Compare commits
No commits in common. "factory" and "devel" have entirely different histories.
@ -1,67 +0,0 @@
|
||||
From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon, 8 Jan 2024 08:52:24 +0100
|
||||
Subject: [PATCH] engine: Enable external AES-GCM IV when libica is in FIPS
|
||||
mode
|
||||
|
||||
When the system is in FIPS mode, newer libica versions may prevent AES-GCM
|
||||
from being used with an external IV. FIPS requires that the AES-GCM IV is
|
||||
created libica internally via an approved random source.
|
||||
|
||||
The IBMCA engine can not support the internal generation of the AES-GCM IV,
|
||||
because the engine API for AES-GCM does not allow this. Applications using
|
||||
OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
|
||||
external IV.
|
||||
|
||||
Enable the use of external AES-GCM IVs for libica, if the used libica library
|
||||
supports this. Newer libica versions support to allow external AES-GCM IVs via
|
||||
function ica_allow_external_gcm_iv_in_fips_mode().
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/engine/e_ibmca.c | 12 +++++++++++-
|
||||
src/engine/ibmca.h | 1 +
|
||||
2 files changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
|
||||
index 6cbf745..afed3fe 100644
|
||||
--- a/src/engine/e_ibmca.c
|
||||
+++ b/src/engine/e_ibmca.c
|
||||
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
|
||||
ica_aes_gcm_last_t p_ica_aes_gcm_last;
|
||||
#endif
|
||||
ica_cleanup_t p_ica_cleanup;
|
||||
+ica_allow_external_gcm_iv_in_fips_mode_t
|
||||
+ p_ica_allow_external_gcm_iv_in_fips_mode;
|
||||
|
||||
/* save libcrypto's default ec methods */
|
||||
#ifndef NO_EC
|
||||
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
|
||||
BIND(ibmca_dso, ica_ed448_ctx_del);
|
||||
|
||||
/* ica_cleanup is not always present and only needed for newer libraries */
|
||||
- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
|
||||
+ BIND(ibmca_dso, ica_cleanup);
|
||||
+
|
||||
+ /*
|
||||
+ * Allow external AES-GCM IV when libica runs in FIPS mode.
|
||||
+ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
|
||||
+ * available with newer libraries.
|
||||
+ */
|
||||
+ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
|
||||
+ p_ica_allow_external_gcm_iv_in_fips_mode(1);
|
||||
|
||||
/* disable fallbacks on Libica */
|
||||
if (BIND(ibmca_dso, ica_set_fallback_mode))
|
||||
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
|
||||
index 7281a5b..01465eb 100644
|
||||
--- a/src/engine/ibmca.h
|
||||
+++ b/src/engine/ibmca.h
|
||||
@@ -617,6 +617,7 @@ typedef
|
||||
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
|
||||
|
||||
typedef void (*ica_cleanup_t)(void);
|
||||
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
|
||||
|
||||
/* entry points into libica, filled out at DSO load time */
|
||||
extern ica_get_functionlist_t p_ica_get_functionlist;
|
||||
@ -1,243 +0,0 @@
|
||||
From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed, 10 Jan 2024 15:08:47 +0100
|
||||
Subject: [PATCH] test/provider: Do not link against libica use dlopen instead
|
||||
|
||||
When an application links against libica (via -lica), then the libica library
|
||||
constructor runs before the program's main function. Libica's library
|
||||
constructor does initialize OpenSSL and thus parses the config file.
|
||||
|
||||
However, the test programs set up some OpenSSL configuration related
|
||||
environment variables within function check_libica() called from the
|
||||
main function. If libica has already initialized OpenSSL prior to that,
|
||||
OpenSSL won't initialize again, and thus these environment variables have
|
||||
no effect.
|
||||
|
||||
Dynamically load libica (via dlopen) only after setting the environment
|
||||
variables.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
configure.ac | 2 ++
|
||||
test/provider/Makefile.am | 15 +++++++++------
|
||||
test/provider/dhkey.c | 24 ++++++++++++++++++++++--
|
||||
test/provider/eckey.c | 24 ++++++++++++++++++++++--
|
||||
test/provider/rsakey.c | 24 ++++++++++++++++++++++--
|
||||
5 files changed, 77 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index b43a659..09df230 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
|
||||
[])
|
||||
AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
|
||||
|
||||
+AC_SUBST(libicaversion, "$libicaversion")
|
||||
+
|
||||
# If compiled against OpenSSL 3.0 or later, build the provider unless
|
||||
# explicitely disabled.
|
||||
# If build against OpenSSL 1.1.1, we can not build the provider.
|
||||
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
|
||||
index 15a5466..fce06b3 100644
|
||||
--- a/test/provider/Makefile.am
|
||||
+++ b/test/provider/Makefile.am
|
||||
@@ -24,24 +24,27 @@ TESTS = \
|
||||
check_PROGRAMS = rsakey eckey dhkey threadtest
|
||||
|
||||
dhkey_SOURCES = dhkey.c
|
||||
+dhkey_LDADD = -lcrypto -ldl
|
||||
if PROVIDER_FULL_LIBICA
|
||||
-dhkey_LDADD = -lcrypto -lica
|
||||
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||
else
|
||||
-dhkey_LDADD = -lcrypto -lica-cex
|
||||
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||
endif
|
||||
|
||||
eckey_SOURCES = eckey.c
|
||||
+eckey_LDADD = -lcrypto -ldl
|
||||
if PROVIDER_FULL_LIBICA
|
||||
-eckey_LDADD = -lcrypto -lica
|
||||
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||
else
|
||||
-eckey_LDADD = -lcrypto -lica-cex
|
||||
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||
endif
|
||||
|
||||
rsakey_SOURCES = rsakey.c
|
||||
+rsakey_LDADD = -lcrypto -ldl
|
||||
if PROVIDER_FULL_LIBICA
|
||||
-rsakey_LDADD = -lcrypto -lica
|
||||
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||
else
|
||||
-rsakey_LDADD = -lcrypto -lica-cex
|
||||
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||
endif
|
||||
|
||||
threadtest_SOURCES = threadtest.c
|
||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
||||
index 8829ecc..0ec2c03 100644
|
||||
--- a/test/provider/dhkey.c
|
||||
+++ b/test/provider/dhkey.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <dlfcn.h>
|
||||
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
|
||||
static const unsigned int required_ica_mechs_len =
|
||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||
|
||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||
+ unsigned int *);
|
||||
+
|
||||
int check_libica()
|
||||
{
|
||||
unsigned int mech_len, i, k, found = 0;
|
||||
libica_func_list_element *mech_list = NULL;
|
||||
+ void *ibmca_dso;
|
||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||
int rc;
|
||||
|
||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||
+ if (ibmca_dso == NULL) {
|
||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ p_ica_get_functionlist =
|
||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||
+ if (p_ica_get_functionlist == NULL) {
|
||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||
+ LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
return 77;
|
||||
@@ -373,7 +393,7 @@ int check_libica()
|
||||
return 77;
|
||||
}
|
||||
|
||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
free(mech_list);
|
||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
||||
index b2334d7..b8f47b7 100644
|
||||
--- a/test/provider/eckey.c
|
||||
+++ b/test/provider/eckey.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <dlfcn.h>
|
||||
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
|
||||
static const unsigned int required_ica_mechs_len =
|
||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||
|
||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||
+ unsigned int *);
|
||||
+
|
||||
int check_libica()
|
||||
{
|
||||
unsigned int mech_len, i, k, found = 0;
|
||||
libica_func_list_element *mech_list = NULL;
|
||||
+ void *ibmca_dso;
|
||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||
int rc;
|
||||
|
||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||
+ if (ibmca_dso == NULL) {
|
||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ p_ica_get_functionlist =
|
||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||
+ if (p_ica_get_functionlist == NULL) {
|
||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||
+ LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
return 77;
|
||||
@@ -806,7 +826,7 @@ int check_libica()
|
||||
return 77;
|
||||
}
|
||||
|
||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
free(mech_list);
|
||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
||||
index 366b503..9d6a618 100644
|
||||
--- a/test/provider/rsakey.c
|
||||
+++ b/test/provider/rsakey.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <dlfcn.h>
|
||||
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
|
||||
static const unsigned int required_ica_mechs_len =
|
||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||
|
||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||
+ unsigned int *);
|
||||
+
|
||||
int check_libica()
|
||||
{
|
||||
unsigned int mech_len, i, k, found = 0;
|
||||
libica_func_list_element *mech_list = NULL;
|
||||
+ void *ibmca_dso;
|
||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||
int rc;
|
||||
|
||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||
+ if (ibmca_dso == NULL) {
|
||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ p_ica_get_functionlist =
|
||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||
+ if (p_ica_get_functionlist == NULL) {
|
||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||
+ LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
return 77;
|
||||
@@ -753,7 +773,7 @@ int check_libica()
|
||||
return 77;
|
||||
}
|
||||
|
||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
free(mech_list);
|
||||
@ -1,61 +0,0 @@
|
||||
From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu, 18 Jan 2024 16:35:14 +0100
|
||||
Subject: [PATCH] test/provider: Explicitly initialize OpenSSL after setting
|
||||
env vars.
|
||||
|
||||
When running with a libica version without commit
|
||||
https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
|
||||
it is necessary to explicitly initialize OpenSSL before loading libica. Because
|
||||
otherwise libica's library constructor will initialize OpenSSL the first time,
|
||||
which in turn will load the IBMCA provider, and it will fall into the same
|
||||
problem as fixed by above libica commit, i.e. the provider won't be able to
|
||||
get the supported algorithms from libica an thus will not register any
|
||||
algorithms.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
test/provider/dhkey.c | 2 ++
|
||||
test/provider/eckey.c | 2 ++
|
||||
test/provider/rsakey.c | 2 ++
|
||||
3 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
||||
index 0ec2c03..b1270f5 100644
|
||||
--- a/test/provider/dhkey.c
|
||||
+++ b/test/provider/dhkey.c
|
||||
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
|
||||
return 77;
|
||||
}
|
||||
|
||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
+
|
||||
ret = check_libica();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
||||
index b8f47b7..a65bea5 100644
|
||||
--- a/test/provider/eckey.c
|
||||
+++ b/test/provider/eckey.c
|
||||
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
|
||||
return 77;
|
||||
}
|
||||
|
||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
+
|
||||
ret = check_libica();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
||||
index 9d6a618..874de6d 100644
|
||||
--- a/test/provider/rsakey.c
|
||||
+++ b/test/provider/rsakey.c
|
||||
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
|
||||
return 77;
|
||||
}
|
||||
|
||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
+
|
||||
ret = check_libica();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
@ -1,36 +0,0 @@
|
||||
From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon, 13 May 2024 08:53:56 +0200
|
||||
Subject: [PATCH] engine: Fix compile error on Fedora 40
|
||||
|
||||
ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
|
||||
from incompatible pointer type [-Wincompatible-pointer-types]
|
||||
627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/engine/ibmca_pkey.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
|
||||
index 9c8de94c..6cd8fcd9 100644
|
||||
--- a/src/engine/ibmca_pkey.c
|
||||
+++ b/src/engine/ibmca_pkey.c
|
||||
@@ -258,7 +258,7 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t
|
||||
|
||||
/* ED25519 */
|
||||
|
||||
-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
||||
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@@ -402,7 +402,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
|
||||
|
||||
/* ED448 */
|
||||
|
||||
-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
||||
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@ -1,170 +0,0 @@
|
||||
From e544577b41f22533d6e6188fc7fad22845d5e6ee Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon, 3 Feb 2025 13:36:47 +0100
|
||||
Subject: [PATCH] provider: Fix segfault with 'openssl list -key-managers
|
||||
-verbose'
|
||||
|
||||
Command 'openssl list -key-managers -verbose' calls OpenSSL function
|
||||
EVP_KEYMGMT_gen_settable_params() which in turn calls the provider's
|
||||
gen_settable_params() function, but with NULL for the keygen operation
|
||||
context. This causes segfaults in IBMCAs gen_settable_params() functions,
|
||||
as they assume that the keygen operation context is not NULL.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/provider/dh_keymgmt.c | 51 ++++++++++++++++++++++++++++++++++----
|
||||
src/provider/rsa_keymgmt.c | 31 +++++++++++++++++------
|
||||
2 files changed, 70 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c
|
||||
index d4d68bf..5e7e952 100644
|
||||
--- a/src/provider/dh_keymgmt.c
|
||||
+++ b/src/provider/dh_keymgmt.c
|
||||
@@ -43,6 +43,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_dh_gen_set_template;
|
||||
static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_dh_gen_set_params;
|
||||
static OSSL_FUNC_keymgmt_gen_settable_params_fn
|
||||
ibmca_keymgmt_dh_gen_settable_params;
|
||||
+static OSSL_FUNC_keymgmt_gen_settable_params_fn
|
||||
+ ibmca_keymgmt_dhx_gen_settable_params;
|
||||
static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_dh_gen;
|
||||
static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_dh_has;
|
||||
static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_dh_match;
|
||||
@@ -529,23 +531,62 @@ static int ibmca_keymgmt_dh_gen_set_params(void *vgenctx,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static const OSSL_PARAM ibmca_dh_op_ctx_settable_params[] = {
|
||||
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
|
||||
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
|
||||
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
|
||||
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_GENERATOR, NULL),
|
||||
+ OSSL_PARAM_END
|
||||
+};
|
||||
+
|
||||
+static const OSSL_PARAM ibmca_dhx_op_ctx_settable_params[] = {
|
||||
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
|
||||
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
|
||||
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
|
||||
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_QBITS, NULL),
|
||||
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, NULL, 0),
|
||||
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST_PROPS, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL),
|
||||
+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),
|
||||
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),
|
||||
+ OSSL_PARAM_END
|
||||
+};
|
||||
+
|
||||
static const OSSL_PARAM *ibmca_keymgmt_dh_gen_settable_params(void *vgenctx,
|
||||
void *vprovctx)
|
||||
{
|
||||
const struct ibmca_op_ctx *genctx = vgenctx;
|
||||
const struct ibmca_prov_ctx *provctx = vprovctx;
|
||||
- const OSSL_PARAM *p, *params;
|
||||
+ const OSSL_PARAM *params, *p;
|
||||
|
||||
UNUSED(genctx);
|
||||
|
||||
if (provctx == NULL)
|
||||
return NULL;
|
||||
|
||||
- if (genctx->dh.gen.pctx == NULL)
|
||||
- return NULL;
|
||||
+ params = ibmca_dh_op_ctx_settable_params;
|
||||
+ for (p = params; p != NULL && p->key != NULL; p++)
|
||||
+ ibmca_debug_ctx(provctx, "param: %s", p->key);
|
||||
|
||||
- params = EVP_PKEY_CTX_settable_params(genctx->dh.gen.pctx);
|
||||
+ return params;
|
||||
+}
|
||||
|
||||
+static const OSSL_PARAM *ibmca_keymgmt_dhx_gen_settable_params(void *vgenctx,
|
||||
+ void *vprovctx)
|
||||
+{
|
||||
+ const struct ibmca_op_ctx *genctx = vgenctx;
|
||||
+ const struct ibmca_prov_ctx *provctx = vprovctx;
|
||||
+ const OSSL_PARAM *params, *p;
|
||||
+
|
||||
+ UNUSED(genctx);
|
||||
+
|
||||
+ if (provctx == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ params = ibmca_dhx_op_ctx_settable_params;
|
||||
for (p = params; p != NULL && p->key != NULL; p++)
|
||||
ibmca_debug_ctx(provctx, "param: %s", p->key);
|
||||
|
||||
@@ -1964,7 +2005,7 @@ static const OSSL_DISPATCH ibmca_dhx_keymgmt_functions[] = {
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
|
||||
(void (*)(void))ibmca_keymgmt_dh_gen_set_params },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
|
||||
- (void (*)(void))ibmca_keymgmt_dh_gen_settable_params },
|
||||
+ (void (*)(void))ibmca_keymgmt_dhx_gen_settable_params },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_dh_gen },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
|
||||
(void (*)(void))ibmca_keymgmt_gen_cleanup },
|
||||
diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
|
||||
index ce49c88..2d7570a 100644
|
||||
--- a/src/provider/rsa_keymgmt.c
|
||||
+++ b/src/provider/rsa_keymgmt.c
|
||||
@@ -53,6 +53,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_rsa_gen_set_template;
|
||||
static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_rsa_gen_set_params;
|
||||
static OSSL_FUNC_keymgmt_gen_settable_params_fn
|
||||
ibmca_keymgmt_rsa_gen_settable_params;
|
||||
+static OSSL_FUNC_keymgmt_gen_settable_params_fn
|
||||
+ ibmca_keymgmt_rsa_pss_gen_settable_params;
|
||||
static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_rsa_gen;
|
||||
static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_rsa_has;
|
||||
static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_rsa_match;
|
||||
@@ -1071,19 +1073,34 @@ static const OSSL_PARAM *ibmca_keymgmt_rsa_gen_settable_params(void *vgenctx,
|
||||
{
|
||||
const struct ibmca_op_ctx *genctx = vgenctx;
|
||||
const struct ibmca_prov_ctx *provctx = vprovctx;
|
||||
-
|
||||
const OSSL_PARAM *params, *p;
|
||||
|
||||
+ UNUSED(genctx);
|
||||
+
|
||||
if (provctx == NULL)
|
||||
return NULL;
|
||||
|
||||
- ibmca_debug_ctx(provctx, "type: %d", genctx->type);
|
||||
+ params = ibmca_rsa_op_ctx_settable_params;
|
||||
+ for (p = params; p != NULL && p->key != NULL; p++)
|
||||
+ ibmca_debug_ctx(provctx, "param: %s", p->key);
|
||||
|
||||
- if (genctx->type == EVP_PKEY_RSA_PSS)
|
||||
- params = ibmca_rsa_pss_op_ctx_settable_params;
|
||||
- else
|
||||
- params = ibmca_rsa_op_ctx_settable_params;
|
||||
+ return params;
|
||||
+}
|
||||
|
||||
+static const OSSL_PARAM *ibmca_keymgmt_rsa_pss_gen_settable_params(
|
||||
+ void *vgenctx,
|
||||
+ void *vprovctx)
|
||||
+{
|
||||
+ const struct ibmca_op_ctx *genctx = vgenctx;
|
||||
+ const struct ibmca_prov_ctx *provctx = vprovctx;
|
||||
+ const OSSL_PARAM *params, *p;
|
||||
+
|
||||
+ UNUSED(genctx);
|
||||
+
|
||||
+ if (provctx == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ params = ibmca_rsa_pss_op_ctx_settable_params;
|
||||
for (p = params; p != NULL && p->key != NULL; p++)
|
||||
ibmca_debug_ctx(provctx, "param: %s", p->key);
|
||||
|
||||
@@ -2256,7 +2273,7 @@ static const OSSL_DISPATCH ibmca_rsapss_keymgmt_functions[] = {
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
|
||||
(void (*)(void))ibmca_keymgmt_rsa_gen_set_params },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
|
||||
- (void (*)(void))ibmca_keymgmt_rsa_gen_settable_params },
|
||||
+ (void (*)(void))ibmca_keymgmt_rsa_pss_gen_settable_params },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_rsa_gen },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
|
||||
(void (*)(void))ibmca_keymgmt_gen_cleanup },
|
||||
@ -1,80 +0,0 @@
|
||||
From 85b8c528759df2ef09028bc49a5ec103142820fb Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed, 5 Feb 2025 10:16:17 +0100
|
||||
Subject: [PATCH] provider: Fix segfault with 'openssl list
|
||||
-signature-algorithms -verbose'
|
||||
|
||||
Command 'openssl list -signature-algorithms -verbose' calls OpenSSL function
|
||||
EVP_SIGNATURE_settable_ctx_params() which in turn calls the provider's
|
||||
settable_ctx_params() function, but with NULL for the operation
|
||||
context. This causes segfaults in IBMCAs settable_ctx_params() functions,
|
||||
as they assume that the operation context is not NULL.
|
||||
|
||||
While at it, make sure that the settable/gettable_ctx_md_params() functions
|
||||
do not crash if called with a NULL context.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/provider/ec_signature.c | 2 +-
|
||||
src/provider/p_context.c | 14 ++++++++------
|
||||
src/provider/rsa_signature.c | 2 +-
|
||||
3 files changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/provider/ec_signature.c b/src/provider/ec_signature.c
|
||||
index 8d87ddd9..069601e3 100644
|
||||
--- a/src/provider/ec_signature.c
|
||||
+++ b/src/provider/ec_signature.c
|
||||
@@ -823,7 +823,7 @@ static const OSSL_PARAM *ibmca_signature_ec_settable_ctx_params(
|
||||
|
||||
ibmca_debug_ctx(provctx, "ctx: %p", ctx);
|
||||
|
||||
- if (ctx->ec.signature.set_md_allowed)
|
||||
+ if (ctx == NULL || ctx->ec.signature.set_md_allowed)
|
||||
params = ibmca_signature_ec_settable_params;
|
||||
else
|
||||
params = ibmca_signature_ec_settable_params_no_digest;
|
||||
diff --git a/src/provider/p_context.c b/src/provider/p_context.c
|
||||
index 135690e7..58285ba9 100644
|
||||
--- a/src/provider/p_context.c
|
||||
+++ b/src/provider/p_context.c
|
||||
@@ -392,9 +392,10 @@ const OSSL_PARAM *ibmca_gettable_ctx_md_params(const struct ibmca_op_ctx *ctx,
|
||||
ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
|
||||
|
||||
if (md == NULL) {
|
||||
- put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
|
||||
- "Digest sign/verify context not initialized");
|
||||
- return 0;
|
||||
+ if (ctx != NULL)
|
||||
+ put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
|
||||
+ "Digest sign/verify context not initialized");
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
params = EVP_MD_gettable_ctx_params(md);
|
||||
@@ -413,9 +414,10 @@ const OSSL_PARAM *ibmca_settable_ctx_md_params(const struct ibmca_op_ctx *ctx,
|
||||
ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
|
||||
|
||||
if (md == NULL) {
|
||||
- put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
|
||||
- "Digest sign/verify context not initialized");
|
||||
- return 0;
|
||||
+ if (ctx != NULL)
|
||||
+ put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
|
||||
+ "Digest sign/verify context not initialized");
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
params = EVP_MD_settable_ctx_params(md);
|
||||
diff --git a/src/provider/rsa_signature.c b/src/provider/rsa_signature.c
|
||||
index f7a0a91b..617bb999 100644
|
||||
--- a/src/provider/rsa_signature.c
|
||||
+++ b/src/provider/rsa_signature.c
|
||||
@@ -1814,7 +1814,7 @@ static const OSSL_PARAM *ibmca_signature_rsa_settable_ctx_params(
|
||||
|
||||
ibmca_debug_ctx(provctx, "ctx: %p", ctx);
|
||||
|
||||
- if (ctx->rsa.signature.set_md_allowed)
|
||||
+ if (ctx == NULL || ctx->rsa.signature.set_md_allowed)
|
||||
params = ibmca_signature_rsa_settable_params;
|
||||
else
|
||||
params = ibmca_signature_rsa_settable_params_no_digest;
|
||||
@ -1,52 +0,0 @@
|
||||
From 6bc53d814762b24045bfd5bb6003949a163fa58b Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue, 18 Feb 2025 09:00:59 +0100
|
||||
Subject: [PATCH] engine: Do not report errors if libica does not support EC
|
||||
key
|
||||
|
||||
In case EC key creation using libica fails (for whatever reason), and
|
||||
the software fallback is used to perform the operation, do not report
|
||||
the errors that have been put to the error stack by the failing attempt
|
||||
to use libica.
|
||||
|
||||
Fixes: a462093d2478b287cb9a7a25131788eba16b7640
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/engine/ibmca_ec.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
|
||||
index 5206ae3..c264f32 100644
|
||||
--- a/src/engine/ibmca_ec.c
|
||||
+++ b/src/engine/ibmca_ec.c
|
||||
@@ -337,7 +337,9 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
||||
}
|
||||
|
||||
/* Create ICA_EC_KEY object for private key */
|
||||
+ ERR_set_mark();
|
||||
ica_privkey = ibmca_ec_make_and_cache_ica_key((EC_KEY*)ecdh, &privlen);
|
||||
+ ERR_pop_to_mark();
|
||||
if (ica_privkey == NULL) {
|
||||
/* This curve is not supported by libica. */
|
||||
#ifdef OLDER_OPENSSL
|
||||
@@ -502,7 +504,9 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
||||
}
|
||||
|
||||
/* Create ICA_EC_KEY object */
|
||||
+ ERR_set_mark();
|
||||
icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
|
||||
+ ERR_pop_to_mark();
|
||||
if (icakey == NULL) {
|
||||
/* This curve is not supported by libica. */
|
||||
#ifdef OLDER_OPENSSL
|
||||
@@ -633,7 +637,9 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
||||
}
|
||||
|
||||
/* Create ICA_EC_KEY object */
|
||||
+ ERR_set_mark();
|
||||
icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
|
||||
+ ERR_pop_to_mark();
|
||||
if (icakey == NULL) {
|
||||
/* This curve is not supported by libica. */
|
||||
#ifdef OLDER_OPENSSL
|
||||
@ -1,29 +0,0 @@
|
||||
From 5cdcbf0d5b7169a60826c7c0893d7f59798fc409 Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed, 19 Feb 2025 13:48:12 +0100
|
||||
Subject: [PATCH] Fix compiler error for undefined ERR_pop_to_mark
|
||||
|
||||
ibmca_ec.c:342:5: error: implicit declaration of function
|
||||
'ERR_pop_to_mark' [-Wimplicit-function-declaration]
|
||||
342 | ERR_pop_to_mark();
|
||||
| ^~~~~~~~~~~~~~~
|
||||
|
||||
Fixes: 6bc53d814762b24045bfd5bb6003949a163fa58b
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/engine/ibmca_ec.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
|
||||
index c264f32..1bbb37e 100644
|
||||
--- a/src/engine/ibmca_ec.c
|
||||
+++ b/src/engine/ibmca_ec.c
|
||||
@@ -17,6 +17,7 @@
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <pthread.h>
|
||||
+#include <openssl/err.h>
|
||||
#include "ibmca.h"
|
||||
#include "e_ibmca_err.h"
|
||||
|
||||
@ -1,40 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 19 13:25:55 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied additonal patches(bsc#1237344)
|
||||
* openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
|
||||
* openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 5 10:28:31 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied additional patch (bsc#1236770)
|
||||
* openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
|
||||
for Provider: Fix segfault with 'openssl list -signature-algorithms -verbose'
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 4 09:00:25 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied a patch (bsc#1236770)
|
||||
* openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
|
||||
for openssl list -key-managers -verbose causes core dump
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570)
|
||||
- Removed obsolete patch
|
||||
* openssl1-rename-libica-files.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
- Applied patches(jsc#PED-10292)
|
||||
* openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
|
||||
* openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
|
||||
* openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
|
||||
* openssl-ibmca-04-engine-Fix-compile-error.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 16 06:11:44 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssl-ibmca
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -36,6 +36,12 @@ Name: openssl-ibmca-engine
|
||||
Name: openssl-ibmca-provider
|
||||
%endif
|
||||
|
||||
%if "%{flavor}" == "openssl1_1"
|
||||
%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d
|
||||
%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d
|
||||
Name: openssl1_1-ibmca
|
||||
%endif
|
||||
|
||||
Version: 2.4.1
|
||||
Release: 0
|
||||
Summary: The IBMCA OpenSSL dynamic engine
|
||||
@ -50,25 +56,28 @@ BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
###
|
||||
%if "%{flavor}" != "openssl1_1"
|
||||
BuildRequires: libica-devel >= 4.0.0
|
||||
BuildRequires: libica-tools >= 4.0.0
|
||||
BuildRequires: libopenssl-3-devel
|
||||
BuildRequires: libopenssl3
|
||||
Requires: libica4 >= 4.0.0
|
||||
Requires: libopenssl3
|
||||
%else
|
||||
BuildRequires: libica-openssl1_1-devel
|
||||
BuildRequires: libica-openssl1_1-tools
|
||||
BuildRequires: libopenssl-1_1-devel
|
||||
BuildRequires: libopenssl1_1
|
||||
BuildRequires: openssl
|
||||
Requires: libica4-openssl1_1
|
||||
Requires: libopenssl1_1
|
||||
%endif
|
||||
###
|
||||
ExclusiveArch: s390x
|
||||
|
||||
###
|
||||
Patch10: openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
|
||||
Patch11: openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
|
||||
Patch12: openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
|
||||
Patch13: openssl-ibmca-04-engine-Fix-compile-error.patch
|
||||
Patch14: openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
|
||||
Patch15: openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
|
||||
Patch16: openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
|
||||
Patch17: openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
|
||||
###
|
||||
%if "%{flavor}" == "openssl1_1"
|
||||
Patch001: openssl1-rename-libica-files.patch
|
||||
%endif
|
||||
|
||||
%description
|
||||
This package contains a shared object OpenSSL dynamic engine which interfaces
|
||||
@ -100,6 +109,11 @@ export CPPFLAGS="%{optflags}"
|
||||
--libdir=%{modulesdir}
|
||||
%endif
|
||||
|
||||
%if "%{flavor}" == "openssl1_1"
|
||||
%configure \
|
||||
--libdir=%{enginesdir}
|
||||
%endif
|
||||
|
||||
%make_build
|
||||
|
||||
%install
|
||||
@ -111,6 +125,10 @@ sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sa
|
||||
|
||||
%make_install
|
||||
|
||||
%if "%{flavor}" == "openssl1_1"
|
||||
rm -f %{buildroot}/%{enginesdir}/ibmca-provider.*
|
||||
%endif
|
||||
|
||||
%if "%{flavor}" == ""
|
||||
mkdir -p %{buildroot}/%{enginesdir}
|
||||
mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/
|
||||
@ -184,5 +202,10 @@ fi
|
||||
%{enginesdir}/ibmca.*
|
||||
%{_mandir}/man5/ibmca.5%{?ext_man}
|
||||
%endif
|
||||
%if "%{flavor}" == "openssl1_1"
|
||||
%doc src/engine/openssl.cnf.sample
|
||||
%{enginesdir}/ibmca.*
|
||||
%{_mandir}/man5/ibmca.5%{?ext_man}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
|
||||
65
openssl1-rename-libica-files.patch
Normal file
65
openssl1-rename-libica-files.patch
Normal file
@ -0,0 +1,65 @@
|
||||
--- openssl-ibmca-2.4.1/configure.ac 2023-09-21 08:52:43.000000000 +0200
|
||||
+++ changed/configure.ac 2024-04-17 10:13:02.267582864 +0200
|
||||
@@ -69,7 +69,7 @@
|
||||
# Checks for header files.
|
||||
AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \
|
||||
string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
|
||||
-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***]))
|
||||
+AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***]))
|
||||
|
||||
|
||||
# Checks for typedefs, structures, and compiler characteristics.
|
||||
@@ -81,15 +81,15 @@
|
||||
# Checks for library functions.
|
||||
AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc])
|
||||
AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [],
|
||||
- AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]),
|
||||
+ AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]),
|
||||
[#include <ica_api.h>])
|
||||
AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION],
|
||||
[openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"],
|
||||
[#include <openssl/core_names.h>])
|
||||
AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes])
|
||||
|
||||
-AC_ARG_WITH([libica-cex],
|
||||
- [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])],
|
||||
+AC_ARG_WITH([libica-openssl1_1-cex],
|
||||
+ [AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])],
|
||||
[usecexonly=${withval}],
|
||||
[])
|
||||
|
||||
@@ -99,11 +99,11 @@
|
||||
[libicaversion=4])
|
||||
|
||||
if test "x$usecexonly" = xyes; then
|
||||
- defaultlib="libica-cex.so.$libicaversion"
|
||||
- ica="ica-cex"
|
||||
+ defaultlib="libica-openssl1_1-cex.so.$libicaversion"
|
||||
+ ica="ica-openssl1_1-cex"
|
||||
else
|
||||
- defaultlib="libica.so.$libicaversion"
|
||||
- ica="ica"
|
||||
+ defaultlib="libica-openssl1_1.so.$libicaversion"
|
||||
+ ica="ica-openssl1_1"
|
||||
fi
|
||||
# In cex-only mode, testing the ciphers does not make any sense since
|
||||
# they will fall back to OpenSSL without the engine. So remove these
|
||||
@@ -135,7 +135,7 @@
|
||||
|
||||
|
||||
AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"])
|
||||
-AC_SUBST([ICA],["$ica"])
|
||||
+AC_SUBST([ICA],["$ica-openssl1_1"])
|
||||
|
||||
AC_CHECK_PROG([openssl_var],[openssl],[yes],[no])
|
||||
if test "x$openssl_var" != xyes; then
|
||||
@@ -169,7 +169,7 @@
|
||||
echo " default library: $defaultlib"
|
||||
echo "IBMCA provider: $enable_provider"
|
||||
if test "x$useproviderfulllibica" = xyes; then
|
||||
- echo " libica library: libica"
|
||||
+ echo " libica library: libica-openssl1_1"
|
||||
else
|
||||
- echo " libica library: libica-cex"
|
||||
+ echo " libica library: libica-openssl1_1-cex"
|
||||
fi
|
||||
Loading…
x
Reference in New Issue
Block a user