Accepting request 801383 from home:markkp:branches:devel:openSUSE:Factory

- Added the following patches for FIPS certification (bsc#1162533)
  * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
  * libica-sles15sp2-FIPS-hmac-key.patch
- Added a BuildRequires for the fipscheck package.
- Made a couple of changes to the spec file based upon recommendations
  by spec-cleaner.
- Added the following patches for FIPS certification.
  * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
    (bsc#1166071) Although a DES key has only 56 effective bits,
     all 64 bits must be considered, because the parity bits are
     spread over all 8 bytes of the key.
  * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
    (bsc#1166210) FIPS tests require the output iv to be the iv
    resulting from decrypting the last block with a zero iv as input.
  * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
    (bsc#1166224) The output from icainfo never shows 'yes' for
    RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
    due to the missing ICA_FLAG_SW flag in the icaList.

OBS-URL: https://build.opensuse.org/request/show/801383
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/libica?expand=0&rev=42

libica-sles15sp2-FIPS-hmac-key.patch

@@ -0,0 +1,12 @@
+--- libica-3.6.0/src/fips.c	2020-05-04 17:01:23.238805001 -0400
++++ libica-3.6.0/src/fips.c	2020-05-04 16:58:51.352241763 -0400
+@@ -45,8 +45,7 @@
+  * libica.so.MAJOR.hmac in the same directory as the .so module.
+  */
+ static const char hmackey[] =
+-	"0000000000000000000000000000000000000000000000000000000000000000"
+-	"0000000000000000000000000000000000000000000000000000000000000000";
++	"orboDeJITITejsirpADONivirpUkvarP";
+ 
+ int fips;
+ 

libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch

@@ -0,0 +1,354 @@
+From 231bba3b32bd246d8286f1c7dc231d836ea92bd9 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Mon, 27 Apr 2020 11:18:26 +0200
+Subject: [PATCH] FIPS: introduce HMAC based library integrity check
+
+When in FIPS mode, perform an integrity check on libica.so by calculating
+an HMAC from the file contents using a static HMAC key, and comparing it
+to a pre-calculated HMAC in a separate file. The HMAC key and HMAC file
+may be provided by a Distributor when building the packet. The test
+succeeds if the HMAC file is not present.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ include/ica_api.h  |   2 +-
+ src/Makefile.am    |   4 +-
+ src/fips.c         | 224 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ src/include/fips.h |   4 +-
+ test/fips_test.c   |   4 +
+ 5 files changed, 232 insertions(+), 6 deletions(-)
+
+diff --git a/include/ica_api.h b/include/ica_api.h
+index 91bf0be..8221f55 100644
+--- a/include/ica_api.h
++++ b/include/ica_api.h
+@@ -216,7 +216,7 @@ typedef ica_adapter_handle_t ICA_ADAPTER_HANDLE;
+  */
+ /* Cryptographic algorithm test (KAT or pair-wise consistency test) */
+ #define ICA_FIPS_CRYPTOALG	2
+-/* Software/Firmware integrity test (not implemented yet) */
++/* Software/Firmware integrity test */
+ #define ICA_FIPS_INTEGRITY	4
+ /* Critical functions test (N/A) */
+ #define ICA_FIPS_CRITICALFUNC	8
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 65f471f..9e4ef52 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -9,7 +9,7 @@
+ libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
+ 		   -fvisibility=hidden
+ libica_la_CCASFLAGS = ${AM_CFLAGS}
+-libica_la_LIBADD = @LIBS@ -lrt -lcrypto
++libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl
+ libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
+ 		    -version-number ${VERSION}
+ libica_la_SOURCES = ica_api.c init.c icastats_shared.c s390_rsa.c \
+@@ -53,7 +53,7 @@
+ 					 -DICA_INTERNAL_TEST \
+ 					 -DICA_INTERNAL_TEST_EC
+ internal_tests_ec_internal_test_CCASFLAGS = ${AM_CFLAGS}
+-internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread
++internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread -ldl
+ internal_tests_ec_internal_test_SOURCES = \
+ 		    ica_api.c init.c icastats_shared.c s390_rsa.c \
+ 		    s390_crypto.c s390_ecc.c s390_prng.c s390_sha.c \
+diff --git a/src/fips.c b/src/fips.c
+index d09a553..bab00db 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -13,11 +13,13 @@
+ 
+ #include <errno.h>
+ #include <openssl/crypto.h>
++#include <openssl/evp.h>
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <syslog.h>
++#include <dlfcn.h>
+ 
+ #include <openssl/opensslconf.h>
+ #ifdef OPENSSL_FIPS
+@@ -28,6 +30,24 @@
+ #include "ica_api.h"
+ #include "test_vec.h"
+ 
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
++#define HMAC_PREFIX "."
++#define HMAC_SUFFIX ".hmac"
++#define READ_BUFFER_LENGTH 16384
++
++/*
++ * The hard-coded HMAC key to be optionally provided for the library
++ * integrity test. The recommended key size for HMAC-SHA256 is 64 bytes.
++ * The known HMAC is supposed to be provided as hex string in a file
++ * libica.so.MAJOR.hmac in the same directory as the .so module.
++ */
++static const char hmackey[] =
++	"0000000000000000000000000000000000000000000000000000000000000000"
++	"0000000000000000000000000000000000000000000000000000000000000000";
++
+ int fips;
+ 
+ static int aes_ecb_kat(void);
+@@ -101,6 +121,206 @@ fips_init(void)
+ 		FIPS_mode_set(1);
+ 	}
+ }
++static int get_library_path(const char *libname, const char *symbolname,
++							char *path, size_t pathlen)
++{
++	Dl_info info;
++	void *dl, *sym;
++	int rc = -1;
++
++	dl = dlopen(libname, RTLD_LAZY);
++	if (dl == NULL)
++		goto done;
++
++	sym = dlsym(dl, symbolname);
++	if (sym != NULL && dladdr(sym, &info)) {
++		if (strlen(info.dli_fname) < pathlen)
++			strcpy(path, info.dli_fname);
++		else
++			goto done;
++	}
++
++	rc = 0;
++
++done:
++	if (dl != NULL)
++		dlclose(dl);
++
++	return rc;
++}
++
++static char *make_hmac_path(const char *origpath)
++{
++	char *path;
++	const char *fn;
++
++	path = calloc(1,sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath) + 1);
++	if (path == NULL)
++		return NULL;
++
++	fn = strrchr(origpath, '/');
++	if (fn == NULL) {
++		fn = origpath;
++	} else {
++		++fn;
++	}
++
++	strncpy(path, origpath, fn - origpath);
++	strcat(path, HMAC_PREFIX);
++	strcat(path, fn);
++	strcat(path, HMAC_SUFFIX);
++
++	return path;
++}
++
++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++	FILE *fp = NULL;
++	int rc = -1;
++	unsigned char rbuf[READ_BUFFER_LENGTH];
++	unsigned char *keybuf;
++	EVP_MD_CTX *mdctx = NULL;
++	EVP_PKEY *pkey = NULL;
++	size_t hlen, len;
++	long keylen;
++
++	keybuf = OPENSSL_hexstr2buf(hmackey, &keylen);
++	pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, keybuf, (int)keylen);
++	if (!pkey)
++		goto end;
++
++	mdctx = EVP_MD_CTX_create();
++	if (!mdctx)
++		goto end;
++
++	fp = fopen(path, "r");
++	if (fp == NULL)
++		goto end;
++
++	if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey) <= 0)
++		goto end;
++
++	while ((len = fread(rbuf, 1, sizeof(rbuf), fp)) != 0) {
++		if (EVP_DigestSignUpdate(mdctx, rbuf, len) <= 0) {
++			goto end;
++		}
++	}
++
++	if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0)
++		goto end;
++
++	*buf = malloc(hlen);
++	if (*buf == NULL)
++		goto end;
++
++	*hmaclen = hlen;
++
++	memcpy(*buf, rbuf, hlen);
++
++	rc = 0;
++
++end:
++
++	if (pkey != NULL)
++		EVP_PKEY_free(pkey);
++
++	free(keybuf);
++	EVP_MD_CTX_destroy(mdctx);
++	if (fp)
++		fclose(fp);
++
++	return rc;
++}
++
++/**
++ * Performs the FIPS check.
++ *
++ * @return  1 if check succeeded
++ *          0 otherwise
++ */
++static int FIPSCHECK_verify(const char *path)
++{
++	int rc = 0;
++	FILE *fp;
++	unsigned char *hmac_buf = NULL;
++	long hmaclen;
++	char *hmacpath, *p;
++	char *hmac_str = NULL;
++	size_t n, buflen;
++	void *buf = NULL;
++
++	hmacpath = make_hmac_path(path);
++	if (hmacpath == NULL)
++		return 0;
++
++	fp = fopen(hmacpath, "r");
++	if (fp == NULL) {
++		rc = 1;
++		goto end;
++	}
++
++	if (getline(&hmac_str, &n, fp) <= 0)
++		goto end;
++
++	if ((p = strchr(hmac_str, '\n')) != NULL)
++		*p = '\0';
++
++	hmac_buf = OPENSSL_hexstr2buf(hmac_str, &hmaclen);
++
++	if (compute_file_hmac(path, &buf, &buflen) != 0)
++		goto end;
++
++	if (memcmp(buf, hmac_buf, hmaclen) != 0)
++		goto end;
++
++	rc = 1;
++
++end:
++
++	free(buf);
++	free(hmac_str);
++	free(hmacpath);
++
++	OPENSSL_free(hmac_buf);
++
++	if (fp)
++		fclose(fp);
++
++	return rc;
++}
++
++static const char msg1[] = "Libica FIPS library integrity check failed. Cannot determine library path.\n";
++static const char msg2[] = "Libica FIPS library integrity check failed. Module %s probably corrupted.\n";
++static const char msg3[] = "Libica FIPS library integrity check passed.\n";
++
++/*
++ * Perform an integrity check on libica.so by calculating an HMAC from
++ * the file contents using a static HMAC key, and comparing it to a
++ * pre-calculated HMAC in a separate file. The HMAC key and HMAC file
++ * may be provided by a Distributor when building the packet.
++ */
++static void fips_lib_integrity_check(void)
++{
++	int rc;
++	char path[PATH_MAX];
++	const char *libname = "libica.so";
++	const char *symbolname = "ica_sha256";
++
++	rc = get_library_path(libname, symbolname, path, sizeof(path));
++	if (rc != 0) {
++		syslog(LOG_ERR, msg1);
++		fips |= ICA_FIPS_INTEGRITY;
++		return;
++	}
++
++	if (!FIPSCHECK_verify(path)) {
++		syslog(LOG_ERR, msg2, path);
++		fips |= ICA_FIPS_INTEGRITY;
++		return;
++	}
++
++	syslog(LOG_INFO, msg3);
++}
+ 
+ void
+ fips_powerup_tests(void)
+@@ -117,6 +337,9 @@ fips_powerup_tests(void)
+ 		fips |= ICA_FIPS_CRYPTOALG;
+ 		return;
+ 	}
++
++	/* Library integrity test */
++	fips_lib_integrity_check();
+ }
+ 
+ static int
+@@ -933,5 +1156,4 @@ _err_:
+ 	syslog(LOG_ERR, "Libica RSA test failed.");
+ 	return 1;
+ }
+-
+ #endif /* FIPS_H */
+diff --git a/src/include/fips.h b/src/include/fips.h
+index 421be4c..0ffdef6 100644
+--- a/src/include/fips.h
++++ b/src/include/fips.h
+@@ -27,8 +27,8 @@ extern int fips;			/* module status */
+ void fips_init(void);
+ 
+ /*
+- * Powerup tests: crypto algorithm test, SW/FW integrity test (not implemented
+- * yet), critical function test (no critical functions). The tests set the
++ * Powerup tests: crypto algorithm test, SW/FW integrity test, critical
++ * function test (no critical functions). The tests set the
+  * corresponding status flags.
+  */
+ void fips_powerup_tests(void);
+diff --git a/test/fips_test.c b/test/fips_test.c
+index 06563e3..0f1940d 100644
+--- a/test/fips_test.c
++++ b/test/fips_test.c
+@@ -57,6 +57,10 @@ main(void)
+ 		printf("Libica FIPS powerup test failed.\n");
+ 		rv = EXIT_FAILURE;
+ 	}
++	if (fips & ICA_FIPS_INTEGRITY) {
++		printf("Libica FIPS integrity check failed.\n");
++		rv = EXIT_FAILURE;
++	}
+ #endif /* ICA_FIPS */
+ 
+ 	printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
+-- 
+2.16.4
+

libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch

@@ -0,0 +1,41 @@
+From b687f1514b3d371cdc44b5b3b02d5ddd9ac4eb54 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 25 Mar 2020 10:07:10 +0100
+Subject: [PATCH] FIPS: provide output iv as required by FIPS tests
+
+This fix is introduced to satisfy FIPS tests. They require the
+output iv to be the iv resulting from decrypting the last block
+with a zero iv as input. But note that this is not described
+in the NIST standard for CBC-CS. According to the standard,
+the output iv is simply undefined.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/include/s390_cbccs.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/include/s390_cbccs.h b/src/include/s390_cbccs.h
+index aa29bff..f6626dc 100644
+--- a/src/include/s390_cbccs.h
++++ b/src/include/s390_cbccs.h
+@@ -287,6 +287,17 @@ s390_aes_cbccs_dec(unsigned int fc, const unsigned char *in_data,
+ 	block_xor(out_data + tmp_data_length + AES_BLOCK_SIZE,
+ 		  tmp_in_data, tmp_out_data, rest_data_length);
+ 
++	/*
++	 * This fix was introduced to satisfy FIPS tests. They require the
++	 * output iv to be the iv resulting from decrypting the last block
++	 * with a zero iv as input, which is tmp_iv here. But note that this
++	 * is not described in the NIST standard for CBC-CS. According to the
++	 * standard, the output iv is simply undefined.
++	 */
++#ifdef ICA_FIPS
++	memcpy(iv, tmp_iv, AES_BLOCK_SIZE);
++#endif /* ICA_FIPS */
++
+ 	return 0;
+ }
+ 
+-- 
+2.16.4
+

libica-sles15sp2-Fix-DES-and-TDES-key-length.patch

@@ -0,0 +1,43 @@
+From db1ad6f64d96c6dba2be5af5a4ecd7ceb8f92cf2 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 18 Mar 2020 16:48:43 +0100
+Subject: [PATCH] Fix DES and TDES key length.
+
+Although a DES key has only 56 effective bits, all 64 bits must be
+considered, because the parity bits are spread over all 8 bytes of
+the key.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/ica_api.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/ica_api.c b/src/ica_api.c
+index b80c6e3..eb6b154 100644
+--- a/src/ica_api.c
++++ b/src/ica_api.c
+@@ -48,6 +48,8 @@
+ #define DEFAULT2_CRYPT_DEVICE "/dev/z90crypt"
+ #define DEFAULT3_CRYPT_DEVICE "/dev/zcrypt"
+ 
++#define DES_KEY_LEN64		(64/8)
++
+ #define MAX_VERSION_LENGTH 16
+ 
+ int ica_fallbacks_enabled = 1;
+@@ -125,9 +127,9 @@ static unsigned int check_des_parms(unsigned int mode,
+ 
+ #ifdef ICA_FIPS
+ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
+-	if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LENGTH)
+-	    | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LENGTH)
+-	    | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LENGTH))
++	if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
++	    | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64)
++	    | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64))
+ 		return EINVAL;
+ 
+ 	return 0;
+-- 
+2.16.4
+

libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch

@@ -0,0 +1,48 @@
+From a4a9381d1597b78374925385a6d71cf8ccb16c21 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Fri, 27 Mar 2020 15:25:33 +0100
+Subject: [PATCH] icainfo: bugfix for RSA and EC related info for software
+ column.
+
+The software column did never show 'yes' for RSA ME, RSA CRT, ECDH,
+ECDSA sign, ECDSA verify, and ECKGEN, due to the missing ICA_FLAG_SW
+flag in the icaList.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/s390_crypto.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/s390_crypto.c b/src/s390_crypto.c
+index ab7a269..8fb5662 100644
+--- a/src/s390_crypto.c
++++ b/src/s390_crypto.c
+@@ -489,10 +489,10 @@ libica_func_list_element_int icaList[] = {
+  {AES_GCM_KMA,  MSA8, AES_128_GCM_ENCRYPT,       0, 0},
+  {AES_XTS,      MSA4, AES_128_XTS_ENCRYPT,       0, 0},
+  {P_RNG,        ADAPTER, 0, ICA_FLAG_SHW | ICA_FLAG_SW, 0}, // SHW (CPACF) + SW
+- {EC_DH,        ADAPTER, 0, 0, 0},
+- {EC_DSA_SIGN,	ADAPTER, 0, 0, 0},
+- {EC_DSA_VERIFY, ADAPTER, 0, 0, 0},
+- {EC_KGEN,      ADAPTER, 0, 0, 0},
++ {EC_DH,        ADAPTER, 0, ICA_FLAG_SW, 0},
++ {EC_DSA_SIGN,	ADAPTER, 0, ICA_FLAG_SW, 0},
++ {EC_DSA_VERIFY, ADAPTER, 0, ICA_FLAG_SW, 0},
++ {EC_KGEN,      ADAPTER, 0, ICA_FLAG_SW, 0},
+  {ED25519_KEYGEN, MSA9, SCALAR_MULTIPLY_ED25519, 0, 0},
+  {ED25519_SIGN,   MSA9, EDDSA_SIGN_ED25519, 0, 0},
+  {ED25519_VERIFY, MSA9, EDDSA_VERIFY_ED25519, 0, 0},
+@@ -503,8 +503,8 @@ libica_func_list_element_int icaList[] = {
+  {X25519_DERIVE,   MSA9, SCALAR_MULTIPLY_X25519, 0, 0},
+  {X448_KEYGEN,   MSA9, SCALAR_MULTIPLY_X448, 0, 0},
+  {X448_DERIVE,   MSA9, SCALAR_MULTIPLY_X448, 0, 0},
+- {RSA_ME,       ADAPTER, 0, 0, 0},
+- {RSA_CRT,      ADAPTER, 0, 0, 0},
++ {RSA_ME,       ADAPTER, 0, ICA_FLAG_SW, 0},
++ {RSA_CRT,      ADAPTER, 0, ICA_FLAG_SW, 0},
+  {RSA_KEY_GEN_ME, ADAPTER, 0, ICA_FLAG_SW, 0},  // SW (openssl)
+  {RSA_KEY_GEN_CRT, ADAPTER, 0, ICA_FLAG_SW, 0}, // SW (openssl)
+ 
+-- 
+2.16.4
+

libica.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Thu May  7 18:01:31 UTC 2020 - Mark Post <mpost@suse.com>
+
+- Added the following patches for FIPS certification (bsc#1162533)
+  * libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
+  * libica-sles15sp2-FIPS-hmac-key.patch
+- Added a BuildRequires for the fipscheck package.
+- Made a couple of changes to the spec file based upon recommendations
+  by spec-cleaner.
+
+-------------------------------------------------------------------
+Wed Apr  8 18:55:24 UTC 2020 - Mark Post <mpost@suse.com>
+
+- Added the following patches for FIPS certification.
+  * libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
+    (bsc#1166071) Although a DES key has only 56 effective bits,
+     all 64 bits must be considered, because the parity bits are
+     spread over all 8 bytes of the key.
+  * libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
+    (bsc#1166210) FIPS tests require the output iv to be the iv
+    resulting from decrypting the last block with a zero iv as input.
+  * libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
+    (bsc#1166224) The output from icainfo never shows 'yes' for
+    RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
+    due to the missing ICA_FLAG_SW flag in the icaList.
+
 -------------------------------------------------------------------
 Thu Nov 14 22:45:16 UTC 2019 - Mark Post <mpost@suse.com>
 

libica.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libica
 #
-# Copyright (c) 2018, 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018-2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,8 +38,15 @@ Source5:        z90crypt.service
 Source6:        baselibs.conf
 Source7:        %{name}-rpmlintrc
 Patch1:         libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
+Patch2:         libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
+Patch3:         libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
+Patch4:         libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
+Patch5:         libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
+Patch6:         libica-sles15sp2-FIPS-hmac-key.patch
+
 BuildRequires:  autoconf
 BuildRequires:  automake
+BuildRequires:  fipscheck
 BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  openssl-devel
@@ -115,8 +122,10 @@ cp %{SOURCE1} include/linux/
 autoreconf --force --install
 %configure CPPFLAGS="-Iinclude -fPIC" CFLAGS="%{optflags} -fPIC" \
   --enable-fips
-make %{?_smp_mflags} clean
-make %{?_smp_mflags}
+%make_build clean
+%make_build
+
+%{expand:%%global __os_install_post {%__os_install_post fipshmac %{buildroot}/%{_libdir}/*.so.?.*  }}
 
 %install
 %make_install
@@ -134,7 +143,7 @@ rm -f %{buildroot}%{_datadir}/doc/libica/*
 rmdir %{buildroot}%{_datadir}/doc/libica
 
 %check
-make check
+%make_build check
 
 %pre tools
 %service_add_pre z90crypt.service
@@ -155,6 +164,7 @@ make check
 %files -n libica3
 %defattr(-,root,root)
 %{_libdir}/libica.so.3*
+%{_libdir}/.libica.so.3*hmac
 
 %files tools
 %license LICENSE