Accepting request 494492 from devel:openSUSE:Factory

OK, let's try this again. Update to version 3.0.2 per fate#322025 OBS-URL: https://build.opensuse.org/request/show/494492 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=2
2017-05-17 15:18:35 +00:00 · 2017-05-17 15:18:35 +00:00 · d48222617a
commit d48222617a
parent fac132c77e 03569f5c0f
9 changed files with 32 additions and 359 deletions
--- a/fix-initialization-of-s390-hardware-switches-1.patch
+++ b/fix-initialization-of-s390-hardware-switches-1.patch
@ -1,26 +0,0 @@
 --- a/src/include/s390_crypto.h
 +++ b/src/include/s390_crypto.h
@@ -83,7 +83,7 @@
 	S390_CRYPTO_SHA512_DRNG_SEED = 0x03 | 0x80
 };
 -unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
 +extern unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
 	     tdes_switch, aes128_switch, aes192_switch, aes256_switch,
 	     prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
 	     msa4_switch, msa5_switch;
@@ -119,10 +119,10 @@
 	SHA512_DRNG_SEED
 } ppno_functions_t;
 -s390_supported_function_t s390_kmc_functions[PRNG + 1];
 -s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
 -s390_supported_function_t s390_kimd_functions[GHASH + 1];
 -s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
 +extern s390_supported_function_t s390_kmc_functions[PRNG + 1];
 +extern s390_supported_function_t s390_msa4_functions[AES_256_XTS_DECRYPT + 1];
 +extern s390_supported_function_t s390_kimd_functions[GHASH + 1];
 +extern s390_supported_function_t s390_ppno_functions[SHA512_DRNG_SEED + 1];
 void s390_crypto_switches_init(void);
--- a/fix-initialization-of-s390-hardware-switches-2.patch
+++ b/fix-initialization-of-s390-hardware-switches-2.patch
@ -1,15 +0,0 @@
 --- a/src/s390_crypto.c
 +++ b/src/s390_crypto.c
@@ -25,6 +25,11 @@
 #include <errno.h>
 #include "s390_crypto.h"
 #include "init.h"
 +
 +unsigned int sha1_switch, sha256_switch, sha512_switch, des_switch,
 +             tdes_switch, aes128_switch, aes192_switch, aes256_switch,
 +             prng_switch, tdea128_switch, tdea192_switch, sha512_drng_switch,
 +             msa4_switch, msa5_switch;
 s390_supported_function_t s390_kimd_functions[] = {
 	{SHA_1, S390_CRYPTO_SHA_1, &sha1_switch},
--- a/fix-msa-level-detection.patch
+++ b/fix-msa-level-detection.patch
@ -1,75 +0,0 @@
 Subject: [PATCH] [BZ 148767] libica: libica crash with illegal instruction on z196/z114
 From: Harald Freudenberger <freude@linux.vnet.ibm.com>
 Description:  libica: libica crash with illegal instruction on z196/z114
 Symptom:      'illegal instruction' on libica initialization
 Problem:      Upon initialization libica checks all the MSA levels
              of the system to find out the available functions.
              This check function reuses a buffer variable without
              proper reinitialization thus leading to detect an
              MSA 5 function PPNO which is in fact not available
              on z196/z114 systems. Upon initialization the libica
              internal pseudo random generator is initialized which
              is then trying to use this PPNO function and so
              the 'illegal instruction' occurs.
 Solution:     Fix libica initialization function.
 Reproduction: On z196/z114 systems with every libica version >= 2.6.
 Upstream-ID:  eeb40e5aea7dd36580629e6b17cd7f03fb62549c
 Problem-ID:   148767
 Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
 Index: libica-service/src/s390_crypto.c
 ===================================================================
 --- libica-service.orig/src/s390_crypto.c	2016-11-18 12:04:39.809574833 +0100
 +++ libica-service/src/s390_crypto.c	2016-11-18 12:04:39.805574781 +0100
@@ -144,6 +144,8 @@ void set_switches(int msa)
 	 * kimd query and do not need to over the whole array. Therfore there
 	 * is also no distict setting of the switch needed in form
 	 * msa4_switch = 1. */
 +
 +	/* kmc query */
 	memset(mask, 0, sizeof(mask));
 	if (msa) {
 		if (begin_sigill_section(&oldact, &oldset) == 0) {
@@ -160,13 +162,14 @@ void set_switches(int msa)
 		*s390_kmc_functions[n].enabled = on;
 	}
 +	/* kimd query */
 +	memset(mask, 0, sizeof(mask));
 	if (msa) {
 		if (begin_sigill_section(&oldact, &oldset) == 0) {
 			s390_kimd(S390_CRYPTO_QUERY, mask, (void *) 0, 0);
 			end_sigill_section(&oldact, &oldset);
 		}
 	}
 -
 	for (n = 0; n < (sizeof(s390_kimd_functions) /
 			 sizeof(s390_supported_function_t)); n++) {
 		if (S390_CRYPTO_TEST_MASK(mask, s390_kimd_functions[n].hw_fc))
@@ -176,6 +179,8 @@ void set_switches(int msa)
 		*s390_kimd_functions[n].enabled = on;
 	}
 +	/* ppno query */
 +	memset(mask, 0, sizeof(mask));
 	if (5 <= msa) {
 		msa5_switch = 1;
 		if (begin_sigill_section(&oldact, &oldset) == 0) {
@@ -183,7 +188,6 @@ void set_switches(int msa)
 			end_sigill_section(&oldact, &oldset);
 		}
 	}
 -
 	for (n = 0; n < (sizeof(s390_ppno_functions) /
 			 sizeof(s390_supported_function_t)); n++) {
 		if (S390_CRYPTO_TEST_MASK(mask, s390_ppno_functions[n].hw_fc))
@@ -254,7 +258,7 @@ libica_func_list_element_int icaList[] =
  {RSA_KEY_GEN_ME,  	ADAPTER, 0, ICA_FLAG_SW, 		0},	// SW (openssl)
  {RSA_KEY_GEN_CRT, 	ADAPTER, 0, ICA_FLAG_SW, 		0},	// SW (openssl)
 - {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SHW | ICA_FLAG_SW, 0},
 + {SHA512_DRNG, PPNO, SHA512_DRNG_GEN, ICA_FLAG_SW, 0},
 /* available for the MSA4 instruction */
 /* available for the RSA instruction */
--- a/fix-segfault-during-multithread-keygen.patch
+++ b/fix-segfault-during-multithread-keygen.patch
@ -1,183 +0,0 @@
 Index: src/s390_rsa.c
 ===================================================================
 --- a/src/s390_rsa.c
 +++ b/src/s390_rsa.c
@@ -18,6 +18,9 @@
 #include <errno.h>
 #include <stdint.h>
 #include <openssl/rsa.h>
 +#include <openssl/crypto.h>
 +#include <pthread.h>
 +#include <semaphore.h>
 #include "s390_rsa.h"
 #include "s390_prng.h"
@@ -41,9 +44,22 @@ static unsigned int mod_expo_sw(int arg_
 				char *exp, int mod_length, char *mod,
 				int *res_length, char *res, BN_CTX *ctx);
 -RSA* rsa_key_generate(unsigned int modulus_bit_length,
 -		      unsigned long *public_exponent)
 +struct thread_data
 +{
 +	unsigned int mod_bit_length;
 +	unsigned long *pub_exp;
 +	RSA	*rsa;
 +};
 +
 +static void *__rsa_key_generate(void *ptr)
 {
 +	struct thread_data *pth_data;
 +	unsigned int modulus_bit_length;
 +	unsigned long *public_exponent;
 +
 +	pth_data = (struct thread_data*)ptr;
 +	modulus_bit_length = pth_data->mod_bit_length;
 +	public_exponent = pth_data->pub_exp;
 	BN_GENCB cb;
 	if (*public_exponent == 0)
@@ -70,9 +86,36 @@ RSA* rsa_key_generate(unsigned int modul
 	if (RSA_generate_key_ex(rsa, modulus_bit_length, exp, &cb)) {
 		BN_free(exp);
 -		return rsa;
 +		pth_data->rsa = rsa;
 	}
 +	else
 +		pth_data->rsa = NULL;
 +
 +	return 0;
 +}
 +RSA* rsa_key_generate(unsigned int modulus_bit_length,
 +		      unsigned long *public_exponent)
 +{
 +	pthread_t tid;
 +	struct thread_data th_data;
 +	int rc;
 +
 +	sem_wait(&openssl_crypto_lock_mtx);
 +
 +	th_data.mod_bit_length = modulus_bit_length;
 +	th_data.pub_exp = public_exponent;
 +	rc = pthread_create(&(tid), NULL, (void *)&__rsa_key_generate,
 +			    (void *)(&th_data));
 +	if (rc)
 +		return 0;
 +	rc = pthread_join(tid, NULL);
 +
 +	if (!rc && th_data.rsa) {
 +		sem_post(&openssl_crypto_lock_mtx);
 +		return th_data.rsa;
 +	}
 +	sem_post(&openssl_crypto_lock_mtx);
 	return 0;
 }
 Index: src/init.c
 ===================================================================
 --- a/src/init.c
 +++ b/src/init.c
@@ -18,10 +18,14 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/rand.h>
 +#include <openssl/crypto.h>
 +#include <semaphore.h>
 +#include <pthread.h>
 #include <syslog.h>
 #include "init.h"
 #include "icastats.h"
 +#include "s390_rsa.h"
 #include "s390_prng.h"
 #include "s390_crypto.h"
 #include "ica_api.h"
@@ -79,12 +83,60 @@ void end_sigill_section(struct sigaction
 	sigprocmask(SIG_SETMASK, oldset, 0);
 }
 +static pthread_mutex_t *openssl_locks;
 +
 +static void openssl_lock_callback(int mode, int num, char *file, int line)
 +{
 +	if (mode & CRYPTO_LOCK) {
 +		pthread_mutex_lock(&(openssl_locks[num]));
 +	}
 +	else {
 +		pthread_mutex_unlock(&(openssl_locks[num]));
 +	}
 +}
 +
 +static unsigned long get_thread_id(void)
 +{
 +	return (unsigned long)pthread_self();
 +}
 +
 +static void init_openssl_locks(void)
 +{
 +	int i, crypt_num_locks;
 +
 +	crypt_num_locks = CRYPTO_num_locks();
 +	openssl_locks = (pthread_mutex_t *)
 +			OPENSSL_malloc(crypt_num_locks *
 +				       sizeof(pthread_mutex_t));
 +	for (i = 0; i < CRYPTO_num_locks(); i++) {
 +		pthread_mutex_init(&(openssl_locks[i]),NULL);
 +	}
 +
 +	CRYPTO_set_id_callback((unsigned long (*)())get_thread_id);
 +	CRYPTO_set_locking_callback((void (*)
 +		(int, int, const char*, int))openssl_lock_callback);
 +
 +	sem_init(&openssl_crypto_lock_mtx, 0, crypt_num_locks);
 +}
 +
 +static void free_openssl_locks(void)
 +{
 +	int i;
 +
 +	CRYPTO_set_locking_callback(NULL);
 +	for (i = 0; i < CRYPTO_num_locks(); i++)
 +		pthread_mutex_destroy(&(openssl_locks[i]));
 +
 +	OPENSSL_free(openssl_locks);
 +}
 +
 void openssl_init(void)
 {
 	/* initial seed the openssl random generator */
 	unsigned char random_data[64];
 	s390_prng(random_data, sizeof(random_data));
 	RAND_seed(random_data, sizeof(random_data));
 +	init_openssl_locks();
 }
 /* Switches have to be done first. Otherwise we will not have hw support
@@ -115,4 +167,5 @@ void __attribute__ ((constructor)) icain
 void __attribute__ ((destructor)) icaexit(void)
 {
 	stats_munmap(SHM_CLOSE);
 +	free_openssl_locks();
 }
 Index: src/include/s390_rsa.h
 ===================================================================
 --- a/src/include/s390_rsa.h
 +++ b/src/include/s390_rsa.h
@@ -16,6 +16,7 @@
 #include <openssl/bn.h>
 #include <asm/zcrypt.h>
 +#include <semaphore.h>
 #include "ica_api.h"
 typedef struct ica_rsa_modexpo ica_rsa_modexpo_t;
@@ -40,5 +41,7 @@ unsigned int rsa_key_generate_crt(ica_ad
 unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt);
 unsigned int rsa_mod_mult_sw(ica_rsa_modmult_t * pMul);
 unsigned int rsa_mod_expo_sw(ica_rsa_modexpo_t *pMex);
 +
 +sem_t openssl_crypto_lock_mtx;
 #endif
--- a/libica-2.6.2.tgz
+++ b/libica-2.6.2.tgz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:3528ce8d2cb3e77ba20f6c85226be5b023c7c5a3fe30b6bc841cc98d5f8fe77d
 size 172317
--- a/libica-3.0.2.tgz
+++ b/libica-3.0.2.tgz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:c8af14d8ff87ac7e88400064184dd1d83b23eb2ef3daff1e8072423ab6fe9833
 size 204325
--- a/libica.changes
+++ b/libica.changes
@ -1,3 +1,24 @@
 -------------------------------------------------------------------
 Tue May  9 17:23:11 UTC 2017 - mpost@suse.com
 - Upgraded to version 3.0.2 (Fate#322025).
  - v3.0.2
    - Fix locking callbacks for openSSL APIs.
  - v3.0.1
    - Fixed msa level detection on zEC/BC12 GA1 and predecessors.
  - v3.0.0
    - Added FIPS mode.
    - Sanitized exported symbols.
    - Removed deprecated APIs. Marked some APIs as deprecated.
    - Adapted to OpenSSL v1.1.0.
    - RSA key generation is thread-safe now.
 - Removed the following obsolete patches:
  - fix-initialization-of-s390-hardware-switches-1.patch
  - fix-initialization-of-s390-hardware-switches-2.patch
  - fix-msa-level-detection.patch
  - fix-segfault-during-multithread-keygen.patch
  - rng-performance.patch
 -------------------------------------------------------------------
 Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com
--- a/libica.spec
+++ b/libica.spec
@ -25,7 +25,7 @@ BuildRequires:  openssl-devel
 Summary:        Library interface for the IBM Cryptographic Accelerator device driver
 License:        CPL-1.0
 Group:          Hardware/Other
-Version:        2.6.2
+Version:        3.0.2
 Release:        0
 Source:         libica-%{version}.tgz
 Source1:        libica-SuSE.tar.bz2
@ -35,11 +35,6 @@ Source4:        README.SUSE
 Source5:        sysconfig.z90crypt
 Source6:        baselibs.conf
 Source7:        %{name}-rpmlintrc
 Patch1:         fix-initialization-of-s390-hardware-switches-1.patch
 Patch2:         fix-initialization-of-s390-hardware-switches-2.patch
 Patch3:         rng-performance.patch
 Patch4:         fix-segfault-during-multithread-keygen.patch
 Patch5:         fix-msa-level-detection.patch
 Url:            http://sourceforge.net/projects/opencryptoki/files/libica
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -51,15 +46,11 @@ This package contains the interface library routines used by IBM
 modules to interface with the IBM eServer Cryptographic Accelerator
 (ICA).
-%package -n libica2
+%package -n libica3
 Summary:        Library interface for the IBM Cryptographic Accelerator
 Group:          System/Libraries
 Obsoletes:      libica-2_1_0 < %{version}-%{release}
 Provides:       libica-2_1_0 = %{version}-%{release}
 Obsoletes:      libica-2_3_0 < %{version}-%{release}
 Provides:       libica-2_3_0 = %{version}-%{release}
-%description -n libica2
+%description -n libica3
 This package contains the interface library routines used by IBM
 modules to interface with the IBM eServer Cryptographic Accelerator
 (ICA).
@ -82,7 +73,7 @@ Obsoletes:      libica-2_1_0-devel < %{version}-%{release}
 Provides:       libica-2_1_0-devel = %{version}-%{release}
 Obsoletes:      libica-2_3_0-devel < %{version}-%{release}
 Provides:       libica-2_3_0-devel = %{version}-%{release}
-Requires:       libica2 = %{version}
+Requires:       libica3 = %{version}
 Requires:       libopenssl-devel
 %description devel
@ -108,11 +99,6 @@ the libica library.
 %prep
 %setup -a 1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %build
 mkdir -p include/linux/
@ -142,12 +128,12 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libica.la
 %restart_on_update boot.z90crypt
 %{insserv_cleanup}
-%post   -n libica2 -p /sbin/ldconfig
+%post   -n libica3 -p /sbin/ldconfig
-%postun -n libica2 -p /sbin/ldconfig
+%postun -n libica3 -p /sbin/ldconfig
-%files -n libica2
+%files -n libica3
 %defattr(-,root,root)
-%{_libdir}/libica.so.2*
+%{_libdir}/libica.so.3*
 %files tools
 %defattr(-, root, root)
--- a/rng-performance.patch
+++ b/rng-performance.patch
@ -1,35 +0,0 @@
 Index: libica-2.6.2/src/s390_prng.c
 ===================================================================
 --- libica-2.6.2.orig/src/s390_prng.c
 +++ libica-2.6.2/src/s390_prng.c
@@ -76,10 +76,9 @@ int s390_prng_init(void)
 	// available. However, the old prng is still initialized but
 	// only used as a fallback.
 	if(sha512_switch || sha512_drng_switch){
 -		const char *pers = "ica_drbg_global";
 		ica_drbg_instantiate(&ica_drbg_global, 256, true,
 -				     ICA_DRBG_SHA512, (unsigned char *)pers,
 -				     strlen(pers));
 +				     ICA_DRBG_SHA512,
 +				     (unsigned char *)"GLOBAL INSTANCE", 15);
 	}
 	// The old prng code starts here:
@@ -181,7 +180,7 @@ int s390_prng(unsigned char *output_data
 		unsigned char *ptr = output_data;
 		size_t i = 0;
 		for(; i < q; i++){
 -			status = ica_drbg_generate(ica_drbg_global, 256, true,
 +			status = ica_drbg_generate(ica_drbg_global, 256, false,
 						   NULL, 0, ptr,
 						   ICA_DRBG_SHA512
 						   ->max_no_of_bytes_per_req);
@@ -191,7 +190,7 @@ int s390_prng(unsigned char *output_data
 			ptr += ICA_DRBG_SHA512->max_no_of_bytes_per_req;
 		}
 		if(!status){
 -			status = ica_drbg_generate(ica_drbg_global, 256, true,
 +			status = ica_drbg_generate(ica_drbg_global, 256, false,
 						   NULL, 0, ptr, r);
 			if(!status)
 				return 0;