From 910ea538d2c7a0b5b66783ed1df530e234d78cc7f2b6bb1f12a9381ba34d44b8 Mon Sep 17 00:00:00 2001 From: Mark Post Date: Tue, 9 May 2017 17:52:19 +0000 Subject: [PATCH] Accepting request 493816 from openSUSE:Factory:zSystems Upgrade to version 3.0.2 per Fate#322025. OBS-URL: https://build.opensuse.org/request/show/493816 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=3 --- ...lization-of-s390-hardware-switches-1.patch | 26 --- ...lization-of-s390-hardware-switches-2.patch | 15 -- fix-msa-level-detection.patch | 75 ------- fix-segfault-during-multithread-keygen.patch | 183 ------------------ libica-2.6.2.tgz | 3 - libica-3.0.2.tgz | 3 + libica.changes | 21 ++ libica.spec | 27 +-- rng-performance.patch | 35 ---- 9 files changed, 33 insertions(+), 355 deletions(-) delete mode 100644 fix-initialization-of-s390-hardware-switches-1.patch delete mode 100644 fix-initialization-of-s390-hardware-switches-2.patch delete mode 100644 fix-msa-level-detection.patch delete mode 100644 fix-segfault-during-multithread-keygen.patch delete mode 100644 libica-2.6.2.tgz create mode 100644 libica-3.0.2.tgz delete mode 100644 rng-performance.patch diff --git a/fix-initialization-of-s390-hardware-switches-1.patch b/fix-initialization-of-s390-hardware-switches-1.patch deleted file mode 100644 index 1e4b4d3..0000000 --- a/fix-initialization-of-s390-hardware-switches-1.patch +++ /dev/null 
@@ -1,26 +0,0 @@ ---- a/src/include/s390_crypto.h -+++ b/src/include/s390_crypto.h -@@ -83,7 +83,7 @@ - S390_CRYPTO_SHA512_DRNG_SEED = 0x03 | 0x80 - }; - --unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch, -+extern unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch, - tdes_switch, aes128_switch, aes192_switch, aes256_switch, - prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch, - msa4_switch, msa5_switch; -@@ -119,10 +119,10 @@ - SHA512_DRNG_SEED - } ppno_functions_t; - --s390_supported_function_t s390_kmc_functions[PRNG + 1]; --s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1]; --s390_supported_function_t s390_kimd_functions[GHASH + 1]; --s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1]; -+extern s390_supported_function_t s390_kmc_functions[PRNG + 1]; -+extern s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1]; -+extern s390_supported_function_t s390_kimd_functions[GHASH + 1]; -+extern s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1]; - - void s390_crypto_switches_init(void); - diff --git a/fix-initialization-of-s390-hardware-switches-2.patch b/fix-initialization-of-s390-hardware-switches-2.patch deleted file mode 100644 index 0f2cae0..0000000 --- a/fix-initialization-of-s390-hardware-switches-2.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- a/src/s390_crypto.c -+++ b/src/s390_crypto.c -@@ -25,6 +25,11 @@ - #include - #include "s390_crypto.h" - #include "init.h" -+ -+unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch, -+ tdes_switch, aes128_switch, aes192_switch, aes256_switch, -+ prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch, -+ msa4_switch, msa5_switch; - - s390_supported_function_t s390_kimd_functions[] = { - {SHA_1, S390_CRYPTO_SHA_1, &sha1_switch}, - diff --git a/fix-msa-level-detection.patch b/fix-msa-level-detection.patch deleted file mode 100644 index 6c3db41..0000000 
--- a/fix-msa-level-detection.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -Subject: [PATCH] [BZ 148767] libica: libica crash with illegal instruction on z196/z114 -From: Harald Freudenberger - -Description: libica: libica crash with illegal instruction on z196/z114 -Symptom: 'illegal instruction' on libica initialization -Problem: Upon initialization libica checks all the MSA levels - of the system to find out the available functions. - This check function reuses a buffer variable without - proper reinitialization thus leading to detect an - MSA 5 function PPNO which is in fact not available - on z196/z114 systems. Upon initialization the libica - internal pseudo random generator is initialized which - is then trying to use this PPNO function and so - the 'illegal instruction' occurs. -Solution: Fix libica initialization function. -Reproduction: On z196/z114 systems with every libica version >= 2.6. -Upstream-ID: eeb40e5aea7dd36580629e6b17cd7f03fb62549c -Problem-ID: 148767 - -Signed-off-by: Harald Freudenberger -Index: libica-service/src/s390_crypto.c -=================================================================== ---- libica-service.orig/src/s390_crypto.c 2016-11-18 12:04:39.809574833 +0100 -+++ libica-service/src/s390_crypto.c 2016-11-18 12:04:39.805574781 +0100 -@@ -144,6 +144,8 @@ void set_switches(int msa) - * kimd query and do not need to over the whole array. Therfore there - * is also no distict setting of the switch needed in form - * msa4_switch = 1. 
*/ -+ -+ /* kmc query */ - memset(mask, 0, sizeof(mask)); - if (msa) { - if (begin_sigill_section(&oldact, &oldset) == 0) { -@@ -160,13 +162,14 @@ void set_switches(int msa) - *s390_kmc_functions[n].enabled = on; - } - -+ /* kimd query */ -+ memset(mask, 0, sizeof(mask)); - if (msa) { - if (begin_sigill_section(&oldact, &oldset) == 0) { - s390_kimd(S390_CRYPTO_QUERY, mask, (void *) 0, 0); - end_sigill_section(&oldact, &oldset); - } - } -- - for (n = 0; n < (sizeof(s390_kimd_functions) / - sizeof(s390_supported_function_t)); n++) { - if (S390_CRYPTO_TEST_MASK(mask, s390_kimd_functions[n].hw_fc)) -@@ -176,6 +179,8 @@ void set_switches(int msa) - *s390_kimd_functions[n].enabled = on; - } - -+ /* ppno query */ -+ memset(mask, 0, sizeof(mask)); - if (5 <= msa) { - msa5_switch = 1; - if (begin_sigill_section(&oldact, &oldset) == 0) { -@@ -183,7 +188,6 @@ void set_switches(int msa) - end_sigill_section(&oldact, &oldset); - } - } -- - for (n = 0; n < (sizeof(s390_ppno_functions) / - sizeof(s390_supported_function_t)); n++) { - if (S390_CRYPTO_TEST_MASK(mask, s390_ppno_functions[n].hw_fc)) -@@ -254,7 +258,7 @@ libica_func_list_element_int icaList[] = - {RSA_KEY_GEN_ME, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl) - {RSA_KEY_GEN_CRT, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl) - -- {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SHW | ICA_FLAG_SW, 0}, -+ {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SW, 0}, - - /* available for the MSA4 instruction */ - /* available for the RSA instruction */ diff --git a/fix-segfault-during-multithread-keygen.patch b/fix-segfault-during-multithread-keygen.patch deleted file mode 100644 index 6878c2f..0000000 --- a/fix-segfault-during-multithread-keygen.patch +++ /dev/null 
@@ -1,183 +0,0 @@ -Index: src/s390_rsa.c -=================================================================== ---- a/src/s390_rsa.c -+++ b/src/s390_rsa.c -@@ -18,6 +18,9 @@ - #include - #include - #include -+#include -+#include -+#include - - #include "s390_rsa.h" - #include "s390_prng.h" -@@ -41,9 +44,22 @@ static unsigned int mod_expo_sw(int arg_ - char *exp, int mod_length, char *mod, - int *res_length, char *res, BN_CTX *ctx); - --RSA* rsa_key_generate(unsigned int modulus_bit_length, -- unsigned long *public_exponent) -+struct thread_data -+{ -+ unsigned int mod_bit_length; -+ unsigned long *pub_exp; -+ RSA *rsa; -+}; -+ -+static void *__rsa_key_generate(void *ptr) - { -+ struct thread_data *pth_data; -+ unsigned int modulus_bit_length; -+ unsigned long *public_exponent; -+ -+ pth_data = (struct thread_data*)ptr; -+ modulus_bit_length = pth_data->mod_bit_length; -+ public_exponent = pth_data->pub_exp; - BN_GENCB cb; - - if (*public_exponent == 0) -@@ -70,9 +86,36 @@ RSA* rsa_key_generate(unsigned int modul - - if (RSA_generate_key_ex(rsa, modulus_bit_length, exp, &cb)) { - BN_free(exp); -- return rsa; -+ pth_data->rsa = rsa; - } -+ else -+ pth_data->rsa = NULL; -+ -+ return 0; -+} - -+RSA* rsa_key_generate(unsigned int modulus_bit_length, -+ unsigned long *public_exponent) -+{ -+ pthread_t tid; -+ struct thread_data th_data; -+ int rc; -+ -+ sem_wait(&openssl_crypto_lock_mtx); -+ -+ th_data.mod_bit_length = modulus_bit_length; -+ th_data.pub_exp = public_exponent; -+ rc = pthread_create(&(tid), NULL, (void *)&__rsa_key_generate, -+ (void *)(&th_data)); -+ if (rc) -+ return 0; -+ rc = pthread_join(tid, NULL); -+ -+ if (!rc && th_data.rsa) { -+ sem_post(&openssl_crypto_lock_mtx); -+ return th_data.rsa; -+ } -+ sem_post(&openssl_crypto_lock_mtx); - return 0; - } - -Index: src/init.c -=================================================================== ---- a/src/init.c -+++ b/src/init.c -@@ -18,10 +18,14 @@ - #include - #include - #include -+#include -+#include 
-+#include - #include - - #include "init.h" - #include "icastats.h" -+#include "s390_rsa.h" - #include "s390_prng.h" - #include "s390_crypto.h" - #include "ica_api.h" -@@ -79,12 +83,60 @@ void end_sigill_section(struct sigaction - sigprocmask(SIG_SETMASK, oldset, 0); - } - -+static pthread_mutex_t *openssl_locks; -+ -+static void openssl_lock_callback(int mode, int num, char *file, int line) -+{ -+ if (mode & CRYPTO_LOCK) { -+ pthread_mutex_lock(&(openssl_locks[num])); -+ } -+ else { -+ pthread_mutex_unlock(&(openssl_locks[num])); -+ } -+} -+ -+static unsigned long get_thread_id(void) -+{ -+ return (unsigned long)pthread_self(); -+} -+ -+static void init_openssl_locks(void) -+{ -+ int i, crypt_num_locks; -+ -+ crypt_num_locks = CRYPTO_num_locks(); -+ openssl_locks = (pthread_mutex_t *) -+ OPENSSL_malloc(crypt_num_locks * -+ sizeof(pthread_mutex_t)); -+ for (i = 0; i < CRYPTO_num_locks(); i++) { -+ pthread_mutex_init(&(openssl_locks[i]),NULL); -+ } -+ -+ CRYPTO_set_id_callback((unsigned long (*)())get_thread_id); -+ CRYPTO_set_locking_callback((void (*) -+ (int, int, const char*, int))openssl_lock_callback); -+ -+ sem_init(&openssl_crypto_lock_mtx, 0, crypt_num_locks); -+} -+ -+static void free_openssl_locks(void) -+{ -+ int i; -+ -+ CRYPTO_set_locking_callback(NULL); -+ for (i = 0; i < CRYPTO_num_locks(); i++) -+ pthread_mutex_destroy(&(openssl_locks[i])); -+ -+ OPENSSL_free(openssl_locks); -+} -+ - void openssl_init(void) - { - /* initial seed the openssl random generator */ - unsigned char random_data[64]; - s390_prng(random_data, sizeof(random_data)); - RAND_seed(random_data, sizeof(random_data)); -+ init_openssl_locks(); - } - - /* Switches have to be done first. 
Otherwise we will not have hw support -@@ -115,4 +167,5 @@ void __attribute__ ((constructor)) icain - void __attribute__ ((destructor)) icaexit(void) - { - stats_munmap(SHM_CLOSE); -+ free_openssl_locks(); - } -Index: src/include/s390_rsa.h -=================================================================== ---- a/src/include/s390_rsa.h -+++ b/src/include/s390_rsa.h -@@ -16,6 +16,7 @@ - - #include - #include -+#include - #include "ica_api.h" - - typedef struct ica_rsa_modexpo ica_rsa_modexpo_t; -@@ -40,5 +41,7 @@ unsigned int rsa_key_generate_crt(ica_ad - unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt); - unsigned int rsa_mod_mult_sw(ica_rsa_modmult_t * pMul); - unsigned int rsa_mod_expo_sw(ica_rsa_modexpo_t *pMex); -+ -+sem_t openssl_crypto_lock_mtx; - #endif - diff --git a/libica-2.6.2.tgz b/libica-2.6.2.tgz deleted file mode 100644 index ca24a15..0000000 --- a/libica-2.6.2.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3528ce8d2cb3e77ba20f6c85226be5b023c7c5a3fe30b6bc841cc98d5f8fe77d -size 172317 diff --git a/libica-3.0.2.tgz b/libica-3.0.2.tgz new file mode 100644 index 0000000..2293b36 --- /dev/null +++ b/libica-3.0.2.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c8af14d8ff87ac7e88400064184dd1d83b23eb2ef3daff1e8072423ab6fe9833 +size 204325 diff --git a/libica.changes b/libica.changes index 67eab60..9efcb11 100644 --- a/libica.changes +++ b/libica.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Tue May 9 17:23:11 UTC 2017 - mpost@suse.com + +- Upgraded to version 3.0.2 (Fate#322025). + - v3.0.2 + - Fix locking callbacks for openSSL APIs. + - v3.0.1 + - Fixed msa level detection on zEC/BC12 GA1 and predecessors. + - v3.0.0 + - Added FIPS mode. + - Sanitized exported symbols. + - Removed deprecated APIs. Marked some APIs as deprecated. + - Adapted to OpenSSL v1.1.0. + - RSA key generation is thread-safe now. +- Removed the following obsolete patches: + - fix-initialization-of-s390-hardware-switches-1.patch + - fix-initialization-of-s390-hardware-switches-2.patch + - fix-msa-level-detection.patch + - fix-segfault-during-multithread-keygen.patch + - rng-performance.patch + ------------------------------------------------------------------- Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com diff --git a/libica.spec b/libica.spec index 2c55dfc..15c65bc 100644 --- a/libica.spec +++ b/libica.spec @@ -25,7 +25,7 @@ BuildRequires: openssl-devel Summary: Library interface for the IBM Cryptographic Accelerator device driver License: CPL-1.0 Group: Hardware/Other -Version: 2.6.2 +Version: 3.0.2 Release: 0 Source: libica-%{version}.tgz Source1: libica-SuSE.tar.bz2 @@ -35,11 +35,6 @@ Source4: README.SUSE Source5: sysconfig.z90crypt Source6: baselibs.conf Source7: %{name}-rpmlintrc -Patch1: fix-initialization-of-s390-hardware-switches-1.patch -Patch2: fix-initialization-of-s390-hardware-switches-2.patch -Patch3: rng-performance.patch -Patch4: fix-segfault-during-multithread-keygen.patch -Patch5: fix-msa-level-detection.patch Url: http://sourceforge.net/projects/opencryptoki/files/libica BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -51,15 +46,16 @@ This package contains the interface library routines used by IBM modules to interface with the IBM eServer Cryptographic Accelerator (ICA). -%package -n libica2 +%package -n libica3 Summary: Library interface for the IBM Cryptographic Accelerator Group: System/Libraries Obsoletes: libica-2_1_0 < %{version}-%{release} Provides: libica-2_1_0 = %{version}-%{release} Obsoletes: libica-2_3_0 < %{version}-%{release} Provides: libica-2_3_0 = %{version}-%{release} +Obsoletes: libica2 -%description -n libica2 +%description -n libica3 This package contains the interface library routines used by IBM modules to interface with the IBM eServer Cryptographic Accelerator (ICA). @@ -82,7 +78,7 @@ Obsoletes: libica-2_1_0-devel < %{version}-%{release} Provides: libica-2_1_0-devel = %{version}-%{release} Obsoletes: libica-2_3_0-devel < %{version}-%{release} Provides: libica-2_3_0-devel = %{version}-%{release} -Requires: libica2 = %{version} +Requires: libica3 = %{version} Requires: libopenssl-devel %description devel @@ -108,11 +104,6 @@ the libica library. %prep %setup -a 1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 %build mkdir -p include/linux/ @@ -142,12 +133,12 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libica.la %restart_on_update boot.z90crypt %{insserv_cleanup} -%post -n libica2 -p /sbin/ldconfig -%postun -n libica2 -p /sbin/ldconfig +%post -n libica3 -p /sbin/ldconfig +%postun -n libica3 -p /sbin/ldconfig -%files -n libica2 +%files -n libica3 %defattr(-,root,root) -%{_libdir}/libica.so.2* +%{_libdir}/libica.so.3* %files tools %defattr(-, root, root) diff --git a/rng-performance.patch b/rng-performance.patch deleted file mode 100644 index 746affb..0000000 --- a/rng-performance.patch +++ /dev/null 
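Review bot: The added `Obsoletes: libica2` in the `libica3` subpackage (hunk `@@ -51,15 +46,16 @@`) is unversioned and makes the new soname package replace the old one outright, so `libica.so.2` is removed on update. The changelog in this same commit says 3.0.0 removed deprecated APIs and sanitized exported symbols, so consumers built against the old ABI presumably cannot move over without a rebuild. If the replacement is intended, a versioned form such as `Obsoletes: libica2 < %{version}-%{release}` would match the neighbouring `libica-2_1_0` / `libica-2_3_0` lines; if not, dropping the line lets `libica2` and `libica3` coexist until dependants are rebuilt. The retained `Provides: libica-2_1_0` and `Provides: libica-2_3_0` on `libica3` are worth re-checking for the same reason, since they appear to advertise an interface the 3.x library no longer offers.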
@@ -1,35 +0,0 @@ -Index: libica-2.6.2/src/s390_prng.c -=================================================================== ---- libica-2.6.2.orig/src/s390_prng.c -+++ libica-2.6.2/src/s390_prng.c -@@ -76,10 +76,9 @@ int s390_prng_init(void) - // available. However, the old prng is still initialized but - // only used as a fallback. - if(sha512_switch || sha512_drng_switch){ -- const char *pers = "ica_drbg_global"; - ica_drbg_instantiate(&ica_drbg_global, 256, true, -- ICA_DRBG_SHA512, (unsigned char *)pers, -- strlen(pers)); -+ ICA_DRBG_SHA512, -+ (unsigned char *)"GLOBAL INSTANCE", 15); - } - - // The old prng code starts here: -@@ -181,7 +180,7 @@ int s390_prng(unsigned char *output_data - unsigned char *ptr = output_data; - size_t i = 0; - for(; i < q; i++){ -- status = ica_drbg_generate(ica_drbg_global, 256, true, -+ status = ica_drbg_generate(ica_drbg_global, 256, false, - NULL, 0, ptr, - ICA_DRBG_SHA512 - ->max_no_of_bytes_per_req); -@@ -191,7 +190,7 @@ int s390_prng(unsigned char *output_data - ptr += ICA_DRBG_SHA512->max_no_of_bytes_per_req; - } - if(!status){ -- status = ica_drbg_generate(ica_drbg_global, 256, true, -+ status = ica_drbg_generate(ica_drbg_global, 256, false, - NULL, 0, ptr, r); - if(!status) - return 0;