diff --git a/openssl-ibmca-2.2.0-eckey.patch b/openssl-ibmca-2.2.0-eckey.patch
new file mode 100644
index 0000000..6e8d490
--- /dev/null
+++ b/openssl-ibmca-2.2.0-eckey.patch
@@ -0,0 +1,31 @@
+From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Mon, 31 May 2021 18:00:07 +0200
+Subject: [PATCH] Skip eckey test if needed.
+
+Without crypto cards on a machine < z15, ibmca might not register with the
+EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped
+since it is doomed to fail.
+
+Fixes #69.
+
+Signed-off-by: Juergen Christ
+---
+ test/eckey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/eckey.c b/test/eckey.c
+index 35b3df2..6d0870b 100644
+--- a/test/eckey.c
++++ b/test/eckey.c
+@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
+ fprintf(stderr, "ibmca engine not loaded\n");
+ goto out;
+ }
++ if (ENGINE_get_EC(engine) == NULL) {
++ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n");
++ exit(77);
++ }
+ eckey = EC_KEY_new_by_curve_name(nid);
+ if (eckey == NULL) {
+ /* curve not supported => test passed */
diff --git a/openssl-ibmca-tests.patch b/openssl-ibmca-tests.patch
deleted file mode 100644
index 17e8cc9..0000000
--- a/openssl-ibmca-tests.patch
+++ /dev/null
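Review bot: The added `ENGINE_get_EC(engine) == NULL` branch in check_eckey reports every case where ibmca has not registered EC_KEY as a skip (exit status 77, which automake counts as SKIP), so a regression in which the engine stops registering EC on a machine that does have the hardware would also show up as skipped rather than failed, and `make check` in `%check` would still succeed. The commit message limits the intended case to machines below z15 without crypto cards, but the condition in the code does not test for that. I would at least record the limitation next to the check, e.g. `/* 77 = skip; also taken when EC registration fails on capable hardware, so review skipped results on z15/CEX builders */`. The branch also calls `exit(77)` directly while the neighbouring error path uses `goto out`, so whatever cleanup follows the `out` label is bypassed; check_eckey starts and ends outside the hunk, so that cleanup is not visible here.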
@@ -1,194 +0,0 @@
-From 281cb45a8514e616a777a7a5b93c1dd28ae428e9 Mon Sep 17 00:00:00 2001
-From: Juergen Christ
-Date: Mon, 3 May 2021 11:47:59 +0200
-Subject: [PATCH] Fix test problems on non-z15 without CEX cards
-
-The tests assumed to run on a z15 with a CEX card that supports secp384r1.
-Check these assumptions and skip tests if they are not valid.
-
-Signed-off-by: Juergen Christ
----
- test/loadtest-ec.c | 49 ++++++++++++++++++++++++++++++++++++++++++----
- test/loadtest.c | 13 ++++++++++--
- test/threadtest.c | 16 ++++++++++++++-
- 3 files changed, 71 insertions(+), 7 deletions(-)
-
-diff --git a/test/loadtest-ec.c b/test/loadtest-ec.c
-index a5821b7..cd35729 100644
---- a/test/loadtest-ec.c
-+++ b/test/loadtest-ec.c
-@@ -11,7 +11,11 @@
- int setup()
- {
- const SSL_METHOD *req_method;
-- SSL_CTX *ctx;
-+ SSL_CTX *ctx;
-+ EC_KEY *eckey = NULL;
-+ ENGINE *ibmca;
-+ ENGINE *actual;
-+ int ret = 0;
-
- /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
- OPENSSL_load_builtin_modules();
-@@ -52,6 +56,24 @@ int setup()
- OpenSSL_add_all_algorithms();
- #endif
- /* End code copy from libcurl 7.61.1 Curl_ossl_init function */
-+
-+ ibmca = ENGINE_by_id("ibmca");
-+ if (ibmca == NULL) {
-+ fprintf(stderr, "Failed to retrieve ibmca engine\n");
-+ goto out;
-+ }
-+
-+ eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
-+ if (eckey == NULL) {
-+ /* error */
-+ fprintf(stderr, "Failed to create EC_KEY for secp384r1\n");
-+ goto out;
-+ }
-+ actual = EC_KEY_get0_engine(eckey);
-+ if (ibmca != actual) {
-+ fprintf(stderr, "EC_KEY not associated with ibmca\n");
-+ goto out;
-+ }
-
- /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
- req_method = TLS_client_method();
-@@ -59,7 +81,11 @@ int setup()
- second time. */
- ctx = SSL_CTX_new(req_method);
- SSL_CTX_free(ctx);
-- return 1;
-+ ret = 1;
-+ out:
-+ if (eckey)
-+ EC_KEY_free(eckey);
-+ return ret;
- }
-
- int check_globals()
-@@ -68,8 +94,16 @@ int check_globals()
- ECDSA_SIG *sig = NULL;
- EC_KEY *eckey = NULL;
- unsigned char digest[20];
-+ ENGINE *ibmca;
-+ ENGINE *actual;
-
- memset(digest, 0, sizeof(digest));
-+
-+ ibmca = ENGINE_by_id("ibmca");
-+ if (ibmca == NULL) {
-+ fprintf(stderr, "Failed to retrieve ibmca engine\n");
-+ goto out;
-+ }
-
- eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
- if (eckey == NULL) {
-@@ -82,6 +116,13 @@ int check_globals()
- fprintf(stderr, "Failed to generate EC_KEY\n");
- goto out;
- }
-+
-+ actual = EC_KEY_get0_engine(eckey);
-+ if (ibmca != actual) {
-+ fprintf(stderr, "EC_KEY not associated with ibmca\n");
-+ goto out;
-+ }
-+
- sig = ECDSA_do_sign(digest, sizeof(digest), eckey);
- if (sig == NULL) {
- /* error */
-@@ -123,8 +164,8 @@ int main(int argc, char **argv)
- }
-
- if (!setup()) {
-- fprintf(stderr, "Setup failed!\n");
-- return 99;
-+ fprintf(stderr, "Setup failed! Skipping...\n");
-+ return 77;
- }
- if (!check_globals()) {
- fprintf(stderr, "Check for global variables failed!\n");
-diff --git a/test/loadtest.c b/test/loadtest.c
-index fea6f62..19f0cf9 100644
---- a/test/loadtest.c
-+++ b/test/loadtest.c
-@@ -12,6 +12,8 @@ int setup()
- {
- const SSL_METHOD *req_method;
- SSL_CTX *ctx;
-+ ENGINE *engine;
-+ EVP_PKEY_CTX *pctx = NULL;
-
- /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
- OPENSSL_load_builtin_modules();
-@@ -52,6 +54,13 @@ int setup()
- OpenSSL_add_all_algorithms();
- #endif
- /* End code copy from libcurl 7.61.1 Curl_ossl_init function */
-+
-+ engine = ENGINE_by_id("ibmca");
-+ pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
-+ if (pctx == NULL) {
-+ return 0;
-+ }
-+ EVP_PKEY_CTX_free(pctx);
-
- /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
- req_method = TLS_client_method();
-@@ -112,8 +121,8 @@ int main(int argc, char **argv)
- }
-
- if (!setup()) {
-- fprintf(stderr, "Setup failed!\n");
-- return 99;
-+ fprintf(stderr, "Setup failed! Skipping...\n");
-+ return 77;
- }
- if (!check_globals()) {
- fprintf(stderr, "Check for global variables failed!\n");
-diff --git a/test/threadtest.c b/test/threadtest.c
-index 159c363..662ebf5 100644
---- a/test/threadtest.c
-+++ b/test/threadtest.c
-@@ -17,6 +17,9 @@
-
- static int setup()
- {
-+ ENGINE *engine;
-+ EVP_PKEY_CTX *pctx = NULL;
-+
- OPENSSL_load_builtin_modules();
-
- ENGINE_load_builtin_engines();
-@@ -37,6 +40,14 @@ static int setup()
- #else
- OpenSSL_add_all_algorithms();
- #endif
-+
-+ engine = ENGINE_by_id("ibmca");
-+ pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
-+ if (pctx == NULL) {
-+ return 0;
-+ }
-+ EVP_PKEY_CTX_free(pctx);
-+
- return 1;
- }
-
-@@ -132,7 +143,10 @@ int main(int argc, char **argv)
- return 1;
- }
-
-- setup();
-+ if (setup() != 1) {
-+ fprintf(stderr, "Failed to set up test. Skipping...\n");
-+ return 77;
-+ }
-
- me = pthread_self();
- // Start threads
--- 
-2.31.1
-
diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 10259c3..9f87d55 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -2,17 +2,17 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca -Version: 2.1.2 +Version: 2.2.0 Release: 1%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -# https://github.com/opencryptoki/openssl-ibmca/commit/281cb45a8514e616a777a7a5b93c1dd28ae428e9 -Patch0: %{name}-tests.patch -Requires: libica >= 3.6.0 +# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240 +Patch0: openssl-ibmca-2.2.0-eckey.patch +Requires: libica >= 3.8.0 BuildRequires: make BuildRequires: gcc -BuildRequires: libica-devel >= 3.6.0 +BuildRequires: libica-devel >= 3.8.0 BuildRequires: automake libtool ExclusiveArch: s390 s390x @@ -28,18 +28,21 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines. %build -%configure --libdir=%{enginesdir} +%configure --libdir=%{enginesdir} --with-libica-cex %make_build %install %make_install -rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la +rm -f %{buildroot}%{enginesdir}/*.la pushd src sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} popd +# remove generated sample configs +rm -rf %{buildroot}%{_datadir}/%{name} + %check make check @@ -47,12 +50,15 @@ make check %files %license LICENSE -%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/gensamplecfg.pl %{enginesdir}/ibmca.so %{_mandir}/man5/ibmca.5* %changelog +* Fri Jun 04 2021 Dan Horák - 2.2.0-1 +- updated to 2.2.0 + * Wed May 12 2021 Dan Horák - 2.1.2-1 - updated to 2.1.2 diff --git a/sources b/sources index 348824e..780b75b 100644 --- a/sources +++ b/sources 
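Review bot: The `%configure` line in the `%build` hunk now passes `--with-libica-cex` with no comment explaining the choice, although by its name the option selects a different libica library for the engine to be built against, and so changes which crypto backend the packaged engine depends on at load time. The `Requires: libica >= 3.8.0` line in the first hunk presumably provides that library, but this is not visible from the spec and should be confirmed, since a missing library would only surface when the engine is loaded. I would add a comment above the line, e.g. `# build against libica-cex instead of libica (needs libica >= 3.8.0)`.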
@@ -1 +1 @@
-SHA512 (openssl-ibmca-2.1.2.tar.gz) = 4b91ae6fe0950540b253aec70494ed8b6563d10aeddb74468944864bd48c6230e3b0235a4c85a7bf73dd385850b07a2038111d0a3e728cbeafb1f1de14e53afe
+SHA512 (openssl-ibmca-2.2.0.tar.gz) = 1e88c1726a6473045e46fbd8f0edc8c95cb5c6794b9d3535871bdc0cada28392b392b5e0bc96d9cb152b20501e2c60abf8ac5d0df5f4081e64768abea7a818f5