.gitignore

@@ -1 +1 @@
-SOURCES/openssl-ibmca-2.4.1.tar.gz
+SOURCES/openssl-ibmca-2.5.0.tar.gz

.openssl-ibmca.metadata

@@ -0,0 +1 @@
+cf856afc3c70973f0766aa8e107c95d35912f0f3 SOURCES/openssl-ibmca-2.5.0.tar.gz

SOURCES/openssl-ibmca-2.3.1-engine-warning.patch

@@ -0,0 +1,27 @@
+From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Fri, 13 Jan 2023 18:09:49 +0100
+Subject: [ibmca PATCH] warn the user when configuring the engine
+
+The engine feature is deprecated in OpenSSL 3.0 and will be removed.
+Thus warn the user and recommend using the provider instead.
+---
+ src/engine/ibmca-engine-opensslconfig.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
+index e4b168b..ec7fbfc 100644
+--- a/src/engine/ibmca-engine-opensslconfig.in
++++ b/src/engine/ibmca-engine-opensslconfig.in
+@@ -140,4 +140,8 @@ this file.
+ |;
+ }
+ 
++print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
++print "WARNING: It will be removed in the future.\n";
++print "WARNING: Please use the OpenSSL provider instead.\n";
++
+ generate();
+-- 
+2.39.0
+

SOURCES/openssl-ibmca-2.5.0-fixes.patch

@@ -0,0 +1,137 @@
+From 7f798a4a525fcd4cc03360ad8867a856961b8556 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 16 Apr 2025 10:43:23 +0200
+Subject: [PATCH 1/2] TRAVIS: Make sure to produce output for long taking steps
+
+Avoid errors like "No output has been received in the last 10m0s, this
+potentially indicates a stalled build or something wrong with the build
+itself."
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ .travis.yml | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/.travis.yml b/.travis.yml
+index 42fc99f..a7d6e53 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -5,7 +5,7 @@ language: c
+ 
+ before_install:
+     - sudo apt-get -qq update
+-    - sudo apt-get install -y libica3 libica-dev
++    - sudo apt-get install -y libica3 libica-dev pv
+ 
+ jobs:
+     include:
+@@ -19,26 +19,26 @@ before_script:
+     - git clone https://github.com/openssl/openssl.git
+     - pushd openssl
+     - git checkout master
+-    - ./config -w
+-    - make -j 5 -s
++    - ./config -w 2> >(tee)
++    - make -j 5 -s | pv -t -i 1 -f 2> >(tee)
+     - export OPENSSL_DIR=$PWD
+     - export PATH=$OPENSSL_DIR/apps/:$PATH
+     - export LD_LIBRARY_PATH=$OPENSSL_DIR/:$LD_LIBRARY_PATH
+     - popd
+-    - openssl version
++    - openssl version 2> >(tee)
+     - git clone https://github.com/opencryptoki/libica.git
+     - pushd libica
+-    - ./bootstrap.sh
+-    - ./configure CFLAGS="-I$OPENSSL_DIR/include -L$OPENSSL_DIR"
+-    - make -j 5 V=0
++    - ./bootstrap.sh 2> >(tee)
++    - ./configure CFLAGS="-I$OPENSSL_DIR/include -L$OPENSSL_DIR" 2> >(tee)
++    - make -j 5 V=0 2> >(tee)
+     - export LIBICA_DIR=$PWD
+     - export LD_LIBRARY_PATH=$LIBICA_DIR/src/.libs:$LD_LIBRARY_PATH
+     - popd
+-    - $LIBICA_DIR/src/icainfo
++    - $LIBICA_DIR/src/icainfo 2> >(tee)
+ 
+ script:
+-    - ./bootstrap.sh
+-    - ./configure CFLAGS="-I$OPENSSL_DIR/include -L$OPENSSL_DIR -I$LIBICA_DIR/include -L$LIBICA_DIR/src/.libs" $CONFIG_OPTS
+-    - make -j 5 V=0
+-    - make check V=0
++    - ./bootstrap.sh 2> >(tee)
++    - ./configure CFLAGS="-I$OPENSSL_DIR/include -L$OPENSSL_DIR -I$LIBICA_DIR/include -L$LIBICA_DIR/src/.libs" $CONFIG_OPTS 2> >(tee)
++    - make -j 5 V=0 2> >(tee)
++    - make check V=0 | pv -t -i 1 -f 2> >(tee)
+ 
+-- 
+2.52.0
+
+
+From 5c569950da3a592ba77974bb0cd1ffe7ad03372e Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 14 May 2025 15:22:11 +0200
+Subject: [PATCH 2/2] configure: Check for openssl/engine.h and disable engine
+ if not available
+
+Newer distributions do not install the include file openssl/engine.h anymore
+to actively hinder one from building and using engines.
+
+Check if openssl/engine.h exists, and only enable the engine build if so.
+If the engine is explicitly enabled via '--enable-engine' then the configure
+step fails with an error message. Otherwise the engine is silently disabled.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ configure.ac | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index c1b16f8..f8a435c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -31,13 +31,13 @@ AC_ARG_ENABLE([sanitizer],
+ 		[enable_sanitizer=no])
+ 
+ AC_ARG_ENABLE([engine],
+-		[AS_HELP_STRING([--enable-engine], [build IBMCA engine (OpenSSL 1.1.1, default is yes)])],
++		[AS_HELP_STRING([--enable-engine], [build IBMCA engine (OpenSSL >= 1.1.1, default is yes, if openssl/engine.h is available, else the default is false)])],
+ 		[if test "x$enableval" = "xyes" ; then
+ 			enable_engine="yes"
+ 		 else
+ 		 	enable_engine="no"
+ 		 fi],
+-		[enable_engine="yes"])
++		[enable_engine="check"])
+ 
+ AC_ARG_ENABLE([provider],
+ 		[AS_HELP_STRING([--enable-provider], [build IBMCA provider (OpenSSL >= 3.0, default is yes if built against OpenSSL 3.0 or later, else the default is false)])],
+@@ -75,6 +75,7 @@ AC_CHECK_LIB([crypto], [OSSL_LIB_CTX_new], [openssl_3_0="yes"], [openssl_3_0="no
+ AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \
+                  string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
+ AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***]))
++AC_CHECK_HEADER([openssl/engine.h], [has_engine_h="yes"], [has_engine_h="no"])
+ 
+ 
+ # Checks for typedefs, structures, and compiler characteristics.
+@@ -137,6 +138,18 @@ else
+ 	enable_provider=no
+ fi
+ 
++# If <openssl/engine.h> is not available, do not build the engine
++if test "x$has_engine_h" = xyes; then
++	if test "x$enable_engine" != xno; then
++		enable_engine=yes
++	fi
++else
++	if test "x$enable_engine" = xyes; then
++		AC_MSG_ERROR([*** openssl/engine.h is required to build the IBMCA engine ***]);
++	fi
++	enable_engine=no
++fi
++
+ AM_CONDITIONAL([IBMCA_ENGINE], [test "x$enable_engine" == xyes])
+ AM_CONDITIONAL([IBMCA_PROVIDER], [test "x$enable_provider" == xyes])
+ 
+-- 
+2.52.0
+

SPECS/openssl-ibmca.spec

@@ -1,23 +1,35 @@
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
+%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
 
-Summary: A dynamic OpenSSL engine for IBMCA
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+%global with_openssl3 1
+%endif
+
+
+Summary: OpenSSL engine and provider for IBMCA
 Name: openssl-ibmca
-Version: 2.4.1
+Version: 2.5.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
-Group: System Environment/Libraries
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-Requires: libica >= 3.8.0
+# warn the user about engine being deprecated
+Patch1: %{name}-2.3.1-engine-warning.patch
+# post GA fixes
+Patch2: %{name}-%{version}-fixes.patch
+Requires: libica >= 4.0.0
+BuildRequires: make
 BuildRequires: gcc
-BuildRequires: libica-devel >= 3.8.0
+BuildRequires: libica-devel >= 4.0.0
 BuildRequires: automake libtool
-BuildRequires: openssl
+BuildRequires: openssl >= 3.0.5
+BuildRequires: perl(FindBin)
 ExclusiveArch: s390 s390x
 
 
 %description
-A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
+A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
+machines to accelerate cryptographic operations.
 
 
 %prep
@@ -27,16 +39,22 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
 
 
 %build
-%configure --libdir=%{enginesdir} --with-libica-version=3
+%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
-make %{?_smp_mflags}
+%make_build
 
 
 %install
 %make_install
-rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
+rm -f %{buildroot}%{enginesdir}/*.la
+
+%if 0%{?with_openssl3}
+# provider is built when openssl3 is available, fix its location
+mkdir -p %{buildroot}%{modulesdir}
+mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
+%endif
 
 pushd src/engine
-sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
+sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
 popd
 
 # remove generated sample configs
@@ -49,60 +67,122 @@ make check
 
 %files
 %license LICENSE
-%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
+%doc ChangeLog README.md src/engine/openssl.cnf.sample
+%doc src/engine/ibmca-engine-opensslconfig
+%doc src/provider/ibmca-provider-opensslconfig
 %{enginesdir}/ibmca.so
 %{_mandir}/man5/ibmca.5*
+%if 0%{?with_openssl3}
+%{modulesdir}/ibmca-provider.so
+%{_mandir}/man5/ibmca-provider.5*
+%endif
 
 
 %changelog
-* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
+* Tue Dec 09 2025 Dan Horák <dhorak@redhat.com> - 2.5.0-2
-- updated to 2.4.1 (RHEL-11410)
+- post GA fixes (RHEL-100125)
-- Resolves: RHEL-11410
+- Resolves: RHEL-100125
 
-* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
+* Thu Jun 05 2025 Dan Horák <dhorak@redhat.com> - 2.5.0-1
-- engine: Only register those algos specified with default_algorithms (#2221891)
+- rebased to 2.5.0 (RHEL-73354)
-- Resolves: #2221891
+- Resolves: RHEL-73354
 
-* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
+* Thu May 23 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-2
-- updated to 2.4.0 (#2159722)
+- apply post-2.4.1 fixes (RHEL-23702)
-- Resolves: #2159722
+- Resolves: RHEL-23702
 
-* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
+* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
-- updated to 2.3.1 (#2110379)
+- updated to 2.4.1 (RHEL-11414)
-- Resolves: #2110379
+- Resolves: RHEL-11414
 
-* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
+* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
-- updated to 2.3.0 (#2043842)
+- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
-- Resolves: #2043842
+- provider: Default debug directory to /tmp but make it configurable (#2160084)
+- Resolves: #2222878 #2160084 #2224568
 
-* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
+* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
-- updated to 2.2.1 (#1984971)
+- provider: Support importing of RSA keys with just ME components (#2222878)
-- Resolves: #1984971
+- Resolves: #2222878
+
+* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
+- engine: Only register those algos specified with default_algorithms (#2221894)
+- Resolves: #2221894
+
+* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
+- updated to 2.4.0 (#2160084)
+- Resolves: #2160084
+
+* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
+- fix provider configuration script (#2140028)
+- Resolves: #2140028
+
+* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
+- updated to 2.3.1 (#2110378)
+- Resolves: #2110378
+
+* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
+- updated to 2.3.0 (#2044177)
+- add provider for openssl 3.x (#2044185)
+- Resolves: #2044177 #2044185
+
+* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
+- updated to 2.2.2 (#2016989)
+- Resolves: #2016989
+
+* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
+- updated to 2.2.1 (#2016989)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
 * Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
-- fix DSA and DH registration (#1989064)
+- fix DSA and DH registration (#1989380)
-- Resolves: #1989064
+- Resolves: #1989380
 
-* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
+* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
-- updated to 2.2.0 (#1919222)
+- updated to 2.2.0 (#1869531)
-- do not use libica software fallbacks (#1922204)
+- eliminate SW fallback functions (#1924117)
-- Resolves: #1919222 #1922204
+- Resolves: #1869531 #1924117
 
-* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
+* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
-- updated to 2.1.1 (#1780306)
+- updated to 2.1.2
-- Resolves: #1780306
 
-* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
-- updated to 2.1.0 (#1726242)
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- Resolves: #1726242, #1723854
 
-* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
-- updated to 2.0.3 (#1666622)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-- Resolves: #1666622 #1659427 #1683099
 
-* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
-- Fix doing rsa-me, altough rsa-crt would be possible
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-- Resolves: #1655654
+
+* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
+- updated to 2.1.1
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
+- updated to 2.1.0
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
+- updated to 2.0.3
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
+- updated to 2.0.2
+
+* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
+- run upstream test-suite during build
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
 - updated to 2.0.0