diff --git a/.gitignore b/.gitignore index a5fa060..fd8588c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openssl-ibmca-2.1.1.tar.gz +SOURCES/openssl-ibmca-2.2.0.tar.gz diff --git a/.openssl-ibmca.metadata b/.openssl-ibmca.metadata index 725c032..9bba6dd 100644 --- a/.openssl-ibmca.metadata +++ b/.openssl-ibmca.metadata @@ -1 +1 @@ -6f245f09c9ae7c1c1e287030aa5bd1db340dbdb0 SOURCES/openssl-ibmca-2.1.1.tar.gz +9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz diff --git a/SOURCES/openssl-ibmca-2.2.0-eckey.patch b/SOURCES/openssl-ibmca-2.2.0-eckey.patch new file mode 100644 index 0000000..6e8d490 --- /dev/null +++ b/SOURCES/openssl-ibmca-2.2.0-eckey.patch @@ -0,0 +1,31 @@ +From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Mon, 31 May 2021 18:00:07 +0200 +Subject: [PATCH] Skip eckey test if needed. + +Without crypto cards on a machine < z15, ibmca might not register with the +EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped +since it is doomed to fail. + +Fixes #69. + +Signed-off-by: Juergen Christ +--- + test/eckey.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/eckey.c b/test/eckey.c +index 35b3df2..6d0870b 100644 +--- a/test/eckey.c ++++ b/test/eckey.c +@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name) + fprintf(stderr, "ibmca engine not loaded\n"); + goto out; + } ++ if (ENGINE_get_EC(engine) == NULL) { ++ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n"); ++ exit(77); ++ } + eckey = EC_KEY_new_by_curve_name(nid); + if (eckey == NULL) { + /* curve not supported => test passed */ diff --git a/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch new file mode 100644 index 0000000..04122e8 --- /dev/null +++ b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch @@ -0,0 +1,105 @@ +From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Thu, 29 Jul 2021 17:38:59 +0200 +Subject: [PATCH] Fix DSA and DH registration. + +DSA does not provide backups by default. + +Also fix typo in DH initialization. + +Signed-off-by: Juergen Christ +--- + src/ibmca_dh.c | 2 +- + src/ibmca_dsa.c | 26 ++++---------------------- + 2 files changed, 5 insertions(+), 23 deletions(-) + +diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c +index 2459cf1..b2b75a9 100644 +--- a/src/ibmca_dh.c ++++ b/src/ibmca_dh.c +@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void) + + if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL + || (meth1 = DH_OpenSSL()) == NULL +- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL ++ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL + || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) + || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh) +diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c +index f5bf4e4..3b5ac87 100644 +--- a/src/ibmca_dsa.c ++++ b/src/ibmca_dsa.c +@@ -28,18 +28,10 @@ + * RSA. Just check out the "signs" statistics from the RSA and DSA parts + * of "openssl speed -engine ibmca dsa1024 rsa1024". */ + #ifdef OLDER_OPENSSL +-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, +- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, +- BIGNUM *m, BN_CTX *ctx, +- BN_MONT_CTX *in_mont); + static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) + #else +-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, +- const BIGNUM *p1, const BIGNUM *a2, +- const BIGNUM *p2, const BIGNUM *m, +- BN_CTX *ctx, BN_MONT_CTX *in_mont); + static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, + const BIGNUM *p1, const BIGNUM *a2, + const BIGNUM *p2, const BIGNUM *m, +@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, + end: + BN_free(t); + +- if (!to_return && ibmca_dsa_mod_exp_backup) +- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont); ++ if (!to_return) ++ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont); + return to_return; + } + + #ifdef OLDER_OPENSSL +-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a, +- const BIGNUM *p, const BIGNUM *m, +- BN_CTX *ctx, BN_MONT_CTX *m_ctx); + + static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) + #else +-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a, +- const BIGNUM *p, const BIGNUM *m, +- BN_CTX *ctx, BN_MONT_CTX *m_ctx); + + static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) + #endif + { +- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup) +- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx); ++ if (!ibmca_mod_exp(r, a, p, m, ctx)) ++ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); + return 1; + } + +@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void) + { + const DSA_METHOD *meth1 = DSA_OpenSSL(); + +- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp; +- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp; + dsa_m.dsa_do_sign = meth1->dsa_do_sign; + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; + dsa_m.dsa_do_verify = meth1->dsa_do_verify; +@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void) + + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL + || (meth1 = DSA_OpenSSL()) == NULL +- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL +- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) + || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) diff --git a/SOURCES/openssl-ibmca-multi.patch b/SOURCES/openssl-ibmca-multi.patch deleted file mode 100644 index d12f2d0..0000000 --- a/SOURCES/openssl-ibmca-multi.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 40928425d848827fa8427d677e37178ab3b57e50 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Fri, 23 Apr 2021 15:09:36 +0200 -Subject: [PATCH] Fix for multiple loading of the engine. - -The ibmca engine global state gets destroyed if the engine is loaded multiple -times. This happens, e.g., during a git clone via https where first -git-remote-https loads the engine and initializes it, and the libcurl loads -the engine a second time, does not initialize it, but then destroy its second -copy. During destruction, OpenSSL calls into the ibmca_destroy function when -then manipulates global state that is shared with the first engine (the one -loaded by git-remote-https which is still actively used). - -Furthermore, the second load changes some global variables which causes the -engine to not have any pkey methods registered anymore. - -To fix this, add a load count and only destroy global state once the load -count drops to zero. Also move the setting of the engine properties from the -load phase (where OpenSSL only creates a structural reference) to the -initialization phase (where OpenSSL create a functional reference). This -prevents another overwrite of global variables. - -Signed-off-by: Juergen Christ ---- - src/e_ibmca.c | 29 +++++++++++++++++++++++++---- - 1 file changed, 25 insertions(+), 4 deletions(-) - -diff --git a/src/e_ibmca.c b/src/e_ibmca.c -index b448e2c..a9b8a10 100644 ---- a/src/e_ibmca.c -+++ b/src/e_ibmca.c -@@ -1,5 +1,5 @@ - /* -- * Copyright [2005-2018] International Business Machines Corp. -+ * Copyright [2005-2021] International Business Machines Corp. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -175,6 +175,10 @@ static size_t size_cipher_list = 0; - static size_t size_digest_list = 0; - static size_t size_pkey_meths_list = 0; - -+static CRYPTO_ONCE bindcountlockinitonce = CRYPTO_ONCE_STATIC_INIT; -+static CRYPTO_RWLOCK *bindcountlock = NULL; -+static int bindcount = 0; -+ - static struct crypto_pair ibmca_cipher_lists; - static struct crypto_pair ibmca_digest_lists; - static struct crypto_pair ibmca_pkey_meths_lists; -@@ -189,6 +193,11 @@ static int ibmca_engine_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, - const int **nids, int nid); - static int ibmca_usable_pkey_meths(const int **nids); - -+static void bindcountlockinit(void) -+{ -+ bindcountlock = CRYPTO_THREAD_lock_new(); -+} -+ - /* RAND stuff */ - static int ibmca_rand_bytes(unsigned char *buf, int num); - static int ibmca_rand_status(void); -@@ -217,6 +226,10 @@ static const ENGINE_CMD_DEFN ibmca_cmd_defns[] = { - /* Destructor (complements the "ENGINE_ibmca()" constructor) */ - static int ibmca_destroy(ENGINE *e) - { -+ int newbindcount; -+ CRYPTO_atomic_add(&bindcount, -1, &newbindcount, bindcountlock); -+ if (newbindcount) -+ return 1; - /* Unload the ibmca error strings so any error state including our - * functs or reasons won't lead to a segfault (they simply get displayed - * without corresponding string data because none will be found). -@@ -785,6 +798,9 @@ static void ibmca_destructor(void) - } - - p_ica_close_adapter(ibmca_handle); -+ -+ if (bindcountlock) -+ CRYPTO_THREAD_lock_free(bindcountlock); - } - - static int ibmca_init(ENGINE *e) -@@ -792,6 +808,9 @@ static int ibmca_init(ENGINE *e) - if (ibmca_dso == NULL) - return 0; - -+ if (!set_supported_meths(e)) -+ return 0; -+ - return 1; - } - -@@ -829,6 +848,11 @@ static int ibmca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) ()) - */ - static int bind_helper(ENGINE *e) - { -+ int ignored; -+ -+ CRYPTO_THREAD_run_once(&bindcountlockinitonce, bindcountlockinit); -+ -+ CRYPTO_atomic_add(&bindcount, 1, &ignored, bindcountlock); - ERR_load_IBMCA_strings(); - - if (!ENGINE_set_id(e, engine_ibmca_id) || -@@ -843,9 +867,6 @@ static int bind_helper(ENGINE *e) - if (ibmca_dso == NULL) - return 0; - -- if (!set_supported_meths(e)) -- return 0; -- - return 1; - } - diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec index 1e394f6..e508c83 100644 --- a/SPECS/openssl-ibmca.spec +++ b/SPECS/openssl-ibmca.spec @@ -2,18 +2,22 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca -Version: 2.1.1 -Release: 1%{?dist}.1 +Version: 2.2.0 +Release: 2%{?dist} License: ASL 2.0 Group: System Environment/Libraries URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -# https://github.com/opencryptoki/openssl-ibmca/commit/40928425d848827fa8427d677e37178ab3b57e50 -Patch0: %{name}-multi.patch -Requires: libica >= 3.6.0 +# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240 +Patch0: openssl-ibmca-2.2.0-eckey.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1989064 +# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20 +Patch1: openssl-ibmca-2.2.0-fix-registration.patch +Requires: libica >= 3.8.0 BuildRequires: gcc -BuildRequires: libica-devel >= 3.6.0 +BuildRequires: libica-devel >= 3.8.0 BuildRequires: automake libtool +BuildRequires: openssl ExclusiveArch: s390 s390x @@ -40,6 +44,13 @@ pushd src sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} popd +# remove generated sample configs +rm -rf %{buildroot}%{_datadir}/%{name} + + +%check +make check + %files %license LICENSE @@ -49,9 +60,14 @@ popd %changelog -* Tue May 11 2021 Dan Horák - 2.1.1-1.1 -- Fix for multiple loading of the engine (#1957153) -- Resolves: #1957153 +* Mon Aug 09 2021 Dan Horák - 2.2.0-2 +- fix DSA and DH registration (#1989064) +- Resolves: #1989064 + +* Tue Jul 13 2021 Dan Horák - 2.2.0-1 +- updated to 2.2.0 (#1919222) +- do not use libica software fallbacks (#1922204) +- Resolves: #1919222 #1922204 * Thu May 21 2020 Dan Horák - 2.1.1-1 - updated to 2.1.1 (#1780306)