Compare commits


No commits in common. 'cs10' and 'c9' have entirely different histories.
cs10 ... c9

2
.gitignore vendored

@ -1 +1 @@
SOURCES/libica-4.3.0.tar.gz
SOURCES/libica-4.1.1.tar.gz

@ -1 +1 @@
e7f7a7f714c793496294a5f865ad23d4c48866f9 SOURCES/libica-4.3.0.tar.gz
a826ac86ded4ed96804fe19634b02838ab78ac86 SOURCES/libica-4.1.1.tar.gz

@ -0,0 +1,35 @@
From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 1 Feb 2023 10:54:33 +0100
Subject: [libica PATCH] bugfix: permission denied on shared memory segments
A change to the Linux kernel in 4.19 for added security is
changing the behavior when opening shared memory segments.
The O_CREAT flag must not be used for existing segments.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/icastats_shared.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/icastats_shared.c b/src/icastats_shared.c
index bbc8d0e..8290239 100644
--- a/src/icastats_shared.c
+++ b/src/icastats_shared.c
@@ -54,9 +54,10 @@ int stats_mmap(int user)
sprintf(shm_id, "icastats_%d",
user == -1 ? geteuid() : (uid_t)user);
- stats_shm_handle = shm_open(shm_id,
- O_CREAT | O_RDWR,
- S_IRUSR | S_IWUSR);
+ stats_shm_handle = shm_open(shm_id, O_RDWR, S_IRUSR | S_IWUSR);
+
+ if (stats_shm_handle == -1)
+ stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
if (stats_shm_handle == -1)
return rc;
--
2.39.1
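Review bot: The fallback `shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR)` runs after any failure of the first open, not only when the segment is missing; guarding it with `if (stats_shm_handle == -1 && errno == ENOENT)` would keep a permission error from being retried and masked. The segment name is predictable (`icastats_<uid>`) and the first call now accepts an existing object as it is, so the handle should be checked with `fstat()` for the expected owner uid and mode before it is mapped. Whether stats_mmap already does this further down is not visible, because the function starts and ends outside the hunk. On the context line, `sprintf(shm_id, "icastats_%d", ...)` formats a `uid_t` with `%d`; `snprintf` bounded by the buffer size, with `%u` and a cast to `unsigned`, would be the safer form.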

@ -1,130 +0,0 @@
From 49d619ea05743a3df6b9bf8160aaa0b4306118db Mon Sep 17 00:00:00 2001
From: Holger Dengler <dengler@linux.ibm.com>
Date: Tue, 16 Apr 2024 14:18:23 +0200
Subject: [PATCH 1/2] test: disable CEX usage in OpenSSL for all tests
OpenSSL supports CEX exploitation since version v3.2.x. Libica and its
testcases use OpenSSL as helper and fallback, so disable the CEX
acceleration for all tests.
If the environment variable is already set, use it as is without
modifying it. In this case, it is up to the user to choose the right
settings.
Fixes: Issue #126
Link: https://github.com/opencryptoki/libica/issues/126
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
test/Makefile.am | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/Makefile.am b/test/Makefile.am
index 76d4f15..e56b256 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -61,10 +61,14 @@ TESTS += \
${top_builddir}/src/internal_tests/ec_internal_test
endif
+# disable OpenSSL CEX usage for all tests
+OPENSSL_s390xcap ?= nocex
+
TEST_EXTENSIONS = .sh .pl
TESTS_ENVIRONMENT = export LD_LIBRARY_PATH=${builddir}/../src/.libs/:$$LD_LIBRARY_PATH \
PATH=${builddir}/../src/:$$PATH \
- LIBICA_TESTDATA=${srcdir}/testdata/;
+ LIBICA_TESTDATA=${srcdir}/testdata/ \
+ OPENSSL_s390xcap=${OPENSSL_s390xcap};
AM_CFLAGS = @FLAGS@ -DNO_SW_FALLBACKS -I${srcdir}/../include/ -I${srcdir}/../src/include/
LDADD = @LIBS@ ${top_builddir}/src/.libs/libica.so -lcrypto -lpthread
--
2.45.1
From d3a7542e7eb45c22066ecb1be62480dde41fd544 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 24 Apr 2024 10:44:26 +0200
Subject: [PATCH 2/2] Bugfix: correct rc handling with s390_pcc function
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/include/s390_aes.h | 2 +-
src/include/s390_cmac.h | 2 +-
src/include/s390_crypto.h | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 6252dde..a6ff27b 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -674,7 +674,7 @@ static inline int s390_aes_xts_parm(unsigned long function_code,
memset(&parm_block.keys, 0, key_size);
- if (rc >= 0) {
+ if (rc == 0) {
memcpy(xts_parm, parm_block.xts_parameter,
sizeof(ica_aes_vector_t));
return 0;
diff --git a/src/include/s390_cmac.h b/src/include/s390_cmac.h
index 76b9cca..f19c069 100644
--- a/src/include/s390_cmac.h
+++ b/src/include/s390_cmac.h
@@ -161,7 +161,7 @@ static inline int s390_cmac_hw(unsigned long fc,
/* calculate final block (last/full) */
rc = s390_pcc(fc, pb_lookup.base);
memset(pb_lookup.keys, 0, key_size);
- if (rc < 0)
+ if (rc != 0)
return EIO;
_stats_increment(fc, ALGO_HW, ENCRYPT);
diff --git a/src/include/s390_crypto.h b/src/include/s390_crypto.h
index f34241f..f11eacb 100644
--- a/src/include/s390_crypto.h
+++ b/src/include/s390_crypto.h
@@ -244,27 +244,30 @@ void s390_crypto_switches_init(void);
/**
* s390_pcc:
- * @func: the function code passed to KM; see s390_pcc_functions
+ * @func: the function code passed to PCC; see s390_pcc_functions
* @param: address of parameter block; see POP for details on each func
*
* Executes the PCC operation of the CPU.
*
- * Returns -1 for failure, 0 for the query func, number of processed
- * bytes for encryption/decryption funcs
+ * Returns condition code of the PCC instruction
*/
static inline int s390_pcc(unsigned long func, void *param)
{
register unsigned long r0 asm("0") = (unsigned long)func;
register unsigned long r1 asm("1") = (unsigned long)param;
+ char cc;
- asm volatile (
- "0: .long %[opc] << 16\n"
- " brc 1,0b\n"
- :
- : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
- : "cc", "memory");
+ asm volatile(
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " ipm %[cc]\n"
+ " srl %[cc],28\n"
+ : [cc] "=d" (cc)
+ : [func] "d" (r0), [param] "a" (r1), [opc] "i" (0xb92c)
+ : "cc", "memory"
+ );
- return 0;
+ return cc;
}
/**
--
2.45.1

@ -2,17 +2,18 @@
Summary: Library for accessing ICA hardware crypto on IBM z Systems
Name: libica
Version: 4.3.0
Release: 3%{?dist}
License: CPL-1.0
Version: 4.1.1
Release: 2%{?dist}
License: CPL
URL: https://github.com/opencryptoki/
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# annotate assembler source
# https://bugzilla.redhat.com/show_bug.cgi?id=1630582
# https://github.com/opencryptoki/libica/pull/24
Patch0: %{name}-4.0.0-annotate.patch
# post GA fixes
Patch1: %{name}-%{version}-fixes.patch
# fix permissions for shared memory segments
# https://bugzilla.redhat.com/show_bug.cgi?id=2167364
Patch1: %{name}-4.1.1-shmem.patch
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: openssl
@ -52,6 +53,7 @@ sh ./bootstrap.sh
# https://bugzilla.redhat.com/show_bug.cgi?id=2084097
CPPFLAGS=-DNO_FIPS_CONFIG_LOAD
export CPPFLAGS
%configure --disable-static \
%if %{with_fips}
--enable-fips
@ -90,7 +92,6 @@ fi
%{_bindir}/icastats
%if %{with_fips}
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
# openssl 3.0 is available since Fedora 36 and RHEL 9
%exclude %{_sysconfdir}/libica/openssl3-fips.cnf
%endif
%{_libdir}/.libica.*.hmac
@ -109,87 +110,47 @@ fi
%changelog
* Tue Jun 25 2024 Dan Horák <dan[at]danny.cz> - 4.3.0-3
- add post GA fixes
- Resolves: RHEL-24117
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.3.0-2
- Bump release for June 2024 mass rebuild
* Wed Jan 31 2024 Dan Horák <dan[at]danny.cz> - 4.3.0-1
- updated to 4.3.0
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Oct 27 2023 Dan Horák <dan[at]danny.cz> - 4.2.3-2
- fix selfcheck in FIPS mode (RHEL-9918)
* Thu Sep 21 2023 Dan Horák <dan[at]danny.cz> - 4.2.3-1
- updated to 4.2.3
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri May 19 2023 Dan Horák <dan[at]danny.cz> - 4.2.2-1
- updated to 4.2.2
* Mon Feb 06 2023 Dan Horák <dan[at]danny.cz> - 4.2.1-1
- updated to 4.2.1
* Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2
- fix permissions for shared memory segments (#2167364)
- Resolves: #2167364
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Oct 24 2022 Dan Horák <dhorak@redhat.com> - 4.1.1-1
- updated to 4.1.1 (#2110374)
- Resolves: #2110374
* Thu Dec 15 2022 Dan Horák <dan[at]danny.cz> - 4.2.0-1
- updated to 4.2.0
* Thu Jun 30 2022 Dan Horák <dhorak@redhat.com> - 4.0.2-1
- updated to 4.0.2 (#2101767)
- Resolves: #2101767
* Tue Oct 11 2022 Dan Horák <dan[at]danny.cz> - 4.1.1-1
- updated to 4.1.1
* Mon May 16 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-2
- fix running in FIPS mode (#2084097)
- Resolves: #2084097
* Fri Sep 30 2022 Dan Horák <dan[at]danny.cz> - 4.1.0-1
- updated to 4.1.0
* Thu May 12 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
- updated to 4.0.1 (#2044178)
- Resolves: #2044178 #2044174
* Tue Aug 16 2022 Dan Horák <dan[at]danny.cz> - 4.0.3-1
- updated to 4.0.3
* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
- updated to 4.0.0 (#2040237)
- Resolves: #2040237
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.8.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Jun 24 2022 Dan Horák <dan[at]danny.cz> - 4.0.2-1
- updated to 4.0.2
* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 3.8.0-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Mon May 16 2022 Dan Horák <dan[at]danny.cz> - 4.0.1-2
- FIPS specific openssl config is not required in RHEL/Fedora
* Tue Feb 08 2022 Dan Horák <dan[at]danny.cz> - 4.0.1-1
- updated to 4.0.1
* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-3
- post GA fixes
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 13 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
- updated to 4.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 02 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-4
- re-enable FIPS support
* Mon May 31 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-3
* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
- updated to 3.8.0 (#1869532)
- eliminate SW fallback functions (#1924119)
- updated for OpenSSL 3.0 (#1952946)
- disable FIPS support (broken)
- Resolves: #1869532 #1924119 #1952946
* Mon May 24 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-2
- conditionalize FIPS support
* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
- updated to 3.8.0
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.0-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
