From dcb5b26c8a7ac840741c2de137eb380e1441c546ebb7c6c42d7ebefff5ca32c2 Mon Sep 17 00:00:00 2001 From: Nikolay Gueorguiev Date: Mon, 15 Jul 2024 09:12:50 +0000 Subject: [PATCH] - Amended the .spec file (bsc#1227537) * 'rpm.install.excludedocs = yes' in zypp.conf excludes the /usr/share/doc/.. * Added a check, if there is is /usr/share/doc file to be editted. OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-ibmca?expand=0&rev=71 --- .gitattributes | 23 ++ .gitignore | 1 + _multibuild | 4 + engine_section.txt | 1 + openssl-ibmca-2.4.1.tar.gz | 3 + openssl-ibmca.changes | 484 +++++++++++++++++++++++++++++ openssl-ibmca.spec | 211 +++++++++++++ openssl1-rename-libica-files.patch | 65 ++++ 8 files changed, 792 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _multibuild create mode 100644 engine_section.txt create mode 100644 openssl-ibmca-2.4.1.tar.gz create mode 100644 openssl-ibmca.changes create mode 100644 openssl-ibmca.spec create mode 100644 openssl1-rename-libica-files.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..b71bc39 --- /dev/null +++ b/_multibuild @@ -0,0 +1,4 @@ + + engine + provider + diff --git a/engine_section.txt b/engine_section.txt new file mode 100644 index 0000000..dac1711 --- /dev/null +++ b/engine_section.txt @@ -0,0 +1 @@ +ibmca = ibmca_section diff --git a/openssl-ibmca-2.4.1.tar.gz b/openssl-ibmca-2.4.1.tar.gz new file mode 100644 index 0000000..277a2fe --- /dev/null +++ b/openssl-ibmca-2.4.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ecc41085e8b2110b3d2819a55faf0c189fb6064c51f872b963cae7a82cfa0c5 +size 215837 diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes new file mode 100644 index 0000000..744c755 --- /dev/null +++ b/openssl-ibmca.changes @@ -0,0 +1,484 @@ +------------------------------------------------------------------- +Mon Jul 15 08:18:35 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1227537) + * 'rpm.install.excludedocs = yes' in zypp.conf excludes the /usr/share/doc/.. + * Added a check, if there is is /usr/share/doc file to be editted. + +------------------------------------------------------------------- +Wed Apr 17 14:04:14 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file +- Changed the package names + +-------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +-------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | Both engine and provider | + | openssl1_1 | openssl1_1-ibmca | openssl1 flavor | + | engine | openssl-ibmca-engine | Only engine | + | provider | openssl-ibmca-provider | Only provider | + +-------------+---------------------------------+--------------------------+ + +------------------------------------------------------------------- +Wed Apr 17 08:41:08 UTC 2024 - Nikolay Gueorguiev + +- Applied a patch for openssl1_1 (bsc#1221627) + * openssl1-rename-libica-files.patch + +------------------------------------------------------------------- +Tue Apr 9 14:08:05 UTC 2024 - Nikolay Gueorguiev + +- Re-implemented flavors (openssl3, engine, provider) (bsc#1221627) + +------------+---------------------------------+--------------------------+ + | Flavor | Package name | Note | + +------------+---------------------------------+--------------------------+ + | '' | openssl-ibmca | openssl1 flavor | + | engine | openssl3-ibmca-engine | Only engine | + | provider | openssl3-ibmca-provider | Only provider | + | openssl3 | openssl3-ibmca | Both engine and provider | + +------------+---------------------------------+--------------------------+ +- Changing/editing 'dynamic_path' after the installation on the target system + * From /usr/lib64/ossl-modules to /usr/lib64/engines-3 in + /usr/share/doc/packages/openssl3-ibmca/ibmca-engine-opensslconfig + for openssl3 flavor + +------------------------------------------------------------------- +Thu Apr 4 07:02:23 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file (bsc#1221627) + * Removed the flavors + * Removed 'muiltibuild' environment + * Removed the 'provider' logic + +------------------------------------------------------------------- +Mon Mar 18 19:18:47 UTC 2024 - Nikolay Gueorguiev + +- Updated the .spec file (bsc#1218933, bsc#1221627) + * Amended the .spec file to use modulesdir variable +- Implemented _multibuild environment (openssl1, engine, provider) +- Added a flag and logic for provider in the .spec file + * When provider is set to 1, it 'configures' the provider + * When provider is set to 0, it 'configures' the engine + +------------------------------------------------------------------- +Fri Oct 13 10:39:42 UTC 2023 - Nikolay Gueorguiev + +- Removed an obsolete patch (implemented in the version 2.4.1) + * openssl-ibmca-engine-noregister.patch + +------------------------------------------------------------------- +Fri Oct 6 06:35:00 UTC 2023 - Nikolay Gueorguiev + +- Upgrade to version 2.4.1 (jsc#PED-5422) + * Provider: Change the default log directory to /tmp + * Bug fixes + +------------------------------------------------------------------- +Mon May 22 07:20:32 UTC 2023 - Nikolay Gueorguiev + +- Updated the .spec file, amended to use libica4 instead of libica + * Requires: libica4 >= 4 + +------------------------------------------------------------------- +Tue May 2 07:49:24 UTC 2023 - Nikolay Gueorguiev + +- Updated the .spec file + * uses a flag openssl3 (1 or 0) to include or not the openssl3 libraries + +------------------------------------------------------------------- +Tue Apr 25 12:47:39 UTC 2023 - Nikolay Gueorguiev + +- Updated the .spec file as follow: + * BuildRequires: libica-devel >= 4.0.0 + * BuildRequires: libica-tools >= 4.0.0 + +------------------------------------------------------------------- +Mon Apr 24 09:23:09 UTC 2023 - Nikolay Gueorguiev + +- Added dependency on libica4 (bsc#1209038) + * BuildRequires and Requires statements in .spec file for libica4 + +------------------------------------------------------------------- +Wed Apr 19 10:52:06 UTC 2023 - Nikolay Gueorguiev + +- Applies a patch (bsc#1210359) + * openssl-ibmca-engine-noregister.patch +- Updated the '#dynamic_path' line, as it was before, with the comment '#'. + +------------------------------------------------------------------- +Thu Apr 6 08:14:25 UTC 2023 - Nikolay Gueorguiev + +- Upgraded openssl-ibmca to version 2.4.0 (bsc#1210059) + * openssl-ibmca 2.4.0 + - Provider: Adjustments for OpenSSL versions 3.1 and 3.2 + - Provider: Support RSA blinding + - Provider: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding + - Provider: Support "implicit rejection" option for RSA PKCS#1 v1.5 padding + - Provider: Adjustments in OpenSSL config generator and example configs + - Engine: EC: Cache ICA key in EC_KEY object (performance improvement) + - Engine: Enable RSA blinding + +------------------------------------------------------------------- +Tue Mar 14 11:35:44 UTC 2023 - Nikolay Gueorguiev + +- Updated .spec file removed '#' from the line containing + 'sed -e 's/^dynamic_path/#dynamic_path/' (bsc#1209038) +- Added in %files + * /usr/lib64/engines-3/ibmca-provider.la + * /usr/lib64/engines-3/ibmca-provider.so + +------------------------------------------------------------------- +Tue Oct 4 19:33:57 UTC 2022 - Mark Post + +- Upgraded to version 2.3.1 (jsc#PED-597) + * openssl-ibmca 2.3.1 + - Adjustments for libica 4.1.0 + * openssl-ibmca 2.3.0 + - First version including the provider + - Fix for engine build without OpenSSL 3.0 sources + * openssl-ibmca 2.2.3 + - Fix PKEY segfault with OpenSSL 3.0 + * openssl-ibmca 2.2.2 + - Fix tests with OpenSSL 3.0 + - Build against libica 4.0 +- Removed a Requires for libica from the specfile. +- Removed the obsolete baselibs.conf file + +------------------------------------------------------------------- +Tue Mar 15 22:00:05 UTC 2022 - Mark Post + +- Completely revamped the postinstall scriptlet so that it doesn't + need to know or care about how many lines are in either + /etc/ssl/openssl.cnf, or the sample file at + /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample + We're now using the ".include" directive for the openssl.cnf + file, and only modifying that file the minimum necessary to + implement the change. (bsc#1004463) + +------------------------------------------------------------------- +Fri Sep 17 19:32:37 UTC 2021 - Mark Post + +- Upgraded to version 2.2.1 (jsc#SLE-18333) + * openssl-ibmca 2.2.1 + Bug fixes + * openssl-ibmca 2.2.0 + Implement fallbacks based on OpenSSL + Disable software fallbacks from libica + Allow to specify default library (libica vs. libica-cex) to use + Provide "libica" engine ctrl to switch library at load time + Update README.md + Remove libica link dependency + Generate sample configuration files from system configuration + Restructure registration global data + * openssl-ibmca 2.1.3 + Bug fix + * openssl-ibmca 2.1.2 + Bug fixes +- Modified spec file to + * Define a global variable enginesdir the same was as IBM does + instead of _ENGINE_DIR as we had been doing. + * Implemented %make_build macro according to spec-cleaner + * Changed the package description to match IBM's. + * Removed the redundant "autoreconf --force --install" + +------------------------------------------------------------------- +Wed Sep 16 20:06:12 UTC 2020 - Mark Post + +- Upgrade to version 2.1.1 (jsc#SLE-13709) + * Bug fixes + +------------------------------------------------------------------- +Tue Sep 10 22:22:49 UTC 2019 - Mark Post + +- Upgrade to version 2.1.0 (jsc#SLE-7852, jsc#SLE-7882) + Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 + +------------------------------------------------------------------- +Wed Aug 28 20:56:08 UTC 2019 - Mark Post + +- Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) + * openssl-ibmca 2.0.3 + Add MSA9 CPACF support for ECDSA sign/verify +- Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch +- Changed the ExclusiveArch directive to include s390x only. +- The code in e_ibmca.c does a dlopen for libica.so.3, instead of + linking against the shared library. As a result, if the package + containing libica.so.3 isn't installed, problems occur. Added + a "Requires: libica3" to the spec file to fix this. (bsc#1142286) +- Made a couple of changes to the spec file based on the output + from spec-cleaner. + +------------------------------------------------------------------- +Fri Jun 28 18:10:29 UTC 2019 - Mark Post + +- Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch + An Apache HTTP Server was set up with mod_ssl and the openssl + ibmca engine using libica and a CEX6A card. Whenever a worker + process is cleaned up a segmentation fault occurs. + (bsc#1138517) + +------------------------------------------------------------------- +Tue Nov 27 17:55:19 UTC 2018 - mpost@suse.com + +- Upgraded to version 2.0.2 (Fate#325688) + * openssl-ibmca 2.0.2 + Fix doing rsa-me, altough rsa-crt would be possible. + +------------------------------------------------------------------- +Thu Nov 15 20:17:04 UTC 2018 - mpost@suse.com + +- Upgraded to version 2.0.1 (Fate#325688) + * openssl-ibmca 2.0.1 + Dont fail when a libica symbol cannot be resolved. +- Made multiple changes to the spec file based on spec-cleaner output. + +------------------------------------------------------------------- +Wed Nov 14 20:18:07 UTC 2018 - mpost@suse.com + +- Upgraded to version 2.0.0 (Fate#325688) + * openssl-ibmca 2.0.0 + Add ECC support. + Add check and distcheck make-targets. + Project cleanup, code was broken into multiple files and coding style cleanup. + Improvements to compat macros for openssl. + Don't disable libica sw fallbacks. + Fix dlclose logic. + * openssl-ibmca 1.4.1 + Fix structure size for aes-256-ecb/cbc/cfb/ofb + Update man page + Switch to ibmca.so filename to allow standalone use + Switch off Libica fallback mode if available + Make sure ibmca_init only runs once + Provide simple macro for DEBUG_PRINTF possibility + Cleanup and slight rework of function set_supported_meths +- Did some cleanup to the spec file, based on spec-cleanup. +- Removed the following obsolete patches: + * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch + * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch + * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch + +------------------------------------------------------------------- +Fri Aug 31 19:37:39 UTC 2018 - mpost@suse.com + +- Added the following patches for bsc#1097463 + * openssl-ibmca-sles15-Switch-to-ibmca.so-filename-to-allow-a-standalone-us.patch + * openssl-ibmca-sles15-Fix-lib-name-in-test-code.patch + * openssl-ibmca-sles15-Update-lib-name-in-documentation.patch + +------------------------------------------------------------------- +Fri Sep 22 18:07:10 UTC 2017 - mpost@suse.com + +- Upgraded to version 1.4.0 + * Re-license to Apache License v2.0 + * Fix aes_gcm initialization. + * Update man page. + * Add macros for OpenSSL 0.9.8 compat. + * Remove AC_FUNC_MALLOC from configure.ac + * Add compat macro for OpenSSL 1.0.1e-fips. + * Setting 'foreign' strictness for automake. + * Add AES-GCM support. + * Rework EVP_aes macros. + * Remove dependency of old local OpenSSL headers. + * Fix engine initialization to set function pointers only once. + * Remove blank COPYING and NEWS files. + * Remove INSTALL and move its content to README.md + * Update README.md file to make use of markdown. + * Rename README file to README.md to use markdown + * Add CONTRIBUTING guidelines. + * Adding coding style documentation. + * Enable EVP_MD_FLAG_FIPS flag for SHA-*. + * Initialize rsa_keygen in RSA_METHOD for openssl < 1.1.0 + * Fix SHA512 EVP digest struct to use + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE when using OpenSSL 1.0 + * Fix wrong parenthesis + * convert libica loading to dlopen() and friends + * Add support to DSO on new API of OpenSSL-1.1.0 +- Removed obsolete openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch +- Added BuildRequires for autoconf, automake, and libtool. +- Updated BuildRequires for libica-devel to be >= 3.1.1 + +------------------------------------------------------------------- +Fri Sep 22 07:50:52 UTC 2017 - mpost@suse.com + +- Now that the openSSL engines directory is versioned: + * Modified the spec file to query the libcrypto package + for which directory to install the engine into. + * Removed openssl-ibmca-fix-enginepath.patch. Replaced it + with a sed command so that it will provide the correct + versioned engines directory +- Removed openssl-ibmca-configure.patch. It doesn't seem to + be needed any longer. + +------------------------------------------------------------------- +Tue Apr 11 15:09:03 UTC 2017 - mpost@suse.com + +- Added openssl-ibmca-fix-sha512-evp-digest-to-use-evp_md_flag_pkey_method_signature.patch (bsc#1032113) +- Added libica-tools to the BuildRequires due to repackaging of libica. +- Renamed BuildRequires from libica2-devel to libica-devel for the + same reason. +- Tweaked a comment to get rid of an rpmlint warning message. + +------------------------------------------------------------------- +Thu Oct 13 09:36:50 UTC 2016 - meissner@suse.com + +- fixed ssl configuration merging (bsc#1004463) +- openssl-ibmca-fix-enginepath.patch: fix the engine path + +------------------------------------------------------------------- +Wed Apr 6 19:07:43 UTC 2016 - mpluskal@suse.com + +- Use macro for configure (fate#319941) +- Use url for source +- Enable parallel building +- Cleanup spec file with spec-cleaner + +------------------------------------------------------------------- +Thu Mar 31 21:20:34 UTC 2016 - mpost@suse.com + +- Upgraded to version 1.3.0 (fate#319941) + - Updated openssl-ibmca-configure.patch to apply cleanly + - Removed obsolete patches + - openssl-ibmca-README.patch + - openssl-ibmca-sha256-digest-length.patch + - openssl-pkey.patch + - openssl-des-ede.patch +- Did some spec file cleanup. + +------------------------------------------------------------------- +Mon Mar 21 20:53:02 UTC 2016 - jjolly@suse.com + +- Fixed %post script to update library path (the only dynamic part + of the ibmca configuration) every time the package is installed. + (bsc#966139) + +------------------------------------------------------------------- +Tue Oct 27 06:36:06 UTC 2015 - jjolly@suse.com + +- Updated AUTHORS, INSTALL, and README (bsc#942839) +- %post and %postun added to properly update openssl.cnf (bsc#942839) + +------------------------------------------------------------------- +Tue Oct 27 03:46:00 UTC 2015 - jjolly@suse.com + +- Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) + +------------------------------------------------------------------- +Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com + +- Remove dependency on fillup anf insserv; the package provides + neither sysconfig file nor sysvinit script +- Remove depreciated AUTHORS section +- Use %configure macro +- Add openssl-ibmca-configure.patch + +------------------------------------------------------------------- +Wed Dec 3 09:22:24 UTC 2014 - meissner@suse.com + +- the openssl engines moved to /%_lib/engines bnc#905480 + +------------------------------------------------------------------- +Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com + +- Forced requirement of libica-2_3_0 (bnc#890824) + +------------------------------------------------------------------- +Thu Jun 26 07:35:34 UTC 2014 - meissner@suse.com + +- openssl-des-ede.patch: fixed a crash during benchmark (bnc#879922) +- openssl-pkey.patch: defer HMAC signing to pkey framework, fixes + fips self-test during EC key creation (bnc#879922) +- spec file cleaned up a bit + +------------------------------------------------------------------- +Tue Mar 18 12:33:49 UTC 2014 - jjolly@suse.com + +- openssl-ibmca-sha256-digest-length.patch: SHA256: Fixed message + digest length definition in sha256 template (bnc#868275) + +------------------------------------------------------------------- +Wed Mar 5 18:51:25 CET 2014 - ro@suse.de + +- update to 1.2.0 +- removed patches: + ibmca-configure.patch + ibmca-segfault.fix.patch + ibmca-sw-fix.patch + openssl-ibmca-1.0.0.rc2-memset-fix.patch +- make it exclusivearch for s390/s390x as the required libica + is only available for s390/s390x + +------------------------------------------------------------------- +Wed Feb 19 14:02:44 UTC 2014 - jjolly@suse.com + +- Made required libica-2_1_0 s390 specific +- Added x86_64 to ExclusiveArch as %ix86 doesn't do it +- Removed libica requirement - allowing build process to find it + +------------------------------------------------------------------- +Wed Feb 19 06:10:42 UTC 2014 - jjolly@suse.com + +- Added COPYING to %files + +------------------------------------------------------------------- +Tue Feb 18 14:47:27 UTC 2014 - jjolly@suse.com + +- Requiring libica 2.1.0 or greater + +------------------------------------------------------------------- +Tue Dec 10 20:55:24 UTC 2013 - dvaleev@suse.com + +- enable ppc64le + +------------------------------------------------------------------- +Fri Mar 23 11:27:45 UTC 2012 - dvaleev@suse.com + +- fix build (add autoconf automake libtool to BuildRequires) + +------------------------------------------------------------------- +Thu Mar 24 17:19:11 UTC 2011 - coolo@novell.com + +- disable libtool --finish call + +------------------------------------------------------------------- +Fri Dec 17 10:56:05 UTC 2010 - coolo@novell.com + +- own engines directory + +------------------------------------------------------------------- +Mon Feb 1 12:13:29 UTC 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Tue Feb 13 12:51:00 CET 2007 - uli@suse.de + +- added fixes by IBM (bug #243801): + ibmca-segfault.fix: rewrite ibmca_mod_expto remove improper use of BIGNUM + object + ibmca-sw-fix: rewrite ibmca_mod_exp_crtto remove improper use of BIGNUM + object + openssl-ibmca-1.0.0.rc2-memset-fix.patch: fix memory initialization problem + +------------------------------------------------------------------- +Mon Jun 19 17:22:37 CEST 2006 - uli@suse.de + +- updated README (bug #185508) + +------------------------------------------------------------------- +Tue Mar 28 14:27:32 CEST 2006 - hare@suse.de + +- Fixed configure.in to build correctly +- Fixed spec file +- Initial version from Mike Halcrow + diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec new file mode 100644 index 0000000..0208754 --- /dev/null +++ b/openssl-ibmca.spec @@ -0,0 +1,211 @@ +# +# spec file for package openssl-ibmca +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) +%global modulesdir %(pkg-config --variable=modulesdir libcrypto) + +%global sslengcnf %{_sysconfdir}/ssl/engines3.d +%global sslengdef %{_sysconfdir}/ssl/engdef3.d + +%define flavor @BUILD_FLAVOR@%{nil} + +%if "%{flavor}" == "" +Name: openssl-ibmca +%endif + +%if "%{flavor}" == "engine" +Name: openssl-ibmca-engine +%endif + +%if "%{flavor}" == "provider" +Name: openssl-ibmca-provider +%endif + +%if "%{flavor}" == "openssl1_1" +%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d +%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d +Name: openssl1_1-ibmca +%endif + +Version: 2.4.1 +Release: 0 +Summary: The IBMCA OpenSSL dynamic engine +License: Apache-2.0 +Group: Hardware/Other +URL: https://github.com/opencryptoki/openssl-ibmca +Source: https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz +Source1: engine_section.txt +Source2: _multibuild +### +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +### +%if "%{flavor}" != "openssl1_1" +BuildRequires: libica-devel >= 4.0.0 +BuildRequires: libica-tools >= 4.0.0 +BuildRequires: libopenssl-3-devel +BuildRequires: libopenssl3 +Requires: libica4 >= 4.0.0 +Requires: libopenssl3 +%else +BuildRequires: libica-openssl1_1-devel +BuildRequires: libica-openssl1_1-tools +BuildRequires: libopenssl-1_1-devel +BuildRequires: libopenssl1_1 +BuildRequires: openssl +Requires: libica4-openssl1_1 +Requires: libopenssl1_1 +%endif +### +ExclusiveArch: s390x + +%if "%{flavor}" == "openssl1_1" +Patch001: openssl1-rename-libica-files.patch +%endif + +%description +This package contains a shared object OpenSSL dynamic engine which interfaces +to libica, a library enabling the IBM s390/x CPACF crypto instructions. + +%prep +%autosetup -p1 -n openssl-ibmca-%{version} + ./bootstrap.sh + +%build +export CFLAGS="%{optflags}" +export CPPFLAGS="%{optflags}" + +%if "%{flavor}" == "" +%configure \ + --libdir=%{modulesdir} + mkdir -p %{buildroot}/%{enginesdir} +%endif + +%if "%{flavor}" == "engine" +%configure \ + --disable-provider \ + --libdir=%{enginesdir} +%endif + +%if "%{flavor}" == "provider" +%configure \ + --disable-engine \ + --libdir=%{modulesdir} +%endif + +%if "%{flavor}" == "openssl1_1" +%configure \ + --libdir=%{enginesdir} +%endif + +%make_build + +%install +# Update the sample config file so that the dynamic path points +# to the correct version of the engines directory. +%if "%{flavor}" != "provider" +sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample +%endif + +%make_install + +%if "%{flavor}" == "openssl1_1" +rm -f %{buildroot}/%{enginesdir}/ibmca-provider.* +%endif + +%if "%{flavor}" == "" +mkdir -p %{buildroot}/%{enginesdir} +mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/ +%endif + +rm -f %{buildroot}/%{enginesdir}/ibmca*.la +rm -f %{buildroot}/%{modulesdir}/ibmca*.la + +# This file contains the declaration of the ibmca engine section. It +# needs to be on the "real" file system when the postinstall scriptlet +# is run. It will be read by the openssl .include directive that points +# to /etc/ssl/engines.d/ +mkdir -p %{buildroot}%{_datadir}/%{name} +cp -p %{SOURCE1} %{buildroot}%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt + +# This will create the actual engine definition section that will be usable +# by the .include directive of openSSL. That include will be inserted during +# the postinstall phase of the package installation. +grep -v "^#" src/engine/openssl.cnf.sample | \ + sed -n -e '/^\[ibmca_section\]/,$ p' | \ + sed -e '/^$/ {N;N;s/\n\n/\n/g;}' | \ + sed -e 's/^dynamic_path/#dynamic_path/' > %{buildroot}%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf + +%post +#Original fix for bsc#942839 was to update on first install +#For bsc#966139 update if openssl_def not found + +mkdir -p %{sslengcnf} +mkdir -p %{sslengdef} +cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf +cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf + +%if "%{flavor}" == "" +if [ -f "/usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig" ]; then + cp -p /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig + sed -e 's/ossl-modules/engines-3/' /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig + rm /usr/share/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig +fi +%endif + +%postun +if [ $1 -eq 0 ]; then # last uninstall + rm -f %{sslengcnf}/openssl-ibmca.cnf + rm -f %{sslengdef}/openssl-ibmca.cnf +fi + +%files +%license LICENSE +%doc ChangeLog +%doc README.md +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt +%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf +%if "%{flavor}" == "" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/provider/ibmca-provider-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca.5%{?ext_man} + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "provider" + %doc src/provider/ibmca-provider-opensslconfig + %{modulesdir}/ibmca-provider.* + %{_mandir}/man5/ibmca-provider.5%{?ext_man} +%endif +%if "%{flavor}" == "engine" + %doc src/engine/ibmca-engine-opensslconfig + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{_mandir}/man5/ibmca.5%{?ext_man} +%endif +%if "%{flavor}" == "openssl1_1" + %doc src/engine/openssl.cnf.sample + %{enginesdir}/ibmca.* + %{_mandir}/man5/ibmca.5%{?ext_man} +%endif + +%changelog diff --git a/openssl1-rename-libica-files.patch b/openssl1-rename-libica-files.patch new file mode 100644 index 0000000..ba42cb6 --- /dev/null +++ b/openssl1-rename-libica-files.patch @@ -0,0 +1,65 @@ +--- openssl-ibmca-2.4.1/configure.ac 2023-09-21 08:52:43.000000000 +0200 ++++ changed/configure.ac 2024-04-17 10:13:02.267582864 +0200 +@@ -69,7 +69,7 @@ + # Checks for header files. + AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ + string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) +-AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***])) ++AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***])) + + + # Checks for typedefs, structures, and compiler characteristics. +@@ -81,15 +81,15 @@ + # Checks for library functions. + AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) + AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [], +- AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]), ++ AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]), + [#include ]) + AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION], + [openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"], + [#include ]) + AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes]) + +-AC_ARG_WITH([libica-cex], +- [AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])], ++AC_ARG_WITH([libica-openssl1_1-cex], ++ [AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])], + [usecexonly=${withval}], + []) + +@@ -99,11 +99,11 @@ + [libicaversion=4]) + + if test "x$usecexonly" = xyes; then +- defaultlib="libica-cex.so.$libicaversion" +- ica="ica-cex" ++ defaultlib="libica-openssl1_1-cex.so.$libicaversion" ++ ica="ica-openssl1_1-cex" + else +- defaultlib="libica.so.$libicaversion" +- ica="ica" ++ defaultlib="libica-openssl1_1.so.$libicaversion" ++ ica="ica-openssl1_1" + fi + # In cex-only mode, testing the ciphers does not make any sense since + # they will fall back to OpenSSL without the engine. So remove these +@@ -135,7 +135,7 @@ + + + AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"]) +-AC_SUBST([ICA],["$ica"]) ++AC_SUBST([ICA],["$ica-openssl1_1"]) + + AC_CHECK_PROG([openssl_var],[openssl],[yes],[no]) + if test "x$openssl_var" != xyes; then +@@ -169,7 +169,7 @@ + echo " default library: $defaultlib" + echo "IBMCA provider: $enable_provider" + if test "x$useproviderfulllibica" = xyes; then +- echo " libica library: libica" ++ echo " libica library: libica-openssl1_1" + else +- echo " libica library: libica-cex" ++ echo " libica library: libica-openssl1_1-cex" + fi