- switch to upstream fix for logging into /tmp

Dan Horák 2023-07-27 07:26:53 +00:00
parent 76acc0209e
commit 9417d8a6e9
3 changed files with 232 additions and 51 deletions


@ -1,7 +1,7 @@
From 2d9f0222076f6e243e68238c533b6bf0b6073138 Mon Sep 17 00:00:00 2001 From 2d9f0222076f6e243e68238c533b6bf0b6073138 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com> From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 17 Apr 2023 13:38:36 +0200 Date: Mon, 17 Apr 2023 13:38:36 +0200
Subject: [PATCH 1/6] configure: check for perl and perl-FindBin Subject: [PATCH 1/7] configure: check for perl and perl-FindBin
Perl as well as the perl module FindBin are required to run the IBMCA tests. Perl as well as the perl module FindBin are required to run the IBMCA tests.
Check for it during configuration and fail if it is not available. Check for it during configuration and fail if it is not available.
@ -43,7 +43,7 @@ index 39317c7..cea8ce8 100644
From e8983a442f53e56e49c9143babeacb5c0206c1bd Mon Sep 17 00:00:00 2001 From e8983a442f53e56e49c9143babeacb5c0206c1bd Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com> From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 17 Apr 2023 13:43:59 +0200 Date: Mon, 17 Apr 2023 13:43:59 +0200
Subject: [PATCH 2/6] bootstrap: add --force option to autoreconf Subject: [PATCH 2/7] bootstrap: add --force option to autoreconf
Consider all files as obsolete and make all of them new. Consider all files as obsolete and make all of them new.
@ -69,7 +69,7 @@ index 7800f7f..e60cda5 100755
From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001 From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com> From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 19 Apr 2023 10:07:01 +0200 Date: Wed, 19 Apr 2023 10:07:01 +0200
Subject: [PATCH 3/6] engine: Only register those algos specified with Subject: [PATCH 3/7] engine: Only register those algos specified with
default_algorithms default_algorithms
As part of OpenSSL initialization, the engine(s) configured in the OpenSSL As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
@ -113,7 +113,7 @@ index fe21897..6cbf745 100644
From f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a Mon Sep 17 00:00:00 2001 From f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com> From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 25 Apr 2023 16:23:52 +0200 Date: Tue, 25 Apr 2023 16:23:52 +0200
Subject: [PATCH 4/6] provider: rsa: Check RSA keys with p < q at key Subject: [PATCH 4/7] provider: rsa: Check RSA keys with p < q at key
generation and import generation and import
Since OpenSSL 3.0 the OpenSSL RSA key generation taking place within libica Since OpenSSL 3.0 the OpenSSL RSA key generation taking place within libica
@ -174,7 +174,7 @@ index aabf9d2..f83d90a 100644
From acba1d936bd84c7090ed7d3849b0bab3c7f18da0 Mon Sep 17 00:00:00 2001 From acba1d936bd84c7090ed7d3849b0bab3c7f18da0 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com> From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 7 Jul 2023 14:55:26 +0200 Date: Fri, 7 Jul 2023 14:55:26 +0200
Subject: [PATCH 5/6] provider: Support importing of RSA keys with just ME Subject: [PATCH 5/7] provider: Support importing of RSA keys with just ME
components components
RSA private keys may contain just CRT (p, q, dp, dq, qinv) or ME (d) RSA private keys may contain just CRT (p, q, dp, dq, qinv) or ME (d)
@ -1203,7 +1203,7 @@ index cfc10a1..f7a0a91 100644
From 67efa9ad713e8283cb20111a15629f15a8ea8c86 Mon Sep 17 00:00:00 2001 From 67efa9ad713e8283cb20111a15629f15a8ea8c86 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com> From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 25 Jul 2023 14:52:49 +0200 Date: Tue, 25 Jul 2023 14:52:49 +0200
Subject: [PATCH 6/6] provider: RSA: Fix get_params to retrieve max-size, bits, Subject: [PATCH 6/7] provider: RSA: Fix get_params to retrieve max-size, bits,
and security-bits and security-bits
The RSA key management's get_params() function should be able to return the The RSA key management's get_params() function should be able to return the
@ -1239,3 +1239,225 @@ index 526f2aa..ce49c88 100644
-- --
2.41.0 2.41.0
From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 26 Jul 2023 15:19:55 +0200
Subject: [PATCH 7/7] provider: Default debug directory to /tmp but make it
configurable
The IBMCA provider debug logs were written to the /var/log/ibmca/ directory,
but this required that directory to be world-writable, because we don't know
under which user an application runs that uses the provider.
A world-writable directory under /var has security implications and should be
avoided.
Change the default log directory to /tmp which is world-writable anyway.
Additionally the log directory can now be configured via the 'debug-path'
option in the IBMCA provider section of the OpenSSL config file, or via
environment variable 'IBMCA_DEBUG_PATH'.
Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 2 +-
src/provider/Makefile.am | 4 ---
src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
src/provider/p_ibmca.c | 25 ++++++++++++++++++-
src/provider/p_ibmca.h | 3 +++
test/provider/openssl-test.cnf | 1 +
6 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index cea8ce8..57b3205 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
-logdir=$localstatedir/log/ibmca
+logdir=/tmp
AC_SUBST(logdir)
# Cmdline arguments.
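Review bot: With logdir defaulting to /tmp, the trace file trace-<provider-name>.<pid> is created under a predictable name in a shared, world-writable directory, so the code in ibmca_config_debug that opens it should create it with O_CREAT|O_EXCL|O_NOFOLLOW (or a mkstemp-style unique name) rather than a plain fopen, so that a pre-existing entry of that name makes the open fail instead of being written through. Also, the value is still baked in at configure time as IBMCA_LOGDIR; since the runtime path is now configurable, consider whether the configure-time default should remain overridable via --with-logdir or be documented as the compile-time fallback only.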
diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
index da45a52..f2d1d50 100644
--- a/src/provider/Makefile.am
+++ b/src/provider/Makefile.am
@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
SUBDIRS = doc
noinst_SCRIPTS = ibmca-provider-opensslconfig
-
-install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(logdir)
- $(CHMOD) 0777 $(DESTDIR)$(logdir)
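Review bot: Removing the 0777 install hook is the right fix, but it leaves the AC_PATH_PROG([CHMOD], ...) check in configure.ac (visible in the previous hunk) with no remaining user; drop it in the same patch so the build does not probe for a tool it no longer needs.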
diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
index 52350e4..846d607 100644
--- a/src/provider/doc/ibmca-provider.man
+++ b/src/provider/doc/ibmca-provider.man
@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
.IP "debug = yes | no | stderr"
.RS
Enables debug output for the IBMCA provider. If this option is not specified,
-no debuging output is produced. If \fBdebug = stderr\fP is specified,
+no debugging output is produced. If \fBdebug = stderr\fP is specified,
debugging messages are printed to stderr. Otherwise the debug output is written
-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP,
-where <provider-name> is the name of the IBMCA provider from the identity
-option, and <pid> is the process ID of the current process. You can also
-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
-\fBon\fP or \fBstderr\fP.
+into a trace file in \fB<debug-path>/trace-<provider-name>.<pid>\fP,
+where <debug-path> is the path name of a directory to where the debug files are
+written (default: \fB/tmp\fP), <provider-name> is the name of the IBMCA provider
+from the identity option, and <pid> is the process ID of the current process.
+You can also enable debugging by setting the environment variable
+\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
+.RE
+.PP
+.IP "debug-path = /dir/to/debug/directory"
+.RS
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
+You can also set the debug path by setting the environment variable
+\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
+under which the application that uses the IBMCA provider runs has write access
+to that directory. If this option is not specified, the default debug path is
+\fB/tmp\fP.
.RE
.PP
.IP "fips = yes | no"
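Review bot: The new debug-path paragraph should state what happens when the directory is not writable by the application's user (whether tracing is silently disabled, an error is reported, or provider initialisation fails), since the text only says write access "must be ensured". It is also worth noting that for services started by systemd with PrivateTmp=yes the default /tmp is the unit's private tmp, so the trace file will not appear in the host /tmp even though debugging is active.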
@@ -153,8 +165,18 @@ If
.B $IBMCA_DEBUG
is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
If it is set to \fBon\fP the debug output is written into a trace file in
-\fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP, where <pid> is
-the process ID of the current process.
+\fB<debug-path>/trace-<provider-name>.<pid>\fP, where <debug-path> is the path
+name of a directory to where the debug files are written (default: \fB/tmp\fP),
+<provider-name> is the name of the IBMCA provider from the identity option,
+and <pid> is the process ID of the current process.
+.PP
+.TP
+.BR IBMCA_DEBUG_PATH
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP configuration option or via environment variable
+\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
+application that uses the IBMCA provider runs has write access to that
+directory.
.PP
.SH SEE ALSO
.B provider(1)
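Review bot: The IBMCA_DEBUG_PATH entry should mention that the variable is read with secure_getenv() in p_ibmca.c and is therefore ignored in set-user-ID / set-group-ID (AT_SECURE) processes; as written, the man page implies the variable is always honoured, which differs from IBMCA_DEBUG, which is read with plain getenv().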
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
index 80f0368..ffb9b5d 100644
--- a/src/provider/p_ibmca.c
+++ b/src/provider/p_ibmca.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
+#include <stdlib.h>
#include <err.h>
#include <strings.h>
#include <string.h>
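Review bot: Adding <stdlib.h> is necessary for secure_getenv(), but on glibc that function is only declared when _GNU_SOURCE is defined before the first include; the hunk does not show such a define, so confirm that the build sets it (for example through AC_USE_SYSTEM_EXTENSIONS or -D_GNU_SOURCE), otherwise the call compiles as an implicit declaration.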
@@ -58,6 +59,8 @@ struct ibmca_config_item {
static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static const struct ibmca_config_item config_items[] = {
+ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
{ IBMCA_CONF_DEBUG, ibmca_config_debug },
{ IBMCA_CONF_FIPS, ibmca_config_fips },
{ IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
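Review bot: Placing IBMCA_CONF_DEBUG_PATH ahead of IBMCA_CONF_DEBUG only helps if the keys are applied in config_items order; if they are applied in the order they appear in the OpenSSL config file, a section that lists "debug = yes" before "debug-path = ..." opens the trace file under IBMCA_LOGDIR before the path is seen. Either document that debug-path must precede debug, or defer opening the trace file until all keys have been processed.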
@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
*p = '_';
if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
- IBMCA_LOGDIR, prov_name, provctx->debug_pid)
+ provctx->debug_path != NULL ? provctx->debug_path :
+ IBMCA_LOGDIR,
+ prov_name, provctx->debug_pid)
>= (int)sizeof(debug_file)) {
put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
"IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
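Review bot: The error path after the snprintf still reports "IBMCA_LOGDIR too long: '%s'" with IBMCA_LOGDIR, but the directory actually used is now provctx->debug_path when it is set, so an over-long configured or environment-supplied path produces a misleading message naming the wrong value; report the path that was passed to snprintf instead.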
@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
return 1;
}
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value)
+{
+ /*
+ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
+ * environment variable) do not override the setting.
+ */
+ if (provctx->debug_path != NULL)
+ return 1;
+
+ return ibmca_config_const_string(provctx, key, value,
+ &provctx->debug_path);
+}
+
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value)
{
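Review bot: ibmca_config_debug_path stores the string as-is via ibmca_config_const_string; a sanity check that the value is non-empty and an absolute path would surface a bad configuration at parse time rather than at the first failed trace-file open. The "do not override" rule also means the environment variable always wins over the config file; that precedence is reasonable but should be stated in the man page entry for debug-path.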
@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
ctx->c_free = c_free;
ctx->ica_adapter = DRIVER_NOT_LOADED;
+ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
+ if (val != NULL)
+ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
val = getenv(IBMCA_DEBUG_ENVVAR);
if (val != NULL)
ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
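Review bot: Reading IBMCA_DEBUG_PATH with secure_getenv() while IBMCA_DEBUG two lines below still uses getenv() is inconsistent; since both variables influence where and whether a file is written by whatever privilege the process runs with, use secure_getenv() for IBMCA_DEBUG as well. The IBMCA_DEBUG_PATH call also precedes the IBMCA_DEBUG call, which is required because ibmca_config_debug opens the trace file; a comment stating that ordering dependency would prevent a future reorder.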
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
index 3b3d4f0..c47a6aa 100644
--- a/src/provider/p_ibmca.h
+++ b/src/provider/p_ibmca.h
@@ -27,9 +27,11 @@
/* Environment variable name to enable debug */
#define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG"
+#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH"
/* IBMCA provider configuration key words */
#define IBMCA_CONF_DEBUG "debug"
+#define IBMCA_CONF_DEBUG_PATH "debug-path"
#define IBMCA_CONF_ALGORITHMS "algorithms"
#define IBMCA_CONF_FIPS "fips"
#define IBMCA_CONF_FALLBACK_PROPS "fallback-properties"
@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
bool debug;
+ const char *debug_path;
FILE *debug_file;
pid_t debug_pid;
pthread_mutex_t debug_mutex;
diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
index 7866f4e..e8132a6 100644
--- a/test/provider/openssl-test.cnf
+++ b/test/provider/openssl-test.cnf
@@ -16,6 +16,7 @@ identity = ibmca
module = ibmca-provider.so
activate = 1
#debug = yes
+#debug-path = /dir/to/debug/directory
#fips=yes
#algorithms = RSA,EC,DH
algorithms = ALL
--
2.41.0


@ -1,42 +0,0 @@
From b6d3f8f1fa3013a748eb538f8c2d31936d4188c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
Date: Wed, 26 Jul 2023 07:31:43 +0000
Subject: [PATCH] provider: use /tmp as logdir
The location for storing debug traces of the provider needs to be world
writeable. Using the original /var/log/ibmca has security implication,
so switch to using /tmp instead.
---
configure.ac | 2 +-
src/provider/doc/ibmca-provider.man | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index cea8ce8..57b3205 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
-logdir=$localstatedir/log/ibmca
+logdir=/tmp
AC_SUBST(logdir)
# Cmdline arguments.
diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
index 52350e4..b3d5174 100644
--- a/src/provider/doc/ibmca-provider.man
+++ b/src/provider/doc/ibmca-provider.man
@@ -153,7 +153,7 @@ If
.B $IBMCA_DEBUG
is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
If it is set to \fBon\fP the debug output is written into a trace file in
-\fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP, where <pid> is
+\fB[/tmp/trace-<provider-name>.<pid>\fP, where <pid> is
the process ID of the current process.
.PP
.SH SEE ALSO
--
2.41.0


@ -3,14 +3,12 @@
Summary: OpenSSL provider for IBMCA Summary: OpenSSL provider for IBMCA
Name: openssl-ibmca Name: openssl-ibmca
Version: 2.4.0 Version: 2.4.0
Release: 4%{?dist} Release: 5%{?dist}
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/opencryptoki URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# post GA fixes # post GA fixes
Patch0: %{name}-%{version}-fixes.patch Patch0: %{name}-%{version}-fixes.patch
# https://github.com/opencryptoki/openssl-ibmca/issues/107
Patch1: %{name}-2.4.0-log-into-tmp.patch
Requires: libica >= 4.0.0 Requires: libica >= 4.0.0
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
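Review bot: Dropping Patch1 is consistent with the upstream patch 7/7 now being carried in the fixes patch, but the "# https://github.com/opencryptoki/openssl-ibmca/issues/107" comment disappears with it; keep the issue link as a comment next to Patch0 so the reason for the /tmp change stays discoverable from the spec.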
@ -58,6 +56,9 @@ make check
%changelog %changelog
* Thu Jul 27 2023 Dan Horák <dan@danny.cz> - 2.4.0-5
- switch to upstream fix for logging into /tmp
* Wed Jul 26 2023 Dan Horák <dan@danny.cz> - 2.4.0-4 * Wed Jul 26 2023 Dan Horák <dan@danny.cz> - 2.4.0-4
- one more fix - one more fix