rpms/openssl-ibmca
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import openssl-ibmca-2.3.0-1.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-11-15 01:54:21 -05:00 committed by Stepan Oksanichenko
parent 43627c5358
commit bec385aa3b
6 changed files with 725 additions and 490 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openssl-ibmca-2.2.2.tar.gz
SOURCES/openssl-ibmca-2.3.0.tar.gz

2
.openssl-ibmca.metadata
View File

@ -1 +1 @@
6521a8e6e7cb41cc621bc7a8942543e979423ae7 SOURCES/openssl-ibmca-2.2.2.tar.gz
826976fdb0a4de24affe6b7c6678665bea8cdda0 SOURCES/openssl-ibmca-2.3.0.tar.gz

403
SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch
View File

@ -1,403 +0,0 @@
From e91e17901e0398b9a55850123ffe2cc4a0d04f34 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Wed, 9 Mar 2022 13:17:18 +0100
Subject: [PATCH] PKEY: Fix usage of ECX keys
ED25519, ED448, X25519, and X448 caused a segmentation fault due to wrong
usage of ECX keys.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/ibmca_pkey.c | 124 +++++++++++-----------------------------
src/openssl-compat.h | 131 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 164 insertions(+), 91 deletions(-)
create mode 100644 src/openssl-compat.h
diff --git a/src/ibmca_pkey.c b/src/ibmca_pkey.c
index e8ba9067..9c8de94c 100644
--- a/src/ibmca_pkey.c
+++ b/src/ibmca_pkey.c
@@ -22,65 +22,7 @@
#include "ibmca.h"
#include "e_ibmca_err.h"
-/*
- * copied from evp_int.h:
- * missing set/get methods for opaque types.
- */
-
-typedef struct {
- unsigned char pub[57];
- unsigned char *priv;
-} ECX_KEY;
-
-typedef struct evp_pkey_method_st {
- int pkey_id;
- int flags;
- int (*init) (EVP_PKEY_CTX *ctx);
- int (*copy) (EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
- void (*cleanup) (EVP_PKEY_CTX *ctx);
- int (*paramgen_init) (EVP_PKEY_CTX *ctx);
- int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
- int (*keygen_init) (EVP_PKEY_CTX *ctx);
- int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
- int (*sign_init) (EVP_PKEY_CTX *ctx);
- int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*verify_init) (EVP_PKEY_CTX *ctx);
- int (*verify) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
- int (*verify_recover) (EVP_PKEY_CTX *ctx,
- unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen);
- int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
- int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- EVP_MD_CTX *mctx);
- int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
- int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
- EVP_MD_CTX *mctx);
- int (*encrypt_init) (EVP_PKEY_CTX *ctx);
- int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
- int (*decrypt_init) (EVP_PKEY_CTX *ctx);
- int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
- int (*derive_init) (EVP_PKEY_CTX *ctx);
- int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
- int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
- int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
- int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
- size_t siglen, const unsigned char *tbs,
- size_t tbslen);
- int (*check) (EVP_PKEY *pkey);
- int (*public_check) (EVP_PKEY *pkey);
- int (*param_check) (EVP_PKEY *pkey);
-
- int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
-} EVP_PKEY_METHOD;
-
+#include "openssl-compat.h"
ica_x25519_ctx_new_t p_ica_x25519_ctx_new;
ica_x448_ctx_new_t p_ica_x448_ctx_new;
@@ -136,16 +78,16 @@ static int ibmca_x25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X25519);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_X25519, key);
rc = 1;
@@ -199,12 +141,12 @@ static int ibmca_x25519_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_
goto ret;
}
- if (p_ica_x25519_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_x25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
- if (p_ica_x25519_derive(ctx, key, peerkey_ecx->pub) != 0)
+ if (p_ica_x25519_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0)
goto ret;
rc = 1;
@@ -236,16 +178,16 @@ static int ibmca_x448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X448);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_X448, key);
rc = 1;
@@ -299,12 +241,12 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t
goto ret;
}
- if (p_ica_x448_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_x448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
- if (p_ica_x448_derive(ctx, key, peerkey_ecx->pub) != 0)
+ if (p_ica_x448_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0)
goto ret;
rc = 1;
@@ -341,16 +283,16 @@ static int ibmca_ed25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED25519);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_ED25519, key);
rc = 1;
@@ -398,9 +340,9 @@ static int ibmca_ed25519_sign(EVP_MD_CTX *md_ctx, unsigned char *sig,
goto ret;
}
- if (p_ica_ed25519_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_ed25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
if (p_ica_ed25519_sign(ctx, sig, tbs, tbslen) != 0)
@@ -443,7 +385,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
goto ret;
}
- if (p_ica_ed25519_key_set(ctx, NULL, key_ecx->pub) != 0) {
+ if (p_ica_ed25519_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET);
goto ret;
}
@@ -485,16 +427,16 @@ static int ibmca_ed448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey)
goto ret;
}
- key = calloc(1, sizeof(ECX_KEY));
+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED448);
private = calloc(1, sizeof(priv));
- if (key == NULL) {
+ if (key == NULL || private == NULL) {
IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED);
goto ret;
}
memcpy(private, priv, sizeof(priv));
- memcpy(key, pub, sizeof(pub));
- key->priv = private;
+ ossl_ecx_copypubkey(key, pub, sizeof(pub));
+ ossl_ecx_set0_privkey(key, private);
EVP_PKEY_assign(pkey, NID_ED448, key);
rc = 1;
@@ -542,9 +484,9 @@ static int ibmca_ed448_sign(EVP_MD_CTX *md_ctx, unsigned char *sig,
goto ret;
}
- if (p_ica_ed448_key_set(ctx, key_ecx->priv, NULL) != 0) {
+ if (p_ica_ed448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET);
- goto ret;;
+ goto ret;
}
if (p_ica_ed448_sign(ctx, sig, tbs, tbslen) != 0)
@@ -587,7 +529,7 @@ static int ibmca_ed448_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
goto ret;
}
- if (p_ica_ed448_key_set(ctx, NULL, key_ecx->pub) != 0) {
+ if (p_ica_ed448_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) {
IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET);
goto ret;
}
@@ -665,8 +607,8 @@ const EVP_PKEY_METHOD *ibmca_ed25519(void)
EVP_PKEY_meth_set_ctrl(ibmca_ed25519_pmeth, ibmca_ed_ctrl, NULL);
EVP_PKEY_meth_set_copy(ibmca_ed25519_pmeth, ibmca_ed25519_copy);
EVP_PKEY_meth_set_keygen(ibmca_ed25519_pmeth, NULL, ibmca_ed25519_keygen);
- ibmca_ed25519_pmeth->digestsign = ibmca_ed25519_sign;
- ibmca_ed25519_pmeth->digestverify = ibmca_ed25519_verify;
+ EVP_PKEY_meth_set_digestsign(ibmca_ed25519_pmeth, ibmca_ed25519_sign);
+ EVP_PKEY_meth_set_digestverify(ibmca_ed25519_pmeth, ibmca_ed25519_verify);
ret:
return ibmca_ed25519_pmeth;
@@ -684,8 +626,8 @@ const EVP_PKEY_METHOD *ibmca_ed448(void)
EVP_PKEY_meth_set_ctrl(ibmca_ed448_pmeth, ibmca_ed_ctrl, NULL);
EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
EVP_PKEY_meth_set_keygen(ibmca_ed448_pmeth, NULL, ibmca_ed448_keygen);
- ibmca_ed448_pmeth->digestsign = ibmca_ed448_sign;
- ibmca_ed448_pmeth->digestverify = ibmca_ed448_verify;
+ EVP_PKEY_meth_set_digestsign(ibmca_ed448_pmeth, ibmca_ed448_sign);
+ EVP_PKEY_meth_set_digestverify(ibmca_ed448_pmeth, ibmca_ed448_verify);
ret:
return ibmca_ed448_pmeth;
diff --git a/src/openssl-compat.h b/src/openssl-compat.h
new file mode 100644
index 00000000..0013365b
--- /dev/null
+++ b/src/openssl-compat.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright 2022 International Business Machines Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef IBMCA_OPENSSL_COMPAT_H
+#define IBMCA_OPENSSL_COMPAT_H
+
+#include <openssl/opensslv.h>
+
+#ifdef OPENSSL_VERSION_PREREQ
+/* This is 3.x */
+#include <crypto/evp.h>
+
+static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
+{
+ ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret));
+
+ if (ret == NULL)
+ return NULL;
+
+ ret->libctx = NULL;
+ ret->haspubkey = 0;
+ switch (type) {
+ case ECX_KEY_TYPE_X25519:
+ ret->keylen = X25519_KEYLEN;
+ break;
+ case ECX_KEY_TYPE_X448:
+ ret->keylen = X448_KEYLEN;
+ break;
+ case ECX_KEY_TYPE_ED25519:
+ ret->keylen = ED25519_KEYLEN;
+ break;
+ case ECX_KEY_TYPE_ED448:
+ ret->keylen = ED448_KEYLEN;
+ break;
+ }
+ ret->type = type;
+ ret->references = 1;
+
+ ret->lock = CRYPTO_THREAD_lock_new();
+ if (ret->lock == NULL)
+ goto err;
+ return ret;
+err:
+ OPENSSL_free(ret);
+ return NULL;
+}
+
+static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey)
+{
+ key->privkey = privkey;
+}
+
+static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key)
+{
+ return key->privkey;
+}
+
+static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key)
+{
+ return key->pubkey;
+}
+
+static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len)
+{
+ memcpy(key->pubkey, pubkey, len);
+ key->haspubkey = 1;
+}
+
+#else
+/* This is 1.1.x */
+
+#include <openssl/evp.h>
+
+/*
+ * copied from evp_int.h:
+ * missing set/get methods for opaque types.
+ */
+
+typedef struct {
+ unsigned char pub[57];
+ unsigned char *priv;
+} ECX_KEY;
+
+typedef enum {
+ ECX_KEY_TYPE_X25519,
+ ECX_KEY_TYPE_X448,
+ ECX_KEY_TYPE_ED25519,
+ ECX_KEY_TYPE_ED448
+} ECX_KEY_TYPE;
+
+static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
+{
+ return calloc(1, sizeof(ECX_KEY));
+}
+
+static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey)
+{
+ key->priv = privkey;
+}
+
+static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key)
+{
+ return key->priv;
+}
+
+static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key)
+{
+ return key->pub;
+}
+
+static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len)
+{
+ memcpy(key->pub, pubkey, len);
+}
+
+#endif
+
+#endif

72
SOURCES/openssl-ibmca-2.2.2-openssl3.patch
View File

@ -1,72 +0,0 @@
From e59cce5af547cc4cbda2a1bce1eb2b89e959ae99 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Mon, 21 Mar 2022 15:27:40 +0100
Subject: [PATCH] Fix compilation for OpenSSL 3.0
ECX_KEY structure as used by engine is not public API in OpenSSL 3.0 and
should not be included via a private header. This forced the engine to only
compile if the OpenSSL 3.0 source tree is present. While this might be the
cleaner solution, we now copy out the defines to be used. This makes the
engine compile even without OpenSSL 3.0 source tree.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/engine/openssl-compat.h | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/src/openssl-compat.h b/src/openssl-compat.h
index 0013365b..aae40dab 100644
--- a/src/openssl-compat.h
+++ b/src/openssl-compat.h
@@ -19,9 +19,36 @@
#include <openssl/opensslv.h>
+typedef enum {
+ ECX_KEY_TYPE_X25519,
+ ECX_KEY_TYPE_X448,
+ ECX_KEY_TYPE_ED25519,
+ ECX_KEY_TYPE_ED448
+} ECX_KEY_TYPE;
+
#ifdef OPENSSL_VERSION_PREREQ
/* This is 3.x */
-#include <crypto/evp.h>
+
+# define X25519_KEYLEN 32
+# define X448_KEYLEN 56
+# define ED25519_KEYLEN 32
+# define ED448_KEYLEN 57
+
+# define MAX_KEYLEN ED448_KEYLEN
+
+typedef int CRYPTO_REF_COUNT;
+
+typedef struct ecx_key_st {
+ OSSL_LIB_CTX *libctx;
+ char *propq;
+ unsigned int haspubkey:1;
+ unsigned char pubkey[MAX_KEYLEN];
+ unsigned char *privkey;
+ size_t keylen;
+ ECX_KEY_TYPE type;
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
+} ECX_KEY;
static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
{
@@ -94,13 +121,6 @@ typedef struct {
unsigned char *priv;
} ECX_KEY;
-typedef enum {
- ECX_KEY_TYPE_X25519,
- ECX_KEY_TYPE_X448,
- ECX_KEY_TYPE_ED25519,
- ECX_KEY_TYPE_ED448
-} ECX_KEY_TYPE;
-
static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type)
{
return calloc(1, sizeof(ECX_KEY));

689
SOURCES/openssl-ibmca-2.3.0-fixes.patch Normal file
View File

@ -0,0 +1,689 @@
From 1a75586c2821a55deeaa76861b1fc0539e6a3ca1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 1 Apr 2022 10:47:45 +0200
Subject: [PATCH 1/5] SPEC: Fix version number in provider-spec file
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
openssl-ibmca-provider.spec | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/openssl-ibmca-provider.spec b/openssl-ibmca-provider.spec
index a3ef1a6..6c95b54 100644
--- a/openssl-ibmca-provider.spec
+++ b/openssl-ibmca-provider.spec
@@ -5,7 +5,7 @@
# %global modulesdir %(pkg-config --variable=modulesdir libcrypto)
Name: openssl-ibmca
-Version: 2.2.3
+Version: 2.3.0
Release: 1%{?dist}
Summary: An IBMCA OpenSSL dynamic provider
@@ -45,6 +45,10 @@ mv -f src/provider/openssl.cnf.sample src/provider/openssl.cnf.sample.%{_arch}
%dir %attr(777,root,root) %{_localstatedir}/log/ibmca
%changelog
+* Fri Mar 25 2022 Juergen Christ <jchrist@linux.ibm.com> 2.3.0
+- First version including the provider
+- Fix for engine build without OpenSSL 3.0 sources
+
* Wed March 3 2022 Ingo Franzki <ifranzki@linux.ibm.com>
- Add provider support
--
2.36.1
From 76341149f2102bb628da61c2653e5911ddb81084 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 7 Apr 2022 12:32:36 +0200
Subject: [PATCH 2/5] Adjust to new libica.
libica recently added function ica_cleanup to be called to free internal
OpenSSL 3.0 resources. This collided with our internal ica_cleanup function.
Rename that and call ica_cleanup if present.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
configure.ac | 2 ++
src/engine/e_ibmca.c | 13 ++++++++++---
src/engine/ibmca.h | 3 +++
src/provider/p_ibmca.c | 3 +++
4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 46ad10e..6434056 100644
--- a/configure.ac
+++ b/configure.ac
@@ -130,6 +130,8 @@ if test "x$enable_provider" = xyes; then
[#include <ica_api.h>])
fi
+AC_CHECK_DECLS([ica_cleanup],,,[#include <ica_api.h>])
+
AC_CONFIG_FILES([
Makefile
src/Makefile
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
index ef17349..7335246 100644
--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
@@ -102,6 +102,7 @@ ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize;
ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
ica_aes_gcm_last_t p_ica_aes_gcm_last;
#endif
+ica_cleanup_t p_ica_cleanup;
/* save libcrypto's default ec methods */
#ifndef NO_EC
@@ -652,8 +653,10 @@ static void ibmca_destructor(void)
free((void *)LIBICA_NAME);
}
-static void ica_cleanup(void)
+static void do_ica_cleanup(void)
{
+ if (p_ica_cleanup)
+ p_ica_cleanup();
if (ibmca_dso && dlclose(ibmca_dso)) {
IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE);
return;
@@ -725,6 +728,7 @@ static void ica_cleanup(void)
p_ica_x448_ctx_del = NULL;
p_ica_ed25519_ctx_del = NULL;
p_ica_ed448_ctx_del = NULL;
+ p_ica_cleanup = NULL;
}
static int ibmca_init(ENGINE *e)
@@ -806,6 +810,9 @@ static int ibmca_init(ENGINE *e)
BIND(ibmca_dso, ica_ed25519_ctx_del);
BIND(ibmca_dso, ica_ed448_ctx_del);
+ /* ica_cleanup is not always present and only needed for newer libraries */
+ p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
+
/* disable fallbacks on Libica */
if (BIND(ibmca_dso, ica_set_fallback_mode))
p_ica_set_fallback_mode(0);
@@ -821,7 +828,7 @@ static int ibmca_init(ENGINE *e)
return 1;
err:
- ica_cleanup();
+ do_ica_cleanup();
return 0;
}
@@ -884,7 +891,7 @@ static int ibmca_finish(ENGINE *e)
if (p_ica_close_adapter)
p_ica_close_adapter(ibmca_handle);
- ica_cleanup();
+ do_ica_cleanup();
memset(&ibmca_registration, 0, sizeof(ibmca_registration));
return 1;
}
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
index 382a45d..53f4ca1 100644
--- a/src/engine/ibmca.h
+++ b/src/engine/ibmca.h
@@ -616,6 +616,8 @@ int (*ica_ed25519_ctx_del_t)(ICA_ED25519_CTX **ctx);
typedef
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
+typedef void (*ica_cleanup_t)(void);
+
/* entry points into libica, filled out at DSO load time */
extern ica_get_functionlist_t p_ica_get_functionlist;
extern ica_set_fallback_mode_t p_ica_set_fallback_mode;
@@ -681,3 +683,4 @@ extern ica_x25519_ctx_del_t p_ica_x25519_ctx_del;
extern ica_x448_ctx_del_t p_ica_x448_ctx_del;
extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del;
extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del;
+extern ica_cleanup_t p_ica_cleanup;
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
index d8045ba..80f0368 100644
--- a/src/provider/p_ibmca.c
+++ b/src/provider/p_ibmca.c
@@ -633,6 +633,9 @@ static void ibmca_teardown(void *vprovctx)
pthread_mutex_destroy(&provctx->debug_mutex);
P_FREE(provctx, provctx);
+#if HAVE_DECL_ICA_CLEANUP == 1
+ ica_cleanup();
+#endif
}
static const OSSL_PARAM ibmca_param_types[] = {
--
2.36.1
From 688273ec77530a44d43ad5133155e646a945bc88 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 7 Apr 2022 12:33:44 +0200
Subject: [PATCH 3/5] Support tests in remote builds.
If the build is not wihin the source tree, tests failed since they could not
find the key files. Add support for this.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
test/engine/test.pm | 26 ++++++++++++++------------
test/provider/tls.pl | 13 +++++++------
2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/test/engine/test.pm b/test/engine/test.pm
index 8e4b8ab..3a313e1 100644
--- a/test/engine/test.pm
+++ b/test/engine/test.pm
@@ -3,6 +3,8 @@
use strict;
use warnings;
+use FindBin;
+
package test;
sub osslversion1 {
@@ -69,16 +71,16 @@ sub rsaencdec {
my $bytes = 1 + int(rand($max_file_size));
# engine enc, no-engine dec
`openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`;
- `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
- `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
+ `$eng openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
+ `openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
`cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`;
exit(99) if ($?);
`rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`;
# no-engine enc, engine dec
`openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`;
- `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
- `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
+ `openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
+ `$eng openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
`cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`;
exit(99) if ($?);
`rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`;
@@ -100,16 +102,16 @@ sub rsasignverify {
$key .= $hex[rand(@hex)] for (1..$keylen);
# engine sign, no-engine verify
`openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`;
- `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
- `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
+ `$eng openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
+ `openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
`cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`;
exit(99) if ($?);
`rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`;
# no-engine sign, engine verify
`openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`;
- `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
- `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
+ `openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
+ `$eng openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
`cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`;
exit(99) if ($?);
`rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`;
@@ -131,15 +133,15 @@ sub dsasignverify {
my $bytes = 1 + int(rand($max_file_size));
# engine sign, no-engine verify
`openssl rand $bytes > dsa.${i}.${keylen}.data.in`;
- `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
- `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
+ `$eng openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
+ `openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
exit(99) if ($?);
`rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`;
# no-engine sign, engine verify
`openssl rand $bytes > dsa.${i}.${keylen}.data.in`;
- `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
- `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
+ `openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
+ `$eng openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
exit(99) if ($?);
`rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`;
}
diff --git a/test/provider/tls.pl b/test/provider/tls.pl
index c8871d4..0d9df6d 100755
--- a/test/provider/tls.pl
+++ b/test/provider/tls.pl
@@ -19,17 +19,18 @@
use strict;
use warnings;
use test;
+use FindBin;
# TLS 1.3 with RSA signatures
-test::tls(10001, "server-key-rsa.pem", "server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
+test::tls(10001, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
# TLS 1.3 with EC signatures
-test::tls(10002, "server-key-ec.pem", "server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
+test::tls(10002, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
# TLS 1.2 with RSA signatures and ECDH key exchange
-test::tls(10003, "server-key-rsa.pem", "server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
+test::tls(10003, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
# TLS 1.2 with ECDSA signatures and ECDH key exchange
-test::tls(10004, "server-key-ec.pem", "server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
+test::tls(10004, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
# TLS 1.2 with RSA signatures and DH key exchange
-test::tls(10005, "server-key-rsa.pem", "server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
+test::tls(10005, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
# TLS 1.2 with RSA signatures and RSA key exchange
-test::tls(10006, "server-key-rsa.pem", "server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
+test::tls(10006, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
--
2.36.1
From c0d384b72f280a4bd1c71407df0583da1847f5cb Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 12 May 2022 11:20:18 +0200
Subject: [PATCH 4/5] provider: Adapt keymgmt_match() implementations to
OpenSSL
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
OpenSSL provider's keymgmt_match() function to be not so strict with
the selector bits in regards to matching different key parts.
Adapt the provider's match functions accordingly.
This means, that if the public key is selected to be matched, and the
public key matches (together with any also selected parameters),
then the private key is no longer checked, although it may also be
selected to be matched. This is according to how the OpenSSL function
EVP_PKEY_eq() is supposed to behave.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/provider/dh_keymgmt.c | 2 +-
src/provider/ec_keymgmt.c | 5 +++--
src/provider/rsa_keymgmt.c | 8 +++++---
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c
index 48ba739..3180158 100644
--- a/src/provider/dh_keymgmt.c
+++ b/src/provider/dh_keymgmt.c
@@ -1000,7 +1000,7 @@ static int ibmca_keymgmt_dh_match(const void *vkey1, const void *vkey2,
}
}
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
if (key1->dh.priv != NULL || key2->dh.priv != NULL) {
ok = ok && (BN_cmp(key1->dh.priv, key2->dh.priv) == 0);
checked = 1;
diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c
index d898c6a..d39b1e2 100644
--- a/src/provider/ec_keymgmt.c
+++ b/src/provider/ec_keymgmt.c
@@ -751,7 +751,7 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2,
const struct ibmca_key *key2 = vkey2;
BIGNUM *x1 = NULL, *y1 = NULL, *d1 = NULL;
BIGNUM *x2 = NULL, *y2 = NULL, *d2 = NULL;
- int ok = 1, rc1, rc2;
+ int ok = 1, rc1, rc2, checked = 0;
if (key1 == NULL || key2 == NULL)
return 0;
@@ -781,9 +781,10 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2,
ok = ok && (rc1 == rc2 && (rc1 == -1 ||
(BN_cmp(x1, x2) == 0 && BN_cmp(y1, y2) == 0)));
+ checked = 1;
}
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
rc1 = ibmca_keymgmt_ec_priv_key_as_bn(key1, &d1);
if (rc1 == 0) {
ok = 0;
diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
index 61f7744..9278327 100644
--- a/src/provider/rsa_keymgmt.c
+++ b/src/provider/rsa_keymgmt.c
@@ -641,7 +641,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2,
{
const struct ibmca_key *key1 = vkey1;
const struct ibmca_key *key2 = vkey2;
- int ok = 1;
+ int ok = 1, checked = 0;
if (key1 == NULL || key2 == NULL)
return 0;
@@ -652,7 +652,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2,
if (ibmca_keymgmt_match(key1, key2) == 0)
return 0;
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
ok = ok && (key1->rsa.public.key_length ==
key2->rsa.public.key_length &&
memcmp(key1->rsa.public.exponent,
@@ -661,8 +661,10 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2,
memcmp(key1->rsa.public.modulus,
key2->rsa.public.modulus,
key1->rsa.public.key_length) == 0);
+ checked = 1;
+ }
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
ok = ok && (key1->rsa.private.key_length ==
key2->rsa.private.key_length &&
CRYPTO_memcmp(key1->rsa.private.p,
--
2.36.1
From 49be3a5c9c1258e0dc15bbc50d5aa04a0ba4ba66 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 18 May 2022 15:41:12 +0200
Subject: [PATCH 5/5] tests: skip tests if libica does not support required
algorithms
Before actually running the tests, check if libica supports the
required algorithms. Skip the whole test if not.
This can happen when running the test on a system without appropriate
crypto adapters. This would lead to the situation that the provider would
not register itself for the required algorithms, and thus the OpenSSL
default provider would be used. This would make the tests to fail, because
it is not running with the IBMCA provider as expected by the test.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
test/provider/Makefile.am | 18 ++++++++++---
test/provider/dhkey.c | 56 ++++++++++++++++++++++++++++++++++++++
test/provider/eckey.c | 57 +++++++++++++++++++++++++++++++++++++++
test/provider/rsakey.c | 56 ++++++++++++++++++++++++++++++++++++++
4 files changed, 184 insertions(+), 3 deletions(-)
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
index f5cb97d..b007682 100644
--- a/test/provider/Makefile.am
+++ b/test/provider/Makefile.am
@@ -20,13 +20,25 @@ TESTS = \
check_PROGRAMS = rsakey eckey dhkey threadtest
dhkey_SOURCES = dhkey.c
-dhkey_LDADD = -lcrypto
+if PROVIDER_FULL_LIBICA
+dhkey_LDADD = -lcrypto -lica
+else
+dhkey_LDADD = -lcrypto -lica-cex
+endif
eckey_SOURCES = eckey.c
-eckey_LDADD = -lcrypto
+if PROVIDER_FULL_LIBICA
+eckey_LDADD = -lcrypto -lica
+else
+eckey_LDADD = -lcrypto -lica-cex
+endif
rsakey_SOURCES = rsakey.c
-rsakey_LDADD = -lcrypto
+if PROVIDER_FULL_LIBICA
+rsakey_LDADD = -lcrypto -lica
+else
+rsakey_LDADD = -lcrypto -lica-cex
+endif
threadtest_SOURCES = threadtest.c
threadtest_LDADD = -lcrypto -lpthread
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
index a9cea13..8829ecc 100644
--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
@@ -27,6 +27,8 @@
#include <openssl/core_names.h>
#include <openssl/err.h>
+#include <ica_api.h>
+
#define UNUSED(var) ((void)(var))
void setup(void)
@@ -349,6 +351,56 @@ int check_dhkey(int nid, const char *name, const char *algo)
return ret;
}
+static const unsigned int required_ica_mechs[] = { RSA_ME };
+static const unsigned int required_ica_mechs_len =
+ sizeof(required_ica_mechs) / sizeof(unsigned int);
+
+int check_libica()
+{
+ unsigned int mech_len, i, k, found = 0;
+ libica_func_list_element *mech_list = NULL;
+ int rc;
+
+ rc = ica_get_functionlist(NULL, &mech_len);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to get function list from libica!\n");
+ return 77;
+ }
+
+ mech_list = calloc(sizeof(libica_func_list_element), mech_len);
+ if (mech_list == NULL) {
+ fprintf(stderr, "Failed to allocate memory for function list!\n");
+ return 77;
+ }
+
+ rc = ica_get_functionlist(mech_list, &mech_len);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to get function list from libica!\n");
+ free(mech_list);
+ return 77;
+ }
+
+ for (i = 0; i < mech_len; i++) {
+ for (k = 0; k < required_ica_mechs_len; k++) {
+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) {
+ if (mech_list[i].flags &
+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW))
+ found++;
+ }
+ }
+ }
+
+ free(mech_list);
+
+ if (found < required_ica_mechs_len) {
+ fprintf(stderr,
+ "Libica does not support the required algorithms, skipping.\n");
+ return 77;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
static const struct testparams {
@@ -389,6 +441,10 @@ int main(int argc, char **argv)
return 77;
}
+ ret = check_libica();
+ if (ret != 0)
+ return ret;
+
setup();
for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) {
if (!check_dhkey(params[i].nid, params[i].name, "DH")) {
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
index 279b942..b2334d7 100644
--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
@@ -27,6 +27,8 @@
#include <openssl/core_names.h>
#include <openssl/err.h>
+#include <ica_api.h>
+
#define UNUSED(var) ((void)(var))
void setup(void)
@@ -781,6 +783,57 @@ int check_eckey(int nid, const char *name)
return ret;
}
+static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
+ EC_DSA_VERIFY, EC_KGEN, };
+static const unsigned int required_ica_mechs_len =
+ sizeof(required_ica_mechs) / sizeof(unsigned int);
+
+int check_libica()
+{
+ unsigned int mech_len, i, k, found = 0;
+ libica_func_list_element *mech_list = NULL;
+ int rc;
+
+ rc = ica_get_functionlist(NULL, &mech_len);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to get function list from libica!\n");
+ return 77;
+ }
+
+ mech_list = calloc(sizeof(libica_func_list_element), mech_len);
+ if (mech_list == NULL) {
+ fprintf(stderr, "Failed to allocate memory for function list!\n");
+ return 77;
+ }
+
+ rc = ica_get_functionlist(mech_list, &mech_len);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to get function list from libica!\n");
+ free(mech_list);
+ return 77;
+ }
+
+ for (i = 0; i < mech_len; i++) {
+ for (k = 0; k < required_ica_mechs_len; k++) {
+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) {
+ if (mech_list[i].flags &
+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW))
+ found++;
+ }
+ }
+ }
+
+ free(mech_list);
+
+ if (found < required_ica_mechs_len) {
+ fprintf(stderr,
+ "Libica does not support the required algorithms, skipping.\n");
+ return 77;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
static const struct testparams {
@@ -822,6 +875,10 @@ int main(int argc, char **argv)
return 77;
}
+ ret = check_libica();
+ if (ret != 0)
+ return ret;
+
setup();
for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) {
if (!check_eckey(params[i].nid, params[i].name)) {
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
index 0adface..366b503 100644
--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
@@ -26,6 +26,8 @@
#include <openssl/provider.h>
#include <openssl/err.h>
+#include <ica_api.h>
+
#define UNUSED(var) ((void)(var))
void setup(void)
@@ -729,6 +731,56 @@ int check_rsakey(int bits, const char *algo, const char *name)
return ret;
}
+static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
+static const unsigned int required_ica_mechs_len =
+ sizeof(required_ica_mechs) / sizeof(unsigned int);
+
+int check_libica()
+{
+ unsigned int mech_len, i, k, found = 0;
+ libica_func_list_element *mech_list = NULL;
+ int rc;
+
+ rc = ica_get_functionlist(NULL, &mech_len);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to get function list from libica!\n");
+ return 77;
+ }
+
+ mech_list = calloc(sizeof(libica_func_list_element), mech_len);
+ if (mech_list == NULL) {
+ fprintf(stderr, "Failed to allocate memory for function list!\n");
+ return 77;
+ }
+
+ rc = ica_get_functionlist(mech_list, &mech_len);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to get function list from libica!\n");
+ free(mech_list);
+ return 77;
+ }
+
+ for (i = 0; i < mech_len; i++) {
+ for (k = 0; k < required_ica_mechs_len; k++) {
+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) {
+ if (mech_list[i].flags &
+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW))
+ found++;
+ }
+ }
+ }
+
+ free(mech_list);
+
+ if (found < required_ica_mechs_len) {
+ fprintf(stderr,
+ "Libica does not support the required algorithms, skipping.\n");
+ return 77;
+ }
+
+ return 0;
+}
+
int main(int argc, char **argv)
{
static const struct testparams {
@@ -767,6 +819,10 @@ int main(int argc, char **argv)
return 77;
}
+ ret = check_libica();
+ if (ret != 0)
+ return ret;
+
setup();
for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) {
if (!check_rsakey(params[i].bits, params[i].algo, params[i].name)) {
--
2.36.1

47
SPECS/openssl-ibmca.spec
View File

@ -1,23 +1,31 @@
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
%global modulesdir %(openssl version -m | grep -o '".*"' | tr -d '"')
# Above can be replaced by the following once OpenSSL commit
# https://github.com/openssl/openssl/commit/7fde39de848f062d6db45bf9e69439db2100b9bb
# has been included into the distribution:
# %%global modulesdir %%(pkg-config --variable=modulesdir libcrypto)
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
%global with_openssl3 1
%endif
Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca
Version: 2.2.2
Release: 1%{?dist}.1
Version: 2.3.0
Release: 1%{?dist}
License: ASL 2.0
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=2069683
# https://github.com/opencryptoki/openssl-ibmca/commit/e91e17901e0398b9a55850123ffe2cc4a0d04f34
Patch0: %{name}-2.2.2-fix-ecx-keys.patch
# https://github.com/opencryptoki/openssl-ibmca/commit/e59cce5af547cc4cbda2a1bce1eb2b89e959ae99
Patch1: %{name}-2.2.2-openssl3.patch
# post GA fixes
Patch0: %{name}-%{version}-fixes.patch
Requires: libica >= 4.0.0
BuildRequires: make
BuildRequires: gcc
BuildRequires: libica-devel >= 4.0.0
BuildRequires: automake libtool
BuildRequires: openssl
BuildRequires: perl(FindBin)
ExclusiveArch: s390 s390x
@ -40,8 +48,14 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
%make_install
rm -f %{buildroot}%{enginesdir}/*.la
pushd src
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
%if 0%{?with_openssl3}
# provider is built when openssl3 is available, fix its location
mkdir -p %{buildroot}%{modulesdir}
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
%endif
pushd src/engine
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
popd
# remove generated sample configs
@ -54,15 +68,22 @@ make check
%files
%license LICENSE
%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/ibmca-engine-opensslconfig
%doc ChangeLog README.md src/engine/openssl.cnf.sample
%doc src/engine/ibmca-engine-opensslconfig
%doc src/provider/ibmca-provider-opensslconfig
%{enginesdir}/ibmca.so
%{_mandir}/man5/ibmca.5*
%if 0%{?with_openssl3}
%{modulesdir}/ibmca-provider.so
%{_mandir}/man5/ibmca-provider.5*
%endif
%changelog
* Wed Mar 30 2022 Dan Horák <dhorak@redhat.com> - 2.2.2-1.1
- fix crash with ECX keys (#2069683)
- Resolves: #2069683
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2044177)
- add provider for openssl 3.x (#2044185)
- Resolves: #2044177 #2044185
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
- updated to 2.2.2 (#2016989)