- updated to 1.4.0

.gitignore

@@ -1,3 +1,4 @@
 openssl-ibmca-1.1.tar.gz
 /openssl-ibmca-1.2.0.tar.gz
 /openssl-ibmca-1.3.1.tar.gz
+/openssl-ibmca-1.4.0.tar.gz

openssl-ibmca-1.3.0-libica-soname.patch

@@ -1,21 +0,0 @@
-diff -up openssl-ibmca-1.3.0/src/e_ibmca.c.libica-soname openssl-ibmca-1.3.0/src/e_ibmca.c
---- openssl-ibmca-1.3.0/src/e_ibmca.c.libica-soname	2015-12-01 03:33:52.000000000 +0000
-+++ openssl-ibmca-1.3.0/src/e_ibmca.c	2017-02-13 20:25:03.122555936 +0000
-@@ -127,7 +127,7 @@ typedef struct ibmca_sha512_ctx {
- } IBMCA_SHA512_CTX;
- #endif
- 
--static const char *LIBICA_NAME = "ica";
-+static const char *LIBICA_NAME = "libica.so.3";
- 
- #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
- #define NID_aes_128_cfb NID_aes_128_cfb128
-@@ -1281,7 +1281,7 @@ static int ibmca_init(ENGINE * e)
- 	/* WJH XXX check name translation */
- 
- 	ibmca_dso = DSO_load(NULL, LIBICA_NAME, NULL,
--			     /* DSO_FLAG_NAME_TRANSLATION */ 0);
-+			     /* DSO_FLAG_NO_NAME_TRANSLATION */ 1);
- 	if (ibmca_dso == NULL) {
- 		IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE);
- 		goto err;

openssl-ibmca-1.3.1-openssl11.patch

@@ -1,327 +0,0 @@
-From 170352452f0a1addb78879dea34a3069314fcda0 Mon Sep 17 00:00:00 2001
-From: Paulo Vital <pvital@linux.vnet.ibm.com>
-Date: Tue, 7 Mar 2017 16:22:41 -0300
-Subject: [PATCH] Add support to DSO on new API of OpenSSL-1.1.0
-
-DSO is opaque in OpenSSL-1.1.0 and had to modify includes and
-data structure usage to use it.
-
-On OpenSSL-1.1.0e (or newer), warning messages during compilation
-time can be printed, but they are resolved during link time.
-
-Signed-off-by: Paulo Vital <pvital@linux.vnet.ibm.com>
----
- src/e_ibmca.c | 73 +++++++++++++++++++++++++++++++----------------------------
- 1 file changed, 39 insertions(+), 34 deletions(-)
-
-diff --git a/src/e_ibmca.c b/src/e_ibmca.c
-index a78fb72..57452b1 100644
---- a/src/e_ibmca.c
-+++ b/src/e_ibmca.c
-@@ -66,7 +66,6 @@
- #include <dirent.h>
- #include <openssl/crypto.h>
- #include "cryptlib.h"
--#include <openssl/dso.h>
- #include <openssl/engine.h>
- #include <openssl/evp.h>
- #include <openssl/objects.h>
-@@ -84,6 +83,12 @@
- #include <ica_api.h>
- #include "e_ibmca_err.h"
- 
-+#ifdef OLDER_OPENSSL
-+#include <openssl/dso.h>
-+#else
-+typedef struct dso_st DSO;
-+#endif
-+
- #define IBMCA_LIB_NAME "ibmca engine"
- 
- #define AP_PATH "/sys/devices/ap"
-@@ -1760,7 +1765,7 @@ static int ibmca_ctrl(ENGINE * e, int cmd, long i, void *p, void (*f) ())
- 
- /*
-  * ENGINE calls this to find out how to deal with
-- * a particular NID in the ENGINE. 
-+ * a particular NID in the ENGINE.
-  */
- static int ibmca_engine_ciphers(ENGINE * e, const EVP_CIPHER ** cipher,
- 				const int **nids, int nid)
-@@ -1829,7 +1834,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		mode = MODE_CBC;
- 	} else if ((EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_CFB_MODE) &&
- 		   (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE)) {
--		IBMCAerr(IBMCA_F_IBMCA_DES_CIPHER, 
-+		IBMCAerr(IBMCA_F_IBMCA_DES_CIPHER,
- 				IBMCA_R_CIPHER_MODE_NOT_SUPPORTED);
- 		return 0;
- 	}
-@@ -1866,7 +1871,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_DES_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_DES_CIPHER,
- 					IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -1914,7 +1919,7 @@ static int ibmca_des_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_DES_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_DES_CIPHER,
- 					IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -1955,7 +1960,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		mode = MODE_CBC;
- 	} else if ((EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_CFB_MODE) &&
- 		   (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE)) {
--		IBMCAerr(IBMCA_F_IBMCA_TDES_CIPHER, 
-+		IBMCAerr(IBMCA_F_IBMCA_TDES_CIPHER,
- 				IBMCA_R_CIPHER_MODE_NOT_SUPPORTED);
- 		return 0;
- 	}
-@@ -1992,7 +1997,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_TDES_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_TDES_CIPHER,
- 					IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2040,7 +2045,7 @@ static int ibmca_tdes_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_TDES_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_TDES_CIPHER,
- 					IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2082,7 +2087,7 @@ static int ibmca_aes_128_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		mode = MODE_CBC;
- 	} else if ((EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_CFB_MODE) &&
- 		   (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE)) {
--		IBMCAerr(IBMCA_F_IBMCA_AES_128_CIPHER, 
-+		IBMCAerr(IBMCA_F_IBMCA_AES_128_CIPHER,
- 			 IBMCA_R_CIPHER_MODE_NOT_SUPPORTED);
- 		return 0;
- 	}
-@@ -2123,7 +2128,7 @@ static int ibmca_aes_128_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_AES_128_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_AES_128_CIPHER,
- 				 IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2175,7 +2180,7 @@ static int ibmca_aes_128_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_AES_128_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_AES_128_CIPHER,
- 				 IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2217,7 +2222,7 @@ static int ibmca_aes_192_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		mode = MODE_CBC;
- 	} else if ((EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_CFB_MODE) &&
- 		   (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE)) {
--		IBMCAerr(IBMCA_F_IBMCA_AES_192_CIPHER, 
-+		IBMCAerr(IBMCA_F_IBMCA_AES_192_CIPHER,
- 			 IBMCA_R_CIPHER_MODE_NOT_SUPPORTED);
- 		return 0;
- 	}
-@@ -2257,7 +2262,7 @@ static int ibmca_aes_192_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_AES_192_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_AES_192_CIPHER,
- 				 IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2306,7 +2311,7 @@ static int ibmca_aes_192_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_AES_192_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_AES_192_CIPHER,
- 				 IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2347,7 +2352,7 @@ static int ibmca_aes_256_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		mode = MODE_CBC;
- 	} else if ((EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_CFB_MODE) &&
- 		   (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE)) {
--		IBMCAerr(IBMCA_F_IBMCA_AES_256_CIPHER, 
-+		IBMCAerr(IBMCA_F_IBMCA_AES_256_CIPHER,
- 			 IBMCA_R_CIPHER_MODE_NOT_SUPPORTED);
- 		return 0;
- 	}
-@@ -2387,7 +2392,7 @@ static int ibmca_aes_256_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_AES_256_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_AES_256_CIPHER,
- 				 IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2436,7 +2441,7 @@ static int ibmca_aes_256_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
- 		}
- 
- 		if (rv) {
--			IBMCAerr(IBMCA_F_IBMCA_AES_256_CIPHER, 
-+			IBMCAerr(IBMCA_F_IBMCA_AES_256_CIPHER,
- 				 IBMCA_R_REQUEST_FAILED);
- 			return 0;
- 		} else if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_OFB_MODE) {
-@@ -2538,7 +2543,7 @@ static int ibmca_sha1_update(EVP_MD_CTX * ctx, const void *in_data,
- 					&ibmca_sha_ctx->c,
- 					tmp_hash)) {
- 
--				IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE, 
-+				IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE,
- 						IBMCA_R_REQUEST_FAILED);
- 				return 0;
- 			}
-@@ -2577,7 +2582,7 @@ static int ibmca_sha1_update(EVP_MD_CTX * ctx, const void *in_data,
- 						&ibmca_sha_ctx->c,
- 						tmp_hash)) {
- 
--					IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE, 
-+					IBMCAerr(IBMCA_F_IBMCA_SHA1_UPDATE,
- 							IBMCA_R_REQUEST_FAILED);
- 					return 0;
- 				}
-@@ -2589,8 +2594,8 @@ static int ibmca_sha1_update(EVP_MD_CTX * ctx, const void *in_data,
- 				return 1;
- 			}
- 
--			/* 
--			 * We had to use some of the data from in_data to 
-+			/*
-+			 * We had to use some of the data from in_data to
- 			 * fill out the empty part of save data, so adjust
- 			 * in_data_len
- 			 */
-@@ -2599,7 +2604,7 @@ static int ibmca_sha1_update(EVP_MD_CTX * ctx, const void *in_data,
- 			ibmca_sha_ctx->tail_len = in_data_len & 0x3f;
- 			if(ibmca_sha_ctx->tail_len) {
- 				in_data_len &= ~0x3f;
--				memcpy(ibmca_sha_ctx->tail, 
-+				memcpy(ibmca_sha_ctx->tail,
- 					in_data + fill_size +in_data_len,
- 					ibmca_sha_ctx->tail_len);
- 			}
-@@ -2618,7 +2623,7 @@ static int ibmca_sha1_update(EVP_MD_CTX * ctx, const void *in_data,
- 	}
- 
- 	/* If the data passed in was <64 bytes, in_data_len will be 0 */
--        if( in_data_len && 
-+        if( in_data_len &&
- 		p_ica_sha1(message_part,
- 			(unsigned int)in_data_len, (unsigned char *)(in_data + fill_size),
- 			&ibmca_sha_ctx->c,
-@@ -2674,7 +2679,7 @@ static int ibmca_sha256_init(EVP_MD_CTX *ctx)
- #endif
- 	memset((unsigned char *)ibmca_sha256_ctx, 0, sizeof(*ibmca_sha256_ctx));
- 	return 1;
--}				// end ibmca_sha256_init                                                
-+}				// end ibmca_sha256_init
- 
- static int
- ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
-@@ -2691,7 +2696,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 	if (in_data_len == 0)
- 		return 1;
- 
--	if (ibmca_sha256_ctx->c.runningLength == 0 
-+	if (ibmca_sha256_ctx->c.runningLength == 0
- 	    && ibmca_sha256_ctx->tail_len == 0) {
- 		message_part = SHA_MSG_PART_FIRST;
- 
-@@ -2711,7 +2716,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 
- 		fill_size = SHA256_BLOCK_SIZE - ibmca_sha256_ctx->tail_len;
- 		if (fill_size < in_data_len) {
--			memcpy(ibmca_sha256_ctx->tail 
-+			memcpy(ibmca_sha256_ctx->tail
- 			       + ibmca_sha256_ctx->tail_len, in_data,
- 			       fill_size);
- 
-@@ -2721,7 +2726,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 					ibmca_sha256_ctx->tail,
- 					&ibmca_sha256_ctx->c,
- 					tmp_hash)) {
--				IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE, 
-+				IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE,
- 					 IBMCA_R_REQUEST_FAILED);
- 				return 0;
- 			}
-@@ -2749,7 +2754,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 		if (ibmca_sha256_ctx->tail_len) {
- 			fill_size = SHA256_BLOCK_SIZE - ibmca_sha256_ctx->tail_len;
- 			if (fill_size < in_data_len) {
--				memcpy(ibmca_sha256_ctx->tail 
-+				memcpy(ibmca_sha256_ctx->tail
- 				       + ibmca_sha256_ctx->tail_len, in_data,
- 				       fill_size);
- 
-@@ -2759,7 +2764,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 						ibmca_sha256_ctx->tail,
- 						&ibmca_sha256_ctx->c,
- 						tmp_hash)) {
--					IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE, 
-+					IBMCAerr(IBMCA_F_IBMCA_SHA256_UPDATE,
- 						 IBMCA_R_REQUEST_FAILED);
- 					return 0;
- 				}
-@@ -2771,8 +2776,8 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 				return 1;
- 			}
- 
--			/* 
--			 * We had to use some of the data from in_data to 
-+			/*
-+			 * We had to use some of the data from in_data to
- 			 * fill out the empty part of save data, so adjust
- 			 * in_data_len
- 			 */
-@@ -2781,7 +2786,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 			ibmca_sha256_ctx->tail_len = in_data_len & 0x3f;
- 			if (ibmca_sha256_ctx->tail_len) {
- 				in_data_len &= ~0x3f;
--				memcpy(ibmca_sha256_ctx->tail, 
-+				memcpy(ibmca_sha256_ctx->tail,
- 				       in_data + fill_size + in_data_len,
- 					ibmca_sha256_ctx->tail_len);
- 			}
-@@ -2801,7 +2806,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 	}
- 
- 	/* If the data passed in was <64 bytes, in_data_len will be 0 */
--        if (in_data_len && 
-+        if (in_data_len &&
- 	    p_ica_sha256(message_part,
- 			(unsigned int)in_data_len, (unsigned char *)(in_data + fill_size),
- 			&ibmca_sha256_ctx->c,
-@@ -2811,7 +2816,7 @@ ibmca_sha256_update(EVP_MD_CTX *ctx, const void *in_data, unsigned long inlen)
- 	}
- 
- 	return 1;
--}				// end ibmca_sha256_update                                                 
-+}				// end ibmca_sha256_update
- 
- static int ibmca_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
- {
--- 
-2.12.0
-

openssl-ibmca-1.4.0-libica-soname.patch

@@ -0,0 +1,12 @@
+diff -up openssl-ibmca-1.4.0/src/e_ibmca.c.libica-soname openssl-ibmca-1.4.0/src/e_ibmca.c
+--- openssl-ibmca-1.4.0/src/e_ibmca.c.libica-soname	2017-09-11 13:56:54.144885532 +0200
++++ openssl-ibmca-1.4.0/src/e_ibmca.c	2017-09-11 13:57:09.724885532 +0200
+@@ -46,7 +46,7 @@
+ #include "e_ibmca_err.h"
+ 
+ #define IBMCA_LIB_NAME "ibmca engine"
+-#define LIBICA_SHARED_LIB "libica.so"
++#define LIBICA_SHARED_LIB "libica.so.3"
+ 
+ #define AP_PATH "/sys/devices/ap"
+ 

openssl-ibmca.spec

@@ -1,31 +1,27 @@
 Summary: A dynamic OpenSSL engine for IBMCA
 Name: openssl-ibmca
-Version: 1.3.1
-Release: 3%{?dist}
-License: OpenSSL
+Version: 1.4.0
+Release: 1%{?dist}
+License: ASL 2.0
 Group: System Environment/Libraries
-URL: http://sourceforge.net/projects/opencryptoki
-Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-%{version}.tar.gz
+URL: https://github.com/opencryptoki
+Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # https://bugzilla.redhat.com/show_bug.cgi?id=584765
-Patch0: openssl-ibmca-1.3.0-libica-soname.patch
-# fix build with OpenSSL 1.1
-# https://sourceforge.net/p/opencryptoki/ibmca/ci/170352452f0a1addb78879dea34a3069314fcda0/
-Patch1: openssl-ibmca-1.3.1-openssl11.patch
-Requires: libica >= 3.0.0
-BuildRequires: libica-devel >= 3.0.0
+Patch0: openssl-ibmca-1.4.0-libica-soname.patch
+Requires: libica >= 3.1.0
+BuildRequires: libica-devel >= 3.1.0
 BuildRequires: automake libtool
 ExclusiveArch: s390 s390x
 
 %global enginesdir %{_libdir}/engines-1.1
 
 %description
-A dynamic OpenSSL engine for IBMCA crypto hardware on IBM zSeries machines.
+A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
 
 
 %prep
 %setup -q
 %patch0 -p1 -b .libica-soname
-%patch1 -p1 -b .openssl11
 
 sh ./bootstrap.sh
 
@@ -48,12 +44,15 @@ sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample
 popd
 
 %files
-%doc INSTALL README src/openssl.cnf.sample.%{_arch}
+%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch}
 %{enginesdir}/libibmca.so
 %{_mandir}/man5/ibmca.5*
 
 
 %changelog
+* Mon Sep 11 2017 Dan Horák <dan@danny.cz> - 1.4.0-1
+- updated to 1.4.0
+
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (openssl-ibmca-1.3.1.tar.gz) = 9c2049b88676a94c292821ea84cf67d41e0fe242fc1822848315564089527b217a270b740239925785215120269f262f8d1fd8c86ef6db1df2c2f26db0db71c0
+SHA512 (openssl-ibmca-1.4.0.tar.gz) = 7e8d7c52b5b5959805823b5349756406bec406581e64732a37558a6d7b6faa3fc7391738a71a9376432a035645347e4cb7288d3a9712e884f954aeb4d74c9795