.openssl-ibmca.metadata

@@ -0,0 +1 @@
+8e7fc23ec2253da7d2b6e3181c80843253fcb68c SOURCES/openssl-ibmca-2.4.1.tar.gz

SOURCES/openssl-ibmca-2.3.1-engine-warning.patch

@@ -0,0 +1,27 @@
+From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Fri, 13 Jan 2023 18:09:49 +0100
+Subject: [ibmca PATCH] warn the user when configuring the engine
+
+The engine feature is deprecated in OpenSSL 3.0 and will be removed.
+Thus warn the user and recommend using the provider instead.
+---
+ src/engine/ibmca-engine-opensslconfig.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
+index e4b168b..ec7fbfc 100644
+--- a/src/engine/ibmca-engine-opensslconfig.in
++++ b/src/engine/ibmca-engine-opensslconfig.in
+@@ -140,4 +140,8 @@ this file.
+ |;
+ }
+ 
++print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
++print "WARNING: It will be removed in the future.\n";
++print "WARNING: Please use the OpenSSL provider instead.\n";
++
+ generate();
+-- 
+2.39.0
+

SOURCES/openssl-ibmca-2.4.1-fixes.patch

@@ -0,0 +1,423 @@
+From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 8 Jan 2024 08:52:24 +0100
+Subject: [PATCH 1/4] engine: Enable external AES-GCM IV when libica is in FIPS
+ mode
+
+When the system is in FIPS mode, newer libica versions may prevent AES-GCM
+from being used with an external IV. FIPS requires that the AES-GCM IV is
+created libica internally via an approved random source.
+
+The IBMCA engine can not support the internal generation of the AES-GCM IV,
+because the engine API for AES-GCM does not allow this. Applications using
+OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
+external IV.
+
+Enable the use of external AES-GCM IVs for libica, if the used libica library
+supports this. Newer libica versions support to allow external AES-GCM IVs via
+function ica_allow_external_gcm_iv_in_fips_mode().
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/e_ibmca.c | 12 +++++++++++-
+ src/engine/ibmca.h   |  1 +
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
+index 6cbf745..afed3fe 100644
+--- a/src/engine/e_ibmca.c
++++ b/src/engine/e_ibmca.c
+@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t      p_ica_aes_gcm_intermediate;
+ ica_aes_gcm_last_t              p_ica_aes_gcm_last;
+ #endif
+ ica_cleanup_t                   p_ica_cleanup;
++ica_allow_external_gcm_iv_in_fips_mode_t
++                                p_ica_allow_external_gcm_iv_in_fips_mode;
+ 
+ /* save libcrypto's default ec methods */
+ #ifndef NO_EC
+@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
+     BIND(ibmca_dso, ica_ed448_ctx_del);
+ 
+     /* ica_cleanup is not always present and only needed for newer libraries */
+-    p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
++    BIND(ibmca_dso, ica_cleanup);
++
++    /*
++     * Allow external AES-GCM IV when libica runs in FIPS mode.
++     * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
++     * available with newer libraries.
++     */
++    if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
++        p_ica_allow_external_gcm_iv_in_fips_mode(1);
+ 
+     /* disable fallbacks on Libica */
+     if (BIND(ibmca_dso, ica_set_fallback_mode))
+diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
+index 7281a5b..01465eb 100644
+--- a/src/engine/ibmca.h
++++ b/src/engine/ibmca.h
+@@ -617,6 +617,7 @@ typedef
+ int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
+ 
+ typedef void (*ica_cleanup_t)(void);
++typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
+ 
+ /* entry points into libica, filled out at DSO load time */
+ extern ica_get_functionlist_t           p_ica_get_functionlist;
+-- 
+2.45.1
+
+
+From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 10 Jan 2024 15:08:47 +0100
+Subject: [PATCH 2/4] test/provider: Do not link against libica use dlopen
+ instead
+
+When an application links against libica (via -lica), then the libica library
+constructor runs before the program's main function. Libica's library
+constructor does initialize OpenSSL and thus parses the config file.
+
+However, the test programs set up some OpenSSL configuration related
+environment variables within function check_libica() called from the
+main function. If libica has already initialized OpenSSL prior to that,
+OpenSSL won't initialize again, and thus these environment variables have
+no effect.
+
+Dynamically load libica (via dlopen) only after setting the environment
+variables.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ configure.ac              |  2 ++
+ test/provider/Makefile.am | 15 +++++++++------
+ test/provider/dhkey.c     | 24 ++++++++++++++++++++++--
+ test/provider/eckey.c     | 24 ++++++++++++++++++++++--
+ test/provider/rsakey.c    | 24 ++++++++++++++++++++++--
+ 5 files changed, 77 insertions(+), 12 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b43a659..09df230 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
+ 	[])
+ AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
+ 
++AC_SUBST(libicaversion, "$libicaversion")
++
+ # If compiled against OpenSSL 3.0 or later, build the provider unless
+ # explicitely disabled. 
+ # If build against OpenSSL 1.1.1, we can not build the provider.
+diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
+index 15a5466..fce06b3 100644
+--- a/test/provider/Makefile.am
++++ b/test/provider/Makefile.am
+@@ -24,24 +24,27 @@ TESTS = \
+ check_PROGRAMS = rsakey eckey dhkey threadtest
+ 
+ dhkey_SOURCES = dhkey.c
++dhkey_LDADD = -lcrypto -ldl
+ if PROVIDER_FULL_LIBICA
+-dhkey_LDADD = -lcrypto -lica
++dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
+ else
+-dhkey_LDADD = -lcrypto -lica-cex
++dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
+ endif
+ 
+ eckey_SOURCES = eckey.c
++eckey_LDADD = -lcrypto -ldl
+ if PROVIDER_FULL_LIBICA
+-eckey_LDADD = -lcrypto -lica
++eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
+ else
+-eckey_LDADD = -lcrypto -lica-cex
++eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
+ endif
+ 
+ rsakey_SOURCES = rsakey.c
++rsakey_LDADD = -lcrypto -ldl
+ if PROVIDER_FULL_LIBICA
+-rsakey_LDADD = -lcrypto -lica
++rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
+ else
+-rsakey_LDADD = -lcrypto -lica-cex
++rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
+ endif
+ 
+ threadtest_SOURCES = threadtest.c
+diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
+index 8829ecc..0ec2c03 100644
+--- a/test/provider/dhkey.c
++++ b/test/provider/dhkey.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <dlfcn.h>
+ 
+ #include <openssl/conf.h>
+ #include <openssl/evp.h>
+@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
+ static const unsigned int required_ica_mechs_len =
+                         sizeof(required_ica_mechs) / sizeof(unsigned int);
+ 
++typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
++                                               unsigned int *);
++
+ int check_libica()
+ {
+     unsigned int mech_len, i, k, found = 0;
+     libica_func_list_element *mech_list = NULL;
++    void *ibmca_dso;
++    ica_get_functionlist_t p_ica_get_functionlist;
+     int rc;
+ 
+-    rc = ica_get_functionlist(NULL, &mech_len);
++    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
++    if (ibmca_dso == NULL) {
++        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
++        return 77;
++    }
++
++    p_ica_get_functionlist =
++            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
++    if (p_ica_get_functionlist == NULL) {
++        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
++                LIBICA_NAME);
++        return 77;
++    }
++
++    rc = p_ica_get_functionlist(NULL, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         return 77;
+@@ -373,7 +393,7 @@ int check_libica()
+         return 77;
+     }
+ 
+-    rc = ica_get_functionlist(mech_list, &mech_len);
++    rc = p_ica_get_functionlist(mech_list, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         free(mech_list);
+diff --git a/test/provider/eckey.c b/test/provider/eckey.c
+index b2334d7..b8f47b7 100644
+--- a/test/provider/eckey.c
++++ b/test/provider/eckey.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <dlfcn.h>
+ 
+ #include <openssl/conf.h>
+ #include <openssl/evp.h>
+@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
+ static const unsigned int required_ica_mechs_len =
+                         sizeof(required_ica_mechs) / sizeof(unsigned int);
+ 
++typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
++                                               unsigned int *);
++
+ int check_libica()
+ {
+     unsigned int mech_len, i, k, found = 0;
+     libica_func_list_element *mech_list = NULL;
++    void *ibmca_dso;
++    ica_get_functionlist_t p_ica_get_functionlist;
+     int rc;
+ 
+-    rc = ica_get_functionlist(NULL, &mech_len);
++    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
++    if (ibmca_dso == NULL) {
++        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
++        return 77;
++    }
++
++    p_ica_get_functionlist =
++            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
++    if (p_ica_get_functionlist == NULL) {
++        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
++                LIBICA_NAME);
++        return 77;
++    }
++
++    rc = p_ica_get_functionlist(NULL, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         return 77;
+@@ -806,7 +826,7 @@ int check_libica()
+         return 77;
+     }
+ 
+-    rc = ica_get_functionlist(mech_list, &mech_len);
++    rc = p_ica_get_functionlist(mech_list, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         free(mech_list);
+diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
+index 366b503..9d6a618 100644
+--- a/test/provider/rsakey.c
++++ b/test/provider/rsakey.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <dlfcn.h>
+ 
+ #include <openssl/conf.h>
+ #include <openssl/evp.h>
+@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME,  RSA_CRT };
+ static const unsigned int required_ica_mechs_len =
+                         sizeof(required_ica_mechs) / sizeof(unsigned int);
+ 
++typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
++                                               unsigned int *);
++
+ int check_libica()
+ {
+     unsigned int mech_len, i, k, found = 0;
+     libica_func_list_element *mech_list = NULL;
++    void *ibmca_dso;
++    ica_get_functionlist_t p_ica_get_functionlist;
+     int rc;
+ 
+-    rc = ica_get_functionlist(NULL, &mech_len);
++    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
++    if (ibmca_dso == NULL) {
++        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
++        return 77;
++    }
++
++    p_ica_get_functionlist =
++            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
++    if (p_ica_get_functionlist == NULL) {
++        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
++                LIBICA_NAME);
++        return 77;
++    }
++
++    rc = p_ica_get_functionlist(NULL, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         return 77;
+@@ -753,7 +773,7 @@ int check_libica()
+         return 77;
+     }
+ 
+-    rc = ica_get_functionlist(mech_list, &mech_len);
++    rc = p_ica_get_functionlist(mech_list, &mech_len);
+     if (rc != 0) {
+         fprintf(stderr, "Failed to get function list from libica!\n");
+         free(mech_list);
+-- 
+2.45.1
+
+
+From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 18 Jan 2024 16:35:14 +0100
+Subject: [PATCH 3/4] test/provider: Explicitly initialize OpenSSL after
+ setting env vars.
+
+When running with a libica version without commit
+https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
+it is necessary to explicitly initialize OpenSSL before loading libica. Because
+otherwise libica's library constructor will initialize OpenSSL the first time,
+which in turn will load the IBMCA provider, and it will fall into the same
+problem as fixed by above libica commit, i.e. the provider won't be able to
+get the supported algorithms from libica an thus will not register any
+algorithms.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ test/provider/dhkey.c  | 2 ++
+ test/provider/eckey.c  | 2 ++
+ test/provider/rsakey.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
+index 0ec2c03..b1270f5 100644
+--- a/test/provider/dhkey.c
++++ b/test/provider/dhkey.c
+@@ -461,6 +461,8 @@ int main(int argc, char **argv)
+         return 77;
+     }
+ 
++    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
++
+     ret = check_libica();
+     if (ret != 0)
+         return ret;
+diff --git a/test/provider/eckey.c b/test/provider/eckey.c
+index b8f47b7..a65bea5 100644
+--- a/test/provider/eckey.c
++++ b/test/provider/eckey.c
+@@ -895,6 +895,8 @@ int main(int argc, char **argv)
+         return 77;
+     }
+ 
++    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
++
+     ret = check_libica();
+     if (ret != 0)
+         return ret;
+diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
+index 9d6a618..874de6d 100644
+--- a/test/provider/rsakey.c
++++ b/test/provider/rsakey.c
+@@ -839,6 +839,8 @@ int main(int argc, char **argv)
+         return 77;
+     }
+ 
++    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
++
+     ret = check_libica();
+     if (ret != 0)
+         return ret;
+-- 
+2.45.1
+
+
+From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 13 May 2024 08:53:56 +0200
+Subject: [PATCH 4/4] engine: Fix compile error on Fedora 40
+
+ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
+from incompatible pointer type [-Wincompatible-pointer-types]
+      627 |     EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/ibmca_pkey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
+index 9c8de94..6cd8fcd 100644
+--- a/src/engine/ibmca_pkey.c
++++ b/src/engine/ibmca_pkey.c
+@@ -258,7 +258,7 @@ ret:
+ 
+ /* ED25519 */
+ 
+-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
++static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
+ {
+     return 1;
+ }
+@@ -402,7 +402,7 @@ ret:
+ 
+ /* ED448 */
+ 
+-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
++static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
+ {
+     return 1;
+ }
+-- 
+2.45.1
+

SPECS/openssl-ibmca.spec

@@ -1,23 +1,35 @@
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
+%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
 
-Summary: A dynamic OpenSSL engine for IBMCA
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+%global with_openssl3 1
+%endif
+
+
+Summary: OpenSSL engine and provider for IBMCA
 Name: openssl-ibmca
 Version: 2.4.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
-Group: System Environment/Libraries
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-Requires: libica >= 3.8.0
+# warn the user about engine being deprecated
+Patch1: %{name}-2.3.1-engine-warning.patch
+# post GA fixes
+Patch2: %{name}-%{version}-fixes.patch
+Requires: libica >= 4.0.0
+BuildRequires: make
 BuildRequires: gcc
-BuildRequires: libica-devel >= 3.8.0
+BuildRequires: libica-devel >= 4.0.0
 BuildRequires: automake libtool
-BuildRequires: openssl
+BuildRequires: openssl >= 3.0.5
+BuildRequires: perl(FindBin)
 ExclusiveArch: s390 s390x
 
 
 %description
-A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
+A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
+machines to accelerate cryptographic operations.
 
 
 %prep
@@ -27,16 +39,22 @@ A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
 
 
 %build
-%configure --libdir=%{enginesdir} --with-libica-version=3
-make %{?_smp_mflags}
+%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
+%make_build
 
 
 %install
 %make_install
-rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
+rm -f %{buildroot}%{enginesdir}/*.la
+
+%if 0%{?with_openssl3}
+# provider is built when openssl3 is available, fix its location
+mkdir -p %{buildroot}%{modulesdir}
+mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
+%endif
 
 pushd src/engine
-sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
+sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
 popd
 
 # remove generated sample configs
@@ -49,60 +67,114 @@ make check
 
 %files
 %license LICENSE
-%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
+%doc ChangeLog README.md src/engine/openssl.cnf.sample
+%doc src/engine/ibmca-engine-opensslconfig
+%doc src/provider/ibmca-provider-opensslconfig
 %{enginesdir}/ibmca.so
 %{_mandir}/man5/ibmca.5*
+%if 0%{?with_openssl3}
+%{modulesdir}/ibmca-provider.so
+%{_mandir}/man5/ibmca-provider.5*
+%endif
 
 
 %changelog
-* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
-- updated to 2.4.1 (RHEL-11410)
-- Resolves: RHEL-11410
+* Thu May 23 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-2
+- apply post-2.4.1 fixes (RHEL-23702)
+- Resolves: RHEL-23702
 
-* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
-- engine: Only register those algos specified with default_algorithms (#2221891)
-- Resolves: #2221891
+* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
+- updated to 2.4.1 (RHEL-11414)
+- Resolves: RHEL-11414
 
-* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
-- updated to 2.4.0 (#2159722)
-- Resolves: #2159722
+* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
+- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
+- provider: Default debug directory to /tmp but make it configurable (#2160084)
+- Resolves: #2222878 #2160084 #2224568
 
-* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
-- updated to 2.3.1 (#2110379)
-- Resolves: #2110379
+* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
+- provider: Support importing of RSA keys with just ME components (#2222878)
+- Resolves: #2222878
 
-* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
-- updated to 2.3.0 (#2043842)
-- Resolves: #2043842
+* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
+- engine: Only register those algos specified with default_algorithms (#2221894)
+- Resolves: #2221894
 
-* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
-- updated to 2.2.1 (#1984971)
-- Resolves: #1984971
+* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
+- updated to 2.4.0 (#2160084)
+- Resolves: #2160084
+
+* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
+- fix provider configuration script (#2140028)
+- Resolves: #2140028
+
+* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
+- updated to 2.3.1 (#2110378)
+- Resolves: #2110378
+
+* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
+- updated to 2.3.0 (#2044177)
+- add provider for openssl 3.x (#2044185)
+- Resolves: #2044177 #2044185
+
+* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
+- updated to 2.2.2 (#2016989)
+- Resolves: #2016989
+
+* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
+- updated to 2.2.1 (#2016989)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
 * Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
-- fix DSA and DH registration (#1989064)
-- Resolves: #1989064
+- fix DSA and DH registration (#1989380)
+- Resolves: #1989380
 
-* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
-- updated to 2.2.0 (#1919222)
-- do not use libica software fallbacks (#1922204)
-- Resolves: #1919222 #1922204
+* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
+- updated to 2.2.0 (#1869531)
+- eliminate SW fallback functions (#1924117)
+- Resolves: #1869531 #1924117
 
-* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
-- updated to 2.1.1 (#1780306)
-- Resolves: #1780306
+* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
+- updated to 2.1.2
 
-* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
-- updated to 2.1.0 (#1726242)
-- Resolves: #1726242, #1723854
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
-- updated to 2.0.3 (#1666622)
-- Resolves: #1666622 #1659427 #1683099
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
-- Fix doing rsa-me, altough rsa-crt would be possible
-- Resolves: #1655654
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
+- updated to 2.1.1
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
+- updated to 2.1.0
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
+- updated to 2.0.3
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
+- updated to 2.0.2
+
+* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
+- run upstream test-suite during build
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
 - updated to 2.0.0