Accepting request 1088688 from home:ngueorguiev:branches:security:tls

- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
  - [UPDATE] syslog msgs only in error cases
  - [UPDATE] don't count statistics in fips power-on self tests
  - [PATCH] various fixes and some new tests
- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet
- Prefix /etc/libica with %dir to ensure we don't package
  unversioned files in libica4, as otherwise we violate SLPP.
- Add /etc/libica directory into %files section.
- Upgrade to version 4.2.1 (jsc#PED-2872)
  - [PATCH] fix regression opening shared memory
- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365).
  - [FEATURE] Display build info via icainfo -v
  - [FEATURE] New API function ica_get_build_version()
  - [FEATURE] Display fips indication via icainfo -f
  - [FEATURE] New API function ica_get_fips_indicator()
  - [FEATURE] New API function ica_aes_gcm_initialize_fips()
  - [FEATURE] New API function ica_aes_gcm_kma_get_iv()
  - [FEATURE] New API function ica_get_msa_level()
  - [PATCH] icainfo: check for malloc error when getting functionlist
- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365).
  v4.1.1
   - [PATCH] Fix aes-xts multi-part operations
     [PATCH] Fix make dist
  v4.1.0
   - [FEATURE] FIPS: make libica FIPS 140-3 compliant
     [FEATURE] New API function ica_ecdsa_sign_ex()
     [FEATURE] New icainfo output option -r
   - [PATCH] Various bug fixes
- Removed the following obsolete files:
  baselibs.conf
  icaioctl.h
- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629)
  v4.0.3
   - [PATCH] Reduce the number of open file descriptors
   - [PATCH] Various bug fixes
  v4.0.2
   - [PATCH] Various bug fixes
  v4.0.1
   - [PATCH] Various bug fixes
   - [PATCH] Compute HMAC from installed library
  v4.0.0
   - [UPDATE] NO_SW_FALLBACKS is now the default for libica.so
     [UPDATE] Removed deprecated API functions including tests
     [UPDATE] Introduced 'const' for some API function parameters
     [FEATURE] icastats: new parm -k to display detailed counters
- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated
  version named libica-sles15sp5-FIPS-hmac-key.patch.
- Updated the libica-rpmlintrc file to suppress warnings about the 
  libica-cex hmac files being hidden.
- Updated the spec file to properly both obsolete and provide two
  older versions of the package.
- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564)
  - [FEATURE] Add support for OpenSSL 3.0
  - [FEATURE] icainfo: new parm -c to display available EC curves
- Replaced the obsolete PreReq: %fillup_prereq
  with                  Requires(post): %fillup_prereq
  in the spec file.
- Update to version 3.8.0 (jsc#SLE-18334)
  - [FEATURE] provide libica-cex module to satisfy special security requirements
  - [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
   - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
   - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
   - libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
   * FIPS: Find libica from phdrs.
     - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
   * FIPS: enforce the hmac check
     - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
   + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists
- Upgraded to version 3.7.0 (jsc#SLE-13708)
  * Version 3.7.0
    - [FEATURE] FIPS: Add HMAC based library integrity check
    - [PATCH] icainfo: bugfix for RSA and EC related info for software column.
    - [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
    - [PATCH] FIPS: Fix DES and TDES key length
    - [PATCH] icastats: Fix stats counter format
  * Version 3.6.1
    - [PATCH] Fix x25519 and x448 handling of non-canonical values
- Removed the following obsolete patches
  * libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
  * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
  * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
  * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
  * libica-sles15sp2-Build-with-pthread-flag.patch
  * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
  * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
  * libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277)
  * Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
  * Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- Fix FIPS hmac check (bsc#1175356).
  * Update FIPS support to upstream
    - Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
      from upstream.
    - Add libica-sles15sp2-Build-with-pthread-flag.patch
    - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
    - Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
    - Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
  * FIPS check should fail when hmac is missing
    - Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
    - Create an hmac for the selftest
    - Check that selftest fails without a hmac
    - Hash libica.so.3 rather than libica.so.3.6.0
  * Fix hmac key format. It should be hexadecimal, not ASCII
    - Refresh libica-sles15sp2-FIPS-hmac-key.patch
- Fix Some internal variables used to store sensitive information
  (keys) were not zeroized before returning to the calling application.
  (bsc#1175357)
  * Added libica-sles15sp2-Zeroize-local-variables.patch
- Updated libica-rpmlintrc to eliminate the warning about the HMAC file
  being a hidden file. It is supposed to be hidden.
- Added the following patches for FIPS certification (bsc#1162533)
  * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
  * libica-sles15sp2-FIPS-hmac-key.patch
- Added a BuildRequires for the fipscheck package.
- Made a couple of changes to the spec file based upon recommendations
  by spec-cleaner.
- Added the following patches for FIPS certification.
  * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
    (bsc#1166071) Although a DES key has only 56 effective bits,
     all 64 bits must be considered, because the parity bits are
     spread over all 8 bytes of the key.
  * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
    (bsc#1166210) FIPS tests require the output iv to be the iv
    resulting from decrypting the last block with a zero iv as input.
  * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
    (bsc#1166224) The output from icainfo never shows 'yes' for
    RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
    due to the missing ICA_FLAG_SW flag in the icaList.
- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
  (bsc#1156768)
- Upgraded to version 3.6.0 (jsc#SLE-7584)
  * [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448
- Upgraded to version 3.5.0 (Fate#327840)
  - [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify
- Reworked how libica-tools loads and unloads kernel modules to
  avoid spurious error messages (bsc#1134004):
  * Converted the boot.z90crypt sysV init script to a systemd unit
  file.
  * Removed any references to insserv in the spec file.
  * Updated the z90crypt script itself to properly load and unload
  the kernel modules as they exist today.
  * Eliminated the obsolete libica-SuSE.tar.bz2 archive.
- Updated the README.SUSE file to reflect the change from sysV init
  style script to systemd.
- Made numerous changes to the spec file, based on the output from
  the spec-cleaner command.
- Run testsuite during build
- Upgraded to version 3.4.0 (Fate#325690)
  * v3.4.0
    [FEATURE] Add SHA-512/224 and SHA-512/256 support
- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch
- Made numerous updates to spec file based on spec-cleanup run.
- Upgraded to version 3.3.3 (Fate#325690)
  * v3.3.3
    [PATCH] Various bug fixes
  * v3.3.2
    [PATCH] Skip ECC tests if required HW is not available
    [PATCH] Update spec file
  * v3.3.1
    [PATCH] Fix configure.ac to honour CFLAGS
  * v3.3.0
    [FEATURE] Add CEX supported elliptic-curve crypto interfaces
    [FEATURE] Add SIMD supported multiple-precision arithmetic interfaces
    [FEATURE] Add interface to enable/disable SW fallbacks
    [FEATURE] Add 'make check' target, test-suite rework
  * v3.2.1
    [FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG.
    [PATCH] Various bug fixes.
- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch
- Removed COPYING from %files, since it is no longer in the tarball.
- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch
  (bsc#1103493).
- Made multiple changes to the spec file based on the output of
  spec-cleaner
- Added "Obsoletes: libica-2_3_0" to the libica-tools package to
  fix a problem with upgrading from SLES12 SP2 to either SLES12
  SP3/SP4, or SLES15. (bsc#1112655)
- Added "Obsoletes: libica2" to the libica-tools package to fix
  a problem with upgrading from SLES12 SP2 to either SLES12
  SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638)
- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756)
- Updated boot.z90crypt script to fix a problem with the modprobe
  command not being found. (bsc#1040229).
- Added "Recommends: libica-tools" (bsc#1046435).
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
- Added "--enable-fips" to the %configure parms (Fate#324115)
- Upgraded to version 3.2 (Fate#321517)
  * v3.2.0
    [FEATURE] New AES-GCM interface.
    [UPDATE] Add symbol versioning.
  * v3.1.1
    [PATCH] Various bug fixes related to old and new AES-GCM implementations.
    [UPDATE] Add SHA3 test cases. Improved and extended test suite.
  * v3.1.0
    [FEATURE] Add KMA support for AES-GCM.
    [FEATURE] Add SHA-3 support.
    [PATCH] Reject RSA keys with invalid key-length.
    [PATCH] Allow zero output length for ica_random_number_generate.
    [PATCH] icastats: Correct owner of shared segment when root creates it.
  * Removed the following obsolete patches:
    libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
    libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
    libica-3.0.2-03-fix-aes-ctr.patch
    libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567)
  - Added the following patches (bsc#1058567)
    - libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
    - libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
    - libica-3.0.2-03-fix-aes-ctr.patch
    - libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
- baselibs.conf doesn't need any additional provides/conflicts for
  libica3.
- Update baselibs.conf with proper name for library package name,
  stop providing/obsoleting libica-2_1_0/libica-2_3-0.
- Upgraded to version 3.0.2 (Fate#322025).
  - v3.0.2
    - Fix locking callbacks for openSSL APIs.
  - v3.0.1
    - Fixed msa level detection on zEC/BC12 GA1 and predecessors.
  - v3.0.0
    - Added FIPS mode.
    - Sanitized exported symbols.
    - Removed deprecated APIs. Marked some APIs as deprecated.
    - Adapted to OpenSSL v1.1.0.
    - RSA key generation is thread-safe now.
- Removed the following obsolete patches:
  - fix-initialization-of-s390-hardware-switches-1.patch
  - fix-initialization-of-s390-hardware-switches-2.patch
  - fix-msa-level-detection.patch
  - fix-segfault-during-multithread-keygen.patch
  - rng-performance.patch
- Made the following packaging changes:
  - Implemented the shared library packaging guidelines.
  - Consolidated double invocation of %setup into just one.
  - Dropped redundant %ifarch, the package is already ExclusiveArch.
  - Updated descriptions.
- Added an libica-rpmlintrc file.
- Added the following two patches:
  - fix-segfault-during-multithread-keygen.patch (bsc#991485)
  - fix-msa-level-detection.patch (bsc#1010927)
- Added rng-performance.patch (bsc#990850).
- Updated baselibs.conf to obsolete prior versions of the 32bit
  package. (bsc#983897):
   provides "libica-<targettype> = <version>"
   obsoletes "libica-<targettype> < <version>"
   provides "libica-2_1_0-<targettype> = <version>"
   obsoletes "libica-2_1_0-<targettype> < <version>"
   provides "libica-2_3_0-<targettype> = <version>"
   obsoletes "libica-2_3_0-<targettype> < <version>"
- Added fix-initialization-of-s390-hardware-switches-1.patch and
  fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548)
- Upgraded to version 2.6.2 (FATE#319610).
- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to
  naming standards.
- Found the original location of the icaioctl.h file and downloaded
  it to replace what we had previously.
- Removed the unnecessary libica2.la file
- Removed unnecessary Requires for glibc-devel
- Added Requires libica2 to the -devel package
- Converted call to configure to %configure macro
- Removed obsolete and unnecessary INSROOT and bindir parameters
  from the make install command
- Add Provides/Obsoletes for libica-2_3_0 so that the package from
  SLE12 GA is replaced (bsc#953096).
- move the .so file to the mainpackage, the openssl-ibmca engine
  will only load "libica.so" (bsc#952871)
- Update to libica v2.4.2 (FATE#318035)
- Removed outdated libica-aes_ccm-31-bit-compatibility.patch
- Moved init script into libica-SuSE.tar.bz2 archive
- sanitize release line in specfile
- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root
- Removed libica-SuSE.tar.bz2
- z90crypt now starts and stops ap kernel module (bnc#888943)
- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM:
  fixed 64/31 bit compatibility
- add obsoletes and provides for older libica versions 
- update to 2.3.0 (fate#315342) 
- obsolete/upstreamed patches:
  libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch
  libica-2_1_0-msa4-extension.patch
  libica-2_1_0-synchronize_shared_memory_ref_counting.patch
- Added COPYING to %files
- Fixed build dependency errors by requiring autoconf, automake
  and libtool
- Changed license to CPL-1.0
- Created devel package
- Support for MSA4 extension (bnc#794518, fate#314078)
- synchronize shared memory reference counting for library
  statistics (bnc#719659)
- fix temporary buffer allocation in ica_get_version() (bnc#719660)
- update -> 2.1.0 (fate#311914)
- Moved icainfo into /usr/bin (bnc#448643)
- obsolete old -XXbit packages (bnc#437293)
- fix build on all platforms 
- Added CPL license to include/z90crypt.h, removed GPL reference
  (This patch is upstream)
- Changed package name to libica-1_3_9 to conform to rpmlint
  requirements. (bnc#433432)
- Removed soname filter for rpmlint
- Several RPM fixes to help satisfy rpmlint
- Updated to libica 1.3.9
- added baselibs.conf file to build xxbit packages
  for multilib support
- remove inclusion of linux/config.h
- z90crypt: handle errors (bug #247799)
- Add gcc-c++ to BuildRequires.
- fix build for the rest of platforms 
- Update to libica 1.3.7 (#160036 - LTC22571)
- Increasing # of open handles with symmetric crypto support
  (#165323 - LTC23095)
- converted neededforbuild to BuildRequires
- include string.h and unistd.h in icalinux.c 
- Port package from SLES9 SP3
- Update to libica 1.3.6-rc3.
- Close all filehandles (#130060 - LTC19221).
- downgrade to libica 1.3.6-rc2 (contains AES software fallback,
  bug #117336)
- Update to libica 1.3.6 (#117336)
- fix implicit declaration 
- Changing the default value from 0 to -1 in rcz90crypt (#114371) 
- Finally fix 'reload' messages (#81824 - LTC15733).
- Fix sigill patch.
- Remove printf output from sigill patch (#81829 - LTC15731).
- Use correct default value for z90crypt (#81825 - LTC15732).
- Fix messages for 'reload' (#81824 - LTC15733).
- Fixed SIGILL on z900 (#46422).
- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005).
- Fix module loading error (#42006).
- Add sysconfig variable to set the 'domain' parameter (#42005).
- update -> 1.3.5-3 (bug #42122)
- Update README.SuSE and correct name as well
- Use modprobe instead of insmod and fix module load error(#40526)
- Fix error checking for no hardware found case and hw error on load
- Update Readme again for the correct name (SUSE LINUX Server).
- Moved README.SuSE to README.SUSE.
- Update Readme to refer to the correct name (SUSE Linux Server).
- Update to 1.3.5-2 (#38511, #39693).
- Update Readme to refer to SUSE Linux Server instead of
  SuSE Linux Enterprise Server.
- Update to 1.3.5
- export CFLAGS & CPPFLAGS for configure
- Exclude S/390-specific files for other archs (#37183) 
- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS
- fix build
- build as user
- update to 1.3.4
- update to 1.3.2
- update to 1.3.1:
  now supports DES, TDES and SHA, as well as RSA.
- throw libica.patch away, since autoversion and Makefile.am have
  similar changes now, and the renaming from _LINUX_S390_ to
  __s390__ is not really necessary
- use %defattr
- checked that icaioctl.h is still current
- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone
  open source meanwhile and comes with the kernel sources
- added documentation how to set up crypto hardware support,
  esp. S/390 and zSeries. (#16011, #22056)
- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5
  actually work. (#20737)
- Correct PreReq
- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and
  to build on non-s390
- updated to current libica
- hacked in icaioctl.h for build, 'til we have the module in the
  kernel.
- add %run_ldconfig
- fix for current automake/autoconf
- removed old fillup-template and START_ variable 
- modified etc/init.d/z90crypt-script to report result at start.
- Added openssl to #neededforbuild, which is needed in addition to
  openssl-devel
- initial version

OBS-URL: https://build.opensuse.org/request/show/1088688
OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=12
This commit is contained in:
Nikolay Gueorguiev 2023-05-23 14:33:28 +00:00 committed by Git OBS Bridge
parent 6ed506a7ab
commit 7d0eadbc1e

View File

@ -1,5 +1,5 @@
-------------------------------------------------------------------
Tue May 23 07:19:01 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
Tue May 23 14:16:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
- [UPDATE] syslog msgs only in error cases