Debian

Available patches from Ubuntu

To see Ubuntu differences wrt. to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: openssl

openssl (1.1.1a-1ubuntu2) disco; urgency=medium * Drop the NEWS entry, not applicable on Ubuntu. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 28 Nov 2018 14:24:28 +0000 openssl (1.1.1a-1ubuntu1) disco; urgency=medium * Merge from Debian unstable, remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Further decrease security level from 1 to 0, for compatibility with openssl 1.0.2. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 28 Nov 2018 14:06:04 +0000

Modifications :
  1. Download patch debian/rules

    --- 1.1.1a-1/debian/rules 2018-11-21 22:42:25.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/rules 2018-11-28 14:04:44.000000000 +0000 @@ -138,6 +138,15 @@ override_dh_fixperms: fi dh_fixperms -a -X etc/ssl/private +override_dh_compress: + dh_compress + # symlink doc files + for p in openssl libssl-dev; do \ + for f in changelog.Debian.gz changelog.gz copyright; do \ + ln -sf ../libssl1.1/$$f debian/$$p/usr/share/doc/$$p/$$f; \ + done; \ + done + override_dh_perl: dh_perl -d
  2. Download patch debian/control

    --- 1.1.1a-1/debian/control 2018-11-21 22:42:25.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/control 2018-11-28 14:04:44.000000000 +0000 @@ -2,7 +2,8 @@ Source: openssl Build-Depends: debhelper (>= 11), m4, bc, dpkg-dev (>= 1.15.7) Section: utils Priority: optional -Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> Uploaders: Christoph Martin <christoph.martin@uni-mainz.de>, Kurt Roeckx <kurt@roeckx.be>, Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Standards-Version: 4.2.1 Vcs-Browser: https://salsa.debian.org/debian/openssl
  3. Download patch debian/patches/UBUNTU-Revert-Set-systemwide-default-settings-for-libssl-users.patch

    --- 1.1.1a-1/debian/patches/UBUNTU-Revert-Set-systemwide-default-settings-for-libssl-users.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/patches/UBUNTU-Revert-Set-systemwide-default-settings-for-libssl-users.patch 2018-11-28 14:04:44.000000000 +0000 @@ -0,0 +1,42 @@ +From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Tue, 20 Mar 2018 22:07:30 +0100 +Subject: Set systemwide default settings for libssl users + +This config change enforeces a TLS1.2 protocol version as minimum. It +can be overwritten by the system administrator. + +It also changes the default security level from 1 to 2, moving from the 80 bit +security level to the 112 bit security level. + +Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +--- + apps/openssl.cnf | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +Index: openssl-1.1.1/apps/openssl.cnf +=================================================================== +--- openssl-1.1.1.orig/apps/openssl.cnf ++++ openssl-1.1.1/apps/openssl.cnf +@@ -16,9 +16,6 @@ RANDFILE = $ENV::HOME/.rnd + #oid_file = $ENV::HOME/.oid + oid_section = new_oids + +-# System default +-openssl_conf = default_conf +- + # To use this configuration file with the "-extfile" option of the + # "openssl x509" utility, name here the section containing the + # X.509v3 extensions to use: +@@ -353,12 +350,3 @@ ess_cert_id_chain = no # Must the ESS ce + # (optional, default: no) + ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) +-[default_conf] +-ssl_conf = ssl_sect +- +-[ssl_sect] +-system_default = system_default_sect +- +-[system_default_sect] +-MinProtocol = TLSv1.2 +-CipherString = DEFAULT@SECLEVEL=2
  4. Download patch debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch

    --- 1.1.1a-1/debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch 2018-11-28 14:04:44.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Lower TLS Security Level to trust (old) small sized keys + +TLS Security Level sets the minimum acceptable level of supported +combinations of algorithms and key sizes for various TLS protocol +levels. However, raising that to 1 (upstream default), or 2 (debian +ssl.cnf patch), causes connectivity regressions as these levels reject +certs that openssl1.0.2 used to (and still does) accept. + +Index: openssl-1.1.1/include/openssl/tls1.h +=================================================================== +--- openssl-1.1.1.orig/include/openssl/tls1.h ++++ openssl-1.1.1/include/openssl/tls1.h +@@ -21,7 +21,7 @@ extern "C" { + + /* Default security level if not overridden at config time */ + # ifndef OPENSSL_TLS_SECURITY_LEVEL +-# define OPENSSL_TLS_SECURITY_LEVEL 1 ++# define OPENSSL_TLS_SECURITY_LEVEL 0 + # endif + + # define TLS1_VERSION 0x0301
  5. Download patch debian/libssl1.1.postinst

    --- 1.1.1a-1/debian/libssl1.1.postinst 2018-11-21 22:42:25.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/libssl1.1.postinst 2018-11-28 14:04:44.000000000 +0000 @@ -57,6 +57,8 @@ filerc() { if [ "$1" = "configure" ] then if [ ! -z "$2" ]; then + # This triggers services restarting, so limit this to major upgrades + # only. Security updates should not restart services automatically. if dpkg --compare-versions "$2" lt 1.0.1g-2; then echo -n "Checking for services that may need to be restarted..." check="amanda-server anon-proxy apache2 apache-ssl" @@ -152,7 +154,11 @@ then if [ "x$RET" != xtrue ]; then db_reset libssl1.1/restart-services db_set libssl1.1/restart-services "$services" - db_input critical libssl1.1/restart-services || true + if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then + db_input medium libssl1.1/restart-services || true + else + db_input critical libssl1.1/restart-services || true + fi db_go || true db_get libssl1.1/restart-services @@ -200,7 +206,20 @@ then # Shut down the frontend, to make sure none of the # restarted services keep a connection open to it db_stop + fi # end upgrading and $2 lt 0.9.8c-2 + + # Here we issue the reboot notification for upgrades and + # security updates. We do want services to be restarted when we + # update for a security issue, but planned by the sysadmin, not + # automatically. + + # Only issue the reboot notification for servers; we proxy this by + # testing that the X server is not running (LP: #244250) + if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then + /usr/share/update-notifier/notify-reboot-required + fi + fi # Upgrading fi
  6. Download patch debian/patches/series

    --- 1.1.1a-1/debian/patches/series 2018-11-21 22:42:25.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/patches/series 2018-11-28 14:04:44.000000000 +0000 @@ -4,3 +4,5 @@ no-symbolic.patch pic.patch c_rehash-compat.patch Set-systemwide-default-settings-for-libssl-users.patch +UBUNTU-Revert-Set-systemwide-default-settings-for-libssl-users.patch +UBUNTU-lower-tls-security-level-for-compat.patch
  7. Download patch debian/README.debian

    --- 1.1.1a-1/debian/README.debian 2018-11-21 22:42:25.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/README.debian 2018-11-28 14:24:28.000000000 +0000 @@ -11,14 +11,6 @@ Instead of `<application>` please call n eg: instead of `req` please call `openssl req` -TLS protovol version and RSA key size -------------------------------------- -The default system global policy is to support TLSv1.2+ and security level two. -Please see - https://www.openssl.org/docs/man1.1.1/man5/config.html - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html#DEFAULT-CALLBACK-BEHAVIOUR -for configurations details of `MinProtocol' and `CipherString' in -/etc/ssl/openssl.cnf case you really require to support legacy systems. PATENT ISSUES -------------
  8. Download patch debian/libssl1.1.NEWS

    --- 1.1.1a-1/debian/libssl1.1.NEWS 2018-11-21 22:42:25.000000000 +0000 +++ 1.1.1a-1ubuntu2/debian/libssl1.1.NEWS 1970-01-01 00:00:00.000000000 +0000 @@ -1,30 +0,0 @@ -openssl (1.1.1-2) unstable; urgency=medium - - Following various security recommendations, the default minimum TLS version - has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple - plan to do same around March 2020. - - The default security level for TLS connections has also be increased from - level 1 to level 2. This moves from the 80 bit security level to the 112 bit - security level and will require 2048 bit or larger RSA and DHE keys, 224 bit - or larger ECC keys, and SHA-2. - - The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications - might also have a way to override the defaults. - - In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString - line. The CipherString can also sets the security level. Information about the - security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage. - The list of valid strings for the minimum protocol version can be found in - SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and - config(5ssl). - - Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide - defaults can be done using: - MinProtocol = None - CipherString = DEFAULT - - It's recommended that you contact the remote site in case the defaults cause - problems. - - -- Kurt Roeckx <kurt@roeckx.be> Sun, 28 Oct 2018 20:58:35 +0100

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: openssl-ibmca

openssl-ibmca (2.0.2-0ubuntu1) disco; urgency=medium * New upstream release LP: #1804233 LP: #1806483 * Drop dlopen-soname.patch, applied upstream. * Update watch file to github.com. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Dec 2018 11:21:56 +1100 openssl-ibmca (2.0.0-0ubuntu2) cosmic; urgency=medium * Disable test-suite, as it appears to fail on launchpad builders, yet passes locally when uncontained. -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com> Fri, 15 Jun 2018 12:44:40 +0100 openssl-ibmca (2.0.0-0ubuntu1) cosmic; urgency=medium * New upstream release. LP: #1776209 * Update debian/copyright to Apache-2 -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com> Thu, 14 Jun 2018 12:10:32 +0100 openssl-ibmca (1.4.1-0ubuntu1) bionic; urgency=medium * New upstream release * Update watch file to point at github * Build against openssl1.1 with openssl1.1 engine paths LP: #1747626 -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 23 Feb 2018 18:06:36 +0000 openssl-ibmca (1.4.0-0ubuntu2) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 17:54:51 +0000 openssl-ibmca (1.4.0-0ubuntu1) artful; urgency=medium * New upstream release * Drop patches applied upstream -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 28 Sep 2017 11:13:14 -0400 openssl-ibmca (1.3.0-0ubuntu5) artful; urgency=medium * Apply upstream patch to resolve crashes when libssl attempts to initialise engine a few times too many. LP: #1543455 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Jul 2017 08:48:51 +0100 openssl-ibmca (1.3.0-0ubuntu4) zesty; urgency=medium * Build against libica.so.3. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 30 Nov 2016 10:24:29 +0000 openssl-ibmca (1.3.0-0ubuntu3) zesty; urgency=medium * Attempt to dlopen libica.so.2, if libica.so (or ctrl provided one) fails. LP: #1605511 * Add depends on libica2. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Oct 2016 15:25:59 +0100 openssl-ibmca (1.3.0-0ubuntu2) xenial; urgency=medium * Correct license information. LP: 1543682 * Add watch file. * Resolves LP: #1538864 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 15 Feb 2016 16:32:05 +0000 openssl-ibmca (1.3.0-0ubuntu1) xenial; urgency=medium * Initial release. -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 05 Feb 2016 06:16:50 +0000

Modifications :
  1. Download patch README.md

    --- 1.4.0-1/README.md 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/README.md 2018-11-27 14:38:37.000000000 +0000 @@ -8,14 +8,14 @@ cryptographic operations. The build requirements are: * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 + * libica-devel >= 3.3.0 * autoconf * automake * libtool The runtime requirements are: * openssl >= 0.9.8 - * libica >= 3.1.1 + * libica >= 3.3.0 ## Installing @@ -27,8 +27,8 @@ $ sudo make install ``` This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere +which is `/usr/local/lib`. It means that the ibmca.so will be installed in +`/usr/local/lib/ibmca.so` by default. If you want to install it anywhere else, run "configure" passing the new location via prefix argument, for example: @@ -48,8 +48,8 @@ in the host by the OpenSSL package. **WA original `openssl.cnf` file before changing it. In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location, which is `/usr/local/lib/libibmca.so` by default. However, if the -libibmca.so library has been installed anywhere else, then update the +location, which is `/usr/local/lib/ibmca.so` by default. However, if the +ibmca.so library has been installed anywhere else, then update the *dynamic_path* variable. Locate where the `openssl.cnf` file has been installed in the host and append
  2. Download patch src/ibmca_digest.c
  3. Download patch test/3des-cbc-test.pl

    --- 1.4.0-1/test/3des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/3des-cbc-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cbc", 24, 8);
  4. Download patch test/Makefile.am

    --- 1.4.0-1/test/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/Makefile.am 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,24 @@ +TESTS = \ +des-ecb-test.pl \ +des-cbc-test.pl \ +des-cfb-test.pl \ +des-ofb-test.pl \ +3des-ecb-test.pl \ +3des-cbc-test.pl \ +3des-cfb-test.pl \ +3des-ofb-test.pl \ +aes-128-ecb-test.pl \ +aes-128-cbc-test.pl \ +aes-128-cfb-test.pl \ +aes-128-ofb-test.pl \ +aes-192-ecb-test.pl \ +aes-192-cbc-test.pl \ +aes-192-cfb-test.pl \ +aes-192-ofb-test.pl \ +aes-256-ecb-test.pl \ +aes-256-cbc-test.pl \ +aes-256-cfb-test.pl \ +aes-256-ofb-test.pl + +AM_TESTS_ENVIRONMENT = export IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so IBMCA_OPENSSL_TEST_CONF=${srcdir}/openssl-test.cnf PERL5LIB=${srcdir}; +EXTRA_DIST = ${TESTS} test.pm openssl-test.cnf
  5. Download patch test/aes-128-ofb-test.pl

    --- 1.4.0-1/test/aes-128-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-128-ofb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ofb", 16, 16);
  6. Download patch src/ibmca_cipher.c
  7. Download patch debian/README.source

    --- 1.4.0-1/debian/README.source 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/README.source 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -# OpenSSL-ibmca - -OpenSSL engine that uses the libica library under s390x to accelerate -cryptographic operations. - - -## Requirements - -The build requirements are: - * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 - * autoconf - * automake - * libtool - -The runtime requirements are: - * openssl >= 0.9.8 - * libica >= 3.1.1 - - -## Installing - -``` -$ ./configure [--enable-debug] -$ make -$ sudo make install -``` - -This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere -else, run "configure" passing the new location via prefix argument, for -example: - -``` -$ ./configure --prefix=/usr --libdir=/usr/lib64/openssl/engines -``` - - -## Support - -To report a bug please submit a - [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) including the - following information in the issue description: - -* bug description -* distro release -* openssl-ibmca package version -* libica package version -* steps to reproduce the bug - -Regarding technical or usage questions, send email to - [opencryptoki-tech]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-tech) or - [opencryptoki-users]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-users) - mailing list respectively. - - -## Contributing - -See [CONTRIBUTING.md](https://github.com/opencryptoki/openssl-ibmca/blob/master/CONTRIBUTING.md). - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 11:10:45 -0300
  8. Download patch debian/rules

    --- 1.4.0-1/debian/rules 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/rules 2018-12-10 00:21:56.000000000 +0000 @@ -1,31 +1,15 @@ #!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -# output every command that modifies files on the build system. -#export DH_VERBOSE = 1 - -# see FEATURE AREAS in dpkg-buildflags(1) export DEB_BUILD_MAINT_OPTIONS = hardening=+all -# see ENVIRONMENT in dpkg-buildflags(1) -# package maintainers to append CFLAGS -#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -# package maintainers to append LDFLAGS -#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed - %: - dh $@ - -# dh_make generated override targets -# This is example for Cmake (See https://bugs.debian.org/641051 ) -#override_dh_auto_configure: -# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH) + dh $@ --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/openssl-1.0.2/engines/ + dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/engines-1.1 override_dh_auto_install: dh_auto_install - - # Remove useless files find debian -name '*.la' -delete +override_dh_auto_test: + -dh_auto_test
  9. Download patch test/openssl-test.cnf

    --- 1.4.0-1/test/openssl-test.cnf 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/openssl-test.cnf 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,20 @@ +openssl_conf = openssl_def + +[openssl_def] +engines = engine_section + +[engine_section] +ibmca = ibmca_section + +[ibmca_section] +dynamic_path = $ENV::IBMCA_TEST_PATH +engine_id = ibmca +init = 1 + +# OpenSSL < 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +# OpenSSL >= 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +default_algorithms = ALL
  10. Download patch debian/dirs

    --- 1.4.0-1/debian/dirs 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/dirs 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib
  11. Download patch debian/patches/libica_soname.patch

    --- 1.4.0-1/debian/patches/libica_soname.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/patches/libica_soname.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Setting libica so name to libica.so.3 -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - ---- a/src/e_ibmca.c -+++ b/src/e_ibmca.c -@@ -46,7 +46,7 @@ - #include "e_ibmca_err.h" - - #define IBMCA_LIB_NAME "ibmca engine" --#define LIBICA_SHARED_LIB "libica.so" -+#define LIBICA_SHARED_LIB "libica.so.3" - - #define AP_PATH "/sys/devices/ap" -
  12. Download patch src/openssl.cnf.sample

    --- 1.4.0-1/src/openssl.cnf.sample 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/src/openssl.cnf.sample 2018-11-27 14:38:37.000000000 +0000 @@ -20,10 +20,10 @@ ibmca = ibmca_section [ibmca_section] -# The openssl engine path for libibmca.so. -# Set the dynamic_path to where the libibmca.so engine +# The openssl engine path for ibmca.so. +# Set the dynamic_path to where the ibmca.so engine # resides on the system. -dynamic_path = /usr/local/lib/libibmca.so +dynamic_path = /usr/local/lib/ibmca.so engine_id = ibmca init = 1 @@ -36,17 +36,33 @@ init = 1 # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # +# DH +# - DH key exchange +# +# DSA +# - DSA sign and verify +# # RAND # - Hardware random number generation # +# ECDSA (OpenSSL < 1.1.0) +# - Elliptic Curve DSA sign and verify +# +# ECDH (OpenSSL < 1.1.0) +# - Elliptic Curve DH key exchange +# +# EC (OpenSSL >= 1.1.0) +# - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange +# # CIPHERS -# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, -# DES-EDE3-OFB, AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, -# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, -# AES-256-CBC, AES-256-CFB, AES-256-OFB symmetric crypto +# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, +# DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, +# AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, +# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, +# AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # default_algorithms = ALL -#default_algorithms = RAND,RSA,CIPHERS,DIGESTS +#default_algorithms = RAND,RSA,DH,DSA,CIPHERS,DIGESTS
  13. Download patch src/e_ibmca_err.c

    --- 1.4.0-1/src/e_ibmca_err.c 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/src/e_ibmca_err.c 2018-11-27 14:38:37.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,11 +15,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include <stdio.h> #include <openssl/err.h> #include "e_ibmca_err.h" @@ -27,54 +22,73 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA IBMCA_str_functs[] = { - {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, - {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, - {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, - {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, - {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, - {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, - {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 0), "IBMCA_SHA1_FINAL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, - {0, NULL} + {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, + {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, + {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, + {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, + {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, + {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, + {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 0), "IBMCA_SHA1_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_EC_KEY_GEN, 0), "IBMCA_EC_KEY_GEN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, 0), "IBMCA_ECDH_COMPUTE_KEY"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN, 0), "IBMCA_ECDSA_SIGN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN_SIG, 0), "IBMCA_ECDSA_SIGN_SIG"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_DO_SIGN, 0), "IBMCA_ECDSA_DO_SIGN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY, 0), "IBMCA_ECDSA_VERIFY"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, 0), "IBMCA_ECDSA_VERIFY_SIG"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_NEW, 0), "ICA_EC_KEY_NEW"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_INIT, 0), "ICA_EC_KEY_INIT"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GENERATE, 0), "ICA_EC_KEY_GENERATE"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY, 0), "ICA_EC_KEY_GET_PUBLIC_KEY"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY, 0), "ICA_EC_KEY_GET_PRIVATE_KEY"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDH_DERIVE_SECRET, 0), "ICA_ECDH_DERIVE_SECRET"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDSA_SIGN, 0), "ICA_ECDSA_SIGN"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDSA_VERIFY, 0), "ICA_ECDSA_VERIFY"}, + {0, NULL} }; static ERR_STRING_DATA IBMCA_str_reasons[] = { - {IBMCA_R_ALREADY_LOADED, "already loaded"}, - {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, - {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, - {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, - "ctrl command not implemented"}, - {IBMCA_R_DSO_FAILURE, "dso failure"}, - {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, - {IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, - {IBMCA_R_NOT_INITIALISED, "not initialised"}, - {IBMCA_R_NOT_LOADED, "not loaded"}, - {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, - {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, - {IBMCA_R_REQUEST_FAILED, "request failed"}, - {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, - {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, - {IBMCA_R_UNIT_FAILURE, "unit failure"}, - {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, - {0, NULL} + {IBMCA_R_ALREADY_LOADED, "already loaded"}, + {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, + {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, + {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctrl command not implemented"}, + {IBMCA_R_DSO_FAILURE, "dso failure"}, + {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, + {IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, + {IBMCA_R_NOT_INITIALISED, "not initialised"}, + {IBMCA_R_NOT_LOADED, "not loaded"}, + {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, + {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, + {IBMCA_R_REQUEST_FAILED, "request failed"}, + {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, + {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, + {IBMCA_R_UNIT_FAILURE, "unit failure"}, + {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, + {IBMCA_R_EC_INVALID_PARM, "ec invalid parameter"}, + {IBMCA_R_EC_UNSUPPORTED_CURVE, "ec unsupported curve"}, + {IBMCA_R_EC_INTERNAL_ERROR, "ec internal error"}, + {IBMCA_R_EC_ICA_EC_KEY_INIT, "ec ica ec key init"}, + {IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING, "ec curve does not support signing"}, + {0, NULL} }; #endif #ifdef IBMCA_LIB_NAME static ERR_STRING_DATA IBMCA_lib_name[] = { - {0, IBMCA_LIB_NAME}, - {0, NULL} + {0, IBMCA_LIB_NAME}, + {0, NULL} }; #endif @@ -84,43 +98,41 @@ static int IBMCA_error_init = 1; void ERR_load_IBMCA_strings(void) { - if (IBMCA_lib_error_code == 0) - IBMCA_lib_error_code = ERR_get_next_error_library(); + if (IBMCA_lib_error_code == 0) + IBMCA_lib_error_code = ERR_get_next_error_library(); - if (IBMCA_error_init) { - IBMCA_error_init = 0; + if (IBMCA_error_init) { + IBMCA_error_init = 0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); - ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); + ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); + ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME - IBMCA_lib_name->error = - ERR_PACK(IBMCA_lib_error_code, 0, 0); - ERR_load_strings(0, IBMCA_lib_name); + IBMCA_lib_name->error = ERR_PACK(IBMCA_lib_error_code, 0, 0); + ERR_load_strings(0, IBMCA_lib_name); #endif - } + } } void ERR_unload_IBMCA_strings(void) { - if (IBMCA_error_init == 0) { + if (IBMCA_error_init == 0) { #ifndef OPENSSL_NO_ERR - ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); - ERR_unload_strings(IBMCA_lib_error_code, - IBMCA_str_reasons); + ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); + ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME - ERR_unload_strings(0, IBMCA_lib_name); + ERR_unload_strings(0, IBMCA_lib_name); #endif - IBMCA_error_init = 1; - } + IBMCA_error_init = 1; + } } void ERR_IBMCA_error(int function, int reason, char *file, int line) { - if (IBMCA_lib_error_code == 0) - IBMCA_lib_error_code = ERR_get_next_error_library(); - ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); + if (IBMCA_lib_error_code == 0) + IBMCA_lib_error_code = ERR_get_next_error_library(); + ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); }
  14. Download patch debian/control

    --- 1.4.0-1/debian/control 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/control 2018-12-10 00:21:56.000000000 +0000 @@ -1,17 +1,15 @@ Source: openssl-ibmca Priority: optional -Maintainer: Paulo Vital <pvital@gmail.com> -Build-Depends: debhelper (>= 10), dh-autoreconf, libica-dev, libssl-dev -Standards-Version: 4.0.0 +Maintainer: Dimitri John Ledkov <xnox@ubuntu.com> +Build-Depends: debhelper (>=10), libica-dev, libssl-dev +Standards-Version: 4.1.4 Section: libs -Homepage: https://github.com/opencryptoki/openssl-ibmca +Homepage: http://sourceforge.net/projects/opencryptoki/files/libica%20OpenSSL%20Engine Package: openssl-ibmca Architecture: s390 s390x Depends: libica3, ${shlibs:Depends}, ${misc:Depends} -Description: libica engine for OpenSSL - This package provides an OpenSSL engine to enable hardware acceleration - of cryptographic functions in OpenSSL, and all applications that use - OpenSSL. - . - This package is specific for s390x architecture. +Description: libica based hardware acceleration engine for OpenSSL + This package provides an OpenSSL engine to enable hardware + acceleration of cryptographic functions in OpenSSL, and all + applications that use OpenSSL.
  15. Download patch test/des-ecb-test.pl

    --- 1.4.0-1/test/des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/des-ecb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ecb", 8, 0);
  16. Download patch test/aes-128-cfb-test.pl

    --- 1.4.0-1/test/aes-128-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-128-cfb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cfb", 16, 16);
  17. Download patch debian/examples

    --- 1.4.0-1/debian/examples 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/examples 2018-12-10 00:21:56.000000000 +0000 @@ -1 +1 @@ - src/openssl.cnf.sample +src/openssl.cnf.sample
  18. Download patch ibmca.map

    --- 1.4.0-1/ibmca.map 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/ibmca.map 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,9 @@ +IBMCA_2.0.0 { + global: + v_check; + bind_engine; + ENGINE_load_ibmca; + + local: + *; +};
  19. Download patch ChangeLog

    --- 1.4.0-1/ChangeLog 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/ChangeLog 2018-11-27 14:38:37.000000000 +0000 @@ -1,3 +1,26 @@ +* openssl-ibmca 2.0.2 +- Fix doing rsa-me, altough rsa-crt would be possible. + +* openssl-ibmca 2.0.1 +- Dont fail when a libica symbol cannot be resolved. + +* openssl-ibmca 2.0.0 +- Add ECC support. +- Add check and distcheck make-targets. +- Project cleanup, code was broken into multiple files and coding style cleanup. +- Improvements to compat macros for openssl. +- Don't disable libica sw fallbacks. +- Fix dlclose logic. + +* openssl-ibmca 1.4.1 +- Fix structure size for aes-256-ecb/cbc/cfb/ofb +- Update man page +- Switch to ibmca.so filename to allow standalone use +- Switch off Libica fallback mode if available +- Make sure ibmca_init only runs once +- Provide simple macro for DEBUG_PRINTF possibility +- Cleanup and slight rework of function set_supported_meths + * openssl-ibmca 1.4.0 - Re-license to Apache License v2.0 - Fix aes_gcm initialization.
  20. Download patch src/e_ibmca_err.h

    --- 1.4.0-1/src/e_ibmca_err.h 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/src/e_ibmca_err.h 2018-11-27 14:38:37.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,9 +19,6 @@ #define HEADER_IBMCA_ERR_H /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_IBMCA_strings(void); void ERR_unload_IBMCA_strings(void); void ERR_IBMCA_error(int function, int reason, char *file, int line); @@ -30,41 +27,61 @@ void ERR_IBMCA_error(int function, int r /* Error codes for the IBMCA functions. */ /* Function codes. */ -#define IBMCA_F_IBMCA_CTRL 100 -#define IBMCA_F_IBMCA_FINISH 101 -#define IBMCA_F_IBMCA_INIT 102 -#define IBMCA_F_IBMCA_MOD_EXP 103 -#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 -#define IBMCA_F_IBMCA_RAND_BYTES 105 -#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 -#define IBMCA_F_IBMCA_DES_CIPHER 107 -#define IBMCA_F_IBMCA_TDES_CIPHER 108 -#define IBMCA_F_IBMCA_SHA1_UPDATE 109 -#define IBMCA_F_IBMCA_SHA1_FINAL 110 -#define IBMCA_F_IBMCA_AES_128_CIPHER 111 -#define IBMCA_F_IBMCA_AES_192_CIPHER 112 -#define IBMCA_F_IBMCA_AES_256_CIPHER 113 -#define IBMCA_F_IBMCA_SHA256_UPDATE 114 -#define IBMCA_F_IBMCA_SHA256_FINAL 115 -#define IBMCA_F_IBMCA_SHA512_UPDATE 116 -#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_CTRL 100 +#define IBMCA_F_IBMCA_FINISH 101 +#define IBMCA_F_IBMCA_INIT 102 +#define IBMCA_F_IBMCA_MOD_EXP 103 +#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 +#define IBMCA_F_IBMCA_RAND_BYTES 105 +#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 +#define IBMCA_F_IBMCA_DES_CIPHER 107 +#define IBMCA_F_IBMCA_TDES_CIPHER 108 +#define IBMCA_F_IBMCA_SHA1_UPDATE 109 +#define IBMCA_F_IBMCA_SHA1_FINAL 110 +#define IBMCA_F_IBMCA_AES_128_CIPHER 111 +#define IBMCA_F_IBMCA_AES_192_CIPHER 112 +#define IBMCA_F_IBMCA_AES_256_CIPHER 113 +#define IBMCA_F_IBMCA_SHA256_UPDATE 114 +#define IBMCA_F_IBMCA_SHA256_FINAL 115 +#define IBMCA_F_IBMCA_SHA512_UPDATE 116 +#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_EC_KEY_GEN 120 +#define IBMCA_F_IBMCA_ECDH_COMPUTE_KEY 121 +#define IBMCA_F_IBMCA_ECDSA_SIGN 122 +#define IBMCA_F_IBMCA_ECDSA_SIGN_SIG 123 +#define IBMCA_F_IBMCA_ECDSA_DO_SIGN 124 +#define IBMCA_F_IBMCA_ECDSA_VERIFY 125 +#define IBMCA_F_IBMCA_ECDSA_VERIFY_SIG 126 +#define IBMCA_F_ICA_EC_KEY_NEW 127 +#define IBMCA_F_ICA_EC_KEY_INIT 128 +#define IBMCA_F_ICA_EC_KEY_GENERATE 129 +#define IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY 130 +#define IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY 131 +#define IBMCA_F_ICA_ECDH_DERIVE_SECRET 132 +#define IBMCA_F_ICA_ECDSA_SIGN 133 +#define IBMCA_F_ICA_ECDSA_VERIFY 134 /* Reason codes. */ -#define IBMCA_R_ALREADY_LOADED 100 -#define IBMCA_R_BN_CTX_FULL 101 -#define IBMCA_R_BN_EXPAND_FAIL 102 -#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 -#define IBMCA_R_DSO_FAILURE 104 -#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 -#define IBMCA_R_MISSING_KEY_COMPONENTS 105 -#define IBMCA_R_NOT_INITIALISED 106 -#define IBMCA_R_NOT_LOADED 107 -#define IBMCA_R_OPERANDS_TO_LARGE 111 -#define IBMCA_R_OUTLEN_TO_LARGE 112 -#define IBMCA_R_REQUEST_FAILED 108 -#define IBMCA_R_UNDERFLOW_CONDITION 113 -#define IBMCA_R_UNDERFLOW_KEYRECORD 114 -#define IBMCA_R_UNIT_FAILURE 109 -#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_ALREADY_LOADED 100 +#define IBMCA_R_BN_CTX_FULL 101 +#define IBMCA_R_BN_EXPAND_FAIL 102 +#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 +#define IBMCA_R_DSO_FAILURE 104 +#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 +#define IBMCA_R_MISSING_KEY_COMPONENTS 105 +#define IBMCA_R_NOT_INITIALISED 106 +#define IBMCA_R_NOT_LOADED 107 +#define IBMCA_R_OPERANDS_TO_LARGE 111 +#define IBMCA_R_OUTLEN_TO_LARGE 112 +#define IBMCA_R_REQUEST_FAILED 108 +#define IBMCA_R_UNDERFLOW_CONDITION 113 +#define IBMCA_R_UNDERFLOW_KEYRECORD 114 +#define IBMCA_R_UNIT_FAILURE 109 +#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_EC_INVALID_PARM 120 +#define IBMCA_R_EC_UNSUPPORTED_CURVE 121 +#define IBMCA_R_EC_INTERNAL_ERROR 122 +#define IBMCA_R_EC_ICA_EC_KEY_INIT 123 +#define IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING 159 #endif
  21. Download patch configure.ac

    --- 1.4.0-1/configure.ac 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/configure.ac 2018-11-27 14:38:37.000000000 +0000 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [1.4.0], [opencryptoki-users@lists.sf.net]) +AC_INIT([openssl-ibmca], [2.0.2], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) @@ -23,16 +23,16 @@ fi # Checks for programs. AC_DISABLE_STATIC AC_PROG_CC -AC_PROG_LIBTOOL +LT_INIT # Checks for libraries. AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 0.9.8 is required ***])) -AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 2.4.0 is required ***])) +AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 3.3.0 is required ***])) # Checks for header files. AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) -AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 2.4.0 is required ***])) +AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.3.0 is required ***])) # Checks for typedefs, structures, and compiler characteristics. @@ -44,12 +44,13 @@ AC_TYPE_SSIZE_T # Checks for library functions. AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) AC_CHECK_DECLS([ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB], [], - AC_MSG_ERROR([*** libica >= 2.4.0 and libica-devel >= 2.4.0 are required ***]), + AC_MSG_ERROR([*** libica >= 3.3.0 and libica-devel >= 3.3.0 are required ***]), [#include <ica_api.h>]) AC_CONFIG_FILES([ Makefile src/Makefile + test/Makefile src/doc/Makefile]) AC_OUTPUT
  22. Download patch src/ibmca_dsa.c

    --- 1.4.0-1/src/ibmca_dsa.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/src/ibmca_dsa.c 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,135 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dsa.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DSA + +/* This code was liberated and adapted from the commented-out code in + * dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration + * (it doesn't have a CRT form for RSA), this function means that an + * Ibmca system running with a DSA server certificate can handshake + * around 5 or 6 times faster/more than an equivalent system running with + * RSA. Just check out the "signs" statistics from the RSA and DSA parts + * of "openssl speed -engine ibmca dsa1024 rsa1024". */ +#ifdef OLDER_OPENSSL +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) +#else +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, + const BIGNUM *p1, const BIGNUM *a2, + const BIGNUM *p2, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +#endif +{ + BIGNUM *t; + int to_return = 0; + + t = BN_new(); + /* let rr = a1 ^ p1 mod m */ + if (!ibmca_mod_exp(rr, a1, p1, m, ctx)) + goto end; + /* let t = a2 ^ p2 mod m */ + if (!ibmca_mod_exp(t, a2, p2, m, ctx)) + goto end; + /* let rr = rr * t mod m */ + if (!BN_mod_mul(rr, rr, t, m, ctx)) + goto end; + + to_return = 1; + +end: + BN_free(t); + + return to_return; +} + +#ifdef OLDER_OPENSSL +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#else +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#endif +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DSA_METHOD dsa_m = { + "Ibmca DSA method", /* name */ + NULL, /* dsa_do_sign */ + NULL, /* dsa_sign_setup */ + NULL, /* dsa_do_verify */ + ibmca_dsa_mod_exp, /* dsa_mod_exp */ + ibmca_mod_exp_dsa, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + 0, /* flags */ + NULL /* app_data */ +}; + +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1 = DSA_OpenSSL(); + + dsa_m.dsa_do_sign = meth1->dsa_do_sign; + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; + dsa_m.dsa_do_verify = meth1->dsa_do_verify; + + return &dsa_m; +} + +#else +static DSA_METHOD *dsa_m = NULL; +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1; + DSA_METHOD *method; + + if (dsa_m != NULL) + goto done; + + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL + || (meth1 = DSA_OpenSSL()) == NULL + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) + || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) + || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp) + || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa)) { + DSA_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dsa_m = method; + +done: + return dsa_m; +} + +void ibmca_dsa_destroy(void) +{ + DSA_meth_free(dsa_m); +} +#endif +#endif /* endif OPENSSL_NO_DSA */
  23. Download patch test/des-ofb-test.pl

    --- 1.4.0-1/test/des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/des-ofb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ofb", 8, 8);
  24. Download patch test/aes-128-cbc-test.pl

    --- 1.4.0-1/test/aes-128-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-128-cbc-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cbc", 16, 16);
  25. Download patch test/aes-256-ecb-test.pl

    --- 1.4.0-1/test/aes-256-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-256-ecb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ecb", 32, 0);
  26. Download patch test/aes-192-ecb-test.pl

    --- 1.4.0-1/test/aes-192-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-192-ecb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ecb", 24, 0);
  27. Download patch src/ibmca_rsa.c
  28. Download patch test/aes-256-ofb-test.pl

    --- 1.4.0-1/test/aes-256-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-256-ofb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ofb", 32, 16);
  29. Download patch test/aes-192-ofb-test.pl

    --- 1.4.0-1/test/aes-192-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-192-ofb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ofb", 24, 16);
  30. Download patch src/ibmca_dh.c

    --- 1.4.0-1/src/ibmca_dh.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/src/ibmca_dh.c 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,86 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dh.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DH + +/* This function is aliased to mod_exp (with the dh and mont dropped). */ +static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DH_METHOD dh_m = { + "Ibmca DH method", /* name */ + NULL, /* generate_key */ + NULL, /* compute_key */ + ibmca_mod_exp_dh, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + 0, /* flags */ + NULL /* app_data */ +}; + +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1 = DH_OpenSSL(); + + dh_m.generate_key = meth1->generate_key; + dh_m.compute_key = meth1->compute_key; + + return &dh_m; +} + +#else +static DH_METHOD *dh_m = NULL; +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1; + DH_METHOD *method; + + if (dh_m != NULL) + goto done; + + if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL + || (meth1 = DH_OpenSSL()) == NULL + || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) + || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)) { + DH_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dh_m = method; + +done: + return dh_m; +} + +void ibmca_dh_destroy(void) +{ + DH_meth_free(dh_m); +} +#endif + +#endif /* end OPENSSL_NO_DH */
  31. Download patch src/test/ibmca_mechaList_test.c
  32. Download patch test/test.pm

    --- 1.4.0-1/test/test.pm 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/test.pm 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,47 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +package test; + +sub cipher { + my $tests = 50; + my $max_file_size = 1024; + my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; + my @hex = ("a".."f", "0".."9"); + + my ($cipher,$keylen,$ivlen) = @_; + + # skip if engine not loaded + exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); + + for my $i (1..$tests) { + my $bytes = 1 + int(rand($max_file_size)); + my $key = ""; + $key .= $hex[rand(@hex)] for (1..$keylen); + my $iv = ""; + if ($ivlen > 0) { + $iv .= $hex[rand(@hex)] for (1..$ivlen); + $iv = "-iv $iv"; + } + + # engine enc, no-engine dec + `openssl rand $bytes > data.in`; + `$eng openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + + # no-engine enc, engine dec + `openssl rand $bytes > data.in`; + `openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `$eng openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + } + + `rm -f data.in data.enc data.dec`; +} + +1;
  33. Download patch src/Makefile.am

    --- 1.4.0-1/src/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/src/Makefile.am 2018-11-27 14:38:37.000000000 +0000 @@ -1,10 +1,21 @@ -lib_LTLIBRARIES=libibmca.la +VERSION = 2:0:2 -libibmca_la_SOURCES=e_ibmca.c e_ibmca_err.c -libibmca_la_LIBADD=-ldl -libibmca_la_LDFLAGS=-module -version-info 0:2:0 -shared -no-undefined -avoid-version +lib_LTLIBRARIES=ibmca.la -dist_libibmca_la_SOURCES=e_ibmca_err.h e_os.h cryptlib.h +ibmca_la_SOURCES=e_ibmca.c \ + e_ibmca_err.c \ + ibmca_cipher.c \ + ibmca_digest.c \ + ibmca_rsa.c \ + ibmca_dsa.c \ + ibmca_dh.c \ + ibmca_ec.c + +ibmca_la_LIBADD=-ldl +ibmca_la_LDFLAGS=-module -version-info ${VERSION} -shared -no-undefined \ + -avoid-version -Wl,--version-script=${srcdir}/../ibmca.map + +dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h EXTRA_DIST = openssl.cnf.sample ACLOCAL_AMFLAGS = -I m4
  34. Download patch test/des-cfb-test.pl

    --- 1.4.0-1/test/des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/des-cfb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cfb", 8, 8);
  35. Download patch test/3des-ecb-test.pl

    --- 1.4.0-1/test/3des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/3des-ecb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3", 24, 0);
  36. Download patch src/e_ibmca.c
  37. Download patch debian/watch

    --- 1.4.0-1/debian/watch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/watch 2018-12-10 00:21:56.000000000 +0000 @@ -1,4 +1,4 @@ version=4 -opts="mode=git, pgpmode=none" \ -https://github.com/opencryptoki/openssl-ibmca.git refs/tags/v?(.*) \ -debian /bin/sh uupdate +opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%openssl-ibmca-$1.tar.gz%" \ + https://github.com/opencryptoki/openssl-ibmca/tags \ + (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
  38. Download patch test/des-cbc-test.pl

    --- 1.4.0-1/test/des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/des-cbc-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cbc", 8, 8);
  39. Download patch debian/patches/series

    --- 1.4.0-1/debian/patches/series 2017-09-20 13:40:30.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/patches/series 2018-12-10 00:21:56.000000000 +0000 @@ -1,2 +1 @@ openssl-config.patch -libica_soname.patch
  40. Download patch test/aes-256-cfb-test.pl

    --- 1.4.0-1/test/aes-256-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-256-cfb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cfb", 32, 16);
  41. Download patch test/aes-192-cfb-test.pl

    --- 1.4.0-1/test/aes-192-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-192-cfb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cfb", 24, 16);
  42. Download patch debian/README.Debian

    --- 1.4.0-1/debian/README.Debian 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -openssl-ibmca for Debian ------------------------ - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location in Debian, which is -/usr/lib/s390x-linux-gnu/openssl-1.0.2/engine/libibmca.so - -Append the `openssl.cnf.sample` file to it `/etc/ssl/openssl.cnf` file; - -``` -$ cat /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample >> /etc/ssl/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the -IBMCA engine and all the supported cryptographic methods. - -``` -$ openssl engine -c -(dynamic) Dynamic engine loading support -(ibmca) Ibmca hardware engine support -[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, - DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, - AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, - AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512] -$ -``` - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 10:47:45 -0300
  43. Download patch test/3des-ofb-test.pl

    --- 1.4.0-1/test/3des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/3des-ofb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-ofb", 24, 8);
  44. Download patch debian/patches/openssl-config.patch

    --- 1.4.0-1/debian/patches/openssl-config.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/patches/openssl-config.patch 2018-12-10 00:21:56.000000000 +0000 @@ -1,15 +1,14 @@ -Description: correct engine location to the multiarch location -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - +Description: correct engine location to the multiarch locationIndex: openssl-ibmca-1.3.0/src/openssl.cnf.sample +=================================================================== --- a/src/openssl.cnf.sample +++ b/src/openssl.cnf.sample -@@ -23,7 +23,7 @@ - # The openssl engine path for libibmca.so. - # Set the dynamic_path to where the libibmca.so engine +@@ -23,7 +23,8 @@ + # The openssl engine path for ibmca.so. + # Set the dynamic_path to where the ibmca.so engine # resides on the system. --dynamic_path = /usr/local/lib/libibmca.so -+dynamic_path = /usr/lib/s390x-linux-gnu/openssl-1.0.2/engines/libibmca.so +-dynamic_path = /usr/local/lib/ibmca.so ++dynamic_path = /usr/lib/s390x-linux-gnu/engines-1.1/ibmca.so ++ engine_id = ibmca init = 1
  45. Download patch src/ibmca_ec.c
  46. Download patch test/aes-256-cbc-test.pl

    --- 1.4.0-1/test/aes-256-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-256-cbc-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cbc", 32, 16);
  47. Download patch test/aes-192-cbc-test.pl

    --- 1.4.0-1/test/aes-192-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-192-cbc-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cbc", 24, 16);
  48. Download patch debian/docs

    --- 1.4.0-1/debian/docs 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.2-0ubuntu1/debian/docs 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -debian/README.source -debian/README.Debian
  49. Download patch src/doc/ibmca.man

    --- 1.4.0-1/src/doc/ibmca.man 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/src/doc/ibmca.man 2018-11-27 14:38:37.000000000 +0000 @@ -7,8 +7,7 @@ accelerate cryptographic operations. .SH DESCRIPTION IBMCA accelerates cryptographic operations of applications that use OpenSSL. -The engine can be configured by the IBMCA configuration file. The OpenSSL -configuration file is only needed to attach the engine. +The engine can be configured by the OpenSSL configuration file. .SS openssl.cnf The OpenSSL configuration file can have an IBMCA section. This section includes @@ -25,7 +24,7 @@ discover control commands. Options for the IBMCA section in openssl.cnf: .PP dynamic_path = -.I /path/to/libibmca.so +.I /path/to/ibmca.so .RS Set the path to the IBMCA shared object file allowing OpenSSL to find the file. .RE
  50. Download patch test/3des-cfb-test.pl

    --- 1.4.0-1/test/3des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/3des-cfb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cfb", 24, 8);
  51. Download patch test/aes-128-ecb-test.pl

    --- 1.4.0-1/test/aes-128-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.0.2-0ubuntu1/test/aes-128-ecb-test.pl 2018-11-27 14:38:37.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ecb", 16, 0);
  52. Download patch Makefile.am

    --- 1.4.0-1/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/Makefile.am 2018-11-27 14:38:37.000000000 +0000 @@ -1,4 +1,4 @@ ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src +SUBDIRS = src test -EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh +EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh
  53. Download patch src/ibmca.h
  54. Download patch openssl-ibmca.spec

    --- 1.4.0-1/openssl-ibmca.spec 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.2-0ubuntu1/openssl-ibmca.spec 2018-11-27 14:38:37.000000000 +0000 @@ -1,19 +1,17 @@ +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) + Name: openssl-ibmca -Version: 1.4.0 -Release: 0 +Version: 2.0.2 +Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine -Group: Hardware/Other License: ASL 2.0 -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz +URL: https://github.com/opencryptoki/openssl-ibmca +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -BuildRequires: openssl-devel >= 0.9.8, - libica-devel >= 3.1.1, - autoconf, - automake, - libtool -Requires: openssl >= 0.9.8, - libica >= 3.1.1 +Requires: openssl >= 0.9.8 libica >= 3.3.0 +BuildRequires: openssl-devel >= 0.9.8 libica-devel >= 3.3.0 +BuildRequires: autoconf automake libtool ExclusiveArch: s390 s390x @@ -22,28 +20,52 @@ This package contains a shared object Op to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%setup -q +%setup -q -n %{name}-%{version} + +./bootstrap.sh %build -%configure -make +%configure --libdir=%{enginesdir} +%make_build %install -%makeinstall -rm -f $RPM_BUILD_ROOT%{_libdir}/libibmca.la -mkdir -p $RPM_BUILD_ROOT%{_libdir}/openssl/engines -mv $RPM_BUILD_ROOT%{_libdir}/lib* $RPM_BUILD_ROOT%{_libdir}/openssl/engines +%make_install +rm -f $RPM_BUILD_ROOT%{enginesdir}/ibmca.la -%post -p /sbin/ldconfig +pushd src +sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd -%postun -p /sbin/ldconfig %files -%doc README INSTALL src/openssl.cnf.sample -%{_mandir}/man5/* -%{_libdir}/openssl/engines/* +%license LICENSE +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%{enginesdir}/ibmca.so +%{_mandir}/man5/ibmca.5* %changelog +* Tue Nov 27 2018 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.2 +- Update Version + +* Thu Nov 08 2018 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.1 +- Update Version + +* Wed Jun 06 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2.0.0 +- Update Version +- Update libica version required for building ibmca + +* Wed Feb 21 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 1.4.1 +- Updated to 1.4.1 + +* Thu Jan 25 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> +- Update engine filename +- Spec cleanup + +* Thu Oct 26 2017 Patrick Steuer <patrick.steuer@de.ibm.com> +- Fix build warning about comma and newlines +- Remove INSTALL file from doc +- Fix README name on doc + * Fri Sep 8 2017 Paulo Vital <pvital@linux.vnet.ibm.com> 1.4.0 - Update new License - Update Source and URL pointing to GitHub
  55. Download patch debian/copyright

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: r-cran-openssl

r-cran-openssl (1.0.2+dfsg-1ubuntu1) cosmic; urgency=low * Merge from Debian unstable. Remaining changes: + Disable test_google.R requiring network access -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 25 Sep 2018 11:41:36 +0100

Modifications :
  1. Download patch debian/control

    --- 1.0.2+dfsg-1/debian/control 2018-08-02 01:14:18.000000000 +0000 +++ 1.0.2+dfsg-1ubuntu1/debian/control 2018-08-02 03:49:36.000000000 +0000 @@ -1,5 +1,6 @@ Source: r-cran-openssl -Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> Uploaders: Andreas Tille <tille@debian.org> Section: gnu-r Priority: optional
  2. Download patch debian/tests/run-unit-test

    --- 1.0.2+dfsg-1/debian/tests/run-unit-test 2018-08-02 01:14:18.000000000 +0000 +++ 1.0.2+dfsg-1ubuntu1/debian/tests/run-unit-test 2018-08-02 03:49:36.000000000 +0000 @@ -8,5 +8,6 @@ if [ "$ADTTMP" = "" ] ; then fi cd $ADTTMP cp -a /usr/share/doc/${pkg}/tests/* $ADTTMP +rm -f testthat/test_google.R LC_ALL=C R --no-save < testthat.R rm -fr $ADTTMP/*
  1. openssl
  2. openssl-ibmca
  3. r-cran-openssl