diff --git a/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch b/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch deleted file mode 100644 index 0ed974a..0000000 --- a/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 0a7e4c34a0cc58e1242d4b131e9c224736eadef2 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Mon, 28 Oct 2024 13:04:19 +0100 -Subject: [PATCH] fips update: remove sigVer from fips ECDSA kat - -From https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-capabilities.adoc -"The 'componentTest' property is only valid for detECDSA / sigGen / FIPS186-5 and -ECDSA / sigGen / * registrations." i.e., only ECDSA sigGen component can be tested. - -Signed-off-by: Joerg Schmidbauer ---- - src/fips.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/src/fips.c b/src/fips.c -index 4d1db07..3c26043 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -1240,9 +1240,6 @@ ecdsa_kat(void) - /* adapter handle not needed here, just CPACF */ - rc = ica_ecdsa_sign_ex_internal(0, eckey, tv->hash, tv->hashlen, - sigbuf, tv->siglen, tv->k); -- if (rc) -- goto _err_; -- rc = ica_ecdsa_verify(0, eckey, tv->hash, tv->hashlen, sigbuf, tv->siglen); - if (rc) - goto _err_; - if (memcmp(sigbuf, tv->sig, tv->siglen) != 0) { diff --git a/libica-02-fips-update-Change-service-indicator-implementation.patch b/libica-02-fips-update-Change-service-indicator-implementation.patch deleted file mode 100644 index 905d09c..0000000 --- a/libica-02-fips-update-Change-service-indicator-implementation.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Mon, 28 Oct 2024 13:44:11 +0100 -Subject: [PATCH] fips update: Change service indicator implementation - -Perform checks for non-approved algorithms / parameters directly into the -APIs that perform the services. - -Signed-off-by: Joerg Schmidbauer ---- - src/ica_api.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/src/ica_api.c b/src/ica_api.c -index 0826af8..d071f61 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME)) -+ return EPERM; - #endif /* ICA_FIPS */ - - if (public_key->key_length != private_key->key_length) -@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT)) -+ return EPERM; - #endif /* ICA_FIPS */ - - if (public_key->key_length != private_key->key_length) -@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME)) -+ return EPERM; - #endif /* ICA_FIPS */ - - /* check for obvious errors in parms */ -@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key) - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT)) -+ return EPERM; - #endif /* ICA_FIPS */ - - /* check if p > q */ -@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT)) -+ return EPERM; - #endif /* ICA_FIPS */ - - /* check for obvious errors in parms */ -@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen) - #ifdef ICA_FIPS - if (fips >> 1) - return NULL; -+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN)) -+ return NULL; - #endif /* ICA_FIPS */ - - if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL) -@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN)) -+ return EPERM; - if (fips & ICA_FIPS_MODE) { - if (!curve_supported_via_openssl(key->nid) || - !curve_supported_via_cpacf(key->nid)) { -@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key) - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN)) -+ return EPERM; - if (fips & ICA_FIPS_MODE) { - if (!curve_supported_via_openssl(key->nid) || - !curve_supported_via_cpacf(key->nid)) -@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(EC_DH) && !fips_override(EC_DH)) -+ return EPERM; - if (fips & ICA_FIPS_MODE) { - if (!curve_supported_via_openssl(privkey_A->nid) || - !curve_supported_via_cpacf(privkey_A->nid)) -@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle, - if (!curve_supported_via_openssl(privkey->nid) || - !curve_supported_via_cpacf(privkey->nid)) - return EPERM; -+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN)) -+ return EPERM; - } - #endif /* ICA_FIPS */ - -@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle, - #ifdef ICA_FIPS - if (fips >> 1) - return EACCES; -+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY)) -+ return EPERM; - if (fips & ICA_FIPS_MODE) { - if (!curve_supported_via_openssl(pubkey->nid) || - !curve_supported_via_cpacf(pubkey->nid)) diff --git a/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch b/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch deleted file mode 100644 index 4a27a7f..0000000 --- a/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch +++ /dev/null @@ -1,164 +0,0 @@ -From b7d11c21d7f15dc11ae7354a7ec97299eacd7045 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Wed, 6 Nov 2024 13:12:11 +0100 -Subject: [PATCH] fips update: Dynamically update service indicator based on IV - usage - -Fix handling to differentiate if the call to AES-GCM encryption API was approved -or not. If the IV was set externally, it's non-approved, otherwise with internal -IV it's approved. Bind the service indicator to the service by checking the -behavior of the GCM IV in the gcm API. - -Signed-off-by: Joerg Schmidbauer ---- - src/ica_api.c | 6 ++++++ - src/include/fips.h | 54 +++++++++++++++++++++++++++++++++++++++++++--- - src/s390_crypto.c | 16 ++++++++++++++ - 3 files changed, 73 insertions(+), 3 deletions(-) - -diff --git a/src/ica_api.c b/src/ica_api.c -index d071f61..c1bb4e1 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -3727,6 +3727,8 @@ unsigned int ica_aes_gcm(unsigned char *plaintext, - #ifdef ICA_FIPS - if (fips & ICA_FIPS_MODE) - return EPERM; -+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM)) -+ return EPERM; - #endif /* ICA_FIPS */ - - return ica_aes_gcm_internal(plaintext, plaintext_length, ciphertext, -@@ -3776,6 +3778,8 @@ unsigned int ica_aes_gcm_initialize(const unsigned char *iv, - if (!ica_external_gcm_iv_in_fips_mode_allowed && - direction == ENCRYPT && (fips & ICA_FIPS_MODE)) - return EPERM; -+ if (!fips_approved(AES_GCM) && !fips_override(AES_GCM)) -+ return EPERM; - #endif /* ICA_FIPS */ - - return ica_aes_gcm_initialize_internal(iv, iv_length, key, key_length, -@@ -4025,6 +4029,8 @@ int ica_aes_gcm_kma_init(unsigned int direction, - if (!ica_external_gcm_iv_in_fips_mode_allowed && - direction == ICA_ENCRYPT && (fips & ICA_FIPS_MODE)) - return EPERM; -+ if (!fips_approved(AES_GCM_KMA) && !fips_override(AES_GCM_KMA)) -+ return EPERM; - #endif /* ICA_FIPS */ - - return ica_aes_gcm_kma_init_internal(direction, iv, iv_length, -diff --git a/src/include/fips.h b/src/include/fips.h -index c0af6b6..0a6e0bd 100644 ---- a/src/include/fips.h -+++ b/src/include/fips.h -@@ -68,19 +68,19 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv, - /* - * List of non-fips-approved algorithms - */ --static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB, -+static int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB, - DES_CFB, DES_CTR, DES_CTRLST, DES_CBC_MAC, DES_CMAC, P_RNG, DES3_ECB, - DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST, - DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY, - ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE, -- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG }; -+ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; - static const size_t FIPS_BLACKLIST_LEN - = sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]); - - /* - * FIPS service indicator: List of tolerated but non-approved algorithms. - */ --static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG }; -+static int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; - static const size_t FIPS_OVERRIDE_LIST_LEN - = sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]); - -@@ -117,5 +117,53 @@ static inline int fips_override(int id) - - return 0; - } -+ -+static inline void add_to_fips_black_list(int id) -+{ -+ size_t i; -+ -+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) { -+ if (FIPS_BLACKLIST[i] == -1) { -+ FIPS_BLACKLIST[i] = id; -+ return; -+ } -+ } -+} -+ -+static inline void add_to_fips_override_list(int id) -+{ -+ size_t i; -+ -+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) { -+ if (FIPS_OVERRIDE_LIST[i] == -1) { -+ FIPS_OVERRIDE_LIST[i] = id; -+ return; -+ } -+ } -+} -+ -+static inline void remove_from_fips_black_list(int id) -+{ -+ size_t i; -+ -+ for (i = 0; i < FIPS_BLACKLIST_LEN; i++) { -+ if (FIPS_BLACKLIST[i] == id) { -+ FIPS_BLACKLIST[i] = -1; -+ return; -+ } -+ } -+} -+ -+static inline void remove_from_fips_override_list(int id) -+{ -+ size_t i; -+ -+ for (i = 0; i < FIPS_OVERRIDE_LIST_LEN; i++) { -+ if (FIPS_OVERRIDE_LIST[i] == id) { -+ FIPS_OVERRIDE_LIST[i] = -1; -+ return; -+ } -+ } -+} - #endif /* FIPS_H */ - #endif /* ICA_FIPS */ -diff --git a/src/s390_crypto.c b/src/s390_crypto.c -index 623864b..03655e7 100644 ---- a/src/s390_crypto.c -+++ b/src/s390_crypto.c -@@ -30,6 +30,10 @@ - #include "init.h" - #include "s390_crypto.h" - -+#ifdef ICA_FIPS -+extern int ica_external_gcm_iv_in_fips_mode_allowed; -+#endif -+ - unsigned long long facility_bits[3]; - unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch, - tdes_switch, aes128_switch, aes192_switch, aes256_switch, -@@ -810,6 +814,18 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list, - if (*indicator_list_len < (sizeof(icaList) / sizeof(libica_func_list_element_int))) - return EINVAL; - -+ if (ica_external_gcm_iv_in_fips_mode_allowed) { -+ add_to_fips_black_list(AES_GCM); -+ add_to_fips_override_list(AES_GCM); -+ add_to_fips_black_list(AES_GCM_KMA); -+ add_to_fips_override_list(AES_GCM_KMA); -+ } else { -+ remove_from_fips_black_list(AES_GCM); -+ remove_from_fips_override_list(AES_GCM); -+ remove_from_fips_black_list(AES_GCM_KMA); -+ remove_from_fips_override_list(AES_GCM_KMA); -+ } -+ - for (i = 0; i < *indicator_list_len; i++) { - indicator_list[i].mech_mode_id = icaList[i].mech_mode_id; - indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id); diff --git a/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch b/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch deleted file mode 100644 index 246e018..0000000 --- a/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch +++ /dev/null @@ -1,94 +0,0 @@ -From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Wed, 6 Nov 2024 13:17:54 +0100 -Subject: [PATCH] fips update: provide test for dynamic service indicator - -Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode -API to allow and forbid an external GCM IV. Depending on whether the application -allows or forbids external IVs, the service indicator changes dynamically. - -Signed-off-by: Joerg Schmidbauer ---- - test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 62 insertions(+) - -diff --git a/test/fips_test.c b/test/fips_test.c -index 2bd3d40..873c4b0 100644 ---- a/test/fips_test.c -+++ b/test/fips_test.c -@@ -13,6 +13,64 @@ - - #define FIPS_FLAG "/proc/sys/crypto/fips_enabled" - -+#ifdef ICA_FIPS -+static int test_gcm_iv_usage(void) -+{ -+ libica_fips_indicator_element *fips_list = NULL; -+ unsigned int rc, i, fips_len, allow; -+ unsigned int approved_expected, override_expected; -+ -+ for (allow = 0; allow < 2; allow++) { -+ -+ approved_expected = allow == 1 ? 0 : 1; -+ override_expected = allow == 1 ? 1 : 0; -+ -+ /* Check allowance of an external iv in fips mode */ -+ ica_allow_external_gcm_iv_in_fips_mode(allow); -+ -+ /* Get fips indicator list */ -+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){ -+ printf("get_fips_indicator failed\n"); -+ rc = EXIT_FAILURE; -+ goto done; -+ } -+ -+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len); -+ if (!fips_list) { -+ printf("malloc fips_indicator list failed\n"); -+ rc = EXIT_FAILURE; -+ goto done; -+ } -+ -+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){ -+ printf("ica_get_fips_indicator failed\n"); -+ free(fips_list); -+ rc = EXIT_FAILURE; -+ goto done; -+ } -+ -+ for (i = 0; i < fips_len; i++) { -+ if (fips_list[i].mech_mode_id == AES_GCM || -+ fips_list[i].mech_mode_id == AES_GCM_KMA) { -+ if (fips_list[i].fips_approved != approved_expected || -+ fips_list[i].fips_override != override_expected) { -+ rc = EXIT_FAILURE; -+ free(fips_list); -+ goto done; -+ } -+ } -+ } -+ -+ free(fips_list); -+ } -+ -+ rc = 0; -+ -+done: -+ return rc; -+} -+#endif /* ICA_FIPS */ -+ - int - main(void) - { -@@ -68,6 +126,10 @@ main(void) - printf("Libica FIPS integrity check failed.\n"); - rv = EXIT_FAILURE; - } -+ if (test_gcm_iv_usage()) { -+ printf("Libica FIPS gcm iv usage check failed.\n"); -+ rv = EXIT_FAILURE; -+ } - #endif /* ICA_FIPS */ - - printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT); diff --git a/libica-4.3.1.tar.gz b/libica-4.3.1.tar.gz deleted file mode 100644 index 44590b4..0000000 --- a/libica-4.3.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5693fa8858941b68252a94c1f03f098e773b43cd56c10d6d3f15f24fdc623562 -size 576561 diff --git a/libica-4.4.0.tar.gz b/libica-4.4.0.tar.gz new file mode 100644 index 0000000..0144a84 --- /dev/null +++ b/libica-4.4.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:edf70e9c9ddf8d74c477f871a8edc6bf57a0ec9071f7afc6774fd67ac24a857a +size 579644 diff --git a/libica.changes b/libica.changes index a7e5212..f0609ee 100644 --- a/libica.changes +++ b/libica.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Tue Dec 31 10:44:31 UTC 2024 - Nikolay Gueorguiev + +- Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289) + * Updates for FIPS 140-3 certification 2024 + * Various bug fixes and housekeeping +- Removed obsolete patches + * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch + * libica-02-fips-update-Change-service-indicator-implementation.patch + * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch + * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch + ------------------------------------------------------------------- Wed Dec 4 07:05:18 UTC 2024 - Nikolay Gueorguiev diff --git a/libica.spec b/libica.spec index 0dd8419..1e2788b 100644 --- a/libica.spec +++ b/libica.spec @@ -22,7 +22,7 @@ %endif Name: libica -Version: 4.3.1 +Version: 4.4.0 Release: 0 Summary: Library interface for the IBM Cryptographic Accelerator device driver License: CPL-1.0 @@ -38,11 +38,6 @@ Source5: %{name}-rpmlintrc Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch Patch99: libica-sles15sp5-FIPS-hmac-key.patch ### -Patch110: libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch -Patch111: libica-02-fips-update-Change-service-indicator-implementation.patch -Patch112: libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch -Patch113: libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch -### BuildRequires: autoconf BuildRequires: automake