From 17cb95bc03acaf335ec3f8ac05c0717b198f0f85 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 May 2023 05:36:50 +0000
Subject: [PATCH] import libica-4.1.1-2.el9
---
 .gitignore | 2 +-
 .libica.metadata | 2 +-
 SOURCES/libica-4.1.1-shmem.patch | 35 +++++++++++++++++++++++++++++
 SOURCES/libica-no-fips-config.patch | 33 ---------------------------
 SPECS/libica.spec | 23 ++++++++++++++-----
 5 files changed, 55 insertions(+), 40 deletions(-)
 create mode 100644 SOURCES/libica-4.1.1-shmem.patch
 delete mode 100644 SOURCES/libica-no-fips-config.patch
diff --git a/.gitignore b/.gitignore
index 4330df8..b0eec8c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libica-4.0.2.tar.gz
+SOURCES/libica-4.1.1.tar.gz
diff --git a/.libica.metadata b/.libica.metadata
index 435c11f..6020dad 100644
--- a/.libica.metadata
+++ b/.libica.metadata
@@ -1 +1 @@
-a9137e070966cefc5a2078893edc4693ee62088f SOURCES/libica-4.0.2.tar.gz
+a826ac86ded4ed96804fe19634b02838ab78ac86 SOURCES/libica-4.1.1.tar.gz
diff --git a/SOURCES/libica-4.1.1-shmem.patch b/SOURCES/libica-4.1.1-shmem.patch
new file mode 100644
index 0000000..0343471
--- /dev/null
+++ b/SOURCES/libica-4.1.1-shmem.patch
@@ -0,0 +1,35 @@
+From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Wed, 1 Feb 2023 10:54:33 +0100
+Subject: [libica PATCH] bugfix: permission denied on shared memory segments
+
+A change to the Linux kernel in 4.19 for added security is
+changing the behavior when opening shared memory segments.
+The O_CREAT flag must not be used for existing segments.
+
+Signed-off-by: Joerg Schmidbauer
+---
+ src/icastats_shared.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/icastats_shared.c b/src/icastats_shared.c
+index bbc8d0e..8290239 100644
+--- a/src/icastats_shared.c
++++ b/src/icastats_shared.c
+@@ -54,9 +54,10 @@ int stats_mmap(int user)
+ sprintf(shm_id, "icastats_%d",
+ user == -1 ? geteuid() : (uid_t)user);
+
+- stats_shm_handle = shm_open(shm_id,
+- O_CREAT | O_RDWR,
+- S_IRUSR | S_IWUSR);
++ stats_shm_handle = shm_open(shm_id, O_RDWR, S_IRUSR | S_IWUSR);
++
++ if (stats_shm_handle == -1)
++ stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
+
+ if (stats_shm_handle == -1)
+ return rc;
+--
+2.39.1
+
diff --git a/SOURCES/libica-no-fips-config.patch b/SOURCES/libica-no-fips-config.patch
deleted file mode 100644
index 04a4885..0000000
--- a/SOURCES/libica-no-fips-config.patch
+++ /dev/null
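Review bot: The fallback added to stats_mmap() retries with `O_CREAT` after any failure of the first `shm_open()`, not only when the segment is missing; gating it on the error, `if (stats_shm_handle == -1 && errno == ENOENT)`, keeps an `EACCES` on an existing segment from being followed by a create attempt. The create call also still omits `O_EXCL`, so a segment with the predictable `icastats_<uid>` name that appears between the two calls is opened without the code knowing who created it; whether a later `fstat()` ownership check exists cannot be seen here, because the function body continues outside the hunk. Whether `<errno.h>` is already included in icastats_shared.c is likewise not visible. The mode argument on the non-creating open is ignored and could be written as `0` to make that clear.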
@@ -1,33 +0,0 @@
-From 56b6ca219ecd37ba2c7e520ddac83eb801ce76ad Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
-Date: Mon, 16 May 2022 15:44:06 +0200
-Subject: [libica PATCH] FIPS specific openssl config is not required in
- RHEL/Fedora
-
----
- src/fips.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/fips.c b/src/fips.c
-index 129a1a7..6466133 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -235,12 +235,15 @@ fips_init(void)
- FIPS_mode_set(1);
- #else
- fips = 0;
-+ /* FIPS specific openssl config is not required in RHEL/Fedora */
-+#if 0
- if (!OSSL_LIB_CTX_load_config(openssl_libctx, LIBICA_FIPS_CONFIG)) {
- syslog(LOG_ERR, "Libica failed to load openssl fips config %s\n",
- LIBICA_FIPS_CONFIG);
- fips |= ICA_FIPS_INTEGRITY;
- return;
- }
-+#endif
-
- openssl_provider = OSSL_PROVIDER_load(openssl_libctx, "fips");
- if (openssl_provider == NULL) {
---
-2.34.3
-
diff --git a/SPECS/libica.spec b/SPECS/libica.spec
index 465ec55..5aed378 100644
--- a/SPECS/libica.spec
+++ b/SPECS/libica.spec
@@ -2,8 +2,8 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems Name: libica -Version: 4.0.2 -Release: 1%{?dist} +Version: 4.1.1 +Release: 2%{?dist} License: CPL URL: https://github.com/opencryptoki/ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -11,9 +11,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
-# FIPS openssl config is not needed on RHEL/Fedora
-# https://bugzilla.redhat.com/show_bug.cgi?id=2084097
-Patch1: %{name}-no-fips-config.patch
+# fix permissions for shared memory segments
+# https://bugzilla.redhat.com/show_bug.cgi?id=2167364
+Patch1: %{name}-4.1.1-shmem.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@@ -49,6 +49,11 @@ sh ./bootstrap.sh %build +# FIPS openssl config is not needed on RHEL/Fedora +# https://bugzilla.redhat.com/show_bug.cgi?id=2084097 +CPPFLAGS=-DNO_FIPS_CONFIG_LOAD +export CPPFLAGS + %configure --disable-static \ %if %{with_fips} --enable-fips @@ -105,6 +110,14 @@ fi %changelog +* Tue Feb 07 2023 Dan Horák - 4.1.1-2 +- fix permissions for shared memory segments (#2167364) +- Resolves: #2167364 + +* Mon Oct 24 2022 Dan Horák - 4.1.1-1 +- updated to 4.1.1 (#2110374) +- Resolves: #2110374 + * Thu Jun 30 2022 Dan Horák - 4.0.2-1 - updated to 4.0.2 (#2101767) - Resolves: #2101767
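Review bot: The plain assignment `CPPFLAGS=-DNO_FIPS_CONFIG_LOAD` in `%build` replaces whatever CPPFLAGS the build environment already carried; appending keeps inherited preprocessor flags, e.g. `CPPFLAGS="${CPPFLAGS:+$CPPFLAGS }-DNO_FIPS_CONFIG_LOAD"`. The define takes over from the deleted libica-no-fips-config.patch, but unlike a patch that stops applying, a macro name the 4.1.1 sources do not test is ignored without any build error, and the config load that sets `ICA_FIPS_INTEGRITY` on failure would presumably be compiled back in. A spec comment naming the upstream source file that checks `NO_FIPS_CONFIG_LOAD` would make that dependency easy to re-verify on the next rebase.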