Add IBMCA Provider for OpenSSL 3.0

opencryptoki / openssl-ibmca

OpenSSL engine and provider for libica.

Apache License 2.0

6 stars 15 forks source link

Add IBMCA Provider for OpenSSL 3.0 #76

Closed ifranzki closed 2 years ago

ifranzki commented 2 years ago

Things to discuss:

Should the provider have the same version number than the Engine? Currently it has 1.1.0 since it is the first version of the provider, but the engine has 2.2.2....
Should we maybe create a new release (i.e. 2.3.0) for this (or even a version - 3.0.0.)?

jschmidb commented 2 years ago

commit title: Prepare provider for implementing cryto operations -> crypto

ifranzki commented 2 years ago

commit title: Prepare provider for implementing cryto operations -> crypto

fixed

ifranzki commented 2 years ago

In general, the Copyright year is everywhere 2021. Should include 2022

Fixed, did not think about updating the Copyright year when the new year stated...

ifranzki commented 2 years ago

Made /var/og/ibmca 777 to allow anyone to write trace files.

ifranzki commented 2 years ago

@juergenchrist I am ready with the changes. Please take a look again and let me know if there is anything else you want me to change.

ifranzki commented 2 years ago

Some files (mostly test files) still miss a copyright header. Could you please add this.

Will do. You should then also update the Engine test files and add a copyright header there as well.

Now I see a copyright header, but with year 2018?

LOL copy & paste ... Will fix.

Couldn't we alternatively specify the full path to the provider library?

Thats what I wanted to say with the sentence "Set the name and optionally the path to the IBMCA provider shared object file". I read somewhere the on some platforms the path can be specified here, but not on all platforms. I guess on Linux you can.

Also, the environment variable is only usable in non-setuid-root binaries.

Right, added "(ignored in set-user-ID and set-group-ID programs)" as it is stated in the OpenSSL man page for that environment variable.

ifranzki commented 2 years ago

@juergenchrist Force pushed, please take a look.

ifranzki commented 2 years ago

Changed test.pm to not use fork() for the tls.pl testcase. Fork causes problems with closing file descriptors when running in the CI where stdin is a socket connection.

ifranzki commented 2 years ago

Fixed a bug in ibmca_keyexch_dh_derive_x942_kdf() to use the resulting plain secret length for applying the KDF, not the prime size.

Please note that there still might be a bug in the OpenSSL provider implementation regarding the use of padded vs un-padded plain secret with X9.42 KDF, see https://github.com/openssl/openssl/issues/17834 If they fix this, the IBMCA provider needs to be fixed as well. Currently the IBMCA provider behaves the same as the default provider (otherwise the dhkey testcase would fail).

ifranzki commented 2 years ago

rebased to current master

ifranzki commented 2 years ago

Rebased again to current master.

Also fixed bug in DH keyexch related to a bug fixed in OpenSSL with PR https://github.com/openssl/openssl/pull/17859. Note that the dhkey testcase will fail until that OpenSSL PR is merged.

ifranzki commented 2 years ago

FYI: OpenSSL PR https://github.com/openssl/openssl/pull/17859 has just been merged.