From 7428af857515b1343865b4597050d8db2627b05ae27aef568aabb2486c34e0f7 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 13 Nov 2024 09:12:54 +0000 Subject: [PATCH] - Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305) * libica-02-fips-update-Change-service-indicator-implementation.patch * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=26 --- .gitattributes | 23 + .gitignore | 1 + README.SUSE | 331 +++++++ ...te-remove-sigVer-from-fips-ECDSA-kat.patch | 28 + ...nge-service-indicator-implementation.patch | 116 +++ ...-service-indicator-based-on-IV-usage.patch | 164 ++++ ...e-test-for-dynamic-service-indicator.patch | 94 ++ ...e-CEX-usage-in-OpenSSL-for-all-tests.patch | 40 + ...t-rc-handling-with-s390_pcc-function.patch | 83 ++ ...-4.3.0-03-Use-__asm__-instead-of-asm.patch | 366 ++++++++ libica-4.3.0.tar.gz | 3 + libica-4.3.1.tar.gz | 3 + ...-possible-to-specify-fipshmac-binary.patch | 55 ++ libica-rpmlintrc | 3 + libica-sles15sp5-FIPS-hmac-key.patch | 15 + libica.changes | 842 ++++++++++++++++++ libica.spec | 216 +++++ sysconfig.z90crypt | 10 + z90crypt | 21 + z90crypt.service | 13 + 20 files changed, 2427 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 README.SUSE create mode 100644 libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch create mode 100644 libica-02-fips-update-Change-service-indicator-implementation.patch create mode 100644 libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch create mode 100644 libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch create mode 100644 libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch create mode 100644 libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch create mode 100644 libica-4.3.0-03-Use-__asm__-instead-of-asm.patch create mode 100644 libica-4.3.0.tar.gz create mode 100644 libica-4.3.1.tar.gz create mode 100644 libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch create mode 100644 libica-rpmlintrc create mode 100644 libica-sles15sp5-FIPS-hmac-key.patch create mode 100644 libica.changes create mode 100644 libica.spec create mode 100644 sysconfig.z90crypt create mode 100644 z90crypt create mode 100644 z90crypt.service diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..c8a1b1d --- /dev/null +++ b/README.SUSE @@ -0,0 +1,331 @@ +The following information was provided to us courtesy of the IBM +testing team, who tested the functionality of apache with mod_ssl +on SUSE LINUX Enterprise Server 9 for S/390 and zSeries. + +It thus refers to testing only from a certain point, and the +z90crypt part is of course specific to S/390 and zSeries. + +------------------------------------------------------------------- +Installation and Configuration of S/390 HW Crypto +on SUSE Linux Enterprise Server 9 for S/390 and zSeries: + +1) Installation of the driver packages openCryptoki and libica + + The driver packages are installed during base install in the + default selection. If you installed only minimal system or + deinstalled the packages, install them now. If the installation + source is accessible, you can do it with a single command: + + 31bit: + yast sw_single openCryptoki openCryptoki-32bit + + 64bit: + yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit + + This will automatically install the necessary libica packages as + well if they are not installed yet. + + +2) Loading the z90crypt driver: + + systemctl start z90crypt to load z90crypt + + systemctl stop z90crypt to unload z90crypt + + this command will be available only after installation of the + crypto driver packages. + + To load the driver automatically at every system boot, integrate it + with the other boot scripts issuing + + systemctl enable z90crypt + + +3) Checking if the z90crypt hardware driver can be accessed + + Run this command: + + openssl speed rsa1024 -engine ibmca -elapsed + + If you get 'can't use that engine', as the first line + of output of the command look for the successive line + and check: + - if running "rcz90crypt restart" gives no error message + - the output of command "dmesg" for error messages from the driver + - the hardware is indeed available to this instance + +4) Installation and Setup of mod_ssl and apache + + a) ensure that mod_ssl and apache are installed during base + install. If the installation source is accessible, + the command + + yast sw_single mod_ssl + + will install apache and mod_ssl if they are not installed yet. + + b) to activate the apache ssl support do the following: + + if you did not use yast to install the packages, you have + to run manually: SuSEconfig --module apache + + edit /etc/sysconfig/apache: + change HTTPD_START_TIMEOUT=2 to 20 + + change HTTPD_SEC_MOD_SSL=no to yes + + edit httpd.conf in /etc/httpd: + + in section 2: check that the ServerName and ServerMail in + the ServerAdmin section is ok. + + in section 3: set inside the + ServerName to host name + + add on section : SSLCryptoDevice ibmca + + run: SuSEconfig --module apache + +5) Crypto configuration of apache/mod_ssl: + + a) create a certificate (Snake Oil) for the TEST --- THIS + CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR + TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A + CERTIFICATION AUTHORITY FOR PRODUCTION USE. + + go to: cd /usr/share/doc/packages/mod_ssl + + run: ./certificate.sh + + see following questions will come up. Give shown answers + and use the pass phrase: + + der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh + SSL Certificate Generation Utility (mkcert.sh) + Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved. + + Generating test certificate signed by Snake Oil CA [TEST] + WARNING: Do not use this for real-life/production systems + + STEP 0: Decide the signature algorithm used for certificate + The generated X.509 CA certificate can contain either + RSA or DSA based ingredients. Select the one you want to use. + Signature Algorithm ((R)SA or (D)SA) [R]:R + + + STEP 1: Generating RSA private key (1024 bit) [server.key] + 123006 semi-random bytes loaded + Generating RSA private key, 1024 bit long modulus + ..++++++ + .................++++++ + e is 65537 (0x10001) + + STEP 2: Generating X.509 certificate signing request + [server.csr] + Using configuration from .mkcert.cfg + You are about to be asked to enter information that will be + incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished + Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + 1. Country Name (2 letter code) [XY]:DE + 2. State or Province Name (full name) [Snake Desert]: + + 3. Locality Name (eg, city) [Snake Town]: + + 4. Organization Name (eg, company) [Snake Oil, Ltd]: + + 5. Organizational Unit Name (eg, section) [Webserver Team]: + + 6. Common Name (eg, FQDN) [www.snakeoil.dom]: + + 7. Email Address (eg, name@FQDN) [www@snakeoil.dom]: + + + STEP 3: Generating X.509 certificate signed by Snake Oil CA + [server.crt] + Certificate Version (1 or 3) [3]:3 + Signature ok + subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil, + Ltd/OU=Webserver + Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom + Getting CA Private Key + Verify: matching certificate & key modulus + read RSA key + Verify: matching certificate signature + /etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake + Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil + CA/Email=ca@snakeoil.dom + error 10 at 1 depth lookup:certificate has expired + OK + + STEP 4: Enrypting RSA private key with a pass phrase for + security [server.key] + The contents of the server.key file (the generated private key) + has to be + kept secret. So we strongly recommend you to encrypt the + server.key file + with a Triple-DES cipher and a Pass Phrase. + Encrypt the private key now? [Y/n]: Y + read RSA key + writing RSA key + Enter PEM pass phrase: <=== crypto + Verifying password - Enter PEM pass phrase: <=== crypto + Fine, you're using an encrypted RSA private key. + + RESULT: Server Certification Files + + o conf/ssl.key/server.key + + The PEM-encoded RSA private key file which you + configure with the 'SSLCertificateKeyFile' directive + (automatically done when you install via APACI). KEEP + THIS FILE PRIVATE! + + o conf/ssl.crt/server.crt + + The PEM-encoded X.509 certificate file which you configure + with the 'SSLCertificateFile' directive (automatically done + when you install via APACI). + + o conf/ssl.csr/server.csr + + The PEM-encoded X.509 certificate signing request file + which you can send to an official Certificate Authority + (CA) in order to request a real server certificate + (signed by this CA instead of our demonstration-only + Snake Oil CA) which later can replace the + conf/ssl.crt/server.crt file. + + WARNING: Do not use this for real-life/production systems + + der3gbe:/usr/share/doc/packages/mod_ssl # + +6) Start Apache with SSL + + a) start with pass phrase (Changes done to apache modul + described in item c)). + + run: rcapache start + + dev3fe01:~ # rcapache start + + Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26 + mod_ssl/2.8.10 (Pass Phrase Dialog) + Some of your private key files are encrypted for security + reasons. + In order to read them you have to provide us with the pass + phrases. + + Server dev3fe01.boeblingen.de.ibm.com:443 (RSA) + Enter pass phrase: crypto + + Ok: Pass Phrase Dialog successful. + done + + b) start without pass phrase when using apache without + ssl-support + + remark: You need to change the apache modul (see + item c)). Set the HTTPD_SEC_MOD_SSL=no. + + run: rcapache start + + +7) Check that ibmca is used and apache is working with http and https: + + a) On a browser enter http:// or + https:// + b) with netstat or netstat -a on the apache server machine you + can see if https is used. + c) in the log /var/log/httpd/ssl_engine_log you can see if the + ibmca engine is started or not. + d) during siege test you can see with cat /proc/driver/z90crypt + if and what crypto HW is used + e) you can check a http connection with telnet + http. Then enter + get / http/1.0 + and you should get back some stuff after pressing enter + twice. + + f) You can check if openssl works with the ibmca engine + + a) Therefore you must create certificates: + cd /usr/share/ssl/misc + run: ./CA.sh -newcert + + dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert + Using configuration from /etc/ssl/openssl.cnf + Generating a 1024 bit RSA private key + ......................++++++ + .++++++ + writing new private key to 'newreq.pem' + Enter PEM pass phrase: <== geheim + Verifying password - Enter PEM pass phrase: <== geheim + Verify failure + Enter PEM pass phrase: + Verifying password - Enter PEM pass phrase: + phrase is too short, needs to be at least 4 chars + Enter PEM pass phrase: + Verifying password - Enter PEM pass phrase: + ----- + You are about to be asked to enter information that will be + incorporated + into your certificate request. + What you are about to enter is what is called a + Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + Country Name (2 letter code) [AU]: + <== press enter + State or Province Name (full name) [Some-State]: + <== press enter + Locality Name (eg, city) []: + <== press enter + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + <== press enter + Organizational Unit Name (eg, section) []: + <== press enter + Common Name (eg, YOUR name) []: <== press enter + Email Address []: <== press + enter + Certificate (and private key) is in newreq.pem + + run: ./CA.sh -newca + + dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca + CA certificate filename (or enter to create) + newreq.pem + dev3fe02: + + + b) Use openssl as a Web-browser and use https connection: + openssl s_client \ + -connect :443 -state -debug + + The machine were you start the client is working as + your 'browser' connecting to the webserver. You can + start commands from the client like get / http/1.0 . + + c) Use openssl as a Web-server and use https connection: + openssl s_server \ + -accept 443 -www -engine ibmca -cert newreq.pem + + The machine is working like a small webserver with full + openssl functionality. You can start your browser to + this machine and a lot of info will be sent. + + dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443 + -www -cert newreq.pem -engine ibmca + engine "ibmca" set. + Using default temp DH parameters + Enter PEM pass phrase: <== geheim + ACCEPT + +------------------------------------------------------------------- diff --git a/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch b/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch new file mode 100644 index 0000000..0ed974a --- /dev/null +++ b/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch @@ -0,0 +1,28 @@ +From 0a7e4c34a0cc58e1242d4b131e9c224736eadef2 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Mon, 28 Oct 2024 13:04:19 +0100 +Subject: [PATCH] fips update: remove sigVer from fips ECDSA kat + +From https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-capabilities.adoc +"The 'componentTest' property is only valid for detECDSA / sigGen / FIPS186-5 and +ECDSA / sigGen / * registrations." i.e., only ECDSA sigGen component can be tested. + +Signed-off-by: Joerg Schmidbauer +--- + src/fips.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/fips.c b/src/fips.c +index 4d1db07..3c26043 100644 +--- a/src/fips.c ++++ b/src/fips.c +@@ -1240,9 +1240,6 @@ ecdsa_kat(void) + /* adapter handle not needed here, just CPACF */ + rc = ica_ecdsa_sign_ex_internal(0, eckey, tv->hash, tv->hashlen, + sigbuf, tv->siglen, tv->k); +- if (rc) +- goto _err_; +- rc = ica_ecdsa_verify(0, eckey, tv->hash, tv->hashlen, sigbuf, tv->siglen); + if (rc) + goto _err_; + if (memcmp(sigbuf, tv->sig, tv->siglen) != 0) { diff --git a/libica-02-fips-update-Change-service-indicator-implementation.patch b/libica-02-fips-update-Change-service-indicator-implementation.patch new file mode 100644 index 0000000..905d09c --- /dev/null +++ b/libica-02-fips-update-Change-service-indicator-implementation.patch @@ -0,0 +1,116 @@ +From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Mon, 28 Oct 2024 13:44:11 +0100 +Subject: [PATCH] fips update: Change service indicator implementation + +Perform checks for non-approved algorithms / parameters directly into the +APIs that perform the services. + +Signed-off-by: Joerg Schmidbauer +--- + src/ica_api.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/ica_api.c b/src/ica_api.c +index 0826af8..d071f61 100644 +--- a/src/ica_api.c ++++ b/src/ica_api.c +@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME)) ++ return EPERM; + #endif /* ICA_FIPS */ + + if (public_key->key_length != private_key->key_length) +@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT)) ++ return EPERM; + #endif /* ICA_FIPS */ + + if (public_key->key_length != private_key->key_length) +@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME)) ++ return EPERM; + #endif /* ICA_FIPS */ + + /* check for obvious errors in parms */ +@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key) + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT)) ++ return EPERM; + #endif /* ICA_FIPS */ + + /* check if p > q */ +@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT)) ++ return EPERM; + #endif /* ICA_FIPS */ + + /* check for obvious errors in parms */ +@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen) + #ifdef ICA_FIPS + if (fips >> 1) + return NULL; ++ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN)) ++ return NULL; + #endif /* ICA_FIPS */ + + if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL) +@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN)) ++ return EPERM; + if (fips & ICA_FIPS_MODE) { + if (!curve_supported_via_openssl(key->nid) || + !curve_supported_via_cpacf(key->nid)) { +@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key) + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN)) ++ return EPERM; + if (fips & ICA_FIPS_MODE) { + if (!curve_supported_via_openssl(key->nid) || + !curve_supported_via_cpacf(key->nid)) +@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(EC_DH) && !fips_override(EC_DH)) ++ return EPERM; + if (fips & ICA_FIPS_MODE) { + if (!curve_supported_via_openssl(privkey_A->nid) || + !curve_supported_via_cpacf(privkey_A->nid)) +@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle, + if (!curve_supported_via_openssl(privkey->nid) || + !curve_supported_via_cpacf(privkey->nid)) + return EPERM; ++ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN)) ++ return EPERM; + } + #endif /* ICA_FIPS */ + +@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle, + #ifdef ICA_FIPS + if (fips >> 1) + return EACCES; ++ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY)) ++ return EPERM; + if (fips & ICA_FIPS_MODE) { + if (!curve_supported_via_openssl(pubkey->nid) || + !curve_supported_via_cpacf(pubkey->nid)) diff --git a/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch b/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch new file mode 100644 index 0000000..4a27a7f --- /dev/null +++ b/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch @@ -0,0 +1,164 @@ +From b7d11c21d7f15dc11ae7354a7ec97299eacd7045 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Wed, 6 Nov 2024 13:12:11 +0100 +Subject: [PATCH] fips update: Dynamically update service indicator based on IV + usage + +Fix handling to differentiate if the call to AES-GCM encryption API was approved +or not. If the IV was set externally, it's non-approved, otherwise with internal +IV it's approved. Bind the service indicator to the service by checking the +behavior of the GCM IV in the gcm API. + +Signed-off-by: Joerg Schmidbauer +--- + src/ica_api.c | 6 ++++++ + src/include/fips.h | 54 +++++++++++++++++++++++++++++++++++++++++++--- + src/s390_crypto.c | 16 ++++++++++++++ + 3 files changed, 73 insertions(+), 3 deletions(-) + +diff --git a/src/ica_api.c b/src/ica_api.c +index d071f61..c1bb4e1 100644 +--- a/src/ica_api.c ++++ b/src/ica_api.c +@@ -3727,6 +3727,8 @@ unsigned int ica_aes_gcm(unsigned char *plaintext, + #ifdef ICA_FIPS + if (fips & ICA_FIPS_MODE) + return EPERM; ++ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM)) ++ return EPERM; + #endif /* ICA_FIPS */ + + return ica_aes_gcm_internal(plaintext, plaintext_length, ciphertext, +@@ -3776,6 +3778,8 @@ unsigned int ica_aes_gcm_initialize(const unsigned char *iv, + if (!ica_external_gcm_iv_in_fips_mode_allowed && + direction == ENCRYPT && (fips & ICA_FIPS_MODE)) + return EPERM; ++ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM)) ++ return EPERM; + #endif /* ICA_FIPS */ + + return ica_aes_gcm_initialize_internal(iv, iv_length, key, key_length, +@@ -4025,6 +4029,8 @@ int ica_aes_gcm_kma_init(unsigned int direction, + if (!ica_external_gcm_iv_in_fips_mode_allowed && + direction == ICA_ENCRYPT && (fips & ICA_FIPS_MODE)) + return EPERM; ++ if (!fips_approved(AES_GCM_KMA) && !fips_override(AES_GCM_KMA)) ++ return EPERM; + #endif /* ICA_FIPS */ + + return ica_aes_gcm_kma_init_internal(direction, iv, iv_length, +diff --git a/src/include/fips.h b/src/include/fips.h +index c0af6b6..0a6e0bd 100644 +--- a/src/include/fips.h ++++ b/src/include/fips.h +@@ -68,19 +68,19 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv, + /* + * List of non-fips-approved algorithms + */ +-static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB, ++static int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB, + DES_CFB, DES_CTR, DES_CTRLST, DES_CBC_MAC, DES_CMAC, P_RNG, DES3_ECB, + DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST, + DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY, + ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE, +- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG }; ++ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; + static const size_t FIPS_BLACKLIST_LEN + = sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]); + + /* + * FIPS service indicator: List of tolerated but non-approved algorithms. + */ +-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG }; ++static int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; + static const size_t FIPS_OVERRIDE_LIST_LEN + = sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]); + +@@ -117,5 +117,53 @@ static inline int fips_override(int id) + + return 0; + } ++ ++static inline void add_to_fips_black_list(int id) ++{ ++ size_t i; ++ ++ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) { ++ if (FIPS_BLACKLIST[i] == -1) { ++ FIPS_BLACKLIST[i] = id; ++ return; ++ } ++ } ++} ++ ++static inline void add_to_fips_override_list(int id) ++{ ++ size_t i; ++ ++ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) { ++ if (FIPS_OVERRIDE_LIST[i] == -1) { ++ FIPS_OVERRIDE_LIST[i] = id; ++ return; ++ } ++ } ++} ++ ++static inline void remove_from_fips_black_list(int id) ++{ ++ size_t i; ++ ++ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) { ++ if (FIPS_BLACKLIST[i] == id) { ++ FIPS_BLACKLIST[i] = -1; ++ return; ++ } ++ } ++} ++ ++static inline void remove_from_fips_override_list(int id) ++{ ++ size_t i; ++ ++ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) { ++ if (FIPS_OVERRIDE_LIST[i] == id) { ++ FIPS_OVERRIDE_LIST[i] = -1; ++ return; ++ } ++ } ++} + #endif /* FIPS_H */ + #endif /* ICA_FIPS */ +diff --git a/src/s390_crypto.c b/src/s390_crypto.c +index 623864b..03655e7 100644 +--- a/src/s390_crypto.c ++++ b/src/s390_crypto.c +@@ -30,6 +30,10 @@ + #include "init.h" + #include "s390_crypto.h" + ++#ifdef ICA_FIPS ++extern int ica_external_gcm_iv_in_fips_mode_allowed; ++#endif ++ + unsigned long long facility_bits[3]; + unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch, + tdes_switch, aes128_switch, aes192_switch, aes256_switch, +@@ -810,6 +814,18 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list, + if (*indicator_list_len < (sizeof(icaList) / sizeof(libica_func_list_element_int))) + return EINVAL; + ++ if (ica_external_gcm_iv_in_fips_mode_allowed) { ++ add_to_fips_black_list(AES_GCM); ++ add_to_fips_override_list(AES_GCM); ++ add_to_fips_black_list(AES_GCM_KMA); ++ add_to_fips_override_list(AES_GCM_KMA); ++ } else { ++ remove_from_fips_black_list(AES_GCM); ++ remove_from_fips_override_list(AES_GCM); ++ remove_from_fips_black_list(AES_GCM_KMA); ++ remove_from_fips_override_list(AES_GCM_KMA); ++ } ++ + for (i = 0; i < *indicator_list_len; i++) { + indicator_list[i].mech_mode_id = icaList[i].mech_mode_id; + indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id); diff --git a/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch b/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch new file mode 100644 index 0000000..246e018 --- /dev/null +++ b/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch @@ -0,0 +1,94 @@ +From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Wed, 6 Nov 2024 13:17:54 +0100 +Subject: [PATCH] fips update: provide test for dynamic service indicator + +Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode +API to allow and forbid an external GCM IV. Depending on whether the application +allows or forbids external IVs, the service indicator changes dynamically. + +Signed-off-by: Joerg Schmidbauer +--- + test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 62 insertions(+) + +diff --git a/test/fips_test.c b/test/fips_test.c +index 2bd3d40..873c4b0 100644 +--- a/test/fips_test.c ++++ b/test/fips_test.c +@@ -13,6 +13,64 @@ + + #define FIPS_FLAG "/proc/sys/crypto/fips_enabled" + ++#ifdef ICA_FIPS ++static int test_gcm_iv_usage(void) ++{ ++ libica_fips_indicator_element *fips_list = NULL; ++ unsigned int rc, i, fips_len, allow; ++ unsigned int approved_expected, override_expected; ++ ++ for (allow = 0; allow < 2; allow++) { ++ ++ approved_expected = allow == 1 ? 0 : 1; ++ override_expected = allow == 1 ? 1 : 0; ++ ++ /* Check allowance of an external iv in fips mode */ ++ ica_allow_external_gcm_iv_in_fips_mode(allow); ++ ++ /* Get fips indicator list */ ++ if (ica_get_fips_indicator(NULL, &fips_len) != 0){ ++ printf("get_fips_indicator failed\n"); ++ rc = EXIT_FAILURE; ++ goto done; ++ } ++ ++ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len); ++ if (!fips_list) { ++ printf("malloc fips_indicator list failed\n"); ++ rc = EXIT_FAILURE; ++ goto done; ++ } ++ ++ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){ ++ printf("ica_get_fips_indicator failed\n"); ++ free(fips_list); ++ rc = EXIT_FAILURE; ++ goto done; ++ } ++ ++ for (i = 0; i < fips_len; i++) { ++ if (fips_list[i].mech_mode_id == AES_GCM || ++ fips_list[i].mech_mode_id == AES_GCM_KMA) { ++ if (fips_list[i].fips_approved != approved_expected || ++ fips_list[i].fips_override != override_expected) { ++ rc = EXIT_FAILURE; ++ free(fips_list); ++ goto done; ++ } ++ } ++ } ++ ++ free(fips_list); ++ } ++ ++ rc = 0; ++ ++done: ++ return rc; ++} ++#endif /* ICA_FIPS */ ++ + int + main(void) + { +@@ -68,6 +126,10 @@ main(void) + printf("Libica FIPS integrity check failed.\n"); + rv = EXIT_FAILURE; + } ++ if (test_gcm_iv_usage()) { ++ printf("Libica FIPS gcm iv usage check failed.\n"); ++ rv = EXIT_FAILURE; ++ } + #endif /* ICA_FIPS */ + + printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT); diff --git a/libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch b/libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch new file mode 100644 index 0000000..1d7105a --- /dev/null +++ b/libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch @@ -0,0 +1,40 @@ +From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001 +From: Holger Dengler +Date: Tue, 16 Apr 2024 14:18:23 +0200 +Subject: [PATCH] test: disable CEX usage in OpenSSL for all tests + +OpenSSL supports CEX exploitation since version v3.2.x. Libica and its +testcases use OpenSSL as helper and fallback, so disable the CEX +acceleration for all tests. + +If the environment variable is already set, use it as is without +modifying it. In this case, it is up to the user to choose the right +settings. + +Fixes: Issue #126 +Link: https://github.com/opencryptoki/libica/issues/126 +Signed-off-by: Holger Dengler +--- + test/Makefile.am | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/test/Makefile.am b/test/Makefile.am +index 76d4f15..e56b256 100644 +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -61,10 +61,14 @@ TESTS += \ + ${top_builddir}/src/internal_tests/ec_internal_test + endif + ++# disable OpenSSL CEX usage for all tests ++OPENSSL_s390xcap ?= nocex ++ + TEST_EXTENSIONS = .sh .pl + TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \ + PATH=${builddir}/../src/:$$PATH \ +- LIBICA_TESTDATA=${srcdir}/testdata/; ++ LIBICA_TESTDATA=${srcdir}/testdata/ \ ++ OPENSSL_s390xcap=${OPENSSL_s390xcap}; + AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/ + LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread + diff --git a/libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch b/libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch new file mode 100644 index 0000000..4c79862 --- /dev/null +++ b/libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch @@ -0,0 +1,83 @@ +From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Wed, 24 Apr 2024 10:44:26 +0200 +Subject: [PATCH] Bugfix: correct rc handling with s390_pcc function + +Signed-off-by: Joerg Schmidbauer +--- + src/include/s390_aes.h | 2 +- + src/include/s390_cmac.h | 2 +- + src/include/s390_crypto.h | 23 +++++++++++++---------- + 3 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h +index 6252dde0..a6ff27bd 100644 +--- a/src/include/s390_aes.h ++++ b/src/include/s390_aes.h +@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code, + + memset(&parm_block.keys, 0, key_size); + +- if (rc >= 0) { ++ if (rc == 0) { + memcpy(xts_parm, parm_block.xts_parameter, + sizeof(ica_aes_vector_t)); + return 0; +diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h +index 76b9cca5..f19c069d 100644 +--- a/src/include/s390_cmac.h ++++ b/src/include/s390_cmac.h +@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc, + /* calculate final block (last/full) */ + rc = s390_pcc(fc, pb_lookup.base); + memset(pb_lookup.keys, 0, key_size); +- if (rc < 0) ++ if (rc != 0) + return EIO; + + _stats_increment(fc, ALGO_HW, ENCRYPT); +diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h +index f34241fd..f11eacb2 100644 +--- a/src/include/s390_crypto.h ++++ b/src/include/s390_crypto.h +@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void); + + /** + * s390_pcc: +- * @func: the function code passed to KM; see s390_pcc_functions ++ * @func: the function code passed to PCC; see s390_pcc_functions + * @param: address of parameter block; see POP for details on each func + * + * Executes the PCC operation of the CPU. + * +- * Returns -1 for failure, 0 for the query func, number of processed +- * bytes for encryption/decryption funcs ++ * Returns condition code of the PCC instruction + */ + static inline int s390_pcc(unsigned long func, void *param) + { + register unsigned long r0 asm("0") = (unsigned long)func; + register unsigned long r1 asm("1") = (unsigned long)param; ++ char cc; + +- asm volatile ( +- "0: .long %[opc] << 16\n" +- " brc 1,0b\n" +- : +- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c) +- : "cc", "memory"); ++ asm volatile( ++ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */ ++ " brc 1,0b\n" /* handle partial completion */ ++ " ipm %[cc]\n" ++ " srl %[cc],28\n" ++ : [cc] "=d" (cc) ++ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c) ++ : "cc", "memory" ++ ); + +- return 0; ++ return cc; + } + + /** diff --git a/libica-4.3.0-03-Use-__asm__-instead-of-asm.patch b/libica-4.3.0-03-Use-__asm__-instead-of-asm.patch new file mode 100644 index 0000000..95b364e --- /dev/null +++ b/libica-4.3.0-03-Use-__asm__-instead-of-asm.patch @@ -0,0 +1,366 @@ +From 900557435b85f2fa6446bf9d62e80d58eff4bfbe Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Wed, 19 Jun 2024 12:34:26 +0200 +Subject: [PATCH] Use __asm__ instead of asm + +The asm keyword is a GNU extension. When writing code that can be compiled with +-ansi and the various -std options, use __asm__ instead of asm. + +Signed-off-by: Joerg Schmidbauer +--- + src/include/s390_crypto.h | 194 +++++++++++++++++++------------------- + 1 file changed, 97 insertions(+), 97 deletions(-) + +diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h +index f11eacb..6ef4728 100644 +--- a/src/include/s390_crypto.h ++++ b/src/include/s390_crypto.h +@@ -253,11 +253,11 @@ void s390_crypto_switches_init(void); + */ + static inline int s390_pcc(unsigned long func, void *param) + { +- register unsigned long r0 asm("0") = (unsigned long)func; +- register unsigned long r1 asm("1") = (unsigned long)param; ++ register unsigned long r0 __asm__("0") = (unsigned long)func; ++ register unsigned long r1 __asm__("1") = (unsigned long)param; + char cc; + +- asm volatile( ++ __asm__ volatile( + "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */ + " brc 1,0b\n" /* handle partial completion */ + " ipm %[cc]\n" +@@ -285,12 +285,12 @@ static inline int s390_pcc(unsigned long func, void *param) + static inline int s390_kmac(unsigned long func, void *param, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre, 0xb91e0000,%0,%0 \n" + " brc 1, 0b \n" + : "+a"(__src), "+d"(__src_len) +@@ -318,15 +318,15 @@ static inline int s390_kma(unsigned long func, void *param, unsigned char *dest, + const unsigned char *src, long src_len, + const unsigned char *aad, long aad_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; +- register unsigned char *__dest asm("4") = dest; +- register const unsigned char *__aad asm("6") = aad; +- register long __aad_len asm("7") = aad_len; +- +- asm volatile( ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; ++ register unsigned char *__dest __asm__("4") = dest; ++ register const unsigned char *__aad __asm__("6") = aad; ++ register long __aad_len __asm__("7") = aad_len; ++ ++ __asm__ volatile( + "0: .insn rrf,0xb9290000,%2,%0,%3,0 \n" + "1: brc 1,0b \n" /* handle partial completion */ + : "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__aad), "+d" (__aad_len) +@@ -353,14 +353,14 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des + const unsigned char *src, long src_len, + unsigned char *counter) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; +- register unsigned char *__dest asm("4") = dest; +- register unsigned char *__ctr asm("6") = counter; +- +- asm volatile( ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; ++ register unsigned char *__dest __asm__("4") = dest; ++ register unsigned char *__ctr __asm__("6") = counter; ++ ++ __asm__ volatile( + "0: .insn rrf,0xb92d0000,%2,%0,%3,0 \n" + "1: brc 1,0b \n" + : "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__ctr) +@@ -386,13 +386,13 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des + static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest, + const unsigned char *src, long src_len, unsigned int *lcfb) + { +- register long __func asm("0") = ((*lcfb & 0x000000ff) << 24) | func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; +- register unsigned char *__dest asm("4") = dest; ++ register long __func __asm__("0") = ((*lcfb & 0x000000ff) << 24) | func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; ++ register unsigned char *__dest __asm__("4") = dest; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre,0xb92a0000,%2,%0 \n" + " brc 1,0b \n" + : "+a"(__src), "+d"(__src_len), "+a"(__dest) +@@ -418,13 +418,13 @@ static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest, + static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; +- register unsigned char *__dest asm("4") = dest; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; ++ register unsigned char *__dest __asm__("4") = dest; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre, 0xb92b0000,%2,%0 \n" + " brc 1, 0b \n" + : "+a"(__src), "+d"(__src_len), "+a"(__dest) +@@ -450,13 +450,13 @@ static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest, + static inline int s390_km(unsigned long func, void *param, unsigned char *dest, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; +- register unsigned char *__dest asm("4") = dest; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; ++ register unsigned char *__dest __asm__("4") = dest; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre,0xb92e0000,%2,%0 \n" /* KM opcode */ + " brc 1,0b \n" /* handle partial completion */ + : "+a"(__src), "+d"(__src_len), "+a"(__dest) +@@ -482,13 +482,13 @@ static inline int s390_km(unsigned long func, void *param, unsigned char *dest, + static inline int s390_kmc(unsigned long func, void *param, unsigned char *dest, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; +- register unsigned char *__dest asm("4") = dest; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; ++ register unsigned char *__dest __asm__("4") = dest; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre, 0xb92f0000,%2,%0 \n" /* KMC opcode */ + " brc 1, 0b \n" /* handle partial completion */ + : "+a"(__src), "+d"(__src_len), "+a"(__dest) +@@ -515,15 +515,15 @@ static inline int s390_kimd_shake(unsigned long func, void *param, + unsigned char *dest, long dest_len, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register unsigned char *__dest asm("2") = dest; +- register long __dest_len asm("3") = dest_len; +- register const unsigned char *__src asm("4") = src; +- register long __src_len asm("5") = src_len; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register unsigned char *__dest __asm__("2") = dest; ++ register long __dest_len __asm__("3") = dest_len; ++ register const unsigned char *__src __asm__("4") = src; ++ register long __src_len __asm__("5") = src_len; + int ret = -1; + +- asm volatile( ++ __asm__ volatile( + "0: .insn rre,0xb93e0000,%1,%5\n\t" /* KIMD opcode */ + " brc 1,0b\n\t" /* handle partial completion */ + " la %0,0\n\t" +@@ -538,12 +538,12 @@ static inline int s390_kimd_shake(unsigned long func, void *param, + static inline int s390_kimd(unsigned long func, void *param, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre,0xb93e0000,%0,%0 \n" /* KIMD opcode */ + " brc 1,0b \n" /* handle partial completion */ + : "+a"(__src), "+d"(__src_len) +@@ -569,15 +569,15 @@ static inline int s390_klmd_shake(unsigned long func, void *param, + unsigned char *dest, long dest_len, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register unsigned char *__dest asm("2") = dest; +- register long __dest_len asm("3") = dest_len; +- register const unsigned char *__src asm("4") = src; +- register long __src_len asm("5") = src_len; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register unsigned char *__dest __asm__("2") = dest; ++ register long __dest_len __asm__("3") = dest_len; ++ register const unsigned char *__src __asm__("4") = src; ++ register long __src_len __asm__("5") = src_len; + int ret = -1; + +- asm volatile( ++ __asm__ volatile( + "0: .insn rre,0xb93f0000,%1,%5\n\t" /* KLMD opcode */ + " brc 1,0b\n\t" /* handle partial completion */ + " la %0,0\n\t" +@@ -592,12 +592,12 @@ static inline int s390_klmd_shake(unsigned long func, void *param, + static inline int s390_klmd(unsigned long func, void *param, + const unsigned char *src, long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register const unsigned char *__src asm("2") = src; +- register long __src_len asm("3") = src_len; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register const unsigned char *__src __asm__("2") = src; ++ register long __src_len __asm__("3") = src_len; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre,0xb93f0000,%0,%0 \n" /* KLMD opcode */ + " brc 1,0b \n" /* handle partial completion */ + : "+a"(__src), "+d"(__src_len) +@@ -624,13 +624,13 @@ static inline int s390_klmd(unsigned long func, void *param, + static inline int s390_kdsa(unsigned long func, void *param, + const unsigned char *src, unsigned long srclen) + { +- register unsigned long r0 asm("0") = (unsigned long)func; +- register unsigned long r1 asm("1") = (unsigned long)param; +- register unsigned long r2 asm("2") = (unsigned long)src; +- register unsigned long r3 asm("3") = (unsigned long)srclen; ++ register unsigned long r0 __asm__("0") = (unsigned long)func; ++ register unsigned long r1 __asm__("1") = (unsigned long)param; ++ register unsigned long r2 __asm__("2") = (unsigned long)src; ++ register unsigned long r3 __asm__("3") = (unsigned long)srclen; + unsigned long rc = 1; + +- asm volatile( ++ __asm__ volatile( + "0: .insn rre,%[__opc] << 16,0,%[__src]\n" + " brc 1,0b\n" /* handle partial completion */ + " brc 7,1f\n" +@@ -668,15 +668,15 @@ static inline int s390_ppno(long func, + const unsigned char *src, + long src_len) + { +- register long __func asm("0") = func; +- register void *__param asm("1") = param; +- register unsigned char *__dest asm("2") = dest; +- register long __dest_len asm("3") = dest_len; +- register const unsigned char *__src asm("4") = src; +- register long __src_len asm("5") = src_len; ++ register long __func __asm__("0") = func; ++ register void *__param __asm__("1") = param; ++ register unsigned char *__dest __asm__("2") = dest; ++ register long __dest_len __asm__("3") = dest_len; ++ register const unsigned char *__src __asm__("4") = src; ++ register long __src_len __asm__("5") = src_len; + int ret = -1; + +- asm volatile( ++ __asm__ volatile( + "0: .insn rre,0xb93c0000,%1,%5\n\t" /* PPNO opcode */ + " brc 1,0b\n\t" /* handle partial completion */ + " la %0,0\n\t" +@@ -701,13 +701,13 @@ static inline int s390_ppno(long func, + static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len, + unsigned char *cbuf, unsigned long cbuf_len) + { +- register unsigned long r0 asm("0") = (unsigned long) S390_CRYPTO_TRNG; +- register unsigned long r2 asm("2") = (unsigned long) ucbuf; +- register unsigned long r3 asm("3") = (unsigned long) ucbuf_len; +- register unsigned long r4 asm("4") = (unsigned long) cbuf; +- register unsigned long r5 asm("5") = (unsigned long) cbuf_len; ++ register unsigned long r0 __asm__("0") = (unsigned long) S390_CRYPTO_TRNG; ++ register unsigned long r2 __asm__("2") = (unsigned long) ucbuf; ++ register unsigned long r3 __asm__("3") = (unsigned long) ucbuf_len; ++ register unsigned long r4 __asm__("4") = (unsigned long) cbuf; ++ register unsigned long r5 __asm__("5") = (unsigned long) cbuf_len; + +- asm volatile ( ++ __asm__ volatile ( + "0: .insn rre,0xb93c0000,%[ucbuf],%[cbuf]\n" + " brc 1,0b\n" /* handle partial completion */ + : [ucbuf] "+a" (r2), [ucbuflen] "+d" (r3), +@@ -719,21 +719,21 @@ static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len, + + static inline void s390_stckf_hw(void *buf) + { +- asm volatile(".insn s,0xb27c0000,%0" ++ __asm__ volatile(".insn s,0xb27c0000,%0" + : "=Q" (*((unsigned long long *)buf)) : : "cc"); + } + + static inline void s390_stcke_hw(void *buf) + { +- asm volatile(".insn s,0xb2780000,%0" ++ __asm__ volatile(".insn s,0xb2780000,%0" + : "=Q" (*((unsigned long long *)buf)) : : "cc"); + } + + static inline int __stfle(unsigned long long *list, int doublewords) + { +- register unsigned long __nr asm("0") = doublewords - 1; ++ register unsigned long __nr __asm__("0") = doublewords - 1; + +- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */ ++ __asm__ volatile(".insn s,0xb2b00000,0(%1)" /* stfle */ + : "+d" (__nr) : "a" (list) : "memory", "cc"); + + return __nr + 1; +@@ -741,7 +741,7 @@ static inline int __stfle(unsigned long long *list, int doublewords) + + static inline void s390_flip_endian_32(void *dest, const void *src) + { +- asm volatile( ++ __asm__ volatile( + " lrvg %%r0,0(0,%[__src])\n" + " lrvg %%r1,8(0,%[__src])\n" + " lrvg %%r4,16(0,%[__src])\n" +@@ -757,7 +757,7 @@ static inline void s390_flip_endian_32(void *dest, const void *src) + + static inline void s390_flip_endian_64(void *dest, const void *src) + { +- asm volatile( ++ __asm__ volatile( + " lrvg %%r0,0(0,%[__src])\n" + " lrvg %%r1,8(0,%[__src])\n" + " lrvg %%r4,16(0,%[__src])\n" diff --git a/libica-4.3.0.tar.gz b/libica-4.3.0.tar.gz new file mode 100644 index 0000000..612dae5 --- /dev/null +++ b/libica-4.3.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:112c6136fd5ccfd6a1d33b5fd2427f5fec69aa2a0fc04e80a6ab58d7b9012db3 +size 576077 diff --git a/libica-4.3.1.tar.gz b/libica-4.3.1.tar.gz new file mode 100644 index 0000000..44590b4 --- /dev/null +++ b/libica-4.3.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5693fa8858941b68252a94c1f03f098e773b43cd56c10d6d3f15f24fdc623562 +size 576561 diff --git a/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch new file mode 100644 index 0000000..b1e8b0c --- /dev/null +++ b/libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch @@ -0,0 +1,55 @@ +From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Mon, 7 Jun 2021 21:12:01 +0200 +Subject: [PATCH] FIPS: make it possible to specify fipshmac binary. + +Signed-off-by: Michal Suchanek +--- + openssl-fipshmac | 12 ++++++++++++ + src/Makefile.am | 4 ++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + create mode 100755 openssl-fipshmac + +diff --git a/openssl-fipshmac b/openssl-fipshmac +new file mode 100755 +index 0000000..60fd505 +--- /dev/null ++++ b/openssl-fipshmac +@@ -0,0 +1,12 @@ ++#!/bin/sh -e ++ ++if [ "$#" -eq 0 ] ; then ++ echo "No library to hash specified." >&2 ++ exit 22 ++fi ++ ++while [ -n "$1" ] ; do ++ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")" ++ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac ++ shift ++done +diff --git a/src/Makefile.am b/src/Makefile.am +index 4a1ef14..2be01a5 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -47,6 +47,7 @@ + ./mp.pl mp.S + + if ICA_FIPS ++FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac + fipsinstall: + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac + $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac +@@ -58,8 +59,7 @@ + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac + + hmac-file: libica.la libica-cex.la +- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac +- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac ++ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) + + hmac_files = hmac-file hmac-file-lnk + +-- +2.31.1 + diff --git a/libica-rpmlintrc b/libica-rpmlintrc new file mode 100644 index 0000000..7b2660b --- /dev/null +++ b/libica-rpmlintrc @@ -0,0 +1,3 @@ +addFilter("libica-tools.* * devel-file-in-non-devel-package * /usr/lib64/libica.so") +addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica.so.*.hmac") +addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica-cex.so.*.hmac") diff --git a/libica-sles15sp5-FIPS-hmac-key.patch b/libica-sles15sp5-FIPS-hmac-key.patch new file mode 100644 index 0000000..c473357 --- /dev/null +++ b/libica-sles15sp5-FIPS-hmac-key.patch @@ -0,0 +1,15 @@ +--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400 ++++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400 +@@ -65,10 +65,9 @@ + * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes. + * The known HMAC is supposed to be provided as hex string in a file + * .libica.so.VERSION.hmac in the same directory as the .so module. +- */ ++ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */ + static const char hmackey[] = +- "0000000000000000000000000000000000000000000000000000000000000000" +- "0000000000000000000000000000000000000000000000000000000000000000"; ++ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250"; + + #endif /* ICA_INTERNAL_TEST */ + diff --git a/libica.changes b/libica.changes new file mode 100644 index 0000000..8a5f59f --- /dev/null +++ b/libica.changes @@ -0,0 +1,842 @@ +------------------------------------------------------------------- +Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev + +- Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305) + * libica-02-fips-update-Change-service-indicator-implementation.patch + * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch + * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch + +------------------------------------------------------------------- +Tue Nov 5 12:07:12 UTC 2024 - Nikolay Gueorguiev + +- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305) + * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch + * libica-02-fips-update-Change-service-indicator-implementation.patch + +------------------------------------------------------------------- +Tue Oct 29 06:22:04 UTC 2024 - Nikolay Gueorguiev + +- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276) + * Various bug fixes and housekeeping +- Removed obsolete patches + * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch + * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch + * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch + +------------------------------------------------------------------- +Wed Oct 23 09:05:28 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1231999) + * Replaced Recommends libica-tools with Requires + +------------------------------------------------------------------- +Wed Jul 3 10:51:28 UTC 2024 - Nikolay Gueorguiev + +- Applied patches + * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch + * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch + * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch +- Amended the .spec file to enable FIPS + +------------------------------------------------------------------- +Mon Jan 29 07:52:34 UTC 2024 - Nikolay Gueorguiev + +- Upgrade libica to version 2.3.0 (jsc#PED-5446) + * New API function ica_allow_external_gcm_iv_in_fips_mode + * Bug fixes + +------------------------------------------------------------------- +Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 4.2.3 (jsc#PED-5446) + * Add OPENSSL_init_crypto in libica constructor + * Remove deprecated ioctl Z90STAT_STATUS_MASK + * Bug fixes + +------------------------------------------------------------------- +Tue May 23 14:16:42 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276) + - [UPDATE] syslog msgs only in error cases + - [UPDATE] don't count statistics in fips power-on self tests + - [PATCH] various fixes and some new tests + +------------------------------------------------------------------- +Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann + +- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet + +------------------------------------------------------------------- +Thu Apr 27 16:12:06 UTC 2023 - Dominique Leuenberger + +- Prefix /etc/libica with %dir to ensure we don't package + unversioned files in libica4, as otherwise we violate SLPP. + +------------------------------------------------------------------- +Thu Apr 27 14:34:27 UTC 2023 - Otto Hollmann + +- Add /etc/libica directory into %files section. + +------------------------------------------------------------------- +Fri Feb 17 11:08:33 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 4.2.1 (jsc#PED-2872) + - [PATCH] fix regression opening shared memory + +------------------------------------------------------------------- +Mon Jan 16 13:00:34 UTC 2023 - Marcus Meissner + +- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365). + - [FEATURE] Display build info via icainfo -v + - [FEATURE] New API function ica_get_build_version() + - [FEATURE] Display fips indication via icainfo -f + - [FEATURE] New API function ica_get_fips_indicator() + - [FEATURE] New API function ica_aes_gcm_initialize_fips() + - [FEATURE] New API function ica_aes_gcm_kma_get_iv() + - [FEATURE] New API function ica_get_msa_level() + - [PATCH] icainfo: check for malloc error when getting functionlist + +------------------------------------------------------------------- +Tue Oct 11 20:32:12 UTC 2022 - Mark Post + +- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365). + v4.1.1 + - [PATCH] Fix aes-xts multi-part operations + [PATCH] Fix make dist + v4.1.0 + - [FEATURE] FIPS: make libica FIPS 140-3 compliant + [FEATURE] New API function ica_ecdsa_sign_ex() + [FEATURE] New icainfo output option -r + - [PATCH] Various bug fixes +- Removed the following obsolete files: + baselibs.conf + icaioctl.h + +------------------------------------------------------------------- +Mon Sep 12 19:09:59 UTC 2022 - Mark Post + +- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629) + v4.0.3 + - [PATCH] Reduce the number of open file descriptors + - [PATCH] Various bug fixes + v4.0.2 + - [PATCH] Various bug fixes + v4.0.1 + - [PATCH] Various bug fixes + - [PATCH] Compute HMAC from installed library + v4.0.0 + - [UPDATE] NO_SW_FALLBACKS is now the default for libica.so + [UPDATE] Removed deprecated API functions including tests + [UPDATE] Introduced 'const' for some API function parameters + [FEATURE] icastats: new parm -k to display detailed counters +- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated + version named libica-sles15sp5-FIPS-hmac-key.patch. +- Updated the libica-rpmlintrc file to suppress warnings about the + libica-cex hmac files being hidden. +- Updated the spec file to properly both obsolete and provide two + older versions of the package. + +------------------------------------------------------------------- +Tue Oct 19 21:20:22 UTC 2021 - Mark Post + +- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564) + - [FEATURE] Add support for OpenSSL 3.0 + - [FEATURE] icainfo: new parm -c to display available EC curves +- Replaced the obsolete PreReq: %fillup_prereq + with Requires(post): %fillup_prereq + in the spec file. + +------------------------------------------------------------------- +Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek + +- Update to version 3.8.0 (jsc#SLE-18334) + - [FEATURE] provide libica-cex module to satisfy special security requirements + - [FEATURE] FIPS: enforce the HMAC check +- Remove upstreamed patches: + - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch + - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch + - libica-sles15sp2-Zeroize-local-variables.patch +- Remove patches obsoleted by upstrea developent: + * FIPS: Find libica from phdrs. + - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch + * FIPS: enforce the hmac check + - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch +- Fix up tests and hmac generation + + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch +- Remove obsolete attributes from filelists + +------------------------------------------------------------------- +Fri Sep 18 20:59:39 UTC 2020 - Mark Post + +- Upgraded to version 3.7.0 (jsc#SLE-13708) + * Version 3.7.0 + - [FEATURE] FIPS: Add HMAC based library integrity check + - [PATCH] icainfo: bugfix for RSA and EC related info for software column. + - [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests + - [PATCH] FIPS: Fix DES and TDES key length + - [PATCH] icastats: Fix stats counter format + * Version 3.6.1 + - [PATCH] Fix x25519 and x448 handling of non-canonical values +- Removed the following obsolete patches + * libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch + * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch + * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch + * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch + * libica-sles15sp2-Build-with-pthread-flag.patch + * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch + * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch + * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch + +------------------------------------------------------------------- +Tue Sep 15 21:08:38 UTC 2020 - Mark Post + +- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277) + * Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch + * Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch +- Fix FIPS hmac check (bsc#1175356). + * Update FIPS support to upstream + - Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch + from upstream. + - Add libica-sles15sp2-Build-with-pthread-flag.patch + - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch + - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch + - Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch + * FIPS check should fail when hmac is missing + - Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch + - Create an hmac for the selftest + - Check that selftest fails without a hmac + - Hash libica.so.3 rather than libica.so.3.6.0 + * Fix hmac key format. It should be hexadecimal, not ASCII + - Refresh libica-sles15sp2-FIPS-hmac-key.patch +- Fix Some internal variables used to store sensitive information + (keys) were not zeroized before returning to the calling application. + (bsc#1175357) + * Added libica-sles15sp2-Zeroize-local-variables.patch +- Updated libica-rpmlintrc to eliminate the warning about the HMAC file + being a hidden file. It is supposed to be hidden. + +------------------------------------------------------------------- +Thu May 7 18:01:31 UTC 2020 - Mark Post + +- Added the following patches for FIPS certification (bsc#1162533) + * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch + * libica-sles15sp2-FIPS-hmac-key.patch +- Added a BuildRequires for the fipscheck package. +- Made a couple of changes to the spec file based upon recommendations + by spec-cleaner. + +------------------------------------------------------------------- +Wed Apr 8 18:55:24 UTC 2020 - Mark Post + +- Added the following patches for FIPS certification. + * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch + (bsc#1166071) Although a DES key has only 56 effective bits, + all 64 bits must be considered, because the parity bits are + spread over all 8 bytes of the key. + * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch + (bsc#1166210) FIPS tests require the output iv to be the iv + resulting from decrypting the last block with a zero iv as input. + * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch + (bsc#1166224) The output from icainfo never shows 'yes' for + RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN, + due to the missing ICA_FLAG_SW flag in the icaList. + +------------------------------------------------------------------- +Thu Nov 14 22:45:16 UTC 2019 - Mark Post + +- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch + (bsc#1156768) + +------------------------------------------------------------------- +Tue Oct 15 18:53:36 UTC 2019 - Mark Post + +- Upgraded to version 3.6.0 (jsc#SLE-7584) + * [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448 + +------------------------------------------------------------------- +Fri Aug 30 21:46:50 UTC 2019 - Mark Post + +- Upgraded to version 3.5.0 (Fate#327840) + - [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify +- Reworked how libica-tools loads and unloads kernel modules to + avoid spurious error messages (bsc#1134004): + * Converted the boot.z90crypt sysV init script to a systemd unit + file. + * Removed any references to insserv in the spec file. + * Updated the z90crypt script itself to properly load and unload + the kernel modules as they exist today. + * Eliminated the obsolete libica-SuSE.tar.bz2 archive. +- Updated the README.SUSE file to reflect the change from sysV init + style script to systemd. +- Made numerous changes to the spec file, based on the output from + the spec-cleaner command. + +------------------------------------------------------------------- +Wed Jul 24 10:09:46 UTC 2019 - Martin Pluskal + +- Run testsuite during build + +------------------------------------------------------------------- +Thu Nov 15 19:16:30 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.4.0 (Fate#325690) + * v3.4.0 + [FEATURE] Add SHA-512/224 and SHA-512/256 support +- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch +- Made numerous updates to spec file based on spec-cleanup run. + +------------------------------------------------------------------- +Wed Nov 14 18:01:37 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.3.3 (Fate#325690) + * v3.3.3 + [PATCH] Various bug fixes + * v3.3.2 + [PATCH] Skip ECC tests if required HW is not available + [PATCH] Update spec file + * v3.3.1 + [PATCH] Fix configure.ac to honour CFLAGS + * v3.3.0 + [FEATURE] Add CEX supported elliptic-curve crypto interfaces + [FEATURE] Add SIMD supported multiple-precision arithmetic interfaces + [FEATURE] Add interface to enable/disable SW fallbacks + [FEATURE] Add 'make check' target, test-suite rework + * v3.2.1 + [FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG. + [PATCH] Various bug fixes. +- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch +- Removed COPYING from %files, since it is no longer in the tarball. +- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch + (bsc#1103493). +- Made multiple changes to the spec file based on the output of + spec-cleaner + +------------------------------------------------------------------- +Mon Oct 22 19:09:13 UTC 2018 - mpost@suse.com + +- Added "Obsoletes: libica-2_3_0" to the libica-tools package to + fix a problem with upgrading from SLES12 SP2 to either SLES12 + SP3/SP4, or SLES15. (bsc#1112655) + +------------------------------------------------------------------- +Tue Sep 11 17:19:57 UTC 2018 - mpost@suse.com + +- Added "Obsoletes: libica2" to the libica-tools package to fix + a problem with upgrading from SLES12 SP2 to either SLES12 + SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638) + +------------------------------------------------------------------- +Wed Apr 18 02:29:29 UTC 2018 - mpost@suse.com + +- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756) +- Updated boot.z90crypt script to fix a problem with the modprobe + command not being found. (bsc#1040229). +- Added "Recommends: libica-tools" (bsc#1046435). + +------------------------------------------------------------------- +Thu Nov 23 13:53:22 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Wed Oct 4 19:22:58 UTC 2017 - mpost@suse.com + +- Added "--enable-fips" to the %configure parms (Fate#324115) + +------------------------------------------------------------------- +Fri Sep 22 21:27:04 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.2 (Fate#321517) + * v3.2.0 + [FEATURE] New AES-GCM interface. + [UPDATE] Add symbol versioning. + * v3.1.1 + [PATCH] Various bug fixes related to old and new AES-GCM implementations. + [UPDATE] Add SHA3 test cases. Improved and extended test suite. + * v3.1.0 + [FEATURE] Add KMA support for AES-GCM. + [FEATURE] Add SHA-3 support. + [PATCH] Reject RSA keys with invalid key-length. + [PATCH] Allow zero output length for ica_random_number_generate. + [PATCH] icastats: Correct owner of shared segment when root creates it. + * Removed the following obsolete patches: + libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch + libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch + libica-3.0.2-03-fix-aes-ctr.patch + libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch + +------------------------------------------------------------------- +Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com + +- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567) + - Added the following patches (bsc#1058567) + - libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch + - libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch + - libica-3.0.2-03-fix-aes-ctr.patch + - libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch + +------------------------------------------------------------------- +Thu Jun 1 14:36:04 UTC 2017 - fcrozat@suse.com + +- baselibs.conf doesn't need any additional provides/conflicts for + libica3. + +------------------------------------------------------------------- +Fri May 12 09:07:34 UTC 2017 - fcrozat@suse.com + +- Update baselibs.conf with proper name for library package name, + stop providing/obsoleting libica-2_1_0/libica-2_3-0. + +------------------------------------------------------------------- +Tue May 9 17:23:11 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.0.2 (Fate#322025). + - v3.0.2 + - Fix locking callbacks for openSSL APIs. + - v3.0.1 + - Fixed msa level detection on zEC/BC12 GA1 and predecessors. + - v3.0.0 + - Added FIPS mode. + - Sanitized exported symbols. + - Removed deprecated APIs. Marked some APIs as deprecated. + - Adapted to OpenSSL v1.1.0. + - RSA key generation is thread-safe now. +- Removed the following obsolete patches: + - fix-initialization-of-s390-hardware-switches-1.patch + - fix-initialization-of-s390-hardware-switches-2.patch + - fix-msa-level-detection.patch + - fix-segfault-during-multithread-keygen.patch + - rng-performance.patch + +------------------------------------------------------------------- +Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com + +- Made the following packaging changes: + - Implemented the shared library packaging guidelines. + - Consolidated double invocation of %setup into just one. + - Dropped redundant %ifarch, the package is already ExclusiveArch. + - Updated descriptions. +- Added an libica-rpmlintrc file. + +------------------------------------------------------------------- +Wed Nov 30 20:04:29 UTC 2016 - mpost@suse.com + +- Added the following two patches: + - fix-segfault-during-multithread-keygen.patch (bsc#991485) + - fix-msa-level-detection.patch (bsc#1010927) + +------------------------------------------------------------------- +Tue Aug 2 16:00:30 UTC 2016 - mpost@suse.com + +- Added rng-performance.patch (bsc#990850). + +------------------------------------------------------------------- +Tue Jun 14 21:03:41 UTC 2016 - mpost@suse.com + +- Updated baselibs.conf to obsolete prior versions of the 32bit + package. (bsc#983897): + provides "libica- = " + obsoletes "libica- < " + provides "libica-2_1_0- = " + obsoletes "libica-2_1_0- < " + provides "libica-2_3_0- = " + obsoletes "libica-2_3_0- < " + +------------------------------------------------------------------- +Wed May 18 16:52:44 UTC 2016 - mpost@suse.com + +- Added fix-initialization-of-s390-hardware-switches-1.patch and + fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548) + +------------------------------------------------------------------- +Mon Feb 22 19:12:49 UTC 2016 - mpost@suse.com + +- Upgraded to version 2.6.2 (FATE#319610). +- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to + naming standards. +- Found the original location of the icaioctl.h file and downloaded + it to replace what we had previously. +- Removed the unnecessary libica2.la file +- Removed unnecessary Requires for glibc-devel +- Added Requires libica2 to the -devel package +- Converted call to configure to %configure macro +- Removed obsolete and unnecessary INSROOT and bindir parameters + from the make install command + +------------------------------------------------------------------- +Fri Nov 6 16:02:05 CET 2015 - pth@suse.de + +- Add Provides/Obsoletes for libica-2_3_0 so that the package from + SLE12 GA is replaced (bsc#953096). + +------------------------------------------------------------------- +Wed Nov 4 10:41:19 UTC 2015 - meissner@suse.com + +- move the .so file to the mainpackage, the openssl-ibmca engine + will only load "libica.so" (bsc#952871) + +------------------------------------------------------------------- +Mon Aug 17 21:04:40 UTC 2015 - jjolly@suse.com + +- Update to libica v2.4.2 (FATE#318035) +- Removed outdated libica-aes_ccm-31-bit-compatibility.patch +- Moved init script into libica-SuSE.tar.bz2 archive + +------------------------------------------------------------------- +Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- +Wed Aug 13 18:01:15 UTC 2014 - jjolly@suse.com + +- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root +- Removed libica-SuSE.tar.bz2 +- z90crypt now starts and stops ap kernel module (bnc#888943) + +------------------------------------------------------------------- +Tue Mar 18 13:21:03 UTC 2014 - jjolly@suse.com + +- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM: + fixed 64/31 bit compatibility + +------------------------------------------------------------------- +Thu Mar 6 14:51:45 CET 2014 - ro@suse.de + +- add obsoletes and provides for older libica versions + +------------------------------------------------------------------- +Wed Mar 5 18:33:02 CET 2014 - ro@suse.de + +- update to 2.3.0 (fate#315342) +- obsolete/upstreamed patches: + libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch + libica-2_1_0-msa4-extension.patch + libica-2_1_0-synchronize_shared_memory_ref_counting.patch + +------------------------------------------------------------------- +Wed Feb 19 06:04:25 UTC 2014 - jjolly@suse.com + +- Added COPYING to %files + +------------------------------------------------------------------- +Tue Feb 18 14:33:13 UTC 2014 - jjolly@suse.com + +- Fixed build dependency errors by requiring autoconf, automake + and libtool +- Changed license to CPL-1.0 +- Created devel package + +------------------------------------------------------------------- +Fri Dec 21 14:49:54 UTC 2012 - uli@suse.com + +- Support for MSA4 extension (bnc#794518, fate#314078) + +------------------------------------------------------------------- +Thu Oct 6 10:46:26 UTC 2011 - uli@suse.com + +- synchronize shared memory reference counting for library + statistics (bnc#719659) +- fix temporary buffer allocation in ica_get_version() (bnc#719660) + +------------------------------------------------------------------- +Tue Jun 14 11:50:13 CEST 2011 - uli@suse.de + +- update -> 2.1.0 (fate#311914) + +------------------------------------------------------------------- +Fri Jan 23 22:40:55 CET 2009 - jjolly@suse.de + +- Moved icainfo into /usr/bin (bnc#448643) + +------------------------------------------------------------------- +Tue Jan 13 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Wed Nov 5 01:34:34 CET 2008 - ro@suse.de + +- fix build on all platforms + +------------------------------------------------------------------- +Sun Nov 2 01:56:40 CET 2008 - jjolly@suse.de + +- Added CPL license to include/z90crypt.h, removed GPL reference + (This patch is upstream) + +------------------------------------------------------------------- +Wed Oct 15 15:55:55 CEST 2008 - jjolly@suse.de + +- Changed package name to libica-1_3_9 to conform to rpmlint + requirements. (bnc#433432) + +------------------------------------------------------------------- +Thu Sep 25 10:34:00 CEST 2008 - jjolly@suse.de + +- Removed soname filter for rpmlint +- Several RPM fixes to help satisfy rpmlint + +------------------------------------------------------------------- +Fri Sep 12 06:54:16 CEST 2008 - jjolly@suse.de + +- Updated to libica 1.3.9 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Thu Aug 9 19:20:07 CEST 2007 - olh@suse.de + +- remove inclusion of linux/config.h + +------------------------------------------------------------------- +Mon Mar 12 14:02:57 CET 2007 - uli@suse.de + +- z90crypt: handle errors (bug #247799) + +------------------------------------------------------------------- +Mon May 22 08:43:22 CEST 2006 - aj@suse.de + +- Add gcc-c++ to BuildRequires. + +------------------------------------------------------------------- +Fri May 19 16:50:02 CEST 2006 - ro@suse.de + +- fix build for the rest of platforms + +------------------------------------------------------------------- +Fri May 19 15:34:30 CEST 2006 - hare@suse.de + +- Update to libica 1.3.7 (#160036 - LTC22571) + +------------------------------------------------------------------- +Fri Apr 21 14:31:10 CEST 2006 - hare@suse.de + +- Increasing # of open handles with symmetric crypto support + (#165323 - LTC23095) + +------------------------------------------------------------------- +Wed Jan 25 21:37:29 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Dec 14 01:30:49 CET 2005 - ro@suse.de + +- include string.h and unistd.h in icalinux.c + +------------------------------------------------------------------- +Mon Dec 12 15:09:25 CET 2005 - hare@suse.de + +- Port package from SLES9 SP3 +- Update to libica 1.3.6-rc3. + +------------------------------------------------------------------- +Wed Nov 2 16:23:24 CET 2005 - hare@suse.de + +- Close all filehandles (#130060 - LTC19221). + +------------------------------------------------------------------- +Wed Oct 5 14:07:28 CEST 2005 - uli@suse.de + +- downgrade to libica 1.3.6-rc2 (contains AES software fallback, + bug #117336) + +------------------------------------------------------------------- +Thu Sep 29 12:44:50 CEST 2005 - hare@suse.de + +- Update to libica 1.3.6 (#117336) + +------------------------------------------------------------------- +Fri Sep 23 02:05:26 CEST 2005 - ro@suse.de + +- fix implicit declaration + +------------------------------------------------------------------- +Wed Aug 31 13:20:55 CEST 2005 - ihno@suse.de + +- Changing the default value from 0 to -1 in rcz90crypt (#114371) + +------------------------------------------------------------------- +Mon May 23 17:52:05 CEST 2005 - hare@suse.de + +- Finally fix 'reload' messages (#81824 - LTC15733). + +------------------------------------------------------------------- +Fri May 20 12:11:51 CEST 2005 - hare@suse.de + +- Fix sigill patch. + +------------------------------------------------------------------- +Wed May 18 13:17:39 CEST 2005 - hare@suse.de + +- Remove printf output from sigill patch (#81829 - LTC15731). + +------------------------------------------------------------------- +Tue May 10 12:56:38 CEST 2005 - hare@suse.de + +- Use correct default value for z90crypt (#81825 - LTC15732). + +------------------------------------------------------------------- +Mon May 9 14:49:52 CEST 2005 - hare@suse.de + +- Fix messages for 'reload' (#81824 - LTC15733). + +------------------------------------------------------------------- +Tue Feb 8 16:58:02 CET 2005 - hare@suse.de + +- Fixed SIGILL on z900 (#46422). + +------------------------------------------------------------------- +Fri Jul 23 10:06:08 CEST 2004 - hare@suse.de + +- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005). + +------------------------------------------------------------------- +Wed Jul 14 08:22:27 CEST 2004 - hare@suse.de + +- Fix module loading error (#42006). +- Add sysconfig variable to set the 'domain' parameter (#42005). + +------------------------------------------------------------------- +Wed Jun 23 12:58:58 CEST 2004 - uli@suse.de + +- update -> 1.3.5-3 (bug #42122) + +------------------------------------------------------------------- +Mon May 24 18:28:27 CEST 2004 - bk@suse.de + +- Update README.SuSE and correct name as well +- Use modprobe instead of insmod and fix module load error(#40526) +- Fix error checking for no hardware found case and hw error on load + +------------------------------------------------------------------- +Fri May 7 15:15:17 CEST 2004 - hare@suse.de + +- Update Readme again for the correct name (SUSE LINUX Server). +- Moved README.SuSE to README.SUSE. + +------------------------------------------------------------------- +Fri May 7 15:00:51 CEST 2004 - hare@suse.de + +- Update Readme to refer to the correct name (SUSE Linux Server). + +------------------------------------------------------------------- +Thu May 6 09:01:53 CEST 2004 - hare@suse.de + +- Update to 1.3.5-2 (#38511, #39693). +- Update Readme to refer to SUSE Linux Server instead of + SuSE Linux Enterprise Server. + +------------------------------------------------------------------- +Thu Apr 1 09:50:02 CEST 2004 - hare@suse.de + +- Update to 1.3.5 +- export CFLAGS & CPPFLAGS for configure +- Exclude S/390-specific files for other archs (#37183) + +------------------------------------------------------------------- +Fri Jan 16 01:29:03 CET 2004 - ro@suse.de + +- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS + +------------------------------------------------------------------- +Tue Jan 13 10:00:42 CET 2004 - adrian@suse.de + +- fix build + +------------------------------------------------------------------- +Sun Jan 11 21:07:44 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Wed Jul 30 18:14:08 CEST 2003 - poeml@suse.de + +- update to 1.3.4 + +------------------------------------------------------------------- +Sun Jul 27 16:37:20 CEST 2003 - poeml@suse.de + +- update to 1.3.2 + +------------------------------------------------------------------- +Fri Jul 11 11:30:22 CEST 2003 - poeml@suse.de + +- update to 1.3.1: + now supports DES, TDES and SHA, as well as RSA. +- throw libica.patch away, since autoversion and Makefile.am have + similar changes now, and the renaming from _LINUX_S390_ to + __s390__ is not really necessary +- use %defattr +- checked that icaioctl.h is still current +- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone + open source meanwhile and comes with the kernel sources + +------------------------------------------------------------------- +Thu Oct 31 10:45:00 CET 2002 - froh@suse.de + +- added documentation how to set up crypto hardware support, + esp. S/390 and zSeries. (#16011, #22056) + +------------------------------------------------------------------- +Thu Oct 10 11:07:07 CEST 2002 - froh@suse.de + +- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5 + actually work. (#20737) + +------------------------------------------------------------------- +Tue Aug 20 10:52:45 CEST 2002 - mmj@suse.de + +- Correct PreReq + +------------------------------------------------------------------- +Wed Jul 31 15:00:23 CEST 2002 - froh@suse.de + +- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and + to build on non-s390 + +------------------------------------------------------------------- +Tue Jul 30 10:56:33 CEST 2002 - froh@suse.de + +- updated to current libica +- hacked in icaioctl.h for build, 'til we have the module in the + kernel. + +------------------------------------------------------------------- +Sat Jul 27 16:16:35 CEST 2002 - adrian@suse.de + +- add %run_ldconfig + +------------------------------------------------------------------- +Tue May 7 14:27:50 CEST 2002 - ro@suse.de + +- fix for current automake/autoconf + +------------------------------------------------------------------- +Sat Apr 27 11:12:11 CEST 2002 - ro@suse.de + +- removed old fillup-template and START_ variable + +------------------------------------------------------------------- +Wed Mar 27 17:58:50 CET 2002 - ihno@suse.de + +- modified etc/init.d/z90crypt-script to report result at start. + +------------------------------------------------------------------- +Tue Feb 5 11:01:16 CET 2002 - froh@suse.de + +- Added openssl to #neededforbuild, which is needed in addition to + openssl-devel + +------------------------------------------------------------------- +Wed Jan 30 16:20:48 CET 2002 - froh@suse.de + +- initial version + +------------------------------------------------------------------- diff --git a/libica.spec b/libica.spec new file mode 100644 index 0000000..00b1216 --- /dev/null +++ b/libica.spec @@ -0,0 +1,216 @@ +# +# spec file for package libica +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir %{_localstatedir}/adm/fillup-templates +%endif + +Name: libica +Version: 4.3.1 +Release: 0 +Summary: Library interface for the IBM Cryptographic Accelerator device driver +License: CPL-1.0 +Group: Hardware/Other +URL: https://github.com/opencryptoki/libica +Source: https://github.com/opencryptoki/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source1: README.SUSE +Source2: sysconfig.z90crypt +Source3: z90crypt +Source4: z90crypt.service +Source5: %{name}-rpmlintrc +### +Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch +Patch99: libica-sles15sp5-FIPS-hmac-key.patch +### +Patch110: libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch +Patch111: libica-02-fips-update-Change-service-indicator-implementation.patch +Patch112: libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch +Patch113: libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch +### + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: fipscheck +BuildRequires: gcc-c++ +BuildRequires: libtool +BuildRequires: openssl +BuildRequires: openssl-devel +Requires(post): %fillup_prereq +ExclusiveArch: s390 s390x + +%description +This package contains the interface library routines used by IBM +modules to interface with the IBM eServer Cryptographic Accelerator +(ICA). + +%package -n libica4 +Summary: Library interface for the IBM Cryptographic Accelerator +Group: System/Libraries +# Recommends: libica-tools +Requires: libica-tools + +%description -n libica4 +This package contains the interface library routines used by IBM +modules to interface with the IBM eServer Cryptographic Accelerator +(ICA). + +%package tools +Summary: Utilities for the IBM Cryptographic Accelerator +Group: Hardware/Other +Obsoletes: libica < %{version}-%{release} +Obsoletes: libica-2_3_0 < %{version}-%{release} +Obsoletes: libica2 < %{version}-%{release} +Obsoletes: libica3 < %{version}-%{release} +Provides: libica = %{version}-%{release} +Provides: libica-2_3_0 = %{version}-%{release} +Provides: libica-plugin = %{version}-%{release} +Provides: libica2 = %{version}-%{release} +Provides: libica3 = %{version}-%{release} + +%description tools +This package contains command-line utilities to inspect the IBM +eServer Cryptographic Accelerator (ICA). + +%package devel +Summary: Development files for the ICA device driver interface library +Group: Development/Libraries/C and C++ +Requires: libica4 = %{version} +Requires: libopenssl-devel +Obsoletes: libica-2_1_0-devel < %{version}-%{release} +Provides: libica-2_1_0-devel = %{version}-%{release} +Obsoletes: libica-2_3_0-devel < %{version}-%{release} +Provides: libica-2_3_0-devel = %{version}-%{release} + +%description devel +This package contains the interface library routines used by IBM +modules to interface with the IBM eServer Cryptographic Accelerator +(ICA). + +This subpackage contains the necessary files to compile and link +using the libica library. + +%package devel-static +Summary: Static Development files for the ICA device driver interface library +Group: Development/Libraries/C and C++ +Requires: libica-devel + +%description devel-static +This package contains the interface library routines used by IBM +modules to interface with the IBM eServer Cryptographic Accelerator +(ICA). + +This RPM contains all the tools necessary to compile and link using +the libica library. + +%prep +%autosetup -p 1 + +%build +autoreconf --force --install +%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \ + --enable-fips + +%make_build clean +%make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release" + +%define major %(echo %{version} | sed -e 's/[.].*//') + +%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }} + +%install +%make_install FIPSHMAC=fipshmac +make fipsinstall FIPSHMAC=fipshmac DESTDIR=%{buildroot} +mkdir -p %{buildroot}%{_includedir} +cp -p include/ica_api.h %{buildroot}%{_includedir} +mkdir -p %{buildroot}%{_sbindir} +ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt +install -D %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.z90crypt +install -D %{SOURCE3} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt +install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service +# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped +# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it +# and the dangling symlink test would fail +chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac + +cp -a %{SOURCE1} . +rm -vf %{buildroot}%{_libdir}/libica*.la +rm -f %{buildroot}%{_datadir}/doc/libica/* +rmdir %{buildroot}%{_datadir}/doc/libica +# rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf +# rmdir %{buildroot}/%{_sysconfdir}/libica + +%check +%make_build check FIPSHMAC=fipshmac + +%pre tools +%service_add_pre z90crypt.service + +%post tools +%service_add_post z90crypt.service +%{fillup_only -n z90crypt} + +%preun tools +%service_del_preun z90crypt.service + +%postun tools +%service_del_postun z90crypt.service + +%post -n libica4 -p /sbin/ldconfig +%postun -n libica4 -p /sbin/ldconfig + +%files -n libica4 +%{_libdir}/libica.so.%{version} +%{_libdir}/libica.so.%{major} +%{_libdir}/.libica.so.%{version}.hmac +%{_libdir}/.libica.so.%{major}.hmac +%{_libdir}/libica-cex.so.%{version} +%{_libdir}/libica-cex.so.%{major} +%{_libdir}/.libica-cex.so.%{version}.hmac +%{_libdir}/.libica-cex.so.%{major}.hmac +### Enable FIPS +%dir %{_sysconfdir}/libica +%{_sysconfdir}/libica/openssl3-fips.cnf +### + +%files tools +%license LICENSE +%doc README.SUSE +%{_sbindir}/rcz90crypt +%attr(644,root,root) %{_fillupdir}/sysconfig.z90crypt +%{_bindir}/icainfo +%{_bindir}/icainfo-cex +%{_bindir}/icastats +%{_mandir}/man1/icainfo.1%{?ext_man} +%{_mandir}/man1/icainfo-cex.1%{?ext_man} +%{_mandir}/man1/icastats.1%{?ext_man} +%dir %{_prefix}/lib/systemd/scripts +%{_prefix}/lib/systemd/scripts/z90crypt +%{_prefix}/lib/systemd/system/z90crypt.service +# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871 +%{_libdir}/libica.so + +%files devel +%{_includedir}/ica_api.h +%{_libdir}/libica-cex.so + +%files devel-static +%{_libdir}/libica.a +%{_libdir}/libica-cex.a + +%changelog diff --git a/sysconfig.z90crypt b/sysconfig.z90crypt new file mode 100644 index 0000000..663ca97 --- /dev/null +++ b/sysconfig.z90crypt @@ -0,0 +1,10 @@ +## Path: Kernel/z90Crypt +## Description: Set domain parameter for z90crypt +## Type: integer(-1:15) +## Default: -1 +# +# This variable selects the crypto domain to be used, +# required if an LPAR owns several crypto domains. +# The value of -1 is used for autodetect. +# +Z90CRYPT_DOMAIN=-1 diff --git a/z90crypt b/z90crypt new file mode 100644 index 0000000..6810c9f --- /dev/null +++ b/z90crypt @@ -0,0 +1,21 @@ +#!/bin/sh +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +MODULE_LIST="pkey zcrypt_pcixcc zcrypt_cex2a zcrypt_cex4 zcrypt rng_core" +case "${1}" in + start) for module in ${MODULE_LIST} + do if ! grep -q ^{$module} /proc/modules ; then + modprobe ${module} + fi + done + ;; + stop) for module in ${MODULE_LIST} + do if grep -q ^${module} /proc/modules ; then + rmmod ${module} + fi + done + ;; +esac diff --git a/z90crypt.service b/z90crypt.service new file mode 100644 index 0000000..73da4f1 --- /dev/null +++ b/z90crypt.service @@ -0,0 +1,13 @@ +[Unit] +Description=Activate any cryptographic hardware +After=systemd-modules-load.service + +[Service] +Type=oneshot +RemainAfterExit=yes + +ExecStart=/usr/lib/systemd/scripts/z90crypt start +ExecStop=/usr/lib/systemd/scripts/z90crypt stop + +[Install] +WantedBy=default.target