rpm/openssl-ibmca
SHA256
1
0
Fork 0
forked from pool/openssl-ibmca
Code Pull Requests Activity

Accepting request 291316 from security

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/291316
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=23
This commit is contained in:
Dominique Leuenberger 2015-03-27 08:39:56 +00:00 committed by Git OBS Bridge
parent c1b4002565
commit ca089ef5ad
12 changed files with 207 additions and 620 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
ibmca-configure.patch
View File

@ -1,67 +0,0 @@
--- openssl-ibmca-1.0.0-rc2/configure.in 2006/03/28 08:09:45 1.1
+++ openssl-ibmca-1.0.0-rc2/configure.in 2006/03/28 08:09:54
@@ -21,39 +21,16 @@
fi
fi
-OPENSSL_LIB_DIR="/usr/local/ssl/lib"
+# OpenSSL location
+AC_MSG_CHECKING([OpenSSL])
+AC_CHECK_LIB(crypto, RAND_add, [LIBCRYPTO="-lcrypto"], \
+ AC_MSG_ERROR([*** libcrypto not found]))
# libica
AC_MSG_CHECKING([libICA])
AC_CHECK_LIB(ica, icaOpenAdapter, [LIBICA="-lica"], \
- AC_MSG_ERROR([*** libICA not found]))
-
-# OpenSSL location
-AC_MSG_CHECKING([OpenSSL location])
-AC_ARG_WITH(openssl,
- [ --with-openssl=PATH Location of openssl libs/includes],
- [OPENSSL_INCLUDE_DIR="$withval/include"
- OPENSSL_LIB_DIR="$withval/lib"
- if [[ ! -d $OPENSSL_INCLUDE_DIR -o ! -d $OPENSSL_LIB_DIR ]]; then
- AC_MSG_ERROR([$OPENSSL_INCLUDE_DIR or $OPENSSL_LIB_DIR doen't exist!])
- else
- AC_MSG_RESULT([yes])
- CFLAGS="$CFLAGS -L$OPENSSL_LIB_DIR -I$OPENSSL_INCLUDE_DIR"
- fi],
- [AC_MSG_RESULT([no])
- AC_SUBST([OPENSSL_LIB_DIR], [/usr/local/ssl/lib])
- AC_SUBST([OPENSSL_INCLUDE_DIR], [/usr/local/ssl/include]) ] )
-
-# Is the library specified?
-AC_MSG_CHECKING([Engines library directory])
-AC_ARG_WITH(engines-dir,
- [ --with-engines-dir=PATH Location of OpenSSL engines],
- [OPENSSL_ENGINES_DIR="$withval/"],
- [AC_MSG_RESULT([no])
- AC_SUBST([OPENSSL_ENGINES_DIR], [$OPENSSL_LIB_DIR/engines])])
+ AC_MSG_ERROR([*** libICA not found]),-lssl)
-# for the correct install target
-libdir=$OPENSSL_ENGINES_DIR
AC_DISABLE_STATIC
AC_PROG_CC
@@ -61,6 +38,8 @@
CFLAGS="$CFLAGS -Wall"
AC_SUBST(CFLAGS)
+AC_SUBST(LIBCRYPTO)
+AC_SUBST(LIBICA)
AC_OUTPUT(Makefile openssl.cnf.sample)
--- openssl-ibmca-1.0.0-rc2/Makefile.am 2006/03/28 08:06:46 1.1
+++ openssl-ibmca-1.0.0-rc2/Makefile.am 2006/03/28 08:07:34
@@ -1,7 +1,4 @@
lib_LTLIBRARIES=libibmca.la
-libibmca_la_LIBADD=@OPENSSL_LIB_DIR@/libcrypto.a
-libibmca_la_LDFLAGS=-lc
-libibmca_la_CFLAGS=-I@OPENSSL_INCLUDE_DIR@
-AM_CFLAGS=-I@OPENSSL_INCLUDE_DIR@
+libibmca_la_LDFLAGS=@LIBICA@ @LIBCRYPTO@ -lc
libibmca_la_SOURCES=e_ibmca.c e_ibmca.h e_ibmca_err.c

202
ibmca-segfault.fix.patch
View File

@ -1,202 +0,0 @@
Index: openssl-ibmca-1.0.0-rc2/e_ibmca.c
===================================================================
--- openssl-ibmca-1.0.0-rc2.orig/e_ibmca.c 2005-12-16 14:45:43.000000000 -0600
+++ openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-14 18:03:31.000000000 -0600
@@ -1582,133 +1582,92 @@
} // end ibmca_sha256_cleanup
#endif // OPENSSL_NO_SHA256
-static int ibmca_mod_exp(BIGNUM * r, const BIGNUM * a, const BIGNUM * p,
- const BIGNUM * m, BN_CTX * ctx)
+static int ibmca_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx)
{
- /* I need somewhere to store temporary serialised values for
- * use with the Ibmca API calls. A neat cheat - I'll use
- * BIGNUMs from the BN_CTX but access their arrays directly as
- * byte arrays <grin>. This way I don't have to clean anything
- * up. */
-
- BIGNUM *argument = NULL;
- BIGNUM *result = NULL;
- BIGNUM *key = NULL;
- int to_return;
+ char *argument;
+ char *result;
+ char *key;
+ ICA_KEY_RSA_MODEXPO *pubkey;
int inLen, outLen, tmpLen;
-
-
-
- ICA_KEY_RSA_MODEXPO *publKey = NULL;
unsigned int rc;
-
- to_return = 0; /* expect failure */
+ int to_return = 0; /* fail code set by default */
if (!ibmca_dso) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_NOT_LOADED);
goto err;
}
- /* Prepare the params */
- BN_CTX_start(ctx);
- argument = BN_CTX_get(ctx);
- result = BN_CTX_get(ctx);
- key = BN_CTX_get(ctx);
-
- if (!argument || !result || !key) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_CTX_FULL);
- goto err;
- }
-
-
- if (!bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top) ||
- !bn_wexpand(key, sizeof(*publKey) / BN_BYTES)) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_EXPAND_FAIL);
- goto err;
- }
-
- publKey = (ICA_KEY_RSA_MODEXPO *) key->d;
-
- if (publKey == NULL) {
+ outLen = BN_num_bytes(m);
+ argument = malloc(outLen);
+ if (!argument) {
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
- memset(publKey, 0, sizeof(ICA_KEY_RSA_MODEXPO));
-
- publKey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE);
- publKey->keyLength =
- CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO));
- publKey->expOffset =
- (char *) publKey->keyRecord - (char *) publKey;
-
- /* A quirk of the card: the exponent length has to be the same
- as the modulus (key) length */
-
- outLen = BN_num_bytes(m);
-
-/* check for modulus length SAB*/
- if (outLen > 256) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP,
- IBMCA_R_MEXP_LENGTH_TO_LARGE);
+ result = malloc(outLen);
+ if (!result) {
+ free(argument);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
-/* check for modulus length SAB*/
-
-
- publKey->expLength = publKey->nLength = outLen;
-/* SAB Check for underflow condition
- the size of the exponent is less than the size of the parameter
- then we have a big problem and will underflow the keyRecord
- buffer. Bad stuff could happen then
-*/
- if (outLen < BN_num_bytes(p)) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP,
- IBMCA_R_UNDERFLOW_KEYRECORD);
+ key = malloc(sizeof(*pubkey));
+ if (!key) {
+ free(argument);
+ free(result);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
-/* SAB End check for underflow */
-
-
- BN_bn2bin(p, &publKey->keyRecord[publKey->expLength -
- BN_num_bytes(p)]);
- BN_bn2bin(m, &publKey->keyRecord[publKey->expLength]);
-
-
-
- publKey->modulusBitLength =
- CORRECT_ENDIANNESS(publKey->nLength * 8);
- publKey->nOffset =
- CORRECT_ENDIANNESS(publKey->expOffset + publKey->expLength);
-
- publKey->expOffset =
- CORRECT_ENDIANNESS((char *) publKey->keyRecord -
- (char *) publKey);
-
+ pubkey = (ICA_KEY_RSA_MODEXPO *)key;
+ memset(pubkey, 0, sizeof(*pubkey));
+ pubkey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE);
+ pubkey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO));
+ pubkey->expOffset = (char *)pubkey->keyRecord - (char *)pubkey;
+#define IBMCA_MAX_EXP_LEN 256
+ if (outLen > IBMCA_MAX_EXP_LEN) {
+ free(argument);
+ free(result);
+ free(key);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_MEXP_LENGTH_TO_LARGE);
+ goto err;
+ }
+ pubkey->expLength = pubkey->nLength = outLen;
+ if (outLen < BN_num_bytes(p)) { /* Key record underflow check */
+ free(argument);
+ free(result);
+ free(key);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_UNDERFLOW_KEYRECORD);
+ goto err;
+ }
+ BN_bn2bin(p,
+ &pubkey->keyRecord[(pubkey->expLength - BN_num_bytes(p))]);
+ BN_bn2bin(m, &pubkey->keyRecord[pubkey->expLength]);
+ pubkey->modulusBitLength = CORRECT_ENDIANNESS((pubkey->nLength * 8));
+ pubkey->nOffset =
+ CORRECT_ENDIANNESS((pubkey->expOffset + pubkey->expLength));
+ pubkey->expOffset = CORRECT_ENDIANNESS(((char *)pubkey->keyRecord -
+ (char *)pubkey));
tmpLen = outLen;
- publKey->expLength = publKey->nLength = CORRECT_ENDIANNESS(tmpLen);
-
- /* Prepare the argument */
-
- memset(argument->d, 0, outLen);
- BN_bn2bin(a, (unsigned char *) argument->d + outLen -
- BN_num_bytes(a));
-
+ pubkey->expLength = pubkey->nLength = CORRECT_ENDIANNESS(tmpLen);
+ memset(argument, 0, outLen);
+ BN_bn2bin(a, ((unsigned char *)argument
+ + outLen
+ - BN_num_bytes(a)));
inLen = outLen;
-
- /* Perform the operation */
-
if ((rc = p_icaRsaModExpo(ibmca_handle, inLen,
- (unsigned char *) argument->d,
- publKey, &outLen,
- (unsigned char *) result->d)) != 0) {
+ (unsigned char *)argument,
+ pubkey, &outLen,
+ (unsigned char *)result)) != 0) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
-
-
- /* Convert the response */
- BN_bin2bn((unsigned char *) result->d, outLen, r);
+ BN_bin2bn((unsigned char *)result, outLen, r);
to_return = 1;
+ free(argument);
+ free(result);
+ free(key);
err:
- BN_CTX_end(ctx);
return to_return;
}

302
ibmca-sw-fix.patch
View File

@ -1,302 +0,0 @@
Index: openssl-ibmca-1.0.0-rc2/e_ibmca.c
===================================================================
--- openssl-ibmca-1.0.0-rc2.orig/e_ibmca.c 2007-01-14 23:43:21.000000000 -0600
+++ openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-14 23:43:31.000000000 -0600
@@ -1711,95 +1711,78 @@
const BIGNUM * dmp1, const BIGNUM * dmq1,
const BIGNUM * iqmp, BN_CTX * ctx)
{
-
- BIGNUM *argument = NULL;
- BIGNUM *result = NULL;
- BIGNUM *key = NULL;
-
- int to_return = 0; /* expect failure */
-
- char *pkey = NULL;
- ICA_KEY_RSA_CRT *privKey = NULL;
+ char *argument;
+ char *result;
+ char *key;
+ unsigned char *pkey;
+ ICA_KEY_RSA_CRT *privkey;
int inLen, outLen;
-
int rc;
unsigned int offset, pSize, qSize;
- /* SAB New variables */
unsigned int keyRecordSize;
unsigned int pbytes = BN_num_bytes(p);
unsigned int qbytes = BN_num_bytes(q);
unsigned int dmp1bytes = BN_num_bytes(dmp1);
unsigned int dmq1bytes = BN_num_bytes(dmq1);
unsigned int iqmpbytes = BN_num_bytes(iqmp);
+ int to_return = 0;
- /* Prepare the params */
-
- BN_CTX_start(ctx);
- argument = BN_CTX_get(ctx);
- result = BN_CTX_get(ctx);
- key = BN_CTX_get(ctx);
-
- if (!argument || !result || !key) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_BN_CTX_FULL);
- goto err;
- }
-
- if (!bn_wexpand(argument, p->top + q->top) ||
- !bn_wexpand(result, p->top + q->top) ||
- !bn_wexpand(key, sizeof(*privKey) / BN_BYTES)) {
- IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
- IBMCA_R_BN_EXPAND_FAIL);
- goto err;
- }
-
-
- privKey = (ICA_KEY_RSA_CRT *) key->d;
- /* SAB Add check for total size in bytes of the parms does not
- * exceed the buffer space we have do this first
- */
- keyRecordSize =
- pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes;
- if (keyRecordSize > sizeof(privKey->keyRecord)) {
+ argument = malloc((pbytes + qbytes));
+ if (!argument) {
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
+ goto err;
+ }
+ result = malloc((pbytes + qbytes));
+ if (!result) {
+ free(argument);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
+ goto err;
+ }
+ key = malloc(sizeof(*privkey));
+ if (!key) {
+ free(argument);
+ free(result);
+ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
+ goto err;
+ }
+ privkey = (ICA_KEY_RSA_CRT *)key;
+ keyRecordSize = (pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes);
+ if (keyRecordSize > sizeof(privkey->keyRecord)) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
-
if ((qbytes + dmq1bytes) > 256) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
-
if (pbytes + dmp1bytes > 256) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
-
- /* end SAB additions */
-
- memset(privKey, 0, sizeof(ICA_KEY_RSA_CRT));
- privKey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE);
- privKey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT));
- privKey->modulusBitLength =
- CORRECT_ENDIANNESS(BN_num_bytes(q) * 2 * 8);
-
- /*
- * p,dp & qInv are 1 QWORD Larger
- */
- privKey->pLength = CORRECT_ENDIANNESS(BN_num_bytes(p) + 8);
- privKey->qLength = CORRECT_ENDIANNESS(BN_num_bytes(q));
- privKey->dpLength = CORRECT_ENDIANNESS(BN_num_bytes(dmp1) + 8);
- privKey->dqLength = CORRECT_ENDIANNESS(BN_num_bytes(dmq1));
- privKey->qInvLength = CORRECT_ENDIANNESS(BN_num_bytes(iqmp) + 8);
-
- offset = (char *) privKey->keyRecord - (char *) privKey;
-
- qSize = BN_num_bytes(q);
- pSize = qSize + 8; /* 1 QWORD larger */
-
-
+ memset(privkey, 0, sizeof(*privkey));
+ privkey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE);
+ privkey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT));
+ privkey->modulusBitLength = CORRECT_ENDIANNESS(qbytes * 2 * 8);
+ privkey->pLength = CORRECT_ENDIANNESS(pbytes + 8);
+ privkey->qLength = CORRECT_ENDIANNESS(qbytes);
+ privkey->dpLength = CORRECT_ENDIANNESS(dmp1bytes + 8);
+ privkey->dqLength = CORRECT_ENDIANNESS(dmq1bytes);
+ privkey->qInvLength = CORRECT_ENDIANNESS(iqmpbytes + 8);
+ offset = ((char *)privkey->keyRecord - (char *)privkey);
+ qSize = qbytes;
+ pSize = (qSize + 8); /* 1 QWORD larger */
/* SAB probably aittle redundant, but we'll verify that each
* of the components which make up a key record sent ot the card
* does not exceed the space that is allocated for it. this
@@ -1808,105 +1791,96 @@
* could cause potential side affects on either the card or the
* result
*/
-
if ((pbytes > pSize) || (dmp1bytes > pSize) ||
(iqmpbytes > pSize) || (qbytes > qSize) ||
(dmq1bytes > qSize)) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OPERANDS_TO_LARGE);
goto err;
-
}
-
-
- privKey->dpOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->dpOffset = CORRECT_ENDIANNESS(offset);
offset += pSize;
- privKey->dqOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->dqOffset = CORRECT_ENDIANNESS(offset);
offset += qSize;
- privKey->pOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->pOffset = CORRECT_ENDIANNESS(offset);
offset += pSize;
- privKey->qOffset = CORRECT_ENDIANNESS(offset);
-
+ privkey->qOffset = CORRECT_ENDIANNESS(offset);
offset += qSize;
- privKey->qInvOffset = CORRECT_ENDIANNESS(offset);
-
- pkey = (char *) privKey->keyRecord;
-
-
- /* SAB first check that we don;t under flow the buffer */
+ privkey->qInvOffset = CORRECT_ENDIANNESS(offset);
+ pkey = (char *)privkey->keyRecord;
if (pSize < pbytes) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
-
- /* pkey += pSize - BN_num_bytes(p); WROING this should be dmp1) */
- pkey += pSize - BN_num_bytes(dmp1);
+ pkey += pSize - dmp1bytes;
BN_bn2bin(dmp1, pkey);
- pkey += BN_num_bytes(dmp1); /* move the pointer */
-
- BN_bn2bin(dmq1, pkey); /* Copy over dmq1 */
-
- pkey += qSize; /* move pointer */
- pkey += pSize - BN_num_bytes(p); /* set up for zero padding of next field */
-
+ pkey += dmp1bytes;
+ BN_bn2bin(dmq1, pkey);
+ pkey += qSize;
+ pkey += pSize - pbytes; /* set up for zero padding of next field */
BN_bn2bin(p, pkey);
- pkey += BN_num_bytes(p); /* increment pointer by number of bytes moved */
-
+ pkey += pbytes;
BN_bn2bin(q, pkey);
- pkey += qSize; /* move the pointer */
- pkey += pSize - BN_num_bytes(iqmp); /* Adjust for padding */
+ pkey += qSize;
+ pkey += pSize - iqmpbytes; /* Adjust for padding */
BN_bn2bin(iqmp, pkey);
-
/* Prepare the argument and response */
-
- outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2; /* Correct endianess
- is used because the
- fields were converted
+ outLen = CORRECT_ENDIANNESS(privkey->qLength) * 2; /* Correct
+ endianess
+ is used
+ because
+ the
+ fields
+ were
+ converted
above */
-
if (outLen > 256) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_OUTLEN_TO_LARGE);
goto err;
}
-
/* SAB check for underflow here on the argeument */
if (outLen < BN_num_bytes(a)) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
-
- BN_bn2bin(a, (unsigned char *) argument->d + outLen -
- BN_num_bytes(a));
+ BN_bn2bin(a, ((unsigned char *)argument
+ + outLen
+ - BN_num_bytes(a)));
inLen = outLen;
-
- memset(result->d, 0, outLen);
-
- /* Perform the operation */
-
+ memset(result, 0, outLen);
if ((rc = p_icaRsaCrt(ibmca_handle, inLen,
- (unsigned char *) argument->d,
- privKey, &outLen,
- (unsigned char *) result->d)) != 0) {
+ (unsigned char *)argument,
+ privkey, &outLen,
+ (unsigned char *)result)) != 0) {
+ free(argument);
+ free(result);
+ free(key);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,
IBMCA_R_REQUEST_FAILED);
goto err;
}
-
- /* Convert the response */
-
- BN_bin2bn((unsigned char *) result->d, outLen, r);
+ BN_bin2bn((unsigned char *)result, outLen, r);
to_return = 1;
-
+ free(argument);
+ free(result);
+ free(key);
err:
- BN_CTX_end(ctx);
return to_return;
-
}
#ifndef OPENSSL_NO_DSA

68
openssl-des-ede.patch Normal file
View File

@ -0,0 +1,68 @@
commit 83b8ed7b25c809fa36ec86d7041a6350dc516606
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Mar 19 15:57:10 2014 -0500
openssl-ibmca: openssl speed -engine ibmca -evp des-ede3-ofb segfaults
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/e_ibmca.c b/e_ibmca.c
index b1ad975..0acbe5f 100644
--- a/e_ibmca.c
+++ b/e_ibmca.c
@@ -883,8 +883,7 @@ typedef unsigned int (*ica_sha256_t)(unsigned int, unsigned int, unsigned char *
sha256_context_t *, unsigned char *);
typedef unsigned int (*ica_des_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
- unsigned int key_length, unsigned char *iv,
- unsigned int direction);
+ unsigned char *iv, unsigned int direction);
typedef unsigned int (*ica_des_cfb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
unsigned char *iv, unsigned int lcfb,
@@ -894,8 +893,7 @@ typedef unsigned int (*ica_3des_cfb_t)(const unsigned char *, unsigned char *,
unsigned int, unsigned int);
typedef unsigned int (*ica_3des_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
- unsigned int key_length, unsigned char *iv,
- unsigned int direction);
+ unsigned char *iv, unsigned int direction);
typedef unsigned int (*ica_aes_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
unsigned long data_length, const unsigned char *key,
unsigned int key_length, unsigned char *iv,
@@ -1197,7 +1195,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv,
8, ICA_ENCRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv,
+ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv,
ICA_ENCRYPT);
} else {
rv = p_ica_des_encrypt(mode, len, (unsigned char *)in,
@@ -1223,7 +1221,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv,
8, ICA_DECRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv,
+ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv,
ICA_DECRYPT);
} else {
/* Protect against decrypt in place */
@@ -1279,7 +1277,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
ctx->iv, 8, ICA_ENCRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
rv = p_ica_3des_ofb(in, out, len, pCtx->key,
- 8, ctx->iv, ICA_ENCRYPT);
+ ctx->iv, ICA_ENCRYPT);
} else {
rv = p_ica_3des_encrypt(mode, len, (unsigned char *)in,
(ica_des_vector_t *) ctx->iv,
@@ -1305,7 +1303,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
ctx->iv, 8, ICA_DECRYPT);
} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
rv = p_ica_3des_ofb(in, out, len, pCtx->key,
- 8, ctx->iv, ICA_DECRYPT);
+ ctx->iv, ICA_DECRYPT);
} else {
/* Protect against decrypt in place */
/* FIXME: Again, check if EVP_CIPHER_CTX_iv_length() should be used */

3
openssl-ibmca-1.0.0-rc2.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d3b114bc78fe8180b0c5f5d4d687b0fe2b3b23942c1f03e70aebc99b253119c9
size 215240

11
openssl-ibmca-1.0.0.rc2-memset-fix.patch
View File

@ -1,11 +0,0 @@
diff -urpN openssl-ibmca-1.0.0-rc2/e_ibmca.c openssl-ibmca-1.0.0-rc2-memset_fix/e_ibmca.c
--- openssl-ibmca-1.0.0-rc2/e_ibmca.c 2007-01-22 17:23:20.000000000 +0100
+++ openssl-ibmca-1.0.0-rc2-memset_fix/e_ibmca.c 2007-01-22 17:27:09.000000000 +0100
@@ -1858,6 +1858,7 @@ static int ibmca_mod_exp_crt(BIGNUM * r,
IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
+ memset(argument, 0, pbytes + qbytes);
BN_bn2bin(a, ((unsigned char *)argument
+ outLen
- BN_num_bytes(a)));

3
openssl-ibmca-1.2.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d36363798e69e19b203126106f0e3f1a08626f96523994dd3c06adfe9c6d27ad
size 26525

11
openssl-ibmca-configure.patch Normal file
View File

@ -0,0 +1,11 @@
--- configure.in
+++ configure.in
@@ -28,7 +28,7 @@
# libica is dlopened, so do not add it to LIBS
save_LIBS=$LIBS
AC_CHECK_LIB(ica, ica_open_adapter, [], \
- AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl])
+ AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl -lrt -lcrypto -lpthread])
LIBS=$save_LIBS
# OpenSSL location

22
openssl-ibmca-sha256-digest-length.patch Normal file
View File

@ -0,0 +1,22 @@
commit f204aca935dfe45b736e9fb8f822c9e79ec9747c
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Mar 7 10:35:33 2014 +0100
SHA256: Fixed message digest length definition in sha256 template
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Acked-by: John Jolly <jjolly@suse.de>
diff --git a/e_ibmca.c b/e_ibmca.c
index 94c44a4..f3fad35 100644
--- a/e_ibmca.c
+++ b/e_ibmca.c
@@ -727,7 +727,7 @@ static const EVP_MD ibmca_sha1 = {
static const EVP_MD ibmca_sha256 = {
NID_sha256,
NID_sha256WithRSAEncryption,
- SHA_HASH_LENGTH,
+ SHA256_HASH_LENGTH,
0,
ibmca_sha256_init,
ibmca_sha256_update,

57
openssl-ibmca.changes
View File

@ -1,3 +1,60 @@
-------------------------------------------------------------------
Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com
- Remove dependency on fillup anf insserv; the package provides
neither sysconfig file nor sysvinit script
- Remove depreciated AUTHORS section
- Use %configure macro
- Add openssl-ibmca-configure.patch
-------------------------------------------------------------------
Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com
- Forced requirement of libica-2_3_0 (bnc#890824)
-------------------------------------------------------------------
Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com
- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922)
- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes
fips self-test during EC key creation (bnc#879922)
- spec file cleaned up a bit
-------------------------------------------------------------------
Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com
- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message
digest length definition in sha256 template (bnc#868275)
-------------------------------------------------------------------
Wed Mar 5 18:51:25 CET 2014 - ro@suse.de
- update to 1.2.0
- removed patches:
ibmca-configure.patch
ibmca-segfault.fix.patch
ibmca-sw-fix.patch
openssl-ibmca-1.0.0.rc2-memset-fix.patch
- make it exclusivearch for s390/s390x as the required libica
is only available for s390/s390x
-------------------------------------------------------------------
Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com
- Made required libica-2_1_0 s390 specific
- Added x86_64 to ExclusiveArch as %ix86 doesn't do it
- Removed libica requirement - allowing build process to find it
-------------------------------------------------------------------
Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com
- Added COPYING to %files
-------------------------------------------------------------------
Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com
- Requiring libica 2.1.0 or greater
-------------------------------------------------------------------
Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com

50
openssl-ibmca.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssl-ibmca
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -19,58 +19,43 @@
Name: openssl-ibmca
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libica
BuildRequires: libica-2_3_0-devel
BuildRequires: libtool
BuildRequires: openssl-devel
Summary: The IBMCA OpenSSL dynamic engine
License: IPL-1.0
Group: Hardware/Other
Version: 1.0.0
Version: 1.2.0
Release: 0
Source: openssl-ibmca-1.0.0-rc2.tar.bz2
Source: openssl-ibmca-1.2.0.tar.gz
Source2: baselibs.conf
Patch: ibmca-configure.patch
Patch1: openssl-ibmca-README.patch
Patch2: ibmca-segfault.fix.patch
Patch3: ibmca-sw-fix.patch
Patch4: openssl-ibmca-1.0.0.rc2-memset-fix.patch
Patch2: openssl-ibmca-configure.patch
Patch3: openssl-ibmca-sha256-digest-length.patch
Patch4: openssl-pkey.patch
Patch5: openssl-des-ede.patch
Url: http://sourceforge.net/projects/opencryptoki
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq %insserv_prereq
Requires: libica
Requires: libica-2_3_0
Requires: openssl
# bug437293
%ifarch ppc64
Obsoletes: openssl-ibmca-64bit
%endif
ExclusiveArch: s390 s390x
#
%define ibmca_64bit_arch s390x ppc64 ppc64le
%define ibmca_32bit_arch %ix86 s390 ppc %arm
ExclusiveArch: %ibmca_32bit_arch %ibmca_64bit_arch
%description
This package contains a shared object OpenSSL dynamic engine for the
IBM eServer Cryptographic Accelerator (ICA).
Authors:
--------
Mike Halcrow <mhalcrow@us.ibm.com>
%prep
%setup -n openssl-ibmca-1.0.0-rc2
%patch -p1
%setup -q
%patch1
%patch2 -p1
%patch2
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
autoreconf --force --install
export CFLAGS="$RPM_OPT_FLAGS"
export CPPFLAGS="$RPM_OPT_FLAGS"
./configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines
%configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines
make
%install
@ -78,14 +63,9 @@ make
#(cd $RPM_BUILD_ROOT; libtool --finish ./%_libdir/engines)
rm ${RPM_BUILD_ROOT}%{_libdir}/engines/libibmca.la
%post
%run_ldconfig
%postun
%files
%defattr(-, root, root)
%doc README
%doc README COPYING
%doc openssl.cnf.sample
%dir %{_libdir}/engines
%{_libdir}/engines/libibmca.*

31
openssl-pkey.patch Normal file
View File

@ -0,0 +1,31 @@
commit 6cdca2c3d655ef19d022fb3d8bcbf63491b79db2
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Mar 19 12:50:14 2014 -0500
Add flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE to EVP_MD so that signing method
comes from key type.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/e_ibmca.c b/e_ibmca.c
index f3fad35..9353470 100644
--- a/e_ibmca.c
+++ b/e_ibmca.c
@@ -711,7 +711,7 @@ static const EVP_MD ibmca_sha1 = {
NID_sha1,
NID_sha1WithRSAEncryption,
SHA_HASH_LENGTH,
- 0,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
ibmca_sha1_init,
ibmca_sha1_update,
ibmca_sha1_final,
@@ -728,7 +728,7 @@ static const EVP_MD ibmca_sha256 = {
NID_sha256,
NID_sha256WithRSAEncryption,
SHA256_HASH_LENGTH,
- 0,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
ibmca_sha256_init,
ibmca_sha256_update,
ibmca_sha256_final,