import openssl-ibmca-2.2.0-2.el8

This commit is contained in:
CentOS Sources 2021-11-09 05:08:50 -05:00 committed by Stepan Oksanichenko
parent 656084f5a1
commit 5e3860b553
6 changed files with 163 additions and 125 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openssl-ibmca-2.1.1.tar.gz SOURCES/openssl-ibmca-2.2.0.tar.gz

View File

@ -1 +1 @@
6f245f09c9ae7c1c1e287030aa5bd1db340dbdb0 SOURCES/openssl-ibmca-2.1.1.tar.gz 9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz

View File

@ -0,0 +1,31 @@
From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Mon, 31 May 2021 18:00:07 +0200
Subject: [PATCH] Skip eckey test if needed.
Without crypto cards on a machine < z15, ibmca might not register with the
EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped
since it is doomed to fail.
Fixes #69.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
test/eckey.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/test/eckey.c b/test/eckey.c
index 35b3df2..6d0870b 100644
--- a/test/eckey.c
+++ b/test/eckey.c
@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
fprintf(stderr, "ibmca engine not loaded\n");
goto out;
}
+ if (ENGINE_get_EC(engine) == NULL) {
+ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n");
+ exit(77);
+ }
eckey = EC_KEY_new_by_curve_name(nid);
if (eckey == NULL) {
/* curve not supported => test passed */

View File

@ -0,0 +1,105 @@
From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 29 Jul 2021 17:38:59 +0200
Subject: [PATCH] Fix DSA and DH registration.
DSA does not provide backups by default.
Also fix typo in DH initialization.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/ibmca_dh.c | 2 +-
src/ibmca_dsa.c | 26 ++++----------------------
2 files changed, 5 insertions(+), 23 deletions(-)
diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
index 2459cf1..b2b75a9 100644
--- a/src/ibmca_dh.c
+++ b/src/ibmca_dh.c
@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
|| (meth1 = DH_OpenSSL()) == NULL
- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
+ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
|| !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
|| !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
|| !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
index f5bf4e4..3b5ac87 100644
--- a/src/ibmca_dsa.c
+++ b/src/ibmca_dsa.c
@@ -28,18 +28,10 @@
* RSA. Just check out the "signs" statistics from the RSA and DSA parts
* of "openssl speed -engine ibmca dsa1024 rsa1024". */
#ifdef OLDER_OPENSSL
-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
- BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *in_mont);
static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
#else
-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
- const BIGNUM *p1, const BIGNUM *a2,
- const BIGNUM *p2, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *in_mont);
static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
const BIGNUM *p1, const BIGNUM *a2,
const BIGNUM *p2, const BIGNUM *m,
@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
end:
BN_free(t);
- if (!to_return && ibmca_dsa_mod_exp_backup)
- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
+ if (!to_return)
+ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
return to_return;
}
#ifdef OLDER_OPENSSL
-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
- const BIGNUM *p, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx)
#else
-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *p, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx)
#endif
{
- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
+ if (!ibmca_mod_exp(r, a, p, m, ctx))
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
return 1;
}
@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
{
const DSA_METHOD *meth1 = DSA_OpenSSL();
- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp;
- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp;
dsa_m.dsa_do_sign = meth1->dsa_do_sign;
dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
dsa_m.dsa_do_verify = meth1->dsa_do_verify;
@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void)
if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
|| (meth1 = DSA_OpenSSL()) == NULL
- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL
- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL
|| !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
|| !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
|| !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))

View File

@ -1,114 +0,0 @@
From 40928425d848827fa8427d677e37178ab3b57e50 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Fri, 23 Apr 2021 15:09:36 +0200
Subject: [PATCH] Fix for multiple loading of the engine.
The ibmca engine global state gets destroyed if the engine is loaded multiple
times. This happens, e.g., during a git clone via https where first
git-remote-https loads the engine and initializes it, and the libcurl loads
the engine a second time, does not initialize it, but then destroy its second
copy. During destruction, OpenSSL calls into the ibmca_destroy function when
then manipulates global state that is shared with the first engine (the one
loaded by git-remote-https which is still actively used).
Furthermore, the second load changes some global variables which causes the
engine to not have any pkey methods registered anymore.
To fix this, add a load count and only destroy global state once the load
count drops to zero. Also move the setting of the engine properties from the
load phase (where OpenSSL only creates a structural reference) to the
initialization phase (where OpenSSL create a functional reference). This
prevents another overwrite of global variables.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/e_ibmca.c | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/e_ibmca.c b/src/e_ibmca.c
index b448e2c..a9b8a10 100644
--- a/src/e_ibmca.c
+++ b/src/e_ibmca.c
@@ -1,5 +1,5 @@
/*
- * Copyright [2005-2018] International Business Machines Corp.
+ * Copyright [2005-2021] International Business Machines Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -175,6 +175,10 @@ static size_t size_cipher_list = 0;
static size_t size_digest_list = 0;
static size_t size_pkey_meths_list = 0;
+static CRYPTO_ONCE bindcountlockinitonce = CRYPTO_ONCE_STATIC_INIT;
+static CRYPTO_RWLOCK *bindcountlock = NULL;
+static int bindcount = 0;
+
static struct crypto_pair ibmca_cipher_lists;
static struct crypto_pair ibmca_digest_lists;
static struct crypto_pair ibmca_pkey_meths_lists;
@@ -189,6 +193,11 @@ static int ibmca_engine_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
const int **nids, int nid);
static int ibmca_usable_pkey_meths(const int **nids);
+static void bindcountlockinit(void)
+{
+ bindcountlock = CRYPTO_THREAD_lock_new();
+}
+
/* RAND stuff */
static int ibmca_rand_bytes(unsigned char *buf, int num);
static int ibmca_rand_status(void);
@@ -217,6 +226,10 @@ static const ENGINE_CMD_DEFN ibmca_cmd_defns[] = {
/* Destructor (complements the "ENGINE_ibmca()" constructor) */
static int ibmca_destroy(ENGINE *e)
{
+ int newbindcount;
+ CRYPTO_atomic_add(&bindcount, -1, &newbindcount, bindcountlock);
+ if (newbindcount)
+ return 1;
/* Unload the ibmca error strings so any error state including our
* functs or reasons won't lead to a segfault (they simply get displayed
* without corresponding string data because none will be found).
@@ -785,6 +798,9 @@ static void ibmca_destructor(void)
}
p_ica_close_adapter(ibmca_handle);
+
+ if (bindcountlock)
+ CRYPTO_THREAD_lock_free(bindcountlock);
}
static int ibmca_init(ENGINE *e)
@@ -792,6 +808,9 @@ static int ibmca_init(ENGINE *e)
if (ibmca_dso == NULL)
return 0;
+ if (!set_supported_meths(e))
+ return 0;
+
return 1;
}
@@ -829,6 +848,11 @@ static int ibmca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) ())
*/
static int bind_helper(ENGINE *e)
{
+ int ignored;
+
+ CRYPTO_THREAD_run_once(&bindcountlockinitonce, bindcountlockinit);
+
+ CRYPTO_atomic_add(&bindcount, 1, &ignored, bindcountlock);
ERR_load_IBMCA_strings();
if (!ENGINE_set_id(e, engine_ibmca_id) ||
@@ -843,9 +867,6 @@ static int bind_helper(ENGINE *e)
if (ibmca_dso == NULL)
return 0;
- if (!set_supported_meths(e))
- return 0;
-
return 1;
}

View File

@ -2,18 +2,22 @@
Summary: A dynamic OpenSSL engine for IBMCA Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca Name: openssl-ibmca
Version: 2.1.1 Version: 2.2.0
Release: 1%{?dist}.1 Release: 2%{?dist}
License: ASL 2.0 License: ASL 2.0
Group: System Environment/Libraries Group: System Environment/Libraries
URL: https://github.com/opencryptoki URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://github.com/opencryptoki/openssl-ibmca/commit/40928425d848827fa8427d677e37178ab3b57e50 # https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240
Patch0: %{name}-multi.patch Patch0: openssl-ibmca-2.2.0-eckey.patch
Requires: libica >= 3.6.0 # https://bugzilla.redhat.com/show_bug.cgi?id=1989064
# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20
Patch1: openssl-ibmca-2.2.0-fix-registration.patch
Requires: libica >= 3.8.0
BuildRequires: gcc BuildRequires: gcc
BuildRequires: libica-devel >= 3.6.0 BuildRequires: libica-devel >= 3.8.0
BuildRequires: automake libtool BuildRequires: automake libtool
BuildRequires: openssl
ExclusiveArch: s390 s390x ExclusiveArch: s390 s390x
@ -40,6 +44,13 @@ pushd src
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
popd popd
# remove generated sample configs
rm -rf %{buildroot}%{_datadir}/%{name}
%check
make check
%files %files
%license LICENSE %license LICENSE
@ -49,9 +60,14 @@ popd
%changelog %changelog
* Tue May 11 2021 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1.1 * Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
- Fix for multiple loading of the engine (#1957153) - fix DSA and DH registration (#1989064)
- Resolves: #1957153 - Resolves: #1989064
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
- updated to 2.2.0 (#1919222)
- do not use libica software fallbacks (#1922204)
- Resolves: #1919222 #1922204
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1 * Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
- updated to 2.1.1 (#1780306) - updated to 2.1.1 (#1780306)