rpms
/
libica
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libica-4.0.2-1.el9

This commit is contained in:
CentOS Sources 2022-11-15 01:54:21 -05:00 committed by Stepan Oksanichenko
parent 4b8a1ffdfb
commit 2d0fbad961
5 changed files with 52 additions and 654 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libica-4.0.0.tar.gz
SOURCES/libica-4.0.2.tar.gz

2
.libica.metadata
View File

@ -1 +1 @@
9c18c8b990f8e21162364006cb60a3c9104eae19 SOURCES/libica-4.0.0.tar.gz
a9137e070966cefc5a2078893edc4693ee62088f SOURCES/libica-4.0.2.tar.gz

646
SOURCES/libica-4.0.0-fixes.patch
View File

@ -1,646 +0,0 @@
From 977fe8ac713f9ff3101ce9882e23d0183fb46ec8 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 15 Dec 2021 16:29:57 +0100
Subject: [libica PATCH 01/10] RSA: limit RSA key length to 4096
CEX adapters support RSA up to 4096 bits. Although RSA key generation
in libica is done via openssl, and therefore even greater key lengths
would be supported, such keys could not be processed on CEX adapters
afterwards. With the removal of sw fallbacks this is now a hard
restriction.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
include/ica_api.h | 4 ++++
src/ica_api.c | 13 ++++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/include/ica_api.h b/include/ica_api.h
index ce27261..6137c4a 100644
--- a/include/ica_api.h
+++ b/include/ica_api.h
@@ -1291,6 +1291,7 @@ int ica_ed448_ctx_del(ICA_ED448_CTX **ctx);
*
* @return 0 if successful.
* EINVAL if at least one invalid parameter is given.
+ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction).
* EFAULT if OpenSSL key generation should fail.
*/
ICA_EXPORT
@@ -1319,6 +1320,7 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
*
* @return 0 if successful.
* EINVAL if at least one invalid parameter is given.
+ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction).
* EFAULT if OpenSSL key generation should fail.
*/
ICA_EXPORT
@@ -1346,6 +1348,7 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
*
* @return 0 if successful.
* EINVAL if at least one invalid parameter is given.
+ * EPERM if key bit length is greater than 4096 (CEX adapter restriction).
* ENOMEM if memory allocation fails.
* EIO if the operation fails. This should never happen.
*/
@@ -1375,6 +1378,7 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
*
* @return 0 if successful.
* EINVAL if at least one invalid parameter is given.
+ * EPERM if key bit length is greater than 4096 (CEX adapter restriction).
* ENOMEM if memory allocation fails.
* EIO if the operation fails. This should never happen.
*/
diff --git a/src/ica_api.c b/src/ica_api.c
index 445b0ab..a412052 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -52,6 +52,8 @@
#define MAX_VERSION_LENGTH 16
+#define MAX_RSA_KEY_BITS 4096
+
#ifndef NO_SW_FALLBACKS
int ica_fallbacks_enabled = 1;
#else
@@ -1071,9 +1073,12 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
/* Keys should comply with modulus_bit_length */
if ((modulus_bit_length + 7) / 8 != public_key->key_length)
return EINVAL;
- /* Minimum length for public exponent is sizeof(unsigned long) */
+ /* Minimum key length is sizeof(unsigned long) */
if (public_key->key_length < sizeof(unsigned long))
return EINVAL;
+ /* Max key bit length is 4096 because of CEX adapter restriction */
+ if (modulus_bit_length > MAX_RSA_KEY_BITS)
+ return EPERM;
/* OpenSSL takes only exponents of type unsigned long, so we have to
* be sure that we give a value of the right size to OpenSSL.
@@ -1111,6 +1116,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
return EINVAL;
if (public_key->key_length < sizeof(unsigned long))
return EINVAL;
+ if (modulus_bit_length > MAX_RSA_KEY_BITS)
+ return EPERM;
num_ignored_bytes = public_key->key_length - sizeof(unsigned long);
public_exponent = public_key->exponent;
@@ -1145,6 +1152,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
if (rsa_key->key_length < sizeof(unsigned long))
return EINVAL;
+ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS)
+ return EPERM;
/* fill driver structure */
rb.inputdata = (unsigned char *)input_data;
@@ -1264,6 +1273,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
if (rsa_key->key_length < sizeof(unsigned long))
return EINVAL;
+ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS)
+ return EPERM;
/* fill driver structure */
rb.inputdata = (unsigned char *)input_data;
--
2.34.1
From 553977ef505b43c7d17056369ed518a971d43d68 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 5 Jan 2022 09:07:51 +0100
Subject: [libica PATCH 02/10] ECC: fix memory leaks in make_eckey()
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/s390_ecc.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
index bb13944..af121b0 100644
--- a/src/s390_ecc.c
+++ b/src/s390_ecc.c
@@ -146,12 +146,12 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
EC_GROUP *group = NULL;
EC_POINT *point = NULL;
BIGNUM *bn_priv = NULL;
- unsigned char *pub_key = NULL;
- unsigned int pub_key_len;
- point_conversion_form_t form;
#if !OPENSSL_VERSION_PREREQ(3, 0)
EC_KEY *ec_key;
#else
+ unsigned char *pub_key = NULL;
+ unsigned int pub_key_len;
+ point_conversion_form_t form;
OSSL_PARAM_BLD *tmpl = NULL;
int rc;
#endif
@@ -175,18 +175,13 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
goto err;
}
- form = EC_GROUP_get_point_conversion_form(group);
- pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL);
- if (pub_key_len == 0) {
- goto err;
- }
-
#if !OPENSSL_VERSION_PREREQ(3, 0)
ec_key = EC_KEY_new_by_curve_name(nid);
if (ec_key == NULL) {
goto err;
}
+ EC_POINT_free(point);
point = EC_POINT_new(EC_KEY_get0_group(ec_key));
if (point == NULL) {
goto err;
@@ -209,6 +204,11 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
}
#else
+ form = EC_GROUP_get_point_conversion_form(group);
+ pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL);
+ if (pub_key_len == 0) {
+ goto err;
+ }
tmpl = OSSL_PARAM_BLD_new();
if (tmpl == NULL) {
@@ -243,6 +243,8 @@ err:
#else
if (tmpl)
OSSL_PARAM_BLD_free(tmpl);
+ if (pub_key)
+ OPENSSL_free(pub_key);
#endif
if (ok)
--
2.34.1
From b41addd200c0938c6c10202da08ad5f7df940e18 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 5 Jan 2022 09:15:58 +0100
Subject: [libica PATCH 03/10] ECC: Avoid recursive loop in ec_key_check() with
OpenSSL 3.0
Use libica's OpenSSL library context in ec_key_check(), otherwise
calling EVP_PKEY_fromdata() in build_pkey_from_params() may cause
a recursive loop, when a provider is used that calls ica_ec_key_init()
(and thus ec_key_check()) within its key import function.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/s390_ecc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
index af121b0..c0c1549 100644
--- a/src/s390_ecc.c
+++ b/src/s390_ecc.c
@@ -2458,6 +2458,8 @@ int ec_key_check(ICA_EC_KEY *ica_key)
BIGNUM *d = NULL, *x = NULL, *y = NULL;
int privlen, rc = EINVAL;
+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
+
if (!ica_key)
goto done;
@@ -2489,6 +2491,7 @@ done:
if (privkey)
EVP_PKEY_free(privkey);
+ END_OPENSSL_LIBCTX(rc);
return rc;
}
--
2.34.1
From 6031ec80a5ada52609822fed4a6bd2cccafe5563 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 5 Jan 2022 09:26:26 +0100
Subject: [libica PATCH 04/10] RSA: Fix memory leaks in
rsa_key_generate_mod_expo()/crt()
Also fix a compiler warning in rsa_key_generate().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/s390_rsa.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/s390_rsa.c b/src/s390_rsa.c
index 360c374..cea2ba2 100644
--- a/src/s390_rsa.c
+++ b/src/s390_rsa.c
@@ -128,7 +128,8 @@ EVP_PKEY* rsa_key_generate(unsigned int modulus_bit_length,
} while (*public_exponent <= 2 || !(*public_exponent % 2));
}
- e = BN_bin2bn(public_exponent, sizeof(unsigned long), NULL);
+ e = BN_bin2bn((const unsigned char *)public_exponent,
+ sizeof(unsigned long), NULL);
if (e == NULL) {
goto done;
}
@@ -259,6 +260,8 @@ err:
#if !OPENSSL_VERSION_PREREQ(3, 0)
RSA_free(rsa);
#else
+ BN_free(n);
+ BN_free(d);
EVP_PKEY_free(pkey);
#endif
@@ -410,6 +413,12 @@ err:
#if !OPENSSL_VERSION_PREREQ(3, 0)
RSA_free(rsa);
#else
+ BN_free(n);
+ BN_free(p);
+ BN_free(q);
+ BN_free(dmp1);
+ BN_free(dmq1);
+ BN_free(iqmp);
EVP_PKEY_free(pkey);
#endif
--
2.34.1
From b49cf457659a4baf382b3828d89823497bb00f6e Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 13 Jan 2022 10:42:02 +0100
Subject: [libica PATCH 05/10] EC: Handle unsupported EC curve in
ica_ec_key_new()
In case of an unsupported curve nid, privlen_from_nid() returns -1.
The subsequent calloc() will fail with a size of -3 (0xfffffffffffffffd).
Also free the already allocated key in case of an error to avoid a
memory leak.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/ica_api.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/ica_api.c b/src/ica_api.c
index a412052..0a885e2 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1336,9 +1336,15 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
/* allocate clear memory for the 3 key parts */
len = privlen_from_nid(nid);
+ if (len <= 0) {
+ free(key);
+ return NULL;
+ }
key->X = calloc(1, 3*len);
- if (!key->X)
+ if (!key->X) {
+ free(key);
return NULL;
+ }
key->nid = nid;
key->Y = key->X + len;
--
2.34.1
From 7e6e303e6aef019047eb6dfcdedbfe7da2a88526 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue, 11 Jan 2022 16:04:15 +0100
Subject: [libica PATCH 06/10] Compute HMAC from installed library
The HMAC hash was computed from the libica in the build tree, but
the runtime check is run against the installed libica and those 2
files may be different. E.g. if the runtime one has debuginfo stripped
(and placed into a separate file), the hashes are different.
This commit introduces a new make target: fipsinstall, which creates
the HMAC files in the install directory.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
Makefile.am | 9 ++++-----
src/Makefile.am | 8 +++++++-
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 2d8ab9e..e14abb5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -17,11 +17,8 @@ coverage: check
cd ${top_builddir}/src && gcov .libs/*.gcda
if ICA_FIPS
-install-data-hook:
- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
+fipsinstall:
+ $(AM_V_GEN)$(MAKE) -C src fipsinstall
if ICA_OPENSSL3
test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica
test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true
@@ -38,3 +35,5 @@ if ICA_OPENSSL3
endif
endif
+.PHONY: fipsinstall
+
diff --git a/src/Makefile.am b/src/Makefile.am
index c630048..4c92c96 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -47,6 +47,12 @@ mp.S : mp.pl
./mp.pl mp.S
if ICA_FIPS
+fipsinstall:
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+
hmac-file-lnk: hmac-file
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
@@ -110,4 +116,4 @@ internal_tests_ec_internal_test_SOURCES = \
include/rng.h ../test/testcase.h
endif
-.PHONY: hmac-file hmac-file-lnk
+.PHONY: hmac-file hmac-file-lnk fipsinstall
--
2.34.1
From 28fa931bed9e6847137829952a3e7cc6091bd071 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 24 Jan 2022 10:24:44 +0100
Subject: [libica PATCH 07/10] Fix compile warnings
... like potentially uninitialized variables or unused functions.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/fips.c | 4 ++--
src/ica_api.c | 2 +-
src/s390_ecc.c | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index 934f6f7..505dd0b 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -1304,8 +1304,8 @@ rsa_kat(void)
ica_adapter_handle_t ah;
const struct rsa_tv *tv;
size_t i, keylen, crtparamlen;
- unsigned char *out;
- libica_func_list_element* libica_func_list;
+ unsigned char *out = NULL;
+ libica_func_list_element* libica_func_list = NULL;
unsigned int count;
if (ica_open_adapter(&ah))
diff --git a/src/ica_api.c b/src/ica_api.c
index 0a885e2..a10e139 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -90,6 +90,7 @@ void ica_set_stats_mode(int stats_mode)
ica_stats_enabled = stats_mode ? 1 : 0;
}
+#ifndef NO_CPACF
#ifdef ICA_FIPS
static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
@@ -101,7 +102,6 @@ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
}
#endif
-#ifndef NO_CPACF
static unsigned int check_des_parms(unsigned int mode,
unsigned long data_length,
const unsigned char *in_data,
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
index c0c1549..211db01 100644
--- a/src/s390_ecc.c
+++ b/src/s390_ecc.c
@@ -147,7 +147,7 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
EC_POINT *point = NULL;
BIGNUM *bn_priv = NULL;
#if !OPENSSL_VERSION_PREREQ(3, 0)
- EC_KEY *ec_key;
+ EC_KEY *ec_key = NULL;
#else
unsigned char *pub_key = NULL;
unsigned int pub_key_len;
@@ -262,7 +262,7 @@ static EVP_PKEY *make_public_eckey(int nid, unsigned char *pubkey, size_t publen
{
int ok = 0;
#if !OPENSSL_VERSION_PREREQ(3, 0)
- EC_KEY *ec_key;
+ EC_KEY *ec_key = NULL;
#else
OSSL_PARAM_BLD *tmpl = NULL;
int rc;
--
2.34.1
From cc44f18383ec6dc01a05abd6c25a1dec8efe84cb Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 24 Jan 2022 10:32:47 +0100
Subject: [libica PATCH 08/10] Fix memory leaks in test programs
When configured with --enable-sanitizer some tests fail because
the address sanitizer reports memory leaks.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
test/ec_keygen_test.c | 6 +++++-
test/ecdh_test.c | 13 ++++++++++++-
test/ecdsa_test.c | 3 +++
test/icastats_test.c.in | 1 +
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/test/ec_keygen_test.c b/test/ec_keygen_test.c
index 43c6092..0445c41 100644
--- a/test/ec_keygen_test.c
+++ b/test/ec_keygen_test.c
@@ -115,6 +115,8 @@ int main(int argc, char **argv)
rc = ica_ec_key_generate(adapter_handle, eckey);
if (rc) {
+ ica_ec_key_free(eckey);
+ eckey = NULL;
if (rc == EPERM) {
V_(printf("Curve %d not supported on this system, skipping ...\n", eckeygen_tests[i].nid));
continue;
@@ -156,12 +158,14 @@ int main(int argc, char **argv)
}
}
}
+
+ ica_ec_key_free(eckey);
+ eckey = NULL;
}
if (test_failed)
errors++;
- ica_ec_key_free(eckey);
unset_env_icapath();
}
diff --git a/test/ecdh_test.c b/test/ecdh_test.c
index 9a81036..e1191d0 100644
--- a/test/ecdh_test.c
+++ b/test/ecdh_test.c
@@ -339,6 +339,8 @@ int main(int argc, char **argv)
rc = ica_ec_key_init(ecdh_kats[i].xa, ecdh_kats[i].ya, ecdh_kats[i].da, eckey_A);
if (rc != 0) {
+ ica_ec_key_free(eckey_A);
+ eckey_A = NULL;
if (rc == EPERM) {
V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid));
continue;
@@ -350,11 +352,18 @@ int main(int argc, char **argv)
}
eckey_B = ica_ec_key_new(ecdh_kats[i].nid, &privlen);
- if (!eckey_B)
+ if (!eckey_B) {
+ ica_ec_key_free(eckey_A);
+ eckey_A = NULL;
continue;
+ }
rc = ica_ec_key_init(ecdh_kats[i].xb, ecdh_kats[i].yb, ecdh_kats[i].db, eckey_B);
if (rc != 0) {
+ ica_ec_key_free(eckey_B);
+ eckey_B = NULL;
+ ica_ec_key_free(eckey_A);
+ eckey_A = NULL;
if (rc == EPERM) {
V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid));
continue;
@@ -415,7 +424,9 @@ int main(int argc, char **argv)
errors++;
ica_ec_key_free(eckey_A);
+ eckey_A = NULL;
ica_ec_key_free(eckey_B);
+ eckey_B = NULL;
unset_env_icapath();
}
diff --git a/test/ecdsa_test.c b/test/ecdsa_test.c
index 3b6bda3..2393882 100644
--- a/test/ecdsa_test.c
+++ b/test/ecdsa_test.c
@@ -225,6 +225,8 @@ int main(int argc, char **argv)
rc = ica_ec_key_init(ecdsa_kats[i].x, ecdsa_kats[i].y, ecdsa_kats[i].d, eckey);
if (rc != 0) {
+ ica_ec_key_free(eckey);
+ eckey = NULL;
if (rc == EPERM) {
V_(printf("Curve %d not supported on this system, skipping ...\n", ecdsa_kats[i].nid));
continue;
@@ -274,6 +276,7 @@ int main(int argc, char **argv)
errors++;
ica_ec_key_free(eckey);
+ eckey = NULL;
unset_env_icapath();
}
diff --git a/test/icastats_test.c.in b/test/icastats_test.c.in
index 98905a9..f0d1212 100644
--- a/test/icastats_test.c.in
+++ b/test/icastats_test.c.in
@@ -186,6 +186,7 @@ int is_crypto_card_loaded()
}
if((c = fgetc(file)) == '1'){
fclose(file);
+ closedir(sysDir);
return 1;
}
fclose(file);
--
2.34.1
From 9c6431f49a9fe0d574722954e018b4cba6ab085b Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 24 Jan 2022 14:33:57 +0100
Subject: [libica PATCH 09/10] FIPS: Calculation of library HMAC may fail
Initialize length variable before calling EVP_DigestSignFinal().
If hlen is uninitialized it may cause EVP_DigestSignFinal() to fail.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/fips.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/fips.c b/src/fips.c
index 505dd0b..129a1a7 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -333,6 +333,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
}
}
+ hlen = sizeof(rbuf);
if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0)
goto end;
--
2.34.1
From 5aa9366c236a6d17570403ef81c65e4f5f91a8af Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 26 Jan 2022 09:29:27 +0100
Subject: [libica PATCH 10/10] MAKEFILE: Do not install ec_internal_test
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 4c92c96..d6f5c52 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -90,7 +90,7 @@ icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h
# internal tests
if ICA_INTERNAL_TESTS
-bin_PROGRAMS += internal_tests/ec_internal_test
+noinst_PROGRAMS = internal_tests/ec_internal_test
internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \
-I${srcdir}/../include \
--
2.34.1

33
SOURCES/libica-no-fips-config.patch Normal file
View File

@ -0,0 +1,33 @@
From 56b6ca219ecd37ba2c7e520ddac83eb801ce76ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
Date: Mon, 16 May 2022 15:44:06 +0200
Subject: [libica PATCH] FIPS specific openssl config is not required in
RHEL/Fedora
---
src/fips.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index 129a1a7..6466133 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -235,12 +235,15 @@ fips_init(void)
FIPS_mode_set(1);
#else
fips = 0;
+ /* FIPS specific openssl config is not required in RHEL/Fedora */
+#if 0
if (!OSSL_LIB_CTX_load_config(openssl_libctx, LIBICA_FIPS_CONFIG)) {
syslog(LOG_ERR, "Libica failed to load openssl fips config %s\n",
LIBICA_FIPS_CONFIG);
fips |= ICA_FIPS_INTEGRITY;
return;
}
+#endif
openssl_provider = OSSL_PROVIDER_load(openssl_libctx, "fips");
if (openssl_provider == NULL) {
--
2.34.3

23
SPECS/libica.spec
View File

@ -2,7 +2,7 @@
Summary: Library for accessing ICA hardware crypto on IBM z Systems
Name: libica
Version: 4.0.0
Version: 4.0.2
Release: 1%{?dist}
License: CPL
URL: https://github.com/opencryptoki/
@ -11,8 +11,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
# https://bugzilla.redhat.com/show_bug.cgi?id=1630582
# https://github.com/opencryptoki/libica/pull/24
Patch0: %{name}-4.0.0-annotate.patch
# post GA fixes, includes HMAC calculation
Patch1: %{name}-4.0.0-fixes.patch
# FIPS openssl config is not needed on RHEL/Fedora
# https://bugzilla.redhat.com/show_bug.cgi?id=2084097
Patch1: %{name}-no-fips-config.patch
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: openssl
@ -86,9 +87,7 @@ fi
%{_bindir}/icastats
%if %{with_fips}
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
# openssl 3.0 is available since Fedora 36 and RHEL 9
%dir %{_sysconfdir}/libica
%{_sysconfdir}/libica/openssl3-fips.cnf
%exclude %{_sysconfdir}/libica/openssl3-fips.cnf
%endif
%{_libdir}/.libica.*.hmac
%{_libdir}/.libica-cex.*.hmac
@ -106,6 +105,18 @@ fi
%changelog
* Thu Jun 30 2022 Dan Horák <dhorak@redhat.com> - 4.0.2-1
- updated to 4.0.2 (#2101767)
- Resolves: #2101767
* Mon May 16 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-2
- fix running in FIPS mode (#2084097)
- Resolves: #2084097
* Thu May 12 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
- updated to 4.0.1 (#2044178)
- Resolves: #2044178 #2044174
* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
- updated to 4.0.0 (#2040237)
- Resolves: #2040237