From 6345fc1b786d260983c1152da878b001bbf0b7f478884e5c38ebb8e6def7d4ce Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Thu, 4 Apr 2024 05:23:49 +0000 Subject: [PATCH 01/10] Accepting request 1164459 from home:ngueorguiev:branches:security:tls - Amended the .spec file (bsc#1221627) * Removed the flavors OBS-URL: https://build.opensuse.org/request/show/1164459 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=60 --- _multibuild | 5 ----- openssl-ibmca.changes | 6 ++++++ openssl-ibmca.spec | 46 +++++-------------------------------------- 3 files changed, 11 insertions(+), 46 deletions(-) delete mode 100644 _multibuild diff --git a/_multibuild b/_multibuild deleted file mode 100644 index fb1e135..0000000 --- a/_multibuild +++ /dev/null @@ -1,5 +0,0 @@ - - openssl1 - engine - provider - diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index 6f3e2c9..deca8cd 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Apr 4 04:37:18 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1221627) + * Removed the flavors + ------------------------------------------------------------------- Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 8709b6b..89539ad 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -16,27 +16,7 @@ # -%define flavor @BUILD_FLAVOR@%{nil} - -%if "%{flavor}" == "" %define openssl3 1 -%define provider 0 -%endif - -%if "%{flavor}" == "openssl1" -%define openssl3 0 -%define provider 0 -%endif - -%if "%{flavor}" == "engine" -%define openssl3 1 -%define provider 0 -%endif - -%if "%{flavor}" == "provider" -%define openssl3 1 -%define provider 1 -%endif %global enginesdir %(pkg-config --variable=enginesdir libcrypto) %global modulesdir %(pkg-config --variable=modulesdir libcrypto) @@ -50,7 +30,6 @@ Group: Hardware/Other URL: https://github.com/opencryptoki/openssl-ibmca Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: engine_section.txt -Source2: _multibuild ### BuildRequires: autoconf BuildRequires: automake @@ -79,35 +58,23 @@ to libica, a library enabling the IBM s390/x CPACF crypto instructions. export CFLAGS="%{optflags}" export CPPFLAGS="%{optflags}" -%if %{provider} - %configure \ - --disable-engine \ +%configure \ --libdir=%{modulesdir} -%else - %configure \ - --disable-provider \ - --libdir=%{enginesdir} -%endif + +mkdir -p %{buildroot}/%{enginesdir} %make_build %install -%if %{provider} -# -### -# -%else # Update the sample config file so that the dynamic path points # to the correct version of the engines directory. sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample -%endif %make_install -%if %{provider} + rm -f %{buildroot}/%{modulesdir}/ibmca-provider.la -%else +mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ rm -f %{buildroot}/%{enginesdir}/ibmca.la -%endif # This file contains the declaration of the ibmca engine section. It # needs to be on the "real" file system when the postinstall scriptlet @@ -156,13 +123,10 @@ fi %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %if %{openssl3} - %if %{provider} %{modulesdir}/ibmca-provider.* %{_mandir}/man5/ibmca-provider.5%{?ext_man} - %else %{enginesdir}/ibmca.* %{_mandir}/man5/ibmca.5%{?ext_man} - %endif %else %{enginesdir}/ibmca.* %{_mandir}/man5/ibmca.5%{?ext_man} From 57d149fac0cb7e339705a0e204cf7d6d993ad1e6ad6e3c031dce09a9929a3b17 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Thu, 4 Apr 2024 07:21:13 +0000 Subject: [PATCH 02/10] Accepting request 1164500 from home:ngueorguiev:branches:security:tls - Amended the .spec file (bsc#1221627) * Removed the flavors * Removed 'muiltibuild' environment * Removed the 'provider' logic - Updated the .spec file (bsc#1218933, bsc#1221627) * Amended the .spec file to use modulesdir variable - Implemented _multibuild environment (openssl1, engine, provider) - Added a flag and logic for provider in the .spec file * When provider is set to 1, it 'configures' the provider * When provider is set to 0, it 'configures' the engine - Removed an obsolete patch (implemented in the version 2.4.1) * openssl-ibmca-engine-noregister.patch - Upgrade to version 2.4.1 (jsc#PED-5422) * Provider: Change the default log directory to /tmp * Bug fixes - Updated the .spec file, amended to use libica4 instead of libica * Requires: libica4 >= 4 - Updated the .spec file * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries - Updated the .spec file as follow: * BuildRequires: libica-devel >= 4.0.0 * BuildRequires: libica-tools >= 4.0.0 - Added dependency on libica4 (bsc#1209038) * BuildRequires and Requires statements in .spec file for libica4 - Applies a patch (bsc#1210359) * openssl-ibmca-engine-noregister.patch - Updated the '#dynamic_path' line, as it was before, with the comment '#'. - Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) * openssl-ibmca 2.4.0 - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 - Provider: Support RSA blinding - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding - Provider: Adjustments in OpenSSL config generator and example configs - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) - Engine: Enable RSA blinding - Updated .spec file removed '#' from the line containing 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) - Added in %files * /usr/lib64/engines-3/ibmca-provider.la * /usr/lib64/engines-3/ibmca-provider.so - Upgraded to version 2.3.1 (jsc#PED-597) * openssl-ibmca 2.3.1 - Adjustments for libica 4.1.0 * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources * openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 - Removed a Requires for libica from the specfile. - Removed the obsolete baselibs.conf file - Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/request/show/1164500 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=61 --- openssl-ibmca.changes | 4 +++- openssl-ibmca.spec | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index deca8cd..73ccdaf 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,8 +1,10 @@ ------------------------------------------------------------------- -Thu Apr 4 04:37:18 UTC 2024 - Nikolay Gueorguiev +Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev - Amended the .spec file (bsc#1221627) * Removed the flavors + * Removed 'muiltibuild' environment + * Removed the 'provider' logic ------------------------------------------------------------------- Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 89539ad..703afa9 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -118,7 +118,8 @@ fi %doc ChangeLog %doc README.md %doc src/engine/openssl.cnf.sample -%doc src/engine/ibmca-engine-opensslconfig.in +%doc src/engine/ibmca-engine-opensslconfig +%doc src/provider/ibmca-provider-opensslconfig %dir %{_datadir}/%{name} %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf From 81a2f2876eb4d4b84128e5947addc5d3ae17677aaef1492ddb0f0cc73c264e44 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Thu, 4 Apr 2024 14:16:32 +0000 Subject: [PATCH 03/10] Accepting request 1164961 from home:ngueorguiev:branches:security:tls - Amended the .spec file (bsc#1221627) * Removed the flavors * Removed 'muiltibuild' environment * Removed the 'provider' logic - Updated the .spec file (bsc#1218933, bsc#1221627) * Amended the .spec file to use modulesdir variable - Implemented _multibuild environment (openssl1, engine, provider) - Added a flag and logic for provider in the .spec file * When provider is set to 1, it 'configures' the provider * When provider is set to 0, it 'configures' the engine - Removed an obsolete patch (implemented in the version 2.4.1) * openssl-ibmca-engine-noregister.patch - Upgrade to version 2.4.1 (jsc#PED-5422) * Provider: Change the default log directory to /tmp * Bug fixes - Updated the .spec file, amended to use libica4 instead of libica * Requires: libica4 >= 4 - Updated the .spec file * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries - Updated the .spec file as follow: * BuildRequires: libica-devel >= 4.0.0 * BuildRequires: libica-tools >= 4.0.0 - Added dependency on libica4 (bsc#1209038) * BuildRequires and Requires statements in .spec file for libica4 - Applies a patch (bsc#1210359) * openssl-ibmca-engine-noregister.patch - Updated the '#dynamic_path' line, as it was before, with the comment '#'. - Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) * openssl-ibmca 2.4.0 - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 - Provider: Support RSA blinding - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding - Provider: Adjustments in OpenSSL config generator and example configs - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) - Engine: Enable RSA blinding - Updated .spec file removed '#' from the line containing 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) - Added in %files * /usr/lib64/engines-3/ibmca-provider.la * /usr/lib64/engines-3/ibmca-provider.so - Upgraded to version 2.3.1 (jsc#PED-597) * openssl-ibmca 2.3.1 - Adjustments for libica 4.1.0 * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources * openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 - Removed a Requires for libica from the specfile. - Removed the obsolete baselibs.conf file - Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/request/show/1164961 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=62 --- openssl-ibmca.changes | 2 +- openssl-ibmca.spec | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index 73ccdaf..f1dbf73 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,5 +1,5 @@ ------------------------------------------------------------------- -Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev +Thu Apr 4 13:56:01 UTC 2024 - Nikolay Gueorguiev - Amended the .spec file (bsc#1221627) * Removed the flavors diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 703afa9..cef1a32 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -73,6 +73,7 @@ sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sa %make_install rm -f %{buildroot}/%{modulesdir}/ibmca-provider.la +mkdir -p %{buildroot}/%{enginesdir} mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ rm -f %{buildroot}/%{enginesdir}/ibmca.la @@ -105,6 +106,10 @@ SSLENGDEF=%{_sysconfdir}/ssl/engdef.d cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt ${SSLENGCNF}/openssl-ibmca.cnf cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf ${SSLENGDEF}/openssl-ibmca.cnf +cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig +sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig +rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig + %postun SSLENGCNF=%{_sysconfdir}/ssl/engines.d SSLENGDEF=%{_sysconfdir}/ssl/engdef.d From 5fb994c22219a329cce6aea8afe7d3ce400fdaa3da42dd56e511bb52b5c767a7 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Fri, 5 Apr 2024 06:41:44 +0000 Subject: [PATCH 04/10] Accepting request 1165422 from home:ngueorguiev:branches:security:tls - Changing/editing 'dynamic_path' after the installation on the target system * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig - Amended the .spec file (bsc#1221627) * Removed the flavors * Removed 'muiltibuild' environment * Removed the 'provider' logic - Updated the .spec file (bsc#1218933, bsc#1221627) * Amended the .spec file to use modulesdir variable - Implemented _multibuild environment (openssl1, engine, provider) - Added a flag and logic for provider in the .spec file * When provider is set to 1, it 'configures' the provider * When provider is set to 0, it 'configures' the engine - Removed an obsolete patch (implemented in the version 2.4.1) * openssl-ibmca-engine-noregister.patch - Upgrade to version 2.4.1 (jsc#PED-5422) * Provider: Change the default log directory to /tmp * Bug fixes - Updated the .spec file, amended to use libica4 instead of libica * Requires: libica4 >= 4 - Updated the .spec file * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries - Updated the .spec file as follow: * BuildRequires: libica-devel >= 4.0.0 * BuildRequires: libica-tools >= 4.0.0 - Added dependency on libica4 (bsc#1209038) * BuildRequires and Requires statements in .spec file for libica4 - Applies a patch (bsc#1210359) * openssl-ibmca-engine-noregister.patch - Updated the '#dynamic_path' line, as it was before, with the comment '#'. - Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) * openssl-ibmca 2.4.0 - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 - Provider: Support RSA blinding - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding - Provider: Adjustments in OpenSSL config generator and example configs - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) - Engine: Enable RSA blinding - Updated .spec file removed '#' from the line containing 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) - Added in %files * /usr/lib64/engines-3/ibmca-provider.la * /usr/lib64/engines-3/ibmca-provider.so - Upgraded to version 2.3.1 (jsc#PED-597) * openssl-ibmca 2.3.1 - Adjustments for libica 4.1.0 * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources * openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 - Removed a Requires for libica from the specfile. - Removed the obsolete baselibs.conf file - Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/request/show/1165422 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=63 --- openssl-ibmca.changes | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index f1dbf73..dd57256 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,5 +1,12 @@ ------------------------------------------------------------------- -Thu Apr 4 13:56:01 UTC 2024 - Nikolay Gueorguiev +Fri Apr 5 06:07:48 UTC 2024 - Nikolay Gueorguiev + +- Changing/editing 'dynamic_path' after the installation on the target system + * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in + /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig + +------------------------------------------------------------------- +Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev - Amended the .spec file (bsc#1221627) * Removed the flavors From f97e95c8e8888f39bcc82942f25ec75c1f6802cab53dc98bc60ea4d9d49a71ab Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Tue, 9 Apr 2024 16:08:01 +0000 Subject: [PATCH 05/10] Accepting request 1166481 from home:ngueorguiev:branches:security:tls - Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) +------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +------------+---------------------------------+--------------------------+ | '' | openssl-ibmca | openssl1 flavor | | engine | openssl3-ibmca-engine | Only engine | | provider | openssl3-ibmca-provider | Only provider | | openssl3 | openssl3-ibmca | Both engine and provider | +------------+---------------------------------+--------------------------+ - Changing/editing 'dynamic_path' after the installation on the target system * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig for openssl3 flavor - Amended the .spec file (bsc#1221627) * Removed the flavors * Removed 'muiltibuild' environment * Removed the 'provider' logic - Updated the .spec file (bsc#1218933, bsc#1221627) * Amended the .spec file to use modulesdir variable - Implemented _multibuild environment (openssl1, engine, provider) - Added a flag and logic for provider in the .spec file * When provider is set to 1, it 'configures' the provider * When provider is set to 0, it 'configures' the engine - Removed an obsolete patch (implemented in the version 2.4.1) * openssl-ibmca-engine-noregister.patch - Upgrade to version 2.4.1 (jsc#PED-5422) * Provider: Change the default log directory to /tmp * Bug fixes - Updated the .spec file, amended to use libica4 instead of libica * Requires: libica4 >= 4 - Updated the .spec file * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries - Updated the .spec file as follow: * BuildRequires: libica-devel >= 4.0.0 * BuildRequires: libica-tools >= 4.0.0 - Added dependency on libica4 (bsc#1209038) * BuildRequires and Requires statements in .spec file for libica4 - Applies a patch (bsc#1210359) * openssl-ibmca-engine-noregister.patch - Updated the '#dynamic_path' line, as it was before, with the comment '#'. - Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) * openssl-ibmca 2.4.0 - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 - Provider: Support RSA blinding - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding - Provider: Adjustments in OpenSSL config generator and example configs - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) - Engine: Enable RSA blinding - Updated .spec file removed '#' from the line containing 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) - Added in %files * /usr/lib64/engines-3/ibmca-provider.la * /usr/lib64/engines-3/ibmca-provider.so - Upgraded to version 2.3.1 (jsc#PED-597) * openssl-ibmca 2.3.1 - Adjustments for libica 4.1.0 * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources * openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 - Removed a Requires for libica from the specfile. - Removed the obsolete baselibs.conf file - Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/request/show/1166481 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=64 --- _multibuild | 5 ++ openssl-ibmca.changes | 14 ++++- openssl-ibmca.spec | 125 ++++++++++++++++++++++++++++++------------ 3 files changed, 108 insertions(+), 36 deletions(-) create mode 100644 _multibuild diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..d8cd31d --- /dev/null +++ b/_multibuild @@ -0,0 +1,5 @@ + + openssl3 + engine + provider + diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index dd57256..8215659 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,9 +1,19 @@ ------------------------------------------------------------------- -Fri Apr 5 06:07:48 UTC 2024 - Nikolay Gueorguiev +Tue Apr 9 14:08:05 UTC 2024 - Nikolay Gueorguiev +- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) + +------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | openssl1 flavor | + | engine | openssl3-ibmca-engine | Only engine | + | provider | openssl3-ibmca-provider | Only provider | + | openssl3 | openssl3-ibmca | Both engine and provider | + +------------+---------------------------------+--------------------------+ - Changing/editing 'dynamic_path' after the installation on the target system * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in - /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig + /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig + for openssl3 flavor ------------------------------------------------------------------- Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index cef1a32..f14a97a 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -16,20 +16,41 @@ # -%define openssl3 1 - %global enginesdir %(pkg-config --variable=enginesdir libcrypto) %global modulesdir %(pkg-config --variable=modulesdir libcrypto) +%global sslengcnf %{_sysconfdir}/ssl/engines3.d +%global sslengdef %{_sysconfdir}/ssl/engdef3.d + +%define flavor @BUILD_FLAVOR@%{nil} + +%if "%{flavor}" == "" +%global sslengcnf %{_sysconfdir}/ssl/engines.d +%global sslengdef %{_sysconfdir}/ssl/engdef.d Name: openssl-ibmca +%endif + +%if "%{flavor}" == "openssl3" +Name: openssl3-ibmca +%endif + +%if "%{flavor}" == "engine" +Name: openssl3-ibmca-engine +%endif + +%if "%{flavor}" == "provider" +Name: openssl3-ibmca-provider +%endif + Version: 2.4.1 Release: 0 Summary: The IBMCA OpenSSL dynamic engine License: Apache-2.0 Group: Hardware/Other URL: https://github.com/opencryptoki/openssl-ibmca -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source: https://github.com/opencryptoki/opensll-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz Source1: engine_section.txt +Source2: _multibuild ### BuildRequires: autoconf BuildRequires: automake @@ -37,12 +58,12 @@ BuildRequires: libica-devel >= 4.0.0 BuildRequires: libica-tools >= 4.0.0 BuildRequires: libtool Requires: libica4 >= 4 -%if %{openssl3} -BuildRequires: openssl-devel > 3.0.0 -Requires: openssl > 3.0.0 +%if "%{flavor}" != "" +BuildRequires: libopenssl3 +Requires: libopenssl3 %else -BuildRequires: openssl-devel -Requires: openssl +BuildRequires: libopenssl1_1 +Requires: libopenssl1_1 %endif ExclusiveArch: s390x @@ -51,31 +72,58 @@ This package contains a shared object OpenSSL dynamic engine which interfaces to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%autosetup -p1 +%autosetup -p1 -n openssl-ibmca-%{version} ./bootstrap.sh %build export CFLAGS="%{optflags}" export CPPFLAGS="%{optflags}" +%if "%{flavor}" == "openssl3" %configure \ --libdir=%{modulesdir} + mkdir -p %{buildroot}/%{enginesdir} +%endif -mkdir -p %{buildroot}/%{enginesdir} +%if "%{flavor}" == "engine" +%configure \ + --disable-provider \ + --libdir=%{enginesdir} +%endif + +%if "%{flavor}" == "provider" +%configure \ + --disable-engine \ + --libdir=%{modulesdir} +%endif + +%if "%{flavor}" == "" +%configure \ + --libdir=%{enginesdir} +%endif %make_build %install # Update the sample config file so that the dynamic path points # to the correct version of the engines directory. +%if "%{flavor}" != "provider" sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample +%endif %make_install +%if "%{flavor}" == "" +rm -f %{buildroot}/%{enginesdir}/ibmca-provider.* +rm -f %{buildroot}%{_mandir}/man5/ibmca-provider.5.gz +%endif + +%if "%{flavor}" == "openssl3" +rm -f %{buildroot}/%{modulesdir}/ibmca.la rm -f %{buildroot}/%{modulesdir}/ibmca-provider.la mkdir -p %{buildroot}/%{enginesdir} mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ -rm -f %{buildroot}/%{enginesdir}/ibmca.la +%endif # This file contains the declaration of the ibmca engine section. It # needs to be on the "real" file system when the postinstall scriptlet @@ -95,47 +143,56 @@ grep -v "^#" src/engine/openssl.cnf.sample | \ %post #Original fix for bsc#942839 was to update on first install #For bsc#966139 update if openssl_def not found -SSLENGCNF=%{_sysconfdir}/ssl/engines.d -SSLENGDEF=%{_sysconfdir}/ssl/engdef.d -%if %{openssl3} - mkdir -p ${SSLENGCNF} - mkdir -p ${SSLENGDEF} +mkdir -p %{sslengcnf} +mkdir -p %{sslengdef} +cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf +cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf + +%if "%{flavor}" == "openssl3" + cp -p /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig.orig + sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig + rm /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig.orig %endif -cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt ${SSLENGCNF}/openssl-ibmca.cnf -cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf ${SSLENGDEF}/openssl-ibmca.cnf - -cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig -sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig -rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig - %postun -SSLENGCNF=%{_sysconfdir}/ssl/engines.d -SSLENGDEF=%{_sysconfdir}/ssl/engdef.d if [ $1 -eq 0 ]; then # last uninstall - rm -f ${SSLENGCNF}/openssl-ibmca.cnf - rm -f ${SSLENGDEF}/openssl-ibmca.cnf + rm -f %{sslengcnf}/openssl-ibmca.cnf + rm -f %{sslengdef}/openssl-ibmca.cnf fi %files %license LICENSE %doc ChangeLog %doc README.md -%doc src/engine/openssl.cnf.sample -%doc src/engine/ibmca-engine-opensslconfig -%doc src/provider/ibmca-provider-opensslconfig %dir %{_datadir}/%{name} %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf -%if %{openssl3} +%if "%{flavor}" == "openssl3" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/provider/ibmca-provider-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca.5%{?ext_man} + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "provider" + %doc src/provider/ibmca-provider-opensslconfig %{modulesdir}/ibmca-provider.* %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "engine" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/engine/openssl.cnf.sample %{enginesdir}/ibmca.* %{_mandir}/man5/ibmca.5%{?ext_man} -%else - %{enginesdir}/ibmca.* - %{_mandir}/man5/ibmca.5%{?ext_man} +%endif +%if "%{flavor}" == "" + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{_mandir}/man5/ibmca.5%{?ext_man} + %{_mandir}/man5/ibmca-provider.5%{?ext_man} %endif %changelog From 1c1bc15f2dbff4eaef76b36a93516096527a44a7c74dd2c1638c20d1c4ca766a Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 10 Apr 2024 08:01:09 +0000 Subject: [PATCH 06/10] Accepting request 1166593 from home:ngueorguiev:branches:security:tls Re-implemented flavors (openssl3, engine, provider) OBS-URL: https://build.opensuse.org/request/show/1166593 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=65 --- openssl-ibmca.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index f14a97a..c529862 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -48,7 +48,7 @@ Summary: The IBMCA OpenSSL dynamic engine License: Apache-2.0 Group: Hardware/Other URL: https://github.com/opencryptoki/openssl-ibmca -Source: https://github.com/opencryptoki/opensll-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz +Source: https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz Source1: engine_section.txt Source2: _multibuild ### @@ -115,16 +115,16 @@ sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sa %if "%{flavor}" == "" rm -f %{buildroot}/%{enginesdir}/ibmca-provider.* -rm -f %{buildroot}%{_mandir}/man5/ibmca-provider.5.gz %endif %if "%{flavor}" == "openssl3" -rm -f %{buildroot}/%{modulesdir}/ibmca.la -rm -f %{buildroot}/%{modulesdir}/ibmca-provider.la mkdir -p %{buildroot}/%{enginesdir} mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ %endif +rm -f %{buildroot}/%{enginesdir}/ibmca*.la +rm -f %{buildroot}/%{modulesdir}/ibmca*.la + # This file contains the declaration of the ibmca engine section. It # needs to be on the "real" file system when the postinstall scriptlet # is run. It will be read by the openssl .include directive that points From a4456cfb8258bab1b15d6b26bb374ca2a36ee6305e476350d499dda02c6d2485 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 17 Apr 2024 12:50:11 +0000 Subject: [PATCH 07/10] Accepting request 1168543 from home:ngueorguiev:branches:security:tls - Amended the .spec file - Changed the package names +------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +------------+---------------------------------+--------------------------+ | '' | openssl1_1-ibmca | openssl1 flavor | | engine | openssl-ibmca-engine | Only engine | | provider | openssl-ibmca-provider | Only provider | | openssl3 | openssl-ibmca | Both engine and provider | +------------+---------------------------------+--------------------------+ - Applied a patch for openssl1_1 (bsc#1221627) * openssl1-rename-libica-files.patch OBS-URL: https://build.opensuse.org/request/show/1168543 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=66 --- openssl-ibmca.changes | 20 +++++++++ openssl-ibmca.spec | 39 +++++++++++------- openssl1-rename-libica-files.patch | 65 ++++++++++++++++++++++++++++++ 3 files changed, 110 insertions(+), 14 deletions(-) create mode 100644 openssl1-rename-libica-files.patch diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index 8215659..522063d 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Wed Apr 17 10:14:00 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file +- Changed the package names + +------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +------------+---------------------------------+--------------------------+ + | '' | openssl1_1-ibmca | openssl1 flavor | + | engine | openssl-ibmca-engine | Only engine | + | provider | openssl-ibmca-provider | Only provider | + | openssl3 | openssl-ibmca | Both engine and provider | + +------------+---------------------------------+--------------------------+ + +------------------------------------------------------------------- +Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev + +- Applied a patch for openssl1_1 (bsc#1221627) + * openssl1-rename-libica-files.patch + ------------------------------------------------------------------- Tue Apr 9 14:08:05 UTC 2024 - Nikolay Gueorguiev diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index c529862..adc364c 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl-ibmca +# spec file for package openssl1_1-ibmca # # Copyright (c) 2024 SUSE LLC # @@ -25,21 +25,21 @@ %define flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "" -%global sslengcnf %{_sysconfdir}/ssl/engines.d -%global sslengdef %{_sysconfdir}/ssl/engdef.d -Name: openssl-ibmca +%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d +%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d +Name: openssl1_1-ibmca %endif %if "%{flavor}" == "openssl3" -Name: openssl3-ibmca +Name: openssl-ibmca %endif %if "%{flavor}" == "engine" -Name: openssl3-ibmca-engine +Name: openssl-ibmca-engine %endif %if "%{flavor}" == "provider" -Name: openssl3-ibmca-provider +Name: openssl-ibmca-provider %endif Version: 2.4.1 @@ -54,19 +54,31 @@ Source2: _multibuild ### BuildRequires: autoconf BuildRequires: automake +BuildRequires: libtool +### +%if "%{flavor}" != "" BuildRequires: libica-devel >= 4.0.0 BuildRequires: libica-tools >= 4.0.0 -BuildRequires: libtool -Requires: libica4 >= 4 -%if "%{flavor}" != "" +BuildRequires: libopenssl-3-devel BuildRequires: libopenssl3 +Requires: libica4 >= 4.0.0 Requires: libopenssl3 %else +BuildRequires: libica-openssl1_1-devel +BuildRequires: libica-openssl1_1-tools +BuildRequires: libopenssl-1_1-devel BuildRequires: libopenssl1_1 +BuildRequires: openssl +Requires: libica4-openssl1_1 Requires: libopenssl1_1 %endif +### ExclusiveArch: s390x +%if "%{flavor}" == "" +Patch001: openssl1-rename-libica-files.patch +%endif + %description This package contains a shared object OpenSSL dynamic engine which interfaces to libica, a library enabling the IBM s390/x CPACF crypto instructions. @@ -150,9 +162,9 @@ cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmc cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf %if "%{flavor}" == "openssl3" - cp -p /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig.orig - sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig - rm /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig.orig + cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig + sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig + rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig %endif %postun @@ -192,7 +204,6 @@ fi %doc src/engine/openssl.cnf.sample %{enginesdir}/ibmca.* %{_mandir}/man5/ibmca.5%{?ext_man} - %{_mandir}/man5/ibmca-provider.5%{?ext_man} %endif %changelog diff --git a/openssl1-rename-libica-files.patch b/openssl1-rename-libica-files.patch new file mode 100644 index 0000000..ba42cb6 --- /dev/null +++ b/openssl1-rename-libica-files.patch @@ -0,0 +1,65 @@ +--- openssl-ibmca-2.4.1/configure.ac 2023-09-21 08:52:43.000000000 +0200 ++++ changed/configure.ac 2024-04-17 10:13:02.267582864 +0200 +@@ -69,7 +69,7 @@ + # Checks for header files. + AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ + string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) +-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***])) ++AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***])) + + + # Checks for typedefs, structures, and compiler characteristics. +@@ -81,15 +81,15 @@ + # Checks for library functions. + AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) + AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [], +- AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]), ++ AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]), + [#include ]) + AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION], + [openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"], + [#include ]) + AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes]) + +-AC_ARG_WITH([libica-cex], +- [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])], ++AC_ARG_WITH([libica-openssl1_1-cex], ++ [AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])], + [usecexonly=${withval}], + []) + +@@ -99,11 +99,11 @@ + [libicaversion=4]) + + if test "x$usecexonly" = xyes; then +- defaultlib="libica-cex.so.$libicaversion" +- ica="ica-cex" ++ defaultlib="libica-openssl1_1-cex.so.$libicaversion" ++ ica="ica-openssl1_1-cex" + else +- defaultlib="libica.so.$libicaversion" +- ica="ica" ++ defaultlib="libica-openssl1_1.so.$libicaversion" ++ ica="ica-openssl1_1" + fi + # In cex-only mode, testing the ciphers does not make any sense since + # they will fall back to OpenSSL without the engine. So remove these +@@ -135,7 +135,7 @@ + + + AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"]) +-AC_SUBST([ICA],["$ica"]) ++AC_SUBST([ICA],["$ica-openssl1_1"]) + + AC_CHECK_PROG([openssl_var],[openssl],[yes],[no]) + if test "x$openssl_var" != xyes; then +@@ -169,7 +169,7 @@ + echo " default library: $defaultlib" + echo "IBMCA provider: $enable_provider" + if test "x$useproviderfulllibica" = xyes; then +- echo " libica library: libica" ++ echo " libica library: libica-openssl1_1" + else +- echo " libica library: libica-cex" ++ echo " libica library: libica-openssl1_1-cex" + fi From 01268ca482dd1296786a1834b6edffb6f663737a0b91877e83575f56adb7adc1 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 17 Apr 2024 13:04:59 +0000 Subject: [PATCH 08/10] Accepting request 1168552 from home:ngueorguiev:branches:security:tls - Amended the .spec file - Changed the package names +------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +------------+---------------------------------+--------------------------+ | '' | openssl1_1-ibmca | openssl1 flavor | | engine | openssl-ibmca-engine | Only engine | | provider | openssl-ibmca-provider | Only provider | | openssl3 | openssl-ibmca | Both engine and provider | +------------+---------------------------------+--------------------------+ - Applied a patch for openssl1_1 (bsc#1221627) * openssl1-rename-libica-files.patch OBS-URL: https://build.opensuse.org/request/show/1168552 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=67 --- openssl-ibmca.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index adc364c..a65485c 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl1_1-ibmca +# spec file for package openssl-ibmca # # Copyright (c) 2024 SUSE LLC # From 450c38b5ae5fefb852b3ab197e742c01dadacc22585b6be2981dc5dec3e959f1 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 17 Apr 2024 14:35:05 +0000 Subject: [PATCH 09/10] Accepting request 1168592 from home:ngueorguiev:branches:security:tls - Amended the .spec file - Changed the package names +-------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +-------------+---------------------------------+--------------------------+ | '' | openssl-ibmca | Both engine and provider | | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | | engine | openssl-ibmca-engine | Only engine | | provider | openssl-ibmca-provider | Only provider | +-------------+---------------------------------+--------------------------+ - Applied a patch for openssl1_1 (bsc#1221627) * openssl1-rename-libica-files.patch - Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) +------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +------------+---------------------------------+--------------------------+ | '' | openssl-ibmca | openssl1 flavor | | engine | openssl3-ibmca-engine | Only engine | | provider | openssl3-ibmca-provider | Only provider | | openssl3 | openssl3-ibmca | Both engine and provider | +------------+---------------------------------+--------------------------+ - Changing/editing 'dynamic_path' after the installation on the target system * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig for openssl3 flavor - Amended the .spec file (bsc#1221627) * Removed the flavors * Removed 'muiltibuild' environment * Removed the 'provider' logic - Updated the .spec file (bsc#1218933, bsc#1221627) * Amended the .spec file to use modulesdir variable - Implemented _multibuild environment (openssl1, engine, provider) - Added a flag and logic for provider in the .spec file * When provider is set to 1, it 'configures' the provider * When provider is set to 0, it 'configures' the engine - Removed an obsolete patch (implemented in the version 2.4.1) * openssl-ibmca-engine-noregister.patch - Upgrade to version 2.4.1 (jsc#PED-5422) * Provider: Change the default log directory to /tmp * Bug fixes - Updated the .spec file, amended to use libica4 instead of libica * Requires: libica4 >= 4 - Updated the .spec file * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries - Updated the .spec file as follow: * BuildRequires: libica-devel >= 4.0.0 * BuildRequires: libica-tools >= 4.0.0 - Added dependency on libica4 (bsc#1209038) * BuildRequires and Requires statements in .spec file for libica4 - Applies a patch (bsc#1210359) * openssl-ibmca-engine-noregister.patch - Updated the '#dynamic_path' line, as it was before, with the comment '#'. - Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) * openssl-ibmca 2.4.0 - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 - Provider: Support RSA blinding - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding - Provider: Adjustments in OpenSSL config generator and example configs - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) - Engine: Enable RSA blinding - Updated .spec file removed '#' from the line containing 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) - Added in %files * /usr/lib64/engines-3/ibmca-provider.la * /usr/lib64/engines-3/ibmca-provider.so - Upgraded to version 2.3.1 (jsc#PED-597) * openssl-ibmca 2.3.1 - Adjustments for libica 4.1.0 * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources * openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 - Removed a Requires for libica from the specfile. - Removed the obsolete baselibs.conf file - Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/request/show/1168592 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=68 --- _multibuild | 2 +- openssl-ibmca.changes | 18 +++++++++--------- openssl-ibmca.spec | 24 ++++++++++++------------ 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/_multibuild b/_multibuild index d8cd31d..52d8253 100644 --- a/_multibuild +++ b/_multibuild @@ -1,5 +1,5 @@ - openssl3 + openssl1_1 engine provider diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index 522063d..1ec13a8 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -1,16 +1,16 @@ ------------------------------------------------------------------- -Wed Apr 17 10:14:00 UTC 2024 - Nikolay Gueorguiev +Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev - Amended the .spec file - Changed the package names - +------------+---------------------------------+--------------------------+ - | Flavor | Package name | Note | - +------------+---------------------------------+--------------------------+ - | '' | openssl1_1-ibmca | openssl1 flavor | - | engine | openssl-ibmca-engine | Only engine | - | provider | openssl-ibmca-provider | Only provider | - | openssl3 | openssl-ibmca | Both engine and provider | - +------------+---------------------------------+--------------------------+ + +-------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +-------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | Both engine and provider | + | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | + | engine | openssl-ibmca-engine | Only engine | + | provider | openssl-ibmca-provider | Only provider | + +-------------+---------------------------------+--------------------------+ ------------------------------------------------------------------- Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index a65485c..4971a26 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl-ibmca +# spec file for package openssl1_1-ibmca # # Copyright (c) 2024 SUSE LLC # @@ -24,13 +24,13 @@ %define flavor @BUILD_FLAVOR@%{nil} -%if "%{flavor}" == "" +%if "%{flavor}" == "openssl1_1" %global sslengcnf %{_sysconfdir}/ssl/engines1.1.d %global sslengdef %{_sysconfdir}/ssl/engdef1.1.d Name: openssl1_1-ibmca %endif -%if "%{flavor}" == "openssl3" +%if "%{flavor}" == "" Name: openssl-ibmca %endif @@ -56,7 +56,7 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool ### -%if "%{flavor}" != "" +%if "%{flavor}" != "openssl1_1" BuildRequires: libica-devel >= 4.0.0 BuildRequires: libica-tools >= 4.0.0 BuildRequires: libopenssl-3-devel @@ -75,7 +75,7 @@ Requires: libopenssl1_1 ### ExclusiveArch: s390x -%if "%{flavor}" == "" +%if "%{flavor}" == "openssl1_1" Patch001: openssl1-rename-libica-files.patch %endif @@ -91,7 +91,7 @@ to libica, a library enabling the IBM s390/x CPACF crypto instructions. export CFLAGS="%{optflags}" export CPPFLAGS="%{optflags}" -%if "%{flavor}" == "openssl3" +%if "%{flavor}" == "" %configure \ --libdir=%{modulesdir} mkdir -p %{buildroot}/%{enginesdir} @@ -109,7 +109,7 @@ export CPPFLAGS="%{optflags}" --libdir=%{modulesdir} %endif -%if "%{flavor}" == "" +%if "%{flavor}" == "openssl1_1" %configure \ --libdir=%{enginesdir} %endif @@ -125,11 +125,11 @@ sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sa %make_install -%if "%{flavor}" == "" +%if "%{flavor}" == "openssl1_1" rm -f %{buildroot}/%{enginesdir}/ibmca-provider.* %endif -%if "%{flavor}" == "openssl3" +%if "%{flavor}" == "" mkdir -p %{buildroot}/%{enginesdir} mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ %endif @@ -161,7 +161,7 @@ mkdir -p %{sslengdef} cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf -%if "%{flavor}" == "openssl3" +%if "%{flavor}" == "" cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig @@ -180,7 +180,7 @@ fi %dir %{_datadir}/%{name} %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf -%if "%{flavor}" == "openssl3" +%if "%{flavor}" == "" %doc src/engine/ibmca-engine-opensslconfig %doc src/provider/ibmca-provider-opensslconfig %doc src/engine/openssl.cnf.sample @@ -200,7 +200,7 @@ fi %{enginesdir}/ibmca.* %{_mandir}/man5/ibmca.5%{?ext_man} %endif -%if "%{flavor}" == "" +%if "%{flavor}" == "openssl1_1" %doc src/engine/openssl.cnf.sample %{enginesdir}/ibmca.* %{_mandir}/man5/ibmca.5%{?ext_man} From 57cb7f51b9c367624ce7eedda8943732d5577312adc2527e8640859f6a33fae7 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 17 Apr 2024 14:49:52 +0000 Subject: [PATCH 10/10] Accepting request 1168603 from home:ngueorguiev:branches:security:tls - Amended the .spec file - Changed the package names +-------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +-------------+---------------------------------+--------------------------+ | '' | openssl-ibmca | Both engine and provider | | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | | engine | openssl-ibmca-engine | Only engine | | provider | openssl-ibmca-provider | Only provider | +-------------+---------------------------------+--------------------------+ OBS-URL: https://build.opensuse.org/request/show/1168603 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=69 --- _multibuild | 1 - openssl-ibmca.spec | 14 +++++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/_multibuild b/_multibuild index 52d8253..b71bc39 100644 --- a/_multibuild +++ b/_multibuild @@ -1,5 +1,4 @@ - openssl1_1 engine provider diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 4971a26..e72354d 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl1_1-ibmca +# spec file for package openssl-ibmca # # Copyright (c) 2024 SUSE LLC # @@ -24,12 +24,6 @@ %define flavor @BUILD_FLAVOR@%{nil} -%if "%{flavor}" == "openssl1_1" -%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d -%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d -Name: openssl1_1-ibmca -%endif - %if "%{flavor}" == "" Name: openssl-ibmca %endif @@ -42,6 +36,12 @@ Name: openssl-ibmca-engine Name: openssl-ibmca-provider %endif +%if "%{flavor}" == "openssl1_1" +%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d +%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d +Name: openssl1_1-ibmca +%endif + Version: 2.4.1 Release: 0 Summary: The IBMCA OpenSSL dynamic engine