Compare commits

..

No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

8 changed files with 1738 additions and 313 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libica-4.3.0.tar.gz
SOURCES/libica-4.2.3.tar.gz

View File

@ -1 +0,0 @@
e7f7a7f714c793496294a5f865ad23d4c48866f9 SOURCES/libica-4.3.0.tar.gz

View File

@ -1,83 +0,0 @@
From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
Date: Tue, 25 Sep 2018 13:44:32 +0200
Subject: [libica PATCH] add build note to assembler sources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When distros use the annobin compiler plugin [1], they have complete overview
what compiler flags were used for compilation and they are able to perform
security checks on the produced binaries. Compiling assembler source can't
provide this kind of information by default, so we need the explicit
-Wa,--generate-missing-build-notes=yes option during build. When the option is
missing, then the annocheck tool reports "GAPS" in the resulting binary.
binutils >= 2.31 or older with backport is needed
[1] https://fedoraproject.org/wiki/Changes/Annobin
Signed-off-by: Dan Horák <dan@danny.cz>
---
configure.ac | 4 ++++
libica.spec | 2 +-
src/Makefile.am | 4 ++--
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 958371c..b8d0e42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2"
fi
+# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed
+AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"])
+
# restore cmdline flags (ignore PROG_AS/PROG_CC defaults)
CFLAGS="$cmdline_CFLAGS"
CCASFLAGS="$cmdline_CFLAGS"
AC_SUBST([FLAGS], $FLAGS)
AC_SUBST([LIBS], $LIBS)
+AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS)
AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile])
AC_OUTPUT
diff --git a/libica.spec b/libica.spec
index d71890a..e51430e 100644
--- a/libica.spec
+++ b/libica.spec
@@ -9,7 +9,7 @@ URL: https://github.com/opencryptoki/libica
Source0: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: autoconf automake libtool openssl-devel
+BuildRequires: autoconf automake libtool openssl-devel autoconf-archive
%description
Interface library on Linux for IBM System z to utilize CPACF
diff --git a/src/Makefile.am b/src/Makefile.am
index c630048..1b5ec71 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \
include/rng.h
libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
-libica_la_CCASFLAGS = ${AM_CFLAGS}
+libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
libica_la_LIBADD = ${LIBS_common}
libica_la_LDFLAGS = ${LDFLAGS_common}
libica_la_SOURCES = ${SOURCES_common}
libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\"
-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
+libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
libica_cex_la_LIBADD = ${LIBS_common}
libica_cex_la_LDFLAGS = ${LDFLAGS_common}
libica_cex_la_SOURCES = ${SOURCES_common}
--
2.31.1

View File

@ -0,0 +1,19 @@
diff -up libica-4.0.1/src/Makefile.am.orig libica-4.0.1/src/Makefile.am
--- libica-4.0.1/src/Makefile.am.orig 2022-03-22 13:13:36.186395805 +0100
+++ libica-4.0.1/src/Makefile.am 2022-03-22 13:13:55.224076905 +0100
@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icasta
include/rng.h
libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
-libica_la_CCASFLAGS = ${AM_CFLAGS}
+libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
libica_la_LIBADD = ${LIBS_common}
libica_la_LDFLAGS = ${LDFLAGS_common}
libica_la_SOURCES = ${SOURCES_common}
libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\"
-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
+libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
libica_cex_la_LIBADD = ${LIBS_common}
libica_cex_la_LDFLAGS = ${LDFLAGS_common}
libica_cex_la_SOURCES = ${SOURCES_common}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,35 @@
From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue, 10 Oct 2023 14:10:22 +0200
Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
Before calling any openssl EVP function, libica's own openssl lib ctx
must be made the current one. This was missing in compute_file_hmac.
Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index f09dc77..3bbc325 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
void *fdata = NULL;
struct stat fdata_stat;
+ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
+
pkey = get_pkey();
if (!pkey)
goto end;
@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
EVP_MD_CTX_destroy(mdctx);
OPENSSL_cleanse(tmp, sizeof(tmp));
+ END_OPENSSL_LIBCTX(rc);
return rc;
}

View File

@ -1,130 +0,0 @@
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
From: Holger Dengler <dengler@linux.ibm.com>
Date: Tue, 16 Apr 2024 14:18:23 +0200
Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
testcases use OpenSSL as helper and fallback, so disable the CEX
acceleration for all tests.
If the environment variable is already set, use it as is without
modifying it. In this case, it is up to the user to choose the right
settings.
Fixes: Issue #126
Link: https://github.com/opencryptoki/libica/issues/126
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
test/Makefile.am | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/Makefile.am b/test/Makefile.am
index 76d4f15..e56b256 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -61,10 +61,14 @@ TESTS += \
${top_builddir}/src/internal_tests/ec_internal_test
endif
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
TEST_EXTENSIONS = .sh .pl
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
PATH=${builddir}/../src/:$$PATH \
- LIBICA_TESTDATA=${srcdir}/testdata/;
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
--
2.45.1
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 24 Apr 2024 10:44:26 +0200
Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_aes.h | 2 +-
src/include/s390_cmac.h | 2 +-
src/include/s390_crypto.h | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 6252dde..a6ff27b 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
memset(&parm_block.keys, 0, key_size);
- if (rc >= 0) {
+ if (rc == 0) {
memcpy(xts_parm, parm_block.xts_parameter,
sizeof(ica_aes_vector_t));
return 0;
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
index 76b9cca..f19c069 100644
--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
/* calculate final block (last/full) */
rc = s390_pcc(fc, pb_lookup.base);
memset(pb_lookup.keys, 0, key_size);
- if (rc < 0)
+ if (rc != 0)
return EIO;
_stats_increment(fc, ALGO_HW, ENCRYPT);
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f34241f..f11eacb 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
/**
* s390_pcc:
- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
* @param: address of parameter block; see POP for details on each func
*
* Executes the PCC operation of the CPU.
*
- * Returns -1 for failure, 0 for the query func, number of processed
- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
*/
static inline int s390_pcc(unsigned long func, void *param)
{
register unsigned long r0 asm("0") = (unsigned long)func;
register unsigned long r1 asm("1") = (unsigned long)param;
+ char cc;
- asm volatile (
- "0: .long %[opc] << 16\n"
- " brc 1,0b\n"
- :
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
- : "cc", "memory");
+ asm volatile(
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " ipm %[cc]\n"
+ " srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+ : "cc", "memory"
+ );
- return 0;
+ return cc;
}
/**
--
2.45.1

View File

@ -1,28 +1,31 @@
%global with_fips 1
# workaround to keep ABI/soname stable at major version 3
%global fakeversion 3:99:1
Summary: Library for accessing ICA hardware crypto on IBM z Systems
Name: libica
Version: 4.3.0
Version: 4.2.3
Release: 1%{?dist}
License: CPL
Group: System Environment/Libraries
URL: https://github.com/opencryptoki/
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# annotate assembler source
# https://bugzilla.redhat.com/show_bug.cgi?id=1630582
# https://github.com/opencryptoki/libica/pull/24
Patch0: %{name}-4.0.0-annotate.patch
# post GA fixes
Patch1: %{name}-%{version}-fixes.patch
Patch0: %{name}-4.0.1-annotate.patch
# revert ABI to 3.x
# - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048
# - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2
Patch1: %{name}-4.1.1-revert-abi.patch
# https://issues.redhat.com/browse/RHEL-14892
# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
Patch2: %{name}-4.2.3-fips.patch
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: autoconf-archive
BuildRequires: perl(FindBin)
BuildRequires: perl(lib)
BuildRequires: make
ExclusiveArch: s390 s390x
%description
@ -32,6 +35,7 @@ IBM z Systems.
%package devel
Summary: Development tools for programs to access ICA hardware crypto on IBM z Systems
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: openssl-devel
@ -48,22 +52,17 @@ sh ./bootstrap.sh
%build
# FIPS openssl config is not needed on RHEL/Fedora
# https://bugzilla.redhat.com/show_bug.cgi?id=2084097
CPPFLAGS=-DNO_FIPS_CONFIG_LOAD
export CPPFLAGS
%configure --disable-static \
%if %{with_fips}
--enable-fips
%else
--disable-fips
%endif
%make_build
make %{?_smp_mflags} VERSION=%{fakeversion}
%install
%make_install
make install DESTDIR=$RPM_BUILD_ROOT VERSION=%{fakeversion}
rm %{buildroot}%{_libdir}/libica*.la
rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md}
@ -75,12 +74,17 @@ if [ -c /dev/hwrng -o -c /dev/prandom ]; then
make check
fi
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%if %{with_fips}
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
make fipsinstall DESTDIR=%{buildroot}
make fipsinstall DESTDIR=%{buildroot} VERSION=%{fakeversion}
%{nil}
%endif
@ -90,9 +94,6 @@ fi
%{_bindir}/icainfo-cex
%{_bindir}/icastats
%if %{with_fips}
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
%exclude %{_sysconfdir}/libica/openssl3-fips.cnf
%endif
%{_libdir}/.libica.*.hmac
%{_libdir}/.libica-cex.*.hmac
%endif
@ -109,102 +110,68 @@ fi
%changelog
* Mon May 27 2024 Dan Horák <dhorak@redhat.com> - 4.3.0-1
- updated to 4.3.0 (RHEL-23703)
- Resolves: RHEL-23703
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
- updated to 4.2.3 (RHEL-11415)
- fix selfcheck in FIPS mode (RHEL-9918)
- Resolves: RHEL-11415 RHEL-9918
- updated to 4.2.3 (RHEL-11411)
- fix selfcheck in FIPS mode (RHEL-14892)
- Resolves: RHEL-11411 RHEL-14892
* Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
- icastats: Fix summary option (#2223698)
- Resolves: #2223698
- icastats: Fix summary option (#2223697)
- Resolves: #2223697
* Fri May 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-1
- updated to 4.2.2 (#2160060)
- FIPS 140-3 compliance (#2160106)
- Resolves: #2160060 #2160106
* Wed May 24 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-1
- updated to 4.2.2 (#2159718)
- FIPS 140-3 compliance (#2159748)
- Resolves: #2159718 #2159748
* Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2
- fix permissions for shared memory segments (#2167364)
- Resolves: #2167364
- fix permissions for shared memory segments (#2167363)
- Resolves: #2167363
* Mon Oct 24 2022 Dan Horák <dhorak@redhat.com> - 4.1.1-1
- updated to 4.1.1 (#2110374)
- Resolves: #2110374
* Tue Oct 25 2022 Dan Horák <dhorak@redhat.com> - 4.1.1-1
- updated to 4.1.1 (#2110375)
- Resolves: #2110375
* Thu Jun 30 2022 Dan Horák <dhorak@redhat.com> - 4.0.2-1
- updated to 4.0.2 (#2101767)
- Resolves: #2101767
- updated to 4.0.2 (#2101766)
- Resolves: #2101766
* Mon May 16 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-2
- fix running in FIPS mode (#2084097)
- Resolves: #2084097
* Tue Mar 22 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
- updated to 4.0.1 (#2043843)
- Resolves: #2043843 #2043904
* Thu May 12 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
- updated to 4.0.1 (#2044178)
- Resolves: #2044178 #2044174
* Tue Feb 08 2022 Dan Horák <dhorak@redhat.com> - 3.9.0-1
- updated to 3.9.0 (#1984972)
- Resolves: #1984972
* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
- updated to 4.0.0 (#2040237)
- Resolves: #2040237
* Thu Jul 08 2021 Dan Horák <dhorak@redhat.com> - 3.8.0-1
- updated to 3.8.0 (#1919224)
- make software fallback call to openSSL/libcrypto (#1922205)
- Resolves: #1919224 #1922205
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.8.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 3.8.0-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
- updated to 3.8.0 (#1869532)
- eliminate SW fallback functions (#1924119)
- updated for OpenSSL 3.0 (#1952946)
- disable FIPS support (broken)
- Resolves: #1869532 #1924119 #1952946
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.0-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-3
- Use make macros (taken from PR#1 by <tstellar at redhat.com>)
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jul 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-2
* Mon Jul 20 2020 Dan Horák <dhorak@redhat.com> - 3.7.0-2
- fix FIPS integrity validation (#1857130)
- Resolves: #1857130
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-1
- updated to 3.7.0
* Thu May 21 2020 Dan Horák <dhorak@redhat.com> - 3.7.0-1
- updated to 3.7.0 (#1780299)
- Resolves: #1780299
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Dan Horák <dhorak@redhat.com> - 3.6.1-2
- fix overflow in icastats counters (#1789052)
- Resolves: #1789052
* Tue Nov 26 2019 Dan Horák <dan[at]danny.cz> - 3.6.1-1
- updated to 3.6.1
* Tue Nov 26 2019 Dan Horák <dhorak@redhat.com> - 3.6.1-1
- updated to 3.6.1 (#1772402)
- Resolves: #1772402
* Mon Sep 02 2019 Dan Horák <dan[at]danny.cz> - 3.6.0-1
- updated to 3.6.0
* Tue Nov 05 2019 Dan Horák <dhorak@redhat.com> - 3.6.0-1
- updated to 3.6.0 (#1726244)
- Resolves: #1726244, #1723862
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Apr 24 2019 Dan Horák <dan[at]danny.cz> - 3.5.0-1
- updated to 3.5.0
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Nov 16 2018 Dan Horák <dan[at]danny.cz> - 3.4.0-1
- updated to 3.4.0
* Wed Apr 24 2019 Dan Horák <dhorak@redhat.com> - 3.5.0-1
- updated to 3.5.0 (#1666621)
- Resolves: #1666621, #1659428, #1673054
* Fri Sep 21 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-4
- annotate assembler file (#1630582)