From 23e4288b7ee749dd177acf9a2ecaa1e6e28563d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Thu, 27 Jul 2023 09:41:59 +0200
Subject: [PATCH] - provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568) - provider: Default debug directory to /tmp but make it configurable (#2160084) - Resolves: #2222878 #2160084 #2224568
---
openssl-ibmca-2.4.0-log-into-tmp.patch | 218 +++++++++++++++++++++++++
openssl-ibmca-2.4.0-rsa-me.patch | 36 ++++
openssl-ibmca.spec | 10 +-
3 files changed, 263 insertions(+), 1 deletion(-)
create mode 100644 openssl-ibmca-2.4.0-log-into-tmp.patch
diff --git a/openssl-ibmca-2.4.0-log-into-tmp.patch b/openssl-ibmca-2.4.0-log-into-tmp.patch
new file mode 100644
index 0000000..f81e270
--- /dev/null
+++ b/openssl-ibmca-2.4.0-log-into-tmp.patch
@@ -0,0 +1,218 @@
+From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Wed, 26 Jul 2023 15:19:55 +0200
+Subject: [PATCH] provider: Default debug directory to /tmp but make it
+ configurable
+
+The IBMCA provider debug logs were written to the /var/log/ibmca/ directory,
+but this required that directory to be world-writable, because we don't know
+under which user an application runs that uses the provider.
+A world-writable directory under /var has security implications and should be
+avoided.
+
+Change the default log directory to /tmp which is world-writable anyway.
+Additionally the log directory can now be configured via the 'debug-path'
+option in the IBMCA provider section of the OpenSSL config file, or via
+environment variable 'IBMCA_DEBUG_PATH'.
+
+Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
+
+Signed-off-by: Ingo Franzki
+---
+ configure.ac | 2 +-
+ src/provider/Makefile.am | 4 ---
+ src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
+ src/provider/p_ibmca.c | 25 ++++++++++++++++++-
+ src/provider/p_ibmca.h | 3 +++
+ test/provider/openssl-test.cnf | 1 +
+ 6 files changed, 59 insertions(+), 14 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index cea8ce8f..57b32050 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
+
+ AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
+
+-logdir=$localstatedir/log/ibmca
++logdir=/tmp
+ AC_SUBST(logdir)
+
+ # Cmdline arguments.
+diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
+index da45a52e..f2d1d50b 100644
+--- a/src/provider/Makefile.am
++++ b/src/provider/Makefile.am
+@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
+ SUBDIRS = doc
+
+ noinst_SCRIPTS = ibmca-provider-opensslconfig
+-
+-install-data-hook:
+- $(MKDIR_P) $(DESTDIR)$(logdir)
+- $(CHMOD) 0777 $(DESTDIR)$(logdir)
+diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
+index 52350e47..846d6070 100644
+--- a/src/provider/doc/ibmca-provider.man
++++ b/src/provider/doc/ibmca-provider.man
+@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
+ .IP "debug = yes | no | stderr"
+ .RS
+ Enables debug output for the IBMCA provider. If this option is not specified,
+-no debuging output is produced. If \fBdebug = stderr\fP is specified,
++no debugging output is produced. If \fBdebug = stderr\fP is specified,
+ debugging messages are printed to stderr. Otherwise the debug output is written
+-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-.\fP,
+-where is the name of the IBMCA provider from the identity
+-option, and is the process ID of the current process. You can also
+-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
+-\fBon\fP or \fBstderr\fP.
++into a trace file in \fB/trace-.\fP,
++where is the path name of a directory to where the debug files are
++written (default: \fB/tmp\fP), is the name of the IBMCA provider
++from the identity option, and is the process ID of the current process.
++You can also enable debugging by setting the environment variable
++\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
++.RE
++.PP
++.IP "debug-path = /dir/to/debug/directory"
++.RS
++Sets the directory path to where debug files are written when debug is enabled
++via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
++You can also set the debug path by setting the environment variable
++\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
++under which the application that uses the IBMCA provider runs has write access
++to that directory. If this option is not specified, the default debug path is
++\fB/tmp\fP.
+ .RE
+ .PP
+ .IP "fips = yes | no"
+@@ -153,8 +165,18 @@ If
+ .B $IBMCA_DEBUG
+ is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
+ If it is set to \fBon\fP the debug output is written into a trace file in
+-\fB[/usr/local]/var/log/ibmca/trace-.\fP, where is
+-the process ID of the current process.
++\fB/trace-.\fP, where is the path
++name of a directory to where the debug files are written (default: \fB/tmp\fP),
++ is the name of the IBMCA provider from the identity option,
++and is the process ID of the current process.
++.PP
++.TP
++.BR IBMCA_DEBUG_PATH
++Sets the directory path to where debug files are written when debug is enabled
++via \fBdebug = yes\fP configuration option or via environment variable
++\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
++application that uses the IBMCA provider runs has write access to that
++directory.
+ .PP
+ .SH SEE ALSO
+ .B provider(1)
+diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
+index 80f03685..ffb9b5dd 100644
+--- a/src/provider/p_ibmca.c
++++ b/src/provider/p_ibmca.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -58,6 +59,8 @@ struct ibmca_config_item {
+
+ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
++static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
++ const char *key, const char *value);
+ static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
+ static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
+@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
+
+ static const struct ibmca_config_item config_items[] = {
++ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
+ { IBMCA_CONF_DEBUG, ibmca_config_debug },
+ { IBMCA_CONF_FIPS, ibmca_config_fips },
+ { IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
+@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
+ *p = '_';
+
+ if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
+- IBMCA_LOGDIR, prov_name, provctx->debug_pid)
++ provctx->debug_path != NULL ? provctx->debug_path :
++ IBMCA_LOGDIR,
++ prov_name, provctx->debug_pid)
+ >= (int)sizeof(debug_file)) {
+ put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
+ "IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
+@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
+ return 1;
+ }
+
++static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
++ const char *key, const char *value)
++{
++ /*
++ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
++ * environment variable) do not override the setting.
++ */
++ if (provctx->debug_path != NULL)
++ return 1;
++
++ return ibmca_config_const_string(provctx, key, value,
++ &provctx->debug_path);
++}
++
+ static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value)
+ {
+@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
+ ctx->c_free = c_free;
+ ctx->ica_adapter = DRIVER_NOT_LOADED;
+
++ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
++ if (val != NULL)
++ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
+ val = getenv(IBMCA_DEBUG_ENVVAR);
+ if (val != NULL)
+ ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
+diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
+index 3b3d4f04..c47a6aa9 100644
+--- a/src/provider/p_ibmca.h
++++ b/src/provider/p_ibmca.h
+@@ -27,9 +27,11 @@
+
+ /* Environment variable name to enable debug */
+ #define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG"
++#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH"
+
+ /* IBMCA provider configuration key words */
+ #define IBMCA_CONF_DEBUG "debug"
++#define IBMCA_CONF_DEBUG_PATH "debug-path"
+ #define IBMCA_CONF_ALGORITHMS "algorithms"
+ #define IBMCA_CONF_FIPS "fips"
+ #define IBMCA_CONF_FALLBACK_PROPS "fallback-properties"
+@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
+ OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
+ OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
+ bool debug;
++ const char *debug_path;
+ FILE *debug_file;
+ pid_t debug_pid;
+ pthread_mutex_t debug_mutex;
+diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
+index 7866f4e9..e8132a6b 100644
+--- a/test/provider/openssl-test.cnf
++++ b/test/provider/openssl-test.cnf
+@@ -16,6 +16,7 @@ identity = ibmca
+ module = ibmca-provider.so
+ activate = 1
+ #debug = yes
++#debug-path = /dir/to/debug/directory
+ #fips=yes
+ #algorithms = RSA,EC,DH
+ algorithms = ALL
diff --git a/openssl-ibmca-2.4.0-rsa-me.patch b/openssl-ibmca-2.4.0-rsa-me.patch
index eeaa299..1e3bb28 100644
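Review bot: The trace file name built in `ibmca_config_debug` stays predictable (`"%s/trace-%s.%d"`, provider name plus pid) while the default directory becomes the shared `/tmp`, so the open of `debug_file` should refuse pre-existing files and symlinks; that call is outside the hunk, so confirm it uses something like `open(debug_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)` followed by `fdopen()` rather than a plain `fopen(debug_file, "w")`. The overflow branch still reports `"IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR` even when the overlong value came from `debug-path`; it should print the directory actually used, `provctx->debug_path != NULL ? provctx->debug_path : IBMCA_LOGDIR`. In `OSSL_provider_init` the new path lookup uses `secure_getenv()` while `IBMCA_DEBUG` is still read with `getenv()`, so a privileged (AT_SECURE) process can still have tracing into the default directory switched on from its environment; `val = secure_getenv(IBMCA_DEBUG_ENVVAR);` would make the two consistent. The return value of `ibmca_config_debug_path()` is also dropped there, which would hide a failure if `ibmca_config_const_string()` can fail.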
--- a/openssl-ibmca-2.4.0-rsa-me.patch
+++ b/openssl-ibmca-2.4.0-rsa-me.patch
@@ -1080,3 +1080,39 @@ index cfc10a1..f7a0a91 100644 if (rc != 1) { ibmca_debug_op_ctx(ctx, "ibmca_asym_cipher_rsa_with_blinding failed");
+From 67efa9ad713e8283cb20111a15629f15a8ea8c86 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Tue, 25 Jul 2023 14:52:49 +0200
+Subject: [PATCH] provider: RSA: Fix get_params to retrieve max-size, bits, and
+ security-bits
+
+The RSA key management's get_params() function should be able to return the
+values for max-size, bits, and security-bits if at least the public key is
+available.
+
+The detection whether the key is 'empty', i.e. has neither the public nor the
+private key components was wrong. This leads to the fact that those parameters
+were not returned when only the public key was available.
+
+Signed-off-by: Ingo Franzki
+---
+ src/provider/rsa_keymgmt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
+index 526f2aa..ce49c88 100644
+--- a/src/provider/rsa_keymgmt.c
++++ b/src/provider/rsa_keymgmt.c
+@@ -1512,9 +1512,9 @@ static int ibmca_keymgmt_rsa_get_params(void *vkey, OSSL_PARAM params[])
+ for (parm = params; parm != NULL && parm->key != NULL; parm++)
+ ibmca_debug_key(key, "param: %s", parm->key);
+
+- empty = (!ibmca_keymgmt_rsa_pub_valid(&key->rsa.public) ||
+- (!ibmca_keymgmt_rsa_priv_crt_valid(&key->rsa.private_crt) &&
+- !ibmca_keymgmt_rsa_priv_me_valid(&key->rsa.private_me)));
++ empty = (!ibmca_keymgmt_rsa_pub_valid(&key->rsa.public) &&
++ !ibmca_keymgmt_rsa_priv_crt_valid(&key->rsa.private_crt) &&
++ !ibmca_keymgmt_rsa_priv_me_valid(&key->rsa.private_me));
+
+ if (!empty) {
+ /* OSSL_PKEY_PARAM_BITS */
diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec
index 6481823..0d7e42f 100644
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
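Review bot: With the new `&&` chain in `ibmca_keymgmt_rsa_get_params`, `empty` becomes false as soon as any one of the three components is valid, which is broader than the "at least the public key is available" wording of the commit message: a key holding only `private_crt` or `private_me` now also enters the `if (!empty)` block. That block continues outside the hunk, so it is worth confirming that the bits, security-bits and max-size values computed there do not depend on fields of `key->rsa.public` that were never populated. A short comment above the assignment would pin the intent, e.g. `/* empty: no public, no private CRT and no private ME component */`.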
@@ -9,7 +9,7 @@ Summary: OpenSSL engine and provider for IBMCA Name: openssl-ibmca Version: 2.4.0 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -21,7 +21,10 @@ Patch2: %{name}-2.4.0-engine-defaults.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2222878 # https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a # https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0 +# https://github.com/opencryptoki/openssl-ibmca/commit/67efa9ad713e8283cb20111a15629f15a8ea8c86 Patch3: %{name}-2.4.0-rsa-me.patch +# https://github.com/opencryptoki/openssl-ibmca/commit/2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 +Patch4: %{name}-2.4.0-log-into-tmp.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc @@ -84,6 +87,11 @@ make check %changelog +* Thu Jul 27 2023 Dan Horák - 2.4.0-4 +- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568) +- provider: Default debug directory to /tmp but make it configurable (#2160084) +- Resolves: #2222878 #2160084 #2224568 + * Mon Jul 17 2023 Dan Horák - 2.4.0-3 - provider: Support importing of RSA keys with just ME components (#2222878) - Resolves: #2222878