Wed Apr 22 2020 Sahana Prasad <sahana@redhat.com> - 1.1.5-3
- Disables kcapi-enc tests until the kernel bug bz 1826022 is fixed.
- Produce also the fipscheck replacement package
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Aug 13 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.5-1
- Update to upstream version 1.1.5
* Sat Jul 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-6
- Backport patch to fix test failure on aarch64
- Remove no longer needed ppc64 workaround
* Sat Jul 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-5
- Backport patch to fix tests
* Thu Jul 25 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-4
- Work around cppcheck issue
- Enable gating
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon May 27 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-2
- Fix FTBFS: hardlink is now in bindir
* Sat Feb 02 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.4-1
- Update to upstream version 1.1.4
* Fri Feb 01 2019 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.3-3
- Fix build with new GCC
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Aug 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.3-1
- Update to upstream version 1.1.3
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16 * Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-16
- Add missing dependencies to the tests package - Add missing dependencies to the tests package
- Update patch from upstream - Update patch from upstream
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15_1
- [RHEL] Apply 'Build and tests require perl'
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15 * Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-15
- Build and tests require perl - Build and tests require perl
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14_2
- [RHEL] Re-enable AEAD tests and ignore test result
- [RHEL] Drop the ppc64 ignore-failures workaround
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14_1
- [RHEL] Apply 'Add missing script to the 'tests' package'
* Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14 * Thu Aug 09 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-14
- Add missing script to the 'tests' package - Add missing script to the 'tests' package
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13_1
- [RHEL] Sync with the Fedora branch
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13 * Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-13
- Add missing requires to the 'tests' subpackage - Add missing requires to the 'tests' subpackage
* Wed Aug 08 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12_1
- [RHEL] Sync with the Fedora branch
* Tue Aug 07 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12 * Tue Aug 07 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-12
- Produce a subpackage with test scripts - Produce a subpackage with test scripts
- Build the 'tests' subpackage conditionally - Build the 'tests' subpackage conditionally
* Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11_1
- [RHEL] Sync with the Fedora branch
* Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11 * Wed Aug 01 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-11
- Add patch to fix unwanted closing of FD 0 - Add patch to fix unwanted closing of FD 0
* Tue Jul 31 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-10 * Tue Jul 31 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-10
- Remove the kernel headers workaround - Remove the kernel headers workaround
* Mon Jul 30 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-9_1
- [RHEL] Sync with the Fedora branch
- [RHEL] Rebase the disable-AEAD-tests patch
* Fri Jul 27 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.1.1-9 * Fri Jul 27 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.1.1-9
- Rebuild for new binutils - Rebuild for new binutils
@ -634,10 +608,18 @@ popd
- Add patch to fix AEAD fuzz test for BE arches - Add patch to fix AEAD fuzz test for BE arches
- Fixup specfile - Fixup specfile
* Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7_1
- [RHEL] Sync with the Fedora branch
- [RHEL] Fixup specfile
- [RHEL] Rebase the disable-AEAD-tests patch
* Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7 * Mon Jul 23 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-7
- Add various fixes from upstream - Add various fixes from upstream
- Drop the Requires on kernel package - Drop the Requires on kernel package
* Wed Jul 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3_2
- [RHEL] Temporarily disable AEAD tests
* Mon Jul 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-6 * Mon Jul 16 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-6
- Put .hmac files into a separate directory - Put .hmac files into a separate directory
@ -647,12 +629,28 @@ popd
* Thu Jul 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-4 * Thu Jul 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-4
- Add patch to work around FTBFS on rawhide - Add patch to work around FTBFS on rawhide
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3_1
- [RHEL] Sync with the Fedora branch
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3 * Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-3
- Fix off-by-one error in checkfile parsing - Fix off-by-one error in checkfile parsing
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2_2
- [RHEL] Disable fuzz test
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2_1
- [RHEL] Sync with the Fedora branch
* Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2 * Wed Jul 11 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-2
- Fix command-line parsing in libkcapi-hmaccalc - Fix command-line parsing in libkcapi-hmaccalc
* Tue Jul 10 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1_2
- [RHEL] Work around build failure with new kernel headers
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1_1
- [RHEL] Skip CLang static analysis
- [RHEL] Remove the dependency on kernel package
* Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1 * Mon Jun 18 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.1-1
- Update to upstream version 1.1.1 - Update to upstream version 1.1.1

Write Preview
Loading…
Cancel
Save