1
0
forked from pool/openssl-ibmca
Dominique Leuenberger 2015-03-27 08:39:56 +00:00 committed by Git OBS Bridge
parent c1b4002565
commit ca089ef5ad
12 changed files with 207 additions and 620 deletions

View File

@ -1,67 +0,0 @@
--- openssl-ibmca-1.0.0-rc2/configure.in 2006/03/28 08:09:45 1.1
+++ openssl-ibmca-1.0.0-rc2/configure.in 2006/03/28 08:09:54
@@ -21,39 +21,16 @@
fi
fi
-OPENSSL_LIB_DIR="/usr/local/ssl/lib"
+# OpenSSL location
+AC_MSG_CHECKING([OpenSSL])
+AC_CHECK_LIB(crypto, RAND_add, [LIBCRYPTO="-lcrypto"], \
+ AC_MSG_ERROR([*** libcrypto not found]))
# libica
AC_MSG_CHECKING([libICA])
AC_CHECK_LIB(ica, icaOpenAdapter, [LIBICA="-lica"], \
- AC_MSG_ERROR([*** libICA not found]))
-
-# OpenSSL location
-AC_MSG_CHECKING([OpenSSL location])
-AC_ARG_WITH(openssl,
- [ --with-openssl=PATH Location of openssl libs/includes],
- [OPENSSL_INCLUDE_DIR="$withval/include"
- OPENSSL_LIB_DIR="$withval/lib"
- if [[ ! -d $OPENSSL_INCLUDE_DIR -o ! -d $OPENSSL_LIB_DIR ]]; then
- AC_MSG_ERROR([$OPENSSL_INCLUDE_DIR or $OPENSSL_LIB_DIR doen't exist!])
- else
- AC_MSG_RESULT([yes])
- CFLAGS="$CFLAGS -L$OPENSSL_LIB_DIR -I$OPENSSL_INCLUDE_DIR"
- fi],
- [AC_MSG_RESULT([no])
- AC_SUBST([OPENSSL_LIB_DIR], [/usr/local/ssl/lib])
- AC_SUBST([OPENSSL_INCLUDE_DIR], [/usr/local/ssl/include]) ] )
-
-# Is the library specified?
-AC_MSG_CHECKING([Engines library directory])
-AC_ARG_WITH(engines-dir,
- [ --with-engines-dir=PATH Location of OpenSSL engines],
- [OPENSSL_ENGINES_DIR="$withval/"],
- [AC_MSG_RESULT([no])
- AC_SUBST([OPENSSL_ENGINES_DIR], [$OPENSSL_LIB_DIR/engines])])
+ AC_MSG_ERROR([*** libICA not found]),-lssl)
-# for the correct install target
-libdir=$OPENSSL_ENGINES_DIR
AC_DISABLE_STATIC
AC_PROG_CC
@@ -61,6 +38,8 @@
CFLAGS="$CFLAGS -Wall"
AC_SUBST(CFLAGS)
+AC_SUBST(LIBCRYPTO)
+AC_SUBST(LIBICA)
AC_OUTPUT(Makefile openssl.cnf.sample)
--- openssl-ibmca-1.0.0-rc2/Makefile.am 2006/03/28 08:06:46 1.1
+++ openssl-ibmca-1.0.0-rc2/Makefile.am 2006/03/28 08:07:34
@@ -1,7 +1,4 @@
lib_LTLIBRARIES=libibmca.la
-libibmca_la_LIBADD=@OPENSSL_LIB_DIR@/libcrypto.a
-libibmca_la_LDFLAGS=-lc
-libibmca_la_CFLAGS=-I@OPENSSL_INCLUDE_DIR@
-AM_CFLAGS=-I@OPENSSL_INCLUDE_DIR@
+libibmca_la_LDFLAGS=@LIBICA@ @LIBCRYPTO@ -lc
libibmca_la_SOURCES=e_ibmca.c e_ibmca.h e_ibmca_err.c

View File

@ -1,202 +0,0 @@
Index: openssl-ibmca-1.0.0-rc2/e_ibmca.c
===================================================================
--- openssl-ibmca-1.0.0-rc2.orig/e_ibmca.c 2005-12-16 14:45:43.000000000 -0600
+++ openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-14 18:03:31.000000000 -0600
@@ -1582,133 +1582,92 @@
} // end ibmca_sha256_cleanup
#endif // OPENSSL_NO_SHA256
-static int ibmca_mod_exp(BIGNUM * r, const BIGNUM * a, const BIGNUM * p,
- const BIGNUM * m, BN_CTX * ctx)
+static int ibmca_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx)
{
- /* I need somewhere to store temporary serialised values for
- * use with the Ibmca API calls. A neat cheat - I'll use
- * BIGNUMs from the BN_CTX but access their arrays directly as
- * byte arrays <grin>. This way I don't have to clean anything
- * up. */
-
- BIGNUM *argument = NULL;
- BIGNUM *result = NULL;
- BIGNUM *key = NULL;
- int to_return;
+ char *argument;
+ char *result;
+ char *key;
+ ICA_KEY_RSA_MODEXPO *pubkey;
int inLen, outLen, tmpLen;
-
-
-
- ICA_KEY_RSA_MODEXPO *publKey = NULL;
unsigned int rc;
-
- to_return = 0; /* expect failure */
+ int to_return = 0; /* fail code set by default */
if (!ibmca_dso) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_NOT_LOADED);
goto err;
}
- /* Prepare the params */
- BN_CTX_start(ctx);
- argument = BN_CTX_get(ctx);
- result = BN_CTX_get(ctx);
- key = BN_CTX_get(ctx);
-
- if (!argument || !result || !key) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_CTX_FULL);
- goto err;
- }
-
-
- if (!bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top) ||
- !bn_wexpand(key, sizeof(*publKey) / BN_BYTES)) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_EXPAND_FAIL);
- goto err;
- }
-
- publKey = (ICA_KEY_RSA_MODEXPO *) key->d;
-
- if (publKey == NULL) {
+ outLen = BN_num_bytes(m);
+ argument = malloc(outLen);
+ if (!argument) {
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
- memset(publKey, 0, sizeof(ICA_KEY_RSA_MODEXPO));
-
- publKey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE);
- publKey->keyLength =
- CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO));
- publKey->expOffset =
- (char *) publKey->keyRecord - (char *) publKey;
-
- /* A quirk of the card: the exponent length has to be the same
- as the modulus (key) length */
-
- outLen = BN_num_bytes(m);
-
-/* check for modulus length SAB*/
- if (outLen > 256) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP,
- IBMCA_R_MEXP_LENGTH_TO_LARGE);
+ result = malloc(outLen);
+ if (!result) {
+ free(argument);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
-/* check for modulus length SAB*/
-
-
- publKey->expLength = publKey->nLength = outLen;
-/* SAB Check for underflow condition
- the size of the exponent is less than the size of the parameter
- then we have a big problem and will underflow the keyRecord
- buffer. Bad stuff could happen then
-*/
- if (outLen < BN_num_bytes(p)) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP,
- IBMCA_R_UNDERFLOW_KEYRECORD);
+ key = malloc(sizeof(*pubkey));
+ if (!key) {
+ free(argument);
+ free(result);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
-/* SAB End check for underflow */
-
-
- BN_bn2bin(p, &publKey->keyRecord[publKey->expLength -
- BN_num_bytes(p)]);
- BN_bn2bin(m, &publKey->keyRecord[publKey->expLength]);
-
-
-
- publKey->modulusBitLength =
- CORRECT_ENDIANNESS(publKey->nLength * 8);
- publKey->nOffset =
- CORRECT_ENDIANNESS(publKey->expOffset + publKey->expLength);
-
- publKey->expOffset =
- CORRECT_ENDIANNESS((char *) publKey->keyRecord -
- (char *) publKey);
-
+ pubkey = (ICA_KEY_RSA_MODEXPO *)key;
+ memset(pubkey, 0, sizeof(*pubkey));
+ pubkey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE);
+ pubkey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO));
+ pubkey->expOffset = (char *)pubkey->keyRecord - (char *)pubkey;
+#define IBMCA_MAX_EXP_LEN 256
+ if (outLen > IBMCA_MAX_EXP_LEN) {
+ free(argument);
+ free(result);
+ free(key);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_MEXP_LENGTH_TO_LARGE);
+ goto err;
+ }
+ pubkey->expLength = pubkey->nLength = outLen;
+ if (outLen < BN_num_bytes(p)) { /* Key record underflow check */
+ free(argument);
+ free(result);
+ free(key);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_UNDERFLOW_KEYRECORD);
+ goto err;
+ }
+ BN_bn2bin(p,
+ &pubkey->keyRecord[(pubkey->expLength - BN_num_bytes(p))]);
+ BN_bn2bin(m, &pubkey->keyRecord[pubkey->expLength]);
+ pubkey->modulusBitLength = CORRECT_ENDIANNESS((pubkey->nLength * 8));
+ pubkey->nOffset =
+ CORRECT_ENDIANNESS((pubkey->expOffset + pubkey->expLength));
+ pubkey->expOffset = CORRECT_ENDIANNESS(((char *)pubkey->keyRecord -
+ (char *)pubkey));
tmpLen = outLen;
- publKey->expLength = publKey->nLength = CORRECT_ENDIANNESS(tmpLen);
-
- /* Prepare the argument */
-
- memset(argument->d, 0, outLen);
- BN_bn2bin(a, (unsigned char *) argument->d + outLen -
- BN_num_bytes(a));
-
+ pubkey->expLength = pubkey->nLength = CORRECT_ENDIANNESS(tmpLen);
+ memset(argument, 0, outLen);
+ BN_bn2bin(a, ((unsigned char *)argument
+ + outLen
+ - BN_num_bytes(a)));
inLen = outLen;
-
- /* Perform the operation */
-
if ((rc = p_icaRsaModExpo(ibmca_handle, inLen,
- (unsigned char *) argument->d,
- publKey, &outLen,
- (unsigned char *) result->d)) != 0) {
+ (unsigned char *)argument,
+ pubkey, &outLen,
+ (unsigned char *)result)) != 0) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
-
-
- /* Convert the response */
- BN_bin2bn((unsigned char *) result->d, outLen, r);
+ BN_bin2bn((unsigned char *)result, outLen, r);
to_return = 1;
+ free(argument);
+ free(result);
+ free(key);
err:
- BN_CTX_end(ctx);
return to_return;
}

View File

@ -1,302 +0,0 @@
Index: openssl-ibmca-1.0.0-rc2/e_ibmca.c
===================================================================
--- openssl-ibmca-1.0.0-rc2.orig/e_ibmca.c 2007-01-14 23:43:21.000000000 -0600
+++ openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-14 23:43:31.000000000 -0600
@@ -1711,95 +1711,78 @@
const BIGNUM * dmp1, const BIGNUM * dmq1,
const BIGNUM * iqmp, BN_CTX * ctx)
{
-
- BIGNUM *argument = NULL;
- BIGNUM *result = NULL;
- BIGNUM *key = NULL;
-
- int to_return = 0; /* expect failure */
-
- char *pkey = NULL;
- ICA_KEY_RSA_CRT *privKey = NULL;
+ char *argument;
+ char *result;
+ char *key;
+ unsigned char *pkey;
+ ICA_KEY_RSA_CRT *privkey;
int inLen, outLen;
-
int rc;
unsigned int offset, pSize, qSize;
- /* SAB New variables */
unsigned int keyRecordSize;
unsigned int pbytes = BN_num_bytes(p);
unsigned int qbytes = BN_num_bytes(q);
unsigned int dmp1bytes = BN_num_bytes(dmp1);
unsigned int dmq1bytes = BN_num_bytes(dmq1);
unsigned int iqmpbytes = BN_num_bytes(iqmp);
+ int to_return = 0;
- /* Prepare the params */
-
- BN_CTX_start(ctx);
- argument = BN_CTX_get(ctx);
- result = BN_CTX_get(ctx);
- key = BN_CTX_get(ctx);
-
- if (!argument || !result || !key) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_BN_CTX_FULL);
- goto err;
- }
-
- if (!bn_wexpand(argument, p->top + q->top) ||
- !bn_wexpand(result, p->top + q->top) ||
- !bn_wexpand(key, sizeof(*privKey) / BN_BYTES)) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
- IBMCA_R_BN_EXPAND_FAIL);
- goto err;
- }
-
-
- privKey = (ICA_KEY_RSA_CRT *) key->d;
- /* SAB Add check for total size in bytes of the parms does not
- * exceed the buffer space we have do this first
- */
- keyRecordSize =
- pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes;
- if (keyRecordSize > sizeof(privKey->keyRecord)) {
+ argument = malloc((pbytes + qbytes));
+ if (!argument) {
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
+ goto err;
+ }
+ result = malloc((pbytes + qbytes));
+ if (!result) {
+ free(argument);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
+ goto err;
+ }
+ key = malloc(sizeof(*privkey));
+ if (!key) {
+ free(argument);
+ free(result);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
+ goto err;
+ }
+ privkey = (ICA_KEY_RSA_CRT *)key;
+ keyRecordSize = (pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes);
+ if (keyRecordSize > sizeof(privkey->keyRecord)) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
-
if ((qbytes + dmq1bytes) > 256) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
-
if (pbytes + dmp1bytes > 256) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
-
- /* end SAB additions */
-
- memset(privKey, 0, sizeof(ICA_KEY_RSA_CRT));
- privKey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE);
- privKey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT));
- privKey->modulusBitLength =
- CORRECT_ENDIANNESS(BN_num_bytes(q) * 2 * 8);
-
- /*
- * p,dp & qInv are 1 QWORD Larger
- */
- privKey->pLength = CORRECT_ENDIANNESS(BN_num_bytes(p) + 8);
- privKey->qLength = CORRECT_ENDIANNESS(BN_num_bytes(q));
- privKey->dpLength = CORRECT_ENDIANNESS(BN_num_bytes(dmp1) + 8);
- privKey->dqLength = CORRECT_ENDIANNESS(BN_num_bytes(dmq1));
- privKey->qInvLength = CORRECT_ENDIANNESS(BN_num_bytes(iqmp) + 8);
-
- offset = (char *) privKey->keyRecord - (char *) privKey;
-
- qSize = BN_num_bytes(q);
- pSize = qSize + 8; /* 1 QWORD larger */
-
-
+ memset(privkey, 0, sizeof(*privkey));
+ privkey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE);
+ privkey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT));
+ privkey->modulusBitLength = CORRECT_ENDIANNESS(qbytes * 2 * 8);
+ privkey->pLength = CORRECT_ENDIANNESS(pbytes + 8);
+ privkey->qLength = CORRECT_ENDIANNESS(qbytes);
+ privkey->dpLength = CORRECT_ENDIANNESS(dmp1bytes + 8);
+ privkey->dqLength = CORRECT_ENDIANNESS(dmq1bytes);
+ privkey->qInvLength = CORRECT_ENDIANNESS(iqmpbytes + 8);
+ offset = ((char *)privkey->keyRecord - (char *)privkey);
+ qSize = qbytes;
+ pSize = (qSize + 8); /* 1 QWORD larger */
/* SAB probably aittle redundant, but we'll verify that each
* of the components which make up a key record sent ot the card
* does not exceed the space that is allocated for it. this
@@ -1808,105 +1791,96 @@
* could cause potential side affects on either the card or the
* result
*/
-
if ((pbytes > pSize) || (dmp1bytes > pSize) ||
(iqmpbytes > pSize) || (qbytes > qSize) ||
(dmq1bytes > qSize)) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
-
}
-
-
- privKey->dpOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->dpOffset = CORRECT_ENDIANNESS(offset);
offset += pSize;
- privKey->dqOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->dqOffset = CORRECT_ENDIANNESS(offset);
offset += qSize;
- privKey->pOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->pOffset = CORRECT_ENDIANNESS(offset);
offset += pSize;
- privKey->qOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->qOffset = CORRECT_ENDIANNESS(offset);
offset += qSize;
- privKey->qInvOffset = CORRECT_ENDIANNESS(offset);
-
- pkey = (char *) privKey->keyRecord;
-
-
- /* SAB first check that we don;t under flow the buffer */
+ privkey->qInvOffset = CORRECT_ENDIANNESS(offset);
+ pkey = (char *)privkey->keyRecord;
if (pSize < pbytes) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
-
- /* pkey += pSize - BN_num_bytes(p); WROING this should be dmp1) */
- pkey += pSize - BN_num_bytes(dmp1);
+ pkey += pSize - dmp1bytes;
BN_bn2bin(dmp1, pkey);
- pkey += BN_num_bytes(dmp1); /* move the pointer */
-
- BN_bn2bin(dmq1, pkey); /* Copy over dmq1 */
-
- pkey += qSize; /* move pointer */
- pkey += pSize - BN_num_bytes(p); /* set up for zero padding of next field */
-
+ pkey += dmp1bytes;
+ BN_bn2bin(dmq1, pkey);
+ pkey += qSize;
+ pkey += pSize - pbytes; /* set up for zero padding of next field */
BN_bn2bin(p, pkey);
- pkey += BN_num_bytes(p); /* increment pointer by number of bytes moved */
-
+ pkey += pbytes;
BN_bn2bin(q, pkey);
- pkey += qSize; /* move the pointer */
- pkey += pSize - BN_num_bytes(iqmp); /* Adjust for padding */
+ pkey += qSize;
+ pkey += pSize - iqmpbytes; /* Adjust for padding */
BN_bn2bin(iqmp, pkey);
-
/* Prepare the argument and response */
-
- outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2; /* Correct endianess
- is used because the
- fields were converted
+ outLen = CORRECT_ENDIANNESS(privkey->qLength) * 2; /* Correct
+ endianess
+ is used
+ because
+ the
+ fields
+ were
+ converted
above */
-
if (outLen > 256) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OUTLEN_TO_LARGE);
goto err;
}
-
/* SAB check for underflow here on the argeument */
if (outLen < BN_num_bytes(a)) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
-
- BN_bn2bin(a, (unsigned char *) argument->d + outLen -
- BN_num_bytes(a));
+ BN_bn2bin(a, ((unsigned char *)argument
+ + outLen
+ - BN_num_bytes(a)));
inLen = outLen;
-
- memset(result->d, 0, outLen);
-
- /* Perform the operation */
-
+ memset(result, 0, outLen);
if ((rc = p_icaRsaCrt(ibmca_handle, inLen,
- (unsigned char *) argument->d,
- privKey, &outLen,
- (unsigned char *) result->d)) != 0) {
+ (unsigned char *)argument,
+ privkey, &outLen,
+ (unsigned char *)result)) != 0) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_REQUEST_FAILED);
goto err;
}
-
- /* Convert the response */
-
- BN_bin2bn((unsigned char *) result->d, outLen, r);
+ BN_bin2bn((unsigned char *)result, outLen, r);
to_return = 1;
-
+ free(argument);
+ free(result);
+ free(key);
err:
- BN_CTX_end(ctx);
return to_return;
-
}
#ifndef OPENSSL_NO_DSA

68
openssl-des-ede.patch Normal file
View File

@ -0,0 +1,68 @@
commit 83b8ed7b25c809fa36ec86d7041a6350dc516606
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Mar 19 15:57:10 2014 -0500
openssl-ibmca: openssl speed -engine ibmca -evp des-ede3-ofb segfaults
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/e_ibmca.c b/e_ibmca.c
index b1ad975..0acbe5f 100644
--- a/e_ibmca.c
+++ b/e_ibmca.c
@@ -883,8 +883,7 @@ typedef unsigned int (*ica_sha256_t)(unsigned int, unsigned int, unsigned char *
sha256_context_t *, unsigned char *);
typedef unsigned int (*ica_des_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
- unsigned int key_length, unsigned char *iv,
- unsigned int direction);
+ unsigned char *iv, unsigned int direction);
typedef unsigned int (*ica_des_cfb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
unsigned char *iv, unsigned int lcfb,
@@ -894,8 +893,7 @@ typedef unsigned int (*ica_3des_cfb_t)(const unsigned char *, unsigned char *,
unsigned int, unsigned int);
typedef unsigned int (*ica_3des_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
- unsigned int key_length, unsigned char *iv,
- unsigned int direction);
+ unsigned char *iv, unsigned int direction);
typedef unsigned int (*ica_aes_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
unsigned int key_length, unsigned char *iv,
@@ -1197,7 +1195,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv,
8, ICA_ENCRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv,
+ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv,
ICA_ENCRYPT);
} else {
rv = p_ica_des_encrypt(mode, len, (unsigned char *)in,
@@ -1223,7 +1221,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv,
8, ICA_DECRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv,
+ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv,
ICA_DECRYPT);
} else {
/* Protect against decrypt in place */
@@ -1279,7 +1277,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
ctx->iv, 8, ICA_ENCRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
rv = p_ica_3des_ofb(in, out, len, pCtx->key,
- 8, ctx->iv, ICA_ENCRYPT);
+ ctx->iv, ICA_ENCRYPT);
} else {
rv = p_ica_3des_encrypt(mode, len, (unsigned char *)in,
(ica_des_vector_t *) ctx->iv,
@@ -1305,7 +1303,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
ctx->iv, 8, ICA_DECRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
rv = p_ica_3des_ofb(in, out, len, pCtx->key,
- 8, ctx->iv, ICA_DECRYPT);
+ ctx->iv, ICA_DECRYPT);
} else {
/* Protect against decrypt in place */
/* FIXME: Again, check if EVP_CIPHER_CTX_iv_length() should be used */

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d3b114bc78fe8180b0c5f5d4d687b0fe2b3b23942c1f03e70aebc99b253119c9
size 215240

View File

@ -1,11 +0,0 @@
diff -urpN openssl-ibmca-1.0.0-rc2/e_ibmca.c openssl-ibmca-1.0.0-rc2-memset_fix/e_ibmca.c
--- openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-22 17:23:20.000000000 +0100
+++ openssl-ibmca-1.0.0-rc2-memset_fix/e_ibmca.c 2007-01-22 17:27:09.000000000 +0100
@@ -1858,6 +1858,7 @@ static int ibmca_mod_exp_crt(BIGNUM * r,
IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
+ memset(argument, 0, pbytes + qbytes);
BN_bn2bin(a, ((unsigned char *)argument
+ outLen
- BN_num_bytes(a)));

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d36363798e69e19b203126106f0e3f1a08626f96523994dd3c06adfe9c6d27ad
size 26525

View File

@ -0,0 +1,11 @@
--- configure.in
+++ configure.in
@@ -28,7 +28,7 @@
# libica is dlopened, so do not add it to LIBS
save_LIBS=$LIBS
AC_CHECK_LIB(ica, ica_open_adapter, [], \
- AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl])
+ AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl -lrt -lcrypto -lpthread])
LIBS=$save_LIBS
# OpenSSL location

View File

@ -0,0 +1,22 @@
commit f204aca935dfe45b736e9fb8f822c9e79ec9747c
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Mar 7 10:35:33 2014 +0100
SHA256: Fixed message digest length definition in sha256 template
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Acked-by: John Jolly <jjolly@suse.de>
diff --git a/e_ibmca.c b/e_ibmca.c
index 94c44a4..f3fad35 100644
--- a/e_ibmca.c
+++ b/e_ibmca.c
@@ -727,7 +727,7 @@ static const EVP_MD ibmca_sha1 = {
static const EVP_MD ibmca_sha256 = {
NID_sha256,
NID_sha256WithRSAEncryption,
- SHA_HASH_LENGTH,
+ SHA256_HASH_LENGTH,
0,
ibmca_sha256_init,
ibmca_sha256_update,

View File

@ -1,3 +1,60 @@
-------------------------------------------------------------------
Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com
- Remove dependency on fillup anf insserv; the package provides
neither sysconfig file nor sysvinit script
- Remove depreciated AUTHORS section
- Use %configure macro
- Add openssl-ibmca-configure.patch
-------------------------------------------------------------------
Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com
- Forced requirement of libica-2_3_0 (bnc#890824)
-------------------------------------------------------------------
Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com
- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922)
- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes
fips self-test during EC key creation (bnc#879922)
- spec file cleaned up a bit
-------------------------------------------------------------------
Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com
- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message
digest length definition in sha256 template (bnc#868275)
-------------------------------------------------------------------
Wed Mar 5 18:51:25 CET 2014 - ro@suse.de
- update to 1.2.0
- removed patches:
ibmca-configure.patch
ibmca-segfault.fix.patch
ibmca-sw-fix.patch
openssl-ibmca-1.0.0.rc2-memset-fix.patch
- make it exclusivearch for s390/s390x as the required libica
is only available for s390/s390x
-------------------------------------------------------------------
Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com
- Made required libica-2_1_0 s390 specific
- Added x86_64 to ExclusiveArch as %ix86 doesn't do it
- Removed libica requirement - allowing build process to find it
-------------------------------------------------------------------
Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com
- Added COPYING to %files
-------------------------------------------------------------------
Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com
- Requiring libica 2.1.0 or greater
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com

View File

@ -1,7 +1,7 @@
# #
# spec file for package openssl-ibmca # spec file for package openssl-ibmca
# #
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -19,58 +19,43 @@
Name: openssl-ibmca Name: openssl-ibmca
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libica BuildRequires: libica-2_3_0-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: openssl-devel BuildRequires: openssl-devel
Summary: The IBMCA OpenSSL dynamic engine Summary: The IBMCA OpenSSL dynamic engine
License: IPL-1.0 License: IPL-1.0
Group: Hardware/Other Group: Hardware/Other
Version: 1.0.0 Version: 1.2.0
Release: 0 Release: 0
Source: openssl-ibmca-1.0.0-rc2.tar.bz2 Source: openssl-ibmca-1.2.0.tar.gz
Source2: baselibs.conf Source2: baselibs.conf
Patch: ibmca-configure.patch
Patch1: openssl-ibmca-README.patch Patch1: openssl-ibmca-README.patch
Patch2: ibmca-segfault.fix.patch Patch2: openssl-ibmca-configure.patch
Patch3: ibmca-sw-fix.patch Patch3: openssl-ibmca-sha256-digest-length.patch
Patch4: openssl-ibmca-1.0.0.rc2-memset-fix.patch Patch4: openssl-pkey.patch
Patch5: openssl-des-ede.patch
Url: http://sourceforge.net/projects/opencryptoki Url: http://sourceforge.net/projects/opencryptoki
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq %insserv_prereq Requires: libica-2_3_0
Requires: libica
Requires: openssl Requires: openssl
# bug437293 ExclusiveArch: s390 s390x
%ifarch ppc64
Obsoletes: openssl-ibmca-64bit
%endif
# #
%define ibmca_64bit_arch s390x ppc64 ppc64le
%define ibmca_32bit_arch %ix86 s390 ppc %arm
ExclusiveArch: %ibmca_32bit_arch %ibmca_64bit_arch
%description %description
This package contains a shared object OpenSSL dynamic engine for the This package contains a shared object OpenSSL dynamic engine for the
IBM eServer Cryptographic Accelerator (ICA). IBM eServer Cryptographic Accelerator (ICA).
Authors:
--------
Mike Halcrow <mhalcrow@us.ibm.com>
%prep %prep
%setup -n openssl-ibmca-1.0.0-rc2 %setup -q
%patch -p1
%patch1 %patch1
%patch2 -p1 %patch2
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%build %build
autoreconf --force --install autoreconf --force --install
export CFLAGS="$RPM_OPT_FLAGS" %configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines
export CPPFLAGS="$RPM_OPT_FLAGS"
./configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines
make make
%install %install
@ -78,14 +63,9 @@ make
#(cd $RPM_BUILD_ROOT; libtool --finish ./%_libdir/engines) #(cd $RPM_BUILD_ROOT; libtool --finish ./%_libdir/engines)
rm ${RPM_BUILD_ROOT}%{_libdir}/engines/libibmca.la rm ${RPM_BUILD_ROOT}%{_libdir}/engines/libibmca.la
%post
%run_ldconfig
%postun
%files %files
%defattr(-, root, root) %defattr(-, root, root)
%doc README %doc README COPYING
%doc openssl.cnf.sample %doc openssl.cnf.sample
%dir %{_libdir}/engines %dir %{_libdir}/engines
%{_libdir}/engines/libibmca.* %{_libdir}/engines/libibmca.*

31
openssl-pkey.patch Normal file
View File

@ -0,0 +1,31 @@
commit 6cdca2c3d655ef19d022fb3d8bcbf63491b79db2
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Mar 19 12:50:14 2014 -0500
Add flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE to EVP_MD so that signing method
comes from key type.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/e_ibmca.c b/e_ibmca.c
index f3fad35..9353470 100644
--- a/e_ibmca.c
+++ b/e_ibmca.c
@@ -711,7 +711,7 @@ static const EVP_MD ibmca_sha1 = {
NID_sha1,
NID_sha1WithRSAEncryption,
SHA_HASH_LENGTH,
- 0,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
ibmca_sha1_init,
ibmca_sha1_update,
ibmca_sha1_final,
@@ -728,7 +728,7 @@ static const EVP_MD ibmca_sha256 = {
NID_sha256,
NID_sha256WithRSAEncryption,
SHA256_HASH_LENGTH,
- 0,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
ibmca_sha256_init,
ibmca_sha256_update,
ibmca_sha256_final,