opencryptoki / openssl-ibmca Goto Github PK
View Code? Open in Web Editor NEWOpenSSL engine and provider for libica.
License: Apache License 2.0
OpenSSL engine and provider for libica.
License: Apache License 2.0
I am running RHEL 8.10 on LinuxONE (machine type 8562, model LT2) with CPACF enabled, and am configuring IBMCA to use the CEX7C Cyrpto Express cards which are in CCA-Coprocessor mode, with OpenSSL version 1.1.1k
[syb526@XTIM0429 ~]$ uname -a
Linux XTIM0429 4.18.0-553.8.1.el8_10.s390x #1 SMP Fri Jun 14 02:46:29 EDT 2024 s390x s390x s390x GNU/Linux
[syb526@XTIM0429 ~]$ lszcrypt -VV
CARD.DOM TYPE MODE STATUS REQUESTS PENDING HWTYPE QDEPTH FUNCTIONS DRIVER
--------------------------------------------------------------------------------------------
01 CEX7C CCA-Coproc online 12 0 13 08 ---D--N--R cex4card
01.0001 CEX7C CCA-Coproc online 12 0 13 08 ---D--N--R cex4queue
[syb526@XTIM0429 ~]$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH, RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512, ED25519, ED448, X25519, X448]
[syb526@XTIM0429 ~]$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
I have encountered an odd issue in the configuration when trying to use sudo
... if I omit default_algorithms
from my openssl.cnf
file, then everything works fine, however, if I specify default_algorithms = ALL
then I get a Segmentation Fault when using a sudo command:
[syb526@XTIM0429 ~]$ sudo echo test
test
Segmentation fault
With the following appearing in dmesg
output:
[26237.991859] [<000003ffb71fbf6c>] 0x3ffb71fbf6c
[26243.861905] User process fault: interruption code 003b ilc:2 in libpthread-2.28.so[3ff87600000+1c000]
[26243.861922] Failing address: 0000000000000000 TEID: 0000000000000800
[26243.861925] Fault in primary space mode while using user ASCE.
[26243.861929] AS:000000008853c1c7 R3:0000000000000024
[26243.861934] CPU: 1 PID: 14696 Comm: sudo Kdump: loaded Not tainted 4.18.0-553.8.1.el8_10.s390x #1
[26243.861939] Hardware name: IBM 8562 LT2 A00 (z/VM 7.3.0)
[26243.861946] User PSW : 0705000180000000 000003ff8760ce84
[26243.861950] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:0 PM:0 RI:0 EA:3
[26243.861955] User GPRS: 0000000000000007 0000000000000000 0000000000000000 000002aa51ee2e10
[26243.861960] 000003ff85a777c0 0000000000000000 000003ff85a7fb10 000003ff859a7dd0
[26243.861965] 000003ff85a7fb10 0000000000000000 000003ff85a8ac38 000002aa51ede290
[26243.861971] 000003ff8751eca8 0000000000000002 000003ff8598c0fa 000003fff347d450
[26243.861984] User Code: 000003ff8760ce76: b9040012 lgr %r1,%r2
000003ff8760ce7a: e3f0ff60ff71 lay %r15,-160(%r15)
#000003ff8760ce80: 47000000 bc 0,0
>000003ff8760ce84: 58202018 l %r2,24(%r2)
000003ff8760ce88: b24f00b0 ear %r11,%a0
000003ff8760ce8c: ebbb0020000d sllg %r11,%r11,32
000003ff8760ce92: b24f00b1 ear %r11,%a1
000003ff8760ce96: 5920b0d0 c %r2,208(%r11)
[26243.862013] Last Breaking-Event-Address:
[26243.862014] [<000003ff8587bf6c>] 0x3ff8587bf6c
If I specify any value for default_algorithms
this issue persists ... for example, I want to use default_algorithms = RSA, DH, DSA, RAND
but the Segmentation Fault occurs after using sudo.
It is worth noting that the sudo
command executes just fine, it appears to happen when the sudo environment exits. Additionally, IBMCA Engine appears to be working just fine ... but I can not deploy as it is with this causing a Segmentation Fault anytime I use the sudo command. I have not found this to occur anywhere except when sudo exits.
Packages installed are:
openssl-ibmca.s390x 2.4.1-1.el8 @rhel8_current-baseos
libica.s390x 4.2.3-1.el8 @rhel8_current-baseos
libica-devel.s390x 4.2.3-1.el8 @rhel8_current-baseos
opencryptoki.s390x 3.22.0-3.el8 @rhel8_current-baseos
opencryptoki-ccatok.s390x 3.22.0-3.el8 @rhel8_current-baseos
opencryptoki-icatok.s390x 3.22.0-3.el8 @rhel8_current-baseos
opencryptoki-libs.s390x 3.22.0-3.el8 @rhel8_current-baseos
openssl configuration is:
openssl_conf = default_modules
[ default_modules ]
[ibmca_section]
dynamic_path = /usr/lib64/engines-1.1/ibmca.so
engine_id = ibmca
init = 1
# Note -- our z15 (LinuxONE 8562) -- has CPACF enabled, which already accelerates
# ECC, as well as symmetric ciphers and digests
#
# IBMCA Engine then should be restricted to: RSA, DH, and DSA algorithms
#
# However, adding the default_algorithms = RSA,DH,DSA causes segfauls using sudo.
# default_algorithms = RSA,DH,DSA,RAND
Bug description: icastats not updated
Distro release:
RHEL 7.4
openssl-ibmca package version
[root@ghrhel74crypt ~]# rpm -qa openssl-ibmca
openssl-ibmca-1.3.0-2.el7.s390
openssl-ibmca-1.3.0-2.el7.s390x
libica package version
[root@ghrhel74crypt ~]# rpm -qa libica
libica-3.0.2-2.el7.s390x
libica-3.0.2-2.el7.s390
steps to reproduce the bug
Would be interesting to enable the openssl/ibmca/libica stack for openssl running in FIPS mode.
The libica has a built time option for FIPS mode. If FIPS mode is built-in, libica will activate FIPS mode if the kernel FIPS flag is set and try to set openssl to FIPS mode. Openssl with active FIPS mode (if triggered by libica or from somewhere else) will only use algorithms that have the corresponding FIPS flags set.
As for ibmca this would require to:
Currently the provider filename is ibmca-provider.so
, but would it be possible to use ibmca.so
instead, which is more obvious in my opinion?
openssl speed -engine ibmca
vs
openssl speed -provider ibmca-provider
The 'provider' string looks redundant ...
Not sure if it was causing some filename conflicts previously when both engine and provider were built, but with switching to using provider exclusively in systems with openssl >=3, it shouldn't be an issue.
The current docs say to include the sample config in openssl.cfg and move the openssl_conf= option to the top. Unfortunately it conflicts with openssl.cfg in Fedora 29+ where openssl_conf= is used to include the system-wide crypto policies.
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
#RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
# Load default TLS policy configuration
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
[ new_oids ]
...
My solution was to omit openssl_conf= and do
--- openssl.cnf.orig 2019-01-09 10:21:43.243015514 -0500
+++ openssl.cnf 2019-01-09 10:45:40.183065475 -0500
@@ -30,6 +30,7 @@
[ default_modules ]
ssl_conf = ssl_module
+engines = engine_section
[ ssl_module ]
@@ -368,3 +369,58 @@
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
+
+
+
+[engine_section]
+ibmca = ibmca_section
+
+
+[ibmca_section]
...
I am getting test failures for the {rsa,ec,dh}key tests fail on z14 with this build configuration
CFLAGS= -O2 -Wall
IBMCA engine: yes
default library: libica.so.4
IBMCA provider: yes
libica library: libica-cex
The system is Fedora 36 with
libica-4.0.1-1.fc36.s390x
openssl-3.0.2-5.fc36.s390x
test-suite.log
is here
=======================================================
openssl-ibmca 2.3.0: test/provider/test-suite.log
=======================================================
# TOTAL: 13
# PASS: 10
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 3
.. contents:: :depth: 2
ERROR: rsakey
=============
Context is not using the IBMCA provider, but 'default'
Failure for RSA-512
Context is not using the IBMCA provider, but 'default'
Failure for RSA-1024
Context is not using the IBMCA provider, but 'default'
Failure for RSA-2048
Context is not using the IBMCA provider, but 'default'
Failure for RSA-4096
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-512
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-1024
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-2048
Context is not using the IBMCA provider, but 'default'
Failure for RSA-PSS-4096
ERROR rsakey (exit status: 99)
ERROR: eckey
============
Context is not using the IBMCA provider, but 'default'
Failure for NID_X9_62_prime192v1
Context is not using the IBMCA provider, but 'default'
Failure for NID_secp224r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_X9_62_prime256v1
Context is not using the IBMCA provider, but 'default'
Failure for NID_secp384r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_secp521r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP160r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP192r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP224r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP256r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP320r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP384r1
Context is not using the IBMCA provider, but 'default'
Failure for NID_brainpoolP512r1
ERROR eckey (exit status: 99)
ERROR: dhkey
============
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe2048 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe2048 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe3072 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe3072 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe4096 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe4096 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe6144 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe6144 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe8192 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_ffdhe8192 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_1536 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_1536 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_2048 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_2048 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_3072 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_3072 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_4096 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_4096 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_6144 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_6144 (DHX)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_8192 (DH)
Context is not using the IBMCA provider, but 'default'
Failure for NID_modp_8192 (DHX)
ERROR dhkey (exit status: 99)
Platform: LinuxONE 4 LA1 with DPM mode enabled
OS: rhel 9.3 KVM guest
Versions:
Hi,
Usually, when I installed libica and ibmca, I use '$ tee -a /etc/pki/tls/openssl.cnf < sample_file', then comment out 'openssl_conf = default_modules' and move the 'openssl_conf = openssl_def' to the top of cnf file. After that, I can see 'ibmca' engine shows up in the output of 'openssl engine -c'.
This time, I duplicated the same steps running in a rhel 9.3 kvm guest, after that, when I run the 'openssl engine -c', it responsed:
[root@a90kvm04-rhel93-079041 ~]# openssl engine -c
FATAL: Startup failure (dev note: apps_startup()) for openssl
000003FF875F3B40:error:40000068:lib(128):ERR_IBMCA_error:dso failure:e_ibmca.c:753:
000003FF875F3B40:error:13000066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:139:section=ibmca_section, name=init, value=1
000003FF875F3B40:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:270:module=engines, value=engine_section retcode=-1
Not sure what's happened, the only difference is it is the first time I tried in a kvm guest, not a normal server.
I'll attach the updated '/etc/pki/tls/openssl.cnf' (zipped)configure file, I don't know which log should be added, if anything logs, traces, please let me know.
Thanks~
41_openssl.cnf.zip
The last field in the RSA_METHOD structure is rsa_keygen, which goes uninitialized in e_ibmca.c.
This issue was migrated from https://sourceforge.net/p/opencryptoki/bugs/130/
Would be nice to have a contributing guidelines.
i get "libibmca.so: undefined symbol: rpl_malloc" on some systems, when using ibmca engine, for example with the "openssl engine -c" command.
this is fixed by removing AC_FUNC_MALLOC from configure.ac.
should this be fixed or am i missing something here ?
To prevent algorithms from being supported (such as fix 1ab83f9) an extended test coverage would be helpful which is already existing but not automatically built and run i.e. used.
To integrate, please extend the build process by running
cd src/test
make -f Makefile.linux
./ibmca_mechaList_test -f ../.libs/ibmca.so
Thanks.
src/cryptlib.h and src/e_os.h are OpenSSL headers and added to the project to be able to build it, but nothing from them are used and both files were made opaque in OpenSSL 1.1 release.
libica (>=3.0.0) can be configured with the --enable-fips option to have built-in FIPS 140-2 support:
When /proc/sys/crypto/fips_enabled is 1, libica runs in FIPS mode and triggers OpenSSL's FIPS mode via FIPS_mode_set(1).
When running in FIPS mode, the OpenSSL/ibmca/libica stack crashes (SIGSEGV) in OpenSSL's RNG (which uses SHA-1).
libica currently does not block SHA-1 in FIPS mode: It is not allowed to be used in signatures, while still being allowed in HMAC-SHA1.
This problem needs to be investigated. Maybe the engines sha1 implementation has to set the EVP_MD_FLAG_FIPS flag.
OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ is new for OpenSSL 3.3.
"rsa-derive-from-pq" (OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ) unsigned integer
Indicate that missing parameters not passed in the parameter list should be derived if not provided. Setting a nonzero value will cause all needed exponents and coefficients to be derived if not available. Setting this option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2, and OSSL_PARAM_RSA_N to be provided. This option is ignored if OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter.
libcrypto's evp interfaces for ciphers allow to encrypt messages divided in chunks of arbitrary lengths.
ibmca requires the all chunk lenghts except the last one to be multiples of the cipher's block size.
Use of the engine should be made transparent to an application using libcrypto's evp interfaces, in the sense that the behavior is the same \w engine and w\o engine.
The test for dlclose() in ibmca_finish() is inverted.
dlclose() returns 0 on success and a non zero value on error. The current code treats success as an error.
ibmca is missing support for the SHA-224, SHA-384, and SHA-512.
This issue was migrated from https://sourceforge.net/p/opencryptoki/bugs/126/
The definition of the ibmca engine for openssl 1.1 changed from openssl_conf = openssl_def to
openssl_conf = default_modules
[ default_modules ]
engines = engine_section
Please work this change into the openssl.cnf.sample file.
Thanks.
I am in the process of updating libica and openssl-ibmca in Fedora and I have encountered a new test failure in eckey
.
The system is Fedora 34 on z14 LPAR, with libica 3.8.0 and openssl-1.1.1k-1.fc34.s390x installed. Will retry with --with-libica-cex
too.
./configure --build=s390x-ibm-linux-gnu --host=s390x-ibm-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --
sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=
/usr/share/info --libdir=/usr/lib64/engines-1.1
test log
Curve NID_X9_62_prime192v1 not supported by OpenSSL
EC_KEY for NID_secp224r1 does not use ibmca engine
Failure for NID_secp224r1
EC_KEY for NID_X9_62_prime256v1 does not use ibmca engine
Failure for NID_X9_62_prime256v1
EC_KEY for NID_secp384r1 does not use ibmca engine
Failure for NID_secp384r1
EC_KEY for NID_secp521r1 does not use ibmca engine
Failure for NID_secp521r1
Curve NID_brainpoolP160r1 not supported by OpenSSL
Curve NID_brainpoolP192r1 not supported by OpenSSL
Curve NID_brainpoolP224r1 not supported by OpenSSL
Curve NID_brainpoolP256r1 not supported by OpenSSL
Curve NID_brainpoolP320r1 not supported by OpenSSL
Curve NID_brainpoolP384r1 not supported by OpenSSL
Curve NID_brainpoolP512r1 not supported by OpenSSL
ERROR eckey (exit status: 99)
Hello,
I tried to use the provider for linux s390x, and I am wondering if it's the same as the engine.
When I run the test suite for the provider, I see only a few hardware usage with icastats (ECDH, ECDSA Sign, ECDSA Verify, EC Keygen, RSA-ME, RSA-CRT). When I run the test suite for the engine, I see a lot of them (SHA256, SHA512, DRBG-SHA-512, RSA-ME, RSA-CRT, and the 3DES and AES ones).
I'm kinda surprised, as I expected the provider to get the same crypto acceleration than the engine. Even when using the provider to do some TLS tests, I can see that the AES counters are not incremented, and thus the crypto acceleration is not there.
Is that normal ? Is it because OpenSSL now handle this and libica is not needed ?
Regards,
Robin Geffroy
make check-TESTS
make[3]: Entering directory '/<<PKGBUILDDIR>>/test'
make[4]: Entering directory '/<<PKGBUILDDIR>>/test'
FAIL: des-cbc-test.pl
FAIL: des-ofb-test.pl
FAIL: des-cfb-test.pl
FAIL: des-ecb-test.pl
FAIL: 3des-cbc-test.pl
FAIL: 3des-ecb-test.pl
FAIL: 3des-cfb-test.pl
FAIL: 3des-ofb-test.pl
FAIL: aes-128-ecb-test.pl
FAIL: aes-128-cbc-test.pl
FAIL: aes-128-cfb-test.pl
FAIL: aes-192-ecb-test.pl
FAIL: aes-128-ofb-test.pl
FAIL: aes-192-cbc-test.pl
FAIL: aes-192-cfb-test.pl
FAIL: aes-192-ofb-test.pl
FAIL: aes-256-cbc-test.pl
FAIL: aes-256-ecb-test.pl
FAIL: aes-256-ofb-test.pl
PASS: aes-256-cfb-test.pl
==============================================
openssl-ibmca 2.0.0: test/test-suite.log
==============================================
# TOTAL: 20
# PASS: 1
# SKIP: 0
# XFAIL: 0
# FAIL: 19
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: des-ecb-test.pl
=====================
unable to write 'random state'
unable to write 'random state'
FAIL des-ecb-test.pl (exit status: 1)
FAIL: des-cbc-test.pl
=====================
unable to write 'random state'
bad decrypt
4396773508896:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:541:
FAIL des-cbc-test.pl (exit status: 1)
FAIL: des-cfb-test.pl
=====================
unable to write 'random state'
FAIL des-cfb-test.pl (exit status: 1)
FAIL: des-ofb-test.pl
=====================
unable to write 'random state'
FAIL des-ofb-test.pl (exit status: 1)
FAIL: 3des-ecb-test.pl
======================
unable to write 'random state'
bad decrypt
4396134926112:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
unable to write 'random state'
bad decrypt
4396630378272:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
FAIL 3des-ecb-test.pl (exit status: 1)
FAIL: 3des-cbc-test.pl
======================
unable to write 'random state'
unable to write 'random state'
bad decrypt
4396428003104:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
FAIL 3des-cbc-test.pl (exit status: 1)
FAIL: 3des-cfb-test.pl
======================
unable to write 'random state'
unable to write 'random state'
FAIL 3des-cfb-test.pl (exit status: 1)
FAIL: 3des-ofb-test.pl
======================
unable to write 'random state'
unable to write 'random state'
cmp: EOF on data.in which is empty
FAIL 3des-ofb-test.pl (exit status: 1)
FAIL: aes-128-ecb-test.pl
=========================
unable to write 'random state'
bad decrypt
4396508219168:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../crypto/evp/evp_enc.c:525:
FAIL aes-128-ecb-test.pl (exit status: 1)
FAIL: aes-128-cbc-test.pl
=========================
unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-128-cbc-test.pl (exit status: 1)
FAIL: aes-128-cfb-test.pl
=========================
unable to write 'random state'
unable to write 'random state'
FAIL aes-128-cfb-test.pl (exit status: 1)
FAIL: aes-128-ofb-test.pl
=========================
unable to write 'random state'
unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-128-ofb-test.pl (exit status: 1)
FAIL: aes-192-ecb-test.pl
=========================
unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-192-ecb-test.pl (exit status: 1)
FAIL: aes-192-cbc-test.pl
=========================
unable to write 'random state'
cmp: EOF on data.dec which is empty
FAIL aes-192-cbc-test.pl (exit status: 1)
FAIL: aes-192-cfb-test.pl
=========================
unable to write 'random state'
unable to write 'random state'
FAIL aes-192-cfb-test.pl (exit status: 1)
FAIL: aes-192-ofb-test.pl
=========================
unable to write 'random state'
FAIL aes-192-ofb-test.pl (exit status: 1)
FAIL: aes-256-ecb-test.pl
=========================
unable to write 'random state'
unable to write 'random state'
FAIL aes-256-ecb-test.pl (exit status: 1)
FAIL: aes-256-cbc-test.pl
=========================
unable to write 'random state'
bad decrypt
4395925210912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
FAIL aes-256-cbc-test.pl (exit status: 1)
FAIL: aes-256-ofb-test.pl
=========================
unable to write 'random state'
FAIL aes-256-ofb-test.pl (exit status: 1)
============================================================================
Testsuite summary for openssl-ibmca 2.0.0
============================================================================
# TOTAL: 20
# PASS: 1
# SKIP: 0
# XFAIL: 0
# FAIL: 19
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
Please report to [email protected]
============================================================================
This is on Ubuntu Cosmic (to become 18.10) as built in launchpad PPA. Note anybody can use PPAs on launchpad and activate builds for s390x.
When doing a similar build, but in chroot on a z/VM, things are slightly better:
============================================================================
Testsuite summary for openssl-ibmca 2.0.0
============================================================================
# TOTAL: 20
# PASS: 0
# SKIP: 20
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
So no tests are actually run, and everything is skipped.
Regular user build (non-chrooted) on z/VM goes fine and results in full test suite pass:
============================================================================
Testsuite summary for openssl-ibmca 2.0.0
============================================================================
# TOTAL: 20
# PASS: 20
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
Currently the provider will use /var/log/ibmca
for the debug traces, but the directory needs to world writeable (mode 0777), which has security implications I believe. Ideally the location would be set by eg. an environment variable (eg. IBMCA_LOGDIR
) or set in the config file and would default to eg. /tmp
if not set by the user. I am pretty sure we don't want a wide open directory on a production system.
When a config file prepared by ibmca-provider-opensslconfig
is used, sshd
(and some other services) fails to start in Fedora Rawhide.
The journal contains
Jan 13 09:53:29 fedora systemd[1]: Starting sshd.service - OpenSSH server daemon...
Jan 13 09:53:29 fedora sshd[770]: PRNG is not seeded
Jan 13 09:53:29 fedora systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
Jan 13 09:53:29 fedora systemd[1]: sshd.service: Failed with result 'exit-code'.
Jan 13 09:53:29 fedora systemd[1]: Failed to start sshd.service - OpenSSH server daemon.
The package versions are
openssl-3.0.7-2.fc38.s390x
libica-4.2.0-1.fc38.s390x
openssl-ibmca-2.3.1-3.fc38.s390x
ibmca
is configured with --disable-engine --enable-provider --libdir=/usr/lib64/ossl-modules --with-libica-cex --with-libica-version=4
CCing @kkaarreell
I'm getting test failures in our CI after the last updates. The system is Fedora 33 on a KVM guest on a z14.
==============================================
openssl-ibmca 2.1.2: test/test-suite.log
==============================================
# TOTAL: 23
# PASS: 21
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 2
.. contents:: :depth: 2
ERROR: loadtest
===============
Failed to create PKEY_CTX
Check for global variables failed!
ERROR loadtest (exit status: 99)
ERROR: threadtest
=================
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Error in thread 0
Error in thread 1
Error in thread 2
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Failed to create PKEY_CTX
Error in thread 3
Failed to create PKEY_CTX
Error in thread 4
Error in thread 5
Failed to create PKEY_CTX
Error in thread 6
Error in thread 7
Failed to create PKEY_CTX
Error in thread 8
Error in thread 9
Error in thread 10
Error in thread 11
Error in thread 12
Error in thread 13
Error in thread 14
Error in thread 15
Error in thread 16
Error in thread 17
Error in thread 18
Error in thread 19
ERROR threadtest (exit status: 99)
Will the IBM-CA provider (https://www.ibm.com/docs/en/linux-on-systems?topic=openssl-using-ibmca-provider) support post-quantum crypto algorithms in the future similar to the OQS provider (https://github.com/open-quantum-safe/oqs-provider) for Z and LinuxONE?
Currently the development symlink for libica (libica.so, https://github.com/opencryptoki/openssl-ibmca/blob/master/src/e_ibmca.c#L46) is used as the filename when loading libica into ibmca. It means the libica-devel package to be installed on distributions in addition to the runtime library. Or the string needs to patched in ibmca, that's what Fedora/RHEL do in https://src.fedoraproject.org/rpms/openssl-ibmca/blob/master/f/openssl-ibmca-2.0.0-libica-soname.patch.
After remove some files not used, bootstrap.sh started to fail:
# ./bootstrap.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy
autoreconf: running: /usr/bin/autoconf
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --no-force
Makefile.am: installing './INSTALL'
Makefile.am: error: required file './NEWS' not found
Makefile.am: error: required file './README' not found
Makefile.am: installing './COPYING' using GNU General Public License v3 file
Makefile.am: Consider adding the COPYING file to the version control system
Makefile.am: for your code, to avoid questions about which license your project uses
autoreconf: automake failed with exit status: 1
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.