From 6588e7dee9de5aa511090bf335f2e24872bc82d0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 29 Mar 2022 15:41:12 -0400 Subject: [PATCH] import openssl-ibmca-2.2.1-1.el8 --- .gitignore | 2 +- .openssl-ibmca.metadata | 2 +- SOURCES/openssl-ibmca-2.2.0-eckey.patch | 31 ------ ...openssl-ibmca-2.2.0-fix-registration.patch | 105 ------------------ SPECS/openssl-ibmca.spec | 13 +-- 5 files changed, 8 insertions(+), 145 deletions(-) delete mode 100644 SOURCES/openssl-ibmca-2.2.0-eckey.patch delete mode 100644 SOURCES/openssl-ibmca-2.2.0-fix-registration.patch diff --git a/.gitignore b/.gitignore index fd8588c..d0d78e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openssl-ibmca-2.2.0.tar.gz +SOURCES/openssl-ibmca-2.2.1.tar.gz diff --git a/.openssl-ibmca.metadata b/.openssl-ibmca.metadata index 9bba6dd..5d30504 100644 --- a/.openssl-ibmca.metadata +++ b/.openssl-ibmca.metadata @@ -1 +1 @@ -9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz +1bc8005fdf4af4604b223c5ce9e7cd642be14c94 SOURCES/openssl-ibmca-2.2.1.tar.gz diff --git a/SOURCES/openssl-ibmca-2.2.0-eckey.patch b/SOURCES/openssl-ibmca-2.2.0-eckey.patch deleted file mode 100644 index 6e8d490..0000000 --- a/SOURCES/openssl-ibmca-2.2.0-eckey.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Mon, 31 May 2021 18:00:07 +0200 -Subject: [PATCH] Skip eckey test if needed. - -Without crypto cards on a machine < z15, ibmca might not register with the -EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped -since it is doomed to fail. - -Fixes #69. - -Signed-off-by: Juergen Christ ---- - test/eckey.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/test/eckey.c b/test/eckey.c -index 35b3df2..6d0870b 100644 ---- a/test/eckey.c -+++ b/test/eckey.c -@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name) - fprintf(stderr, "ibmca engine not loaded\n"); - goto out; - } -+ if (ENGINE_get_EC(engine) == NULL) { -+ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n"); -+ exit(77); -+ } - eckey = EC_KEY_new_by_curve_name(nid); - if (eckey == NULL) { - /* curve not supported => test passed */ diff --git a/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch deleted file mode 100644 index 04122e8..0000000 --- a/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 29 Jul 2021 17:38:59 +0200 -Subject: [PATCH] Fix DSA and DH registration. - -DSA does not provide backups by default. - -Also fix typo in DH initialization. - -Signed-off-by: Juergen Christ ---- - src/ibmca_dh.c | 2 +- - src/ibmca_dsa.c | 26 ++++---------------------- - 2 files changed, 5 insertions(+), 23 deletions(-) - -diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c -index 2459cf1..b2b75a9 100644 ---- a/src/ibmca_dh.c -+++ b/src/ibmca_dh.c -@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void) - - if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL - || (meth1 = DH_OpenSSL()) == NULL -- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL -+ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL - || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) - || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) - || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh) -diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c -index f5bf4e4..3b5ac87 100644 ---- a/src/ibmca_dsa.c -+++ b/src/ibmca_dsa.c -@@ -28,18 +28,10 @@ - * RSA. Just check out the "signs" statistics from the RSA and DSA parts - * of "openssl speed -engine ibmca dsa1024 rsa1024". */ - #ifdef OLDER_OPENSSL --static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, -- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, -- BIGNUM *m, BN_CTX *ctx, -- BN_MONT_CTX *in_mont); - static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, - BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, - BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) - #else --static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, -- const BIGNUM *p1, const BIGNUM *a2, -- const BIGNUM *p2, const BIGNUM *m, -- BN_CTX *ctx, BN_MONT_CTX *in_mont); - static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, - const BIGNUM *p1, const BIGNUM *a2, - const BIGNUM *p2, const BIGNUM *m, -@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, - end: - BN_free(t); - -- if (!to_return && ibmca_dsa_mod_exp_backup) -- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont); -+ if (!to_return) -+ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont); - return to_return; - } - - #ifdef OLDER_OPENSSL --static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a, -- const BIGNUM *p, const BIGNUM *m, -- BN_CTX *ctx, BN_MONT_CTX *m_ctx); - - static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, - const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *m_ctx) - #else --static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a, -- const BIGNUM *p, const BIGNUM *m, -- BN_CTX *ctx, BN_MONT_CTX *m_ctx); - - static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, - const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *m_ctx) - #endif - { -- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup) -- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx); -+ if (!ibmca_mod_exp(r, a, p, m, ctx)) -+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); - return 1; - } - -@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void) - { - const DSA_METHOD *meth1 = DSA_OpenSSL(); - -- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp; -- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp; - dsa_m.dsa_do_sign = meth1->dsa_do_sign; - dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; - dsa_m.dsa_do_verify = meth1->dsa_do_verify; -@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void) - - if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL - || (meth1 = DSA_OpenSSL()) == NULL -- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL -- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL - || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) - || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) - || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec index e508c83..daa35cb 100644 --- a/SPECS/openssl-ibmca.spec +++ b/SPECS/openssl-ibmca.spec @@ -2,17 +2,12 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca -Version: 2.2.0 -Release: 2%{?dist} +Version: 2.2.1 +Release: 1%{?dist} License: ASL 2.0 Group: System Environment/Libraries URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240 -Patch0: openssl-ibmca-2.2.0-eckey.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1989064 -# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20 -Patch1: openssl-ibmca-2.2.0-fix-registration.patch Requires: libica >= 3.8.0 BuildRequires: gcc BuildRequires: libica-devel >= 3.8.0 @@ -60,6 +55,10 @@ make check %changelog +* Wed Oct 06 2021 Dan Horák - 2.2.1-1 +- updated to 2.2.1 (#1984971) +- Resolves: #1984971 + * Mon Aug 09 2021 Dan Horák - 2.2.0-2 - fix DSA and DH registration (#1989064) - Resolves: #1989064