commit 053908a9ac84d081c19345ccc8a5eac1ee6875184380bd74b48dc1648a1c6a0e Author: Stephan Kulow Date: Mon Apr 24 19:06:50 2017 +0000 Accepting request 484290 from openSUSE:Factory:zSystems Major rework of package to conform to shared library policy, including being renamed from libica2 to libica. Additional bugfixes from previous version. Please also make me the maintainer of the package. OBS-URL: https://build.opensuse.org/request/show/484290 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..b791ba0
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,331 @@ +The following information was provided to us courtesy of the IBM +testing team, who tested the functionality of apache with mod_ssl +on SUSE LINUX Enterprise Server 9 for S/390 and zSeries. + +It thus refers to testing only from a certain point, and the +z90crypt part is of course specific to S/390 and zSeries. + +------------------------------------------------------------------- +Installation and Configuration of S/390 HW Crypto +on SUSE Linux Enterprise Server 9 for S/390 and zSeries: + +1) Installation of the driver packages openCryptoki and libica + + The driver packages are installed during base install in the + default selection. If you installed only minimal system or + deinstalled the packages, install them now. If the installation + source is accessible, you can do it with a single command: + + 31bit: + yast sw_single openCryptoki openCryptoki-32bit + + 64bit: + yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit + + This will automatically install the necessary libica packages as + well if they are not installed yet. + + +2) Loading the z90crypt driver: + + rcz90crypt start to load z90crypt + + rcz90crypt stop to unload z90crypt + + this command will be available only after installation of the + crypto driver packages. + + To load the driver automatically at every system boot, integrate it + with the other boot scripts issuing + + insserv z90crypt + + +3) Checking if the z90crypt hardware driver can be accessed + + Run this command: + + openssl speed rsa1024 -engine ibmca -elapsed + + If you get 'can't use that engine', as the first line + of output of the command look for the successive line + and check: + - if running "rcz90crypt restart" gives no error message + - the output of command "dmesg" for error messages from the driver + - the hardware is indeed available to this instance + +4) Installation and Setup of mod_ssl and apache + + a) ensure that mod_ssl and apache are installed during base + install. 
If the installation source is accessible, + the command + + yast sw_single mod_ssl + + will install apache and mod_ssl if they are not installed yet. + + b) to activate the apache ssl support do the following: + + if you did not use yast to install the packages, you have + to run manually: SuSEconfig --module apache + + edit /etc/sysconfig/apache: + change HTTPD_START_TIMEOUT=2 to 20 + + change HTTPD_SEC_MOD_SSL=no to yes + + edit httpd.conf in /etc/httpd: + + in section 2: check that the ServerName and ServerMail in + the ServerAdmin section is ok. + + in section 3: set inside the + ServerName to host name + + add on section : SSLCryptoDevice ibmca + + run: SuSEconfig --module apache + +5) Crypto configuration of apache/mod_ssl: + + a) create a certificate (Snake Oil) for the TEST --- THIS + CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR + TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A + CERTIFICATION AUTHORITY FOR PRODUCTION USE. + + go to: cd /usr/share/doc/packages/mod_ssl + + run: ./certificate.sh + + see following questions will come up. Give shown answers + and use the pass phrase: + + der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh + SSL Certificate Generation Utility (mkcert.sh) + Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved. + + Generating test certificate signed by Snake Oil CA [TEST] + WARNING: Do not use this for real-life/production systems + + STEP 0: Decide the signature algorithm used for certificate + The generated X.509 CA certificate can contain either + RSA or DSA based ingredients. Select the one you want to use. 
+ Signature Algorithm ((R)SA or (D)SA) [R]:R + + + STEP 1: Generating RSA private key (1024 bit) [server.key] + 123006 semi-random bytes loaded + Generating RSA private key, 1024 bit long modulus + ..++++++ + .................++++++ + e is 65537 (0x10001) + + STEP 2: Generating X.509 certificate signing request + [server.csr] + Using configuration from .mkcert.cfg + You are about to be asked to enter information that will be + incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished + Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + 1. Country Name (2 letter code) [XY]:DE + 2. State or Province Name (full name) [Snake Desert]: + + 3. Locality Name (eg, city) [Snake Town]: + + 4. Organization Name (eg, company) [Snake Oil, Ltd]: + + 5. Organizational Unit Name (eg, section) [Webserver Team]: + + 6. Common Name (eg, FQDN) [www.snakeoil.dom]: + + 7. Email Address (eg, name@FQDN) [www@snakeoil.dom]: + + + STEP 3: Generating X.509 certificate signed by Snake Oil CA + [server.crt] + Certificate Version (1 or 3) [3]:3 + Signature ok + subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil, + Ltd/OU=Webserver + Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom + Getting CA Private Key + Verify: matching certificate & key modulus + read RSA key + Verify: matching certificate signature + /etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake + Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil + CA/Email=ca@snakeoil.dom + error 10 at 1 depth lookup:certificate has expired + OK + + STEP 4: Enrypting RSA private key with a pass phrase for + security [server.key] + The contents of the server.key file (the generated private key) + has to be + kept secret. So we strongly recommend you to encrypt the + server.key file + with a Triple-DES cipher and a Pass Phrase. 
+ Encrypt the private key now? [Y/n]: Y + read RSA key + writing RSA key + Enter PEM pass phrase: <=== crypto + Verifying password - Enter PEM pass phrase: <=== crypto + Fine, you're using an encrypted RSA private key. + + RESULT: Server Certification Files + + o conf/ssl.key/server.key + + The PEM-encoded RSA private key file which you + configure with the 'SSLCertificateKeyFile' directive + (automatically done when you install via APACI). KEEP + THIS FILE PRIVATE! + + o conf/ssl.crt/server.crt + + The PEM-encoded X.509 certificate file which you configure + with the 'SSLCertificateFile' directive (automatically done + when you install via APACI). + + o conf/ssl.csr/server.csr + + The PEM-encoded X.509 certificate signing request file + which you can send to an official Certificate Authority + (CA) in order to request a real server certificate + (signed by this CA instead of our demonstration-only + Snake Oil CA) which later can replace the + conf/ssl.crt/server.crt file. + + WARNING: Do not use this for real-life/production systems + + der3gbe:/usr/share/doc/packages/mod_ssl # + +6) Start Apache with SSL + + a) start with pass phrase (Changes done to apache modul + described in item c)). + + run: rcapache start + + dev3fe01:~ # rcapache start + + Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26 + mod_ssl/2.8.10 (Pass Phrase Dialog) + Some of your private key files are encrypted for security + reasons. + In order to read them you have to provide us with the pass + phrases. + + Server dev3fe01.boeblingen.de.ibm.com:443 (RSA) + Enter pass phrase: crypto + + Ok: Pass Phrase Dialog successful. + done + + b) start without pass phrase when using apache without + ssl-support + + remark: You need to change the apache modul (see + item c)). Set the HTTPD_SEC_MOD_SSL=no. 
+ + run: rcapache start + + +7) Check that ibmca is used and apache is working with http and https: + + a) On a browser enter http:// or + https:// + b) with netstat or netstat -a on the apache server machine you + can see if https is used. + c) in the log /var/log/httpd/ssl_engine_log you can see if the + ibmca engine is started or not. + d) during siege test you can see with cat /proc/driver/z90crypt + if and what crypto HW is used + e) you can check a http connection with telnet + http. Then enter + get / http/1.0 + and you should get back some stuff after pressing enter + twice. + + f) You can check if openssl works with the ibmca engine + + a) Therefore you must create certificates: + cd /usr/share/ssl/misc + run: ./CA.sh -newcert + + dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert + Using configuration from /etc/ssl/openssl.cnf + Generating a 1024 bit RSA private key + ......................++++++ + .++++++ + writing new private key to 'newreq.pem' + Enter PEM pass phrase: <== geheim + Verifying password - Enter PEM pass phrase: <== geheim + Verify failure + Enter PEM pass phrase: + Verifying password - Enter PEM pass phrase: + phrase is too short, needs to be at least 4 chars + Enter PEM pass phrase: + Verifying password - Enter PEM pass phrase: + ----- + You are about to be asked to enter information that will be + incorporated + into your certificate request. + What you are about to enter is what is called a + Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. 
+ ----- + Country Name (2 letter code) [AU]: + <== press enter + State or Province Name (full name) [Some-State]: + <== press enter + Locality Name (eg, city) []: + <== press enter + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + <== press enter + Organizational Unit Name (eg, section) []: + <== press enter + Common Name (eg, YOUR name) []: <== press enter + Email Address []: <== press + enter + Certificate (and private key) is in newreq.pem + + run: ./CA.sh -newca + + dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca + CA certificate filename (or enter to create) + newreq.pem + dev3fe02: + + + b) Use openssl as a Web-browser and use https connection: + openssl s_client \ + -connect :443 -state -debug + + The machine were you start the client is working as + your 'browser' connecting to the webserver. You can + start commands from the client like get / http/1.0 . + + c) Use openssl as a Web-server and use https connection: + openssl s_server \ + -accept 443 -www -engine ibmca -cert newreq.pem + + The machine is working like a small webserver with full + openssl functionality. You can start your browser to + this machine and a lot of info will be sent. + + dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443 + -www -cert newreq.pem -engine ibmca + engine "ibmca" set. + Using default temp DH parameters + Enter PEM pass phrase: <== geheim + ACCEPT + +------------------------------------------------------------------- diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..3eae93a --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,5 @@ +libica + provides "libica-2_1_0- = " + obsoletes "libica-2_1_0- < " + provides "libica-2_3_0- = " + obsoletes "libica-2_3_0- < " diff --git a/fix-initialization-of-s390-hardware-switches-1.patch b/fix-initialization-of-s390-hardware-switches-1.patch new file mode 100644 index 0000000..1e4b4d3 --- /dev/null +++ b/fix-initialization-of-s390-hardware-switches-1.patch 
@@ -0,0 +1,26 @@
+--- a/src/include/s390_crypto.h
++++ b/src/include/s390_crypto.h
+@@ -83,7 +83,7 @@
+ S390_CRYPTO_SHA512_DRNG_SEED = 0x03 | 0x80
+ };
+
+-unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
++extern unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
+ tdes_switch, aes128_switch, aes192_switch, aes256_switch,
+ prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
+ msa4_switch, msa5_switch;
+@@ -119,10 +119,10 @@
+ SHA512_DRNG_SEED
+ } ppno_functions_t;
+
+-s390_supported_function_t s390_kmc_functions[PRNG + 1];
+-s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
+-s390_supported_function_t s390_kimd_functions[GHASH + 1];
+-s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
++extern s390_supported_function_t s390_kmc_functions[PRNG + 1];
++extern s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
++extern s390_supported_function_t s390_kimd_functions[GHASH + 1];
++extern s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
+
+ void s390_crypto_switches_init(void);
+
diff --git a/fix-initialization-of-s390-hardware-switches-2.patch b/fix-initialization-of-s390-hardware-switches-2.patch
new file mode 100644
index 0000000..0f2cae0
--- /dev/null
+++ b/fix-initialization-of-s390-hardware-switches-2.patch
@@ -0,0 +1,15 @@
+--- a/src/s390_crypto.c
++++ b/src/s390_crypto.c
+@@ -25,6 +25,11 @@
+ #include
+ #include "s390_crypto.h"
+ #include "init.h"
++
++unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
++ tdes_switch, aes128_switch, aes192_switch, aes256_switch,
++ prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
++ msa4_switch, msa5_switch;
+
+ s390_supported_function_t s390_kimd_functions[] = {
+ {SHA_1, S390_CRYPTO_SHA_1, &sha1_switch},
+
diff --git a/fix-msa-level-detection.patch b/fix-msa-level-detection.patch
new file mode 100644
index 0000000..6c3db41
--- /dev/null
+++ b/fix-msa-level-detection.patch 
@@ -0,0 +1,75 @@
+Subject: [PATCH] [BZ 148767] libica: libica crash with illegal instruction on z196/z114
+From: Harald Freudenberger
+
+Description: libica: libica crash with illegal instruction on z196/z114
+Symptom: 'illegal instruction' on libica initialization
+Problem: Upon initialization libica checks all the MSA levels
+ of the system to find out the available functions.
+ This check function reuses a buffer variable without
+ proper reinitialization thus leading to detect an
+ MSA 5 function PPNO which is in fact not available
+ on z196/z114 systems. Upon initialization the libica
+ internal pseudo random generator is initialized which
+ is then trying to use this PPNO function and so
+ the 'illegal instruction' occurs.
+Solution: Fix libica initialization function.
+Reproduction: On z196/z114 systems with every libica version >= 2.6.
+Upstream-ID: eeb40e5aea7dd36580629e6b17cd7f03fb62549c
+Problem-ID: 148767
+
+Signed-off-by: Harald Freudenberger
+Index: libica-service/src/s390_crypto.c
+===================================================================
+--- libica-service.orig/src/s390_crypto.c 2016-11-18 12:04:39.809574833 +0100
++++ libica-service/src/s390_crypto.c 2016-11-18 12:04:39.805574781 +0100
+@@ -144,6 +144,8 @@ void set_switches(int msa)
+ * kimd query and do not need to over the whole array. Therfore there
+ * is also no distict setting of the switch needed in form
+ * msa4_switch = 1. */
++
++ /* kmc query */
+ memset(mask, 0, sizeof(mask));
+ if (msa) {
+ if (begin_sigill_section(&oldact, &oldset) == 0) {
+@@ -160,13 +162,14 @@ void set_switches(int msa)
+ *s390_kmc_functions[n].enabled = on;
+ }
+
++ /* kimd query */
++ memset(mask, 0, sizeof(mask));
+ if (msa) {
+ if (begin_sigill_section(&oldact, &oldset) == 0) {
+ s390_kimd(S390_CRYPTO_QUERY, mask, (void *) 0, 0);
+ end_sigill_section(&oldact, &oldset);
+ }
+ }
+-
+ for (n = 0; n < (sizeof(s390_kimd_functions) /
+ sizeof(s390_supported_function_t)); n++) {
+ if (S390_CRYPTO_TEST_MASK(mask, s390_kimd_functions[n].hw_fc))
+@@ -176,6 +179,8 @@ void set_switches(int msa)
+ *s390_kimd_functions[n].enabled = on;
+ }
+
++ /* ppno query */
++ memset(mask, 0, sizeof(mask));
+ if (5 <= msa) {
+ msa5_switch = 1;
+ if (begin_sigill_section(&oldact, &oldset) == 0) {
+@@ -183,7 +188,6 @@ void set_switches(int msa)
+ end_sigill_section(&oldact, &oldset);
+ }
+ }
+-
+ for (n = 0; n < (sizeof(s390_ppno_functions) /
+ sizeof(s390_supported_function_t)); n++) {
+ if (S390_CRYPTO_TEST_MASK(mask, s390_ppno_functions[n].hw_fc))
+@@ -254,7 +258,7 @@ libica_func_list_element_int icaList[] =
+ {RSA_KEY_GEN_ME, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
+ {RSA_KEY_GEN_CRT, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
+
+- {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SHW | ICA_FLAG_SW, 0},
++ {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SW, 0},
+
+ /* available for the MSA4 instruction */
+ /* available for the RSA instruction */
diff --git a/fix-segfault-during-multithread-keygen.patch b/fix-segfault-during-multithread-keygen.patch
new file mode 100644
index 0000000..6878c2f
--- /dev/null
+++ b/fix-segfault-during-multithread-keygen.patch
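Review bot: The last inner hunk of this patch drops `ICA_FLAG_SHW` from the static `SHA512_DRNG` entry in `icaList`, but the patch description only talks about the stale `mask` buffer, so a reader cannot tell whether the hardware flag is restored at run time or the DRNG is now software-only. If the flag is meant to be set from the ppno query result (that code is not visible in these hunks), a comment on the entry such as `/* hw flag is only set once the ppno query confirms the function */` would record it; otherwise the description should state that the hardware path is disabled. The added `memset(mask, 0, sizeof(mask));` before the kimd and ppno queries matches the existing one before the kmc query; `set_switches` starts and ends outside the hunks, so the declaration of `mask` could not be checked here.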
@@ -0,0 +1,183 @@
+Index: src/s390_rsa.c
+===================================================================
+--- a/src/s390_rsa.c
++++ b/src/s390_rsa.c
+@@ -18,6 +18,9 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
+
+ #include "s390_rsa.h"
+ #include "s390_prng.h"
+@@ -41,9 +44,22 @@ static unsigned int mod_expo_sw(int arg_
+ char *exp, int mod_length, char *mod,
+ int *res_length, char *res, BN_CTX *ctx);
+
+-RSA* rsa_key_generate(unsigned int modulus_bit_length,
+- unsigned long *public_exponent)
++struct thread_data
++{
++ unsigned int mod_bit_length;
++ unsigned long *pub_exp;
++ RSA *rsa;
++};
++
++static void *__rsa_key_generate(void *ptr)
+ {
++ struct thread_data *pth_data;
++ unsigned int modulus_bit_length;
++ unsigned long *public_exponent;
++
++ pth_data = (struct thread_data*)ptr;
++ modulus_bit_length = pth_data->mod_bit_length;
++ public_exponent = pth_data->pub_exp;
+ BN_GENCB cb;
+
+ if (*public_exponent == 0)
+@@ -70,9 +86,36 @@ RSA* rsa_key_generate(unsigned int modul
+
+ if (RSA_generate_key_ex(rsa, modulus_bit_length, exp, &cb)) {
+ BN_free(exp);
+- return rsa;
++ pth_data->rsa = rsa;
+ }
++ else
++ pth_data->rsa = NULL;
++
++ return 0;
++}
+
++RSA* rsa_key_generate(unsigned int modulus_bit_length,
++ unsigned long *public_exponent)
++{
++ pthread_t tid;
++ struct thread_data th_data;
++ int rc;
++
++ sem_wait(&openssl_crypto_lock_mtx);
++
++ th_data.mod_bit_length = modulus_bit_length;
++ th_data.pub_exp = public_exponent;
++ rc = pthread_create(&(tid), NULL, (void *)&__rsa_key_generate,
++ (void *)(&th_data));
++ if (rc)
++ return 0;
++ rc = pthread_join(tid, NULL);
++
++ if (!rc && th_data.rsa) {
++ sem_post(&openssl_crypto_lock_mtx);
++ return th_data.rsa;
++ }
++ sem_post(&openssl_crypto_lock_mtx);
+ return 0;
+ }
+
+Index: src/init.c
+===================================================================
+--- a/src/init.c
++++ b/src/init.c
+@@ -18,10 +18,14 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
+ #include
+
+ #include "init.h"
+ #include "icastats.h"
++#include "s390_rsa.h"
+ #include "s390_prng.h"
+ #include "s390_crypto.h"
+ #include "ica_api.h"
+@@ -79,12 +83,60 @@ void end_sigill_section(struct sigaction
+ sigprocmask(SIG_SETMASK, oldset, 0);
+ }
+
++static pthread_mutex_t *openssl_locks;
++
++static void openssl_lock_callback(int mode, int num, char *file, int line)
++{
++ if (mode & CRYPTO_LOCK) {
++ pthread_mutex_lock(&(openssl_locks[num]));
++ }
++ else {
++ pthread_mutex_unlock(&(openssl_locks[num]));
++ }
++}
++
++static unsigned long get_thread_id(void)
++{
++ return (unsigned long)pthread_self();
++}
++
++static void init_openssl_locks(void)
++{
++ int i, crypt_num_locks;
++
++ crypt_num_locks = CRYPTO_num_locks();
++ openssl_locks = (pthread_mutex_t *)
++ OPENSSL_malloc(crypt_num_locks *
++ sizeof(pthread_mutex_t));
++ for (i = 0; i < CRYPTO_num_locks(); i++) {
++ pthread_mutex_init(&(openssl_locks[i]),NULL);
++ }
++
++ CRYPTO_set_id_callback((unsigned long (*)())get_thread_id);
++ CRYPTO_set_locking_callback((void (*)
++ (int, int, const char*, int))openssl_lock_callback);
++
++ sem_init(&openssl_crypto_lock_mtx, 0, crypt_num_locks);
++}
++
++static void free_openssl_locks(void)
++{
++ int i;
++
++ CRYPTO_set_locking_callback(NULL);
++ for (i = 0; i < CRYPTO_num_locks(); i++)
++ pthread_mutex_destroy(&(openssl_locks[i]));
++
++ OPENSSL_free(openssl_locks);
++}
++
+ void openssl_init(void)
+ {
+ /* initial seed the openssl random generator */
+ unsigned char random_data[64];
+ s390_prng(random_data, sizeof(random_data));
+ RAND_seed(random_data, sizeof(random_data));
++ init_openssl_locks();
+ }
+
+ /* Switches have to be done first. Otherwise we will not have hw support
+@@ -115,4 +167,5 @@ void __attribute__ ((constructor)) icain
+ void __attribute__ ((destructor)) icaexit(void)
+ {
+ stats_munmap(SHM_CLOSE);
++ free_openssl_locks();
+ }
+Index: src/include/s390_rsa.h
+===================================================================
+--- a/src/include/s390_rsa.h
++++ b/src/include/s390_rsa.h
+@@ -16,6 +16,7 @@
+
+ #include
+ #include
++#include
+ #include "ica_api.h"
+
+ typedef struct ica_rsa_modexpo ica_rsa_modexpo_t;
+@@ -40,5 +41,7 @@ unsigned int rsa_key_generate_crt(ica_ad
+ unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt);
+ unsigned int rsa_mod_mult_sw(ica_rsa_modmult_t * pMul);
+ unsigned int rsa_mod_expo_sw(ica_rsa_modexpo_t *pMex);
++
++sem_t openssl_crypto_lock_mtx;
+ #endif
+
diff --git a/icaioctl.h b/icaioctl.h
new file mode 100644
index 0000000..4e602ba
--- /dev/null
+++ b/icaioctl.h
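Review bot: In the new `rsa_key_generate` (src/s390_rsa.c) the `if (rc) return 0;` after a failed `pthread_create` leaves without `sem_post`, so every failed thread start permanently consumes one slot of `openssl_crypto_lock_mtx` and later callers can end up blocked in `sem_wait` for good. `th_data.rsa` is also read after the join without ever being initialised; the middle of `__rsa_key_generate` lies outside the inner hunks, so any early exit there that skips the assignment would hand an indeterminate pointer back to the caller. The rewrite below initialises the struct and releases the semaphore at a single exit point. Separately, `sem_t openssl_crypto_lock_mtx;` in s390_rsa.h defines the object in every file that includes the header, the same pattern that fix-initialization-of-s390-hardware-switches-1.patch on this page replaces with `extern`; it should read `extern sem_t openssl_crypto_lock_mtx;` with one definition in a .c file. `init_openssl_locks` also hands the `OPENSSL_malloc` result to `pthread_mutex_init` without a NULL check.

```c
RSA* rsa_key_generate(unsigned int modulus_bit_length,
		      unsigned long *public_exponent)
{
	pthread_t tid;
	struct thread_data th_data = {
		.mod_bit_length = modulus_bit_length,
		.pub_exp = public_exponent,
		.rsa = NULL,	/* defined result even if the worker exits early */
	};
	RSA *rsa = NULL;

	if (sem_wait(&openssl_crypto_lock_mtx) != 0)
		return NULL;

	/* the worker already has the pthread start-routine signature, no cast needed */
	if (pthread_create(&tid, NULL, __rsa_key_generate, &th_data) == 0 &&
	    pthread_join(tid, NULL) == 0)
		rsa = th_data.rsa;

	/* single release point: every path after sem_wait gives the slot back */
	sem_post(&openssl_crypto_lock_mtx);
	return rsa;
}
```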
@@ -0,0 +1,219 @@
+/* Copyright (c) International Business Machines Corp., 2001 */
+/*
+ * linux/include/linux/icaioctl.h
+ *
+ */
+
+
+
+#ifndef _LINUX_ICAIOCTL_H_
+#define _LINUX_ICAIOCTL_H_
+
+enum _sizelimits {
+ ICA_DES_DATALENGTH_MIN = 8,
+ ICA_DES_DATALENGTH_MAX = 32 * 1024 * 1024 - 8,
+ ICA_SHA_DATALENGTH = 20,
+ ICA_SHA_BLOCKLENGTH = 64,
+ ICA_RSA_DATALENGTH_MIN = 256/8,
+ ICA_RSA_DATALENGTH_MAX = 2048/8
+};
+
+
+typedef struct _ica_rng_rec {
+ unsigned int nbytes;
+ char *buf;
+} ica_rng_t;
+
+
+// May have some porting issues here
+
+typedef struct _ica_rsa_modexpo {
+ char *inputdata;
+ unsigned int inputdatalength;
+ char *outputdata;
+ unsigned int outputdatalength;
+ char *b_key;
+ char *n_modulus;
+} ica_rsa_modexpo_t;
+
+typedef ica_rsa_modexpo_t ica_rsa_modmult_t;
+
+typedef struct _ica_rsa_modexpo_crt {
+ char *inputdata;
+ unsigned int inputdatalength;
+ char *outputdata;
+ unsigned int outputdatalength;
+ char *bp_key;
+ char *bq_key;
+ char *np_prime;
+ char *nq_prime;
+ char *u_mult_inv;
+} ica_rsa_modexpo_crt_t;
+
+typedef unsigned char ica_des_vector_t[8];
+typedef unsigned char ica_des_key_t[8];
+typedef ica_des_key_t ica_des_single_t[1];
+typedef ica_des_single_t ica_des_triple_t[3];
+
+enum _ica_mode_des {
+ DEVICA_MODE_DES_CBC = 0,
+ DEVICA_MODE_DES_ECB = 1
+};
+
+enum _ica_direction_des {
+ DEVICA_DIR_DES_ENCRYPT = 0,
+ DEVICA_DIR_DES_DECRYPT = 1
+};
+
+typedef struct _ica_des {
+ unsigned int mode;
+ unsigned int direction;
+ unsigned char *inputdata;
+ unsigned int inputdatalength;
+ ica_des_vector_t *iv;
+ ica_des_key_t *keys;
+ unsigned char *outputdata;
+ int outputdatalength;
+} ica_des_t;
+
+typedef struct _ica_desmac {
+ unsigned char *inputdata;
+ unsigned int inputdatalength;
+ ica_des_vector_t *iv;
+ ica_des_key_t *keys;
+ unsigned char *outputdata;
+ int outputdatalength;
+} ica_desmac_t;
+
+
+typedef unsigned char ica_sha1_result_t[ICA_SHA_DATALENGTH];
+
+
+typedef struct _ica_sha1 {
+ unsigned char *inputdata;
+ unsigned int inputdatalength;
+ ica_sha1_result_t *outputdata;
+ ica_sha1_result_t *initialh;
+} ica_sha1_t;
+
+/* The following structs are used by conversion functions
+ on PowerPC 64 bit only. They should not be used by externel
+ applications. Should the non PPC specific structs change, these
+ structures may need to change as well. Also, new conversion
+ routines will need to be added to devica.c to deal with new
+ structs or structure members.
+*/
+#ifdef CONFIG_PPC64
+typedef struct _ica_rng_rec_32 {
+ unsigned int nbytes;
+ unsigned int buf;
+} ica_rng_t_32;
+
+typedef struct _ica_des_32 {
+ unsigned int mode;
+ unsigned int direction;
+ unsigned int inputdata;
+ unsigned int inputdatalength;
+ unsigned int iv;
+ unsigned int keys;
+ unsigned int outputdata;
+ unsigned int outputdatalength;
+} ica_des_t_32;
+
+typedef struct _ica_sha1_32 {
+ unsigned int inputdata;
+ unsigned int inputdatalength;
+ unsigned int outputdata;
+ unsigned int initialh;
+} ica_sha1_t_32;
+
+typedef struct _ica_desmac_32 {
+ unsigned int inputdata;
+ unsigned int inputdatalength;
+ unsigned int iv;
+ unsigned int keys;
+ unsigned int outputdata;
+ int outputdatalength;
+} ica_desmac_t_32;
+
+typedef struct _ica_rsa_modexpo_crt_32 {
+ unsigned int inputdata;
+ unsigned int inputdatalength;
+ unsigned int outputdata;
+ unsigned int outputdatalength;
+ unsigned int bp_key;
+ unsigned int bq_key;
+ unsigned int np_prime;
+ unsigned int nq_prime;
+ unsigned int u_mult_inv;
+} ica_rsa_modexpo_crt_t_32;
+
+typedef struct _ica_rsa_modexpo_32 {
+ unsigned int inputdata;
+ unsigned int inputdatalength;
+ unsigned int outputdata;
+ unsigned int outputdatalength;
+ unsigned int b_key;
+ unsigned int n_modulus;
+} ica_rsa_modexpo_t_32;
+
+#endif
+
+#define ICA_IOCTL_MAGIC '?' // NOTE: Need to allocate from linux folks
+
+/*
+ * Note: Some platforms only use 8 bits to define the parameter size. As
+ * the macros in ioctl.h don't seem to mask off offending bits, they look
+ * a little unsafe. We should probably just not use the parameter size
+ * at all for these ioctls. I don't know if we'll ever run on any of those
+ * architectures, but seems easier just to not count on this feature.
+ */
+
+#define ICASETBIND _IOW(ICA_IOCTL_MAGIC, 0x01, int)
+#define ICAGETBIND _IOR(ICA_IOCTL_MAGIC, 0x02, int)
+#define ICAGETCOUNT _IOR(ICA_IOCTL_MAGIC, 0x03, int)
+#define ICAGETID _IOR(ICA_IOCTL_MAGIC, 0x04, int)
+#define ICARSAMODEXPO _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x05, 0)
+#define ICARSACRT _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x06, 0)
+#define ICARSAMODMULT _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x07, 0)
+#define ICADES _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x08, 0)
+#define ICADESMAC _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x09, 0)
+#define ICATDES _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x0a, 0)
+#define ICATDESSHA _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x0b, 0)
+#define ICATDESMAC _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x0c, 0)
+#define ICASHA1 _IOC(_IOC_READ|_IOC_WRITE, ICA_IOCTL_MAGIC, 0x0d, 0)
+#define ICARNG _IOC(_IOC_READ, ICA_IOCTL_MAGIC, 0x0e, 0)
+#define ICAGETVPD _IOC(_IOC_READ, ICA_IOCTL_MAGIC, 0x0f, 0)
+
+#ifdef __KERNEL__
+
+#ifndef assertk
+#ifdef NDEBUG
+# define assertk(expr) do {} while (0)
+#else
+# define assertk(expr) \
+ if(!(expr)) { \
+ printk( "Assertion failed! %s,%s,%s,line=%d\n", \
+ #expr,__FILE__,__FUNCTION__,__LINE__); \
+ }
+#endif
+#endif
+
+
+struct ica_operations {
+ ssize_t (*read) (struct file *, char *, size_t, loff_t *, void *);
+ int (*ioctl) (struct inode *, struct file *, unsigned int, unsigned long, void *);
+};
+
+typedef struct ica_worker {
+ struct ica_operations *icaops;
+ void * private_data;
+} ica_worker_t;
+
+
+extern int ica_register_worker(int partitionnum, ica_worker_t *device);
+extern int ica_unregister_worker(int partitionnum, ica_worker_t *device);
+
+#endif /* __KERNEL__ */
+
+#endif /* _LINUX_ICAIOCTL_H_ */
diff --git a/libica-2.6.2.tgz b/libica-2.6.2.tgz
new file mode 100644
index 0000000..ca24a15
--- /dev/null
+++ b/libica-2.6.2.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3528ce8d2cb3e77ba20f6c85226be5b023c7c5a3fe30b6bc841cc98d5f8fe77d
+size 172317
diff --git a/libica-SuSE.tar.bz2 b/libica-SuSE.tar.bz2
new file mode 100644
index 0000000..7a5f0dc
--- /dev/null
+++ b/libica-SuSE.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c5f6175d3daec01408b803c5781259320c5ba03cad2f15cced2ffef105b4158
+size 1944
diff --git a/libica-rpmlintrc b/libica-rpmlintrc
new file mode 100644
index 0000000..bdeb306
--- /dev/null
+++ b/libica-rpmlintrc
@@ -0,0 +1,4 @@
+addFilter("libica-tools.* shlib-policy-missing-lib")
+addFilter("libica-devel-static.* shlib-policy-missing-lib")
+addFilter("libica-tools.* devel-file-in-non-devel-package .* /usr/lib64/libica.so")
+addFilter("libica-tools.* files-duplicate /usr/share/doc/packages/libica-tools/COPYING /usr/share/doc/packages/libica-tools/LICENSE")
diff --git a/libica.changes b/libica.changes
new file mode 100644
index 0000000..67eab60
--- /dev/null
+++ b/libica.changes
@@ -0,0 +1,431 @@ +------------------------------------------------------------------- +Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com + +- Made the following packaging changes: + - Implemented the shared library packaging guidelines. + - Consolidated double invocation of %setup into just one. + - Dropped redundant %ifarch, the package is already ExclusiveArch. + - Updated descriptions. +- Added an libica-rpmlintrc file. + +------------------------------------------------------------------- +Wed Nov 30 20:04:29 UTC 2016 - mpost@suse.com + +- Added the following two patches: + - fix-segfault-during-multithread-keygen.patch (bsc#991485) + - fix-msa-level-detection.patch (bsc#1010927) + +------------------------------------------------------------------- +Tue Aug 2 16:00:30 UTC 2016 - mpost@suse.com + +- Added rng-performance.patch (bsc#990850). + +------------------------------------------------------------------- +Tue Jun 14 21:03:41 UTC 2016 - mpost@suse.com + +- Updated baselibs.conf to obsolete prior versions of the 32bit + package. (bsc#983897): + provides "libica- = " + obsoletes "libica- < " + provides "libica-2_1_0- = " + obsoletes "libica-2_1_0- < " + provides "libica-2_3_0- = " + obsoletes "libica-2_3_0- < " + +------------------------------------------------------------------- +Wed May 18 16:52:44 UTC 2016 - mpost@suse.com + +- Added fix-initialization-of-s390-hardware-switches-1.patch and + fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548) + +------------------------------------------------------------------- +Mon Feb 22 19:12:49 UTC 2016 - mpost@suse.com + +- Upgraded to version 2.6.2 (FATE#319610). +- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to + naming standards. +- Found the original location of the icaioctl.h file and downloaded + it to replace what we had previously. 
+- Removed the unnecessary libica2.la file +- Removed unnecessary Requires for glibc-devel +- Added Requires libica2 to the -devel package +- Converted call to configure to %configure macro +- Removed obsolete and unnecessary INSROOT and bindir parameters + from the make install command + +------------------------------------------------------------------- +Fri Nov 6 16:02:05 CET 2015 - pth@suse.de + +- Add Provides/Obsoletes for libica-2_3_0 so that the package from + SLE12 GA is replaced (bsc#953096). + +------------------------------------------------------------------- +Wed Nov 4 10:41:19 UTC 2015 - meissner@suse.com + +- move the .so file to the mainpackage, the openssl-ibmca engine + will only load "libica.so" (bsc#952871) + +------------------------------------------------------------------- +Mon Aug 17 21:04:40 UTC 2015 - jjolly@suse.com + +- Update to libica v2.4.2 (FATE#318035) +- Removed outdated libica-aes_ccm-31-bit-compatibility.patch +- Moved init script into libica-SuSE.tar.bz2 archive + +------------------------------------------------------------------- +Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- +Wed Aug 13 18:01:15 UTC 2014 - jjolly@suse.com + +- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root +- Removed libica-SuSE.tar.bz2 +- z90crypt now starts and stops ap kernel module (bnc#888943) + +------------------------------------------------------------------- +Tue Mar 18 13:21:03 UTC 2014 - jjolly@suse.com + +- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM: + fixed 64/31 bit compatibility + +------------------------------------------------------------------- +Thu Mar 6 14:51:45 CET 2014 - ro@suse.de + +- add obsoletes and provides for older libica versions + +------------------------------------------------------------------- +Wed Mar 5 18:33:02 CET 2014 - ro@suse.de + +- update to 2.3.0 (fate#315342) +- 
obsolete/upstreamed patches: + libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch + libica-2_1_0-msa4-extension.patch + libica-2_1_0-synchronize_shared_memory_ref_counting.patch + +------------------------------------------------------------------- +Wed Feb 19 06:04:25 UTC 2014 - jjolly@suse.com + +- Added COPYING to %files + +------------------------------------------------------------------- +Tue Feb 18 14:33:13 UTC 2014 - jjolly@suse.com + +- Fixed build dependency errors by requiring autoconf, automake + and libtool +- Changed license to CPL-1.0 +- Created devel package + +------------------------------------------------------------------- +Fri Dec 21 14:49:54 UTC 2012 - uli@suse.com + +- Support for MSA4 extension (bnc#794518, fate#314078) + +------------------------------------------------------------------- +Thu Oct 6 10:46:26 UTC 2011 - uli@suse.com + +- synchronize shared memory reference counting for library + statistics (bnc#719659) +- fix temporary buffer allocation in ica_get_version() (bnc#719660) + +------------------------------------------------------------------- +Tue Jun 14 11:50:13 CEST 2011 - uli@suse.de + +- update -> 2.1.0 (fate#311914) + +------------------------------------------------------------------- +Fri Jan 23 22:40:55 CET 2009 - jjolly@suse.de + +- Moved icainfo into /usr/bin (bnc#448643) + +------------------------------------------------------------------- +Tue Jan 13 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Wed Nov 5 01:34:34 CET 2008 - ro@suse.de + +- fix build on all platforms + +------------------------------------------------------------------- +Sun Nov 2 01:56:40 CET 2008 - jjolly@suse.de + +- Added CPL license to include/z90crypt.h, removed GPL reference + (This patch is upstream) + +------------------------------------------------------------------- +Wed Oct 15 15:55:55 CEST 2008 - jjolly@suse.de 
+ +- Changed package name to libica-1_3_9 to conform to rpmlint + requirements. (bnc#433432) + +------------------------------------------------------------------- +Thu Sep 25 10:34:00 CEST 2008 - jjolly@suse.de + +- Removed soname filter for rpmlint +- Several RPM fixes to help satisfy rpmlint + +------------------------------------------------------------------- +Fri Sep 12 06:54:16 CEST 2008 - jjolly@suse.de + +- Updated to libica 1.3.9 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Thu Aug 9 19:20:07 CEST 2007 - olh@suse.de + +- remove inclusion of linux/config.h + +------------------------------------------------------------------- +Mon Mar 12 14:02:57 CET 2007 - uli@suse.de + +- z90crypt: handle errors (bug #247799) + +------------------------------------------------------------------- +Mon May 22 08:43:22 CEST 2006 - aj@suse.de + +- Add gcc-c++ to BuildRequires. 
+ +------------------------------------------------------------------- +Fri May 19 16:50:02 CEST 2006 - ro@suse.de + +- fix build for the rest of platforms + +------------------------------------------------------------------- +Fri May 19 15:34:30 CEST 2006 - hare@suse.de + +- Update to libica 1.3.7 (#160036 - LTC22571) + +------------------------------------------------------------------- +Fri Apr 21 14:31:10 CEST 2006 - hare@suse.de + +- Increasing # of open handles with symmetric crypto support + (#165323 - LTC23095) + +------------------------------------------------------------------- +Wed Jan 25 21:37:29 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Dec 14 01:30:49 CET 2005 - ro@suse.de + +- include string.h and unistd.h in icalinux.c + +------------------------------------------------------------------- +Mon Dec 12 15:09:25 CET 2005 - hare@suse.de + +- Port package from SLES9 SP3 +- Update to libica 1.3.6-rc3. + +------------------------------------------------------------------- +Wed Nov 2 16:23:24 CET 2005 - hare@suse.de + +- Close all filehandles (#130060 - LTC19221). 
+ +------------------------------------------------------------------- +Wed Oct 5 14:07:28 CEST 2005 - uli@suse.de + +- downgrade to libica 1.3.6-rc2 (contains AES software fallback, + bug #117336) + +------------------------------------------------------------------- +Thu Sep 29 12:44:50 CEST 2005 - hare@suse.de + +- Update to libica 1.3.6 (#117336) + +------------------------------------------------------------------- +Fri Sep 23 02:05:26 CEST 2005 - ro@suse.de + +- fix implicit declaration + +------------------------------------------------------------------- +Wed Aug 31 13:20:55 CEST 2005 - ihno@suse.de + +- Changing the default value from 0 to -1 in rcz90crypt (#114371) + +------------------------------------------------------------------- +Mon May 23 17:52:05 CEST 2005 - hare@suse.de + +- Finally fix 'reload' messages (#81824 - LTC15733). + +------------------------------------------------------------------- +Fri May 20 12:11:51 CEST 2005 - hare@suse.de + +- Fix sigill patch. + +------------------------------------------------------------------- +Wed May 18 13:17:39 CEST 2005 - hare@suse.de + +- Remove printf output from sigill patch (#81829 - LTC15731). + +------------------------------------------------------------------- +Tue May 10 12:56:38 CEST 2005 - hare@suse.de + +- Use correct default value for z90crypt (#81825 - LTC15732). + +------------------------------------------------------------------- +Mon May 9 14:49:52 CEST 2005 - hare@suse.de + +- Fix messages for 'reload' (#81824 - LTC15733). + +------------------------------------------------------------------- +Tue Feb 8 16:58:02 CET 2005 - hare@suse.de + +- Fixed SIGILL on z900 (#46422). + +------------------------------------------------------------------- +Fri Jul 23 10:06:08 CEST 2004 - hare@suse.de + +- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005). 
+ +------------------------------------------------------------------- +Wed Jul 14 08:22:27 CEST 2004 - hare@suse.de + +- Fix module loading error (#42006). +- Add sysconfig variable to set the 'domain' parameter (#42005). + +------------------------------------------------------------------- +Wed Jun 23 12:58:58 CEST 2004 - uli@suse.de + +- update -> 1.3.5-3 (bug #42122) + +------------------------------------------------------------------- +Mon May 24 18:28:27 CEST 2004 - bk@suse.de + +- Update README.SuSE and correct name as well +- Use modprobe instead of insmod and fix module load error(#40526) +- Fix error checking for no hardware found case and hw error on load + +------------------------------------------------------------------- +Fri May 7 15:15:17 CEST 2004 - hare@suse.de + +- Update Readme again for the correct name (SUSE LINUX Server). +- Moved README.SuSE to README.SUSE. + +------------------------------------------------------------------- +Fri May 7 15:00:51 CEST 2004 - hare@suse.de + +- Update Readme to refer to the correct name (SUSE Linux Server). + +------------------------------------------------------------------- +Thu May 6 09:01:53 CEST 2004 - hare@suse.de + +- Update to 1.3.5-2 (#38511, #39693). +- Update Readme to refer to SUSE Linux Server instead of + SuSE Linux Enterprise Server. 
+ +------------------------------------------------------------------- +Thu Apr 1 09:50:02 CEST 2004 - hare@suse.de + +- Update to 1.3.5 +- export CFLAGS & CPPFLAGS for configure +- Exclude S/390-specific files for other archs (#37183) + +------------------------------------------------------------------- +Fri Jan 16 01:29:03 CET 2004 - ro@suse.de + +- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS + +------------------------------------------------------------------- +Tue Jan 13 10:00:42 CET 2004 - adrian@suse.de + +- fix build + +------------------------------------------------------------------- +Sun Jan 11 21:07:44 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Wed Jul 30 18:14:08 CEST 2003 - poeml@suse.de + +- update to 1.3.4 + +------------------------------------------------------------------- +Sun Jul 27 16:37:20 CEST 2003 - poeml@suse.de + +- update to 1.3.2 + +------------------------------------------------------------------- +Fri Jul 11 11:30:22 CEST 2003 - poeml@suse.de + +- update to 1.3.1: + now supports DES, TDES and SHA, as well as RSA. +- throw libica.patch away, since autoversion and Makefile.am have + similar changes now, and the renaming from _LINUX_S390_ to + __s390__ is not really necessary +- use %defattr +- checked that icaioctl.h is still current +- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone + open source meanwhile and comes with the kernel sources + +------------------------------------------------------------------- +Thu Oct 31 10:45:00 CET 2002 - froh@suse.de + +- added documentation how to set up crypto hardware support, + esp. S/390 and zSeries. (#16011, #22056) + +------------------------------------------------------------------- +Thu Oct 10 11:07:07 CEST 2002 - froh@suse.de + +- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5 + actually work. 
(#20737) + +------------------------------------------------------------------- +Tue Aug 20 10:52:45 CEST 2002 - mmj@suse.de + +- Correct PreReq + +------------------------------------------------------------------- +Wed Jul 31 15:00:23 CEST 2002 - froh@suse.de + +- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and + to build on non-s390 + +------------------------------------------------------------------- +Tue Jul 30 10:56:33 CEST 2002 - froh@suse.de + +- updated to current libica +- hacked in icaioctl.h for build, 'til we have the module in the + kernel. + +------------------------------------------------------------------- +Sat Jul 27 16:16:35 CEST 2002 - adrian@suse.de + +- add %run_ldconfig + +------------------------------------------------------------------- +Tue May 7 14:27:50 CEST 2002 - ro@suse.de + +- fix for current automake/autoconf + +------------------------------------------------------------------- +Sat Apr 27 11:12:11 CEST 2002 - ro@suse.de + +- removed old fillup-template and START_ variable + +------------------------------------------------------------------- +Wed Mar 27 17:58:50 CET 2002 - ihno@suse.de + +- modified etc/init.d/z90crypt-script to report result at start. + +------------------------------------------------------------------- +Tue Feb 5 11:01:16 CET 2002 - froh@suse.de + +- Added openssl to #neededforbuild, which is needed in addition to + openssl-devel + +------------------------------------------------------------------- +Wed Jan 30 16:20:48 CET 2002 - froh@suse.de + +- initial version + +------------------------------------------------------------------- diff --git a/libica.spec b/libica.spec new file mode 100644 index 0000000..2c55dfc --- /dev/null +++ b/libica.spec 
@@ -0,0 +1,173 @@
+#
+# spec file for package libica
+#
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+Name: libica
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: openssl-devel
+Summary: Library interface for the IBM Cryptographic Accelerator device driver
+License: CPL-1.0
+Group: Hardware/Other
+Version: 2.6.2
+Release: 0
+Source: libica-%{version}.tgz
+Source1: libica-SuSE.tar.bz2
+# The icaioctl.h file came from https://sourceforge.net/p/opencryptoki/icadd/ci/master/tree/
+Source3: icaioctl.h
+Source4: README.SUSE
+Source5: sysconfig.z90crypt
+Source6: baselibs.conf
+Source7: %{name}-rpmlintrc
+Patch1: fix-initialization-of-s390-hardware-switches-1.patch
+Patch2: fix-initialization-of-s390-hardware-switches-2.patch
+Patch3: rng-performance.patch
+Patch4: fix-segfault-during-multithread-keygen.patch
+Patch5: fix-msa-level-detection.patch
+
+Url: http://sourceforge.net/projects/opencryptoki/files/libica
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+PreReq: %fillup_prereq %insserv_prereq
+ExclusiveArch: s390 s390x
+
+%description
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+%package -n libica2
+Summary: Library interface for the IBM Cryptographic Accelerator
+Group: System/Libraries
+Obsoletes: libica-2_1_0 < %{version}-%{release}
+Provides: libica-2_1_0 = %{version}-%{release}
+Obsoletes: libica-2_3_0 < %{version}-%{release}
+Provides: libica-2_3_0 = %{version}-%{release}
+
+%description -n libica2
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+%package tools
+Summary: Utilities for the IBM Cryptographic Accelerator
+Group: Hardware/Other
+Obsoletes: libica < %{version}-%{release}
+Provides: libica = %{version}-%{release}
+Provides: libica-plugin = %{version}-%{release}
+
+%description tools
+This package contains command-line utilities to inspect the IBM
+eServer Cryptographic Accelerator (ICA).
+
+%package devel
+Summary: Development files for the ICA device driver interface library
+Group: Development/Libraries/C and C++
+Obsoletes: libica-2_1_0-devel < %{version}-%{release}
+Provides: libica-2_1_0-devel = %{version}-%{release}
+Obsoletes: libica-2_3_0-devel < %{version}-%{release}
+Provides: libica-2_3_0-devel = %{version}-%{release}
+Requires: libica2 = %{version}
+Requires: libopenssl-devel
+
+%description devel
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+This subpackage contains the necessary files to compile and link
+using the libica library.
+
+%package devel-static
+Summary: Static Development files for the ICA device driver interface library
+Group: Development/Libraries/C and C++
+Requires: libica-devel
+
+%description devel-static
+This package contains the interface library routines used by IBM
+modules to interface with the IBM eServer Cryptographic Accelerator
+(ICA).
+
+This RPM contains all the tools necessary to compile and link using
+the libica library.
+
+%prep
+%setup -a 1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
+%build
+mkdir -p include/linux/
+cp %{S:3} include/linux/
+
+autoreconf --force --install
+%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%optflags -fPIC"
+make clean
+make %{?_smp_mflags}
+
+%install
+mkdir -p $RPM_BUILD_ROOT/usr/include
+make DESTDIR=$RPM_BUILD_ROOT install
+cp -p include/ica_api.h $RPM_BUILD_ROOT/usr/include
+cp -a SuSE/* $RPM_BUILD_ROOT
+install -D %{S:5} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.z90crypt
+cp -a $RPM_SOURCE_DIR/README.SUSE .
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libica.la
+
+%post
+%{fillup_and_insserv -n boot.z90crypt}
+
+%preun
+%stop_on_removal boot.z90crypt
+
+%postun
+%restart_on_update boot.z90crypt
+%{insserv_cleanup}
+
+%post -n libica2 -p /sbin/ldconfig
+%postun -n libica2 -p /sbin/ldconfig
+
+%files -n libica2
+%defattr(-,root,root)
+%{_libdir}/libica.so.2*
+
+%files tools
+%defattr(-, root, root)
+%doc README.SUSE COPYING LICENSE
+%{_initddir}/boot.z90crypt
+%{_sbindir}/rcz90crypt
+%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.z90crypt
+%{_bindir}/icainfo
+%{_bindir}/icastats
+%{_mandir}/man1/icainfo.1.gz
+%{_mandir}/man1/icastats.1.gz
+# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
+%{_libdir}/libica.so
+
+%files devel
+%defattr(-, root, root)
+%attr(0644,root,root) /usr/include/ica_api.h
+
+%files devel-static
+%defattr(-, root, root)
+%{_libdir}/libica.a
+
+%changelog
diff --git a/rng-performance.patch b/rng-performance.patch
new file mode 100644
index 0000000..746affb
--- /dev/null
+++ b/rng-performance.patch
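Review bot: In libica.spec, `Source: libica-%{version}.tgz` is a bare file name, so nothing in the spec ties the tarball (stored here only as a Git LFS pointer) to an upstream release, and the `Url:` tag still uses plain `http://`. Giving the full download location, e.g. `Source: <upstream-download-URL>/libica-%{version}.tgz` (placeholder; the exact path is not on this page), lets a reviewer or an automated source check compare the shipped archive with what upstream published. The comment above `Source3` already uses `https://sourceforge.net`, so `Url:` can use the same scheme. Separately, `devel-static` has an unversioned `Requires: libica-devel` while `devel` pins `libica2 = %{version}`; pinning both the same way keeps the static library and headers from drifting apart.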
@@ -0,0 +1,35 @@
+Index: libica-2.6.2/src/s390_prng.c
+===================================================================
+--- libica-2.6.2.orig/src/s390_prng.c
++++ libica-2.6.2/src/s390_prng.c
+@@ -76,10 +76,9 @@ int s390_prng_init(void)
+ // available. However, the old prng is still initialized but
+ // only used as a fallback.
+ if(sha512_switch || sha512_drng_switch){
+- const char *pers = "ica_drbg_global";
+ ica_drbg_instantiate(&ica_drbg_global, 256, true,
+- ICA_DRBG_SHA512, (unsigned char *)pers,
+- strlen(pers));
++ ICA_DRBG_SHA512,
++ (unsigned char *)"GLOBAL INSTANCE", 15);
+ }
+
+ // The old prng code starts here:
+@@ -181,7 +180,7 @@ int s390_prng(unsigned char *output_data
+ unsigned char *ptr = output_data;
+ size_t i = 0;
+ for(; i < q; i++){
+- status = ica_drbg_generate(ica_drbg_global, 256, true,
++ status = ica_drbg_generate(ica_drbg_global, 256, false,
+ NULL, 0, ptr,
+ ICA_DRBG_SHA512
+ ->max_no_of_bytes_per_req);
+@@ -191,7 +190,7 @@ int s390_prng(unsigned char *output_data
+ ptr += ICA_DRBG_SHA512->max_no_of_bytes_per_req;
+ }
+ if(!status){
+- status = ica_drbg_generate(ica_drbg_global, 256, true,
++ status = ica_drbg_generate(ica_drbg_global, 256, false,
+ NULL, 0, ptr, r);
+ if(!status)
+ return 0;
diff --git a/sysconfig.z90crypt b/sysconfig.z90crypt
new file mode 100644
index 0000000..663ca97
--- /dev/null
+++ b/sysconfig.z90crypt
@@ -0,0 +1,10 @@
+## Path: Kernel/z90Crypt
+## Description: Set domain parameter for z90crypt
+## Type: integer(-1:15)
+## Default: -1
+#
+# This variable selects the crypto domain to be used,
+# required if an LPAR owns several crypto domains.
+# The value of -1 is used for autodetect.
+#
+Z90CRYPT_DOMAIN=-1
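Review bot: In rng-performance.patch, both `ica_drbg_generate` calls in `s390_prng` now pass `false` as the third argument, which in libica's DRBG API is, as far as I know, the prediction-resistance request. If so, generate calls no longer force a reseed, and a leaked internal state stays usable until the DRBG's next scheduled reseed. The patch has no description, so this security-for-throughput trade is visible only from the file name; it should be stated in the patch header and beside the calls, e.g. `/* prediction resistance off for throughput; reseeding happens only at the DRBG reseed interval */`. In `s390_prng_init` the personalization length is now the literal `15`, which will silently go wrong if the string is edited; `(unsigned char *)"GLOBAL INSTANCE", sizeof("GLOBAL INSTANCE") - 1);` keeps the two in step. Both functions continue outside the quoted hunks, so whether `status` from a failed generate call is handled later cannot be checked from here.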