From 270004b6c05485946d7bd304d2751b4983f0c784 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Mon, 27 May 2024 14:28:06 +0200 Subject: [PATCH] - updated to 4.3.0 (RHEL-23703) --- .libica.metadata | 1 + libica-4.2.3-fips.patch | 35 ----------- libica-4.3.0-fixes.patch | 130 +++++++++++++++++++++++++++++++++++++++ libica.spec | 11 ++-- sources | 2 +- 5 files changed, 139 insertions(+), 40 deletions(-) create mode 100644 .libica.metadata delete mode 100644 libica-4.2.3-fips.patch create mode 100644 libica-4.3.0-fixes.patch diff --git a/.libica.metadata b/.libica.metadata new file mode 100644 index 0000000..3283057 --- /dev/null +++ b/.libica.metadata @@ -0,0 +1 @@ +e7f7a7f714c793496294a5f865ad23d4c48866f9 libica-4.3.0.tar.gz diff --git a/libica-4.2.3-fips.patch b/libica-4.2.3-fips.patch deleted file mode 100644 index 5bddfb9..0000000 --- a/libica-4.2.3-fips.patch +++ /dev/null @@ -1,35 +0,0 @@ -From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Tue, 10 Oct 2023 14:10:22 +0200 -Subject: [PATCH] fips: use openssl lib context in compute_file_hmac - -Before calling any openssl EVP function, libica's own openssl lib ctx -must be made the current one. This was missing in compute_file_hmac. - -Suggested-by: Ingo Franzki -Signed-off-by: Joerg Schmidbauer ---- - src/fips.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/fips.c b/src/fips.c -index f09dc77..3bbc325 100644 ---- a/src/fips.c -+++ b/src/fips.c -@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) - void *fdata = NULL; - struct stat fdata_stat; - -+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc); -+ - pkey = get_pkey(); - if (!pkey) - goto end; -@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) - EVP_MD_CTX_destroy(mdctx); - - OPENSSL_cleanse(tmp, sizeof(tmp)); -+ END_OPENSSL_LIBCTX(rc); - - return rc; - } diff --git a/libica-4.3.0-fixes.patch b/libica-4.3.0-fixes.patch new file mode 100644 index 0000000..8145989 --- /dev/null +++ b/libica-4.3.0-fixes.patch @@ -0,0 +1,130 @@ +From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001 +From: Holger Dengler +Date: Tue, 16 Apr 2024 14:18:23 +0200 +Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests + +OpenSSL supports CEX exploitation since version v3.2.x. Libica and its +testcases use OpenSSL as helper and fallback, so disable the CEX +acceleration for all tests. + +If the environment variable is already set, use it as is without +modifying it. In this case, it is up to the user to choose the right +settings. + +Fixes: Issue #126 +Link: https://github.com/opencryptoki/libica/issues/126 +Signed-off-by: Holger Dengler +--- + test/Makefile.am | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/test/Makefile.am b/test/Makefile.am +index 76d4f15..e56b256 100644 +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -61,10 +61,14 @@ TESTS += \ + ${top_builddir}/src/internal_tests/ec_internal_test + endif + ++# disable OpenSSL CEX usage for all tests ++OPENSSL_s390xcap ?= nocex ++ + TEST_EXTENSIONS = .sh .pl + TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \ + PATH=${builddir}/../src/:$$PATH \ +- LIBICA_TESTDATA=${srcdir}/testdata/; ++ LIBICA_TESTDATA=${srcdir}/testdata/ \ ++ OPENSSL_s390xcap=${OPENSSL_s390xcap}; + AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/ + LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread + +-- +2.45.1 + + +From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Wed, 24 Apr 2024 10:44:26 +0200 +Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function + +Signed-off-by: Joerg Schmidbauer +--- + src/include/s390_aes.h | 2 +- + src/include/s390_cmac.h | 2 +- + src/include/s390_crypto.h | 23 +++++++++++++---------- + 3 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h +index 6252dde..a6ff27b 100644 +--- a/src/include/s390_aes.h ++++ b/src/include/s390_aes.h +@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code, + + memset(&parm_block.keys, 0, key_size); + +- if (rc >= 0) { ++ if (rc == 0) { + memcpy(xts_parm, parm_block.xts_parameter, + sizeof(ica_aes_vector_t)); + return 0; +diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h +index 76b9cca..f19c069 100644 +--- a/src/include/s390_cmac.h ++++ b/src/include/s390_cmac.h +@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc, + /* calculate final block (last/full) */ + rc = s390_pcc(fc, pb_lookup.base); + memset(pb_lookup.keys, 0, key_size); +- if (rc < 0) ++ if (rc != 0) + return EIO; + + _stats_increment(fc, ALGO_HW, ENCRYPT); +diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h +index f34241f..f11eacb 100644 +--- a/src/include/s390_crypto.h ++++ b/src/include/s390_crypto.h +@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void); + + /** + * s390_pcc: +- * @func: the function code passed to KM; see s390_pcc_functions ++ * @func: the function code passed to PCC; see s390_pcc_functions + * @param: address of parameter block; see POP for details on each func + * + * Executes the PCC operation of the CPU. + * +- * Returns -1 for failure, 0 for the query func, number of processed +- * bytes for encryption/decryption funcs ++ * Returns condition code of the PCC instruction + */ + static inline int s390_pcc(unsigned long func, void *param) + { + register unsigned long r0 asm("0") = (unsigned long)func; + register unsigned long r1 asm("1") = (unsigned long)param; ++ char cc; + +- asm volatile ( +- "0: .long %[opc] << 16\n" +- " brc 1,0b\n" +- : +- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c) +- : "cc", "memory"); ++ asm volatile( ++ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */ ++ " brc 1,0b\n" /* handle partial completion */ ++ " ipm %[cc]\n" ++ " srl %[cc],28\n" ++ : [cc] "=d" (cc) ++ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c) ++ : "cc", "memory" ++ ); + +- return 0; ++ return cc; + } + + /** +-- +2.45.1 + diff --git a/libica.spec b/libica.spec index aa6cf16..69c8cf2 100644 --- a/libica.spec +++ b/libica.spec @@ -2,7 +2,7 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 4.2.3 +Version: 4.3.0 Release: 1%{?dist} License: CPL URL: https://github.com/opencryptoki/ @@ -11,9 +11,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 # https://github.com/opencryptoki/libica/pull/24 Patch0: %{name}-4.0.0-annotate.patch -# https://issues.redhat.com/browse/RHEL-9918 -# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6 -Patch1: %{name}-4.2.3-fips.patch +# post GA fixes +Patch1: %{name}-%{version}-fixes.patch BuildRequires: gcc BuildRequires: openssl-devel BuildRequires: openssl @@ -110,6 +109,10 @@ fi %changelog +* Mon May 27 2024 Dan Horák - 4.3.0-1 +- updated to 4.3.0 (RHEL-23703) +- Resolves: RHEL-23703 + * Fri Oct 27 2023 Dan Horák - 4.2.3-1 - updated to 4.2.3 (RHEL-11415) - fix selfcheck in FIPS mode (RHEL-9918) diff --git a/sources b/sources index 5ee2876..dafcd06 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libica-4.2.3.tar.gz) = c370151bfddf58f397932b294394e50db3f6c61a2114315ba3176b8aaeb34253561192c717ca01185371715e9f008fa0ceee8e7ffc559377a51a67f4d47ae035 +SHA512 (libica-4.3.0.tar.gz) = 0952e0c7005756faf90cccf824cf5d3c22a45076008edb0622030ca148dbacb8752e6ece5b22b06b877ca7038ecca3e1c26ab66bc19328ed36784320ec27071d