{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":92067382,"defaultBranch":"master","name":"openssl-ibmca","ownerLogin":"opencryptoki","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2017-05-22T15:10:53.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/28867206?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1695279310.0","currentOid":""},"activityList":{"items":[{"before":"d2254c6641b1cf34d5f735f335edf9a05ddfd67e","after":"4ea48e0682ff9a58340421dc9d896c7ca06a2621","ref":"refs/heads/master","pushedAt":"2024-05-13T11:37:53.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"engine: Fix compile error on Fedora 40\n\nibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'\nfrom incompatible pointer type [-Wincompatible-pointer-types]\n 627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"engine: Fix compile error on Fedora 40"}},{"before":"2f420ff28cedfea2ca730d7e54dba39fa4e06cbc","after":"d2254c6641b1cf34d5f735f335edf9a05ddfd67e","ref":"refs/heads/master","pushedAt":"2024-01-19T08:22:10.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"test/provider: Explicitly initialize OpenSSL after setting env vars.\n\nWhen running with a libica version without commit\nhttps://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a\nit is necessary to explicitly initialize OpenSSL before loading libica. Because\notherwise libica's library constructor will initialize OpenSSL the first time,\nwhich in turn will load the IBMCA provider, and it will fall into the same\nproblem as fixed by above libica commit, i.e. the provider won't be able to\nget the supported algorithms from libica an thus will not register any\nalgorithms.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"test/provider: Explicitly initialize OpenSSL after setting env vars."}},{"before":"7186bff3fa2a3dd939e1bc0fed48e733da4477a7","after":"2f420ff28cedfea2ca730d7e54dba39fa4e06cbc","ref":"refs/heads/master","pushedAt":"2024-01-17T09:53:31.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"test/provider: Do not link against libica use dlopen instead\n\nWhen an application links against libica (via -lica), then the libica library\nconstructor runs before the program's main function. Libica's library\nconstructor does initialize OpenSSL and thus parses the config file.\n\nHowever, the test programs set up some OpenSSL configuration related\nenvironment variables within function check_libica() called from the\nmain function. If libica has already initialized OpenSSL prior to that,\nOpenSSL won't initialize again, and thus these environment variables have\nno effect.\n\nDynamically load libica (via dlopen) only after setting the environment\nvariables.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"test/provider: Do not link against libica use dlopen instead"}},{"before":"727304ae0190dada506fb4f36fd277ac56f396e1","after":"7186bff3fa2a3dd939e1bc0fed48e733da4477a7","ref":"refs/heads/master","pushedAt":"2024-01-08T10:22:26.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"engine: Enable external AES-GCM IV when libica is in FIPS mode\n\nWhen the system is in FIPS mode, newer libica versions may prevent AES-GCM\nfrom being used with an external IV. FIPS requires that the AES-GCM IV is\ncreated libica internally via an approved random source.\n\nThe IBMCA engine can not support the internal generation of the AES-GCM IV,\nbecause the engine API for AES-GCM does not allow this. Applications using\nOpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an\nexternal IV.\n\nEnable the use of external AES-GCM IVs for libica, if the used libica library\nsupports this. Newer libica versions support to allow external AES-GCM IVs via\nfunction ica_allow_external_gcm_iv_in_fips_mode().\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"engine: Enable external AES-GCM IV when libica is in FIPS mode"}},{"before":"2262b3d7b76abc24fe4676f4550d4cbfec327191","after":"727304ae0190dada506fb4f36fd277ac56f396e1","ref":"refs/heads/master","pushedAt":"2023-09-21T06:52:43.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"Update to version 2.4.1\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"Update to version 2.4.1"}},{"before":"2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4","after":"2262b3d7b76abc24fe4676f4550d4cbfec327191","ref":"refs/heads/master","pushedAt":"2023-09-13T09:30:09.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"Makefile: Updates to make 'make distcheck' work\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"Makefile: Updates to make 'make distcheck' work"}},{"before":"67efa9ad713e8283cb20111a15629f15a8ea8c86","after":"2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4","ref":"refs/heads/master","pushedAt":"2023-07-27T06:53:32.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"provider: Default debug directory to /tmp but make it configurable\n\nThe IBMCA provider debug logs were written to the /var/log/ibmca/ directory,\nbut this required that directory to be world-writable, because we don't know\nunder which user an application runs that uses the provider.\nA world-writable directory under /var has security implications and should be\navoided.\n\nChange the default log directory to /tmp which is world-writable anyway.\nAdditionally the log directory can now be configured via the 'debug-path'\noption in the IBMCA provider section of the OpenSSL config file, or via\nenvironment variable 'IBMCA_DEBUG_PATH'.\n\nCloses: https://github.com/opencryptoki/openssl-ibmca/issues/107\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"provider: Default debug directory to /tmp but make it configurable"}},{"before":"acba1d936bd84c7090ed7d3849b0bab3c7f18da0","after":"67efa9ad713e8283cb20111a15629f15a8ea8c86","ref":"refs/heads/master","pushedAt":"2023-07-26T11:30:05.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits\n\nThe RSA key management's get_params() function should be able to return the\nvalues for max-size, bits, and security-bits if at least the public key is\navailable.\n\nThe detection whether the key is 'empty', i.e. has neither the public nor the\nprivate key components was wrong. This leads to the fact that those parameters\nwere not returned when only the public key was available.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"provider: RSA: Fix get_params to retrieve max-size, bits, and securit…"}},{"before":"f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a","after":"acba1d936bd84c7090ed7d3849b0bab3c7f18da0","ref":"refs/heads/master","pushedAt":"2023-07-14T07:24:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"provider: Support importing of RSA keys with just ME components\n\nRSA private keys may contain just CRT (p, q, dp, dq, qinv) or ME (d)\ncomponents, or all of them. If an application imports a private RSA key\nfrom just the ME components (m, e, and private d), then the IBMCA provider\ncan not use ica_rsa_crt() to perform private key operations.\n\nTherefore let an RSA key also contain the private key components in ME\nformat, and use ica_rsa_mod_expo() if only the ME components are available.\nRSA keys are still always generated in CRT format, but it now allows to\nimport an RSA private key in ME format.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"provider: Support importing of RSA keys with just ME components"}},{"before":"3ea8f4ed58e075e097856437c0732e11771931d0","after":"f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a","ref":"refs/heads/master","pushedAt":"2023-04-26T13:03:50.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"provider: rsa: Check RSA keys with p < q at key generation and import\n\nSince OpenSSL 3.0 the OpenSSL RSA key generation taking place within libica\nmay generate RSA keys where p < q (privileged form). While such a key is\nautomatically corrected with the first call to libica's ica_rsa_crt(), such\ncorrection modifies the libica RSA key object and may cause concurrency\nproblems when the same key object is used by multiple threads.\n\nCheck and correct such keys right after key generation or during import,\nso that it is ensured that p > q whenever the key is used afterwards, and\nthus no correction is applied by ica_rsa_crt() later on.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"provider: rsa: Check RSA keys with p < q at key generation and import"}},{"before":"e8983a442f53e56e49c9143babeacb5c0206c1bd","after":"3ea8f4ed58e075e097856437c0732e11771931d0","ref":"refs/heads/master","pushedAt":"2023-04-19T12:46:52.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"engine: Only register those algos specified with default_algorithms\n\nAs part of OpenSSL initialization, the engine(s) configured in the OpenSSL\nconfig file are loaded, and its algorithms (methods) are registered according\nto the default_algorithms setting.\n\nHowever, later during initialization, ENGINE_register_all_complete() is called\nwhich unconditionally registered all algorithms (methods) of the loaded engines\nagain, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.\n\nSet the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization\nto avoid unconditional registration of all algorithms. We only want to register\nalgorithms specified in the default_algorithms configuration setting.\n\nNote that if the default_algorithms setting is omitted in the OpenSSL config\nfile, then no algorithms will be registered.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"engine: Only register those algos specified with default_algorithms"}},{"before":"a0e43ee33f54ae2aa9e0f95a8e2ebd89e6f200af","after":"e8983a442f53e56e49c9143babeacb5c0206c1bd","ref":"refs/heads/master","pushedAt":"2023-04-17T12:28:13.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"bootstrap: add --force option to autoreconf\n\nConsider all files as obsolete and make all of them new.\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"bootstrap: add --force option to autoreconf"}},{"before":"41d5fd03a270e8b302b6254f00a51ab50019cc88","after":"a0e43ee33f54ae2aa9e0f95a8e2ebd89e6f200af","ref":"refs/heads/master","pushedAt":"2023-03-30T09:12:41.075Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"Update to version 2.4.0\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"Update to version 2.4.0"}},{"before":"5c8de9c3dcb232be605bed2f06c3470d6107282d","after":"41d5fd03a270e8b302b6254f00a51ab50019cc88","ref":"refs/heads/master","pushedAt":"2023-03-29T06:45:46.393Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"provider config generator: White-space fixes\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"provider config generator: White-space fixes"}},{"before":"b631a37eb26513a7337f05ba85ad977b83d2c324","after":"5c8de9c3dcb232be605bed2f06c3470d6107282d","ref":"refs/heads/master","pushedAt":"2023-03-29T06:45:31.887Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"engine: Enable RSA blinding and offload blinding setup to libica\n\nFor whatever reason RSA blinding was disabled for the IBMCA engine. One\npossible reason is that setting up the blinding factors also requires a\nmod-expo operation, and this operation does not get offloaded to libica,\nunless a Montgomery context for the public key (modulus) was setup before.\n\nDo no longer disable blinding, but make sure that the Montgomery contexts\nfor the public and private keys are cached, like it is done without an\nengine. That way the mod-expo operation used for setting up the blinding\ncontext is also offloaded via ibmca_mod_exp().\n\nNote: Due to a bug in OpenSSL code, the offloading of the mod-expo for the\nblinding setup does currently not work for private decrypt operations, but\nonly for private encrypt (signature create) operations. Once that bug is fixed\nin OpenSSL, it will also work for private decrypt operations without an\nadditional change in the IBMCA engine.\nRelated OpenSSL issue: https://github.com/openssl/openssl/issues/20579\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"engine: Enable RSA blinding and offload blinding setup to libica"}},{"before":"66a89733ea36d446bd3cd6d40c7e328e9e88a4a9","after":"b631a37eb26513a7337f05ba85ad977b83d2c324","ref":"refs/heads/master","pushedAt":"2023-03-22T15:51:47.000Z","pushType":"pr_merge","commitsCount":7,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"provider: Perform mod-expo for blinding setup via libica\n\nProvide a montgomery context and the bn_mode_expo callback function to\nBN_BLINDING_create_param() so that it calls the callback for the\nmod-expo operation when setting up blinding.\n\nFor the constant-time unblind function ossl_bn_rsa_do_unblind() the\nblinding_mont_ctx_n0 value must be calculated, because it is required\nwhen a montgomery context is available. This is calculated the same way\nas in BN_MONT_CTX_set().\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"provider: Perform mod-expo for blinding setup via libica"}},{"before":"31ef5613f472f4e4bd0add171ccdfce17b085b53","after":"66a89733ea36d446bd3cd6d40c7e328e9e88a4a9","ref":"refs/heads/master","pushedAt":"2023-03-22T15:21:23.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ifranzki","name":"Ingo Franzki","path":"/ifranzki","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/28868064?s=80&v=4"},"commit":{"message":"travis: Add support for building in travis\n\nSigned-off-by: Ingo Franzki ","shortMessageHtmlLink":"travis: Add support for building in travis"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"Y3Vyc29yOnYyOpK7MjAyNC0wNS0xM1QxMTozNzo1My4wMDAwMDBazwAAAARIVR_n","startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wNS0xM1QxMTozNzo1My4wMDAwMDBazwAAAARIVR_n","endCursor":"Y3Vyc29yOnYyOpK7MjAyMy0wMy0yMlQxNToyMToyMy4wMDAwMDBazwAAAAMI-HlQ"}},"title":"Activity · opencryptoki/openssl-ibmca"}