import CS openssl-ibmca-2.4.0-2.el9

2023-10-20 12:27:57 +00:00 · 2023-10-20 12:27:57 +00:00 · a1661c8192
commit a1661c8192
parent 6e9381b63d
5 changed files with 179 additions and 42 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/openssl-ibmca-2.3.1.tar.gz
+SOURCES/openssl-ibmca-2.4.0.tar.gz
--- a/.openssl-ibmca.metadata
+++ b/.openssl-ibmca.metadata
@ -1 +1 @@
-5e5ac182d30787788c94b5dcdf9a3a21d209bbaf SOURCES/openssl-ibmca-2.3.1.tar.gz
+d1361eec709c4b6d1760171ac077fa0d21f5a698 SOURCES/openssl-ibmca-2.4.0.tar.gz
--- a/SOURCES/openssl-ibmca-2.3.1-engine-warning.patch
+++ b/SOURCES/openssl-ibmca-2.3.1-engine-warning.patch
@ -0,0 +1,27 @@
+From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Fri, 13 Jan 2023 18:09:49 +0100
+Subject: [ibmca PATCH] warn the user when configuring the engine
+
+The engine feature is deprecated in OpenSSL 3.0 and will be removed.
+Thus warn the user and recommend using the provider instead.
+---
+ src/engine/ibmca-engine-opensslconfig.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
+index e4b168b..ec7fbfc 100644
+--- a/src/engine/ibmca-engine-opensslconfig.in
+++ b/src/engine/ibmca-engine-opensslconfig.in
+@@ -140,4 +140,8 @@ this file.
+ |;
+ }
+ 
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
+print "WARNING: It will be removed in the future.\n";
+print "WARNING: Please use the OpenSSL provider instead.\n";
+
+ generate();
+-- 
+2.39.0
+
--- a/SOURCES/openssl-ibmca-2.4.0-engine-defaults.patch
+++ b/SOURCES/openssl-ibmca-2.4.0-engine-defaults.patch
@ -0,0 +1,40 @@
+From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 19 Apr 2023 10:07:01 +0200
+Subject: [PATCH] engine: Only register those algos specified with
+ default_algorithms
+
+As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
+config file are loaded, and its algorithms (methods) are registered according
+to the default_algorithms setting.
+
+However, later during initialization, ENGINE_register_all_complete() is called
+which unconditionally registered all algorithms (methods) of the loaded engines
+again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.
+
+Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization
+to avoid unconditional registration of all algorithms. We only want to register
+algorithms specified in the default_algorithms configuration setting.
+
+Note that if the default_algorithms setting is omitted in the OpenSSL config
+file, then no algorithms will be registered.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/e_ibmca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
+index fe21897..6cbf745 100644
+--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
+@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e)
+         if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths))
+             goto out;
+ 
+    if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL))
+        goto out;
+
+     rc = 1;
+ out:
+     free(pmech_list);
--- a/SPECS/openssl-ibmca.spec
+++ b/SPECS/openssl-ibmca.spec
@ -1,23 +1,38 @@
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
+%global modulesdir %(pkg-config --variable=modulesdir libcrypto)

-Summary: A dynamic OpenSSL engine for IBMCA
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+%global with_openssl3 1
+%endif
+
+
+Summary: OpenSSL engine and provider for IBMCA
 Name: openssl-ibmca
-Version: 2.3.1
-Release: 1%{?dist}
+Version: 2.4.0
+Release: 2%{?dist}
 License: ASL 2.0
-Group: System Environment/Libraries
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-Requires: libica >= 3.8.0
+# post GA fixes
+#Patch0: %%{name}-%%{version}-fixes.patch
+# warn the user about engine being deprecated
+Patch1: %{name}-2.3.1-engine-warning.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2221894
+# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0
+Patch2: %{name}-2.4.0-engine-defaults.patch
+Requires: libica >= 4.0.0
+BuildRequires: make
 BuildRequires: gcc
-BuildRequires: libica-devel >= 3.8.0
+BuildRequires: libica-devel >= 4.0.0
 BuildRequires: automake libtool
-BuildRequires: openssl
+BuildRequires: openssl >= 3.0.5
+BuildRequires: perl(FindBin)
 ExclusiveArch: s390 s390x


 %description
-A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
+A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
+machines to accelerate cryptographic operations.


 %prep
@ -27,16 +42,22 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.


 %build
-%configure --libdir=%{enginesdir} --with-libica-version=3
-make %{?_smp_mflags}
+%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
+%make_build


 %install
 %make_install
-rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
+rm -f %{buildroot}%{enginesdir}/*.la
+
+%if 0%{?with_openssl3}
+# provider is built when openssl3 is available, fix its location
+mkdir -p %{buildroot}%{modulesdir}
+mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
+%endif

 pushd src/engine
-sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
+sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
 popd

 # remove generated sample configs
@ -49,48 +70,97 @@ make check

 %files
 %license LICENSE
-%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
+%doc ChangeLog README.md src/engine/openssl.cnf.sample
+%doc src/engine/ibmca-engine-opensslconfig
+%doc src/provider/ibmca-provider-opensslconfig
 %{enginesdir}/ibmca.so
 %{_mandir}/man5/ibmca.5*
+%if 0%{?with_openssl3}
+%{modulesdir}/ibmca-provider.so
+%{_mandir}/man5/ibmca-provider.5*
+%endif


 %changelog
-* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
- updated to 2.3.1 (#2110379)
- Resolves: #2110379
+* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
+- engine: Only register those algos specified with default_algorithms (#2221894)
+- Resolves: #2221894

-* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2043842)
- Resolves: #2043842
+* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
+- updated to 2.4.0 (#2160084)
+- Resolves: #2160084

-* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
- updated to 2.2.1 (#1984971)
- Resolves: #1984971
+* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
+- fix provider configuration script (#2140028)
+- Resolves: #2140028
+
+* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
+- updated to 2.3.1 (#2110378)
+- Resolves: #2110378
+
+* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
+- updated to 2.3.0 (#2044177)
+- add provider for openssl 3.x (#2044185)
+- Resolves: #2044177 #2044185
+
+* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
+- updated to 2.2.2 (#2016989)
+- Resolves: #2016989
+
+* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
+- updated to 2.2.1 (#2016989)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

 * Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
- fix DSA and DH registration (#1989064)
- Resolves: #1989064
+- fix DSA and DH registration (#1989380)
+- Resolves: #1989380

-* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
- updated to 2.2.0 (#1919222)
- do not use libica software fallbacks (#1922204)
- Resolves: #1919222 #1922204
+* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
+- updated to 2.2.0 (#1869531)
+- eliminate SW fallback functions (#1924117)
+- Resolves: #1869531 #1924117

-* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
- updated to 2.1.1 (#1780306)
- Resolves: #1780306
+* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
+- updated to 2.1.2

-* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
- updated to 2.1.0 (#1726242)
- Resolves: #1726242, #1723854
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

-* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
- updated to 2.0.3 (#1666622)
- Resolves: #1666622 #1659427 #1683099
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

-* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
- Fix doing rsa-me, altough rsa-crt would be possible
- Resolves: #1655654
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
+- updated to 2.1.1
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
+- updated to 2.1.0
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
+- updated to 2.0.3
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
+- updated to 2.0.2
+
+* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
+- run upstream test-suite during build
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

 * Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
 - updated to 2.0.0