- Adapted the openssl-ibmca package for the openssl-1_1 removal (bsc#1232570)

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=77
Nikolay Gueorguiev 2024-10-30 08:42:35 +00:00 committed by Git OBS Bridge
commit 2894c35cb4
12 changed files with 1192 additions and 0 deletions

23
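--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text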

1
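--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc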

4
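--- a/_multibuild
+++ b/_multibuild
@@ -0,0 +1,4 @@
+<multibuild>
+<flavor>engine</flavor>
+<flavor>provider</flavor>
+</multibuild>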

1
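--- a/engine_section.txt
+++ b/engine_section.txt
@@ -0,0 +1 @@
+ibmca = ibmca_section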


@ -0,0 +1,67 @@
From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 8 Jan 2024 08:52:24 +0100
Subject: [PATCH] engine: Enable external AES-GCM IV when libica is in FIPS
mode
When the system is in FIPS mode, newer libica versions may prevent AES-GCM
from being used with an external IV. FIPS requires that the AES-GCM IV is
created libica internally via an approved random source.
The IBMCA engine can not support the internal generation of the AES-GCM IV,
because the engine API for AES-GCM does not allow this. Applications using
OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
external IV.
Enable the use of external AES-GCM IVs for libica, if the used libica library
supports this. Newer libica versions support to allow external AES-GCM IVs via
function ica_allow_external_gcm_iv_in_fips_mode().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/e_ibmca.c | 12 +++++++++++-
src/engine/ibmca.h | 1 +
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
index 6cbf745..afed3fe 100644
--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
ica_aes_gcm_last_t p_ica_aes_gcm_last;
#endif
ica_cleanup_t p_ica_cleanup;
+ica_allow_external_gcm_iv_in_fips_mode_t
+ p_ica_allow_external_gcm_iv_in_fips_mode;
/* save libcrypto's default ec methods */
#ifndef NO_EC
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
BIND(ibmca_dso, ica_ed448_ctx_del);
/* ica_cleanup is not always present and only needed for newer libraries */
- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
+ BIND(ibmca_dso, ica_cleanup);
+
+ /*
+ * Allow external AES-GCM IV when libica runs in FIPS mode.
+ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
+ * available with newer libraries.
+ */
+ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
+ p_ica_allow_external_gcm_iv_in_fips_mode(1);
/* disable fallbacks on Libica */
if (BIND(ibmca_dso, ica_set_fallback_mode))
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
index 7281a5b..01465eb 100644
--- a/src/engine/ibmca.h
+++ b/src/engine/ibmca.h
@@ -617,6 +617,7 @@ typedef
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
typedef void (*ica_cleanup_t)(void);
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
/* entry points into libica, filled out at DSO load time */
extern ica_get_functionlist_t p_ica_get_functionlist;
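Review bot: The new call `p_ica_allow_external_gcm_iv_in_fips_mode(1)` in ibmca_init switches off a FIPS-mode safeguard in libica without leaving any trace, and the comment above it does not say who then owns IV uniqueness. With an external IV, a repeated IV under the same key breaks both the confidentiality and the authenticity of AES-GCM, so that responsibility moves entirely to the calling application. I would extend the comment to say so, for example `/* Callers must supply a unique IV per key; libica no longer generates it internally. */`, and log that the override was applied if the engine has a debug trace facility. The same hunk changes `ica_cleanup` from a plain dlsym() to `BIND()`; BIND is defined outside the hunk, so it is worth confirming that it tolerates a missing symbol the way the old line did. ibmca_init continues outside the hunk.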


@ -0,0 +1,243 @@
From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 10 Jan 2024 15:08:47 +0100
Subject: [PATCH] test/provider: Do not link against libica use dlopen instead
When an application links against libica (via -lica), then the libica library
constructor runs before the program's main function. Libica's library
constructor does initialize OpenSSL and thus parses the config file.
However, the test programs set up some OpenSSL configuration related
environment variables within function check_libica() called from the
main function. If libica has already initialized OpenSSL prior to that,
OpenSSL won't initialize again, and thus these environment variables have
no effect.
Dynamically load libica (via dlopen) only after setting the environment
variables.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 2 ++
test/provider/Makefile.am | 15 +++++++++------
test/provider/dhkey.c | 24 ++++++++++++++++++++++--
test/provider/eckey.c | 24 ++++++++++++++++++++++--
test/provider/rsakey.c | 24 ++++++++++++++++++++++--
5 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index b43a659..09df230 100644
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
[])
AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
+AC_SUBST(libicaversion, "$libicaversion")
+
# If compiled against OpenSSL 3.0 or later, build the provider unless
# explicitely disabled.
# If build against OpenSSL 1.1.1, we can not build the provider.
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
index 15a5466..fce06b3 100644
--- a/test/provider/Makefile.am
+++ b/test/provider/Makefile.am
@@ -24,24 +24,27 @@ TESTS = \
check_PROGRAMS = rsakey eckey dhkey threadtest
dhkey_SOURCES = dhkey.c
+dhkey_LDADD = -lcrypto -ldl
if PROVIDER_FULL_LIBICA
-dhkey_LDADD = -lcrypto -lica
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
else
-dhkey_LDADD = -lcrypto -lica-cex
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
endif
eckey_SOURCES = eckey.c
+eckey_LDADD = -lcrypto -ldl
if PROVIDER_FULL_LIBICA
-eckey_LDADD = -lcrypto -lica
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
else
-eckey_LDADD = -lcrypto -lica-cex
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
endif
rsakey_SOURCES = rsakey.c
+rsakey_LDADD = -lcrypto -ldl
if PROVIDER_FULL_LIBICA
-rsakey_LDADD = -lcrypto -lica
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
else
-rsakey_LDADD = -lcrypto -lica-cex
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
endif
threadtest_SOURCES = threadtest.c
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
index 8829ecc..0ec2c03 100644
--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
@@ -18,6 +18,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <dlfcn.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
static const unsigned int required_ica_mechs_len =
sizeof(required_ica_mechs) / sizeof(unsigned int);
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+ unsigned int *);
+
int check_libica()
{
unsigned int mech_len, i, k, found = 0;
libica_func_list_element *mech_list = NULL;
+ void *ibmca_dso;
+ ica_get_functionlist_t p_ica_get_functionlist;
int rc;
- rc = ica_get_functionlist(NULL, &mech_len);
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+ if (ibmca_dso == NULL) {
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+ return 77;
+ }
+
+ p_ica_get_functionlist =
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+ if (p_ica_get_functionlist == NULL) {
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+ LIBICA_NAME);
+ return 77;
+ }
+
+ rc = p_ica_get_functionlist(NULL, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
return 77;
@@ -373,7 +393,7 @@ int check_libica()
return 77;
}
- rc = ica_get_functionlist(mech_list, &mech_len);
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
free(mech_list);
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
index b2334d7..b8f47b7 100644
--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
@@ -18,6 +18,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <dlfcn.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
static const unsigned int required_ica_mechs_len =
sizeof(required_ica_mechs) / sizeof(unsigned int);
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+ unsigned int *);
+
int check_libica()
{
unsigned int mech_len, i, k, found = 0;
libica_func_list_element *mech_list = NULL;
+ void *ibmca_dso;
+ ica_get_functionlist_t p_ica_get_functionlist;
int rc;
- rc = ica_get_functionlist(NULL, &mech_len);
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+ if (ibmca_dso == NULL) {
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+ return 77;
+ }
+
+ p_ica_get_functionlist =
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+ if (p_ica_get_functionlist == NULL) {
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+ LIBICA_NAME);
+ return 77;
+ }
+
+ rc = p_ica_get_functionlist(NULL, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
return 77;
@@ -806,7 +826,7 @@ int check_libica()
return 77;
}
- rc = ica_get_functionlist(mech_list, &mech_len);
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
free(mech_list);
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
index 366b503..9d6a618 100644
--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
@@ -18,6 +18,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <dlfcn.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
static const unsigned int required_ica_mechs_len =
sizeof(required_ica_mechs) / sizeof(unsigned int);
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+ unsigned int *);
+
int check_libica()
{
unsigned int mech_len, i, k, found = 0;
libica_func_list_element *mech_list = NULL;
+ void *ibmca_dso;
+ ica_get_functionlist_t p_ica_get_functionlist;
int rc;
- rc = ica_get_functionlist(NULL, &mech_len);
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+ if (ibmca_dso == NULL) {
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+ return 77;
+ }
+
+ p_ica_get_functionlist =
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+ if (p_ica_get_functionlist == NULL) {
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+ LIBICA_NAME);
+ return 77;
+ }
+
+ rc = p_ica_get_functionlist(NULL, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
return 77;
@@ -753,7 +773,7 @@ int check_libica()
return 77;
}
- rc = ica_get_functionlist(mech_list, &mech_len);
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
free(mech_list);
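Review bot: Both new failure paths in check_libica() drop the loader's diagnostic and return 77, which automake's test driver reports as SKIP, so a wrong `LIBICA_NAME` (for instance an empty `@libicaversion@` substitution, which is set outside these hunks) would make the provider tests skip quietly instead of failing. Printing the reason makes that visible: `fprintf(stderr, "Failed to load libica '%s': %s\n", LIBICA_NAME, dlerror());`. The dlsym() failure path also returns without `dlclose(ibmca_dso);`. The same applies to the identical hunks in eckey.c and rsakey.c. `LIBICA_NAME` is a bare soname, so dlopen() resolves it through the normal library search path, which is fine for a test binary but should not be copied into installed code; check_libica() continues outside the hunk, so whether the handle is released later is not visible here.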


@ -0,0 +1,61 @@
From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 18 Jan 2024 16:35:14 +0100
Subject: [PATCH] test/provider: Explicitly initialize OpenSSL after setting
env vars.
When running with a libica version without commit
https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
it is necessary to explicitly initialize OpenSSL before loading libica. Because
otherwise libica's library constructor will initialize OpenSSL the first time,
which in turn will load the IBMCA provider, and it will fall into the same
problem as fixed by above libica commit, i.e. the provider won't be able to
get the supported algorithms from libica an thus will not register any
algorithms.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
test/provider/dhkey.c | 2 ++
test/provider/eckey.c | 2 ++
test/provider/rsakey.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
index 0ec2c03..b1270f5 100644
--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
return 77;
}
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
ret = check_libica();
if (ret != 0)
return ret;
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
index b8f47b7..a65bea5 100644
--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
return 77;
}
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
ret = check_libica();
if (ret != 0)
return ret;
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
index 9d6a618..874de6d 100644
--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
return 77;
}
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
ret = check_libica();
if (ret != 0)
return ret;
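Review bot: The return value of `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` is ignored in all three main() functions, so a failed initialisation goes unnoticed and the test carries on with an OpenSSL that may not have loaded the configuration the environment variables point to. OPENSSL_init_crypto() returns 1 on success and 0 on error, so `if (OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1)` followed by an error message and the exit code these tests use for failure would turn that into a visible result. A one-line comment such as `/* Must run before check_libica(): libica's constructor would otherwise initialize OpenSSL first */` would also keep the call from being moved later. Each main() starts and ends outside its hunk.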


@ -0,0 +1,36 @@
From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 13 May 2024 08:53:56 +0200
Subject: [PATCH] engine: Fix compile error on Fedora 40
ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
from incompatible pointer type [-Wincompatible-pointer-types]
627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/ibmca_pkey.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
index 9c8de94c..6cd8fcd9 100644
--- a/src/engine/ibmca_pkey.c
+++ b/src/engine/ibmca_pkey.c
@@ -258,7 +258,7 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t
/* ED25519 */
-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
{
return 1;
}
@@ -402,7 +402,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig,
/* ED448 */
-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
{
return 1;
}
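Review bot: The `const` added to the second parameter of ibmca_ed25519_copy() and ibmca_ed448_copy() is unconditional, but as far as I know only OpenSSL 3.x declares the EVP_PKEY_meth_set_copy() callback with `const EVP_PKEY_CTX *src`; OpenSSL 1.1.1 declares it without const. If the engine is still meant to build against 1.1.1, the same -Wincompatible-pointer-types error would then appear there, so the qualifier may need a guard on `OPENSSL_VERSION_NUMBER`. Both functions ignore their arguments and return 1; a short comment on why there is nothing to copy would help, since the reason is not visible in these hunks.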

BIN
openssl-ibmca-2.4.1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

504
openssl-ibmca.changes Normal file

@ -0,0 +1,504 @@
-------------------------------------------------------------------
Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570)
-------------------------------------------------------------------
Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied patches(jsc#PED-10292)
* openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
* openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
* openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
* openssl-ibmca-04-engine-Fix-compile-error.patch
-------------------------------------------------------------------
Tue Jul 16 06:11:44 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file
* Replaced hard-coded '/usr/share' with %{_datadir}
-------------------------------------------------------------------
Mon Jul 15 08:18:35 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1227537)
* 'rpm.install.excludedocs = yes' in zypp.conf excludes the /usr/share/doc/..
* Added a check, if there is is /usr/share/doc file to be editted.
-------------------------------------------------------------------
Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file
- Changed the package names
+-------------+---------------------------------+--------------------------+
| Flavor | Package name | Note |
+-------------+---------------------------------+--------------------------+
| '' | openssl-ibmca | Both engine and provider |
| openssl1_1 | openssl1_1-ibmca | openssl1 flavor |
| engine | openssl-ibmca-engine | Only engine |
| provider | openssl-ibmca-provider | Only provider |
+-------------+---------------------------------+--------------------------+
-------------------------------------------------------------------
Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch for openssl1_1 (bsc#1221627)
* openssl1-rename-libica-files.patch
-------------------------------------------------------------------
Tue Apr 9 14:08:05 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627)
+------------+---------------------------------+--------------------------+
| Flavor | Package name | Note |
+------------+---------------------------------+--------------------------+
| '' | openssl-ibmca | openssl1 flavor |
| engine | openssl3-ibmca-engine | Only engine |
| provider | openssl3-ibmca-provider | Only provider |
| openssl3 | openssl3-ibmca | Both engine and provider |
+------------+---------------------------------+--------------------------+
- Changing/editing 'dynamic_path' after the installation on the target system
* From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in
/usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig
for openssl3 flavor
-------------------------------------------------------------------
Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (bsc#1221627)
* Removed the flavors
* Removed 'muiltibuild' environment
* Removed the 'provider' logic
-------------------------------------------------------------------
Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file (bsc#1218933, bsc#1221627)
* Amended the .spec file to use modulesdir variable
- Implemented _multibuild environment (openssl1, engine, provider)
- Added a flag and logic for provider in the .spec file
* When provider is set to 1, it 'configures' the provider
* When provider is set to 0, it 'configures' the engine
-------------------------------------------------------------------
Fri Oct 13 10:39:42 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Removed an obsolete patch (implemented in the version 2.4.1)
* openssl-ibmca-engine-noregister.patch
-------------------------------------------------------------------
Fri Oct 6 06:35:00 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade to version 2.4.1 (jsc#PED-5422)
* Provider: Change the default log directory to /tmp
* Bug fixes
-------------------------------------------------------------------
Mon May 22 07:20:32 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file, amended to use libica4 instead of libica
* Requires: libica4 >= 4
-------------------------------------------------------------------
Tue May 2 07:49:24 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file
* uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries
-------------------------------------------------------------------
Tue Apr 25 12:47:39 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file as follow:
* BuildRequires: libica-devel >= 4.0.0
* BuildRequires: libica-tools >= 4.0.0
-------------------------------------------------------------------
Mon Apr 24 09:23:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Added dependency on libica4 (bsc#1209038)
* BuildRequires and Requires statements in .spec file for libica4
-------------------------------------------------------------------
Wed Apr 19 10:52:06 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applies a patch (bsc#1210359)
* openssl-ibmca-engine-noregister.patch
- Updated the '#dynamic_path' line, as it was before, with the comment '#'.
-------------------------------------------------------------------
Thu Apr 6 08:14:25 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059)
* openssl-ibmca 2.4.0
- Provider: Adjustments for OpenSSL versions 3.1 and 3.2
- Provider: Support RSA blinding
- Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding
- Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding
- Provider: Adjustments in OpenSSL config generator and example configs
- Engine: EC: Cache ICA key in EC_KEY object (performance improvement)
- Engine: Enable RSA blinding
-------------------------------------------------------------------
Tue Mar 14 11:35:44 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated .spec file removed '#' from the line containing
'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038)
- Added in %files
* /usr/lib64/engines-3/ibmca-provider.la
* /usr/lib64/engines-3/ibmca-provider.so
-------------------------------------------------------------------
Tue Oct 4 19:33:57 UTC 2022 - Mark Post <mpost@suse.com>
- Upgraded to version 2.3.1 (jsc#PED-597)
* openssl-ibmca 2.3.1
- Adjustments for libica 4.1.0
* openssl-ibmca 2.3.0
- First version including the provider
- Fix for engine build without OpenSSL 3.0 sources
* openssl-ibmca 2.2.3
- Fix PKEY segfault with OpenSSL 3.0
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
- Removed a Requires for libica from the specfile.
- Removed the obsolete baselibs.conf file
-------------------------------------------------------------------
Tue Mar 15 22:00:05 UTC 2022 - Mark Post <mpost@suse.com>
- Completely revamped the postinstall scriptlet so that it doesn't
need to know or care about how many lines are in either
/etc/ssl/openssl.cnf, or the sample file at
/usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample
We're now using the ".include" directive for the openssl.cnf
file, and only modifying that file the minimum necessary to
implement the change. (bsc#1004463)
-------------------------------------------------------------------
Fri Sep 17 19:32:37 UTC 2021 - Mark Post <mpost@suse.com>
- Upgraded to version 2.2.1 (jsc#SLE-18333)
* openssl-ibmca 2.2.1
Bug fixes
* openssl-ibmca 2.2.0
Implement fallbacks based on OpenSSL
Disable software fallbacks from libica
Allow to specify default library (libica vs. libica-cex) to use
Provide "libica" engine ctrl to switch library at load time
Update README.md
Remove libica link dependency
Generate sample configuration files from system configuration
Restructure registration global data
* openssl-ibmca 2.1.3
Bug fix
* openssl-ibmca 2.1.2
Bug fixes
- Modified spec file to
* Define a global variable enginesdir the same was as IBM does
instead of _ENGINE_DIR as we had been doing.
* Implemented %make_build macro according to spec-cleaner
* Changed the package description to match IBM's.
* Removed the redundant "autoreconf --force --install"
-------------------------------------------------------------------
Wed Sep 16 20:06:12 UTC 2020 - Mark Post <mpost@suse.com>
- Upgrade to version 2.1.1 (jsc#SLE-13709)
* Bug fixes
-------------------------------------------------------------------
Tue Sep 10 22:22:49 UTC 2019 - Mark Post <mpost@suse.com>
- Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882)
Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448
-------------------------------------------------------------------
Wed Aug 28 20:56:08 UTC 2019 - Mark Post <mpost@suse.com>
- Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424)
* openssl-ibmca 2.0.3
Add MSA9 CPACF support for ECDSA sign/verify
- Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch
- Changed the ExclusiveArch directive to include s390x only.
- The code in e_ibmca.c does a dlopen for libica.so.3, instead of
linking against the shared library. As a result, if the package
containing libica.so.3 isn't installed, problems occur. Added
a "Requires: libica3" to the spec file to fix this. (bsc#1142286)
- Made a couple of changes to the spec file based on the output
from spec-cleaner.
-------------------------------------------------------------------
Fri Jun 28 18:10:29 UTC 2019 - Mark Post <mpost@suse.com>
- Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch
An Apache HTTP Server was set up with mod_ssl and the openssl
ibmca engine using libica and a CEX6A card. Whenever a worker
process is cleaned up a segmentation fault occurs.
(bsc#1138517)
-------------------------------------------------------------------
Tue Nov 27 17:55:19 UTC 2018 - mpost@suse.com
- Upgraded to version 2.0.2 (Fate#325688)
* openssl-ibmca 2.0.2
Fix doing rsa-me, altough rsa-crt would be possible.
-------------------------------------------------------------------
Thu Nov 15 20:17:04 UTC 2018 - mpost@suse.com
- Upgraded to version 2.0.1 (Fate#325688)
* openssl-ibmca 2.0.1
Dont fail when a libica symbol cannot be resolved.
- Made multiple changes to the spec file based on spec-cleaner output.
-------------------------------------------------------------------
Wed Nov 14 20:18:07 UTC 2018 - mpost@suse.com
- Upgraded to version 2.0.0 (Fate#325688)
* openssl-ibmca 2.0.0
Add ECC support.
Add check and distcheck make-targets.
Project cleanup, code was broken into multiple files and coding style cleanup.
Improvements to compat macros for openssl.
Don't disable libica sw fallbacks.
Fix dlclose logic.
* openssl-ibmca 1.4.1
Fix structure size for aes-256-ecb/cbc/cfb/ofb
Update man page
Switch to ibmca.so filename to allow standalone use
Switch off Libica fallback mode if available
Make sure ibmca_init only runs once
Provide simple macro for DEBUG_PRINTF possibility
Cleanup and slight rework of function set_supported_meths
- Did some cleanup to the spec file, based on spec-cleanup.
- Removed the following obsolete patches:
* openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch
* openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch
* openssl-ibmca-sles15-Update-lib-name-in-documentation.patch
-------------------------------------------------------------------
Fri Aug 31 19:37:39 UTC 2018 - mpost@suse.com
- Added the following patches for bsc#1097463
* openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch
* openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch
* openssl-ibmca-sles15-Update-lib-name-in-documentation.patch
-------------------------------------------------------------------
Fri Sep 22 18:07:10 UTC 2017 - mpost@suse.com
- Upgraded to version 1.4.0
* Re-license to Apache License v2.0
* Fix aes_gcm initialization.
* Update man page.
* Add macros for OpenSSL 0.9.8 compat.
* Remove AC_FUNC_MALLOC from configure.ac
* Add compat macro for OpenSSL 1.0.1e-fips.
* Setting 'foreign' strictness for automake.
* Add AES-GCM support.
* Rework EVP_aes macros.
* Remove dependency of old local OpenSSL headers.
* Fix engine initialization to set function pointers only once.
* Remove blank COPYING and NEWS files.
* Remove INSTALL and move its content to README.md
* Update README.md file to make use of markdown.
* Rename README file to README.md to use markdown
* Add CONTRIBUTING guidelines.
* Adding coding style documentation.
* Enable EVP_MD_FLAG_FIPS flag for SHA-*.
* Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0
* Fix SHA512 EVP digest struct to use
EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0
* Fix wrong parenthesis
* convert libica loading to dlopen() and friends
* Add support to DSO on new API of OpenSSL-1.1.0
- Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch
- Added BuildRequires for autoconf, automake, and libtool.
- Updated BuildRequires for libica-devel to be >= 3.1.1
-------------------------------------------------------------------
Fri Sep 22 07:50:52 UTC 2017 - mpost@suse.com
- Now that the openSSL engines directory is versioned:
* Modified the spec file to query the libcrypto package
for which directory to install the engine into.
* Removed openssl-ibmca-fix-enginepath.patch. Replaced it
with a sed command so that it will provide the correct
versioned engines directory
- Removed openssl-ibmca-configure.patch. It doesn't seem to
be needed any longer.
-------------------------------------------------------------------
Tue Apr 11 15:09:03 UTC 2017 - mpost@suse.com
- Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113)
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Renamed BuildRequires from libica2-devel to libica-devel for the
same reason.
- Tweaked a comment to get rid of an rpmlint warning message.
-------------------------------------------------------------------
Thu Oct 13 09:36:50 UTC 2016 - meissner@suse.com
- fixed ssl configuration merging (bsc#1004463)
- openssl-ibmca-fix-enginepath.patch: fix the engine path
-------------------------------------------------------------------
Wed Apr 6 19:07:43 UTC 2016 - mpluskal@suse.com
- Use macro for configure (fate#319941)
- Use url for source
- Enable parallel building
- Cleanup spec file with spec-cleaner
-------------------------------------------------------------------
Thu Mar 31 21:20:34 UTC 2016 - mpost@suse.com
- Upgraded to version 1.3.0 (fate#319941)
- Updated openssl-ibmca-configure.patch to apply cleanly
- Removed obsolete patches
- openssl-ibmca-README.patch
- openssl-ibmca-sha256-digest-length.patch
- openssl-pkey.patch
- openssl-des-ede.patch
- Did some spec file cleanup.
-------------------------------------------------------------------
Mon Mar 21 20:53:02 UTC 2016 - jjolly@suse.com
- Fixed %post script to update library path (the only dynamic part
of the ibmca configuration) every time the package is installed.
(bsc#966139)
-------------------------------------------------------------------
Tue Oct 27 06:36:06 UTC 2015 - jjolly@suse.com
- Updated AUTHORS, INSTALL, and README (bsc#942839)
- %post and %postun added to properly update openssl.cnf (bsc#942839)
-------------------------------------------------------------------
Tue Oct 27 03:46:00 UTC 2015 - jjolly@suse.com
- Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138)
-------------------------------------------------------------------
Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com
- Remove dependency on fillup anf insserv; the package provides
neither sysconfig file nor sysvinit script
- Remove depreciated AUTHORS section
- Use %configure macro
- Add openssl-ibmca-configure.patch
-------------------------------------------------------------------
Wed Dec 3 09:22:24 UTC 2014 - meissner@suse.com
- the openssl engines moved to /%_lib/engines bnc#905480
-------------------------------------------------------------------
Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com
- Forced requirement of libica-2_3_0 (bnc#890824)
-------------------------------------------------------------------
Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com
- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922)
- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes
fips self-test during EC key creation (bnc#879922)
- spec file cleaned up a bit
-------------------------------------------------------------------
Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com
- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message
digest length definition in sha256 template (bnc#868275)
-------------------------------------------------------------------
Wed Mar 5 18:51:25 CET 2014 - ro@suse.de
- update to 1.2.0
- removed patches:
ibmca-configure.patch
ibmca-segfault.fix.patch
ibmca-sw-fix.patch
openssl-ibmca-1.0.0.rc2-memset-fix.patch
- make it exclusivearch for s390/s390x as the required libica
is only available for s390/s390x
-------------------------------------------------------------------
Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com
- Made required libica-2_1_0 s390 specific
- Added x86_64 to ExclusiveArch as %ix86 doesn't do it
- Removed libica requirement - allowing build process to find it
-------------------------------------------------------------------
Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com
- Added COPYING to %files
-------------------------------------------------------------------
Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com
- Requiring libica 2.1.0 or greater
-------------------------------------------------------------------
Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com
- enable ppc64le
-------------------------------------------------------------------
Fri Mar 23 11:27:45 UTC 2012 - dvaleev@suse.com
- fix build (add autoconf automake libtool to BuildRequires)
-------------------------------------------------------------------
Thu Mar 24 17:19:11 UTC 2011 - coolo@novell.com
- disable libtool --finish call
-------------------------------------------------------------------
Fri Dec 17 10:56:05 UTC 2010 - coolo@novell.com
- own engines directory
-------------------------------------------------------------------
Mon Feb 1 12:13:29 UTC 2010 - jengelh@medozas.de
- package baselibs.conf
-------------------------------------------------------------------
Wed Jan 7 12:34:56 CET 2009 - olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support
-------------------------------------------------------------------
Tue Feb 13 12:51:00 CET 2007 - uli@suse.de
- added fixes by IBM (bug #243801):
ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM
object
ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM
object
openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem
-------------------------------------------------------------------
Mon Jun 19 17:22:37 CEST 2006 - uli@suse.de
- updated README (bug #185508)
-------------------------------------------------------------------
Tue Mar 28 14:27:32 CEST 2006 - hare@suse.de
- Fixed configure.in to build correctly
- Fixed spec file
- Initial version from Mike Halcrow

184
openssl-ibmca.spec Normal file

@ -0,0 +1,184 @@
#
# spec file for package openssl-ibmca
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
%global sslengcnf %{_sysconfdir}/ssl/engines3.d
%global sslengdef %{_sysconfdir}/ssl/engdef3.d
%define flavor @BUILD_FLAVOR@%{nil}
%if "%{flavor}" == ""
Name: openssl-ibmca
%endif
%if "%{flavor}" == "engine"
Name: openssl-ibmca-engine
%endif
%if "%{flavor}" == "provider"
Name: openssl-ibmca-provider
%endif
Version: 2.4.1
Release: 0
Summary: The IBMCA OpenSSL dynamic engine
License: Apache-2.0
Group: Hardware/Other
URL: https://github.com/opencryptoki/openssl-ibmca
Source: https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz
Source1: engine_section.txt
Source2: _multibuild
###
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
###
BuildRequires: libica-devel >= 4.0.0
BuildRequires: libica-tools >= 4.0.0
BuildRequires: libopenssl-3-devel
BuildRequires: libopenssl3
Requires: libica4 >= 4.0.0
Requires: libopenssl3
###
ExclusiveArch: s390x
###
Patch10: openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
Patch11: openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
Patch12: openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
Patch13: openssl-ibmca-04-engine-Fix-compile-error.patch
###
%description
This package contains a shared object OpenSSL dynamic engine which interfaces
to libica, a library enabling the IBM s390/x CPACF crypto instructions.
%prep
%autosetup -p1 -n openssl-ibmca-%{version}
./bootstrap.sh
%build
export CFLAGS="%{optflags}"
export CPPFLAGS="%{optflags}"
%if "%{flavor}" == ""
%configure \
--libdir=%{modulesdir}
mkdir -p %{buildroot}/%{enginesdir}
%endif
%if "%{flavor}" == "engine"
%configure \
--disable-provider \
--libdir=%{enginesdir}
%endif
%if "%{flavor}" == "provider"
%configure \
--disable-engine \
--libdir=%{modulesdir}
%endif
%make_build
%install
# Update the sample config file so that the dynamic path points
# to the correct version of the engines directory.
%if "%{flavor}" != "provider"
sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample
%endif
%make_install
%if "%{flavor}" == ""
mkdir -p %{buildroot}/%{enginesdir}
mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/
%endif
rm -f %{buildroot}/%{enginesdir}/ibmca*.la
rm -f %{buildroot}/%{modulesdir}/ibmca*.la
# This file contains the declaration of the ibmca engine section. It
# needs to be on the "real" file system when the postinstall scriptlet
# is run. It will be read by the openssl .include directive that points
# to /etc/ssl/engines.d/
mkdir -p %{buildroot}%{_datadir}/%{name}
cp -p %{SOURCE1} %{buildroot}%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
# This will create the actual engine definition section that will be usable
# by the .include directive of openSSL. That include will be inserted during
# the postinstall phase of the package installation.
grep -v "^#" src/engine/openssl.cnf.sample | \
sed -n -e '/^\[ibmca_section\]/,$ p' | \
sed -e '/^$/ {N;N;s/\n\n/\n/g;}' | \
sed -e 's/^dynamic_path/#dynamic_path/' > %{buildroot}%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
%post
#Original fix for bsc#942839 was to update on first install
#For bsc#966139 update if openssl_def not found
mkdir -p %{sslengcnf}
mkdir -p %{sslengdef}
cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf
cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf
%if "%{flavor}" == ""
if [ -f "%{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig" ]; then
cp -p %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
sed -e 's/ossl-modules/engines-3/' %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig
rm %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
fi
%endif
%postun
if [ $1 -eq 0 ]; then # last uninstall
rm -f %{sslengcnf}/openssl-ibmca.cnf
rm -f %{sslengdef}/openssl-ibmca.cnf
fi
%files
%license LICENSE
%doc ChangeLog
%doc README.md
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
%if "%{flavor}" == ""
%doc src/engine/ibmca-engine-opensslconfig
%doc src/provider/ibmca-provider-opensslconfig
%doc src/engine/openssl.cnf.sample
%{enginesdir}/ibmca.*
%{modulesdir}/ibmca-provider.*
%{_mandir}/man5/ibmca.5%{?ext_man}
%{_mandir}/man5/ibmca-provider.5%{?ext_man}
%endif
%if "%{flavor}" == "provider"
%doc src/provider/ibmca-provider-opensslconfig
%{modulesdir}/ibmca-provider.*
%{_mandir}/man5/ibmca-provider.5%{?ext_man}
%endif
%if "%{flavor}" == "engine"
%doc src/engine/ibmca-engine-opensslconfig
%doc src/engine/openssl.cnf.sample
%{enginesdir}/ibmca.*
%{_mandir}/man5/ibmca.5%{?ext_man}
%endif
%changelog
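+Review bot: The `%post` scriptlet creates `%{sslengcnf}/openssl-ibmca.cnf` and `%{sslengdef}/openssl-ibmca.cnf` with `cp`, but neither path is listed in `%files`, so the files that change the system-wide OpenSSL engine configuration are unknown to the rpm database and `rpm -V` / `rpm -qf` cannot verify or attribute them. Listing them as `%ghost %{sslengcnf}/openssl-ibmca.cnf` and `%ghost %{sslengdef}/openssl-ibmca.cnf` would keep them tracked. The same scriptlet rewrites the packaged `ibmca-engine-opensslconfig` doc file with `sed`, which presumably shows up as a digest mismatch on verification; doing the `s/ossl-modules/engines-3/` substitution in `%install` would avoid modifying packaged files after installation. Every flavor copies to the same two destination names and `%postun` deletes them on last uninstall, so removing one flavor while another is installed would appear to drop the remaining flavor's configuration. The `%install` comment above the `sectiondef` copy still names `/etc/ssl/engines.d/` although `sslengcnf` is `engines3.d`; it should read `# to %{_sysconfdir}/ssl/engines3.d/`.
+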


@ -0,0 +1,65 @@
--- openssl-ibmca-2.4.1/configure.ac 2023-09-21 08:52:43.000000000 +0200
+++ changed/configure.ac 2024-04-17 10:13:02.267582864 +0200
@@ -69,7 +69,7 @@
# Checks for header files.
AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \
string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***]))
+AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***]))
# Checks for typedefs, structures, and compiler characteristics.
@@ -81,15 +81,15 @@
# Checks for library functions.
AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc])
AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [],
- AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]),
+ AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]),
[#include <ica_api.h>])
AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION],
[openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"],
[#include <openssl/core_names.h>])
AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes])
-AC_ARG_WITH([libica-cex],
- [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])],
+AC_ARG_WITH([libica-openssl1_1-cex],
+ [AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])],
[usecexonly=${withval}],
[])
@@ -99,11 +99,11 @@
[libicaversion=4])
if test "x$usecexonly" = xyes; then
- defaultlib="libica-cex.so.$libicaversion"
- ica="ica-cex"
+ defaultlib="libica-openssl1_1-cex.so.$libicaversion"
+ ica="ica-openssl1_1-cex"
else
- defaultlib="libica.so.$libicaversion"
- ica="ica"
+ defaultlib="libica-openssl1_1.so.$libicaversion"
+ ica="ica-openssl1_1"
fi
# In cex-only mode, testing the ciphers does not make any sense since
# they will fall back to OpenSSL without the engine. So remove these
@@ -135,7 +135,7 @@
AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"])
-AC_SUBST([ICA],["$ica"])
+AC_SUBST([ICA],["$ica-openssl1_1"])
AC_CHECK_PROG([openssl_var],[openssl],[yes],[no])
if test "x$openssl_var" != xyes; then
@@ -169,7 +169,7 @@
echo " default library: $defaultlib"
echo "IBMCA provider: $enable_provider"
if test "x$useproviderfulllibica" = xyes; then
- echo " libica library: libica"
+ echo " libica library: libica-openssl1_1"
else
- echo " libica library: libica-cex"
+ echo " libica library: libica-openssl1_1-cex"
fi
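+Review bot: The new `AC_SUBST([ICA],["$ica-openssl1_1"])` line in the `-135,7` hunk appends `-openssl1_1` to a variable that the `-99,11` hunk already sets to `ica-openssl1_1` or `ica-openssl1_1-cex`, so unless code between the two hunks (not shown) resets `$ica`, `ICA` would expand to `ica-openssl1_1-openssl1_1` or `ica-openssl1_1-cex-openssl1_1`. Keeping the original `AC_SUBST([ICA],["$ica"])` gives the name the earlier hunk intends. The patch as a whole renames things to the `libica-openssl1_1` variant, while the spec added in this commit requires `libica-devel >= 4.0.0` and lists only Patch10 to Patch13, none of which looks like this file by name. It is worth confirming whether this patch is still meant to be shipped and applied.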