Sync from SUSE:ALP:Source:Standard:1.0 libica revision 32d5d936009018c2001be56cd661ed55
This commit is contained in:
commit
f4c97f7a9b
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
## Default LFS
|
||||||
|
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.png filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||||
|
*.zst filter=lfs diff=lfs merge=lfs -text
|
331
README.SUSE
Normal file
331
README.SUSE
Normal file
@ -0,0 +1,331 @@
|
|||||||
|
The following information was provided to us courtesy of the IBM
|
||||||
|
testing team, who tested the functionality of apache with mod_ssl
|
||||||
|
on SUSE LINUX Enterprise Server 9 for S/390 and zSeries.
|
||||||
|
|
||||||
|
It thus refers to testing only from a certain point, and the
|
||||||
|
z90crypt part is of course specific to S/390 and zSeries.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Installation and Configuration of S/390 HW Crypto
|
||||||
|
on SUSE Linux Enterprise Server 9 for S/390 and zSeries:
|
||||||
|
|
||||||
|
1) Installation of the driver packages openCryptoki and libica
|
||||||
|
|
||||||
|
The driver packages are installed during base install in the
|
||||||
|
default selection. If you installed only minimal system or
|
||||||
|
deinstalled the packages, install them now. If the installation
|
||||||
|
source is accessible, you can do it with a single command:
|
||||||
|
|
||||||
|
31bit:
|
||||||
|
yast sw_single openCryptoki openCryptoki-32bit
|
||||||
|
|
||||||
|
64bit:
|
||||||
|
yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit
|
||||||
|
|
||||||
|
This will automatically install the necessary libica packages as
|
||||||
|
well if they are not installed yet.
|
||||||
|
|
||||||
|
|
||||||
|
2) Loading the z90crypt driver:
|
||||||
|
|
||||||
|
systemctl start z90crypt to load z90crypt
|
||||||
|
|
||||||
|
systemctl stop z90crypt to unload z90crypt
|
||||||
|
|
||||||
|
this command will be available only after installation of the
|
||||||
|
crypto driver packages.
|
||||||
|
|
||||||
|
To load the driver automatically at every system boot, integrate it
|
||||||
|
with the other boot scripts issuing
|
||||||
|
|
||||||
|
systemctl enable z90crypt
|
||||||
|
|
||||||
|
|
||||||
|
3) Checking if the z90crypt hardware driver can be accessed
|
||||||
|
|
||||||
|
Run this command:
|
||||||
|
|
||||||
|
openssl speed rsa1024 -engine ibmca -elapsed
|
||||||
|
|
||||||
|
If you get 'can't use that engine', as the first line
|
||||||
|
of output of the command look for the successive line
|
||||||
|
and check:
|
||||||
|
- if running "rcz90crypt restart" gives no error message
|
||||||
|
- the output of command "dmesg" for error messages from the driver
|
||||||
|
- the hardware is indeed available to this instance
|
||||||
|
|
||||||
|
4) Installation and Setup of mod_ssl and apache
|
||||||
|
|
||||||
|
a) ensure that mod_ssl and apache are installed during base
|
||||||
|
install. If the installation source is accessible,
|
||||||
|
the command
|
||||||
|
|
||||||
|
yast sw_single mod_ssl
|
||||||
|
|
||||||
|
will install apache and mod_ssl if they are not installed yet.
|
||||||
|
|
||||||
|
b) to activate the apache ssl support do the following:
|
||||||
|
|
||||||
|
if you did not use yast to install the packages, you have
|
||||||
|
to run manually: SuSEconfig --module apache
|
||||||
|
|
||||||
|
edit /etc/sysconfig/apache:
|
||||||
|
change HTTPD_START_TIMEOUT=2 to 20
|
||||||
|
|
||||||
|
change HTTPD_SEC_MOD_SSL=no to yes
|
||||||
|
|
||||||
|
edit httpd.conf in /etc/httpd:
|
||||||
|
|
||||||
|
in section 2: check that the ServerName and ServerMail in
|
||||||
|
the ServerAdmin section is ok.
|
||||||
|
|
||||||
|
in section 3: set inside <VirtualHost_default_: 443> the
|
||||||
|
ServerName to host name
|
||||||
|
|
||||||
|
add on section <IfModule mod_ssl.c>: SSLCryptoDevice ibmca
|
||||||
|
|
||||||
|
run: SuSEconfig --module apache
|
||||||
|
|
||||||
|
5) Crypto configuration of apache/mod_ssl:
|
||||||
|
|
||||||
|
a) create a certificate (Snake Oil) for the TEST --- THIS
|
||||||
|
CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR
|
||||||
|
TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A
|
||||||
|
CERTIFICATION AUTHORITY FOR PRODUCTION USE.
|
||||||
|
|
||||||
|
go to: cd /usr/share/doc/packages/mod_ssl
|
||||||
|
|
||||||
|
run: ./certificate.sh
|
||||||
|
|
||||||
|
see following questions will come up. Give shown answers
|
||||||
|
and use the pass phrase:
|
||||||
|
|
||||||
|
der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh
|
||||||
|
SSL Certificate Generation Utility (mkcert.sh)
|
||||||
|
Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.
|
||||||
|
|
||||||
|
Generating test certificate signed by Snake Oil CA [TEST]
|
||||||
|
WARNING: Do not use this for real-life/production systems
|
||||||
|
|
||||||
|
STEP 0: Decide the signature algorithm used for certificate
|
||||||
|
The generated X.509 CA certificate can contain either
|
||||||
|
RSA or DSA based ingredients. Select the one you want to use.
|
||||||
|
Signature Algorithm ((R)SA or (D)SA) [R]:R
|
||||||
|
|
||||||
|
|
||||||
|
STEP 1: Generating RSA private key (1024 bit) [server.key]
|
||||||
|
123006 semi-random bytes loaded
|
||||||
|
Generating RSA private key, 1024 bit long modulus
|
||||||
|
..++++++
|
||||||
|
.................++++++
|
||||||
|
e is 65537 (0x10001)
|
||||||
|
|
||||||
|
STEP 2: Generating X.509 certificate signing request
|
||||||
|
[server.csr]
|
||||||
|
Using configuration from .mkcert.cfg
|
||||||
|
You are about to be asked to enter information that will be
|
||||||
|
incorporated
|
||||||
|
into your certificate request.
|
||||||
|
What you are about to enter is what is called a Distinguished
|
||||||
|
Name or a DN.
|
||||||
|
There are quite a few fields but you can leave some blank
|
||||||
|
For some fields there will be a default value,
|
||||||
|
If you enter '.', the field will be left blank.
|
||||||
|
-----
|
||||||
|
1. Country Name (2 letter code) [XY]:DE
|
||||||
|
2. State or Province Name (full name) [Snake Desert]:
|
||||||
|
<enter>
|
||||||
|
3. Locality Name (eg, city) [Snake Town]:
|
||||||
|
<enter>
|
||||||
|
4. Organization Name (eg, company) [Snake Oil, Ltd]:
|
||||||
|
<enter>
|
||||||
|
5. Organizational Unit Name (eg, section) [Webserver Team]:
|
||||||
|
<enter>
|
||||||
|
6. Common Name (eg, FQDN) [www.snakeoil.dom]:
|
||||||
|
<enter>
|
||||||
|
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:
|
||||||
|
<enter>
|
||||||
|
|
||||||
|
STEP 3: Generating X.509 certificate signed by Snake Oil CA
|
||||||
|
[server.crt]
|
||||||
|
Certificate Version (1 or 3) [3]:3
|
||||||
|
Signature ok
|
||||||
|
subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil,
|
||||||
|
Ltd/OU=Webserver
|
||||||
|
Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom
|
||||||
|
Getting CA Private Key
|
||||||
|
Verify: matching certificate & key modulus
|
||||||
|
read RSA key
|
||||||
|
Verify: matching certificate signature
|
||||||
|
/etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake
|
||||||
|
Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil
|
||||||
|
CA/Email=ca@snakeoil.dom
|
||||||
|
error 10 at 1 depth lookup:certificate has expired
|
||||||
|
OK
|
||||||
|
|
||||||
|
STEP 4: Enrypting RSA private key with a pass phrase for
|
||||||
|
security [server.key]
|
||||||
|
The contents of the server.key file (the generated private key)
|
||||||
|
has to be
|
||||||
|
kept secret. So we strongly recommend you to encrypt the
|
||||||
|
server.key file
|
||||||
|
with a Triple-DES cipher and a Pass Phrase.
|
||||||
|
Encrypt the private key now? [Y/n]: Y
|
||||||
|
read RSA key
|
||||||
|
writing RSA key
|
||||||
|
Enter PEM pass phrase: <=== crypto
|
||||||
|
Verifying password - Enter PEM pass phrase: <=== crypto
|
||||||
|
Fine, you're using an encrypted RSA private key.
|
||||||
|
|
||||||
|
RESULT: Server Certification Files
|
||||||
|
|
||||||
|
o conf/ssl.key/server.key
|
||||||
|
|
||||||
|
The PEM-encoded RSA private key file which you
|
||||||
|
configure with the 'SSLCertificateKeyFile' directive
|
||||||
|
(automatically done when you install via APACI). KEEP
|
||||||
|
THIS FILE PRIVATE!
|
||||||
|
|
||||||
|
o conf/ssl.crt/server.crt
|
||||||
|
|
||||||
|
The PEM-encoded X.509 certificate file which you configure
|
||||||
|
with the 'SSLCertificateFile' directive (automatically done
|
||||||
|
when you install via APACI).
|
||||||
|
|
||||||
|
o conf/ssl.csr/server.csr
|
||||||
|
|
||||||
|
The PEM-encoded X.509 certificate signing request file
|
||||||
|
which you can send to an official Certificate Authority
|
||||||
|
(CA) in order to request a real server certificate
|
||||||
|
(signed by this CA instead of our demonstration-only
|
||||||
|
Snake Oil CA) which later can replace the
|
||||||
|
conf/ssl.crt/server.crt file.
|
||||||
|
|
||||||
|
WARNING: Do not use this for real-life/production systems
|
||||||
|
|
||||||
|
der3gbe:/usr/share/doc/packages/mod_ssl #
|
||||||
|
|
||||||
|
6) Start Apache with SSL
|
||||||
|
|
||||||
|
a) start with pass phrase (Changes done to apache modul
|
||||||
|
described in item c)).
|
||||||
|
|
||||||
|
run: rcapache start
|
||||||
|
|
||||||
|
dev3fe01:~ # rcapache start
|
||||||
|
|
||||||
|
Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26
|
||||||
|
mod_ssl/2.8.10 (Pass Phrase Dialog)
|
||||||
|
Some of your private key files are encrypted for security
|
||||||
|
reasons.
|
||||||
|
In order to read them you have to provide us with the pass
|
||||||
|
phrases.
|
||||||
|
|
||||||
|
Server dev3fe01.boeblingen.de.ibm.com:443 (RSA)
|
||||||
|
Enter pass phrase: crypto
|
||||||
|
|
||||||
|
Ok: Pass Phrase Dialog successful.
|
||||||
|
done
|
||||||
|
|
||||||
|
b) start without pass phrase when using apache without
|
||||||
|
ssl-support
|
||||||
|
|
||||||
|
remark: You need to change the apache modul (see
|
||||||
|
item c)). Set the HTTPD_SEC_MOD_SSL=no.
|
||||||
|
|
||||||
|
run: rcapache start
|
||||||
|
|
||||||
|
|
||||||
|
7) Check that ibmca is used and apache is working with http and https:
|
||||||
|
|
||||||
|
a) On a browser enter http://<server-host> or
|
||||||
|
https://<server-host>
|
||||||
|
b) with netstat or netstat -a on the apache server machine you
|
||||||
|
can see if https is used.
|
||||||
|
c) in the log /var/log/httpd/ssl_engine_log you can see if the
|
||||||
|
ibmca engine is started or not.
|
||||||
|
d) during siege test you can see with cat /proc/driver/z90crypt
|
||||||
|
if and what crypto HW is used
|
||||||
|
e) you can check a http connection with telnet <server-host>
|
||||||
|
http. Then enter
|
||||||
|
get / http/1.0
|
||||||
|
and you should get back some stuff after pressing enter
|
||||||
|
twice.
|
||||||
|
|
||||||
|
f) You can check if openssl works with the ibmca engine
|
||||||
|
|
||||||
|
a) Therefore you must create certificates:
|
||||||
|
cd /usr/share/ssl/misc
|
||||||
|
run: ./CA.sh -newcert
|
||||||
|
|
||||||
|
dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert
|
||||||
|
Using configuration from /etc/ssl/openssl.cnf
|
||||||
|
Generating a 1024 bit RSA private key
|
||||||
|
......................++++++
|
||||||
|
.++++++
|
||||||
|
writing new private key to 'newreq.pem'
|
||||||
|
Enter PEM pass phrase: <== geheim
|
||||||
|
Verifying password - Enter PEM pass phrase: <== geheim
|
||||||
|
Verify failure
|
||||||
|
Enter PEM pass phrase:
|
||||||
|
Verifying password - Enter PEM pass phrase:
|
||||||
|
phrase is too short, needs to be at least 4 chars
|
||||||
|
Enter PEM pass phrase:
|
||||||
|
Verifying password - Enter PEM pass phrase:
|
||||||
|
-----
|
||||||
|
You are about to be asked to enter information that will be
|
||||||
|
incorporated
|
||||||
|
into your certificate request.
|
||||||
|
What you are about to enter is what is called a
|
||||||
|
Distinguished Name or a DN.
|
||||||
|
There are quite a few fields but you can leave some blank
|
||||||
|
For some fields there will be a default value,
|
||||||
|
If you enter '.', the field will be left blank.
|
||||||
|
-----
|
||||||
|
Country Name (2 letter code) [AU]:
|
||||||
|
<== press enter
|
||||||
|
State or Province Name (full name) [Some-State]:
|
||||||
|
<== press enter
|
||||||
|
Locality Name (eg, city) []:
|
||||||
|
<== press enter
|
||||||
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
|
||||||
|
<== press enter
|
||||||
|
Organizational Unit Name (eg, section) []:
|
||||||
|
<== press enter
|
||||||
|
Common Name (eg, YOUR name) []: <== press enter
|
||||||
|
Email Address []: <== press
|
||||||
|
enter
|
||||||
|
Certificate (and private key) is in newreq.pem
|
||||||
|
|
||||||
|
run: ./CA.sh -newca
|
||||||
|
|
||||||
|
dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca
|
||||||
|
CA certificate filename (or enter to create)
|
||||||
|
newreq.pem
|
||||||
|
dev3fe02:
|
||||||
|
|
||||||
|
|
||||||
|
b) Use openssl as a Web-browser and use https connection:
|
||||||
|
openssl s_client \
|
||||||
|
-connect <ip-addr of webserver>:443 -state -debug
|
||||||
|
|
||||||
|
The machine were you start the client is working as
|
||||||
|
your 'browser' connecting to the webserver. You can
|
||||||
|
start commands from the client like get / http/1.0 .
|
||||||
|
|
||||||
|
c) Use openssl as a Web-server and use https connection:
|
||||||
|
openssl s_server \
|
||||||
|
-accept 443 -www -engine ibmca -cert newreq.pem
|
||||||
|
|
||||||
|
The machine is working like a small webserver with full
|
||||||
|
openssl functionality. You can start your browser to
|
||||||
|
this machine and a lot of info will be sent.
|
||||||
|
|
||||||
|
dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443
|
||||||
|
-www -cert newreq.pem -engine ibmca
|
||||||
|
engine "ibmca" set.
|
||||||
|
Using default temp DH parameters
|
||||||
|
Enter PEM pass phrase: <== geheim
|
||||||
|
ACCEPT
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
BIN
libica-4.2.3.tar.gz
(Stored with Git LFS)
Normal file
BIN
libica-4.2.3.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -0,0 +1,55 @@
|
|||||||
|
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
Date: Mon, 7 Jun 2021 21:12:01 +0200
|
||||||
|
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
|
||||||
|
|
||||||
|
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||||
|
---
|
||||||
|
openssl-fipshmac | 12 ++++++++++++
|
||||||
|
src/Makefile.am | 4 ++--
|
||||||
|
2 files changed, 14 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100755 openssl-fipshmac
|
||||||
|
|
||||||
|
diff --git a/openssl-fipshmac b/openssl-fipshmac
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..60fd505
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/openssl-fipshmac
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+#!/bin/sh -e
|
||||||
|
+
|
||||||
|
+if [ "$#" -eq 0 ] ; then
|
||||||
|
+ echo "No library to hash specified." >&2
|
||||||
|
+ exit 22
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+while [ -n "$1" ] ; do
|
||||||
|
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
|
||||||
|
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
|
||||||
|
+ shift
|
||||||
|
+done
|
||||||
|
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||||
|
index 4a1ef14..2be01a5 100644
|
||||||
|
--- a/src/Makefile.am
|
||||||
|
+++ b/src/Makefile.am
|
||||||
|
@@ -47,6 +47,7 @@
|
||||||
|
./mp.pl mp.S
|
||||||
|
|
||||||
|
if ICA_FIPS
|
||||||
|
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
|
||||||
|
fipsinstall:
|
||||||
|
$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
|
||||||
|
$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
|
||||||
|
@@ -58,8 +59,7 @@
|
||||||
|
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
|
||||||
|
|
||||||
|
hmac-file: libica.la libica-cex.la
|
||||||
|
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
|
||||||
|
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
|
||||||
|
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
|
||||||
|
|
||||||
|
hmac_files = hmac-file hmac-file-lnk
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
3
libica-rpmlintrc
Normal file
3
libica-rpmlintrc
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
addFilter("libica-tools.* * devel-file-in-non-devel-package * /usr/lib64/libica.so")
|
||||||
|
addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica.so.*.hmac")
|
||||||
|
addFilter("libica*.* hidden-file-or-dir /usr/lib64/.libica-cex.so.*.hmac")
|
15
libica-sles15sp5-FIPS-hmac-key.patch
Normal file
15
libica-sles15sp5-FIPS-hmac-key.patch
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
--- libica-4.3.0/src/fips.c 2020-05-04 17:01:23.238805001 -0400
|
||||||
|
+++ libica-4.3.0/src/fips.c 2020-05-04 16:58:51.352241763 -0400
|
||||||
|
@@ -65,10 +65,9 @@
|
||||||
|
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
|
||||||
|
* The known HMAC is supposed to be provided as hex string in a file
|
||||||
|
* .libica.so.VERSION.hmac in the same directory as the .so module.
|
||||||
|
- */
|
||||||
|
+ /* HMAC key is hexidecimal for: "orboDeJITITejsirpADONivirpUkvarP" */
|
||||||
|
static const char hmackey[] =
|
||||||
|
- "0000000000000000000000000000000000000000000000000000000000000000"
|
||||||
|
- "0000000000000000000000000000000000000000000000000000000000000000";
|
||||||
|
+ "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
|
||||||
|
|
||||||
|
#endif /* ICA_INTERNAL_TEST */
|
||||||
|
|
795
libica.changes
Normal file
795
libica.changes
Normal file
@ -0,0 +1,795 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 4.2.3 (jsc#PED-5446)
|
||||||
|
* Add OPENSSL_init_crypto in libica constructor
|
||||||
|
* Remove deprecated ioctl Z90STAT_STATUS_MASK
|
||||||
|
* Bug fixes
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 23 14:16:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
|
||||||
|
- [UPDATE] syslog msgs only in error cases
|
||||||
|
- [UPDATE] don't count statistics in fips power-on self tests
|
||||||
|
- [PATCH] various fixes and some new tests
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 28 09:20:08 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 27 16:12:06 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||||
|
|
||||||
|
- Prefix /etc/libica with %dir to ensure we don't package
|
||||||
|
unversioned files in libica4, as otherwise we violate SLPP.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 27 14:34:27 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
- Add /etc/libica directory into %files section.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Feb 17 11:08:33 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 4.2.1 (jsc#PED-2872)
|
||||||
|
- [PATCH] fix regression opening shared memory
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jan 16 13:00:34 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365).
|
||||||
|
- [FEATURE] Display build info via icainfo -v
|
||||||
|
- [FEATURE] New API function ica_get_build_version()
|
||||||
|
- [FEATURE] Display fips indication via icainfo -f
|
||||||
|
- [FEATURE] New API function ica_get_fips_indicator()
|
||||||
|
- [FEATURE] New API function ica_aes_gcm_initialize_fips()
|
||||||
|
- [FEATURE] New API function ica_aes_gcm_kma_get_iv()
|
||||||
|
- [FEATURE] New API function ica_get_msa_level()
|
||||||
|
- [PATCH] icainfo: check for malloc error when getting functionlist
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 11 20:32:12 UTC 2022 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365).
|
||||||
|
v4.1.1
|
||||||
|
- [PATCH] Fix aes-xts multi-part operations
|
||||||
|
[PATCH] Fix make dist
|
||||||
|
v4.1.0
|
||||||
|
- [FEATURE] FIPS: make libica FIPS 140-3 compliant
|
||||||
|
[FEATURE] New API function ica_ecdsa_sign_ex()
|
||||||
|
[FEATURE] New icainfo output option -r
|
||||||
|
- [PATCH] Various bug fixes
|
||||||
|
- Removed the following obsolete files:
|
||||||
|
baselibs.conf
|
||||||
|
icaioctl.h
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 12 19:09:59 UTC 2022 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629)
|
||||||
|
v4.0.3
|
||||||
|
- [PATCH] Reduce the number of open file descriptors
|
||||||
|
- [PATCH] Various bug fixes
|
||||||
|
v4.0.2
|
||||||
|
- [PATCH] Various bug fixes
|
||||||
|
v4.0.1
|
||||||
|
- [PATCH] Various bug fixes
|
||||||
|
- [PATCH] Compute HMAC from installed library
|
||||||
|
v4.0.0
|
||||||
|
- [UPDATE] NO_SW_FALLBACKS is now the default for libica.so
|
||||||
|
[UPDATE] Removed deprecated API functions including tests
|
||||||
|
[UPDATE] Introduced 'const' for some API function parameters
|
||||||
|
[FEATURE] icastats: new parm -k to display detailed counters
|
||||||
|
- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated
|
||||||
|
version named libica-sles15sp5-FIPS-hmac-key.patch.
|
||||||
|
- Updated the libica-rpmlintrc file to suppress warnings about the
|
||||||
|
libica-cex hmac files being hidden.
|
||||||
|
- Updated the spec file to properly both obsolete and provide two
|
||||||
|
older versions of the package.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 19 21:20:22 UTC 2021 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564)
|
||||||
|
- [FEATURE] Add support for OpenSSL 3.0
|
||||||
|
- [FEATURE] icainfo: new parm -c to display available EC curves
|
||||||
|
- Replaced the obsolete PreReq: %fillup_prereq
|
||||||
|
with Requires(post): %fillup_prereq
|
||||||
|
in the spec file.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
|
||||||
|
|
||||||
|
- Update to version 3.8.0 (jsc#SLE-18334)
|
||||||
|
- [FEATURE] provide libica-cex module to satisfy special security requirements
|
||||||
|
- [FEATURE] FIPS: enforce the HMAC check
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
|
||||||
|
- libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
|
||||||
|
- libica-sles15sp2-Zeroize-local-variables.patch
|
||||||
|
- Remove patches obsoleted by upstrea developent:
|
||||||
|
* FIPS: Find libica from phdrs.
|
||||||
|
- libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
|
||||||
|
* FIPS: enforce the hmac check
|
||||||
|
- libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
|
||||||
|
- Fix up tests and hmac generation
|
||||||
|
+ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||||
|
- Remove obsolete attributes from filelists
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Upgraded to version 3.7.0 (jsc#SLE-13708)
|
||||||
|
* Version 3.7.0
|
||||||
|
- [FEATURE] FIPS: Add HMAC based library integrity check
|
||||||
|
- [PATCH] icainfo: bugfix for RSA and EC related info for software column.
|
||||||
|
- [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
|
||||||
|
- [PATCH] FIPS: Fix DES and TDES key length
|
||||||
|
- [PATCH] icastats: Fix stats counter format
|
||||||
|
* Version 3.6.1
|
||||||
|
- [PATCH] Fix x25519 and x448 handling of non-canonical values
|
||||||
|
- Removed the following obsolete patches
|
||||||
|
* libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
|
||||||
|
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
|
||||||
|
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
|
||||||
|
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
|
||||||
|
* libica-sles15sp2-Build-with-pthread-flag.patch
|
||||||
|
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
|
||||||
|
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
|
||||||
|
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 15 21:08:38 UTC 2020 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277)
|
||||||
|
* Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
|
||||||
|
* Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
|
||||||
|
- Fix FIPS hmac check (bsc#1175356).
|
||||||
|
* Update FIPS support to upstream
|
||||||
|
- Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
|
||||||
|
from upstream.
|
||||||
|
- Add libica-sles15sp2-Build-with-pthread-flag.patch
|
||||||
|
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
|
||||||
|
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
|
||||||
|
- Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
|
||||||
|
* FIPS check should fail when hmac is missing
|
||||||
|
- Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
|
||||||
|
- Create an hmac for the selftest
|
||||||
|
- Check that selftest fails without a hmac
|
||||||
|
- Hash libica.so.3 rather than libica.so.3.6.0
|
||||||
|
* Fix hmac key format. It should be hexadecimal, not ASCII
|
||||||
|
- Refresh libica-sles15sp2-FIPS-hmac-key.patch
|
||||||
|
- Fix Some internal variables used to store sensitive information
|
||||||
|
(keys) were not zeroized before returning to the calling application.
|
||||||
|
(bsc#1175357)
|
||||||
|
* Added libica-sles15sp2-Zeroize-local-variables.patch
|
||||||
|
- Updated libica-rpmlintrc to eliminate the warning about the HMAC file
|
||||||
|
being a hidden file. It is supposed to be hidden.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 7 18:01:31 UTC 2020 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Added the following patches for FIPS certification (bsc#1162533)
|
||||||
|
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
|
||||||
|
* libica-sles15sp2-FIPS-hmac-key.patch
|
||||||
|
- Added a BuildRequires for the fipscheck package.
|
||||||
|
- Made a couple of changes to the spec file based upon recommendations
|
||||||
|
by spec-cleaner.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 8 18:55:24 UTC 2020 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Added the following patches for FIPS certification.
|
||||||
|
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
|
||||||
|
(bsc#1166071) Although a DES key has only 56 effective bits,
|
||||||
|
all 64 bits must be considered, because the parity bits are
|
||||||
|
spread over all 8 bytes of the key.
|
||||||
|
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
|
||||||
|
(bsc#1166210) FIPS tests require the output iv to be the iv
|
||||||
|
resulting from decrypting the last block with a zero iv as input.
|
||||||
|
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
|
||||||
|
(bsc#1166224) The output from icainfo never shows 'yes' for
|
||||||
|
RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
|
||||||
|
due to the missing ICA_FLAG_SW flag in the icaList.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 14 22:45:16 UTC 2019 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
|
||||||
|
(bsc#1156768)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 15 18:53:36 UTC 2019 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Upgraded to version 3.6.0 (jsc#SLE-7584)
|
||||||
|
* [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 30 21:46:50 UTC 2019 - Mark Post <mpost@suse.com>
|
||||||
|
|
||||||
|
- Upgraded to version 3.5.0 (Fate#327840)
|
||||||
|
- [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify
|
||||||
|
- Reworked how libica-tools loads and unloads kernel modules to
|
||||||
|
avoid spurious error messages (bsc#1134004):
|
||||||
|
* Converted the boot.z90crypt sysV init script to a systemd unit
|
||||||
|
file.
|
||||||
|
* Removed any references to insserv in the spec file.
|
||||||
|
* Updated the z90crypt script itself to properly load and unload
|
||||||
|
the kernel modules as they exist today.
|
||||||
|
* Eliminated the obsolete libica-SuSE.tar.bz2 archive.
|
||||||
|
- Updated the README.SUSE file to reflect the change from sysV init
|
||||||
|
style script to systemd.
|
||||||
|
- Made numerous changes to the spec file, based on the output from
|
||||||
|
the spec-cleaner command.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 24 10:09:46 UTC 2019 - Martin Pluskal <mpluskal@suse.com>
|
||||||
|
|
||||||
|
- Run testsuite during build
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 15 19:16:30 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
|
- Upgraded to version 3.4.0 (Fate#325690)
|
||||||
|
* v3.4.0
|
||||||
|
[FEATURE] Add SHA-512/224 and SHA-512/256 support
|
||||||
|
- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch
|
||||||
|
- Made numerous updates to spec file based on spec-cleanup run.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 14 18:01:37 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
|
- Upgraded to version 3.3.3 (Fate#325690)
|
||||||
|
* v3.3.3
|
||||||
|
[PATCH] Various bug fixes
|
||||||
|
* v3.3.2
|
||||||
|
[PATCH] Skip ECC tests if required HW is not available
|
||||||
|
[PATCH] Update spec file
|
||||||
|
* v3.3.1
|
||||||
|
[PATCH] Fix configure.ac to honour CFLAGS
|
||||||
|
* v3.3.0
|
||||||
|
[FEATURE] Add CEX supported elliptic-curve crypto interfaces
|
||||||
|
[FEATURE] Add SIMD supported multiple-precision arithmetic interfaces
|
||||||
|
[FEATURE] Add interface to enable/disable SW fallbacks
|
||||||
|
[FEATURE] Add 'make check' target, test-suite rework
|
||||||
|
* v3.2.1
|
||||||
|
[FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG.
|
||||||
|
[PATCH] Various bug fixes.
|
||||||
|
- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch
|
||||||
|
- Removed COPYING from %files, since it is no longer in the tarball.
|
||||||
|
- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch
|
||||||
|
(bsc#1103493).
|
||||||
|
- Made multiple changes to the spec file based on the output of
|
||||||
|
spec-cleaner
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 22 19:09:13 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added "Obsoletes: libica-2_3_0" to the libica-tools package to
|
||||||
|
fix a problem with upgrading from SLES12 SP2 to either SLES12
|
||||||
|
SP3/SP4, or SLES15. (bsc#1112655)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 11 17:19:57 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added "Obsoletes: libica2" to the libica-tools package to fix
|
||||||
|
a problem with upgrading from SLES12 SP2 to either SLES12
|
||||||
|
SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 18 02:29:29 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756)
|
||||||
|
- Updated boot.z90crypt script to fix a problem with the modprobe
|
||||||
|
command not being found. (bsc#1040229).
|
||||||
|
- Added "Recommends: libica-tools" (bsc#1046435).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 23 13:53:22 UTC 2017 - rbrown@suse.com
|
||||||
|
|
||||||
|
- Replace references to /var/adm/fillup-templates with new
|
||||||
|
%_fillupdir macro (boo#1069468)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 4 19:22:58 UTC 2017 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added "--enable-fips" to the %configure parms (Fate#324115)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 22 21:27:04 UTC 2017 - mpost@suse.com
|
||||||
|
|
||||||
|
- Upgraded to version 3.2 (Fate#321517)
|
||||||
|
* v3.2.0
|
||||||
|
[FEATURE] New AES-GCM interface.
|
||||||
|
[UPDATE] Add symbol versioning.
|
||||||
|
* v3.1.1
|
||||||
|
[PATCH] Various bug fixes related to old and new AES-GCM implementations.
|
||||||
|
[UPDATE] Add SHA3 test cases. Improved and extended test suite.
|
||||||
|
* v3.1.0
|
||||||
|
[FEATURE] Add KMA support for AES-GCM.
|
||||||
|
[FEATURE] Add SHA-3 support.
|
||||||
|
[PATCH] Reject RSA keys with invalid key-length.
|
||||||
|
[PATCH] Allow zero output length for ica_random_number_generate.
|
||||||
|
[PATCH] icastats: Correct owner of shared segment when root creates it.
|
||||||
|
* Removed the following obsolete patches:
|
||||||
|
libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
|
||||||
|
libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
|
||||||
|
libica-3.0.2-03-fix-aes-ctr.patch
|
||||||
|
libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 13 20:23:05 UTC 2017 - mpost@suse.com
|
||||||
|
|
||||||
|
- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567)
|
||||||
|
- Added the following patches (bsc#1058567)
|
||||||
|
- libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
|
||||||
|
- libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
|
||||||
|
- libica-3.0.2-03-fix-aes-ctr.patch
|
||||||
|
- libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jun 1 14:36:04 UTC 2017 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- baselibs.conf doesn't need any additional provides/conflicts for
|
||||||
|
libica3.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 12 09:07:34 UTC 2017 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Update baselibs.conf with proper name for library package name,
|
||||||
|
stop providing/obsoleting libica-2_1_0/libica-2_3-0.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 9 17:23:11 UTC 2017 - mpost@suse.com
|
||||||
|
|
||||||
|
- Upgraded to version 3.0.2 (Fate#322025).
|
||||||
|
- v3.0.2
|
||||||
|
- Fix locking callbacks for openSSL APIs.
|
||||||
|
- v3.0.1
|
||||||
|
- Fixed msa level detection on zEC/BC12 GA1 and predecessors.
|
||||||
|
- v3.0.0
|
||||||
|
- Added FIPS mode.
|
||||||
|
- Sanitized exported symbols.
|
||||||
|
- Removed deprecated APIs. Marked some APIs as deprecated.
|
||||||
|
- Adapted to OpenSSL v1.1.0.
|
||||||
|
- RSA key generation is thread-safe now.
|
||||||
|
- Removed the following obsolete patches:
|
||||||
|
- fix-initialization-of-s390-hardware-switches-1.patch
|
||||||
|
- fix-initialization-of-s390-hardware-switches-2.patch
|
||||||
|
- fix-msa-level-detection.patch
|
||||||
|
- fix-segfault-during-multithread-keygen.patch
|
||||||
|
- rng-performance.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 31 20:45:35 UTC 2017 - mpost@suse.com
|
||||||
|
|
||||||
|
- Made the following packaging changes:
|
||||||
|
- Implemented the shared library packaging guidelines.
|
||||||
|
- Consolidated double invocation of %setup into just one.
|
||||||
|
- Dropped redundant %ifarch, the package is already ExclusiveArch.
|
||||||
|
- Updated descriptions.
|
||||||
|
- Added an libica-rpmlintrc file.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 30 20:04:29 UTC 2016 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added the following two patches:
|
||||||
|
- fix-segfault-during-multithread-keygen.patch (bsc#991485)
|
||||||
|
- fix-msa-level-detection.patch (bsc#1010927)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 2 16:00:30 UTC 2016 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added rng-performance.patch (bsc#990850).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jun 14 21:03:41 UTC 2016 - mpost@suse.com
|
||||||
|
|
||||||
|
- Updated baselibs.conf to obsolete prior versions of the 32bit
|
||||||
|
package. (bsc#983897):
|
||||||
|
provides "libica-<targettype> = <version>"
|
||||||
|
obsoletes "libica-<targettype> < <version>"
|
||||||
|
provides "libica-2_1_0-<targettype> = <version>"
|
||||||
|
obsoletes "libica-2_1_0-<targettype> < <version>"
|
||||||
|
provides "libica-2_3_0-<targettype> = <version>"
|
||||||
|
obsoletes "libica-2_3_0-<targettype> < <version>"
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 18 16:52:44 UTC 2016 - mpost@suse.com
|
||||||
|
|
||||||
|
- Added fix-initialization-of-s390-hardware-switches-1.patch and
|
||||||
|
fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 22 19:12:49 UTC 2016 - mpost@suse.com
|
||||||
|
|
||||||
|
- Upgraded to version 2.6.2 (FATE#319610).
|
||||||
|
- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to
|
||||||
|
naming standards.
|
||||||
|
- Found the original location of the icaioctl.h file and downloaded
|
||||||
|
it to replace what we had previously.
|
||||||
|
- Removed the unnecessary libica2.la file
|
||||||
|
- Removed unnecessary Requires for glibc-devel
|
||||||
|
- Added Requires libica2 to the -devel package
|
||||||
|
- Converted call to configure to %configure macro
|
||||||
|
- Removed obsolete and unnecessary INSROOT and bindir parameters
|
||||||
|
from the make install command
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 6 16:02:05 CET 2015 - pth@suse.de
|
||||||
|
|
||||||
|
- Add Provides/Obsoletes for libica-2_3_0 so that the package from
|
||||||
|
SLE12 GA is replaced (bsc#953096).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 4 10:41:19 UTC 2015 - meissner@suse.com
|
||||||
|
|
||||||
|
- move the .so file to the mainpackage, the openssl-ibmca engine
|
||||||
|
will only load "libica.so" (bsc#952871)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 17 21:04:40 UTC 2015 - jjolly@suse.com
|
||||||
|
|
||||||
|
- Update to libica v2.4.2 (FATE#318035)
|
||||||
|
- Removed outdated libica-aes_ccm-31-bit-compatibility.patch
|
||||||
|
- Moved init script into libica-SuSE.tar.bz2 archive
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de
|
||||||
|
|
||||||
|
- sanitize release line in specfile
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 13 18:01:15 UTC 2014 - jjolly@suse.com
|
||||||
|
|
||||||
|
- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root
|
||||||
|
- Removed libica-SuSE.tar.bz2
|
||||||
|
- z90crypt now starts and stops ap kernel module (bnc#888943)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Mar 18 13:21:03 UTC 2014 - jjolly@suse.com
|
||||||
|
|
||||||
|
- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM:
|
||||||
|
fixed 64/31 bit compatibility
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 6 14:51:45 CET 2014 - ro@suse.de
|
||||||
|
|
||||||
|
- add obsoletes and provides for older libica versions
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 5 18:33:02 CET 2014 - ro@suse.de
|
||||||
|
|
||||||
|
- update to 2.3.0 (fate#315342)
|
||||||
|
- obsolete/upstreamed patches:
|
||||||
|
libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch
|
||||||
|
libica-2_1_0-msa4-extension.patch
|
||||||
|
libica-2_1_0-synchronize_shared_memory_ref_counting.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 19 06:04:25 UTC 2014 - jjolly@suse.com
|
||||||
|
|
||||||
|
- Added COPYING to %files
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 18 14:33:13 UTC 2014 - jjolly@suse.com
|
||||||
|
|
||||||
|
- Fixed build dependency errors by requiring autoconf, automake
|
||||||
|
and libtool
|
||||||
|
- Changed license to CPL-1.0
|
||||||
|
- Created devel package
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Dec 21 14:49:54 UTC 2012 - uli@suse.com
|
||||||
|
|
||||||
|
- Support for MSA4 extension (bnc#794518, fate#314078)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 6 10:46:26 UTC 2011 - uli@suse.com
|
||||||
|
|
||||||
|
- synchronize shared memory reference counting for library
|
||||||
|
statistics (bnc#719659)
|
||||||
|
- fix temporary buffer allocation in ica_get_version() (bnc#719660)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jun 14 11:50:13 CEST 2011 - uli@suse.de
|
||||||
|
|
||||||
|
- update -> 2.1.0 (fate#311914)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 23 22:40:55 CET 2009 - jjolly@suse.de
|
||||||
|
|
||||||
|
- Moved icainfo into /usr/bin (bnc#448643)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 13 12:34:56 CET 2009 - olh@suse.de
|
||||||
|
|
||||||
|
- obsolete old -XXbit packages (bnc#437293)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 5 01:34:34 CET 2008 - ro@suse.de
|
||||||
|
|
||||||
|
- fix build on all platforms
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Nov 2 01:56:40 CET 2008 - jjolly@suse.de
|
||||||
|
|
||||||
|
- Added CPL license to include/z90crypt.h, removed GPL reference
|
||||||
|
(This patch is upstream)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 15 15:55:55 CEST 2008 - jjolly@suse.de
|
||||||
|
|
||||||
|
- Changed package name to libica-1_3_9 to conform to rpmlint
|
||||||
|
requirements. (bnc#433432)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 25 10:34:00 CEST 2008 - jjolly@suse.de
|
||||||
|
|
||||||
|
- Removed soname filter for rpmlint
|
||||||
|
- Several RPM fixes to help satisfy rpmlint
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 12 06:54:16 CEST 2008 - jjolly@suse.de
|
||||||
|
|
||||||
|
- Updated to libica 1.3.9
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
|
||||||
|
|
||||||
|
- added baselibs.conf file to build xxbit packages
|
||||||
|
for multilib support
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 9 19:20:07 CEST 2007 - olh@suse.de
|
||||||
|
|
||||||
|
- remove inclusion of linux/config.h
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 12 14:02:57 CET 2007 - uli@suse.de
|
||||||
|
|
||||||
|
- z90crypt: handle errors (bug #247799)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 22 08:43:22 CEST 2006 - aj@suse.de
|
||||||
|
|
||||||
|
- Add gcc-c++ to BuildRequires.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 19 16:50:02 CEST 2006 - ro@suse.de
|
||||||
|
|
||||||
|
- fix build for the rest of platforms
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 19 15:34:30 CEST 2006 - hare@suse.de
|
||||||
|
|
||||||
|
- Update to libica 1.3.7 (#160036 - LTC22571)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 21 14:31:10 CEST 2006 - hare@suse.de
|
||||||
|
|
||||||
|
- Increasing # of open handles with symmetric crypto support
|
||||||
|
(#165323 - LTC23095)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jan 25 21:37:29 CET 2006 - mls@suse.de
|
||||||
|
|
||||||
|
- converted neededforbuild to BuildRequires
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 14 01:30:49 CET 2005 - ro@suse.de
|
||||||
|
|
||||||
|
- include string.h and unistd.h in icalinux.c
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 12 15:09:25 CET 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Port package from SLES9 SP3
|
||||||
|
- Update to libica 1.3.6-rc3.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 2 16:23:24 CET 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Close all filehandles (#130060 - LTC19221).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 5 14:07:28 CEST 2005 - uli@suse.de
|
||||||
|
|
||||||
|
- downgrade to libica 1.3.6-rc2 (contains AES software fallback,
|
||||||
|
bug #117336)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 29 12:44:50 CEST 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Update to libica 1.3.6 (#117336)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 23 02:05:26 CEST 2005 - ro@suse.de
|
||||||
|
|
||||||
|
- fix implicit declaration
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 31 13:20:55 CEST 2005 - ihno@suse.de
|
||||||
|
|
||||||
|
- Changing the default value from 0 to -1 in rcz90crypt (#114371)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 23 17:52:05 CEST 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Finally fix 'reload' messages (#81824 - LTC15733).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 20 12:11:51 CEST 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Fix sigill patch.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 18 13:17:39 CEST 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Remove printf output from sigill patch (#81829 - LTC15731).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 10 12:56:38 CEST 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Use correct default value for z90crypt (#81825 - LTC15732).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 9 14:49:52 CEST 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Fix messages for 'reload' (#81824 - LTC15733).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 8 16:58:02 CET 2005 - hare@suse.de
|
||||||
|
|
||||||
|
- Fixed SIGILL on z900 (#46422).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 23 10:06:08 CEST 2004 - hare@suse.de
|
||||||
|
|
||||||
|
- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 14 08:22:27 CEST 2004 - hare@suse.de
|
||||||
|
|
||||||
|
- Fix module loading error (#42006).
|
||||||
|
- Add sysconfig variable to set the 'domain' parameter (#42005).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 23 12:58:58 CEST 2004 - uli@suse.de
|
||||||
|
|
||||||
|
- update -> 1.3.5-3 (bug #42122)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 24 18:28:27 CEST 2004 - bk@suse.de
|
||||||
|
|
||||||
|
- Update README.SuSE and correct name as well
|
||||||
|
- Use modprobe instead of insmod and fix module load error(#40526)
|
||||||
|
- Fix error checking for no hardware found case and hw error on load
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 7 15:15:17 CEST 2004 - hare@suse.de
|
||||||
|
|
||||||
|
- Update Readme again for the correct name (SUSE LINUX Server).
|
||||||
|
- Moved README.SuSE to README.SUSE.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 7 15:00:51 CEST 2004 - hare@suse.de
|
||||||
|
|
||||||
|
- Update Readme to refer to the correct name (SUSE Linux Server).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 6 09:01:53 CEST 2004 - hare@suse.de
|
||||||
|
|
||||||
|
- Update to 1.3.5-2 (#38511, #39693).
|
||||||
|
- Update Readme to refer to SUSE Linux Server instead of
|
||||||
|
SuSE Linux Enterprise Server.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 1 09:50:02 CEST 2004 - hare@suse.de
|
||||||
|
|
||||||
|
- Update to 1.3.5
|
||||||
|
- export CFLAGS & CPPFLAGS for configure
|
||||||
|
- Exclude S/390-specific files for other archs (#37183)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 16 01:29:03 CET 2004 - ro@suse.de
|
||||||
|
|
||||||
|
- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 13 10:00:42 CET 2004 - adrian@suse.de
|
||||||
|
|
||||||
|
- fix build
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jan 11 21:07:44 CET 2004 - adrian@suse.de
|
||||||
|
|
||||||
|
- build as user
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 30 18:14:08 CEST 2003 - poeml@suse.de
|
||||||
|
|
||||||
|
- update to 1.3.4
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jul 27 16:37:20 CEST 2003 - poeml@suse.de
|
||||||
|
|
||||||
|
- update to 1.3.2
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 11 11:30:22 CEST 2003 - poeml@suse.de
|
||||||
|
|
||||||
|
- update to 1.3.1:
|
||||||
|
now supports DES, TDES and SHA, as well as RSA.
|
||||||
|
- throw libica.patch away, since autoversion and Makefile.am have
|
||||||
|
similar changes now, and the renaming from _LINUX_S390_ to
|
||||||
|
__s390__ is not really necessary
|
||||||
|
- use %defattr
|
||||||
|
- checked that icaioctl.h is still current
|
||||||
|
- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone
|
||||||
|
open source meanwhile and comes with the kernel sources
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 31 10:45:00 CET 2002 - froh@suse.de
|
||||||
|
|
||||||
|
- added documentation how to set up crypto hardware support,
|
||||||
|
esp. S/390 and zSeries. (#16011, #22056)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 10 11:07:07 CEST 2002 - froh@suse.de
|
||||||
|
|
||||||
|
- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5
|
||||||
|
actually work. (#20737)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 20 10:52:45 CEST 2002 - mmj@suse.de
|
||||||
|
|
||||||
|
- Correct PreReq
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 31 15:00:23 CEST 2002 - froh@suse.de
|
||||||
|
|
||||||
|
- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and
|
||||||
|
to build on non-s390
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 30 10:56:33 CEST 2002 - froh@suse.de
|
||||||
|
|
||||||
|
- updated to current libica
|
||||||
|
- hacked in icaioctl.h for build, 'til we have the module in the
|
||||||
|
kernel.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Jul 27 16:16:35 CEST 2002 - adrian@suse.de
|
||||||
|
|
||||||
|
- add %run_ldconfig
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 7 14:27:50 CEST 2002 - ro@suse.de
|
||||||
|
|
||||||
|
- fix for current automake/autoconf
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Apr 27 11:12:11 CEST 2002 - ro@suse.de
|
||||||
|
|
||||||
|
- removed old fillup-template and START_ variable
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 27 17:58:50 CET 2002 - ihno@suse.de
|
||||||
|
|
||||||
|
- modified etc/init.d/z90crypt-script to report result at start.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 5 11:01:16 CET 2002 - froh@suse.de
|
||||||
|
|
||||||
|
- Added openssl to #neededforbuild, which is needed in addition to
|
||||||
|
openssl-devel
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
|
||||||
|
|
||||||
|
- initial version
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
204
libica.spec
Normal file
204
libica.spec
Normal file
@ -0,0 +1,204 @@
|
|||||||
|
#
|
||||||
|
# spec file for package libica
|
||||||
|
#
|
||||||
|
# Copyright (c) 2023 SUSE LLC
|
||||||
|
#
|
||||||
|
# All modifications and additions to the file contributed by third parties
|
||||||
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
# upon. The license for this file, and modifications and additions to the
|
||||||
|
# file, is the same license as for the pristine package itself (unless the
|
||||||
|
# license for the pristine package is not an Open Source License, in which
|
||||||
|
# case the license is the MIT License). An "Open Source License" is a
|
||||||
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||||
|
%if ! %{defined _fillupdir}
|
||||||
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Name: libica
|
||||||
|
Version: 4.2.3
|
||||||
|
Release: 0
|
||||||
|
Summary: Library interface for the IBM Cryptographic Accelerator device driver
|
||||||
|
License: CPL-1.0
|
||||||
|
Group: Hardware/Other
|
||||||
|
URL: https://github.com/opencryptoki/libica
|
||||||
|
Source: https://github.com/opencryptoki/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||||
|
Source1: README.SUSE
|
||||||
|
Source2: sysconfig.z90crypt
|
||||||
|
Source3: z90crypt
|
||||||
|
Source4: z90crypt.service
|
||||||
|
Source5: %{name}-rpmlintrc
|
||||||
|
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
|
||||||
|
Patch99: libica-sles15sp5-FIPS-hmac-key.patch
|
||||||
|
|
||||||
|
BuildRequires: autoconf
|
||||||
|
BuildRequires: automake
|
||||||
|
BuildRequires: fipscheck
|
||||||
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: libtool
|
||||||
|
BuildRequires: openssl
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
Requires(post): %fillup_prereq
|
||||||
|
ExclusiveArch: s390 s390x
|
||||||
|
|
||||||
|
%description
|
||||||
|
This package contains the interface library routines used by IBM
|
||||||
|
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||||
|
(ICA).
|
||||||
|
|
||||||
|
%package -n libica4
|
||||||
|
Summary: Library interface for the IBM Cryptographic Accelerator
|
||||||
|
Group: System/Libraries
|
||||||
|
Recommends: libica-tools
|
||||||
|
|
||||||
|
%description -n libica4
|
||||||
|
This package contains the interface library routines used by IBM
|
||||||
|
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||||
|
(ICA).
|
||||||
|
|
||||||
|
%package tools
|
||||||
|
Summary: Utilities for the IBM Cryptographic Accelerator
|
||||||
|
Group: Hardware/Other
|
||||||
|
Obsoletes: libica < %{version}-%{release}
|
||||||
|
Obsoletes: libica-2_3_0 < %{version}-%{release}
|
||||||
|
Obsoletes: libica2 < %{version}-%{release}
|
||||||
|
Obsoletes: libica3 < %{version}-%{release}
|
||||||
|
Provides: libica = %{version}-%{release}
|
||||||
|
Provides: libica-2_3_0 = %{version}-%{release}
|
||||||
|
Provides: libica-plugin = %{version}-%{release}
|
||||||
|
Provides: libica2 = %{version}-%{release}
|
||||||
|
Provides: libica3 = %{version}-%{release}
|
||||||
|
|
||||||
|
%description tools
|
||||||
|
This package contains command-line utilities to inspect the IBM
|
||||||
|
eServer Cryptographic Accelerator (ICA).
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Development files for the ICA device driver interface library
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libica4 = %{version}
|
||||||
|
Requires: libopenssl-devel
|
||||||
|
Obsoletes: libica-2_1_0-devel < %{version}-%{release}
|
||||||
|
Provides: libica-2_1_0-devel = %{version}-%{release}
|
||||||
|
Obsoletes: libica-2_3_0-devel < %{version}-%{release}
|
||||||
|
Provides: libica-2_3_0-devel = %{version}-%{release}
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
This package contains the interface library routines used by IBM
|
||||||
|
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||||
|
(ICA).
|
||||||
|
|
||||||
|
This subpackage contains the necessary files to compile and link
|
||||||
|
using the libica library.
|
||||||
|
|
||||||
|
%package devel-static
|
||||||
|
Summary: Static Development files for the ICA device driver interface library
|
||||||
|
Group: Development/Libraries/C and C++
|
||||||
|
Requires: libica-devel
|
||||||
|
|
||||||
|
%description devel-static
|
||||||
|
This package contains the interface library routines used by IBM
|
||||||
|
modules to interface with the IBM eServer Cryptographic Accelerator
|
||||||
|
(ICA).
|
||||||
|
|
||||||
|
This RPM contains all the tools necessary to compile and link using
|
||||||
|
the libica library.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p 1
|
||||||
|
|
||||||
|
%build
|
||||||
|
autoreconf --force --install
|
||||||
|
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
|
||||||
|
--enable-fips
|
||||||
|
|
||||||
|
%make_build clean
|
||||||
|
%make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release"
|
||||||
|
|
||||||
|
%define major %(echo %{version} | sed -e 's/[.].*//')
|
||||||
|
|
||||||
|
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install FIPSHMAC=fipshmac
|
||||||
|
make fipsinstall FIPSHMAC=fipshmac DESTDIR=%{buildroot}
|
||||||
|
mkdir -p %{buildroot}%{_includedir}
|
||||||
|
cp -p include/ica_api.h %{buildroot}%{_includedir}
|
||||||
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
|
||||||
|
install -D %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
|
||||||
|
install -D %{SOURCE3} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
|
||||||
|
install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
|
||||||
|
# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
|
||||||
|
# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
|
||||||
|
# and the dangling symlink test would fail
|
||||||
|
chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
|
||||||
|
|
||||||
|
cp -a %{SOURCE1} .
|
||||||
|
rm -vf %{buildroot}%{_libdir}/libica*.la
|
||||||
|
rm -f %{buildroot}%{_datadir}/doc/libica/*
|
||||||
|
rmdir %{buildroot}%{_datadir}/doc/libica
|
||||||
|
rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
|
||||||
|
rmdir %{buildroot}/%{_sysconfdir}/libica
|
||||||
|
|
||||||
|
%check
|
||||||
|
%make_build check FIPSHMAC=fipshmac
|
||||||
|
|
||||||
|
%pre tools
|
||||||
|
%service_add_pre z90crypt.service
|
||||||
|
|
||||||
|
%post tools
|
||||||
|
%service_add_post z90crypt.service
|
||||||
|
%{fillup_only -n z90crypt}
|
||||||
|
|
||||||
|
%preun tools
|
||||||
|
%service_del_preun z90crypt.service
|
||||||
|
|
||||||
|
%postun tools
|
||||||
|
%service_del_postun z90crypt.service
|
||||||
|
|
||||||
|
%post -n libica4 -p /sbin/ldconfig
|
||||||
|
%postun -n libica4 -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%files -n libica4
|
||||||
|
%{_libdir}/libica.so.%{version}
|
||||||
|
%{_libdir}/libica.so.%{major}
|
||||||
|
%{_libdir}/.libica.so.%{version}.hmac
|
||||||
|
%{_libdir}/.libica.so.%{major}.hmac
|
||||||
|
%{_libdir}/libica-cex.so.%{version}
|
||||||
|
%{_libdir}/libica-cex.so.%{major}
|
||||||
|
%{_libdir}/.libica-cex.so.%{version}.hmac
|
||||||
|
%{_libdir}/.libica-cex.so.%{major}.hmac
|
||||||
|
|
||||||
|
%files tools
|
||||||
|
%license LICENSE
|
||||||
|
%doc README.SUSE
|
||||||
|
%{_sbindir}/rcz90crypt
|
||||||
|
%attr(644,root,root) %{_fillupdir}/sysconfig.z90crypt
|
||||||
|
%{_bindir}/icainfo
|
||||||
|
%{_bindir}/icainfo-cex
|
||||||
|
%{_bindir}/icastats
|
||||||
|
%{_mandir}/man1/icainfo.1%{?ext_man}
|
||||||
|
%{_mandir}/man1/icainfo-cex.1%{?ext_man}
|
||||||
|
%{_mandir}/man1/icastats.1%{?ext_man}
|
||||||
|
%dir %{_prefix}/lib/systemd/scripts
|
||||||
|
%{_prefix}/lib/systemd/scripts/z90crypt
|
||||||
|
%{_prefix}/lib/systemd/system/z90crypt.service
|
||||||
|
# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
|
||||||
|
%{_libdir}/libica.so
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_includedir}/ica_api.h
|
||||||
|
%{_libdir}/libica-cex.so
|
||||||
|
|
||||||
|
%files devel-static
|
||||||
|
%{_libdir}/libica.a
|
||||||
|
%{_libdir}/libica-cex.a
|
||||||
|
|
||||||
|
%changelog
|
10
sysconfig.z90crypt
Normal file
10
sysconfig.z90crypt
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
## Path: Kernel/z90Crypt
|
||||||
|
## Description: Set domain parameter for z90crypt
|
||||||
|
## Type: integer(-1:15)
|
||||||
|
## Default: -1
|
||||||
|
#
|
||||||
|
# This variable selects the crypto domain to be used,
|
||||||
|
# required if an LPAR owns several crypto domains.
|
||||||
|
# The value of -1 is used for autodetect.
|
||||||
|
#
|
||||||
|
Z90CRYPT_DOMAIN=-1
|
21
z90crypt
Normal file
21
z90crypt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
|
#
|
||||||
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
MODULE_LIST="pkey zcrypt_pcixcc zcrypt_cex2a zcrypt_cex4 zcrypt rng_core"
|
||||||
|
case "${1}" in
|
||||||
|
start) for module in ${MODULE_LIST}
|
||||||
|
do if ! grep -q ^{$module} /proc/modules ; then
|
||||||
|
modprobe ${module}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
stop) for module in ${MODULE_LIST}
|
||||||
|
do if grep -q ^${module} /proc/modules ; then
|
||||||
|
rmmod ${module}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
esac
|
13
z90crypt.service
Normal file
13
z90crypt.service
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Activate any cryptographic hardware
|
||||||
|
After=systemd-modules-load.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
ExecStart=/usr/lib/systemd/scripts/z90crypt start
|
||||||
|
ExecStop=/usr/lib/systemd/scripts/z90crypt stop
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target
|
Loading…
Reference in New Issue
Block a user