import openssl-ibmca-2.2.0-2.el8
		
							parent
							
								
									88830c863d
								
							
						
					
					
						commit
						76e92345d6
					
				
							
								
								
									
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -1 +1 @@ | ||||
| SOURCES/openssl-ibmca-2.1.1.tar.gz | ||||
| SOURCES/openssl-ibmca-2.2.0.tar.gz | ||||
|  | ||||
| @ -1 +1 @@ | ||||
| 6f245f09c9ae7c1c1e287030aa5bd1db340dbdb0 SOURCES/openssl-ibmca-2.1.1.tar.gz | ||||
| 9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz | ||||
|  | ||||
							
								
								
									
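--- a/SOURCES/openssl-ibmca-2.2.0-eckey.patch
+++ b/SOURCES/openssl-ibmca-2.2.0-eckey.patch
@@ -0,0 +1,31 @@
+From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
+From: Juergen Christ <jchrist@linux.ibm.com>
+Date: Mon, 31 May 2021 18:00:07 +0200
+Subject: [PATCH] Skip eckey test if needed.
+
+Without crypto cards on a machine < z15, ibmca might not register with the
+EC_KEY subsystem of OpenSSL.  In these cases, the eckey test should be skipped
+since it is doomed to fail.
+
+Fixes #69.
+
+Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
+---
+ test/eckey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/eckey.c b/test/eckey.c
+index 35b3df2..6d0870b 100644
+--- a/test/eckey.c
++++ b/test/eckey.c
+@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
+         fprintf(stderr, "ibmca engine not loaded\n");
+         goto out;
+     }
++    if (ENGINE_get_EC(engine) == NULL) {
++        fprintf(stderr, "ibmca does not support EC_KEY.  Skipping...\n");
++        exit(77);
++    }
+     eckey = EC_KEY_new_by_curve_name(nid);
+     if (eckey == NULL) {
+         /* curve not supported => test passed */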
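Review bot: The new skip branch in check_eckey calls `exit(77)` directly, while the branch just above it leaves through `goto out;`, so whatever cleanup sits behind that label is bypassed on the skip path. For a short-lived test binary that is tolerable, but the bare 77 deserves a comment such as `/* 77: automake test-harness exit status for SKIP */`, because a reader who does not know the convention will take it for a failure code. A skip also hides EC regressions on any build host where the engine does not register EC_KEY, so the harness summary becomes the only place that shows the test did not run. check_eckey begins and ends outside the hunk.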
							
								
								
									
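--- a/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
+++ b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
@@ -0,0 +1,105 @@
+From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
+From: Juergen Christ <jchrist@linux.ibm.com>
+Date: Thu, 29 Jul 2021 17:38:59 +0200
+Subject: [PATCH] Fix DSA and DH registration.
+
+DSA does not provide backups by default.
+
+Also fix typo in DH initialization.
+
+Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
+---
+ src/ibmca_dh.c  |  2 +-
+ src/ibmca_dsa.c | 26 ++++----------------------
+ 2 files changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
+index 2459cf1..b2b75a9 100644
+--- a/src/ibmca_dh.c
++++ b/src/ibmca_dh.c
+@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
+ 
+     if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
+         || (meth1 = DH_OpenSSL()) == NULL
+-	    || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
++	    || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
+         || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
+         || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
+         || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
+diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
+index f5bf4e4..3b5ac87 100644
+--- a/src/ibmca_dsa.c
++++ b/src/ibmca_dsa.c
+@@ -28,18 +28,10 @@
+  * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+  * of "openssl speed -engine ibmca dsa1024 rsa1024". */
+ #ifdef OLDER_OPENSSL
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+-                                       BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+-                                       BIGNUM *m, BN_CTX *ctx,
+-                                       BN_MONT_CTX *in_mont);
+ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                              BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+                              BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ #else
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+-                                       const BIGNUM *p1, const BIGNUM *a2,
+-                                       const BIGNUM *p2, const BIGNUM *m,
+-                                       BN_CTX *ctx, BN_MONT_CTX *in_mont);
+ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+                              const BIGNUM *p1, const BIGNUM *a2,
+                              const BIGNUM *p2, const BIGNUM *m,
+@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+ end:
+     BN_free(t);
+ 
+-    if (!to_return && ibmca_dsa_mod_exp_backup)
+-        return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
++    if (!to_return)
++        return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+     return to_return;
+ }
+ 
+ #ifdef OLDER_OPENSSL
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+-                       const BIGNUM *p, const BIGNUM *m,
+-                       BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+ 
+ static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                              const BIGNUM *p, const BIGNUM *m,
+                              BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ #else
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+-                       const BIGNUM *p, const BIGNUM *m,
+-                       BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+ 
+ static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+                              const BIGNUM *p, const BIGNUM *m,
+                              BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ #endif
+ {
+-    if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
+-        return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
++    if (!ibmca_mod_exp(r, a, p, m, ctx))
++        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+     return 1;
+ }
+ 
+@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
+ {
+     const DSA_METHOD *meth1 = DSA_OpenSSL();
+ 
+-    ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp;
+-    ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp;
+     dsa_m.dsa_do_sign = meth1->dsa_do_sign;
+     dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
+     dsa_m.dsa_do_verify = meth1->dsa_do_verify;
+@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void)
+ 
+     if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
+         || (meth1 = DSA_OpenSSL()) == NULL
+-        || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL
+-        || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL
+         || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
+         || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
+         || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))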
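Review bot: In the ibmca_dh() hunk the registration chain still fails when `DH_meth_get_bn_mod_exp(meth1)` returns NULL, which is the same assumption this patch removes for DSA because the default DSA method supplies no such callback. If the default DH method is guaranteed to provide one on every supported OpenSSL, a comment next to that line would document the asymmetry, e.g. `/* relies on DH_OpenSSL() providing bn_mod_exp (DSA_OpenSSL() does not) */`; otherwise the DH wrapper presumably needs the same direct software fallback. The two DSA wrappers now retry in software through `BN_mod_exp2_mont` and `BN_mod_exp_mont` on any zero return with no trace visible in these hunks, so a host that never reaches the hardware path looks the same as one that does. Both ibmca_dh() and ibmca_dsa() continue outside the hunks shown.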
| @ -2,16 +2,22 @@ | ||||
| 
 | ||||
| Summary: A dynamic OpenSSL engine for IBMCA | ||||
| Name: openssl-ibmca | ||||
| Version: 2.1.1 | ||||
| Release: 1%{?dist} | ||||
| Version: 2.2.0 | ||||
| Release: 2%{?dist} | ||||
| License: ASL 2.0 | ||||
| Group: System Environment/Libraries | ||||
| URL: https://github.com/opencryptoki | ||||
| Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz | ||||
| Requires: libica >= 3.6.0 | ||||
| # https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240 | ||||
| Patch0: openssl-ibmca-2.2.0-eckey.patch | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1989064 | ||||
| # https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20 | ||||
| Patch1: openssl-ibmca-2.2.0-fix-registration.patch | ||||
| Requires: libica >= 3.8.0 | ||||
| BuildRequires: gcc | ||||
| BuildRequires: libica-devel >= 3.6.0 | ||||
| BuildRequires: libica-devel >= 3.8.0 | ||||
| BuildRequires: automake libtool | ||||
| BuildRequires: openssl | ||||
| ExclusiveArch: s390 s390x | ||||
| 
 | ||||
| 
 | ||||
| @ -38,6 +44,13 @@ pushd src | ||||
| sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} | ||||
| popd | ||||
| 
 | ||||
| # remove generated sample configs | ||||
| rm -rf %{buildroot}%{_datadir}/%{name} | ||||
| 
 | ||||
| 
 | ||||
| %check | ||||
| make check | ||||
| 
 | ||||
| 
 | ||||
| %files | ||||
| %license LICENSE | ||||
| @ -47,6 +60,15 @@ popd | ||||
| 
 | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2 | ||||
| - fix DSA and DH registration (#1989064) | ||||
| - Resolves: #1989064 | ||||
| 
 | ||||
| * Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1 | ||||
| - updated to 2.2.0 (#1919222) | ||||
| - do not use libica software fallbacks (#1922204) | ||||
| - Resolves: #1919222 #1922204 | ||||
| 
 | ||||
| * Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1 | ||||
| - updated to 2.1.1 (#1780306) | ||||
| - Resolves: #1780306 | ||||
|  | ||||
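Review bot: The `%check` section that runs `make check` gives a result that depends on the build host's crypto hardware (the section looks new in this change, though the render does not mark old and new lines). With Patch0 applied, the eckey test exits 77 when the engine has no EC_KEY support, and an automake-style harness counts that as a skip, not a failure. A passing build therefore does not show that the EC path was exercised. A spec comment above `%check` would make this explicit, e.g. `# EC tests exit 77 (SKIP) on builders where ibmca does not register EC_KEY`.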