From 1fee896d6e5bed70419b87235fbd002c8c7e59e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Wed, 2 Feb 2022 11:45:43 +0100
Subject: [PATCH] - updated to 2.2.2 (#2016989) - Resolves: #2016989
---
 openssl-ibmca-2.2.0-eckey.patch | 31 ------
 openssl-ibmca-2.2.0-fix-registration.patch | 105 ---------------------
 openssl-ibmca.spec | 24 ++---
 sources | 2 +-
 4 files changed, 14 insertions(+), 148 deletions(-)
 delete mode 100644 openssl-ibmca-2.2.0-eckey.patch
 delete mode 100644 openssl-ibmca-2.2.0-fix-registration.patch
diff --git a/openssl-ibmca-2.2.0-eckey.patch b/openssl-ibmca-2.2.0-eckey.patch
deleted file mode 100644
index 6e8d490..0000000
--- a/openssl-ibmca-2.2.0-eckey.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
-From: Juergen Christ
-Date: Mon, 31 May 2021 18:00:07 +0200
-Subject: [PATCH] Skip eckey test if needed.
-
-Without crypto cards on a machine < z15, ibmca might not register with the
-EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped
-since it is doomed to fail.
-
-Fixes #69.
-
-Signed-off-by: Juergen Christ
----
- test/eckey.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/test/eckey.c b/test/eckey.c
-index 35b3df2..6d0870b 100644
---- a/test/eckey.c
-+++ b/test/eckey.c
-@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
- fprintf(stderr, "ibmca engine not loaded\n");
- goto out;
- }
-+ if (ENGINE_get_EC(engine) == NULL) {
-+ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n");
-+ exit(77);
-+ }
- eckey = EC_KEY_new_by_curve_name(nid);
- if (eckey == NULL) {
- /* curve not supported => test passed */
diff --git a/openssl-ibmca-2.2.0-fix-registration.patch b/openssl-ibmca-2.2.0-fix-registration.patch
deleted file mode 100644
index 04122e8..0000000
--- a/openssl-ibmca-2.2.0-fix-registration.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
-From: Juergen Christ
-Date: Thu, 29 Jul 2021 17:38:59 +0200
-Subject: [PATCH] Fix DSA and DH registration.
-
-DSA does not provide backups by default.
-
-Also fix typo in DH initialization.
-
-Signed-off-by: Juergen Christ
----
- src/ibmca_dh.c | 2 +-
- src/ibmca_dsa.c | 26 ++++----------------------
- 2 files changed, 5 insertions(+), 23 deletions(-)
-
-diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
-index 2459cf1..b2b75a9 100644
---- a/src/ibmca_dh.c
-+++ b/src/ibmca_dh.c
-@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
-
- if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
- || (meth1 = DH_OpenSSL()) == NULL
-- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
-+ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
- || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
- || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
- || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
-diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
-index f5bf4e4..3b5ac87 100644
---- a/src/ibmca_dsa.c
-+++ b/src/ibmca_dsa.c
-@@ -28,18 +28,10 @@
- * RSA. Just check out the "signs" statistics from the RSA and DSA parts
- * of "openssl speed -engine ibmca dsa1024 rsa1024". */
- #ifdef OLDER_OPENSSL
--static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
-- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
-- BIGNUM *m, BN_CTX *ctx,
-- BN_MONT_CTX *in_mont);
- static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
- BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
- #else
--static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
-- const BIGNUM *p1, const BIGNUM *a2,
-- const BIGNUM *p2, const BIGNUM *m,
-- BN_CTX *ctx, BN_MONT_CTX *in_mont);
- static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
- const BIGNUM *p1, const BIGNUM *a2,
- const BIGNUM *p2, const BIGNUM *m,
-@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
- end:
- BN_free(t);
-
-- if (!to_return && ibmca_dsa_mod_exp_backup)
-- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
-+ if (!to_return)
-+ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
- return to_return;
- }
-
- #ifdef OLDER_OPENSSL
--static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
-- const BIGNUM *p, const BIGNUM *m,
-- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-
- static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
- const BIGNUM *p, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- #else
--static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
-- const BIGNUM *p, const BIGNUM *m,
-- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-
- static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *p, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- #endif
- {
-- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
-- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
-+ if (!ibmca_mod_exp(r, a, p, m, ctx))
-+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
- return 1;
- }
-
-@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
- {
- const DSA_METHOD *meth1 = DSA_OpenSSL();
-
-- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp;
-- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp;
- dsa_m.dsa_do_sign = meth1->dsa_do_sign;
- dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
- dsa_m.dsa_do_verify = meth1->dsa_do_verify;
-@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void)
-
- if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
- || (meth1 = DSA_OpenSSL()) == NULL
-- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL
-- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL
- || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
- || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
- || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))
diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec
index 3c38baf..474c07f 100644
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@@ -2,20 +2,15 @@ Summary: A dynamic OpenSSL engine for IBMCA
 Name: openssl-ibmca
-Version: 2.2.0
-Release: 3%{?dist}
+Version: 2.2.2
+Release: 1%{?dist}
 License: ASL 2.0
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240
-Patch0: openssl-ibmca-2.2.0-eckey.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1989380
-# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20
-Patch1: openssl-ibmca-2.2.0-fix-registration.patch
-Requires: libica >= 3.8.0
+Requires: libica >= 4.0.0
 BuildRequires: make
 BuildRequires: gcc
-BuildRequires: libica-devel >= 3.8.0
+BuildRequires: libica-devel >= 4.0.0
 BuildRequires: automake libtool
 BuildRequires: openssl
 ExclusiveArch: s390 s390x
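Review bot: The new `Requires: libica >= 4.0.0` has no upper bound, while the `%build` hunk that follows pins the major at build time with `--with-libica-version=4`, so a later libica major would still satisfy the package metadata. If the engine locates libica by a versioned name at run time (not visible in this diff), the mismatch would surface only as an engine that installs cleanly but fails to load, leaving applications configured for ibmca without the hardware backend. Define the major once, e.g. `%global libica_major 4`, and use it for both the dependency and the configure flag, or at minimum add `# keep in sync with --with-libica-version in %build` above the `Requires` line.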
@@ -32,7 +27,7 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
 %build
-%configure --libdir=%{enginesdir} --with-libica-cex
+%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
 %make_build
@@ -54,12 +49,19 @@ make check
 %files
 %license LICENSE
-%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/gensamplecfg.pl
+%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/ibmca-engine-opensslconfig
 %{enginesdir}/ibmca.so
 %{_mandir}/man5/ibmca.5*
 %changelog
+* Wed Feb 02 2022 Dan Horák - 2.2.2-1
+- updated to 2.2.2 (#2016989)
+- Resolves: #2016989
+
+* Mon Oct 25 2021 Dan Horák - 2.2.1-1
+- updated to 2.2.1 (#2016989)
+
 * Mon Aug 09 2021 Mohan Boddu - 2.2.0-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
diff --git a/sources b/sources
index 780b75b..92008d0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-ibmca-2.2.0.tar.gz) = 1e88c1726a6473045e46fbd8f0edc8c95cb5c6794b9d3535871bdc0cada28392b392b5e0bc96d9cb152b20501e2c60abf8ac5d0df5f4081e64768abea7a818f5
+SHA512 (openssl-ibmca-2.2.2.tar.gz) = c9f2ea35671b9d3915d561b3ce495d9ba8e29c2623f076f291c9165bd118585d023cd39310508cff32d4c8c0acb688b3ade59d5d59b20cb3ac98bc79017c1795