Accepting request 962257 from home:markkp:branches:security:tls

- Completely revamped the postinstall scriptlet so that it doesn't need to know or care about how many lines are in either /etc/ssl/openssl.cnf, or the sample file at /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample We're now using the ".include" directive for the openssl.cnf file, and only modifying that file the minimum necessary to implement the change. (bsc#1004463) - Upgraded to version 2.2.1 (jsc#SLE-18333) * openssl-ibmca 2.2.1 Bug fixes * openssl-ibmca 2.2.0 Implement fallbacks based on OpenSSL Disable software fallbacks from libica Allow to specify default library (libica vs. libica-cex) to use Provide "libica" engine ctrl to switch library at load time Update README.md Remove libica link dependency Generate sample configuration files from system configuration Restructure registration global data * openssl-ibmca 2.1.3 Bug fix * openssl-ibmca 2.1.2 Bug fixes - Modified spec file to * Define a global variable enginesdir the same was as IBM does instead of _ENGINE_DIR as we had been doing. * Implemented %make_build macro according to spec-cleaner * Changed the package description to match IBM's. * Removed the redundant "autoreconf --force --install" - Upgrade to version 2.1.1 (jsc#SLE-13709) * Bug fixes - Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 - Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) * openssl-ibmca 2.0.3 Add MSA9 CPACF support for ECDSA sign/verify - Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch - Changed the ExclusiveArch directive to include s390x only. - The code in e_ibmca.c does a dlopen for libica.so.3, instead of linking against the shared library. As a result, if the package containing libica.so.3 isn't installed, problems occur. Added a "Requires: libica3" to the spec file to fix this. (bsc#1142286) - Made a couple of changes to the spec file based on the output from spec-cleaner. - Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch An Apache HTTP Server was set up with mod_ssl and the openssl ibmca engine using libica and a CEX6A card. Whenever a worker process is cleaned up a segmentation fault occurs. (bsc#1138517) - Upgraded to version 2.0.2 (Fate#325688) * openssl-ibmca 2.0.2 Fix doing rsa-me, altough rsa-crt would be possible. - Upgraded to version 2.0.1 (Fate#325688) * openssl-ibmca 2.0.1 Dont fail when a libica symbol cannot be resolved. - Made multiple changes to the spec file based on spec-cleaner output. - Upgraded to version 2.0.0 (Fate#325688) * openssl-ibmca 2.0.0 Add ECC support. Add check and distcheck make-targets. Project cleanup, code was broken into multiple files and coding style cleanup. Improvements to compat macros for openssl. Don't disable libica sw fallbacks. Fix dlclose logic. * openssl-ibmca 1.4.1 Fix structure size for aes-256-ecb/cbc/cfb/ofb Update man page Switch to ibmca.so filename to allow standalone use Switch off Libica fallback mode if available Make sure ibmca_init only runs once Provide simple macro for DEBUG_PRINTF possibility Cleanup and slight rework of function set_supported_meths - Did some cleanup to the spec file, based on spec-cleanup. - Removed the following obsolete patches: * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Added the following patches for bsc#1097463 * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch - Upgraded to version 1.4.0 * Re-license to Apache License v2.0 * Fix aes_gcm initialization. * Update man page. * Add macros for OpenSSL 0.9.8 compat. * Remove AC_FUNC_MALLOC from configure.ac * Add compat macro for OpenSSL 1.0.1e-fips. * Setting 'foreign' strictness for automake. * Add AES-GCM support. * Rework EVP_aes macros. * Remove dependency of old local OpenSSL headers. * Fix engine initialization to set function pointers only once. * Remove blank COPYING and NEWS files. * Remove INSTALL and move its content to README.md * Update README.md file to make use of markdown. * Rename README file to README.md to use markdown * Add CONTRIBUTING guidelines. * Adding coding style documentation. * Enable EVP_MD_FLAG_FIPS flag for SHA-*. * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 * Fix SHA512 EVP digest struct to use EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 * Fix wrong parenthesis * convert libica loading to dlopen() and friends * Add support to DSO on new API of OpenSSL-1.1.0 - Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch - Added BuildRequires for autoconf, automake, and libtool. - Updated BuildRequires for libica-devel to be >= 3.1.1 - Now that the openSSL engines directory is versioned: * Modified the spec file to query the libcrypto package for which directory to install the engine into. * Removed openssl-ibmca-fix-enginepath.patch. Replaced it with a sed command so that it will provide the correct versioned engines directory - Removed openssl-ibmca-configure.patch. It doesn't seem to be needed any longer. - Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) - Added libica-tools to the BuildRequires due to repackaging of libica. - Renamed BuildRequires from libica2-devel to libica-devel for the same reason. - Tweaked a comment to get rid of an rpmlint warning message. - fixed ssl configuration merging (bsc#1004463) - openssl-ibmca-fix-enginepath.patch: fix the engine path - Use macro for configure (fate#319941) - Use url for source - Enable parallel building - Cleanup spec file with spec-cleaner - Upgraded to version 1.3.0 (fate#319941) - Updated openssl-ibmca-configure.patch to apply cleanly - Removed obsolete patches - openssl-ibmca-README.patch - openssl-ibmca-sha256-digest-length.patch - openssl-pkey.patch - openssl-des-ede.patch - Did some spec file cleanup. - Fixed %post script to update library path (the only dynamic part of the ibmca configuration) every time the package is installed. (bsc#966139) - Updated AUTHORS, INSTALL, and README (bsc#942839) - %post and %postun added to properly update openssl.cnf (bsc#942839) - Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) - Remove dependency on fillup anf insserv; the package provides neither sysconfig file nor sysvinit script - Remove depreciated AUTHORS section - Use %configure macro - Add openssl-ibmca-configure.patch - the openssl engines moved to /%_lib/engines bnc#905480 - Forced requirement of libica-2_3_0 (bnc#890824) - openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) - openssl-pkey.patch: defer HMAC signing to pkey framework, fixes fips self-test during EC key creation (bnc#879922) - spec file cleaned up a bit - openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message digest length definition in sha256 template (bnc#868275) - update to 1.2.0 - removed patches: ibmca-configure.patch ibmca-segfault.fix.patch ibmca-sw-fix.patch openssl-ibmca-1.0.0.rc2-memset-fix.patch - make it exclusivearch for s390/s390x as the required libica is only available for s390/s390x - Made required libica-2_1_0 s390 specific - Added x86_64 to ExclusiveArch as %ix86 doesn't do it - Removed libica requirement - allowing build process to find it - Added COPYING to %files - Requiring libica 2.1.0 or greater - enable ppc64le - fix build (add autoconf automake libtool to BuildRequires) - disable libtool --finish call - own engines directory - package baselibs.conf - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - added fixes by IBM (bug #243801): ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM object ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM object openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem - updated README (bug #185508) - Fixed configure.in to build correctly - Fixed spec file - Initial version from Mike Halcrow OBS-URL: https://build.opensuse.org/request/show/962257 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=32
2022-03-16 17:58:14 +00:00 · 2022-03-16 17:58:14 +00:00 · 39c822489c
commit 39c822489c
parent 15e938deea
3 changed files with 41 additions and 42 deletions
--- a/engine_section.txt
+++ b/engine_section.txt
@ -0,0 +1 @@
+ibmca = ibmca_section
--- a/openssl-ibmca.changes
+++ b/openssl-ibmca.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Mar 15 22:00:05 UTC 2022 - Mark Post <mpost@suse.com>
+
+- Completely revamped the postinstall scriptlet so that it doesn't
+  need to know or care about how many lines are in either
+  /etc/ssl/openssl.cnf, or the sample file at
+  /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample
+  We're now using the ".include" directive for the openssl.cnf
+  file, and only modifying that file the minimum necessary to
+  implement the change. (bsc#1004463)
+
 -------------------------------------------------------------------
 Fri Sep 17 19:32:37 UTC 2021 - Mark Post <mpost@suse.com>

@ -18,7 +29,7 @@ Fri Sep 17 19:32:37 UTC 2021 - Mark Post <mpost@suse.com>
  * openssl-ibmca 2.1.2
    Bug fixes
 - Modified spec file to
-  * Define a global variable enginedir the same was as IBM does
+  * Define a global variable enginesdir the same was as IBM does
    instead of _ENGINE_DIR as we had been doing.
  * Implemented %make_build macro according to spec-cleaner
  * Changed the package description to match IBM's.
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssl-ibmca
 #
-# Copyright (c) 2018-2021 SUSE LLC
+# Copyright (c) 2018-2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -27,6 +27,7 @@ Group:          Hardware/Other
 URL:            https://github.com/opencryptoki/openssl-ibmca
 Source:         https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        baselibs.conf
+Source2:        engine_section.txt

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -61,52 +62,36 @@ sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/openssl.cnf.sample
 %make_install
 rm %{buildroot}/%{enginesdir}/ibmca.la

+# This file contains the declaration of the ibmca engine section. It
+# needs to be on the "real" file system when the postinstall scriptlet
+# is run. It will be read by the openssl .include directive that points
+# to /etc/ssl/engines.d/
+mkdir -p %{buildroot}%{_datadir}/%{name}
+cp -p %{SOURCE2} %{buildroot}%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
+
+# This will create the actual engine definition section that will be usable
+# by the .include directive of openSSL. That include will be inserted during
+# the postinstall phase of the package installation.
+grep -v "^#" src/openssl.cnf.sample | \
+    sed -n -e '/^\[ibmca_section\]/,$ p' | \
+    sed -e '/^$/ {N;N;s/\n\n/\n/g;}' | \
+    sed -e 's/^dynamic_path/#dynamic_path/' > %{buildroot}%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
+
 %post
 #Original fix for bsc#942839 was to update on first install
 #For bsc#966139 update if openssl_def not found
-SSLCNF=%{_sysconfdir}/ssl/openssl.cnf
-SSLSMP=%{_docdir}/%{name}/openssl.cnf.sample
+SSLENGCNF=%{_sysconfdir}/ssl/engines.d
+SSLENGDEF=%{_sysconfdir}/ssl/engdef.d

-if [ -f ${SSLCNF} -a -f ${SSLSMP} ]; then
-  if grep '^openssl_conf[[:space:]]*=[[:space:]]*openssl_def$' ${SSLCNF} >/dev/null 2>&1; then
-    # Config already installed. Update library path if necessary
-    SECTSTART=$(grep -n '\[ibmca_section\]' ${SSLCNF} | head -n1 | cut -d':' -f1)
-    REPLINE=""
-    if [ "z${SECTSTART}" != "z" ]; then
-      REPLINE=$((SECTSTART - 1 + $(tail -n+${SECTSTART} ${SSLCNF} | grep -n 'dynamic_path' | head -n1 | cut -d':' -f1) ))
-    fi
-    if [ "z${REPLINE}" != "z" ]; then
-      head -n$((REPLINE - 1)) ${SSLCNF} > ${SSLCNF}.temp
-      grep 'dynamic_path' ${SSLSMP} >> ${SSLCNF}.temp
-      tail -n+$((REPLINE + 1)) ${SSLCNF} >> ${SSLCNF}.temp
-      mv ${SSLCNF}.temp ${SSLCNF}
-    fi
-  else
-    CNFSZE=350 # Size in lines of original openssl.cnf
-    SMPSZE=52  # Size in lines of original sample config file
-    CNFINS=9   # Line number in openssl.cnf to insert new line
-    SMPUSE=11  # Line number in sample to copy from
-    if [ $(wc -l ${SSLCNF} | cut -d ' ' -f 1) -ne ${CNFSZE} ]; then
-      echo Original ${SSLCNF} incorrect size. Please manually update from ${SSLSMP}
-    elif [ $(wc -l ${SSLSMP} | cut -d ' ' -f 1) -ne ${SMPSZE} ]; then
-      echo Original ${SSLSMP} incorrect size. Please manually update to ${SSLCNF}
-    else
-      mv ${SSLCNF} ${SSLCNF}.orig
-      head -n ${CNFINS} ${SSLCNF}.orig > ${SSLCNF}
-      head -n ${SMPUSE} ${SSLSMP} | tail -n 1 >> ${SSLCNF}
-      tail -n $((CNFSZE - CNFINS)) ${SSLCNF}.orig >> ${SSLCNF}
-      head -n $((SMPUSE - 1)) ${SSLSMP} >> ${SSLCNF}
-      tail -n $((SMPSZE - SMPUSE)) ${SSLSMP} >> ${SSLCNF}
-    fi
-  fi
-fi
+cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt ${SSLENGCNF}/openssl-ibmca.cnf
+cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf ${SSLENGDEF}/openssl-ibmca.cnf

 %postun
-if [ $1 -eq 0 ]; then # last uninstall, modify %%{_sysconfdir}/openssl.cnf (bsc#942839)
-  SSLCNF=%{_sysconfdir}/ssl/openssl.cnf
-  if [ -f ${SSLCNF}.orig ]; then
-    mv ${SSLCNF}.orig ${SSLCNF}
-  fi
+SSLENGCNF=%{_sysconfdir}/ssl/engines.d
+SSLENGDEF=%{_sysconfdir}/ssl/engdef.d
+if [ $1 -eq 0 ]; then # last uninstall
+  rm -f ${SSLENGCNF}/openssl-ibmca.cnf
+  rm -f ${SSLENGDEF}/openssl-ibmca.cnf
 fi

 %files
@ -118,6 +103,8 @@ fi
 %doc src/openssl.cnf.libica-cex
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/openssl.cnf.*
+%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
+%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
 %{enginesdir}/ibmca.*
 %{_mandir}/man5/ibmca.5%{?ext_man}