pool/libica
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1223882 from security:tls

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1223882
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=37
This commit is contained in:
Ana Guerrero 2024-11-13 14:29:20 +00:00 committed by Git OBS Bridge
commit d6632a5ee5
5 changed files with 291 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

222
libica-02-fips-update-Change-service-indicator-implementation.patch
View File

@ -1,154 +1,21 @@
From 86c400a516a23ce807c1b7a5a3dec3c0ef441733 Mon Sep 17 00:00:00 2001
From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Mon, 28 Oct 2024 13:44:11 +0100
Subject: [PATCH] fips update: Change service indicator implementation
Perform checks for non-approved algorithms / parameters directly into the
APIs that perform the services. Especially, indicate that using an external
GCM iv in fips mode is non-compliant, but on the exception list.
APIs that perform the services.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++
src/icainfo.c | 1 +
src/include/fips.h | 7 ++++--
3 files changed, 59 insertions(+), 2 deletions(-)
src/ica_api.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/ica_api.c b/src/ica_api.c
index 0826af8..e0f6c43 100644
index 0826af8..d071f61 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -94,7 +94,12 @@ int ica_external_gcm_iv_in_fips_mode_allowed = 0;
void ica_allow_external_gcm_iv_in_fips_mode(int allow)
{
+#ifdef ICA_FIPS
+ if (!fips_approved(AES_GCM_EXT_IV) && !fips_override(AES_GCM_EXT_IV))
+ return;
+
ica_external_gcm_iv_in_fips_mode_allowed = allow ? 1 : 0;
+#endif
}
@@ -399,6 +404,8 @@ unsigned int ica_sha1(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA1) && !fips_override(SHA1))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -454,6 +461,8 @@ unsigned int ica_sha224(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA224) && !fips_override(SHA224))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -501,6 +510,8 @@ unsigned int ica_sha256(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA256) && !fips_override(SHA256))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -548,6 +559,8 @@ unsigned int ica_sha384(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA384) && !fips_override(SHA384))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -596,6 +609,8 @@ unsigned int ica_sha512(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA512) && !fips_override(SHA512))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -644,6 +659,8 @@ unsigned int ica_sha512_224(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA512_224) && !fips_override(SHA512_224))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -692,6 +709,8 @@ unsigned int ica_sha512_256(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA512_256) && !fips_override(SHA512_256))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -740,6 +759,8 @@ unsigned int ica_sha3_224(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA3_224) && !fips_override(SHA3_224))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -787,6 +808,8 @@ unsigned int ica_sha3_256(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA3_256) && !fips_override(SHA3_256))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -834,6 +857,8 @@ unsigned int ica_sha3_384(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA3_384) && !fips_override(SHA3_384))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -882,6 +907,8 @@ unsigned int ica_sha3_512(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHA3_512) && !fips_override(SHA3_512))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -931,6 +958,8 @@ unsigned int ica_shake_128(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHAKE128) && !fips_override(SHAKE128))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -986,6 +1015,8 @@ unsigned int ica_shake_256(unsigned int message_part,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(SHAKE256) && !fips_override(SHAKE256))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1052,6 +1083,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -157,7 +24,7 @@ index 0826af8..e0f6c43 100644
#endif /* ICA_FIPS */
if (public_key->key_length != private_key->key_length)
@@ -1094,6 +1127,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -166,7 +33,7 @@ index 0826af8..e0f6c43 100644
#endif /* ICA_FIPS */
if (public_key->key_length != private_key->key_length)
@@ -1130,6 +1165,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -175,7 +42,7 @@ index 0826af8..e0f6c43 100644
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1193,6 +1230,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -184,7 +51,7 @@ index 0826af8..e0f6c43 100644
#endif /* ICA_FIPS */
/* check if p > q */
@@ -1266,6 +1305,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -193,16 +60,16 @@ index 0826af8..e0f6c43 100644
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1337,6 +1378,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
#ifdef ICA_FIPS
if (fips >> 1)
return NULL;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
+ return NULL;
#endif /* ICA_FIPS */
if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
@@ -1375,6 +1418,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -211,7 +78,7 @@ index 0826af8..e0f6c43 100644
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(key->nid) ||
!curve_supported_via_cpacf(key->nid)) {
@@ -1421,6 +1466,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -220,7 +87,7 @@ index 0826af8..e0f6c43 100644
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(key->nid) ||
!curve_supported_via_cpacf(key->nid))
@@ -1494,6 +1541,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -229,16 +96,16 @@ index 0826af8..e0f6c43 100644
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(privkey_A->nid) ||
!curve_supported_via_cpacf(privkey_A->nid))
@@ -1563,6 +1612,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
if (!curve_supported_via_openssl(privkey->nid) ||
!curve_supported_via_cpacf(privkey->nid))
@@ -1654,6 +1705,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
return EPERM;
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
+ return EPERM;
}
#endif /* ICA_FIPS */
@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
@ -247,46 +114,3 @@ index 0826af8..e0f6c43 100644
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(pubkey->nid) ||
!curve_supported_via_cpacf(pubkey->nid))
diff --git a/src/icainfo.c b/src/icainfo.c
index 608994f..b18cbfa 100644
--- a/src/icainfo.c
+++ b/src/icainfo.c
@@ -556,6 +556,7 @@ void print_fips_indicator(void)
}
}
+ printf(" GCM ext iv | - | - | - \n");
printf("------------------------------------------------------\n");
done:
diff --git a/src/include/fips.h b/src/include/fips.h
index c0af6b6..ec7f2c9 100644
--- a/src/include/fips.h
+++ b/src/include/fips.h
@@ -65,6 +65,8 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv,
unsigned char *ucb, unsigned char *subkey,
unsigned int direction);
+#define AES_GCM_EXT_IV 73
+
/*
* List of non-fips-approved algorithms
*/
@@ -73,14 +75,15 @@ static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE,
- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG };
+ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, AES_GCM_EXT_IV };
static const size_t FIPS_BLACKLIST_LEN
= sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
/*
* FIPS service indicator: List of tolerated but non-approved algorithms.
*/
-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG };
+static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG,
+ AES_GCM_EXT_IV };
static const size_t FIPS_OVERRIDE_LIST_LEN
= sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);

164
libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch Normal file
View File

@ -0,0 +1,164 @@
From b7d11c21d7f15dc11ae7354a7ec97299eacd7045 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:12:11 +0100
Subject: [PATCH] fips update: Dynamically update service indicator based on IV
usage
Fix handling to differentiate if the call to AES-GCM encryption API was approved
or not. If the IV was set externally, it's non-approved, otherwise with internal
IV it's approved. Bind the service indicator to the service by checking the
behavior of the GCM IV in the gcm API.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 6 ++++++
src/include/fips.h | 54 +++++++++++++++++++++++++++++++++++++++++++---
src/s390_crypto.c | 16 ++++++++++++++
3 files changed, 73 insertions(+), 3 deletions(-)
diff --git a/src/ica_api.c b/src/ica_api.c
index d071f61..c1bb4e1 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -3727,6 +3727,8 @@ unsigned int ica_aes_gcm(unsigned char *plaintext,
#ifdef ICA_FIPS
if (fips & ICA_FIPS_MODE)
return EPERM;
+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM))
+ return EPERM;
#endif /* ICA_FIPS */
return ica_aes_gcm_internal(plaintext, plaintext_length, ciphertext,
@@ -3776,6 +3778,8 @@ unsigned int ica_aes_gcm_initialize(const unsigned char *iv,
if (!ica_external_gcm_iv_in_fips_mode_allowed &&
direction == ENCRYPT && (fips & ICA_FIPS_MODE))
return EPERM;
+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM))
+ return EPERM;
#endif /* ICA_FIPS */
return ica_aes_gcm_initialize_internal(iv, iv_length, key, key_length,
@@ -4025,6 +4029,8 @@ int ica_aes_gcm_kma_init(unsigned int direction,
if (!ica_external_gcm_iv_in_fips_mode_allowed &&
direction == ICA_ENCRYPT && (fips & ICA_FIPS_MODE))
return EPERM;
+ if (!fips_approved(AES_GCM_KMA) && !fips_override(AES_GCM_KMA))
+ return EPERM;
#endif /* ICA_FIPS */
return ica_aes_gcm_kma_init_internal(direction, iv, iv_length,
diff --git a/src/include/fips.h b/src/include/fips.h
index c0af6b6..0a6e0bd 100644
--- a/src/include/fips.h
+++ b/src/include/fips.h
@@ -68,19 +68,19 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv,
/*
* List of non-fips-approved algorithms
*/
-static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
+static int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
DES_CFB, DES_CTR, DES_CTRLST, DES_CBC_MAC, DES_CMAC, P_RNG, DES3_ECB,
DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE,
- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG };
+ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
static const size_t FIPS_BLACKLIST_LEN
= sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
/*
* FIPS service indicator: List of tolerated but non-approved algorithms.
*/
-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG };
+static int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
static const size_t FIPS_OVERRIDE_LIST_LEN
= sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);
@@ -117,5 +117,53 @@ static inline int fips_override(int id)
return 0;
}
+
+static inline void add_to_fips_black_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) {
+ if (FIPS_BLACKLIST[i] == -1) {
+ FIPS_BLACKLIST[i] = id;
+ return;
+ }
+ }
+}
+
+static inline void add_to_fips_override_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) {
+ if (FIPS_OVERRIDE_LIST[i] == -1) {
+ FIPS_OVERRIDE_LIST[i] = id;
+ return;
+ }
+ }
+}
+
+static inline void remove_from_fips_black_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) {
+ if (FIPS_BLACKLIST[i] == id) {
+ FIPS_BLACKLIST[i] = -1;
+ return;
+ }
+ }
+}
+
+static inline void remove_from_fips_override_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) {
+ if (FIPS_OVERRIDE_LIST[i] == id) {
+ FIPS_OVERRIDE_LIST[i] = -1;
+ return;
+ }
+ }
+}
#endif /* FIPS_H */
#endif /* ICA_FIPS */
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
index 623864b..03655e7 100644
--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
@@ -30,6 +30,10 @@
#include "init.h"
#include "s390_crypto.h"
+#ifdef ICA_FIPS
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
+#endif
+
unsigned long long facility_bits[3];
unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
@@ -810,6 +814,18 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
if (*indicator_list_len < (sizeof(icaList) / sizeof(libica_func_list_element_int)))
return EINVAL;
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
+ add_to_fips_black_list(AES_GCM);
+ add_to_fips_override_list(AES_GCM);
+ add_to_fips_black_list(AES_GCM_KMA);
+ add_to_fips_override_list(AES_GCM_KMA);
+ } else {
+ remove_from_fips_black_list(AES_GCM);
+ remove_from_fips_override_list(AES_GCM);
+ remove_from_fips_black_list(AES_GCM_KMA);
+ remove_from_fips_override_list(AES_GCM_KMA);
+ }
+
for (i = 0; i < *indicator_list_len; i++) {
indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);

94
libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch Normal file
View File

@ -0,0 +1,94 @@
From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:17:54 +0100
Subject: [PATCH] fips update: provide test for dynamic service indicator
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
API to allow and forbid an external GCM IV. Depending on whether the application
allows or forbids external IVs, the service indicator changes dynamically.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/test/fips_test.c b/test/fips_test.c
index 2bd3d40..873c4b0 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -13,6 +13,64 @@
#define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
+#ifdef ICA_FIPS
+static int test_gcm_iv_usage(void)
+{
+ libica_fips_indicator_element *fips_list = NULL;
+ unsigned int rc, i, fips_len, allow;
+ unsigned int approved_expected, override_expected;
+
+ for (allow = 0; allow < 2; allow++) {
+
+ approved_expected = allow == 1 ? 0 : 1;
+ override_expected = allow == 1 ? 1 : 0;
+
+ /* Check allowance of an external iv in fips mode */
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
+
+ /* Get fips indicator list */
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
+ printf("get_fips_indicator failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
+ if (!fips_list) {
+ printf("malloc fips_indicator list failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
+ printf("ica_get_fips_indicator failed\n");
+ free(fips_list);
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ for (i = 0; i < fips_len; i++) {
+ if (fips_list[i].mech_mode_id == AES_GCM ||
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
+ if (fips_list[i].fips_approved != approved_expected ||
+ fips_list[i].fips_override != override_expected) {
+ rc = EXIT_FAILURE;
+ free(fips_list);
+ goto done;
+ }
+ }
+ }
+
+ free(fips_list);
+ }
+
+ rc = 0;
+
+done:
+ return rc;
+}
+#endif /* ICA_FIPS */
+
int
main(void)
{
@@ -68,6 +126,10 @@ main(void)
printf("Libica FIPS integrity check failed.\n");
rv = EXIT_FAILURE;
}
+ if (test_gcm_iv_usage()) {
+ printf("Libica FIPS gcm iv usage check failed.\n");
+ rv = EXIT_FAILURE;
+ }
#endif /* ICA_FIPS */
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);

8
libica.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
* libica-02-fips-update-Change-service-indicator-implementation.patch
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
-------------------------------------------------------------------
Tue Nov 5 12:07:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

2
libica.spec
View File

@ -40,6 +40,8 @@ Patch99: libica-sles15sp5-FIPS-hmac-key.patch
###
Patch110: libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
Patch111: libica-02-fips-update-Change-service-indicator-implementation.patch
Patch112: libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
Patch113: libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
###
BuildRequires: autoconf