Accepting request 1296164 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1296164
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=59

_multibuild

@@ -1,4 +0,0 @@
-<multibuild>
-  <flavor>engine</flavor>
-  <flavor>provider</flavor>
-</multibuild>

engine_section.txt

@@ -1 +0,0 @@
-ibmca = ibmca_section

openssl-ibmca-2.5.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5903c029ef3fc98e17e4209450df554819ceee548b3a6eeb6d55983a1d55843c
+size 225937

openssl-ibmca.changes

@@ -1,3 +1,72 @@
+-------------------------------------------------------------------
+Mon Jul 28 06:30:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (bsc#1246931)
+  * removed obsolete engine-related content(files), IBMCA engine is deprecated
+  * removed sub-packages
+    - openssl-ibmca-engine
+    - openssl-ibmca-provider
+- Removed multibuild and sources:
+  * Source1:        engine_section.txt
+  * Source2:        _multibuild
+
+-------------------------------------------------------------------
+Wed Apr 23 08:33:06 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openssl-ibmca to version 2.5.0
+  * Provider: Add support for OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ on import
+  * Provider: Add support for SignMessage and VerifyMessage API for ECDSA and RSA
+  * Provider: Allow the DHKEM-IKM option for EC keygen, but use fallback provider
+  * Provider: Allow ECDSA deterministic signatures, but use fallback
+  * Engine: Enable external AES-GCM IV when libica is in FIPS mode
+  * Bug fixes   
+- Removed obsolete patches
+  * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
+  * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
+  * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
+  * openssl-ibmca-04-engine-Fix-compile-error.patch
+  * openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
+  * openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
+  * openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
+  * openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
+
+-------------------------------------------------------------------
+Wed Feb 19 13:25:55 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied additonal patches(bsc#1237344)
+  * openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
+  * openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
+
+-------------------------------------------------------------------
+Wed Feb  5 10:28:31 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied additional patch (bsc#1236770)
+ * openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
+   for Provider: Fix segfault with 'openssl list  -signature-algorithms -verbose'
+
+-------------------------------------------------------------------
+Tue Feb  4 09:00:25 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1236770) 
+  * openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch 
+    for openssl list -key-managers -verbose causes core dump
+
+-------------------------------------------------------------------
+Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Adapted the openssl-ibmca package for the openssl-1_1 removal(bsc#1232570)
+- Removed obsolete patch
+  * openssl1-rename-libica-files.patch
+
+-------------------------------------------------------------------
+Tue Oct 29 11:08:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied patches(jsc#PED-10292)
+  * openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-is-in-FIPS-mode.patch
+  * openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
+  * openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
+  * openssl-ibmca-04-engine-Fix-compile-error.patch 
+
 -------------------------------------------------------------------
 Tue Jul 16 06:11:44 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 

openssl-ibmca.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-ibmca
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,72 +16,33 @@
 #
 
 
-%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
 %global modulesdir %(pkg-config --variable=modulesdir libcrypto)
 
-%global sslengcnf %{_sysconfdir}/ssl/engines3.d
-%global sslengdef %{_sysconfdir}/ssl/engdef3.d
-
-%define         flavor  @BUILD_FLAVOR@%{nil}
-
-%if "%{flavor}" == ""
 Name:           openssl-ibmca
-%endif
-
-%if "%{flavor}" == "engine"
-Name:           openssl-ibmca-engine
-%endif
-
-%if "%{flavor}" == "provider"
-Name:           openssl-ibmca-provider
-%endif
-
-%if "%{flavor}" == "openssl1_1"
-%global sslengcnf %{_sysconfdir}/ssl/engines1.1.d
-%global sslengdef %{_sysconfdir}/ssl/engdef1.1.d
-Name:           openssl1_1-ibmca
-%endif
-
-Version:        2.4.1
+Version:        2.5.0
 Release:        0
-Summary:        The IBMCA OpenSSL dynamic engine
+Summary:        OpenSSL engine and provider for libica
 License:        Apache-2.0
 Group:          Hardware/Other
 URL:            https://github.com/opencryptoki/openssl-ibmca
 Source:         https://github.com/opencryptoki/openssl-ibmca/archive/v%{version}.tar.gz#/openssl-ibmca-%{version}.tar.gz
-Source1:        engine_section.txt
-Source2:        _multibuild
 ###
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
 ###
-%if "%{flavor}" != "openssl1_1"
 BuildRequires:  libica-devel >= 4.0.0
 BuildRequires:  libica-tools >= 4.0.0
 BuildRequires:  libopenssl-3-devel
 BuildRequires:  libopenssl3
 Requires:       libica4 >= 4.0.0
 Requires:       libopenssl3
-%else
-BuildRequires:  libica-openssl1_1-devel
-BuildRequires:  libica-openssl1_1-tools
-BuildRequires:  libopenssl-1_1-devel
-BuildRequires:  libopenssl1_1
-BuildRequires:  openssl
-Requires:       libica4-openssl1_1
-Requires:       libopenssl1_1
-%endif
 ###
 ExclusiveArch:  s390x
-
-%if "%{flavor}" == "openssl1_1"
-Patch001:       openssl1-rename-libica-files.patch
-%endif
+###
 
 %description
-This package contains a shared object OpenSSL dynamic engine which interfaces
-to libica, a library enabling the IBM s390/x CPACF crypto instructions.
+OpenSSL engine and provider that uses the libica library under s390x to accelerate cryptographic operations
 
 %prep
 %autosetup -p1 -n openssl-ibmca-%{version}
@@ -91,121 +52,26 @@ to libica, a library enabling the IBM s390/x CPACF crypto instructions.
 export CFLAGS="%{optflags}"
 export CPPFLAGS="%{optflags}"
 
-%if "%{flavor}" == ""
-%configure \
-  --libdir=%{modulesdir}
-  mkdir -p %{buildroot}/%{enginesdir}
-%endif
-
-%if "%{flavor}" == "engine"
-%configure \
-  --disable-provider \
-  --libdir=%{enginesdir}
-%endif
-
-%if "%{flavor}" == "provider"
 %configure \
   --disable-engine \
   --libdir=%{modulesdir}
-%endif
-
-%if "%{flavor}" == "openssl1_1"
-%configure \
-  --libdir=%{enginesdir}
-%endif
 
 %make_build
 
 %install
-# Update the sample config file so that the dynamic path points
-# to the correct version of the engines directory.
-%if "%{flavor}" != "provider"
-sed -i -e "/^dynamic_path/s, = .*/, = %{enginesdir}/," src/engine/openssl.cnf.sample
-%endif
 
 %make_install
 
-%if "%{flavor}" == "openssl1_1"
-rm -f %{buildroot}/%{enginesdir}/ibmca-provider.*
-%endif
-
-%if "%{flavor}" == ""
-mkdir -p %{buildroot}/%{enginesdir}
-mv %{buildroot}/%{modulesdir}/ibmca.* %{buildroot}/%{enginesdir}/
-%endif
-
-rm -f %{buildroot}/%{enginesdir}/ibmca*.la
-rm -f %{buildroot}/%{modulesdir}/ibmca*.la
-
-# This file contains the declaration of the ibmca engine section. It
-# needs to be on the "real" file system when the postinstall scriptlet
-# is run. It will be read by the openssl .include directive that points
-# to /etc/ssl/engines.d/
-mkdir -p %{buildroot}%{_datadir}/%{name}
-cp -p %{SOURCE1} %{buildroot}%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
-
-# This will create the actual engine definition section that will be usable
-# by the .include directive of openSSL. That include will be inserted during
-# the postinstall phase of the package installation.
-grep -v "^#" src/engine/openssl.cnf.sample | \
-    sed -n -e '/^\[ibmca_section\]/,$ p' | \
-    sed -e '/^$/ {N;N;s/\n\n/\n/g;}' | \
-    sed -e 's/^dynamic_path/#dynamic_path/' > %{buildroot}%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
-
 %post
-#Original fix for bsc#942839 was to update on first install
-#For bsc#966139 update if openssl_def not found
-
-mkdir -p %{sslengcnf}
-mkdir -p %{sslengdef}
-cp -p %{_datadir}/%{name}/openssl-ibmca.sectiondef.txt %{sslengcnf}/openssl-ibmca.cnf
-cp -p %{_datadir}/%{name}/openssl-ibmca.enginedef.cnf %{sslengdef}/openssl-ibmca.cnf
-
-%if "%{flavor}" == ""
-if [ -f "%{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig" ]; then
-   cp -p %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
-   sed -e 's/ossl-modules/engines-3/' %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig > %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig
-   rm %{_datadir}/doc/packages/openssl-ibmca/ibmca-engine-opensslconfig.orig
-fi
-%endif
 
 %postun
-if [ $1 -eq 0 ]; then # last uninstall
-  rm -f %{sslengcnf}/openssl-ibmca.cnf
-  rm -f %{sslengdef}/openssl-ibmca.cnf
-fi
 
 %files
 %license LICENSE
 %doc ChangeLog
 %doc README.md
-%dir %{_datadir}/%{name}
-%{_datadir}/%{name}/openssl-ibmca.sectiondef.txt
-%{_datadir}/%{name}/openssl-ibmca.enginedef.cnf
-%if "%{flavor}" == ""
-    %doc src/engine/ibmca-engine-opensslconfig
-    %doc src/provider/ibmca-provider-opensslconfig
-    %doc src/engine/openssl.cnf.sample
-    %{enginesdir}/ibmca.*
-    %{modulesdir}/ibmca-provider.*
-    %{_mandir}/man5/ibmca.5%{?ext_man}
-    %{_mandir}/man5/ibmca-provider.5%{?ext_man}
-%endif
-%if "%{flavor}" == "provider"
-    %doc src/provider/ibmca-provider-opensslconfig
-    %{modulesdir}/ibmca-provider.*
-    %{_mandir}/man5/ibmca-provider.5%{?ext_man}
-%endif
-%if "%{flavor}" == "engine"
-    %doc src/engine/ibmca-engine-opensslconfig
-    %doc src/engine/openssl.cnf.sample
-    %{enginesdir}/ibmca.*
-    %{_mandir}/man5/ibmca.5%{?ext_man}
-%endif
-%if "%{flavor}" == "openssl1_1"
-    %doc src/engine/openssl.cnf.sample
-    %{enginesdir}/ibmca.*
-    %{_mandir}/man5/ibmca.5%{?ext_man}
-%endif
+%doc src/provider/ibmca-provider-opensslconfig
+%{modulesdir}/ibmca-provider.*
+%{_mandir}/man5/ibmca-provider.5%{?ext_man}
 
 %changelog

openssl1-rename-libica-files.patch

@@ -1,65 +0,0 @@
---- openssl-ibmca-2.4.1/configure.ac	2023-09-21 08:52:43.000000000 +0200
-+++ changed/configure.ac	2024-04-17 10:13:02.267582864 +0200
-@@ -69,7 +69,7 @@
- # Checks for header files.
- AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \
-                  string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
--AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***]))
-+AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 is required ***]))
- 
- 
- # Checks for typedefs, structures, and compiler characteristics.
-@@ -81,15 +81,15 @@
- # Checks for library functions.
- AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc])
- AC_CHECK_DECLS([ICA_FLAG_DHW,DES_ECB], [],
--		AC_MSG_ERROR([*** libica-devel >= 3.6.0 are required ***]),
-+		AC_MSG_ERROR([*** libica-openssl1_1-devel >= 3.6.0 are required ***]),
- 		[#include <ica_api.h>])
- AC_CHECK_DECLS([OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION],
- 		[openssl_implicit_rejection="yes"], [openssl_implicit_rejection="no"],
- 		[#include <openssl/core_names.h>])
- AM_CONDITIONAL([OPENSSL_IMPLICIT_REJECTION], [test "x$openssl_implicit_rejection" = xyes])
- 
--AC_ARG_WITH([libica-cex],
--	[AS_HELP_STRING([--with-libica-cex],[Use libica-cex as default library for the IBMCA engine])],
-+AC_ARG_WITH([libica-openssl1_1-cex],
-+	[AS_HELP_STRING([--with-libica-openssl1_1-cex],[Use libica-openssl1_1-cex as default library for the IBMCA engine])],
- 	[usecexonly=${withval}],
- 	[])
- 
-@@ -99,11 +99,11 @@
- 	[libicaversion=4])
- 
- if test "x$usecexonly" = xyes; then
--	defaultlib="libica-cex.so.$libicaversion"
--	ica="ica-cex"
-+	defaultlib="libica-openssl1_1-cex.so.$libicaversion"
-+	ica="ica-openssl1_1-cex"
- else
--	defaultlib="libica.so.$libicaversion"
--	ica="ica"
-+	defaultlib="libica-openssl1_1.so.$libicaversion"
-+	ica="ica-openssl1_1"
- fi
- # In cex-only mode, testing the ciphers does not make any sense since
- # they will fall back to OpenSSL without the engine.  So remove these
-@@ -135,7 +135,7 @@
- 
- 
- AC_DEFINE_UNQUOTED([LIBICA_SHARED_LIB],["$defaultlib"])
--AC_SUBST([ICA],["$ica"])
-+AC_SUBST([ICA],["$ica-openssl1_1"])
- 
- AC_CHECK_PROG([openssl_var],[openssl],[yes],[no])
- if test "x$openssl_var" != xyes; then
-@@ -169,7 +169,7 @@
- echo "  default library: $defaultlib"
- echo "IBMCA provider:    $enable_provider"
- if test "x$useproviderfulllibica" = xyes; then
--	echo "  libica library:  libica"
-+	echo "  libica library:  libica-openssl1_1"
- else
--	echo "  libica library:  libica-cex"
-+	echo "  libica library:  libica-openssl1_1-cex"
- fi