rpms/openssl-ibmca
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS openssl-ibmca-2.4.0-4.el9

Browse Source
This commit is contained in:
eabdullin 2023-10-09 11:17:26 +00:00
parent 8617aa0a2d
commit d1fd2c848b
7 changed files with 1410 additions and 835 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openssl-ibmca-2.3.1.tar.gz
SOURCES/openssl-ibmca-2.4.0.tar.gz

2
.openssl-ibmca.metadata
View File

@ -1 +1 @@
5e5ac182d30787788c94b5dcdf9a3a21d209bbaf SOURCES/openssl-ibmca-2.3.1.tar.gz
d1361eec709c4b6d1760171ac077fa0d21f5a698 SOURCES/openssl-ibmca-2.4.0.tar.gz

827
SOURCES/openssl-ibmca-2.3.1-fixes.patch
View File

@ -1,827 +0,0 @@
From ec926d577754babce01db22274a582988c5c4e44 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 12 Oct 2022 09:40:27 +0200
Subject: [PATCH 1/4] provider: Support EC parameter generation with named
curve
In general the IBMCA provider does not support EC parameter generation,
because libica only supports certain named curves. However, one can
also use EC parameter generation with a named curve, and then use such
parameter key object as template for generating other keys. One example
for this is the openssl speed utility.
Like for EC key generation, EC parameter generation only supports
parameters 'group', 'point-format', 'encoding', and 'use-cofactor-flag',
where the only accepted value for parameter 'encoding' is 'named_curve',
and the only accepted value for parameter 'use-cofactor-flag' is '0'.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/provider/ec_keymgmt.c | 10 ++++++++--
src/provider/p_ibmca.h | 1 +
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c
index d39b1e2..97516f1 100644
--- a/src/provider/ec_keymgmt.c
+++ b/src/provider/ec_keymgmt.c
@@ -928,9 +928,10 @@ static void *ibmca_keymgmt_ec_gen_init(void *vprovctx, int selection,
for (p = params; p != NULL && p->key != NULL; p++)
ibmca_debug_ctx(provctx, "param: %s", p->key);
- if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) {
+ if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR |
+ OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)) == 0) {
put_error_ctx(provctx, IBMCA_ERR_INVALID_PARAM,
- "selection is not KEYPAIR");
+ "selection is not KEYPAIR and/or parameters");
return NULL;
}
@@ -943,6 +944,7 @@ static void *ibmca_keymgmt_ec_gen_init(void *vprovctx, int selection,
}
/* set defaults */
+ ctx->ec.gen.selection = selection;
ctx->ec.gen.curve_nid = NID_undef;
ctx->ec.gen.format = POINT_CONVERSION_UNCOMPRESSED;
@@ -1223,6 +1225,9 @@ static void *ibmca_keymgmt_ec_gen(void *vgenctx, OSSL_CALLBACK *osslcb,
ibmca_debug_op_ctx(genctx, "prime_size: %lu", key->ec.prime_size);
+ if ((genctx->ec.gen.selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
+ goto out;
+
key->ec.key = ica_ec_key_new(key->ec.curve_nid, &privlen);
if (key->ec.key == NULL || key->ec.prime_size != privlen) {
ibmca_debug_op_ctx(genctx, "ica_ec_key_new failed");
@@ -1267,6 +1272,7 @@ static void *ibmca_keymgmt_ec_gen(void *vgenctx, OSSL_CALLBACK *osslcb,
return NULL;
}
+out:
ibmca_debug_op_ctx(genctx, "key: %p", key);
return key;
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
index fa0e1ee..2b4ff8e 100644
--- a/src/provider/p_ibmca.h
+++ b/src/provider/p_ibmca.h
@@ -216,6 +216,7 @@ struct ibmca_op_ctx {
} rsa; /* For type EVP_PKEY_RSA and EVP_PKEY_RSA_PSS */
union {
struct {
+ int selection;
int curve_nid;
point_conversion_form_t format;
} gen; /* For operation EVP_PKEY_OP_KEYGEN */
--
2.39.0
From a462093d2478b287cb9a7a25131788eba16b7640 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 14 Oct 2022 11:31:16 +0200
Subject: [PATCH 2/4] engine: EC: Cache ICA key in EC_KEY object
Creating a new ICA EC key via ica_ec_key_init() is time consuming, because
libica performs EC key checks on the key components.
Currently every sign, verify or derive operation creates a new ICA key, and
thus suffers from the long taking EC key checks with every operation.
Change this to create an ICA key on the first usage of an EC key, and attach
the ICA key to the EC_KEY object as ex-data. That way, subsequent operations
using the same key will reuse the attached ICA key and do not have to create
a new ICA key again.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/e_ibmca.c | 5 +
src/engine/ibmca.h | 1 +
src/engine/ibmca_ec.c | 411 ++++++++++++++++++++++++++++++------------
3 files changed, 306 insertions(+), 111 deletions(-)
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
index d045828..fe21897 100644
--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
@@ -833,6 +833,11 @@ static int ibmca_init(ENGINE *e)
goto err;
}
+#ifndef NO_EC
+ if (!ibmca_ec_init())
+ goto err;
+#endif
+
if (!set_supported_meths(e))
goto err;
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
index 37bdfd8..7281a5b 100644
--- a/src/engine/ibmca.h
+++ b/src/engine/ibmca.h
@@ -298,6 +298,7 @@ void ibmca_dh_destroy(void);
#define IBMCA_EC_MAX_Z_LEN IBMCA_EC_MAX_D_LEN
#ifndef OPENSSL_NO_EC
+int ibmca_ec_init(void);
void ibmca_ec_destroy(void);
int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
index 8bc6cbf..5206ae3 100644
--- a/src/engine/ibmca_ec.c
+++ b/src/engine/ibmca_ec.c
@@ -16,6 +16,7 @@
*/
#include <stdlib.h>
+#include <pthread.h>
#include "ibmca.h"
#include "e_ibmca_err.h"
@@ -31,6 +32,251 @@ ica_ec_key_get_public_key_t p_ica_ec_key_get_public_key;
ica_ec_key_get_private_key_t p_ica_ec_key_get_private_key;
ica_ec_key_free_t p_ica_ec_key_free;
+int ec_ex_data_index = -1;
+pthread_mutex_t ec_ex_data_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+struct ibmca_ec_ex_data {
+ ICA_EC_KEY *ica_key;
+ int nid;
+ unsigned int privlen;
+};
+
+void ibmca_ec_ex_data_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp)
+{
+ struct ibmca_ec_ex_data *data = ptr;
+
+ if (data == NULL)
+ return;
+
+ p_ica_ec_key_free(data->ica_key);
+ OPENSSL_free(data);
+}
+
+int ibmca_ec_ex_data_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+#ifdef OPENSSL_VERSION_PREREQ
+ void **pptr, int idx, long argl, void *argp)
+#else
+ void *from_d, int idx, long argl, void *argp)
+#endif
+{
+#ifndef OPENSSL_VERSION_PREREQ
+ void **pptr = (void **)from_d;
+#endif
+ struct ibmca_ec_ex_data *from_data;
+ struct ibmca_ec_ex_data *to_data;
+ unsigned char Q[2 * IBMCA_EC_MAX_D_LEN];
+ unsigned char D[IBMCA_EC_MAX_D_LEN];
+ unsigned int len;
+ int rc;
+
+ if (pptr == NULL)
+ return 0;
+
+ from_data = (struct ibmca_ec_ex_data *)*pptr;
+ if (from_data == NULL)
+ return 0;
+
+ to_data = OPENSSL_zalloc(sizeof(*to_data));
+ if (to_data == NULL) {
+ return 0;
+ }
+
+ to_data->nid = from_data->nid;
+ to_data->ica_key = p_ica_ec_key_new(to_data->nid, &to_data->privlen);
+ if (to_data->ica_key == NULL) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_ICA_EC_KEY_INIT);
+ goto error;
+ }
+
+ if (p_ica_ec_key_get_private_key(from_data->ica_key, D, &len) == 0) {
+ rc = p_ica_ec_key_init(NULL, NULL, D, to_data->ica_key);
+ if (rc != 0) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
+ goto error;
+ }
+ }
+
+ if (p_ica_ec_key_get_public_key(from_data->ica_key, Q, &len) == 0) {
+ rc = p_ica_ec_key_init(Q, Q + to_data->privlen, NULL, to_data->ica_key);
+ if (rc != 0) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
+ goto error;
+ }
+ }
+
+ *pptr = to_data;
+
+ return 1;
+
+error:
+ if (to_data->ica_key != NULL)
+ p_ica_ec_key_free(to_data->ica_key);
+ OPENSSL_free(to_data);
+
+ return 0;
+}
+
+static ICA_EC_KEY *ibmca_ec_make_ica_key(EC_KEY *ec_key, int *nid,
+ unsigned int *privlen)
+{
+ ICA_EC_KEY *icakey;
+ const EC_GROUP *group;
+ const EC_POINT *q;
+ const BIGNUM *bn_d;
+ BIGNUM *bn_x = NULL, *bn_y = NULL;
+ unsigned char D[IBMCA_EC_MAX_D_LEN];
+ unsigned char X[IBMCA_EC_MAX_D_LEN];
+ unsigned char Y[IBMCA_EC_MAX_D_LEN];
+ int rc, n;
+
+ /* Get group */
+ if ((group = EC_KEY_get0_group(ec_key)) == NULL) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INVALID_PARM);
+ return NULL;
+ }
+
+ /* Get curve nid */
+ *nid = EC_GROUP_get_curve_name(group);
+ if (*nid <= 0) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_UNSUPPORTED_CURVE);
+ return NULL;
+ }
+
+ /* Create ICA_EC_KEY object */
+ icakey = p_ica_ec_key_new(*nid, privlen);
+ if (icakey == NULL) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_ICA_EC_KEY_INIT);
+ return NULL;
+ }
+
+ /* Get private (D) value from EC_KEY (if available) */
+ bn_d = EC_KEY_get0_private_key(ec_key);
+ if (bn_d != NULL) {
+ /* Format (D) as char array, with leading zeros if necessary */
+ n = *privlen - BN_num_bytes(bn_d);
+ memset(D, 0, n);
+ BN_bn2bin(bn_d, &(D[n]));
+
+ /* Initialize private ICA_EC_KEY */
+ rc = p_ica_ec_key_init(NULL, NULL, D, icakey);
+ if (rc != 0) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
+ goto error;
+ }
+ }
+
+ /* Get public (X and Y) values from EC_KEY (if available) */
+ q = EC_KEY_get0_public_key(ec_key);
+ if (q != NULL) {
+ /* Provide public key (X,Y) */
+ bn_x = BN_new();
+ bn_y = BN_new();
+ if (!EC_POINT_get_affine_coordinates_GFp(group, q, bn_x, bn_y, NULL)) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
+ goto error;
+ }
+
+ /* Format (X) as char array with leading nulls if necessary */
+ n = *privlen - BN_num_bytes(bn_x);
+ memset(X, 0, n);
+ BN_bn2bin(bn_x, &X[n]);
+
+ /* Format (Y) as char array with leading nulls if necessary */
+ n = *privlen - BN_num_bytes(bn_y);
+ memset(Y, 0, n);
+ BN_bn2bin(bn_y, &Y[n]);
+
+ /* Initialize public ICA_EC_KEY */
+ rc = p_ica_ec_key_init(X, Y, NULL, icakey);
+ if (rc != 0) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
+ goto error;
+ }
+ }
+
+out:
+ BN_clear_free(bn_x);
+ BN_clear_free(bn_y);
+
+ return icakey;
+
+error:
+ p_ica_ec_key_free(icakey);
+ icakey = NULL;
+ goto out;
+}
+
+static ICA_EC_KEY *ibmca_ec_make_and_cache_ica_key(EC_KEY *ec_key,
+ unsigned int *privlen)
+{
+ struct ibmca_ec_ex_data *data, *data2;
+
+ data = OPENSSL_zalloc(sizeof(*data));
+ if (data == NULL)
+ return NULL;
+
+ data->ica_key = ibmca_ec_make_ica_key(ec_key, &data->nid, &data->privlen);
+ if (data->ica_key == NULL) {
+ OPENSSL_free(data);
+ return NULL;
+ }
+
+ /*
+ * Note that another thread could have allocated and set the ex_data for
+ * that key after the caller of this function has checked if there is
+ * already ex_data available for the key. So once we have the lock, we
+ * check again, and if there now is ex_data available, we return the
+ * ICA key from the ex_data, and free the one just created.
+ */
+ if (pthread_mutex_lock(&ec_ex_data_mutex) != 0) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ data2 = EC_KEY_get_ex_data(ec_key, ec_ex_data_index);
+ if (data2 != NULL) {
+ pthread_mutex_unlock(&ec_ex_data_mutex);
+
+ p_ica_ec_key_free(data->ica_key);
+ OPENSSL_free(data);
+
+ *privlen = data2->privlen;
+
+ return data2->ica_key;
+ }
+
+ if (EC_KEY_set_ex_data(ec_key, ec_ex_data_index, data) != 1) {
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
+ pthread_mutex_unlock(&ec_ex_data_mutex);
+ OPENSSL_free(data);
+ return NULL;
+ }
+
+ pthread_mutex_unlock(&ec_ex_data_mutex);
+
+ *privlen = data->privlen;
+
+ return data->ica_key;
+}
+
+int ibmca_ec_init(void)
+{
+#ifdef OLDER_OPENSSL
+ return 0;
+#else
+ ec_ex_data_index = EC_KEY_get_ex_new_index(0, NULL, NULL,
+ ibmca_ec_ex_data_dup,
+ ibmca_ec_ex_data_free);
+ if (ec_ex_data_index < 0) {
+ IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_EC_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+#endif
+}
+
void ibmca_ec_destroy(void)
{
#ifdef OLDER_OPENSSL
@@ -39,6 +285,10 @@ void ibmca_ec_destroy(void)
if (ibmca_ecdh)
ECDSA_METHOD_free(ibmca_ecdsa);
#else
+ if (ec_ex_data_index >= 0) {
+ CRYPTO_free_ex_index(CRYPTO_EX_INDEX_EC_KEY, ec_ex_data_index);
+ ec_ex_data_index = -1;
+ }
if (ibmca_ec)
EC_KEY_METHOD_free(ibmca_ec);
#endif
@@ -55,17 +305,17 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
{
ICA_EC_KEY *ica_pubkey = NULL, *ica_privkey = NULL;
const EC_GROUP *group;
- BIGNUM *bn_d, *bn_x, *bn_y;
+ BIGNUM *bn_x = NULL, *bn_y = NULL;
unsigned int n, privlen;
unsigned char X[IBMCA_EC_MAX_D_LEN];
unsigned char Y[IBMCA_EC_MAX_D_LEN];
- unsigned char D[IBMCA_EC_MAX_D_LEN];
unsigned char *z_buf = NULL;
int rc, ret = 0, nid;
#ifndef OLDER_OPENSSL
int (*compute_key_sw)(unsigned char **pout, size_t *poutlen,
const EC_POINT *pub_key, const EC_KEY *ecdh) = NULL;
#endif
+ struct ibmca_ec_ex_data *data = EC_KEY_get_ex_data(ecdh, ec_ex_data_index);
/* Get group from EC_KEY */
if ((group = EC_KEY_get0_group(ecdh)) == NULL) {
@@ -76,10 +326,40 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
/* Determine curve nid */
nid = EC_GROUP_get_curve_name(group);
if (nid <= 0) {
- IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR);
+ IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_UNSUPPORTED_CURVE);
+ return 0;
+ }
+
+ if (data != NULL) {
+ ica_privkey = data->ica_key;
+ privlen = data->privlen;
+ goto do_derive;
+ }
+
+ /* Create ICA_EC_KEY object for private key */
+ ica_privkey = ibmca_ec_make_and_cache_ica_key((EC_KEY*)ecdh, &privlen);
+ if (ica_privkey == NULL) {
+ /* This curve is not supported by libica. */
+ #ifdef OLDER_OPENSSL
return 0;
+ #else
+ /*
+ * EC_KEY_METHOD_get_compute_key misses the const-qualifier of the
+ * parameter in some openssl versions.
+ */
+ EC_KEY_METHOD_get_compute_key((EC_KEY_METHOD *)ossl_ec,
+ &compute_key_sw);
+ if (compute_key_sw == NULL) {
+ IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY,
+ IBMCA_R_EC_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return compute_key_sw(pout, poutlen, pub_key, ecdh);
+ #endif
}
+do_derive:
/* Create ICA_EC_KEY object for public key */
ica_pubkey = p_ica_ec_key_new(nid, &privlen);
if (ica_pubkey == NULL) {
@@ -128,32 +408,6 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
goto end;
}
- /* Create ICA_EC_KEY object for private key */
- ica_privkey = p_ica_ec_key_new(nid, &privlen);
- if (!ica_privkey) {
- IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
- goto end;
- }
-
- /* Get private (D) value from EC_KEY */
- bn_d = (BIGNUM*)EC_KEY_get0_private_key((EC_KEY*)ecdh);
- if (bn_d == NULL) {
- IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR);
- goto end;
- }
-
- /* Format (D) as char array, with leading zeros if necessary */
- n = privlen - BN_num_bytes(bn_d);
- memset(D, 0, n);
- BN_bn2bin(bn_d, &(D[n]));
-
- /* Initialize private ICA_EC_KEY with (D) */
- rc = p_ica_ec_key_init(NULL, NULL, D, ica_privkey);
- if (rc != 0) {
- IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
- goto end;
- }
-
/* Allocate memory for shared secret z, will be freed by caller */
if ((z_buf = OPENSSL_malloc(privlen)) == NULL) {
IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR);
@@ -193,7 +447,6 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
end:
p_ica_ec_key_free(ica_pubkey);
- p_ica_ec_key_free(ica_privkey);
BN_clear_free(bn_x);
BN_clear_free(bn_y);
return ret;
@@ -210,12 +463,10 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
{
ECDSA_SIG *sig = NULL;
ICA_EC_KEY *icakey = NULL;
- const EC_GROUP *group;
unsigned int privlen;
- BIGNUM *r, *s, *bn_d, *kinv;
- unsigned char D[IBMCA_EC_MAX_D_LEN];
+ BIGNUM *r, *s, *kinv;
unsigned char sigret[IBMCA_EC_MAX_SIG_LEN];
- int n, nid, rc;
+ int rc;
#ifndef OLDER_OPENSSL
int (*sign_sw)(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
@@ -227,6 +478,7 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
const BIGNUM *in_kinv, const BIGNUM *in_r,
EC_KEY *eckey) = NULL;
BN_CTX *ctx;
+ struct ibmca_ec_ex_data *data = EC_KEY_get_ex_data(eckey, ec_ex_data_index);
/* Check parms: precomputed (k,r) are not supported by ibmca */
if (in_kinv != NULL || in_r != NULL) {
@@ -234,12 +486,6 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
return NULL;
}
- /* Get group */
- if ((group = EC_KEY_get0_group(eckey)) == NULL) {
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INVALID_PARM);
- return NULL;
- }
-
/* Check if key usable */
#ifndef OLDER_OPENSSL
if (!EC_KEY_can_sign(eckey)) {
@@ -249,15 +495,14 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
#endif
- /* Get curve nid */
- nid = EC_GROUP_get_curve_name(group);
- if (nid <= 0) {
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_UNSUPPORTED_CURVE);
- return NULL;
+ if (data != NULL) {
+ icakey = data->ica_key;
+ privlen = data->privlen;
+ goto do_sign;
}
/* Create ICA_EC_KEY object */
- icakey = p_ica_ec_key_new(nid, &privlen);
+ icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
if (icakey == NULL) {
/* This curve is not supported by libica. */
#ifdef OLDER_OPENSSL
@@ -287,25 +532,7 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
return sig;
}
- /* Get private (D) value from EC_KEY */
- bn_d = (BIGNUM*)EC_KEY_get0_private_key(eckey);
- if (bn_d == NULL) {
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INTERNAL_ERROR);
- goto end;
- }
-
- /* Format (D) as char array, with leading zeros if necessary */
- n = privlen - BN_num_bytes(bn_d);
- memset(D, 0, n);
- BN_bn2bin(bn_d, &(D[n]));
-
- /* Initialize private ICA_EC_KEY */
- rc = p_ica_ec_key_init(NULL, NULL, D, icakey);
- if (rc != 0) {
- IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
- goto end;
- }
-
+do_sign:
/* Call libica signing routine */
rc = p_ica_ecdsa_sign(ibmca_handle, icakey, dgst, dgst_len, sigret,
sizeof(sigret));
@@ -343,7 +570,6 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
s = BN_bin2bn(sigret + privlen, privlen, NULL);
sig = ECDSA_SIG_new();
-end:
#ifndef OLDER_OPENSSL
if (sig)
ECDSA_SIG_set0(sig, r, s);
@@ -357,7 +583,6 @@ end:
#endif
end2:
- p_ica_ec_key_free(icakey);
return sig;
}
@@ -372,16 +597,12 @@ end2:
int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey)
{
- const EC_GROUP *group;
- const EC_POINT *q;
- unsigned char x_array[IBMCA_EC_MAX_D_LEN];
- unsigned char y_array[IBMCA_EC_MAX_D_LEN];
unsigned char sig_array[IBMCA_EC_MAX_Q_LEN];
BIGNUM *bn_x = NULL, *bn_y = NULL;
const BIGNUM *bn_r, *bn_s;
unsigned int privlen;
ICA_EC_KEY *icakey = NULL;
- int rc, n, nid;
+ int rc, n;
int ret = -1;
#ifndef OLDER_OPENSSL
int (*verify_sw)(int type, const unsigned char *dgst, int dgst_len,
@@ -389,6 +610,7 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
#endif
int (*verify_sig_sw)(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey) = NULL;
+ struct ibmca_ec_ex_data *data = EC_KEY_get_ex_data(eckey, ec_ex_data_index);
/* Check parms */
if (eckey == NULL || sig == NULL) {
@@ -404,21 +626,14 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
}
#endif
- /* Get group */
- if ((group = EC_KEY_get0_group(eckey)) == NULL) {
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR);
- return ret;
- }
-
- /* Get curve nid */
- nid = EC_GROUP_get_curve_name(group);
- if (nid <= 0) {
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_UNSUPPORTED_CURVE);
- return ret;
+ if (data != NULL) {
+ icakey = data->ica_key;
+ privlen = data->privlen;
+ goto do_verify;
}
/* Create ICA_EC_KEY object */
- icakey = p_ica_ec_key_new(nid, &privlen);
+ icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
if (icakey == NULL) {
/* This curve is not supported by libica. */
#ifdef OLDER_OPENSSL
@@ -440,32 +655,7 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
return verify_sig_sw(dgst, dgst_len, sig, eckey);
}
- /* Provide public key (X,Y) */
- bn_x = BN_new();
- bn_y = BN_new();
- q = EC_KEY_get0_public_key(eckey);
- if (!EC_POINT_get_affine_coordinates_GFp(group, q, bn_x, bn_y, NULL)) {
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR);
- goto end;
- }
-
- /* Format (X) as char array with leading nulls if necessary */
- n = privlen - BN_num_bytes(bn_x);
- memset(x_array, 0, n);
- BN_bn2bin(bn_x, &(x_array[n]));
-
- /* Format (Y) as char array with leading nulls if necessary */
- n = privlen - BN_num_bytes(bn_y);
- memset(y_array, 0, n);
- BN_bn2bin(bn_y, &(y_array[n]));
-
- /* Initialize ICA_EC_KEY */
- rc = p_ica_ec_key_init(x_array, y_array, NULL, icakey);
- if (rc != 0) {
- IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
- goto end;
- }
-
+do_verify:
/* Get (r,s) from ECDSA_SIG */
#ifdef OLDER_OPENSSL
bn_r = sig->r;
@@ -517,7 +707,6 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
}
end:
- p_ica_ec_key_free(icakey);
BN_clear_free(bn_x);
BN_clear_free(bn_y);
--
2.39.0
From 072e32bb199ff772148f1cbe0b2faadf9ab33c12 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 27 Oct 2022 16:13:01 +0200
Subject: [PATCH 3/4] provider: Fix configuration script
Small typo in the configuration script created an invalid configuration.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/provider/ibmca-provider-opensslconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
index 21ed6f6..d45428e 100755
--- a/src/provider/ibmca-provider-opensslconfig
+++ b/src/provider/ibmca-provider-opensslconfig
@@ -83,7 +83,7 @@ sub generate()
}
if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
print $oh "ibmca_provider = ibmca_provider_section\n";
- print $oh # Make sure that you have configured and activated at least one other provider!\n";
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
print "WARNING: The IBMCA provider was added to section [$providersect].\n";
print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
}
--
2.39.0
From e90203dbc9bf0d9a4488af470adf11852860991a Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Wed, 2 Nov 2022 14:29:35 +0100
Subject: [PATCH 4/4] provider: Fix order of providers in configuration
Since libica requires a provider that supports HMAC to be loaded and
available, fix the order of providers loaded by our sample configuration
generator. The "default" provider has to come first such that libica can do
the file integrity test with a HMAC provided by this provider when being
loaded via the ibmca provider.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/provider/ibmca-provider-opensslconfig | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
index d45428e..d87fa8e 100755
--- a/src/provider/ibmca-provider-opensslconfig
+++ b/src/provider/ibmca-provider-opensslconfig
@@ -30,7 +30,7 @@ use warnings;
sub generate()
{
my ($osslconfpath);
- my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect);
+ my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect, $inprovidersect);
my ($inalgsect, $algsection);
$osslconfpath = `openssl version -d` || die "Please install openssl binary";
@@ -43,6 +43,7 @@ sub generate()
$defaultcnfsect = undef;
$indefaultsect = 0;
$providersect = undef;
+ $inprovidersect = 0;
while ($line = <$ih>) {
if ($line =~ /openssl_conf\s*=\s*(.*)/) {
$defaultcnfsect = $1;
@@ -67,13 +68,22 @@ sub generate()
} elsif ($inalgsect) {
if ($line =~ /\[\s*\w+\s*\]/) {
print $oh "default_properties = ?provider=ibmca\n";
+ $inalgsect = 0;
} elsif ($line =~ /^\s*default_properties\s*=\s*(\w+)\s*/) {
print $oh "default_properties = ?provider=ibmca\n";
print $oh "# The following was commented out by ibmca-provider-opensslconfig script\n";
print "WARNING: The default_properties in $algsection was modified by this script.\n";
$line = "# $line";
}
- }
+ } elsif ($inprovidersect) {
+ if ($line =~ /\[\s*\w+\s*\]/) {
+ $inprovidersect = 0;
+ print $oh "ibmca_provider = ibmca_provider_section\n";
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
+ print "WARNING: The IBMCA provider was added to section [$providersect].\n";
+ print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ }
+ }
print $oh "$line";
if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) {
$indefaultsect = 1;
@@ -81,11 +91,8 @@ sub generate()
if ($algsection && $line =~ /\[\s*$algsection\s*\]/) {
$inalgsect = 1;
}
- if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
- print $oh "ibmca_provider = ibmca_provider_section\n";
- print $oh "# Make sure that you have configured and activated at least one other provider!\n";
- print "WARNING: The IBMCA provider was added to section [$providersect].\n";
- print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
+ $inprovidersect = 1;
}
}
@@ -100,8 +107,8 @@ providers = provider_section
if (!$providersect) {
print $oh qq|
[provider_section]
-ibmca_provider = ibmca_provider_section
default = default_sect
+ibmca_provider = ibmca_provider_section
[default_sect]
activate = 1
--
2.39.0

40
SOURCES/openssl-ibmca-2.4.0-engine-defaults.patch Normal file
View File

@ -0,0 +1,40 @@
From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 19 Apr 2023 10:07:01 +0200
Subject: [PATCH] engine: Only register those algos specified with
default_algorithms
As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
config file are loaded, and its algorithms (methods) are registered according
to the default_algorithms setting.
However, later during initialization, ENGINE_register_all_complete() is called
which unconditionally registered all algorithms (methods) of the loaded engines
again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.
Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization
to avoid unconditional registration of all algorithms. We only want to register
algorithms specified in the default_algorithms configuration setting.
Note that if the default_algorithms setting is omitted in the OpenSSL config
file, then no algorithms will be registered.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/e_ibmca.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
index fe21897..6cbf745 100644
--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e)
if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths))
goto out;
+ if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL))
+ goto out;
+
rc = 1;
out:
free(pmech_list);

218
SOURCES/openssl-ibmca-2.4.0-log-into-tmp.patch Normal file
View File

@ -0,0 +1,218 @@
From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 26 Jul 2023 15:19:55 +0200
Subject: [PATCH] provider: Default debug directory to /tmp but make it
configurable
The IBMCA provider debug logs were written to the /var/log/ibmca/ directory,
but this required that directory to be world-writable, because we don't know
under which user an application runs that uses the provider.
A world-writable directory under /var has security implications and should be
avoided.
Change the default log directory to /tmp which is world-writable anyway.
Additionally the log directory can now be configured via the 'debug-path'
option in the IBMCA provider section of the OpenSSL config file, or via
environment variable 'IBMCA_DEBUG_PATH'.
Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 2 +-
src/provider/Makefile.am | 4 ---
src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
src/provider/p_ibmca.c | 25 ++++++++++++++++++-
src/provider/p_ibmca.h | 3 +++
test/provider/openssl-test.cnf | 1 +
6 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index cea8ce8f..57b32050 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
-logdir=$localstatedir/log/ibmca
+logdir=/tmp
AC_SUBST(logdir)
# Cmdline arguments.
diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
index da45a52e..f2d1d50b 100644
--- a/src/provider/Makefile.am
+++ b/src/provider/Makefile.am
@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
SUBDIRS = doc
noinst_SCRIPTS = ibmca-provider-opensslconfig
-
-install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(logdir)
- $(CHMOD) 0777 $(DESTDIR)$(logdir)
diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
index 52350e47..846d6070 100644
--- a/src/provider/doc/ibmca-provider.man
+++ b/src/provider/doc/ibmca-provider.man
@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
.IP "debug = yes | no | stderr"
.RS
Enables debug output for the IBMCA provider. If this option is not specified,
-no debuging output is produced. If \fBdebug = stderr\fP is specified,
+no debugging output is produced. If \fBdebug = stderr\fP is specified,
debugging messages are printed to stderr. Otherwise the debug output is written
-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP,
-where <provider-name> is the name of the IBMCA provider from the identity
-option, and <pid> is the process ID of the current process. You can also
-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
-\fBon\fP or \fBstderr\fP.
+into a trace file in \fB<debug-path>/trace-<provider-name>.<pid>\fP,
+where <debug-path> is the path name of a directory to where the debug files are
+written (default: \fB/tmp\fP), <provider-name> is the name of the IBMCA provider
+from the identity option, and <pid> is the process ID of the current process.
+You can also enable debugging by setting the environment variable
+\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
+.RE
+.PP
+.IP "debug-path = /dir/to/debug/directory"
+.RS
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
+You can also set the debug path by setting the environment variable
+\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
+under which the application that uses the IBMCA provider runs has write access
+to that directory. If this option is not specified, the default debug path is
+\fB/tmp\fP.
.RE
.PP
.IP "fips = yes | no"
@@ -153,8 +165,18 @@ If
.B $IBMCA_DEBUG
is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
If it is set to \fBon\fP the debug output is written into a trace file in
-\fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP, where <pid> is
-the process ID of the current process.
+\fB<debug-path>/trace-<provider-name>.<pid>\fP, where <debug-path> is the path
+name of a directory to where the debug files are written (default: \fB/tmp\fP),
+<provider-name> is the name of the IBMCA provider from the identity option,
+and <pid> is the process ID of the current process.
+.PP
+.TP
+.BR IBMCA_DEBUG_PATH
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP configuration option or via environment variable
+\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
+application that uses the IBMCA provider runs has write access to that
+directory.
.PP
.SH SEE ALSO
.B provider(1)
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
index 80f03685..ffb9b5dd 100644
--- a/src/provider/p_ibmca.c
+++ b/src/provider/p_ibmca.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
+#include <stdlib.h>
#include <err.h>
#include <strings.h>
#include <string.h>
@@ -58,6 +59,8 @@ struct ibmca_config_item {
static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static const struct ibmca_config_item config_items[] = {
+ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
{ IBMCA_CONF_DEBUG, ibmca_config_debug },
{ IBMCA_CONF_FIPS, ibmca_config_fips },
{ IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
*p = '_';
if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
- IBMCA_LOGDIR, prov_name, provctx->debug_pid)
+ provctx->debug_path != NULL ? provctx->debug_path :
+ IBMCA_LOGDIR,
+ prov_name, provctx->debug_pid)
>= (int)sizeof(debug_file)) {
put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
"IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
return 1;
}
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value)
+{
+ /*
+ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
+ * environment variable) do not override the setting.
+ */
+ if (provctx->debug_path != NULL)
+ return 1;
+
+ return ibmca_config_const_string(provctx, key, value,
+ &provctx->debug_path);
+}
+
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value)
{
@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
ctx->c_free = c_free;
ctx->ica_adapter = DRIVER_NOT_LOADED;
+ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
+ if (val != NULL)
+ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
val = getenv(IBMCA_DEBUG_ENVVAR);
if (val != NULL)
ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
index 3b3d4f04..c47a6aa9 100644
--- a/src/provider/p_ibmca.h
+++ b/src/provider/p_ibmca.h
@@ -27,9 +27,11 @@
/* Environment variable name to enable debug */
#define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG"
+#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH"
/* IBMCA provider configuration key words */
#define IBMCA_CONF_DEBUG "debug"
+#define IBMCA_CONF_DEBUG_PATH "debug-path"
#define IBMCA_CONF_ALGORITHMS "algorithms"
#define IBMCA_CONF_FIPS "fips"
#define IBMCA_CONF_FALLBACK_PROPS "fallback-properties"
@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
bool debug;
+ const char *debug_path;
FILE *debug_file;
pid_t debug_pid;
pthread_mutex_t debug_mutex;
diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
index 7866f4e9..e8132a6b 100644
--- a/test/provider/openssl-test.cnf
+++ b/test/provider/openssl-test.cnf
@@ -16,6 +16,7 @@ identity = ibmca
module = ibmca-provider.so
activate = 1
#debug = yes
+#debug-path = /dir/to/debug/directory
#fips=yes
#algorithms = RSA,EC,DH
algorithms = ALL

1118
SOURCES/openssl-ibmca-2.4.0-rsa-me.patch Normal file
View File

File diff suppressed because it is too large Load Diff

38
SPECS/openssl-ibmca.spec
View File

@ -6,17 +6,25 @@
%endif
Summary: A dynamic OpenSSL engine for IBMCA
Summary: OpenSSL engine and provider for IBMCA
Name: openssl-ibmca
Version: 2.3.1
Release: 2%{?dist}
Version: 2.4.0
Release: 4%{?dist}
License: ASL 2.0
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# post GA fixes
Patch0: %{name}-%{version}-fixes.patch
# warn the user about engine being deprecated
Patch1: %{name}-2.3.1-engine-warning.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2221894
# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0
Patch2: %{name}-2.4.0-engine-defaults.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2222878
# https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a
# https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0
# https://github.com/opencryptoki/openssl-ibmca/commit/67efa9ad713e8283cb20111a15629f15a8ea8c86
Patch3: %{name}-2.4.0-rsa-me.patch
# https://github.com/opencryptoki/openssl-ibmca/commit/2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4
Patch4: %{name}-2.4.0-log-into-tmp.patch
Requires: libica >= 4.0.0
BuildRequires: make
BuildRequires: gcc
@ -28,7 +36,8 @@ ExclusiveArch: s390 s390x
%description
A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
machines to accelerate cryptographic operations.
%prep
@ -78,6 +87,23 @@ make check
%changelog
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
- provider: Default debug directory to /tmp but make it configurable (#2160084)
- Resolves: #2222878 #2160084 #2224568
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
- provider: Support importing of RSA keys with just ME components (#2222878)
- Resolves: #2222878
* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
- engine: Only register those algos specified with default_algorithms (#2221894)
- Resolves: #2221894
* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
- updated to 2.4.0 (#2160084)
- Resolves: #2160084
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
- fix provider configuration script (#2140028)
- Resolves: #2140028