Accepting request 902188 from home:michals

- Update to version 3.8.0 (jsc#SLE-18334)
  - [FEATURE] provide libica-cex module to satisfy special security requirements
  - [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
   - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
   - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
   - libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
   * FIPS: Find libica from phdrs.
     - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
   * FIPS: enforce the hmac check
     - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
   + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists

OBS-URL: https://build.opensuse.org/request/show/902188
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=58

libica-3.7.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a08fe8a3a5cb1fe75f2488d47f4785e92966c43bf8405f638fa1b2990823a505
-size 542422

libica-3.8.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dab8dabc40d939fbef7a6e1a88ffb53db433795a38a2dde42ba3063b32195d3b
+size 548378

libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch

@@ -0,0 +1,53 @@
+From 88d54fd0b867d9ee29d2bb1043d014f93d3dffc9 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Mon, 7 Jun 2021 21:12:01 +0200
+Subject: [PATCH] FIPS: make it possible to specify fipshmac binary.
+
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+---
+ openssl-fipshmac | 12 ++++++++++++
+ src/Makefile.am  |  4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100755 openssl-fipshmac
+
+diff --git a/openssl-fipshmac b/openssl-fipshmac
+new file mode 100755
+index 0000000..60fd505
+--- /dev/null
++++ b/openssl-fipshmac
+@@ -0,0 +1,12 @@
++#!/bin/sh -e
++
++if [ "$#" -eq 0 ] ; then
++    echo "No library to hash specified." >&2
++    exit 22
++fi
++
++while [ -n "$1" ] ; do
++    dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 "$1")"
++    echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
++    shift
++done
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4a1ef14..2be01a5 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -46,13 +46,13 @@ mp.S	: mp.pl
+ 	./mp.pl mp.S
+ 
+ if ICA_FIPS
++FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
+ hmac-file-lnk: hmac-file
+ 	$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ 	$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+ 
+ hmac-file: libica.la libica-cex.la
+-	$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
+-	$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
++	$(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
+ 
+ hmac_files = hmac-file hmac-file-lnk
+ 
+-- 
+2.31.1
+

libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch

@@ -1,160 +0,0 @@
-From 23a647aab7b44442b63345bdf70da0696b7fcd5a Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Fri, 21 Aug 2020 15:29:49 +0200
-Subject: [PATCH] FIPS: add SHA3 KATs to fips_powerup_tests
-
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
----
- src/fips.c             | 26 ++++++++++++++++++-
- src/include/test_vec.h | 13 ++++++++++
- src/test_vec.c         | 59 ++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 97 insertions(+), 1 deletion(-)
-
-diff --git a/src/fips.c b/src/fips.c
-index 2bf11f5..13a550b 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -95,6 +95,29 @@ SHA_KAT(384, 512);
- SHA_KAT(512, 512);
- #undef SHA_KAT
- 
-+#define SHA3_KAT(_sha_, _ctx_)						\
-+static int sha3_##_sha_##_kat(void) {					\
-+	sha3_##_ctx_##_context_t ctx;					\
-+	size_t i;							\
-+	unsigned char out[SHA3_##_sha_##_HASH_LENGTH];			\
-+	for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) {			\
-+		if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY,			\
-+		    SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg,	\
-+		    &ctx, out) || memcmp(SHA3_##_sha_##_TV[i].md, out,	\
-+		    SHA3_##_sha_##_HASH_LENGTH)) {			\
-+			syslog(LOG_ERR, "Libica SHA-3%d test failed.",	\
-+			    _sha_);					\
-+			return 1;					\
-+		}							\
-+	}								\
-+	return 0;							\
-+}
-+SHA3_KAT(224, 224);
-+SHA3_KAT(256, 256);
-+SHA3_KAT(384, 384);
-+SHA3_KAT(512, 512);
-+#undef SHA3_KAT
-+
- void
- fips_init(void)
- {
-@@ -328,7 +351,8 @@ fips_powerup_tests(void)
- 	/* Cryptographic algorithm test. */
- 	if (ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512)
- 	    || sha1_kat() || sha224_kat() || sha256_kat() || sha384_kat()
--	    || sha512_kat() || des3_ecb_kat() || des3_cbc_kat()
-+	    || sha512_kat() || sha3_224_kat() || sha3_256_kat() || sha3_384_kat()
-+	    || sha3_512_kat() || des3_ecb_kat() || des3_cbc_kat()
- 	    || des3_cbc_cs_kat() || des3_cfb_kat() || des3_ofb_kat()
- 	    || des3_ctr_kat() || des3_cmac_kat() || aes_ecb_kat()
- 	    || aes_cbc_kat() || aes_cbc_cs_kat() || aes_cfb_kat()
-diff --git a/src/include/test_vec.h b/src/include/test_vec.h
-index bba6ea9..692afbc 100644
---- a/src/include/test_vec.h
-+++ b/src/include/test_vec.h
-@@ -366,6 +366,19 @@ extern const size_t SHA384_TV_LEN;
- 
- extern const struct sha_tv SHA512_TV[];
- extern const size_t SHA512_TV_LEN;
-+
-+extern const struct sha_tv SHA3_224_TV[];
-+extern const size_t SHA3_224_TV_LEN;
-+
-+extern const struct sha_tv SHA3_256_TV[];
-+extern const size_t SHA3_256_TV_LEN;
-+
-+extern const struct sha_tv SHA3_384_TV[];
-+extern const size_t SHA3_384_TV_LEN;
-+
-+extern const struct sha_tv SHA3_512_TV[];
-+extern const size_t SHA3_512_TV_LEN;
-+
- #endif /* ICA_FIPS */
- 
- #ifdef ICA_INTERNAL_TEST_EC
-diff --git a/src/test_vec.c b/src/test_vec.c
-index ab260dc..f282dbb 100644
---- a/src/test_vec.c
-+++ b/src/test_vec.c
-@@ -2449,6 +2449,61 @@ const struct sha_tv SHA512_TV[] = {
- }
- },
- };
-+
-+const struct sha_tv SHA3_224_TV[] = {
-+{
-+.msg_len = 3,
-+.msg = (unsigned char []){
-+0x61, 0x62, 0x63,
-+},
-+.md = (unsigned char []){
-+0xe6,0x42,0x82,0x4c,0x3f,0x8c,0xf2,0x4a,0xd0,0x92,0x34,0xee,0x7d,0x3c,0x76,0x6f,
-+0xc9,0xa3,0xa5,0x16,0x8d,0x0c,0x94,0xad,0x73,0xb4,0x6f,0xdf,
-+}
-+},
-+};
-+
-+const struct sha_tv SHA3_256_TV[] = {
-+{
-+.msg_len = 3,
-+.msg = (unsigned char []){
-+0x61, 0x62, 0x63,
-+},
-+.md = (unsigned char []){
-+0x3A,0x98,0x5D,0xA7,0x4F,0xE2,0x25,0xB2,0x04,0x5C,0x17,0x2D,0x6B,0xD3,0x90,0xBD,
-+0x85,0x5F,0x08,0x6E,0x3E,0x9D,0x52,0x5B,0x46,0xBF,0xE2,0x45,0x11,0x43,0x15,0x32,
-+}
-+},
-+};
-+
-+const struct sha_tv SHA3_384_TV[] = {
-+{
-+.msg_len = 3,
-+.msg = (unsigned char []){
-+0x61, 0x62, 0x63,
-+},
-+.md = (unsigned char []){
-+0xEC,0x01,0x49,0x82,0x88,0x51,0x6F,0xC9,0x26,0x45,0x9F,0x58,0xE2,0xC6,0xAD,0x8D,
-+0xF9,0xB4,0x73,0xCB,0x0F,0xC0,0x8C,0x25,0x96,0xDA,0x7C,0xF0,0xE4,0x9B,0xE4,0xB2,
-+0x98,0xD8,0x8C,0xEA,0x92,0x7A,0xC7,0xF5,0x39,0xF1,0xED,0xF2,0x28,0x37,0x6D,0x25,
-+}
-+},
-+};
-+
-+const struct sha_tv SHA3_512_TV[] = {
-+{
-+.msg_len = 3,
-+.msg = (unsigned char []){
-+0x61, 0x62, 0x63,
-+},
-+.md = (unsigned char []){
-+0xB7,0x51,0x85,0x0B,0x1A,0x57,0x16,0x8A,0x56,0x93,0xCD,0x92,0x4B,0x6B,0x09,0x6E,
-+0x08,0xF6,0x21,0x82,0x74,0x44,0xF7,0x0D,0x88,0x4F,0x5D,0x02,0x40,0xD2,0x71,0x2E,
-+0x10,0xE1,0x16,0xE9,0x19,0x2A,0xF3,0xC9,0x1A,0x7E,0xC5,0x76,0x47,0xE3,0x93,0x40,
-+0x57,0x34,0x0B,0x4C,0xF4,0x08,0xD5,0xA5,0x65,0x92,0xF8,0x27,0x4E,0xEC,0x53,0xF0,
-+}
-+},
-+};
- #endif /* ICA_FIPS */
- 
- #ifdef ICA_INTERNAL_TEST_EC
-@@ -5759,6 +5814,10 @@ const size_t SHA224_TV_LEN = sizeof(SHA224_TV) / sizeof(SHA224_TV[0]);
- const size_t SHA256_TV_LEN = sizeof(SHA256_TV) / sizeof(SHA256_TV[0]);
- const size_t SHA384_TV_LEN = sizeof(SHA384_TV) / sizeof(SHA384_TV[0]);
- const size_t SHA512_TV_LEN = sizeof(SHA512_TV) / sizeof(SHA512_TV[0]);
-+const size_t SHA3_224_TV_LEN = sizeof(SHA3_224_TV) / sizeof(SHA3_224_TV[0]);
-+const size_t SHA3_256_TV_LEN = sizeof(SHA3_256_TV) / sizeof(SHA3_256_TV[0]);
-+const size_t SHA3_384_TV_LEN = sizeof(SHA3_384_TV) / sizeof(SHA3_384_TV[0]);
-+const size_t SHA3_512_TV_LEN = sizeof(SHA3_512_TV) / sizeof(SHA3_512_TV[0]);
- #endif /* ICA_FIPS */
- #ifdef ICA_INTERNAL_TEST_EC
- const size_t ECDSA_TV_LEN = sizeof(ECDSA_TV) / sizeof(ECDSA_TV[0]);
--- 
-2.26.2
-

libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch

@@ -1,31 +0,0 @@
-From 8acba8fc09a91831172658c9c0810aa45ab39245 Mon Sep 17 00:00:00 2001
-From: Michal Suchanek <msuchanek@suse.de>
-Date: Tue, 1 Sep 2020 10:03:38 +0200
-Subject: [PATCH] FIPS: fix inconsistent error handling.
-
-when the HMAC file is not present/readable it is also an error.
-
-Signed-off-by: Michal Suchanek <msuchanek@suse.de>
----
- src/fips.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/src/fips.c b/src/fips.c
-index c0055b719bff..71a417e8de40 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -295,10 +295,8 @@ static int FIPSCHECK_verify(const char *path)
- 		return 0;
- 
- 	fp = fopen(hmacpath, "r");
--	if (fp == NULL) {
--		rc = 1;
-+	if (fp == NULL)
- 		goto end;
--	}
- 
- 	if (getline(&known_hmac_str, &n, fp) <= 0)
- 		goto end;
--- 
-2.28.0
-

libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch

@@ -1,44 +0,0 @@
-From 54c1a5341c9a5cb5513e52548ab0490f8dafbff6 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Thu, 27 Aug 2020 17:08:29 +0200
-Subject: [PATCH] FIPS: skip SHA3 tests if running on hardware without SHA3
-
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
----
- src/fips.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/src/fips.c b/src/fips.c
-index 13a550b..facffee 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -95,11 +95,26 @@ SHA_KAT(384, 512);
- SHA_KAT(512, 512);
- #undef SHA_KAT
- 
-+static inline int sha3_available(void)
-+{
-+	sha3_224_context_t sha3_224_context;
-+	unsigned char output_hash[SHA3_224_HASH_LENGTH];
-+	unsigned char test_data[] = { 0x61,0x62,0x63 };
-+	int rc = 0;
-+
-+	rc = ica_sha3_224(SHA_MSG_PART_ONLY, sizeof(test_data), test_data,
-+			&sha3_224_context, output_hash);
-+
-+	return (rc == ENODEV ? 0 : 1);
-+}
-+
- #define SHA3_KAT(_sha_, _ctx_)						\
- static int sha3_##_sha_##_kat(void) {					\
- 	sha3_##_ctx_##_context_t ctx;					\
- 	size_t i;							\
- 	unsigned char out[SHA3_##_sha_##_HASH_LENGTH];			\
-+	if (!sha3_available()) 						\
-+		return 0; 						\
- 	for (i = 0; i < SHA3_##_sha_##_TV_LEN; i++) {			\
- 		if (ica_sha3_##_sha_(SHA_MSG_PART_ONLY,			\
- 		    SHA3_##_sha_##_TV[i].msg_len, SHA3_##_sha_##_TV[i].msg,	\
--- 
-2.26.2
-

libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch

@@ -1,38 +0,0 @@
-From 71a04ed492f6cb9dd2de91ff28d0327d17fe702a Mon Sep 17 00:00:00 2001
-From: Michal Suchanek <msuchanek@suse.de>
-Date: Fri, 28 Aug 2020 14:08:53 +0200
-Subject: [PATCH] FIPS: use full library version for hmac filename.
-
-Fixes: 231bba3b32bd ("FIPS: introduce HMAC based library integrity check")
-Fixes: f9f148487fad ("fix library filename for FIPS integrity check")
-
-Signed-off-by: Michal Suchanek <msuchanek@suse.de>
----
- src/fips.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/fips.c b/src/fips.c
-index facffee..c0055b7 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -42,7 +42,7 @@
-  * The hard-coded HMAC key to be optionally provided for the library
-  * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
-  * The known HMAC is supposed to be provided as hex string in a file
-- * libica.so.MAJOR.hmac in the same directory as the .so module.
-+ * .libica.so.VERSION.hmac in the same directory as the .so module.
-  */
- static const char hmackey[] =
- 	"0000000000000000000000000000000000000000000000000000000000000000"
-@@ -344,7 +344,7 @@ static void fips_lib_integrity_check(void)
- {
- 	int rc;
- 	char path[PATH_MAX];
--	const char *libname = "libica.so";
-+	const char *libname = "libica.so." VERSION;
- 	const char *symbolname = "ica_sha256";
- 
- 	rc = get_library_path(libname, symbolname, path, sizeof(path));
--- 
-2.26.2
-

libica-sles15sp2-Zeroize-local-variables.patch

@@ -1,99 +0,0 @@
-From 47a98c0f37af62783d59699b5e10830385817ec2 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Fri, 21 Aug 2020 11:29:11 +0200
-Subject: [PATCH] Zeroize local variables
-
-Some internal variables used to store sensitive information (keys)
-were not zeroized before returning to the calling application.
-
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
----
- src/ica_api.c          | 8 ++++++++
- src/include/s390_aes.h | 4 ++++
- src/include/s390_des.h | 8 ++++++++
- 3 files changed, 20 insertions(+)
-
-diff --git a/src/ica_api.c b/src/ica_api.c
-index eb6b154..5bdf24e 100644
---- a/src/ica_api.c
-+++ b/src/ica_api.c
-@@ -1034,6 +1034,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
- 	if (rc == 0)
- 		stats_increment(ICA_STATS_RSA_ME, hardware, ENCRYPT);
- 
-+	OPENSSL_cleanse(&rb, sizeof(rb));
-+
- 	return rc;
- }
- 
-@@ -1089,6 +1091,10 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
- 
- 		free(tmp_buf);
- 
-+		BN_clear_free(bn_p);
-+		BN_clear_free(bn_q);
-+		BN_clear_free(bn_invq);
-+
- 		return 1;
- 	}
- 	return 0;
-@@ -1147,6 +1153,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
- 	if (rc == 0)
- 		stats_increment(ICA_STATS_RSA_CRT, hardware, ENCRYPT);
- 
-+	OPENSSL_cleanse(&rb, sizeof(rb));
-+
- 	return rc;
- }
- 
-diff --git a/src/include/s390_aes.h b/src/include/s390_aes.h
-index 2e2f325..4a02a4c 100644
---- a/src/include/s390_aes.h
-+++ b/src/include/s390_aes.h
-@@ -327,6 +327,8 @@ static inline int s390_aes_ecb_sw(unsigned int function_code,
- 				&aes_key, direction);
- 	}
- 
-+	OPENSSL_cleanse(&aes_key, sizeof(aes_key));
-+
- 	return 0;
- }
- 
-@@ -388,6 +390,8 @@ static inline int s390_aes_cbc_sw(unsigned int function_code,
- 	AES_cbc_encrypt(input_data, output_data, input_length,
- 			&aes_key, (unsigned char *) iv, direction);
- 
-+	OPENSSL_cleanse(&aes_key, sizeof(aes_key));
-+
- 	return 0;
- }
- 
-diff --git a/src/include/s390_des.h b/src/include/s390_des.h
-index 811de4d..81d8ed0 100644
---- a/src/include/s390_des.h
-+++ b/src/include/s390_des.h
-@@ -112,6 +112,10 @@ static inline int s390_des_ecb_sw(unsigned int function_code, unsigned long inpu
- 		break;
- 	}
- 
-+	OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
-+	OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
-+	OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
-+
- 	return 0;
- }
- 
-@@ -193,6 +197,10 @@ static inline int s390_des_cbc_sw(unsigned int function_code,
- 		break;
- 	};
- 
-+	OPENSSL_cleanse(&key_schedule1, sizeof(key_schedule1));
-+	OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule2));
-+	OPENSSL_cleanse(&key_schedule2, sizeof(key_schedule3));
-+
- 	return 0;
- }
- 
--- 
-2.26.2
-

libica.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jun  7 18:29:04 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
+
+- Update to version 3.8.0 (jsc#SLE-18334)
+  - [FEATURE] provide libica-cex module to satisfy special security requirements
+  - [FEATURE] FIPS: enforce the HMAC check
+- Remove upstreamed patches:
+   - libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
+   - libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
+   - libica-sles15sp2-Zeroize-local-variables.patch
+- Remove patches obsoleted by upstrea developent:
+   * FIPS: Find libica from phdrs.
+     - libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
+   * FIPS: enforce the hmac check
+     - libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+- Fix up tests and hmac generation
+   + libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+- Remove obsolete attributes from filelists
+
 -------------------------------------------------------------------
 Fri Sep 18 20:59:39 UTC 2020 - Mark Post <mpost@suse.com>
 

libica.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libica
 #
-# Copyright (c) 2018-2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %endif
 
 Name:           libica
-Version:        3.7.0
+Version:        3.8.0
 Release:        0
 Summary:        Library interface for the IBM Cryptographic Accelerator device driver
 License:        CPL-1.0
@@ -37,11 +37,7 @@ Source4:        z90crypt
 Source5:        z90crypt.service
 Source6:        baselibs.conf
 Source7:        %{name}-rpmlintrc
-Patch01:        libica-sles15sp2-Zeroize-local-variables.patch
-Patch02:        libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
-Patch03:        libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
-Patch04:        libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
-Patch05:        libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
+Patch01:        libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
 Patch99:        libica-sles15sp2-FIPS-hmac-key.patch
 
 BuildRequires:  autoconf
@@ -123,14 +119,14 @@ autoreconf --force --install
 %configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
   --enable-fips
 %make_build clean
-%make_build
+%make_build FIPSHMAC=fipshmac
 
 %define major %(echo %{version} | sed -e 's/[.].*//')
 
-%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{major} }}
+%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.%{version} }}
 
 %install
-%make_install
+%make_install FIPSHMAC=fipshmac
 mkdir -p %{buildroot}%{_includedir}
 cp -p include/ica_api.h %{buildroot}%{_includedir}
 mkdir -p %{buildroot}%{_sbindir}
@@ -138,17 +134,18 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcz90crypt
 install -D %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.z90crypt
 install -D %{SOURCE4} %{buildroot}%{_prefix}/lib/systemd/scripts/z90crypt
 install -D -m 644 %{SOURCE5} %{buildroot}%{_prefix}/lib/systemd/system/z90crypt.service
+# It is installed 444 and then the __os_install_post cannot update it once the debuginfo is stripped
+# We need it early because there is %{buildroot}/%{_libdir}/.*.so.%{major}.hmac symlink pointing at it
+# and the dangling symlink test would fail
+chmod 644 %{buildroot}/%{_libdir}/.*.so.%{version}.hmac
 
 cp -a %{SOURCE2} .
-rm -f %{buildroot}%{_libdir}/libica.la
+rm -vf %{buildroot}%{_libdir}/lib*.la
 rm -f %{buildroot}%{_datadir}/doc/libica/*
 rmdir %{buildroot}%{_datadir}/doc/libica
 
 %check
-echo Tests should fail without a hash file
-! %make_build check
-fipshmac src/.libs/libica.so.%{major}
-%make_build check
+%make_build check FIPSHMAC=fipshmac
 
 %pre tools
 %service_add_pre z90crypt.service
@@ -167,19 +164,25 @@ fipshmac src/.libs/libica.so.%{major}
 %postun -n libica3 -p /sbin/ldconfig
 
 %files -n libica3
-%defattr(-,root,root)
 %{_libdir}/libica.so.%{version}
 %{_libdir}/libica.so.%{major}
+%{_libdir}/.libica.so.%{version}.hmac
 %{_libdir}/.libica.so.%{major}.hmac
+%{_libdir}/libica-cex.so.%{version}
+%{_libdir}/libica-cex.so.%{major}
+%{_libdir}/.libica-cex.so.%{version}.hmac
+%{_libdir}/.libica-cex.so.%{major}.hmac
 
 %files tools
 %license LICENSE
 %doc README.SUSE
 %{_sbindir}/rcz90crypt
-%attr(0644,root,root) %{_fillupdir}/sysconfig.z90crypt
+%{_fillupdir}/sysconfig.z90crypt
 %{_bindir}/icainfo
+%{_bindir}/icainfo-cex
 %{_bindir}/icastats
 %{_mandir}/man1/icainfo.1%{?ext_man}
+%{_mandir}/man1/icainfo-cex.1%{?ext_man}
 %{_mandir}/man1/icastats.1%{?ext_man}
 %dir %{_prefix}/lib/systemd/scripts
 %{_prefix}/lib/systemd/scripts/z90crypt
@@ -188,9 +191,11 @@ fipshmac src/.libs/libica.so.%{major}
 %{_libdir}/libica.so
 
 %files devel
-%attr(0644,root,root) %{_includedir}/ica_api.h
+%{_includedir}/ica_api.h
+%{_libdir}/libica-cex.so
 
 %files devel-static
-%attr(0644,root,root) %{_libdir}/libica.a
+%{_libdir}/libica.a
+%{_libdir}/libica-cex.a
 
 %changelog