Sync from SUSE:SLFO:Main libica revision 007856dc96855ffbb0340483bbfe8316
This commit is contained in:
parent
5420e6763e
commit
e220c863bf
@ -0,0 +1,28 @@
|
|||||||
|
From 0a7e4c34a0cc58e1242d4b131e9c224736eadef2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Mon, 28 Oct 2024 13:04:19 +0100
|
||||||
|
Subject: [PATCH] fips update: remove sigVer from fips ECDSA kat
|
||||||
|
|
||||||
|
From https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-capabilities.adoc
|
||||||
|
"The 'componentTest' property is only valid for detECDSA / sigGen / FIPS186-5 and
|
||||||
|
ECDSA / sigGen / * registrations." i.e., only ECDSA sigGen component can be tested.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
---
|
||||||
|
src/fips.c | 3 ---
|
||||||
|
1 file changed, 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/fips.c b/src/fips.c
|
||||||
|
index 4d1db07..3c26043 100644
|
||||||
|
--- a/src/fips.c
|
||||||
|
+++ b/src/fips.c
|
||||||
|
@@ -1240,9 +1240,6 @@ ecdsa_kat(void)
|
||||||
|
/* adapter handle not needed here, just CPACF */
|
||||||
|
rc = ica_ecdsa_sign_ex_internal(0, eckey, tv->hash, tv->hashlen,
|
||||||
|
sigbuf, tv->siglen, tv->k);
|
||||||
|
- if (rc)
|
||||||
|
- goto _err_;
|
||||||
|
- rc = ica_ecdsa_verify(0, eckey, tv->hash, tv->hashlen, sigbuf, tv->siglen);
|
||||||
|
if (rc)
|
||||||
|
goto _err_;
|
||||||
|
if (memcmp(sigbuf, tv->sig, tv->siglen) != 0) {
|
@ -0,0 +1,292 @@
|
|||||||
|
From 86c400a516a23ce807c1b7a5a3dec3c0ef441733 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Mon, 28 Oct 2024 13:44:11 +0100
|
||||||
|
Subject: [PATCH] fips update: Change service indicator implementation
|
||||||
|
|
||||||
|
Perform checks for non-approved algorithms / parameters directly into the
|
||||||
|
APIs that perform the services. Especially, indicate that using an external
|
||||||
|
GCM iv in fips mode is non-compliant, but on the exception list.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
---
|
||||||
|
src/ica_api.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
src/icainfo.c | 1 +
|
||||||
|
src/include/fips.h | 7 ++++--
|
||||||
|
3 files changed, 59 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/ica_api.c b/src/ica_api.c
|
||||||
|
index 0826af8..e0f6c43 100644
|
||||||
|
--- a/src/ica_api.c
|
||||||
|
+++ b/src/ica_api.c
|
||||||
|
@@ -94,7 +94,12 @@ int ica_external_gcm_iv_in_fips_mode_allowed = 0;
|
||||||
|
|
||||||
|
void ica_allow_external_gcm_iv_in_fips_mode(int allow)
|
||||||
|
{
|
||||||
|
+#ifdef ICA_FIPS
|
||||||
|
+ if (!fips_approved(AES_GCM_EXT_IV) && !fips_override(AES_GCM_EXT_IV))
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
ica_external_gcm_iv_in_fips_mode_allowed = allow ? 1 : 0;
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@@ -399,6 +404,8 @@ unsigned int ica_sha1(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA1) && !fips_override(SHA1))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -454,6 +461,8 @@ unsigned int ica_sha224(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA224) && !fips_override(SHA224))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -501,6 +510,8 @@ unsigned int ica_sha256(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA256) && !fips_override(SHA256))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -548,6 +559,8 @@ unsigned int ica_sha384(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA384) && !fips_override(SHA384))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -596,6 +609,8 @@ unsigned int ica_sha512(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA512) && !fips_override(SHA512))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -644,6 +659,8 @@ unsigned int ica_sha512_224(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA512_224) && !fips_override(SHA512_224))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -692,6 +709,8 @@ unsigned int ica_sha512_256(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA512_256) && !fips_override(SHA512_256))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -740,6 +759,8 @@ unsigned int ica_sha3_224(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA3_224) && !fips_override(SHA3_224))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -787,6 +808,8 @@ unsigned int ica_sha3_256(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA3_256) && !fips_override(SHA3_256))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -834,6 +857,8 @@ unsigned int ica_sha3_384(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA3_384) && !fips_override(SHA3_384))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -882,6 +907,8 @@ unsigned int ica_sha3_512(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHA3_512) && !fips_override(SHA3_512))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -931,6 +958,8 @@ unsigned int ica_shake_128(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHAKE128) && !fips_override(SHAKE128))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -986,6 +1015,8 @@ unsigned int ica_shake_256(unsigned int message_part,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(SHAKE256) && !fips_override(SHAKE256))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -1052,6 +1083,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
if (public_key->key_length != private_key->key_length)
|
||||||
|
@@ -1094,6 +1127,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
if (public_key->key_length != private_key->key_length)
|
||||||
|
@@ -1130,6 +1165,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -1193,6 +1230,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check if p > q */
|
||||||
|
@@ -1266,6 +1305,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
/* check for obvious errors in parms */
|
||||||
|
@@ -1337,6 +1378,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return NULL;
|
||||||
|
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
||||||
|
+ return EPERM;
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
|
||||||
|
@@ -1375,6 +1418,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
||||||
|
+ return EPERM;
|
||||||
|
if (fips & ICA_FIPS_MODE) {
|
||||||
|
if (!curve_supported_via_openssl(key->nid) ||
|
||||||
|
!curve_supported_via_cpacf(key->nid)) {
|
||||||
|
@@ -1421,6 +1466,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
||||||
|
+ return EPERM;
|
||||||
|
if (fips & ICA_FIPS_MODE) {
|
||||||
|
if (!curve_supported_via_openssl(key->nid) ||
|
||||||
|
!curve_supported_via_cpacf(key->nid))
|
||||||
|
@@ -1494,6 +1541,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
|
||||||
|
+ return EPERM;
|
||||||
|
if (fips & ICA_FIPS_MODE) {
|
||||||
|
if (!curve_supported_via_openssl(privkey_A->nid) ||
|
||||||
|
!curve_supported_via_cpacf(privkey_A->nid))
|
||||||
|
@@ -1563,6 +1612,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
|
||||||
|
+ return EPERM;
|
||||||
|
if (fips & ICA_FIPS_MODE) {
|
||||||
|
if (!curve_supported_via_openssl(privkey->nid) ||
|
||||||
|
!curve_supported_via_cpacf(privkey->nid))
|
||||||
|
@@ -1654,6 +1705,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
if (fips >> 1)
|
||||||
|
return EACCES;
|
||||||
|
+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
|
||||||
|
+ return EPERM;
|
||||||
|
if (fips & ICA_FIPS_MODE) {
|
||||||
|
if (!curve_supported_via_openssl(pubkey->nid) ||
|
||||||
|
!curve_supported_via_cpacf(pubkey->nid))
|
||||||
|
diff --git a/src/icainfo.c b/src/icainfo.c
|
||||||
|
index 608994f..b18cbfa 100644
|
||||||
|
--- a/src/icainfo.c
|
||||||
|
+++ b/src/icainfo.c
|
||||||
|
@@ -556,6 +556,7 @@ void print_fips_indicator(void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ printf(" GCM ext iv | - | - | - \n");
|
||||||
|
printf("------------------------------------------------------\n");
|
||||||
|
|
||||||
|
done:
|
||||||
|
diff --git a/src/include/fips.h b/src/include/fips.h
|
||||||
|
index c0af6b6..ec7f2c9 100644
|
||||||
|
--- a/src/include/fips.h
|
||||||
|
+++ b/src/include/fips.h
|
||||||
|
@@ -65,6 +65,8 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv,
|
||||||
|
unsigned char *ucb, unsigned char *subkey,
|
||||||
|
unsigned int direction);
|
||||||
|
|
||||||
|
+#define AES_GCM_EXT_IV 73
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* List of non-fips-approved algorithms
|
||||||
|
*/
|
||||||
|
@@ -73,14 +75,15 @@ static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
|
||||||
|
DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
|
||||||
|
DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
|
||||||
|
ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE,
|
||||||
|
- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG };
|
||||||
|
+ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, AES_GCM_EXT_IV };
|
||||||
|
static const size_t FIPS_BLACKLIST_LEN
|
||||||
|
= sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* FIPS service indicator: List of tolerated but non-approved algorithms.
|
||||||
|
*/
|
||||||
|
-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG };
|
||||||
|
+static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG,
|
||||||
|
+ AES_GCM_EXT_IV };
|
||||||
|
static const size_t FIPS_OVERRIDE_LIST_LEN
|
||||||
|
= sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
From 6823004d49fad72ccc5a8933cbf8443f08371584 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Wed, 6 Nov 2024 13:12:11 +0100
|
||||||
|
Subject: [PATCH] fips update: Dynamically update service indicator based on IV
|
||||||
|
usage
|
||||||
|
|
||||||
|
Fix handling to differentiate if the call to AES-GCM encryption API was approved
|
||||||
|
or not. If the IV was set externally, it's non-approved, otherwise with internal
|
||||||
|
IV it's approved.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
---
|
||||||
|
src/s390_crypto.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
|
||||||
|
index 623864b..29f2b29 100644
|
||||||
|
--- a/src/s390_crypto.c
|
||||||
|
+++ b/src/s390_crypto.c
|
||||||
|
@@ -30,6 +30,8 @@
|
||||||
|
#include "init.h"
|
||||||
|
#include "s390_crypto.h"
|
||||||
|
|
||||||
|
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
|
||||||
|
+
|
||||||
|
unsigned long long facility_bits[3];
|
||||||
|
unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
|
||||||
|
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
|
||||||
|
@@ -814,6 +816,15 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
|
||||||
|
indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
|
||||||
|
indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);
|
||||||
|
indicator_list[i].fips_override = fips_override(icaList[i].mech_mode_id);
|
||||||
|
+ if (icaList[i].mech_mode_id == AES_GCM || icaList[i].mech_mode_id == AES_GCM_KMA) {
|
||||||
|
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
|
||||||
|
+ indicator_list[i].fips_approved = 0;
|
||||||
|
+ indicator_list[i].fips_override = 1;
|
||||||
|
+ } else {
|
||||||
|
+ indicator_list[i].fips_approved = 1;
|
||||||
|
+ indicator_list[i].fips_override = 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
@ -0,0 +1,94 @@
|
|||||||
|
From 9e1582dd059d69c86b6f323fadd87956b6034aab Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Wed, 6 Nov 2024 13:17:54 +0100
|
||||||
|
Subject: [PATCH] fips update: provide test for dynamic service indicator
|
||||||
|
|
||||||
|
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
|
||||||
|
API to allow and forbid an external GCM IV. Depending on whether the application
|
||||||
|
allows or forbids external IVs, the service indicator changes dynamically.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
---
|
||||||
|
test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 62 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/test/fips_test.c b/test/fips_test.c
|
||||||
|
index 2bd3d40..873c4b0 100644
|
||||||
|
--- a/test/fips_test.c
|
||||||
|
+++ b/test/fips_test.c
|
||||||
|
@@ -13,6 +13,64 @@
|
||||||
|
|
||||||
|
#define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
|
||||||
|
|
||||||
|
+#ifdef ICA_FIPS
|
||||||
|
+static int test_gcm_iv_usage(void)
|
||||||
|
+{
|
||||||
|
+ libica_fips_indicator_element *fips_list = NULL;
|
||||||
|
+ unsigned int rc, i, fips_len, allow;
|
||||||
|
+ unsigned int approved_expected, override_expected;
|
||||||
|
+
|
||||||
|
+ for (allow = 0; allow < 2; allow++) {
|
||||||
|
+
|
||||||
|
+ approved_expected = allow == 1 ? 0 : 1;
|
||||||
|
+ override_expected = allow == 1 ? 1 : 0;
|
||||||
|
+
|
||||||
|
+ /* Check allowance of an external iv in fips mode */
|
||||||
|
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
|
||||||
|
+
|
||||||
|
+ /* Get fips indicator list */
|
||||||
|
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
|
||||||
|
+ printf("get_fips_indicator failed\n");
|
||||||
|
+ rc = EXIT_FAILURE;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
|
||||||
|
+ if (!fips_list) {
|
||||||
|
+ printf("malloc fips_indicator list failed\n");
|
||||||
|
+ rc = EXIT_FAILURE;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
|
||||||
|
+ printf("ica_get_fips_indicator failed\n");
|
||||||
|
+ free(fips_list);
|
||||||
|
+ rc = EXIT_FAILURE;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < fips_len; i++) {
|
||||||
|
+ if (fips_list[i].mech_mode_id == AES_GCM ||
|
||||||
|
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
|
||||||
|
+ if (fips_list[i].fips_approved != approved_expected ||
|
||||||
|
+ fips_list[i].fips_override != override_expected) {
|
||||||
|
+ rc = EXIT_FAILURE;
|
||||||
|
+ free(fips_list);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(fips_list);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = 0;
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+#endif /* ICA_FIPS */
|
||||||
|
+
|
||||||
|
int
|
||||||
|
main(void)
|
||||||
|
{
|
||||||
|
@@ -68,6 +126,10 @@ main(void)
|
||||||
|
printf("Libica FIPS integrity check failed.\n");
|
||||||
|
rv = EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
+ if (test_gcm_iv_usage()) {
|
||||||
|
+ printf("Libica FIPS gcm iv usage check failed.\n");
|
||||||
|
+ rv = EXIT_FAILURE;
|
||||||
|
+ }
|
||||||
|
#endif /* ICA_FIPS */
|
||||||
|
|
||||||
|
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
|
BIN
libica-4.2.3.tar.gz
(Stored with Git LFS)
BIN
libica-4.2.3.tar.gz
(Stored with Git LFS)
Binary file not shown.
BIN
libica-4.3.1.tar.gz
(Stored with Git LFS)
Normal file
BIN
libica-4.3.1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,3 +1,24 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 6 13:40:24 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Applied additional patches (bsc#1231302)
|
||||||
|
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
|
||||||
|
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 5 11:51:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
|
||||||
|
* Various bug fixes and housekeeping
|
||||||
|
*** libica version 4.3.0
|
||||||
|
* New API function ica_allow_external_gcm_iv_in_fips_mode
|
||||||
|
* Bug fixes
|
||||||
|
- Amended the .spec file (bsc#1231999)
|
||||||
|
* Replaced Recommends libica-tools with Requires
|
||||||
|
- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
|
||||||
|
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
|
||||||
|
* libica-02-fips-update-Change-service-indicator-implementation.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
20
libica.spec
20
libica.spec
@ -22,7 +22,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: libica
|
Name: libica
|
||||||
Version: 4.2.3
|
Version: 4.3.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
||||||
License: CPL-1.0
|
License: CPL-1.0
|
||||||
@ -34,8 +34,15 @@ Source2: sysconfig.z90crypt
|
|||||||
Source3: z90crypt
|
Source3: z90crypt
|
||||||
Source4: z90crypt.service
|
Source4: z90crypt.service
|
||||||
Source5: %{name}-rpmlintrc
|
Source5: %{name}-rpmlintrc
|
||||||
|
###
|
||||||
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||||
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
|
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
|
||||||
|
###
|
||||||
|
Patch110: libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
|
||||||
|
Patch111: libica-02-fips-update-Change-service-indicator-implementation.patch
|
||||||
|
Patch112: libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
|
||||||
|
Patch113: libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
|
||||||
|
###
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -55,7 +62,8 @@ modules to interface with the IBM eServer Cryptographic Accelerator
|
|||||||
%package -n libica4
|
%package -n libica4
|
||||||
Summary: Library interface for the IBM Cryptographic Accelerator
|
Summary: Library interface for the IBM Cryptographic Accelerator
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
Recommends: libica-tools
|
# Recommends: libica-tools
|
||||||
|
Requires: libica-tools
|
||||||
|
|
||||||
%description -n libica4
|
%description -n libica4
|
||||||
This package contains the interface library routines used by IBM
|
This package contains the interface library routines used by IBM
|
||||||
@ -144,8 +152,8 @@ cp -a %{SOURCE1} .
|
|||||||
rm -vf %{buildroot}%{_libdir}/libica*.la
|
rm -vf %{buildroot}%{_libdir}/libica*.la
|
||||||
rm -f %{buildroot}%{_datadir}/doc/libica/*
|
rm -f %{buildroot}%{_datadir}/doc/libica/*
|
||||||
rmdir %{buildroot}%{_datadir}/doc/libica
|
rmdir %{buildroot}%{_datadir}/doc/libica
|
||||||
rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
|
# rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
|
||||||
rmdir %{buildroot}/%{_sysconfdir}/libica
|
# rmdir %{buildroot}/%{_sysconfdir}/libica
|
||||||
|
|
||||||
%check
|
%check
|
||||||
%make_build check FIPSHMAC=fipshmac
|
%make_build check FIPSHMAC=fipshmac
|
||||||
@ -175,6 +183,10 @@ rmdir %{buildroot}/%{_sysconfdir}/libica
|
|||||||
%{_libdir}/libica-cex.so.%{major}
|
%{_libdir}/libica-cex.so.%{major}
|
||||||
%{_libdir}/.libica-cex.so.%{version}.hmac
|
%{_libdir}/.libica-cex.so.%{version}.hmac
|
||||||
%{_libdir}/.libica-cex.so.%{major}.hmac
|
%{_libdir}/.libica-cex.so.%{major}.hmac
|
||||||
|
### Enable FIPS
|
||||||
|
%dir %{_sysconfdir}/libica
|
||||||
|
%{_sysconfdir}/libica/openssl3-fips.cnf
|
||||||
|
###
|
||||||
|
|
||||||
%files tools
|
%files tools
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
|
Loading…
Reference in New Issue
Block a user