From e49ce5035474f726e14f04c4d34b836f74512c58809f49dff83344f345648949 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Thu, 28 Apr 2016 14:54:31 +0000 Subject: [PATCH] Accepting request 390328 from security 1 OBS-URL: https://build.opensuse.org/request/show/390328 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=24 --- openssl-des-ede.patch | 68 ---------------- openssl-ibmca-1.2.0.tar.gz | 3 - openssl-ibmca-1.3.0.tar.bz2 | 3 + openssl-ibmca-README.patch | 65 ---------------- openssl-ibmca-configure.patch | 20 ++--- openssl-ibmca-sha256-digest-length.patch | 22 ------ openssl-ibmca.changes | 43 ++++++++++ openssl-ibmca.spec | 99 ++++++++++++++++-------- openssl-pkey.patch | 31 -------- 9 files changed, 124 insertions(+), 230 deletions(-) delete mode 100644 openssl-des-ede.patch delete mode 100644 openssl-ibmca-1.2.0.tar.gz create mode 100644 openssl-ibmca-1.3.0.tar.bz2 delete mode 100644 openssl-ibmca-README.patch delete mode 100644 openssl-ibmca-sha256-digest-length.patch delete mode 100644 openssl-pkey.patch diff --git a/openssl-des-ede.patch b/openssl-des-ede.patch deleted file mode 100644 index a0e090b..0000000 --- a/openssl-des-ede.patch +++ /dev/null @@ -1,68 +0,0 @@ -commit 83b8ed7b25c809fa36ec86d7041a6350dc516606 -Author: Joy Latten -Date: Wed Mar 19 15:57:10 2014 -0500 - - openssl-ibmca: openssl speed -engine ibmca -evp des-ede3-ofb segfaults - - 
Signed-off-by: Joy Latten - -diff --git a/e_ibmca.c b/e_ibmca.c -index b1ad975..0acbe5f 100644 ---- a/e_ibmca.c -+++ b/e_ibmca.c -@@ -883,8 +883,7 @@ typedef unsigned int (*ica_sha256_t)(unsigned int, unsigned int, unsigned char * - sha256_context_t *, unsigned char *); - typedef unsigned int (*ica_des_ofb_t)(const unsigned char *in_data, unsigned char *out_data, - unsigned long data_length, const unsigned char *key, -- unsigned int key_length, unsigned char *iv, -- unsigned int direction); -+ unsigned char *iv, unsigned int direction); - typedef unsigned int (*ica_des_cfb_t)(const unsigned char *in_data, unsigned char *out_data, - unsigned long data_length, const unsigned char *key, - unsigned char *iv, unsigned int lcfb, -@@ -894,8 +893,7 @@ typedef unsigned int (*ica_3des_cfb_t)(const unsigned char *, unsigned char *, - unsigned int, unsigned int); - typedef unsigned int (*ica_3des_ofb_t)(const unsigned char *in_data, unsigned char *out_data, - unsigned long data_length, const unsigned char *key, -- unsigned int key_length, unsigned char *iv, -- unsigned int direction); -+ unsigned char *iv, unsigned int direction); - typedef unsigned int (*ica_aes_ofb_t)(const unsigned char *in_data, unsigned char *out_data, - unsigned long data_length, const unsigned char *key, - unsigned int key_length, unsigned char *iv, -@@ -1197,7 +1195,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, - rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv, - 8, ICA_ENCRYPT); - } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { -- rv = p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv, -+ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv, - ICA_ENCRYPT); - } else { - rv = p_ica_des_encrypt(mode, len, (unsigned char *)in, -@@ -1223,7 +1221,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, - rv = p_ica_des_cfb(in, out, len, pCtx->key, ctx->iv, - 8, ICA_DECRYPT); - } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { -- rv = 
p_ica_des_ofb(in, out, len, pCtx->key, 8, ctx->iv, -+ rv = p_ica_des_ofb(in, out, len, pCtx->key, ctx->iv, - ICA_DECRYPT); - } else { - /* Protect against decrypt in place */ -@@ -1279,7 +1277,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, - ctx->iv, 8, ICA_ENCRYPT); - } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { - rv = p_ica_3des_ofb(in, out, len, pCtx->key, -- 8, ctx->iv, ICA_ENCRYPT); -+ ctx->iv, ICA_ENCRYPT); - } else { - rv = p_ica_3des_encrypt(mode, len, (unsigned char *)in, - (ica_des_vector_t *) ctx->iv, -@@ -1305,7 +1303,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, - ctx->iv, 8, ICA_DECRYPT); - } else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) { - rv = p_ica_3des_ofb(in, out, len, pCtx->key, -- 8, ctx->iv, ICA_DECRYPT); -+ ctx->iv, ICA_DECRYPT); - } else { - /* Protect against decrypt in place */ - /* FIXME: Again, check if EVP_CIPHER_CTX_iv_length() should be used */ diff --git a/openssl-ibmca-1.2.0.tar.gz b/openssl-ibmca-1.2.0.tar.gz deleted file mode 100644 index c7ed8be..0000000 --- a/openssl-ibmca-1.2.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d36363798e69e19b203126106f0e3f1a08626f96523994dd3c06adfe9c6d27ad -size 26525 diff --git a/openssl-ibmca-1.3.0.tar.bz2 b/openssl-ibmca-1.3.0.tar.bz2 new file mode 100644 index 0000000..a2e0eb4 --- /dev/null +++ b/openssl-ibmca-1.3.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cdc5387ab229cf3d74b88fd17b60562c8f76f57dfe70514a35ef243791bcdfb0 +size 274900 diff --git a/openssl-ibmca-README.patch b/openssl-ibmca-README.patch deleted file mode 100644 index c3a6c3f..0000000 --- a/openssl-ibmca-README.patch +++ /dev/null 
@@ -1,65 +0,0 @@ ---- README -+++ README -@@ -7,45 +7,28 @@ - - ABOUT - --This package contains the dynamic IBMCA engine. -+This package contains the dynamic IBMCA engine. Note that, as of -+OpenSSL version 0.9.8, the IBMCA engine is shipped as a dynamic engine -+in a separate RPM. - - BUILDING - - Requirements: OpenSSL 0.9.8, libICA - -- By default, the build will assume that you have a custom openssl installed --in /usr/local/ssl. -- -- $ configure [--enable-debug] [--with-openssl=/path/to/custom/openssl] \ -- [--with-engines-dir=/path/to/openssl/engines/directory] -- $ make -- # make install -- --Included in this package is a sample openssl.cnf file (openssl.cnf.sample), --which can be used to turn on use of the IBMCA engine in apps where OpenSSL --config support is compiled in. In order to enable the IBMCA engine, the --content from this file should be concatenated to the existing openssl.cnf file --on the host. -- --During the build process, the path to the engines/ directory is substituted in --for the dynamic_path parameter in the ibmca section. By default, this path to --the engines/ directory is relative to the OpenSSL installation target. With no --parameters passed to the ./configure script, this target is /usr/local/ssl, --and so the default entry in the sample openssl.cnf file is: -- --dynamic_path = /usr/local/ssl/lib/engines/libibmca.so -- --If OpenSSL is installed to a different location, then the --with-openssl= --option should be passed to the ./configure script. For instance, if ----with-openssl=/usr is given, then the entry in the sample openssl.cnf file --is: -+Included in this package is a sample openssl.cnf file -+(openssl.cnf.sample), which can be used to enable use of the IBMCA -+engine in apps where OpenSSL config support is compiled in. In order -+to enable the IBMCA engine, the content from this file should be -+concatenated to the existing openssl.cnf file on the host. 
-+ -+The path to the engines/ directory is /usr/lib/engines; the dynamic -+path to the IBMCA engine for 32-bit binary RPM installations should -+be: - - dynamic_path = /usr/lib/engines/libibmca.so - --If the OpenSSL engines directory is located elsewhere, then that location must --be specified in the --with-engines-dir= option. For instance, if the engines/ --directory is under /usr/lib64, then the ./configure script will need the --option --with-engines-dir=/usr/lib64/engines, which will produce this entry in --the sample openssl.cnf file: -+The dynamic path to the IBMCA engine for 64-bit binary RPM -+installations should be: -+ -+dynamic_path = /usr/lib64/engines/libibmca.so - --dynamic_path = /usr/lib64/engines/libibmca.so -\ No newline at end of file diff --git a/openssl-ibmca-configure.patch b/openssl-ibmca-configure.patch index 4edc828..e66be30 100644 --- a/openssl-ibmca-configure.patch +++ b/openssl-ibmca-configure.patch @@ -1,11 +1,11 @@ ---- configure.in -+++ configure.in -@@ -28,7 +28,7 @@ - # libica is dlopened, so do not add it to LIBS - save_LIBS=$LIBS - AC_CHECK_LIB(ica, ica_open_adapter, [], \ -- AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl]) -+ AC_MSG_ERROR([*** libica-2.x library not found]), [-lssl -lrt -lcrypto -lpthread]) - LIBS=$save_LIBS +--- configure 2016-03-31 18:07:02.238114067 -0400 ++++ configure 2016-03-31 18:09:16.168114067 -0400 +@@ -11511,7 +11511,7 @@ + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +-LIBS="-lica $LIBS" ++LIBS="-lica -lpthread $LIBS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ - # OpenSSL location diff --git a/openssl-ibmca-sha256-digest-length.patch b/openssl-ibmca-sha256-digest-length.patch deleted file mode 100644 index cb5cf8c..0000000 --- a/openssl-ibmca-sha256-digest-length.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -commit f204aca935dfe45b736e9fb8f822c9e79ec9747c -Author: Ingo Tuchscherer -Date: Fri Mar 7 10:35:33 2014 +0100 - - SHA256: Fixed message digest length definition in sha256 template - - Signed-off-by: Ingo Tuchscherer - Acked-by: John Jolly - -diff --git a/e_ibmca.c b/e_ibmca.c -index 94c44a4..f3fad35 100644 ---- a/e_ibmca.c -+++ b/e_ibmca.c -@@ -727,7 +727,7 @@ static const EVP_MD ibmca_sha1 = { - static const EVP_MD ibmca_sha256 = { - NID_sha256, - NID_sha256WithRSAEncryption, -- SHA_HASH_LENGTH, -+ SHA256_HASH_LENGTH, - 0, - ibmca_sha256_init, - ibmca_sha256_update, diff --git a/openssl-ibmca.changes b/openssl-ibmca.changes index e2114e1..98a3c1e 100644 --- a/openssl-ibmca.changes +++ b/openssl-ibmca.changes 
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Wed Apr 6 19:07:43 UTC 2016 - mpluskal@suse.com + +- Use macro for configure +- Use url for source +- Enable parallel building +- Cleanup spec file with spec-cleaner + +------------------------------------------------------------------- +Thu Mar 31 21:20:34 UTC 2016 - mpost@suse.com + +- Upgraded to version 1.3.0 (fate#319941) + - Updated openssl-ibmca-configure.patch to apply cleanly + - Removed obsolete patches + - openssl-ibmca-README.patch + - openssl-ibmca-sha256-digest-length.patch + - openssl-pkey.patch + - openssl-des-ede.patch +- Did some spec file cleanup. + +------------------------------------------------------------------- +Mon Mar 21 20:53:02 UTC 2016 - jjolly@suse.com + +- Fixed %post script to update library path (the only dynamic part + of the ibmca configuration) every time the package is installed. + (bsc#966139) + +------------------------------------------------------------------- +Tue Oct 27 06:36:06 UTC 2015 - jjolly@suse.com + +- Updated AUTHORS, INSTALL, and README (bsc#942839) +- %post and %postun added to properly update openssl.cnf (bsc#942839) + +------------------------------------------------------------------- +Tue Oct 27 03:46:00 UTC 2015 - jjolly@suse.com + +- Updated to used libica2 == v2.4.2 for SLE12-SP1 (bsc#951138) + ------------------------------------------------------------------- Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com @@ -7,6 +45,11 @@ Sun Mar 8 17:15:03 UTC 2015 - p.drouand@gmail.com - Use %configure macro - Add openssl-ibmca-configure.patch +------------------------------------------------------------------- +Wed Dec 3 09:22:24 UTC 2014 - meissner@suse.com + +- the openssl engines moved to /%_lib/engines bnc#905480 + ------------------------------------------------------------------- Thu Aug 14 13:03:44 UTC 2014 - jjolly@suse.com diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 7764d31..ae3a677 100644 
--- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -1,7 +1,7 @@ # # spec file for package openssl-ibmca # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,29 +17,21 @@ Name: openssl-ibmca -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libica-2_3_0-devel -BuildRequires: libtool -BuildRequires: openssl-devel +Version: 1.3.0 +Release: 0 Summary: The IBMCA OpenSSL dynamic engine License: IPL-1.0 Group: Hardware/Other -Version: 1.2.0 -Release: 0 -Source: openssl-ibmca-1.2.0.tar.gz -Source2: baselibs.conf -Patch1: openssl-ibmca-README.patch -Patch2: openssl-ibmca-configure.patch -Patch3: openssl-ibmca-sha256-digest-length.patch -Patch4: openssl-pkey.patch -Patch5: openssl-des-ede.patch Url: http://sourceforge.net/projects/opencryptoki -BuildRoot: %{_tmppath}/%{name}-%{version}-build -Requires: libica-2_3_0 +Source: http://sourceforge.net/projects/opencryptoki/files/libica%%20OpenSSL%%20Engine/ibmca-%{version}/openssl-ibmca-%{version}.tar.bz2 +Source1: baselibs.conf +Patch1: openssl-ibmca-configure.patch +BuildRequires: libica2-devel >= 2.4.0 +BuildRequires: openssl-devel +Requires: libica2 >= 2.4.0 Requires: openssl +BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: s390 s390x -# %description This package contains a shared object OpenSSL dynamic engine for the 
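Review bot: The new `Source:` line points at the 1.3.0 tarball over plain `http://sourceforge.net/...`, and this hunk adds no signature or keyring source alongside it, so any step that re-downloads the URL to validate the package has no authenticated channel for the source of a crypto engine. If the host serves it, use the `https://` form of the same URL, and if upstream publishes detached signatures, add one as a further `Source` entry. The commit does record the stored tarball by its git-lfs `oid sha256`, which covers the checked-in file but not a later re-fetch. Separately, the dependency moves from the exact `libica-2_3_0` package to `libica2 >= 2.4.0`; a one-line comment saying why 2.4.0 is the floor would help the next version update.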
@@ -48,26 +40,71 @@ IBM eServer Cryptographic Accelerator (ICA). %prep %setup -q %patch1 -%patch2 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 %build -autoreconf --force --install -%configure --with-engines-dir=%_libdir/engines --libdir=%_libdir/engines -make +export CFLAGS="%{optflags}" +export CPPFLAGS="%{optflags}" +%configure \ + --libdir=/%{_lib}/engines +make %{?_smp_mflags} %install -%makeinstall -#(cd $RPM_BUILD_ROOT; libtool --finish ./%_libdir/engines) -rm ${RPM_BUILD_ROOT}%{_libdir}/engines/libibmca.la +make %{?_smp_mflags} DESTDIR=%{buildroot} install +rm %{buildroot}/%{_lib}/engines/libibmca.la + +%post +#Original fix for bsc#942839 was to update on first install +#For bsc#966139 update if openssl_def not found +SSLCNF=%{_sysconfdir}/ssl/openssl.cnf +SSLSMP=%{_docdir}/${name}/openssl.cnf.sample + +if [ -f ${SSLCNF} -a -f ${SSLSMP} ]; then + if grep '^openssl_conf[[:space:]]*=[[:space:]]*openssl_def$' ${SSLCNF} >/dev/null 2>&1; then + # Config already installed. Update library path if necessary + SECTSTART=$(grep -n '\[ibmca_section\]' ${SSLCNF} | head -n1 | cut -d':' -f1) + REPLINE="" + if [ "z${SECTSTART}" != "z" ]; then + REPLINE=$((SECTSTART - 1 + $(tail -n+${SECTSTART} ${SSLCNF} | grep -n 'dynamic_path' | head -n1 | cut -d':' -f1) )) + fi + if [ "z${REPLINE}" != "z" ]; then + head -n$((REPLINE - 1)) ${SSLCNF} > ${SSLCNF}.temp + grep 'dynamic_path' ${SSLSMP} >> ${SSLCNF}.temp + tail -n+$((REPLINE + 1)) ${SSLCNF} >> ${SSLCNF}.temp + mv ${SSLCNF}.temp ${SSLCNF} + fi + else + CNFSZE=350 # Size in lines of original openssl.cnf + SMPSZE=46 # Size in lines of original sample config file + CNFINS=9 # Line number in openssl.cnf to insert new line + SMPUSE=11 # Line number in sample to copy from + if [ $(wc -l ${SSLCNF} | cut -d ' ' -f 1) -ne ${CNFSZE} ]; then + echo Original ${SSLCNF} incorrect size. Please manually update from ${SSLSMP} + elif [ $(wc -l ${SSLSMP} | cut -d ' ' -f 1) -ne ${SMPSZE} ]; then + echo Original ${SSLSMP} incorrect size. 
Please manually update to ${SSLCNF} + else + mv ${SSLCNF} ${SSLCNF}.orig + head -n ${CNFINS} ${SSLCNF}.orig > ${SSLCNF} + head -n ${SMPUSE} ${SSLSMP} | tail -n 1 >> ${SSLCNF} + tail -n $((CNFSZE - CNFINS)) ${SSLCNF}.orig >> ${SSLCNF} + head -n $((SMPUSE - 1)) ${SSLSMP} >> ${SSLCNF} + tail -n $((SMPSZE - SMPUSE)) ${SSLSMP} >> ${SSLCNF} + fi + fi +fi + +%postun +if [ $1 -eq 0 ]; then #last uninstall, modify %{_sysconfdir}/openssl.cnf (bsc#942839) + SSLCNF=%{_sysconfdir}/ssl/openssl.cnf + if [ -f ${SSLCNF}.orig ]; then + mv ${SSLCNF}.orig ${SSLCNF} + fi +fi %files %defattr(-, root, root) %doc README COPYING -%doc openssl.cnf.sample -%dir %{_libdir}/engines -%{_libdir}/engines/libibmca.* +%doc src/openssl.cnf.sample +/%{_lib}/engines/libibmca.* +%{_mandir}/man5/ibmca.5%{ext_man} %changelog diff --git a/openssl-pkey.patch b/openssl-pkey.patch deleted file mode 100644 index 1cc5976..0000000 --- a/openssl-pkey.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 6cdca2c3d655ef19d022fb3d8bcbf63491b79db2 -Author: Joy Latten -Date: Wed Mar 19 12:50:14 2014 -0500 - - Add flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE to EVP_MD so that signing method - comes from key type. - - Signed-off-by: Joy Latten - -diff --git a/e_ibmca.c b/e_ibmca.c -index f3fad35..9353470 100644 ---- a/e_ibmca.c -+++ b/e_ibmca.c -@@ -711,7 +711,7 @@ static const EVP_MD ibmca_sha1 = { - NID_sha1, - NID_sha1WithRSAEncryption, - SHA_HASH_LENGTH, -- 0, -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE, - ibmca_sha1_init, - ibmca_sha1_update, - ibmca_sha1_final, -@@ -728,7 +728,7 @@ static const EVP_MD ibmca_sha256 = { - NID_sha256, - NID_sha256WithRSAEncryption, - SHA256_HASH_LENGTH, -- 0, -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE, - ibmca_sha256_init, - ibmca_sha256_update, - ibmca_sha256_final,
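Review bot: In the added `%post` scriptlet, `SSLSMP=%{_docdir}/${name}/openssl.cnf.sample` uses the shell variable `${name}` where the RPM macro `%{name}` appears to be intended. Unless `name` happens to be set in the scriptlet environment, the sample path will not exist, the `-f ${SSLSMP}` test fails and the whole openssl.cnf update is silently skipped, so the line should read `SSLSMP=%{_docdir}/%{name}/openssl.cnf.sample`. The rewrite itself edits the system-wide OpenSSL configuration without checking any `head`/`grep`/`tail` step before `mv ${SSLCNF}.temp ${SSLCNF}`, and the first-install branch moves the live file to `.orig` and rebuilds it from fixed line counts, so a failure midway can leave a truncated config. The replacement is also a newly created file, so the original's mode and ownership are presumably not carried over. `%postun` then restores `${SSLCNF}.orig` whenever it exists, which discards any changes an administrator made to openssl.cnf after installation; chaining the steps with `&&` before the final `mv` and adding a comment stating the assumed 350-line and 46-line file layouts would make these failure modes explicit.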