commit f4c97f7a9b2f631c90e5ef24dbe76121903f9d00 Author: Adrian Schröter Date: Tue Oct 24 13:47:54 2023 +0200 Sync from SUSE:ALP:Source:Standard:1.0 libica revision 32d5d936009018c2001be56cd661ed55 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..193b56e --- /dev/null +++ b/README.SUSE 
@@ -0,0 +1,331 @@ +The following information was provided to us courtesy of the IBM +testing team, who tested the functionality of apache with mod_ssl +on SUSE LINUX Enterprise Server 9 for S/390 and zSeries. + +It thus refers to testing only from a certain point, and the +z90crypt part is of course specific to S/390 and zSeries. + +------------------------------------------------------------------- +Installation and Configuration of S/390 HW Crypto +on SUSE Linux Enterprise Server 9 for S/390 and zSeries: + +1) Installation of the driver packages openCryptoki and libica + + The driver packages are installed during base install in the + default selection. If you installed only minimal system or + deinstalled the packages, install them now. If the installation + source is accessible, you can do it with a single command: + + 31bit: + yast sw_single openCryptoki openCryptoki-32bit + + 64bit: + yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit + + This will automatically install the necessary libica packages as + well if they are not installed yet. + + +2) Loading the z90crypt driver: + + systemctl start z90crypt to load z90crypt + + systemctl stop z90crypt to unload z90crypt + + this command will be available only after installation of the + crypto driver packages. 
+ + To load the driver automatically at every system boot, integrate it + with the other boot scripts issuing + + systemctl enable z90crypt + + +3) Checking if the z90crypt hardware driver can be accessed + + Run this command: + + openssl speed rsa1024 -engine ibmca -elapsed + + If you get 'can't use that engine', as the first line + of output of the command look for the successive line + and check: + - if running "rcz90crypt restart" gives no error message + - the output of command "dmesg" for error messages from the driver + - the hardware is indeed available to this instance + +4) Installation and Setup of mod_ssl and apache + + a) ensure that mod_ssl and apache are installed during base + install. If the installation source is accessible, + the command + + yast sw_single mod_ssl + + will install apache and mod_ssl if they are not installed yet. + + b) to activate the apache ssl support do the following: + + if you did not use yast to install the packages, you have + to run manually: SuSEconfig --module apache + + edit /etc/sysconfig/apache: + change HTTPD_START_TIMEOUT=2 to 20 + + change HTTPD_SEC_MOD_SSL=no to yes + + edit httpd.conf in /etc/httpd: + + in section 2: check that the ServerName and ServerMail in + the ServerAdmin section is ok. + + in section 3: set inside the + ServerName to host name + + add on section : SSLCryptoDevice ibmca + + run: SuSEconfig --module apache + +5) Crypto configuration of apache/mod_ssl: + + a) create a certificate (Snake Oil) for the TEST --- THIS + CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR + TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A + CERTIFICATION AUTHORITY FOR PRODUCTION USE. + + go to: cd /usr/share/doc/packages/mod_ssl + + run: ./certificate.sh + + see following questions will come up. Give shown answers + and use the pass phrase: + + der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh + SSL Certificate Generation Utility (mkcert.sh) + Copyright (c) 1998 Ralf S. 
Engelschall, All Rights Reserved. + + Generating test certificate signed by Snake Oil CA [TEST] + WARNING: Do not use this for real-life/production systems + + STEP 0: Decide the signature algorithm used for certificate + The generated X.509 CA certificate can contain either + RSA or DSA based ingredients. Select the one you want to use. + Signature Algorithm ((R)SA or (D)SA) [R]:R + + + STEP 1: Generating RSA private key (1024 bit) [server.key] + 123006 semi-random bytes loaded + Generating RSA private key, 1024 bit long modulus + ..++++++ + .................++++++ + e is 65537 (0x10001) + + STEP 2: Generating X.509 certificate signing request + [server.csr] + Using configuration from .mkcert.cfg + You are about to be asked to enter information that will be + incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished + Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + 1. Country Name (2 letter code) [XY]:DE + 2. State or Province Name (full name) [Snake Desert]: + + 3. Locality Name (eg, city) [Snake Town]: + + 4. Organization Name (eg, company) [Snake Oil, Ltd]: + + 5. Organizational Unit Name (eg, section) [Webserver Team]: + + 6. Common Name (eg, FQDN) [www.snakeoil.dom]: + + 7. 
Email Address (eg, name@FQDN) [www@snakeoil.dom]: + + + STEP 3: Generating X.509 certificate signed by Snake Oil CA + [server.crt] + Certificate Version (1 or 3) [3]:3 + Signature ok + subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil, + Ltd/OU=Webserver + Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom + Getting CA Private Key + Verify: matching certificate & key modulus + read RSA key + Verify: matching certificate signature + /etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake + Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil + CA/Email=ca@snakeoil.dom + error 10 at 1 depth lookup:certificate has expired + OK + + STEP 4: Enrypting RSA private key with a pass phrase for + security [server.key] + The contents of the server.key file (the generated private key) + has to be + kept secret. So we strongly recommend you to encrypt the + server.key file + with a Triple-DES cipher and a Pass Phrase. + Encrypt the private key now? [Y/n]: Y + read RSA key + writing RSA key + Enter PEM pass phrase: <=== crypto + Verifying password - Enter PEM pass phrase: <=== crypto + Fine, you're using an encrypted RSA private key. + + RESULT: Server Certification Files + + o conf/ssl.key/server.key + + The PEM-encoded RSA private key file which you + configure with the 'SSLCertificateKeyFile' directive + (automatically done when you install via APACI). KEEP + THIS FILE PRIVATE! + + o conf/ssl.crt/server.crt + + The PEM-encoded X.509 certificate file which you configure + with the 'SSLCertificateFile' directive (automatically done + when you install via APACI). + + o conf/ssl.csr/server.csr + + The PEM-encoded X.509 certificate signing request file + which you can send to an official Certificate Authority + (CA) in order to request a real server certificate + (signed by this CA instead of our demonstration-only + Snake Oil CA) which later can replace the + conf/ssl.crt/server.crt file. 
+ + WARNING: Do not use this for real-life/production systems + + der3gbe:/usr/share/doc/packages/mod_ssl # + +6) Start Apache with SSL + + a) start with pass phrase (Changes done to apache modul + described in item c)). + + run: rcapache start + + dev3fe01:~ # rcapache start + + Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26 + mod_ssl/2.8.10 (Pass Phrase Dialog) + Some of your private key files are encrypted for security + reasons. + In order to read them you have to provide us with the pass + phrases. + + Server dev3fe01.boeblingen.de.ibm.com:443 (RSA) + Enter pass phrase: crypto + + Ok: Pass Phrase Dialog successful. + done + + b) start without pass phrase when using apache without + ssl-support + + remark: You need to change the apache modul (see + item c)). Set the HTTPD_SEC_MOD_SSL=no. + + run: rcapache start + + +7) Check that ibmca is used and apache is working with http and https: + + a) On a browser enter http:// or + https:// + b) with netstat or netstat -a on the apache server machine you + can see if https is used. + c) in the log /var/log/httpd/ssl_engine_log you can see if the + ibmca engine is started or not. + d) during siege test you can see with cat /proc/driver/z90crypt + if and what crypto HW is used + e) you can check a http connection with telnet + http. Then enter + get / http/1.0 + and you should get back some stuff after pressing enter + twice. 
+ + f) You can check if openssl works with the ibmca engine + + a) Therefore you must create certificates: + cd /usr/share/ssl/misc + run: ./CA.sh -newcert + + dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert + Using configuration from /etc/ssl/openssl.cnf + Generating a 1024 bit RSA private key + ......................++++++ + .++++++ + writing new private key to 'newreq.pem' + Enter PEM pass phrase: <== geheim + Verifying password - Enter PEM pass phrase: <== geheim + Verify failure + Enter PEM pass phrase: + Verifying password - Enter PEM pass phrase: + phrase is too short, needs to be at least 4 chars + Enter PEM pass phrase: + Verifying password - Enter PEM pass phrase: + ----- + You are about to be asked to enter information that will be + incorporated + into your certificate request. + What you are about to enter is what is called a + Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + Country Name (2 letter code) [AU]: + <== press enter + State or Province Name (full name) [Some-State]: + <== press enter + Locality Name (eg, city) []: + <== press enter + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + <== press enter + Organizational Unit Name (eg, section) []: + <== press enter + Common Name (eg, YOUR name) []: <== press enter + Email Address []: <== press + enter + Certificate (and private key) is in newreq.pem + + run: ./CA.sh -newca + + dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca + CA certificate filename (or enter to create) + newreq.pem + dev3fe02: + + + b) Use openssl as a Web-browser and use https connection: + openssl s_client \ + -connect :443 -state -debug + + The machine were you start the client is working as + your 'browser' connecting to the webserver. You can + start commands from the client like get / http/1.0 . 
+ + c) Use openssl as a Web-server and use https connection: + openssl s_server \ + -accept 443 -www -engine ibmca -cert newreq.pem + + The machine is working like a small webserver with full + openssl functionality. You can start your browser to + this machine and a lot of info will be sent. + + dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443 + -www -cert newreq.pem -engine ibmca + engine "ibmca" set. + Using default temp DH parameters + Enter PEM pass phrase: <== geheim + ACCEPT + +------------------------------------------------------------------- diff --git a/libica-4.2.3.tar.gz b/libica-4.2.3.tar.gz new file mode 100644 index 0000000..f9252cc --- /dev/null +++ b/libica-4.2.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f45c5797a2ed14629c1f16e7d55e0252477d7fca880bc0427cdd57dcf275019 +size 574727 diff --git a/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch new file mode 100644 index 0000000..1215b49 --- /dev/null +++ b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch 
@@ -0,0 +1,55 @@
+From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Mon, 7 Jun 2021 21:12:01 +0200
+Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
+
+Signed-off-by: Michal Suchanek
+---
+ openssl-fipshmac | 12 ++++++++++++
+ src/Makefile.am | 4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100755 openssl-fipshmac
+
+diff --git a/openssl-fipshmac b/openssl-fipshmac
+new file mode 100755
+index 0000000..60fd505
+--- /dev/null
++++ b/openssl-fipshmac
+@@ -0,0 +1,12 @@
++#!/bin/sh -e
++
++if [ "$#" -eq 0 ] ; then
++ echo "No library to hash specified." >&2
++ exit 22
++fi
++
++while [ -n "$1" ] ; do
++ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
++ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
++ shift
++done
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..2be01a5 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -47,6 +47,7 @@
+ ./mp.pl mp.S
+
+ if ICA_FIPS
++FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
+ fipsinstall:
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+@@ -58,8 +59,7 @@
+ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+
+ hmac-file: libica.la libica-cex.la
+- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
+- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
++ $(AM_V_GEN) $(FIPSHMAC) 
${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
+
+ hmac_files = hmac-file hmac-file-lnk
+
+--
+2.31.1
+
diff --git a/libica-rpmlintrc b/libica-rpmlintrc
new file mode 100644
index 0000000..867c8bd
--- /dev/null
+++ b/libica-rpmlintrc
@@ -0,0 +1,3 @@
+addFilter("libica-tools.* * devel-file-in-non-devel-package * /usr/lib64/libica.so")
+addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica.so.*.hmac")
+addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica-cex.so.*.hmac")
diff --git a/libica-sles15sp5-FIPS-hmac-key.patch b/libica-sles15sp5-FIPS-hmac-key.patch
new file mode 100644
index 0000000..23c6506
--- /dev/null
+++ b/libica-sles15sp5-FIPS-hmac-key.patch
@@ -0,0 +1,15 @@
+--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
++++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
+@@ -65,10 +65,9 @@
+ * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
+ * The known HMAC is supposed to be provided as hex string in a file
+ * .libica.so.VERSION.hmac in the same directory as the .so module.
+- */
++ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
+ static const char hmackey[] =
+- "0000000000000000000000000000000000000000000000000000000000000000"
+- "0000000000000000000000000000000000000000000000000000000000000000";
++ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
+
+ #endif /* ICA_INTERNAL_TEST */
+
diff --git a/libica.changes b/libica.changes
new file mode 100644
index 0000000..b931933
--- /dev/null
+++ b/libica.changes
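Review bot: The new `openssl-fipshmac` script MACs with `-macopt hexkey:00000000`, a four-byte all-zero key, while the libica-sles15sp5-FIPS-hmac-key.patch added by this same commit sets fips.c's `hmackey` to the 32-byte value `6f72626f…7250`; an `.hmac` written by the default script would therefore not match what the patched library computes, and the unchanged `fipsinstall:` target in the Makefile.am hunk carries the same zero key. That only works if the spec file overrides `FIPSHMAC` (possible, since it is `?=`-assigned), which is not visible here; deriving both the script's and the Makefile's key from the one hex string the library embeds would remove the dependency on that override. Two smaller points in the script: `while [ -n "$1" ] ; do` stops silently at the first empty argument, where `while [ "$#" -gt 0 ] ; do` processes every argument, and `#!/bin/sh -e` loses its `-e` when the script is invoked as `sh openssl-fipshmac`, so a `set -e` as the first statement is the reliable form.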
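Review bot: The hmac-key hunk replaces the comment's closing ` */` with ` /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */`, so the block comment that opens above the hunk is still open when that `/*` appears and is only closed by the new line's `*/`; it compiles, but `/*` inside a comment is exactly what GCC's `-Wcomment` (part of `-Wall`) warns about, and the result reads as two comments. Keep ` */` as context and add the note on its own line after it, `/* HMAC key is hexadecimal for: "orboDeJITITejsirpADONivirpUkvarP" */`, which also fixes the "hexidecimal" spelling. The unchanged context line still says the recommended key size for HMAC-SHA256 is 64 bytes, but the new constant is 64 hex digits, i.e. 32 bytes, so either the comment or the key should be brought in line. Since the key is compiled into the library next to the check, the HMAC can detect accidental corruption but not a rewrite by someone who can also rewrite the key; saying so in the comment spares the next reader from assuming otherwise.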
@@ -0,0 +1,795 @@ +------------------------------------------------------------------- +Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 4.2.3 (jsc#PED-5446) + * Add OPENSSL_init_crypto in libica constructor + * Remove deprecated ioctl Z90STAT_STATUS_MASK + * Bug fixes + +------------------------------------------------------------------- +Tue May 23 14:16:42 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276) + - [UPDATE] syslog msgs only in error cases + - [UPDATE] don't count statistics in fips power-on self tests + - [PATCH] various fixes and some new tests + +------------------------------------------------------------------- +Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann + +- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet + +------------------------------------------------------------------- +Thu Apr 27 16:12:06 UTC 2023 - Dominique Leuenberger + +- Prefix /etc/libica with %dir to ensure we don't package + unversioned files in libica4, as otherwise we violate SLPP. + +------------------------------------------------------------------- +Thu Apr 27 14:34:27 UTC 2023 - Otto Hollmann + +- Add /etc/libica directory into %files section. + +------------------------------------------------------------------- +Fri Feb 17 11:08:33 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 4.2.1 (jsc#PED-2872) + - [PATCH] fix regression opening shared memory + +------------------------------------------------------------------- +Mon Jan 16 13:00:34 UTC 2023 - Marcus Meissner + +- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365). 
+ - [FEATURE] Display build info via icainfo -v + - [FEATURE] New API function ica_get_build_version() + - [FEATURE] Display fips indication via icainfo -f + - [FEATURE] New API function ica_get_fips_indicator() + - [FEATURE] New API function ica_aes_gcm_initialize_fips() + - [FEATURE] New API function ica_aes_gcm_kma_get_iv() + - [FEATURE] New API function ica_get_msa_level() + - [PATCH] icainfo: check for malloc error when getting functionlist + +------------------------------------------------------------------- +Tue Oct 11 20:32:12 UTC 2022 - Mark Post + +- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365). + v4.1.1 + - [PATCH] Fix aes-xts multi-part operations + [PATCH] Fix make dist + v4.1.0 + - [FEATURE] FIPS: make libica FIPS 140-3 compliant + [FEATURE] New API function ica_ecdsa_sign_ex() + [FEATURE] New icainfo output option -r + - [PATCH] Various bug fixes +- Removed the following obsolete files: + baselibs.conf + icaioctl.h + +------------------------------------------------------------------- +Mon Sep 12 19:09:59 UTC 2022 - Mark Post + +- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629) + v4.0.3 + - [PATCH] Reduce the number of open file descriptors + - [PATCH] Various bug fixes + v4.0.2 + - [PATCH] Various bug fixes + v4.0.1 + - [PATCH] Various bug fixes + - [PATCH] Compute HMAC from installed library + v4.0.0 + - [UPDATE] NO_SW_FALLBACKS is now the default for libica.so + [UPDATE] Removed deprecated API functions including tests + [UPDATE] Introduced 'const' for some API function parameters + [FEATURE] icastats: new parm -k to display detailed counters +- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated + version named libica-sles15sp5-FIPS-hmac-key.patch. +- Updated the libica-rpmlintrc file to suppress warnings about the + libica-cex hmac files being hidden. +- Updated the spec file to properly both obsolete and provide two + older versions of the package. 
+ +------------------------------------------------------------------- +Tue Oct 19 21:20:22 UTC 2021 - Mark Post + +- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564) + - [FEATURE] Add support for OpenSSL 3.0 + - [FEATURE] icainfo: new parm -c to display available EC curves +- Replaced the obsolete PreReq: %fillup_prereq + with Requires(post): %fillup_prereq + in the spec file. + +------------------------------------------------------------------- +Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek + +- Update to version 3.8.0 (jsc#SLE-18334) + - [FEATURE] provide libica-cex module to satisfy special security requirements + - [FEATURE] FIPS: enforce the HMAC check +- Remove upstreamed patches: + - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch + - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch + - libica-sles15sp2-Zeroize-local-variables.patch +- Remove patches obsoleted by upstrea developent: + * FIPS: Find libica from phdrs. + - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch + * FIPS: enforce the hmac check + - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch +- Fix up tests and hmac generation + + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch +- Remove obsolete attributes from filelists + +------------------------------------------------------------------- +Fri Sep 18 20:59:39 UTC 2020 - Mark Post + +- Upgraded to version 3.7.0 (jsc#SLE-13708) + * Version 3.7.0 + - [FEATURE] FIPS: Add HMAC based library integrity check + - [PATCH] icainfo: bugfix for RSA and EC related info for software column. 
+ - [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests + - [PATCH] FIPS: Fix DES and TDES key length + - [PATCH] icastats: Fix stats counter format + * Version 3.6.1 + - [PATCH] Fix x25519 and x448 handling of non-canonical values +- Removed the following obsolete patches + * libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch + * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch + * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch + * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch + * libica-sles15sp2-Build-with-pthread-flag.patch + * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch + * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch + * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch + +------------------------------------------------------------------- +Tue Sep 15 21:08:38 UTC 2020 - Mark Post + +- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277) + * Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch + * Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch +- Fix FIPS hmac check (bsc#1175356). + * Update FIPS support to upstream + - Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch + from upstream. + - Add libica-sles15sp2-Build-with-pthread-flag.patch + - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch + - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch + - Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch + * FIPS check should fail when hmac is missing + - Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch + - Create an hmac for the selftest + - Check that selftest fails without a hmac + - Hash libica.so.3 rather than libica.so.3.6.0 + * Fix hmac key format. 
It should be hexadecimal, not ASCII + - Refresh libica-sles15sp2-FIPS-hmac-key.patch +- Fix Some internal variables used to store sensitive information + (keys) were not zeroized before returning to the calling application. + (bsc#1175357) + * Added libica-sles15sp2-Zeroize-local-variables.patch +- Updated libica-rpmlintrc to eliminate the warning about the HMAC file + being a hidden file. It is supposed to be hidden. + +------------------------------------------------------------------- +Thu May 7 18:01:31 UTC 2020 - Mark Post + +- Added the following patches for FIPS certification (bsc#1162533) + * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch + * libica-sles15sp2-FIPS-hmac-key.patch +- Added a BuildRequires for the fipscheck package. +- Made a couple of changes to the spec file based upon recommendations + by spec-cleaner. + +------------------------------------------------------------------- +Wed Apr 8 18:55:24 UTC 2020 - Mark Post + +- Added the following patches for FIPS certification. + * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch + (bsc#1166071) Although a DES key has only 56 effective bits, + all 64 bits must be considered, because the parity bits are + spread over all 8 bytes of the key. + * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch + (bsc#1166210) FIPS tests require the output iv to be the iv + resulting from decrypting the last block with a zero iv as input. + * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch + (bsc#1166224) The output from icainfo never shows 'yes' for + RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN, + due to the missing ICA_FLAG_SW flag in the icaList. 
+ +------------------------------------------------------------------- +Thu Nov 14 22:45:16 UTC 2019 - Mark Post + +- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch + (bsc#1156768) + +------------------------------------------------------------------- +Tue Oct 15 18:53:36 UTC 2019 - Mark Post + +- Upgraded to version 3.6.0 (jsc#SLE-7584) + * [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448 + +------------------------------------------------------------------- +Fri Aug 30 21:46:50 UTC 2019 - Mark Post + +- Upgraded to version 3.5.0 (Fate#327840) + - [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify +- Reworked how libica-tools loads and unloads kernel modules to + avoid spurious error messages (bsc#1134004): + * Converted the boot.z90crypt sysV init script to a systemd unit + file. + * Removed any references to insserv in the spec file. + * Updated the z90crypt script itself to properly load and unload + the kernel modules as they exist today. + * Eliminated the obsolete libica-SuSE.tar.bz2 archive. +- Updated the README.SUSE file to reflect the change from sysV init + style script to systemd. +- Made numerous changes to the spec file, based on the output from + the spec-cleaner command. + +------------------------------------------------------------------- +Wed Jul 24 10:09:46 UTC 2019 - Martin Pluskal + +- Run testsuite during build + +------------------------------------------------------------------- +Thu Nov 15 19:16:30 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.4.0 (Fate#325690) + * v3.4.0 + [FEATURE] Add SHA-512/224 and SHA-512/256 support +- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch +- Made numerous updates to spec file based on spec-cleanup run. 
+ +------------------------------------------------------------------- +Wed Nov 14 18:01:37 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.3.3 (Fate#325690) + * v3.3.3 + [PATCH] Various bug fixes + * v3.3.2 + [PATCH] Skip ECC tests if required HW is not available + [PATCH] Update spec file + * v3.3.1 + [PATCH] Fix configure.ac to honour CFLAGS + * v3.3.0 + [FEATURE] Add CEX supported elliptic-curve crypto interfaces + [FEATURE] Add SIMD supported multiple-precision arithmetic interfaces + [FEATURE] Add interface to enable/disable SW fallbacks + [FEATURE] Add 'make check' target, test-suite rework + * v3.2.1 + [FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG. + [PATCH] Various bug fixes. +- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch +- Removed COPYING from %files, since it is no longer in the tarball. +- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch + (bsc#1103493). +- Made multiple changes to the spec file based on the output of + spec-cleaner + +------------------------------------------------------------------- +Mon Oct 22 19:09:13 UTC 2018 - mpost@suse.com + +- Added "Obsoletes: libica-2_3_0" to the libica-tools package to + fix a problem with upgrading from SLES12 SP2 to either SLES12 + SP3/SP4, or SLES15. (bsc#1112655) + +------------------------------------------------------------------- +Tue Sep 11 17:19:57 UTC 2018 - mpost@suse.com + +- Added "Obsoletes: libica2" to the libica-tools package to fix + a problem with upgrading from SLES12 SP2 to either SLES12 + SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638) + +------------------------------------------------------------------- +Wed Apr 18 02:29:29 UTC 2018 - mpost@suse.com + +- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756) +- Updated boot.z90crypt script to fix a problem with the modprobe + command not being found. (bsc#1040229). +- Added "Recommends: libica-tools" (bsc#1046435). 
+ +------------------------------------------------------------------- +Thu Nov 23 13:53:22 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Wed Oct 4 19:22:58 UTC 2017 - mpost@suse.com + +- Added "--enable-fips" to the %configure parms (Fate#324115) + +------------------------------------------------------------------- +Fri Sep 22 21:27:04 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.2 (Fate#321517) + * v3.2.0 + [FEATURE] New AES-GCM interface. + [UPDATE] Add symbol versioning. + * v3.1.1 + [PATCH] Various bug fixes related to old and new AES-GCM implementations. + [UPDATE] Add SHA3 test cases. Improved and extended test suite. + * v3.1.0 + [FEATURE] Add KMA support for AES-GCM. + [FEATURE] Add SHA-3 support. + [PATCH] Reject RSA keys with invalid key-length. + [PATCH] Allow zero output length for ica_random_number_generate. + [PATCH] icastats: Correct owner of shared segment when root creates it. + * Removed the following obsolete patches: + libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch + libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch + libica-3.0.2-03-fix-aes-ctr.patch + libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch + +------------------------------------------------------------------- +Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com + +- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567) + - Added the following patches (bsc#1058567) + - libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch + - libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch + - libica-3.0.2-03-fix-aes-ctr.patch + - libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch + +------------------------------------------------------------------- +Thu Jun 1 14:36:04 UTC 2017 - fcrozat@suse.com + +- baselibs.conf doesn't need any additional provides/conflicts for + libica3. 
+ +------------------------------------------------------------------- +Fri May 12 09:07:34 UTC 2017 - fcrozat@suse.com + +- Update baselibs.conf with proper name for library package name, + stop providing/obsoleting libica-2_1_0/libica-2_3-0. + +------------------------------------------------------------------- +Tue May 9 17:23:11 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.0.2 (Fate#322025). + - v3.0.2 + - Fix locking callbacks for openSSL APIs. + - v3.0.1 + - Fixed msa level detection on zEC/BC12 GA1 and predecessors. + - v3.0.0 + - Added FIPS mode. + - Sanitized exported symbols. + - Removed deprecated APIs. Marked some APIs as deprecated. + - Adapted to OpenSSL v1.1.0. + - RSA key generation is thread-safe now. +- Removed the following obsolete patches: + - fix-initialization-of-s390-hardware-switches-1.patch + - fix-initialization-of-s390-hardware-switches-2.patch + - fix-msa-level-detection.patch + - fix-segfault-during-multithread-keygen.patch + - rng-performance.patch + +------------------------------------------------------------------- +Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com + +- Made the following packaging changes: + - Implemented the shared library packaging guidelines. + - Consolidated double invocation of %setup into just one. + - Dropped redundant %ifarch, the package is already ExclusiveArch. + - Updated descriptions. +- Added an libica-rpmlintrc file. + +------------------------------------------------------------------- +Wed Nov 30 20:04:29 UTC 2016 - mpost@suse.com + +- Added the following two patches: + - fix-segfault-during-multithread-keygen.patch (bsc#991485) + - fix-msa-level-detection.patch (bsc#1010927) + +------------------------------------------------------------------- +Tue Aug 2 16:00:30 UTC 2016 - mpost@suse.com + +- Added rng-performance.patch (bsc#990850). 
+ +------------------------------------------------------------------- +Tue Jun 14 21:03:41 UTC 2016 - mpost@suse.com + +- Updated baselibs.conf to obsolete prior versions of the 32bit + package. (bsc#983897): + provides "libica- = " + obsoletes "libica- < " + provides "libica-2_1_0- = " + obsoletes "libica-2_1_0- < " + provides "libica-2_3_0- = " + obsoletes "libica-2_3_0- < " + +------------------------------------------------------------------- +Wed May 18 16:52:44 UTC 2016 - mpost@suse.com + +- Added fix-initialization-of-s390-hardware-switches-1.patch and + fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548) + +------------------------------------------------------------------- +Mon Feb 22 19:12:49 UTC 2016 - mpost@suse.com + +- Upgraded to version 2.6.2 (FATE#319610). +- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to + naming standards. +- Found the original location of the icaioctl.h file and downloaded + it to replace what we had previously. +- Removed the unnecessary libica2.la file +- Removed unnecessary Requires for glibc-devel +- Added Requires libica2 to the -devel package +- Converted call to configure to %configure macro +- Removed obsolete and unnecessary INSROOT and bindir parameters + from the make install command + +------------------------------------------------------------------- +Fri Nov 6 16:02:05 CET 2015 - pth@suse.de + +- Add Provides/Obsoletes for libica-2_3_0 so that the package from + SLE12 GA is replaced (bsc#953096). 
+ +------------------------------------------------------------------- +Wed Nov 4 10:41:19 UTC 2015 - meissner@suse.com + +- move the .so file to the mainpackage, the openssl-ibmca engine + will only load "libica.so" (bsc#952871) + +------------------------------------------------------------------- +Mon Aug 17 21:04:40 UTC 2015 - jjolly@suse.com + +- Update to libica v2.4.2 (FATE#318035) +- Removed outdated libica-aes_ccm-31-bit-compatibility.patch +- Moved init script into libica-SuSE.tar.bz2 archive + +------------------------------------------------------------------- +Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- +Wed Aug 13 18:01:15 UTC 2014 - jjolly@suse.com + +- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root +- Removed libica-SuSE.tar.bz2 +- z90crypt now starts and stops ap kernel module (bnc#888943) + +------------------------------------------------------------------- +Tue Mar 18 13:21:03 UTC 2014 - jjolly@suse.com + +- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM: + fixed 64/31 bit compatibility + +------------------------------------------------------------------- +Thu Mar 6 14:51:45 CET 2014 - ro@suse.de + +- add obsoletes and provides for older libica versions + +------------------------------------------------------------------- +Wed Mar 5 18:33:02 CET 2014 - ro@suse.de + +- update to 2.3.0 (fate#315342) +- obsolete/upstreamed patches: + libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch + libica-2_1_0-msa4-extension.patch + libica-2_1_0-synchronize_shared_memory_ref_counting.patch + +------------------------------------------------------------------- +Wed Feb 19 06:04:25 UTC 2014 - jjolly@suse.com + +- Added COPYING to %files + +------------------------------------------------------------------- +Tue Feb 18 14:33:13 UTC 2014 - jjolly@suse.com + +- Fixed build dependency errors by requiring autoconf, 
automake + and libtool +- Changed license to CPL-1.0 +- Created devel package + +------------------------------------------------------------------- +Fri Dec 21 14:49:54 UTC 2012 - uli@suse.com + +- Support for MSA4 extension (bnc#794518, fate#314078) + +------------------------------------------------------------------- +Thu Oct 6 10:46:26 UTC 2011 - uli@suse.com + +- synchronize shared memory reference counting for library + statistics (bnc#719659) +- fix temporary buffer allocation in ica_get_version() (bnc#719660) + +------------------------------------------------------------------- +Tue Jun 14 11:50:13 CEST 2011 - uli@suse.de + +- update -> 2.1.0 (fate#311914) + +------------------------------------------------------------------- +Fri Jan 23 22:40:55 CET 2009 - jjolly@suse.de + +- Moved icainfo into /usr/bin (bnc#448643) + +------------------------------------------------------------------- +Tue Jan 13 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Wed Nov 5 01:34:34 CET 2008 - ro@suse.de + +- fix build on all platforms + +------------------------------------------------------------------- +Sun Nov 2 01:56:40 CET 2008 - jjolly@suse.de + +- Added CPL license to include/z90crypt.h, removed GPL reference + (This patch is upstream) + +------------------------------------------------------------------- +Wed Oct 15 15:55:55 CEST 2008 - jjolly@suse.de + +- Changed package name to libica-1_3_9 to conform to rpmlint + requirements. 
(bnc#433432) + +------------------------------------------------------------------- +Thu Sep 25 10:34:00 CEST 2008 - jjolly@suse.de + +- Removed soname filter for rpmlint +- Several RPM fixes to help satisfy rpmlint + +------------------------------------------------------------------- +Fri Sep 12 06:54:16 CEST 2008 - jjolly@suse.de + +- Updated to libica 1.3.9 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Thu Aug 9 19:20:07 CEST 2007 - olh@suse.de + +- remove inclusion of linux/config.h + +------------------------------------------------------------------- +Mon Mar 12 14:02:57 CET 2007 - uli@suse.de + +- z90crypt: handle errors (bug #247799) + +------------------------------------------------------------------- +Mon May 22 08:43:22 CEST 2006 - aj@suse.de + +- Add gcc-c++ to BuildRequires. 
+ +------------------------------------------------------------------- +Fri May 19 16:50:02 CEST 2006 - ro@suse.de + +- fix build for the rest of platforms + +------------------------------------------------------------------- +Fri May 19 15:34:30 CEST 2006 - hare@suse.de + +- Update to libica 1.3.7 (#160036 - LTC22571) + +------------------------------------------------------------------- +Fri Apr 21 14:31:10 CEST 2006 - hare@suse.de + +- Increasing # of open handles with symmetric crypto support + (#165323 - LTC23095) + +------------------------------------------------------------------- +Wed Jan 25 21:37:29 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Dec 14 01:30:49 CET 2005 - ro@suse.de + +- include string.h and unistd.h in icalinux.c + +------------------------------------------------------------------- +Mon Dec 12 15:09:25 CET 2005 - hare@suse.de + +- Port package from SLES9 SP3 +- Update to libica 1.3.6-rc3. + +------------------------------------------------------------------- +Wed Nov 2 16:23:24 CET 2005 - hare@suse.de + +- Close all filehandles (#130060 - LTC19221). 
+ +------------------------------------------------------------------- +Wed Oct 5 14:07:28 CEST 2005 - uli@suse.de + +- downgrade to libica 1.3.6-rc2 (contains AES software fallback, + bug #117336) + +------------------------------------------------------------------- +Thu Sep 29 12:44:50 CEST 2005 - hare@suse.de + +- Update to libica 1.3.6 (#117336) + +------------------------------------------------------------------- +Fri Sep 23 02:05:26 CEST 2005 - ro@suse.de + +- fix implicit declaration + +------------------------------------------------------------------- +Wed Aug 31 13:20:55 CEST 2005 - ihno@suse.de + +- Changing the default value from 0 to -1 in rcz90crypt (#114371) + +------------------------------------------------------------------- +Mon May 23 17:52:05 CEST 2005 - hare@suse.de + +- Finally fix 'reload' messages (#81824 - LTC15733). + +------------------------------------------------------------------- +Fri May 20 12:11:51 CEST 2005 - hare@suse.de + +- Fix sigill patch. + +------------------------------------------------------------------- +Wed May 18 13:17:39 CEST 2005 - hare@suse.de + +- Remove printf output from sigill patch (#81829 - LTC15731). + +------------------------------------------------------------------- +Tue May 10 12:56:38 CEST 2005 - hare@suse.de + +- Use correct default value for z90crypt (#81825 - LTC15732). + +------------------------------------------------------------------- +Mon May 9 14:49:52 CEST 2005 - hare@suse.de + +- Fix messages for 'reload' (#81824 - LTC15733). + +------------------------------------------------------------------- +Tue Feb 8 16:58:02 CET 2005 - hare@suse.de + +- Fixed SIGILL on z900 (#46422). + +------------------------------------------------------------------- +Fri Jul 23 10:06:08 CEST 2004 - hare@suse.de + +- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005). 
+ +------------------------------------------------------------------- +Wed Jul 14 08:22:27 CEST 2004 - hare@suse.de + +- Fix module loading error (#42006). +- Add sysconfig variable to set the 'domain' parameter (#42005). + +------------------------------------------------------------------- +Wed Jun 23 12:58:58 CEST 2004 - uli@suse.de + +- update -> 1.3.5-3 (bug #42122) + +------------------------------------------------------------------- +Mon May 24 18:28:27 CEST 2004 - bk@suse.de + +- Update README.SuSE and correct name as well +- Use modprobe instead of insmod and fix module load error(#40526) +- Fix error checking for no hardware found case and hw error on load + +------------------------------------------------------------------- +Fri May 7 15:15:17 CEST 2004 - hare@suse.de + +- Update Readme again for the correct name (SUSE LINUX Server). +- Moved README.SuSE to README.SUSE. + +------------------------------------------------------------------- +Fri May 7 15:00:51 CEST 2004 - hare@suse.de + +- Update Readme to refer to the correct name (SUSE Linux Server). + +------------------------------------------------------------------- +Thu May 6 09:01:53 CEST 2004 - hare@suse.de + +- Update to 1.3.5-2 (#38511, #39693). +- Update Readme to refer to SUSE Linux Server instead of + SuSE Linux Enterprise Server. 
+ +------------------------------------------------------------------- +Thu Apr 1 09:50:02 CEST 2004 - hare@suse.de + +- Update to 1.3.5 +- export CFLAGS & CPPFLAGS for configure +- Exclude S/390-specific files for other archs (#37183) + +------------------------------------------------------------------- +Fri Jan 16 01:29:03 CET 2004 - ro@suse.de + +- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS + +------------------------------------------------------------------- +Tue Jan 13 10:00:42 CET 2004 - adrian@suse.de + +- fix build + +------------------------------------------------------------------- +Sun Jan 11 21:07:44 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Wed Jul 30 18:14:08 CEST 2003 - poeml@suse.de + +- update to 1.3.4 + +------------------------------------------------------------------- +Sun Jul 27 16:37:20 CEST 2003 - poeml@suse.de + +- update to 1.3.2 + +------------------------------------------------------------------- +Fri Jul 11 11:30:22 CEST 2003 - poeml@suse.de + +- update to 1.3.1: + now supports DES, TDES and SHA, as well as RSA. +- throw libica.patch away, since autoversion and Makefile.am have + similar changes now, and the renaming from _LINUX_S390_ to + __s390__ is not really necessary +- use %defattr +- checked that icaioctl.h is still current +- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone + open source meanwhile and comes with the kernel sources + +------------------------------------------------------------------- +Thu Oct 31 10:45:00 CET 2002 - froh@suse.de + +- added documentation how to set up crypto hardware support, + esp. S/390 and zSeries. (#16011, #22056) + +------------------------------------------------------------------- +Thu Oct 10 11:07:07 CEST 2002 - froh@suse.de + +- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5 + actually work. 
(#20737) + +------------------------------------------------------------------- +Tue Aug 20 10:52:45 CEST 2002 - mmj@suse.de + +- Correct PreReq + +------------------------------------------------------------------- +Wed Jul 31 15:00:23 CEST 2002 - froh@suse.de + +- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and + to build on non-s390 + +------------------------------------------------------------------- +Tue Jul 30 10:56:33 CEST 2002 - froh@suse.de + +- updated to current libica +- hacked in icaioctl.h for build, 'til we have the module in the + kernel. + +------------------------------------------------------------------- +Sat Jul 27 16:16:35 CEST 2002 - adrian@suse.de + +- add %run_ldconfig + +------------------------------------------------------------------- +Tue May 7 14:27:50 CEST 2002 - ro@suse.de + +- fix for current automake/autoconf + +------------------------------------------------------------------- +Sat Apr 27 11:12:11 CEST 2002 - ro@suse.de + +- removed old fillup-template and START_ variable + +------------------------------------------------------------------- +Wed Mar 27 17:58:50 CET 2002 - ihno@suse.de + +- modified etc/init.d/z90crypt-script to report result at start. + +------------------------------------------------------------------- +Tue Feb 5 11:01:16 CET 2002 - froh@suse.de + +- Added openssl to #neededforbuild, which is needed in addition to + openssl-devel + +------------------------------------------------------------------- +Wed Jan 30 16:20:48 CET 2002 - froh@suse.de + +- initial version + +------------------------------------------------------------------- diff --git a/libica.spec b/libica.spec new file mode 100644 index 0000000..5ca5cb2 --- /dev/null +++ b/libica.spec 
@@ -0,0 +1,204 @@
+#
+# spec file for package libica
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+
+Name: libica
+Version: 4.2.3
+Release: 0
+Summary: Library interface for the IBM Cryptographic Accelerator device driver
+License: CPL-1.0
+Group: Hardware/Other
+URL: https://github.com/opencryptoki/libica
+Source: https://github.com/opencryptoki/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: sysconfig.z90crypt
+Source3: z90crypt
+Source4: z90crypt.service
+Source5: %{name}-rpmlintrc
+Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+Patch99: libica-sles15sp5-FIPS-hmac-key.patch
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: fipscheck
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: openssl
+BuildRequires: openssl-devel
+Requires(post): %fillup_prereq
+ExclusiveArch: s390 s390x
+
+%description
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+%package -n libica4
+Summary: Library interface for the IBM Cryptographic Accelerator
+Group: System/Libraries
+Recommends: libica-tools
+
+%description -n libica4
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+%package tools
+Summary: Utilities for the IBM Cryptographic Accelerator
+Group: Hardware/Other
+Obsoletes: libica < %{version}-%{release}
+Obsoletes: libica-2_3_0 < %{version}-%{release}
+Obsoletes: libica2 < %{version}-%{release}
+Obsoletes: libica3 < %{version}-%{release}
+Provides: libica = %{version}-%{release}
+Provides: libica-2_3_0 = %{version}-%{release}
+Provides: libica-plugin = %{version}-%{release}
+Provides: libica2 = %{version}-%{release}
+Provides: libica3 = %{version}-%{release}
+
+%description tools
+This package contains command-line utilities to inspect the IBM
+eServer Cryptographic Accelerator (ICA).
+
+%package devel
+Summary: Development files for the ICA device driver interface library
+Group: Development/Libraries/C and C++
+Requires: libica4 = %{version}
+Requires: libopenssl-devel
+Obsoletes: libica-2_1_0-devel < %{version}-%{release}
+Provides: libica-2_1_0-devel = %{version}-%{release}
+Obsoletes: libica-2_3_0-devel < %{version}-%{release}
+Provides: libica-2_3_0-devel = %{version}-%{release}
+
+%description devel
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+This subpackage contains the necessary files to compile and link
+using the libica library.
+
+%package devel-static
+Summary: Static Development files for the ICA device driver interface library
+Group: Development/Libraries/C and C++
+Requires: libica-devel
+
+%description devel-static
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+This RPM contains all the tools necessary to compile and link using
+the libica library.
+
+%prep
+%autosetup -p 1
+
+%build
+autoreconf --force --install
+%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
+ --enable-fips
+
+%make_build clean
+%make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release"
+
+%define major %(echo %{version} | sed -e 's/[.].*//')
+
+%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
+
+%install
+%make_install FIPSHMAC=fipshmac
+make fipsinstall FIPSHMAC=fipshmac DESTDIR=%{buildroot}
+mkdir -p %{buildroot}%{_includedir}
+cp -p include/ica_api.h %{buildroot}%{_includedir}
+mkdir -p %{buildroot}%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
+install -D %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
+install -D %{SOURCE3} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
+install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
+# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
+# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
+# and the dangling symlink test would fail
+chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
+
+cp -a %{SOURCE1} .
+rm -vf %{buildroot}%{_libdir}/libica*.la
+rm -f %{buildroot}%{_datadir}/doc/libica/*
+rmdir %{buildroot}%{_datadir}/doc/libica
+rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
+rmdir %{buildroot}/%{_sysconfdir}/libica
+
+%check
+%make_build check FIPSHMAC=fipshmac
+
+%pre tools
+%service_add_pre z90crypt.service
+
+%post tools
+%service_add_post z90crypt.service
+%{fillup_only -n z90crypt}
+
+%preun tools
+%service_del_preun z90crypt.service
+
+%postun tools
+%service_del_postun z90crypt.service
+
+%post -n libica4 -p /sbin/ldconfig
+%postun -n libica4 -p /sbin/ldconfig
+
+%files -n libica4
+%{_libdir}/libica.so.%{version}
+%{_libdir}/libica.so.%{major}
+%{_libdir}/.libica.so.%{version}.hmac
+%{_libdir}/.libica.so.%{major}.hmac
+%{_libdir}/libica-cex.so.%{version}
+%{_libdir}/libica-cex.so.%{major}
+%{_libdir}/.libica-cex.so.%{version}.hmac
+%{_libdir}/.libica-cex.so.%{major}.hmac
+
+%files tools
+%license LICENSE
+%doc README.SUSE
+%{_sbindir}/rcz90crypt
+%attr(644,root,root) %{_fillupdir}/sysconfig.z90crypt
+%{_bindir}/icainfo
+%{_bindir}/icainfo-cex
+%{_bindir}/icastats
+%{_mandir}/man1/icainfo.1%{?ext_man}
+%{_mandir}/man1/icainfo-cex.1%{?ext_man}
+%{_mandir}/man1/icastats.1%{?ext_man}
+%dir %{_prefix}/lib/systemd/scripts
+%{_prefix}/lib/systemd/scripts/z90crypt
+%{_prefix}/lib/systemd/system/z90crypt.service
+# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
+%{_libdir}/libica.so
+
+%files devel
+%{_includedir}/ica_api.h
+%{_libdir}/libica-cex.so
+
+%files devel-static
+%{_libdir}/libica.a
+%{_libdir}/libica-cex.a
+
+%changelog
diff --git a/sysconfig.z90crypt b/sysconfig.z90crypt
new file mode 100644
index 0000000..a0d5a1a
--- /dev/null
+++ b/sysconfig.z90crypt
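Review bot: `Requires(post): %fillup_prereq` is declared in the main-package preamble, but the spec has no `%files` section for the main `libica` package, so that package is never produced and the dependency is never emitted; the scriptlet that actually needs it is `%post tools` (`%{fillup_only -n z90crypt}`), so the line belongs under `%package tools` as `Requires(post): %fillup_prereq`. The `%service_add_pre` through `%service_del_postun` calls in the tools scriptlets likewise have no matching `%{?systemd_ordering}` (or `%{?systemd_requires}`) in that subpackage, so install ordering against systemd is left to whatever the build environment happens to provide. A one-line comment above `rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf` stating why the upstream FIPS OpenSSL config is deliberately not shipped would keep the next maintainer from re-adding it.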
@@ -0,0 +1,10 @@
+## Path: Kernel/z90Crypt
+## Description: Set domain parameter for z90crypt
+## Type: integer(-1:15)
+## Default: -1
+#
+# This variable selects the crypto domain to be used,
+# required if an LPAR owns several crypto domains.
+# The value of -1 is used for autodetect.
+#
+Z90CRYPT_DOMAIN=-1
diff --git a/z90crypt b/z90crypt
new file mode 100644
index 0000000..d0f36bb
--- /dev/null
+++ b/z90crypt
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+MODULE_LIST="pkey zcrypt_pcixcc zcrypt_cex2a zcrypt_cex4 zcrypt rng_core"
+case "${1}" in
+ start) for module in ${MODULE_LIST}
+ do if ! grep -q ^{$module} /proc/modules ; then
+ modprobe ${module}
+ fi
+ done
+ ;;
+ stop) for module in ${MODULE_LIST}
+ do if grep -q ^${module} /proc/modules ; then
+ rmmod ${module}
+ fi
+ done
+ ;;
+esac
diff --git a/z90crypt.service b/z90crypt.service
new file mode 100644
index 0000000..ed8c96c
--- /dev/null
+++ b/z90crypt.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Activate any cryptographic hardware
+After=systemd-modules-load.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStart=/usr/lib/systemd/scripts/z90crypt start
+ExecStop=/usr/lib/systemd/scripts/z90crypt stop
+
+[Install]
+WantedBy=default.target
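Review bot: The `start` branch's `grep -q ^{$module} /proc/modules` has the braces around the wrong token: it expands to e.g. `^{pkey}`, which never matches a `/proc/modules` line, so the guard is dead and `modprobe` runs for every module on each start (the `stop` branch uses the intended `^${module}`). Both tests also match on prefix, so `^zcrypt` succeeds when only `zcrypt_cex4` is loaded; `grep -q "^${module} " /proc/modules` (trailing space, quoted) pins the match to the exact module name in both branches. `sysconfig.z90crypt` in the preceding hunk installs `Z90CRYPT_DOMAIN` with a documented range, but this script never reads it, so the setting has no effect on what is loaded here; either consume it in this script or add a comment to the sysconfig template stating where the variable is read.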