From 43627c53587035cb8875f33ae93b0267d506bbcc Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 20 Sep 2022 07:47:33 -0400 Subject: [PATCH] import openssl-ibmca-2.2.2-1.el9_0.1 --- .../openssl-ibmca-2.2.2-fix-ecx-keys.patch | 403 ++++++++++++++++++ SOURCES/openssl-ibmca-2.2.2-openssl3.patch | 72 ++++ SPECS/openssl-ibmca.spec | 11 +- 3 files changed, 485 insertions(+), 1 deletion(-) create mode 100644 SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch create mode 100644 SOURCES/openssl-ibmca-2.2.2-openssl3.patch diff --git a/SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch b/SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch new file mode 100644 index 0000000..f813865 --- /dev/null +++ b/SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch @@ -0,0 +1,403 @@ +From e91e17901e0398b9a55850123ffe2cc4a0d04f34 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Wed, 9 Mar 2022 13:17:18 +0100 +Subject: [PATCH] PKEY: Fix usage of ECX keys + +ED25519, ED448, X25519, and X448 caused a segmentation fault due to wrong +usage of ECX keys. + +Signed-off-by: Juergen Christ +--- + src/ibmca_pkey.c | 124 +++++++++++----------------------------- + src/openssl-compat.h | 131 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 164 insertions(+), 91 deletions(-) + create mode 100644 src/openssl-compat.h + +diff --git a/src/ibmca_pkey.c b/src/ibmca_pkey.c +index e8ba9067..9c8de94c 100644 +--- a/src/ibmca_pkey.c ++++ b/src/ibmca_pkey.c +@@ -22,65 +22,7 @@ + #include "ibmca.h" + #include "e_ibmca_err.h" + +-/* +- * copied from evp_int.h: +- * missing set/get methods for opaque types. +- */ +- +-typedef struct { +- unsigned char pub[57]; +- unsigned char *priv; +-} ECX_KEY; +- +-typedef struct evp_pkey_method_st { +- int pkey_id; +- int flags; +- int (*init) (EVP_PKEY_CTX *ctx); +- int (*copy) (EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src); +- void (*cleanup) (EVP_PKEY_CTX *ctx); +- int (*paramgen_init) (EVP_PKEY_CTX *ctx); +- int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey); +- int (*keygen_init) (EVP_PKEY_CTX *ctx); +- int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey); +- int (*sign_init) (EVP_PKEY_CTX *ctx); +- int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, +- const unsigned char *tbs, size_t tbslen); +- int (*verify_init) (EVP_PKEY_CTX *ctx); +- int (*verify) (EVP_PKEY_CTX *ctx, +- const unsigned char *sig, size_t siglen, +- const unsigned char *tbs, size_t tbslen); +- int (*verify_recover_init) (EVP_PKEY_CTX *ctx); +- int (*verify_recover) (EVP_PKEY_CTX *ctx, +- unsigned char *rout, size_t *routlen, +- const unsigned char *sig, size_t siglen); +- int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); +- int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, +- EVP_MD_CTX *mctx); +- int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); +- int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen, +- EVP_MD_CTX *mctx); +- int (*encrypt_init) (EVP_PKEY_CTX *ctx); +- int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, +- const unsigned char *in, size_t inlen); +- int (*decrypt_init) (EVP_PKEY_CTX *ctx); +- int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, +- const unsigned char *in, size_t inlen); +- int (*derive_init) (EVP_PKEY_CTX *ctx); +- int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen); +- int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2); +- int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value); +- int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, +- const unsigned char *tbs, size_t tbslen); +- int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig, +- size_t siglen, const unsigned char *tbs, +- size_t tbslen); +- int (*check) (EVP_PKEY *pkey); +- int (*public_check) (EVP_PKEY *pkey); +- int (*param_check) (EVP_PKEY *pkey); +- +- int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); +-} EVP_PKEY_METHOD; +- ++#include "openssl-compat.h" + + ica_x25519_ctx_new_t p_ica_x25519_ctx_new; + ica_x448_ctx_new_t p_ica_x448_ctx_new; +@@ -136,16 +78,16 @@ static int ibmca_x25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) + goto ret; + } + +- key = calloc(1, sizeof(ECX_KEY)); ++ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X25519); + private = calloc(1, sizeof(priv)); +- if (key == NULL) { ++ if (key == NULL || private == NULL) { + IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); + goto ret; + } + + memcpy(private, priv, sizeof(priv)); +- memcpy(key, pub, sizeof(pub)); +- key->priv = private; ++ ossl_ecx_copypubkey(key, pub, sizeof(pub)); ++ ossl_ecx_set0_privkey(key, private); + + EVP_PKEY_assign(pkey, NID_X25519, key); + rc = 1; +@@ -199,12 +141,12 @@ static int ibmca_x25519_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_ + goto ret; + } + +- if (p_ica_x25519_key_set(ctx, key_ecx->priv, NULL) != 0) { ++ if (p_ica_x25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { + IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); +- goto ret;; ++ goto ret; + } + +- if (p_ica_x25519_derive(ctx, key, peerkey_ecx->pub) != 0) ++ if (p_ica_x25519_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0) + goto ret; + + rc = 1; +@@ -236,16 +178,16 @@ static int ibmca_x448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) + goto ret; + } + +- key = calloc(1, sizeof(ECX_KEY)); ++ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X448); + private = calloc(1, sizeof(priv)); +- if (key == NULL) { ++ if (key == NULL || private == NULL) { + IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); + goto ret; + } + + memcpy(private, priv, sizeof(priv)); +- memcpy(key, pub, sizeof(pub)); +- key->priv = private; ++ ossl_ecx_copypubkey(key, pub, sizeof(pub)); ++ ossl_ecx_set0_privkey(key, private); + + EVP_PKEY_assign(pkey, NID_X448, key); + rc = 1; +@@ -299,12 +241,12 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t + goto ret; + } + +- if (p_ica_x448_key_set(ctx, key_ecx->priv, NULL) != 0) { ++ if (p_ica_x448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { + IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); +- goto ret;; ++ goto ret; + } + +- if (p_ica_x448_derive(ctx, key, peerkey_ecx->pub) != 0) ++ if (p_ica_x448_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0) + goto ret; + + rc = 1; +@@ -341,16 +283,16 @@ static int ibmca_ed25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) + goto ret; + } + +- key = calloc(1, sizeof(ECX_KEY)); ++ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED25519); + private = calloc(1, sizeof(priv)); +- if (key == NULL) { ++ if (key == NULL || private == NULL) { + IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); + goto ret; + } + + memcpy(private, priv, sizeof(priv)); +- memcpy(key, pub, sizeof(pub)); +- key->priv = private; ++ ossl_ecx_copypubkey(key, pub, sizeof(pub)); ++ ossl_ecx_set0_privkey(key, private); + + EVP_PKEY_assign(pkey, NID_ED25519, key); + rc = 1; +@@ -398,9 +340,9 @@ static int ibmca_ed25519_sign(EVP_MD_CTX *md_ctx, unsigned char *sig, + goto ret; + } + +- if (p_ica_ed25519_key_set(ctx, key_ecx->priv, NULL) != 0) { ++ if (p_ica_ed25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { + IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); +- goto ret;; ++ goto ret; + } + + if (p_ica_ed25519_sign(ctx, sig, tbs, tbslen) != 0) +@@ -443,7 +385,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, + goto ret; + } + +- if (p_ica_ed25519_key_set(ctx, NULL, key_ecx->pub) != 0) { ++ if (p_ica_ed25519_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) { + IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); + goto ret; + } +@@ -485,16 +427,16 @@ static int ibmca_ed448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) + goto ret; + } + +- key = calloc(1, sizeof(ECX_KEY)); ++ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED448); + private = calloc(1, sizeof(priv)); +- if (key == NULL) { ++ if (key == NULL || private == NULL) { + IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); + goto ret; + } + + memcpy(private, priv, sizeof(priv)); +- memcpy(key, pub, sizeof(pub)); +- key->priv = private; ++ ossl_ecx_copypubkey(key, pub, sizeof(pub)); ++ ossl_ecx_set0_privkey(key, private); + + EVP_PKEY_assign(pkey, NID_ED448, key); + rc = 1; +@@ -542,9 +484,9 @@ static int ibmca_ed448_sign(EVP_MD_CTX *md_ctx, unsigned char *sig, + goto ret; + } + +- if (p_ica_ed448_key_set(ctx, key_ecx->priv, NULL) != 0) { ++ if (p_ica_ed448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { + IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); +- goto ret;; ++ goto ret; + } + + if (p_ica_ed448_sign(ctx, sig, tbs, tbslen) != 0) +@@ -587,7 +529,7 @@ static int ibmca_ed448_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, + goto ret; + } + +- if (p_ica_ed448_key_set(ctx, NULL, key_ecx->pub) != 0) { ++ if (p_ica_ed448_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) { + IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); + goto ret; + } +@@ -665,8 +607,8 @@ const EVP_PKEY_METHOD *ibmca_ed25519(void) + EVP_PKEY_meth_set_ctrl(ibmca_ed25519_pmeth, ibmca_ed_ctrl, NULL); + EVP_PKEY_meth_set_copy(ibmca_ed25519_pmeth, ibmca_ed25519_copy); + EVP_PKEY_meth_set_keygen(ibmca_ed25519_pmeth, NULL, ibmca_ed25519_keygen); +- ibmca_ed25519_pmeth->digestsign = ibmca_ed25519_sign; +- ibmca_ed25519_pmeth->digestverify = ibmca_ed25519_verify; ++ EVP_PKEY_meth_set_digestsign(ibmca_ed25519_pmeth, ibmca_ed25519_sign); ++ EVP_PKEY_meth_set_digestverify(ibmca_ed25519_pmeth, ibmca_ed25519_verify); + + ret: + return ibmca_ed25519_pmeth; +@@ -684,8 +626,8 @@ const EVP_PKEY_METHOD *ibmca_ed448(void) + EVP_PKEY_meth_set_ctrl(ibmca_ed448_pmeth, ibmca_ed_ctrl, NULL); + EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy); + EVP_PKEY_meth_set_keygen(ibmca_ed448_pmeth, NULL, ibmca_ed448_keygen); +- ibmca_ed448_pmeth->digestsign = ibmca_ed448_sign; +- ibmca_ed448_pmeth->digestverify = ibmca_ed448_verify; ++ EVP_PKEY_meth_set_digestsign(ibmca_ed448_pmeth, ibmca_ed448_sign); ++ EVP_PKEY_meth_set_digestverify(ibmca_ed448_pmeth, ibmca_ed448_verify); + + ret: + return ibmca_ed448_pmeth; +diff --git a/src/openssl-compat.h b/src/openssl-compat.h +new file mode 100644 +index 00000000..0013365b +--- /dev/null ++++ b/src/openssl-compat.h +@@ -0,0 +1,131 @@ ++/* ++ * Copyright 2022 International Business Machines Corp. ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++#ifndef IBMCA_OPENSSL_COMPAT_H ++#define IBMCA_OPENSSL_COMPAT_H ++ ++#include ++ ++#ifdef OPENSSL_VERSION_PREREQ ++/* This is 3.x */ ++#include ++ ++static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) ++{ ++ ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret)); ++ ++ if (ret == NULL) ++ return NULL; ++ ++ ret->libctx = NULL; ++ ret->haspubkey = 0; ++ switch (type) { ++ case ECX_KEY_TYPE_X25519: ++ ret->keylen = X25519_KEYLEN; ++ break; ++ case ECX_KEY_TYPE_X448: ++ ret->keylen = X448_KEYLEN; ++ break; ++ case ECX_KEY_TYPE_ED25519: ++ ret->keylen = ED25519_KEYLEN; ++ break; ++ case ECX_KEY_TYPE_ED448: ++ ret->keylen = ED448_KEYLEN; ++ break; ++ } ++ ret->type = type; ++ ret->references = 1; ++ ++ ret->lock = CRYPTO_THREAD_lock_new(); ++ if (ret->lock == NULL) ++ goto err; ++ return ret; ++err: ++ OPENSSL_free(ret); ++ return NULL; ++} ++ ++static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey) ++{ ++ key->privkey = privkey; ++} ++ ++static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key) ++{ ++ return key->privkey; ++} ++ ++static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key) ++{ ++ return key->pubkey; ++} ++ ++static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len) ++{ ++ memcpy(key->pubkey, pubkey, len); ++ key->haspubkey = 1; ++} ++ ++#else ++/* This is 1.1.x */ ++ ++#include ++ ++/* ++ * copied from evp_int.h: ++ * missing set/get methods for opaque types. ++ */ ++ ++typedef struct { ++ unsigned char pub[57]; ++ unsigned char *priv; ++} ECX_KEY; ++ ++typedef enum { ++ ECX_KEY_TYPE_X25519, ++ ECX_KEY_TYPE_X448, ++ ECX_KEY_TYPE_ED25519, ++ ECX_KEY_TYPE_ED448 ++} ECX_KEY_TYPE; ++ ++static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) ++{ ++ return calloc(1, sizeof(ECX_KEY)); ++} ++ ++static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey) ++{ ++ key->priv = privkey; ++} ++ ++static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key) ++{ ++ return key->priv; ++} ++ ++static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key) ++{ ++ return key->pub; ++} ++ ++static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len) ++{ ++ memcpy(key->pub, pubkey, len); ++} ++ ++#endif ++ ++#endif diff --git a/SOURCES/openssl-ibmca-2.2.2-openssl3.patch b/SOURCES/openssl-ibmca-2.2.2-openssl3.patch new file mode 100644 index 0000000..833311a --- /dev/null +++ b/SOURCES/openssl-ibmca-2.2.2-openssl3.patch @@ -0,0 +1,72 @@ +From e59cce5af547cc4cbda2a1bce1eb2b89e959ae99 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Mon, 21 Mar 2022 15:27:40 +0100 +Subject: [PATCH] Fix compilation for OpenSSL 3.0 + +ECX_KEY structure as used by engine is not public API in OpenSSL 3.0 and +should not be included via a private header. This forced the engine to only +compile if the OpenSSL 3.0 source tree is present. While this might be the +cleaner solution, we now copy out the defines to be used. This makes the +engine compile even without OpenSSL 3.0 source tree. + +Signed-off-by: Juergen Christ +--- + src/engine/openssl-compat.h | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/src/openssl-compat.h b/src/openssl-compat.h +index 0013365b..aae40dab 100644 +--- a/src/openssl-compat.h ++++ b/src/openssl-compat.h +@@ -19,9 +19,36 @@ + + #include + ++typedef enum { ++ ECX_KEY_TYPE_X25519, ++ ECX_KEY_TYPE_X448, ++ ECX_KEY_TYPE_ED25519, ++ ECX_KEY_TYPE_ED448 ++} ECX_KEY_TYPE; ++ + #ifdef OPENSSL_VERSION_PREREQ + /* This is 3.x */ +-#include ++ ++# define X25519_KEYLEN 32 ++# define X448_KEYLEN 56 ++# define ED25519_KEYLEN 32 ++# define ED448_KEYLEN 57 ++ ++# define MAX_KEYLEN ED448_KEYLEN ++ ++typedef int CRYPTO_REF_COUNT; ++ ++typedef struct ecx_key_st { ++ OSSL_LIB_CTX *libctx; ++ char *propq; ++ unsigned int haspubkey:1; ++ unsigned char pubkey[MAX_KEYLEN]; ++ unsigned char *privkey; ++ size_t keylen; ++ ECX_KEY_TYPE type; ++ CRYPTO_REF_COUNT references; ++ CRYPTO_RWLOCK *lock; ++} ECX_KEY; + + static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) + { +@@ -94,13 +121,6 @@ typedef struct { + unsigned char *priv; + } ECX_KEY; + +-typedef enum { +- ECX_KEY_TYPE_X25519, +- ECX_KEY_TYPE_X448, +- ECX_KEY_TYPE_ED25519, +- ECX_KEY_TYPE_ED448 +-} ECX_KEY_TYPE; +- + static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) + { + return calloc(1, sizeof(ECX_KEY)); diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec index 474c07f..bdf39eb 100644 --- a/SPECS/openssl-ibmca.spec +++ b/SPECS/openssl-ibmca.spec @@ -3,10 +3,15 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca Version: 2.2.2 -Release: 1%{?dist} +Release: 1%{?dist}.1 License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +# https://bugzilla.redhat.com/show_bug.cgi?id=2069683 +# https://github.com/opencryptoki/openssl-ibmca/commit/e91e17901e0398b9a55850123ffe2cc4a0d04f34 +Patch0: %{name}-2.2.2-fix-ecx-keys.patch +# https://github.com/opencryptoki/openssl-ibmca/commit/e59cce5af547cc4cbda2a1bce1eb2b89e959ae99 +Patch1: %{name}-2.2.2-openssl3.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc @@ -55,6 +60,10 @@ make check %changelog +* Wed Mar 30 2022 Dan Horák - 2.2.2-1.1 +- fix crash with ECX keys (#2069683) +- Resolves: #2069683 + * Wed Feb 02 2022 Dan Horák - 2.2.2-1 - updated to 2.2.2 (#2016989) - Resolves: #2016989