From 67fd6028c98fd40c13c6cf872a130ffdde1dcead Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 15 May 2024 07:40:00 +0000
Subject: [PATCH] Import from AlmaLinux stable repository

---
 .gitignore                       |  2 +-
 .libica.metadata                 |  2 +-
 SOURCES/libica-4.1.1-shmem.patch | 35 --------------------------------
 SOURCES/libica-4.2.3-fips.patch  | 35 ++++++++++++++++++++++++++++++++
 SPECS/libica.spec                | 24 +++++++++++++++++-----
 5 files changed, 56 insertions(+), 42 deletions(-)
 delete mode 100644 SOURCES/libica-4.1.1-shmem.patch
 create mode 100644 SOURCES/libica-4.2.3-fips.patch

diff --git a/.gitignore b/.gitignore
index b0eec8c..2bb538f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libica-4.1.1.tar.gz
+SOURCES/libica-4.2.3.tar.gz
diff --git a/.libica.metadata b/.libica.metadata
index 6020dad..d1b2ef6 100644
--- a/.libica.metadata
+++ b/.libica.metadata
@@ -1 +1 @@
-a826ac86ded4ed96804fe19634b02838ab78ac86 SOURCES/libica-4.1.1.tar.gz
+2fdb8eaa8985f05aea287b9d6547bb5169863ae4 SOURCES/libica-4.2.3.tar.gz
diff --git a/SOURCES/libica-4.1.1-shmem.patch b/SOURCES/libica-4.1.1-shmem.patch
deleted file mode 100644
index 0343471..0000000
--- a/SOURCES/libica-4.1.1-shmem.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From cd5b2b75554875111bf375b555ebd3b185cff1a0 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Wed, 1 Feb 2023 10:54:33 +0100
-Subject: [libica PATCH] bugfix: permission denied on shared memory segments
-
-A change to the Linux kernel in 4.19 for added security is
-changing the behavior when opening shared memory segments.
-The O_CREAT flag must not be used for existing segments.
-
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
----
- src/icastats_shared.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/icastats_shared.c b/src/icastats_shared.c
-index bbc8d0e..8290239 100644
---- a/src/icastats_shared.c
-+++ b/src/icastats_shared.c
-@@ -54,9 +54,10 @@ int stats_mmap(int user)
- 	sprintf(shm_id, "icastats_%d",
- 		user == -1 ? geteuid() : (uid_t)user);
- 
--	stats_shm_handle = shm_open(shm_id,
--				    O_CREAT | O_RDWR,
--				    S_IRUSR | S_IWUSR);
-+	stats_shm_handle = shm_open(shm_id, O_RDWR,  S_IRUSR | S_IWUSR);
-+
-+	if (stats_shm_handle == -1)
-+		stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
- 
- 	if (stats_shm_handle == -1)
- 		return rc;
--- 
-2.39.1
-
diff --git a/SOURCES/libica-4.2.3-fips.patch b/SOURCES/libica-4.2.3-fips.patch
new file mode 100644
index 0000000..5bddfb9
--- /dev/null
+++ b/SOURCES/libica-4.2.3-fips.patch
@@ -0,0 +1,35 @@
+From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Tue, 10 Oct 2023 14:10:22 +0200
+Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
+
+Before calling any openssl EVP function, libica's own openssl lib ctx
+must be made the current one. This was missing in compute_file_hmac.
+
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index f09dc77..3bbc325 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ 	void *fdata = NULL;
+ 	struct stat fdata_stat;
+ 
++	BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
++
+ 	pkey = get_pkey();
+ 	if (!pkey)
+ 		goto end;
+@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ 		EVP_MD_CTX_destroy(mdctx);
+ 
+ 	OPENSSL_cleanse(tmp, sizeof(tmp));
++	END_OPENSSL_LIBCTX(rc);
+ 
+ 	return rc;
+ }
diff --git a/SPECS/libica.spec b/SPECS/libica.spec
index 5aed378..aa6cf16 100644
--- a/SPECS/libica.spec
+++ b/SPECS/libica.spec
@@ -2,8 +2,8 @@
 
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.1.1
-Release: 2%{?dist}
+Version: 4.2.3
+Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -11,9 +11,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
-# fix permissions for shared memory segments
-# https://bugzilla.redhat.com/show_bug.cgi?id=2167364
-Patch1: %{name}-4.1.1-shmem.patch
+# https://issues.redhat.com/browse/RHEL-9918
+# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
+Patch1: %{name}-4.2.3-fips.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@@ -110,6 +110,20 @@ fi
 
 
 %changelog
+* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
+- updated to 4.2.3 (RHEL-11415)
+- fix selfcheck in FIPS mode (RHEL-9918)
+- Resolves: RHEL-11415 RHEL-9918
+
+* Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
+- icastats: Fix summary option (#2223698)
+- Resolves: #2223698
+
+* Fri May 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-1
+- updated to 4.2.2 (#2160060)
+- FIPS 140-3 compliance (#2160106)
+- Resolves: #2160060 #2160106
+
 * Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2
 - fix permissions for shared memory segments (#2167364)
 - Resolves: #2167364