rpms/openssl-ibmca
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- updated to 2.2.0

Browse Source
This commit is contained in:
Dan Horák 2021-06-04 08:05:04 +00:00
parent 64820002fb
commit 6a686d21ad
4 changed files with 46 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
openssl-ibmca-2.2.0-eckey.patch Normal file
View File

@ -0,0 +1,31 @@
From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Mon, 31 May 2021 18:00:07 +0200
Subject: [PATCH] Skip eckey test if needed.
Without crypto cards on a machine < z15, ibmca might not register with the
EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped
since it is doomed to fail.
Fixes #69.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
test/eckey.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/test/eckey.c b/test/eckey.c
index 35b3df2..6d0870b 100644
--- a/test/eckey.c
+++ b/test/eckey.c
@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
fprintf(stderr, "ibmca engine not loaded\n");
goto out;
}
+ if (ENGINE_get_EC(engine) == NULL) {
+ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n");
+ exit(77);
+ }
eckey = EC_KEY_new_by_curve_name(nid);
if (eckey == NULL) {
/* curve not supported => test passed */

194
openssl-ibmca-tests.patch
View File

@ -1,194 +0,0 @@
From 281cb45a8514e616a777a7a5b93c1dd28ae428e9 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Mon, 3 May 2021 11:47:59 +0200
Subject: [PATCH] Fix test problems on non-z15 without CEX cards
The tests assumed to run on a z15 with a CEX card that supports secp384r1.
Check these assumptions and skip tests if they are not valid.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
test/loadtest-ec.c | 49 ++++++++++++++++++++++++++++++++++++++++++----
test/loadtest.c | 13 ++++++++++--
test/threadtest.c | 16 ++++++++++++++-
3 files changed, 71 insertions(+), 7 deletions(-)
diff --git a/test/loadtest-ec.c b/test/loadtest-ec.c
index a5821b7..cd35729 100644
--- a/test/loadtest-ec.c
+++ b/test/loadtest-ec.c
@@ -11,7 +11,11 @@
int setup()
{
const SSL_METHOD *req_method;
- SSL_CTX *ctx;
+ SSL_CTX *ctx;
+ EC_KEY *eckey = NULL;
+ ENGINE *ibmca;
+ ENGINE *actual;
+ int ret = 0;
/* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
OPENSSL_load_builtin_modules();
@@ -52,6 +56,24 @@ int setup()
OpenSSL_add_all_algorithms();
#endif
/* End code copy from libcurl 7.61.1 Curl_ossl_init function */
+
+ ibmca = ENGINE_by_id("ibmca");
+ if (ibmca == NULL) {
+ fprintf(stderr, "Failed to retrieve ibmca engine\n");
+ goto out;
+ }
+
+ eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (eckey == NULL) {
+ /* error */
+ fprintf(stderr, "Failed to create EC_KEY for secp384r1\n");
+ goto out;
+ }
+ actual = EC_KEY_get0_engine(eckey);
+ if (ibmca != actual) {
+ fprintf(stderr, "EC_KEY not associated with ibmca\n");
+ goto out;
+ }
/* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
req_method = TLS_client_method();
@@ -59,7 +81,11 @@ int setup()
second time. */
ctx = SSL_CTX_new(req_method);
SSL_CTX_free(ctx);
- return 1;
+ ret = 1;
+ out:
+ if (eckey)
+ EC_KEY_free(eckey);
+ return ret;
}
int check_globals()
@@ -68,8 +94,16 @@ int check_globals()
ECDSA_SIG *sig = NULL;
EC_KEY *eckey = NULL;
unsigned char digest[20];
+ ENGINE *ibmca;
+ ENGINE *actual;
memset(digest, 0, sizeof(digest));
+
+ ibmca = ENGINE_by_id("ibmca");
+ if (ibmca == NULL) {
+ fprintf(stderr, "Failed to retrieve ibmca engine\n");
+ goto out;
+ }
eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
if (eckey == NULL) {
@@ -82,6 +116,13 @@ int check_globals()
fprintf(stderr, "Failed to generate EC_KEY\n");
goto out;
}
+
+ actual = EC_KEY_get0_engine(eckey);
+ if (ibmca != actual) {
+ fprintf(stderr, "EC_KEY not associated with ibmca\n");
+ goto out;
+ }
+
sig = ECDSA_do_sign(digest, sizeof(digest), eckey);
if (sig == NULL) {
/* error */
@@ -123,8 +164,8 @@ int main(int argc, char **argv)
}
if (!setup()) {
- fprintf(stderr, "Setup failed!\n");
- return 99;
+ fprintf(stderr, "Setup failed! Skipping...\n");
+ return 77;
}
if (!check_globals()) {
fprintf(stderr, "Check for global variables failed!\n");
diff --git a/test/loadtest.c b/test/loadtest.c
index fea6f62..19f0cf9 100644
--- a/test/loadtest.c
+++ b/test/loadtest.c
@@ -12,6 +12,8 @@ int setup()
{
const SSL_METHOD *req_method;
SSL_CTX *ctx;
+ ENGINE *engine;
+ EVP_PKEY_CTX *pctx = NULL;
/* Start code copy from libcurl 7.61.1 Curl_ossl_init function */
OPENSSL_load_builtin_modules();
@@ -52,6 +54,13 @@ int setup()
OpenSSL_add_all_algorithms();
#endif
/* End code copy from libcurl 7.61.1 Curl_ossl_init function */
+
+ engine = ENGINE_by_id("ibmca");
+ pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
+ if (pctx == NULL) {
+ return 0;
+ }
+ EVP_PKEY_CTX_free(pctx);
/* Start extraction from libcurl 7.61.1 ossl_connect_step1 */
req_method = TLS_client_method();
@@ -112,8 +121,8 @@ int main(int argc, char **argv)
}
if (!setup()) {
- fprintf(stderr, "Setup failed!\n");
- return 99;
+ fprintf(stderr, "Setup failed! Skipping...\n");
+ return 77;
}
if (!check_globals()) {
fprintf(stderr, "Check for global variables failed!\n");
diff --git a/test/threadtest.c b/test/threadtest.c
index 159c363..662ebf5 100644
--- a/test/threadtest.c
+++ b/test/threadtest.c
@@ -17,6 +17,9 @@
static int setup()
{
+ ENGINE *engine;
+ EVP_PKEY_CTX *pctx = NULL;
+
OPENSSL_load_builtin_modules();
ENGINE_load_builtin_engines();
@@ -37,6 +40,14 @@ static int setup()
#else
OpenSSL_add_all_algorithms();
#endif
+
+ engine = ENGINE_by_id("ibmca");
+ pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine);
+ if (pctx == NULL) {
+ return 0;
+ }
+ EVP_PKEY_CTX_free(pctx);
+
return 1;
}
@@ -132,7 +143,10 @@ int main(int argc, char **argv)
return 1;
}
- setup();
+ if (setup() != 1) {
+ fprintf(stderr, "Failed to set up test. Skipping...\n");
+ return 77;
+ }
me = pthread_self();
// Start threads
--
2.31.1

22
openssl-ibmca.spec
View File

@ -2,17 +2,17 @@
Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca
Version: 2.1.2
Version: 2.2.0
Release: 1%{?dist}
License: ASL 2.0
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://github.com/opencryptoki/openssl-ibmca/commit/281cb45a8514e616a777a7a5b93c1dd28ae428e9
Patch0: %{name}-tests.patch
Requires: libica >= 3.6.0
# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240
Patch0: openssl-ibmca-2.2.0-eckey.patch
Requires: libica >= 3.8.0
BuildRequires: make
BuildRequires: gcc
BuildRequires: libica-devel >= 3.6.0
BuildRequires: libica-devel >= 3.8.0
BuildRequires: automake libtool
ExclusiveArch: s390 s390x
@ -28,18 +28,21 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
%build
%configure --libdir=%{enginesdir}
%configure --libdir=%{enginesdir} --with-libica-cex
%make_build
%install
%make_install
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
rm -f %{buildroot}%{enginesdir}/*.la
pushd src
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
popd
# remove generated sample configs
rm -rf %{buildroot}%{_datadir}/%{name}
%check
make check
@ -47,12 +50,15 @@ make check
%files
%license LICENSE
%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch}
%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/gensamplecfg.pl
%{enginesdir}/ibmca.so
%{_mandir}/man5/ibmca.5*
%changelog
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
- updated to 2.2.0
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
- updated to 2.1.2

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-ibmca-2.1.2.tar.gz) = 4b91ae6fe0950540b253aec70494ed8b6563d10aeddb74468944864bd48c6230e3b0235a4c85a7bf73dd385850b07a2038111d0a3e728cbeafb1f1de14e53afe
SHA512 (openssl-ibmca-2.2.0.tar.gz) = 1e88c1726a6473045e46fbd8f0edc8c95cb5c6794b9d3535871bdc0cada28392b392b5e0bc96d9cb152b20501e2c60abf8ac5d0df5f4081e64768abea7a818f5