Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: openssl

openssl (1.1.0g-2ubuntu5) cosmic; urgency=medium

  * SECURITY UPDATE: ECDSA key extraction side channel
    - debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA
      signature in crypto/ec/ecdsa_ossl.c.
    - CVE-2018-0495
  * SECURITY UPDATE: denial of service via long prime values
    - debian/patches/CVE-2018-0732.patch: reject excessively large primes
      in DH key generation in crypto/dh/dh_key.c.
    - CVE-2018-0732
  * SECURITY UPDATE: RSA cache timing side channel attack
    - debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in
      crypto/rsa/rsa_gen.c.
    - debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in
      crypto/rsa/rsa_gen.c.
    - debian/patches/CVE-2018-0737-3.patch: consttime flag changed in
      crypto/rsa/rsa_gen.c.
    - debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and
      BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in
      crypto/rsa/rsa_gen.c.
    - CVE-2018-0737

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 20 Jun 2018 07:13:37 -0400

openssl (1.1.0g-2ubuntu4) bionic; urgency=medium

  * debian/patches/rehash-pass-on-dupes.patch: Don't return 1 when a
    duplicate certificate is found. (LP: #1764848)

 -- Brian Murray <brian@ubuntu.com>  Wed, 25 Apr 2018 10:03:48 -0700

openssl (1.1.0g-2ubuntu3) bionic; urgency=medium

  * SECURITY UPDATE: overflow bug in AVX2 Montgomery multiplication
    - debian/patches/CVE-2017-3738.patch: fix digit correction bug in
      crypto/bn/asm/rsaz-avx2.pl.
    - CVE-2017-3738
  * SECURITY UPDATE: DoS via ASN.1 types with a recursive definition
    - debian/patches/CVE-2018-0739.patch: limit stack depth in
      crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c,
      include/openssl/asn1.h.
    - CVE-2018-0739

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 27 Mar 2018 13:45:15 -0400

openssl (1.1.0g-2ubuntu2) bionic; urgency=medium

  * s390x: Add support for CPACF enhancements to openssl, for IBM z14.
    LP: #1743750

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 27 Feb 2018 13:01:19 +0000

openssl (1.1.0g-2ubuntu1) bionic; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 05 Feb 2018 13:16:42 +0000

Modifications:
  1. Download patch debian/patches/CVE-2018-0737-1.patch

    --- 1.1.0g-2/debian/patches/CVE-2018-0737-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2018-0737-1.patch 2018-06-20 11:13:13.000000000 +0000 
@@ -0,0 +1,80 @@ +From 9db724cfede4ba7a3668bff533973ee70145ec07 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser <samuel.weiser@iaik.tugraz.at> +Date: Tue, 5 Dec 2017 15:55:17 +0100 +Subject: [PATCH] Replaced variable-time GCD with consttime inversion to avoid + side-channel attacks on RSA key generation + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/5170) +--- + crypto/rsa/rsa_gen.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index 4ced965..a287ed7 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -42,6 +42,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; + int bitsp, bitsq, ok = -1, n = 0; + BN_CTX *ctx = NULL; ++ unsigned long error = 0; + + /* + * When generating ridiculously small keys, we can get stuck +@@ -88,16 +89,25 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (BN_copy(rsa->e, e_value) == NULL) + goto err; + ++ BN_set_flags(rsa->e, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { + if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) + goto err; + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; +- if (!BN_gcd(r1, r2, rsa->e, ctx)) +- goto err; +- if (BN_is_one(r1)) ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ + break; ++ } ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_clear_error(); ++ } else { ++ goto err; ++ } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } +@@ -110,10 +120,18 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + } while (BN_cmp(rsa->p, rsa->q) == 0); + if (!BN_sub(r2, rsa->q, 
BN_value_one())) + goto err; +- if (!BN_gcd(r1, r2, rsa->e, ctx)) +- goto err; +- if (BN_is_one(r1)) ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ + break; ++ } ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_clear_error(); ++ } else { ++ goto err; ++ } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } +-- +2.7.4 +
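
    Review bot: in the first rsa_gen.c hunk, right after `BN_copy(rsa->e, e_value)`, `BN_set_flags(rsa->e, BN_FLG_CONSTTIME)` marks the public exponent, while the value derived from the secret prime is `r2` (p-1, then q-1), the other operand of `BN_mod_inverse(r1, r2, rsa->e, ctx)`. Set the flag on `r2`, or add a comment explaining why flagging `e` is enough to select the constant-time path. Separately, `ERR_clear_error()` in both `BN_R_NO_INVERSE` branches empties the whole error queue, including anything queued before key generation was called; scope the cleanup to this one call instead. The p and q blocks are now identical and could share one helper.
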
  2. Download patch debian/patches/CVE-2018-0737-2.patch

    --- 1.1.0g-2/debian/patches/CVE-2018-0737-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2018-0737-2.patch 2018-06-20 11:13:16.000000000 +0000 @@ -0,0 +1,54 @@ +From 011f82e66f4bf131c733fd41a8390039859aafb2 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser <samuel.weiser@iaik.tugraz.at> +Date: Wed, 31 Jan 2018 13:10:55 +0100 +Subject: [PATCH] used ERR set/pop mark + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/5170) +--- + crypto/rsa/rsa_gen.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index a287ed7..f869f19 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -96,6 +96,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + goto err; + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; ++ ERR_set_mark(); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { + /* GCD == 1 since inverse exists */ + break; +@@ -104,7 +105,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (ERR_GET_LIB(error) == ERR_LIB_BN + && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { + /* GCD != 1 */ +- ERR_clear_error(); ++ ERR_pop_to_mark(); + } else { + goto err; + } +@@ -120,6 +121,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + } while (BN_cmp(rsa->p, rsa->q) == 0); + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; ++ ERR_set_mark(); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { + /* GCD == 1 since inverse exists */ + break; +@@ -128,7 +130,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (ERR_GET_LIB(error) == ERR_LIB_BN + && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { + /* GCD != 1 */ +- ERR_clear_error(); ++ ERR_pop_to_mark(); + } else { + goto err; + } +-- +2.7.4 +
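
    Review bot: `ERR_set_mark()` is added before each `BN_mod_inverse` call but is only undone by `ERR_pop_to_mark()` in the `BN_R_NO_INVERSE` branch; on the `break` path (inverse found) and on the `goto err` path the mark stays on the error stack. Clear the mark on those paths as well, so that a later pop-to-mark by a caller cannot stop at a stale mark left here, and check the return value of `ERR_set_mark()`.
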
  3. Download patch debian/rules

    --- 1.1.0g-2/debian/rules 2017-11-02 11:16:11.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/rules 2018-02-05 13:11:12.000000000 +0000 @@ -133,6 +133,15 @@ override_dh_fixperms: fi dh_fixperms -a -X etc/ssl/private +override_dh_compress: + dh_compress + # symlink doc files + for p in openssl libssl-dev; do \ + for f in changelog.Debian.gz changelog.gz copyright; do \ + ln -sf ../libssl1.1/$$f debian/$$p/usr/share/doc/$$p/$$f; \ + done; \ + done + override_dh_perl: dh_perl -d
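
    Review bot: in the new `override_dh_compress` recipe the nested `for` loops return only the status of the last `ln -sf`, so a failed symlink for an earlier file or package does not fail the build. Add `|| exit 1` after the `ln`, or start the recipe line with `set -e;`. The `# symlink doc files` comment could also say that the link targets live in `../libssl1.1/`, since the links dangle unless that package's doc directory is present.
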
  4. Download patch debian/patches/CVE-2018-0737-3.patch

    --- 1.1.0g-2/debian/patches/CVE-2018-0737-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2018-0737-3.patch 2018-06-20 11:13:26.000000000 +0000 @@ -0,0 +1,29 @@ +From 7150a4720af7913cae16f2e4eaf768b578c0b298 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser <samuel.weiser@iaik.tugraz.at> +Date: Fri, 9 Feb 2018 14:11:47 +0100 +Subject: [PATCH] consttime flag changed + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/5170) +--- + crypto/rsa/rsa_gen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index f869f19..4952ec3 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -89,7 +89,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (BN_copy(rsa->e, e_value) == NULL) + goto err; + +- BN_set_flags(rsa->e, BN_FLG_CONSTTIME); ++ BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { + if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) +-- +2.7.4 +
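
    Review bot: the subject "consttime flag changed" does not say why the flag moves from `rsa->e` to `r2`; put the reason in the commit message or in a comment next to `BN_set_flags(r2, BN_FLG_CONSTTIME)`. The flag is also set once, before `for (;;)`, so the fix depends on `r2` keeping it across every write to `r2` inside the loop; a comment stating that assumption, or setting the flag immediately before each inversion, would protect it against later edits.
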
  5. Download patch debian/patches/1c3a23e44648524755b74595ad816f5cc881102c.patch

    --- 1.1.0g-2/debian/patches/1c3a23e44648524755b74595ad816f5cc881102c.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/1c3a23e44648524755b74595ad816f5cc881102c.patch 2018-02-27 12:49:01.000000000 +0000 
@@ -0,0 +1,81 @@ +From 1c3a23e44648524755b74595ad816f5cc881102c Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Tue, 14 Feb 2017 02:07:37 +0100 +Subject: [PATCH] s390x assembly pack: add KMA code path for aes-ctr. + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Andy Polyakov <appro@openssl.org> +Reviewed-by: Tim Hudson <tjh@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/4634) +--- + crypto/aes/asm/aes-s390x.pl | 56 ++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl +index 0ef1f6b50ab..cfbe1321320 100644 +--- a/crypto/aes/asm/aes-s390x.pl ++++ b/crypto/aes/asm/aes-s390x.pl +@@ -1405,7 +1405,61 @@ () + clr %r0,%r1 + jl .Lctr32_software + +- stm${g} %r6,$s3,6*$SIZE_T($sp) ++ st${g} $s2,10*$SIZE_T($sp) ++ st${g} $s3,11*$SIZE_T($sp) ++ ++ clr $len,%r1 # does work even in 64-bit mode ++ jle .Lctr32_nokma # kma is slower for <= 16 blocks ++ ++ larl %r1,OPENSSL_s390xcap_P ++ lr $s2,%r0 ++ llihh $s3,0x8000 ++ srlg $s3,$s3,0($s2) ++ ng $s3,S390X_KMA(%r1) # check kma capability vector ++ jz .Lctr32_nokma ++ ++ l${g}hi %r1,-$stdframe-112 ++ l${g}r $s3,$sp ++ la $sp,0(%r1,$sp) # prepare parameter block ++ ++ lhi %r1,0x0600 ++ sllg $len,$len,4 ++ or %r0,%r1 # set HS and LAAD flags ++ ++ st${g} $s3,0($sp) # backchain ++ la %r1,$stdframe($sp) ++ ++ lmg $s2,$s3,0($key) # copy key ++ stg $s2,$stdframe+80($sp) ++ stg $s3,$stdframe+88($sp) ++ lmg $s2,$s3,16($key) ++ stg $s2,$stdframe+96($sp) ++ stg $s3,$stdframe+104($sp) ++ ++ lmg $s2,$s3,0($ivp) # copy iv ++ stg $s2,$stdframe+64($sp) ++ ahi $s3,-1 # kma requires counter-1 ++ stg $s3,$stdframe+72($sp) ++ st $s3,$stdframe+12($sp) # copy counter ++ ++ lghi $s2,0 # no AAD ++ lghi $s3,0 ++ ++ .long 0xb929a042 # kma $out,$s2,$inp ++ brc 1,.-4 # pay attention to "partial completion" ++ ++ stg %r0,$stdframe+80($sp) # wipe key ++ stg 
%r0,$stdframe+88($sp) ++ stg %r0,$stdframe+96($sp) ++ stg %r0,$stdframe+104($sp) ++ la $sp,$stdframe+112($sp) ++ ++ lm${g} $s2,$s3,10*$SIZE_T($sp) ++ br $ra ++ ++.align 16 ++.Lctr32_nokma: ++ stm${g} %r6,$s1,6*$SIZE_T($sp) + + slgr $out,$inp + la %r1,0($key) # %r1 is permanent copy of $key
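
    Review bot: `.long 0xb929a042` hard-codes the `kma` instruction together with its register operands, so it is only correct while `$out`, `$s2` and `$inp` keep the register assignment the trailing comment assumes; generate the word from the perl variables, or add a comment tying the encoding to those registers. In the "wipe key" stores, `%r0` still holds the function code with the HS and LAAD flags or-ed in rather than zero; the key copy is overwritten either way, but the comment should say which value is written and why that is sufficient.
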
  6. Download patch debian/patches/CVE-2018-0737-4.patch

    --- 1.1.0g-2/debian/patches/CVE-2018-0737-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2018-0737-4.patch 2018-06-20 11:13:30.000000000 +0000 @@ -0,0 +1,30 @@ +From 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787 Mon Sep 17 00:00:00 2001 +From: Billy Brumley <bbrumley@gmail.com> +Date: Wed, 11 Apr 2018 10:10:58 +0300 +Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont + both get called with BN_FLG_CONSTTIME flag set. + +CVE-2018-0737 + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +--- + crypto/rsa/rsa_gen.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index 9af43e0..79f77e3 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -89,6 +89,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (BN_copy(rsa->e, e_value) == NULL) + goto err; + ++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { +-- +2.7.4 +
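
    Review bot: `BN_set_flags(rsa->p, BN_FLG_CONSTTIME)` and `BN_set_flags(rsa->q, BN_FLG_CONSTTIME)` are applied before the "generate p and q" loop, that is, before the primes exist, so the fix depends on the flag surviving whatever later writes the primes into those BIGNUMs. Add a comment stating that assumption, and one naming the `BN_mod_exp_mont` call the subject line refers to, since nothing in this hunk shows where p and q are consumed.
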
  7. Download patch debian/control

    --- 1.1.0g-2/debian/control 2017-06-04 10:07:33.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/control 2018-02-05 13:16:42.000000000 +0000 @@ -2,7 +2,8 @@ Source: openssl Build-Depends: debhelper (>= 10), m4, bc, dpkg-dev (>= 1.15.7) Section: utils Priority: optional -Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> Uploaders: Christoph Martin <christoph.martin@uni-mainz.de>, Kurt Roeckx <kurt@roeckx.be>, Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Standards-Version: 3.9.8 Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-openssl/openssl
  8. Download patch debian/patches/rehash-pass-on-dupes.patch

    --- 1.1.0g-2/debian/patches/rehash-pass-on-dupes.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/rehash-pass-on-dupes.patch 2018-04-25 17:03:48.000000000 +0000 @@ -0,0 +1,22 @@ +Description: return 0 on a duplicate certificate + Modify openssl rehash so it returns 0 on a duplicate certificate like c_rehash does. +Author: Brian Murray <brian@ubuntu.com> +Origin: vendor +Bug: https://github.com/openssl/openssl/issues/6083 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1764848 +Last-Update: 2018-04-25 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: openssl-1.1.0g/apps/rehash.c +=================================================================== +--- openssl-1.1.0g.orig/apps/rehash.c ++++ openssl-1.1.0g/apps/rehash.c +@@ -132,7 +132,7 @@ static int add_entry(enum Type type, uns + BIO_printf(bio_err, + "%s: skipping duplicate %s in %s\n", opt_getprog(), + type == TYPE_CERT ? "certificate" : "CRL", filename); +- return 1; ++ return 0; + } + if (strcmp(filename, ep->filename) == 0) { + found = ep;
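
    Review bot: the duplicate branch of `add_entry` now returns 0 where it used to return 1, so callers lose the only return-value signal that an entry was skipped; what remains is the "skipping duplicate" line on `bio_err`. Add a short comment at the `return 0` saying duplicates are deliberately non-fatal (to match `c_rehash`, per the patch description), so the value is not changed back later.
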
  9. Download patch debian/patches/c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch

    --- 1.1.0g-2/debian/patches/c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch 2018-02-27 12:40:38.000000000 +0000 @@ -0,0 +1,29 @@ +From c0dba2cca4d2bf3526d90a2050bdb17148ce803f Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <psteuer@mail.de> +Date: Sat, 15 Oct 2016 17:41:41 +0200 +Subject: [PATCH] Fix strict-warnings build + +crypto/s390xcap.c: internal/cryptlib.h needs to be included for +OPENSSL_cpuid_setup function prototype is located there to avoid +build error due to -Werror=missing-prototypes. + +Signed-off-by: Patrick Steuer <psteuer@mail.de> + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +CLA: trivial +--- + crypto/s390xcap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c +@@ -12,6 +12,7 @@ + #include <string.h> + #include <setjmp.h> + #include <signal.h> ++#include "internal/cryptlib.h" + + unsigned long long OPENSSL_s390xcap_P[10]; +
  10. Download patch debian/libssl1.1.postinst

    --- 1.1.0g-2/debian/libssl1.1.postinst 2016-05-28 17:24:13.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/libssl1.1.postinst 2018-02-05 13:16:05.000000000 +0000 @@ -57,6 +57,8 @@ filerc() { if [ "$1" = "configure" ] then if [ ! -z "$2" ]; then + # This triggers services restarting, so limit this to major upgrades + # only. Security updates should not restart services automatically. if dpkg --compare-versions "$2" lt 1.0.1g-2; then echo -n "Checking for services that may need to be restarted..." check="amanda-server anon-proxy apache2 apache-ssl" @@ -152,7 +154,11 @@ then if [ "x$RET" != xtrue ]; then db_reset libssl1.1/restart-services db_set libssl1.1/restart-services "$services" - db_input critical libssl1.1/restart-services || true + if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then + db_input medium libssl1.1/restart-services || true + else + db_input critical libssl1.1/restart-services || true + fi db_go || true db_get libssl1.1/restart-services @@ -200,7 +206,20 @@ then # Shut down the frontend, to make sure none of the # restarted services keep a connection open to it db_stop + fi # end upgrading and $2 lt 0.9.8c-2 + + # Here we issue the reboot notification for upgrades and + # security updates. We do want services to be restarted when we + # update for a security issue, but planned by the sysadmin, not + # automatically. + + # Only issue the reboot notification for servers; we proxy this by + # testing that the X server is not running (LP: #244250) + if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then + /usr/share/update-notifier/notify-reboot-required + fi + fi # Upgrading fi
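
    Review bot: the added closing comment `# end upgrading and $2 lt 0.9.8c-2` names a version that differs from the only version test visible in the patch, `dpkg --compare-versions "$2" lt 1.0.1g-2`; update the comment to the version actually tested. In the last hunk, `pidof /usr/bin/X` only matches an X server started from that exact path, so a desktop running a display server under another name or path is treated as a server and gets the reboot notification; the comment that calls this a proxy should state that limitation.
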
  11. Download patch debian/patches/series

    --- 1.1.0g-2/debian/patches/series 2017-11-04 11:48:13.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/series 2018-06-20 11:13:30.000000000 +0000 @@ -7,3 +7,19 @@ c_rehash-compat.patch #tls1_2_default.patch testsuite_race.patch 0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch + +# s390x CPACF enchancements +c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch +bc4e831ccd81a1d22a7462df645c884ce33ea7c0.patch +1c3a23e44648524755b74595ad816f5cc881102c.patch +e21a84308c02df63715f8867beb4a2b1036bcb35.patch +96530eea93d27e536f4e93956256cf8dcda7d469.patch +CVE-2017-3738.patch +CVE-2018-0739.patch +rehash-pass-on-dupes.patch +CVE-2018-0495.patch +CVE-2018-0732.patch +CVE-2018-0737-1.patch +CVE-2018-0737-2.patch +CVE-2018-0737-3.patch +CVE-2018-0737-4.patch
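
    Review bot: the comment `# s390x CPACF enchancements` (typo for "enhancements") heads all fourteen added entries, but the `CVE-*` patches and `rehash-pass-on-dupes.patch` listed under it are unrelated to s390x. Separate them with a blank line and their own comment, so the series file shows which entries belong to which change.
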
  12. Download patch debian/patches/CVE-2018-0732.patch

    --- 1.1.0g-2/debian/patches/CVE-2018-0732.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2018-0732.patch 2018-06-20 11:13:08.000000000 +0000 @@ -0,0 +1,42 @@ +From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 +From: Guido Vranken <guidovranken@gmail.com> +Date: Mon, 11 Jun 2018 19:38:54 +0200 +Subject: [PATCH] Reject excessively large primes in DH key generation. + +CVE-2018-0732 + +Signed-off-by: Guido Vranken <guidovranken@gmail.com> + +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) + +Reviewed-by: Tim Hudson <tjh@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/6457) +--- + crypto/dh/dh_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index fce9ff4..58003d7 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -78,10 +78,15 @@ static int generate_key(DH *dh) + int ok = 0; + int generate_new_key = 0; + unsigned l; +- BN_CTX *ctx; ++ BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +-- +2.7.4 +
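
    Review bot: the new modulus-size check leaves `generate_key` with `return 0`, while the allocation failure directly below it uses `goto err`, and the same hunk initialises `ctx` to NULL, which only matters on the `err` path. Use `goto err` for the new check too so there is a single exit path, or drop the initialisation if the early return is intended. The check also reads `dh->p` before anything else in the function; if a caller can get here without a modulus set, test for that first.
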
  13. Download patch debian/patches/96530eea93d27e536f4e93956256cf8dcda7d469.patch
  14. Download patch debian/patches/bc4e831ccd81a1d22a7462df645c884ce33ea7c0.patch
  15. Download patch debian/patches/e21a84308c02df63715f8867beb4a2b1036bcb35.patch

    --- 1.1.0g-2/debian/patches/e21a84308c02df63715f8867beb4a2b1036bcb35.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/e21a84308c02df63715f8867beb4a2b1036bcb35.patch 2018-02-27 12:49:07.000000000 +0000 @@ -0,0 +1,36 @@ +From e21a84308c02df63715f8867beb4a2b1036bcb35 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Tue, 24 Oct 2017 13:29:40 +0200 +Subject: [PATCH] crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro. + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Andy Polyakov <appro@openssl.org> +Reviewed-by: Tim Hudson <tjh@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/4634) +--- + crypto/aes/asm/aes-s390x.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl +index cfbe1321320..bab566223bc 100644 +--- a/crypto/aes/asm/aes-s390x.pl ++++ b/crypto/aes/asm/aes-s390x.pl +@@ -1086,7 +1086,7 @@ () + lhi $t1,16 + cr $t0,$t1 + jl .Lgo +- oill $t0,0x80 # set "decrypt" bit ++ oill $t0,S390X_DECRYPT # set "decrypt" bit + st $t0,240($key) + br $ra + ___ +@@ -1225,7 +1225,7 @@ () + .align 16 + .Lkmc_truncated: + ahi $key,-1 # it's the way it's encoded in mvc +- tmll %r0,0x80 ++ tmll %r0,S390X_DECRYPT + jnz .Lkmc_truncated_dec + lghi %r1,0 + stg %r1,16*$SIZE_T($sp)
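
    Review bot: both hunks replace the literal `0x80` with `S390X_DECRYPT`, but this patch touches only `crypto/aes/asm/aes-s390x.pl` (2 insertions, 2 deletions) and adds no definition or include for that macro. State in the patch header which other patch in the series provides `S390X_DECRYPT`, since applied on its own this one would leave the symbol unresolved in the generated assembly.
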
  16. Download patch debian/patches/CVE-2017-3738.patch

    --- 1.1.0g-2/debian/patches/CVE-2017-3738.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2017-3738.patch 2018-03-27 17:44:46.000000000 +0000 
@@ -0,0 +1,80 @@ +From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001 +From: Andy Polyakov <appro@openssl.org> +Date: Fri, 24 Nov 2017 11:35:50 +0100 +Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in + rsaz_1024_mul_avx2. + +Credit to OSS-Fuzz for finding this. + +CVE-2017-3738 + +Reviewed-by: Rich Salz <rsalz@openssl.org> +--- + crypto/bn/asm/rsaz-avx2.pl | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl +index 0c1b236..46d746b 100755 +--- a/crypto/bn/asm/rsaz-avx2.pl ++++ b/crypto/bn/asm/rsaz-avx2.pl +@@ -246,7 +246,7 @@ $code.=<<___; + vmovdqu 32*8-128($ap), $ACC8 + + lea 192(%rsp), $tp0 # 64+128=192 +- vpbroadcastq .Land_mask(%rip), $AND_MASK ++ vmovdqu .Land_mask(%rip), $AND_MASK + jmp .LOOP_GRANDE_SQR_1024 + + .align 32 +@@ -1077,10 +1077,10 @@ $code.=<<___; + vpmuludq 32*6-128($np),$Yi,$TEMP1 + vpaddq $TEMP1,$ACC6,$ACC6 + vpmuludq 32*7-128($np),$Yi,$TEMP2 +- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3 ++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 + vpaddq $TEMP2,$ACC7,$ACC7 + vpmuludq 32*8-128($np),$Yi,$TEMP0 +- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 ++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3 + vpaddq $TEMP0,$ACC8,$ACC8 + + mov %rbx, %rax +@@ -1093,7 +1093,9 @@ $code.=<<___; + vmovdqu -8+32*2-128($ap),$TEMP2 + + mov $r1, %rax ++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 + imull $n0, %eax ++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 + and \$0x1fffffff, %eax + + imulq 16-128($ap),%rbx +@@ -1329,15 +1331,12 @@ ___ + # But as we underutilize resources, it's possible to correct in + # each iteration with marginal performance loss. But then, as + # we do it in each iteration, we can correct less digits, and +-# avoid performance penalties completely. Also note that we +-# correct only three digits out of four. This works because +-# most significant digit is subjected to less additions. 
++# avoid performance penalties completely. + + $TEMP0 = $ACC9; + $TEMP3 = $Bi; + $TEMP4 = $Yi; + $code.=<<___; +- vpermq \$0, $AND_MASK, $AND_MASK + vpaddq (%rsp), $TEMP1, $ACC0 + + vpsrlq \$29, $ACC0, $TEMP1 +@@ -1770,7 +1769,7 @@ $code.=<<___; + + .align 64 + .Land_mask: +- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 ++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff + .Lscatter_permd: + .long 0,2,4,6,7,7,7,7 + .Lgather_permd: +-- +2.7.4 +
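
    Review bot: the two lines added in the `-1093` hunk, `vpblendd \$0xfc, $ZERO, $ACC9, $ACC9` and `vpaddq $ACC9,$ACC4,$ACC4`, carry the comment `# correct $ACC3` although the addition targets `$ACC4`; fix the comment so it names the digit that is actually corrected. The reworded block comment also drops the explanation of how many digits are corrected without replacing it; one sentence on why `.Land_mask` is now `0x1fffffff` in all four lanes would document the fix.
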
  17. Download patch debian/patches/CVE-2018-0739.patch
  18. Download patch debian/patches/CVE-2018-0495.patch

    --- 1.1.0g-2/debian/patches/CVE-2018-0495.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.0g-2ubuntu5/debian/patches/CVE-2018-0495.patch 2018-06-20 11:13:01.000000000 +0000 
@@ -0,0 +1,158 @@ +From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:= k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. + +Reviewed-by: Rich Salz <rsalz@openssl.org> +--- + CHANGES | 4 +++ + crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++++++++++----- + 2 files changed, 67 insertions(+), 7 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index bfd0bcd..b749d9e 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,10 @@ +# +# Changes between 1.1.0h and 1.1.0i [xx XXX xxxx] +# +#+ *) Add blinding to an ECDSA signature to protect against side channel attacks +#+ discovered by Keegan Ryan (NCC Group). +#+ [Matt Caswell] +#+ +# *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we +# now allow empty (zero character) pass phrases. 
+# [Richard Levitte] +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 72e2f0f..449be0e 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + EC_KEY *eckey) + { + int ok = 0, i; +- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; ++ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL; ++ BIGNUM *blindm = NULL; + const BIGNUM *order, *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; +@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + } + s = ret->s; + +- if ((ctx = BN_CTX_new()) == NULL || +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ++ ctx = BN_CTX_secure_new(); ++ if (ctx == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); ++ m = BN_CTX_get(ctx); ++ blind = BN_CTX_get(ctx); ++ blindm = BN_CTX_get(ctx); ++ if (blindm == NULL) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + } + } + +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s := k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, ++ BN_RAND_BOTTOM_ANY)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp := blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } +- if 
(!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ ++ /* blindm := blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:= s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s := s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to +@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + ECDSA_SIG_free(ret); + ret = NULL; + } ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- BN_clear_free(m); +- BN_clear_free(tmp); + BN_clear_free(kinv); + return ret; + } +-- +2.7.4 +
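
    Review bot: in the blinding loop, a `BN_rand` failure jumps to `err` without an `ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ...)` call, unlike every other failure path added in this hunk; raise an error there too. In the cleanup hunk, `BN_clear_free(m)` and `BN_clear_free(tmp)` are dropped because both now come from `BN_CTX_get`; add a comment confirming that freeing the `BN_CTX_secure_new()` context scrubs them, since `tmp` holds a value derived from `priv_key`. The commit text says "no CVE is assigned" while the file is named CVE-2018-0495.patch; the patch header should explain the mismatch.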


Source: openssl-ibmca

openssl-ibmca (2.0.0-0ubuntu2) cosmic; urgency=medium

  * Disable test-suite, as it appears to fail on launchpad builders, yet
    passes locally when uncontained.

 -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com>  Fri, 15 Jun 2018 12:44:40 +0100

openssl-ibmca (2.0.0-0ubuntu1) cosmic; urgency=medium

  * New upstream release. LP: #1776209
  * Update debian/copyright to Apache-2

 -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com>  Thu, 14 Jun 2018 12:10:32 +0100

openssl-ibmca (1.4.1-0ubuntu1) bionic; urgency=medium

  * New upstream release
  * Update watch file to point at github
  * Build against openssl1.1 with openssl1.1 engine paths LP: #1747626

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 23 Feb 2018 18:06:36 +0000

openssl-ibmca (1.4.0-0ubuntu2) bionic; urgency=high

  * No change rebuild against openssl1.1.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 17:54:51 +0000

openssl-ibmca (1.4.0-0ubuntu1) artful; urgency=medium

  * New upstream release
  * Drop patches applied upstream

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 28 Sep 2017 11:13:14 -0400

openssl-ibmca (1.3.0-0ubuntu5) artful; urgency=medium

  * Apply upstream patch to resolve crashes when libssl attempts to
    initialise engine a few times too many. LP: #1543455

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 26 Jul 2017 08:48:51 +0100

openssl-ibmca (1.3.0-0ubuntu4) zesty; urgency=medium

  * Build against libica.so.3.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 30 Nov 2016 10:24:29 +0000

openssl-ibmca (1.3.0-0ubuntu3) zesty; urgency=medium

  * Attempt to dlopen libica.so.2, if libica.so (or ctrl provided one)
    fails. LP: #1605511
  * Add depends on libica2.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 04 Oct 2016 15:25:59 +0100

openssl-ibmca (1.3.0-0ubuntu2) xenial; urgency=medium

  * Correct license information. LP: 1543682
  * Add watch file.
  * Resolves LP: #1538864

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 15 Feb 2016 16:32:05 +0000

openssl-ibmca (1.3.0-0ubuntu1) xenial; urgency=medium

  * Initial release.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 05 Feb 2016 06:16:50 +0000

Modifications:
  1. Download patch README.md

    --- 1.4.0-1/README.md 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/README.md 2018-06-08 13:47:56.000000000 +0000 @@ -8,14 +8,14 @@ cryptographic operations. The build requirements are: * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 + * libica-devel >= 3.3.0 * autoconf * automake * libtool The runtime requirements are: * openssl >= 0.9.8 - * libica >= 3.1.1 + * libica >= 3.3.0 ## Installing @@ -27,8 +27,8 @@ $ sudo make install ``` This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere +which is `/usr/local/lib`. It means that the ibmca.so will be installed in +`/usr/local/lib/ibmca.so` by default. If you want to install it anywhere else, run "configure" passing the new location via prefix argument, for example: @@ -48,8 +48,8 @@ in the host by the OpenSSL package. **WA original `openssl.cnf` file before changing it. In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location, which is `/usr/local/lib/libibmca.so` by default. However, if the -libibmca.so library has been installed anywhere else, then update the +location, which is `/usr/local/lib/ibmca.so` by default. However, if the +ibmca.so library has been installed anywhere else, then update the *dynamic_path* variable. Locate where the `openssl.cnf` file has been installed in the host and append
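
    Review bot: the rename from `libibmca.so` to `ibmca.so` changes the default path that `dynamic_path` in an existing `openssl.cnf` points at, yet the README hunks only swap the name. Add a sentence telling users who configured the old name to update `dynamic_path`, and give a reason for the raised `libica >= 3.3.0` requirement, which is changed in both the build and runtime lists without explanation.
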
  2. Download patch src/ibmca_digest.c
  3. Download patch test/3des-cbc-test.pl

    --- 1.4.0-1/test/3des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/3des-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cbc", 24, 8);
  4. Download patch test/Makefile.am

    --- 1.4.0-1/test/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/Makefile.am 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,24 @@ +TESTS = \ +des-ecb-test.pl \ +des-cbc-test.pl \ +des-cfb-test.pl \ +des-ofb-test.pl \ +3des-ecb-test.pl \ +3des-cbc-test.pl \ +3des-cfb-test.pl \ +3des-ofb-test.pl \ +aes-128-ecb-test.pl \ +aes-128-cbc-test.pl \ +aes-128-cfb-test.pl \ +aes-128-ofb-test.pl \ +aes-192-ecb-test.pl \ +aes-192-cbc-test.pl \ +aes-192-cfb-test.pl \ +aes-192-ofb-test.pl \ +aes-256-ecb-test.pl \ +aes-256-cbc-test.pl \ +aes-256-cfb-test.pl \ +aes-256-ofb-test.pl + +AM_TESTS_ENVIRONMENT = export IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so IBMCA_OPENSSL_TEST_CONF=${srcdir}/openssl-test.cnf PERL5LIB=${srcdir}; +EXTRA_DIST = ${TESTS} test.pm openssl-test.cnf
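
Review bot: `TESTS` lists only DES, 3DES and AES in ECB, CBC, CFB and OFB modes, so nothing in `make check` exercises the RSA, DSA, DH, EC or GCM paths that the 2.0.0 ChangeLog and `openssl.cnf.sample` advertise. Add at least one sign/verify and one key-exchange test through the engine, or record in a comment that the suite is symmetric-cipher only. In `AM_TESTS_ENVIRONMENT`, `IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so` depends on libtool's internal `.libs` layout, which is worth a comment as well.
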
  5. Download patch test/aes-128-ofb-test.pl

    --- 1.4.0-1/test/aes-128-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-128-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ofb", 16, 16);
  6. Download patch src/ibmca_cipher.c
  7. Download patch debian/README.source

    --- 1.4.0-1/debian/README.source 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/README.source 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -# OpenSSL-ibmca - -OpenSSL engine that uses the libica library under s390x to accelerate -cryptographic operations. - - -## Requirements - -The build requirements are: - * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 - * autoconf - * automake - * libtool - -The runtime requirements are: - * openssl >= 0.9.8 - * libica >= 3.1.1 - - -## Installing - -``` -$ ./configure [--enable-debug] -$ make -$ sudo make install -``` - -This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere -else, run "configure" passing the new location via prefix argument, for -example: - -``` -$ ./configure --prefix=/usr --libdir=/usr/lib64/openssl/engines -``` - - -## Support - -To report a bug please submit a - [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) including the - following information in the issue description: - -* bug description -* distro release -* openssl-ibmca package version -* libica package version -* steps to reproduce the bug - -Regarding technical or usage questions, send email to - [opencryptoki-tech]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-tech) or - [opencryptoki-users]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-users) - mailing list respectively. - - -## Contributing - -See [CONTRIBUTING.md](https://github.com/opencryptoki/openssl-ibmca/blob/master/CONTRIBUTING.md). - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 11:10:45 -0300
  8. Download patch debian/rules

    --- 1.4.0-1/debian/rules 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/rules 2018-06-15 11:44:33.000000000 +0000 @@ -1,31 +1,15 @@ #!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -# output every command that modifies files on the build system. -#export DH_VERBOSE = 1 - -# see FEATURE AREAS in dpkg-buildflags(1) export DEB_BUILD_MAINT_OPTIONS = hardening=+all -# see ENVIRONMENT in dpkg-buildflags(1) -# package maintainers to append CFLAGS -#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -# package maintainers to append LDFLAGS -#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed - %: - dh $@ - -# dh_make generated override targets -# This is example for Cmake (See https://bugs.debian.org/641051 ) -#override_dh_auto_configure: -# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH) + dh $@ --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/openssl-1.0.2/engines/ + dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/engines-1.1 override_dh_auto_install: dh_auto_install - - # Remove useless files find debian -name '*.la' -delete +override_dh_auto_test: + -dh_auto_test
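
Review bot: in the new `override_dh_auto_test` target, the leading `-` on `-dh_auto_test` makes make ignore the exit status, so a failing cipher self-test of this crypto engine can no longer fail the package build on any builder. The changelog gives failures on Launchpad builders as the reason, while the tests pass locally. Keep the tests fatal by default and skip them only in the environment where they cannot run, and add a comment in `debian/rules` explaining the override so it is removed once the builders are sorted out.
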
  9. Download patch test/openssl-test.cnf

    --- 1.4.0-1/test/openssl-test.cnf 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/openssl-test.cnf 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,20 @@ +openssl_conf = openssl_def + +[openssl_def] +engines = engine_section + +[engine_section] +ibmca = ibmca_section + +[ibmca_section] +dynamic_path = $ENV::IBMCA_TEST_PATH +engine_id = ibmca +init = 1 + +# OpenSSL < 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +# OpenSSL >= 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +default_algorithms = ALL
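
Review bot: `dynamic_path = $ENV::IBMCA_TEST_PATH` in `[ibmca_section]` lets an environment variable alone decide which shared object OpenSSL loads as the engine. That is acceptable under `make check`, where `test/Makefile.am` sets the variable, but the file has no header saying it is for the test suite only. Add that comment so the file is not copied into a system `openssl.cnf`, where the same line would load whatever path the caller's environment names.
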
  10. Download patch debian/dirs

    --- 1.4.0-1/debian/dirs 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/dirs 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib
  11. Download patch debian/patches/libica_soname.patch

    --- 1.4.0-1/debian/patches/libica_soname.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/patches/libica_soname.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Setting libica so name to libica.so.3 -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - ---- a/src/e_ibmca.c -+++ b/src/e_ibmca.c -@@ -46,7 +46,7 @@ - #include "e_ibmca_err.h" - - #define IBMCA_LIB_NAME "ibmca engine" --#define LIBICA_SHARED_LIB "libica.so" -+#define LIBICA_SHARED_LIB "libica.so.3" - - #define AP_PATH "/sys/devices/ap" -
  12. Download patch src/openssl.cnf.sample

    --- 1.4.0-1/src/openssl.cnf.sample 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/openssl.cnf.sample 2018-06-08 13:47:56.000000000 +0000 @@ -20,10 +20,10 @@ ibmca = ibmca_section [ibmca_section] -# The openssl engine path for libibmca.so. -# Set the dynamic_path to where the libibmca.so engine +# The openssl engine path for ibmca.so. +# Set the dynamic_path to where the ibmca.so engine # resides on the system. -dynamic_path = /usr/local/lib/libibmca.so +dynamic_path = /usr/local/lib/ibmca.so engine_id = ibmca init = 1 @@ -36,17 +36,33 @@ init = 1 # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # +# DH +# - DH key exchange +# +# DSA +# - DSA sign and verify +# # RAND # - Hardware random number generation # +# ECDSA (OpenSSL < 1.1.0) +# - Elliptic Curve DSA sign and verify +# +# ECDH (OpenSSL < 1.1.0) +# - Elliptic Curve DH key exchange +# +# EC (OpenSSL >= 1.1.0) +# - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange +# # CIPHERS -# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, -# DES-EDE3-OFB, AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, -# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, -# AES-256-CBC, AES-256-CFB, AES-256-OFB symmetric crypto +# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, +# DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, +# AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, +# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, +# AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # default_algorithms = ALL -#default_algorithms = RAND,RSA,CIPHERS,DIGESTS +#default_algorithms = RAND,RSA,DH,DSA,CIPHERS,DIGESTS
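
Review bot: the commented-out restricted example on the last line, `#default_algorithms = RAND,RSA,DH,DSA,CIPHERS,DIGESTS`, gained DH and DSA but no elliptic-curve entry, although the comment block above it now documents `ECDSA`/`ECDH` for OpenSSL < 1.1.0 and `EC` for OpenSSL >= 1.1.0. An administrator who narrows `default_algorithms` from that template silently loses EC offload. Give one example line per OpenSSL version, in the way `test/openssl-test.cnf` spells out both `ALL` expansions.
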
  13. Download patch src/e_ibmca_err.c

    --- 1.4.0-1/src/e_ibmca_err.c 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/e_ibmca_err.c 2018-06-08 13:47:56.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,11 +15,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include <stdio.h> #include <openssl/err.h> #include "e_ibmca_err.h" 
@@ -27,54 +22,73 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA IBMCA_str_functs[] = { - {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, - {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, - {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, - {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, - {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, - {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, - {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 0), "IBMCA_SHA1_FINAL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, - {0, NULL} + {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, + {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, + {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, + {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, + {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, + {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, + {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 
0), "IBMCA_SHA1_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_EC_KEY_GEN, 0), "IBMCA_EC_KEY_GEN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, 0), "IBMCA_ECDH_COMPUTE_KEY"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN, 0), "IBMCA_ECDSA_SIGN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN_SIG, 0), "IBMCA_ECDSA_SIGN_SIG"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_DO_SIGN, 0), "IBMCA_ECDSA_DO_SIGN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY, 0), "IBMCA_ECDSA_VERIFY"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, 0), "IBMCA_ECDSA_VERIFY_SIG"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_NEW, 0), "ICA_EC_KEY_NEW"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_INIT, 0), "ICA_EC_KEY_INIT"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GENERATE, 0), "ICA_EC_KEY_GENERATE"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY, 0), "ICA_EC_KEY_GET_PUBLIC_KEY"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY, 0), "ICA_EC_KEY_GET_PRIVATE_KEY"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDH_DERIVE_SECRET, 0), "ICA_ECDH_DERIVE_SECRET"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDSA_SIGN, 0), "ICA_ECDSA_SIGN"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDSA_VERIFY, 0), "ICA_ECDSA_VERIFY"}, + {0, NULL} }; static ERR_STRING_DATA IBMCA_str_reasons[] = { - {IBMCA_R_ALREADY_LOADED, "already loaded"}, - {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, - {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, - {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, - "ctrl command not implemented"}, - {IBMCA_R_DSO_FAILURE, "dso failure"}, - {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, - 
{IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, - {IBMCA_R_NOT_INITIALISED, "not initialised"}, - {IBMCA_R_NOT_LOADED, "not loaded"}, - {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, - {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, - {IBMCA_R_REQUEST_FAILED, "request failed"}, - {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, - {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, - {IBMCA_R_UNIT_FAILURE, "unit failure"}, - {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, - {0, NULL} + {IBMCA_R_ALREADY_LOADED, "already loaded"}, + {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, + {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, + {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctrl command not implemented"}, + {IBMCA_R_DSO_FAILURE, "dso failure"}, + {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, + {IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, + {IBMCA_R_NOT_INITIALISED, "not initialised"}, + {IBMCA_R_NOT_LOADED, "not loaded"}, + {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, + {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, + {IBMCA_R_REQUEST_FAILED, "request failed"}, + {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, + {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, + {IBMCA_R_UNIT_FAILURE, "unit failure"}, + {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, + {IBMCA_R_EC_INVALID_PARM, "ec invalid parameter"}, + {IBMCA_R_EC_UNSUPPORTED_CURVE, "ec unsupported curve"}, + {IBMCA_R_EC_INTERNAL_ERROR, "ec internal error"}, + {IBMCA_R_EC_ICA_EC_KEY_INIT, "ec ica ec key init"}, + {IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING, "ec curve does not support signing"}, + {0, NULL} }; #endif #ifdef IBMCA_LIB_NAME static ERR_STRING_DATA IBMCA_lib_name[] = { - {0, IBMCA_LIB_NAME}, - {0, NULL} + {0, IBMCA_LIB_NAME}, + {0, NULL} }; #endif 
@@ -84,43 +98,41 @@ static int IBMCA_error_init = 1; void ERR_load_IBMCA_strings(void) { - if (IBMCA_lib_error_code == 0) - IBMCA_lib_error_code = ERR_get_next_error_library(); + if (IBMCA_lib_error_code == 0) + IBMCA_lib_error_code = ERR_get_next_error_library(); - if (IBMCA_error_init) { - IBMCA_error_init = 0; + if (IBMCA_error_init) { + IBMCA_error_init = 0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); - ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); + ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); + ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME - IBMCA_lib_name->error = - ERR_PACK(IBMCA_lib_error_code, 0, 0); - ERR_load_strings(0, IBMCA_lib_name); + IBMCA_lib_name->error = ERR_PACK(IBMCA_lib_error_code, 0, 0); + ERR_load_strings(0, IBMCA_lib_name); #endif - } + } } void ERR_unload_IBMCA_strings(void) { - if (IBMCA_error_init == 0) { + if (IBMCA_error_init == 0) { #ifndef OPENSSL_NO_ERR - ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); - ERR_unload_strings(IBMCA_lib_error_code, - IBMCA_str_reasons); + ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); + ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME - ERR_unload_strings(0, IBMCA_lib_name); + ERR_unload_strings(0, IBMCA_lib_name); #endif - IBMCA_error_init = 1; - } + IBMCA_error_init = 1; + } } void ERR_IBMCA_error(int function, int reason, char *file, int line) { - if (IBMCA_lib_error_code == 0) - IBMCA_lib_error_code = ERR_get_next_error_library(); - ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); + if (IBMCA_lib_error_code == 0) + IBMCA_lib_error_code = ERR_get_next_error_library(); + ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); }
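
Review bot: the `-27,54 +22,73` and `-84,43 +98,41` hunks mix a whole-file re-indentation with the functional change, so the 15 new EC function strings and 5 new EC reason strings are buried among lines that differ only in whitespace. Split the whitespace cleanup into its own patch to make the additions auditable. The second hunk also drops the mkerr.pl notice, so both tables are now maintained by hand; a short comment should say that every entry needs a matching define in `e_ibmca_err.h`.
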
  14. Download patch debian/control

    --- 1.4.0-1/debian/control 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/control 2018-06-14 11:10:32.000000000 +0000 @@ -1,17 +1,15 @@ Source: openssl-ibmca Priority: optional -Maintainer: Paulo Vital <pvital@gmail.com> -Build-Depends: debhelper (>= 10), dh-autoreconf, libica-dev, libssl-dev -Standards-Version: 4.0.0 +Maintainer: Dimitri John Ledkov <xnox@ubuntu.com> +Build-Depends: debhelper (>=10), libica-dev, libssl-dev +Standards-Version: 4.1.4 Section: libs -Homepage: https://github.com/opencryptoki/openssl-ibmca +Homepage: http://sourceforge.net/projects/opencryptoki/files/libica%20OpenSSL%20Engine Package: openssl-ibmca Architecture: s390 s390x Depends: libica3, ${shlibs:Depends}, ${misc:Depends} -Description: libica engine for OpenSSL - This package provides an OpenSSL engine to enable hardware acceleration - of cryptographic functions in OpenSSL, and all applications that use - OpenSSL. - . - This package is specific for s390x architecture. +Description: libica based hardware acceleration engine for OpenSSL + This package provides an OpenSSL engine to enable hardware + acceleration of cryptographic functions in OpenSSL, and all + applications that use OpenSSL.
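
Review bot: the `Homepage` field changes from `https://github.com/opencryptoki/openssl-ibmca` to an `http://` SourceForge URL, even though the 1.4.1-0ubuntu1 changelog entry says the watch file was pointed at GitHub. Keep the HTTPS GitHub URL unless the move is intentional, so the package metadata and the watch file refer to the same upstream. `Build-Depends` also drops `dh-autoreconf` in the same upload that adds `--with autoreconf` to `debian/rules`; confirm that `debhelper (>=10)` is sufficient to provide the addon on every target series.
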
  15. Download patch test/des-ecb-test.pl

    --- 1.4.0-1/test/des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/des-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ecb", 8, 0);
  16. Download patch debian/patches/dlopen-soname.patch

    --- 1.4.0-1/debian/patches/dlopen-soname.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/patches/dlopen-soname.patch 2018-06-14 11:10:32.000000000 +0000 @@ -0,0 +1,18 @@ +Description: Attempt to dlopen libica.so.3, if libica.so (or ctrl provided one) fails +Author: Dimitri John Ledkov <xnox@ubuntu.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1605511 + +--- a/src/e_ibmca.c ++++ b/src/e_ibmca.c +@@ -666,7 +666,10 @@ + + /* WJH XXX check name translation */ + +- ibmca_dso = dlopen(LIBICA_SHARED_LIB, RTLD_NOW); ++ ibmca_dso = dlopen("libica.so.3", RTLD_NOW); ++ if (ibmca_dso == NULL) { ++ ibmca_dso = dlopen(LIBICA_SHARED_LIB, RTLD_NOW); ++ } + if (ibmca_dso == NULL) { + DEBUG_PRINTF("%s: dlopen(%s) failed\n", __func__, LIBICA_SHARED_LIB); + IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE);
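
Review bot: the two `dlopen` calls are in the reverse order of what the patch Description states: `dlopen("libica.so.3", RTLD_NOW)` is tried first and `LIBICA_SHARED_LIB` is only the fallback, so the hard-coded soname wins whenever it resolves. If a configured library name is meant to take precedence, try `LIBICA_SHARED_LIB` first and fall back to `libica.so.3`, or fix the Description to match the code. The failure branch still prints only `LIBICA_SHARED_LIB` in `DEBUG_PRINTF`, so the log does not show that `libica.so.3` was attempted. The literal `"libica.so.3"` would also be better as a named macro beside `LIBICA_SHARED_LIB`.
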
  17. Download patch test/aes-128-cfb-test.pl

    --- 1.4.0-1/test/aes-128-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-128-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cfb", 16, 16);
  18. Download patch debian/examples

    --- 1.4.0-1/debian/examples 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/examples 2016-02-05 07:52:14.000000000 +0000 @@ -1 +1 @@ - src/openssl.cnf.sample +src/openssl.cnf.sample
  19. Download patch ibmca.map

    --- 1.4.0-1/ibmca.map 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/ibmca.map 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,9 @@ +IBMCA_2.0.0 { + global: + v_check; + bind_engine; + ENGINE_load_ibmca; + + local: + *; +};
  20. Download patch ChangeLog

    --- 1.4.0-1/ChangeLog 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/ChangeLog 2018-06-08 13:47:56.000000000 +0000 @@ -1,3 +1,20 @@ +* openssl-ibmca 2.0.0 +- Add ECC support. +- Add check and distcheck make-targets. +- Project cleanup, code was broken into multiple files and coding style cleanup. +- Improvements to compat macros for openssl. +- Don't disable libica sw fallbacks. +- Fix dlclose logic. + +* openssl-ibmca 1.4.1 +- Fix structure size for aes-256-ecb/cbc/cfb/ofb +- Update man page +- Switch to ibmca.so filename to allow standalone use +- Switch off Libica fallback mode if available +- Make sure ibmca_init only runs once +- Provide simple macro for DEBUG_PRINTF possibility +- Cleanup and slight rework of function set_supported_meths + * openssl-ibmca 1.4.0 - Re-license to Apache License v2.0 - Fix aes_gcm initialization.
  21. Download patch src/e_ibmca_err.h

    --- 1.4.0-1/src/e_ibmca_err.h 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/e_ibmca_err.h 2018-06-08 13:47:56.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,9 +19,6 @@ #define HEADER_IBMCA_ERR_H /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_IBMCA_strings(void); void ERR_unload_IBMCA_strings(void); void ERR_IBMCA_error(int function, int reason, char *file, int line); 
@@ -30,41 +27,61 @@ void ERR_IBMCA_error(int function, int r /* Error codes for the IBMCA functions. */ /* Function codes. */ -#define IBMCA_F_IBMCA_CTRL 100 -#define IBMCA_F_IBMCA_FINISH 101 -#define IBMCA_F_IBMCA_INIT 102 -#define IBMCA_F_IBMCA_MOD_EXP 103 -#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 -#define IBMCA_F_IBMCA_RAND_BYTES 105 -#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 -#define IBMCA_F_IBMCA_DES_CIPHER 107 -#define IBMCA_F_IBMCA_TDES_CIPHER 108 -#define IBMCA_F_IBMCA_SHA1_UPDATE 109 -#define IBMCA_F_IBMCA_SHA1_FINAL 110 -#define IBMCA_F_IBMCA_AES_128_CIPHER 111 -#define IBMCA_F_IBMCA_AES_192_CIPHER 112 -#define IBMCA_F_IBMCA_AES_256_CIPHER 113 -#define IBMCA_F_IBMCA_SHA256_UPDATE 114 -#define IBMCA_F_IBMCA_SHA256_FINAL 115 -#define IBMCA_F_IBMCA_SHA512_UPDATE 116 -#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_CTRL 100 +#define IBMCA_F_IBMCA_FINISH 101 +#define IBMCA_F_IBMCA_INIT 102 +#define IBMCA_F_IBMCA_MOD_EXP 103 +#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 +#define IBMCA_F_IBMCA_RAND_BYTES 105 +#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 +#define IBMCA_F_IBMCA_DES_CIPHER 107 +#define IBMCA_F_IBMCA_TDES_CIPHER 108 +#define IBMCA_F_IBMCA_SHA1_UPDATE 109 +#define IBMCA_F_IBMCA_SHA1_FINAL 110 +#define IBMCA_F_IBMCA_AES_128_CIPHER 111 +#define IBMCA_F_IBMCA_AES_192_CIPHER 112 +#define IBMCA_F_IBMCA_AES_256_CIPHER 113 +#define IBMCA_F_IBMCA_SHA256_UPDATE 114 +#define IBMCA_F_IBMCA_SHA256_FINAL 115 +#define IBMCA_F_IBMCA_SHA512_UPDATE 116 +#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_EC_KEY_GEN 120 +#define IBMCA_F_IBMCA_ECDH_COMPUTE_KEY 121 +#define IBMCA_F_IBMCA_ECDSA_SIGN 122 +#define IBMCA_F_IBMCA_ECDSA_SIGN_SIG 123 +#define IBMCA_F_IBMCA_ECDSA_DO_SIGN 124 +#define IBMCA_F_IBMCA_ECDSA_VERIFY 125 +#define IBMCA_F_IBMCA_ECDSA_VERIFY_SIG 126 +#define IBMCA_F_ICA_EC_KEY_NEW 127 +#define IBMCA_F_ICA_EC_KEY_INIT 128 +#define IBMCA_F_ICA_EC_KEY_GENERATE 129 +#define IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY 130 +#define IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY 
131 +#define IBMCA_F_ICA_ECDH_DERIVE_SECRET 132 +#define IBMCA_F_ICA_ECDSA_SIGN 133 +#define IBMCA_F_ICA_ECDSA_VERIFY 134 /* Reason codes. */ -#define IBMCA_R_ALREADY_LOADED 100 -#define IBMCA_R_BN_CTX_FULL 101 -#define IBMCA_R_BN_EXPAND_FAIL 102 -#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 -#define IBMCA_R_DSO_FAILURE 104 -#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 -#define IBMCA_R_MISSING_KEY_COMPONENTS 105 -#define IBMCA_R_NOT_INITIALISED 106 -#define IBMCA_R_NOT_LOADED 107 -#define IBMCA_R_OPERANDS_TO_LARGE 111 -#define IBMCA_R_OUTLEN_TO_LARGE 112 -#define IBMCA_R_REQUEST_FAILED 108 -#define IBMCA_R_UNDERFLOW_CONDITION 113 -#define IBMCA_R_UNDERFLOW_KEYRECORD 114 -#define IBMCA_R_UNIT_FAILURE 109 -#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_ALREADY_LOADED 100 +#define IBMCA_R_BN_CTX_FULL 101 +#define IBMCA_R_BN_EXPAND_FAIL 102 +#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 +#define IBMCA_R_DSO_FAILURE 104 +#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 +#define IBMCA_R_MISSING_KEY_COMPONENTS 105 +#define IBMCA_R_NOT_INITIALISED 106 +#define IBMCA_R_NOT_LOADED 107 +#define IBMCA_R_OPERANDS_TO_LARGE 111 +#define IBMCA_R_OUTLEN_TO_LARGE 112 +#define IBMCA_R_REQUEST_FAILED 108 +#define IBMCA_R_UNDERFLOW_CONDITION 113 +#define IBMCA_R_UNDERFLOW_KEYRECORD 114 +#define IBMCA_R_UNIT_FAILURE 109 +#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_EC_INVALID_PARM 120 +#define IBMCA_R_EC_UNSUPPORTED_CURVE 121 +#define IBMCA_R_EC_INTERNAL_ERROR 122 +#define IBMCA_R_EC_ICA_EC_KEY_INIT 123 +#define IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING 159 #endif
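
Review bot: in the reason codes of the `-30,41 +27,61` hunk, `IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING` is defined as 159 while the other new EC reasons run from 120 to 123. If 159 is not deliberate, 124 keeps the range contiguous; if it is, a comment should say why. The function codes likewise jump from 117 to 120. Because the earlier hunk removes the mkerr.pl notice, these numbers are now assigned by hand, and a comment stating that would help prevent duplicate or drifting values.
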
  22. Download patch configure.ac

    --- 1.4.0-1/configure.ac 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/configure.ac 2018-06-08 13:47:56.000000000 +0000 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [1.4.0], [opencryptoki-users@lists.sf.net]) +AC_INIT([openssl-ibmca], [2.0.0], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) @@ -23,16 +23,16 @@ fi # Checks for programs. AC_DISABLE_STATIC AC_PROG_CC -AC_PROG_LIBTOOL +LT_INIT # Checks for libraries. AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 0.9.8 is required ***])) -AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 2.4.0 is required ***])) +AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 3.3.0 is required ***])) # Checks for header files. AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) -AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 2.4.0 is required ***])) +AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.3.0 is required ***])) # Checks for typedefs, structures, and compiler characteristics. @@ -44,12 +44,13 @@ AC_TYPE_SSIZE_T # Checks for library functions. AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) AC_CHECK_DECLS([ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB], [], - AC_MSG_ERROR([*** libica >= 2.4.0 and libica-devel >= 2.4.0 are required ***]), + AC_MSG_ERROR([*** libica >= 3.3.0 and libica-devel >= 3.3.0 are required ***]), [#include <ica_api.h>]) AC_CONFIG_FILES([ Makefile src/Makefile + test/Makefile src/doc/Makefile]) AC_OUTPUT
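
Review bot: the error messages now demand libica >= 3.3.0, but the probes that trigger them are unchanged. `AC_CHECK_LIB` still looks for `ica_get_functionlist`, and `AC_CHECK_DECLS` still checks `ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB`, the same symbols used when the message said 2.4.0. An older libica therefore passes configure and fails later, at compile time or at run time. Probe a declaration that exists only from the required version on, for instance one of the EC interfaces this release starts using, so the check enforces the stated minimum.
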
  23. Download patch src/ibmca_dsa.c

    --- 1.4.0-1/src/ibmca_dsa.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/src/ibmca_dsa.c 2018-06-08 13:47:56.000000000 +0000 
@@ -0,0 +1,135 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dsa.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DSA + +/* This code was liberated and adapted from the commented-out code in + * dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration + * (it doesn't have a CRT form for RSA), this function means that an + * Ibmca system running with a DSA server certificate can handshake + * around 5 or 6 times faster/more than an equivalent system running with + * RSA. Just check out the "signs" statistics from the RSA and DSA parts + * of "openssl speed -engine ibmca dsa1024 rsa1024". 
*/ +#ifdef OLDER_OPENSSL +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) +#else +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, + const BIGNUM *p1, const BIGNUM *a2, + const BIGNUM *p2, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +#endif +{ + BIGNUM *t; + int to_return = 0; + + t = BN_new(); + /* let rr = a1 ^ p1 mod m */ + if (!ibmca_mod_exp(rr, a1, p1, m, ctx)) + goto end; + /* let t = a2 ^ p2 mod m */ + if (!ibmca_mod_exp(t, a2, p2, m, ctx)) + goto end; + /* let rr = rr * t mod m */ + if (!BN_mod_mul(rr, rr, t, m, ctx)) + goto end; + + to_return = 1; + +end: + BN_free(t); + + return to_return; +} + +#ifdef OLDER_OPENSSL +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#else +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#endif +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DSA_METHOD dsa_m = { + "Ibmca DSA method", /* name */ + NULL, /* dsa_do_sign */ + NULL, /* dsa_sign_setup */ + NULL, /* dsa_do_verify */ + ibmca_dsa_mod_exp, /* dsa_mod_exp */ + ibmca_mod_exp_dsa, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + 0, /* flags */ + NULL /* app_data */ +}; + +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1 = DSA_OpenSSL(); + + dsa_m.dsa_do_sign = meth1->dsa_do_sign; + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; + dsa_m.dsa_do_verify = meth1->dsa_do_verify; + + return &dsa_m; +} + +#else +static DSA_METHOD *dsa_m = NULL; +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1; + DSA_METHOD *method; + + if (dsa_m != NULL) + goto done; + + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL + || (meth1 = DSA_OpenSSL()) == NULL + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) + || 
!DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) + || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp) + || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa)) { + DSA_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dsa_m = method; + +done: + return dsa_m; +} + +void ibmca_dsa_destroy(void) +{ + DSA_meth_free(dsa_m); +} +#endif +#endif /* endif OPENSSL_NO_DSA */
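
Review bot: in `ibmca_dsa_mod_exp` the result of `t = BN_new();` is never checked, so on allocation failure a NULL `t` is passed to `ibmca_mod_exp(t, a2, p2, m, ctx)`. Add `if (t == NULL) goto end;` directly after the allocation; the `end:` label already handles cleanup. In the non-`OLDER_OPENSSL` branch, `ibmca_dsa_destroy` calls `DSA_meth_free(dsa_m)` without resetting the static pointer, so a later `ibmca_dsa()` call takes the `dsa_m != NULL` shortcut and returns the freed method. Set `dsa_m = NULL` after the free.
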
  24. Download patch test/des-ofb-test.pl

    --- 1.4.0-1/test/des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/des-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ofb", 8, 8);
  25. Download patch test/aes-128-cbc-test.pl

    --- 1.4.0-1/test/aes-128-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-128-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cbc", 16, 16);
  26. Download patch test/aes-256-ecb-test.pl

    --- 1.4.0-1/test/aes-256-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-256-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ecb", 32, 0);
  27. Download patch test/aes-192-ecb-test.pl

    --- 1.4.0-1/test/aes-192-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-192-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ecb", 24, 0);
  28. Download patch src/ibmca_rsa.c
  29. Download patch test/aes-256-ofb-test.pl

    --- 1.4.0-1/test/aes-256-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-256-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ofb", 32, 16);
  30. Download patch test/aes-192-ofb-test.pl

    --- 1.4.0-1/test/aes-192-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-192-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ofb", 24, 16);
  31. Download patch src/ibmca_dh.c

    --- 1.4.0-1/src/ibmca_dh.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/src/ibmca_dh.c 2018-06-08 13:47:56.000000000 +0000 
@@ -0,0 +1,86 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dh.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DH + +/* This function is aliased to mod_exp (with the dh and mont dropped). */ +static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DH_METHOD dh_m = { + "Ibmca DH method", /* name */ + NULL, /* generate_key */ + NULL, /* compute_key */ + ibmca_mod_exp_dh, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + 0, /* flags */ + NULL /* app_data */ +}; + +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1 = DH_OpenSSL(); + + dh_m.generate_key = meth1->generate_key; + dh_m.compute_key = meth1->compute_key; + + return &dh_m; +} + +#else +static DH_METHOD *dh_m = NULL; +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1; + DH_METHOD *method; + + if (dh_m != NULL) + goto done; + + if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL + || (meth1 = DH_OpenSSL()) == NULL + || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) + || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)) { + DH_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dh_m = method; + +done: + return dh_m; +} + 
+void ibmca_dh_destroy(void) +{ + DH_meth_free(dh_m); +} +#endif + +#endif /* end OPENSSL_NO_DH */
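Review bot: in the non-`OLDER_OPENSSL` branch, `ibmca_dh()` short-circuits on `if (dh_m != NULL) goto done;` while `ibmca_dh_destroy()` never clears `dh_m`, so a call to `ibmca_dh()` after a destroy returns a freed `DH_METHOD`. Add `dh_m = NULL;` after `DH_meth_free(dh_m);`. Note also that `ibmca_dh_destroy()` is defined only inside the `#else` branch, so every caller needs the same `OLDER_OPENSSL` guard or the older build will fail to link.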
  32. Download patch src/test/ibmca_mechaList_test.c
  33. Download patch test/test.pm

    --- 1.4.0-1/test/test.pm 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/test.pm 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,47 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +package test; + +sub cipher { + my $tests = 50; + my $max_file_size = 1024; + my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; + my @hex = ("a".."f", "0".."9"); + + my ($cipher,$keylen,$ivlen) = @_; + + # skip if engine not loaded + exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); + + for my $i (1..$tests) { + my $bytes = 1 + int(rand($max_file_size)); + my $key = ""; + $key .= $hex[rand(@hex)] for (1..$keylen); + my $iv = ""; + if ($ivlen > 0) { + $iv .= $hex[rand(@hex)] for (1..$ivlen); + $iv = "-iv $iv"; + } + + # engine enc, no-engine dec + `openssl rand $bytes > data.in`; + `$eng openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + + # no-engine enc, engine dec + `openssl rand $bytes > data.in`; + `openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `$eng openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + } + + `rm -f data.in data.enc data.dec`; +} + +1;
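Review bot: in `cipher`, `$key .= $hex[rand(@hex)] for (1..$keylen);` emits `$keylen` hex digits, but `-K` and `-iv` take two hex digits per byte, so the lengths the callers pass (16 for aes-128, 8 for a DES IV) yield keys and IVs of half the intended size. Loop to `2 * $keylen` and `2 * $ivlen` instead. The exit status of the `openssl` backtick calls is never checked, only that of `cmp`, and the early `exit(1)` leaves data.in, data.enc and data.dec behind in the working directory.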
  34. Download patch src/Makefile.am

    --- 1.4.0-1/src/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/Makefile.am 2018-06-08 13:47:56.000000000 +0000 @@ -1,10 +1,21 @@ -lib_LTLIBRARIES=libibmca.la +VERSION = 2:0:0 -libibmca_la_SOURCES=e_ibmca.c e_ibmca_err.c -libibmca_la_LIBADD=-ldl -libibmca_la_LDFLAGS=-module -version-info 0:2:0 -shared -no-undefined -avoid-version +lib_LTLIBRARIES=ibmca.la -dist_libibmca_la_SOURCES=e_ibmca_err.h e_os.h cryptlib.h +ibmca_la_SOURCES=e_ibmca.c \ + e_ibmca_err.c \ + ibmca_cipher.c \ + ibmca_digest.c \ + ibmca_rsa.c \ + ibmca_dsa.c \ + ibmca_dh.c \ + ibmca_ec.c + +ibmca_la_LIBADD=-ldl +ibmca_la_LDFLAGS=-module -version-info ${VERSION} -shared -no-undefined \ + -Wl,--version-script=${srcdir}/../ibmca.map + +dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h EXTRA_DIST = openssl.cnf.sample ACLOCAL_AMFLAGS = -I m4
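Review bot: `VERSION = 2:0:0` at the top of src/Makefile.am reuses the name Automake already defines as the package version, so this assignment overrides it for everything in this directory that expands `$(VERSION)`. Use a dedicated variable for the libtool `-version-info` triple, for example `IBMCA_LT_VERSION = 2:0:0` (the name is only a suggestion). The new `ibmca_la_LDFLAGS` also drops `-avoid-version` from a `-module` build; please confirm versioned file names are intended for an engine that is loaded by path.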
  35. Download patch test/des-cfb-test.pl

    --- 1.4.0-1/test/des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/des-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cfb", 8, 8);
  36. Download patch test/3des-ecb-test.pl

    --- 1.4.0-1/test/3des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/3des-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3", 24, 0);
  37. Download patch src/e_ibmca.c
  38. Download patch debian/watch

    --- 1.4.0-1/debian/watch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/watch 2016-02-15 16:29:52.000000000 +0000 @@ -1,4 +1,2 @@ -version=4 -opts="mode=git, pgpmode=none" \ -https://github.com/opencryptoki/openssl-ibmca.git refs/tags/v?(.*) \ -debian /bin/sh uupdate +version=3 +http://sf.net/opencryptoki/openssl-ibmca-(.+)\.tar.bz2
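Review bot: the new watch line fetches release tarballs from `http://sf.net/opencryptoki/...` over plain HTTP, and neither the old nor the new file verifies a signature, so nothing authenticates what uscan downloads. The removed lines tracked the GitHub repository and the replacement file is dated 2016-02-15, older than the 2017-09-20 file it replaces, which suggests the Ubuntu side is stale rather than a deliberate change. Keep the upstream location, use HTTPS, and enable signature checking if upstream signs its releases.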
  39. Download patch test/des-cbc-test.pl

    --- 1.4.0-1/test/des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/des-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cbc", 8, 8);
  40. Download patch debian/patches/series

    --- 1.4.0-1/debian/patches/series 2017-09-20 13:40:30.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/patches/series 2017-09-28 15:13:14.000000000 +0000 @@ -1,2 +1,2 @@ openssl-config.patch -libica_soname.patch +dlopen-soname.patch
  41. Download patch test/aes-256-cfb-test.pl

    --- 1.4.0-1/test/aes-256-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-256-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cfb", 32, 16);
  42. Download patch test/aes-192-cfb-test.pl

    --- 1.4.0-1/test/aes-192-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-192-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cfb", 24, 16);
  43. Download patch debian/README.Debian

    --- 1.4.0-1/debian/README.Debian 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -openssl-ibmca for Debian ------------------------ - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location in Debian, which is -/usr/lib/s390x-linux-gnu/openssl-1.0.2/engine/libibmca.so - -Append the `openssl.cnf.sample` file to it `/etc/ssl/openssl.cnf` file; - -``` -$ cat /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample >> /etc/ssl/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the -IBMCA engine and all the supported cryptographic methods. - -``` -$ openssl engine -c -(dynamic) Dynamic engine loading support -(ibmca) Ibmca hardware engine support -[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, - DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, - AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, - AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512] -$ -``` - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 10:47:45 -0300
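Review bot: deleting debian/README.Debian removes the only packaged description of how to enable the engine (append the sample section, move `openssl_conf` to the top, verify with `openssl engine -c`). The path it names, `openssl-1.0.2/engine/libibmca.so`, is stale for this version, but if the steps still apply to 2.0.0 the file should be updated with the new path rather than dropped.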
  44. Download patch test/3des-ofb-test.pl

    --- 1.4.0-1/test/3des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/3des-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-ofb", 24, 8);
  45. Download patch debian/patches/openssl-config.patch

    --- 1.4.0-1/debian/patches/openssl-config.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/patches/openssl-config.patch 2018-02-23 18:06:36.000000000 +0000 @@ -1,15 +1,14 @@ -Description: correct engine location to the multiarch location -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - +Description: correct engine location to the multiarch locationIndex: openssl-ibmca-1.3.0/src/openssl.cnf.sample +=================================================================== --- a/src/openssl.cnf.sample +++ b/src/openssl.cnf.sample -@@ -23,7 +23,7 @@ - # The openssl engine path for libibmca.so. - # Set the dynamic_path to where the libibmca.so engine +@@ -23,7 +23,8 @@ + # The openssl engine path for ibmca.so. + # Set the dynamic_path to where the ibmca.so engine # resides on the system. --dynamic_path = /usr/local/lib/libibmca.so -+dynamic_path = /usr/lib/s390x-linux-gnu/openssl-1.0.2/engines/libibmca.so +-dynamic_path = /usr/local/lib/ibmca.so ++dynamic_path = /usr/lib/s390x-linux-gnu/engines-1.1/ibmca.so ++ engine_id = ibmca init = 1
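Review bot: the rewritten patch header drops the `Author:` and `Last-Update:` fields, and its first line now reads `Description: correct engine location to the multiarch locationIndex: openssl-ibmca-1.3.0/src/openssl.cnf.sample`, so the description has run into the quilt `Index:` line. Restore the line break and keep the DEP-3 fields. The inner hunk also grows from `-23,7 +23,7` to `-23,7 +23,8` only to add an empty line after `dynamic_path`, which looks unintentional.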
  46. Download patch src/ibmca_ec.c
  47. Download patch test/aes-256-cbc-test.pl

    --- 1.4.0-1/test/aes-256-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-256-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cbc", 32, 16);
  48. Download patch test/aes-192-cbc-test.pl

    --- 1.4.0-1/test/aes-192-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-192-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cbc", 24, 16);
  49. Download patch debian/docs

    --- 1.4.0-1/debian/docs 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/docs 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -debian/README.source -debian/README.Debian
  50. Download patch src/doc/ibmca.man

    --- 1.4.0-1/src/doc/ibmca.man 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/doc/ibmca.man 2018-06-08 13:47:56.000000000 +0000 @@ -7,8 +7,7 @@ accelerate cryptographic operations. .SH DESCRIPTION IBMCA accelerates cryptographic operations of applications that use OpenSSL. -The engine can be configured by the IBMCA configuration file. The OpenSSL -configuration file is only needed to attach the engine. +The engine can be configured by the OpenSSL configuration file. .SS openssl.cnf The OpenSSL configuration file can have an IBMCA section. This section includes @@ -25,7 +24,7 @@ discover control commands. Options for the IBMCA section in openssl.cnf: .PP dynamic_path = -.I /path/to/libibmca.so +.I /path/to/ibmca.so .RS Set the path to the IBMCA shared object file allowing OpenSSL to find the file. .RE
  51. Download patch test/3des-cfb-test.pl

    --- 1.4.0-1/test/3des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/3des-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cfb", 24, 8);
  52. Download patch test/aes-128-ecb-test.pl

    --- 1.4.0-1/test/aes-128-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.0-0ubuntu2/test/aes-128-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ecb", 16, 0);
  53. Download patch Makefile.am

    --- 1.4.0-1/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/Makefile.am 2018-06-08 13:47:56.000000000 +0000 @@ -1,4 +1,4 @@ ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src +SUBDIRS = src test -EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh +EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh
  54. Download patch src/ibmca.h
  55. Download patch openssl-ibmca.spec

    --- 1.4.0-1/openssl-ibmca.spec 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/openssl-ibmca.spec 2018-06-08 13:47:56.000000000 +0000 @@ -1,19 +1,17 @@ +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) + Name: openssl-ibmca -Version: 1.4.0 -Release: 0 +Version: 2.0.0 +Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine -Group: Hardware/Other License: ASL 2.0 -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz +URL: https://github.com/opencryptoki/openssl-ibmca +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -BuildRequires: openssl-devel >= 0.9.8, - libica-devel >= 3.1.1, - autoconf, - automake, - libtool -Requires: openssl >= 0.9.8, - libica >= 3.1.1 +Requires: openssl >= 0.9.8 libica >= 3.3.0 +BuildRequires: openssl-devel >= 0.9.8 libica-devel >= 3.3.0 +BuildRequires: autoconf automake libtool ExclusiveArch: s390 s390x 
@@ -22,28 +20,46 @@ This package contains a shared object Op to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%setup -q +%setup -q -n %{name}-%{version} + +./bootstrap.sh %build -%configure -make +%configure --libdir=%{enginesdir} +%make_build %install -%makeinstall -rm -f $RPM_BUILD_ROOT%{_libdir}/libibmca.la -mkdir -p $RPM_BUILD_ROOT%{_libdir}/openssl/engines -mv $RPM_BUILD_ROOT%{_libdir}/lib* $RPM_BUILD_ROOT%{_libdir}/openssl/engines +%make_install +rm -f $RPM_BUILD_ROOT%{enginesdir}/ibmca.la -%post -p /sbin/ldconfig +pushd src +sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd -%postun -p /sbin/ldconfig %files -%doc README INSTALL src/openssl.cnf.sample -%{_mandir}/man5/* -%{_libdir}/openssl/engines/* +%license LICENSE +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%{enginesdir}/ibmca.so +%{_mandir}/man5/ibmca.5* %changelog +* Wed Jun 06 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2.0.0 +- Update Version +- Update libica version required for building ibmca + +* Wed Feb 21 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 1.4.1 +- Updated to 1.4.1 + +* Thu Jan 25 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> +- Update engine filename +- Spec cleanup + +* Thu Oct 26 2017 Patrick Steuer <patrick.steuer@de.ibm.com> +- Fix build warning about comma and newlines +- Remove INSTALL file from doc +- Fix README name on doc + * Fri Sep 8 2017 Paulo Vital <pvital@linux.vnet.ibm.com> 1.4.0 - Update new License - Update Source and URL pointing to GitHub
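Review bot: in `%install`, the `sed` rewrites `/usr/local/lib` in the sample to `%{_libdir}/openssl/engines`, but the build now uses `%configure --libdir=%{enginesdir}` and `%files` ships `%{enginesdir}/ibmca.so`, so the generated `openssl.cnf.sample.%{_arch}` can point at a directory the package does not install into. Substitute `%{enginesdir}` in the `sed` expression so the sample and the installed engine agree.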
  56. Download patch debian/copyright


Source: r-cran-openssl

r-cran-openssl (1.0.1+dfsg-1ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable, remaining changes:
    + Disable test_google.R requiring network access

 -- Graham Inggs <ginggs@ubuntu.com>  Sat, 14 Jul 2018 05:52:44 +0000

Modifications :
  1. Download patch debian/control

    --- 1.0.1+dfsg-1/debian/control 2018-06-17 21:06:44.000000000 +0000 +++ 1.0.1+dfsg-1ubuntu1/debian/control 2018-07-14 05:52:44.000000000 +0000 @@ -1,5 +1,6 @@ Source: r-cran-openssl -Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> Uploaders: Andreas Tille <tille@debian.org> Section: gnu-r Priority: optional
  2. Download patch debian/tests/run-unit-test

    --- 1.0.1+dfsg-1/debian/tests/run-unit-test 2018-06-17 21:06:44.000000000 +0000 +++ 1.0.1+dfsg-1ubuntu1/debian/tests/run-unit-test 2018-07-14 05:52:44.000000000 +0000 @@ -8,5 +8,6 @@ if [ "$ADTTMP" = "" ] ; then fi cd $ADTTMP cp -a /usr/share/doc/${pkg}/tests/* $ADTTMP +rm -f testthat/test_google.R LC_ALL=C R --no-save < testthat.R rm -fr $ADTTMP/*
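Review bot: the added `rm -f testthat/test_google.R` is relative to the preceding `cd $ADTTMP`, which is unquoted and unchecked, so if that `cd` fails the `rm` runs in whatever directory the script started in. Use `rm -f "$ADTTMP/testthat/test_google.R"`. A one-line comment saying the test is removed because it needs network access would also help whoever does the next merge.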