diff --git a/.gitignore b/.gitignore
index e33f235..9f205c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,2 @@
-libica-2.0.3.tar.gz
-/libica-2.0.4.tar.gz
-/libica-2.0.6.tar.gz
-/libica-2.1.0.tar.gz
-/libica-2.1.1.tar.gz
-/libica-2.2.0.tar.gz
-/libica-2.3.0.tar.gz
-/libica-2.4.2.tgz
-/libica-2.6.1.tgz
-/libica-2.6.2.tgz
-/libica-3.0.1.tgz
-/libica-3.0.2.tgz
-/libica-3.1.1.tgz
-/libica-3.2.0.tgz
-/libica-3.3.2.tar.gz
-/libica-3.3.3.tar.gz
-/libica-3.4.0.tar.gz
-/libica-3.5.0.tar.gz
-/libica-3.6.0.tar.gz
-/libica-3.6.1.tar.gz
-/libica-3.7.0.tar.gz
+/libica-*.tgz
+/libica-*.tar.gz
diff --git a/libica-3.7.0-fips.patch b/libica-3.7.0-fips.patch
deleted file mode 100644
index f6b0d7e..0000000
--- a/libica-3.7.0-fips.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 34ae2c50cbe595ae475f5e3491c39f3b2dbe8a67 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
-Date: Wed, 15 Jul 2020 10:58:10 +0200
-Subject: [libica PATCH] fix library filename for FIPS integrity check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://github.com/opencryptoki/libica/issues/45
-
-Signed-off-by: Dan Horák <dan@danny.cz>
----
- src/fips.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/fips.c b/src/fips.c
-index 07310c3..2bf11f5 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -306,7 +306,7 @@ static void fips_lib_integrity_check(void)
- {
- 	int rc;
- 	char path[PATH_MAX];
--	const char *libname = "libica.so";
-+	const char *libname = "libica.so.3";
- 	const char *symbolname = "ica_sha256";
- 
- 	rc = get_library_path(libname, symbolname, path, sizeof(path));
--- 
-2.26.2
-
diff --git a/libica-3.7.0-annotate.patch b/libica-3.8.0-annotate.patch
similarity index 69%
rename from libica-3.7.0-annotate.patch
rename to libica-3.8.0-annotate.patch
index 88c186d..b0cc196 100644
--- a/libica-3.7.0-annotate.patch
+++ b/libica-3.8.0-annotate.patch
@@ -1,7 +1,7 @@
-From cdc316c106722d4107961315d809232f5801338d Mon Sep 17 00:00:00 2001
+From 0e4592f46c6c4a94eef66257af423d57c73af134 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Tue, 25 Sep 2018 13:44:32 +0200
-Subject: [PATCH] add build note to assembler sources
+Subject: [libica PATCH] add build note to assembler sources
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -21,14 +21,14 @@ Signed-off-by: Dan Horák <dan@danny.cz>
 ---
  configure.ac    | 4 ++++
  libica.spec     | 2 +-
- src/Makefile.am | 2 +-
- 3 files changed, 6 insertions(+), 2 deletions(-)
+ src/Makefile.am | 4 ++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index e401afb..071a0e6 100644
+index ae6370c..bc2fff4 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -92,12 +92,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
+@@ -99,12 +99,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
  	FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2"
  fi
  
@@ -46,7 +46,7 @@ index e401afb..071a0e6 100644
  AC_OUTPUT
  
 diff --git a/libica.spec b/libica.spec
-index f28651f..f6f3e8b 100644
+index 812b73d..3461b65 100644
 --- a/libica.spec
 +++ b/libica.spec
 @@ -9,7 +9,7 @@ URL:           https://github.com/opencryptoki/libica
@@ -59,18 +59,25 @@ index f28651f..f6f3e8b 100644
  %description
  Interface library on Linux for IBM System z to utilize CPACF
 diff --git a/src/Makefile.am b/src/Makefile.am
-index 5e69dab..3a42258 100644
+index 4a1ef14..d6f7f7f 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
-@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libica.la
+@@ -30,13 +30,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \
+ 		    include/rng.h
  
- libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
- 		   -fvisibility=hidden -pthread
+ libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
 -libica_la_CCASFLAGS = ${AM_CFLAGS}
 +libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
- libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl
- libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
- 		    -version-number ${VERSION}
+ libica_la_LIBADD = ${LIBS_common}
+ libica_la_LDFLAGS = ${LDFLAGS_common}
+ libica_la_SOURCES = ${SOURCES_common}
+ 
+ libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DNO_SW_FALLBACKS -DLIBNAME=\"libica-cex\"
+-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
++libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
+ libica_cex_la_LIBADD = ${LIBS_common}
+ libica_cex_la_LDFLAGS = ${LDFLAGS_common}
+ libica_cex_la_SOURCES = ${SOURCES_common}
 -- 
-2.26.2
+2.26.3
 
diff --git a/libica-3.8.0-configure.patch b/libica-3.8.0-configure.patch
new file mode 100644
index 0000000..d157510
--- /dev/null
+++ b/libica-3.8.0-configure.patch
@@ -0,0 +1,67 @@
+From a70dfe13b7dd2914ad29175ae026284bd5461e0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 24 May 2021 12:21:55 +0000
+Subject: [PATCH] fix handling of --disable-foo options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently passing eg. --disable-debug actually enables the debug build
+as one would expect from --enable-debug. The fix is to omit setting the
+enable_foo variable as the "action-if-given" parameter of AC_ARG_ENABLE,
+because it handles both the --enable and --disable forms.
+
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ configure.ac | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ae6370c..9dc4786 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,7 @@ FLAGS="-Wall -Wextra -mzarch"
+ dnl --- enable_debug
+ AC_ARG_ENABLE(debug,
+               [  --enable-debug          turn on debugging flags],
+-              [enable_debug="yes"],[enable_debug="no"])
++              [],[enable_debug="no"])
+ AM_CONDITIONAL(DEBUG, test x$enable_debug = xyes)
+ 
+ if test "x$enable_debug" = xyes; then
+@@ -46,7 +46,7 @@ fi
+ dnl --- enable_coverage
+ AC_ARG_ENABLE(coverage,
+               [  --enable-coverage       turn on coverage testing],
+-              [enable_coverage="yes"],[enable_coverage="no"])
++              [],[enable_coverage="no"])
+ AM_CONDITIONAL(COVERAGE, test x$enable_coverage = xyes)
+ 
+ if test "x$enable_coverage" = xyes; then
+@@ -57,7 +57,7 @@ fi
+ dnl --- enable_fips
+ AC_ARG_ENABLE(fips,
+               [  --enable-fips           built with FIPS mode support],
+-              [enable_fips="yes"],[enable_fips="no"])
++              [],[enable_fips="no"])
+ AM_CONDITIONAL(ICA_FIPS, test x$enable_fips = xyes)
+ 
+ if test "x$enable_fips" = xyes; then
+@@ -74,7 +74,7 @@ fi
+ dnl --- enable_sanitizer
+ AC_ARG_ENABLE(sanitizer,
+               [  --enable-sanitizer      turn on sanitizer (may not work on all systems)],
+-              [enable_sanitizer="yes"],[enable_sanitizer="no"])
++              [],[enable_sanitizer="no"])
+ AM_CONDITIONAL(SANITIZER, test x$enable_sanitizer = xyes)
+ 
+ if test "x$enable_sanitizer" = xyes; then
+@@ -86,7 +86,7 @@ fi
+ dnl --- enable_internal tests
+ AC_ARG_ENABLE(internal_tests,
+               [  --enable-internal-tests built internal tests],
+-              [enable_internal_tests="yes"],[enable_internal_tests="no"])
++              [],[enable_internal_tests="no"])
+ AM_CONDITIONAL(ICA_INTERNAL_TESTS, test x$enable_internal_tests = xyes)
+ 
+ if test "x$enable_internal_tests" = xyes; then
diff --git a/libica-3.8.0-no-eddsa-test.patch b/libica-3.8.0-no-eddsa-test.patch
new file mode 100644
index 0000000..aec3c14
--- /dev/null
+++ b/libica-3.8.0-no-eddsa-test.patch
@@ -0,0 +1,24 @@
+From 83909cdc63550b3151e76d727fe161a9ef71ab6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 31 May 2021 19:01:01 +0200
+Subject: [libica PATCH] disable eddsa test - broken with OpenSSL 3.0
+
+---
+ test/Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/test/Makefile.am b/test/Makefile.am
+index f889a97..428982d 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -54,7 +54,6 @@ ecdsa1_test.sh \
+ ec_keygen2_test.sh \
+ ecdh2_test.sh \
+ ecdsa2_test.sh \
+-eddsa_test \
+ x_test \
+ mp_test
+ 
+-- 
+2.26.3
+
diff --git a/libica.spec b/libica.spec
index 9441905..902aea8 100644
--- a/libica.spec
+++ b/libica.spec
@@ -1,19 +1,27 @@
+# generally broken in 3.8.0 and also not ready for OpenSSL 3.0
+# https://github.com/opencryptoki/libica/issues/58
+# https://github.com/opencryptoki/libica/issues/62
+%global with_fips 0
+
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 3.7.0
-Release: 6%{?dist}
+Version: 3.8.0
+Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 # annotate assembler source
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
-Patch0: %{name}-3.7.0-annotate.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1857130
-# https://github.com/opencryptoki/libica/pull/46
-Patch1: %{name}-3.7.0-fips.patch
+Patch0: %{name}-3.8.0-annotate.patch
+# https://github.com/opencryptoki/libica/commit/a70dfe13b7dd2914ad29175ae026284bd5461e0e
+Patch1: %{name}-3.8.0-configure.patch
+# https://github.com/opencryptoki/libica/issues/61
+# temporarily disable (OpenSSL 3.0)
+Patch2: %{name}-3.8.0-no-eddsa-test.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
+BuildRequires: openssl
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -46,13 +54,19 @@ sh ./bootstrap.sh
 
 
 %build
-%configure --disable-static --enable-fips
+%configure --disable-static \
+%if %{with_fips}
+    --enable-fips
+%else
+    --disable-fips
+%endif
 %make_build
 
 
 %install
 %make_install
-rm $RPM_BUILD_ROOT%{_libdir}/libica.la
+rm %{buildroot}%{_libdir}/libica*.la
+rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md}
 
 
 %check
@@ -65,19 +79,33 @@ fi
 
 %files
 %doc AUTHORS LICENSE ChangeLog
-%exclude %{_pkgdocdir}/{INSTALL,README.md}
 %{_bindir}/icainfo
+%{_bindir}/icainfo-cex
 %{_bindir}/icastats
+%if %{with_fips}
+%{_libdir}/.libica.*.hmac
+%{_libdir}/.libica-cex.*.hmac
+%endif
 %{_libdir}/libica.so.*
+%{_libdir}/libica-cex.so.*
 %{_mandir}/man1/icainfo.1*
+%{_mandir}/man1/icainfo-cex.1*
 %{_mandir}/man1/icastats.1*
 
 %files devel
 %{_includedir}/*
 %{_libdir}/libica.so
+%{_libdir}/libica-cex.so
 
 
 %changelog
+* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
+- updated to 3.8.0 (#1869532)
+- eliminate SW fallback functions (#1924119)
+- updated for OpenSSL 3.0 (#1952946)
+- disable FIPS support (broken)
+- Resolves: #1869532 #1924119 #1952946
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.0-6
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
diff --git a/sources b/sources
index b45f68b..98a29cb 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libica-3.7.0.tar.gz) = dfb3be2b6e745c19af916acee5ad7fdefdae35d8d0758289f11a5c427455fcb56b193a1c0c7c7a168076bc108120b8d68a811df322d321a2c6911899e93add9e
+SHA512 (libica-3.8.0.tar.gz) = 18441420c5a8a6b79151146c982f6fac4b346f8dfd60c17aee488fc982509281754ae8e81636a653cc094f4e34c007dab2e764f16b6fef022a584ce9110c6994