- Applied patches(jsc#PED-10292)

* openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch * openssl-ibmca-04-engine-Fix-compile-error.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=75
2024-10-29 11:12:32 +00:00 · 2024-10-29 11:12:32 +00:00 · 10906683d5
commit 10906683d5
12 changed files with 1221 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+<multibuild>
+  <flavor>engine</flavor>
+  <flavor>provider</flavor>
+</multibuild>
--- a/engine_section.txt
+++ b/engine_section.txt
@ -0,0 +1 @@
+ibmca = ibmca_section
--- a/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
+++ b/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
@ -0,0 +1,67 @@
+From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 8 Jan 2024 08:52:24 +0100
+Subject: [PATCH] engine: Enable external AES-GCM IV when libica is in FIPS
+ mode
+
+When the system is in FIPS mode, newer libica versions may prevent AES-GCM
+from being used with an external IV. FIPS requires that the AES-GCM IV is
+created libica internally via an approved random source.
+
+The IBMCA engine can not support the internal generation of the AES-GCM IV,
+because the engine API for AES-GCM does not allow this. Applications using
+OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
+external IV.
+
+Enable the use of external AES-GCM IVs for libica, if the used libica library
+supports this. Newer libica versions support to allow external AES-GCM IVs via
+function ica_allow_external_gcm_iv_in_fips_mode().
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/e_ibmca.c | 12 +++++++++++-
+ src/engine/ibmca.h   |  1 +
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
+index 6cbf745..afed3fe 100644
+--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
+@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t      p_ica_aes_gcm_intermediate;
+ ica_aes_gcm_last_t              p_ica_aes_gcm_last;
+ #endif
+ ica_cleanup_t                   p_ica_cleanup;
+ica_allow_external_gcm_iv_in_fips_mode_t
+                                p_ica_allow_external_gcm_iv_in_fips_mode;
+ 
+ /* save libcrypto's default ec methods */
+ #ifndef NO_EC
+@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
+     BIND(ibmca_dso, ica_ed448_ctx_del);
+ 
+     /* ica_cleanup is not always present and only needed for newer libraries */
+-    p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
+    BIND(ibmca_dso, ica_cleanup);
+
+    /*
+     * Allow external AES-GCM IV when libica runs in FIPS mode.
+     * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
+     * available with newer libraries.
+     */
+    if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
+        p_ica_allow_external_gcm_iv_in_fips_mode(1);
+ 
+     /* disable fallbacks on Libica */
+     if (BIND(ibmca_dso, ica_set_fallback_mode))
+diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
+index 7281a5b..01465eb 100644
+--- a/src/engine/ibmca.h
+++ b/src/engine/ibmca.h
+@@ -617,6 +617,7 @@ typedef
+ int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
+ 
+ typedef void (*ica_cleanup_t)(void);
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
+ 
+ /* entry points into libica, filled out at DSO load time */
+ extern ica_get_functionlist_t           p_ica_get_functionlist;
--- a/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
+++ b/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
@ -0,0 +1,243 @@
+From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 10 Jan 2024 15:08:47 +0100
+Subject: [PATCH] test/provider: Do not link against libica use dlopen instead
+
+When an application links against libica (via -lica), then the libica library
+constructor runs before the program's main function. Libica's library
+constructor does initialize OpenSSL and thus parses the config file.
+
+However, the test programs set up some OpenSSL configuration related
+environment variables within function check_libica() called from the
+main function. If libica has already initialized OpenSSL prior to that,
+OpenSSL won't initialize again, and thus these environment variables have
+no effect.
+
+Dynamically load libica (via dlopen) only after setting the environment
+variables.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ configure.ac              |  2 ++
+ test/provider/Makefile.am | 15 +++++++++------
+ test/provider/dhkey.c     | 24 ++++++++++++++++++++++--
+ test/provider/eckey.c     | 24 ++++++++++++++++++++++--
+ test/provider/rsakey.c    | 24 ++++++++++++++++++++++--
+ 5 files changed, 77 insertions(+), 12 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b43a659..09df230 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
+ 	[])
+ AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
+ 
+AC_SUBST(libicaversion, "$libicaversion")
+
+ # If compiled against OpenSSL 3.0 or later, build the provider unless
+ # explicitely disabled. 
+ # If build against OpenSSL 1.1.1, we can not build the provider.
+diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
+index 15a5466..fce06b3 100644
+--- a/test/provider/Makefile.am
+++ b/test/provider/Makefile.am
+@@ -24,24 +24,27 @@ TESTS = \
+ check_PROGRAMS = rsakey eckey dhkey threadtest
+ 
+ dhkey_SOURCES = dhkey.c
+dhkey_LDADD = -lcrypto -ldl
+ if PROVIDER_FULL_LIBICA
+-dhkey_LDADD = -lcrypto -lica
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
+ else
+-dhkey_LDADD = -lcrypto -lica-cex
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
+ endif
+ 
+ eckey_SOURCES = eckey.c
+eckey_LDADD = -lcrypto -ldl
+ if PROVIDER_FULL_LIBICA
+-eckey_LDADD = -lcrypto -lica
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
+ else
+-eckey_LDADD = -lcrypto -lica-cex
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
+ endif
+ 
+ rsakey_SOURCES = rsakey.c
+rsakey_LDADD = -lcrypto -ldl
+ if PROVIDER_FULL_LIBICA
+-rsakey_LDADD = -lcrypto -lica
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
+ else
+-rsakey_LDADD = -lcrypto -lica-cex
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
+ endif
+ 
+ threadtest_SOURCES = threadtest.c
+diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
+index 8829ecc..0ec2c03 100644
+--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <dlfcn.h>
+ 
+ #include <openssl/conf.h>
+ #include <openssl/evp.h>
+@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
+ static const unsigned int required_ica_mechs_len =
+                         sizeof(required_ica_mechs) / sizeof(unsigned int);
+ 
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+                                               unsigned int *);
+
+ int check_libica()
+ {
+     unsigned int mech_len, i, k, found = 0;
+     libica_func_list_element *mech_list = NULL;
+    void *ibmca_dso;
+    ica_get_functionlist_t p_ica_get_functionlist;
+     int rc;
+ 
+-    rc = ica_get_functionlist(NULL, &mech_len);
+    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+    if (ibmca_dso == NULL) {
+        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+        return 77;
+    }
+
+    p_ica_get_functionlist =
+            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+    if (p_ica_get_functionlist == NULL) {
+        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+                LIBICA_NAME);
+        return 77;
+    }
+
+    rc = p_ica_get_functionlist(NULL, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         return 77;
+@@ -373,7 +393,7 @@ int check_libica()
+         return 77;
+     }
+ 
+-    rc = ica_get_functionlist(mech_list, &mech_len);
+    rc = p_ica_get_functionlist(mech_list, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         free(mech_list);
+diff --git a/test/provider/eckey.c b/test/provider/eckey.c
+index b2334d7..b8f47b7 100644
+--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <dlfcn.h>
+ 
+ #include <openssl/conf.h>
+ #include <openssl/evp.h>
+@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
+ static const unsigned int required_ica_mechs_len =
+                         sizeof(required_ica_mechs) / sizeof(unsigned int);
+ 
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+                                               unsigned int *);
+
+ int check_libica()
+ {
+     unsigned int mech_len, i, k, found = 0;
+     libica_func_list_element *mech_list = NULL;
+    void *ibmca_dso;
+    ica_get_functionlist_t p_ica_get_functionlist;
+     int rc;
+ 
+-    rc = ica_get_functionlist(NULL, &mech_len);
+    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+    if (ibmca_dso == NULL) {
+        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+        return 77;
+    }
+
+    p_ica_get_functionlist =
+            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+    if (p_ica_get_functionlist == NULL) {
+        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+                LIBICA_NAME);
+        return 77;
+    }
+
+    rc = p_ica_get_functionlist(NULL, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         return 77;
+@@ -806,7 +826,7 @@ int check_libica()
+         return 77;
+     }
+ 
+-    rc = ica_get_functionlist(mech_list, &mech_len);
+    rc = p_ica_get_functionlist(mech_list, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         free(mech_list);
+diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
+index 366b503..9d6a618 100644
+--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <dlfcn.h>
+ 
+ #include <openssl/conf.h>
+ #include <openssl/evp.h>
+@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME,  RSA_CRT };
+ static const unsigned int required_ica_mechs_len =
+                         sizeof(required_ica_mechs) / sizeof(unsigned int);
+ 
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+                                               unsigned int *);
+
+ int check_libica()
+ {
+     unsigned int mech_len, i, k, found = 0;
+     libica_func_list_element *mech_list = NULL;
+    void *ibmca_dso;
+    ica_get_functionlist_t p_ica_get_functionlist;
+     int rc;
+ 
+-    rc = ica_get_functionlist(NULL, &mech_len);
+    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+    if (ibmca_dso == NULL) {
+        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+        return 77;
+    }
+
+    p_ica_get_functionlist =
+            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+    if (p_ica_get_functionlist == NULL) {
+        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+                LIBICA_NAME);
+        return 77;
+    }
+
+    rc = p_ica_get_functionlist(NULL, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         return 77;
+@@ -753,7 +773,7 @@ int check_libica()
+         return 77;
+     }
+ 
+-    rc = ica_get_functionlist(mech_list, &mech_len);
+    rc = p_ica_get_functionlist(mech_list, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         free(mech_list);
--- a/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
+++ b/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
@ -0,0 +1,61 @@
+From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 18 Jan 2024 16:35:14 +0100
+Subject: [PATCH] test/provider: Explicitly initialize OpenSSL after setting
+ env vars.
+
+When running with a libica version without commit
+https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
+it is necessary to explicitly initialize OpenSSL before loading libica. Because
+otherwise libica's library constructor will initialize OpenSSL the first time,
+which in turn will load the IBMCA provider, and it will fall into the same
+problem as fixed by above libica commit, i.e. the provider won't be able to
+get the supported algorithms from libica an thus will not register any
+algorithms.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ test/provider/dhkey.c  | 2 ++
+ test/provider/eckey.c  | 2 ++
+ test/provider/rsakey.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
+index 0ec2c03..b1270f5 100644
+--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
+@@ -461,6 +461,8 @@ int main(int argc, char **argv)
+         return 77;
+     }
+ 
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
+     ret = check_libica();
+     if (ret != 0)
+         return ret;
+diff --git a/test/provider/eckey.c b/test/provider/eckey.c
+index b8f47b7..a65bea5 100644
+--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
+@@ -895,6 +895,8 @@ int main(int argc, char **argv)
+         return 77;
+     }
+ 
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
+     ret = check_libica();
+     if (ret != 0)
+         return ret;
+diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
+index 9d6a618..874de6d 100644
+--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
+@@ -839,6 +839,8 @@ int main(int argc, char **argv)
+         return 77;
+     }
+ 
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
+     ret = check_libica();
+     if (ret != 0)
+         return ret;
--- a/openssl-ibmca-04-engine-Fix-compile-error.patch
+++ b/openssl-ibmca-04-engine-Fix-compile-error.patch
@ -0,0 +1,36 @@
+From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 13 May 2024 08:53:56 +0200
+Subject: [PATCH] engine: Fix compile error on Fedora 40
+
+ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
+from incompatible pointer type [-Wincompatible-pointer-types]
+      627 |     EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/ibmca_pkey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
+index 9c8de94c..6cd8fcd9 100644
+--- a/src/engine/ibmca_pkey.c
+++ b/src/engine/ibmca_pkey.c
+@@ -258,7 +258,7 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t
+ 
+ /* ED25519 */
+ 
+-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
+ {
+     return 1;
+ }
+@@ -402,7 +402,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
+ 
+ /* ED448 */
+ 
+-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
+ {
+     return 1;
+ }
--- a/openssl-ibmca-2.4.1.tar.gz
+++ b/openssl-ibmca-2.4.1.tar.gz
--- a/openssl-ibmca.changes
+++ b/openssl-ibmca.changes
@ -0,0 +1,499 @@
+-------------------------------------------------------------------
+Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied patches(jsc#PED-10292)
+  * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
+  * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
+  * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
+  * openssl-ibmca-04-engine-Fix-compile-error.patch 
+
+-------------------------------------------------------------------
+Tue Jul 16 06:11:44 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file
+  * Replaced hard-coded '/usr/share' with %{_datadir}  
+
+-------------------------------------------------------------------
+Mon Jul 15 08:18:35 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (bsc#1227537)
+  * 'rpm.install.excludedocs = yes' in zypp.conf excludes the /usr/share/doc/.. 
+  * Added a check, if there is is /usr/share/doc file to be editted.
+
+-------------------------------------------------------------------
+Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file
+- Changed the package names
+  +-------------+---------------------------------+--------------------------+
+  |  Flavor     | Package name                    | Note                     |
+  +-------------+---------------------------------+--------------------------+
+  |  ''         | openssl-ibmca                   | Both engine and provider |
+  |  openssl1_1 | openssl1_1-ibmca                | openssl1 flavor          |
+  |  engine     | openssl-ibmca-engine            | Only engine              |
+  |  provider   | openssl-ibmca-provider          | Only provider            |
+  +-------------+---------------------------------+--------------------------+
+
+-------------------------------------------------------------------
+Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch for openssl1_1 (bsc#1221627)
+  * openssl1-rename-libica-files.patch
+
+-------------------------------------------------------------------
+Tue Apr  9 14:08:05 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) 
+  +------------+---------------------------------+--------------------------+ 
+  |  Flavor    | Package name                    | Note                     |
+  +------------+---------------------------------+--------------------------+ 
+  |  ''        | openssl-ibmca                   | openssl1 flavor          |
+  |  engine    | openssl3-ibmca-engine           | Only engine              |
+  |  provider  | openssl3-ibmca-provider         | Only provider            |
+  |  openssl3  | openssl3-ibmca                  | Both engine and provider |        
+  +------------+---------------------------------+--------------------------+ 
+- Changing/editing 'dynamic_path' after the installation on the target system 
+  * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in
+    /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig
+    for openssl3 flavor
+
+-------------------------------------------------------------------
+Thu Apr  4 07:02:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (bsc#1221627)
+  * Removed the flavors
+  * Removed 'muiltibuild' environment
+  * Removed the 'provider' logic
+
+-------------------------------------------------------------------
+Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file (bsc#1218933, bsc#1221627)
+  * Amended the .spec file to use modulesdir variable 
+- Implemented _multibuild environment (openssl1, engine, provider)
+- Added a flag and logic for provider in the .spec file
+  * When provider is set to 1, it 'configures' the provider
+  * When provider is set to 0, it 'configures' the engine
+
+-------------------------------------------------------------------
+Fri Oct 13 10:39:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Removed an obsolete patch (implemented in the version 2.4.1)
+  * openssl-ibmca-engine-noregister.patch
+
+-------------------------------------------------------------------
+Fri Oct  6 06:35:00 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade to version 2.4.1 (jsc#PED-5422) 
+  * Provider: Change the default log directory to /tmp
+  * Bug fixes
+
+-------------------------------------------------------------------
+Mon May 22 07:20:32 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file, amended to use libica4 instead of libica
+  * Requires:  libica4 >= 4
+
+-------------------------------------------------------------------
+Tue May  2 07:49:24 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file
+  * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries 
+
+-------------------------------------------------------------------
+Tue Apr 25 12:47:39 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file as follow:
+  * BuildRequires:  libica-devel >= 4.0.0
+  * BuildRequires:  libica-tools >= 4.0.0
+
+-------------------------------------------------------------------
+Mon Apr 24 09:23:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Added dependency on libica4 (bsc#1209038)
+  * BuildRequires and Requires statements in .spec file for libica4
+
+-------------------------------------------------------------------
+Wed Apr 19 10:52:06 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applies a patch (bsc#1210359)
+  * openssl-ibmca-engine-noregister.patch
+- Updated the '#dynamic_path' line, as it was before, with the comment '#'.
+
+-------------------------------------------------------------------
+Thu Apr  6 08:14:25 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059)
+  * openssl-ibmca 2.4.0
+    - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 
+    - Provider: Support RSA blinding
+    - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding
+    - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding
+    - Provider: Adjustments in OpenSSL config generator and example configs
+    - Engine: EC: Cache ICA key in EC_KEY object (performance improvement)
+    - Engine: Enable RSA blinding
+
+-------------------------------------------------------------------
+Tue Mar 14 11:35:44 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated .spec file removed '#' from the line containing
+  'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038)
+- Added in %files 
+  * /usr/lib64/engines-3/ibmca-provider.la
+  * /usr/lib64/engines-3/ibmca-provider.so
+
+-------------------------------------------------------------------
+Tue Oct  4 19:33:57 UTC 2022 - Mark Post <mpost@suse.com>
+
+- Upgraded to version 2.3.1 (jsc#PED-597)
+  * openssl-ibmca 2.3.1
+    - Adjustments for libica 4.1.0
+  * openssl-ibmca 2.3.0
+    - First version including the provider
+    - Fix for engine build without OpenSSL 3.0 sources
+  * openssl-ibmca 2.2.3
+    - Fix PKEY segfault with OpenSSL 3.0
+  * openssl-ibmca 2.2.2
+    - Fix tests with OpenSSL 3.0
+    - Build against libica 4.0
+- Removed a Requires for libica from the specfile.
+- Removed the obsolete baselibs.conf file
+
+-------------------------------------------------------------------
+Tue Mar 15 22:00:05 UTC 2022 - Mark Post <mpost@suse.com>
+
+- Completely revamped the postinstall scriptlet so that it doesn't
+  need to know or care about how many lines are in either
+  /etc/ssl/openssl.cnf, or the sample file at
+  /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample
+  We're now using the ".include" directive for the openssl.cnf
+  file, and only modifying that file the minimum necessary to
+  implement the change. (bsc#1004463)
+
+-------------------------------------------------------------------
+Fri Sep 17 19:32:37 UTC 2021 - Mark Post <mpost@suse.com>
+
+- Upgraded to version 2.2.1 (jsc#SLE-18333)
+  * openssl-ibmca 2.2.1
+    Bug fixes
+  * openssl-ibmca 2.2.0
+    Implement fallbacks based on OpenSSL
+    Disable software fallbacks from libica
+    Allow to specify default library (libica vs. libica-cex) to use
+    Provide "libica" engine ctrl to switch library at load time
+    Update README.md
+    Remove libica link dependency
+    Generate sample configuration files from system configuration
+    Restructure registration global data
+  * openssl-ibmca 2.1.3
+    Bug fix
+  * openssl-ibmca 2.1.2
+    Bug fixes
+- Modified spec file to
+  * Define a global variable enginesdir the same was as IBM does
+    instead of _ENGINE_DIR as we had been doing.
+  * Implemented %make_build macro according to spec-cleaner
+  * Changed the package description to match IBM's.
+  * Removed the redundant "autoreconf --force --install"
+
+-------------------------------------------------------------------
+Wed Sep 16 20:06:12 UTC 2020 - Mark Post <mpost@suse.com>
+
+- Upgrade to version 2.1.1 (jsc#SLE-13709)
+  * Bug fixes
+
+-------------------------------------------------------------------
+Tue Sep 10 22:22:49 UTC 2019 - Mark Post <mpost@suse.com>
+
+- Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882)
+  Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448
+
+-------------------------------------------------------------------
+Wed Aug 28 20:56:08 UTC 2019 - Mark Post <mpost@suse.com>
+
+- Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424)
+  * openssl-ibmca 2.0.3
+    Add MSA9 CPACF support for ECDSA sign/verify
+- Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch
+- Changed the ExclusiveArch directive to include s390x only.
+- The code in e_ibmca.c does a dlopen for libica.so.3, instead of
+  linking against the shared library. As a result, if the package
+  containing libica.so.3 isn't installed, problems occur. Added
+  a "Requires: libica3" to the spec file to fix this. (bsc#1142286)
+- Made a couple of changes to the spec file based on the output
+  from spec-cleaner.
+
+-------------------------------------------------------------------
+Fri Jun 28 18:10:29 UTC 2019 - Mark Post <mpost@suse.com>
+
+- Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch
+  An Apache HTTP Server was set up with mod_ssl and the openssl
+  ibmca engine using libica and a CEX6A card. Whenever a worker
+  process is cleaned up a segmentation fault occurs.
+  (bsc#1138517)
+
+-------------------------------------------------------------------
+Tue Nov 27 17:55:19 UTC 2018 - mpost@suse.com
+
+- Upgraded to version 2.0.2 (Fate#325688)
+  * openssl-ibmca 2.0.2
+    Fix doing rsa-me, altough rsa-crt would be possible.
+
+-------------------------------------------------------------------
+Thu Nov 15 20:17:04 UTC 2018 - mpost@suse.com
+
+- Upgraded to version 2.0.1 (Fate#325688)
+  * openssl-ibmca 2.0.1
+    Dont fail when a libica symbol cannot be resolved.
+- Made multiple changes to the spec file based on spec-cleaner output.
+
+-------------------------------------------------------------------
+Wed Nov 14 20:18:07 UTC 2018 - mpost@suse.com
+
+- Upgraded to version 2.0.0 (Fate#325688)
+  * openssl-ibmca 2.0.0
+    Add ECC support.
+    Add check and distcheck make-targets.
+    Project cleanup, code was broken into multiple files and coding style cleanup.
+    Improvements to compat macros for openssl.
+    Don't disable libica sw fallbacks.
+    Fix dlclose logic.
+  * openssl-ibmca 1.4.1
+    Fix structure size for aes-256-ecb/cbc/cfb/ofb
+    Update man page
+    Switch to ibmca.so filename to allow standalone use
+    Switch off Libica fallback mode if available
+    Make sure ibmca_init only runs once
+    Provide simple macro for DEBUG_PRINTF possibility
+    Cleanup and slight rework of function set_supported_meths
+- Did some cleanup to the spec file, based on spec-cleanup.
+- Removed the following obsolete patches:
+  * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch
+  * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch
+  * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch
+
+-------------------------------------------------------------------
+Fri Aug 31 19:37:39 UTC 2018 - mpost@suse.com
+
+- Added the following patches for bsc#1097463
+  * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch
+  * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch
+  * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch
+
+-------------------------------------------------------------------
+Fri Sep 22 18:07:10 UTC 2017 - mpost@suse.com
+
+- Upgraded to version 1.4.0
+  * Re-license to Apache License v2.0
+  * Fix aes_gcm initialization.
+  * Update man page.
+  * Add macros for OpenSSL 0.9.8 compat.
+  * Remove AC_FUNC_MALLOC from configure.ac
+  * Add compat macro for OpenSSL 1.0.1e-fips.
+  * Setting 'foreign' strictness for automake.
+  * Add AES-GCM support.
+  * Rework EVP_aes macros.
+  * Remove dependency of old local OpenSSL headers.
+  * Fix engine initialization to set function pointers only once.
+  * Remove blank COPYING and NEWS files.
+  * Remove INSTALL and move its content to README.md
+  * Update README.md file to make use of markdown.
+  * Rename README file to README.md to use markdown
+  * Add CONTRIBUTING guidelines.
+  * Adding coding style documentation.
+  * Enable EVP_MD_FLAG_FIPS flag for SHA-*.
+  * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0
+  * Fix SHA512 EVP digest struct to use 
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0
+  * Fix wrong parenthesis
+  * convert libica loading to dlopen() and friends
+  * Add support to DSO on new API of OpenSSL-1.1.0
+- Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch
+- Added BuildRequires for autoconf, automake, and libtool.
+- Updated BuildRequires for libica-devel to be >= 3.1.1
+
+-------------------------------------------------------------------
+Fri Sep 22 07:50:52 UTC 2017 - mpost@suse.com
+
+- Now that the openSSL engines directory is versioned:
+  * Modified the spec file to query the libcrypto package
+    for which directory to install the engine into.
+  * Removed openssl-ibmca-fix-enginepath.patch. Replaced it
+    with a sed command so that it will provide the correct
+    versioned engines directory
+- Removed openssl-ibmca-configure.patch. It doesn't seem to
+  be needed any longer.
+
+-------------------------------------------------------------------
+Tue Apr 11 15:09:03 UTC 2017 - mpost@suse.com
+
+- Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113)
+- Added libica-tools to the BuildRequires due to repackaging of libica.
+- Renamed BuildRequires from libica2-devel to libica-devel for the
+  same reason.
+- Tweaked a comment to get rid of an rpmlint warning message.
+
+-------------------------------------------------------------------
+Thu Oct 13 09:36:50 UTC 2016 - meissner@suse.com
+
+- fixed ssl configuration merging (bsc#1004463)
+- openssl-ibmca-fix-enginepath.patch: fix the engine path
+
+-------------------------------------------------------------------
+Wed Apr  6 19:07:43 UTC 2016 - mpluskal@suse.com
+
+- Use macro for configure (fate#319941)
+- Use url for source
+- Enable parallel building
+- Cleanup spec file with spec-cleaner
+
+-------------------------------------------------------------------
+Thu Mar 31 21:20:34 UTC 2016 - mpost@suse.com
+
+- Upgraded to version 1.3.0 (fate#319941)
+  - Updated openssl-ibmca-configure.patch to apply cleanly
+  - Removed obsolete patches
+    - openssl-ibmca-README.patch
+    - openssl-ibmca-sha256-digest-length.patch
+    - openssl-pkey.patch
+    - openssl-des-ede.patch
+- Did some spec file cleanup.
+
+-------------------------------------------------------------------
+Mon Mar 21 20:53:02 UTC 2016 - jjolly@suse.com
+
+- Fixed %post script to update library path (the only dynamic part
+  of the ibmca configuration) every time the package is installed.
+  (bsc#966139)
+
+-------------------------------------------------------------------
+Tue Oct 27 06:36:06 UTC 2015 - jjolly@suse.com
+
+- Updated AUTHORS, INSTALL, and README (bsc#942839)
+- %post and %postun added to properly update openssl.cnf (bsc#942839)
+
+-------------------------------------------------------------------
+Tue Oct 27 03:46:00 UTC 2015 - jjolly@suse.com
+
+- Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138)
+
+-------------------------------------------------------------------
+Sun Mar  8 17:15:03 UTC 2015 - p.drouand@gmail.com
+
+- Remove dependency on fillup anf insserv; the package provides 
+  neither sysconfig file nor sysvinit script
+- Remove depreciated AUTHORS section
+- Use %configure macro
+- Add openssl-ibmca-configure.patch
+
+-------------------------------------------------------------------
+Wed Dec  3 09:22:24 UTC 2014 - meissner@suse.com
+
+- the openssl engines moved to /%_lib/engines bnc#905480
+
+-------------------------------------------------------------------
+Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com
+
+- Forced requirement of libica-2_3_0 (bnc#890824)
+
+-------------------------------------------------------------------
+Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com
+
+- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) 
+- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes
+  fips self-test during EC key creation (bnc#879922)
+- spec file cleaned up a bit
+
+-------------------------------------------------------------------
+Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com
+
+- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message
+  digest length definition in sha256 template (bnc#868275)
+
+-------------------------------------------------------------------
+Wed Mar  5 18:51:25 CET 2014 - ro@suse.de
+
+- update to 1.2.0
+- removed patches:
+  ibmca-configure.patch
+  ibmca-segfault.fix.patch
+  ibmca-sw-fix.patch
+  openssl-ibmca-1.0.0.rc2-memset-fix.patch
+- make it exclusivearch for s390/s390x as the required libica
+  is only available for s390/s390x
+
+-------------------------------------------------------------------
+Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com
+
+- Made required libica-2_1_0 s390 specific
+- Added x86_64 to ExclusiveArch as %ix86 doesn't do it
+- Removed libica requirement - allowing build process to find it
+
+-------------------------------------------------------------------
+Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com
+
+- Added COPYING to %files
+
+-------------------------------------------------------------------
+Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com
+
+- Requiring libica 2.1.0 or greater
+
+-------------------------------------------------------------------
+Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com
+
+- enable ppc64le 
+
+-------------------------------------------------------------------
+Fri Mar 23 11:27:45 UTC 2012 - dvaleev@suse.com
+
+- fix build (add autoconf automake libtool to BuildRequires) 
+
+-------------------------------------------------------------------
+Thu Mar 24 17:19:11 UTC 2011 - coolo@novell.com
+
+- disable libtool --finish call
+
+-------------------------------------------------------------------
+Fri Dec 17 10:56:05 UTC 2010 - coolo@novell.com
+
+- own engines directory
+
+-------------------------------------------------------------------
+Mon Feb  1 12:13:29 UTC 2010 - jengelh@medozas.de
+
+- package baselibs.conf
+
+-------------------------------------------------------------------
+Wed Jan  7 12:34:56 CET 2009 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+  for multilib support
+
+-------------------------------------------------------------------
+Tue Feb 13 12:51:00 CET 2007 - uli@suse.de
+
+- added fixes by IBM (bug #243801):
+  ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM
+  object
+  ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM
+  object
+  openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem
+
+-------------------------------------------------------------------
+Mon Jun 19 17:22:37 CEST 2006 - uli@suse.de
+
+- updated README (bug #185508)
+
+-------------------------------------------------------------------
+Tue Mar 28 14:27:32 CEST 2006 - hare@suse.de
+
+- Fixed configure.in to build correctly
+- Fixed spec file
+- Initial version from Mike Halcrow
+
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@ -0,0 +1,218 @@
+#
+# spec file for package openssl-ibmca
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
+%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
+
+%global sslengcnf %{_sysconfdir}/ssl/engines3.d
+%global sslengdef %{_sysconfdir}/ssl/engdef3.d
+
+%define         flavor  @BUILD_FLAVOR@%{nil}
+
+%if "%{flavor}" == ""
+Name:           openssl-ibmca
+%endif
+
+%if "%{flavor}" == "engine"
+Name:           openssl-ibmca-engine
+%endif
+
+%if "%{flavor}" == "provider"
+Name:           openssl-ibmca-provider
+%endif
+
+%if "%{flavor}" == "openssl1_1"
+%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d
+%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d
+Name:           openssl1_1-ibmca
+%endif
+
+Version:        2.4.1
+Release:        0
+Summary:        The IBMCA OpenSSL dynamic engine
+License:        Apache-2.0
+Group:          Hardware/Other
+URL:            https://github.com/opencryptoki/openssl-ibmca
+Source:         https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz
+Source1:        engine_section.txt
+Source2:        _multibuild
+###
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+###
+%if "%{flavor}" != "openssl1_1"
+BuildRequires:  libica-devel >= 4.0.0
+BuildRequires:  libica-tools >= 4.0.0
+BuildRequires:  libopenssl-3-devel
+BuildRequires:  libopenssl3
+Requires:       libica4 >= 4.0.0
+Requires:       libopenssl3
+%else
+BuildRequires:  libica-openssl1_1-devel
+BuildRequires:  libica-openssl1_1-tools
+BuildRequires:  libopenssl-1_1-devel
+BuildRequires:  libopenssl1_1
+BuildRequires:  openssl
+Requires:       libica4-openssl1_1
+Requires:       libopenssl1_1
+%endif
+###
+ExclusiveArch:  s390x
+
+%if "%{flavor}" == "openssl1_1"
+Patch001:       openssl1-rename-libica-files.patch
+%endif
+
+###
+Patch10:        openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
+Patch11:        openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
+Patch12:        openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
+Patch13:        openssl-ibmca-04-engine-Fix-compile-error.patch
+###
+
+%description
+This package contains a shared object OpenSSL dynamic engine which interfaces
+to libica, a library enabling the IBM s390/x CPACF crypto instructions.
+
+%prep
+%autosetup -p1 -n openssl-ibmca-%{version}
+ ./bootstrap.sh
+
+%build
+export CFLAGS="%{optflags}"
+export CPPFLAGS="%{optflags}"
+
+%if "%{flavor}" == ""
+%configure \
+  --libdir=%{modulesdir}
+  mkdir -p %{buildroot}/%{enginesdir}
+%endif
+
+%if "%{flavor}" == "engine"
+%configure \
+  --disable-provider \
+  --libdir=%{enginesdir}
+%endif
+
+%if "%{flavor}" == "provider"
+%configure \
+  --disable-engine \
+  --libdir=%{modulesdir}
+%endif
+
+%if "%{flavor}" == "openssl1_1"
+%configure \
+  --libdir=%{enginesdir}
+%endif
+
+%make_build
+
+%install
+# Update the sample config file so that the dynamic path points
+# to the correct version of the engines directory.
+%if "%{flavor}" != "provider"
+sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample
+%endif
+
+%make_install
+
+%if "%{flavor}" == "openssl1_1"
+rm -f %{buildroot}/%{enginesdir}/ibmca-provider.*
+%endif
+
+%if "%{flavor}" == ""
+mkdir -p %{buildroot}/%{enginesdir}
+mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/
+%endif
+
+rm -f %{buildroot}/%{enginesdir}/ibmca*.la
+rm -f %{buildroot}/%{modulesdir}/ibmca*.la
+
+# This file contains the declaration of the ibmca engine section. It
+# needs to be on the "real" file system when the postinstall scriptlet
+# is run. It will be read by the openssl .include directive that points
+# to /etc/ssl/engines.d/
+mkdir -p %{buildroot}%{_datadir}/%{name}
+cp -p %{SOURCE1} %{buildroot}%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
+
+# This will create the actual engine definition section that will be usable
+# by the .include directive of openSSL. That include will be inserted during
+# the postinstall phase of the package installation.
+grep -v "^#" src/engine/openssl.cnf.sample | \
+    sed -n -e '/^\[ibmca_section\]/,$ p' | \
+    sed -e '/^$/ {N;N;s/\n\n/\n/g;}' | \
+    sed -e 's/^dynamic_path/#dynamic_path/' > %{buildroot}%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
+
+%post
+#Original fix for bsc#942839 was to update on first install
+#For bsc#966139 update if openssl_def not found
+
+mkdir -p %{sslengcnf}
+mkdir -p %{sslengdef}
+cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf
+cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf
+
+%if "%{flavor}" == ""
+if [ -f "%{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig" ]; then
+   cp -p %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
+   sed -e 's/ossl-modules/engines-3/' %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig
+   rm %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
+fi
+%endif
+
+%postun
+if [ $1 -eq 0 ]; then # last uninstall
+  rm -f %{sslengcnf}/openssl-ibmca.cnf
+  rm -f %{sslengdef}/openssl-ibmca.cnf
+fi
+
+%files
+%license LICENSE
+%doc ChangeLog
+%doc README.md
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
+%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
+%if "%{flavor}" == ""
+    %doc src/engine/ibmca-engine-opensslconfig
+    %doc src/provider/ibmca-provider-opensslconfig
+    %doc src/engine/openssl.cnf.sample
+    %{enginesdir}/ibmca.*
+    %{modulesdir}/ibmca-provider.*
+    %{_mandir}/man5/ibmca.5%{?ext_man}
+    %{_mandir}/man5/ibmca-provider.5%{?ext_man}
+%endif
+%if "%{flavor}" == "provider"
+    %doc src/provider/ibmca-provider-opensslconfig
+    %{modulesdir}/ibmca-provider.*
+    %{_mandir}/man5/ibmca-provider.5%{?ext_man}
+%endif
+%if "%{flavor}" == "engine"
+    %doc src/engine/ibmca-engine-opensslconfig
+    %doc src/engine/openssl.cnf.sample
+    %{enginesdir}/ibmca.*
+    %{_mandir}/man5/ibmca.5%{?ext_man}
+%endif
+%if "%{flavor}" == "openssl1_1"
+    %doc src/engine/openssl.cnf.sample
+    %{enginesdir}/ibmca.*
+    %{_mandir}/man5/ibmca.5%{?ext_man}
+%endif
+
+%changelog
--- a/openssl1-rename-libica-files.patch
+++ b/openssl1-rename-libica-files.patch
@ -0,0 +1,65 @@
+--- openssl-ibmca-2.4.1/configure.ac	2023-09-21 08:52:43.000000000 +0200
+++ changed/configure.ac	2024-04-17 10:13:02.267582864 +0200
+@@ -69,7 +69,7 @@
+ # Checks for header files.
+ AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \
+                  string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
+-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***]))
+AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***]))
+ 
+ 
+ # Checks for typedefs, structures, and compiler characteristics.
+@@ -81,15 +81,15 @@
+ # Checks for library functions.
+ AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc])
+ AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [],
+-		AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]),
+		AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]),
+ 		[#include <ica_api.h>])
+ AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION],
+ 		[openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"],
+ 		[#include <openssl/core_names.h>])
+ AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes])
+ 
+-AC_ARG_WITH([libica-cex],
+-	[AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])],
+AC_ARG_WITH([libica-openssl1_1-cex],
+	[AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])],
+ 	[usecexonly=${withval}],
+ 	[])
+ 
+@@ -99,11 +99,11 @@
+ 	[libicaversion=4])
+ 
+ if test "x$usecexonly" = xyes; then
+-	defaultlib="libica-cex.so.$libicaversion"
+-	ica="ica-cex"
+	defaultlib="libica-openssl1_1-cex.so.$libicaversion"
+	ica="ica-openssl1_1-cex"
+ else
+-	defaultlib="libica.so.$libicaversion"
+-	ica="ica"
+	defaultlib="libica-openssl1_1.so.$libicaversion"
+	ica="ica-openssl1_1"
+ fi
+ # In cex-only mode, testing the ciphers does not make any sense since
+ # they will fall back to OpenSSL without the engine.  So remove these
+@@ -135,7 +135,7 @@
+ 
+ 
+ AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"])
+-AC_SUBST([ICA],["$ica"])
+AC_SUBST([ICA],["$ica-openssl1_1"])
+ 
+ AC_CHECK_PROG([openssl_var],[openssl],[yes],[no])
+ if test "x$openssl_var" != xyes; then
+@@ -169,7 +169,7 @@
+ echo "  default library: $defaultlib"
+ echo "IBMCA provider:    $enable_provider"
+ if test "x$useproviderfulllibica" = xyes; then
+-	echo "  libica library:  libica"
+	echo "  libica library:  libica-openssl1_1"
+ else
+-	echo "  libica library:  libica-cex"
+	echo "  libica library:  libica-openssl1_1-cex"
+ fi