diff -Nru libica-3.7.0/ChangeLog libica-3.8.0/ChangeLog --- libica-3.7.0/ChangeLog 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/ChangeLog 2021-05-17 10:26:08.000000000 -0500 @@ -1,3 +1,8 @@ +v3.8.0 + - [FEATURE] provide libica-cex module to satisfy special security requirements + [FEATURE] FIPS: enforce the HMAC check + - [UPDATE] exploit autoselect domain support for ECC + - [UPDATE] FIPS: Add SHA3 kats to fips powerup tests v3.7.0 - [FEATURE] FIPS: Add HMAC based library integrity check - [PATCH] icainfo: bugfix for RSA and EC related info for software column. diff -Nru libica-3.7.0/configure.ac libica-3.8.0/configure.ac --- libica-3.7.0/configure.ac 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/configure.ac 2021-05-17 10:26:08.000000000 -0500 @@ -1,10 +1,11 @@ -AC_INIT([libica], [3.7.0], [https://github.com/opencryptoki/libica/issues],, [https://github.com/opencryptoki/libica]) +AC_INIT([libica], [3.8.0], [https://github.com/opencryptoki/libica/issues],, [https://github.com/opencryptoki/libica]) # save cmdline flags cmdline_CFLAGS="$CFLAGS" AC_USE_SYSTEM_EXTENSIONS AC_CONFIG_SRCDIR([src/ica_api.c]) +AC_CONFIG_MACRO_DIRS([m4]) AC_PROG_CC AC_PROG_CXX @@ -62,6 +63,12 @@ if test "x$enable_fips" = xyes; then FLAGS="$FLAGS -DICA_FIPS" AC_MSG_RESULT([*** Building libica-fips at user request ***]) + AC_CHECK_PROG([openssl_var],[openssl],[yes],[no]) + + if test "x$openssl_var" != xyes; then + AC_MSG_ERROR([Missing openssl binary application required for FIPS build]) + fi + fi dnl --- enable_sanitizer diff -Nru libica-3.7.0/debian/changelog libica-3.8.0/debian/changelog --- libica-3.7.0/debian/changelog 2020-06-18 07:47:58.000000000 -0500 +++ libica-3.8.0/debian/changelog 2021-08-05 16:48:40.000000000 -0500 @@ -1,3 +1,9 @@ +libica (3.8.0-0ubuntu1) impish; urgency=medium + + * New upstream release LP: #1928799 + + -- Matthieu Clemenceau Thu, 05 Aug 2021 16:48:40 -0500 + libica (3.7.0-0ubuntu1) groovy; urgency=medium * New upstream release LP: #1878650 diff -Nru libica-3.7.0/doc/icainfo-cex.1 libica-3.8.0/doc/icainfo-cex.1 --- libica-3.7.0/doc/icainfo-cex.1 1969-12-31 18:00:00.000000000 -0600 +++ libica-3.8.0/doc/icainfo-cex.1 2021-05-17 10:26:08.000000000 -0500 @@ -0,0 +1,68 @@ +.\" icainfo-cex man page source +.\" +.\" use +.\" groff -man -Tutf8 icainfo-cex.1 +.\" or +.\" nroff -man icainfo-cex.1 +.\" to process this source +.\" +.TH ICAINFO-CEX 1 2021-05-12 IBM "icainfo-cex user manual" +.SH NAME +icainfo-cex \- print information about cryptographic functions supported by libica-cex +.SH SYNOPSIS +.B icainfo-cex +[-v | --version] [-h | --help] +.SH DESCRIPTION +.B icainfo-cex +prints a table that shows libica-cex's support for various cryptographic +algorithms and information about FIPS support. + +The icainfo-cex output also indicates, whether it is in an error state. +Algorithms that are not FIPS approved are marked as blocked in both table +columns when running in FIPS mode. All algorithms are marked as blocked when +libica is in an error state. + +Available hardware support is divided into two columns: dynamic hardware +means crypto cards, static hardware support means CPACF. Software support +is provided via openssl. + +If a function is disabled via build option, this is indicated +by a dash '-' in the related column. + +A shortened sample output is given below: +.P +.nf + Cryptographic algorithm support +------------------------------------------------------ + | hardware | + function | dynamic | static | software +---------------+------------+------------+------------ + SHA-1 | no | - | - + SHA-224 | no | - | - + SHA-256 | no | - | - + SHA-384 | no | - | - + SHA-512 | no | - | - + GHASH | no | - | - + P_RNG | blocked | - | - + DRBG-SHA-512 | no | - | - + RSA ME | yes | - | - + RSA CRT | yes | - | - + ... +------------------------------------------------------ +Built-in FIPS support: FIPS mode active. +Software fallbacks are disabled in libica-cex. +CPACF support (including fallbacks) is disabled in libica-cex. +.fi +.SH OPTIONS +.IP "-v or --version" +show libica-cex version and copyright +.IP "-h or --help" +display this help and exit +.SH RETURN VALUE +.IP 1 +unknown or invalid argument on invocation +.IP 0 +successful program execution +.SH "SEE ALSO" +.BR icastats (1) + diff -Nru libica-3.7.0/doc/icastats.1 libica-3.8.0/doc/icastats.1 --- libica-3.7.0/doc/icastats.1 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/doc/icastats.1 2021-05-17 10:26:08.000000000 -0500 @@ -37,7 +37,7 @@ ... ECDSA Sign | 0 | 0 ECDSA Verify | 0 | 0 - ECKGEN | 0 | 0 + EC Keygen | 0 | 0 RSA-ME | 0 | 0 ... RSA-ME | 0 | 0 diff -Nru libica-3.7.0/doc/Makefile.am libica-3.8.0/doc/Makefile.am --- libica-3.7.0/doc/Makefile.am 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/doc/Makefile.am 2021-05-17 10:26:08.000000000 -0500 @@ -1 +1 @@ -dist_man1_MANS = icastats.1 icainfo.1 +dist_man1_MANS = icastats.1 icainfo.1 icainfo-cex.1 diff -Nru libica-3.7.0/include/ica_api.h libica-3.8.0/include/ica_api.h --- libica-3.7.0/include/ica_api.h 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/include/ica_api.h 2021-05-17 10:26:08.000000000 -0500 @@ -1809,7 +1809,7 @@ * first message block subsequent counter values to be combined with subsequent * message blocks will be derived from preceding counter values by an increment * function. The increment function used in ica_des_ctr is s an arithmetic - * increment without carry on the U least significant bytes in the counter + * increment without carry on the U least significant bits in the counter * where M is a parameter to ica_des_ctr. * * Required HW Support @@ -1836,9 +1836,12 @@ * if data_length used in the preceding call is a multiple of the cipher block * size. * @param ctr_width - * A number U between 1 and cipher block size. The value is used by the counter - * increment function which increments a counter value by incrementing without - * carry the least significant U bytes of the counter value. + * A number U between 8 and cipher block size in bits. The value is used by the + * counter increment function which increments a counter value by incrementing + * without carry the least significant U bits of the counter value. The value + * must be a multiple of 8. When in FIPS mode, an additional counter overflow + * check is performed, so that the given data length, divided by the cipher + * block size, is not greater than 2 to the power of U. * @param direction * 0 or 1: * 0 Use the decrypt function. @@ -2292,7 +2295,7 @@ * first message block subsequent counter values to be combined with subsequent * message blocks will be derived from preceding counter values by an increment * function. The increment function used in ica_3des_ctr is s an arithmetic - * increment without carry on the U least significant bytes in the counter + * increment without carry on the U least significant bits in the counter * where M is a parameter to ica_3des_ctr. * * Required HW Support @@ -2319,9 +2322,12 @@ * key if data_length used in the preceding call is a multiple of the cipher * block size. * @param ctr_width - * A number U between 1 and cipher block size. The value is used by the counter - * increment function which increments a counter value by incrementing without - * carry the least significant U bytes of the counter value. + * A number U between 8 and cipher block size in bits. The value is used by the + * counter increment function which increments a counter value by incrementing + * without carry the least significant U bits of the counter value. The value + * must be a multiple of 8. When in FIPS mode, an additional counter overflow + * check is performed, so that the given data length, divided by the cipher + * block size, is not greater than 2 to the power of U. * @param direction * 0 or 1: * 0 Use the decrypt function. @@ -2793,7 +2799,7 @@ * first message block subsequent counter values to be combined with subsequent * message blocks will be derived from preceding counter values by an increment * function. The increment function used in ica_aes_ctr is s an arithmetic - * increment without carry on the U least significant bytes in the counter + * increment without carry on the U least significant bits in the counter * where M is a parameter to ica_aes_ctr. * * Required HW Support @@ -2824,9 +2830,12 @@ * if data_length used in the preceding call is a multiple of the cipher block * size. * @param ctr_width - * A number U between 1 and cipher block size. The value is used by the counter - * increment function which increments a counter value by incrementing without - * carry the least significant U bytes of the counter value. + * A number U between 8 and cipher block size in bits. The value is used by the + * counter increment function which increments a counter value by incrementing + * without carry the least significant U bits of the counter value. The value + * must be a multiple of 8. When in FIPS mode, an additional counter overflow + * check is performed, so that the given data length, divided by the cipher + * block size, is not greater than 2 to the power of U. * @param direction * 0 or 1: * 0 Use the decrypt function. diff -Nru libica-3.7.0/libica.spec libica-3.8.0/libica.spec --- libica-3.7.0/libica.spec 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/libica.spec 2021-05-17 10:26:08.000000000 -0500 @@ -1,5 +1,5 @@ Name: libica -Version: 3.7.0 +Version: 3.8.0 Release: 1%{?dist} Summary: Interface library to the ICA device driver @@ -62,6 +62,8 @@ %{_includedir}/ica_api.h %changelog +* Thu May 06 2021 Joerg Schmidbauer +- Version v3.8.0 * Tue May 06 2020 Joerg Schmidbauer - Version v3.7.0 * Wed Nov 13 2019 Patrick Steuer diff -Nru libica-3.7.0/Makefile.am libica-3.8.0/Makefile.am --- libica-3.7.0/Makefile.am 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/Makefile.am 2021-05-17 10:26:08.000000000 -0500 @@ -4,6 +4,7 @@ dist_doc_DATA = AUTHORS ChangeLog INSTALL LICENSE README.md EXTRA_DIST = libica.map libica.spec +MAJOR := `echo $(VERSION) | cut -d. -f1` coverage: check @echo -e "\n-----------------"; @@ -14,3 +15,18 @@ @echo -e "libica coverage"; @echo -e "---------------\n"; cd ${top_builddir}/src && gcov .libs/*.gcda + +if ICA_FIPS +install-data-hook: + $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir) + cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac + $(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir) + cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac + +uninstall-hook: + rm -f $(DESTDIR)$(libdir)/.libica.so.$(MAJOR).hmac + rm -f $(DESTDIR)$(libdir)/.libica.so.$(VERSION).hmac + rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(MAJOR).hmac + rm -f $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION).hmac +endif + diff -Nru libica-3.7.0/src/fips.c libica-3.8.0/src/fips.c --- libica-3.7.0/src/fips.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/fips.c 2021-05-17 10:26:08.000000000 -0500 @@ -20,6 +20,7 @@ #include #include #include +#include #include #ifdef OPENSSL_FIPS @@ -42,7 +43,7 @@ * The hard-coded HMAC key to be optionally provided for the library * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes. * The known HMAC is supposed to be provided as hex string in a file - * libica.so.MAJOR.hmac in the same directory as the .so module. + * .libica.so.VERSION.hmac in the same directory as the .so module. */ static const char hmackey[] = "0000000000000000000000000000000000000000000000000000000000000000" @@ -71,6 +72,7 @@ static int rsa_kat(void); +#ifndef NO_CPACF #define SHA_KAT(_sha_, _ctx_) \ static int sha##_sha_##_kat(void) { \ sha##_ctx_##_context_t ctx; \ @@ -94,6 +96,92 @@ SHA_KAT(384, 512); SHA_KAT(512, 512); #undef SHA_KAT +#else /* Don't write any error msg to syslog when CPACF is not avail */ +#define SHA_KAT(_sha_, _ctx_) \ +static int sha##_sha_##_kat(void) { \ + sha##_ctx_##_context_t ctx; \ + size_t i; \ + unsigned char out[SHA##_sha_##_HASH_LENGTH]; \ + for (i = 0; i < SHA##_sha_##_TV_LEN; i++) { \ + if (ica_sha##_sha_(SHA_MSG_PART_ONLY, \ + SHA##_sha_##_TV[i].msg_len, SHA##_sha_##_TV[i].msg, \ + &ctx, out) || memcmp(SHA##_sha_##_TV[i].md, out, \ + SHA##_sha_##_HASH_LENGTH)) { \ + return 1; \ + } \ + } \ + return 0; \ +} +SHA_KAT(1, ); +SHA_KAT(224, 256); +SHA_KAT(256, 256); +SHA_KAT(384, 512); +SHA_KAT(512, 512); +#undef SHA_KAT +#endif + +static inline int sha3_available(void) +{ + sha3_224_context_t sha3_224_context; + unsigned char output_hash[SHA3_224_HASH_LENGTH]; + unsigned char test_data[] = { 0x61,0x62,0x63 }; + int rc = 0; + + rc = ica_sha3_224(SHA_MSG_PART_ONLY, sizeof(test_data), test_data, + &sha3_224_context, output_hash); + + return (rc == ENODEV ? 0 : 1); +} + +#ifndef NO_CPACF +#define SHA3_KAT(_sha_, _ctx_) \ +static int sha3_##_sha_##_kat(void) { \ + sha3_##_ctx_##_context_t ctx; \ + size_t i; \ + unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \ + if (!sha3_available()) \ + return 0; \ + for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \ + if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \ + SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \ + &ctx, out) || memcmp(SHA3_##_sha_##_TV[i].md, out, \ + SHA3_##_sha_##_HASH_LENGTH)) { \ + syslog(LOG_ERR, "Libica SHA-3 %d test failed.", \ + _sha_); \ + return 1; \ + } \ + } \ + return 0; \ +} +SHA3_KAT(224, 224); +SHA3_KAT(256, 256); +SHA3_KAT(384, 384); +SHA3_KAT(512, 512); +#undef SHA3_KAT +#else /* Don't write any error msg to syslog when CPACF is not avail */ +#define SHA3_KAT(_sha_, _ctx_) \ +static int sha3_##_sha_##_kat(void) { \ + sha3_##_ctx_##_context_t ctx; \ + size_t i; \ + unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \ + if (!sha3_available()) \ + return 0; \ + for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \ + if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \ + SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \ + &ctx, out) || memcmp(SHA3_##_sha_##_TV[i].md, out, \ + SHA3_##_sha_##_HASH_LENGTH)) { \ + return 1; \ + } \ + } \ + return 0; \ +} +SHA3_KAT(224, 224); +SHA3_KAT(256, 256); +SHA3_KAT(384, 384); +SHA3_KAT(512, 512); +#undef SHA3_KAT +#endif void fips_init(void) @@ -121,33 +209,6 @@ FIPS_mode_set(1); } } -static int get_library_path(const char *libname, const char *symbolname, - char *path, size_t pathlen) -{ - Dl_info info; - void *dl, *sym; - int rc = -1; - - dl = dlopen(libname, RTLD_LAZY); - if (dl == NULL) - goto done; - - sym = dlsym(dl, symbolname); - if (sym != NULL && dladdr(sym, &info)) { - if (strlen(info.dli_fname) < pathlen) - strcpy(path, info.dli_fname); - else - goto done; - } - - rc = 0; - -done: - if (dl != NULL) - dlclose(dl); - - return rc; -} static char *make_hmac_path(const char *origpath) { @@ -258,7 +319,6 @@ fp = fopen(hmacpath, "r"); if (fp == NULL) { - rc = 1; goto end; } @@ -296,6 +356,41 @@ static const char msg2[] = "Libica FIPS library integrity check failed. Module %s probably corrupted.\n"; static const char msg3[] = "Libica FIPS library integrity check passed.\n"; +struct phdr_cb_data { + /* User-provided storage for library path. */ + char *librarypath; + /* Length of storage provided by user. */ + size_t length; + /* How many times did we find a proper library. This is used + * as a sanity check. */ + int count; +}; + +static int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) +{ + int j; + unsigned long start, end; + struct phdr_cb_data *d = data; + unsigned long myaddr = (unsigned long)&phdr_callback; + + (void)size; + for (j = 0; j < info->dlpi_phnum; j++) { + // Only consider loadable program segments + if (info->dlpi_phdr[j].p_type == PT_LOAD) { + start = info->dlpi_addr + info->dlpi_phdr[j].p_vaddr; + end = start + info->dlpi_phdr[j].p_memsz; + if (start <= myaddr && myaddr < end) { + if (d->librarypath[0] == 0 + && strlen(info->dlpi_name) < d->length) { + strcpy(d->librarypath, info->dlpi_name); + } + d->count++; + } + } + } + return 0; +} + /* * Perform an integrity check on libica.so by calculating an HMAC from * the file contents using a static HMAC key, and comparing it to a @@ -304,13 +399,16 @@ */ static void fips_lib_integrity_check(void) { - int rc; char path[PATH_MAX]; - const char *libname = "libica.so"; - const char *symbolname = "ica_sha256"; - - rc = get_library_path(libname, symbolname, path, sizeof(path)); - if (rc != 0) { + struct phdr_cb_data data = { + .librarypath = (char *)path, + .length = sizeof(path), + .count = 0 + }; + + path[0] = 0; + dl_iterate_phdr(phdr_callback, &data); + if (data.count != 1) { syslog(LOG_ERR, msg1); fips |= ICA_FIPS_INTEGRITY; return; @@ -328,21 +426,39 @@ void fips_powerup_tests(void) { +#ifdef NO_CPACF + /* 27 out of the 28 tests return EPERM if CPACF is disabled via config. + * The rsa_kat() is not affected. */ + int num_cpacf_tests = 27; +#endif + int rc; + /* Cryptographic algorithm test. */ - if (ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512) - || sha1_kat() || sha224_kat() || sha256_kat() || sha384_kat() - || sha512_kat() || des3_ecb_kat() || des3_cbc_kat() - || des3_cbc_cs_kat() || des3_cfb_kat() || des3_ofb_kat() - || des3_ctr_kat() || des3_cmac_kat() || aes_ecb_kat() - || aes_cbc_kat() || aes_cbc_cs_kat() || aes_cfb_kat() - || aes_ctr_kat() || aes_ofb_kat() || aes_ccm_kat() || aes_gcm_kat() - || aes_xts_kat() || aes_cmac_kat() || rsa_kat()) { + rc = ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512) + + sha1_kat() + sha224_kat() + sha256_kat() + sha384_kat() + + sha512_kat() + sha3_224_kat() + sha3_256_kat() + sha3_384_kat() + + sha3_512_kat() + des3_ecb_kat() + des3_cbc_kat() + + des3_cbc_cs_kat() + des3_cfb_kat() + des3_ofb_kat() + + des3_ctr_kat() + des3_cmac_kat() + aes_ecb_kat() + + aes_cbc_kat() + aes_cbc_cs_kat() + aes_cfb_kat() + + aes_ctr_kat() + aes_ofb_kat() + aes_ccm_kat() + aes_gcm_kat() + + aes_xts_kat() + aes_cmac_kat() + rsa_kat(); +#ifndef NO_CPACF + if (rc != 0) { +#else + if (rc != 0 && rc != num_cpacf_tests * EPERM) { +#endif fips |= ICA_FIPS_CRYPTOALG; return; } +/* ICA internal test does not link against the library. So we should + * skip the library integrity check in that case. + */ +#ifndef ICA_INTERNAL_TEST /* Library integrity test */ fips_lib_integrity_check(); +#endif } static int @@ -372,7 +488,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-ECB test failed."); +#endif return 1; } @@ -408,7 +526,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-CBC test failed."); +#endif return 1; } @@ -446,7 +566,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-CBC-CS test failed."); +#endif return 1; } @@ -482,7 +604,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-CFB test failed."); +#endif return 1; } @@ -518,7 +642,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-OFB test failed."); +#endif return 1; } @@ -554,7 +680,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-CTR test failed."); +#endif return 1; } @@ -595,7 +723,9 @@ _err_: free(ciphertext); free(payload); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-CCM test failed."); +#endif return 1; } @@ -695,7 +825,9 @@ _err_: free(tag); free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-GCM test failed."); +#endif return 1; } @@ -731,7 +863,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-XTS test failed."); +#endif return 1; } @@ -798,7 +932,9 @@ _err_: free(mac); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica AES-CMAC test failed."); +#endif return 1; } @@ -830,7 +966,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-ECB test failed."); +#endif return 1; } @@ -866,7 +1004,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-CBC test failed."); +#endif return 1; } @@ -903,7 +1043,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-CBC-CS test failed."); +#endif return 1; } @@ -939,7 +1081,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-CFB test failed."); +#endif return 1; } @@ -975,7 +1119,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-OFB test failed."); +#endif return 1; } @@ -1011,7 +1157,9 @@ _err_: free(out); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-CTR test failed."); +#endif return 1; } @@ -1078,7 +1226,9 @@ _err_: free(mac); +#ifndef NO_CPACF syslog(LOG_ERR, "Libica 3DES-CMAC test failed."); +#endif return 1; } diff -Nru libica-3.7.0/src/ica_api.c libica-3.8.0/src/ica_api.c --- libica-3.7.0/src/ica_api.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/ica_api.c 2021-05-17 10:26:08.000000000 -0500 @@ -52,14 +52,26 @@ #define MAX_VERSION_LENGTH 16 +#ifndef NO_SW_FALLBACKS int ica_fallbacks_enabled = 1; +#else +int ica_fallbacks_enabled = 0; +#endif + +#if defined(NO_SW_FALLBACKS) || defined(NO_CPACF) +#define UNUSED(var) ((void)(var)) +#endif void ica_set_fallback_mode(int fallback_mode) { +#ifdef NO_SW_FALLBACKS + UNUSED(fallback_mode); +#else if (fallback_mode) ica_fallbacks_enabled = 1; else ica_fallbacks_enabled = 0; +#endif } int ica_offload_enabled = 0; @@ -76,6 +88,18 @@ ica_stats_enabled = stats_mode ? 1 : 0; } +#ifdef ICA_FIPS +static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { + if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64) + | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64) + | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64)) + return EINVAL; + + return 0; +} +#endif + +#ifndef NO_CPACF static unsigned int check_des_parms(unsigned int mode, unsigned long data_length, const unsigned char *in_data, @@ -125,17 +149,6 @@ return 0; } -#ifdef ICA_FIPS -static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) { - if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64) - | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64) - | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64)) - return EINVAL; - - return 0; -} -#endif - static unsigned int check_aes_parms(unsigned int mode, unsigned int data_length, const unsigned char *in_data, @@ -334,6 +347,7 @@ else return 0; } +#endif /* NO_CPACF */ unsigned int ica_open_adapter(ica_adapter_handle_t *adapter_handle) { @@ -384,6 +398,14 @@ sha_context_t *sha_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha_context); + UNUSED(output_data); + return EPERM; +#else int rc; #ifdef ICA_FIPS @@ -422,6 +444,7 @@ memcpy(&sha_context->shaHash, output_data, SHA_HASH_LENGTH); return rc; +#endif /* NO_CPACF */ } unsigned int ica_sha224(unsigned int message_part, @@ -430,6 +453,14 @@ sha256_context_t *sha256_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha256_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -460,6 +491,7 @@ return s390_sha224((unsigned char *) &sha256_context->sha256Hash, input_data, input_length, output_data, message_part, (uint64_t *)&sha256_context->runningLength); +#endif /* NO_CPACF */ } unsigned int ica_sha256(unsigned int message_part, @@ -468,6 +500,14 @@ sha256_context_t *sha256_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha256_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -498,6 +538,7 @@ return s390_sha256((unsigned char *) &sha256_context->sha256Hash, input_data, input_length, output_data, message_part, (uint64_t *) &sha256_context->runningLength); +#endif /* NO_CPACF */ } unsigned int ica_sha384(unsigned int message_part, @@ -506,6 +547,14 @@ sha512_context_t *sha512_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha512_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -537,6 +586,7 @@ input_data, input_length, output_data, message_part, (uint64_t *) &(sha512_context->runningLengthLow), (uint64_t *) &(sha512_context->runningLengthHigh)); +#endif /* NO_CPACF */ } unsigned int ica_sha512(unsigned int message_part, @@ -545,6 +595,14 @@ sha512_context_t *sha512_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha512_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -576,6 +634,7 @@ input_data, input_length, output_data, message_part, (uint64_t *) &sha512_context->runningLengthLow, (uint64_t *) &sha512_context->runningLengthHigh); +#endif /* NO_CPACF */ } unsigned int ica_sha512_224(unsigned int message_part, @@ -584,6 +643,14 @@ sha512_context_t *sha512_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha512_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -615,6 +682,7 @@ input_data, input_length, output_data, message_part, (uint64_t *) &sha512_context->runningLengthLow, (uint64_t *) &sha512_context->runningLengthHigh); +#endif /* NO_CPACF */ } unsigned int ica_sha512_256(unsigned int message_part, @@ -623,6 +691,14 @@ sha512_context_t *sha512_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha512_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -654,6 +730,7 @@ input_data, input_length, output_data, message_part, (uint64_t *) &sha512_context->runningLengthLow, (uint64_t *) &sha512_context->runningLengthHigh); +#endif /* NO_CPACF */ } unsigned int ica_sha3_224(unsigned int message_part, @@ -662,6 +739,14 @@ sha3_224_context_t *sha3_224_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha3_224_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -692,6 +777,7 @@ return s390_sha3_224((unsigned char *) &sha3_224_context->sha3_224Hash, input_data, input_length, output_data, message_part, (uint64_t *)&sha3_224_context->runningLength); +#endif /* NO_CPACF */ } unsigned int ica_sha3_256(unsigned int message_part, @@ -700,6 +786,14 @@ sha3_256_context_t *sha3_256_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha3_256_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -730,6 +824,7 @@ return s390_sha3_256((unsigned char *) &sha3_256_context->sha3_256Hash, input_data, input_length, output_data, message_part, (uint64_t *) &sha3_256_context->runningLength); +#endif /* NO_CPACF */ } unsigned int ica_sha3_384(unsigned int message_part, @@ -738,6 +833,14 @@ sha3_384_context_t *sha3_384_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha3_384_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -769,6 +872,7 @@ input_data, input_length, output_data, message_part, (uint64_t *) &(sha3_384_context->runningLengthLow), (uint64_t *) &(sha3_384_context->runningLengthHigh)); +#endif /* NO_CPACF */ } unsigned int ica_sha3_512(unsigned int message_part, @@ -777,6 +881,14 @@ sha3_512_context_t *sha3_512_context, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(sha3_512_context); + UNUSED(output_data); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -808,6 +920,7 @@ input_data, input_length, output_data, message_part, (uint64_t *) &sha3_512_context->runningLengthLow, (uint64_t *) &sha3_512_context->runningLengthHigh); +#endif /* NO_CPACF */ } unsigned int ica_shake_128(unsigned int message_part, @@ -816,6 +929,15 @@ shake_128_context_t *shake_128_context, unsigned char *output_data, unsigned int output_length) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(shake_128_context); + UNUSED(output_data); + UNUSED(output_length); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -853,6 +975,7 @@ input_data, input_length, output_data, shake_128_context->output_length, message_part, (uint64_t *) &shake_128_context->runningLengthLow, (uint64_t *) &shake_128_context->runningLengthHigh); +#endif /* NO_CPACF */ } unsigned int ica_shake_256(unsigned int message_part, @@ -861,6 +984,15 @@ shake_256_context_t *shake_256_context, unsigned char *output_data, unsigned int output_length) { +#ifdef NO_CPACF + UNUSED(message_part); + UNUSED(input_length); + UNUSED(input_data); + UNUSED(shake_256_context); + UNUSED(output_data); + UNUSED(output_length); + return EPERM; +#else unsigned int rc; #ifdef ICA_FIPS @@ -897,11 +1029,17 @@ input_data, input_length, output_data, shake_256_context->output_length, message_part, (uint64_t *) &shake_256_context->runningLengthLow, (uint64_t *) &shake_256_context->runningLengthHigh); +#endif /* NO_CPACF */ } unsigned int ica_random_number_generate(unsigned int output_length, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(output_length); + UNUSED(output_data); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -912,6 +1050,7 @@ return EINVAL; return s390_prng(output_data, output_length); +#endif /* NO_CPACF */ } unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle, @@ -1034,6 +1173,8 @@ if (rc == 0) stats_increment(ICA_STATS_RSA_ME, hardware, ENCRYPT); + OPENSSL_cleanse(&rb, sizeof(rb)); + return rc; } @@ -1089,6 +1230,10 @@ free(tmp_buf); + BN_clear_free(bn_p); + BN_clear_free(bn_q); + BN_clear_free(bn_invq); + return 1; } return 0; @@ -1147,6 +1292,8 @@ if (rc == 0) stats_increment(ICA_STATS_RSA_CRT, hardware, ENCRYPT); + OPENSSL_cleanse(&rb, sizeof(rb)); + return rc; } @@ -1229,7 +1376,11 @@ if (key == NULL) return EINVAL; +#ifndef NO_SW_FALLBACKS icapath = getenv_icapath(); +#else + icapath = 1; +#endif switch (icapath) { case 1: /* hw only */ hardware = ALGO_HW; @@ -1272,7 +1423,11 @@ if (z == NULL || z_length < privlen || privkey_A->nid != pubkey_B->nid) return EINVAL; +#ifndef NO_SW_FALLBACKS icapath = getenv_icapath(); +#else + icapath = 1; +#endif switch (icapath) { case 1: /* hw only */ hardware = ALGO_HW; @@ -1316,7 +1471,11 @@ signature == NULL || signature_length < 2*privlen) return EINVAL; +#ifndef NO_SW_FALLBACKS icapath = getenv_icapath(); +#else + icapath = 1; +#endif switch (icapath) { case 1: /* hw only */ hardware = ALGO_HW; @@ -1360,7 +1519,11 @@ signature == NULL || signature_length < 2*privlen) return EINVAL; +#ifndef NO_SW_FALLBACKS icapath = getenv_icapath(); +#else + icapath = 1; +#endif switch (icapath) { case 1: /* hw only */ hardware = ALGO_HW; @@ -1437,44 +1600,70 @@ int ica_x25519_ctx_new(ICA_X25519_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL) return -1; *ctx = calloc(1, sizeof(**ctx)); return 0; +#endif /* NO_CPACF */ } int ica_x448_ctx_new(ICA_X448_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL) return -1; *ctx = calloc(1, sizeof(**ctx)); return 0; +#endif /* NO_CPACF */ } int ica_ed25519_ctx_new(ICA_ED25519_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL) return -1; *ctx = calloc(1, sizeof(**ctx)); return 0; +#endif /* NO_CPACF */ } int ica_ed448_ctx_new(ICA_ED448_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL) return -1; *ctx = calloc(1, sizeof(**ctx)); return 0; +#endif /* NO_CPACF */ } int ica_x25519_key_set(ICA_X25519_CTX *ctx, const unsigned char priv[32], const unsigned char pub[32]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1491,12 +1680,19 @@ } return 0; +#endif /* NO_CPACF */ } int ica_x448_key_set(ICA_X448_CTX *ctx, const unsigned char priv[56], const unsigned char pub[56]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1513,12 +1709,19 @@ } return 0; +#endif /* NO_CPACF */ } int ica_ed25519_key_set(ICA_ED25519_CTX *ctx, const unsigned char priv[32], const unsigned char pub[32]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1535,12 +1738,19 @@ } return 0; +#endif /* NO_CPACF */ } int ica_ed448_key_set(ICA_ED448_CTX *ctx, const unsigned char priv[57], const unsigned char pub[57]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1562,11 +1772,18 @@ } return 0; +#endif /* NO_CPACF */ } int ica_x25519_key_get(ICA_X25519_CTX *ctx, unsigned char priv[32], unsigned char pub[32]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL) @@ -1597,11 +1814,18 @@ } return 0; +#endif /* NO_CPACF */ } int ica_x448_key_get(ICA_X448_CTX *ctx, unsigned char priv[56], unsigned char pub[56]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL) @@ -1632,11 +1856,18 @@ } return 0; +#endif /* NO_CPACF */ } int ica_ed25519_key_get(ICA_ED25519_CTX *ctx, unsigned char priv[32], unsigned char pub[32]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL) @@ -1669,11 +1900,18 @@ } return 0; +#endif /* NO_CPACF */ } int ica_ed448_key_get(ICA_ED448_CTX *ctx, unsigned char priv[57], unsigned char pub[57]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(priv); + UNUSED(pub); + return EPERM; +#else unsigned char pub64[64]; int rc; @@ -1708,12 +1946,19 @@ } return 0; +#endif /* NO_CPACF */ } int ica_x25519_derive(ICA_X25519_CTX *ctx, unsigned char shared_secret[32], const unsigned char peer_pub[32]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(shared_secret); + UNUSED(peer_pub); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL @@ -1725,12 +1970,19 @@ stats_increment(ICA_STATS_X25519_DERIVE, ALGO_HW, ENCRYPT); return rc; +#endif /* NO_CPACF */ } int ica_x448_derive(ICA_X448_CTX *ctx, unsigned char shared_secret[56], const unsigned char peer_pub[56]) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(shared_secret); + UNUSED(peer_pub); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL @@ -1741,11 +1993,19 @@ stats_increment(ICA_STATS_X448_DERIVE, ALGO_HW, ENCRYPT); return rc; +#endif /* NO_CPACF */ } int ica_ed25519_sign(ICA_ED25519_CTX *ctx, unsigned char sig[64], const unsigned char *msg, size_t msglen) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(sig); + UNUSED(msg); + UNUSED(msglen); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL @@ -1765,11 +2025,19 @@ stats_increment(ICA_STATS_ED25519_SIGN, ALGO_HW, ENCRYPT); return 0; +#endif /* NO_CPACF */ } int ica_ed448_sign(ICA_ED448_CTX *ctx, unsigned char sig[114], const unsigned char *msg, size_t msglen) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(sig); + UNUSED(msg); + UNUSED(msglen); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL @@ -1792,11 +2060,19 @@ stats_increment(ICA_STATS_ED448_SIGN, ALGO_HW, ENCRYPT); return 0; +#endif /* NO_CPACF */ } int ica_ed25519_verify(ICA_ED25519_CTX *ctx, const unsigned char sig[64], const unsigned char *msg, size_t msglen) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(sig); + UNUSED(msg); + UNUSED(msglen); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL || sig == NULL @@ -1827,11 +2103,19 @@ stats_increment(ICA_STATS_ED25519_VERIFY, ALGO_HW, ENCRYPT); return rc == 0 ? 0 : -1; +#endif /* NO_CPACF */ } int ica_ed448_verify(ICA_ED448_CTX *ctx, const unsigned char sig[114], const unsigned char *msg, size_t msglen) { +#ifdef NO_CPACF + UNUSED(ctx); + UNUSED(sig); + UNUSED(msg); + UNUSED(msglen); + return EPERM; +#else int rc; if (check_fips() || !msa9_switch || ctx == NULL || sig == NULL @@ -1867,10 +2151,15 @@ stats_increment(ICA_STATS_ED448_VERIFY, ALGO_HW, ENCRYPT); return rc == 0 ? 0 : -1; +#endif /* NO_CPACF */ } int ica_x25519_ctx_del(ICA_X25519_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL || *ctx == NULL) return -1; @@ -1878,10 +2167,15 @@ free(*ctx); *ctx = NULL; return 0; +#endif /* NO_CPACF */ } int ica_x448_ctx_del(ICA_X448_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL || *ctx == NULL) return -1; @@ -1889,10 +2183,15 @@ free(*ctx); *ctx = NULL; return 0; +#endif /* NO_CPACF */ } int ica_ed25519_ctx_del(ICA_ED25519_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL || *ctx == NULL) return -1; @@ -1900,10 +2199,15 @@ free(*ctx); *ctx = NULL; return 0; +#endif /* NO_CPACF */ } int ica_ed448_ctx_del(ICA_ED448_CTX **ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (!msa9_switch || ctx == NULL || *ctx == NULL) return -1; @@ -1911,10 +2215,15 @@ free(*ctx); *ctx = NULL; return 0; +#endif /* NO_CPACF */ } int ica_x25519_key_gen(ICA_X25519_CTX *ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1924,10 +2233,15 @@ rng_gen(ctx->priv, 32); ctx->priv_init = 1; return 0; +#endif /* NO_CPACF */ } int ica_x448_key_gen(ICA_X448_CTX *ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1937,10 +2251,15 @@ rng_gen(ctx->priv, 56); ctx->priv_init = 1; return 0; +#endif /* NO_CPACF */ } int ica_ed25519_key_gen(ICA_ED25519_CTX *ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1950,10 +2269,15 @@ rng_gen(ctx->sign_param.priv, sizeof(ctx->sign_param.priv)); ctx->priv_init = 1; return 0; +#endif /* NO_CPACF */ } int ica_ed448_key_gen(ICA_ED448_CTX *ctx) { +#ifdef NO_CPACF + UNUSED(ctx); + return EPERM; +#else if (check_fips() || !msa9_switch || ctx == NULL) return -1; @@ -1964,6 +2288,7 @@ sizeof(ctx->sign_param.priv) - (64 - 57)); ctx->priv_init = 1; return 0; +#endif /* NO_CPACF */ } @@ -1979,6 +2304,15 @@ ica_des_key_single_t *des_key, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(mode); + UNUSED(data_length); + UNUSED(input_data); + UNUSED(iv); + UNUSED(des_key); + UNUSED(output_data); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -1999,6 +2333,7 @@ (unsigned char *) des_key, output_data); } return EINVAL; +#endif /* NO_CPACF */ } unsigned int ica_des_decrypt(unsigned int mode, @@ -2008,6 +2343,15 @@ ica_des_key_single_t *des_key, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(mode); + UNUSED(data_length); + UNUSED(input_data); + UNUSED(iv); + UNUSED(des_key); + UNUSED(output_data); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2028,6 +2372,7 @@ (unsigned char *) des_key, output_data); } return EINVAL; +#endif /* NO_CPACF */ } unsigned int ica_3des_encrypt(unsigned int mode, @@ -2037,6 +2382,15 @@ ica_des_key_triple_t *des_key, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(mode); + UNUSED(data_length); + UNUSED(input_data); + UNUSED(iv); + UNUSED(des_key); + UNUSED(output_data); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2059,6 +2413,7 @@ (unsigned char *) des_key, output_data); } return EINVAL; +#endif /* NO_CPACF */ } unsigned int ica_3des_decrypt(unsigned int mode, @@ -2068,6 +2423,15 @@ ica_des_key_triple_t *des_key, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(mode); + UNUSED(data_length); + UNUSED(input_data); + UNUSED(iv); + UNUSED(des_key); + UNUSED(output_data); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2090,6 +2454,7 @@ (unsigned char *) des_key, output_data); } return EINVAL; +#endif /* NO_CPACF */ } unsigned int ica_aes_encrypt(unsigned int mode, @@ -2100,6 +2465,16 @@ unsigned char *aes_key, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(mode); + UNUSED(data_length); + UNUSED(input_data); + UNUSED(iv); + UNUSED(key_length); + UNUSED(aes_key); + UNUSED(output_data); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2128,6 +2503,7 @@ } return EINVAL; +#endif /* NO_CPACF */ } unsigned int ica_aes_decrypt(unsigned int mode, @@ -2138,6 +2514,16 @@ unsigned char *aes_key, unsigned char *output_data) { +#ifdef NO_CPACF + UNUSED(mode); + UNUSED(data_length); + UNUSED(input_data); + UNUSED(iv); + UNUSED(key_length); + UNUSED(aes_key); + UNUSED(output_data); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2166,12 +2552,21 @@ } return EINVAL; +#endif /* NO_CPACF */ } unsigned int ica_des_ecb(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2182,6 +2577,7 @@ return s390_des_ecb(des_directed_fc(direction), data_length, in_data, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_des_cbc(const unsigned char *in_data, unsigned char *out_data, @@ -2189,6 +2585,15 @@ unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2199,6 +2604,7 @@ return s390_des_cbc(des_directed_fc(direction), data_length, in_data, iv, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_des_cbc_cs(const unsigned char *in_data, unsigned char *out_data, @@ -2206,6 +2612,16 @@ unsigned char *key, unsigned char *iv, unsigned int direction, unsigned int variant) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + UNUSED(variant); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2217,6 +2633,7 @@ return s390_des_cbccs(des_directed_fc(direction), in_data, out_data, data_length, key, iv, variant); +#endif /* NO_CPACF */ } unsigned int ica_des_cfb(const unsigned char *in_data, unsigned char *out_data, @@ -2224,6 +2641,16 @@ unsigned char *iv, unsigned int lcfb, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(lcfb); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2237,12 +2664,22 @@ return s390_des_cfb(des_directed_fc(direction), data_length, in_data, iv, key, out_data, lcfb); +#endif /* NO_CPACF */ } unsigned int ica_des_ofb(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2253,6 +2690,7 @@ return s390_des_ofb(des_directed_fc(direction), data_length, in_data, iv, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_des_ctr(const unsigned char *in_data, unsigned char *out_data, @@ -2261,6 +2699,16 @@ unsigned char *ctr, unsigned int ctr_width, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(ctr); + UNUSED(ctr_width); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2277,6 +2725,7 @@ return s390_des_ctr(des_directed_fc(direction), in_data, out_data, data_length, key, ctr, ctr_width); +#endif /* NO_CPACF */ } unsigned int ica_des_ctrlist(const unsigned char *in_data, unsigned char *out_data, @@ -2285,6 +2734,15 @@ const unsigned char *ctrlist, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(ctrlist); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2296,6 +2754,7 @@ return s390_des_ctrlist(des_directed_fc(direction), data_length, in_data, ctrlist, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_des_cmac(const unsigned char *message, unsigned long message_length, @@ -2303,6 +2762,15 @@ unsigned char *key, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(mac); + UNUSED(mac_length); + UNUSED(key); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips) return EACCES; @@ -2313,6 +2781,7 @@ key, NULL, direction); +#endif /* NO_CPACF */ } unsigned int ica_des_cmac_intermediate(const unsigned char *message, @@ -2320,6 +2789,13 @@ unsigned char *key, unsigned char *iv) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(key); + UNUSED(iv); + return EPERM; +#else unsigned long function_code; int rc; @@ -2344,6 +2820,7 @@ if(!rc) stats_increment(ICA_STATS_DES_CMAC, ALGO_HW, ICA_DECRYPT); return rc; +#endif /* NO_CPACF */ } unsigned int ica_des_cmac_last(const unsigned char *message, unsigned long message_length, @@ -2352,6 +2829,16 @@ unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(mac); + UNUSED(mac_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else unsigned char tmp_mac[DES_BLOCK_SIZE]; unsigned long function_code; int rc; @@ -2390,12 +2877,21 @@ } return 0; +#endif /* NO_CPACF */ } unsigned int ica_3des_ecb(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2408,6 +2904,7 @@ return s390_des_ecb(tdes_directed_fc(direction), data_length, in_data, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_3des_cbc(const unsigned char *in_data, unsigned char *out_data, @@ -2415,6 +2912,15 @@ unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2427,6 +2933,7 @@ return s390_des_cbc(tdes_directed_fc(direction), data_length, in_data, iv, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_3des_cbc_cs(const unsigned char *in_data, unsigned char *out_data, @@ -2434,6 +2941,16 @@ unsigned char *key, unsigned char *iv, unsigned int direction, unsigned int variant) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + UNUSED(variant); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2447,6 +2964,7 @@ return s390_des_cbccs(tdes_directed_fc(direction), in_data, out_data, data_length, key, iv, variant); +#endif /* NO_CPACF */ } unsigned int ica_3des_cfb(const unsigned char *in_data, unsigned char *out_data, @@ -2454,6 +2972,16 @@ unsigned char *iv, unsigned int lcfb, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(lcfb); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2469,12 +2997,22 @@ return s390_des_cfb(tdes_directed_fc(direction), data_length, in_data, iv, key, out_data, lcfb); +#endif /* NO_CPACF */ } unsigned int ica_3des_ofb(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2487,6 +3025,7 @@ return s390_des_ofb(tdes_directed_fc(direction), data_length, in_data, iv, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_3des_ctr(const unsigned char *in_data, unsigned char *out_data, @@ -2495,11 +3034,29 @@ unsigned char *ctr, unsigned int ctr_width, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(ctr); + UNUSED(ctr_width); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS + /* Note that the FIPS ctr check cannot detect ctr wraps + * over chained calls to this function. */ + unsigned long num_blocks = data_length / DES_BLOCK_SIZE; + unsigned int num_additional_bytes = data_length % DES_BLOCK_SIZE; if (fips >> 1) return EACCES; if (fips_check_3des_key((ica_des_key_triple_t *)key)) return EINVAL; + if (num_additional_bytes > 0) + num_blocks++; + if (ctr_width < 64U && num_blocks > (1ULL << ctr_width)) + return EINVAL; #endif /* ICA_FIPS */ if (check_des_parms(MODE_CTR, data_length, in_data, ctr, key, out_data)) @@ -2513,6 +3070,7 @@ return s390_des_ctr(tdes_directed_fc(direction), in_data, out_data, data_length, key, ctr, ctr_width); +#endif /* NO_CPACF */ } unsigned int ica_3des_ctrlist(const unsigned char *in_data, unsigned char *out_data, @@ -2521,6 +3079,15 @@ const unsigned char *ctrlist, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(ctrlist); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2534,6 +3101,7 @@ return s390_des_ctrlist(tdes_directed_fc(direction), data_length, in_data, ctrlist, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_3des_cmac(const unsigned char *message, unsigned long message_length, @@ -2541,6 +3109,15 @@ unsigned char *key, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(mac); + UNUSED(mac_length); + UNUSED(key); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2553,6 +3130,7 @@ key, NULL, direction); +#endif /* NO_CPACF */ } unsigned int ica_3des_cmac_intermediate(const unsigned char *message, @@ -2560,6 +3138,13 @@ unsigned char *key, unsigned char *iv) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(key); + UNUSED(iv); + return EPERM; +#else unsigned long function_code; int rc; @@ -2586,6 +3171,7 @@ if (!rc) stats_increment(ICA_STATS_3DES_CMAC, ALGO_HW, DECRYPT); return rc; +#endif /* NO_CPACF */ } unsigned int ica_3des_cmac_last(const unsigned char *message, unsigned long message_length, @@ -2594,6 +3180,16 @@ unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(mac); + UNUSED(mac_length); + UNUSED(key); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else unsigned char tmp_mac[DES_BLOCK_SIZE]; unsigned long function_code; int rc; @@ -2634,6 +3230,7 @@ } return 0; +#endif /* NO_CPACF */ } unsigned int ica_aes_ecb(const unsigned char *in_data, unsigned char *out_data, @@ -2641,6 +3238,15 @@ unsigned int key_length, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2654,6 +3260,7 @@ function_code = aes_directed_fc(key_length, direction); return s390_aes_ecb(function_code, data_length, in_data, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_aes_cbc(const unsigned char *in_data, unsigned char *out_data, @@ -2661,6 +3268,16 @@ unsigned int key_length, unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2674,6 +3291,7 @@ function_code = aes_directed_fc(key_length, direction); return s390_aes_cbc(function_code, data_length, in_data, iv, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_aes_cbc_cs(const unsigned char *in_data, unsigned char *out_data, @@ -2682,6 +3300,17 @@ unsigned char *iv, unsigned int direction, unsigned int variant) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(iv); + UNUSED(direction); + UNUSED(variant); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2696,6 +3325,7 @@ function_code = aes_directed_fc(key_length, direction); return s390_aes_cbccs(function_code, in_data, out_data, data_length, key, iv, variant); +#endif /* NO_CPACF */ } unsigned int ica_aes_cfb(const unsigned char *in_data, unsigned char *out_data, @@ -2703,6 +3333,17 @@ unsigned int key_length, unsigned char *iv, unsigned int lcfb, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(iv); + UNUSED(lcfb); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2720,6 +3361,7 @@ function_code = aes_directed_fc(key_length, direction); return s390_aes_cfb(function_code, data_length, in_data, iv, key, out_data, lcfb); +#endif /* NO_CPACF */ } unsigned int ica_aes_ofb(const unsigned char *in_data, unsigned char *out_data, @@ -2727,6 +3369,16 @@ unsigned int key_length, unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2740,6 +3392,7 @@ function_code = aes_directed_fc(key_length, direction); return s390_aes_ofb(function_code, data_length, in_data, iv, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_aes_ctr(const unsigned char *in_data, unsigned char *out_data, @@ -2748,11 +3401,30 @@ unsigned char *ctr, unsigned int ctr_width, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(ctr); + UNUSED(ctr_width); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS + /* Note that the FIPS ctr check cannot detect ctr wraps + * over chained calls to this function. */ + unsigned long num_blocks = data_length / AES_BLOCK_SIZE; + unsigned int num_additional_bytes = data_length % AES_BLOCK_SIZE; if (fips >> 1) return EACCES; + if (num_additional_bytes > 0) + num_blocks++; + if (ctr_width < 64U && num_blocks > (1ULL << ctr_width)) + return EINVAL; #endif /* ICA_FIPS */ if (check_aes_parms(MODE_CTR, data_length, in_data, ctr, key_length, @@ -2768,6 +3440,7 @@ return s390_aes_ctr(function_code, in_data, out_data, data_length, key, ctr, ctr_width); +#endif /* NO_CPACF */ } unsigned int ica_aes_ctrlist(const unsigned char *in_data, unsigned char *out_data, @@ -2776,6 +3449,16 @@ const unsigned char *ctrlist, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(ctrlist); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2790,6 +3473,7 @@ function_code = aes_directed_fc(key_length, direction); return s390_aes_ctrlist(function_code, data_length, in_data, ctrlist, key, out_data); +#endif /* NO_CPACF */ } unsigned int ica_aes_xts(const unsigned char *in_data, unsigned char *out_data, @@ -2798,6 +3482,17 @@ unsigned int key_length, unsigned char *tweak, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(key1); + UNUSED(key2); + UNUSED(key_length); + UNUSED(tweak); + UNUSED(direction); + return EPERM; +#else unsigned int function_code; #ifdef ICA_FIPS @@ -2829,6 +3524,7 @@ return s390_aes_xts(function_code, data_length, in_data, tweak, key1, key2, key_length, out_data); +#endif /* NO_CPACF */ } unsigned int ica_aes_cmac(const unsigned char *message, unsigned long message_length, @@ -2836,6 +3532,16 @@ unsigned char *key, unsigned int key_length, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(mac); + UNUSED(mac_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(direction); + return EPERM; +#else #ifdef ICA_FIPS if (fips >> 1) return EACCES; @@ -2846,6 +3552,7 @@ key, key_length, NULL, direction); +#endif /* NO_CPACF */ } unsigned int ica_aes_cmac_intermediate(const unsigned char *message, @@ -2853,6 +3560,14 @@ unsigned char *key, unsigned int key_length, unsigned char *iv) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(iv); + return EPERM; +#else unsigned long function_code; int rc; @@ -2877,6 +3592,7 @@ if (!rc) stats_increment(ICA_STATS_AES_CMAC, ALGO_HW, ICA_DECRYPT); return rc; +#endif /* NO_CPACF */ } unsigned int ica_aes_cmac_last(const unsigned char *message, unsigned long message_length, @@ -2885,6 +3601,17 @@ unsigned char *iv, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(message); + UNUSED(message_length); + UNUSED(mac); + UNUSED(mac_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(iv); + UNUSED(direction); + return EPERM; +#else unsigned char tmp_mac[AES_BLOCK_SIZE]; unsigned long function_code; int rc; @@ -2923,6 +3650,7 @@ } return 0; +#endif /* NO_CPACF */ } unsigned int ica_aes_ccm(unsigned char *payload, unsigned long payload_length, @@ -2932,6 +3660,20 @@ unsigned char *key, unsigned int key_length, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(payload); + UNUSED(payload_length); + UNUSED(ciphertext_n_mac); + UNUSED(mac_length); + UNUSED(assoc_data); + UNUSED(assoc_data_length); + UNUSED(nonce); + UNUSED(nonce_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(direction); + return EPERM; +#else unsigned char tmp_mac[AES_BLOCK_SIZE]; unsigned char *mac; unsigned long function_code; @@ -2973,6 +3715,7 @@ } return 0; +#endif /* NO_CPACF */ } unsigned int ica_aes_gcm(unsigned char *plaintext, unsigned long plaintext_length, @@ -2983,6 +3726,21 @@ unsigned char *key, unsigned int key_length, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(plaintext); + UNUSED(plaintext_length); + UNUSED(ciphertext); + UNUSED(iv); + UNUSED(iv_length); + UNUSED(aad); + UNUSED(aad_length); + UNUSED(tag); + UNUSED(tag_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(direction); + return EPERM; +#else unsigned char tmp_tag[AES_BLOCK_SIZE]; unsigned long function_code; int rc; @@ -3035,6 +3793,7 @@ return EFAULT; } return 0; +#endif /* NO_CPACF */ } unsigned int ica_aes_gcm_initialize(const unsigned char *iv, @@ -3046,6 +3805,17 @@ unsigned char *subkey, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(iv); + UNUSED(iv_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(icb); + UNUSED(ucb); + UNUSED(subkey); + UNUSED(direction); + return EPERM; +#else unsigned long function_code; #ifdef ICA_FIPS @@ -3057,6 +3827,7 @@ return s390_gcm_initialize(function_code, iv, iv_length, key, icb, ucb, subkey); +#endif /* NO_CPACF */ } unsigned int ica_aes_gcm_intermediate(unsigned char *plaintext, @@ -3068,6 +3839,21 @@ unsigned char *key, unsigned int key_length, unsigned char *subkey, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(plaintext); + UNUSED(plaintext_length); + UNUSED(ciphertext); + UNUSED(cb); + UNUSED(aad); + UNUSED(aad_length); + UNUSED(tag); + UNUSED(tag_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(subkey); + UNUSED(direction); + return EPERM; +#else unsigned long function_code; int rc, iv_length_dummy = 12; @@ -3105,6 +3891,7 @@ return rc; } return 0; +#endif /* NO_CPACF */ } unsigned int ica_aes_gcm_last( unsigned char *icb, @@ -3114,6 +3901,19 @@ unsigned char *key, unsigned int key_length, unsigned char *subkey, unsigned int direction) { +#ifdef NO_CPACF + UNUSED(icb); + UNUSED(aad_length); + UNUSED(ciph_length); + UNUSED(tag); + UNUSED(final_tag); + UNUSED(final_tag_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(subkey); + UNUSED(direction); + return EPERM; +#else unsigned long function_code; int rc; @@ -3140,6 +3940,7 @@ return EFAULT; } return 0; +#endif /* NO_CPACF */ } /************************************************************************************* @@ -3149,6 +3950,9 @@ kma_ctx* ica_aes_gcm_kma_ctx_new(void) { +#ifdef NO_CPACF + return NULL; +#else kma_ctx* ctx = malloc(sizeof(kma_ctx)); if (!ctx) return NULL; @@ -3156,6 +3960,7 @@ memset(ctx, 0, sizeof(kma_ctx)); return ctx; +#endif /* NO_CPACF */ } int ica_aes_gcm_kma_init(unsigned int direction, @@ -3163,6 +3968,15 @@ const unsigned char *key, unsigned int key_length, kma_ctx* ctx) { +#ifdef NO_CPACF + UNUSED(direction); + UNUSED(iv); + UNUSED(iv_length); + UNUSED(key); + UNUSED(key_length); + UNUSED(ctx); + return EPERM; +#else int rc = 0; unsigned long function_code = aes_directed_fc(key_length, direction); @@ -3202,6 +4016,7 @@ } return rc; +#endif /* NO_CPACF */ } int ica_aes_gcm_kma_update(const unsigned char *in_data, @@ -3210,6 +4025,17 @@ unsigned int end_of_aad, unsigned int end_of_data, kma_ctx* ctx) { +#ifdef NO_CPACF + UNUSED(in_data); + UNUSED(out_data); + UNUSED(data_length); + UNUSED(aad); + UNUSED(aad_length); + UNUSED(end_of_aad); + UNUSED(end_of_data); + UNUSED(ctx); + return EPERM; +#else unsigned int function_code = aes_directed_fc(ctx->key_length, ctx->direction); #ifdef ICA_FIPS @@ -3237,10 +4063,17 @@ return s390_aes_gcm_kma(in_data, out_data, data_length, aad, aad_length, end_of_aad, end_of_data, ctx); } +#endif /* NO_CPACF */ } int ica_aes_gcm_kma_get_tag(unsigned char *tag, unsigned int tag_length, const kma_ctx* ctx) { +#ifdef NO_CPACF + UNUSED(tag); + UNUSED(tag_length); + UNUSED(ctx); + return EPERM; +#else int rc=0; unsigned int function_code = aes_directed_fc(ctx->key_length, ctx->direction); @@ -3262,10 +4095,17 @@ memcpy(tag, ctx->tag, tag_length); return 0; +#endif /* NO_CPACF */ } int ica_aes_gcm_kma_verify_tag(const unsigned char* known_tag, unsigned int tag_length, const kma_ctx* ctx) { +#ifdef NO_CPACF + UNUSED(known_tag); + UNUSED(tag_length); + UNUSED(ctx); + return EPERM; +#else int rc; unsigned int function_code = aes_directed_fc(ctx->key_length, ctx->direction); @@ -3288,6 +4128,7 @@ return EFAULT; return 0; +#endif /* NO_CPACF */ } void ica_aes_gcm_kma_ctx_free(kma_ctx* ctx) @@ -3402,6 +4243,15 @@ const unsigned char *pers, size_t pers_len) { +#ifdef NO_CPACF + UNUSED(sh); + UNUSED(sec); + UNUSED(pr); + UNUSED(mech); + UNUSED(pers); + UNUSED(pers_len); + return EPERM; +#else int status; #ifdef ICA_FIPS @@ -3427,6 +4277,7 @@ mech->error_state = status; return ica_drbg_error(status); +#endif /* NO_CPACF */ } int ica_drbg_reseed(ica_drbg_t *sh, @@ -3434,6 +4285,13 @@ const unsigned char *add, size_t add_len) { +#ifdef NO_CPACF + UNUSED(sh); + UNUSED(pr); + UNUSED(add); + UNUSED(add_len); + return EPERM; +#else int status; #ifdef ICA_FIPS @@ -3455,6 +4313,7 @@ sh->mech->error_state = status; return ica_drbg_error(status); +#endif /* NO_CPACF */ } int ica_drbg_generate(ica_drbg_t *sh, @@ -3465,6 +4324,16 @@ unsigned char *prnd, size_t prnd_len) { +#ifdef NO_CPACF + UNUSED(sh); + UNUSED(sec); + UNUSED(pr); + UNUSED(add); + UNUSED(add_len); + UNUSED(prnd); + UNUSED(prnd_len); + return EPERM; +#else int status; #ifdef ICA_FIPS @@ -3509,15 +4378,21 @@ drbg_zmem(prnd, prnd_len); return ica_drbg_error(status); +#endif /* NO_CPACF */ } int ica_drbg_uninstantiate(ica_drbg_t **sh) { +#ifdef NO_CPACF + UNUSED(sh); + return EPERM; +#else /* Uninstantiate health test runs whenever other functions are * tested (11.3.5). */ /* Uninstantiate. */ return ica_drbg_error(drbg_uninstantiate(sh, false)); +#endif /* NO_CPACF */ } int ica_drbg_health_test(void *func, @@ -3525,6 +4400,13 @@ bool pr, ica_drbg_mech_t *mech) { +#ifdef NO_CPACF + UNUSED(func); + UNUSED(sec); + UNUSED(pr); + UNUSED(mech); + return EPERM; +#else int status; status = drbg_mech_valid(mech); @@ -3549,6 +4431,7 @@ pthread_rwlock_unlock(&mech->lock); return ica_drbg_error(status); +#endif /* NO_CPACF */ } #ifdef ICA_FIPS diff -Nru libica-3.7.0/src/icainfo.c libica-3.8.0/src/icainfo.c --- libica-3.7.0/src/icainfo.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/icainfo.c 2021-05-17 10:26:08.000000000 -0500 @@ -31,12 +31,21 @@ #include "ica_api.h" #include "s390_crypto.h" +#if defined(NO_SW_FALLBACKS) && defined(NO_CPACF) +#define CMD_NAME "icainfo-cex" +#else #define CMD_NAME "icainfo" -#define COPYRIGHT "Copyright IBM Corp. 2007, 2016." +#endif +#define COPYRIGHT "Copyright IBM Corp. 2007, 2021." + void print_version(void) { +#if defined(NO_SW_FALLBACKS) && defined(NO_CPACF) + printf(CMD_NAME ": libica-cex version " VERSION "\n" COPYRIGHT "\n"); +#else printf(CMD_NAME ": libica version " VERSION "\n" COPYRIGHT "\n"); +#endif } void print_help(char *cmd) @@ -83,7 +92,7 @@ {"ECDH", EC_DH}, {"ECDSA Sign", EC_DSA_SIGN}, {"ECDSA Verify", EC_DSA_VERIFY}, - {"ECKGEN", EC_KGEN}, + {"EC Keygen", EC_KGEN}, {"Ed25519 Keygen", ED25519_KEYGEN}, {"Ed25519 Sign", ED25519_SIGN}, {"Ed25519 Verify", ED25519_VERIFY}, @@ -177,7 +186,15 @@ if (((ica_fips_status() & ICA_FIPS_MODE) && !fips_approved(pmech_list[j].mech_mode_id)) || ica_fips_status() >> 1) { +#if defined(NO_SW_FALLBACKS) && defined(NO_CPACF) + printf("%14s | blocked | - | - \n", +#elif defined (NO_CPACF) + printf("%14s | blocked | - | - \n", +#elif defined (NO_SW_FALLBACKS) + printf("%14s | blocked | blocked | - \n", +#else printf("%14s | blocked | blocked | blocked\n", +#endif crypt_map[i].name); break; } @@ -187,9 +204,17 @@ CELL_SIZE, pmech_list[j].flags & ICA_FLAG_DHW ? "yes" : "no", CELL_SIZE, +#ifdef NO_CPACF + pmech_list[j].flags & ICA_FLAG_SHW ? "yes" : "-", +#else pmech_list[j].flags & ICA_FLAG_SHW ? "yes" : "no", +#endif CELL_SIZE, +#if defined(NO_SW_FALLBACKS) || defined(NO_CPACF) + pmech_list[j].flags & ICA_FLAG_SW ? "yes" : "-"); +#else pmech_list[j].flags & ICA_FLAG_SW ? "yes" : "no"); +#endif } } } @@ -205,5 +230,12 @@ printf("No built-in FIPS support.\n"); #endif /* ICA_FIPS */ +#ifdef NO_SW_FALLBACKS + printf("Software fallbacks are disabled in libica-cex.\n"); +#endif +#ifdef NO_CPACF + printf("CPACF support (including fallbacks) is disabled in libica-cex.\n"); +#endif + return EXIT_SUCCESS; } diff -Nru libica-3.7.0/src/include/icastats.h libica-3.8.0/src/include/icastats.h --- libica-3.7.0/src/include/icastats.h 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/include/icastats.h 2021-05-17 10:26:08.000000000 -0500 @@ -110,7 +110,7 @@ "ECDH", \ "ECDSA Sign", \ "ECDSA Verify", \ - "ECKGEN", \ + "EC Keygen", \ "Ed25519 Keygen",\ "Ed25519 Sign", \ "Ed25519 Verify",\ diff -Nru libica-3.7.0/src/include/s390_aes.h libica-3.8.0/src/include/s390_aes.h --- libica-3.7.0/src/include/s390_aes.h 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/include/s390_aes.h 2021-05-17 10:26:08.000000000 -0500 @@ -327,6 +327,8 @@ &aes_key, direction); } + OPENSSL_cleanse(&aes_key, sizeof(aes_key)); + return 0; } @@ -388,6 +390,8 @@ AES_cbc_encrypt(input_data, output_data, input_length, &aes_key, (unsigned char *) iv, direction); + OPENSSL_cleanse(&aes_key, sizeof(aes_key)); + return 0; } diff -Nru libica-3.7.0/src/include/s390_des.h libica-3.8.0/src/include/s390_des.h --- libica-3.7.0/src/include/s390_des.h 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/include/s390_des.h 2021-05-17 10:26:08.000000000 -0500 @@ -112,6 +112,10 @@ break; } + OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1)); + OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2)); + OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3)); + return 0; } @@ -193,6 +197,10 @@ break; }; + OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1)); + OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2)); + OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3)); + return 0; } diff -Nru libica-3.7.0/src/include/test_vec.h libica-3.8.0/src/include/test_vec.h --- libica-3.7.0/src/include/test_vec.h 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/include/test_vec.h 2021-05-17 10:26:08.000000000 -0500 @@ -366,6 +366,19 @@ extern const struct sha_tv SHA512_TV[]; extern const size_t SHA512_TV_LEN; + +extern const struct sha_tv SHA3_224_TV[]; +extern const size_t SHA3_224_TV_LEN; + +extern const struct sha_tv SHA3_256_TV[]; +extern const size_t SHA3_256_TV_LEN; + +extern const struct sha_tv SHA3_384_TV[]; +extern const size_t SHA3_384_TV_LEN; + +extern const struct sha_tv SHA3_512_TV[]; +extern const size_t SHA3_512_TV_LEN; + #endif /* ICA_FIPS */ #ifdef ICA_INTERNAL_TEST_EC diff -Nru libica-3.7.0/src/Makefile.am libica-3.8.0/src/Makefile.am --- libica-3.7.0/src/Makefile.am 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/Makefile.am 2021-05-17 10:26:08.000000000 -0500 @@ -1,18 +1,21 @@ -VERSION = 3:7:0 +VERSION = 3:8:0 AM_CFLAGS = @FLAGS@ +MAJOR := `echo $(VERSION) | cut -d: -f1` +MINOR := `echo $(VERSION) | cut -d: -f2` +PATCH := `echo $(VERSION) | cut -d: -f3` +VERSION1 := $(MAJOR).$(MINOR).$(PATCH) # lib -lib_LTLIBRARIES = libica.la +lib_LTLIBRARIES = libica.la libica-cex.la -libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \ +CFLAGS_common = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \ -fvisibility=hidden -pthread -libica_la_CCASFLAGS = ${AM_CFLAGS} -libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl -libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \ +LIBS_common = @LIBS@ -lrt -lcrypto -ldl +LDFLAGS_common = -Wl,--version-script=${srcdir}/../libica.map \ -version-number ${VERSION} -libica_la_SOURCES = ica_api.c init.c icastats_shared.c s390_rsa.c \ +SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \ s390_crypto.c s390_ecc.c s390_prng.c s390_sha.c \ s390_drbg.c s390_drbg_sha512.c test_vec.c fips.c \ mp.S rng.c \ @@ -26,19 +29,53 @@ include/s390_rsa.h include/s390_sha.h include/test_vec.h \ include/rng.h +libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\" +libica_la_CCASFLAGS = ${AM_CFLAGS} +libica_la_LIBADD = ${LIBS_common} +libica_la_LDFLAGS = ${LDFLAGS_common} +libica_la_SOURCES = ${SOURCES_common} + +libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\" +libica_cex_la_CCASFLAGS = ${AM_CFLAGS} +libica_cex_la_LIBADD = ${LIBS_common} +libica_cex_la_LDFLAGS = ${LDFLAGS_common} +libica_cex_la_SOURCES = ${SOURCES_common} + EXTRA_DIST = mp.pl mp.S : mp.pl ./mp.pl mp.S +if ICA_FIPS +hmac-file-lnk: hmac-file + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac + $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac + +hmac-file: libica.la libica-cex.la + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac + +hmac_files = hmac-file hmac-file-lnk + +all-local: $(hmac_files) +endif + # bin -bin_PROGRAMS = icainfo icastats +bin_PROGRAMS = icainfo icastats icainfo-cex -icainfo_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include -icainfo_LDADD = @LIBS@ libica.la -icainfo_SOURCES = icainfo.c include/fips.h include/s390_crypto.h \ +icainfo_CFLAGS_COMMON = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include +icainfo_LDADD_COMMON = @LIBS@ +icainfo_SOURCES_COMMON = icainfo.c include/fips.h include/s390_crypto.h \ ../include/ica_api.h +icainfo_CFLAGS = ${icainfo_CFLAGS_COMMON} +icainfo_LDADD = ${icainfo_LDADD_COMMON} libica.la +icainfo_SOURCES = ${icainfo_SOURCES_COMMON} + +icainfo_cex_CFLAGS = ${icainfo_CFLAGS_COMMON} -DNO_CPACF -DNO_SW_FALLBACKS +icainfo_cex_LDADD = ${icainfo_LDADD_COMMON} libica-cex.la +icainfo_cex_SOURCES = ${icainfo_SOURCES_COMMON} + icastats_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -DICASTATS icastats_LDADD = @LIBS@ -lrt icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h @@ -51,7 +88,8 @@ internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \ -I${srcdir}/../include \ -DICA_INTERNAL_TEST \ - -DICA_INTERNAL_TEST_EC + -DICA_INTERNAL_TEST_EC \ + -DLIBNAME=\"libica\" internal_tests_ec_internal_test_CCASFLAGS = ${AM_CFLAGS} internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread -ldl internal_tests_ec_internal_test_SOURCES = \ @@ -69,3 +107,5 @@ include/s390_rsa.h include/s390_sha.h include/test_vec.h \ include/rng.h ../test/testcase.h endif + +.PHONY: hmac-file hmac-file-lnk diff -Nru libica-3.7.0/src/s390_crypto.c libica-3.8.0/src/s390_crypto.c --- libica-3.7.0/src/s390_crypto.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/s390_crypto.c 2021-05-17 10:26:08.000000000 -0500 @@ -280,7 +280,7 @@ s390_pcc(S390_CRYPTO_QUERY, mask); end_sigill_section(&oldact, &oldset); } - for (n = 0; n < (sizeof(s390_ppno_functions) / + for (n = 0; n < (sizeof(s390_pcc_functions) / sizeof(s390_supported_function_t)); n++) if (S390_CRYPTO_TEST_MASK(mask, s390_pcc_functions[n].hw_fc)) *s390_pcc_functions[n].enabled = 1; @@ -667,6 +667,19 @@ pmech_list[x].property = 0; } #endif /* ICA_FIPS */ + +#ifdef NO_CPACF + pmech_list[x].flags &= ~ICA_FLAG_SHW; + /* NO_CPACF also removes sw fallbacks for CPACF based functions, but not + * for card-based functions. */ + if (pmech_list[x].flags & ICA_FLAG_SW && !(pmech_list[x].flags & ICA_FLAG_DHW)) { + pmech_list[x].flags &= ~ICA_FLAG_SW; + } +#endif /* NO_CPACF */ + +#ifdef NO_SW_FALLBACKS + pmech_list[x].flags &= ~ICA_FLAG_SW; +#endif } return 0; } diff -Nru libica-3.7.0/src/s390_ecc.c libica-3.8.0/src/s390_ecc.c --- libica-3.7.0/src/s390_ecc.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/s390_ecc.c 2021-05-17 10:26:08.000000000 -0500 @@ -64,6 +64,18 @@ int curve_nid); /** + * Since kernel 4.10 the zcrypt device driver has multi domain support and + * accepts CPRBs via the ioctl ZSECSENDCPRB with domain addressing 0xFFFF + * (AUTOSELECT_DOM in zcrypyt.h). This allows for load balancing between + * multiple available crypto cards. + */ +typedef enum { + dom_addressing_autoselect = 0, + dom_addressing_default_domain, +} dom_addressing_t; +int dom_addressing = dom_addressing_autoselect; + +/** * Check if openssl does support this ec curve */ static int is_supported_openssl_curve(int nid) @@ -248,8 +260,10 @@ cprbx->cprb_ver_id = 0x02; memcpy(&(cprbx->func_id), "T2", 2); cprbx->req_parml = parmlen; - cprbx->domain = get_default_domain(); - + if (dom_addressing == dom_addressing_autoselect) + cprbx->domain = 0xFFFF; + else + cprbx->domain = get_default_domain(); cprbx->rpl_msgbl = CPRBXSIZE + PARMBSIZE; cprbx->req_parmb = ((uint8_t *) preqcblk) + CPRBXSIZE; cprbx->rpl_parmb = ((uint8_t *) prepcblk) + CPRBXSIZE; @@ -739,7 +753,7 @@ const ICA_EC_KEY *privkey_A, const ICA_EC_KEY *pubkey_B, unsigned char *z) { - uint8_t *buf; + uint8_t *buf = NULL; size_t len; int rc; struct ica_xcRB xcrb; @@ -760,13 +774,25 @@ return EIO; reply_p = make_ecdh_request(privkey_A, pubkey_B, &xcrb, &buf, &len); - if (!reply_p) - return EIO; + if (!reply_p) { + rc = EIO; + goto ret; + } rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); if (rc != 0) { - rc = EIO; - goto ret; + dom_addressing = dom_addressing_default_domain; + reply_p = make_ecdh_request(privkey_A, pubkey_B, &xcrb, &buf, &len); + if (!reply_p) { + rc = EIO; + goto ret; + } + + rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); + if (rc != 0) { + rc = EIO; + goto ret; + } } if (reply_p->key_len - 4 != privlen) { @@ -777,8 +803,10 @@ memcpy(z, reply_p->raw_z_value, privlen); rc = 0; ret: - OPENSSL_cleanse(buf, len); - free(buf); + if (buf) { + OPENSSL_cleanse(buf, len); + free(buf); + } return rc; } @@ -1125,7 +1153,7 @@ const ICA_EC_KEY *privkey, const unsigned char *hash, unsigned int hash_length, unsigned char *signature) { - uint8_t *buf; + uint8_t *buf = NULL; size_t len; int rc; struct ica_xcRB xcrb; @@ -1153,13 +1181,26 @@ reply_p = make_ecdsa_sign_request((const ICA_EC_KEY*)privkey, X, Y, hash, hash_length, &xcrb, &buf, &len); - if (!reply_p) - return EIO; + if (!reply_p) { + rc = EIO; + goto ret; + } rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); if (rc != 0) { - rc = EIO; - goto ret; + dom_addressing = dom_addressing_default_domain; + reply_p = make_ecdsa_sign_request((const ICA_EC_KEY*)privkey, + X, Y, hash, hash_length, &xcrb, &buf, &len); + if (!reply_p) { + rc = EIO; + goto ret; + } + + rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); + if (rc != 0) { + rc = EIO; + goto ret; + } } if (reply_p->vud_len - 8 != 2 * privlen) { @@ -1170,8 +1211,10 @@ memcpy(signature, reply_p->signature, reply_p->vud_len-8); rc = 0; ret: - OPENSSL_cleanse(buf, len); - free(buf); + if (buf) { + OPENSSL_cleanse(buf, len); + free(buf); + } return rc; } @@ -1582,7 +1625,7 @@ const ICA_EC_KEY *pubkey, const unsigned char *hash, unsigned int hash_length, const unsigned char *signature) { - uint8_t *buf; + uint8_t *buf = NULL; size_t len; int rc; struct ica_xcRB xcrb; @@ -1602,13 +1645,26 @@ reply_p = make_ecdsa_verify_request(pubkey, hash, hash_length, signature, &xcrb, &buf, &len); - if (!reply_p) - return EIO; + if (!reply_p) { + rc = EIO; + goto ret; + } rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); if (rc != 0) { - rc = EIO; - goto ret; + dom_addressing = dom_addressing_default_domain; + reply_p = make_ecdsa_verify_request(pubkey, hash, hash_length, + signature, &xcrb, &buf, &len); + if (!reply_p) { + rc = EIO; + goto ret; + } + + rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); + if (rc != 0) { + rc = EIO; + goto ret; + } } if (((struct CPRBX*)reply_p)->ccp_rtcode == 4 && @@ -1625,8 +1681,10 @@ rc = 0; ret: - OPENSSL_cleanse(buf, len); - free(buf); + if (buf) { + OPENSSL_cleanse(buf, len); + free(buf); + } return rc; } @@ -1940,7 +1998,7 @@ */ unsigned int eckeygen_hw(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key) { - uint8_t *buf; + uint8_t *buf = NULL; size_t len; int rc; struct ica_xcRB xcrb; @@ -1959,13 +2017,25 @@ return ENODEV; reply_p = make_eckeygen_request(key, &xcrb, &buf, &len); - if (!reply_p) - return EIO; + if (!reply_p) { + rc = EIO; + goto ret; + } rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); if (rc != 0) { - rc = EIO; - goto ret; + dom_addressing = dom_addressing_default_domain; + reply_p = make_eckeygen_request(key, &xcrb, &buf, &len); + if (!reply_p) { + rc = EIO; + goto ret; + } + + rc = ioctl(adapter_handle, ZSECSENDCPRB, xcrb); + if (rc != 0) { + rc = EIO; + goto ret; + } } if (reply_p->eckey.privsec.formatted_data_len != privlen) { @@ -1985,8 +2055,10 @@ memcpy(key->X, (char*)pub_p->pubkey, 2*privlen); rc = 0; ret: - OPENSSL_cleanse(buf, len); - free(buf); + if (buf) { + OPENSSL_cleanse(buf, len); + free(buf); + } return rc; } @@ -2251,6 +2323,7 @@ exit(TEST_FAIL); \ } while(0) +#ifndef NO_CPACF static void ecdsa_test(void) { unsigned long long rnd[2]; @@ -2298,6 +2371,7 @@ TEST_ERROR("Unknown hash", "ECDSA", i); } + if (rc) TEST_ERROR("Hashing failed", "ECDSA", i); @@ -2639,9 +2713,14 @@ t4++; } } +#endif /* NO_CPACF */ int main(void) { +#ifdef NO_CPACF + printf("Skipping EC internal test, because CPACF support disabled via config option.\n"); + exit(TEST_SKIP); +#else if (!msa9_switch) exit(TEST_SKIP); @@ -2650,6 +2729,7 @@ ecdsa_test(); return TEST_SUCC; +#endif } #endif diff -Nru libica-3.7.0/src/s390_prng.c libica-3.8.0/src/s390_prng.c --- libica-3.7.0/src/s390_prng.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/s390_prng.c 2021-05-17 10:26:08.000000000 -0500 @@ -70,6 +70,35 @@ /* Constant */ #define PRNG_BLK_SZ 8 +#if defined(NO_CPACF) && defined(ICA_FIPS) +/** + * Generate random numbers using fips-approved random sources. + * /dev/random can be used in fips mode, but not /dev/urandom. + */ +static int s390_prng_fips(unsigned char *output_data, unsigned int output_length) +{ + const char *const rng_list[] = { + "/dev/prandom", + "/dev/hwrng", + "/dev/random" }; + const size_t rng_list_len = sizeof(rng_list) / sizeof(rng_list[0]); + size_t priority, status; + FILE *fd; + + for (priority = 0; priority < rng_list_len; priority++) { + fd = fopen(rng_list[priority], "r"); + if (fd) { + status = fread(output_data, output_length, 1, fd); + fclose(fd); + if (status == 1) + return 0; + } + } + + return EIO; +} +#endif + int s390_prng_init(void) { int rc = -1; @@ -216,6 +245,14 @@ return 0; } +#if defined(NO_CPACF) && defined(ICA_FIPS) + rc = s390_prng_fips(output_data, output_length); + if (rc == 0) + stats_increment(ICA_STATS_PRNG, ALGO_SW, ENCRYPT); + + return rc; +#endif + #ifndef ICA_FIPS /* Old prng code disabled with FIPS built. */ if (prng_switch) rc = s390_prng_hw(output_data, output_length); diff -Nru libica-3.7.0/src/s390_rsa.c libica-3.8.0/src/s390_rsa.c --- libica-3.7.0/src/s390_rsa.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/s390_rsa.c 2021-05-17 10:26:08.000000000 -0500 @@ -29,6 +29,11 @@ #include "s390_rsa.h" #include "s390_prng.h" +#if defined(NO_SW_FALLBACKS) +#define UNUSED(var) ((void)(var)) +#endif + +#ifndef NO_SW_FALLBACKS static unsigned int mod_expo_sw(int arg_length, char *arg, int exp_length, char *exp, int mod_length, char *mod, int *res_length, char *res, BN_CTX *ctx); @@ -47,6 +52,7 @@ static unsigned int mod_expo_sw(int arg_length, char *arg, int exp_length, char *exp, int mod_length, char *mod, int *res_length, char *res, BN_CTX *ctx); +#endif /* NO_SW_FALLBACKS */ RSA* rsa_key_generate(unsigned int modulus_bit_length, unsigned long *public_exponent) @@ -294,6 +300,8 @@ return 0; } + +#ifndef NO_SW_FALLBACKS /** * @deprecated Perform a modular muliplication operation in software. */ @@ -384,6 +392,7 @@ return rc; } +#endif /* NO_SW_FALLBACKS */ /** * Perform a mod expo operation using a key in modulus/exponent form, in @@ -403,6 +412,10 @@ */ unsigned int rsa_mod_expo_sw(ica_rsa_modexpo_t *pMex) { +#ifdef NO_SW_FALLBACKS + UNUSED(pMex); + return EPERM; +#else int rc = 0; BN_CTX *ctx = NULL; @@ -429,8 +442,10 @@ if (rc == 1) rc = EIO; return rc; +#endif /* NO_SW_FALLBACKS */ } +#ifndef NO_SW_FALLBACKS /** * Perform a mod expo operation using a key in modulus/exponent form, in * software. @@ -525,6 +540,7 @@ return rc; } +#endif /* NO_SW_FALLBACKS */ /** * Perform a RSA mod expo on input data using a key in CRT format, in software. @@ -547,6 +563,10 @@ */ unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt) { +#ifdef NO_SW_FALLBACKS + UNUSED(pCrt); + return EPERM; +#else int rc = 0; unsigned int long_length = 0; unsigned int short_length = 0; @@ -671,8 +691,10 @@ BN_CTX_free(ctx); return rc; +#endif /* NO_SW_FALLBACKS */ } +#ifndef NO_SW_FALLBACKS /** * Perform a 'residue modulo' operation using an argument and a modulus. * @param arg_length The byte length of the input data @@ -995,4 +1017,4 @@ return rc; } - +#endif /* NO_SW_FALLBACKS */ diff -Nru libica-3.7.0/src/s390_sha.c libica-3.8.0/src/s390_sha.c --- libica-3.7.0/src/s390_sha.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/s390_sha.c 2021-05-17 10:26:08.000000000 -0500 @@ -241,14 +241,14 @@ if (message_part == SHA_MSG_PART_ONLY || message_part == SHA_MSG_PART_FIRST) { SHA512_Init(&ctx); /* SHA-512/224 uses a distinct initial hash value */ - ctx.h[0] = U64(0x8c3d37c819544da2); - ctx.h[1] = U64(0x73e1996689dcd4d6); - ctx.h[2] = U64(0x1dfab7ae32ff9c82); - ctx.h[3] = U64(0x679dd514582f9fcf); - ctx.h[4] = U64(0x0f6d2b697bd44da8); - ctx.h[5] = U64(0x77e36f7304c48942); - ctx.h[6] = U64(0x3f9d85a86a1d36c8); - ctx.h[7] = U64(0x1112e6ad91d692a1); + ctx.h[0] = UINT64_C(0x8c3d37c819544da2); + ctx.h[1] = UINT64_C(0x73e1996689dcd4d6); + ctx.h[2] = UINT64_C(0x1dfab7ae32ff9c82); + ctx.h[3] = UINT64_C(0x679dd514582f9fcf); + ctx.h[4] = UINT64_C(0x0f6d2b697bd44da8); + ctx.h[5] = UINT64_C(0x77e36f7304c48942); + ctx.h[6] = UINT64_C(0x3f9d85a86a1d36c8); + ctx.h[7] = UINT64_C(0x1112e6ad91d692a1); } else { ctx.md_len = SHA224_DIGEST_LENGTH; ctx.Nl = *running_length_lo; @@ -289,14 +289,14 @@ if (message_part == SHA_MSG_PART_ONLY || message_part == SHA_MSG_PART_FIRST) { SHA512_Init(&ctx); /* SHA-512/256 uses a distinct initial hash value */ - ctx.h[0] = U64(0x22312194fc2bf72c); - ctx.h[1] = U64(0x9f555fa3c84c64c2); - ctx.h[2] = U64(0x2393b86b6f53b151); - ctx.h[3] = U64(0x963877195940eabd); - ctx.h[4] = U64(0x96283ee2a88effe3); - ctx.h[5] = U64(0xbe5e1e2553863992); - ctx.h[6] = U64(0x2b0199fc2c85b8aa); - ctx.h[7] = U64(0x0eb72ddc81c52ca2); + ctx.h[0] = UINT64_C(0x22312194fc2bf72c); + ctx.h[1] = UINT64_C(0x9f555fa3c84c64c2); + ctx.h[2] = UINT64_C(0x2393b86b6f53b151); + ctx.h[3] = UINT64_C(0x963877195940eabd); + ctx.h[4] = UINT64_C(0x96283ee2a88effe3); + ctx.h[5] = UINT64_C(0xbe5e1e2553863992); + ctx.h[6] = UINT64_C(0x2b0199fc2c85b8aa); + ctx.h[7] = UINT64_C(0x0eb72ddc81c52ca2); } else { ctx.md_len = SHA256_DIGEST_LENGTH; ctx.Nl = *running_length_lo; diff -Nru libica-3.7.0/src/test_vec.c libica-3.8.0/src/test_vec.c --- libica-3.7.0/src/test_vec.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/src/test_vec.c 2021-05-17 10:26:08.000000000 -0500 @@ -2449,6 +2449,61 @@ } }, }; + +const struct sha_tv SHA3_224_TV[] = { +{ +.msg_len = 3, +.msg = (unsigned char []){ +0x61, 0x62, 0x63, +}, +.md = (unsigned char []){ +0xe6,0x42,0x82,0x4c,0x3f,0x8c,0xf2,0x4a,0xd0,0x92,0x34,0xee,0x7d,0x3c,0x76,0x6f, +0xc9,0xa3,0xa5,0x16,0x8d,0x0c,0x94,0xad,0x73,0xb4,0x6f,0xdf, +} +}, +}; + +const struct sha_tv SHA3_256_TV[] = { +{ +.msg_len = 3, +.msg = (unsigned char []){ +0x61, 0x62, 0x63, +}, +.md = (unsigned char []){ +0x3A,0x98,0x5D,0xA7,0x4F,0xE2,0x25,0xB2,0x04,0x5C,0x17,0x2D,0x6B,0xD3,0x90,0xBD, +0x85,0x5F,0x08,0x6E,0x3E,0x9D,0x52,0x5B,0x46,0xBF,0xE2,0x45,0x11,0x43,0x15,0x32, +} +}, +}; + +const struct sha_tv SHA3_384_TV[] = { +{ +.msg_len = 3, +.msg = (unsigned char []){ +0x61, 0x62, 0x63, +}, +.md = (unsigned char []){ +0xEC,0x01,0x49,0x82,0x88,0x51,0x6F,0xC9,0x26,0x45,0x9F,0x58,0xE2,0xC6,0xAD,0x8D, +0xF9,0xB4,0x73,0xCB,0x0F,0xC0,0x8C,0x25,0x96,0xDA,0x7C,0xF0,0xE4,0x9B,0xE4,0xB2, +0x98,0xD8,0x8C,0xEA,0x92,0x7A,0xC7,0xF5,0x39,0xF1,0xED,0xF2,0x28,0x37,0x6D,0x25, +} +}, +}; + +const struct sha_tv SHA3_512_TV[] = { +{ +.msg_len = 3, +.msg = (unsigned char []){ +0x61, 0x62, 0x63, +}, +.md = (unsigned char []){ +0xB7,0x51,0x85,0x0B,0x1A,0x57,0x16,0x8A,0x56,0x93,0xCD,0x92,0x4B,0x6B,0x09,0x6E, +0x08,0xF6,0x21,0x82,0x74,0x44,0xF7,0x0D,0x88,0x4F,0x5D,0x02,0x40,0xD2,0x71,0x2E, +0x10,0xE1,0x16,0xE9,0x19,0x2A,0xF3,0xC9,0x1A,0x7E,0xC5,0x76,0x47,0xE3,0x93,0x40, +0x57,0x34,0x0B,0x4C,0xF4,0x08,0xD5,0xA5,0x65,0x92,0xF8,0x27,0x4E,0xEC,0x53,0xF0, +} +}, +}; #endif /* ICA_FIPS */ #ifdef ICA_INTERNAL_TEST_EC @@ -5759,6 +5814,10 @@ const size_t SHA256_TV_LEN = sizeof(SHA256_TV) / sizeof(SHA256_TV[0]); const size_t SHA384_TV_LEN = sizeof(SHA384_TV) / sizeof(SHA384_TV[0]); const size_t SHA512_TV_LEN = sizeof(SHA512_TV) / sizeof(SHA512_TV[0]); +const size_t SHA3_224_TV_LEN = sizeof(SHA3_224_TV) / sizeof(SHA3_224_TV[0]); +const size_t SHA3_256_TV_LEN = sizeof(SHA3_256_TV) / sizeof(SHA3_256_TV[0]); +const size_t SHA3_384_TV_LEN = sizeof(SHA3_384_TV) / sizeof(SHA3_384_TV[0]); +const size_t SHA3_512_TV_LEN = sizeof(SHA3_512_TV) / sizeof(SHA3_512_TV[0]); #endif /* ICA_FIPS */ #ifdef ICA_INTERNAL_TEST_EC const size_t ECDSA_TV_LEN = sizeof(ECDSA_TV) / sizeof(ECDSA_TV[0]); diff -Nru libica-3.7.0/test/aes_128_test.c libica-3.8.0/test/aes_128_test.c --- libica-3.7.0/test/aes_128_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_128_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -217,6 +217,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-128 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int mode = 0; int rc = 0; int error_count = 0; @@ -274,4 +280,5 @@ return TEST_FAIL; return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_192_test.c libica-3.8.0/test/aes_192_test.c --- libica-3.7.0/test/aes_192_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_192_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -98,6 +98,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-192 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int mode = 0; int rc = 0; int error_count = 0; @@ -153,4 +159,5 @@ return TEST_FAIL; return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_256_test.c libica-3.8.0/test/aes_256_test.c --- libica-3.7.0/test/aes_256_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_256_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -97,6 +97,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-256 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int mode = 0; int rc = 0; int error_count = 0; @@ -152,4 +158,5 @@ return TEST_FAIL; return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_cbc_test.c libica-3.8.0/test/aes_cbc_test.c --- libica-3.7.0/test/aes_cbc_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_cbc_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -567,6 +567,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-CBC test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -603,5 +609,6 @@ printf("All AES-CBC tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_cfb_test.c libica-3.8.0/test/aes_cfb_test.c --- libica-3.7.0/test/aes_cfb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_cfb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -761,6 +761,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-CFB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int data_length = 1; unsigned int lcfb = 1; unsigned int j; @@ -815,4 +821,5 @@ printf("All AES-CFB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_ctr_test.c libica-3.8.0/test/aes_ctr_test.c --- libica-3.7.0/test/aes_ctr_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_ctr_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -584,6 +584,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-CTR test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int endless = 0; int i = 0; int rc = 0; @@ -648,5 +654,6 @@ printf("All AES-CTR tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_ecb_test.c libica-3.8.0/test/aes_ecb_test.c --- libica-3.7.0/test/aes_ecb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_ecb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -441,6 +441,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-ECB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -474,5 +480,6 @@ printf("All AES-ECB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_gcm_kma_test.c libica-3.8.0/test/aes_gcm_kma_test.c --- libica-3.7.0/test/aes_gcm_kma_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_gcm_kma_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -716,6 +716,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-GCM-KMA test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; unsigned int iteration; @@ -756,4 +762,5 @@ printf("All AES-GCM-KMA tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_gcm_test.c libica-3.8.0/test/aes_gcm_test.c --- libica-3.7.0/test/aes_gcm_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_gcm_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -709,6 +709,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-GCM test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; unsigned int iteration; @@ -749,4 +755,5 @@ printf("All AES-GCM tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_ofb_test.c libica-3.8.0/test/aes_ofb_test.c --- libica-3.7.0/test/aes_ofb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_ofb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -495,6 +495,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-OFB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -536,5 +542,6 @@ printf("All AES-OFB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/aes_xts_test.c libica-3.8.0/test/aes_xts_test.c --- libica-3.7.0/test/aes_xts_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/aes_xts_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -621,6 +621,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-XTS test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -654,5 +660,6 @@ printf("All AES-XTS tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/cbccs_test.c libica-3.8.0/test/cbccs_test.c --- libica-3.7.0/test/cbccs_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/cbccs_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -491,6 +491,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping CBC-CS test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int variant; int rc, error_count; @@ -523,7 +529,7 @@ /* DES tests */ rc = test_des_new_api(variant); - if (rc) { + if (rc && rc != TEST_SKIP) { error_count++; printf("test_des_new_api for CBC_CS mode with DES " "failed.\n"); @@ -542,5 +548,6 @@ printf("All CBC-CS tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/ccm_test.c libica-3.8.0/test/ccm_test.c --- libica-3.7.0/test/ccm_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ccm_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -164,6 +164,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-CCM test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -176,6 +182,7 @@ printf("All AES-CCM tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/cmac_test.c libica-3.8.0/test/cmac_test.c --- libica-3.7.0/test/cmac_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/cmac_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -291,6 +291,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping AES-CMAC test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -309,4 +315,5 @@ printf("All CMAC tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/des_cbc_test.c libica-3.8.0/test/des_cbc_test.c --- libica-3.7.0/test/des_cbc_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/des_cbc_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -285,6 +285,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DES-CBC test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -326,5 +332,6 @@ printf("All DES-CBC tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/des_cfb_test.c libica-3.8.0/test/des_cfb_test.c --- libica-3.7.0/test/des_cfb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/des_cfb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -138,6 +138,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DES-CFB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -189,5 +195,6 @@ printf("All DES-CFB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/des_ctr_test.c libica-3.8.0/test/des_ctr_test.c --- libica-3.7.0/test/des_ctr_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/des_ctr_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -117,6 +117,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DES-CTR test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int i = 0; @@ -183,5 +189,6 @@ printf("All DES-CTR tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/des_ecb_test.c libica-3.8.0/test/des_ecb_test.c --- libica-3.7.0/test/des_ecb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/des_ecb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -119,6 +119,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DES-ECB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -152,5 +158,6 @@ printf("All DES-ECB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/des_ofb_test.c libica-3.8.0/test/des_ofb_test.c --- libica-3.7.0/test/des_ofb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/des_ofb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -134,6 +134,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DES-OFB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -173,5 +179,6 @@ printf("All DES-OFB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/des_test.c libica-3.8.0/test/des_test.c --- libica-3.7.0/test/des_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/des_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -90,6 +90,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DES test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int mode = 0; int rc = 0; int error_count = 0; @@ -147,4 +153,5 @@ return TEST_FAIL; return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/drbg_birthdays_test.c libica-3.8.0/test/drbg_birthdays_test.c --- libica-3.7.0/test/drbg_birthdays_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/drbg_birthdays_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -21,6 +21,7 @@ * 301 65536 = 2 ^ (8 * 2) 0.5 * 4823 16777216 = 2 ^ (8 * 3) 0.5 */ +#ifndef NO_CPACF static const int THREADS[] = {19, 301, 4823}; static const int GEN_BYTES[] = { 1, 2, 3}; @@ -40,9 +41,17 @@ return NULL; } +#endif /* NO_CPACF */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DRBG-Birthday test, because CPACF support disabled via config option.\n"); + printf("Satisfy perl script: (p = 0.50).\n"); + return TEST_SKIP; +#else long rnd_ex[3] = {0}, ex, pair_found; int i, j, rc; bool toggle; @@ -137,4 +146,5 @@ return TEST_FAIL; } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/drbg_test.c libica-3.8.0/test/drbg_test.c --- libica-3.7.0/test/drbg_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/drbg_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -80,6 +80,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping DRBG test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int i = 0; int failed = 0; int passed = 0; @@ -621,4 +627,5 @@ printf("All DRBG tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/ecdh1_test.sh libica-3.8.0/test/ecdh1_test.sh --- libica-3.7.0/test/ecdh1_test.sh 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ecdh1_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -3,5 +3,7 @@ if lszcrypt | grep -q -e "CEX.C.*online"; then ICAPATH=1 ./ecdh_test else + # Show output in log file for debugging + lszcrypt exit 77 fi diff -Nru libica-3.7.0/test/ecdh2_test.sh libica-3.8.0/test/ecdh2_test.sh --- libica-3.7.0/test/ecdh2_test.sh 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ecdh2_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -3,5 +3,7 @@ if lszcrypt | grep -q -e "CEX.C.*online"; then ICAPATH=2 ./ecdh_test else + # Show output in log file for debugging + lszcrypt exit 77 fi diff -Nru libica-3.7.0/test/ecdsa1_test.sh libica-3.8.0/test/ecdsa1_test.sh --- libica-3.7.0/test/ecdsa1_test.sh 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ecdsa1_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -3,5 +3,7 @@ if lszcrypt | grep -q -e "CEX.C.*online"; then ICAPATH=1 ./ecdsa_test else + # Show output in log file for debugging + lszcrypt exit 77 fi diff -Nru libica-3.7.0/test/ecdsa2_test.sh libica-3.8.0/test/ecdsa2_test.sh --- libica-3.7.0/test/ecdsa2_test.sh 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ecdsa2_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -3,5 +3,7 @@ if lszcrypt | grep -q -e "CEX.C.*online"; then ICAPATH=2 ./ecdsa_test else + # Show output in log file for debugging + lszcrypt exit 77 fi diff -Nru libica-3.7.0/test/ec_keygen1_test.sh libica-3.8.0/test/ec_keygen1_test.sh --- libica-3.7.0/test/ec_keygen1_test.sh 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ec_keygen1_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -3,5 +3,7 @@ if lszcrypt | grep -q -e "CEX.C.*online"; then ICAPATH=1 ./ec_keygen_test else + # Show output in log file for debugging + lszcrypt exit 77 fi diff -Nru libica-3.7.0/test/ec_keygen2_test.sh libica-3.8.0/test/ec_keygen2_test.sh --- libica-3.7.0/test/ec_keygen2_test.sh 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/ec_keygen2_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -3,5 +3,7 @@ if lszcrypt | grep -q -e "CEX.C.*online"; then ICAPATH=2 ./ec_keygen_test else + # Show output in log file for debugging + lszcrypt exit 77 fi diff -Nru libica-3.7.0/test/eddsa_test.c libica-3.8.0/test/eddsa_test.c --- libica-3.7.0/test/eddsa_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/eddsa_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -18,6 +18,7 @@ #define ITERATIONS 1000 #define MSGLEN (16384 * 2ULL) +#ifndef NO_CPACF static void check_functionlist(void); static void ed25519_kat(void); @@ -37,9 +38,16 @@ time_t seed; pthread_t threads[THREADS]; +#endif /* NO_CPACF */ int main(int argc, char *argv[]) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping ED-DSA test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int i; set_verbosity(argc, argv); @@ -75,8 +83,10 @@ ed448_speed(); return TEST_SUCC; +#endif /* NO_CPACF */ } +#ifndef NO_CPACF static void check_functionlist(void) { unsigned int i, listlen, func; @@ -599,3 +609,4 @@ if (ica_ed448_ctx_del(&ctx)) EXIT_ERR("ica_ed448_ctx_del failed."); } +#endif /* NO_CPACF */ diff -Nru libica-3.7.0/test/icastats_test.c libica-3.8.0/test/icastats_test.c --- libica-3.7.0/test/icastats_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/icastats_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -45,6 +45,12 @@ int main (int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping ICA-stats test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int value; const char *ptr; @@ -125,6 +131,7 @@ printf("All icastats tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } @@ -871,7 +878,11 @@ rc = ica_rsa_mod_expo(handle, data, &mod_expo_key, output_data); if(rc) +#ifndef NO_SW_FALLBACKS exit(handle_ica_error(rc, "ica_rsa_key_mod_expo")); +#else + rc == ENODEV ? exit(TEST_SKIP) : exit(handle_ica_error(rc, "ica_rsa_key_mod_expo")); +#endif check_icastats(RSA_ME, "RSA-ME"); rc = system("icastats -r"); @@ -881,7 +892,11 @@ rc = ica_rsa_crt(handle, data, &crt_key, output_data); if(rc) +#ifndef NO_SW_FALLBACKS exit(handle_ica_error(rc, "ica_rsa_crt")); +#else + rc == ENODEV ? exit(TEST_SKIP) : exit(handle_ica_error(rc, "ica_rsa_crt")); +#endif check_icastats(RSA_CRT, "RSA-CRT"); free(output_data); diff -Nru libica-3.7.0/test/icastats_test.sh libica-3.8.0/test/icastats_test.sh --- libica-3.7.0/test/icastats_test.sh 1969-12-31 18:00:00.000000000 -0600 +++ libica-3.8.0/test/icastats_test.sh 2021-05-17 10:26:08.000000000 -0500 @@ -0,0 +1,4 @@ +#!/bin/bash + +./icastats_test -vv + diff -Nru libica-3.7.0/test/Makefile.am libica-3.8.0/test/Makefile.am --- libica-3.7.0/test/Makefile.am 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/Makefile.am 2021-05-17 10:26:08.000000000 -0500 @@ -1,6 +1,6 @@ TESTS = \ fips_test \ -icastats_test \ +icastats_test.sh \ get_functionlist_test \ get_version_test \ rng_test \ diff -Nru libica-3.7.0/test/rng_test.c libica-3.8.0/test/rng_test.c --- libica-3.7.0/test/rng_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/rng_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -18,6 +18,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping RNG test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc; ica_adapter_handle_t adapter_handle; @@ -44,4 +50,5 @@ ica_close_adapter(adapter_handle); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/rsa_keygen_test.c libica-3.8.0/test/rsa_keygen_test.c --- libica-3.7.0/test/rsa_keygen_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/rsa_keygen_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -108,11 +108,16 @@ ica_adapter_handle_t adapter_handle = 0; V_(printf("[TEST RSA CRT]\n")); +#ifdef NO_CPACF + V_(printf("CPACF disabled, cannot create random plaintext, use static plaintext instead...\n")); + memset(plaintext, 0x12, BITSTOBYTES(key_bit_length)); +#else V_(printf("generate random plaintext...\n")); if((rc = ica_random_number_generate(BITSTOBYTES(key_bit_length) ,plaintext)) != 0){ ++rc_test; print_error_report(rc, errno, "ica_random_number_generate"); } +#endif /* make sure that plaintext < modulus */ plaintext[0] = 0; @@ -185,8 +190,17 @@ V_(printf("encrypt...\n")); if((rc = ica_rsa_mod_expo(adapter_handle, plaintext, &modexpo_public_key, ciphertext)) != 0){ +#ifndef NO_SW_FALLBACKS ++rc_test; print_error_report(rc, errno, "ica_rsa_mod_expo"); +#else + if (rc == ENODEV) { + return TEST_SKIP; + } else { + ++rc_test; + print_error_report(rc, errno, "ica_rsa_mod_expo"); + } +#endif } VV_(printf("ciphertext:\n")); @@ -195,8 +209,17 @@ V_(printf("decrypt...\n")); if((rc = ica_rsa_crt(adapter_handle, ciphertext, &crt_private_key, decrypted)) != 0){ +#ifndef NO_SW_FALLBACKS ++rc_test; print_error_report(rc, errno, "ica_rsa_crt"); +#else + if (rc == ENODEV) { + return TEST_SKIP; + } else { + ++rc_test; + print_error_report(rc, errno, "ica_rsa_crt"); + } +#endif } VV_(printf("result:\n")); diff -Nru libica-3.7.0/test/rsa_test.c libica-3.8.0/test/rsa_test.c --- libica-3.7.0/test/rsa_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/rsa_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -70,7 +70,11 @@ rc = ica_rsa_mod_expo(adapter_handle, input_data, &mod_expo_key, my_result); if (rc) +#ifndef NO_SW_FALLBACKS exit(handle_ica_error(rc, "ica_rsa_key_mod_expo")); +#else + rc == ENODEV ? exit(TEST_SKIP) : exit(handle_ica_error(rc, "ica_rsa_key_mod_expo")); +#endif VV_(printf("result of encrypt with public key\n")); dump_array(my_result, RSA_BYTE_LENGHT[i]); @@ -88,7 +92,11 @@ gettimeofday(&start, NULL); rc = ica_rsa_crt(adapter_handle, ciphertext[i], &crt_key, my_result2); if(rc) +#ifndef NO_SW_FALLBACKS exit(handle_ica_error(rc, "ica_rsa_crt")); +#else + rc == ENODEV ? exit(TEST_SKIP) : exit(handle_ica_error(rc, "ica_rsa_crt")); +#endif gettimeofday(&end, NULL); V_(printf("RSA decrypt with key[%d] (l=%d) took %06lu µs.\n", i, diff -Nru libica-3.7.0/test/sha1_test.c libica-3.8.0/test/sha1_test.c --- libica-3.7.0/test/sha1_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha1_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -186,6 +186,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA-1 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -197,5 +203,6 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/sha256_test.c libica-3.8.0/test/sha256_test.c --- libica-3.7.0/test/sha256_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha256_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -176,6 +176,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA-256 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -187,4 +193,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/sha3_224_test.c libica-3.8.0/test/sha3_224_test.c --- libica-3.7.0/test/sha3_224_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha3_224_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -187,6 +187,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA3-224 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -203,4 +209,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/sha3_256_test.c libica-3.8.0/test/sha3_256_test.c --- libica-3.7.0/test/sha3_256_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha3_256_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -196,6 +196,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA3-256 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -212,4 +218,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/sha3_384_test.c libica-3.8.0/test/sha3_384_test.c --- libica-3.7.0/test/sha3_384_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha3_384_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -191,6 +191,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA3-384 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -207,4 +213,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/sha3_512_test.c libica-3.8.0/test/sha3_512_test.c --- libica-3.7.0/test/sha3_512_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha3_512_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -193,6 +193,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA3-512 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -209,4 +215,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/shake_128_test.c libica-3.8.0/test/shake_128_test.c --- libica-3.7.0/test/shake_128_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/shake_128_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -204,6 +204,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHAKE-128 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -220,4 +226,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/shake_256_test.c libica-3.8.0/test/shake_256_test.c --- libica-3.7.0/test/shake_256_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/shake_256_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -240,6 +240,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHAKE-256 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; set_verbosity(argc, argv); @@ -256,4 +262,5 @@ } return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/sha_test.c libica-3.8.0/test/sha_test.c --- libica-3.7.0/test/sha_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/sha_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -58,6 +58,7 @@ test_t *tail; } queue_t; +#ifndef NO_CPACF static test_t new_test_t(void); static queue_t new_queue_t(void); static void push(queue_t * queue, test_t test); @@ -79,9 +80,16 @@ static int sha3_512_api_test(test_t * test); static queue_t queue; +#endif /* NO_CPACF */ int main(int argc, char *argv[]) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping SHA-1 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else test_t *curr_test; FILE *test_data; int i, j, rc, sha3_flag, sha3; @@ -210,8 +218,10 @@ printf("All SHA%s tests passed.\n", sha3_flag ? "3" : ""); return TEST_SUCC; +#endif /* NO_CPACF */ } +#ifndef NO_CPACF static test_t new_test_t(void) { test_t test; @@ -1342,3 +1352,4 @@ return TEST_SUCC; } +#endif /* NO_CPACF */ diff -Nru libica-3.7.0/test/tdes_cbc_test.c libica-3.8.0/test/tdes_cbc_test.c --- libica-3.7.0/test/tdes_cbc_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/tdes_cbc_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -137,6 +137,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping TDES-CBC test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -161,5 +167,6 @@ printf("All 3DES-CBC tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/tdes_cfb_test.c libica-3.8.0/test/tdes_cfb_test.c --- libica-3.7.0/test/tdes_cfb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/tdes_cfb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -137,6 +137,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping TDES-CFB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -180,5 +186,6 @@ printf("All 3DES-CFB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/tdes_ctr_test.c libica-3.8.0/test/tdes_ctr_test.c --- libica-3.7.0/test/tdes_ctr_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/tdes_ctr_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -115,6 +115,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping TDES-CTR test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int endless = 0; unsigned int data_length = 1; unsigned int rdata; @@ -164,5 +170,6 @@ printf("All 3DES-CTR tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/tdes_ecb_test.c libica-3.8.0/test/tdes_ecb_test.c --- libica-3.7.0/test/tdes_ecb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/tdes_ecb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -271,6 +271,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping TDES-ECB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -304,5 +310,6 @@ printf("All 3DES-ECB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/tdes_ofb_test.c libica-3.8.0/test/tdes_ofb_test.c --- libica-3.7.0/test/tdes_ofb_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/tdes_ofb_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -135,6 +135,12 @@ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping TDES-OFB test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int rc = 0; int error_count = 0; int iteration; @@ -166,5 +172,6 @@ printf("All 3DES-OFB tests passed.\n"); return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/tdes_test.c libica-3.8.0/test/tdes_test.c --- libica-3.7.0/test/tdes_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/tdes_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -87,6 +87,12 @@ */ int main(int argc, char **argv) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping TDES test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else unsigned int mode = 0; int rc = 0; int error_count = 0; @@ -137,5 +143,6 @@ return TEST_FAIL; return TEST_SUCC; +#endif /* NO_CPACF */ } diff -Nru libica-3.7.0/test/testcase.h libica-3.8.0/test/testcase.h --- libica-3.7.0/test/testcase.h 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/testcase.h 2021-05-17 10:26:08.000000000 -0500 @@ -17,6 +17,10 @@ #include "../include/ica_api.h" +#if defined(NO_SW_FALLBACKS) || defined(NO_CPACF) +#define UNUSED(var) ((void)(var)) +#endif + /* automake test exist status */ #define TEST_SUCC 0 #define TEST_FAIL 1 diff -Nru libica-3.7.0/test/x_test.c libica-3.8.0/test/x_test.c --- libica-3.7.0/test/x_test.c 2020-05-14 08:32:36.000000000 -0500 +++ libica-3.8.0/test/x_test.c 2021-05-17 10:26:08.000000000 -0500 @@ -23,15 +23,23 @@ const unsigned char *shared_secret; }; +#ifndef NO_CPACF static void check_functionlist(void); static void x25519_kat(void); static void x448_kat(void); static void x25519_pc(void); static void x448_pc(void); +#endif /* NO_CPACF */ int main(int argc, char *argv[]) { +#ifdef NO_CPACF + UNUSED(argc); + UNUSED(argv); + printf("Skipping X25519/X448 test, because CPACF support disabled via config option.\n"); + return TEST_SKIP; +#else int i; set_verbosity(argc, argv); @@ -51,8 +59,10 @@ VV_(printf("\n=== X448 PC ===\n")); for (i = 0; i < ITERATIONS; i++) x448_pc(); +#endif /* NO_CPACF */ } +#ifndef NO_CPACF static void check_functionlist(void) { unsigned int i, listlen, func; @@ -409,3 +419,4 @@ (void)ica_x448_ctx_del(&ctx); } +#endif /* NO_CPACF */