Hello community, here is the log from the commit of package openssl-ibmca for openSUSE:Factory checked in at 2019-09-07 11:55:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-ibmca (Old) and /work/SRC/openSUSE:Factory/.openssl-ibmca.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-ibmca" Sat Sep 7 11:55:41 2019 rev:33 rq:729046 version:2.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-ibmca/openssl-ibmca.changes 2018-11-28 11:15:18.262738722 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-ibmca.new.7948/openssl-ibmca.changes 2019-09-07 11:55:43.630254614 +0200 @@ -1,0 +2,24 @@ +Wed Aug 28 20:56:08 UTC 2019 - Mark Post <[email protected]> + +- Upgraded to version 2.0.3 (jsc#SLE-6123, jsc#SLE-6424) + * openssl-ibmca 2.0.3 + Add MSA9 CPACF support for ECDSA sign/verify +- Dropped obsolete openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch +- Changed the ExclusiveArch directive to include s390x only. +- The code in e_ibmca.c does a dlopen for libica.so.3, instead of + linking against the shared library. As a result, if the package + containing libica.so.3 isn't installed, problems occur. Added + a "Requires: libica3" to the spec file to fix this. (bsc#1142286) +- Made a couple of changes to the spec file based on the output + from spec-cleaner. + +------------------------------------------------------------------- +Fri Jun 28 18:10:29 UTC 2019 - Mark Post <[email protected]> + +- Added openssl-ibmca-sles15sp1-Move-ERR_load-unload-to-bind_helper-resp-destroy-fun.patch + An Apache HTTP Server was set up with mod_ssl and the openssl + ibmca engine using libica and a CEX6A card. Whenever a worker + process is cleaned up a segmentation fault occurs. + (bsc#1138517) + +------------------------------------------------------------------- Old: ---- openssl-ibmca-2.0.2.tar.gz New: ---- openssl-ibmca-2.0.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-ibmca.spec ++++++ --- /var/tmp/diff_new_pack.WhnJUm/_old 2019-09-07 11:55:44.082254549 +0200 +++ /var/tmp/diff_new_pack.WhnJUm/_new 2019-09-07 11:55:44.082254549 +0200 
@@ -1,7 +1,7 @@ # # spec file for package openssl-ibmca # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018, 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,29 +17,32 @@ Name: openssl-ibmca -Version: 2.0.2 +Version: 2.0.3 Release: 0 Summary: The IBMCA OpenSSL dynamic engine -License: Apache-2.0 +License: IPL-1.0 Group: Hardware/Other -URL: https://github.com/opencryptoki/openssl-ibmca/ -Source: openssl-ibmca-%{version}.tar.gz +URL: https://github.com/opencryptoki/openssl-ibmca +Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: baselibs.conf + BuildRequires: autoconf BuildRequires: automake BuildRequires: libica-devel >= 3.1.1 BuildRequires: libica-tools >= 2.4.0 BuildRequires: libtool BuildRequires: openssl-devel +Requires: libica3 Requires: openssl -ExclusiveArch: s390 s390x +ExclusiveArch: s390x %description This package contains a shared object OpenSSL dynamic engine for the IBM eServer Cryptographic Accelerator (ICA). %prep -%setup -q +%autosetup +./bootstrap.sh %build # The directory where crypto engines are located is owned by the libcrypto package. @@ -110,7 +113,6 @@ fi %files -%defattr(-, root, root) %license LICENSE %doc README.md %doc src/openssl.cnf.sample ++++++ openssl-ibmca-2.0.2.tar.gz -> openssl-ibmca-2.0.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/ChangeLog new/openssl-ibmca-2.0.3/ChangeLog --- old/openssl-ibmca-2.0.2/ChangeLog 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/ChangeLog 2019-04-23 18:15:44.000000000 +0200 
@@ -1,3 +1,6 @@ +* openssl-ibmca 2.0.3 +- Add MSA9 CPACF support for ECDSA sign/verify + * openssl-ibmca 2.0.2 - Fix doing rsa-me, altough rsa-crt would be possible. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/README.md new/openssl-ibmca-2.0.3/README.md --- old/openssl-ibmca-2.0.2/README.md 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/README.md 2019-04-23 18:15:44.000000000 +0200 
@@ -38,38 +38,11 @@ ## Enabling IBMCA -Included in this package there is a sample `openssl.cnf` file -(`openssl.cnf.sample`), which can be used to turn on use of the IBMCA engine in -apps where OpenSSL config support is compiled in. +Apps with compiled-in OpenSSL config support can enable the engine via +an OpenSSL configuration file. Refer to config(5). A sample OpenSSL +configuration file (`openssl.cnf.sample`) is included in this package. -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location, which is `/usr/local/lib/ibmca.so` by default. However, if the -ibmca.so library has been installed anywhere else, then update the -*dynamic_path* variable. - -Locate where the `openssl.cnf` file has been installed in the host and append -the content of the `openssl.cnf.sample` file to it. - -``` -$ rpm -ql openssl | grep openssl.cnf -$ cat openssl.cnf.sample >> /path/to/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the +If the engine is configured properly, the command below should return the IBMCA engine and all the supported cryptographic methods. ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/configure.ac new/openssl-ibmca-2.0.3/configure.ac --- old/openssl-ibmca-2.0.2/configure.ac 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/configure.ac 2019-04-23 18:15:44.000000000 +0200 
@@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [2.0.2], [[email protected]]) +AC_INIT([openssl-ibmca], [2.0.3], [[email protected]]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/openssl-ibmca.spec new/openssl-ibmca-2.0.3/openssl-ibmca.spec --- old/openssl-ibmca-2.0.2/openssl-ibmca.spec 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/openssl-ibmca.spec 2019-04-23 18:15:44.000000000 +0200 @@ -1,7 +1,7 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) Name: openssl-ibmca -Version: 2.0.2 +Version: 2.0.3 Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine @@ -44,6 +44,9 @@ %{_mandir}/man5/ibmca.5* %changelog +* Tue Apr 23 2019 Patrick Steuer <[email protected]> 2.0.3 +- Update Version + * Tue Nov 27 2018 Patrick Steuer <[email protected]> 2.0.2 - Update Version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/src/Makefile.am new/openssl-ibmca-2.0.3/src/Makefile.am --- old/openssl-ibmca-2.0.2/src/Makefile.am 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/src/Makefile.am 2019-04-23 18:15:44.000000000 +0200 @@ -1,4 +1,4 @@ -VERSION = 2:0:2 +VERSION = 2:0:3 lib_LTLIBRARIES=ibmca.la 
@@ -12,7 +12,7 @@ ibmca_ec.c ibmca_la_LIBADD=-ldl -ibmca_la_LDFLAGS=-module -version-info ${VERSION} -shared -no-undefined \ +ibmca_la_LDFLAGS=-module -version-number ${VERSION} -shared -no-undefined \ -avoid-version -Wl,--version-script=${srcdir}/../ibmca.map dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/src/e_ibmca.c new/openssl-ibmca-2.0.3/src/e_ibmca.c --- old/openssl-ibmca-2.0.2/src/e_ibmca.c 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/src/e_ibmca.c 2019-04-23 18:15:44.000000000 +0200 @@ -259,6 +259,8 @@ #ifndef NO_EC ibmca_ec_destroy(); #endif + + ERR_unload_IBMCA_strings(); return 1; } @@ -365,9 +367,15 @@ ECDSA_METHOD_set_name(ibmca_ecdsa, "Ibmca ECDSA method"); ECDSA_METHOD_set_sign(ibmca_ecdsa, ibmca_older_ecdsa_do_sign); ECDSA_METHOD_set_verify(ibmca_ecdsa, ibmca_older_ecdsa_do_verify); + #ifdef ECDSA_FLAG_FIPS_METHOD + ECDSA_METHOD_set_flags(ibmca_ecdsa, ECDSA_FLAG_FIPS_METHOD); + #endif ECDH_METHOD_set_name(ibmca_ecdh, "Ibmca ECDH method"); ECDH_METHOD_set_compute_key(ibmca_ecdh, ibmca_older_ecdh_compute_key); + #ifdef ECDH_FLAG_FIPS_METHOD + ECDH_METHOD_set_flags(ibmca_ecdh, ECDH_FLAG_FIPS_METHOD); + #endif if (!ENGINE_set_ECDH(e, ibmca_ecdh)) return 0; @@ -592,7 +600,8 @@ * If no crypto card is available, disable crypto algos that can * only operate on HW on card */ - if ((f->flags & ICA_FLAG_DHW) && !card_loaded) + if ((f->flags & ICA_FLAG_DHW) && !card_loaded + && !(f->flags & ICA_FLAG_SHW)) continue; /* Check if this crypto algorithm is supported by ibmca */ for (j = 0; ibmca_crypto_algos[j]; j++) @@ -634,8 +643,6 @@ if (init) return; - ERR_load_IBMCA_strings(); - ibmca_dso = dlopen(LIBICA_SHARED_LIB, RTLD_NOW); if (ibmca_dso == NULL) { DEBUG_PRINTF("%s: dlopen(%s) failed\n", __func__, LIBICA_SHARED_LIB); 
@@ -751,8 +758,6 @@ __attribute__((destructor)) static void ibmca_destructor(void) { - ERR_unload_IBMCA_strings(); - if (ibmca_dso == NULL) { IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_NOT_LOADED); return; @@ -808,6 +813,8 @@ */ static int bind_helper(ENGINE *e) { + ERR_load_IBMCA_strings(); + if (!ENGINE_set_id(e, engine_ibmca_id) || !ENGINE_set_name(e, engine_ibmca_name) || !ENGINE_set_destroy_function(e, ibmca_destroy) || diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/src/ibmca_cipher.c new/openssl-ibmca-2.0.3/src/ibmca_cipher.c --- old/openssl-ibmca-2.0.2/src/ibmca_cipher.c 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/src/ibmca_cipher.c 2019-04-23 18:15:44.000000000 +0200 
@@ -231,22 +231,22 @@ #endif DECLARE_TDES_EVP(ecb, sizeof(ica_des_vector_t), sizeof(ica_des_key_triple_t), - sizeof(ica_des_vector_t), EVP_CIPH_ECB_MODE, + sizeof(ica_des_vector_t), EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_TDES_EVP(cbc, sizeof(ica_des_vector_t), sizeof(ica_des_key_triple_t), - sizeof(ica_des_vector_t), EVP_CIPH_CBC_MODE, + sizeof(ica_des_vector_t), EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_TDES_EVP(ofb, 1, sizeof(ica_des_key_triple_t), - sizeof(ica_des_vector_t), EVP_CIPH_OFB_MODE, + sizeof(ica_des_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) DECLARE_TDES_EVP(cfb, 1, sizeof(ica_des_key_triple_t), - sizeof(ica_des_vector_t), EVP_CIPH_CFB_MODE, + sizeof(ica_des_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(struct ibmca_des_context), ibmca_init_key, ibmca_3des_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv) 
@@ -716,21 +716,21 @@ DECLARE_AES_EVP(128, ecb, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t), - EVP_CIPH_ECB_MODE, sizeof(ICA_AES_128_CTX), + EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(128, cbc, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_128_t), sizeof(ica_aes_vector_t), - EVP_CIPH_CBC_MODE, sizeof(ICA_AES_128_CTX), + EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(128, ofb, 1, sizeof(ica_aes_key_len_128_t), - sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE, + sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(128, cfb, 1, sizeof(ica_aes_key_len_128_t), - sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE, + sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_128_CTX), ibmca_init_key, ibmca_aes_128_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) @@ -740,7 +740,8 @@ EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT - | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER, + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER + | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_GCM_CTX), ibmca_aes_gcm_init_key, ibmca_aes_gcm_cipher, NULL, NULL, NULL, ibmca_aes_gcm_ctrl) 
@@ -748,21 +749,21 @@ DECLARE_AES_EVP(192, ecb, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t), - EVP_CIPH_ECB_MODE, sizeof(ICA_AES_192_CTX), + EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(192, cbc, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_192_t), sizeof(ica_aes_vector_t), - EVP_CIPH_CBC_MODE, sizeof(ICA_AES_192_CTX), + EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(192, ofb, 1, sizeof(ica_aes_key_len_192_t), - sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE, + sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(192, cfb, 1, sizeof(ica_aes_key_len_192_t), - sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE, + sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_192_CTX), ibmca_init_key, ibmca_aes_192_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) @@ -772,7 +773,8 @@ EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT - | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER, + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER + | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_GCM_CTX), ibmca_aes_gcm_init_key, ibmca_aes_gcm_cipher, NULL, NULL, NULL, ibmca_aes_gcm_ctrl) 
@@ -780,21 +782,21 @@ DECLARE_AES_EVP(256, ecb, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t), - EVP_CIPH_ECB_MODE, sizeof(ICA_AES_256_CTX), + EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(256, cbc, sizeof(ica_aes_vector_t), sizeof(ica_aes_key_len_256_t), sizeof(ica_aes_vector_t), - EVP_CIPH_CBC_MODE, sizeof(ICA_AES_256_CTX), + EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(256, ofb, 1, sizeof(ica_aes_key_len_256_t), - sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE, + sizeof(ica_aes_vector_t), EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) DECLARE_AES_EVP(256, cfb, 1, sizeof(ica_aes_key_len_256_t), - sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE, + sizeof(ica_aes_vector_t), EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_256_CTX), ibmca_init_key, ibmca_aes_256_cipher, ibmca_cipher_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) 
@@ -804,7 +806,8 @@ EVP_CIPH_GCM_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT - | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER, + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER + | EVP_CIPH_FLAG_FIPS, sizeof(ICA_AES_GCM_CTX), ibmca_aes_gcm_init_key, ibmca_aes_gcm_cipher, NULL, NULL, NULL, ibmca_aes_gcm_ctrl) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/src/ibmca_dh.c new/openssl-ibmca-2.0.3/src/ibmca_dh.c --- old/openssl-ibmca-2.0.2/src/ibmca_dh.c 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/src/ibmca_dh.c 2019-04-23 18:15:44.000000000 +0200 @@ -37,7 +37,7 @@ ibmca_mod_exp_dh, /* bn_mod_exp */ NULL, /* init */ NULL, /* finish */ - 0, /* flags */ + DH_FLAG_FIPS_METHOD, /* flags */ NULL /* app_data */ }; @@ -65,7 +65,8 @@ || (meth1 = DH_OpenSSL()) == NULL || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) - || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)) { + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh) + || !DH_meth_set_flags(method, DH_FLAG_FIPS_METHOD)) { DH_meth_free(method); method = NULL; meth1 = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/src/ibmca_dsa.c new/openssl-ibmca-2.0.3/src/ibmca_dsa.c --- old/openssl-ibmca-2.0.2/src/ibmca_dsa.c 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/src/ibmca_dsa.c 2019-04-23 18:15:44.000000000 +0200 @@ -84,7 +84,7 @@ ibmca_mod_exp_dsa, /* bn_mod_exp */ NULL, /* init */ NULL, /* finish */ - 0, /* flags */ + DSA_FLAG_FIPS_METHOD, /* flags */ NULL /* app_data */ }; 
@@ -115,7 +115,8 @@ || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp) - || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa)) { + || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa) + || !DSA_meth_set_flags(method, DSA_FLAG_FIPS_METHOD)) { DSA_meth_free(method); method = NULL; meth1 = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl-ibmca-2.0.2/src/ibmca_rsa.c new/openssl-ibmca-2.0.3/src/ibmca_rsa.c --- old/openssl-ibmca-2.0.2/src/ibmca_rsa.c 2018-11-27 15:38:37.000000000 +0100 +++ new/openssl-ibmca-2.0.3/src/ibmca_rsa.c 2019-04-23 18:15:44.000000000 +0200 @@ -342,7 +342,7 @@ ibmca_mod_exp_mont, /* bn_mod_exp */ ibmca_rsa_init, /* init */ NULL, /* finish */ - 0, /* flags */ + RSA_FLAG_FIPS_METHOD, /* flags */ NULL, /* app_data */ NULL, /* rsa_sign */ NULL, /* rsa_verify */ @@ -386,7 +386,8 @@ || !RSA_meth_set_priv_dec(method, RSA_meth_get_priv_dec(meth1)) || !RSA_meth_set_mod_exp(method, ibmca_rsa_mod_exp) || !RSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_mont) - || !RSA_meth_set_init(method, ibmca_rsa_init)) { + || !RSA_meth_set_init(method, ibmca_rsa_init) + || !RSA_meth_set_flags(method, RSA_FLAG_FIPS_METHOD)) { RSA_meth_free(method); method = NULL; meth1 = NULL;
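
Review bot: In the openssl-ibmca.spec hunk (@@ -17,29 +17,32 @@) the License tag changes from Apache-2.0 to IPL-1.0, but the new openssl-ibmca.changes entry does not mention it. A license change deserves its own bullet there rather than being covered by the spec-cleaner item. In the same hunk, "Requires: libica3" has no comment. Please add one next to it saying that it exists because e_ibmca.c loads libica.so.3 with dlopen, which RPM's automatic dependency scan cannot see, so that the line is kept in step with the soname.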
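
Review bot: The ChangeLog hunk (@@ -1,3 +1,6 @@) lists only "Add MSA9 CPACF support for ECDSA sign/verify" for 2.0.3, while the same diff also sets EVP_CIPH_FLAG_FIPS on every TDES and AES cipher declaration in ibmca_cipher.c, sets the *_FLAG_FIPS_METHOD flags on the RSA, DSA, DH, ECDSA and ECDH methods, and moves ERR_load_IBMCA_strings() and ERR_unload_IBMCA_strings(). Marking the engine's methods as suitable for FIPS mode changes what an application running in that mode will accept from the engine, so it should have its own ChangeLog line stating the reasoning.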
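
Review bot: The README.md hunk (@@ -38,38 +38,11 @@) removes the only note that dynamic_path in openssl.cnf.sample defaults to /usr/local/lib/ibmca.so and has to be updated when ibmca.so is installed elsewhere; the reference to config(5) does not cover that engine-specific default. Keep one sentence about dynamic_path next to the mention of the sample file, since the sample only works unchanged when the engine is installed at that location.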
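
Review bot: In the src/Makefile.am hunk (@@ -12,7 +12,7 @@) the switch from -version-info to -version-number sits directly before -avoid-version on the continuation line, and -avoid-version asks libtool not to store version information at all, so ${VERSION} should make no difference to the built module with either option. Either drop the version option together with the "VERSION = 2:0:3" assignment, or add a comment saying why both are kept.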
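
Review bot: In the src/e_ibmca.c hunk (@@ -365,9 +367,15 @@) ECDSA_FLAG_FIPS_METHOD and ECDH_FLAG_FIPS_METHOD are wrapped in #ifdef, whereas DH_FLAG_FIPS_METHOD, DSA_FLAG_FIPS_METHOD, RSA_FLAG_FIPS_METHOD and EVP_CIPH_FLAG_FIPS are used unguarded in ibmca_dh.c, ibmca_dsa.c, ibmca_rsa.c and ibmca_cipher.c. Please guard all of them the same way, or add a comment explaining why only the EC flags can be missing from the OpenSSL headers the engine builds against.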
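
Review bot: In the ibmca_destructor hunk of src/e_ibmca.c (@@ -751,8 +758,6 @@) the remaining body still raises IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_NOT_LOADED) when ibmca_dso is NULL, but with ERR_unload_IBMCA_strings() now called from the destroy path (hunk @@ -259,6 +259,8 @@) the destructor may run after the engine's error strings have been unloaded. Consider replacing that IBMCAerr call with DEBUG_PRINTF, as the dlopen failure path already does, or returning silently.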
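
Review bot: In the bind_helper hunk of src/e_ibmca.c (@@ -808,6 +813,8 @@) ERR_load_IBMCA_strings() is called before the "!ENGINE_set_id(e, engine_ibmca_id) || ..." chain, and the matching unload now lives only in the destroy function that this same chain registers through ENGINE_set_destroy_function(e, ibmca_destroy). If a setter fails before that registration takes effect, nothing visible in this hunk unloads the strings again. Please call ERR_unload_IBMCA_strings() on the failure branch, or load the strings only after the chain has succeeded.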
