Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
1
.openssl-ibmca.metadata
Normal file
1
.openssl-ibmca.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
8e7fc23ec2253da7d2b6e3181c80843253fcb68c SOURCES/openssl-ibmca-2.4.1.tar.gz
|
27
SOURCES/openssl-ibmca-2.3.1-engine-warning.patch
Normal file
27
SOURCES/openssl-ibmca-2.3.1-engine-warning.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
||||||
|
Date: Fri, 13 Jan 2023 18:09:49 +0100
|
||||||
|
Subject: [ibmca PATCH] warn the user when configuring the engine
|
||||||
|
|
||||||
|
The engine feature is deprecated in OpenSSL 3.0 and will be removed.
|
||||||
|
Thus warn the user and recommend using the provider instead.
|
||||||
|
---
|
||||||
|
src/engine/ibmca-engine-opensslconfig.in | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
|
||||||
|
index e4b168b..ec7fbfc 100644
|
||||||
|
--- a/src/engine/ibmca-engine-opensslconfig.in
|
||||||
|
+++ b/src/engine/ibmca-engine-opensslconfig.in
|
||||||
|
@@ -140,4 +140,8 @@ this file.
|
||||||
|
|;
|
||||||
|
}
|
||||||
|
|
||||||
|
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
|
||||||
|
+print "WARNING: It will be removed in the future.\n";
|
||||||
|
+print "WARNING: Please use the OpenSSL provider instead.\n";
|
||||||
|
+
|
||||||
|
generate();
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
423
SOURCES/openssl-ibmca-2.4.1-fixes.patch
Normal file
423
SOURCES/openssl-ibmca-2.4.1-fixes.patch
Normal file
@ -0,0 +1,423 @@
|
|||||||
|
From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon, 8 Jan 2024 08:52:24 +0100
|
||||||
|
Subject: [PATCH 1/4] engine: Enable external AES-GCM IV when libica is in FIPS
|
||||||
|
mode
|
||||||
|
|
||||||
|
When the system is in FIPS mode, newer libica versions may prevent AES-GCM
|
||||||
|
from being used with an external IV. FIPS requires that the AES-GCM IV is
|
||||||
|
created libica internally via an approved random source.
|
||||||
|
|
||||||
|
The IBMCA engine can not support the internal generation of the AES-GCM IV,
|
||||||
|
because the engine API for AES-GCM does not allow this. Applications using
|
||||||
|
OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
|
||||||
|
external IV.
|
||||||
|
|
||||||
|
Enable the use of external AES-GCM IVs for libica, if the used libica library
|
||||||
|
supports this. Newer libica versions support to allow external AES-GCM IVs via
|
||||||
|
function ica_allow_external_gcm_iv_in_fips_mode().
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/engine/e_ibmca.c | 12 +++++++++++-
|
||||||
|
src/engine/ibmca.h | 1 +
|
||||||
|
2 files changed, 12 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
|
||||||
|
index 6cbf745..afed3fe 100644
|
||||||
|
--- a/src/engine/e_ibmca.c
|
||||||
|
+++ b/src/engine/e_ibmca.c
|
||||||
|
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
|
||||||
|
ica_aes_gcm_last_t p_ica_aes_gcm_last;
|
||||||
|
#endif
|
||||||
|
ica_cleanup_t p_ica_cleanup;
|
||||||
|
+ica_allow_external_gcm_iv_in_fips_mode_t
|
||||||
|
+ p_ica_allow_external_gcm_iv_in_fips_mode;
|
||||||
|
|
||||||
|
/* save libcrypto's default ec methods */
|
||||||
|
#ifndef NO_EC
|
||||||
|
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
|
||||||
|
BIND(ibmca_dso, ica_ed448_ctx_del);
|
||||||
|
|
||||||
|
/* ica_cleanup is not always present and only needed for newer libraries */
|
||||||
|
- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
|
||||||
|
+ BIND(ibmca_dso, ica_cleanup);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Allow external AES-GCM IV when libica runs in FIPS mode.
|
||||||
|
+ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
|
||||||
|
+ * available with newer libraries.
|
||||||
|
+ */
|
||||||
|
+ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
|
||||||
|
+ p_ica_allow_external_gcm_iv_in_fips_mode(1);
|
||||||
|
|
||||||
|
/* disable fallbacks on Libica */
|
||||||
|
if (BIND(ibmca_dso, ica_set_fallback_mode))
|
||||||
|
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
|
||||||
|
index 7281a5b..01465eb 100644
|
||||||
|
--- a/src/engine/ibmca.h
|
||||||
|
+++ b/src/engine/ibmca.h
|
||||||
|
@@ -617,6 +617,7 @@ typedef
|
||||||
|
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
|
||||||
|
|
||||||
|
typedef void (*ica_cleanup_t)(void);
|
||||||
|
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
|
||||||
|
|
||||||
|
/* entry points into libica, filled out at DSO load time */
|
||||||
|
extern ica_get_functionlist_t p_ica_get_functionlist;
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
||||||
|
|
||||||
|
From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed, 10 Jan 2024 15:08:47 +0100
|
||||||
|
Subject: [PATCH 2/4] test/provider: Do not link against libica use dlopen
|
||||||
|
instead
|
||||||
|
|
||||||
|
When an application links against libica (via -lica), then the libica library
|
||||||
|
constructor runs before the program's main function. Libica's library
|
||||||
|
constructor does initialize OpenSSL and thus parses the config file.
|
||||||
|
|
||||||
|
However, the test programs set up some OpenSSL configuration related
|
||||||
|
environment variables within function check_libica() called from the
|
||||||
|
main function. If libica has already initialized OpenSSL prior to that,
|
||||||
|
OpenSSL won't initialize again, and thus these environment variables have
|
||||||
|
no effect.
|
||||||
|
|
||||||
|
Dynamically load libica (via dlopen) only after setting the environment
|
||||||
|
variables.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
configure.ac | 2 ++
|
||||||
|
test/provider/Makefile.am | 15 +++++++++------
|
||||||
|
test/provider/dhkey.c | 24 ++++++++++++++++++++++--
|
||||||
|
test/provider/eckey.c | 24 ++++++++++++++++++++++--
|
||||||
|
test/provider/rsakey.c | 24 ++++++++++++++++++++++--
|
||||||
|
5 files changed, 77 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index b43a659..09df230 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
|
||||||
|
[])
|
||||||
|
AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
|
||||||
|
|
||||||
|
+AC_SUBST(libicaversion, "$libicaversion")
|
||||||
|
+
|
||||||
|
# If compiled against OpenSSL 3.0 or later, build the provider unless
|
||||||
|
# explicitely disabled.
|
||||||
|
# If build against OpenSSL 1.1.1, we can not build the provider.
|
||||||
|
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
|
||||||
|
index 15a5466..fce06b3 100644
|
||||||
|
--- a/test/provider/Makefile.am
|
||||||
|
+++ b/test/provider/Makefile.am
|
||||||
|
@@ -24,24 +24,27 @@ TESTS = \
|
||||||
|
check_PROGRAMS = rsakey eckey dhkey threadtest
|
||||||
|
|
||||||
|
dhkey_SOURCES = dhkey.c
|
||||||
|
+dhkey_LDADD = -lcrypto -ldl
|
||||||
|
if PROVIDER_FULL_LIBICA
|
||||||
|
-dhkey_LDADD = -lcrypto -lica
|
||||||
|
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||||
|
else
|
||||||
|
-dhkey_LDADD = -lcrypto -lica-cex
|
||||||
|
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||||
|
endif
|
||||||
|
|
||||||
|
eckey_SOURCES = eckey.c
|
||||||
|
+eckey_LDADD = -lcrypto -ldl
|
||||||
|
if PROVIDER_FULL_LIBICA
|
||||||
|
-eckey_LDADD = -lcrypto -lica
|
||||||
|
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||||
|
else
|
||||||
|
-eckey_LDADD = -lcrypto -lica-cex
|
||||||
|
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||||
|
endif
|
||||||
|
|
||||||
|
rsakey_SOURCES = rsakey.c
|
||||||
|
+rsakey_LDADD = -lcrypto -ldl
|
||||||
|
if PROVIDER_FULL_LIBICA
|
||||||
|
-rsakey_LDADD = -lcrypto -lica
|
||||||
|
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||||
|
else
|
||||||
|
-rsakey_LDADD = -lcrypto -lica-cex
|
||||||
|
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||||
|
endif
|
||||||
|
|
||||||
|
threadtest_SOURCES = threadtest.c
|
||||||
|
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
||||||
|
index 8829ecc..0ec2c03 100644
|
||||||
|
--- a/test/provider/dhkey.c
|
||||||
|
+++ b/test/provider/dhkey.c
|
||||||
|
@@ -18,6 +18,7 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
|
||||||
|
#include <openssl/conf.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
|
||||||
|
static const unsigned int required_ica_mechs_len =
|
||||||
|
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||||
|
|
||||||
|
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||||
|
+ unsigned int *);
|
||||||
|
+
|
||||||
|
int check_libica()
|
||||||
|
{
|
||||||
|
unsigned int mech_len, i, k, found = 0;
|
||||||
|
libica_func_list_element *mech_list = NULL;
|
||||||
|
+ void *ibmca_dso;
|
||||||
|
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||||
|
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||||
|
+ if (ibmca_dso == NULL) {
|
||||||
|
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||||
|
+ return 77;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p_ica_get_functionlist =
|
||||||
|
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||||
|
+ if (p_ica_get_functionlist == NULL) {
|
||||||
|
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||||
|
+ LIBICA_NAME);
|
||||||
|
+ return 77;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||||
|
if (rc != 0) {
|
||||||
|
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||||
|
return 77;
|
||||||
|
@@ -373,7 +393,7 @@ int check_libica()
|
||||||
|
return 77;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||||
|
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||||
|
if (rc != 0) {
|
||||||
|
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||||
|
free(mech_list);
|
||||||
|
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
||||||
|
index b2334d7..b8f47b7 100644
|
||||||
|
--- a/test/provider/eckey.c
|
||||||
|
+++ b/test/provider/eckey.c
|
||||||
|
@@ -18,6 +18,7 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
|
||||||
|
#include <openssl/conf.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
|
||||||
|
static const unsigned int required_ica_mechs_len =
|
||||||
|
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||||
|
|
||||||
|
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||||
|
+ unsigned int *);
|
||||||
|
+
|
||||||
|
int check_libica()
|
||||||
|
{
|
||||||
|
unsigned int mech_len, i, k, found = 0;
|
||||||
|
libica_func_list_element *mech_list = NULL;
|
||||||
|
+ void *ibmca_dso;
|
||||||
|
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||||
|
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||||
|
+ if (ibmca_dso == NULL) {
|
||||||
|
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||||
|
+ return 77;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p_ica_get_functionlist =
|
||||||
|
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||||
|
+ if (p_ica_get_functionlist == NULL) {
|
||||||
|
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||||
|
+ LIBICA_NAME);
|
||||||
|
+ return 77;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||||
|
if (rc != 0) {
|
||||||
|
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||||
|
return 77;
|
||||||
|
@@ -806,7 +826,7 @@ int check_libica()
|
||||||
|
return 77;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||||
|
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||||
|
if (rc != 0) {
|
||||||
|
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||||
|
free(mech_list);
|
||||||
|
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
||||||
|
index 366b503..9d6a618 100644
|
||||||
|
--- a/test/provider/rsakey.c
|
||||||
|
+++ b/test/provider/rsakey.c
|
||||||
|
@@ -18,6 +18,7 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
|
||||||
|
#include <openssl/conf.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
|
||||||
|
static const unsigned int required_ica_mechs_len =
|
||||||
|
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||||
|
|
||||||
|
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||||
|
+ unsigned int *);
|
||||||
|
+
|
||||||
|
int check_libica()
|
||||||
|
{
|
||||||
|
unsigned int mech_len, i, k, found = 0;
|
||||||
|
libica_func_list_element *mech_list = NULL;
|
||||||
|
+ void *ibmca_dso;
|
||||||
|
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||||
|
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||||
|
+ if (ibmca_dso == NULL) {
|
||||||
|
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||||
|
+ return 77;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p_ica_get_functionlist =
|
||||||
|
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||||
|
+ if (p_ica_get_functionlist == NULL) {
|
||||||
|
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||||
|
+ LIBICA_NAME);
|
||||||
|
+ return 77;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||||
|
if (rc != 0) {
|
||||||
|
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||||
|
return 77;
|
||||||
|
@@ -753,7 +773,7 @@ int check_libica()
|
||||||
|
return 77;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||||
|
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||||
|
if (rc != 0) {
|
||||||
|
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||||
|
free(mech_list);
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
||||||
|
|
||||||
|
From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu, 18 Jan 2024 16:35:14 +0100
|
||||||
|
Subject: [PATCH 3/4] test/provider: Explicitly initialize OpenSSL after
|
||||||
|
setting env vars.
|
||||||
|
|
||||||
|
When running with a libica version without commit
|
||||||
|
https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
|
||||||
|
it is necessary to explicitly initialize OpenSSL before loading libica. Because
|
||||||
|
otherwise libica's library constructor will initialize OpenSSL the first time,
|
||||||
|
which in turn will load the IBMCA provider, and it will fall into the same
|
||||||
|
problem as fixed by above libica commit, i.e. the provider won't be able to
|
||||||
|
get the supported algorithms from libica an thus will not register any
|
||||||
|
algorithms.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
test/provider/dhkey.c | 2 ++
|
||||||
|
test/provider/eckey.c | 2 ++
|
||||||
|
test/provider/rsakey.c | 2 ++
|
||||||
|
3 files changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
||||||
|
index 0ec2c03..b1270f5 100644
|
||||||
|
--- a/test/provider/dhkey.c
|
||||||
|
+++ b/test/provider/dhkey.c
|
||||||
|
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
|
||||||
|
return 77;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||||
|
+
|
||||||
|
ret = check_libica();
|
||||||
|
if (ret != 0)
|
||||||
|
return ret;
|
||||||
|
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
||||||
|
index b8f47b7..a65bea5 100644
|
||||||
|
--- a/test/provider/eckey.c
|
||||||
|
+++ b/test/provider/eckey.c
|
||||||
|
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
|
||||||
|
return 77;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||||
|
+
|
||||||
|
ret = check_libica();
|
||||||
|
if (ret != 0)
|
||||||
|
return ret;
|
||||||
|
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
||||||
|
index 9d6a618..874de6d 100644
|
||||||
|
--- a/test/provider/rsakey.c
|
||||||
|
+++ b/test/provider/rsakey.c
|
||||||
|
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
|
||||||
|
return 77;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||||
|
+
|
||||||
|
ret = check_libica();
|
||||||
|
if (ret != 0)
|
||||||
|
return ret;
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
||||||
|
|
||||||
|
From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon, 13 May 2024 08:53:56 +0200
|
||||||
|
Subject: [PATCH 4/4] engine: Fix compile error on Fedora 40
|
||||||
|
|
||||||
|
ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
|
||||||
|
from incompatible pointer type [-Wincompatible-pointer-types]
|
||||||
|
627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/engine/ibmca_pkey.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
|
||||||
|
index 9c8de94..6cd8fcd 100644
|
||||||
|
--- a/src/engine/ibmca_pkey.c
|
||||||
|
+++ b/src/engine/ibmca_pkey.c
|
||||||
|
@@ -258,7 +258,7 @@ ret:
|
||||||
|
|
||||||
|
/* ED25519 */
|
||||||
|
|
||||||
|
-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
||||||
|
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
@@ -402,7 +402,7 @@ ret:
|
||||||
|
|
||||||
|
/* ED448 */
|
||||||
|
|
||||||
|
-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
||||||
|
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
@ -1,23 +1,35 @@
|
|||||||
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
||||||
|
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
|
||||||
|
|
||||||
Summary: A dynamic OpenSSL engine for IBMCA
|
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
|
||||||
|
%global with_openssl3 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
Summary: OpenSSL engine and provider for IBMCA
|
||||||
Name: openssl-ibmca
|
Name: openssl-ibmca
|
||||||
Version: 2.4.1
|
Version: 2.4.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Group: System Environment/Libraries
|
|
||||||
URL: https://github.com/opencryptoki
|
URL: https://github.com/opencryptoki
|
||||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
Requires: libica >= 3.8.0
|
# warn the user about engine being deprecated
|
||||||
|
Patch1: %{name}-2.3.1-engine-warning.patch
|
||||||
|
# post GA fixes
|
||||||
|
Patch2: %{name}-%{version}-fixes.patch
|
||||||
|
Requires: libica >= 4.0.0
|
||||||
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libica-devel >= 3.8.0
|
BuildRequires: libica-devel >= 4.0.0
|
||||||
BuildRequires: automake libtool
|
BuildRequires: automake libtool
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl >= 3.0.5
|
||||||
|
BuildRequires: perl(FindBin)
|
||||||
ExclusiveArch: s390 s390x
|
ExclusiveArch: s390 s390x
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
|
A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
|
||||||
|
machines to accelerate cryptographic operations.
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
@ -27,16 +39,22 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
|
|||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --libdir=%{enginesdir} --with-libica-version=3
|
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
|
||||||
make %{?_smp_mflags}
|
%make_build
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
|
rm -f %{buildroot}%{enginesdir}/*.la
|
||||||
|
|
||||||
|
%if 0%{?with_openssl3}
|
||||||
|
# provider is built when openssl3 is available, fix its location
|
||||||
|
mkdir -p %{buildroot}%{modulesdir}
|
||||||
|
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
|
||||||
|
%endif
|
||||||
|
|
||||||
pushd src/engine
|
pushd src/engine
|
||||||
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
|
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# remove generated sample configs
|
# remove generated sample configs
|
||||||
@ -49,60 +67,114 @@ make check
|
|||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
|
%doc ChangeLog README.md src/engine/openssl.cnf.sample
|
||||||
|
%doc src/engine/ibmca-engine-opensslconfig
|
||||||
|
%doc src/provider/ibmca-provider-opensslconfig
|
||||||
%{enginesdir}/ibmca.so
|
%{enginesdir}/ibmca.so
|
||||||
%{_mandir}/man5/ibmca.5*
|
%{_mandir}/man5/ibmca.5*
|
||||||
|
%if 0%{?with_openssl3}
|
||||||
|
%{modulesdir}/ibmca-provider.so
|
||||||
|
%{_mandir}/man5/ibmca-provider.5*
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
|
* Thu May 23 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-2
|
||||||
- updated to 2.4.1 (RHEL-11410)
|
- apply post-2.4.1 fixes (RHEL-23702)
|
||||||
- Resolves: RHEL-11410
|
- Resolves: RHEL-23702
|
||||||
|
|
||||||
* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
|
||||||
- engine: Only register those algos specified with default_algorithms (#2221891)
|
- updated to 2.4.1 (RHEL-11414)
|
||||||
- Resolves: #2221891
|
- Resolves: RHEL-11414
|
||||||
|
|
||||||
* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
|
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
|
||||||
- updated to 2.4.0 (#2159722)
|
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
|
||||||
- Resolves: #2159722
|
- provider: Default debug directory to /tmp but make it configurable (#2160084)
|
||||||
|
- Resolves: #2222878 #2160084 #2224568
|
||||||
|
|
||||||
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
|
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
|
||||||
- updated to 2.3.1 (#2110379)
|
- provider: Support importing of RSA keys with just ME components (#2222878)
|
||||||
- Resolves: #2110379
|
- Resolves: #2222878
|
||||||
|
|
||||||
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
|
* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
||||||
- updated to 2.3.0 (#2043842)
|
- engine: Only register those algos specified with default_algorithms (#2221894)
|
||||||
- Resolves: #2043842
|
- Resolves: #2221894
|
||||||
|
|
||||||
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
|
* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
|
||||||
- updated to 2.2.1 (#1984971)
|
- updated to 2.4.0 (#2160084)
|
||||||
- Resolves: #1984971
|
- Resolves: #2160084
|
||||||
|
|
||||||
|
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
|
||||||
|
- fix provider configuration script (#2140028)
|
||||||
|
- Resolves: #2140028
|
||||||
|
|
||||||
|
* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
|
||||||
|
- updated to 2.3.1 (#2110378)
|
||||||
|
- Resolves: #2110378
|
||||||
|
|
||||||
|
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
|
||||||
|
- updated to 2.3.0 (#2044177)
|
||||||
|
- add provider for openssl 3.x (#2044185)
|
||||||
|
- Resolves: #2044177 #2044185
|
||||||
|
|
||||||
|
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
|
||||||
|
- updated to 2.2.2 (#2016989)
|
||||||
|
- Resolves: #2016989
|
||||||
|
|
||||||
|
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
|
||||||
|
- updated to 2.2.1 (#2016989)
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
||||||
- fix DSA and DH registration (#1989064)
|
- fix DSA and DH registration (#1989380)
|
||||||
- Resolves: #1989064
|
- Resolves: #1989380
|
||||||
|
|
||||||
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
|
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
|
||||||
- updated to 2.2.0 (#1919222)
|
- updated to 2.2.0 (#1869531)
|
||||||
- do not use libica software fallbacks (#1922204)
|
- eliminate SW fallback functions (#1924117)
|
||||||
- Resolves: #1919222 #1922204
|
- Resolves: #1869531 #1924117
|
||||||
|
|
||||||
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
|
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
|
||||||
- updated to 2.1.1 (#1780306)
|
- updated to 2.1.2
|
||||||
- Resolves: #1780306
|
|
||||||
|
|
||||||
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
|
||||||
- updated to 2.1.0 (#1726242)
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
- Resolves: #1726242, #1723854
|
|
||||||
|
|
||||||
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
|
||||||
- updated to 2.0.3 (#1666622)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
- Resolves: #1666622 #1659427 #1683099
|
|
||||||
|
|
||||||
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
|
||||||
- Fix doing rsa-me, altough rsa-crt would be possible
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
- Resolves: #1655654
|
|
||||||
|
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
|
||||||
|
- updated to 2.1.1
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
|
||||||
|
- updated to 2.1.0
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
|
||||||
|
- updated to 2.0.3
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
|
||||||
|
- updated to 2.0.2
|
||||||
|
|
||||||
|
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
|
||||||
|
- run upstream test-suite during build
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
||||||
- updated to 2.0.0
|
- updated to 2.0.0
|
||||||
|
Loading…
Reference in New Issue
Block a user