Accepting request 835924 from devel:openSUSE:Factory

OBS-URL: https://build.opensuse.org/request/show/835924
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=20
This commit is contained in:
Dominique Leuenberger 2020-09-22 19:12:27 +00:00 committed by Git OBS Bridge
commit d3aee5742a
12 changed files with 31 additions and 782 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7762e86d288f66f4ab7a4b020b8e82d52506fff6860b4506e3774d70d2ef3a64
size 538264

3
libica-3.7.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a08fe8a3a5cb1fe75f2488d47f4785e92966c43bf8405f638fa1b2990823a505
size 542422

View File

@ -1,26 +0,0 @@
From 64ff9599a7d17a5edc534a750777536b43e9c386 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Mon, 9 Sep 2019 14:30:42 +0200
Subject: [PATCH] Build with -pthread flag
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index ff6bb49..5e75074 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,7 +7,7 @@ AM_CFLAGS = @FLAGS@
lib_LTLIBRARIES = libica.la
libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
- -fvisibility=hidden
+ -fvisibility=hidden -pthread
libica_la_CCASFLAGS = ${AM_CFLAGS}
libica_la_LIBADD = @LIBS@ -lrt -lcrypto
libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
--
2.26.2

View File

@ -1,48 +0,0 @@
From 422913a4834a6bc35270d5d890cb43c84779f18d Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 May 2020 09:50:20 +0200
Subject: [PATCH] FIPS: HMAC based library integrity check addon
Initialize path variable with nulls by using calloc instead of
malloc, improve checking of hmac length.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index bab00db..a1c6f5f 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -154,7 +154,7 @@ static char *make_hmac_path(const char *origpath)
char *path;
const char *fn;
- path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath) + 1);
+ path = calloc(1, sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath) + 1);
if (path == NULL)
return NULL;
@@ -184,6 +184,9 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
size_t hlen, len;
long keylen;
+ *buf = NULL;
+ *hmaclen = 0;
+
keybuf = OPENSSL_hexstr2buf(hmackey, &keylen);
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, keybuf, (int)keylen);
if (!pkey)
@@ -270,7 +273,7 @@ static int FIPSCHECK_verify(const char *path)
if (compute_file_hmac(path, &buf, &buflen) != 0)
goto end;
- if (memcmp(buf, hmac_buf, hmaclen) != 0)
+ if (memcmp(buf, hmac_buf, buflen) != 0)
goto end;
rc = 1;
--
2.26.2

View File

@ -1,74 +0,0 @@
From 2078b62947d2e0f2641b48975786e839d6396be8 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 May 2020 09:52:36 +0200
Subject: [PATCH] FIPS: HMAC based library integrity check, rename variables
Rename variables to more speaking names, no logic change.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index a1c6f5f..07310c3 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -245,12 +245,12 @@ static int FIPSCHECK_verify(const char *path)
{
int rc = 0;
FILE *fp;
- unsigned char *hmac_buf = NULL;
+ unsigned char *known_hmac = NULL;
long hmaclen;
char *hmacpath, *p;
- char *hmac_str = NULL;
- size_t n, buflen;
- void *buf = NULL;
+ char *known_hmac_str = NULL;
+ size_t n, computed_hmac_len;
+ void *computed_hmac = NULL;
hmacpath = make_hmac_path(path);
if (hmacpath == NULL)
@@ -262,29 +262,29 @@ static int FIPSCHECK_verify(const char *path)
goto end;
}
- if (getline(&hmac_str, &n, fp) <= 0)
+ if (getline(&known_hmac_str, &n, fp) <= 0)
goto end;
- if ((p = strchr(hmac_str, '\n')) != NULL)
+ if ((p = strchr(known_hmac_str, '\n')) != NULL)
*p = '\0';
- hmac_buf = OPENSSL_hexstr2buf(hmac_str, &hmaclen);
+ known_hmac = OPENSSL_hexstr2buf(known_hmac_str, &hmaclen);
- if (compute_file_hmac(path, &buf, &buflen) != 0)
+ if (compute_file_hmac(path, &computed_hmac, &computed_hmac_len) != 0)
goto end;
- if (memcmp(buf, hmac_buf, buflen) != 0)
+ if (memcmp(computed_hmac, known_hmac, computed_hmac_len) != 0)
goto end;
rc = 1;
end:
- free(buf);
- free(hmac_str);
+ free(computed_hmac);
+ free(known_hmac_str);
free(hmacpath);
- OPENSSL_free(hmac_buf);
+ OPENSSL_free(known_hmac);
if (fp)
fclose(fp);
--
2.26.2

View File

@ -1,354 +0,0 @@
From 231bba3b32bd246d8286f1c7dc231d836ea92bd9 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Mon, 27 Apr 2020 11:18:26 +0200
Subject: [PATCH] FIPS: introduce HMAC based library integrity check
When in FIPS mode, perform an integrity check on libica.so by calculating
an HMAC from the file contents using a static HMAC key, and comparing it
to a pre-calculated HMAC in a separate file. The HMAC key and HMAC file
may be provided by a Distributor when building the packet. The test
succeeds if the HMAC file is not present.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
include/ica_api.h | 2 +-
src/Makefile.am | 4 +-
src/fips.c | 224 ++++++++++++++++++++++++++++++++++++++++++++-
src/include/fips.h | 4 +-
test/fips_test.c | 4 +
5 files changed, 232 insertions(+), 6 deletions(-)
diff --git a/include/ica_api.h b/include/ica_api.h
index 91bf0be..8221f55 100644
--- a/include/ica_api.h
+++ b/include/ica_api.h
@@ -216,7 +216,7 @@ typedef ica_adapter_handle_t ICA_ADAPTER_HANDLE;
*/
/* Cryptographic algorithm test (KAT or pair-wise consistency test) */
#define ICA_FIPS_CRYPTOALG 2
-/* Software/Firmware integrity test (not implemented yet) */
+/* Software/Firmware integrity test */
#define ICA_FIPS_INTEGRITY 4
/* Critical functions test (N/A) */
#define ICA_FIPS_CRITICALFUNC 8
diff --git a/src/Makefile.am b/src/Makefile.am
index 65f471f..9e4ef52 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -9,7 +9,7 @@ lib_LTLIBRARIES = libica.la
libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
-fvisibility=hidden -pthread
libica_la_CCASFLAGS = ${AM_CFLAGS}
-libica_la_LIBADD = @LIBS@ -lrt -lcrypto
+libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl
libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
-version-number ${VERSION}
libica_la_SOURCES = ica_api.c init.c icastats_shared.c s390_rsa.c \
@@ -53,7 +53,7 @@ internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \
-DICA_INTERNAL_TEST \
-DICA_INTERNAL_TEST_EC
internal_tests_ec_internal_test_CCASFLAGS = ${AM_CFLAGS}
-internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread
+internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread -ldl
internal_tests_ec_internal_test_SOURCES = \
ica_api.c init.c icastats_shared.c s390_rsa.c \
s390_crypto.c s390_ecc.c s390_prng.c s390_sha.c \
diff --git a/src/fips.c b/src/fips.c
index d09a553..bab00db 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -13,11 +13,13 @@
#include <errno.h>
#include <openssl/crypto.h>
+#include <openssl/evp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
+#include <dlfcn.h>
#include <openssl/opensslconf.h>
#ifdef OPENSSL_FIPS
@@ -28,6 +30,24 @@
#include "ica_api.h"
#include "test_vec.h"
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
+#define HMAC_PREFIX "."
+#define HMAC_SUFFIX ".hmac"
+#define READ_BUFFER_LENGTH 16384
+
+/*
+ * The hard-coded HMAC key to be optionally provided for the library
+ * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
+ * The known HMAC is supposed to be provided as hex string in a file
+ * libica.so.MAJOR.hmac in the same directory as the .so module.
+ */
+static const char hmackey[] =
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000";
+
int fips;
static int aes_ecb_kat(void);
@@ -101,6 +121,206 @@ fips_init(void)
FIPS_mode_set(1);
}
}
+static int get_library_path(const char *libname, const char *symbolname,
+ char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rc = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL)
+ goto done;
+
+ sym = dlsym(dl, symbolname);
+ if (sym != NULL && dladdr(sym, &info)) {
+ if (strlen(info.dli_fname) < pathlen)
+ strcpy(path, info.dli_fname);
+ else
+ goto done;
+ }
+
+ rc = 0;
+
+done:
+ if (dl != NULL)
+ dlclose(dl);
+
+ return rc;
+}
+
+static char *make_hmac_path(const char *origpath)
+{
+ char *path;
+ const char *fn;
+
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath) + 1);
+ if (path == NULL)
+ return NULL;
+
+ fn = strrchr(origpath, '/');
+ if (fn == NULL) {
+ fn = origpath;
+ } else {
+ ++fn;
+ }
+
+ strncpy(path, origpath, fn - origpath);
+ strcat(path, HMAC_PREFIX);
+ strcat(path, fn);
+ strcat(path, HMAC_SUFFIX);
+
+ return path;
+}
+
+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+ FILE *fp = NULL;
+ int rc = -1;
+ unsigned char rbuf[READ_BUFFER_LENGTH];
+ unsigned char *keybuf;
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ size_t hlen, len;
+ long keylen;
+
+ keybuf = OPENSSL_hexstr2buf(hmackey, &keylen);
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, keybuf, (int)keylen);
+ if (!pkey)
+ goto end;
+
+ mdctx = EVP_MD_CTX_create();
+ if (!mdctx)
+ goto end;
+
+ fp = fopen(path, "r");
+ if (fp == NULL)
+ goto end;
+
+ if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey) <= 0)
+ goto end;
+
+ while ((len = fread(rbuf, 1, sizeof(rbuf), fp)) != 0) {
+ if (EVP_DigestSignUpdate(mdctx, rbuf, len) <= 0) {
+ goto end;
+ }
+ }
+
+ if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0)
+ goto end;
+
+ *buf = malloc(hlen);
+ if (*buf == NULL)
+ goto end;
+
+ *hmaclen = hlen;
+
+ memcpy(*buf, rbuf, hlen);
+
+ rc = 0;
+
+end:
+
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+
+ free(keybuf);
+ EVP_MD_CTX_destroy(mdctx);
+ if (fp)
+ fclose(fp);
+
+ return rc;
+}
+
+/**
+ * Performs the FIPS check.
+ *
+ * @return 1 if check succeeded
+ * 0 otherwise
+ */
+static int FIPSCHECK_verify(const char *path)
+{
+ int rc = 0;
+ FILE *fp;
+ unsigned char *hmac_buf = NULL;
+ long hmaclen;
+ char *hmacpath, *p;
+ char *hmac_str = NULL;
+ size_t n, buflen;
+ void *buf = NULL;
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+
+ fp = fopen(hmacpath, "r");
+ if (fp == NULL) {
+ rc = 1;
+ goto end;
+ }
+
+ if (getline(&hmac_str, &n, fp) <= 0)
+ goto end;
+
+ if ((p = strchr(hmac_str, '\n')) != NULL)
+ *p = '\0';
+
+ hmac_buf = OPENSSL_hexstr2buf(hmac_str, &hmaclen);
+
+ if (compute_file_hmac(path, &buf, &buflen) != 0)
+ goto end;
+
+ if (memcmp(buf, hmac_buf, hmaclen) != 0)
+ goto end;
+
+ rc = 1;
+
+end:
+
+ free(buf);
+ free(hmac_str);
+ free(hmacpath);
+
+ OPENSSL_free(hmac_buf);
+
+ if (fp)
+ fclose(fp);
+
+ return rc;
+}
+
+static const char msg1[] = "Libica FIPS library integrity check failed. Cannot determine library path.\n";
+static const char msg2[] = "Libica FIPS library integrity check failed. Module %s probably corrupted.\n";
+static const char msg3[] = "Libica FIPS library integrity check passed.\n";
+
+/*
+ * Perform an integrity check on libica.so by calculating an HMAC from
+ * the file contents using a static HMAC key, and comparing it to a
+ * pre-calculated HMAC in a separate file. The HMAC key and HMAC file
+ * may be provided by a Distributor when building the packet.
+ */
+static void fips_lib_integrity_check(void)
+{
+ int rc;
+ char path[PATH_MAX];
+ const char *libname = "libica.so";
+ const char *symbolname = "ica_sha256";
+
+ rc = get_library_path(libname, symbolname, path, sizeof(path));
+ if (rc != 0) {
+ syslog(LOG_ERR, msg1);
+ fips |= ICA_FIPS_INTEGRITY;
+ return;
+ }
+
+ if (!FIPSCHECK_verify(path)) {
+ syslog(LOG_ERR, msg2, path);
+ fips |= ICA_FIPS_INTEGRITY;
+ return;
+ }
+
+ syslog(LOG_INFO, msg3);
+}
void
fips_powerup_tests(void)
@@ -117,6 +337,9 @@ fips_powerup_tests(void)
fips |= ICA_FIPS_CRYPTOALG;
return;
}
+
+ /* Library integrity test */
+ fips_lib_integrity_check();
}
static int
@@ -933,5 +1156,4 @@ _err_:
syslog(LOG_ERR, "Libica RSA test failed.");
return 1;
}
-
#endif /* FIPS_H */
diff --git a/src/include/fips.h b/src/include/fips.h
index 421be4c..0ffdef6 100644
--- a/src/include/fips.h
+++ b/src/include/fips.h
@@ -27,8 +27,8 @@ extern int fips; /* module status */
void fips_init(void);
/*
- * Powerup tests: crypto algorithm test, SW/FW integrity test (not implemented
- * yet), critical function test (no critical functions). The tests set the
+ * Powerup tests: crypto algorithm test, SW/FW integrity test, critical
+ * function test (no critical functions). The tests set the
* corresponding status flags.
*/
void fips_powerup_tests(void);
diff --git a/test/fips_test.c b/test/fips_test.c
index 06563e3..0f1940d 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -57,6 +57,10 @@ main(void)
printf("Libica FIPS powerup test failed.\n");
rv = EXIT_FAILURE;
}
+ if (fips & ICA_FIPS_INTEGRITY) {
+ printf("Libica FIPS integrity check failed.\n");
+ rv = EXIT_FAILURE;
+ }
#endif /* ICA_FIPS */
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
--
2.26.2

View File

@ -1,41 +0,0 @@
From b687f1514b3d371cdc44b5b3b02d5ddd9ac4eb54 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 25 Mar 2020 10:07:10 +0100
Subject: [PATCH] FIPS: provide output iv as required by FIPS tests
This fix is introduced to satisfy FIPS tests. They require the
output iv to be the iv resulting from decrypting the last block
with a zero iv as input. But note that this is not described
in the NIST standard for CBC-CS. According to the standard,
the output iv is simply undefined.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_cbccs.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/include/s390_cbccs.h b/src/include/s390_cbccs.h
index aa29bff..f6626dc 100644
--- a/src/include/s390_cbccs.h
+++ b/src/include/s390_cbccs.h
@@ -287,6 +287,17 @@ s390_aes_cbccs_dec(unsigned int fc, const unsigned char *in_data,
block_xor(out_data + tmp_data_length + AES_BLOCK_SIZE,
tmp_in_data, tmp_out_data, rest_data_length);
+ /*
+ * This fix was introduced to satisfy FIPS tests. They require the
+ * output iv to be the iv resulting from decrypting the last block
+ * with a zero iv as input, which is tmp_iv here. But note that this
+ * is not described in the NIST standard for CBC-CS. According to the
+ * standard, the output iv is simply undefined.
+ */
+#ifdef ICA_FIPS
+ memcpy(iv, tmp_iv, AES_BLOCK_SIZE);
+#endif /* ICA_FIPS */
+
return 0;
}
--
2.16.4

View File

@ -1,43 +0,0 @@
From db1ad6f64d96c6dba2be5af5a4ecd7ceb8f92cf2 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 18 Mar 2020 16:48:43 +0100
Subject: [PATCH] Fix DES and TDES key length.
Although a DES key has only 56 effective bits, all 64 bits must be
considered, because the parity bits are spread over all 8 bytes of
the key.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ica_api.c b/src/ica_api.c
index b80c6e3..eb6b154 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -48,6 +48,8 @@
#define DEFAULT2_CRYPT_DEVICE "/dev/z90crypt"
#define DEFAULT3_CRYPT_DEVICE "/dev/zcrypt"
+#define DES_KEY_LEN64 (64/8)
+
#define MAX_VERSION_LENGTH 16
int ica_fallbacks_enabled = 1;
@@ -125,9 +127,9 @@ static unsigned int check_des_parms(unsigned int mode,
#ifdef ICA_FIPS
static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
- if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LENGTH)
- | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LENGTH)
- | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LENGTH))
+ if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
+ | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64)
+ | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64))
return EINVAL;
return 0;
--
2.16.4

View File

@ -1,48 +0,0 @@
From a4a9381d1597b78374925385a6d71cf8ccb16c21 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Fri, 27 Mar 2020 15:25:33 +0100
Subject: [PATCH] icainfo: bugfix for RSA and EC related info for software
column.
The software column did never show 'yes' for RSA ME, RSA CRT, ECDH,
ECDSA sign, ECDSA verify, and ECKGEN, due to the missing ICA_FLAG_SW
flag in the icaList.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/s390_crypto.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
index ab7a269..8fb5662 100644
--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
@@ -489,10 +489,10 @@ libica_func_list_element_int icaList[] = {
{AES_GCM_KMA, MSA8, AES_128_GCM_ENCRYPT, 0, 0},
{AES_XTS, MSA4, AES_128_XTS_ENCRYPT, 0, 0},
{P_RNG, ADAPTER, 0, ICA_FLAG_SHW | ICA_FLAG_SW, 0}, // SHW (CPACF) + SW
- {EC_DH, ADAPTER, 0, 0, 0},
- {EC_DSA_SIGN, ADAPTER, 0, 0, 0},
- {EC_DSA_VERIFY, ADAPTER, 0, 0, 0},
- {EC_KGEN, ADAPTER, 0, 0, 0},
+ {EC_DH, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {EC_DSA_SIGN, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {EC_DSA_VERIFY, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {EC_KGEN, ADAPTER, 0, ICA_FLAG_SW, 0},
{ED25519_KEYGEN, MSA9, SCALAR_MULTIPLY_ED25519, 0, 0},
{ED25519_SIGN, MSA9, EDDSA_SIGN_ED25519, 0, 0},
{ED25519_VERIFY, MSA9, EDDSA_VERIFY_ED25519, 0, 0},
@@ -503,8 +503,8 @@ libica_func_list_element_int icaList[] = {
{X25519_DERIVE, MSA9, SCALAR_MULTIPLY_X25519, 0, 0},
{X448_KEYGEN, MSA9, SCALAR_MULTIPLY_X448, 0, 0},
{X448_DERIVE, MSA9, SCALAR_MULTIPLY_X448, 0, 0},
- {RSA_ME, ADAPTER, 0, 0, 0},
- {RSA_CRT, ADAPTER, 0, 0, 0},
+ {RSA_ME, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {RSA_CRT, ADAPTER, 0, ICA_FLAG_SW, 0},
{RSA_KEY_GEN_ME, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
{RSA_KEY_GEN_CRT, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
--
2.16.4

View File

@ -1,131 +0,0 @@
From a3b36ef136e304a1e2dc12ef7b96686202cbd00d Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Wed, 13 Nov 2019 17:12:43 +0100
Subject: [PATCH] x25519,x448: fix handling of non-canonical values
Reduce the peer public key's u-coordinate if it is >= p.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/s390_ecc.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
index 7654959..62799ee 100644
--- a/src/s390_ecc.c
+++ b/src/s390_ecc.c
@@ -557,6 +557,91 @@ struct { \
return rc;
}
+/*
+ * mask must be 0xFF or 0x00.
+ * "constant time" is per len.
+ *
+ * if (mask) {
+ * unsigned char tmp[len];
+ *
+ * memcpy(tmp, a, len);
+ * memcpy(a, b);
+ * memcpy(b, tmp);
+ * }
+ */
+static inline void constant_time_cond_swap_buff(unsigned char mask,
+ unsigned char *a,
+ unsigned char *b,
+ size_t len)
+{
+ size_t i;
+ unsigned char tmp;
+
+ for (i = 0; i < len; i++) {
+ tmp = a[i] ^ b[i];
+ tmp &= mask;
+ a[i] ^= tmp;
+ b[i] ^= tmp;
+ }
+}
+
+
+static void s390_x25519_mod_p(unsigned char u[32])
+{
+ unsigned char u_red[32];
+ unsigned int c = 0;
+ int i;
+
+ memcpy(u_red, u, sizeof(u_red));
+
+ c += (unsigned int)u_red[31] + 19;
+ u_red[31] = (unsigned char)c;
+ c >>= 8;
+
+ for (i = 30; i >= 0; i--) {
+ c += (unsigned int)u_red[i];
+ u_red[i] = (unsigned char)c;
+ c >>= 8;
+ }
+
+ c = (u_red[0] & 0x80) >> 7;
+ u_red[0] &= 0x7f;
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
+ u, u_red, sizeof(u_red));
+}
+
+static void s390_x448_mod_p(unsigned char u[56])
+{
+ unsigned char u_red[56];
+ unsigned int c = 0;
+ int i;
+
+ memcpy(u_red, u, sizeof(u_red));
+
+ c += (unsigned int)u_red[55] + 1;
+ u_red[55] = (unsigned char)c;
+ c >>= 8;
+
+ for (i = 54; i >= 28; i--) {
+ c += (unsigned int)u_red[i];
+ u_red[i] = (unsigned char)c;
+ c >>= 8;
+ }
+
+ c += (unsigned int)u_red[27] + 1;
+ u_red[27] = (unsigned char)c;
+ c >>= 8;
+
+ for (i = 26; i >= 0; i--) {
+ c += (unsigned int)u_red[i];
+ u_red[i] = (unsigned char)c;
+ c >>= 8;
+ }
+
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
+ u, u_red, sizeof(u_red));
+}
+
int scalar_mulx_cpacf(unsigned char *res_u,
const unsigned char *scalar,
const unsigned char *u,
@@ -598,6 +683,9 @@ struct { \
s390_flip_endian_32(param.X25519.u, param.X25519.u);
s390_flip_endian_32(param.X25519.scalar, param.X25519.scalar);
+ /* reduce non-canonical values */
+ s390_x25519_mod_p(param.X25519.u);
+
fc = s390_pcc_functions[SCALAR_MULTIPLY_X25519].hw_fc;
rc = s390_pcc(fc, &param) ? EIO : 0;
@@ -619,6 +707,9 @@ struct { \
s390_flip_endian_64(param.X448.u, param.X448.u);
s390_flip_endian_64(param.X448.scalar, param.X448.scalar);
+ /* reduce non-canonical values */
+ s390_x448_mod_p(param.X448.u + 8);
+
fc = s390_pcc_functions[SCALAR_MULTIPLY_X448].hw_fc;
rc = s390_pcc(fc, &param) ? EIO : 0;
--
2.13.7

View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
- Upgraded to version 3.7.0 (jsc#SLE-14466)
* Version 3.7.0
- [FEATURE] FIPS: Add HMAC based library integrity check
- [PATCH] icainfo: bugfix for RSA and EC related info for software column.
- [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
- [PATCH] FIPS: Fix DES and TDES key length
- [PATCH] icastats: Fix stats counter format
* Version 3.6.1
- [PATCH] Fix x25519 and x448 handling of non-canonical values
- Removed the following obsolete patches
* libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
* libica-sles15sp2-Build-with-pthread-flag.patch
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 15 21:08:38 UTC 2020 - Mark Post <mpost@suse.com> Tue Sep 15 21:08:38 UTC 2020 - Mark Post <mpost@suse.com>

View File

@ -22,7 +22,7 @@
%endif %endif
Name: libica Name: libica
Version: 3.6.0 Version: 3.7.0
Release: 0 Release: 0
Summary: Library interface for the IBM Cryptographic Accelerator device driver Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0 License: CPL-1.0
@ -37,19 +37,11 @@ Source4: z90crypt
Source5: z90crypt.service Source5: z90crypt.service
Source6: baselibs.conf Source6: baselibs.conf
Source7: %{name}-rpmlintrc Source7: %{name}-rpmlintrc
Patch1: libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch Patch01: libica-sles15sp2-Zeroize-local-variables.patch
Patch2: libica-sles15sp2-Fix-DES-and-TDES-key-length.patch Patch02: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
Patch3: libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch Patch03: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
Patch4: libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch Patch04: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
Patch5: libica-sles15sp2-Build-with-pthread-flag.patch Patch05: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
Patch6: libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
Patch7: libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
Patch8: libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
Patch9: libica-sles15sp2-Zeroize-local-variables.patch
Patch10: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
Patch11: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
Patch12: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
Patch13: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
Patch99: libica-sles15sp2-FIPS-hmac-key.patch Patch99: libica-sles15sp2-FIPS-hmac-key.patch
BuildRequires: autoconf BuildRequires: autoconf