- Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289)
* Updates for FIPS 140-3 certification 2024 * Various bug fixes and housekeeping - Removed obsolete patches * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch * libica-02-fips-update-Change-service-indicator-implementation.patch * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=31
This commit is contained in:
commit
e688997ad5
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
.osc
|
331
README.SUSE
Normal file
331
README.SUSE
Normal file
@ -0,0 +1,331 @@
|
||||
The following information was provided to us courtesy of the IBM
|
||||
testing team, who tested the functionality of apache with mod_ssl
|
||||
on SUSE LINUX Enterprise Server 9 for S/390 and zSeries.
|
||||
|
||||
It thus refers to testing only from a certain point, and the
|
||||
z90crypt part is of course specific to S/390 and zSeries.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Installation and Configuration of S/390 HW Crypto
|
||||
on SUSE Linux Enterprise Server 9 for S/390 and zSeries:
|
||||
|
||||
1) Installation of the driver packages openCryptoki and libica
|
||||
|
||||
The driver packages are installed during base install in the
|
||||
default selection. If you installed only minimal system or
|
||||
deinstalled the packages, install them now. If the installation
|
||||
source is accessible, you can do it with a single command:
|
||||
|
||||
31bit:
|
||||
yast sw_single openCryptoki openCryptoki-32bit
|
||||
|
||||
64bit:
|
||||
yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit
|
||||
|
||||
This will automatically install the necessary libica packages as
|
||||
well if they are not installed yet.
|
||||
|
||||
|
||||
2) Loading the z90crypt driver:
|
||||
|
||||
systemctl start z90crypt to load z90crypt
|
||||
|
||||
systemctl stop z90crypt to unload z90crypt
|
||||
|
||||
this command will be available only after installation of the
|
||||
crypto driver packages.
|
||||
|
||||
To load the driver automatically at every system boot, integrate it
|
||||
with the other boot scripts issuing
|
||||
|
||||
systemctl enable z90crypt
|
||||
|
||||
|
||||
3) Checking if the z90crypt hardware driver can be accessed
|
||||
|
||||
Run this command:
|
||||
|
||||
openssl speed rsa1024 -engine ibmca -elapsed
|
||||
|
||||
If you get 'can't use that engine', as the first line
|
||||
of output of the command look for the successive line
|
||||
and check:
|
||||
- if running "rcz90crypt restart" gives no error message
|
||||
- the output of command "dmesg" for error messages from the driver
|
||||
- the hardware is indeed available to this instance
|
||||
|
||||
4) Installation and Setup of mod_ssl and apache
|
||||
|
||||
a) ensure that mod_ssl and apache are installed during base
|
||||
install. If the installation source is accessible,
|
||||
the command
|
||||
|
||||
yast sw_single mod_ssl
|
||||
|
||||
will install apache and mod_ssl if they are not installed yet.
|
||||
|
||||
b) to activate the apache ssl support do the following:
|
||||
|
||||
if you did not use yast to install the packages, you have
|
||||
to run manually: SuSEconfig --module apache
|
||||
|
||||
edit /etc/sysconfig/apache:
|
||||
change HTTPD_START_TIMEOUT=2 to 20
|
||||
|
||||
change HTTPD_SEC_MOD_SSL=no to yes
|
||||
|
||||
edit httpd.conf in /etc/httpd:
|
||||
|
||||
in section 2: check that the ServerName and ServerMail in
|
||||
the ServerAdmin section is ok.
|
||||
|
||||
in section 3: set inside <VirtualHost_default_: 443> the
|
||||
ServerName to host name
|
||||
|
||||
add on section <IfModule mod_ssl.c>: SSLCryptoDevice ibmca
|
||||
|
||||
run: SuSEconfig --module apache
|
||||
|
||||
5) Crypto configuration of apache/mod_ssl:
|
||||
|
||||
a) create a certificate (Snake Oil) for the TEST --- THIS
|
||||
CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR
|
||||
TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A
|
||||
CERTIFICATION AUTHORITY FOR PRODUCTION USE.
|
||||
|
||||
go to: cd /usr/share/doc/packages/mod_ssl
|
||||
|
||||
run: ./certificate.sh
|
||||
|
||||
see following questions will come up. Give shown answers
|
||||
and use the pass phrase:
|
||||
|
||||
der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh
|
||||
SSL Certificate Generation Utility (mkcert.sh)
|
||||
Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.
|
||||
|
||||
Generating test certificate signed by Snake Oil CA [TEST]
|
||||
WARNING: Do not use this for real-life/production systems
|
||||
|
||||
STEP 0: Decide the signature algorithm used for certificate
|
||||
The generated X.509 CA certificate can contain either
|
||||
RSA or DSA based ingredients. Select the one you want to use.
|
||||
Signature Algorithm ((R)SA or (D)SA) [R]:R
|
||||
|
||||
|
||||
STEP 1: Generating RSA private key (1024 bit) [server.key]
|
||||
123006 semi-random bytes loaded
|
||||
Generating RSA private key, 1024 bit long modulus
|
||||
..++++++
|
||||
.................++++++
|
||||
e is 65537 (0x10001)
|
||||
|
||||
STEP 2: Generating X.509 certificate signing request
|
||||
[server.csr]
|
||||
Using configuration from .mkcert.cfg
|
||||
You are about to be asked to enter information that will be
|
||||
incorporated
|
||||
into your certificate request.
|
||||
What you are about to enter is what is called a Distinguished
|
||||
Name or a DN.
|
||||
There are quite a few fields but you can leave some blank
|
||||
For some fields there will be a default value,
|
||||
If you enter '.', the field will be left blank.
|
||||
-----
|
||||
1. Country Name (2 letter code) [XY]:DE
|
||||
2. State or Province Name (full name) [Snake Desert]:
|
||||
<enter>
|
||||
3. Locality Name (eg, city) [Snake Town]:
|
||||
<enter>
|
||||
4. Organization Name (eg, company) [Snake Oil, Ltd]:
|
||||
<enter>
|
||||
5. Organizational Unit Name (eg, section) [Webserver Team]:
|
||||
<enter>
|
||||
6. Common Name (eg, FQDN) [www.snakeoil.dom]:
|
||||
<enter>
|
||||
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:
|
||||
<enter>
|
||||
|
||||
STEP 3: Generating X.509 certificate signed by Snake Oil CA
|
||||
[server.crt]
|
||||
Certificate Version (1 or 3) [3]:3
|
||||
Signature ok
|
||||
subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil,
|
||||
Ltd/OU=Webserver
|
||||
Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom
|
||||
Getting CA Private Key
|
||||
Verify: matching certificate & key modulus
|
||||
read RSA key
|
||||
Verify: matching certificate signature
|
||||
/etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake
|
||||
Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil
|
||||
CA/Email=ca@snakeoil.dom
|
||||
error 10 at 1 depth lookup:certificate has expired
|
||||
OK
|
||||
|
||||
STEP 4: Enrypting RSA private key with a pass phrase for
|
||||
security [server.key]
|
||||
The contents of the server.key file (the generated private key)
|
||||
has to be
|
||||
kept secret. So we strongly recommend you to encrypt the
|
||||
server.key file
|
||||
with a Triple-DES cipher and a Pass Phrase.
|
||||
Encrypt the private key now? [Y/n]: Y
|
||||
read RSA key
|
||||
writing RSA key
|
||||
Enter PEM pass phrase: <=== crypto
|
||||
Verifying password - Enter PEM pass phrase: <=== crypto
|
||||
Fine, you're using an encrypted RSA private key.
|
||||
|
||||
RESULT: Server Certification Files
|
||||
|
||||
o conf/ssl.key/server.key
|
||||
|
||||
The PEM-encoded RSA private key file which you
|
||||
configure with the 'SSLCertificateKeyFile' directive
|
||||
(automatically done when you install via APACI). KEEP
|
||||
THIS FILE PRIVATE!
|
||||
|
||||
o conf/ssl.crt/server.crt
|
||||
|
||||
The PEM-encoded X.509 certificate file which you configure
|
||||
with the 'SSLCertificateFile' directive (automatically done
|
||||
when you install via APACI).
|
||||
|
||||
o conf/ssl.csr/server.csr
|
||||
|
||||
The PEM-encoded X.509 certificate signing request file
|
||||
which you can send to an official Certificate Authority
|
||||
(CA) in order to request a real server certificate
|
||||
(signed by this CA instead of our demonstration-only
|
||||
Snake Oil CA) which later can replace the
|
||||
conf/ssl.crt/server.crt file.
|
||||
|
||||
WARNING: Do not use this for real-life/production systems
|
||||
|
||||
der3gbe:/usr/share/doc/packages/mod_ssl #
|
||||
|
||||
6) Start Apache with SSL
|
||||
|
||||
a) start with pass phrase (Changes done to apache modul
|
||||
described in item c)).
|
||||
|
||||
run: rcapache start
|
||||
|
||||
dev3fe01:~ # rcapache start
|
||||
|
||||
Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26
|
||||
mod_ssl/2.8.10 (Pass Phrase Dialog)
|
||||
Some of your private key files are encrypted for security
|
||||
reasons.
|
||||
In order to read them you have to provide us with the pass
|
||||
phrases.
|
||||
|
||||
Server dev3fe01.boeblingen.de.ibm.com:443 (RSA)
|
||||
Enter pass phrase: crypto
|
||||
|
||||
Ok: Pass Phrase Dialog successful.
|
||||
done
|
||||
|
||||
b) start without pass phrase when using apache without
|
||||
ssl-support
|
||||
|
||||
remark: You need to change the apache modul (see
|
||||
item c)). Set the HTTPD_SEC_MOD_SSL=no.
|
||||
|
||||
run: rcapache start
|
||||
|
||||
|
||||
7) Check that ibmca is used and apache is working with http and https:
|
||||
|
||||
a) On a browser enter http://<server-host> or
|
||||
https://<server-host>
|
||||
b) with netstat or netstat -a on the apache server machine you
|
||||
can see if https is used.
|
||||
c) in the log /var/log/httpd/ssl_engine_log you can see if the
|
||||
ibmca engine is started or not.
|
||||
d) during siege test you can see with cat /proc/driver/z90crypt
|
||||
if and what crypto HW is used
|
||||
e) you can check a http connection with telnet <server-host>
|
||||
http. Then enter
|
||||
get / http/1.0
|
||||
and you should get back some stuff after pressing enter
|
||||
twice.
|
||||
|
||||
f) You can check if openssl works with the ibmca engine
|
||||
|
||||
a) Therefore you must create certificates:
|
||||
cd /usr/share/ssl/misc
|
||||
run: ./CA.sh -newcert
|
||||
|
||||
dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert
|
||||
Using configuration from /etc/ssl/openssl.cnf
|
||||
Generating a 1024 bit RSA private key
|
||||
......................++++++
|
||||
.++++++
|
||||
writing new private key to 'newreq.pem'
|
||||
Enter PEM pass phrase: <== geheim
|
||||
Verifying password - Enter PEM pass phrase: <== geheim
|
||||
Verify failure
|
||||
Enter PEM pass phrase:
|
||||
Verifying password - Enter PEM pass phrase:
|
||||
phrase is too short, needs to be at least 4 chars
|
||||
Enter PEM pass phrase:
|
||||
Verifying password - Enter PEM pass phrase:
|
||||
-----
|
||||
You are about to be asked to enter information that will be
|
||||
incorporated
|
||||
into your certificate request.
|
||||
What you are about to enter is what is called a
|
||||
Distinguished Name or a DN.
|
||||
There are quite a few fields but you can leave some blank
|
||||
For some fields there will be a default value,
|
||||
If you enter '.', the field will be left blank.
|
||||
-----
|
||||
Country Name (2 letter code) [AU]:
|
||||
<== press enter
|
||||
State or Province Name (full name) [Some-State]:
|
||||
<== press enter
|
||||
Locality Name (eg, city) []:
|
||||
<== press enter
|
||||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
|
||||
<== press enter
|
||||
Organizational Unit Name (eg, section) []:
|
||||
<== press enter
|
||||
Common Name (eg, YOUR name) []: <== press enter
|
||||
Email Address []: <== press
|
||||
enter
|
||||
Certificate (and private key) is in newreq.pem
|
||||
|
||||
run: ./CA.sh -newca
|
||||
|
||||
dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca
|
||||
CA certificate filename (or enter to create)
|
||||
newreq.pem
|
||||
dev3fe02:
|
||||
|
||||
|
||||
b) Use openssl as a Web-browser and use https connection:
|
||||
openssl s_client \
|
||||
-connect <ip-addr of webserver>:443 -state -debug
|
||||
|
||||
The machine were you start the client is working as
|
||||
your 'browser' connecting to the webserver. You can
|
||||
start commands from the client like get / http/1.0 .
|
||||
|
||||
c) Use openssl as a Web-server and use https connection:
|
||||
openssl s_server \
|
||||
-accept 443 -www -engine ibmca -cert newreq.pem
|
||||
|
||||
The machine is working like a small webserver with full
|
||||
openssl functionality. You can start your browser to
|
||||
this machine and a lot of info will be sent.
|
||||
|
||||
dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443
|
||||
-www -cert newreq.pem -engine ibmca
|
||||
engine "ibmca" set.
|
||||
Using default temp DH parameters
|
||||
Enter PEM pass phrase: <== geheim
|
||||
ACCEPT
|
||||
|
||||
-------------------------------------------------------------------
|
@ -0,0 +1,28 @@
|
||||
From 0a7e4c34a0cc58e1242d4b131e9c224736eadef2 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
Date: Mon, 28 Oct 2024 13:04:19 +0100
|
||||
Subject: [PATCH] fips update: remove sigVer from fips ECDSA kat
|
||||
|
||||
From https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-capabilities.adoc
|
||||
"The 'componentTest' property is only valid for detECDSA / sigGen / FIPS186-5 and
|
||||
ECDSA / sigGen / * registrations." i.e., only ECDSA sigGen component can be tested.
|
||||
|
||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
---
|
||||
src/fips.c | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/src/fips.c b/src/fips.c
|
||||
index 4d1db07..3c26043 100644
|
||||
--- a/src/fips.c
|
||||
+++ b/src/fips.c
|
||||
@@ -1240,9 +1240,6 @@ ecdsa_kat(void)
|
||||
/* adapter handle not needed here, just CPACF */
|
||||
rc = ica_ecdsa_sign_ex_internal(0, eckey, tv->hash, tv->hashlen,
|
||||
sigbuf, tv->siglen, tv->k);
|
||||
- if (rc)
|
||||
- goto _err_;
|
||||
- rc = ica_ecdsa_verify(0, eckey, tv->hash, tv->hashlen, sigbuf, tv->siglen);
|
||||
if (rc)
|
||||
goto _err_;
|
||||
if (memcmp(sigbuf, tv->sig, tv->siglen) != 0) {
|
@ -0,0 +1,116 @@
|
||||
From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
Date: Mon, 28 Oct 2024 13:44:11 +0100
|
||||
Subject: [PATCH] fips update: Change service indicator implementation
|
||||
|
||||
Perform checks for non-approved algorithms / parameters directly into the
|
||||
APIs that perform the services.
|
||||
|
||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
---
|
||||
src/ica_api.c | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/src/ica_api.c b/src/ica_api.c
|
||||
index 0826af8..d071f61 100644
|
||||
--- a/src/ica_api.c
|
||||
+++ b/src/ica_api.c
|
||||
@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
if (public_key->key_length != private_key->key_length)
|
||||
@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
if (public_key->key_length != private_key->key_length)
|
||||
@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
/* check for obvious errors in parms */
|
||||
@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
/* check if p > q */
|
||||
@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
/* check for obvious errors in parms */
|
||||
@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return NULL;
|
||||
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
||||
+ return NULL;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
|
||||
@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
||||
+ return EPERM;
|
||||
if (fips & ICA_FIPS_MODE) {
|
||||
if (!curve_supported_via_openssl(key->nid) ||
|
||||
!curve_supported_via_cpacf(key->nid)) {
|
||||
@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
|
||||
+ return EPERM;
|
||||
if (fips & ICA_FIPS_MODE) {
|
||||
if (!curve_supported_via_openssl(key->nid) ||
|
||||
!curve_supported_via_cpacf(key->nid))
|
||||
@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
|
||||
+ return EPERM;
|
||||
if (fips & ICA_FIPS_MODE) {
|
||||
if (!curve_supported_via_openssl(privkey_A->nid) ||
|
||||
!curve_supported_via_cpacf(privkey_A->nid))
|
||||
@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
|
||||
if (!curve_supported_via_openssl(privkey->nid) ||
|
||||
!curve_supported_via_cpacf(privkey->nid))
|
||||
return EPERM;
|
||||
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
|
||||
+ return EPERM;
|
||||
}
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips >> 1)
|
||||
return EACCES;
|
||||
+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
|
||||
+ return EPERM;
|
||||
if (fips & ICA_FIPS_MODE) {
|
||||
if (!curve_supported_via_openssl(pubkey->nid) ||
|
||||
!curve_supported_via_cpacf(pubkey->nid))
|
@ -0,0 +1,164 @@
|
||||
From b7d11c21d7f15dc11ae7354a7ec97299eacd7045 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
Date: Wed, 6 Nov 2024 13:12:11 +0100
|
||||
Subject: [PATCH] fips update: Dynamically update service indicator based on IV
|
||||
usage
|
||||
|
||||
Fix handling to differentiate if the call to AES-GCM encryption API was approved
|
||||
or not. If the IV was set externally, it's non-approved, otherwise with internal
|
||||
IV it's approved. Bind the service indicator to the service by checking the
|
||||
behavior of the GCM IV in the gcm API.
|
||||
|
||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
---
|
||||
src/ica_api.c | 6 ++++++
|
||||
src/include/fips.h | 54 +++++++++++++++++++++++++++++++++++++++++++---
|
||||
src/s390_crypto.c | 16 ++++++++++++++
|
||||
3 files changed, 73 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/ica_api.c b/src/ica_api.c
|
||||
index d071f61..c1bb4e1 100644
|
||||
--- a/src/ica_api.c
|
||||
+++ b/src/ica_api.c
|
||||
@@ -3727,6 +3727,8 @@ unsigned int ica_aes_gcm(unsigned char *plaintext,
|
||||
#ifdef ICA_FIPS
|
||||
if (fips & ICA_FIPS_MODE)
|
||||
return EPERM;
|
||||
+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
return ica_aes_gcm_internal(plaintext, plaintext_length, ciphertext,
|
||||
@@ -3776,6 +3778,8 @@ unsigned int ica_aes_gcm_initialize(const unsigned char *iv,
|
||||
if (!ica_external_gcm_iv_in_fips_mode_allowed &&
|
||||
direction == ENCRYPT && (fips & ICA_FIPS_MODE))
|
||||
return EPERM;
|
||||
+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
return ica_aes_gcm_initialize_internal(iv, iv_length, key, key_length,
|
||||
@@ -4025,6 +4029,8 @@ int ica_aes_gcm_kma_init(unsigned int direction,
|
||||
if (!ica_external_gcm_iv_in_fips_mode_allowed &&
|
||||
direction == ICA_ENCRYPT && (fips & ICA_FIPS_MODE))
|
||||
return EPERM;
|
||||
+ if (!fips_approved(AES_GCM_KMA) && !fips_override(AES_GCM_KMA))
|
||||
+ return EPERM;
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
return ica_aes_gcm_kma_init_internal(direction, iv, iv_length,
|
||||
diff --git a/src/include/fips.h b/src/include/fips.h
|
||||
index c0af6b6..0a6e0bd 100644
|
||||
--- a/src/include/fips.h
|
||||
+++ b/src/include/fips.h
|
||||
@@ -68,19 +68,19 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv,
|
||||
/*
|
||||
* List of non-fips-approved algorithms
|
||||
*/
|
||||
-static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
|
||||
+static int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
|
||||
DES_CFB, DES_CTR, DES_CTRLST, DES_CBC_MAC, DES_CMAC, P_RNG, DES3_ECB,
|
||||
DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
|
||||
DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
|
||||
ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE,
|
||||
- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG };
|
||||
+ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
|
||||
static const size_t FIPS_BLACKLIST_LEN
|
||||
= sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
|
||||
|
||||
/*
|
||||
* FIPS service indicator: List of tolerated but non-approved algorithms.
|
||||
*/
|
||||
-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG };
|
||||
+static int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
|
||||
static const size_t FIPS_OVERRIDE_LIST_LEN
|
||||
= sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);
|
||||
|
||||
@@ -117,5 +117,53 @@ static inline int fips_override(int id)
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+static inline void add_to_fips_black_list(int id)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) {
|
||||
+ if (FIPS_BLACKLIST[i] == -1) {
|
||||
+ FIPS_BLACKLIST[i] = id;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline void add_to_fips_override_list(int id)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) {
|
||||
+ if (FIPS_OVERRIDE_LIST[i] == -1) {
|
||||
+ FIPS_OVERRIDE_LIST[i] = id;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline void remove_from_fips_black_list(int id)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) {
|
||||
+ if (FIPS_BLACKLIST[i] == id) {
|
||||
+ FIPS_BLACKLIST[i] = -1;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline void remove_from_fips_override_list(int id)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) {
|
||||
+ if (FIPS_OVERRIDE_LIST[i] == id) {
|
||||
+ FIPS_OVERRIDE_LIST[i] = -1;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
#endif /* FIPS_H */
|
||||
#endif /* ICA_FIPS */
|
||||
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
|
||||
index 623864b..03655e7 100644
|
||||
--- a/src/s390_crypto.c
|
||||
+++ b/src/s390_crypto.c
|
||||
@@ -30,6 +30,10 @@
|
||||
#include "init.h"
|
||||
#include "s390_crypto.h"
|
||||
|
||||
+#ifdef ICA_FIPS
|
||||
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
|
||||
+#endif
|
||||
+
|
||||
unsigned long long facility_bits[3];
|
||||
unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
|
||||
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
|
||||
@@ -810,6 +814,18 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
|
||||
if (*indicator_list_len < (sizeof(icaList) / sizeof(libica_func_list_element_int)))
|
||||
return EINVAL;
|
||||
|
||||
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
|
||||
+ add_to_fips_black_list(AES_GCM);
|
||||
+ add_to_fips_override_list(AES_GCM);
|
||||
+ add_to_fips_black_list(AES_GCM_KMA);
|
||||
+ add_to_fips_override_list(AES_GCM_KMA);
|
||||
+ } else {
|
||||
+ remove_from_fips_black_list(AES_GCM);
|
||||
+ remove_from_fips_override_list(AES_GCM);
|
||||
+ remove_from_fips_black_list(AES_GCM_KMA);
|
||||
+ remove_from_fips_override_list(AES_GCM_KMA);
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < *indicator_list_len; i++) {
|
||||
indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
|
||||
indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);
|
@ -0,0 +1,94 @@
|
||||
From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
Date: Wed, 6 Nov 2024 13:17:54 +0100
|
||||
Subject: [PATCH] fips update: provide test for dynamic service indicator
|
||||
|
||||
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
|
||||
API to allow and forbid an external GCM IV. Depending on whether the application
|
||||
allows or forbids external IVs, the service indicator changes dynamically.
|
||||
|
||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
---
|
||||
test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 62 insertions(+)
|
||||
|
||||
diff --git a/test/fips_test.c b/test/fips_test.c
|
||||
index 2bd3d40..873c4b0 100644
|
||||
--- a/test/fips_test.c
|
||||
+++ b/test/fips_test.c
|
||||
@@ -13,6 +13,64 @@
|
||||
|
||||
#define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
|
||||
|
||||
+#ifdef ICA_FIPS
|
||||
+static int test_gcm_iv_usage(void)
|
||||
+{
|
||||
+ libica_fips_indicator_element *fips_list = NULL;
|
||||
+ unsigned int rc, i, fips_len, allow;
|
||||
+ unsigned int approved_expected, override_expected;
|
||||
+
|
||||
+ for (allow = 0; allow < 2; allow++) {
|
||||
+
|
||||
+ approved_expected = allow == 1 ? 0 : 1;
|
||||
+ override_expected = allow == 1 ? 1 : 0;
|
||||
+
|
||||
+ /* Check allowance of an external iv in fips mode */
|
||||
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
|
||||
+
|
||||
+ /* Get fips indicator list */
|
||||
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
|
||||
+ printf("get_fips_indicator failed\n");
|
||||
+ rc = EXIT_FAILURE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
|
||||
+ if (!fips_list) {
|
||||
+ printf("malloc fips_indicator list failed\n");
|
||||
+ rc = EXIT_FAILURE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
|
||||
+ printf("ica_get_fips_indicator failed\n");
|
||||
+ free(fips_list);
|
||||
+ rc = EXIT_FAILURE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < fips_len; i++) {
|
||||
+ if (fips_list[i].mech_mode_id == AES_GCM ||
|
||||
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
|
||||
+ if (fips_list[i].fips_approved != approved_expected ||
|
||||
+ fips_list[i].fips_override != override_expected) {
|
||||
+ rc = EXIT_FAILURE;
|
||||
+ free(fips_list);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ free(fips_list);
|
||||
+ }
|
||||
+
|
||||
+ rc = 0;
|
||||
+
|
||||
+done:
|
||||
+ return rc;
|
||||
+}
|
||||
+#endif /* ICA_FIPS */
|
||||
+
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
@@ -68,6 +126,10 @@ main(void)
|
||||
printf("Libica FIPS integrity check failed.\n");
|
||||
rv = EXIT_FAILURE;
|
||||
}
|
||||
+ if (test_gcm_iv_usage()) {
|
||||
+ printf("Libica FIPS gcm iv usage check failed.\n");
|
||||
+ rv = EXIT_FAILURE;
|
||||
+ }
|
||||
#endif /* ICA_FIPS */
|
||||
|
||||
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
|
@ -0,0 +1,40 @@
|
||||
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
|
||||
From: Holger Dengler <dengler@linux.ibm.com>
|
||||
Date: Tue, 16 Apr 2024 14:18:23 +0200
|
||||
Subject: [PATCH] test: disable CEX usage in OpenSSL for all tests
|
||||
|
||||
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
|
||||
testcases use OpenSSL as helper and fallback, so disable the CEX
|
||||
acceleration for all tests.
|
||||
|
||||
If the environment variable is already set, use it as is without
|
||||
modifying it. In this case, it is up to the user to choose the right
|
||||
settings.
|
||||
|
||||
Fixes: Issue #126
|
||||
Link: https://github.com/opencryptoki/libica/issues/126
|
||||
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
|
||||
---
|
||||
test/Makefile.am | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/test/Makefile.am b/test/Makefile.am
|
||||
index 76d4f15..e56b256 100644
|
||||
--- a/test/Makefile.am
|
||||
+++ b/test/Makefile.am
|
||||
@@ -61,10 +61,14 @@ TESTS += \
|
||||
${top_builddir}/src/internal_tests/ec_internal_test
|
||||
endif
|
||||
|
||||
+# disable OpenSSL CEX usage for all tests
|
||||
+OPENSSL_s390xcap ?= nocex
|
||||
+
|
||||
TEST_EXTENSIONS = .sh .pl
|
||||
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
|
||||
PATH=${builddir}/../src/:$$PATH \
|
||||
- LIBICA_TESTDATA=${srcdir}/testdata/;
|
||||
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
|
||||
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
|
||||
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
|
||||
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
|
||||
|
@ -0,0 +1,83 @@
|
||||
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
Date: Wed, 24 Apr 2024 10:44:26 +0200
|
||||
Subject: [PATCH] Bugfix: correct rc handling with s390_pcc function
|
||||
|
||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
---
|
||||
src/include/s390_aes.h | 2 +-
|
||||
src/include/s390_cmac.h | 2 +-
|
||||
src/include/s390_crypto.h | 23 +++++++++++++----------
|
||||
3 files changed, 15 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
|
||||
index 6252dde0..a6ff27bd 100644
|
||||
--- a/src/include/s390_aes.h
|
||||
+++ b/src/include/s390_aes.h
|
||||
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
|
||||
|
||||
memset(&parm_block.keys, 0, key_size);
|
||||
|
||||
- if (rc >= 0) {
|
||||
+ if (rc == 0) {
|
||||
memcpy(xts_parm, parm_block.xts_parameter,
|
||||
sizeof(ica_aes_vector_t));
|
||||
return 0;
|
||||
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
|
||||
index 76b9cca5..f19c069d 100644
|
||||
--- a/src/include/s390_cmac.h
|
||||
+++ b/src/include/s390_cmac.h
|
||||
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
|
||||
/* calculate final block (last/full) */
|
||||
rc = s390_pcc(fc, pb_lookup.base);
|
||||
memset(pb_lookup.keys, 0, key_size);
|
||||
- if (rc < 0)
|
||||
+ if (rc != 0)
|
||||
return EIO;
|
||||
|
||||
_stats_increment(fc, ALGO_HW, ENCRYPT);
|
||||
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
|
||||
index f34241fd..f11eacb2 100644
|
||||
--- a/src/include/s390_crypto.h
|
||||
+++ b/src/include/s390_crypto.h
|
||||
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
|
||||
|
||||
/**
|
||||
* s390_pcc:
|
||||
- * @func: the function code passed to KM; see s390_pcc_functions
|
||||
+ * @func: the function code passed to PCC; see s390_pcc_functions
|
||||
* @param: address of parameter block; see POP for details on each func
|
||||
*
|
||||
* Executes the PCC operation of the CPU.
|
||||
*
|
||||
- * Returns -1 for failure, 0 for the query func, number of processed
|
||||
- * bytes for encryption/decryption funcs
|
||||
+ * Returns condition code of the PCC instruction
|
||||
*/
|
||||
static inline int s390_pcc(unsigned long func, void *param)
|
||||
{
|
||||
register unsigned long r0 asm("0") = (unsigned long)func;
|
||||
register unsigned long r1 asm("1") = (unsigned long)param;
|
||||
+ char cc;
|
||||
|
||||
- asm volatile (
|
||||
- "0: .long %[opc] << 16\n"
|
||||
- " brc 1,0b\n"
|
||||
- :
|
||||
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
|
||||
- : "cc", "memory");
|
||||
+ asm volatile(
|
||||
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
|
||||
+ " brc 1,0b\n" /* handle partial completion */
|
||||
+ " ipm %[cc]\n"
|
||||
+ " srl %[cc],28\n"
|
||||
+ : [cc] "=d" (cc)
|
||||
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
|
||||
+ : "cc", "memory"
|
||||
+ );
|
||||
|
||||
- return 0;
|
||||
+ return cc;
|
||||
}
|
||||
|
||||
/**
|
366
libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
Normal file
366
libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
Normal file
@ -0,0 +1,366 @@
|
||||
From 900557435b85f2fa6446bf9d62e80d58eff4bfbe Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
Date: Wed, 19 Jun 2024 12:34:26 +0200
|
||||
Subject: [PATCH] Use __asm__ instead of asm
|
||||
|
||||
The asm keyword is a GNU extension. When writing code that can be compiled with
|
||||
-ansi and the various -std options, use __asm__ instead of asm.
|
||||
|
||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||
---
|
||||
src/include/s390_crypto.h | 194 +++++++++++++++++++-------------------
|
||||
1 file changed, 97 insertions(+), 97 deletions(-)
|
||||
|
||||
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
|
||||
index f11eacb..6ef4728 100644
|
||||
--- a/src/include/s390_crypto.h
|
||||
+++ b/src/include/s390_crypto.h
|
||||
@@ -253,11 +253,11 @@ void s390_crypto_switches_init(void);
|
||||
*/
|
||||
static inline int s390_pcc(unsigned long func, void *param)
|
||||
{
|
||||
- register unsigned long r0 asm("0") = (unsigned long)func;
|
||||
- register unsigned long r1 asm("1") = (unsigned long)param;
|
||||
+ register unsigned long r0 __asm__("0") = (unsigned long)func;
|
||||
+ register unsigned long r1 __asm__("1") = (unsigned long)param;
|
||||
char cc;
|
||||
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
|
||||
" brc 1,0b\n" /* handle partial completion */
|
||||
" ipm %[cc]\n"
|
||||
@@ -285,12 +285,12 @@ static inline int s390_pcc(unsigned long func, void *param)
|
||||
static inline int s390_kmac(unsigned long func, void *param,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre, 0xb91e0000,%0,%0 \n"
|
||||
" brc 1, 0b \n"
|
||||
: "+a"(__src), "+d"(__src_len)
|
||||
@@ -318,15 +318,15 @@ static inline int s390_kma(unsigned long func, void *param, unsigned char *dest,
|
||||
const unsigned char *src, long src_len,
|
||||
const unsigned char *aad, long aad_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
- register unsigned char *__dest asm("4") = dest;
|
||||
- register const unsigned char *__aad asm("6") = aad;
|
||||
- register long __aad_len asm("7") = aad_len;
|
||||
-
|
||||
- asm volatile(
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
+ register unsigned char *__dest __asm__("4") = dest;
|
||||
+ register const unsigned char *__aad __asm__("6") = aad;
|
||||
+ register long __aad_len __asm__("7") = aad_len;
|
||||
+
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rrf,0xb9290000,%2,%0,%3,0 \n"
|
||||
"1: brc 1,0b \n" /* handle partial completion */
|
||||
: "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__aad), "+d" (__aad_len)
|
||||
@@ -353,14 +353,14 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des
|
||||
const unsigned char *src, long src_len,
|
||||
unsigned char *counter)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
- register unsigned char *__dest asm("4") = dest;
|
||||
- register unsigned char *__ctr asm("6") = counter;
|
||||
-
|
||||
- asm volatile(
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
+ register unsigned char *__dest __asm__("4") = dest;
|
||||
+ register unsigned char *__ctr __asm__("6") = counter;
|
||||
+
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rrf,0xb92d0000,%2,%0,%3,0 \n"
|
||||
"1: brc 1,0b \n"
|
||||
: "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__ctr)
|
||||
@@ -386,13 +386,13 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des
|
||||
static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest,
|
||||
const unsigned char *src, long src_len, unsigned int *lcfb)
|
||||
{
|
||||
- register long __func asm("0") = ((*lcfb & 0x000000ff) << 24) | func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
- register unsigned char *__dest asm("4") = dest;
|
||||
+ register long __func __asm__("0") = ((*lcfb & 0x000000ff) << 24) | func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
+ register unsigned char *__dest __asm__("4") = dest;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre,0xb92a0000,%2,%0 \n"
|
||||
" brc 1,0b \n"
|
||||
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
|
||||
@@ -418,13 +418,13 @@ static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest,
|
||||
static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
- register unsigned char *__dest asm("4") = dest;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
+ register unsigned char *__dest __asm__("4") = dest;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre, 0xb92b0000,%2,%0 \n"
|
||||
" brc 1, 0b \n"
|
||||
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
|
||||
@@ -450,13 +450,13 @@ static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest,
|
||||
static inline int s390_km(unsigned long func, void *param, unsigned char *dest,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
- register unsigned char *__dest asm("4") = dest;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
+ register unsigned char *__dest __asm__("4") = dest;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre,0xb92e0000,%2,%0 \n" /* KM opcode */
|
||||
" brc 1,0b \n" /* handle partial completion */
|
||||
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
|
||||
@@ -482,13 +482,13 @@ static inline int s390_km(unsigned long func, void *param, unsigned char *dest,
|
||||
static inline int s390_kmc(unsigned long func, void *param, unsigned char *dest,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
- register unsigned char *__dest asm("4") = dest;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
+ register unsigned char *__dest __asm__("4") = dest;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre, 0xb92f0000,%2,%0 \n" /* KMC opcode */
|
||||
" brc 1, 0b \n" /* handle partial completion */
|
||||
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
|
||||
@@ -515,15 +515,15 @@ static inline int s390_kimd_shake(unsigned long func, void *param,
|
||||
unsigned char *dest, long dest_len,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register unsigned char *__dest asm("2") = dest;
|
||||
- register long __dest_len asm("3") = dest_len;
|
||||
- register const unsigned char *__src asm("4") = src;
|
||||
- register long __src_len asm("5") = src_len;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register unsigned char *__dest __asm__("2") = dest;
|
||||
+ register long __dest_len __asm__("3") = dest_len;
|
||||
+ register const unsigned char *__src __asm__("4") = src;
|
||||
+ register long __src_len __asm__("5") = src_len;
|
||||
int ret = -1;
|
||||
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rre,0xb93e0000,%1,%5\n\t" /* KIMD opcode */
|
||||
" brc 1,0b\n\t" /* handle partial completion */
|
||||
" la %0,0\n\t"
|
||||
@@ -538,12 +538,12 @@ static inline int s390_kimd_shake(unsigned long func, void *param,
|
||||
static inline int s390_kimd(unsigned long func, void *param,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre,0xb93e0000,%0,%0 \n" /* KIMD opcode */
|
||||
" brc 1,0b \n" /* handle partial completion */
|
||||
: "+a"(__src), "+d"(__src_len)
|
||||
@@ -569,15 +569,15 @@ static inline int s390_klmd_shake(unsigned long func, void *param,
|
||||
unsigned char *dest, long dest_len,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register unsigned char *__dest asm("2") = dest;
|
||||
- register long __dest_len asm("3") = dest_len;
|
||||
- register const unsigned char *__src asm("4") = src;
|
||||
- register long __src_len asm("5") = src_len;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register unsigned char *__dest __asm__("2") = dest;
|
||||
+ register long __dest_len __asm__("3") = dest_len;
|
||||
+ register const unsigned char *__src __asm__("4") = src;
|
||||
+ register long __src_len __asm__("5") = src_len;
|
||||
int ret = -1;
|
||||
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rre,0xb93f0000,%1,%5\n\t" /* KLMD opcode */
|
||||
" brc 1,0b\n\t" /* handle partial completion */
|
||||
" la %0,0\n\t"
|
||||
@@ -592,12 +592,12 @@ static inline int s390_klmd_shake(unsigned long func, void *param,
|
||||
static inline int s390_klmd(unsigned long func, void *param,
|
||||
const unsigned char *src, long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register const unsigned char *__src asm("2") = src;
|
||||
- register long __src_len asm("3") = src_len;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register const unsigned char *__src __asm__("2") = src;
|
||||
+ register long __src_len __asm__("3") = src_len;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre,0xb93f0000,%0,%0 \n" /* KLMD opcode */
|
||||
" brc 1,0b \n" /* handle partial completion */
|
||||
: "+a"(__src), "+d"(__src_len)
|
||||
@@ -624,13 +624,13 @@ static inline int s390_klmd(unsigned long func, void *param,
|
||||
static inline int s390_kdsa(unsigned long func, void *param,
|
||||
const unsigned char *src, unsigned long srclen)
|
||||
{
|
||||
- register unsigned long r0 asm("0") = (unsigned long)func;
|
||||
- register unsigned long r1 asm("1") = (unsigned long)param;
|
||||
- register unsigned long r2 asm("2") = (unsigned long)src;
|
||||
- register unsigned long r3 asm("3") = (unsigned long)srclen;
|
||||
+ register unsigned long r0 __asm__("0") = (unsigned long)func;
|
||||
+ register unsigned long r1 __asm__("1") = (unsigned long)param;
|
||||
+ register unsigned long r2 __asm__("2") = (unsigned long)src;
|
||||
+ register unsigned long r3 __asm__("3") = (unsigned long)srclen;
|
||||
unsigned long rc = 1;
|
||||
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rre,%[__opc] << 16,0,%[__src]\n"
|
||||
" brc 1,0b\n" /* handle partial completion */
|
||||
" brc 7,1f\n"
|
||||
@@ -668,15 +668,15 @@ static inline int s390_ppno(long func,
|
||||
const unsigned char *src,
|
||||
long src_len)
|
||||
{
|
||||
- register long __func asm("0") = func;
|
||||
- register void *__param asm("1") = param;
|
||||
- register unsigned char *__dest asm("2") = dest;
|
||||
- register long __dest_len asm("3") = dest_len;
|
||||
- register const unsigned char *__src asm("4") = src;
|
||||
- register long __src_len asm("5") = src_len;
|
||||
+ register long __func __asm__("0") = func;
|
||||
+ register void *__param __asm__("1") = param;
|
||||
+ register unsigned char *__dest __asm__("2") = dest;
|
||||
+ register long __dest_len __asm__("3") = dest_len;
|
||||
+ register const unsigned char *__src __asm__("4") = src;
|
||||
+ register long __src_len __asm__("5") = src_len;
|
||||
int ret = -1;
|
||||
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
"0: .insn rre,0xb93c0000,%1,%5\n\t" /* PPNO opcode */
|
||||
" brc 1,0b\n\t" /* handle partial completion */
|
||||
" la %0,0\n\t"
|
||||
@@ -701,13 +701,13 @@ static inline int s390_ppno(long func,
|
||||
static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len,
|
||||
unsigned char *cbuf, unsigned long cbuf_len)
|
||||
{
|
||||
- register unsigned long r0 asm("0") = (unsigned long) S390_CRYPTO_TRNG;
|
||||
- register unsigned long r2 asm("2") = (unsigned long) ucbuf;
|
||||
- register unsigned long r3 asm("3") = (unsigned long) ucbuf_len;
|
||||
- register unsigned long r4 asm("4") = (unsigned long) cbuf;
|
||||
- register unsigned long r5 asm("5") = (unsigned long) cbuf_len;
|
||||
+ register unsigned long r0 __asm__("0") = (unsigned long) S390_CRYPTO_TRNG;
|
||||
+ register unsigned long r2 __asm__("2") = (unsigned long) ucbuf;
|
||||
+ register unsigned long r3 __asm__("3") = (unsigned long) ucbuf_len;
|
||||
+ register unsigned long r4 __asm__("4") = (unsigned long) cbuf;
|
||||
+ register unsigned long r5 __asm__("5") = (unsigned long) cbuf_len;
|
||||
|
||||
- asm volatile (
|
||||
+ __asm__ volatile (
|
||||
"0: .insn rre,0xb93c0000,%[ucbuf],%[cbuf]\n"
|
||||
" brc 1,0b\n" /* handle partial completion */
|
||||
: [ucbuf] "+a" (r2), [ucbuflen] "+d" (r3),
|
||||
@@ -719,21 +719,21 @@ static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len,
|
||||
|
||||
static inline void s390_stckf_hw(void *buf)
|
||||
{
|
||||
- asm volatile(".insn s,0xb27c0000,%0"
|
||||
+ __asm__ volatile(".insn s,0xb27c0000,%0"
|
||||
: "=Q" (*((unsigned long long *)buf)) : : "cc");
|
||||
}
|
||||
|
||||
static inline void s390_stcke_hw(void *buf)
|
||||
{
|
||||
- asm volatile(".insn s,0xb2780000,%0"
|
||||
+ __asm__ volatile(".insn s,0xb2780000,%0"
|
||||
: "=Q" (*((unsigned long long *)buf)) : : "cc");
|
||||
}
|
||||
|
||||
static inline int __stfle(unsigned long long *list, int doublewords)
|
||||
{
|
||||
- register unsigned long __nr asm("0") = doublewords - 1;
|
||||
+ register unsigned long __nr __asm__("0") = doublewords - 1;
|
||||
|
||||
- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
|
||||
+ __asm__ volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
|
||||
: "+d" (__nr) : "a" (list) : "memory", "cc");
|
||||
|
||||
return __nr + 1;
|
||||
@@ -741,7 +741,7 @@ static inline int __stfle(unsigned long long *list, int doublewords)
|
||||
|
||||
static inline void s390_flip_endian_32(void *dest, const void *src)
|
||||
{
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
" lrvg %%r0,0(0,%[__src])\n"
|
||||
" lrvg %%r1,8(0,%[__src])\n"
|
||||
" lrvg %%r4,16(0,%[__src])\n"
|
||||
@@ -757,7 +757,7 @@ static inline void s390_flip_endian_32(void *dest, const void *src)
|
||||
|
||||
static inline void s390_flip_endian_64(void *dest, const void *src)
|
||||
{
|
||||
- asm volatile(
|
||||
+ __asm__ volatile(
|
||||
" lrvg %%r0,0(0,%[__src])\n"
|
||||
" lrvg %%r1,8(0,%[__src])\n"
|
||||
" lrvg %%r4,16(0,%[__src])\n"
|
3
libica-4.3.0.tar.gz
Normal file
3
libica-4.3.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:112c6136fd5ccfd6a1d33b5fd2427f5fec69aa2a0fc04e80a6ab58d7b9012db3
|
||||
size 576077
|
BIN
libica-4.3.1.tar.gz
(Stored with Git LFS)
Normal file
BIN
libica-4.3.1.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
libica-4.4.0.tar.gz
(Stored with Git LFS)
Normal file
BIN
libica-4.4.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -0,0 +1,55 @@
|
||||
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Suchanek <msuchanek@suse.de>
|
||||
Date: Mon, 7 Jun 2021 21:12:01 +0200
|
||||
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
|
||||
|
||||
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||
---
|
||||
openssl-fipshmac | 12 ++++++++++++
|
||||
src/Makefile.am | 4 ++--
|
||||
2 files changed, 14 insertions(+), 2 deletions(-)
|
||||
create mode 100755 openssl-fipshmac
|
||||
|
||||
diff --git a/openssl-fipshmac b/openssl-fipshmac
|
||||
new file mode 100755
|
||||
index 0000000..60fd505
|
||||
--- /dev/null
|
||||
+++ b/openssl-fipshmac
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/sh -e
|
||||
+
|
||||
+if [ "$#" -eq 0 ] ; then
|
||||
+ echo "No library to hash specified." >&2
|
||||
+ exit 22
|
||||
+fi
|
||||
+
|
||||
+while [ -n "$1" ] ; do
|
||||
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
|
||||
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
|
||||
+ shift
|
||||
+done
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index 4a1ef14..2be01a5 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -47,6 +47,7 @@
|
||||
./mp.pl mp.S
|
||||
|
||||
if ICA_FIPS
|
||||
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
|
||||
fipsinstall:
|
||||
$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
|
||||
$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
|
||||
@@ -58,8 +59,7 @@
|
||||
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
|
||||
|
||||
hmac-file: libica.la libica-cex.la
|
||||
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
|
||||
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
|
||||
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
|
||||
|
||||
hmac_files = hmac-file hmac-file-lnk
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
3
libica-rpmlintrc
Normal file
3
libica-rpmlintrc
Normal file
@ -0,0 +1,3 @@
|
||||
addFilter("libica-tools.* * devel-file-in-non-devel-package * /usr/lib64/libica.so")
|
||||
addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica.so.*.hmac")
|
||||
addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica-cex.so.*.hmac")
|
15
libica-sles15sp5-FIPS-hmac-key.patch
Normal file
15
libica-sles15sp5-FIPS-hmac-key.patch
Normal file
@ -0,0 +1,15 @@
|
||||
--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
|
||||
+++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
|
||||
@@ -65,10 +65,9 @@
|
||||
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
|
||||
* The known HMAC is supposed to be provided as hex string in a file
|
||||
* .libica.so.VERSION.hmac in the same directory as the .so module.
|
||||
- */
|
||||
+ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
|
||||
static const char hmackey[] =
|
||||
- "0000000000000000000000000000000000000000000000000000000000000000"
|
||||
- "0000000000000000000000000000000000000000000000000000000000000000";
|
||||
+ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
|
||||
|
||||
#endif /* ICA_INTERNAL_TEST */
|
||||
|
860
libica.changes
Normal file
860
libica.changes
Normal file
@ -0,0 +1,860 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 31 10:44:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289)
|
||||
* Updates for FIPS 140-3 certification 2024
|
||||
* Various bug fixes and housekeeping
|
||||
- Removed obsolete patches
|
||||
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
|
||||
* libica-02-fips-update-Change-service-indicator-implementation.patch
|
||||
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
|
||||
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 4 07:05:18 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Amended the .spec file (bsc#1234117, bsc#1231999)
|
||||
* downgraded libica tools requires down to recommends again
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
|
||||
* libica-02-fips-update-Change-service-indicator-implementation.patch
|
||||
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
|
||||
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 5 12:07:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
|
||||
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
|
||||
* libica-02-fips-update-Change-service-indicator-implementation.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 29 06:22:04 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
|
||||
* Various bug fixes and housekeeping
|
||||
- Removed obsolete patches
|
||||
* libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
|
||||
* libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
|
||||
* libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 23 09:05:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Amended the .spec file (bsc#1231999)
|
||||
* Replaced Recommends libica-tools with Requires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 3 10:51:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied patches
|
||||
* libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
|
||||
* libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
|
||||
* libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
|
||||
- Amended the .spec file to enable FIPS
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 29 07:52:34 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Upgrade libica to version 2.3.0 (jsc#PED-5446)
|
||||
* New API function ica_allow_external_gcm_iv_in_fips_mode
|
||||
* Bug fixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Upgrade to version 4.2.3 (jsc#PED-5446)
|
||||
* Add OPENSSL_init_crypto in libica constructor
|
||||
* Remove deprecated ioctl Z90STAT_STATUS_MASK
|
||||
* Bug fixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 23 14:16:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
|
||||
- [UPDATE] syslog msgs only in error cases
|
||||
- [UPDATE] don't count statistics in fips power-on self tests
|
||||
- [PATCH] various fixes and some new tests
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||
|
||||
- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 27 16:12:06 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Prefix /etc/libica with %dir to ensure we don't package
|
||||
unversioned files in libica4, as otherwise we violate SLPP.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 27 14:34:27 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||
|
||||
- Add /etc/libica directory into %files section.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 17 11:08:33 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Upgrade to version 4.2.1 (jsc#PED-2872)
|
||||
- [PATCH] fix regression opening shared memory
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 16 13:00:34 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365).
|
||||
- [FEATURE] Display build info via icainfo -v
|
||||
- [FEATURE] New API function ica_get_build_version()
|
||||
- [FEATURE] Display fips indication via icainfo -f
|
||||
- [FEATURE] New API function ica_get_fips_indicator()
|
||||
- [FEATURE] New API function ica_aes_gcm_initialize_fips()
|
||||
- [FEATURE] New API function ica_aes_gcm_kma_get_iv()
|
||||
- [FEATURE] New API function ica_get_msa_level()
|
||||
- [PATCH] icainfo: check for malloc error when getting functionlist
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 11 20:32:12 UTC 2022 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365).
|
||||
v4.1.1
|
||||
- [PATCH] Fix aes-xts multi-part operations
|
||||
[PATCH] Fix make dist
|
||||
v4.1.0
|
||||
- [FEATURE] FIPS: make libica FIPS 140-3 compliant
|
||||
[FEATURE] New API function ica_ecdsa_sign_ex()
|
||||
[FEATURE] New icainfo output option -r
|
||||
- [PATCH] Various bug fixes
|
||||
- Removed the following obsolete files:
|
||||
baselibs.conf
|
||||
icaioctl.h
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 12 19:09:59 UTC 2022 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629)
|
||||
v4.0.3
|
||||
- [PATCH] Reduce the number of open file descriptors
|
||||
- [PATCH] Various bug fixes
|
||||
v4.0.2
|
||||
- [PATCH] Various bug fixes
|
||||
v4.0.1
|
||||
- [PATCH] Various bug fixes
|
||||
- [PATCH] Compute HMAC from installed library
|
||||
v4.0.0
|
||||
- [UPDATE] NO_SW_FALLBACKS is now the default for libica.so
|
||||
[UPDATE] Removed deprecated API functions including tests
|
||||
[UPDATE] Introduced 'const' for some API function parameters
|
||||
[FEATURE] icastats: new parm -k to display detailed counters
|
||||
- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated
|
||||
version named libica-sles15sp5-FIPS-hmac-key.patch.
|
||||
- Updated the libica-rpmlintrc file to suppress warnings about the
|
||||
libica-cex hmac files being hidden.
|
||||
- Updated the spec file to properly both obsolete and provide two
|
||||
older versions of the package.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 19 21:20:22 UTC 2021 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564)
|
||||
- [FEATURE] Add support for OpenSSL 3.0
|
||||
- [FEATURE] icainfo: new parm -c to display available EC curves
|
||||
- Replaced the obsolete PreReq: %fillup_prereq
|
||||
with Requires(post): %fillup_prereq
|
||||
in the spec file.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
|
||||
|
||||
- Update to version 3.8.0 (jsc#SLE-18334)
|
||||
- [FEATURE] provide libica-cex module to satisfy special security requirements
|
||||
- [FEATURE] FIPS: enforce the HMAC check
|
||||
- Remove upstreamed patches:
|
||||
- libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
|
||||
- libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
|
||||
- libica-sles15sp2-Zeroize-local-variables.patch
|
||||
- Remove patches obsoleted by upstrea developent:
|
||||
* FIPS: Find libica from phdrs.
|
||||
- libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
|
||||
* FIPS: enforce the hmac check
|
||||
- libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
|
||||
- Fix up tests and hmac generation
|
||||
+ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||
- Remove obsolete attributes from filelists
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Upgraded to version 3.7.0 (jsc#SLE-13708)
|
||||
* Version 3.7.0
|
||||
- [FEATURE] FIPS: Add HMAC based library integrity check
|
||||
- [PATCH] icainfo: bugfix for RSA and EC related info for software column.
|
||||
- [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
|
||||
- [PATCH] FIPS: Fix DES and TDES key length
|
||||
- [PATCH] icastats: Fix stats counter format
|
||||
* Version 3.6.1
|
||||
- [PATCH] Fix x25519 and x448 handling of non-canonical values
|
||||
- Removed the following obsolete patches
|
||||
* libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
|
||||
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
|
||||
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
|
||||
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
|
||||
* libica-sles15sp2-Build-with-pthread-flag.patch
|
||||
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
|
||||
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
|
||||
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 15 21:08:38 UTC 2020 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277)
|
||||
* Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
|
||||
* Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
|
||||
- Fix FIPS hmac check (bsc#1175356).
|
||||
* Update FIPS support to upstream
|
||||
- Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
|
||||
from upstream.
|
||||
- Add libica-sles15sp2-Build-with-pthread-flag.patch
|
||||
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
|
||||
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
|
||||
- Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
|
||||
* FIPS check should fail when hmac is missing
|
||||
- Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
|
||||
- Create an hmac for the selftest
|
||||
- Check that selftest fails without a hmac
|
||||
- Hash libica.so.3 rather than libica.so.3.6.0
|
||||
* Fix hmac key format. It should be hexadecimal, not ASCII
|
||||
- Refresh libica-sles15sp2-FIPS-hmac-key.patch
|
||||
- Fix Some internal variables used to store sensitive information
|
||||
(keys) were not zeroized before returning to the calling application.
|
||||
(bsc#1175357)
|
||||
* Added libica-sles15sp2-Zeroize-local-variables.patch
|
||||
- Updated libica-rpmlintrc to eliminate the warning about the HMAC file
|
||||
being a hidden file. It is supposed to be hidden.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 7 18:01:31 UTC 2020 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Added the following patches for FIPS certification (bsc#1162533)
|
||||
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
|
||||
* libica-sles15sp2-FIPS-hmac-key.patch
|
||||
- Added a BuildRequires for the fipscheck package.
|
||||
- Made a couple of changes to the spec file based upon recommendations
|
||||
by spec-cleaner.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 8 18:55:24 UTC 2020 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Added the following patches for FIPS certification.
|
||||
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
|
||||
(bsc#1166071) Although a DES key has only 56 effective bits,
|
||||
all 64 bits must be considered, because the parity bits are
|
||||
spread over all 8 bytes of the key.
|
||||
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
|
||||
(bsc#1166210) FIPS tests require the output iv to be the iv
|
||||
resulting from decrypting the last block with a zero iv as input.
|
||||
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
|
||||
(bsc#1166224) The output from icainfo never shows 'yes' for
|
||||
RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
|
||||
due to the missing ICA_FLAG_SW flag in the icaList.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 14 22:45:16 UTC 2019 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
|
||||
(bsc#1156768)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 15 18:53:36 UTC 2019 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Upgraded to version 3.6.0 (jsc#SLE-7584)
|
||||
* [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 30 21:46:50 UTC 2019 - Mark Post <mpost@suse.com>
|
||||
|
||||
- Upgraded to version 3.5.0 (Fate#327840)
|
||||
- [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify
|
||||
- Reworked how libica-tools loads and unloads kernel modules to
|
||||
avoid spurious error messages (bsc#1134004):
|
||||
* Converted the boot.z90crypt sysV init script to a systemd unit
|
||||
file.
|
||||
* Removed any references to insserv in the spec file.
|
||||
* Updated the z90crypt script itself to properly load and unload
|
||||
the kernel modules as they exist today.
|
||||
* Eliminated the obsolete libica-SuSE.tar.bz2 archive.
|
||||
- Updated the README.SUSE file to reflect the change from sysV init
|
||||
style script to systemd.
|
||||
- Made numerous changes to the spec file, based on the output from
|
||||
the spec-cleaner command.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 24 10:09:46 UTC 2019 - Martin Pluskal <mpluskal@suse.com>
|
||||
|
||||
- Run testsuite during build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 15 19:16:30 UTC 2018 - mpost@suse.com
|
||||
|
||||
- Upgraded to version 3.4.0 (Fate#325690)
|
||||
* v3.4.0
|
||||
[FEATURE] Add SHA-512/224 and SHA-512/256 support
|
||||
- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch
|
||||
- Made numerous updates to spec file based on spec-cleanup run.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 14 18:01:37 UTC 2018 - mpost@suse.com
|
||||
|
||||
- Upgraded to version 3.3.3 (Fate#325690)
|
||||
* v3.3.3
|
||||
[PATCH] Various bug fixes
|
||||
* v3.3.2
|
||||
[PATCH] Skip ECC tests if required HW is not available
|
||||
[PATCH] Update spec file
|
||||
* v3.3.1
|
||||
[PATCH] Fix configure.ac to honour CFLAGS
|
||||
* v3.3.0
|
||||
[FEATURE] Add CEX supported elliptic-curve crypto interfaces
|
||||
[FEATURE] Add SIMD supported multiple-precision arithmetic interfaces
|
||||
[FEATURE] Add interface to enable/disable SW fallbacks
|
||||
[FEATURE] Add 'make check' target, test-suite rework
|
||||
* v3.2.1
|
||||
[FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG.
|
||||
[PATCH] Various bug fixes.
|
||||
- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch
|
||||
- Removed COPYING from %files, since it is no longer in the tarball.
|
||||
- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch
|
||||
(bsc#1103493).
|
||||
- Made multiple changes to the spec file based on the output of
|
||||
spec-cleaner
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 22 19:09:13 UTC 2018 - mpost@suse.com
|
||||
|
||||
- Added "Obsoletes: libica-2_3_0" to the libica-tools package to
|
||||
fix a problem with upgrading from SLES12 SP2 to either SLES12
|
||||
SP3/SP4, or SLES15. (bsc#1112655)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 11 17:19:57 UTC 2018 - mpost@suse.com
|
||||
|
||||
- Added "Obsoletes: libica2" to the libica-tools package to fix
|
||||
a problem with upgrading from SLES12 SP2 to either SLES12
|
||||
SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 18 02:29:29 UTC 2018 - mpost@suse.com
|
||||
|
||||
- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756)
|
||||
- Updated boot.z90crypt script to fix a problem with the modprobe
|
||||
command not being found. (bsc#1040229).
|
||||
- Added "Recommends: libica-tools" (bsc#1046435).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 23 13:53:22 UTC 2017 - rbrown@suse.com
|
||||
|
||||
- Replace references to /var/adm/fillup-templates with new
|
||||
%_fillupdir macro (boo#1069468)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 4 19:22:58 UTC 2017 - mpost@suse.com
|
||||
|
||||
- Added "--enable-fips" to the %configure parms (Fate#324115)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 22 21:27:04 UTC 2017 - mpost@suse.com
|
||||
|
||||
- Upgraded to version 3.2 (Fate#321517)
|
||||
* v3.2.0
|
||||
[FEATURE] New AES-GCM interface.
|
||||
[UPDATE] Add symbol versioning.
|
||||
* v3.1.1
|
||||
[PATCH] Various bug fixes related to old and new AES-GCM implementations.
|
||||
[UPDATE] Add SHA3 test cases. Improved and extended test suite.
|
||||
* v3.1.0
|
||||
[FEATURE] Add KMA support for AES-GCM.
|
||||
[FEATURE] Add SHA-3 support.
|
||||
[PATCH] Reject RSA keys with invalid key-length.
|
||||
[PATCH] Allow zero output length for ica_random_number_generate.
|
||||
[PATCH] icastats: Correct owner of shared segment when root creates it.
|
||||
* Removed the following obsolete patches:
|
||||
libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
|
||||
libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
|
||||
libica-3.0.2-03-fix-aes-ctr.patch
|
||||
libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com
|
||||
|
||||
- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567)
|
||||
- Added the following patches (bsc#1058567)
|
||||
- libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
|
||||
- libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
|
||||
- libica-3.0.2-03-fix-aes-ctr.patch
|
||||
- libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 1 14:36:04 UTC 2017 - fcrozat@suse.com
|
||||
|
||||
- baselibs.conf doesn't need any additional provides/conflicts for
|
||||
libica3.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 12 09:07:34 UTC 2017 - fcrozat@suse.com
|
||||
|
||||
- Update baselibs.conf with proper name for library package name,
|
||||
stop providing/obsoleting libica-2_1_0/libica-2_3-0.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 9 17:23:11 UTC 2017 - mpost@suse.com
|
||||
|
||||
- Upgraded to version 3.0.2 (Fate#322025).
|
||||
- v3.0.2
|
||||
- Fix locking callbacks for openSSL APIs.
|
||||
- v3.0.1
|
||||
- Fixed msa level detection on zEC/BC12 GA1 and predecessors.
|
||||
- v3.0.0
|
||||
- Added FIPS mode.
|
||||
- Sanitized exported symbols.
|
||||
- Removed deprecated APIs. Marked some APIs as deprecated.
|
||||
- Adapted to OpenSSL v1.1.0.
|
||||
- RSA key generation is thread-safe now.
|
||||
- Removed the following obsolete patches:
|
||||
- fix-initialization-of-s390-hardware-switches-1.patch
|
||||
- fix-initialization-of-s390-hardware-switches-2.patch
|
||||
- fix-msa-level-detection.patch
|
||||
- fix-segfault-during-multithread-keygen.patch
|
||||
- rng-performance.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com
|
||||
|
||||
- Made the following packaging changes:
|
||||
- Implemented the shared library packaging guidelines.
|
||||
- Consolidated double invocation of %setup into just one.
|
||||
- Dropped redundant %ifarch, the package is already ExclusiveArch.
|
||||
- Updated descriptions.
|
||||
- Added an libica-rpmlintrc file.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 30 20:04:29 UTC 2016 - mpost@suse.com
|
||||
|
||||
- Added the following two patches:
|
||||
- fix-segfault-during-multithread-keygen.patch (bsc#991485)
|
||||
- fix-msa-level-detection.patch (bsc#1010927)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 2 16:00:30 UTC 2016 - mpost@suse.com
|
||||
|
||||
- Added rng-performance.patch (bsc#990850).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 14 21:03:41 UTC 2016 - mpost@suse.com
|
||||
|
||||
- Updated baselibs.conf to obsolete prior versions of the 32bit
|
||||
package. (bsc#983897):
|
||||
provides "libica-<targettype> = <version>"
|
||||
obsoletes "libica-<targettype> < <version>"
|
||||
provides "libica-2_1_0-<targettype> = <version>"
|
||||
obsoletes "libica-2_1_0-<targettype> < <version>"
|
||||
provides "libica-2_3_0-<targettype> = <version>"
|
||||
obsoletes "libica-2_3_0-<targettype> < <version>"
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 18 16:52:44 UTC 2016 - mpost@suse.com
|
||||
|
||||
- Added fix-initialization-of-s390-hardware-switches-1.patch and
|
||||
fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 22 19:12:49 UTC 2016 - mpost@suse.com
|
||||
|
||||
- Upgraded to version 2.6.2 (FATE#319610).
|
||||
- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to
|
||||
naming standards.
|
||||
- Found the original location of the icaioctl.h file and downloaded
|
||||
it to replace what we had previously.
|
||||
- Removed the unnecessary libica2.la file
|
||||
- Removed unnecessary Requires for glibc-devel
|
||||
- Added Requires libica2 to the -devel package
|
||||
- Converted call to configure to %configure macro
|
||||
- Removed obsolete and unnecessary INSROOT and bindir parameters
|
||||
from the make install command
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 6 16:02:05 CET 2015 - pth@suse.de
|
||||
|
||||
- Add Provides/Obsoletes for libica-2_3_0 so that the package from
|
||||
SLE12 GA is replaced (bsc#953096).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 4 10:41:19 UTC 2015 - meissner@suse.com
|
||||
|
||||
- move the .so file to the mainpackage, the openssl-ibmca engine
|
||||
will only load "libica.so" (bsc#952871)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 17 21:04:40 UTC 2015 - jjolly@suse.com
|
||||
|
||||
- Update to libica v2.4.2 (FATE#318035)
|
||||
- Removed outdated libica-aes_ccm-31-bit-compatibility.patch
|
||||
- Moved init script into libica-SuSE.tar.bz2 archive
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de
|
||||
|
||||
- sanitize release line in specfile
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 13 18:01:15 UTC 2014 - jjolly@suse.com
|
||||
|
||||
- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root
|
||||
- Removed libica-SuSE.tar.bz2
|
||||
- z90crypt now starts and stops ap kernel module (bnc#888943)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 18 13:21:03 UTC 2014 - jjolly@suse.com
|
||||
|
||||
- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM:
|
||||
fixed 64/31 bit compatibility
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 6 14:51:45 CET 2014 - ro@suse.de
|
||||
|
||||
- add obsoletes and provides for older libica versions
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 5 18:33:02 CET 2014 - ro@suse.de
|
||||
|
||||
- update to 2.3.0 (fate#315342)
|
||||
- obsolete/upstreamed patches:
|
||||
libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch
|
||||
libica-2_1_0-msa4-extension.patch
|
||||
libica-2_1_0-synchronize_shared_memory_ref_counting.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 19 06:04:25 UTC 2014 - jjolly@suse.com
|
||||
|
||||
- Added COPYING to %files
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 18 14:33:13 UTC 2014 - jjolly@suse.com
|
||||
|
||||
- Fixed build dependency errors by requiring autoconf, automake
|
||||
and libtool
|
||||
- Changed license to CPL-1.0
|
||||
- Created devel package
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 21 14:49:54 UTC 2012 - uli@suse.com
|
||||
|
||||
- Support for MSA4 extension (bnc#794518, fate#314078)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 6 10:46:26 UTC 2011 - uli@suse.com
|
||||
|
||||
- synchronize shared memory reference counting for library
|
||||
statistics (bnc#719659)
|
||||
- fix temporary buffer allocation in ica_get_version() (bnc#719660)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 14 11:50:13 CEST 2011 - uli@suse.de
|
||||
|
||||
- update -> 2.1.0 (fate#311914)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 23 22:40:55 CET 2009 - jjolly@suse.de
|
||||
|
||||
- Moved icainfo into /usr/bin (bnc#448643)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 13 12:34:56 CET 2009 - olh@suse.de
|
||||
|
||||
- obsolete old -XXbit packages (bnc#437293)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 5 01:34:34 CET 2008 - ro@suse.de
|
||||
|
||||
- fix build on all platforms
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Nov 2 01:56:40 CET 2008 - jjolly@suse.de
|
||||
|
||||
- Added CPL license to include/z90crypt.h, removed GPL reference
|
||||
(This patch is upstream)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 15 15:55:55 CEST 2008 - jjolly@suse.de
|
||||
|
||||
- Changed package name to libica-1_3_9 to conform to rpmlint
|
||||
requirements. (bnc#433432)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 25 10:34:00 CEST 2008 - jjolly@suse.de
|
||||
|
||||
- Removed soname filter for rpmlint
|
||||
- Several RPM fixes to help satisfy rpmlint
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 12 06:54:16 CEST 2008 - jjolly@suse.de
|
||||
|
||||
- Updated to libica 1.3.9
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
|
||||
|
||||
- added baselibs.conf file to build xxbit packages
|
||||
for multilib support
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 9 19:20:07 CEST 2007 - olh@suse.de
|
||||
|
||||
- remove inclusion of linux/config.h
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 12 14:02:57 CET 2007 - uli@suse.de
|
||||
|
||||
- z90crypt: handle errors (bug #247799)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 22 08:43:22 CEST 2006 - aj@suse.de
|
||||
|
||||
- Add gcc-c++ to BuildRequires.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 19 16:50:02 CEST 2006 - ro@suse.de
|
||||
|
||||
- fix build for the rest of platforms
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 19 15:34:30 CEST 2006 - hare@suse.de
|
||||
|
||||
- Update to libica 1.3.7 (#160036 - LTC22571)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 21 14:31:10 CEST 2006 - hare@suse.de
|
||||
|
||||
- Increasing # of open handles with symmetric crypto support
|
||||
(#165323 - LTC23095)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 25 21:37:29 CET 2006 - mls@suse.de
|
||||
|
||||
- converted neededforbuild to BuildRequires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 14 01:30:49 CET 2005 - ro@suse.de
|
||||
|
||||
- include string.h and unistd.h in icalinux.c
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 12 15:09:25 CET 2005 - hare@suse.de
|
||||
|
||||
- Port package from SLES9 SP3
|
||||
- Update to libica 1.3.6-rc3.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 2 16:23:24 CET 2005 - hare@suse.de
|
||||
|
||||
- Close all filehandles (#130060 - LTC19221).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 5 14:07:28 CEST 2005 - uli@suse.de
|
||||
|
||||
- downgrade to libica 1.3.6-rc2 (contains AES software fallback,
|
||||
bug #117336)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 29 12:44:50 CEST 2005 - hare@suse.de
|
||||
|
||||
- Update to libica 1.3.6 (#117336)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 23 02:05:26 CEST 2005 - ro@suse.de
|
||||
|
||||
- fix implicit declaration
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 31 13:20:55 CEST 2005 - ihno@suse.de
|
||||
|
||||
- Changing the default value from 0 to -1 in rcz90crypt (#114371)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 23 17:52:05 CEST 2005 - hare@suse.de
|
||||
|
||||
- Finally fix 'reload' messages (#81824 - LTC15733).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 20 12:11:51 CEST 2005 - hare@suse.de
|
||||
|
||||
- Fix sigill patch.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 18 13:17:39 CEST 2005 - hare@suse.de
|
||||
|
||||
- Remove printf output from sigill patch (#81829 - LTC15731).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 10 12:56:38 CEST 2005 - hare@suse.de
|
||||
|
||||
- Use correct default value for z90crypt (#81825 - LTC15732).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 9 14:49:52 CEST 2005 - hare@suse.de
|
||||
|
||||
- Fix messages for 'reload' (#81824 - LTC15733).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 8 16:58:02 CET 2005 - hare@suse.de
|
||||
|
||||
- Fixed SIGILL on z900 (#46422).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 23 10:06:08 CEST 2004 - hare@suse.de
|
||||
|
||||
- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 14 08:22:27 CEST 2004 - hare@suse.de
|
||||
|
||||
- Fix module loading error (#42006).
|
||||
- Add sysconfig variable to set the 'domain' parameter (#42005).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 23 12:58:58 CEST 2004 - uli@suse.de
|
||||
|
||||
- update -> 1.3.5-3 (bug #42122)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 24 18:28:27 CEST 2004 - bk@suse.de
|
||||
|
||||
- Update README.SuSE and correct name as well
|
||||
- Use modprobe instead of insmod and fix module load error(#40526)
|
||||
- Fix error checking for no hardware found case and hw error on load
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 7 15:15:17 CEST 2004 - hare@suse.de
|
||||
|
||||
- Update Readme again for the correct name (SUSE LINUX Server).
|
||||
- Moved README.SuSE to README.SUSE.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 7 15:00:51 CEST 2004 - hare@suse.de
|
||||
|
||||
- Update Readme to refer to the correct name (SUSE Linux Server).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 6 09:01:53 CEST 2004 - hare@suse.de
|
||||
|
||||
- Update to 1.3.5-2 (#38511, #39693).
|
||||
- Update Readme to refer to SUSE Linux Server instead of
|
||||
SuSE Linux Enterprise Server.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 1 09:50:02 CEST 2004 - hare@suse.de
|
||||
|
||||
- Update to 1.3.5
|
||||
- export CFLAGS & CPPFLAGS for configure
|
||||
- Exclude S/390-specific files for other archs (#37183)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 16 01:29:03 CET 2004 - ro@suse.de
|
||||
|
||||
- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 13 10:00:42 CET 2004 - adrian@suse.de
|
||||
|
||||
- fix build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jan 11 21:07:44 CET 2004 - adrian@suse.de
|
||||
|
||||
- build as user
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 30 18:14:08 CEST 2003 - poeml@suse.de
|
||||
|
||||
- update to 1.3.4
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jul 27 16:37:20 CEST 2003 - poeml@suse.de
|
||||
|
||||
- update to 1.3.2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 11 11:30:22 CEST 2003 - poeml@suse.de
|
||||
|
||||
- update to 1.3.1:
|
||||
now supports DES, TDES and SHA, as well as RSA.
|
||||
- throw libica.patch away, since autoversion and Makefile.am have
|
||||
similar changes now, and the renaming from _LINUX_S390_ to
|
||||
__s390__ is not really necessary
|
||||
- use %defattr
|
||||
- checked that icaioctl.h is still current
|
||||
- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone
|
||||
open source meanwhile and comes with the kernel sources
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 31 10:45:00 CET 2002 - froh@suse.de
|
||||
|
||||
- added documentation how to set up crypto hardware support,
|
||||
esp. S/390 and zSeries. (#16011, #22056)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 10 11:07:07 CEST 2002 - froh@suse.de
|
||||
|
||||
- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5
|
||||
actually work. (#20737)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 20 10:52:45 CEST 2002 - mmj@suse.de
|
||||
|
||||
- Correct PreReq
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 31 15:00:23 CEST 2002 - froh@suse.de
|
||||
|
||||
- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and
|
||||
to build on non-s390
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 30 10:56:33 CEST 2002 - froh@suse.de
|
||||
|
||||
- updated to current libica
|
||||
- hacked in icaioctl.h for build, 'til we have the module in the
|
||||
kernel.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Jul 27 16:16:35 CEST 2002 - adrian@suse.de
|
||||
|
||||
- add %run_ldconfig
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 7 14:27:50 CEST 2002 - ro@suse.de
|
||||
|
||||
- fix for current automake/autoconf
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Apr 27 11:12:11 CEST 2002 - ro@suse.de
|
||||
|
||||
- removed old fillup-template and START_ variable
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 27 17:58:50 CET 2002 - ihno@suse.de
|
||||
|
||||
- modified etc/init.d/z90crypt-script to report result at start.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 5 11:01:16 CET 2002 - froh@suse.de
|
||||
|
||||
- Added openssl to #neededforbuild, which is needed in addition to
|
||||
openssl-devel
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
|
||||
|
||||
- initial version
|
||||
|
||||
-------------------------------------------------------------------
|
210
libica.spec
Normal file
210
libica.spec
Normal file
@ -0,0 +1,210 @@
|
||||
#
|
||||
# spec file for package libica
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
%if ! %{defined _fillupdir}
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
|
||||
Name: libica
|
||||
Version: 4.4.0
|
||||
Release: 0
|
||||
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
||||
License: CPL-1.0
|
||||
Group: Hardware/Other
|
||||
URL: https://github.com/opencryptoki/libica
|
||||
Source: https://github.com/opencryptoki/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
Source1: README.SUSE
|
||||
Source2: sysconfig.z90crypt
|
||||
Source3: z90crypt
|
||||
Source4: z90crypt.service
|
||||
Source5: %{name}-rpmlintrc
|
||||
###
|
||||
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
|
||||
###
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: fipscheck
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libtool
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssl-devel
|
||||
Requires(post): %fillup_prereq
|
||||
ExclusiveArch: s390 s390x
|
||||
|
||||
%description
|
||||
This package contains the interface library routines used by IBM
|
||||
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||
(ICA).
|
||||
|
||||
%package -n libica4
|
||||
Summary: Library interface for the IBM Cryptographic Accelerator
|
||||
Group: System/Libraries
|
||||
Recommends: libica-tools
|
||||
|
||||
%description -n libica4
|
||||
This package contains the interface library routines used by IBM
|
||||
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||
(ICA).
|
||||
|
||||
%package tools
|
||||
Summary: Utilities for the IBM Cryptographic Accelerator
|
||||
Group: Hardware/Other
|
||||
Obsoletes: libica < %{version}-%{release}
|
||||
Obsoletes: libica-2_3_0 < %{version}-%{release}
|
||||
Obsoletes: libica2 < %{version}-%{release}
|
||||
Obsoletes: libica3 < %{version}-%{release}
|
||||
Provides: libica = %{version}-%{release}
|
||||
Provides: libica-2_3_0 = %{version}-%{release}
|
||||
Provides: libica-plugin = %{version}-%{release}
|
||||
Provides: libica2 = %{version}-%{release}
|
||||
Provides: libica3 = %{version}-%{release}
|
||||
|
||||
%description tools
|
||||
This package contains command-line utilities to inspect the IBM
|
||||
eServer Cryptographic Accelerator (ICA).
|
||||
|
||||
%package devel
|
||||
Summary: Development files for the ICA device driver interface library
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libica4 = %{version}
|
||||
Requires: libopenssl-devel
|
||||
Obsoletes: libica-2_1_0-devel < %{version}-%{release}
|
||||
Provides: libica-2_1_0-devel = %{version}-%{release}
|
||||
Obsoletes: libica-2_3_0-devel < %{version}-%{release}
|
||||
Provides: libica-2_3_0-devel = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
This package contains the interface library routines used by IBM
|
||||
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||
(ICA).
|
||||
|
||||
This subpackage contains the necessary files to compile and link
|
||||
using the libica library.
|
||||
|
||||
%package devel-static
|
||||
Summary: Static Development files for the ICA device driver interface library
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libica-devel
|
||||
|
||||
%description devel-static
|
||||
This package contains the interface library routines used by IBM
|
||||
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||
(ICA).
|
||||
|
||||
This RPM contains all the tools necessary to compile and link using
|
||||
the libica library.
|
||||
|
||||
%prep
|
||||
%autosetup -p 1
|
||||
|
||||
%build
|
||||
autoreconf --force --install
|
||||
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
|
||||
--enable-fips
|
||||
|
||||
%make_build clean
|
||||
%make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release"
|
||||
|
||||
%define major %(echo %{version} | sed -e 's/[.].*//')
|
||||
|
||||
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
|
||||
|
||||
%install
|
||||
%make_install FIPSHMAC=fipshmac
|
||||
make fipsinstall FIPSHMAC=fipshmac DESTDIR=%{buildroot}
|
||||
mkdir -p %{buildroot}%{_includedir}
|
||||
cp -p include/ica_api.h %{buildroot}%{_includedir}
|
||||
mkdir -p %{buildroot}%{_sbindir}
|
||||
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
|
||||
install -D %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
|
||||
install -D %{SOURCE3} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
|
||||
install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
|
||||
# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
|
||||
# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
|
||||
# and the dangling symlink test would fail
|
||||
chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
|
||||
|
||||
cp -a %{SOURCE1} .
|
||||
rm -vf %{buildroot}%{_libdir}/libica*.la
|
||||
rm -f %{buildroot}%{_datadir}/doc/libica/*
|
||||
rmdir %{buildroot}%{_datadir}/doc/libica
|
||||
# rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
|
||||
# rmdir %{buildroot}/%{_sysconfdir}/libica
|
||||
|
||||
%check
|
||||
%make_build check FIPSHMAC=fipshmac
|
||||
|
||||
%pre tools
|
||||
%service_add_pre z90crypt.service
|
||||
|
||||
%post tools
|
||||
%service_add_post z90crypt.service
|
||||
%{fillup_only -n z90crypt}
|
||||
|
||||
%preun tools
|
||||
%service_del_preun z90crypt.service
|
||||
|
||||
%postun tools
|
||||
%service_del_postun z90crypt.service
|
||||
|
||||
%post -n libica4 -p /sbin/ldconfig
|
||||
%postun -n libica4 -p /sbin/ldconfig
|
||||
|
||||
%files -n libica4
|
||||
%{_libdir}/libica.so.%{version}
|
||||
%{_libdir}/libica.so.%{major}
|
||||
%{_libdir}/.libica.so.%{version}.hmac
|
||||
%{_libdir}/.libica.so.%{major}.hmac
|
||||
%{_libdir}/libica-cex.so.%{version}
|
||||
%{_libdir}/libica-cex.so.%{major}
|
||||
%{_libdir}/.libica-cex.so.%{version}.hmac
|
||||
%{_libdir}/.libica-cex.so.%{major}.hmac
|
||||
### Enable FIPS
|
||||
%dir %{_sysconfdir}/libica
|
||||
%{_sysconfdir}/libica/openssl3-fips.cnf
|
||||
###
|
||||
|
||||
%files tools
|
||||
%license LICENSE
|
||||
%doc README.SUSE
|
||||
%{_sbindir}/rcz90crypt
|
||||
%attr(644,root,root) %{_fillupdir}/sysconfig.z90crypt
|
||||
%{_bindir}/icainfo
|
||||
%{_bindir}/icainfo-cex
|
||||
%{_bindir}/icastats
|
||||
%{_mandir}/man1/icainfo.1%{?ext_man}
|
||||
%{_mandir}/man1/icainfo-cex.1%{?ext_man}
|
||||
%{_mandir}/man1/icastats.1%{?ext_man}
|
||||
%dir %{_prefix}/lib/systemd/scripts
|
||||
%{_prefix}/lib/systemd/scripts/z90crypt
|
||||
%{_prefix}/lib/systemd/system/z90crypt.service
|
||||
# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
|
||||
%{_libdir}/libica.so
|
||||
|
||||
%files devel
|
||||
%{_includedir}/ica_api.h
|
||||
%{_libdir}/libica-cex.so
|
||||
|
||||
%files devel-static
|
||||
%{_libdir}/libica.a
|
||||
%{_libdir}/libica-cex.a
|
||||
|
||||
%changelog
|
10
sysconfig.z90crypt
Normal file
10
sysconfig.z90crypt
Normal file
@ -0,0 +1,10 @@
|
||||
## Path: Kernel/z90Crypt
|
||||
## Description: Set domain parameter for z90crypt
|
||||
## Type: integer(-1:15)
|
||||
## Default: -1
|
||||
#
|
||||
# This variable selects the crypto domain to be used,
|
||||
# required if an LPAR owns several crypto domains.
|
||||
# The value of -1 is used for autodetect.
|
||||
#
|
||||
Z90CRYPT_DOMAIN=-1
|
21
z90crypt
Normal file
21
z90crypt
Normal file
@ -0,0 +1,21 @@
|
||||
#!/bin/sh
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
MODULE_LIST="pkey zcrypt_pcixcc zcrypt_cex2a zcrypt_cex4 zcrypt rng_core"
|
||||
case "${1}" in
|
||||
start) for module in ${MODULE_LIST}
|
||||
do if ! grep -q ^{$module} /proc/modules ; then
|
||||
modprobe ${module}
|
||||
fi
|
||||
done
|
||||
;;
|
||||
stop) for module in ${MODULE_LIST}
|
||||
do if grep -q ^${module} /proc/modules ; then
|
||||
rmmod ${module}
|
||||
fi
|
||||
done
|
||||
;;
|
||||
esac
|
13
z90crypt.service
Normal file
13
z90crypt.service
Normal file
@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Activate any cryptographic hardware
|
||||
After=systemd-modules-load.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
|
||||
ExecStart=/usr/lib/systemd/scripts/z90crypt start
|
||||
ExecStop=/usr/lib/systemd/scripts/z90crypt stop
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
Loading…
Reference in New Issue
Block a user