import openssl-ibmca-2.2.0-3.el9
commit
98e8f891b5
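--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/openssl-ibmca-2.2.0.tar.gz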
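--- /dev/null
+++ b/.openssl-ibmca.metadata
@@ -0,0 +1 @@
+9046d41ba698ef6a493bd0807d7456138c9ab436 SOURCES/openssl-ibmca-2.2.0.tar.gz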
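--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.2.0-eckey.patch
@@ -0,0 +1,31 @@
+From 34965d85fecd73bbd750e63a29d6db743759d240 Mon Sep 17 00:00:00 2001
+From: Juergen Christ <jchrist@linux.ibm.com>
+Date: Mon, 31 May 2021 18:00:07 +0200
+Subject: [PATCH] Skip eckey test if needed.
+
+Without crypto cards on a machine < z15, ibmca might not register with the
+EC_KEY subsystem of OpenSSL. In these cases, the eckey test should be skipped
+since it is doomed to fail.
+
+Fixes #69.
+
+Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
+---
+test/eckey.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/test/eckey.c b/test/eckey.c
+index 35b3df2..6d0870b 100644
+--- a/test/eckey.c
++++ b/test/eckey.c
+@@ -44,6 +44,10 @@ int check_eckey(int nid, const char *name)
+fprintf(stderr, "ibmca engine not loaded\n");
+goto out;
+}
++ if (ENGINE_get_EC(engine) == NULL) {
++ fprintf(stderr, "ibmca does not support EC_KEY. Skipping...\n");
++ exit(77);
++ }
+eckey = EC_KEY_new_by_curve_name(nid);
+if (eckey == NULL) {
+/* curve not supported => test passed */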
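Review bot: The added `exit(77);` in `check_eckey` leaves the process directly instead of going through the `out:` label that the engine-not-loaded branch just above it uses, and the value 77 is not explained anywhere in the hunk. 77 is the exit status the automake test harness reports as SKIP, so with `make check` in the spec's `%check` a build host where ibmca does not register EC_KEY still passes the build while the EC path stays untested. A comment on the new branch would make that visible to the next reader, for example `/* 77 = automake SKIP: EC_KEY path is not exercised on this host */`. The body of `check_eckey` starts and ends outside the hunk, so what `out:` actually releases cannot be confirmed from here.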
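--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.2.0-fix-registration.patch
@@ -0,0 +1,105 @@
+From 1ab83f99db06ec1f4022d93c9123921c13f67e20 Mon Sep 17 00:00:00 2001
+From: Juergen Christ <jchrist@linux.ibm.com>
+Date: Thu, 29 Jul 2021 17:38:59 +0200
+Subject: [PATCH] Fix DSA and DH registration.
+
+DSA does not provide backups by default.
+
+Also fix typo in DH initialization.
+
+Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
+---
+src/ibmca_dh.c | 2 +-
+src/ibmca_dsa.c | 26 ++++----------------------
+2 files changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/ibmca_dh.c b/src/ibmca_dh.c
+index 2459cf1..b2b75a9 100644
+--- a/src/ibmca_dh.c
++++ b/src/ibmca_dh.c
+@@ -72,7 +72,7 @@ DH_METHOD *ibmca_dh(void)
+
+if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
+|| (meth1 = DH_OpenSSL()) == NULL
+- || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(method)) == NULL
++ || (ibmca_mod_exp_dh_backup = DH_meth_get_bn_mod_exp(meth1)) == NULL
+|| !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
+|| !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
+|| !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)
+diff --git a/src/ibmca_dsa.c b/src/ibmca_dsa.c
+index f5bf4e4..3b5ac87 100644
+--- a/src/ibmca_dsa.c
++++ b/src/ibmca_dsa.c
+@@ -28,18 +28,10 @@
+* RSA. Just check out the "signs" statistics from the RSA and DSA parts
+* of "openssl speed -engine ibmca dsa1024 rsa1024". */
+#ifdef OLDER_OPENSSL
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+- BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+- BIGNUM *m, BN_CTX *ctx,
+- BN_MONT_CTX *in_mont);
+static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
+BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+#else
+-static int (*ibmca_dsa_mod_exp_backup)(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+- const BIGNUM *p1, const BIGNUM *a2,
+- const BIGNUM *p2, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+const BIGNUM *p1, const BIGNUM *a2,
+const BIGNUM *p2, const BIGNUM *m,
+@@ -65,31 +57,25 @@ static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
+end:
+BN_free(t);
+
+- if (!to_return && ibmca_dsa_mod_exp_backup)
+- return ibmca_dsa_mod_exp_backup(dsa, rr, a1, p1, a2, p2, m, ctx, in_mont);
++ if (!to_return)
++ return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+return to_return;
+}
+
+#ifdef OLDER_OPENSSL
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+const BIGNUM *p, const BIGNUM *m,
+BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+#else
+-static int (*ibmca_mod_exp_dsa_backup)(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+- const BIGNUM *p, const BIGNUM *m,
+- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
+const BIGNUM *p, const BIGNUM *m,
+BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+#endif
+{
+- if (!ibmca_mod_exp(r, a, p, m, ctx) && ibmca_mod_exp_dsa_backup)
+- return ibmca_mod_exp_dsa_backup(dsa, r, a, p, m, ctx, m_ctx);
++ if (!ibmca_mod_exp(r, a, p, m, ctx))
++ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+return 1;
+}
+
+@@ -112,8 +98,6 @@ DSA_METHOD *ibmca_dsa(void)
+{
+const DSA_METHOD *meth1 = DSA_OpenSSL();
+
+- ibmca_dsa_mod_exp_backup = dsa->dsa_mod_exp;
+- ibmca_mod_exp_dsa_backup = dsa->bn_mod_exp;
+dsa_m.dsa_do_sign = meth1->dsa_do_sign;
+dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
+dsa_m.dsa_do_verify = meth1->dsa_do_verify;
+@@ -133,8 +117,6 @@ DSA_METHOD *ibmca_dsa(void)
+
+if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
+|| (meth1 = DSA_OpenSSL()) == NULL
+- || (ibmca_dsa_mod_exp_backup = DSA_meth_get_mod_exp(meth1)) == NULL
+- || (ibmca_mod_exp_dsa_backup = DSA_meth_get_bn_mod_exp(meth1)) == NULL
+|| !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
+|| !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
+|| !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))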
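Review bot: The new fallbacks in `ibmca_dsa_mod_exp` (`return BN_mod_exp2_mont(...)`) and `ibmca_mod_exp_dsa` (`return BN_mod_exp_mont(...)`) switch from the hardware path to OpenSSL's software path on any failure without leaving a trace, and neither branch carries a comment saying so. An operator who deploys this engine for hardware-backed DSA cannot tell from these lines which path actually ran, so each branch deserves at least a comment such as `/* hardware mod-exp failed: fall back to OpenSSL software implementation */`, and possibly a debug message if the engine has a logging facility. `BN_mod_exp_mont` only selects its constant-time variant when `BN_FLG_CONSTTIME` is set on an operand; whether secret exponents can reach `ibmca_mod_exp_dsa` without that flag depends on callers outside these hunks and is worth confirming. Both function bodies begin outside the hunks shown.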
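--- /dev/null
+++ b/SPECS/openssl-ibmca.spec
@@ -0,0 +1,222 @@
+%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
+
+Summary: A dynamic OpenSSL engine for IBMCA
+Name: openssl-ibmca
+Version: 2.2.0
+Release: 3%{?dist}
+License: ASL 2.0
+URL: https://github.com/opencryptoki
+Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+# https://github.com/opencryptoki/openssl-ibmca/commit/34965d85fecd73bbd750e63a29d6db743759d240
+Patch0: openssl-ibmca-2.2.0-eckey.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1989380
+# https://github.com/opencryptoki/openssl-ibmca/commit/1ab83f99db06ec1f4022d93c9123921c13f67e20
+Patch1: openssl-ibmca-2.2.0-fix-registration.patch
+Requires: libica >= 3.8.0
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: libica-devel >= 3.8.0
+BuildRequires: automake libtool
+BuildRequires: openssl
+ExclusiveArch: s390 s390x
+
+
+%description
+A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
+
+
+%prep
+%autosetup -p1
+
+./bootstrap.sh
+
+
+%build
+%configure --libdir=%{enginesdir} --with-libica-cex
+%make_build
+
+
+%install
+%make_install
+rm -f %{buildroot}%{enginesdir}/*.la
+
+pushd src
+sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
+popd
+
+# remove generated sample configs
+rm -rf %{buildroot}%{_datadir}/%{name}
+
+
+%check
+make check
+
+
+%files
+%license LICENSE
+%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} src/gensamplecfg.pl
+%{enginesdir}/ibmca.so
+%{_mandir}/man5/ibmca.5*
+
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+Related: rhbz#1991688
+
+* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
+- fix DSA and DH registration (#1989380)
+- Resolves: #1989380
+
+* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
+- updated to 2.2.0 (#1869531)
+- eliminate SW fallback functions (#1924117)
+- Resolves: #1869531 #1924117
+
+* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
+- updated to 2.1.2
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
+- updated to 2.1.1
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
+- updated to 2.1.0
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
+- updated to 2.0.3
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
+- updated to 2.0.2
+
+* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
+- run upstream test-suite during build
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
+- updated to 2.0.0
+
+* Fri Feb 23 2018 Dan Horák <dan@danny.cz> - 1.4.1-1
+- updated to 1.4.1
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 24 2018 Dan Horák <dan@danny.cz> - 1.4.0-2
+- update engine filename
+- spec cleanup
+
+* Mon Sep 11 2017 Dan Horák <dan@danny.cz> - 1.4.0-1
+- updated to 1.4.0
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Dan Horák <dan@danny.cz> - 1.3.1-1
+- updated to 1.3.1 and OpenSSL 1.1
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Nov 05 2014 Dan Horák <dan@danny.cz> - 1.2.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed Mar 19 2014 Dan Horák <dan[at]danny.cz - 1.2.0-8
+- Set proper key signature flag (#1075474)
+
+* Fri Mar 14 2014 Dan Horák <dan[at]danny.cz - 1.2.0-7
+- Fix multilib conflict in sample config file (#1076423)
+- Fixed message digest length definition in sha256 template (#1074976)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Apr 20 2012 Dan Horák <dan[at]danny.cz - 1.2.0-3
+- make the libica dependecies versioned
+- fix segfaults in OFB mode (#749638)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz - 1.2.0-1
+- update to 1.2.0
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Apr 22 2010 Dan Horák <dhorak@redhat.com> - 1.1-2
+- fixed opening of the libica library (#584765)
+- Resolves: #584765
+
+* Thu Mar 4 2010 Dan Horák <dhorak@redhat.com> - 1.1-1
+- rebased to 1.1 instead of patching
+- Resolves: #568847
+
+* Thu Feb 18 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-5
+- added patch with port to libica 2.x API
+- Related: #543948
+
+* Wed Feb 10 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-4
+- added explicit dependency on libica, because it's dlopened
+- Related: #543948
+
+* Tue Jan 12 2010 Dan Horák <dhorak@redhat.com> - 1.0.0-3
+- rebuild
+- Related: #543948
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 9 2009 Dan Horak <dan[at]danny.cz - 1.0.0-1
+- update to final 1.0.0
+- spec file cleanup
+
+* Thu Jun 21 2007 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.4
+- Fixed several issues with failure of using ibmca engine (#227644)
+
+* Tue Dec 12 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.3
+- Added missing symlinks for libs (#215735)
+- Added samle config file (#215735)
+
+* Thu Nov 23 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2-1.el5.2
+- Necessary fix so openssl finds the module properly (#215735)
+
+* Thu May 11 2006 Phil Knirsch <pknirsch@redhat.com> - 1.0.0rc2
+- Initial package.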
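Review bot: The first line, `%global enginesdir %(pkg-config --variable=enginesdir libcrypto)`, depends on pkg-config and the libcrypto `.pc` file being present, yet the BuildRequires list names only `openssl`; presumably `libica-devel` pulls the development package in transitively. If the lookup returns nothing, `--libdir=%{enginesdir}`, `rm -f %{buildroot}%{enginesdir}/*.la` and `%{enginesdir}/ibmca.so` all expand with an empty prefix, so the engine would be built for and packaged at an unintended path. Declaring the dependency explicitly, `BuildRequires: openssl-devel`, removes the reliance on another package's dependency chain. A short comment above the `%global` line saying that the engine directory is taken from the installed libcrypto would also help the next packager.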