pax_global_header00006660000000000000000000000064142124361420014511gustar00rootroot0000000000000052 comment=93a12d3f3d401247c13ea3f4f47dc3d10fbb6f7b openssl-ibmca-2.2.3/000077500000000000000000000000001421243614200142515ustar00rootroot00000000000000openssl-ibmca-2.2.3/.gitignore000066400000000000000000000003111421243614200162340ustar00rootroot00000000000000build-aux autom4te.cache .deps .libs *.m4 *.lo *.la *.o *.tar.gz ibmca-engine-opensslconfig ibmca_mechaList_test Makefile Makefile.in Makefile.linux config.status config.log configure libtool cscope.* openssl-ibmca-2.2.3/AUTHORS000066400000000000000000000000441421243614200153170ustar00rootroot00000000000000Mike Halcrow openssl-ibmca-2.2.3/CONTRIBUTING.md000066400000000000000000000052271421243614200165100ustar00rootroot00000000000000# How to contribute Patches are more than welcome, even to fix a bug or to add a new feature. Below are a few guidelines we ask of contributors to follow. ## Getting started * Submit a [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) for your issue, assuming one does not already exist. * Clearly describe the issue, including steps to reproduce when it is a bug. * Make sure you fill in the earliest version that you know has the issue. * Include information from your environment (OS, openssl-ibmca version, libica version, and any other related packages version). * Fork the repository on GitHub. ## Making changes These are not mandatory, but try to follow the steps bellow as good practices to contribute to (any open source) project: * Create a topic/issue branch from the `master` branch. ``` $ git checkout master Switched to branch 'master' Your branch is up-to-date with 'origin/master'. $ git checkout -t -b new_branch Branch new_branch set up to track local branch master. Switched to a new branch 'new_branch' $ ``` * Please avoid working directly on the `master` branch. * If the changes are too big, please separate it into smaller, logical, commits. This will improve commit history and code review. * Follow the [coding style](docs/coding_style.md) guidelines. * Check for unnecessary whitespace with `git diff --check` before committing. * Make sure your commit messages are in the proper format and sign your patch. * Use GitHub [auto-closing]( https://help.github.com/articles/closing-issues-via-commit-messages/) keywords in the commit message, make the commit message body as descriptive as necessary limited to 80 columns, and signoff your patch. Ex: ``` Add CONTRIBUTING guidelines The CONTRIBUTING.md file describes the guidelines that every Contributor must follow to get their code integrated into OpenSSL-ibmca. This will improve Contributors/Maintainers work. Fixes #6 Signed-off-by: YOUR_NAME ``` ## Submitting Changes * [Signoff](https://git-scm.com/docs/git-commit#git-commit---signoff) your commits, as mentioned above. * There are two ways to submit patches: * If you prefer the old school way of sending patches to a mailing-list, then feel free to send your patch to the [technical discussion mailing-list]( https://sourceforge.net/projects/opencryptoki/lists/opencryptoki-tech). We will keep you posted as the code review goes by. * If you like GitHub and all the tools it has (like the Maintainers do), then submit a [Pull Request]( https://help.github.com/articles/creating-a-pull-request/). * Wait for your patch review and the Maintainers feedback about your changes. openssl-ibmca-2.2.3/ChangeLog000066400000000000000000000051721421243614200160300ustar00rootroot00000000000000* openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 * openssl-ibmca 2.2.1 - Bug fixes * openssl-ibmca 2.2.0 - Implement fallbacks based on OpenSSL - Disable software fallbacks from libica - Allow to specify default library (libica vs. libica-cex) to use - Provide "libica" engine ctrl to switch library at load time - Update README.md - Remove libica link dependency - Generate sample configuration files from system configuration - Restructure registration global data * openssl-ibmca 2.1.3 - Bug fix * openssl-ibmca 2.1.2 - Bug fixes * openssl-ibmca 2.1.1 - Bug fixes * openssl-ibmca 2.1.0 - Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 * openssl-ibmca 2.0.3 - Add MSA9 CPACF support for ECDSA sign/verify * openssl-ibmca 2.0.2 - Fix doing rsa-me, altough rsa-crt would be possible. * openssl-ibmca 2.0.1 - Dont fail when a libica symbol cannot be resolved. * openssl-ibmca 2.0.0 - Add ECC support. - Add check and distcheck make-targets. - Project cleanup, code was broken into multiple files and coding style cleanup. - Improvements to compat macros for openssl. - Don't disable libica sw fallbacks. - Fix dlclose logic. * openssl-ibmca 1.4.1 - Fix structure size for aes-256-ecb/cbc/cfb/ofb - Update man page - Switch to ibmca.so filename to allow standalone use - Switch off Libica fallback mode if available - Make sure ibmca_init only runs once - Provide simple macro for DEBUG_PRINTF possibility - Cleanup and slight rework of function set_supported_meths * openssl-ibmca 1.4.0 - Re-license to Apache License v2.0 - Fix aes_gcm initialization. - Update man page. - Add macros for OpenSSL 0.9.8 compat. - Remove AC_FUNC_MALLOC from configure.ac - Add compat macro for OpenSSL 1.0.1e-fips. - Setting 'foreign' strictness for automake. - Add AES-GCM support. - Rework EVP_aes macros. - Remove dependency of old local OpenSSL headers. - Fix engine initialization to set function pointers only once. - Update .gitignore file. - Remove blank COPYING and NEWS files. - Remove INSTALL and move its content to README.md - Update README.md file to make use of markdown. - Rename README file to README.md to use markdown - Add CONTRIBUTING guidelines. - Adding coding style documentation. - Enable EVP_MD_FLAG_FIPS flag for SHA-*. - Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 - Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 - Fix wrong parenthesis - convert libica loading to dlopen() and friends - Add support to DSO on new API of OpenSSL-1.1.0 * openssl-ibmca 1.3.1 - Support OpenSSL-1.1 and older versions openssl-ibmca-2.2.3/LICENSE000066400000000000000000000220311421243614200152540ustar00rootroot00000000000000Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: 1. You must give any other recipients of the Work or Derivative Works a copy of this License; and 2. You must cause any modified files to carry prominent notices stating that You changed the files; and 3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and 4. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS openssl-ibmca-2.2.3/Makefile.am000066400000000000000000000001441421243614200163040ustar00rootroot00000000000000ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src test EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh openssl-ibmca-2.2.3/README.md000066400000000000000000000074541421243614200155420ustar00rootroot00000000000000# OpenSSL-ibmca OpenSSL engine that uses the libica library under s390x to accelerate cryptographic operations. ## Requirements The build requirements are: * openssl-devel >= 0.9.8 * libica-devel >= 3.3.0 * autoconf * automake * libtool * openssl * perl The runtime requirements are: * openssl >= 0.9.8 * libica >= 3.3.0 ## Installing ``` $ ./configure [--enable-debug] $ make $ sudo make install ``` This will configure, build and install the package in a default location, which is `/usr/local/lib`. It means that the ibmca.so will be installed in `/usr/local/lib/ibmca.so` by default. If you want to install it anywhere else, run "configure" passing the new location via prefix argument, for example: ``` $ ./configure --prefix=/usr --libdir=/usr/lib64/openssl/engines ``` Additionally, at configure time, you can specify to build against the libica-cex version via the `--with-libica-cex` feature switch. If this switch is not specified, the engine will use the full version of libica by default. To specify the version of libica, use `--with-libica-version=`. The default version is version 4 of libica. To build the engine against version 3 of libica, specify `--with-libica-version=3` at configure time. ## Enabling IBMCA Apps with compiled-in OpenSSL config support can enable the engine via an OpenSSL configuration file. Refer to config(5). A sample OpenSSL configuration file (`openssl.cnf.sample`) is included in this package. If the engine is configured properly, the command below should return the IBMCA engine and all the supported cryptographic methods. ``` $ openssl engine -c (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support [RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512] $ ``` ## Configuring OpenSSL-ibmca Since libica 3.8.0, libica provides two libraries. The basic libica.so.3 contains all the features listed above and is the default library unless the `configure` switch `--with-libica-cex` is provided. In that case, libica-cex.so.4 becomes the default library. If both versions of the library are installed on a system, OpenSSL-ibmca can be configured to use either of these two. To use `libica.so.4`, with OpenSSL-ibmca, simply add the directive `libica = libica.so.4` to your OpenSSL configuration file in the engine section before `init = 1`. Similarly, to use `libica-cex.so.4`, add the line `libica = libica-cex.so.4`. The build process of OpenSSL-ibmca will produce the script `ibmca-engine-opensslconfig` which can be used to update an existing OpenSSL configuration to enable the OpenSSL-ibmca engine. By default, this script is not installed. We leave it to the distributions to find the correct place for this script (or not use it at all). ## Support To report a bug please submit a [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) including the following information in the issue description: * bug description * distro release * openssl-ibmca package version * libica package version * steps to reproduce the bug Regarding technical or usage questions, send email to [opencryptoki-tech]( https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-tech) or [opencryptoki-users]( https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-users) mailing list respectively. ## Limitations The ibmca engine's cipher and digest implementations do not support the processing of messages in arbitrary chunk sizes. All chunks, except the final one, are required to be a multiple of the primitive's block size. ## Contributing See [CONTRIBUTING.md](CONTRIBUTING.md). openssl-ibmca-2.2.3/bootstrap.sh000077500000000000000000000011761421243614200166320ustar00rootroot00000000000000#!/bin/sh # # Copyright [2005-2017] International Business Machines Corp. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # autoreconf -iv openssl-ibmca-2.2.3/cleanup.sh000077500000000000000000000016021421243614200162360ustar00rootroot00000000000000#!/bin/sh # # Copyright [2005-2017] International Business Machines Corp. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # set -x if [ -f Makefile ] ; then make -k clean fi rm -rf build-aux rm -rf autom4te.cache rm m4/* aclocal.m4 rm configure rm config.* rm libtool find . -name Makefile -exec rm {} \; find . -name Makefile.in -exec rm {} \; find . -depth -name .deps -exec rm -rf {} \; openssl-ibmca-2.2.3/configure.ac000066400000000000000000000051641421243614200165450ustar00rootroot00000000000000# -*- Autoconf -*- # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. AC_INIT([openssl-ibmca], [2.2.3], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) AM_INIT_AUTOMAKE([foreign]) # Cmdline arguments. AC_ARG_ENABLE([debug], [AS_HELP_STRING([--enable-debug], [turn on debugging flags (default is off)])], [enable_debug="yes"],) if test "x$enable_debug" == "xyes"; then CFLAGS="$CFLAGS -O0 -g -DDEBUG -Wall" AC_MSG_RESULT([*** Enabling debugging at user request ***]) else CFLAGS="$CFLAGS -O2 -Wall" fi # Checks for programs. AC_DISABLE_STATIC AC_PROG_CC LT_INIT # Checks for libraries. AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 1.1.1 is required ***])) # Checks for header files. AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***])) # Checks for typedefs, structures, and compiler characteristics. AC_HEADER_STDBOOL AC_C_INLINE AC_TYPE_SIZE_T AC_TYPE_SSIZE_T # Checks for library functions. AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]), [#include ]) AC_ARG_WITH([libica-cex], [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library])], [usecexonly=${withval}], []) AC_ARG_WITH([libica-version], [AS_HELP_STRING([--with-libica-version],[Use specified libica major version (defaults to 4)])], [libicaversion=${withval}], [libicaversion=4]) if test "x$usecexonly" = xyes; then defaultlib="libica-cex.so.$libicaversion" ica="ica-cex" else defaultlib="libica.so.$libicaversion" ica="ica" fi # In cex-only mode, testing the ciphers does not make any sense since # they will fall back to OpenSSL without the engine. So remove these # tests from that build. AM_CONDITIONAL([FULL_LIBICA], [test "x$usecexonly" != xyes]) AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"]) AC_SUBST([ICA],["$ica"]) AC_CHECK_PROG([openssl_var],[openssl],[yes],[no]) if test "x$openssl_var" != xyes; then AC_MSG_ERROR([openssl binary required]); fi AC_CONFIG_FILES([ Makefile src/Makefile src/test/Makefile.linux test/Makefile src/doc/Makefile]) AC_OUTPUT echo "CFLAGS=$CFLAGS" echo "default library: $defaultlib" openssl-ibmca-2.2.3/docs/000077500000000000000000000000001421243614200152015ustar00rootroot00000000000000openssl-ibmca-2.2.3/docs/coding_style.md000066400000000000000000000074201421243614200202110ustar00rootroot00000000000000# Coding Style This document describes the preferred coding style for the openssl-ibmca project. It is based on the OpenCryptoki coding style. Coding style is always of personal taste, but defining one coding style makes the maintenance of the project easier and gives a standard face for the source code. The inspiration and formatting of this document came from the Linux Kernel coding style document, but make no assumption as the coding style differ from each other on some aspects. ## 1. Indentation Tabs are 4 space characters, differently from many projects that define it as 8 characters. The main idea behind this is that 4 characters should give you a clear idea about where a block of control starts and ends. ## 2. Line length To keep the code readable and maintainable, the limit on the length of lines is 80 columns and this is a strongly preferred limit. ## 3. Placing Braces and Spaces Here we follow Kernighan and Ritchie teachings. An opening brace is put last on the line, and put the closing brace first, e.g.: ``` if (x == 0) { do_y(); } ``` This applies to all non-function statement blocks: if, switch, for, while, do. Another example: ``` switch (value) { case 1: return "one"; case 2: return "two"; case 3: return "three"; default: return NULL; } ``` However, there is one special case, functions: their opening brace stays at the beginning of the next line, e.g.: ``` int func(int x) { do_something(); } ``` Follow other examples: ``` do { do_something(); } while (condition); ``` ``` if (x == 1) { do_one(); } else if (x > 1) { do_two(); } else { do_three(); } ``` It is not necessary to use braces when there is only a single statement, e.g.: ``` if (x == 1) do_something(); ``` and ``` if (x == 1) do_something(); else do_something_else(); ``` This does not apply when only one branch in a conditional statement is a single statement. In this, case use braces in all branches, e.g.: ``` if (x == 1) { do_something(); do_something_more(); } else { do_something_else(); } ``` ### 3.1. Spaces Always use a space after these keywords: *if, switch, case, for, do, while*. ``` if (condition) { ... } ``` The following keywords should not have a space between them and their parentheses: *sizeof, typeof*. ``` s = sizeof(struct alg); ``` **Do not** add spaces around (inside) parenthesized expressions, e.g.: ``` if ( x == 1 ) { ... } ``` When declaring a pointer or a function that returns a pointer type, the ``*`` must be put adjacent to the data name or function name, e.g.: ``` int *ptr; void ptrcopy(int *dest, char *src); int *get_address(int *ptr); ``` Use: * one space on each side of the following operators: ``` = + - < > * / % | & ^ <= >= == != ? : ``` * no space after unary operators: ``` & * + - ~ ! ``` * no space before postfix/after prefix increment and decrement operators: ``` ++ -- ``` * no space around the ``.`` and ``->`` structure member operators. **Do not** leave trailing whitespace at the end of lines. ## 4. Naming Avoid using CamelCase. It is preferred to name variables and functions by including an underscore between words, e.g.: ``` int person_counter; ``` ## 5. Commenting Comments in the code make everyone's life easier, but don't be too verbose. Focus on **what** your function does and less on **how** it does. The preferred style for long multi-line comments is: ``` /* * This is a multi-line comment. * * A column of asterisks on the left side, * with beginning and ending almost-blank lines. */ ``` openssl-ibmca-2.2.3/ibmca.map000066400000000000000000000001651421243614200160250ustar00rootroot00000000000000IBMCA_2.0.0 { global: v_check; bind_engine; ENGINE_load_ibmca; local: *; }; openssl-ibmca-2.2.3/m4/000077500000000000000000000000001421243614200145715ustar00rootroot00000000000000openssl-ibmca-2.2.3/m4/.dont_remove000066400000000000000000000002221421243614200171070ustar00rootroot00000000000000REQUIRED FILE, PLEASE DON'T REMOVE IT. The current configure.ac requires the m4 directory, but git don't save empty directories in the repository openssl-ibmca-2.2.3/openssl-ibmca.spec000066400000000000000000000061371421243614200176700ustar00rootroot00000000000000%global enginesdir %(pkg-config --variable=enginesdir libcrypto) Name: openssl-ibmca Version: 2.2.3 Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine License: ASL 2.0 URL: https://github.com/opencryptoki/openssl-ibmca Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Requires: openssl >= 1.1.1 libica >= 3.6.0 BuildRequires: openssl-devel >= 1.1.1 libica-devel >= 3.6.0 openssl >= 1.1.1 BuildRequires: autoconf automake libtool perl ExclusiveArch: s390 s390x %description This package contains a shared object OpenSSL dynamic engine which interfaces to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep %setup -q -n %{name}-%{version} ./bootstrap.sh %build %configure --libdir=%{enginesdir} %make_build %install %make_install rm -f $RPM_BUILD_ROOT%{enginesdir}/ibmca.la pushd src sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} popd %files %license LICENSE %doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/ibmca-engine-opensslconfig %{enginesdir}/ibmca.so %{_mandir}/man5/ibmca.5* %changelog * Thu Mar 10 2022 Juergen Christ 2.2.3 - Update Version * Thu Jan 27 2022 Juergen Christ 2.2.2 - Update Version * Mon Sep 13 2021 Juergen Christ 2.2.1 - Update Version * Wed May 19 2021 Juergen Christ 2.2.0 - Update Version * Wed May 19 2021 Juergen Christ 2.1.3 - Update Version * Wed Apr 28 2021 Juergen Christ 2.1.2 - Update Version * Tue May 05 2020 Patrick Steuer 2.1.1 - Update Version * Mon Sep 09 2019 Patrick Steuer 2.1.0 - Update Version * Tue Apr 23 2019 Patrick Steuer 2.0.3 - Update Version * Tue Nov 27 2018 Patrick Steuer 2.0.2 - Update Version * Thu Nov 08 2018 Patrick Steuer 2.0.1 - Update Version * Wed Jun 06 2018 Eduardo Barretto 2.0.0 - Update Version - Update libica version required for building ibmca * Wed Feb 21 2018 Eduardo Barretto 1.4.1 - Updated to 1.4.1 * Thu Jan 25 2018 Eduardo Barretto - Update engine filename - Spec cleanup * Thu Oct 26 2017 Patrick Steuer - Fix build warning about comma and newlines - Remove INSTALL file from doc - Fix README name on doc * Fri Sep 8 2017 Paulo Vital 1.4.0 - Update new License - Update Source and URL pointing to GitHub - Added support to AES-GCM - Fix bugs/issues * Fri Feb 17 2017 Paulo Vital 1.3.1 - Support OpenSSL-1.1 and older versions * Tue Dec 1 2015 Claudio Carvalho 1.3.0 - openssl-ibmca-1.3.0 release * Mon May 2 2011 Kent Yoder 1.2.0 - updates for s390 MSA4 features, engine version 1.2 * Fri Mar 17 2006 Michael A. Halcrow 1.0.0 - initial version openssl-ibmca-2.2.3/src/000077500000000000000000000000001421243614200150405ustar00rootroot00000000000000openssl-ibmca-2.2.3/src/Makefile.am000066400000000000000000000013721421243614200170770ustar00rootroot00000000000000VERSION = 2:2:3 lib_LTLIBRARIES=ibmca.la ibmca_la_SOURCES=e_ibmca.c \ e_ibmca_err.c \ ibmca_cipher.c \ ibmca_digest.c \ ibmca_rsa.c \ ibmca_dsa.c \ ibmca_dh.c \ ibmca_ec.c \ ibmca_pkey.c ibmca_la_LIBADD=-ldl ibmca_la_LDFLAGS=-module -version-number ${VERSION} -shared -no-undefined \ -avoid-version -Wl,--version-script=${srcdir}/../ibmca.map dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h EXTRA_DIST = openssl.cnf.sample ACLOCAL_AMFLAGS = -I m4 SUBDIRS = doc ibmca-engine-opensslconfig: ibmca-engine-opensslconfig.in $(AM_V_GEN)@SED@ -e s!\@libdir\@!@libdir@!g < $< > $@-t && \ chmod a+x $@-t && \ $(am__mv) $@-t $@ noinst_SCRIPTS = ibmca-engine-opensslconfig EXTRA_DIST += ibmca-engine-opensslconfig.in openssl-ibmca-2.2.3/src/doc/000077500000000000000000000000001421243614200156055ustar00rootroot00000000000000openssl-ibmca-2.2.3/src/doc/Makefile.am000066400000000000000000000000641421243614200176410ustar00rootroot00000000000000man5_MANS = ibmca.man dist_man5_MANS = $(man5_MANS) openssl-ibmca-2.2.3/src/doc/ibmca.man000066400000000000000000000035511421243614200173610ustar00rootroot00000000000000.\" Process this file with .\" groff -man -Tascii ibmca.5 .TH IBMCA 5 2017-08-24 IBM "IBMCA user manual" .SH NAME IBMCA \- IBMCA is an OpenSSL engine that uses the libica library under s390x to accelerate cryptographic operations. .SH DESCRIPTION IBMCA accelerates cryptographic operations of applications that use OpenSSL. The engine can be configured by the OpenSSL configuration file. .SS openssl.cnf The OpenSSL configuration file can have an IBMCA section. This section includes only OpenSSL configuration options for the IBMCA engine. .SS Control Commands Applications that load an OpenSSL engine can optionally send control commands to the engine. Control Commands are key value pairs. The value can be a string, a numeric integer or be null. See the engine(3) manpage for a mechanism to discover control commands. .SH OPTIONS .SS openssl.cnf Options for the IBMCA section in openssl.cnf: .PP dynamic_path = .I /path/to/ibmca.so .RS Set the path to the IBMCA shared object file allowing OpenSSL to find the file. .RE .PP engine_id = .I name .RS Set the name of the engine. The default name is "ibmca". .RE .IP "init = 0 | 1" OpenSSL will try to initialize the engine if this option is set to 1. If set to 0, OpenSSL will not try to initialize the engine. .PP default_algorithms = ALL | .I mechanisms .RS Redirect all cryptographic operations through the engine or disable types of mechanisms that the engine supports. If ALL is not used, the default_algorithms consists of a comma separated list of .I mechanisms : .B CIPHERS | DIGESTS | RSA | DH | DSA. .PP Only all CIPHERS and/or DIGESTS can be de/activated. Algorithms like AES can not be de/activated independently. .SS Control Command IBMCA does support one optional control command: .PP SO_PATH: .I /path/to/libica.so .RS Replaces the current libica library by an libica library located at SO_PATH. .RE .SH SEE ALSO .B engine(3) openssl-ibmca-2.2.3/src/e_ibmca.c000066400000000000000000001003161421243614200165640ustar00rootroot00000000000000/* * Copyright [2005-2021] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ /* * Digest and Cipher support added by Robert H Burroughs (burrough@us.ibm.com). * * DES/3DES/AES-CFB/OFB support added by Kent Yoder (yoder1@us.ibm.com) */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ibmca.h" #include "e_ibmca_err.h" #ifndef OPENSSL_NO_HW #ifndef OPENSSL_NO_HW_IBMCA #define IBMCA_LIB_NAME "ibmca engine" #define AP_PATH "/sys/devices/ap" /* * The default library name. The macro LIBICA_SHARED_LIB is provided * via configure at the command line. */ static const char *LIBICA_NAME = LIBICA_SHARED_LIB; /* * If a ctrl command is used to set libica name, we have to strdup the * argument since the config parser will free and clear the element at * the end of parsing. If the engine is not loaded during * configuration, we will not be able to use the string provided by * the ctrl command since it is cleared. Remember if we strdup'ed the * string such that we free it at the end. */ static int LIBICA_NAME_allocated; /* Constants used when creating the ENGINE */ static const char *engine_ibmca_id = "ibmca"; static const char *engine_ibmca_name = "Ibmca hardware engine support"; /* This is a process-global DSO handle used for loading and unloading * the Ibmca library. NB: This is only set (or unset) during an * init() or finish() call (reference counts permitting) and they're * operating with global locks, so this should be thread-safe * implicitly. */ void *ibmca_dso = NULL; ica_adapter_handle_t ibmca_handle = DRIVER_NOT_LOADED; /* entry points into libica, filled out at DSO load time */ ica_get_functionlist_t p_ica_get_functionlist; ica_set_fallback_mode_t p_ica_set_fallback_mode; ica_open_adapter_t p_ica_open_adapter; ica_close_adapter_t p_ica_close_adapter; ica_rsa_mod_expo_t p_ica_rsa_mod_expo; ica_random_number_generate_t p_ica_random_number_generate; ica_rsa_crt_t p_ica_rsa_crt; ica_sha1_t p_ica_sha1; ica_sha256_t p_ica_sha256; ica_sha512_t p_ica_sha512; ica_des_ecb_t p_ica_des_ecb; ica_des_cbc_t p_ica_des_cbc; ica_des_ofb_t p_ica_des_ofb; ica_des_cfb_t p_ica_des_cfb; ica_3des_ecb_t p_ica_3des_ecb; ica_3des_cbc_t p_ica_3des_cbc; ica_3des_cfb_t p_ica_3des_cfb; ica_3des_ofb_t p_ica_3des_ofb; ica_aes_ecb_t p_ica_aes_ecb; ica_aes_cbc_t p_ica_aes_cbc; ica_aes_ofb_t p_ica_aes_ofb; ica_aes_cfb_t p_ica_aes_cfb; #ifndef OPENSSL_NO_AES_GCM ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize; ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; ica_aes_gcm_last_t p_ica_aes_gcm_last; #endif /* save libcrypto's default ec methods */ #ifndef NO_EC #ifdef OLDER_OPENSSL const ECDSA_METHOD *ossl_ecdsa; const ECDH_METHOD *ossl_ecdh; #else const EC_KEY_METHOD *ossl_ec; #endif #endif /* * ibmca_crypto_algos lists the supported crypto algos by ibmca. * This list is matched against all algo support by libica. Only if * the algo is in this list it is activated in ibmca. * The defines can be found in the libica header file. */ static int ibmca_crypto_algos[] = { SHA1, SHA256, SHA512, P_RNG, RSA_ME, RSA_CRT, DES_ECB, DES_CBC, DES_OFB, DES_CFB, DES3_ECB, DES3_CBC, DES3_OFB, DES3_CFB, DES3_CTR, AES_ECB, AES_CBC, AES_OFB, AES_CFB, AES_GCM_KMA, EC_KGEN, EC_DSA_SIGN, EC_DSA_VERIFY, EC_DH, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY, ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE, X448_KEYGEN, X448_DERIVE, 0 }; #define MAX_CIPHER_NIDS sizeof(ibmca_crypto_algos) /* * This struct maps one NID to one crypto algo. * So we can tell OpenSSL this NID maps to this function. */ struct crypto_pair { int nids[MAX_CIPHER_NIDS]; const void *crypto_meths[MAX_CIPHER_NIDS]; }; /* We can not say how much crypto algos are * supported by libica. We can only say the * size is not greater as the supported * crypto algos by ibmca. * The actual number of supported crypto algos * is saved to the size_****_nid variabes */ static size_t size_cipher_list = 0; static size_t size_digest_list = 0; static size_t size_pkey_meths_list = 0; static struct registration_helper { int rsa_enabled; int ec_enabled; int ec_kgen_switch; int ec_dh_switch; int ec_dsa_sign_switch; int ec_dsa_verify_switch; int x25519_keygen_switch; int x25519_derive_switch; int x448_keygen_switch; int x448_derive_switch; int ed25519_keygen_switch; int ed25519_sign_switch; int ed25519_verify_switch; int ed448_keygen_switch; int ed448_sign_switch; int ed448_verify_switch; int x25519_switch; int x448_switch; int ed25519_switch; int ed448_switch; } ibmca_registration; static CRYPTO_ONCE bindcountlockinitonce = CRYPTO_ONCE_STATIC_INIT; static CRYPTO_RWLOCK *bindcountlock = NULL; static int bindcount = 0; static struct crypto_pair ibmca_cipher_lists; static struct crypto_pair ibmca_digest_lists; static struct crypto_pair ibmca_pkey_meths_lists; static int ibmca_usable_ciphers(const int **nids); static int ibmca_engine_ciphers(ENGINE * e, const EVP_CIPHER ** cipher, const int **nids, int nid); static int ibmca_usable_digests(const int **nids); static int ibmca_engine_digests(ENGINE * e, const EVP_MD ** digest, const int **nids, int nid); static int ibmca_engine_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, const int **nids, int nid); static int ibmca_usable_pkey_meths(const int **nids); static void bindcountlockinit(void) { bindcountlock = CRYPTO_THREAD_lock_new(); } /* RAND stuff */ static int ibmca_rand_bytes(unsigned char *buf, int num); static int ibmca_rand_status(void); static RAND_METHOD ibmca_rand = { /* "IBMCA RAND method", */ NULL, /* seed */ ibmca_rand_bytes, /* bytes */ NULL, /* cleanup */ NULL, /* add */ ibmca_rand_bytes, /* pseudorand */ ibmca_rand_status, /* status */ }; /* The definitions for control commands specific to this engine */ #define IBMCA_CMD_SO_PATH ENGINE_CMD_BASE #define IBMCA_CMD_LIBICA (ENGINE_CMD_BASE + 1) static const ENGINE_CMD_DEFN ibmca_cmd_defns[] = { {IBMCA_CMD_SO_PATH, "SO_PATH", "Specifies the path to the 'ibmca' shared library", ENGINE_CMD_FLAG_STRING}, {IBMCA_CMD_LIBICA, "libica", "Specifies the path to the 'libica' shared library", ENGINE_CMD_FLAG_STRING}, {0, NULL, NULL, 0} }; /* Destructor (complements the "ENGINE_ibmca()" constructor) */ static int ibmca_destroy(ENGINE *e) { int newbindcount; CRYPTO_atomic_add(&bindcount, -1, &newbindcount, bindcountlock); if (newbindcount) return 1; /* Unload the ibmca error strings so any error state including our * functs or reasons won't lead to a segfault (they simply get displayed * without corresponding string data because none will be found). */ ERR_unload_IBMCA_strings(); return 1; } inline static int set_RSA_prop(ENGINE *e) { if (ibmca_registration.rsa_enabled) { return 1; } if ( #ifndef OPENSSL_NO_RSA !ENGINE_set_RSA(e, ibmca_rsa()) || #endif #ifndef OPENSSL_NO_DSA !ENGINE_set_DSA(e, ibmca_dsa()) || #endif #ifndef OPENSSL_NO_DH !ENGINE_set_DH(e, ibmca_dh()) #endif ) return 0; ibmca_registration.rsa_enabled = 1; return 1; } #ifndef OPENSSL_NO_EC static int set_EC_prop(ENGINE *e) { if (ibmca_registration.ec_enabled) { return 1; } #ifdef OLDER_OPENSSL ossl_ecdh = ECDH_get_default_method(); ossl_ecdsa = ECDSA_get_default_method(); ibmca_ecdh = ECDH_METHOD_new(NULL); ibmca_ecdsa = ECDSA_METHOD_new(NULL); ECDSA_METHOD_set_name(ibmca_ecdsa, "Ibmca ECDSA method"); ECDSA_METHOD_set_sign(ibmca_ecdsa, ibmca_older_ecdsa_do_sign); ECDSA_METHOD_set_verify(ibmca_ecdsa, ibmca_older_ecdsa_do_verify); #ifdef ECDSA_FLAG_FIPS_METHOD ECDSA_METHOD_set_flags(ibmca_ecdsa, ECDSA_FLAG_FIPS_METHOD); #endif ECDH_METHOD_set_name(ibmca_ecdh, "Ibmca ECDH method"); ECDH_METHOD_set_compute_key(ibmca_ecdh, ibmca_older_ecdh_compute_key); #ifdef ECDH_FLAG_FIPS_METHOD ECDH_METHOD_set_flags(ibmca_ecdh, ECDH_FLAG_FIPS_METHOD); #endif if (!ENGINE_set_ECDH(e, ibmca_ecdh)) return 0; if (!ENGINE_set_ECDSA(e, ibmca_ecdsa)) return 0; #else ossl_ec = EC_KEY_get_default_method(); ibmca_ec = EC_KEY_METHOD_new(ibmca_ec); EC_KEY_METHOD_set_keygen(ibmca_ec, ibmca_ec_key_gen); EC_KEY_METHOD_set_compute_key(ibmca_ec, ibmca_ecdh_compute_key); EC_KEY_METHOD_set_sign(ibmca_ec, ibmca_ecdsa_sign, ECDSA_sign_setup, ibmca_ecdsa_sign_sig); EC_KEY_METHOD_set_verify(ibmca_ec, ibmca_ecdsa_verify, ibmca_ecdsa_verify_sig); if (!ENGINE_set_EC(e, ibmca_ec)) return 0; #endif ibmca_registration.ec_enabled = 1; return 1; } #endif /* * dig_nid_cnt and ciph_nid_cnt count the number of enabled crypt mechanims. * dig_nid_cnt and ciph_nid_cnt needs to be pointer, because only * set_engine_prop knows about how much digest or cipher will be set per call. * To count the number of cipher and digest outside of the function is not * feasible */ inline static int set_engine_prop(ENGINE *e, int algo_id, int *dig_nid_cnt, int *ciph_nid_cnt, int *pkey_nid_cnt) { switch (algo_id) { case P_RNG: if (!ENGINE_set_RAND(e, &ibmca_rand)) return 0; break; /* * RSA will be enabled if one of this is set. OpenSSL does not distinguish * between RSA_ME and RSA_CRT. It is not the task of ibmca to route one ME * call to CRT or vice versa. */ case RSA_ME: case RSA_CRT: if (!set_RSA_prop(e)) return 0; break; #ifndef OPENSSL_NO_SHA1 case SHA1: ibmca_digest_lists.nids[*dig_nid_cnt] = NID_sha1; ibmca_digest_lists.crypto_meths[(*dig_nid_cnt)++] = ibmca_sha1(); break; #endif #ifndef OPENSSL_NO_SHA256 case SHA256: ibmca_digest_lists.nids[*dig_nid_cnt] = NID_sha256; ibmca_digest_lists.crypto_meths[(*dig_nid_cnt)++] = ibmca_sha256(); break; #endif #ifndef OPENSSL_NO_SHA512 case SHA512: ibmca_digest_lists.nids[*dig_nid_cnt] = NID_sha512; ibmca_digest_lists.crypto_meths[(*dig_nid_cnt)++] = ibmca_sha512(); break; #endif case DES_ECB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_ecb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_des_ecb(); break; case DES_CBC: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_cbc; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_des_cbc(); break; case DES_OFB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_ofb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_des_ofb(); break; case DES_CFB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_cfb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_des_cfb(); break; case DES3_ECB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_ede3_ecb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_tdes_ecb(); break; case DES3_CBC: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_ede3_cbc; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_tdes_cbc(); break; case DES3_OFB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_ede3_ofb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_tdes_ofb(); break; case DES3_CFB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_des_ede3_cfb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_tdes_cfb(); break; case AES_ECB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_128_ecb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_128_ecb(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_192_ecb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_192_ecb(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_256_ecb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_256_ecb(); break; case AES_CBC: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_128_cbc; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_128_cbc(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_192_cbc; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_192_cbc(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_256_cbc; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_256_cbc(); break; case AES_OFB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_128_ofb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_128_ofb(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_192_ofb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_192_ofb(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_256_ofb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_256_ofb(); break; case AES_CFB: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_128_cfb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_128_cfb(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_192_cfb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_192_cfb(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_256_cfb; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_256_cfb(); break; #ifndef OPENSSL_NO_AES_GCM case AES_GCM_KMA: ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_128_gcm; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_128_gcm(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_192_gcm; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_192_gcm(); ibmca_cipher_lists.nids[*ciph_nid_cnt] = NID_aes_256_gcm; ibmca_cipher_lists.crypto_meths[(*ciph_nid_cnt)++] = ibmca_aes_256_gcm(); break; #endif #ifndef OPENSSL_NO_EC case EC_KGEN: ibmca_registration.ec_kgen_switch = 1; break; case EC_DH: ibmca_registration.ec_dh_switch = 1; break; case EC_DSA_SIGN: ibmca_registration.ec_dsa_sign_switch = 1; break; case EC_DSA_VERIFY: ibmca_registration.ec_dsa_verify_switch = 1; break; #endif case ED25519_KEYGEN: ibmca_registration.ed25519_keygen_switch = 1; break; case ED25519_SIGN: ibmca_registration.ed25519_sign_switch = 1; break; case ED25519_VERIFY: ibmca_registration.ed25519_verify_switch = 1; break; case ED448_KEYGEN: ibmca_registration.ed448_keygen_switch = 1; break; case ED448_SIGN: ibmca_registration.ed448_sign_switch = 1; break; case ED448_VERIFY: ibmca_registration.ed448_verify_switch = 1; break; case X25519_KEYGEN: ibmca_registration.x25519_keygen_switch = 1; break; case X25519_DERIVE: ibmca_registration.x25519_derive_switch = 1; break; case X448_KEYGEN: ibmca_registration.x448_keygen_switch = 1; break; case X448_DERIVE: ibmca_registration.x448_derive_switch = 1; break; default: break; /* do nothing */ } #ifndef OPENSSL_NO_EC if (ibmca_registration.ec_kgen_switch && ibmca_registration.ec_dh_switch && ibmca_registration.ec_dsa_sign_switch && ibmca_registration.ec_dsa_verify_switch) { if (!set_EC_prop(e)) return 0; } #endif if (ibmca_registration.x25519_keygen_switch && ibmca_registration.x25519_derive_switch && !ibmca_registration.x25519_switch) { ibmca_registration.x25519_switch = 1; ibmca_pkey_meths_lists.nids[*pkey_nid_cnt] = NID_X25519; ibmca_pkey_meths_lists.crypto_meths[(*pkey_nid_cnt)++] = ibmca_x25519(); } if (ibmca_registration.x448_keygen_switch && ibmca_registration.x448_derive_switch && !ibmca_registration.x448_switch) { ibmca_registration.x448_switch = 1; ibmca_pkey_meths_lists.nids[*pkey_nid_cnt] = NID_X448; ibmca_pkey_meths_lists.crypto_meths[(*pkey_nid_cnt)++] = ibmca_x448(); } if (ibmca_registration.ed25519_keygen_switch && ibmca_registration.ed25519_sign_switch && ibmca_registration.ed25519_verify_switch && !ibmca_registration.ed25519_switch) { ibmca_registration.ed25519_switch = 1; ibmca_pkey_meths_lists.nids[*pkey_nid_cnt] = NID_ED25519; ibmca_pkey_meths_lists.crypto_meths[(*pkey_nid_cnt)++] = ibmca_ed25519(); } if (ibmca_registration.ed448_keygen_switch && ibmca_registration.ed448_sign_switch && ibmca_registration.ed448_verify_switch && !ibmca_registration.ed448_switch) { ibmca_registration.ed448_switch = 1; ibmca_pkey_meths_lists.nids[*pkey_nid_cnt] = NID_ED448; ibmca_pkey_meths_lists.crypto_meths[(*pkey_nid_cnt)++] = ibmca_ed448(); } size_cipher_list = *ciph_nid_cnt; size_digest_list = *dig_nid_cnt; size_pkey_meths_list = *pkey_nid_cnt; return 1; } static int set_supported_meths(ENGINE *e) { int i, j; unsigned int mech_len; libica_func_list_element *pmech_list; int rc = 0; int dig_nid_cnt = 0; int ciph_nid_cnt = 0; int pkey_nid_cnt = 0; if (p_ica_get_functionlist(NULL, &mech_len)) return 0; pmech_list = malloc(sizeof(libica_func_list_element) * mech_len); if (!pmech_list) return 0; if (p_ica_get_functionlist(pmech_list, &mech_len)) goto out; for (i = 0; i < mech_len; i++) { libica_func_list_element *f = &pmech_list[i]; /* Disable crypto algorithm if not supported in hardware */ if (!(f->flags & (ICA_FLAG_SHW | ICA_FLAG_DHW))) continue; /* Check if this crypto algorithm is supported by ibmca */ for (j = 0; ibmca_crypto_algos[j]; j++) if (ibmca_crypto_algos[j] == f->mech_mode_id) break; if (!ibmca_crypto_algos[j]) continue; /* * This algorith is supported by ibmca and libica * Set NID, ibmca struct and the info for the ENGINE struct */ if (!set_engine_prop(e, ibmca_crypto_algos[j], &dig_nid_cnt, &ciph_nid_cnt, &pkey_nid_cnt)) goto out; } if (dig_nid_cnt > 0) if (!ENGINE_set_digests(e, ibmca_engine_digests)) goto out; if (ciph_nid_cnt > 0) if (!ENGINE_set_ciphers(e, ibmca_engine_ciphers)) goto out; if (pkey_nid_cnt > 0) if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths)) goto out; rc = 1; out: free(pmech_list); return rc; } __attribute__((constructor)) static void ibmca_constructor(void) { DEBUG_PRINTF(">%s\n", __func__); } __attribute__((destructor)) static void ibmca_destructor(void) { if (bindcountlock) CRYPTO_THREAD_lock_free(bindcountlock); if (LIBICA_NAME_allocated) free((void *)LIBICA_NAME); } static void ica_cleanup(void) { if (ibmca_dso && dlclose(ibmca_dso)) { IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE); return; } ibmca_dso = NULL; p_ica_open_adapter = NULL; p_ica_close_adapter = NULL; p_ica_rsa_mod_expo = NULL; p_ica_rsa_crt = NULL; #ifndef OPENSSL_NO_EC p_ica_ec_key_new = NULL; p_ica_ec_key_init = NULL; p_ica_ec_key_generate = NULL; p_ica_ecdh_derive_secret = NULL; p_ica_ecdsa_sign = NULL; p_ica_ecdsa_verify = NULL; p_ica_ec_key_get_public_key = NULL; p_ica_ec_key_get_private_key = NULL; p_ica_ec_key_free = NULL; #endif p_ica_random_number_generate = NULL; p_ica_sha1 = NULL; p_ica_sha256 = NULL; p_ica_sha512 = NULL; p_ica_aes_ecb = NULL; p_ica_des_ecb = NULL; p_ica_3des_ecb = NULL; p_ica_aes_cbc = NULL; p_ica_des_cbc = NULL; p_ica_3des_cbc = NULL; p_ica_aes_ofb = NULL; p_ica_des_ofb = NULL; p_ica_3des_ofb = NULL; p_ica_aes_cfb = NULL; p_ica_des_cfb = NULL; p_ica_3des_cfb = NULL; #ifndef OPENSSL_NO_AES_GCM p_ica_aes_gcm_initialize = NULL; p_ica_aes_gcm_intermediate = NULL; p_ica_aes_gcm_last = NULL; #endif p_ica_x25519_ctx_new = NULL; p_ica_x448_ctx_new = NULL; p_ica_ed25519_ctx_new = NULL; p_ica_ed448_ctx_new = NULL; p_ica_x25519_key_set = NULL; p_ica_x448_key_set = NULL; p_ica_ed25519_key_set = NULL; p_ica_ed448_key_set = NULL; p_ica_x25519_key_get = NULL; p_ica_x448_key_get = NULL; p_ica_ed25519_key_get = NULL; p_ica_ed448_key_get = NULL; p_ica_x25519_key_gen = NULL; p_ica_x448_key_gen = NULL; p_ica_ed25519_key_gen = NULL; p_ica_ed448_key_gen = NULL; p_ica_x25519_derive = NULL; p_ica_x448_derive = NULL; p_ica_ed25519_sign = NULL; p_ica_ed448_sign = NULL; p_ica_ed25519_verify = NULL; p_ica_ed448_verify = NULL; p_ica_x25519_ctx_del = NULL; p_ica_x448_ctx_del = NULL; p_ica_ed25519_ctx_del = NULL; p_ica_ed448_ctx_del = NULL; } static int ibmca_init(ENGINE *e) { ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW); if (ibmca_dso == NULL) { DEBUG_PRINTF("%s: dlopen(%s) failed\n", __func__, LIBICA_NAME); IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE); goto err; } #define BIND(dso, sym) (p_##sym = (sym##_t)dlsym(dso, #sym)) if (!BIND(ibmca_dso, ica_open_adapter) || !BIND(ibmca_dso, ica_close_adapter) || !BIND(ibmca_dso, ica_get_functionlist)) { IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE); DEBUG_PRINTF("%s: function bind failed\n", __func__); goto err; } BIND(ibmca_dso, ica_rsa_mod_expo); BIND(ibmca_dso, ica_rsa_crt); BIND(ibmca_dso, ica_random_number_generate); BIND(ibmca_dso, ica_sha1); BIND(ibmca_dso, ica_sha256); BIND(ibmca_dso, ica_sha512); BIND(ibmca_dso, ica_aes_ecb); BIND(ibmca_dso, ica_des_ecb); BIND(ibmca_dso, ica_3des_ecb); BIND(ibmca_dso, ica_aes_cbc); BIND(ibmca_dso, ica_des_cbc); BIND(ibmca_dso, ica_3des_cbc); BIND(ibmca_dso, ica_aes_ofb); BIND(ibmca_dso, ica_des_ofb); BIND(ibmca_dso, ica_3des_ofb); BIND(ibmca_dso, ica_aes_cfb); BIND(ibmca_dso, ica_des_cfb); BIND(ibmca_dso, ica_3des_cfb); #ifndef OPENSSL_NO_AES_GCM BIND(ibmca_dso, ica_aes_gcm_initialize); BIND(ibmca_dso, ica_aes_gcm_intermediate); BIND(ibmca_dso, ica_aes_gcm_last); #endif #ifndef OPENSSL_NO_EC BIND(ibmca_dso, ica_ec_key_new); BIND(ibmca_dso, ica_ec_key_init); BIND(ibmca_dso, ica_ec_key_generate); BIND(ibmca_dso, ica_ecdh_derive_secret); BIND(ibmca_dso, ica_ecdsa_sign); BIND(ibmca_dso, ica_ecdsa_verify); BIND(ibmca_dso, ica_ec_key_get_public_key); BIND(ibmca_dso, ica_ec_key_get_private_key); BIND(ibmca_dso, ica_ec_key_free); #endif BIND(ibmca_dso, ica_x25519_ctx_new); BIND(ibmca_dso, ica_x448_ctx_new); BIND(ibmca_dso, ica_ed25519_ctx_new); BIND(ibmca_dso, ica_ed448_ctx_new); BIND(ibmca_dso, ica_x25519_key_set); BIND(ibmca_dso, ica_x448_key_set); BIND(ibmca_dso, ica_ed25519_key_set); BIND(ibmca_dso, ica_ed448_key_set); BIND(ibmca_dso, ica_x25519_key_get); BIND(ibmca_dso, ica_x448_key_get); BIND(ibmca_dso, ica_ed25519_key_get); BIND(ibmca_dso, ica_ed448_key_get); BIND(ibmca_dso, ica_x25519_key_gen); BIND(ibmca_dso, ica_x448_key_gen); BIND(ibmca_dso, ica_ed25519_key_gen); BIND(ibmca_dso, ica_ed448_key_gen); BIND(ibmca_dso, ica_x25519_derive); BIND(ibmca_dso, ica_x448_derive); BIND(ibmca_dso, ica_ed25519_sign); BIND(ibmca_dso, ica_ed448_sign); BIND(ibmca_dso, ica_ed25519_verify); BIND(ibmca_dso, ica_ed448_verify); BIND(ibmca_dso, ica_x25519_ctx_del); BIND(ibmca_dso, ica_x448_ctx_del); BIND(ibmca_dso, ica_ed25519_ctx_del); BIND(ibmca_dso, ica_ed448_ctx_del); /* disable fallbacks on Libica */ if (BIND(ibmca_dso, ica_set_fallback_mode)) p_ica_set_fallback_mode(0); if (p_ica_open_adapter(&ibmca_handle)) { IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_UNIT_FAILURE); goto err; } if (!set_supported_meths(e)) goto err; return 1; err: ica_cleanup(); return 0; } static int ibmca_finish(ENGINE *e) { #ifndef OLDER_OPENSSL ibmca_des_ecb_destroy(); ibmca_des_cbc_destroy(); ibmca_des_ofb_destroy(); ibmca_des_cfb_destroy(); ibmca_tdes_ecb_destroy(); ibmca_tdes_cbc_destroy(); ibmca_tdes_ofb_destroy(); ibmca_tdes_cfb_destroy(); ibmca_aes_128_ecb_destroy(); ibmca_aes_128_cbc_destroy(); ibmca_aes_128_ofb_destroy(); ibmca_aes_128_cfb_destroy(); ibmca_aes_192_ecb_destroy(); ibmca_aes_192_cbc_destroy(); ibmca_aes_192_ofb_destroy(); ibmca_aes_192_cfb_destroy(); ibmca_aes_256_ecb_destroy(); ibmca_aes_256_cbc_destroy(); ibmca_aes_256_ofb_destroy(); ibmca_aes_256_cfb_destroy(); #ifndef OPENSSL_NO_AES_GCM ibmca_aes_128_gcm_destroy(); ibmca_aes_192_gcm_destroy(); ibmca_aes_256_gcm_destroy(); #endif #ifndef OPENSSL_NO_SHA1 ibmca_sha1_destroy(); #endif #ifndef OPENSSL_NO_SHA256 ibmca_sha256_destroy(); #endif #ifndef OPENSSL_NO_SHA512 ibmca_sha512_destroy(); #endif #ifndef OPENSSL_NO_RSA ibmca_rsa_destroy(); #endif #ifndef OPENSSL_NO_DSA ibmca_dsa_destroy(); #endif #ifndef OPENSSL_NO_DH ibmca_dh_destroy(); #endif #endif /* !OLDER_OPENSSL */ #ifndef NO_EC ibmca_ec_destroy(); #endif if (p_ica_close_adapter) p_ica_close_adapter(ibmca_handle); ica_cleanup(); memset(&ibmca_registration, 0, sizeof(ibmca_registration)); return 1; } static int ibmca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) ()) { char *tmp; int initialised = ((ibmca_dso == NULL) ? 0 : 1); switch (cmd) { case IBMCA_CMD_SO_PATH: if (p == NULL) { IBMCAerr(IBMCA_F_IBMCA_CTRL, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (initialised) { IBMCAerr(IBMCA_F_IBMCA_CTRL, IBMCA_R_ALREADY_LOADED); return 0; } return 1; case IBMCA_CMD_LIBICA: if (p == NULL) { IBMCAerr(IBMCA_F_IBMCA_CTRL, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (initialised) { IBMCAerr(IBMCA_F_IBMCA_CTRL, IBMCA_R_ALREADY_LOADED); return 0; } tmp = strdup((const char *) p); if (!tmp) { IBMCAerr(IBMCA_F_IBMCA_CTRL, ERR_R_MALLOC_FAILURE); return 0; } if (LIBICA_NAME_allocated) free((void *)LIBICA_NAME); LIBICA_NAME = tmp; LIBICA_NAME_allocated = 1; return 1; default: break; } IBMCAerr(IBMCA_F_IBMCA_CTRL, IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED); return 0; } /* * This internal function is used by ENGINE_ibmca() * and possibly by the "dynamic" ENGINE support too */ static int bind_helper(ENGINE *e) { int ignored; CRYPTO_THREAD_run_once(&bindcountlockinitonce, bindcountlockinit); CRYPTO_atomic_add(&bindcount, 1, &ignored, bindcountlock); ERR_load_IBMCA_strings(); if (!ENGINE_set_id(e, engine_ibmca_id) || !ENGINE_set_name(e, engine_ibmca_name) || !ENGINE_set_destroy_function(e, ibmca_destroy) || !ENGINE_set_init_function(e, ibmca_init) || !ENGINE_set_finish_function(e, ibmca_finish) || !ENGINE_set_ctrl_function(e, ibmca_ctrl) || !ENGINE_set_cmd_defns(e, ibmca_cmd_defns)) return 0; return 1; } static ENGINE *engine_ibmca(void) { ENGINE *ret = ENGINE_new(); if (!ret) return NULL; if (!bind_helper(ret)) { ENGINE_free(ret); return NULL; } return ret; } void ENGINE_load_ibmca(void) { /* Copied from eng_[openssl|dyn].c */ ENGINE *toadd = engine_ibmca(); if (!toadd) return; ENGINE_add(toadd); ENGINE_free(toadd); ERR_clear_error(); } /* * ENGINE calls this to find out how to deal with * a particular NID in the ENGINE. */ static int ibmca_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid) { int i; if (!cipher) return (ibmca_usable_ciphers(nids)); *cipher = NULL; for (i = 0; i < size_cipher_list; i++) if (nid == ibmca_cipher_lists.nids[i]) { *cipher = (EVP_CIPHER *) ibmca_cipher_lists.crypto_meths[i]; break; } /* Check: how can *cipher be NULL? */ return (*cipher != NULL); } static int ibmca_usable_ciphers(const int **nids) { if (nids) *nids = ibmca_cipher_lists.nids; return size_cipher_list; } static int ibmca_engine_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid) { int i; if (!digest) return (ibmca_usable_digests(nids)); *digest = NULL; for (i = 0; i < size_digest_list; i++) if (nid == ibmca_digest_lists.nids[i]) { *digest = (EVP_MD *) ibmca_digest_lists.crypto_meths[i]; break; } return (*digest != NULL); } static int ibmca_usable_digests(const int **nids) { if (nids) *nids = ibmca_digest_lists.nids; return size_digest_list; } static int ibmca_engine_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, const int **nids, int nid) { int i; if (!pmeth) return (ibmca_usable_pkey_meths(nids)); *pmeth = NULL; for (i = 0; i < size_pkey_meths_list; i++) { if (nid == ibmca_pkey_meths_lists.nids[i]) { *pmeth = (EVP_PKEY_METHOD *)ibmca_pkey_meths_lists.crypto_meths[i]; break; } } return (*pmeth != NULL); } static int ibmca_usable_pkey_meths(const int **nids) { if (nids) *nids = ibmca_pkey_meths_lists.nids; return size_pkey_meths_list; } /* Random bytes are good */ static int ibmca_rand_bytes(unsigned char *buf, int num) { unsigned int rc; rc = p_ica_random_number_generate(num, buf); if (rc < 0) { IBMCAerr(IBMCA_F_IBMCA_RAND_BYTES, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_rand_status(void) { return 1; } /* * This stuff is needed if this ENGINE is being * compiled into a self-contained shared-library. */ static int bind_fn(ENGINE *e, const char *id) { if (id && (strcmp(id, engine_ibmca_id) != 0)) { fprintf(stderr, "wrong engine id\n"); return 0; } if (!bind_helper(e)) { fprintf(stderr, "bind failed\n"); return 0; } return 1; } IMPLEMENT_DYNAMIC_CHECK_FN() IMPLEMENT_DYNAMIC_BIND_FN(bind_fn) #endif /* !OPENSSL_NO_HW_IBMCA */ #endif /* !OPENSSL_NO_HW */ openssl-ibmca-2.2.3/src/e_ibmca_err.c000066400000000000000000000135341421243614200174410ustar00rootroot00000000000000/* * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include #include "e_ibmca_err.h" /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA IBMCA_str_functs[] = { {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 0), "IBMCA_SHA1_FINAL"}, {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, {ERR_PACK(0, IBMCA_F_IBMCA_EC_KEY_GEN, 0), "IBMCA_EC_KEY_GEN"}, {ERR_PACK(0, IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, 0), "IBMCA_ECDH_COMPUTE_KEY"}, {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN, 0), "IBMCA_ECDSA_SIGN"}, {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN_SIG, 0), "IBMCA_ECDSA_SIGN_SIG"}, {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_DO_SIGN, 0), "IBMCA_ECDSA_DO_SIGN"}, {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY, 0), "IBMCA_ECDSA_VERIFY"}, {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, 0), "IBMCA_ECDSA_VERIFY_SIG"}, {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_NEW, 0), "ICA_EC_KEY_NEW"}, {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_INIT, 0), "ICA_EC_KEY_INIT"}, {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GENERATE, 0), "ICA_EC_KEY_GENERATE"}, {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY, 0), "ICA_EC_KEY_GET_PUBLIC_KEY"}, {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY, 0), "ICA_EC_KEY_GET_PRIVATE_KEY"}, {ERR_PACK(0, IBMCA_F_ICA_ECDH_DERIVE_SECRET, 0), "ICA_ECDH_DERIVE_SECRET"}, {ERR_PACK(0, IBMCA_F_ICA_ECDSA_SIGN, 0), "ICA_ECDSA_SIGN"}, {ERR_PACK(0, IBMCA_F_ICA_ECDSA_VERIFY, 0), "ICA_ECDSA_VERIFY"}, {ERR_PACK(0, IBMCA_F_ICA_ECDSA_VERIFY, 0), "IBMCA_X25519_KEYGEN"}, {ERR_PACK(0, IBMCA_F_ICA_ECDSA_VERIFY, 0), "IBMCA_X25519_DERIVE"}, {0, NULL} }; static ERR_STRING_DATA IBMCA_str_reasons[] = { {IBMCA_R_ALREADY_LOADED, "already loaded"}, {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctrl command not implemented"}, {IBMCA_R_DSO_FAILURE, "dso failure"}, {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, {IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, {IBMCA_R_NOT_INITIALISED, "not initialised"}, {IBMCA_R_NOT_LOADED, "not loaded"}, {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, {IBMCA_R_REQUEST_FAILED, "request failed"}, {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, {IBMCA_R_UNIT_FAILURE, "unit failure"}, {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, {IBMCA_R_EC_INVALID_PARM, "ec invalid parameter"}, {IBMCA_R_EC_UNSUPPORTED_CURVE, "ec unsupported curve"}, {IBMCA_R_EC_INTERNAL_ERROR, "ec internal error"}, {IBMCA_R_EC_ICA_EC_KEY_INIT, "ec ica ec key init"}, {IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING, "ec curve does not support signing"}, {IBMCA_R_PKEY_INTERNAL_ERROR, "internal error"}, {IBMCA_R_PKEY_KEYGEN_FAILED, "keygen failed"}, {IBMCA_R_PKEY_KEYS_NOT_SET, "keys not set"}, {0, NULL} }; #endif #ifdef IBMCA_LIB_NAME static ERR_STRING_DATA IBMCA_lib_name[] = { {0, IBMCA_LIB_NAME}, {0, NULL} }; #endif static int IBMCA_lib_error_code = 0; static int IBMCA_error_init = 1; void ERR_load_IBMCA_strings(void) { if (IBMCA_lib_error_code == 0) IBMCA_lib_error_code = ERR_get_next_error_library(); if (IBMCA_error_init) { IBMCA_error_init = 0; #ifndef OPENSSL_NO_ERR ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME IBMCA_lib_name->error = ERR_PACK(IBMCA_lib_error_code, 0, 0); ERR_load_strings(0, IBMCA_lib_name); #endif } } void ERR_unload_IBMCA_strings(void) { if (IBMCA_error_init == 0) { #ifndef OPENSSL_NO_ERR ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME ERR_unload_strings(0, IBMCA_lib_name); #endif IBMCA_error_init = 1; } } void ERR_IBMCA_error(int function, int reason, char *file, int line) { if (IBMCA_lib_error_code == 0) IBMCA_lib_error_code = ERR_get_next_error_library(); ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); } openssl-ibmca-2.2.3/src/e_ibmca_err.h000066400000000000000000000075751421243614200174560ustar00rootroot00000000000000/* * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #ifndef HEADER_IBMCA_ERR_H #define HEADER_IBMCA_ERR_H /* BEGIN ERROR CODES */ void ERR_load_IBMCA_strings(void); void ERR_unload_IBMCA_strings(void); void ERR_IBMCA_error(int function, int reason, char *file, int line); #define IBMCAerr(f,r) ERR_IBMCA_error((f),(r),__FILE__,__LINE__) /* Error codes for the IBMCA functions. */ /* Function codes. */ #define IBMCA_F_IBMCA_CTRL 100 #define IBMCA_F_IBMCA_FINISH 101 #define IBMCA_F_IBMCA_INIT 102 #define IBMCA_F_IBMCA_MOD_EXP 103 #define IBMCA_F_IBMCA_MOD_EXP_CRT 104 #define IBMCA_F_IBMCA_RAND_BYTES 105 #define IBMCA_F_IBMCA_RSA_MOD_EXP 106 #define IBMCA_F_IBMCA_DES_CIPHER 107 #define IBMCA_F_IBMCA_TDES_CIPHER 108 #define IBMCA_F_IBMCA_SHA1_UPDATE 109 #define IBMCA_F_IBMCA_SHA1_FINAL 110 #define IBMCA_F_IBMCA_AES_128_CIPHER 111 #define IBMCA_F_IBMCA_AES_192_CIPHER 112 #define IBMCA_F_IBMCA_AES_256_CIPHER 113 #define IBMCA_F_IBMCA_SHA256_UPDATE 114 #define IBMCA_F_IBMCA_SHA256_FINAL 115 #define IBMCA_F_IBMCA_SHA512_UPDATE 116 #define IBMCA_F_IBMCA_SHA512_FINAL 117 #define IBMCA_F_IBMCA_EC_KEY_GEN 120 #define IBMCA_F_IBMCA_ECDH_COMPUTE_KEY 121 #define IBMCA_F_IBMCA_ECDSA_SIGN 122 #define IBMCA_F_IBMCA_ECDSA_SIGN_SIG 123 #define IBMCA_F_IBMCA_ECDSA_DO_SIGN 124 #define IBMCA_F_IBMCA_ECDSA_VERIFY 125 #define IBMCA_F_IBMCA_ECDSA_VERIFY_SIG 126 #define IBMCA_F_ICA_EC_KEY_NEW 127 #define IBMCA_F_ICA_EC_KEY_INIT 128 #define IBMCA_F_ICA_EC_KEY_GENERATE 129 #define IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY 130 #define IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY 131 #define IBMCA_F_ICA_ECDH_DERIVE_SECRET 132 #define IBMCA_F_ICA_ECDSA_SIGN 133 #define IBMCA_F_ICA_ECDSA_VERIFY 134 #define IBMCA_F_IBMCA_X25519_KEYGEN 140 #define IBMCA_F_IBMCA_X25519_DERIVE 141 #define IBMCA_F_IBMCA_X448_KEYGEN 142 #define IBMCA_F_IBMCA_X448_DERIVE 143 #define IBMCA_F_IBMCA_ED25519_KEYGEN 144 #define IBMCA_F_IBMCA_ED448_KEYGEN 145 #define IBMCA_F_IBMCA_ED25519_SIGN 146 #define IBMCA_F_IBMCA_ED448_SIGN 147 #define IBMCA_F_IBMCA_ED25519_VERIFY 148 #define IBMCA_F_IBMCA_ED448_VERIFY 149 /* Reason codes. */ #define IBMCA_R_ALREADY_LOADED 100 #define IBMCA_R_BN_CTX_FULL 101 #define IBMCA_R_BN_EXPAND_FAIL 102 #define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 #define IBMCA_R_DSO_FAILURE 104 #define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 #define IBMCA_R_MISSING_KEY_COMPONENTS 105 #define IBMCA_R_NOT_INITIALISED 106 #define IBMCA_R_NOT_LOADED 107 #define IBMCA_R_OPERANDS_TO_LARGE 111 #define IBMCA_R_OUTLEN_TO_LARGE 112 #define IBMCA_R_REQUEST_FAILED 108 #define IBMCA_R_UNDERFLOW_CONDITION 113 #define IBMCA_R_UNDERFLOW_KEYRECORD 114 #define IBMCA_R_UNIT_FAILURE 109 #define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 #define IBMCA_R_EC_INVALID_PARM 120 #define IBMCA_R_EC_UNSUPPORTED_CURVE 121 #define IBMCA_R_EC_INTERNAL_ERROR 122 #define IBMCA_R_EC_ICA_EC_KEY_INIT 123 #define IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING 159 #define IBMCA_R_PKEY_INTERNAL_ERROR 160 #define IBMCA_R_PKEY_KEYGEN_FAILED 161 #define IBMCA_R_PKEY_KEYS_NOT_SET 162 #endif openssl-ibmca-2.2.3/src/ibmca-engine-opensslconfig.in000066400000000000000000000077431421243614200225700ustar00rootroot00000000000000#!/usr/bin/perl # # Copyright 2022 International Business Machines Corp. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # # Generate openssl.cnf from the system config file with added engine section # for ibmca engine. # # USE WITH CARE: No automation can replace human knowledge and understanding # of the desired configuration! # use strict; use warnings; sub generate() { my ($osslconfpath); my ($tmp, $ih, $line, $oh, $defaultcnfsect, $indefaultsect, $enginesect); $osslconfpath = `openssl version -d` || die "Please install openssl binary"; $osslconfpath =~ s/OPENSSLDIR: \"([^\"]*)\"$/$1/ || die "Failed to extract OpenSSL configuration directory"; chomp $osslconfpath; open($ih, "<", "$osslconfpath/openssl.cnf") or die "Cannot open $osslconfpath/openssl.cnf"; open($oh, ">", "openssl.cnf.ibmca") or die "Cannot open openssl.cnf.ibmca"; $defaultcnfsect = undef; $indefaultsect = 0; $enginesect = undef; while ($line = <$ih>) { if ($line =~ /openssl_conf\s*=\s*(.*)/) { $defaultcnfsect = $1; chomp $defaultcnfsect; } if ($indefaultsect) { if ($line =~ /\[\s*\w+\s*\]/) { if (!$enginesect) { print $oh "engines = engine_section\n" } $indefaultsect = 0; } elsif ($line =~ /^\s*engines\s*=\s*(\w+)\s*/) { $enginesect = $1; chomp $enginesect; } } print $oh "$line"; if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) { $indefaultsect = 1; } if ($enginesect && $line =~ /\[\s*$enginesect\s*\]/) { print $oh "ibmca = ibmca_section\n" } } if (!$defaultcnfsect) { print $oh, qq| openssl_conf = openssl_init [openssl_init] engines = engine_section |; } if (!$enginesect) { print $oh qq| [engine_section] ibmca = ibmca_section |; } print $oh qq| [ibmca_section] # The openssl engine path for ibmca.so. # Set the dynamic_path to where the ibmca.so engine # resides on the system. dynamic_path = @libdir@/ibmca.so engine_id = ibmca init = 1 # # The following ibmca algorithms will be enabled by these parameters # to the default_algorithms line. Any combination of these is valid, # with "ALL" denoting the same as all of them in a comma separated # list. # # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # # DH # - DH key exchange # # DSA # - DSA sign and verify # # RAND # - Hardware random number generation # # ECDSA (OpenSSL < 1.1.0) # - Elliptic Curve DSA sign and verify # # ECDH (OpenSSL < 1.1.0) # - Elliptic Curve DH key exchange # # EC (OpenSSL >= 1.1.0) # - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange # # CIPHERS # - DES-ECB, DES-CBC, DES-CFB, DES-OFB, # DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, # AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, # AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, # AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # # PKEY_CRYPTO # - X25519, X448, ED25519, ED448 #default_algorithms = ALL default_algorithms = PKEY_CRYPTO,RAND,RSA,DH,DSA,EC |; close($ih); close($oh); print qq| Successfully generated openssl.cnf.ibmca file. Please review this configuration and, if you are happy with the changes, replace $osslconfpath/openssl.cnf with this file. |; } generate(); openssl-ibmca-2.2.3/src/ibmca.h000066400000000000000000000655511421243614200163000ustar00rootroot00000000000000/* * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include #include #include #include #include #if OPENSSL_VERSION_NUMBER < 0x10100000L #define OLDER_OPENSSL #endif /* * Here is a DEBUG_PRINTF macro which expands to nothing * at production level and is active only when the * ibmca build is configured with --enable-debug */ #ifdef DEBUG # define DEBUG_PRINTF(...) fprintf(stderr, __VA_ARGS__) #else # define DEBUG_PRINTF(...) do{} while(0) #endif /* COMPAT MACROS */ #ifdef OLDER_OPENSSL #define EVP_CIPHER_CTX_get_cipher_data(ctx) ((ctx)->cipher_data) #define EVP_CIPHER_CTX_original_iv(ctx) ((ctx)->oiv) #define EVP_CIPHER_CTX_iv_noconst(ctx) ((ctx)->iv) #define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) #define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) #define EVP_CIPHER_CTX_key_length(ctx) ((ctx)->cipher->key_len) #define EVP_MD_CTX_md_data(ctx) ((ctx)->md_data) #else #define EVP_CTRL_GCM_SET_IVLEN EVP_CTRL_AEAD_SET_IVLEN #define EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG #define EVP_CTRL_GCM_GET_TAG EVP_CTRL_AEAD_GET_TAG #endif #if !defined(NID_aes_128_gcm) || \ !defined(NID_aes_192_gcm) || \ !defined(NID_aes_256_gcm) #ifndef OPENSSL_NO_AES_GCM #define OPENSSL_NO_AES_GCM #endif #endif #ifndef EVP_AEAD_TLS1_AAD_LEN #define EVP_AEAD_TLS1_AAD_LEN 13 #endif #ifndef EVP_MD_FLAG_PKEY_METHOD_SIGNATURE #define EVP_MD_FLAG_PKEY_METHOD_SIGNATURE 0 #endif /******************************* Cipher stuff *********************************/ typedef struct ibmca_des_context { unsigned char key[sizeof(ica_des_key_triple_t)]; } ICA_DES_CTX; typedef ICA_DES_CTX ICA_TDES_CTX; #define AES_128_KEYLEN AES_KEY_LEN128 typedef struct ibmca_aes_128_context { unsigned char key[sizeof(ica_aes_key_len_128_t)]; } ICA_AES_128_CTX; #define AES_192_KEYLEN AES_KEY_LEN192 typedef struct ibmca_aes_192_context { unsigned char key[sizeof(ica_aes_key_len_192_t)]; } ICA_AES_192_CTX; #define AES_256_KEYLEN AES_KEY_LEN256 typedef struct ibmca_aes_256_context { unsigned char key[sizeof(ica_aes_key_len_256_t)]; } ICA_AES_256_CTX; typedef struct ibmca_aes_gcm_context { unsigned char key[32]; int key_set; int iv_set; unsigned char tag[16]; unsigned char subkey[16]; unsigned char icb[16]; unsigned char ucb[16]; unsigned long long ptlen; unsigned long long aadlen; unsigned char *iv; int ivlen; int taglen; int iv_gen; int tls_aadlen; } ICA_AES_GCM_CTX; #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb) #define NID_aes_128_cfb NID_aes_128_cfb128 #endif #if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb) #define NID_aes_128_ofb NID_aes_128_ofb128 #endif #if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb) #define NID_aes_192_cfb NID_aes_192_cfb128 #endif #if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb) #define NID_aes_192_ofb NID_aes_192_ofb128 #endif #if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb) #define NID_aes_256_cfb NID_aes_256_cfb128 #endif #if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb) #define NID_aes_256_ofb NID_aes_256_ofb128 #endif #if defined(NID_des_ofb64) && ! defined (NID_des_ofb) #define NID_des_ofb NID_des_ofb64 #endif #if defined(NID_des_ede3_ofb64) && ! defined (NID_des_ede3_ofb) #define NID_des_ede3_ofb NID_des_ede3_ofb64 #endif #if defined(NID_des_cfb64) && ! defined (NID_des_cfb) #define NID_des_cfb NID_des_cfb64 #endif #if defined(NID_des_ede3_cfb64) && ! defined (NID_des_ede3_cfb) #define NID_des_ede3_cfb NID_des_ede3_cfb64 #endif const EVP_CIPHER *ibmca_des_ecb(); const EVP_CIPHER *ibmca_des_cbc(); const EVP_CIPHER *ibmca_des_ofb(); const EVP_CIPHER *ibmca_des_cfb(); const EVP_CIPHER *ibmca_tdes_ecb(); const EVP_CIPHER *ibmca_tdes_cbc(); const EVP_CIPHER *ibmca_tdes_ofb(); const EVP_CIPHER *ibmca_tdes_cfb(); const EVP_CIPHER *ibmca_aes_128_ecb(); const EVP_CIPHER *ibmca_aes_128_cbc(); const EVP_CIPHER *ibmca_aes_128_ofb(); const EVP_CIPHER *ibmca_aes_128_cfb(); const EVP_CIPHER *ibmca_aes_192_ecb(); const EVP_CIPHER *ibmca_aes_192_cbc(); const EVP_CIPHER *ibmca_aes_192_ofb(); const EVP_CIPHER *ibmca_aes_192_cfb(); const EVP_CIPHER *ibmca_aes_256_ecb(); const EVP_CIPHER *ibmca_aes_256_cbc(); const EVP_CIPHER *ibmca_aes_256_ofb(); const EVP_CIPHER *ibmca_aes_256_cfb(); #ifndef OPENSSL_NO_AES_GCM const EVP_CIPHER *ibmca_aes_128_gcm(); const EVP_CIPHER *ibmca_aes_192_gcm(); const EVP_CIPHER *ibmca_aes_256_gcm(); #endif #ifndef OLDER_OPENSSL void ibmca_des_ecb_destroy(); void ibmca_des_cbc_destroy(); void ibmca_des_ofb_destroy(); void ibmca_des_cfb_destroy(); void ibmca_tdes_ecb_destroy(); void ibmca_tdes_cbc_destroy(); void ibmca_tdes_ofb_destroy(); void ibmca_tdes_cfb_destroy(); void ibmca_aes_128_ecb_destroy(); void ibmca_aes_128_cbc_destroy(); void ibmca_aes_128_ofb_destroy(); void ibmca_aes_128_cfb_destroy(); void ibmca_aes_192_ecb_destroy(); void ibmca_aes_192_cbc_destroy(); void ibmca_aes_192_ofb_destroy(); void ibmca_aes_192_cfb_destroy(); void ibmca_aes_256_ecb_destroy(); void ibmca_aes_256_cbc_destroy(); void ibmca_aes_256_ofb_destroy(); void ibmca_aes_256_cfb_destroy(); void ibmca_aes_128_gcm_destroy(); void ibmca_aes_192_gcm_destroy(); void ibmca_aes_256_gcm_destroy(); #endif /******************************* Digest stuff *********************************/ #ifndef OPENSSL_NO_SHA1 #define SHA_BLOCK_SIZE 64 typedef struct ibmca_sha1_ctx { sha_context_t c; unsigned char tail[SHA_BLOCK_SIZE]; unsigned int tail_len; } IBMCA_SHA_CTX; const EVP_MD *ibmca_sha1(); #ifndef OLDER_OPENSSL void ibmca_sha1_destroy(); #endif #endif #ifndef OPENSSL_NO_SHA256 #define SHA256_BLOCK_SIZE 64 typedef struct ibmca_sha256_ctx { sha256_context_t c; unsigned char tail[SHA256_BLOCK_SIZE]; unsigned int tail_len; } IBMCA_SHA256_CTX; const EVP_MD *ibmca_sha256(); #ifndef OLDER_OPENSSL void ibmca_sha256_destroy(); #endif #endif #ifndef OPENSSL_NO_SHA512 #define SHA512_BLOCK_SIZE 128 typedef struct ibmca_sha512_ctx { sha512_context_t c; unsigned char tail[SHA512_BLOCK_SIZE]; unsigned int tail_len; } IBMCA_SHA512_CTX; const EVP_MD *ibmca_sha512(); #ifndef OLDER_OPENSSL void ibmca_sha512_destroy(); #endif #endif /******************************** BIGNUM stuff ********************************/ int ibmca_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); /********************************* RSA stuff **********************************/ #ifndef OPENSSL_NO_RSA RSA_METHOD *ibmca_rsa(); #ifndef OLDER_OPENSSL void ibmca_rsa_destroy(void); #endif #endif extern ica_adapter_handle_t ibmca_handle; /********************************* DSA stuff **********************************/ #ifndef OPENSSL_NO_DSA DSA_METHOD *ibmca_dsa(); #ifndef OLDER_OPENSSL void ibmca_dsa_destroy(void); #endif #endif /********************************** DH stuff **********************************/ #ifndef OPENSSL_NO_DH DH_METHOD *ibmca_dh(); #ifndef OLDER_OPENSSL void ibmca_dh_destroy(void); #endif #endif /********************************** EC stuff **********************************/ /* Either enable or disable ALL ECC */ #ifndef OPENSSL_NO_EC #if defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_ECDSA) #define OPENSSL_NO_EC #endif #endif #define IBMCA_EC_MAX_D_LEN 66 #define IBMCA_EC_MAX_Q_LEN (2 * IBMCA_EC_MAX_D_LEN) #define IBMCA_EC_MAX_SIG_LEN IBMCA_EC_MAX_Q_LEN #define IBMCA_EC_MAX_Z_LEN IBMCA_EC_MAX_D_LEN #ifndef OPENSSL_NO_EC void ibmca_ec_destroy(void); int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen, const EC_POINT *pub_key, const EC_KEY *ecdh); ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey); int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey); #ifdef OLDER_OPENSSL extern ECDSA_METHOD *ibmca_ecdsa; extern ECDH_METHOD *ibmca_ecdh; extern const ECDSA_METHOD *ossl_ecdsa; extern const ECDH_METHOD *ossl_ecdh; int ibmca_older_ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen)); ECDSA_SIG *ibmca_older_ecdsa_do_sign(const unsigned char *dgst, int dlen, const BIGNUM *, const BIGNUM *, EC_KEY *eckey); int ibmca_older_ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey); /* * APIs which are missing in openssl 1.0.2. */ ECDH_METHOD *ECDH_METHOD_new(const ECDH_METHOD *meth); void ECDH_METHOD_set_compute_key(ECDH_METHOD *meth, int (*compute_key)(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))); void ECDH_METHOD_get_compute_key(const ECDH_METHOD *meth, int (**compute_key)(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))); void ECDH_METHOD_set_name(ECDH_METHOD *meth, char *name); void ECDH_METHOD_free(ECDH_METHOD *meth); void ECDSA_METHOD_get_sign(const ECDSA_METHOD *meth, int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp), ECDSA_SIG *(**psign_sig)(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)); void ECDSA_METHOD_get_verify(const ECDSA_METHOD *meth, int (**pverify_sig)(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey)); #else extern EC_KEY_METHOD *ibmca_ec; extern const EC_KEY_METHOD *ossl_ec; int ibmca_ec_key_gen(EC_KEY *eckey); int ibmca_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig_array, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey); int ibmca_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); #endif #endif const EVP_PKEY_METHOD *ibmca_x25519(void); const EVP_PKEY_METHOD *ibmca_x448(void); const EVP_PKEY_METHOD *ibmca_ed25519(void); const EVP_PKEY_METHOD *ibmca_ed448(void); void ibmca_x25519_destroy(void); void ibmca_x448_destroy(void); void ibmca_ed25519_destroy(void); void ibmca_ed448_destroy(void); /******************************* Libica stuff *********************************/ /* * These are the function pointers that are (un)set when the library has * successfully (un)loaded. */ typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *, unsigned int *); typedef void (*ica_set_fallback_mode_t)(int); typedef unsigned int (*ica_open_adapter_t)(ica_adapter_handle_t *); typedef unsigned int (*ica_close_adapter_t)(ica_adapter_handle_t); typedef unsigned int (*ica_rsa_mod_expo_t)(ica_adapter_handle_t, unsigned char *, ica_rsa_key_mod_expo_t *, unsigned char *); typedef unsigned int (*ica_rsa_crt_t)(ica_adapter_handle_t, unsigned char *, ica_rsa_key_crt_t *, unsigned char *); typedef unsigned int (*ica_random_number_generate_t)(unsigned int, unsigned char *); typedef unsigned int (*ica_sha1_t)(unsigned int, unsigned int, unsigned char *, sha_context_t *, unsigned char *); typedef unsigned int (*ica_sha256_t)(unsigned int, unsigned int, unsigned char *, sha256_context_t *, unsigned char *); typedef unsigned int (*ica_sha512_t)(unsigned int, unsigned int, unsigned char *, sha512_context_t *, unsigned char *); typedef unsigned int (*ica_des_ecb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned int direction); typedef unsigned int (*ica_des_cbc_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned char *iv, unsigned int direction); typedef unsigned int (*ica_des_cfb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, const unsigned char *key, unsigned char *iv, unsigned int lcfb, unsigned int direction); typedef unsigned int (*ica_des_ofb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, const unsigned char *key, unsigned char *iv, unsigned int direction); typedef unsigned int (*ica_3des_ecb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned int direction); typedef unsigned int (*ica_3des_cbc_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned char *iv, unsigned int direction); typedef unsigned int (*ica_3des_cfb_t)(const unsigned char *, unsigned char *, unsigned long, const unsigned char *, unsigned char *, unsigned int, unsigned int); typedef unsigned int (*ica_3des_ofb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, const unsigned char *key, unsigned char *iv, unsigned int direction); typedef unsigned int (*ica_aes_ecb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned int key_length, unsigned int direction); typedef unsigned int (*ica_aes_cbc_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, unsigned char *key, unsigned int key_length, unsigned char *iv, unsigned int direction); typedef unsigned int (*ica_aes_ofb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, const unsigned char *key, unsigned int key_length, unsigned char *iv, unsigned int direction); typedef unsigned int (*ica_aes_cfb_t)(const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, const unsigned char *key, unsigned int key_length, unsigned char *iv, unsigned int lcfb, unsigned int direction); typedef unsigned int (*ica_aes_gcm_initialize_t)(const unsigned char *iv, unsigned int iv_length, unsigned char *key, unsigned int key_length, unsigned char *icb, unsigned char *ucb, unsigned char *subkey, unsigned int direction); typedef unsigned int (*ica_aes_gcm_intermediate_t)(unsigned char *plaintext, unsigned long plaintext_length, unsigned char *ciphertext, unsigned char *ucb, unsigned char *aad, unsigned long aad_length, unsigned char *tag, unsigned int tag_length, unsigned char *key, unsigned int key_length, unsigned char *subkey, unsigned int direction); typedef unsigned int (*ica_aes_gcm_last_t)(unsigned char *icb, unsigned long aad_length, unsigned long ciph_length, unsigned char *tag, unsigned char *final_tag, unsigned int final_tag_length, unsigned char *key, unsigned int key_length, unsigned char *subkey, unsigned int direction); #ifndef OPENSSL_NO_EC typedef ICA_EC_KEY* (*ica_ec_key_new_t)(unsigned int nid, unsigned int *privlen); typedef int (*ica_ec_key_init_t)(const unsigned char *X, const unsigned char *Y, const unsigned char *D, ICA_EC_KEY *key); typedef int (*ica_ec_key_generate_t)(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key); typedef int (*ica_ecdh_derive_secret_t)(ica_adapter_handle_t adapter_handle, const ICA_EC_KEY *privkey_A, const ICA_EC_KEY *pubkey_B, unsigned char *z, unsigned int z_length); typedef int (*ica_ecdsa_sign_t)(ica_adapter_handle_t adapter_handle, const ICA_EC_KEY *privkey, const unsigned char *hash, unsigned int hash_length, unsigned char *signature, unsigned int signature_length); typedef int (*ica_ecdsa_verify_t)(ica_adapter_handle_t adapter_handle, const ICA_EC_KEY *pubkey, const unsigned char *hash, unsigned int hash_length, const unsigned char *signature, unsigned int signature_length); typedef int (*ica_ec_key_get_public_key_t)(ICA_EC_KEY *key, unsigned char *q, unsigned int *q_len); typedef int (*ica_ec_key_get_private_key_t)(ICA_EC_KEY *key, unsigned char *d, unsigned int *d_len); typedef void (*ica_ec_key_free_t)(ICA_EC_KEY *key); #endif typedef int (*ica_x25519_ctx_new_t)(ICA_X25519_CTX **ctx); typedef int (*ica_x448_ctx_new_t)(ICA_X448_CTX **ctx); typedef int (*ica_ed25519_ctx_new_t)(ICA_ED25519_CTX **ctx); typedef int (*ica_ed448_ctx_new_t)(ICA_ED448_CTX **ctx); typedef int (*ica_x25519_key_set_t)(ICA_X25519_CTX *ctx, const unsigned char priv[32], const unsigned char pub[32]); typedef int (*ica_x448_key_set_t)(ICA_X448_CTX *ctx, const unsigned char priv[56], const unsigned char pub[56]); typedef int (*ica_ed25519_key_set_t)(ICA_ED25519_CTX *ctx, const unsigned char priv[32], const unsigned char pub[32]); typedef int (*ica_ed448_key_set_t)(ICA_ED448_CTX *ctx, const unsigned char priv[56], const unsigned char pub[56]); typedef int (*ica_x25519_key_get_t)(ICA_X25519_CTX *ctx, unsigned char priv[32], unsigned char pub[32]); typedef int (*ica_x448_key_get_t)(ICA_X448_CTX *ctx, unsigned char priv[56], unsigned char pub[56]); typedef int (*ica_ed25519_key_get_t)(ICA_ED25519_CTX *ctx, unsigned char priv[32], unsigned char pub[32]); typedef int (*ica_ed448_key_get_t)(ICA_ED448_CTX *ctx, unsigned char priv[57], unsigned char pub[57]); typedef int (*ica_x25519_key_gen_t)(ICA_X25519_CTX *ctx); typedef int (*ica_x448_key_gen_t)(ICA_X448_CTX *ctx); typedef int (*ica_ed25519_key_gen_t)(ICA_ED25519_CTX *ctx); typedef int (*ica_ed448_key_gen_t)(ICA_ED448_CTX *ctx); typedef int (*ica_x25519_derive_t)(ICA_X25519_CTX *ctx, unsigned char shared_secret[32], const unsigned char peer_pub[32]); typedef int (*ica_x448_derive_t)(ICA_X448_CTX *ctx, unsigned char shared_secret[56], const unsigned char peer_pub[56]); typedef int (*ica_ed25519_sign_t)(ICA_ED25519_CTX *ctx, unsigned char sig[64], const unsigned char *msg, size_t msglen); typedef int (*ica_ed448_sign_t)(ICA_ED448_CTX *ctx, unsigned char sig[114], const unsigned char *msg, size_t msglen); typedef int (*ica_ed25519_verify_t)(ICA_ED25519_CTX *ctx, const unsigned char sig[64], const unsigned char *msg, size_t msglen); typedef int (*ica_ed448_verify_t)(ICA_ED448_CTX *ctx, const unsigned char sig[114], const unsigned char *msg, size_t msglen); typedef int (*ica_x25519_ctx_del_t)(ICA_X25519_CTX **ctx); typedef int (*ica_x448_ctx_del_t)(ICA_X448_CTX **ctx); typedef int (*ica_ed25519_ctx_del_t)(ICA_ED25519_CTX **ctx); typedef int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx); /* entry points into libica, filled out at DSO load time */ extern ica_get_functionlist_t p_ica_get_functionlist; extern ica_set_fallback_mode_t p_ica_set_fallback_mode; extern ica_open_adapter_t p_ica_open_adapter; extern ica_close_adapter_t p_ica_close_adapter; extern ica_rsa_mod_expo_t p_ica_rsa_mod_expo; extern ica_random_number_generate_t p_ica_random_number_generate; extern ica_rsa_crt_t p_ica_rsa_crt; extern ica_sha1_t p_ica_sha1; extern ica_sha256_t p_ica_sha256; extern ica_sha512_t p_ica_sha512; extern ica_des_ecb_t p_ica_des_ecb; extern ica_des_cbc_t p_ica_des_cbc; extern ica_des_ofb_t p_ica_des_ofb; extern ica_des_cfb_t p_ica_des_cfb; extern ica_3des_ecb_t p_ica_3des_ecb; extern ica_3des_cbc_t p_ica_3des_cbc; extern ica_3des_cfb_t p_ica_3des_cfb; extern ica_3des_ofb_t p_ica_3des_ofb; extern ica_aes_ecb_t p_ica_aes_ecb; extern ica_aes_cbc_t p_ica_aes_cbc; extern ica_aes_ofb_t p_ica_aes_ofb; extern ica_aes_cfb_t p_ica_aes_cfb; #ifndef OPENSSL_NO_AES_GCM extern ica_aes_gcm_initialize_t p_ica_aes_gcm_initialize; extern ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; extern ica_aes_gcm_last_t p_ica_aes_gcm_last; #endif #ifndef OPENSSL_NO_EC extern ica_ec_key_new_t p_ica_ec_key_new; extern ica_ec_key_init_t p_ica_ec_key_init; extern ica_ec_key_generate_t p_ica_ec_key_generate; extern ica_ecdh_derive_secret_t p_ica_ecdh_derive_secret; extern ica_ecdsa_sign_t p_ica_ecdsa_sign; extern ica_ecdsa_verify_t p_ica_ecdsa_verify; extern ica_ec_key_get_public_key_t p_ica_ec_key_get_public_key; extern ica_ec_key_get_private_key_t p_ica_ec_key_get_private_key; extern ica_ec_key_free_t p_ica_ec_key_free; #endif extern ica_x25519_ctx_new_t p_ica_x25519_ctx_new; extern ica_x448_ctx_new_t p_ica_x448_ctx_new; extern ica_ed25519_ctx_new_t p_ica_ed25519_ctx_new; extern ica_ed448_ctx_new_t p_ica_ed448_ctx_new; extern ica_x25519_key_set_t p_ica_x25519_key_set; extern ica_x448_key_set_t p_ica_x448_key_set; extern ica_ed25519_key_set_t p_ica_ed25519_key_set; extern ica_ed448_key_set_t p_ica_ed448_key_set; extern ica_x25519_key_get_t p_ica_x25519_key_get; extern ica_x448_key_get_t p_ica_x448_key_get; extern ica_ed25519_key_get_t p_ica_ed25519_key_get; extern ica_ed448_key_get_t p_ica_ed448_key_get; extern ica_x25519_key_gen_t p_ica_x25519_key_gen; extern ica_x448_key_gen_t p_ica_x448_key_gen; extern ica_ed25519_key_gen_t p_ica_ed25519_key_gen; extern ica_ed448_key_gen_t p_ica_ed448_key_gen; extern ica_x25519_derive_t p_ica_x25519_derive; extern ica_x448_derive_t p_ica_x448_derive; extern ica_ed25519_sign_t p_ica_ed25519_sign; extern ica_ed448_sign_t p_ica_ed448_sign; extern ica_ed25519_verify_t p_ica_ed25519_verify; extern ica_ed448_verify_t p_ica_ed448_verify; extern ica_x25519_ctx_del_t p_ica_x25519_ctx_del; extern ica_x448_ctx_del_t p_ica_x448_ctx_del; extern ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del; extern ica_ed448_ctx_del_t p_ica_ed448_ctx_del; openssl-ibmca-2.2.3/src/ibmca_cipher.c000066400000000000000000001145731421243614200176240ustar00rootroot00000000000000/* * Copyright [2005-2021] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include #include #include "ibmca.h" #include "e_ibmca_err.h" static int ibmca_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { ICA_DES_CTX *pCtx = (ICA_DES_CTX *) EVP_CIPHER_CTX_get_cipher_data(ctx); memcpy(pCtx->key, key, EVP_CIPHER_CTX_key_length(ctx)); return 1; } static int ibmca_cipher_cleanup(EVP_CIPHER_CTX *ctx) { return 1; } #define IMPLEMENT_IBMCA_DES_CIPHER_FN(name, NAME) \ static int ibmca_##name##_cipher(EVP_CIPHER_CTX *ctx, \ unsigned char *out, \ const unsigned char *in, size_t len) \ { \ ICA_##NAME##_CTX *c = \ (ICA_##NAME##_CTX *)EVP_CIPHER_CTX_get_cipher_data(ctx); \ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); \ const int mode = EVP_CIPHER_CTX_mode(ctx); \ const int enc = EVP_CIPHER_CTX_encrypting(ctx) ? \ ICA_ENCRYPT : ICA_DECRYPT; \ int rv; \ \ switch (mode) { \ case EVP_CIPH_ECB_MODE: \ rv = p_ica_##name##_ecb(in, out, len, c->key, enc); \ break; \ case EVP_CIPH_CBC_MODE: \ rv = p_ica_##name##_cbc(in, out, len, c->key, iv, enc); \ break; \ case EVP_CIPH_CFB_MODE: \ rv = p_ica_##name##_cfb(in, out, len, c->key, iv, 8, enc); \ break; \ case EVP_CIPH_OFB_MODE: \ rv = p_ica_##name##_ofb(in, out, len, c->key, iv, enc); \ break; \ default: \ IBMCAerr(IBMCA_F_IBMCA_##NAME##_CIPHER, \ IBMCA_R_CIPHER_MODE_NOT_SUPPORTED); \ return 0; \ } \ if (rv) { \ IBMCAerr(IBMCA_F_IBMCA_##NAME##_CIPHER, \ IBMCA_R_REQUEST_FAILED); \ return 0; \ } \ return 1; \ } IMPLEMENT_IBMCA_DES_CIPHER_FN(des, DES) IMPLEMENT_IBMCA_DES_CIPHER_FN(3des, TDES) #ifdef OLDER_OPENSSL # define DECLARE_DES_EVP(mode, block_size, key_len, iv_len, flags, \ ctx_size, init, do_cipher, cleanup, \ set_asn1_parameters, get_asn1_parameters) \ const EVP_CIPHER des_##mode = { \ NID_des_##mode, \ block_size, \ key_len, \ iv_len, \ flags, \ init, \ do_cipher, \ cleanup, \ ctx_size, \ set_asn1_parameters, \ get_asn1_parameters, \ NULL, \ NULL \ }; \ const EVP_CIPHER *ibmca_des_##mode(void) \ { \ return &des_##mode; \ } #else # define DECLARE_DES_EVP(mode, block_size, key_len, iv_len, flags, \ ctx_size, init, do_cipher, cleanup, \ set_asn1_parameters, get_asn1_parameters) \ static EVP_CIPHER *des_##mode = NULL; \ const EVP_CIPHER *ibmca_des_##mode(void) \ { \ EVP_CIPHER *cipher; \ \ if (des_##mode != NULL) \ goto done; \ \ if ((cipher = EVP_CIPHER_meth_new(NID_des_##mode, \ block_size, key_len)) == NULL \ || !EVP_CIPHER_meth_set_iv_length(cipher, iv_len) \ || !EVP_CIPHER_meth_set_flags(cipher, flags) \ || !EVP_CIPHER_meth_set_init(cipher, init) \ || !EVP_CIPHER_meth_set_do_cipher(cipher, do_cipher) \ || !EVP_CIPHER_meth_set_cleanup(cipher, cleanup) \ || !EVP_CIPHER_meth_set_impl_ctx_size(cipher, ctx_size) \ || !EVP_CIPHER_meth_set_set_asn1_params(cipher, \ set_asn1_parameters) \ || !EVP_CIPHER_meth_set_get_asn1_params(cipher, \ get_asn1_parameters)) {\ EVP_CIPHER_meth_free(cipher); \ cipher = NULL; \ } \ des_##mode = cipher; \ done: \ return des_##mode; \ } \ \ void ibmca_des_##mode##_destroy(void) \ { \ EVP_CIPHER_meth_free(des_##mode); \ des_##mode = NULL; \ } #endif DECLARE_DES_EVP(ecb, sizeof(ica_des_vector_t), sizeof(ica_des_key_single_t), sizeof(ica_des_vector_t), EVP_CIPH_ECB_MODE, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_DES_EVP(cbc, sizeof(ica_des_vector_t), sizeof(ica_des_key_single_t), sizeof(ica_des_vector_t), EVP_CIPH_CBC_MODE, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_DES_EVP(ofb, 1, sizeof(ica_des_key_single_t), sizeof(ica_des_vector_t), EVP_CIPH_OFB_MODE, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_DES_EVP(cfb, 1, sizeof(ica_des_key_single_t), sizeof(ica_des_vector_t), EVP_CIPH_CFB_MODE, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) #ifdef OLDER_OPENSSL # define DECLARE_TDES_EVP(mode, block_size, key_len, iv_len, flags, \ ctx_size, init, do_cipher, cleanup, \ set_asn1_parameters, get_asn1_parameters) \ const EVP_CIPHER tdes_##mode = { \ NID_des_ede3_##mode, \ block_size, \ key_len, \ iv_len, \ flags, \ init, \ do_cipher, \ cleanup, \ ctx_size, \ set_asn1_parameters, \ get_asn1_parameters, \ NULL, \ NULL \ }; \ const EVP_CIPHER *ibmca_tdes_##mode(void) \ { \ return &tdes_##mode; \ } #else # define DECLARE_TDES_EVP(mode, block_size, key_len, iv_len, flags, \ ctx_size, init, do_cipher, cleanup, \ set_asn1_parameters, get_asn1_parameters) \ static EVP_CIPHER *tdes_##mode = NULL; \ const EVP_CIPHER *ibmca_tdes_##mode(void) \ { \ EVP_CIPHER *cipher; \ \ if (tdes_##mode != NULL) \ goto done; \ \ if ((cipher = EVP_CIPHER_meth_new(NID_des_ede3_##mode, \ block_size, key_len)) == NULL \ || !EVP_CIPHER_meth_set_iv_length(cipher, iv_len) \ || !EVP_CIPHER_meth_set_flags(cipher, flags) \ || !EVP_CIPHER_meth_set_init(cipher, init) \ || !EVP_CIPHER_meth_set_do_cipher(cipher, do_cipher) \ || !EVP_CIPHER_meth_set_cleanup(cipher, cleanup) \ || !EVP_CIPHER_meth_set_impl_ctx_size(cipher, ctx_size) \ || !EVP_CIPHER_meth_set_set_asn1_params(cipher, \ set_asn1_parameters) \ || !EVP_CIPHER_meth_set_get_asn1_params(cipher, \ get_asn1_parameters)) {\ EVP_CIPHER_meth_free(cipher); \ cipher = NULL; \ } \ tdes_##mode = cipher; \ done: \ return tdes_##mode; \ } \ \ void ibmca_tdes_##mode##_destroy(void) \ { \ EVP_CIPHER_meth_free(tdes_##mode); \ tdes_##mode = NULL; \ } #endif DECLARE_TDES_EVP(ecb, sizeof(ica_des_vector_t), sizeof(ica_des_key_triple_t), sizeof(ica_des_vector_t), EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_TDES_EVP(cbc, sizeof(ica_des_vector_t), sizeof(ica_des_key_triple_t), sizeof(ica_des_vector_t), EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_TDES_EVP(ofb, 1, sizeof(ica_des_key_triple_t), sizeof(ica_des_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_TDES_EVP(cfb, 1, sizeof(ica_des_key_triple_t), sizeof(ica_des_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) #ifndef OPENSSL_NO_AES_GCM static int ibmca_gcm_aad(ICA_AES_GCM_CTX *ctx, const unsigned char *aad, size_t len, int enc, int keylen) { uint64_t alen = ctx->aadlen; if (ctx->ptlen) return -2; alen += len; if (alen > (1ULL << 61) || (sizeof(len) == 8 && alen < len)) return -1; ctx->aadlen = alen; /* ctx->taglen is not set at this time... and is not needed. The * function only checks, if it's a valid gcm tag length. So we chose 16. */ return !(p_ica_aes_gcm_intermediate(NULL, 0, NULL, ctx->ucb, (unsigned char *) aad, len, ctx->tag, 16, ctx->key, keylen, ctx->subkey, enc)); } static int ibmca_aes_gcm(ICA_AES_GCM_CTX *ctx, const unsigned char *in, unsigned char *out, size_t len, int enc, int keylen) { uint64_t mlen = ctx->ptlen; unsigned char *pt, *ct; int rv; mlen += len; if (mlen > ((1ULL << 36) - 32) || (sizeof(len) == 8 && mlen < len)) return 0; ctx->ptlen = mlen; if (enc) { pt = (unsigned char *) in; ct = out; } else { ct = (unsigned char *) in; pt = out; } /* ctx->taglen is not set at this time... and is not needed. The * function only checks, if it's a valid gcm tag length. So we chose 16. */ rv = p_ica_aes_gcm_intermediate(pt, len, ct, ctx->ucb, NULL, 0, ctx->tag, 16, ctx->key, keylen, ctx->subkey, enc); if (rv) return 0; return 1; } static int ibmca_aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { ICA_AES_GCM_CTX *gctx = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(ctx); const int gkeylen = EVP_CIPHER_CTX_key_length(ctx); if (!iv && !key) return 1; if (key) { memcpy(gctx->key, key, gkeylen); if (iv == NULL && gctx->iv_set) iv = gctx->iv; if (iv) { memset(gctx->icb, 0, sizeof(gctx->icb)); memset(gctx->tag, 0, sizeof(gctx->tag)); gctx->aadlen = 0; gctx->ptlen = 0; if (p_ica_aes_gcm_initialize(iv, gctx->ivlen, gctx->key, gkeylen, gctx->icb, gctx->ucb, gctx->subkey, enc)) return 0; gctx->iv_set = 1; } gctx->key_set = 1; } else { if (gctx->key_set) { memset(gctx->icb, 0, sizeof(gctx->icb)); memset(gctx->tag, 0, sizeof(gctx->tag)); gctx->aadlen = 0; gctx->ptlen = 0; if (p_ica_aes_gcm_initialize(iv, gctx->ivlen, gctx->key, gkeylen, gctx->icb, gctx->ucb, gctx->subkey, enc)) return 0; } else { memcpy(gctx->iv, iv, gctx->ivlen); } gctx->iv_set = 1; gctx->iv_gen = 0; } return 1; } static int ibmca_aes_gcm_setiv(EVP_CIPHER_CTX *c) { ICA_AES_GCM_CTX *gctx = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(c); const int gkeylen = EVP_CIPHER_CTX_key_length(c); int enc = EVP_CIPHER_CTX_encrypting(c); if (!gctx->key_set) return 0; memset(gctx->icb, 0, sizeof(gctx->icb)); memset(gctx->tag, 0, sizeof(gctx->tag)); gctx->aadlen = 0; gctx->ptlen = 0; return !(p_ica_aes_gcm_initialize(gctx->iv, gctx->ivlen, gctx->key, gkeylen, gctx->icb, gctx->ucb, gctx->subkey, enc)); } static int ibmca_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { ICA_AES_GCM_CTX *gctx = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(c); unsigned char *iv_noconst = EVP_CIPHER_CTX_iv_noconst(c); unsigned char *buf_noconst = EVP_CIPHER_CTX_buf_noconst(c); int enc = EVP_CIPHER_CTX_encrypting(c); EVP_CIPHER_CTX *out; ICA_AES_GCM_CTX *gctx_out; unsigned char *iv_noconst_out; unsigned int len; switch (type) { case EVP_CTRL_INIT: gctx->key_set = 0; gctx->iv_set = 0; gctx->ivlen = EVP_CIPHER_CTX_iv_length(c); gctx->iv = iv_noconst; gctx->taglen = -1; gctx->iv_gen = 0; gctx->tls_aadlen = -1; return 1; case EVP_CTRL_GCM_SET_IVLEN: if (arg <= 0) return 0; if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != iv_noconst) OPENSSL_free(gctx->iv); gctx->iv = OPENSSL_malloc(arg); if (gctx->iv == NULL) return 0; } gctx->ivlen = arg; return 1; case EVP_CTRL_GCM_SET_TAG: if (arg <= 0 || arg > 16 || enc) return 0; memcpy(buf_noconst, ptr, arg); gctx->taglen = arg; return 1; case EVP_CTRL_GCM_GET_TAG: if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0) return 0; memcpy(ptr, buf_noconst, arg); return 1; case EVP_CTRL_GCM_SET_IV_FIXED: if (arg == -1) { memcpy(gctx->iv, ptr, gctx->ivlen); gctx->iv_gen = 1; return 1; } if ((arg < 4) || (gctx->ivlen - arg) < 8) return 0; if (arg) memcpy(gctx->iv, ptr, arg); if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) return 0; gctx->iv_gen = 1; return 1; case EVP_CTRL_GCM_IV_GEN: if (gctx->iv_gen == 0 || gctx->key_set == 0) return 0; if (!ibmca_aes_gcm_setiv(c)) return 0; if (arg <= 0 || arg > gctx->ivlen) arg = gctx->ivlen; memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); ++*(uint64_t *) (gctx->iv + gctx->ivlen - 8); gctx->iv_set = 1; return 1; case EVP_CTRL_GCM_SET_IV_INV: if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc) return 0; memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); if (!ibmca_aes_gcm_setiv(c)) return 0; gctx->iv_set = 1; return 1; case EVP_CTRL_AEAD_TLS1_AAD: if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; memcpy(buf_noconst, ptr, arg); gctx->tls_aadlen = arg; len = buf_noconst[arg - 2] << 8 | buf_noconst[arg - 1]; if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) return 0; len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; if (!enc) { if (len < EVP_GCM_TLS_TAG_LEN) return 0; len -= EVP_GCM_TLS_TAG_LEN; } buf_noconst[arg - 2] = len >> 8; buf_noconst[arg - 1] = len & 0xff; return EVP_GCM_TLS_TAG_LEN; case EVP_CTRL_COPY:{ out = ptr; gctx_out = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(out); iv_noconst_out = EVP_CIPHER_CTX_iv_noconst(out); if (gctx->iv == iv_noconst) { gctx_out->iv = iv_noconst_out; } else { gctx_out->iv = OPENSSL_malloc(gctx->ivlen); if (gctx_out->iv == NULL) return 0; memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); } return 1; } default: return -1; } } static int ibmca_gcm_tag(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, int taglen) { ICA_AES_GCM_CTX *gctx = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(ctx); int enc = EVP_CIPHER_CTX_encrypting(ctx); const int gkeylen = EVP_CIPHER_CTX_key_length(ctx); if (p_ica_aes_gcm_last(gctx->icb, gctx->aadlen, gctx->ptlen, gctx->tag, (unsigned char *) in, taglen, gctx->key, gkeylen, gctx->subkey, enc)) return 0; if (out) memcpy(out, gctx->tag, taglen); return 1; } static int ibmca_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { ICA_AES_GCM_CTX *gctx = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(ctx); unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx); int enc = EVP_CIPHER_CTX_encrypting(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); int rv = -1; if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) return -1; if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) goto err; if (!ibmca_gcm_aad(gctx, buf, gctx->tls_aadlen, enc, keylen)) goto err; in += EVP_GCM_TLS_EXPLICIT_IV_LEN; out += EVP_GCM_TLS_EXPLICIT_IV_LEN; len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; if (!ibmca_aes_gcm(gctx, in, out, len, enc, keylen)) goto err; if (enc) { out += len; if (!ibmca_gcm_tag(ctx, out, NULL, EVP_GCM_TLS_TAG_LEN)) { goto err; } rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; } else { if (!ibmca_gcm_tag(ctx, buf, in + len, EVP_GCM_TLS_TAG_LEN)) { OPENSSL_cleanse(out, len); goto err; } rv = len; } err: gctx->iv_set = 0; gctx->tls_aadlen = -1; return rv; } static int ibmca_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { ICA_AES_GCM_CTX *gctx = (ICA_AES_GCM_CTX *) EVP_CIPHER_CTX_get_cipher_data(ctx); unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx); int enc = EVP_CIPHER_CTX_encrypting(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); if (!gctx->key_set) return -1; if (gctx->tls_aadlen >= 0) return ibmca_aes_gcm_tls_cipher(ctx, out, in, len); if (!gctx->iv_set) return -1; if (in) { if (out == NULL) { if (!ibmca_gcm_aad(gctx, in, len, enc, keylen)) return -1; } else { if (!ibmca_aes_gcm(gctx, in, out, len, enc, keylen)) return -1; } return len; } else { if (enc) { gctx->taglen = 16; if (!ibmca_gcm_tag(ctx, buf, NULL, gctx->taglen)) return -1; } else { if (gctx->taglen < 0) return -1; if (!ibmca_gcm_tag(ctx, NULL, buf, gctx->taglen)) return -1; } gctx->iv_set = 0; return 0; } } #endif #define IMPLEMENT_IBMCA_AES_CIPHER_FN(name, NAME) \ static int ibmca_##name##_cipher(EVP_CIPHER_CTX *ctx, \ unsigned char *out, \ const unsigned char *in, size_t len) \ { \ ICA_##NAME##_CTX *c = \ (ICA_##NAME##_CTX *)EVP_CIPHER_CTX_get_cipher_data(ctx); \ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); \ const int mode = EVP_CIPHER_CTX_mode(ctx); \ const int enc = EVP_CIPHER_CTX_encrypting(ctx) ? \ ICA_ENCRYPT : ICA_DECRYPT; \ int rv; \ \ switch (mode) { \ case EVP_CIPH_ECB_MODE: \ rv = p_ica_aes_ecb(in, out, len, c->key, NAME##_KEYLEN, enc); \ break; \ case EVP_CIPH_CBC_MODE: \ rv = p_ica_aes_cbc(in, out, len, c->key, NAME##_KEYLEN, \ iv, enc); \ break; \ case EVP_CIPH_CFB_MODE: \ rv = p_ica_aes_cfb(in, out, len, c->key, NAME##_KEYLEN, \ iv, 16, enc); \ break; \ case EVP_CIPH_OFB_MODE: \ rv = p_ica_aes_ofb(in, out, len, c->key, NAME##_KEYLEN, \ iv, enc); \ break; \ default: \ IBMCAerr(IBMCA_F_IBMCA_##NAME##_CIPHER, \ IBMCA_R_CIPHER_MODE_NOT_SUPPORTED); \ return 0; \ } \ if (rv) { \ IBMCAerr(IBMCA_F_IBMCA_##NAME##_CIPHER, \ IBMCA_R_REQUEST_FAILED); \ return 0; \ } \ \ return 1; \ } IMPLEMENT_IBMCA_AES_CIPHER_FN(aes_128, AES_128) IMPLEMENT_IBMCA_AES_CIPHER_FN(aes_192, AES_192) IMPLEMENT_IBMCA_AES_CIPHER_FN(aes_256, AES_256) #ifdef OLDER_OPENSSL # define DECLARE_AES_EVP(kbits, mode, block_size, key_len, iv_len, \ flags, ctx_size, init, do_cipher, cleanup, \ set_asn1_parameters, get_asn1_parameters, ctrl)\ const EVP_CIPHER aes_##kbits##_##mode = { \ NID_aes_##kbits##_##mode, \ block_size, \ key_len, \ iv_len, \ flags, \ init, \ do_cipher, \ cleanup, \ ctx_size, \ set_asn1_parameters, \ get_asn1_parameters, \ ctrl, \ NULL \ }; \ const EVP_CIPHER *ibmca_aes_##kbits##_##mode(void) \ { \ return &aes_##kbits##_##mode; \ } #else # define DECLARE_AES_EVP(kbits, mode, block_size, key_len, iv_len, \ flags, ctx_size, init, do_cipher, cleanup, \ set_asn1_parameters, get_asn1_parameters, ctrl)\ static EVP_CIPHER *aes_##kbits##_##mode = NULL; \ const EVP_CIPHER *ibmca_aes_##kbits##_##mode(void) \ { \ EVP_CIPHER *cipher; \ \ if (aes_##kbits##_##mode != NULL) \ goto done; \ \ if ((cipher = EVP_CIPHER_meth_new(NID_aes_##kbits##_##mode, \ block_size, key_len)) == NULL \ || !EVP_CIPHER_meth_set_iv_length(cipher, iv_len) \ || !EVP_CIPHER_meth_set_flags(cipher, flags) \ || !EVP_CIPHER_meth_set_init(cipher, init) \ || !EVP_CIPHER_meth_set_do_cipher(cipher, do_cipher) \ || !EVP_CIPHER_meth_set_cleanup(cipher, cleanup) \ || !EVP_CIPHER_meth_set_impl_ctx_size(cipher, ctx_size) \ || !EVP_CIPHER_meth_set_set_asn1_params(cipher, \ set_asn1_parameters) \ || !EVP_CIPHER_meth_set_get_asn1_params(cipher, \ get_asn1_parameters) \ || !EVP_CIPHER_meth_set_ctrl(cipher, ctrl)) { \ EVP_CIPHER_meth_free(cipher); \ cipher = NULL; \ } \ aes_##kbits##_##mode = cipher; \ done: \ return aes_##kbits##_##mode; \ } \ \ void ibmca_aes_##kbits##_##mode##_destroy(void) \ { \ EVP_CIPHER_meth_free(aes_##kbits##_##mode); \ aes_##kbits##_##mode = NULL; \ } #endif DECLARE_AES_EVP(128, ecb, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t), EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(128, cbc, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t), EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(128, ofb, 1, sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(128, cfb, 1, sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) #ifndef OPENSSL_NO_AES_GCM DECLARE_AES_EVP(128, gcm, 1, sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t) - sizeof(uint32_t), EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_GCM_CTX), ibmca_aes_gcm_init_key, ibmca_aes_gcm_cipher, NULL, NULL, NULL, ibmca_aes_gcm_ctrl) #endif DECLARE_AES_EVP(192, ecb, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t), EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(192, cbc, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t), EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(192, ofb, 1, sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(192, cfb, 1, sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) #ifndef OPENSSL_NO_AES_GCM DECLARE_AES_EVP(192, gcm, 1, sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t) - sizeof(uint32_t), EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_GCM_CTX), ibmca_aes_gcm_init_key, ibmca_aes_gcm_cipher, NULL, NULL, NULL, ibmca_aes_gcm_ctrl) #endif DECLARE_AES_EVP(256, ecb, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t), EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(256, cbc, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t), EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(256, ofb, 1, sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(256, cfb, 1, sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) #ifndef OPENSSL_NO_AES_GCM DECLARE_AES_EVP(256, gcm, 1, sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t) - sizeof(uint32_t), EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_GCM_CTX), ibmca_aes_gcm_init_key, ibmca_aes_gcm_cipher, NULL, NULL, NULL, ibmca_aes_gcm_ctrl) #endif openssl-ibmca-2.2.3/src/ibmca_dh.c000066400000000000000000000055331421243614200167400ustar00rootroot00000000000000/* * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "ibmca.h" #include #ifndef OPENSSL_NO_DH static int (*ibmca_mod_exp_dh_backup)(DH const *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* This function is aliased to mod_exp (with the dh and mont dropped). */ static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dh_backup) return ibmca_mod_exp_dh_backup(dh, r, a, p, m, ctx, m_ctx); return 1; } #ifdef OLDER_OPENSSL static DH_METHOD dh_m = { "Ibmca DH method", /* name */ NULL, /* generate_key */ NULL, /* compute_key */ ibmca_mod_exp_dh, /* bn_mod_exp */ NULL, /* init */ NULL, /* finish */ DH_FLAG_FIPS_METHOD, /* flags */ NULL /* app_data */ }; DH_METHOD *ibmca_dh(void) { const DH_METHOD *meth1 = DH_OpenSSL(); ibmca_mod_exp_dh_backup = meth1->bn_mod_exp; dh_m.generate_key = meth1->generate_key; dh_m.compute_key = meth1->compute_key; return &dh_m; } #else static DH_METHOD *dh_m = NULL; DH_METHOD *ibmca_dh(void) { const DH_METHOD *meth1; DH_METHOD *method; if (dh_m != NULL) goto done; if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL || (meth1 = DH_OpenSSL()) == NULL || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh) || !DH_meth_set_flags(method, DH_FLAG_FIPS_METHOD)) { DH_meth_free(method); method = NULL; meth1 = NULL; } dh_m = method; done: return dh_m; } void ibmca_dh_destroy(void) { DH_meth_free(dh_m); } #endif #endif /* end OPENSSL_NO_DH */ openssl-ibmca-2.2.3/src/ibmca_digest.c000066400000000000000000000563201421243614200176240ustar00rootroot00000000000000/* * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include #include #include "ibmca.h" #include "e_ibmca_err.h" #ifndef OPENSSL_NO_SHA1 static int ibmca_sha1_init(EVP_MD_CTX *ctx) { IBMCA_SHA_CTX *ibmca_sha_ctx = (IBMCA_SHA_CTX *) EVP_MD_CTX_md_data(ctx); memset((unsigned char *) ibmca_sha_ctx, 0, sizeof(*ibmca_sha_ctx)); return 1; } static int ibmca_sha1_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen) { IBMCA_SHA_CTX *ibmca_sha_ctx = (IBMCA_SHA_CTX *) EVP_MD_CTX_md_data(ctx); unsigned int message_part = SHA_MSG_PART_MIDDLE, fill_size = 0; unsigned long in_data_len = inlen; unsigned char tmp_hash[SHA_HASH_LENGTH]; if (in_data_len == 0) return 1; if (ibmca_sha_ctx->c.runningLength == 0 && ibmca_sha_ctx->tail_len == 0) { message_part = SHA_MSG_PART_FIRST; ibmca_sha_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha_ctx->tail, in_data + in_data_len, ibmca_sha_ctx->tail_len); } } else if (ibmca_sha_ctx->c.runningLength == 0 && ibmca_sha_ctx->tail_len > 0) { /* Here we need to fill out the temporary tail buffer until * it has 64 bytes in it, then call ica_sha1 on that buffer. * If there weren't enough bytes passed in to fill it out, * just copy in what we can and return success without calling * ica_sha1. - KEY */ fill_size = SHA_BLOCK_SIZE - ibmca_sha_ctx->tail_len; if (fill_size < in_data_len) { memcpy(ibmca_sha_ctx->tail + ibmca_sha_ctx->tail_len, in_data, fill_size); /* Submit the filled out tail buffer */ if (p_ica_sha1((unsigned int) SHA_MSG_PART_FIRST, (unsigned int) SHA_BLOCK_SIZE, ibmca_sha_ctx->tail, &ibmca_sha_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } } else { memcpy(ibmca_sha_ctx->tail + ibmca_sha_ctx->tail_len, in_data, in_data_len); ibmca_sha_ctx->tail_len += in_data_len; return 1; } /* We had to use 'fill_size' bytes from in_data to fill out the * empty part of save data, so adjust in_data_len */ in_data_len -= fill_size; ibmca_sha_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha_ctx->tail, in_data + fill_size + in_data_len, ibmca_sha_ctx->tail_len); /* fill_size is added to in_data down below */ } } else if (ibmca_sha_ctx->c.runningLength > 0) { if (ibmca_sha_ctx->tail_len) { fill_size = SHA_BLOCK_SIZE - ibmca_sha_ctx->tail_len; if (fill_size < in_data_len) { memcpy(ibmca_sha_ctx->tail + ibmca_sha_ctx->tail_len, in_data, fill_size); /* Submit the filled out save buffer */ if (p_ica_sha1(message_part, (unsigned int) SHA_BLOCK_SIZE, ibmca_sha_ctx->tail, &ibmca_sha_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } } else { memcpy(ibmca_sha_ctx->tail + ibmca_sha_ctx->tail_len, in_data, in_data_len); ibmca_sha_ctx->tail_len += in_data_len; return 1; } /* * We had to use some of the data from in_data to * fill out the empty part of save data, so adjust * in_data_len */ in_data_len -= fill_size; ibmca_sha_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha_ctx->tail, in_data + fill_size + in_data_len, ibmca_sha_ctx->tail_len); } } else { /* This is the odd case, where we need to go ahead and * send the first X * 64 byte chunks in to be processed * and copy the last <64 byte area into the tail. -KEY */ ibmca_sha_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha_ctx->tail, in_data + in_data_len, ibmca_sha_ctx->tail_len); } } } /* If the data passed in was <64 bytes, in_data_len will be 0 */ if (in_data_len && p_ica_sha1(message_part, (unsigned int) in_data_len, (unsigned char *) (in_data + fill_size), &ibmca_sha_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_sha1_final(EVP_MD_CTX *ctx, unsigned char *md) { IBMCA_SHA_CTX *ibmca_sha_ctx = (IBMCA_SHA_CTX *) EVP_MD_CTX_md_data(ctx); unsigned int message_part = 0; if (ibmca_sha_ctx->c.runningLength) message_part = SHA_MSG_PART_FINAL; else message_part = SHA_MSG_PART_ONLY; if (p_ica_sha1(message_part, ibmca_sha_ctx->tail_len, (unsigned char *) ibmca_sha_ctx->tail, &ibmca_sha_ctx->c, md)) { IBMCAerr(IBMCA_F_IBMCA_SHA1_FINAL, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_sha1_cleanup(EVP_MD_CTX *ctx) { return 1; } #endif /* OPENSSL_NO_SHA1 */ #ifndef OPENSSL_NO_SHA256 static int ibmca_sha256_init(EVP_MD_CTX *ctx) { IBMCA_SHA256_CTX *ibmca_sha256_ctx = (IBMCA_SHA256_CTX *) EVP_MD_CTX_md_data(ctx); memset((unsigned char *) ibmca_sha256_ctx, 0, sizeof(*ibmca_sha256_ctx)); return 1; } static int ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen) { IBMCA_SHA256_CTX *ibmca_sha256_ctx = (IBMCA_SHA256_CTX *) EVP_MD_CTX_md_data(ctx); unsigned int message_part = SHA_MSG_PART_MIDDLE, fill_size = 0; unsigned long in_data_len = inlen; unsigned char tmp_hash[SHA256_HASH_LENGTH]; if (in_data_len == 0) return 1; if (ibmca_sha256_ctx->c.runningLength == 0 && ibmca_sha256_ctx->tail_len == 0) { message_part = SHA_MSG_PART_FIRST; ibmca_sha256_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha256_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha256_ctx->tail, in_data + in_data_len, ibmca_sha256_ctx->tail_len); } } else if (ibmca_sha256_ctx->c.runningLength == 0 && ibmca_sha256_ctx->tail_len > 0) { /* Here we need to fill out the temporary tail buffer * until it has 64 bytes in it, then call ica_sha256 on * that buffer. If there weren't enough bytes passed * in to fill it out, just copy in what we can and * return success without calling ica_sha256. - KEY */ fill_size = SHA256_BLOCK_SIZE - ibmca_sha256_ctx->tail_len; if (fill_size < in_data_len) { memcpy(ibmca_sha256_ctx->tail + ibmca_sha256_ctx->tail_len, in_data, fill_size); /* Submit the filled out tail buffer */ if (p_ica_sha256((unsigned int) SHA_MSG_PART_FIRST, (unsigned int) SHA256_BLOCK_SIZE, ibmca_sha256_ctx->tail, &ibmca_sha256_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } } else { memcpy(ibmca_sha256_ctx->tail + ibmca_sha256_ctx->tail_len, in_data, in_data_len); ibmca_sha256_ctx->tail_len += in_data_len; return 1; } /* We had to use 'fill_size' bytes from in_data to fill out the * empty part of save data, so adjust in_data_len */ in_data_len -= fill_size; ibmca_sha256_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha256_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha256_ctx->tail, in_data + fill_size + in_data_len, ibmca_sha256_ctx->tail_len); /* fill_size is added to in_data down below */ } } else if (ibmca_sha256_ctx->c.runningLength > 0) { if (ibmca_sha256_ctx->tail_len) { fill_size = SHA256_BLOCK_SIZE - ibmca_sha256_ctx->tail_len; if (fill_size < in_data_len) { memcpy(ibmca_sha256_ctx->tail + ibmca_sha256_ctx->tail_len, in_data, fill_size); /* Submit the filled out save buffer */ if (p_ica_sha256(message_part, (unsigned int) SHA256_BLOCK_SIZE, ibmca_sha256_ctx->tail, &ibmca_sha256_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } } else { memcpy(ibmca_sha256_ctx->tail + ibmca_sha256_ctx->tail_len, in_data, in_data_len); ibmca_sha256_ctx->tail_len += in_data_len; return 1; } /* * We had to use some of the data from in_data to * fill out the empty part of save data, so adjust * in_data_len */ in_data_len -= fill_size; ibmca_sha256_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha256_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha256_ctx->tail, in_data + fill_size + in_data_len, ibmca_sha256_ctx->tail_len); } } else { /* This is the odd case, where we need to go * ahead and send the first X * 64 byte chunks * in to be processed and copy the last <64 * byte area into the tail. -KEY */ ibmca_sha256_ctx->tail_len = in_data_len & 0x3f; if (ibmca_sha256_ctx->tail_len) { in_data_len &= ~0x3f; memcpy(ibmca_sha256_ctx->tail, in_data + in_data_len, ibmca_sha256_ctx->tail_len); } } } /* If the data passed in was <64 bytes, in_data_len will be 0 */ if (in_data_len && p_ica_sha256(message_part, (unsigned int) in_data_len, (unsigned char *) (in_data + fill_size), &ibmca_sha256_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_sha256_final(EVP_MD_CTX *ctx, unsigned char *md) { IBMCA_SHA256_CTX *ibmca_sha256_ctx = (IBMCA_SHA256_CTX *) EVP_MD_CTX_md_data(ctx); unsigned int message_part = 0; if (ibmca_sha256_ctx->c.runningLength) message_part = SHA_MSG_PART_FINAL; else message_part = SHA_MSG_PART_ONLY; if (p_ica_sha256(message_part, ibmca_sha256_ctx->tail_len, (unsigned char *) ibmca_sha256_ctx->tail, &ibmca_sha256_ctx->c, md)) { IBMCAerr(IBMCA_F_IBMCA_SHA256_FINAL, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_sha256_cleanup(EVP_MD_CTX *ctx) { return 1; } #endif /* OPENSSL_NO_SHA256 */ #ifndef OPENSSL_NO_SHA512 static int ibmca_sha512_init(EVP_MD_CTX *ctx) { IBMCA_SHA512_CTX *ibmca_sha512_ctx = (IBMCA_SHA512_CTX *) EVP_MD_CTX_md_data(ctx); memset((unsigned char *) ibmca_sha512_ctx, 0, sizeof(*ibmca_sha512_ctx)); return 1; } static int ibmca_sha512_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen) { IBMCA_SHA512_CTX *ibmca_sha512_ctx = (IBMCA_SHA512_CTX *) EVP_MD_CTX_md_data(ctx); unsigned int message_part = SHA_MSG_PART_MIDDLE, fill_size = 0; unsigned long in_data_len = inlen; unsigned char tmp_hash[SHA512_HASH_LENGTH]; if (in_data_len == 0) return 1; if (ibmca_sha512_ctx->c.runningLengthLow == 0 && ibmca_sha512_ctx->tail_len == 0) { message_part = SHA_MSG_PART_FIRST; ibmca_sha512_ctx->tail_len = in_data_len & 0x7f; if (ibmca_sha512_ctx->tail_len) { in_data_len &= ~0x7f; memcpy(ibmca_sha512_ctx->tail, in_data + in_data_len, ibmca_sha512_ctx->tail_len); } } else if (ibmca_sha512_ctx->c.runningLengthLow == 0 && ibmca_sha512_ctx->tail_len > 0) { /* Here we need to fill out the temporary tail buffer * until it has 128 bytes in it, then call ica_sha512 on * that buffer. If there weren't enough bytes passed * in to fill it out, just copy in what we can and * return success without calling ica_sha512. */ fill_size = SHA512_BLOCK_SIZE - ibmca_sha512_ctx->tail_len; if (fill_size < in_data_len) { memcpy(ibmca_sha512_ctx->tail + ibmca_sha512_ctx->tail_len, in_data, fill_size); /* Submit the filled out tail buffer */ if (p_ica_sha512((unsigned int) SHA_MSG_PART_FIRST, (unsigned int) SHA512_BLOCK_SIZE, ibmca_sha512_ctx->tail, &ibmca_sha512_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA512_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } } else { memcpy(ibmca_sha512_ctx->tail + ibmca_sha512_ctx->tail_len, in_data, in_data_len); ibmca_sha512_ctx->tail_len += in_data_len; return 1; } /* We had to use 'fill_size' bytes from in_data to fill out the * empty part of save data, so adjust in_data_len */ in_data_len -= fill_size; ibmca_sha512_ctx->tail_len = in_data_len & 0x7f; if (ibmca_sha512_ctx->tail_len) { in_data_len &= ~0x7f; memcpy(ibmca_sha512_ctx->tail, in_data + fill_size + in_data_len, ibmca_sha512_ctx->tail_len); /* fill_size is added to in_data down below */ } } else if (ibmca_sha512_ctx->c.runningLengthLow > 0) { if (ibmca_sha512_ctx->tail_len) { fill_size = SHA512_BLOCK_SIZE - ibmca_sha512_ctx->tail_len; if (fill_size < in_data_len) { memcpy(ibmca_sha512_ctx->tail + ibmca_sha512_ctx->tail_len, in_data, fill_size); /* Submit the filled out save buffer */ if (p_ica_sha512(message_part, (unsigned int) SHA512_BLOCK_SIZE, ibmca_sha512_ctx->tail, &ibmca_sha512_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA512_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } } else { memcpy(ibmca_sha512_ctx->tail + ibmca_sha512_ctx->tail_len, in_data, in_data_len); ibmca_sha512_ctx->tail_len += in_data_len; return 1; } /* * We had to use some of the data from in_data to * fill out the empty part of save data, so adjust * in_data_len */ in_data_len -= fill_size; ibmca_sha512_ctx->tail_len = in_data_len & 0x7f; if (ibmca_sha512_ctx->tail_len) { in_data_len &= ~0x7f; memcpy(ibmca_sha512_ctx->tail, in_data + fill_size + in_data_len, ibmca_sha512_ctx->tail_len); } } else { /* This is the odd case, where we need to go * ahead and send the first X * 128 byte chunks * in to be processed and copy the last <128 * byte area into the tail. */ ibmca_sha512_ctx->tail_len = in_data_len & 0x7f; if (ibmca_sha512_ctx->tail_len) { in_data_len &= ~0x7f; memcpy(ibmca_sha512_ctx->tail, in_data + in_data_len, ibmca_sha512_ctx->tail_len); } } } /* If the data passed in was <128 bytes, in_data_len will be 0 */ if (in_data_len && p_ica_sha512(message_part, (unsigned int) in_data_len, (unsigned char *) (in_data + fill_size), &ibmca_sha512_ctx->c, tmp_hash)) { IBMCAerr(IBMCA_F_IBMCA_SHA512_UPDATE, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_sha512_final(EVP_MD_CTX *ctx, unsigned char *md) { IBMCA_SHA512_CTX *ibmca_sha512_ctx = (IBMCA_SHA512_CTX *) EVP_MD_CTX_md_data(ctx); unsigned int message_part = 0; if (ibmca_sha512_ctx->c.runningLengthLow) message_part = SHA_MSG_PART_FINAL; else message_part = SHA_MSG_PART_ONLY; if (p_ica_sha512(message_part, ibmca_sha512_ctx->tail_len, (unsigned char *) ibmca_sha512_ctx->tail, &ibmca_sha512_ctx->c, md)) { IBMCAerr(IBMCA_F_IBMCA_SHA512_FINAL, IBMCA_R_REQUEST_FAILED); return 0; } return 1; } static int ibmca_sha512_cleanup(EVP_MD_CTX *ctx) { return 1; } #endif /* OPENSSL_NO_SHA512 */ #ifdef OLDER_OPENSSL # define DECLARE_SHA_EVP(type, pkey_type, md_size, flags, \ block_size, ctx_size, init, update, \ final, copy, cleanup) \ static const EVP_MD type##_md = { \ NID_##type, \ NID_##pkey_type, \ md_size, \ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|flags, \ init, \ update, \ final, \ copy, \ cleanup, \ EVP_PKEY_RSA_method, \ block_size, \ ctx_size \ }; \ const EVP_MD *ibmca_##type(void) \ { \ return &type##_md; \ } #else # define DECLARE_SHA_EVP(type, pkey_type, md_size, flags, \ block_size, ctx_size, init, update, \ final, copy, cleanup) \ static EVP_MD *type##_md = NULL; \ const EVP_MD *ibmca_##type(void) \ { \ EVP_MD *md; \ \ if (type##_md != NULL) \ goto done; \ \ if ((md = EVP_MD_meth_new(NID_##type, NID_##pkey_type)) == NULL \ || !EVP_MD_meth_set_result_size(md, md_size) \ || !EVP_MD_meth_set_input_blocksize(md, block_size) \ || !EVP_MD_meth_set_app_datasize(md, ctx_size) \ || !EVP_MD_meth_set_flags(md, flags) \ || !EVP_MD_meth_set_init(md, init) \ || !EVP_MD_meth_set_update(md, update) \ || !EVP_MD_meth_set_final(md, final) \ || !EVP_MD_meth_set_cleanup(md, cleanup)) { \ EVP_MD_meth_free(md); \ md = NULL; \ } \ type##_md = md; \ done: \ return type##_md; \ } \ \ void ibmca_##type##_destroy(void) \ { \ EVP_MD_meth_free(type##_md); \ type##_md = NULL; \ } #endif #ifndef OPENSSL_NO_SHA1 DECLARE_SHA_EVP(sha1, sha1WithRSAEncryption, SHA_HASH_LENGTH, EVP_MD_FLAG_FIPS, SHA_BLOCK_SIZE, sizeof(EVP_MD *) + sizeof(struct ibmca_sha1_ctx), ibmca_sha1_init, ibmca_sha1_update, ibmca_sha1_final, NULL, ibmca_sha1_cleanup) #endif #ifndef OPENSSL_NO_SHA256 DECLARE_SHA_EVP(sha256, sha256WithRSAEncryption, SHA256_HASH_LENGTH, EVP_MD_FLAG_FIPS, SHA256_BLOCK_SIZE, sizeof(EVP_MD *) + sizeof(struct ibmca_sha256_ctx), ibmca_sha256_init, ibmca_sha256_update, ibmca_sha256_final, NULL, ibmca_sha256_cleanup) #endif #ifndef OPENSSL_NO_SHA512 DECLARE_SHA_EVP(sha512, sha512WithRSAEncryption, SHA512_HASH_LENGTH, EVP_MD_FLAG_FIPS, SHA512_BLOCK_SIZE, sizeof(EVP_MD *) + sizeof(struct ibmca_sha512_ctx), ibmca_sha512_init, ibmca_sha512_update, ibmca_sha512_final, NULL, ibmca_sha512_cleanup) #endif openssl-ibmca-2.2.3/src/ibmca_dsa.c000066400000000000000000000105041421243614200171060ustar00rootroot00000000000000/* * Copyright [2005-2021] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "ibmca.h" #ifndef OPENSSL_NO_DSA /* This code was liberated and adapted from the commented-out code in * dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration * (it doesn't have a CRT form for RSA), this function means that an * Ibmca system running with a DSA server certificate can handshake * around 5 or 6 times faster/more than an equivalent system running with * RSA. Just check out the "signs" statistics from the RSA and DSA parts * of "openssl speed -engine ibmca dsa1024 rsa1024". */ #ifdef OLDER_OPENSSL static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) #else static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) #endif { BIGNUM *t; int to_return = 0; t = BN_new(); /* let rr = a1 ^ p1 mod m */ if (!ibmca_mod_exp(rr, a1, p1, m, ctx)) goto end; /* let t = a2 ^ p2 mod m */ if (!ibmca_mod_exp(t, a2, p2, m, ctx)) goto end; /* let rr = rr * t mod m */ if (!BN_mod_mul(rr, rr, t, m, ctx)) goto end; to_return = 1; end: BN_free(t); if (!to_return) return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont); return to_return; } #ifdef OLDER_OPENSSL static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) #else static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) #endif { if (!ibmca_mod_exp(r, a, p, m, ctx)) return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); return 1; } #ifdef OLDER_OPENSSL static DSA_METHOD dsa_m = { "Ibmca DSA method", /* name */ NULL, /* dsa_do_sign */ NULL, /* dsa_sign_setup */ NULL, /* dsa_do_verify */ ibmca_dsa_mod_exp, /* dsa_mod_exp */ ibmca_mod_exp_dsa, /* bn_mod_exp */ NULL, /* init */ NULL, /* finish */ DSA_FLAG_FIPS_METHOD, /* flags */ NULL /* app_data */ }; DSA_METHOD *ibmca_dsa(void) { const DSA_METHOD *meth1 = DSA_OpenSSL(); dsa_m.dsa_do_sign = meth1->dsa_do_sign; dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; dsa_m.dsa_do_verify = meth1->dsa_do_verify; return &dsa_m; } #else static DSA_METHOD *dsa_m = NULL; DSA_METHOD *ibmca_dsa(void) { const DSA_METHOD *meth1; DSA_METHOD *method; if (dsa_m != NULL) goto done; if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL || (meth1 = DSA_OpenSSL()) == NULL || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp) || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa) || !DSA_meth_set_flags(method, DSA_FLAG_FIPS_METHOD)) { DSA_meth_free(method); method = NULL; meth1 = NULL; } dsa_m = method; done: return dsa_m; } void ibmca_dsa_destroy(void) { DSA_meth_free(dsa_m); dsa_m = NULL; } #endif #endif /* endif OPENSSL_NO_DSA */ openssl-ibmca-2.2.3/src/ibmca_ec.c000066400000000000000000000702361421243614200167360ustar00rootroot00000000000000/* * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "ibmca.h" #include "e_ibmca_err.h" #ifndef OPENSSL_NO_EC ica_ec_key_new_t p_ica_ec_key_new; ica_ec_key_init_t p_ica_ec_key_init; ica_ec_key_generate_t p_ica_ec_key_generate; ica_ecdh_derive_secret_t p_ica_ecdh_derive_secret; ica_ecdsa_sign_t p_ica_ecdsa_sign; ica_ecdsa_verify_t p_ica_ecdsa_verify; ica_ec_key_get_public_key_t p_ica_ec_key_get_public_key; ica_ec_key_get_private_key_t p_ica_ec_key_get_private_key; ica_ec_key_free_t p_ica_ec_key_free; void ibmca_ec_destroy(void) { #ifdef OLDER_OPENSSL if (ibmca_ecdh) ECDH_METHOD_free(ibmca_ecdh); if (ibmca_ecdh) ECDSA_METHOD_free(ibmca_ecdsa); #else if (ibmca_ec) EC_KEY_METHOD_free(ibmca_ec); #endif } /** * ECDH key derivation method, replaces ossl_ecdh_compute_key. * * @return 1 success * 0 error */ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen, const EC_POINT *pub_key, const EC_KEY *ecdh) { ICA_EC_KEY *ica_pubkey = NULL, *ica_privkey = NULL; const EC_GROUP *group; BIGNUM *bn_d, *bn_x, *bn_y; unsigned int n, privlen; unsigned char X[IBMCA_EC_MAX_D_LEN]; unsigned char Y[IBMCA_EC_MAX_D_LEN]; unsigned char D[IBMCA_EC_MAX_D_LEN]; unsigned char *z_buf = NULL; int rc, ret = 0, nid; #ifndef OLDER_OPENSSL int (*compute_key_sw)(unsigned char **pout, size_t *poutlen, const EC_POINT *pub_key, const EC_KEY *ecdh) = NULL; #endif /* Get group from EC_KEY */ if ((group = EC_KEY_get0_group(ecdh)) == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INVALID_PARM); return 0; } /* Determine curve nid */ nid = EC_GROUP_get_curve_name(group); if (nid <= 0) { IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR); return 0; } /* Create ICA_EC_KEY object for public key */ ica_pubkey = p_ica_ec_key_new(nid, &privlen); if (ica_pubkey == NULL) { /* This curve is not supported by libica. */ #ifdef OLDER_OPENSSL return 0; #else /* * EC_KEY_METHOD_get_compute_key misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_compute_key((EC_KEY_METHOD *)ossl_ec, &compute_key_sw); if (compute_key_sw == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR); return 0; } return compute_key_sw(pout, poutlen, pub_key, ecdh); #endif } /* Get (X,Y) from EC_POINT */ bn_x = BN_new(); bn_y = BN_new(); if (!EC_POINT_get_affine_coordinates_GFp(group, pub_key, bn_x, bn_y, NULL)) { IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Format (X) as char array, with leading zeros if necessary */ n = privlen - BN_num_bytes(bn_x); memset(X, 0, n); BN_bn2bin(bn_x, &(X[n])); /* Format (Y) as char array, with leading zeros if necessary */ n = privlen - BN_num_bytes(bn_y); memset(Y, 0, n); BN_bn2bin(bn_y, &(Y[n])); /* Initialize public ICA_EC_KEY with (X,Y) */ rc = p_ica_ec_key_init(X, Y, NULL, ica_pubkey); if (rc != 0) { IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc); goto end; } /* Create ICA_EC_KEY object for private key */ ica_privkey = p_ica_ec_key_new(nid, &privlen); if (!ica_privkey) { IBMCAerr(IBMCA_F_ICA_EC_KEY_NEW, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Get private (D) value from EC_KEY */ bn_d = (BIGNUM*)EC_KEY_get0_private_key((EC_KEY*)ecdh); if (bn_d == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Format (D) as char array, with leading zeros if necessary */ n = privlen - BN_num_bytes(bn_d); memset(D, 0, n); BN_bn2bin(bn_d, &(D[n])); /* Initialize private ICA_EC_KEY with (D) */ rc = p_ica_ec_key_init(NULL, NULL, D, ica_privkey); if (rc != 0) { IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc); goto end; } /* Allocate memory for shared secret z, will be freed by caller */ if ((z_buf = OPENSSL_malloc(privlen)) == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Calculate shared secret z */ rc = p_ica_ecdh_derive_secret(ibmca_handle, ica_privkey, ica_pubkey, z_buf, privlen); if (rc != 0) { /* Possibly no suitable adapter. */ OPENSSL_free(z_buf); #ifdef OLDER_OPENSSL goto end; #else /* * EC_KEY_METHOD_get_compute_key misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_compute_key((EC_KEY_METHOD *)ossl_ec, &compute_key_sw); if (compute_key_sw == NULL) { IBMCAerr(IBMCA_F_ICA_ECDH_DERIVE_SECRET, rc); goto end; } ret = compute_key_sw(pout, poutlen, pub_key, ecdh); goto end; #endif } *pout = z_buf; *poutlen = privlen; ret = 1; end: p_ica_ec_key_free(ica_pubkey); p_ica_ec_key_free(ica_privkey); BN_clear_free(bn_x); BN_clear_free(bn_y); return ret; } /** * ECDSA signing method (replaces ossl_ecdsa_sign_sig). * * @return pointer to a ECDSA_SIG structure or NULL if an error occurred */ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) { ECDSA_SIG *sig = NULL; ICA_EC_KEY *icakey = NULL; const EC_GROUP *group; unsigned int privlen; BIGNUM *r, *s, *bn_d, *kinv; unsigned char D[IBMCA_EC_MAX_D_LEN]; unsigned char sigret[IBMCA_EC_MAX_SIG_LEN]; int n, nid, rc; #ifndef OLDER_OPENSSL int (*sign_sw)(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) = NULL; #endif int (*sign_setup_sw)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) = NULL; ECDSA_SIG *(*sign_sig_sw)(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) = NULL; BN_CTX *ctx; /* Check parms: precomputed (k,r) are not supported by ibmca */ if (in_kinv != NULL || in_r != NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INVALID_PARM); return NULL; } /* Get group */ if ((group = EC_KEY_get0_group(eckey)) == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INVALID_PARM); return NULL; } /* Check if key usable */ #ifndef OLDER_OPENSSL if (!EC_KEY_can_sign(eckey)) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING); return NULL; } #endif /* Get curve nid */ nid = EC_GROUP_get_curve_name(group); if (nid <= 0) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_UNSUPPORTED_CURVE); return NULL; } /* Create ICA_EC_KEY object */ icakey = p_ica_ec_key_new(nid, &privlen); if (icakey == NULL) { /* This curve is not supported by libica. */ #ifdef OLDER_OPENSSL ECDSA_METHOD_get_sign(ossl_ecdsa, &sign_setup_sw, &sign_sig_sw); #else /* * EC_KEY_METHOD_get_sign misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_sign((EC_KEY_METHOD *)ossl_ec, &sign_sw, &sign_setup_sw, &sign_sig_sw); #endif if (sign_sig_sw == NULL || sign_setup_sw == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INTERNAL_ERROR); return NULL; } kinv = NULL; r = NULL; ctx = BN_CTX_new(); sign_setup_sw(eckey, ctx, &kinv, &r); BN_CTX_free(ctx); sig = sign_sig_sw(dgst, dgst_len, kinv, r, eckey); BN_clear_free(kinv); BN_clear_free(r); return sig; } /* Get private (D) value from EC_KEY */ bn_d = (BIGNUM*)EC_KEY_get0_private_key(eckey); if (bn_d == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Format (D) as char array, with leading zeros if necessary */ n = privlen - BN_num_bytes(bn_d); memset(D, 0, n); BN_bn2bin(bn_d, &(D[n])); /* Initialize private ICA_EC_KEY */ rc = p_ica_ec_key_init(NULL, NULL, D, icakey); if (rc != 0) { IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc); goto end; } /* Call libica signing routine */ rc = p_ica_ecdsa_sign(ibmca_handle, icakey, dgst, dgst_len, sigret, sizeof(sigret)); if (rc != 0) { /* Possibly no adapter. */ #ifdef OLDER_OPENSSL ECDSA_METHOD_get_sign(ossl_ecdsa, &sign_setup_sw, &sign_sig_sw); #else /* * EC_KEY_METHOD_get_sign misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_sign((EC_KEY_METHOD *)ossl_ec, &sign_sw, &sign_setup_sw, &sign_sig_sw); #endif if (sign_sig_sw == NULL || sign_setup_sw == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN_SIG, IBMCA_R_EC_INTERNAL_ERROR); return NULL; } kinv = NULL; r = NULL; ctx = BN_CTX_new(); sign_setup_sw(eckey, ctx, &kinv, &r); BN_CTX_free(ctx); sig = sign_sig_sw(dgst, dgst_len, kinv, r, eckey); BN_clear_free(kinv); BN_clear_free(r); goto end2; } /* Construct ECDSA_SIG object from char array */ r = BN_bin2bn(sigret, privlen, NULL); s = BN_bin2bn(sigret + privlen, privlen, NULL); sig = ECDSA_SIG_new(); end: #ifndef OLDER_OPENSSL if (sig) ECDSA_SIG_set0(sig, r, s); #else if (sig) { BN_free(sig->r); sig->r = r; BN_free(sig->s); sig->s = s; } #endif end2: p_ica_ec_key_free(icakey); return sig; } /** * ECDSA verify method (replaces ossl_ecdsa_verify_sig). * * @return * 1: correct signature * 0: incorrect signature * -1: error */ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey) { const EC_GROUP *group; const EC_POINT *q; unsigned char x_array[IBMCA_EC_MAX_D_LEN]; unsigned char y_array[IBMCA_EC_MAX_D_LEN]; unsigned char sig_array[IBMCA_EC_MAX_Q_LEN]; BIGNUM *bn_x = NULL, *bn_y = NULL; const BIGNUM *bn_r, *bn_s; unsigned int privlen; ICA_EC_KEY *icakey = NULL; int rc, n, nid; int ret = -1; #ifndef OLDER_OPENSSL int (*verify_sw)(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) = NULL; #endif int (*verify_sig_sw)(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey) = NULL; /* Check parms */ if (eckey == NULL || sig == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS); return ret; } /* Check if key usable */ #ifndef OLDER_OPENSSL if (!EC_KEY_can_sign(eckey)) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING); return ret; } #endif /* Get group */ if ((group = EC_KEY_get0_group(eckey)) == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR); return ret; } /* Get curve nid */ nid = EC_GROUP_get_curve_name(group); if (nid <= 0) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_UNSUPPORTED_CURVE); return ret; } /* Create ICA_EC_KEY object */ icakey = p_ica_ec_key_new(nid, &privlen); if (icakey == NULL) { /* This curve is not supported by libica. */ #ifdef OLDER_OPENSSL ECDSA_METHOD_get_verify(ossl_ecdsa, &verify_sig_sw); #else /* * EC_KEY_METHOD_get_verify misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_verify((EC_KEY_METHOD *)ossl_ec, &verify_sw, &verify_sig_sw); #endif if (verify_sig_sw == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR); return ret; } return verify_sig_sw(dgst, dgst_len, sig, eckey); } /* Provide public key (X,Y) */ bn_x = BN_new(); bn_y = BN_new(); q = EC_KEY_get0_public_key(eckey); if (!EC_POINT_get_affine_coordinates_GFp(group, q, bn_x, bn_y, NULL)) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Format (X) as char array with leading nulls if necessary */ n = privlen - BN_num_bytes(bn_x); memset(x_array, 0, n); BN_bn2bin(bn_x, &(x_array[n])); /* Format (Y) as char array with leading nulls if necessary */ n = privlen - BN_num_bytes(bn_y); memset(y_array, 0, n); BN_bn2bin(bn_y, &(y_array[n])); /* Initialize ICA_EC_KEY */ rc = p_ica_ec_key_init(x_array, y_array, NULL, icakey); if (rc != 0) { IBMCAerr(IBMCA_F_ICA_EC_KEY_INIT, rc); goto end; } /* Get (r,s) from ECDSA_SIG */ #ifdef OLDER_OPENSSL bn_r = sig->r; bn_s = sig->s; #else ECDSA_SIG_get0(sig, &bn_r, &bn_s); #endif /* Format r as byte array with leading 0x00's if necessary */ n = privlen - BN_num_bytes(bn_r); memset(sig_array, 0, n); BN_bn2bin(bn_r, &(sig_array[n])); /* Format s as byte array with leading 0x00's if necessary */ n = privlen - BN_num_bytes(bn_s); memset(&(sig_array[privlen]), 0, n); BN_bn2bin(bn_s, &(sig_array[privlen+n])); /* Call libica verify routine */ rc = p_ica_ecdsa_verify(ibmca_handle, icakey, dgst, dgst_len, sig_array, 2 * privlen); switch (rc) { case 0: ret = 1; /* signature valid */ break; case EFAULT: ret = 0; /* signature invalid */ break; default: /* Possibly no suitable adapter. */ #ifdef OLDER_OPENSSL ECDSA_METHOD_get_verify(ossl_ecdsa, &verify_sig_sw); #else /* * EC_KEY_METHOD_get_verify misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_verify((EC_KEY_METHOD *)ossl_ec, &verify_sw, &verify_sig_sw); #endif if (verify_sig_sw == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, IBMCA_R_EC_INTERNAL_ERROR); goto end; } ret = verify_sig_sw(dgst, dgst_len, sig, eckey); break; } end: p_ica_ec_key_free(icakey); BN_clear_free(bn_x); BN_clear_free(bn_y); return ret; } /* --- OLDER_OPENSSL section --- */ #ifdef OLDER_OPENSSL ECDSA_METHOD *ibmca_ecdsa = NULL; ECDH_METHOD *ibmca_ecdh = NULL; /* * This structure is opaque in openssl. However, get/set methods are missing * so we copy its definition and write our own. */ struct ecdh_method { const char *name; int (*compute_key)(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen)); int flags; void *app_data; }; struct ecdsa_method { const char *name; ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey); int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **r); int (*verify_sig)(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey); int flags; void *app_data; }; /** * ECDH key derivation method, replaces ossl_ecdh_compute_key for older openssl. * * @return 1 success * 0 error */ int ibmca_older_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)) { int rc = 0; unsigned char *temp_p = NULL; size_t temp_len = 0; int (*compute_key_sw)(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen)) = NULL; rc = ibmca_ecdh_compute_key(&temp_p, &temp_len, pub_key, ecdh); if (!rc) { ECDH_METHOD_get_compute_key(ossl_ecdh, &compute_key_sw); rc = compute_key_sw == NULL ? 0 : compute_key_sw(out, outlen, pub_key, ecdh, KDF); goto end; } if (outlen < temp_len) { rc = 0; goto end; } if (KDF != NULL) { if (KDF(temp_p, temp_len, out, &outlen) == NULL) { rc = 0; goto end; } rc = outlen; } else { if (outlen > temp_len) outlen = temp_len; memcpy(out, temp_p, outlen); rc = outlen; } end: OPENSSL_free(temp_p); return rc; } /** * ECDSA sign method, replaces ecdsa_do_sign for older openssl. */ ECDSA_SIG *ibmca_older_ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) { if (in_kinv != NULL || in_r != NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_DO_SIGN, IBMCA_R_EC_INVALID_PARM); return NULL; } return ibmca_ecdsa_sign_sig(dgst, dgst_len, NULL, NULL, eckey); } /** * ECDSA verify method, replaces ecdsa_do_verify for older openssl. * * @return 1 success * 0 error */ int ibmca_older_ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey) { return ibmca_ecdsa_verify_sig(dgst, dgst_len, sig, eckey); } /* * APIs which are missing in openssl 1.0.2. */ ECDH_METHOD *ECDH_METHOD_new(const ECDH_METHOD *meth) { ECDH_METHOD *out; out = OPENSSL_malloc(sizeof(*out)); if (out == NULL) return NULL; if (meth) memcpy(out, meth, sizeof(*out)); else memset(out, 0, sizeof(*out)); return out; } void ECDH_METHOD_set_compute_key(ECDH_METHOD *meth, int (*compute_key)(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))) { meth->compute_key = compute_key; } void ECDH_METHOD_get_compute_key(const ECDH_METHOD *meth, int (**compute_key)(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))) { if (compute_key != NULL) *compute_key = meth->compute_key; } void ECDH_METHOD_set_name(ECDH_METHOD *meth, char *name) { meth->name = name; } void ECDH_METHOD_free(ECDH_METHOD *meth) { OPENSSL_free(meth); } void ECDSA_METHOD_get_sign(const ECDSA_METHOD *meth, int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp), ECDSA_SIG *(**psign_sig)(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)) { if (psign_setup != NULL) *psign_setup = meth->sign_setup; if (psign_sig != NULL) *psign_sig = meth->sign_sig; } void ECDSA_METHOD_get_verify(const ECDSA_METHOD *meth, int (**pverify_sig)(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey)) { if (pverify_sig != NULL) *pverify_sig = meth->verify_sig; } /* --- !OLDER_OPENSSL section --- */ #else EC_KEY_METHOD *ibmca_ec = NULL; /** * EC key generation method, replaces ossl_ec_key_gen. * * @return 1 success * 0 error */ int ibmca_ec_key_gen(EC_KEY *eckey) { ICA_EC_KEY *icakey = NULL; EC_POINT *pubkey = NULL; const EC_GROUP *group; BIGNUM *privkey = NULL, *bn_x = NULL, *bn_y = NULL; unsigned int privlen; int nid, rc, ret = 0; unsigned int q_len, d_len; unsigned char q[IBMCA_EC_MAX_Q_LEN]; unsigned char d[IBMCA_EC_MAX_D_LEN]; int (*keygen_sw)(EC_KEY *key) = NULL; /* Check group */ if ((group = EC_KEY_get0_group(eckey)) == NULL) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INVALID_PARM); return 0; } /* Determine curve nid */ nid = EC_GROUP_get_curve_name(group); if (nid <= 0) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); return 0; } /* Create ICA_EC_KEY object */ icakey = p_ica_ec_key_new(nid, &privlen); if (icakey == NULL) { /* This curve is not supported by libica */ /* * EC_KEY_METHOD_get_keygen misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_keygen((EC_KEY_METHOD *)ossl_ec, &keygen_sw); if (keygen_sw == NULL) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); return 0; } return keygen_sw(eckey); } /* Generate key */ rc = p_ica_ec_key_generate(ibmca_handle, icakey); if (rc != 0) { /* Possibly disabled adapter. */ /* * EC_KEY_METHOD_get_keygen misses the const-qualifier of the * parameter in some openssl versions. */ EC_KEY_METHOD_get_keygen((EC_KEY_METHOD *)ossl_ec, &keygen_sw); if (keygen_sw == NULL) { IBMCAerr(IBMCA_F_ICA_EC_KEY_GENERATE, rc); goto end; } ret = keygen_sw(eckey); goto end; } /* Get public key data from ICA_EC_KEY */ rc = p_ica_ec_key_get_public_key(icakey, (unsigned char*)&q, &q_len); if (rc != 0) { IBMCAerr(IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY, rc); goto end; } /* Make EC_POINT */ pubkey = EC_POINT_new(group); if (!pubkey) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Add public key data to EC_POINT */ bn_x = BN_bin2bn((const unsigned char*)&q, q_len / 2, NULL); bn_y = BN_bin2bn((const unsigned char*)&(q[q_len / 2]), q_len / 2, NULL); if (!EC_POINT_set_affine_coordinates_GFp(group, pubkey, bn_x, bn_y, NULL)) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Add EC_POINT to EC_KEY */ if (!EC_KEY_set_public_key(eckey, pubkey)) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); goto end; } /* Get private key data from ICA_EC_KEY */ rc = p_ica_ec_key_get_private_key(icakey, (unsigned char*)&d, &d_len); if (rc != 0) { IBMCAerr(IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY, rc); goto end; } /* Add private key data to EC_KEY */ privkey = BN_bin2bn((unsigned char*)&d, d_len, NULL); if (!EC_KEY_set_private_key(eckey, privkey)) { IBMCAerr(IBMCA_F_IBMCA_EC_KEY_GEN, IBMCA_R_EC_INTERNAL_ERROR); goto end; } ret = 1; end: p_ica_ec_key_free(icakey); EC_POINT_free(pubkey); BN_clear_free(privkey); BN_clear_free(bn_x); BN_clear_free(bn_y); return ret; } /** * ECDSA signing method (replaces ossl_ecdsa_sign). * * returns 1 if success * 0 if error */ int ibmca_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig_array, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) { ECDSA_SIG *sig; const BIGNUM *bn_r, *bn_s; const EC_GROUP *group; int n, r_len, rc; /* Check parms: precomputed (k,r) are not supported by ibmca */ if (kinv != NULL || r != NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN, IBMCA_R_EC_INVALID_PARM); return 0; } /* Create signature */ sig = ibmca_ecdsa_sign_sig(dgst, dlen, NULL, NULL, eckey); if (sig == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN, IBMCA_R_EC_INTERNAL_ERROR); *siglen = 0; return 0; } /* Determine r-length */ if ((group = EC_KEY_get0_group(eckey)) == NULL) { IBMCAerr(IBMCA_F_IBMCA_ECDSA_SIGN, IBMCA_R_EC_INTERNAL_ERROR); rc = 0; goto ret; } r_len = (EC_GROUP_get_degree(group) + 7) / 8; /* Get (r,s) from ECDSA_SIG */ ECDSA_SIG_get0(sig, &bn_r, &bn_s); /* Format r as byte array with leading 0x00's if necessary */ n = r_len - BN_num_bytes(bn_r); memset(sig_array, 0, n); BN_bn2bin(bn_r, &(sig_array[n])); /* Format s as byte array with leading 0x00's if necessary */ n = r_len - BN_num_bytes(bn_s); memset(&(sig_array[r_len]), 0, n); BN_bn2bin(bn_s, &(sig_array[r_len + n])); /* Create DER encoding */ *siglen = i2d_ECDSA_SIG(sig, &sig_array); rc = 1; ret: ECDSA_SIG_free(sig); return rc; } /** * ECDSA verify method (replaces ossl_ecdsa_verify). Just create an ECDSA_SIG object * from given byte array and call ibmca_ecdsa_verify_sig. * * @return * 1: correct signature * 0: incorrect signature * -1: error */ int ibmca_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) { ECDSA_SIG *s; const unsigned char *p = sigbuf; unsigned char *der = NULL; int derlen = -1; int ret = -1; s = ECDSA_SIG_new(); if (s == NULL) return ret; if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err; /* Ensure signature uses DER and doesn't have trailing garbage */ derlen = i2d_ECDSA_SIG(s, &der); if (derlen != sig_len || memcmp(sigbuf, der, derlen) != 0) goto err; ret = ibmca_ecdsa_verify_sig(dgst, dgst_len, s, eckey); err: OPENSSL_clear_free(der, derlen); ECDSA_SIG_free(s); return ret; } #endif #else /* non-empty compilation unit */ static void *variable = &variable; #endif openssl-ibmca-2.2.3/src/ibmca_pkey.c000066400000000000000000000435531421243614200173210ustar00rootroot00000000000000/* * Copyright 2019-2021 International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #include "ibmca.h" #include "e_ibmca_err.h" #include "openssl-compat.h" ica_x25519_ctx_new_t p_ica_x25519_ctx_new; ica_x448_ctx_new_t p_ica_x448_ctx_new; ica_ed25519_ctx_new_t p_ica_ed25519_ctx_new; ica_ed448_ctx_new_t p_ica_ed448_ctx_new; ica_x25519_key_set_t p_ica_x25519_key_set; ica_x448_key_set_t p_ica_x448_key_set; ica_ed25519_key_set_t p_ica_ed25519_key_set; ica_ed448_key_set_t p_ica_ed448_key_set; ica_x25519_key_get_t p_ica_x25519_key_get; ica_x448_key_get_t p_ica_x448_key_get; ica_ed25519_key_get_t p_ica_ed25519_key_get; ica_ed448_key_get_t p_ica_ed448_key_get; ica_x25519_key_gen_t p_ica_x25519_key_gen; ica_x448_key_gen_t p_ica_x448_key_gen; ica_ed25519_key_gen_t p_ica_ed25519_key_gen; ica_ed448_key_gen_t p_ica_ed448_key_gen; ica_x25519_derive_t p_ica_x25519_derive; ica_x448_derive_t p_ica_x448_derive; ica_ed25519_sign_t p_ica_ed25519_sign; ica_ed448_sign_t p_ica_ed448_sign; ica_ed25519_verify_t p_ica_ed25519_verify; ica_ed448_verify_t p_ica_ed448_verify; ica_x25519_ctx_del_t p_ica_x25519_ctx_del; ica_x448_ctx_del_t p_ica_x448_ctx_del; ica_ed25519_ctx_del_t p_ica_ed25519_ctx_del; ica_ed448_ctx_del_t p_ica_ed448_ctx_del; static EVP_PKEY_METHOD *ibmca_x25519_pmeth = NULL; static EVP_PKEY_METHOD *ibmca_x448_pmeth = NULL; static EVP_PKEY_METHOD *ibmca_ed25519_pmeth = NULL; static EVP_PKEY_METHOD *ibmca_ed448_pmeth = NULL; /* X25519 */ static int ibmca_x25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) { unsigned char priv[32], pub[32], *private = NULL; ECX_KEY *key = NULL; ICA_X25519_CTX *ctx = NULL; int rc = 0; if (p_ica_x25519_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_x25519_key_gen(ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } if (p_ica_x25519_key_get(ctx, priv, pub) != 0) { IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X25519); private = calloc(1, sizeof(priv)); if (key == NULL || private == NULL) { IBMCAerr(IBMCA_F_IBMCA_X25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } memcpy(private, priv, sizeof(priv)); ossl_ecx_copypubkey(key, pub, sizeof(pub)); ossl_ecx_set0_privkey(key, private); EVP_PKEY_assign(pkey, NID_X25519, key); rc = 1; ret: if (rc == 0) { free(key); free(private); } if (ctx != NULL) p_ica_x25519_ctx_del(&ctx); return rc; } static int ibmca_x25519_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { if (type == EVP_PKEY_CTRL_PEER_KEY) return 1; return -2; } static int ibmca_x25519_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t *keylen) { ICA_X25519_CTX *ctx = NULL; ECX_KEY *key_ecx = NULL, *peerkey_ecx = NULL; EVP_PKEY *key_pkey = NULL, *peerkey_pkey = NULL; int rc = 0; *keylen = 32; if (key == NULL) { rc = 1; goto ret; } key_pkey = EVP_PKEY_CTX_get0_pkey(pkey_ctx); peerkey_pkey = EVP_PKEY_CTX_get0_peerkey(pkey_ctx); if (key_pkey == NULL || peerkey_pkey == NULL) { IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } key_ecx = EVP_PKEY_get0(key_pkey); peerkey_ecx = EVP_PKEY_get0(peerkey_pkey); if (key_ecx == NULL || peerkey_ecx == NULL) { IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_x25519_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_x25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { IBMCAerr(IBMCA_F_IBMCA_X25519_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_x25519_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0) goto ret; rc = 1; ret: if (ctx != NULL) p_ica_x25519_ctx_del(&ctx); return rc; } /* X448 */ static int ibmca_x448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) { unsigned char priv[56], pub[56], *private = NULL; ECX_KEY *key = NULL; ICA_X448_CTX *ctx = NULL; int rc = 0; if (p_ica_x448_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_x448_key_gen(ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } if (p_ica_x448_key_get(ctx, priv, pub) != 0) { IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_X448); private = calloc(1, sizeof(priv)); if (key == NULL || private == NULL) { IBMCAerr(IBMCA_F_IBMCA_X448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } memcpy(private, priv, sizeof(priv)); ossl_ecx_copypubkey(key, pub, sizeof(pub)); ossl_ecx_set0_privkey(key, private); EVP_PKEY_assign(pkey, NID_X448, key); rc = 1; ret: if (rc == 0) { free(key); free(private); } if (ctx != NULL) p_ica_x448_ctx_del(&ctx); return rc; } static int ibmca_x448_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { if (type == EVP_PKEY_CTRL_PEER_KEY) return 1; return -2; } static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t *keylen) { ICA_X448_CTX *ctx = NULL; ECX_KEY *key_ecx = NULL, *peerkey_ecx = NULL; EVP_PKEY *key_pkey = NULL, *peerkey_pkey = NULL; int rc = 0; *keylen = 56; if (key == NULL) { rc = 1; goto ret; } key_pkey = EVP_PKEY_CTX_get0_pkey(pkey_ctx); peerkey_pkey = EVP_PKEY_CTX_get0_peerkey(pkey_ctx); if (key_pkey == NULL || peerkey_pkey == NULL) { IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } key_ecx = EVP_PKEY_get0(key_pkey); peerkey_ecx = EVP_PKEY_get0(peerkey_pkey); if (key_ecx == NULL || peerkey_ecx == NULL) { IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_x448_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_x448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { IBMCAerr(IBMCA_F_IBMCA_X448_DERIVE, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_x448_derive(ctx, key, ossl_ecx_get0_pubkey(peerkey_ecx)) != 0) goto ret; rc = 1; ret: if (ctx != NULL) p_ica_x448_ctx_del(&ctx); return rc; } /* ED25519 */ static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from) { return 1; } static int ibmca_ed25519_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) { unsigned char priv[32], pub[32], *private = NULL; ECX_KEY *key = NULL; ICA_ED25519_CTX *ctx = NULL; int rc = 0; if (p_ica_ed25519_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_ed25519_key_gen(ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } if (p_ica_ed25519_key_get(ctx, priv, pub) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED25519); private = calloc(1, sizeof(priv)); if (key == NULL || private == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED25519_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } memcpy(private, priv, sizeof(priv)); ossl_ecx_copypubkey(key, pub, sizeof(pub)); ossl_ecx_set0_privkey(key, private); EVP_PKEY_assign(pkey, NID_ED25519, key); rc = 1; ret: if (rc == 0) { free(key); free(private); } if (ctx != NULL) p_ica_ed25519_ctx_del(&ctx); return rc; } static int ibmca_ed25519_sign(EVP_MD_CTX *md_ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { ICA_ED25519_CTX *ctx = NULL; ECX_KEY *key_ecx = NULL; EVP_PKEY *key_pkey = NULL; int rc = 0; if (sig == NULL) { *siglen = 2 * 32; return 1; } if (*siglen < 2 * 32) goto ret; key_pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(md_ctx)); if (key_pkey == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } key_ecx = EVP_PKEY_get0(key_pkey); if (key_ecx == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed25519_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_ed25519_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed25519_sign(ctx, sig, tbs, tbslen) != 0) goto ret; *siglen = 2 * 32; rc = 1; ret: if (ctx != NULL) p_ica_ed25519_ctx_del(&ctx); return rc; } static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbv, size_t tbvlen) { ICA_ED25519_CTX *ctx = NULL; ECX_KEY *key_ecx = NULL; EVP_PKEY *key_pkey = NULL; int rc = 0; if (sig == NULL || siglen != 2 * 32) goto ret; key_pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(md_ctx)); if (key_pkey == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } key_ecx = EVP_PKEY_get0(key_pkey); if (key_ecx == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed25519_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_ed25519_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED25519_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed25519_verify(ctx, sig, tbv, tbvlen) != 0) goto ret; rc = 1; ret: if (ctx != NULL) p_ica_ed25519_ctx_del(&ctx); return rc; } /* ED448 */ static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from) { return 1; } static int ibmca_ed448_keygen(EVP_PKEY_CTX *c, EVP_PKEY *pkey) { unsigned char priv[57], pub[57], *private = NULL; ECX_KEY *key = NULL; ICA_ED448_CTX *ctx = NULL; int rc = 0; if (p_ica_ed448_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_ed448_key_gen(ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } if (p_ica_ed448_key_get(ctx, priv, pub) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } key = ossl_ecx_key_new_simple(ECX_KEY_TYPE_ED448); private = calloc(1, sizeof(priv)); if (key == NULL || private == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED448_KEYGEN, IBMCA_R_PKEY_KEYGEN_FAILED); goto ret; } memcpy(private, priv, sizeof(priv)); ossl_ecx_copypubkey(key, pub, sizeof(pub)); ossl_ecx_set0_privkey(key, private); EVP_PKEY_assign(pkey, NID_ED448, key); rc = 1; ret: if (rc == 0) { free(key); free(private); } if (ctx != NULL) p_ica_ed448_ctx_del(&ctx); return rc; } static int ibmca_ed448_sign(EVP_MD_CTX *md_ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { ICA_ED448_CTX *ctx = NULL; ECX_KEY *key_ecx = NULL; EVP_PKEY *key_pkey = NULL; int rc = 0; if (sig == NULL) { *siglen = 2 * 57; return 1; } if (*siglen < 2 * 57) goto ret; key_pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(md_ctx)); if (key_pkey == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } key_ecx = EVP_PKEY_get0(key_pkey); if (key_ecx == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed448_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_ed448_key_set(ctx, ossl_ecx_get0_privkey(key_ecx), NULL) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_SIGN, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed448_sign(ctx, sig, tbs, tbslen) != 0) goto ret; *siglen = 2 * 57; rc = 1; ret: if (ctx != NULL) p_ica_ed448_ctx_del(&ctx); return rc; } static int ibmca_ed448_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbv, size_t tbvlen) { ICA_ED448_CTX *ctx = NULL; ECX_KEY *key_ecx = NULL; EVP_PKEY *key_pkey = NULL; int rc = 0; if (sig == NULL || siglen != 2 * 57) goto ret; key_pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(md_ctx)); if (key_pkey == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } key_ecx = EVP_PKEY_get0(key_pkey); if (key_ecx == NULL) { IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed448_ctx_new(&ctx) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_INTERNAL_ERROR); goto ret; } if (p_ica_ed448_key_set(ctx, NULL, ossl_ecx_get0_pubkey(key_ecx)) != 0) { IBMCAerr(IBMCA_F_IBMCA_ED448_VERIFY, IBMCA_R_PKEY_KEYS_NOT_SET); goto ret; } if (p_ica_ed448_verify(ctx, sig, tbv, tbvlen) != 0) goto ret; rc = 1; ret: if (ctx != NULL) p_ica_ed448_ctx_del(&ctx); return rc; } /* Methods */ static int ibmca_ed_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { switch (type) { case EVP_PKEY_CTRL_MD: /* Only NULL allowed as digest */ if (p2 == NULL || (const EVP_MD *)p2 == EVP_md_null()) return 1; return 0; case EVP_PKEY_CTRL_DIGESTINIT: return 1; } return -2; } const EVP_PKEY_METHOD *ibmca_x25519(void) { if (ibmca_x25519_pmeth != NULL) goto ret; ibmca_x25519_pmeth = EVP_PKEY_meth_new(NID_X25519, 0); if (ibmca_x25519_pmeth == NULL) goto ret; EVP_PKEY_meth_set_ctrl(ibmca_x25519_pmeth, ibmca_x25519_ctrl, NULL); EVP_PKEY_meth_set_keygen(ibmca_x25519_pmeth, NULL, ibmca_x25519_keygen); EVP_PKEY_meth_set_derive(ibmca_x25519_pmeth, NULL, ibmca_x25519_derive); ret: return ibmca_x25519_pmeth; } const EVP_PKEY_METHOD *ibmca_x448(void) { if (ibmca_x448_pmeth != NULL) goto ret; ibmca_x448_pmeth = EVP_PKEY_meth_new(NID_X448, 0); if (ibmca_x448_pmeth == NULL) goto ret; EVP_PKEY_meth_set_ctrl(ibmca_x448_pmeth, ibmca_x448_ctrl, NULL); EVP_PKEY_meth_set_keygen(ibmca_x448_pmeth, NULL, ibmca_x448_keygen); EVP_PKEY_meth_set_derive(ibmca_x448_pmeth, NULL, ibmca_x448_derive); ret: return ibmca_x448_pmeth; } const EVP_PKEY_METHOD *ibmca_ed25519(void) { if (ibmca_ed25519_pmeth != NULL) goto ret; ibmca_ed25519_pmeth = EVP_PKEY_meth_new(NID_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM); if (ibmca_ed25519_pmeth == NULL) goto ret; EVP_PKEY_meth_set_ctrl(ibmca_ed25519_pmeth, ibmca_ed_ctrl, NULL); EVP_PKEY_meth_set_copy(ibmca_ed25519_pmeth, ibmca_ed25519_copy); EVP_PKEY_meth_set_keygen(ibmca_ed25519_pmeth, NULL, ibmca_ed25519_keygen); EVP_PKEY_meth_set_digestsign(ibmca_ed25519_pmeth, ibmca_ed25519_sign); EVP_PKEY_meth_set_digestverify(ibmca_ed25519_pmeth, ibmca_ed25519_verify); ret: return ibmca_ed25519_pmeth; } const EVP_PKEY_METHOD *ibmca_ed448(void) { if (ibmca_ed448_pmeth != NULL) goto ret; ibmca_ed448_pmeth = EVP_PKEY_meth_new(NID_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM); if (ibmca_ed448_pmeth == NULL) goto ret; EVP_PKEY_meth_set_ctrl(ibmca_ed448_pmeth, ibmca_ed_ctrl, NULL); EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy); EVP_PKEY_meth_set_keygen(ibmca_ed448_pmeth, NULL, ibmca_ed448_keygen); EVP_PKEY_meth_set_digestsign(ibmca_ed448_pmeth, ibmca_ed448_sign); EVP_PKEY_meth_set_digestverify(ibmca_ed448_pmeth, ibmca_ed448_verify); ret: return ibmca_ed448_pmeth; } void ibmca_x25519_destroy(void) { if (ibmca_x25519_pmeth != NULL) { EVP_PKEY_meth_free(ibmca_x25519_pmeth); ibmca_x25519_pmeth = NULL; } } void ibmca_x448_destroy(void) { if (ibmca_x448_pmeth != NULL) { EVP_PKEY_meth_free(ibmca_x448_pmeth); ibmca_x448_pmeth = NULL; } } void ibmca_ed25519_destroy(void) { if (ibmca_ed25519_pmeth != NULL) { EVP_PKEY_meth_free(ibmca_ed25519_pmeth); ibmca_ed25519_pmeth = NULL; } } void ibmca_ed448_destroy(void) { if (ibmca_ed448_pmeth != NULL) { EVP_PKEY_meth_free(ibmca_ed448_pmeth); ibmca_ed448_pmeth = NULL; } } openssl-ibmca-2.2.3/src/ibmca_rsa.c000066400000000000000000000310701421243614200171250ustar00rootroot00000000000000/* * Copyright [2005-2021] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "ibmca.h" #include "e_ibmca_err.h" #include /* * Define compat functions for older OpenSSL versions */ #ifdef OLDER_OPENSSL void RSA_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) { if (n != NULL) *n = rsa->n; if (e != NULL) *e = rsa->e; if (d != NULL) *d = rsa->d; } void RSA_get0_factors(const RSA *rsa, const BIGNUM **p, const BIGNUM **q) { if (p != NULL) *p = rsa->p; if (q != NULL) *q = rsa->q; } void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp) { if (dmp1 != NULL) *dmp1 = rsa->dmp1; if (dmq1 != NULL) *dmq1 = rsa->dmq1; if (iqmp != NULL) *iqmp = rsa->iqmp; } #endif int ibmca_mod_exp(BIGNUM * r, const BIGNUM * a, const BIGNUM * p, const BIGNUM * m, BN_CTX * ctx) { /* r = (a^p) mod m * r = output * a = input * p = exponent * m = modulus */ unsigned char *input = NULL, *output = NULL; ica_rsa_key_mod_expo_t *key = NULL; unsigned int rc; int plen, mlen, inputlen; /* * make necessary memory allocations * FIXME: Would it be possible to minimize memory allocation overhead by * either allocating it all at once or having a static storage? */ key = (ica_rsa_key_mod_expo_t *) calloc(1, sizeof(ica_rsa_key_mod_expo_t)); if (key == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } key->key_length = mlen = BN_num_bytes(m); key->modulus = (unsigned char *) calloc(1, key->key_length); if (key->modulus == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } plen = BN_num_bytes(p); /* despite plen, key->exponent must be key->key_length in size */ key->exponent = (unsigned char *) calloc(1, key->key_length); if (key->exponent == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } inputlen = BN_num_bytes(a); /* despite inputlen, input and output must be key->key_length in size */ input = (unsigned char *) calloc(1, key->key_length); if (input == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } output = (unsigned char *) calloc(1, key->key_length); if (output == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } /* Now convert from BIGNUM representation. * Everything must be right-justified */ BN_bn2bin(m, key->modulus); BN_bn2bin(p, key->exponent + key->key_length - plen); BN_bn2bin(a, input + key->key_length - inputlen); /* execute the ica mod_exp call */ rc = p_ica_rsa_mod_expo(ibmca_handle, input, key, output); if (rc != 0) { goto err; } else { rc = 1; } /* Convert output to BIGNUM representation. * right-justified output applies */ /* BN_bin2bn((unsigned char *) (output + key->key_length - inputlen), * inputlen, r); */ BN_bin2bn((unsigned char *) output, key->key_length, r); goto end; err: rc = 0; /* error condition */ end: free(key->exponent); free(key->modulus); free(key); free(input); free(output); return rc; } #ifndef OPENSSL_NO_RSA static int ibmca_mod_exp_crt(BIGNUM * r, const BIGNUM * a, const BIGNUM * p, const BIGNUM * q, const BIGNUM * dmp1, const BIGNUM * dmq1, const BIGNUM * iqmp, BN_CTX * ctx) { /* * r = output * a = input * p and q are themselves * dmp1, dmq1 are dp and dq respectively * iqmp is qInverse */ ica_rsa_key_crt_t *key = NULL; unsigned char *output = NULL, *input = NULL; int rc; int plen, qlen, dplen, dqlen, qInvlen; int inputlen; /* * make necessary memory allocations * FIXME: Would it be possible to minimize memory allocation overhead by * either allocating it all at once or having a static storage? */ key = (ica_rsa_key_crt_t *) calloc(1, sizeof(ica_rsa_key_crt_t)); if (key == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } /* buffers pointed by p, q, dp, dq and qInverse in struct * ica_rsa_key_crt_t must be of size key_legth/2 or larger. * p, dp and qInverse have an additional 8-byte padding. */ plen = BN_num_bytes(p); qlen = BN_num_bytes(q); key->key_length = 2 * (plen > qlen ? plen : qlen); key->p = (unsigned char *) calloc(1, (key->key_length / 2) + 8); if (key->p == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } dplen = BN_num_bytes(dmp1); key->dp = (unsigned char *) calloc(1, (key->key_length / 2) + 8); if (key->dp == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } key->q = (unsigned char *) calloc(1, key->key_length / 2); if (key->q == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } dqlen = BN_num_bytes(dmq1); key->dq = (unsigned char *) calloc(1, key->key_length / 2); if (key->dq == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } qInvlen = BN_num_bytes(iqmp); key->qInverse = (unsigned char *) calloc(1, (key->key_length / 2) + 8); if (key->qInverse == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } inputlen = BN_num_bytes(a); if (inputlen > key->key_length) { /* input can't be larger than key */ IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } /* allocate input to the size of key_length in bytes, and * pad front with zero if inputlen < key->key_length */ input = (unsigned char *) calloc(1, key->key_length); if (input == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } /* output must also be key_length in size */ output = (unsigned char *) calloc(1, key->key_length); if (output == NULL) { IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } /* Now convert from BIGNUM representation. * p, dp and qInverse have an additional 8-byte padding, * and everything must be right-justified */ BN_bn2bin(p, key->p + 8 + (key->key_length / 2) - plen); BN_bn2bin(dmp1, key->dp + 8 + (key->key_length / 2) - dplen); BN_bn2bin(q, key->q + (key->key_length / 2) - qlen); BN_bn2bin(dmq1, key->dq + (key->key_length / 2) - dqlen); BN_bn2bin(iqmp, key->qInverse + 8 + (key->key_length / 2) - qInvlen); BN_bn2bin(a, input + key->key_length - inputlen); /* execute the ica crt call */ rc = p_ica_rsa_crt(ibmca_handle, input, key, output); if (rc != 0) { //IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED); goto err; } else { rc = 1; } /* Convert output to BIGNUM representation */ /* BN_bin2bn((unsigned char *) (output + key->key_length - inputlen), * inputlen, r); */ BN_bin2bn((unsigned char *) output, key->key_length, r); goto end; err: rc = 0; /* error condition */ end: free(key->p); free(key->q); free(key->dp); free(key->dq); free(key->qInverse); free(key); free(input); free(output); return rc; } static int ibmca_rsa_init(RSA * rsa) { RSA_blinding_off(rsa); return 1; } static int (*ibmca_rsa_mod_exp_backup)(BIGNUM * r0, const BIGNUM * I, RSA * rsa, BN_CTX * ctx); static int ibmca_rsa_mod_exp(BIGNUM * r0, const BIGNUM * I, RSA * rsa, BN_CTX * ctx) { int to_return = 0, usebackup = 1; const BIGNUM *d, *n, *p, *q, *dmp1, *dmq1, *iqmp; RSA_get0_key(rsa, &n, NULL, &d); RSA_get0_factors(rsa, &p, &q); RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); if (!p || !q || !dmp1 || !dmq1 || !iqmp) { if (!d || !n) { IBMCAerr(IBMCA_F_IBMCA_RSA_MOD_EXP, IBMCA_R_MISSING_KEY_COMPONENTS); usebackup = 0; goto err; } to_return = ibmca_mod_exp(r0, I, d, n, ctx); } else { to_return = ibmca_mod_exp_crt(r0, I, p, q, dmp1, dmq1, iqmp, ctx); } err: if (!to_return && usebackup && ibmca_rsa_mod_exp_backup) return ibmca_rsa_mod_exp_backup(r0, I, rsa, ctx); return to_return; } static int (*ibmca_mod_exp_mont_backup)(BIGNUM * r, const BIGNUM * a, const BIGNUM * p, const BIGNUM * m, BN_CTX * ctx, BN_MONT_CTX * m_ctx); /* This function is aliased to mod_exp (with the mont stuff dropped). */ static int ibmca_mod_exp_mont(BIGNUM * r, const BIGNUM * a, const BIGNUM * p, const BIGNUM * m, BN_CTX * ctx, BN_MONT_CTX * m_ctx) { if (!ibmca_mod_exp(r, a, p, m, ctx)) { if (ibmca_mod_exp_mont_backup) return ibmca_mod_exp_mont_backup(r, a, p, m, ctx, m_ctx); return 0; } return 1; } #ifdef OLDER_OPENSSL static RSA_METHOD rsa_m = { "Ibmca RSA method", /* name */ NULL, /* rsa_pub_enc */ NULL, /* rsa_pub_dec */ NULL, /* rsa_priv_enc */ NULL, /* rsa_priv_dec */ ibmca_rsa_mod_exp, /* rsa_mod_exp */ ibmca_mod_exp_mont, /* bn_mod_exp */ ibmca_rsa_init, /* init */ NULL, /* finish */ RSA_FLAG_FIPS_METHOD, /* flags */ NULL, /* app_data */ NULL, /* rsa_sign */ NULL, /* rsa_verify */ NULL /* rsa_keygen */ }; RSA_METHOD *ibmca_rsa(void) { /* We know that the "PKCS1_SSLeay()" functions hook properly * to the ibmca-specific mod_exp and mod_exp_crt so we use * those functions. NB: We don't use ENGINE_openssl() or * anything "more generic" because something like the RSAref * code may not hook properly, and if you own one of these here * cards then you have the right to do RSA operations on it * anyway! */ const RSA_METHOD *meth1 = RSA_PKCS1_SSLeay(); ibmca_rsa_mod_exp_backup = meth1->rsa_mod_exp; ibmca_mod_exp_mont_backup = meth1->bn_mod_exp; rsa_m.rsa_pub_enc = meth1->rsa_pub_enc; rsa_m.rsa_pub_dec = meth1->rsa_pub_dec; rsa_m.rsa_priv_enc = meth1->rsa_priv_enc; rsa_m.rsa_priv_dec = meth1->rsa_priv_dec; return &rsa_m; } #else static RSA_METHOD *rsa_m = NULL; RSA_METHOD *ibmca_rsa(void) { const RSA_METHOD *meth1; RSA_METHOD *method; if (rsa_m != NULL) goto done; if ((method = RSA_meth_new("Ibmca RSA method", 0)) == NULL || (meth1 = RSA_PKCS1_OpenSSL()) == NULL || (ibmca_rsa_mod_exp_backup = RSA_meth_get_mod_exp(meth1)) == NULL || (ibmca_mod_exp_mont_backup = RSA_meth_get_bn_mod_exp(meth1)) == NULL || !RSA_meth_set_pub_enc(method, RSA_meth_get_pub_enc(meth1)) || !RSA_meth_set_pub_dec(method, RSA_meth_get_pub_dec(meth1)) || !RSA_meth_set_priv_enc(method, RSA_meth_get_priv_enc(meth1)) || !RSA_meth_set_priv_dec(method, RSA_meth_get_priv_dec(meth1)) || !RSA_meth_set_mod_exp(method, ibmca_rsa_mod_exp) || !RSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_mont) || !RSA_meth_set_init(method, ibmca_rsa_init) || !RSA_meth_set_flags(method, RSA_FLAG_FIPS_METHOD)) { RSA_meth_free(method); method = NULL; meth1 = NULL; } rsa_m = method; done: return rsa_m; } void ibmca_rsa_destroy(void) { RSA_meth_free(rsa_m); rsa_m = NULL; } #endif #endif /* endif OPENSSL_NO_RSA */ openssl-ibmca-2.2.3/src/openssl-compat.h000066400000000000000000000055101421243614200201560ustar00rootroot00000000000000/* * Copyright 2022 International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifndef IBMCA_OPENSSL_COMPAT_H #define IBMCA_OPENSSL_COMPAT_H #include #ifdef OPENSSL_VERSION_PREREQ /* This is 3.x */ #include static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) { ECX_KEY *ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) return NULL; ret->libctx = NULL; ret->haspubkey = 0; switch (type) { case ECX_KEY_TYPE_X25519: ret->keylen = X25519_KEYLEN; break; case ECX_KEY_TYPE_X448: ret->keylen = X448_KEYLEN; break; case ECX_KEY_TYPE_ED25519: ret->keylen = ED25519_KEYLEN; break; case ECX_KEY_TYPE_ED448: ret->keylen = ED448_KEYLEN; break; } ret->type = type; ret->references = 1; ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) goto err; return ret; err: OPENSSL_free(ret); return NULL; } static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey) { key->privkey = privkey; } static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key) { return key->privkey; } static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key) { return key->pubkey; } static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len) { memcpy(key->pubkey, pubkey, len); key->haspubkey = 1; } #else /* This is 1.1.x */ #include /* * copied from evp_int.h: * missing set/get methods for opaque types. */ typedef struct { unsigned char pub[57]; unsigned char *priv; } ECX_KEY; typedef enum { ECX_KEY_TYPE_X25519, ECX_KEY_TYPE_X448, ECX_KEY_TYPE_ED25519, ECX_KEY_TYPE_ED448 } ECX_KEY_TYPE; static inline ECX_KEY *ossl_ecx_key_new_simple(ECX_KEY_TYPE type) { return calloc(1, sizeof(ECX_KEY)); } static inline void ossl_ecx_set0_privkey(ECX_KEY *key, unsigned char *privkey) { key->priv = privkey; } static inline unsigned char *ossl_ecx_get0_privkey(ECX_KEY *key) { return key->priv; } static inline unsigned char *ossl_ecx_get0_pubkey(ECX_KEY *key) { return key->pub; } static inline void ossl_ecx_copypubkey(ECX_KEY *key, unsigned char *pubkey, size_t len) { memcpy(key->pub, pubkey, len); } #endif #endif openssl-ibmca-2.2.3/src/openssl.cnf.sample000066400000000000000000000042021421243614200204710ustar00rootroot00000000000000# # OpenSSL example configuration file. This file will load the IBMCA engine # for all operations that the IBMCA engine implements for all apps that # have OpenSSL config support compiled into them. # # Adding OpenSSL config support is as simple as adding the following line to # the app: # # #define OPENSSL_LOAD_CONF 1 # openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] ibmca = ibmca_section [ibmca_section] # The openssl engine path for ibmca.so. # Set the dynamic_path to where the ibmca.so engine # resides on the system. dynamic_path = /usr/local/lib/ibmca.so engine_id = ibmca init = 1 # # The following ibmca algorithms will be enabled by these parameters # to the default_algorithms line. Any combination of these is valid, # with "ALL" denoting the same as all of them in a comma separated # list. # # Note that IBM Z hardware support for the symmetric crypto # primitives (CIPHERS, DIGESTS) most likely comes natively with your # OpenSSL version. Therefore, this sample configuration excludes them # from the default_algorithms list below. # # Moreover, ibmca's CIPHER and DIGEST implementations do not # support the processing of messages in arbitrary chunk sizes. # All chunks, except the final one, are required to be a multiple # of the primitive's block size. # # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # # DH # - DH key exchange # # DSA # - DSA sign and verify # # RAND # - Hardware random number generation # # ECDSA (OpenSSL < 1.1.0) # - Elliptic Curve DSA sign and verify # # ECDH (OpenSSL < 1.1.0) # - Elliptic Curve DH key exchange # # EC (OpenSSL >= 1.1.0) # - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange # # CIPHERS # - DES-ECB, DES-CBC, DES-CFB, DES-OFB, # DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, # AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, # AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, # AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # # PKEY_CRYPTO # - X25519, X448, ED25519, ED448 default_algorithms = RSA,DH,DSA,RAND openssl-ibmca-2.2.3/src/test/000077500000000000000000000000001421243614200160175ustar00rootroot00000000000000openssl-ibmca-2.2.3/src/test/Makefile.linux.in000066400000000000000000000004721421243614200212250ustar00rootroot00000000000000PTS = -O0 -g -Wall -fprofile-arcs -ftest-coverage -fPIC #OPTS = -O0 -g -Wall -m31 -D_LINUX_S390_ OPTS = -O0 -g -Wall -D_LINUX_S390_ -std=gnu99 TARGETS = ibmca_mechaList_test all: $(TARGETS) # Every target is created from a single .c file. %: %.c gcc $(OPTS) -o $@ $^ -l@ICA@ -lcrypto clean: rm -f $(TARGETS) openssl-ibmca-2.2.3/src/test/ibmca_mechaList_test.c000066400000000000000000000262761421243614200223030ustar00rootroot00000000000000/* * Copyright [2015-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include #include #include #include #include #include #include #include #define CIPH 1 #define DIG 2 #define SET 1 #define UNSET 0 typedef struct { int nid; int ica_id; int dig_ciph; } id_map; #define AP_PATH "/sys/devices/ap" #define IBMCA_PATH "/usr/lib64/openssl/engines/ibmca.so" id_map ica_to_ssl_map[] = { #ifndef OPENSSL_NO_SHA1 {NID_sha1, SHA1, DIG}, #endif #ifndef OPENSSL_NO_SHA256 {NID_sha256, SHA256, DIG}, #endif #ifndef OPENSSL_NO_SHA512 {NID_sha512, SHA512, DIG}, #endif {NID_des_ecb, DES_ECB, CIPH}, {NID_des_cbc, DES_CBC, CIPH}, {NID_des_ofb64, DES_OFB, CIPH}, {NID_des_cfb64, DES_CFB, CIPH}, {NID_des_ede3_ecb, DES3_ECB, CIPH}, {NID_des_ede3_cbc, DES3_CBC, CIPH}, {NID_des_ede3_ofb64, DES3_OFB, CIPH}, {NID_des_ede3_cfb64, DES3_CFB, CIPH}, {NID_aes_128_ecb, AES_ECB, CIPH}, {NID_aes_192_ecb, AES_ECB, CIPH}, {NID_aes_256_ecb, AES_ECB, CIPH}, {NID_aes_128_cbc, AES_CBC, CIPH}, {NID_aes_192_cbc, AES_CBC, CIPH}, {NID_aes_256_cbc, AES_CBC, CIPH}, {NID_aes_128_ofb128, AES_OFB, CIPH}, {NID_aes_192_ofb128, AES_OFB, CIPH}, {NID_aes_256_ofb128, AES_OFB, CIPH}, {NID_aes_128_cfb128, AES_CFB, CIPH}, {NID_aes_192_cfb128, AES_CFB, CIPH}, {NID_aes_256_cfb128, AES_CFB, CIPH}, {0, 0, 0} }; ENGINE *eng; int failure = 0; int init_engine(char *id) { ENGINE_load_builtin_engines(); eng = ENGINE_by_id("dynamic"); if (!eng) { return 1; } if (!ENGINE_ctrl_cmd_string(eng, "SO_PATH", id, 0)) { return 1; } if (!ENGINE_ctrl_cmd_string(eng, "LOAD", NULL, 0)) { return 1; } if (!ENGINE_init(eng)) { return 1; } if (!ENGINE_set_default_RSA(eng)) return 1; ENGINE_set_default_DSA(eng); ENGINE_set_default_RAND(eng); ENGINE_set_default_DH(eng); ENGINE_set_default_ciphers(eng); ENGINE_set_default_digests(eng); return 0; } void exit_engine() { /* Release the functional reference from ENGINE_init() */ ENGINE_finish(eng); /* Release the structural reference from ENGINE_by_id() */ ENGINE_free(eng); } void nid_failure(int nid, int set) { failure++; if (set == SET) { fprintf(stderr, "ERROR: NID %d not set in Engine!\n", nid); } else if (set == UNSET) { fprintf(stderr, "ERROR: NID %d set despite missing hardware support!", nid); } } int is_crypto_card_loaded() { DIR *sysDir; FILE *file; char dev[PATH_MAX] = AP_PATH; struct dirent *direntp; char *type = NULL; size_t size; char c; if ((sysDir = opendir(dev)) == NULL) return 0; while ((direntp = readdir(sysDir)) != NULL) { if (strstr(direntp->d_name, "card") != 0) { snprintf(dev, PATH_MAX, "%s/%s/type", AP_PATH, direntp->d_name); if ((file = fopen(dev, "r")) == NULL) { closedir(sysDir); return 0; } if (getline(&type, &size, file) == -1) { fclose(file); closedir(sysDir); return 0; } /* ignore \n * looking for CEX??A and CEX??C * Skip type CEX??P cards */ if (type[strlen(type) - 2] == 'P') { free(type); type = NULL; fclose(file); continue; } free(type); type = NULL; fclose(file); snprintf(dev, PATH_MAX, "%s/%s/online", AP_PATH, direntp->d_name); if ((file = fopen(dev, "r")) == NULL) { closedir(sysDir); return 0; } if ((c = fgetc(file)) == '1') { fclose(file); return 1; } fclose(file); } } closedir(sysDir); return 0; } void check_mech(int i, int j, libica_func_list_element * pmech_list) { if (!(pmech_list[j].flags & (ICA_FLAG_SHW))) { if (ica_to_ssl_map[i].dig_ciph == CIPH) { if (ENGINE_get_cipher_engine(ica_to_ssl_map[i].nid)) { nid_failure(ica_to_ssl_map[i].nid, UNSET); } else { printf("NID %d not found! SUCCESS\n", ica_to_ssl_map[i].nid); } } else { if (ENGINE_get_digest_engine(ica_to_ssl_map[i].nid)) { nid_failure(ica_to_ssl_map[i].nid, UNSET); } else { printf("NID %d not found! SUCCESS\n", ica_to_ssl_map[i].nid); } } } else { if (ica_to_ssl_map[i].dig_ciph == CIPH) { if (!ENGINE_get_cipher_engine(ica_to_ssl_map[i].nid)) { nid_failure(ica_to_ssl_map[i].nid, SET); } else { printf("NID %d found! SUCCESS %d\n", ica_to_ssl_map[i].nid, j); } } else { if (!ENGINE_get_digest_engine(ica_to_ssl_map[i].nid)) { nid_failure(ica_to_ssl_map[i].nid, SET); } else { printf("NID %d found! SUCCESS %d\n", ica_to_ssl_map[i].nid, j); } } } } int main(int argc, char *argv[]) { int i, j, opt, option_index = 0; int card_loaded; unsigned int mech_len; bool found = false; libica_func_list_element *pmech_list = NULL; char *engine_id = IBMCA_PATH; struct option long_options[] = { {"help", no_argument, 0, 'h'}, {"file", required_argument, 0, 'f'}, {0, 0, 0, 0} }; while ((opt = getopt_long(argc, argv, "hf:", long_options, &option_index)) != -1) { switch (opt) { case 'f': engine_id = optarg; break; case 'h': printf("This test checks with the engine API of libcrypto if a\n" "crypto mechanism is enabled or not.\n" "If one mechanism is not found the NID is returned.\n" "The NID can be mapped to a name in the file \n" "/usr/include/openssl/obj_mac.h\n"); printf("Usage: %s [-f | --file ibmca.so] [-h | --help]\n", argv[0]); exit(EXIT_SUCCESS); default: /* '?' */ fprintf(stderr, "Usage: %s [-t nsecs] [-n] name\n", argv[0]); exit(EXIT_FAILURE); } } printf("This test checks with the engine API of libcrypto if a\n" "crypto mechanism is enabled or not.\n" "If one mechanism is not found the NID is returned.\n" "The NID can be mapped to a name in the file \n" "/usr/include/openssl/obj_mac.h\n"); printf("IBMCA path: %s\n", engine_id); printf("------------------------------------------------------------\n\n"); if (init_engine(engine_id)) { fprintf(stderr, "Could not initialize Ibmca engine\n"); return EXIT_FAILURE; } if (ica_get_functionlist(NULL, &mech_len) != 0) { perror("get_functionlist"); return EXIT_FAILURE; } pmech_list = malloc(sizeof(libica_func_list_element) * mech_len); if (ica_get_functionlist(pmech_list, &mech_len) != 0) { perror("get_functionlist"); free(pmech_list); return EXIT_FAILURE; } card_loaded = is_crypto_card_loaded(); for (i = 0; ica_to_ssl_map[i].nid; i++) { for (j = 0; j < mech_len; j++) { if (ica_to_ssl_map[i].ica_id == pmech_list[j].mech_mode_id) { found = true; check_mech(i, j, pmech_list); break; } } assert(found); found = false; } for (i = 0; i < mech_len; i++) { if (pmech_list[i].mech_mode_id == P_RNG) { if (pmech_list[i].flags & (ICA_FLAG_SHW)) { if (!ENGINE_get_default_RAND()) { failure++; fprintf(stderr, "ERROR: Engine has no enabled PRNG support!\n"); } else { printf("PRNG Support found! SUCCESS\n"); } } else { if (ENGINE_get_default_RAND()) { failure++; fprintf(stderr, "ERROR: Engine has enabled PRNG support" ", despite no hardware support!\n"); } else { printf("PRNG Support not found! SUCCESS\n"); } } } if (pmech_list[i].mech_mode_id == RSA_ME) { if (card_loaded) { if (!ENGINE_get_default_RSA()) { failure++; fprintf(stderr, "ERROR: Engine has no enabeled RSA support!\n"); } else { printf("RSA Support found! SUCCESS\n"); } if (!ENGINE_get_default_DSA()) { failure++; fprintf(stderr, "ERROR: Engine has no enabled DSA support!\n"); } else { printf("DSA Support found! SUCCESS\n"); } if (!ENGINE_get_default_DH()) { failure++; fprintf(stderr, "ERROR: Engine has no enabled DH support!\n"); } else { printf("DH Support found! SUCCESS\n"); } } else { if (ENGINE_get_default_RSA()) { failure++; fprintf(stderr, "ERROR: Engine has enabled RSA support," "despite no hardware support!\n"); } else { printf("RSA Support not found! SUCCESS\n"); } if (ENGINE_get_default_DSA()) { failure++; fprintf(stderr, "ERROR: Engine has no enabled DSA support," "despite no hardware support!\n"); } else { printf("DSA Support not found! SUCCESS\n"); } if (ENGINE_get_default_DH()) { failure++; fprintf(stderr, "ERROR: Engine has no enabled DH support," "despite no hardware support!\n"); } else { printf("DH Support not found! SUCCESS\n"); } } } } printf("\n\n-----------------------------------------------------------\n"); printf("TEST Summary:\n" "Failure Counter: %d\n", failure); if (failure) return EXIT_FAILURE; return EXIT_SUCCESS; } openssl-ibmca-2.2.3/test/000077500000000000000000000000001421243614200152305ustar00rootroot00000000000000openssl-ibmca-2.2.3/test/3des-cbc-test.pl000077500000000000000000000001371421243614200201310ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("des-ede3-cbc", 24, 8); openssl-ibmca-2.2.3/test/3des-cfb-test.pl000077500000000000000000000001371421243614200201340ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("des-ede3-cfb", 24, 8); openssl-ibmca-2.2.3/test/3des-ecb-test.pl000077500000000000000000000002661421243614200201360ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; # No iv needed, but openssl app version 3 somehow requires one... test::cipher("des-ede3", 24, test::osslversion3 ? 8 : 0); openssl-ibmca-2.2.3/test/3des-ofb-test.pl000077500000000000000000000001371421243614200201500ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("des-ede3-ofb", 24, 8); openssl-ibmca-2.2.3/test/Makefile.am000066400000000000000000000041031421243614200172620ustar00rootroot00000000000000TESTS_CIPHERS = \ des-ecb-test.pl \ des-cbc-test.pl \ des-cfb-test.pl \ des-ofb-test.pl \ 3des-ecb-test.pl \ 3des-cbc-test.pl \ 3des-cfb-test.pl \ 3des-ofb-test.pl \ aes-128-ecb-test.pl \ aes-128-cbc-test.pl \ aes-128-cfb-test.pl \ aes-128-ofb-test.pl \ aes-192-ecb-test.pl \ aes-192-cbc-test.pl \ aes-192-cfb-test.pl \ aes-192-ofb-test.pl \ aes-256-ecb-test.pl \ aes-256-cbc-test.pl \ aes-256-cfb-test.pl \ aes-256-ofb-test.pl if FULL_LIBICA TESTS_CIPHERS_EXEC=${TESTS_CIPHERS} endif TESTS_PERL = \ rsa2k.pl \ rsa4k.pl \ rsa8k.pl \ rsa16k.pl \ dsa2k.pl \ dsa4k.pl \ dsa8k.pl \ dsamax.pl TESTS = ${TESTS_PERL} \ ${TESTS_CIPHERS_EXEC} \ loadtest \ loadtest-ec \ threadtest \ libica-link.sh \ eckey \ enginectrl check_PROGRAMS = loadtest loadtest-ec threadtest eckey enginectrl check_SCRIPTS = libica-link.sh loadtest_SOURCES = loadtest.c loadtest_LDADD = -lssl -lcrypto loadtest_ec_SOURCES = loadtest-ec.c loadtest_ec_LDADD = -lssl -lcrypto threadtest_SOURCES = threadtest.c threadtest_LDADD = -lcrypto -lpthread eckey_SOURCES = eckey.c eckey_LDADD = -lcrypto enginectrl_SOURCES = enginectrl.c enginectrl_LDADD = -lcrypto -ldl AM_TESTS_ENVIRONMENT = export IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so IBMCA_OPENSSL_TEST_CONF=${srcdir}/openssl-test.cnf IBMCA_OPENSSL_TEST_NOINIT_CONF=${srcdir}/openssl-test-noinit.cnf PERL5LIB=${srcdir}; EXTRA_DIST = ${TESTS_PERL} ${TESTS_CIPHERS} test.pm openssl-test.cnf \ dsa2k.key dsa2k_pub.key dsa4k.key dsa4k_pub.key dsa8k.key \ dsa8k_pub.key dsamax.key dsamax_pub.key rsa2k.key rsa4k.key rsa8k.key libica-link.sh: @echo '#!/bin/bash' > libica-link.sh @echo "IBMCA_SO=\"${abs_top_builddir}/src/.libs/ibmca.so\"" > libica-link.sh @echo "if ldd \"\$${IBMCA_SO}\" | grep -q libica; then" >> libica-link.sh @echo " echo \"Linking against libica detected\"" >> libica-link.sh @echo " echo \"Check these ica symbols:\"" >> libica-link.sh @echo " nm --undefined-only \"\$${IBMCA_SO}\" | grep 'ica_'" >> libica-link.sh @echo " exit 99" >> libica-link.sh @echo "fi" >> libica-link.sh @echo "exit 0" >> libica-link.sh @chmod u+x libica-link.sh openssl-ibmca-2.2.3/test/aes-128-cbc-test.pl000077500000000000000000000001371421243614200203530ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-128-cbc", 16, 16); openssl-ibmca-2.2.3/test/aes-128-cfb-test.pl000077500000000000000000000001371421243614200203560ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-128-cfb", 16, 16); openssl-ibmca-2.2.3/test/aes-128-ecb-test.pl000077500000000000000000000001361421243614200203540ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-128-ecb", 16, 0); openssl-ibmca-2.2.3/test/aes-128-ofb-test.pl000077500000000000000000000001371421243614200203720ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-128-ofb", 16, 16); openssl-ibmca-2.2.3/test/aes-192-cbc-test.pl000077500000000000000000000001371421243614200203540ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-192-cbc", 24, 16); openssl-ibmca-2.2.3/test/aes-192-cfb-test.pl000077500000000000000000000001371421243614200203570ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-192-cfb", 24, 16); openssl-ibmca-2.2.3/test/aes-192-ecb-test.pl000077500000000000000000000001361421243614200203550ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-192-ecb", 24, 0); openssl-ibmca-2.2.3/test/aes-192-ofb-test.pl000077500000000000000000000001371421243614200203730ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-192-ofb", 24, 16); openssl-ibmca-2.2.3/test/aes-256-cbc-test.pl000077500000000000000000000001371421243614200203550ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-256-cbc", 32, 16); openssl-ibmca-2.2.3/test/aes-256-cfb-test.pl000077500000000000000000000001371421243614200203600ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-256-cfb", 32, 16); openssl-ibmca-2.2.3/test/aes-256-ecb-test.pl000077500000000000000000000001361421243614200203560ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-256-ecb", 32, 0); openssl-ibmca-2.2.3/test/aes-256-ofb-test.pl000077500000000000000000000001371421243614200203740ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::cipher("aes-256-ofb", 32, 16); openssl-ibmca-2.2.3/test/des-cbc-test.pl000077500000000000000000000003051421243614200200430ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; # Version 3 only supports DES in legacy mode which might not be available. test::osslversion1 || exit (77); test::cipher("des-cbc", 8, 8); openssl-ibmca-2.2.3/test/des-cfb-test.pl000077500000000000000000000003051421243614200200460ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; # Version 3 only supports DES in legacy mode which might not be available. test::osslversion1 || exit (77); test::cipher("des-cfb", 8, 8); openssl-ibmca-2.2.3/test/des-ecb-test.pl000077500000000000000000000003051421243614200200450ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; # Version 3 only supports DES in legacy mode which might not be available. test::osslversion1 || exit (77); test::cipher("des-ecb", 8, 0); openssl-ibmca-2.2.3/test/des-ofb-test.pl000077500000000000000000000003051421243614200200620ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; # Version 3 only supports DES in legacy mode which might not be available. test::osslversion1 || exit (77); test::cipher("des-ofb", 8, 8); openssl-ibmca-2.2.3/test/dsa2k.key000066400000000000000000000023101421243614200167420ustar00rootroot00000000000000-----BEGIN DSA PRIVATE KEY----- MIIDVQIBAAKCAQEA9PsXA/O3soomi8tuZOLnjLSH8lBkpfSvOsnrKjegF/wGafTp AIwxucPyRvC3B03lI6IHH/pTH42/Lbkk46Qnm7nLOQKkBq5SOvx4DecZfewtNXvP Z4KcqrFCs/xjR+qHJ10HntcHBW7yKzoNX7Q2TXj78FUSIQe0f4PCaiHJwMgzibcJ UBfOxegjY38/MQkTGyaOEzFwTrcTCO6O5xokhTmqbPP3Zw2FOqEwcm7vnCXmUU+f fE5Eb6HIpUYOy947A6hEHz4mbFAPx3/IqslKICegqmu6sVtWAVVPhn7BCbjvNFZT znuW3nkp7bGoeOG1q6ssM096OxLs9MZS7aGeOwIhAInYRUBxrHUZ3ji+E3MflNjw T7pWQV50gthrPe8k+Ov/AoIBAQCcqYFWlR3hVHtlLtewB85Wo/vbyq/NvilF+RyT q6Q0U0R+9+1E/wmoBvhRpiyYh75fDVD838rVq8FeCdk3drdZ0PlvnReLQN25AJeO I5uNYWIjAlPwhpsYUA9f/GaD6zJPldCv9xCHeB7KyJwl2L9bcUFs+S0S8IK3Gh2l guURh4byBcPSKUmnZf0EELXe2tf/U+wNd0xJh/inRnFfZ6LgxY3KTun5Xv7efEQh CaXEaSfQDqEDaAfC1VVhJVF+jKTNaqwpwWWe+OWj83IseFOFOyRGz2YrlEFcPDMU bG20FocKan8RjKDAmo8zBD15Ieid9NceJzujetJF8VFGHVd4AoIBAA9Qm42Yz7KA lkTAjVgRsx6x8+Rf6Yc1I46hRd0Ei1qBVxDec95I3YW+zR2eMJPQbjr5uN2/eLNv Dv7Ud4NQfAz0mQOHSJen9OjqZagpYWOe6uYmshHkQPwO15TGsxjdfE4MLGk/1dO8 pUowsMYomCah6QQQhGQSHJaKRx7/2AYOulcsSNdDWLKE0S7uud1OgTynIigCv1q5 vc/u1gM7euE5RMsOofsunBOjP6vRmF9B2I2uveTas4oiCfZSjHtY0gfDCutGx2US FgpWVZLNEiNDQ49Gb4pQafp4QyBa8N9/MFE8L5BfrvXaEchH/phYCt6uLHpf8OzF r8Zg499aMAwCH12/vkIjCtnRI3k85QuQEITQr6ADFQx2K6IOT2vsIk8= -----END DSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/dsa2k.pl000077500000000000000000000001261421243614200165730ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::dsasignverify("2k"); openssl-ibmca-2.2.3/test/dsa2k_pub.key000066400000000000000000000022521421243614200176150ustar00rootroot00000000000000-----BEGIN PUBLIC KEY----- MIIDRzCCAjoGByqGSM44BAEwggItAoIBAQD0+xcD87eyiiaLy25k4ueMtIfyUGSl 9K86yesqN6AX/AZp9OkAjDG5w/JG8LcHTeUjogcf+lMfjb8tuSTjpCebucs5AqQG rlI6/HgN5xl97C01e89ngpyqsUKz/GNH6ocnXQee1wcFbvIrOg1ftDZNePvwVRIh B7R/g8JqIcnAyDOJtwlQF87F6CNjfz8xCRMbJo4TMXBOtxMI7o7nGiSFOaps8/dn DYU6oTBybu+cJeZRT598TkRvocilRg7L3jsDqEQfPiZsUA/Hf8iqyUogJ6Cqa7qx W1YBVU+GfsEJuO80VlPOe5beeSntsah44bWrqywzT3o7Euz0xlLtoZ47AiEAidhF QHGsdRneOL4Tcx+U2PBPulZBXnSC2Gs97yT46/8CggEBAJypgVaVHeFUe2Uu17AH zlaj+9vKr82+KUX5HJOrpDRTRH737UT/CagG+FGmLJiHvl8NUPzfytWrwV4J2Td2 t1nQ+W+dF4tA3bkAl44jm41hYiMCU/CGmxhQD1/8ZoPrMk+V0K/3EId4HsrInCXY v1txQWz5LRLwgrcaHaWC5RGHhvIFw9IpSadl/QQQtd7a1/9T7A13TEmH+KdGcV9n ouDFjcpO6fle/t58RCEJpcRpJ9AOoQNoB8LVVWElUX6MpM1qrCnBZZ745aPzcix4 U4U7JEbPZiuUQVw8MxRsbbQWhwpqfxGMoMCajzMEPXkh6J301x4nO6N60kXxUUYd V3gDggEFAAKCAQAPUJuNmM+ygJZEwI1YEbMesfPkX+mHNSOOoUXdBItagVcQ3nPe SN2Fvs0dnjCT0G46+bjdv3izbw7+1HeDUHwM9JkDh0iXp/To6mWoKWFjnurmJrIR 5ED8DteUxrMY3XxODCxpP9XTvKVKMLDGKJgmoekEEIRkEhyWikce/9gGDrpXLEjX Q1iyhNEu7rndToE8pyIoAr9aub3P7tYDO3rhOUTLDqH7LpwToz+r0ZhfQdiNrr3k 2rOKIgn2Uox7WNIHwwrrRsdlEhYKVlWSzRIjQ0OPRm+KUGn6eEMgWvDffzBRPC+Q X6712hHIR/6YWArerix6X/Dsxa/GYOPfWjAM -----END PUBLIC KEY----- openssl-ibmca-2.2.3/test/dsa4k.key000066400000000000000000000043301421243614200167500ustar00rootroot00000000000000-----BEGIN DSA PRIVATE KEY----- MIIGVQIBAAKCAgEAyJscZddSVlbzJWUul/6UyYNMDQ5Tw1Hw7qCKGWmpAAZlASED 5TPD60SgxOBMZK37oce07VBxe/pqXLdMEGN52Fo7ST1mil5/Rb4JUvexLX9NCyz7 LBNghIXQtb7826dK79Q6t5nXAHmUl/1WeHOIgwSDD9ECU6km/O10CPKrWlN187ob 8lk//zA0uU/J7ZN8jFei8d0+E+tSRRhDtNjJPXw9uHc+Vd2H8rfGh2riP0x7mH/h +32UhcPbKyRtzgweeCYbdS5rLaWCoKAawNg2QbpotFf9LFWqohnkHINpgHQuBCDA uriNeuRX4yNR/SA1BXx/esKRxqnHs34qxSSZzHea1uIWi/IbmU0xFT02tWwZ2MKF pmfrky3eJY/L6wSyIrrbRp42m6sV4R5jjTg8nTOl1d4N/JVe6ttXH4fx/VDc/3vL ktiv69+dKCgsGrEo+vBKpqY/6CXuHFYSVZM+7NTMKGilsT59gP3Oc9I4ApF/Z/Mu N9jvk3Uyz1uUDszbmVYjHhWg5g/O56G8wj+QH4XPfW4IS0AiaHkuo008xJDRcJbB Vzbxz+gxZqL143OQG9ciXxw+imnbSNsyB+a5cpKOEwgoeU3lIRhe8eRtvWfzfT8T 94LN8xU7w6tzoSk0JxLTdIBKHDST17jmato/SA4uwz31uaWA7eU3gv4u1DECIQDH oioDWzjed2EIPznryUN1YsmeTbyn53t4Ud4o4DLOmQKCAgA104Ps34soiOkNr9e+ e8tbkbOhix2Brr2OM2c0V5CGU6Oofjila1hNp0DfoN/jrPzZT/qeiyuIleqVjlpa V/f6PJn2FX9Amx3g8Yhy4ywP3PPU71Orbj+LiP56cHanvHEe941HKxUpXcYSHOsk E6AQgl/pz6leBqfnWUjAPQbO7jeYVhuaz8ovfke7G6gZNDpiVV8BLdJ9c4OF+83S imDJCdFnRYrbtDXsYHCv2FK7bLDaujJEOqjNFjQX5/7OCSb7f17zJtM7BZkAZR89 +N8KuOjQKVqzCFqGaNAB/7VPgzHjzAoi9YGNHoM2Jy+aY0kv1hBjkwdw9m/gnNZA REMotXtVbxnV9+ppHpacA9eqHE1XIeIE7SN8D1snQAGhRmvlOUAuyhnDOnkBvvCX noAmlprDX4P+WtBdGXFDKGkYz7LRZt6jT1GasgXdjscYlEUb/Y7Hklyn56tTlLEV ICpZqWt+mRB0gXrt5NDpq6rvq2Xv7A545H48dQ4Q8HisOkn6VoedhR6jMfXCM93S Ox0lg20cmfYMp3H2OYW1z+j1K4Lgsqdf+RX1t1glvS+1vP/Mp/xqFvc0T8D7YYMY njQjZE8zgDKqlGeeXYKxzD9EOeVAzftS37E2A3TGSG0JOPN/c4jtO1EAIXJobRmP kTFaAbIF7OuseZPHf6QYGuelbgKCAgBdujKVLos71yqssMF6/X+abr+26nSy7n9I WLtKKk8neYEsQ/mcY7e0aFm53fWRpiccSm5psp/EijUZX0c4iGnmuUPW3GjStlYL evTboJ7R8vINeWGZXs8DKrDF2ee0S+OgnGIWgllRSGbA5AwnDX7NoyvBueYdOWCF OMeMyAEpSPE3opJrmVwPy6pBaS1ECzPADR1xOpWC5Th4DtQW8WdbQLcmuAwQKMgd FU1LWXUpMAPwhWXGMyrTGvUTg9hlIsEHpBMc/ae6qJeIO66U/xzWdhU2pP1WDjdQ +fI293+TOs9B3d/icLFxybe5IH8m4CPBCiW8tc6bj5MTBOObhJyx7q97rvRLApar EZqNvIplyz0Zs/bfLux82N2s8nUQn5vuKTRH2Dfz20n+LeqhcAjbRStisGd5aYYg WxeWXB0u+i4LU7c8QqQuK/77ttnE3OhJX+d6ebMAeG5//k/psewwvWwnWE3snaUG goxR2XBB8jyqaf09jKIZQKg3bf0Vk/lLIWvRKZUxPfJFPHnu7ywBNN/xyvpwG5Wi d/1Zr3XuVu4ZJz+H15isN6pMyKlFUyEGTiPjy8GFu1NcQ2RMmRJ8RkJgpO0Q18f3 qQP3LshDCdkseGHV8uL7idbCamR3ylwwrrvFcAWCm1tYO4rQpK2Y0o2k7AC5fMcF OKHpkimzGAIgMBphbTS6CkuHLr29kU+4x7n6j82x3gK9aVgTR/3zVa4= -----END DSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/dsa4k.pl000077500000000000000000000001251421243614200165740ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::dsasignverify("4k"); openssl-ibmca-2.2.3/test/dsa4k_pub.key000066400000000000000000000042721421243614200176230ustar00rootroot00000000000000-----BEGIN PUBLIC KEY----- MIIGRjCCBDkGByqGSM44BAEwggQsAoICAQDImxxl11JWVvMlZS6X/pTJg0wNDlPD UfDuoIoZaakABmUBIQPlM8PrRKDE4Exkrfuhx7TtUHF7+mpct0wQY3nYWjtJPWaK Xn9FvglS97Etf00LLPssE2CEhdC1vvzbp0rv1Dq3mdcAeZSX/VZ4c4iDBIMP0QJT qSb87XQI8qtaU3XzuhvyWT//MDS5T8ntk3yMV6Lx3T4T61JFGEO02Mk9fD24dz5V 3Yfyt8aHauI/THuYf+H7fZSFw9srJG3ODB54Jht1LmstpYKgoBrA2DZBumi0V/0s VaqiGeQcg2mAdC4EIMC6uI165FfjI1H9IDUFfH96wpHGqcezfirFJJnMd5rW4haL 8huZTTEVPTa1bBnYwoWmZ+uTLd4lj8vrBLIiuttGnjabqxXhHmONODydM6XV3g38 lV7q21cfh/H9UNz/e8uS2K/r350oKCwasSj68Eqmpj/oJe4cVhJVkz7s1MwoaKWx Pn2A/c5z0jgCkX9n8y432O+TdTLPW5QOzNuZViMeFaDmD87nobzCP5Afhc99bghL QCJoeS6jTTzEkNFwlsFXNvHP6DFmovXjc5Ab1yJfHD6KadtI2zIH5rlyko4TCCh5 TeUhGF7x5G29Z/N9PxP3gs3zFTvDq3OhKTQnEtN0gEocNJPXuOZq2j9IDi7DPfW5 pYDt5TeC/i7UMQIhAMeiKgNbON53YQg/OevJQ3ViyZ5NvKfne3hR3ijgMs6ZAoIC ADXTg+zfiyiI6Q2v1757y1uRs6GLHYGuvY4zZzRXkIZTo6h+OKVrWE2nQN+g3+Os /NlP+p6LK4iV6pWOWlpX9/o8mfYVf0CbHeDxiHLjLA/c89TvU6tuP4uI/npwdqe8 cR73jUcrFSldxhIc6yQToBCCX+nPqV4Gp+dZSMA9Bs7uN5hWG5rPyi9+R7sbqBk0 OmJVXwEt0n1zg4X7zdKKYMkJ0WdFitu0NexgcK/YUrtssNq6MkQ6qM0WNBfn/s4J Jvt/XvMm0zsFmQBlHz343wq46NApWrMIWoZo0AH/tU+DMePMCiL1gY0egzYnL5pj SS/WEGOTB3D2b+Cc1kBEQyi1e1VvGdX36mkelpwD16ocTVch4gTtI3wPWydAAaFG a+U5QC7KGcM6eQG+8JeegCaWmsNfg/5a0F0ZcUMoaRjPstFm3qNPUZqyBd2OxxiU RRv9jseSXKfnq1OUsRUgKlmpa36ZEHSBeu3k0Omrqu+rZe/sDnjkfjx1DhDweKw6 SfpWh52FHqMx9cIz3dI7HSWDbRyZ9gyncfY5hbXP6PUrguCyp1/5FfW3WCW9L7W8 /8yn/GoW9zRPwPthgxieNCNkTzOAMqqUZ55dgrHMP0Q55UDN+1LfsTYDdMZIbQk4 839ziO07UQAhcmhtGY+RMVoBsgXs66x5k8d/pBga56VuA4ICBQACggIAXboylS6L O9cqrLDBev1/mm6/tup0su5/SFi7SipPJ3mBLEP5nGO3tGhZud31kaYnHEpuabKf xIo1GV9HOIhp5rlD1txo0rZWC3r026Ce0fLyDXlhmV7PAyqwxdnntEvjoJxiFoJZ UUhmwOQMJw1+zaMrwbnmHTlghTjHjMgBKUjxN6KSa5lcD8uqQWktRAszwA0dcTqV guU4eA7UFvFnW0C3JrgMECjIHRVNS1l1KTAD8IVlxjMq0xr1E4PYZSLBB6QTHP2n uqiXiDuulP8c1nYVNqT9Vg43UPnyNvd/kzrPQd3f4nCxccm3uSB/JuAjwQolvLXO m4+TEwTjm4Scse6ve670SwKWqxGajbyKZcs9GbP23y7sfNjdrPJ1EJ+b7ik0R9g3 89tJ/i3qoXAI20UrYrBneWmGIFsXllwdLvouC1O3PEKkLiv++7bZxNzoSV/nenmz AHhuf/5P6bHsML1sJ1hN7J2lBoKMUdlwQfI8qmn9PYyiGUCoN239FZP5SyFr0SmV MT3yRTx57u8sATTf8cr6cBuVonf9Wa917lbuGSc/h9eYrDeqTMipRVMhBk4j48vB hbtTXENkTJkSfEZCYKTtENfH96kD9y7IQwnZLHhh1fLi+4nWwmpkd8pcMK67xXAF gptbWDuK0KStmNKNpOwAuXzHBTih6ZIpsxg= -----END PUBLIC KEY----- openssl-ibmca-2.2.3/test/dsa8k.key000066400000000000000000000103701421243614200167550ustar00rootroot00000000000000-----BEGIN DSA PRIVATE KEY----- MIIMVQIBAAKCBAEA/buSBt58jvUKAG7eazsdnUEmS0JRrgBQj4fLGiFpe2gsDkxF nXiDa5NZQY+2Ui6GrfgB96rED73GH1lDl8FhHYkgc9vSgROc0opeGU760QpN5LCe VADG9WLoBcwGAjrvkDeDm9iHC/HRwkj1au0SKAeSJcM7RT6swnvAnn97SwdVwFt8 n1gTxbAoFBpudjXxjFuaKbsBvJ1ln60llOHywVpk4gkA+tfzIIJzix4fhJmuLWUQ STqA2lKJO5gOxglIpPB3ffPkqvE2WQA/PEyeLChGz6YyDA/EkXt6i0JL3chz/oOB P/KUeJ57HmtSc9HworLb4EB6ANPjVxnAQrs75qFBbA4BhE0UDMNzOI3JDo6VxVPL 46E5unlmZ+XCnJkWZl9FHX/bhxiDMz7jJqef9Sx5NjexKhd9vsbAw2GV0V4kHu4A SIpWA53DOj9dmif8fK9fXRohACKFlzdf44S8zLSUJ5+J9tsDBCjcjNjy+EnF2eEf 9QMzQf5E+vqcoP75xud4BtBSqIIrqjvVPuWJm8RfNg3FyXKwoatXh1BuicHWo+bT bTmVQXWGYQ4Co0asDdoLfsPKrMKeTKVyj8GuxbSWRKbNDXPJCKF05gGx5vr5SpmD 4CJHEf4scDSlBe7ATF24tj9/vpCht4WflXK4nwlfNLdurF9vQaNntT3fEFqtjQsB LF0dEKpetwEBxrGEph3WC3XJT2zZu6Wbvnjg70TMBw9d9PD1poqTQH4l5ca70ct1 9Tc6gtFL2C/nKowV5KZBhfkNe8+01CbenFy+1GPy2+iJq/SQRz+cAXKy+3hEtgk4 AkguzeBqSizYuJPvUujAiHFdbkWzg9fl0dDtJVU3mZRrJK0Znyn1CiEkK9iMdhtA m+SovbhwpLU3f85fTK6+QebD65a7NZucJI6u7v6wbFjkuh6+CBIaZwYsgTV4HjV+ lOaibbbMDxdnTeXaGnxdPnA9s6SyTvRB4YskzgmckE+rmBJpGCDpyIQ/h0Nx1755 ZwhGiZ8rJ7FbTzsa6z6x1Z7j5Dk5f+dkfQPWk8H5xrVsoKNUqODxT2K91eWW0jIa 8+rsbq96t4b2fUilRjY771lQ5lmJju1IvZJRVFztup7H+lD42S9knPmurop52lHK MuiAp62oQKBO34d1ZAtziQnUkhThHDYJWoL/FzNmN09l8ruU8jE6Mr1b+3F0Ggfd bFAzrK0BMANVuCCT4Yh9iLd2/04YImJJF0FdH/GP5ngsGZBsSZd7pjUjkJ6ERrJt 4dvj9i7T3bnVMHWM1xYSIUw/z7b+Q4ED7itoYA1XP3dY0+tIV8BM0/RYnbqlWPcw sknNLiXyRHf8UVcB6rdGQ9FvOVpU/14KCkInbQIhALBSPrcNsGUGR3AOrsvlvhWz 5HJo9c9AeKmlls9Y2rjTAoIEAGxiLBTfQJ2nQUXecIfTJBqQwiBumeMQwEFYXTDd +HtjFMQTBwcMJg+N8MO5iZQcwAvFLYHT+dMHLgyHo41rdvGJtCbB7fPtcRYZNSse YONHs5ga1pN1Mpj5M3yFmQlGR58lWa6MHlXR2bheanmKHQq5h8t85JYHtlrWZg7o ZC9mYQ5EKPfW7ITlpLlEB4rn7Doky3jOPSMtwBfpzU6u5zEgOwVSSnf3GW0ktByG /+DbAkQtQswDUyJYmLo9wc7Y5ye6FSCovtifoKVmduvFOaZe5BI3I0cgt1LtDPOT 2UGkj03exS9DaCZ73YkQCjqof+wEJ4lH/egrTCPNax6E1ggX/z+0+IZFEKXEE5iG nIsShTgl0MDDdBnwA8pfJ3ku5sEtCiUYAja9KIIvY4e2oLTpGjZYP+WMjdVtOWBT +QT+TjPV3Ni8c02nDeNZTZYuIEre8xh2jPizTk/lOcOkY8KPpwgHQ+wlxWFbiaDw i2zfU0Z+op4j/CiHviODH0+7NuZTY7PXextb/ZEIS54vNjWmBiNL+20+/mJR/HWp mOtw8Oj4ggbREBAUpINM/q29ISY4EqXV5Fj7RpWUSCCVrhB51G7AWx9pobmenCD0 qoqQCu/lxSJ3ictDiQ76aYk+MqXsvduRki/KsrcK384vD5MnWSkPLSA0b10I/V4M PqF5x0EKPbjoM1AyAgf5UZzW9PxADrW+ibNvXVqSAka3SYDT88mAlhTfs2FWROGo 7peMzcHFCwtwAoPTnIGIW6IPDswp4aVVZ//0nebg2Dd/L7QN9dYBf2nH8rLBrnk4 HHOhDKmHBv7EJx0krgLds0TaJt9PwfbEpMjHuLoMC46UhIv6qmHTLdZpmTM97aS3 2IvDZdfxRpQ1CiaiKD2WvVv3CKsMJSuMQztNP9nWjDrX4AQwdBTz96wvnxZqdZHr M+wPTKT2TOrsFS9ShfmW8rT5MsUoFivSsuEwps2x3+3g92fmjwdT1+ONDdJ6+Zp/ Tw6hhYUu+IKjqenGY1Ac76NpxjJSS01Yv9g7KImLGuyg0ZryMN+CMEwTdtAZhEjt GFJySi2gR8LiXe2PuQrA4laIjGgIZd9ay8LpOBlInCU2DfmZNVD7p08RGZuYHi2T osjk6RIuAF0gLwnYMHqyuW+bnj8/4wopF5br5/21nDhDN1BjDq8NFBHaCwBnVoiM Q2b4gWdYk/mvKZcH6Tty/ZbcsTzghmJBI9b8nwQJU1erbdVk815FSEtBt+Tp55Yk 9wR2TtV823t9QiWuqnnrOAxurfVamGfsUjxXXMkzplZAosoQI22CEyxQUGQrySDY Q+J3YfSbUsCGzaYadGnf2s/IwBbEitTlLIZgqn/JMnVU71wCggQAX6n2i0rgMJaa TUsTSIgPQDTDBOJSJmPOmExjizbA/C4/d6KbJO1uiLAvBndNPlVmYSJawDFHwWgC a2nJr7LgvS/sI3zA1MJVzUG+TGvcgNj7CHWDt1MJJC1cQTSeSPG/pYE+nVl/IADo VZ89ElJySQotTnKcn0vVs0cqRh+LZH0FXG0aWaE24y+5MPGeZWnaUj4FYMo8DO3/ OJ/NDm37BInS4qHIiTdV8wd/CJCFK3K2w5o1ayxZX4Gmggyky0vf4xaZ0l1LSUQb LSnng+WlHor7jCrQeRFlqSXpENjsA8aVkSaCToW366VVaZ4r2bsuFzQWOk0vG+cv uGZYewaUD1dVuvGUIvWEzaiUK4PntU+Bi0BPAG0XDvVo02lGN5dQN5MswjaY5OtH vjFk0piIKnpDf92bDD1d82/icGBkz0FCJVJJFZv986a4CkAJG+Fupp/mT44zhVjz dYBRBwnw70ydwVn7mMhJnbH1v/8GVeh0MzPBLUSzcQY2kgXodQmoj9T2cTfWdFel O5cgFxs6UXt1x3KyHjofh0FJH4hyH3EP9ouXDuC2OIpYR119IEz1TC9WmK0kZ4+m gWlPXtsihSCpQBy5pW/g3xg6R6+PzbrXIrebWRM1cvDjrtRQC6LJVoEUtxKhhmB4 wv0Q2BgIFQYtWdDwHEWWCtgtJfsRqXmXibsU3u+DGSlJHtXaVOeE7zoRqOgaPKDR aoA/UpYNs4v5Z4Frwn+LuXwtXVGhrlbw0hXEhyNgpsTfl+JfJJ2DsM4d1fJ5csAJ 5dqP+JChWc+ZelTnFtYHvbZef41k4H85d8KA23uwvvY9emh22tQkRSKVL8Iy76D/ Ro4eUM3zEhD0/qBOfz5eu3xnbYacvqsKbYCnnUbbT4ZxpIi/HchocTI37e1ceip4 1XUswWYSRSphtnuJBn29pzsK/EqxQc9CMhihKBDZEqpkOdKxa4oYuKjs568zwTBO FB4nhU9u4bDD/Ga7Jjt+ftGg1dn/YdBL4wWrjga0j8g5Ud2K7+cRPr1pYBK7Y/z9 Zz7o0cYt/v/7VsX/H0ev/+vaUdsKxU00PDin7mAhBoR7ZmNrWdQzzqXv4O43pg2H Yw3600Fbt1Vbv5+2G+tTfgEA06EvVuonxS8q5q/A++ZpmtaGdFF5HRXdNF6aOd4T 0QSYWhUuo4BwgQfuIkLru9xGKUbwZonDGJ/Dy50sSF91T7eENcSUtvK1uEx/4AiM CEmK1VTIC3tH4L1aaE1bT0NutHvjNKbMqALaO62IFTIaCkFvvacFEGrDMwbwShAl vgn2vlGWLq7j3+89CC3gjiYLkFOyK0csAWFWmeBZ4nOdc6aNaFAT3fmzwMLhdjjf nT17/mCifwIgVYRdkbanrkD51REtbqlcqzivMQjunFLlXQ+GEAZL5Rw= -----END DSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/dsa8k.pl000077500000000000000000000001251421243614200166000ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::dsasignverify("8k"); openssl-ibmca-2.2.3/test/dsa8k_pub.key000066400000000000000000000103321421243614200176210ustar00rootroot00000000000000-----BEGIN PUBLIC KEY----- MIIMRjCCCDkGByqGSM44BAEwgggsAoIEAQD9u5IG3nyO9QoAbt5rOx2dQSZLQlGu AFCPh8saIWl7aCwOTEWdeINrk1lBj7ZSLoat+AH3qsQPvcYfWUOXwWEdiSBz29KB E5zSil4ZTvrRCk3ksJ5UAMb1YugFzAYCOu+QN4Ob2IcL8dHCSPVq7RIoB5IlwztF PqzCe8Cef3tLB1XAW3yfWBPFsCgUGm52NfGMW5opuwG8nWWfrSWU4fLBWmTiCQD6 1/MggnOLHh+Ema4tZRBJOoDaUok7mA7GCUik8Hd98+Sq8TZZAD88TJ4sKEbPpjIM D8SRe3qLQkvdyHP+g4E/8pR4nnsea1Jz0fCistvgQHoA0+NXGcBCuzvmoUFsDgGE TRQMw3M4jckOjpXFU8vjoTm6eWZn5cKcmRZmX0Udf9uHGIMzPuMmp5/1LHk2N7Eq F32+xsDDYZXRXiQe7gBIilYDncM6P12aJ/x8r19dGiEAIoWXN1/jhLzMtJQnn4n2 2wMEKNyM2PL4ScXZ4R/1AzNB/kT6+pyg/vnG53gG0FKogiuqO9U+5YmbxF82DcXJ crChq1eHUG6Jwdaj5tNtOZVBdYZhDgKjRqwN2gt+w8qswp5MpXKPwa7FtJZEps0N c8kIoXTmAbHm+vlKmYPgIkcR/ixwNKUF7sBMXbi2P3++kKG3hZ+VcrifCV80t26s X29Bo2e1Pd8QWq2NCwEsXR0Qql63AQHGsYSmHdYLdclPbNm7pZu+eODvRMwHD130 8PWmipNAfiXlxrvRy3X1NzqC0UvYL+cqjBXkpkGF+Q17z7TUJt6cXL7UY/Lb6Imr 9JBHP5wBcrL7eES2CTgCSC7N4GpKLNi4k+9S6MCIcV1uRbOD1+XR0O0lVTeZlGsk rRmfKfUKISQr2Ix2G0Cb5Ki9uHCktTd/zl9Mrr5B5sPrlrs1m5wkjq7u/rBsWOS6 Hr4IEhpnBiyBNXgeNX6U5qJttswPF2dN5doafF0+cD2zpLJO9EHhiyTOCZyQT6uY EmkYIOnIhD+HQ3HXvnlnCEaJnysnsVtPOxrrPrHVnuPkOTl/52R9A9aTwfnGtWyg o1So4PFPYr3V5ZbSMhrz6uxur3q3hvZ9SKVGNjvvWVDmWYmO7Ui9klFUXO26nsf6 UPjZL2Sc+a6uinnaUcoy6ICnrahAoE7fh3VkC3OJCdSSFOEcNglagv8XM2Y3T2Xy u5TyMToyvVv7cXQaB91sUDOsrQEwA1W4IJPhiH2It3b/ThgiYkkXQV0f8Y/meCwZ kGxJl3umNSOQnoRGsm3h2+P2LtPdudUwdYzXFhIhTD/Ptv5DgQPuK2hgDVc/d1jT 60hXwEzT9FiduqVY9zCySc0uJfJEd/xRVwHqt0ZD0W85WlT/XgoKQidtAiEAsFI+ tw2wZQZHcA6uy+W+FbPkcmj1z0B4qaWWz1jauNMCggQAbGIsFN9AnadBRd5wh9Mk GpDCIG6Z4xDAQVhdMN34e2MUxBMHBwwmD43ww7mJlBzAC8UtgdP50wcuDIejjWt2 8Ym0JsHt8+1xFhk1Kx5g40ezmBrWk3UymPkzfIWZCUZHnyVZroweVdHZuF5qeYod CrmHy3zklge2WtZmDuhkL2ZhDkQo99bshOWkuUQHiufsOiTLeM49Iy3AF+nNTq7n MSA7BVJKd/cZbSS0HIb/4NsCRC1CzANTIliYuj3BztjnJ7oVIKi+2J+gpWZ268U5 pl7kEjcjRyC3Uu0M85PZQaSPTd7FL0NoJnvdiRAKOqh/7AQniUf96CtMI81rHoTW CBf/P7T4hkUQpcQTmIacixKFOCXQwMN0GfADyl8neS7mwS0KJRgCNr0ogi9jh7ag tOkaNlg/5YyN1W05YFP5BP5OM9Xc2LxzTacN41lNli4gSt7zGHaM+LNOT+U5w6Rj wo+nCAdD7CXFYVuJoPCLbN9TRn6iniP8KIe+I4MfT7s25lNjs9d7G1v9kQhLni82 NaYGI0v7bT7+YlH8damY63Dw6PiCBtEQEBSkg0z+rb0hJjgSpdXkWPtGlZRIIJWu EHnUbsBbH2mhuZ6cIPSqipAK7+XFIneJy0OJDvppiT4ypey925GSL8qytwrfzi8P kydZKQ8tIDRvXQj9Xgw+oXnHQQo9uOgzUDICB/lRnNb0/EAOtb6Js29dWpICRrdJ gNPzyYCWFN+zYVZE4ajul4zNwcULC3ACg9OcgYhbog8OzCnhpVVn//Sd5uDYN38v tA311gF/acfyssGueTgcc6EMqYcG/sQnHSSuAt2zRNom30/B9sSkyMe4ugwLjpSE i/qqYdMt1mmZMz3tpLfYi8Nl1/FGlDUKJqIoPZa9W/cIqwwlK4xDO00/2daMOtfg BDB0FPP3rC+fFmp1kesz7A9MpPZM6uwVL1KF+ZbytPkyxSgWK9Ky4TCmzbHf7eD3 Z+aPB1PX440N0nr5mn9PDqGFhS74gqOp6cZjUBzvo2nGMlJLTVi/2DsoiYsa7KDR mvIw34IwTBN20BmESO0YUnJKLaBHwuJd7Y+5CsDiVoiMaAhl31rLwuk4GUicJTYN +Zk1UPunTxEZm5geLZOiyOTpEi4AXSAvCdgwerK5b5uePz/jCikXluvn/bWcOEM3 UGMOrw0UEdoLAGdWiIxDZviBZ1iT+a8plwfpO3L9ltyxPOCGYkEj1vyfBAlTV6tt 1WTzXkVIS0G35OnnliT3BHZO1Xzbe31CJa6qees4DG6t9VqYZ+xSPFdcyTOmVkCi yhAjbYITLFBQZCvJINhD4ndh9JtSwIbNphp0ad/az8jAFsSK1OUshmCqf8kydVTv XAOCBAUAAoIEAF+p9otK4DCWmk1LE0iID0A0wwTiUiZjzphMY4s2wPwuP3eimyTt boiwLwZ3TT5VZmEiWsAxR8FoAmtpya+y4L0v7CN8wNTCVc1Bvkxr3IDY+wh1g7dT CSQtXEE0nkjxv6WBPp1ZfyAA6FWfPRJSckkKLU5ynJ9L1bNHKkYfi2R9BVxtGlmh NuMvuTDxnmVp2lI+BWDKPAzt/zifzQ5t+wSJ0uKhyIk3VfMHfwiQhStytsOaNWss WV+BpoIMpMtL3+MWmdJdS0lEGy0p54PlpR6K+4wq0HkRZakl6RDY7APGlZEmgk6F t+ulVWmeK9m7Lhc0FjpNLxvnL7hmWHsGlA9XVbrxlCL1hM2olCuD57VPgYtATwBt Fw71aNNpRjeXUDeTLMI2mOTrR74xZNKYiCp6Q3/dmww9XfNv4nBgZM9BQiVSSRWb /fOmuApACRvhbqaf5k+OM4VY83WAUQcJ8O9MncFZ+5jISZ2x9b//BlXodDMzwS1E s3EGNpIF6HUJqI/U9nE31nRXpTuXIBcbOlF7dcdysh46H4dBSR+Ich9xD/aLlw7g tjiKWEddfSBM9UwvVpitJGePpoFpT17bIoUgqUAcuaVv4N8YOkevj8261yK3m1kT NXLw467UUAuiyVaBFLcSoYZgeML9ENgYCBUGLVnQ8BxFlgrYLSX7Eal5l4m7FN7v gxkpSR7V2lTnhO86EajoGjyg0WqAP1KWDbOL+WeBa8J/i7l8LV1Roa5W8NIVxIcj YKbE35fiXySdg7DOHdXyeXLACeXaj/iQoVnPmXpU5xbWB722Xn+NZOB/OXfCgNt7 sL72PXpodtrUJEUilS/CMu+g/0aOHlDN8xIQ9P6gTn8+Xrt8Z22GnL6rCm2Ap51G 20+GcaSIvx3IaHEyN+3tXHoqeNV1LMFmEkUqYbZ7iQZ9vac7CvxKsUHPQjIYoSgQ 2RKqZDnSsWuKGLio7OevM8EwThQeJ4VPbuGww/xmuyY7fn7RoNXZ/2HQS+MFq44G tI/IOVHdiu/nET69aWASu2P8/Wc+6NHGLf7/+1bF/x9Hr//r2lHbCsVNNDw4p+5g IQaEe2Zja1nUM86l7+DuN6YNh2MN+tNBW7dVW7+fthvrU34BANOhL1bqJ8UvKuav wPvmaZrWhnRReR0V3TRemjneE9EEmFoVLqOAcIEH7iJC67vcRilG8GaJwxifw8ud LEhfdU+3hDXElLbytbhMf+AIjAhJitVUyAt7R+C9WmhNW09DbrR74zSmzKgC2jut iBUyGgpBb72nBRBqwzMG8EoQJb4J9r5Rli6u49/vPQgt4I4mC5BTsitHLAFhVpng WeJznXOmjWhQE935s8DC4XY43509e/5gon8= -----END PUBLIC KEY----- openssl-ibmca-2.2.3/test/dsamax.key000066400000000000000000000122231421243614200172170ustar00rootroot00000000000000-----BEGIN DSA PRIVATE KEY----- MIIO/QIBAAKCBOMAktKbrplsBjCew5j4joSsuBsQT/3RbBXLNzl4ucFO6gsKq020 rVSUVDC097sR3v5gfO52WXVPRfBniZyV/Wv8eK49NCrxHTK2wj5x1TaocPCwyrGL oSdj5VaC2HR5TiiqLE37iBSEXd00ZE3fk9ucdct383p/iYg9CPH6KADASvEnZ0Cb B76/WiP4RjAm41zBAOHkyqSI3N8o67e9UCFk94G/wiSqilqlij2Kj/bD5Y7rLUEw KvT/sUsE1Bv105hLCfMU2zsV5CsTx5N01fw+eiB0NLHyL/k5EPPw52q/S6UQGCcJ xmc6ecPWed70jcscH5XDp7xlBLA/0pkq1u8henzJyUsMUOG/JkQB7dbow4dlVNhr IEDJv+V1wD2jm7YBpp9Oz3Q8PWiEY38+7uzysnQe/K6uHlJ1CXqPyihWkmpqYWtH NePNkydj4ZNLnJfKVqSinUdhJwzhF9erBt0/WCOF3W13iA+1awWjN180KwL6VIsN /EQ0+mll+oWVL5msySbFNnZfXakCwz6jt1+VV86Uoi79yvt9QkWJ+Ka0hF/9iCt7 DlNH1hBBo9L9TF0UHyMapyMxzKrvNaYxTaVCjflspf9nM1QDtI0RGsV/03QKDxBg YkupV+DOf4IUUMv71sKLl5YcX34Nky/uO0TCkH298Ulb7C1hKTCb/iEzYHGlt3Sy 2ehiEMRkjgHI1Tk1REsiOxWx63/jLCWenp7c4FtJOlrsW3GUwQl4haQpjoX5CUU2 jKfX9lX1BTLvmctwZAy6+eOaMYUGxZ183+kDqiJbomSWp2NrNS3gQ9gNPbDkBFCO jqNhNt8dzVst+nvAzIM5wx9kRHikKjjQGr5WsE0ncp8R11CWz1LRPIKj+Ewe6kUW +qF0v4dsxZcIekKkRwEkH0mcHuYO6g5fxUnnWBZUUP+inDjFaJ8NlBrxcKBgZz0d 8537sKSxJYqTWIXWK6UMSVkKqSABAotGdZ8cY6Dv+22ptdvHnK6V2ryq47+xZajp c5bNkvBqCMtNaZOrMv9A1USCN4ej7LWoBmhNUMQd9uQDXlrjR7Rnr8+wO6i91e+I 8yuOHFjOCFKNHka3wXMpeS4WgiH3JTzVhiTs+b81u+G8clrbNdOfLOyfbeRQHXLZ 2DnrrtrWK/WveIgDYzg6Dgj4iJsFyYlVxlFoArGPfs8VhK0WzhPs6iWQYCKhiGoH yX2/awZoOFoYNXxilLE83m1yw8UM67TBUoAR0EPeXECe03dQEhorDwfacNIw+CvR gNQHrXTATAGUDL6VhAsdxY50zOdW6nEOKtOQLR2NRnKSTn4Sa4B23Z9tZo/v4UXV tpG1/Ch1vYy3OGhGSvY6wzcKAR2itnyrXaLoSY/GwwAvh8L70a5+JhOAELqkWmHK g/gmUB1CEhGuV4X87uCahWXD7faAkcj1lPKMEUB4ZqQs055wMd/FUB4T32iIzEU3 7SRfMS5Og0jZ83PJGjrZP2HJLb8b/88AbtoIBevOeKJHtUNDg4MKQlLdpuAYH+5B bjsp9oj8ISvronNueThO3esgyba07E3QgCk6QWjgYZ9+5NP4uIuIqTSQz8K5CFaO T6h7pwetEEFszcYN5YPslFzW8CwYI/N/XlBcfkTK4GBeaYqca0S5SBGndvapNBCA MG410C998pIwA0djM+0CIQDbT+xFXLhaCXDLN3H/3cFfHwrJAysugTkIShrsBA09 qwKCBOJfTR72Koj6uRzwunWH6w8VVmGVLWHQS2mvJ2EnuBaOhkEOUQRPr0pOYLcP Tgk3Lebbz8I2j81fiddo7+mxSp2g2qnp6cspO0oJJj1O6E1NZqj6lVHZux9aC2xg t9MIi754UzHNfLYwGwIYeGXVqpw7JLaYYqZdAvYdwam8KWNtW6tdicPLi7Bi4eU9 pvPdmhyyXWky+7Q8QI0d2ABgZVHKpMZPoXnZ0bAGuQgChATE+u2XymhiORyXr6wk 2qFt09lkq2vE3iFM3Wj2hphF4R5GLZX9aJznjJSUSR/9K4FrG34f0fQ2vjg1qeoz Vis4jAe9ISNtMGAjLS/hujqi3vhDbSAGbgOOk7GQClGnLsjIzp+BYhamUPEKhjwX roNIKJEss7YUxqNDLKb9mMESza8aLag8ZHKzh6oqTqwi5S9k3/cFizAFy3Tvs4oR qhzPUdhnPMtvsPLAaOhJIjl4EEntAMpSYW70aIisW/hZpJqIEbOBr4uQmQFqOpqs BfiY3zJq/APrw57H6tHoCtEVvZBadg2KrZjDVrETzQR1vU6L8tyiB5wLNj0fw+FO jeDdhsZHyvaWzk/1jFCl+thcNI8erz0Yarj/IQEw/FOHjqsJXfGN0mXKxp2chL4a haJJ9DIRG3poFASC4G1GZ5gV8eU/bT/pDY4DgQtNz35hoaVAY8X9LulMhRWLF1GV YNn2JMMS/WCJWL2KDxapReOsAY01RECEEd5/QUIUL3MAWysV5ckNCmr3h6CJvxSQ +GC/b+G/KNofuu20ank80ut6ES0tDyZVMdu+6tLyyPY6DQDyKFMkAK08as4FbIFp GuNUIE351wSxlu05lYIsVw5hY0x3v9b5aGejV89lqp2V9PuWTFs/JqGeGE9bvb6+ 4G2cH8TsSTtx+7wzTAakEaH4yqSRT02GBfI2bwiF6GDSGAiv+raqIHiu9vdqeHBN SIHDGUVOKcssSnDQVQfH/c0OENDuxQNg+/mASckKK6uVs+B2NPuwCprib4en+LWr 2M1YNMUZGmeiZduz8sbUDcZ7rcExKQdwiWQO0GNNBmug9WqtUhdXHwiDMy6/im99 G1PUDrHwUb+Ica70+tSqnGr+A++z72smLYGGsjUHdgMm/xisrCG7yYu3+NJMzq6k 48+zzIz/6YxTRe8DE/5ebLh6YF4DX7BIMp9z/fwvN/HH8UiR/yrYafvJSlveLVuU QwP/74c7mkyP+YHreOREIZQ/TAQ0Vskp5lJsic+Ks24Ymek3GRDC6/GUb5kC2zvR 5kBeRn0cHX1Atjil0Ab1NQNviAoy9oCUvbShI6CC318mQzT3Z7mrzbhUbExKUWzE NhTIji120JCjLIivK+bf2eb0/V+8y42QitAz7tRTqn5feijSHMrlM1IP58kfGOgo YQEj0LFBf+WS8fNaMTQOxFw8q0E1xcG4qpsf1IwTjifAcq+qvsI0Mrme0BFksAoX vlo08StPR0Bblj0+Ghreh1i1c7r0sT3ykdHmEUZABhud0+XfoW8qzbH9djGcQJVD ltGmvEoTj0sbyjavbaNitje+0UVC+UGC0w19g1DI0shYpcvpJ55guX4Ksd6D7lQE eqWA/IzcCdlyvn7piv4VTRT9f0gAy2swPJD4LFxnKsqOjTE25fZfHfPTZUFcbC1G snEWScz1KwKCBOMAhzoWJ9oiA6D2CLIAHraRMOP7ZoQHzaeRIffIp9p6Ld5mFTFw KI+2uhd971zYWAVQO2PWz+m/kJjjeQrdmAYCUnEB69XkXlgKLLr3i0nD0NCE6jZB 23rdv3iiXigZrL5Uuvx0WSwHu71XdIeKw+xWWyluUsWJRsffsOGOgV51LeV+dNjH Ntd2tJ2TNWqGBhLA1r6b8DO1x1hRG+/eepSxInz8+TEH355pqRme6auTBRKqsy2z fxwLjDzaXsgZV7nmhMVeecAfvAkR4aQugqj/ac3bqs/FdAAFf55WGiQWJL/pLwrc K4f0oiGGMU3tGSwUHp+rVsxI1gpSqv1MfX5JXKgRpw23mxMm8JPWIOi/xXzemb1l N+qYzsH0FJ8Xr86cXLoOlzFpHZNHEq3xNIeRhGAk1l8rKqUIduaOKeM9izBRtiLJ ZXckvVxvqPzwW/SPvzl+M3kC5dHlMr8idUVI7Hd4gHFQ11eekCER9j8HGQi+FjBk MF6eOqBuopVeHlUTgDnZ39G//h0ETa/DB0jHZw5IOHSAHGjJIGTELUTrO8/ONZYS 4Tx9TkV2JDikNjD5i8CUOXC7rVXOiuA0P4nhnm17sy31PHIBrKxcncO4ny9go+81 IsLRsZJMwlx2+9YaYbXL6nPiWBmgBQMb1Xqomtvcc079cqQdvME8MvPYfQewrmGG F4aXRQTfTe9/T+8GzGlergHd7kcnX5XC6Eg1f2MDw8zjyvWva+vO/9SNAqBeZuzL PaPSvEFJLMJ6AMA/+7BThmYmqZ+NN04XQZekd/6QVx5WDACCpJTVMY7O9UULk7f3 60ad6zBqBvStS9eG3IXCWukxHfE0+D1fM0PYmX5feC0bI2rz+TSwXfUSIiNpl3at iIR7FcGvUpOcGJuKRX2Vq/FKqfW5tQKgQcfx4P0+qLwHoyxUsPIYBA1NrPNOAnSx F/K/RTIslQIbTtGq8TBRaLAKO0IYAUqKhWFDOte7mt6HOMCklSFGgsMLQG364w9y 26CDkoHUu1S9yHE1lPL9QdSi9pize/ATfs8SuCKnYVlPPT+obSpSvBJs64+ChJHI 8S8r4W8lkYDuSe4UVxjCp9339erx/Ttn2fGk+2A5kn85hTH61q3J3wo1dTML+3fa brYH0p1dD8OeaNa1cKs5iwJf1B8F/2laq53zs5+qUmbhmnbpZfg5ZorjtKzUxAeo 1u5f/Ty8j9Kp1PXNgdtBWKHgMOXrCjm9VJTpWWZFoIf7l2M1yqAqgJTU8OJPn6qh MUIDca/EUzzbFGWRlALhA0ZF0s+QJwzdgUg7vS24Mih0hXcU/WBAe6F6V0oYrEK+ fUGXgPb6kRuh1KaK2aYjwtGTTzuvDYQWqUDobBl4x4BPKQSzq1KZL+Y6RDFt6PNZ H1ZXjM2YJcxHTO3/cLa4S5jBdHCvi9vMy2A0N4QM4t6cdZxF77ErVSCNi2Q2fDLR 0W4Ociaa0TUQLnX171KYpDCJSZn3lYN7uAQ9/kJar7judAhQ/lKKF/gXRhp9hUNw ukB1eUacI0xIzem6QEtMfwfSfiMO3b97yrHHUPxpYmWDkYBhItDKiIv4F5REwFVA Sbnqcyn/s8Bq07rL55lvjqDsQPeLF/n87jHmLb3NeqEGR1rMZ1zEDbxctQj5Kn4O /Tkk3D+Q5SVCEyrPM5ECIQDMTxlHVgocn3b4nBVbW91u9cVkpMzcOuSysDBygGsa UQ== -----END DSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/dsamax.pl000077500000000000000000000001261421243614200170440ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::dsasignverify("max"); openssl-ibmca-2.2.3/test/dsamax_pub.key000066400000000000000000000121601421243614200200650ustar00rootroot00000000000000-----BEGIN PUBLIC KEY----- MIIO7TCCCf0GByqGSM44BAEwggnwAoIE4wCS0puumWwGMJ7DmPiOhKy4GxBP/dFs Fcs3OXi5wU7qCwqrTbStVJRUMLT3uxHe/mB87nZZdU9F8GeJnJX9a/x4rj00KvEd MrbCPnHVNqhw8LDKsYuhJ2PlVoLYdHlOKKosTfuIFIRd3TRkTd+T25x1y3fzen+J iD0I8fooAMBK8SdnQJsHvr9aI/hGMCbjXMEA4eTKpIjc3yjrt71QIWT3gb/CJKqK WqWKPYqP9sPljustQTAq9P+xSwTUG/XTmEsJ8xTbOxXkKxPHk3TV/D56IHQ0sfIv +TkQ8/Dnar9LpRAYJwnGZzp5w9Z53vSNyxwflcOnvGUEsD/SmSrW7yF6fMnJSwxQ 4b8mRAHt1ujDh2VU2GsgQMm/5XXAPaObtgGmn07PdDw9aIRjfz7u7PKydB78rq4e UnUJeo/KKFaSampha0c1482TJ2Phk0ucl8pWpKKdR2EnDOEX16sG3T9YI4XdbXeI D7VrBaM3XzQrAvpUiw38RDT6aWX6hZUvmazJJsU2dl9dqQLDPqO3X5VXzpSiLv3K +31CRYn4prSEX/2IK3sOU0fWEEGj0v1MXRQfIxqnIzHMqu81pjFNpUKN+Wyl/2cz VAO0jREaxX/TdAoPEGBiS6lX4M5/ghRQy/vWwouXlhxffg2TL+47RMKQfb3xSVvs LWEpMJv+ITNgcaW3dLLZ6GIQxGSOAcjVOTVESyI7FbHrf+MsJZ6entzgW0k6Wuxb cZTBCXiFpCmOhfkJRTaMp9f2VfUFMu+Zy3BkDLr545oxhQbFnXzf6QOqIluiZJan Y2s1LeBD2A09sOQEUI6Oo2E23x3NWy36e8DMgznDH2REeKQqONAavlawTSdynxHX UJbPUtE8gqP4TB7qRRb6oXS/h2zFlwh6QqRHASQfSZwe5g7qDl/FSedYFlRQ/6Kc OMVonw2UGvFwoGBnPR3znfuwpLElipNYhdYrpQxJWQqpIAECi0Z1nxxjoO/7bam1 28ecrpXavKrjv7FlqOlzls2S8GoIy01pk6sy/0DVRII3h6PstagGaE1QxB325ANe WuNHtGevz7A7qL3V74jzK44cWM4IUo0eRrfBcyl5LhaCIfclPNWGJOz5vzW74bxy Wts1058s7J9t5FAdctnYOeuu2tYr9a94iANjODoOCPiImwXJiVXGUWgCsY9+zxWE rRbOE+zqJZBgIqGIagfJfb9rBmg4Whg1fGKUsTzebXLDxQzrtMFSgBHQQ95cQJ7T d1ASGisPB9pw0jD4K9GA1AetdMBMAZQMvpWECx3FjnTM51bqcQ4q05AtHY1GcpJO fhJrgHbdn21mj+/hRdW2kbX8KHW9jLc4aEZK9jrDNwoBHaK2fKtdouhJj8bDAC+H wvvRrn4mE4AQuqRaYcqD+CZQHUISEa5Xhfzu4JqFZcPt9oCRyPWU8owRQHhmpCzT nnAx38VQHhPfaIjMRTftJF8xLk6DSNnzc8kaOtk/Ycktvxv/zwBu2ggF6854oke1 Q0ODgwpCUt2m4Bgf7kFuOyn2iPwhK+uic255OE7d6yDJtrTsTdCAKTpBaOBhn37k 0/i4i4ipNJDPwrkIVo5PqHunB60QQWzNxg3lg+yUXNbwLBgj839eUFx+RMrgYF5p ipxrRLlIEad29qk0EIAwbjXQL33ykjADR2Mz7QIhANtP7EVcuFoJcMs3cf/dwV8f CskDKy6BOQhKGuwEDT2rAoIE4l9NHvYqiPq5HPC6dYfrDxVWYZUtYdBLaa8nYSe4 Fo6GQQ5RBE+vSk5gtw9OCTct5tvPwjaPzV+J12jv6bFKnaDaqenpyyk7SgkmPU7o TU1mqPqVUdm7H1oLbGC30wiLvnhTMc18tjAbAhh4ZdWqnDsktphipl0C9h3Bqbwp Y21bq12Jw8uLsGLh5T2m892aHLJdaTL7tDxAjR3YAGBlUcqkxk+hednRsAa5CAKE BMT67ZfKaGI5HJevrCTaoW3T2WSra8TeIUzdaPaGmEXhHkYtlf1onOeMlJRJH/0r gWsbfh/R9Da+ODWp6jNWKziMB70hI20wYCMtL+G6OqLe+ENtIAZuA46TsZAKUacu yMjOn4FiFqZQ8QqGPBeug0gokSyzthTGo0Mspv2YwRLNrxotqDxkcrOHqipOrCLl L2Tf9wWLMAXLdO+zihGqHM9R2Gc8y2+w8sBo6EkiOXgQSe0AylJhbvRoiKxb+Fmk mogRs4Gvi5CZAWo6mqwF+JjfMmr8A+vDnsfq0egK0RW9kFp2DYqtmMNWsRPNBHW9 Tovy3KIHnAs2PR/D4U6N4N2GxkfK9pbOT/WMUKX62Fw0jx6vPRhquP8hATD8U4eO qwld8Y3SZcrGnZyEvhqFokn0MhEbemgUBILgbUZnmBXx5T9tP+kNjgOBC03PfmGh pUBjxf0u6UyFFYsXUZVg2fYkwxL9YIlYvYoPFqlF46wBjTVEQIQR3n9BQhQvcwBb KxXlyQ0KaveHoIm/FJD4YL9v4b8o2h+67bRqeTzS63oRLS0PJlUx277q0vLI9joN APIoUyQArTxqzgVsgWka41QgTfnXBLGW7TmVgixXDmFjTHe/1vloZ6NXz2WqnZX0 +5ZMWz8moZ4YT1u9vr7gbZwfxOxJO3H7vDNMBqQRofjKpJFPTYYF8jZvCIXoYNIY CK/6tqogeK7292p4cE1IgcMZRU4pyyxKcNBVB8f9zQ4Q0O7FA2D7+YBJyQorq5Wz 4HY0+7AKmuJvh6f4tavYzVg0xRkaZ6Jl27PyxtQNxnutwTEpB3CJZA7QY00Ga6D1 aq1SF1cfCIMzLr+Kb30bU9QOsfBRv4hxrvT61Kqcav4D77PvayYtgYayNQd2Ayb/ GKysIbvJi7f40kzOrqTjz7PMjP/pjFNF7wMT/l5suHpgXgNfsEgyn3P9/C838cfx SJH/Kthp+8lKW94tW5RDA//vhzuaTI/5get45EQhlD9MBDRWySnmUmyJz4qzbhiZ 6TcZEMLr8ZRvmQLbO9HmQF5GfRwdfUC2OKXQBvU1A2+ICjL2gJS9tKEjoILfXyZD NPdnuavNuFRsTEpRbMQ2FMiOLXbQkKMsiK8r5t/Z5vT9X7zLjZCK0DPu1FOqfl96 KNIcyuUzUg/nyR8Y6ChhASPQsUF/5ZLx81oxNA7EXDyrQTXFwbiqmx/UjBOOJ8By r6q+wjQyuZ7QEWSwChe+WjTxK09HQFuWPT4aGt6HWLVzuvSxPfKR0eYRRkAGG53T 5d+hbyrNsf12MZxAlUOW0aa8ShOPSxvKNq9to2K2N77RRUL5QYLTDX2DUMjSyFil y+knnmC5fgqx3oPuVAR6pYD8jNwJ2XK+fumK/hVNFP1/SADLazA8kPgsXGcqyo6N MTbl9l8d89NlQVxsLUaycRZJzPUrA4IE6AACggTjAIc6FifaIgOg9giyAB62kTDj +2aEB82nkSH3yKfaei3eZhUxcCiPtroXfe9c2FgFUDtj1s/pv5CY43kK3ZgGAlJx AevV5F5YCiy694tJw9DQhOo2Qdt63b94ol4oGay+VLr8dFksB7u9V3SHisPsVlsp blLFiUbH37DhjoFedS3lfnTYxzbXdrSdkzVqhgYSwNa+m/AztcdYURvv3nqUsSJ8 /PkxB9+eaakZnumrkwUSqrMts38cC4w82l7IGVe55oTFXnnAH7wJEeGkLoKo/2nN 26rPxXQABX+eVhokFiS/6S8K3CuH9KIhhjFN7RksFB6fq1bMSNYKUqr9TH1+SVyo EacNt5sTJvCT1iDov8V83pm9ZTfqmM7B9BSfF6/OnFy6DpcxaR2TRxKt8TSHkYRg JNZfKyqlCHbmjinjPYswUbYiyWV3JL1cb6j88Fv0j785fjN5AuXR5TK/InVFSOx3 eIBxUNdXnpAhEfY/BxkIvhYwZDBenjqgbqKVXh5VE4A52d/Rv/4dBE2vwwdIx2cO SDh0gBxoySBkxC1E6zvPzjWWEuE8fU5FdiQ4pDYw+YvAlDlwu61VzorgND+J4Z5t e7Mt9TxyAaysXJ3DuJ8vYKPvNSLC0bGSTMJcdvvWGmG1y+pz4lgZoAUDG9V6qJrb 3HNO/XKkHbzBPDLz2H0HsK5hhheGl0UE303vf0/vBsxpXq4B3e5HJ1+VwuhINX9j A8PM48r1r2vrzv/UjQKgXmbsyz2j0rxBSSzCegDAP/uwU4ZmJqmfjTdOF0GXpHf+ kFceVgwAgqSU1TGOzvVFC5O39+tGneswagb0rUvXhtyFwlrpMR3xNPg9XzND2Jl+ X3gtGyNq8/k0sF31EiIjaZd2rYiEexXBr1KTnBibikV9lavxSqn1ubUCoEHH8eD9 Pqi8B6MsVLDyGAQNTazzTgJ0sRfyv0UyLJUCG07RqvEwUWiwCjtCGAFKioVhQzrX u5rehzjApJUhRoLDC0Bt+uMPctugg5KB1LtUvchxNZTy/UHUovaYs3vwE37PErgi p2FZTz0/qG0qUrwSbOuPgoSRyPEvK+FvJZGA7knuFFcYwqfd9/Xq8f07Z9nxpPtg OZJ/OYUx+tatyd8KNXUzC/t32m62B9KdXQ/DnmjWtXCrOYsCX9QfBf9pWqud87Of qlJm4Zp26WX4OWaK47Ss1MQHqNbuX/08vI/SqdT1zYHbQVih4DDl6wo5vVSU6Vlm RaCH+5djNcqgKoCU1PDiT5+qoTFCA3GvxFM82xRlkZQC4QNGRdLPkCcM3YFIO70t uDIodIV3FP1gQHuheldKGKxCvn1Bl4D2+pEbodSmitmmI8LRk087rw2EFqlA6GwZ eMeATykEs6tSmS/mOkQxbejzWR9WV4zNmCXMR0zt/3C2uEuYwXRwr4vbzMtgNDeE DOLenHWcRe+xK1UgjYtkNnwy0dFuDnImmtE1EC519e9SmKQwiUmZ95WDe7gEPf5C Wq+47nQIUP5Sihf4F0YafYVDcLpAdXlGnCNMSM3pukBLTH8H0n4jDt2/e8qxx1D8 aWJlg5GAYSLQyoiL+BeURMBVQEm56nMp/7PAatO6y+eZb46g7ED3ixf5/O4x5i29 zXqhBkdazGdcxA28XLUI+Sp+Dv05JNw/kOUlQhMqzzOR -----END PUBLIC KEY----- openssl-ibmca-2.2.3/test/dsaparam2k.key000066400000000000000000000014641421243614200177740ustar00rootroot00000000000000-----BEGIN DSA PARAMETERS----- MIICLQKCAQEA9PsXA/O3soomi8tuZOLnjLSH8lBkpfSvOsnrKjegF/wGafTpAIwx ucPyRvC3B03lI6IHH/pTH42/Lbkk46Qnm7nLOQKkBq5SOvx4DecZfewtNXvPZ4Kc qrFCs/xjR+qHJ10HntcHBW7yKzoNX7Q2TXj78FUSIQe0f4PCaiHJwMgzibcJUBfO xegjY38/MQkTGyaOEzFwTrcTCO6O5xokhTmqbPP3Zw2FOqEwcm7vnCXmUU+ffE5E b6HIpUYOy947A6hEHz4mbFAPx3/IqslKICegqmu6sVtWAVVPhn7BCbjvNFZTznuW 3nkp7bGoeOG1q6ssM096OxLs9MZS7aGeOwIhAInYRUBxrHUZ3ji+E3MflNjwT7pW QV50gthrPe8k+Ov/AoIBAQCcqYFWlR3hVHtlLtewB85Wo/vbyq/NvilF+RyTq6Q0 U0R+9+1E/wmoBvhRpiyYh75fDVD838rVq8FeCdk3drdZ0PlvnReLQN25AJeOI5uN YWIjAlPwhpsYUA9f/GaD6zJPldCv9xCHeB7KyJwl2L9bcUFs+S0S8IK3Gh2lguUR h4byBcPSKUmnZf0EELXe2tf/U+wNd0xJh/inRnFfZ6LgxY3KTun5Xv7efEQhCaXE aSfQDqEDaAfC1VVhJVF+jKTNaqwpwWWe+OWj83IseFOFOyRGz2YrlEFcPDMUbG20 FocKan8RjKDAmo8zBD15Ieid9NceJzujetJF8VFGHVd4 -----END DSA PARAMETERS----- openssl-ibmca-2.2.3/test/dsaparam4k.key000066400000000000000000000027531421243614200200000ustar00rootroot00000000000000-----BEGIN DSA PARAMETERS----- MIIELAKCAgEAyJscZddSVlbzJWUul/6UyYNMDQ5Tw1Hw7qCKGWmpAAZlASED5TPD 60SgxOBMZK37oce07VBxe/pqXLdMEGN52Fo7ST1mil5/Rb4JUvexLX9NCyz7LBNg hIXQtb7826dK79Q6t5nXAHmUl/1WeHOIgwSDD9ECU6km/O10CPKrWlN187ob8lk/ /zA0uU/J7ZN8jFei8d0+E+tSRRhDtNjJPXw9uHc+Vd2H8rfGh2riP0x7mH/h+32U hcPbKyRtzgweeCYbdS5rLaWCoKAawNg2QbpotFf9LFWqohnkHINpgHQuBCDAuriN euRX4yNR/SA1BXx/esKRxqnHs34qxSSZzHea1uIWi/IbmU0xFT02tWwZ2MKFpmfr ky3eJY/L6wSyIrrbRp42m6sV4R5jjTg8nTOl1d4N/JVe6ttXH4fx/VDc/3vLktiv 69+dKCgsGrEo+vBKpqY/6CXuHFYSVZM+7NTMKGilsT59gP3Oc9I4ApF/Z/MuN9jv k3Uyz1uUDszbmVYjHhWg5g/O56G8wj+QH4XPfW4IS0AiaHkuo008xJDRcJbBVzbx z+gxZqL143OQG9ciXxw+imnbSNsyB+a5cpKOEwgoeU3lIRhe8eRtvWfzfT8T94LN 8xU7w6tzoSk0JxLTdIBKHDST17jmato/SA4uwz31uaWA7eU3gv4u1DECIQDHoioD Wzjed2EIPznryUN1YsmeTbyn53t4Ud4o4DLOmQKCAgA104Ps34soiOkNr9e+e8tb kbOhix2Brr2OM2c0V5CGU6Oofjila1hNp0DfoN/jrPzZT/qeiyuIleqVjlpaV/f6 PJn2FX9Amx3g8Yhy4ywP3PPU71Orbj+LiP56cHanvHEe941HKxUpXcYSHOskE6AQ gl/pz6leBqfnWUjAPQbO7jeYVhuaz8ovfke7G6gZNDpiVV8BLdJ9c4OF+83SimDJ CdFnRYrbtDXsYHCv2FK7bLDaujJEOqjNFjQX5/7OCSb7f17zJtM7BZkAZR89+N8K uOjQKVqzCFqGaNAB/7VPgzHjzAoi9YGNHoM2Jy+aY0kv1hBjkwdw9m/gnNZAREMo tXtVbxnV9+ppHpacA9eqHE1XIeIE7SN8D1snQAGhRmvlOUAuyhnDOnkBvvCXnoAm lprDX4P+WtBdGXFDKGkYz7LRZt6jT1GasgXdjscYlEUb/Y7Hklyn56tTlLEVICpZ qWt+mRB0gXrt5NDpq6rvq2Xv7A545H48dQ4Q8HisOkn6VoedhR6jMfXCM93SOx0l g20cmfYMp3H2OYW1z+j1K4Lgsqdf+RX1t1glvS+1vP/Mp/xqFvc0T8D7YYMYnjQj ZE8zgDKqlGeeXYKxzD9EOeVAzftS37E2A3TGSG0JOPN/c4jtO1EAIXJobRmPkTFa AbIF7OuseZPHf6QYGuelbg== -----END DSA PARAMETERS----- openssl-ibmca-2.2.3/test/dsaparam8k.key000066400000000000000000000055241421243614200200030ustar00rootroot00000000000000-----BEGIN DSA PARAMETERS----- MIIILAKCBAEA/buSBt58jvUKAG7eazsdnUEmS0JRrgBQj4fLGiFpe2gsDkxFnXiD a5NZQY+2Ui6GrfgB96rED73GH1lDl8FhHYkgc9vSgROc0opeGU760QpN5LCeVADG 9WLoBcwGAjrvkDeDm9iHC/HRwkj1au0SKAeSJcM7RT6swnvAnn97SwdVwFt8n1gT xbAoFBpudjXxjFuaKbsBvJ1ln60llOHywVpk4gkA+tfzIIJzix4fhJmuLWUQSTqA 2lKJO5gOxglIpPB3ffPkqvE2WQA/PEyeLChGz6YyDA/EkXt6i0JL3chz/oOBP/KU eJ57HmtSc9HworLb4EB6ANPjVxnAQrs75qFBbA4BhE0UDMNzOI3JDo6VxVPL46E5 unlmZ+XCnJkWZl9FHX/bhxiDMz7jJqef9Sx5NjexKhd9vsbAw2GV0V4kHu4ASIpW A53DOj9dmif8fK9fXRohACKFlzdf44S8zLSUJ5+J9tsDBCjcjNjy+EnF2eEf9QMz Qf5E+vqcoP75xud4BtBSqIIrqjvVPuWJm8RfNg3FyXKwoatXh1BuicHWo+bTbTmV QXWGYQ4Co0asDdoLfsPKrMKeTKVyj8GuxbSWRKbNDXPJCKF05gGx5vr5SpmD4CJH Ef4scDSlBe7ATF24tj9/vpCht4WflXK4nwlfNLdurF9vQaNntT3fEFqtjQsBLF0d EKpetwEBxrGEph3WC3XJT2zZu6Wbvnjg70TMBw9d9PD1poqTQH4l5ca70ct19Tc6 gtFL2C/nKowV5KZBhfkNe8+01CbenFy+1GPy2+iJq/SQRz+cAXKy+3hEtgk4Akgu zeBqSizYuJPvUujAiHFdbkWzg9fl0dDtJVU3mZRrJK0Znyn1CiEkK9iMdhtAm+So vbhwpLU3f85fTK6+QebD65a7NZucJI6u7v6wbFjkuh6+CBIaZwYsgTV4HjV+lOai bbbMDxdnTeXaGnxdPnA9s6SyTvRB4YskzgmckE+rmBJpGCDpyIQ/h0Nx1755ZwhG iZ8rJ7FbTzsa6z6x1Z7j5Dk5f+dkfQPWk8H5xrVsoKNUqODxT2K91eWW0jIa8+rs bq96t4b2fUilRjY771lQ5lmJju1IvZJRVFztup7H+lD42S9knPmurop52lHKMuiA p62oQKBO34d1ZAtziQnUkhThHDYJWoL/FzNmN09l8ruU8jE6Mr1b+3F0GgfdbFAz rK0BMANVuCCT4Yh9iLd2/04YImJJF0FdH/GP5ngsGZBsSZd7pjUjkJ6ERrJt4dvj 9i7T3bnVMHWM1xYSIUw/z7b+Q4ED7itoYA1XP3dY0+tIV8BM0/RYnbqlWPcwsknN LiXyRHf8UVcB6rdGQ9FvOVpU/14KCkInbQIhALBSPrcNsGUGR3AOrsvlvhWz5HJo 9c9AeKmlls9Y2rjTAoIEAGxiLBTfQJ2nQUXecIfTJBqQwiBumeMQwEFYXTDd+Htj FMQTBwcMJg+N8MO5iZQcwAvFLYHT+dMHLgyHo41rdvGJtCbB7fPtcRYZNSseYONH s5ga1pN1Mpj5M3yFmQlGR58lWa6MHlXR2bheanmKHQq5h8t85JYHtlrWZg7oZC9m YQ5EKPfW7ITlpLlEB4rn7Doky3jOPSMtwBfpzU6u5zEgOwVSSnf3GW0ktByG/+Db AkQtQswDUyJYmLo9wc7Y5ye6FSCovtifoKVmduvFOaZe5BI3I0cgt1LtDPOT2UGk j03exS9DaCZ73YkQCjqof+wEJ4lH/egrTCPNax6E1ggX/z+0+IZFEKXEE5iGnIsS hTgl0MDDdBnwA8pfJ3ku5sEtCiUYAja9KIIvY4e2oLTpGjZYP+WMjdVtOWBT+QT+ TjPV3Ni8c02nDeNZTZYuIEre8xh2jPizTk/lOcOkY8KPpwgHQ+wlxWFbiaDwi2zf U0Z+op4j/CiHviODH0+7NuZTY7PXextb/ZEIS54vNjWmBiNL+20+/mJR/HWpmOtw 8Oj4ggbREBAUpINM/q29ISY4EqXV5Fj7RpWUSCCVrhB51G7AWx9pobmenCD0qoqQ Cu/lxSJ3ictDiQ76aYk+MqXsvduRki/KsrcK384vD5MnWSkPLSA0b10I/V4MPqF5 x0EKPbjoM1AyAgf5UZzW9PxADrW+ibNvXVqSAka3SYDT88mAlhTfs2FWROGo7peM zcHFCwtwAoPTnIGIW6IPDswp4aVVZ//0nebg2Dd/L7QN9dYBf2nH8rLBrnk4HHOh DKmHBv7EJx0krgLds0TaJt9PwfbEpMjHuLoMC46UhIv6qmHTLdZpmTM97aS32IvD ZdfxRpQ1CiaiKD2WvVv3CKsMJSuMQztNP9nWjDrX4AQwdBTz96wvnxZqdZHrM+wP TKT2TOrsFS9ShfmW8rT5MsUoFivSsuEwps2x3+3g92fmjwdT1+ONDdJ6+Zp/Tw6h hYUu+IKjqenGY1Ac76NpxjJSS01Yv9g7KImLGuyg0ZryMN+CMEwTdtAZhEjtGFJy Si2gR8LiXe2PuQrA4laIjGgIZd9ay8LpOBlInCU2DfmZNVD7p08RGZuYHi2Tosjk 6RIuAF0gLwnYMHqyuW+bnj8/4wopF5br5/21nDhDN1BjDq8NFBHaCwBnVoiMQ2b4 gWdYk/mvKZcH6Tty/ZbcsTzghmJBI9b8nwQJU1erbdVk815FSEtBt+Tp55Yk9wR2 TtV823t9QiWuqnnrOAxurfVamGfsUjxXXMkzplZAosoQI22CEyxQUGQrySDYQ+J3 YfSbUsCGzaYadGnf2s/IwBbEitTlLIZgqn/JMnVU71w= -----END DSA PARAMETERS----- openssl-ibmca-2.2.3/test/dsaparammax.key000066400000000000000000000066721421243614200202530ustar00rootroot00000000000000-----BEGIN DSA PARAMETERS----- MIIJ8AKCBOMAktKbrplsBjCew5j4joSsuBsQT/3RbBXLNzl4ucFO6gsKq020rVSU VDC097sR3v5gfO52WXVPRfBniZyV/Wv8eK49NCrxHTK2wj5x1TaocPCwyrGLoSdj 5VaC2HR5TiiqLE37iBSEXd00ZE3fk9ucdct383p/iYg9CPH6KADASvEnZ0CbB76/ WiP4RjAm41zBAOHkyqSI3N8o67e9UCFk94G/wiSqilqlij2Kj/bD5Y7rLUEwKvT/ sUsE1Bv105hLCfMU2zsV5CsTx5N01fw+eiB0NLHyL/k5EPPw52q/S6UQGCcJxmc6 ecPWed70jcscH5XDp7xlBLA/0pkq1u8henzJyUsMUOG/JkQB7dbow4dlVNhrIEDJ v+V1wD2jm7YBpp9Oz3Q8PWiEY38+7uzysnQe/K6uHlJ1CXqPyihWkmpqYWtHNePN kydj4ZNLnJfKVqSinUdhJwzhF9erBt0/WCOF3W13iA+1awWjN180KwL6VIsN/EQ0 +mll+oWVL5msySbFNnZfXakCwz6jt1+VV86Uoi79yvt9QkWJ+Ka0hF/9iCt7DlNH 1hBBo9L9TF0UHyMapyMxzKrvNaYxTaVCjflspf9nM1QDtI0RGsV/03QKDxBgYkup V+DOf4IUUMv71sKLl5YcX34Nky/uO0TCkH298Ulb7C1hKTCb/iEzYHGlt3Sy2ehi EMRkjgHI1Tk1REsiOxWx63/jLCWenp7c4FtJOlrsW3GUwQl4haQpjoX5CUU2jKfX 9lX1BTLvmctwZAy6+eOaMYUGxZ183+kDqiJbomSWp2NrNS3gQ9gNPbDkBFCOjqNh Nt8dzVst+nvAzIM5wx9kRHikKjjQGr5WsE0ncp8R11CWz1LRPIKj+Ewe6kUW+qF0 v4dsxZcIekKkRwEkH0mcHuYO6g5fxUnnWBZUUP+inDjFaJ8NlBrxcKBgZz0d8537 sKSxJYqTWIXWK6UMSVkKqSABAotGdZ8cY6Dv+22ptdvHnK6V2ryq47+xZajpc5bN kvBqCMtNaZOrMv9A1USCN4ej7LWoBmhNUMQd9uQDXlrjR7Rnr8+wO6i91e+I8yuO HFjOCFKNHka3wXMpeS4WgiH3JTzVhiTs+b81u+G8clrbNdOfLOyfbeRQHXLZ2Dnr rtrWK/WveIgDYzg6Dgj4iJsFyYlVxlFoArGPfs8VhK0WzhPs6iWQYCKhiGoHyX2/ awZoOFoYNXxilLE83m1yw8UM67TBUoAR0EPeXECe03dQEhorDwfacNIw+CvRgNQH rXTATAGUDL6VhAsdxY50zOdW6nEOKtOQLR2NRnKSTn4Sa4B23Z9tZo/v4UXVtpG1 /Ch1vYy3OGhGSvY6wzcKAR2itnyrXaLoSY/GwwAvh8L70a5+JhOAELqkWmHKg/gm UB1CEhGuV4X87uCahWXD7faAkcj1lPKMEUB4ZqQs055wMd/FUB4T32iIzEU37SRf MS5Og0jZ83PJGjrZP2HJLb8b/88AbtoIBevOeKJHtUNDg4MKQlLdpuAYH+5Bbjsp 9oj8ISvronNueThO3esgyba07E3QgCk6QWjgYZ9+5NP4uIuIqTSQz8K5CFaOT6h7 pwetEEFszcYN5YPslFzW8CwYI/N/XlBcfkTK4GBeaYqca0S5SBGndvapNBCAMG41 0C998pIwA0djM+0CIQDbT+xFXLhaCXDLN3H/3cFfHwrJAysugTkIShrsBA09qwKC BOJfTR72Koj6uRzwunWH6w8VVmGVLWHQS2mvJ2EnuBaOhkEOUQRPr0pOYLcPTgk3 Lebbz8I2j81fiddo7+mxSp2g2qnp6cspO0oJJj1O6E1NZqj6lVHZux9aC2xgt9MI i754UzHNfLYwGwIYeGXVqpw7JLaYYqZdAvYdwam8KWNtW6tdicPLi7Bi4eU9pvPd mhyyXWky+7Q8QI0d2ABgZVHKpMZPoXnZ0bAGuQgChATE+u2XymhiORyXr6wk2qFt 09lkq2vE3iFM3Wj2hphF4R5GLZX9aJznjJSUSR/9K4FrG34f0fQ2vjg1qeozVis4 jAe9ISNtMGAjLS/hujqi3vhDbSAGbgOOk7GQClGnLsjIzp+BYhamUPEKhjwXroNI KJEss7YUxqNDLKb9mMESza8aLag8ZHKzh6oqTqwi5S9k3/cFizAFy3Tvs4oRqhzP UdhnPMtvsPLAaOhJIjl4EEntAMpSYW70aIisW/hZpJqIEbOBr4uQmQFqOpqsBfiY 3zJq/APrw57H6tHoCtEVvZBadg2KrZjDVrETzQR1vU6L8tyiB5wLNj0fw+FOjeDd hsZHyvaWzk/1jFCl+thcNI8erz0Yarj/IQEw/FOHjqsJXfGN0mXKxp2chL4ahaJJ 9DIRG3poFASC4G1GZ5gV8eU/bT/pDY4DgQtNz35hoaVAY8X9LulMhRWLF1GVYNn2 JMMS/WCJWL2KDxapReOsAY01RECEEd5/QUIUL3MAWysV5ckNCmr3h6CJvxSQ+GC/ b+G/KNofuu20ank80ut6ES0tDyZVMdu+6tLyyPY6DQDyKFMkAK08as4FbIFpGuNU IE351wSxlu05lYIsVw5hY0x3v9b5aGejV89lqp2V9PuWTFs/JqGeGE9bvb6+4G2c H8TsSTtx+7wzTAakEaH4yqSRT02GBfI2bwiF6GDSGAiv+raqIHiu9vdqeHBNSIHD GUVOKcssSnDQVQfH/c0OENDuxQNg+/mASckKK6uVs+B2NPuwCprib4en+LWr2M1Y NMUZGmeiZduz8sbUDcZ7rcExKQdwiWQO0GNNBmug9WqtUhdXHwiDMy6/im99G1PU DrHwUb+Ica70+tSqnGr+A++z72smLYGGsjUHdgMm/xisrCG7yYu3+NJMzq6k48+z zIz/6YxTRe8DE/5ebLh6YF4DX7BIMp9z/fwvN/HH8UiR/yrYafvJSlveLVuUQwP/ 74c7mkyP+YHreOREIZQ/TAQ0Vskp5lJsic+Ks24Ymek3GRDC6/GUb5kC2zvR5kBe Rn0cHX1Atjil0Ab1NQNviAoy9oCUvbShI6CC318mQzT3Z7mrzbhUbExKUWzENhTI ji120JCjLIivK+bf2eb0/V+8y42QitAz7tRTqn5feijSHMrlM1IP58kfGOgoYQEj 0LFBf+WS8fNaMTQOxFw8q0E1xcG4qpsf1IwTjifAcq+qvsI0Mrme0BFksAoXvlo0 8StPR0Bblj0+Ghreh1i1c7r0sT3ykdHmEUZABhud0+XfoW8qzbH9djGcQJVDltGm vEoTj0sbyjavbaNitje+0UVC+UGC0w19g1DI0shYpcvpJ55guX4Ksd6D7lQEeqWA /IzcCdlyvn7piv4VTRT9f0gAy2swPJD4LFxnKsqOjTE25fZfHfPTZUFcbC1GsnEW Scz1Kw== -----END DSA PARAMETERS----- openssl-ibmca-2.2.3/test/eckey.c000066400000000000000000000101271421243614200164750ustar00rootroot00000000000000#include #include #include #include #include #include void setup(void) { OPENSSL_load_builtin_modules(); ENGINE_load_builtin_engines(); /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and 0.9.8e */ #ifndef CONF_MFLAGS_DEFAULT_SECTION #define CONF_MFLAGS_DEFAULT_SECTION 0x0 #endif CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION| CONF_MFLAGS_IGNORE_MISSING_FILE); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.0+ takes care of initialization itself */ #else OpenSSL_add_all_algorithms(); #endif } int check_eckey(int nid, const char *name) { int ret = 0; ECDSA_SIG *sig = NULL; EC_KEY *eckey = NULL; unsigned char digest[20]; ENGINE *engine = NULL; memset(digest, 0, sizeof(digest)); engine = ENGINE_by_id("ibmca"); if (engine == NULL) { fprintf(stderr, "ibmca engine not loaded\n"); goto out; } if (ENGINE_get_EC(engine) == NULL) { fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n"); exit(77); } eckey = EC_KEY_new_by_curve_name(nid); if (eckey == NULL) { /* curve not supported => test passed */ fprintf(stderr, "Curve %s not supported by OpenSSL\n", name); ret = 1; goto out; } if (EC_KEY_get0_engine(eckey) != engine) { fprintf(stderr, "EC_KEY for %s does not use ibmca engine\n", name); goto out; } if (!EC_KEY_generate_key(eckey)) { /* error */ fprintf(stderr, "Failed to generate EC_KEY for %s\n", name); goto out; } sig = ECDSA_do_sign(digest, sizeof(digest), eckey); if (sig == NULL) { /* error */ fprintf(stderr, "Failed to sign with %s\n", name); goto out; } ret = ECDSA_do_verify(digest, sizeof(digest), sig, eckey); if (ret == -1) { /* error */ fprintf(stderr, "Failed to verify signature with %s\n", name); goto out; } else if (ret == 0) { /* incorrect signature */ fprintf(stderr, "Signature incorrect with %s\n", name); goto out; } else { /* signature ok */ ret = 1; } out: if (engine) ENGINE_free(engine); if (sig) ECDSA_SIG_free(sig); if (eckey) EC_KEY_free(eckey); return ret; } int main(int argc, char **argv) { static const struct testparams { int nid; const char *name; } params[] = { {NID_X9_62_prime192v1, "NID_X9_62_prime192v1"}, {NID_secp224r1, "NID_secp224r1"}, {NID_X9_62_prime256v1, "NID_X9_62_prime256v1"}, {NID_secp384r1, "NID_secp384r1"}, {NID_secp521r1, "NID_secp521r1"}, {NID_brainpoolP160r1, "NID_brainpoolP160r1"}, {NID_brainpoolP192r1, "NID_brainpoolP192r1"}, {NID_brainpoolP224r1, "NID_brainpoolP224r1"}, {NID_brainpoolP256r1, "NID_brainpoolP256r1"}, {NID_brainpoolP320r1, "NID_brainpoolP320r1"}, {NID_brainpoolP384r1, "NID_brainpoolP384r1"}, {NID_brainpoolP512r1, "NID_brainpoolP512r1"} }; int ret = 0, i; /* First fix the environment */ char *testcnf = getenv("IBMCA_OPENSSL_TEST_CONF"); /* Do not overwrite a user-provided OPENSSL_CONF in the environment. This allows us to execute this test also on an installation with a user-provided engine configuration. */ if (testcnf && setenv("OPENSSL_CONF", testcnf, 0)) { fprintf(stderr, "Failed to set OPENSSL_CONF environment variable!\n"); return 77; } setup(); for (i = 0; i < sizeof(params) / sizeof(struct testparams); ++i) { if (!check_eckey(params[i].nid, params[i].name)) { fprintf(stderr, "Failure for %s\n", params[i].name); ret = 99; } } return ret; } openssl-ibmca-2.2.3/test/enginectrl.c000066400000000000000000000070151421243614200175310ustar00rootroot00000000000000#include #include #include #include #include #include #include void setup(void) { OPENSSL_load_builtin_modules(); ENGINE_load_builtin_engines(); /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and 0.9.8e */ #ifndef CONF_MFLAGS_DEFAULT_SECTION #define CONF_MFLAGS_DEFAULT_SECTION 0x0 #endif CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION| CONF_MFLAGS_IGNORE_MISSING_FILE); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.0+ takes care of initialization itself */ #else OpenSSL_add_all_algorithms(); #endif } int initwithlib(ENGINE *e, const char *lib, int checkexists, int expectedinitval) { void *hdl; if (checkexists) { hdl = dlopen(lib, RTLD_LAZY); if (hdl == NULL) { fprintf(stderr, "Skipping initialization with non-existent library \"%s\"\n", lib); return 1; } dlclose(hdl); } if (ENGINE_ctrl_cmd_string(e, "libica", lib, 0) != 1) { fprintf(stderr, "\"libica\" ctrl failed to set \"%s\" on un-initialized ibmca!\n", lib); return 0; } if (ENGINE_init(e) != expectedinitval) { fprintf(stderr, "ibmca unexpted initialization result for libica=%s (expected: %d)!\n", lib, expectedinitval); return 0; } ENGINE_finish(e); return 1; } int testctrl(void) { ENGINE *engine; int ret = 99, i; static const struct testparams { const char *lib; int checkexists; int expectedinitval; } params[] = { {"doesnotexist", 0, 0}, {"libica.so.3", 1, 1}, {"libica-cex.so.3", 1, 1}, {"libica.so.4", 1, 1}, {"libica-cex.so.4", 1, 1} }; engine = ENGINE_by_id("ibmca"); if (engine == NULL) { fprintf(stderr, "ibmca engine not loaded! Skipping...\n"); return 77; } if (!ENGINE_init(engine)) { fprintf(stderr, "ibmca engine initialization failed!\n"); goto out; } /* Engine ctrl "libica" only works if engine is not initialized. */ if (ENGINE_ctrl_cmd_string(engine, "libica", "doesnotexist", 0) == 1) { fprintf(stderr, "\"libica\" ctrl succeeded despite initialized ibmca!\n"); goto out; } ENGINE_finish(engine); ret = 0; for (i = 0; i < sizeof(params) / sizeof(struct testparams); ++i) { if (!initwithlib(engine, params[i].lib, params[i].checkexists, params[i].expectedinitval)) ret = 99; } /* We have to restore the correct libica and init ibmca here to restore the double free above. This might leak resources, but should be okay for a test. */ ENGINE_ctrl_cmd_string(engine, "libica", LIBICA_SHARED_LIB, 0); ENGINE_init(engine); out: ENGINE_free(engine); return ret; } int main(int argc, char **argv) { /* First fix the environment */ char *testcnf = getenv("IBMCA_OPENSSL_TEST_NOINIT_CONF"); /* Do not overwrite a user-provided OPENSSL_CONF in the environment. This allows us to execute this test also on an installation with a user-provided engine configuration. */ if (testcnf && setenv("OPENSSL_CONF", testcnf, 0)) { fprintf(stderr, "Failed to set OPENSSL_CONF environment variable!\n"); return 77; } setup(); return testctrl(); } openssl-ibmca-2.2.3/test/loadtest-ec.c000066400000000000000000000113561421243614200176060ustar00rootroot00000000000000#include #include #include #include #include #include #include #include int setup() { const SSL_METHOD *req_method; SSL_CTX *ctx; EC_KEY *eckey = NULL; ENGINE *ibmca; ENGINE *actual; int ret = 0; /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */ OPENSSL_load_builtin_modules(); /* MOD start */ #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES //ENGINE_load_builtin_engines(); #endif ENGINE_load_builtin_engines(); /* MOD end */ /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately that function makes an exit() call on wrongly formatted config files which makes it hard to use in some situations. OPENSSL_config() itself calls CONF_modules_load_file() and we use that instead and we ignore its return code! */ /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and 0.9.8e */ #ifndef CONF_MFLAGS_DEFAULT_SECTION #define CONF_MFLAGS_DEFAULT_SECTION 0x0 #endif CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION| CONF_MFLAGS_IGNORE_MISSING_FILE); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.0+ takes care of initialization itself */ #else /* Lets get nice error messages */ SSL_load_error_strings(); /* Init the global ciphers and digests */ if(!SSLeay_add_ssl_algorithms()) return 0; OpenSSL_add_all_algorithms(); #endif /* End code copy from libcurl 7.61.1 Curl_ossl_init function */ ibmca = ENGINE_by_id("ibmca"); if (ibmca == NULL) { fprintf(stderr, "Failed to retrieve ibmca engine\n"); goto out; } eckey = EC_KEY_new_by_curve_name(NID_secp384r1); if (eckey == NULL) { /* error */ fprintf(stderr, "Failed to create EC_KEY for secp384r1\n"); goto out; } actual = EC_KEY_get0_engine(eckey); if (ibmca != actual) { fprintf(stderr, "EC_KEY not associated with ibmca\n"); goto out; } /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */ req_method = TLS_client_method(); /* This initializes libssl which initializes libcrypto for the second time. */ ctx = SSL_CTX_new(req_method); SSL_CTX_free(ctx); ret = 1; out: if (eckey) EC_KEY_free(eckey); return ret; } int check_globals() { int ret = 0; ECDSA_SIG *sig = NULL; EC_KEY *eckey = NULL; unsigned char digest[20]; ENGINE *ibmca; ENGINE *actual; memset(digest, 0, sizeof(digest)); ibmca = ENGINE_by_id("ibmca"); if (ibmca == NULL) { fprintf(stderr, "Failed to retrieve ibmca engine\n"); goto out; } eckey = EC_KEY_new_by_curve_name(NID_secp384r1); if (eckey == NULL) { /* error */ fprintf(stderr, "Failed to create EC_KEY for secp384r1\n"); goto out; } if (!EC_KEY_generate_key(eckey)) { /* error */ fprintf(stderr, "Failed to generate EC_KEY\n"); goto out; } actual = EC_KEY_get0_engine(eckey); if (ibmca != actual) { fprintf(stderr, "EC_KEY not associated with ibmca\n"); goto out; } sig = ECDSA_do_sign(digest, sizeof(digest), eckey); if (sig == NULL) { /* error */ fprintf(stderr, "Failed to sign\n"); goto out; } ret = ECDSA_do_verify(digest, sizeof(digest), sig, eckey); if (ret == -1) { /* error */ fprintf(stderr, "Failed to verify signature\n"); goto out; } else if (ret == 0) { /* incorrect signature */ fprintf(stderr, "Signature incorrect\n"); goto out; } else { /* signature ok */ ret = 1; } out: if (sig) ECDSA_SIG_free(sig); if (eckey) EC_KEY_free(eckey); return ret; } int main(int argc, char **argv) { /* First fix the environment */ char *testcnf = getenv("IBMCA_OPENSSL_TEST_CONF"); /* Do not overwrite a user-provided OPENSSL_CONF in the environment. This allows us to execute this test also on an installation with a user-provided engine configuration. */ if (testcnf && setenv("OPENSSL_CONF", testcnf, 0)) { fprintf(stderr, "Failed to set OPENSSL_CONF environment variable!\n"); return 77; } if (!setup()) { fprintf(stderr, "Setup failed! Skipping...\n"); return 77; } if (!check_globals()) { fprintf(stderr, "Check for global variables failed!\n"); return 99; } return 0; } openssl-ibmca-2.2.3/test/loadtest.c000066400000000000000000000072231421243614200172170ustar00rootroot00000000000000#include #include #include #include #include #include #include #include int setup() { const SSL_METHOD *req_method; SSL_CTX *ctx; ENGINE *engine; EVP_PKEY_CTX *pctx = NULL; /* Start code copy from libcurl 7.61.1 Curl_ossl_init function */ OPENSSL_load_builtin_modules(); /* MOD start */ #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES //ENGINE_load_builtin_engines(); #endif ENGINE_load_builtin_engines(); /* MOD end */ /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately that function makes an exit() call on wrongly formatted config files which makes it hard to use in some situations. OPENSSL_config() itself calls CONF_modules_load_file() and we use that instead and we ignore its return code! */ /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and 0.9.8e */ #ifndef CONF_MFLAGS_DEFAULT_SECTION #define CONF_MFLAGS_DEFAULT_SECTION 0x0 #endif CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION| CONF_MFLAGS_IGNORE_MISSING_FILE); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.0+ takes care of initialization itself */ #else /* Lets get nice error messages */ SSL_load_error_strings(); /* Init the global ciphers and digests */ if(!SSLeay_add_ssl_algorithms()) return 0; OpenSSL_add_all_algorithms(); #endif /* End code copy from libcurl 7.61.1 Curl_ossl_init function */ engine = ENGINE_by_id("ibmca"); pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine); if (pctx == NULL) { return 0; } EVP_PKEY_CTX_free(pctx); /* Start extraction from libcurl 7.61.1 ossl_connect_step1 */ req_method = TLS_client_method(); /* This initializes libssl which initializes libcrypto for the second time. */ ctx = SSL_CTX_new(req_method); SSL_CTX_free(ctx); return 1; } int check_globals() { int ret = 0; EVP_PKEY *eckey = NULL; ENGINE *engine; EVP_PKEY_CTX *pctx = NULL; engine = ENGINE_by_id("ibmca"); if (engine == NULL) { fprintf(stderr, "Failed to retrieve ibmca engine\n"); goto out; } pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine); if (pctx == NULL) { fprintf(stderr, "Failed to create PKEY_CTX\n"); return 0; } if (EVP_PKEY_keygen_init(pctx) != 1 || EVP_PKEY_keygen(pctx, &eckey) != 1) { fprintf(stderr, "keygen initialization failed\n"); goto out; } if (eckey == NULL) { /* error */ fprintf(stderr, "Failed to create ec key for X25519\n"); goto out; } ret = 1; out: if (pctx) EVP_PKEY_CTX_free(pctx); if (eckey) EVP_PKEY_free(eckey); return ret; } int main(int argc, char **argv) { /* First fix the environment */ char *testcnf = getenv("IBMCA_OPENSSL_TEST_CONF"); /* Do not overwrite a user-provided OPENSSL_CONF in the environment. This allows us to execute this test also on an installation with a user-provided engine configuration. */ if (testcnf && setenv("OPENSSL_CONF", testcnf, 0)) { fprintf(stderr, "Failed to set OPENSSL_CONF environment variable!\n"); return 77; } if (!setup()) { fprintf(stderr, "Setup failed! Skipping...\n"); return 77; } if (!check_globals()) { fprintf(stderr, "Check for global variables failed!\n"); return 99; } return 0; } openssl-ibmca-2.2.3/test/openssl-test-noinit.cnf000066400000000000000000000006541421243614200216630ustar00rootroot00000000000000openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] ibmca = ibmca_section [ibmca_section] dynamic_path = $ENV::IBMCA_TEST_PATH engine_id = ibmca init = 0 # OpenSSL < 1.1.0 # ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA # PKEY = PKEY_CRYPTO,PKEY_ASN1 # OpenSSL >= 1.1.0 # ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC # PKEY = PKEY_CRYPTO,PKEY_ASN1 default_algorithms = ALL openssl-ibmca-2.2.3/test/openssl-test.cnf000066400000000000000000000006541421243614200203650ustar00rootroot00000000000000openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] ibmca = ibmca_section [ibmca_section] dynamic_path = $ENV::IBMCA_TEST_PATH engine_id = ibmca init = 1 # OpenSSL < 1.1.0 # ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA # PKEY = PKEY_CRYPTO,PKEY_ASN1 # OpenSSL >= 1.1.0 # ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC # PKEY = PKEY_CRYPTO,PKEY_ASN1 default_algorithms = ALL openssl-ibmca-2.2.3/test/rsa16k.key000066400000000000000000000304731421243614200170600ustar00rootroot00000000000000-----BEGIN RSA PRIVATE KEY----- MIIkJwIBAAKCCAEAwIRvCSL4d3ZS4Wso9xNB11q5z+V95FjbBsqEJLq3FtgXSjWc HH7I7dGp0UmYSONReGhyzMPaJcms9ZSvt9dxUk3vP/wLYFZy/Oxwwtb29LWayRbi K19et0LSZPBUqoGPNpVICJ5nmmEdHA2KeYUIJ1Rv05P8F3/pNL22JLov2ycAGak/ 8Q8LdhE1UtAuZGxx3bDRHp6VUhS+ftWWYX0YpFb/xEBRKxzhZCkDPKo6phGSL6sW 1VjTeWXi+awKLa2wUZI6y7kM8vf5TMFPhCc+3d6lkXS0sURy7622QFRIhOYFTlOM r7kGYdlYsLjXK9+WKRPbVUOmft33gdxITy3yKKVTGA0INvqnUYn9+aLRxrWdADtH iKQYBA0q74LwMQkvpzU0U1LqwJm0TvYH/KSz/TQb6Hlvz7SeMN0ICNbfwZbVuNv6 Kc6h3P6/eJPLpDt9Gd/Sb2vY6tzN2lDLx6I0598isLIYYf9QT5JkLxHmGm8rE/gH 5FT6OS6iL7+29bWvU7zXzBm2VogFPR6V/iTR9Q07UuPkzmaihCb6T4DU7SHGfiY0 U1ZxN//0Q1+wOBS90grq1JgwEnLJZoONgdKHHfrJ1VPz6PmsuGBNF+YD+avGp82r 4pVFysQhv4kxHhigNR2GdLJiIeac2Wol2DAnQl5AUqZK6NgfnTBu/n5IScNBYjbJ oHZ3QWtLy47OziFszepKjsl/hY+xNmdUWd4Fav57JP0ZbFeEuuW5ujVSA8Gex0Vc yAANbsRBkP2Klu1xpRtmNOmEitMFf3hYTUUQE6TdWnBqmvjw4ydkePd1pydqUMDm +oaT2fzdzUqAj4YsjObR6Hz+yP42C33EeEOxwqokpEuN0mdG9dCu0KB6/ndvBc4+ e2vtLjLY+x3YXkzPuQ6MwfzLt3VPSJDjinLojd8U27b+GS2bY3hfaACEfTZ533Is HY/PKbuu9Zws/UJcpaxUrrgYcfMkZMrNCP/Zb1MERSJQU0LU6f/4JMsQADOflknY gcOqBsGnWfQ41UGPYzedUaogAi3qkmEL8ZH86venIc2Z4bdp5kkG4sRADb+Jtxbt 43eMqotY/woYd866TLknMc3v0hqxT737HAsh6xFKLuIQlyvH3mpXa2d0R9WoXuJY QtNb/3uOxtdPRHbGhkdCw71jPZPIR2Oe9kfF25WFvW5Wg7XJx/TXPYD6hSrs/nvZ ZofUA55AanWROYg0V3T6sn9Wsz09STmBPXF1ZPLtuBVjLnlycZLK8xtebXgGARtE 6UJgg7OnDpF1P+xk5GSVxrlIDIbbMG+A26NV+0seCFku7hGS2ORQHYhObxcCqofg 4x90/U8GkCFudmbu9PfxycNGrMfhjUS2urcmUDfEM3aRQq17Epjz6D4QwYlp4stn 5lXH7wIkNdwqc1d5MJU245XUrq1N3yVZHK40+jN2GdW/RS3E/ga8PI12HvGTKli1 PUpnVdZRQ5Aej4vfW9pxfb+LDwaV7r4hfGsucTVSLUErnmF6Ny5xr/pLoO6mKlpG X/R2sNGTfOy7JLDET0vAFPZJhbA/QxQY0DJCL5TNNW05E22f6cOpwEiEXQZmnoxs P+c+UxrJF+dnqjAAukfLMt9bnqmbMCCEYdrVrkLzwUeFYKpiDAsafSN6iKhC0GIq YG6XxiVEolzHdjoHKQu+eg1uOBh5yjvixtuEVLNbSD3FLbLU8nbR5Beu1FtLBlm+ fX4t+c7mlgIL+zffYH1pj9zZPgxZMKeMZdkthuce4McScb8vS8kkZgGMh8Id0T3v KgcdH5qM0eRtxddhPP7+vSI73BkqySPhcq6PQOa2Df5IG4jyr4vBFWGqW03anZyS YX+gn2YXoVLyU+TqwZtxXMZvURh6sNprH8F1JdXWMKZrrqgcvb62738iCTFUeynb uG5Q1lpw/9zs2Bc0bfqM4UiGcOfUDdzaz5uY4mu/bPrTqcl/ltYFON9JeR5sS7+G LmQTOeTjTecTXaHwMls1QhOb0f/Wzo983M9CWgxRoy9ywhB/Ouab5N544daLS/kz smk+aFVS+OoqW1xLJHqWqU0IVoPkPqz1ztv46W/2Aoc3DPgqFErQH2L8xTE0EHx8 m2Pl9knLLRIqE0kQ5GyoTrWWAElxdl6Sp5/H4ndU07+sjQpRkEcbacCzBBgZl2VB iJyzdv6QyvXD608ij4w5zcc6pN+LTSkb62tIwF2KDiaEgx+pT93sEeSw/L/fymdO /AxweORsOJob0oqUFwHa2Yz4JGvhodEJ/YxBO/N1694OXhpNJC4H1V0Xsq5gmpMH +u2sY1Q0/ZikShrt92xFG1x4RVmbCPAP2bydeXlMemyfcFvUrQhbREwaMtNu4FIk XTIbFCL+/Jts0yWq8vIoKRsfA0UBV3Kumv64XLDLgjFyuALt7+d8f38hE2sAdAnW 05iG+W+199Ga77akMkXoIUfsDEQ/EAlHu2BK8jAtO6sYg+e1kiPchMWI56ZSZyth 8p3HOdGMhHrNDOCHDHFO5Vpa/HH5b2b04/WdWrdGm4LoXDUzo10eO5ElKNB1sL1j ciAIFOXwjkJwAtGh6yeAR15WbMRkdjxgt9p3EoTwSqxSErwilichdjBpEEGBZRAy WVE8ZmyLdEk+Nvc4YoCVE7hKGo6HzrLpneoovSkdKNij5COuQ8dM2WiSzfy7y1Rc vSVQTDwx3jxyEu31Y0llbKAyBQnafzgD4UUyJ2nM00ssHYkNcToDIIxEn2kCAwEA AQKCCAACDmgRNOpqfD0OY1KgsPf3EOUDL3RUyA4u2GLo8YWbHNvC0yfDtib3Q1IJ Bjw2KxdnrdXsEft2g9zxEpF96TMwqdxwVoTYlpPL18qsihdBLd9lXnUz+WTNmE0e /uIooBGjh5ypWufIYlkpP4vHGICpyuEW5XG/3oHjKlOTuNliAdyiaYhhTsPUkwJ6 y/Zy5CWjNIxHQ3Jc2hPezvE4QVnOB4/bzMQRLdHKfBWoxDi0JWPmVnF7/eLkXQ47 lHbXXg+QD3vJSUS2I6fqBfaPdsvZGtOx5gk4C38eyEA2F7BemwZbe9D434UN7oBg Atlpgo3cCnZBRuO0XzKRlITBM8BuZrWogBsiWzMGT+8Ch5auBKqUog11jCslf+6B eGiQXYTAyHSynyQawomGfmI/dJLnlXLm3MUw9sDpzLKVRZZGPxIxU0gswiRAdAgf hZSbQHdpm1ZoEkLS32DjgBFtJHJkN6HrOTvBcDSvZOTlC8/lYGKZaADNk4rIqZLZ 57ZQkYw53L6BU5T6/6DusjDv8fy8HVQQ4pZDDh2WQ8RQrROZJM818bqFWVsEOhul zJPZRX9xiuRPOQDqcYdtLOKKDHGdBFy7hpYIWwJZRc4M/0vzkr4gdLXtSaLhM48Y uKJpq+GqL5KMFIuvyQLL37JfyMPilZciStxp+ET+LNJCrZ6gCxHbtrIYoKtNa5P3 rKLQ2NKMsH/zXnuaNZqy9g+UliaAqg8uqfVnjtfAF0wQjRk/KQZFIpyHFlkOYdJB djPQwOCB3vUMg6ICyZY5clOfH6m4S/6BRMoetaH9CyKrmBkNnAIqsqTE8EMMBQNp ee49mjVHm/+J+CvQgcaaANHkZvSzG5Ygmx38rVW4sm3rlIs7xJLPARDxyIlUAP8I T51MBI4DcABY4hZa80nRgJqtk+Sf/039usqkAjSyr0p1levUWoyasmF+P1b7HyIT RYPFgLv0mQ6efyDjtrEg0nm2KuVrpvtYsbEh8ojLpwxDeFfHaMW/mTJS0IA0akUb VNx2iqi5apKnmKWW4F6tCZRTFDgbWmHSnpuSKZ9b8lO8gFQe0XjrF7eawmAiQjLF Jpp0TST4RNICWizBlb9nFqRj/Ep0dE7SiV+b/b+4xHICl6xKSCHwQYKn1BIbfHpd 7VbPaGVeccxowtEYi0eMW6gLAWE/oy02hMMvzPVGyXqzEXmbioXVggUkbzb4guw1 NuRCNQ46EOnMlkeayoCpE5Ap09hpJ58aZEAW8v0h8WtxhU1Q5gNKZ7wosajOP1D9 ethBwoihV+GxqbD3UUluDwLVVb1JXdgIRsuVh2KGJookhpwv25MPtzvTsTZSrlFn oLPJV/gdbbiLayaKGehy1dUN0X77P5gp7WAsIj+3/XWjmwBmx6FC2eHuJeei41mC flGEm+N+jk1AMRFjHh0Fn3VUFbcfSQ2/WkHimJ8awlI47oB9fRSWO0wQRrtjiTC6 PNEYVEk9KAtEPI7MAkhF9f1f2vKNO/QSKvmzK/bAmUZtx2+dMsggQU+nljmgPAhp aqRIn6DoJPZpFoQp4C4A9fRgaV4SNRWNPZq2iCj5TbRzBdAt8f7YNEpB9o6fWGeE BxOdboG0B6pyBn3offvnF6hzt6q1nVpXIyAXAvDcvszBfHpo1xf5uWLGjM14lnWV 8iUacjpgEugefI8Z2sV1d673hvyPbDjldh1Ic0j/TdO9Yc6/j974QECa+2cPoA+P JSQK8SHbn5b+FFYeEZk3K0kxPCiwzllZTuCCH6ye/fcG1WJQ3gulrMonD4yPyuF6 nZk6k3ml0IqJh7yKdf/eIcpVFKw0SfDt5BSBq8aJx8t827gHKstpnimYovD33Wpq vIs2c5cUFIblkPQsmqosLHCd2EJHlW8Vzj/f/aWg8BuUUwRGUKVACMUpiKVXhR+v KT4gqq35pQiMKbIYcsscz5M8dk2zVb9kPTSyGxTl4zeKwKxWjwcVXVsZYwF8vfEy gvmYpfvKDcmlq19YeX/p4GDT1d1aS4BYltE+UlTa2ITkGTAtmrr+gfPBPK+3kgnS OFcprlyHd8/a74rdN6hwktS2Po3CoAq8bKOXvW0AM1B4WVKVNGVxtA+EmjUVRstn rscrPI0NWFGHY6wyunFzuf1gkWEpxTdxez7TT02UyG3+5C94/10U4u8qt2zUGxOP hZ6lVCgb4IxT9Etmd6+e/kq5BDXPsJEI4T9KxMCneUqdg8Q5HlD0nFgWpa1O2f9I wfEmRO+45wgjWpgw6G0Xvlzche+y+laBdUzPZkCj/IYL+ehvfmz8KuNzjo06Vg3Z qn8hF5UXkhYslx8L8QSXJUF68y21x0Y7fnrGxE9j2MvOGFV/7ra14C9++f/KVbr6 qvYh39J/wPac2LqoOOqE6/3CdnLuCnS+KSHqp+q05FSkK1Jh4OdP9o2zvOB+6p17 X0VQbny1d9/V93GsvTSiGC4/vX0KvfsqTBrKC8mC/+DSQF2zMwW3qzKH2n8XqnBl NnUIJ5b9/TNbyuyvAUJNPpauLgm5y3eOU+2y9nmoxC3WypvOEAyAc2RN5bFO2ucr HOaYXy8FMmAdwmuqDQXh0pbWZroNcImQdQUunOTJ37TiV+z+aPprxdu++VwR+Wjz YbSkNuZBMNeJjZ9Mn7uq9roI934JHZFL04+Nvswl7t2ITIF/pNJCPFgFhw3XMtMQ /W0CyeIWboR40ULP5xosLas284y38poasWgJk7do7B+PhijY8QKCBAEA9yqpN3DR /bylS0BmmupuCBP1LTeS5ilXqdMHZupHLMF0cEmSOb7ZJxXYt7K7oeKCSyu6mbmq EltUDZ20nFYBI/okwe3YKP3CJLUUzjMHszHdpxrD81iZvFFiM+2npuXJD89LQ7HW FXEc+2zROoWOaZ5kXctGtTjg5a79TzJeyS6kpFdmFdlb4aEGl+uM/MOACWLTE2k7 97KR1Aa8KDOCO+KJW8qEuH7MoS6LaRkrON7fn7jfjoqm5uydG4P8yDzluh3MDvcT yr/4x81CPxbRwNocV83f5kugrig+Z4ObcgmS+D3uuaAwr2iqnooqGfmosw4u5Pet rlNajUXmTLZceKmWlEa7Kv/hPWeCWdV+6kGk46OOJTnq5Lff1s83vRB9+lVa5Vpb NwE2L6JbOtwveLUUJCAtgOVQ+b/huq8UKo2zuT1Jljf20DtfHivjGjHDV489ovW4 G5k6fn9TcodNxqchUf2E0r2Z1UO0bxADefv3UBlpJLZ/CwqnbgnNBbXxcpD6sn9k UgG+OjIc5dZnC/kWdLw5hocyGSmLOfAzvWa7JBKsmXYAIPZOI5gt28/gpo8M1PXY kOifQyLwhNH79gUfpxTU8AI214VtiAgp5YYHut4jDD1lMYAWrxBiT5g3gFufA7cr N3IzPkS1Fb+yiT2WtoGnK80gTgfgSlLq7ZKDf4e+Asq7lzR5M23P4LjcMsAeM7AB NCxsNQNitm0NXSXhi/BJIPfe8FuwxJVk+GSNk4nIsAJPUkHD+yagAjGz+Ni3gCle 9Tjyj+eZUIATeTZR8iKDgfIRNprrZcnjXUhM8nU/i9gmb8Qaw2HSjrU5AAP3JPW2 /JwB+c6pgPEIA5WQ+pJDpMGwtGVs6trat0a/wOrXJAxRa5oRu+SuHAts17bseSBB B5W7c92fhqxxQiZZNRaHf8vE5LPGhbBjp83Ry86zJL+h+aPbGp3SE+vQHpwWHOgU dN/ymDEXVB20quAqSZODcTx/UELiERnZlUGTril3GcTUetTyEETEw10d9ZUZbkQo L8O3W71PkTyHHmrq99CQGSbrNUI6s/CZyUG4ow4CBHD4/r6+U3TgRPIyIHou9fqB 9+965z5pPlxAIOnB4EQ0zsISrAabSi+tzEOAfAUlgrcUDqVfdr/lajaaZd3X41K+ 1+PezOV3Fau9Az0JFUqcCYkei/w2RHaRXFok/Vfs1GkNeLJ0gERLGHeAOJw8/6v/ VaiUlqY6kqZIcYDtKHaJHlCHbQuW+/rxTgsBUewSX85wZ3B/o2SY4SN50OVhStnI +wEBkb+ZaVCjRhKaJXXpv3ZrGJ5H0gJ8c4uVJbLbBppoJpWPhOFubLgYyIv6yQhh PG7srRFTy1nniwKCBAEAx2XIliFZ2676xQ9G44NMLfAVbaD0aR2R3Uqn8CBhxzSl i2XStL3+qr0911vwwgGlMQ4/DMIAlyI14tFF2TMjFITLHfw2wnL8zsVaFBWIzd09 XZtgoKo0h5rEw385lg4Te1evI47wpgdvCPOpZ34pDJd8UVwM21LbBIZYduDQLT36 bWxSYLY8st4vVadG9a8dkVrnx4sJnCRllcLu0Z0C9KZjCbJ2IV5H7ZYAkurV9fxa 4yS5X3ga6JJi5+k3rjwnmPGSrGd8Chok8NUrz/KXols9DRqybH7WfxfajEl9ZyQ9 1f3XJeAp1ZHEf+4cxeXzZR8ifF7ZC0qFUzjl0jy4wYWZBA62noBfG02hTFmQWn1G CutuNtGlLb5Kx9RlNEca1JfpRf3wbk7BRWMHs0BYJ5NDhh9/jyIa5o1870maAw2U LMIoHBSlc/gkqWEgxCtm1Oxca//T9sgQuWkEDYhluuunmdz7MuH+16xfX4OYiRfe 6ytM67Dvu/cLZMbjPG7OF7BHBNzXrUjdPKZPdIFFpj9ZuolxFBWmR2vsQIEQTpjq yfkJcMxdb0FeMTKG2sne3Q93VcyDxWNponPZGPiAUMMwUsmUqSQfDh7OwQQGioR7 +DiZiTEh5CO/FY+CSpE1QGOyjolvgZSlJMeZz+/AhiLVGOh3VH/Q5SOBKNgpqG1a o4jLU9KJ6SekGIM21q1VuQ45ZonVRHONo3OgOWLoedo3Kp2iFm2MbDQQt1OUFg2o RFHUk5/6mvXaFvMj3VG8+9i/GtQqYNbBjTnp+NfPZonyD6CcSzI1iqR3RJQD/n4W eYKLFB+nuxU2FhrmDUd/LnKLMztopXUVl0hEaPc4j6VQWu1dD+191gLcylnCZlKF DtHhOka0Di0rWDdFo1Qx1nMA7ZvwET0sUwV0wcnUH/vd8F5FWRxFdsA4aPhwbfAu tE3uU6X2u+5XlNnRStRrjeKUU0ZDXh8X/jBuvxVDkOqnzwNCiETb8m/jtHRQnudV OOOztXcXikSXqpNcvQqb2OodeIxDFfVDI1LAw//nQeiZ8TuNKPsxqXvKAZ693OBM EwPfKUfO7TpbpxHJpgg1cnnlejSgciE7TMZJ572i3k7K/j5Feo9VZd3PRzMXK/tK DyBtFl5ypiRV1HCwwBlH7XDiiCs7ShEkcIyG4Oy9xm6ZESWH037DEv9PMIy5807z ALeqEXPIXryrQP1XtKqqODZuvZqB0XvrcMCzRjtX6geCCwSm1aXlxWDa3hPCK+5x mqU0Hx6u5SfgeHrkSzbHJZlH+M4EWy8vjYTHTCHt41BNfRIG75c6IUkMuilK0GbD rZtoAZcv760P8MvpyfgL8+K/0ZkiyhBjE1nKqWATWwKCBAArXwUKgXWXvL6Ukdxv WqusJzRiltnkIWUMm8c0u+95Xwj7my1ZjK+2OBMrSOW75m9OmYHI79d0GSqKqR3E QSM6GO7SSNYhe0XSAyR/elzjiOCILh4sWWPAs9cznYRJuRCrAYkHe/FBGfQn+lRM nJr81ZpvCviBXFW6eBZjC0eurcyeOefj9Zw133e0uNSolfWlr/2x7kljkaYdOoFR 3JgBwiKwRL09UqK9tdkovA3lkNZUxLAV5yaaZvK6nVKCII1/NzNTfO+wKDeTd+Uk BPERkjRfA/VCCAtOBCnPKDziqeNsRBHb6MwiO4+U+lGg9ToxEVARRZTofh/polZj J6zaT4foxPCa/wObLsqk0N3QZWx1tYF/7sXVFJ7mpr31Iyu3/bpRfKV85W2Itkij 73c1CzFZlXvmnlazPIRzqb00KmFbI/IBthhNOd3bAYB8XDcW6j+6lLuVvDGTeOw/ sJZpQXKLXJ0uDa8syRCkXH7/rMMc/xiAJLXuThRLLtUXJ3IS1HXpVIlaCoxC0gBY JGM4qqDSIyVFAfw8hhm0NP4fQiOclNpMo3QqVI4pmM6TP8r/7yIlTG6QHwGzWjIy XFaGOSfwvasP4pOVBgjOUgBoEjjRBaHIyA01vnA8j/dwWBmFII6qrD2dISD00EGm a1j81B3aMK4Q9ZGxn5gv8pTe01LX0g35l3GLet25tI9Bs66QCT5De6L6cMEcHFf6 AvDRY5BMagGrE1O/gZdnJ3/sRljBhu/8Uqtwl7G4JHL3b5lRFVY92wSaqz+FGPLC OXcxUeLXRk8lQkDbABxGZELNX56A/SoFdAxqmFLJ7iRwfkReSFPZ3HQbp5SBLU55 HdJ2LoyeK4RLKOHFBfcyzuyKNJP5WjweSzsOUp7CBcK3kRmsUKD2MD65AgE+t6kC jMfi/6+vrSBhwHPwXct8MhOKoocp6D9vN2FI2QPdi8wNStfeRy1qLR9J0vJS2mpp jDzjryo8dvIdsKv2fYYF0i9oDXXIneYUU4GlfDBtwmN0lKZpLZykyLj0iLdoFbQc nC5pnAFXMvXWNAoZ8mEyqgmSU0H++rpH5TsMGJR1OJESCB3brRUIfMjJpPBAG6eE FdP68onevJk3nr6ACTi+r9cjfMTS/mQyp8WRPFugDtRG6wX00hTMAv0SDR5PfgSD fPtR0igB4HG5CqKdlchAAz5GolrTSdZ4/2Ypw8bFqzYyOOX7CQ97HcdUVJyeQtUM XrlfkWwMKaCt/RuGev4ngUVOmIfGxFIFFciLniYHmeNpvjvl+Bo2dDjcMrT/yks1 O70q0qDR6fr2aeUpEL0xkNYdwGSPlO7yHa4g9yWT/6rM0REoP8fl9t55KE3HoL6/ dCs5AoIEAC0UvQn8VlWNtRKShqNvjuyf6ChWCIwvbEgM1fU7TP/9ziO7DK1ie05c 5LtpBQDH4HI711NqFToWOPqj99fIcPj1oPqRiEvkNXYGNnxt9fUdPP+J3onUkXXL LwtIG1vqqMrtIyK18YCIE7mBZV6JrnwzT58RYbLAg9X9DckqwMZJyfGtWN6WtRh3 lVoXLLrlMZkoZVi+/Zg4vmLipJ3tkrp/V8rcd0rKBxcXH+AXifJIcMAEEIkeHW9R kVz/ZGBXJ1iz3UZvSyL5kDqG55XnMhM5746j540SDCrF2Np4zwpfrj9QWbEtgifQ Ag4uZoDzoVjOdjyKMSYVXhlXttYWdmsCanr5XJ5vRZFltr8NTM64nfpgChYIxgCW kk+lnI/6N32zLsFtTUuTMK0gW6BSPtwLtmt/eZaBznUrrgBnspNYIZUQ/IKExHd4 tck5tW/EpEYlfivItkKILwfMT2dD3EQrfUQTKxPw9m4KgbGVjgoIxJSEwKpU4Y6s pv3M3ZlPL/c5GoVl7Lk3zRUmQLaFd5rDneTHqDIzRtnE87ANvgMXHZY2YMUI32ME 82fKFaUnmOR/16olR/F7rWlWKdI0dMZNqwI8owiuqvrFSldnMpdkpqaTHVtgKVps HoqgXIPBWrnJEJibSAOS+Ndc7VCO0wdAns8316raDv+PTGdQn/J9bs2kYtv7sMRu +vGz0NUucUAakC23oekM+wvmW2Y+D3NlO6293+SUNfhMuS7JjaSCx/VSTu5lcAJS 7VDc/dHO5hxGf8ZwC3jDdRUZ7+Ub3b9AFuMjm9KAcox67KArms+R8EDem9Ub5w8s F4Nd538/F+kHaqNVni4yT4RZiWX15urLJGS6X5z3Q8j78rEpJAOASqb0GqjTTWgb HD6gmHT51x6195LA+8DaBMhsZl5d5ECq8B2lIqan9qiHgvlwmfKxJ84KBIUS87q/ gzubF2+EoSB+BqzhKOABxanph1BaXWFJPFFYWlV2xAeG9oNY/NVAVgs7p+iyGTdg lK2zDXeMC3o6TBlyFMTFI727uutVUxKapRteLGcEi9DWtPAy1Jg4edqeuHibzJPj 6s7V/bI1Duhn2NMNTO0gyEhuWE01mboLNGfQ6mJwP419XZyqV2XRNYg/+4ngJqmb c3BJXhzAWnu7VuwUYh43y/ZKP0BhJfLUFHVE9/WAJliIMn42guAYjGYwIBo8BCQv IcTawlaNc1isLdNeOFWFX9CpMJ8DUbgOpH8bOSD6lf1PDYzCCNdn3HVrPmJ+zGnw 3xY+Kpk6tEGy6wu8gE2hWG31hB2ZWjBXen15cun+Vd0qp9768Pg3E6yPgy9A4Eye 4wi9AYlxNDqanGWl6rCmjc/VMDWlDBsCggQAJRHF6VDdN9eFtD8EYiaoCS1S6WLW 8qQFfYR6Cy69HaSsCVeLGlLTLhi6XG/KR+fky7aUEN8rnjAvP5QAlNxejsVFU/f6 VB9w+Owxj0ETV/TGciCUpV3sm3L3ke/0itOlZ6pGUqoWAlTPbPfU6bctUR1pHBLa RgRuux+Nrd8mVuwRadEHrvQQuh6KbqfVCK7ixoiwrjoYz3szzlszWECqi87tE8/4 Z4PdPH0/uxh7xbf2ZiofPxlmnbHDrjDBOoniX4coNJmme/+ihFUadtfal5zvyHg3 MMFzE7knlF8RoEAgYbaJ87LYA8bwRROrO/X6LSgfL8FCfGsTEBpBSiECidghGOME HiZHLIhAgvYC/wTOXdrutO4j2oWr2VxG115DjIbBPqxAuRSG6fw2LHMmvPk9oOZ7 u79FvSBgiVO3xprLxKM43qXsITQ7P3TFQT4lOLzARciJfq944+iEsqaN9ZxOflEK IrfiENxuv+30O4DS6iXz6HhHPU+nXcbYGoIpkMNrJ64QDje0BVCqOtC2T3KvEB/K J/zOVAX2W06Pe8WWyaRL7FTiWXt6qZuE0fEFJqugOxZWg/lXNs9YQRiUtjWXKVYg eHxUDOc2dWiPNVY/D3xM5b9JhzrBLeNLnWYEXnB7krvgKzrusqpMTPNtH3dzasA0 xVnmUYUgta2g9xfn30Vv/qGkWVhp15wMT7GuRndmPLForNTHHDd5zmG9ewLxPyjA UqORCvds4DaCmXCtdF7iwIgXM+5d2MJ5Z6P6FAPF+QYWDXXxo552LZogD2EQTW06 orcxxnKOHAXD6Ixr4dRiVGqfVy/huodhr0IG4TxkhfuVS7pThVzSgz4FjHXW3T0A i5I8BjvlFl/hH+kRXBjOEYjvrPbm1rjUpUJ2FfZAlj6nXLTGKinGIWWrg1PEzLbE g2TT3C8nKxDSWA/qy+jgqB+sbJaPlv7eVgDTc+orN1pXGkkLtpks/Ec9r2vLpOje riYDjavn8Gcuf1D0o/IPIaxkYU9HJZiRYQhJRkXDTbpRBa7HjgnnDrxgBcPQai0B YHUnWa13GYZKLqaIuvqRJjCDx9W0zdjgFcyt8EaA3v5LQNc/DdeoTlS0VBa8eILi lZvM6BQqEj54HRSLtSD9WORtkYDlhF1QGCplB/4N04YP2Hdo/7OSeVspKP1kmQdW 9jOVhIY2hxsknxHkpq7e2l42j74FxuNLy59699leH+iE2mmFhH524WY2YCMKgdgz z8jm9NyzbAWS2xprajdym+9/iIxitkteLjw4DeEz8qmUKKf7zh/ArT1FehJpbtE1 rGjBtDmK51rM8DDnlxTUq17ZppveCTzIhh7MB9QdWhrrHUleVMbqqvEriw== -----END RSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/rsa16k.pl000077500000000000000000000002011421243614200166700ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::rsaencdec("16k", 2, 2037); test::rsasignverify("16k", 2, 2037); openssl-ibmca-2.2.3/test/rsa2k.key000066400000000000000000000032171421243614200167670ustar00rootroot00000000000000-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEApvjwHFoxHNoLvRafqgbcMHXn/kUxe2VxwmkbMg3u9sYXjZ1I UoyKN4GIy6VqLdZDFGfbDL4ijXOh3ak0pGD/H65dbfaaK/+oggfIgpPWbtF+K5VO sXY/fkt+16IcKlxU9+Pzve9eDDFchKr6McVvZBTF0D41XxX3uf9SZkag4W6f0iEj UzOLOLRI1OeVS3Sjiz/qQYxXqcNqAu7AH1yrepCzjCflaSYDX85ivJqoqWsNsBcq iPG2FnkxMtqGBwZzhuldcnLnBG6XNvKEJnw5OkbtukhtE3Clh83E7fs3QN9ZkV1x wtQtPPOOVM/GehpqkhcQLXl+ePV7ZkXr8L1V8wIDAQABAoIBAC71LZnbp5pEnC6G cUrA+SXL0v3Ied0JL5AMPTC7iGvwU+loxVEp4ykvDciv8YeIjX7sokcYJeGAFpKf JoXgHX/MaswlIUCkesBu7e4DI7gwxHn/WI1CAyNCmh6Mob0sEF1Sx1awPdPSAgHx j8F1lBkiWmtxQ1NFe1DcxFCtJkufe5GaOpzX642++1XIzNdD20ueG2HEidPpLxla eQ7rw0Aisg/W92UMLGM5US1ZX7jhq79mwCiLcQfGf74Gd66/lPy+xlZAP/3boj2U BiV9vRl94pv+FJXK8Xli076CCKo3BTevIOJwZTsQp2uZXfPWp7qHVZ/vG4tZvlnj IwQWgjECgYEA0/WHfyrAmxvQWrVHvOGaEoUZUEpP4N1q1FL6rhNtRoTDx6qtPXyp sDFCFKqYF9UFPGaQP/bvz6QAUViifC+Kb0Zy/60dCeYeyvqF9beyCey4IrfXPX4T vWTRA1dSV7L6E/9hNybqwh5CVG+1aqyoAHO+ti7Innt5Y6q2l0mt6okCgYEAyap9 OFTqjM5503j5fovt5KISAMrjPhu9M35057SdClFZDSAJpYVKpkctsnEJCY4OHA3d NHH7xFE6FgdUXQ00tfqoBUeSB8ITZ33Top8EJuWCvEKsEect8TO4XJ67jWvezpwM 6pjIYSsjljO1GG9WDtHBuum/wg03u2ZBvpX0bZsCgYEAwEDQafQpR4du8RfEvfoT egDn+P+ufFPZdkTdw88zKud5fT2+bSsJ7xp+yagC1HsPiL2u0ZX15uzmrOIsX1/v vQa1gFtRH41vGMUrhLjd8EqaqkL+JHSbCwrK2rD1qz5XvpPBZfkSrogrudKpRtzc dayGq1C7/6QXcuOBQrA946ECgYEAlhvPZXTfubufNuffXnCtvPdeSzS5/WsMZB4G ysnH8vwmOvzT8V7L+AUXYLF+tpwEqKExPG5zpueHQwplo3XG/IX9NyDU8+1kIC6q r2uJ3aIMtDE0f4cCzX1gB6EnndbjXAsQGjdrP9iqfo0yiWOmPRWpDIYddEX+bAFr gn+AF20CgYB/oV4xXkWZ4j4jbHPBOLCH41S8eGWfrKDc/8o9uu91w6psKhFTqyLE go0fL/amg122kpGpCL6SHxLDPeeTCvInvaUfLx5LL4l3XgmJuq1kQ1GN3/qm5ObM kfVkgDK18CsQkQQxmWg2sgEnuACCXDCXPNwNQFgd0P6F8CjoL9JPsA== -----END RSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/rsa2k.pl000077500000000000000000000001761421243614200166160ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::rsaencdec("2k", 50, 245); test::rsasignverify("2k", 50, 245); openssl-ibmca-2.2.3/test/rsa4k.key000066400000000000000000000062531421243614200167740ustar00rootroot00000000000000-----BEGIN RSA PRIVATE KEY----- MIIJKAIBAAKCAgEAmyo9b6ms31MtIvgNYq8FHsv+hTrQrBCkOwBMyfkuXb6/c4tl NLzuY8rpqnq4ndfyciCmzYXSOfaxvpOcGVk7X4S3brj6bITRmh58J54//O0tq6Kz YilvOuRyKE5xG3OhYwlb7SqYf59B8l1+q/M8YfWMl44YfJxSR8gihMIt1jgkdRDh mAyFAEanNrgR4BqrA4tXy/4ncV2gte30MLn8HYUaJb68E9C3tTsytwkT8AR/0c9D 809VGRUL9fhCIUWE8jBd4v6y6k4OU/GcHJWAFkOEzlE2wvaIqogQCV35Kxlo/kWV Js2nkvcda7GzIUDK2+xhegGimI5vNkAB6phoD2D3LzEUrqJBnqyn4gc+vwKdASgY /mg5jDTNGg299pFbzRlZ3tcUJJLxfeH7jPe6g1ARigZ1JRG3MTcN/1hzyYbXu7hT N1+qZlek0FDyHQVJC/T/V/ZAEDeZU9pxAs2N1odIX/fp24yyfoVkevccQBX48efv kDogWOPhDKZCQUkZb33WaG8x230sjFcYHv3wNUxG9FIjoN2Kt7jTZNY8lYnJJCeu eHVtrqDJqB2vjR/Tu18wRlf3IrVUWmZ41zGlVtXWzloRXxZlkSxlyd8WfNdLGP57 QqFvLpr2OuwUMSt94s60jVVW1pScZ+vvB6NsDc96gfgUaR04hJIIkB8QUz0CAwEA AQKCAgAq8h789+50BVZ51kQGK0D0jCuO/n9hEF4UQnn+cOxnX/MnbM5/MUed8TyJ RdwxO+LLucPRIJfWGTSK9dn/nhXz0wzeJW6SeJR23rcoVAGL5K1+UtLpeWRi3XXH OCbQHUnu2llKJD7/G7op9byopPLyff8Ct36Jhs6zNW5wZjo/j1xv1lNKPTTWpbeE SqAP8fGhUoDjYh3Sn8JqeEjc760bEorxJYByz5L5I0BfLrEI/oXOMVqyTiPUhGHC G4taIB6y1bY2rJ4igaYvj7DQrIQ+JUPtwsawYYHkCTK/FPZw+mB3+BRXIBagc6r9 8roMmx1Kj3tPRIKXTNz1G/Qr1TD/mkcnTF4Ms0gZ2kJRlSXA20+/S01eeQWMz8jv YVmtpDI7TXkP5uumfj9xM6tuPqu+VKusQZx4sBaCPJL26R5cCjO9rk1jGhTp6GqS rOzP+P7QUnjvGJr01wf9C0UvF96pTBd3sCzkzDLVQsqnfD1z6l+XxrmFxS0YakHO cpMpPhJaF7w6Gie3oM5At5wS3esQd4WMXIKSOuWrClgx3UXvvRz7V/dT+JWLOEIk 8mk8K4md18jXZoLq4ECBGG4SV3ycKdoG4FbxVq7k4UIchumAX3NXn8vCvElVeiSo j3LNb2jkZBFKBOl2ndCbUROXje0jRb1uBE8IO6mzgLJhzt3plQKCAQEAzmBsF2/z MlOYG/aYfBqUyQYEW2vmNrh3JYrNJ773F7/aTglrGQnBVtFy2Fvc3z8Se9SBggEa Vns78A63ut+Odzisz93jjhiAt5eEcW1L98blW5rGAlzhdc6ZR0731KjHGCEAGsjS BXU8O4LEdFceiYUnLAQo1TAJdeWl98AfAOJvaemu4yzlchp5d9FtlhVTVrIHVugX GoCq8SH/auyuE21c87j1/YW1JX3cmI2o8rCa4UFotayaHK5UqCUA7Jp6Ps/Yg6U/ jgHrxBUzP/fE4Fk2hHxXTiXCgV1b/Qrs/Y8pYuqH2J/aFkSFe19pSD3PyIVXoiND BxlpYtY80xTvYwKCAQEAwHl4ER0646IGIwCFbvsJ9hBEopv+EHNhcyfy2hkJeA76 djwKAZfEqPQIHVS/b28bEjlEHRPiXBDdpo4ZTxAy+vZvV9pmlSai8xn/OzEHG/MC hY9lUatNU5HoaS9qxarMafalAnNKH433T23sjUkH+lhMF2zxOnlQL89i1mXag1Op drLgfnzB35NF5LoP3Z3odQ1iQvT9XvMaSUcB9OQJWPbuv728Kh7vKuqCcq8OzS8w OPdUwkDN2PimiVgS/bb93MlGcn00aVnX9X1YLyxj68VtStolkeuda0S++tgG4fTS 89TGRWmNupqKHAKIpIgOXlZA9oHxZFLp3fn+CQTE3wKCAQEAwkjR2aqht7Is075t xP+9LBZHCc3lV4SHXkdyZcWIlsodeTOyqEqfwdzCEl9A6sZU31CqbzockmfHgHJK k1mcpC4tui7456+3lZ7Fp4auat/K0lc9q8HG2wIZGKGF/KS7ccK3d3+xAERi5N9x lNjjPbGls/Fig3iKn3wHp9otFccV/g5pfyKoCqhTy/HUCeOfplFJSY6LGX8h7ooE C6QvKMjfJe7tXbN/WoFHqDJMZ9TMqdzK96U7HF8eAYF8gkHXbcR730s1LrouO1V9 /u2BYXd7NHReOIqhtumuDOU5QGeDHcUPCGdMh4QQaZnj4oeWUf7+BfzOQCOzK8Hm Vw0xYwKCAQBO27WgtWwiRYjkIFuLC9mZ8jJcuTLPxKYhizWJvAZQJTri5FhpLKhL XKhSdB1253uc7M+GZlYwyEw36DJgXU+12O/ne7jZ1RmgJn+W3dB+2AKpfAXT/y5Q VhB1wBKr5/2WUJJsvZWZ9g1kgrIPdOOK41BRrLXs8jUzUXG6S8LKWaWt1z35NN4t 3uYc/0puzzqlcpVWv49rroiPi0M29ZMK2ykYcAE+9Kui1rAZkrWqxXGpdVRJvklY Yw/AZ9BoGOhL5D8zuy6VF1VO5EsUEMjjmWDc8SHBdlppz6G7nnS7cRZZBk0xtTx3 PsflD/iyCHhymD5HgRfItdvRsZIuWcDbAoIBADk0nMaAqJTzoybcyk102k+oXwY8 mVV0D1DCfrGeQr0Fa64XVyfqizuwDzIRy8+vQiBx+2dgOVxG2KLzMHKagxW+cBfm 5zN5VELXAWB4qaKvIx64mxuM5QyO+EdTdqeGTcD6vanKGcGz6X0Fxsw2wqFHXpPX l1LFd+wTJsgkCX9C3XNWv5SH553WUvCnbZXZw1YwMD8H7N/+0yf/DQeRdNBOWIEV 0/aSNxBP9TBOcegRFMOXy+0s5BXSDAlXC2rID6kDFXDKI/JET4FDWtiohiVaY4RN GMuRV0pcBLfuGtegGeTkqc7Gb0219m8lhGrDHLlH1CddqYweCOG1RaEoMyc= -----END RSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/rsa4k.pl000077500000000000000000000001771421243614200166210ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::rsaencdec("4k", 50, 501); test::rsasignverify("4k", 50, 501); openssl-ibmca-2.2.3/test/rsa8k.key000066400000000000000000000143331421243614200167760ustar00rootroot00000000000000-----BEGIN RSA PRIVATE KEY----- MIISKAIBAAKCBAEAtfz48HrXiXbnyW55fPh6NSns/+eR5pqkbiW2lYKMslcDEuku dk0JORrEnwhB7PPdMlXIfCFIVRASBu8mku2a+Zl027D2LBDhgiaAcztMLAADW0Zl wtSyd0MWTfJD627h18sscKlFIxpN82sSv8EtSkSIwYbNyIqtgulwt2TZtfvGy18n ahAu7CYG0p+S1hJTdrd4YNnb5V5ZPgCBzRsqkhIxILCJBqi29G3Nr7pqp9PKB8ZM Nca6ir0SpBB1pBcyYiyfhPeKf6u1qamRbFRvY7qSIBxHhlzREqxoWm3EHZLMcvLb hOd+xS5dpoaskEQs5HqQBcVjeXeDBldYUYrQCufaXmycHYTvREM1Dk0qDU0mZ6x0 4WH4YGL/yQJ5/fwq9FKxJFlhjlX+7eyiY4oD/prpOOXVSMhCjOr5bTnSXqEFCCx6 fQlJDXnqiHkfs/hnjK60Wq74oE0uZgpMYM0Z4/uhGo7Fz76ycd/4+P0yBALhkjB7 nEmR5Amesx0avFg8Oeb8DM28f+pJ3QNZRLPPAh7wd3v4Ja61vjE0AANCexobJa8H X4GEDqdEAQDgMRCOj665KGgKs59tSrh128VGykcj+OzJCz4qkKLxahiXQvFBahnx qi3dpHrJ8J48M1JXp6kgSHiZByBZwBnItvmqYGnulbNgXPmCJK3AZWNNK/U8M7VT cFc/nroXNRZZ4GwV0Bjp1y1e8KY+H8KihWA4yEskwYMPtYh0HXfZPgJHBzMUYnXH QRNIyGlYoS2zuAsQXXgFFFca5WMt0mIeAuSILb6GTq6CJsLZj9kJ+LqAJ69PZauO CstejmKQLqtA6KticJ9wPDBoS8w40Mf4U8KMAzdC+b/ZKBFxdaDgvOMnH+8nwUoZ 7PaqjKI8c6hfgObsA4JKCu3EYPHbhsQxO3PPMXGnyJCvwp6s4Ym6Fz3B7pvshlf6 nsyMA4nzlGzX/JXWGIdps2G5/WpYiz8nDEOls7SsbEXEIO0dTq2oW5vJ9dOyxrAn vyaRGPusBrzRq8zq09Ry2WjhAAdJ0W+48U6X6fK4uJ41BL5EgJ2yKLGiA6KAdUDO TZBf4VsZLbLAY66veKHGRztNM9+tXl1M6cWpYHlx0v26hSqcoGMjaLSDgq0smYRm V29Ukm7WhguQHJjphC4RqAt2ZdrVbqcf+PvZongcOrle3xJtbNoUKhjXu24Yp+he UaGwNTSPkHAf/Ac1iItnF62+12ai2uZxoA6H0H6sbLhApjUaXq9UJ11SzMroKMX2 JXr2EAqC6KyjlbPE7T9GOn7E9e7zOrgOrdViG05RuI6aew4Nf7guT5afUoag0HkB e6GNhtC291r0iCyjcGDTmKu9mUIvGVIsZ9XcfwIDAQABAoIEADwZlfB88O8xuGw6 Mp7FxD4IYX9Fb1ZznXfOtpR7b5F50McPAMwKttAH+gT3CiaBhnwX/kSYDTYiP4HQ urFtDG//cKsYrsNws7hylJr5azdgrbsX7YVBDsr5+cS2DB4VGTpVm5B9JhrolfOc Wa2/0wAiz/LxXMYsng6Mny/Be3Bw/H6vJuoM/CH6kOg/0JMnrC6ZeoSpjcgat2gV bMhaf12L6nN8OVRcpUbleDbfXlecRqz4nLRps7Mbq6tI0EDndDkduXSE91UgVLb6 C891tu99bsJx9GD4CAedrjym4UxO7XvMnhgvBxuBK2ZSNWzTRuwRWby+KhK0GC4g 7EbJi9j+JoxmW8wX2Zh2hW/6pbeM0fEM7/B6lTbnmsc8LSNmgpz7LgruBZym47CZ JCuxKY6MhBbJN/14PRoig0rB/KpJjMrdPXpLdbegmoaFUaXyk+fOzjrga7Usp/UE 06JoOXOj5tlJayQnOvEGYUeA/mJ6vRm1Ly020po3XxSRuQGYNhN9J6Hm06h+q/P0 JifdJbDynMEozJNNNjHgN+cFLJBQ18RDIDE3KXBZZsjaDC/H4vyqW/VvHpGhRcuW TT3N0Yn9onCTafVvi0kGtqkuA84UtGCgvsFPslGeR1BSQVlFiTMSVFn6kbbbxSf+ m91paA29DhCcE2fA8mzAgLg66gJoxL4pnmnGeO6kSCMUIvI3LymwqJGfVrUGHZKd Y9Ua5TMzWmUZSCJ+Z76ZGro7cRmyKxgh7F1Tdwfwllu4rFDqVOly9OInoMmA+rO9 yoe5AlxGG9jOav8ZD3W7Aa0tGRRDPg1+sYh8XL+rYRuW6EBHzUKs/My5iMxEsD+u R0GWIjMxdZCtB8ilq8Px4yJ/nfoz4E/6EytxO67se0z/odRIRl8EoTMb/ErxOW+8 m2pk9oA2oEa1HWnG0WRjE/TOKwmodEr6+uk5tAN9luJtMSeSRpRYsKHaoAJJucwR dXR1NO4fOEO2D8fvW3QqG65G+pfrPoZwU4WmdKVHLxisWhdulFoENAyHSYDFSOMP HPatnxQXZPCkQgu9EN3w6d+x1iqllTi2FiJgZrcpzgHyWnLqaofCR0YCwyYYm++X 0W8jFKI9ByDK9JmKezo67N5+2VNqtXr6zkpnlDGnXndx4Se5et2yqSmiKq7a1U1e eEQkV4fKju5eSycLCFq5CqvCnlx8cEsRRebvICgPgpG8cVfrj3nOfWprrBwzNAC4 0dZkdmfIRa3c6p3r+Aq/+/UUgg6N6mqI7RpFDaL0QBwiomyc0iScmFZWnHomR3oE wHx0Yl5n2FxTlRc6GUionOA90xAPNs7JrTvzFow4mDTCpwdhIMV+P2Wwieq5/FCH 4Qa8KUECggIBAONfLJ11WB3q4GpzjJWHZUDnTrCltebOTBjkB4KIyFc1FfKxhrHy ddTRqU6UPUtr/LpTY53XLWlvZmsAgVdrWSfNXWkLC2wtMAKN9KTMAMt0VRbipdoJ O07OZqCxSW27iG4+U6gqJXsXo4VEY+tGujoj+Kwnfi4P/qR0JoiYondOJ9A+CRfB QIvYGphXekNMKzKRJUERakoGpSESE/kip5uROjs4dnWkt9RzOFByBJ4KGSIg+lt1 dMg840rceDhJBo9003QxYhSaJxN+hQE3JSbemrv8l6NKMsnFU6ozp51bOMlNsfvT YjTh2VGPclBfZGOmLuGa3symwMxGPLsEsSxomaE0wHgqa7jSPOjLe7RGpzHb2vJm JLD82etA24OSpszONlLA90L/tJyOlyLeAaHO82VWxL+f76GbsGOE18VFkLiycNYG ywDsG+mWrVd9mcei5KQJLP4QxfcrU9DbxkmakAq094+Xllu6CaYL4zMQDQ67hD+a jHHm260Rda+5EeFJKUKXNo8B8ov/1+sZX8/Ljm9bI2occPHXlKI9x6t9PXVSfdWE hEIA31+5DdCfE8Uoa2dCL7sWKaDBl9hSKxCPJlnr6EO5BiHvACxUz83JjzjxCPcc Y+RjlTnTrglzIA/gNz1FBwlZfjcAbqu40YiUds2n0ffiEWc3WoFXFiCfAoICAQDM 5vVPwW36aFX7KV0gbUyB+4o3pvhbwPjHlHqqz0U7sZmZV4PwhLgoFB71XMDc1tjy NvGm1or9yfnsYcssPv14PnFgxnKlR2t1HV1fOLdzd92chjr6BS+mr0v57Nz6g2D8 /SGR+iy6enh9S5P+4a8jIvo1gYA2EodBEAMvsbGMQ49ZugPxCbvTaoZmb3qCLMNr Xcvul4fkg3qpaOb2ppyVo3arsTPhp84N7OcerCqo+OsOomDOBx0a0HrzF8gzbq62 UdY2cSV4GG0aNazwXtkjcZ7ubpwsPY1b9g7cJdQkOJfSMacIeLPUSYPrlMkxr0Ck JAgU5piTKSsmWE+zoPYn8abhrHjuKZFHojdX0iS4ZaDkLOizVNxmJCi+3fOMo9MA i3oz6Vltmlrg1XdsBH0kuddEy92rmYwSnlR4nKV1C558ACbSS7xMLJH9zHLJuTVm 6Cqev1DL/olHFDeLeTx7IuI7FdBGgh9hRxZ14q4g+0NiRW93CqIqJ0qqvqHgnMHo JmPIRu00WRm+MFv83LqjK4w3uopTH4g31TcGMZmK+qQSHR58dkSg4hmKyqMGy/p5 wbT9ZbwMw0fD5zMXbF/OH98qg0ibFeoWbb7hbDV2YmXwE37zQqozrOqNJE/Ipyde faKIl1r0+txstzeoKFaexdSaez4ayx9VY/JHnhtYIQKCAgBfFp6B+2EuodvYqRpS Lp2Z1yKBncvFCuGoRzUc0jd2wSy8oqHCKbQ9nLFBu50mvbKj+dvfVu4W+g/LEBsH hE1059344DWWuA8sAlId2XM7oxsyxva1iMbU3lztNzeOPK+B627xFS83m1s3kLJ4 4stfJUwKMzoB6Y6FGE5FMhA/9N+Rp2AGHzvvQCFfNLZdDq3CKBF8dNwOuVi1y+mu d1/BH6tKuQJRkOGQZ99VRVnI/lAkhcYuGaENXOlxlWJxp5imxiToov5xv0Y4UOEu 8PEIoG/1zl1cXNuAppWmyJOAq3XEOkoFFxIrK4jHI0abdkl1ozpX/3zN+a8HvxgG 3p96AwS89mLH3nXOhZ4TfYXujt29bETUuwL9QcGhMS6ch+haHqN5WFoQGwBduQRc AJyOHw6Lgw4lVa3R2FqcRCI4zi8IDxhBafXcHOJPfkRgIpb9dpJIR84ZMsqX4/bZ khALGCjFUYl2895d3h/K4Y3S/RN45dMZBnlV6UZVysd9BdkEbqRixPp8NERLaGPU XnhDXs3ipCrbZamWeqIed9fZUDczqZwWf6UQNW01ix7L8LtD6POB65wqkco3AL+Q KEz6T+OqF467Q9XcuydHYvDFD1Zmaedl8OmVyk/OL0jJiuwNt6diaEvZDSRLvFKM Xm7Cv9Qvjc+x60l78RpYnSMT4QKCAgEAnC26c6UrD7+xMbSwkAPfWgABtTOmgEFR Hsa0zTcZPUu8mN3U6mIvABV+F2Uwd+OnDtAEVzeWT6VAwwUzWLFWf+2Qe8QnJIWQ iX7taaQQaInHuAO0Nlf3nyRkU8ZQFP5I0eybRuoaZ7Tr3AzcbF1XIgAKGPhxYkWz JEtxMkxN2WyxeiHH2VSi/p1mffOgvFIkTdT7mQuU//+bYj9cNEqAdapXzLxPoENI UuLssztldM/uUoRAJynS7FpWLK5G4bUOpFcyYOLTPXvYxS5+d+TDuzlie7iBf1MX SS3+25xV25nrVsKT32gpIbk7PTh2NlGvgq0YH944E4tAoYSUk4Uvuvh9S+wrbNTw MFqbtmuto4OLJAB7Ch23tH8BM6J3fg5syTCG38SQbnNFq7Ppx8KQJIsmYwDFIIPz +UkHd7tmfhVyIm/3Jzmk96bNTFcmc02hP6PcwI1wp1yHBE+Lmtq4196Z85FH5EZQ ZtRJcWdrdCYwkVn9gQ3w1xKF3ilZt5ukTS/dxI0TRmBXt9iidNVFyRNrWBruTjdt m6j/vM/XidBLeKcLUrDO1JYiA+E6a/bUHzQfoTmHIW9DZzX1gngPekxezMeucs88 UwYphSb2hRqxOlGR5Rc+Jg855IT17ypBXsuCNHyxTqNbmd35JUpB49lEmM8xYjjK 1EpPJHmFvCECggIAPjb46/G3Gq6mRYbkZE0MKHRzq+Od4kEQAbpRV3z45/y1NjG3 qyoTduiY9eVzX0UVUEmtI8wA6xfpejUdv+S9GEAqbTE/fKOObmmWUsRKkWNPHSWp S1WICuuWds1tNomYHqz6lUPAnLzpq5jU22Dr3/2XYuOIHv5aOEPAAz5tlnkLhj8Y am7OWQ0MVJIb181w4eq6ozHlIA2ThoYWMUZzgAwMzPGM+iZZTLnJCIhKU5+nhJaM bTw2aFPkLJikn7r8PGO+4nIiBhJnQ+HPl5k5zO06dnMPna4sXGHkI9oeOFHZBmV3 5bqpKMh1yyukEaNLWRdQoJDV4dSCiv/0iV28WWC7VIX8hgQAxgxPkVkKSAJultaF 1DH06rwe38U7WFaK3hPyXCINU4Bv6KyJyCCi/TA4UmWJSXfO9c9O/Y7Y1seEu3NK NliqoXAqRcve30sVqGFqUIkNFlVhR8PmbjQevzlXJW3dlG47+QZAmSDoZ3UqoCJe yzMWjL79Bv/T7t1tl2EsUYizPaOKfmxWI6SVJC5TKEMV8cDsF/FM23P4ImOOaeLZ IfsCcCZwabE99oQgT0h7N//gREC4omENlb/Ip7YNBVbb4u15zlSQ5zy2F3qLchJP 5TaZeXJQyYTz2Sq/9blLMnQldszylqJTR6LUVQA4KQIMZtGn4ADPHy0ylec= -----END RSA PRIVATE KEY----- openssl-ibmca-2.2.3/test/rsa8k.pl000077500000000000000000000002001421243614200166100ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; use test; test::rsaencdec("8k", 10, 1013); test::rsasignverify("8k", 10, 1013); openssl-ibmca-2.2.3/test/test.pm000066400000000000000000000131541421243614200165510ustar00rootroot00000000000000#!/usr/bin/env perl use strict; use warnings; package test; sub osslversion1 { my $vstr = `openssl version -v`; return $vstr =~ /OpenSSL 1\..*/; } sub osslversion3 { my $vstr = `openssl version -v`; return $vstr =~ /OpenSSL 3\..*/; } sub cipher { my $tests = 50; my $max_file_size = 1024; my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; my @hex = ("a".."f", "0".."9"); my ($cipher,$keylen,$ivlen) = @_; # skip if engine not loaded exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); for my $i (1..$tests) { my $bytes = 1 + int(rand($max_file_size)); my $key = ""; $key .= $hex[rand(@hex)] for (1..$keylen); my $iv = ""; if ($ivlen > 0) { $iv .= $hex[rand(@hex)] for (1..$ivlen); $iv = "-iv $iv"; } # engine enc, no-engine dec `openssl rand $bytes > ${cipher}.${i}.data.in`; `$eng openssl $cipher -e -K $key $iv -in ${cipher}.${i}.data.in -out ${cipher}.${i}.data.enc`; `openssl $cipher -d -K $key $iv -in ${cipher}.${i}.data.enc -out ${cipher}.${i}.data.dec`; `cmp ${cipher}.${i}.data.in ${cipher}.${i}.data.dec`; exit(99) if ($?); `rm -f ${cipher}.${i}.data.in ${cipher}.${i}.data.enc ${cipher}.${i}.data.dec`; # no-engine enc, engine dec `openssl rand $bytes > ${cipher}.${i}.data.in`; `openssl $cipher -e -K $key $iv -in ${cipher}.${i}.data.in -out ${cipher}.${i}.data.enc`; `$eng openssl $cipher -d -K $key $iv -in ${cipher}.${i}.data.enc -out ${cipher}.${i}.data.dec`; `cmp ${cipher}.${i}.data.in ${cipher}.${i}.data.dec`; exit(99) if ($?); `rm -f ${cipher}.${i}.data.in ${cipher}.${i}.data.enc ${cipher}.${i}.data.dec`; } } sub rsaencdec { my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; my @hex = ("a".."f", "0".."9"); my ($keylen, $tests, $max_file_size) = @_; # skip if engine not loaded exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); for my $i (1..$tests) { my $bytes = 1 + int(rand($max_file_size)); # engine enc, no-engine dec `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; `$eng openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; `openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; # no-engine enc, engine dec `openssl rand $bytes > rsaencdec.${i}.${keylen}.data.in`; `openssl rsautl -encrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.in -out rsaencdec.${i}.${keylen}.data.out`; `$eng openssl rsautl -decrypt -inkey rsa$keylen.key -in rsaencdec.${i}.${keylen}.data.out -out rsaencdec.${i}.${keylen}.data.dec`; `cmp rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.data.dec`; exit(99) if ($?); `rm -f rsaencdec.${i}.${keylen}.data.in rsaencdec.${i}.${keylen}.out rsaencdec.${i}.${keylen}.dec`; } } sub rsasignverify { my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; my @hex = ("a".."f", "0".."9"); my ($keylen, $tests, $max_file_size) = @_; # skip if engine not loaded exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); for my $i (1..$tests) { my $bytes = 1 + int(rand($max_file_size)); my $key = ""; $key .= $hex[rand(@hex)] for (1..$keylen); # engine sign, no-engine verify `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; `$eng openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; `openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; exit(99) if ($?); `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; # no-engine sign, engine verify `openssl rand $bytes > rsasignverify.${i}.${keylen}.data.in`; `openssl rsautl -sign -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.in -out rsasignverify.${i}.${keylen}.data.out`; `$eng openssl rsautl -verify -inkey rsa$keylen.key -in rsasignverify.${i}.${keylen}.data.out -out rsasignverify.${i}.${keylen}.data.rec`; `cmp rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.rec`; exit(99) if ($?); `rm -f rsasignverify.${i}.${keylen}.data.in rsasignverify.${i}.${keylen}.data.out rsasignverify.${i}.${keylen}.data.rec`; } } sub dsasignverify { my $tests = 50; my $max_file_size = 1024; my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; my @hex = ("a".."f", "0".."9"); my ($keylen) = @_; # skip if engine not loaded exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); for my $i (1..$tests) { my $bytes = 1 + int(rand($max_file_size)); # engine sign, no-engine verify `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; `$eng openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; `openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; exit(99) if ($?); `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; # no-engine sign, engine verify `openssl rand $bytes > dsa.${i}.${keylen}.data.in`; `openssl dgst -sign dsa$keylen.key -out dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; `$eng openssl dgst -verify dsa${keylen}_pub.key -signature dsa.${i}.${keylen}.data.out dsa.${i}.${keylen}.data.in`; exit(99) if ($?); `rm -f dsa.${i}.${keylen}.data.in dsa.${i}.${keylen}.data.out`; } } 1; openssl-ibmca-2.2.3/test/threadtest.c000066400000000000000000000111531421243614200175440ustar00rootroot00000000000000#define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include /* This is just a random number of threads to stimulate engine configuration. */ #define DEFAULT_MAX_THREADS 20 static int setup() { ENGINE *engine; EVP_PKEY_CTX *pctx = NULL; OPENSSL_load_builtin_modules(); ENGINE_load_builtin_engines(); /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and 0.9.8e */ #ifndef CONF_MFLAGS_DEFAULT_SECTION #define CONF_MFLAGS_DEFAULT_SECTION 0x0 #endif CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION| CONF_MFLAGS_IGNORE_MISSING_FILE); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.0+ takes care of initialization itself */ #else OpenSSL_add_all_algorithms(); #endif engine = ENGINE_by_id("ibmca"); pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine); if (pctx == NULL) { return 0; } EVP_PKEY_CTX_free(pctx); return 1; } static int check_globals() { int ret = 0; EVP_PKEY *eckey = NULL; ENGINE *engine; EVP_PKEY_CTX *pctx = NULL; engine = ENGINE_by_id("ibmca"); if (engine == NULL) { fprintf(stderr, "Failed to retrieve ibmca engine\n"); goto out; } pctx = EVP_PKEY_CTX_new_id(NID_X25519, engine); if (pctx == NULL) { fprintf(stderr, "Failed to create PKEY_CTX\n"); return 0; } if (EVP_PKEY_keygen_init(pctx) != 1 || EVP_PKEY_keygen(pctx, &eckey) != 1) { fprintf(stderr, "keygen initialization failed\n"); goto out; } if (eckey == NULL) { /* error */ fprintf(stderr, "Failed to create ec key for X25519\n"); goto out; } ret = 1; out: if (pctx) EVP_PKEY_CTX_free(pctx); if (eckey) EVP_PKEY_free(eckey); return ret; } static void *threadfn(void *arg) { unsigned long res = 0; (void) arg; if (check_globals() != 1) { res = 1; } return (void *)res; } int main(int argc, char **argv) { pthread_t *threads; unsigned long int i, maxthreads = 0, errors = 0; int c; pthread_t me; /* First fix the environment */ char *testcnf = getenv("IBMCA_OPENSSL_TEST_CONF"); /* Do not overwrite a user-provided OPENSSL_CONF in the environment. This allows us to execute this test also on an installation with a user-provided engine configuration. */ if (testcnf && setenv("OPENSSL_CONF", testcnf, 0)) { fprintf(stderr, "Failed to set OPENSSL_CONF environment variable!\n"); return 77; } // arg parse while (1) { int option_index; static struct option long_options[] = { {"threads", required_argument, 0, 't'}, {0, 0, 0, 0 } }; c = getopt_long(argc, argv, "t:", long_options, &option_index); if (c == -1) { break; } else if (c == 't') { maxthreads = strtoul(optarg, NULL, 0); } else { fprintf(stderr, "USAGE: %s [-t|--threads ]\n", argv[0]); fprintf(stderr, "where\t specifies the number of threads to use (default: 20)\n"); return 1; } } if (maxthreads == 0) maxthreads = DEFAULT_MAX_THREADS; threads = calloc(sizeof(pthread_t), maxthreads); if (threads == NULL) { fprintf(stderr, "Thread array allocation failed!\n"); return 1; } if (setup() != 1) { fprintf(stderr, "Failed to set up test. Skipping...\n"); return 77; } me = pthread_self(); // Start threads for (i = 0; i < maxthreads; ++i) { int s = pthread_create(&threads[i], NULL, &threadfn, NULL); if (s != 0) { fprintf(stderr, "Failed to create thread %lu: %s\n", i, strerror(s)); threads[i] = me; } } // Now join threads for (i = 0; i < maxthreads; ++i) { if (!pthread_equal(threads[i], me)) { void *retval; int s = pthread_join(threads[i], &retval); if (s != 0) { fprintf(stderr, "Failed to join thread %lu: %s\n", i, strerror(s)); } else if ((unsigned long)retval != 0) { fprintf(stderr, "Error in thread %lu\n", i); ++errors; } } } return errors ? 99 : 0; }