forked from pool/libica
Accepting request 903102 from devel:openSUSE:Factory
- Update to version 3.8.0 (jsc#SLE-18334) - [FEATURE] provide libica-cex module to satisfy special security requirements - [FEATURE] FIPS: enforce the HMAC check - Remove upstreamed patches: - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch - libica-sles15sp2-Zeroize-local-variables.patch - Remove patches obsoleted by upstrea developent: * FIPS: Find libica from phdrs. - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch * FIPS: enforce the hmac check - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch - Fix up tests and hmac generation + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch - Remove obsolete attributes from filelists OBS-URL: https://build.opensuse.org/request/show/903102 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=22
This commit is contained in:
commit
6875eb5be8
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:a08fe8a3a5cb1fe75f2488d47f4785e92966c43bf8405f638fa1b2990823a505
|
|
||||||
size 542422
|
|
3
libica-3.8.0.tar.gz
Normal file
3
libica-3.8.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:dab8dabc40d939fbef7a6e1a88ffb53db433795a38a2dde42ba3063b32195d3b
|
||||||
|
size 548378
|
@ -0,0 +1,53 @@
|
|||||||
|
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
Date: Mon, 7 Jun 2021 21:12:01 +0200
|
||||||
|
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
|
||||||
|
|
||||||
|
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
---
|
||||||
|
openssl-fipshmac | 12 ++++++++++++
|
||||||
|
src/Makefile.am | 4 ++--
|
||||||
|
2 files changed, 14 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100755 openssl-fipshmac
|
||||||
|
|
||||||
|
diff --git a/openssl-fipshmac b/openssl-fipshmac
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..60fd505
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/openssl-fipshmac
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+#!/bin/sh -e
|
||||||
|
+
|
||||||
|
+if [ "$#" -eq 0 ] ; then
|
||||||
|
+ echo "No library to hash specified." >&2
|
||||||
|
+ exit 22
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+while [ -n "$1" ] ; do
|
||||||
|
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
|
||||||
|
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
|
||||||
|
+ shift
|
||||||
|
+done
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index 4a1ef14..2be01a5 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -46,13 +46,13 @@ mp.S : mp.pl
|
||||||
|
./mp.pl mp.S
|
||||||
|
|
||||||
|
if ICA_FIPS
|
||||||
|
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
|
||||||
|
hmac-file-lnk: hmac-file
|
||||||
|
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
|
||||||
|
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
|
||||||
|
|
||||||
|
hmac-file: libica.la libica-cex.la
|
||||||
|
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
|
||||||
|
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
|
||||||
|
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
|
||||||
|
|
||||||
|
hmac_files = hmac-file hmac-file-lnk
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -1,160 +0,0 @@
|
|||||||
From 23a647aab7b44442b63345bdf70da0696b7fcd5a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
Date: Fri, 21 Aug 2020 15:29:49 +0200
|
|
||||||
Subject: [PATCH] FIPS: add SHA3 KATs to fips_powerup_tests
|
|
||||||
|
|
||||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
---
|
|
||||||
src/fips.c | 26 ++++++++++++++++++-
|
|
||||||
src/include/test_vec.h | 13 ++++++++++
|
|
||||||
src/test_vec.c | 59 ++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 97 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/fips.c b/src/fips.c
|
|
||||||
index 2bf11f5..13a550b 100644
|
|
||||||
--- a/src/fips.c
|
|
||||||
+++ b/src/fips.c
|
|
||||||
@@ -95,6 +95,29 @@ SHA_KAT(384, 512);
|
|
||||||
SHA_KAT(512, 512);
|
|
||||||
#undef SHA_KAT
|
|
||||||
|
|
||||||
+#define SHA3_KAT(_sha_, _ctx_) \
|
|
||||||
+static int sha3_##_sha_##_kat(void) { \
|
|
||||||
+ sha3_##_ctx_##_context_t ctx; \
|
|
||||||
+ size_t i; \
|
|
||||||
+ unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \
|
|
||||||
+ for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \
|
|
||||||
+ if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \
|
|
||||||
+ SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \
|
|
||||||
+ &ctx, out) || memcmp(SHA3_##_sha_##_TV[i].md, out, \
|
|
||||||
+ SHA3_##_sha_##_HASH_LENGTH)) { \
|
|
||||||
+ syslog(LOG_ERR, "Libica SHA-3%d test failed.", \
|
|
||||||
+ _sha_); \
|
|
||||||
+ return 1; \
|
|
||||||
+ } \
|
|
||||||
+ } \
|
|
||||||
+ return 0; \
|
|
||||||
+}
|
|
||||||
+SHA3_KAT(224, 224);
|
|
||||||
+SHA3_KAT(256, 256);
|
|
||||||
+SHA3_KAT(384, 384);
|
|
||||||
+SHA3_KAT(512, 512);
|
|
||||||
+#undef SHA3_KAT
|
|
||||||
+
|
|
||||||
void
|
|
||||||
fips_init(void)
|
|
||||||
{
|
|
||||||
@@ -328,7 +351,8 @@ fips_powerup_tests(void)
|
|
||||||
/* Cryptographic algorithm test. */
|
|
||||||
if (ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512)
|
|
||||||
|| sha1_kat() || sha224_kat() || sha256_kat() || sha384_kat()
|
|
||||||
- || sha512_kat() || des3_ecb_kat() || des3_cbc_kat()
|
|
||||||
+ || sha512_kat() || sha3_224_kat() || sha3_256_kat() || sha3_384_kat()
|
|
||||||
+ || sha3_512_kat() || des3_ecb_kat() || des3_cbc_kat()
|
|
||||||
|| des3_cbc_cs_kat() || des3_cfb_kat() || des3_ofb_kat()
|
|
||||||
|| des3_ctr_kat() || des3_cmac_kat() || aes_ecb_kat()
|
|
||||||
|| aes_cbc_kat() || aes_cbc_cs_kat() || aes_cfb_kat()
|
|
||||||
diff --git a/src/include/test_vec.h b/src/include/test_vec.h
|
|
||||||
index bba6ea9..692afbc 100644
|
|
||||||
--- a/src/include/test_vec.h
|
|
||||||
+++ b/src/include/test_vec.h
|
|
||||||
@@ -366,6 +366,19 @@ extern const size_t SHA384_TV_LEN;
|
|
||||||
|
|
||||||
extern const struct sha_tv SHA512_TV[];
|
|
||||||
extern const size_t SHA512_TV_LEN;
|
|
||||||
+
|
|
||||||
+extern const struct sha_tv SHA3_224_TV[];
|
|
||||||
+extern const size_t SHA3_224_TV_LEN;
|
|
||||||
+
|
|
||||||
+extern const struct sha_tv SHA3_256_TV[];
|
|
||||||
+extern const size_t SHA3_256_TV_LEN;
|
|
||||||
+
|
|
||||||
+extern const struct sha_tv SHA3_384_TV[];
|
|
||||||
+extern const size_t SHA3_384_TV_LEN;
|
|
||||||
+
|
|
||||||
+extern const struct sha_tv SHA3_512_TV[];
|
|
||||||
+extern const size_t SHA3_512_TV_LEN;
|
|
||||||
+
|
|
||||||
#endif /* ICA_FIPS */
|
|
||||||
|
|
||||||
#ifdef ICA_INTERNAL_TEST_EC
|
|
||||||
diff --git a/src/test_vec.c b/src/test_vec.c
|
|
||||||
index ab260dc..f282dbb 100644
|
|
||||||
--- a/src/test_vec.c
|
|
||||||
+++ b/src/test_vec.c
|
|
||||||
@@ -2449,6 +2449,61 @@ const struct sha_tv SHA512_TV[] = {
|
|
||||||
}
|
|
||||||
},
|
|
||||||
};
|
|
||||||
+
|
|
||||||
+const struct sha_tv SHA3_224_TV[] = {
|
|
||||||
+{
|
|
||||||
+.msg_len = 3,
|
|
||||||
+.msg = (unsigned char []){
|
|
||||||
+0x61, 0x62, 0x63,
|
|
||||||
+},
|
|
||||||
+.md = (unsigned char []){
|
|
||||||
+0xe6,0x42,0x82,0x4c,0x3f,0x8c,0xf2,0x4a,0xd0,0x92,0x34,0xee,0x7d,0x3c,0x76,0x6f,
|
|
||||||
+0xc9,0xa3,0xa5,0x16,0x8d,0x0c,0x94,0xad,0x73,0xb4,0x6f,0xdf,
|
|
||||||
+}
|
|
||||||
+},
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+const struct sha_tv SHA3_256_TV[] = {
|
|
||||||
+{
|
|
||||||
+.msg_len = 3,
|
|
||||||
+.msg = (unsigned char []){
|
|
||||||
+0x61, 0x62, 0x63,
|
|
||||||
+},
|
|
||||||
+.md = (unsigned char []){
|
|
||||||
+0x3A,0x98,0x5D,0xA7,0x4F,0xE2,0x25,0xB2,0x04,0x5C,0x17,0x2D,0x6B,0xD3,0x90,0xBD,
|
|
||||||
+0x85,0x5F,0x08,0x6E,0x3E,0x9D,0x52,0x5B,0x46,0xBF,0xE2,0x45,0x11,0x43,0x15,0x32,
|
|
||||||
+}
|
|
||||||
+},
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+const struct sha_tv SHA3_384_TV[] = {
|
|
||||||
+{
|
|
||||||
+.msg_len = 3,
|
|
||||||
+.msg = (unsigned char []){
|
|
||||||
+0x61, 0x62, 0x63,
|
|
||||||
+},
|
|
||||||
+.md = (unsigned char []){
|
|
||||||
+0xEC,0x01,0x49,0x82,0x88,0x51,0x6F,0xC9,0x26,0x45,0x9F,0x58,0xE2,0xC6,0xAD,0x8D,
|
|
||||||
+0xF9,0xB4,0x73,0xCB,0x0F,0xC0,0x8C,0x25,0x96,0xDA,0x7C,0xF0,0xE4,0x9B,0xE4,0xB2,
|
|
||||||
+0x98,0xD8,0x8C,0xEA,0x92,0x7A,0xC7,0xF5,0x39,0xF1,0xED,0xF2,0x28,0x37,0x6D,0x25,
|
|
||||||
+}
|
|
||||||
+},
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+const struct sha_tv SHA3_512_TV[] = {
|
|
||||||
+{
|
|
||||||
+.msg_len = 3,
|
|
||||||
+.msg = (unsigned char []){
|
|
||||||
+0x61, 0x62, 0x63,
|
|
||||||
+},
|
|
||||||
+.md = (unsigned char []){
|
|
||||||
+0xB7,0x51,0x85,0x0B,0x1A,0x57,0x16,0x8A,0x56,0x93,0xCD,0x92,0x4B,0x6B,0x09,0x6E,
|
|
||||||
+0x08,0xF6,0x21,0x82,0x74,0x44,0xF7,0x0D,0x88,0x4F,0x5D,0x02,0x40,0xD2,0x71,0x2E,
|
|
||||||
+0x10,0xE1,0x16,0xE9,0x19,0x2A,0xF3,0xC9,0x1A,0x7E,0xC5,0x76,0x47,0xE3,0x93,0x40,
|
|
||||||
+0x57,0x34,0x0B,0x4C,0xF4,0x08,0xD5,0xA5,0x65,0x92,0xF8,0x27,0x4E,0xEC,0x53,0xF0,
|
|
||||||
+}
|
|
||||||
+},
|
|
||||||
+};
|
|
||||||
#endif /* ICA_FIPS */
|
|
||||||
|
|
||||||
#ifdef ICA_INTERNAL_TEST_EC
|
|
||||||
@@ -5759,6 +5814,10 @@ const size_t SHA224_TV_LEN = sizeof(SHA224_TV) / sizeof(SHA224_TV[0]);
|
|
||||||
const size_t SHA256_TV_LEN = sizeof(SHA256_TV) / sizeof(SHA256_TV[0]);
|
|
||||||
const size_t SHA384_TV_LEN = sizeof(SHA384_TV) / sizeof(SHA384_TV[0]);
|
|
||||||
const size_t SHA512_TV_LEN = sizeof(SHA512_TV) / sizeof(SHA512_TV[0]);
|
|
||||||
+const size_t SHA3_224_TV_LEN = sizeof(SHA3_224_TV) / sizeof(SHA3_224_TV[0]);
|
|
||||||
+const size_t SHA3_256_TV_LEN = sizeof(SHA3_256_TV) / sizeof(SHA3_256_TV[0]);
|
|
||||||
+const size_t SHA3_384_TV_LEN = sizeof(SHA3_384_TV) / sizeof(SHA3_384_TV[0]);
|
|
||||||
+const size_t SHA3_512_TV_LEN = sizeof(SHA3_512_TV) / sizeof(SHA3_512_TV[0]);
|
|
||||||
#endif /* ICA_FIPS */
|
|
||||||
#ifdef ICA_INTERNAL_TEST_EC
|
|
||||||
const size_t ECDSA_TV_LEN = sizeof(ECDSA_TV) / sizeof(ECDSA_TV[0]);
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
From 8acba8fc09a91831172658c9c0810aa45ab39245 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michal Suchanek <msuchanek@suse.de>
|
|
||||||
Date: Tue, 1 Sep 2020 10:03:38 +0200
|
|
||||||
Subject: [PATCH] FIPS: fix inconsistent error handling.
|
|
||||||
|
|
||||||
when the HMAC file is not present/readable it is also an error.
|
|
||||||
|
|
||||||
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
|
||||||
---
|
|
||||||
src/fips.c | 4 +---
|
|
||||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/fips.c b/src/fips.c
|
|
||||||
index c0055b719bff..71a417e8de40 100644
|
|
||||||
--- a/src/fips.c
|
|
||||||
+++ b/src/fips.c
|
|
||||||
@@ -295,10 +295,8 @@ static int FIPSCHECK_verify(const char *path)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
fp = fopen(hmacpath, "r");
|
|
||||||
- if (fp == NULL) {
|
|
||||||
- rc = 1;
|
|
||||||
+ if (fp == NULL)
|
|
||||||
goto end;
|
|
||||||
- }
|
|
||||||
|
|
||||||
if (getline(&known_hmac_str, &n, fp) <= 0)
|
|
||||||
goto end;
|
|
||||||
--
|
|
||||||
2.28.0
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 54c1a5341c9a5cb5513e52548ab0490f8dafbff6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
Date: Thu, 27 Aug 2020 17:08:29 +0200
|
|
||||||
Subject: [PATCH] FIPS: skip SHA3 tests if running on hardware without SHA3
|
|
||||||
|
|
||||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
---
|
|
||||||
src/fips.c | 15 +++++++++++++++
|
|
||||||
1 file changed, 15 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/fips.c b/src/fips.c
|
|
||||||
index 13a550b..facffee 100644
|
|
||||||
--- a/src/fips.c
|
|
||||||
+++ b/src/fips.c
|
|
||||||
@@ -95,11 +95,26 @@ SHA_KAT(384, 512);
|
|
||||||
SHA_KAT(512, 512);
|
|
||||||
#undef SHA_KAT
|
|
||||||
|
|
||||||
+static inline int sha3_available(void)
|
|
||||||
+{
|
|
||||||
+ sha3_224_context_t sha3_224_context;
|
|
||||||
+ unsigned char output_hash[SHA3_224_HASH_LENGTH];
|
|
||||||
+ unsigned char test_data[] = { 0x61,0x62,0x63 };
|
|
||||||
+ int rc = 0;
|
|
||||||
+
|
|
||||||
+ rc = ica_sha3_224(SHA_MSG_PART_ONLY, sizeof(test_data), test_data,
|
|
||||||
+ &sha3_224_context, output_hash);
|
|
||||||
+
|
|
||||||
+ return (rc == ENODEV ? 0 : 1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#define SHA3_KAT(_sha_, _ctx_) \
|
|
||||||
static int sha3_##_sha_##_kat(void) { \
|
|
||||||
sha3_##_ctx_##_context_t ctx; \
|
|
||||||
size_t i; \
|
|
||||||
unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \
|
|
||||||
+ if (!sha3_available()) \
|
|
||||||
+ return 0; \
|
|
||||||
for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \
|
|
||||||
if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \
|
|
||||||
SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From 71a04ed492f6cb9dd2de91ff28d0327d17fe702a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michal Suchanek <msuchanek@suse.de>
|
|
||||||
Date: Fri, 28 Aug 2020 14:08:53 +0200
|
|
||||||
Subject: [PATCH] FIPS: use full library version for hmac filename.
|
|
||||||
|
|
||||||
Fixes: 231bba3b32bd ("FIPS: introduce HMAC based library integrity check")
|
|
||||||
Fixes: f9f148487fad ("fix library filename for FIPS integrity check")
|
|
||||||
|
|
||||||
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
|
||||||
---
|
|
||||||
src/fips.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/fips.c b/src/fips.c
|
|
||||||
index facffee..c0055b7 100644
|
|
||||||
--- a/src/fips.c
|
|
||||||
+++ b/src/fips.c
|
|
||||||
@@ -42,7 +42,7 @@
|
|
||||||
* The hard-coded HMAC key to be optionally provided for the library
|
|
||||||
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
|
|
||||||
* The known HMAC is supposed to be provided as hex string in a file
|
|
||||||
- * libica.so.MAJOR.hmac in the same directory as the .so module.
|
|
||||||
+ * .libica.so.VERSION.hmac in the same directory as the .so module.
|
|
||||||
*/
|
|
||||||
static const char hmackey[] =
|
|
||||||
"0000000000000000000000000000000000000000000000000000000000000000"
|
|
||||||
@@ -344,7 +344,7 @@ static void fips_lib_integrity_check(void)
|
|
||||||
{
|
|
||||||
int rc;
|
|
||||||
char path[PATH_MAX];
|
|
||||||
- const char *libname = "libica.so";
|
|
||||||
+ const char *libname = "libica.so." VERSION;
|
|
||||||
const char *symbolname = "ica_sha256";
|
|
||||||
|
|
||||||
rc = get_library_path(libname, symbolname, path, sizeof(path));
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,99 +0,0 @@
|
|||||||
From 47a98c0f37af62783d59699b5e10830385817ec2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
Date: Fri, 21 Aug 2020 11:29:11 +0200
|
|
||||||
Subject: [PATCH] Zeroize local variables
|
|
||||||
|
|
||||||
Some internal variables used to store sensitive information (keys)
|
|
||||||
were not zeroized before returning to the calling application.
|
|
||||||
|
|
||||||
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
---
|
|
||||||
src/ica_api.c | 8 ++++++++
|
|
||||||
src/include/s390_aes.h | 4 ++++
|
|
||||||
src/include/s390_des.h | 8 ++++++++
|
|
||||||
3 files changed, 20 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/ica_api.c b/src/ica_api.c
|
|
||||||
index eb6b154..5bdf24e 100644
|
|
||||||
--- a/src/ica_api.c
|
|
||||||
+++ b/src/ica_api.c
|
|
||||||
@@ -1034,6 +1034,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
|
|
||||||
if (rc == 0)
|
|
||||||
stats_increment(ICA_STATS_RSA_ME, hardware, ENCRYPT);
|
|
||||||
|
|
||||||
+ OPENSSL_cleanse(&rb, sizeof(rb));
|
|
||||||
+
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1089,6 +1091,10 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
|
|
||||||
|
|
||||||
free(tmp_buf);
|
|
||||||
|
|
||||||
+ BN_clear_free(bn_p);
|
|
||||||
+ BN_clear_free(bn_q);
|
|
||||||
+ BN_clear_free(bn_invq);
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
@@ -1147,6 +1153,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
|
|
||||||
if (rc == 0)
|
|
||||||
stats_increment(ICA_STATS_RSA_CRT, hardware, ENCRYPT);
|
|
||||||
|
|
||||||
+ OPENSSL_cleanse(&rb, sizeof(rb));
|
|
||||||
+
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
|
|
||||||
index 2e2f325..4a02a4c 100644
|
|
||||||
--- a/src/include/s390_aes.h
|
|
||||||
+++ b/src/include/s390_aes.h
|
|
||||||
@@ -327,6 +327,8 @@ static inline int s390_aes_ecb_sw(unsigned int function_code,
|
|
||||||
&aes_key, direction);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ OPENSSL_cleanse(&aes_key, sizeof(aes_key));
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -388,6 +390,8 @@ static inline int s390_aes_cbc_sw(unsigned int function_code,
|
|
||||||
AES_cbc_encrypt(input_data, output_data, input_length,
|
|
||||||
&aes_key, (unsigned char *) iv, direction);
|
|
||||||
|
|
||||||
+ OPENSSL_cleanse(&aes_key, sizeof(aes_key));
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/include/s390_des.h b/src/include/s390_des.h
|
|
||||||
index 811de4d..81d8ed0 100644
|
|
||||||
--- a/src/include/s390_des.h
|
|
||||||
+++ b/src/include/s390_des.h
|
|
||||||
@@ -112,6 +112,10 @@ static inline int s390_des_ecb_sw(unsigned int function_code, unsigned long inpu
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
|
|
||||||
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
|
|
||||||
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -193,6 +197,10 @@ static inline int s390_des_cbc_sw(unsigned int function_code,
|
|
||||||
break;
|
|
||||||
};
|
|
||||||
|
|
||||||
+ OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
|
|
||||||
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
|
|
||||||
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
|
||||||
|
|
||||||
|
- Update to version 3.8.0 (jsc#SLE-18334)
|
||||||
|
- [FEATURE] provide libica-cex module to satisfy special security requirements
|
||||||
|
- [FEATURE] FIPS: enforce the HMAC check
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
|
||||||
|
- libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
|
||||||
|
- libica-sles15sp2-Zeroize-local-variables.patch
|
||||||
|
- Remove patches obsoleted by upstrea developent:
|
||||||
|
* FIPS: Find libica from phdrs.
|
||||||
|
- libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
|
||||||
|
* FIPS: enforce the hmac check
|
||||||
|
- libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
|
||||||
|
- Fix up tests and hmac generation
|
||||||
|
+ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||||
|
- Remove obsolete attributes from filelists
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
|
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
43
libica.spec
43
libica.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package libica
|
# spec file for package libica
|
||||||
#
|
#
|
||||||
# Copyright (c) 2018-2020 SUSE LLC
|
# Copyright (c) 2018-2021 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -22,7 +22,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: libica
|
Name: libica
|
||||||
Version: 3.7.0
|
Version: 3.8.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
||||||
License: CPL-1.0
|
License: CPL-1.0
|
||||||
@ -37,11 +37,7 @@ Source4: z90crypt
|
|||||||
Source5: z90crypt.service
|
Source5: z90crypt.service
|
||||||
Source6: baselibs.conf
|
Source6: baselibs.conf
|
||||||
Source7: %{name}-rpmlintrc
|
Source7: %{name}-rpmlintrc
|
||||||
Patch01: libica-sles15sp2-Zeroize-local-variables.patch
|
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||||
Patch02: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
|
|
||||||
Patch03: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
|
|
||||||
Patch04: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
|
|
||||||
Patch05: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
|
|
||||||
Patch99: libica-sles15sp2-FIPS-hmac-key.patch
|
Patch99: libica-sles15sp2-FIPS-hmac-key.patch
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
@ -123,14 +119,14 @@ autoreconf --force --install
|
|||||||
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
|
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
|
||||||
--enable-fips
|
--enable-fips
|
||||||
%make_build clean
|
%make_build clean
|
||||||
%make_build
|
%make_build FIPSHMAC=fipshmac
|
||||||
|
|
||||||
%define major %(echo %{version} | sed -e 's/[.].*//')
|
%define major %(echo %{version} | sed -e 's/[.].*//')
|
||||||
|
|
||||||
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{major} }}
|
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install FIPSHMAC=fipshmac
|
||||||
mkdir -p %{buildroot}%{_includedir}
|
mkdir -p %{buildroot}%{_includedir}
|
||||||
cp -p include/ica_api.h %{buildroot}%{_includedir}
|
cp -p include/ica_api.h %{buildroot}%{_includedir}
|
||||||
mkdir -p %{buildroot}%{_sbindir}
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
@ -138,17 +134,18 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
|
|||||||
install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
|
install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
|
||||||
install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
|
install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
|
||||||
install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
|
install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
|
||||||
|
# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
|
||||||
|
# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
|
||||||
|
# and the dangling symlink test would fail
|
||||||
|
chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
|
||||||
|
|
||||||
cp -a %{SOURCE2} .
|
cp -a %{SOURCE2} .
|
||||||
rm -f %{buildroot}%{_libdir}/libica.la
|
rm -vf %{buildroot}%{_libdir}/libica*.la
|
||||||
rm -f %{buildroot}%{_datadir}/doc/libica/*
|
rm -f %{buildroot}%{_datadir}/doc/libica/*
|
||||||
rmdir %{buildroot}%{_datadir}/doc/libica
|
rmdir %{buildroot}%{_datadir}/doc/libica
|
||||||
|
|
||||||
%check
|
%check
|
||||||
echo Tests should fail without a hash file
|
%make_build check FIPSHMAC=fipshmac
|
||||||
! %make_build check
|
|
||||||
fipshmac src/.libs/libica.so.%{major}
|
|
||||||
%make_build check
|
|
||||||
|
|
||||||
%pre tools
|
%pre tools
|
||||||
%service_add_pre z90crypt.service
|
%service_add_pre z90crypt.service
|
||||||
@ -167,19 +164,25 @@ fipshmac src/.libs/libica.so.%{major}
|
|||||||
%postun -n libica3 -p /sbin/ldconfig
|
%postun -n libica3 -p /sbin/ldconfig
|
||||||
|
|
||||||
%files -n libica3
|
%files -n libica3
|
||||||
%defattr(-,root,root)
|
|
||||||
%{_libdir}/libica.so.%{version}
|
%{_libdir}/libica.so.%{version}
|
||||||
%{_libdir}/libica.so.%{major}
|
%{_libdir}/libica.so.%{major}
|
||||||
|
%{_libdir}/.libica.so.%{version}.hmac
|
||||||
%{_libdir}/.libica.so.%{major}.hmac
|
%{_libdir}/.libica.so.%{major}.hmac
|
||||||
|
%{_libdir}/libica-cex.so.%{version}
|
||||||
|
%{_libdir}/libica-cex.so.%{major}
|
||||||
|
%{_libdir}/.libica-cex.so.%{version}.hmac
|
||||||
|
%{_libdir}/.libica-cex.so.%{major}.hmac
|
||||||
|
|
||||||
%files tools
|
%files tools
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc README.SUSE
|
%doc README.SUSE
|
||||||
%{_sbindir}/rcz90crypt
|
%{_sbindir}/rcz90crypt
|
||||||
%attr(0644,root,root) %{_fillupdir}/sysconfig.z90crypt
|
%{_fillupdir}/sysconfig.z90crypt
|
||||||
%{_bindir}/icainfo
|
%{_bindir}/icainfo
|
||||||
|
%{_bindir}/icainfo-cex
|
||||||
%{_bindir}/icastats
|
%{_bindir}/icastats
|
||||||
%{_mandir}/man1/icainfo.1%{?ext_man}
|
%{_mandir}/man1/icainfo.1%{?ext_man}
|
||||||
|
%{_mandir}/man1/icainfo-cex.1%{?ext_man}
|
||||||
%{_mandir}/man1/icastats.1%{?ext_man}
|
%{_mandir}/man1/icastats.1%{?ext_man}
|
||||||
%dir %{_prefix}/lib/systemd/scripts
|
%dir %{_prefix}/lib/systemd/scripts
|
||||||
%{_prefix}/lib/systemd/scripts/z90crypt
|
%{_prefix}/lib/systemd/scripts/z90crypt
|
||||||
@ -188,9 +191,11 @@ fipshmac src/.libs/libica.so.%{major}
|
|||||||
%{_libdir}/libica.so
|
%{_libdir}/libica.so
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%attr(0644,root,root) %{_includedir}/ica_api.h
|
%{_includedir}/ica_api.h
|
||||||
|
%{_libdir}/libica-cex.so
|
||||||
|
|
||||||
%files devel-static
|
%files devel-static
|
||||||
%attr(0644,root,root) %{_libdir}/libica.a
|
%{_libdir}/libica.a
|
||||||
|
%{_libdir}/libica-cex.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
Loading…
Reference in New Issue
Block a user