Hello community,
here is the log from the commit of package libica for openSUSE:Factory checked
in at 2020-05-08 23:07:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libica (Old)
and /work/SRC/openSUSE:Factory/.libica.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libica"
Fri May 8 23:07:32 2020 rev:18 rq:801384 version:3.6.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/libica/libica.changes 2019-11-15
22:38:11.680114280 +0100
+++ /work/SRC/openSUSE:Factory/.libica.new.2738/libica.changes 2020-05-08
23:07:38.930143806 +0200
@@ -1,0 +2,26 @@
+Thu May 7 18:01:31 UTC 2020 - Mark Post <mp...@suse.com>
+
+- Added the following patches for FIPS certification (bsc#1162533)
+ * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
+ * libica-sles15sp2-FIPS-hmac-key.patch
+- Added a BuildRequires for the fipscheck package.
+- Made a couple of changes to the spec file based upon recommendations
+ by spec-cleaner.
+
+-------------------------------------------------------------------
+Wed Apr 8 18:55:24 UTC 2020 - Mark Post <mp...@suse.com>
+
+- Added the following patches for FIPS certification.
+ * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
+ (bsc#1166071) Although a DES key has only 56 effective bits,
+ all 64 bits must be considered, because the parity bits are
+ spread over all 8 bytes of the key.
+ * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
+ (bsc#1166210) FIPS tests require the output iv to be the iv
+ resulting from decrypting the last block with a zero iv as input.
+ * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
+ (bsc#1166224) The output from icainfo never shows 'yes' for
+ RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
+ due to the missing ICA_FLAG_SW flag in the icaList.
+
+-------------------------------------------------------------------
New:
----
libica-sles15sp2-FIPS-hmac-key.patch
libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libica.spec ++++++
--- /var/tmp/diff_new_pack.q8rLlJ/_old 2020-05-08 23:07:40.538147090 +0200
+++ /var/tmp/diff_new_pack.q8rLlJ/_new 2020-05-08 23:07:40.542147099 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libica
#
-# Copyright (c) 2018, 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018-2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -38,8 +38,15 @@
Source6: baselibs.conf
Source7: %{name}-rpmlintrc
Patch1:
libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
+Patch2: libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
+Patch3:
libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
+Patch4:
libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
+Patch5:
libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
+Patch6: libica-sles15sp2-FIPS-hmac-key.patch
+
BuildRequires: autoconf
BuildRequires: automake
+BuildRequires: fipscheck
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: openssl-devel
@@ -115,8 +122,10 @@
autoreconf --force --install
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
--enable-fips
-make %{?_smp_mflags} clean
-make %{?_smp_mflags}
+%make_build clean
+%make_build
+
+%{expand:%%global __os_install_post {%__os_install_post fipshmac
%{buildroot}/%{_libdir}/*.so.?.* }}
%install
%make_install
@@ -134,7 +143,7 @@
rmdir %{buildroot}%{_datadir}/doc/libica
%check
-make check
+%make_build check
%pre tools
%service_add_pre z90crypt.service
@@ -155,6 +164,7 @@
%files -n libica3
%defattr(-,root,root)
%{_libdir}/libica.so.3*
+%{_libdir}/.libica.so.3*hmac
%files tools
%license LICENSE
++++++ libica-sles15sp2-FIPS-hmac-key.patch ++++++
--- libica-3.6.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
+++ libica-3.6.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
@@ -45,8 +45,7 @@
* libica.so.MAJOR.hmac in the same directory as the .so module.
*/
static const char hmackey[] =
- "0000000000000000000000000000000000000000000000000000000000000000"
- "0000000000000000000000000000000000000000000000000000000000000000";
+ "orboDeJITITejsirpADONivirpUkvarP";
int fips;
++++++ libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
++++++
>From 231bba3b32bd246d8286f1c7dc231d836ea92bd9 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschm...@de.ibm.com>
Date: Mon, 27 Apr 2020 11:18:26 +0200
Subject: [PATCH] FIPS: introduce HMAC based library integrity check
When in FIPS mode, perform an integrity check on libica.so by calculating
an HMAC from the file contents using a static HMAC key, and comparing it
to a pre-calculated HMAC in a separate file. The HMAC key and HMAC file
may be provided by a Distributor when building the packet. The test
succeeds if the HMAC file is not present.
Signed-off-by: Joerg Schmidbauer <jschm...@de.ibm.com>
---
include/ica_api.h | 2 +-
src/Makefile.am | 4 +-
src/fips.c | 224 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
src/include/fips.h | 4 +-
test/fips_test.c | 4 +
5 files changed, 232 insertions(+), 6 deletions(-)
diff --git a/include/ica_api.h b/include/ica_api.h
index 91bf0be..8221f55 100644
--- a/include/ica_api.h
+++ b/include/ica_api.h
@@ -216,7 +216,7 @@ typedef ica_adapter_handle_t ICA_ADAPTER_HANDLE;
*/
/* Cryptographic algorithm test (KAT or pair-wise consistency test) */
#define ICA_FIPS_CRYPTOALG 2
-/* Software/Firmware integrity test (not implemented yet) */
+/* Software/Firmware integrity test */
#define ICA_FIPS_INTEGRITY 4
/* Critical functions test (N/A) */
#define ICA_FIPS_CRITICALFUNC 8
diff --git a/src/Makefile.am b/src/Makefile.am
index 65f471f..9e4ef52 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -9,7 +9,7 @@
libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
-fvisibility=hidden
libica_la_CCASFLAGS = ${AM_CFLAGS}
-libica_la_LIBADD = @LIBS@ -lrt -lcrypto
+libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl
libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
-version-number ${VERSION}
libica_la_SOURCES = ica_api.c init.c icastats_shared.c s390_rsa.c \
@@ -53,7 +53,7 @@
-DICA_INTERNAL_TEST \
-DICA_INTERNAL_TEST_EC
internal_tests_ec_internal_test_CCASFLAGS = ${AM_CFLAGS}
-internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread
+internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread -ldl
internal_tests_ec_internal_test_SOURCES = \
ica_api.c init.c icastats_shared.c s390_rsa.c \
s390_crypto.c s390_ecc.c s390_prng.c s390_sha.c \
diff --git a/src/fips.c b/src/fips.c
index d09a553..bab00db 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -13,11 +13,13 @@
#include <errno.h>
#include <openssl/crypto.h>
+#include <openssl/evp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
+#include <dlfcn.h>
#include <openssl/opensslconf.h>
#ifdef OPENSSL_FIPS
@@ -28,6 +30,24 @@
#include "ica_api.h"
#include "test_vec.h"
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
+#define HMAC_PREFIX "."
+#define HMAC_SUFFIX ".hmac"
+#define READ_BUFFER_LENGTH 16384
+
+/*
+ * The hard-coded HMAC key to be optionally provided for the library
+ * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
+ * The known HMAC is supposed to be provided as hex string in a file
+ * libica.so.MAJOR.hmac in the same directory as the .so module.
+ */
+static const char hmackey[] =
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000";
+
int fips;
static int aes_ecb_kat(void);
@@ -101,6 +121,206 @@ fips_init(void)
FIPS_mode_set(1);
}
}
+static int get_library_path(const char *libname, const char *symbolname,
+ char *path, size_t
pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rc = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL)
+ goto done;
+
+ sym = dlsym(dl, symbolname);
+ if (sym != NULL && dladdr(sym, &info)) {
+ if (strlen(info.dli_fname) < pathlen)
+ strcpy(path, info.dli_fname);
+ else
+ goto done;
+ }
+
+ rc = 0;
+
+done:
+ if (dl != NULL)
+ dlclose(dl);
+
+ return rc;
+}
+
+static char *make_hmac_path(const char *origpath)
+{
+ char *path;
+ const char *fn;
+
+ path = calloc(1,sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) +
strlen(origpath) + 1);
+ if (path == NULL)
+ return NULL;
+
+ fn = strrchr(origpath, '/');
+ if (fn == NULL) {
+ fn = origpath;
+ } else {
+ ++fn;
+ }
+
+ strncpy(path, origpath, fn - origpath);
+ strcat(path, HMAC_PREFIX);
+ strcat(path, fn);
+ strcat(path, HMAC_SUFFIX);
+
+ return path;
+}
+
+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+ FILE *fp = NULL;
+ int rc = -1;
+ unsigned char rbuf[READ_BUFFER_LENGTH];
+ unsigned char *keybuf;
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ size_t hlen, len;
+ long keylen;
+
+ keybuf = OPENSSL_hexstr2buf(hmackey, &keylen);
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, keybuf, (int)keylen);
+ if (!pkey)
+ goto end;
+
+ mdctx = EVP_MD_CTX_create();
+ if (!mdctx)
+ goto end;
+
+ fp = fopen(path, "r");
+ if (fp == NULL)
+ goto end;
+
+ if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey) <= 0)
+ goto end;
+
+ while ((len = fread(rbuf, 1, sizeof(rbuf), fp)) != 0) {
+ if (EVP_DigestSignUpdate(mdctx, rbuf, len) <= 0) {
+ goto end;
+ }
+ }
+
+ if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0)
+ goto end;
+
+ *buf = malloc(hlen);
+ if (*buf == NULL)
+ goto end;
+
+ *hmaclen = hlen;
+
+ memcpy(*buf, rbuf, hlen);
+
+ rc = 0;
+
+end:
+
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+
+ free(keybuf);
+ EVP_MD_CTX_destroy(mdctx);
+ if (fp)
+ fclose(fp);
+
+ return rc;
+}
+
+/**
+ * Performs the FIPS check.
+ *
+ * @return 1 if check succeeded
+ * 0 otherwise
+ */
+static int FIPSCHECK_verify(const char *path)
+{
+ int rc = 0;
+ FILE *fp;
+ unsigned char *hmac_buf = NULL;
+ long hmaclen;
+ char *hmacpath, *p;
+ char *hmac_str = NULL;
+ size_t n, buflen;
+ void *buf = NULL;
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+
+ fp = fopen(hmacpath, "r");
+ if (fp == NULL) {
+ rc = 1;
+ goto end;
+ }
+
+ if (getline(&hmac_str, &n, fp) <= 0)
+ goto end;
+
+ if ((p = strchr(hmac_str, '\n')) != NULL)
+ *p = '\0';
+
+ hmac_buf = OPENSSL_hexstr2buf(hmac_str, &hmaclen);
+
+ if (compute_file_hmac(path, &buf, &buflen) != 0)
+ goto end;
+
+ if (memcmp(buf, hmac_buf, hmaclen) != 0)
+ goto end;
+
+ rc = 1;
+
+end:
+
+ free(buf);
+ free(hmac_str);
+ free(hmacpath);
+
+ OPENSSL_free(hmac_buf);
+
+ if (fp)
+ fclose(fp);
+
+ return rc;
+}
+
+static const char msg1[] = "Libica FIPS library integrity check failed. Cannot
determine library path.\n";
+static const char msg2[] = "Libica FIPS library integrity check failed. Module
%s probably corrupted.\n";
+static const char msg3[] = "Libica FIPS library integrity check passed.\n";
+
+/*
+ * Perform an integrity check on libica.so by calculating an HMAC from
+ * the file contents using a static HMAC key, and comparing it to a
+ * pre-calculated HMAC in a separate file. The HMAC key and HMAC file
+ * may be provided by a Distributor when building the packet.
+ */
+static void fips_lib_integrity_check(void)
+{
+ int rc;
+ char path[PATH_MAX];
+ const char *libname = "libica.so";
+ const char *symbolname = "ica_sha256";
+
+ rc = get_library_path(libname, symbolname, path, sizeof(path));
+ if (rc != 0) {
+ syslog(LOG_ERR, msg1);
+ fips |= ICA_FIPS_INTEGRITY;
+ return;
+ }
+
+ if (!FIPSCHECK_verify(path)) {
+ syslog(LOG_ERR, msg2, path);
+ fips |= ICA_FIPS_INTEGRITY;
+ return;
+ }
+
+ syslog(LOG_INFO, msg3);
+}
void
fips_powerup_tests(void)
@@ -117,6 +337,9 @@ fips_powerup_tests(void)
fips |= ICA_FIPS_CRYPTOALG;
return;
}
+
+ /* Library integrity test */
+ fips_lib_integrity_check();
}
static int
@@ -933,5 +1156,4 @@ _err_:
syslog(LOG_ERR, "Libica RSA test failed.");
return 1;
}
-
#endif /* FIPS_H */
diff --git a/src/include/fips.h b/src/include/fips.h
index 421be4c..0ffdef6 100644
--- a/src/include/fips.h
+++ b/src/include/fips.h
@@ -27,8 +27,8 @@ extern int fips; /* module status */
void fips_init(void);
/*
- * Powerup tests: crypto algorithm test, SW/FW integrity test (not implemented
- * yet), critical function test (no critical functions). The tests set the
+ * Powerup tests: crypto algorithm test, SW/FW integrity test, critical
+ * function test (no critical functions). The tests set the
* corresponding status flags.
*/
void fips_powerup_tests(void);
diff --git a/test/fips_test.c b/test/fips_test.c
index 06563e3..0f1940d 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -57,6 +57,10 @@ main(void)
printf("Libica FIPS powerup test failed.\n");
rv = EXIT_FAILURE;
}
+ if (fips & ICA_FIPS_INTEGRITY) {
+ printf("Libica FIPS integrity check failed.\n");
+ rv = EXIT_FAILURE;
+ }
#endif /* ICA_FIPS */
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
--
2.16.4
++++++ libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
++++++
>From b687f1514b3d371cdc44b5b3b02d5ddd9ac4eb54 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschm...@de.ibm.com>
Date: Wed, 25 Mar 2020 10:07:10 +0100
Subject: [PATCH] FIPS: provide output iv as required by FIPS tests
This fix is introduced to satisfy FIPS tests. They require the
output iv to be the iv resulting from decrypting the last block
with a zero iv as input. But note that this is not described
in the NIST standard for CBC-CS. According to the standard,
the output iv is simply undefined.
Signed-off-by: Joerg Schmidbauer <jschm...@de.ibm.com>
---
src/include/s390_cbccs.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/include/s390_cbccs.h b/src/include/s390_cbccs.h
index aa29bff..f6626dc 100644
--- a/src/include/s390_cbccs.h
+++ b/src/include/s390_cbccs.h
@@ -287,6 +287,17 @@ s390_aes_cbccs_dec(unsigned int fc, const unsigned char
*in_data,
block_xor(out_data + tmp_data_length + AES_BLOCK_SIZE,
tmp_in_data, tmp_out_data, rest_data_length);
+ /*
+ * This fix was introduced to satisfy FIPS tests. They require the
+ * output iv to be the iv resulting from decrypting the last block
+ * with a zero iv as input, which is tmp_iv here. But note that this
+ * is not described in the NIST standard for CBC-CS. According to the
+ * standard, the output iv is simply undefined.
+ */
+#ifdef ICA_FIPS
+ memcpy(iv, tmp_iv, AES_BLOCK_SIZE);
+#endif /* ICA_FIPS */
+
return 0;
}
--
2.16.4
++++++ libica-sles15sp2-Fix-DES-and-TDES-key-length.patch ++++++
>From db1ad6f64d96c6dba2be5af5a4ecd7ceb8f92cf2 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschm...@de.ibm.com>
Date: Wed, 18 Mar 2020 16:48:43 +0100
Subject: [PATCH] Fix DES and TDES key length.
Although a DES key has only 56 effective bits, all 64 bits must be
considered, because the parity bits are spread over all 8 bytes of
the key.
Signed-off-by: Joerg Schmidbauer <jschm...@de.ibm.com>
---
src/ica_api.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ica_api.c b/src/ica_api.c
index b80c6e3..eb6b154 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -48,6 +48,8 @@
#define DEFAULT2_CRYPT_DEVICE "/dev/z90crypt"
#define DEFAULT3_CRYPT_DEVICE "/dev/zcrypt"
+#define DES_KEY_LEN64 (64/8)
+
#define MAX_VERSION_LENGTH 16
int ica_fallbacks_enabled = 1;
@@ -125,9 +127,9 @@ static unsigned int check_des_parms(unsigned int mode,
#ifdef ICA_FIPS
static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
- if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LENGTH)
- | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LENGTH)
- | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LENGTH))
+ if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
+ | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64)
+ | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64))
return EINVAL;
return 0;
--
2.16.4
++++++
libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
++++++
>From a4a9381d1597b78374925385a6d71cf8ccb16c21 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschm...@de.ibm.com>
Date: Fri, 27 Mar 2020 15:25:33 +0100
Subject: [PATCH] icainfo: bugfix for RSA and EC related info for software
column.
The software column did never show 'yes' for RSA ME, RSA CRT, ECDH,
ECDSA sign, ECDSA verify, and ECKGEN, due to the missing ICA_FLAG_SW
flag in the icaList.
Signed-off-by: Joerg Schmidbauer <jschm...@de.ibm.com>
---
src/s390_crypto.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
index ab7a269..8fb5662 100644
--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
@@ -489,10 +489,10 @@ libica_func_list_element_int icaList[] = {
{AES_GCM_KMA, MSA8, AES_128_GCM_ENCRYPT, 0, 0},
{AES_XTS, MSA4, AES_128_XTS_ENCRYPT, 0, 0},
{P_RNG, ADAPTER, 0, ICA_FLAG_SHW | ICA_FLAG_SW, 0}, // SHW (CPACF) + SW
- {EC_DH, ADAPTER, 0, 0, 0},
- {EC_DSA_SIGN, ADAPTER, 0, 0, 0},
- {EC_DSA_VERIFY, ADAPTER, 0, 0, 0},
- {EC_KGEN, ADAPTER, 0, 0, 0},
+ {EC_DH, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {EC_DSA_SIGN, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {EC_DSA_VERIFY, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {EC_KGEN, ADAPTER, 0, ICA_FLAG_SW, 0},
{ED25519_KEYGEN, MSA9, SCALAR_MULTIPLY_ED25519, 0, 0},
{ED25519_SIGN, MSA9, EDDSA_SIGN_ED25519, 0, 0},
{ED25519_VERIFY, MSA9, EDDSA_VERIFY_ED25519, 0, 0},
@@ -503,8 +503,8 @@ libica_func_list_element_int icaList[] = {
{X25519_DERIVE, MSA9, SCALAR_MULTIPLY_X25519, 0, 0},
{X448_KEYGEN, MSA9, SCALAR_MULTIPLY_X448, 0, 0},
{X448_DERIVE, MSA9, SCALAR_MULTIPLY_X448, 0, 0},
- {RSA_ME, ADAPTER, 0, 0, 0},
- {RSA_CRT, ADAPTER, 0, 0, 0},
+ {RSA_ME, ADAPTER, 0, ICA_FLAG_SW, 0},
+ {RSA_CRT, ADAPTER, 0, ICA_FLAG_SW, 0},
{RSA_KEY_GEN_ME, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
{RSA_KEY_GEN_CRT, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
--
2.16.4
