From a80204a907c276caded83f4aae2d7832a1e82275 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 27 Sep 2022 17:00:23 -0400 Subject: [PATCH] import libica-4.0.2-1.el8 --- .gitignore | 2 +- .libica.metadata | 2 +- SOURCES/libica-3.9.0-hmac.patch | 64 - ...tate.patch => libica-4.0.1-annotate.patch} | 10 +- SOURCES/libica-4.0.1-revert-abi.patch | 1582 +++++++++++++++++ SPECS/libica.spec | 25 +- 6 files changed, 1607 insertions(+), 78 deletions(-) delete mode 100644 SOURCES/libica-3.9.0-hmac.patch rename SOURCES/{libica-3.8.0-annotate.patch => libica-4.0.1-annotate.patch} (60%) create mode 100644 SOURCES/libica-4.0.1-revert-abi.patch diff --git a/.gitignore b/.gitignore index 475cbd7..4330df8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libica-3.9.0.tar.gz +SOURCES/libica-4.0.2.tar.gz diff --git a/.libica.metadata b/.libica.metadata index e816bdf..435c11f 100644 --- a/.libica.metadata +++ b/.libica.metadata @@ -1 +1 @@ -98f9f376a8db6f58deab1e08987653170159fe41 SOURCES/libica-3.9.0.tar.gz +a9137e070966cefc5a2078893edc4693ee62088f SOURCES/libica-4.0.2.tar.gz diff --git a/SOURCES/libica-3.9.0-hmac.patch b/SOURCES/libica-3.9.0-hmac.patch deleted file mode 100644 index 333181a..0000000 --- a/SOURCES/libica-3.9.0-hmac.patch +++ /dev/null @@ -1,64 +0,0 @@ -From da198ddc689ee877e2fe9724a5f0252ffca5265c Mon Sep 17 00:00:00 2001 -From: Joerg Schmidbauer -Date: Wed, 2 Jun 2021 09:40:47 +0200 -Subject: [PATCH] Compute HMAC from installed library - -The HMAC hash was computed from the libica in the build tree, but -the runtime check is run against the installed libica and those 2 -files were different. The runtime one has debuginfo stripped -(and placed into a separate file), thus the hashes are different. - -Signed-off-by: Joerg Schmidbauer ---- - Makefile.am | 9 ++++----- - src/Makefile.am | 8 +++++++- - 2 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 4a1ef14..5367d49 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -46,6 +46,12 @@ mp.S : mp.pl - ./mp.pl mp.S - - if ICA_FIPS -+fipsinstall: -+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac -+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac -+ $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac -+ $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac -+ - hmac-file-lnk: hmac-file - $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac - $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac -@@ -108,4 +114,4 @@ internal_tests_ec_internal_test_SOURCES = \ - include/rng.h ../test/testcase.h - endif - --.PHONY: hmac-file hmac-file-lnk -+.PHONY: hmac-file hmac-file-lnk fipsinstall --- -2.29.2.windows.2 - -diff -up libica-3.9.0/Makefile.am.orig libica-3.9.0/Makefile.am ---- libica-3.9.0/Makefile.am.orig 2022-02-08 09:50:48.320207446 +0100 -+++ libica-3.9.0/Makefile.am 2022-02-08 09:51:25.945624410 +0100 -@@ -17,11 +17,8 @@ coverage: check - cd ${top_builddir}/src && gcov .libs/*.gcda - - if ICA_FIPS --install-data-hook: -- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir) -- cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac -- $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir) -- cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac -+fipsinstall: -+ $(AM_V_GEN)$(MAKE) -C src fipsinstall - if ICA_OPENSSL3 - test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica - test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true -@@ -38,3 +35,4 @@ if ICA_OPENSSL3 - endif - endif - -+.PHONY: fipsinstall diff --git a/SOURCES/libica-3.8.0-annotate.patch b/SOURCES/libica-4.0.1-annotate.patch similarity index 60% rename from SOURCES/libica-3.8.0-annotate.patch rename to SOURCES/libica-4.0.1-annotate.patch index 9ccc86c..d915006 100644 --- a/SOURCES/libica-3.8.0-annotate.patch +++ b/SOURCES/libica-4.0.1-annotate.patch @@ -1,7 +1,7 @@ -diff -up libica-3.8.0/src/Makefile.am.orig libica-3.8.0/src/Makefile.am ---- libica-3.8.0/src/Makefile.am.orig 2021-07-08 12:20:00.123572020 +0200 -+++ libica-3.8.0/src/Makefile.am 2021-07-08 12:20:13.611929256 +0200 -@@ -30,13 +30,13 @@ SOURCES_common = ica_api.c init.c icasta +diff -up libica-4.0.1/src/Makefile.am.orig libica-4.0.1/src/Makefile.am +--- libica-4.0.1/src/Makefile.am.orig 2022-03-22 13:13:36.186395805 +0100 ++++ libica-4.0.1/src/Makefile.am 2022-03-22 13:13:55.224076905 +0100 +@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icasta include/rng.h libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\" @@ -11,7 +11,7 @@ diff -up libica-3.8.0/src/Makefile.am.orig libica-3.8.0/src/Makefile.am libica_la_LDFLAGS = ${LDFLAGS_common} libica_la_SOURCES = ${SOURCES_common} - libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\" + libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\" -libica_cex_la_CCASFLAGS = ${AM_CFLAGS} +libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes libica_cex_la_LIBADD = ${LIBS_common} diff --git a/SOURCES/libica-4.0.1-revert-abi.patch b/SOURCES/libica-4.0.1-revert-abi.patch new file mode 100644 index 0000000..c6f58f5 --- /dev/null +++ b/SOURCES/libica-4.0.1-revert-abi.patch @@ -0,0 +1,1582 @@ +From 2fff02190269bc3a1b5bb1f7d721fffb9aabe1e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20Hor=C3=A1k?= +Date: Tue, 22 Mar 2022 12:43:19 +0100 +Subject: [libica PATCH] Revert "Remove deprecated API functions" + +This reverts commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048. +--- + include/ica_api.h | 230 ++++++++++++++++++++++++++++++ + libica.map | 8 ++ + src/ica_api.c | 258 ++++++++++++++++++++++++++++++++++ + src/include/s390_crypto.h | 5 - + test/Makefile.am | 11 +- + test/aes_128_test.c | 284 ++++++++++++++++++++++++++++++++++++++ + test/aes_192_test.c | 163 ++++++++++++++++++++++ + test/aes_256_test.c | 162 ++++++++++++++++++++++ + test/des_test.c | 157 +++++++++++++++++++++ + test/tdes_test.c | 148 ++++++++++++++++++++ + 10 files changed, 1418 insertions(+), 8 deletions(-) + create mode 100644 test/aes_128_test.c + create mode 100644 test/aes_192_test.c + create mode 100644 test/aes_256_test.c + create mode 100644 test/des_test.c + create mode 100644 test/tdes_test.c + +diff --git a/include/ica_api.h b/include/ica_api.h +index 6137c4a..e00103e 100644 +--- a/include/ica_api.h ++++ b/include/ica_api.h +@@ -1403,6 +1403,227 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle, + ICA_EXPORT + unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key); + ++/** ++ * @deprecated, use ica_des_ecb() or ica_des_cbc() instead. ++ * ++ * Encrypt data using a single length DES key. ++ * @param mode Specifies the operational mode and must be: ++ * MODE_ECB - Use Electronic Code Book mode ++ * MODE_CBC - Use Cipher Block Chaining mode ++ * @param data_length ++ * Specifies the byte length of the input data. It has to be a multiple of the ++ * cipher block which has a size of 8 byte. ++ * @param input_data ++ * Pointer to the input data data to be encrypted. Must be a multiple of the ++ * cipher to use hw acceleration. ++ * @param iv ++ * Pointer to a valid 8 byte initialization vector when using CBC mode. ++ * @param des_key ++ * Pointer to a single length DES key. ++ * @param output_data ++ * Pointer to the buffer to contain the resulting encrypted data. Must be a ++ * multiple of the cipher block and at least as big as the buffer for ++ * input_data. ++ * ++ * @return 0 if successful. ++ * EINVAL if at least one invalid parameter is given. ++ * EIO if the operation fails. This should never happen. ++ */ ++/* XXX next major: remove */ ++ICA_EXPORT ICA_DEPRECATED ++unsigned int ica_des_encrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_single_t *des_key, ++ unsigned char *output_data); ++ ++/** ++ * @deprecated, use ica_des_ecb() or ica_des_cbc() instead. ++ * ++ * Decrypt data using a single length DES key. ++ * @param mode ++ * Specifies the operational mode and must be: ++ * MODE_ECB - Use Electronic Code Book mode ++ * MODE_CBC - Use Cipher Block Chaining mode ++ * @param data_length ++ * Specifies the byte length of the input data. It has to be a multiple of the ++ * cipher block which has a size of 8 byte. ++ * @param input_data ++ * Pointer to the input data data to be decrypted. Must be a multiple of the ++ * cipher to use hw acceleration. ++ * @param iv ++ * Pointer to a valid 8 byte initialization vector when using CBC mode. ++ * @param des_key ++ * Pointer to a single length DES key. ++ * @param output_data ++ * Pointer to the buffer to contain the resulting decrypted data. Must be a ++ * multiple of the cipher block and at least as big as the buffer for ++ * input_data. ++ * ++ * @return 0 if successful. ++ * EINVAL if at least one invalid parameter is given. ++ * EIO if the operation fails. This should never happen. ++ */ ++/* XXX next major: remove */ ++ICA_EXPORT ICA_DEPRECATED ++unsigned int ica_des_decrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_single_t *des_key, ++ unsigned char *output_data); ++ ++/** ++ * @deprecated, use ica_3des_ecb() or ica_3des_cbc() instead. ++ * ++ * Encrypt data using a triple length DES key. ++ * @param mode ++ * Specifies the operational mode and must be: ++ * MODE_ECB - Use Electronic Code Book mode ++ * MODE_CBC - Use Cipher Block Chaining mode ++ * @param data_length ++ * Specifies the byte length of the input data. It has to be a multiple of the ++ * cipher block which has a size of 8 byte. ++ * @param input_data ++ * Pointer to the input data data to be encrypted. Must be a multiple of the ++ * cipher block to use hw acceleration. ++ * @param iv ++ * Pointer to a valid 8 byte initialization vector when using CBC mode. ++ * @param des_key ++ * Pointer to a triple length DES key. ++ * @param output_data ++ * Pointer to the buffer to contain the resulting encrypted data. Must be a ++ * multiple of the cipher block and at least as big as the buffer for ++ * input_data. ++ * ++ * @return 0 if successful. ++ * EINVAL if at least one invalid parameter is given. ++ * EIO if the operation fails. This should never happen. ++ */ ++/* XXX next major: remove */ ++ICA_EXPORT ICA_DEPRECATED ++unsigned int ica_3des_encrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_triple_t *des_key, ++ unsigned char *output_data); ++ ++/** ++ * @deprecated, use ica_3des_ecb() or ica_3des_cbc() instead. ++ * ++ * Decrypt data using a triple length DES key. ++ * @param mode ++ * Specifies the operational mode and must be: ++ * MODE_ECB - Use Electronic Code Book mode ++ * MODE_CBC - Use Cipher Block Chaining mode ++ * @param data_length ++ * Specifies the byte length of the input data. It has to be a multiple of the ++ * cipher block which has a size of 8 byte. ++ * @param input_data ++ * Pointer to the input data data to be decrypted. Must be a multiple of the ++ * cipher block to use hw acceleration. ++ * @param iv ++ * Pointer to a valid 8 byte initialization vector when using CBC mode. ++ * @param des_key ++ * Pointer to a triple length DES key. ++ * @param output_data ++ * Pointer to the buffer to contain the resulting decrypted data. Must be a ++ * multiple of the cipher block and at least as big as the buffer for ++ * input_data. ++ * ++ * @return 0 if successful. ++ * EINVAL if at least one invalid parameter is given. ++ * EIO if the operation fails. This should never happen. ++ */ ++/* XXX next major: remove */ ++ICA_EXPORT ICA_DEPRECATED ++unsigned int ica_3des_decrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_triple_t *des_key, ++ unsigned char *output_data); ++ ++/** ++ * @deprecated, use ica_aes_ecb() or ica_aes_cbc() instead. ++ * ++ * Encrypt data using AES (key_length is 16, 24, or 32) ++ * @param mode ++ * Specifies the operational mode and must be: ++ * MODE_ECB - Use Electronic Code Book mode ++ * MODE_CBC - Use Cipher Block Chaining mode ++ * @param data_length ++ * Specifies the byte length of the input data. Input data length has to be ++ * a multiple of the AES block length, which is 16 bytes. ++ * @param input_data ++ * Pointer to the input data data to be encrypted. Must be a multiple of the ++ * cipher block to use hw acceleration. ++ * @param iv ++ * Pointer to a valid 16 byte initialization vector when using CBC mode. ++ * @param key_length ++ * Length of the AES key being used. ++ * @param aes_key ++ * Pointer to an AES key. ++ * @param output_data ++ * Pointer to the buffer to contain the resulting encrypted data. Must be a ++ * multiple of the cipher block and at least as big as the buffer for ++ * input_data. ++ * ++ * @return 0 if successful. ++ * EINVAL if at least one invalid parameter is given. ++ * EIO if the operation fails. This should never happen. ++ */ ++/* XXX next major: remove */ ++ICA_EXPORT ICA_DEPRECATED ++unsigned int ica_aes_encrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_aes_vector_t *iv, ++ unsigned int key_length, ++ unsigned char *aes_key, ++ unsigned char *output_data); ++ ++/** ++ * @deprecated, use ica_aes_ecb() or ica_aes_cbc() instead. ++ * ++ * Decrypt data using AES (key_length is 16, 24, or 32) ++ * @param mode ++ * Specifies the operational mode and must be: ++ * MODE_ECB - Use Electronic Code Book mode ++ * MODE_CBC - Use Cipher Block Chaining mode ++ * @param data_length ++ * Specifies the byte length of the input data. Input data length has to be ++ * a multiple of the AES block length, which is 16 bytes. ++ * @param input_data ++ * Pointer to the input data to be decrypted. Must be a multiple of the ++ * cipher block to use hw acceleration. ++ * @param iv ++ * Pointer to a valid 16 byte initialization vector when using CBC mode. ++ * @param key_length ++ * Length of the AES key being used. ++ * @param aes_key ++ * Pointer to an AES key. ++ * @param output_data ++ * Pointer to the buffer to contain the resulting decrypted data. Must be a ++ * multiple of the cipher block and at least as big as the buffer for ++ * input_data. ++ * ++ * @return 0 if successful. ++ * EINVAL if at least one invalid parameter is given. ++ * EIO if the operation fails. This should never happen. ++ */ ++/* XXX next major: remove */ ++ICA_EXPORT ICA_DEPRECATED ++unsigned int ica_aes_decrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_aes_vector_t *iv, ++ unsigned int key_length, ++ unsigned char *aes_key, ++ unsigned char *output_data); ++ + /** + * Encrypt or decrypt data with an DES key using Electronic Cook Book (ECB) + * mode as described in NIST Special Publication 800-38A Chapter 6.1. +@@ -3379,6 +3600,15 @@ void ica_aes_gcm_kma_ctx_free(kma_ctx* ctx); + ICA_EXPORT + unsigned int ica_get_version(libica_version_info *version_info); + ++/* XXX next major: dont export, move to s390_crypto.h */ ++ICA_EXPORT ICA_DEPRECATED ++int s390_initialize_functionlist(void); ++ ++/* XXX next major: dont export, move to s390_crypto.h */ ++ICA_EXPORT ICA_DEPRECATED ++int s390_get_functionlist(libica_func_list_element *pmech_list, ++ unsigned int *pmech_list_len); ++ + /** + * Function that returns a list of crypto mechanisms supported by libica. + * @param pmech_list +diff --git a/libica.map b/libica.map +index 0d031e1..e74092e 100644 +--- a/libica.map ++++ b/libica.map +@@ -3,11 +3,15 @@ LIBICA_3.0.0 { + _fini; + _init; + ++ s390_initialize_functionlist; ++ s390_get_functionlist; + ica_get_functionlist; + ica_get_version; + + ica_random_number_generate; + ++ ica_des_encrypt; ++ ica_des_decrypt; + ica_des_ecb; + ica_des_cbc; + ica_des_cbc_cs; +@@ -19,6 +23,8 @@ LIBICA_3.0.0 { + ica_des_cmac_intermediate; + ica_des_cmac_last; + ++ ica_3des_encrypt; ++ ica_3des_decrypt; + ica_3des_ecb; + ica_3des_cbc; + ica_3des_cbc_cs; +@@ -30,6 +36,8 @@ LIBICA_3.0.0 { + ica_3des_cmac_intermediate; + ica_3des_cmac_last; + ++ ica_aes_encrypt; ++ ica_aes_decrypt; + ica_aes_ecb; + ica_aes_cbc; + ica_aes_cbc_cs; +diff --git a/src/ica_api.c b/src/ica_api.c +index a10e139..c3a6343 100644 +--- a/src/ica_api.c ++++ b/src/ica_api.c +@@ -2378,6 +2378,264 @@ int ica_ed448_key_gen(ICA_ED448_CTX *ctx) + * + ******************************************************************************/ + ++unsigned int ica_des_encrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_single_t *des_key, ++ unsigned char *output_data) ++{ ++#ifdef NO_CPACF ++ UNUSED(mode); ++ UNUSED(data_length); ++ UNUSED(input_data); ++ UNUSED(iv); ++ UNUSED(des_key); ++ UNUSED(output_data); ++ return EPERM; ++#else ++#ifdef ICA_FIPS ++ if (fips) ++ return EACCES; ++#endif /* ICA_FIPS */ ++ ++ if (check_des_parms(mode, data_length, input_data, ++ (unsigned char *) iv, (unsigned char *) des_key, ++ output_data)) ++ return EINVAL; ++ ++ if (mode == MODE_ECB) { ++ return s390_des_ecb(DEA_ENCRYPT, data_length, ++ input_data, (unsigned char *) des_key, ++ output_data); ++ } else if (mode == MODE_CBC) { ++ return s390_des_cbc(DEA_ENCRYPT, data_length, ++ input_data, (unsigned char *) iv, ++ (unsigned char *) des_key, output_data); ++ } ++ return EINVAL; ++#endif /* NO_CPACF */ ++} ++ ++unsigned int ica_des_decrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_single_t *des_key, ++ unsigned char *output_data) ++{ ++#ifdef NO_CPACF ++ UNUSED(mode); ++ UNUSED(data_length); ++ UNUSED(input_data); ++ UNUSED(iv); ++ UNUSED(des_key); ++ UNUSED(output_data); ++ return EPERM; ++#else ++#ifdef ICA_FIPS ++ if (fips) ++ return EACCES; ++#endif /* ICA_FIPS */ ++ ++ if (check_des_parms(mode, data_length, input_data, ++ (unsigned char *) iv, (unsigned char *) des_key, ++ output_data)) ++ return EINVAL; ++ ++ if (mode == MODE_ECB) { ++ return s390_des_ecb(DEA_DECRYPT, data_length, ++ input_data, (unsigned char *) des_key, ++ output_data); ++ } else if (mode == MODE_CBC) { ++ return s390_des_cbc(DEA_DECRYPT, data_length, ++ input_data, (unsigned char *) iv, ++ (unsigned char *) des_key, output_data); ++ } ++ return EINVAL; ++#endif /* NO_CPACF */ ++} ++ ++unsigned int ica_3des_encrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_triple_t *des_key, ++ unsigned char *output_data) ++{ ++#ifdef NO_CPACF ++ UNUSED(mode); ++ UNUSED(data_length); ++ UNUSED(input_data); ++ UNUSED(iv); ++ UNUSED(des_key); ++ UNUSED(output_data); ++ return EPERM; ++#else ++#ifdef ICA_FIPS ++ if (fips >> 1) ++ return EACCES; ++ if (fips_check_3des_key(des_key)) ++ return EINVAL; ++#endif /* ICA_FIPS */ ++ ++ if (check_des_parms(mode, data_length, input_data, ++ (unsigned char *) iv, (unsigned char *) des_key, ++ output_data)) ++ return EINVAL; ++ ++ if (mode == MODE_ECB) { ++ return s390_des_ecb(TDEA_192_ENCRYPT, data_length, ++ input_data,(unsigned char *) des_key, ++ output_data); ++ } else if (mode == MODE_CBC) { ++ return s390_des_cbc(TDEA_192_ENCRYPT, data_length, ++ input_data, (unsigned char *) iv, ++ (unsigned char *) des_key, output_data); ++ } ++ return EINVAL; ++#endif /* NO_CPACF */ ++} ++ ++unsigned int ica_3des_decrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_des_vector_t *iv, ++ ica_des_key_triple_t *des_key, ++ unsigned char *output_data) ++{ ++#ifdef NO_CPACF ++ UNUSED(mode); ++ UNUSED(data_length); ++ UNUSED(input_data); ++ UNUSED(iv); ++ UNUSED(des_key); ++ UNUSED(output_data); ++ return EPERM; ++#else ++#ifdef ICA_FIPS ++ if (fips >> 1) ++ return EACCES; ++ if (fips_check_3des_key(des_key)) ++ return EINVAL; ++#endif /* ICA_FIPS */ ++ ++ if (check_des_parms(mode, data_length, input_data, ++ (unsigned char *) iv, (unsigned char *) des_key, ++ output_data)) ++ return EINVAL; ++ ++ if (mode == MODE_ECB) { ++ return s390_des_ecb(TDEA_192_DECRYPT, data_length, ++ input_data, (unsigned char *) des_key, ++ output_data); ++ } else if (mode == MODE_CBC) { ++ return s390_des_cbc(TDEA_192_DECRYPT, data_length, ++ input_data, (unsigned char *) iv, ++ (unsigned char *) des_key, output_data); ++ } ++ return EINVAL; ++#endif /* NO_CPACF */ ++} ++ ++unsigned int ica_aes_encrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_aes_vector_t *iv, ++ unsigned int key_length, ++ unsigned char *aes_key, ++ unsigned char *output_data) ++{ ++#ifdef NO_CPACF ++ UNUSED(mode); ++ UNUSED(data_length); ++ UNUSED(input_data); ++ UNUSED(iv); ++ UNUSED(key_length); ++ UNUSED(aes_key); ++ UNUSED(output_data); ++ return EPERM; ++#else ++ unsigned int function_code; ++ ++#ifdef ICA_FIPS ++ if (fips >> 1) ++ return EACCES; ++#endif /* ICA_FIPS */ ++ ++ /* check for obvious errors in parms */ ++ if (check_aes_parms(mode, data_length, input_data, ++ (unsigned char *) iv, key_length, aes_key, ++ output_data)) ++ return EINVAL; ++ ++ function_code = aes_directed_fc(key_length, ICA_ENCRYPT); ++ ++ switch (mode) { ++ case MODE_CBC: ++ return s390_aes_cbc(function_code, data_length, input_data, ++ (unsigned char *) iv, aes_key, ++ output_data); ++ case MODE_ECB: ++ return s390_aes_ecb(function_code, data_length, input_data, ++ aes_key, output_data); ++ default: ++ return EINVAL; ++ } ++ ++ return EINVAL; ++#endif /* NO_CPACF */ ++} ++ ++unsigned int ica_aes_decrypt(unsigned int mode, ++ unsigned int data_length, ++ unsigned char *input_data, ++ ica_aes_vector_t *iv, ++ unsigned int key_length, ++ unsigned char *aes_key, ++ unsigned char *output_data) ++{ ++#ifdef NO_CPACF ++ UNUSED(mode); ++ UNUSED(data_length); ++ UNUSED(input_data); ++ UNUSED(iv); ++ UNUSED(key_length); ++ UNUSED(aes_key); ++ UNUSED(output_data); ++ return EPERM; ++#else ++ unsigned int function_code; ++ ++#ifdef ICA_FIPS ++ if (fips >> 1) ++ return EACCES; ++#endif /* ICA_FIPS */ ++ ++ /* check for obvious errors in parms */ ++ if (check_aes_parms(mode, data_length, input_data, ++ (unsigned char *) iv, key_length, aes_key, ++ output_data)) ++ return EINVAL; ++ ++ function_code = aes_directed_fc(key_length, ICA_DECRYPT); ++ ++ switch (mode) { ++ case MODE_CBC: ++ return s390_aes_cbc(function_code, data_length, input_data, ++ (unsigned char *) iv, aes_key, ++ output_data); ++ case MODE_ECB: ++ return s390_aes_ecb(function_code, data_length, input_data, ++ aes_key, output_data); ++ default: ++ return EINVAL; ++ } ++ ++ return EINVAL; ++#endif /* NO_CPACF */ ++} ++ + unsigned int ica_des_ecb(const unsigned char *in_data, unsigned char *out_data, + unsigned long data_length, unsigned char *key, + unsigned int direction) +diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h +index 49cbb09..76f530f 100644 +--- a/src/include/s390_crypto.h ++++ b/src/include/s390_crypto.h +@@ -25,11 +25,6 @@ + + #include + +-/* major 4.0: no more exported, now internal */ +-int s390_initialize_functionlist(void); +-int s390_get_functionlist(libica_func_list_element *pmech_list, +- unsigned int *pmech_list_len); +- + #ifndef OPENSSL_VERSION_PREREQ + #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR) + #define OPENSSL_VERSION_PREREQ(maj, min) \ +diff --git a/test/Makefile.am b/test/Makefile.am +index d1e5a09..11ed749 100644 +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -7,16 +7,21 @@ get_version_test \ + rng_test \ + drbg_test \ + drbg_birthdays_test.pl \ ++des_test \ + des_ecb_test \ + des_cbc_test \ + des_ctr_test \ + des_cfb_test \ + des_ofb_test \ ++tdes_test \ + tdes_ecb_test \ + tdes_cbc_test \ + tdes_ctr_test \ + tdes_cfb_test \ + tdes_ofb_test \ ++aes_128_test \ ++aes_192_test \ ++aes_256_test \ + aes_ecb_test \ + aes_cbc_test \ + aes_ctr_test \ +@@ -70,10 +75,10 @@ get_functionlist_cex_test_SOURCES = get_functionlist_cex_test.c + get_functionlist_cex_test_LDADD = @LIBS@ ${top_builddir}/src/.libs/libica-cex.so -lcrypto -lpthread + + check_PROGRAMS = fips_test icastats_test get_functionlist_test \ +-get_version_test rng_test drbg_test drbg_birthdays_test \ ++get_version_test rng_test drbg_test drbg_birthdays_test des_test \ + des_ecb_test des_cbc_test des_ctr_test des_cfb_test des_ofb_test \ +-tdes_ecb_test tdes_cbc_test tdes_ctr_test tdes_cfb_test \ +-tdes_ofb_test aes_ecb_test \ ++tdes_test tdes_ecb_test tdes_cbc_test tdes_ctr_test tdes_cfb_test \ ++tdes_ofb_test aes_128_test aes_192_test aes_256_test aes_ecb_test \ + aes_cbc_test aes_ctr_test aes_cfb_test aes_ofb_test aes_xts_test \ + aes_gcm_test aes_gcm_kma_test cbccs_test ccm_test cmac_test sha_test \ + sha1_test sha256_test sha3_224_test sha3_256_test sha3_384_test \ +diff --git a/test/aes_128_test.c b/test/aes_128_test.c +new file mode 100644 +index 0000000..d5667bb +--- /dev/null ++++ b/test/aes_128_test.c +@@ -0,0 +1,284 @@ ++/* This program is released under the Common Public License V1.0 ++ * ++ * You should have received a copy of Common Public License V1.0 along with ++ * with this program. ++ */ ++ ++/* Copyright IBM Corp. 2005, 2009, 2011 */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "ica_api.h" ++#include ++#include ++#include "testcase.h" ++ ++unsigned char NIST_KEY1[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++}; ++ ++unsigned char NIST_TEST_DATA[] = { ++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, ++ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, ++}; ++ ++unsigned char NIST_TEST_RESULT[] = { ++ 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, ++ 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a, ++}; ++ ++int test_aes128_new_api(int mode) ++{ ++ ica_aes_vector_t iv; ++ unsigned char key[AES_KEY_LEN128]; ++ int rc = 0; ++ unsigned char dec_text[sizeof(NIST_TEST_DATA)], ++ enc_text[sizeof(NIST_TEST_DATA)]; ++ ++ bzero(dec_text, sizeof(dec_text)); ++ bzero(enc_text, sizeof(enc_text)); ++ bzero(iv, sizeof(iv)); ++ bcopy(NIST_KEY1, key, sizeof(NIST_KEY1)); ++ ++ rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, ++ AES_KEY_LEN128, key, enc_text); ++ if (rc) { ++ VV_(printf("key \n")); ++ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("test iv\n")); ++ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); ++ VV_(printf("key\n")); ++ dump_array((unsigned char *) key, AES_KEY_LEN128); ++ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { ++ VV_(printf("key \n")); ++ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("test iv\n")); ++ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); ++ VV_(printf("key\n")); ++ dump_array((unsigned char *) key, AES_KEY_LEN128); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) enc_text, sizeof(enc_text)); ++ VV_(printf("This does NOT match the known result.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Yep, it's what it should be.\n")); ++ } ++ ++ bzero(iv, sizeof(iv)); ++ rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, ++ AES_KEY_LEN128, key, dec_text); ++ if (rc) { ++ VV_(printf("key \n")); ++ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("test iv\n")); ++ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); ++ VV_(printf("key\n")); ++ dump_array((unsigned char *) key, AES_KEY_LEN128); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) enc_text, sizeof(enc_text)); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char *) dec_text, sizeof(dec_text)); ++ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { ++ VV_(printf("This does NOT match the original data.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Successful!\n")); ++ VV_(printf("key \n")); ++ dump_array((unsigned char *) key, sizeof(NIST_KEY1)); ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("test iv\n")); ++ dump_array((unsigned char *) &iv, sizeof(ica_aes_vector_t)); ++ VV_(printf("key\n")); ++ dump_array((unsigned char *) key, AES_KEY_LEN128); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) enc_text, sizeof(enc_text)); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char *) dec_text, sizeof(dec_text)); ++ } ++ ++// Test 2 ++ ++ rc = 0; ++ bzero(dec_text, sizeof(dec_text)); ++ bzero(enc_text, sizeof(enc_text)); ++ bzero(iv, sizeof(iv)); ++ bzero(key, sizeof(key)); ++ ++ unsigned int length = 64; ++ unsigned char *decrypt = malloc(length); ++ unsigned char *encrypt = malloc(length); ++ unsigned char *original = malloc(length); ++ ica_aes_key_len_128_t key2; ++ ++ rc = ica_random_number_generate(length, original); ++ if (rc) { ++ VV_(printf("ica_random_number_generate returned rc = %i\n", rc)); ++ return TEST_FAIL; ++ } ++ ++ rc = ica_random_number_generate(AES_KEY_LEN128, (unsigned char *) &key2); ++ if (rc) { ++ VV_(printf("ica_random_number_generate returned rc = %i\n", rc)); ++ return TEST_FAIL; ++ } ++ ++ rc = ica_aes_encrypt(mode, length, original, &iv, AES_KEY_LEN128, (unsigned char *) &key2, ++ (unsigned char *) encrypt); ++ if (rc) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) original, length); ++ VV_(printf("KEY: \n")); ++ dump_array((unsigned char *) &key2, AES_KEY_LEN128); ++ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(encrypt, original, length) == 0) { ++ VV_(printf("Encrypt and original are the same.\n")); ++ return TEST_FAIL; ++ } ++ ++ bzero(iv, sizeof(iv)); ++ rc = ica_aes_decrypt(mode, length, encrypt, &iv, AES_KEY_LEN128, ++ (unsigned char *) &key2, decrypt); ++ if (rc) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) original, length); ++ VV_(printf("KEY: \n")); ++ dump_array((unsigned char *) &key2, AES_KEY_LEN128); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) encrypt, length); ++ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); ++ goto free; ++ } ++ ++ if (memcmp(decrypt, original, length) != 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) original, length); ++ VV_(printf("KEY: \n")); ++ dump_array((unsigned char *) &key2, AES_KEY_LEN128); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) encrypt, length); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char *) decrypt, length); ++ VV_(printf("This does NOT match the original data.\n")); ++ rc = -1; ++ goto free; ++ } ++ ++ if(memcmp(decrypt, encrypt, length) == 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) original, length); ++ VV_(printf("KEY: \n")); ++ dump_array((unsigned char *) &key2, AES_KEY_LEN128); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) encrypt, length); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char *) decrypt, length); ++ VV_(printf("decrypt and encrypt are the same\n")); ++ rc = -1; ++ goto free; ++ ++ } else { ++ VV_(printf("Successful!\n")); ++ } ++free: ++ free(original); ++ free(encrypt); ++ free(decrypt); ++ ++ if (rc) ++ return TEST_FAIL; ++ ++ return TEST_SUCC; ++} ++ ++/* ++ * Performs ECB and CBC tests. ++ */ ++int main(int argc, char **argv) ++{ ++#ifdef NO_CPACF ++ UNUSED(argc); ++ UNUSED(argv); ++ printf("Skipping AES-128 test, because CPACF support disabled via config option.\n"); ++ return TEST_SKIP; ++#else ++ unsigned int mode = 0; ++ int rc = 0; ++ int error_count = 0; ++ ++ if (argc > 1) { ++ if (strstr(argv[1], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[1], "cbc")) ++ mode = MODE_CBC; ++ } ++ ++ if (argc > 2) { ++ if (strstr(argv[2], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[2], "cbc")) ++ mode = MODE_CBC; ++ } ++ ++ set_verbosity(argc, argv); ++ ++ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { ++ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); ++ return TEST_ERR; ++ } ++ ++ if (!mode) { ++ /* This is the standard loop that will perform all testcases */ ++ mode = 2; ++ while (mode) { ++ rc = test_aes128_new_api(mode); ++ if (rc) { ++ error_count++; ++ V_(printf ("test_aes_new_api mode = %i failed \n", mode)); ++ } ++ else { ++ V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); ++ } ++ mode--; ++ } ++ if (error_count) ++ printf("%i AES-128-ECB/CBC tests failed.\n", error_count); ++ else ++ printf("All AES-128-ECB/CBC tests passed.\n"); ++ } else { ++ /* Perform only either in ECB or CBC mode */ ++ rc = test_aes128_new_api(mode); ++ if (rc) ++ printf ("test_aes_new_api mode = %i failed \n", mode); ++ else { ++ printf ("test_aes_new_api mode = %i finished.\n", mode); ++ } ++ } ++ ++ if (rc) ++ return TEST_FAIL; ++ ++ return TEST_SUCC; ++#endif /* NO_CPACF */ ++} +diff --git a/test/aes_192_test.c b/test/aes_192_test.c +new file mode 100644 +index 0000000..e803f39 +--- /dev/null ++++ b/test/aes_192_test.c +@@ -0,0 +1,163 @@ ++/* This program is released under the Common Public License V1.0 ++ * ++ * You should have received a copy of Common Public License V1.0 along with ++ * with this program. ++ */ ++ ++/* Copyright IBM Corp. 2005, 2009, 2011 */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "ica_api.h" ++#include "testcase.h" ++ ++unsigned char NIST_KEY2[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++}; ++ ++unsigned char NIST_TEST_DATA[] = { ++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, ++ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, ++}; ++ ++unsigned char NIST_TEST_RESULT[] = { ++ 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, ++ 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91, ++}; ++ ++int test_aes192_new_api(int mode) ++{ ++ ica_aes_vector_t iv; ++ ica_aes_key_len_192_t key; ++ int rc = 0; ++ unsigned char dec_text[sizeof(NIST_TEST_DATA)], ++ enc_text[sizeof(NIST_TEST_DATA)]; ++ ++ bzero(dec_text, sizeof(dec_text)); ++ bzero(enc_text, sizeof(enc_text)); ++ bzero(iv, sizeof(iv)); ++ bcopy(NIST_KEY2, key, sizeof(NIST_KEY2)); ++ ++ rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, ++ AES_KEY_LEN192, (unsigned char *) &key, enc_text); ++ if (rc) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char*)enc_text, sizeof(enc_text)); ++ VV_(printf("This does NOT match the known result.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Yep, it's what it should be.\n")); ++ } ++ ++ bzero(iv, sizeof(iv)); ++ rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, ++ AES_KEY_LEN192, (unsigned char *) &key, dec_text); ++ if (rc != 0) { ++ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char*)enc_text, sizeof(enc_text)); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char*)dec_text, sizeof(dec_text)); ++ VV_(printf("This does NOT match the original data.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Successful!\n")); ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char*)enc_text, sizeof(enc_text)); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char*)dec_text, sizeof(dec_text)); ++ } ++ ++ return TEST_SUCC; ++} ++ ++/* ++ * Performs ECB and CBC tests. ++ */ ++int main(int argc, char **argv) ++{ ++#ifdef NO_CPACF ++ UNUSED(argc); ++ UNUSED(argv); ++ printf("Skipping AES-192 test, because CPACF support disabled via config option.\n"); ++ return TEST_SKIP; ++#else ++ unsigned int mode = 0; ++ int rc = 0; ++ int error_count = 0; ++ ++ if (argc > 1) { ++ if (strstr(argv[1], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[1], "cbc")) ++ mode = MODE_CBC; ++ } ++ if (argc > 2) { ++ if (strstr(argv[2], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[2], "cbc")) ++ mode = MODE_CBC; ++ } ++ ++ set_verbosity(argc, argv); ++ ++ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { ++ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); ++ return TEST_ERR; ++ } ++ ++ if (!mode) { ++ /* This is the standard loop that will perform all testcases */ ++ mode = 2; ++ while (mode) { ++ rc = test_aes192_new_api(mode); ++ if (rc) { ++ error_count++; ++ V_(printf ("test_aes_new_api mode = %i failed \n", mode)); ++ } else { ++ V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); ++ } ++ mode--; ++ } ++ if (error_count) ++ printf("%i AES-192-ECB/CBC tests failed.\n", error_count); ++ else ++ printf("All AES-192-ECB/CBC tests passed.\n"); ++ } else { ++ /* Perform only either in ECB or CBC mode */ ++ rc = test_aes192_new_api(mode); ++ if (rc) ++ printf ("test_aes_new_api mode = %i failed \n", mode); ++ else { ++ printf ("test_aes_new_api mode = %i finished.\n", mode); ++ } ++ } ++ ++ if (rc) ++ return TEST_FAIL; ++ ++ return TEST_SUCC; ++#endif /* NO_CPACF */ ++} +diff --git a/test/aes_256_test.c b/test/aes_256_test.c +new file mode 100644 +index 0000000..30f01f0 +--- /dev/null ++++ b/test/aes_256_test.c +@@ -0,0 +1,162 @@ ++/* This program is released under the Common Public License V1.0 ++ * ++ * You should have received a copy of Common Public License V1.0 along with ++ * with this program. ++ */ ++ ++/* Copyright IBM Corp. 2005, 2009, 2011 */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "ica_api.h" ++#include "testcase.h" ++ ++unsigned char NIST_KEY3[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, ++}; ++ ++unsigned char NIST_TEST_DATA[] = { ++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, ++ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, ++}; ++ ++unsigned char NIST_TEST_RESULT[] = { ++ 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, ++ 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89, ++}; ++ ++int test_aes256_new_api(int mode) ++{ ++ ica_aes_vector_t iv; ++ unsigned char key[AES_KEY_LEN256]; ++ int rc = 0; ++ unsigned char dec_text[sizeof(NIST_TEST_DATA)], ++ enc_text[sizeof(NIST_TEST_DATA)]; ++ ++ bzero(dec_text, sizeof(dec_text)); ++ bzero(enc_text, sizeof(enc_text)); ++ bzero(iv, sizeof(iv)); ++ bcopy(NIST_KEY3, key, sizeof(NIST_KEY3)); ++ ++ rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, ++ AES_KEY_LEN256, key, enc_text); ++ if (rc) { ++ VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) enc_text, sizeof(enc_text)); ++ VV_(printf("This does NOT match the known result.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Yep, it's what it should be.\n")); ++ } ++ ++ bzero(iv, sizeof(iv)); ++ rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, ++ AES_KEY_LEN256, key, dec_text); ++ if (rc) { ++ VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) enc_text, sizeof(enc_text)); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char *) dec_text, sizeof(dec_text)); ++ VV_(printf("This does NOT match the original data.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array((unsigned char *) enc_text, sizeof(enc_text)); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array((unsigned char *) dec_text, sizeof(dec_text)); ++ VV_(printf("Successful!\n")); ++ } ++ ++ return TEST_SUCC; ++} ++ ++/* ++ * Performs ECB and CBC tests. ++ */ ++int main(int argc, char **argv) ++{ ++#ifdef NO_CPACF ++ UNUSED(argc); ++ UNUSED(argv); ++ printf("Skipping AES-256 test, because CPACF support disabled via config option.\n"); ++ return TEST_SKIP; ++#else ++ unsigned int mode = 0; ++ int rc = 0; ++ int error_count = 0; ++ ++ if (argc > 1) { ++ if (strstr(argv[1], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[1], "cbc")) ++ mode = MODE_CBC; ++ } ++ if (argc > 2) { ++ if (strstr(argv[2], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[2], "cbc")) ++ mode = MODE_CBC; ++ } ++ ++ set_verbosity(argc, argv); ++ ++ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { ++ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); ++ return TEST_ERR; ++ } ++ ++ if (!mode) { ++ /* This is the standard loop that will perform all testcases */ ++ mode = 2; ++ while (mode) { ++ rc = test_aes256_new_api(mode); ++ if (rc) { ++ error_count++; ++ V_(printf ("test_aes_new_api mode = %i failed \n", mode)); ++ } ++ else { ++ V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); ++ } ++ mode--; ++ } ++ if (error_count) ++ printf("%i AES-256-ECB/CBC tests failed.\n", error_count); ++ else ++ printf("All AES-256-ECB/CBC tests passed.\n"); ++ } else { ++ /* Perform only either in ECB or CBC mode */ ++ rc = test_aes256_new_api(mode); ++ if (rc) ++ printf("test_aes_new_api mode = %i failed \n", mode); ++ else ++ printf("test_aes_new_api mode = %i finished.\n", mode); ++ } ++ ++ if (rc) ++ return TEST_FAIL; ++ ++ return TEST_SUCC; ++#endif /* NO_CPACF */ ++} +diff --git a/test/des_test.c b/test/des_test.c +new file mode 100644 +index 0000000..c796792 +--- /dev/null ++++ b/test/des_test.c +@@ -0,0 +1,157 @@ ++/* This program is released under the Common Public License V1.0 ++ * ++ * You should have received a copy of Common Public License V1.0 along with ++ * with this program. ++ */ ++ ++/* Copyright IBM Corp. 2001, 2009, 2011 */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "ica_api.h" ++#include "testcase.h" ++ ++const int cipher_buf_length = 8; ++ ++unsigned char NIST_KEY1[] = ++ { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; ++ ++unsigned char NIST_TEST_DATA[] = ++ { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }; ++ ++unsigned char NIST_TEST_RESULT[] = ++ { 0x69, 0x0f, 0x5b, 0x0d, 0x9a, 0x26, 0x93, 0x9b }; ++ ++int test_des_new_api(int mode) ++{ ++ ica_des_vector_t iv; ++ ica_des_key_single_t key; ++ int rc = 0; ++ unsigned char dec_text[sizeof NIST_TEST_DATA], ++ enc_text[sizeof NIST_TEST_DATA]; ++ ++ bzero(dec_text, sizeof dec_text); ++ bzero(enc_text, sizeof enc_text); ++ bzero(iv, sizeof iv); ++ bcopy(NIST_KEY1, key, sizeof NIST_KEY1); ++ ++ rc = ica_des_encrypt(mode, sizeof NIST_TEST_DATA, NIST_TEST_DATA, &iv, ++ &key, enc_text); ++ if (rc) { ++ VV_(printf("\nOriginal data:\n"); ++ dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA)); ++ VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array(enc_text, sizeof enc_text); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(enc_text, NIST_TEST_RESULT, sizeof NIST_TEST_RESULT) != 0) { ++ VV_(printf("This does NOT match the known result.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Yep, it's what it should be.\n")); ++ } ++ ++ bzero(iv, sizeof iv); ++ rc = ica_des_decrypt(mode, sizeof enc_text, enc_text, &iv, &key, ++ dec_text); ++ if (rc) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA); ++ VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array(enc_text, sizeof enc_text); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array(dec_text, sizeof dec_text); ++ VV_(printf("ica_des_decrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ if (memcmp(dec_text, NIST_TEST_DATA, sizeof NIST_TEST_DATA) != 0) { ++ VV_(printf("\nOriginal data:\n")); ++ dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA); ++ VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array(enc_text, sizeof enc_text); ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array(dec_text, sizeof dec_text); ++ VV_(printf("This does NOT match the original data.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Successful!\n")); ++ } ++ ++ return TEST_SUCC; ++} ++ ++int main(int argc, char **argv) ++{ ++#ifdef NO_CPACF ++ UNUSED(argc); ++ UNUSED(argv); ++ printf("Skipping DES test, because CPACF support disabled via config option.\n"); ++ return TEST_SKIP; ++#else ++ unsigned int mode = 0; ++ int rc = 0; ++ int error_count = 0; ++ ++ set_verbosity(argc, argv); ++ ++#ifdef ICA_FIPS ++ if (ica_fips_status() & ICA_FIPS_MODE) { ++ printf("All DES new api tests skipped." ++ " (DES not FIPS approved)\n"); ++ return TEST_SKIP; ++ } ++#endif /* ICA_FIPS */ ++ ++ if (argc > 1) { ++ if (strstr(argv[1], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[1], "cbc")) ++ mode = MODE_CBC; ++ V_(printf("mode = %i \n", mode)); ++ } ++ ++ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { ++ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); ++ return TEST_ERR; ++ } ++ if (!mode) { ++ /* This is the standard loop that will perform all testcases */ ++ mode = 2; ++ while (mode) { ++ rc = test_des_new_api(mode); ++ if (rc) { ++ error_count++; ++ V_(printf ("test_des_new_api mode = %i failed \n", mode)); ++ } ++ else { ++ V_(printf ("test_des_new_api mode = %i finished.\n", mode)); ++ } ++ mode--; ++ } ++ if (error_count) ++ printf("%i tests failed.\n", error_count); ++ else ++ printf("All tests passed.\n"); ++ } else { ++ /* Perform only either in ECB or CBC mode */ ++ rc = test_des_new_api(mode); ++ if (rc) ++ printf ("test_des_new_api mode = %i failed \n", mode); ++ else ++ printf ("test_des_new_api mode = %i finished.\n", mode); ++ } ++ ++ if (rc) ++ return TEST_FAIL; ++ ++ return TEST_SUCC; ++#endif /* NO_CPACF */ ++} +diff --git a/test/tdes_test.c b/test/tdes_test.c +new file mode 100644 +index 0000000..bfa33c2 +--- /dev/null ++++ b/test/tdes_test.c +@@ -0,0 +1,148 @@ ++/* This program is released under the Common Public License V1.0 ++ * ++ * You should have received a copy of Common Public License V1.0 along with ++ * with this program. ++ */ ++ ++/* Copyright IBM Corp. 2001, 2009, 2011 */ ++#include ++#include ++#include ++#include ++#include ++#include "ica_api.h" ++#include "testcase.h" ++ ++unsigned char KEY1[] = ++ { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; ++ ++unsigned char KEY2[] = ++ { 0x8c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; ++ ++unsigned char KEY3[] = ++ { 0x9c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; ++ ++unsigned char TEST_DATA[] = ++ { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }; ++ ++unsigned char TEST_RESULT[] = ++ { 0x90, 0x9c, 0xbc, 0x01, 0xc5, 0x1f, 0x09, 0x60 }; ++ ++int test_3des_new_api(int mode) ++{ ++ ica_des_vector_t iv; ++ ica_des_key_triple_t key; ++ int rc = 0; ++ unsigned char dec_text[sizeof(TEST_DATA)], ++ enc_text[sizeof(TEST_DATA)]; ++ ++ bzero(dec_text, sizeof(dec_text)); ++ bzero(enc_text, sizeof(enc_text)); ++ bzero(iv, sizeof(iv)); ++ bcopy(KEY1, key.key1, sizeof(KEY1)); ++ bcopy(KEY2, key.key2, sizeof(KEY2)); ++ bcopy(KEY3, key.key3, sizeof(KEY3)); ++ ++ VV_(printf("\nOriginal data:\n")); ++ dump_array(TEST_DATA, sizeof(TEST_DATA)); ++ ++ rc = ica_3des_encrypt(mode, sizeof(TEST_DATA), TEST_DATA, ++ &iv, &key, enc_text); ++ if (rc != 0) { ++ VV_(printf("ica_3des_encrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ VV_(printf("\nEncrypted data:\n")); ++ dump_array(enc_text, sizeof(enc_text)); ++ if (memcmp(enc_text, TEST_RESULT, sizeof TEST_RESULT) != 0) { ++ VV_(printf("This does NOT match the known result.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Yep, it's what it should be.\n")); ++ } ++ ++ bzero(iv, sizeof(iv)); ++ rc = ica_3des_decrypt(mode, sizeof(enc_text), enc_text, ++ &iv, &key, dec_text); ++ if (rc != 0) { ++ VV_(printf("ica_3des_decrypt failed with errno %d (0x%x).\n", rc, rc)); ++ return TEST_FAIL; ++ } ++ ++ VV_(printf("\nDecrypted data:\n")); ++ dump_array(dec_text, sizeof(dec_text)); ++ if (memcmp(dec_text, TEST_DATA, sizeof(TEST_DATA)) != 0) { ++ VV_(printf("This does NOT match the original data.\n")); ++ return TEST_FAIL; ++ } else { ++ VV_(printf("Successful!\n")); ++ } ++ ++ return TEST_SUCC; ++} ++ ++/* ++ * Performs ECB and CBC tests. ++ */ ++int main(int argc, char **argv) ++{ ++#ifdef NO_CPACF ++ UNUSED(argc); ++ UNUSED(argv); ++ printf("Skipping TDES test, because CPACF support disabled via config option.\n"); ++ return TEST_SKIP; ++#else ++ unsigned int mode = 0; ++ int rc = 0; ++ int error_count = 0; ++ ++ if (argc > 1) { ++ if (strstr(argv[1], "ecb")) ++ mode = MODE_ECB; ++ if (strstr(argv[1], "cbc")) ++ mode = MODE_CBC; ++ V_(printf("mode = %i \n", mode)); ++ } ++ if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { ++ printf("Usage: %s [ ecb | cbc ]\n", argv[0]); ++ return TEST_ERR; ++ } ++ ++ set_verbosity(argc, argv); ++ ++ if (!mode) { ++ /* This is the standard loop that will perform all testcases */ ++ mode = 2; ++ while (mode) { ++ rc = test_3des_new_api(mode); ++ if (rc) { ++ error_count++; ++ V_(printf ("test_des_new_api mode = %i failed \n", mode)); ++ } ++ else { ++ V_(printf ("test_des_new_api mode = %i finished.\n", mode)); ++ } ++ ++ mode--; ++ } ++ if (error_count) ++ printf("%i tests failed.\n", error_count); ++ else ++ printf("All tests passed.\n"); ++ } else { ++ /* Perform only either in ECB or CBC mode */ ++ rc = test_3des_new_api(mode); ++ if (rc) ++ printf ("test_des_new_api mode = %i failed \n", mode); ++ else ++ printf ("test_des_new_api mode = %i finished.\n", mode); ++ } ++ ++ if (rc || error_count) ++ return TEST_FAIL; ++ ++ return TEST_SUCC; ++#endif /* NO_CPACF */ ++} ++ +-- +2.34.1 + diff --git a/SPECS/libica.spec b/SPECS/libica.spec index 66c9f22..b23958a 100644 --- a/SPECS/libica.spec +++ b/SPECS/libica.spec @@ -1,8 +1,10 @@ %global with_fips 1 +# workaround to keep ABI/soname stable at major version 3 +%global fakeversion 3:99:1 Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 3.9.0 +Version: 4.0.2 Release: 1%{?dist} License: CPL Group: System Environment/Libraries @@ -10,9 +12,10 @@ URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # annotate assembler source # https://bugzilla.redhat.com/show_bug.cgi?id=1630582 -Patch0: %{name}-3.8.0-annotate.patch -# https://github.com/opencryptoki/libica/issues/62 -Patch1: %{name}-3.9.0-hmac.patch +Patch0: %{name}-4.0.1-annotate.patch +# revert ABI to 3.x +# reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048 +Patch1: %{name}-4.0.1-revert-abi.patch BuildRequires: gcc BuildRequires: openssl BuildRequires: openssl-devel @@ -51,11 +54,11 @@ sh ./bootstrap.sh %else --disable-fips %endif -make %{?_smp_mflags} +make %{?_smp_mflags} VERSION=%{fakeversion} %install -make install DESTDIR=$RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT VERSION=%{fakeversion} rm %{buildroot}%{_libdir}/libica*.la rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md} @@ -77,7 +80,7 @@ fi %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - make fipsinstall DESTDIR=%{buildroot} + make fipsinstall DESTDIR=%{buildroot} VERSION=%{fakeversion} %{nil} %endif @@ -103,6 +106,14 @@ fi %changelog +* Thu Jun 30 2022 Dan Horák - 4.0.2-1 +- updated to 4.0.2 (#2101766) +- Resolves: #2101766 + +* Tue Mar 22 2022 Dan Horák - 4.0.1-1 +- updated to 4.0.1 (#2043843) +- Resolves: #2043843 #2043904 + * Tue Feb 08 2022 Dan Horák - 3.9.0-1 - updated to 3.9.0 (#1984972) - Resolves: #1984972