rpms/openssl-ibmca
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import openssl-ibmca-2.3.0-1.el9_1.1

Browse Source
This commit is contained in:
CentOS Sources 2023-02-28 07:53:55 +00:00 committed by Stepan Oksanichenko
parent bec385aa3b
commit aef68a24e6
2 changed files with 125 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
SOURCES/openssl-ibmca-2.3.0-provider-config.patch Normal file
View File

@ -0,0 +1,117 @@
From 072e32bb199ff772148f1cbe0b2faadf9ab33c12 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 27 Oct 2022 16:13:01 +0200
Subject: [PATCH 1/2] provider: Fix configuration script
Small typo in the configuration script created an invalid configuration.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/provider/ibmca-provider-opensslconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
index 21ed6f6..d45428e 100755
--- a/src/provider/ibmca-provider-opensslconfig
+++ b/src/provider/ibmca-provider-opensslconfig
@@ -83,7 +83,7 @@ sub generate()
}
if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
print $oh "ibmca_provider = ibmca_provider_section\n";
- print $oh # Make sure that you have configured and activated at least one other provider!\n";
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
print "WARNING: The IBMCA provider was added to section [$providersect].\n";
print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
}
--
2.39.0
From e90203dbc9bf0d9a4488af470adf11852860991a Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Wed, 2 Nov 2022 14:29:35 +0100
Subject: [PATCH 2/2] provider: Fix order of providers in configuration
Since libica requires a provider that supports HMAC to be loaded and
available, fix the order of providers loaded by our sample configuration
generator. The "default" provider has to come first such that libica can do
the file integrity test with a HMAC provided by this provider when being
loaded via the ibmca provider.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
src/provider/ibmca-provider-opensslconfig | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
index d45428e..d87fa8e 100755
--- a/src/provider/ibmca-provider-opensslconfig
+++ b/src/provider/ibmca-provider-opensslconfig
@@ -30,7 +30,7 @@ use warnings;
sub generate()
{
my ($osslconfpath);
- my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect);
+ my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect, $inprovidersect);
my ($inalgsect, $algsection);
$osslconfpath = `openssl version -d` || die "Please install openssl binary";
@@ -43,6 +43,7 @@ sub generate()
$defaultcnfsect = undef;
$indefaultsect = 0;
$providersect = undef;
+ $inprovidersect = 0;
while ($line = <$ih>) {
if ($line =~ /openssl_conf\s*=\s*(.*)/) {
$defaultcnfsect = $1;
@@ -67,13 +68,22 @@ sub generate()
} elsif ($inalgsect) {
if ($line =~ /\[\s*\w+\s*\]/) {
print $oh "default_properties = ?provider=ibmca\n";
+ $inalgsect = 0;
} elsif ($line =~ /^\s*default_properties\s*=\s*(\w+)\s*/) {
print $oh "default_properties = ?provider=ibmca\n";
print $oh "# The following was commented out by ibmca-provider-opensslconfig script\n";
print "WARNING: The default_properties in $algsection was modified by this script.\n";
$line = "# $line";
}
- }
+ } elsif ($inprovidersect) {
+ if ($line =~ /\[\s*\w+\s*\]/) {
+ $inprovidersect = 0;
+ print $oh "ibmca_provider = ibmca_provider_section\n";
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
+ print "WARNING: The IBMCA provider was added to section [$providersect].\n";
+ print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ }
+ }
print $oh "$line";
if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) {
$indefaultsect = 1;
@@ -81,11 +91,8 @@ sub generate()
if ($algsection && $line =~ /\[\s*$algsection\s*\]/) {
$inalgsect = 1;
}
- if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
- print $oh "ibmca_provider = ibmca_provider_section\n";
- print $oh "# Make sure that you have configured and activated at least one other provider!\n";
- print "WARNING: The IBMCA provider was added to section [$providersect].\n";
- print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
+ $inprovidersect = 1;
}
}
@@ -100,8 +107,8 @@ providers = provider_section
if (!$providersect) {
print $oh qq|
[provider_section]
-ibmca_provider = ibmca_provider_section
default = default_sect
+ibmca_provider = ibmca_provider_section
[default_sect]
activate = 1
--
2.39.0

9
SPECS/openssl-ibmca.spec
View File

@ -13,12 +13,15 @@
Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca
Version: 2.3.0
Release: 1%{?dist}
Release: 1%{?dist}.1
License: ASL 2.0
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# post GA fixes
Patch0: %{name}-%{version}-fixes.patch
# fix provider config script
# https://bugzilla.redhat.com/show_bug.cgi?id=2160761
Patch1: %{name}-2.3.0-provider-config.patch
Requires: libica >= 4.0.0
BuildRequires: make
BuildRequires: gcc
@ -80,6 +83,10 @@ make check
%changelog
* Wed Jan 18 2023 Dan Horák <dhorak@redhat.com> - 2.3.0-1.1
- fix provider config script (#2160761)
- Resolves: #2160761
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2044177)
- add provider for openssl 3.x (#2044185)