import openssl-ibmca-2.2.1-1.el8

2022-03-29 15:41:12 -04:00 · 2022-03-29 15:41:12 -04:00 · 6588e7dee9
commit 6588e7dee9
parent 76e92345d6
5 changed files with 8 additions and 145 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/openssl-ibmca-2.2.0.tar.gz
+SOURCES/openssl-ibmca-2.2.1.tar.gz
--- a/.openssl-ibmca.metadata
+++ b/.openssl-ibmca.metadata
@ -1 +1 @@
-9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz
+1bc8005fdf4af4604b223c5ce9e7cd642be14c94 SOURCES/openssl-ibmca-2.2.1.tar.gz
--- a/SOURCES/openssl-ibmca-2.2.0-eckey.patch
+++ b/SOURCES/openssl-ibmca-2.2.0-eckey.patch
@ -1,31 +0,0 @@
-From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
-From: Juergen Christ <jchrist@linux.ibm.com>
-Date: Mon, 31 May 2021 18:00:07 +0200
-Subject: [PATCH] Skip eckey test if needed.
-
-Without crypto cards on a machine < z15, ibmca might not register with the
-EC_KEY subsystem of OpenSSL.  In these cases, the eckey test should be skipped
-since it is doomed to fail.
-
-Fixes #69.
-
-Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
- test/eckey.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/test/eckey.c b/test/eckey.c
-index 35b3df2..6d0870b 100644
--- a/test/eckey.c
-+++ b/test/eckey.c
-@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
-         fprintf(stderr, "ibmca engine not loaded\n");
-         goto out;
-     }
-+    if (ENGINE_get_EC(engine) == NULL) {
-+        fprintf(stderr, "ibmca does not support EC_KEY.  Skipping...\n");
-+        exit(77);
-+    }
-     eckey = EC_KEY_new_by_curve_name(nid);
-     if (eckey == NULL) {
-         /* curve not supported => test passed */
--- a/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
+++ b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
@ -1,105 +0,0 @@
-From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
-From: Juergen Christ <jchrist@linux.ibm.com>
-Date: Thu, 29 Jul 2021 17:38:59 +0200
-Subject: [PATCH] Fix DSA and DH registration.
-
-DSA does not provide backups by default.
-
-Also fix typo in DH initialization.
-
-Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
- src/ibmca_dh.c  |  2 +-
- src/ibmca_dsa.c | 26 ++++----------------------
- 2 files changed, 5 insertions(+), 23 deletions(-)
-
-diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
-index 2459cf1..b2b75a9 100644
--- a/src/ibmca_dh.c
-+++ b/src/ibmca_dh.c
-@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
- 
-     if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
-         || (meth1 = DH_OpenSSL()) == NULL
-	    || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
-+	    || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
-         || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
-         || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
-         || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
-diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
-index f5bf4e4..3b5ac87 100644
--- a/src/ibmca_dsa.c
-+++ b/src/ibmca_dsa.c
-@@ -28,18 +28,10 @@
-  * RSA. Just check out the "signs" statistics from the RSA and DSA parts
-  * of "openssl speed -engine ibmca dsa1024 rsa1024". */
- #ifdef OLDER_OPENSSL
-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
-                                       BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
-                                       BIGNUM *m, BN_CTX *ctx,
-                                       BN_MONT_CTX *in_mont);
- static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
-                              BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
-                              BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
- #else
-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
-                                       const BIGNUM *p1, const BIGNUM *a2,
-                                       const BIGNUM *p2, const BIGNUM *m,
-                                       BN_CTX *ctx, BN_MONT_CTX *in_mont);
- static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
-                              const BIGNUM *p1, const BIGNUM *a2,
-                              const BIGNUM *p2, const BIGNUM *m,
-@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
- end:
-     BN_free(t);
- 
-    if (!to_return && ibmca_dsa_mod_exp_backup)
-        return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
-+    if (!to_return)
-+        return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
-     return to_return;
- }
- 
- #ifdef OLDER_OPENSSL
-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
-                       const BIGNUM *p, const BIGNUM *m,
-                       BN_CTX *ctx, BN_MONT_CTX *m_ctx);
- 
- static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
-                              const BIGNUM *p, const BIGNUM *m,
-                              BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- #else
-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
-                       const BIGNUM *p, const BIGNUM *m,
-                       BN_CTX *ctx, BN_MONT_CTX *m_ctx);
- 
- static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
-                              const BIGNUM *p, const BIGNUM *m,
-                              BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- #endif
- {
-    if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
-        return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
-+    if (!ibmca_mod_exp(r, a, p, m, ctx))
-+        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
-     return 1;
- }
- 
-@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
- {
-     const DSA_METHOD *meth1 = DSA_OpenSSL();
- 
-    ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp;
-    ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp;
-     dsa_m.dsa_do_sign = meth1->dsa_do_sign;
-     dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
-     dsa_m.dsa_do_verify = meth1->dsa_do_verify;
-@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void)
- 
-     if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
-         || (meth1 = DSA_OpenSSL()) == NULL
-        || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL
-        || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL
-         || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
-         || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
-         || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))
--- a/SPECS/openssl-ibmca.spec
+++ b/SPECS/openssl-ibmca.spec
@ -2,17 +2,12 @@

 Summary: A dynamic OpenSSL engine for IBMCA
 Name: openssl-ibmca
-Version: 2.2.0
-Release: 2%{?dist}
+Version: 2.2.1
+Release: 1%{?dist}
 License: ASL 2.0
 Group: System Environment/Libraries
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240
-Patch0: openssl-ibmca-2.2.0-eckey.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1989064
-# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20
-Patch1: openssl-ibmca-2.2.0-fix-registration.patch
 Requires: libica >= 3.8.0
 BuildRequires: gcc
 BuildRequires: libica-devel >= 3.8.0
@ -60,6 +55,10 @@ make check


 %changelog
+* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
+- updated to 2.2.1 (#1984971)
+- Resolves: #1984971
+
 * Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
 - fix DSA and DH registration (#1989064)
 - Resolves: #1989064