- updated to 4.3.0 (RHEL-23703)

- updated to 4.2.3 (RHEL-11415)
- fix selfcheck in FIPS mode (RHEL-9918) - Resolves: RHEL-11415 RHEL-9918
2024-06-05 02:55:22 +00:00 · 2023-10-27 11:36:44 +02:00
5 changed files with 139 additions and 41 deletions
--- a/.libica.metadata
+++ b/.libica.metadata
@ -1 +1 @@
-2fdb8eaa8985f05aea287b9d6547bb5169863ae4 libica-4.2.3.tar.gz
+e7f7a7f714c793496294a5f865ad23d4c48866f9 libica-4.3.0.tar.gz
--- a/libica-4.2.3-fips.patch
+++ b/libica-4.2.3-fips.patch
@ -1,35 +0,0 @@
-From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Tue, 10 Oct 2023 14:10:22 +0200
-Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
-
-Before calling any openssl EVP function, libica's own openssl lib ctx
-must be made the current one. This was missing in compute_file_hmac.
-
-Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
- src/fips.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/fips.c b/src/fips.c
-index f09dc77..3bbc325 100644
--- a/src/fips.c
-+++ b/src/fips.c
-@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
- 	void *fdata = NULL;
- 	struct stat fdata_stat;
- 
-+	BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
-+
- 	pkey = get_pkey();
- 	if (!pkey)
- 		goto end;
-@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
- 		EVP_MD_CTX_destroy(mdctx);
- 
- 	OPENSSL_cleanse(tmp, sizeof(tmp));
-+	END_OPENSSL_LIBCTX(rc);
- 
- 	return rc;
- }
--- a/libica-4.3.0-fixes.patch
+++ b/libica-4.3.0-fixes.patch
@ -0,0 +1,130 @@
+From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
+From: Holger Dengler <dengler@linux.ibm.com>
+Date: Tue, 16 Apr 2024 14:18:23 +0200
+Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests
+
+OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
+testcases use OpenSSL as helper and fallback, so disable the CEX
+acceleration for all tests.
+
+If the environment variable is already set, use it as is without
+modifying it. In this case, it is up to the user to choose the right
+settings.
+
+Fixes: Issue #126
+Link: https://github.com/opencryptoki/libica/issues/126
+Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+---
+ test/Makefile.am | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/test/Makefile.am b/test/Makefile.am
+index 76d4f15..e56b256 100644
+--- a/test/Makefile.am
+++ b/test/Makefile.am
+@@ -61,10 +61,14 @@ TESTS += \
+ ${top_builddir}/src/internal_tests/ec_internal_test
+ endif
+ 
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
+ TEST_EXTENSIONS = .sh .pl
+ TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
+ 			   PATH=${builddir}/../src/:$$PATH \
+-			   LIBICA_TESTDATA=${srcdir}/testdata/;
+			   LIBICA_TESTDATA=${srcdir}/testdata/ \
+			   OPENSSL_s390xcap=${OPENSSL_s390xcap};
+ AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
+ LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
+ 
+-- 
+2.45.1
+
+
+From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 24 Apr 2024 10:44:26 +0200
+Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/include/s390_aes.h    |  2 +-
+ src/include/s390_cmac.h   |  2 +-
+ src/include/s390_crypto.h | 23 +++++++++++++----------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
+index 6252dde..a6ff27b 100644
+--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
+@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
+ 
+ 	memset(&parm_block.keys, 0, key_size);
+ 
+-	if (rc >= 0) {
+	if (rc == 0) {
+ 		memcpy(xts_parm, parm_block.xts_parameter,
+ 		       sizeof(ica_aes_vector_t));
+ 		return 0;
+diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
+index 76b9cca..f19c069 100644
+--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
+@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
+ 		/* calculate final block (last/full) */
+ 		rc = s390_pcc(fc, pb_lookup.base);
+ 		memset(pb_lookup.keys, 0, key_size);
+-		if (rc < 0)
+		if (rc != 0)
+ 			return EIO;
+ 
+ 		_stats_increment(fc, ALGO_HW, ENCRYPT);
+diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
+index f34241f..f11eacb 100644
+--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
+@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
+ 
+ /**
+  * s390_pcc:
+- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
+  * @param: address of parameter block; see POP for details on each func
+  *
+  * Executes the PCC operation of the CPU.
+  *
+- * Returns -1 for failure, 0 for the query func, number of processed
+- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
+  */
+ static inline int s390_pcc(unsigned long func, void *param)
+ {
+ 	register unsigned long r0 asm("0") = (unsigned long)func;
+ 	register unsigned long r1 asm("1") = (unsigned long)param;
+	char cc;
+ 
+-	asm volatile (
+-		"0:	.long	%[opc] << 16\n"
+-		"	brc	1,0b\n"
+-		:
+-		: [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+-		: "cc", "memory");
+	asm volatile(
+		"0:     .insn   rre,%[opc] << 16,0,0\n" /* PCC opcode */
+		"       brc     1,0b\n" /* handle partial completion */
+		"       ipm     %[cc]\n"
+		"       srl     %[cc],28\n"
+		: [cc] "=d" (cc)
+		: [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+		: "cc", "memory"
+	);
+ 
+-	return 0;
+	return cc;
+ }
+ 
+ /**
+-- 
+2.45.1
+
--- a/libica.spec
+++ b/libica.spec
@ -2,7 +2,7 @@

 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.2.3
+Version: 4.3.0
 Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
@ -11,9 +11,8 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
-# https://issues.redhat.com/browse/RHEL-9918
-# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
-Patch1: %{name}-4.2.3-fips.patch
+# post GA fixes
+Patch1: %{name}-%{version}-fixes.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@ -110,6 +109,10 @@ fi


 %changelog
+* Mon May 27 2024 Dan Horák <dhorak@redhat.com> - 4.3.0-1
+- updated to 4.3.0 (RHEL-23703)
+- Resolves: RHEL-23703
+
 * Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
 - updated to 4.2.3 (RHEL-11415)
 - fix selfcheck in FIPS mode (RHEL-9918)
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libica-4.2.3.tar.gz) = c370151bfddf58f397932b294394e50db3f6c61a2114315ba3176b8aaeb34253561192c717ca01185371715e9f008fa0ceee8e7ffc559377a51a67f4d47ae035
+SHA512 (libica-4.3.0.tar.gz) = 0952e0c7005756faf90cccf824cf5d3c22a45076008edb0622030ca148dbacb8752e6ece5b22b06b877ca7038ecca3e1c26ab66bc19328ed36784320ec27071d
Author	SHA1	Message	Date
Dan Horák	270004b6c0	- updated to 4.3.0 (RHEL-23703)	2024-06-05 02:55:22 +00:00
Dan Horák	d3bac2d3f3	- updated to 4.2.3 (RHEL-11415) - fix selfcheck in FIPS mode (RHEL-9918) - Resolves: RHEL-11415 RHEL-9918	2023-10-27 11:36:44 +02:00