Compare commits
No commits in common. "c9-beta" and "c8" have entirely different histories.
@ -1 +0,0 @@
|
||||
8e7fc23ec2253da7d2b6e3181c80843253fcb68c SOURCES/openssl-ibmca-2.4.1.tar.gz
|
@ -1,27 +0,0 @@
|
||||
From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
||||
Date: Fri, 13 Jan 2023 18:09:49 +0100
|
||||
Subject: [ibmca PATCH] warn the user when configuring the engine
|
||||
|
||||
The engine feature is deprecated in OpenSSL 3.0 and will be removed.
|
||||
Thus warn the user and recommend using the provider instead.
|
||||
---
|
||||
src/engine/ibmca-engine-opensslconfig.in | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
|
||||
index e4b168b..ec7fbfc 100644
|
||||
--- a/src/engine/ibmca-engine-opensslconfig.in
|
||||
+++ b/src/engine/ibmca-engine-opensslconfig.in
|
||||
@@ -140,4 +140,8 @@ this file.
|
||||
|;
|
||||
}
|
||||
|
||||
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
|
||||
+print "WARNING: It will be removed in the future.\n";
|
||||
+print "WARNING: Please use the OpenSSL provider instead.\n";
|
||||
+
|
||||
generate();
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,423 +0,0 @@
|
||||
From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon, 8 Jan 2024 08:52:24 +0100
|
||||
Subject: [PATCH 1/4] engine: Enable external AES-GCM IV when libica is in FIPS
|
||||
mode
|
||||
|
||||
When the system is in FIPS mode, newer libica versions may prevent AES-GCM
|
||||
from being used with an external IV. FIPS requires that the AES-GCM IV is
|
||||
created libica internally via an approved random source.
|
||||
|
||||
The IBMCA engine can not support the internal generation of the AES-GCM IV,
|
||||
because the engine API for AES-GCM does not allow this. Applications using
|
||||
OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
|
||||
external IV.
|
||||
|
||||
Enable the use of external AES-GCM IVs for libica, if the used libica library
|
||||
supports this. Newer libica versions support to allow external AES-GCM IVs via
|
||||
function ica_allow_external_gcm_iv_in_fips_mode().
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/engine/e_ibmca.c | 12 +++++++++++-
|
||||
src/engine/ibmca.h | 1 +
|
||||
2 files changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
|
||||
index 6cbf745..afed3fe 100644
|
||||
--- a/src/engine/e_ibmca.c
|
||||
+++ b/src/engine/e_ibmca.c
|
||||
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
|
||||
ica_aes_gcm_last_t p_ica_aes_gcm_last;
|
||||
#endif
|
||||
ica_cleanup_t p_ica_cleanup;
|
||||
+ica_allow_external_gcm_iv_in_fips_mode_t
|
||||
+ p_ica_allow_external_gcm_iv_in_fips_mode;
|
||||
|
||||
/* save libcrypto's default ec methods */
|
||||
#ifndef NO_EC
|
||||
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
|
||||
BIND(ibmca_dso, ica_ed448_ctx_del);
|
||||
|
||||
/* ica_cleanup is not always present and only needed for newer libraries */
|
||||
- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
|
||||
+ BIND(ibmca_dso, ica_cleanup);
|
||||
+
|
||||
+ /*
|
||||
+ * Allow external AES-GCM IV when libica runs in FIPS mode.
|
||||
+ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
|
||||
+ * available with newer libraries.
|
||||
+ */
|
||||
+ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
|
||||
+ p_ica_allow_external_gcm_iv_in_fips_mode(1);
|
||||
|
||||
/* disable fallbacks on Libica */
|
||||
if (BIND(ibmca_dso, ica_set_fallback_mode))
|
||||
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
|
||||
index 7281a5b..01465eb 100644
|
||||
--- a/src/engine/ibmca.h
|
||||
+++ b/src/engine/ibmca.h
|
||||
@@ -617,6 +617,7 @@ typedef
|
||||
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
|
||||
|
||||
typedef void (*ica_cleanup_t)(void);
|
||||
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
|
||||
|
||||
/* entry points into libica, filled out at DSO load time */
|
||||
extern ica_get_functionlist_t p_ica_get_functionlist;
|
||||
--
|
||||
2.45.1
|
||||
|
||||
|
||||
From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed, 10 Jan 2024 15:08:47 +0100
|
||||
Subject: [PATCH 2/4] test/provider: Do not link against libica use dlopen
|
||||
instead
|
||||
|
||||
When an application links against libica (via -lica), then the libica library
|
||||
constructor runs before the program's main function. Libica's library
|
||||
constructor does initialize OpenSSL and thus parses the config file.
|
||||
|
||||
However, the test programs set up some OpenSSL configuration related
|
||||
environment variables within function check_libica() called from the
|
||||
main function. If libica has already initialized OpenSSL prior to that,
|
||||
OpenSSL won't initialize again, and thus these environment variables have
|
||||
no effect.
|
||||
|
||||
Dynamically load libica (via dlopen) only after setting the environment
|
||||
variables.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
configure.ac | 2 ++
|
||||
test/provider/Makefile.am | 15 +++++++++------
|
||||
test/provider/dhkey.c | 24 ++++++++++++++++++++++--
|
||||
test/provider/eckey.c | 24 ++++++++++++++++++++++--
|
||||
test/provider/rsakey.c | 24 ++++++++++++++++++++++--
|
||||
5 files changed, 77 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index b43a659..09df230 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
|
||||
[])
|
||||
AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
|
||||
|
||||
+AC_SUBST(libicaversion, "$libicaversion")
|
||||
+
|
||||
# If compiled against OpenSSL 3.0 or later, build the provider unless
|
||||
# explicitely disabled.
|
||||
# If build against OpenSSL 1.1.1, we can not build the provider.
|
||||
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
|
||||
index 15a5466..fce06b3 100644
|
||||
--- a/test/provider/Makefile.am
|
||||
+++ b/test/provider/Makefile.am
|
||||
@@ -24,24 +24,27 @@ TESTS = \
|
||||
check_PROGRAMS = rsakey eckey dhkey threadtest
|
||||
|
||||
dhkey_SOURCES = dhkey.c
|
||||
+dhkey_LDADD = -lcrypto -ldl
|
||||
if PROVIDER_FULL_LIBICA
|
||||
-dhkey_LDADD = -lcrypto -lica
|
||||
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||
else
|
||||
-dhkey_LDADD = -lcrypto -lica-cex
|
||||
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||
endif
|
||||
|
||||
eckey_SOURCES = eckey.c
|
||||
+eckey_LDADD = -lcrypto -ldl
|
||||
if PROVIDER_FULL_LIBICA
|
||||
-eckey_LDADD = -lcrypto -lica
|
||||
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||
else
|
||||
-eckey_LDADD = -lcrypto -lica-cex
|
||||
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||
endif
|
||||
|
||||
rsakey_SOURCES = rsakey.c
|
||||
+rsakey_LDADD = -lcrypto -ldl
|
||||
if PROVIDER_FULL_LIBICA
|
||||
-rsakey_LDADD = -lcrypto -lica
|
||||
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
|
||||
else
|
||||
-rsakey_LDADD = -lcrypto -lica-cex
|
||||
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
|
||||
endif
|
||||
|
||||
threadtest_SOURCES = threadtest.c
|
||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
||||
index 8829ecc..0ec2c03 100644
|
||||
--- a/test/provider/dhkey.c
|
||||
+++ b/test/provider/dhkey.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <dlfcn.h>
|
||||
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
|
||||
static const unsigned int required_ica_mechs_len =
|
||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||
|
||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||
+ unsigned int *);
|
||||
+
|
||||
int check_libica()
|
||||
{
|
||||
unsigned int mech_len, i, k, found = 0;
|
||||
libica_func_list_element *mech_list = NULL;
|
||||
+ void *ibmca_dso;
|
||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||
int rc;
|
||||
|
||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||
+ if (ibmca_dso == NULL) {
|
||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ p_ica_get_functionlist =
|
||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||
+ if (p_ica_get_functionlist == NULL) {
|
||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||
+ LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
return 77;
|
||||
@@ -373,7 +393,7 @@ int check_libica()
|
||||
return 77;
|
||||
}
|
||||
|
||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
free(mech_list);
|
||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
||||
index b2334d7..b8f47b7 100644
|
||||
--- a/test/provider/eckey.c
|
||||
+++ b/test/provider/eckey.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <dlfcn.h>
|
||||
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
|
||||
static const unsigned int required_ica_mechs_len =
|
||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||
|
||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||
+ unsigned int *);
|
||||
+
|
||||
int check_libica()
|
||||
{
|
||||
unsigned int mech_len, i, k, found = 0;
|
||||
libica_func_list_element *mech_list = NULL;
|
||||
+ void *ibmca_dso;
|
||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||
int rc;
|
||||
|
||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||
+ if (ibmca_dso == NULL) {
|
||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ p_ica_get_functionlist =
|
||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||
+ if (p_ica_get_functionlist == NULL) {
|
||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||
+ LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
return 77;
|
||||
@@ -806,7 +826,7 @@ int check_libica()
|
||||
return 77;
|
||||
}
|
||||
|
||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
free(mech_list);
|
||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
||||
index 366b503..9d6a618 100644
|
||||
--- a/test/provider/rsakey.c
|
||||
+++ b/test/provider/rsakey.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <dlfcn.h>
|
||||
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
|
||||
static const unsigned int required_ica_mechs_len =
|
||||
sizeof(required_ica_mechs) / sizeof(unsigned int);
|
||||
|
||||
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
|
||||
+ unsigned int *);
|
||||
+
|
||||
int check_libica()
|
||||
{
|
||||
unsigned int mech_len, i, k, found = 0;
|
||||
libica_func_list_element *mech_list = NULL;
|
||||
+ void *ibmca_dso;
|
||||
+ ica_get_functionlist_t p_ica_get_functionlist;
|
||||
int rc;
|
||||
|
||||
- rc = ica_get_functionlist(NULL, &mech_len);
|
||||
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
|
||||
+ if (ibmca_dso == NULL) {
|
||||
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ p_ica_get_functionlist =
|
||||
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
|
||||
+ if (p_ica_get_functionlist == NULL) {
|
||||
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
|
||||
+ LIBICA_NAME);
|
||||
+ return 77;
|
||||
+ }
|
||||
+
|
||||
+ rc = p_ica_get_functionlist(NULL, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
return 77;
|
||||
@@ -753,7 +773,7 @@ int check_libica()
|
||||
return 77;
|
||||
}
|
||||
|
||||
- rc = ica_get_functionlist(mech_list, &mech_len);
|
||||
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
|
||||
if (rc != 0) {
|
||||
fprintf(stderr, "Failed to get function list from libica!\n");
|
||||
free(mech_list);
|
||||
--
|
||||
2.45.1
|
||||
|
||||
|
||||
From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu, 18 Jan 2024 16:35:14 +0100
|
||||
Subject: [PATCH 3/4] test/provider: Explicitly initialize OpenSSL after
|
||||
setting env vars.
|
||||
|
||||
When running with a libica version without commit
|
||||
https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
|
||||
it is necessary to explicitly initialize OpenSSL before loading libica. Because
|
||||
otherwise libica's library constructor will initialize OpenSSL the first time,
|
||||
which in turn will load the IBMCA provider, and it will fall into the same
|
||||
problem as fixed by above libica commit, i.e. the provider won't be able to
|
||||
get the supported algorithms from libica an thus will not register any
|
||||
algorithms.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
test/provider/dhkey.c | 2 ++
|
||||
test/provider/eckey.c | 2 ++
|
||||
test/provider/rsakey.c | 2 ++
|
||||
3 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
|
||||
index 0ec2c03..b1270f5 100644
|
||||
--- a/test/provider/dhkey.c
|
||||
+++ b/test/provider/dhkey.c
|
||||
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
|
||||
return 77;
|
||||
}
|
||||
|
||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
+
|
||||
ret = check_libica();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
|
||||
index b8f47b7..a65bea5 100644
|
||||
--- a/test/provider/eckey.c
|
||||
+++ b/test/provider/eckey.c
|
||||
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
|
||||
return 77;
|
||||
}
|
||||
|
||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
+
|
||||
ret = check_libica();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
|
||||
index 9d6a618..874de6d 100644
|
||||
--- a/test/provider/rsakey.c
|
||||
+++ b/test/provider/rsakey.c
|
||||
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
|
||||
return 77;
|
||||
}
|
||||
|
||||
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
+
|
||||
ret = check_libica();
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
--
|
||||
2.45.1
|
||||
|
||||
|
||||
From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
|
||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon, 13 May 2024 08:53:56 +0200
|
||||
Subject: [PATCH 4/4] engine: Fix compile error on Fedora 40
|
||||
|
||||
ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
|
||||
from incompatible pointer type [-Wincompatible-pointer-types]
|
||||
627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
---
|
||||
src/engine/ibmca_pkey.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
|
||||
index 9c8de94..6cd8fcd 100644
|
||||
--- a/src/engine/ibmca_pkey.c
|
||||
+++ b/src/engine/ibmca_pkey.c
|
||||
@@ -258,7 +258,7 @@ ret:
|
||||
|
||||
/* ED25519 */
|
||||
|
||||
-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
||||
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@@ -402,7 +402,7 @@ ret:
|
||||
|
||||
/* ED448 */
|
||||
|
||||
-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
|
||||
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.45.1
|
||||
|
@ -1,35 +1,23 @@
|
||||
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
|
||||
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
|
||||
|
||||
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
|
||||
%global with_openssl3 1
|
||||
%endif
|
||||
|
||||
|
||||
Summary: OpenSSL engine and provider for IBMCA
|
||||
Summary: A dynamic OpenSSL engine for IBMCA
|
||||
Name: openssl-ibmca
|
||||
Version: 2.4.1
|
||||
Release: 2%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: ASL 2.0
|
||||
Group: System Environment/Libraries
|
||||
URL: https://github.com/opencryptoki
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
# warn the user about engine being deprecated
|
||||
Patch1: %{name}-2.3.1-engine-warning.patch
|
||||
# post GA fixes
|
||||
Patch2: %{name}-%{version}-fixes.patch
|
||||
Requires: libica >= 4.0.0
|
||||
BuildRequires: make
|
||||
Requires: libica >= 3.8.0
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libica-devel >= 4.0.0
|
||||
BuildRequires: libica-devel >= 3.8.0
|
||||
BuildRequires: automake libtool
|
||||
BuildRequires: openssl >= 3.0.5
|
||||
BuildRequires: perl(FindBin)
|
||||
BuildRequires: openssl
|
||||
ExclusiveArch: s390 s390x
|
||||
|
||||
|
||||
%description
|
||||
A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
|
||||
machines to accelerate cryptographic operations.
|
||||
A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
|
||||
|
||||
|
||||
%prep
|
||||
@ -39,22 +27,16 @@ machines to accelerate cryptographic operations.
|
||||
|
||||
|
||||
%build
|
||||
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
|
||||
%make_build
|
||||
%configure --libdir=%{enginesdir} --with-libica-version=3
|
||||
make %{?_smp_mflags}
|
||||
|
||||
|
||||
%install
|
||||
%make_install
|
||||
rm -f %{buildroot}%{enginesdir}/*.la
|
||||
|
||||
%if 0%{?with_openssl3}
|
||||
# provider is built when openssl3 is available, fix its location
|
||||
mkdir -p %{buildroot}%{modulesdir}
|
||||
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
|
||||
%endif
|
||||
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
|
||||
|
||||
pushd src/engine
|
||||
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
|
||||
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
|
||||
popd
|
||||
|
||||
# remove generated sample configs
|
||||
@ -67,114 +49,60 @@ make check
|
||||
|
||||
%files
|
||||
%license LICENSE
|
||||
%doc ChangeLog README.md src/engine/openssl.cnf.sample
|
||||
%doc src/engine/ibmca-engine-opensslconfig
|
||||
%doc src/provider/ibmca-provider-opensslconfig
|
||||
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
|
||||
%{enginesdir}/ibmca.so
|
||||
%{_mandir}/man5/ibmca.5*
|
||||
%if 0%{?with_openssl3}
|
||||
%{modulesdir}/ibmca-provider.so
|
||||
%{_mandir}/man5/ibmca-provider.5*
|
||||
%endif
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu May 23 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-2
|
||||
- apply post-2.4.1 fixes (RHEL-23702)
|
||||
- Resolves: RHEL-23702
|
||||
* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
|
||||
- updated to 2.4.1 (RHEL-11410)
|
||||
- Resolves: RHEL-11410
|
||||
|
||||
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
|
||||
- updated to 2.4.1 (RHEL-11414)
|
||||
- Resolves: RHEL-11414
|
||||
* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
||||
- engine: Only register those algos specified with default_algorithms (#2221891)
|
||||
- Resolves: #2221891
|
||||
|
||||
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
|
||||
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
|
||||
- provider: Default debug directory to /tmp but make it configurable (#2160084)
|
||||
- Resolves: #2222878 #2160084 #2224568
|
||||
* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
|
||||
- updated to 2.4.0 (#2159722)
|
||||
- Resolves: #2159722
|
||||
|
||||
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
|
||||
- provider: Support importing of RSA keys with just ME components (#2222878)
|
||||
- Resolves: #2222878
|
||||
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
|
||||
- updated to 2.3.1 (#2110379)
|
||||
- Resolves: #2110379
|
||||
|
||||
* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
|
||||
- engine: Only register those algos specified with default_algorithms (#2221894)
|
||||
- Resolves: #2221894
|
||||
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
|
||||
- updated to 2.3.0 (#2043842)
|
||||
- Resolves: #2043842
|
||||
|
||||
* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
|
||||
- updated to 2.4.0 (#2160084)
|
||||
- Resolves: #2160084
|
||||
|
||||
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
|
||||
- fix provider configuration script (#2140028)
|
||||
- Resolves: #2140028
|
||||
|
||||
* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
|
||||
- updated to 2.3.1 (#2110378)
|
||||
- Resolves: #2110378
|
||||
|
||||
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
|
||||
- updated to 2.3.0 (#2044177)
|
||||
- add provider for openssl 3.x (#2044185)
|
||||
- Resolves: #2044177 #2044185
|
||||
|
||||
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
|
||||
- updated to 2.2.2 (#2016989)
|
||||
- Resolves: #2016989
|
||||
|
||||
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
|
||||
- updated to 2.2.1 (#2016989)
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
|
||||
- updated to 2.2.1 (#1984971)
|
||||
- Resolves: #1984971
|
||||
|
||||
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
|
||||
- fix DSA and DH registration (#1989380)
|
||||
- Resolves: #1989380
|
||||
- fix DSA and DH registration (#1989064)
|
||||
- Resolves: #1989064
|
||||
|
||||
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
|
||||
- updated to 2.2.0 (#1869531)
|
||||
- eliminate SW fallback functions (#1924117)
|
||||
- Resolves: #1869531 #1924117
|
||||
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
|
||||
- updated to 2.2.0 (#1919222)
|
||||
- do not use libica software fallbacks (#1922204)
|
||||
- Resolves: #1919222 #1922204
|
||||
|
||||
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
|
||||
- updated to 2.1.2
|
||||
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
|
||||
- updated to 2.1.1 (#1780306)
|
||||
- Resolves: #1780306
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
|
||||
- updated to 2.1.0 (#1726242)
|
||||
- Resolves: #1726242, #1723854
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
|
||||
- updated to 2.0.3 (#1666622)
|
||||
- Resolves: #1666622 #1659427 #1683099
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
|
||||
- updated to 2.1.1
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
|
||||
- updated to 2.1.0
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
|
||||
- updated to 2.0.3
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
|
||||
- updated to 2.0.2
|
||||
|
||||
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
|
||||
- run upstream test-suite during build
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
|
||||
- Fix doing rsa-me, altough rsa-crt would be possible
|
||||
- Resolves: #1655654
|
||||
|
||||
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
|
||||
- updated to 2.0.0
|
||||
|
Loading…
Reference in New Issue
Block a user