diff -Nru openssl-ibmca-2.3.0/ChangeLog openssl-ibmca-2.3.1/ChangeLog --- openssl-ibmca-2.3.0/ChangeLog 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/ChangeLog 2022-09-30 13:59:11.000000000 +0200 @@ -1,3 +1,6 @@ +* openssl-ibmca 2.3.1 +- Adjustments for libica 4.1.0 + * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources diff -Nru openssl-ibmca-2.3.0/configure.ac openssl-ibmca-2.3.1/configure.ac --- openssl-ibmca-2.3.0/configure.ac 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/configure.ac 2022-09-30 13:59:11.000000000 +0200 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [2.3.0], [opencryptoki-users@lists.sf.net]) +AC_INIT([openssl-ibmca], [2.3.1], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/engine/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) @@ -130,6 +130,8 @@ [#include ]) fi +AC_CHECK_DECLS([ica_cleanup],,,[#include ]) + AC_CONFIG_FILES([ Makefile src/Makefile diff -Nru openssl-ibmca-2.3.0/debian/changelog openssl-ibmca-2.3.1/debian/changelog --- openssl-ibmca-2.3.0/debian/changelog 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/changelog 2023-02-01 17:23:55.000000000 +0100 @@ -1,3 +1,21 @@ +openssl-ibmca (2.3.1-0ubuntu1) lunar; urgency=medium + + * New upstream release. LP: #2004529 + * Remove patch d/p/lp-1959763-Adjust-to-new-libica.patch + because it's now included in upstream v2.3.1. + * Remove patch d/p/lp-1959763-Support-tests-in-remote-builds.patch + because it's now included in upstream v2.3.1. + * Remove patch + d/p/lp-1959763-provider-Adapt-keymgmt_match-implementations.patch + because it's now included in upstream v2.3.1. + * Remove patch + d/p/lp-1959763-tests-skip-tests-if-libica-does-not-support.patch + because it's now included in upstream v2.3.1. + * Remove patch d/p/lp-1959763-Provider-Fix-parallel-test-runs.patch + because it's now included in upstream v2.3.1. + + -- Frank Heimes Wed, 01 Feb 2023 17:23:55 +0100 + openssl-ibmca (2.3.0-0ubuntu1) kinetic; urgency=medium * New upstream release. LP: #1959763 diff -Nru openssl-ibmca-2.3.0/debian/patches/lp-1959763-Adjust-to-new-libica.patch openssl-ibmca-2.3.1/debian/patches/lp-1959763-Adjust-to-new-libica.patch --- openssl-ibmca-2.3.0/debian/patches/lp-1959763-Adjust-to-new-libica.patch 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/patches/lp-1959763-Adjust-to-new-libica.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,130 +0,0 @@ -From 76341149f2102bb628da61c2653e5911ddb81084 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 7 Apr 2022 12:32:36 +0200 -Subject: [PATCH] Adjust to new libica. - -libica recently added function ica_cleanup to be called to free internal -OpenSSL 3.0 resources. This collided with our internal ica_cleanup function. -Rename that and call ica_cleanup if present. - -Signed-off-by: Juergen Christ - -Origin: upstream, https://github.com/opencryptoki/openssl-ibmca/commit/76341149f2102bb628da61c2653e5911ddb81084 -Bug-Ubuntu: https://bugs.launchpad.net/bugs/1959763 -Last-Update: 2022-08-11 - ---- - configure.ac | 2 ++ - src/engine/e_ibmca.c | 13 ++++++++++--- - src/engine/ibmca.h | 3 +++ - src/provider/p_ibmca.c | 3 +++ - 4 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 46ad10e..6434056 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -130,6 +130,8 @@ if test "x$enable_provider" = xyes; then - [#include ]) - fi - -+AC_CHECK_DECLS([ica_cleanup],,,[#include ]) -+ - AC_CONFIG_FILES([ - Makefile - src/Makefile -diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c -index ef17349..7335246 100644 ---- a/src/engine/e_ibmca.c -+++ b/src/engine/e_ibmca.c -@@ -102,6 +102,7 @@ ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize; - ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; - ica_aes_gcm_last_t p_ica_aes_gcm_last; - #endif -+ica_cleanup_t p_ica_cleanup; - - /* save libcrypto's default ec methods */ - #ifndef NO_EC -@@ -652,8 +653,10 @@ static void ibmca_destructor(void) - free((void *)LIBICA_NAME); - } - --static void ica_cleanup(void) -+static void do_ica_cleanup(void) - { -+ if (p_ica_cleanup) -+ p_ica_cleanup(); - if (ibmca_dso && dlclose(ibmca_dso)) { - IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE); - return; -@@ -725,6 +728,7 @@ static void ica_cleanup(void) - p_ica_x448_ctx_del = NULL; - p_ica_ed25519_ctx_del = NULL; - p_ica_ed448_ctx_del = NULL; -+ p_ica_cleanup = NULL; - } - - static int ibmca_init(ENGINE *e) -@@ -806,6 +810,9 @@ static int ibmca_init(ENGINE *e) - BIND(ibmca_dso, ica_ed25519_ctx_del); - BIND(ibmca_dso, ica_ed448_ctx_del); - -+ /* ica_cleanup is not always present and only needed for newer libraries */ -+ p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup"); -+ - /* disable fallbacks on Libica */ - if (BIND(ibmca_dso, ica_set_fallback_mode)) - p_ica_set_fallback_mode(0); -@@ -821,7 +828,7 @@ static int ibmca_init(ENGINE *e) - return 1; - - err: -- ica_cleanup(); -+ do_ica_cleanup(); - return 0; - } - -@@ -884,7 +891,7 @@ static int ibmca_finish(ENGINE *e) - if (p_ica_close_adapter) - p_ica_close_adapter(ibmca_handle); - -- ica_cleanup(); -+ do_ica_cleanup(); - memset(&ibmca_registration, 0, sizeof(ibmca_registration)); - return 1; - } -diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h -index 382a45d..53f4ca1 100644 ---- a/src/engine/ibmca.h -+++ b/src/engine/ibmca.h -@@ -616,6 +616,8 @@ int (*ica_ed25519_ctx_del_t)(ICA_ED25519_CTX **ctx); - typedef - int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx); - -+typedef void (*ica_cleanup_t)(void); -+ - /* entry points into libica, filled out at DSO load time */ - extern ica_get_functionlist_t p_ica_get_functionlist; - extern ica_set_fallback_mode_t p_ica_set_fallback_mode; -@@ -681,3 +683,4 @@ extern ica_x25519_ctx_del_t p_ica_x25519_ctx_del; - extern ica_x448_ctx_del_t p_ica_x448_ctx_del; - extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del; - extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del; -+extern ica_cleanup_t p_ica_cleanup; -diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c -index d8045ba..80f0368 100644 ---- a/src/provider/p_ibmca.c -+++ b/src/provider/p_ibmca.c -@@ -633,6 +633,9 @@ static void ibmca_teardown(void *vprovctx) - pthread_mutex_destroy(&provctx->debug_mutex); - - P_FREE(provctx, provctx); -+#if HAVE_DECL_ICA_CLEANUP == 1 -+ ica_cleanup(); -+#endif - } - - static const OSSL_PARAM ibmca_param_types[] = { --- -2.25.1 - diff -Nru openssl-ibmca-2.3.0/debian/patches/lp-1959763-provider-Adapt-keymgmt_match-implementations.patch openssl-ibmca-2.3.1/debian/patches/lp-1959763-provider-Adapt-keymgmt_match-implementations.patch --- openssl-ibmca-2.3.0/debian/patches/lp-1959763-provider-Adapt-keymgmt_match-implementations.patch 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/patches/lp-1959763-provider-Adapt-keymgmt_match-implementations.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,103 +0,0 @@ -From c0d384b72f280a4bd1c71407df0583da1847f5cb Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Thu, 12 May 2022 11:20:18 +0200 -Subject: [PATCH] provider: Adapt keymgmt_match() implementations to OpenSSL - -OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the -OpenSSL provider's keymgmt_match() function to be not so strict with -the selector bits in regards to matching different key parts. - -Adapt the provider's match functions accordingly. -This means, that if the public key is selected to be matched, and the -public key matches (together with any also selected parameters), -then the private key is no longer checked, although it may also be -selected to be matched. This is according to how the OpenSSL function -EVP_PKEY_eq() is supposed to behave. - -Signed-off-by: Ingo Franzki - -Origin: upstream, https://github.com/opencryptoki/openssl-ibmca/commit/c0d384b72f280a4bd1c71407df0583da1847f5cb -Bug-Ubuntu: https://bugs.launchpad.net/bugs/1959763 -Last-Update: 2022-08-11 - ---- - src/provider/dh_keymgmt.c | 2 +- - src/provider/ec_keymgmt.c | 5 +++-- - src/provider/rsa_keymgmt.c | 8 +++++--- - 3 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c -index 48ba739..3180158 100644 ---- a/src/provider/dh_keymgmt.c -+++ b/src/provider/dh_keymgmt.c -@@ -1000,7 +1000,7 @@ static int ibmca_keymgmt_dh_match(const void *vkey1, const void *vkey2, - } - } - -- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { -+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - if (key1->dh.priv != NULL || key2->dh.priv != NULL) { - ok = ok && (BN_cmp(key1->dh.priv, key2->dh.priv) == 0); - checked = 1; -diff --git a/src/provider/ec_keymgmt.c b/src/provider/ec_keymgmt.c -index d898c6a..d39b1e2 100644 ---- a/src/provider/ec_keymgmt.c -+++ b/src/provider/ec_keymgmt.c -@@ -751,7 +751,7 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2, - const struct ibmca_key *key2 = vkey2; - BIGNUM *x1 = NULL, *y1 = NULL, *d1 = NULL; - BIGNUM *x2 = NULL, *y2 = NULL, *d2 = NULL; -- int ok = 1, rc1, rc2; -+ int ok = 1, rc1, rc2, checked = 0; - - if (key1 == NULL || key2 == NULL) - return 0; -@@ -781,9 +781,10 @@ static int ibmca_keymgmt_ec_match(const void *vkey1, const void *vkey2, - - ok = ok && (rc1 == rc2 && (rc1 == -1 || - (BN_cmp(x1, x2) == 0 && BN_cmp(y1, y2) == 0))); -+ checked = 1; - } - -- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { -+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - rc1 = ibmca_keymgmt_ec_priv_key_as_bn(key1, &d1); - if (rc1 == 0) { - ok = 0; -diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c -index 61f7744..9278327 100644 ---- a/src/provider/rsa_keymgmt.c -+++ b/src/provider/rsa_keymgmt.c -@@ -641,7 +641,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, - { - const struct ibmca_key *key1 = vkey1; - const struct ibmca_key *key2 = vkey2; -- int ok = 1; -+ int ok = 1, checked = 0; - - if (key1 == NULL || key2 == NULL) - return 0; -@@ -652,7 +652,7 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, - if (ibmca_keymgmt_match(key1, key2) == 0) - return 0; - -- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) -+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - ok = ok && (key1->rsa.public.key_length == - key2->rsa.public.key_length && - memcmp(key1->rsa.public.exponent, -@@ -661,8 +661,10 @@ static int ibmca_keymgmt_rsa_match(const void *vkey1, const void *vkey2, - memcmp(key1->rsa.public.modulus, - key2->rsa.public.modulus, - key1->rsa.public.key_length) == 0); -+ checked = 1; -+ } - -- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) -+ if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) - ok = ok && (key1->rsa.private.key_length == - key2->rsa.private.key_length && - CRYPTO_memcmp(key1->rsa.private.p, --- -2.25.1 - diff -Nru openssl-ibmca-2.3.0/debian/patches/lp-1959763-Provider-Fix-parallel-test-runs.patch openssl-ibmca-2.3.1/debian/patches/lp-1959763-Provider-Fix-parallel-test-runs.patch --- openssl-ibmca-2.3.0/debian/patches/lp-1959763-Provider-Fix-parallel-test-runs.patch 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/patches/lp-1959763-Provider-Fix-parallel-test-runs.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,281 +0,0 @@ -From 89b4e6f664b8ada4b14644859a18945f229fc5b4 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Fri, 12 Aug 2022 13:22:32 +0200 -Subject: [PATCH] Provider: Fix parallel test runs - -Make key file names unique and do not use killall. - -Signed-off-by: Juergen Christ - -Origin: upstream, https://github.com/opencryptoki/openssl-ibmca/commit/89b4e6f -Bug-Ubuntu: https://bugs.launchpad.net/bugs/1959763 -Last-Update: 2022-08-15 - ---- - test/provider/test.pm | 111 ++++++++++++++++++++++-------------------- - 1 file changed, 57 insertions(+), 54 deletions(-) - -diff --git a/test/provider/test.pm b/test/provider/test.pm -index 0cc31fa..10ef78c 100644 ---- a/test/provider/test.pm -+++ b/test/provider/test.pm -@@ -29,30 +29,30 @@ sub rsaencdec { - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; -- `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; -+ `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsaencdec$keylen.key`; -+ `$prov openssl rsa -in rsaencdec$keylen.key -check -pubout -out rsaencdec$keylen.pub`; - exit(99) if ($?); - - for my $i (1..$tests) { - my $bytes = 1 + int(rand($max_file_size)); - # provider enc, no-provider dec - `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; -- `$prov openssl pkeyutl -encrypt -pubin -inkey rsa$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -- `openssl pkeyutl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; -+ `$prov openssl pkeyutl -encrypt -pubin -inkey rsaencdec$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -+ `openssl pkeyutl -decrypt -inkey rsaencdec$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; - `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.out rsaencdec.${i}.${keylen}.data.dec`; - - # no-provider enc, provider dec - `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; -- `openssl pkeyutl -encrypt -pubin -inkey rsa$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -- `$prov openssl pkeyutl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; -+ `openssl pkeyutl -encrypt -pubin -inkey rsaencdec$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -+ `$prov openssl pkeyutl -decrypt -inkey rsaencdec$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; - `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.out rsaencdec.${i}.${keylen}.data.dec`; - } - -- `rm -f rsa$keylen.key rsa$keylen.pub`; -+ `rm -f rsaencdec$keylen.key rsaencdec$keylen.pub`; - } - - sub rsaoaepencdec { -@@ -63,24 +63,24 @@ sub rsaoaepencdec { - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; -- `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; -+ `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsaoaepencdec$keylen.key`; -+ `$prov openssl rsa -in rsaoaepencdec$keylen.key -check -pubout -out rsaoaepencdec$keylen.pub`; - exit(99) if ($?); - - for my $i (1..$tests) { - my $bytes = 1 + int(rand($max_file_size)); - # provider enc, no-provider dec - `openssl rand $bytes > rsaoaepencdec.${i}.${keylen}.data.in`; -- `$prov openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsa$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; -- `openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsa$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; -+ `$prov openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsaoaepencdec$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; -+ `openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsaoaepencdec$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; - `cmp rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.out rsaoaepencdec.${i}.${keylen}.data.dec`; - - # no-provider enc, provider dec - `openssl rand $bytes > rsaoaepencdec.${i}.${keylen}.data.in`; -- `openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsa$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; -- `$prov openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsa$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; -+ `openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsaoaepencdec$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; -+ `$prov openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsaoaepencdec$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; - `cmp rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.out rsaoaepencdec.${i}.${keylen}.data.dec`; -@@ -97,30 +97,30 @@ sub rsasignverify { - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; -- `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; -+ `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsasignverify$keylen.key`; -+ `$prov openssl rsa -in rsasignverify$keylen.key -check -pubout -out rsasignverify$keylen.pub`; - exit(99) if ($?); - - for my $i (1..$tests) { - my $bytes = 1 + int(rand($input_size)); - # provider sign, no-provider verify - `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; -- `$prov openssl pkeyutl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -- `openssl pkeyutl -verifyrecover -pubin -inkey rsa$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; -+ `$prov openssl pkeyutl -sign -inkey rsasignverify$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -+ `openssl pkeyutl -verifyrecover -pubin -inkey rsasignverify$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; - `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; - exit(99) if ($?); - `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; - - # no-provider sign, provider verify - `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; -- `openssl pkeyutl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -- `$prov openssl pkeyutl -verifyrecover -pubin -inkey rsa$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; -+ `openssl pkeyutl -sign -inkey rsasignverify$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -+ `$prov openssl pkeyutl -verifyrecover -pubin -inkey rsasignverify$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; - `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; - exit(99) if ($?); - `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; - } - -- `rm -f rsa$keylen.key rsa$keylen.pub`; -+ `rm -f rsasignverify$keylen.key rsasignverify$keylen.pub`; - } - - sub rsapsssignverify { -@@ -165,28 +165,28 @@ sub rsax931signverify { - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; -- `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; -+ `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsax931$keylen.key`; -+ `$prov openssl rsa -in rsax931$keylen.key -check -pubout -out rsax931$keylen.pub`; - exit(99) if ($?); - - for my $i (1..$tests) { - my $bytes = 1 + int(rand($input_size)); - # provider sign, no-provider verify - `openssl rand $bytes > rsax931signverify.${i}.${keylen}.data.in`; -- `$prov openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsa$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; -- `openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsa$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; -+ `$prov openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsax931$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; -+ `openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsax931$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; - exit(99) if ($?); - `rm -f rsax931signverify.${i}.${keylen}.data.in rsax931signverify.${i}.${keylen}.data.out`; - - # no-provider sign, provider verify - `openssl rand $bytes > rsax931signverify.${i}.${keylen}.data.in`; -- `openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsa$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; -- `$prov openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsa$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; -+ `openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsax931$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; -+ `$prov openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsax931$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; - exit(99) if ($?); - `rm -f rsax931signverify.${i}.${keylen}.data.in rsax931signverify.${i}.${keylen}.data.out`; - } - -- `rm -f rsa$keylen.key rsa$keylen.pub`; -+ `rm -f rsax931$keylen.key rsax931$keylen.pub`; - } - - sub ecsignverify { -@@ -201,23 +201,23 @@ sub ecsignverify { - `openssl ecparam -list_curves | grep $curve`; - return if ($?); - -- `$prov openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:$curve -out ec$curve.key`; -- `$prov openssl ec -in ec$curve.key -check -pubout -out ec$curve.pub`; -+ `$prov openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:$curve -out ecsignverify$curve.key`; -+ `$prov openssl ec -in ecsignverify$curve.key -check -pubout -out ecsignverify$curve.pub`; - exit(99) if ($?); - - for my $i (1..$tests) { - my $bytes = 1 + int(rand($input_size)); - # provider sign, no-provider verify - `openssl rand $bytes > ecsignverify.${i}.${curve}.data.in`; -- `$prov openssl pkeyutl -sign -digest $md -inkey ec$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; -- `openssl pkeyutl -verify -digest $md -pubin -inkey ec$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; -+ `$prov openssl pkeyutl -sign -digest $md -inkey ecsignverify$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; -+ `openssl pkeyutl -verify -digest $md -pubin -inkey ecsignverify$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; - exit(99) if ($?); - `rm -f ecsignverify.${i}.${curve}.data.in ecsignverify.${i}.${curve}.data.out`; - - # no-provider sign, provider verify - `openssl rand $bytes > ecsignverify.${i}.${curve}.data.in`; -- `openssl pkeyutl -sign -digest $md -inkey ec$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; -- `$prov openssl pkeyutl -verify -digest $md -pubin -inkey ec$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; -+ `openssl pkeyutl -sign -digest $md -inkey ecsignverify$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; -+ `$prov openssl pkeyutl -verify -digest $md -pubin -inkey ecsignverify$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; - exit(99) if ($?); - `rm -f ecsignverify.${i}.${curve}.data.in ecsignverify.${i}.${curve}.data.out`; - } -@@ -285,24 +285,23 @@ sub dhderive { - my $prov = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF} OPENSSL_MODULES=$ENV{IBMCA_TEST_PATH}"; - - my ($group, $tests) = @_; -- - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dh$group.key`; -- `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peer$group.key`; -- `$prov openssl pkey -in peer$group.key -check -pubout -out peer$group.pub`; -+ `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dhderive$group.key`; -+ `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peerderive$group.key`; -+ `$prov openssl pkey -in peerderive$group.key -check -pubout -out peerderive$group.pub`; - exit(99) if ($?); - - for my $i (1..$tests) { -- `$prov openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -out dhderive.${i}.${group}.data.out1`; -- `openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -out dhderive.${i}.${group}.data.out2`; -+ `$prov openssl pkeyutl -derive -inkey dhderive$group.key -peerkey peerderive$group.pub -out dhderive.${i}.${group}.data.out1`; -+ `openssl pkeyutl -derive -inkey dhderive$group.key -peerkey peerderive$group.pub -out dhderive.${i}.${group}.data.out2`; - `cmp dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; - exit(99) if ($?); - `rm -f dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; - } - -- `rm -f dh$group.key peer$group.key peer$group.pub`; -+ `rm -f dhderive$group.key peerderive$group.key peerderive$group.pub`; - } - - sub dhderivekdf { -@@ -313,21 +312,21 @@ sub dhderivekdf { - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dh$group.key`; -- `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peer$group.key`; -- `$prov openssl pkey -in peer$group.key -check -pubout -out peer$group.pub`; -+ `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dhderivekdf$group.key`; -+ `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peerderivekdf$group.key`; -+ `$prov openssl pkey -in peerderivekdf$group.key -check -pubout -out peerderivekdf$group.pub`; - exit(99) if ($?); - - - for my $i (1..$tests) { -- `$prov openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderive.${i}.${group}.data.out1`; -- `openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderive.${i}.${group}.data.out2`; -- `cmp dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; -+ `$prov openssl pkeyutl -derive -inkey dhderivekdf$group.key -peerkey peerderivekdf$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderivekdf.${i}.${group}.data.out1`; -+ `openssl pkeyutl -derive -inkey dhderivekdf$group.key -peerkey peerderivekdf$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderivekdf.${i}.${group}.data.out2`; -+ `cmp dhderivekdf.${i}.${group}.data.out1 dhderivekdf.${i}.${group}.data.out2`; - exit(99) if ($?); -- `rm -f dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; -+ `rm -f dhderivekdf.${i}.${group}.data.out1 dhderivekdf.${i}.${group}.data.out2`; - } - -- `rm -f dh$group.key peer$group.key peer$group.pub`; -+ `rm -f dhderivekdf$group.key peerderivekdf$group.key peerderivekdf$group.pub`; - } - - sub tls { -@@ -339,12 +338,16 @@ sub tls { - `$prov openssl list -providers | grep "name: ibmca"`; - exit(99) if ($?); - -- `$prov openssl s_server -accept $port -naccept 1 -brief -cert $cert -key $privkey -cipher $cipher -ciphersuites $ciphersuites $opts 1>server-$port.out 2>&1 &`; -- sleep 1; -- `echo "Hello World" | $prov openssl s_client -connect localhost:$port -cipher $cipher -ciphersuites $ciphersuites $opts`; -- $ret = $?; -- sleep 1; -- `killall openssl`; -+ if ($pid = fork) { -+ sleep 1; -+ `echo "Hello World" | $prov openssl s_client -connect localhost:$port -cipher $cipher -ciphersuites $ciphersuites $opts`; -+ $ret = $?; -+ sleep 1; -+ kill 15, $pid; -+ waitpid $pid, 0; -+ } else { -+ exec "$prov openssl s_server -accept $port -naccept 1 -brief -cert $cert -key $privkey -cipher $cipher -ciphersuites $ciphersuites $opts 1>server-$port.out 2>&1"; -+ } - exit(99) if ($ret); - - `rm -f server-$port.out`; --- -2.25.1 - diff -Nru openssl-ibmca-2.3.0/debian/patches/lp-1959763-Support-tests-in-remote-builds.patch openssl-ibmca-2.3.1/debian/patches/lp-1959763-Support-tests-in-remote-builds.patch --- openssl-ibmca-2.3.0/debian/patches/lp-1959763-Support-tests-in-remote-builds.patch 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/patches/lp-1959763-Support-tests-in-remote-builds.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,126 +0,0 @@ -From 688273ec77530a44d43ad5133155e646a945bc88 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 7 Apr 2022 12:33:44 +0200 -Subject: [PATCH] Support tests in remote builds. - -If the build is not wihin the source tree, tests failed since they could not -find the key files. Add support for this. - -Signed-off-by: Juergen Christ - -Origin: upstream, https://github.com/opencryptoki/openssl-ibmca/commit/688273ec77530a44d43ad5133155e646a945bc88 -Bug-Ubuntu: https://bugs.launchpad.net/bugs/1959763 -Last-Update: 2022-08-11 - ---- - test/engine/test.pm | 26 ++++++++++++++------------ - test/provider/tls.pl | 13 +++++++------ - 2 files changed, 21 insertions(+), 18 deletions(-) - -diff --git a/test/engine/test.pm b/test/engine/test.pm -index 8e4b8ab..3a313e1 100644 ---- a/test/engine/test.pm -+++ b/test/engine/test.pm -@@ -3,6 +3,8 @@ - use strict; - use warnings; - -+use FindBin; -+ - package test; - - sub osslversion1 { -@@ -69,16 +71,16 @@ sub rsaencdec { - my $bytes = 1 + int(rand($max_file_size)); - # engine enc, no-engine dec - `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; -- `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -- `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; -+ `$eng openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -+ `openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; - `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; - - # no-engine enc, engine dec - `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; -- `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -- `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; -+ `openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; -+ `$eng openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; - `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; - exit(99) if ($?); - `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; -@@ -100,16 +102,16 @@ sub rsasignverify { - $key .= $hex[rand(@hex)] for (1..$keylen); - # engine sign, no-engine verify - `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; -- `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -- `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; -+ `$eng openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -+ `openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; - `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; - exit(99) if ($?); - `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; - - # no-engine sign, engine verify - `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; -- `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -- `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; -+ `openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; -+ `$eng openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; - `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; - exit(99) if ($?); - `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; -@@ -131,15 +133,15 @@ sub dsasignverify { - my $bytes = 1 + int(rand($max_file_size)); - # engine sign, no-engine verify - `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; -- `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -- `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `$eng openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; - exit(99) if ($?); - `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; - - # no-engine sign, engine verify - `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; -- `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -- `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; -+ `$eng openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; - exit(99) if ($?); - `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; - } -diff --git a/test/provider/tls.pl b/test/provider/tls.pl -index c8871d4..0d9df6d 100755 ---- a/test/provider/tls.pl -+++ b/test/provider/tls.pl -@@ -19,17 +19,18 @@ - use strict; - use warnings; - use test; -+use FindBin; - - # TLS 1.3 with RSA signatures --test::tls(10001, "server-key-rsa.pem", "server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); -+test::tls(10001, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); - # TLS 1.3 with EC signatures --test::tls(10002, "server-key-ec.pem", "server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); -+test::tls(10002, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); - # TLS 1.2 with RSA signatures and ECDH key exchange --test::tls(10003, "server-key-rsa.pem", "server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10003, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - # TLS 1.2 with ECDSA signatures and ECDH key exchange --test::tls(10004, "server-key-ec.pem", "server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10004, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - # TLS 1.2 with RSA signatures and DH key exchange --test::tls(10005, "server-key-rsa.pem", "server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10005, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - # TLS 1.2 with RSA signatures and RSA key exchange --test::tls(10006, "server-key-rsa.pem", "server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); -+test::tls(10006, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); - --- -2.25.1 - diff -Nru openssl-ibmca-2.3.0/debian/patches/lp-1959763-tests-skip-tests-if-libica-does-not-support.patch openssl-ibmca-2.3.1/debian/patches/lp-1959763-tests-skip-tests-if-libica-does-not-support.patch --- openssl-ibmca-2.3.0/debian/patches/lp-1959763-tests-skip-tests-if-libica-does-not-support.patch 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/patches/lp-1959763-tests-skip-tests-if-libica-does-not-support.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,308 +0,0 @@ -From 49be3a5c9c1258e0dc15bbc50d5aa04a0ba4ba66 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 18 May 2022 15:41:12 +0200 -Subject: [PATCH] tests: skip tests if libica does not support required - algorithms - -Before actually running the tests, check if libica supports the -required algorithms. Skip the whole test if not. - -This can happen when running the test on a system without appropriate -crypto adapters. This would lead to the situation that the provider would -not register itself for the required algorithms, and thus the OpenSSL -default provider would be used. This would make the tests to fail, because -it is not running with the IBMCA provider as expected by the test. - -Signed-off-by: Ingo Franzki - -Origin: upstream, https://github.com/opencryptoki/openssl-ibmca/commit/49be3a5c9c1258e0dc15bbc50d5aa04a0ba4ba66 -Bug-Ubuntu: https://bugs.launchpad.net/bugs/1959763 -Last-Update: 2022-08-11 - ---- - test/provider/Makefile.am | 18 ++++++++++--- - test/provider/dhkey.c | 56 ++++++++++++++++++++++++++++++++++++++ - test/provider/eckey.c | 57 +++++++++++++++++++++++++++++++++++++++ - test/provider/rsakey.c | 56 ++++++++++++++++++++++++++++++++++++++ - 4 files changed, 184 insertions(+), 3 deletions(-) - -diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am -index f5cb97d..b007682 100644 ---- a/test/provider/Makefile.am -+++ b/test/provider/Makefile.am -@@ -20,13 +20,25 @@ TESTS = \ - check_PROGRAMS = rsakey eckey dhkey threadtest - - dhkey_SOURCES = dhkey.c --dhkey_LDADD = -lcrypto -+if PROVIDER_FULL_LIBICA -+dhkey_LDADD = -lcrypto -lica -+else -+dhkey_LDADD = -lcrypto -lica-cex -+endif - - eckey_SOURCES = eckey.c --eckey_LDADD = -lcrypto -+if PROVIDER_FULL_LIBICA -+eckey_LDADD = -lcrypto -lica -+else -+eckey_LDADD = -lcrypto -lica-cex -+endif - - rsakey_SOURCES = rsakey.c --rsakey_LDADD = -lcrypto -+if PROVIDER_FULL_LIBICA -+rsakey_LDADD = -lcrypto -lica -+else -+rsakey_LDADD = -lcrypto -lica-cex -+endif - - threadtest_SOURCES = threadtest.c - threadtest_LDADD = -lcrypto -lpthread -diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c -index a9cea13..8829ecc 100644 ---- a/test/provider/dhkey.c -+++ b/test/provider/dhkey.c -@@ -27,6 +27,8 @@ - #include - #include - -+#include -+ - #define UNUSED(var) ((void)(var)) - - void setup(void) -@@ -349,6 +351,56 @@ int check_dhkey(int nid, const char *name, const char *algo) - return ret; - } - -+static const unsigned int required_ica_mechs[] = { RSA_ME }; -+static const unsigned int required_ica_mechs_len = -+ sizeof(required_ica_mechs) / sizeof(unsigned int); -+ -+int check_libica() -+{ -+ unsigned int mech_len, i, k, found = 0; -+ libica_func_list_element *mech_list = NULL; -+ int rc; -+ -+ rc = ica_get_functionlist(NULL, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ return 77; -+ } -+ -+ mech_list = calloc(sizeof(libica_func_list_element), mech_len); -+ if (mech_list == NULL) { -+ fprintf(stderr, "Failed to allocate memory for function list!\n"); -+ return 77; -+ } -+ -+ rc = ica_get_functionlist(mech_list, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ free(mech_list); -+ return 77; -+ } -+ -+ for (i = 0; i < mech_len; i++) { -+ for (k = 0; k < required_ica_mechs_len; k++) { -+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { -+ if (mech_list[i].flags & -+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) -+ found++; -+ } -+ } -+ } -+ -+ free(mech_list); -+ -+ if (found < required_ica_mechs_len) { -+ fprintf(stderr, -+ "Libica does not support the required algorithms, skipping.\n"); -+ return 77; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - static const struct testparams { -@@ -389,6 +441,10 @@ int main(int argc, char **argv) - return 77; - } - -+ ret = check_libica(); -+ if (ret != 0) -+ return ret; -+ - setup(); - for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { - if (!check_dhkey(params[i].nid, params[i].name, "DH")) { -diff --git a/test/provider/eckey.c b/test/provider/eckey.c -index 279b942..b2334d7 100644 ---- a/test/provider/eckey.c -+++ b/test/provider/eckey.c -@@ -27,6 +27,8 @@ - #include - #include - -+#include -+ - #define UNUSED(var) ((void)(var)) - - void setup(void) -@@ -781,6 +783,57 @@ int check_eckey(int nid, const char *name) - return ret; - } - -+static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN, -+ EC_DSA_VERIFY, EC_KGEN, }; -+static const unsigned int required_ica_mechs_len = -+ sizeof(required_ica_mechs) / sizeof(unsigned int); -+ -+int check_libica() -+{ -+ unsigned int mech_len, i, k, found = 0; -+ libica_func_list_element *mech_list = NULL; -+ int rc; -+ -+ rc = ica_get_functionlist(NULL, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ return 77; -+ } -+ -+ mech_list = calloc(sizeof(libica_func_list_element), mech_len); -+ if (mech_list == NULL) { -+ fprintf(stderr, "Failed to allocate memory for function list!\n"); -+ return 77; -+ } -+ -+ rc = ica_get_functionlist(mech_list, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ free(mech_list); -+ return 77; -+ } -+ -+ for (i = 0; i < mech_len; i++) { -+ for (k = 0; k < required_ica_mechs_len; k++) { -+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { -+ if (mech_list[i].flags & -+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) -+ found++; -+ } -+ } -+ } -+ -+ free(mech_list); -+ -+ if (found < required_ica_mechs_len) { -+ fprintf(stderr, -+ "Libica does not support the required algorithms, skipping.\n"); -+ return 77; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - static const struct testparams { -@@ -822,6 +875,10 @@ int main(int argc, char **argv) - return 77; - } - -+ ret = check_libica(); -+ if (ret != 0) -+ return ret; -+ - setup(); - for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { - if (!check_eckey(params[i].nid, params[i].name)) { -diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c -index 0adface..366b503 100644 ---- a/test/provider/rsakey.c -+++ b/test/provider/rsakey.c -@@ -26,6 +26,8 @@ - #include - #include - -+#include -+ - #define UNUSED(var) ((void)(var)) - - void setup(void) -@@ -729,6 +731,56 @@ int check_rsakey(int bits, const char *algo, const char *name) - return ret; - } - -+static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT }; -+static const unsigned int required_ica_mechs_len = -+ sizeof(required_ica_mechs) / sizeof(unsigned int); -+ -+int check_libica() -+{ -+ unsigned int mech_len, i, k, found = 0; -+ libica_func_list_element *mech_list = NULL; -+ int rc; -+ -+ rc = ica_get_functionlist(NULL, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ return 77; -+ } -+ -+ mech_list = calloc(sizeof(libica_func_list_element), mech_len); -+ if (mech_list == NULL) { -+ fprintf(stderr, "Failed to allocate memory for function list!\n"); -+ return 77; -+ } -+ -+ rc = ica_get_functionlist(mech_list, &mech_len); -+ if (rc != 0) { -+ fprintf(stderr, "Failed to get function list from libica!\n"); -+ free(mech_list); -+ return 77; -+ } -+ -+ for (i = 0; i < mech_len; i++) { -+ for (k = 0; k < required_ica_mechs_len; k++) { -+ if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { -+ if (mech_list[i].flags & -+ (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) -+ found++; -+ } -+ } -+ } -+ -+ free(mech_list); -+ -+ if (found < required_ica_mechs_len) { -+ fprintf(stderr, -+ "Libica does not support the required algorithms, skipping.\n"); -+ return 77; -+ } -+ -+ return 0; -+} -+ - int main(int argc, char **argv) - { - static const struct testparams { -@@ -767,6 +819,10 @@ int main(int argc, char **argv) - return 77; - } - -+ ret = check_libica(); -+ if (ret != 0) -+ return ret; -+ - setup(); - for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { - if (!check_rsakey(params[i].bits, params[i].algo, params[i].name)) { --- -2.25.1 - diff -Nru openssl-ibmca-2.3.0/debian/patches/series openssl-ibmca-2.3.1/debian/patches/series --- openssl-ibmca-2.3.0/debian/patches/series 2022-08-05 16:37:13.000000000 +0200 +++ openssl-ibmca-2.3.1/debian/patches/series 2023-02-01 17:22:13.000000000 +0100 @@ -1,7 +1,2 @@ openssl-config.patch testconf-openssl3.patch -lp-1959763-Adjust-to-new-libica.patch -lp-1959763-Support-tests-in-remote-builds.patch -lp-1959763-provider-Adapt-keymgmt_match-implementations.patch -lp-1959763-tests-skip-tests-if-libica-does-not-support.patch -lp-1959763-Provider-Fix-parallel-test-runs.patch diff -Nru openssl-ibmca-2.3.0/openssl-ibmca-provider.spec openssl-ibmca-2.3.1/openssl-ibmca-provider.spec --- openssl-ibmca-2.3.0/openssl-ibmca-provider.spec 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/openssl-ibmca-provider.spec 2022-09-30 13:59:11.000000000 +0200 @@ -5,7 +5,7 @@ # %global modulesdir %(pkg-config --variable=modulesdir libcrypto) Name: openssl-ibmca -Version: 2.2.3 +Version: 2.3.1 Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic provider @@ -45,6 +45,13 @@ %dir %attr(777,root,root) %{_localstatedir}/log/ibmca %changelog +* Fri Sep 30 2022 Juergen Christ 2.3.1 +- Adjust to libica 4.1.0 + +* Fri Mar 25 2022 Juergen Christ 2.3.0 +- First version including the provider +- Fix for engine build without OpenSSL 3.0 sources + * Wed March 3 2022 Ingo Franzki - Add provider support diff -Nru openssl-ibmca-2.3.0/openssl-ibmca.spec openssl-ibmca-2.3.1/openssl-ibmca.spec --- openssl-ibmca-2.3.0/openssl-ibmca.spec 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/openssl-ibmca.spec 2022-09-30 13:59:11.000000000 +0200 @@ -1,7 +1,7 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) Name: openssl-ibmca -Version: 2.3.0 +Version: 2.3.1 Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine @@ -44,6 +44,9 @@ %{_mandir}/man5/ibmca.5* %changelog +* Fri Sep 30 2022 Juergen Christ 2.3.1 +- Adjust to libica 4.1.0 + * Fri Mar 25 2022 Juergen Christ 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources diff -Nru openssl-ibmca-2.3.0/src/engine/e_ibmca.c openssl-ibmca-2.3.1/src/engine/e_ibmca.c --- openssl-ibmca-2.3.0/src/engine/e_ibmca.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/engine/e_ibmca.c 2022-09-30 13:59:11.000000000 +0200 @@ -102,6 +102,7 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; ica_aes_gcm_last_t p_ica_aes_gcm_last; #endif +ica_cleanup_t p_ica_cleanup; /* save libcrypto's default ec methods */ #ifndef NO_EC @@ -296,11 +297,13 @@ #ifndef OPENSSL_NO_EC static int set_EC_prop(ENGINE *e) { + int (*keygen_sw)(EC_KEY *key) = NULL; + if (ibmca_registration.ec_enabled) { return 1; } - #ifdef OLDER_OPENSSL +# ifdef OLDER_OPENSSL ossl_ecdh = ECDH_get_default_method(); ossl_ecdsa = ECDSA_get_default_method(); @@ -310,25 +313,34 @@ ECDSA_METHOD_set_name(ibmca_ecdsa, "Ibmca ECDSA method"); ECDSA_METHOD_set_sign(ibmca_ecdsa, ibmca_older_ecdsa_do_sign); ECDSA_METHOD_set_verify(ibmca_ecdsa, ibmca_older_ecdsa_do_verify); - #ifdef ECDSA_FLAG_FIPS_METHOD +# ifdef ECDSA_FLAG_FIPS_METHOD ECDSA_METHOD_set_flags(ibmca_ecdsa, ECDSA_FLAG_FIPS_METHOD); - #endif +# endif ECDH_METHOD_set_name(ibmca_ecdh, "Ibmca ECDH method"); ECDH_METHOD_set_compute_key(ibmca_ecdh, ibmca_older_ecdh_compute_key); - #ifdef ECDH_FLAG_FIPS_METHOD +# ifdef ECDH_FLAG_FIPS_METHOD ECDH_METHOD_set_flags(ibmca_ecdh, ECDH_FLAG_FIPS_METHOD); - #endif +# endif if (!ENGINE_set_ECDH(e, ibmca_ecdh)) return 0; if (!ENGINE_set_ECDSA(e, ibmca_ecdsa)) return 0; - #else +# else ossl_ec = EC_KEY_get_default_method(); + /* + * EC_KEY_METHOD_get_keygen misses the const-qualifier of the + * parameter in some openssl versions. + */ + EC_KEY_METHOD_get_keygen((EC_KEY_METHOD *)ossl_ec, &keygen_sw); + if (keygen_sw == NULL) { + IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); + return 0; + } ibmca_ec = EC_KEY_METHOD_new(ibmca_ec); - EC_KEY_METHOD_set_keygen(ibmca_ec, ibmca_ec_key_gen); + EC_KEY_METHOD_set_keygen(ibmca_ec, keygen_sw); EC_KEY_METHOD_set_compute_key(ibmca_ec, ibmca_ecdh_compute_key); EC_KEY_METHOD_set_sign(ibmca_ec, ibmca_ecdsa_sign, ECDSA_sign_setup, ibmca_ecdsa_sign_sig); @@ -337,7 +349,7 @@ if (!ENGINE_set_EC(e, ibmca_ec)) return 0; - #endif +# endif ibmca_registration.ec_enabled = 1; @@ -652,8 +664,10 @@ free((void *)LIBICA_NAME); } -static void ica_cleanup(void) +static void do_ica_cleanup(void) { + if (p_ica_cleanup) + p_ica_cleanup(); if (ibmca_dso && dlclose(ibmca_dso)) { IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE); return; @@ -725,6 +739,7 @@ p_ica_x448_ctx_del = NULL; p_ica_ed25519_ctx_del = NULL; p_ica_ed448_ctx_del = NULL; + p_ica_cleanup = NULL; } static int ibmca_init(ENGINE *e) @@ -806,6 +821,9 @@ BIND(ibmca_dso, ica_ed25519_ctx_del); BIND(ibmca_dso, ica_ed448_ctx_del); + /* ica_cleanup is not always present and only needed for newer libraries */ + p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup"); + /* disable fallbacks on Libica */ if (BIND(ibmca_dso, ica_set_fallback_mode)) p_ica_set_fallback_mode(0); @@ -821,7 +839,7 @@ return 1; err: - ica_cleanup(); + do_ica_cleanup(); return 0; } @@ -884,7 +902,7 @@ if (p_ica_close_adapter) p_ica_close_adapter(ibmca_handle); - ica_cleanup(); + do_ica_cleanup(); memset(&ibmca_registration, 0, sizeof(ibmca_registration)); return 1; } diff -Nru openssl-ibmca-2.3.0/src/engine/ibmca_ec.c openssl-ibmca-2.3.1/src/engine/ibmca_ec.c --- openssl-ibmca-2.3.0/src/engine/ibmca_ec.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/engine/ibmca_ec.c 2022-09-30 13:59:11.000000000 +0200 @@ -722,130 +722,6 @@ EC_KEY_METHOD *ibmca_ec = NULL; /** - * EC key generation method, replaces ossl_ec_key_gen. - * - * @return 1 success - * 0 error - */ -int ibmca_ec_key_gen(EC_KEY *eckey) -{ - ICA_EC_KEY *icakey = NULL; - EC_POINT *pubkey = NULL; - const EC_GROUP *group; - BIGNUM *privkey = NULL, *bn_x = NULL, *bn_y = NULL; - unsigned int privlen; - int nid, rc, ret = 0; - unsigned int q_len, d_len; - unsigned char q[IBMCA_EC_MAX_Q_LEN]; - unsigned char d[IBMCA_EC_MAX_D_LEN]; - int (*keygen_sw)(EC_KEY *key) = NULL; - - /* Check group */ - if ((group = EC_KEY_get0_group(eckey)) == NULL) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INVALID_PARM); - return 0; - } - - /* Determine curve nid */ - nid = EC_GROUP_get_curve_name(group); - if (nid <= 0) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); - return 0; - } - - /* Create ICA_EC_KEY object */ - icakey = p_ica_ec_key_new(nid, &privlen); - if (icakey == NULL) { - /* This curve is not supported by libica */ - - /* - * EC_KEY_METHOD_get_keygen misses the const-qualifier of the - * parameter in some openssl versions. - */ - EC_KEY_METHOD_get_keygen((EC_KEY_METHOD *)ossl_ec, &keygen_sw); - if (keygen_sw == NULL) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); - return 0; - } - - return keygen_sw(eckey); - } - - /* Generate key */ - rc = p_ica_ec_key_generate(ibmca_handle, icakey); - if (rc != 0) { - /* Possibly disabled adapter. */ - - /* - * EC_KEY_METHOD_get_keygen misses the const-qualifier of the - * parameter in some openssl versions. - */ - EC_KEY_METHOD_get_keygen((EC_KEY_METHOD *)ossl_ec, &keygen_sw); - if (keygen_sw == NULL) { - IBMCAerr(IBMCA_F_ICA_EC_KEY_GENERATE, rc); - goto end; - } - - ret = keygen_sw(eckey); - goto end; - } - - /* Get public key data from ICA_EC_KEY */ - rc = p_ica_ec_key_get_public_key(icakey, (unsigned char*)&q, &q_len); - if (rc != 0) { - IBMCAerr(IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY, rc); - goto end; - } - - /* Make EC_POINT */ - pubkey = EC_POINT_new(group); - if (!pubkey) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); - goto end; - } - - /* Add public key data to EC_POINT */ - bn_x = BN_bin2bn((const unsigned char*)&q, q_len / 2, NULL); - bn_y = BN_bin2bn((const unsigned char*)&(q[q_len / 2]), q_len / 2, NULL); - if (!EC_POINT_set_affine_coordinates_GFp(group, pubkey, bn_x, bn_y, - NULL)) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); - goto end; - } - - /* Add EC_POINT to EC_KEY */ - if (!EC_KEY_set_public_key(eckey, pubkey)) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); - goto end; - } - - /* Get private key data from ICA_EC_KEY */ - rc = p_ica_ec_key_get_private_key(icakey, (unsigned char*)&d, &d_len); - if (rc != 0) { - IBMCAerr(IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY, rc); - goto end; - } - - /* Add private key data to EC_KEY */ - privkey = BN_bin2bn((unsigned char*)&d, d_len, NULL); - if (!EC_KEY_set_private_key(eckey, privkey)) { - IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); - goto end; - } - - ret = 1; - -end: - p_ica_ec_key_free(icakey); - EC_POINT_free(pubkey); - BN_clear_free(privkey); - BN_clear_free(bn_x); - BN_clear_free(bn_y); - - return ret; -} - -/** * ECDSA signing method (replaces ossl_ecdsa_sign). * * returns 1 if success diff -Nru openssl-ibmca-2.3.0/src/engine/ibmca.h openssl-ibmca-2.3.1/src/engine/ibmca.h --- openssl-ibmca-2.3.0/src/engine/ibmca.h 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/engine/ibmca.h 2022-09-30 13:59:11.000000000 +0200 @@ -366,7 +366,6 @@ extern EC_KEY_METHOD *ibmca_ec; extern const EC_KEY_METHOD *ossl_ec; -int ibmca_ec_key_gen(EC_KEY *eckey); int ibmca_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig_array, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey); @@ -616,6 +615,8 @@ typedef int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx); +typedef void (*ica_cleanup_t)(void); + /* entry points into libica, filled out at DSO load time */ extern ica_get_functionlist_t p_ica_get_functionlist; extern ica_set_fallback_mode_t p_ica_set_fallback_mode; @@ -681,3 +682,4 @@ extern ica_x448_ctx_del_t p_ica_x448_ctx_del; extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del; extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del; +extern ica_cleanup_t p_ica_cleanup; diff -Nru openssl-ibmca-2.3.0/src/engine/Makefile.am openssl-ibmca-2.3.1/src/engine/Makefile.am --- openssl-ibmca-2.3.0/src/engine/Makefile.am 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/engine/Makefile.am 2022-09-30 13:59:11.000000000 +0200 @@ -1,4 +1,4 @@ -VERSION = 2:3:0 +VERSION = 2:3:1 lib_LTLIBRARIES=ibmca.la diff -Nru openssl-ibmca-2.3.0/src/provider/dh_keymgmt.c openssl-ibmca-2.3.1/src/provider/dh_keymgmt.c --- openssl-ibmca-2.3.0/src/provider/dh_keymgmt.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/provider/dh_keymgmt.c 2022-09-30 13:59:11.000000000 +0200 @@ -1000,7 +1000,7 @@ } } - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { if (key1->dh.priv != NULL || key2->dh.priv != NULL) { ok = ok && (BN_cmp(key1->dh.priv, key2->dh.priv) == 0); checked = 1; diff -Nru openssl-ibmca-2.3.0/src/provider/ec_keymgmt.c openssl-ibmca-2.3.1/src/provider/ec_keymgmt.c --- openssl-ibmca-2.3.0/src/provider/ec_keymgmt.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/provider/ec_keymgmt.c 2022-09-30 13:59:11.000000000 +0200 @@ -751,7 +751,7 @@ const struct ibmca_key *key2 = vkey2; BIGNUM *x1 = NULL, *y1 = NULL, *d1 = NULL; BIGNUM *x2 = NULL, *y2 = NULL, *d2 = NULL; - int ok = 1, rc1, rc2; + int ok = 1, rc1, rc2, checked = 0; if (key1 == NULL || key2 == NULL) return 0; @@ -781,9 +781,10 @@ ok = ok && (rc1 == rc2 && (rc1 == -1 || (BN_cmp(x1, x2) == 0 && BN_cmp(y1, y2) == 0))); + checked = 1; } - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { rc1 = ibmca_keymgmt_ec_priv_key_as_bn(key1, &d1); if (rc1 == 0) { ok = 0; diff -Nru openssl-ibmca-2.3.0/src/provider/Makefile.am openssl-ibmca-2.3.1/src/provider/Makefile.am --- openssl-ibmca-2.3.0/src/provider/Makefile.am 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/provider/Makefile.am 2022-09-30 13:59:11.000000000 +0200 @@ -1,5 +1,5 @@ -VERSION = 2:3:0 -VERSION_STR = 2.3.0 +VERSION = 2:3:1 +VERSION_STR = 2.3.1 lib_LTLIBRARIES=ibmca-provider.la diff -Nru openssl-ibmca-2.3.0/src/provider/p_ibmca.c openssl-ibmca-2.3.1/src/provider/p_ibmca.c --- openssl-ibmca-2.3.0/src/provider/p_ibmca.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/provider/p_ibmca.c 2022-09-30 13:59:11.000000000 +0200 @@ -633,6 +633,9 @@ pthread_mutex_destroy(&provctx->debug_mutex); P_FREE(provctx, provctx); +#if HAVE_DECL_ICA_CLEANUP == 1 + ica_cleanup(); +#endif } static const OSSL_PARAM ibmca_param_types[] = { diff -Nru openssl-ibmca-2.3.0/src/provider/rsa_keymgmt.c openssl-ibmca-2.3.1/src/provider/rsa_keymgmt.c --- openssl-ibmca-2.3.0/src/provider/rsa_keymgmt.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/src/provider/rsa_keymgmt.c 2022-09-30 13:59:11.000000000 +0200 @@ -641,7 +641,7 @@ { const struct ibmca_key *key1 = vkey1; const struct ibmca_key *key2 = vkey2; - int ok = 1; + int ok = 1, checked = 0; if (key1 == NULL || key2 == NULL) return 0; @@ -652,7 +652,7 @@ if (ibmca_keymgmt_match(key1, key2) == 0) return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { ok = ok && (key1->rsa.public.key_length == key2->rsa.public.key_length && memcmp(key1->rsa.public.exponent, @@ -661,8 +661,10 @@ memcmp(key1->rsa.public.modulus, key2->rsa.public.modulus, key1->rsa.public.key_length) == 0); + checked = 1; + } - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + if (!checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && (key1->rsa.private.key_length == key2->rsa.private.key_length && CRYPTO_memcmp(key1->rsa.private.p, diff -Nru openssl-ibmca-2.3.0/test/engine/eckey.c openssl-ibmca-2.3.1/test/engine/eckey.c --- openssl-ibmca-2.3.0/test/engine/eckey.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/engine/eckey.c 2022-09-30 13:59:11.000000000 +0200 @@ -29,9 +29,9 @@ #endif } -int check_eckey(int nid, const char *name) +int check_eckey(int nid, const char *name, int error) { - int ret = 0; + int ret = !error; ECDSA_SIG *sig = NULL; EC_KEY *eckey = NULL; unsigned char digest[20]; @@ -66,8 +66,11 @@ } sig = ECDSA_do_sign(digest, sizeof(digest), eckey); if (sig == NULL) { - /* error */ - fprintf(stderr, "Failed to sign with %s\n", name); + if (error) + fprintf(stderr, "Failed to sign with %s\n", name); + else + fprintf(stderr, "Assuming %s is not supported and skipping test\n", + name); goto out; } ret = ECDSA_do_verify(digest, sizeof(digest), sig, eckey); @@ -98,19 +101,20 @@ static const struct testparams { int nid; const char *name; + int error; } params[] = { - {NID_X9_62_prime192v1, "NID_X9_62_prime192v1"}, - {NID_secp224r1, "NID_secp224r1"}, - {NID_X9_62_prime256v1, "NID_X9_62_prime256v1"}, - {NID_secp384r1, "NID_secp384r1"}, - {NID_secp521r1, "NID_secp521r1"}, - {NID_brainpoolP160r1, "NID_brainpoolP160r1"}, - {NID_brainpoolP192r1, "NID_brainpoolP192r1"}, - {NID_brainpoolP224r1, "NID_brainpoolP224r1"}, - {NID_brainpoolP256r1, "NID_brainpoolP256r1"}, - {NID_brainpoolP320r1, "NID_brainpoolP320r1"}, - {NID_brainpoolP384r1, "NID_brainpoolP384r1"}, - {NID_brainpoolP512r1, "NID_brainpoolP512r1"} + {NID_X9_62_prime192v1, "NID_X9_62_prime192v1", 0}, + {NID_secp224r1, "NID_secp224r1", 0}, + {NID_X9_62_prime256v1, "NID_X9_62_prime256v1", 1}, + {NID_secp384r1, "NID_secp384r1", 1}, + {NID_secp521r1, "NID_secp521r1", 1}, + {NID_brainpoolP160r1, "NID_brainpoolP160r1", 0}, + {NID_brainpoolP192r1, "NID_brainpoolP192r1", 0}, + {NID_brainpoolP224r1, "NID_brainpoolP224r1", 0}, + {NID_brainpoolP256r1, "NID_brainpoolP256r1", 0}, + {NID_brainpoolP320r1, "NID_brainpoolP320r1", 0}, + {NID_brainpoolP384r1, "NID_brainpoolP384r1", 0}, + {NID_brainpoolP512r1, "NID_brainpoolP512r1", 0} }; int ret = 0, i; @@ -127,7 +131,7 @@ setup(); for (i = 0; i < sizeof(params) / sizeof(struct testparams); ++i) { - if (!check_eckey(params[i].nid, params[i].name)) { + if (!check_eckey(params[i].nid, params[i].name, params[i].error)) { fprintf(stderr, "Failure for %s\n", params[i].name); ret = 99; } diff -Nru openssl-ibmca-2.3.0/test/engine/test.pm openssl-ibmca-2.3.1/test/engine/test.pm --- openssl-ibmca-2.3.0/test/engine/test.pm 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/engine/test.pm 2022-09-30 13:59:11.000000000 +0200 @@ -3,6 +3,8 @@ use strict; use warnings; +use FindBin; + package test; sub osslversion1 { @@ -69,16 +71,16 @@ my $bytes = 1 + int(rand($max_file_size)); # engine enc, no-engine dec `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; - `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; - `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; + `$eng openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; + `openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; # no-engine enc, engine dec `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; - `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; - `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; + `openssl rsautl -encrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; + `$eng openssl rsautl -decrypt -inkey $FindBin::Bin/rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; @@ -100,16 +102,16 @@ $key .= $hex[rand(@hex)] for (1..$keylen); # engine sign, no-engine verify `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; - `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; - `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; + `$eng openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; + `openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; exit(99) if ($?); `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; # no-engine sign, engine verify `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; - `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; - `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; + `openssl rsautl -sign -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; + `$eng openssl rsautl -verify -inkey $FindBin::Bin/rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; exit(99) if ($?); `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; @@ -131,15 +133,15 @@ my $bytes = 1 + int(rand($max_file_size)); # engine sign, no-engine verify `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; - `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; - `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; + `$eng openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; + `openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; exit(99) if ($?); `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; # no-engine sign, engine verify `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; - `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; - `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; + `openssl dgst -sign $FindBin::Bin/dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; + `$eng openssl dgst -verify $FindBin::Bin/dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; exit(99) if ($?); `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; } diff -Nru openssl-ibmca-2.3.0/test/provider/dhkey.c openssl-ibmca-2.3.1/test/provider/dhkey.c --- openssl-ibmca-2.3.0/test/provider/dhkey.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/provider/dhkey.c 2022-09-30 13:59:11.000000000 +0200 @@ -27,6 +27,8 @@ #include #include +#include + #define UNUSED(var) ((void)(var)) void setup(void) @@ -349,6 +351,56 @@ return ret; } +static const unsigned int required_ica_mechs[] = { RSA_ME }; +static const unsigned int required_ica_mechs_len = + sizeof(required_ica_mechs) / sizeof(unsigned int); + +int check_libica() +{ + unsigned int mech_len, i, k, found = 0; + libica_func_list_element *mech_list = NULL; + int rc; + + rc = ica_get_functionlist(NULL, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + return 77; + } + + mech_list = calloc(sizeof(libica_func_list_element), mech_len); + if (mech_list == NULL) { + fprintf(stderr, "Failed to allocate memory for function list!\n"); + return 77; + } + + rc = ica_get_functionlist(mech_list, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + free(mech_list); + return 77; + } + + for (i = 0; i < mech_len; i++) { + for (k = 0; k < required_ica_mechs_len; k++) { + if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { + if (mech_list[i].flags & + (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) + found++; + } + } + } + + free(mech_list); + + if (found < required_ica_mechs_len) { + fprintf(stderr, + "Libica does not support the required algorithms, skipping.\n"); + return 77; + } + + return 0; +} + int main(int argc, char **argv) { static const struct testparams { @@ -389,6 +441,10 @@ return 77; } + ret = check_libica(); + if (ret != 0) + return ret; + setup(); for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { if (!check_dhkey(params[i].nid, params[i].name, "DH")) { diff -Nru openssl-ibmca-2.3.0/test/provider/eckey.c openssl-ibmca-2.3.1/test/provider/eckey.c --- openssl-ibmca-2.3.0/test/provider/eckey.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/provider/eckey.c 2022-09-30 13:59:11.000000000 +0200 @@ -27,6 +27,8 @@ #include #include +#include + #define UNUSED(var) ((void)(var)) void setup(void) @@ -781,6 +783,57 @@ return ret; } +static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN, + EC_DSA_VERIFY, EC_KGEN, }; +static const unsigned int required_ica_mechs_len = + sizeof(required_ica_mechs) / sizeof(unsigned int); + +int check_libica() +{ + unsigned int mech_len, i, k, found = 0; + libica_func_list_element *mech_list = NULL; + int rc; + + rc = ica_get_functionlist(NULL, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + return 77; + } + + mech_list = calloc(sizeof(libica_func_list_element), mech_len); + if (mech_list == NULL) { + fprintf(stderr, "Failed to allocate memory for function list!\n"); + return 77; + } + + rc = ica_get_functionlist(mech_list, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + free(mech_list); + return 77; + } + + for (i = 0; i < mech_len; i++) { + for (k = 0; k < required_ica_mechs_len; k++) { + if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { + if (mech_list[i].flags & + (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) + found++; + } + } + } + + free(mech_list); + + if (found < required_ica_mechs_len) { + fprintf(stderr, + "Libica does not support the required algorithms, skipping.\n"); + return 77; + } + + return 0; +} + int main(int argc, char **argv) { static const struct testparams { @@ -822,6 +875,10 @@ return 77; } + ret = check_libica(); + if (ret != 0) + return ret; + setup(); for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { if (!check_eckey(params[i].nid, params[i].name)) { diff -Nru openssl-ibmca-2.3.0/test/provider/Makefile.am openssl-ibmca-2.3.1/test/provider/Makefile.am --- openssl-ibmca-2.3.0/test/provider/Makefile.am 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/provider/Makefile.am 2022-09-30 13:59:11.000000000 +0200 @@ -20,13 +20,25 @@ check_PROGRAMS = rsakey eckey dhkey threadtest dhkey_SOURCES = dhkey.c -dhkey_LDADD = -lcrypto +if PROVIDER_FULL_LIBICA +dhkey_LDADD = -lcrypto -lica +else +dhkey_LDADD = -lcrypto -lica-cex +endif eckey_SOURCES = eckey.c -eckey_LDADD = -lcrypto +if PROVIDER_FULL_LIBICA +eckey_LDADD = -lcrypto -lica +else +eckey_LDADD = -lcrypto -lica-cex +endif rsakey_SOURCES = rsakey.c -rsakey_LDADD = -lcrypto +if PROVIDER_FULL_LIBICA +rsakey_LDADD = -lcrypto -lica +else +rsakey_LDADD = -lcrypto -lica-cex +endif threadtest_SOURCES = threadtest.c threadtest_LDADD = -lcrypto -lpthread diff -Nru openssl-ibmca-2.3.0/test/provider/rsakey.c openssl-ibmca-2.3.1/test/provider/rsakey.c --- openssl-ibmca-2.3.0/test/provider/rsakey.c 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/provider/rsakey.c 2022-09-30 13:59:11.000000000 +0200 @@ -26,6 +26,8 @@ #include #include +#include + #define UNUSED(var) ((void)(var)) void setup(void) @@ -729,6 +731,56 @@ return ret; } +static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT }; +static const unsigned int required_ica_mechs_len = + sizeof(required_ica_mechs) / sizeof(unsigned int); + +int check_libica() +{ + unsigned int mech_len, i, k, found = 0; + libica_func_list_element *mech_list = NULL; + int rc; + + rc = ica_get_functionlist(NULL, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + return 77; + } + + mech_list = calloc(sizeof(libica_func_list_element), mech_len); + if (mech_list == NULL) { + fprintf(stderr, "Failed to allocate memory for function list!\n"); + return 77; + } + + rc = ica_get_functionlist(mech_list, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + free(mech_list); + return 77; + } + + for (i = 0; i < mech_len; i++) { + for (k = 0; k < required_ica_mechs_len; k++) { + if (mech_list[i].mech_mode_id == required_ica_mechs[k]) { + if (mech_list[i].flags & + (ICA_FLAG_SW | ICA_FLAG_SHW | ICA_FLAG_DHW)) + found++; + } + } + } + + free(mech_list); + + if (found < required_ica_mechs_len) { + fprintf(stderr, + "Libica does not support the required algorithms, skipping.\n"); + return 77; + } + + return 0; +} + int main(int argc, char **argv) { static const struct testparams { @@ -767,6 +819,10 @@ return 77; } + ret = check_libica(); + if (ret != 0) + return ret; + setup(); for (i = 0; i < (int)(sizeof(params) / sizeof(struct testparams)); ++i) { if (!check_rsakey(params[i].bits, params[i].algo, params[i].name)) { diff -Nru openssl-ibmca-2.3.0/test/provider/test.pm openssl-ibmca-2.3.1/test/provider/test.pm --- openssl-ibmca-2.3.0/test/provider/test.pm 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/provider/test.pm 2022-09-30 13:59:11.000000000 +0200 @@ -29,30 +29,30 @@ `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; - `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; + `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsaencdec$keylen.key`; + `$prov openssl rsa -in rsaencdec$keylen.key -check -pubout -out rsaencdec$keylen.pub`; exit(99) if ($?); for my $i (1..$tests) { my $bytes = 1 + int(rand($max_file_size)); # provider enc, no-provider dec `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; - `$prov openssl pkeyutl -encrypt -pubin -inkey rsa$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; - `openssl pkeyutl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; + `$prov openssl pkeyutl -encrypt -pubin -inkey rsaencdec$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; + `openssl pkeyutl -decrypt -inkey rsaencdec$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.out rsaencdec.${i}.${keylen}.data.dec`; # no-provider enc, provider dec `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; - `openssl pkeyutl -encrypt -pubin -inkey rsa$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; - `$prov openssl pkeyutl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; + `openssl pkeyutl -encrypt -pubin -inkey rsaencdec$keylen.pub -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; + `$prov openssl pkeyutl -decrypt -inkey rsaencdec$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.out rsaencdec.${i}.${keylen}.data.dec`; } - `rm -f rsa$keylen.key rsa$keylen.pub`; + `rm -f rsaencdec$keylen.key rsaencdec$keylen.pub`; } sub rsaoaepencdec { @@ -63,24 +63,24 @@ `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; - `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; + `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsaoaepencdec$keylen.key`; + `$prov openssl rsa -in rsaoaepencdec$keylen.key -check -pubout -out rsaoaepencdec$keylen.pub`; exit(99) if ($?); for my $i (1..$tests) { my $bytes = 1 + int(rand($max_file_size)); # provider enc, no-provider dec `openssl rand $bytes > rsaoaepencdec.${i}.${keylen}.data.in`; - `$prov openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsa$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; - `openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsa$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; + `$prov openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsaoaepencdec$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; + `openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsaoaepencdec$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; `cmp rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.out rsaoaepencdec.${i}.${keylen}.data.dec`; # no-provider enc, provider dec `openssl rand $bytes > rsaoaepencdec.${i}.${keylen}.data.in`; - `openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsa$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; - `$prov openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsa$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; + `openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -pubin -inkey rsaoaepencdec$keylen.pub -in rsaoaepencdec.${i}.${keylen}.data.in -out rsaoaepencdec.${i}.${keylen}.data.out`; + `$prov openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:$md -inkey rsaoaepencdec$keylen.key -in rsaoaepencdec.${i}.${keylen}.data.out -out rsaoaepencdec.${i}.${keylen}.data.dec`; `cmp rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaoaepencdec.${i}.${keylen}.data.in rsaoaepencdec.${i}.${keylen}.data.out rsaoaepencdec.${i}.${keylen}.data.dec`; @@ -97,30 +97,30 @@ `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; - `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; + `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsasignverify$keylen.key`; + `$prov openssl rsa -in rsasignverify$keylen.key -check -pubout -out rsasignverify$keylen.pub`; exit(99) if ($?); for my $i (1..$tests) { my $bytes = 1 + int(rand($input_size)); # provider sign, no-provider verify `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; - `$prov openssl pkeyutl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; - `openssl pkeyutl -verifyrecover -pubin -inkey rsa$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; + `$prov openssl pkeyutl -sign -inkey rsasignverify$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; + `openssl pkeyutl -verifyrecover -pubin -inkey rsasignverify$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; exit(99) if ($?); `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; # no-provider sign, provider verify `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; - `openssl pkeyutl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; - `$prov openssl pkeyutl -verifyrecover -pubin -inkey rsa$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; + `openssl pkeyutl -sign -inkey rsasignverify$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; + `$prov openssl pkeyutl -verifyrecover -pubin -inkey rsasignverify$keylen.pub -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; exit(99) if ($?); `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; } - `rm -f rsa$keylen.key rsa$keylen.pub`; + `rm -f rsasignverify$keylen.key rsasignverify$keylen.pub`; } sub rsapsssignverify { @@ -165,28 +165,28 @@ `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsa$keylen.key`; - `$prov openssl rsa -in rsa$keylen.key -check -pubout -out rsa$keylen.pub`; + `$prov openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$keylen -out rsax931$keylen.key`; + `$prov openssl rsa -in rsax931$keylen.key -check -pubout -out rsax931$keylen.pub`; exit(99) if ($?); for my $i (1..$tests) { my $bytes = 1 + int(rand($input_size)); # provider sign, no-provider verify `openssl rand $bytes > rsax931signverify.${i}.${keylen}.data.in`; - `$prov openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsa$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; - `openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsa$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; + `$prov openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsax931$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; + `openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsax931$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; exit(99) if ($?); `rm -f rsax931signverify.${i}.${keylen}.data.in rsax931signverify.${i}.${keylen}.data.out`; # no-provider sign, provider verify `openssl rand $bytes > rsax931signverify.${i}.${keylen}.data.in`; - `openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsa$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; - `$prov openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsa$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; + `openssl pkeyutl -sign -digest $md -pkeyopt rsa_padding_mode:x931 -inkey rsax931$keylen.key -rawin -in rsax931signverify.${i}.${keylen}.data.in -out rsax931signverify.${i}.${keylen}.data.out`; + `$prov openssl pkeyutl -verify -digest $md -pkeyopt rsa_padding_mode:x931 -pubin -inkey rsax931$keylen.pub -rawin -in rsax931signverify.${i}.${keylen}.data.in -sigfile rsax931signverify.${i}.${keylen}.data.out`; exit(99) if ($?); `rm -f rsax931signverify.${i}.${keylen}.data.in rsax931signverify.${i}.${keylen}.data.out`; } - `rm -f rsa$keylen.key rsa$keylen.pub`; + `rm -f rsax931$keylen.key rsax931$keylen.pub`; } sub ecsignverify { @@ -201,23 +201,23 @@ `openssl ecparam -list_curves | grep $curve`; return if ($?); - `$prov openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:$curve -out ec$curve.key`; - `$prov openssl ec -in ec$curve.key -check -pubout -out ec$curve.pub`; + `$prov openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:$curve -out ecsignverify$curve.key`; + `$prov openssl ec -in ecsignverify$curve.key -check -pubout -out ecsignverify$curve.pub`; exit(99) if ($?); for my $i (1..$tests) { my $bytes = 1 + int(rand($input_size)); # provider sign, no-provider verify `openssl rand $bytes > ecsignverify.${i}.${curve}.data.in`; - `$prov openssl pkeyutl -sign -digest $md -inkey ec$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; - `openssl pkeyutl -verify -digest $md -pubin -inkey ec$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; + `$prov openssl pkeyutl -sign -digest $md -inkey ecsignverify$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; + `openssl pkeyutl -verify -digest $md -pubin -inkey ecsignverify$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; exit(99) if ($?); `rm -f ecsignverify.${i}.${curve}.data.in ecsignverify.${i}.${curve}.data.out`; # no-provider sign, provider verify `openssl rand $bytes > ecsignverify.${i}.${curve}.data.in`; - `openssl pkeyutl -sign -digest $md -inkey ec$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; - `$prov openssl pkeyutl -verify -digest $md -pubin -inkey ec$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; + `openssl pkeyutl -sign -digest $md -inkey ecsignverify$curve.key -rawin -in ecsignverify.${i}.${curve}.data.in -out ecsignverify.${i}.${curve}.data.out`; + `$prov openssl pkeyutl -verify -digest $md -pubin -inkey ecsignverify$curve.pub -rawin -in ecsignverify.${i}.${curve}.data.in -sigfile ecsignverify.${i}.${curve}.data.out`; exit(99) if ($?); `rm -f ecsignverify.${i}.${curve}.data.in ecsignverify.${i}.${curve}.data.out`; } @@ -285,24 +285,23 @@ my $prov = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF} OPENSSL_MODULES=$ENV{IBMCA_TEST_PATH}"; my ($group, $tests) = @_; - `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dh$group.key`; - `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peer$group.key`; - `$prov openssl pkey -in peer$group.key -check -pubout -out peer$group.pub`; + `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dhderive$group.key`; + `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peerderive$group.key`; + `$prov openssl pkey -in peerderive$group.key -check -pubout -out peerderive$group.pub`; exit(99) if ($?); for my $i (1..$tests) { - `$prov openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -out dhderive.${i}.${group}.data.out1`; - `openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -out dhderive.${i}.${group}.data.out2`; + `$prov openssl pkeyutl -derive -inkey dhderive$group.key -peerkey peerderive$group.pub -out dhderive.${i}.${group}.data.out1`; + `openssl pkeyutl -derive -inkey dhderive$group.key -peerkey peerderive$group.pub -out dhderive.${i}.${group}.data.out2`; `cmp dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; exit(99) if ($?); `rm -f dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; } - `rm -f dh$group.key peer$group.key peer$group.pub`; + `rm -f dhderive$group.key peerderive$group.key peerderive$group.pub`; } sub dhderivekdf { @@ -313,21 +312,21 @@ `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dh$group.key`; - `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peer$group.key`; - `$prov openssl pkey -in peer$group.key -check -pubout -out peer$group.pub`; + `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out dhderivekdf$group.key`; + `$prov openssl genpkey -algorithm DH -pkeyopt group:$group -out peerderivekdf$group.key`; + `$prov openssl pkey -in peerderivekdf$group.key -check -pubout -out peerderivekdf$group.pub`; exit(99) if ($?); for my $i (1..$tests) { - `$prov openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderive.${i}.${group}.data.out1`; - `openssl pkeyutl -derive -inkey dh$group.key -peerkey peer$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderive.${i}.${group}.data.out2`; - `cmp dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; + `$prov openssl pkeyutl -derive -inkey dhderivekdf$group.key -peerkey peerderivekdf$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderivekdf.${i}.${group}.data.out1`; + `openssl pkeyutl -derive -inkey dhderivekdf$group.key -peerkey peerderivekdf$group.pub -pkeyopt kdf-type:$kdf -pkeyopt kdf-outlen:$outlen -pkeyopt kdf-digest:$md -pkeyopt cekalg:$cekalg -out dhderivekdf.${i}.${group}.data.out2`; + `cmp dhderivekdf.${i}.${group}.data.out1 dhderivekdf.${i}.${group}.data.out2`; exit(99) if ($?); - `rm -f dhderive.${i}.${group}.data.out1 dhderive.${i}.${group}.data.out2`; + `rm -f dhderivekdf.${i}.${group}.data.out1 dhderivekdf.${i}.${group}.data.out2`; } - `rm -f dh$group.key peer$group.key peer$group.pub`; + `rm -f dhderivekdf$group.key peerderivekdf$group.key peerderivekdf$group.pub`; } sub tls { @@ -339,12 +338,16 @@ `$prov openssl list -providers | grep "name: ibmca"`; exit(99) if ($?); - `$prov openssl s_server -accept $port -naccept 1 -brief -cert $cert -key $privkey -cipher $cipher -ciphersuites $ciphersuites $opts 1>server-$port.out 2>&1 &`; - sleep 1; - `echo "Hello World" | $prov openssl s_client -connect localhost:$port -cipher $cipher -ciphersuites $ciphersuites $opts`; - $ret = $?; - sleep 1; - `killall openssl`; + if ($pid = fork) { + sleep 1; + `echo "Hello World" | $prov openssl s_client -connect localhost:$port -cipher $cipher -ciphersuites $ciphersuites $opts`; + $ret = $?; + sleep 1; + kill 15, $pid; + waitpid $pid, 0; + } else { + exec "$prov openssl s_server -accept $port -naccept 1 -brief -cert $cert -key $privkey -cipher $cipher -ciphersuites $ciphersuites $opts 1>server-$port.out 2>&1"; + } exit(99) if ($ret); `rm -f server-$port.out`; diff -Nru openssl-ibmca-2.3.0/test/provider/tls.pl openssl-ibmca-2.3.1/test/provider/tls.pl --- openssl-ibmca-2.3.0/test/provider/tls.pl 2022-03-25 14:11:55.000000000 +0100 +++ openssl-ibmca-2.3.1/test/provider/tls.pl 2022-09-30 13:59:11.000000000 +0200 @@ -19,17 +19,18 @@ use strict; use warnings; use test; +use FindBin; # TLS 1.3 with RSA signatures -test::tls(10001, "server-key-rsa.pem", "server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); +test::tls(10001, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); # TLS 1.3 with EC signatures -test::tls(10002, "server-key-ec.pem", "server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); +test::tls(10002, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ALL", "TLS_AES_256_GCM_SHA384", "-tls1_3"); # TLS 1.2 with RSA signatures and ECDH key exchange -test::tls(10003, "server-key-rsa.pem", "server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); +test::tls(10003, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "ECDHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); # TLS 1.2 with ECDSA signatures and ECDH key exchange -test::tls(10004, "server-key-ec.pem", "server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); +test::tls(10004, "$FindBin::Bin/server-key-ec.pem", "$FindBin::Bin/server-cert-ec.pem", "ECDHE-ECDSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); # TLS 1.2 with RSA signatures and DH key exchange -test::tls(10005, "server-key-rsa.pem", "server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); +test::tls(10005, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "DHE-RSA-AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); # TLS 1.2 with RSA signatures and RSA key exchange -test::tls(10006, "server-key-rsa.pem", "server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3"); +test::tls(10006, "$FindBin::Bin/server-key-rsa.pem", "$FindBin::Bin/server-cert-rsa.pem", "AES256-GCM-SHA384", "\"\"", "-no_tls1_3");