diff --git a/openssl-ibmca-2.3.0-fixes.patch b/openssl-ibmca-2.3.0-fixes.patch deleted file mode 100644 index 65be671..0000000 --- a/openssl-ibmca-2.3.0-fixes.patch +++ /dev/null 
@@ -1,689 +0,0 @@ -From 1a75586c2821a55deeaa76861b1fc0539e6a3ca1 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Fri, 1 Apr 2022 10:47:45 +0200 -Subject: [PATCH 1/5] SPEC: Fix version number in provider-spec file - -Signed-off-by: Ingo Franzki ---- - openssl-ibmca-provider.spec | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/openssl-ibmca-provider.spec b/openssl-ibmca-provider.spec -index a3ef1a6..6c95b54 100644 ---- a/openssl-ibmca-provider.spec -+++ b/openssl-ibmca-provider.spec -@@ -5,7 +5,7 @@ - # %global modulesdir %(pkg-config --variable=modulesdir libcrypto) - - Name: openssl-ibmca --Version: 2.2.3 -+Version: 2.3.0 - Release: 1%{?dist} - Summary: An IBMCA OpenSSL dynamic provider - -@@ -45,6 +45,10 @@ mv -f src/provider/openssl.cnf.sample src/provider/openssl.cnf.sample.%{_arch} - %dir %attr(777,root,root) %{_localstatedir}/log/ibmca - - %changelog -+* Fri Mar 25 2022 Juergen Christ 2.3.0 -+- First version including the provider -+- Fix for engine build without OpenSSL 3.0 sources -+ - * Wed March 3 2022 Ingo Franzki - - Add provider support - --- -2.36.1 - - -From 76341149f2102bb628da61c2653e5911ddb81084 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 7 Apr 2022 12:32:36 +0200 -Subject: [PATCH 2/5] Adjust to new libica. - -libica recently added function ica_cleanup to be called to free internal -OpenSSL 3.0 resources. This collided with our internal ica_cleanup function. -Rename that and call ica_cleanup if present. 
- -Signed-off-by: Juergen Christ ---- - configure.ac | 2 ++ - src/engine/e_ibmca.c | 13 ++++++++++--- - src/engine/ibmca.h | 3 +++ - src/provider/p_ibmca.c | 3 +++ - 4 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 46ad10e..6434056 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -130,6 +130,8 @@ if test "x$enable_provider" = xyes; then - [#include ]) - fi - -+AC_CHECK_DECLS([ica_cleanup],,,[#include ]) -+ - AC_CONFIG_FILES([ - Makefile - src/Makefile -diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c -index ef17349..7335246 100644 ---- a/src/engine/e_ibmca.c -+++ b/src/engine/e_ibmca.c -@@ -102,6 +102,7 @@ ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize; - ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; - ica_aes_gcm_last_t p_ica_aes_gcm_last; - #endif -+ica_cleanup_t p_ica_cleanup; - - /* save libcrypto's default ec methods */ - #ifndef NO_EC -@@ -652,8 +653,10 @@ static void ibmca_destructor(void) - free((void *)LIBICA_NAME); - } - --static void ica_cleanup(void) -+static void do_ica_cleanup(void) - { -+ if (p_ica_cleanup) -+ p_ica_cleanup(); - if (ibmca_dso && dlclose(ibmca_dso)) { - IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE); - return; -@@ -725,6 +728,7 @@ static void ica_cleanup(void) - p_ica_x448_ctx_del = NULL; - p_ica_ed25519_ctx_del = NULL; - p_ica_ed448_ctx_del = NULL; -+ p_ica_cleanup = NULL; - } - - static int ibmca_init(ENGINE *e) -@@ -806,6 +810,9 @@ static int ibmca_init(ENGINE *e) - BIND(ibmca_dso, ica_ed25519_ctx_del); - BIND(ibmca_dso, ica_ed448_ctx_del); - -+ /* ica_cleanup is not always present and only needed for newer libraries */ -+ p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup"); -+ - /* disable fallbacks on Libica */ - if (BIND(ibmca_dso, ica_set_fallback_mode)) - p_ica_set_fallback_mode(0); -@@ -821,7 +828,7 @@ static int ibmca_init(ENGINE *e) - return 1; - - err: -- ica_cleanup(); -+ do_ica_cleanup(); - return 0; - } - -@@ -884,7 +891,7 @@ 
static int ibmca_finish(ENGINE *e) - if (p_ica_close_adapter) - p_ica_close_adapter(ibmca_handle); - -- ica_cleanup(); -+ do_ica_cleanup(); - memset(&ibmca_registration, 0, sizeof(ibmca_registration)); - return 1; - } -diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h -index 382a45d..53f4ca1 100644 ---- a/src/engine/ibmca.h -+++ b/src/engine/ibmca.h -@@ -616,6 +616,8 @@ int (*ica_ed25519_ctx_del_t)(ICA_ED25519_CTX **ctx); - typedef - int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx); - -+typedef void (*ica_cleanup_t)(void); -+ - /* entry points into libica, filled out at DSO load time */ - extern ica_get_functionlist_t p_ica_get_functionlist; - extern ica_set_fallback_mode_t p_ica_set_fallback_mode; -@@ -681,3 +683,4 @@ extern ica_x25519_ctx_del_t p_ica_x25519_ctx_del; - extern ica_x448_ctx_del_t p_ica_x448_ctx_del; - extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del; - extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del; -+extern ica_cleanup_t p_ica_cleanup; -diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c -index d8045ba..80f0368 100644 ---- a/src/provider/p_ibmca.c -+++ b/src/provider/p_ibmca.c -@@ -633,6 +633,9 @@ static void ibmca_teardown(void *vprovctx) - pthread_mutex_destroy(&provctx->debug_mutex); - - P_FREE(provctx, provctx); -+#if HAVE_DECL_ICA_CLEANUP == 1 -+ ica_cleanup(); -+#endif - } - - static const OSSL_PARAM ibmca_param_types[] = { --- -2.36.1 - - -From 688273ec77530a44d43ad5133155e646a945bc88 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 7 Apr 2022 12:33:44 +0200 -Subject: [PATCH 3/5] Support tests in remote builds. - -If the build is not wihin the source tree, tests failed since they could not -find the key files. Add support for this. 
- -Signed-off-by: Juergen Christ ---- - test/engine/test.pm | 26 ++++++++++++++------------ - test/provider/tls.pl | 13 +++++++------ - 2 files changed, 21 insertions(+), 18 deletions(-) - -diff --git a/test/engine/test.pm b/test/engine/test.pm -index 8e4b8ab..3a313e1 100644 ---- a/test/engine/test.pm -+++ b/test/engine/test.pm -@@ -3,6 +3,8 @@ - use strict; - use warnings; - -+use FindBin; -+ - package test; - - sub osslversion1 { -@@ -69,16 +71,16 @@ sub rsaencdec { - my $bytes = 1 + int(rand($max_file_size)); - # engine enc, no-engine dec - `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; -- `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -- `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; -+ `$eng openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -+ `openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; - `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; - - # no-engine enc, engine dec - `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; -- `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -- `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; -+ `openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -+ `$eng openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out 
rsaencdec.${i}.${keylen}.data.dec`; - `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; -@@ -100,16 +102,16 @@ sub rsasignverify { - $key .= $hex[rand(@hex)] for (1..$keylen); - # engine sign, no-engine verify - `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; -- `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -- `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; -+ `$eng openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -+ `openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; - `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; - exit(99) if ($?); - `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; - - # no-engine sign, engine verify - `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; -- `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -- `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; -+ `openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -+ `$eng openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; - `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; - exit(99) if 
($?); - `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; -@@ -131,15 +133,15 @@ sub dsasignverify { - my $bytes = 1 + int(rand($max_file_size)); - # engine sign, no-engine verify - `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; -- `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -- `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `$eng openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; - exit(99) if ($?); - `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; - - # no-engine sign, engine verify - `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; -- `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -- `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `$eng openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; - exit(99) if ($?); - `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; - } -diff --git a/test/provider/tls.pl b/test/provider/tls.pl -index c8871d4..0d9df6d 100755 ---- a/test/provider/tls.pl -+++ b/test/provider/tls.pl -@@ -19,17 +19,18 @@ - use strict; - use warnings; - use test; -+use FindBin; - - # TLS 1.3 with RSA signatures --test::tls(10001, "server-key-rsa.pem", "server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); -+test::tls(10001, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", 
"-tls1_3"); - # TLS 1.3 with EC signatures --test::tls(10002, "server-key-ec.pem", "server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); -+test::tls(10002, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); - # TLS 1.2 with RSA signatures and ECDH key exchange --test::tls(10003, "server-key-rsa.pem", "server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10003, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - # TLS 1.2 with ECDSA signatures and ECDH key exchange --test::tls(10004, "server-key-ec.pem", "server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10004, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - # TLS 1.2 with RSA signatures and DH key exchange --test::tls(10005, "server-key-rsa.pem", "server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10005, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - # TLS 1.2 with RSA signatures and RSA key exchange --test::tls(10006, "server-key-rsa.pem", "server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10006, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - --- -2.36.1 - - -From c0d384b72f280a4bd1c71407df0583da1847f5cb Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Thu, 12 May 2022 11:20:18 +0200 -Subject: [PATCH 4/5] provider: Adapt keymgmt_match() implementations to - OpenSSL - -OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the -OpenSSL provider's keymgmt_match() function to be not so strict with -the selector bits in regards to matching different key parts. 
- -Adapt the provider's match functions accordingly. -This means, that if the public key is selected to be matched, and the -public key matches (together with any also selected parameters), -then the private key is no longer checked, although it may also be -selected to be matched. This is according to how the OpenSSL function -EVP_PKEY_eq() is supposed to behave. - -Signed-off-by: Ingo Franzki ---- - src/provider/dh_keymgmt.c | 2 +- - src/provider/ec_keymgmt.c | 5 +++-- - src/provider/rsa_keymgmt.c | 8 +++++--- - 3 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c -index 48ba739..3180158 100644 ---- a/src/provider/dh_keymgmt.c -+++ b/src/provider/dh_keymgmt.c -@@ -1000,7 +1000,7 @@ static int ibmca_keymgmt_dh_match(const void *vkey1, const void *vkey2, - } - } - -- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { -+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - if (key1->dh.priv != NULL || key2->dh.priv != NULL) { - ok = ok && (BN_cmp(key1->dh.priv, key2->dh.priv) == 0); - checked = 1; -diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c -index d898c6a..d39b1e2 100644 ---- a/src/provider/ec_keymgmt.c -+++ b/src/provider/ec_keymgmt.c -@@ -751,7 +751,7 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2, - const struct ibmca_key *key2 = vkey2; - BIGNUM *x1 = NULL, *y1 = NULL, *d1 = NULL; - BIGNUM *x2 = NULL, *y2 = NULL, *d2 = NULL; -- int ok = 1, rc1, rc2; -+ int ok = 1, rc1, rc2, checked = 0; - - if (key1 == NULL || key2 == NULL) - return 0; -@@ -781,9 +781,10 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2, - - ok = ok && (rc1 == rc2 && (rc1 == -1 || - (BN_cmp(x1, x2) == 0 && BN_cmp(y1, y2) == 0))); -+ checked = 1; - } - -- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { -+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - rc1 = ibmca_keymgmt_ec_priv_key_as_bn(key1, 
&d1); - if (rc1 == 0) { - ok = 0; -diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c -index 61f7744..9278327 100644 ---- a/src/provider/rsa_keymgmt.c -+++ b/src/provider/rsa_keymgmt.c -@@ -641,7 +641,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, - { - const struct ibmca_key *key1 = vkey1; - const struct ibmca_key *key2 = vkey2; -- int ok = 1; -+ int ok = 1, checked = 0; - - if (key1 == NULL || key2 == NULL) - return 0; -@@ -652,7 +652,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, - if (ibmca_keymgmt_match(key1, key2) == 0) - return 0; - -- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) -+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - ok = ok && (key1->rsa.public.key_length == - key2->rsa.public.key_length && - memcmp(key1->rsa.public.exponent, -@@ -661,8 +661,10 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, - memcmp(key1->rsa.public.modulus, - key2->rsa.public.modulus, - key1->rsa.public.key_length) == 0); -+ checked = 1; -+ } - -- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) -+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok && (key1->rsa.private.key_length == - key2->rsa.private.key_length && - CRYPTO_memcmp(key1->rsa.private.p, --- -2.36.1 - - -From 49be3a5c9c1258e0dc15bbc50d5aa04a0ba4ba66 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 18 May 2022 15:41:12 +0200 -Subject: [PATCH 5/5] tests: skip tests if libica does not support required - algorithms - -Before actually running the tests, check if libica supports the -required algorithms. Skip the whole test if not. - -This can happen when running the test on a system without appropriate -crypto adapters. This would lead to the situation that the provider would -not register itself for the required algorithms, and thus the OpenSSL -default provider would be used. 
This would make the tests to fail, because -it is not running with the IBMCA provider as expected by the test. - -Signed-off-by: Ingo Franzki ---- - test/provider/Makefile.am | 18 ++++++++++--- - test/provider/dhkey.c | 56 ++++++++++++++++++++++++++++++++++++++ - test/provider/eckey.c | 57 +++++++++++++++++++++++++++++++++++++++ - test/provider/rsakey.c | 56 ++++++++++++++++++++++++++++++++++++++ - 4 files changed, 184 insertions(+), 3 deletions(-) - -diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am -index f5cb97d..b007682 100644 ---- a/test/provider/Makefile.am -+++ b/test/provider/Makefile.am -@@ -20,13 +20,25 @@ TESTS = \ - check_PROGRAMS = rsakey eckey dhkey threadtest - - dhkey_SOURCES = dhkey.c --dhkey_LDADD = -lcrypto -+if PROVIDER_FULL_LIBICA -+dhkey_LDADD = -lcrypto -lica -+else -+dhkey_LDADD = -lcrypto -lica-cex -+endif - - eckey_SOURCES = eckey.c --eckey_LDADD = -lcrypto -+if PROVIDER_FULL_LIBICA -+eckey_LDADD = -lcrypto -lica -+else -+eckey_LDADD = -lcrypto -lica-cex -+endif - - rsakey_SOURCES = rsakey.c --rsakey_LDADD = -lcrypto -+if PROVIDER_FULL_LIBICA -+rsakey_LDADD = -lcrypto -lica -+else -+rsakey_LDADD = -lcrypto -lica-cex -+endif - - threadtest_SOURCES = threadtest.c - threadtest_LDADD = -lcrypto -lpthread -diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c -index a9cea13..8829ecc 100644 ---- a/test/provider/dhkey.c -+++ b/test/provider/dhkey.c -@@ -27,6 +27,8 @@ - #include - #include - -+#include -+ - #define UNUSED(var) ((void)(var)) - - void setup(void) -@@ -349,6 +351,56 @@ int check_dhkey(int nid, const char *name, const char *algo) - return ret; - } - -+static const unsigned int required_ica_mechs[] = { RSA_ME }; -+static const unsigned int required_ica_mechs_len = -+ sizeof(required_ica_mechs) / sizeof(unsigned int); -+ -+int check_libica() -+{ -+ unsigned int mech_len, i, k, found = 0; -+ libica_func_list_element *mech_list = NULL; -+ int rc; -+ -+ rc = ica_get_functionlist(NULL, &mech_len); -+ if (rc != 0) { -+ 
fprintf(stderr, "Failed to get function list from libica!\n"); -+ return 77; -+ } -+ -+ mech_list = calloc(sizeof(libica_func_list_element), mech_len); -+ if (mech_list == NULL) { -+ fprintf(stderr, "Failed to allocate memory for function list!\n"); -+ return 77; -+ } -+ -+ rc = ica_get_functionlist(mech_list, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ free(mech_list); -+ return 77; -+ } -+ -+ for (i = 0; i < mech_len; i++) { -+ for (k = 0; k < required_ica_mechs_len; k++) { -+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { -+ if (mech_list[i].flags & -+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) -+ found++; -+ } -+ } -+ } -+ -+ free(mech_list); -+ -+ if (found < required_ica_mechs_len) { -+ fprintf(stderr, -+ "Libica does not support the required algorithms, skipping.\n"); -+ return 77; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - static const struct testparams { -@@ -389,6 +441,10 @@ int main(int argc, char **argv) - return 77; - } - -+ ret = check_libica(); -+ if (ret != 0) -+ return ret; -+ - setup(); - for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { - if (!check_dhkey(params[i].nid, params[i].name, "DH")) { -diff --git a/test/provider/eckey.c b/test/provider/eckey.c -index 279b942..b2334d7 100644 ---- a/test/provider/eckey.c -+++ b/test/provider/eckey.c -@@ -27,6 +27,8 @@ - #include - #include - -+#include -+ - #define UNUSED(var) ((void)(var)) - - void setup(void) -@@ -781,6 +783,57 @@ int check_eckey(int nid, const char *name) - return ret; - } - -+static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN, -+ EC_DSA_VERIFY, EC_KGEN, }; -+static const unsigned int required_ica_mechs_len = -+ sizeof(required_ica_mechs) / sizeof(unsigned int); -+ -+int check_libica() -+{ -+ unsigned int mech_len, i, k, found = 0; -+ libica_func_list_element *mech_list = NULL; -+ int rc; -+ -+ rc = ica_get_functionlist(NULL, &mech_len); -+ if (rc != 
0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ return 77; -+ } -+ -+ mech_list = calloc(sizeof(libica_func_list_element), mech_len); -+ if (mech_list == NULL) { -+ fprintf(stderr, "Failed to allocate memory for function list!\n"); -+ return 77; -+ } -+ -+ rc = ica_get_functionlist(mech_list, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ free(mech_list); -+ return 77; -+ } -+ -+ for (i = 0; i < mech_len; i++) { -+ for (k = 0; k < required_ica_mechs_len; k++) { -+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { -+ if (mech_list[i].flags & -+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) -+ found++; -+ } -+ } -+ } -+ -+ free(mech_list); -+ -+ if (found < required_ica_mechs_len) { -+ fprintf(stderr, -+ "Libica does not support the required algorithms, skipping.\n"); -+ return 77; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - static const struct testparams { -@@ -822,6 +875,10 @@ int main(int argc, char **argv) - return 77; - } - -+ ret = check_libica(); -+ if (ret != 0) -+ return ret; -+ - setup(); - for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { - if (!check_eckey(params[i].nid, params[i].name)) { -diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c -index 0adface..366b503 100644 ---- a/test/provider/rsakey.c -+++ b/test/provider/rsakey.c -@@ -26,6 +26,8 @@ - #include - #include - -+#include -+ - #define UNUSED(var) ((void)(var)) - - void setup(void) -@@ -729,6 +731,56 @@ int check_rsakey(int bits, const char *algo, const char *name) - return ret; - } - -+static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT }; -+static const unsigned int required_ica_mechs_len = -+ sizeof(required_ica_mechs) / sizeof(unsigned int); -+ -+int check_libica() -+{ -+ unsigned int mech_len, i, k, found = 0; -+ libica_func_list_element *mech_list = NULL; -+ int rc; -+ -+ rc = ica_get_functionlist(NULL, &mech_len); -+ if (rc != 0) { 
-+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ return 77; -+ } -+ -+ mech_list = calloc(sizeof(libica_func_list_element), mech_len); -+ if (mech_list == NULL) { -+ fprintf(stderr, "Failed to allocate memory for function list!\n"); -+ return 77; -+ } -+ -+ rc = ica_get_functionlist(mech_list, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ free(mech_list); -+ return 77; -+ } -+ -+ for (i = 0; i < mech_len; i++) { -+ for (k = 0; k < required_ica_mechs_len; k++) { -+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { -+ if (mech_list[i].flags & -+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) -+ found++; -+ } -+ } -+ } -+ -+ free(mech_list); -+ -+ if (found < required_ica_mechs_len) { -+ fprintf(stderr, -+ "Libica does not support the required algorithms, skipping.\n"); -+ return 77; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - static const struct testparams { -@@ -767,6 +819,10 @@ int main(int argc, char **argv) - return 77; - } - -+ ret = check_libica(); -+ if (ret != 0) -+ return ret; -+ - setup(); - for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { - if (!check_rsakey(params[i].bits, params[i].algo, params[i].name)) { --- -2.36.1 - diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index f401ce3..f25230a 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,9 +1,5 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) -%global modulesdir %(openssl version -m | grep -o '".*"' | tr -d '"') -# Above can be replaced by the following once OpenSSL commit -# https://github.com/openssl/openssl/commit/7fde39de848f062d6db45bf9e69439db2100b9bb -# has been included into the distribution: -# %%global modulesdir %%(pkg-config --variable=modulesdir libcrypto) +%global modulesdir %(pkg-config --variable=modulesdir libcrypto) %if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 %global with_openssl3 1 
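Review bot: The new `%global modulesdir %(pkg-config --variable=modulesdir libcrypto)` in the first openssl-ibmca.spec hunk expands silently to an empty string whenever the build root's libcrypto.pc has no `modulesdir` variable, and that .pc file ships with openssl-devel, not with the `openssl` package that the second hunk raises to `>= 3.0.5`. The removed comment tied the variable to OpenSSL commit 7fde39de848f062d6db45bf9e69439db2100b9bb, so the 3.0.5 floor presumably reflects that, but nothing in these hunks shows openssl-devel being required at a matching version. An empty `%{modulesdir}` would make any `%{modulesdir}/...` path in %files or the configure call resolve against `/`, which the build may not report. I would add `BuildRequires: openssl-devel >= 3.0.5` (or `pkgconfig(libcrypto) >= 3.0.5`) beside the raised openssl line and fail early on the empty expansion with `%if "%{modulesdir}" == ""` / `%{error:libcrypto.pc does not provide modulesdir}` / `%endif`.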
@@ -12,19 +8,17 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca -Version: 2.3.0 +Version: 2.3.1 Release: 1%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -# post GA fixes -Patch0: %{name}-%{version}-fixes.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc BuildRequires: libica-devel >= 4.0.0 BuildRequires: automake libtool -BuildRequires: openssl +BuildRequires: openssl >= 3.0.5 BuildRequires: perl(FindBin) ExclusiveArch: s390 s390x @@ -80,6 +74,11 @@ make check %changelog +* Thu Jan 12 2023 Dan Horák - 2.3.1-1 +- updated to 2.3.1 (#2110378) +- fix configuration script (#2140028) +- Resolves: #2110378 #2140028 + * Thu May 19 2022 Dan Horák - 2.3.0-1 - updated to 2.3.0 (#2044177) - add provider for openssl 3.x (#2044185) diff --git a/sources b/sources index 34c4d4e..6fdab29 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-ibmca-2.3.0.tar.gz) = dddc66e8686c12a1a2cb602753abad4e1983121203cdd3d04e7b8f54588bac41d2a2665d2ebd61ba9537487c534a0c70ea3a994617cd4b84799318a624b8bc40 +SHA512 (openssl-ibmca-2.3.1.tar.gz) = 16a1fae7ddc71caa40f60f803991e32227badeee22db33080bcefc7a01fb79b714eb007ebd5d61e97534d5779d765ac65fd79be496a46f160a4f321c9f836942
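Review bot: Dropping `Patch0: %{name}-%{version}-fixes.patch` in the second openssl-ibmca.spec hunk comes with no %prep hunk, so the change is only consistent if %prep applies patches via `%autosetup`/`%autopatch`; an explicit `%patch0 -p1` left in %prep would now fail, and %prep is not visible in this diff, so please confirm. The deleted 2.3.0-fixes.patch was the package's only record of the five post-GA fixes (ica_cleanup rename, remote-build test paths, keymgmt_match relaxation, libica capability check), and the new changelog entry says only "updated to 2.3.1". A line such as `- drop openssl-ibmca-2.3.0-fixes.patch, fixes included in the 2.3.1 release` would keep the removal traceable, assuming that is indeed why it was dropped.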