- Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289)

* Updates for FIPS 140-3 certification 2024
  * Various bug fixes and housekeeping 
- Removed obsolete patches
  * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
  * libica-02-fips-update-Change-service-indicator-implementation.patch
  * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=31
This commit is contained in:
Nikolay Gueorguiev 2024-12-31 10:55:20 +00:00 committed by Git OBS Bridge
commit e688997ad5
21 changed files with 2442 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

331
README.SUSE Normal file
View File

@ -0,0 +1,331 @@
The following information was provided to us courtesy of the IBM
testing team, who tested the functionality of apache with mod_ssl
on SUSE LINUX Enterprise Server 9 for S/390 and zSeries.
It thus refers to testing only from a certain point, and the
z90crypt part is of course specific to S/390 and zSeries.
-------------------------------------------------------------------
Installation and Configuration of S/390 HW Crypto
on SUSE Linux Enterprise Server 9 for S/390 and zSeries:
1) Installation of the driver packages openCryptoki and libica
The driver packages are installed during base install in the
default selection. If you installed only minimal system or
deinstalled the packages, install them now. If the installation
source is accessible, you can do it with a single command:
31bit:
yast sw_single openCryptoki openCryptoki-32bit
64bit:
yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit
This will automatically install the necessary libica packages as
well if they are not installed yet.
2) Loading the z90crypt driver:
systemctl start z90crypt to load z90crypt
systemctl stop z90crypt to unload z90crypt
this command will be available only after installation of the
crypto driver packages.
To load the driver automatically at every system boot, integrate it
with the other boot scripts issuing
systemctl enable z90crypt
3) Checking if the z90crypt hardware driver can be accessed
Run this command:
openssl speed rsa1024 -engine ibmca -elapsed
If you get 'can't use that engine', as the first line
of output of the command look for the successive line
and check:
- if running "rcz90crypt restart" gives no error message
- the output of command "dmesg" for error messages from the driver
- the hardware is indeed available to this instance
4) Installation and Setup of mod_ssl and apache
a) ensure that mod_ssl and apache are installed during base
install. If the installation source is accessible,
the command
yast sw_single mod_ssl
will install apache and mod_ssl if they are not installed yet.
b) to activate the apache ssl support do the following:
if you did not use yast to install the packages, you have
to run manually: SuSEconfig --module apache
edit /etc/sysconfig/apache:
change HTTPD_START_TIMEOUT=2 to 20
change HTTPD_SEC_MOD_SSL=no to yes
edit httpd.conf in /etc/httpd:
in section 2: check that the ServerName and ServerMail in
the ServerAdmin section is ok.
in section 3: set inside <VirtualHost_default_: 443> the
ServerName to host name
add on section <IfModule mod_ssl.c>: SSLCryptoDevice ibmca
run: SuSEconfig --module apache
5) Crypto configuration of apache/mod_ssl:
a) create a certificate (Snake Oil) for the TEST --- THIS
CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR
TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A
CERTIFICATION AUTHORITY FOR PRODUCTION USE.
go to: cd /usr/share/doc/packages/mod_ssl
run: ./certificate.sh
see following questions will come up. Give shown answers
and use the pass phrase:
der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R
STEP 1: Generating RSA private key (1024 bit) [server.key]
123006 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..++++++
.................++++++
e is 65537 (0x10001)
STEP 2: Generating X.509 certificate signing request
[server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:DE
2. State or Province Name (full name) [Snake Desert]:
<enter>
3. Locality Name (eg, city) [Snake Town]:
<enter>
4. Organization Name (eg, company) [Snake Oil, Ltd]:
<enter>
5. Organizational Unit Name (eg, section) [Webserver Team]:
<enter>
6. Common Name (eg, FQDN) [www.snakeoil.dom]:
<enter>
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:
<enter>
STEP 3: Generating X.509 certificate signed by Snake Oil CA
[server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil,
Ltd/OU=Webserver
Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
/etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake
Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil
CA/Email=ca@snakeoil.dom
error 10 at 1 depth lookup:certificate has expired
OK
STEP 4: Enrypting RSA private key with a pass phrase for
security [server.key]
The contents of the server.key file (the generated private key)
has to be
kept secret. So we strongly recommend you to encrypt the
server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: Y
read RSA key
writing RSA key
Enter PEM pass phrase: <=== crypto
Verifying password - Enter PEM pass phrase: <=== crypto
Fine, you're using an encrypted RSA private key.
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you
configure with the 'SSLCertificateKeyFile' directive
(automatically done when you install via APACI). KEEP
THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file
which you can send to an official Certificate Authority
(CA) in order to request a real server certificate
(signed by this CA instead of our demonstration-only
Snake Oil CA) which later can replace the
conf/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
der3gbe:/usr/share/doc/packages/mod_ssl #
6) Start Apache with SSL
a) start with pass phrase (Changes done to apache modul
described in item c)).
run: rcapache start
dev3fe01:~ # rcapache start
Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26
mod_ssl/2.8.10 (Pass Phrase Dialog)
Some of your private key files are encrypted for security
reasons.
In order to read them you have to provide us with the pass
phrases.
Server dev3fe01.boeblingen.de.ibm.com:443 (RSA)
Enter pass phrase: crypto
Ok: Pass Phrase Dialog successful.
done
b) start without pass phrase when using apache without
ssl-support
remark: You need to change the apache modul (see
item c)). Set the HTTPD_SEC_MOD_SSL=no.
run: rcapache start
7) Check that ibmca is used and apache is working with http and https:
a) On a browser enter http://<server-host> or
https://<server-host>
b) with netstat or netstat -a on the apache server machine you
can see if https is used.
c) in the log /var/log/httpd/ssl_engine_log you can see if the
ibmca engine is started or not.
d) during siege test you can see with cat /proc/driver/z90crypt
if and what crypto HW is used
e) you can check a http connection with telnet <server-host>
http. Then enter
get / http/1.0
and you should get back some stuff after pressing enter
twice.
f) You can check if openssl works with the ibmca engine
a) Therefore you must create certificates:
cd /usr/share/ssl/misc
run: ./CA.sh -newcert
dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......................++++++
.++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: <== geheim
Verifying password - Enter PEM pass phrase: <== geheim
Verify failure
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
<== press enter
State or Province Name (full name) [Some-State]:
<== press enter
Locality Name (eg, city) []:
<== press enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<== press enter
Organizational Unit Name (eg, section) []:
<== press enter
Common Name (eg, YOUR name) []: <== press enter
Email Address []: <== press
enter
Certificate (and private key) is in newreq.pem
run: ./CA.sh -newca
dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca
CA certificate filename (or enter to create)
newreq.pem
dev3fe02:
b) Use openssl as a Web-browser and use https connection:
openssl s_client \
-connect <ip-addr of webserver>:443 -state -debug
The machine were you start the client is working as
your 'browser' connecting to the webserver. You can
start commands from the client like get / http/1.0 .
c) Use openssl as a Web-server and use https connection:
openssl s_server \
-accept 443 -www -engine ibmca -cert newreq.pem
The machine is working like a small webserver with full
openssl functionality. You can start your browser to
this machine and a lot of info will be sent.
dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443
-www -cert newreq.pem -engine ibmca
engine "ibmca" set.
Using default temp DH parameters
Enter PEM pass phrase: <== geheim
ACCEPT
-------------------------------------------------------------------

View File

@ -0,0 +1,28 @@
From 0a7e4c34a0cc58e1242d4b131e9c224736eadef2 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Mon, 28 Oct 2024 13:04:19 +0100
Subject: [PATCH] fips update: remove sigVer from fips ECDSA kat
From https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-capabilities.adoc
"The 'componentTest' property is only valid for detECDSA / sigGen / FIPS186-5 and
ECDSA / sigGen / * registrations." i.e., only ECDSA sigGen component can be tested.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index 4d1db07..3c26043 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -1240,9 +1240,6 @@ ecdsa_kat(void)
/* adapter handle not needed here, just CPACF */
rc = ica_ecdsa_sign_ex_internal(0, eckey, tv->hash, tv->hashlen,
sigbuf, tv->siglen, tv->k);
- if (rc)
- goto _err_;
- rc = ica_ecdsa_verify(0, eckey, tv->hash, tv->hashlen, sigbuf, tv->siglen);
if (rc)
goto _err_;
if (memcmp(sigbuf, tv->sig, tv->siglen) != 0) {

View File

@ -0,0 +1,116 @@
From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Mon, 28 Oct 2024 13:44:11 +0100
Subject: [PATCH] fips update: Change service indicator implementation
Perform checks for non-approved algorithms / parameters directly into the
APIs that perform the services.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/ica_api.c b/src/ica_api.c
index 0826af8..d071f61 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
+ return EPERM;
#endif /* ICA_FIPS */
if (public_key->key_length != private_key->key_length)
@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
#endif /* ICA_FIPS */
if (public_key->key_length != private_key->key_length)
@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
#endif /* ICA_FIPS */
/* check if p > q */
@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
#endif /* ICA_FIPS */
/* check for obvious errors in parms */
@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
#ifdef ICA_FIPS
if (fips >> 1)
return NULL;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return NULL;
#endif /* ICA_FIPS */
if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(key->nid) ||
!curve_supported_via_cpacf(key->nid)) {
@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(key->nid) ||
!curve_supported_via_cpacf(key->nid))
@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(privkey_A->nid) ||
!curve_supported_via_cpacf(privkey_A->nid))
@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
if (!curve_supported_via_openssl(privkey->nid) ||
!curve_supported_via_cpacf(privkey->nid))
return EPERM;
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
+ return EPERM;
}
#endif /* ICA_FIPS */
@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
#ifdef ICA_FIPS
if (fips >> 1)
return EACCES;
+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
+ return EPERM;
if (fips & ICA_FIPS_MODE) {
if (!curve_supported_via_openssl(pubkey->nid) ||
!curve_supported_via_cpacf(pubkey->nid))

View File

@ -0,0 +1,164 @@
From b7d11c21d7f15dc11ae7354a7ec97299eacd7045 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:12:11 +0100
Subject: [PATCH] fips update: Dynamically update service indicator based on IV
usage
Fix handling to differentiate if the call to AES-GCM encryption API was approved
or not. If the IV was set externally, it's non-approved, otherwise with internal
IV it's approved. Bind the service indicator to the service by checking the
behavior of the GCM IV in the gcm API.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 6 ++++++
src/include/fips.h | 54 +++++++++++++++++++++++++++++++++++++++++++---
src/s390_crypto.c | 16 ++++++++++++++
3 files changed, 73 insertions(+), 3 deletions(-)
diff --git a/src/ica_api.c b/src/ica_api.c
index d071f61..c1bb4e1 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -3727,6 +3727,8 @@ unsigned int ica_aes_gcm(unsigned char *plaintext,
#ifdef ICA_FIPS
if (fips & ICA_FIPS_MODE)
return EPERM;
+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM))
+ return EPERM;
#endif /* ICA_FIPS */
return ica_aes_gcm_internal(plaintext, plaintext_length, ciphertext,
@@ -3776,6 +3778,8 @@ unsigned int ica_aes_gcm_initialize(const unsigned char *iv,
if (!ica_external_gcm_iv_in_fips_mode_allowed &&
direction == ENCRYPT && (fips & ICA_FIPS_MODE))
return EPERM;
+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM))
+ return EPERM;
#endif /* ICA_FIPS */
return ica_aes_gcm_initialize_internal(iv, iv_length, key, key_length,
@@ -4025,6 +4029,8 @@ int ica_aes_gcm_kma_init(unsigned int direction,
if (!ica_external_gcm_iv_in_fips_mode_allowed &&
direction == ICA_ENCRYPT && (fips & ICA_FIPS_MODE))
return EPERM;
+ if (!fips_approved(AES_GCM_KMA) && !fips_override(AES_GCM_KMA))
+ return EPERM;
#endif /* ICA_FIPS */
return ica_aes_gcm_kma_init_internal(direction, iv, iv_length,
diff --git a/src/include/fips.h b/src/include/fips.h
index c0af6b6..0a6e0bd 100644
--- a/src/include/fips.h
+++ b/src/include/fips.h
@@ -68,19 +68,19 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv,
/*
* List of non-fips-approved algorithms
*/
-static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
+static int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
DES_CFB, DES_CTR, DES_CTRLST, DES_CBC_MAC, DES_CMAC, P_RNG, DES3_ECB,
DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE,
- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG };
+ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
static const size_t FIPS_BLACKLIST_LEN
= sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
/*
* FIPS service indicator: List of tolerated but non-approved algorithms.
*/
-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG };
+static int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
static const size_t FIPS_OVERRIDE_LIST_LEN
= sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);
@@ -117,5 +117,53 @@ static inline int fips_override(int id)
return 0;
}
+
+static inline void add_to_fips_black_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) {
+ if (FIPS_BLACKLIST[i] == -1) {
+ FIPS_BLACKLIST[i] = id;
+ return;
+ }
+ }
+}
+
+static inline void add_to_fips_override_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) {
+ if (FIPS_OVERRIDE_LIST[i] == -1) {
+ FIPS_OVERRIDE_LIST[i] = id;
+ return;
+ }
+ }
+}
+
+static inline void remove_from_fips_black_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) {
+ if (FIPS_BLACKLIST[i] == id) {
+ FIPS_BLACKLIST[i] = -1;
+ return;
+ }
+ }
+}
+
+static inline void remove_from_fips_override_list(int id)
+{
+ size_t i;
+
+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) {
+ if (FIPS_OVERRIDE_LIST[i] == id) {
+ FIPS_OVERRIDE_LIST[i] = -1;
+ return;
+ }
+ }
+}
#endif /* FIPS_H */
#endif /* ICA_FIPS */
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
index 623864b..03655e7 100644
--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
@@ -30,6 +30,10 @@
#include "init.h"
#include "s390_crypto.h"
+#ifdef ICA_FIPS
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
+#endif
+
unsigned long long facility_bits[3];
unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
@@ -810,6 +814,18 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
if (*indicator_list_len < (sizeof(icaList) / sizeof(libica_func_list_element_int)))
return EINVAL;
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
+ add_to_fips_black_list(AES_GCM);
+ add_to_fips_override_list(AES_GCM);
+ add_to_fips_black_list(AES_GCM_KMA);
+ add_to_fips_override_list(AES_GCM_KMA);
+ } else {
+ remove_from_fips_black_list(AES_GCM);
+ remove_from_fips_override_list(AES_GCM);
+ remove_from_fips_black_list(AES_GCM_KMA);
+ remove_from_fips_override_list(AES_GCM_KMA);
+ }
+
for (i = 0; i < *indicator_list_len; i++) {
indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);

View File

@ -0,0 +1,94 @@
From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:17:54 +0100
Subject: [PATCH] fips update: provide test for dynamic service indicator
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
API to allow and forbid an external GCM IV. Depending on whether the application
allows or forbids external IVs, the service indicator changes dynamically.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/test/fips_test.c b/test/fips_test.c
index 2bd3d40..873c4b0 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -13,6 +13,64 @@
#define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
+#ifdef ICA_FIPS
+static int test_gcm_iv_usage(void)
+{
+ libica_fips_indicator_element *fips_list = NULL;
+ unsigned int rc, i, fips_len, allow;
+ unsigned int approved_expected, override_expected;
+
+ for (allow = 0; allow < 2; allow++) {
+
+ approved_expected = allow == 1 ? 0 : 1;
+ override_expected = allow == 1 ? 1 : 0;
+
+ /* Check allowance of an external iv in fips mode */
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
+
+ /* Get fips indicator list */
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
+ printf("get_fips_indicator failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
+ if (!fips_list) {
+ printf("malloc fips_indicator list failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
+ printf("ica_get_fips_indicator failed\n");
+ free(fips_list);
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ for (i = 0; i < fips_len; i++) {
+ if (fips_list[i].mech_mode_id == AES_GCM ||
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
+ if (fips_list[i].fips_approved != approved_expected ||
+ fips_list[i].fips_override != override_expected) {
+ rc = EXIT_FAILURE;
+ free(fips_list);
+ goto done;
+ }
+ }
+ }
+
+ free(fips_list);
+ }
+
+ rc = 0;
+
+done:
+ return rc;
+}
+#endif /* ICA_FIPS */
+
int
main(void)
{
@@ -68,6 +126,10 @@ main(void)
printf("Libica FIPS integrity check failed.\n");
rv = EXIT_FAILURE;
}
+ if (test_gcm_iv_usage()) {
+ printf("Libica FIPS gcm iv usage check failed.\n");
+ rv = EXIT_FAILURE;
+ }
#endif /* ICA_FIPS */
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);

View File

@ -0,0 +1,40 @@
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
From: Holger Dengler <dengler@linux.ibm.com>
Date: Tue, 16 Apr 2024 14:18:23 +0200
Subject: [PATCH] test: disable CEX usage in OpenSSL for all tests
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
testcases use OpenSSL as helper and fallback, so disable the CEX
acceleration for all tests.
If the environment variable is already set, use it as is without
modifying it. In this case, it is up to the user to choose the right
settings.
Fixes: Issue #126
Link: https://github.com/opencryptoki/libica/issues/126
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
test/Makefile.am | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/Makefile.am b/test/Makefile.am
index 76d4f15..e56b256 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -61,10 +61,14 @@ TESTS += \
${top_builddir}/src/internal_tests/ec_internal_test
endif
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
TEST_EXTENSIONS = .sh .pl
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
PATH=${builddir}/../src/:$$PATH \
- LIBICA_TESTDATA=${srcdir}/testdata/;
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread

View File

@ -0,0 +1,83 @@
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 24 Apr 2024 10:44:26 +0200
Subject: [PATCH] Bugfix: correct rc handling with s390_pcc function
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_aes.h | 2 +-
src/include/s390_cmac.h | 2 +-
src/include/s390_crypto.h | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 6252dde0..a6ff27bd 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
memset(&parm_block.keys, 0, key_size);
- if (rc >= 0) {
+ if (rc == 0) {
memcpy(xts_parm, parm_block.xts_parameter,
sizeof(ica_aes_vector_t));
return 0;
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
index 76b9cca5..f19c069d 100644
--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
/* calculate final block (last/full) */
rc = s390_pcc(fc, pb_lookup.base);
memset(pb_lookup.keys, 0, key_size);
- if (rc < 0)
+ if (rc != 0)
return EIO;
_stats_increment(fc, ALGO_HW, ENCRYPT);
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f34241fd..f11eacb2 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
/**
* s390_pcc:
- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
* @param: address of parameter block; see POP for details on each func
*
* Executes the PCC operation of the CPU.
*
- * Returns -1 for failure, 0 for the query func, number of processed
- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
*/
static inline int s390_pcc(unsigned long func, void *param)
{
register unsigned long r0 asm("0") = (unsigned long)func;
register unsigned long r1 asm("1") = (unsigned long)param;
+ char cc;
- asm volatile (
- "0: .long %[opc] << 16\n"
- " brc 1,0b\n"
- :
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
- : "cc", "memory");
+ asm volatile(
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " ipm %[cc]\n"
+ " srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+ : "cc", "memory"
+ );
- return 0;
+ return cc;
}
/**

View File

@ -0,0 +1,366 @@
From 900557435b85f2fa6446bf9d62e80d58eff4bfbe Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 19 Jun 2024 12:34:26 +0200
Subject: [PATCH] Use __asm__ instead of asm
The asm keyword is a GNU extension. When writing code that can be compiled with
-ansi and the various -std options, use __asm__ instead of asm.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_crypto.h | 194 +++++++++++++++++++-------------------
1 file changed, 97 insertions(+), 97 deletions(-)
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f11eacb..6ef4728 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -253,11 +253,11 @@ void s390_crypto_switches_init(void);
*/
static inline int s390_pcc(unsigned long func, void *param)
{
- register unsigned long r0 asm("0") = (unsigned long)func;
- register unsigned long r1 asm("1") = (unsigned long)param;
+ register unsigned long r0 __asm__("0") = (unsigned long)func;
+ register unsigned long r1 __asm__("1") = (unsigned long)param;
char cc;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
" brc 1,0b\n" /* handle partial completion */
" ipm %[cc]\n"
@@ -285,12 +285,12 @@ static inline int s390_pcc(unsigned long func, void *param)
static inline int s390_kmac(unsigned long func, void *param,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre, 0xb91e0000,%0,%0 \n"
" brc 1, 0b \n"
: "+a"(__src), "+d"(__src_len)
@@ -318,15 +318,15 @@ static inline int s390_kma(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len,
const unsigned char *aad, long aad_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
- register const unsigned char *__aad asm("6") = aad;
- register long __aad_len asm("7") = aad_len;
-
- asm volatile(
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
+ register const unsigned char *__aad __asm__("6") = aad;
+ register long __aad_len __asm__("7") = aad_len;
+
+ __asm__ volatile(
"0: .insn rrf,0xb9290000,%2,%0,%3,0 \n"
"1: brc 1,0b \n" /* handle partial completion */
: "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__aad), "+d" (__aad_len)
@@ -353,14 +353,14 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des
const unsigned char *src, long src_len,
unsigned char *counter)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
- register unsigned char *__ctr asm("6") = counter;
-
- asm volatile(
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
+ register unsigned char *__ctr __asm__("6") = counter;
+
+ __asm__ volatile(
"0: .insn rrf,0xb92d0000,%2,%0,%3,0 \n"
"1: brc 1,0b \n"
: "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__ctr)
@@ -386,13 +386,13 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des
static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len, unsigned int *lcfb)
{
- register long __func asm("0") = ((*lcfb & 0x000000ff) << 24) | func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = ((*lcfb & 0x000000ff) << 24) | func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb92a0000,%2,%0 \n"
" brc 1,0b \n"
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -418,13 +418,13 @@ static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest,
static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre, 0xb92b0000,%2,%0 \n"
" brc 1, 0b \n"
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -450,13 +450,13 @@ static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest,
static inline int s390_km(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb92e0000,%2,%0 \n" /* KM opcode */
" brc 1,0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -482,13 +482,13 @@ static inline int s390_km(unsigned long func, void *param, unsigned char *dest,
static inline int s390_kmc(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre, 0xb92f0000,%2,%0 \n" /* KMC opcode */
" brc 1, 0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -515,15 +515,15 @@ static inline int s390_kimd_shake(unsigned long func, void *param,
unsigned char *dest, long dest_len,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register unsigned char *__dest asm("2") = dest;
- register long __dest_len asm("3") = dest_len;
- register const unsigned char *__src asm("4") = src;
- register long __src_len asm("5") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register unsigned char *__dest __asm__("2") = dest;
+ register long __dest_len __asm__("3") = dest_len;
+ register const unsigned char *__src __asm__("4") = src;
+ register long __src_len __asm__("5") = src_len;
int ret = -1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,0xb93e0000,%1,%5\n\t" /* KIMD opcode */
" brc 1,0b\n\t" /* handle partial completion */
" la %0,0\n\t"
@@ -538,12 +538,12 @@ static inline int s390_kimd_shake(unsigned long func, void *param,
static inline int s390_kimd(unsigned long func, void *param,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb93e0000,%0,%0 \n" /* KIMD opcode */
" brc 1,0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len)
@@ -569,15 +569,15 @@ static inline int s390_klmd_shake(unsigned long func, void *param,
unsigned char *dest, long dest_len,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register unsigned char *__dest asm("2") = dest;
- register long __dest_len asm("3") = dest_len;
- register const unsigned char *__src asm("4") = src;
- register long __src_len asm("5") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register unsigned char *__dest __asm__("2") = dest;
+ register long __dest_len __asm__("3") = dest_len;
+ register const unsigned char *__src __asm__("4") = src;
+ register long __src_len __asm__("5") = src_len;
int ret = -1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,0xb93f0000,%1,%5\n\t" /* KLMD opcode */
" brc 1,0b\n\t" /* handle partial completion */
" la %0,0\n\t"
@@ -592,12 +592,12 @@ static inline int s390_klmd_shake(unsigned long func, void *param,
static inline int s390_klmd(unsigned long func, void *param,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb93f0000,%0,%0 \n" /* KLMD opcode */
" brc 1,0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len)
@@ -624,13 +624,13 @@ static inline int s390_klmd(unsigned long func, void *param,
static inline int s390_kdsa(unsigned long func, void *param,
const unsigned char *src, unsigned long srclen)
{
- register unsigned long r0 asm("0") = (unsigned long)func;
- register unsigned long r1 asm("1") = (unsigned long)param;
- register unsigned long r2 asm("2") = (unsigned long)src;
- register unsigned long r3 asm("3") = (unsigned long)srclen;
+ register unsigned long r0 __asm__("0") = (unsigned long)func;
+ register unsigned long r1 __asm__("1") = (unsigned long)param;
+ register unsigned long r2 __asm__("2") = (unsigned long)src;
+ register unsigned long r3 __asm__("3") = (unsigned long)srclen;
unsigned long rc = 1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,%[__opc] << 16,0,%[__src]\n"
" brc 1,0b\n" /* handle partial completion */
" brc 7,1f\n"
@@ -668,15 +668,15 @@ static inline int s390_ppno(long func,
const unsigned char *src,
long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register unsigned char *__dest asm("2") = dest;
- register long __dest_len asm("3") = dest_len;
- register const unsigned char *__src asm("4") = src;
- register long __src_len asm("5") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register unsigned char *__dest __asm__("2") = dest;
+ register long __dest_len __asm__("3") = dest_len;
+ register const unsigned char *__src __asm__("4") = src;
+ register long __src_len __asm__("5") = src_len;
int ret = -1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,0xb93c0000,%1,%5\n\t" /* PPNO opcode */
" brc 1,0b\n\t" /* handle partial completion */
" la %0,0\n\t"
@@ -701,13 +701,13 @@ static inline int s390_ppno(long func,
static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len,
unsigned char *cbuf, unsigned long cbuf_len)
{
- register unsigned long r0 asm("0") = (unsigned long) S390_CRYPTO_TRNG;
- register unsigned long r2 asm("2") = (unsigned long) ucbuf;
- register unsigned long r3 asm("3") = (unsigned long) ucbuf_len;
- register unsigned long r4 asm("4") = (unsigned long) cbuf;
- register unsigned long r5 asm("5") = (unsigned long) cbuf_len;
+ register unsigned long r0 __asm__("0") = (unsigned long) S390_CRYPTO_TRNG;
+ register unsigned long r2 __asm__("2") = (unsigned long) ucbuf;
+ register unsigned long r3 __asm__("3") = (unsigned long) ucbuf_len;
+ register unsigned long r4 __asm__("4") = (unsigned long) cbuf;
+ register unsigned long r5 __asm__("5") = (unsigned long) cbuf_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb93c0000,%[ucbuf],%[cbuf]\n"
" brc 1,0b\n" /* handle partial completion */
: [ucbuf] "+a" (r2), [ucbuflen] "+d" (r3),
@@ -719,21 +719,21 @@ static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len,
static inline void s390_stckf_hw(void *buf)
{
- asm volatile(".insn s,0xb27c0000,%0"
+ __asm__ volatile(".insn s,0xb27c0000,%0"
: "=Q" (*((unsigned long long *)buf)) : : "cc");
}
static inline void s390_stcke_hw(void *buf)
{
- asm volatile(".insn s,0xb2780000,%0"
+ __asm__ volatile(".insn s,0xb2780000,%0"
: "=Q" (*((unsigned long long *)buf)) : : "cc");
}
static inline int __stfle(unsigned long long *list, int doublewords)
{
- register unsigned long __nr asm("0") = doublewords - 1;
+ register unsigned long __nr __asm__("0") = doublewords - 1;
- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
+ __asm__ volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
: "+d" (__nr) : "a" (list) : "memory", "cc");
return __nr + 1;
@@ -741,7 +741,7 @@ static inline int __stfle(unsigned long long *list, int doublewords)
static inline void s390_flip_endian_32(void *dest, const void *src)
{
- asm volatile(
+ __asm__ volatile(
" lrvg %%r0,0(0,%[__src])\n"
" lrvg %%r1,8(0,%[__src])\n"
" lrvg %%r4,16(0,%[__src])\n"
@@ -757,7 +757,7 @@ static inline void s390_flip_endian_32(void *dest, const void *src)
static inline void s390_flip_endian_64(void *dest, const void *src)
{
- asm volatile(
+ __asm__ volatile(
" lrvg %%r0,0(0,%[__src])\n"
" lrvg %%r1,8(0,%[__src])\n"
" lrvg %%r4,16(0,%[__src])\n"

3
libica-4.3.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:112c6136fd5ccfd6a1d33b5fd2427f5fec69aa2a0fc04e80a6ab58d7b9012db3
size 576077

BIN
libica-4.3.1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
libica-4.4.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,55 @@
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Mon, 7 Jun 2021 21:12:01 +0200
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
openssl-fipshmac | 12 ++++++++++++
src/Makefile.am | 4 ++--
2 files changed, 14 insertions(+), 2 deletions(-)
create mode 100755 openssl-fipshmac
diff --git a/openssl-fipshmac b/openssl-fipshmac
new file mode 100755
index 0000000..60fd505
--- /dev/null
+++ b/openssl-fipshmac
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+if [ "$#" -eq 0 ] ; then
+ echo "No library to hash specified." >&2
+ exit 22
+fi
+
+while [ -n "$1" ] ; do
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
+ shift
+done
diff --git a/src/Makefile.am b/src/Makefile.am
index 4a1ef14..2be01a5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -47,6 +47,7 @@
./mp.pl mp.S
if ICA_FIPS
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
fipsinstall:
$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
@@ -58,8 +59,7 @@
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
hmac-file: libica.la libica-cex.la
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
hmac_files = hmac-file hmac-file-lnk
--
2.31.1

3
libica-rpmlintrc Normal file
View File

@ -0,0 +1,3 @@
addFilter("libica-tools.* * devel-file-in-non-devel-package * /usr/lib64/libica.so")
addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica.so.*.hmac")
addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica-cex.so.*.hmac")

View File

@ -0,0 +1,15 @@
--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
+++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
@@ -65,10 +65,9 @@
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
* The known HMAC is supposed to be provided as hex string in a file
* .libica.so.VERSION.hmac in the same directory as the .so module.
- */
+ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
static const char hmackey[] =
- "0000000000000000000000000000000000000000000000000000000000000000"
- "0000000000000000000000000000000000000000000000000000000000000000";
+ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
#endif /* ICA_INTERNAL_TEST */

860
libica.changes Normal file
View File

@ -0,0 +1,860 @@
-------------------------------------------------------------------
Tue Dec 31 10:44:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289)
* Updates for FIPS 140-3 certification 2024
* Various bug fixes and housekeeping
- Removed obsolete patches
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
* libica-02-fips-update-Change-service-indicator-implementation.patch
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
-------------------------------------------------------------------
Wed Dec 4 07:05:18 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1234117, bsc#1231999)
* downgraded libica tools requires down to recommends again
-------------------------------------------------------------------
Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
* libica-02-fips-update-Change-service-indicator-implementation.patch
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
-------------------------------------------------------------------
Tue Nov 5 12:07:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
* libica-02-fips-update-Change-service-indicator-implementation.patch
-------------------------------------------------------------------
Tue Oct 29 06:22:04 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
* Various bug fixes and housekeeping
- Removed obsolete patches
* libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
* libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
* libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
-------------------------------------------------------------------
Wed Oct 23 09:05:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1231999)
* Replaced Recommends libica-tools with Requires
-------------------------------------------------------------------
Wed Jul 3 10:51:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied patches
* libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
* libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
* libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
- Amended the .spec file to enable FIPS
-------------------------------------------------------------------
Mon Jan 29 07:52:34 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade libica to version 2.3.0 (jsc#PED-5446)
* New API function ica_allow_external_gcm_iv_in_fips_mode
* Bug fixes
-------------------------------------------------------------------
Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 4.2.3 (jsc#PED-5446)
* Add OPENSSL_init_crypto in libica constructor
* Remove deprecated ioctl Z90STAT_STATUS_MASK
* Bug fixes
-------------------------------------------------------------------
Tue May 23 14:16:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
- [UPDATE] syslog msgs only in error cases
- [UPDATE] don't count statistics in fips power-on self tests
- [PATCH] various fixes and some new tests
-------------------------------------------------------------------
Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet
-------------------------------------------------------------------
Thu Apr 27 16:12:06 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Prefix /etc/libica with %dir to ensure we don't package
unversioned files in libica4, as otherwise we violate SLPP.
-------------------------------------------------------------------
Thu Apr 27 14:34:27 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Add /etc/libica directory into %files section.
-------------------------------------------------------------------
Fri Feb 17 11:08:33 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 4.2.1 (jsc#PED-2872)
- [PATCH] fix regression opening shared memory
-------------------------------------------------------------------
Mon Jan 16 13:00:34 UTC 2023 - Marcus Meissner <meissner@suse.com>
- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365).
- [FEATURE] Display build info via icainfo -v
- [FEATURE] New API function ica_get_build_version()
- [FEATURE] Display fips indication via icainfo -f
- [FEATURE] New API function ica_get_fips_indicator()
- [FEATURE] New API function ica_aes_gcm_initialize_fips()
- [FEATURE] New API function ica_aes_gcm_kma_get_iv()
- [FEATURE] New API function ica_get_msa_level()
- [PATCH] icainfo: check for malloc error when getting functionlist
-------------------------------------------------------------------
Tue Oct 11 20:32:12 UTC 2022 - Mark Post <mpost@suse.com>
- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365).
v4.1.1
- [PATCH] Fix aes-xts multi-part operations
[PATCH] Fix make dist
v4.1.0
- [FEATURE] FIPS: make libica FIPS 140-3 compliant
[FEATURE] New API function ica_ecdsa_sign_ex()
[FEATURE] New icainfo output option -r
- [PATCH] Various bug fixes
- Removed the following obsolete files:
baselibs.conf
icaioctl.h
-------------------------------------------------------------------
Mon Sep 12 19:09:59 UTC 2022 - Mark Post <mpost@suse.com>
- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629)
v4.0.3
- [PATCH] Reduce the number of open file descriptors
- [PATCH] Various bug fixes
v4.0.2
- [PATCH] Various bug fixes
v4.0.1
- [PATCH] Various bug fixes
- [PATCH] Compute HMAC from installed library
v4.0.0
- [UPDATE] NO_SW_FALLBACKS is now the default for libica.so
[UPDATE] Removed deprecated API functions including tests
[UPDATE] Introduced 'const' for some API function parameters
[FEATURE] icastats: new parm -k to display detailed counters
- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated
version named libica-sles15sp5-FIPS-hmac-key.patch.
- Updated the libica-rpmlintrc file to suppress warnings about the
libica-cex hmac files being hidden.
- Updated the spec file to properly both obsolete and provide two
older versions of the package.
-------------------------------------------------------------------
Tue Oct 19 21:20:22 UTC 2021 - Mark Post <mpost@suse.com>
- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564)
- [FEATURE] Add support for OpenSSL 3.0
- [FEATURE] icainfo: new parm -c to display available EC curves
- Replaced the obsolete PreReq: %fillup_prereq
with Requires(post): %fillup_prereq
in the spec file.
-------------------------------------------------------------------
Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
- Update to version 3.8.0 (jsc#SLE-18334)
- [FEATURE] provide libica-cex module to satisfy special security requirements
- [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
- libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
- libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
* FIPS: Find libica from phdrs.
- libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
* FIPS: enforce the hmac check
- libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
+ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists
-------------------------------------------------------------------
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
- Upgraded to version 3.7.0 (jsc#SLE-13708)
* Version 3.7.0
- [FEATURE] FIPS: Add HMAC based library integrity check
- [PATCH] icainfo: bugfix for RSA and EC related info for software column.
- [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
- [PATCH] FIPS: Fix DES and TDES key length
- [PATCH] icastats: Fix stats counter format
* Version 3.6.1
- [PATCH] Fix x25519 and x448 handling of non-canonical values
- Removed the following obsolete patches
* libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
* libica-sles15sp2-Build-with-pthread-flag.patch
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
-------------------------------------------------------------------
Tue Sep 15 21:08:38 UTC 2020 - Mark Post <mpost@suse.com>
- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277)
* Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
* Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- Fix FIPS hmac check (bsc#1175356).
* Update FIPS support to upstream
- Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
from upstream.
- Add libica-sles15sp2-Build-with-pthread-flag.patch
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
- Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
* FIPS check should fail when hmac is missing
- Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Create an hmac for the selftest
- Check that selftest fails without a hmac
- Hash libica.so.3 rather than libica.so.3.6.0
* Fix hmac key format. It should be hexadecimal, not ASCII
- Refresh libica-sles15sp2-FIPS-hmac-key.patch
- Fix Some internal variables used to store sensitive information
(keys) were not zeroized before returning to the calling application.
(bsc#1175357)
* Added libica-sles15sp2-Zeroize-local-variables.patch
- Updated libica-rpmlintrc to eliminate the warning about the HMAC file
being a hidden file. It is supposed to be hidden.
-------------------------------------------------------------------
Thu May 7 18:01:31 UTC 2020 - Mark Post <mpost@suse.com>
- Added the following patches for FIPS certification (bsc#1162533)
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
* libica-sles15sp2-FIPS-hmac-key.patch
- Added a BuildRequires for the fipscheck package.
- Made a couple of changes to the spec file based upon recommendations
by spec-cleaner.
-------------------------------------------------------------------
Wed Apr 8 18:55:24 UTC 2020 - Mark Post <mpost@suse.com>
- Added the following patches for FIPS certification.
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
(bsc#1166071) Although a DES key has only 56 effective bits,
all 64 bits must be considered, because the parity bits are
spread over all 8 bytes of the key.
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
(bsc#1166210) FIPS tests require the output iv to be the iv
resulting from decrypting the last block with a zero iv as input.
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
(bsc#1166224) The output from icainfo never shows 'yes' for
RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
due to the missing ICA_FLAG_SW flag in the icaList.
-------------------------------------------------------------------
Thu Nov 14 22:45:16 UTC 2019 - Mark Post <mpost@suse.com>
- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
(bsc#1156768)
-------------------------------------------------------------------
Tue Oct 15 18:53:36 UTC 2019 - Mark Post <mpost@suse.com>
- Upgraded to version 3.6.0 (jsc#SLE-7584)
* [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448
-------------------------------------------------------------------
Fri Aug 30 21:46:50 UTC 2019 - Mark Post <mpost@suse.com>
- Upgraded to version 3.5.0 (Fate#327840)
- [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify
- Reworked how libica-tools loads and unloads kernel modules to
avoid spurious error messages (bsc#1134004):
* Converted the boot.z90crypt sysV init script to a systemd unit
file.
* Removed any references to insserv in the spec file.
* Updated the z90crypt script itself to properly load and unload
the kernel modules as they exist today.
* Eliminated the obsolete libica-SuSE.tar.bz2 archive.
- Updated the README.SUSE file to reflect the change from sysV init
style script to systemd.
- Made numerous changes to the spec file, based on the output from
the spec-cleaner command.
-------------------------------------------------------------------
Wed Jul 24 10:09:46 UTC 2019 - Martin Pluskal <mpluskal@suse.com>
- Run testsuite during build
-------------------------------------------------------------------
Thu Nov 15 19:16:30 UTC 2018 - mpost@suse.com
- Upgraded to version 3.4.0 (Fate#325690)
* v3.4.0
[FEATURE] Add SHA-512/224 and SHA-512/256 support
- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch
- Made numerous updates to spec file based on spec-cleanup run.
-------------------------------------------------------------------
Wed Nov 14 18:01:37 UTC 2018 - mpost@suse.com
- Upgraded to version 3.3.3 (Fate#325690)
* v3.3.3
[PATCH] Various bug fixes
* v3.3.2
[PATCH] Skip ECC tests if required HW is not available
[PATCH] Update spec file
* v3.3.1
[PATCH] Fix configure.ac to honour CFLAGS
* v3.3.0
[FEATURE] Add CEX supported elliptic-curve crypto interfaces
[FEATURE] Add SIMD supported multiple-precision arithmetic interfaces
[FEATURE] Add interface to enable/disable SW fallbacks
[FEATURE] Add 'make check' target, test-suite rework
* v3.2.1
[FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG.
[PATCH] Various bug fixes.
- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch
- Removed COPYING from %files, since it is no longer in the tarball.
- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch
(bsc#1103493).
- Made multiple changes to the spec file based on the output of
spec-cleaner
-------------------------------------------------------------------
Mon Oct 22 19:09:13 UTC 2018 - mpost@suse.com
- Added "Obsoletes: libica-2_3_0" to the libica-tools package to
fix a problem with upgrading from SLES12 SP2 to either SLES12
SP3/SP4, or SLES15. (bsc#1112655)
-------------------------------------------------------------------
Tue Sep 11 17:19:57 UTC 2018 - mpost@suse.com
- Added "Obsoletes: libica2" to the libica-tools package to fix
a problem with upgrading from SLES12 SP2 to either SLES12
SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638)
-------------------------------------------------------------------
Wed Apr 18 02:29:29 UTC 2018 - mpost@suse.com
- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756)
- Updated boot.z90crypt script to fix a problem with the modprobe
command not being found. (bsc#1040229).
- Added "Recommends: libica-tools" (bsc#1046435).
-------------------------------------------------------------------
Thu Nov 23 13:53:22 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Wed Oct 4 19:22:58 UTC 2017 - mpost@suse.com
- Added "--enable-fips" to the %configure parms (Fate#324115)
-------------------------------------------------------------------
Fri Sep 22 21:27:04 UTC 2017 - mpost@suse.com
- Upgraded to version 3.2 (Fate#321517)
* v3.2.0
[FEATURE] New AES-GCM interface.
[UPDATE] Add symbol versioning.
* v3.1.1
[PATCH] Various bug fixes related to old and new AES-GCM implementations.
[UPDATE] Add SHA3 test cases. Improved and extended test suite.
* v3.1.0
[FEATURE] Add KMA support for AES-GCM.
[FEATURE] Add SHA-3 support.
[PATCH] Reject RSA keys with invalid key-length.
[PATCH] Allow zero output length for ica_random_number_generate.
[PATCH] icastats: Correct owner of shared segment when root creates it.
* Removed the following obsolete patches:
libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
libica-3.0.2-03-fix-aes-ctr.patch
libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
-------------------------------------------------------------------
Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com
- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567)
- Added the following patches (bsc#1058567)
- libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
- libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
- libica-3.0.2-03-fix-aes-ctr.patch
- libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
-------------------------------------------------------------------
Thu Jun 1 14:36:04 UTC 2017 - fcrozat@suse.com
- baselibs.conf doesn't need any additional provides/conflicts for
libica3.
-------------------------------------------------------------------
Fri May 12 09:07:34 UTC 2017 - fcrozat@suse.com
- Update baselibs.conf with proper name for library package name,
stop providing/obsoleting libica-2_1_0/libica-2_3-0.
-------------------------------------------------------------------
Tue May 9 17:23:11 UTC 2017 - mpost@suse.com
- Upgraded to version 3.0.2 (Fate#322025).
- v3.0.2
- Fix locking callbacks for openSSL APIs.
- v3.0.1
- Fixed msa level detection on zEC/BC12 GA1 and predecessors.
- v3.0.0
- Added FIPS mode.
- Sanitized exported symbols.
- Removed deprecated APIs. Marked some APIs as deprecated.
- Adapted to OpenSSL v1.1.0.
- RSA key generation is thread-safe now.
- Removed the following obsolete patches:
- fix-initialization-of-s390-hardware-switches-1.patch
- fix-initialization-of-s390-hardware-switches-2.patch
- fix-msa-level-detection.patch
- fix-segfault-during-multithread-keygen.patch
- rng-performance.patch
-------------------------------------------------------------------
Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com
- Made the following packaging changes:
- Implemented the shared library packaging guidelines.
- Consolidated double invocation of %setup into just one.
- Dropped redundant %ifarch, the package is already ExclusiveArch.
- Updated descriptions.
- Added an libica-rpmlintrc file.
-------------------------------------------------------------------
Wed Nov 30 20:04:29 UTC 2016 - mpost@suse.com
- Added the following two patches:
- fix-segfault-during-multithread-keygen.patch (bsc#991485)
- fix-msa-level-detection.patch (bsc#1010927)
-------------------------------------------------------------------
Tue Aug 2 16:00:30 UTC 2016 - mpost@suse.com
- Added rng-performance.patch (bsc#990850).
-------------------------------------------------------------------
Tue Jun 14 21:03:41 UTC 2016 - mpost@suse.com
- Updated baselibs.conf to obsolete prior versions of the 32bit
package. (bsc#983897):
provides "libica-<targettype> = <version>"
obsoletes "libica-<targettype> < <version>"
provides "libica-2_1_0-<targettype> = <version>"
obsoletes "libica-2_1_0-<targettype> < <version>"
provides "libica-2_3_0-<targettype> = <version>"
obsoletes "libica-2_3_0-<targettype> < <version>"
-------------------------------------------------------------------
Wed May 18 16:52:44 UTC 2016 - mpost@suse.com
- Added fix-initialization-of-s390-hardware-switches-1.patch and
fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548)
-------------------------------------------------------------------
Mon Feb 22 19:12:49 UTC 2016 - mpost@suse.com
- Upgraded to version 2.6.2 (FATE#319610).
- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to
naming standards.
- Found the original location of the icaioctl.h file and downloaded
it to replace what we had previously.
- Removed the unnecessary libica2.la file
- Removed unnecessary Requires for glibc-devel
- Added Requires libica2 to the -devel package
- Converted call to configure to %configure macro
- Removed obsolete and unnecessary INSROOT and bindir parameters
from the make install command
-------------------------------------------------------------------
Fri Nov 6 16:02:05 CET 2015 - pth@suse.de
- Add Provides/Obsoletes for libica-2_3_0 so that the package from
SLE12 GA is replaced (bsc#953096).
-------------------------------------------------------------------
Wed Nov 4 10:41:19 UTC 2015 - meissner@suse.com
- move the .so file to the mainpackage, the openssl-ibmca engine
will only load "libica.so" (bsc#952871)
-------------------------------------------------------------------
Mon Aug 17 21:04:40 UTC 2015 - jjolly@suse.com
- Update to libica v2.4.2 (FATE#318035)
- Removed outdated libica-aes_ccm-31-bit-compatibility.patch
- Moved init script into libica-SuSE.tar.bz2 archive
-------------------------------------------------------------------
Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de
- sanitize release line in specfile
-------------------------------------------------------------------
Wed Aug 13 18:01:15 UTC 2014 - jjolly@suse.com
- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root
- Removed libica-SuSE.tar.bz2
- z90crypt now starts and stops ap kernel module (bnc#888943)
-------------------------------------------------------------------
Tue Mar 18 13:21:03 UTC 2014 - jjolly@suse.com
- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM:
fixed 64/31 bit compatibility
-------------------------------------------------------------------
Thu Mar 6 14:51:45 CET 2014 - ro@suse.de
- add obsoletes and provides for older libica versions
-------------------------------------------------------------------
Wed Mar 5 18:33:02 CET 2014 - ro@suse.de
- update to 2.3.0 (fate#315342)
- obsolete/upstreamed patches:
libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch
libica-2_1_0-msa4-extension.patch
libica-2_1_0-synchronize_shared_memory_ref_counting.patch
-------------------------------------------------------------------
Wed Feb 19 06:04:25 UTC 2014 - jjolly@suse.com
- Added COPYING to %files
-------------------------------------------------------------------
Tue Feb 18 14:33:13 UTC 2014 - jjolly@suse.com
- Fixed build dependency errors by requiring autoconf, automake
and libtool
- Changed license to CPL-1.0
- Created devel package
-------------------------------------------------------------------
Fri Dec 21 14:49:54 UTC 2012 - uli@suse.com
- Support for MSA4 extension (bnc#794518, fate#314078)
-------------------------------------------------------------------
Thu Oct 6 10:46:26 UTC 2011 - uli@suse.com
- synchronize shared memory reference counting for library
statistics (bnc#719659)
- fix temporary buffer allocation in ica_get_version() (bnc#719660)
-------------------------------------------------------------------
Tue Jun 14 11:50:13 CEST 2011 - uli@suse.de
- update -> 2.1.0 (fate#311914)
-------------------------------------------------------------------
Fri Jan 23 22:40:55 CET 2009 - jjolly@suse.de
- Moved icainfo into /usr/bin (bnc#448643)
-------------------------------------------------------------------
Tue Jan 13 12:34:56 CET 2009 - olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
-------------------------------------------------------------------
Wed Nov 5 01:34:34 CET 2008 - ro@suse.de
- fix build on all platforms
-------------------------------------------------------------------
Sun Nov 2 01:56:40 CET 2008 - jjolly@suse.de
- Added CPL license to include/z90crypt.h, removed GPL reference
(This patch is upstream)
-------------------------------------------------------------------
Wed Oct 15 15:55:55 CEST 2008 - jjolly@suse.de
- Changed package name to libica-1_3_9 to conform to rpmlint
requirements. (bnc#433432)
-------------------------------------------------------------------
Thu Sep 25 10:34:00 CEST 2008 - jjolly@suse.de
- Removed soname filter for rpmlint
- Several RPM fixes to help satisfy rpmlint
-------------------------------------------------------------------
Fri Sep 12 06:54:16 CEST 2008 - jjolly@suse.de
- Updated to libica 1.3.9
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support
-------------------------------------------------------------------
Thu Aug 9 19:20:07 CEST 2007 - olh@suse.de
- remove inclusion of linux/config.h
-------------------------------------------------------------------
Mon Mar 12 14:02:57 CET 2007 - uli@suse.de
- z90crypt: handle errors (bug #247799)
-------------------------------------------------------------------
Mon May 22 08:43:22 CEST 2006 - aj@suse.de
- Add gcc-c++ to BuildRequires.
-------------------------------------------------------------------
Fri May 19 16:50:02 CEST 2006 - ro@suse.de
- fix build for the rest of platforms
-------------------------------------------------------------------
Fri May 19 15:34:30 CEST 2006 - hare@suse.de
- Update to libica 1.3.7 (#160036 - LTC22571)
-------------------------------------------------------------------
Fri Apr 21 14:31:10 CEST 2006 - hare@suse.de
- Increasing # of open handles with symmetric crypto support
(#165323 - LTC23095)
-------------------------------------------------------------------
Wed Jan 25 21:37:29 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Wed Dec 14 01:30:49 CET 2005 - ro@suse.de
- include string.h and unistd.h in icalinux.c
-------------------------------------------------------------------
Mon Dec 12 15:09:25 CET 2005 - hare@suse.de
- Port package from SLES9 SP3
- Update to libica 1.3.6-rc3.
-------------------------------------------------------------------
Wed Nov 2 16:23:24 CET 2005 - hare@suse.de
- Close all filehandles (#130060 - LTC19221).
-------------------------------------------------------------------
Wed Oct 5 14:07:28 CEST 2005 - uli@suse.de
- downgrade to libica 1.3.6-rc2 (contains AES software fallback,
bug #117336)
-------------------------------------------------------------------
Thu Sep 29 12:44:50 CEST 2005 - hare@suse.de
- Update to libica 1.3.6 (#117336)
-------------------------------------------------------------------
Fri Sep 23 02:05:26 CEST 2005 - ro@suse.de
- fix implicit declaration
-------------------------------------------------------------------
Wed Aug 31 13:20:55 CEST 2005 - ihno@suse.de
- Changing the default value from 0 to -1 in rcz90crypt (#114371)
-------------------------------------------------------------------
Mon May 23 17:52:05 CEST 2005 - hare@suse.de
- Finally fix 'reload' messages (#81824 - LTC15733).
-------------------------------------------------------------------
Fri May 20 12:11:51 CEST 2005 - hare@suse.de
- Fix sigill patch.
-------------------------------------------------------------------
Wed May 18 13:17:39 CEST 2005 - hare@suse.de
- Remove printf output from sigill patch (#81829 - LTC15731).
-------------------------------------------------------------------
Tue May 10 12:56:38 CEST 2005 - hare@suse.de
- Use correct default value for z90crypt (#81825 - LTC15732).
-------------------------------------------------------------------
Mon May 9 14:49:52 CEST 2005 - hare@suse.de
- Fix messages for 'reload' (#81824 - LTC15733).
-------------------------------------------------------------------
Tue Feb 8 16:58:02 CET 2005 - hare@suse.de
- Fixed SIGILL on z900 (#46422).
-------------------------------------------------------------------
Fri Jul 23 10:06:08 CEST 2004 - hare@suse.de
- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005).
-------------------------------------------------------------------
Wed Jul 14 08:22:27 CEST 2004 - hare@suse.de
- Fix module loading error (#42006).
- Add sysconfig variable to set the 'domain' parameter (#42005).
-------------------------------------------------------------------
Wed Jun 23 12:58:58 CEST 2004 - uli@suse.de
- update -> 1.3.5-3 (bug #42122)
-------------------------------------------------------------------
Mon May 24 18:28:27 CEST 2004 - bk@suse.de
- Update README.SuSE and correct name as well
- Use modprobe instead of insmod and fix module load error(#40526)
- Fix error checking for no hardware found case and hw error on load
-------------------------------------------------------------------
Fri May 7 15:15:17 CEST 2004 - hare@suse.de
- Update Readme again for the correct name (SUSE LINUX Server).
- Moved README.SuSE to README.SUSE.
-------------------------------------------------------------------
Fri May 7 15:00:51 CEST 2004 - hare@suse.de
- Update Readme to refer to the correct name (SUSE Linux Server).
-------------------------------------------------------------------
Thu May 6 09:01:53 CEST 2004 - hare@suse.de
- Update to 1.3.5-2 (#38511, #39693).
- Update Readme to refer to SUSE Linux Server instead of
SuSE Linux Enterprise Server.
-------------------------------------------------------------------
Thu Apr 1 09:50:02 CEST 2004 - hare@suse.de
- Update to 1.3.5
- export CFLAGS & CPPFLAGS for configure
- Exclude S/390-specific files for other archs (#37183)
-------------------------------------------------------------------
Fri Jan 16 01:29:03 CET 2004 - ro@suse.de
- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS
-------------------------------------------------------------------
Tue Jan 13 10:00:42 CET 2004 - adrian@suse.de
- fix build
-------------------------------------------------------------------
Sun Jan 11 21:07:44 CET 2004 - adrian@suse.de
- build as user
-------------------------------------------------------------------
Wed Jul 30 18:14:08 CEST 2003 - poeml@suse.de
- update to 1.3.4
-------------------------------------------------------------------
Sun Jul 27 16:37:20 CEST 2003 - poeml@suse.de
- update to 1.3.2
-------------------------------------------------------------------
Fri Jul 11 11:30:22 CEST 2003 - poeml@suse.de
- update to 1.3.1:
now supports DES, TDES and SHA, as well as RSA.
- throw libica.patch away, since autoversion and Makefile.am have
similar changes now, and the renaming from _LINUX_S390_ to
__s390__ is not really necessary
- use %defattr
- checked that icaioctl.h is still current
- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone
open source meanwhile and comes with the kernel sources
-------------------------------------------------------------------
Thu Oct 31 10:45:00 CET 2002 - froh@suse.de
- added documentation how to set up crypto hardware support,
esp. S/390 and zSeries. (#16011, #22056)
-------------------------------------------------------------------
Thu Oct 10 11:07:07 CEST 2002 - froh@suse.de
- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5
actually work. (#20737)
-------------------------------------------------------------------
Tue Aug 20 10:52:45 CEST 2002 - mmj@suse.de
- Correct PreReq
-------------------------------------------------------------------
Wed Jul 31 15:00:23 CEST 2002 - froh@suse.de
- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and
to build on non-s390
-------------------------------------------------------------------
Tue Jul 30 10:56:33 CEST 2002 - froh@suse.de
- updated to current libica
- hacked in icaioctl.h for build, 'til we have the module in the
kernel.
-------------------------------------------------------------------
Sat Jul 27 16:16:35 CEST 2002 - adrian@suse.de
- add %run_ldconfig
-------------------------------------------------------------------
Tue May 7 14:27:50 CEST 2002 - ro@suse.de
- fix for current automake/autoconf
-------------------------------------------------------------------
Sat Apr 27 11:12:11 CEST 2002 - ro@suse.de
- removed old fillup-template and START_ variable
-------------------------------------------------------------------
Wed Mar 27 17:58:50 CET 2002 - ihno@suse.de
- modified etc/init.d/z90crypt-script to report result at start.
-------------------------------------------------------------------
Tue Feb 5 11:01:16 CET 2002 - froh@suse.de
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
-------------------------------------------------------------------
Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
- initial version
-------------------------------------------------------------------

210
libica.spec Normal file
View File

@ -0,0 +1,210 @@
#
# spec file for package libica
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: libica
Version: 4.4.0
Release: 0
Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0
Group: Hardware/Other
URL: https://github.com/opencryptoki/libica
Source: https://github.com/opencryptoki/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: README.SUSE
Source2: sysconfig.z90crypt
Source3: z90crypt
Source4: z90crypt.service
Source5: %{name}-rpmlintrc
###
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
###
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: fipscheck
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: openssl
BuildRequires: openssl-devel
Requires(post): %fillup_prereq
ExclusiveArch: s390 s390x
%description
This package contains the interface library routines used by IBM
modules to interface with the IBM eServer Cryptographic Accelerator
(ICA).
%package -n libica4
Summary: Library interface for the IBM Cryptographic Accelerator
Group: System/Libraries
Recommends: libica-tools
%description -n libica4
This package contains the interface library routines used by IBM
modules to interface with the IBM eServer Cryptographic Accelerator
(ICA).
%package tools
Summary: Utilities for the IBM Cryptographic Accelerator
Group: Hardware/Other
Obsoletes: libica < %{version}-%{release}
Obsoletes: libica-2_3_0 < %{version}-%{release}
Obsoletes: libica2 < %{version}-%{release}
Obsoletes: libica3 < %{version}-%{release}
Provides: libica = %{version}-%{release}
Provides: libica-2_3_0 = %{version}-%{release}
Provides: libica-plugin = %{version}-%{release}
Provides: libica2 = %{version}-%{release}
Provides: libica3 = %{version}-%{release}
%description tools
This package contains command-line utilities to inspect the IBM
eServer Cryptographic Accelerator (ICA).
%package devel
Summary: Development files for the ICA device driver interface library
Group: Development/Libraries/C and C++
Requires: libica4 = %{version}
Requires: libopenssl-devel
Obsoletes: libica-2_1_0-devel < %{version}-%{release}
Provides: libica-2_1_0-devel = %{version}-%{release}
Obsoletes: libica-2_3_0-devel < %{version}-%{release}
Provides: libica-2_3_0-devel = %{version}-%{release}
%description devel
This package contains the interface library routines used by IBM
modules to interface with the IBM eServer Cryptographic Accelerator
(ICA).
This subpackage contains the necessary files to compile and link
using the libica library.
%package devel-static
Summary: Static Development files for the ICA device driver interface library
Group: Development/Libraries/C and C++
Requires: libica-devel
%description devel-static
This package contains the interface library routines used by IBM
modules to interface with the IBM eServer Cryptographic Accelerator
(ICA).
This RPM contains all the tools necessary to compile and link using
the libica library.
%prep
%autosetup -p 1
%build
autoreconf --force --install
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
--enable-fips
%make_build clean
%make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release"
%define major %(echo %{version} | sed -e 's/[.].*//')
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
%install
%make_install FIPSHMAC=fipshmac
make fipsinstall FIPSHMAC=fipshmac DESTDIR=%{buildroot}
mkdir -p %{buildroot}%{_includedir}
cp -p include/ica_api.h %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
install -D %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
install -D %{SOURCE3} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
# and the dangling symlink test would fail
chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
cp -a %{SOURCE1} .
rm -vf %{buildroot}%{_libdir}/libica*.la
rm -f %{buildroot}%{_datadir}/doc/libica/*
rmdir %{buildroot}%{_datadir}/doc/libica
# rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
# rmdir %{buildroot}/%{_sysconfdir}/libica
%check
%make_build check FIPSHMAC=fipshmac
%pre tools
%service_add_pre z90crypt.service
%post tools
%service_add_post z90crypt.service
%{fillup_only -n z90crypt}
%preun tools
%service_del_preun z90crypt.service
%postun tools
%service_del_postun z90crypt.service
%post -n libica4 -p /sbin/ldconfig
%postun -n libica4 -p /sbin/ldconfig
%files -n libica4
%{_libdir}/libica.so.%{version}
%{_libdir}/libica.so.%{major}
%{_libdir}/.libica.so.%{version}.hmac
%{_libdir}/.libica.so.%{major}.hmac
%{_libdir}/libica-cex.so.%{version}
%{_libdir}/libica-cex.so.%{major}
%{_libdir}/.libica-cex.so.%{version}.hmac
%{_libdir}/.libica-cex.so.%{major}.hmac
### Enable FIPS
%dir %{_sysconfdir}/libica
%{_sysconfdir}/libica/openssl3-fips.cnf
###
%files tools
%license LICENSE
%doc README.SUSE
%{_sbindir}/rcz90crypt
%attr(644,root,root) %{_fillupdir}/sysconfig.z90crypt
%{_bindir}/icainfo
%{_bindir}/icainfo-cex
%{_bindir}/icastats
%{_mandir}/man1/icainfo.1%{?ext_man}
%{_mandir}/man1/icainfo-cex.1%{?ext_man}
%{_mandir}/man1/icastats.1%{?ext_man}
%dir %{_prefix}/lib/systemd/scripts
%{_prefix}/lib/systemd/scripts/z90crypt
%{_prefix}/lib/systemd/system/z90crypt.service
# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
%{_libdir}/libica.so
%files devel
%{_includedir}/ica_api.h
%{_libdir}/libica-cex.so
%files devel-static
%{_libdir}/libica.a
%{_libdir}/libica-cex.a
%changelog

10
sysconfig.z90crypt Normal file
View File

@ -0,0 +1,10 @@
## Path: Kernel/z90Crypt
## Description: Set domain parameter for z90crypt
## Type: integer(-1:15)
## Default: -1
#
# This variable selects the crypto domain to be used,
# required if an LPAR owns several crypto domains.
# The value of -1 is used for autodetect.
#
Z90CRYPT_DOMAIN=-1

21
z90crypt Normal file
View File

@ -0,0 +1,21 @@
#!/bin/sh
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
MODULE_LIST="pkey zcrypt_pcixcc zcrypt_cex2a zcrypt_cex4 zcrypt rng_core"
case "${1}" in
start) for module in ${MODULE_LIST}
do if ! grep -q ^{$module} /proc/modules ; then
modprobe ${module}
fi
done
;;
stop) for module in ${MODULE_LIST}
do if grep -q ^${module} /proc/modules ; then
rmmod ${module}
fi
done
;;
esac

13
z90crypt.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Activate any cryptographic hardware
After=systemd-modules-load.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/systemd/scripts/z90crypt start
ExecStop=/usr/lib/systemd/scripts/z90crypt stop
[Install]
WantedBy=default.target