diff --git a/openssl-ibmca-2.4.0-fixes.patch b/openssl-ibmca-2.4.0-fixes.patch index 62fe880..1d3ac73 100644 --- a/openssl-ibmca-2.4.0-fixes.patch +++ b/openssl-ibmca-2.4.0-fixes.patch @@ -1,7 +1,7 @@ From 2d9f0222076f6e243e68238c533b6bf0b6073138 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Mon, 17 Apr 2023 13:38:36 +0200 -Subject: [PATCH 1/6] configure: check for perl and perl-FindBin +Subject: [PATCH 1/7] configure: check for perl and perl-FindBin Perl as well as the perl module FindBin are required to run the IBMCA tests. Check for it during configuration and fail if it is not available. @@ -43,7 +43,7 @@ index 39317c7..cea8ce8 100644 From e8983a442f53e56e49c9143babeacb5c0206c1bd Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Mon, 17 Apr 2023 13:43:59 +0200 -Subject: [PATCH 2/6] bootstrap: add --force option to autoreconf +Subject: [PATCH 2/7] bootstrap: add --force option to autoreconf Consider all files as obsolete and make all of them new. @@ -69,7 +69,7 @@ index 7800f7f..e60cda5 100755 From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Wed, 19 Apr 2023 10:07:01 +0200 -Subject: [PATCH 3/6] engine: Only register those algos specified with +Subject: [PATCH 3/7] engine: Only register those algos specified with default_algorithms As part of OpenSSL initialization, the engine(s) configured in the OpenSSL @@ -113,7 +113,7 @@ index fe21897..6cbf745 100644 From f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Tue, 25 Apr 2023 16:23:52 +0200 -Subject: [PATCH 4/6] provider: rsa: Check RSA keys with p < q at key +Subject: [PATCH 4/7] provider: rsa: Check RSA keys with p < q at key generation and import Since OpenSSL 3.0 the OpenSSL RSA key generation taking place within libica @@ -174,7 +174,7 @@ index aabf9d2..f83d90a 100644 From acba1d936bd84c7090ed7d3849b0bab3c7f18da0 Mon Sep 17 00:00:00 2001 
From: Ingo Franzki Date: Fri, 7 Jul 2023 14:55:26 +0200 -Subject: [PATCH 5/6] provider: Support importing of RSA keys with just ME +Subject: [PATCH 5/7] provider: Support importing of RSA keys with just ME components RSA private keys may contain just CRT (p, q, dp, dq, qinv) or ME (d) @@ -1203,7 +1203,7 @@ index cfc10a1..f7a0a91 100644 From 67efa9ad713e8283cb20111a15629f15a8ea8c86 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Tue, 25 Jul 2023 14:52:49 +0200 -Subject: [PATCH 6/6] provider: RSA: Fix get_params to retrieve max-size, bits, +Subject: [PATCH 6/7] provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits The RSA key management's get_params() function should be able to return the 
@@ -1239,3 +1239,225 @@ index 526f2aa..ce49c88 100644 -- 2.41.0 + +From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 26 Jul 2023 15:19:55 +0200 +Subject: [PATCH 7/7] provider: Default debug directory to /tmp but make it + configurable + +The IBMCA provider debug logs were written to the /var/log/ibmca/ directory, +but this required that directory to be world-writable, because we don't know +under which user an application runs that uses the provider. +A world-writable directory under /var has security implications and should be +avoided. + +Change the default log directory to /tmp which is world-writable anyway. +Additionally the log directory can now be configured via the 'debug-path' +option in the IBMCA provider section of the OpenSSL config file, or via +environment variable 'IBMCA_DEBUG_PATH'. + +Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107 + +Signed-off-by: Ingo Franzki +--- + configure.ac | 2 +- + src/provider/Makefile.am | 4 --- + src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------ + src/provider/p_ibmca.c | 25 ++++++++++++++++++- + src/provider/p_ibmca.h | 3 +++ + test/provider/openssl-test.cnf | 1 + + 6 files changed, 59 insertions(+), 14 deletions(-) + +diff --git a/configure.ac b/configure.ac +index cea8ce8..57b3205 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign]) + + AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod]) + +-logdir=$localstatedir/log/ibmca ++logdir=/tmp + AC_SUBST(logdir) + + # Cmdline arguments. 
+diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am +index da45a52..f2d1d50 100644 +--- a/src/provider/Makefile.am ++++ b/src/provider/Makefile.am +@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4 + SUBDIRS = doc + + noinst_SCRIPTS = ibmca-provider-opensslconfig +- +-install-data-hook: +- $(MKDIR_P) $(DESTDIR)$(logdir) +- $(CHMOD) 0777 $(DESTDIR)$(logdir) +diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man +index 52350e4..846d607 100644 +--- a/src/provider/doc/ibmca-provider.man ++++ b/src/provider/doc/ibmca-provider.man +@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower. + .IP "debug = yes | no | stderr" + .RS + Enables debug output for the IBMCA provider. If this option is not specified, +-no debuging output is produced. If \fBdebug = stderr\fP is specified, ++no debugging output is produced. If \fBdebug = stderr\fP is specified, + debugging messages are printed to stderr. Otherwise the debug output is written +-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-.\fP, +-where is the name of the IBMCA provider from the identity +-option, and is the process ID of the current process. You can also +-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to +-\fBon\fP or \fBstderr\fP. ++into a trace file in \fB/trace-.\fP, ++where is the path name of a directory to where the debug files are ++written (default: \fB/tmp\fP), is the name of the IBMCA provider ++from the identity option, and is the process ID of the current process. ++You can also enable debugging by setting the environment variable ++\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP. ++.RE ++.PP ++.IP "debug-path = /dir/to/debug/directory" ++.RS ++Sets the directory path to where debug files are written when debug is enabled ++via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP. 
++You can also set the debug path by setting the environment variable ++\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user ++under which the application that uses the IBMCA provider runs has write access ++to that directory. If this option is not specified, the default debug path is ++\fB/tmp\fP. + .RE + .PP + .IP "fips = yes | no" +@@ -153,8 +165,18 @@ If + .B $IBMCA_DEBUG + is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled. + If it is set to \fBon\fP the debug output is written into a trace file in +-\fB[/usr/local]/var/log/ibmca/trace-.\fP, where is +-the process ID of the current process. ++\fB/trace-.\fP, where is the path ++name of a directory to where the debug files are written (default: \fB/tmp\fP), ++ is the name of the IBMCA provider from the identity option, ++and is the process ID of the current process. ++.PP ++.TP ++.BR IBMCA_DEBUG_PATH ++Sets the directory path to where debug files are written when debug is enabled ++via \fBdebug = yes\fP configuration option or via environment variable ++\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the ++application that uses the IBMCA provider runs has write access to that ++directory. 
+ .PP + .SH SEE ALSO + .B provider(1) +diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c +index 80f0368..ffb9b5d 100644 +--- a/src/provider/p_ibmca.c ++++ b/src/provider/p_ibmca.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -58,6 +59,8 @@ struct ibmca_config_item { + + static int ibmca_config_debug(struct ibmca_prov_ctx *provctx, + const char *key, const char *value); ++static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx, ++ const char *key, const char *value); + static int ibmca_config_fips(struct ibmca_prov_ctx *provctx, + const char *key, const char *value); + static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx, +@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx, + const char *key, const char *value); + + static const struct ibmca_config_item config_items[] = { ++ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path }, + { IBMCA_CONF_DEBUG, ibmca_config_debug }, + { IBMCA_CONF_FIPS, ibmca_config_fips }, + { IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms }, +@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx, + *p = '_'; + + if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d", +- IBMCA_LOGDIR, prov_name, provctx->debug_pid) ++ provctx->debug_path != NULL ? provctx->debug_path : ++ IBMCA_LOGDIR, ++ prov_name, provctx->debug_pid) + >= (int)sizeof(debug_file)) { + put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR, + "IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR); +@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx, + return 1; + } + ++static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx, ++ const char *key, const char *value) ++{ ++ /* ++ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH ++ * environment variable) do not override the setting. 
++ */ ++ if (provctx->debug_path != NULL) ++ return 1; ++ ++ return ibmca_config_const_string(provctx, key, value, ++ &provctx->debug_path); ++} ++ + static int ibmca_config_fips(struct ibmca_prov_ctx *provctx, + const char *key, const char *value) + { +@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, + ctx->c_free = c_free; + ctx->ica_adapter = DRIVER_NOT_LOADED; + ++ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR); ++ if (val != NULL) ++ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val); + val = getenv(IBMCA_DEBUG_ENVVAR); + if (val != NULL) + ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val); +diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h +index 3b3d4f0..c47a6aa 100644 +--- a/src/provider/p_ibmca.h ++++ b/src/provider/p_ibmca.h +@@ -27,9 +27,11 @@ + + /* Environment variable name to enable debug */ + #define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG" ++#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH" + + /* IBMCA provider configuration key words */ + #define IBMCA_CONF_DEBUG "debug" ++#define IBMCA_CONF_DEBUG_PATH "debug-path" + #define IBMCA_CONF_ALGORITHMS "algorithms" + #define IBMCA_CONF_FIPS "fips" + #define IBMCA_CONF_FALLBACK_PROPS "fallback-properties" +@@ -64,6 +66,7 @@ struct ibmca_prov_ctx { + OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free; + OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse; + bool debug; ++ const char *debug_path; + FILE *debug_file; + pid_t debug_pid; + pthread_mutex_t debug_mutex; +diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf +index 7866f4e..e8132a6 100644 +--- a/test/provider/openssl-test.cnf ++++ b/test/provider/openssl-test.cnf +@@ -16,6 +16,7 @@ identity = ibmca + module = ibmca-provider.so + activate = 1 + #debug = yes ++#debug-path = /dir/to/debug/directory + #fips=yes + #algorithms = RSA,EC,DH + algorithms = ALL +-- +2.41.0 + 
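Review bot: With the default now `/tmp`, the `snprintf(debug_file, ..., "%s/trace-%s.%d", ...)` in ibmca_config_debug builds a predictable file name in a directory every local user can write to, so another user can create that path first, possibly as a symlink, before the provider opens it. The open call is in the part of ibmca_config_debug outside this hunk; if it is a plain `fopen`, it would be safer to use `open()` with `O_CREAT | O_EXCL | O_NOFOLLOW` and mode `0600` followed by `fdopen()`, so that an existing entry is refused and the trace is not readable by other users. In OSSL_provider_init the new variable is read with `secure_getenv` while `IBMCA_DEBUG` is still read with `getenv`, so under secure execution the environment can still turn tracing on into the default directory; `val = secure_getenv(IBMCA_DEBUG_ENVVAR);` would make the two consistent. The overflow error also still prints `IBMCA_LOGDIR` even when `provctx->debug_path` supplied the directory, so the message should print the path that was actually used.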
diff --git a/openssl-ibmca-2.4.0-log-into-tmp.patch b/openssl-ibmca-2.4.0-log-into-tmp.patch deleted file mode 100644 index f1ae1d4..0000000 --- a/openssl-ibmca-2.4.0-log-into-tmp.patch +++ /dev/null @@ -1,42 +0,0 @@ -From b6d3f8f1fa3013a748eb538f8c2d31936d4188c2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20Hor=C3=A1k?= -Date: Wed, 26 Jul 2023 07:31:43 +0000 -Subject: [PATCH] provider: use /tmp as logdir - -The location for storing debug traces of the provider needs to be world -writeable. Using the original /var/log/ibmca has security implication, -so switch to using /tmp instead. ---- - configure.ac | 2 +- - src/provider/doc/ibmca-provider.man | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index cea8ce8..57b3205 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign]) - - AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod]) - --logdir=$localstatedir/log/ibmca -+logdir=/tmp - AC_SUBST(logdir) - - # Cmdline arguments. -diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man -index 52350e4..b3d5174 100644 ---- a/src/provider/doc/ibmca-provider.man -+++ b/src/provider/doc/ibmca-provider.man -@@ -153,7 +153,7 @@ If - .B $IBMCA_DEBUG - is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled. - If it is set to \fBon\fP the debug output is written into a trace file in --\fB[/usr/local]/var/log/ibmca/trace-.\fP, where is -+\fB[/tmp/trace-.\fP, where is - the process ID of the current process. - .PP - .SH SEE ALSO --- -2.41.0 - diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index f86e3aa..e00c0e1 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec 
@@ -3,14 +3,12 @@ Summary: OpenSSL provider for IBMCA Name: openssl-ibmca Version: 2.4.0 -Release: 4%{?dist} +Release: 5%{?dist} License: Apache-2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # post GA fixes Patch0: %{name}-%{version}-fixes.patch -# https://github.com/opencryptoki/openssl-ibmca/issues/107 -Patch1: %{name}-2.4.0-log-into-tmp.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc @@ -58,6 +56,9 @@ make check %changelog +* Thu Jul 27 2023 Dan Horák - 2.4.0-5 +- switch to upstream fix for logging into /tmp + * Wed Jul 26 2023 Dan Horák - 2.4.0-4 - one more fix