Compare commits
No commits in common. "imports/c9-beta/openssl-ibmca-2.3.1-2.el9" and "c8" have entirely different histories.
imports/c9
...
c8
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/openssl-ibmca-2.3.1.tar.gz
|
SOURCES/openssl-ibmca-2.4.1.tar.gz
|
||||||
|
@ -1 +0,0 @@
|
|||||||
5e5ac182d30787788c94b5dcdf9a3a21d209bbaf SOURCES/openssl-ibmca-2.3.1.tar.gz
|
|
@ -1,27 +0,0 @@
|
|||||||
From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
|
||||||
Date: Fri, 13 Jan 2023 18:09:49 +0100
|
|
||||||
Subject: [ibmca PATCH] warn the user when configuring the engine
|
|
||||||
|
|
||||||
The engine feature is deprecated in OpenSSL 3.0 and will be removed.
|
|
||||||
Thus warn the user and recommend using the provider instead.
|
|
||||||
---
|
|
||||||
src/engine/ibmca-engine-opensslconfig.in | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
|
|
||||||
index e4b168b..ec7fbfc 100644
|
|
||||||
--- a/src/engine/ibmca-engine-opensslconfig.in
|
|
||||||
+++ b/src/engine/ibmca-engine-opensslconfig.in
|
|
||||||
@@ -140,4 +140,8 @@ this file.
|
|
||||||
|;
|
|
||||||
}
|
|
||||||
|
|
||||||
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
|
|
||||||
+print "WARNING: It will be removed in the future.\n";
|
|
||||||
+print "WARNING: Please use the OpenSSL provider instead.\n";
|
|
||||||
+
|
|
||||||
generate();
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
@ -1,827 +0,0 @@
|
|||||||
From ec926d577754babce01db22274a582988c5c4e44 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Wed, 12 Oct 2022 09:40:27 +0200
|
|
||||||
Subject: [PATCH 1/4] provider: Support EC parameter generation with named
|
|
||||||
curve
|
|
||||||
|
|
||||||
In general the IBMCA provider does not support EC parameter generation,
|
|
||||||
because libica only supports certain named curves. However, one can
|
|
||||||
also use EC parameter generation with a named curve, and then use such
|
|
||||||
parameter key object as template for generating other keys. One example
|
|
||||||
for this is the openssl speed utility.
|
|
||||||
|
|
||||||
Like for EC key generation, EC parameter generation only supports
|
|
||||||
parameters 'group', 'point-format', 'encoding', and 'use-cofactor-flag',
|
|
||||||
where the only accepted value for parameter 'encoding' is 'named_curve',
|
|
||||||
and the only accepted value for parameter 'use-cofactor-flag' is '0'.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/provider/ec_keymgmt.c | 10 ++++++++--
|
|
||||||
src/provider/p_ibmca.h | 1 +
|
|
||||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c
|
|
||||||
index d39b1e2..97516f1 100644
|
|
||||||
--- a/src/provider/ec_keymgmt.c
|
|
||||||
+++ b/src/provider/ec_keymgmt.c
|
|
||||||
@@ -928,9 +928,10 @@ static void *ibmca_keymgmt_ec_gen_init(void *vprovctx, int selection,
|
|
||||||
for (p = params; p != NULL && p->key != NULL; p++)
|
|
||||||
ibmca_debug_ctx(provctx, "param: %s", p->key);
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) {
|
|
||||||
+ if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR |
|
|
||||||
+ OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)) == 0) {
|
|
||||||
put_error_ctx(provctx, IBMCA_ERR_INVALID_PARAM,
|
|
||||||
- "selection is not KEYPAIR");
|
|
||||||
+ "selection is not KEYPAIR and/or parameters");
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -943,6 +944,7 @@ static void *ibmca_keymgmt_ec_gen_init(void *vprovctx, int selection,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* set defaults */
|
|
||||||
+ ctx->ec.gen.selection = selection;
|
|
||||||
ctx->ec.gen.curve_nid = NID_undef;
|
|
||||||
ctx->ec.gen.format = POINT_CONVERSION_UNCOMPRESSED;
|
|
||||||
|
|
||||||
@@ -1223,6 +1225,9 @@ static void *ibmca_keymgmt_ec_gen(void *vgenctx, OSSL_CALLBACK *osslcb,
|
|
||||||
|
|
||||||
ibmca_debug_op_ctx(genctx, "prime_size: %lu", key->ec.prime_size);
|
|
||||||
|
|
||||||
+ if ((genctx->ec.gen.selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
key->ec.key = ica_ec_key_new(key->ec.curve_nid, &privlen);
|
|
||||||
if (key->ec.key == NULL || key->ec.prime_size != privlen) {
|
|
||||||
ibmca_debug_op_ctx(genctx, "ica_ec_key_new failed");
|
|
||||||
@@ -1267,6 +1272,7 @@ static void *ibmca_keymgmt_ec_gen(void *vgenctx, OSSL_CALLBACK *osslcb,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+out:
|
|
||||||
ibmca_debug_op_ctx(genctx, "key: %p", key);
|
|
||||||
|
|
||||||
return key;
|
|
||||||
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
|
|
||||||
index fa0e1ee..2b4ff8e 100644
|
|
||||||
--- a/src/provider/p_ibmca.h
|
|
||||||
+++ b/src/provider/p_ibmca.h
|
|
||||||
@@ -216,6 +216,7 @@ struct ibmca_op_ctx {
|
|
||||||
} rsa; /* For type EVP_PKEY_RSA and EVP_PKEY_RSA_PSS */
|
|
||||||
union {
|
|
||||||
struct {
|
|
||||||
+ int selection;
|
|
||||||
int curve_nid;
|
|
||||||
point_conversion_form_t format;
|
|
||||||
} gen; /* For operation EVP_PKEY_OP_KEYGEN */
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From a462093d2478b287cb9a7a25131788eba16b7640 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Fri, 14 Oct 2022 11:31:16 +0200
|
|
||||||
Subject: [PATCH 2/4] engine: EC: Cache ICA key in EC_KEY object
|
|
||||||
|
|
||||||
Creating a new ICA EC key via ica_ec_key_init() is time consuming, because
|
|
||||||
libica performs EC key checks on the key components.
|
|
||||||
|
|
||||||
Currently every sign, verify or derive operation creates a new ICA key, and
|
|
||||||
thus suffers from the long taking EC key checks with every operation.
|
|
||||||
|
|
||||||
Change this to create an ICA key on the first usage of an EC key, and attach
|
|
||||||
the ICA key to the EC_KEY object as ex-data. That way, subsequent operations
|
|
||||||
using the same key will reuse the attached ICA key and do not have to create
|
|
||||||
a new ICA key again.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/engine/e_ibmca.c | 5 +
|
|
||||||
src/engine/ibmca.h | 1 +
|
|
||||||
src/engine/ibmca_ec.c | 411 ++++++++++++++++++++++++++++++------------
|
|
||||||
3 files changed, 306 insertions(+), 111 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
|
|
||||||
index d045828..fe21897 100644
|
|
||||||
--- a/src/engine/e_ibmca.c
|
|
||||||
+++ b/src/engine/e_ibmca.c
|
|
||||||
@@ -833,6 +833,11 @@ static int ibmca_init(ENGINE *e)
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef NO_EC
|
|
||||||
+ if (!ibmca_ec_init())
|
|
||||||
+ goto err;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
if (!set_supported_meths(e))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
|
|
||||||
index 37bdfd8..7281a5b 100644
|
|
||||||
--- a/src/engine/ibmca.h
|
|
||||||
+++ b/src/engine/ibmca.h
|
|
||||||
@@ -298,6 +298,7 @@ void ibmca_dh_destroy(void);
|
|
||||||
#define IBMCA_EC_MAX_Z_LEN IBMCA_EC_MAX_D_LEN
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
+int ibmca_ec_init(void);
|
|
||||||
void ibmca_ec_destroy(void);
|
|
||||||
|
|
||||||
int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
|
||||||
diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
|
|
||||||
index 8bc6cbf..5206ae3 100644
|
|
||||||
--- a/src/engine/ibmca_ec.c
|
|
||||||
+++ b/src/engine/ibmca_ec.c
|
|
||||||
@@ -16,6 +16,7 @@
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <stdlib.h>
|
|
||||||
+#include <pthread.h>
|
|
||||||
#include "ibmca.h"
|
|
||||||
#include "e_ibmca_err.h"
|
|
||||||
|
|
||||||
@@ -31,6 +32,251 @@ ica_ec_key_get_public_key_t p_ica_ec_key_get_public_key;
|
|
||||||
ica_ec_key_get_private_key_t p_ica_ec_key_get_private_key;
|
|
||||||
ica_ec_key_free_t p_ica_ec_key_free;
|
|
||||||
|
|
||||||
+int ec_ex_data_index = -1;
|
|
||||||
+pthread_mutex_t ec_ex_data_mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
||||||
+
|
|
||||||
+struct ibmca_ec_ex_data {
|
|
||||||
+ ICA_EC_KEY *ica_key;
|
|
||||||
+ int nid;
|
|
||||||
+ unsigned int privlen;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+void ibmca_ec_ex_data_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
|
||||||
+ int idx, long argl, void *argp)
|
|
||||||
+{
|
|
||||||
+ struct ibmca_ec_ex_data *data = ptr;
|
|
||||||
+
|
|
||||||
+ if (data == NULL)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ p_ica_ec_key_free(data->ica_key);
|
|
||||||
+ OPENSSL_free(data);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ibmca_ec_ex_data_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
+#ifdef OPENSSL_VERSION_PREREQ
|
|
||||||
+ void **pptr, int idx, long argl, void *argp)
|
|
||||||
+#else
|
|
||||||
+ void *from_d, int idx, long argl, void *argp)
|
|
||||||
+#endif
|
|
||||||
+{
|
|
||||||
+#ifndef OPENSSL_VERSION_PREREQ
|
|
||||||
+ void **pptr = (void **)from_d;
|
|
||||||
+#endif
|
|
||||||
+ struct ibmca_ec_ex_data *from_data;
|
|
||||||
+ struct ibmca_ec_ex_data *to_data;
|
|
||||||
+ unsigned char Q[2 * IBMCA_EC_MAX_D_LEN];
|
|
||||||
+ unsigned char D[IBMCA_EC_MAX_D_LEN];
|
|
||||||
+ unsigned int len;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ if (pptr == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ from_data = (struct ibmca_ec_ex_data *)*pptr;
|
|
||||||
+ if (from_data == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ to_data = OPENSSL_zalloc(sizeof(*to_data));
|
|
||||||
+ if (to_data == NULL) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ to_data->nid = from_data->nid;
|
|
||||||
+ to_data->ica_key = p_ica_ec_key_new(to_data->nid, &to_data->privlen);
|
|
||||||
+ if (to_data->ica_key == NULL) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_ICA_EC_KEY_INIT);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (p_ica_ec_key_get_private_key(from_data->ica_key, D, &len) == 0) {
|
|
||||||
+ rc = p_ica_ec_key_init(NULL, NULL, D, to_data->ica_key);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (p_ica_ec_key_get_public_key(from_data->ica_key, Q, &len) == 0) {
|
|
||||||
+ rc = p_ica_ec_key_init(Q, Q + to_data->privlen, NULL, to_data->ica_key);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *pptr = to_data;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+error:
|
|
||||||
+ if (to_data->ica_key != NULL)
|
|
||||||
+ p_ica_ec_key_free(to_data->ica_key);
|
|
||||||
+ OPENSSL_free(to_data);
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static ICA_EC_KEY *ibmca_ec_make_ica_key(EC_KEY *ec_key, int *nid,
|
|
||||||
+ unsigned int *privlen)
|
|
||||||
+{
|
|
||||||
+ ICA_EC_KEY *icakey;
|
|
||||||
+ const EC_GROUP *group;
|
|
||||||
+ const EC_POINT *q;
|
|
||||||
+ const BIGNUM *bn_d;
|
|
||||||
+ BIGNUM *bn_x = NULL, *bn_y = NULL;
|
|
||||||
+ unsigned char D[IBMCA_EC_MAX_D_LEN];
|
|
||||||
+ unsigned char X[IBMCA_EC_MAX_D_LEN];
|
|
||||||
+ unsigned char Y[IBMCA_EC_MAX_D_LEN];
|
|
||||||
+ int rc, n;
|
|
||||||
+
|
|
||||||
+ /* Get group */
|
|
||||||
+ if ((group = EC_KEY_get0_group(ec_key)) == NULL) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INVALID_PARM);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Get curve nid */
|
|
||||||
+ *nid = EC_GROUP_get_curve_name(group);
|
|
||||||
+ if (*nid <= 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_UNSUPPORTED_CURVE);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Create ICA_EC_KEY object */
|
|
||||||
+ icakey = p_ica_ec_key_new(*nid, privlen);
|
|
||||||
+ if (icakey == NULL) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_ICA_EC_KEY_INIT);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Get private (D) value from EC_KEY (if available) */
|
|
||||||
+ bn_d = EC_KEY_get0_private_key(ec_key);
|
|
||||||
+ if (bn_d != NULL) {
|
|
||||||
+ /* Format (D) as char array, with leading zeros if necessary */
|
|
||||||
+ n = *privlen - BN_num_bytes(bn_d);
|
|
||||||
+ memset(D, 0, n);
|
|
||||||
+ BN_bn2bin(bn_d, &(D[n]));
|
|
||||||
+
|
|
||||||
+ /* Initialize private ICA_EC_KEY */
|
|
||||||
+ rc = p_ica_ec_key_init(NULL, NULL, D, icakey);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Get public (X and Y) values from EC_KEY (if available) */
|
|
||||||
+ q = EC_KEY_get0_public_key(ec_key);
|
|
||||||
+ if (q != NULL) {
|
|
||||||
+ /* Provide public key (X,Y) */
|
|
||||||
+ bn_x = BN_new();
|
|
||||||
+ bn_y = BN_new();
|
|
||||||
+ if (!EC_POINT_get_affine_coordinates_GFp(group, q, bn_x, bn_y, NULL)) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Format (X) as char array with leading nulls if necessary */
|
|
||||||
+ n = *privlen - BN_num_bytes(bn_x);
|
|
||||||
+ memset(X, 0, n);
|
|
||||||
+ BN_bn2bin(bn_x, &X[n]);
|
|
||||||
+
|
|
||||||
+ /* Format (Y) as char array with leading nulls if necessary */
|
|
||||||
+ n = *privlen - BN_num_bytes(bn_y);
|
|
||||||
+ memset(Y, 0, n);
|
|
||||||
+ BN_bn2bin(bn_y, &Y[n]);
|
|
||||||
+
|
|
||||||
+ /* Initialize public ICA_EC_KEY */
|
|
||||||
+ rc = p_ica_ec_key_init(X, Y, NULL, icakey);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ BN_clear_free(bn_x);
|
|
||||||
+ BN_clear_free(bn_y);
|
|
||||||
+
|
|
||||||
+ return icakey;
|
|
||||||
+
|
|
||||||
+error:
|
|
||||||
+ p_ica_ec_key_free(icakey);
|
|
||||||
+ icakey = NULL;
|
|
||||||
+ goto out;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static ICA_EC_KEY *ibmca_ec_make_and_cache_ica_key(EC_KEY *ec_key,
|
|
||||||
+ unsigned int *privlen)
|
|
||||||
+{
|
|
||||||
+ struct ibmca_ec_ex_data *data, *data2;
|
|
||||||
+
|
|
||||||
+ data = OPENSSL_zalloc(sizeof(*data));
|
|
||||||
+ if (data == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ data->ica_key = ibmca_ec_make_ica_key(ec_key, &data->nid, &data->privlen);
|
|
||||||
+ if (data->ica_key == NULL) {
|
|
||||||
+ OPENSSL_free(data);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Note that another thread could have allocated and set the ex_data for
|
|
||||||
+ * that key after the caller of this function has checked if there is
|
|
||||||
+ * already ex_data available for the key. So once we have the lock, we
|
|
||||||
+ * check again, and if there now is ex_data available, we return the
|
|
||||||
+ * ICA key from the ex_data, and free the one just created.
|
|
||||||
+ */
|
|
||||||
+ if (pthread_mutex_lock(&ec_ex_data_mutex) != 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data2 = EC_KEY_get_ex_data(ec_key, ec_ex_data_index);
|
|
||||||
+ if (data2 != NULL) {
|
|
||||||
+ pthread_mutex_unlock(&ec_ex_data_mutex);
|
|
||||||
+
|
|
||||||
+ p_ica_ec_key_free(data->ica_key);
|
|
||||||
+ OPENSSL_free(data);
|
|
||||||
+
|
|
||||||
+ *privlen = data2->privlen;
|
|
||||||
+
|
|
||||||
+ return data2->ica_key;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (EC_KEY_set_ex_data(ec_key, ec_ex_data_index, data) != 1) {
|
|
||||||
+ IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
+ pthread_mutex_unlock(&ec_ex_data_mutex);
|
|
||||||
+ OPENSSL_free(data);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pthread_mutex_unlock(&ec_ex_data_mutex);
|
|
||||||
+
|
|
||||||
+ *privlen = data->privlen;
|
|
||||||
+
|
|
||||||
+ return data->ica_key;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ibmca_ec_init(void)
|
|
||||||
+{
|
|
||||||
+#ifdef OLDER_OPENSSL
|
|
||||||
+ return 0;
|
|
||||||
+#else
|
|
||||||
+ ec_ex_data_index = EC_KEY_get_ex_new_index(0, NULL, NULL,
|
|
||||||
+ ibmca_ec_ex_data_dup,
|
|
||||||
+ ibmca_ec_ex_data_free);
|
|
||||||
+ if (ec_ex_data_index < 0) {
|
|
||||||
+ IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void ibmca_ec_destroy(void)
|
|
||||||
{
|
|
||||||
#ifdef OLDER_OPENSSL
|
|
||||||
@@ -39,6 +285,10 @@ void ibmca_ec_destroy(void)
|
|
||||||
if (ibmca_ecdh)
|
|
||||||
ECDSA_METHOD_free(ibmca_ecdsa);
|
|
||||||
#else
|
|
||||||
+ if (ec_ex_data_index >= 0) {
|
|
||||||
+ CRYPTO_free_ex_index(CRYPTO_EX_INDEX_EC_KEY, ec_ex_data_index);
|
|
||||||
+ ec_ex_data_index = -1;
|
|
||||||
+ }
|
|
||||||
if (ibmca_ec)
|
|
||||||
EC_KEY_METHOD_free(ibmca_ec);
|
|
||||||
#endif
|
|
||||||
@@ -55,17 +305,17 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
|
||||||
{
|
|
||||||
ICA_EC_KEY *ica_pubkey = NULL, *ica_privkey = NULL;
|
|
||||||
const EC_GROUP *group;
|
|
||||||
- BIGNUM *bn_d, *bn_x, *bn_y;
|
|
||||||
+ BIGNUM *bn_x = NULL, *bn_y = NULL;
|
|
||||||
unsigned int n, privlen;
|
|
||||||
unsigned char X[IBMCA_EC_MAX_D_LEN];
|
|
||||||
unsigned char Y[IBMCA_EC_MAX_D_LEN];
|
|
||||||
- unsigned char D[IBMCA_EC_MAX_D_LEN];
|
|
||||||
unsigned char *z_buf = NULL;
|
|
||||||
int rc, ret = 0, nid;
|
|
||||||
#ifndef OLDER_OPENSSL
|
|
||||||
int (*compute_key_sw)(unsigned char **pout, size_t *poutlen,
|
|
||||||
const EC_POINT *pub_key, const EC_KEY *ecdh) = NULL;
|
|
||||||
#endif
|
|
||||||
+ struct ibmca_ec_ex_data *data = EC_KEY_get_ex_data(ecdh, ec_ex_data_index);
|
|
||||||
|
|
||||||
/* Get group from EC_KEY */
|
|
||||||
if ((group = EC_KEY_get0_group(ecdh)) == NULL) {
|
|
||||||
@@ -76,10 +326,40 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
|
||||||
/* Determine curve nid */
|
|
||||||
nid = EC_GROUP_get_curve_name(group);
|
|
||||||
if (nid <= 0) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
+ IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_UNSUPPORTED_CURVE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (data != NULL) {
|
|
||||||
+ ica_privkey = data->ica_key;
|
|
||||||
+ privlen = data->privlen;
|
|
||||||
+ goto do_derive;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Create ICA_EC_KEY object for private key */
|
|
||||||
+ ica_privkey = ibmca_ec_make_and_cache_ica_key((EC_KEY*)ecdh, &privlen);
|
|
||||||
+ if (ica_privkey == NULL) {
|
|
||||||
+ /* This curve is not supported by libica. */
|
|
||||||
+ #ifdef OLDER_OPENSSL
|
|
||||||
return 0;
|
|
||||||
+ #else
|
|
||||||
+ /*
|
|
||||||
+ * EC_KEY_METHOD_get_compute_key misses the const-qualifier of the
|
|
||||||
+ * parameter in some openssl versions.
|
|
||||||
+ */
|
|
||||||
+ EC_KEY_METHOD_get_compute_key((EC_KEY_METHOD *)ossl_ec,
|
|
||||||
+ &compute_key_sw);
|
|
||||||
+ if (compute_key_sw == NULL) {
|
|
||||||
+ IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY,
|
|
||||||
+ IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return compute_key_sw(pout, poutlen, pub_key, ecdh);
|
|
||||||
+ #endif
|
|
||||||
}
|
|
||||||
|
|
||||||
+do_derive:
|
|
||||||
/* Create ICA_EC_KEY object for public key */
|
|
||||||
ica_pubkey = p_ica_ec_key_new(nid, &privlen);
|
|
||||||
if (ica_pubkey == NULL) {
|
|
||||||
@@ -128,32 +408,6 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Create ICA_EC_KEY object for private key */
|
|
||||||
- ica_privkey = p_ica_ec_key_new(nid, &privlen);
|
|
||||||
- if (!ica_privkey) {
|
|
||||||
- IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Get private (D) value from EC_KEY */
|
|
||||||
- bn_d = (BIGNUM*)EC_KEY_get0_private_key((EC_KEY*)ecdh);
|
|
||||||
- if (bn_d == NULL) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Format (D) as char array, with leading zeros if necessary */
|
|
||||||
- n = privlen - BN_num_bytes(bn_d);
|
|
||||||
- memset(D, 0, n);
|
|
||||||
- BN_bn2bin(bn_d, &(D[n]));
|
|
||||||
-
|
|
||||||
- /* Initialize private ICA_EC_KEY with (D) */
|
|
||||||
- rc = p_ica_ec_key_init(NULL, NULL, D, ica_privkey);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Allocate memory for shared secret z, will be freed by caller */
|
|
||||||
if ((z_buf = OPENSSL_malloc(privlen)) == NULL) {
|
|
||||||
IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
@@ -193,7 +447,6 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
|
||||||
|
|
||||||
end:
|
|
||||||
p_ica_ec_key_free(ica_pubkey);
|
|
||||||
- p_ica_ec_key_free(ica_privkey);
|
|
||||||
BN_clear_free(bn_x);
|
|
||||||
BN_clear_free(bn_y);
|
|
||||||
return ret;
|
|
||||||
@@ -210,12 +463,10 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
{
|
|
||||||
ECDSA_SIG *sig = NULL;
|
|
||||||
ICA_EC_KEY *icakey = NULL;
|
|
||||||
- const EC_GROUP *group;
|
|
||||||
unsigned int privlen;
|
|
||||||
- BIGNUM *r, *s, *bn_d, *kinv;
|
|
||||||
- unsigned char D[IBMCA_EC_MAX_D_LEN];
|
|
||||||
+ BIGNUM *r, *s, *kinv;
|
|
||||||
unsigned char sigret[IBMCA_EC_MAX_SIG_LEN];
|
|
||||||
- int n, nid, rc;
|
|
||||||
+ int rc;
|
|
||||||
#ifndef OLDER_OPENSSL
|
|
||||||
int (*sign_sw)(int type, const unsigned char *dgst, int dlen,
|
|
||||||
unsigned char *sig, unsigned int *siglen,
|
|
||||||
@@ -227,6 +478,7 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
||||||
EC_KEY *eckey) = NULL;
|
|
||||||
BN_CTX *ctx;
|
|
||||||
+ struct ibmca_ec_ex_data *data = EC_KEY_get_ex_data(eckey, ec_ex_data_index);
|
|
||||||
|
|
||||||
/* Check parms: precomputed (k,r) are not supported by ibmca */
|
|
||||||
if (in_kinv != NULL || in_r != NULL) {
|
|
||||||
@@ -234,12 +486,6 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Get group */
|
|
||||||
- if ((group = EC_KEY_get0_group(eckey)) == NULL) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INVALID_PARM);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Check if key usable */
|
|
||||||
#ifndef OLDER_OPENSSL
|
|
||||||
if (!EC_KEY_can_sign(eckey)) {
|
|
||||||
@@ -249,15 +495,14 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- /* Get curve nid */
|
|
||||||
- nid = EC_GROUP_get_curve_name(group);
|
|
||||||
- if (nid <= 0) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_UNSUPPORTED_CURVE);
|
|
||||||
- return NULL;
|
|
||||||
+ if (data != NULL) {
|
|
||||||
+ icakey = data->ica_key;
|
|
||||||
+ privlen = data->privlen;
|
|
||||||
+ goto do_sign;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Create ICA_EC_KEY object */
|
|
||||||
- icakey = p_ica_ec_key_new(nid, &privlen);
|
|
||||||
+ icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
|
|
||||||
if (icakey == NULL) {
|
|
||||||
/* This curve is not supported by libica. */
|
|
||||||
#ifdef OLDER_OPENSSL
|
|
||||||
@@ -287,25 +532,7 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
return sig;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Get private (D) value from EC_KEY */
|
|
||||||
- bn_d = (BIGNUM*)EC_KEY_get0_private_key(eckey);
|
|
||||||
- if (bn_d == NULL) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Format (D) as char array, with leading zeros if necessary */
|
|
||||||
- n = privlen - BN_num_bytes(bn_d);
|
|
||||||
- memset(D, 0, n);
|
|
||||||
- BN_bn2bin(bn_d, &(D[n]));
|
|
||||||
-
|
|
||||||
- /* Initialize private ICA_EC_KEY */
|
|
||||||
- rc = p_ica_ec_key_init(NULL, NULL, D, icakey);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
+do_sign:
|
|
||||||
/* Call libica signing routine */
|
|
||||||
rc = p_ica_ecdsa_sign(ibmca_handle, icakey, dgst, dgst_len, sigret,
|
|
||||||
sizeof(sigret));
|
|
||||||
@@ -343,7 +570,6 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
s = BN_bin2bn(sigret + privlen, privlen, NULL);
|
|
||||||
sig = ECDSA_SIG_new();
|
|
||||||
|
|
||||||
-end:
|
|
||||||
#ifndef OLDER_OPENSSL
|
|
||||||
if (sig)
|
|
||||||
ECDSA_SIG_set0(sig, r, s);
|
|
||||||
@@ -357,7 +583,6 @@ end:
|
|
||||||
#endif
|
|
||||||
|
|
||||||
end2:
|
|
||||||
- p_ica_ec_key_free(icakey);
|
|
||||||
return sig;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -372,16 +597,12 @@ end2:
|
|
||||||
int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
const ECDSA_SIG *sig, EC_KEY *eckey)
|
|
||||||
{
|
|
||||||
- const EC_GROUP *group;
|
|
||||||
- const EC_POINT *q;
|
|
||||||
- unsigned char x_array[IBMCA_EC_MAX_D_LEN];
|
|
||||||
- unsigned char y_array[IBMCA_EC_MAX_D_LEN];
|
|
||||||
unsigned char sig_array[IBMCA_EC_MAX_Q_LEN];
|
|
||||||
BIGNUM *bn_x = NULL, *bn_y = NULL;
|
|
||||||
const BIGNUM *bn_r, *bn_s;
|
|
||||||
unsigned int privlen;
|
|
||||||
ICA_EC_KEY *icakey = NULL;
|
|
||||||
- int rc, n, nid;
|
|
||||||
+ int rc, n;
|
|
||||||
int ret = -1;
|
|
||||||
#ifndef OLDER_OPENSSL
|
|
||||||
int (*verify_sw)(int type, const unsigned char *dgst, int dgst_len,
|
|
||||||
@@ -389,6 +610,7 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
#endif
|
|
||||||
int (*verify_sig_sw)(const unsigned char *dgst, int dgst_len,
|
|
||||||
const ECDSA_SIG *sig, EC_KEY *eckey) = NULL;
|
|
||||||
+ struct ibmca_ec_ex_data *data = EC_KEY_get_ex_data(eckey, ec_ex_data_index);
|
|
||||||
|
|
||||||
/* Check parms */
|
|
||||||
if (eckey == NULL || sig == NULL) {
|
|
||||||
@@ -404,21 +626,14 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- /* Get group */
|
|
||||||
- if ((group = EC_KEY_get0_group(eckey)) == NULL) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Get curve nid */
|
|
||||||
- nid = EC_GROUP_get_curve_name(group);
|
|
||||||
- if (nid <= 0) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_UNSUPPORTED_CURVE);
|
|
||||||
- return ret;
|
|
||||||
+ if (data != NULL) {
|
|
||||||
+ icakey = data->ica_key;
|
|
||||||
+ privlen = data->privlen;
|
|
||||||
+ goto do_verify;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Create ICA_EC_KEY object */
|
|
||||||
- icakey = p_ica_ec_key_new(nid, &privlen);
|
|
||||||
+ icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
|
|
||||||
if (icakey == NULL) {
|
|
||||||
/* This curve is not supported by libica. */
|
|
||||||
#ifdef OLDER_OPENSSL
|
|
||||||
@@ -440,32 +655,7 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
return verify_sig_sw(dgst, dgst_len, sig, eckey);
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Provide public key (X,Y) */
|
|
||||||
- bn_x = BN_new();
|
|
||||||
- bn_y = BN_new();
|
|
||||||
- q = EC_KEY_get0_public_key(eckey);
|
|
||||||
- if (!EC_POINT_get_affine_coordinates_GFp(group, q, bn_x, bn_y, NULL)) {
|
|
||||||
- IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Format (X) as char array with leading nulls if necessary */
|
|
||||||
- n = privlen - BN_num_bytes(bn_x);
|
|
||||||
- memset(x_array, 0, n);
|
|
||||||
- BN_bn2bin(bn_x, &(x_array[n]));
|
|
||||||
-
|
|
||||||
- /* Format (Y) as char array with leading nulls if necessary */
|
|
||||||
- n = privlen - BN_num_bytes(bn_y);
|
|
||||||
- memset(y_array, 0, n);
|
|
||||||
- BN_bn2bin(bn_y, &(y_array[n]));
|
|
||||||
-
|
|
||||||
- /* Initialize ICA_EC_KEY */
|
|
||||||
- rc = p_ica_ec_key_init(x_array, y_array, NULL, icakey);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
+do_verify:
|
|
||||||
/* Get (r,s) from ECDSA_SIG */
|
|
||||||
#ifdef OLDER_OPENSSL
|
|
||||||
bn_r = sig->r;
|
|
||||||
@@ -517,7 +707,6 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
||||||
}
|
|
||||||
|
|
||||||
end:
|
|
||||||
- p_ica_ec_key_free(icakey);
|
|
||||||
BN_clear_free(bn_x);
|
|
||||||
BN_clear_free(bn_y);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From 072e32bb199ff772148f1cbe0b2faadf9ab33c12 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
Date: Thu, 27 Oct 2022 16:13:01 +0200
|
|
||||||
Subject: [PATCH 3/4] provider: Fix configuration script
|
|
||||||
|
|
||||||
Small typo in the configuration script created an invalid configuration.
|
|
||||||
|
|
||||||
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/provider/ibmca-provider-opensslconfig | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
index 21ed6f6..d45428e 100755
|
|
||||||
--- a/src/provider/ibmca-provider-opensslconfig
|
|
||||||
+++ b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
@@ -83,7 +83,7 @@ sub generate()
|
|
||||||
}
|
|
||||||
if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
|
|
||||||
print $oh "ibmca_provider = ibmca_provider_section\n";
|
|
||||||
- print $oh # Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
print "WARNING: The IBMCA provider was added to section [$providersect].\n";
|
|
||||||
print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From e90203dbc9bf0d9a4488af470adf11852860991a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
Date: Wed, 2 Nov 2022 14:29:35 +0100
|
|
||||||
Subject: [PATCH 4/4] provider: Fix order of providers in configuration
|
|
||||||
|
|
||||||
Since libica requires a provider that supports HMAC to be loaded and
|
|
||||||
available, fix the order of providers loaded by our sample configuration
|
|
||||||
generator. The "default" provider has to come first such that libica can do
|
|
||||||
the file integrity test with a HMAC provided by this provider when being
|
|
||||||
loaded via the ibmca provider.
|
|
||||||
|
|
||||||
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/provider/ibmca-provider-opensslconfig | 23 +++++++++++++++--------
|
|
||||||
1 file changed, 15 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
index d45428e..d87fa8e 100755
|
|
||||||
--- a/src/provider/ibmca-provider-opensslconfig
|
|
||||||
+++ b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
@@ -30,7 +30,7 @@ use warnings;
|
|
||||||
sub generate()
|
|
||||||
{
|
|
||||||
my ($osslconfpath);
|
|
||||||
- my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect);
|
|
||||||
+ my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect, $inprovidersect);
|
|
||||||
my ($inalgsect, $algsection);
|
|
||||||
|
|
||||||
$osslconfpath = `openssl version -d` || die "Please install openssl binary";
|
|
||||||
@@ -43,6 +43,7 @@ sub generate()
|
|
||||||
$defaultcnfsect = undef;
|
|
||||||
$indefaultsect = 0;
|
|
||||||
$providersect = undef;
|
|
||||||
+ $inprovidersect = 0;
|
|
||||||
while ($line = <$ih>) {
|
|
||||||
if ($line =~ /openssl_conf\s*=\s*(.*)/) {
|
|
||||||
$defaultcnfsect = $1;
|
|
||||||
@@ -67,13 +68,22 @@ sub generate()
|
|
||||||
} elsif ($inalgsect) {
|
|
||||||
if ($line =~ /\[\s*\w+\s*\]/) {
|
|
||||||
print $oh "default_properties = ?provider=ibmca\n";
|
|
||||||
+ $inalgsect = 0;
|
|
||||||
} elsif ($line =~ /^\s*default_properties\s*=\s*(\w+)\s*/) {
|
|
||||||
print $oh "default_properties = ?provider=ibmca\n";
|
|
||||||
print $oh "# The following was commented out by ibmca-provider-opensslconfig script\n";
|
|
||||||
print "WARNING: The default_properties in $algsection was modified by this script.\n";
|
|
||||||
$line = "# $line";
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
+ } elsif ($inprovidersect) {
|
|
||||||
+ if ($line =~ /\[\s*\w+\s*\]/) {
|
|
||||||
+ $inprovidersect = 0;
|
|
||||||
+ print $oh "ibmca_provider = ibmca_provider_section\n";
|
|
||||||
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
+ print "WARNING: The IBMCA provider was added to section [$providersect].\n";
|
|
||||||
+ print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
print $oh "$line";
|
|
||||||
if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) {
|
|
||||||
$indefaultsect = 1;
|
|
||||||
@@ -81,11 +91,8 @@ sub generate()
|
|
||||||
if ($algsection && $line =~ /\[\s*$algsection\s*\]/) {
|
|
||||||
$inalgsect = 1;
|
|
||||||
}
|
|
||||||
- if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
|
|
||||||
- print $oh "ibmca_provider = ibmca_provider_section\n";
|
|
||||||
- print $oh "# Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
- print "WARNING: The IBMCA provider was added to section [$providersect].\n";
|
|
||||||
- print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
|
|
||||||
+ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
|
|
||||||
+ $inprovidersect = 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -100,8 +107,8 @@ providers = provider_section
|
|
||||||
if (!$providersect) {
|
|
||||||
print $oh qq|
|
|
||||||
[provider_section]
|
|
||||||
-ibmca_provider = ibmca_provider_section
|
|
||||||
default = default_sect
|
|
||||||
+ibmca_provider = ibmca_provider_section
|
|
||||||
|
|
||||||
[default_sect]
|
|
||||||
activate = 1
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
@ -1,29 +1,18 @@
|
|||||||
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
||||||
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
|
|
||||||
|
|
||||||
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
|
|
||||||
%global with_openssl3 1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
Summary: A dynamic OpenSSL engine for IBMCA
|
Summary: A dynamic OpenSSL engine for IBMCA
|
||||||
Name: openssl-ibmca
|
Name: openssl-ibmca
|
||||||
Version: 2.3.1
|
Version: 2.4.1
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
|
Group: System Environment/Libraries
|
||||||
URL: https://github.com/opencryptoki
|
URL: https://github.com/opencryptoki
|
||||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
# post GA fixes
|
Requires: libica >= 3.8.0
|
||||||
Patch0: %{name}-%{version}-fixes.patch
|
|
||||||
# warn the user about engine being deprecated
|
|
||||||
Patch1: %{name}-2.3.1-engine-warning.patch
|
|
||||||
Requires: libica >= 4.0.0
|
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libica-devel >= 4.0.0
|
BuildRequires: libica-devel >= 3.8.0
|
||||||
BuildRequires: automake libtool
|
BuildRequires: automake libtool
|
||||||
BuildRequires: openssl >= 3.0.5
|
BuildRequires: openssl
|
||||||
BuildRequires: perl(FindBin)
|
|
||||||
ExclusiveArch: s390 s390x
|
ExclusiveArch: s390 s390x
|
||||||
|
|
||||||
|
|
||||||
@ -38,22 +27,16 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
|
|||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
|
%configure --libdir=%{enginesdir} --with-libica-version=3
|
||||||
%make_build
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
rm -f %{buildroot}%{enginesdir}/*.la
|
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
|
||||||
|
|
||||||
%if 0%{?with_openssl3}
|
|
||||||
# provider is built when openssl3 is available, fix its location
|
|
||||||
mkdir -p %{buildroot}%{modulesdir}
|
|
||||||
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
|
|
||||||
%endif
|
|
||||||
|
|
||||||
pushd src/engine
|
pushd src/engine
|
||||||
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
|
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# remove generated sample configs
|
# remove generated sample configs
|
||||||
@ -66,89 +49,60 @@ make check
|
|||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc ChangeLog README.md src/engine/openssl.cnf.sample
|
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
|
||||||
%doc src/engine/ibmca-engine-opensslconfig
|
|
||||||
%doc src/provider/ibmca-provider-opensslconfig
|
|
||||||
%{enginesdir}/ibmca.so
|
%{enginesdir}/ibmca.so
|
||||||
%{_mandir}/man5/ibmca.5*
|
%{_mandir}/man5/ibmca.5*
|
||||||
%if 0%{?with_openssl3}
|
|
||||||
%{modulesdir}/ibmca-provider.so
|
|
||||||
%{_mandir}/man5/ibmca-provider.5*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
|
* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
|
||||||
- fix provider configuration script (#2140028)
|
- updated to 2.4.1 (RHEL-11410)
|
||||||
- Resolves: #2140028
|
- Resolves: RHEL-11410
|
||||||
|
|
||||||
* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
|
* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
||||||
- updated to 2.3.1 (#2110378)
|
- engine: Only register those algos specified with default_algorithms (#2221891)
|
||||||
- Resolves: #2110378
|
- Resolves: #2221891
|
||||||
|
|
||||||
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
|
* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
|
||||||
- updated to 2.3.0 (#2044177)
|
- updated to 2.4.0 (#2159722)
|
||||||
- add provider for openssl 3.x (#2044185)
|
- Resolves: #2159722
|
||||||
- Resolves: #2044177 #2044185
|
|
||||||
|
|
||||||
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
|
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
|
||||||
- updated to 2.2.2 (#2016989)
|
- updated to 2.3.1 (#2110379)
|
||||||
- Resolves: #2016989
|
- Resolves: #2110379
|
||||||
|
|
||||||
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
|
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
|
||||||
- updated to 2.2.1 (#2016989)
|
- updated to 2.3.0 (#2043842)
|
||||||
|
- Resolves: #2043842
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
|
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- updated to 2.2.1 (#1984971)
|
||||||
Related: rhbz#1991688
|
- Resolves: #1984971
|
||||||
|
|
||||||
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
||||||
- fix DSA and DH registration (#1989380)
|
- fix DSA and DH registration (#1989064)
|
||||||
- Resolves: #1989380
|
- Resolves: #1989064
|
||||||
|
|
||||||
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
|
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
|
||||||
- updated to 2.2.0 (#1869531)
|
- updated to 2.2.0 (#1919222)
|
||||||
- eliminate SW fallback functions (#1924117)
|
- do not use libica software fallbacks (#1922204)
|
||||||
- Resolves: #1869531 #1924117
|
- Resolves: #1919222 #1922204
|
||||||
|
|
||||||
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
|
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
|
||||||
- updated to 2.1.2
|
- updated to 2.1.1 (#1780306)
|
||||||
|
- Resolves: #1780306
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
|
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- updated to 2.1.0 (#1726242)
|
||||||
|
- Resolves: #1726242, #1723854
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
|
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- updated to 2.0.3 (#1666622)
|
||||||
|
- Resolves: #1666622 #1659427 #1683099
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
|
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Fix doing rsa-me, altough rsa-crt would be possible
|
||||||
|
- Resolves: #1655654
|
||||||
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
|
|
||||||
- updated to 2.1.1
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
|
|
||||||
- updated to 2.1.0
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
|
|
||||||
- updated to 2.0.3
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
|
|
||||||
- updated to 2.0.2
|
|
||||||
|
|
||||||
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
|
|
||||||
- run upstream test-suite during build
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
||||||
- updated to 2.0.0
|
- updated to 2.0.0
|
||||||
|
Loading…
Reference in New Issue
Block a user