rpms
/
openssl-ibmca
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c9s
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c8-beta/openssl-ibmca-2.0.3-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.1.0-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.1.1-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.2.0-2.el8
rpms:imports/c8-beta/openssl-ibmca-2.2.1-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.3.0-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.3.1-1.el8
rpms:imports/c8/openssl-ibmca-2.0.3-1.el8
rpms:imports/c8/openssl-ibmca-2.1.0-1.el8
rpms:imports/c8/openssl-ibmca-2.1.1-1.el8
rpms:imports/c8/openssl-ibmca-2.1.1-1.el8_4.1
rpms:imports/c8/openssl-ibmca-2.2.0-2.el8
rpms:imports/c8/openssl-ibmca-2.2.1-1.el8
rpms:imports/c8/openssl-ibmca-2.3.0-1.el8
rpms:imports/c8/openssl-ibmca-2.3.1-1.el8
rpms:imports/c8s/openssl-ibmca-2.1.0-1.el8
rpms:imports/c8s/openssl-ibmca-2.1.1-1.el8
rpms:imports/c9-beta/openssl-ibmca-2.2.0-3.el9
rpms:imports/c9-beta/openssl-ibmca-2.2.2-1.el9
rpms:imports/c9-beta/openssl-ibmca-2.3.0-1.el9
rpms:imports/c9-beta/openssl-ibmca-2.3.1-2.el9
rpms:imports/c9/openssl-ibmca-2.2.2-1.el9
rpms:imports/c9/openssl-ibmca-2.2.2-1.el9_0.1
rpms:imports/c9/openssl-ibmca-2.3.0-1.el9
rpms:imports/c9/openssl-ibmca-2.3.0-1.el9_1.1
rpms:imports/c9/openssl-ibmca-2.3.1-2.el9
...
pull from: rpms:c9s
Branches Tags
rpms:c9s
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c8-beta/openssl-ibmca-2.0.3-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.1.0-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.1.1-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.2.0-2.el8
rpms:imports/c8-beta/openssl-ibmca-2.2.1-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.3.0-1.el8
rpms:imports/c8-beta/openssl-ibmca-2.3.1-1.el8
rpms:imports/c8/openssl-ibmca-2.0.3-1.el8
rpms:imports/c8/openssl-ibmca-2.1.0-1.el8
rpms:imports/c8/openssl-ibmca-2.1.1-1.el8
rpms:imports/c8/openssl-ibmca-2.1.1-1.el8_4.1
rpms:imports/c8/openssl-ibmca-2.2.0-2.el8
rpms:imports/c8/openssl-ibmca-2.2.1-1.el8
rpms:imports/c8/openssl-ibmca-2.3.0-1.el8
rpms:imports/c8/openssl-ibmca-2.3.1-1.el8
rpms:imports/c8s/openssl-ibmca-2.1.0-1.el8
rpms:imports/c8s/openssl-ibmca-2.1.1-1.el8
rpms:imports/c9-beta/openssl-ibmca-2.2.0-3.el9
rpms:imports/c9-beta/openssl-ibmca-2.2.2-1.el9
rpms:imports/c9-beta/openssl-ibmca-2.3.0-1.el9
rpms:imports/c9-beta/openssl-ibmca-2.3.1-2.el9
rpms:imports/c9/openssl-ibmca-2.2.2-1.el9
rpms:imports/c9/openssl-ibmca-2.2.2-1.el9_0.1
rpms:imports/c9/openssl-ibmca-2.3.0-1.el9
rpms:imports/c9/openssl-ibmca-2.3.0-1.el9_1.1
rpms:imports/c9/openssl-ibmca-2.3.1-2.el9

No commits in common. 'c8' and 'c9s' have entirely different histories.
c8 ... c9s

10 changed files with 1698 additions and 204 deletions
Show Stats

2
.gitignore vendored
Unescape Escape View File

@ -1 +1 @@
SOURCES/openssl-ibmca-2.3.1.tar.gz
/openssl-ibmca-*.tar.gz

2
.openssl-ibmca.metadata
Unescape Escape View File

@ -1 +1 @@
5e5ac182d30787788c94b5dcdf9a3a21d209bbaf SOURCES/openssl-ibmca-2.3.1.tar.gz
d1361eec709c4b6d1760171ac077fa0d21f5a698 openssl-ibmca-2.4.0.tar.gz

202
SPECS/openssl-ibmca.spec
Unescape Escape View File

@ -1,202 +0,0 @@
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca
Version: 2.3.1
Release: 1%{?dist}
License: ASL 2.0
Group: System Environment/Libraries
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Requires: libica >= 3.8.0
BuildRequires: gcc
BuildRequires: libica-devel >= 3.8.0
BuildRequires: automake libtool
BuildRequires: openssl
ExclusiveArch: s390 s390x
%description
A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
%prep
%autosetup -p1
./bootstrap.sh
%build
%configure --libdir=%{enginesdir} --with-libica-version=3
make %{?_smp_mflags}
%install
%make_install
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
pushd src/engine
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
popd
# remove generated sample configs
rm -rf %{buildroot}%{_datadir}/%{name}
%check
make check
%files
%license LICENSE
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
%{enginesdir}/ibmca.so
%{_mandir}/man5/ibmca.5*
%changelog
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
- updated to 2.3.1 (#2110379)
- Resolves: #2110379
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2043842)
- Resolves: #2043842
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
- updated to 2.2.1 (#1984971)
- Resolves: #1984971
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
- fix DSA and DH registration (#1989064)
- Resolves: #1989064
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
- updated to 2.2.0 (#1919222)
- do not use libica software fallbacks (#1922204)
- Resolves: #1919222 #1922204
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
- updated to 2.1.1 (#1780306)
- Resolves: #1780306
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
- updated to 2.1.0 (#1726242)
- Resolves: #1726242, #1723854
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
- updated to 2.0.3 (#1666622)
- Resolves: #1666622 #1659427 #1683099
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
- Fix doing rsa-me, altough rsa-crt would be possible
- Resolves: #1655654
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
- updated to 2.0.0
* Fri Feb 23 2018 Dan Horák <dan@danny.cz> - 1.4.1-1
- updated to 1.4.1
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 24 2018 Dan Horák <dan@danny.cz> - 1.4.0-2
- update engine filename
- spec cleanup
* Mon Sep 11 2017 Dan Horák <dan@danny.cz> - 1.4.0-1
- updated to 1.4.0
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 08 2017 Dan Horák <dan@danny.cz> - 1.3.1-1
- updated to 1.3.1 and OpenSSL 1.1
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Nov 05 2014 Dan Horák <dan@danny.cz> - 1.2.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Wed Mar 19 2014 Dan Horák <dan[at]danny.cz - 1.2.0-8
- Set proper key signature flag (#1075474)
* Fri Mar 14 2014 Dan Horák <dan[at]danny.cz - 1.2.0-7
- Fix multilib conflict in sample config file (#1076423)
- Fixed message digest length definition in sha256 template (#1074976)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Apr 20 2012 Dan Horák <dan[at]danny.cz - 1.2.0-3
- make the libica dependecies versioned
- fix segfaults in OFB mode (#749638)
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz - 1.2.0-1
- update to 1.2.0
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Apr 22 2010 Dan Horák <dhorak@redhat.com> - 1.1-2
- fixed opening of the libica library (#584765)
- Resolves: #584765
* Thu Mar 4 2010 Dan Horák <dhorak@redhat.com> - 1.1-1
- rebased to 1.1 instead of patching
- Resolves: #568847
* Thu Feb 18 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-5
- added patch with port to libica 2.x API
- Related: #543948
* Wed Feb 10 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-4
- added explicit dependency on libica, because it's dlopened
- Related: #543948
* Tue Jan 12 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-3
- rebuild
- Related: #543948
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Thu Jul 9 2009 Dan Horak <dan[at]danny.cz - 1.0.0-1
- update to final 1.0.0
- spec file cleanup
* Thu Jun 21 2007 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.4
- Fixed several issues with failure of using ibmca engine (#227644)
* Tue Dec 12 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.3
- Added missing symlinks for libs (#215735)
- Added samle config file (#215735)
* Thu Nov 23 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.2
- Necessary fix so openssl finds the module properly (#215735)
* Thu May 11 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2
- Initial package.

6
gating.yaml
Unescape Escape View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-tier1.functional}

27
openssl-ibmca-2.3.1-engine-warning.patch
Unescape Escape View File

@ -0,0 +1,27 @@
From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
Date: Fri, 13 Jan 2023 18:09:49 +0100
Subject: [ibmca PATCH] warn the user when configuring the engine
The engine feature is deprecated in OpenSSL 3.0 and will be removed.
Thus warn the user and recommend using the provider instead.
---
src/engine/ibmca-engine-opensslconfig.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
index e4b168b..ec7fbfc 100644
--- a/src/engine/ibmca-engine-opensslconfig.in
+++ b/src/engine/ibmca-engine-opensslconfig.in
@@ -140,4 +140,8 @@ this file.
|;
}
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
+print "WARNING: It will be removed in the future.\n";
+print "WARNING: Please use the OpenSSL provider instead.\n";
+
generate();
--
2.39.0

40
openssl-ibmca-2.4.0-engine-defaults.patch
Unescape Escape View File

@ -0,0 +1,40 @@
From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 19 Apr 2023 10:07:01 +0200
Subject: [PATCH] engine: Only register those algos specified with
default_algorithms
As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
config file are loaded, and its algorithms (methods) are registered according
to the default_algorithms setting.
However, later during initialization, ENGINE_register_all_complete() is called
which unconditionally registered all algorithms (methods) of the loaded engines
again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.
Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization
to avoid unconditional registration of all algorithms. We only want to register
algorithms specified in the default_algorithms configuration setting.
Note that if the default_algorithms setting is omitted in the OpenSSL config
file, then no algorithms will be registered.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/e_ibmca.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
index fe21897..6cbf745 100644
--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e)
if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths))
goto out;
+ if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL))
+ goto out;
+
rc = 1;
out:
free(pmech_list);

218
openssl-ibmca-2.4.0-log-into-tmp.patch
Unescape Escape View File

@ -0,0 +1,218 @@
From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 26 Jul 2023 15:19:55 +0200
Subject: [PATCH] provider: Default debug directory to /tmp but make it
configurable
The IBMCA provider debug logs were written to the /var/log/ibmca/ directory,
but this required that directory to be world-writable, because we don't know
under which user an application runs that uses the provider.
A world-writable directory under /var has security implications and should be
avoided.
Change the default log directory to /tmp which is world-writable anyway.
Additionally the log directory can now be configured via the 'debug-path'
option in the IBMCA provider section of the OpenSSL config file, or via
environment variable 'IBMCA_DEBUG_PATH'.
Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 2 +-
src/provider/Makefile.am | 4 ---
src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
src/provider/p_ibmca.c | 25 ++++++++++++++++++-
src/provider/p_ibmca.h | 3 +++
test/provider/openssl-test.cnf | 1 +
6 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index cea8ce8f..57b32050 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
-logdir=$localstatedir/log/ibmca
+logdir=/tmp
AC_SUBST(logdir)
# Cmdline arguments.
diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
index da45a52e..f2d1d50b 100644
--- a/src/provider/Makefile.am
+++ b/src/provider/Makefile.am
@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
SUBDIRS = doc
noinst_SCRIPTS = ibmca-provider-opensslconfig
-
-install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(logdir)
- $(CHMOD) 0777 $(DESTDIR)$(logdir)
diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
index 52350e47..846d6070 100644
--- a/src/provider/doc/ibmca-provider.man
+++ b/src/provider/doc/ibmca-provider.man
@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
.IP "debug = yes | no | stderr"
.RS
Enables debug output for the IBMCA provider. If this option is not specified,
-no debuging output is produced. If \fBdebug = stderr\fP is specified,
+no debugging output is produced. If \fBdebug = stderr\fP is specified,
debugging messages are printed to stderr. Otherwise the debug output is written
-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP,
-where <provider-name> is the name of the IBMCA provider from the identity
-option, and <pid> is the process ID of the current process. You can also
-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
-\fBon\fP or \fBstderr\fP.
+into a trace file in \fB<debug-path>/trace-<provider-name>.<pid>\fP,
+where <debug-path> is the path name of a directory to where the debug files are
+written (default: \fB/tmp\fP), <provider-name> is the name of the IBMCA provider
+from the identity option, and <pid> is the process ID of the current process.
+You can also enable debugging by setting the environment variable
+\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
+.RE
+.PP
+.IP "debug-path = /dir/to/debug/directory"
+.RS
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
+You can also set the debug path by setting the environment variable
+\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
+under which the application that uses the IBMCA provider runs has write access
+to that directory. If this option is not specified, the default debug path is
+\fB/tmp\fP.
.RE
.PP
.IP "fips = yes | no"
@@ -153,8 +165,18 @@ If
.B $IBMCA_DEBUG
is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
If it is set to \fBon\fP the debug output is written into a trace file in
-\fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP, where <pid> is
-the process ID of the current process.
+\fB<debug-path>/trace-<provider-name>.<pid>\fP, where <debug-path> is the path
+name of a directory to where the debug files are written (default: \fB/tmp\fP),
+<provider-name> is the name of the IBMCA provider from the identity option,
+and <pid> is the process ID of the current process.
+.PP
+.TP
+.BR IBMCA_DEBUG_PATH
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP configuration option or via environment variable
+\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
+application that uses the IBMCA provider runs has write access to that
+directory.
.PP
.SH SEE ALSO
.B provider(1)
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
index 80f03685..ffb9b5dd 100644
--- a/src/provider/p_ibmca.c
+++ b/src/provider/p_ibmca.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
+#include <stdlib.h>
#include <err.h>
#include <strings.h>
#include <string.h>
@@ -58,6 +59,8 @@ struct ibmca_config_item {
static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static const struct ibmca_config_item config_items[] = {
+ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
{ IBMCA_CONF_DEBUG, ibmca_config_debug },
{ IBMCA_CONF_FIPS, ibmca_config_fips },
{ IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
*p = '_';
if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
- IBMCA_LOGDIR, prov_name, provctx->debug_pid)
+ provctx->debug_path != NULL ? provctx->debug_path :
+ IBMCA_LOGDIR,
+ prov_name, provctx->debug_pid)
>= (int)sizeof(debug_file)) {
put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
"IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
return 1;
}
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value)
+{
+ /*
+ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
+ * environment variable) do not override the setting.
+ */
+ if (provctx->debug_path != NULL)
+ return 1;
+
+ return ibmca_config_const_string(provctx, key, value,
+ &provctx->debug_path);
+}
+
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value)
{
@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
ctx->c_free = c_free;
ctx->ica_adapter = DRIVER_NOT_LOADED;
+ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
+ if (val != NULL)
+ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
val = getenv(IBMCA_DEBUG_ENVVAR);
if (val != NULL)
ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
index 3b3d4f04..c47a6aa9 100644
--- a/src/provider/p_ibmca.h
+++ b/src/provider/p_ibmca.h
@@ -27,9 +27,11 @@
/* Environment variable name to enable debug */
#define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG"
+#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH"
/* IBMCA provider configuration key words */
#define IBMCA_CONF_DEBUG "debug"
+#define IBMCA_CONF_DEBUG_PATH "debug-path"
#define IBMCA_CONF_ALGORITHMS "algorithms"
#define IBMCA_CONF_FIPS "fips"
#define IBMCA_CONF_FALLBACK_PROPS "fallback-properties"
@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
bool debug;
+ const char *debug_path;
FILE *debug_file;
pid_t debug_pid;
pthread_mutex_t debug_mutex;
diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
index 7866f4e9..e8132a6b 100644
--- a/test/provider/openssl-test.cnf
+++ b/test/provider/openssl-test.cnf
@@ -16,6 +16,7 @@ identity = ibmca
module = ibmca-provider.so
activate = 1
#debug = yes
+#debug-path = /dir/to/debug/directory
#fips=yes
#algorithms = RSA,EC,DH
algorithms = ALL

1118
openssl-ibmca-2.4.0-rsa-me.patch
View File

File diff suppressed because it is too large Load Diff

286
openssl-ibmca.spec
Unescape Escape View File

@ -0,0 +1,286 @@
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
%global with_openssl3 1
%endif
Summary: OpenSSL engine and provider for IBMCA
Name: openssl-ibmca
Version: 2.4.0
Release: 4%{?dist}
License: ASL 2.0
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# warn the user about engine being deprecated
Patch1: %{name}-2.3.1-engine-warning.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2221894
# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0
Patch2: %{name}-2.4.0-engine-defaults.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2222878
# https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a
# https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0
# https://github.com/opencryptoki/openssl-ibmca/commit/67efa9ad713e8283cb20111a15629f15a8ea8c86
Patch3: %{name}-2.4.0-rsa-me.patch
# https://github.com/opencryptoki/openssl-ibmca/commit/2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4
Patch4: %{name}-2.4.0-log-into-tmp.patch
Requires: libica >= 4.0.0
BuildRequires: make
BuildRequires: gcc
BuildRequires: libica-devel >= 4.0.0
BuildRequires: automake libtool
BuildRequires: openssl >= 3.0.5
BuildRequires: perl(FindBin)
ExclusiveArch: s390 s390x
%description
A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
machines to accelerate cryptographic operations.
%prep
%autosetup -p1
./bootstrap.sh
%build
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
%make_build
%install
%make_install
rm -f %{buildroot}%{enginesdir}/*.la
%if 0%{?with_openssl3}
# provider is built when openssl3 is available, fix its location
mkdir -p %{buildroot}%{modulesdir}
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
%endif
pushd src/engine
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
popd
# remove generated sample configs
rm -rf %{buildroot}%{_datadir}/%{name}
%check
make check
%files
%license LICENSE
%doc ChangeLog README.md src/engine/openssl.cnf.sample
%doc src/engine/ibmca-engine-opensslconfig
%doc src/provider/ibmca-provider-opensslconfig
%{enginesdir}/ibmca.so
%{_mandir}/man5/ibmca.5*
%if 0%{?with_openssl3}
%{modulesdir}/ibmca-provider.so
%{_mandir}/man5/ibmca-provider.5*
%endif
%changelog
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
- provider: Default debug directory to /tmp but make it configurable (#2160084)
- Resolves: #2222878 #2160084 #2224568
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
- provider: Support importing of RSA keys with just ME components (#2222878)
- Resolves: #2222878
* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
- engine: Only register those algos specified with default_algorithms (#2221894)
- Resolves: #2221894
* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
- updated to 2.4.0 (#2160084)
- Resolves: #2160084
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
- fix provider configuration script (#2140028)
- Resolves: #2140028
* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
- updated to 2.3.1 (#2110378)
- Resolves: #2110378
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2044177)
- add provider for openssl 3.x (#2044185)
- Resolves: #2044177 #2044185
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
- updated to 2.2.2 (#2016989)
- Resolves: #2016989
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
- updated to 2.2.1 (#2016989)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
- fix DSA and DH registration (#1989380)
- Resolves: #1989380
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
- updated to 2.2.0 (#1869531)
- eliminate SW fallback functions (#1924117)
- Resolves: #1869531 #1924117
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
- updated to 2.1.2
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
- updated to 2.1.1
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
- updated to 2.1.0
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
- updated to 2.0.3
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
- updated to 2.0.2
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
- run upstream test-suite during build
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
- updated to 2.0.0
* Fri Feb 23 2018 Dan Horák <dan@danny.cz> - 1.4.1-1
- updated to 1.4.1
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 24 2018 Dan Horák <dan@danny.cz> - 1.4.0-2
- update engine filename
- spec cleanup
* Mon Sep 11 2017 Dan Horák <dan@danny.cz> - 1.4.0-1
- updated to 1.4.0
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 08 2017 Dan Horák <dan@danny.cz> - 1.3.1-1
- updated to 1.3.1 and OpenSSL 1.1
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Nov 05 2014 Dan Horák <dan@danny.cz> - 1.2.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Wed Mar 19 2014 Dan Horák <dan[at]danny.cz - 1.2.0-8
- Set proper key signature flag (#1075474)
* Fri Mar 14 2014 Dan Horák <dan[at]danny.cz - 1.2.0-7
- Fix multilib conflict in sample config file (#1076423)
- Fixed message digest length definition in sha256 template (#1074976)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Apr 20 2012 Dan Horák <dan[at]danny.cz - 1.2.0-3
- make the libica dependecies versioned
- fix segfaults in OFB mode (#749638)
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz - 1.2.0-1
- update to 1.2.0
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Apr 22 2010 Dan Horák <dhorak@redhat.com> - 1.1-2
- fixed opening of the libica library (#584765)
- Resolves: #584765
* Thu Mar 4 2010 Dan Horák <dhorak@redhat.com> - 1.1-1
- rebased to 1.1 instead of patching
- Resolves: #568847
* Thu Feb 18 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-5
- added patch with port to libica 2.x API
- Related: #543948
* Wed Feb 10 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-4
- added explicit dependency on libica, because it's dlopened
- Related: #543948
* Tue Jan 12 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-3
- rebuild
- Related: #543948
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Thu Jul 9 2009 Dan Horak <dan[at]danny.cz - 1.0.0-1
- update to final 1.0.0
- spec file cleanup
* Thu Jun 21 2007 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.4
- Fixed several issues with failure of using ibmca engine (#227644)
* Tue Dec 12 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.3
- Added missing symlinks for libs (#215735)
- Added samle config file (#215735)
* Thu Nov 23 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.2
- Necessary fix so openssl finds the module properly (#215735)
* Thu May 11 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2
- Initial package.

1
sources
Unescape Escape View File

@ -0,0 +1 @@
SHA512 (openssl-ibmca-2.4.0.tar.gz) = ec886a89e6537bcda5f40c96dd66a6b3e19563c006434e65e5da7b3bdf7526a1cca7b454d3da1df2455625ffd970a9093ca4a0c7deb5e32e69bed9575f20f811
Write Preview
Loading…
Cancel
Save