diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..015f64d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/openssl-ibmca-2.0.0.tar.gz
diff --git a/.openssl-ibmca.metadata b/.openssl-ibmca.metadata
new file mode 100644
index 0000000..53dfba9
--- /dev/null
+++ b/.openssl-ibmca.metadata
@@ -0,0 +1 @@
+262bb90b2ecbaa254c963e025d28b6d6b7adf20b SOURCES/openssl-ibmca-2.0.0.tar.gz
diff --git a/SOURCES/openssl-ibmca-2.0.0-libica-soname.patch b/SOURCES/openssl-ibmca-2.0.0-libica-soname.patch
new file mode 100644
index 0000000..06aa8a3
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.0.0-libica-soname.patch
@@ -0,0 +1,12 @@
+diff -up openssl-ibmca-2.0.0/src/e_ibmca.c.orig openssl-ibmca-2.0.0/src/e_ibmca.c
+--- openssl-ibmca-2.0.0/src/e_ibmca.c.orig 2018-06-12 12:37:00.803473301 +0200
++++ openssl-ibmca-2.0.0/src/e_ibmca.c 2018-06-12 12:37:09.263473301 +0200
+@@ -43,7 +43,7 @@
+ #ifndef OPENSSL_NO_HW_IBMCA
+
+ #define IBMCA_LIB_NAME "ibmca engine"
+-#define LIBICA_SHARED_LIB "libica.so"
++#define LIBICA_SHARED_LIB "libica.so.3"
+
+ #define AP_PATH "/sys/devices/ap"
+
diff --git a/SOURCES/openssl-ibmca-2.0.0-linking.patch b/SOURCES/openssl-ibmca-2.0.0-linking.patch
new file mode 100644
index 0000000..fbc72e6
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.0.0-linking.patch
@@ -0,0 +1,27 @@
+From a6a837166e45e6537f35f6d35c38db54c6f4a640 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Tue, 12 Jun 2018 12:51:12 +0200
+Subject: [PATCH] omit version from filename
+
+The ibmca.so file is a dlopen()-ed module, so having the version info
+in the filename is superfluous.
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index fa37e4d..2254379 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -13,7 +13,7 @@ ibmca_la_SOURCES=e_ibmca.c \
+
+ ibmca_la_LIBADD=-ldl
+ ibmca_la_LDFLAGS=-module -version-info ${VERSION} -shared -no-undefined \
+- -Wl,--version-script=${srcdir}/../ibmca.map
++ -avoid-version -Wl,--version-script=${srcdir}/../ibmca.map
+
+ dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h
+ EXTRA_DIST = openssl.cnf.sample
+--
+2.14.3
+
diff --git a/SOURCES/openssl-ibmca-2.0.0-rsa.patch b/SOURCES/openssl-ibmca-2.0.0-rsa.patch
new file mode 100644
index 0000000..66740c3
--- /dev/null
+++ b/SOURCES/openssl-ibmca-2.0.0-rsa.patch
@@ -0,0 +1,31 @@
+From a0e23d4063bf897dd9136c491d2201de5fbba653 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer
+Date: Thu, 22 Nov 2018 18:47:11 +0100
+Subject: [PATCH] Fix doing rsa-me, altough rsa-crt would be possible
+
+rsa-crt is preferred to rsa-me when possible for performance reason.
+This bug was introduced with commit dc8465b (ibmca >= 1.3.1) for
+openssl >= 1.1.0. Commit ed496f6 (ibmca >= 2.0.0) introduced the bug
+also for openssl versions < 1.1.0.
+
+Signed-off-by: Patrick Steuer
+---
+ src/ibmca_rsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ibmca_rsa.c b/src/ibmca_rsa.c
+index a4dd194..d1a95ed 100644
+--- a/src/ibmca_rsa.c
++++ b/src/ibmca_rsa.c
+@@ -309,7 +309,7 @@ static int ibmca_rsa_mod_exp(BIGNUM * r0, const BIGNUM * I, RSA * rsa,
+ RSA_get0_key(rsa, &n, NULL, &d);
+ RSA_get0_factors(rsa, &p, &q);
+ RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+- if (!p || !q || !dmp1 || !dmq1 || iqmp) {
++ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ if (!d || !n) {
+ IBMCAerr(IBMCA_F_IBMCA_RSA_MOD_EXP, IBMCA_R_MISSING_KEY_COMPONENTS);
+ goto err;
+--
+1.8.3.1
+
diff --git a/SPECS/openssl-ibmca.spec b/SPECS/openssl-ibmca.spec
new file mode 100644
index 0000000..8107898
--- /dev/null
+++ b/SPECS/openssl-ibmca.spec
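Review bot: The corrected test `if (!p || !q || !dmp1 || !dmq1 || !iqmp)` in ibmca_rsa_mod_exp (openssl-ibmca-2.0.0-rsa.patch) carries no comment saying which private-key path it selects, and by the commit message the one-character inversion it fixes survived two releases. A comment above it such as `/* Fall back to rsa-me (d, n) only when a CRT component is missing; otherwise use rsa-crt. */` would make the intent checkable at a glance. The message describes the effect as performance only, but with the old test a key that had p, q, dmp1 and dmq1 set and iqmp NULL would also have skipped the fallback branch. A regression test with one full CRT key and one key lacking iqmp would pin both branches. The function body starts and ends outside the hunk, so what follows the fallback is not visible here.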
@@ -0,0 +1,163 @@ +Summary: A dynamic OpenSSL engine for IBMCA +Name: openssl-ibmca +Version: 2.0.0 +Release: 2%{?dist} +License: ASL 2.0 +Group: System Environment/Libraries +URL: https://github.com/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# https://bugzilla.redhat.com/show_bug.cgi?id=584765 +Patch0: %{name}-2.0.0-libica-soname.patch +# https://github.com/opencryptoki/openssl-ibmca/pull/44 +Patch1: %{name}-2.0.0-linking.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1655620 +Patch2: %{name}-2.0.0-rsa.patch +Requires: libica >= 3.3.0 +BuildRequires: libica-devel >= 3.3.0 +BuildRequires: automake libtool +ExclusiveArch: s390 s390x + +%description +A dynamic OpenSSL engine for IBMCA crypto hardware on IBM zSeries machines. + + +%prep +%setup -q +%patch0 -p1 -b .libica-soname +%patch1 -p1 -b .linking +%patch2 -p1 -b .rsa + +sh ./bootstrap.sh + + +%build +%configure +make %{?_smp_mflags} + + +%install +make install DESTDIR=$RPM_BUILD_ROOT + +rm -f $RPM_BUILD_ROOT%{_libdir}/ibmca.la +mkdir -p $RPM_BUILD_ROOT%{_libdir}/openssl/engines +mv $RPM_BUILD_ROOT%{_libdir}/ibmca.so $RPM_BUILD_ROOT%{_libdir}/openssl/engines + +# /etc/pki/tls/openssl.cnf in RHEL <= 7.5 with ibmca enabled refers to libibmca.so +# create symlink for compatibility with openssl-ibmca < 1.4.1 +pushd $RPM_BUILD_ROOT%{_libdir}/openssl/engines +ln -sf ibmca.so libibmca.so +popd + +pushd src +sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd + + +%files +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%{_libdir}/openssl/engines/ibmca.so +%{_libdir}/openssl/engines/libibmca.so +%{_mandir}/man5/ibmca.5* + + +%changelog +* Tue Mar 05 2019 Dan Horák - 2.0.0-2 +- Fix doing rsa-me, altough rsa-crt would be possible +- Resolves: #1655620 + +* Tue Jul 10 2018 Dan Horák - 2.0.0-1 +- rebased to 2.0.0 +- Resolves: #1519395 + +* Thu Jun 21 2018 Dan Horák - 1.4.0-2 +- 
fix dlclose logic +- Resolves: #1585235 + +* Tue Sep 19 2017 Dan Horák - 1.4.0-1 +- update to 1.4.0 +- Resolves: #1456516 + +* Fri Mar 31 2017 Dan Horák - 1.3.0-2 +- add fix for SHA512 EVP digest struct +- Related: #1274385 + +* Tue Feb 14 2017 Dan Horák - 1.3.0-1 +- rebased to 1.3.0 (#1274385) +- Resolves: #1274385 + +* Wed Mar 26 2014 Dan Horák 1.2.0-8 +- Fixed message digest length definition in sha256 template +- Resolves: #1074976 + +* Fri Jan 24 2014 Daniel Mach - 1.2.0-7 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 1.2.0-6 +- Mass rebuild 2013-12-27 + +* Thu Feb 14 2013 Fedora Release Engineering - 1.2.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jul 20 2012 Fedora Release Engineering - 1.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Apr 20 2012 Dan Horák - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jul 07 2011 Dan Horák - 1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Apr 22 2010 Dan Horák - 1.1-2 +- fixed opening of the libica library (#584765) +- Resolves: #584765 + +* Thu Mar 4 2010 Dan Horák - 1.1-1 +- rebased to 1.1 instead of patching +- Resolves: #568847 + +* Thu Feb 18 2010 Dan Horák - 1.0.0-5 +- added patch with port to libica 2.x API +- Related: #543948 + +* Wed Feb 10 2010 Dan Horák - 1.0.0-4 +- added explicit dependency on libica, because it's dlopened +- Related: #543948 + +* Tue Jan 12 2010 Dan Horák - 1.0.0-3 +- rebuild +- Related: #543948 + +* Sat Jul 25 2009 Fedora Release Engineering - 1.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 9 2009 Dan Horak - 1.0.0rc2-1.el5.4 +- Fixed several issues with failure of using ibmca engine (#227644) + +* Tue Dec 12 2006 Phil Knirsch - 1.0.0rc2-1.el5.3 +- Added missing symlinks for libs (#215735) +- Added samle config file (#215735) + +* Thu Nov 23 2006 Phil Knirsch - 1.0.0rc2-1.el5.2 +- 
Necessary fix so openssl finds the module properly (#215735) + +* Thu May 11 2006 Phil Knirsch - 1.0.0rc2 +- Initial package.
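Review bot: `Requires: libica >= 3.3.0` has no tie to the library name that Patch0 hard-codes, `#define LIBICA_SHARED_LIB "libica.so.3"`. Because the engine loads libica with dlopen(), RPM's automatic soname dependencies do not cover it, so a libica update that changes the soname would still satisfy this Requires while the engine fails to load at run time. A comment beside the Requires line, for example `# engine dlopen()s libica.so.3 (Patch0); revisit when libica changes soname`, would record the coupling for the next rebase. How callers behave when the engine cannot be loaded is not visible in this change.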