rpms
/
openssl-ibmca
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import openssl-ibmca-2.2.2-1.el9_0.1

This commit is contained in:
CentOS Sources 2022-09-20 07:47:33 -04:00 committed by Stepan Oksanichenko
parent c32c84fe68
commit 43627c5358
3 changed files with 485 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

403
SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch Normal file
View File

@ -0,0 +1,403 @@
From e91e17901e0398b9a55850123ffe2cc4a0d04f34 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Wed, 9 Mar 2022 13:17:18 +0100
Subject: [PATCH] PKEY: Fix usage of ECX keys
ED25519, ED448, X25519, and X448 caused a segmentation fault due to wrong
usage of ECX keys.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/ibmca_pkey.c | 124 +++++++++++-----------------------------
src/openssl-compat.h | 131 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 164 insertions(+), 91 deletions(-)
create mode 100644 src/openssl-compat.h
diff --git a/src/ibmca_pkey.c b/src/ibmca_pkey.c
index e8ba9067..9c8de94c 100644
--- a/src/ibmca_pkey.c
+++ b/src/ibmca_pkey.c
@@ -22,65 +22,7 @@
#include "ibmca.h"
#include "e_ibmca_err.h"
-/*
- * copied from evp_int.h:
- * missing set/get methods for opaque types.
- */
-
-typedef struct {
- unsigned char pub[57];
- unsigned char *priv;
-} ECX_KEY;
-
-typedef struct evp_pkey_method_st {
- int pkey_id;
- int flags;
- int (*init) (EVP_PKEY_CTX *ctx);
- int (*copy) (EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
- void (*cleanup) (EVP_PKEY_CTX *ctx);
- int (*paramgen_init) (EVP_PKEY_CTX *ctx);
- int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
- int (*keygen_init) (EVP_PKEY_CTX *ctx);
- int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
- int (*sign_init) (EVP_PKEY_CTX *ctx);
- int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*verify_init) (EVP_PKEY_CTX *ctx);
- int (*verify) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
- int (*verify_recover) (EVP_PKEY_CTX *ctx,
- unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen);
- int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
- int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- EVP_MD_CTX *mctx);
- int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
- int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
- EVP_MD_CTX *mctx);
- int (*encrypt_init) (EVP_PKEY_CTX *ctx);
- int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
- int (*decrypt_init) (EVP_PKEY_CTX *ctx);
- int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
- int (*derive_init) (EVP_PKEY_CTX *ctx);
- int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
- int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
- int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
- int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
- size_t siglen, const unsigned char *tbs,
- size_t tbslen);
- int (*check) (EVP_PKEY *pkey);
- int (*public_check) (EVP_PKEY *pkey);
- int (*param_check) (EVP_PKEY *pkey);
-
- int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
-} EVP_PKEY_METHOD;
-
+#include "openssl-compat.h"
ica_x25519_ctx_new_t p_ica_x25519_ctx_new;
ica_x448_ctx_new_t p_ica_x448_ctx_new;
@@ -136,16 +78,16 @@ static int ibmca_x25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X25519);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_X25519, key);
rc = 1;
@@ -199,12 +141,12 @@ static int ibmca_x25519_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_
goto ret;
}
- if (p_ica_x25519_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_x25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
- if (p_ica_x25519_derive(ctx, key, peerkey_ecx->pub) != 0)
+ if (p_ica_x25519_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0)
goto ret;
rc = 1;
@@ -236,16 +178,16 @@ static int ibmca_x448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X448);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_X448, key);
rc = 1;
@@ -299,12 +241,12 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t
goto ret;
}
- if (p_ica_x448_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_x448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
- if (p_ica_x448_derive(ctx, key, peerkey_ecx->pub) != 0)
+ if (p_ica_x448_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0)
goto ret;
rc = 1;
@@ -341,16 +283,16 @@ static int ibmca_ed25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED25519);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_ED25519, key);
rc = 1;
@@ -398,9 +340,9 @@ static int ibmca_ed25519_sign(EVP_MD_CTX *md_ctx, unsigned char *sig,
goto ret;
}
- if (p_ica_ed25519_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_ed25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
if (p_ica_ed25519_sign(ctx, sig, tbs, tbslen) != 0)
@@ -443,7 +385,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
goto ret;
}
- if (p_ica_ed25519_key_set(ctx, NULL, key_ecx->pub) != 0) {
+ if (p_ica_ed25519_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET);
goto ret;
}
@@ -485,16 +427,16 @@ static int ibmca_ed448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED448);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_ED448, key);
rc = 1;
@@ -542,9 +484,9 @@ static int ibmca_ed448_sign(EVP_MD_CTX *md_ctx, unsigned char *sig,
goto ret;
}
- if (p_ica_ed448_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_ed448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
if (p_ica_ed448_sign(ctx, sig, tbs, tbslen) != 0)
@@ -587,7 +529,7 @@ static int ibmca_ed448_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
goto ret;
}
- if (p_ica_ed448_key_set(ctx, NULL, key_ecx->pub) != 0) {
+ if (p_ica_ed448_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET);
goto ret;
}
@@ -665,8 +607,8 @@ const EVP_PKEY_METHOD *ibmca_ed25519(void)
EVP_PKEY_meth_set_ctrl(ibmca_ed25519_pmeth, ibmca_ed_ctrl, NULL);
EVP_PKEY_meth_set_copy(ibmca_ed25519_pmeth, ibmca_ed25519_copy);
EVP_PKEY_meth_set_keygen(ibmca_ed25519_pmeth, NULL, ibmca_ed25519_keygen);
- ibmca_ed25519_pmeth->digestsign = ibmca_ed25519_sign;
- ibmca_ed25519_pmeth->digestverify = ibmca_ed25519_verify;
+ EVP_PKEY_meth_set_digestsign(ibmca_ed25519_pmeth, ibmca_ed25519_sign);
+ EVP_PKEY_meth_set_digestverify(ibmca_ed25519_pmeth, ibmca_ed25519_verify);
ret:
return ibmca_ed25519_pmeth;
@@ -684,8 +626,8 @@ const EVP_PKEY_METHOD *ibmca_ed448(void)
EVP_PKEY_meth_set_ctrl(ibmca_ed448_pmeth, ibmca_ed_ctrl, NULL);
EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
EVP_PKEY_meth_set_keygen(ibmca_ed448_pmeth, NULL, ibmca_ed448_keygen);
- ibmca_ed448_pmeth->digestsign = ibmca_ed448_sign;
- ibmca_ed448_pmeth->digestverify = ibmca_ed448_verify;
+ EVP_PKEY_meth_set_digestsign(ibmca_ed448_pmeth, ibmca_ed448_sign);
+ EVP_PKEY_meth_set_digestverify(ibmca_ed448_pmeth, ibmca_ed448_verify);
ret:
return ibmca_ed448_pmeth;
diff --git a/src/openssl-compat.h b/src/openssl-compat.h
new file mode 100644
index 00000000..0013365b
--- /dev/null
+++ b/src/openssl-compat.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright 2022 International Business Machines Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef IBMCA_OPENSSL_COMPAT_H
+#define IBMCA_OPENSSL_COMPAT_H
+
+#include <openssl/opensslv.h>
+
+#ifdef OPENSSL_VERSION_PREREQ
+/* This is 3.x */
+#include <crypto/evp.h>
+
+static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
+{
+ ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret));
+
+ if (ret == NULL)
+ return NULL;
+
+ ret->libctx = NULL;
+ ret->haspubkey = 0;
+ switch (type) {
+ case ECX_KEY_TYPE_X25519:
+ ret->keylen = X25519_KEYLEN;
+ break;
+ case ECX_KEY_TYPE_X448:
+ ret->keylen = X448_KEYLEN;
+ break;
+ case ECX_KEY_TYPE_ED25519:
+ ret->keylen = ED25519_KEYLEN;
+ break;
+ case ECX_KEY_TYPE_ED448:
+ ret->keylen = ED448_KEYLEN;
+ break;
+ }
+ ret->type = type;
+ ret->references = 1;
+
+ ret->lock = CRYPTO_THREAD_lock_new();
+ if (ret->lock == NULL)
+ goto err;
+ return ret;
+err:
+ OPENSSL_free(ret);
+ return NULL;
+}
+
+static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey)
+{
+ key->privkey = privkey;
+}
+
+static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key)
+{
+ return key->privkey;
+}
+
+static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key)
+{
+ return key->pubkey;
+}
+
+static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len)
+{
+ memcpy(key->pubkey, pubkey, len);
+ key->haspubkey = 1;
+}
+
+#else
+/* This is 1.1.x */
+
+#include <openssl/evp.h>
+
+/*
+ * copied from evp_int.h:
+ * missing set/get methods for opaque types.
+ */
+
+typedef struct {
+ unsigned char pub[57];
+ unsigned char *priv;
+} ECX_KEY;
+
+typedef enum {
+ ECX_KEY_TYPE_X25519,
+ ECX_KEY_TYPE_X448,
+ ECX_KEY_TYPE_ED25519,
+ ECX_KEY_TYPE_ED448
+} ECX_KEY_TYPE;
+
+static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
+{
+ return calloc(1, sizeof(ECX_KEY));
+}
+
+static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey)
+{
+ key->priv = privkey;
+}
+
+static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key)
+{
+ return key->priv;
+}
+
+static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key)
+{
+ return key->pub;
+}
+
+static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len)
+{
+ memcpy(key->pub, pubkey, len);
+}
+
+#endif
+
+#endif

72
SOURCES/openssl-ibmca-2.2.2-openssl3.patch Normal file
View File

@ -0,0 +1,72 @@
From e59cce5af547cc4cbda2a1bce1eb2b89e959ae99 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Mon, 21 Mar 2022 15:27:40 +0100
Subject: [PATCH] Fix compilation for OpenSSL 3.0
ECX_KEY structure as used by engine is not public API in OpenSSL 3.0 and
should not be included via a private header. This forced the engine to only
compile if the OpenSSL 3.0 source tree is present. While this might be the
cleaner solution, we now copy out the defines to be used. This makes the
engine compile even without OpenSSL 3.0 source tree.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/engine/openssl-compat.h | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/src/openssl-compat.h b/src/openssl-compat.h
index 0013365b..aae40dab 100644
--- a/src/openssl-compat.h
+++ b/src/openssl-compat.h
@@ -19,9 +19,36 @@
#include <openssl/opensslv.h>
+typedef enum {
+ ECX_KEY_TYPE_X25519,
+ ECX_KEY_TYPE_X448,
+ ECX_KEY_TYPE_ED25519,
+ ECX_KEY_TYPE_ED448
+} ECX_KEY_TYPE;
+
#ifdef OPENSSL_VERSION_PREREQ
/* This is 3.x */
-#include <crypto/evp.h>
+
+# define X25519_KEYLEN 32
+# define X448_KEYLEN 56
+# define ED25519_KEYLEN 32
+# define ED448_KEYLEN 57
+
+# define MAX_KEYLEN ED448_KEYLEN
+
+typedef int CRYPTO_REF_COUNT;
+
+typedef struct ecx_key_st {
+ OSSL_LIB_CTX *libctx;
+ char *propq;
+ unsigned int haspubkey:1;
+ unsigned char pubkey[MAX_KEYLEN];
+ unsigned char *privkey;
+ size_t keylen;
+ ECX_KEY_TYPE type;
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
+} ECX_KEY;
static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
{
@@ -94,13 +121,6 @@ typedef struct {
unsigned char *priv;
} ECX_KEY;
-typedef enum {
- ECX_KEY_TYPE_X25519,
- ECX_KEY_TYPE_X448,
- ECX_KEY_TYPE_ED25519,
- ECX_KEY_TYPE_ED448
-} ECX_KEY_TYPE;
-
static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
{
return calloc(1, sizeof(ECX_KEY));

11
SPECS/openssl-ibmca.spec
View File

@ -3,10 +3,15 @@
Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca
Version: 2.2.2
Release: 1%{?dist}
Release: 1%{?dist}.1
License: ASL 2.0
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=2069683
# https://github.com/opencryptoki/openssl-ibmca/commit/e91e17901e0398b9a55850123ffe2cc4a0d04f34
Patch0: %{name}-2.2.2-fix-ecx-keys.patch
# https://github.com/opencryptoki/openssl-ibmca/commit/e59cce5af547cc4cbda2a1bce1eb2b89e959ae99
Patch1: %{name}-2.2.2-openssl3.patch
Requires: libica >= 4.0.0
BuildRequires: make
BuildRequires: gcc
@ -55,6 +60,10 @@ make check
%changelog
* Wed Mar 30 2022 Dan Horák <dhorak@redhat.com> - 2.2.2-1.1
- fix crash with ECX keys (#2069683)
- Resolves: #2069683
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
- updated to 2.2.2 (#2016989)
- Resolves: #2016989