forked from pool/libica
Accepting request 494492 from devel:openSUSE:Factory
OK, let's try this again. Update to version 3.0.2 per fate#322025 OBS-URL: https://build.opensuse.org/request/show/494492 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=2
This commit is contained in:
commit
d48222617a
@ -1,26 +0,0 @@
|
||||
--- a/src/include/s390_crypto.h
|
||||
+++ b/src/include/s390_crypto.h
|
||||
@@ -83,7 +83,7 @@
|
||||
S390_CRYPTO_SHA512_DRNG_SEED = 0x03 | 0x80
|
||||
};
|
||||
|
||||
-unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
|
||||
+extern unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
|
||||
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
|
||||
prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
|
||||
msa4_switch, msa5_switch;
|
||||
@@ -119,10 +119,10 @@
|
||||
SHA512_DRNG_SEED
|
||||
} ppno_functions_t;
|
||||
|
||||
-s390_supported_function_t s390_kmc_functions[PRNG + 1];
|
||||
-s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
|
||||
-s390_supported_function_t s390_kimd_functions[GHASH + 1];
|
||||
-s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
|
||||
+extern s390_supported_function_t s390_kmc_functions[PRNG + 1];
|
||||
+extern s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
|
||||
+extern s390_supported_function_t s390_kimd_functions[GHASH + 1];
|
||||
+extern s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
|
||||
|
||||
void s390_crypto_switches_init(void);
|
||||
|
@ -1,15 +0,0 @@
|
||||
--- a/src/s390_crypto.c
|
||||
+++ b/src/s390_crypto.c
|
||||
@@ -25,6 +25,11 @@
|
||||
#include <errno.h>
|
||||
#include "s390_crypto.h"
|
||||
#include "init.h"
|
||||
+
|
||||
+unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
|
||||
+ tdes_switch, aes128_switch, aes192_switch, aes256_switch,
|
||||
+ prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
|
||||
+ msa4_switch, msa5_switch;
|
||||
|
||||
s390_supported_function_t s390_kimd_functions[] = {
|
||||
{SHA_1, S390_CRYPTO_SHA_1, &sha1_switch},
|
||||
|
@ -1,75 +0,0 @@
|
||||
Subject: [PATCH] [BZ 148767] libica: libica crash with illegal instruction on z196/z114
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
|
||||
Description: libica: libica crash with illegal instruction on z196/z114
|
||||
Symptom: 'illegal instruction' on libica initialization
|
||||
Problem: Upon initialization libica checks all the MSA levels
|
||||
of the system to find out the available functions.
|
||||
This check function reuses a buffer variable without
|
||||
proper reinitialization thus leading to detect an
|
||||
MSA 5 function PPNO which is in fact not available
|
||||
on z196/z114 systems. Upon initialization the libica
|
||||
internal pseudo random generator is initialized which
|
||||
is then trying to use this PPNO function and so
|
||||
the 'illegal instruction' occurs.
|
||||
Solution: Fix libica initialization function.
|
||||
Reproduction: On z196/z114 systems with every libica version >= 2.6.
|
||||
Upstream-ID: eeb40e5aea7dd36580629e6b17cd7f03fb62549c
|
||||
Problem-ID: 148767
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Index: libica-service/src/s390_crypto.c
|
||||
===================================================================
|
||||
--- libica-service.orig/src/s390_crypto.c 2016-11-18 12:04:39.809574833 +0100
|
||||
+++ libica-service/src/s390_crypto.c 2016-11-18 12:04:39.805574781 +0100
|
||||
@@ -144,6 +144,8 @@ void set_switches(int msa)
|
||||
* kimd query and do not need to over the whole array. Therfore there
|
||||
* is also no distict setting of the switch needed in form
|
||||
* msa4_switch = 1. */
|
||||
+
|
||||
+ /* kmc query */
|
||||
memset(mask, 0, sizeof(mask));
|
||||
if (msa) {
|
||||
if (begin_sigill_section(&oldact, &oldset) == 0) {
|
||||
@@ -160,13 +162,14 @@ void set_switches(int msa)
|
||||
*s390_kmc_functions[n].enabled = on;
|
||||
}
|
||||
|
||||
+ /* kimd query */
|
||||
+ memset(mask, 0, sizeof(mask));
|
||||
if (msa) {
|
||||
if (begin_sigill_section(&oldact, &oldset) == 0) {
|
||||
s390_kimd(S390_CRYPTO_QUERY, mask, (void *) 0, 0);
|
||||
end_sigill_section(&oldact, &oldset);
|
||||
}
|
||||
}
|
||||
-
|
||||
for (n = 0; n < (sizeof(s390_kimd_functions) /
|
||||
sizeof(s390_supported_function_t)); n++) {
|
||||
if (S390_CRYPTO_TEST_MASK(mask, s390_kimd_functions[n].hw_fc))
|
||||
@@ -176,6 +179,8 @@ void set_switches(int msa)
|
||||
*s390_kimd_functions[n].enabled = on;
|
||||
}
|
||||
|
||||
+ /* ppno query */
|
||||
+ memset(mask, 0, sizeof(mask));
|
||||
if (5 <= msa) {
|
||||
msa5_switch = 1;
|
||||
if (begin_sigill_section(&oldact, &oldset) == 0) {
|
||||
@@ -183,7 +188,6 @@ void set_switches(int msa)
|
||||
end_sigill_section(&oldact, &oldset);
|
||||
}
|
||||
}
|
||||
-
|
||||
for (n = 0; n < (sizeof(s390_ppno_functions) /
|
||||
sizeof(s390_supported_function_t)); n++) {
|
||||
if (S390_CRYPTO_TEST_MASK(mask, s390_ppno_functions[n].hw_fc))
|
||||
@@ -254,7 +258,7 @@ libica_func_list_element_int icaList[] =
|
||||
{RSA_KEY_GEN_ME, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
|
||||
{RSA_KEY_GEN_CRT, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
|
||||
|
||||
- {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SHW | ICA_FLAG_SW, 0},
|
||||
+ {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SW, 0},
|
||||
|
||||
/* available for the MSA4 instruction */
|
||||
/* available for the RSA instruction */
|
@ -1,183 +0,0 @@
|
||||
Index: src/s390_rsa.c
|
||||
===================================================================
|
||||
--- a/src/s390_rsa.c
|
||||
+++ b/src/s390_rsa.c
|
||||
@@ -18,6 +18,9 @@
|
||||
#include <errno.h>
|
||||
#include <stdint.h>
|
||||
#include <openssl/rsa.h>
|
||||
+#include <openssl/crypto.h>
|
||||
+#include <pthread.h>
|
||||
+#include <semaphore.h>
|
||||
|
||||
#include "s390_rsa.h"
|
||||
#include "s390_prng.h"
|
||||
@@ -41,9 +44,22 @@ static unsigned int mod_expo_sw(int arg_
|
||||
char *exp, int mod_length, char *mod,
|
||||
int *res_length, char *res, BN_CTX *ctx);
|
||||
|
||||
-RSA* rsa_key_generate(unsigned int modulus_bit_length,
|
||||
- unsigned long *public_exponent)
|
||||
+struct thread_data
|
||||
+{
|
||||
+ unsigned int mod_bit_length;
|
||||
+ unsigned long *pub_exp;
|
||||
+ RSA *rsa;
|
||||
+};
|
||||
+
|
||||
+static void *__rsa_key_generate(void *ptr)
|
||||
{
|
||||
+ struct thread_data *pth_data;
|
||||
+ unsigned int modulus_bit_length;
|
||||
+ unsigned long *public_exponent;
|
||||
+
|
||||
+ pth_data = (struct thread_data*)ptr;
|
||||
+ modulus_bit_length = pth_data->mod_bit_length;
|
||||
+ public_exponent = pth_data->pub_exp;
|
||||
BN_GENCB cb;
|
||||
|
||||
if (*public_exponent == 0)
|
||||
@@ -70,9 +86,36 @@ RSA* rsa_key_generate(unsigned int modul
|
||||
|
||||
if (RSA_generate_key_ex(rsa, modulus_bit_length, exp, &cb)) {
|
||||
BN_free(exp);
|
||||
- return rsa;
|
||||
+ pth_data->rsa = rsa;
|
||||
}
|
||||
+ else
|
||||
+ pth_data->rsa = NULL;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
|
||||
+RSA* rsa_key_generate(unsigned int modulus_bit_length,
|
||||
+ unsigned long *public_exponent)
|
||||
+{
|
||||
+ pthread_t tid;
|
||||
+ struct thread_data th_data;
|
||||
+ int rc;
|
||||
+
|
||||
+ sem_wait(&openssl_crypto_lock_mtx);
|
||||
+
|
||||
+ th_data.mod_bit_length = modulus_bit_length;
|
||||
+ th_data.pub_exp = public_exponent;
|
||||
+ rc = pthread_create(&(tid), NULL, (void *)&__rsa_key_generate,
|
||||
+ (void *)(&th_data));
|
||||
+ if (rc)
|
||||
+ return 0;
|
||||
+ rc = pthread_join(tid, NULL);
|
||||
+
|
||||
+ if (!rc && th_data.rsa) {
|
||||
+ sem_post(&openssl_crypto_lock_mtx);
|
||||
+ return th_data.rsa;
|
||||
+ }
|
||||
+ sem_post(&openssl_crypto_lock_mtx);
|
||||
return 0;
|
||||
}
|
||||
|
||||
Index: src/init.c
|
||||
===================================================================
|
||||
--- a/src/init.c
|
||||
+++ b/src/init.c
|
||||
@@ -18,10 +18,14 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/crypto.h>
|
||||
+#include <semaphore.h>
|
||||
+#include <pthread.h>
|
||||
#include <syslog.h>
|
||||
|
||||
#include "init.h"
|
||||
#include "icastats.h"
|
||||
+#include "s390_rsa.h"
|
||||
#include "s390_prng.h"
|
||||
#include "s390_crypto.h"
|
||||
#include "ica_api.h"
|
||||
@@ -79,12 +83,60 @@ void end_sigill_section(struct sigaction
|
||||
sigprocmask(SIG_SETMASK, oldset, 0);
|
||||
}
|
||||
|
||||
+static pthread_mutex_t *openssl_locks;
|
||||
+
|
||||
+static void openssl_lock_callback(int mode, int num, char *file, int line)
|
||||
+{
|
||||
+ if (mode & CRYPTO_LOCK) {
|
||||
+ pthread_mutex_lock(&(openssl_locks[num]));
|
||||
+ }
|
||||
+ else {
|
||||
+ pthread_mutex_unlock(&(openssl_locks[num]));
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static unsigned long get_thread_id(void)
|
||||
+{
|
||||
+ return (unsigned long)pthread_self();
|
||||
+}
|
||||
+
|
||||
+static void init_openssl_locks(void)
|
||||
+{
|
||||
+ int i, crypt_num_locks;
|
||||
+
|
||||
+ crypt_num_locks = CRYPTO_num_locks();
|
||||
+ openssl_locks = (pthread_mutex_t *)
|
||||
+ OPENSSL_malloc(crypt_num_locks *
|
||||
+ sizeof(pthread_mutex_t));
|
||||
+ for (i = 0; i < CRYPTO_num_locks(); i++) {
|
||||
+ pthread_mutex_init(&(openssl_locks[i]),NULL);
|
||||
+ }
|
||||
+
|
||||
+ CRYPTO_set_id_callback((unsigned long (*)())get_thread_id);
|
||||
+ CRYPTO_set_locking_callback((void (*)
|
||||
+ (int, int, const char*, int))openssl_lock_callback);
|
||||
+
|
||||
+ sem_init(&openssl_crypto_lock_mtx, 0, crypt_num_locks);
|
||||
+}
|
||||
+
|
||||
+static void free_openssl_locks(void)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ CRYPTO_set_locking_callback(NULL);
|
||||
+ for (i = 0; i < CRYPTO_num_locks(); i++)
|
||||
+ pthread_mutex_destroy(&(openssl_locks[i]));
|
||||
+
|
||||
+ OPENSSL_free(openssl_locks);
|
||||
+}
|
||||
+
|
||||
void openssl_init(void)
|
||||
{
|
||||
/* initial seed the openssl random generator */
|
||||
unsigned char random_data[64];
|
||||
s390_prng(random_data, sizeof(random_data));
|
||||
RAND_seed(random_data, sizeof(random_data));
|
||||
+ init_openssl_locks();
|
||||
}
|
||||
|
||||
/* Switches have to be done first. Otherwise we will not have hw support
|
||||
@@ -115,4 +167,5 @@ void __attribute__ ((constructor)) icain
|
||||
void __attribute__ ((destructor)) icaexit(void)
|
||||
{
|
||||
stats_munmap(SHM_CLOSE);
|
||||
+ free_openssl_locks();
|
||||
}
|
||||
Index: src/include/s390_rsa.h
|
||||
===================================================================
|
||||
--- a/src/include/s390_rsa.h
|
||||
+++ b/src/include/s390_rsa.h
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <asm/zcrypt.h>
|
||||
+#include <semaphore.h>
|
||||
#include "ica_api.h"
|
||||
|
||||
typedef struct ica_rsa_modexpo ica_rsa_modexpo_t;
|
||||
@@ -40,5 +41,7 @@ unsigned int rsa_key_generate_crt(ica_ad
|
||||
unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt);
|
||||
unsigned int rsa_mod_mult_sw(ica_rsa_modmult_t * pMul);
|
||||
unsigned int rsa_mod_expo_sw(ica_rsa_modexpo_t *pMex);
|
||||
+
|
||||
+sem_t openssl_crypto_lock_mtx;
|
||||
#endif
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3528ce8d2cb3e77ba20f6c85226be5b023c7c5a3fe30b6bc841cc98d5f8fe77d
|
||||
size 172317
|
3
libica-3.0.2.tgz
Normal file
3
libica-3.0.2.tgz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:c8af14d8ff87ac7e88400064184dd1d83b23eb2ef3daff1e8072423ab6fe9833
|
||||
size 204325
|
@ -1,3 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue May 9 17:23:11 UTC 2017 - mpost@suse.com
|
||||
|
||||
- Upgraded to version 3.0.2 (Fate#322025).
|
||||
- v3.0.2
|
||||
- Fix locking callbacks for openSSL APIs.
|
||||
- v3.0.1
|
||||
- Fixed msa level detection on zEC/BC12 GA1 and predecessors.
|
||||
- v3.0.0
|
||||
- Added FIPS mode.
|
||||
- Sanitized exported symbols.
|
||||
- Removed deprecated APIs. Marked some APIs as deprecated.
|
||||
- Adapted to OpenSSL v1.1.0.
|
||||
- RSA key generation is thread-safe now.
|
||||
- Removed the following obsolete patches:
|
||||
- fix-initialization-of-s390-hardware-switches-1.patch
|
||||
- fix-initialization-of-s390-hardware-switches-2.patch
|
||||
- fix-msa-level-detection.patch
|
||||
- fix-segfault-during-multithread-keygen.patch
|
||||
- rng-performance.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com
|
||||
|
||||
|
30
libica.spec
30
libica.spec
@ -25,7 +25,7 @@ BuildRequires: openssl-devel
|
||||
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
||||
License: CPL-1.0
|
||||
Group: Hardware/Other
|
||||
Version: 2.6.2
|
||||
Version: 3.0.2
|
||||
Release: 0
|
||||
Source: libica-%{version}.tgz
|
||||
Source1: libica-SuSE.tar.bz2
|
||||
@ -35,11 +35,6 @@ Source4: README.SUSE
|
||||
Source5: sysconfig.z90crypt
|
||||
Source6: baselibs.conf
|
||||
Source7: %{name}-rpmlintrc
|
||||
Patch1: fix-initialization-of-s390-hardware-switches-1.patch
|
||||
Patch2: fix-initialization-of-s390-hardware-switches-2.patch
|
||||
Patch3: rng-performance.patch
|
||||
Patch4: fix-segfault-during-multithread-keygen.patch
|
||||
Patch5: fix-msa-level-detection.patch
|
||||
|
||||
Url: http://sourceforge.net/projects/opencryptoki/files/libica
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -51,15 +46,11 @@ This package contains the interface library routines used by IBM
|
||||
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||
(ICA).
|
||||
|
||||
%package -n libica2
|
||||
%package -n libica3
|
||||
Summary: Library interface for the IBM Cryptographic Accelerator
|
||||
Group: System/Libraries
|
||||
Obsoletes: libica-2_1_0 < %{version}-%{release}
|
||||
Provides: libica-2_1_0 = %{version}-%{release}
|
||||
Obsoletes: libica-2_3_0 < %{version}-%{release}
|
||||
Provides: libica-2_3_0 = %{version}-%{release}
|
||||
|
||||
%description -n libica2
|
||||
%description -n libica3
|
||||
This package contains the interface library routines used by IBM
|
||||
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||
(ICA).
|
||||
@ -82,7 +73,7 @@ Obsoletes: libica-2_1_0-devel < %{version}-%{release}
|
||||
Provides: libica-2_1_0-devel = %{version}-%{release}
|
||||
Obsoletes: libica-2_3_0-devel < %{version}-%{release}
|
||||
Provides: libica-2_3_0-devel = %{version}-%{release}
|
||||
Requires: libica2 = %{version}
|
||||
Requires: libica3 = %{version}
|
||||
Requires: libopenssl-devel
|
||||
|
||||
%description devel
|
||||
@ -108,11 +99,6 @@ the libica library.
|
||||
|
||||
%prep
|
||||
%setup -a 1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
mkdir -p include/linux/
|
||||
@ -142,12 +128,12 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libica.la
|
||||
%restart_on_update boot.z90crypt
|
||||
%{insserv_cleanup}
|
||||
|
||||
%post -n libica2 -p /sbin/ldconfig
|
||||
%postun -n libica2 -p /sbin/ldconfig
|
||||
%post -n libica3 -p /sbin/ldconfig
|
||||
%postun -n libica3 -p /sbin/ldconfig
|
||||
|
||||
%files -n libica2
|
||||
%files -n libica3
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libica.so.2*
|
||||
%{_libdir}/libica.so.3*
|
||||
|
||||
%files tools
|
||||
%defattr(-, root, root)
|
||||
|
@ -1,35 +0,0 @@
|
||||
Index: libica-2.6.2/src/s390_prng.c
|
||||
===================================================================
|
||||
--- libica-2.6.2.orig/src/s390_prng.c
|
||||
+++ libica-2.6.2/src/s390_prng.c
|
||||
@@ -76,10 +76,9 @@ int s390_prng_init(void)
|
||||
// available. However, the old prng is still initialized but
|
||||
// only used as a fallback.
|
||||
if(sha512_switch || sha512_drng_switch){
|
||||
- const char *pers = "ica_drbg_global";
|
||||
ica_drbg_instantiate(&ica_drbg_global, 256, true,
|
||||
- ICA_DRBG_SHA512, (unsigned char *)pers,
|
||||
- strlen(pers));
|
||||
+ ICA_DRBG_SHA512,
|
||||
+ (unsigned char *)"GLOBAL INSTANCE", 15);
|
||||
}
|
||||
|
||||
// The old prng code starts here:
|
||||
@@ -181,7 +180,7 @@ int s390_prng(unsigned char *output_data
|
||||
unsigned char *ptr = output_data;
|
||||
size_t i = 0;
|
||||
for(; i < q; i++){
|
||||
- status = ica_drbg_generate(ica_drbg_global, 256, true,
|
||||
+ status = ica_drbg_generate(ica_drbg_global, 256, false,
|
||||
NULL, 0, ptr,
|
||||
ICA_DRBG_SHA512
|
||||
->max_no_of_bytes_per_req);
|
||||
@@ -191,7 +190,7 @@ int s390_prng(unsigned char *output_data
|
||||
ptr += ICA_DRBG_SHA512->max_no_of_bytes_per_req;
|
||||
}
|
||||
if(!status){
|
||||
- status = ica_drbg_generate(ica_drbg_global, 256, true,
|
||||
+ status = ica_drbg_generate(ica_drbg_global, 256, false,
|
||||
NULL, 0, ptr, r);
|
||||
if(!status)
|
||||
return 0;
|
Loading…
Reference in New Issue
Block a user