Accepting request 494492 from devel:openSUSE:Factory

OK, let's try this again. Update to version 3.0.2 per fate#322025

OBS-URL: https://build.opensuse.org/request/show/494492
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=2

fix-initialization-of-s390-hardware-switches-1.patch

@@ -1,26 +0,0 @@
---- a/src/include/s390_crypto.h
-+++ b/src/include/s390_crypto.h
-@@ -83,7 +83,7 @@
- 	S390_CRYPTO_SHA512_DRNG_SEED = 0x03 | 0x80
- };
- 
--unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
-+extern unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
- 	     tdes_switch, aes128_switch, aes192_switch, aes256_switch,
- 	     prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
- 	     msa4_switch, msa5_switch;
-@@ -119,10 +119,10 @@
- 	SHA512_DRNG_SEED
- } ppno_functions_t;
- 
--s390_supported_function_t s390_kmc_functions[PRNG + 1];
--s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
--s390_supported_function_t s390_kimd_functions[GHASH + 1];
--s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
-+extern s390_supported_function_t s390_kmc_functions[PRNG + 1];
-+extern s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
-+extern s390_supported_function_t s390_kimd_functions[GHASH + 1];
-+extern s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
- 
- void s390_crypto_switches_init(void);
- 

fix-initialization-of-s390-hardware-switches-2.patch

@@ -1,15 +0,0 @@
---- a/src/s390_crypto.c
-+++ b/src/s390_crypto.c
-@@ -25,6 +25,11 @@
- #include <errno.h>
- #include "s390_crypto.h"
- #include "init.h"
-+
-+unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
-+             tdes_switch, aes128_switch, aes192_switch, aes256_switch,
-+             prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
-+             msa4_switch, msa5_switch;
- 
- s390_supported_function_t s390_kimd_functions[] = {
- 	{SHA_1, S390_CRYPTO_SHA_1, &sha1_switch},
-

fix-msa-level-detection.patch

@@ -1,75 +0,0 @@
-Subject: [PATCH] [BZ 148767] libica: libica crash with illegal instruction on z196/z114
-From: Harald Freudenberger <freude@linux.vnet.ibm.com>
-
-Description:  libica: libica crash with illegal instruction on z196/z114
-Symptom:      'illegal instruction' on libica initialization
-Problem:      Upon initialization libica checks all the MSA levels
-              of the system to find out the available functions.
-              This check function reuses a buffer variable without
-              proper reinitialization thus leading to detect an
-              MSA 5 function PPNO which is in fact not available
-              on z196/z114 systems. Upon initialization the libica
-              internal pseudo random generator is initialized which
-              is then trying to use this PPNO function and so
-              the 'illegal instruction' occurs.
-Solution:     Fix libica initialization function.
-Reproduction: On z196/z114 systems with every libica version >= 2.6.
-Upstream-ID:  eeb40e5aea7dd36580629e6b17cd7f03fb62549c
-Problem-ID:   148767
-
-Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
-Index: libica-service/src/s390_crypto.c
-===================================================================
---- libica-service.orig/src/s390_crypto.c	2016-11-18 12:04:39.809574833 +0100
-+++ libica-service/src/s390_crypto.c	2016-11-18 12:04:39.805574781 +0100
-@@ -144,6 +144,8 @@ void set_switches(int msa)
- 	 * kimd query and do not need to over the whole array. Therfore there
- 	 * is also no distict setting of the switch needed in form
- 	 * msa4_switch = 1. */
-+
-+	/* kmc query */
- 	memset(mask, 0, sizeof(mask));
- 	if (msa) {
- 		if (begin_sigill_section(&oldact, &oldset) == 0) {
-@@ -160,13 +162,14 @@ void set_switches(int msa)
- 		*s390_kmc_functions[n].enabled = on;
- 	}
- 
-+	/* kimd query */
-+	memset(mask, 0, sizeof(mask));
- 	if (msa) {
- 		if (begin_sigill_section(&oldact, &oldset) == 0) {
- 			s390_kimd(S390_CRYPTO_QUERY, mask, (void *) 0, 0);
- 			end_sigill_section(&oldact, &oldset);
- 		}
- 	}
--
- 	for (n = 0; n < (sizeof(s390_kimd_functions) /
- 			 sizeof(s390_supported_function_t)); n++) {
- 		if (S390_CRYPTO_TEST_MASK(mask, s390_kimd_functions[n].hw_fc))
-@@ -176,6 +179,8 @@ void set_switches(int msa)
- 		*s390_kimd_functions[n].enabled = on;
- 	}
- 
-+	/* ppno query */
-+	memset(mask, 0, sizeof(mask));
- 	if (5 <= msa) {
- 		msa5_switch = 1;
- 		if (begin_sigill_section(&oldact, &oldset) == 0) {
-@@ -183,7 +188,6 @@ void set_switches(int msa)
- 			end_sigill_section(&oldact, &oldset);
- 		}
- 	}
--
- 	for (n = 0; n < (sizeof(s390_ppno_functions) /
- 			 sizeof(s390_supported_function_t)); n++) {
- 		if (S390_CRYPTO_TEST_MASK(mask, s390_ppno_functions[n].hw_fc))
-@@ -254,7 +258,7 @@ libica_func_list_element_int icaList[] =
-  {RSA_KEY_GEN_ME,  	ADAPTER, 0, ICA_FLAG_SW, 		0},	// SW (openssl)
-  {RSA_KEY_GEN_CRT, 	ADAPTER, 0, ICA_FLAG_SW, 		0},	// SW (openssl)
- 
-- {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SHW | ICA_FLAG_SW, 0},
-+ {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SW, 0},
- 
- /* available for the MSA4 instruction */
- /* available for the RSA instruction */

fix-segfault-during-multithread-keygen.patch

@@ -1,183 +0,0 @@
-Index: src/s390_rsa.c
-===================================================================
---- a/src/s390_rsa.c
-+++ b/src/s390_rsa.c
-@@ -18,6 +18,9 @@
- #include <errno.h>
- #include <stdint.h>
- #include <openssl/rsa.h>
-+#include <openssl/crypto.h>
-+#include <pthread.h>
-+#include <semaphore.h>
- 
- #include "s390_rsa.h"
- #include "s390_prng.h"
-@@ -41,9 +44,22 @@ static unsigned int mod_expo_sw(int arg_
- 				char *exp, int mod_length, char *mod,
- 				int *res_length, char *res, BN_CTX *ctx);
- 
--RSA* rsa_key_generate(unsigned int modulus_bit_length,
--		      unsigned long *public_exponent)
-+struct thread_data
-+{
-+	unsigned int mod_bit_length;
-+	unsigned long *pub_exp;
-+	RSA	*rsa;
-+};
-+
-+static void *__rsa_key_generate(void *ptr)
- {
-+	struct thread_data *pth_data;
-+	unsigned int modulus_bit_length;
-+	unsigned long *public_exponent;
-+
-+	pth_data = (struct thread_data*)ptr;
-+	modulus_bit_length = pth_data->mod_bit_length;
-+	public_exponent = pth_data->pub_exp;
- 	BN_GENCB cb;
- 
- 	if (*public_exponent == 0)
-@@ -70,9 +86,36 @@ RSA* rsa_key_generate(unsigned int modul
- 
- 	if (RSA_generate_key_ex(rsa, modulus_bit_length, exp, &cb)) {
- 		BN_free(exp);
--		return rsa;
-+		pth_data->rsa = rsa;
- 	}
-+	else
-+		pth_data->rsa = NULL;
-+
-+	return 0;
-+}
- 
-+RSA* rsa_key_generate(unsigned int modulus_bit_length,
-+		      unsigned long *public_exponent)
-+{
-+	pthread_t tid;
-+	struct thread_data th_data;
-+	int rc;
-+
-+	sem_wait(&openssl_crypto_lock_mtx);
-+
-+	th_data.mod_bit_length = modulus_bit_length;
-+	th_data.pub_exp = public_exponent;
-+	rc = pthread_create(&(tid), NULL, (void *)&__rsa_key_generate,
-+			    (void *)(&th_data));
-+	if (rc)
-+		return 0;
-+	rc = pthread_join(tid, NULL);
-+
-+	if (!rc && th_data.rsa) {
-+		sem_post(&openssl_crypto_lock_mtx);
-+		return th_data.rsa;
-+	}
-+	sem_post(&openssl_crypto_lock_mtx);
- 	return 0;
- }
- 
-Index: src/init.c
-===================================================================
---- a/src/init.c
-+++ b/src/init.c
-@@ -18,10 +18,14 @@
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/rand.h>
-+#include <openssl/crypto.h>
-+#include <semaphore.h>
-+#include <pthread.h>
- #include <syslog.h>
- 
- #include "init.h"
- #include "icastats.h"
-+#include "s390_rsa.h"
- #include "s390_prng.h"
- #include "s390_crypto.h"
- #include "ica_api.h"
-@@ -79,12 +83,60 @@ void end_sigill_section(struct sigaction
- 	sigprocmask(SIG_SETMASK, oldset, 0);
- }
- 
-+static pthread_mutex_t *openssl_locks;
-+
-+static void openssl_lock_callback(int mode, int num, char *file, int line)
-+{
-+	if (mode & CRYPTO_LOCK) {
-+		pthread_mutex_lock(&(openssl_locks[num]));
-+	}
-+	else {
-+		pthread_mutex_unlock(&(openssl_locks[num]));
-+	}
-+}
-+
-+static unsigned long get_thread_id(void)
-+{
-+	return (unsigned long)pthread_self();
-+}
-+
-+static void init_openssl_locks(void)
-+{
-+	int i, crypt_num_locks;
-+
-+	crypt_num_locks = CRYPTO_num_locks();
-+	openssl_locks = (pthread_mutex_t *)
-+			OPENSSL_malloc(crypt_num_locks *
-+				       sizeof(pthread_mutex_t));
-+	for (i = 0; i < CRYPTO_num_locks(); i++) {
-+		pthread_mutex_init(&(openssl_locks[i]),NULL);
-+	}
-+
-+	CRYPTO_set_id_callback((unsigned long (*)())get_thread_id);
-+	CRYPTO_set_locking_callback((void (*)
-+		(int, int, const char*, int))openssl_lock_callback);
-+
-+	sem_init(&openssl_crypto_lock_mtx, 0, crypt_num_locks);
-+}
-+
-+static void free_openssl_locks(void)
-+{
-+	int i;
-+
-+	CRYPTO_set_locking_callback(NULL);
-+	for (i = 0; i < CRYPTO_num_locks(); i++)
-+		pthread_mutex_destroy(&(openssl_locks[i]));
-+
-+	OPENSSL_free(openssl_locks);
-+}
-+
- void openssl_init(void)
- {
- 	/* initial seed the openssl random generator */
- 	unsigned char random_data[64];
- 	s390_prng(random_data, sizeof(random_data));
- 	RAND_seed(random_data, sizeof(random_data));
-+	init_openssl_locks();
- }
- 
- /* Switches have to be done first. Otherwise we will not have hw support
-@@ -115,4 +167,5 @@ void __attribute__ ((constructor)) icain
- void __attribute__ ((destructor)) icaexit(void)
- {
- 	stats_munmap(SHM_CLOSE);
-+	free_openssl_locks();
- }
-Index: src/include/s390_rsa.h
-===================================================================
---- a/src/include/s390_rsa.h
-+++ b/src/include/s390_rsa.h
-@@ -16,6 +16,7 @@
- 
- #include <openssl/bn.h>
- #include <asm/zcrypt.h>
-+#include <semaphore.h>
- #include "ica_api.h"
- 
- typedef struct ica_rsa_modexpo ica_rsa_modexpo_t;
-@@ -40,5 +41,7 @@ unsigned int rsa_key_generate_crt(ica_ad
- unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt);
- unsigned int rsa_mod_mult_sw(ica_rsa_modmult_t * pMul);
- unsigned int rsa_mod_expo_sw(ica_rsa_modexpo_t *pMex);
-+
-+sem_t openssl_crypto_lock_mtx;
- #endif
- 

libica-2.6.2.tgz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3528ce8d2cb3e77ba20f6c85226be5b023c7c5a3fe30b6bc841cc98d5f8fe77d
-size 172317

libica-3.0.2.tgz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8af14d8ff87ac7e88400064184dd1d83b23eb2ef3daff1e8072423ab6fe9833
+size 204325

libica.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue May  9 17:23:11 UTC 2017 - mpost@suse.com
+
+- Upgraded to version 3.0.2 (Fate#322025).
+  - v3.0.2
+    - Fix locking callbacks for openSSL APIs.
+  - v3.0.1
+    - Fixed msa level detection on zEC/BC12 GA1 and predecessors.
+  - v3.0.0
+    - Added FIPS mode.
+    - Sanitized exported symbols.
+    - Removed deprecated APIs. Marked some APIs as deprecated.
+    - Adapted to OpenSSL v1.1.0.
+    - RSA key generation is thread-safe now.
+- Removed the following obsolete patches:
+  - fix-initialization-of-s390-hardware-switches-1.patch
+  - fix-initialization-of-s390-hardware-switches-2.patch
+  - fix-msa-level-detection.patch
+  - fix-segfault-during-multithread-keygen.patch
+  - rng-performance.patch
+
 -------------------------------------------------------------------
 Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com
 

libica.spec

@@ -25,7 +25,7 @@ BuildRequires:  openssl-devel
 Summary:        Library interface for the IBM Cryptographic Accelerator device driver
 License:        CPL-1.0
 Group:          Hardware/Other
-Version:        2.6.2
+Version:        3.0.2
 Release:        0
 Source:         libica-%{version}.tgz
 Source1:        libica-SuSE.tar.bz2
@@ -35,11 +35,6 @@ Source4:        README.SUSE
 Source5:        sysconfig.z90crypt
 Source6:        baselibs.conf
 Source7:        %{name}-rpmlintrc
-Patch1:         fix-initialization-of-s390-hardware-switches-1.patch
-Patch2:         fix-initialization-of-s390-hardware-switches-2.patch
-Patch3:         rng-performance.patch
-Patch4:         fix-segfault-during-multithread-keygen.patch
-Patch5:         fix-msa-level-detection.patch
 
 Url:            http://sourceforge.net/projects/opencryptoki/files/libica
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -51,15 +46,11 @@ This package contains the interface library routines used by IBM
 modules to interface with the IBM eServer Cryptographic Accelerator
 (ICA).
 
-%package -n libica2
+%package -n libica3
 Summary:        Library interface for the IBM Cryptographic Accelerator
 Group:          System/Libraries
-Obsoletes:      libica-2_1_0 < %{version}-%{release}
-Provides:       libica-2_1_0 = %{version}-%{release}
-Obsoletes:      libica-2_3_0 < %{version}-%{release}
-Provides:       libica-2_3_0 = %{version}-%{release}
 
-%description -n libica2
+%description -n libica3
 This package contains the interface library routines used by IBM
 modules to interface with the IBM eServer Cryptographic Accelerator
 (ICA).
@@ -82,7 +73,7 @@ Obsoletes:      libica-2_1_0-devel < %{version}-%{release}
 Provides:       libica-2_1_0-devel = %{version}-%{release}
 Obsoletes:      libica-2_3_0-devel < %{version}-%{release}
 Provides:       libica-2_3_0-devel = %{version}-%{release}
-Requires:       libica2 = %{version}
+Requires:       libica3 = %{version}
 Requires:       libopenssl-devel
 
 %description devel
@@ -108,11 +99,6 @@ the libica library.
 
 %prep
 %setup -a 1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
 
 %build
 mkdir -p include/linux/
@@ -142,12 +128,12 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libica.la
 %restart_on_update boot.z90crypt
 %{insserv_cleanup}
 
-%post   -n libica2 -p /sbin/ldconfig
-%postun -n libica2 -p /sbin/ldconfig
+%post   -n libica3 -p /sbin/ldconfig
+%postun -n libica3 -p /sbin/ldconfig
 
-%files -n libica2
+%files -n libica3
 %defattr(-,root,root)
-%{_libdir}/libica.so.2*
+%{_libdir}/libica.so.3*
 
 %files tools
 %defattr(-, root, root)

rng-performance.patch

@@ -1,35 +0,0 @@
-Index: libica-2.6.2/src/s390_prng.c
-===================================================================
---- libica-2.6.2.orig/src/s390_prng.c
-+++ libica-2.6.2/src/s390_prng.c
-@@ -76,10 +76,9 @@ int s390_prng_init(void)
- 	// available. However, the old prng is still initialized but
- 	// only used as a fallback.
- 	if(sha512_switch || sha512_drng_switch){
--		const char *pers = "ica_drbg_global";
- 		ica_drbg_instantiate(&ica_drbg_global, 256, true,
--				     ICA_DRBG_SHA512, (unsigned char *)pers,
--				     strlen(pers));
-+				     ICA_DRBG_SHA512,
-+				     (unsigned char *)"GLOBAL INSTANCE", 15);
- 	}
- 
- 	// The old prng code starts here:
-@@ -181,7 +180,7 @@ int s390_prng(unsigned char *output_data
- 		unsigned char *ptr = output_data;
- 		size_t i = 0;
- 		for(; i < q; i++){
--			status = ica_drbg_generate(ica_drbg_global, 256, true,
-+			status = ica_drbg_generate(ica_drbg_global, 256, false,
- 						   NULL, 0, ptr,
- 						   ICA_DRBG_SHA512
- 						   ->max_no_of_bytes_per_req);
-@@ -191,7 +190,7 @@ int s390_prng(unsigned char *output_data
- 			ptr += ICA_DRBG_SHA512->max_no_of_bytes_per_req;
- 		}
- 		if(!status){
--			status = ica_drbg_generate(ica_drbg_global, 256, true,
-+			status = ica_drbg_generate(ica_drbg_global, 256, false,
- 						   NULL, 0, ptr, r);
- 			if(!status)
- 				return 0;