diff --git a/openssl-ibmca-tests.patch b/openssl-ibmca-tests.patch
new file mode 100644
index 0000000..17e8cc9
--- /dev/null
+++ b/openssl-ibmca-tests.patch
@@ -0,0 +1,194 @@
+From 281cb45a8514e616a777a7a5b93c1dd28ae428e9 Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Mon, 3 May 2021 11:47:59 +0200
+Subject: [PATCH] Fix test problems on non-z15 without CEX cards
+
+The tests assumed to run on a z15 with a CEX card that supports secp384r1.
+Check these assumptions and skip tests if they are not valid.
+
+Signed-off-by: Juergen Christ
+---
+ test/loadtest-ec.c | 49 ++++++++++++++++++++++++++++++++++++++++++----
+ test/loadtest.c | 13 ++++++++++--
+ test/threadtest.c | 16 ++++++++++++++-
+ 3 files changed, 71 insertions(+), 7 deletions(-)
+
+diff --git a/test/loadtest-ec.c b/test/loadtest-ec.c
+index a5821b7..cd35729 100644
+--- a/test/loadtest-ec.c
++++ b/test/loadtest-ec.c
+@@ -11,7 +11,11 @@
+ int setup()
+ {
+ const SSL_METHOD *req_method;
+- SSL_CTX *ctx;
++ SSL_CTX *ctx;
++ EC_KEY *eckey = NULL;
++ ENGINE *ibmca;
++ ENGINE *actual;
++ int ret = 0;
+
+ /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
+ OPENSSL_load_builtin_modules();
+@@ -52,6 +56,24 @@ int setup()
+ OpenSSL_add_all_algorithms();
+ #endif
+ /* End code copy from libcurl 7.61.1 Curl_ossl_init function */
++
++ ibmca = ENGINE_by_id("ibmca");
++ if (ibmca == NULL) {
++ fprintf(stderr, "Failed to retrieve ibmca engine\n");
++ goto out;
++ }
++
++ eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
++ if (eckey == NULL) {
++ /* error */
++ fprintf(stderr, "Failed to create EC_KEY for secp384r1\n");
++ goto out;
++ }
++ actual = EC_KEY_get0_engine(eckey);
++ if (ibmca != actual) {
++ fprintf(stderr, "EC_KEY not associated with ibmca\n");
++ goto out;
++ }
+
+ /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
+ req_method = TLS_client_method();
+@@ -59,7 +81,11 @@ int setup()
+ second time. */
+ ctx = SSL_CTX_new(req_method);
+ SSL_CTX_free(ctx);
+- return 1;
++ ret = 1;
++ out:
++ if (eckey)
++ EC_KEY_free(eckey);
++ return ret;
+ }
+
+ int check_globals()
+@@ -68,8 +94,16 @@ int check_globals()
+ ECDSA_SIG *sig = NULL;
+ EC_KEY *eckey = NULL;
+ unsigned char digest[20];
++ ENGINE *ibmca;
++ ENGINE *actual;
+
+ memset(digest, 0, sizeof(digest));
++
++ ibmca = ENGINE_by_id("ibmca");
++ if (ibmca == NULL) {
++ fprintf(stderr, "Failed to retrieve ibmca engine\n");
++ goto out;
++ }
+
+ eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (eckey == NULL) {
+@@ -82,6 +116,13 @@ int check_globals()
+ fprintf(stderr, "Failed to generate EC_KEY\n");
+ goto out;
+ }
++
++ actual = EC_KEY_get0_engine(eckey);
++ if (ibmca != actual) {
++ fprintf(stderr, "EC_KEY not associated with ibmca\n");
++ goto out;
++ }
++
+ sig = ECDSA_do_sign(digest, sizeof(digest), eckey);
+ if (sig == NULL) {
+ /* error */
+@@ -123,8 +164,8 @@ int main(int argc, char **argv)
+ }
+
+ if (!setup()) {
+- fprintf(stderr, "Setup failed!\n");
+- return 99;
++ fprintf(stderr, "Setup failed! Skipping...\n");
++ return 77;
+ }
+ if (!check_globals()) {
+ fprintf(stderr, "Check for global variables failed!\n");
+diff --git a/test/loadtest.c b/test/loadtest.c
+index fea6f62..19f0cf9 100644
+--- a/test/loadtest.c
++++ b/test/loadtest.c
+@@ -12,6 +12,8 @@ int setup()
+ {
+ const SSL_METHOD *req_method;
+ SSL_CTX *ctx;
++ ENGINE *engine;
++ EVP_PKEY_CTX *pctx = NULL;
+
+ /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
+ OPENSSL_load_builtin_modules();
+@@ -52,6 +54,13 @@ int setup()
+ OpenSSL_add_all_algorithms();
+ #endif
+ /* End code copy from libcurl 7.61.1 Curl_ossl_init function */
++
++ engine = ENGINE_by_id("ibmca");
++ pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
++ if (pctx == NULL) {
++ return 0;
++ }
++ EVP_PKEY_CTX_free(pctx);
+
+ /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
+ req_method = TLS_client_method();
+@@ -112,8 +121,8 @@ int main(int argc, char **argv)
+ }
+
+ if (!setup()) {
+- fprintf(stderr, "Setup failed!\n");
+- return 99;
++ fprintf(stderr, "Setup failed! Skipping...\n");
++ return 77;
+ }
+ if (!check_globals()) {
+ fprintf(stderr, "Check for global variables failed!\n");
+diff --git a/test/threadtest.c b/test/threadtest.c
+index 159c363..662ebf5 100644
+--- a/test/threadtest.c
++++ b/test/threadtest.c
+@@ -17,6 +17,9 @@
+
+ static int setup()
+ {
++ ENGINE *engine;
++ EVP_PKEY_CTX *pctx = NULL;
++
+ OPENSSL_load_builtin_modules();
+
+ ENGINE_load_builtin_engines();
+@@ -37,6 +40,14 @@ static int setup()
+ #else
+ OpenSSL_add_all_algorithms();
+ #endif
++
++ engine = ENGINE_by_id("ibmca");
++ pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
++ if (pctx == NULL) {
++ return 0;
++ }
++ EVP_PKEY_CTX_free(pctx);
++
+ return 1;
+ }
+
+@@ -132,7 +143,10 @@ int main(int argc, char **argv)
+ return 1;
+ }
+
+- setup();
++ if (setup() != 1) {
++ fprintf(stderr, "Failed to set up test. Skipping...\n");
++ return 77;
++ }
+
+ me = pthread_self();
+ // Start threads
+--
+2.31.1
+
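Review bot: The `setup()` additions in `test/loadtest.c` and `test/threadtest.c` pass the result of `ENGINE_by_id("ibmca")` straight to `EVP_PKEY_CTX_new_id(NID_X25519, engine)` without the NULL check that `test/loadtest-ec.c` has. With a NULL engine OpenSSL falls back to its default X25519 implementation, so the probe can succeed and the test would presumably run without ibmca rather than skip; `if (engine == NULL) return 0;` before the probe closes that gap. None of the three files releases the reference obtained from `ENGINE_by_id`, so a matching `ENGINE_free()` call is missing on both the success and the failure paths. Because every `setup()` failure now exits with 77, a missing or broken engine is reported as a skip, and the `make check` step in the spec will likely still pass; a comment such as `/* 77 = skipped: ibmca or required hardware support not available */` would make that intent explicit. The inner hunks show only parts of `setup()`, `check_globals()` and `main()`.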
diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 6684a3f..6bfc9c6 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -2,11 +2,13 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca -Version: 2.1.1 -Release: 3%{?dist} +Version: 2.1.2 +Release: 1%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +# https://github.com/opencryptoki/openssl-ibmca/commit/281cb45a8514e616a777a7a5b93c1dd28ae428e9 +Patch0: %{name}-tests.patch Requires: libica >= 3.6.0 BuildRequires: make BuildRequires: gcc @@ -51,6 +53,9 @@ make check %changelog +* Wed May 12 2021 Dan HorĂ¡k - 2.1.2-1 +- updated to 2.1.2 + * Tue Jan 26 2021 Fedora Release Engineering - 2.1.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild