diff --git a/.gitignore b/.gitignore index 676babc..3621386 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libica-3.8.0.tar.gz +SOURCES/libica-4.0.0.tar.gz diff --git a/.libica.metadata b/.libica.metadata index 0df4829..b44dc46 100644 --- a/.libica.metadata +++ b/.libica.metadata @@ -1 +1 @@ -84db4d350fe1b142cc84adf8c3cce86777147e60 SOURCES/libica-3.8.0.tar.gz +9c18c8b990f8e21162364006cb60a3c9104eae19 SOURCES/libica-4.0.0.tar.gz diff --git a/SOURCES/libica-3.8.0-configure.patch b/SOURCES/libica-3.8.0-configure.patch deleted file mode 100644 index d157510..0000000 --- a/SOURCES/libica-3.8.0-configure.patch +++ /dev/null @@ -1,67 +0,0 @@ -From a70dfe13b7dd2914ad29175ae026284bd5461e0e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20Hor=C3=A1k?= -Date: Mon, 24 May 2021 12:21:55 +0000 -Subject: [PATCH] fix handling of --disable-foo options -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently passing eg. --disable-debug actually enables the debug build -as one would expect from --enable-debug. The fix is to omit setting the -enable_foo variable as the "action-if-given" parameter of AC_ARG_ENABLE, -because it handles both the --enable and --disable forms. - -Signed-off-by: Dan Horák ---- - configure.ac | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ae6370c..9dc4786 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -35,7 +35,7 @@ FLAGS="-Wall -Wextra -mzarch" - dnl --- enable_debug - AC_ARG_ENABLE(debug, - [ --enable-debug turn on debugging flags], -- [enable_debug="yes"],[enable_debug="no"]) -+ [],[enable_debug="no"]) - AM_CONDITIONAL(DEBUG, test x$enable_debug = xyes) - - if test "x$enable_debug" = xyes; then -@@ -46,7 +46,7 @@ fi - dnl --- enable_coverage - AC_ARG_ENABLE(coverage, - [ --enable-coverage turn on coverage testing], -- [enable_coverage="yes"],[enable_coverage="no"]) -+ [],[enable_coverage="no"]) - AM_CONDITIONAL(COVERAGE, test x$enable_coverage = xyes) - - if test "x$enable_coverage" = xyes; then -@@ -57,7 +57,7 @@ fi - dnl --- enable_fips - AC_ARG_ENABLE(fips, - [ --enable-fips built with FIPS mode support], -- [enable_fips="yes"],[enable_fips="no"]) -+ [],[enable_fips="no"]) - AM_CONDITIONAL(ICA_FIPS, test x$enable_fips = xyes) - - if test "x$enable_fips" = xyes; then -@@ -74,7 +74,7 @@ fi - dnl --- enable_sanitizer - AC_ARG_ENABLE(sanitizer, - [ --enable-sanitizer turn on sanitizer (may not work on all systems)], -- [enable_sanitizer="yes"],[enable_sanitizer="no"]) -+ [],[enable_sanitizer="no"]) - AM_CONDITIONAL(SANITIZER, test x$enable_sanitizer = xyes) - - if test "x$enable_sanitizer" = xyes; then -@@ -86,7 +86,7 @@ fi - dnl --- enable_internal tests - AC_ARG_ENABLE(internal_tests, - [ --enable-internal-tests built internal tests], -- [enable_internal_tests="yes"],[enable_internal_tests="no"]) -+ [],[enable_internal_tests="no"]) - AM_CONDITIONAL(ICA_INTERNAL_TESTS, test x$enable_internal_tests = xyes) - - if test "x$enable_internal_tests" = xyes; then diff --git a/SOURCES/libica-3.8.0-no-eddsa-test.patch b/SOURCES/libica-3.8.0-no-eddsa-test.patch deleted file mode 100644 index aec3c14..0000000 --- a/SOURCES/libica-3.8.0-no-eddsa-test.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 83909cdc63550b3151e76d727fe161a9ef71ab6c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20Hor=C3=A1k?= -Date: Mon, 31 May 2021 19:01:01 +0200 -Subject: [libica PATCH] disable eddsa test - broken with OpenSSL 3.0 - ---- - test/Makefile.am | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/test/Makefile.am b/test/Makefile.am -index f889a97..428982d 100644 ---- a/test/Makefile.am -+++ b/test/Makefile.am -@@ -54,7 +54,6 @@ ecdsa1_test.sh \ - ec_keygen2_test.sh \ - ecdh2_test.sh \ - ecdsa2_test.sh \ --eddsa_test \ - x_test \ - mp_test - --- -2.26.3 - diff --git a/SOURCES/libica-3.8.0-annotate.patch b/SOURCES/libica-4.0.0-annotate.patch similarity index 86% rename from SOURCES/libica-3.8.0-annotate.patch rename to SOURCES/libica-4.0.0-annotate.patch index b0cc196..3ad0e64 100644 --- a/SOURCES/libica-3.8.0-annotate.patch +++ b/SOURCES/libica-4.0.0-annotate.patch @@ -1,4 +1,4 @@ -From 0e4592f46c6c4a94eef66257af423d57c73af134 Mon Sep 17 00:00:00 2001 +From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Tue, 25 Sep 2018 13:44:32 +0200 Subject: [libica PATCH] add build note to assembler sources @@ -25,10 +25,10 @@ Signed-off-by: Dan Horák 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac -index ae6370c..bc2fff4 100644 +index 958371c..b8d0e42 100644 --- a/configure.ac +++ b/configure.ac -@@ -99,12 +99,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab +@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2" fi @@ -46,7 +46,7 @@ index ae6370c..bc2fff4 100644 AC_OUTPUT diff --git a/libica.spec b/libica.spec -index 812b73d..3461b65 100644 +index d71890a..e51430e 100644 --- a/libica.spec +++ b/libica.spec @@ -9,7 +9,7 @@ URL: https://github.com/opencryptoki/libica @@ -59,10 +59,10 @@ index 812b73d..3461b65 100644 %description Interface library on Linux for IBM System z to utilize CPACF diff --git a/src/Makefile.am b/src/Makefile.am -index 4a1ef14..d6f7f7f 100644 +index c630048..1b5ec71 100644 --- a/src/Makefile.am +++ b/src/Makefile.am -@@ -30,13 +30,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \ +@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \ include/rng.h libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\" @@ -72,12 +72,12 @@ index 4a1ef14..d6f7f7f 100644 libica_la_LDFLAGS = ${LDFLAGS_common} libica_la_SOURCES = ${SOURCES_common} - libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\" + libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\" -libica_cex_la_CCASFLAGS = ${AM_CFLAGS} +libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS} libica_cex_la_LIBADD = ${LIBS_common} libica_cex_la_LDFLAGS = ${LDFLAGS_common} libica_cex_la_SOURCES = ${SOURCES_common} -- -2.26.3 +2.31.1 diff --git a/SOURCES/libica-4.0.0-fixes.patch b/SOURCES/libica-4.0.0-fixes.patch new file mode 100644 index 0000000..67c41da --- /dev/null +++ b/SOURCES/libica-4.0.0-fixes.patch @@ -0,0 +1,646 @@ +From 977fe8ac713f9ff3101ce9882e23d0183fb46ec8 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Wed, 15 Dec 2021 16:29:57 +0100 +Subject: [libica PATCH 01/10] RSA: limit RSA key length to 4096 + +CEX adapters support RSA up to 4096 bits. Although RSA key generation +in libica is done via openssl, and therefore even greater key lengths +would be supported, such keys could not be processed on CEX adapters +afterwards. With the removal of sw fallbacks this is now a hard +restriction. + +Signed-off-by: Joerg Schmidbauer +--- + include/ica_api.h | 4 ++++ + src/ica_api.c | 13 ++++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/include/ica_api.h b/include/ica_api.h +index ce27261..6137c4a 100644 +--- a/include/ica_api.h ++++ b/include/ica_api.h +@@ -1291,6 +1291,7 @@ int ica_ed448_ctx_del(ICA_ED448_CTX **ctx); + * + * @return 0 if successful. + * EINVAL if at least one invalid parameter is given. ++ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction). + * EFAULT if OpenSSL key generation should fail. + */ + ICA_EXPORT +@@ -1319,6 +1320,7 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, + * + * @return 0 if successful. + * EINVAL if at least one invalid parameter is given. ++ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction). + * EFAULT if OpenSSL key generation should fail. + */ + ICA_EXPORT +@@ -1346,6 +1348,7 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle, + * + * @return 0 if successful. + * EINVAL if at least one invalid parameter is given. ++ * EPERM if key bit length is greater than 4096 (CEX adapter restriction). + * ENOMEM if memory allocation fails. + * EIO if the operation fails. This should never happen. + */ +@@ -1375,6 +1378,7 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, + * + * @return 0 if successful. + * EINVAL if at least one invalid parameter is given. ++ * EPERM if key bit length is greater than 4096 (CEX adapter restriction). + * ENOMEM if memory allocation fails. + * EIO if the operation fails. This should never happen. + */ +diff --git a/src/ica_api.c b/src/ica_api.c +index 445b0ab..a412052 100644 +--- a/src/ica_api.c ++++ b/src/ica_api.c +@@ -52,6 +52,8 @@ + + #define MAX_VERSION_LENGTH 16 + ++#define MAX_RSA_KEY_BITS 4096 ++ + #ifndef NO_SW_FALLBACKS + int ica_fallbacks_enabled = 1; + #else +@@ -1071,9 +1073,12 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, + /* Keys should comply with modulus_bit_length */ + if ((modulus_bit_length + 7) / 8 != public_key->key_length) + return EINVAL; +- /* Minimum length for public exponent is sizeof(unsigned long) */ ++ /* Minimum key length is sizeof(unsigned long) */ + if (public_key->key_length < sizeof(unsigned long)) + return EINVAL; ++ /* Max key bit length is 4096 because of CEX adapter restriction */ ++ if (modulus_bit_length > MAX_RSA_KEY_BITS) ++ return EPERM; + + /* OpenSSL takes only exponents of type unsigned long, so we have to + * be sure that we give a value of the right size to OpenSSL. +@@ -1111,6 +1116,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle, + return EINVAL; + if (public_key->key_length < sizeof(unsigned long)) + return EINVAL; ++ if (modulus_bit_length > MAX_RSA_KEY_BITS) ++ return EPERM; + + num_ignored_bytes = public_key->key_length - sizeof(unsigned long); + public_exponent = public_key->exponent; +@@ -1145,6 +1152,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle, + + if (rsa_key->key_length < sizeof(unsigned long)) + return EINVAL; ++ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS) ++ return EPERM; + + /* fill driver structure */ + rb.inputdata = (unsigned char *)input_data; +@@ -1264,6 +1273,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, + + if (rsa_key->key_length < sizeof(unsigned long)) + return EINVAL; ++ if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS) ++ return EPERM; + + /* fill driver structure */ + rb.inputdata = (unsigned char *)input_data; +-- +2.34.1 + + +From 553977ef505b43c7d17056369ed518a971d43d68 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 5 Jan 2022 09:07:51 +0100 +Subject: [libica PATCH 02/10] ECC: fix memory leaks in make_eckey() + +Signed-off-by: Ingo Franzki +--- + src/s390_ecc.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/src/s390_ecc.c b/src/s390_ecc.c +index bb13944..af121b0 100644 +--- a/src/s390_ecc.c ++++ b/src/s390_ecc.c +@@ -146,12 +146,12 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + BIGNUM *bn_priv = NULL; +- unsigned char *pub_key = NULL; +- unsigned int pub_key_len; +- point_conversion_form_t form; + #if !OPENSSL_VERSION_PREREQ(3, 0) + EC_KEY *ec_key; + #else ++ unsigned char *pub_key = NULL; ++ unsigned int pub_key_len; ++ point_conversion_form_t form; + OSSL_PARAM_BLD *tmpl = NULL; + int rc; + #endif +@@ -175,18 +175,13 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) + goto err; + } + +- form = EC_GROUP_get_point_conversion_form(group); +- pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL); +- if (pub_key_len == 0) { +- goto err; +- } +- + #if !OPENSSL_VERSION_PREREQ(3, 0) + ec_key = EC_KEY_new_by_curve_name(nid); + if (ec_key == NULL) { + goto err; + } + ++ EC_POINT_free(point); + point = EC_POINT_new(EC_KEY_get0_group(ec_key)); + if (point == NULL) { + goto err; +@@ -209,6 +204,11 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) + } + + #else ++ form = EC_GROUP_get_point_conversion_form(group); ++ pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL); ++ if (pub_key_len == 0) { ++ goto err; ++ } + + tmpl = OSSL_PARAM_BLD_new(); + if (tmpl == NULL) { +@@ -243,6 +243,8 @@ err: + #else + if (tmpl) + OSSL_PARAM_BLD_free(tmpl); ++ if (pub_key) ++ OPENSSL_free(pub_key); + #endif + + if (ok) +-- +2.34.1 + + +From b41addd200c0938c6c10202da08ad5f7df940e18 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 5 Jan 2022 09:15:58 +0100 +Subject: [libica PATCH 03/10] ECC: Avoid recursive loop in ec_key_check() with + OpenSSL 3.0 + +Use libica's OpenSSL library context in ec_key_check(), otherwise +calling EVP_PKEY_fromdata() in build_pkey_from_params() may cause +a recursive loop, when a provider is used that calls ica_ec_key_init() +(and thus ec_key_check()) within its key import function. + +Signed-off-by: Ingo Franzki +--- + src/s390_ecc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/s390_ecc.c b/src/s390_ecc.c +index af121b0..c0c1549 100644 +--- a/src/s390_ecc.c ++++ b/src/s390_ecc.c +@@ -2458,6 +2458,8 @@ int ec_key_check(ICA_EC_KEY *ica_key) + BIGNUM *d = NULL, *x = NULL, *y = NULL; + int privlen, rc = EINVAL; + ++ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc); ++ + if (!ica_key) + goto done; + +@@ -2489,6 +2491,7 @@ done: + if (privkey) + EVP_PKEY_free(privkey); + ++ END_OPENSSL_LIBCTX(rc); + return rc; + } + +-- +2.34.1 + + +From 6031ec80a5ada52609822fed4a6bd2cccafe5563 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 5 Jan 2022 09:26:26 +0100 +Subject: [libica PATCH 04/10] RSA: Fix memory leaks in + rsa_key_generate_mod_expo()/crt() + +Also fix a compiler warning in rsa_key_generate(). + +Signed-off-by: Ingo Franzki +--- + src/s390_rsa.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/s390_rsa.c b/src/s390_rsa.c +index 360c374..cea2ba2 100644 +--- a/src/s390_rsa.c ++++ b/src/s390_rsa.c +@@ -128,7 +128,8 @@ EVP_PKEY* rsa_key_generate(unsigned int modulus_bit_length, + } while (*public_exponent <= 2 || !(*public_exponent % 2)); + } + +- e = BN_bin2bn(public_exponent, sizeof(unsigned long), NULL); ++ e = BN_bin2bn((const unsigned char *)public_exponent, ++ sizeof(unsigned long), NULL); + if (e == NULL) { + goto done; + } +@@ -259,6 +260,8 @@ err: + #if !OPENSSL_VERSION_PREREQ(3, 0) + RSA_free(rsa); + #else ++ BN_free(n); ++ BN_free(d); + EVP_PKEY_free(pkey); + #endif + +@@ -410,6 +413,12 @@ err: + #if !OPENSSL_VERSION_PREREQ(3, 0) + RSA_free(rsa); + #else ++ BN_free(n); ++ BN_free(p); ++ BN_free(q); ++ BN_free(dmp1); ++ BN_free(dmq1); ++ BN_free(iqmp); + EVP_PKEY_free(pkey); + #endif + +-- +2.34.1 + + +From b49cf457659a4baf382b3828d89823497bb00f6e Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 13 Jan 2022 10:42:02 +0100 +Subject: [libica PATCH 05/10] EC: Handle unsupported EC curve in + ica_ec_key_new() + +In case of an unsupported curve nid, privlen_from_nid() returns -1. +The subsequent calloc() will fail with a size of -3 (0xfffffffffffffffd). + +Also free the already allocated key in case of an error to avoid a +memory leak. + +Signed-off-by: Ingo Franzki +--- + src/ica_api.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/ica_api.c b/src/ica_api.c +index a412052..0a885e2 100644 +--- a/src/ica_api.c ++++ b/src/ica_api.c +@@ -1336,9 +1336,15 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen) + + /* allocate clear memory for the 3 key parts */ + len = privlen_from_nid(nid); ++ if (len <= 0) { ++ free(key); ++ return NULL; ++ } + key->X = calloc(1, 3*len); +- if (!key->X) ++ if (!key->X) { ++ free(key); + return NULL; ++ } + + key->nid = nid; + key->Y = key->X + len; +-- +2.34.1 + + +From 7e6e303e6aef019047eb6dfcdedbfe7da2a88526 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Tue, 11 Jan 2022 16:04:15 +0100 +Subject: [libica PATCH 06/10] Compute HMAC from installed library + +The HMAC hash was computed from the libica in the build tree, but +the runtime check is run against the installed libica and those 2 +files may be different. E.g. if the runtime one has debuginfo stripped +(and placed into a separate file), the hashes are different. +This commit introduces a new make target: fipsinstall, which creates +the HMAC files in the install directory. + +Signed-off-by: Joerg Schmidbauer +--- + Makefile.am | 9 ++++----- + src/Makefile.am | 8 +++++++- + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 2d8ab9e..e14abb5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -17,11 +17,8 @@ coverage: check + cd ${top_builddir}/src && gcov .libs/*.gcda + + if ICA_FIPS +-install-data-hook: +- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir) +- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac +- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir) +- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac ++fipsinstall: ++ $(AM_V_GEN)$(MAKE) -C src fipsinstall + if ICA_OPENSSL3 + test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica + test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true +@@ -38,3 +35,5 @@ if ICA_OPENSSL3 + endif + endif + ++.PHONY: fipsinstall ++ +diff --git a/src/Makefile.am b/src/Makefile.am +index c630048..4c92c96 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -47,6 +47,12 @@ mp.S : mp.pl + ./mp.pl mp.S + + if ICA_FIPS ++fipsinstall: ++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac ++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac ++ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac ++ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac ++ + hmac-file-lnk: hmac-file + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac +@@ -110,4 +116,4 @@ internal_tests_ec_internal_test_SOURCES = \ + include/rng.h ../test/testcase.h + endif + +-.PHONY: hmac-file hmac-file-lnk ++.PHONY: hmac-file hmac-file-lnk fipsinstall +-- +2.34.1 + + +From 28fa931bed9e6847137829952a3e7cc6091bd071 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 24 Jan 2022 10:24:44 +0100 +Subject: [libica PATCH 07/10] Fix compile warnings + +... like potentially uninitialized variables or unused functions. + +Signed-off-by: Ingo Franzki +--- + src/fips.c | 4 ++-- + src/ica_api.c | 2 +- + src/s390_ecc.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/fips.c b/src/fips.c +index 934f6f7..505dd0b 100644 +--- a/src/fips.c ++++ b/src/fips.c +@@ -1304,8 +1304,8 @@ rsa_kat(void) + ica_adapter_handle_t ah; + const struct rsa_tv *tv; + size_t i, keylen, crtparamlen; +- unsigned char *out; +- libica_func_list_element* libica_func_list; ++ unsigned char *out = NULL; ++ libica_func_list_element* libica_func_list = NULL; + unsigned int count; + + if (ica_open_adapter(&ah)) +diff --git a/src/ica_api.c b/src/ica_api.c +index 0a885e2..a10e139 100644 +--- a/src/ica_api.c ++++ b/src/ica_api.c +@@ -90,6 +90,7 @@ void ica_set_stats_mode(int stats_mode) + ica_stats_enabled = stats_mode ? 1 : 0; + } + ++#ifndef NO_CPACF + #ifdef ICA_FIPS + static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { + if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64) +@@ -101,7 +102,6 @@ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { + } + #endif + +-#ifndef NO_CPACF + static unsigned int check_des_parms(unsigned int mode, + unsigned long data_length, + const unsigned char *in_data, +diff --git a/src/s390_ecc.c b/src/s390_ecc.c +index c0c1549..211db01 100644 +--- a/src/s390_ecc.c ++++ b/src/s390_ecc.c +@@ -147,7 +147,7 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen) + EC_POINT *point = NULL; + BIGNUM *bn_priv = NULL; + #if !OPENSSL_VERSION_PREREQ(3, 0) +- EC_KEY *ec_key; ++ EC_KEY *ec_key = NULL; + #else + unsigned char *pub_key = NULL; + unsigned int pub_key_len; +@@ -262,7 +262,7 @@ static EVP_PKEY *make_public_eckey(int nid, unsigned char *pubkey, size_t publen + { + int ok = 0; + #if !OPENSSL_VERSION_PREREQ(3, 0) +- EC_KEY *ec_key; ++ EC_KEY *ec_key = NULL; + #else + OSSL_PARAM_BLD *tmpl = NULL; + int rc; +-- +2.34.1 + + +From cc44f18383ec6dc01a05abd6c25a1dec8efe84cb Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 24 Jan 2022 10:32:47 +0100 +Subject: [libica PATCH 08/10] Fix memory leaks in test programs + +When configured with --enable-sanitizer some tests fail because +the address sanitizer reports memory leaks. + +Signed-off-by: Ingo Franzki +--- + test/ec_keygen_test.c | 6 +++++- + test/ecdh_test.c | 13 ++++++++++++- + test/ecdsa_test.c | 3 +++ + test/icastats_test.c.in | 1 + + 4 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/test/ec_keygen_test.c b/test/ec_keygen_test.c +index 43c6092..0445c41 100644 +--- a/test/ec_keygen_test.c ++++ b/test/ec_keygen_test.c +@@ -115,6 +115,8 @@ int main(int argc, char **argv) + + rc = ica_ec_key_generate(adapter_handle, eckey); + if (rc) { ++ ica_ec_key_free(eckey); ++ eckey = NULL; + if (rc == EPERM) { + V_(printf("Curve %d not supported on this system, skipping ...\n", eckeygen_tests[i].nid)); + continue; +@@ -156,12 +158,14 @@ int main(int argc, char **argv) + } + } + } ++ ++ ica_ec_key_free(eckey); ++ eckey = NULL; + } + + if (test_failed) + errors++; + +- ica_ec_key_free(eckey); + unset_env_icapath(); + } + +diff --git a/test/ecdh_test.c b/test/ecdh_test.c +index 9a81036..e1191d0 100644 +--- a/test/ecdh_test.c ++++ b/test/ecdh_test.c +@@ -339,6 +339,8 @@ int main(int argc, char **argv) + + rc = ica_ec_key_init(ecdh_kats[i].xa, ecdh_kats[i].ya, ecdh_kats[i].da, eckey_A); + if (rc != 0) { ++ ica_ec_key_free(eckey_A); ++ eckey_A = NULL; + if (rc == EPERM) { + V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid)); + continue; +@@ -350,11 +352,18 @@ int main(int argc, char **argv) + } + + eckey_B = ica_ec_key_new(ecdh_kats[i].nid, &privlen); +- if (!eckey_B) ++ if (!eckey_B) { ++ ica_ec_key_free(eckey_A); ++ eckey_A = NULL; + continue; ++ } + + rc = ica_ec_key_init(ecdh_kats[i].xb, ecdh_kats[i].yb, ecdh_kats[i].db, eckey_B); + if (rc != 0) { ++ ica_ec_key_free(eckey_B); ++ eckey_B = NULL; ++ ica_ec_key_free(eckey_A); ++ eckey_A = NULL; + if (rc == EPERM) { + V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid)); + continue; +@@ -415,7 +424,9 @@ int main(int argc, char **argv) + errors++; + + ica_ec_key_free(eckey_A); ++ eckey_A = NULL; + ica_ec_key_free(eckey_B); ++ eckey_B = NULL; + unset_env_icapath(); + } + +diff --git a/test/ecdsa_test.c b/test/ecdsa_test.c +index 3b6bda3..2393882 100644 +--- a/test/ecdsa_test.c ++++ b/test/ecdsa_test.c +@@ -225,6 +225,8 @@ int main(int argc, char **argv) + + rc = ica_ec_key_init(ecdsa_kats[i].x, ecdsa_kats[i].y, ecdsa_kats[i].d, eckey); + if (rc != 0) { ++ ica_ec_key_free(eckey); ++ eckey = NULL; + if (rc == EPERM) { + V_(printf("Curve %d not supported on this system, skipping ...\n", ecdsa_kats[i].nid)); + continue; +@@ -274,6 +276,7 @@ int main(int argc, char **argv) + errors++; + + ica_ec_key_free(eckey); ++ eckey = NULL; + unset_env_icapath(); + } + +diff --git a/test/icastats_test.c.in b/test/icastats_test.c.in +index 98905a9..f0d1212 100644 +--- a/test/icastats_test.c.in ++++ b/test/icastats_test.c.in +@@ -186,6 +186,7 @@ int is_crypto_card_loaded() + } + if((c = fgetc(file)) == '1'){ + fclose(file); ++ closedir(sysDir); + return 1; + } + fclose(file); +-- +2.34.1 + + +From 9c6431f49a9fe0d574722954e018b4cba6ab085b Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 24 Jan 2022 14:33:57 +0100 +Subject: [libica PATCH 09/10] FIPS: Calculation of library HMAC may fail + +Initialize length variable before calling EVP_DigestSignFinal(). +If hlen is uninitialized it may cause EVP_DigestSignFinal() to fail. + +Signed-off-by: Ingo Franzki +--- + src/fips.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/fips.c b/src/fips.c +index 505dd0b..129a1a7 100644 +--- a/src/fips.c ++++ b/src/fips.c +@@ -333,6 +333,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) + } + } + ++ hlen = sizeof(rbuf); + if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0) + goto end; + +-- +2.34.1 + + +From 5aa9366c236a6d17570403ef81c65e4f5f91a8af Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 26 Jan 2022 09:29:27 +0100 +Subject: [libica PATCH 10/10] MAKEFILE: Do not install ec_internal_test + +Signed-off-by: Ingo Franzki +--- + src/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 4c92c96..d6f5c52 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -90,7 +90,7 @@ icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h + # internal tests + + if ICA_INTERNAL_TESTS +-bin_PROGRAMS += internal_tests/ec_internal_test ++noinst_PROGRAMS = internal_tests/ec_internal_test + + internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \ + -I${srcdir}/../include \ +-- +2.34.1 + diff --git a/SPECS/libica.spec b/SPECS/libica.spec index 4a3fed5..adf5c4e 100644 --- a/SPECS/libica.spec +++ b/SPECS/libica.spec @@ -1,24 +1,18 @@ -# generally broken in 3.8.0 and also not ready for OpenSSL 3.0 -# https://github.com/opencryptoki/libica/issues/58 -# https://github.com/opencryptoki/libica/issues/62 -%global with_fips 0 +%global with_fips 1 Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 3.8.0 -Release: 3%{?dist} +Version: 4.0.0 +Release: 1%{?dist} License: CPL URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # annotate assembler source # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 # https://github.com/opencryptoki/libica/pull/24 -Patch0: %{name}-3.8.0-annotate.patch -# https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e -Patch1: %{name}-3.8.0-configure.patch -# https://github.com/opencryptoki/libica/issues/61 -# temporarily disable (OpenSSL 3.0) -Patch2: %{name}-3.8.0-no-eddsa-test.patch +Patch0: %{name}-4.0.0-annotate.patch +# post GA fixes, includes HMAC calculation +Patch1: %{name}-4.0.0-fixes.patch BuildRequires: gcc BuildRequires: openssl-devel BuildRequires: openssl @@ -76,6 +70,14 @@ if [ -c /dev/hwrng -o -c /dev/prandom ]; then make check fi +%if %{with_fips} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + make fipsinstall DESTDIR=%{buildroot} + %{nil} +%endif %files %doc AUTHORS LICENSE ChangeLog @@ -83,6 +85,11 @@ fi %{_bindir}/icainfo-cex %{_bindir}/icastats %if %{with_fips} +%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 +# openssl 3.0 is available since Fedora 36 and RHEL 9 +%dir %{_sysconfdir}/libica +%{_sysconfdir}/libica/openssl3-fips.cnf +%endif %{_libdir}/.libica.*.hmac %{_libdir}/.libica-cex.*.hmac %endif @@ -99,6 +106,10 @@ fi %changelog +* Tue Feb 01 2022 Dan Horák - 4.0.0-1 +- updated to 4.0.0 (#2040237) +- Resolves: #2040237 + * Mon Aug 09 2021 Mohan Boddu - 3.8.0-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688