Accepting request 903102 from devel:openSUSE:Factory

- Update to version 3.8.0 (jsc#SLE-18334)
  - [FEATURE] provide libica-cex module to satisfy special security requirements
  - [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
   - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
   - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
   - libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
   * FIPS: Find libica from phdrs.
     - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
   * FIPS: enforce the hmac check
     - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
   + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists

OBS-URL: https://build.opensuse.org/request/show/903102
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libica?expand=0&rev=22
This commit is contained in:
Dominique Leuenberger 2021-07-01 05:05:32 +00:00 committed by Git OBS Bridge
commit 6875eb5be8
10 changed files with 99 additions and 394 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a08fe8a3a5cb1fe75f2488d47f4785e92966c43bf8405f638fa1b2990823a505
size 542422

3
libica-3.8.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dab8dabc40d939fbef7a6e1a88ffb53db433795a38a2dde42ba3063b32195d3b
size 548378

View File

@ -0,0 +1,53 @@
From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Mon, 7 Jun 2021 21:12:01 +0200
Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
openssl-fipshmac | 12 ++++++++++++
src/Makefile.am | 4 ++--
2 files changed, 14 insertions(+), 2 deletions(-)
create mode 100755 openssl-fipshmac
diff --git a/openssl-fipshmac b/openssl-fipshmac
new file mode 100755
index 0000000..60fd505
--- /dev/null
+++ b/openssl-fipshmac
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+if [ "$#" -eq 0 ] ; then
+ echo "No library to hash specified." >&2
+ exit 22
+fi
+
+while [ -n "$1" ] ; do
+ dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
+ echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
+ shift
+done
diff --git a/src/Makefile.am b/src/Makefile.am
index 4a1ef14..2be01a5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -46,13 +46,13 @@ mp.S : mp.pl
./mp.pl mp.S
if ICA_FIPS
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
hmac-file-lnk: hmac-file
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
hmac-file: libica.la libica-cex.la
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
- $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
+ $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
hmac_files = hmac-file hmac-file-lnk
--
2.31.1

View File

@ -1,160 +0,0 @@
From 23a647aab7b44442b63345bdf70da0696b7fcd5a Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Fri, 21 Aug 2020 15:29:49 +0200
Subject: [PATCH] FIPS: add SHA3 KATs to fips_powerup_tests
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 26 ++++++++++++++++++-
src/include/test_vec.h | 13 ++++++++++
src/test_vec.c | 59 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 97 insertions(+), 1 deletion(-)
diff --git a/src/fips.c b/src/fips.c
index 2bf11f5..13a550b 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -95,6 +95,29 @@ SHA_KAT(384, 512);
SHA_KAT(512, 512);
#undef SHA_KAT
+#define SHA3_KAT(_sha_, _ctx_) \
+static int sha3_##_sha_##_kat(void) { \
+ sha3_##_ctx_##_context_t ctx; \
+ size_t i; \
+ unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \
+ for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \
+ if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \
+ SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \
+ &ctx, out) || memcmp(SHA3_##_sha_##_TV[i].md, out, \
+ SHA3_##_sha_##_HASH_LENGTH)) { \
+ syslog(LOG_ERR, "Libica SHA-3%d test failed.", \
+ _sha_); \
+ return 1; \
+ } \
+ } \
+ return 0; \
+}
+SHA3_KAT(224, 224);
+SHA3_KAT(256, 256);
+SHA3_KAT(384, 384);
+SHA3_KAT(512, 512);
+#undef SHA3_KAT
+
void
fips_init(void)
{
@@ -328,7 +351,8 @@ fips_powerup_tests(void)
/* Cryptographic algorithm test. */
if (ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512)
|| sha1_kat() || sha224_kat() || sha256_kat() || sha384_kat()
- || sha512_kat() || des3_ecb_kat() || des3_cbc_kat()
+ || sha512_kat() || sha3_224_kat() || sha3_256_kat() || sha3_384_kat()
+ || sha3_512_kat() || des3_ecb_kat() || des3_cbc_kat()
|| des3_cbc_cs_kat() || des3_cfb_kat() || des3_ofb_kat()
|| des3_ctr_kat() || des3_cmac_kat() || aes_ecb_kat()
|| aes_cbc_kat() || aes_cbc_cs_kat() || aes_cfb_kat()
diff --git a/src/include/test_vec.h b/src/include/test_vec.h
index bba6ea9..692afbc 100644
--- a/src/include/test_vec.h
+++ b/src/include/test_vec.h
@@ -366,6 +366,19 @@ extern const size_t SHA384_TV_LEN;
extern const struct sha_tv SHA512_TV[];
extern const size_t SHA512_TV_LEN;
+
+extern const struct sha_tv SHA3_224_TV[];
+extern const size_t SHA3_224_TV_LEN;
+
+extern const struct sha_tv SHA3_256_TV[];
+extern const size_t SHA3_256_TV_LEN;
+
+extern const struct sha_tv SHA3_384_TV[];
+extern const size_t SHA3_384_TV_LEN;
+
+extern const struct sha_tv SHA3_512_TV[];
+extern const size_t SHA3_512_TV_LEN;
+
#endif /* ICA_FIPS */
#ifdef ICA_INTERNAL_TEST_EC
diff --git a/src/test_vec.c b/src/test_vec.c
index ab260dc..f282dbb 100644
--- a/src/test_vec.c
+++ b/src/test_vec.c
@@ -2449,6 +2449,61 @@ const struct sha_tv SHA512_TV[] = {
}
},
};
+
+const struct sha_tv SHA3_224_TV[] = {
+{
+.msg_len = 3,
+.msg = (unsigned char []){
+0x61, 0x62, 0x63,
+},
+.md = (unsigned char []){
+0xe6,0x42,0x82,0x4c,0x3f,0x8c,0xf2,0x4a,0xd0,0x92,0x34,0xee,0x7d,0x3c,0x76,0x6f,
+0xc9,0xa3,0xa5,0x16,0x8d,0x0c,0x94,0xad,0x73,0xb4,0x6f,0xdf,
+}
+},
+};
+
+const struct sha_tv SHA3_256_TV[] = {
+{
+.msg_len = 3,
+.msg = (unsigned char []){
+0x61, 0x62, 0x63,
+},
+.md = (unsigned char []){
+0x3A,0x98,0x5D,0xA7,0x4F,0xE2,0x25,0xB2,0x04,0x5C,0x17,0x2D,0x6B,0xD3,0x90,0xBD,
+0x85,0x5F,0x08,0x6E,0x3E,0x9D,0x52,0x5B,0x46,0xBF,0xE2,0x45,0x11,0x43,0x15,0x32,
+}
+},
+};
+
+const struct sha_tv SHA3_384_TV[] = {
+{
+.msg_len = 3,
+.msg = (unsigned char []){
+0x61, 0x62, 0x63,
+},
+.md = (unsigned char []){
+0xEC,0x01,0x49,0x82,0x88,0x51,0x6F,0xC9,0x26,0x45,0x9F,0x58,0xE2,0xC6,0xAD,0x8D,
+0xF9,0xB4,0x73,0xCB,0x0F,0xC0,0x8C,0x25,0x96,0xDA,0x7C,0xF0,0xE4,0x9B,0xE4,0xB2,
+0x98,0xD8,0x8C,0xEA,0x92,0x7A,0xC7,0xF5,0x39,0xF1,0xED,0xF2,0x28,0x37,0x6D,0x25,
+}
+},
+};
+
+const struct sha_tv SHA3_512_TV[] = {
+{
+.msg_len = 3,
+.msg = (unsigned char []){
+0x61, 0x62, 0x63,
+},
+.md = (unsigned char []){
+0xB7,0x51,0x85,0x0B,0x1A,0x57,0x16,0x8A,0x56,0x93,0xCD,0x92,0x4B,0x6B,0x09,0x6E,
+0x08,0xF6,0x21,0x82,0x74,0x44,0xF7,0x0D,0x88,0x4F,0x5D,0x02,0x40,0xD2,0x71,0x2E,
+0x10,0xE1,0x16,0xE9,0x19,0x2A,0xF3,0xC9,0x1A,0x7E,0xC5,0x76,0x47,0xE3,0x93,0x40,
+0x57,0x34,0x0B,0x4C,0xF4,0x08,0xD5,0xA5,0x65,0x92,0xF8,0x27,0x4E,0xEC,0x53,0xF0,
+}
+},
+};
#endif /* ICA_FIPS */
#ifdef ICA_INTERNAL_TEST_EC
@@ -5759,6 +5814,10 @@ const size_t SHA224_TV_LEN = sizeof(SHA224_TV) / sizeof(SHA224_TV[0]);
const size_t SHA256_TV_LEN = sizeof(SHA256_TV) / sizeof(SHA256_TV[0]);
const size_t SHA384_TV_LEN = sizeof(SHA384_TV) / sizeof(SHA384_TV[0]);
const size_t SHA512_TV_LEN = sizeof(SHA512_TV) / sizeof(SHA512_TV[0]);
+const size_t SHA3_224_TV_LEN = sizeof(SHA3_224_TV) / sizeof(SHA3_224_TV[0]);
+const size_t SHA3_256_TV_LEN = sizeof(SHA3_256_TV) / sizeof(SHA3_256_TV[0]);
+const size_t SHA3_384_TV_LEN = sizeof(SHA3_384_TV) / sizeof(SHA3_384_TV[0]);
+const size_t SHA3_512_TV_LEN = sizeof(SHA3_512_TV) / sizeof(SHA3_512_TV[0]);
#endif /* ICA_FIPS */
#ifdef ICA_INTERNAL_TEST_EC
const size_t ECDSA_TV_LEN = sizeof(ECDSA_TV) / sizeof(ECDSA_TV[0]);
--
2.26.2

View File

@ -1,31 +0,0 @@
From 8acba8fc09a91831172658c9c0810aa45ab39245 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 1 Sep 2020 10:03:38 +0200
Subject: [PATCH] FIPS: fix inconsistent error handling.
when the HMAC file is not present/readable it is also an error.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
src/fips.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index c0055b719bff..71a417e8de40 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -295,10 +295,8 @@ static int FIPSCHECK_verify(const char *path)
return 0;
fp = fopen(hmacpath, "r");
- if (fp == NULL) {
- rc = 1;
+ if (fp == NULL)
goto end;
- }
if (getline(&known_hmac_str, &n, fp) <= 0)
goto end;
--
2.28.0

View File

@ -1,44 +0,0 @@
From 54c1a5341c9a5cb5513e52548ab0490f8dafbff6 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Thu, 27 Aug 2020 17:08:29 +0200
Subject: [PATCH] FIPS: skip SHA3 tests if running on hardware without SHA3
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/fips.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/fips.c b/src/fips.c
index 13a550b..facffee 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -95,11 +95,26 @@ SHA_KAT(384, 512);
SHA_KAT(512, 512);
#undef SHA_KAT
+static inline int sha3_available(void)
+{
+ sha3_224_context_t sha3_224_context;
+ unsigned char output_hash[SHA3_224_HASH_LENGTH];
+ unsigned char test_data[] = { 0x61,0x62,0x63 };
+ int rc = 0;
+
+ rc = ica_sha3_224(SHA_MSG_PART_ONLY, sizeof(test_data), test_data,
+ &sha3_224_context, output_hash);
+
+ return (rc == ENODEV ? 0 : 1);
+}
+
#define SHA3_KAT(_sha_, _ctx_) \
static int sha3_##_sha_##_kat(void) { \
sha3_##_ctx_##_context_t ctx; \
size_t i; \
unsigned char out[SHA3_##_sha_##_HASH_LENGTH]; \
+ if (!sha3_available()) \
+ return 0; \
for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) { \
if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY, \
SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg, \
--
2.26.2

View File

@ -1,38 +0,0 @@
From 71a04ed492f6cb9dd2de91ff28d0327d17fe702a Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Fri, 28 Aug 2020 14:08:53 +0200
Subject: [PATCH] FIPS: use full library version for hmac filename.
Fixes: 231bba3b32bd ("FIPS: introduce HMAC based library integrity check")
Fixes: f9f148487fad ("fix library filename for FIPS integrity check")
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
src/fips.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index facffee..c0055b7 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -42,7 +42,7 @@
* The hard-coded HMAC key to be optionally provided for the library
* integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
* The known HMAC is supposed to be provided as hex string in a file
- * libica.so.MAJOR.hmac in the same directory as the .so module.
+ * .libica.so.VERSION.hmac in the same directory as the .so module.
*/
static const char hmackey[] =
"0000000000000000000000000000000000000000000000000000000000000000"
@@ -344,7 +344,7 @@ static void fips_lib_integrity_check(void)
{
int rc;
char path[PATH_MAX];
- const char *libname = "libica.so";
+ const char *libname = "libica.so." VERSION;
const char *symbolname = "ica_sha256";
rc = get_library_path(libname, symbolname, path, sizeof(path));
--
2.26.2

View File

@ -1,99 +0,0 @@
From 47a98c0f37af62783d59699b5e10830385817ec2 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Fri, 21 Aug 2020 11:29:11 +0200
Subject: [PATCH] Zeroize local variables
Some internal variables used to store sensitive information (keys)
were not zeroized before returning to the calling application.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/ica_api.c | 8 ++++++++
src/include/s390_aes.h | 4 ++++
src/include/s390_des.h | 8 ++++++++
3 files changed, 20 insertions(+)
diff --git a/src/ica_api.c b/src/ica_api.c
index eb6b154..5bdf24e 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1034,6 +1034,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
if (rc == 0)
stats_increment(ICA_STATS_RSA_ME, hardware, ENCRYPT);
+ OPENSSL_cleanse(&rb, sizeof(rb));
+
return rc;
}
@@ -1089,6 +1091,10 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
free(tmp_buf);
+ BN_clear_free(bn_p);
+ BN_clear_free(bn_q);
+ BN_clear_free(bn_invq);
+
return 1;
}
return 0;
@@ -1147,6 +1153,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
if (rc == 0)
stats_increment(ICA_STATS_RSA_CRT, hardware, ENCRYPT);
+ OPENSSL_cleanse(&rb, sizeof(rb));
+
return rc;
}
diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
index 2e2f325..4a02a4c 100644
--- a/src/include/s390_aes.h
+++ b/src/include/s390_aes.h
@@ -327,6 +327,8 @@ static inline int s390_aes_ecb_sw(unsigned int function_code,
&aes_key, direction);
}
+ OPENSSL_cleanse(&aes_key, sizeof(aes_key));
+
return 0;
}
@@ -388,6 +390,8 @@ static inline int s390_aes_cbc_sw(unsigned int function_code,
AES_cbc_encrypt(input_data, output_data, input_length,
&aes_key, (unsigned char *) iv, direction);
+ OPENSSL_cleanse(&aes_key, sizeof(aes_key));
+
return 0;
}
diff --git a/src/include/s390_des.h b/src/include/s390_des.h
index 811de4d..81d8ed0 100644
--- a/src/include/s390_des.h
+++ b/src/include/s390_des.h
@@ -112,6 +112,10 @@ static inline int s390_des_ecb_sw(unsigned int function_code, unsigned long inpu
break;
}
+ OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
+
return 0;
}
@@ -193,6 +197,10 @@ static inline int s390_des_cbc_sw(unsigned int function_code,
break;
};
+ OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
+ OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
+
return 0;
}
--
2.26.2

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Jun 7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
- Update to version 3.8.0 (jsc#SLE-18334)
- [FEATURE] provide libica-cex module to satisfy special security requirements
- [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
- libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
- libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
* FIPS: Find libica from phdrs.
- libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
* FIPS: enforce the hmac check
- libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
+ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists
-------------------------------------------------------------------
Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>

View File

@ -1,7 +1,7 @@
#
# spec file for package libica
#
# Copyright (c) 2018-2020 SUSE LLC
# Copyright (c) 2018-2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
%endif
Name: libica
Version: 3.7.0
Version: 3.8.0
Release: 0
Summary: Library interface for the IBM Cryptographic Accelerator device driver
License: CPL-1.0
@ -37,11 +37,7 @@ Source4: z90crypt
Source5: z90crypt.service
Source6: baselibs.conf
Source7: %{name}-rpmlintrc
Patch01: libica-sles15sp2-Zeroize-local-variables.patch
Patch02: libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
Patch03: libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
Patch04: libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
Patch05: libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
Patch99: libica-sles15sp2-FIPS-hmac-key.patch
BuildRequires: autoconf
@ -123,14 +119,14 @@ autoreconf --force --install
%configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
--enable-fips
%make_build clean
%make_build
%make_build FIPSHMAC=fipshmac
%define major %(echo %{version} | sed -e 's/[.].*//')
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{major} }}
%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
%install
%make_install
%make_install FIPSHMAC=fipshmac
mkdir -p %{buildroot}%{_includedir}
cp -p include/ica_api.h %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
@ -138,17 +134,18 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
# and the dangling symlink test would fail
chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
cp -a %{SOURCE2} .
rm -f %{buildroot}%{_libdir}/libica.la
rm -vf %{buildroot}%{_libdir}/libica*.la
rm -f %{buildroot}%{_datadir}/doc/libica/*
rmdir %{buildroot}%{_datadir}/doc/libica
%check
echo Tests should fail without a hash file
! %make_build check
fipshmac src/.libs/libica.so.%{major}
%make_build check
%make_build check FIPSHMAC=fipshmac
%pre tools
%service_add_pre z90crypt.service
@ -167,19 +164,25 @@ fipshmac src/.libs/libica.so.%{major}
%postun -n libica3 -p /sbin/ldconfig
%files -n libica3
%defattr(-,root,root)
%{_libdir}/libica.so.%{version}
%{_libdir}/libica.so.%{major}
%{_libdir}/.libica.so.%{version}.hmac
%{_libdir}/.libica.so.%{major}.hmac
%{_libdir}/libica-cex.so.%{version}
%{_libdir}/libica-cex.so.%{major}
%{_libdir}/.libica-cex.so.%{version}.hmac
%{_libdir}/.libica-cex.so.%{major}.hmac
%files tools
%license LICENSE
%doc README.SUSE
%{_sbindir}/rcz90crypt
%attr(0644,root,root) %{_fillupdir}/sysconfig.z90crypt
%{_fillupdir}/sysconfig.z90crypt
%{_bindir}/icainfo
%{_bindir}/icainfo-cex
%{_bindir}/icastats
%{_mandir}/man1/icainfo.1%{?ext_man}
%{_mandir}/man1/icainfo-cex.1%{?ext_man}
%{_mandir}/man1/icastats.1%{?ext_man}
%dir %{_prefix}/lib/systemd/scripts
%{_prefix}/lib/systemd/scripts/z90crypt
@ -188,9 +191,11 @@ fipshmac src/.libs/libica.so.%{major}
%{_libdir}/libica.so
%files devel
%attr(0644,root,root) %{_includedir}/ica_api.h
%{_includedir}/ica_api.h
%{_libdir}/libica-cex.so
%files devel-static
%attr(0644,root,root) %{_libdir}/libica.a
%{_libdir}/libica.a
%{_libdir}/libica-cex.a
%changelog