Compare commits
No commits in common. "c9s" and "c8" have entirely different histories.
|
@ -1 +1 @@
|
||||||
/openssl-ibmca-*.tar.gz
|
SOURCES/openssl-ibmca-2.4.1.tar.gz
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
8e7fc23ec2253da7d2b6e3181c80843253fcb68c openssl-ibmca-2.4.1.tar.gz
|
|
|
@ -1,35 +1,23 @@
|
||||||
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
||||||
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
|
|
||||||
|
|
||||||
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
|
Summary: A dynamic OpenSSL engine for IBMCA
|
||||||
%global with_openssl3 1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
Summary: OpenSSL engine and provider for IBMCA
|
|
||||||
Name: openssl-ibmca
|
Name: openssl-ibmca
|
||||||
Version: 2.4.1
|
Version: 2.4.1
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
|
Group: System Environment/Libraries
|
||||||
URL: https://github.com/opencryptoki
|
URL: https://github.com/opencryptoki
|
||||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
# warn the user about engine being deprecated
|
Requires: libica >= 3.8.0
|
||||||
Patch1: %{name}-2.3.1-engine-warning.patch
|
|
||||||
# post GA fixes
|
|
||||||
Patch2: %{name}-%{version}-fixes.patch
|
|
||||||
Requires: libica >= 4.0.0
|
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libica-devel >= 4.0.0
|
BuildRequires: libica-devel >= 3.8.0
|
||||||
BuildRequires: automake libtool
|
BuildRequires: automake libtool
|
||||||
BuildRequires: openssl >= 3.0.5
|
BuildRequires: openssl
|
||||||
BuildRequires: perl(FindBin)
|
|
||||||
ExclusiveArch: s390 s390x
|
ExclusiveArch: s390 s390x
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
|
A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
|
||||||
machines to accelerate cryptographic operations.
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
@ -39,22 +27,16 @@ machines to accelerate cryptographic operations.
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
|
%configure --libdir=%{enginesdir} --with-libica-version=3
|
||||||
%make_build
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
rm -f %{buildroot}%{enginesdir}/*.la
|
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
|
||||||
|
|
||||||
%if 0%{?with_openssl3}
|
|
||||||
# provider is built when openssl3 is available, fix its location
|
|
||||||
mkdir -p %{buildroot}%{modulesdir}
|
|
||||||
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
|
|
||||||
%endif
|
|
||||||
|
|
||||||
pushd src/engine
|
pushd src/engine
|
||||||
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
|
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# remove generated sample configs
|
# remove generated sample configs
|
||||||
|
@ -67,114 +49,60 @@ make check
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc ChangeLog README.md src/engine/openssl.cnf.sample
|
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
|
||||||
%doc src/engine/ibmca-engine-opensslconfig
|
|
||||||
%doc src/provider/ibmca-provider-opensslconfig
|
|
||||||
%{enginesdir}/ibmca.so
|
%{enginesdir}/ibmca.so
|
||||||
%{_mandir}/man5/ibmca.5*
|
%{_mandir}/man5/ibmca.5*
|
||||||
%if 0%{?with_openssl3}
|
|
||||||
%{modulesdir}/ibmca-provider.so
|
|
||||||
%{_mandir}/man5/ibmca-provider.5*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu May 23 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-2
|
* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
|
||||||
- apply post-2.4.1 fixes (RHEL-23702)
|
- updated to 2.4.1 (RHEL-11410)
|
||||||
- Resolves: RHEL-23702
|
- Resolves: RHEL-11410
|
||||||
|
|
||||||
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
|
* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
||||||
- updated to 2.4.1 (RHEL-11414)
|
- engine: Only register those algos specified with default_algorithms (#2221891)
|
||||||
- Resolves: RHEL-11414
|
- Resolves: #2221891
|
||||||
|
|
||||||
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
|
* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
|
||||||
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
|
- updated to 2.4.0 (#2159722)
|
||||||
- provider: Default debug directory to /tmp but make it configurable (#2160084)
|
- Resolves: #2159722
|
||||||
- Resolves: #2222878 #2160084 #2224568
|
|
||||||
|
|
||||||
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
|
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
|
||||||
- provider: Support importing of RSA keys with just ME components (#2222878)
|
- updated to 2.3.1 (#2110379)
|
||||||
- Resolves: #2222878
|
- Resolves: #2110379
|
||||||
|
|
||||||
* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
|
||||||
- engine: Only register those algos specified with default_algorithms (#2221894)
|
- updated to 2.3.0 (#2043842)
|
||||||
- Resolves: #2221894
|
- Resolves: #2043842
|
||||||
|
|
||||||
* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
|
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
|
||||||
- updated to 2.4.0 (#2160084)
|
- updated to 2.2.1 (#1984971)
|
||||||
- Resolves: #2160084
|
- Resolves: #1984971
|
||||||
|
|
||||||
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
|
|
||||||
- fix provider configuration script (#2140028)
|
|
||||||
- Resolves: #2140028
|
|
||||||
|
|
||||||
* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
|
|
||||||
- updated to 2.3.1 (#2110378)
|
|
||||||
- Resolves: #2110378
|
|
||||||
|
|
||||||
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
|
|
||||||
- updated to 2.3.0 (#2044177)
|
|
||||||
- add provider for openssl 3.x (#2044185)
|
|
||||||
- Resolves: #2044177 #2044185
|
|
||||||
|
|
||||||
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
|
|
||||||
- updated to 2.2.2 (#2016989)
|
|
||||||
- Resolves: #2016989
|
|
||||||
|
|
||||||
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
|
|
||||||
- updated to 2.2.1 (#2016989)
|
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
|
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
|
||||||
Related: rhbz#1991688
|
|
||||||
|
|
||||||
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
||||||
- fix DSA and DH registration (#1989380)
|
- fix DSA and DH registration (#1989064)
|
||||||
- Resolves: #1989380
|
- Resolves: #1989064
|
||||||
|
|
||||||
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
|
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
|
||||||
- updated to 2.2.0 (#1869531)
|
- updated to 2.2.0 (#1919222)
|
||||||
- eliminate SW fallback functions (#1924117)
|
- do not use libica software fallbacks (#1922204)
|
||||||
- Resolves: #1869531 #1924117
|
- Resolves: #1919222 #1922204
|
||||||
|
|
||||||
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
|
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
|
||||||
- updated to 2.1.2
|
- updated to 2.1.1 (#1780306)
|
||||||
|
- Resolves: #1780306
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
|
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- updated to 2.1.0 (#1726242)
|
||||||
|
- Resolves: #1726242, #1723854
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
|
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- updated to 2.0.3 (#1666622)
|
||||||
|
- Resolves: #1666622 #1659427 #1683099
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
|
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Fix doing rsa-me, altough rsa-crt would be possible
|
||||||
|
- Resolves: #1655654
|
||||||
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
|
|
||||||
- updated to 2.1.1
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
|
|
||||||
- updated to 2.1.0
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
|
|
||||||
- updated to 2.0.3
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
|
|
||||||
- updated to 2.0.2
|
|
||||||
|
|
||||||
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
|
|
||||||
- run upstream test-suite during build
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
||||||
- updated to 2.0.0
|
- updated to 2.0.0
|
|
@ -1,6 +0,0 @@
|
||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-9
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-tier1.functional}
|
|
|
@ -1,27 +0,0 @@
|
||||||
From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
|
||||||
Date: Fri, 13 Jan 2023 18:09:49 +0100
|
|
||||||
Subject: [ibmca PATCH] warn the user when configuring the engine
|
|
||||||
|
|
||||||
The engine feature is deprecated in OpenSSL 3.0 and will be removed.
|
|
||||||
Thus warn the user and recommend using the provider instead.
|
|
||||||
---
|
|
||||||
src/engine/ibmca-engine-opensslconfig.in | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
|
|
||||||
index e4b168b..ec7fbfc 100644
|
|
||||||
--- a/src/engine/ibmca-engine-opensslconfig.in
|
|
||||||
+++ b/src/engine/ibmca-engine-opensslconfig.in
|
|
||||||
@@ -140,4 +140,8 @@ this file.
|
|
||||||
|;
|
|
||||||
}
|
|
||||||
|
|
||||||
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
|
|
||||||
+print "WARNING: It will be removed in the future.\n";
|
|
||||||
+print "WARNING: Please use the OpenSSL provider instead.\n";
|
|
||||||
+
|
|
||||||
generate();
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
|
@ -1,423 +0,0 @@
|
||||||
From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Mon, 8 Jan 2024 08:52:24 +0100
|
|
||||||
Subject: [PATCH 1/4] engine: Enable external AES-GCM IV when libica is in FIPS
|
|
||||||
mode
|
|
||||||
|
|
||||||
When the system is in FIPS mode, newer libica versions may prevent AES-GCM
|
|
||||||
from being used with an external IV. FIPS requires that the AES-GCM IV is
|
|
||||||
created libica internally via an approved random source.
|
|
||||||
|
|
||||||
The IBMCA engine can not support the internal generation of the AES-GCM IV,
|
|
||||||
because the engine API for AES-GCM does not allow this. Applications using
|
|
||||||
OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
|
|
||||||
external IV.
|
|
||||||
|
|
||||||
Enable the use of external AES-GCM IVs for libica, if the used libica library
|
|
||||||
supports this. Newer libica versions support to allow external AES-GCM IVs via
|
|
||||||
function ica_allow_external_gcm_iv_in_fips_mode().
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/engine/e_ibmca.c | 12 +++++++++++-
|
|
||||||
src/engine/ibmca.h | 1 +
|
|
||||||
2 files changed, 12 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
|
|
||||||
index 6cbf745..afed3fe 100644
|
|
||||||
--- a/src/engine/e_ibmca.c
|
|
||||||
+++ b/src/engine/e_ibmca.c
|
|
||||||
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
|
|
||||||
ica_aes_gcm_last_t p_ica_aes_gcm_last;
|
|
||||||
#endif
|
|
||||||
ica_cleanup_t p_ica_cleanup;
|
|
||||||
+ica_allow_external_gcm_iv_in_fips_mode_t
|
|
||||||
+ p_ica_allow_external_gcm_iv_in_fips_mode;
|
|
||||||
|
|
||||||
/* save libcrypto's default ec methods */
|
|
||||||
#ifndef NO_EC
|
|
||||||
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
|
|
||||||
BIND(ibmca_dso, ica_ed448_ctx_del);
|
|
||||||
|
|
||||||
/* ica_cleanup is not always present and only needed for newer libraries */
|
|
||||||
- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
|
|
||||||
+ BIND(ibmca_dso, ica_cleanup);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Allow external AES-GCM IV when libica runs in FIPS mode.
|
|
||||||
+ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
|
|
||||||
+ * available with newer libraries.
|
|
||||||
+ */
|
|
||||||
+ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
|
|
||||||
+ p_ica_allow_external_gcm_iv_in_fips_mode(1);
|
|
||||||
|
|
||||||
/* disable fallbacks on Libica */
|
|
||||||
if (BIND(ibmca_dso, ica_set_fallback_mode))
|
|
||||||
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
|
|
||||||
index 7281a5b..01465eb 100644
|
|
||||||
--- a/src/engine/ibmca.h
|
|
||||||
+++ b/src/engine/ibmca.h
|
|
||||||
@@ -617,6 +617,7 @@ typedef
|
|
||||||
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
|
|
||||||
|
|
||||||
typedef void (*ica_cleanup_t)(void);
|
|
||||||
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
|
|
||||||
|
|
||||||
/* entry points into libica, filled out at DSO load time */
|
|
||||||
extern ica_get_functionlist_t p_ica_get_functionlist;
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
||||||
|
|
||||||
From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Wed, 10 Jan 2024 15:08:47 +0100
|
|
||||||
Subject: [PATCH 2/4] test/provider: Do not link against libica use dlopen
|
|
||||||
instead
|
|
||||||
|
|
||||||
When an application links against libica (via -lica), then the libica library
|
|
||||||
constructor runs before the program's main function. Libica's library
|
|
||||||
constructor does initialize OpenSSL and thus parses the config file.
|
|
||||||
|
|
||||||
However, the test programs set up some OpenSSL configuration related
|
|
||||||
environment variables within function check_libica() called from the
|
|
||||||
main function. If libica has already initialized OpenSSL prior to that,
|
|
||||||
OpenSSL won't initialize again, and thus these environment variables have
|
|
||||||
no effect.
|
|
||||||
|
|
||||||
Dynamically load libica (via dlopen) only after setting the environment
|
|
||||||
variables.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
configure.ac | 2 ++
|
|
||||||
test/provider/Makefile.am | 15 +++++++++------
|
|
||||||
test/provider/dhkey.c | 24 ++++++++++++++++++++++--
|
|
||||||
test/provider/eckey.c | 24 ++++++++++++++++++++++--
|
|
||||||
test/provider/rsakey.c | 24 ++++++++++++++++++++++--
|
|
||||||
5 files changed, 77 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index b43a659..09df230 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
|
|
||||||
[])
|
|
||||||
AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
|
|
||||||
|
|
||||||
+AC_SUBST(libicaversion, "$libicaversion")
|
|
||||||
+
|
|
||||||
# If compiled against OpenSSL 3.0 or later, build the provider unless
|
|
||||||
# explicitely disabled.
|
|
||||||
# If build against OpenSSL 1.1.1, we can not build the provider.
|
|
||||||
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
|
|
||||||
index 15a5466..fce06b3 100644
|
|
||||||
--- a/test/provider/Makefile.am
|
|
||||||
+++ b/test/provider/Makefile.am
|
|
||||||
@@ -24,24 +24,27 @@ TESTS = \
|
|
||||||
check_PROGRAMS = rsakey eckey dhkey threadtest
|
|
||||||
|
|
||||||
dhkey_SOURCES = dhkey.c
|
|
||||||
+dhkey_LDADD = -lcrypto -ldl
|
|
||||||
if PROVIDER_FULL_LIBICA
|
|
||||||
-dhkey_LDADD = -lcrypto -lica
|
|
||||||
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
|
||||||
else
|
|
||||||
-dhkey_LDADD = -lcrypto -lica-cex
|
|
||||||
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
|
||||||
endif
|
|
||||||
|
|
||||||
eckey_SOURCES = eckey.c
|
|
||||||
+eckey_LDADD = -lcrypto -ldl
|
|
||||||
if PROVIDER_FULL_LIBICA
|
|
||||||
-eckey_LDADD = -lcrypto -lica
|
|
||||||
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
|
||||||
else
|
|
||||||
-eckey_LDADD = -lcrypto -lica-cex
|
|
||||||
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
|
||||||
endif
|
|
||||||
|
|
||||||
rsakey_SOURCES = rsakey.c
|
|
||||||
+rsakey_LDADD = -lcrypto -ldl
|
|
||||||
if PROVIDER_FULL_LIBICA
|
|
||||||
-rsakey_LDADD = -lcrypto -lica
|
|
||||||
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
|
||||||
else
|
|
||||||
-rsakey_LDADD = -lcrypto -lica-cex
|
|
||||||
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
|
||||||
endif
|
|
||||||
|
|
||||||
threadtest_SOURCES = threadtest.c
|
|
||||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
|
||||||
index 8829ecc..0ec2c03 100644
|
|
||||||
--- a/test/provider/dhkey.c
|
|
||||||
+++ b/test/provider/dhkey.c
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <dlfcn.h>
|
|
||||||
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
|
|
||||||
static const unsigned int required_ica_mechs_len =
|
|
||||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
|
||||||
|
|
||||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
|
||||||
+ unsigned int *);
|
|
||||||
+
|
|
||||||
int check_libica()
|
|
||||||
{
|
|
||||||
unsigned int mech_len, i, k, found = 0;
|
|
||||||
libica_func_list_element *mech_list = NULL;
|
|
||||||
+ void *ibmca_dso;
|
|
||||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
|
||||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
|
||||||
+ if (ibmca_dso == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ p_ica_get_functionlist =
|
|
||||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
|
||||||
+ if (p_ica_get_functionlist == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
|
||||||
+ LIBICA_NAME);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
|
||||||
if (rc != 0) {
|
|
||||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
return 77;
|
|
||||||
@@ -373,7 +393,7 @@ int check_libica()
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
if (rc != 0) {
|
|
||||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
free(mech_list);
|
|
||||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
|
||||||
index b2334d7..b8f47b7 100644
|
|
||||||
--- a/test/provider/eckey.c
|
|
||||||
+++ b/test/provider/eckey.c
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <dlfcn.h>
|
|
||||||
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
|
|
||||||
static const unsigned int required_ica_mechs_len =
|
|
||||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
|
||||||
|
|
||||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
|
||||||
+ unsigned int *);
|
|
||||||
+
|
|
||||||
int check_libica()
|
|
||||||
{
|
|
||||||
unsigned int mech_len, i, k, found = 0;
|
|
||||||
libica_func_list_element *mech_list = NULL;
|
|
||||||
+ void *ibmca_dso;
|
|
||||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
|
||||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
|
||||||
+ if (ibmca_dso == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ p_ica_get_functionlist =
|
|
||||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
|
||||||
+ if (p_ica_get_functionlist == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
|
||||||
+ LIBICA_NAME);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
|
||||||
if (rc != 0) {
|
|
||||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
return 77;
|
|
||||||
@@ -806,7 +826,7 @@ int check_libica()
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
if (rc != 0) {
|
|
||||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
free(mech_list);
|
|
||||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
|
||||||
index 366b503..9d6a618 100644
|
|
||||||
--- a/test/provider/rsakey.c
|
|
||||||
+++ b/test/provider/rsakey.c
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <dlfcn.h>
|
|
||||||
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
|
|
||||||
static const unsigned int required_ica_mechs_len =
|
|
||||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
|
||||||
|
|
||||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
|
||||||
+ unsigned int *);
|
|
||||||
+
|
|
||||||
int check_libica()
|
|
||||||
{
|
|
||||||
unsigned int mech_len, i, k, found = 0;
|
|
||||||
libica_func_list_element *mech_list = NULL;
|
|
||||||
+ void *ibmca_dso;
|
|
||||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
|
||||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
|
||||||
+ if (ibmca_dso == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ p_ica_get_functionlist =
|
|
||||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
|
||||||
+ if (p_ica_get_functionlist == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
|
||||||
+ LIBICA_NAME);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
|
||||||
if (rc != 0) {
|
|
||||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
return 77;
|
|
||||||
@@ -753,7 +773,7 @@ int check_libica()
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
if (rc != 0) {
|
|
||||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
free(mech_list);
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
||||||
|
|
||||||
From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Thu, 18 Jan 2024 16:35:14 +0100
|
|
||||||
Subject: [PATCH 3/4] test/provider: Explicitly initialize OpenSSL after
|
|
||||||
setting env vars.
|
|
||||||
|
|
||||||
When running with a libica version without commit
|
|
||||||
https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
|
|
||||||
it is necessary to explicitly initialize OpenSSL before loading libica. Because
|
|
||||||
otherwise libica's library constructor will initialize OpenSSL the first time,
|
|
||||||
which in turn will load the IBMCA provider, and it will fall into the same
|
|
||||||
problem as fixed by above libica commit, i.e. the provider won't be able to
|
|
||||||
get the supported algorithms from libica an thus will not register any
|
|
||||||
algorithms.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
test/provider/dhkey.c | 2 ++
|
|
||||||
test/provider/eckey.c | 2 ++
|
|
||||||
test/provider/rsakey.c | 2 ++
|
|
||||||
3 files changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
|
||||||
index 0ec2c03..b1270f5 100644
|
|
||||||
--- a/test/provider/dhkey.c
|
|
||||||
+++ b/test/provider/dhkey.c
|
|
||||||
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
|
||||||
+
|
|
||||||
ret = check_libica();
|
|
||||||
if (ret != 0)
|
|
||||||
return ret;
|
|
||||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
|
||||||
index b8f47b7..a65bea5 100644
|
|
||||||
--- a/test/provider/eckey.c
|
|
||||||
+++ b/test/provider/eckey.c
|
|
||||||
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
|
||||||
+
|
|
||||||
ret = check_libica();
|
|
||||||
if (ret != 0)
|
|
||||||
return ret;
|
|
||||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
|
||||||
index 9d6a618..874de6d 100644
|
|
||||||
--- a/test/provider/rsakey.c
|
|
||||||
+++ b/test/provider/rsakey.c
|
|
||||||
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
|
||||||
+
|
|
||||||
ret = check_libica();
|
|
||||||
if (ret != 0)
|
|
||||||
return ret;
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
||||||
|
|
||||||
From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Mon, 13 May 2024 08:53:56 +0200
|
|
||||||
Subject: [PATCH 4/4] engine: Fix compile error on Fedora 40
|
|
||||||
|
|
||||||
ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
|
|
||||||
from incompatible pointer type [-Wincompatible-pointer-types]
|
|
||||||
627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/engine/ibmca_pkey.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
|
|
||||||
index 9c8de94..6cd8fcd 100644
|
|
||||||
--- a/src/engine/ibmca_pkey.c
|
|
||||||
+++ b/src/engine/ibmca_pkey.c
|
|
||||||
@@ -258,7 +258,7 @@ ret:
|
|
||||||
|
|
||||||
/* ED25519 */
|
|
||||||
|
|
||||||
-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
|
||||||
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
@@ -402,7 +402,7 @@ ret:
|
|
||||||
|
|
||||||
/* ED448 */
|
|
||||||
|
|
||||||
-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
|
||||||
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
Loading…
Reference in New Issue