Import from CS git and update for 8

This commit is contained in:
eabdullin 2024-04-10 22:27:34 +03:00
parent 2895cffc24
commit 0267650013
6 changed files with 66 additions and 52 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libica-4.1.1.tar.gz SOURCES/libica-4.2.3.tar.gz

View File

@ -1 +1 @@
a826ac86ded4ed96804fe19634b02838ab78ac86 SOURCES/libica-4.1.1.tar.gz 2fdb8eaa8985f05aea287b9d6547bb5169863ae4 SOURCES/libica-4.2.3.tar.gz

View File

@ -26,7 +26,7 @@ diff --git a/include/ica_api.h b/include/ica_api.h
index 0263d2f..8f7bbdb 100644 index 0263d2f..8f7bbdb 100644
--- a/include/ica_api.h --- a/include/ica_api.h
+++ b/include/ica_api.h +++ b/include/ica_api.h
@@ -1447,6 +1447,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, @@ -1480,6 +1480,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
ICA_EXPORT ICA_EXPORT
unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key); unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key);
@ -254,7 +254,7 @@ index 0263d2f..8f7bbdb 100644
/** /**
* Encrypt or decrypt data with an DES key using Electronic Cook Book (ECB) * Encrypt or decrypt data with an DES key using Electronic Cook Book (ECB)
* mode as described in NIST Special Publication 800-38A Chapter 6.1. * mode as described in NIST Special Publication 800-38A Chapter 6.1.
@@ -3485,6 +3706,15 @@ void ica_aes_gcm_kma_ctx_free(kma_ctx* ctx); @@ -3599,6 +3820,15 @@ int ica_get_hw_info(libica_hw_info *hw_info);
ICA_EXPORT ICA_EXPORT
unsigned int ica_get_version(libica_version_info *version_info); unsigned int ica_get_version(libica_version_info *version_info);
@ -268,8 +268,8 @@ index 0263d2f..8f7bbdb 100644
+ unsigned int *pmech_list_len); + unsigned int *pmech_list_len);
+ +
/** /**
* Function that returns a list of crypto mechanisms supported by libica. * Return libica build information.
* @param pmech_list *
diff --git a/libica.map b/libica.map diff --git a/libica.map b/libica.map
index 0a64d4c..0a71832 100644 index 0a64d4c..0a71832 100644
--- a/libica.map --- a/libica.map
@ -312,7 +312,7 @@ diff --git a/src/ica_api.c b/src/ica_api.c
index 42d9baf..3e13a29 100644 index 42d9baf..3e13a29 100644
--- a/src/ica_api.c --- a/src/ica_api.c
+++ b/src/ica_api.c +++ b/src/ica_api.c
@@ -2436,6 +2436,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx) @@ -2452,6 +2452,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx)
* *
******************************************************************************/ ******************************************************************************/
@ -581,9 +581,9 @@ diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index 49cbb09..76f530f 100644 index 49cbb09..76f530f 100644
--- a/src/include/s390_crypto.h --- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h +++ b/src/include/s390_crypto.h
@@ -25,11 +25,6 @@ @@ -30,11 +30,6 @@ int s390_get_fips_indicator(libica_fips_indicator_element *fips_list,
unsigned int *fips_list_len);
#include <openssl/opensslv.h> #endif
-/* major 4.0: no more exported, now internal */ -/* major 4.0: no more exported, now internal */
-int s390_initialize_functionlist(void); -int s390_initialize_functionlist(void);
@ -619,7 +619,7 @@ index f220205..f756597 100644
aes_ecb_test \ aes_ecb_test \
aes_cbc_test \ aes_cbc_test \
aes_ctr_test \ aes_ctr_test \
@@ -71,10 +76,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c @@ -72,10 +77,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c
get_functionlist_cex_test_LDADD = @LIBS@ ${top_builddir}/src/.libs/libica-cex.so -lcrypto -lpthread get_functionlist_cex_test_LDADD = @LIBS@ ${top_builddir}/src/.libs/libica-cex.so -lcrypto -lpthread
check_PROGRAMS = fips_test icastats_test get_functionlist_test \ check_PROGRAMS = fips_test icastats_test get_functionlist_test \
@ -1596,7 +1596,7 @@ diff --git a/src/ica_api.c b/src/ica_api.c
index 3e13a29..1bd81bb 100644 index 3e13a29..1bd81bb 100644
--- a/src/ica_api.c --- a/src/ica_api.c
+++ b/src/ica_api.c +++ b/src/ica_api.c
@@ -91,6 +91,16 @@ void ica_set_stats_mode(int stats_mode) @@ -93,6 +93,16 @@ void ica_set_stats_mode(int stats_mode)
} }
#ifndef NO_CPACF #ifndef NO_CPACF

View File

@ -1,35 +0,0 @@
From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 1 Feb 2023 10:54:33 +0100
Subject: [libica PATCH] bugfix: permission denied on shared memory segments
A change to the Linux kernel in 4.19 for added security is
changing the behavior when opening shared memory segments.
The O_CREAT flag must not be used for existing segments.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/icastats_shared.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/icastats_shared.c b/src/icastats_shared.c
index bbc8d0e..8290239 100644
--- a/src/icastats_shared.c
+++ b/src/icastats_shared.c
@@ -54,9 +54,10 @@ int stats_mmap(int user)
sprintf(shm_id, "icastats_%d",
user == -1 ? geteuid() : (uid_t)user);
- stats_shm_handle = shm_open(shm_id,
- O_CREAT | O_RDWR,
- S_IRUSR | S_IWUSR);
+ stats_shm_handle = shm_open(shm_id, O_RDWR, S_IRUSR | S_IWUSR);
+
+ if (stats_shm_handle == -1)
+ stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
if (stats_shm_handle == -1)
return rc;
--
2.39.1

View File

@ -0,0 +1,35 @@
From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue, 10 Oct 2023 14:10:22 +0200
Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
Before calling any openssl EVP function, libica's own openssl lib ctx
must be made the current one. This was missing in compute_file_hmac.
Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index f09dc77..3bbc325 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
void *fdata = NULL;
struct stat fdata_stat;
+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
+
pkey = get_pkey();
if (!pkey)
goto end;
@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
EVP_MD_CTX_destroy(mdctx);
OPENSSL_cleanse(tmp, sizeof(tmp));
+ END_OPENSSL_LIBCTX(rc);
return rc;
}

View File

@ -4,8 +4,8 @@
Summary: Library for accessing ICA hardware crypto on IBM z Systems Summary: Library for accessing ICA hardware crypto on IBM z Systems
Name: libica Name: libica
Version: 4.1.1 Version: 4.2.3
Release: 2%{?dist} Release: 1%{?dist}
License: CPL License: CPL
Group: System Environment/Libraries Group: System Environment/Libraries
URL: https://github.com/opencryptoki/ URL: https://github.com/opencryptoki/
@ -17,9 +17,9 @@ Patch0: %{name}-4.0.1-annotate.patch
# - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048 # - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048
# - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2 # - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2
Patch1: %{name}-4.1.1-revert-abi.patch Patch1: %{name}-4.1.1-revert-abi.patch
# fix permissions for shared memory segments # https://issues.redhat.com/browse/RHEL-14892
# https://bugzilla.redhat.com/show_bug.cgi?id=2167363 # https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
Patch2: %{name}-4.1.1-shmem.patch Patch2: %{name}-4.2.3-fips.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: openssl BuildRequires: openssl
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -110,6 +110,20 @@ fi
%changelog %changelog
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
- updated to 4.2.3 (RHEL-11411)
- fix selfcheck in FIPS mode (RHEL-14892)
- Resolves: RHEL-11411 RHEL-14892
* Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
- icastats: Fix summary option (#2223697)
- Resolves: #2223697
* Wed May 24 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-1
- updated to 4.2.2 (#2159718)
- FIPS 140-3 compliance (#2159748)
- Resolves: #2159718 #2159748
* Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2 * Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2
- fix permissions for shared memory segments (#2167363) - fix permissions for shared memory segments (#2167363)
- Resolves: #2167363 - Resolves: #2167363