- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)

- provider: Default debug directory to /tmp but make it configurable (#2160084)
- Resolves: #2222878 #2160084 #2224568
This commit is contained in:
Dan Horák 2023-07-27 09:41:59 +02:00
parent eac80ef081
commit 23e4288b7e
3 changed files with 263 additions and 1 deletions

View File

@ -0,0 +1,218 @@
From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 26 Jul 2023 15:19:55 +0200
Subject: [PATCH] provider: Default debug directory to /tmp but make it
configurable
The IBMCA provider debug logs were written to the /var/log/ibmca/ directory,
but this required that directory to be world-writable, because we don't know
under which user an application runs that uses the provider.
A world-writable directory under /var has security implications and should be
avoided.
Change the default log directory to /tmp which is world-writable anyway.
Additionally the log directory can now be configured via the 'debug-path'
option in the IBMCA provider section of the OpenSSL config file, or via
environment variable 'IBMCA_DEBUG_PATH'.
Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 2 +-
src/provider/Makefile.am | 4 ---
src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
src/provider/p_ibmca.c | 25 ++++++++++++++++++-
src/provider/p_ibmca.h | 3 +++
test/provider/openssl-test.cnf | 1 +
6 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index cea8ce8f..57b32050 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
-logdir=$localstatedir/log/ibmca
+logdir=/tmp
AC_SUBST(logdir)
# Cmdline arguments.
diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
index da45a52e..f2d1d50b 100644
--- a/src/provider/Makefile.am
+++ b/src/provider/Makefile.am
@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
SUBDIRS = doc
noinst_SCRIPTS = ibmca-provider-opensslconfig
-
-install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(logdir)
- $(CHMOD) 0777 $(DESTDIR)$(logdir)
diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
index 52350e47..846d6070 100644
--- a/src/provider/doc/ibmca-provider.man
+++ b/src/provider/doc/ibmca-provider.man
@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
.IP "debug = yes | no | stderr"
.RS
Enables debug output for the IBMCA provider. If this option is not specified,
-no debuging output is produced. If \fBdebug = stderr\fP is specified,
+no debugging output is produced. If \fBdebug = stderr\fP is specified,
debugging messages are printed to stderr. Otherwise the debug output is written
-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP,
-where <provider-name> is the name of the IBMCA provider from the identity
-option, and <pid> is the process ID of the current process. You can also
-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
-\fBon\fP or \fBstderr\fP.
+into a trace file in \fB<debug-path>/trace-<provider-name>.<pid>\fP,
+where <debug-path> is the path name of a directory to where the debug files are
+written (default: \fB/tmp\fP), <provider-name> is the name of the IBMCA provider
+from the identity option, and <pid> is the process ID of the current process.
+You can also enable debugging by setting the environment variable
+\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
+.RE
+.PP
+.IP "debug-path = /dir/to/debug/directory"
+.RS
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
+You can also set the debug path by setting the environment variable
+\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
+under which the application that uses the IBMCA provider runs has write access
+to that directory. If this option is not specified, the default debug path is
+\fB/tmp\fP.
.RE
.PP
.IP "fips = yes | no"
@@ -153,8 +165,18 @@ If
.B $IBMCA_DEBUG
is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
If it is set to \fBon\fP the debug output is written into a trace file in
-\fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP, where <pid> is
-the process ID of the current process.
+\fB<debug-path>/trace-<provider-name>.<pid>\fP, where <debug-path> is the path
+name of a directory to where the debug files are written (default: \fB/tmp\fP),
+<provider-name> is the name of the IBMCA provider from the identity option,
+and <pid> is the process ID of the current process.
+.PP
+.TP
+.BR IBMCA_DEBUG_PATH
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP configuration option or via environment variable
+\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
+application that uses the IBMCA provider runs has write access to that
+directory.
.PP
.SH SEE ALSO
.B provider(1)
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
index 80f03685..ffb9b5dd 100644
--- a/src/provider/p_ibmca.c
+++ b/src/provider/p_ibmca.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
+#include <stdlib.h>
#include <err.h>
#include <strings.h>
#include <string.h>
@@ -58,6 +59,8 @@ struct ibmca_config_item {
static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static const struct ibmca_config_item config_items[] = {
+ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
{ IBMCA_CONF_DEBUG, ibmca_config_debug },
{ IBMCA_CONF_FIPS, ibmca_config_fips },
{ IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
*p = '_';
if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
- IBMCA_LOGDIR, prov_name, provctx->debug_pid)
+ provctx->debug_path != NULL ? provctx->debug_path :
+ IBMCA_LOGDIR,
+ prov_name, provctx->debug_pid)
>= (int)sizeof(debug_file)) {
put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
"IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
return 1;
}
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value)
+{
+ /*
+ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
+ * environment variable) do not override the setting.
+ */
+ if (provctx->debug_path != NULL)
+ return 1;
+
+ return ibmca_config_const_string(provctx, key, value,
+ &provctx->debug_path);
+}
+
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value)
{
@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
ctx->c_free = c_free;
ctx->ica_adapter = DRIVER_NOT_LOADED;
+ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
+ if (val != NULL)
+ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
val = getenv(IBMCA_DEBUG_ENVVAR);
if (val != NULL)
ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
index 3b3d4f04..c47a6aa9 100644
--- a/src/provider/p_ibmca.h
+++ b/src/provider/p_ibmca.h
@@ -27,9 +27,11 @@
/* Environment variable name to enable debug */
#define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG"
+#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH"
/* IBMCA provider configuration key words */
#define IBMCA_CONF_DEBUG "debug"
+#define IBMCA_CONF_DEBUG_PATH "debug-path"
#define IBMCA_CONF_ALGORITHMS "algorithms"
#define IBMCA_CONF_FIPS "fips"
#define IBMCA_CONF_FALLBACK_PROPS "fallback-properties"
@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
bool debug;
+ const char *debug_path;
FILE *debug_file;
pid_t debug_pid;
pthread_mutex_t debug_mutex;
diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
index 7866f4e9..e8132a6b 100644
--- a/test/provider/openssl-test.cnf
+++ b/test/provider/openssl-test.cnf
@@ -16,6 +16,7 @@ identity = ibmca
module = ibmca-provider.so
activate = 1
#debug = yes
+#debug-path = /dir/to/debug/directory
#fips=yes
#algorithms = RSA,EC,DH
algorithms = ALL

View File

@ -1080,3 +1080,39 @@ index cfc10a1..f7a0a91 100644
if (rc != 1) { if (rc != 1) {
ibmca_debug_op_ctx(ctx, "ibmca_asym_cipher_rsa_with_blinding failed"); ibmca_debug_op_ctx(ctx, "ibmca_asym_cipher_rsa_with_blinding failed");
From 67efa9ad713e8283cb20111a15629f15a8ea8c86 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 25 Jul 2023 14:52:49 +0200
Subject: [PATCH] provider: RSA: Fix get_params to retrieve max-size, bits, and
security-bits
The RSA key management's get_params() function should be able to return the
values for max-size, bits, and security-bits if at least the public key is
available.
The detection whether the key is 'empty', i.e. has neither the public nor the
private key components was wrong. This leads to the fact that those parameters
were not returned when only the public key was available.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/provider/rsa_keymgmt.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
index 526f2aa..ce49c88 100644
--- a/src/provider/rsa_keymgmt.c
+++ b/src/provider/rsa_keymgmt.c
@@ -1512,9 +1512,9 @@ static int ibmca_keymgmt_rsa_get_params(void *vkey, OSSL_PARAM params[])
for (parm = params; parm != NULL && parm->key != NULL; parm++)
ibmca_debug_key(key, "param: %s", parm->key);
- empty = (!ibmca_keymgmt_rsa_pub_valid(&key->rsa.public) ||
- (!ibmca_keymgmt_rsa_priv_crt_valid(&key->rsa.private_crt) &&
- !ibmca_keymgmt_rsa_priv_me_valid(&key->rsa.private_me)));
+ empty = (!ibmca_keymgmt_rsa_pub_valid(&key->rsa.public) &&
+ !ibmca_keymgmt_rsa_priv_crt_valid(&key->rsa.private_crt) &&
+ !ibmca_keymgmt_rsa_priv_me_valid(&key->rsa.private_me));
if (!empty) {
/* OSSL_PKEY_PARAM_BITS */

View File

@ -9,7 +9,7 @@
Summary: OpenSSL engine and provider for IBMCA Summary: OpenSSL engine and provider for IBMCA
Name: openssl-ibmca Name: openssl-ibmca
Version: 2.4.0 Version: 2.4.0
Release: 3%{?dist} Release: 4%{?dist}
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/opencryptoki URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -21,7 +21,10 @@ Patch2: %{name}-2.4.0-engine-defaults.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2222878 # https://bugzilla.redhat.com/show_bug.cgi?id=2222878
# https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a # https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a
# https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0 # https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0
# https://github.com/opencryptoki/openssl-ibmca/commit/67efa9ad713e8283cb20111a15629f15a8ea8c86
Patch3: %{name}-2.4.0-rsa-me.patch Patch3: %{name}-2.4.0-rsa-me.patch
# https://github.com/opencryptoki/openssl-ibmca/commit/2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4
Patch4: %{name}-2.4.0-log-into-tmp.patch
Requires: libica >= 4.0.0 Requires: libica >= 4.0.0
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -84,6 +87,11 @@ make check
%changelog %changelog
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
- provider: Default debug directory to /tmp but make it configurable (#2160084)
- Resolves: #2222878 #2160084 #2224568
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3 * Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
- provider: Support importing of RSA keys with just ME components (#2222878) - provider: Support importing of RSA keys with just ME components (#2222878)
- Resolves: #2222878 - Resolves: #2222878