Compare commits

...

No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

4 changed files with 48 additions and 571 deletions

View File

@ -1 +0,0 @@
8e7fc23ec2253da7d2b6e3181c80843253fcb68c SOURCES/openssl-ibmca-2.4.1.tar.gz

View File

@ -1,27 +0,0 @@
From b72865d57bf129c058bdb4e7301b9cb7ce16938e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
Date: Fri, 13 Jan 2023 18:09:49 +0100
Subject: [ibmca PATCH] warn the user when configuring the engine
The engine feature is deprecated in OpenSSL 3.0 and will be removed.
Thus warn the user and recommend using the provider instead.
---
src/engine/ibmca-engine-opensslconfig.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/engine/ibmca-engine-opensslconfig.in b/src/engine/ibmca-engine-opensslconfig.in
index e4b168b..ec7fbfc 100644
--- a/src/engine/ibmca-engine-opensslconfig.in
+++ b/src/engine/ibmca-engine-opensslconfig.in
@@ -140,4 +140,8 @@ this file.
|;
}
+print "WARNING: The OpenSSL engine feature is DEPRECATED since OpenSSL 3.0.\n";
+print "WARNING: It will be removed in the future.\n";
+print "WARNING: Please use the OpenSSL provider instead.\n";
+
generate();
--
2.39.0

View File

@ -1,423 +0,0 @@
From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 8 Jan 2024 08:52:24 +0100
Subject: [PATCH 1/4] engine: Enable external AES-GCM IV when libica is in FIPS
mode
When the system is in FIPS mode, newer libica versions may prevent AES-GCM
from being used with an external IV. FIPS requires that the AES-GCM IV is
created libica internally via an approved random source.
The IBMCA engine can not support the internal generation of the AES-GCM IV,
because the engine API for AES-GCM does not allow this. Applications using
OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
external IV.
Enable the use of external AES-GCM IVs for libica, if the used libica library
supports this. Newer libica versions support to allow external AES-GCM IVs via
function ica_allow_external_gcm_iv_in_fips_mode().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/e_ibmca.c | 12 +++++++++++-
src/engine/ibmca.h | 1 +
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
index 6cbf745..afed3fe 100644
--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
ica_aes_gcm_last_t p_ica_aes_gcm_last;
#endif
ica_cleanup_t p_ica_cleanup;
+ica_allow_external_gcm_iv_in_fips_mode_t
+ p_ica_allow_external_gcm_iv_in_fips_mode;
/* save libcrypto's default ec methods */
#ifndef NO_EC
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
BIND(ibmca_dso, ica_ed448_ctx_del);
/* ica_cleanup is not always present and only needed for newer libraries */
- p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
+ BIND(ibmca_dso, ica_cleanup);
+
+ /*
+ * Allow external AES-GCM IV when libica runs in FIPS mode.
+ * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
+ * available with newer libraries.
+ */
+ if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
+ p_ica_allow_external_gcm_iv_in_fips_mode(1);
/* disable fallbacks on Libica */
if (BIND(ibmca_dso, ica_set_fallback_mode))
diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
index 7281a5b..01465eb 100644
--- a/src/engine/ibmca.h
+++ b/src/engine/ibmca.h
@@ -617,6 +617,7 @@ typedef
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
typedef void (*ica_cleanup_t)(void);
+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
/* entry points into libica, filled out at DSO load time */
extern ica_get_functionlist_t p_ica_get_functionlist;
--
2.45.1
From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 10 Jan 2024 15:08:47 +0100
Subject: [PATCH 2/4] test/provider: Do not link against libica use dlopen
instead
When an application links against libica (via -lica), then the libica library
constructor runs before the program's main function. Libica's library
constructor does initialize OpenSSL and thus parses the config file.
However, the test programs set up some OpenSSL configuration related
environment variables within function check_libica() called from the
main function. If libica has already initialized OpenSSL prior to that,
OpenSSL won't initialize again, and thus these environment variables have
no effect.
Dynamically load libica (via dlopen) only after setting the environment
variables.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
configure.ac | 2 ++
test/provider/Makefile.am | 15 +++++++++------
test/provider/dhkey.c | 24 ++++++++++++++++++++++--
test/provider/eckey.c | 24 ++++++++++++++++++++++--
test/provider/rsakey.c | 24 ++++++++++++++++++++++--
5 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index b43a659..09df230 100644
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
[])
AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
+AC_SUBST(libicaversion, "$libicaversion")
+
# If compiled against OpenSSL 3.0 or later, build the provider unless
# explicitely disabled.
# If build against OpenSSL 1.1.1, we can not build the provider.
diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
index 15a5466..fce06b3 100644
--- a/test/provider/Makefile.am
+++ b/test/provider/Makefile.am
@@ -24,24 +24,27 @@ TESTS = \
check_PROGRAMS = rsakey eckey dhkey threadtest
dhkey_SOURCES = dhkey.c
+dhkey_LDADD = -lcrypto -ldl
if PROVIDER_FULL_LIBICA
-dhkey_LDADD = -lcrypto -lica
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
else
-dhkey_LDADD = -lcrypto -lica-cex
+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
endif
eckey_SOURCES = eckey.c
+eckey_LDADD = -lcrypto -ldl
if PROVIDER_FULL_LIBICA
-eckey_LDADD = -lcrypto -lica
+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
else
-eckey_LDADD = -lcrypto -lica-cex
+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
endif
rsakey_SOURCES = rsakey.c
+rsakey_LDADD = -lcrypto -ldl
if PROVIDER_FULL_LIBICA
-rsakey_LDADD = -lcrypto -lica
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
else
-rsakey_LDADD = -lcrypto -lica-cex
+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
endif
threadtest_SOURCES = threadtest.c
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
index 8829ecc..0ec2c03 100644
--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
@@ -18,6 +18,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <dlfcn.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
static const unsigned int required_ica_mechs_len =
sizeof(required_ica_mechs) / sizeof(unsigned int);
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+ unsigned int *);
+
int check_libica()
{
unsigned int mech_len, i, k, found = 0;
libica_func_list_element *mech_list = NULL;
+ void *ibmca_dso;
+ ica_get_functionlist_t p_ica_get_functionlist;
int rc;
- rc = ica_get_functionlist(NULL, &mech_len);
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+ if (ibmca_dso == NULL) {
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+ return 77;
+ }
+
+ p_ica_get_functionlist =
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+ if (p_ica_get_functionlist == NULL) {
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+ LIBICA_NAME);
+ return 77;
+ }
+
+ rc = p_ica_get_functionlist(NULL, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
return 77;
@@ -373,7 +393,7 @@ int check_libica()
return 77;
}
- rc = ica_get_functionlist(mech_list, &mech_len);
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
free(mech_list);
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
index b2334d7..b8f47b7 100644
--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
@@ -18,6 +18,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <dlfcn.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
static const unsigned int required_ica_mechs_len =
sizeof(required_ica_mechs) / sizeof(unsigned int);
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+ unsigned int *);
+
int check_libica()
{
unsigned int mech_len, i, k, found = 0;
libica_func_list_element *mech_list = NULL;
+ void *ibmca_dso;
+ ica_get_functionlist_t p_ica_get_functionlist;
int rc;
- rc = ica_get_functionlist(NULL, &mech_len);
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+ if (ibmca_dso == NULL) {
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+ return 77;
+ }
+
+ p_ica_get_functionlist =
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+ if (p_ica_get_functionlist == NULL) {
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+ LIBICA_NAME);
+ return 77;
+ }
+
+ rc = p_ica_get_functionlist(NULL, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
return 77;
@@ -806,7 +826,7 @@ int check_libica()
return 77;
}
- rc = ica_get_functionlist(mech_list, &mech_len);
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
free(mech_list);
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
index 366b503..9d6a618 100644
--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
@@ -18,6 +18,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <dlfcn.h>
#include <openssl/conf.h>
#include <openssl/evp.h>
@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME, RSA_CRT };
static const unsigned int required_ica_mechs_len =
sizeof(required_ica_mechs) / sizeof(unsigned int);
+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
+ unsigned int *);
+
int check_libica()
{
unsigned int mech_len, i, k, found = 0;
libica_func_list_element *mech_list = NULL;
+ void *ibmca_dso;
+ ica_get_functionlist_t p_ica_get_functionlist;
int rc;
- rc = ica_get_functionlist(NULL, &mech_len);
+ ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
+ if (ibmca_dso == NULL) {
+ fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
+ return 77;
+ }
+
+ p_ica_get_functionlist =
+ (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
+ if (p_ica_get_functionlist == NULL) {
+ fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
+ LIBICA_NAME);
+ return 77;
+ }
+
+ rc = p_ica_get_functionlist(NULL, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
return 77;
@@ -753,7 +773,7 @@ int check_libica()
return 77;
}
- rc = ica_get_functionlist(mech_list, &mech_len);
+ rc = p_ica_get_functionlist(mech_list, &mech_len);
if (rc != 0) {
fprintf(stderr, "Failed to get function list from libica!\n");
free(mech_list);
--
2.45.1
From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 18 Jan 2024 16:35:14 +0100
Subject: [PATCH 3/4] test/provider: Explicitly initialize OpenSSL after
setting env vars.
When running with a libica version without commit
https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
it is necessary to explicitly initialize OpenSSL before loading libica. Because
otherwise libica's library constructor will initialize OpenSSL the first time,
which in turn will load the IBMCA provider, and it will fall into the same
problem as fixed by above libica commit, i.e. the provider won't be able to
get the supported algorithms from libica an thus will not register any
algorithms.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
test/provider/dhkey.c | 2 ++
test/provider/eckey.c | 2 ++
test/provider/rsakey.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
index 0ec2c03..b1270f5 100644
--- a/test/provider/dhkey.c
+++ b/test/provider/dhkey.c
@@ -461,6 +461,8 @@ int main(int argc, char **argv)
return 77;
}
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
ret = check_libica();
if (ret != 0)
return ret;
diff --git a/test/provider/eckey.c b/test/provider/eckey.c
index b8f47b7..a65bea5 100644
--- a/test/provider/eckey.c
+++ b/test/provider/eckey.c
@@ -895,6 +895,8 @@ int main(int argc, char **argv)
return 77;
}
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
ret = check_libica();
if (ret != 0)
return ret;
diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
index 9d6a618..874de6d 100644
--- a/test/provider/rsakey.c
+++ b/test/provider/rsakey.c
@@ -839,6 +839,8 @@ int main(int argc, char **argv)
return 77;
}
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
ret = check_libica();
if (ret != 0)
return ret;
--
2.45.1
From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 13 May 2024 08:53:56 +0200
Subject: [PATCH 4/4] engine: Fix compile error on Fedora 40
ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
from incompatible pointer type [-Wincompatible-pointer-types]
627 | EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/engine/ibmca_pkey.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
index 9c8de94..6cd8fcd 100644
--- a/src/engine/ibmca_pkey.c
+++ b/src/engine/ibmca_pkey.c
@@ -258,7 +258,7 @@ ret:
/* ED25519 */
-static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
{
return 1;
}
@@ -402,7 +402,7 @@ ret:
/* ED448 */
-static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
{
return 1;
}
--
2.45.1

View File

@ -1,35 +1,23 @@
%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
%global modulesdir %(pkg-config --variable=modulesdir libcrypto)
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
%global with_openssl3 1
%endif
Summary: OpenSSL engine and provider for IBMCA
Summary: A dynamic OpenSSL engine for IBMCA
Name: openssl-ibmca
Version: 2.4.1
Release: 2%{?dist}
Release: 1%{?dist}
License: ASL 2.0
Group: System Environment/Libraries
URL: https://github.com/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# warn the user about engine being deprecated
Patch1: %{name}-2.3.1-engine-warning.patch
# post GA fixes
Patch2: %{name}-%{version}-fixes.patch
Requires: libica >= 4.0.0
BuildRequires: make
Requires: libica >= 3.8.0
BuildRequires: gcc
BuildRequires: libica-devel >= 4.0.0
BuildRequires: libica-devel >= 3.8.0
BuildRequires: automake libtool
BuildRequires: openssl >= 3.0.5
BuildRequires: perl(FindBin)
BuildRequires: openssl
ExclusiveArch: s390 s390x
%description
A dynamic OpenSSL engine and provider for IBMCA crypto hardware on IBM Z
machines to accelerate cryptographic operations.
A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
%prep
@ -39,22 +27,16 @@ machines to accelerate cryptographic operations.
%build
%configure --libdir=%{enginesdir} --with-libica-cex --with-libica-version=4
%make_build
%configure --libdir=%{enginesdir} --with-libica-version=3
make %{?_smp_mflags}
%install
%make_install
rm -f %{buildroot}%{enginesdir}/*.la
%if 0%{?with_openssl3}
# provider is built when openssl3 is available, fix its location
mkdir -p %{buildroot}%{modulesdir}
mv %{buildroot}%{enginesdir}/ibmca-provider.so %{buildroot}%{modulesdir}/ibmca-provider.so
%endif
rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
pushd src/engine
sed -i -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample
sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
popd
# remove generated sample configs
@ -67,114 +49,60 @@ make check
%files
%license LICENSE
%doc ChangeLog README.md src/engine/openssl.cnf.sample
%doc src/engine/ibmca-engine-opensslconfig
%doc src/provider/ibmca-provider-opensslconfig
%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
%{enginesdir}/ibmca.so
%{_mandir}/man5/ibmca.5*
%if 0%{?with_openssl3}
%{modulesdir}/ibmca-provider.so
%{_mandir}/man5/ibmca-provider.5*
%endif
%changelog
* Thu May 23 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-2
- apply post-2.4.1 fixes (RHEL-23702)
- Resolves: RHEL-23702
* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
- updated to 2.4.1 (RHEL-11410)
- Resolves: RHEL-11410
* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.1-1
- updated to 2.4.1 (RHEL-11414)
- Resolves: RHEL-11414
* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
- engine: Only register those algos specified with default_algorithms (#2221891)
- Resolves: #2221891
* Thu Jul 27 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-4
- provider: RSA: Fix get_params to retrieve max-size, bits, and security-bits (#2222878 #2224568)
- provider: Default debug directory to /tmp but make it configurable (#2160084)
- Resolves: #2222878 #2160084 #2224568
* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
- updated to 2.4.0 (#2159722)
- Resolves: #2159722
* Mon Jul 17 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-3
- provider: Support importing of RSA keys with just ME components (#2222878)
- Resolves: #2222878
* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
- updated to 2.3.1 (#2110379)
- Resolves: #2110379
* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
- engine: Only register those algos specified with default_algorithms (#2221894)
- Resolves: #2221894
* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2043842)
- Resolves: #2043842
* Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
- updated to 2.4.0 (#2160084)
- Resolves: #2160084
* Fri Jan 13 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-2
- fix provider configuration script (#2140028)
- Resolves: #2140028
* Thu Jan 12 2023 Dan Horák <dhorak@redhat.com> - 2.3.1-1
- updated to 2.3.1 (#2110378)
- Resolves: #2110378
* Thu May 19 2022 Dan Horák <dhorak@redhat.com> - 2.3.0-1
- updated to 2.3.0 (#2044177)
- add provider for openssl 3.x (#2044185)
- Resolves: #2044177 #2044185
* Wed Feb 02 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
- updated to 2.2.2 (#2016989)
- Resolves: #2016989
* Mon Oct 25 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
- updated to 2.2.1 (#2016989)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
- updated to 2.2.1 (#1984971)
- Resolves: #1984971
* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
- fix DSA and DH registration (#1989380)
- Resolves: #1989380
- fix DSA and DH registration (#1989064)
- Resolves: #1989064
* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
- updated to 2.2.0 (#1869531)
- eliminate SW fallback functions (#1924117)
- Resolves: #1869531 #1924117
* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
- updated to 2.2.0 (#1919222)
- do not use libica software fallbacks (#1922204)
- Resolves: #1919222 #1922204
* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
- updated to 2.1.2
* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
- updated to 2.1.1 (#1780306)
- Resolves: #1780306
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.1-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
- updated to 2.1.0 (#1726242)
- Resolves: #1726242, #1723854
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
- updated to 2.0.3 (#1666622)
- Resolves: #1666622 #1659427 #1683099
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
- updated to 2.1.1
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
- updated to 2.1.0
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
- updated to 2.0.3
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
- updated to 2.0.2
* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
- run upstream test-suite during build
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
- Fix doing rsa-me, altough rsa-crt would be possible
- Resolves: #1655654
* Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
- updated to 2.0.0