Accepting request 390328 from security

1 OBS-URL: https://build.opensuse.org/request/show/390328 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=24
2016-04-28 14:54:31 +00:00 · 2016-04-28 14:54:31 +00:00 · e49ce50354
commit e49ce50354
parent ca089ef5ad
9 changed files with 124 additions and 230 deletions
--- a/openssl-des-ede.patch
+++ b/openssl-des-ede.patch
@ -1,68 +0,0 @@
-commit 83b8ed7b25c809fa36ec86d7041a6350dc516606
-Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
-Date:   Wed Mar 19 15:57:10 2014 -0500
-
-    openssl-ibmca: openssl speed -engine ibmca -evp des-ede3-ofb segfaults
-    
-    Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
-
-diff --git a/e_ibmca.c b/e_ibmca.c
-index b1ad975..0acbe5f 100644
--- a/e_ibmca.c
-+++ b/e_ibmca.c
-@@ -883,8 +883,7 @@ typedef unsigned int (*ica_sha256_t)(unsigned int, unsigned int, unsigned char *
- 			sha256_context_t *, unsigned char *);
- typedef unsigned int (*ica_des_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
- 			 unsigned long data_length, const unsigned char *key,
-			 unsigned int key_length, unsigned char *iv,
-			 unsigned int direction);
-+			 unsigned char *iv, unsigned int direction);
- typedef unsigned int (*ica_des_cfb_t)(const unsigned char *in_data, unsigned char *out_data,
- 			 unsigned long data_length, const unsigned char *key,
- 			 unsigned char *iv, unsigned int lcfb,
-@@ -894,8 +893,7 @@ typedef unsigned int (*ica_3des_cfb_t)(const unsigned char *, unsigned char *,
- 			unsigned int, unsigned int);
- typedef unsigned int (*ica_3des_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
- 			  unsigned long data_length, const unsigned char *key,
-			  unsigned int key_length, unsigned char *iv,
-			  unsigned int direction);
-+			  unsigned char *iv, unsigned int direction);
- typedef unsigned int (*ica_aes_ofb_t)(const unsigned char *in_data, unsigned char *out_data,
- 			 unsigned long data_length, const unsigned char *key,
- 			 unsigned int key_length, unsigned char *iv,
-@@ -1197,7 +1195,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 			rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv,
- 					   8, ICA_ENCRYPT);
- 		} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
-			rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv,
-+			rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv,
- 					   ICA_ENCRYPT);
- 		} else {
- 			rv = p_ica_des_encrypt(mode, len, (unsigned char *)in,
-@@ -1223,7 +1221,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 			rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv,
- 					   8, ICA_DECRYPT);
- 		} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
-			rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv,
-+			rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv,
- 					   ICA_DECRYPT);
- 		} else {
- 			/* Protect against decrypt in place */
-@@ -1279,7 +1277,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 					ctx->iv, 8, ICA_ENCRYPT);
- 		} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
- 			rv = p_ica_3des_ofb(in, out, len, pCtx->key,
-					8, ctx->iv, ICA_ENCRYPT);
-+					ctx->iv, ICA_ENCRYPT);
- 		} else {
- 			rv = p_ica_3des_encrypt(mode, len, (unsigned char *)in,
- 						(ica_des_vector_t *) ctx->iv,
-@@ -1305,7 +1303,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 					ctx->iv, 8, ICA_DECRYPT);
- 		} else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) {
- 			rv = p_ica_3des_ofb(in, out, len, pCtx->key,
-					8, ctx->iv, ICA_DECRYPT);
-+					ctx->iv, ICA_DECRYPT);
- 		} else {
- 			/* Protect against decrypt in place */
- 			/* FIXME: Again, check if EVP_CIPHER_CTX_iv_length() should be used */
--- a/openssl-ibmca-1.2.0.tar.gz
+++ b/openssl-ibmca-1.2.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d36363798e69e19b203126106f0e3f1a08626f96523994dd3c06adfe9c6d27ad
-size 26525
--- a/openssl-ibmca-1.3.0.tar.bz2
+++ b/openssl-ibmca-1.3.0.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdc5387ab229cf3d74b88fd17b60562c8f76f57dfe70514a35ef243791bcdfb0
+size 274900
--- a/openssl-ibmca-README.patch
+++ b/openssl-ibmca-README.patch
@ -1,65 +0,0 @@
--- README
-+++ README
-@@ -7,45 +7,28 @@
- 
- ABOUT
- 
-This package contains the dynamic IBMCA engine.
-+This package contains the dynamic IBMCA engine. Note that, as of
-+OpenSSL version 0.9.8, the IBMCA engine is shipped as a dynamic engine
-+in a separate RPM.
- 
- BUILDING
- 
-  Requirements: OpenSSL 0.9.8, libICA
- 
- By default, the build will assume that you have a custom openssl installed
-in /usr/local/ssl.
-
- $ configure [--enable-debug] [--with-openssl=/path/to/custom/openssl] \
-             [--with-engines-dir=/path/to/openssl/engines/directory]
- $ make
- # make install
-
-Included in this package is a sample openssl.cnf file (openssl.cnf.sample),
-which can be used to turn on use of the IBMCA engine in apps where OpenSSL
-config support is compiled in. In order to enable the IBMCA engine, the
-content from this file should be concatenated to the existing openssl.cnf file
-on the host.
-
-During the build process, the path to the engines/ directory is substituted in
-for the dynamic_path parameter in the ibmca section. By default, this path to
-the engines/ directory is relative to the OpenSSL installation target. With no
-parameters passed to the ./configure script, this target is /usr/local/ssl,
-and so the default entry in the sample openssl.cnf file is:
-
-dynamic_path = /usr/local/ssl/lib/engines/libibmca.so
-
-If OpenSSL is installed to a different location, then the --with-openssl=
-option should be passed to the ./configure script. For instance, if
---with-openssl=/usr is given, then the entry in the sample openssl.cnf file
-is:
-+Included in this package is a sample openssl.cnf file
-+(openssl.cnf.sample), which can be used to enable use of the IBMCA
-+engine in apps where OpenSSL config support is compiled in. In order
-+to enable the IBMCA engine, the content from this file should be
-+concatenated to the existing openssl.cnf file on the host.
-+
-+The path to the engines/ directory is /usr/lib/engines; the dynamic
-+path to the IBMCA engine for 32-bit binary RPM installations should
-+be:
- 
- dynamic_path = /usr/lib/engines/libibmca.so
- 
-If the OpenSSL engines directory is located elsewhere, then that location must
-be specified in the --with-engines-dir= option. For instance, if the engines/
-directory is under /usr/lib64, then the ./configure script will need the
-option --with-engines-dir=/usr/lib64/engines, which will produce this entry in
-the sample openssl.cnf file:
-+The dynamic path to the IBMCA engine for 64-bit binary RPM
-+installations should be:
-+
-+dynamic_path = /usr/lib64/engines/libibmca.so
- 
-dynamic_path = /usr/lib64/engines/libibmca.so
-\ No newline at end of file
--- a/openssl-ibmca-configure.patch
+++ b/openssl-ibmca-configure.patch
@ -1,11 +1,11 @@
--- configure.in
-+++ configure.in
-@@ -28,7 +28,7 @@
- # libica is dlopened, so do not add it to LIBS
- save_LIBS=$LIBS
- AC_CHECK_LIB(ica, ica_open_adapter, [], \
-             AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl])
-+             AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl -lrt -lcrypto -lpthread])
- LIBS=$save_LIBS
+--- configure	2016-03-31 18:07:02.238114067 -0400
+++ configure	2016-03-31 18:09:16.168114067 -0400
+@@ -11511,7 +11511,7 @@
+   $as_echo_n "(cached) " >&6
+ else
+   ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lica  $LIBS"
+LIBS="-lica -lpthread $LIBS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
 
- # OpenSSL location
--- a/openssl-ibmca-sha256-digest-length.patch
+++ b/openssl-ibmca-sha256-digest-length.patch
@ -1,22 +0,0 @@
-commit f204aca935dfe45b736e9fb8f822c9e79ec9747c
-Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
-Date:   Fri Mar 7 10:35:33 2014 +0100
-
-    SHA256: Fixed message digest length definition in sha256 template
-    
-    Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
-    Acked-by: John Jolly <jjolly@suse.de>
-
-diff --git a/e_ibmca.c b/e_ibmca.c
-index 94c44a4..f3fad35 100644
--- a/e_ibmca.c
-+++ b/e_ibmca.c
-@@ -727,7 +727,7 @@ static const EVP_MD ibmca_sha1 = {
- static const EVP_MD ibmca_sha256 = {
- 	NID_sha256,
- 	NID_sha256WithRSAEncryption,
-	SHA_HASH_LENGTH,
-+	SHA256_HASH_LENGTH,
- 	0,
- 	ibmca_sha256_init,
- 	ibmca_sha256_update,
--- a/openssl-ibmca.changes
+++ b/openssl-ibmca.changes
@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Wed Apr  6 19:07:43 UTC 2016 - mpluskal@suse.com
+
+- Use macro for configure
+- Use url for source
+- Enable parallel building
+- Cleanup spec file with spec-cleaner
+
+-------------------------------------------------------------------
+Thu Mar 31 21:20:34 UTC 2016 - mpost@suse.com
+
+- Upgraded to version 1.3.0 (fate#319941)
+  - Updated openssl-ibmca-configure.patch to apply cleanly
+  - Removed obsolete patches
+    - openssl-ibmca-README.patch
+    - openssl-ibmca-sha256-digest-length.patch
+    - openssl-pkey.patch
+    - openssl-des-ede.patch
+- Did some spec file cleanup.
+
+-------------------------------------------------------------------
+Mon Mar 21 20:53:02 UTC 2016 - jjolly@suse.com
+
+- Fixed %post script to update library path (the only dynamic part
+  of the ibmca configuration) every time the package is installed.
+  (bsc#966139)
+
+-------------------------------------------------------------------
+Tue Oct 27 06:36:06 UTC 2015 - jjolly@suse.com
+
+- Updated AUTHORS, INSTALL, and README (bsc#942839)
+- %post and %postun added to properly update openssl.cnf (bsc#942839)
+
+-------------------------------------------------------------------
+Tue Oct 27 03:46:00 UTC 2015 - jjolly@suse.com
+
+- Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138)
+
 -------------------------------------------------------------------
 Sun Mar  8 17:15:03 UTC 2015 - p.drouand@gmail.com

@ -7,6 +45,11 @@ Sun Mar  8 17:15:03 UTC 2015 - p.drouand@gmail.com
 - Use %configure macro
 - Add openssl-ibmca-configure.patch

+-------------------------------------------------------------------
+Wed Dec  3 09:22:24 UTC 2014 - meissner@suse.com
+
+- the openssl engines moved to /%_lib/engines bnc#905480
+
 -------------------------------------------------------------------
 Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com

--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssl-ibmca
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,29 +17,21 @@


 Name:           openssl-ibmca
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libica-2_3_0-devel
-BuildRequires:  libtool
-BuildRequires:  openssl-devel
+Version:        1.3.0
+Release:        0
 Summary:        The IBMCA OpenSSL dynamic engine
 License:        IPL-1.0
 Group:          Hardware/Other
-Version:        1.2.0
-Release:        0
-Source:         openssl-ibmca-1.2.0.tar.gz
-Source2:        baselibs.conf
-Patch1:         openssl-ibmca-README.patch
-Patch2:         openssl-ibmca-configure.patch
-Patch3:         openssl-ibmca-sha256-digest-length.patch
-Patch4:         openssl-pkey.patch
-Patch5:         openssl-des-ede.patch
 Url:            http://sourceforge.net/projects/opencryptoki
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Requires:       libica-2_3_0
+Source:         http://sourceforge.net/projects/opencryptoki/files/libica%%20OpenSSL%%20Engine/ibmca-%{version}/openssl-ibmca-%{version}.tar.bz2
+Source1:        baselibs.conf
+Patch1:         openssl-ibmca-configure.patch
+BuildRequires:  libica2-devel >= 2.4.0
+BuildRequires:  openssl-devel
+Requires:       libica2 >= 2.4.0
 Requires:       openssl
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch:  s390 s390x
-#

 %description
 This package contains a shared object OpenSSL dynamic engine for the
@ -48,26 +40,71 @@ IBM eServer Cryptographic Accelerator (ICA).
 %prep
 %setup -q
 %patch1
-%patch2
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1

 %build
-autoreconf --force --install
-%configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines
-make
+export CFLAGS="%{optflags}"
+export CPPFLAGS="%{optflags}"
+%configure \
+  --libdir=/%{_lib}/engines
+make %{?_smp_mflags}

 %install
-%makeinstall
-#(cd $RPM_BUILD_ROOT; libtool --finish ./%_libdir/engines)
-rm ${RPM_BUILD_ROOT}%{_libdir}/engines/libibmca.la
+make %{?_smp_mflags} DESTDIR=%{buildroot} install
+rm %{buildroot}/%{_lib}/engines/libibmca.la
+
+%post
+#Original fix for bsc#942839 was to update on first install
+#For bsc#966139 update if openssl_def not found
+SSLCNF=%{_sysconfdir}/ssl/openssl.cnf
+SSLSMP=%{_docdir}/${name}/openssl.cnf.sample
+
+if [ -f ${SSLCNF} -a -f ${SSLSMP} ]; then
+  if grep '^openssl_conf[[:space:]]*=[[:space:]]*openssl_def$' ${SSLCNF} >/dev/null 2>&1; then
+    # Config already installed. Update library path if necessary
+    SECTSTART=$(grep -n '\[ibmca_section\]' ${SSLCNF} | head -n1 | cut -d':' -f1)
+    REPLINE=""
+    if [ "z${SECTSTART}" != "z" ]; then
+      REPLINE=$((SECTSTART - 1 + $(tail -n+${SECTSTART} ${SSLCNF} | grep -n 'dynamic_path' | head -n1 | cut -d':' -f1) ))
+    fi
+    if [ "z${REPLINE}" != "z" ]; then
+      head -n$((REPLINE - 1)) ${SSLCNF} > ${SSLCNF}.temp
+      grep 'dynamic_path' ${SSLSMP} >> ${SSLCNF}.temp
+      tail -n+$((REPLINE + 1)) ${SSLCNF} >> ${SSLCNF}.temp
+      mv ${SSLCNF}.temp ${SSLCNF}
+    fi
+  else
+    CNFSZE=350 # Size in lines of original openssl.cnf
+    SMPSZE=46  # Size in lines of original sample config file
+    CNFINS=9   # Line number in openssl.cnf to insert new line
+    SMPUSE=11  # Line number in sample to copy from
+    if [ $(wc -l ${SSLCNF} | cut -d ' ' -f 1) -ne ${CNFSZE} ]; then
+      echo Original ${SSLCNF} incorrect size. Please manually update from ${SSLSMP}
+    elif [ $(wc -l ${SSLSMP} | cut -d ' ' -f 1) -ne ${SMPSZE} ]; then
+      echo Original ${SSLSMP} incorrect size. Please manually update to ${SSLCNF}
+    else
+      mv ${SSLCNF} ${SSLCNF}.orig
+      head -n ${CNFINS} ${SSLCNF}.orig > ${SSLCNF}
+      head -n ${SMPUSE} ${SSLSMP} | tail -n 1 >> ${SSLCNF}
+      tail -n $((CNFSZE - CNFINS)) ${SSLCNF}.orig >> ${SSLCNF}
+      head -n $((SMPUSE - 1)) ${SSLSMP} >> ${SSLCNF}
+      tail -n $((SMPSZE - SMPUSE)) ${SSLSMP} >> ${SSLCNF}
+    fi
+  fi
+fi
+
+%postun
+if [ $1 -eq 0 ]; then #last uninstall, modify %{_sysconfdir}/openssl.cnf (bsc#942839)
+  SSLCNF=%{_sysconfdir}/ssl/openssl.cnf
+  if [ -f ${SSLCNF}.orig ]; then
+    mv ${SSLCNF}.orig ${SSLCNF}
+  fi
+fi

 %files
 %defattr(-, root, root)
 %doc README COPYING
-%doc openssl.cnf.sample
-%dir %{_libdir}/engines
-%{_libdir}/engines/libibmca.*
+%doc src/openssl.cnf.sample
+/%{_lib}/engines/libibmca.*
+%{_mandir}/man5/ibmca.5%{ext_man}

 %changelog
--- a/openssl-pkey.patch
+++ b/openssl-pkey.patch
@ -1,31 +0,0 @@
-commit 6cdca2c3d655ef19d022fb3d8bcbf63491b79db2
-Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
-Date:   Wed Mar 19 12:50:14 2014 -0500
-
-    Add flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE to EVP_MD so that signing method
-    comes from key type.
-    
-    Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
-
-diff --git a/e_ibmca.c b/e_ibmca.c
-index f3fad35..9353470 100644
--- a/e_ibmca.c
-+++ b/e_ibmca.c
-@@ -711,7 +711,7 @@ static const EVP_MD ibmca_sha1 = {
- 	NID_sha1,
- 	NID_sha1WithRSAEncryption,
- 	SHA_HASH_LENGTH,
-	0,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
- 	ibmca_sha1_init,
- 	ibmca_sha1_update,
- 	ibmca_sha1_final,
-@@ -728,7 +728,7 @@ static const EVP_MD ibmca_sha256 = {
- 	NID_sha256,
- 	NID_sha256WithRSAEncryption,
- 	SHA256_HASH_LENGTH,
-	0,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
- 	ibmca_sha256_init,
- 	ibmca_sha256_update,
- 	ibmca_sha256_final,