From 2894c35cb4b83bdaca3a128aed0c4dd800118a88815915c159e0a3bcf1200cba Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 30 Oct 2024 08:42:35 +0000 Subject: [PATCH 1/2] - Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570) OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=77 --- .gitattributes | 23 + .gitignore | 1 + _multibuild | 4 + engine_section.txt | 1 + ...S-GCM-IV-when-libica-is-in-FIPS-mode.patch | 67 +++ ...nk-against-libica-use-dlopen-instead.patch | 243 +++++++++ ...alize-OpenSSL-after-setting-env-vars.patch | 61 +++ ...sl-ibmca-04-engine-Fix-compile-error.patch | 36 ++ openssl-ibmca-2.4.1.tar.gz | 3 + openssl-ibmca.changes | 504 ++++++++++++++++++ openssl-ibmca.spec | 184 +++++++ openssl1-rename-libica-files.patch | 65 +++ 12 files changed, 1192 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _multibuild create mode 100644 engine_section.txt create mode 100644 openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch create mode 100644 openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch create mode 100644 openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch create mode 100644 openssl-ibmca-04-engine-Fix-compile-error.patch create mode 100644 openssl-ibmca-2.4.1.tar.gz create mode 100644 openssl-ibmca.changes create mode 100644 openssl-ibmca.spec create mode 100644 openssl1-rename-libica-files.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..b71bc39 --- /dev/null +++ b/_multibuild @@ -0,0 +1,4 @@ + + engine + provider + diff --git a/engine_section.txt b/engine_section.txt new file mode 100644 index 0000000..dac1711 --- /dev/null +++ b/engine_section.txt @@ -0,0 +1 @@ +ibmca = ibmca_section diff --git a/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch b/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch new file mode 100644 index 0000000..25c2b73 --- /dev/null +++ b/openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch @@ -0,0 +1,67 @@ +From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 8 Jan 2024 08:52:24 +0100 +Subject: [PATCH] engine: Enable external AES-GCM IV when libica is in FIPS + mode + +When the system is in FIPS mode, newer libica versions may prevent AES-GCM +from being used with an external IV. FIPS requires that the AES-GCM IV is +created libica internally via an approved random source. + +The IBMCA engine can not support the internal generation of the AES-GCM IV, +because the engine API for AES-GCM does not allow this. Applications using +OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an +external IV. + +Enable the use of external AES-GCM IVs for libica, if the used libica library +supports this. Newer libica versions support to allow external AES-GCM IVs via +function ica_allow_external_gcm_iv_in_fips_mode(). + +Signed-off-by: Ingo Franzki +--- + src/engine/e_ibmca.c | 12 +++++++++++- + src/engine/ibmca.h | 1 + + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c +index 6cbf745..afed3fe 100644 +--- a/src/engine/e_ibmca.c ++++ b/src/engine/e_ibmca.c +@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate; + ica_aes_gcm_last_t p_ica_aes_gcm_last; + #endif + ica_cleanup_t p_ica_cleanup; ++ica_allow_external_gcm_iv_in_fips_mode_t ++ p_ica_allow_external_gcm_iv_in_fips_mode; + + /* save libcrypto's default ec methods */ + #ifndef NO_EC +@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e) + BIND(ibmca_dso, ica_ed448_ctx_del); + + /* ica_cleanup is not always present and only needed for newer libraries */ +- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup"); ++ BIND(ibmca_dso, ica_cleanup); ++ ++ /* ++ * Allow external AES-GCM IV when libica runs in FIPS mode. ++ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only ++ * available with newer libraries. ++ */ ++ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode)) ++ p_ica_allow_external_gcm_iv_in_fips_mode(1); + + /* disable fallbacks on Libica */ + if (BIND(ibmca_dso, ica_set_fallback_mode)) +diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h +index 7281a5b..01465eb 100644 +--- a/src/engine/ibmca.h ++++ b/src/engine/ibmca.h +@@ -617,6 +617,7 @@ typedef + int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx); + + typedef void (*ica_cleanup_t)(void); ++typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow); + + /* entry points into libica, filled out at DSO load time */ + extern ica_get_functionlist_t p_ica_get_functionlist; diff --git a/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch b/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch new file mode 100644 index 0000000..4383ee8 --- /dev/null +++ b/openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch @@ -0,0 +1,243 @@ +From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 10 Jan 2024 15:08:47 +0100 +Subject: [PATCH] test/provider: Do not link against libica use dlopen instead + +When an application links against libica (via -lica), then the libica library +constructor runs before the program's main function. Libica's library +constructor does initialize OpenSSL and thus parses the config file. + +However, the test programs set up some OpenSSL configuration related +environment variables within function check_libica() called from the +main function. If libica has already initialized OpenSSL prior to that, +OpenSSL won't initialize again, and thus these environment variables have +no effect. + +Dynamically load libica (via dlopen) only after setting the environment +variables. + +Signed-off-by: Ingo Franzki +--- + configure.ac | 2 ++ + test/provider/Makefile.am | 15 +++++++++------ + test/provider/dhkey.c | 24 ++++++++++++++++++++++-- + test/provider/eckey.c | 24 ++++++++++++++++++++++-- + test/provider/rsakey.c | 24 ++++++++++++++++++++++-- + 5 files changed, 77 insertions(+), 12 deletions(-) + +diff --git a/configure.ac b/configure.ac +index b43a659..09df230 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full], + []) + AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes]) + ++AC_SUBST(libicaversion, "$libicaversion") ++ + # If compiled against OpenSSL 3.0 or later, build the provider unless + # explicitely disabled. + # If build against OpenSSL 1.1.1, we can not build the provider. +diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am +index 15a5466..fce06b3 100644 +--- a/test/provider/Makefile.am ++++ b/test/provider/Makefile.am +@@ -24,24 +24,27 @@ TESTS = \ + check_PROGRAMS = rsakey eckey dhkey threadtest + + dhkey_SOURCES = dhkey.c ++dhkey_LDADD = -lcrypto -ldl + if PROVIDER_FULL_LIBICA +-dhkey_LDADD = -lcrypto -lica ++dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\" + else +-dhkey_LDADD = -lcrypto -lica-cex ++dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\" + endif + + eckey_SOURCES = eckey.c ++eckey_LDADD = -lcrypto -ldl + if PROVIDER_FULL_LIBICA +-eckey_LDADD = -lcrypto -lica ++eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\" + else +-eckey_LDADD = -lcrypto -lica-cex ++eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\" + endif + + rsakey_SOURCES = rsakey.c ++rsakey_LDADD = -lcrypto -ldl + if PROVIDER_FULL_LIBICA +-rsakey_LDADD = -lcrypto -lica ++rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\" + else +-rsakey_LDADD = -lcrypto -lica-cex ++rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\" + endif + + threadtest_SOURCES = threadtest.c +diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c +index 8829ecc..0ec2c03 100644 +--- a/test/provider/dhkey.c ++++ b/test/provider/dhkey.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME }; + static const unsigned int required_ica_mechs_len = + sizeof(required_ica_mechs) / sizeof(unsigned int); + ++typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *, ++ unsigned int *); ++ + int check_libica() + { + unsigned int mech_len, i, k, found = 0; + libica_func_list_element *mech_list = NULL; ++ void *ibmca_dso; ++ ica_get_functionlist_t p_ica_get_functionlist; + int rc; + +- rc = ica_get_functionlist(NULL, &mech_len); ++ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW); ++ if (ibmca_dso == NULL) { ++ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME); ++ return 77; ++ } ++ ++ p_ica_get_functionlist = ++ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist"); ++ if (p_ica_get_functionlist == NULL) { ++ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n", ++ LIBICA_NAME); ++ return 77; ++ } ++ ++ rc = p_ica_get_functionlist(NULL, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + return 77; +@@ -373,7 +393,7 @@ int check_libica() + return 77; + } + +- rc = ica_get_functionlist(mech_list, &mech_len); ++ rc = p_ica_get_functionlist(mech_list, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + free(mech_list); +diff --git a/test/provider/eckey.c b/test/provider/eckey.c +index b2334d7..b8f47b7 100644 +--- a/test/provider/eckey.c ++++ b/test/provider/eckey.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN, + static const unsigned int required_ica_mechs_len = + sizeof(required_ica_mechs) / sizeof(unsigned int); + ++typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *, ++ unsigned int *); ++ + int check_libica() + { + unsigned int mech_len, i, k, found = 0; + libica_func_list_element *mech_list = NULL; ++ void *ibmca_dso; ++ ica_get_functionlist_t p_ica_get_functionlist; + int rc; + +- rc = ica_get_functionlist(NULL, &mech_len); ++ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW); ++ if (ibmca_dso == NULL) { ++ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME); ++ return 77; ++ } ++ ++ p_ica_get_functionlist = ++ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist"); ++ if (p_ica_get_functionlist == NULL) { ++ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n", ++ LIBICA_NAME); ++ return 77; ++ } ++ ++ rc = p_ica_get_functionlist(NULL, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + return 77; +@@ -806,7 +826,7 @@ int check_libica() + return 77; + } + +- rc = ica_get_functionlist(mech_list, &mech_len); ++ rc = p_ica_get_functionlist(mech_list, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + free(mech_list); +diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c +index 366b503..9d6a618 100644 +--- a/test/provider/rsakey.c ++++ b/test/provider/rsakey.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT }; + static const unsigned int required_ica_mechs_len = + sizeof(required_ica_mechs) / sizeof(unsigned int); + ++typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *, ++ unsigned int *); ++ + int check_libica() + { + unsigned int mech_len, i, k, found = 0; + libica_func_list_element *mech_list = NULL; ++ void *ibmca_dso; ++ ica_get_functionlist_t p_ica_get_functionlist; + int rc; + +- rc = ica_get_functionlist(NULL, &mech_len); ++ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW); ++ if (ibmca_dso == NULL) { ++ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME); ++ return 77; ++ } ++ ++ p_ica_get_functionlist = ++ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist"); ++ if (p_ica_get_functionlist == NULL) { ++ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n", ++ LIBICA_NAME); ++ return 77; ++ } ++ ++ rc = p_ica_get_functionlist(NULL, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + return 77; +@@ -753,7 +773,7 @@ int check_libica() + return 77; + } + +- rc = ica_get_functionlist(mech_list, &mech_len); ++ rc = p_ica_get_functionlist(mech_list, &mech_len); + if (rc != 0) { + fprintf(stderr, "Failed to get function list from libica!\n"); + free(mech_list); diff --git a/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch b/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch new file mode 100644 index 0000000..4050976 --- /dev/null +++ b/openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch @@ -0,0 +1,61 @@ +From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 18 Jan 2024 16:35:14 +0100 +Subject: [PATCH] test/provider: Explicitly initialize OpenSSL after setting + env vars. + +When running with a libica version without commit +https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a +it is necessary to explicitly initialize OpenSSL before loading libica. Because +otherwise libica's library constructor will initialize OpenSSL the first time, +which in turn will load the IBMCA provider, and it will fall into the same +problem as fixed by above libica commit, i.e. the provider won't be able to +get the supported algorithms from libica an thus will not register any +algorithms. + +Signed-off-by: Ingo Franzki +--- + test/provider/dhkey.c | 2 ++ + test/provider/eckey.c | 2 ++ + test/provider/rsakey.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c +index 0ec2c03..b1270f5 100644 +--- a/test/provider/dhkey.c ++++ b/test/provider/dhkey.c +@@ -461,6 +461,8 @@ int main(int argc, char **argv) + return 77; + } + ++ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); ++ + ret = check_libica(); + if (ret != 0) + return ret; +diff --git a/test/provider/eckey.c b/test/provider/eckey.c +index b8f47b7..a65bea5 100644 +--- a/test/provider/eckey.c ++++ b/test/provider/eckey.c +@@ -895,6 +895,8 @@ int main(int argc, char **argv) + return 77; + } + ++ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); ++ + ret = check_libica(); + if (ret != 0) + return ret; +diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c +index 9d6a618..874de6d 100644 +--- a/test/provider/rsakey.c ++++ b/test/provider/rsakey.c +@@ -839,6 +839,8 @@ int main(int argc, char **argv) + return 77; + } + ++ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); ++ + ret = check_libica(); + if (ret != 0) + return ret; diff --git a/openssl-ibmca-04-engine-Fix-compile-error.patch b/openssl-ibmca-04-engine-Fix-compile-error.patch new file mode 100644 index 0000000..9241e15 --- /dev/null +++ b/openssl-ibmca-04-engine-Fix-compile-error.patch @@ -0,0 +1,36 @@ +From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 13 May 2024 08:53:56 +0200 +Subject: [PATCH] engine: Fix compile error on Fedora 40 + +ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy' +from incompatible pointer type [-Wincompatible-pointer-types] + 627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy); + +Signed-off-by: Ingo Franzki +--- + src/engine/ibmca_pkey.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c +index 9c8de94c..6cd8fcd9 100644 +--- a/src/engine/ibmca_pkey.c ++++ b/src/engine/ibmca_pkey.c +@@ -258,7 +258,7 @@ static int ibmca_x448_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *key, size_t + + /* ED25519 */ + +-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from) ++static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from) + { + return 1; + } +@@ -402,7 +402,7 @@ static int ibmca_ed25519_verify(EVP_MD_CTX *md_ctx, const unsigned char *sig, + + /* ED448 */ + +-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from) ++static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from) + { + return 1; + } diff --git a/openssl-ibmca-2.4.1.tar.gz b/openssl-ibmca-2.4.1.tar.gz new file mode 100644 index 0000000..277a2fe --- /dev/null +++ b/openssl-ibmca-2.4.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ecc41085e8b2110b3d2819a55faf0c189fb6064c51f872b963cae7a82cfa0c5 +size 215837 diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes new file mode 100644 index 0000000..d7fcfba --- /dev/null +++ b/openssl-ibmca.changes @@ -0,0 +1,504 @@ +------------------------------------------------------------------- +Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev + +- Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570) + +------------------------------------------------------------------- +Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev + +- Applied patches(jsc#PED-10292) + * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch + * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch + * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch + * openssl-ibmca-04-engine-Fix-compile-error.patch + +------------------------------------------------------------------- +Tue Jul 16 06:11:44 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file + * Replaced hard-coded '/usr/share' with %{_datadir} + +------------------------------------------------------------------- +Mon Jul 15 08:18:35 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1227537) + * 'rpm.install.excludedocs = yes' in zypp.conf excludes the /usr/share/doc/.. + * Added a check, if there is is /usr/share/doc file to be editted. + +------------------------------------------------------------------- +Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file +- Changed the package names + +-------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +-------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | Both engine and provider | + | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | + | engine | openssl-ibmca-engine | Only engine | + | provider | openssl-ibmca-provider | Only provider | + +-------------+---------------------------------+--------------------------+ + +------------------------------------------------------------------- +Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev + +- Applied a patch for openssl1_1 (bsc#1221627) + * openssl1-rename-libica-files.patch + +------------------------------------------------------------------- +Tue Apr 9 14:08:05 UTC 2024 - Nikolay Gueorguiev + +- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) + +------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | openssl1 flavor | + | engine | openssl3-ibmca-engine | Only engine | + | provider | openssl3-ibmca-provider | Only provider | + | openssl3 | openssl3-ibmca | Both engine and provider | + +------------+---------------------------------+--------------------------+ +- Changing/editing 'dynamic_path' after the installation on the target system + * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in + /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig + for openssl3 flavor + +------------------------------------------------------------------- +Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1221627) + * Removed the flavors + * Removed 'muiltibuild' environment + * Removed the 'provider' logic + +------------------------------------------------------------------- +Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev + +- Updated the .spec file (bsc#1218933, bsc#1221627) + * Amended the .spec file to use modulesdir variable +- Implemented _multibuild environment (openssl1, engine, provider) +- Added a flag and logic for provider in the .spec file + * When provider is set to 1, it 'configures' the provider + * When provider is set to 0, it 'configures' the engine + +------------------------------------------------------------------- +Fri Oct 13 10:39:42 UTC 2023 - Nikolay Gueorguiev + +- Removed an obsolete patch (implemented in the version 2.4.1) + * openssl-ibmca-engine-noregister.patch + +------------------------------------------------------------------- +Fri Oct 6 06:35:00 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 2.4.1 (jsc#PED-5422) + * Provider: Change the default log directory to /tmp + * Bug fixes + +------------------------------------------------------------------- +Mon May 22 07:20:32 UTC 2023 - Nikolay Gueorguiev + +- Updated the .spec file, amended to use libica4 instead of libica + * Requires: libica4 >= 4 + +------------------------------------------------------------------- +Tue May 2 07:49:24 UTC 2023 - Nikolay Gueorguiev + +- Updated the .spec file + * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries + +------------------------------------------------------------------- +Tue Apr 25 12:47:39 UTC 2023 - Nikolay Gueorguiev + +- Updated the .spec file as follow: + * BuildRequires: libica-devel >= 4.0.0 + * BuildRequires: libica-tools >= 4.0.0 + +------------------------------------------------------------------- +Mon Apr 24 09:23:09 UTC 2023 - Nikolay Gueorguiev + +- Added dependency on libica4 (bsc#1209038) + * BuildRequires and Requires statements in .spec file for libica4 + +------------------------------------------------------------------- +Wed Apr 19 10:52:06 UTC 2023 - Nikolay Gueorguiev + +- Applies a patch (bsc#1210359) + * openssl-ibmca-engine-noregister.patch +- Updated the '#dynamic_path' line, as it was before, with the comment '#'. + +------------------------------------------------------------------- +Thu Apr 6 08:14:25 UTC 2023 - Nikolay Gueorguiev + +- Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) + * openssl-ibmca 2.4.0 + - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 + - Provider: Support RSA blinding + - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding + - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding + - Provider: Adjustments in OpenSSL config generator and example configs + - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) + - Engine: Enable RSA blinding + +------------------------------------------------------------------- +Tue Mar 14 11:35:44 UTC 2023 - Nikolay Gueorguiev + +- Updated .spec file removed '#' from the line containing + 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) +- Added in %files + * /usr/lib64/engines-3/ibmca-provider.la + * /usr/lib64/engines-3/ibmca-provider.so + +------------------------------------------------------------------- +Tue Oct 4 19:33:57 UTC 2022 - Mark Post + +- Upgraded to version 2.3.1 (jsc#PED-597) + * openssl-ibmca 2.3.1 + - Adjustments for libica 4.1.0 + * openssl-ibmca 2.3.0 + - First version including the provider + - Fix for engine build without OpenSSL 3.0 sources + * openssl-ibmca 2.2.3 + - Fix PKEY segfault with OpenSSL 3.0 + * openssl-ibmca 2.2.2 + - Fix tests with OpenSSL 3.0 + - Build against libica 4.0 +- Removed a Requires for libica from the specfile. +- Removed the obsolete baselibs.conf file + +------------------------------------------------------------------- +Tue Mar 15 22:00:05 UTC 2022 - Mark Post + +- Completely revamped the postinstall scriptlet so that it doesn't + need to know or care about how many lines are in either + /etc/ssl/openssl.cnf, or the sample file at + /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample + We're now using the ".include" directive for the openssl.cnf + file, and only modifying that file the minimum necessary to + implement the change. (bsc#1004463) + +------------------------------------------------------------------- +Fri Sep 17 19:32:37 UTC 2021 - Mark Post + +- Upgraded to version 2.2.1 (jsc#SLE-18333) + * openssl-ibmca 2.2.1 + Bug fixes + * openssl-ibmca 2.2.0 + Implement fallbacks based on OpenSSL + Disable software fallbacks from libica + Allow to specify default library (libica vs. libica-cex) to use + Provide "libica" engine ctrl to switch library at load time + Update README.md + Remove libica link dependency + Generate sample configuration files from system configuration + Restructure registration global data + * openssl-ibmca 2.1.3 + Bug fix + * openssl-ibmca 2.1.2 + Bug fixes +- Modified spec file to + * Define a global variable enginesdir the same was as IBM does + instead of _ENGINE_DIR as we had been doing. + * Implemented %make_build macro according to spec-cleaner + * Changed the package description to match IBM's. + * Removed the redundant "autoreconf --force --install" + +------------------------------------------------------------------- +Wed Sep 16 20:06:12 UTC 2020 - Mark Post + +- Upgrade to version 2.1.1 (jsc#SLE-13709) + * Bug fixes + +------------------------------------------------------------------- +Tue Sep 10 22:22:49 UTC 2019 - Mark Post + +- Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) + Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 + +------------------------------------------------------------------- +Wed Aug 28 20:56:08 UTC 2019 - Mark Post + +- Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) + * openssl-ibmca 2.0.3 + Add MSA9 CPACF support for ECDSA sign/verify +- Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch +- Changed the ExclusiveArch directive to include s390x only. +- The code in e_ibmca.c does a dlopen for libica.so.3, instead of + linking against the shared library. As a result, if the package + containing libica.so.3 isn't installed, problems occur. Added + a "Requires: libica3" to the spec file to fix this. (bsc#1142286) +- Made a couple of changes to the spec file based on the output + from spec-cleaner. + +------------------------------------------------------------------- +Fri Jun 28 18:10:29 UTC 2019 - Mark Post + +- Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch + An Apache HTTP Server was set up with mod_ssl and the openssl + ibmca engine using libica and a CEX6A card. Whenever a worker + process is cleaned up a segmentation fault occurs. + (bsc#1138517) + +------------------------------------------------------------------- +Tue Nov 27 17:55:19 UTC 2018 - mpost@suse.com + +- Upgraded to version 2.0.2 (Fate#325688) + * openssl-ibmca 2.0.2 + Fix doing rsa-me, altough rsa-crt would be possible. + +------------------------------------------------------------------- +Thu Nov 15 20:17:04 UTC 2018 - mpost@suse.com + +- Upgraded to version 2.0.1 (Fate#325688) + * openssl-ibmca 2.0.1 + Dont fail when a libica symbol cannot be resolved. +- Made multiple changes to the spec file based on spec-cleaner output. + +------------------------------------------------------------------- +Wed Nov 14 20:18:07 UTC 2018 - mpost@suse.com + +- Upgraded to version 2.0.0 (Fate#325688) + * openssl-ibmca 2.0.0 + Add ECC support. + Add check and distcheck make-targets. + Project cleanup, code was broken into multiple files and coding style cleanup. + Improvements to compat macros for openssl. + Don't disable libica sw fallbacks. + Fix dlclose logic. + * openssl-ibmca 1.4.1 + Fix structure size for aes-256-ecb/cbc/cfb/ofb + Update man page + Switch to ibmca.so filename to allow standalone use + Switch off Libica fallback mode if available + Make sure ibmca_init only runs once + Provide simple macro for DEBUG_PRINTF possibility + Cleanup and slight rework of function set_supported_meths +- Did some cleanup to the spec file, based on spec-cleanup. +- Removed the following obsolete patches: + * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch + * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch + * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch + +------------------------------------------------------------------- +Fri Aug 31 19:37:39 UTC 2018 - mpost@suse.com + +- Added the following patches for bsc#1097463 + * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch + * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch + * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch + +------------------------------------------------------------------- +Fri Sep 22 18:07:10 UTC 2017 - mpost@suse.com + +- Upgraded to version 1.4.0 + * Re-license to Apache License v2.0 + * Fix aes_gcm initialization. + * Update man page. + * Add macros for OpenSSL 0.9.8 compat. + * Remove AC_FUNC_MALLOC from configure.ac + * Add compat macro for OpenSSL 1.0.1e-fips. + * Setting 'foreign' strictness for automake. + * Add AES-GCM support. + * Rework EVP_aes macros. + * Remove dependency of old local OpenSSL headers. + * Fix engine initialization to set function pointers only once. + * Remove blank COPYING and NEWS files. + * Remove INSTALL and move its content to README.md + * Update README.md file to make use of markdown. + * Rename README file to README.md to use markdown + * Add CONTRIBUTING guidelines. + * Adding coding style documentation. + * Enable EVP_MD_FLAG_FIPS flag for SHA-*. + * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 + * Fix SHA512 EVP digest struct to use + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 + * Fix wrong parenthesis + * convert libica loading to dlopen() and friends + * Add support to DSO on new API of OpenSSL-1.1.0 +- Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch +- Added BuildRequires for autoconf, automake, and libtool. +- Updated BuildRequires for libica-devel to be >= 3.1.1 + +------------------------------------------------------------------- +Fri Sep 22 07:50:52 UTC 2017 - mpost@suse.com + +- Now that the openSSL engines directory is versioned: + * Modified the spec file to query the libcrypto package + for which directory to install the engine into. + * Removed openssl-ibmca-fix-enginepath.patch. Replaced it + with a sed command so that it will provide the correct + versioned engines directory +- Removed openssl-ibmca-configure.patch. It doesn't seem to + be needed any longer. + +------------------------------------------------------------------- +Tue Apr 11 15:09:03 UTC 2017 - mpost@suse.com + +- Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) +- Added libica-tools to the BuildRequires due to repackaging of libica. +- Renamed BuildRequires from libica2-devel to libica-devel for the + same reason. +- Tweaked a comment to get rid of an rpmlint warning message. + +------------------------------------------------------------------- +Thu Oct 13 09:36:50 UTC 2016 - meissner@suse.com + +- fixed ssl configuration merging (bsc#1004463) +- openssl-ibmca-fix-enginepath.patch: fix the engine path + +------------------------------------------------------------------- +Wed Apr 6 19:07:43 UTC 2016 - mpluskal@suse.com + +- Use macro for configure (fate#319941) +- Use url for source +- Enable parallel building +- Cleanup spec file with spec-cleaner + +------------------------------------------------------------------- +Thu Mar 31 21:20:34 UTC 2016 - mpost@suse.com + +- Upgraded to version 1.3.0 (fate#319941) + - Updated openssl-ibmca-configure.patch to apply cleanly + - Removed obsolete patches + - openssl-ibmca-README.patch + - openssl-ibmca-sha256-digest-length.patch + - openssl-pkey.patch + - openssl-des-ede.patch +- Did some spec file cleanup. + +------------------------------------------------------------------- +Mon Mar 21 20:53:02 UTC 2016 - jjolly@suse.com + +- Fixed %post script to update library path (the only dynamic part + of the ibmca configuration) every time the package is installed. + (bsc#966139) + +------------------------------------------------------------------- +Tue Oct 27 06:36:06 UTC 2015 - jjolly@suse.com + +- Updated AUTHORS, INSTALL, and README (bsc#942839) +- %post and %postun added to properly update openssl.cnf (bsc#942839) + +------------------------------------------------------------------- +Tue Oct 27 03:46:00 UTC 2015 - jjolly@suse.com + +- Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) + +------------------------------------------------------------------- +Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com + +- Remove dependency on fillup anf insserv; the package provides + neither sysconfig file nor sysvinit script +- Remove depreciated AUTHORS section +- Use %configure macro +- Add openssl-ibmca-configure.patch + +------------------------------------------------------------------- +Wed Dec 3 09:22:24 UTC 2014 - meissner@suse.com + +- the openssl engines moved to /%_lib/engines bnc#905480 + +------------------------------------------------------------------- +Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com + +- Forced requirement of libica-2_3_0 (bnc#890824) + +------------------------------------------------------------------- +Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com + +- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) +- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes + fips self-test during EC key creation (bnc#879922) +- spec file cleaned up a bit + +------------------------------------------------------------------- +Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com + +- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message + digest length definition in sha256 template (bnc#868275) + +------------------------------------------------------------------- +Wed Mar 5 18:51:25 CET 2014 - ro@suse.de + +- update to 1.2.0 +- removed patches: + ibmca-configure.patch + ibmca-segfault.fix.patch + ibmca-sw-fix.patch + openssl-ibmca-1.0.0.rc2-memset-fix.patch +- make it exclusivearch for s390/s390x as the required libica + is only available for s390/s390x + +------------------------------------------------------------------- +Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com + +- Made required libica-2_1_0 s390 specific +- Added x86_64 to ExclusiveArch as %ix86 doesn't do it +- Removed libica requirement - allowing build process to find it + +------------------------------------------------------------------- +Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com + +- Added COPYING to %files + +------------------------------------------------------------------- +Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com + +- Requiring libica 2.1.0 or greater + +------------------------------------------------------------------- +Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com + +- enable ppc64le + +------------------------------------------------------------------- +Fri Mar 23 11:27:45 UTC 2012 - dvaleev@suse.com + +- fix build (add autoconf automake libtool to BuildRequires) + +------------------------------------------------------------------- +Thu Mar 24 17:19:11 UTC 2011 - coolo@novell.com + +- disable libtool --finish call + +------------------------------------------------------------------- +Fri Dec 17 10:56:05 UTC 2010 - coolo@novell.com + +- own engines directory + +------------------------------------------------------------------- +Mon Feb 1 12:13:29 UTC 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Tue Feb 13 12:51:00 CET 2007 - uli@suse.de + +- added fixes by IBM (bug #243801): + ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM + object + ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM + object + openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem + +------------------------------------------------------------------- +Mon Jun 19 17:22:37 CEST 2006 - uli@suse.de + +- updated README (bug #185508) + +------------------------------------------------------------------- +Tue Mar 28 14:27:32 CEST 2006 - hare@suse.de + +- Fixed configure.in to build correctly +- Fixed spec file +- Initial version from Mike Halcrow + diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec new file mode 100644 index 0000000..abd03b0 --- /dev/null +++ b/openssl-ibmca.spec @@ -0,0 +1,184 @@ +# +# spec file for package openssl-ibmca +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) +%global modulesdir %(pkg-config --variable=modulesdir libcrypto) + +%global sslengcnf %{_sysconfdir}/ssl/engines3.d +%global sslengdef %{_sysconfdir}/ssl/engdef3.d + +%define flavor @BUILD_FLAVOR@%{nil} + +%if "%{flavor}" == "" +Name: openssl-ibmca +%endif + +%if "%{flavor}" == "engine" +Name: openssl-ibmca-engine +%endif + +%if "%{flavor}" == "provider" +Name: openssl-ibmca-provider +%endif + +Version: 2.4.1 +Release: 0 +Summary: The IBMCA OpenSSL dynamic engine +License: Apache-2.0 +Group: Hardware/Other +URL: https://github.com/opencryptoki/openssl-ibmca +Source: https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz +Source1: engine_section.txt +Source2: _multibuild +### +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +### +BuildRequires: libica-devel >= 4.0.0 +BuildRequires: libica-tools >= 4.0.0 +BuildRequires: libopenssl-3-devel +BuildRequires: libopenssl3 +Requires: libica4 >= 4.0.0 +Requires: libopenssl3 +### +ExclusiveArch: s390x + +### +Patch10: openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch +Patch11: openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch +Patch12: openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch +Patch13: openssl-ibmca-04-engine-Fix-compile-error.patch +### + +%description +This package contains a shared object OpenSSL dynamic engine which interfaces +to libica, a library enabling the IBM s390/x CPACF crypto instructions. + +%prep +%autosetup -p1 -n openssl-ibmca-%{version} + ./bootstrap.sh + +%build +export CFLAGS="%{optflags}" +export CPPFLAGS="%{optflags}" + +%if "%{flavor}" == "" +%configure \ + --libdir=%{modulesdir} + mkdir -p %{buildroot}/%{enginesdir} +%endif + +%if "%{flavor}" == "engine" +%configure \ + --disable-provider \ + --libdir=%{enginesdir} +%endif + +%if "%{flavor}" == "provider" +%configure \ + --disable-engine \ + --libdir=%{modulesdir} +%endif + +%make_build + +%install +# Update the sample config file so that the dynamic path points +# to the correct version of the engines directory. +%if "%{flavor}" != "provider" +sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample +%endif + +%make_install + +%if "%{flavor}" == "" +mkdir -p %{buildroot}/%{enginesdir} +mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ +%endif + +rm -f %{buildroot}/%{enginesdir}/ibmca*.la +rm -f %{buildroot}/%{modulesdir}/ibmca*.la + +# This file contains the declaration of the ibmca engine section. It +# needs to be on the "real" file system when the postinstall scriptlet +# is run. It will be read by the openssl .include directive that points +# to /etc/ssl/engines.d/ +mkdir -p %{buildroot}%{_datadir}/%{name} +cp -p %{SOURCE1} %{buildroot}%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt + +# This will create the actual engine definition section that will be usable +# by the .include directive of openSSL. That include will be inserted during +# the postinstall phase of the package installation. +grep -v "^#" src/engine/openssl.cnf.sample | \ + sed -n -e '/^\[ibmca_section\]/,$ p' | \ + sed -e '/^$/ {N;N;s/\n\n/\n/g;}' | \ + sed -e 's/^dynamic_path/#dynamic_path/' > %{buildroot}%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf + +%post +#Original fix for bsc#942839 was to update on first install +#For bsc#966139 update if openssl_def not found + +mkdir -p %{sslengcnf} +mkdir -p %{sslengdef} +cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf +cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf + +%if "%{flavor}" == "" +if [ -f "%{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig" ]; then + cp -p %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig + sed -e 's/ossl-modules/engines-3/' %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig + rm %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig +fi +%endif + +%postun +if [ $1 -eq 0 ]; then # last uninstall + rm -f %{sslengcnf}/openssl-ibmca.cnf + rm -f %{sslengdef}/openssl-ibmca.cnf +fi + +%files +%license LICENSE +%doc ChangeLog +%doc README.md +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt +%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf +%if "%{flavor}" == "" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/provider/ibmca-provider-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca.5%{?ext_man} + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "provider" + %doc src/provider/ibmca-provider-opensslconfig + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "engine" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{_mandir}/man5/ibmca.5%{?ext_man} +%endif + +%changelog diff --git a/openssl1-rename-libica-files.patch b/openssl1-rename-libica-files.patch new file mode 100644 index 0000000..ba42cb6 --- /dev/null +++ b/openssl1-rename-libica-files.patch @@ -0,0 +1,65 @@ +--- openssl-ibmca-2.4.1/configure.ac 2023-09-21 08:52:43.000000000 +0200 ++++ changed/configure.ac 2024-04-17 10:13:02.267582864 +0200 +@@ -69,7 +69,7 @@ + # Checks for header files. + AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ + string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) +-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***])) ++AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***])) + + + # Checks for typedefs, structures, and compiler characteristics. +@@ -81,15 +81,15 @@ + # Checks for library functions. + AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) + AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [], +- AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]), ++ AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]), + [#include ]) + AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION], + [openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"], + [#include ]) + AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes]) + +-AC_ARG_WITH([libica-cex], +- [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])], ++AC_ARG_WITH([libica-openssl1_1-cex], ++ [AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])], + [usecexonly=${withval}], + []) + +@@ -99,11 +99,11 @@ + [libicaversion=4]) + + if test "x$usecexonly" = xyes; then +- defaultlib="libica-cex.so.$libicaversion" +- ica="ica-cex" ++ defaultlib="libica-openssl1_1-cex.so.$libicaversion" ++ ica="ica-openssl1_1-cex" + else +- defaultlib="libica.so.$libicaversion" +- ica="ica" ++ defaultlib="libica-openssl1_1.so.$libicaversion" ++ ica="ica-openssl1_1" + fi + # In cex-only mode, testing the ciphers does not make any sense since + # they will fall back to OpenSSL without the engine. So remove these +@@ -135,7 +135,7 @@ + + + AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"]) +-AC_SUBST([ICA],["$ica"]) ++AC_SUBST([ICA],["$ica-openssl1_1"]) + + AC_CHECK_PROG([openssl_var],[openssl],[yes],[no]) + if test "x$openssl_var" != xyes; then +@@ -169,7 +169,7 @@ + echo " default library: $defaultlib" + echo "IBMCA provider: $enable_provider" + if test "x$useproviderfulllibica" = xyes; then +- echo " libica library: libica" ++ echo " libica library: libica-openssl1_1" + else +- echo " libica library: libica-cex" ++ echo " libica library: libica-openssl1_1-cex" + fi From bca8475b66d62a31789de7d0e3a67e586d07201c78d7966ebb36c893956e4c7e Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Wed, 30 Oct 2024 08:57:11 +0000 Subject: [PATCH 2/2] - Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570) - Removed obsolete patch * openssl1-rename-libica-files.patch - Applied patches(jsc#PED-10292) * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch * openssl-ibmca-04-engine-Fix-compile-error.patch - Amended the .spec file * Replaced hard-coded '/usr/share' with %{_datadir} - Amended the .spec file (bsc#1227537) * 'rpm.install.excludedocs = yes' in zypp.conf excludes the /usr/share/doc/.. * Added a check, if there is is /usr/share/doc file to be editted. - Amended the .spec file - Changed the package names +-------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +-------------+---------------------------------+--------------------------+ | '' | openssl-ibmca | Both engine and provider | | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | | engine | openssl-ibmca-engine | Only engine | | provider | openssl-ibmca-provider | Only provider | +-------------+---------------------------------+--------------------------+ - Applied a patch for openssl1_1 (bsc#1221627) * openssl1-rename-libica-files.patch - Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) +------------+---------------------------------+--------------------------+ | Flavor | Package name | Note | +------------+---------------------------------+--------------------------+ | '' | openssl-ibmca | openssl1 flavor | | engine | openssl3-ibmca-engine | Only engine | | provider | openssl3-ibmca-provider | Only provider | | openssl3 | openssl3-ibmca | Both engine and provider | +------------+---------------------------------+--------------------------+ - Changing/editing 'dynamic_path' after the installation on the target system * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig for openssl3 flavor - Amended the .spec file (bsc#1221627) * Removed the flavors * Removed 'muiltibuild' environment * Removed the 'provider' logic - Updated the .spec file (bsc#1218933, bsc#1221627) * Amended the .spec file to use modulesdir variable - Implemented _multibuild environment (openssl1, engine, provider) - Added a flag and logic for provider in the .spec file * When provider is set to 1, it 'configures' the provider * When provider is set to 0, it 'configures' the engine - Removed an obsolete patch (implemented in the version 2.4.1) * openssl-ibmca-engine-noregister.patch - Upgrade to version 2.4.1 (jsc#PED-5422) * Provider: Change the default log directory to /tmp * Bug fixes - Updated the .spec file, amended to use libica4 instead of libica * Requires: libica4 >= 4 - Updated the .spec file * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries - Updated the .spec file as follow: * BuildRequires: libica-devel >= 4.0.0 * BuildRequires: libica-tools >= 4.0.0 - Added dependency on libica4 (bsc#1209038) * BuildRequires and Requires statements in .spec file for libica4 - Applies a patch (bsc#1210359) * openssl-ibmca-engine-noregister.patch - Updated the '#dynamic_path' line, as it was before, with the comment '#'. - Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) * openssl-ibmca 2.4.0 - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 - Provider: Support RSA blinding - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding - Provider: Adjustments in OpenSSL config generator and example configs - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) - Engine: Enable RSA blinding - Updated .spec file removed '#' from the line containing 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) - Added in %files * /usr/lib64/engines-3/ibmca-provider.la * /usr/lib64/engines-3/ibmca-provider.so - Upgraded to version 2.3.1 (jsc#PED-597) * openssl-ibmca 2.3.1 - Adjustments for libica 4.1.0 * openssl-ibmca 2.3.0 - First version including the provider - Fix for engine build without OpenSSL 3.0 sources * openssl-ibmca 2.2.3 - Fix PKEY segfault with OpenSSL 3.0 * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 - Removed a Requires for libica from the specfile. - Removed the obsolete baselibs.conf file - Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=78 --- openssl-ibmca.changes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index d7fcfba..fca31be 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes @@ -2,6 +2,8 @@ Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev - Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570) +- Removed obsolete patch + * openssl1-rename-libica-files.patch ------------------------------------------------------------------- Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev