- updated to 2.2.0

2021-06-04 08:05:04 +00:00 · 2021-06-04 08:05:04 +00:00 · 6a686d21ad
commit 6a686d21ad
parent 64820002fb
4 changed files with 46 additions and 203 deletions
--- a/openssl-ibmca-2.2.0-eckey.patch
+++ b/openssl-ibmca-2.2.0-eckey.patch
@ -0,0 +1,31 @@
 From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
 From: Juergen Christ <jchrist@linux.ibm.com>
 Date: Mon, 31 May 2021 18:00:07 +0200
 Subject: [PATCH] Skip eckey test if needed.
 Without crypto cards on a machine < z15, ibmca might not register with the
 EC_KEY subsystem of OpenSSL.  In these cases, the eckey test should be skipped
 since it is doomed to fail.
 Fixes #69.
 Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
 ---
 test/eckey.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/test/eckey.c b/test/eckey.c
 index 35b3df2..6d0870b 100644
 --- a/test/eckey.c
 +++ b/test/eckey.c
@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
         fprintf(stderr, "ibmca engine not loaded\n");
         goto out;
     }
 +    if (ENGINE_get_EC(engine) == NULL) {
 +        fprintf(stderr, "ibmca does not support EC_KEY.  Skipping...\n");
 +        exit(77);
 +    }
     eckey = EC_KEY_new_by_curve_name(nid);
     if (eckey == NULL) {
         /* curve not supported => test passed */
--- a/openssl-ibmca-tests.patch
+++ b/openssl-ibmca-tests.patch
@ -1,194 +0,0 @@
 From 281cb45a8514e616a777a7a5b93c1dd28ae428e9 Mon Sep 17 00:00:00 2001
 From: Juergen Christ <jchrist@linux.ibm.com>
 Date: Mon, 3 May 2021 11:47:59 +0200
 Subject: [PATCH] Fix test problems on non-z15 without CEX cards
 The tests assumed to run on a z15 with a CEX card that supports secp384r1.
 Check these assumptions and skip tests if they are not valid.
 Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
 ---
 test/loadtest-ec.c | 49 ++++++++++++++++++++++++++++++++++++++++++----
 test/loadtest.c    | 13 ++++++++++--
 test/threadtest.c  | 16 ++++++++++++++-
 3 files changed, 71 insertions(+), 7 deletions(-)
 diff --git a/test/loadtest-ec.c b/test/loadtest-ec.c
 index a5821b7..cd35729 100644
 --- a/test/loadtest-ec.c
 +++ b/test/loadtest-ec.c
@@ -11,7 +11,11 @@
 int setup()
 {
     const SSL_METHOD *req_method;
 -    SSL_CTX *ctx;
 +    SSL_CTX          *ctx;
 +    EC_KEY           *eckey = NULL;
 +    ENGINE           *ibmca;
 +    ENGINE           *actual;
 +    int               ret = 0;
     /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
     OPENSSL_load_builtin_modules();
@@ -52,6 +56,24 @@ int setup()
     OpenSSL_add_all_algorithms();
 #endif
     /* End code copy from libcurl 7.61.1 Curl_ossl_init function */
 +
 +    ibmca = ENGINE_by_id("ibmca");
 +    if (ibmca == NULL) {
 +        fprintf(stderr, "Failed to retrieve ibmca engine\n");
 +        goto out;
 +    }
 +    
 +    eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
 +    if (eckey == NULL) {
 +        /* error */
 +        fprintf(stderr, "Failed to create EC_KEY for secp384r1\n");
 +        goto out;
 +    }
 +    actual = EC_KEY_get0_engine(eckey);
 +    if (ibmca != actual) {
 +        fprintf(stderr, "EC_KEY not associated with ibmca\n");
 +        goto out;
 +    }
     /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
     req_method = TLS_client_method();
@@ -59,7 +81,11 @@ int setup()
        second time. */
     ctx = SSL_CTX_new(req_method);
     SSL_CTX_free(ctx);
 -    return 1;
 +    ret = 1;
 + out:
 +    if (eckey)
 +        EC_KEY_free(eckey);
 +    return ret;
 }
 int check_globals()
@@ -68,8 +94,16 @@ int check_globals()
     ECDSA_SIG     *sig = NULL;
     EC_KEY        *eckey = NULL;
     unsigned char  digest[20];
 +    ENGINE        *ibmca;
 +    ENGINE        *actual;
     memset(digest, 0, sizeof(digest));
 +
 +    ibmca = ENGINE_by_id("ibmca");
 +    if (ibmca == NULL) {
 +        fprintf(stderr, "Failed to retrieve ibmca engine\n");
 +        goto out;
 +    }
     eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
     if (eckey == NULL) {
@@ -82,6 +116,13 @@ int check_globals()
         fprintf(stderr, "Failed to generate EC_KEY\n");
         goto out;
     }
 +
 +    actual = EC_KEY_get0_engine(eckey);
 +    if (ibmca != actual) {
 +        fprintf(stderr, "EC_KEY not associated with ibmca\n");
 +        goto out;
 +    }
 +    
     sig = ECDSA_do_sign(digest, sizeof(digest), eckey);
     if (sig == NULL) {
         /* error */
@@ -123,8 +164,8 @@ int main(int argc, char **argv)
     }
     if (!setup()) {
 -        fprintf(stderr, "Setup failed!\n");
 -        return 99;
 +        fprintf(stderr, "Setup failed!  Skipping...\n");
 +        return 77;
     }
     if (!check_globals()) {
         fprintf(stderr, "Check for global variables failed!\n");
 diff --git a/test/loadtest.c b/test/loadtest.c
 index fea6f62..19f0cf9 100644
 --- a/test/loadtest.c
 +++ b/test/loadtest.c
@@ -12,6 +12,8 @@ int setup()
 {
     const SSL_METHOD *req_method;
     SSL_CTX *ctx;
 +    ENGINE        *engine;
 +    EVP_PKEY_CTX  *pctx = NULL;
     /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
     OPENSSL_load_builtin_modules();
@@ -52,6 +54,13 @@ int setup()
     OpenSSL_add_all_algorithms();
 #endif
     /* End code copy from libcurl 7.61.1 Curl_ossl_init function */
 +
 +    engine = ENGINE_by_id("ibmca");
 +    pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
 +    if (pctx == NULL) {
 +        return 0;
 +    }
 +    EVP_PKEY_CTX_free(pctx);
     /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
     req_method = TLS_client_method();
@@ -112,8 +121,8 @@ int main(int argc, char **argv)
     }
     if (!setup()) {
 -        fprintf(stderr, "Setup failed!\n");
 -        return 99;
 +        fprintf(stderr, "Setup failed!  Skipping...\n");
 +        return 77;
     }
     if (!check_globals()) {
         fprintf(stderr, "Check for global variables failed!\n");
 diff --git a/test/threadtest.c b/test/threadtest.c
 index 159c363..662ebf5 100644
 --- a/test/threadtest.c
 +++ b/test/threadtest.c
@@ -17,6 +17,9 @@
 static int setup()
 {
 +    ENGINE        *engine;
 +    EVP_PKEY_CTX  *pctx = NULL;
 +
     OPENSSL_load_builtin_modules();
     ENGINE_load_builtin_engines();
@@ -37,6 +40,14 @@ static int setup()
 #else
     OpenSSL_add_all_algorithms();
 #endif
 +
 +    engine = ENGINE_by_id("ibmca");
 +    pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
 +    if (pctx == NULL) {
 +        return 0;
 +    }
 +    EVP_PKEY_CTX_free(pctx);
 +
     return 1;
 }
@@ -132,7 +143,10 @@ int main(int argc, char **argv)
         return 1;
     }
 -    setup();
 +    if (setup() != 1) {
 +        fprintf(stderr, "Failed to set up test.  Skipping...\n");
 +        return 77;
 +    }
     me = pthread_self();
     // Start threads
 -- 
 2.31.1
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@ -2,17 +2,17 @@
 Summary: A dynamic OpenSSL engine for IBMCA
 Name: openssl-ibmca
-Version: 2.1.2
+Version: 2.2.0
 Release: 1%{?dist}
 License: ASL 2.0
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-# https://github.com/opencryptoki/openssl-ibmca/commit/281cb45a8514e616a777a7a5b93c1dd28ae428e9
+# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240
-Patch0: %{name}-tests.patch
+Patch0: openssl-ibmca-2.2.0-eckey.patch
-Requires: libica >= 3.6.0
+Requires: libica >= 3.8.0
 BuildRequires: make
 BuildRequires: gcc
-BuildRequires: libica-devel >= 3.6.0
+BuildRequires: libica-devel >= 3.8.0
 BuildRequires: automake libtool
 ExclusiveArch: s390 s390x
@ -28,18 +28,21 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
 %build
-%configure --libdir=%{enginesdir}
+%configure --libdir=%{enginesdir} --with-libica-cex
 %make_build
 %install
 %make_install
-rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
+rm -f %{buildroot}%{enginesdir}/*.la
 pushd src
 sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
 popd
 # remove generated sample configs
 rm -rf %{buildroot}%{_datadir}/%{name}
 %check
 make check
@ -47,12 +50,15 @@ make check
 %files
 %license LICENSE
-%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch}
+%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/gensamplecfg.pl
 %{enginesdir}/ibmca.so
 %{_mandir}/man5/ibmca.5*
 %changelog
 * Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
 - updated to 2.2.0
 * Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
 - updated to 2.1.2
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-ibmca-2.1.2.tar.gz) = 4b91ae6fe0950540b253aec70494ed8b6563d10aeddb74468944864bd48c6230e3b0235a4c85a7bf73dd385850b07a2038111d0a3e728cbeafb1f1de14e53afe
+SHA512 (openssl-ibmca-2.2.0.tar.gz) = 1e88c1726a6473045e46fbd8f0edc8c95cb5c6794b9d3535871bdc0cada28392b392b5e0bc96d9cb152b20501e2c60abf8ac5d0df5f4081e64768abea7a818f5
`@ -1 +1 @@`
	`SHA512 (openssl-ibmca-2.1.2.tar.gz) = 4b91ae6fe0950540b253aec70494ed8b6563d10aeddb74468944864bd48c6230e3b0235a4c85a7bf73dd385850b07a2038111d0a3e728cbeafb1f1de14e53afe`	`SHA512 (openssl-ibmca-2.2.0.tar.gz) = 1e88c1726a6473045e46fbd8f0edc8c95cb5c6794b9d3535871bdc0cada28392b392b5e0bc96d9cb152b20501e2c60abf8ac5d0df5f4081e64768abea7a818f5`