Sync changes to SLFO-1.2 branch

2025-08-20 10:00:09 +02:00
12 changed files with 768 additions and 43 deletions
--- a/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
+++ b/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
@@ -0,0 +1,67 @@
 From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Mon, 8 Jan 2024 08:52:24 +0100
 Subject: [PATCH] engine: Enable external AES-GCM IV when libica is in FIPS
 mode
 When the system is in FIPS mode, newer libica versions may prevent AES-GCM
 from being used with an external IV. FIPS requires that the AES-GCM IV is
 created libica internally via an approved random source.
 The IBMCA engine can not support the internal generation of the AES-GCM IV,
 because the engine API for AES-GCM does not allow this. Applications using
 OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
 external IV.
 Enable the use of external AES-GCM IVs for libica, if the used libica library
 supports this. Newer libica versions support to allow external AES-GCM IVs via
 function ica_allow_external_gcm_iv_in_fips_mode().
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 src/engine/e_ibmca.c | 12 +++++++++++-
 src/engine/ibmca.h   |  1 +
 2 files changed, 12 insertions(+), 1 deletion(-)
 diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
 index 6cbf745..afed3fe 100644
 --- a/src/engine/e_ibmca.c
 +++ b/src/engine/e_ibmca.c
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t      p_ica_aes_gcm_intermediate;
 ica_aes_gcm_last_t              p_ica_aes_gcm_last;
 #endif
 ica_cleanup_t                   p_ica_cleanup;
 +ica_allow_external_gcm_iv_in_fips_mode_t
 +                                p_ica_allow_external_gcm_iv_in_fips_mode;
 /* save libcrypto's default ec methods */
 #ifndef NO_EC
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
     BIND(ibmca_dso, ica_ed448_ctx_del);
     /* ica_cleanup is not always present and only needed for newer libraries */
 -    p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
 +    BIND(ibmca_dso, ica_cleanup);
 +
 +    /*
 +     * Allow external AES-GCM IV when libica runs in FIPS mode.
 +     * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
 +     * available with newer libraries.
 +     */
 +    if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
 +        p_ica_allow_external_gcm_iv_in_fips_mode(1);
     /* disable fallbacks on Libica */
     if (BIND(ibmca_dso, ica_set_fallback_mode))
 diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
 index 7281a5b..01465eb 100644
 --- a/src/engine/ibmca.h
 +++ b/src/engine/ibmca.h
@@ -617,6 +617,7 @@ typedef
 int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
 typedef void (*ica_cleanup_t)(void);
 +typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
 /* entry points into libica, filled out at DSO load time */
 extern ica_get_functionlist_t           p_ica_get_functionlist;
--- a/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
+++ b/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
@@ -0,0 +1,243 @@
 From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Wed, 10 Jan 2024 15:08:47 +0100
 Subject: [PATCH] test/provider: Do not link against libica use dlopen instead
 When an application links against libica (via -lica), then the libica library
 constructor runs before the program's main function. Libica's library
 constructor does initialize OpenSSL and thus parses the config file.
 However, the test programs set up some OpenSSL configuration related
 environment variables within function check_libica() called from the
 main function. If libica has already initialized OpenSSL prior to that,
 OpenSSL won't initialize again, and thus these environment variables have
 no effect.
 Dynamically load libica (via dlopen) only after setting the environment
 variables.
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 configure.ac              |  2 ++
 test/provider/Makefile.am | 15 +++++++++------
 test/provider/dhkey.c     | 24 ++++++++++++++++++++++--
 test/provider/eckey.c     | 24 ++++++++++++++++++++++--
 test/provider/rsakey.c    | 24 ++++++++++++++++++++++--
 5 files changed, 77 insertions(+), 12 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index b43a659..09df230 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
 	[])
 AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
 +AC_SUBST(libicaversion, "$libicaversion")
 +
 # If compiled against OpenSSL 3.0 or later, build the provider unless
 # explicitely disabled. 
 # If build against OpenSSL 1.1.1, we can not build the provider.
 diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
 index 15a5466..fce06b3 100644
 --- a/test/provider/Makefile.am
 +++ b/test/provider/Makefile.am
@@ -24,24 +24,27 @@ TESTS = \
 check_PROGRAMS = rsakey eckey dhkey threadtest
 dhkey_SOURCES = dhkey.c
 +dhkey_LDADD = -lcrypto -ldl
 if PROVIDER_FULL_LIBICA
 -dhkey_LDADD = -lcrypto -lica
 +dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
 else
 -dhkey_LDADD = -lcrypto -lica-cex
 +dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
 endif
 eckey_SOURCES = eckey.c
 +eckey_LDADD = -lcrypto -ldl
 if PROVIDER_FULL_LIBICA
 -eckey_LDADD = -lcrypto -lica
 +eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
 else
 -eckey_LDADD = -lcrypto -lica-cex
 +eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
 endif
 rsakey_SOURCES = rsakey.c
 +rsakey_LDADD = -lcrypto -ldl
 if PROVIDER_FULL_LIBICA
 -rsakey_LDADD = -lcrypto -lica
 +rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
 else
 -rsakey_LDADD = -lcrypto -lica-cex
 +rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
 endif
 threadtest_SOURCES = threadtest.c
 diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
 index 8829ecc..0ec2c03 100644
 --- a/test/provider/dhkey.c
 +++ b/test/provider/dhkey.c
@@ -18,6 +18,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 +#include <dlfcn.h>
 #include <openssl/conf.h>
 #include <openssl/evp.h>
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
 static const unsigned int required_ica_mechs_len =
                         sizeof(required_ica_mechs) / sizeof(unsigned int);
 +typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
 +                                               unsigned int *);
 +
 int check_libica()
 {
     unsigned int mech_len, i, k, found = 0;
     libica_func_list_element *mech_list = NULL;
 +    void *ibmca_dso;
 +    ica_get_functionlist_t p_ica_get_functionlist;
     int rc;
 -    rc = ica_get_functionlist(NULL, &mech_len);
 +    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
 +    if (ibmca_dso == NULL) {
 +        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
 +        return 77;
 +    }
 +
 +    p_ica_get_functionlist =
 +            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
 +    if (p_ica_get_functionlist == NULL) {
 +        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
 +                LIBICA_NAME);
 +        return 77;
 +    }
 +
 +    rc = p_ica_get_functionlist(NULL, &mech_len);
     if (rc != 0) {
         fprintf(stderr, "Failed to get function list from libica!\n");
         return 77;
@@ -373,7 +393,7 @@ int check_libica()
         return 77;
     }
 -    rc = ica_get_functionlist(mech_list, &mech_len);
 +    rc = p_ica_get_functionlist(mech_list, &mech_len);
     if (rc != 0) {
         fprintf(stderr, "Failed to get function list from libica!\n");
         free(mech_list);
 diff --git a/test/provider/eckey.c b/test/provider/eckey.c
 index b2334d7..b8f47b7 100644
 --- a/test/provider/eckey.c
 +++ b/test/provider/eckey.c
@@ -18,6 +18,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 +#include <dlfcn.h>
 #include <openssl/conf.h>
 #include <openssl/evp.h>
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
 static const unsigned int required_ica_mechs_len =
                         sizeof(required_ica_mechs) / sizeof(unsigned int);
 +typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
 +                                               unsigned int *);
 +
 int check_libica()
 {
     unsigned int mech_len, i, k, found = 0;
     libica_func_list_element *mech_list = NULL;
 +    void *ibmca_dso;
 +    ica_get_functionlist_t p_ica_get_functionlist;
     int rc;
 -    rc = ica_get_functionlist(NULL, &mech_len);
 +    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
 +    if (ibmca_dso == NULL) {
 +        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
 +        return 77;
 +    }
 +
 +    p_ica_get_functionlist =
 +            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
 +    if (p_ica_get_functionlist == NULL) {
 +        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
 +                LIBICA_NAME);
 +        return 77;
 +    }
 +
 +    rc = p_ica_get_functionlist(NULL, &mech_len);
     if (rc != 0) {
         fprintf(stderr, "Failed to get function list from libica!\n");
         return 77;
@@ -806,7 +826,7 @@ int check_libica()
         return 77;
     }
 -    rc = ica_get_functionlist(mech_list, &mech_len);
 +    rc = p_ica_get_functionlist(mech_list, &mech_len);
     if (rc != 0) {
         fprintf(stderr, "Failed to get function list from libica!\n");
         free(mech_list);
 diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
 index 366b503..9d6a618 100644
 --- a/test/provider/rsakey.c
 +++ b/test/provider/rsakey.c
@@ -18,6 +18,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 +#include <dlfcn.h>
 #include <openssl/conf.h>
 #include <openssl/evp.h>
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME,  RSA_CRT };
 static const unsigned int required_ica_mechs_len =
                         sizeof(required_ica_mechs) / sizeof(unsigned int);
 +typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
 +                                               unsigned int *);
 +
 int check_libica()
 {
     unsigned int mech_len, i, k, found = 0;
     libica_func_list_element *mech_list = NULL;
 +    void *ibmca_dso;
 +    ica_get_functionlist_t p_ica_get_functionlist;
     int rc;
 -    rc = ica_get_functionlist(NULL, &mech_len);
 +    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
 +    if (ibmca_dso == NULL) {
 +        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
 +        return 77;
 +    }
 +
 +    p_ica_get_functionlist =
 +            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
 +    if (p_ica_get_functionlist == NULL) {
 +        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
 +                LIBICA_NAME);
 +        return 77;
 +    }
 +
 +    rc = p_ica_get_functionlist(NULL, &mech_len);
     if (rc != 0) {
         fprintf(stderr, "Failed to get function list from libica!\n");
         return 77;
@@ -753,7 +773,7 @@ int check_libica()
         return 77;
     }
 -    rc = ica_get_functionlist(mech_list, &mech_len);
 +    rc = p_ica_get_functionlist(mech_list, &mech_len);
     if (rc != 0) {
         fprintf(stderr, "Failed to get function list from libica!\n");
         free(mech_list);
--- a/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
+++ b/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
@@ -0,0 +1,61 @@
 From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Thu, 18 Jan 2024 16:35:14 +0100
 Subject: [PATCH] test/provider: Explicitly initialize OpenSSL after setting
 env vars.
 When running with a libica version without commit
 https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
 it is necessary to explicitly initialize OpenSSL before loading libica. Because
 otherwise libica's library constructor will initialize OpenSSL the first time,
 which in turn will load the IBMCA provider, and it will fall into the same
 problem as fixed by above libica commit, i.e. the provider won't be able to
 get the supported algorithms from libica an thus will not register any
 algorithms.
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 test/provider/dhkey.c  | 2 ++
 test/provider/eckey.c  | 2 ++
 test/provider/rsakey.c | 2 ++
 3 files changed, 6 insertions(+)
 diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
 index 0ec2c03..b1270f5 100644
 --- a/test/provider/dhkey.c
 +++ b/test/provider/dhkey.c
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
         return 77;
     }
 +    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
 +
     ret = check_libica();
     if (ret != 0)
         return ret;
 diff --git a/test/provider/eckey.c b/test/provider/eckey.c
 index b8f47b7..a65bea5 100644
 --- a/test/provider/eckey.c
 +++ b/test/provider/eckey.c
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
         return 77;
     }
 +    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
 +
     ret = check_libica();
     if (ret != 0)
         return ret;
 diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
 index 9d6a618..874de6d 100644
 --- a/test/provider/rsakey.c
 +++ b/test/provider/rsakey.c
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
         return 77;
     }
 +    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
 +
     ret = check_libica();
     if (ret != 0)
         return ret;
--- a/openssl-ibmca-04-engine-Fix-compile-error.patch
+++ b/openssl-ibmca-04-engine-Fix-compile-error.patch
@@ -0,0 +1,36 @@
 From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Mon, 13 May 2024 08:53:56 +0200
 Subject: [PATCH] engine: Fix compile error on Fedora 40
 ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
 from incompatible pointer type [-Wincompatible-pointer-types]
      627 |     EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 src/engine/ibmca_pkey.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
 index 9c8de94c..6cd8fcd9 100644
 --- a/src/engine/ibmca_pkey.c
 +++ b/src/engine/ibmca_pkey.c
@@ -258,7 +258,7 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t
 /* ED25519 */
 -static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
 +static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
 {
     return 1;
 }
@@ -402,7 +402,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
 /* ED448 */
 -static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
 +static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
 {
     return 1;
 }
--- a/openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
+++ b/openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
@@ -0,0 +1,170 @@
 From e544577b41f22533d6e6188fc7fad22845d5e6ee Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Mon, 3 Feb 2025 13:36:47 +0100
 Subject: [PATCH] provider: Fix segfault with 'openssl list -key-managers
 -verbose'
 Command 'openssl list -key-managers -verbose' calls OpenSSL function
 EVP_KEYMGMT_gen_settable_params() which in turn calls the provider's
 gen_settable_params() function, but with NULL for the keygen operation
 context. This causes segfaults in IBMCAs gen_settable_params() functions,
 as they assume that the keygen operation context is not NULL.
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 src/provider/dh_keymgmt.c  | 51 ++++++++++++++++++++++++++++++++++----
 src/provider/rsa_keymgmt.c | 31 +++++++++++++++++------
 2 files changed, 70 insertions(+), 12 deletions(-)
 diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c
 index d4d68bf..5e7e952 100644
 --- a/src/provider/dh_keymgmt.c
 +++ b/src/provider/dh_keymgmt.c
@@ -43,6 +43,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_dh_gen_set_template;
 static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_dh_gen_set_params;
 static OSSL_FUNC_keymgmt_gen_settable_params_fn
                                         ibmca_keymgmt_dh_gen_settable_params;
 +static OSSL_FUNC_keymgmt_gen_settable_params_fn
 +                                        ibmca_keymgmt_dhx_gen_settable_params;
 static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_dh_gen;
 static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_dh_has;
 static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_dh_match;
@@ -529,23 +531,62 @@ static int ibmca_keymgmt_dh_gen_set_params(void *vgenctx,
     return 1;
 }
 +static const OSSL_PARAM ibmca_dh_op_ctx_settable_params[] = {
 +    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
 +    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
 +    OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
 +    OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
 +    OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_GENERATOR, NULL),
 +    OSSL_PARAM_END
 +};
 +
 +static const OSSL_PARAM ibmca_dhx_op_ctx_settable_params[] = {
 +    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
 +    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
 +    OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
 +    OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
 +    OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_QBITS, NULL),
 +    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, NULL, 0),
 +    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST_PROPS, NULL, 0),
 +    OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL),
 +    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),
 +    OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),
 +    OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),
 +    OSSL_PARAM_END
 +};
 +
 static const OSSL_PARAM *ibmca_keymgmt_dh_gen_settable_params(void *vgenctx,
                                                               void *vprovctx)
 {
     const struct ibmca_op_ctx *genctx = vgenctx;
     const struct ibmca_prov_ctx *provctx = vprovctx;
 -    const OSSL_PARAM *p, *params;
 +    const OSSL_PARAM *params, *p;
     UNUSED(genctx);
     if (provctx == NULL)
         return NULL;
 -    if (genctx->dh.gen.pctx == NULL)
 -        return NULL;
 +    params = ibmca_dh_op_ctx_settable_params;
 +    for (p = params; p != NULL && p->key != NULL; p++)
 +        ibmca_debug_ctx(provctx, "param: %s", p->key);
 -    params = EVP_PKEY_CTX_settable_params(genctx->dh.gen.pctx);
 +    return params;
 +}
 +static const OSSL_PARAM *ibmca_keymgmt_dhx_gen_settable_params(void *vgenctx,
 +                                                               void *vprovctx)
 +{
 +    const struct ibmca_op_ctx *genctx = vgenctx;
 +    const struct ibmca_prov_ctx *provctx = vprovctx;
 +    const OSSL_PARAM *params, *p;
 +
 +    UNUSED(genctx);
 +
 +    if (provctx == NULL)
 +        return NULL;
 +
 +    params = ibmca_dhx_op_ctx_settable_params;
     for (p = params; p != NULL && p->key != NULL; p++)
         ibmca_debug_ctx(provctx, "param: %s", p->key);
@@ -1964,7 +2005,7 @@ static const OSSL_DISPATCH ibmca_dhx_keymgmt_functions[] = {
     { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
             (void (*)(void))ibmca_keymgmt_dh_gen_set_params },
     { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
 -            (void (*)(void))ibmca_keymgmt_dh_gen_settable_params },
 +            (void (*)(void))ibmca_keymgmt_dhx_gen_settable_params },
     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_dh_gen },
     { OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
               (void (*)(void))ibmca_keymgmt_gen_cleanup },
 diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
 index ce49c88..2d7570a 100644
 --- a/src/provider/rsa_keymgmt.c
 +++ b/src/provider/rsa_keymgmt.c
@@ -53,6 +53,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_rsa_gen_set_template;
 static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_rsa_gen_set_params;
 static OSSL_FUNC_keymgmt_gen_settable_params_fn
                                         ibmca_keymgmt_rsa_gen_settable_params;
 +static OSSL_FUNC_keymgmt_gen_settable_params_fn
 +                                    ibmca_keymgmt_rsa_pss_gen_settable_params;
 static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_rsa_gen;
 static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_rsa_has;
 static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_rsa_match;
@@ -1071,19 +1073,34 @@ static const OSSL_PARAM *ibmca_keymgmt_rsa_gen_settable_params(void *vgenctx,
 {
     const struct ibmca_op_ctx *genctx = vgenctx;
     const struct ibmca_prov_ctx *provctx = vprovctx;
 -
     const OSSL_PARAM *params, *p;
 +    UNUSED(genctx);
 +
     if (provctx == NULL)
         return NULL;
 -    ibmca_debug_ctx(provctx, "type: %d", genctx->type);
 +    params = ibmca_rsa_op_ctx_settable_params;
 +    for (p = params; p != NULL && p->key != NULL; p++)
 +        ibmca_debug_ctx(provctx, "param: %s", p->key);
 -    if (genctx->type == EVP_PKEY_RSA_PSS)
 -        params = ibmca_rsa_pss_op_ctx_settable_params;
 -    else
 -        params = ibmca_rsa_op_ctx_settable_params;
 +    return params;
 +}
 +static const OSSL_PARAM *ibmca_keymgmt_rsa_pss_gen_settable_params(
 +                                                               void *vgenctx,
 +                                                               void *vprovctx)
 +{
 +    const struct ibmca_op_ctx *genctx = vgenctx;
 +    const struct ibmca_prov_ctx *provctx = vprovctx;
 +    const OSSL_PARAM *params, *p;
 +
 +    UNUSED(genctx);
 +
 +    if (provctx == NULL)
 +        return NULL;
 +
 +    params = ibmca_rsa_pss_op_ctx_settable_params;
     for (p = params; p != NULL && p->key != NULL; p++)
         ibmca_debug_ctx(provctx, "param: %s", p->key);
@@ -2256,7 +2273,7 @@ static const OSSL_DISPATCH ibmca_rsapss_keymgmt_functions[] = {
     { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
             (void (*)(void))ibmca_keymgmt_rsa_gen_set_params },
     { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
 -            (void (*)(void))ibmca_keymgmt_rsa_gen_settable_params },
 +            (void (*)(void))ibmca_keymgmt_rsa_pss_gen_settable_params },
     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_rsa_gen },
     { OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
             (void (*)(void))ibmca_keymgmt_gen_cleanup },
--- a/openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
+++ b/openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
@@ -0,0 +1,80 @@
 From 85b8c528759df2ef09028bc49a5ec103142820fb Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Wed, 5 Feb 2025 10:16:17 +0100
 Subject: [PATCH] provider: Fix segfault with 'openssl list
 -signature-algorithms -verbose'
 Command 'openssl list -signature-algorithms -verbose' calls OpenSSL function
 EVP_SIGNATURE_settable_ctx_params() which in turn calls the provider's
 settable_ctx_params() function, but with NULL for the operation
 context. This causes segfaults in IBMCAs settable_ctx_params() functions,
 as they assume that the operation context is not NULL.
 While at it, make sure that the settable/gettable_ctx_md_params() functions
 do not crash if called with a NULL context.
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 src/provider/ec_signature.c  |  2 +-
 src/provider/p_context.c     | 14 ++++++++------
 src/provider/rsa_signature.c |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)
 diff --git a/src/provider/ec_signature.c b/src/provider/ec_signature.c
 index 8d87ddd9..069601e3 100644
 --- a/src/provider/ec_signature.c
 +++ b/src/provider/ec_signature.c
@@ -823,7 +823,7 @@ static const OSSL_PARAM *ibmca_signature_ec_settable_ctx_params(
     ibmca_debug_ctx(provctx, "ctx: %p", ctx);
 -    if (ctx->ec.signature.set_md_allowed)
 +    if (ctx == NULL || ctx->ec.signature.set_md_allowed)
         params = ibmca_signature_ec_settable_params;
     else
         params = ibmca_signature_ec_settable_params_no_digest;
 diff --git a/src/provider/p_context.c b/src/provider/p_context.c
 index 135690e7..58285ba9 100644
 --- a/src/provider/p_context.c
 +++ b/src/provider/p_context.c
@@ -392,9 +392,10 @@ const OSSL_PARAM *ibmca_gettable_ctx_md_params(const struct ibmca_op_ctx *ctx,
     ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
     if (md == NULL) {
 -        put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
 -                         "Digest sign/verify context not initialized");
 -        return 0;
 +        if (ctx != NULL)
 +            put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
 +                             "Digest sign/verify context not initialized");
 +        return NULL;
     }
     params = EVP_MD_gettable_ctx_params(md);
@@ -413,9 +414,10 @@ const OSSL_PARAM *ibmca_settable_ctx_md_params(const struct ibmca_op_ctx *ctx,
     ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
     if (md == NULL) {
 -        put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
 -                         "Digest sign/verify context not initialized");
 -        return 0;
 +        if (ctx != NULL)
 +            put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
 +                            "Digest sign/verify context not initialized");
 +        return NULL;
     }
     params = EVP_MD_settable_ctx_params(md);
 diff --git a/src/provider/rsa_signature.c b/src/provider/rsa_signature.c
 index f7a0a91b..617bb999 100644
 --- a/src/provider/rsa_signature.c
 +++ b/src/provider/rsa_signature.c
@@ -1814,7 +1814,7 @@ static const OSSL_PARAM *ibmca_signature_rsa_settable_ctx_params(
     ibmca_debug_ctx(provctx, "ctx: %p", ctx);
 -    if (ctx->rsa.signature.set_md_allowed)
 +    if (ctx == NULL || ctx->rsa.signature.set_md_allowed)
         params = ibmca_signature_rsa_settable_params;
     else
         params = ibmca_signature_rsa_settable_params_no_digest;
--- a/openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
+++ b/openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
@@ -0,0 +1,52 @@
 From 6bc53d814762b24045bfd5bb6003949a163fa58b Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Tue, 18 Feb 2025 09:00:59 +0100
 Subject: [PATCH] engine: Do not report errors if libica does not support EC
 key
 In case EC key creation using libica fails (for whatever reason), and
 the software fallback is used to perform the operation, do not report
 the errors that have been put to the error stack by the failing attempt
 to use libica.
 Fixes: a462093d2478b287cb9a7a25131788eba16b7640
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 src/engine/ibmca_ec.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
 index 5206ae3..c264f32 100644
 --- a/src/engine/ibmca_ec.c
 +++ b/src/engine/ibmca_ec.c
@@ -337,7 +337,9 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
     }
     /* Create ICA_EC_KEY object for private key */
 +    ERR_set_mark();
     ica_privkey = ibmca_ec_make_and_cache_ica_key((EC_KEY*)ecdh, &privlen);
 +    ERR_pop_to_mark();
     if (ica_privkey == NULL) {
         /* This curve is not supported by libica. */
     #ifdef OLDER_OPENSSL
@@ -502,7 +504,9 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
     }
     /* Create ICA_EC_KEY object */
 +    ERR_set_mark();
     icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
 +    ERR_pop_to_mark();
     if (icakey == NULL) {
         /* This curve is not supported by libica. */
  #ifdef OLDER_OPENSSL
@@ -633,7 +637,9 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
     }
     /* Create ICA_EC_KEY object */
 +    ERR_set_mark();
     icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
 +    ERR_pop_to_mark();
     if (icakey == NULL) {
         /* This curve is not supported by libica. */
  #ifdef OLDER_OPENSSL
--- a/openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
+++ b/openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
@@ -0,0 +1,29 @@
 From 5cdcbf0d5b7169a60826c7c0893d7f59798fc409 Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Wed, 19 Feb 2025 13:48:12 +0100
 Subject: [PATCH] Fix compiler error for undefined ERR_pop_to_mark
    ibmca_ec.c:342:5: error: implicit declaration of function
           'ERR_pop_to_mark' [-Wimplicit-function-declaration]
      342 |     ERR_pop_to_mark();
          |     ^~~~~~~~~~~~~~~
 Fixes: 6bc53d814762b24045bfd5bb6003949a163fa58b
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 src/engine/ibmca_ec.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
 index c264f32..1bbb37e 100644
 --- a/src/engine/ibmca_ec.c
 +++ b/src/engine/ibmca_ec.c
@@ -17,6 +17,7 @@
 #include <stdlib.h>
 #include <pthread.h>
 +#include <openssl/err.h>
 #include "ibmca.h"
 #include "e_ibmca_err.h"
--- a/openssl-ibmca-2.4.1.tar.gz
+++ b/openssl-ibmca-2.4.1.tar.gz
--- a/openssl-ibmca-2.5.0.tar.gz
+++ b/openssl-ibmca-2.5.0.tar.gz
@@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5903c029ef3fc98e17e4209450df554819ceee548b3a6eeb6d55983a1d55843c
 size 225937
--- a/openssl-ibmca.changes
+++ b/openssl-ibmca.changes
@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Mon Jul 28 06:30:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Mon Aug 18 06:03:41 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 - Amended the .spec file (bsc#1246931)
  * removed obsolete engine-related content(files), IBMCA engine is deprecated
@@ -11,61 +11,37 @@ Mon Jul 28 06:30:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  * Source2:        _multibuild
 -------------------------------------------------------------------
-Wed Apr 23 08:33:06 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Wed Feb 19 13:38:24 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 - Upgrade openssl-ibmca to version 2.5.0
  * Provider: Add support for OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ on import
  * Provider: Add support for SignMessage and VerifyMessage API for ECDSA and RSA
  * Provider: Allow the DHKEM-IKM option for EC keygen, but use fallback provider
  * Provider: Allow ECDSA deterministic signatures, but use fallback
  * Engine: Enable external AES-GCM IV when libica is in FIPS mode
  * Bug fixes   
 - Removed obsolete patches
  * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
  * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
  * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
  * openssl-ibmca-04-engine-Fix-compile-error.patch
  * openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
  * openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
  * openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
  * openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
 -------------------------------------------------------------------
 Wed Feb 19 13:25:55 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 - Applied additonal patches(bsc#1237344)
  * openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
  * openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
 -------------------------------------------------------------------
-Wed Feb  5 10:28:31 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Wed Feb  5 10:40:59 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 - Applied additional patch (bsc#1236770)
 * openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
-   for Provider: Fix segfault with 'openssl list  -signature-algorithms -verbose'
+   for Provider: Fix segfault with 'openssl list  -signature-algorithms -verbose' 
 -------------------------------------------------------------------
-Tue Feb  4 09:00:25 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Tue Feb  4 09:17:34 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1236770) 
+- Applied a patch (bsc#1236770)
-  * openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch 
+  * openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
    for openssl list -key-managers -verbose causes core dump
 -------------------------------------------------------------------
-Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Tue Nov  5 11:19:06 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 - Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570)
 - Removed obsolete patch
  * openssl1-rename-libica-files.patch
 -------------------------------------------------------------------
 Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 - Applied patches(jsc#PED-10292)
  * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
  * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
  * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
-  * openssl-ibmca-04-engine-Fix-compile-error.patch 
+  * openssl-ibmca-04-engine-Fix-compile-error.patch
 - Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570)
 - Removed obsolete patch
  * openssl1-rename-libica-files.patch
 -------------------------------------------------------------------
 Tue Jul 16 06:11:44 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-ibmca
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,9 +19,9 @@
 %global modulesdir %(pkg-config --variable=modulesdir libcrypto)
 Name:           openssl-ibmca
-Version:        2.5.0
+Version:        2.4.1
 Release:        0
-Summary:        OpenSSL engine and provider for libica
+Summary:        The IBMCA OpenSSL dynamic engine
 License:        Apache-2.0
 Group:          Hardware/Other
 URL:            https://github.com/opencryptoki/openssl-ibmca
@@ -39,10 +39,21 @@ Requires:       libica4 >= 4.0.0
 Requires:       libopenssl3
 ###
 ExclusiveArch:  s390x
 ###
 Patch10:        openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
 Patch11:        openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
 Patch12:        openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
 Patch13:        openssl-ibmca-04-engine-Fix-compile-error.patch
 Patch14:        openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
 Patch15:        openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
 Patch16:        openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
 Patch17:        openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
 ###
 %description
-OpenSSL engine and provider that uses the libica library under s390x to accelerate cryptographic operations
+This package contains a shared object OpenSSL dynamic engine which interfaces
 to libica, a library enabling the IBM s390/x CPACF crypto instructions.
 %prep
 %autosetup -p1 -n openssl-ibmca-%{version}