rpm/libica
SHA256
1
0
Fork 0
forked from pool/libica
Code Pull Requests Activity

Accepting request 530010 from devel:openSUSE:Factory

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/530010
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=6
This commit is contained in:
Dominique Leuenberger 2017-10-02 14:53:47 +00:00 committed by Git OBS Bridge
commit f84fb246a9
8 changed files with 28 additions and 329 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
View File

@ -1,110 +0,0 @@
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Subject: fix old aes-gcm decrypt code path.
Patch-mainline: v3.1.1
Git-commit: b95a9fd29fbdab9fd201c8f347bd4710d1811ada
References: LTC#158531
Description: libica: AES-GCM/CCM sometimes compute wrong tag values
Symptom: When the tag values of (unmodified) data are wrong, it is
(wrongly) indicated that the data has been modified.
Problem: With AES-GCM in-place decryption, the tag is computed from the
plaintext. With AES-CCM in-place encryption, the tag is computed
from the ciphertext.
Solution: AES-GCM decryption always computes the tag from the ciphertext.
AES-CCM encryption always computes the tag from the plaintext.
Reproduction: When used with the ibmca 1.4 openssl engine (which enables
libica's AES-GCM for libcrypto): (1) A SSH connection fails
using an AES-GCM based cipher-suite, (2) A connection of
openssl's s_client and s_server using an AES-GCM based
cipher-suite fails.
Upstream-Description:
fix old aes-gcm decrypt code path.
The old aes-gcm decrypt code was like pt<-dec(ct), tag<-mac(ct).
So in case of "in-place" decryption (pt=ct), the tag was computed
from the plaintext.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/include/s390_gcm.h | 41 ++++++++++++++++++++++++++---------------
1 file changed, 26 insertions(+), 15 deletions(-)
--- a/src/include/s390_gcm.h
+++ b/src/include/s390_gcm.h
@@ -321,8 +321,14 @@ static inline int s390_gcm(unsigned int
memcpy(tmp_ctr, j0, AES_BLOCK_SIZE);
__inc_aes_ctr((struct uint128 *)tmp_ctr, GCM_CTR_WIDTH);
- /* en-/decrypt payload */
if (function_code % 2) {
+ /* mac */
+ rc = s390_gcm_authenticate(ciphertext, text_length,
+ aad, aad_length,
+ subkey_h, tmp_tag);
+ if (rc)
+ return rc;
+
/* decrypt */
rc = s390_aes_ctr(UNDIRECTED_FC(function_code),
ciphertext, plaintext, text_length,
@@ -336,14 +342,14 @@ static inline int s390_gcm(unsigned int
key, tmp_ctr, GCM_CTR_WIDTH);
if (rc)
return rc;
- }
- /* generate authentication tag */
- rc = s390_gcm_authenticate(ciphertext, text_length,
- aad, aad_length,
- subkey_h, tmp_tag);
- if (rc)
- return rc;
+ /* mac */
+ rc = s390_gcm_authenticate(ciphertext, text_length,
+ aad, aad_length,
+ subkey_h, tmp_tag);
+ if (rc)
+ return rc;
+ }
/* encrypt tag */
return s390_aes_ctr(UNDIRECTED_FC(function_code),
@@ -393,8 +399,13 @@ static inline int s390_gcm_intermediate(
if (!msa4_switch)
return EPERM;
- /* en-/decrypt payload */
if (function_code % 2) {
+ /* mac */
+ rc = s390_gcm_authenticate_intermediate(ciphertext, text_length, aad,
+ aad_length, subkey, tag);
+ if (rc)
+ return rc;
+
/* decrypt */
rc = s390_aes_ctr(UNDIRECTED_FC(function_code), ciphertext, plaintext,
text_length, key, ctr, GCM_CTR_WIDTH);
@@ -406,13 +417,13 @@ static inline int s390_gcm_intermediate(
text_length, key, ctr, GCM_CTR_WIDTH);
if (rc)
return rc;
- }
- /* generate authentication tag */
- rc = s390_gcm_authenticate_intermediate(ciphertext, text_length, aad,
- aad_length, subkey, tag);
- if (rc)
- return rc;
+ /* mac */
+ rc = s390_gcm_authenticate_intermediate(ciphertext, text_length, aad,
+ aad_length, subkey, tag);
+ if (rc)
+ return rc;
+ }
return 0;
}

81
libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
View File

@ -1,81 +0,0 @@
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Subject: fix aes-ccm encrypt code path.
Patch-mainline: v3.1.1
Git-commit: d901d1c06b1a5e3717907e3a8b32d4bb8f3cc03b
References: LTC#158531
Description: libica: AES-GCM/CCM sometimes compute wrong tag values
Symptom: When the tag values of (unmodified) data are wrong, it is
(wrongly) indicated that the data has been modified.
Problem: With AES-GCM in-place decryption, the tag is computed from the
plaintext. With AES-CCM in-place encryption, the tag is computed
from the ciphertext.
Solution: AES-GCM decryption always computes the tag from the ciphertext.
AES-CCM encryption always computes the tag from the plaintext.
Reproduction: When used with the ibmca 1.4 openssl engine (which enables
libica's AES-GCM for libcrypto): (1) A SSH connection fails
using an AES-GCM based cipher-suite, (2) A connection of
openssl's s_client and s_server using an AES-GCM based
cipher-suite fails.
Upstream-Description:
fix aes-ccm encrypt code path.
The aes-ccm encrypt code was like ct<-enc(pt), tag<-mac(pt). So in
case of "in-place" encryption (pt=ct), the tag was computed from
the ciphertext.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/include/s390_ccm.h | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
--- a/src/include/s390_ccm.h
+++ b/src/include/s390_ccm.h
@@ -314,7 +314,26 @@ static inline unsigned int s390_ccm(unsi
key, cipher_ctr, ccm_ctr_width);
if (rc)
return rc;
+ /* mac */
+ rc = s390_ccm_authenticate(UNDIRECTED_FC(function_code),
+ payload, payload_length,
+ assoc_data, assoc_data_length,
+ nonce, nonce_length,
+ tag, mac_length,
+ key, fc_to_key_length(function_code));
+ if (rc)
+ return rc;
} else {
+ /* mac */
+ rc = s390_ccm_authenticate(UNDIRECTED_FC(function_code),
+ payload, payload_length,
+ assoc_data, assoc_data_length,
+ nonce, nonce_length,
+ tag, mac_length,
+ key, fc_to_key_length(function_code));
+ if (rc)
+ return rc;
+
/*encrypt */
rc = s390_aes_ctr(UNDIRECTED_FC(function_code),
payload, ciphertext, payload_length,
@@ -324,16 +343,6 @@ static inline unsigned int s390_ccm(unsi
}
}
- /* generate tag */
- rc = s390_ccm_authenticate(UNDIRECTED_FC(function_code),
- payload, payload_length,
- assoc_data, assoc_data_length,
- nonce, nonce_length,
- tag, mac_length,
- key, fc_to_key_length(function_code));
- if (rc)
- return rc;
-
/* encrypt tag into mac */
return s390_aes_ctr(UNDIRECTED_FC(function_code),
tag, mac, mac_length,

48
libica-3.0.2-03-fix-aes-ctr.patch
View File

@ -1,48 +0,0 @@
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Subject: fix aes-ctr.
Patch-mainline: v3.1.1
Git-commit: 6b9da36a0e616025bc80615d66ba735ec558e263
References: LTC#158531
Description: libica: AES-GCM/CCM sometimes compute wrong tag values
Symptom: When the tag values of (unmodified) data are wrong, it is
(wrongly) indicated that the data has been modified.
Problem: With AES-GCM in-place decryption, the tag is computed from the
plaintext. With AES-CCM in-place encryption, the tag is computed
from the ciphertext.
Solution: AES-GCM decryption always computes the tag from the ciphertext.
AES-CCM encryption always computes the tag from the plaintext.
Reproduction: When used with the ibmca 1.4 openssl engine (which enables
libica's AES-GCM for libcrypto): (1) A SSH connection fails
using an AES-GCM based cipher-suite, (2) A connection of
openssl's s_client and s_server using an AES-GCM based
cipher-suite fails.
Upstream-Description:
fix aes-ctr.
aes-ctr incremented the counter even if it was called with zero
input. aes-gcm with non-zero aad and zero pt/ct (ghash) called
aes-ctr with zero input, whereby the counter was erroneously
incremented.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/include/s390_aes.h | 3 +++
1 file changed, 3 insertions(+)
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -110,6 +110,9 @@ static inline int s390_aes_ctr(unsigned
int rc = 0;
+ if (data_length == 0)
+ return 0;
+
if (data_length <= AES_BLOCK_SIZE) {
/* short message handling */
rc = s390_aes_ctrlist(fc, data_length, in_data, ctr,

75
libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
View File

@ -1,75 +0,0 @@
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Subject: fix aes-gcm to allow zero pt/ct length.
Patch-mainline: v3.1.1
Git-commit: 089670367c8f645fcf5e4f8e59640877d2400ce4
References: LTC#158531
Description: libica: AES-GCM/CCM sometimes compute wrong tag values
Symptom: When the tag values of (unmodified) data are wrong, it is
(wrongly) indicated that the data has been modified.
Problem: With AES-GCM in-place decryption, the tag is computed from the
plaintext. With AES-CCM in-place encryption, the tag is computed
from the ciphertext.
Solution: AES-GCM decryption always computes the tag from the ciphertext.
AES-CCM encryption always computes the tag from the plaintext.
Reproduction: When used with the ibmca 1.4 openssl engine (which enables
libica's AES-GCM for libcrypto): (1) A SSH connection fails
using an AES-GCM based cipher-suite, (2) A connection of
openssl's s_client and s_server using an AES-GCM based
cipher-suite fails.
Upstream-Description:
fix aes-gcm to allow zero pt/ct length.
In case of zero pt/ct lenght, only aad is processed (ghash).
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/ica_api.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1750,9 +1750,16 @@ unsigned int ica_aes_gcm(unsigned char *
return EACCES;
#endif /* ICA_FIPS */
- if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, iv, key_length,
- key, ciphertext))
- return EINVAL;
+ if (plaintext_length != 0) {
+ if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, iv, key_length,
+ key, ciphertext))
+ return EINVAL;
+ } else {
+ /* If only aad is processed (ghash), pt/ct may be NULL. */
+ if (check_aes_parms(MODE_GCM, plaintext_length, (unsigned char *)1,
+ iv, key_length, key, (unsigned char *)1))
+ return EINVAL;
+ }
if (check_gcm_parms(plaintext_length, aad, aad_length, tag, tag_length, iv_length))
return EINVAL;
@@ -1825,9 +1832,16 @@ unsigned int ica_aes_gcm_intermediate(un
return EACCES;
#endif /* ICA_FIPS */
- if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, cb, key_length,
- key, ciphertext))
- return EINVAL;
+ if (plaintext_length != 0) {
+ if (check_aes_parms(MODE_GCM, plaintext_length, plaintext, cb, key_length,
+ key, ciphertext))
+ return EINVAL;
+ } else {
+ /* If only aad is processed (ghash), pt/ct may be NULL. */
+ if (check_aes_parms(MODE_GCM, plaintext_length, (unsigned char *)1,
+ cb, key_length, key, (unsigned char *)1))
+ return EINVAL;
+ }
if (check_gcm_parms(plaintext_length, aad, aad_length, tag, tag_length,
iv_length_dummy))
return EINVAL;

3
libica-3.0.2.tgz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c8af14d8ff87ac7e88400064184dd1d83b23eb2ef3daff1e8072423ab6fe9833
size 204325

3
libica-3.2.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b548095991269ef1ecfa081266ed7f43d46294bde48a0b7a4db63d1c0e212e50
size 428645

22
libica.changes
View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Fri Sep 22 21:27:04 UTC 2017 - mpost@suse.com
- Upgraded to version 3.2 (Fate#321517)
* v3.2.0
[FEATURE] New AES-GCM interface.
[UPDATE] Add symbol versioning.
* v3.1.1
[PATCH] Various bug fixes related to old and new AES-GCM implementations.
[UPDATE] Add SHA3 test cases. Improved and extended test suite.
* v3.1.0
[FEATURE] Add KMA support for AES-GCM.
[FEATURE] Add SHA-3 support.
[PATCH] Reject RSA keys with invalid key-length.
[PATCH] Allow zero output length for ica_random_number_generate.
[PATCH] icastats: Correct owner of shared segment when root creates it.
* Removed the following obsolete patches:
libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
libica-3.0.2-03-fix-aes-ctr.patch
libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com

15
libica.spec
View File

@ -25,9 +25,9 @@ BuildRequires: openssl-devel
Summary: Library interface for the IBM Cryptographic Accelerator device driver Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0 License: CPL-1.0
Group: Hardware/Other Group: Hardware/Other
Version: 3.0.2 Version: 3.2.0
Release: 0 Release: 0
Source: libica-%{version}.tgz Source: libica-%{version}.tar.gz
Source1: libica-SuSE.tar.bz2 Source1: libica-SuSE.tar.bz2
# The icaioctl.h file came from https://sourceforge.net/p/opencryptoki/icadd/ci/master/tree/ # The icaioctl.h file came from https://sourceforge.net/p/opencryptoki/icadd/ci/master/tree/
Source3: icaioctl.h Source3: icaioctl.h
@ -36,12 +36,7 @@ Source5: sysconfig.z90crypt
Source6: baselibs.conf Source6: baselibs.conf
Source7: %{name}-rpmlintrc Source7: %{name}-rpmlintrc
Patch1: libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch Url: https://github.com/opencryptoki/libica
Patch2: libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
Patch3: libica-3.0.2-03-fix-aes-ctr.patch
Patch4: libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
Url: http://sourceforge.net/projects/opencryptoki/files/libica
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq %insserv_prereq PreReq: %fillup_prereq %insserv_prereq
ExclusiveArch: s390 s390x ExclusiveArch: s390 s390x
@ -104,10 +99,6 @@ the libica library.
%prep %prep
%setup -a 1 %setup -a 1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build %build
mkdir -p include/linux/ mkdir -p include/linux/