From 366c00afb453b2a4c48a55102c0f2499287eebbd Mon Sep 17 00:00:00 2001 From: eabdullin Date: Fri, 20 Oct 2023 12:27:41 +0000 Subject: [PATCH] import CS libica-4.2.2-2.el9 --- .gitignore | 2 +- .libica.metadata | 2 +- SOURCES/libica-4.0.0-annotate.patch | 83 + SOURCES/libica-4.0.1-annotate.patch | 19 - SOURCES/libica-4.1.1-revert-abi.patch | 1618 ------------------- SOURCES/libica-4.1.1-shmem.patch | 35 - SOURCES/libica-4.2.2-icastats-summary.patch | 231 +++ SPECS/libica.spec | 153 +- 8 files changed, 412 insertions(+), 1731 deletions(-) create mode 100644 SOURCES/libica-4.0.0-annotate.patch delete mode 100644 SOURCES/libica-4.0.1-annotate.patch delete mode 100644 SOURCES/libica-4.1.1-revert-abi.patch delete mode 100644 SOURCES/libica-4.1.1-shmem.patch create mode 100644 SOURCES/libica-4.2.2-icastats-summary.patch diff --git a/.gitignore b/.gitignore index b0eec8c..1ab5bde 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libica-4.1.1.tar.gz +SOURCES/libica-4.2.2.tar.gz diff --git a/.libica.metadata b/.libica.metadata index 6020dad..dec8d0f 100644 --- a/.libica.metadata +++ b/.libica.metadata @@ -1 +1 @@ -a826ac86ded4ed96804fe19634b02838ab78ac86 SOURCES/libica-4.1.1.tar.gz +300e2aa5c7de375a161b2390b178134a46818bdd SOURCES/libica-4.2.2.tar.gz diff --git a/SOURCES/libica-4.0.0-annotate.patch b/SOURCES/libica-4.0.0-annotate.patch new file mode 100644 index 0000000..3ad0e64 --- /dev/null +++ b/SOURCES/libica-4.0.0-annotate.patch @@ -0,0 +1,83 @@ +From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20Hor=C3=A1k?= +Date: Tue, 25 Sep 2018 13:44:32 +0200 +Subject: [libica PATCH] add build note to assembler sources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When distros use the annobin compiler plugin [1], they have complete overview +what compiler flags were used for compilation and they are able to perform +security checks on the produced binaries. Compiling assembler source can't +provide this kind of information by default, so we need the explicit +-Wa,--generate-missing-build-notes=yes option during build. When the option is +missing, then the annocheck tool reports "GAPS" in the resulting binary. + +binutils >= 2.31 or older with backport is needed + +[1] https://fedoraproject.org/wiki/Changes/Annobin + +Signed-off-by: Dan Horák +--- + configure.ac | 4 ++++ + libica.spec | 2 +- + src/Makefile.am | 4 ++-- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 958371c..b8d0e42 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab + FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2" + fi + ++# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed ++AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"]) ++ + # restore cmdline flags (ignore PROG_AS/PROG_CC defaults) + CFLAGS="$cmdline_CFLAGS" + CCASFLAGS="$cmdline_CFLAGS" + + AC_SUBST([FLAGS], $FLAGS) + AC_SUBST([LIBS], $LIBS) ++AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS) + AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile]) + AC_OUTPUT + +diff --git a/libica.spec b/libica.spec +index d71890a..e51430e 100644 +--- a/libica.spec ++++ b/libica.spec +@@ -9,7 +9,7 @@ URL: https://github.com/opencryptoki/libica + Source0: %{name}-%{version}.tar.gz + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +-BuildRequires: autoconf automake libtool openssl-devel ++BuildRequires: autoconf automake libtool openssl-devel autoconf-archive + + %description + Interface library on Linux for IBM System z to utilize CPACF +diff --git a/src/Makefile.am b/src/Makefile.am +index c630048..1b5ec71 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \ + include/rng.h + + libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\" +-libica_la_CCASFLAGS = ${AM_CFLAGS} ++libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS} + libica_la_LIBADD = ${LIBS_common} + libica_la_LDFLAGS = ${LDFLAGS_common} + libica_la_SOURCES = ${SOURCES_common} + + libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\" +-libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ++libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS} + libica_cex_la_LIBADD = ${LIBS_common} + libica_cex_la_LDFLAGS = ${LDFLAGS_common} + libica_cex_la_SOURCES = ${SOURCES_common} +-- +2.31.1 + diff --git a/SOURCES/libica-4.0.1-annotate.patch b/SOURCES/libica-4.0.1-annotate.patch deleted file mode 100644 index d915006..0000000 --- a/SOURCES/libica-4.0.1-annotate.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up libica-4.0.1/src/Makefile.am.orig libica-4.0.1/src/Makefile.am ---- libica-4.0.1/src/Makefile.am.orig 2022-03-22 13:13:36.186395805 +0100 -+++ libica-4.0.1/src/Makefile.am 2022-03-22 13:13:55.224076905 +0100 -@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icasta - include/rng.h - - libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\" --libica_la_CCASFLAGS = ${AM_CFLAGS} -+libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes - libica_la_LIBADD = ${LIBS_common} - libica_la_LDFLAGS = ${LDFLAGS_common} - libica_la_SOURCES = ${SOURCES_common} - - libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\" --libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -+libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes - libica_cex_la_LIBADD = ${LIBS_common} - libica_cex_la_LDFLAGS = ${LDFLAGS_common} - libica_cex_la_SOURCES = ${SOURCES_common} diff --git a/SOURCES/libica-4.1.1-revert-abi.patch b/SOURCES/libica-4.1.1-revert-abi.patch deleted file mode 100644 index abf8be2..0000000 --- a/SOURCES/libica-4.1.1-revert-abi.patch +++ /dev/null @@ -1,1618 +0,0 @@ -From 2945363230c1d76d21327e12995a8789ec9df514 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20Hor=C3=A1k?= -Date: Tue, 22 Mar 2022 12:43:19 +0100 -Subject: [libica PATCH 1/2] Revert "Remove deprecated API functions" - -This reverts commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048. ---- - include/ica_api.h | 230 ++++++++++++++++++++++++++++++ - libica.map | 8 ++ - src/ica_api.c | 258 ++++++++++++++++++++++++++++++++++ - src/include/s390_crypto.h | 5 - - test/Makefile.am | 11 +- - test/aes_128_test.c | 284 ++++++++++++++++++++++++++++++++++++++ - test/aes_192_test.c | 163 ++++++++++++++++++++++ - test/aes_256_test.c | 162 ++++++++++++++++++++++ - test/des_test.c | 157 +++++++++++++++++++++ - test/tdes_test.c | 148 ++++++++++++++++++++ - 10 files changed, 1418 insertions(+), 8 deletions(-) - create mode 100644 test/aes_128_test.c - create mode 100644 test/aes_192_test.c - create mode 100644 test/aes_256_test.c - create mode 100644 test/des_test.c - create mode 100644 test/tdes_test.c - -diff --git a/include/ica_api.h b/include/ica_api.h -index 0263d2f..8f7bbdb 100644 ---- a/include/ica_api.h -+++ b/include/ica_api.h -@@ -1447,6 +1447,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, - ICA_EXPORT - unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key); - -+/** -+ * @deprecated, use ica_des_ecb() or ica_des_cbc() instead. -+ * -+ * Encrypt data using a single length DES key. -+ * @param mode Specifies the operational mode and must be: -+ * MODE_ECB - Use Electronic Code Book mode -+ * MODE_CBC - Use Cipher Block Chaining mode -+ * @param data_length -+ * Specifies the byte length of the input data. It has to be a multiple of the -+ * cipher block which has a size of 8 byte. -+ * @param input_data -+ * Pointer to the input data data to be encrypted. Must be a multiple of the -+ * cipher to use hw acceleration. -+ * @param iv -+ * Pointer to a valid 8 byte initialization vector when using CBC mode. -+ * @param des_key -+ * Pointer to a single length DES key. -+ * @param output_data -+ * Pointer to the buffer to contain the resulting encrypted data. Must be a -+ * multiple of the cipher block and at least as big as the buffer for -+ * input_data. -+ * -+ * @return 0 if successful. -+ * EINVAL if at least one invalid parameter is given. -+ * EIO if the operation fails. This should never happen. -+ */ -+/* XXX next major: remove */ -+ICA_EXPORT ICA_DEPRECATED -+unsigned int ica_des_encrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_single_t *des_key, -+ unsigned char *output_data); -+ -+/** -+ * @deprecated, use ica_des_ecb() or ica_des_cbc() instead. -+ * -+ * Decrypt data using a single length DES key. -+ * @param mode -+ * Specifies the operational mode and must be: -+ * MODE_ECB - Use Electronic Code Book mode -+ * MODE_CBC - Use Cipher Block Chaining mode -+ * @param data_length -+ * Specifies the byte length of the input data. It has to be a multiple of the -+ * cipher block which has a size of 8 byte. -+ * @param input_data -+ * Pointer to the input data data to be decrypted. Must be a multiple of the -+ * cipher to use hw acceleration. -+ * @param iv -+ * Pointer to a valid 8 byte initialization vector when using CBC mode. -+ * @param des_key -+ * Pointer to a single length DES key. -+ * @param output_data -+ * Pointer to the buffer to contain the resulting decrypted data. Must be a -+ * multiple of the cipher block and at least as big as the buffer for -+ * input_data. -+ * -+ * @return 0 if successful. -+ * EINVAL if at least one invalid parameter is given. -+ * EIO if the operation fails. This should never happen. -+ */ -+/* XXX next major: remove */ -+ICA_EXPORT ICA_DEPRECATED -+unsigned int ica_des_decrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_single_t *des_key, -+ unsigned char *output_data); -+ -+/** -+ * @deprecated, use ica_3des_ecb() or ica_3des_cbc() instead. -+ * -+ * Encrypt data using a triple length DES key. -+ * @param mode -+ * Specifies the operational mode and must be: -+ * MODE_ECB - Use Electronic Code Book mode -+ * MODE_CBC - Use Cipher Block Chaining mode -+ * @param data_length -+ * Specifies the byte length of the input data. It has to be a multiple of the -+ * cipher block which has a size of 8 byte. -+ * @param input_data -+ * Pointer to the input data data to be encrypted. Must be a multiple of the -+ * cipher block to use hw acceleration. -+ * @param iv -+ * Pointer to a valid 8 byte initialization vector when using CBC mode. -+ * @param des_key -+ * Pointer to a triple length DES key. -+ * @param output_data -+ * Pointer to the buffer to contain the resulting encrypted data. Must be a -+ * multiple of the cipher block and at least as big as the buffer for -+ * input_data. -+ * -+ * @return 0 if successful. -+ * EINVAL if at least one invalid parameter is given. -+ * EIO if the operation fails. This should never happen. -+ */ -+/* XXX next major: remove */ -+ICA_EXPORT ICA_DEPRECATED -+unsigned int ica_3des_encrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_triple_t *des_key, -+ unsigned char *output_data); -+ -+/** -+ * @deprecated, use ica_3des_ecb() or ica_3des_cbc() instead. -+ * -+ * Decrypt data using a triple length DES key. -+ * @param mode -+ * Specifies the operational mode and must be: -+ * MODE_ECB - Use Electronic Code Book mode -+ * MODE_CBC - Use Cipher Block Chaining mode -+ * @param data_length -+ * Specifies the byte length of the input data. It has to be a multiple of the -+ * cipher block which has a size of 8 byte. -+ * @param input_data -+ * Pointer to the input data data to be decrypted. Must be a multiple of the -+ * cipher block to use hw acceleration. -+ * @param iv -+ * Pointer to a valid 8 byte initialization vector when using CBC mode. -+ * @param des_key -+ * Pointer to a triple length DES key. -+ * @param output_data -+ * Pointer to the buffer to contain the resulting decrypted data. Must be a -+ * multiple of the cipher block and at least as big as the buffer for -+ * input_data. -+ * -+ * @return 0 if successful. -+ * EINVAL if at least one invalid parameter is given. -+ * EIO if the operation fails. This should never happen. -+ */ -+/* XXX next major: remove */ -+ICA_EXPORT ICA_DEPRECATED -+unsigned int ica_3des_decrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_triple_t *des_key, -+ unsigned char *output_data); -+ -+/** -+ * @deprecated, use ica_aes_ecb() or ica_aes_cbc() instead. -+ * -+ * Encrypt data using AES (key_length is 16, 24, or 32) -+ * @param mode -+ * Specifies the operational mode and must be: -+ * MODE_ECB - Use Electronic Code Book mode -+ * MODE_CBC - Use Cipher Block Chaining mode -+ * @param data_length -+ * Specifies the byte length of the input data. Input data length has to be -+ * a multiple of the AES block length, which is 16 bytes. -+ * @param input_data -+ * Pointer to the input data data to be encrypted. Must be a multiple of the -+ * cipher block to use hw acceleration. -+ * @param iv -+ * Pointer to a valid 16 byte initialization vector when using CBC mode. -+ * @param key_length -+ * Length of the AES key being used. -+ * @param aes_key -+ * Pointer to an AES key. -+ * @param output_data -+ * Pointer to the buffer to contain the resulting encrypted data. Must be a -+ * multiple of the cipher block and at least as big as the buffer for -+ * input_data. -+ * -+ * @return 0 if successful. -+ * EINVAL if at least one invalid parameter is given. -+ * EIO if the operation fails. This should never happen. -+ */ -+/* XXX next major: remove */ -+ICA_EXPORT ICA_DEPRECATED -+unsigned int ica_aes_encrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_aes_vector_t *iv, -+ unsigned int key_length, -+ unsigned char *aes_key, -+ unsigned char *output_data); -+ -+/** -+ * @deprecated, use ica_aes_ecb() or ica_aes_cbc() instead. -+ * -+ * Decrypt data using AES (key_length is 16, 24, or 32) -+ * @param mode -+ * Specifies the operational mode and must be: -+ * MODE_ECB - Use Electronic Code Book mode -+ * MODE_CBC - Use Cipher Block Chaining mode -+ * @param data_length -+ * Specifies the byte length of the input data. Input data length has to be -+ * a multiple of the AES block length, which is 16 bytes. -+ * @param input_data -+ * Pointer to the input data to be decrypted. Must be a multiple of the -+ * cipher block to use hw acceleration. -+ * @param iv -+ * Pointer to a valid 16 byte initialization vector when using CBC mode. -+ * @param key_length -+ * Length of the AES key being used. -+ * @param aes_key -+ * Pointer to an AES key. -+ * @param output_data -+ * Pointer to the buffer to contain the resulting decrypted data. Must be a -+ * multiple of the cipher block and at least as big as the buffer for -+ * input_data. -+ * -+ * @return 0 if successful. -+ * EINVAL if at least one invalid parameter is given. -+ * EIO if the operation fails. This should never happen. -+ */ -+/* XXX next major: remove */ -+ICA_EXPORT ICA_DEPRECATED -+unsigned int ica_aes_decrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_aes_vector_t *iv, -+ unsigned int key_length, -+ unsigned char *aes_key, -+ unsigned char *output_data); -+ - /** - * Encrypt or decrypt data with an DES key using Electronic Cook Book (ECB) - * mode as described in NIST Special Publication 800-38A Chapter 6.1. -@@ -3485,6 +3706,15 @@ void ica_aes_gcm_kma_ctx_free(kma_ctx* ctx); - ICA_EXPORT - unsigned int ica_get_version(libica_version_info *version_info); - -+/* XXX next major: dont export, move to s390_crypto.h */ -+ICA_EXPORT ICA_DEPRECATED -+int s390_initialize_functionlist(void); -+ -+/* XXX next major: dont export, move to s390_crypto.h */ -+ICA_EXPORT ICA_DEPRECATED -+int s390_get_functionlist(libica_func_list_element *pmech_list, -+ unsigned int *pmech_list_len); -+ - /** - * Function that returns a list of crypto mechanisms supported by libica. - * @param pmech_list -diff --git a/libica.map b/libica.map -index 0a64d4c..0a71832 100644 ---- a/libica.map -+++ b/libica.map -@@ -3,11 +3,15 @@ LIBICA_3.0.0 { - _fini; - _init; - -+ s390_initialize_functionlist; -+ s390_get_functionlist; - ica_get_functionlist; - ica_get_version; - - ica_random_number_generate; - -+ ica_des_encrypt; -+ ica_des_decrypt; - ica_des_ecb; - ica_des_cbc; - ica_des_cbc_cs; -@@ -19,6 +23,8 @@ LIBICA_3.0.0 { - ica_des_cmac_intermediate; - ica_des_cmac_last; - -+ ica_3des_encrypt; -+ ica_3des_decrypt; - ica_3des_ecb; - ica_3des_cbc; - ica_3des_cbc_cs; -@@ -30,6 +36,8 @@ LIBICA_3.0.0 { - ica_3des_cmac_intermediate; - ica_3des_cmac_last; - -+ ica_aes_encrypt; -+ ica_aes_decrypt; - ica_aes_ecb; - ica_aes_cbc; - ica_aes_cbc_cs; -diff --git a/src/ica_api.c b/src/ica_api.c -index 42d9baf..3e13a29 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -2436,6 +2436,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx) - * - ******************************************************************************/ - -+unsigned int ica_des_encrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_single_t *des_key, -+ unsigned char *output_data) -+{ -+#ifdef NO_CPACF -+ UNUSED(mode); -+ UNUSED(data_length); -+ UNUSED(input_data); -+ UNUSED(iv); -+ UNUSED(des_key); -+ UNUSED(output_data); -+ return EPERM; -+#else -+#ifdef ICA_FIPS -+ if (fips) -+ return EACCES; -+#endif /* ICA_FIPS */ -+ -+ if (check_des_parms(mode, data_length, input_data, -+ (unsigned char *) iv, (unsigned char *) des_key, -+ output_data)) -+ return EINVAL; -+ -+ if (mode == MODE_ECB) { -+ return s390_des_ecb(DEA_ENCRYPT, data_length, -+ input_data, (unsigned char *) des_key, -+ output_data); -+ } else if (mode == MODE_CBC) { -+ return s390_des_cbc(DEA_ENCRYPT, data_length, -+ input_data, (unsigned char *) iv, -+ (unsigned char *) des_key, output_data); -+ } -+ return EINVAL; -+#endif /* NO_CPACF */ -+} -+ -+unsigned int ica_des_decrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_single_t *des_key, -+ unsigned char *output_data) -+{ -+#ifdef NO_CPACF -+ UNUSED(mode); -+ UNUSED(data_length); -+ UNUSED(input_data); -+ UNUSED(iv); -+ UNUSED(des_key); -+ UNUSED(output_data); -+ return EPERM; -+#else -+#ifdef ICA_FIPS -+ if (fips) -+ return EACCES; -+#endif /* ICA_FIPS */ -+ -+ if (check_des_parms(mode, data_length, input_data, -+ (unsigned char *) iv, (unsigned char *) des_key, -+ output_data)) -+ return EINVAL; -+ -+ if (mode == MODE_ECB) { -+ return s390_des_ecb(DEA_DECRYPT, data_length, -+ input_data, (unsigned char *) des_key, -+ output_data); -+ } else if (mode == MODE_CBC) { -+ return s390_des_cbc(DEA_DECRYPT, data_length, -+ input_data, (unsigned char *) iv, -+ (unsigned char *) des_key, output_data); -+ } -+ return EINVAL; -+#endif /* NO_CPACF */ -+} -+ -+unsigned int ica_3des_encrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_triple_t *des_key, -+ unsigned char *output_data) -+{ -+#ifdef NO_CPACF -+ UNUSED(mode); -+ UNUSED(data_length); -+ UNUSED(input_data); -+ UNUSED(iv); -+ UNUSED(des_key); -+ UNUSED(output_data); -+ return EPERM; -+#else -+#ifdef ICA_FIPS -+ if (fips >> 1) -+ return EACCES; -+ if (fips_check_3des_key(des_key)) -+ return EINVAL; -+#endif /* ICA_FIPS */ -+ -+ if (check_des_parms(mode, data_length, input_data, -+ (unsigned char *) iv, (unsigned char *) des_key, -+ output_data)) -+ return EINVAL; -+ -+ if (mode == MODE_ECB) { -+ return s390_des_ecb(TDEA_192_ENCRYPT, data_length, -+ input_data,(unsigned char *) des_key, -+ output_data); -+ } else if (mode == MODE_CBC) { -+ return s390_des_cbc(TDEA_192_ENCRYPT, data_length, -+ input_data, (unsigned char *) iv, -+ (unsigned char *) des_key, output_data); -+ } -+ return EINVAL; -+#endif /* NO_CPACF */ -+} -+ -+unsigned int ica_3des_decrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_des_vector_t *iv, -+ ica_des_key_triple_t *des_key, -+ unsigned char *output_data) -+{ -+#ifdef NO_CPACF -+ UNUSED(mode); -+ UNUSED(data_length); -+ UNUSED(input_data); -+ UNUSED(iv); -+ UNUSED(des_key); -+ UNUSED(output_data); -+ return EPERM; -+#else -+#ifdef ICA_FIPS -+ if (fips >> 1) -+ return EACCES; -+ if (fips_check_3des_key(des_key)) -+ return EINVAL; -+#endif /* ICA_FIPS */ -+ -+ if (check_des_parms(mode, data_length, input_data, -+ (unsigned char *) iv, (unsigned char *) des_key, -+ output_data)) -+ return EINVAL; -+ -+ if (mode == MODE_ECB) { -+ return s390_des_ecb(TDEA_192_DECRYPT, data_length, -+ input_data, (unsigned char *) des_key, -+ output_data); -+ } else if (mode == MODE_CBC) { -+ return s390_des_cbc(TDEA_192_DECRYPT, data_length, -+ input_data, (unsigned char *) iv, -+ (unsigned char *) des_key, output_data); -+ } -+ return EINVAL; -+#endif /* NO_CPACF */ -+} -+ -+unsigned int ica_aes_encrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_aes_vector_t *iv, -+ unsigned int key_length, -+ unsigned char *aes_key, -+ unsigned char *output_data) -+{ -+#ifdef NO_CPACF -+ UNUSED(mode); -+ UNUSED(data_length); -+ UNUSED(input_data); -+ UNUSED(iv); -+ UNUSED(key_length); -+ UNUSED(aes_key); -+ UNUSED(output_data); -+ return EPERM; -+#else -+ unsigned int function_code; -+ -+#ifdef ICA_FIPS -+ if (fips >> 1) -+ return EACCES; -+#endif /* ICA_FIPS */ -+ -+ /* check for obvious errors in parms */ -+ if (check_aes_parms(mode, data_length, input_data, -+ (unsigned char *) iv, key_length, aes_key, -+ output_data)) -+ return EINVAL; -+ -+ function_code = aes_directed_fc(key_length, ICA_ENCRYPT); -+ -+ switch (mode) { -+ case MODE_CBC: -+ return s390_aes_cbc(function_code, data_length, input_data, -+ (unsigned char *) iv, aes_key, -+ output_data); -+ case MODE_ECB: -+ return s390_aes_ecb(function_code, data_length, input_data, -+ aes_key, output_data); -+ default: -+ return EINVAL; -+ } -+ -+ return EINVAL; -+#endif /* NO_CPACF */ -+} -+ -+unsigned int ica_aes_decrypt(unsigned int mode, -+ unsigned int data_length, -+ unsigned char *input_data, -+ ica_aes_vector_t *iv, -+ unsigned int key_length, -+ unsigned char *aes_key, -+ unsigned char *output_data) -+{ -+#ifdef NO_CPACF -+ UNUSED(mode); -+ UNUSED(data_length); -+ UNUSED(input_data); -+ UNUSED(iv); -+ UNUSED(key_length); -+ UNUSED(aes_key); -+ UNUSED(output_data); -+ return EPERM; -+#else -+ unsigned int function_code; -+ -+#ifdef ICA_FIPS -+ if (fips >> 1) -+ return EACCES; -+#endif /* ICA_FIPS */ -+ -+ /* check for obvious errors in parms */ -+ if (check_aes_parms(mode, data_length, input_data, -+ (unsigned char *) iv, key_length, aes_key, -+ output_data)) -+ return EINVAL; -+ -+ function_code = aes_directed_fc(key_length, ICA_DECRYPT); -+ -+ switch (mode) { -+ case MODE_CBC: -+ return s390_aes_cbc(function_code, data_length, input_data, -+ (unsigned char *) iv, aes_key, -+ output_data); -+ case MODE_ECB: -+ return s390_aes_ecb(function_code, data_length, input_data, -+ aes_key, output_data); -+ default: -+ return EINVAL; -+ } -+ -+ return EINVAL; -+#endif /* NO_CPACF */ -+} -+ - unsigned int ica_des_ecb(const unsigned char *in_data, unsigned char *out_data, - unsigned long data_length, unsigned char *key, - unsigned int direction) -diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h -index 49cbb09..76f530f 100644 ---- a/src/include/s390_crypto.h -+++ b/src/include/s390_crypto.h -@@ -25,11 +25,6 @@ - - #include - --/* major 4.0: no more exported, now internal */ --int s390_initialize_functionlist(void); --int s390_get_functionlist(libica_func_list_element *pmech_list, -- unsigned int *pmech_list_len); -- - #ifndef OPENSSL_VERSION_PREREQ - #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR) - #define OPENSSL_VERSION_PREREQ(maj, min) \ -diff --git a/test/Makefile.am b/test/Makefile.am -index f220205..f756597 100644 ---- a/test/Makefile.am -+++ b/test/Makefile.am -@@ -7,16 +7,21 @@ get_version_test \ - rng_test \ - drbg_test \ - drbg_birthdays_test.pl \ -+des_test \ - des_ecb_test \ - des_cbc_test \ - des_ctr_test \ - des_cfb_test \ - des_ofb_test \ -+tdes_test \ - tdes_ecb_test \ - tdes_cbc_test \ - tdes_ctr_test \ - tdes_cfb_test \ - tdes_ofb_test \ -+aes_128_test \ -+aes_192_test \ -+aes_256_test \ - aes_ecb_test \ - aes_cbc_test \ - aes_ctr_test \ -@@ -71,10 +76,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c - get_functionlist_cex_test_LDADD = @LIBS@ ${top_builddir}/src/.libs/libica-cex.so -lcrypto -lpthread - - check_PROGRAMS = fips_test icastats_test get_functionlist_test \ --get_version_test rng_test drbg_test drbg_birthdays_test \ -+get_version_test rng_test drbg_test drbg_birthdays_test des_test \ - des_ecb_test des_cbc_test des_ctr_test des_cfb_test des_ofb_test \ --tdes_ecb_test tdes_cbc_test tdes_ctr_test tdes_cfb_test \ --tdes_ofb_test aes_ecb_test \ -+tdes_test tdes_ecb_test tdes_cbc_test tdes_ctr_test tdes_cfb_test \ -+tdes_ofb_test aes_128_test aes_192_test aes_256_test aes_ecb_test \ - aes_cbc_test aes_ctr_test aes_cfb_test aes_ofb_test aes_xts_test \ - aes_gcm_test aes_gcm_kma_test cbccs_test ccm_test cmac_test sha_test \ - sha1_test sha256_test sha3_224_test sha3_256_test sha3_384_test \ -diff --git a/test/aes_128_test.c b/test/aes_128_test.c -new file mode 100644 -index 0000000..d5667bb ---- /dev/null -+++ b/test/aes_128_test.c -@@ -0,0 +1,284 @@ -+/* This program is released under the Common Public License V1.0 -+ * -+ * You should have received a copy of Common Public License V1.0 along with -+ * with this program. -+ */ -+ -+/* Copyright IBM Corp. 2005, 2009, 2011 */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "ica_api.h" -+#include -+#include -+#include "testcase.h" -+ -+unsigned char NIST_KEY1[] = { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, -+}; -+ -+unsigned char NIST_TEST_DATA[] = { -+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, -+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, -+}; -+ -+unsigned char NIST_TEST_RESULT[] = { -+ 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, -+ 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a, -+}; -+ -+int test_aes128_new_api(int mode) -+{ -+ ica_aes_vector_t iv; -+ unsigned char key[AES_KEY_LEN128]; -+ int rc = 0; -+ unsigned char dec_text[sizeof(NIST_TEST_DATA)], -+ enc_text[sizeof(NIST_TEST_DATA)]; -+ -+ bzero(dec_text, sizeof(dec_text)); -+ bzero(enc_text, sizeof(enc_text)); -+ bzero(iv, sizeof(iv)); -+ bcopy(NIST_KEY1, key, sizeof(NIST_KEY1)); -+ -+ rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, -+ AES_KEY_LEN128, key, enc_text); -+ if (rc) { -+ VV_(printf("key \n")); -+ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("test iv\n")); -+ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); -+ VV_(printf("key\n")); -+ dump_array((unsigned char *) key, AES_KEY_LEN128); -+ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { -+ VV_(printf("key \n")); -+ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("test iv\n")); -+ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); -+ VV_(printf("key\n")); -+ dump_array((unsigned char *) key, AES_KEY_LEN128); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) enc_text, sizeof(enc_text)); -+ VV_(printf("This does NOT match the known result.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Yep, it's what it should be.\n")); -+ } -+ -+ bzero(iv, sizeof(iv)); -+ rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, -+ AES_KEY_LEN128, key, dec_text); -+ if (rc) { -+ VV_(printf("key \n")); -+ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("test iv\n")); -+ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); -+ VV_(printf("key\n")); -+ dump_array((unsigned char *) key, AES_KEY_LEN128); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) enc_text, sizeof(enc_text)); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char *) dec_text, sizeof(dec_text)); -+ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { -+ VV_(printf("This does NOT match the original data.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Successful!\n")); -+ VV_(printf("key \n")); -+ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("test iv\n")); -+ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); -+ VV_(printf("key\n")); -+ dump_array((unsigned char *) key, AES_KEY_LEN128); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) enc_text, sizeof(enc_text)); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char *) dec_text, sizeof(dec_text)); -+ } -+ -+// Test 2 -+ -+ rc = 0; -+ bzero(dec_text, sizeof(dec_text)); -+ bzero(enc_text, sizeof(enc_text)); -+ bzero(iv, sizeof(iv)); -+ bzero(key, sizeof(key)); -+ -+ unsigned int length = 64; -+ unsigned char *decrypt = malloc(length); -+ unsigned char *encrypt = malloc(length); -+ unsigned char *original = malloc(length); -+ ica_aes_key_len_128_t key2; -+ -+ rc = ica_random_number_generate(length, original); -+ if (rc) { -+ VV_(printf("ica_random_number_generate returned rc = %i\n", rc)); -+ return TEST_FAIL; -+ } -+ -+ rc = ica_random_number_generate(AES_KEY_LEN128, (unsigned char *) &key2); -+ if (rc) { -+ VV_(printf("ica_random_number_generate returned rc = %i\n", rc)); -+ return TEST_FAIL; -+ } -+ -+ rc = ica_aes_encrypt(mode, length, original, &iv, AES_KEY_LEN128, (unsigned char *) &key2, -+ (unsigned char *) encrypt); -+ if (rc) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) original, length); -+ VV_(printf("KEY: \n")); -+ dump_array((unsigned char *) &key2, AES_KEY_LEN128); -+ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(encrypt, original, length) == 0) { -+ VV_(printf("Encrypt and original are the same.\n")); -+ return TEST_FAIL; -+ } -+ -+ bzero(iv, sizeof(iv)); -+ rc = ica_aes_decrypt(mode, length, encrypt, &iv, AES_KEY_LEN128, -+ (unsigned char *) &key2, decrypt); -+ if (rc) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) original, length); -+ VV_(printf("KEY: \n")); -+ dump_array((unsigned char *) &key2, AES_KEY_LEN128); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) encrypt, length); -+ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); -+ goto free; -+ } -+ -+ if (memcmp(decrypt, original, length) != 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) original, length); -+ VV_(printf("KEY: \n")); -+ dump_array((unsigned char *) &key2, AES_KEY_LEN128); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) encrypt, length); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char *) decrypt, length); -+ VV_(printf("This does NOT match the original data.\n")); -+ rc = -1; -+ goto free; -+ } -+ -+ if(memcmp(decrypt, encrypt, length) == 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) original, length); -+ VV_(printf("KEY: \n")); -+ dump_array((unsigned char *) &key2, AES_KEY_LEN128); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) encrypt, length); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char *) decrypt, length); -+ VV_(printf("decrypt and encrypt are the same\n")); -+ rc = -1; -+ goto free; -+ -+ } else { -+ VV_(printf("Successful!\n")); -+ } -+free: -+ free(original); -+ free(encrypt); -+ free(decrypt); -+ -+ if (rc) -+ return TEST_FAIL; -+ -+ return TEST_SUCC; -+} -+ -+/* -+ * Performs ECB and CBC tests. -+ */ -+int main(int argc, char **argv) -+{ -+#ifdef NO_CPACF -+ UNUSED(argc); -+ UNUSED(argv); -+ printf("Skipping AES-128 test, because CPACF support disabled via config option.\n"); -+ return TEST_SKIP; -+#else -+ unsigned int mode = 0; -+ int rc = 0; -+ int error_count = 0; -+ -+ if (argc > 1) { -+ if (strstr(argv[1], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[1], "cbc")) -+ mode = MODE_CBC; -+ } -+ -+ if (argc > 2) { -+ if (strstr(argv[2], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[2], "cbc")) -+ mode = MODE_CBC; -+ } -+ -+ set_verbosity(argc, argv); -+ -+ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { -+ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); -+ return TEST_ERR; -+ } -+ -+ if (!mode) { -+ /* This is the standard loop that will perform all testcases */ -+ mode = 2; -+ while (mode) { -+ rc = test_aes128_new_api(mode); -+ if (rc) { -+ error_count++; -+ V_(printf ("test_aes_new_api mode = %i failed \n", mode)); -+ } -+ else { -+ V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); -+ } -+ mode--; -+ } -+ if (error_count) -+ printf("%i AES-128-ECB/CBC tests failed.\n", error_count); -+ else -+ printf("All AES-128-ECB/CBC tests passed.\n"); -+ } else { -+ /* Perform only either in ECB or CBC mode */ -+ rc = test_aes128_new_api(mode); -+ if (rc) -+ printf ("test_aes_new_api mode = %i failed \n", mode); -+ else { -+ printf ("test_aes_new_api mode = %i finished.\n", mode); -+ } -+ } -+ -+ if (rc) -+ return TEST_FAIL; -+ -+ return TEST_SUCC; -+#endif /* NO_CPACF */ -+} -diff --git a/test/aes_192_test.c b/test/aes_192_test.c -new file mode 100644 -index 0000000..e803f39 ---- /dev/null -+++ b/test/aes_192_test.c -@@ -0,0 +1,163 @@ -+/* This program is released under the Common Public License V1.0 -+ * -+ * You should have received a copy of Common Public License V1.0 along with -+ * with this program. -+ */ -+ -+/* Copyright IBM Corp. 2005, 2009, 2011 */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "ica_api.h" -+#include "testcase.h" -+ -+unsigned char NIST_KEY2[] = { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -+}; -+ -+unsigned char NIST_TEST_DATA[] = { -+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, -+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, -+}; -+ -+unsigned char NIST_TEST_RESULT[] = { -+ 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, -+ 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91, -+}; -+ -+int test_aes192_new_api(int mode) -+{ -+ ica_aes_vector_t iv; -+ ica_aes_key_len_192_t key; -+ int rc = 0; -+ unsigned char dec_text[sizeof(NIST_TEST_DATA)], -+ enc_text[sizeof(NIST_TEST_DATA)]; -+ -+ bzero(dec_text, sizeof(dec_text)); -+ bzero(enc_text, sizeof(enc_text)); -+ bzero(iv, sizeof(iv)); -+ bcopy(NIST_KEY2, key, sizeof(NIST_KEY2)); -+ -+ rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, -+ AES_KEY_LEN192, (unsigned char *) &key, enc_text); -+ if (rc) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char*)enc_text, sizeof(enc_text)); -+ VV_(printf("This does NOT match the known result.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Yep, it's what it should be.\n")); -+ } -+ -+ bzero(iv, sizeof(iv)); -+ rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, -+ AES_KEY_LEN192, (unsigned char *) &key, dec_text); -+ if (rc != 0) { -+ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char*)enc_text, sizeof(enc_text)); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char*)dec_text, sizeof(dec_text)); -+ VV_(printf("This does NOT match the original data.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Successful!\n")); -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char*)enc_text, sizeof(enc_text)); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char*)dec_text, sizeof(dec_text)); -+ } -+ -+ return TEST_SUCC; -+} -+ -+/* -+ * Performs ECB and CBC tests. -+ */ -+int main(int argc, char **argv) -+{ -+#ifdef NO_CPACF -+ UNUSED(argc); -+ UNUSED(argv); -+ printf("Skipping AES-192 test, because CPACF support disabled via config option.\n"); -+ return TEST_SKIP; -+#else -+ unsigned int mode = 0; -+ int rc = 0; -+ int error_count = 0; -+ -+ if (argc > 1) { -+ if (strstr(argv[1], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[1], "cbc")) -+ mode = MODE_CBC; -+ } -+ if (argc > 2) { -+ if (strstr(argv[2], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[2], "cbc")) -+ mode = MODE_CBC; -+ } -+ -+ set_verbosity(argc, argv); -+ -+ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { -+ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); -+ return TEST_ERR; -+ } -+ -+ if (!mode) { -+ /* This is the standard loop that will perform all testcases */ -+ mode = 2; -+ while (mode) { -+ rc = test_aes192_new_api(mode); -+ if (rc) { -+ error_count++; -+ V_(printf ("test_aes_new_api mode = %i failed \n", mode)); -+ } else { -+ V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); -+ } -+ mode--; -+ } -+ if (error_count) -+ printf("%i AES-192-ECB/CBC tests failed.\n", error_count); -+ else -+ printf("All AES-192-ECB/CBC tests passed.\n"); -+ } else { -+ /* Perform only either in ECB or CBC mode */ -+ rc = test_aes192_new_api(mode); -+ if (rc) -+ printf ("test_aes_new_api mode = %i failed \n", mode); -+ else { -+ printf ("test_aes_new_api mode = %i finished.\n", mode); -+ } -+ } -+ -+ if (rc) -+ return TEST_FAIL; -+ -+ return TEST_SUCC; -+#endif /* NO_CPACF */ -+} -diff --git a/test/aes_256_test.c b/test/aes_256_test.c -new file mode 100644 -index 0000000..30f01f0 ---- /dev/null -+++ b/test/aes_256_test.c -@@ -0,0 +1,162 @@ -+/* This program is released under the Common Public License V1.0 -+ * -+ * You should have received a copy of Common Public License V1.0 along with -+ * with this program. -+ */ -+ -+/* Copyright IBM Corp. 2005, 2009, 2011 */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "ica_api.h" -+#include "testcase.h" -+ -+unsigned char NIST_KEY3[] = { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, -+}; -+ -+unsigned char NIST_TEST_DATA[] = { -+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, -+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, -+}; -+ -+unsigned char NIST_TEST_RESULT[] = { -+ 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, -+ 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89, -+}; -+ -+int test_aes256_new_api(int mode) -+{ -+ ica_aes_vector_t iv; -+ unsigned char key[AES_KEY_LEN256]; -+ int rc = 0; -+ unsigned char dec_text[sizeof(NIST_TEST_DATA)], -+ enc_text[sizeof(NIST_TEST_DATA)]; -+ -+ bzero(dec_text, sizeof(dec_text)); -+ bzero(enc_text, sizeof(enc_text)); -+ bzero(iv, sizeof(iv)); -+ bcopy(NIST_KEY3, key, sizeof(NIST_KEY3)); -+ -+ rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, -+ AES_KEY_LEN256, key, enc_text); -+ if (rc) { -+ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) enc_text, sizeof(enc_text)); -+ VV_(printf("This does NOT match the known result.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Yep, it's what it should be.\n")); -+ } -+ -+ bzero(iv, sizeof(iv)); -+ rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, -+ AES_KEY_LEN256, key, dec_text); -+ if (rc) { -+ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) enc_text, sizeof(enc_text)); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char *) dec_text, sizeof(dec_text)); -+ VV_(printf("This does NOT match the original data.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array((unsigned char *) enc_text, sizeof(enc_text)); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array((unsigned char *) dec_text, sizeof(dec_text)); -+ VV_(printf("Successful!\n")); -+ } -+ -+ return TEST_SUCC; -+} -+ -+/* -+ * Performs ECB and CBC tests. -+ */ -+int main(int argc, char **argv) -+{ -+#ifdef NO_CPACF -+ UNUSED(argc); -+ UNUSED(argv); -+ printf("Skipping AES-256 test, because CPACF support disabled via config option.\n"); -+ return TEST_SKIP; -+#else -+ unsigned int mode = 0; -+ int rc = 0; -+ int error_count = 0; -+ -+ if (argc > 1) { -+ if (strstr(argv[1], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[1], "cbc")) -+ mode = MODE_CBC; -+ } -+ if (argc > 2) { -+ if (strstr(argv[2], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[2], "cbc")) -+ mode = MODE_CBC; -+ } -+ -+ set_verbosity(argc, argv); -+ -+ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { -+ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); -+ return TEST_ERR; -+ } -+ -+ if (!mode) { -+ /* This is the standard loop that will perform all testcases */ -+ mode = 2; -+ while (mode) { -+ rc = test_aes256_new_api(mode); -+ if (rc) { -+ error_count++; -+ V_(printf ("test_aes_new_api mode = %i failed \n", mode)); -+ } -+ else { -+ V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); -+ } -+ mode--; -+ } -+ if (error_count) -+ printf("%i AES-256-ECB/CBC tests failed.\n", error_count); -+ else -+ printf("All AES-256-ECB/CBC tests passed.\n"); -+ } else { -+ /* Perform only either in ECB or CBC mode */ -+ rc = test_aes256_new_api(mode); -+ if (rc) -+ printf("test_aes_new_api mode = %i failed \n", mode); -+ else -+ printf("test_aes_new_api mode = %i finished.\n", mode); -+ } -+ -+ if (rc) -+ return TEST_FAIL; -+ -+ return TEST_SUCC; -+#endif /* NO_CPACF */ -+} -diff --git a/test/des_test.c b/test/des_test.c -new file mode 100644 -index 0000000..c796792 ---- /dev/null -+++ b/test/des_test.c -@@ -0,0 +1,157 @@ -+/* This program is released under the Common Public License V1.0 -+ * -+ * You should have received a copy of Common Public License V1.0 along with -+ * with this program. -+ */ -+ -+/* Copyright IBM Corp. 2001, 2009, 2011 */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "ica_api.h" -+#include "testcase.h" -+ -+const int cipher_buf_length = 8; -+ -+unsigned char NIST_KEY1[] = -+ { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; -+ -+unsigned char NIST_TEST_DATA[] = -+ { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }; -+ -+unsigned char NIST_TEST_RESULT[] = -+ { 0x69, 0x0f, 0x5b, 0x0d, 0x9a, 0x26, 0x93, 0x9b }; -+ -+int test_des_new_api(int mode) -+{ -+ ica_des_vector_t iv; -+ ica_des_key_single_t key; -+ int rc = 0; -+ unsigned char dec_text[sizeof NIST_TEST_DATA], -+ enc_text[sizeof NIST_TEST_DATA]; -+ -+ bzero(dec_text, sizeof dec_text); -+ bzero(enc_text, sizeof enc_text); -+ bzero(iv, sizeof iv); -+ bcopy(NIST_KEY1, key, sizeof NIST_KEY1); -+ -+ rc = ica_des_encrypt(mode, sizeof NIST_TEST_DATA, NIST_TEST_DATA, &iv, -+ &key, enc_text); -+ if (rc) { -+ VV_(printf("\nOriginal data:\n"); -+ dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA)); -+ VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array(enc_text, sizeof enc_text); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof NIST_TEST_RESULT) != 0) { -+ VV_(printf("This does NOT match the known result.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Yep, it's what it should be.\n")); -+ } -+ -+ bzero(iv, sizeof iv); -+ rc = ica_des_decrypt(mode, sizeof enc_text, enc_text, &iv, &key, -+ dec_text); -+ if (rc) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA); -+ VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array(enc_text, sizeof enc_text); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array(dec_text, sizeof dec_text); -+ VV_(printf("ica_des_decrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ if (memcmp(dec_text, NIST_TEST_DATA, sizeof NIST_TEST_DATA) != 0) { -+ VV_(printf("\nOriginal data:\n")); -+ dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA); -+ VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array(enc_text, sizeof enc_text); -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array(dec_text, sizeof dec_text); -+ VV_(printf("This does NOT match the original data.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Successful!\n")); -+ } -+ -+ return TEST_SUCC; -+} -+ -+int main(int argc, char **argv) -+{ -+#ifdef NO_CPACF -+ UNUSED(argc); -+ UNUSED(argv); -+ printf("Skipping DES test, because CPACF support disabled via config option.\n"); -+ return TEST_SKIP; -+#else -+ unsigned int mode = 0; -+ int rc = 0; -+ int error_count = 0; -+ -+ set_verbosity(argc, argv); -+ -+#ifdef ICA_FIPS -+ if (ica_fips_status() & ICA_FIPS_MODE) { -+ printf("All DES new api tests skipped." -+ " (DES not FIPS approved)\n"); -+ return TEST_SKIP; -+ } -+#endif /* ICA_FIPS */ -+ -+ if (argc > 1) { -+ if (strstr(argv[1], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[1], "cbc")) -+ mode = MODE_CBC; -+ V_(printf("mode = %i \n", mode)); -+ } -+ -+ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { -+ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); -+ return TEST_ERR; -+ } -+ if (!mode) { -+ /* This is the standard loop that will perform all testcases */ -+ mode = 2; -+ while (mode) { -+ rc = test_des_new_api(mode); -+ if (rc) { -+ error_count++; -+ V_(printf ("test_des_new_api mode = %i failed \n", mode)); -+ } -+ else { -+ V_(printf ("test_des_new_api mode = %i finished.\n", mode)); -+ } -+ mode--; -+ } -+ if (error_count) -+ printf("%i tests failed.\n", error_count); -+ else -+ printf("All tests passed.\n"); -+ } else { -+ /* Perform only either in ECB or CBC mode */ -+ rc = test_des_new_api(mode); -+ if (rc) -+ printf ("test_des_new_api mode = %i failed \n", mode); -+ else -+ printf ("test_des_new_api mode = %i finished.\n", mode); -+ } -+ -+ if (rc) -+ return TEST_FAIL; -+ -+ return TEST_SUCC; -+#endif /* NO_CPACF */ -+} -diff --git a/test/tdes_test.c b/test/tdes_test.c -new file mode 100644 -index 0000000..bfa33c2 ---- /dev/null -+++ b/test/tdes_test.c -@@ -0,0 +1,148 @@ -+/* This program is released under the Common Public License V1.0 -+ * -+ * You should have received a copy of Common Public License V1.0 along with -+ * with this program. -+ */ -+ -+/* Copyright IBM Corp. 2001, 2009, 2011 */ -+#include -+#include -+#include -+#include -+#include -+#include "ica_api.h" -+#include "testcase.h" -+ -+unsigned char KEY1[] = -+ { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; -+ -+unsigned char KEY2[] = -+ { 0x8c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; -+ -+unsigned char KEY3[] = -+ { 0x9c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; -+ -+unsigned char TEST_DATA[] = -+ { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }; -+ -+unsigned char TEST_RESULT[] = -+ { 0x90, 0x9c, 0xbc, 0x01, 0xc5, 0x1f, 0x09, 0x60 }; -+ -+int test_3des_new_api(int mode) -+{ -+ ica_des_vector_t iv; -+ ica_des_key_triple_t key; -+ int rc = 0; -+ unsigned char dec_text[sizeof(TEST_DATA)], -+ enc_text[sizeof(TEST_DATA)]; -+ -+ bzero(dec_text, sizeof(dec_text)); -+ bzero(enc_text, sizeof(enc_text)); -+ bzero(iv, sizeof(iv)); -+ bcopy(KEY1, key.key1, sizeof(KEY1)); -+ bcopy(KEY2, key.key2, sizeof(KEY2)); -+ bcopy(KEY3, key.key3, sizeof(KEY3)); -+ -+ VV_(printf("\nOriginal data:\n")); -+ dump_array(TEST_DATA, sizeof(TEST_DATA)); -+ -+ rc = ica_3des_encrypt(mode, sizeof(TEST_DATA), TEST_DATA, -+ &iv, &key, enc_text); -+ if (rc != 0) { -+ VV_(printf("ica_3des_encrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ VV_(printf("\nEncrypted data:\n")); -+ dump_array(enc_text, sizeof(enc_text)); -+ if (memcmp(enc_text, TEST_RESULT, sizeof TEST_RESULT) != 0) { -+ VV_(printf("This does NOT match the known result.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Yep, it's what it should be.\n")); -+ } -+ -+ bzero(iv, sizeof(iv)); -+ rc = ica_3des_decrypt(mode, sizeof(enc_text), enc_text, -+ &iv, &key, dec_text); -+ if (rc != 0) { -+ VV_(printf("ica_3des_decrypt failed with errno %d (0x%x).\n", rc, rc)); -+ return TEST_FAIL; -+ } -+ -+ VV_(printf("\nDecrypted data:\n")); -+ dump_array(dec_text, sizeof(dec_text)); -+ if (memcmp(dec_text, TEST_DATA, sizeof(TEST_DATA)) != 0) { -+ VV_(printf("This does NOT match the original data.\n")); -+ return TEST_FAIL; -+ } else { -+ VV_(printf("Successful!\n")); -+ } -+ -+ return TEST_SUCC; -+} -+ -+/* -+ * Performs ECB and CBC tests. -+ */ -+int main(int argc, char **argv) -+{ -+#ifdef NO_CPACF -+ UNUSED(argc); -+ UNUSED(argv); -+ printf("Skipping TDES test, because CPACF support disabled via config option.\n"); -+ return TEST_SKIP; -+#else -+ unsigned int mode = 0; -+ int rc = 0; -+ int error_count = 0; -+ -+ if (argc > 1) { -+ if (strstr(argv[1], "ecb")) -+ mode = MODE_ECB; -+ if (strstr(argv[1], "cbc")) -+ mode = MODE_CBC; -+ V_(printf("mode = %i \n", mode)); -+ } -+ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { -+ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); -+ return TEST_ERR; -+ } -+ -+ set_verbosity(argc, argv); -+ -+ if (!mode) { -+ /* This is the standard loop that will perform all testcases */ -+ mode = 2; -+ while (mode) { -+ rc = test_3des_new_api(mode); -+ if (rc) { -+ error_count++; -+ V_(printf ("test_des_new_api mode = %i failed \n", mode)); -+ } -+ else { -+ V_(printf ("test_des_new_api mode = %i finished.\n", mode)); -+ } -+ -+ mode--; -+ } -+ if (error_count) -+ printf("%i tests failed.\n", error_count); -+ else -+ printf("All tests passed.\n"); -+ } else { -+ /* Perform only either in ECB or CBC mode */ -+ rc = test_3des_new_api(mode); -+ if (rc) -+ printf ("test_des_new_api mode = %i failed \n", mode); -+ else -+ printf ("test_des_new_api mode = %i finished.\n", mode); -+ } -+ -+ if (rc || error_count) -+ return TEST_FAIL; -+ -+ return TEST_SUCC; -+#endif /* NO_CPACF */ -+} -+ --- -2.38.1 - - -From 740531ec03c7dd79e185136b0b1970aa1cd1d924 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20Hor=C3=A1k?= -Date: Tue, 25 Oct 2022 13:54:11 +0200 -Subject: [libica PATCH 2/2] add back fips_check_3des_key() - -Partially revert 56b9ac0669e4d204ecb3f23e5404c2351cca96a2 by adding back -a function that's required by the previously reverted code. ---- - src/ica_api.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/ica_api.c b/src/ica_api.c -index 3e13a29..1bd81bb 100644 ---- a/src/ica_api.c -+++ b/src/ica_api.c -@@ -91,6 +91,16 @@ void ica_set_stats_mode(int stats_mode) - } - - #ifndef NO_CPACF -+#ifdef ICA_FIPS -+static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { -+ if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64) -+ | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64) -+ | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64)) -+ return EINVAL; -+ -+ return 0; -+} -+#endif - - static unsigned int check_des_parms(unsigned int mode, - unsigned long data_length, --- -2.38.1 - diff --git a/SOURCES/libica-4.1.1-shmem.patch b/SOURCES/libica-4.1.1-shmem.patch deleted file mode 100644 index 0343471..0000000 --- a/SOURCES/libica-4.1.1-shmem.patch +++ /dev/null @@ -1,35 +0,0 @@ -From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Wed, 1 Feb 2023 10:54:33 +0100 -Subject: [libica PATCH] bugfix: permission denied on shared memory segments - -A change to the Linux kernel in 4.19 for added security is -changing the behavior when opening shared memory segments. -The O_CREAT flag must not be used for existing segments. - -Signed-off-by: Joerg Schmidbauer ---- - src/icastats_shared.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/icastats_shared.c b/src/icastats_shared.c -index bbc8d0e..8290239 100644 ---- a/src/icastats_shared.c -+++ b/src/icastats_shared.c -@@ -54,9 +54,10 @@ int stats_mmap(int user) - sprintf(shm_id, "icastats_%d", - user == -1 ? geteuid() : (uid_t)user); - -- stats_shm_handle = shm_open(shm_id, -- O_CREAT | O_RDWR, -- S_IRUSR | S_IWUSR); -+ stats_shm_handle = shm_open(shm_id, O_RDWR, S_IRUSR | S_IWUSR); -+ -+ if (stats_shm_handle == -1) -+ stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR); - - if (stats_shm_handle == -1) - return rc; --- -2.39.1 - diff --git a/SOURCES/libica-4.2.2-icastats-summary.patch b/SOURCES/libica-4.2.2-icastats-summary.patch new file mode 100644 index 0000000..2558bc0 --- /dev/null +++ b/SOURCES/libica-4.2.2-icastats-summary.patch @@ -0,0 +1,231 @@ +From f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Tue, 18 Jul 2023 09:21:54 +0200 +Subject: [libica PATCH] icastats: Fix summary option to display correct + summary information + +The '--summary' option of icastats did not display correct statistics since +the introduction of per key keysize counters with libica version 4.0.0. + +To display the correct summary counters, the all-key-size-counter values of an +algorithm that supports multiple key sizes must be calculated like it is done +in get_stats_data(). Adjust get_stats_data() function and friends so that it +now also can be called from get_stats_sum() and can optionally operate on a +specified statistics segment (i.e. the one where the summary statistics have +been calculated in), not just the global one. + +Signed-off-by: Ingo Franzki +--- + src/icastats.c | 4 +- + src/icastats_shared.c | 102 +++++++++++++++++++++++------------------ + src/include/icastats.h | 5 +- + 3 files changed, 62 insertions(+), 49 deletions(-) + +diff --git a/src/icastats.c b/src/icastats.c +index e98617f..07b0d50 100644 +--- a/src/icastats.c ++++ b/src/icastats.c +@@ -302,7 +302,7 @@ int main(int argc, char *argv[]) + perror("malloc: "); + return EXIT_FAILURE; + } +- get_stats_data(entries); ++ get_stats_data(NULL, entries); + if (json) { + print_stats_json(entries, usr); + } else { +@@ -358,7 +358,7 @@ int main(int argc, char *argv[]) + perror("malloc: "); + return EXIT_FAILURE; + } +- get_stats_data(stats); ++ get_stats_data(NULL, stats); + if (json) { + pswd = getpwuid(user == -1 ? geteuid() : (uid_t)user); + if (pswd == NULL) { +diff --git a/src/icastats_shared.c b/src/icastats_shared.c +index 8290239..f8e8563 100644 +--- a/src/icastats_shared.c ++++ b/src/icastats_shared.c +@@ -124,39 +124,46 @@ void stats_munmap(int user, int unlink) + * @direction - valid values are ENCRYPT and DECRYPT + */ + +-uint64_t stats_query(stats_fields_t field, int hardware, int direction) ++uint64_t stats_query(stats_entry_t *source, stats_fields_t field, ++ int hardware, int direction) + { +- if (stats == NULL) ++ if (source == NULL) ++ source = stats; ++ ++ if (source == NULL) + return 0; + + if (direction == ENCRYPT) + if (hardware == ALGO_HW) +- return stats[field].enc.hw; ++ return source[field].enc.hw; + else +- return stats[field].enc.sw; ++ return source[field].enc.sw; + else + if (hardware == ALGO_HW) +- return stats[field].dec.hw; ++ return source[field].dec.hw; + else +- return stats[field].dec.sw; ++ return source[field].dec.sw; + } + +-static uint64_t calc_summary(stats_fields_t start, unsigned int num, ++static uint64_t calc_summary(stats_entry_t *source, ++ stats_fields_t start, unsigned int num, + int hardware, int direction) + { + unsigned int i; + uint64_t sum = 0; + + for (i = 0; i < num; i++) +- sum += stats_query(start + i, hardware, direction); ++ sum += stats_query(source, start + i, hardware, direction); + + return sum; + } + + /* Returns the statistic data in a stats_entry_t array ++ * @source - source of the statistics data. If NULL, then the global stats ++ * are used, which must have been mapped via stats_mmap() before. + * @entries - Needs to be a array of size ICA_NUM_STATS. + */ +-void get_stats_data(stats_entry_t *entries) ++void get_stats_data(stats_entry_t *source, stats_entry_t *entries) + { + unsigned int i; + for (i = 0; i < ICA_NUM_STATS; i++) { +@@ -168,58 +175,62 @@ void get_stats_data(stats_entry_t *entries) + case ICA_STATS_AES_CTR: + case ICA_STATS_AES_CMAC: + case ICA_STATS_AES_GCM: +- entries[i].enc.hw = calc_summary(i + 1, 3, +- ALGO_HW, ENCRYPT); +- entries[i].enc.sw = calc_summary(i + 1, 3, +- ALGO_SW, ENCRYPT); +- entries[i].dec.hw = calc_summary(i + 1, 3, +- ALGO_HW, DECRYPT); +- entries[i].dec.sw = calc_summary(i + 1, 3, +- ALGO_SW, DECRYPT); ++ entries[i].enc.hw = calc_summary(source, i + 1, 3, ++ ALGO_HW, ENCRYPT); ++ entries[i].enc.sw = calc_summary(source, i + 1, 3, ++ ALGO_SW, ENCRYPT); ++ entries[i].dec.hw = calc_summary(source, i + 1, 3, ++ ALGO_HW, DECRYPT); ++ entries[i].dec.sw = calc_summary(source, i + 1, 3, ++ ALGO_SW, DECRYPT); + break; + + case ICA_STATS_AES_XTS: +- entries[i].enc.hw = calc_summary(i + 1, 2, +- ALGO_HW, ENCRYPT); +- entries[i].enc.sw = calc_summary(i + 1, 2, +- ALGO_SW, ENCRYPT); +- entries[i].dec.hw = calc_summary(i + 1, 2, +- ALGO_HW, DECRYPT); +- entries[i].dec.sw = calc_summary(i + 1, 2, +- ALGO_SW, DECRYPT); ++ entries[i].enc.hw = calc_summary(source, i + 1, 2, ++ ALGO_HW, ENCRYPT); ++ entries[i].enc.sw = calc_summary(source, i + 1, 2, ++ ALGO_SW, ENCRYPT); ++ entries[i].dec.hw = calc_summary(source, i + 1, 2, ++ ALGO_HW, DECRYPT); ++ entries[i].dec.sw = calc_summary(source, i + 1, 2, ++ ALGO_SW, DECRYPT); + break; + + case ICA_STATS_RSA_ME: + case ICA_STATS_RSA_CRT: +- entries[i].enc.hw = calc_summary(i + 1, 4, +- ALGO_HW, ENCRYPT); +- entries[i].enc.sw = calc_summary(i + 1, 4, +- ALGO_SW, ENCRYPT); +- entries[i].dec.hw = calc_summary(i + 1, 4, +- ALGO_HW, DECRYPT); +- entries[i].dec.sw = calc_summary(i + 1, 4, +- ALGO_SW, DECRYPT); ++ entries[i].enc.hw = calc_summary(source, i + 1, 4, ++ ALGO_HW, ENCRYPT); ++ entries[i].enc.sw = calc_summary(source, i + 1, 4, ++ ALGO_SW, ENCRYPT); ++ entries[i].dec.hw = calc_summary(source, i + 1, 4, ++ ALGO_HW, DECRYPT); ++ entries[i].dec.sw = calc_summary(source, i + 1, 4, ++ ALGO_SW, DECRYPT); + break; + + case ICA_STATS_ECDH: + case ICA_STATS_ECDSA_SIGN: + case ICA_STATS_ECDSA_VERIFY: + case ICA_STATS_ECKGEN: +- entries[i].enc.hw = calc_summary(i + 1, 8, +- ALGO_HW, ENCRYPT); +- entries[i].enc.sw = calc_summary(i + 1, 8, +- ALGO_SW, ENCRYPT); +- entries[i].dec.hw = calc_summary(i + 1, 8, +- ALGO_HW, DECRYPT); +- entries[i].dec.sw = calc_summary(i + 1, 8, +- ALGO_SW, DECRYPT); ++ entries[i].enc.hw = calc_summary(source, i + 1, 8, ++ ALGO_HW, ENCRYPT); ++ entries[i].enc.sw = calc_summary(source, i + 1, 8, ++ ALGO_SW, ENCRYPT); ++ entries[i].dec.hw = calc_summary(source, i + 1, 8, ++ ALGO_HW, DECRYPT); ++ entries[i].dec.sw = calc_summary(source, i + 1, 8, ++ ALGO_SW, DECRYPT); + break; + + default: +- entries[i].enc.hw = stats_query(i, ALGO_HW, ENCRYPT); +- entries[i].enc.sw = stats_query(i, ALGO_SW, ENCRYPT); +- entries[i].dec.hw = stats_query(i, ALGO_HW, DECRYPT); +- entries[i].dec.sw = stats_query(i, ALGO_SW, DECRYPT); ++ entries[i].enc.hw = stats_query(source, i, ++ ALGO_HW, ENCRYPT); ++ entries[i].enc.sw = stats_query(source, i, ++ ALGO_SW, ENCRYPT); ++ entries[i].dec.hw = stats_query(source, i, ++ ALGO_HW, DECRYPT); ++ entries[i].dec.sw = stats_query(source, i, ++ ALGO_SW, DECRYPT); + break; + } + } +@@ -280,6 +291,7 @@ int get_stats_sum(stats_entry_t *sum) + } + } + closedir(shmDir); ++ get_stats_data(sum, sum); + return 1; + } + +diff --git a/src/include/icastats.h b/src/include/icastats.h +index f1d70ba..136ac0f 100644 +--- a/src/include/icastats.h ++++ b/src/include/icastats.h +@@ -286,8 +286,9 @@ typedef enum stats_fields { + + int stats_mmap(int user); + void stats_munmap(int user, int unlink); +-uint64_t stats_query(stats_fields_t field, int hardware, int direction); +-void get_stats_data(stats_entry_t *entries); ++uint64_t stats_query(stats_entry_t *source, stats_fields_t field, ++ int hardware, int direction); ++void get_stats_data(stats_entry_t *source, stats_entry_t *entries); + void stats_increment(stats_fields_t field, int hardware, int direction); + int get_stats_sum(stats_entry_t *sum); + char *get_next_usr(); +-- +2.40.1 + diff --git a/SPECS/libica.spec b/SPECS/libica.spec index e2bd787..a435b63 100644 --- a/SPECS/libica.spec +++ b/SPECS/libica.spec @@ -1,31 +1,29 @@ %global with_fips 1 -# workaround to keep ABI/soname stable at major version 3 -%global fakeversion 3:99:1 Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 4.1.1 +Version: 4.2.2 Release: 2%{?dist} License: CPL -Group: System Environment/Libraries URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # annotate assembler source # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 -Patch0: %{name}-4.0.1-annotate.patch -# revert ABI to 3.x -# - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048 -# - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2 -Patch1: %{name}-4.1.1-revert-abi.patch -# fix permissions for shared memory segments -# https://bugzilla.redhat.com/show_bug.cgi?id=2167363 -Patch2: %{name}-4.1.1-shmem.patch +# https://github.com/opencryptoki/libica/pull/24 +Patch0: %{name}-4.0.0-annotate.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2223698 +# https://github.com/opencryptoki/libica/commit/f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 +Patch1: %{name}-4.2.2-icastats-summary.patch BuildRequires: gcc -BuildRequires: openssl BuildRequires: openssl-devel +BuildRequires: openssl BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool +BuildRequires: autoconf-archive +BuildRequires: perl(FindBin) +BuildRequires: perl(lib) +BuildRequires: make ExclusiveArch: s390 s390x %description @@ -35,7 +33,6 @@ IBM z Systems. %package devel Summary: Development tools for programs to access ICA hardware crypto on IBM z Systems -Group: Development/Libraries Requires: %{name} = %{version}-%{release} Requires: openssl-devel @@ -52,17 +49,22 @@ sh ./bootstrap.sh %build +# FIPS openssl config is not needed on RHEL/Fedora +# https://bugzilla.redhat.com/show_bug.cgi?id=2084097 +CPPFLAGS=-DNO_FIPS_CONFIG_LOAD +export CPPFLAGS + %configure --disable-static \ %if %{with_fips} --enable-fips %else --disable-fips %endif -make %{?_smp_mflags} VERSION=%{fakeversion} +%make_build %install -make install DESTDIR=$RPM_BUILD_ROOT VERSION=%{fakeversion} +%make_install rm %{buildroot}%{_libdir}/libica*.la rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md} @@ -74,17 +76,12 @@ if [ -c /dev/hwrng -o -c /dev/prandom ]; then make check fi - -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig - %if %{with_fips} %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - make fipsinstall DESTDIR=%{buildroot} VERSION=%{fakeversion} + make fipsinstall DESTDIR=%{buildroot} %{nil} %endif @@ -94,6 +91,9 @@ fi %{_bindir}/icainfo-cex %{_bindir}/icastats %if %{with_fips} +%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 +%exclude %{_sysconfdir}/libica/openssl3-fips.cnf +%endif %{_libdir}/.libica.*.hmac %{_libdir}/.libica-cex.*.hmac %endif @@ -110,54 +110,93 @@ fi %changelog -* Tue Feb 07 2023 Dan Horák - 4.1.1-2 -- fix permissions for shared memory segments (#2167363) -- Resolves: #2167363 +* Wed Jul 19 2023 Dan Horák - 4.2.2-2 +- icastats: Fix summary option (#2223698) +- Resolves: #2223698 -* Tue Oct 25 2022 Dan Horák - 4.1.1-1 -- updated to 4.1.1 (#2110375) -- Resolves: #2110375 +* Fri May 19 2023 Dan Horák - 4.2.2-1 +- updated to 4.2.2 (#2160060) +- FIPS 140-3 compliance (#2160106) +- Resolves: #2160060 #2160106 + +* Tue Feb 07 2023 Dan Horák - 4.1.1-2 +- fix permissions for shared memory segments (#2167364) +- Resolves: #2167364 + +* Mon Oct 24 2022 Dan Horák - 4.1.1-1 +- updated to 4.1.1 (#2110374) +- Resolves: #2110374 * Thu Jun 30 2022 Dan Horák - 4.0.2-1 -- updated to 4.0.2 (#2101766) -- Resolves: #2101766 +- updated to 4.0.2 (#2101767) +- Resolves: #2101767 -* Tue Mar 22 2022 Dan Horák - 4.0.1-1 -- updated to 4.0.1 (#2043843) -- Resolves: #2043843 #2043904 +* Mon May 16 2022 Dan Horák - 4.0.1-2 +- fix running in FIPS mode (#2084097) +- Resolves: #2084097 -* Tue Feb 08 2022 Dan Horák - 3.9.0-1 -- updated to 3.9.0 (#1984972) -- Resolves: #1984972 +* Thu May 12 2022 Dan Horák - 4.0.1-1 +- updated to 4.0.1 (#2044178) +- Resolves: #2044178 #2044174 -* Thu Jul 08 2021 Dan Horák - 3.8.0-1 -- updated to 3.8.0 (#1919224) -- make software fallback call to openSSL/libcrypto (#1922205) -- Resolves: #1919224 #1922205 +* Tue Feb 01 2022 Dan Horák - 4.0.0-1 +- updated to 4.0.0 (#2040237) +- Resolves: #2040237 -* Mon Jul 20 2020 Dan Horák - 3.7.0-2 +* Mon Aug 09 2021 Mohan Boddu - 3.8.0-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Florian Weimer - 3.8.0-2 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri May 21 2021 Dan Horák - 3.8.0-1 +- updated to 3.8.0 (#1869532) +- eliminate SW fallback functions (#1924119) +- updated for OpenSSL 3.0 (#1952946) +- disable FIPS support (broken) +- Resolves: #1869532 #1924119 #1952946 + +* Fri Apr 16 2021 Mohan Boddu - 3.7.0-6 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 3.7.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 3.7.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 22 2020 Dan Horák - 3.7.0-3 +- Use make macros (taken from PR#1 by ) +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Wed Jul 15 2020 Dan Horák - 3.7.0-2 - fix FIPS integrity validation (#1857130) -- Resolves: #1857130 -* Thu May 21 2020 Dan Horák - 3.7.0-1 -- updated to 3.7.0 (#1780299) -- Resolves: #1780299 +* Fri May 15 2020 Dan Horák - 3.7.0-1 +- updated to 3.7.0 -* Thu Jan 09 2020 Dan Horák - 3.6.1-2 -- fix overflow in icastats counters (#1789052) -- Resolves: #1789052 +* Wed Jan 29 2020 Fedora Release Engineering - 3.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild -* Tue Nov 26 2019 Dan Horák - 3.6.1-1 -- updated to 3.6.1 (#1772402) -- Resolves: #1772402 +* Tue Nov 26 2019 Dan Horák - 3.6.1-1 +- updated to 3.6.1 -* Tue Nov 05 2019 Dan Horák - 3.6.0-1 -- updated to 3.6.0 (#1726244) -- Resolves: #1726244, #1723862 +* Mon Sep 02 2019 Dan Horák - 3.6.0-1 +- updated to 3.6.0 -* Wed Apr 24 2019 Dan Horák - 3.5.0-1 -- updated to 3.5.0 (#1666621) -- Resolves: #1666621, #1659428, #1673054 +* Thu Jul 25 2019 Fedora Release Engineering - 3.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Apr 24 2019 Dan Horák - 3.5.0-1 +- updated to 3.5.0 + +* Fri Feb 01 2019 Fedora Release Engineering - 3.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Nov 16 2018 Dan Horák - 3.4.0-1 +- updated to 3.4.0 * Fri Sep 21 2018 Dan Horák - 3.3.3-4 - annotate assembler file (#1630582)