Compare commits

..

2 Commits

Author SHA1 Message Date
Dan Horák
270004b6c0 - updated to 4.3.0 (RHEL-23703) 2024-06-05 02:55:22 +00:00
Dan Horák
d3bac2d3f3 - updated to 4.2.3 (RHEL-11415)
- fix selfcheck in FIPS mode (RHEL-9918)
- Resolves: RHEL-11415 RHEL-9918
2023-10-27 11:36:44 +02:00
5 changed files with 139 additions and 41 deletions

View File

@ -1 +1 @@
2fdb8eaa8985f05aea287b9d6547bb5169863ae4 libica-4.2.3.tar.gz
e7f7a7f714c793496294a5f865ad23d4c48866f9 libica-4.3.0.tar.gz

View File

@ -1,35 +0,0 @@
From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue, 10 Oct 2023 14:10:22 +0200
Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
Before calling any openssl EVP function, libica's own openssl lib ctx
must be made the current one. This was missing in compute_file_hmac.
Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index f09dc77..3bbc325 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
void *fdata = NULL;
struct stat fdata_stat;
+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
+
pkey = get_pkey();
if (!pkey)
goto end;
@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
EVP_MD_CTX_destroy(mdctx);
OPENSSL_cleanse(tmp, sizeof(tmp));
+ END_OPENSSL_LIBCTX(rc);
return rc;
}

130
libica-4.3.0-fixes.patch Normal file
View File

@ -0,0 +1,130 @@
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
From: Holger Dengler <dengler@linux.ibm.com>
Date: Tue, 16 Apr 2024 14:18:23 +0200
Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
testcases use OpenSSL as helper and fallback, so disable the CEX
acceleration for all tests.
If the environment variable is already set, use it as is without
modifying it. In this case, it is up to the user to choose the right
settings.
Fixes: Issue #126
Link: https://github.com/opencryptoki/libica/issues/126
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
test/Makefile.am | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/Makefile.am b/test/Makefile.am
index 76d4f15..e56b256 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -61,10 +61,14 @@ TESTS += \
${top_builddir}/src/internal_tests/ec_internal_test
endif
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
TEST_EXTENSIONS = .sh .pl
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
PATH=${builddir}/../src/:$$PATH \
- LIBICA_TESTDATA=${srcdir}/testdata/;
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
--
2.45.1
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 24 Apr 2024 10:44:26 +0200
Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_aes.h | 2 +-
src/include/s390_cmac.h | 2 +-
src/include/s390_crypto.h | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 6252dde..a6ff27b 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
memset(&parm_block.keys, 0, key_size);
- if (rc >= 0) {
+ if (rc == 0) {
memcpy(xts_parm, parm_block.xts_parameter,
sizeof(ica_aes_vector_t));
return 0;
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
index 76b9cca..f19c069 100644
--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
/* calculate final block (last/full) */
rc = s390_pcc(fc, pb_lookup.base);
memset(pb_lookup.keys, 0, key_size);
- if (rc < 0)
+ if (rc != 0)
return EIO;
_stats_increment(fc, ALGO_HW, ENCRYPT);
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f34241f..f11eacb 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
/**
* s390_pcc:
- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
* @param: address of parameter block; see POP for details on each func
*
* Executes the PCC operation of the CPU.
*
- * Returns -1 for failure, 0 for the query func, number of processed
- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
*/
static inline int s390_pcc(unsigned long func, void *param)
{
register unsigned long r0 asm("0") = (unsigned long)func;
register unsigned long r1 asm("1") = (unsigned long)param;
+ char cc;
- asm volatile (
- "0: .long %[opc] << 16\n"
- " brc 1,0b\n"
- :
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
- : "cc", "memory");
+ asm volatile(
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " ipm %[cc]\n"
+ " srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+ : "cc", "memory"
+ );
- return 0;
+ return cc;
}
/**
--
2.45.1

View File

@ -2,7 +2,7 @@
Summary: Library for accessing ICA hardware crypto on IBM z Systems
Name: libica
Version: 4.2.3
Version: 4.3.0
Release: 1%{?dist}
License: CPL
URL: https://github.com/opencryptoki/
@ -11,9 +11,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
# https://bugzilla.redhat.com/show_bug.cgi?id=1630582
# https://github.com/opencryptoki/libica/pull/24
Patch0: %{name}-4.0.0-annotate.patch
# https://issues.redhat.com/browse/RHEL-9918
# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
Patch1: %{name}-4.2.3-fips.patch
# post GA fixes
Patch1: %{name}-%{version}-fixes.patch
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: openssl
@ -110,6 +109,10 @@ fi
%changelog
* Mon May 27 2024 Dan Horák <dhorak@redhat.com> - 4.3.0-1
- updated to 4.3.0 (RHEL-23703)
- Resolves: RHEL-23703
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
- updated to 4.2.3 (RHEL-11415)
- fix selfcheck in FIPS mode (RHEL-9918)

View File

@ -1 +1 @@
SHA512 (libica-4.2.3.tar.gz) = c370151bfddf58f397932b294394e50db3f6c61a2114315ba3176b8aaeb34253561192c717ca01185371715e9f008fa0ceee8e7ffc559377a51a67f4d47ae035
SHA512 (libica-4.3.0.tar.gz) = 0952e0c7005756faf90cccf824cf5d3c22a45076008edb0622030ca148dbacb8752e6ece5b22b06b877ca7038ecca3e1c26ab66bc19328ed36784320ec27071d