diff --git a/SOURCES/openssl-ibmca-2.3.0-provider-config.patch b/SOURCES/openssl-ibmca-2.3.0-provider-config.patch
new file mode 100644
index 0000000..1aaef50
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.3.0-provider-config.patch
@@ -0,0 +1,117 @@
+From 072e32bb199ff772148f1cbe0b2faadf9ab33c12 Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Thu, 27 Oct 2022 16:13:01 +0200
+Subject: [PATCH 1/2] provider: Fix configuration script
+
+Small typo in the configuration script created an invalid configuration.
+
+Signed-off-by: Juergen Christ
+---
+ src/provider/ibmca-provider-opensslconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
+index 21ed6f6..d45428e 100755
+--- a/src/provider/ibmca-provider-opensslconfig
++++ b/src/provider/ibmca-provider-opensslconfig
+@@ -83,7 +83,7 @@ sub generate()
+ }
+ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
+ print $oh "ibmca_provider = ibmca_provider_section\n";
+- print $oh # Make sure that you have configured and activated at least one other provider!\n";
++ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
+ print "WARNING: The IBMCA provider was added to section [$providersect].\n";
+ print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ }
+--
+2.39.0
+
+
+From e90203dbc9bf0d9a4488af470adf11852860991a Mon Sep 17 00:00:00 2001
+From: Juergen Christ
+Date: Wed, 2 Nov 2022 14:29:35 +0100
+Subject: [PATCH 2/2] provider: Fix order of providers in configuration
+
+Since libica requires a provider that supports HMAC to be loaded and
+available, fix the order of providers loaded by our sample configuration
+generator. The "default" provider has to come first such that libica can do
+the file integrity test with a HMAC provided by this provider when being
+loaded via the ibmca provider.
+ +Signed-off-by: Juergen Christ +--- + src/provider/ibmca-provider-opensslconfig | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig +index d45428e..d87fa8e 100755 +--- a/src/provider/ibmca-provider-opensslconfig ++++ b/src/provider/ibmca-provider-opensslconfig +@@ -30,7 +30,7 @@ use warnings; + sub generate() + { + my ($osslconfpath); +- my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect); ++ my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect, $inprovidersect); + my ($inalgsect, $algsection); + + $osslconfpath = `openssl version -d` || die "Please install openssl binary"; +@@ -43,6 +43,7 @@ sub generate() + $defaultcnfsect = undef; + $indefaultsect = 0; + $providersect = undef; ++ $inprovidersect = 0; + while ($line = <$ih>) { + if ($line =~ /openssl_conf\s*=\s*(.*)/) { + $defaultcnfsect = $1; +@@ -67,13 +68,22 @@ sub generate() + } elsif ($inalgsect) { + if ($line =~ /\[\s*\w+\s*\]/) { + print $oh "default_properties = ?provider=ibmca\n"; ++ $inalgsect = 0; + } elsif ($line =~ /^\s*default_properties\s*=\s*(\w+)\s*/) { + print $oh "default_properties = ?provider=ibmca\n"; + print $oh "# The following was commented out by ibmca-provider-opensslconfig script\n"; + print "WARNING: The default_properties in $algsection was modified by this script.\n"; + $line = "# $line"; + } +- } ++ } elsif ($inprovidersect) { ++ if ($line =~ /\[\s*\w+\s*\]/) { ++ $inprovidersect = 0; ++ print $oh "ibmca_provider = ibmca_provider_section\n"; ++ print $oh "# Make sure that you have configured and activated at least one other provider!\n"; ++ print "WARNING: The IBMCA provider was added to section [$providersect].\n"; ++ print "Make sure that you have configured and activated at least one other provider, e.g. 
the default provider!\n"; ++ } ++ } + print $oh "$line"; + if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) { + $indefaultsect = 1; +@@ -81,11 +91,8 @@ sub generate() + if ($algsection && $line =~ /\[\s*$algsection\s*\]/) { + $inalgsect = 1; + } +- if ($providersect && $line =~ /\[\s*$providersect\s*\]/) { +- print $oh "ibmca_provider = ibmca_provider_section\n"; +- print $oh "# Make sure that you have configured and activated at least one other provider!\n"; +- print "WARNING: The IBMCA provider was added to section [$providersect].\n"; +- print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n"; ++ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) { ++ $inprovidersect = 1; + } + } + +@@ -100,8 +107,8 @@ providers = provider_section + if (!$providersect) { + print $oh qq| + [provider_section] +-ibmca_provider = ibmca_provider_section + default = default_sect ++ibmca_provider = ibmca_provider_section + + [default_sect] + activate = 1 +-- +2.39.0 + diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec index f401ce3..97f0f13 100644 --- a/SPECS/openssl-ibmca.spec +++ b/SPECS/openssl-ibmca.spec @@ -13,12 +13,15 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca Version: 2.3.0 -Release: 1%{?dist} +Release: 1%{?dist}.1 License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # post GA fixes Patch0: %{name}-%{version}-fixes.patch +# fix provider config script +# https://bugzilla.redhat.com/show_bug.cgi?id=2160761 +Patch1: %{name}-2.3.0-provider-config.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc @@ -80,6 +83,10 @@ make check %changelog +* Wed Jan 18 2023 Dan Horák - 2.3.0-1.1 +- fix provider config script (#2160761) +- Resolves: #2160761 + * Thu May 19 2022 Dan Horák - 2.3.0-1 - updated to 2.3.0 (#2044177) - add provider for openssl 3.x (#2044185)
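Review bot: In the new `elsif ($inprovidersect)` branch of the second embedded patch (inner hunk `@@ -67,13 +68,22 @@`), `ibmca_provider = ibmca_provider_section` is written only when a later section header is read, so an openssl.cnf whose provider section is the last section in the file would get no ibmca entry and no warning, unless code after the `while` loop (not visible in these hunks) handles it. A post-loop fallback such as `if ($inprovidersect) { print $oh "ibmca_provider = ibmca_provider_section\n"; }` would cover that case. The header test `/\[\s*\w+\s*\]/` is also unanchored, so a comment or value line inside the provider section that contains `[name]` could end the section early and place the ibmca entry ahead of the remaining providers, which defeats the default-first ordering libica's HMAC integrity test depends on; `/^\s*\[\s*\w+\s*\]/` is stricter. generate() starts and ends outside the hunks shown.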