diff --git a/.gitignore b/.gitignore
index be7d21a..0d89bbd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openssl-ibmca-2.3.1.tar.gz
+SOURCES/openssl-ibmca-2.4.0.tar.gz
diff --git a/.openssl-ibmca.metadata b/.openssl-ibmca.metadata
index aa192b9..888dcd4 100644
--- a/.openssl-ibmca.metadata
+++ b/.openssl-ibmca.metadata
@@ -1 +1 @@
-5e5ac182d30787788c94b5dcdf9a3a21d209bbaf SOURCES/openssl-ibmca-2.3.1.tar.gz
+d1361eec709c4b6d1760171ac077fa0d21f5a698 SOURCES/openssl-ibmca-2.4.0.tar.gz
diff --git a/SOURCES/openssl-ibmca-2.3.1-engine-warning.patch b/SOURCES/openssl-ibmca-2.3.1-engine-warning.patch
new file mode 100644
index 0000000..c4d4aec
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.3.1-engine-warning.patch
@@ -0,0 +1,27 @@
+From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Fri, 13 Jan 2023 18:09:49 +0100
+Subject: [ibmca PATCH] warn the user when configuring the engine
+
+The engine feature is deprecated in OpenSSL 3.0 and will be removed.
+Thus warn the user and recommend using the provider instead.
+---
+ src/engine/ibmca-engine-opensslconfig.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
+index e4b168b..ec7fbfc 100644
+--- a/src/engine/ibmca-engine-opensslconfig.in
++++ b/src/engine/ibmca-engine-opensslconfig.in
+@@ -140,4 +140,8 @@ this file.
+ |;
+ }
+
++print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
++print "WARNING: It will be removed in the future.\n";
++print "WARNING: Please use the OpenSSL provider instead.\n";
++
+ generate();
+--
+2.39.0
+
diff --git a/SOURCES/openssl-ibmca-2.4.0-engine-defaults.patch b/SOURCES/openssl-ibmca-2.4.0-engine-defaults.patch
new file mode 100644
index 0000000..40785b6
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.4.0-engine-defaults.patch
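Review bot: The three deprecation warnings added before `generate();` in ibmca-engine-opensslconfig.in are emitted with plain `print`, which writes to the currently selected handle (STDOUT by default), so they mix with the script's regular output and disappear when stdout is redirected or captured. Diagnostics of this kind belong on STDERR, e.g. `print STDERR "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";` for each of the three lines. The rest of the script lies outside the hunk, so what else it writes to stdout is not visible here.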
@@ -0,0 +1,40 @@
+From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Wed, 19 Apr 2023 10:07:01 +0200
+Subject: [PATCH] engine: Only register those algos specified with
+ default_algorithms
+
+As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
+config file are loaded, and its algorithms (methods) are registered according
+to the default_algorithms setting.
+
+However, later during initialization, ENGINE_register_all_complete() is called
+which unconditionally registered all algorithms (methods) of the loaded engines
+again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.
+
+Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization
+to avoid unconditional registration of all algorithms. We only want to register
+algorithms specified in the default_algorithms configuration setting.
+
+Note that if the default_algorithms setting is omitted in the OpenSSL config
+file, then no algorithms will be registered.
+
+Signed-off-by: Ingo Franzki
+---
+ src/engine/e_ibmca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
+index fe21897..6cbf745 100644
+--- a/src/engine/e_ibmca.c
++++ b/src/engine/e_ibmca.c
+@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e)
+ if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths))
+ goto out;
+
++ if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL))
++ goto out;
++
+ rc = 1;
+ out:
+ free(pmech_list);
diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec
index b703db1..e635b32 100644
--- a/SPECS/openssl-ibmca.spec
+++ b/SPECS/openssl-ibmca.spec
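Review bot: `ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)` in set_supported_meths() replaces the engine's whole flag word instead of adding one bit, so any flag set on `e` earlier would be dropped; `if (!ENGINE_set_flags(e, ENGINE_get_flags(e) | ENGINE_FLAGS_NO_REGISTER_ALL))` preserves existing flags. No other flag is set in the visible lines and the function body extends outside the hunk, so this may be harmless today. Separately, the commit message states that a config without default_algorithms now registers no algorithms at all; after the upgrade such hosts would presumably fall back to OpenSSL's built-in implementations without any error. That behaviour change deserves an explicit line in the package changelog or the sample openssl.cnf so administrators check their default_algorithms setting.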
@@ -1,23 +1,38 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) +%global modulesdir %(pkg-config --variable=modulesdir libcrypto) -Summary: A dynamic OpenSSL engine for IBMCA +%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 +%global with_openssl3 1 +%endif + + +Summary: OpenSSL engine and provider for IBMCA Name: openssl-ibmca -Version: 2.3.1 -Release: 1%{?dist} +Version: 2.4.0 +Release: 2%{?dist} License: ASL 2.0 -Group: System Environment/Libraries URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -Requires: libica >= 3.8.0 +# post GA fixes +#Patch0: %%{name}-%%{version}-fixes.patch +# warn the user about engine being deprecated +Patch1: %{name}-2.3.1-engine-warning.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2221894 +# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0 +Patch2: %{name}-2.4.0-engine-defaults.patch +Requires: libica >= 4.0.0 +BuildRequires: make BuildRequires: gcc -BuildRequires: libica-devel >= 3.8.0 +BuildRequires: libica-devel >= 4.0.0 BuildRequires: automake libtool -BuildRequires: openssl +BuildRequires: openssl >= 3.0.5 +BuildRequires: perl(FindBin) ExclusiveArch: s390 s390x %description -A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines. +A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z +machines to accelerate cryptographic operations. %prep 
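Review bot: `BuildRequires: openssl >= 3.0.5` is unconditional while `with_openssl3` is defined only under `%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9`, so the spec disagrees with itself about whether a build against OpenSSL 1.1 is supported. The same mismatch appears in the %files hunk, where `%doc src/provider/ibmca-provider-opensslconfig` sits outside the `%if 0%{?with_openssl3}` guard that covers ibmca-provider.so and its man page. Either drop the conditional, or move the versioned BuildRequires and the provider %doc line inside it. Patch1 and Patch2 are declared in this hunk but %prep lies outside it, so confirm that both are actually applied there.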
@@ -27,16 +42,22 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines. %build -%configure --libdir=%{enginesdir} --with-libica-version=3 -make %{?_smp_mflags} +%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4 +%make_build %install %make_install -rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la +rm -f %{buildroot}%{enginesdir}/*.la + +%if 0%{?with_openssl3} +# provider is built when openssl3 is available, fix its location +mkdir -p %{buildroot}%{modulesdir} +mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so +%endif pushd src/engine -sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample popd # remove generated sample configs 
@@ -49,48 +70,97 @@ make check %files %license LICENSE -%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch} +%doc ChangeLog README.md src/engine/openssl.cnf.sample +%doc src/engine/ibmca-engine-opensslconfig +%doc src/provider/ibmca-provider-opensslconfig %{enginesdir}/ibmca.so %{_mandir}/man5/ibmca.5* +%if 0%{?with_openssl3} +%{modulesdir}/ibmca-provider.so +%{_mandir}/man5/ibmca-provider.5* +%endif %changelog -* Fri Jan 06 2023 Dan Horák - 2.3.1-1 -- updated to 2.3.1 (#2110379) -- Resolves: #2110379 +* Tue Jul 11 2023 Dan Horák - 2.4.0-2 +- engine: Only register those algos specified with default_algorithms (#2221894) +- Resolves: #2221894 -* Tue Mar 29 2022 Dan Horák - 2.3.0-1 -- updated to 2.3.0 (#2043842) -- Resolves: #2043842 +* Thu Apr 06 2023 Dan Horák - 2.4.0-1 +- updated to 2.4.0 (#2160084) +- Resolves: #2160084 -* Wed Oct 06 2021 Dan Horák - 2.2.1-1 -- updated to 2.2.1 (#1984971) -- Resolves: #1984971 +* Fri Jan 13 2023 Dan Horák - 2.3.1-2 +- fix provider configuration script (#2140028) +- Resolves: #2140028 + +* Thu Jan 12 2023 Dan Horák - 2.3.1-1 +- updated to 2.3.1 (#2110378) +- Resolves: #2110378 + +* Thu May 19 2022 Dan Horák - 2.3.0-1 +- updated to 2.3.0 (#2044177) +- add provider for openssl 3.x (#2044185) +- Resolves: #2044177 #2044185 + +* Wed Feb 02 2022 Dan Horák - 2.2.2-1 +- updated to 2.2.2 (#2016989) +- Resolves: #2016989 + +* Mon Oct 25 2021 Dan Horák - 2.2.1-1 +- updated to 2.2.1 (#2016989) + +* Mon Aug 09 2021 Mohan Boddu - 2.2.0-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 * Mon Aug 09 2021 Dan Horák - 2.2.0-2 -- fix DSA and DH registration (#1989064) -- Resolves: #1989064 +- fix DSA and DH registration (#1989380) +- Resolves: #1989380 -* Tue Jul 13 2021 Dan Horák - 2.2.0-1 -- updated to 2.2.0 (#1919222) -- do not use libica software fallbacks (#1922204) -- Resolves: #1919222 #1922204 +* Fri Jun 04 2021 Dan Horák - 2.2.0-1 +- updated to 2.2.0 (#1869531) +- eliminate SW fallback functions 
(#1924117) +- Resolves: #1869531 #1924117 -* Thu May 21 2020 Dan Horák - 2.1.1-1 -- updated to 2.1.1 (#1780306) -- Resolves: #1780306 +* Wed May 12 2021 Dan Horák - 2.1.2-1 +- updated to 2.1.2 -* Tue Nov 05 2019 Dan Horák - 2.1.0-1 -- updated to 2.1.0 (#1726242) -- Resolves: #1726242, #1723854 +* Fri Apr 16 2021 Mohan Boddu - 2.1.1-4 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 -* Mon Apr 29 2019 Dan Horák - 2.0.3-1 -- updated to 2.0.3 (#1666622) -- Resolves: #1666622 #1659427 #1683099 +* Tue Jan 26 2021 Fedora Release Engineering - 2.1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Tue Dec 11 2018 Dan Horák - 2.0.0-2 -- Fix doing rsa-me, altough rsa-crt would be possible -- Resolves: #1655654 +* Tue Jul 28 2020 Fedora Release Engineering - 2.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 12 2020 Dan Horák - 2.1.1-1 +- updated to 2.1.1 + +* Wed Jan 29 2020 Fedora Release Engineering - 2.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Sep 09 2019 Dan Horák - 2.1.0-1 +- updated to 2.1.0 + +* Thu Jul 25 2019 Fedora Release Engineering - 2.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Apr 24 2019 Dan Horák - 2.0.3-1 +- updated to 2.0.3 + +* Fri Feb 01 2019 Fedora Release Engineering - 2.0.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Dec 13 2018 Dan Horák - 2.0.2-1 +- updated to 2.0.2 + +* Thu Aug 23 2018 Dan Horák - 2.0.0-3 +- run upstream test-suite during build + +* Fri Jul 13 2018 Fedora Release Engineering - 2.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Mon Jun 18 2018 Dan Horák - 2.0.0-1 - updated to 2.0.0