From d3bac2d3f38ff39f191d4bd4c927918827268e22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Fri, 27 Oct 2023 11:36:44 +0200
Subject: [PATCH] - updated to 4.2.3 (RHEL-11415) - fix selfcheck in FIPS mode (RHEL-9918) - Resolves: RHEL-11415 RHEL-9918
---
 libica-4.2.2-icastats-summary.patch | 231 ----------------------------
 libica-4.2.3-fips.patch | 35 +++++
 libica.spec | 15 +-
 sources | 2 +-
 4 files changed, 46 insertions(+), 237 deletions(-)
 delete mode 100644 libica-4.2.2-icastats-summary.patch
 create mode 100644 libica-4.2.3-fips.patch
diff --git a/libica-4.2.2-icastats-summary.patch b/libica-4.2.2-icastats-summary.patch
deleted file mode 100644
index 2558bc0..0000000
--- a/libica-4.2.2-icastats-summary.patch
+++ /dev/null
@@ -1,231 +0,0 @@ -From f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Tue, 18 Jul 2023 09:21:54 +0200 -Subject: [libica PATCH] icastats: Fix summary option to display correct - summary information - -The '--summary' option of icastats did not display correct statistics since -the introduction of per key keysize counters with libica version 4.0.0. - -To display the correct summary counters, the all-key-size-counter values of an -algorithm that supports multiple key sizes must be calculated like it is done -in get_stats_data(). Adjust get_stats_data() function and friends so that it -now also can be called from get_stats_sum() and can optionally operate on a -specified statistics segment (i.e. the one where the summary statistics have -been calculated in), not just the global one. - -Signed-off-by: Ingo Franzki ---- - src/icastats.c | 4 +- - src/icastats_shared.c | 102 +++++++++++++++++++++++------------------ - src/include/icastats.h | 5 +- - 3 files changed, 62 insertions(+), 49 deletions(-) - -diff --git a/src/icastats.c b/src/icastats.c -index e98617f..07b0d50 100644 ---- a/src/icastats.c -+++ b/src/icastats.c -@@ -302,7 +302,7 @@ int main(int argc, char *argv[]) - perror("malloc: "); - return EXIT_FAILURE; - } -- get_stats_data(entries); -+ get_stats_data(NULL, entries); - if (json) { - print_stats_json(entries, usr); - } else { -@@ -358,7 +358,7 @@ int main(int argc, char *argv[]) - perror("malloc: "); - return EXIT_FAILURE; - } -- get_stats_data(stats); -+ get_stats_data(NULL, stats); - if (json) { - pswd = getpwuid(user == -1 ? 
geteuid() : (uid_t)user); - if (pswd == NULL) { -diff --git a/src/icastats_shared.c b/src/icastats_shared.c -index 8290239..f8e8563 100644 ---- a/src/icastats_shared.c -+++ b/src/icastats_shared.c -@@ -124,39 +124,46 @@ void stats_munmap(int user, int unlink) - * @direction - valid values are ENCRYPT and DECRYPT - */ - --uint64_t stats_query(stats_fields_t field, int hardware, int direction) -+uint64_t stats_query(stats_entry_t *source, stats_fields_t field, -+ int hardware, int direction) - { -- if (stats == NULL) -+ if (source == NULL) -+ source = stats; -+ -+ if (source == NULL) - return 0; - - if (direction == ENCRYPT) - if (hardware == ALGO_HW) -- return stats[field].enc.hw; -+ return source[field].enc.hw; - else -- return stats[field].enc.sw; -+ return source[field].enc.sw; - else - if (hardware == ALGO_HW) -- return stats[field].dec.hw; -+ return source[field].dec.hw; - else -- return stats[field].dec.sw; -+ return source[field].dec.sw; - } - --static uint64_t calc_summary(stats_fields_t start, unsigned int num, -+static uint64_t calc_summary(stats_entry_t *source, -+ stats_fields_t start, unsigned int num, - int hardware, int direction) - { - unsigned int i; - uint64_t sum = 0; - - for (i = 0; i < num; i++) -- sum += stats_query(start + i, hardware, direction); -+ sum += stats_query(source, start + i, hardware, direction); - - return sum; - } - - /* Returns the statistic data in a stats_entry_t array -+ * @source - source of the statistics data. If NULL, then the global stats -+ * are used, which must have been mapped via stats_mmap() before. - * @entries - Needs to be a array of size ICA_NUM_STATS. 
- */ --void get_stats_data(stats_entry_t *entries) -+void get_stats_data(stats_entry_t *source, stats_entry_t *entries) - { - unsigned int i; - for (i = 0; i < ICA_NUM_STATS; i++) { -@@ -168,58 +175,62 @@ void get_stats_data(stats_entry_t *entries) - case ICA_STATS_AES_CTR: - case ICA_STATS_AES_CMAC: - case ICA_STATS_AES_GCM: -- entries[i].enc.hw = calc_summary(i + 1, 3, -- ALGO_HW, ENCRYPT); -- entries[i].enc.sw = calc_summary(i + 1, 3, -- ALGO_SW, ENCRYPT); -- entries[i].dec.hw = calc_summary(i + 1, 3, -- ALGO_HW, DECRYPT); -- entries[i].dec.sw = calc_summary(i + 1, 3, -- ALGO_SW, DECRYPT); -+ entries[i].enc.hw = calc_summary(source, i + 1, 3, -+ ALGO_HW, ENCRYPT); -+ entries[i].enc.sw = calc_summary(source, i + 1, 3, -+ ALGO_SW, ENCRYPT); -+ entries[i].dec.hw = calc_summary(source, i + 1, 3, -+ ALGO_HW, DECRYPT); -+ entries[i].dec.sw = calc_summary(source, i + 1, 3, -+ ALGO_SW, DECRYPT); - break; - - case ICA_STATS_AES_XTS: -- entries[i].enc.hw = calc_summary(i + 1, 2, -- ALGO_HW, ENCRYPT); -- entries[i].enc.sw = calc_summary(i + 1, 2, -- ALGO_SW, ENCRYPT); -- entries[i].dec.hw = calc_summary(i + 1, 2, -- ALGO_HW, DECRYPT); -- entries[i].dec.sw = calc_summary(i + 1, 2, -- ALGO_SW, DECRYPT); -+ entries[i].enc.hw = calc_summary(source, i + 1, 2, -+ ALGO_HW, ENCRYPT); -+ entries[i].enc.sw = calc_summary(source, i + 1, 2, -+ ALGO_SW, ENCRYPT); -+ entries[i].dec.hw = calc_summary(source, i + 1, 2, -+ ALGO_HW, DECRYPT); -+ entries[i].dec.sw = calc_summary(source, i + 1, 2, -+ ALGO_SW, DECRYPT); - break; - - case ICA_STATS_RSA_ME: - case ICA_STATS_RSA_CRT: -- entries[i].enc.hw = calc_summary(i + 1, 4, -- ALGO_HW, ENCRYPT); -- entries[i].enc.sw = calc_summary(i + 1, 4, -- ALGO_SW, ENCRYPT); -- entries[i].dec.hw = calc_summary(i + 1, 4, -- ALGO_HW, DECRYPT); -- entries[i].dec.sw = calc_summary(i + 1, 4, -- ALGO_SW, DECRYPT); -+ entries[i].enc.hw = calc_summary(source, i + 1, 4, -+ ALGO_HW, ENCRYPT); -+ entries[i].enc.sw = calc_summary(source, i + 1, 4, -+ ALGO_SW, 
ENCRYPT); -+ entries[i].dec.hw = calc_summary(source, i + 1, 4, -+ ALGO_HW, DECRYPT); -+ entries[i].dec.sw = calc_summary(source, i + 1, 4, -+ ALGO_SW, DECRYPT); - break; - - case ICA_STATS_ECDH: - case ICA_STATS_ECDSA_SIGN: - case ICA_STATS_ECDSA_VERIFY: - case ICA_STATS_ECKGEN: -- entries[i].enc.hw = calc_summary(i + 1, 8, -- ALGO_HW, ENCRYPT); -- entries[i].enc.sw = calc_summary(i + 1, 8, -- ALGO_SW, ENCRYPT); -- entries[i].dec.hw = calc_summary(i + 1, 8, -- ALGO_HW, DECRYPT); -- entries[i].dec.sw = calc_summary(i + 1, 8, -- ALGO_SW, DECRYPT); -+ entries[i].enc.hw = calc_summary(source, i + 1, 8, -+ ALGO_HW, ENCRYPT); -+ entries[i].enc.sw = calc_summary(source, i + 1, 8, -+ ALGO_SW, ENCRYPT); -+ entries[i].dec.hw = calc_summary(source, i + 1, 8, -+ ALGO_HW, DECRYPT); -+ entries[i].dec.sw = calc_summary(source, i + 1, 8, -+ ALGO_SW, DECRYPT); - break; - - default: -- entries[i].enc.hw = stats_query(i, ALGO_HW, ENCRYPT); -- entries[i].enc.sw = stats_query(i, ALGO_SW, ENCRYPT); -- entries[i].dec.hw = stats_query(i, ALGO_HW, DECRYPT); -- entries[i].dec.sw = stats_query(i, ALGO_SW, DECRYPT); -+ entries[i].enc.hw = stats_query(source, i, -+ ALGO_HW, ENCRYPT); -+ entries[i].enc.sw = stats_query(source, i, -+ ALGO_SW, ENCRYPT); -+ entries[i].dec.hw = stats_query(source, i, -+ ALGO_HW, DECRYPT); -+ entries[i].dec.sw = stats_query(source, i, -+ ALGO_SW, DECRYPT); - break; - } - } -@@ -280,6 +291,7 @@ int get_stats_sum(stats_entry_t *sum) - } - } - closedir(shmDir); -+ get_stats_data(sum, sum); - return 1; - } - -diff --git a/src/include/icastats.h b/src/include/icastats.h -index f1d70ba..136ac0f 100644 ---- a/src/include/icastats.h -+++ b/src/include/icastats.h -@@ -286,8 +286,9 @@ typedef enum stats_fields { - - int stats_mmap(int user); - void stats_munmap(int user, int unlink); --uint64_t stats_query(stats_fields_t field, int hardware, int direction); --void get_stats_data(stats_entry_t *entries); -+uint64_t stats_query(stats_entry_t *source, stats_fields_t field, -+ 
int hardware, int direction);
-+void get_stats_data(stats_entry_t *source, stats_entry_t *entries);
- void stats_increment(stats_fields_t field, int hardware, int direction);
- int get_stats_sum(stats_entry_t *sum);
- char *get_next_usr();
--- 
-2.40.1
-
diff --git a/libica-4.2.3-fips.patch b/libica-4.2.3-fips.patch
new file mode 100644
index 0000000..5bddfb9
--- /dev/null
+++ b/libica-4.2.3-fips.patch
@@ -0,0 +1,35 @@
+From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer
+Date: Tue, 10 Oct 2023 14:10:22 +0200
+Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
+
+Before calling any openssl EVP function, libica's own openssl lib ctx
+must be made the current one. This was missing in compute_file_hmac.
+
+Suggested-by: Ingo Franzki
+Signed-off-by: Joerg Schmidbauer
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index f09dc77..3bbc325 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ void *fdata = NULL;
+ struct stat fdata_stat;
+ 
++ BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
++
+ pkey = get_pkey();
+ if (!pkey)
+ goto end;
+@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+ EVP_MD_CTX_destroy(mdctx);
+ 
+ OPENSSL_cleanse(tmp, sizeof(tmp));
++ END_OPENSSL_LIBCTX(rc);
+ 
+ return rc;
+ }
diff --git a/libica.spec b/libica.spec
index a435b63..aa6cf16 100644
--- a/libica.spec
+++ b/libica.spec
@@ -2,8 +2,8 @@ Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.2.2
-Release: 2%{?dist}
+Version: 4.2.3
+Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
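Review bot: The new BEGIN_OPENSSL_LIBCTX/END_OPENSSL_LIBCTX pair brackets compute_file_hmac at its top and just before the final `return rc;`, so every exit has to reach that single return for the previous lib context to be restored; the `if (!pkey) goto end;` three lines below the BEGIN relies on the `end:` label sitting between the two hunks, which is not visible here, and any direct `return` in the unseen middle of the function would skip the END macro. What the macros do on failure is also outside the hunks: both receive `rc`, yet the code after BEGIN proceeds to get_pkey() unconditionally, so if BEGIN can fail and only records that in `rc`, the EVP calls would still run without libica's own context, which is the very condition the patch is fixing. Both points are worth confirming against upstream commit ee365a11a4acc667c7a726fbdc3447ba550309b6 rather than from the hunks alone, and a comment above the BEGIN line such as `/* all EVP calls below run in libica's own lib context; exit only via end: so END_OPENSSL_LIBCTX restores it */` would record the invariant for the next edit to this function. compute_file_hmac starts and ends outside the hunks.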
@@ -11,9 +11,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
 # https://github.com/opencryptoki/libica/pull/24
 Patch0: %{name}-4.0.0-annotate.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2223698
-# https://github.com/opencryptoki/libica/commit/f09f1d0b48f3bf541f1300716fa5bdbbbe80a4a1
-Patch1: %{name}-4.2.2-icastats-summary.patch
+# https://issues.redhat.com/browse/RHEL-9918
+# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
+Patch1: %{name}-4.2.3-fips.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: openssl
@@ -110,6 +110,11 @@ fi
 %changelog
+* Fri Oct 27 2023 Dan Horák - 4.2.3-1
+- updated to 4.2.3 (RHEL-11415)
+- fix selfcheck in FIPS mode (RHEL-9918)
+- Resolves: RHEL-11415 RHEL-9918
+
 * Wed Jul 19 2023 Dan Horák - 4.2.2-2
 - icastats: Fix summary option (#2223698)
 - Resolves: #2223698
diff --git a/sources b/sources
index 1b7e52f..5ee2876 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libica-4.2.2.tar.gz) = 29dfe7b68017135867ebae162c2e0584711036b35611efe255c372497cfe69234ff8a7e9aa669ac467853423b7d700e690dd7cd340ab7c8d6119ea13729ff079
+SHA512 (libica-4.2.3.tar.gz) = c370151bfddf58f397932b294394e50db3f6c61a2114315ba3176b8aaeb34253561192c717ca01185371715e9f008fa0ceee8e7ffc559377a51a67f4d47ae035
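Review bot: The new comment `# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6` in the Patch1 block is missing the colon after `https`, so the provenance link for the backported FIPS fix is not a usable URL; it should read `# https://github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6`. The line above it, `# https://issues.redhat.com/browse/RHEL-9918`, is fine. Since this comment is what lets a later maintainer verify the carried patch against upstream before dropping it on the next rebase, the exact URL matters more here than in an ordinary comment.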