- updated to 2.4.1 (RHEL-11414)

.openssl-ibmca.metadata

@@ -0,0 +1 @@
+8e7fc23ec2253da7d2b6e3181c80843253fcb68c openssl-ibmca-2.4.1.tar.gz

openssl-ibmca-2.4.0-engine-defaults.patch

@@ -1,40 +0,0 @@
-From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Wed, 19 Apr 2023 10:07:01 +0200
-Subject: [PATCH] engine: Only register those algos specified with
- default_algorithms
-
-As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
-config file are loaded, and its algorithms (methods) are registered according
-to the default_algorithms setting.
-
-However, later during initialization, ENGINE_register_all_complete() is called
-which unconditionally registered all algorithms (methods) of the loaded engines
-again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.
-
-Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization
-to avoid unconditional registration of all algorithms. We only want to register
-algorithms specified in the default_algorithms configuration setting.
-
-Note that if the default_algorithms setting is omitted in the OpenSSL config
-file, then no algorithms will be registered.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- src/engine/e_ibmca.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
-index fe21897..6cbf745 100644
---- a/src/engine/e_ibmca.c
-+++ b/src/engine/e_ibmca.c
-@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e)
-         if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths))
-             goto out;
- 
-+    if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL))
-+        goto out;
-+
-     rc = 1;
- out:
-     free(pmech_list);

openssl-ibmca-2.4.0-log-into-tmp.patch

@@ -1,218 +0,0 @@
-From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Wed, 26 Jul 2023 15:19:55 +0200
-Subject: [PATCH] provider: Default debug directory to /tmp but make it
- configurable
-
-The IBMCA provider debug logs were written to the /var/log/ibmca/ directory,
-but this required that directory to be world-writable, because we don't know
-under which user an application runs that uses the provider.
-A world-writable directory under /var has security implications and should be
-avoided.
-
-Change the default log directory to /tmp which is world-writable anyway.
-Additionally the log directory can now be configured via the 'debug-path'
-option in the IBMCA provider section of the OpenSSL config file, or via
-environment variable 'IBMCA_DEBUG_PATH'.
-
-Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- configure.ac                        |  2 +-
- src/provider/Makefile.am            |  4 ---
- src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
- src/provider/p_ibmca.c              | 25 ++++++++++++++++++-
- src/provider/p_ibmca.h              |  3 +++
- test/provider/openssl-test.cnf      |  1 +
- 6 files changed, 59 insertions(+), 14 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index cea8ce8f..57b32050 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
- 
- AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
- 
--logdir=$localstatedir/log/ibmca
-+logdir=/tmp
- AC_SUBST(logdir)
- 
- # Cmdline arguments.
-diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
-index da45a52e..f2d1d50b 100644
---- a/src/provider/Makefile.am
-+++ b/src/provider/Makefile.am
-@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
- SUBDIRS = doc
- 
- noinst_SCRIPTS = ibmca-provider-opensslconfig
--
--install-data-hook:
--	$(MKDIR_P) $(DESTDIR)$(logdir)
--	$(CHMOD) 0777 $(DESTDIR)$(logdir)
-diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
-index 52350e47..846d6070 100644
---- a/src/provider/doc/ibmca-provider.man
-+++ b/src/provider/doc/ibmca-provider.man
-@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
- .IP "debug = yes | no | stderr"
- .RS
- Enables debug output for the IBMCA provider. If this option is not specified,
--no debuging output is produced. If \fBdebug = stderr\fP is specified,
-+no debugging output is produced. If \fBdebug = stderr\fP is specified,
- debugging messages are printed to stderr. Otherwise the debug output is written
--into a trace file in \fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP,
--where <provider-name> is the name of the IBMCA provider from the identity
--option, and <pid> is the process ID of the current process. You can also
--enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
--\fBon\fP or \fBstderr\fP.
-+into a trace file in \fB<debug-path>/trace-<provider-name>.<pid>\fP,
-+where <debug-path> is the path name of a directory to where the debug files are
-+written (default: \fB/tmp\fP), <provider-name> is the name of the IBMCA provider
-+from the identity option, and <pid> is the process ID of the current process.
-+You can also enable debugging by setting the environment variable
-+\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
-+.RE
-+.PP
-+.IP "debug-path = /dir/to/debug/directory"
-+.RS
-+Sets the directory path to where debug files are written when debug is enabled
-+via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
-+You can also set the debug path by setting the environment variable
-+\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
-+under which the application that uses the IBMCA provider runs has write access
-+to that directory. If this option is not specified, the default debug path is
-+\fB/tmp\fP.
- .RE
- .PP
- .IP "fips = yes | no"
-@@ -153,8 +165,18 @@ If
- .B $IBMCA_DEBUG
- is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled.
- If it is set to \fBon\fP the debug output is written into a trace file in
--\fB[/usr/local]/var/log/ibmca/trace-<provider-name>.<pid>\fP, where <pid> is
--the process ID of the current process.
-+\fB<debug-path>/trace-<provider-name>.<pid>\fP, where <debug-path> is the path
-+name of a directory to where the debug files are written (default: \fB/tmp\fP),
-+<provider-name> is the name of the IBMCA provider from the identity option,
-+and <pid> is the process ID of the current process.
-+.PP
-+.TP
-+.BR IBMCA_DEBUG_PATH
-+Sets the directory path to where debug files are written when debug is enabled
-+via \fBdebug = yes\fP configuration option or via environment variable
-+\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
-+application that uses the IBMCA provider runs has write access to that
-+directory.
- .PP
- .SH SEE ALSO
- .B provider(1)
-diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
-index 80f03685..ffb9b5dd 100644
---- a/src/provider/p_ibmca.c
-+++ b/src/provider/p_ibmca.c
-@@ -19,6 +19,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stddef.h>
-+#include <stdlib.h>
- #include <err.h>
- #include <strings.h>
- #include <string.h>
-@@ -58,6 +59,8 @@ struct ibmca_config_item {
- 
- static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
-                               const char *key, const char *value);
-+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
-+                                   const char *key, const char *value);
- static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
-                              const char *key, const char *value);
- static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
-@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
-                                         const char *key, const char *value);
- 
- static const struct ibmca_config_item config_items[] = {
-+    { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
-     { IBMCA_CONF_DEBUG, ibmca_config_debug },
-     { IBMCA_CONF_FIPS, ibmca_config_fips },
-     { IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
-@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
-             *p = '_';
- 
-         if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
--                     IBMCA_LOGDIR, prov_name, provctx->debug_pid)
-+                     provctx->debug_path != NULL ? provctx->debug_path :
-+                                                   IBMCA_LOGDIR,
-+                     prov_name, provctx->debug_pid)
-                                         >= (int)sizeof(debug_file)) {
-             put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
-                           "IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
-@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
-     return 1;
- }
- 
-+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
-+                                   const char *key, const char *value)
-+{
-+    /*
-+     * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
-+     * environment variable) do not override the setting.
-+     */
-+    if (provctx->debug_path != NULL)
-+        return 1;
-+
-+    return ibmca_config_const_string(provctx, key, value,
-+                                     &provctx->debug_path);
-+}
-+
- static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
-                              const char *key, const char *value)
- {
-@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
-     ctx->c_free = c_free;
-     ctx->ica_adapter = DRIVER_NOT_LOADED;
- 
-+    val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
-+    if (val != NULL)
-+        ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
-     val = getenv(IBMCA_DEBUG_ENVVAR);
-     if (val != NULL)
-         ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
-diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
-index 3b3d4f04..c47a6aa9 100644
---- a/src/provider/p_ibmca.h
-+++ b/src/provider/p_ibmca.h
-@@ -27,9 +27,11 @@
- 
- /* Environment variable name to enable debug */
- #define IBMCA_DEBUG_ENVVAR          "IBMCA_DEBUG"
-+#define IBMCA_DEBUG_PATH_ENVVAR     "IBMCA_DEBUG_PATH"
- 
- /* IBMCA provider configuration key words */
- #define IBMCA_CONF_DEBUG            "debug"
-+#define IBMCA_CONF_DEBUG_PATH       "debug-path"
- #define IBMCA_CONF_ALGORITHMS       "algorithms"
- #define IBMCA_CONF_FIPS             "fips"
- #define IBMCA_CONF_FALLBACK_PROPS   "fallback-properties"
-@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
-     OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
-     OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
-     bool debug;
-+    const char *debug_path;
-     FILE *debug_file;
-     pid_t debug_pid;
-     pthread_mutex_t debug_mutex;
-diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
-index 7866f4e9..e8132a6b 100644
---- a/test/provider/openssl-test.cnf
-+++ b/test/provider/openssl-test.cnf
-@@ -16,6 +16,7 @@ identity = ibmca
- module = ibmca-provider.so
- activate = 1
- #debug = yes
-+#debug-path = /dir/to/debug/directory
- #fips=yes
- #algorithms = RSA,EC,DH
- algorithms = ALL

openssl-ibmca.spec

@@ -8,23 +8,13 @@
 
 Summary: OpenSSL engine and provider for IBMCA
 Name: openssl-ibmca
-Version: 2.4.0
-Release: 4%{?dist}
+Version: 2.4.1
+Release: 1%{?dist}
 License: ASL 2.0
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 # warn the user about engine being deprecated
 Patch1: %{name}-2.3.1-engine-warning.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2221894
-# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0
-Patch2: %{name}-2.4.0-engine-defaults.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2222878
-# https://github.com/opencryptoki/openssl-ibmca/commit/f8a60b6678b1eb3ccadcb31f36bf7961ed8d5a9a
-# https://github.com/opencryptoki/openssl-ibmca/commit/acba1d936bd84c7090ed7d3849b0bab3c7f18da0
-# https://github.com/opencryptoki/openssl-ibmca/commit/67efa9ad713e8283cb20111a15629f15a8ea8c86
-Patch3: %{name}-2.4.0-rsa-me.patch
-# https://github.com/opencryptoki/openssl-ibmca/commit/2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4
-Patch4: %{name}-2.4.0-log-into-tmp.patch
 Requires: libica >= 4.0.0
 BuildRequires: make
 BuildRequires: gcc
@@ -87,6 +77,10 @@ make check
 
 
 %changelog
+* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
+- updated to 2.4.1 (RHEL-11414)
+- Resolves: RHEL-11414
+
 * Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
 - provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
 - provider: Default debug directory to /tmp but make it configurable (#2160084)

sources

@@ -1 +1 @@
-SHA512 (openssl-ibmca-2.4.0.tar.gz) = ec886a89e6537bcda5f40c96dd66a6b3e19563c006434e65e5da7b3bdf7526a1cca7b454d3da1df2455625ffd970a9093ca4a0c7deb5e32e69bed9575f20f811
+SHA512 (openssl-ibmca-2.4.1.tar.gz) = e48b3fae04b0169001c52b1b959a855314f2e7314c6bd9df5ae31dc4a23525619ccca8c3465bad2966a63e32e3fe2c8f05ede84f8bf3d08386c7898d238331a6