Compare commits

...

2 Commits

Author SHA1 Message Date
Dan Horák
270004b6c0 - updated to 4.3.0 (RHEL-23703) 2024-06-05 02:55:22 +00:00
Dan Horák
d3bac2d3f3 - updated to 4.2.3 (RHEL-11415)
- fix selfcheck in FIPS mode (RHEL-9918)
- Resolves: RHEL-11415 RHEL-9918
2023-10-27 11:36:44 +02:00
5 changed files with 145 additions and 237 deletions

1
.libica.metadata Normal file
View File

@ -0,0 +1 @@
e7f7a7f714c793496294a5f865ad23d4c48866f9 libica-4.3.0.tar.gz

View File

@ -1,231 +0,0 @@
From f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 18 Jul 2023 09:21:54 +0200
Subject: [libica PATCH] icastats: Fix summary option to display correct
summary information
The '--summary' option of icastats did not display correct statistics since
the introduction of per key keysize counters with libica version 4.0.0.
To display the correct summary counters, the all-key-size-counter values of an
algorithm that supports multiple key sizes must be calculated like it is done
in get_stats_data(). Adjust get_stats_data() function and friends so that it
now also can be called from get_stats_sum() and can optionally operate on a
specified statistics segment (i.e. the one where the summary statistics have
been calculated in), not just the global one.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/icastats.c | 4 +-
src/icastats_shared.c | 102 +++++++++++++++++++++++------------------
src/include/icastats.h | 5 +-
3 files changed, 62 insertions(+), 49 deletions(-)
diff --git a/src/icastats.c b/src/icastats.c
index e98617f..07b0d50 100644
--- a/src/icastats.c
+++ b/src/icastats.c
@@ -302,7 +302,7 @@ int main(int argc, char *argv[])
perror("malloc: ");
return EXIT_FAILURE;
}
- get_stats_data(entries);
+ get_stats_data(NULL, entries);
if (json) {
print_stats_json(entries, usr);
} else {
@@ -358,7 +358,7 @@ int main(int argc, char *argv[])
perror("malloc: ");
return EXIT_FAILURE;
}
- get_stats_data(stats);
+ get_stats_data(NULL, stats);
if (json) {
pswd = getpwuid(user == -1 ? geteuid() : (uid_t)user);
if (pswd == NULL) {
diff --git a/src/icastats_shared.c b/src/icastats_shared.c
index 8290239..f8e8563 100644
--- a/src/icastats_shared.c
+++ b/src/icastats_shared.c
@@ -124,39 +124,46 @@ void stats_munmap(int user, int unlink)
* @direction - valid values are ENCRYPT and DECRYPT
*/
-uint64_t stats_query(stats_fields_t field, int hardware, int direction)
+uint64_t stats_query(stats_entry_t *source, stats_fields_t field,
+ int hardware, int direction)
{
- if (stats == NULL)
+ if (source == NULL)
+ source = stats;
+
+ if (source == NULL)
return 0;
if (direction == ENCRYPT)
if (hardware == ALGO_HW)
- return stats[field].enc.hw;
+ return source[field].enc.hw;
else
- return stats[field].enc.sw;
+ return source[field].enc.sw;
else
if (hardware == ALGO_HW)
- return stats[field].dec.hw;
+ return source[field].dec.hw;
else
- return stats[field].dec.sw;
+ return source[field].dec.sw;
}
-static uint64_t calc_summary(stats_fields_t start, unsigned int num,
+static uint64_t calc_summary(stats_entry_t *source,
+ stats_fields_t start, unsigned int num,
int hardware, int direction)
{
unsigned int i;
uint64_t sum = 0;
for (i = 0; i < num; i++)
- sum += stats_query(start + i, hardware, direction);
+ sum += stats_query(source, start + i, hardware, direction);
return sum;
}
/* Returns the statistic data in a stats_entry_t array
+ * @source - source of the statistics data. If NULL, then the global stats
+ * are used, which must have been mapped via stats_mmap() before.
* @entries - Needs to be a array of size ICA_NUM_STATS.
*/
-void get_stats_data(stats_entry_t *entries)
+void get_stats_data(stats_entry_t *source, stats_entry_t *entries)
{
unsigned int i;
for (i = 0; i < ICA_NUM_STATS; i++) {
@@ -168,58 +175,62 @@ void get_stats_data(stats_entry_t *entries)
case ICA_STATS_AES_CTR:
case ICA_STATS_AES_CMAC:
case ICA_STATS_AES_GCM:
- entries[i].enc.hw = calc_summary(i + 1, 3,
- ALGO_HW, ENCRYPT);
- entries[i].enc.sw = calc_summary(i + 1, 3,
- ALGO_SW, ENCRYPT);
- entries[i].dec.hw = calc_summary(i + 1, 3,
- ALGO_HW, DECRYPT);
- entries[i].dec.sw = calc_summary(i + 1, 3,
- ALGO_SW, DECRYPT);
+ entries[i].enc.hw = calc_summary(source, i + 1, 3,
+ ALGO_HW, ENCRYPT);
+ entries[i].enc.sw = calc_summary(source, i + 1, 3,
+ ALGO_SW, ENCRYPT);
+ entries[i].dec.hw = calc_summary(source, i + 1, 3,
+ ALGO_HW, DECRYPT);
+ entries[i].dec.sw = calc_summary(source, i + 1, 3,
+ ALGO_SW, DECRYPT);
break;
case ICA_STATS_AES_XTS:
- entries[i].enc.hw = calc_summary(i + 1, 2,
- ALGO_HW, ENCRYPT);
- entries[i].enc.sw = calc_summary(i + 1, 2,
- ALGO_SW, ENCRYPT);
- entries[i].dec.hw = calc_summary(i + 1, 2,
- ALGO_HW, DECRYPT);
- entries[i].dec.sw = calc_summary(i + 1, 2,
- ALGO_SW, DECRYPT);
+ entries[i].enc.hw = calc_summary(source, i + 1, 2,
+ ALGO_HW, ENCRYPT);
+ entries[i].enc.sw = calc_summary(source, i + 1, 2,
+ ALGO_SW, ENCRYPT);
+ entries[i].dec.hw = calc_summary(source, i + 1, 2,
+ ALGO_HW, DECRYPT);
+ entries[i].dec.sw = calc_summary(source, i + 1, 2,
+ ALGO_SW, DECRYPT);
break;
case ICA_STATS_RSA_ME:
case ICA_STATS_RSA_CRT:
- entries[i].enc.hw = calc_summary(i + 1, 4,
- ALGO_HW, ENCRYPT);
- entries[i].enc.sw = calc_summary(i + 1, 4,
- ALGO_SW, ENCRYPT);
- entries[i].dec.hw = calc_summary(i + 1, 4,
- ALGO_HW, DECRYPT);
- entries[i].dec.sw = calc_summary(i + 1, 4,
- ALGO_SW, DECRYPT);
+ entries[i].enc.hw = calc_summary(source, i + 1, 4,
+ ALGO_HW, ENCRYPT);
+ entries[i].enc.sw = calc_summary(source, i + 1, 4,
+ ALGO_SW, ENCRYPT);
+ entries[i].dec.hw = calc_summary(source, i + 1, 4,
+ ALGO_HW, DECRYPT);
+ entries[i].dec.sw = calc_summary(source, i + 1, 4,
+ ALGO_SW, DECRYPT);
break;
case ICA_STATS_ECDH:
case ICA_STATS_ECDSA_SIGN:
case ICA_STATS_ECDSA_VERIFY:
case ICA_STATS_ECKGEN:
- entries[i].enc.hw = calc_summary(i + 1, 8,
- ALGO_HW, ENCRYPT);
- entries[i].enc.sw = calc_summary(i + 1, 8,
- ALGO_SW, ENCRYPT);
- entries[i].dec.hw = calc_summary(i + 1, 8,
- ALGO_HW, DECRYPT);
- entries[i].dec.sw = calc_summary(i + 1, 8,
- ALGO_SW, DECRYPT);
+ entries[i].enc.hw = calc_summary(source, i + 1, 8,
+ ALGO_HW, ENCRYPT);
+ entries[i].enc.sw = calc_summary(source, i + 1, 8,
+ ALGO_SW, ENCRYPT);
+ entries[i].dec.hw = calc_summary(source, i + 1, 8,
+ ALGO_HW, DECRYPT);
+ entries[i].dec.sw = calc_summary(source, i + 1, 8,
+ ALGO_SW, DECRYPT);
break;
default:
- entries[i].enc.hw = stats_query(i, ALGO_HW, ENCRYPT);
- entries[i].enc.sw = stats_query(i, ALGO_SW, ENCRYPT);
- entries[i].dec.hw = stats_query(i, ALGO_HW, DECRYPT);
- entries[i].dec.sw = stats_query(i, ALGO_SW, DECRYPT);
+ entries[i].enc.hw = stats_query(source, i,
+ ALGO_HW, ENCRYPT);
+ entries[i].enc.sw = stats_query(source, i,
+ ALGO_SW, ENCRYPT);
+ entries[i].dec.hw = stats_query(source, i,
+ ALGO_HW, DECRYPT);
+ entries[i].dec.sw = stats_query(source, i,
+ ALGO_SW, DECRYPT);
break;
}
}
@@ -280,6 +291,7 @@ int get_stats_sum(stats_entry_t *sum)
}
}
closedir(shmDir);
+ get_stats_data(sum, sum);
return 1;
}
diff --git a/src/include/icastats.h b/src/include/icastats.h
index f1d70ba..136ac0f 100644
--- a/src/include/icastats.h
+++ b/src/include/icastats.h
@@ -286,8 +286,9 @@ typedef enum stats_fields {
int stats_mmap(int user);
void stats_munmap(int user, int unlink);
-uint64_t stats_query(stats_fields_t field, int hardware, int direction);
-void get_stats_data(stats_entry_t *entries);
+uint64_t stats_query(stats_entry_t *source, stats_fields_t field,
+ int hardware, int direction);
+void get_stats_data(stats_entry_t *source, stats_entry_t *entries);
void stats_increment(stats_fields_t field, int hardware, int direction);
int get_stats_sum(stats_entry_t *sum);
char *get_next_usr();
--
2.40.1

130
libica-4.3.0-fixes.patch Normal file
View File

@ -0,0 +1,130 @@
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
From: Holger Dengler <dengler@linux.ibm.com>
Date: Tue, 16 Apr 2024 14:18:23 +0200
Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
testcases use OpenSSL as helper and fallback, so disable the CEX
acceleration for all tests.
If the environment variable is already set, use it as is without
modifying it. In this case, it is up to the user to choose the right
settings.
Fixes: Issue #126
Link: https://github.com/opencryptoki/libica/issues/126
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
test/Makefile.am | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/Makefile.am b/test/Makefile.am
index 76d4f15..e56b256 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -61,10 +61,14 @@ TESTS += \
${top_builddir}/src/internal_tests/ec_internal_test
endif
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
TEST_EXTENSIONS = .sh .pl
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
PATH=${builddir}/../src/:$$PATH \
- LIBICA_TESTDATA=${srcdir}/testdata/;
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
--
2.45.1
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 24 Apr 2024 10:44:26 +0200
Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_aes.h | 2 +-
src/include/s390_cmac.h | 2 +-
src/include/s390_crypto.h | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 6252dde..a6ff27b 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
memset(&parm_block.keys, 0, key_size);
- if (rc >= 0) {
+ if (rc == 0) {
memcpy(xts_parm, parm_block.xts_parameter,
sizeof(ica_aes_vector_t));
return 0;
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
index 76b9cca..f19c069 100644
--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
/* calculate final block (last/full) */
rc = s390_pcc(fc, pb_lookup.base);
memset(pb_lookup.keys, 0, key_size);
- if (rc < 0)
+ if (rc != 0)
return EIO;
_stats_increment(fc, ALGO_HW, ENCRYPT);
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f34241f..f11eacb 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
/**
* s390_pcc:
- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
* @param: address of parameter block; see POP for details on each func
*
* Executes the PCC operation of the CPU.
*
- * Returns -1 for failure, 0 for the query func, number of processed
- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
*/
static inline int s390_pcc(unsigned long func, void *param)
{
register unsigned long r0 asm("0") = (unsigned long)func;
register unsigned long r1 asm("1") = (unsigned long)param;
+ char cc;
- asm volatile (
- "0: .long %[opc] << 16\n"
- " brc 1,0b\n"
- :
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
- : "cc", "memory");
+ asm volatile(
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " ipm %[cc]\n"
+ " srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+ : "cc", "memory"
+ );
- return 0;
+ return cc;
}
/**
--
2.45.1

View File

@ -2,8 +2,8 @@
Summary: Library for accessing ICA hardware crypto on IBM z Systems Summary: Library for accessing ICA hardware crypto on IBM z Systems
Name: libica Name: libica
Version: 4.2.2 Version: 4.3.0
Release: 2%{?dist} Release: 1%{?dist}
License: CPL License: CPL
URL: https://github.com/opencryptoki/ URL: https://github.com/opencryptoki/
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -11,9 +11,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
# https://bugzilla.redhat.com/show_bug.cgi?id=1630582 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
# https://github.com/opencryptoki/libica/pull/24 # https://github.com/opencryptoki/libica/pull/24
Patch0: %{name}-4.0.0-annotate.patch Patch0: %{name}-4.0.0-annotate.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2223698 # post GA fixes
# https://github.com/opencryptoki/libica/commit/f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 Patch1: %{name}-%{version}-fixes.patch
Patch1: %{name}-4.2.2-icastats-summary.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: openssl BuildRequires: openssl
@ -110,6 +109,15 @@ fi
%changelog %changelog
* Mon May 27 2024 Dan Horák <dhorak@redhat.com> - 4.3.0-1
- updated to 4.3.0 (RHEL-23703)
- Resolves: RHEL-23703
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
- updated to 4.2.3 (RHEL-11415)
- fix selfcheck in FIPS mode (RHEL-9918)
- Resolves: RHEL-11415 RHEL-9918
* Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2 * Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
- icastats: Fix summary option (#2223698) - icastats: Fix summary option (#2223698)
- Resolves: #2223698 - Resolves: #2223698

View File

@ -1 +1 @@
SHA512 (libica-4.2.2.tar.gz) = 29dfe7b68017135867ebae162c2e0584711036b35611efe255c372497cfe69234ff8a7e9aa669ac467853423b7d700e690dd7cd340ab7c8d6119ea13729ff079 SHA512 (libica-4.3.0.tar.gz) = 0952e0c7005756faf90cccf824cf5d3c22a45076008edb0622030ca148dbacb8752e6ece5b22b06b877ca7038ecca3e1c26ab66bc19328ed36784320ec27071d