From 5722b31740211606a995ce2e2ad747144b924739 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Mon, 9 Aug 2021 13:50:43 +0200
Subject: [PATCH] - fix DSA and DH registration (#1989380) - Resolves: #1989380
---
 openssl-ibmca-2.2.0-fix-registration.patch | 105 +++++++++++++++++++++
 openssl-ibmca.spec | 9 +-
 2 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 openssl-ibmca-2.2.0-fix-registration.patch
diff --git a/openssl-ibmca-2.2.0-fix-registration.patch b/openssl-ibmca-2.2.0-fix-registration.patch
new file mode 100644
index 0000000..04122e8
--- /dev/null
+++ b/openssl-ibmca-2.2.0-fix-registration.patch
@@ -0,0 +1,105 @@
+From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Thu, 29 Jul 2021 17:38:59 +0200
+Subject: [PATCH] Fix DSA and DH registration.
+
+DSA does not provide backups by default.
+
+Also fix typo in DH initialization.
+
+Signed-off-by: Juergen Christ
+---
+ src/ibmca_dh.c | 2 +-
+ src/ibmca_dsa.c | 26 ++++----------------------
+ 2 files changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
+index 2459cf1..b2b75a9 100644
+--- a/src/ibmca_dh.c
++++ b/src/ibmca_dh.c
+@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
+
+ if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
+ || (meth1 = DH_OpenSSL()) == NULL
+- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
++ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
+ || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
+ || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
+ || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
+diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
+index f5bf4e4..3b5ac87 100644
+--- a/src/ibmca_dsa.c
++++ b/src/ibmca_dsa.c
+@@ -28,18 +28,10 @@
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine ibmca dsa1024 rsa1024".
 */
+ #ifdef OLDER_OPENSSL
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+- BIGNUM *m, BN_CTX *ctx,
+- BN_MONT_CTX *in_mont);
+ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+ BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+ BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ #else
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+- const BIGNUM *p1, const BIGNUM *a2,
+- const BIGNUM *p2, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *in_mont);
+ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+ const BIGNUM *p1, const BIGNUM *a2,
+ const BIGNUM *p2, const BIGNUM *m,
+@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+ end:
+ BN_free(t);
+
+- if (!to_return && ibmca_dsa_mod_exp_backup)
+- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
++ if (!to_return)
++ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+ return to_return;
+ }
+
+ #ifdef OLDER_OPENSSL
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+ static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+ const BIGNUM *p, const BIGNUM *m,
+ BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ #else
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+ static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *p, const BIGNUM *m,
+ BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ #endif
+ {
+- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
+- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
++ if (!ibmca_mod_exp(r, a, p, m, ctx))
++ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return 1;
+ }
+
+@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
+ {
+ const DSA_METHOD *meth1 =
DSA_OpenSSL(); + +- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp; +- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp; + dsa_m.dsa_do_sign = meth1->dsa_do_sign; + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; + dsa_m.dsa_do_verify = meth1->dsa_do_verify; +@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void) + + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL + || (meth1 = DSA_OpenSSL()) == NULL +- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL +- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) + || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 714cf7a..02d48ad 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -3,12 +3,15 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca Version: 2.2.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240 Patch0: openssl-ibmca-2.2.0-eckey.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1989380 +# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20 +Patch1: openssl-ibmca-2.2.0-fix-registration.patch Requires: libica >= 3.8.0 BuildRequires: make BuildRequires: gcc @@ -57,6 +60,10 @@ make check %changelog +* Mon Aug 09 2021 Dan Horák - 2.2.0-2 +- fix DSA and DH registration (#1989380) +- Resolves: #1989380 + * Fri Jun 04 2021 Dan Horák - 2.2.0-1 - updated to 2.2.0 (#1869531) - eliminate SW fallback functions (#1924117)
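Review bot: The software fallback added to `ibmca_mod_exp_dsa` (inner hunk `@@ -65,31 +57,25 @@` of src/ibmca_dsa.c) hands the exponent `p` straight to `BN_mod_exp_mont`, and during DSA signing that exponent is the secret per-signature nonce, so the fallback is constant-time only if the caller has already set `BN_FLG_CONSTTIME` on it. OpenSSL's DSA sign setup appears to set that flag before invoking the method's `bn_mod_exp`, but the patch leaves the dependency undocumented; I would add `/* SW fallback: constant-time only because the caller flags p (the DSA nonce) BN_FLG_CONSTTIME */` above the call. Both fallbacks are taken on any zero return, so a failing hardware path in `ibmca_mod_exp` or in `ibmca_dsa_mod_exp` (whose body starts outside the hunk) is masked without a trace; a short comment stating that this is intended would help whoever later audits which operations actually ran on the accelerator.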