import libica-4.0.0-1.el9
This commit is contained in:
commit
4b8a1ffdfb
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/libica-4.0.0.tar.gz
|
1
.libica.metadata
Normal file
1
.libica.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
9c18c8b990f8e21162364006cb60a3c9104eae19 SOURCES/libica-4.0.0.tar.gz
|
83
SOURCES/libica-4.0.0-annotate.patch
Normal file
83
SOURCES/libica-4.0.0-annotate.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
||||||
|
Date: Tue, 25 Sep 2018 13:44:32 +0200
|
||||||
|
Subject: [libica PATCH] add build note to assembler sources
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
When distros use the annobin compiler plugin [1], they have complete overview
|
||||||
|
what compiler flags were used for compilation and they are able to perform
|
||||||
|
security checks on the produced binaries. Compiling assembler source can't
|
||||||
|
provide this kind of information by default, so we need the explicit
|
||||||
|
-Wa,--generate-missing-build-notes=yes option during build. When the option is
|
||||||
|
missing, then the annocheck tool reports "GAPS" in the resulting binary.
|
||||||
|
|
||||||
|
binutils >= 2.31 or older with backport is needed
|
||||||
|
|
||||||
|
[1] https://fedoraproject.org/wiki/Changes/Annobin
|
||||||
|
|
||||||
|
Signed-off-by: Dan Horák <dan@danny.cz>
|
||||||
|
---
|
||||||
|
configure.ac | 4 ++++
|
||||||
|
libica.spec | 2 +-
|
||||||
|
src/Makefile.am | 4 ++--
|
||||||
|
3 files changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 958371c..b8d0e42 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
|
||||||
|
FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2"
|
||||||
|
fi
|
||||||
|
|
||||||
|
+# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed
|
||||||
|
+AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"])
|
||||||
|
+
|
||||||
|
# restore cmdline flags (ignore PROG_AS/PROG_CC defaults)
|
||||||
|
CFLAGS="$cmdline_CFLAGS"
|
||||||
|
CCASFLAGS="$cmdline_CFLAGS"
|
||||||
|
|
||||||
|
AC_SUBST([FLAGS], $FLAGS)
|
||||||
|
AC_SUBST([LIBS], $LIBS)
|
||||||
|
+AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS)
|
||||||
|
AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile])
|
||||||
|
AC_OUTPUT
|
||||||
|
|
||||||
|
diff --git a/libica.spec b/libica.spec
|
||||||
|
index d71890a..e51430e 100644
|
||||||
|
--- a/libica.spec
|
||||||
|
+++ b/libica.spec
|
||||||
|
@@ -9,7 +9,7 @@ URL: https://github.com/opencryptoki/libica
|
||||||
|
Source0: %{name}-%{version}.tar.gz
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
|
-BuildRequires: autoconf automake libtool openssl-devel
|
||||||
|
+BuildRequires: autoconf automake libtool openssl-devel autoconf-archive
|
||||||
|
|
||||||
|
%description
|
||||||
|
Interface library on Linux for IBM System z to utilize CPACF
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index c630048..1b5ec71 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \
|
||||||
|
include/rng.h
|
||||||
|
|
||||||
|
libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
|
||||||
|
-libica_la_CCASFLAGS = ${AM_CFLAGS}
|
||||||
|
+libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
|
||||||
|
libica_la_LIBADD = ${LIBS_common}
|
||||||
|
libica_la_LDFLAGS = ${LDFLAGS_common}
|
||||||
|
libica_la_SOURCES = ${SOURCES_common}
|
||||||
|
|
||||||
|
libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\"
|
||||||
|
-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
|
||||||
|
+libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
|
||||||
|
libica_cex_la_LIBADD = ${LIBS_common}
|
||||||
|
libica_cex_la_LDFLAGS = ${LDFLAGS_common}
|
||||||
|
libica_cex_la_SOURCES = ${SOURCES_common}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
646
SOURCES/libica-4.0.0-fixes.patch
Normal file
646
SOURCES/libica-4.0.0-fixes.patch
Normal file
@ -0,0 +1,646 @@
|
|||||||
|
From 977fe8ac713f9ff3101ce9882e23d0183fb46ec8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Wed, 15 Dec 2021 16:29:57 +0100
|
||||||
|
Subject: [libica PATCH 01/10] RSA: limit RSA key length to 4096
|
||||||
|
|
||||||
|
CEX adapters support RSA up to 4096 bits. Although RSA key generation
|
||||||
|
in libica is done via openssl, and therefore even greater key lengths
|
||||||
|
would be supported, such keys could not be processed on CEX adapters
|
||||||
|
afterwards. With the removal of sw fallbacks this is now a hard
|
||||||
|
restriction.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
---
|
||||||
|
include/ica_api.h | 4 ++++
|
||||||
|
src/ica_api.c | 13 ++++++++++++-
|
||||||
|
2 files changed, 16 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/include/ica_api.h b/include/ica_api.h
|
||||||
|
index ce27261..6137c4a 100644
|
||||||
|
--- a/include/ica_api.h
|
||||||
|
+++ b/include/ica_api.h
|
||||||
|
@@ -1291,6 +1291,7 @@ int ica_ed448_ctx_del(ICA_ED448_CTX **ctx);
|
||||||
|
*
|
||||||
|
* @return 0 if successful.
|
||||||
|
* EINVAL if at least one invalid parameter is given.
|
||||||
|
+ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction).
|
||||||
|
* EFAULT if OpenSSL key generation should fail.
|
||||||
|
*/
|
||||||
|
ICA_EXPORT
|
||||||
|
@@ -1319,6 +1320,7 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||||
|
*
|
||||||
|
* @return 0 if successful.
|
||||||
|
* EINVAL if at least one invalid parameter is given.
|
||||||
|
+ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction).
|
||||||
|
* EFAULT if OpenSSL key generation should fail.
|
||||||
|
*/
|
||||||
|
ICA_EXPORT
|
||||||
|
@@ -1346,6 +1348,7 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
|
||||||
|
*
|
||||||
|
* @return 0 if successful.
|
||||||
|
* EINVAL if at least one invalid parameter is given.
|
||||||
|
+ * EPERM if key bit length is greater than 4096 (CEX adapter restriction).
|
||||||
|
* ENOMEM if memory allocation fails.
|
||||||
|
* EIO if the operation fails. This should never happen.
|
||||||
|
*/
|
||||||
|
@@ -1375,6 +1378,7 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||||
|
*
|
||||||
|
* @return 0 if successful.
|
||||||
|
* EINVAL if at least one invalid parameter is given.
|
||||||
|
+ * EPERM if key bit length is greater than 4096 (CEX adapter restriction).
|
||||||
|
* ENOMEM if memory allocation fails.
|
||||||
|
* EIO if the operation fails. This should never happen.
|
||||||
|
*/
|
||||||
|
diff --git a/src/ica_api.c b/src/ica_api.c
|
||||||
|
index 445b0ab..a412052 100644
|
||||||
|
--- a/src/ica_api.c
|
||||||
|
+++ b/src/ica_api.c
|
||||||
|
@@ -52,6 +52,8 @@
|
||||||
|
|
||||||
|
#define MAX_VERSION_LENGTH 16
|
||||||
|
|
||||||
|
+#define MAX_RSA_KEY_BITS 4096
|
||||||
|
+
|
||||||
|
#ifndef NO_SW_FALLBACKS
|
||||||
|
int ica_fallbacks_enabled = 1;
|
||||||
|
#else
|
||||||
|
@@ -1071,9 +1073,12 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||||
|
/* Keys should comply with modulus_bit_length */
|
||||||
|
if ((modulus_bit_length + 7) / 8 != public_key->key_length)
|
||||||
|
return EINVAL;
|
||||||
|
- /* Minimum length for public exponent is sizeof(unsigned long) */
|
||||||
|
+ /* Minimum key length is sizeof(unsigned long) */
|
||||||
|
if (public_key->key_length < sizeof(unsigned long))
|
||||||
|
return EINVAL;
|
||||||
|
+ /* Max key bit length is 4096 because of CEX adapter restriction */
|
||||||
|
+ if (modulus_bit_length > MAX_RSA_KEY_BITS)
|
||||||
|
+ return EPERM;
|
||||||
|
|
||||||
|
/* OpenSSL takes only exponents of type unsigned long, so we have to
|
||||||
|
* be sure that we give a value of the right size to OpenSSL.
|
||||||
|
@@ -1111,6 +1116,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
|
||||||
|
return EINVAL;
|
||||||
|
if (public_key->key_length < sizeof(unsigned long))
|
||||||
|
return EINVAL;
|
||||||
|
+ if (modulus_bit_length > MAX_RSA_KEY_BITS)
|
||||||
|
+ return EPERM;
|
||||||
|
|
||||||
|
num_ignored_bytes = public_key->key_length - sizeof(unsigned long);
|
||||||
|
public_exponent = public_key->exponent;
|
||||||
|
@@ -1145,6 +1152,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
|
||||||
|
|
||||||
|
if (rsa_key->key_length < sizeof(unsigned long))
|
||||||
|
return EINVAL;
|
||||||
|
+ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS)
|
||||||
|
+ return EPERM;
|
||||||
|
|
||||||
|
/* fill driver structure */
|
||||||
|
rb.inputdata = (unsigned char *)input_data;
|
||||||
|
@@ -1264,6 +1273,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
|
||||||
|
|
||||||
|
if (rsa_key->key_length < sizeof(unsigned long))
|
||||||
|
return EINVAL;
|
||||||
|
+ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS)
|
||||||
|
+ return EPERM;
|
||||||
|
|
||||||
|
/* fill driver structure */
|
||||||
|
rb.inputdata = (unsigned char *)input_data;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 553977ef505b43c7d17056369ed518a971d43d68 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed, 5 Jan 2022 09:07:51 +0100
|
||||||
|
Subject: [libica PATCH 02/10] ECC: fix memory leaks in make_eckey()
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/s390_ecc.c | 20 +++++++++++---------
|
||||||
|
1 file changed, 11 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
|
||||||
|
index bb13944..af121b0 100644
|
||||||
|
--- a/src/s390_ecc.c
|
||||||
|
+++ b/src/s390_ecc.c
|
||||||
|
@@ -146,12 +146,12 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
|
||||||
|
EC_GROUP *group = NULL;
|
||||||
|
EC_POINT *point = NULL;
|
||||||
|
BIGNUM *bn_priv = NULL;
|
||||||
|
- unsigned char *pub_key = NULL;
|
||||||
|
- unsigned int pub_key_len;
|
||||||
|
- point_conversion_form_t form;
|
||||||
|
#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
EC_KEY *ec_key;
|
||||||
|
#else
|
||||||
|
+ unsigned char *pub_key = NULL;
|
||||||
|
+ unsigned int pub_key_len;
|
||||||
|
+ point_conversion_form_t form;
|
||||||
|
OSSL_PARAM_BLD *tmpl = NULL;
|
||||||
|
int rc;
|
||||||
|
#endif
|
||||||
|
@@ -175,18 +175,13 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
- form = EC_GROUP_get_point_conversion_form(group);
|
||||||
|
- pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL);
|
||||||
|
- if (pub_key_len == 0) {
|
||||||
|
- goto err;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
ec_key = EC_KEY_new_by_curve_name(nid);
|
||||||
|
if (ec_key == NULL) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ EC_POINT_free(point);
|
||||||
|
point = EC_POINT_new(EC_KEY_get0_group(ec_key));
|
||||||
|
if (point == NULL) {
|
||||||
|
goto err;
|
||||||
|
@@ -209,6 +204,11 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
|
||||||
|
}
|
||||||
|
|
||||||
|
#else
|
||||||
|
+ form = EC_GROUP_get_point_conversion_form(group);
|
||||||
|
+ pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL);
|
||||||
|
+ if (pub_key_len == 0) {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
tmpl = OSSL_PARAM_BLD_new();
|
||||||
|
if (tmpl == NULL) {
|
||||||
|
@@ -243,6 +243,8 @@ err:
|
||||||
|
#else
|
||||||
|
if (tmpl)
|
||||||
|
OSSL_PARAM_BLD_free(tmpl);
|
||||||
|
+ if (pub_key)
|
||||||
|
+ OPENSSL_free(pub_key);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (ok)
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From b41addd200c0938c6c10202da08ad5f7df940e18 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed, 5 Jan 2022 09:15:58 +0100
|
||||||
|
Subject: [libica PATCH 03/10] ECC: Avoid recursive loop in ec_key_check() with
|
||||||
|
OpenSSL 3.0
|
||||||
|
|
||||||
|
Use libica's OpenSSL library context in ec_key_check(), otherwise
|
||||||
|
calling EVP_PKEY_fromdata() in build_pkey_from_params() may cause
|
||||||
|
a recursive loop, when a provider is used that calls ica_ec_key_init()
|
||||||
|
(and thus ec_key_check()) within its key import function.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/s390_ecc.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
|
||||||
|
index af121b0..c0c1549 100644
|
||||||
|
--- a/src/s390_ecc.c
|
||||||
|
+++ b/src/s390_ecc.c
|
||||||
|
@@ -2458,6 +2458,8 @@ int ec_key_check(ICA_EC_KEY *ica_key)
|
||||||
|
BIGNUM *d = NULL, *x = NULL, *y = NULL;
|
||||||
|
int privlen, rc = EINVAL;
|
||||||
|
|
||||||
|
+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
|
||||||
|
+
|
||||||
|
if (!ica_key)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
@@ -2489,6 +2491,7 @@ done:
|
||||||
|
if (privkey)
|
||||||
|
EVP_PKEY_free(privkey);
|
||||||
|
|
||||||
|
+ END_OPENSSL_LIBCTX(rc);
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 6031ec80a5ada52609822fed4a6bd2cccafe5563 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed, 5 Jan 2022 09:26:26 +0100
|
||||||
|
Subject: [libica PATCH 04/10] RSA: Fix memory leaks in
|
||||||
|
rsa_key_generate_mod_expo()/crt()
|
||||||
|
|
||||||
|
Also fix a compiler warning in rsa_key_generate().
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/s390_rsa.c | 11 ++++++++++-
|
||||||
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/s390_rsa.c b/src/s390_rsa.c
|
||||||
|
index 360c374..cea2ba2 100644
|
||||||
|
--- a/src/s390_rsa.c
|
||||||
|
+++ b/src/s390_rsa.c
|
||||||
|
@@ -128,7 +128,8 @@ EVP_PKEY* rsa_key_generate(unsigned int modulus_bit_length,
|
||||||
|
} while (*public_exponent <= 2 || !(*public_exponent % 2));
|
||||||
|
}
|
||||||
|
|
||||||
|
- e = BN_bin2bn(public_exponent, sizeof(unsigned long), NULL);
|
||||||
|
+ e = BN_bin2bn((const unsigned char *)public_exponent,
|
||||||
|
+ sizeof(unsigned long), NULL);
|
||||||
|
if (e == NULL) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -259,6 +260,8 @@ err:
|
||||||
|
#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
RSA_free(rsa);
|
||||||
|
#else
|
||||||
|
+ BN_free(n);
|
||||||
|
+ BN_free(d);
|
||||||
|
EVP_PKEY_free(pkey);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -410,6 +413,12 @@ err:
|
||||||
|
#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
RSA_free(rsa);
|
||||||
|
#else
|
||||||
|
+ BN_free(n);
|
||||||
|
+ BN_free(p);
|
||||||
|
+ BN_free(q);
|
||||||
|
+ BN_free(dmp1);
|
||||||
|
+ BN_free(dmq1);
|
||||||
|
+ BN_free(iqmp);
|
||||||
|
EVP_PKEY_free(pkey);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From b49cf457659a4baf382b3828d89823497bb00f6e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu, 13 Jan 2022 10:42:02 +0100
|
||||||
|
Subject: [libica PATCH 05/10] EC: Handle unsupported EC curve in
|
||||||
|
ica_ec_key_new()
|
||||||
|
|
||||||
|
In case of an unsupported curve nid, privlen_from_nid() returns -1.
|
||||||
|
The subsequent calloc() will fail with a size of -3 (0xfffffffffffffffd).
|
||||||
|
|
||||||
|
Also free the already allocated key in case of an error to avoid a
|
||||||
|
memory leak.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/ica_api.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/ica_api.c b/src/ica_api.c
|
||||||
|
index a412052..0a885e2 100644
|
||||||
|
--- a/src/ica_api.c
|
||||||
|
+++ b/src/ica_api.c
|
||||||
|
@@ -1336,9 +1336,15 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
|
||||||
|
|
||||||
|
/* allocate clear memory for the 3 key parts */
|
||||||
|
len = privlen_from_nid(nid);
|
||||||
|
+ if (len <= 0) {
|
||||||
|
+ free(key);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
key->X = calloc(1, 3*len);
|
||||||
|
- if (!key->X)
|
||||||
|
+ if (!key->X) {
|
||||||
|
+ free(key);
|
||||||
|
return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
key->nid = nid;
|
||||||
|
key->Y = key->X + len;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 7e6e303e6aef019047eb6dfcdedbfe7da2a88526 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Tue, 11 Jan 2022 16:04:15 +0100
|
||||||
|
Subject: [libica PATCH 06/10] Compute HMAC from installed library
|
||||||
|
|
||||||
|
The HMAC hash was computed from the libica in the build tree, but
|
||||||
|
the runtime check is run against the installed libica and those 2
|
||||||
|
files may be different. E.g. if the runtime one has debuginfo stripped
|
||||||
|
(and placed into a separate file), the hashes are different.
|
||||||
|
This commit introduces a new make target: fipsinstall, which creates
|
||||||
|
the HMAC files in the install directory.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
---
|
||||||
|
Makefile.am | 9 ++++-----
|
||||||
|
src/Makefile.am | 8 +++++++-
|
||||||
|
2 files changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index 2d8ab9e..e14abb5 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -17,11 +17,8 @@ coverage: check
|
||||||
|
cd ${top_builddir}/src && gcov .libs/*.gcda
|
||||||
|
|
||||||
|
if ICA_FIPS
|
||||||
|
-install-data-hook:
|
||||||
|
- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
|
||||||
|
- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
|
||||||
|
- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
|
||||||
|
- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
|
||||||
|
+fipsinstall:
|
||||||
|
+ $(AM_V_GEN)$(MAKE) -C src fipsinstall
|
||||||
|
if ICA_OPENSSL3
|
||||||
|
test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica
|
||||||
|
test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true
|
||||||
|
@@ -38,3 +35,5 @@ if ICA_OPENSSL3
|
||||||
|
endif
|
||||||
|
endif
|
||||||
|
|
||||||
|
+.PHONY: fipsinstall
|
||||||
|
+
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index c630048..4c92c96 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -47,6 +47,12 @@ mp.S : mp.pl
|
||||||
|
./mp.pl mp.S
|
||||||
|
|
||||||
|
if ICA_FIPS
|
||||||
|
+fipsinstall:
|
||||||
|
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
|
||||||
|
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
|
||||||
|
+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
|
||||||
|
+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
|
||||||
|
+
|
||||||
|
hmac-file-lnk: hmac-file
|
||||||
|
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
|
||||||
|
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
|
||||||
|
@@ -110,4 +116,4 @@ internal_tests_ec_internal_test_SOURCES = \
|
||||||
|
include/rng.h ../test/testcase.h
|
||||||
|
endif
|
||||||
|
|
||||||
|
-.PHONY: hmac-file hmac-file-lnk
|
||||||
|
+.PHONY: hmac-file hmac-file-lnk fipsinstall
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 28fa931bed9e6847137829952a3e7cc6091bd071 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon, 24 Jan 2022 10:24:44 +0100
|
||||||
|
Subject: [libica PATCH 07/10] Fix compile warnings
|
||||||
|
|
||||||
|
... like potentially uninitialized variables or unused functions.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/fips.c | 4 ++--
|
||||||
|
src/ica_api.c | 2 +-
|
||||||
|
src/s390_ecc.c | 4 ++--
|
||||||
|
3 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/fips.c b/src/fips.c
|
||||||
|
index 934f6f7..505dd0b 100644
|
||||||
|
--- a/src/fips.c
|
||||||
|
+++ b/src/fips.c
|
||||||
|
@@ -1304,8 +1304,8 @@ rsa_kat(void)
|
||||||
|
ica_adapter_handle_t ah;
|
||||||
|
const struct rsa_tv *tv;
|
||||||
|
size_t i, keylen, crtparamlen;
|
||||||
|
- unsigned char *out;
|
||||||
|
- libica_func_list_element* libica_func_list;
|
||||||
|
+ unsigned char *out = NULL;
|
||||||
|
+ libica_func_list_element* libica_func_list = NULL;
|
||||||
|
unsigned int count;
|
||||||
|
|
||||||
|
if (ica_open_adapter(&ah))
|
||||||
|
diff --git a/src/ica_api.c b/src/ica_api.c
|
||||||
|
index 0a885e2..a10e139 100644
|
||||||
|
--- a/src/ica_api.c
|
||||||
|
+++ b/src/ica_api.c
|
||||||
|
@@ -90,6 +90,7 @@ void ica_set_stats_mode(int stats_mode)
|
||||||
|
ica_stats_enabled = stats_mode ? 1 : 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_CPACF
|
||||||
|
#ifdef ICA_FIPS
|
||||||
|
static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
|
||||||
|
if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
|
||||||
|
@@ -101,7 +102,6 @@ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#ifndef NO_CPACF
|
||||||
|
static unsigned int check_des_parms(unsigned int mode,
|
||||||
|
unsigned long data_length,
|
||||||
|
const unsigned char *in_data,
|
||||||
|
diff --git a/src/s390_ecc.c b/src/s390_ecc.c
|
||||||
|
index c0c1549..211db01 100644
|
||||||
|
--- a/src/s390_ecc.c
|
||||||
|
+++ b/src/s390_ecc.c
|
||||||
|
@@ -147,7 +147,7 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
|
||||||
|
EC_POINT *point = NULL;
|
||||||
|
BIGNUM *bn_priv = NULL;
|
||||||
|
#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
- EC_KEY *ec_key;
|
||||||
|
+ EC_KEY *ec_key = NULL;
|
||||||
|
#else
|
||||||
|
unsigned char *pub_key = NULL;
|
||||||
|
unsigned int pub_key_len;
|
||||||
|
@@ -262,7 +262,7 @@ static EVP_PKEY *make_public_eckey(int nid, unsigned char *pubkey, size_t publen
|
||||||
|
{
|
||||||
|
int ok = 0;
|
||||||
|
#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
- EC_KEY *ec_key;
|
||||||
|
+ EC_KEY *ec_key = NULL;
|
||||||
|
#else
|
||||||
|
OSSL_PARAM_BLD *tmpl = NULL;
|
||||||
|
int rc;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From cc44f18383ec6dc01a05abd6c25a1dec8efe84cb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon, 24 Jan 2022 10:32:47 +0100
|
||||||
|
Subject: [libica PATCH 08/10] Fix memory leaks in test programs
|
||||||
|
|
||||||
|
When configured with --enable-sanitizer some tests fail because
|
||||||
|
the address sanitizer reports memory leaks.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
test/ec_keygen_test.c | 6 +++++-
|
||||||
|
test/ecdh_test.c | 13 ++++++++++++-
|
||||||
|
test/ecdsa_test.c | 3 +++
|
||||||
|
test/icastats_test.c.in | 1 +
|
||||||
|
4 files changed, 21 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/ec_keygen_test.c b/test/ec_keygen_test.c
|
||||||
|
index 43c6092..0445c41 100644
|
||||||
|
--- a/test/ec_keygen_test.c
|
||||||
|
+++ b/test/ec_keygen_test.c
|
||||||
|
@@ -115,6 +115,8 @@ int main(int argc, char **argv)
|
||||||
|
|
||||||
|
rc = ica_ec_key_generate(adapter_handle, eckey);
|
||||||
|
if (rc) {
|
||||||
|
+ ica_ec_key_free(eckey);
|
||||||
|
+ eckey = NULL;
|
||||||
|
if (rc == EPERM) {
|
||||||
|
V_(printf("Curve %d not supported on this system, skipping ...\n", eckeygen_tests[i].nid));
|
||||||
|
continue;
|
||||||
|
@@ -156,12 +158,14 @@ int main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ ica_ec_key_free(eckey);
|
||||||
|
+ eckey = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (test_failed)
|
||||||
|
errors++;
|
||||||
|
|
||||||
|
- ica_ec_key_free(eckey);
|
||||||
|
unset_env_icapath();
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/test/ecdh_test.c b/test/ecdh_test.c
|
||||||
|
index 9a81036..e1191d0 100644
|
||||||
|
--- a/test/ecdh_test.c
|
||||||
|
+++ b/test/ecdh_test.c
|
||||||
|
@@ -339,6 +339,8 @@ int main(int argc, char **argv)
|
||||||
|
|
||||||
|
rc = ica_ec_key_init(ecdh_kats[i].xa, ecdh_kats[i].ya, ecdh_kats[i].da, eckey_A);
|
||||||
|
if (rc != 0) {
|
||||||
|
+ ica_ec_key_free(eckey_A);
|
||||||
|
+ eckey_A = NULL;
|
||||||
|
if (rc == EPERM) {
|
||||||
|
V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid));
|
||||||
|
continue;
|
||||||
|
@@ -350,11 +352,18 @@ int main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
eckey_B = ica_ec_key_new(ecdh_kats[i].nid, &privlen);
|
||||||
|
- if (!eckey_B)
|
||||||
|
+ if (!eckey_B) {
|
||||||
|
+ ica_ec_key_free(eckey_A);
|
||||||
|
+ eckey_A = NULL;
|
||||||
|
continue;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = ica_ec_key_init(ecdh_kats[i].xb, ecdh_kats[i].yb, ecdh_kats[i].db, eckey_B);
|
||||||
|
if (rc != 0) {
|
||||||
|
+ ica_ec_key_free(eckey_B);
|
||||||
|
+ eckey_B = NULL;
|
||||||
|
+ ica_ec_key_free(eckey_A);
|
||||||
|
+ eckey_A = NULL;
|
||||||
|
if (rc == EPERM) {
|
||||||
|
V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid));
|
||||||
|
continue;
|
||||||
|
@@ -415,7 +424,9 @@ int main(int argc, char **argv)
|
||||||
|
errors++;
|
||||||
|
|
||||||
|
ica_ec_key_free(eckey_A);
|
||||||
|
+ eckey_A = NULL;
|
||||||
|
ica_ec_key_free(eckey_B);
|
||||||
|
+ eckey_B = NULL;
|
||||||
|
unset_env_icapath();
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/test/ecdsa_test.c b/test/ecdsa_test.c
|
||||||
|
index 3b6bda3..2393882 100644
|
||||||
|
--- a/test/ecdsa_test.c
|
||||||
|
+++ b/test/ecdsa_test.c
|
||||||
|
@@ -225,6 +225,8 @@ int main(int argc, char **argv)
|
||||||
|
|
||||||
|
rc = ica_ec_key_init(ecdsa_kats[i].x, ecdsa_kats[i].y, ecdsa_kats[i].d, eckey);
|
||||||
|
if (rc != 0) {
|
||||||
|
+ ica_ec_key_free(eckey);
|
||||||
|
+ eckey = NULL;
|
||||||
|
if (rc == EPERM) {
|
||||||
|
V_(printf("Curve %d not supported on this system, skipping ...\n", ecdsa_kats[i].nid));
|
||||||
|
continue;
|
||||||
|
@@ -274,6 +276,7 @@ int main(int argc, char **argv)
|
||||||
|
errors++;
|
||||||
|
|
||||||
|
ica_ec_key_free(eckey);
|
||||||
|
+ eckey = NULL;
|
||||||
|
unset_env_icapath();
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/test/icastats_test.c.in b/test/icastats_test.c.in
|
||||||
|
index 98905a9..f0d1212 100644
|
||||||
|
--- a/test/icastats_test.c.in
|
||||||
|
+++ b/test/icastats_test.c.in
|
||||||
|
@@ -186,6 +186,7 @@ int is_crypto_card_loaded()
|
||||||
|
}
|
||||||
|
if((c = fgetc(file)) == '1'){
|
||||||
|
fclose(file);
|
||||||
|
+ closedir(sysDir);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
fclose(file);
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 9c6431f49a9fe0d574722954e018b4cba6ab085b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon, 24 Jan 2022 14:33:57 +0100
|
||||||
|
Subject: [libica PATCH 09/10] FIPS: Calculation of library HMAC may fail
|
||||||
|
|
||||||
|
Initialize length variable before calling EVP_DigestSignFinal().
|
||||||
|
If hlen is uninitialized it may cause EVP_DigestSignFinal() to fail.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/fips.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/fips.c b/src/fips.c
|
||||||
|
index 505dd0b..129a1a7 100644
|
||||||
|
--- a/src/fips.c
|
||||||
|
+++ b/src/fips.c
|
||||||
|
@@ -333,6 +333,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ hlen = sizeof(rbuf);
|
||||||
|
if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 5aa9366c236a6d17570403ef81c65e4f5f91a8af Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed, 26 Jan 2022 09:29:27 +0100
|
||||||
|
Subject: [libica PATCH 10/10] MAKEFILE: Do not install ec_internal_test
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/Makefile.am | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index 4c92c96..d6f5c52 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -90,7 +90,7 @@ icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h
|
||||||
|
# internal tests
|
||||||
|
|
||||||
|
if ICA_INTERNAL_TESTS
|
||||||
|
-bin_PROGRAMS += internal_tests/ec_internal_test
|
||||||
|
+noinst_PROGRAMS = internal_tests/ec_internal_test
|
||||||
|
|
||||||
|
internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \
|
||||||
|
-I${srcdir}/../include \
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
336
SPECS/libica.spec
Normal file
336
SPECS/libica.spec
Normal file
@ -0,0 +1,336 @@
|
|||||||
|
%global with_fips 1
|
||||||
|
|
||||||
|
Summary: Library for accessing ICA hardware crypto on IBM z Systems
|
||||||
|
Name: libica
|
||||||
|
Version: 4.0.0
|
||||||
|
Release: 1%{?dist}
|
||||||
|
License: CPL
|
||||||
|
URL: https://github.com/opencryptoki/
|
||||||
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
|
# annotate assembler source
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1630582
|
||||||
|
# https://github.com/opencryptoki/libica/pull/24
|
||||||
|
Patch0: %{name}-4.0.0-annotate.patch
|
||||||
|
# post GA fixes, includes HMAC calculation
|
||||||
|
Patch1: %{name}-4.0.0-fixes.patch
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
BuildRequires: openssl
|
||||||
|
BuildRequires: autoconf
|
||||||
|
BuildRequires: automake
|
||||||
|
BuildRequires: libtool
|
||||||
|
BuildRequires: autoconf-archive
|
||||||
|
BuildRequires: perl(FindBin)
|
||||||
|
BuildRequires: perl(lib)
|
||||||
|
BuildRequires: make
|
||||||
|
ExclusiveArch: s390 s390x
|
||||||
|
|
||||||
|
%description
|
||||||
|
A library of functions and utilities for accessing ICA hardware crypto on
|
||||||
|
IBM z Systems.
|
||||||
|
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Development tools for programs to access ICA hardware crypto on IBM z Systems
|
||||||
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
Requires: openssl-devel
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
The libica-devel package contains the header files and static
|
||||||
|
libraries necessary for developing programs accessing ICA hardware crypto on
|
||||||
|
IBM z Systems.
|
||||||
|
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
sh ./bootstrap.sh
|
||||||
|
|
||||||
|
|
||||||
|
%build
|
||||||
|
%configure --disable-static \
|
||||||
|
%if %{with_fips}
|
||||||
|
--enable-fips
|
||||||
|
%else
|
||||||
|
--disable-fips
|
||||||
|
%endif
|
||||||
|
%make_build
|
||||||
|
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install
|
||||||
|
rm %{buildroot}%{_libdir}/libica*.la
|
||||||
|
rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md}
|
||||||
|
|
||||||
|
|
||||||
|
%check
|
||||||
|
# mock doesn't provide the device, so check here
|
||||||
|
# https://github.com/rpm-software-management/mock/issues/33
|
||||||
|
if [ -c /dev/hwrng -o -c /dev/prandom ]; then
|
||||||
|
make check
|
||||||
|
fi
|
||||||
|
|
||||||
|
%if %{with_fips}
|
||||||
|
%define __spec_install_post \
|
||||||
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
|
%{__arch_install_post} \
|
||||||
|
%{__os_install_post} \
|
||||||
|
make fipsinstall DESTDIR=%{buildroot}
|
||||||
|
%{nil}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files
|
||||||
|
%doc AUTHORS LICENSE ChangeLog
|
||||||
|
%{_bindir}/icainfo
|
||||||
|
%{_bindir}/icainfo-cex
|
||||||
|
%{_bindir}/icastats
|
||||||
|
%if %{with_fips}
|
||||||
|
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
|
||||||
|
# openssl 3.0 is available since Fedora 36 and RHEL 9
|
||||||
|
%dir %{_sysconfdir}/libica
|
||||||
|
%{_sysconfdir}/libica/openssl3-fips.cnf
|
||||||
|
%endif
|
||||||
|
%{_libdir}/.libica.*.hmac
|
||||||
|
%{_libdir}/.libica-cex.*.hmac
|
||||||
|
%endif
|
||||||
|
%{_libdir}/libica.so.*
|
||||||
|
%{_libdir}/libica-cex.so.*
|
||||||
|
%{_mandir}/man1/icainfo.1*
|
||||||
|
%{_mandir}/man1/icainfo-cex.1*
|
||||||
|
%{_mandir}/man1/icastats.1*
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_includedir}/*
|
||||||
|
%{_libdir}/libica.so
|
||||||
|
%{_libdir}/libica-cex.so
|
||||||
|
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
|
||||||
|
- updated to 4.0.0 (#2040237)
|
||||||
|
- Resolves: #2040237
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.8.0-3
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 3.8.0-2
|
||||||
|
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||||
|
Related: rhbz#1971065
|
||||||
|
|
||||||
|
* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
|
||||||
|
- updated to 3.8.0 (#1869532)
|
||||||
|
- eliminate SW fallback functions (#1924119)
|
||||||
|
- updated for OpenSSL 3.0 (#1952946)
|
||||||
|
- disable FIPS support (broken)
|
||||||
|
- Resolves: #1869532 #1924119 #1952946
|
||||||
|
|
||||||
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.0-6
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 22 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-3
|
||||||
|
- Use make macros (taken from PR#1 by <tstellar at redhat.com>)
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Wed Jul 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-2
|
||||||
|
- fix FIPS integrity validation (#1857130)
|
||||||
|
|
||||||
|
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-1
|
||||||
|
- updated to 3.7.0
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Nov 26 2019 Dan Horák <dan[at]danny.cz> - 3.6.1-1
|
||||||
|
- updated to 3.6.1
|
||||||
|
|
||||||
|
* Mon Sep 02 2019 Dan Horák <dan[at]danny.cz> - 3.6.0-1
|
||||||
|
- updated to 3.6.0
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Apr 24 2019 Dan Horák <dan[at]danny.cz> - 3.5.0-1
|
||||||
|
- updated to 3.5.0
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Nov 16 2018 Dan Horák <dan[at]danny.cz> - 3.4.0-1
|
||||||
|
- updated to 3.4.0
|
||||||
|
|
||||||
|
* Fri Sep 21 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-4
|
||||||
|
- annotate assembler file (#1630582)
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.3-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jun 13 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-2
|
||||||
|
- fix executable stack in assembler code
|
||||||
|
|
||||||
|
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-1
|
||||||
|
- updated to 3.3.3
|
||||||
|
|
||||||
|
* Tue Apr 17 2018 Dan Horák <dan[at]danny.cz> - 3.3.2-1
|
||||||
|
- updated to 3.3.2
|
||||||
|
|
||||||
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Sep 25 2017 Dan Horák <dan[at]danny.cz> - 3.2.0-1
|
||||||
|
- updated to 3.2.0
|
||||||
|
|
||||||
|
* Mon Sep 11 2017 Dan Horák <dan[at]danny.cz> - 3.1.1-1
|
||||||
|
- updated to 3.1.1
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Apr 18 2017 Dan Horák <dan[at]danny.cz> - 3.0.2-3
|
||||||
|
- update BR
|
||||||
|
|
||||||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 18 2017 Dan Horák <dan[at]danny.cz> - 3.0.2-1
|
||||||
|
- updated to 3.0.2
|
||||||
|
|
||||||
|
* Fri Jan 13 2017 Dan Horák <dan[at]danny.cz> - 3.0.1-2
|
||||||
|
- check for /dev/prandom before running the test-suite
|
||||||
|
|
||||||
|
* Fri Jan 13 2017 Dan Horák <dan[at]danny.cz> - 3.0.1-1
|
||||||
|
- updated to 3.0.1
|
||||||
|
|
||||||
|
* Tue Apr 12 2016 Dan Horák <dan[at]danny.cz> - 2.6.2-1
|
||||||
|
- updated to 2.6.2
|
||||||
|
|
||||||
|
* Thu Mar 17 2016 Dan Horák <dan[at]danny.cz> - 2.6.1-1
|
||||||
|
- updated to 2.6.1
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Sep 01 2014 Dan Horák <dan[at]danny.cz> - 2.4.2-1
|
||||||
|
- updated to 2.4.2
|
||||||
|
|
||||||
|
* Wed Jun 11 2014 Dan Horák <dan[at]danny.cz> - 2.3.0-5
|
||||||
|
- fix build with recent kernels
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.0-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Mar 14 2014 Dan Horák <dan[at]danny.cz> - 2.3.0-3
|
||||||
|
- add post release fix (#1066014)
|
||||||
|
|
||||||
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.3.0-1
|
||||||
|
- updated to 2.3.0
|
||||||
|
|
||||||
|
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Aug 17 2012 Dan Horák <dan[at]danny.cz> - 2.2.0-1
|
||||||
|
- updated to 2.2.0
|
||||||
|
|
||||||
|
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 16 2012 Dan Horák <dan[at]danny.cz> - 2.1.1-1
|
||||||
|
- updated to 2.1.1
|
||||||
|
|
||||||
|
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.1.0-1
|
||||||
|
- updated to 2.1.0 with soname set back to 2.0
|
||||||
|
|
||||||
|
* Mon Apr 11 2011 Dan Horák <dan[at]danny.cz> - 2.0.6-1
|
||||||
|
- updated to 2.0.6
|
||||||
|
|
||||||
|
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.4-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 12 2011 Dan Horák <dan[at]danny.cz> - 2.0.4-1
|
||||||
|
- Do not use sigill to wrap all HW instructions (#665401)
|
||||||
|
- updated to 2.0.4
|
||||||
|
|
||||||
|
* Tue Nov 9 2010 Dan Horák <dhorak@redhat.com> - 2.0.3-3
|
||||||
|
- Fix the return value of old_api_sha_test() in libica_sha1_test (#624005)
|
||||||
|
- Use the right buffer length when operating in 32-bit mode (#640035)
|
||||||
|
- Resolves: #624005, #640035
|
||||||
|
|
||||||
|
* Fri May 21 2010 Dan Horák <dan[at]danny.cz> - 2.0.3-2
|
||||||
|
- rebuilt with -fno-strict-aliasing (#593779)
|
||||||
|
- Resolves: #593779
|
||||||
|
|
||||||
|
* Thu Apr 22 2010 Dan Horák <dan[at]danny.cz> - 2.0.3-1
|
||||||
|
- updated to 2.0.3 (#582607)
|
||||||
|
- Resolves: #582607
|
||||||
|
|
||||||
|
* Mon Apr 12 2010 Dan Horák <dan[at]danny.cz> - 2.0.2-3
|
||||||
|
- add SIGILL handler for add_entropy (#581520)
|
||||||
|
- Resolves: #581520
|
||||||
|
|
||||||
|
* Tue Feb 16 2010 Dan Horák <dan[at]danny.cz> - 2.0.2-2
|
||||||
|
- dropped the utils sub-package
|
||||||
|
- Related: #543948
|
||||||
|
|
||||||
|
* Tue Dec 08 2009 Dennis Gregorovic <dgregor@redhat.com> - 2.0.2-1.1
|
||||||
|
- Rebuilt for RHEL 6
|
||||||
|
|
||||||
|
* Mon Aug 17 2009 Dan Horák <dan[at]danny.cz> - 2.0.2-1
|
||||||
|
- update to 2.0.2
|
||||||
|
|
||||||
|
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Apr 1 2009 Dan Horák <dan[at]danny.cz> - 2.0.1-1
|
||||||
|
- update to 2.0.1
|
||||||
|
|
||||||
|
* Mon Mar 23 2009 Dan Horák <dan[at]danny.cz> - 2.0-1
|
||||||
|
- update to 2.0
|
||||||
|
- spec file cleanup before submitting to Fedora
|
||||||
|
|
||||||
|
* Sun Sep 14 2008 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-8.el5
|
||||||
|
- Added the icainfo tool to libica (#439484)
|
||||||
|
|
||||||
|
* Tue Apr 01 2008 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-7.el5
|
||||||
|
- Fixed build of libica with latest AES & SHA feature (#439390)
|
||||||
|
|
||||||
|
* Tue Jan 15 2008 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-6.el5
|
||||||
|
- Added Software Support for CP Assist Instructions AES & SHA (#318971)
|
||||||
|
|
||||||
|
* Thu Nov 23 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-5.el5
|
||||||
|
- Fixed requires bug where devel packages would get wrong arch lib (#215908)
|
||||||
|
|
||||||
|
* Fri Oct 13 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-4
|
||||||
|
- Fixed bug where libica fails to initialize when no crypto hardware is
|
||||||
|
available (#210504)
|
||||||
|
- Only build libica for s390(x), really only needed there.
|
||||||
|
|
||||||
|
* Fri Sep 08 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-3
|
||||||
|
- Build for other archs as well due to openCryptoki requirement (#184631)
|
||||||
|
|
||||||
|
* Fri Jul 14 2006 Tim Powers <timp@redhat.com> - 1.3.7-2
|
||||||
|
- rebuild
|
||||||
|
|
||||||
|
* Tue Jun 13 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-1
|
||||||
|
- Update to libica-1.3.7 final
|
||||||
|
- Fixed build on latest devel tree
|
||||||
|
|
||||||
|
* Tue Apr 04 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.6-rc3-1
|
||||||
|
- Initial package.
|
Loading…
Reference in New Issue
Block a user