From ca089ef5ad134f36b5902bb14d8bc6d8cec7c47495b2170e79913d702a33202a Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 27 Mar 2015 08:39:56 +0000 Subject: [PATCH] Accepting request 291316 from security 1 OBS-URL: https://build.opensuse.org/request/show/291316 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=23 --- ibmca-configure.patch | 67 ----- ibmca-segfault.fix.patch | 202 --------------- ibmca-sw-fix.patch | 302 ----------------------- openssl-des-ede.patch | 68 +++++ openssl-ibmca-1.0.0-rc2.tar.bz2 | 3 - openssl-ibmca-1.0.0.rc2-memset-fix.patch | 11 - openssl-ibmca-1.2.0.tar.gz | 3 + openssl-ibmca-configure.patch | 11 + openssl-ibmca-sha256-digest-length.patch | 22 ++ openssl-ibmca.changes | 57 +++++ openssl-ibmca.spec | 50 ++-- openssl-pkey.patch | 31 +++ 12 files changed, 207 insertions(+), 620 deletions(-) delete mode 100644 ibmca-configure.patch delete mode 100644 ibmca-segfault.fix.patch delete mode 100644 ibmca-sw-fix.patch create mode 100644 openssl-des-ede.patch delete mode 100644 openssl-ibmca-1.0.0-rc2.tar.bz2 delete mode 100644 openssl-ibmca-1.0.0.rc2-memset-fix.patch create mode 100644 openssl-ibmca-1.2.0.tar.gz create mode 100644 openssl-ibmca-configure.patch create mode 100644 openssl-ibmca-sha256-digest-length.patch create mode 100644 openssl-pkey.patch diff --git a/ibmca-configure.patch b/ibmca-configure.patch deleted file mode 100644 index 95ab5e9..0000000 --- a/ibmca-configure.patch +++ /dev/null @@ -1,67 +0,0 @@ ---- openssl-ibmca-1.0.0-rc2/configure.in 2006/03/28 08:09:45 1.1 -+++ openssl-ibmca-1.0.0-rc2/configure.in 2006/03/28 08:09:54 -@@ -21,39 +21,16 @@ - fi - fi - --OPENSSL_LIB_DIR="/usr/local/ssl/lib" -+# OpenSSL location -+AC_MSG_CHECKING([OpenSSL]) -+AC_CHECK_LIB(crypto, RAND_add, [LIBCRYPTO="-lcrypto"], \ -+ AC_MSG_ERROR([*** libcrypto not found])) - - # libica - AC_MSG_CHECKING([libICA]) - AC_CHECK_LIB(ica, icaOpenAdapter, [LIBICA="-lica"], \ -- AC_MSG_ERROR([*** libICA not found])) -- --# OpenSSL location --AC_MSG_CHECKING([OpenSSL location]) --AC_ARG_WITH(openssl, -- [ --with-openssl=PATH Location of openssl libs/includes], -- [OPENSSL_INCLUDE_DIR="$withval/include" -- OPENSSL_LIB_DIR="$withval/lib" -- if [[ ! -d $OPENSSL_INCLUDE_DIR -o ! -d $OPENSSL_LIB_DIR ]]; then -- AC_MSG_ERROR([$OPENSSL_INCLUDE_DIR or $OPENSSL_LIB_DIR doen't exist!]) -- else -- AC_MSG_RESULT([yes]) -- CFLAGS="$CFLAGS -L$OPENSSL_LIB_DIR -I$OPENSSL_INCLUDE_DIR" -- fi], -- [AC_MSG_RESULT([no]) -- AC_SUBST([OPENSSL_LIB_DIR], [/usr/local/ssl/lib]) -- AC_SUBST([OPENSSL_INCLUDE_DIR], [/usr/local/ssl/include]) ] ) -- --# Is the library specified? --AC_MSG_CHECKING([Engines library directory]) --AC_ARG_WITH(engines-dir, -- [ --with-engines-dir=PATH Location of OpenSSL engines], -- [OPENSSL_ENGINES_DIR="$withval/"], -- [AC_MSG_RESULT([no]) -- AC_SUBST([OPENSSL_ENGINES_DIR], [$OPENSSL_LIB_DIR/engines])]) -+ AC_MSG_ERROR([*** libICA not found]),-lssl) - --# for the correct install target --libdir=$OPENSSL_ENGINES_DIR - - AC_DISABLE_STATIC - AC_PROG_CC -@@ -61,6 +38,8 @@ - - CFLAGS="$CFLAGS -Wall" - AC_SUBST(CFLAGS) -+AC_SUBST(LIBCRYPTO) -+AC_SUBST(LIBICA) - - AC_OUTPUT(Makefile openssl.cnf.sample) - ---- openssl-ibmca-1.0.0-rc2/Makefile.am 2006/03/28 08:06:46 1.1 -+++ openssl-ibmca-1.0.0-rc2/Makefile.am 2006/03/28 08:07:34 -@@ -1,7 +1,4 @@ - lib_LTLIBRARIES=libibmca.la - --libibmca_la_LIBADD=@OPENSSL_LIB_DIR@/libcrypto.a --libibmca_la_LDFLAGS=-lc --libibmca_la_CFLAGS=-I@OPENSSL_INCLUDE_DIR@ --AM_CFLAGS=-I@OPENSSL_INCLUDE_DIR@ -+libibmca_la_LDFLAGS=@LIBICA@ @LIBCRYPTO@ -lc - libibmca_la_SOURCES=e_ibmca.c e_ibmca.h e_ibmca_err.c diff --git a/ibmca-segfault.fix.patch b/ibmca-segfault.fix.patch deleted file mode 100644 index f5f0a45..0000000 --- a/ibmca-segfault.fix.patch +++ /dev/null @@ -1,202 +0,0 @@ -Index: openssl-ibmca-1.0.0-rc2/e_ibmca.c -=================================================================== ---- openssl-ibmca-1.0.0-rc2.orig/e_ibmca.c 2005-12-16 14:45:43.000000000 -0600 -+++ openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-14 18:03:31.000000000 -0600 -@@ -1582,133 +1582,92 @@ - } // end ibmca_sha256_cleanup - #endif // OPENSSL_NO_SHA256 - --static int ibmca_mod_exp(BIGNUM * r, const BIGNUM * a, const BIGNUM * p, -- const BIGNUM * m, BN_CTX * ctx) -+static int ibmca_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx) - { -- /* I need somewhere to store temporary serialised values for -- * use with the Ibmca API calls. A neat cheat - I'll use -- * BIGNUMs from the BN_CTX but access their arrays directly as -- * byte arrays . This way I don't have to clean anything -- * up. */ -- -- BIGNUM *argument = NULL; -- BIGNUM *result = NULL; -- BIGNUM *key = NULL; -- int to_return; -+ char *argument; -+ char *result; -+ char *key; -+ ICA_KEY_RSA_MODEXPO *pubkey; - int inLen, outLen, tmpLen; -- -- -- -- ICA_KEY_RSA_MODEXPO *publKey = NULL; - unsigned int rc; -- -- to_return = 0; /* expect failure */ -+ int to_return = 0; /* fail code set by default */ - - if (!ibmca_dso) { - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_NOT_LOADED); - goto err; - } -- /* Prepare the params */ -- BN_CTX_start(ctx); -- argument = BN_CTX_get(ctx); -- result = BN_CTX_get(ctx); -- key = BN_CTX_get(ctx); -- -- if (!argument || !result || !key) { -- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_CTX_FULL); -- goto err; -- } -- -- -- if (!bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top) || -- !bn_wexpand(key, sizeof(*publKey) / BN_BYTES)) { -- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_EXPAND_FAIL); -- goto err; -- } -- -- publKey = (ICA_KEY_RSA_MODEXPO *) key->d; -- -- if (publKey == NULL) { -+ outLen = BN_num_bytes(m); -+ argument = malloc(outLen); -+ if (!argument) { -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); - goto err; - } -- memset(publKey, 0, sizeof(ICA_KEY_RSA_MODEXPO)); -- -- publKey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE); -- publKey->keyLength = -- CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO)); -- publKey->expOffset = -- (char *) publKey->keyRecord - (char *) publKey; -- -- /* A quirk of the card: the exponent length has to be the same -- as the modulus (key) length */ -- -- outLen = BN_num_bytes(m); -- --/* check for modulus length SAB*/ -- if (outLen > 256) { -- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, -- IBMCA_R_MEXP_LENGTH_TO_LARGE); -+ result = malloc(outLen); -+ if (!result) { -+ free(argument); -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); - goto err; - } --/* check for modulus length SAB*/ -- -- -- publKey->expLength = publKey->nLength = outLen; --/* SAB Check for underflow condition -- the size of the exponent is less than the size of the parameter -- then we have a big problem and will underflow the keyRecord -- buffer. Bad stuff could happen then --*/ -- if (outLen < BN_num_bytes(p)) { -- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, -- IBMCA_R_UNDERFLOW_KEYRECORD); -+ key = malloc(sizeof(*pubkey)); -+ if (!key) { -+ free(argument); -+ free(result); -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); - goto err; - } --/* SAB End check for underflow */ -- -- -- BN_bn2bin(p, &publKey->keyRecord[publKey->expLength - -- BN_num_bytes(p)]); -- BN_bn2bin(m, &publKey->keyRecord[publKey->expLength]); -- -- -- -- publKey->modulusBitLength = -- CORRECT_ENDIANNESS(publKey->nLength * 8); -- publKey->nOffset = -- CORRECT_ENDIANNESS(publKey->expOffset + publKey->expLength); -- -- publKey->expOffset = -- CORRECT_ENDIANNESS((char *) publKey->keyRecord - -- (char *) publKey); -- -+ pubkey = (ICA_KEY_RSA_MODEXPO *)key; -+ memset(pubkey, 0, sizeof(*pubkey)); -+ pubkey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE); -+ pubkey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO)); -+ pubkey->expOffset = (char *)pubkey->keyRecord - (char *)pubkey; -+#define IBMCA_MAX_EXP_LEN 256 -+ if (outLen > IBMCA_MAX_EXP_LEN) { -+ free(argument); -+ free(result); -+ free(key); -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_MEXP_LENGTH_TO_LARGE); -+ goto err; -+ } -+ pubkey->expLength = pubkey->nLength = outLen; -+ if (outLen < BN_num_bytes(p)) { /* Key record underflow check */ -+ free(argument); -+ free(result); -+ free(key); -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_UNDERFLOW_KEYRECORD); -+ goto err; -+ } -+ BN_bn2bin(p, -+ &pubkey->keyRecord[(pubkey->expLength - BN_num_bytes(p))]); -+ BN_bn2bin(m, &pubkey->keyRecord[pubkey->expLength]); -+ pubkey->modulusBitLength = CORRECT_ENDIANNESS((pubkey->nLength * 8)); -+ pubkey->nOffset = -+ CORRECT_ENDIANNESS((pubkey->expOffset + pubkey->expLength)); -+ pubkey->expOffset = CORRECT_ENDIANNESS(((char *)pubkey->keyRecord - -+ (char *)pubkey)); - tmpLen = outLen; -- publKey->expLength = publKey->nLength = CORRECT_ENDIANNESS(tmpLen); -- -- /* Prepare the argument */ -- -- memset(argument->d, 0, outLen); -- BN_bn2bin(a, (unsigned char *) argument->d + outLen - -- BN_num_bytes(a)); -- -+ pubkey->expLength = pubkey->nLength = CORRECT_ENDIANNESS(tmpLen); -+ memset(argument, 0, outLen); -+ BN_bn2bin(a, ((unsigned char *)argument -+ + outLen -+ - BN_num_bytes(a))); - inLen = outLen; -- -- /* Perform the operation */ -- - if ((rc = p_icaRsaModExpo(ibmca_handle, inLen, -- (unsigned char *) argument->d, -- publKey, &outLen, -- (unsigned char *) result->d)) != 0) { -+ (unsigned char *)argument, -+ pubkey, &outLen, -+ (unsigned char *)result)) != 0) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); - goto err; - } -- -- -- /* Convert the response */ -- BN_bin2bn((unsigned char *) result->d, outLen, r); -+ BN_bin2bn((unsigned char *)result, outLen, r); - to_return = 1; -+ free(argument); -+ free(result); -+ free(key); - err: -- BN_CTX_end(ctx); - return to_return; - } - diff --git a/ibmca-sw-fix.patch b/ibmca-sw-fix.patch deleted file mode 100644 index 2413e45..0000000 --- a/ibmca-sw-fix.patch +++ /dev/null @@ -1,302 +0,0 @@ -Index: openssl-ibmca-1.0.0-rc2/e_ibmca.c -=================================================================== ---- openssl-ibmca-1.0.0-rc2.orig/e_ibmca.c 2007-01-14 23:43:21.000000000 -0600 -+++ openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-14 23:43:31.000000000 -0600 -@@ -1711,95 +1711,78 @@ - const BIGNUM * dmp1, const BIGNUM * dmq1, - const BIGNUM * iqmp, BN_CTX * ctx) - { -- -- BIGNUM *argument = NULL; -- BIGNUM *result = NULL; -- BIGNUM *key = NULL; -- -- int to_return = 0; /* expect failure */ -- -- char *pkey = NULL; -- ICA_KEY_RSA_CRT *privKey = NULL; -+ char *argument; -+ char *result; -+ char *key; -+ unsigned char *pkey; -+ ICA_KEY_RSA_CRT *privkey; - int inLen, outLen; -- - int rc; - unsigned int offset, pSize, qSize; -- /* SAB New variables */ - unsigned int keyRecordSize; - unsigned int pbytes = BN_num_bytes(p); - unsigned int qbytes = BN_num_bytes(q); - unsigned int dmp1bytes = BN_num_bytes(dmp1); - unsigned int dmq1bytes = BN_num_bytes(dmq1); - unsigned int iqmpbytes = BN_num_bytes(iqmp); -+ int to_return = 0; - -- /* Prepare the params */ -- -- BN_CTX_start(ctx); -- argument = BN_CTX_get(ctx); -- result = BN_CTX_get(ctx); -- key = BN_CTX_get(ctx); -- -- if (!argument || !result || !key) { -- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_BN_CTX_FULL); -- goto err; -- } -- -- if (!bn_wexpand(argument, p->top + q->top) || -- !bn_wexpand(result, p->top + q->top) || -- !bn_wexpand(key, sizeof(*privKey) / BN_BYTES)) { -- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, -- IBMCA_R_BN_EXPAND_FAIL); -- goto err; -- } -- -- -- privKey = (ICA_KEY_RSA_CRT *) key->d; -- /* SAB Add check for total size in bytes of the parms does not -- * exceed the buffer space we have do this first -- */ -- keyRecordSize = -- pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes; -- if (keyRecordSize > sizeof(privKey->keyRecord)) { -+ argument = malloc((pbytes + qbytes)); -+ if (!argument) { -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); -+ goto err; -+ } -+ result = malloc((pbytes + qbytes)); -+ if (!result) { -+ free(argument); -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); -+ goto err; -+ } -+ key = malloc(sizeof(*privkey)); -+ if (!key) { -+ free(argument); -+ free(result); -+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); -+ goto err; -+ } -+ privkey = (ICA_KEY_RSA_CRT *)key; -+ keyRecordSize = (pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes); -+ if (keyRecordSize > sizeof(privkey->keyRecord)) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_OPERANDS_TO_LARGE); - goto err; - } -- - if ((qbytes + dmq1bytes) > 256) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_OPERANDS_TO_LARGE); - goto err; - } -- - if (pbytes + dmp1bytes > 256) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_OPERANDS_TO_LARGE); - goto err; - } -- -- /* end SAB additions */ -- -- memset(privKey, 0, sizeof(ICA_KEY_RSA_CRT)); -- privKey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE); -- privKey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT)); -- privKey->modulusBitLength = -- CORRECT_ENDIANNESS(BN_num_bytes(q) * 2 * 8); -- -- /* -- * p,dp & qInv are 1 QWORD Larger -- */ -- privKey->pLength = CORRECT_ENDIANNESS(BN_num_bytes(p) + 8); -- privKey->qLength = CORRECT_ENDIANNESS(BN_num_bytes(q)); -- privKey->dpLength = CORRECT_ENDIANNESS(BN_num_bytes(dmp1) + 8); -- privKey->dqLength = CORRECT_ENDIANNESS(BN_num_bytes(dmq1)); -- privKey->qInvLength = CORRECT_ENDIANNESS(BN_num_bytes(iqmp) + 8); -- -- offset = (char *) privKey->keyRecord - (char *) privKey; -- -- qSize = BN_num_bytes(q); -- pSize = qSize + 8; /* 1 QWORD larger */ -- -- -+ memset(privkey, 0, sizeof(*privkey)); -+ privkey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE); -+ privkey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT)); -+ privkey->modulusBitLength = CORRECT_ENDIANNESS(qbytes * 2 * 8); -+ privkey->pLength = CORRECT_ENDIANNESS(pbytes + 8); -+ privkey->qLength = CORRECT_ENDIANNESS(qbytes); -+ privkey->dpLength = CORRECT_ENDIANNESS(dmp1bytes + 8); -+ privkey->dqLength = CORRECT_ENDIANNESS(dmq1bytes); -+ privkey->qInvLength = CORRECT_ENDIANNESS(iqmpbytes + 8); -+ offset = ((char *)privkey->keyRecord - (char *)privkey); -+ qSize = qbytes; -+ pSize = (qSize + 8); /* 1 QWORD larger */ - /* SAB probably aittle redundant, but we'll verify that each - * of the components which make up a key record sent ot the card - * does not exceed the space that is allocated for it. this -@@ -1808,105 +1791,96 @@ - * could cause potential side affects on either the card or the - * result - */ -- - if ((pbytes > pSize) || (dmp1bytes > pSize) || - (iqmpbytes > pSize) || (qbytes > qSize) || - (dmq1bytes > qSize)) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_OPERANDS_TO_LARGE); - goto err; -- - } -- -- -- privKey->dpOffset = CORRECT_ENDIANNESS(offset); -- -+ privkey->dpOffset = CORRECT_ENDIANNESS(offset); - offset += pSize; -- privKey->dqOffset = CORRECT_ENDIANNESS(offset); -- -+ privkey->dqOffset = CORRECT_ENDIANNESS(offset); - offset += qSize; -- privKey->pOffset = CORRECT_ENDIANNESS(offset); -- -+ privkey->pOffset = CORRECT_ENDIANNESS(offset); - offset += pSize; -- privKey->qOffset = CORRECT_ENDIANNESS(offset); -- -+ privkey->qOffset = CORRECT_ENDIANNESS(offset); - offset += qSize; -- privKey->qInvOffset = CORRECT_ENDIANNESS(offset); -- -- pkey = (char *) privKey->keyRecord; -- -- -- /* SAB first check that we don;t under flow the buffer */ -+ privkey->qInvOffset = CORRECT_ENDIANNESS(offset); -+ pkey = (char *)privkey->keyRecord; - if (pSize < pbytes) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_UNDERFLOW_CONDITION); - goto err; - } -- -- /* pkey += pSize - BN_num_bytes(p); WROING this should be dmp1) */ -- pkey += pSize - BN_num_bytes(dmp1); -+ pkey += pSize - dmp1bytes; - BN_bn2bin(dmp1, pkey); -- pkey += BN_num_bytes(dmp1); /* move the pointer */ -- -- BN_bn2bin(dmq1, pkey); /* Copy over dmq1 */ -- -- pkey += qSize; /* move pointer */ -- pkey += pSize - BN_num_bytes(p); /* set up for zero padding of next field */ -- -+ pkey += dmp1bytes; -+ BN_bn2bin(dmq1, pkey); -+ pkey += qSize; -+ pkey += pSize - pbytes; /* set up for zero padding of next field */ - BN_bn2bin(p, pkey); -- pkey += BN_num_bytes(p); /* increment pointer by number of bytes moved */ -- -+ pkey += pbytes; - BN_bn2bin(q, pkey); -- pkey += qSize; /* move the pointer */ -- pkey += pSize - BN_num_bytes(iqmp); /* Adjust for padding */ -+ pkey += qSize; -+ pkey += pSize - iqmpbytes; /* Adjust for padding */ - BN_bn2bin(iqmp, pkey); -- - /* Prepare the argument and response */ -- -- outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2; /* Correct endianess -- is used because the -- fields were converted -+ outLen = CORRECT_ENDIANNESS(privkey->qLength) * 2; /* Correct -+ endianess -+ is used -+ because -+ the -+ fields -+ were -+ converted - above */ -- - if (outLen > 256) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_OUTLEN_TO_LARGE); - goto err; - } -- - /* SAB check for underflow here on the argeument */ - if (outLen < BN_num_bytes(a)) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_UNDERFLOW_CONDITION); - goto err; - } -- -- BN_bn2bin(a, (unsigned char *) argument->d + outLen - -- BN_num_bytes(a)); -+ BN_bn2bin(a, ((unsigned char *)argument -+ + outLen -+ - BN_num_bytes(a))); - inLen = outLen; -- -- memset(result->d, 0, outLen); -- -- /* Perform the operation */ -- -+ memset(result, 0, outLen); - if ((rc = p_icaRsaCrt(ibmca_handle, inLen, -- (unsigned char *) argument->d, -- privKey, &outLen, -- (unsigned char *) result->d)) != 0) { -+ (unsigned char *)argument, -+ privkey, &outLen, -+ (unsigned char *)result)) != 0) { -+ free(argument); -+ free(result); -+ free(key); - IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, - IBMCA_R_REQUEST_FAILED); - goto err; - } -- -- /* Convert the response */ -- -- BN_bin2bn((unsigned char *) result->d, outLen, r); -+ BN_bin2bn((unsigned char *)result, outLen, r); - to_return = 1; -- -+ free(argument); -+ free(result); -+ free(key); - err: -- BN_CTX_end(ctx); - return to_return; -- - } - - #ifndef OPENSSL_NO_DSA diff --git a/openssl-des-ede.patch b/openssl-des-ede.patch new file mode 100644 index 0000000..a0e090b --- /dev/null +++ b/openssl-des-ede.patch @@ -0,0 +1,68 @@ +commit 83b8ed7b25c809fa36ec86d7041a6350dc516606 +Author: Joy Latten +Date: Wed Mar 19 15:57:10 2014 -0500 + + openssl-ibmca: openssl speed -engine ibmca -evp des-ede3-ofb segfaults + + Signed-off-by: Joy Latten + +diff --git a/e_ibmca.c b/e_ibmca.c +index b1ad975..0acbe5f 100644 +--- a/e_ibmca.c ++++ b/e_ibmca.c +@@ -883,8 +883,7 @@ typedef unsigned int (*ica_sha256_t)(unsigned int, unsigned int, unsigned char * + sha256_context_t *, unsigned char *); + typedef unsigned int (*ica_des_ofb_t)(const unsigned char *in_data, unsigned char *out_data, + unsigned long data_length, const unsigned char *key, +- unsigned int key_length, unsigned char *iv, +- unsigned int direction); ++ unsigned char *iv, unsigned int direction); + typedef unsigned int (*ica_des_cfb_t)(const unsigned char *in_data, unsigned char *out_data, + unsigned long data_length, const unsigned char *key, + unsigned char *iv, unsigned int lcfb, +@@ -894,8 +893,7 @@ typedef unsigned int (*ica_3des_cfb_t)(const unsigned char *, unsigned char *, + unsigned int, unsigned int); + typedef unsigned int (*ica_3des_ofb_t)(const unsigned char *in_data, unsigned char *out_data, + unsigned long data_length, const unsigned char *key, +- unsigned int key_length, unsigned char *iv, +- unsigned int direction); ++ unsigned char *iv, unsigned int direction); + typedef unsigned int (*ica_aes_ofb_t)(const unsigned char *in_data, unsigned char *out_data, + unsigned long data_length, const unsigned char *key, + unsigned int key_length, unsigned char *iv, +@@ -1197,7 +1195,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, + rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv, + 8, ICA_ENCRYPT); + } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { +- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv, ++ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv, + ICA_ENCRYPT); + } else { + rv = p_ica_des_encrypt(mode, len, (unsigned char *)in, +@@ -1223,7 +1221,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, + rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv, + 8, ICA_DECRYPT); + } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { +- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv, ++ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv, + ICA_DECRYPT); + } else { + /* Protect against decrypt in place */ +@@ -1279,7 +1277,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, + ctx->iv, 8, ICA_ENCRYPT); + } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { + rv = p_ica_3des_ofb(in, out, len, pCtx->key, +- 8, ctx->iv, ICA_ENCRYPT); ++ ctx->iv, ICA_ENCRYPT); + } else { + rv = p_ica_3des_encrypt(mode, len, (unsigned char *)in, + (ica_des_vector_t *) ctx->iv, +@@ -1305,7 +1303,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, + ctx->iv, 8, ICA_DECRYPT); + } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { + rv = p_ica_3des_ofb(in, out, len, pCtx->key, +- 8, ctx->iv, ICA_DECRYPT); ++ ctx->iv, ICA_DECRYPT); + } else { + /* Protect against decrypt in place */ + /* FIXME: Again, check if EVP_CIPHER_CTX_iv_length() should be used */ diff --git a/openssl-ibmca-1.0.0-rc2.tar.bz2 b/openssl-ibmca-1.0.0-rc2.tar.bz2 deleted file mode 100644 index b25a5fb..0000000 --- a/openssl-ibmca-1.0.0-rc2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d3b114bc78fe8180b0c5f5d4d687b0fe2b3b23942c1f03e70aebc99b253119c9 -size 215240 diff --git a/openssl-ibmca-1.0.0.rc2-memset-fix.patch b/openssl-ibmca-1.0.0.rc2-memset-fix.patch deleted file mode 100644 index feb6295..0000000 --- a/openssl-ibmca-1.0.0.rc2-memset-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -urpN openssl-ibmca-1.0.0-rc2/e_ibmca.c openssl-ibmca-1.0.0-rc2-memset_fix/e_ibmca.c ---- openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-22 17:23:20.000000000 +0100 -+++ openssl-ibmca-1.0.0-rc2-memset_fix/e_ibmca.c 2007-01-22 17:27:09.000000000 +0100 -@@ -1858,6 +1858,7 @@ static int ibmca_mod_exp_crt(BIGNUM * r, - IBMCA_R_UNDERFLOW_CONDITION); - goto err; - } -+ memset(argument, 0, pbytes + qbytes); - BN_bn2bin(a, ((unsigned char *)argument - + outLen - - BN_num_bytes(a))); diff --git a/openssl-ibmca-1.2.0.tar.gz b/openssl-ibmca-1.2.0.tar.gz new file mode 100644 index 0000000..c7ed8be --- /dev/null +++ b/openssl-ibmca-1.2.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d36363798e69e19b203126106f0e3f1a08626f96523994dd3c06adfe9c6d27ad +size 26525 diff --git a/openssl-ibmca-configure.patch b/openssl-ibmca-configure.patch new file mode 100644 index 0000000..4edc828 --- /dev/null +++ b/openssl-ibmca-configure.patch @@ -0,0 +1,11 @@ +--- configure.in ++++ configure.in +@@ -28,7 +28,7 @@ + # libica is dlopened, so do not add it to LIBS + save_LIBS=$LIBS + AC_CHECK_LIB(ica, ica_open_adapter, [], \ +- AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl]) ++ AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl -lrt -lcrypto -lpthread]) + LIBS=$save_LIBS + + # OpenSSL location diff --git a/openssl-ibmca-sha256-digest-length.patch b/openssl-ibmca-sha256-digest-length.patch new file mode 100644 index 0000000..cb5cf8c --- /dev/null +++ b/openssl-ibmca-sha256-digest-length.patch @@ -0,0 +1,22 @@ +commit f204aca935dfe45b736e9fb8f822c9e79ec9747c +Author: Ingo Tuchscherer +Date: Fri Mar 7 10:35:33 2014 +0100 + + SHA256: Fixed message digest length definition in sha256 template + + Signed-off-by: Ingo Tuchscherer + Acked-by: John Jolly + +diff --git a/e_ibmca.c b/e_ibmca.c +index 94c44a4..f3fad35 100644 +--- a/e_ibmca.c ++++ b/e_ibmca.c +@@ -727,7 +727,7 @@ static const EVP_MD ibmca_sha1 = { + static const EVP_MD ibmca_sha256 = { + NID_sha256, + NID_sha256WithRSAEncryption, +- SHA_HASH_LENGTH, ++ SHA256_HASH_LENGTH, + 0, + ibmca_sha256_init, + ibmca_sha256_update, diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index b70a9c4..e2114e1 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,3 +1,60 @@ +------------------------------------------------------------------- +Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com + +- Remove dependency on fillup anf insserv; the package provides + neither sysconfig file nor sysvinit script +- Remove depreciated AUTHORS section +- Use %configure macro +- Add openssl-ibmca-configure.patch + +------------------------------------------------------------------- +Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com + +- Forced requirement of libica-2_3_0 (bnc#890824) + +------------------------------------------------------------------- +Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com + +- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) +- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes + fips self-test during EC key creation (bnc#879922) +- spec file cleaned up a bit + +------------------------------------------------------------------- +Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com + +- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message + digest length definition in sha256 template (bnc#868275) + +------------------------------------------------------------------- +Wed Mar 5 18:51:25 CET 2014 - ro@suse.de + +- update to 1.2.0 +- removed patches: + ibmca-configure.patch + ibmca-segfault.fix.patch + ibmca-sw-fix.patch + openssl-ibmca-1.0.0.rc2-memset-fix.patch +- make it exclusivearch for s390/s390x as the required libica + is only available for s390/s390x + +------------------------------------------------------------------- +Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com + +- Made required libica-2_1_0 s390 specific +- Added x86_64 to ExclusiveArch as %ix86 doesn't do it +- Removed libica requirement - allowing build process to find it + +------------------------------------------------------------------- +Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com + +- Added COPYING to %files + +------------------------------------------------------------------- +Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com + +- Requiring libica 2.1.0 or greater + ------------------------------------------------------------------- Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index e902edb..7764d31 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,7 +1,7 @@ # # spec file for package openssl-ibmca # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,58 +19,43 @@ Name: openssl-ibmca BuildRequires: autoconf BuildRequires: automake -BuildRequires: libica +BuildRequires: libica-2_3_0-devel BuildRequires: libtool BuildRequires: openssl-devel Summary: The IBMCA OpenSSL dynamic engine License: IPL-1.0 Group: Hardware/Other -Version: 1.0.0 +Version: 1.2.0 Release: 0 -Source: openssl-ibmca-1.0.0-rc2.tar.bz2 +Source: openssl-ibmca-1.2.0.tar.gz Source2: baselibs.conf -Patch: ibmca-configure.patch Patch1: openssl-ibmca-README.patch -Patch2: ibmca-segfault.fix.patch -Patch3: ibmca-sw-fix.patch -Patch4: openssl-ibmca-1.0.0.rc2-memset-fix.patch +Patch2: openssl-ibmca-configure.patch +Patch3: openssl-ibmca-sha256-digest-length.patch +Patch4: openssl-pkey.patch +Patch5: openssl-des-ede.patch Url: http://sourceforge.net/projects/opencryptoki BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: %fillup_prereq %insserv_prereq -Requires: libica +Requires: libica-2_3_0 Requires: openssl -# bug437293 -%ifarch ppc64 -Obsoletes: openssl-ibmca-64bit -%endif +ExclusiveArch: s390 s390x # -%define ibmca_64bit_arch s390x ppc64 ppc64le -%define ibmca_32bit_arch %ix86 s390 ppc %arm -ExclusiveArch: %ibmca_32bit_arch %ibmca_64bit_arch %description This package contains a shared object OpenSSL dynamic engine for the IBM eServer Cryptographic Accelerator (ICA). - - -Authors: --------- - Mike Halcrow - %prep -%setup -n openssl-ibmca-1.0.0-rc2 -%patch -p1 +%setup -q %patch1 -%patch2 -p1 +%patch2 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build autoreconf --force --install -export CFLAGS="$RPM_OPT_FLAGS" -export CPPFLAGS="$RPM_OPT_FLAGS" -./configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines +%configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines make %install @@ -78,14 +63,9 @@ make #(cd $RPM_BUILD_ROOT; libtool --finish ./%_libdir/engines) rm ${RPM_BUILD_ROOT}%{_libdir}/engines/libibmca.la -%post -%run_ldconfig - -%postun - %files %defattr(-, root, root) -%doc README +%doc README COPYING %doc openssl.cnf.sample %dir %{_libdir}/engines %{_libdir}/engines/libibmca.* diff --git a/openssl-pkey.patch b/openssl-pkey.patch new file mode 100644 index 0000000..1cc5976 --- /dev/null +++ b/openssl-pkey.patch @@ -0,0 +1,31 @@ +commit 6cdca2c3d655ef19d022fb3d8bcbf63491b79db2 +Author: Joy Latten +Date: Wed Mar 19 12:50:14 2014 -0500 + + Add flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE to EVP_MD so that signing method + comes from key type. + + Signed-off-by: Joy Latten + +diff --git a/e_ibmca.c b/e_ibmca.c +index f3fad35..9353470 100644 +--- a/e_ibmca.c ++++ b/e_ibmca.c +@@ -711,7 +711,7 @@ static const EVP_MD ibmca_sha1 = { + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_HASH_LENGTH, +- 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE, + ibmca_sha1_init, + ibmca_sha1_update, + ibmca_sha1_final, +@@ -728,7 +728,7 @@ static const EVP_MD ibmca_sha256 = { + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_HASH_LENGTH, +- 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE, + ibmca_sha256_init, + ibmca_sha256_update, + ibmca_sha256_final,