opencryptoki / openssl-ibmca Goto Github PK

View Code? Open in Web Editor NEW

6.0 6.0 15.0 769 KB

OpenSSL engine and provider for libica.

License: Apache License 2.0

Makefile 0.61% Shell 0.16% M4 0.56% C 92.39% Roff 1.05% Perl 5.24%

crypto s390x openssl-engine openssl-provider

openssl-ibmca's People

Contributors

Stargazers

Watchers

Forkers

pvital sharkcz dodys hfreude netdebug bartzjegr dhodovsk juergenchrist jschmidb markkp ccdxc ifranzki charygao edwardt corccc

openssl-ibmca's Issues

icastats is still empty

Bug description: icastats not updated
Distro release:
RHEL 7.4
openssl-ibmca package version
[root@ghrhel74crypt ~]# rpm -qa openssl-ibmca
openssl-ibmca-1.3.0-2.el7.s390
openssl-ibmca-1.3.0-2.el7.s390x

libica package version
[root@ghrhel74crypt ~]# rpm -qa libica
libica-3.0.2-2.el7.s390x
libica-3.0.2-2.el7.s390

steps to reproduce the bug

Install RHEL7.4 on IBM Z14
yum install libica libica-utils openssl openssl-ibmca
icastats #empty
modprobe aes_s390
install ibmca engine in openssl
openssl speed -evp aes-128-cbc -engine ibmca
7 icastats # still empty (but performance is OK to consider CPACF in use 4,5 GB/S in encryption and 13 GB/s in decryption.

Testsuite fails on in a chroot on qemu/kvm VM

make  check-TESTS
make[3]: Entering directory '/<<PKGBUILDDIR>>/test'
make[4]: Entering directory '/<<PKGBUILDDIR>>/test'
FAIL: des-cbc-test.pl
FAIL: des-ofb-test.pl
FAIL: des-cfb-test.pl
FAIL: des-ecb-test.pl
FAIL: 3des-cbc-test.pl
FAIL: 3des-ecb-test.pl
FAIL: 3des-cfb-test.pl
FAIL: 3des-ofb-test.pl
FAIL: aes-128-ecb-test.pl
FAIL: aes-128-cbc-test.pl
FAIL: aes-128-cfb-test.pl
FAIL: aes-192-ecb-test.pl
FAIL: aes-128-ofb-test.pl
FAIL: aes-192-cbc-test.pl
FAIL: aes-192-cfb-test.pl
FAIL: aes-192-ofb-test.pl
FAIL: aes-256-cbc-test.pl
FAIL: aes-256-ecb-test.pl
FAIL: aes-256-ofb-test.pl
PASS: aes-256-cfb-test.pl
==============================================
   openssl-ibmca 2.0.0: test/test-suite.log
==============================================

# TOTAL: 20
# PASS:  1
# SKIP:  0
# XFAIL: 0
# FAIL:  19
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: des-ecb-test.pl
=====================

unable to write 'random state'
unable to write 'random state'
FAIL des-ecb-test.pl (exit status: 1)

FAIL: des-cbc-test.pl
=====================

unable to write 'random state'
bad decrypt
4396773508896:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:541:
FAIL des-cbc-test.pl (exit status: 1)

FAIL: des-cfb-test.pl
=====================

unable to write 'random state'
FAIL des-cfb-test.pl (exit status: 1)

FAIL: des-ofb-test.pl
=====================

unable to write 'random state'
FAIL des-ofb-test.pl (exit status: 1)

FAIL: 3des-ecb-test.pl
======================

unable to write 'random state'
bad decrypt
4396134926112:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
unable to write 'random state'
bad decrypt
4396630378272:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
FAIL 3des-ecb-test.pl (exit status: 1)

FAIL: 3des-cbc-test.pl
======================

unable to write 'random state'
unable to write 'random state'
bad decrypt
4396428003104:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
FAIL 3des-cbc-test.pl (exit status: 1)

FAIL: 3des-cfb-test.pl
======================

unable to write 'random state'
unable to write 'random state'
FAIL 3des-cfb-test.pl (exit status: 1)

FAIL: 3des-ofb-test.pl
======================

unable to write 'random state'
unable to write 'random state'
cmp: EOF on data.in which is empty
FAIL 3des-ofb-test.pl (exit status: 1)

FAIL: aes-128-ecb-test.pl
=========================

unable to write 'random state'
bad decrypt
4396508219168:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
FAIL aes-128-ecb-test.pl (exit status: 1)

FAIL: aes-128-cbc-test.pl
=========================

unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-128-cbc-test.pl (exit status: 1)

FAIL: aes-128-cfb-test.pl
=========================

unable to write 'random state'
unable to write 'random state'
FAIL aes-128-cfb-test.pl (exit status: 1)

FAIL: aes-128-ofb-test.pl
=========================

unable to write 'random state'
unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-128-ofb-test.pl (exit status: 1)

FAIL: aes-192-ecb-test.pl
=========================

unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-192-ecb-test.pl (exit status: 1)

FAIL: aes-192-cbc-test.pl
=========================

unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-192-cbc-test.pl (exit status: 1)

FAIL: aes-192-cfb-test.pl
=========================

unable to write 'random state'
unable to write 'random state'
FAIL aes-192-cfb-test.pl (exit status: 1)

FAIL: aes-192-ofb-test.pl
=========================

unable to write 'random state'
FAIL aes-192-ofb-test.pl (exit status: 1)

FAIL: aes-256-ecb-test.pl
=========================

unable to write 'random state'
unable to write 'random state'
FAIL aes-256-ecb-test.pl (exit status: 1)

FAIL: aes-256-cbc-test.pl
=========================

unable to write 'random state'
bad decrypt
4395925210912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
FAIL aes-256-cbc-test.pl (exit status: 1)

FAIL: aes-256-ofb-test.pl
=========================

unable to write 'random state'
FAIL aes-256-ofb-test.pl (exit status: 1)

============================================================================
Testsuite summary for openssl-ibmca 2.0.0
============================================================================
# TOTAL: 20
# PASS:  1
# SKIP:  0
# XFAIL: 0
# FAIL:  19
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
Please report to [email protected]
============================================================================

This is on Ubuntu Cosmic (to become 18.10) as built in launchpad PPA. Note anybody can use PPAs on launchpad and activate builds for s390x.

When doing a similar build, but in chroot on a z/VM, things are slightly better:

============================================================================
Testsuite summary for openssl-ibmca 2.0.0
============================================================================
# TOTAL: 20
# PASS:  0
# SKIP:  20
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

So no tests are actually run, and everything is skipped.

Regular user build (non-chrooted) on z/VM goes fine and results in full test suite pass:

============================================================================
Testsuite summary for openssl-ibmca 2.0.0
============================================================================
# TOTAL: 20
# PASS:  20
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

make use of the engine transparent

libcrypto's evp interfaces for ciphers allow to encrypt messages divided in chunks of arbitrary lengths.

ibmca requires the all chunk lenghts except the last one to be multiples of the cipher's block size.

Use of the engine should be made transparent to an application using libcrypto's evp interfaces, in the sense that the behavior is the same \w engine and w\o engine.

dlclose logic is inverted in ibmca_finish

The test for dlclose() in ibmca_finish() is inverted.

dlclose() returns 0 on success and a non zero value on error. The current code treats success as an error.

loadtest and threadtest fails after recent update

I'm getting test failures in our CI after the last updates. The system is Fedora 33 on a KVM guest on a z14.

==============================================
   openssl-ibmca 2.1.2: test/test-suite.log
==============================================

# TOTAL: 23
# PASS:  21
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 2

.. contents:: :depth: 2

ERROR: loadtest
===============

Failed to create PKEY_CTX
Check for global variables failed!
ERROR loadtest (exit status: 99)

ERROR: threadtest
=================

Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Error in thread 0
Error in thread 1
Error in thread 2
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Error in thread 3
Failed to create PKEY_CTX
Error in thread 4
Error in thread 5
Failed to create PKEY_CTX
Error in thread 6
Error in thread 7
Failed to create PKEY_CTX
Error in thread 8
Error in thread 9
Error in thread 10
Error in thread 11
Error in thread 12
Error in thread 13
Error in thread 14
Error in thread 15
Error in thread 16
Error in thread 17
Error in thread 18
Error in thread 19
ERROR threadtest (exit status: 99)

Question: Would there be support for Post Quantum Crypto? (Dilithium & Kyber)

Will the IBM-CA provider (https://www.ibm.com/docs/en/linux-on-systems?topic=openssl-using-ibmca-provider) support post-quantum crypto algorithms in the future similar to the OQS provider (https://github.com/open-quantum-safe/oqs-provider) for Z and LinuxONE?

Support OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ for RSA key import

OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ is new for OpenSSL 3.3.

"rsa-derive-from-pq" (OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ) unsigned integer

Indicate that missing parameters not passed in the parameter list should be derived if not provided. Setting a nonzero value will cause all needed exponents and coefficients to be derived if not available. Setting this option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2, and OSSL_PARAM_RSA_N to be provided. This option is ignored if OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter.

Remove dependency of old local OpenSSL headers.

src/cryptlib.h and src/e_os.h are OpenSSL headers and added to the project to be able to build it, but nothing from them are used and both files were made opaque in OpenSSL 1.1 release.

Got "FATAL: Startup failure (dev note: apps_startup()) for openssl" when I run 'openssl engine -c'

Platform: LinuxONE 4 LA1 with DPM mode enabled
OS: rhel 9.3 KVM guest
Versions:

libica-4.3.0.tar.gz
openssl-ibmca-2.4.1.tar.gz

Hi,
Usually, when I installed libica and ibmca, I use '$ tee -a /etc/pki/tls/openssl.cnf < sample_file', then comment out 'openssl_conf = default_modules' and move the 'openssl_conf = openssl_def' to the top of cnf file. After that, I can see 'ibmca' engine shows up in the output of 'openssl engine -c'.

This time, I duplicated the same steps running in a rhel 9.3 kvm guest, after that, when I run the 'openssl engine -c', it responsed:

[root@a90kvm04-rhel93-079041 ~]# openssl engine -c
FATAL: Startup failure (dev note: apps_startup()) for openssl
000003FF875F3B40:error:40000068:lib(128):ERR_IBMCA_error:dso failure:e_ibmca.c:753:
000003FF875F3B40:error:13000066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:139:section=ibmca_section, name=init, value=1
000003FF875F3B40:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:270:module=engines, value=engine_section retcode=-1

Not sure what's happened, the only difference is it is the first time I tried in a kvm guest, not a normal server.

I'll attach the updated '/etc/pki/tls/openssl.cnf' (zipped)configure file, I don't know which log should be added, if anything logs, traces, please let me know.

Thanks~
41_openssl.cnf.zip

Please integrate building and running the src/test/ibmca_mechaList_test into the regular build process

To prevent algorithms from being supported (such as fix 1ab83f9) an extended test coverage would be helpful which is already existing but not automatically built and run i.e. used.

To integrate, please extend the build process by running
cd src/test
make -f Makefile.linux
./ibmca_mechaList_test -f ../.libs/ibmca.so

Thanks.

provider {rsa,ec,dh}key tests fail on z14

I am getting test failures for the {rsa,ec,dh}key tests fail on z14 with this build configuration

CFLAGS= -O2 -Wall
IBMCA engine:      yes
  default library: libica.so.4
IBMCA provider:    yes
  libica library:  libica-cex

The system is Fedora 36 with

libica-4.0.1-1.fc36.s390x
openssl-3.0.2-5.fc36.s390x

test-suite.log is here

=======================================================
   openssl-ibmca 2.3.0: test/provider/test-suite.log
=======================================================

# TOTAL: 13
# PASS:  10
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 3

.. contents:: :depth: 2

ERROR: rsakey
=============

Context is not using the IBMCA provider, but 'default'
Failure for RSA-512
Context is not using the IBMCA provider, but 'default'
Failure for RSA-1024
Context is not using the IBMCA provider, but 'default'
Failure for RSA-2048
Context is not using the IBMCA provider, but 'default'
Failure for RSA-4096
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-512
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-1024
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-2048
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-4096
ERROR rsakey (exit status: 99)

ERROR: eckey
============

Context is not using the IBMCA provider, but 'default'
Failure for NID_X9_62_prime192v1
Context is not using the IBMCA provider, but 'default'
Failure for NID_secp224r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_X9_62_prime256v1
Context is not using the IBMCA provider, but 'default'
Failure for NID_secp384r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_secp521r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP160r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP192r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP224r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP256r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP320r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP384r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP512r1
ERROR eckey (exit status: 99)

ERROR: dhkey
============

Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe2048 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe2048 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe3072 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe3072 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe4096 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe4096 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe6144 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe6144 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe8192 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe8192 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_1536 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_1536 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_2048 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_2048 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_3072 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_3072 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_4096 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_4096 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_6144 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_6144 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_8192 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_8192 (DHX)
ERROR dhkey (exit status: 99)

Adapt src/openssl.cnf.sample file for new openssl version

The definition of the ibmca engine for openssl 1.1 changed from openssl_conf = openssl_def to
openssl_conf = default_modules

[ default_modules ]
engines = engine_section
Please work this change into the openssl.cnf.sample file.
Thanks.

improve docs how to enable ibmca

The current docs say to include the sample config in openssl.cfg and move the openssl_conf= option to the top. Unfortunately it conflicts with openssl.cfg in Fedora 29+ where openssl_conf= is used to include the system-wide crypto policies.

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
#RANDFILE               = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

# Load default TLS policy configuration

openssl_conf = default_modules

[ default_modules ]

ssl_conf = ssl_module

[ ssl_module ]

system_default = crypto_policy

[ crypto_policy ]

.include /etc/crypto-policies/back-ends/opensslcnf.config

[ new_oids ]
...

My solution was to omit openssl_conf= and do

--- openssl.cnf.orig	2019-01-09 10:21:43.243015514 -0500
+++ openssl.cnf	2019-01-09 10:45:40.183065475 -0500
@@ -30,6 +30,7 @@
 [ default_modules ]
 
 ssl_conf = ssl_module
+engines = engine_section
 
 [ ssl_module ]
 
@@ -368,3 +369,58 @@
 				# (optional, default: no)
 ess_cert_id_alg		= sha1	# algorithm to compute certificate
 				# identifier (optional, default: sha1)
+
+
+
+[engine_section]
+ibmca = ibmca_section
+
+
+[ibmca_section]
...

use better location for provider debug output

Currently the provider will use /var/log/ibmca for the debug traces, but the directory needs to world writeable (mode 0777), which has security implications I believe. Ideally the location would be set by eg. an environment variable (eg. IBMCA_LOGDIR) or set in the config file and would default to eg. /tmp if not set by the user. I am pretty sure we don't want a wide open directory on a production system.

Add support for SHA-224 and SHA-384.

ibmca is missing support for the SHA-224, SHA-384, and SHA-512.

This issue was migrated from https://sourceforge.net/p/opencryptoki/bugs/126/

Bootstrap.sh is failing.

After remove some files not used, bootstrap.sh started to fail:

# ./bootstrap.sh 
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy
autoreconf: running: /usr/bin/autoconf
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --no-force
Makefile.am: installing './INSTALL'
Makefile.am: error: required file './NEWS' not found
Makefile.am: error: required file './README' not found
Makefile.am: installing './COPYING' using GNU General Public License v3 file
Makefile.am:     Consider adding the COPYING file to the version control system
Makefile.am:     for your code, to avoid questions about which license your project uses
autoreconf: automake failed with exit status: 1

sshd fails to start when provider is enabled

When a config file prepared by ibmca-provider-opensslconfig is used, sshd (and some other services) fails to start in Fedora Rawhide.

The journal contains

Jan 13 09:53:29 fedora systemd[1]: Starting sshd.service - OpenSSH server daemon...
Jan 13 09:53:29 fedora sshd[770]: PRNG is not seeded
Jan 13 09:53:29 fedora systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
Jan 13 09:53:29 fedora systemd[1]: sshd.service: Failed with result 'exit-code'.
Jan 13 09:53:29 fedora systemd[1]: Failed to start sshd.service - OpenSSH server daemon.

The package versions are

openssl-3.0.7-2.fc38.s390x
libica-4.2.0-1.fc38.s390x
openssl-ibmca-2.3.1-3.fc38.s390x

ibmca is configured with --disable-engine --enable-provider --libdir=/usr/lib64/ossl-modules --with-libica-cex --with-libica-version=4

CCing @kkaarreell

Provider vs engine

Hello,

I tried to use the provider for linux s390x, and I am wondering if it's the same as the engine.
When I run the test suite for the provider, I see only a few hardware usage with icastats (ECDH, ECDSA Sign, ECDSA Verify, EC Keygen, RSA-ME, RSA-CRT). When I run the test suite for the engine, I see a lot of them (SHA256, SHA512, DRBG-SHA-512, RSA-ME, RSA-CRT, and the 3DES and AES ones).

I'm kinda surprised, as I expected the provider to get the same crypto acceleration than the engine. Even when using the provider to do some TLS tests, I can see that the AES counters are not incremented, and thus the crypto acceleration is not there.

Is that normal ? Is it because OpenSSL now handle this and libica is not needed ?

Regards,

Robin Geffroy

undefined symbol: rpl_malloc

i get "libibmca.so: undefined symbol: rpl_malloc" on some systems, when using ibmca engine, for example with the "openssl engine -c" command.

this is fixed by removing AC_FUNC_MALLOC from configure.ac.

should this be fixed or am i missing something here ?

provider filename ibmca-provider.so vs ibmca.so

Currently the provider filename is ibmca-provider.so, but would it be possible to use ibmca.so instead, which is more obvious in my opinion?

openssl speed -engine ibmca
vs
openssl speed -provider ibmca-provider
The 'provider' string looks redundant ...

Not sure if it was causing some filename conflicts previously when both engine and provider were built, but with switching to using provider exclusively in systems with openssl >=3, it shouldn't be an issue.

Add contributing guide.

Would be nice to have a contributing guidelines.

refer libica by its soname

Currently the development symlink for libica (libica.so, https://github.com/opencryptoki/openssl-ibmca/blob/master/src/e_ibmca.c#L46) is used as the filename when loading libica into ibmca. It means the libica-devel package to be installed on distributions in addition to the runtime library. Or the string needs to patched in ibmca, that's what Fedora/RHEL do in https://src.fedoraproject.org/rpms/openssl-ibmca/blob/master/f/openssl-ibmca-2.0.0-libica-soname.patch.

eckey test failure

I am in the process of updating libica and openssl-ibmca in Fedora and I have encountered a new test failure in eckey.
The system is Fedora 34 on z14 LPAR, with libica 3.8.0 and openssl-1.1.1k-1.fc34.s390x installed. Will retry with --with-libica-cex too.

./configure --build=s390x-ibm-linux-gnu --host=s390x-ibm-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --
sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=
/usr/share/info --libdir=/usr/lib64/engines-1.1

test log

Curve NID_X9_62_prime192v1 not supported by OpenSSL
EC_KEY for NID_secp224r1 does not use ibmca engine
Failure for NID_secp224r1
EC_KEY for NID_X9_62_prime256v1 does not use ibmca engine
Failure for NID_X9_62_prime256v1
EC_KEY for NID_secp384r1 does not use ibmca engine
Failure for NID_secp384r1
EC_KEY for NID_secp521r1 does not use ibmca engine
Failure for NID_secp521r1
Curve NID_brainpoolP160r1 not supported by OpenSSL
Curve NID_brainpoolP192r1 not supported by OpenSSL
Curve NID_brainpoolP224r1 not supported by OpenSSL
Curve NID_brainpoolP256r1 not supported by OpenSSL
Curve NID_brainpoolP320r1 not supported by OpenSSL
Curve NID_brainpoolP384r1 not supported by OpenSSL
Curve NID_brainpoolP512r1 not supported by OpenSSL
ERROR eckey (exit status: 99)

Add FIPS support.

Would be interesting to enable the openssl/ibmca/libica stack for openssl running in FIPS mode.

The libica has a built time option for FIPS mode. If FIPS mode is built-in, libica will activate FIPS mode if the kernel FIPS flag is set and try to set openssl to FIPS mode. Openssl with active FIPS mode (if triggered by libica or from somewhere else) will only use algorithms that have the corresponding FIPS flags set.

As for ibmca this would require to:

Set the correspodning FIPS flags for all algorithms, that ibmca implements.
Read openssl FIPS status. Set libica to FIPS mode if needed (and if its possible), otherwise fail. This requires either an ibmca built option (since libica FIPS API has 2 additional functions) or enable libica to report this via the function list.

ibmca FIPS mode

libica (>=3.0.0) can be configured with the --enable-fips option to have built-in FIPS 140-2 support:
When /proc/sys/crypto/fips_enabled is 1, libica runs in FIPS mode and triggers OpenSSL's FIPS mode via FIPS_mode_set(1).

When running in FIPS mode, the OpenSSL/ibmca/libica stack crashes (SIGSEGV) in OpenSSL's RNG (which uses SHA-1).

libica currently does not block SHA-1 in FIPS mode: It is not allowed to be used in signatures, while still being allowed in HMAC-SHA1.

This problem needs to be investigated. Maybe the engines sha1 implementation has to set the EVP_MD_FLAG_FIPS flag.

Last field in RSA_METHOD appears uninitialized

The last field in the RSA_METHOD structure is rsa_keygen, which goes uninitialized in e_ibmca.c.

This issue was migrated from https://sourceforge.net/p/opencryptoki/bugs/130/