rpm/libica
SHA256
1
0
Fork 0
forked from pool/libica
Code Pull Requests Activity

Compare commits

merge into: rpm:devel
Branches Tags
rpm:factory rpm:devel pool:slfo-1.2 pool:slfo-main pool:factory pool:devel
...
pull from: pool:factory
Branches Tags
pool:slfo-1.2 pool:slfo-main pool:factory pool:devel rpm:factory rpm:devel

29 Commits
devel ... factory

Author SHA256 Message Date
Dominique Leuenberger
bbec9ddbd1 Accepting request 1296535 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1296535
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=43
 2025-07-31 15:46:05 +00:00
Nikolay Gueorguiev
461e6eb16c - Applied a patch (bsc#1247287) 
* libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
- Added '--with-fips-config=fips_local.cnf' in "%configure"

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=41
 2025-07-30 10:43:10 +00:00
Dominique Leuenberger
93becb17d2 Accepting request 1296092 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1296092
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=42
 2025-07-28 12:59:25 +00:00
Nikolay Gueorguiev
7d5f904152 - Amended the .spec file (bsc#1246541) 
* Added a flag '-DNO_FIPS_CONFIG_LOAD' to CPPFLAGS and CFLAGS
  * Do not ship the config file '/etc/libica/openssl3-fips.cnf'

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=39
 2025-07-28 11:07:32 +00:00
Dominique Leuenberger
43f813bb38 Accepting request 1281372 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1281372
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=41
 2025-05-30 12:40:32 +00:00
Nikolay Gueorguiev
5bc1dfc6bb - Upgrade libica to version 4.4.1 
* Bug fixes 
- Removed obsolete patch
  * libica-fips-update-Fix-bug-in-condition-logic.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=37
 2025-05-30 10:37:05 +00:00
Nikolay Gueorguiev
88aeb53aec - Upgrade libica to version 4.4.1 
* Bug fixes 
- Removed obsolete patch
  * libica-fips-update-Fix-bug-in-condition-logic.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=36
 2025-05-30 10:09:08 +00:00
Nikolay Gueorguiev
383f819724 - Upgrade libica to version 4.4.1 
* Bug fixes 
- Removed obsolete patch
  * libica-fips-update-Fix-bug-in-condition-logic.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=35
 2025-05-30 09:29:44 +00:00
Ana Guerrero
2d36735794 Accepting request 1244061 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1244061
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=40
 2025-02-07 22:05:25 +00:00
Nikolay Gueorguiev
a309387740 - Applied a patch (jsc#PED-10289, jsc#PED-3277) 
* libica-fips-update-Fix-bug-in-condition-logic.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=33
 2025-02-07 07:20:59 +00:00
Ana Guerrero
ba11b9a144 Accepting request 1234137 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1234137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=39
 2025-01-01 22:08:23 +00:00
Nikolay Gueorguiev
e688997ad5 - Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289) 
* Updates for FIPS 140-3 certification 2024
  * Various bug fixes and housekeeping 
- Removed obsolete patches
  * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
  * libica-02-fips-update-Change-service-indicator-implementation.patch
  * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=31
 2024-12-31 10:55:20 +00:00
Ana Guerrero
eb8f219a88 Accepting request 1228239 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1228239
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=38
 2024-12-04 14:27:45 +00:00
Nikolay Gueorguiev
d7e1827e78 - Amended the .spec file (bsc#1234117, bsc#1231999) 
* downgraded libica tools requires down to recommends again
- Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
  * libica-02-fips-update-Change-service-indicator-implementation.patch
  * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
  * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
  * libica-02-fips-update-Change-service-indicator-implementation.patch
- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
  *  Various bug fixes and housekeeping
- Removed obsolete patches
  * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
  * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
  * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
- Amended the .spec file (bsc#1231999)
  * Replaced Recommends libica-tools with Requires
- Applied patches
  * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
  * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
  * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
- Amended the .spec file to enable FIPS
- Upgrade libica to version 2.3.0 (jsc#PED-5446)
  * New API function ica_allow_external_gcm_iv_in_fips_mode
  * Bug fixes
- Upgrade to version 4.2.3 (jsc#PED-5446) 
  * Add OPENSSL_init_crypto in libica constructor
  * Remove deprecated ioctl Z90STAT_STATUS_MASK
  * Bug fixes
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
  - [UPDATE] syslog msgs only in error cases
  - [UPDATE] don't count statistics in fips power-on self tests
  - [PATCH] various fixes and some new tests
- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet
- Prefix /etc/libica with %dir to ensure we don't package
  unversioned files in libica4, as otherwise we violate SLPP.
- Add /etc/libica directory into %files section.
- Upgrade to version 4.2.1 (jsc#PED-2872)
  - [PATCH] fix regression opening shared memory
- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365).
  - [FEATURE] Display build info via icainfo -v
  - [FEATURE] New API function ica_get_build_version()
  - [FEATURE] Display fips indication via icainfo -f
  - [FEATURE] New API function ica_get_fips_indicator()
  - [FEATURE] New API function ica_aes_gcm_initialize_fips()
  - [FEATURE] New API function ica_aes_gcm_kma_get_iv()
  - [FEATURE] New API function ica_get_msa_level()
  - [PATCH] icainfo: check for malloc error when getting functionlist
- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365).
  v4.1.1
   - [PATCH] Fix aes-xts multi-part operations
     [PATCH] Fix make dist
  v4.1.0
   - [FEATURE] FIPS: make libica FIPS 140-3 compliant
     [FEATURE] New API function ica_ecdsa_sign_ex()
     [FEATURE] New icainfo output option -r
   - [PATCH] Various bug fixes
- Removed the following obsolete files:
  baselibs.conf
  icaioctl.h
- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629)
  v4.0.3
   - [PATCH] Reduce the number of open file descriptors
   - [PATCH] Various bug fixes
  v4.0.2
   - [PATCH] Various bug fixes
  v4.0.1
   - [PATCH] Various bug fixes
   - [PATCH] Compute HMAC from installed library
  v4.0.0
   - [UPDATE] NO_SW_FALLBACKS is now the default for libica.so
     [UPDATE] Removed deprecated API functions including tests
     [UPDATE] Introduced 'const' for some API function parameters
     [FEATURE] icastats: new parm -k to display detailed counters
- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated
  version named libica-sles15sp5-FIPS-hmac-key.patch.
- Updated the libica-rpmlintrc file to suppress warnings about the 
  libica-cex hmac files being hidden.
- Updated the spec file to properly both obsolete and provide two
  older versions of the package.
- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564)
  - [FEATURE] Add support for OpenSSL 3.0
  - [FEATURE] icainfo: new parm -c to display available EC curves
- Replaced the obsolete PreReq: %fillup_prereq
  with                  Requires(post): %fillup_prereq
  in the spec file.
- Update to version 3.8.0 (jsc#SLE-18334)
  - [FEATURE] provide libica-cex module to satisfy special security requirements
  - [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
   - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
   - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
   - libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
   * FIPS: Find libica from phdrs.
     - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
   * FIPS: enforce the hmac check
     - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
   + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists
- Upgraded to version 3.7.0 (jsc#SLE-13708)
  * Version 3.7.0
    - [FEATURE] FIPS: Add HMAC based library integrity check
    - [PATCH] icainfo: bugfix for RSA and EC related info for software column.
    - [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
    - [PATCH] FIPS: Fix DES and TDES key length
    - [PATCH] icastats: Fix stats counter format
  * Version 3.6.1
    - [PATCH] Fix x25519 and x448 handling of non-canonical values
- Removed the following obsolete patches
  * libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
  * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
  * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
  * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
  * libica-sles15sp2-Build-with-pthread-flag.patch
  * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
  * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
  * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277)
  * Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
  * Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- Fix FIPS hmac check (bsc#1175356).
  * Update FIPS support to upstream
    - Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
      from upstream.
    - Add libica-sles15sp2-Build-with-pthread-flag.patch
    - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
    - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
    - Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
  * FIPS check should fail when hmac is missing
    - Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
    - Create an hmac for the selftest
    - Check that selftest fails without a hmac
    - Hash libica.so.3 rather than libica.so.3.6.0
  * Fix hmac key format. It should be hexadecimal, not ASCII
    - Refresh libica-sles15sp2-FIPS-hmac-key.patch
- Fix Some internal variables used to store sensitive information
  (keys) were not zeroized before returning to the calling application.
  (bsc#1175357)
  * Added libica-sles15sp2-Zeroize-local-variables.patch
- Updated libica-rpmlintrc to eliminate the warning about the HMAC file
  being a hidden file. It is supposed to be hidden.
- Added the following patches for FIPS certification (bsc#1162533)
  * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
  * libica-sles15sp2-FIPS-hmac-key.patch
- Added a BuildRequires for the fipscheck package.
- Made a couple of changes to the spec file based upon recommendations
  by spec-cleaner.
- Added the following patches for FIPS certification.
  * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
    (bsc#1166071) Although a DES key has only 56 effective bits,
     all 64 bits must be considered, because the parity bits are
     spread over all 8 bytes of the key.
  * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
    (bsc#1166210) FIPS tests require the output iv to be the iv
    resulting from decrypting the last block with a zero iv as input.
  * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
    (bsc#1166224) The output from icainfo never shows 'yes' for
    RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
    due to the missing ICA_FLAG_SW flag in the icaList.
- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
  (bsc#1156768)
- Upgraded to version 3.6.0 (jsc#SLE-7584)
  * [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448
- Upgraded to version 3.5.0 (Fate#327840)
  - [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify
- Reworked how libica-tools loads and unloads kernel modules to
  avoid spurious error messages (bsc#1134004):
  * Converted the boot.z90crypt sysV init script to a systemd unit
  file.
  * Removed any references to insserv in the spec file.
  * Updated the z90crypt script itself to properly load and unload
  the kernel modules as they exist today.
  * Eliminated the obsolete libica-SuSE.tar.bz2 archive.
- Updated the README.SUSE file to reflect the change from sysV init
  style script to systemd.
- Made numerous changes to the spec file, based on the output from
  the spec-cleaner command.
- Run testsuite during build
- Upgraded to version 3.4.0 (Fate#325690)
  * v3.4.0
    [FEATURE] Add SHA-512/224 and SHA-512/256 support
- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch
- Made numerous updates to spec file based on spec-cleanup run.
- Upgraded to version 3.3.3 (Fate#325690)
  * v3.3.3
    [PATCH] Various bug fixes
  * v3.3.2
    [PATCH] Skip ECC tests if required HW is not available
    [PATCH] Update spec file
  * v3.3.1
    [PATCH] Fix configure.ac to honour CFLAGS
  * v3.3.0
    [FEATURE] Add CEX supported elliptic-curve crypto interfaces
    [FEATURE] Add SIMD supported multiple-precision arithmetic interfaces
    [FEATURE] Add interface to enable/disable SW fallbacks
    [FEATURE] Add 'make check' target, test-suite rework
  * v3.2.1
    [FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG.
    [PATCH] Various bug fixes.
- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch
- Removed COPYING from %files, since it is no longer in the tarball.
- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch
  (bsc#1103493).
- Made multiple changes to the spec file based on the output of
  spec-cleaner
- Added "Obsoletes: libica-2_3_0" to the libica-tools package to
  fix a problem with upgrading from SLES12 SP2 to either SLES12
  SP3/SP4, or SLES15. (bsc#1112655)
- Added "Obsoletes: libica2" to the libica-tools package to fix
  a problem with upgrading from SLES12 SP2 to either SLES12
  SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638)
- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756)
- Updated boot.z90crypt script to fix a problem with the modprobe
  command not being found. (bsc#1040229).
- Added "Recommends: libica-tools" (bsc#1046435).
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
- Added "--enable-fips" to the %configure parms (Fate#324115)
- Upgraded to version 3.2 (Fate#321517)
  * v3.2.0
    [FEATURE] New AES-GCM interface.
    [UPDATE] Add symbol versioning.
  * v3.1.1
    [PATCH] Various bug fixes related to old and new AES-GCM implementations.
    [UPDATE] Add SHA3 test cases. Improved and extended test suite.
  * v3.1.0
    [FEATURE] Add KMA support for AES-GCM.
    [FEATURE] Add SHA-3 support.
    [PATCH] Reject RSA keys with invalid key-length.
    [PATCH] Allow zero output length for ica_random_number_generate.
    [PATCH] icastats: Correct owner of shared segment when root creates it.
  * Removed the following obsolete patches:
    libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
    libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
    libica-3.0.2-03-fix-aes-ctr.patch
    libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567)
  - Added the following patches (bsc#1058567)
    - libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
    - libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
    - libica-3.0.2-03-fix-aes-ctr.patch
    - libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
- baselibs.conf doesn't need any additional provides/conflicts for
  libica3.
- Update baselibs.conf with proper name for library package name,
  stop providing/obsoleting libica-2_1_0/libica-2_3-0.
- Upgraded to version 3.0.2 (Fate#322025).
  - v3.0.2
    - Fix locking callbacks for openSSL APIs.
  - v3.0.1
    - Fixed msa level detection on zEC/BC12 GA1 and predecessors.
  - v3.0.0
    - Added FIPS mode.
    - Sanitized exported symbols.
    - Removed deprecated APIs. Marked some APIs as deprecated.
    - Adapted to OpenSSL v1.1.0.
    - RSA key generation is thread-safe now.
- Removed the following obsolete patches:
  - fix-initialization-of-s390-hardware-switches-1.patch
  - fix-initialization-of-s390-hardware-switches-2.patch
  - fix-msa-level-detection.patch
  - fix-segfault-during-multithread-keygen.patch
  - rng-performance.patch
- Made the following packaging changes:
  - Implemented the shared library packaging guidelines.
  - Consolidated double invocation of %setup into just one.
  - Dropped redundant %ifarch, the package is already ExclusiveArch.
  - Updated descriptions.
- Added an libica-rpmlintrc file.
- Added the following two patches:
  - fix-segfault-during-multithread-keygen.patch (bsc#991485)
  - fix-msa-level-detection.patch (bsc#1010927)
- Added rng-performance.patch (bsc#990850).
- Updated baselibs.conf to obsolete prior versions of the 32bit
  package. (bsc#983897):
   provides "libica-<targettype> = <version>"
   obsoletes "libica-<targettype> < <version>"
   provides "libica-2_1_0-<targettype> = <version>"
   obsoletes "libica-2_1_0-<targettype> < <version>"
   provides "libica-2_3_0-<targettype> = <version>"
   obsoletes "libica-2_3_0-<targettype> < <version>"
- Added fix-initialization-of-s390-hardware-switches-1.patch and
  fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548)
- Upgraded to version 2.6.2 (FATE#319610).
- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to
  naming standards.
- Found the original location of the icaioctl.h file and downloaded
  it to replace what we had previously.
- Removed the unnecessary libica2.la file
- Removed unnecessary Requires for glibc-devel
- Added Requires libica2 to the -devel package
- Converted call to configure to %configure macro
- Removed obsolete and unnecessary INSROOT and bindir parameters
  from the make install command
- Add Provides/Obsoletes for libica-2_3_0 so that the package from
  SLE12 GA is replaced (bsc#953096).
- move the .so file to the mainpackage, the openssl-ibmca engine
  will only load "libica.so" (bsc#952871)
- Update to libica v2.4.2 (FATE#318035)
- Removed outdated libica-aes_ccm-31-bit-compatibility.patch
- Moved init script into libica-SuSE.tar.bz2 archive
- sanitize release line in specfile
- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root
- Removed libica-SuSE.tar.bz2
- z90crypt now starts and stops ap kernel module (bnc#888943)
- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM:
  fixed 64/31 bit compatibility
- add obsoletes and provides for older libica versions 
- update to 2.3.0 (fate#315342) 
- obsolete/upstreamed patches:
  libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch
  libica-2_1_0-msa4-extension.patch
  libica-2_1_0-synchronize_shared_memory_ref_counting.patch
- Added COPYING to %files
- Fixed build dependency errors by requiring autoconf, automake
  and libtool
- Changed license to CPL-1.0
- Created devel package
- Support for MSA4 extension (bnc#794518, fate#314078)
- synchronize shared memory reference counting for library
  statistics (bnc#719659)
- fix temporary buffer allocation in ica_get_version() (bnc#719660)
- update -> 2.1.0 (fate#311914)
- Moved icainfo into /usr/bin (bnc#448643)
- obsolete old -XXbit packages (bnc#437293)
- fix build on all platforms 
- Added CPL license to include/z90crypt.h, removed GPL reference
  (This patch is upstream)
- Changed package name to libica-1_3_9 to conform to rpmlint
  requirements. (bnc#433432)
- Removed soname filter for rpmlint
- Several RPM fixes to help satisfy rpmlint
- Updated to libica 1.3.9
- added baselibs.conf file to build xxbit packages
  for multilib support
- remove inclusion of linux/config.h
- z90crypt: handle errors (bug #247799)
- Add gcc-c++ to BuildRequires.
- fix build for the rest of platforms 
- Update to libica 1.3.7 (#160036 - LTC22571)
- Increasing # of open handles with symmetric crypto support
  (#165323 - LTC23095)
- converted neededforbuild to BuildRequires
- include string.h and unistd.h in icalinux.c 
- Port package from SLES9 SP3
- Update to libica 1.3.6-rc3.
- Close all filehandles (#130060 - LTC19221).
- downgrade to libica 1.3.6-rc2 (contains AES software fallback,
  bug #117336)
- Update to libica 1.3.6 (#117336)
- fix implicit declaration 
- Changing the default value from 0 to -1 in rcz90crypt (#114371) 
- Finally fix 'reload' messages (#81824 - LTC15733).
- Fix sigill patch.
- Remove printf output from sigill patch (#81829 - LTC15731).
- Use correct default value for z90crypt (#81825 - LTC15732).
- Fix messages for 'reload' (#81824 - LTC15733).
- Fixed SIGILL on z900 (#46422).
- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005).
- Fix module loading error (#42006).
- Add sysconfig variable to set the 'domain' parameter (#42005).
- update -> 1.3.5-3 (bug #42122)
- Update README.SuSE and correct name as well
- Use modprobe instead of insmod and fix module load error(#40526)
- Fix error checking for no hardware found case and hw error on load
- Update Readme again for the correct name (SUSE LINUX Server).
- Moved README.SuSE to README.SUSE.
- Update Readme to refer to the correct name (SUSE Linux Server).
- Update to 1.3.5-2 (#38511, #39693).
- Update Readme to refer to SUSE Linux Server instead of
  SuSE Linux Enterprise Server.
- Update to 1.3.5
- export CFLAGS & CPPFLAGS for configure
- Exclude S/390-specific files for other archs (#37183) 
- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS
- fix build
- build as user
- update to 1.3.4
- update to 1.3.2
- update to 1.3.1:
  now supports DES, TDES and SHA, as well as RSA.
- throw libica.patch away, since autoversion and Makefile.am have
  similar changes now, and the renaming from _LINUX_S390_ to
  __s390__ is not really necessary
- use %defattr
- checked that icaioctl.h is still current
- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone
  open source meanwhile and comes with the kernel sources
- added documentation how to set up crypto hardware support,
  esp. S/390 and zSeries. (#16011, #22056)
- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5
  actually work. (#20737)
- Correct PreReq
- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and
  to build on non-s390
- updated to current libica
- hacked in icaioctl.h for build, 'til we have the module in the
  kernel.
- add %run_ldconfig
- fix for current automake/autoconf
- removed old fillup-template and START_ variable 
- modified etc/init.d/z90crypt-script to report result at start.
- Added openssl to #neededforbuild, which is needed in addition to
  openssl-devel
- initial version

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=29
 2024-12-04 08:59:06 +00:00
Nikolay Gueorguiev
a3db504f08 - Amended the .spec file (bsc#1234117, bsc#1231999) 
* moved .so symlink to main libica4 / libica4-openssl1 packages
  * downgraded libica tools requires down to recommends again

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=28
 2024-12-04 07:33:17 +00:00
Ana Guerrero
d6632a5ee5 Accepting request 1223882 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1223882
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=37
 2024-11-13 14:29:20 +00:00
Nikolay Gueorguiev
7428af8575 - Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305) 
* libica-02-fips-update-Change-service-indicator-implementation.patch
  * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=26
 2024-11-13 09:12:54 +00:00
Ana Guerrero
8937625a46 Accepting request 1221422 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1221422
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=36
 2024-11-05 14:42:24 +00:00
Nikolay Gueorguiev
4af0aa7796 - Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305) 
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
  * libica-02-fips-update-Change-service-indicator-implementation.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=24
 2024-11-05 12:33:33 +00:00
Ana Guerrero
c29bfa8528 Accepting request 1218932 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1218932
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=35
 2024-10-29 13:36:27 +00:00
Nikolay Gueorguiev
68657232eb - Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276) 
*  Various bug fixes and housekeeping
- Removed obsolete patches
  * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
  * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
  * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=22
 2024-10-29 06:41:24 +00:00
Ana Guerrero
dcaf84635d Accepting request 1217282 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1217282
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=34
 2024-10-23 19:12:00 +00:00
Nikolay Gueorguiev
96a0b76e05 - Amended the .spec file (bsc#1231999) 
* Replaced Recommends libica-tools with Requires

OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=20
 2024-10-23 09:35:56 +00:00
Ana Guerrero
7870ea3fd9 Accepting request 1185106 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1185106
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=33
 2024-07-03 18:30:45 +00:00
Ana Guerrero
00d51c1b2e Accepting request 1142194 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1142194
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=32
 2024-01-29 21:29:25 +00:00
Ana Guerrero
0c6f4d173f Accepting request 1117652 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1117652
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=31
 2023-10-13 21:15:35 +00:00
Dominique Leuenberger
63b7a0c64c Accepting request 1088689 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1088689
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=30
 2023-05-24 18:22:26 +00:00
Dominique Leuenberger
3753113a93 Accepting request 1084581 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1084581
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=29
 2023-05-04 15:11:08 +00:00
Dominique Leuenberger
7c47619fb7 Accepting request 1083312 from security:tls 
OBS-URL: https://build.opensuse.org/request/show/1083312
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=28
 2023-04-27 18:02:58 +00:00
8 changed files with 139 additions and 502 deletions
Expand all files Collapse all files

40
libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
View File

@@ -1,40 +0,0 @@
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
From: Holger Dengler <dengler@linux.ibm.com>
Date: Tue, 16 Apr 2024 14:18:23 +0200
Subject: [PATCH] test: disable CEX usage in OpenSSL for all tests
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
testcases use OpenSSL as helper and fallback, so disable the CEX
acceleration for all tests.
If the environment variable is already set, use it as is without
modifying it. In this case, it is up to the user to choose the right
settings.
Fixes: Issue #126
Link: https://github.com/opencryptoki/libica/issues/126
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
test/Makefile.am | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/Makefile.am b/test/Makefile.am
index 76d4f15..e56b256 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -61,10 +61,14 @@ TESTS += \
${top_builddir}/src/internal_tests/ec_internal_test
endif
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
TEST_EXTENSIONS = .sh .pl
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
PATH=${builddir}/../src/:$$PATH \
- LIBICA_TESTDATA=${srcdir}/testdata/;
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread

83
libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
View File

@@ -1,83 +0,0 @@
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 24 Apr 2024 10:44:26 +0200
Subject: [PATCH] Bugfix: correct rc handling with s390_pcc function
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_aes.h | 2 +-
src/include/s390_cmac.h | 2 +-
src/include/s390_crypto.h | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 6252dde0..a6ff27bd 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
memset(&parm_block.keys, 0, key_size);
- if (rc >= 0) {
+ if (rc == 0) {
memcpy(xts_parm, parm_block.xts_parameter,
sizeof(ica_aes_vector_t));
return 0;
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
index 76b9cca5..f19c069d 100644
--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
/* calculate final block (last/full) */
rc = s390_pcc(fc, pb_lookup.base);
memset(pb_lookup.keys, 0, key_size);
- if (rc < 0)
+ if (rc != 0)
return EIO;
_stats_increment(fc, ALGO_HW, ENCRYPT);
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f34241fd..f11eacb2 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
/**
* s390_pcc:
- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
* @param: address of parameter block; see POP for details on each func
*
* Executes the PCC operation of the CPU.
*
- * Returns -1 for failure, 0 for the query func, number of processed
- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
*/
static inline int s390_pcc(unsigned long func, void *param)
{
register unsigned long r0 asm("0") = (unsigned long)func;
register unsigned long r1 asm("1") = (unsigned long)param;
+ char cc;
- asm volatile (
- "0: .long %[opc] << 16\n"
- " brc 1,0b\n"
- :
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
- : "cc", "memory");
+ asm volatile(
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " ipm %[cc]\n"
+ " srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+ : "cc", "memory"
+ );
- return 0;
+ return cc;
}
/**

366
libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
View File

@@ -1,366 +0,0 @@
From 900557435b85f2fa6446bf9d62e80d58eff4bfbe Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 19 Jun 2024 12:34:26 +0200
Subject: [PATCH] Use __asm__ instead of asm
The asm keyword is a GNU extension. When writing code that can be compiled with
-ansi and the various -std options, use __asm__ instead of asm.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_crypto.h | 194 +++++++++++++++++++-------------------
1 file changed, 97 insertions(+), 97 deletions(-)
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f11eacb..6ef4728 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -253,11 +253,11 @@ void s390_crypto_switches_init(void);
*/
static inline int s390_pcc(unsigned long func, void *param)
{
- register unsigned long r0 asm("0") = (unsigned long)func;
- register unsigned long r1 asm("1") = (unsigned long)param;
+ register unsigned long r0 __asm__("0") = (unsigned long)func;
+ register unsigned long r1 __asm__("1") = (unsigned long)param;
char cc;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
" brc 1,0b\n" /* handle partial completion */
" ipm %[cc]\n"
@@ -285,12 +285,12 @@ static inline int s390_pcc(unsigned long func, void *param)
static inline int s390_kmac(unsigned long func, void *param,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre, 0xb91e0000,%0,%0 \n"
" brc 1, 0b \n"
: "+a"(__src), "+d"(__src_len)
@@ -318,15 +318,15 @@ static inline int s390_kma(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len,
const unsigned char *aad, long aad_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
- register const unsigned char *__aad asm("6") = aad;
- register long __aad_len asm("7") = aad_len;
-
- asm volatile(
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
+ register const unsigned char *__aad __asm__("6") = aad;
+ register long __aad_len __asm__("7") = aad_len;
+
+ __asm__ volatile(
"0: .insn rrf,0xb9290000,%2,%0,%3,0 \n"
"1: brc 1,0b \n" /* handle partial completion */
: "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__aad), "+d" (__aad_len)
@@ -353,14 +353,14 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des
const unsigned char *src, long src_len,
unsigned char *counter)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
- register unsigned char *__ctr asm("6") = counter;
-
- asm volatile(
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
+ register unsigned char *__ctr __asm__("6") = counter;
+
+ __asm__ volatile(
"0: .insn rrf,0xb92d0000,%2,%0,%3,0 \n"
"1: brc 1,0b \n"
: "+a" (__src), "+d" (__src_len), "+a" (__dest), "+a" (__ctr)
@@ -386,13 +386,13 @@ static inline int s390_kmctr(unsigned long func, void *param, unsigned char *des
static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len, unsigned int *lcfb)
{
- register long __func asm("0") = ((*lcfb & 0x000000ff) << 24) | func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = ((*lcfb & 0x000000ff) << 24) | func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb92a0000,%2,%0 \n"
" brc 1,0b \n"
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -418,13 +418,13 @@ static inline int s390_kmf(unsigned long func, void *param, unsigned char *dest,
static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre, 0xb92b0000,%2,%0 \n"
" brc 1, 0b \n"
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -450,13 +450,13 @@ static inline int s390_kmo(unsigned long func, void *param, unsigned char *dest,
static inline int s390_km(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb92e0000,%2,%0 \n" /* KM opcode */
" brc 1,0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -482,13 +482,13 @@ static inline int s390_km(unsigned long func, void *param, unsigned char *dest,
static inline int s390_kmc(unsigned long func, void *param, unsigned char *dest,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
- register unsigned char *__dest asm("4") = dest;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
+ register unsigned char *__dest __asm__("4") = dest;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre, 0xb92f0000,%2,%0 \n" /* KMC opcode */
" brc 1, 0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len), "+a"(__dest)
@@ -515,15 +515,15 @@ static inline int s390_kimd_shake(unsigned long func, void *param,
unsigned char *dest, long dest_len,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register unsigned char *__dest asm("2") = dest;
- register long __dest_len asm("3") = dest_len;
- register const unsigned char *__src asm("4") = src;
- register long __src_len asm("5") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register unsigned char *__dest __asm__("2") = dest;
+ register long __dest_len __asm__("3") = dest_len;
+ register const unsigned char *__src __asm__("4") = src;
+ register long __src_len __asm__("5") = src_len;
int ret = -1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,0xb93e0000,%1,%5\n\t" /* KIMD opcode */
" brc 1,0b\n\t" /* handle partial completion */
" la %0,0\n\t"
@@ -538,12 +538,12 @@ static inline int s390_kimd_shake(unsigned long func, void *param,
static inline int s390_kimd(unsigned long func, void *param,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb93e0000,%0,%0 \n" /* KIMD opcode */
" brc 1,0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len)
@@ -569,15 +569,15 @@ static inline int s390_klmd_shake(unsigned long func, void *param,
unsigned char *dest, long dest_len,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register unsigned char *__dest asm("2") = dest;
- register long __dest_len asm("3") = dest_len;
- register const unsigned char *__src asm("4") = src;
- register long __src_len asm("5") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register unsigned char *__dest __asm__("2") = dest;
+ register long __dest_len __asm__("3") = dest_len;
+ register const unsigned char *__src __asm__("4") = src;
+ register long __src_len __asm__("5") = src_len;
int ret = -1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,0xb93f0000,%1,%5\n\t" /* KLMD opcode */
" brc 1,0b\n\t" /* handle partial completion */
" la %0,0\n\t"
@@ -592,12 +592,12 @@ static inline int s390_klmd_shake(unsigned long func, void *param,
static inline int s390_klmd(unsigned long func, void *param,
const unsigned char *src, long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register const unsigned char *__src asm("2") = src;
- register long __src_len asm("3") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register const unsigned char *__src __asm__("2") = src;
+ register long __src_len __asm__("3") = src_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb93f0000,%0,%0 \n" /* KLMD opcode */
" brc 1,0b \n" /* handle partial completion */
: "+a"(__src), "+d"(__src_len)
@@ -624,13 +624,13 @@ static inline int s390_klmd(unsigned long func, void *param,
static inline int s390_kdsa(unsigned long func, void *param,
const unsigned char *src, unsigned long srclen)
{
- register unsigned long r0 asm("0") = (unsigned long)func;
- register unsigned long r1 asm("1") = (unsigned long)param;
- register unsigned long r2 asm("2") = (unsigned long)src;
- register unsigned long r3 asm("3") = (unsigned long)srclen;
+ register unsigned long r0 __asm__("0") = (unsigned long)func;
+ register unsigned long r1 __asm__("1") = (unsigned long)param;
+ register unsigned long r2 __asm__("2") = (unsigned long)src;
+ register unsigned long r3 __asm__("3") = (unsigned long)srclen;
unsigned long rc = 1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,%[__opc] << 16,0,%[__src]\n"
" brc 1,0b\n" /* handle partial completion */
" brc 7,1f\n"
@@ -668,15 +668,15 @@ static inline int s390_ppno(long func,
const unsigned char *src,
long src_len)
{
- register long __func asm("0") = func;
- register void *__param asm("1") = param;
- register unsigned char *__dest asm("2") = dest;
- register long __dest_len asm("3") = dest_len;
- register const unsigned char *__src asm("4") = src;
- register long __src_len asm("5") = src_len;
+ register long __func __asm__("0") = func;
+ register void *__param __asm__("1") = param;
+ register unsigned char *__dest __asm__("2") = dest;
+ register long __dest_len __asm__("3") = dest_len;
+ register const unsigned char *__src __asm__("4") = src;
+ register long __src_len __asm__("5") = src_len;
int ret = -1;
- asm volatile(
+ __asm__ volatile(
"0: .insn rre,0xb93c0000,%1,%5\n\t" /* PPNO opcode */
" brc 1,0b\n\t" /* handle partial completion */
" la %0,0\n\t"
@@ -701,13 +701,13 @@ static inline int s390_ppno(long func,
static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len,
unsigned char *cbuf, unsigned long cbuf_len)
{
- register unsigned long r0 asm("0") = (unsigned long) S390_CRYPTO_TRNG;
- register unsigned long r2 asm("2") = (unsigned long) ucbuf;
- register unsigned long r3 asm("3") = (unsigned long) ucbuf_len;
- register unsigned long r4 asm("4") = (unsigned long) cbuf;
- register unsigned long r5 asm("5") = (unsigned long) cbuf_len;
+ register unsigned long r0 __asm__("0") = (unsigned long) S390_CRYPTO_TRNG;
+ register unsigned long r2 __asm__("2") = (unsigned long) ucbuf;
+ register unsigned long r3 __asm__("3") = (unsigned long) ucbuf_len;
+ register unsigned long r4 __asm__("4") = (unsigned long) cbuf;
+ register unsigned long r5 __asm__("5") = (unsigned long) cbuf_len;
- asm volatile (
+ __asm__ volatile (
"0: .insn rre,0xb93c0000,%[ucbuf],%[cbuf]\n"
" brc 1,0b\n" /* handle partial completion */
: [ucbuf] "+a" (r2), [ucbuflen] "+d" (r3),
@@ -719,21 +719,21 @@ static inline void cpacf_trng(unsigned char *ucbuf, unsigned long ucbuf_len,
static inline void s390_stckf_hw(void *buf)
{
- asm volatile(".insn s,0xb27c0000,%0"
+ __asm__ volatile(".insn s,0xb27c0000,%0"
: "=Q" (*((unsigned long long *)buf)) : : "cc");
}
static inline void s390_stcke_hw(void *buf)
{
- asm volatile(".insn s,0xb2780000,%0"
+ __asm__ volatile(".insn s,0xb2780000,%0"
: "=Q" (*((unsigned long long *)buf)) : : "cc");
}
static inline int __stfle(unsigned long long *list, int doublewords)
{
- register unsigned long __nr asm("0") = doublewords - 1;
+ register unsigned long __nr __asm__("0") = doublewords - 1;
- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
+ __asm__ volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
: "+d" (__nr) : "a" (list) : "memory", "cc");
return __nr + 1;
@@ -741,7 +741,7 @@ static inline int __stfle(unsigned long long *list, int doublewords)
static inline void s390_flip_endian_32(void *dest, const void *src)
{
- asm volatile(
+ __asm__ volatile(
" lrvg %%r0,0(0,%[__src])\n"
" lrvg %%r1,8(0,%[__src])\n"
" lrvg %%r4,16(0,%[__src])\n"
@@ -757,7 +757,7 @@ static inline void s390_flip_endian_32(void *dest, const void *src)
static inline void s390_flip_endian_64(void *dest, const void *src)
{
- asm volatile(
+ __asm__ volatile(
" lrvg %%r0,0(0,%[__src])\n"
" lrvg %%r1,8(0,%[__src])\n"
" lrvg %%r4,16(0,%[__src])\n"

3
libica-4.3.0.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:112c6136fd5ccfd6a1d33b5fd2427f5fec69aa2a0fc04e80a6ab58d7b9012db3
size 576077

3
libica-4.4.1.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:edc755494797331427c5f7900c7eecd8b5ecd3e69b7502313bf764f490b8e87a
size 579706

52
libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch Normal file
View File

@@ -0,0 +1,52 @@
From 11078c8bcd99f29f2cc7094cdced801a0b53f6df Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 4 Jun 2025 11:17:35 +0200
Subject: [PATCH] CONFIGURE: Make the OpenSSL FIPS config file name
configurable
The name of the OpenSSL FIPS config file may be different on various
distros. It is included in src/openssl3-fips.cnf when used with
OpenSSL 3.0 or later.
To use a specific name:
./configure --enable-fips --with-fips-config=fips_local.cnf
The default remains fipsmodule.cnf. It is only used when --enable-fips
is also specified, and libica is built against OpenSSL 3.0 or later.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 7 +++++++
src/openssl3-fips.cnf.in | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index bb35b867..7e45dd70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -100,6 +100,13 @@ if test "x$enable_fips" = xyes; then
fi
fi
+dnl --- with-fips-config
+AC_ARG_WITH([fips-config],
+ AS_HELP_STRING([--with-fips-config=FILE],[OpenSSL FIPS config file name. Default is fipsmodule.cnf]),
+ [], [with_fips_config=fipsmodule.cnf])
+FIPSCONFIGFILE="$with_fips_config"
+AC_SUBST(FIPSCONFIGFILE)
+
dnl --- enable_sanitizer
AC_ARG_ENABLE(sanitizer,
[ --enable-sanitizer turn on sanitizer (may not work on all systems)],
diff --git a/src/openssl3-fips.cnf.in b/src/openssl3-fips.cnf.in
index 1391bcbd..0c1a4147 100644
--- a/src/openssl3-fips.cnf.in
+++ b/src/openssl3-fips.cnf.in
@@ -1,6 +1,6 @@
openssl_conf = openssl_init
-.include @FIPSDIR@/fipsmodule.cnf
+.include @FIPSDIR@/@FIPSCONFIGFILE@
[openssl_init]
providers = provider_sect

79
libica.changes
View File

@@ -1,3 +1,80 @@
-------------------------------------------------------------------
Wed Jul 30 06:53:05 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1247287)
* libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
- Added '--with-fips-config=fips_local.cnf' in "%configure"
-------------------------------------------------------------------
Mon Jul 28 10:40:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1246541)
* Added a flag '-DNO_FIPS_CONFIG_LOAD' to CPPFLAGS and CFLAGS
* Do not ship the config file '/etc/libica/openssl3-fips.cnf'
-------------------------------------------------------------------
Fri May 30 09:40:05 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade libica to version 4.4.1
* Bug fixes
- Removed obsolete patch
* libica-fips-update-Fix-bug-in-condition-logic.patch
-------------------------------------------------------------------
Fri Feb 7 06:58:32 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (jsc#PED-10289, jsc#PED-3277)
* libica-fips-update-Fix-bug-in-condition-logic.patch
-------------------------------------------------------------------
Tue Dec 31 10:44:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289)
* Updates for FIPS 140-3 certification 2024
* Various bug fixes and housekeeping
- Removed obsolete patches
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
* libica-02-fips-update-Change-service-indicator-implementation.patch
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
-------------------------------------------------------------------
Wed Dec 4 07:05:18 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1234117, bsc#1231999)
* downgraded libica tools requires down to recommends again
-------------------------------------------------------------------
Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
* libica-02-fips-update-Change-service-indicator-implementation.patch
* libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
* libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
-------------------------------------------------------------------
Tue Nov 5 12:07:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
* libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
* libica-02-fips-update-Change-service-indicator-implementation.patch
-------------------------------------------------------------------
Tue Oct 29 06:22:04 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
* Various bug fixes and housekeeping
- Removed obsolete patches
* libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
* libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
* libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
-------------------------------------------------------------------
Wed Oct 23 09:05:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1231999)
* Replaced Recommends libica-tools with Requires
-------------------------------------------------------------------
Wed Jul 3 10:51:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
@@ -807,5 +884,3 @@ Tue Feb 5 11:01:16 CET 2002 - froh@suse.de
Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
- initial version
-------------------------------------------------------------------

15
libica.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package libica
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
%endif
Name: libica
Version: 4.3.0
Version: 4.4.1
Release: 0
Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0
@@ -36,11 +36,9 @@ Source4: z90crypt.service
Source5: %{name}-rpmlintrc
###
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
Patch02: libica-sles15sp5-FIPS-hmac-key.patch
###
Patch110: libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
Patch111: libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
Patch112: libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
Patch10: libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
###
BuildRequires: autoconf
@@ -121,8 +119,8 @@ the libica library.
%build
autoreconf --force --install
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
--enable-fips
%configure CPPFLAGS="-Iinclude -fPIC -DNO_FIPS_CONFIG_LOAD" CFLAGS="%{optflags} -fPIC -DNO_FIPS_CONFIG_LOAD" \
--enable-fips --with-fips-config=fips_local.cnf
%make_build clean
%make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release"
@@ -150,6 +148,7 @@ cp -a %{SOURCE1} .
rm -vf %{buildroot}%{_libdir}/libica*.la
rm -f %{buildroot}%{_datadir}/doc/libica/*
rmdir %{buildroot}%{_datadir}/doc/libica
### Comment below two lines to enable FIPS config file 'openssl3-fips.cnf'
# rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
# rmdir %{buildroot}/%{_sysconfdir}/libica