diff --git a/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch b/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
new file mode 100644
index 0000000..0ed974a
--- /dev/null
+++ b/libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
@@ -0,0 +1,28 @@
+From 0a7e4c34a0cc58e1242d4b131e9c224736eadef2 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Mon, 28 Oct 2024 13:04:19 +0100
+Subject: [PATCH] fips update: remove sigVer from fips ECDSA kat
+
+From https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-capabilities.adoc
+"The 'componentTest' property is only valid for detECDSA / sigGen / FIPS186-5 and
+ECDSA / sigGen / * registrations." i.e., only ECDSA sigGen component can be tested.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ src/fips.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/fips.c b/src/fips.c
+index 4d1db07..3c26043 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -1240,9 +1240,6 @@ ecdsa_kat(void)
+ /* adapter handle not needed here, just CPACF */
+ rc = ica_ecdsa_sign_ex_internal(0, eckey, tv->hash, tv->hashlen,
+ sigbuf, tv->siglen, tv->k);
+- if (rc)
+- goto _err_;
+- rc = ica_ecdsa_verify(0, eckey, tv->hash, tv->hashlen, sigbuf, tv->siglen);
+ if (rc)
+ goto _err_;
+ if (memcmp(sigbuf, tv->sig, tv->siglen) != 0) {
diff --git a/libica-02-fips-update-Change-service-indicator-implementation.patch b/libica-02-fips-update-Change-service-indicator-implementation.patch
new file mode 100644
index 0000000..3a690c5
--- /dev/null
+++ b/libica-02-fips-update-Change-service-indicator-implementation.patch
@@ -0,0 +1,292 @@
+From 86c400a516a23ce807c1b7a5a3dec3c0ef441733 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Mon, 28 Oct 2024 13:44:11 +0100
+Subject: [PATCH] fips update: Change service indicator implementation
+
+Perform checks for non-approved algorithms / parameters directly into the
+APIs that perform the services. Especially, indicate that using an external
+GCM iv in fips mode is non-compliant, but on the exception list.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ src/ica_api.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++
+ src/icainfo.c | 1 +
+ src/include/fips.h | 7 ++++--
+ 3 files changed, 59 insertions(+), 2 deletions(-)
+
+diff --git a/src/ica_api.c b/src/ica_api.c
+index 0826af8..e0f6c43 100644
+--- a/src/ica_api.c
++++ b/src/ica_api.c
+@@ -94,7 +94,12 @@ int ica_external_gcm_iv_in_fips_mode_allowed = 0;
+
+ void ica_allow_external_gcm_iv_in_fips_mode(int allow)
+ {
++#ifdef ICA_FIPS
++ if (!fips_approved(AES_GCM_EXT_IV) && !fips_override(AES_GCM_EXT_IV))
++ return;
++
+ ica_external_gcm_iv_in_fips_mode_allowed = allow ? 
1 : 0;
++#endif
+ }
+
+
+@@ -399,6 +404,8 @@ unsigned int ica_sha1(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA1) && !fips_override(SHA1))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -454,6 +461,8 @@ unsigned int ica_sha224(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA224) && !fips_override(SHA224))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -501,6 +510,8 @@ unsigned int ica_sha256(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA256) && !fips_override(SHA256))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -548,6 +559,8 @@ unsigned int ica_sha384(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA384) && !fips_override(SHA384))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -596,6 +609,8 @@ unsigned int ica_sha512(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA512) && !fips_override(SHA512))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -644,6 +659,8 @@ unsigned int ica_sha512_224(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA512_224) && !fips_override(SHA512_224))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -692,6 +709,8 @@ unsigned int ica_sha512_256(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA512_256) && !fips_override(SHA512_256))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -740,6 +759,8 @@ unsigned int ica_sha3_224(unsigned int message_part,
+ #ifdef ICA_FIPS
+
if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA3_224) && !fips_override(SHA3_224))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -787,6 +808,8 @@ unsigned int ica_sha3_256(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA3_256) && !fips_override(SHA3_256))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -834,6 +857,8 @@ unsigned int ica_sha3_384(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA3_384) && !fips_override(SHA3_384))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -882,6 +907,8 @@ unsigned int ica_sha3_512(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHA3_512) && !fips_override(SHA3_512))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -931,6 +958,8 @@ unsigned int ica_shake_128(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHAKE128) && !fips_override(SHAKE128))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -986,6 +1015,8 @@ unsigned int ica_shake_256(unsigned int message_part,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(SHAKE256) && !fips_override(SHAKE256))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -1052,6 +1083,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ if (public_key->key_length != private_key->key_length)
+@@ -1094,6 +1127,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return 
EACCES;
++ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ if (public_key->key_length != private_key->key_length)
+@@ -1130,6 +1165,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -1193,6 +1230,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check if p > q */
+@@ -1266,6 +1305,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ /* check for obvious errors in parms */
+@@ -1337,6 +1378,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return NULL;
++ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
++ return EPERM;
+ #endif /* ICA_FIPS */
+
+ if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
+@@ -1375,6 +1418,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
++ return EPERM;
+ if (fips & ICA_FIPS_MODE) {
+ if (!curve_supported_via_openssl(key->nid) ||
+ !curve_supported_via_cpacf(key->nid)) {
+@@ -1421,6 +1466,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
++ return EPERM;
+ if (fips & ICA_FIPS_MODE) {
+ if (!curve_supported_via_openssl(key->nid) ||
+ !curve_supported_via_cpacf(key->nid))
+@@ -1494,6 +1541,8 @@
int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
++ return EPERM;
+ if (fips & ICA_FIPS_MODE) {
+ if (!curve_supported_via_openssl(privkey_A->nid) ||
+ !curve_supported_via_cpacf(privkey_A->nid))
+@@ -1563,6 +1612,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
++ return EPERM;
+ if (fips & ICA_FIPS_MODE) {
+ if (!curve_supported_via_openssl(privkey->nid) ||
+ !curve_supported_via_cpacf(privkey->nid))
+@@ -1654,6 +1705,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
+ #ifdef ICA_FIPS
+ if (fips >> 1)
+ return EACCES;
++ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
++ return EPERM;
+ if (fips & ICA_FIPS_MODE) {
+ if (!curve_supported_via_openssl(pubkey->nid) ||
+ !curve_supported_via_cpacf(pubkey->nid))
+diff --git a/src/icainfo.c b/src/icainfo.c
+index 608994f..b18cbfa 100644
+--- a/src/icainfo.c
++++ b/src/icainfo.c
+@@ -556,6 +556,7 @@ void print_fips_indicator(void)
+ }
+ }
+
++ printf(" GCM ext iv | - | - | - \n");
+ printf("------------------------------------------------------\n");
+
+ done:
+diff --git a/src/include/fips.h b/src/include/fips.h
+index c0af6b6..ec7f2c9 100644
+--- a/src/include/fips.h
++++ b/src/include/fips.h
+@@ -65,6 +65,8 @@ unsigned int ica_aes_gcm_initialize_internal(const unsigned char *iv,
+ unsigned char *ucb, unsigned char *subkey,
+ unsigned int direction);
+
++#define AES_GCM_EXT_IV 73
++
+ /*
+ * List of non-fips-approved algorithms
+ */
+@@ -73,14 +75,15 @@ static const int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB,
+ DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
+ DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
+ ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, 
X25519_DERIVE,
+- X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG };
++ X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, AES_GCM_EXT_IV };
+ static const size_t FIPS_BLACKLIST_LEN
+ = sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
+
+ /*
+ * FIPS service indicator: List of tolerated but non-approved algorithms.
+ */
+-static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG };
++static const int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG,
++ AES_GCM_EXT_IV };
+ static const size_t FIPS_OVERRIDE_LIST_LEN
+ = sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);
+
diff --git a/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch b/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
new file mode 100644
index 0000000..4bf9c97
--- /dev/null
+++ b/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
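Review bot: In the `ica_ec_key_new` hunk (`@@ -1337,6 +1378,8 @@`) the added guard ends in `return EPERM;`, but the function returns `ICA_EC_KEY*` and the line directly above it returns `NULL`; a caller that only tests the result against NULL would take the errno value for a valid key pointer and dereference it. The added line should be `return NULL;`, with `errno = EPERM;` set first if the reason has to reach the caller. In the first hunk, `ica_allow_external_gcm_iv_in_fips_mode` now returns without effect when the gate rejects the request and has an empty body when `ICA_FIPS` is not defined, so a caller cannot tell whether the setting was applied; a comment on the function stating this would help. The bodies of both functions continue outside their hunks.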
@@ -0,0 +1,44 @@
+From 6823004d49fad72ccc5a8933cbf8443f08371584 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Wed, 6 Nov 2024 13:12:11 +0100
+Subject: [PATCH] fips update: Dynamically update service indicator based on IV
+ usage
+
+Fix handling to differentiate if the call to AES-GCM encryption API was approved
+or not. If the IV was set externally, it's non-approved, otherwise with internal
+IV it's approved.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ src/s390_crypto.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/s390_crypto.c b/src/s390_crypto.c
+index 623864b..29f2b29 100644
+--- a/src/s390_crypto.c
++++ b/src/s390_crypto.c
+@@ -30,6 +30,8 @@
+ #include "init.h"
+ #include "s390_crypto.h"
+
++extern int ica_external_gcm_iv_in_fips_mode_allowed;
++
+ unsigned long long facility_bits[3];
+ unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
+ tdes_switch, aes128_switch, aes192_switch, aes256_switch,
+@@ -814,6 +816,15 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
+ indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
+ indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);
+ indicator_list[i].fips_override = fips_override(icaList[i].mech_mode_id);
++ if (icaList[i].mech_mode_id == AES_GCM || icaList[i].mech_mode_id == AES_GCM_KMA) {
++ if (ica_external_gcm_iv_in_fips_mode_allowed) {
++ indicator_list[i].fips_approved = 0;
++ indicator_list[i].fips_override = 1;
++ } else {
++ indicator_list[i].fips_approved = 1;
++ indicator_list[i].fips_override = 0;
++ }
++ }
+ }
+
+ return 0;
diff --git a/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch b/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
new file mode 100644
index 0000000..3d86174
--- /dev/null
+++ b/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
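Review bot: The `else` branch added in the `s390_get_fips_indicator` hunk forces `fips_approved = 1` and `fips_override = 0` for `AES_GCM` and `AES_GCM_KMA`, discarding what `fips_approved()` and `fips_override()` returned on the two lines above it; if those helpers can ever report AES-GCM as non-approved (their definitions are not part of this patch), the indicator would still claim approval. Only the downgrade is needed, so the block can be reduced to the `if (ica_external_gcm_iv_in_fips_mode_allowed)` branch with the `else` dropped. The flag is also a process-wide setting, so the indicator reports whether external IVs are currently permitted rather than whether a particular call used one, which differs from the wording of the commit message and deserves a comment above the block. The function body continues outside the hunk.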
@@ -0,0 +1,94 @@
+From 9e1582dd059d69c86b6f323fadd87956b6034aab Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Wed, 6 Nov 2024 13:17:54 +0100
+Subject: [PATCH] fips update: provide test for dynamic service indicator
+
+Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
+API to allow and forbid an external GCM IV. Depending on whether the application
+allows or forbids external IVs, the service indicator changes dynamically.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 62 insertions(+)
+
+diff --git a/test/fips_test.c b/test/fips_test.c
+index 2bd3d40..873c4b0 100644
+--- a/test/fips_test.c
++++ b/test/fips_test.c
+@@ -13,6 +13,64 @@
+
+ #define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
+
++#ifdef ICA_FIPS
++static int test_gcm_iv_usage(void)
++{
++ libica_fips_indicator_element *fips_list = NULL;
++ unsigned int rc, i, fips_len, allow;
++ unsigned int approved_expected, override_expected;
++
++ for (allow = 0; allow < 2; allow++) {
++
++ approved_expected = allow == 1 ? 0 : 1;
++ override_expected = allow == 1 ? 
1 : 0;
++
++ /* Check allowance of an external iv in fips mode */
++ ica_allow_external_gcm_iv_in_fips_mode(allow);
++
++ /* Get fips indicator list */
++ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
++ printf("get_fips_indicator failed\n");
++ rc = EXIT_FAILURE;
++ goto done;
++ }
++
++ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
++ if (!fips_list) {
++ printf("malloc fips_indicator list failed\n");
++ rc = EXIT_FAILURE;
++ goto done;
++ }
++
++ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
++ printf("ica_get_fips_indicator failed\n");
++ free(fips_list);
++ rc = EXIT_FAILURE;
++ goto done;
++ }
++
++ for (i = 0; i < fips_len; i++) {
++ if (fips_list[i].mech_mode_id == AES_GCM ||
++ fips_list[i].mech_mode_id == AES_GCM_KMA) {
++ if (fips_list[i].fips_approved != approved_expected ||
++ fips_list[i].fips_override != override_expected) {
++ rc = EXIT_FAILURE;
++ free(fips_list);
++ goto done;
++ }
++ }
++ }
++
++ free(fips_list);
++ }
++
++ rc = 0;
++
++done:
++ return rc;
++}
++#endif /* ICA_FIPS */
++
+ int
+ main(void)
+ {
+@@ -68,6 +126,10 @@ main(void)
+ printf("Libica FIPS integrity check failed.\n");
+ rv = EXIT_FAILURE;
+ }
++ if (test_gcm_iv_usage()) {
++ printf("Libica FIPS gcm iv usage check failed.\n");
++ rv = EXIT_FAILURE;
++ }
+ #endif /* ICA_FIPS */
+
+ printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
diff --git a/libica-4.2.3.tar.gz b/libica-4.2.3.tar.gz
deleted file mode 100644
index d68b553..0000000
--- a/libica-4.2.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6f45c5797a2ed14629c1f16e7d55e0252477d7fca880bc0427cdd57dcf275019
-size 574727
diff --git a/libica-4.3.1.tar.gz b/libica-4.3.1.tar.gz
new file mode 100644
index 0000000..44590b4
--- /dev/null
+++ b/libica-4.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5693fa8858941b68252a94c1f03f098e773b43cd56c10d6d3f15f24fdc623562
+size 576561
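Review bot: `test_gcm_iv_usage` passes without checking anything when neither `AES_GCM` nor `AES_GCM_KMA` appears in the returned list, because the comparison only runs inside the `mech_mode_id` match; a `found` counter tested after the inner loop would make the sub-test fail in that case. The last loop iteration calls `ica_allow_external_gcm_iv_in_fips_mode(1)` and nothing resets it, so the remainder of `main` runs with external IVs allowed; placing `ica_allow_external_gcm_iv_in_fips_mode(0);` directly after `done:` restores the default on every exit path. The mismatch branch also sets `rc = EXIT_FAILURE` without printing which mechanism or which of the two fields differed, which makes a failure hard to diagnose from the log.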
diff --git a/libica.changes b/libica.changes
index fe20e5a..7a0880f 100644
--- a/libica.changes
+++ b/libica.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Nov 6 13:40:24 UTC 2024 - Nikolay Gueorguiev
+
+- Applied additional patches (bsc#1231302)
+ * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
+ * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 11:51:31 UTC 2024 - Nikolay Gueorguiev
+
+- Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
+ * Various bug fixes and housekeeping
+ *** libica version 4.3.0
+ * New API function ica_allow_external_gcm_iv_in_fips_mode
+ * Bug fixes
+- Amended the .spec file (bsc#1231999)
+ * Replaced Recommends libica-tools with Requires
+- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
+ * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
+ * libica-02-fips-update-Change-service-indicator-implementation.patch
+
 -------------------------------------------------------------------
 Fri Oct 6 07:08:03 UTC 2023 - Nikolay Gueorguiev
diff --git a/libica.spec b/libica.spec
index 65e242d..f6dbd66 100644
--- a/libica.spec
+++ b/libica.spec
@@ -22,7 +22,7 @@ %endif
 Name: libica
-Version: 4.2.3
+Version: 4.3.1
 Release: 0
 Summary: Library interface for the IBM Cryptographic Accelerator device driver
 License: CPL-1.0
@@ -34,8 +34,15 @@ Source2: sysconfig.z90crypt
 Source3: z90crypt
 Source4: z90crypt.service
 Source5: %{name}-rpmlintrc
+###
 Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
 Patch99: libica-sles15sp5-FIPS-hmac-key.patch
+###
+Patch110: libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
+Patch111: libica-02-fips-update-Change-service-indicator-implementation.patch
+Patch112: libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
+Patch113: libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch
+###
 BuildRequires: autoconf
 BuildRequires: automake
@@ -55,7 +62,8 @@ modules to interface with the IBM eServer Cryptographic Accelerator
 %package -n libica4
 Summary: Library interface for the IBM Cryptographic Accelerator
 Group: System/Libraries
-Recommends: libica-tools
+# Recommends: libica-tools
+Requires: libica-tools
 %description -n libica4
 This package contains the interface library routines used by IBM
@@ -144,8 +152,8 @@ cp -a %{SOURCE1} .
 rm -vf %{buildroot}%{_libdir}/libica*.la
 rm -f %{buildroot}%{_datadir}/doc/libica/*
 rmdir %{buildroot}%{_datadir}/doc/libica
-rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
-rmdir %{buildroot}/%{_sysconfdir}/libica
+# rm %{buildroot}/%{_sysconfdir}/libica/openssl3-fips.cnf
+# rmdir %{buildroot}/%{_sysconfdir}/libica
 %check
 %make_build check FIPSHMAC=fipshmac
@@ -175,6 +183,10 @@ rmdir %{buildroot}/%{_sysconfdir}/libica
 %{_libdir}/libica-cex.so.%{major}
 %{_libdir}/.libica-cex.so.%{version}.hmac
 %{_libdir}/.libica-cex.so.%{major}.hmac
+### Enable FIPS
+%dir %{_sysconfdir}/libica
+%{_sysconfdir}/libica/openssl3-fips.cnf
+###
 %files tools
 %license LICENSE
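Review bot: The `%files` hunk lists `%{_sysconfdir}/libica/openssl3-fips.cnf` as a plain file, so rpm does not treat it as configuration and replaces a locally edited copy on upgrade without keeping the old one. Files under `%{_sysconfdir}` are normally marked, e.g. `%config %{_sysconfdir}/libica/openssl3-fips.cnf`, or `%config(noreplace)` if administrator edits are meant to survive updates; which of the two fits depends on whether the FIPS configuration must always track the packaged version. In the `%install` hunk the two `rm`/`rmdir` lines are commented out rather than deleted, which leaves dead lines referring to the file that is now shipped. The `%files` section continues outside the hunk.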