import libica-4.0.0-1.el9

.gitignore

@@ -0,0 +1 @@
+SOURCES/libica-4.0.0.tar.gz

.libica.metadata

@@ -0,0 +1 @@
+9c18c8b990f8e21162364006cb60a3c9104eae19 SOURCES/libica-4.0.0.tar.gz

SOURCES/libica-4.0.0-annotate.patch

@@ -0,0 +1,83 @@
+From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Tue, 25 Sep 2018 13:44:32 +0200
+Subject: [libica PATCH] add build note to assembler sources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When distros use the annobin compiler plugin [1], they have complete overview
+what compiler flags were used for compilation and they are able to perform
+security checks on the produced binaries. Compiling assembler source can't
+provide this kind of information by default, so we need the explicit
+-Wa,--generate-missing-build-notes=yes option during build. When the option is
+missing, then the annocheck tool reports "GAPS" in the resulting binary.
+
+binutils >= 2.31 or older with backport is needed
+
+[1] https://fedoraproject.org/wiki/Changes/Annobin
+
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ configure.ac    | 4 ++++
+ libica.spec     | 2 +-
+ src/Makefile.am | 4 ++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 958371c..b8d0e42 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
+ 	FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2"
+ fi
+ 
++# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed
++AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"])
++
+ # restore cmdline flags (ignore PROG_AS/PROG_CC defaults)
+ CFLAGS="$cmdline_CFLAGS"
+ CCASFLAGS="$cmdline_CFLAGS"
+ 
+ AC_SUBST([FLAGS], $FLAGS)
+ AC_SUBST([LIBS], $LIBS)
++AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS)
+ AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile])
+ AC_OUTPUT
+ 
+diff --git a/libica.spec b/libica.spec
+index d71890a..e51430e 100644
+--- a/libica.spec
++++ b/libica.spec
+@@ -9,7 +9,7 @@ URL:           https://github.com/opencryptoki/libica
+ Source0:       %{name}-%{version}.tar.gz
+ BuildRoot:     %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+ 
+-BuildRequires: autoconf automake libtool openssl-devel
++BuildRequires: autoconf automake libtool openssl-devel autoconf-archive
+ 
+ %description
+ Interface library on Linux for IBM System z to utilize CPACF
+diff --git a/src/Makefile.am b/src/Makefile.am
+index c630048..1b5ec71 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \
+ 		    include/rng.h
+ 
+ libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
+-libica_la_CCASFLAGS = ${AM_CFLAGS}
++libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
+ libica_la_LIBADD = ${LIBS_common}
+ libica_la_LDFLAGS = ${LDFLAGS_common}
+ libica_la_SOURCES = ${SOURCES_common}
+ 
+ libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\"
+-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
++libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
+ libica_cex_la_LIBADD = ${LIBS_common}
+ libica_cex_la_LDFLAGS = ${LDFLAGS_common}
+ libica_cex_la_SOURCES = ${SOURCES_common}
+-- 
+2.31.1
+

SOURCES/libica-4.0.0-fixes.patch

@@ -0,0 +1,646 @@
+From 977fe8ac713f9ff3101ce9882e23d0183fb46ec8 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 15 Dec 2021 16:29:57 +0100
+Subject: [libica PATCH 01/10] RSA: limit RSA key length to 4096
+
+CEX adapters support RSA up to 4096 bits. Although RSA key generation
+in libica is done via openssl, and therefore even greater key lengths
+would be supported, such keys could not be processed on CEX adapters
+afterwards. With the removal of sw fallbacks this is now a hard
+restriction.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ include/ica_api.h |  4 ++++
+ src/ica_api.c     | 13 ++++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/ica_api.h b/include/ica_api.h
+index ce27261..6137c4a 100644
+--- a/include/ica_api.h
++++ b/include/ica_api.h
+@@ -1291,6 +1291,7 @@ int ica_ed448_ctx_del(ICA_ED448_CTX **ctx);
+  *
+  * @return 0 if successful.
+  * EINVAL if at least one invalid parameter is given.
++ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction).
+  * EFAULT if OpenSSL key generation should fail.
+  */
+ ICA_EXPORT
+@@ -1319,6 +1320,7 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
+  *
+  * @return 0 if successful.
+  * EINVAL if at least one invalid parameter is given.
++ * EPERM if modulus bit length is greater than 4096 (CEX adapter restriction).
+  * EFAULT if OpenSSL key generation should fail.
+  */
+ ICA_EXPORT
+@@ -1346,6 +1348,7 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
+  *
+  * @return 0 if successful.
+  * EINVAL if at least one invalid parameter is given.
++ * EPERM if key bit length is greater than 4096 (CEX adapter restriction).
+  * ENOMEM if memory allocation fails.
+  * EIO if the operation fails. This should never happen.
+  */
+@@ -1375,6 +1378,7 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
+  *
+  * @return 0 if successful.
+  * EINVAL if at least one invalid parameter is given.
++ * EPERM if key bit length is greater than 4096 (CEX adapter restriction).
+  * ENOMEM if memory allocation fails.
+  * EIO if the operation fails. This should never happen.
+  */
+diff --git a/src/ica_api.c b/src/ica_api.c
+index 445b0ab..a412052 100644
+--- a/src/ica_api.c
++++ b/src/ica_api.c
+@@ -52,6 +52,8 @@
+ 
+ #define MAX_VERSION_LENGTH 16
+ 
++#define MAX_RSA_KEY_BITS		4096
++
+ #ifndef NO_SW_FALLBACKS
+ int ica_fallbacks_enabled = 1;
+ #else
+@@ -1071,9 +1073,12 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
+ 	/* Keys should comply with modulus_bit_length */
+ 	if ((modulus_bit_length + 7) / 8 != public_key->key_length)
+ 		return EINVAL;
+-	/* Minimum length for public exponent is sizeof(unsigned long) */
++	/* Minimum key length is sizeof(unsigned long) */
+ 	if (public_key->key_length < sizeof(unsigned long))
+ 		return EINVAL;
++	/* Max key bit length is 4096 because of CEX adapter restriction */
++	if (modulus_bit_length > MAX_RSA_KEY_BITS)
++		return EPERM;
+ 
+ 	/* OpenSSL takes only exponents of type unsigned long, so we have to
+ 	 * be sure that we give a value of the right size to OpenSSL.
+@@ -1111,6 +1116,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
+ 		return EINVAL;
+ 	if (public_key->key_length < sizeof(unsigned long))
+ 		return EINVAL;
++	if (modulus_bit_length > MAX_RSA_KEY_BITS)
++		return EPERM;
+ 
+ 	num_ignored_bytes = public_key->key_length - sizeof(unsigned long);
+ 	public_exponent = public_key->exponent;
+@@ -1145,6 +1152,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
+ 
+ 	if (rsa_key->key_length < sizeof(unsigned long))
+ 		return EINVAL;
++	if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS)
++		return EPERM;
+ 
+ 	/* fill driver structure */
+ 	rb.inputdata = (unsigned char *)input_data;
+@@ -1264,6 +1273,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
+ 
+ 	if (rsa_key->key_length < sizeof(unsigned long))
+ 		return EINVAL;
++	if (rsa_key->key_length * 8 > MAX_RSA_KEY_BITS)
++		return EPERM;
+ 
+ 	/* fill driver structure */
+ 	rb.inputdata = (unsigned char *)input_data;
+-- 
+2.34.1
+
+
+From 553977ef505b43c7d17056369ed518a971d43d68 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 5 Jan 2022 09:07:51 +0100
+Subject: [libica PATCH 02/10] ECC: fix memory leaks in make_eckey()
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/s390_ecc.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/s390_ecc.c b/src/s390_ecc.c
+index bb13944..af121b0 100644
+--- a/src/s390_ecc.c
++++ b/src/s390_ecc.c
+@@ -146,12 +146,12 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
+ 	EC_GROUP *group = NULL;
+ 	EC_POINT *point = NULL;
+ 	BIGNUM *bn_priv = NULL;
+-	unsigned char *pub_key = NULL;
+-	unsigned int pub_key_len;
+-	point_conversion_form_t form;
+ #if !OPENSSL_VERSION_PREREQ(3, 0)
+ 	EC_KEY *ec_key;
+ #else
++	unsigned char *pub_key = NULL;
++	unsigned int pub_key_len;
++	point_conversion_form_t form;
+ 	OSSL_PARAM_BLD *tmpl = NULL;
+ 	int rc;
+ #endif
+@@ -175,18 +175,13 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
+ 		goto err;
+ 	}
+ 
+-	form = EC_GROUP_get_point_conversion_form(group);
+-	pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL);
+-	if (pub_key_len == 0) {
+-		goto err;
+-	}
+-
+ #if !OPENSSL_VERSION_PREREQ(3, 0)
+ 	ec_key = EC_KEY_new_by_curve_name(nid);
+ 	if (ec_key == NULL) {
+ 		goto err;
+ 	}
+ 
++	EC_POINT_free(point);
+ 	point = EC_POINT_new(EC_KEY_get0_group(ec_key));
+ 	if (point == NULL) {
+ 		goto err;
+@@ -209,6 +204,11 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
+ 	}
+ 
+ #else
++	form = EC_GROUP_get_point_conversion_form(group);
++	pub_key_len = EC_POINT_point2buf(group, point, form, &pub_key, NULL);
++	if (pub_key_len == 0) {
++		goto err;
++	}
+ 
+ 	tmpl = OSSL_PARAM_BLD_new();
+ 	if (tmpl == NULL) {
+@@ -243,6 +243,8 @@ err:
+ #else
+ 	if (tmpl)
+ 		OSSL_PARAM_BLD_free(tmpl);
++	if (pub_key)
++		OPENSSL_free(pub_key);
+ #endif
+ 
+ 	if (ok)
+-- 
+2.34.1
+
+
+From b41addd200c0938c6c10202da08ad5f7df940e18 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 5 Jan 2022 09:15:58 +0100
+Subject: [libica PATCH 03/10] ECC: Avoid recursive loop in ec_key_check() with
+ OpenSSL 3.0
+
+Use libica's OpenSSL library context in ec_key_check(), otherwise
+calling EVP_PKEY_fromdata() in build_pkey_from_params() may cause
+a recursive loop, when a provider is used that calls ica_ec_key_init()
+(and thus ec_key_check()) within its key import function.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/s390_ecc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/s390_ecc.c b/src/s390_ecc.c
+index af121b0..c0c1549 100644
+--- a/src/s390_ecc.c
++++ b/src/s390_ecc.c
+@@ -2458,6 +2458,8 @@ int ec_key_check(ICA_EC_KEY *ica_key)
+ 	BIGNUM *d = NULL, *x = NULL, *y = NULL;
+ 	int privlen, rc = EINVAL;
+ 
++	BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
++
+ 	if (!ica_key)
+ 		goto done;
+ 
+@@ -2489,6 +2491,7 @@ done:
+ 	if (privkey)
+ 		EVP_PKEY_free(privkey);
+ 
++	END_OPENSSL_LIBCTX(rc);
+ 	return rc;
+ }
+ 
+-- 
+2.34.1
+
+
+From 6031ec80a5ada52609822fed4a6bd2cccafe5563 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 5 Jan 2022 09:26:26 +0100
+Subject: [libica PATCH 04/10] RSA: Fix memory leaks in
+ rsa_key_generate_mod_expo()/crt()
+
+Also fix a compiler warning in rsa_key_generate().
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/s390_rsa.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/s390_rsa.c b/src/s390_rsa.c
+index 360c374..cea2ba2 100644
+--- a/src/s390_rsa.c
++++ b/src/s390_rsa.c
+@@ -128,7 +128,8 @@ EVP_PKEY* rsa_key_generate(unsigned int modulus_bit_length,
+ 		} while (*public_exponent <= 2 || !(*public_exponent % 2));
+ 	}
+ 
+-	e = BN_bin2bn(public_exponent, sizeof(unsigned long), NULL);
++	e = BN_bin2bn((const unsigned char *)public_exponent,
++		      sizeof(unsigned long), NULL);
+ 	if (e == NULL) {
+ 		goto done;
+ 	}
+@@ -259,6 +260,8 @@ err:
+ #if !OPENSSL_VERSION_PREREQ(3, 0)
+ 	RSA_free(rsa);
+ #else
++	BN_free(n);
++	BN_free(d);
+ 	EVP_PKEY_free(pkey);
+ #endif
+ 
+@@ -410,6 +413,12 @@ err:
+ #if !OPENSSL_VERSION_PREREQ(3, 0)
+ 	RSA_free(rsa);
+ #else
++	BN_free(n);
++	BN_free(p);
++	BN_free(q);
++	BN_free(dmp1);
++	BN_free(dmq1);
++	BN_free(iqmp);
+ 	EVP_PKEY_free(pkey);
+ #endif
+ 
+-- 
+2.34.1
+
+
+From b49cf457659a4baf382b3828d89823497bb00f6e Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 13 Jan 2022 10:42:02 +0100
+Subject: [libica PATCH 05/10] EC: Handle unsupported EC curve in
+ ica_ec_key_new()
+
+In case of an unsupported curve nid, privlen_from_nid() returns -1.
+The subsequent calloc() will fail with a size of -3 (0xfffffffffffffffd).
+
+Also free the already allocated key in case of an error to avoid a
+memory leak.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/ica_api.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/ica_api.c b/src/ica_api.c
+index a412052..0a885e2 100644
+--- a/src/ica_api.c
++++ b/src/ica_api.c
+@@ -1336,9 +1336,15 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
+ 
+ 	/* allocate clear memory for the 3 key parts */
+ 	len = privlen_from_nid(nid);
++	if (len <= 0) {
++		free(key);
++		return NULL;
++	}
+ 	key->X = calloc(1, 3*len);
+-	if (!key->X)
++	if (!key->X) {
++		free(key);
+ 		return NULL;
++	}
+ 
+ 	key->nid = nid;
+ 	key->Y = key->X + len;
+-- 
+2.34.1
+
+
+From 7e6e303e6aef019047eb6dfcdedbfe7da2a88526 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Tue, 11 Jan 2022 16:04:15 +0100
+Subject: [libica PATCH 06/10] Compute HMAC from installed library
+
+The HMAC hash was computed from the libica in the build tree, but
+the runtime check is run against the installed libica and those 2
+files may be different. E.g. if the runtime one has debuginfo stripped
+(and placed into a separate file), the hashes are different.
+This commit introduces a new make target: fipsinstall, which creates
+the HMAC files in the install directory.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ Makefile.am     | 9 ++++-----
+ src/Makefile.am | 8 +++++++-
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 2d8ab9e..e14abb5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -17,11 +17,8 @@ coverage: check
+ 	cd ${top_builddir}/src && gcov .libs/*.gcda
+ 
+ if ICA_FIPS
+-install-data-hook:
+-	$(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+-	cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION).hmac .libica.so.$(MAJOR).hmac
+-	$(INSTALL) -m 0444 ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION).hmac $(DESTDIR)$(libdir)
+-	cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION).hmac .libica-cex.so.$(MAJOR).hmac
++fipsinstall:
++	 $(AM_V_GEN)$(MAKE) -C src fipsinstall
+ if ICA_OPENSSL3
+ 	test -f $(DESTDIR)$(sysconfdir)/libica || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libica
+ 	test -f $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || $(INSTALL) -m 644 ${top_builddir}/src/openssl3-fips.cnf $(DESTDIR)$(sysconfdir)/libica/openssl3-fips.cnf || true
+@@ -38,3 +35,5 @@ if ICA_OPENSSL3
+ endif
+ endif
+ 
++.PHONY: fipsinstall
++
+diff --git a/src/Makefile.am b/src/Makefile.am
+index c630048..4c92c96 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -47,6 +47,12 @@ mp.S	: mp.pl
+ 	./mp.pl mp.S
+ 
+ if ICA_FIPS
++fipsinstall:
++	$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
++	$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
++	$(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
++	$(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -s .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
++
+ hmac-file-lnk: hmac-file
+ 	$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
+ 	$(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
+@@ -110,4 +116,4 @@ internal_tests_ec_internal_test_SOURCES = \
+ 		    include/rng.h ../test/testcase.h
+ endif
+ 
+-.PHONY: hmac-file hmac-file-lnk
++.PHONY: hmac-file hmac-file-lnk fipsinstall
+-- 
+2.34.1
+
+
+From 28fa931bed9e6847137829952a3e7cc6091bd071 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 24 Jan 2022 10:24:44 +0100
+Subject: [libica PATCH 07/10] Fix compile warnings
+
+... like potentially uninitialized variables or unused functions.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/fips.c     | 4 ++--
+ src/ica_api.c  | 2 +-
+ src/s390_ecc.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/fips.c b/src/fips.c
+index 934f6f7..505dd0b 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -1304,8 +1304,8 @@ rsa_kat(void)
+ 	ica_adapter_handle_t ah;
+ 	const struct rsa_tv *tv;
+ 	size_t i, keylen, crtparamlen;
+-	unsigned char *out;
+-	libica_func_list_element* libica_func_list;
++	unsigned char *out = NULL;
++	libica_func_list_element* libica_func_list = NULL;
+ 	unsigned int count;
+ 
+ 	if (ica_open_adapter(&ah))
+diff --git a/src/ica_api.c b/src/ica_api.c
+index 0a885e2..a10e139 100644
+--- a/src/ica_api.c
++++ b/src/ica_api.c
+@@ -90,6 +90,7 @@ void ica_set_stats_mode(int stats_mode)
+ 	ica_stats_enabled = stats_mode ? 1 : 0;
+ }
+ 
++#ifndef NO_CPACF
+ #ifdef ICA_FIPS
+ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
+ 	if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
+@@ -101,7 +102,6 @@ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
+ }
+ #endif
+ 
+-#ifndef NO_CPACF
+ static unsigned int check_des_parms(unsigned int mode,
+ 				    unsigned long data_length,
+ 				    const unsigned char *in_data,
+diff --git a/src/s390_ecc.c b/src/s390_ecc.c
+index c0c1549..211db01 100644
+--- a/src/s390_ecc.c
++++ b/src/s390_ecc.c
+@@ -147,7 +147,7 @@ static EVP_PKEY *make_eckey(int nid, const unsigned char *p, size_t plen)
+ 	EC_POINT *point = NULL;
+ 	BIGNUM *bn_priv = NULL;
+ #if !OPENSSL_VERSION_PREREQ(3, 0)
+-	EC_KEY *ec_key;
++	EC_KEY *ec_key = NULL;
+ #else
+ 	unsigned char *pub_key = NULL;
+ 	unsigned int pub_key_len;
+@@ -262,7 +262,7 @@ static EVP_PKEY *make_public_eckey(int nid, unsigned char *pubkey, size_t publen
+ {
+ 	int ok = 0;
+ #if !OPENSSL_VERSION_PREREQ(3, 0)
+-	EC_KEY *ec_key;
++	EC_KEY *ec_key = NULL;
+ #else
+ 	OSSL_PARAM_BLD *tmpl = NULL;
+ 	int rc;
+-- 
+2.34.1
+
+
+From cc44f18383ec6dc01a05abd6c25a1dec8efe84cb Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 24 Jan 2022 10:32:47 +0100
+Subject: [libica PATCH 08/10] Fix memory leaks in test programs
+
+When configured with --enable-sanitizer some tests fail because
+the address sanitizer reports memory leaks.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ test/ec_keygen_test.c   |  6 +++++-
+ test/ecdh_test.c        | 13 ++++++++++++-
+ test/ecdsa_test.c       |  3 +++
+ test/icastats_test.c.in |  1 +
+ 4 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/test/ec_keygen_test.c b/test/ec_keygen_test.c
+index 43c6092..0445c41 100644
+--- a/test/ec_keygen_test.c
++++ b/test/ec_keygen_test.c
+@@ -115,6 +115,8 @@ int main(int argc, char **argv)
+ 
+ 			rc = ica_ec_key_generate(adapter_handle, eckey);
+ 			if (rc) {
++				ica_ec_key_free(eckey);
++				eckey = NULL;
+ 				if (rc == EPERM) {
+ 					V_(printf("Curve %d not supported on this system, skipping ...\n", eckeygen_tests[i].nid));
+ 					continue;
+@@ -156,12 +158,14 @@ int main(int argc, char **argv)
+ 					}
+ 				}
+ 			}
++
++			ica_ec_key_free(eckey);
++			eckey = NULL;
+ 		}
+ 
+ 		if (test_failed)
+ 			errors++;
+ 
+-		ica_ec_key_free(eckey);
+ 		unset_env_icapath();
+ 	}
+ 
+diff --git a/test/ecdh_test.c b/test/ecdh_test.c
+index 9a81036..e1191d0 100644
+--- a/test/ecdh_test.c
++++ b/test/ecdh_test.c
+@@ -339,6 +339,8 @@ int main(int argc, char **argv)
+ 
+ 		rc = ica_ec_key_init(ecdh_kats[i].xa, ecdh_kats[i].ya, ecdh_kats[i].da, eckey_A);
+ 		if (rc != 0) {
++			ica_ec_key_free(eckey_A);
++			eckey_A = NULL;
+ 			if (rc == EPERM) {
+ 				V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid));
+ 				continue;
+@@ -350,11 +352,18 @@ int main(int argc, char **argv)
+ 		}
+ 
+ 		eckey_B = ica_ec_key_new(ecdh_kats[i].nid, &privlen);
+-		if (!eckey_B)
++		if (!eckey_B) {
++			ica_ec_key_free(eckey_A);
++			eckey_A = NULL;
+ 			continue;
++		}
+ 
+ 		rc = ica_ec_key_init(ecdh_kats[i].xb, ecdh_kats[i].yb, ecdh_kats[i].db, eckey_B);
+ 		if (rc != 0) {
++			ica_ec_key_free(eckey_B);
++			eckey_B = NULL;
++			ica_ec_key_free(eckey_A);
++			eckey_A = NULL;
+ 			if (rc == EPERM) {
+ 				V_(printf("Curve %d not supported on this system, skipping ...\n", ecdh_kats[i].nid));
+ 				continue;
+@@ -415,7 +424,9 @@ int main(int argc, char **argv)
+ 			errors++;
+ 
+ 		ica_ec_key_free(eckey_A);
++		eckey_A = NULL;
+ 		ica_ec_key_free(eckey_B);
++		eckey_B = NULL;
+ 		unset_env_icapath();
+ 	}
+ 
+diff --git a/test/ecdsa_test.c b/test/ecdsa_test.c
+index 3b6bda3..2393882 100644
+--- a/test/ecdsa_test.c
++++ b/test/ecdsa_test.c
+@@ -225,6 +225,8 @@ int main(int argc, char **argv)
+ 
+ 		rc = ica_ec_key_init(ecdsa_kats[i].x, ecdsa_kats[i].y, ecdsa_kats[i].d, eckey);
+ 		if (rc != 0) {
++			ica_ec_key_free(eckey);
++			eckey = NULL;
+ 			if (rc == EPERM) {
+ 				V_(printf("Curve %d not supported on this system, skipping ...\n", ecdsa_kats[i].nid));
+ 				continue;
+@@ -274,6 +276,7 @@ int main(int argc, char **argv)
+ 			errors++;
+ 
+ 		ica_ec_key_free(eckey);
++		eckey = NULL;
+ 		unset_env_icapath();
+ 	}
+ 
+diff --git a/test/icastats_test.c.in b/test/icastats_test.c.in
+index 98905a9..f0d1212 100644
+--- a/test/icastats_test.c.in
++++ b/test/icastats_test.c.in
+@@ -186,6 +186,7 @@ int is_crypto_card_loaded()
+ 			}
+ 			if((c = fgetc(file)) == '1'){
+ 				fclose(file);
++				closedir(sysDir);
+ 				return 1;
+ 			}
+ 			fclose(file);
+-- 
+2.34.1
+
+
+From 9c6431f49a9fe0d574722954e018b4cba6ab085b Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 24 Jan 2022 14:33:57 +0100
+Subject: [libica PATCH 09/10] FIPS: Calculation of library HMAC may fail
+
+Initialize length variable before calling EVP_DigestSignFinal().
+If hlen is uninitialized it may cause EVP_DigestSignFinal() to fail.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/fips.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index 505dd0b..129a1a7 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -333,6 +333,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ 		}
+ 	}
+ 
++	hlen = sizeof(rbuf);
+ 	if (EVP_DigestSignFinal(mdctx, rbuf, &hlen) <= 0)
+ 		goto end;
+ 
+-- 
+2.34.1
+
+
+From 5aa9366c236a6d17570403ef81c65e4f5f91a8af Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 26 Jan 2022 09:29:27 +0100
+Subject: [libica PATCH 10/10] MAKEFILE: Do not install ec_internal_test
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 4c92c96..d6f5c52 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -90,7 +90,7 @@ icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h
+ # internal tests
+ 
+ if ICA_INTERNAL_TESTS
+-bin_PROGRAMS += internal_tests/ec_internal_test
++noinst_PROGRAMS = internal_tests/ec_internal_test
+ 
+ internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \
+ 					 -I${srcdir}/../include	\
+-- 
+2.34.1
+

SPECS/libica.spec

@@ -0,0 +1,336 @@
+%global with_fips 1
+
+Summary: Library for accessing ICA hardware crypto on IBM z Systems
+Name: libica
+Version: 4.0.0
+Release: 1%{?dist}
+License: CPL
+URL: https://github.com/opencryptoki/
+Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+# annotate assembler source
+# https://bugzilla.redhat.com/show_bug.cgi?id=1630582
+# https://github.com/opencryptoki/libica/pull/24
+Patch0: %{name}-4.0.0-annotate.patch
+# post GA fixes, includes HMAC calculation
+Patch1: %{name}-4.0.0-fixes.patch
+BuildRequires: gcc
+BuildRequires: openssl-devel
+BuildRequires: openssl
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: autoconf-archive
+BuildRequires: perl(FindBin)
+BuildRequires: perl(lib)
+BuildRequires: make
+ExclusiveArch: s390 s390x
+
+%description
+A library of functions and utilities for accessing ICA hardware crypto on
+IBM z Systems.
+
+
+%package devel
+Summary: Development tools for programs to access ICA hardware crypto on IBM z Systems
+Requires: %{name} = %{version}-%{release}
+Requires: openssl-devel
+
+%description devel
+The libica-devel package contains the header files and static
+libraries necessary for developing programs accessing ICA hardware crypto on
+IBM z Systems.
+
+
+%prep
+%autosetup -p1
+
+sh ./bootstrap.sh
+
+
+%build
+%configure --disable-static \
+%if %{with_fips}
+    --enable-fips
+%else
+    --disable-fips
+%endif
+%make_build
+
+
+%install
+%make_install
+rm %{buildroot}%{_libdir}/libica*.la
+rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md}
+
+
+%check
+# mock doesn't provide the device, so check here
+# https://github.com/rpm-software-management/mock/issues/33
+if [ -c /dev/hwrng -o -c /dev/prandom ]; then
+    make check
+fi
+
+%if %{with_fips}
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    make fipsinstall DESTDIR=%{buildroot}
+    %{nil}
+%endif
+
+%files
+%doc AUTHORS LICENSE ChangeLog
+%{_bindir}/icainfo
+%{_bindir}/icainfo-cex
+%{_bindir}/icastats
+%if %{with_fips}
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+# openssl 3.0 is available since Fedora 36 and RHEL 9
+%dir %{_sysconfdir}/libica
+%{_sysconfdir}/libica/openssl3-fips.cnf
+%endif
+%{_libdir}/.libica.*.hmac
+%{_libdir}/.libica-cex.*.hmac
+%endif
+%{_libdir}/libica.so.*
+%{_libdir}/libica-cex.so.*
+%{_mandir}/man1/icainfo.1*
+%{_mandir}/man1/icainfo-cex.1*
+%{_mandir}/man1/icastats.1*
+
+%files devel
+%{_includedir}/*
+%{_libdir}/libica.so
+%{_libdir}/libica-cex.so
+
+
+%changelog
+* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
+- updated to 4.0.0 (#2040237)
+- Resolves: #2040237
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.8.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 3.8.0-2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
+- updated to 3.8.0 (#1869532)
+- eliminate SW fallback functions (#1924119)
+- updated for OpenSSL 3.0 (#1952946)
+- disable FIPS support (broken)
+- Resolves: #1869532 #1924119 #1952946
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.0-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-3
+- Use make macros (taken from PR#1 by <tstellar at redhat.com>)
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Wed Jul 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-2
+- fix FIPS integrity validation (#1857130)
+
+* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-1
+- updated to 3.7.0
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 26 2019 Dan Horák <dan[at]danny.cz> - 3.6.1-1
+- updated to 3.6.1
+
+* Mon Sep 02 2019 Dan Horák <dan[at]danny.cz> - 3.6.0-1
+- updated to 3.6.0
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 24 2019 Dan Horák <dan[at]danny.cz> - 3.5.0-1
+- updated to 3.5.0
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Nov 16 2018 Dan Horák <dan[at]danny.cz> - 3.4.0-1
+- updated to 3.4.0
+
+* Fri Sep 21 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-4
+- annotate assembler file (#1630582)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jun 13 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-2
+- fix executable stack in assembler code
+
+* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-1
+- updated to 3.3.3
+
+* Tue Apr 17 2018 Dan Horák <dan[at]danny.cz> - 3.3.2-1
+- updated to 3.3.2
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Sep 25 2017 Dan Horák <dan[at]danny.cz> - 3.2.0-1
+- updated to 3.2.0
+
+* Mon Sep 11 2017 Dan Horák <dan[at]danny.cz> - 3.1.1-1
+- updated to 3.1.1
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Apr 18 2017 Dan Horák <dan[at]danny.cz> - 3.0.2-3
+- update BR
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Dan Horák <dan[at]danny.cz> - 3.0.2-1
+- updated to 3.0.2
+
+* Fri Jan 13 2017 Dan Horák <dan[at]danny.cz> - 3.0.1-2
+- check for /dev/prandom before running the test-suite
+
+* Fri Jan 13 2017 Dan Horák <dan[at]danny.cz> - 3.0.1-1
+- updated to 3.0.1
+
+* Tue Apr 12 2016 Dan Horák <dan[at]danny.cz> - 2.6.2-1
+- updated to 2.6.2
+
+* Thu Mar 17 2016 Dan Horák <dan[at]danny.cz> - 2.6.1-1
+- updated to 2.6.1
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Sep 01 2014 Dan Horák <dan[at]danny.cz> - 2.4.2-1
+- updated to 2.4.2
+
+* Wed Jun 11 2014 Dan Horák <dan[at]danny.cz> - 2.3.0-5
+- fix build with recent kernels
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Mar 14 2014 Dan Horák <dan[at]danny.cz> - 2.3.0-3
+- add post release fix (#1066014)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.3.0-1
+- updated to 2.3.0
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Aug 17 2012 Dan Horák <dan[at]danny.cz> - 2.2.0-1
+- updated to 2.2.0
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jan 16 2012 Dan Horák <dan[at]danny.cz> - 2.1.1-1
+- updated to 2.1.1
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.1.0-1
+- updated to 2.1.0 with soname set back to 2.0
+
+* Mon Apr 11 2011 Dan Horák <dan[at]danny.cz> - 2.0.6-1
+- updated to 2.0.6
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 12 2011 Dan Horák <dan[at]danny.cz> - 2.0.4-1
+- Do not use sigill to wrap all HW instructions (#665401)
+- updated to 2.0.4
+
+* Tue Nov  9 2010 Dan Horák <dhorak@redhat.com> - 2.0.3-3
+- Fix the return value of old_api_sha_test() in libica_sha1_test (#624005)
+- Use the right buffer length when operating in 32-bit mode (#640035)
+- Resolves: #624005, #640035
+
+* Fri May 21 2010 Dan Horák <dan[at]danny.cz> - 2.0.3-2
+- rebuilt with -fno-strict-aliasing (#593779)
+- Resolves: #593779
+
+* Thu Apr 22 2010 Dan Horák <dan[at]danny.cz> - 2.0.3-1
+- updated to 2.0.3 (#582607)
+- Resolves: #582607
+
+* Mon Apr 12 2010 Dan Horák <dan[at]danny.cz> - 2.0.2-3
+- add SIGILL handler for add_entropy (#581520)
+- Resolves: #581520
+
+* Tue Feb 16 2010 Dan Horák <dan[at]danny.cz> - 2.0.2-2
+- dropped the utils sub-package
+- Related: #543948
+
+* Tue Dec 08 2009 Dennis Gregorovic <dgregor@redhat.com> - 2.0.2-1.1
+- Rebuilt for RHEL 6
+
+* Mon Aug 17 2009 Dan Horák <dan[at]danny.cz> - 2.0.2-1
+- update to 2.0.2
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Apr  1 2009 Dan Horák <dan[at]danny.cz> - 2.0.1-1
+- update to 2.0.1
+
+* Mon Mar 23 2009 Dan Horák <dan[at]danny.cz> - 2.0-1
+- update to 2.0
+- spec file cleanup before submitting to Fedora
+
+* Sun Sep 14 2008 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-8.el5
+- Added the icainfo tool to libica (#439484)
+
+* Tue Apr 01 2008 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-7.el5
+- Fixed build of libica with latest AES & SHA feature (#439390)
+
+* Tue Jan 15 2008 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-6.el5
+- Added Software Support for CP Assist Instructions AES & SHA (#318971)
+
+* Thu Nov 23 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-5.el5
+- Fixed requires bug where devel packages would get wrong arch lib (#215908)
+
+* Fri Oct 13 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-4
+- Fixed bug where libica fails to initialize when no crypto hardware is
+  available (#210504)
+- Only build libica for s390(x), really only needed there.
+
+* Fri Sep 08 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-3
+- Build for other archs as well due to openCryptoki requirement (#184631)
+
+* Fri Jul 14 2006 Tim Powers <timp@redhat.com> - 1.3.7-2
+- rebuild
+
+* Tue Jun 13 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.7-1
+- Update to libica-1.3.7 final
+- Fixed build on latest devel tree
+
+* Tue Apr 04 2006 Phil Knirsch <pknirsch@redhat.com> - 1.3.6-rc3-1
+- Initial package.