From bec385aa3bba520ed833b5edf410e59807fcb19f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 15 Nov 2022 01:54:21 -0500
Subject: [PATCH] import openssl-ibmca-2.3.0-1.el9
---
.gitignore | 2 +-
.openssl-ibmca.metadata | 2 +-
.../openssl-ibmca-2.2.2-fix-ecx-keys.patch | 403 ----------
SOURCES/openssl-ibmca-2.2.2-openssl3.patch | 72 --
SOURCES/openssl-ibmca-2.3.0-fixes.patch | 689 ++++++++++++++++++
SPECS/openssl-ibmca.spec | 47 +-
6 files changed, 725 insertions(+), 490 deletions(-)
delete mode 100644 SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch
delete mode 100644 SOURCES/openssl-ibmca-2.2.2-openssl3.patch
create mode 100644 SOURCES/openssl-ibmca-2.3.0-fixes.patch
diff --git a/.gitignore b/.gitignore
index 1555e03..9201c59 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openssl-ibmca-2.2.2.tar.gz
+SOURCES/openssl-ibmca-2.3.0.tar.gz
diff --git a/.openssl-ibmca.metadata b/.openssl-ibmca.metadata
index fdb0b42..1ed5dac 100644
--- a/.openssl-ibmca.metadata
+++ b/.openssl-ibmca.metadata
@@ -1 +1 @@
-6521a8e6e7cb41cc621bc7a8942543e979423ae7 SOURCES/openssl-ibmca-2.2.2.tar.gz
+826976fdb0a4de24affe6b7c6678665bea8cdda0 SOURCES/openssl-ibmca-2.3.0.tar.gz
diff --git a/SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch b/SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch
deleted file mode 100644
index f813865..0000000
--- a/SOURCES/openssl-ibmca-2.2.2-fix-ecx-keys.patch
+++ /dev/null
@@ -1,403 +0,0 @@ -From e91e17901e0398b9a55850123ffe2cc4a0d04f34 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Wed, 9 Mar 2022 13:17:18 +0100 -Subject: [PATCH] PKEY: Fix usage of ECX keys - -ED25519, ED448, X25519, and X448 caused a segmentation fault due to wrong -usage of ECX keys. - -Signed-off-by: Juergen Christ ---- - src/ibmca_pkey.c | 124 +++++++++++----------------------------- - src/openssl-compat.h | 131 +++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 164 insertions(+), 91 deletions(-) - create mode 100644 src/openssl-compat.h - -diff --git a/src/ibmca_pkey.c b/src/ibmca_pkey.c -index e8ba9067..9c8de94c 100644 ---- a/src/ibmca_pkey.c -+++ b/src/ibmca_pkey.c -@@ -22,65 +22,7 @@ - #include "ibmca.h" - #include "e_ibmca_err.h" - --/* -- * copied from evp_int.h: -- * missing set/get methods for opaque types. -- */ -- --typedef struct { -- unsigned char pub[57]; -- unsigned char *priv; --} ECX_KEY; -- --typedef struct evp_pkey_method_st { -- int pkey_id; -- int flags; -- int (*init) (EVP_PKEY_CTX *ctx); -- int (*copy) (EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src); -- void (*cleanup) (EVP_PKEY_CTX *ctx); -- int (*paramgen_init) (EVP_PKEY_CTX *ctx); -- int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey); -- int (*keygen_init) (EVP_PKEY_CTX *ctx); -- int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey); -- int (*sign_init) (EVP_PKEY_CTX *ctx); -- int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, -- const unsigned char *tbs, size_t tbslen); -- int (*verify_init) (EVP_PKEY_CTX *ctx); -- int (*verify) (EVP_PKEY_CTX *ctx, -- const unsigned char *sig, size_t siglen, -- const unsigned char *tbs, size_t tbslen); -- int (*verify_recover_init) (EVP_PKEY_CTX *ctx); -- int (*verify_recover) (EVP_PKEY_CTX *ctx, -- unsigned char *rout, size_t *routlen, -- const unsigned char *sig, size_t siglen); -- int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); -- int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, -- 
EVP_MD_CTX *mctx); -- int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); -- int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen, -- EVP_MD_CTX *mctx); -- int (*encrypt_init) (EVP_PKEY_CTX *ctx); -- int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, -- const unsigned char *in, size_t inlen); -- int (*decrypt_init) (EVP_PKEY_CTX *ctx); -- int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, -- const unsigned char *in, size_t inlen); -- int (*derive_init) (EVP_PKEY_CTX *ctx); -- int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen); -- int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2); -- int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value); -- int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, -- const unsigned char *tbs, size_t tbslen); -- int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig, -- size_t siglen, const unsigned char *tbs, -- size_t tbslen); -- int (*check) (EVP_PKEY *pkey); -- int (*public_check) (EVP_PKEY *pkey); -- int (*param_check) (EVP_PKEY *pkey); -- -- int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); --} EVP_PKEY_METHOD; -- -+#include "openssl-compat.h" - - ica_x25519_ctx_new_t p_ica_x25519_ctx_new; - ica_x448_ctx_new_t p_ica_x448_ctx_new; -@@ -136,16 +78,16 @@ static int ibmca_x25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) - goto ret; - } - -- key = calloc(1, sizeof(ECX_KEY)); -+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X25519); - private = calloc(1, sizeof(priv)); -- if (key == NULL) { -+ if (key == NULL || private == NULL) { - IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); - goto ret; - } - - memcpy(private, priv, sizeof(priv)); -- memcpy(key, pub, sizeof(pub)); -- key->priv = private; -+ ossl_ecx_copypubkey(key, pub, sizeof(pub)); -+ ossl_ecx_set0_privkey(key, private); - - EVP_PKEY_assign(pkey, NID_X25519, key); - rc = 1; -@@ -199,12 +141,12 @@ static int 
ibmca_x25519_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_ - goto ret; - } - -- if (p_ica_x25519_key_set(ctx, key_ecx->priv, NULL) != 0) { -+ if (p_ica_x25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { - IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); -- goto ret;; -+ goto ret; - } - -- if (p_ica_x25519_derive(ctx, key, peerkey_ecx->pub) != 0) -+ if (p_ica_x25519_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0) - goto ret; - - rc = 1; -@@ -236,16 +178,16 @@ static int ibmca_x448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) - goto ret; - } - -- key = calloc(1, sizeof(ECX_KEY)); -+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X448); - private = calloc(1, sizeof(priv)); -- if (key == NULL) { -+ if (key == NULL || private == NULL) { - IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); - goto ret; - } - - memcpy(private, priv, sizeof(priv)); -- memcpy(key, pub, sizeof(pub)); -- key->priv = private; -+ ossl_ecx_copypubkey(key, pub, sizeof(pub)); -+ ossl_ecx_set0_privkey(key, private); - - EVP_PKEY_assign(pkey, NID_X448, key); - rc = 1; -@@ -299,12 +241,12 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t - goto ret; - } - -- if (p_ica_x448_key_set(ctx, key_ecx->priv, NULL) != 0) { -+ if (p_ica_x448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { - IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); -- goto ret;; -+ goto ret; - } - -- if (p_ica_x448_derive(ctx, key, peerkey_ecx->pub) != 0) -+ if (p_ica_x448_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0) - goto ret; - - rc = 1; -@@ -341,16 +283,16 @@ static int ibmca_ed25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) - goto ret; - } - -- key = calloc(1, sizeof(ECX_KEY)); -+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED25519); - private = calloc(1, sizeof(priv)); -- if (key == NULL) { -+ if (key == NULL || private == NULL) { - IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); - goto 
ret; - } - - memcpy(private, priv, sizeof(priv)); -- memcpy(key, pub, sizeof(pub)); -- key->priv = private; -+ ossl_ecx_copypubkey(key, pub, sizeof(pub)); -+ ossl_ecx_set0_privkey(key, private); - - EVP_PKEY_assign(pkey, NID_ED25519, key); - rc = 1; -@@ -398,9 +340,9 @@ static int ibmca_ed25519_sign(EVP_MD_CTX *md_ctx, unsigned char *sig, - goto ret; - } - -- if (p_ica_ed25519_key_set(ctx, key_ecx->priv, NULL) != 0) { -+ if (p_ica_ed25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { - IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); -- goto ret;; -+ goto ret; - } - - if (p_ica_ed25519_sign(ctx, sig, tbs, tbslen) != 0) -@@ -443,7 +385,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, - goto ret; - } - -- if (p_ica_ed25519_key_set(ctx, NULL, key_ecx->pub) != 0) { -+ if (p_ica_ed25519_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) { - IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); - goto ret; - } -@@ -485,16 +427,16 @@ static int ibmca_ed448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) - goto ret; - } - -- key = calloc(1, sizeof(ECX_KEY)); -+ key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED448); - private = calloc(1, sizeof(priv)); -- if (key == NULL) { -+ if (key == NULL || private == NULL) { - IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); - goto ret; - } - - memcpy(private, priv, sizeof(priv)); -- memcpy(key, pub, sizeof(pub)); -- key->priv = private; -+ ossl_ecx_copypubkey(key, pub, sizeof(pub)); -+ ossl_ecx_set0_privkey(key, private); - - EVP_PKEY_assign(pkey, NID_ED448, key); - rc = 1; -@@ -542,9 +484,9 @@ static int ibmca_ed448_sign(EVP_MD_CTX *md_ctx, unsigned char *sig, - goto ret; - } - -- if (p_ica_ed448_key_set(ctx, key_ecx->priv, NULL) != 0) { -+ if (p_ica_ed448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { - IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); -- goto ret;; -+ goto ret; - } - - if (p_ica_ed448_sign(ctx, sig, tbs, 
tbslen) != 0) -@@ -587,7 +529,7 @@ static int ibmca_ed448_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, - goto ret; - } - -- if (p_ica_ed448_key_set(ctx, NULL, key_ecx->pub) != 0) { -+ if (p_ica_ed448_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) { - IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); - goto ret; - } -@@ -665,8 +607,8 @@ const EVP_PKEY_METHOD *ibmca_ed25519(void) - EVP_PKEY_meth_set_ctrl(ibmca_ed25519_pmeth, ibmca_ed_ctrl, NULL); - EVP_PKEY_meth_set_copy(ibmca_ed25519_pmeth, ibmca_ed25519_copy); - EVP_PKEY_meth_set_keygen(ibmca_ed25519_pmeth, NULL, ibmca_ed25519_keygen); -- ibmca_ed25519_pmeth->digestsign = ibmca_ed25519_sign; -- ibmca_ed25519_pmeth->digestverify = ibmca_ed25519_verify; -+ EVP_PKEY_meth_set_digestsign(ibmca_ed25519_pmeth, ibmca_ed25519_sign); -+ EVP_PKEY_meth_set_digestverify(ibmca_ed25519_pmeth, ibmca_ed25519_verify); - - ret: - return ibmca_ed25519_pmeth; -@@ -684,8 +626,8 @@ const EVP_PKEY_METHOD *ibmca_ed448(void) - EVP_PKEY_meth_set_ctrl(ibmca_ed448_pmeth, ibmca_ed_ctrl, NULL); - EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy); - EVP_PKEY_meth_set_keygen(ibmca_ed448_pmeth, NULL, ibmca_ed448_keygen); -- ibmca_ed448_pmeth->digestsign = ibmca_ed448_sign; -- ibmca_ed448_pmeth->digestverify = ibmca_ed448_verify; -+ EVP_PKEY_meth_set_digestsign(ibmca_ed448_pmeth, ibmca_ed448_sign); -+ EVP_PKEY_meth_set_digestverify(ibmca_ed448_pmeth, ibmca_ed448_verify); - - ret: - return ibmca_ed448_pmeth; -diff --git a/src/openssl-compat.h b/src/openssl-compat.h -new file mode 100644 -index 00000000..0013365b ---- /dev/null -+++ b/src/openssl-compat.h -@@ -0,0 +1,131 @@ -+/* -+ * Copyright 2022 International Business Machines Corp. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. 
-+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+#ifndef IBMCA_OPENSSL_COMPAT_H -+#define IBMCA_OPENSSL_COMPAT_H -+ -+#include -+ -+#ifdef OPENSSL_VERSION_PREREQ -+/* This is 3.x */ -+#include -+ -+static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) -+{ -+ ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret)); -+ -+ if (ret == NULL) -+ return NULL; -+ -+ ret->libctx = NULL; -+ ret->haspubkey = 0; -+ switch (type) { -+ case ECX_KEY_TYPE_X25519: -+ ret->keylen = X25519_KEYLEN; -+ break; -+ case ECX_KEY_TYPE_X448: -+ ret->keylen = X448_KEYLEN; -+ break; -+ case ECX_KEY_TYPE_ED25519: -+ ret->keylen = ED25519_KEYLEN; -+ break; -+ case ECX_KEY_TYPE_ED448: -+ ret->keylen = ED448_KEYLEN; -+ break; -+ } -+ ret->type = type; -+ ret->references = 1; -+ -+ ret->lock = CRYPTO_THREAD_lock_new(); -+ if (ret->lock == NULL) -+ goto err; -+ return ret; -+err: -+ OPENSSL_free(ret); -+ return NULL; -+} -+ -+static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey) -+{ -+ key->privkey = privkey; -+} -+ -+static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key) -+{ -+ return key->privkey; -+} -+ -+static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key) -+{ -+ return key->pubkey; -+} -+ -+static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len) -+{ -+ memcpy(key->pubkey, pubkey, len); -+ key->haspubkey = 1; -+} -+ -+#else -+/* This is 1.1.x */ -+ -+#include -+ -+/* -+ * copied from evp_int.h: -+ * missing set/get methods for opaque types. 
-+ */ -+ -+typedef struct { -+ unsigned char pub[57]; -+ unsigned char *priv; -+} ECX_KEY; -+ -+typedef enum { -+ ECX_KEY_TYPE_X25519, -+ ECX_KEY_TYPE_X448, -+ ECX_KEY_TYPE_ED25519, -+ ECX_KEY_TYPE_ED448 -+} ECX_KEY_TYPE; -+ -+static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) -+{ -+ return calloc(1, sizeof(ECX_KEY)); -+} -+ -+static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey) -+{ -+ key->priv = privkey; -+} -+ -+static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key) -+{ -+ return key->priv; -+} -+ -+static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key) -+{ -+ return key->pub; -+} -+ -+static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len) -+{ -+ memcpy(key->pub, pubkey, len); -+} -+ -+#endif -+ -+#endif diff --git a/SOURCES/openssl-ibmca-2.2.2-openssl3.patch b/SOURCES/openssl-ibmca-2.2.2-openssl3.patch deleted file mode 100644 index 833311a..0000000 --- a/SOURCES/openssl-ibmca-2.2.2-openssl3.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From e59cce5af547cc4cbda2a1bce1eb2b89e959ae99 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Mon, 21 Mar 2022 15:27:40 +0100 -Subject: [PATCH] Fix compilation for OpenSSL 3.0 - -ECX_KEY structure as used by engine is not public API in OpenSSL 3.0 and -should not be included via a private header. This forced the engine to only -compile if the OpenSSL 3.0 source tree is present. While this might be the -cleaner solution, we now copy out the defines to be used. This makes the -engine compile even without OpenSSL 3.0 source tree. - -Signed-off-by: Juergen Christ ---- - src/engine/openssl-compat.h | 36 ++++++++++++++++++++++++++++-------- - 1 file changed, 28 insertions(+), 8 deletions(-) - -diff --git a/src/openssl-compat.h b/src/openssl-compat.h -index 0013365b..aae40dab 100644 ---- a/src/openssl-compat.h -+++ b/src/openssl-compat.h -@@ -19,9 +19,36 @@ - - #include - -+typedef enum { -+ ECX_KEY_TYPE_X25519, -+ ECX_KEY_TYPE_X448, -+ ECX_KEY_TYPE_ED25519, -+ ECX_KEY_TYPE_ED448 -+} ECX_KEY_TYPE; -+ - #ifdef OPENSSL_VERSION_PREREQ - /* This is 3.x */ --#include -+ -+# define X25519_KEYLEN 32 -+# define X448_KEYLEN 56 -+# define ED25519_KEYLEN 32 -+# define ED448_KEYLEN 57 -+ -+# define MAX_KEYLEN ED448_KEYLEN -+ -+typedef int CRYPTO_REF_COUNT; -+ -+typedef struct ecx_key_st { -+ OSSL_LIB_CTX *libctx; -+ char *propq; -+ unsigned int haspubkey:1; -+ unsigned char pubkey[MAX_KEYLEN]; -+ unsigned char *privkey; -+ size_t keylen; -+ ECX_KEY_TYPE type; -+ CRYPTO_REF_COUNT references; -+ CRYPTO_RWLOCK *lock; -+} ECX_KEY; - - static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) - { -@@ -94,13 +121,6 @@ typedef struct { - unsigned char *priv; - } ECX_KEY; - --typedef enum { -- ECX_KEY_TYPE_X25519, -- ECX_KEY_TYPE_X448, -- ECX_KEY_TYPE_ED25519, -- ECX_KEY_TYPE_ED448 --} ECX_KEY_TYPE; -- - static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) - { - return calloc(1, sizeof(ECX_KEY)); 
diff --git a/SOURCES/openssl-ibmca-2.3.0-fixes.patch b/SOURCES/openssl-ibmca-2.3.0-fixes.patch
new file mode 100644
index 0000000..65be671
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.3.0-fixes.patch
@@ -0,0 +1,689 @@ +From 1a75586c2821a55deeaa76861b1fc0539e6a3ca1 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 1 Apr 2022 10:47:45 +0200 +Subject: [PATCH 1/5] SPEC: Fix version number in provider-spec file + +Signed-off-by: Ingo Franzki +--- + openssl-ibmca-provider.spec | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/openssl-ibmca-provider.spec b/openssl-ibmca-provider.spec +index a3ef1a6..6c95b54 100644 +--- a/openssl-ibmca-provider.spec ++++ b/openssl-ibmca-provider.spec +@@ -5,7 +5,7 @@ + # %global modulesdir %(pkg-config --variable=modulesdir libcrypto) + + Name: openssl-ibmca +-Version: 2.2.3 ++Version: 2.3.0 + Release: 1%{?dist} + Summary: An IBMCA OpenSSL dynamic provider + +@@ -45,6 +45,10 @@ mv -f src/provider/openssl.cnf.sample src/provider/openssl.cnf.sample.%{_arch} + %dir %attr(777,root,root) %{_localstatedir}/log/ibmca + + %changelog ++* Fri Mar 25 2022 Juergen Christ 2.3.0 ++- First version including the provider ++- Fix for engine build without OpenSSL 3.0 sources ++ + * Wed March 3 2022 Ingo Franzki + - Add provider support + +-- +2.36.1 + + +From 76341149f2102bb628da61c2653e5911ddb81084 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Thu, 7 Apr 2022 12:32:36 +0200 +Subject: [PATCH 2/5] Adjust to new libica. + +libica recently added function ica_cleanup to be called to free internal +OpenSSL 3.0 resources. This collided with our internal ica_cleanup function. +Rename that and call ica_cleanup if present. 
+ +Signed-off-by: Juergen Christ +--- + configure.ac | 2 ++ + src/engine/e_ibmca.c | 13 ++++++++++--- + src/engine/ibmca.h | 3 +++ + src/provider/p_ibmca.c | 3 +++ + 4 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 46ad10e..6434056 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -130,6 +130,8 @@ if test "x$enable_provider" = xyes; then + [#include ]) + fi + ++AC_CHECK_DECLS([ica_cleanup],,,[#include ]) ++ + AC_CONFIG_FILES([ + Makefile + src/Makefile +diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c +index ef17349..7335246 100644 +--- a/src/engine/e_ibmca.c ++++ b/src/engine/e_ibmca.c +@@ -102,6 +102,7 @@ ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize; + ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; + ica_aes_gcm_last_t p_ica_aes_gcm_last; + #endif ++ica_cleanup_t p_ica_cleanup; + + /* save libcrypto's default ec methods */ + #ifndef NO_EC +@@ -652,8 +653,10 @@ static void ibmca_destructor(void) + free((void *)LIBICA_NAME); + } + +-static void ica_cleanup(void) ++static void do_ica_cleanup(void) + { ++ if (p_ica_cleanup) ++ p_ica_cleanup(); + if (ibmca_dso && dlclose(ibmca_dso)) { + IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE); + return; +@@ -725,6 +728,7 @@ static void ica_cleanup(void) + p_ica_x448_ctx_del = NULL; + p_ica_ed25519_ctx_del = NULL; + p_ica_ed448_ctx_del = NULL; ++ p_ica_cleanup = NULL; + } + + static int ibmca_init(ENGINE *e) +@@ -806,6 +810,9 @@ static int ibmca_init(ENGINE *e) + BIND(ibmca_dso, ica_ed25519_ctx_del); + BIND(ibmca_dso, ica_ed448_ctx_del); + ++ /* ica_cleanup is not always present and only needed for newer libraries */ ++ p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup"); ++ + /* disable fallbacks on Libica */ + if (BIND(ibmca_dso, ica_set_fallback_mode)) + p_ica_set_fallback_mode(0); +@@ -821,7 +828,7 @@ static int ibmca_init(ENGINE *e) + return 1; + + err: +- ica_cleanup(); ++ do_ica_cleanup(); + return 0; + } + +@@ -884,7 +891,7 @@ 
static int ibmca_finish(ENGINE *e) + if (p_ica_close_adapter) + p_ica_close_adapter(ibmca_handle); + +- ica_cleanup(); ++ do_ica_cleanup(); + memset(&ibmca_registration, 0, sizeof(ibmca_registration)); + return 1; + } +diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h +index 382a45d..53f4ca1 100644 +--- a/src/engine/ibmca.h ++++ b/src/engine/ibmca.h +@@ -616,6 +616,8 @@ int (*ica_ed25519_ctx_del_t)(ICA_ED25519_CTX **ctx); + typedef + int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx); + ++typedef void (*ica_cleanup_t)(void); ++ + /* entry points into libica, filled out at DSO load time */ + extern ica_get_functionlist_t p_ica_get_functionlist; + extern ica_set_fallback_mode_t p_ica_set_fallback_mode; +@@ -681,3 +683,4 @@ extern ica_x25519_ctx_del_t p_ica_x25519_ctx_del; + extern ica_x448_ctx_del_t p_ica_x448_ctx_del; + extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del; + extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del; ++extern ica_cleanup_t p_ica_cleanup; +diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c +index d8045ba..80f0368 100644 +--- a/src/provider/p_ibmca.c ++++ b/src/provider/p_ibmca.c +@@ -633,6 +633,9 @@ static void ibmca_teardown(void *vprovctx) + pthread_mutex_destroy(&provctx->debug_mutex); + + P_FREE(provctx, provctx); ++#if HAVE_DECL_ICA_CLEANUP == 1 ++ ica_cleanup(); ++#endif + } + + static const OSSL_PARAM ibmca_param_types[] = { +-- +2.36.1 + + +From 688273ec77530a44d43ad5133155e646a945bc88 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Thu, 7 Apr 2022 12:33:44 +0200 +Subject: [PATCH 3/5] Support tests in remote builds. + +If the build is not wihin the source tree, tests failed since they could not +find the key files. Add support for this. 
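Review bot: In the src/provider/p_ibmca.c hunk, `ica_cleanup();` runs at the end of `ibmca_teardown()` for every provider context that is torn down, while the commit message describes ica_cleanup as freeing libica's internal OpenSSL 3.0 resources. If the provider can be instantiated in more than one library context of a process (not visible in this hunk), tearing down the first context would release state that the remaining ones may still depend on. Either count live provider contexts and call it only when the last one goes away, or document the assumption with a comment such as `/* libica keeps process-wide OpenSSL state; safe only because no other provider context is live */`. The body of ibmca_teardown starts outside the hunk.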
+ +Signed-off-by: Juergen Christ +--- + test/engine/test.pm | 26 ++++++++++++++------------ + test/provider/tls.pl | 13 +++++++------ + 2 files changed, 21 insertions(+), 18 deletions(-) + +diff --git a/test/engine/test.pm b/test/engine/test.pm +index 8e4b8ab..3a313e1 100644 +--- a/test/engine/test.pm ++++ b/test/engine/test.pm +@@ -3,6 +3,8 @@ + use strict; + use warnings; + ++use FindBin; ++ + package test; + + sub osslversion1 { +@@ -69,16 +71,16 @@ sub rsaencdec { + my $bytes = 1 + int(rand($max_file_size)); + # engine enc, no-engine dec + `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; +- `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; +- `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; ++ `$eng openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; ++ `openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; + `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; + exit(99) if ($?); + `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; + + # no-engine enc, engine dec + `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; +- `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; +- `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; ++ `openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; ++ `$eng openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out 
rsaencdec.${i}.${keylen}.data.dec`; + `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; + exit(99) if ($?); + `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; +@@ -100,16 +102,16 @@ sub rsasignverify { + $key .= $hex[rand(@hex)] for (1..$keylen); + # engine sign, no-engine verify + `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; +- `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; +- `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; ++ `$eng openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; ++ `openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; + `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; + exit(99) if ($?); + `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; + + # no-engine sign, engine verify + `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; +- `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; +- `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; ++ `openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; ++ `$eng openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; + `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; + exit(99) if 
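Review bot: The new `$FindBin::Bin` prefix is interpolated unquoted into the backtick command lines in rsaencdec, and likewise in the rsasignverify and dsasignverify hunks, so a source directory whose path contains spaces or shell metacharacters is split or interpreted by the shell instead of being passed as one file name. Quote the argument where it is built, e.g. `-inkey '$FindBin::Bin/rsa$keylen.key'` (Perl still interpolates inside the single quotes of a backtick string). The sub bodies start outside these hunks.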
($?); + `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; +@@ -131,15 +133,15 @@ sub dsasignverify { + my $bytes = 1 + int(rand($max_file_size)); + # engine sign, no-engine verify + `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; +- `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; +- `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; ++ `$eng openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; ++ `openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; + exit(99) if ($?); + `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; + + # no-engine sign, engine verify + `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; +- `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; +- `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; ++ `openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; ++ `$eng openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; + exit(99) if ($?); + `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; + } +diff --git a/test/provider/tls.pl b/test/provider/tls.pl +index c8871d4..0d9df6d 100755 +--- a/test/provider/tls.pl ++++ b/test/provider/tls.pl +@@ -19,17 +19,18 @@ + use strict; + use warnings; + use test; ++use FindBin; + + # TLS 1.3 with RSA signatures +-test::tls(10001, "server-key-rsa.pem", "server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); ++test::tls(10001, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", 
"-tls1_3"); + # TLS 1.3 with EC signatures +-test::tls(10002, "server-key-ec.pem", "server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); ++test::tls(10002, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); + # TLS 1.2 with RSA signatures and ECDH key exchange +-test::tls(10003, "server-key-rsa.pem", "server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); ++test::tls(10003, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); + # TLS 1.2 with ECDSA signatures and ECDH key exchange +-test::tls(10004, "server-key-ec.pem", "server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); ++test::tls(10004, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); + # TLS 1.2 with RSA signatures and DH key exchange +-test::tls(10005, "server-key-rsa.pem", "server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); ++test::tls(10005, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); + # TLS 1.2 with RSA signatures and RSA key exchange +-test::tls(10006, "server-key-rsa.pem", "server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); ++test::tls(10006, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); + +-- +2.36.1 + + +From c0d384b72f280a4bd1c71407df0583da1847f5cb Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 12 May 2022 11:20:18 +0200 +Subject: [PATCH 4/5] provider: Adapt keymgmt_match() implementations to + OpenSSL + +OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the +OpenSSL provider's keymgmt_match() function to be not so strict with +the selector bits in regards to matching different key parts. 
+ +Adapt the provider's match functions accordingly. +This means, that if the public key is selected to be matched, and the +public key matches (together with any also selected parameters), +then the private key is no longer checked, although it may also be +selected to be matched. This is according to how the OpenSSL function +EVP_PKEY_eq() is supposed to behave. + +Signed-off-by: Ingo Franzki +--- + src/provider/dh_keymgmt.c | 2 +- + src/provider/ec_keymgmt.c | 5 +++-- + src/provider/rsa_keymgmt.c | 8 +++++--- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c +index 48ba739..3180158 100644 +--- a/src/provider/dh_keymgmt.c ++++ b/src/provider/dh_keymgmt.c +@@ -1000,7 +1000,7 @@ static int ibmca_keymgmt_dh_match(const void *vkey1, const void *vkey2, + } + } + +- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { ++ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + if (key1->dh.priv != NULL || key2->dh.priv != NULL) { + ok = ok && (BN_cmp(key1->dh.priv, key2->dh.priv) == 0); + checked = 1; +diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c +index d898c6a..d39b1e2 100644 +--- a/src/provider/ec_keymgmt.c ++++ b/src/provider/ec_keymgmt.c +@@ -751,7 +751,7 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2, + const struct ibmca_key *key2 = vkey2; + BIGNUM *x1 = NULL, *y1 = NULL, *d1 = NULL; + BIGNUM *x2 = NULL, *y2 = NULL, *d2 = NULL; +- int ok = 1, rc1, rc2; ++ int ok = 1, rc1, rc2, checked = 0; + + if (key1 == NULL || key2 == NULL) + return 0; +@@ -781,9 +781,10 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2, + + ok = ok && (rc1 == rc2 && (rc1 == -1 || + (BN_cmp(x1, x2) == 0 && BN_cmp(y1, y2) == 0))); ++ checked = 1; + } + +- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { ++ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + rc1 = ibmca_keymgmt_ec_priv_key_as_bn(key1, 
&d1); + if (rc1 == 0) { + ok = 0; +diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c +index 61f7744..9278327 100644 +--- a/src/provider/rsa_keymgmt.c ++++ b/src/provider/rsa_keymgmt.c +@@ -641,7 +641,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, + { + const struct ibmca_key *key1 = vkey1; + const struct ibmca_key *key2 = vkey2; +- int ok = 1; ++ int ok = 1, checked = 0; + + if (key1 == NULL || key2 == NULL) + return 0; +@@ -652,7 +652,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, + if (ibmca_keymgmt_match(key1, key2) == 0) + return 0; + +- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) ++ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + ok = ok && (key1->rsa.public.key_length == + key2->rsa.public.key_length && + memcmp(key1->rsa.public.exponent, +@@ -661,8 +661,10 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, + memcmp(key1->rsa.public.modulus, + key2->rsa.public.modulus, + key1->rsa.public.key_length) == 0); ++ checked = 1; ++ } + +- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ++ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + ok = ok && (key1->rsa.private.key_length == + key2->rsa.private.key_length && + CRYPTO_memcmp(key1->rsa.private.p, +-- +2.36.1 + + +From 49be3a5c9c1258e0dc15bbc50d5aa04a0ba4ba66 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 18 May 2022 15:41:12 +0200 +Subject: [PATCH 5/5] tests: skip tests if libica does not support required + algorithms + +Before actually running the tests, check if libica supports the +required algorithms. Skip the whole test if not. + +This can happen when running the test on a system without appropriate +crypto adapters. This would lead to the situation that the provider would +not register itself for the required algorithms, and thus the OpenSSL +default provider would be used. 
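Review bot: In the second src/provider/ec_keymgmt.c hunk, `checked = 1;` is set unconditionally after the public-key comparison, including the case `rc1 == rc2 && rc1 == -1`, where the visible expression compares no coordinates at all. If -1 means that neither key carries a public part (inferred from the expression; the helper is outside the hunk), a selection of both public and private key then skips the private comparison as well, and two keys are reported as matching without any key material having been compared. Setting the flag only when a comparison took place, e.g. `if (rc1 != -1 && rc2 != -1) checked = 1;`, keeps the private-key comparison as the fallback. The src/provider/rsa_keymgmt.c hunk sets `checked = 1;` in the same unconditional way and deserves the same look; both function bodies continue outside their hunks.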
This would make the tests to fail, because +it is not running with the IBMCA provider as expected by the test. + +Signed-off-by: Ingo Franzki +--- + test/provider/Makefile.am | 18 ++++++++++--- + test/provider/dhkey.c | 56 ++++++++++++++++++++++++++++++++++++++ + test/provider/eckey.c | 57 +++++++++++++++++++++++++++++++++++++++ + test/provider/rsakey.c | 56 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 184 insertions(+), 3 deletions(-) + +diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am +index f5cb97d..b007682 100644 +--- a/test/provider/Makefile.am ++++ b/test/provider/Makefile.am +@@ -20,13 +20,25 @@ TESTS = \ + check_PROGRAMS = rsakey eckey dhkey threadtest + + dhkey_SOURCES = dhkey.c +-dhkey_LDADD = -lcrypto ++if PROVIDER_FULL_LIBICA ++dhkey_LDADD = -lcrypto -lica ++else ++dhkey_LDADD = -lcrypto -lica-cex ++endif + + eckey_SOURCES = eckey.c +-eckey_LDADD = -lcrypto ++if PROVIDER_FULL_LIBICA ++eckey_LDADD = -lcrypto -lica ++else ++eckey_LDADD = -lcrypto -lica-cex ++endif + + rsakey_SOURCES = rsakey.c +-rsakey_LDADD = -lcrypto ++if PROVIDER_FULL_LIBICA ++rsakey_LDADD = -lcrypto -lica ++else ++rsakey_LDADD = -lcrypto -lica-cex ++endif + + threadtest_SOURCES = threadtest.c + threadtest_LDADD = -lcrypto -lpthread +diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c +index a9cea13..8829ecc 100644 +--- a/test/provider/dhkey.c ++++ b/test/provider/dhkey.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include ++ + #define UNUSED(var) ((void)(var)) + + void setup(void) +@@ -349,6 +351,56 @@ int check_dhkey(int nid, const char *name, const char *algo) + return ret; + } + ++static const unsigned int required_ica_mechs[] = { RSA_ME }; ++static const unsigned int required_ica_mechs_len = ++ sizeof(required_ica_mechs) / sizeof(unsigned int); ++ ++int check_libica() ++{ ++ unsigned int mech_len, i, k, found = 0; ++ libica_func_list_element *mech_list = NULL; ++ int rc; ++ ++ rc = ica_get_functionlist(NULL, &mech_len); ++ if (rc != 0) { ++ 
fprintf(stderr, "Failed to get function list from libica!\n"); ++ return 77; ++ } ++ ++ mech_list = calloc(sizeof(libica_func_list_element), mech_len); ++ if (mech_list == NULL) { ++ fprintf(stderr, "Failed to allocate memory for function list!\n"); ++ return 77; ++ } ++ ++ rc = ica_get_functionlist(mech_list, &mech_len); ++ if (rc != 0) { ++ fprintf(stderr, "Failed to get function list from libica!\n"); ++ free(mech_list); ++ return 77; ++ } ++ ++ for (i = 0; i < mech_len; i++) { ++ for (k = 0; k < required_ica_mechs_len; k++) { ++ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { ++ if (mech_list[i].flags & ++ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) ++ found++; ++ } ++ } ++ } ++ ++ free(mech_list); ++ ++ if (found < required_ica_mechs_len) { ++ fprintf(stderr, ++ "Libica does not support the required algorithms, skipping.\n"); ++ return 77; ++ } ++ ++ return 0; ++} ++ + int main(int argc, char **argv) + { + static const struct testparams { +@@ -389,6 +441,10 @@ int main(int argc, char **argv) + return 77; + } + ++ ret = check_libica(); ++ if (ret != 0) ++ return ret; ++ + setup(); + for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { + if (!check_dhkey(params[i].nid, params[i].name, "DH")) { +diff --git a/test/provider/eckey.c b/test/provider/eckey.c +index 279b942..b2334d7 100644 +--- a/test/provider/eckey.c ++++ b/test/provider/eckey.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include ++ + #define UNUSED(var) ((void)(var)) + + void setup(void) +@@ -781,6 +783,57 @@ int check_eckey(int nid, const char *name) + return ret; + } + ++static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN, ++ EC_DSA_VERIFY, EC_KGEN, }; ++static const unsigned int required_ica_mechs_len = ++ sizeof(required_ica_mechs) / sizeof(unsigned int); ++ ++int check_libica() ++{ ++ unsigned int mech_len, i, k, found = 0; ++ libica_func_list_element *mech_list = NULL; ++ int rc; ++ ++ rc = ica_get_functionlist(NULL, &mech_len); ++ if (rc != 
0) { ++ fprintf(stderr, "Failed to get function list from libica!\n"); ++ return 77; ++ } ++ ++ mech_list = calloc(sizeof(libica_func_list_element), mech_len); ++ if (mech_list == NULL) { ++ fprintf(stderr, "Failed to allocate memory for function list!\n"); ++ return 77; ++ } ++ ++ rc = ica_get_functionlist(mech_list, &mech_len); ++ if (rc != 0) { ++ fprintf(stderr, "Failed to get function list from libica!\n"); ++ free(mech_list); ++ return 77; ++ } ++ ++ for (i = 0; i < mech_len; i++) { ++ for (k = 0; k < required_ica_mechs_len; k++) { ++ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { ++ if (mech_list[i].flags & ++ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) ++ found++; ++ } ++ } ++ } ++ ++ free(mech_list); ++ ++ if (found < required_ica_mechs_len) { ++ fprintf(stderr, ++ "Libica does not support the required algorithms, skipping.\n"); ++ return 77; ++ } ++ ++ return 0; ++} ++ + int main(int argc, char **argv) + { + static const struct testparams { +@@ -822,6 +875,10 @@ int main(int argc, char **argv) + return 77; + } + ++ ret = check_libica(); ++ if (ret != 0) ++ return ret; ++ + setup(); + for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { + if (!check_eckey(params[i].nid, params[i].name)) { +diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c +index 0adface..366b503 100644 +--- a/test/provider/rsakey.c ++++ b/test/provider/rsakey.c +@@ -26,6 +26,8 @@ + #include + #include + ++#include ++ + #define UNUSED(var) ((void)(var)) + + void setup(void) +@@ -729,6 +731,56 @@ int check_rsakey(int bits, const char *algo, const char *name) + return ret; + } + ++static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT }; ++static const unsigned int required_ica_mechs_len = ++ sizeof(required_ica_mechs) / sizeof(unsigned int); ++ ++int check_libica() ++{ ++ unsigned int mech_len, i, k, found = 0; ++ libica_func_list_element *mech_list = NULL; ++ int rc; ++ ++ rc = ica_get_functionlist(NULL, &mech_len); ++ if (rc != 0) { 
++ fprintf(stderr, "Failed to get function list from libica!\n"); ++ return 77; ++ } ++ ++ mech_list = calloc(sizeof(libica_func_list_element), mech_len); ++ if (mech_list == NULL) { ++ fprintf(stderr, "Failed to allocate memory for function list!\n"); ++ return 77; ++ } ++ ++ rc = ica_get_functionlist(mech_list, &mech_len); ++ if (rc != 0) { ++ fprintf(stderr, "Failed to get function list from libica!\n"); ++ free(mech_list); ++ return 77; ++ } ++ ++ for (i = 0; i < mech_len; i++) { ++ for (k = 0; k < required_ica_mechs_len; k++) { ++ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { ++ if (mech_list[i].flags & ++ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) ++ found++; ++ } ++ } ++ } ++ ++ free(mech_list); ++ ++ if (found < required_ica_mechs_len) { ++ fprintf(stderr, ++ "Libica does not support the required algorithms, skipping.\n"); ++ return 77; ++ } ++ ++ return 0; ++} ++ + int main(int argc, char **argv) + { + static const struct testparams { +@@ -767,6 +819,10 @@ int main(int argc, char **argv) + return 77; + } + ++ ret = check_libica(); ++ if (ret != 0) ++ return ret; ++ + setup(); + for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { + if (!check_rsakey(params[i].bits, params[i].algo, params[i].name)) { +-- +2.36.1 + diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec index bdf39eb..f401ce3 100644 --- a/SPECS/openssl-ibmca.spec +++ b/SPECS/openssl-ibmca.spec 
@@ -1,23 +1,31 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) +%global modulesdir %(openssl version -m | grep -o '".*"' | tr -d '"') +# Above can be replaced by the following once OpenSSL commit +# https://github.com/openssl/openssl/commit/7fde39de848f062d6db45bf9e69439db2100b9bb +# has been included into the distribution: +# %%global modulesdir %%(pkg-config --variable=modulesdir libcrypto) + +%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 +%global with_openssl3 1 +%endif + Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca -Version: 2.2.2 -Release: 1%{?dist}.1 +Version: 2.3.0 +Release: 1%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -# https://bugzilla.redhat.com/show_bug.cgi?id=2069683 -# https://github.com/opencryptoki/openssl-ibmca/commit/e91e17901e0398b9a55850123ffe2cc4a0d04f34 -Patch0: %{name}-2.2.2-fix-ecx-keys.patch -# https://github.com/opencryptoki/openssl-ibmca/commit/e59cce5af547cc4cbda2a1bce1eb2b89e959ae99 -Patch1: %{name}-2.2.2-openssl3.patch +# post GA fixes +Patch0: %{name}-%{version}-fixes.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc BuildRequires: libica-devel >= 4.0.0 BuildRequires: automake libtool BuildRequires: openssl +BuildRequires: perl(FindBin) ExclusiveArch: s390 s390x @@ -40,8 +48,14 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines. %make_install rm -f %{buildroot}%{enginesdir}/*.la -pushd src -sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +%if 0%{?with_openssl3} +# provider is built when openssl3 is available, fix its location +mkdir -p %{buildroot}%{modulesdir} +mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so +%endif + +pushd src/engine +sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample popd # remove generated sample configs 
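Review bot: The new `Patch0` comment `# post GA fixes` drops the provenance that the removed patch entries carried (an upstream commit URL for each, plus a Bugzilla link for the first), so `%{name}-%{version}-fixes.patch` can no longer be traced to upstream from the spec alone. The patch file bundles a series of upstream commits, so I would list them next to `Patch0`, for example `# post GA fixes, upstream commits PLACEHOLDER_COMMIT_ID_1 ... PLACEHOLDER_COMMIT_ID_N from https://github.com/opencryptoki/openssl-ibmca`, with the real ids taken from the `From <hash>` headers inside the patch. That keeps the bundled changes auditable when the package is rebased.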
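Review bot: `%{modulesdir}` is used in the added `mkdir -p` and `mv` lines without a check that it expanded to a non-empty path. The macro is the stdout of `openssl version -m | grep -o '".*"' | tr -d '"'`, which is empty if `openssl` is unavailable when the spec is parsed or if its output format changes. In that case the provider would be moved to `%{buildroot}/ibmca-provider.so`, and the package would presumably still build with the module in a directory OpenSSL does not search. I would fail early at the top of the `%if 0%{?with_openssl3}` block with `test -n "%{modulesdir}" || exit 1`. The comment says the provider is built when openssl3 is available while the block is keyed on the distribution version, so it is worth confirming that the two conditions always agree.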
@@ -54,15 +68,22 @@ make check %files %license LICENSE -%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/ibmca-engine-opensslconfig +%doc ChangeLog README.md src/engine/openssl.cnf.sample +%doc src/engine/ibmca-engine-opensslconfig +%doc src/provider/ibmca-provider-opensslconfig %{enginesdir}/ibmca.so %{_mandir}/man5/ibmca.5* +%if 0%{?with_openssl3} +%{modulesdir}/ibmca-provider.so +%{_mandir}/man5/ibmca-provider.5* +%endif %changelog -* Wed Mar 30 2022 Dan Horák - 2.2.2-1.1 -- fix crash with ECX keys (#2069683) -- Resolves: #2069683 +* Thu May 19 2022 Dan Horák - 2.3.0-1 +- updated to 2.3.0 (#2044177) +- add provider for openssl 3.x (#2044185) +- Resolves: #2044177 #2044185 * Wed Feb 02 2022 Dan Horák - 2.2.2-1 - updated to 2.2.2 (#2016989)
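Review bot: `%doc src/provider/ibmca-provider-opensslconfig` is listed unconditionally, while the provider module and its man page are inside `%if 0%{?with_openssl3}`. On a build where `with_openssl3` is not set, the package would ship the provider configuration helper without the provider it configures. I would move that `%doc` line into the conditional block next to `%{modulesdir}/ibmca-provider.so`.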