Sync changes to SLFO-1.2 branch

2025-08-20 09:38:22 +02:00
5 changed files with 62 additions and 56 deletions
--- a/libica-4.4.0.tar.gz
+++ b/libica-4.4.0.tar.gz
--- a/libica-4.4.1.tar.gz
+++ b/libica-4.4.1.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:edc755494797331427c5f7900c7eecd8b5ecd3e69b7502313bf764f490b8e87a
-size 579706
--- a/libica-fips-update-Fix-bug-in-condition-logic.patch
+++ b/libica-fips-update-Fix-bug-in-condition-logic.patch
@@ -0,0 +1,30 @@
+From ff35d0226e72251ae495913aeb758bd141a3db19 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 18 Dec 2024 17:09:33 +0100
+Subject: [PATCH] Fix bug in condition logic
+
+This bug causes an incorrect indication of the availability of algos
+in fips mode.
+
+Fixes: https://github.com/opencryptoki/libica/commit/a9288f578b402851d41da579a78e3cbd9d1bab98
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/s390_crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/s390_crypto.c b/src/s390_crypto.c
+index 58e082a..e05c7e7 100644
+--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
+@@ -709,8 +709,8 @@ int s390_get_functionlist(libica_func_list_element *pmech_list,
+ 	 *   approved.
+ 	 * - We are in an error state.
+ 	 * */
+-	if (((fips & ICA_FIPS_MODE) && !fips_approved(pmech_list[x].mech_mode_id &&
+-		!fips_override(pmech_list[x].mech_mode_id)))
+	if (((fips & ICA_FIPS_MODE) && !fips_approved(pmech_list[x].mech_mode_id) &&
+		!fips_override(pmech_list[x].mech_mode_id))
+ 	    || fips >> 1) {
+ 		pmech_list[x].flags = 0;
+ 		pmech_list[x].property = 0;
--- a/libica.changes
+++ b/libica.changes
@@ -1,37 +1,29 @@
 -------------------------------------------------------------------
-Wed Jul 30 06:53:05 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Fri Aug  1 05:18:15 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

 - Applied a patch (bsc#1247287)
  * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
- Added '--with-fips-config=fips_local.cnf' in "%configure" 
+- Added '--with-fips-config=fips_local.cnf' in "%configure"

 -------------------------------------------------------------------
-Mon Jul 28 10:40:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Mon Jul 28 10:21:12 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

- Amended the .spec file (bsc#1246541)
+- Amended the .spec file (bsc#1246541) 
  * Added a flag '-DNO_FIPS_CONFIG_LOAD' to CPPFLAGS and CFLAGS
-  * Do not ship the config file '/etc/libica/openssl3-fips.cnf'
+  * Do not ship the config file '/etc/libica/openssl3-fips.cnf' 

 -------------------------------------------------------------------
-Fri May 30 09:40:05 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Fri Feb  7 07:09:25 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

- Upgrade libica to version 4.4.1
-  * Bug fixes 
- Removed obsolete patch
+- Applied a patch (jsc#PED-10289, jsc#PED-3277)
  * libica-fips-update-Fix-bug-in-condition-logic.patch

 -------------------------------------------------------------------
-Fri Feb  7 06:58:32 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
-
- Applied a patch (jsc#PED-10289, jsc#PED-3277) 
-  * libica-fips-update-Fix-bug-in-condition-logic.patch
-
-------------------------------------------------------------------
-Tue Dec 31 10:44:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Tue Dec 31 11:06:05 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

 - Upgrade libica to version 4.4.0 (jsc#PED-3277, jsc#PED-10289)
  * Updates for FIPS 140-3 certification 2024
-  * Various bug fixes and housekeeping 
+  * Various bug fixes and housekeeping
 - Removed obsolete patches
  * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
  * libica-02-fips-update-Change-service-indicator-implementation.patch
@@ -39,13 +31,14 @@ Tue Dec 31 10:44:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

 -------------------------------------------------------------------
-Wed Dec  4 07:05:18 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Wed Dec  4 07:12:38 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

 - Amended the .spec file (bsc#1234117, bsc#1231999)
+  * moved .so symlink to main libica4 / libica4-openssl1 packages
  * downgraded libica tools requires down to recommends again

 -------------------------------------------------------------------
-Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Fri Nov 15 13:08:21 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

 - Applied updated patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
  * libica-02-fips-update-Change-service-indicator-implementation.patch
@@ -53,43 +46,25 @@ Wed Nov 13 08:57:23 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

 -------------------------------------------------------------------
-Tue Nov  5 12:07:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Wed Nov  6 13:40:24 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
-  * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
-  * libica-02-fips-update-Change-service-indicator-implementation.patch
+- Applied additional patches (bsc#1231302)
+  * libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch
+  * libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

 -------------------------------------------------------------------
-Tue Oct 29 06:22:04 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Tue Nov  5 11:51:31 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

 - Upgrade libica to version 4.3.1 (jsc#PED-9560, jsc#PED-10289, jsc#PED-3276)
  *  Various bug fixes and housekeeping
- Removed obsolete patches
-  * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
-  * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
-  * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
-
-------------------------------------------------------------------
-Wed Oct 23 09:05:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
-
- Amended the .spec file (bsc#1231999)
-  * Replaced Recommends libica-tools with Requires
-
-------------------------------------------------------------------
-Wed Jul  3 10:51:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
-
- Applied patches
-  * libica-4.3.0-01-disable-CEX-usage-in-OpenSSL-for-all-tests.patch
-  * libica-4.3.0-02-correct-rc-handling-with-s390_pcc-function.patch
-  * libica-4.3.0-03-Use-__asm__-instead-of-asm.patch
- Amended the .spec file to enable FIPS
-
-------------------------------------------------------------------
-Mon Jan 29 07:52:34 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
-
- Upgrade libica to version 2.3.0 (jsc#PED-5446)
+  *** libica version 4.3.0
  * New API function ica_allow_external_gcm_iv_in_fips_mode
  * Bug fixes
+- Amended the .spec file (bsc#1231999)
+  * Replaced Recommends libica-tools with Requires
+- Applied patches (bsc#1231302, bsc#1231303, bsc#1231304, bsc#1231305)
+  * libica-01-fips-update-remove-sigVer-from-fips-ECDSA-kat.patch
+  * libica-02-fips-update-Change-service-indicator-implementation.patch

 -------------------------------------------------------------------
 Fri Oct  6 07:08:03 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
--- a/libica.spec
+++ b/libica.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libica
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %endif

 Name:           libica
-Version:        4.4.1
+Version:        4.4.0
 Release:        0
 Summary:        Library interface for the IBM Cryptographic Accelerator device driver
 License:        CPL-1.0
@@ -37,6 +37,7 @@ Source5:        %{name}-rpmlintrc
 ###
 Patch01:        libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
 Patch02:        libica-sles15sp5-FIPS-hmac-key.patch
+Patch03:        libica-fips-update-Fix-bug-in-condition-logic.patch
 ###
 Patch10:        libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
 ###
@@ -120,7 +121,7 @@ the libica library.
 %build
 autoreconf --force --install
 %configure CPPFLAGS="-Iinclude -fPIC -DNO_FIPS_CONFIG_LOAD" CFLAGS="%{optflags} -fPIC -DNO_FIPS_CONFIG_LOAD" \
-  --enable-fips --with-fips-config=fips_local.cnf
+  --enable-fips  --with-fips-config=fips_local.cnf

 %make_build clean
 %make_build FIPSHMAC=fipshmac BUILD_VERSION="FIPS-SUSE-%version-%release"
@@ -174,6 +175,8 @@ rmdir %{buildroot}%{_datadir}/doc/libica
 %files -n libica4
 %{_libdir}/libica.so.%{version}
 %{_libdir}/libica.so.%{major}
+# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
+%{_libdir}/libica.so
 %{_libdir}/.libica.so.%{version}.hmac
 %{_libdir}/.libica.so.%{major}.hmac
 %{_libdir}/libica-cex.so.%{version}
@@ -199,8 +202,6 @@ rmdir %{buildroot}%{_datadir}/doc/libica
 %dir %{_prefix}/lib/systemd/scripts
 %{_prefix}/lib/systemd/scripts/z90crypt
 %{_prefix}/lib/systemd/system/z90crypt.service
-# Must be in here, otherwise openssl-ibmca does not find it via DSO_load() bsc#952871
-%{_libdir}/libica.so

 %files devel
 %{_includedir}/ica_api.h