Ubuntu
openssl-ibmca package

[22.04 FEAT] [LDP2025] Upgrade openssl-ibmca to latest version (crypto) (2.2.1)

Bug #1958419 reported by bugproxy
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
openssl-ibmca (Ubuntu)
Fix Released
High
Simon Chopin

Bug Description

Upgrade to newest version of openssl-ibmca v 2.2.1

Available here: https://github.com/opencryptoki/openssl-ibmca/

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-196000 severity-high targetmilestone-inin2204
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Frank Heimes (fheimes)
affects: linux (Ubuntu) → openssl-ibmca (Ubuntu)
Changed in ubuntu-z-systems:
status: New → Confirmed
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in openssl-ibmca (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Frank Heimes (fheimes)
Revision history for this message
Frank Heimes (fheimes) wrote :

I've created a debdiff for the new version.

Revision history for this message
Frank Heimes (fheimes) wrote (last edit ):

I've also compiled the new package successfully using this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1958419

Frank Heimes (fheimes)
tags: added: universe
Changed in ubuntu-z-systems:
status: Confirmed → In Progress
Frank Heimes (fheimes)
tags: added: jammy
Revision history for this message
Frank Heimes (fheimes) wrote :

I did a local build incl. test runs and got the following results:
============================================================================
Testsuite summary for openssl-ibmca 2.2.1
============================================================================
# TOTAL: 34
# PASS: 27
# SKIP: 2
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 5
============================================================================
See test/test-suite.log
Please report to <email address hidden>

I checked these results with upstream and got the information that:
1) the des and 3des errors are known with openssl 3.0
   the config should load the legacy provider here,
   since openssl 3 sees des and 3des as deprecated
   and moved it to the legacy-provider
2) the fact that loadtest and threadtest got skipped is due to our outdated (crypto) hardware

So this is expected (and similar to a test run with the previous version 2.2.0).

Frank Heimes (fheimes)
information type: Private → Public
Revision history for this message
Simon Chopin (schopin) wrote :

Nice work. I'll try to fix the tests and fully enable them at build time, then if I succeed I'll upload the result to the archive. However, I'd rather not upload a package with known test failures.

Changed in openssl-ibmca (Ubuntu):
assignee: Frank Heimes (fheimes) → Simon Chopin (schopin)
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

https://launchpad.net/~fheimes/+archive/ubuntu/1958419

Revision history for this message
Simon Chopin (schopin) wrote :

OK, so I've managed to fix *most* of the tests, but the 3DES-ECB one still fails. I'm still investigating it, but the investigation is a bit slow due to having to go through a PPA every time I change something :)

I'm using https://launchpad.net/~schopin/+archive/ubuntu/test-ppa/+packages for those following at home.

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-01-24 06:22 EDT-------
For the DES tests, you can simply skip them with openssl 3.0. The 3des-ecb for some reason unknown to me needs an iv with openssl 3.0 just to ignore it. But if it is not there, openssl 3.0 complains. I am in the process of fixing this and also incorporate some changes regarding the configuration update process and the recently release libica version 4.0.

Revision history for this message
Frank Heimes (fheimes) wrote :

Oh, theer is also a new libica (4.0), guess we need to have a look at it ...

Revision history for this message
Simon Chopin (schopin) wrote :

Uploaded this version with the 3DES-EBC test disabled.

Changed in openssl-ibmca (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-ibmca - 2.2.1-0ubuntu1

---------------
openssl-ibmca (2.2.1-0ubuntu1) jammy; urgency=medium

  * New upstream release. LP: #1958419

  [Simon Chopin]
  * d/p/testconf-openssl3.patch: fix the test suite against OpenSSL 3.0
  * d/p/disable-3des-ecb-test.patch: Temporarily disable a failing test
  * d/rules: make the build fail if the tests fail

 -- Frank Heimes <email address hidden> Thu, 20 Jan 2022 15:44:47 +0100

Changed in openssl-ibmca (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Released
Frank Heimes (fheimes)
Changed in openssl-ibmca (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.