From 6558a62def31c4e97eb375641fd1873c2675b3328d1e4734e5ab82174ee17497 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Sat, 22 Jun 2024 09:56:54 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main openssl-ibmca revision dcd2be3a3c4962b567d7c5a703908673 --- _multibuild | 4 + openssl-ibmca.changes | 55 +++++++++++ openssl-ibmca.spec | 150 ++++++++++++++++++++++------- openssl1-rename-libica-files.patch | 65 +++++++++++++ 4 files changed, 241 insertions(+), 33 deletions(-) create mode 100644 _multibuild create mode 100644 openssl1-rename-libica-files.patch diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..b71bc39 --- /dev/null +++ b/_multibuild @@ -0,0 +1,4 @@ + + engine + provider + diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index 1981e0a..1ec13a8 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,3 +1,58 @@ +------------------------------------------------------------------- +Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file +- Changed the package names + +-------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +-------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | Both engine and provider | + | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | + | engine | openssl-ibmca-engine | Only engine | + | provider | openssl-ibmca-provider | Only provider | + +-------------+---------------------------------+--------------------------+ + +------------------------------------------------------------------- +Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev + +- Applied a patch for openssl1_1 (bsc#1221627) + * openssl1-rename-libica-files.patch + +------------------------------------------------------------------- +Tue Apr 9 14:08:05 UTC 2024 - Nikolay Gueorguiev + +- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) + +------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | openssl1 flavor | + | engine | openssl3-ibmca-engine | Only engine | + | provider | openssl3-ibmca-provider | Only provider | + | openssl3 | openssl3-ibmca | Both engine and provider | + +------------+---------------------------------+--------------------------+ +- Changing/editing 'dynamic_path' after the installation on the target system + * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in + /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig + for openssl3 flavor + +------------------------------------------------------------------- +Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1221627) + * Removed the flavors + * Removed 'muiltibuild' environment + * Removed the 'provider' logic + +------------------------------------------------------------------- +Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev + +- Updated the .spec file (bsc#1218933, bsc#1221627) + * Amended the .spec file to use modulesdir variable +- Implemented _multibuild environment (openssl1, engine, provider) +- Added a flag and logic for provider in the .spec file + * When provider is set to 1, it 'configures' the provider + * When provider is set to 0, it 'configures' the engine + ------------------------------------------------------------------- Fri Oct 13 10:39:42 UTC 2023 - Nikolay Gueorguiev diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 9953aec..d683706 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,7 +1,7 @@ # # spec file for package openssl-ibmca # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2018-2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,58 +15,126 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # - -%define openssl3 1 - %global enginesdir %(pkg-config --variable=enginesdir libcrypto) +%global modulesdir %(pkg-config --variable=modulesdir libcrypto) +%global sslengcnf %{_sysconfdir}/ssl/engines3.d +%global sslengdef %{_sysconfdir}/ssl/engdef3.d + +%define flavor @BUILD_FLAVOR@%{nil} + +%if "%{flavor}" == "" Name: openssl-ibmca +%endif + +%if "%{flavor}" == "engine" +Name: openssl-ibmca-engine +%endif + +%if "%{flavor}" == "provider" +Name: openssl-ibmca-provider +%endif + +%if "%{flavor}" == "openssl1_1" +%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d +%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d +Name: openssl1_1-ibmca +%endif + Version: 2.4.1 Release: 0 Summary: The IBMCA OpenSSL dynamic engine License: Apache-2.0 Group: Hardware/Other URL: https://github.com/opencryptoki/openssl-ibmca -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source: https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz Source1: engine_section.txt +Source2: _multibuild ### BuildRequires: autoconf BuildRequires: automake +BuildRequires: libtool +### +%if "%{flavor}" != "openssl1_1" +BuildRequires: libopenssl3 +BuildRequires: libopenssl-3-devel BuildRequires: libica-devel >= 4.0.0 BuildRequires: libica-tools >= 4.0.0 -BuildRequires: libtool -Requires: libica4 >= 4 -%if %{openssl3} -BuildRequires: openssl-devel > 3.0.0 -Requires: openssl > 3.0.0 +Requires: libopenssl3 +Requires: libica4 >= 4.0.0 %else -BuildRequires: openssl-devel -Requires: openssl +BuildRequires: openssl +BuildRequires: libopenssl1_1 +BuildRequires: libopenssl-1_1-devel +BuildRequires: libica-openssl1_1-devel +BuildRequires: libica-openssl1_1-tools +Requires: libopenssl1_1 +Requires: libica4-openssl1_1 %endif +### ExclusiveArch: s390x +%if "%{flavor}" == "openssl1_1" +Patch001: openssl1-rename-libica-files.patch +%endif + %description This package contains a shared object OpenSSL dynamic engine which interfaces to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%autosetup -p1 +%autosetup -p1 -n openssl-ibmca-%{version} ./bootstrap.sh %build export CFLAGS="%{optflags}" export CPPFLAGS="%{optflags}" + +%if "%{flavor}" == "" +%configure \ + --libdir=%{modulesdir} + mkdir -p %{buildroot}/%{enginesdir} +%endif + +%if "%{flavor}" == "engine" +%configure \ + --disable-provider \ + --libdir=%{enginesdir} +%endif + +%if "%{flavor}" == "provider" +%configure \ + --disable-engine \ + --libdir=%{modulesdir} +%endif + +%if "%{flavor}" == "openssl1_1" %configure \ --libdir=%{enginesdir} +%endif + %make_build %install # Update the sample config file so that the dynamic path points # to the correct version of the engines directory. +%if "%{flavor}" != "provider" sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample +%endif %make_install -rm %{buildroot}/%{enginesdir}/ibmca.la + +%if "%{flavor}" == "openssl1_1" +rm -f %{buildroot}/%{enginesdir}/ibmca-provider.* +%endif + +%if "%{flavor}" == "" +mkdir -p %{buildroot}/%{enginesdir} +mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ +%endif + +rm -f %{buildroot}/%{enginesdir}/ibmca*.la +rm -f %{buildroot}/%{modulesdir}/ibmca*.la # This file contains the declaration of the ibmca engine section. It # needs to be on the "real" file system when the postinstall scriptlet @@ -86,39 +154,55 @@ grep -v "^#" src/engine/openssl.cnf.sample | \ %post #Original fix for bsc#942839 was to update on first install #For bsc#966139 update if openssl_def not found -SSLENGCNF=%{_sysconfdir}/ssl/engines.d -SSLENGDEF=%{_sysconfdir}/ssl/engdef.d -%if %{openssl3} - mkdir -p ${SSLENGCNF} - mkdir -p ${SSLENGDEF} +mkdir -p %{sslengcnf} +mkdir -p %{sslengdef} +cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf +cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf + +%if "%{flavor}" == "" + cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig + sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig + rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig %endif -cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt ${SSLENGCNF}/openssl-ibmca.cnf -cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf ${SSLENGDEF}/openssl-ibmca.cnf - %postun -SSLENGCNF=%{_sysconfdir}/ssl/engines.d -SSLENGDEF=%{_sysconfdir}/ssl/engdef.d if [ $1 -eq 0 ]; then # last uninstall - rm -f ${SSLENGCNF}/openssl-ibmca.cnf - rm -f ${SSLENGDEF}/openssl-ibmca.cnf + rm -f %{sslengcnf}/openssl-ibmca.cnf + rm -f %{sslengdef}/openssl-ibmca.cnf fi %files %license LICENSE %doc ChangeLog %doc README.md -%doc src/engine/openssl.cnf.sample -%doc src/engine/ibmca-engine-opensslconfig %dir %{_datadir}/%{name} %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf -%{enginesdir}/ibmca.* -%{_mandir}/man5/ibmca.5%{?ext_man} -%if %{openssl3} - %{_mandir}/man5/ibmca-provider.5%{?ext_man} - %{enginesdir}/ibmca-provider.* +%if "%{flavor}" == "" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/provider/ibmca-provider-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca.5%{?ext_man} + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "provider" + %doc src/provider/ibmca-provider-opensslconfig + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "engine" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{_mandir}/man5/ibmca.5%{?ext_man} +%endif +%if "%{flavor}" == "openssl1_1" + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{_mandir}/man5/ibmca.5%{?ext_man} %endif %changelog diff --git a/openssl1-rename-libica-files.patch b/openssl1-rename-libica-files.patch new file mode 100644 index 0000000..ba42cb6 --- /dev/null +++ b/openssl1-rename-libica-files.patch @@ -0,0 +1,65 @@ +--- openssl-ibmca-2.4.1/configure.ac 2023-09-21 08:52:43.000000000 +0200 ++++ changed/configure.ac 2024-04-17 10:13:02.267582864 +0200 +@@ -69,7 +69,7 @@ + # Checks for header files. + AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ + string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) +-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***])) ++AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***])) + + + # Checks for typedefs, structures, and compiler characteristics. +@@ -81,15 +81,15 @@ + # Checks for library functions. + AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) + AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [], +- AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]), ++ AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]), + [#include ]) + AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION], + [openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"], + [#include ]) + AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes]) + +-AC_ARG_WITH([libica-cex], +- [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])], ++AC_ARG_WITH([libica-openssl1_1-cex], ++ [AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])], + [usecexonly=${withval}], + []) + +@@ -99,11 +99,11 @@ + [libicaversion=4]) + + if test "x$usecexonly" = xyes; then +- defaultlib="libica-cex.so.$libicaversion" +- ica="ica-cex" ++ defaultlib="libica-openssl1_1-cex.so.$libicaversion" ++ ica="ica-openssl1_1-cex" + else +- defaultlib="libica.so.$libicaversion" +- ica="ica" ++ defaultlib="libica-openssl1_1.so.$libicaversion" ++ ica="ica-openssl1_1" + fi + # In cex-only mode, testing the ciphers does not make any sense since + # they will fall back to OpenSSL without the engine. So remove these +@@ -135,7 +135,7 @@ + + + AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"]) +-AC_SUBST([ICA],["$ica"]) ++AC_SUBST([ICA],["$ica-openssl1_1"]) + + AC_CHECK_PROG([openssl_var],[openssl],[yes],[no]) + if test "x$openssl_var" != xyes; then +@@ -169,7 +169,7 @@ + echo " default library: $defaultlib" + echo "IBMCA provider: $enable_provider" + if test "x$useproviderfulllibica" = xyes; then +- echo " libica library: libica" ++ echo " libica library: libica-openssl1_1" + else +- echo " libica library: libica-cex" ++ echo " libica library: libica-openssl1_1-cex" + fi