[23.10 FEAT] Apply selected patches on top of openssl-ibmca v2.4.0 for mantic (crypto)

Bug #2027809 reported by bugproxy
This bug affects 2 people

Affects                   Status        Importance  Assigned to            Milestone
Ubuntu on IBM z Systems   Fix Released  Medium      Skipper Bug Screeners
openssl-ibmca (Ubuntu)    Fix Released  High        Frank Heimes

Bug Description

Upgrade openssl-ibmca to latest version
(Available from https://github.com/opencryptoki/openssl-ibmca/releases)

For Mantic, please use openssl-ibmca v2.4.0
(https://github.com/opencryptoki/openssl-ibmca/releases/tag/v2.4.0)

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-202898 severity-high targetmilestone-inin2310
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-07-17 06:00 EDT-------
The following commits provided by Ingo should be picked on top of v2.4.0:

https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0 "engine: Only register those algos specified with default_algorithms"
https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a "provider: rsa: Check RSA keys with p < q at key generation and import"
https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0 "provider: Support importing of RSA keys with just ME components"

In case there will be additional recommended fixes before FF, we will provide further commits in time.

Frank Heimes (fheimes)
affects: linux (Ubuntu) → openssl-ibmca (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in openssl-ibmca (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → Medium
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-26 07:49 EDT-------
One additional commit to pick:
https://github.com/opencryptoki/openssl-ibmca/commit/67efa9ad713e8283cb20111a15629f15a8ea8c86 "provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits"

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-27 02:57 EDT-------
There is one more commit to pick:
https://github.com/opencryptoki/openssl-ibmca/commit/2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 "provider: Default debug directory to /tmp but make it configurable"
This one is not really a fix, but a change to no longer require a world-writable log directory in /var/log, as this could have security implications. So maybe it's worth including that one, too.

Frank Heimes (fheimes)
Changed in openssl-ibmca (Ubuntu):
assignee: nobody → Frank Heimes (fheimes)
Frank Heimes (fheimes) wrote : Re: [23.10 FEAT] Upgrade openssl-ibmca to latest version (crypto)

Oops, just noticed that we are already on openssl-ibmca 2.4.0 in mantic (and even lunar):
 openssl-ibmca | 2.4.0-0ubuntu1 | lunar/universe | source, s390x
 openssl-ibmca | 2.4.0-0ubuntu1 | mantic/universe | source, s390x
So it's not a version bump for us, but rather applying the 5 selected commits/patches you've listed on top.
So I may adjust the LP bug title a bit ...

summary: - [23.10 FEAT] Upgrade openssl-ibmca to latest version (crypto)
+ [23.10 FEAT] Apply selected patches on top of openssl-ibmca v2.4.0 for
+ mantic (crypto)
Frank Heimes (fheimes) wrote :

A PPA test package build is running/available soon here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2027809

Changed in openssl-ibmca (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Frank Heimes (fheimes) wrote :

openssl-ibmca has no rdepends:
$ reverse-depends -a source src:openssl-ibmca
No reverse dependencies found

Frank Heimes (fheimes) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-ibmca - 2.4.0-0ubuntu2

---------------
openssl-ibmca (2.4.0-0ubuntu2) mantic; urgency=medium

  * Add selected commits/patches as requested here: LP: #2027809
    - d/p/lp-2027809-engine-Only-register-those-algos-specified-with-defa.patch
      To set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine
      initialization to avoid unconditional registration of all algorithms.
    - d/p/lp-2027809-provider-rsa-Check-RSA-keys-with-p-q-at-key-generati.patch
      To check and correct RSA keys where p < q (privileged form) right after
      key generation or during import, so that p > q is assured whenever the key
      is used afterwards, and no ica_rsa_crt() correction is applied later on.
    - d/p/lp-2027809-provider-Support-importing-of-RSA-keys-with-just-ME-.patch
      To let an RSA key also contain the private key components in ME format,
      and use ica_rsa_mod_expo() only if the ME components are available.
    - d/p/lp-2027809-provider-RSA-Fix-get_params-to-retrieve-max-size-bit.patch
      To ensure (and fix) that the RSA key management's get_params() function
      is able to return the values for max-size, bits, and security-bits (if
      at least the public key is available).
    - d/p/lp-2027809-provider-Default-debug-directory-to-tmp-but-make-it-.patch
      To change the default log directory from /var/log/ibmca/ to /tmp which is
      world-writable anyway, and to avoid making /var/log/ibmca/ world-
      writable, which can cause security issues, since it's not known under
      which user an application runs that uses the provider.
      With that a world-writable directory under /var is avoided.

 -- Frank Heimes <email address hidden> Thu, 27 Jul 2023 16:38:43 +0200

Changed in openssl-ibmca (Ubuntu):
status: In Progress → Fix Released
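The changelog above describes two RSA key-handling changes in words: CRT keys with p < q are rewritten at generation or import so that p > q holds for every later use (the form ica_rsa_crt() expects, per the changelog), and a key may carry only the ME components (n, d), in which case modular exponentiation is used instead of CRT. The following is an added example in pure Python, not code from openssl-ibmca, illustrating both behaviours on a constructed textbook key; the RsaKey class, function names and the tiny primes are assumptions for illustration only. The software Garner recombination used here works for either prime order, so it can be used to confirm that the normalized key and the ME-only key decrypt to the same plaintext.

```python
# Added example (not openssl-ibmca code): what the two RSA key patches in the
# changelog describe, in pure Python. A key may carry only the ME components
# (n, d) or additionally the CRT components (p, q, dp, dq, qinv). On import
# or generation, a CRT key with p < q is rewritten so that p > q, and the
# private operation uses CRT only when those components are present.

from dataclasses import dataclass
from typing import Optional


@dataclass
class RsaKey:                   # hypothetical container, not the provider's type
    n: int
    e: int
    d: int                      # ME component: private exponent
    p: Optional[int] = None     # CRT components, absent for an ME-only key
    q: Optional[int] = None
    dp: Optional[int] = None
    dq: Optional[int] = None
    qinv: Optional[int] = None


def has_crt(key: RsaKey) -> bool:
    """True when the key carries a complete set of CRT components."""
    return None not in (key.p, key.q, key.dp, key.dq, key.qinv)


def normalize_crt(key: RsaKey) -> RsaKey:
    """Import-time check: reject inconsistent CRT keys and enforce p > q.

    If p < q the primes are swapped and dp, dq, qinv are recomputed for the
    new order, so every later private operation sees p > q and needs no
    per-call correction. ME-only keys are returned unchanged.
    """
    if not has_crt(key):
        return key
    if key.p * key.q != key.n:
        raise ValueError("CRT components do not match the modulus")
    if key.p > key.q:
        return key
    p, q = key.q, key.p                   # swap into p > q order
    return RsaKey(key.n, key.e, key.d, p, q,
                  dp=key.d % (p - 1),
                  dq=key.d % (q - 1),
                  qinv=pow(q, -1, p))     # q^-1 mod p (Python 3.8+)


def private_op_me(key: RsaKey, c: int) -> int:
    """m = c^d mod n, the only path available for an ME-only key."""
    return pow(c, key.d, key.n)


def private_op_crt(key: RsaKey, c: int) -> int:
    """Garner recombination in software; this formula itself works for any prime order."""
    m1 = pow(c, key.dp, key.p)
    m2 = pow(c, key.dq, key.q)
    h = (key.qinv * (m1 - m2)) % key.p
    return m2 + h * key.q


def private_op(key: RsaKey, c: int) -> int:
    """Use CRT when the components exist, otherwise fall back to ME."""
    return private_op_crt(key, c) if has_crt(key) else private_op_me(key, c)


def key_params(key: RsaKey) -> dict:
    """bits and max-size, two of the get_params() values named in the changelog."""
    bits = key.n.bit_length()
    return {"bits": bits, "max-size": (bits + 7) // 8}


# Constructed textbook key (p = 61, q = 53, e = 17), deliberately stored with
# p < q to exercise the swap. Far too small for any real use.
TEXTBOOK_P, TEXTBOOK_Q, TEXTBOOK_E = 61, 53, 17
TEXTBOOK_N = TEXTBOOK_P * TEXTBOOK_Q                                    # 3233
TEXTBOOK_D = pow(TEXTBOOK_E, -1, (TEXTBOOK_P - 1) * (TEXTBOOK_Q - 1))   # 2753

SWAPPED_KEY = RsaKey(TEXTBOOK_N, TEXTBOOK_E, TEXTBOOK_D,
                     p=TEXTBOOK_Q, q=TEXTBOOK_P,
                     dp=TEXTBOOK_D % (TEXTBOOK_Q - 1),
                     dq=TEXTBOOK_D % (TEXTBOOK_P - 1),
                     qinv=pow(TEXTBOOK_P, -1, TEXTBOOK_Q))
ME_ONLY_KEY = RsaKey(TEXTBOOK_N, TEXTBOOK_E, TEXTBOOK_D)


def demo(m: int = 65) -> dict:
    """Encrypt m with e, decrypt via normalized CRT and via ME; both must agree."""
    c = pow(m, TEXTBOOK_E, TEXTBOOK_N)
    fixed = normalize_crt(SWAPPED_KEY)
    return {
        "cipher": c,
        "p_gt_q_after_import": fixed.p > fixed.q,
        "crt_plain": private_op(fixed, c),
        "me_plain": private_op(ME_ONLY_KEY, c),
        "params": key_params(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the ciphertext, the two recovered plaintexts (which agree) and the derived parameters. The point of normalizing once at import rather than per operation is that a hardware CRT path with a fixed p > q expectation then never has to special-case the key order on the hot path.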
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Released
Frank Heimes (fheimes)
information type: Private → Public