From 6558a62def31c4e97eb375641fd1873c2675b3328d1e4734e5ab82174ee17497 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= <adrian@suse.de>
Date: Sat, 22 Jun 2024 09:56:54 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main openssl-ibmca revision
 dcd2be3a3c4962b567d7c5a703908673

---
 _multibuild                        |   4 +
 openssl-ibmca.changes              |  55 +++++++++++
 openssl-ibmca.spec                 | 150 ++++++++++++++++++++++-------
 openssl1-rename-libica-files.patch |  65 +++++++++++++
 4 files changed, 241 insertions(+), 33 deletions(-)
 create mode 100644 _multibuild
 create mode 100644 openssl1-rename-libica-files.patch

diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..b71bc39
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,4 @@
+<multibuild>
+  <flavor>engine</flavor>
+  <flavor>provider</flavor>
+</multibuild>
diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes
index 1981e0a..1ec13a8 100644
--- a/openssl-ibmca.changes
+++ b/openssl-ibmca.changes
@@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file
+- Changed the package names
+  +-------------+---------------------------------+--------------------------+
+  |  Flavor     | Package name                    | Note                     |
+  +-------------+---------------------------------+--------------------------+
+  |  ''         | openssl-ibmca                   | Both engine and provider |
+  |  openssl1_1 | openssl1_1-ibmca                | openssl1 flavor          |
+  |  engine     | openssl-ibmca-engine            | Only engine              |
+  |  provider   | openssl-ibmca-provider          | Only provider            |
+  +-------------+---------------------------------+--------------------------+
+
+-------------------------------------------------------------------
+Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch for openssl1_1 (bsc#1221627)
+  * openssl1-rename-libica-files.patch
+
+-------------------------------------------------------------------
+Tue Apr  9 14:08:05 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) 
+  +------------+---------------------------------+--------------------------+ 
+  |  Flavor    | Package name                    | Note                     |
+  +------------+---------------------------------+--------------------------+ 
+  |  ''        | openssl-ibmca                   | openssl1 flavor          |
+  |  engine    | openssl3-ibmca-engine           | Only engine              |
+  |  provider  | openssl3-ibmca-provider         | Only provider            |
+  |  openssl3  | openssl3-ibmca                  | Both engine and provider |        
+  +------------+---------------------------------+--------------------------+ 
+- Changing/editing 'dynamic_path' after the installation on the target system 
+  * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in
+    /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig
+    for openssl3 flavor
+
+-------------------------------------------------------------------
+Thu Apr  4 07:02:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (bsc#1221627)
+  * Removed the flavors
+  * Removed 'muiltibuild' environment
+  * Removed the 'provider' logic
+
+-------------------------------------------------------------------
+Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file (bsc#1218933, bsc#1221627)
+  * Amended the .spec file to use modulesdir variable 
+- Implemented _multibuild environment (openssl1, engine, provider)
+- Added a flag and logic for provider in the .spec file
+  * When provider is set to 1, it 'configures' the provider
+  * When provider is set to 0, it 'configures' the engine
+
 -------------------------------------------------------------------
 Fri Oct 13 10:39:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec
index 9953aec..d683706 100644
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-ibmca
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2018-2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,58 +15,126 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-
-%define openssl3 1
-
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
+%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
 
+%global sslengcnf %{_sysconfdir}/ssl/engines3.d
+%global sslengdef %{_sysconfdir}/ssl/engdef3.d
+
+%define         flavor  @BUILD_FLAVOR@%{nil}
+
+%if "%{flavor}" == ""
 Name:           openssl-ibmca
+%endif
+
+%if "%{flavor}" == "engine"
+Name:           openssl-ibmca-engine
+%endif
+
+%if "%{flavor}" == "provider"
+Name:           openssl-ibmca-provider
+%endif
+
+%if "%{flavor}" == "openssl1_1"
+%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d
+%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d
+Name:           openssl1_1-ibmca
+%endif
+
 Version:        2.4.1
 Release:        0
 Summary:        The IBMCA OpenSSL dynamic engine
 License:        Apache-2.0
 Group:          Hardware/Other
 URL:            https://github.com/opencryptoki/openssl-ibmca
-Source:         https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source:         https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz
 Source1:        engine_section.txt
+Source2:        _multibuild
 ###
 BuildRequires:  autoconf
 BuildRequires:  automake
+BuildRequires:  libtool
+###
+%if "%{flavor}" != "openssl1_1"
+BuildRequires:  libopenssl3
+BuildRequires:  libopenssl-3-devel
 BuildRequires:  libica-devel >= 4.0.0
 BuildRequires:  libica-tools >= 4.0.0
-BuildRequires:  libtool
-Requires:       libica4 >= 4
-%if %{openssl3}
-BuildRequires:  openssl-devel > 3.0.0
-Requires:       openssl > 3.0.0
+Requires:       libopenssl3
+Requires:       libica4 >= 4.0.0
 %else
-BuildRequires:  openssl-devel
-Requires:       openssl
+BuildRequires:  openssl
+BuildRequires:  libopenssl1_1
+BuildRequires:  libopenssl-1_1-devel
+BuildRequires:  libica-openssl1_1-devel
+BuildRequires:  libica-openssl1_1-tools
+Requires:       libopenssl1_1
+Requires:       libica4-openssl1_1
 %endif
+###
 ExclusiveArch:  s390x
 
+%if "%{flavor}" == "openssl1_1"
+Patch001:       openssl1-rename-libica-files.patch
+%endif
+
 %description
 This package contains a shared object OpenSSL dynamic engine which interfaces
 to libica, a library enabling the IBM s390/x CPACF crypto instructions.
 
 %prep
-%autosetup -p1
+%autosetup -p1 -n openssl-ibmca-%{version}
  ./bootstrap.sh
 
 %build
 export CFLAGS="%{optflags}"
 export CPPFLAGS="%{optflags}"
+
+%if "%{flavor}" == ""
+%configure \
+  --libdir=%{modulesdir}
+  mkdir -p %{buildroot}/%{enginesdir}
+%endif
+
+%if "%{flavor}" == "engine"
+%configure \
+  --disable-provider \
+  --libdir=%{enginesdir}
+%endif
+
+%if "%{flavor}" == "provider"
+%configure \
+  --disable-engine \
+  --libdir=%{modulesdir}
+%endif
+
+%if "%{flavor}" == "openssl1_1"
 %configure \
   --libdir=%{enginesdir}
+%endif
+
 %make_build
 
 %install
 # Update the sample config file so that the dynamic path points
 # to the correct version of the engines directory.
+%if "%{flavor}" != "provider"
 sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample
+%endif
 
 %make_install
-rm %{buildroot}/%{enginesdir}/ibmca.la
+
+%if "%{flavor}" == "openssl1_1"
+rm -f %{buildroot}/%{enginesdir}/ibmca-provider.*
+%endif
+
+%if "%{flavor}" == ""
+mkdir -p %{buildroot}/%{enginesdir}
+mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/
+%endif
+
+rm -f %{buildroot}/%{enginesdir}/ibmca*.la
+rm -f %{buildroot}/%{modulesdir}/ibmca*.la
 
 # This file contains the declaration of the ibmca engine section. It
 # needs to be on the "real" file system when the postinstall scriptlet
@@ -86,39 +154,55 @@ grep -v "^#" src/engine/openssl.cnf.sample | \
 %post
 #Original fix for bsc#942839 was to update on first install
 #For bsc#966139 update if openssl_def not found
-SSLENGCNF=%{_sysconfdir}/ssl/engines.d
-SSLENGDEF=%{_sysconfdir}/ssl/engdef.d
 
-%if %{openssl3}
-  mkdir -p ${SSLENGCNF}
-  mkdir -p ${SSLENGDEF}
+mkdir -p %{sslengcnf}
+mkdir -p %{sslengdef}
+cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf
+cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf
+
+%if "%{flavor}" == ""
+   cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
+   sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig
+   rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
 %endif
 
-cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt ${SSLENGCNF}/openssl-ibmca.cnf
-cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf ${SSLENGDEF}/openssl-ibmca.cnf
-
 %postun
-SSLENGCNF=%{_sysconfdir}/ssl/engines.d
-SSLENGDEF=%{_sysconfdir}/ssl/engdef.d
 if [ $1 -eq 0 ]; then # last uninstall
-  rm -f ${SSLENGCNF}/openssl-ibmca.cnf
-  rm -f ${SSLENGDEF}/openssl-ibmca.cnf
+  rm -f %{sslengcnf}/openssl-ibmca.cnf
+  rm -f %{sslengdef}/openssl-ibmca.cnf
 fi
 
 %files
 %license LICENSE
 %doc ChangeLog
 %doc README.md
-%doc src/engine/openssl.cnf.sample
-%doc src/engine/ibmca-engine-opensslconfig
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
 %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
-%{enginesdir}/ibmca.*
-%{_mandir}/man5/ibmca.5%{?ext_man}
-%if %{openssl3}
-  %{_mandir}/man5/ibmca-provider.5%{?ext_man}
-  %{enginesdir}/ibmca-provider.*
+%if "%{flavor}" == ""
+    %doc src/engine/ibmca-engine-opensslconfig
+    %doc src/provider/ibmca-provider-opensslconfig
+    %doc src/engine/openssl.cnf.sample
+    %{enginesdir}/ibmca.*
+    %{modulesdir}/ibmca-provider.*
+    %{_mandir}/man5/ibmca.5%{?ext_man}
+    %{_mandir}/man5/ibmca-provider.5%{?ext_man}
+%endif
+%if "%{flavor}" == "provider"
+    %doc src/provider/ibmca-provider-opensslconfig
+    %{modulesdir}/ibmca-provider.*
+    %{_mandir}/man5/ibmca-provider.5%{?ext_man}
+%endif
+%if "%{flavor}" == "engine"
+    %doc src/engine/ibmca-engine-opensslconfig
+    %doc src/engine/openssl.cnf.sample
+    %{enginesdir}/ibmca.*
+    %{_mandir}/man5/ibmca.5%{?ext_man}
+%endif
+%if "%{flavor}" == "openssl1_1"
+    %doc src/engine/openssl.cnf.sample
+    %{enginesdir}/ibmca.*
+    %{_mandir}/man5/ibmca.5%{?ext_man}
 %endif
 
 %changelog
diff --git a/openssl1-rename-libica-files.patch b/openssl1-rename-libica-files.patch
new file mode 100644
index 0000000..ba42cb6
--- /dev/null
+++ b/openssl1-rename-libica-files.patch
@@ -0,0 +1,65 @@
+--- openssl-ibmca-2.4.1/configure.ac	2023-09-21 08:52:43.000000000 +0200
++++ changed/configure.ac	2024-04-17 10:13:02.267582864 +0200
+@@ -69,7 +69,7 @@
+ # Checks for header files.
+ AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \
+                  string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
+-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***]))
++AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***]))
+ 
+ 
+ # Checks for typedefs, structures, and compiler characteristics.
+@@ -81,15 +81,15 @@
+ # Checks for library functions.
+ AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc])
+ AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [],
+-		AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]),
++		AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]),
+ 		[#include <ica_api.h>])
+ AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION],
+ 		[openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"],
+ 		[#include <openssl/core_names.h>])
+ AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes])
+ 
+-AC_ARG_WITH([libica-cex],
+-	[AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])],
++AC_ARG_WITH([libica-openssl1_1-cex],
++	[AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])],
+ 	[usecexonly=${withval}],
+ 	[])
+ 
+@@ -99,11 +99,11 @@
+ 	[libicaversion=4])
+ 
+ if test "x$usecexonly" = xyes; then
+-	defaultlib="libica-cex.so.$libicaversion"
+-	ica="ica-cex"
++	defaultlib="libica-openssl1_1-cex.so.$libicaversion"
++	ica="ica-openssl1_1-cex"
+ else
+-	defaultlib="libica.so.$libicaversion"
+-	ica="ica"
++	defaultlib="libica-openssl1_1.so.$libicaversion"
++	ica="ica-openssl1_1"
+ fi
+ # In cex-only mode, testing the ciphers does not make any sense since
+ # they will fall back to OpenSSL without the engine.  So remove these
+@@ -135,7 +135,7 @@
+ 
+ 
+ AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"])
+-AC_SUBST([ICA],["$ica"])
++AC_SUBST([ICA],["$ica-openssl1_1"])
+ 
+ AC_CHECK_PROG([openssl_var],[openssl],[yes],[no])
+ if test "x$openssl_var" != xyes; then
+@@ -169,7 +169,7 @@
+ echo "  default library: $defaultlib"
+ echo "IBMCA provider:    $enable_provider"
+ if test "x$useproviderfulllibica" = xyes; then
+-	echo "  libica library:  libica"
++	echo "  libica library:  libica-openssl1_1"
+ else
+-	echo "  libica library:  libica-cex"
++	echo "  libica library:  libica-openssl1_1-cex"
+ fi