Compare commits
No commits in common. "imports/c9/openssl-ibmca-2.3.0-1.el9_1.1" and "c8" have entirely different histories.
imports/c9
...
c8
|
@ -1 +1 @@
|
||||||
SOURCES/openssl-ibmca-2.3.0.tar.gz
|
SOURCES/openssl-ibmca-2.3.1.tar.gz
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
826976fdb0a4de24affe6b7c6678665bea8cdda0 SOURCES/openssl-ibmca-2.3.0.tar.gz
|
5e5ac182d30787788c94b5dcdf9a3a21d209bbaf SOURCES/openssl-ibmca-2.3.1.tar.gz
|
||||||
|
|
|
@ -1,689 +0,0 @@
|
||||||
From 1a75586c2821a55deeaa76861b1fc0539e6a3ca1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Fri, 1 Apr 2022 10:47:45 +0200
|
|
||||||
Subject: [PATCH 1/5] SPEC: Fix version number in provider-spec file
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
openssl-ibmca-provider.spec | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/openssl-ibmca-provider.spec b/openssl-ibmca-provider.spec
|
|
||||||
index a3ef1a6..6c95b54 100644
|
|
||||||
--- a/openssl-ibmca-provider.spec
|
|
||||||
+++ b/openssl-ibmca-provider.spec
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
# %global modulesdir %(pkg-config --variable=modulesdir libcrypto)
|
|
||||||
|
|
||||||
Name: openssl-ibmca
|
|
||||||
-Version: 2.2.3
|
|
||||||
+Version: 2.3.0
|
|
||||||
Release: 1%{?dist}
|
|
||||||
Summary: An IBMCA OpenSSL dynamic provider
|
|
||||||
|
|
||||||
@@ -45,6 +45,10 @@ mv -f src/provider/openssl.cnf.sample src/provider/openssl.cnf.sample.%{_arch}
|
|
||||||
%dir %attr(777,root,root) %{_localstatedir}/log/ibmca
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
+* Fri Mar 25 2022 Juergen Christ <jchrist@linux.ibm.com> 2.3.0
|
|
||||||
+- First version including the provider
|
|
||||||
+- Fix for engine build without OpenSSL 3.0 sources
|
|
||||||
+
|
|
||||||
* Wed March 3 2022 Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
- Add provider support
|
|
||||||
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From 76341149f2102bb628da61c2653e5911ddb81084 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
Date: Thu, 7 Apr 2022 12:32:36 +0200
|
|
||||||
Subject: [PATCH 2/5] Adjust to new libica.
|
|
||||||
|
|
||||||
libica recently added function ica_cleanup to be called to free internal
|
|
||||||
OpenSSL 3.0 resources. This collided with our internal ica_cleanup function.
|
|
||||||
Rename that and call ica_cleanup if present.
|
|
||||||
|
|
||||||
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
---
|
|
||||||
configure.ac | 2 ++
|
|
||||||
src/engine/e_ibmca.c | 13 ++++++++++---
|
|
||||||
src/engine/ibmca.h | 3 +++
|
|
||||||
src/provider/p_ibmca.c | 3 +++
|
|
||||||
4 files changed, 18 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 46ad10e..6434056 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -130,6 +130,8 @@ if test "x$enable_provider" = xyes; then
|
|
||||||
[#include <ica_api.h>])
|
|
||||||
fi
|
|
||||||
|
|
||||||
+AC_CHECK_DECLS([ica_cleanup],,,[#include <ica_api.h>])
|
|
||||||
+
|
|
||||||
AC_CONFIG_FILES([
|
|
||||||
Makefile
|
|
||||||
src/Makefile
|
|
||||||
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
|
|
||||||
index ef17349..7335246 100644
|
|
||||||
--- a/src/engine/e_ibmca.c
|
|
||||||
+++ b/src/engine/e_ibmca.c
|
|
||||||
@@ -102,6 +102,7 @@ ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize;
|
|
||||||
ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
|
|
||||||
ica_aes_gcm_last_t p_ica_aes_gcm_last;
|
|
||||||
#endif
|
|
||||||
+ica_cleanup_t p_ica_cleanup;
|
|
||||||
|
|
||||||
/* save libcrypto's default ec methods */
|
|
||||||
#ifndef NO_EC
|
|
||||||
@@ -652,8 +653,10 @@ static void ibmca_destructor(void)
|
|
||||||
free((void *)LIBICA_NAME);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void ica_cleanup(void)
|
|
||||||
+static void do_ica_cleanup(void)
|
|
||||||
{
|
|
||||||
+ if (p_ica_cleanup)
|
|
||||||
+ p_ica_cleanup();
|
|
||||||
if (ibmca_dso && dlclose(ibmca_dso)) {
|
|
||||||
IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE);
|
|
||||||
return;
|
|
||||||
@@ -725,6 +728,7 @@ static void ica_cleanup(void)
|
|
||||||
p_ica_x448_ctx_del = NULL;
|
|
||||||
p_ica_ed25519_ctx_del = NULL;
|
|
||||||
p_ica_ed448_ctx_del = NULL;
|
|
||||||
+ p_ica_cleanup = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int ibmca_init(ENGINE *e)
|
|
||||||
@@ -806,6 +810,9 @@ static int ibmca_init(ENGINE *e)
|
|
||||||
BIND(ibmca_dso, ica_ed25519_ctx_del);
|
|
||||||
BIND(ibmca_dso, ica_ed448_ctx_del);
|
|
||||||
|
|
||||||
+ /* ica_cleanup is not always present and only needed for newer libraries */
|
|
||||||
+ p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
|
|
||||||
+
|
|
||||||
/* disable fallbacks on Libica */
|
|
||||||
if (BIND(ibmca_dso, ica_set_fallback_mode))
|
|
||||||
p_ica_set_fallback_mode(0);
|
|
||||||
@@ -821,7 +828,7 @@ static int ibmca_init(ENGINE *e)
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
err:
|
|
||||||
- ica_cleanup();
|
|
||||||
+ do_ica_cleanup();
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -884,7 +891,7 @@ static int ibmca_finish(ENGINE *e)
|
|
||||||
if (p_ica_close_adapter)
|
|
||||||
p_ica_close_adapter(ibmca_handle);
|
|
||||||
|
|
||||||
- ica_cleanup();
|
|
||||||
+ do_ica_cleanup();
|
|
||||||
memset(&ibmca_registration, 0, sizeof(ibmca_registration));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
|
|
||||||
index 382a45d..53f4ca1 100644
|
|
||||||
--- a/src/engine/ibmca.h
|
|
||||||
+++ b/src/engine/ibmca.h
|
|
||||||
@@ -616,6 +616,8 @@ int (*ica_ed25519_ctx_del_t)(ICA_ED25519_CTX **ctx);
|
|
||||||
typedef
|
|
||||||
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
|
|
||||||
|
|
||||||
+typedef void (*ica_cleanup_t)(void);
|
|
||||||
+
|
|
||||||
/* entry points into libica, filled out at DSO load time */
|
|
||||||
extern ica_get_functionlist_t p_ica_get_functionlist;
|
|
||||||
extern ica_set_fallback_mode_t p_ica_set_fallback_mode;
|
|
||||||
@@ -681,3 +683,4 @@ extern ica_x25519_ctx_del_t p_ica_x25519_ctx_del;
|
|
||||||
extern ica_x448_ctx_del_t p_ica_x448_ctx_del;
|
|
||||||
extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del;
|
|
||||||
extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del;
|
|
||||||
+extern ica_cleanup_t p_ica_cleanup;
|
|
||||||
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
|
|
||||||
index d8045ba..80f0368 100644
|
|
||||||
--- a/src/provider/p_ibmca.c
|
|
||||||
+++ b/src/provider/p_ibmca.c
|
|
||||||
@@ -633,6 +633,9 @@ static void ibmca_teardown(void *vprovctx)
|
|
||||||
pthread_mutex_destroy(&provctx->debug_mutex);
|
|
||||||
|
|
||||||
P_FREE(provctx, provctx);
|
|
||||||
+#if HAVE_DECL_ICA_CLEANUP == 1
|
|
||||||
+ ica_cleanup();
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM ibmca_param_types[] = {
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From 688273ec77530a44d43ad5133155e646a945bc88 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
Date: Thu, 7 Apr 2022 12:33:44 +0200
|
|
||||||
Subject: [PATCH 3/5] Support tests in remote builds.
|
|
||||||
|
|
||||||
If the build is not wihin the source tree, tests failed since they could not
|
|
||||||
find the key files. Add support for this.
|
|
||||||
|
|
||||||
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
---
|
|
||||||
test/engine/test.pm | 26 ++++++++++++++------------
|
|
||||||
test/provider/tls.pl | 13 +++++++------
|
|
||||||
2 files changed, 21 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/engine/test.pm b/test/engine/test.pm
|
|
||||||
index 8e4b8ab..3a313e1 100644
|
|
||||||
--- a/test/engine/test.pm
|
|
||||||
+++ b/test/engine/test.pm
|
|
||||||
@@ -3,6 +3,8 @@
|
|
||||||
use strict;
|
|
||||||
use warnings;
|
|
||||||
|
|
||||||
+use FindBin;
|
|
||||||
+
|
|
||||||
package test;
|
|
||||||
|
|
||||||
sub osslversion1 {
|
|
||||||
@@ -69,16 +71,16 @@ sub rsaencdec {
|
|
||||||
my $bytes = 1 + int(rand($max_file_size));
|
|
||||||
# engine enc, no-engine dec
|
|
||||||
`openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`;
|
|
||||||
- `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
|
|
||||||
- `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
|
|
||||||
+ `$eng openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
|
|
||||||
+ `openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
|
|
||||||
`cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`;
|
|
||||||
exit(99) if ($?);
|
|
||||||
`rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`;
|
|
||||||
|
|
||||||
# no-engine enc, engine dec
|
|
||||||
`openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`;
|
|
||||||
- `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
|
|
||||||
- `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
|
|
||||||
+ `openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`;
|
|
||||||
+ `$eng openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`;
|
|
||||||
`cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`;
|
|
||||||
exit(99) if ($?);
|
|
||||||
`rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`;
|
|
||||||
@@ -100,16 +102,16 @@ sub rsasignverify {
|
|
||||||
$key .= $hex[rand(@hex)] for (1..$keylen);
|
|
||||||
# engine sign, no-engine verify
|
|
||||||
`openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`;
|
|
||||||
- `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
|
|
||||||
- `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
+ `$eng openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
|
|
||||||
+ `openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
`cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
exit(99) if ($?);
|
|
||||||
`rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
|
|
||||||
# no-engine sign, engine verify
|
|
||||||
`openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`;
|
|
||||||
- `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
|
|
||||||
- `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
+ `openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`;
|
|
||||||
+ `$eng openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
`cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
exit(99) if ($?);
|
|
||||||
`rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`;
|
|
||||||
@@ -131,15 +133,15 @@ sub dsasignverify {
|
|
||||||
my $bytes = 1 + int(rand($max_file_size));
|
|
||||||
# engine sign, no-engine verify
|
|
||||||
`openssl rand $bytes > dsa.${i}.${keylen}.data.in`;
|
|
||||||
- `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
- `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
+ `$eng openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
+ `openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
exit(99) if ($?);
|
|
||||||
`rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`;
|
|
||||||
|
|
||||||
# no-engine sign, engine verify
|
|
||||||
`openssl rand $bytes > dsa.${i}.${keylen}.data.in`;
|
|
||||||
- `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
- `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
+ `openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
+ `$eng openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`;
|
|
||||||
exit(99) if ($?);
|
|
||||||
`rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`;
|
|
||||||
}
|
|
||||||
diff --git a/test/provider/tls.pl b/test/provider/tls.pl
|
|
||||||
index c8871d4..0d9df6d 100755
|
|
||||||
--- a/test/provider/tls.pl
|
|
||||||
+++ b/test/provider/tls.pl
|
|
||||||
@@ -19,17 +19,18 @@
|
|
||||||
use strict;
|
|
||||||
use warnings;
|
|
||||||
use test;
|
|
||||||
+use FindBin;
|
|
||||||
|
|
||||||
# TLS 1.3 with RSA signatures
|
|
||||||
-test::tls(10001, "server-key-rsa.pem", "server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
|
|
||||||
+test::tls(10001, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
|
|
||||||
# TLS 1.3 with EC signatures
|
|
||||||
-test::tls(10002, "server-key-ec.pem", "server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
|
|
||||||
+test::tls(10002, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3");
|
|
||||||
# TLS 1.2 with RSA signatures and ECDH key exchange
|
|
||||||
-test::tls(10003, "server-key-rsa.pem", "server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
+test::tls(10003, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
# TLS 1.2 with ECDSA signatures and ECDH key exchange
|
|
||||||
-test::tls(10004, "server-key-ec.pem", "server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
+test::tls(10004, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
# TLS 1.2 with RSA signatures and DH key exchange
|
|
||||||
-test::tls(10005, "server-key-rsa.pem", "server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
+test::tls(10005, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
# TLS 1.2 with RSA signatures and RSA key exchange
|
|
||||||
-test::tls(10006, "server-key-rsa.pem", "server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
+test::tls(10006, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3");
|
|
||||||
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From c0d384b72f280a4bd1c71407df0583da1847f5cb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Thu, 12 May 2022 11:20:18 +0200
|
|
||||||
Subject: [PATCH 4/5] provider: Adapt keymgmt_match() implementations to
|
|
||||||
OpenSSL
|
|
||||||
|
|
||||||
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
|
|
||||||
OpenSSL provider's keymgmt_match() function to be not so strict with
|
|
||||||
the selector bits in regards to matching different key parts.
|
|
||||||
|
|
||||||
Adapt the provider's match functions accordingly.
|
|
||||||
This means, that if the public key is selected to be matched, and the
|
|
||||||
public key matches (together with any also selected parameters),
|
|
||||||
then the private key is no longer checked, although it may also be
|
|
||||||
selected to be matched. This is according to how the OpenSSL function
|
|
||||||
EVP_PKEY_eq() is supposed to behave.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/provider/dh_keymgmt.c | 2 +-
|
|
||||||
src/provider/ec_keymgmt.c | 5 +++--
|
|
||||||
src/provider/rsa_keymgmt.c | 8 +++++---
|
|
||||||
3 files changed, 9 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c
|
|
||||||
index 48ba739..3180158 100644
|
|
||||||
--- a/src/provider/dh_keymgmt.c
|
|
||||||
+++ b/src/provider/dh_keymgmt.c
|
|
||||||
@@ -1000,7 +1000,7 @@ static int ibmca_keymgmt_dh_match(const void *vkey1, const void *vkey2,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
|
|
||||||
+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
|
|
||||||
if (key1->dh.priv != NULL || key2->dh.priv != NULL) {
|
|
||||||
ok = ok && (BN_cmp(key1->dh.priv, key2->dh.priv) == 0);
|
|
||||||
checked = 1;
|
|
||||||
diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c
|
|
||||||
index d898c6a..d39b1e2 100644
|
|
||||||
--- a/src/provider/ec_keymgmt.c
|
|
||||||
+++ b/src/provider/ec_keymgmt.c
|
|
||||||
@@ -751,7 +751,7 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2,
|
|
||||||
const struct ibmca_key *key2 = vkey2;
|
|
||||||
BIGNUM *x1 = NULL, *y1 = NULL, *d1 = NULL;
|
|
||||||
BIGNUM *x2 = NULL, *y2 = NULL, *d2 = NULL;
|
|
||||||
- int ok = 1, rc1, rc2;
|
|
||||||
+ int ok = 1, rc1, rc2, checked = 0;
|
|
||||||
|
|
||||||
if (key1 == NULL || key2 == NULL)
|
|
||||||
return 0;
|
|
||||||
@@ -781,9 +781,10 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2,
|
|
||||||
|
|
||||||
ok = ok && (rc1 == rc2 && (rc1 == -1 ||
|
|
||||||
(BN_cmp(x1, x2) == 0 && BN_cmp(y1, y2) == 0)));
|
|
||||||
+ checked = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
|
|
||||||
+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
|
|
||||||
rc1 = ibmca_keymgmt_ec_priv_key_as_bn(key1, &d1);
|
|
||||||
if (rc1 == 0) {
|
|
||||||
ok = 0;
|
|
||||||
diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
|
|
||||||
index 61f7744..9278327 100644
|
|
||||||
--- a/src/provider/rsa_keymgmt.c
|
|
||||||
+++ b/src/provider/rsa_keymgmt.c
|
|
||||||
@@ -641,7 +641,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2,
|
|
||||||
{
|
|
||||||
const struct ibmca_key *key1 = vkey1;
|
|
||||||
const struct ibmca_key *key2 = vkey2;
|
|
||||||
- int ok = 1;
|
|
||||||
+ int ok = 1, checked = 0;
|
|
||||||
|
|
||||||
if (key1 == NULL || key2 == NULL)
|
|
||||||
return 0;
|
|
||||||
@@ -652,7 +652,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2,
|
|
||||||
if (ibmca_keymgmt_match(key1, key2) == 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
|
|
||||||
+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
|
|
||||||
ok = ok && (key1->rsa.public.key_length ==
|
|
||||||
key2->rsa.public.key_length &&
|
|
||||||
memcmp(key1->rsa.public.exponent,
|
|
||||||
@@ -661,8 +661,10 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2,
|
|
||||||
memcmp(key1->rsa.public.modulus,
|
|
||||||
key2->rsa.public.modulus,
|
|
||||||
key1->rsa.public.key_length) == 0);
|
|
||||||
+ checked = 1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
|
|
||||||
+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
|
|
||||||
ok = ok && (key1->rsa.private.key_length ==
|
|
||||||
key2->rsa.private.key_length &&
|
|
||||||
CRYPTO_memcmp(key1->rsa.private.p,
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From 49be3a5c9c1258e0dc15bbc50d5aa04a0ba4ba66 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Wed, 18 May 2022 15:41:12 +0200
|
|
||||||
Subject: [PATCH 5/5] tests: skip tests if libica does not support required
|
|
||||||
algorithms
|
|
||||||
|
|
||||||
Before actually running the tests, check if libica supports the
|
|
||||||
required algorithms. Skip the whole test if not.
|
|
||||||
|
|
||||||
This can happen when running the test on a system without appropriate
|
|
||||||
crypto adapters. This would lead to the situation that the provider would
|
|
||||||
not register itself for the required algorithms, and thus the OpenSSL
|
|
||||||
default provider would be used. This would make the tests to fail, because
|
|
||||||
it is not running with the IBMCA provider as expected by the test.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
test/provider/Makefile.am | 18 ++++++++++---
|
|
||||||
test/provider/dhkey.c | 56 ++++++++++++++++++++++++++++++++++++++
|
|
||||||
test/provider/eckey.c | 57 +++++++++++++++++++++++++++++++++++++++
|
|
||||||
test/provider/rsakey.c | 56 ++++++++++++++++++++++++++++++++++++++
|
|
||||||
4 files changed, 184 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
|
|
||||||
index f5cb97d..b007682 100644
|
|
||||||
--- a/test/provider/Makefile.am
|
|
||||||
+++ b/test/provider/Makefile.am
|
|
||||||
@@ -20,13 +20,25 @@ TESTS = \
|
|
||||||
check_PROGRAMS = rsakey eckey dhkey threadtest
|
|
||||||
|
|
||||||
dhkey_SOURCES = dhkey.c
|
|
||||||
-dhkey_LDADD = -lcrypto
|
|
||||||
+if PROVIDER_FULL_LIBICA
|
|
||||||
+dhkey_LDADD = -lcrypto -lica
|
|
||||||
+else
|
|
||||||
+dhkey_LDADD = -lcrypto -lica-cex
|
|
||||||
+endif
|
|
||||||
|
|
||||||
eckey_SOURCES = eckey.c
|
|
||||||
-eckey_LDADD = -lcrypto
|
|
||||||
+if PROVIDER_FULL_LIBICA
|
|
||||||
+eckey_LDADD = -lcrypto -lica
|
|
||||||
+else
|
|
||||||
+eckey_LDADD = -lcrypto -lica-cex
|
|
||||||
+endif
|
|
||||||
|
|
||||||
rsakey_SOURCES = rsakey.c
|
|
||||||
-rsakey_LDADD = -lcrypto
|
|
||||||
+if PROVIDER_FULL_LIBICA
|
|
||||||
+rsakey_LDADD = -lcrypto -lica
|
|
||||||
+else
|
|
||||||
+rsakey_LDADD = -lcrypto -lica-cex
|
|
||||||
+endif
|
|
||||||
|
|
||||||
threadtest_SOURCES = threadtest.c
|
|
||||||
threadtest_LDADD = -lcrypto -lpthread
|
|
||||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
|
||||||
index a9cea13..8829ecc 100644
|
|
||||||
--- a/test/provider/dhkey.c
|
|
||||||
+++ b/test/provider/dhkey.c
|
|
||||||
@@ -27,6 +27,8 @@
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
|
|
||||||
+#include <ica_api.h>
|
|
||||||
+
|
|
||||||
#define UNUSED(var) ((void)(var))
|
|
||||||
|
|
||||||
void setup(void)
|
|
||||||
@@ -349,6 +351,56 @@ int check_dhkey(int nid, const char *name, const char *algo)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const unsigned int required_ica_mechs[] = { RSA_ME };
|
|
||||||
+static const unsigned int required_ica_mechs_len =
|
|
||||||
+ sizeof(required_ica_mechs) / sizeof(unsigned int);
|
|
||||||
+
|
|
||||||
+int check_libica()
|
|
||||||
+{
|
|
||||||
+ unsigned int mech_len, i, k, found = 0;
|
|
||||||
+ libica_func_list_element *mech_list = NULL;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ rc = ica_get_functionlist(NULL, &mech_len);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ mech_list = calloc(sizeof(libica_func_list_element), mech_len);
|
|
||||||
+ if (mech_list == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to allocate memory for function list!\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
+ free(mech_list);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < mech_len; i++) {
|
|
||||||
+ for (k = 0; k < required_ica_mechs_len; k++) {
|
|
||||||
+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) {
|
|
||||||
+ if (mech_list[i].flags &
|
|
||||||
+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW))
|
|
||||||
+ found++;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(mech_list);
|
|
||||||
+
|
|
||||||
+ if (found < required_ica_mechs_len) {
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "Libica does not support the required algorithms, skipping.\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
static const struct testparams {
|
|
||||||
@@ -389,6 +441,10 @@ int main(int argc, char **argv)
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = check_libica();
|
|
||||||
+ if (ret != 0)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
setup();
|
|
||||||
for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) {
|
|
||||||
if (!check_dhkey(params[i].nid, params[i].name, "DH")) {
|
|
||||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
|
||||||
index 279b942..b2334d7 100644
|
|
||||||
--- a/test/provider/eckey.c
|
|
||||||
+++ b/test/provider/eckey.c
|
|
||||||
@@ -27,6 +27,8 @@
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
|
|
||||||
+#include <ica_api.h>
|
|
||||||
+
|
|
||||||
#define UNUSED(var) ((void)(var))
|
|
||||||
|
|
||||||
void setup(void)
|
|
||||||
@@ -781,6 +783,57 @@ int check_eckey(int nid, const char *name)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
|
|
||||||
+ EC_DSA_VERIFY, EC_KGEN, };
|
|
||||||
+static const unsigned int required_ica_mechs_len =
|
|
||||||
+ sizeof(required_ica_mechs) / sizeof(unsigned int);
|
|
||||||
+
|
|
||||||
+int check_libica()
|
|
||||||
+{
|
|
||||||
+ unsigned int mech_len, i, k, found = 0;
|
|
||||||
+ libica_func_list_element *mech_list = NULL;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ rc = ica_get_functionlist(NULL, &mech_len);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ mech_list = calloc(sizeof(libica_func_list_element), mech_len);
|
|
||||||
+ if (mech_list == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to allocate memory for function list!\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
+ free(mech_list);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < mech_len; i++) {
|
|
||||||
+ for (k = 0; k < required_ica_mechs_len; k++) {
|
|
||||||
+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) {
|
|
||||||
+ if (mech_list[i].flags &
|
|
||||||
+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW))
|
|
||||||
+ found++;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(mech_list);
|
|
||||||
+
|
|
||||||
+ if (found < required_ica_mechs_len) {
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "Libica does not support the required algorithms, skipping.\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
static const struct testparams {
|
|
||||||
@@ -822,6 +875,10 @@ int main(int argc, char **argv)
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = check_libica();
|
|
||||||
+ if (ret != 0)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
setup();
|
|
||||||
for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) {
|
|
||||||
if (!check_eckey(params[i].nid, params[i].name)) {
|
|
||||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
|
||||||
index 0adface..366b503 100644
|
|
||||||
--- a/test/provider/rsakey.c
|
|
||||||
+++ b/test/provider/rsakey.c
|
|
||||||
@@ -26,6 +26,8 @@
|
|
||||||
#include <openssl/provider.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
|
|
||||||
+#include <ica_api.h>
|
|
||||||
+
|
|
||||||
#define UNUSED(var) ((void)(var))
|
|
||||||
|
|
||||||
void setup(void)
|
|
||||||
@@ -729,6 +731,56 @@ int check_rsakey(int bits, const char *algo, const char *name)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
|
|
||||||
+static const unsigned int required_ica_mechs_len =
|
|
||||||
+ sizeof(required_ica_mechs) / sizeof(unsigned int);
|
|
||||||
+
|
|
||||||
+int check_libica()
|
|
||||||
+{
|
|
||||||
+ unsigned int mech_len, i, k, found = 0;
|
|
||||||
+ libica_func_list_element *mech_list = NULL;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ rc = ica_get_functionlist(NULL, &mech_len);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ mech_list = calloc(sizeof(libica_func_list_element), mech_len);
|
|
||||||
+ if (mech_list == NULL) {
|
|
||||||
+ fprintf(stderr, "Failed to allocate memory for function list!\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = ica_get_functionlist(mech_list, &mech_len);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ fprintf(stderr, "Failed to get function list from libica!\n");
|
|
||||||
+ free(mech_list);
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < mech_len; i++) {
|
|
||||||
+ for (k = 0; k < required_ica_mechs_len; k++) {
|
|
||||||
+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) {
|
|
||||||
+ if (mech_list[i].flags &
|
|
||||||
+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW))
|
|
||||||
+ found++;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(mech_list);
|
|
||||||
+
|
|
||||||
+ if (found < required_ica_mechs_len) {
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "Libica does not support the required algorithms, skipping.\n");
|
|
||||||
+ return 77;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
static const struct testparams {
|
|
||||||
@@ -767,6 +819,10 @@ int main(int argc, char **argv)
|
|
||||||
return 77;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = check_libica();
|
|
||||||
+ if (ret != 0)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
setup();
|
|
||||||
for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) {
|
|
||||||
if (!check_rsakey(params[i].bits, params[i].algo, params[i].name)) {
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
|
@ -1,117 +0,0 @@
|
||||||
From 072e32bb199ff772148f1cbe0b2faadf9ab33c12 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
Date: Thu, 27 Oct 2022 16:13:01 +0200
|
|
||||||
Subject: [PATCH 1/2] provider: Fix configuration script
|
|
||||||
|
|
||||||
Small typo in the configuration script created an invalid configuration.
|
|
||||||
|
|
||||||
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/provider/ibmca-provider-opensslconfig | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
index 21ed6f6..d45428e 100755
|
|
||||||
--- a/src/provider/ibmca-provider-opensslconfig
|
|
||||||
+++ b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
@@ -83,7 +83,7 @@ sub generate()
|
|
||||||
}
|
|
||||||
if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
|
|
||||||
print $oh "ibmca_provider = ibmca_provider_section\n";
|
|
||||||
- print $oh # Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
print "WARNING: The IBMCA provider was added to section [$providersect].\n";
|
|
||||||
print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From e90203dbc9bf0d9a4488af470adf11852860991a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
Date: Wed, 2 Nov 2022 14:29:35 +0100
|
|
||||||
Subject: [PATCH 2/2] provider: Fix order of providers in configuration
|
|
||||||
|
|
||||||
Since libica requires a provider that supports HMAC to be loaded and
|
|
||||||
available, fix the order of providers loaded by our sample configuration
|
|
||||||
generator. The "default" provider has to come first such that libica can do
|
|
||||||
the file integrity test with a HMAC provided by this provider when being
|
|
||||||
loaded via the ibmca provider.
|
|
||||||
|
|
||||||
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
|
|
||||||
---
|
|
||||||
src/provider/ibmca-provider-opensslconfig | 23 +++++++++++++++--------
|
|
||||||
1 file changed, 15 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
index d45428e..d87fa8e 100755
|
|
||||||
--- a/src/provider/ibmca-provider-opensslconfig
|
|
||||||
+++ b/src/provider/ibmca-provider-opensslconfig
|
|
||||||
@@ -30,7 +30,7 @@ use warnings;
|
|
||||||
sub generate()
|
|
||||||
{
|
|
||||||
my ($osslconfpath);
|
|
||||||
- my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect);
|
|
||||||
+ my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect, $inprovidersect);
|
|
||||||
my ($inalgsect, $algsection);
|
|
||||||
|
|
||||||
$osslconfpath = `openssl version -d` || die "Please install openssl binary";
|
|
||||||
@@ -43,6 +43,7 @@ sub generate()
|
|
||||||
$defaultcnfsect = undef;
|
|
||||||
$indefaultsect = 0;
|
|
||||||
$providersect = undef;
|
|
||||||
+ $inprovidersect = 0;
|
|
||||||
while ($line = <$ih>) {
|
|
||||||
if ($line =~ /openssl_conf\s*=\s*(.*)/) {
|
|
||||||
$defaultcnfsect = $1;
|
|
||||||
@@ -67,13 +68,22 @@ sub generate()
|
|
||||||
} elsif ($inalgsect) {
|
|
||||||
if ($line =~ /\[\s*\w+\s*\]/) {
|
|
||||||
print $oh "default_properties = ?provider=ibmca\n";
|
|
||||||
+ $inalgsect = 0;
|
|
||||||
} elsif ($line =~ /^\s*default_properties\s*=\s*(\w+)\s*/) {
|
|
||||||
print $oh "default_properties = ?provider=ibmca\n";
|
|
||||||
print $oh "# The following was commented out by ibmca-provider-opensslconfig script\n";
|
|
||||||
print "WARNING: The default_properties in $algsection was modified by this script.\n";
|
|
||||||
$line = "# $line";
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
+ } elsif ($inprovidersect) {
|
|
||||||
+ if ($line =~ /\[\s*\w+\s*\]/) {
|
|
||||||
+ $inprovidersect = 0;
|
|
||||||
+ print $oh "ibmca_provider = ibmca_provider_section\n";
|
|
||||||
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
+ print "WARNING: The IBMCA provider was added to section [$providersect].\n";
|
|
||||||
+ print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
print $oh "$line";
|
|
||||||
if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) {
|
|
||||||
$indefaultsect = 1;
|
|
||||||
@@ -81,11 +91,8 @@ sub generate()
|
|
||||||
if ($algsection && $line =~ /\[\s*$algsection\s*\]/) {
|
|
||||||
$inalgsect = 1;
|
|
||||||
}
|
|
||||||
- if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
|
|
||||||
- print $oh "ibmca_provider = ibmca_provider_section\n";
|
|
||||||
- print $oh "# Make sure that you have configured and activated at least one other provider!\n";
|
|
||||||
- print "WARNING: The IBMCA provider was added to section [$providersect].\n";
|
|
||||||
- print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
|
|
||||||
+ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
|
|
||||||
+ $inprovidersect = 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -100,8 +107,8 @@ providers = provider_section
|
|
||||||
if (!$providersect) {
|
|
||||||
print $oh qq|
|
|
||||||
[provider_section]
|
|
||||||
-ibmca_provider = ibmca_provider_section
|
|
||||||
default = default_sect
|
|
||||||
+ibmca_provider = ibmca_provider_section
|
|
||||||
|
|
||||||
[default_sect]
|
|
||||||
activate = 1
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
|
@ -1,34 +1,18 @@
|
||||||
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
||||||
%global modulesdir %(openssl version -m | grep -o '".*"' | tr -d '"')
|
|
||||||
# Above can be replaced by the following once OpenSSL commit
|
|
||||||
# https://github.com/openssl/openssl/commit/7fde39de848f062d6db45bf9e69439db2100b9bb
|
|
||||||
# has been included into the distribution:
|
|
||||||
# %%global modulesdir %%(pkg-config --variable=modulesdir libcrypto)
|
|
||||||
|
|
||||||
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
|
|
||||||
%global with_openssl3 1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
Summary: A dynamic OpenSSL engine for IBMCA
|
Summary: A dynamic OpenSSL engine for IBMCA
|
||||||
Name: openssl-ibmca
|
Name: openssl-ibmca
|
||||||
Version: 2.3.0
|
Version: 2.3.1
|
||||||
Release: 1%{?dist}.1
|
Release: 1%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
|
Group: System Environment/Libraries
|
||||||
URL: https://github.com/opencryptoki
|
URL: https://github.com/opencryptoki
|
||||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
# post GA fixes
|
Requires: libica >= 3.8.0
|
||||||
Patch0: %{name}-%{version}-fixes.patch
|
|
||||||
# fix provider config script
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2160761
|
|
||||||
Patch1: %{name}-2.3.0-provider-config.patch
|
|
||||||
Requires: libica >= 4.0.0
|
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libica-devel >= 4.0.0
|
BuildRequires: libica-devel >= 3.8.0
|
||||||
BuildRequires: automake libtool
|
BuildRequires: automake libtool
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: perl(FindBin)
|
|
||||||
ExclusiveArch: s390 s390x
|
ExclusiveArch: s390 s390x
|
||||||
|
|
||||||
|
|
||||||
|
@ -43,22 +27,16 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
|
%configure --libdir=%{enginesdir} --with-libica-version=3
|
||||||
%make_build
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
rm -f %{buildroot}%{enginesdir}/*.la
|
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
|
||||||
|
|
||||||
%if 0%{?with_openssl3}
|
|
||||||
# provider is built when openssl3 is available, fix its location
|
|
||||||
mkdir -p %{buildroot}%{modulesdir}
|
|
||||||
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
|
|
||||||
%endif
|
|
||||||
|
|
||||||
pushd src/engine
|
pushd src/engine
|
||||||
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
|
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# remove generated sample configs
|
# remove generated sample configs
|
||||||
|
@ -71,85 +49,48 @@ make check
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc ChangeLog README.md src/engine/openssl.cnf.sample
|
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
|
||||||
%doc src/engine/ibmca-engine-opensslconfig
|
|
||||||
%doc src/provider/ibmca-provider-opensslconfig
|
|
||||||
%{enginesdir}/ibmca.so
|
%{enginesdir}/ibmca.so
|
||||||
%{_mandir}/man5/ibmca.5*
|
%{_mandir}/man5/ibmca.5*
|
||||||
%if 0%{?with_openssl3}
|
|
||||||
%{modulesdir}/ibmca-provider.so
|
|
||||||
%{_mandir}/man5/ibmca-provider.5*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Jan 18 2023 Dan Horák <dhorak@redhat.com> - 2.3.0-1.1
|
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
|
||||||
- fix provider config script (#2160761)
|
- updated to 2.3.1 (#2110379)
|
||||||
- Resolves: #2160761
|
- Resolves: #2110379
|
||||||
|
|
||||||
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
|
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
|
||||||
- updated to 2.3.0 (#2044177)
|
- updated to 2.3.0 (#2043842)
|
||||||
- add provider for openssl 3.x (#2044185)
|
- Resolves: #2043842
|
||||||
- Resolves: #2044177 #2044185
|
|
||||||
|
|
||||||
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
|
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
|
||||||
- updated to 2.2.2 (#2016989)
|
- updated to 2.2.1 (#1984971)
|
||||||
- Resolves: #2016989
|
- Resolves: #1984971
|
||||||
|
|
||||||
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
|
|
||||||
- updated to 2.2.1 (#2016989)
|
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
|
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
|
||||||
Related: rhbz#1991688
|
|
||||||
|
|
||||||
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
||||||
- fix DSA and DH registration (#1989380)
|
- fix DSA and DH registration (#1989064)
|
||||||
- Resolves: #1989380
|
- Resolves: #1989064
|
||||||
|
|
||||||
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
|
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
|
||||||
- updated to 2.2.0 (#1869531)
|
- updated to 2.2.0 (#1919222)
|
||||||
- eliminate SW fallback functions (#1924117)
|
- do not use libica software fallbacks (#1922204)
|
||||||
- Resolves: #1869531 #1924117
|
- Resolves: #1919222 #1922204
|
||||||
|
|
||||||
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
|
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
|
||||||
- updated to 2.1.2
|
- updated to 2.1.1 (#1780306)
|
||||||
|
- Resolves: #1780306
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
|
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- updated to 2.1.0 (#1726242)
|
||||||
|
- Resolves: #1726242, #1723854
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
|
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- updated to 2.0.3 (#1666622)
|
||||||
|
- Resolves: #1666622 #1659427 #1683099
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
|
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Fix doing rsa-me, altough rsa-crt would be possible
|
||||||
|
- Resolves: #1655654
|
||||||
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
|
|
||||||
- updated to 2.1.1
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
|
|
||||||
- updated to 2.1.0
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
|
|
||||||
- updated to 2.0.3
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
|
|
||||||
- updated to 2.0.2
|
|
||||||
|
|
||||||
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
|
|
||||||
- run upstream test-suite during build
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
||||||
- updated to 2.0.0
|
- updated to 2.0.0
|
||||||
|
|
Loading…
Reference in New Issue