.gitignore

@@ -1 +1 @@
-/openssl-ibmca-*.tar.gz
+SOURCES/openssl-ibmca-2.4.1.tar.gz

SPECS/openssl-ibmca.spec

@@ -1,27 +1,23 @@
-%global modulesdir %%(pkg-config --variable=modulesdir libcrypto)
+%global enginesdir %(pkg-config --variable=enginesdir libcrypto)
 
-Summary: OpenSSL provider for IBMCA
+Summary: A dynamic OpenSSL engine for IBMCA
 Name: openssl-ibmca
 Version: 2.4.1
-Release: 6%{?dist}
+Release: 1%{?dist}
-License: Apache-2.0
+License: ASL 2.0
+Group: System Environment/Libraries
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-# post GA fixes
+Requires: libica >= 3.8.0
-Patch0: %{name}-%{version}-fixes.patch
-Requires: libica >= 4.0.0
-BuildRequires: make
 BuildRequires: gcc
-BuildRequires: libica-devel >= 4.0.0
+BuildRequires: libica-devel >= 3.8.0
 BuildRequires: automake libtool
-BuildRequires: openssl >= 3.0.5
+BuildRequires: openssl
-BuildRequires: perl(FindBin)
 ExclusiveArch: s390 s390x
 
 
 %description
-A dynamic OpenSSL provider for IBMCA crypto hardware on IBM Z machines
+A dynamic OpenSSL engine for IBMCA crypto hardware on IBM z Systems machines.
-to accelerate cryptographic operations.
 
 
 %prep
@@ -31,13 +27,17 @@ to accelerate cryptographic operations.
 
 
 %build
-%configure --disable-engine --enable-provider --libdir=%{modulesdir} --with-libica-cex --with-libica-version=4
+%configure --libdir=%{enginesdir} --with-libica-version=3
-%make_build
+make %{?_smp_mflags}
 
 
 %install
 %make_install
-rm -f %{buildroot}%{modulesdir}/*.la
+rm -f $RPM_BUILD_ROOT%{enginesdir}/*.la
+
+pushd src/engine
+sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}
+popd
 
 # remove generated sample configs
 rm -rf %{buildroot}%{_datadir}/%{name}
@@ -49,120 +49,60 @@ make check
 
 %files
 %license LICENSE
-%doc ChangeLog README.md
+%doc ChangeLog README.md src/engine/openssl.cnf.sample.%{_arch}
-%doc src/provider/ibmca-provider-opensslconfig
+%{enginesdir}/ibmca.so
-%{modulesdir}/ibmca-provider.so
+%{_mandir}/man5/ibmca.5*
-%{_mandir}/man5/ibmca-provider.5*
 
 
 %changelog
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.1-6
+* Fri Oct 27 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.1-1
-- Bump release for October 2024 mass rebuild:
+- updated to 2.4.1 (RHEL-11410)
-  Resolves: RHEL-64018
+- Resolves: RHEL-11410
 
-* Thu Jul 04 2024 Dan Horák <dhorak@redhat.com> - 2.4.1-5
+* Wed Jul 12 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
-- apply post-2.4.1 fixes (RHEL-24084)
+- engine: Only register those algos specified with default_algorithms (#2221891)
-- Resolves: RHEL-24084
+- Resolves: #2221891
 
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.1-4
+* Mon May 29 2023 Dan Horák <dhorak[at]redhat.com> - 2.4.0-1
-- Bump release for June 2024 mass rebuild
+- updated to 2.4.0 (#2159722)
+- Resolves: #2159722
 
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-3
+* Fri Jan 06 2023 Dan Horák <dhorak[at]redhat.com> - 2.3.1-1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- updated to 2.3.1 (#2110379)
+- Resolves: #2110379
 
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-2
+* Tue Mar 29 2022 Dan Horák <dhorak[at]redhat.com> - 2.3.0-1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- updated to 2.3.0 (#2043842)
+- Resolves: #2043842
 
-* Thu Sep 21 2023 Dan Horák <dan@danny.cz> - 2.4.1-1
+* Wed Oct 06 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.1-1
-- updated to 2.4.1
+- updated to 2.2.1 (#1984971)
+- Resolves: #1984971
 
-* Thu Jul 27 2023 Dan Horák <dan@danny.cz> - 2.4.0-5
+* Mon Aug 09 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-2
-- switch to upstream fix for logging into /tmp
+- fix DSA and DH registration (#1989064)
+- Resolves: #1989064
 
-* Wed Jul 26 2023 Dan Horák <dan@danny.cz> - 2.4.0-4
+* Tue Jul 13 2021 Dan Horák <dhorak[at]redhat.com> - 2.2.0-1
-- one more fix
+- updated to 2.2.0 (#1919222)
+- do not use libica software fallbacks (#1922204)
+- Resolves: #1919222 #1922204
 
-* Wed Jul 26 2023 Dan Horák <dan@danny.cz> - 2.4.0-3
+* Thu May 21 2020 Dan Horák <dhorak[at]redhat.com> - 2.1.1-1
-- add post GA fixes
+- updated to 2.1.1 (#1780306)
-- let provider log into /tmp
+- Resolves: #1780306
 
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
+* Tue Nov 05 2019 Dan Horák <dhorak[at]redhat.com> - 2.1.0-1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+- updated to 2.1.0 (#1726242)
+- Resolves: #1726242, #1723854
 
-* Tue Apr 04 2023 Dan Horák <dan@danny.cz> - 2.4.0-1
+* Mon Apr 29 2019 Dan Horák <dhorak[at]redhat.com> - 2.0.3-1
-- updated to 2.4.0
+- updated to 2.0.3 (#1666622)
+- Resolves: #1666622 #1659427 #1683099
 
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-5
+* Tue Dec 11 2018 Dan Horák <dhorak[at]redhat.com> - 2.0.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+- Fix doing rsa-me, altough rsa-crt would be possible
-
+- Resolves: #1655654
-* Fri Jan 13 2023 Dan Horák <dan@danny.cz> - 2.3.1-4
-- add post GA fixes
-
-* Fri Jan 06 2023 Dan Horák <dan@danny.cz> - 2.3.1-3
-- switch to building only the provider
-
-* Fri Sep 30 2022 Dan Horák <dan@danny.cz> - 2.3.1-1
-- updated to 2.3.1
-
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu May 19 2022 Dan Horák <dan@danny.cz> - 2.3.0-1
-- updated to 2.3.0
-
-* Mon Mar 21 2022 Dan Horák <dan@danny.cz> - 2.2.3-1
-- updated to 2.2.3
-
-* Mon Jan 31 2022 Dan Horák <dan@danny.cz> - 2.2.2-1
-- updated to 2.2.2
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Sep 14 2021 Dan Horák <dan@danny.cz> - 2.2.1-1
-- updated to 2.2.1
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri Jun 04 2021 Dan Horák <dan@danny.cz> - 2.2.0-1
-- updated to 2.2.0
-
-* Wed May 12 2021 Dan Horák <dan@danny.cz> - 2.1.2-1
-- updated to 2.1.2
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue May 12 2020 Dan Horák <dan@danny.cz> - 2.1.1-1
-- updated to 2.1.1
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Sep 09 2019 Dan Horák <dan@danny.cz> - 2.1.0-1
-- updated to 2.1.0
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Wed Apr 24 2019 Dan Horák <dan@danny.cz> - 2.0.3-1
-- updated to 2.0.3
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Dec 13 2018 Dan Horák <dan@danny.cz> - 2.0.2-1
-- updated to 2.0.2
-
-* Thu Aug 23 2018 Dan Horák <dan@danny.cz> - 2.0.0-3
-- run upstream test-suite during build
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Mon Jun 18 2018 Dan Horák <dan@danny.cz> - 2.0.0-1
 - updated to 2.0.0

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-tier1.functional}

openssl-ibmca-2.4.1-fixes.patch

@@ -1,423 +0,0 @@
-From 7186bff3fa2a3dd939e1bc0fed48e733da4477a7 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Mon, 8 Jan 2024 08:52:24 +0100
-Subject: [PATCH 1/4] engine: Enable external AES-GCM IV when libica is in FIPS
- mode
-
-When the system is in FIPS mode, newer libica versions may prevent AES-GCM
-from being used with an external IV. FIPS requires that the AES-GCM IV is
-created libica internally via an approved random source.
-
-The IBMCA engine can not support the internal generation of the AES-GCM IV,
-because the engine API for AES-GCM does not allow this. Applications using
-OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an
-external IV.
-
-Enable the use of external AES-GCM IVs for libica, if the used libica library
-supports this. Newer libica versions support to allow external AES-GCM IVs via
-function ica_allow_external_gcm_iv_in_fips_mode().
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- src/engine/e_ibmca.c | 12 +++++++++++-
- src/engine/ibmca.h   |  1 +
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
-index 6cbf745..afed3fe 100644
---- a/src/engine/e_ibmca.c
-+++ b/src/engine/e_ibmca.c
-@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t      p_ica_aes_gcm_intermediate;
- ica_aes_gcm_last_t              p_ica_aes_gcm_last;
- #endif
- ica_cleanup_t                   p_ica_cleanup;
-+ica_allow_external_gcm_iv_in_fips_mode_t
-+                                p_ica_allow_external_gcm_iv_in_fips_mode;
- 
- /* save libcrypto's default ec methods */
- #ifndef NO_EC
-@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
-     BIND(ibmca_dso, ica_ed448_ctx_del);
- 
-     /* ica_cleanup is not always present and only needed for newer libraries */
--    p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
-+    BIND(ibmca_dso, ica_cleanup);
-+
-+    /*
-+     * Allow external AES-GCM IV when libica runs in FIPS mode.
-+     * ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
-+     * available with newer libraries.
-+     */
-+    if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
-+        p_ica_allow_external_gcm_iv_in_fips_mode(1);
- 
-     /* disable fallbacks on Libica */
-     if (BIND(ibmca_dso, ica_set_fallback_mode))
-diff --git a/src/engine/ibmca.h b/src/engine/ibmca.h
-index 7281a5b..01465eb 100644
---- a/src/engine/ibmca.h
-+++ b/src/engine/ibmca.h
-@@ -617,6 +617,7 @@ typedef
- int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
- 
- typedef void (*ica_cleanup_t)(void);
-+typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
- 
- /* entry points into libica, filled out at DSO load time */
- extern ica_get_functionlist_t           p_ica_get_functionlist;
--- 
-2.45.1
-
-
-From 2f420ff28cedfea2ca730d7e54dba39fa4e06cbc Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Wed, 10 Jan 2024 15:08:47 +0100
-Subject: [PATCH 2/4] test/provider: Do not link against libica use dlopen
- instead
-
-When an application links against libica (via -lica), then the libica library
-constructor runs before the program's main function. Libica's library
-constructor does initialize OpenSSL and thus parses the config file.
-
-However, the test programs set up some OpenSSL configuration related
-environment variables within function check_libica() called from the
-main function. If libica has already initialized OpenSSL prior to that,
-OpenSSL won't initialize again, and thus these environment variables have
-no effect.
-
-Dynamically load libica (via dlopen) only after setting the environment
-variables.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- configure.ac              |  2 ++
- test/provider/Makefile.am | 15 +++++++++------
- test/provider/dhkey.c     | 24 ++++++++++++++++++++++--
- test/provider/eckey.c     | 24 ++++++++++++++++++++++--
- test/provider/rsakey.c    | 24 ++++++++++++++++++++++--
- 5 files changed, 77 insertions(+), 12 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b43a659..09df230 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -116,6 +116,8 @@ AC_ARG_WITH([provider-libica-full],
- 	[])
- AM_CONDITIONAL([PROVIDER_FULL_LIBICA], [test "x$useproviderfulllibica" = xyes])
- 
-+AC_SUBST(libicaversion, "$libicaversion")
-+
- # If compiled against OpenSSL 3.0 or later, build the provider unless
- # explicitely disabled. 
- # If build against OpenSSL 1.1.1, we can not build the provider.
-diff --git a/test/provider/Makefile.am b/test/provider/Makefile.am
-index 15a5466..fce06b3 100644
---- a/test/provider/Makefile.am
-+++ b/test/provider/Makefile.am
-@@ -24,24 +24,27 @@ TESTS = \
- check_PROGRAMS = rsakey eckey dhkey threadtest
- 
- dhkey_SOURCES = dhkey.c
-+dhkey_LDADD = -lcrypto -ldl
- if PROVIDER_FULL_LIBICA
--dhkey_LDADD = -lcrypto -lica
-+dhkey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
- else
--dhkey_LDADD = -lcrypto -lica-cex
-+dhkey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
- endif
- 
- eckey_SOURCES = eckey.c
-+eckey_LDADD = -lcrypto -ldl
- if PROVIDER_FULL_LIBICA
--eckey_LDADD = -lcrypto -lica
-+eckey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
- else
--eckey_LDADD = -lcrypto -lica-cex
-+eckey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
- endif
- 
- rsakey_SOURCES = rsakey.c
-+rsakey_LDADD = -lcrypto -ldl
- if PROVIDER_FULL_LIBICA
--rsakey_LDADD = -lcrypto -lica
-+rsakey_CFLAGS = -DLIBICA_NAME=\"libica.so.@libicaversion@\"
- else
--rsakey_LDADD = -lcrypto -lica-cex
-+rsakey_CFLAGS = -DLIBICA_NAME=\"libica-cex.so.@libicaversion@\"
- endif
- 
- threadtest_SOURCES = threadtest.c
-diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
-index 8829ecc..0ec2c03 100644
---- a/test/provider/dhkey.c
-+++ b/test/provider/dhkey.c
-@@ -18,6 +18,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <dlfcn.h>
- 
- #include <openssl/conf.h>
- #include <openssl/evp.h>
-@@ -355,13 +356,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME };
- static const unsigned int required_ica_mechs_len =
-                         sizeof(required_ica_mechs) / sizeof(unsigned int);
- 
-+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
-+                                               unsigned int *);
-+
- int check_libica()
- {
-     unsigned int mech_len, i, k, found = 0;
-     libica_func_list_element *mech_list = NULL;
-+    void *ibmca_dso;
-+    ica_get_functionlist_t p_ica_get_functionlist;
-     int rc;
- 
--    rc = ica_get_functionlist(NULL, &mech_len);
-+    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
-+    if (ibmca_dso == NULL) {
-+        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
-+        return 77;
-+    }
-+
-+    p_ica_get_functionlist =
-+            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
-+    if (p_ica_get_functionlist == NULL) {
-+        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
-+                LIBICA_NAME);
-+        return 77;
-+    }
-+
-+    rc = p_ica_get_functionlist(NULL, &mech_len);
-     if (rc != 0) {
-         fprintf(stderr, "Failed to get function list from libica!\n");
-         return 77;
-@@ -373,7 +393,7 @@ int check_libica()
-         return 77;
-     }
- 
--    rc = ica_get_functionlist(mech_list, &mech_len);
-+    rc = p_ica_get_functionlist(mech_list, &mech_len);
-     if (rc != 0) {
-         fprintf(stderr, "Failed to get function list from libica!\n");
-         free(mech_list);
-diff --git a/test/provider/eckey.c b/test/provider/eckey.c
-index b2334d7..b8f47b7 100644
---- a/test/provider/eckey.c
-+++ b/test/provider/eckey.c
-@@ -18,6 +18,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <dlfcn.h>
- 
- #include <openssl/conf.h>
- #include <openssl/evp.h>
-@@ -788,13 +789,32 @@ static const unsigned int required_ica_mechs[] = { EC_DH, EC_DSA_SIGN,
- static const unsigned int required_ica_mechs_len =
-                         sizeof(required_ica_mechs) / sizeof(unsigned int);
- 
-+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
-+                                               unsigned int *);
-+
- int check_libica()
- {
-     unsigned int mech_len, i, k, found = 0;
-     libica_func_list_element *mech_list = NULL;
-+    void *ibmca_dso;
-+    ica_get_functionlist_t p_ica_get_functionlist;
-     int rc;
- 
--    rc = ica_get_functionlist(NULL, &mech_len);
-+    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
-+    if (ibmca_dso == NULL) {
-+        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
-+        return 77;
-+    }
-+
-+    p_ica_get_functionlist =
-+            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
-+    if (p_ica_get_functionlist == NULL) {
-+        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
-+                LIBICA_NAME);
-+        return 77;
-+    }
-+
-+    rc = p_ica_get_functionlist(NULL, &mech_len);
-     if (rc != 0) {
-         fprintf(stderr, "Failed to get function list from libica!\n");
-         return 77;
-@@ -806,7 +826,7 @@ int check_libica()
-         return 77;
-     }
- 
--    rc = ica_get_functionlist(mech_list, &mech_len);
-+    rc = p_ica_get_functionlist(mech_list, &mech_len);
-     if (rc != 0) {
-         fprintf(stderr, "Failed to get function list from libica!\n");
-         free(mech_list);
-diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
-index 366b503..9d6a618 100644
---- a/test/provider/rsakey.c
-+++ b/test/provider/rsakey.c
-@@ -18,6 +18,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <dlfcn.h>
- 
- #include <openssl/conf.h>
- #include <openssl/evp.h>
-@@ -735,13 +736,32 @@ static const unsigned int required_ica_mechs[] = { RSA_ME,  RSA_CRT };
- static const unsigned int required_ica_mechs_len =
-                         sizeof(required_ica_mechs) / sizeof(unsigned int);
- 
-+typedef unsigned int (*ica_get_functionlist_t)(libica_func_list_element *,
-+                                               unsigned int *);
-+
- int check_libica()
- {
-     unsigned int mech_len, i, k, found = 0;
-     libica_func_list_element *mech_list = NULL;
-+    void *ibmca_dso;
-+    ica_get_functionlist_t p_ica_get_functionlist;
-     int rc;
- 
--    rc = ica_get_functionlist(NULL, &mech_len);
-+    ibmca_dso = dlopen(LIBICA_NAME, RTLD_NOW);
-+    if (ibmca_dso == NULL) {
-+        fprintf(stderr, "Failed to load libica '%s'!\n", LIBICA_NAME);
-+        return 77;
-+    }
-+
-+    p_ica_get_functionlist =
-+            (ica_get_functionlist_t)dlsym(ibmca_dso, "ica_get_functionlist");
-+    if (p_ica_get_functionlist == NULL) {
-+        fprintf(stderr, "Failed to get ica_get_functionlist from '%s'!\n",
-+                LIBICA_NAME);
-+        return 77;
-+    }
-+
-+    rc = p_ica_get_functionlist(NULL, &mech_len);
-     if (rc != 0) {
-         fprintf(stderr, "Failed to get function list from libica!\n");
-         return 77;
-@@ -753,7 +773,7 @@ int check_libica()
-         return 77;
-     }
- 
--    rc = ica_get_functionlist(mech_list, &mech_len);
-+    rc = p_ica_get_functionlist(mech_list, &mech_len);
-     if (rc != 0) {
-         fprintf(stderr, "Failed to get function list from libica!\n");
-         free(mech_list);
--- 
-2.45.1
-
-
-From d2254c6641b1cf34d5f735f335edf9a05ddfd67e Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Thu, 18 Jan 2024 16:35:14 +0100
-Subject: [PATCH 3/4] test/provider: Explicitly initialize OpenSSL after
- setting env vars.
-
-When running with a libica version without commit
-https://github.com/opencryptoki/libica/commit/42e197f61b298c6e6992b080c1923e7e85edea5a
-it is necessary to explicitly initialize OpenSSL before loading libica. Because
-otherwise libica's library constructor will initialize OpenSSL the first time,
-which in turn will load the IBMCA provider, and it will fall into the same
-problem as fixed by above libica commit, i.e. the provider won't be able to
-get the supported algorithms from libica an thus will not register any
-algorithms.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- test/provider/dhkey.c  | 2 ++
- test/provider/eckey.c  | 2 ++
- test/provider/rsakey.c | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/test/provider/dhkey.c b/test/provider/dhkey.c
-index 0ec2c03..b1270f5 100644
---- a/test/provider/dhkey.c
-+++ b/test/provider/dhkey.c
-@@ -461,6 +461,8 @@ int main(int argc, char **argv)
-         return 77;
-     }
- 
-+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-+
-     ret = check_libica();
-     if (ret != 0)
-         return ret;
-diff --git a/test/provider/eckey.c b/test/provider/eckey.c
-index b8f47b7..a65bea5 100644
---- a/test/provider/eckey.c
-+++ b/test/provider/eckey.c
-@@ -895,6 +895,8 @@ int main(int argc, char **argv)
-         return 77;
-     }
- 
-+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-+
-     ret = check_libica();
-     if (ret != 0)
-         return ret;
-diff --git a/test/provider/rsakey.c b/test/provider/rsakey.c
-index 9d6a618..874de6d 100644
---- a/test/provider/rsakey.c
-+++ b/test/provider/rsakey.c
-@@ -839,6 +839,8 @@ int main(int argc, char **argv)
-         return 77;
-     }
- 
-+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-+
-     ret = check_libica();
-     if (ret != 0)
-         return ret;
--- 
-2.45.1
-
-
-From 4ea48e0682ff9a58340421dc9d896c7ca06a2621 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Mon, 13 May 2024 08:53:56 +0200
-Subject: [PATCH 4/4] engine: Fix compile error on Fedora 40
-
-ibmca_pkey.c:627:47: error: passing argument 2 of 'EVP_PKEY_meth_set_copy'
-from incompatible pointer type [-Wincompatible-pointer-types]
-      627 |     EVP_PKEY_meth_set_copy(ibmca_ed448_pmeth, ibmca_ed448_copy);
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- src/engine/ibmca_pkey.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/engine/ibmca_pkey.c b/src/engine/ibmca_pkey.c
-index 9c8de94..6cd8fcd 100644
---- a/src/engine/ibmca_pkey.c
-+++ b/src/engine/ibmca_pkey.c
-@@ -258,7 +258,7 @@ ret:
- 
- /* ED25519 */
- 
--static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
-+static int ibmca_ed25519_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
- {
-     return 1;
- }
-@@ -402,7 +402,7 @@ ret:
- 
- /* ED448 */
- 
--static int ibmca_ed448_copy(EVP_PKEY_CTX *to, EVP_PKEY_CTX *from)
-+static int ibmca_ed448_copy(EVP_PKEY_CTX *to, const EVP_PKEY_CTX *from)
- {
-     return 1;
- }
--- 
-2.45.1
-

sources

@@ -1 +0,0 @@
-SHA512 (openssl-ibmca-2.4.1.tar.gz) = e48b3fae04b0169001c52b1b959a855314f2e7314c6bd9df5ae31dc4a23525619ccca8c3465bad2966a63e32e3fe2c8f05ede84f8bf3d08386c7898d238331a6