- updated to 4.3.0 (RHEL-23703)

- fix selfcheck in FIPS mode (RHEL-9918)
- Resolves: RHEL-11415 RHEL-9918

.libica.metadata

@@ -0,0 +1 @@
+e7f7a7f714c793496294a5f865ad23d4c48866f9 libica-4.3.0.tar.gz

libica-4.2.2-icastats-summary.patch

@@ -1,231 +0,0 @@
-From f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Tue, 18 Jul 2023 09:21:54 +0200
-Subject: [libica PATCH] icastats: Fix summary option to display correct
- summary information
-
-The '--summary' option of icastats did not display correct statistics since
-the introduction of per key keysize counters with libica version 4.0.0.
-
-To display the correct summary counters, the all-key-size-counter values of an
-algorithm that supports multiple key sizes must be calculated like it is done
-in get_stats_data(). Adjust get_stats_data() function and friends so that it
-now also can be called from get_stats_sum() and can optionally operate on a
-specified statistics segment (i.e. the one where the summary statistics have
-been calculated in), not just the global one.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- src/icastats.c         |   4 +-
- src/icastats_shared.c  | 102 +++++++++++++++++++++++------------------
- src/include/icastats.h |   5 +-
- 3 files changed, 62 insertions(+), 49 deletions(-)
-
-diff --git a/src/icastats.c b/src/icastats.c
-index e98617f..07b0d50 100644
---- a/src/icastats.c
-+++ b/src/icastats.c
-@@ -302,7 +302,7 @@ int main(int argc, char *argv[])
- 				perror("malloc: ");
- 				return EXIT_FAILURE;
- 			}
--			get_stats_data(entries);
-+			get_stats_data(NULL, entries);
- 			if (json) {
- 				print_stats_json(entries, usr);
- 			} else {
-@@ -358,7 +358,7 @@ int main(int argc, char *argv[])
- 			perror("malloc: ");
- 			return EXIT_FAILURE;
- 		}
--		get_stats_data(stats);
-+		get_stats_data(NULL, stats);
- 		if (json) {
- 			pswd = getpwuid(user == -1 ? geteuid() : (uid_t)user);
- 			if (pswd == NULL) {
-diff --git a/src/icastats_shared.c b/src/icastats_shared.c
-index 8290239..f8e8563 100644
---- a/src/icastats_shared.c
-+++ b/src/icastats_shared.c
-@@ -124,39 +124,46 @@ void stats_munmap(int user, int unlink)
-  * @direction - valid values are ENCRYPT and DECRYPT
-  */
- 
--uint64_t stats_query(stats_fields_t field, int hardware, int direction)
-+uint64_t stats_query(stats_entry_t *source, stats_fields_t field,
-+		     int hardware, int direction)
- {
--	if (stats == NULL)
-+	if (source == NULL)
-+		source = stats;
-+
-+	if (source == NULL)
- 		return 0;
- 
- 	if (direction == ENCRYPT)
- 		if (hardware == ALGO_HW)
--			return stats[field].enc.hw;
-+			return source[field].enc.hw;
- 		else
--			return stats[field].enc.sw;
-+			return source[field].enc.sw;
- 	else
- 		if (hardware == ALGO_HW)
--			return stats[field].dec.hw;
-+			return source[field].dec.hw;
- 		else
--			return stats[field].dec.sw;
-+			return source[field].dec.sw;
- }
- 
--static uint64_t calc_summary(stats_fields_t start, unsigned int num,
-+static uint64_t calc_summary(stats_entry_t *source,
-+		             stats_fields_t start, unsigned int num,
- 		             int hardware, int direction)
- {
- 	unsigned int i;
- 	uint64_t sum = 0;
- 
- 	for (i = 0; i < num; i++)
--		sum += stats_query(start + i, hardware, direction);
-+		sum += stats_query(source, start + i, hardware, direction);
- 
- 	return sum;
- }
- 
- /* Returns the statistic data in a stats_entry_t array
-+ * @source - source of the statistics data. If NULL, then the global stats
-+ *           are used, which must have been mapped via stats_mmap() before.
-  * @entries - Needs to be a array of size ICA_NUM_STATS.
-  */
--void get_stats_data(stats_entry_t *entries)
-+void get_stats_data(stats_entry_t *source, stats_entry_t *entries)
- {
- 	unsigned int i;
- 	for (i = 0; i < ICA_NUM_STATS; i++) {
-@@ -168,58 +175,62 @@ void get_stats_data(stats_entry_t *entries)
- 		case ICA_STATS_AES_CTR:
- 		case ICA_STATS_AES_CMAC:
- 		case ICA_STATS_AES_GCM:
--			entries[i].enc.hw = calc_summary(i + 1, 3,
--					                 ALGO_HW, ENCRYPT);
--			entries[i].enc.sw = calc_summary(i + 1, 3,
--					                 ALGO_SW, ENCRYPT);
--			entries[i].dec.hw = calc_summary(i + 1, 3,
--					                 ALGO_HW, DECRYPT);
--			entries[i].dec.sw = calc_summary(i + 1, 3,
--					                 ALGO_SW, DECRYPT);
-+			entries[i].enc.hw = calc_summary(source, i + 1, 3,
-+							 ALGO_HW, ENCRYPT);
-+			entries[i].enc.sw = calc_summary(source, i + 1, 3,
-+							 ALGO_SW, ENCRYPT);
-+			entries[i].dec.hw = calc_summary(source, i + 1, 3,
-+							 ALGO_HW, DECRYPT);
-+			entries[i].dec.sw = calc_summary(source, i + 1, 3,
-+							 ALGO_SW, DECRYPT);
- 			break;
- 
- 		case ICA_STATS_AES_XTS:
--			entries[i].enc.hw = calc_summary(i + 1, 2,
--					                 ALGO_HW, ENCRYPT);
--			entries[i].enc.sw = calc_summary(i + 1, 2,
--					                 ALGO_SW, ENCRYPT);
--			entries[i].dec.hw = calc_summary(i + 1, 2,
--					                 ALGO_HW, DECRYPT);
--			entries[i].dec.sw = calc_summary(i + 1, 2,
--					                 ALGO_SW, DECRYPT);
-+			entries[i].enc.hw = calc_summary(source, i + 1, 2,
-+							 ALGO_HW, ENCRYPT);
-+			entries[i].enc.sw = calc_summary(source, i + 1, 2,
-+							 ALGO_SW, ENCRYPT);
-+			entries[i].dec.hw = calc_summary(source, i + 1, 2,
-+							 ALGO_HW, DECRYPT);
-+			entries[i].dec.sw = calc_summary(source, i + 1, 2,
-+							 ALGO_SW, DECRYPT);
- 			break;
- 
- 		case ICA_STATS_RSA_ME:
- 		case ICA_STATS_RSA_CRT:
--			entries[i].enc.hw = calc_summary(i + 1, 4,
--					                 ALGO_HW, ENCRYPT);
--			entries[i].enc.sw = calc_summary(i + 1, 4,
--					                 ALGO_SW, ENCRYPT);
--			entries[i].dec.hw = calc_summary(i + 1, 4,
--					                 ALGO_HW, DECRYPT);
--			entries[i].dec.sw = calc_summary(i + 1, 4,
--					                 ALGO_SW, DECRYPT);
-+			entries[i].enc.hw = calc_summary(source, i + 1, 4,
-+							 ALGO_HW, ENCRYPT);
-+			entries[i].enc.sw = calc_summary(source, i + 1, 4,
-+							 ALGO_SW, ENCRYPT);
-+			entries[i].dec.hw = calc_summary(source, i + 1, 4,
-+							 ALGO_HW, DECRYPT);
-+			entries[i].dec.sw = calc_summary(source, i + 1, 4,
-+							 ALGO_SW, DECRYPT);
- 			break;
- 
- 		case ICA_STATS_ECDH:
- 		case ICA_STATS_ECDSA_SIGN:
- 		case ICA_STATS_ECDSA_VERIFY:
- 		case ICA_STATS_ECKGEN:
--			entries[i].enc.hw = calc_summary(i + 1, 8,
--					                 ALGO_HW, ENCRYPT);
--			entries[i].enc.sw = calc_summary(i + 1, 8,
--					                 ALGO_SW, ENCRYPT);
--			entries[i].dec.hw = calc_summary(i + 1, 8,
--					                 ALGO_HW, DECRYPT);
--			entries[i].dec.sw = calc_summary(i + 1, 8,
--					                 ALGO_SW, DECRYPT);
-+			entries[i].enc.hw = calc_summary(source, i + 1, 8,
-+							 ALGO_HW, ENCRYPT);
-+			entries[i].enc.sw = calc_summary(source, i + 1, 8,
-+							 ALGO_SW, ENCRYPT);
-+			entries[i].dec.hw = calc_summary(source, i + 1, 8,
-+							 ALGO_HW, DECRYPT);
-+			entries[i].dec.sw = calc_summary(source, i + 1, 8,
-+							 ALGO_SW, DECRYPT);
- 			break;
- 
- 		default:
--			entries[i].enc.hw = stats_query(i, ALGO_HW, ENCRYPT);
--			entries[i].enc.sw = stats_query(i, ALGO_SW, ENCRYPT);
--			entries[i].dec.hw = stats_query(i, ALGO_HW, DECRYPT);
--			entries[i].dec.sw = stats_query(i, ALGO_SW, DECRYPT);
-+			entries[i].enc.hw = stats_query(source, i,
-+							ALGO_HW, ENCRYPT);
-+			entries[i].enc.sw = stats_query(source, i,
-+							ALGO_SW, ENCRYPT);
-+			entries[i].dec.hw = stats_query(source, i,
-+							ALGO_HW, DECRYPT);
-+			entries[i].dec.sw = stats_query(source, i,
-+							ALGO_SW, DECRYPT);
- 			break;
- 		}
- 	}
-@@ -280,6 +291,7 @@ int get_stats_sum(stats_entry_t *sum)
- 		}
- 	}
- 	closedir(shmDir);
-+	get_stats_data(sum, sum);
- 	return 1;
- }
- 
-diff --git a/src/include/icastats.h b/src/include/icastats.h
-index f1d70ba..136ac0f 100644
---- a/src/include/icastats.h
-+++ b/src/include/icastats.h
-@@ -286,8 +286,9 @@ typedef enum stats_fields {
- 
- int stats_mmap(int user);
- void stats_munmap(int user, int unlink);
--uint64_t stats_query(stats_fields_t field, int hardware, int direction);
--void get_stats_data(stats_entry_t *entries);
-+uint64_t stats_query(stats_entry_t *source, stats_fields_t field,
-+		     int hardware, int direction);
-+void get_stats_data(stats_entry_t *source, stats_entry_t *entries);
- void stats_increment(stats_fields_t field, int hardware, int direction);
- int get_stats_sum(stats_entry_t *sum);
- char *get_next_usr();
--- 
-2.40.1
-

libica-4.3.0-fixes.patch

@@ -0,0 +1,130 @@
+From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
+From: Holger Dengler <dengler@linux.ibm.com>
+Date: Tue, 16 Apr 2024 14:18:23 +0200
+Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests
+
+OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
+testcases use OpenSSL as helper and fallback, so disable the CEX
+acceleration for all tests.
+
+If the environment variable is already set, use it as is without
+modifying it. In this case, it is up to the user to choose the right
+settings.
+
+Fixes: Issue #126
+Link: https://github.com/opencryptoki/libica/issues/126
+Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+---
+ test/Makefile.am | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/test/Makefile.am b/test/Makefile.am
+index 76d4f15..e56b256 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -61,10 +61,14 @@ TESTS += \
+ ${top_builddir}/src/internal_tests/ec_internal_test
+ endif
+ 
++# disable OpenSSL CEX usage for all tests
++OPENSSL_s390xcap ?= nocex
++
+ TEST_EXTENSIONS = .sh .pl
+ TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
+ 			   PATH=${builddir}/../src/:$$PATH \
+-			   LIBICA_TESTDATA=${srcdir}/testdata/;
++			   LIBICA_TESTDATA=${srcdir}/testdata/ \
++			   OPENSSL_s390xcap=${OPENSSL_s390xcap};
+ AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
+ LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
+ 
+-- 
+2.45.1
+
+
+From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 24 Apr 2024 10:44:26 +0200
+Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/include/s390_aes.h    |  2 +-
+ src/include/s390_cmac.h   |  2 +-
+ src/include/s390_crypto.h | 23 +++++++++++++----------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
+index 6252dde..a6ff27b 100644
+--- a/src/include/s390_aes.h
++++ b/src/include/s390_aes.h
+@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
+ 
+ 	memset(&parm_block.keys, 0, key_size);
+ 
+-	if (rc >= 0) {
++	if (rc == 0) {
+ 		memcpy(xts_parm, parm_block.xts_parameter,
+ 		       sizeof(ica_aes_vector_t));
+ 		return 0;
+diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
+index 76b9cca..f19c069 100644
+--- a/src/include/s390_cmac.h
++++ b/src/include/s390_cmac.h
+@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
+ 		/* calculate final block (last/full) */
+ 		rc = s390_pcc(fc, pb_lookup.base);
+ 		memset(pb_lookup.keys, 0, key_size);
+-		if (rc < 0)
++		if (rc != 0)
+ 			return EIO;
+ 
+ 		_stats_increment(fc, ALGO_HW, ENCRYPT);
+diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
+index f34241f..f11eacb 100644
+--- a/src/include/s390_crypto.h
++++ b/src/include/s390_crypto.h
+@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
+ 
+ /**
+  * s390_pcc:
+- * @func: the function code passed to KM; see s390_pcc_functions
++ * @func: the function code passed to PCC; see s390_pcc_functions
+  * @param: address of parameter block; see POP for details on each func
+  *
+  * Executes the PCC operation of the CPU.
+  *
+- * Returns -1 for failure, 0 for the query func, number of processed
+- * bytes for encryption/decryption funcs
++ * Returns condition code of the PCC instruction
+  */
+ static inline int s390_pcc(unsigned long func, void *param)
+ {
+ 	register unsigned long r0 asm("0") = (unsigned long)func;
+ 	register unsigned long r1 asm("1") = (unsigned long)param;
++	char cc;
+ 
+-	asm volatile (
+-		"0:	.long	%[opc] << 16\n"
+-		"	brc	1,0b\n"
+-		:
+-		: [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+-		: "cc", "memory");
++	asm volatile(
++		"0:     .insn   rre,%[opc] << 16,0,0\n" /* PCC opcode */
++		"       brc     1,0b\n" /* handle partial completion */
++		"       ipm     %[cc]\n"
++		"       srl     %[cc],28\n"
++		: [cc] "=d" (cc)
++		: [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
++		: "cc", "memory"
++	);
+ 
+-	return 0;
++	return cc;
+ }
+ 
+ /**
+-- 
+2.45.1
+

libica.spec

@@ -2,8 +2,8 @@
 
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.2.2
+Version: 4.3.0
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -11,9 +11,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2223698
+# post GA fixes
-# https://github.com/opencryptoki/libica/commit/f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1
+Patch1: %{name}-%{version}-fixes.patch
-Patch1: %{name}-4.2.2-icastats-summary.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@@ -110,6 +109,15 @@ fi
 
 
 %changelog
+* Mon May 27 2024 Dan Horák <dhorak@redhat.com> - 4.3.0-1
+- updated to 4.3.0 (RHEL-23703)
+- Resolves: RHEL-23703
+
+* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
+- updated to 4.2.3 (RHEL-11415)
+- fix selfcheck in FIPS mode (RHEL-9918)
+- Resolves: RHEL-11415 RHEL-9918
+
 * Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
 - icastats: Fix summary option (#2223698)
 - Resolves: #2223698

sources

@@ -1 +1 @@
-SHA512 (libica-4.2.2.tar.gz) = 29dfe7b68017135867ebae162c2e0584711036b35611efe255c372497cfe69234ff8a7e9aa669ac467853423b7d700e690dd7cd340ab7c8d6119ea13729ff079
+SHA512 (libica-4.3.0.tar.gz) = 0952e0c7005756faf90cccf824cf5d3c22a45076008edb0622030ca148dbacb8752e6ece5b22b06b877ca7038ecca3e1c26ab66bc19328ed36784320ec27071d