.gitignore

@@ -1 +1 @@
-SOURCES/libica-4.2.3.tar.gz
+SOURCES/libica-4.0.2.tar.gz

.libica.metadata

@@ -0,0 +1 @@
+a9137e070966cefc5a2078893edc4693ee62088f SOURCES/libica-4.0.2.tar.gz

SOURCES/libica-4.0.0-annotate.patch

@@ -0,0 +1,83 @@
+From daad2a867cff48a7c4322716917d63538b083284 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Tue, 25 Sep 2018 13:44:32 +0200
+Subject: [libica PATCH] add build note to assembler sources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When distros use the annobin compiler plugin [1], they have complete overview
+what compiler flags were used for compilation and they are able to perform
+security checks on the produced binaries. Compiling assembler source can't
+provide this kind of information by default, so we need the explicit
+-Wa,--generate-missing-build-notes=yes option during build. When the option is
+missing, then the annocheck tool reports "GAPS" in the resulting binary.
+
+binutils >= 2.31 or older with backport is needed
+
+[1] https://fedoraproject.org/wiki/Changes/Annobin
+
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ configure.ac    | 4 ++++
+ libica.spec     | 2 +-
+ src/Makefile.am | 4 ++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 958371c..b8d0e42 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -113,12 +113,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
+ 	FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2"
+ fi
+ 
++# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed
++AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"])
++
+ # restore cmdline flags (ignore PROG_AS/PROG_CC defaults)
+ CFLAGS="$cmdline_CFLAGS"
+ CCASFLAGS="$cmdline_CFLAGS"
+ 
+ AC_SUBST([FLAGS], $FLAGS)
+ AC_SUBST([LIBS], $LIBS)
++AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS)
+ AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile])
+ AC_OUTPUT
+ 
+diff --git a/libica.spec b/libica.spec
+index d71890a..e51430e 100644
+--- a/libica.spec
++++ b/libica.spec
+@@ -9,7 +9,7 @@ URL:           https://github.com/opencryptoki/libica
+ Source0:       %{name}-%{version}.tar.gz
+ BuildRoot:     %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+ 
+-BuildRequires: autoconf automake libtool openssl-devel
++BuildRequires: autoconf automake libtool openssl-devel autoconf-archive
+ 
+ %description
+ Interface library on Linux for IBM System z to utilize CPACF
+diff --git a/src/Makefile.am b/src/Makefile.am
+index c630048..1b5ec71 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icastats_shared.c s390_rsa.c \
+ 		    include/rng.h
+ 
+ libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
+-libica_la_CCASFLAGS = ${AM_CFLAGS}
++libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
+ libica_la_LIBADD = ${LIBS_common}
+ libica_la_LDFLAGS = ${LDFLAGS_common}
+ libica_la_SOURCES = ${SOURCES_common}
+ 
+ libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\"
+-libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
++libica_cex_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
+ libica_cex_la_LIBADD = ${LIBS_common}
+ libica_cex_la_LDFLAGS = ${LDFLAGS_common}
+ libica_cex_la_SOURCES = ${SOURCES_common}
+-- 
+2.31.1
+

SOURCES/libica-4.0.1-annotate.patch

@@ -1,19 +0,0 @@
-diff -up libica-4.0.1/src/Makefile.am.orig libica-4.0.1/src/Makefile.am
---- libica-4.0.1/src/Makefile.am.orig	2022-03-22 13:13:36.186395805 +0100
-+++ libica-4.0.1/src/Makefile.am	2022-03-22 13:13:55.224076905 +0100
-@@ -31,13 +31,13 @@ SOURCES_common = ica_api.c init.c icasta
- 		    include/rng.h
- 
- libica_la_CFLAGS = ${CFLAGS_common} -DLIBNAME=\"libica\"
--libica_la_CCASFLAGS = ${AM_CFLAGS}
-+libica_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
- libica_la_LIBADD = ${LIBS_common}
- libica_la_LDFLAGS = ${LDFLAGS_common}
- libica_la_SOURCES = ${SOURCES_common}
- 
- libica_cex_la_CFLAGS = ${CFLAGS_common} -DNO_CPACF -DLIBNAME=\"libica-cex\"
--libica_cex_la_CCASFLAGS = ${AM_CFLAGS}
-+libica_cex_la_CCASFLAGS = ${AM_CFLAGS} -Wa,--generate-missing-build-notes=yes
- libica_cex_la_LIBADD = ${LIBS_common}
- libica_cex_la_LDFLAGS = ${LDFLAGS_common}
- libica_cex_la_SOURCES = ${SOURCES_common}

SOURCES/libica-4.2.3-fips.patch

@@ -1,35 +0,0 @@
-From ee365a11a4acc667c7a726fbdc3447ba550309b6 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Tue, 10 Oct 2023 14:10:22 +0200
-Subject: [PATCH] fips: use openssl lib context in compute_file_hmac
-
-Before calling any openssl EVP function, libica's own openssl lib ctx
-must be made the current one. This was missing in compute_file_hmac.
-
-Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
----
- src/fips.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/fips.c b/src/fips.c
-index f09dc77..3bbc325 100644
---- a/src/fips.c
-+++ b/src/fips.c
-@@ -400,6 +400,8 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
- 	void *fdata = NULL;
- 	struct stat fdata_stat;
- 
-+	BEGIN_OPENSSL_LIBCTX(openssl_libctx, rc);
-+
- 	pkey = get_pkey();
- 	if (!pkey)
- 		goto end;
-@@ -438,6 +440,7 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
- 		EVP_MD_CTX_destroy(mdctx);
- 
- 	OPENSSL_cleanse(tmp, sizeof(tmp));
-+	END_OPENSSL_LIBCTX(rc);
- 
- 	return rc;
- }

SOURCES/libica-no-fips-config.patch

@@ -0,0 +1,33 @@
+From 56b6ca219ecd37ba2c7e520ddac83eb801ce76ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 16 May 2022 15:44:06 +0200
+Subject: [libica PATCH] FIPS specific openssl config is not required in
+ RHEL/Fedora
+
+---
+ src/fips.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/fips.c b/src/fips.c
+index 129a1a7..6466133 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -235,12 +235,15 @@ fips_init(void)
+ 		FIPS_mode_set(1);
+ #else
+ 		fips = 0;
++		/* FIPS specific openssl config is not required in RHEL/Fedora */
++#if 0
+ 		if (!OSSL_LIB_CTX_load_config(openssl_libctx, LIBICA_FIPS_CONFIG)) {
+ 			syslog(LOG_ERR, "Libica failed to load openssl fips config %s\n",
+ 					LIBICA_FIPS_CONFIG);
+ 			fips |= ICA_FIPS_INTEGRITY;
+ 			return;
+ 		}
++#endif
+ 
+ 		openssl_provider = OSSL_PROVIDER_load(openssl_libctx, "fips");
+ 		if (openssl_provider == NULL) {
+-- 
+2.34.3
+

SPECS/libica.spec

@@ -1,31 +1,29 @@
 %global with_fips 1
-# workaround to keep ABI/soname stable at major version 3
-%global fakeversion 3:99:1
 
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
-Version: 4.2.3
+Version: 4.0.2
 Release: 1%{?dist}
 License: CPL
-Group: System Environment/Libraries
 URL: https://github.com/opencryptoki/
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 # annotate assembler source
 # https://bugzilla.redhat.com/show_bug.cgi?id=1630582
-Patch0: %{name}-4.0.1-annotate.patch
-# revert ABI to 3.x
-# - reverted commit 4a3a77232ee85cf9f4eb7ac2d366b613013b9048
-# - partial revert of commit 56b9ac0669e4d204ecb3f23e5404c2351cca96a2
-Patch1: %{name}-4.1.1-revert-abi.patch
-# https://issues.redhat.com/browse/RHEL-14892
-# https//github.com/opencryptoki/libica/commit/ee365a11a4acc667c7a726fbdc3447ba550309b6
-Patch2: %{name}-4.2.3-fips.patch
+# https://github.com/opencryptoki/libica/pull/24
+Patch0: %{name}-4.0.0-annotate.patch
+# FIPS openssl config is not needed on RHEL/Fedora
+# https://bugzilla.redhat.com/show_bug.cgi?id=2084097
+Patch1: %{name}-no-fips-config.patch
 BuildRequires: gcc
-BuildRequires: openssl
 BuildRequires: openssl-devel
+BuildRequires: openssl
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
+BuildRequires: autoconf-archive
+BuildRequires: perl(FindBin)
+BuildRequires: perl(lib)
+BuildRequires: make
 ExclusiveArch: s390 s390x
 
 %description
@@ -35,7 +33,6 @@ IBM z Systems.
 
 %package devel
 Summary: Development tools for programs to access ICA hardware crypto on IBM z Systems
-Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 Requires: openssl-devel
 
@@ -58,11 +55,11 @@ sh ./bootstrap.sh
 %else
     --disable-fips
 %endif
-make %{?_smp_mflags} VERSION=%{fakeversion}
+%make_build
 
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT VERSION=%{fakeversion}
+%make_install
 rm %{buildroot}%{_libdir}/libica*.la
 rm %{buildroot}%{_pkgdocdir}/{INSTALL,README.md}
 
@@ -74,17 +71,12 @@ if [ -c /dev/hwrng -o -c /dev/prandom ]; then
     make check
 fi
 
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
 %if %{with_fips}
 %define __spec_install_post \
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
-    make fipsinstall DESTDIR=%{buildroot} VERSION=%{fakeversion}
+    make fipsinstall DESTDIR=%{buildroot}
     %{nil}
 %endif
 
@@ -94,6 +86,9 @@ fi
 %{_bindir}/icainfo-cex
 %{_bindir}/icastats
 %if %{with_fips}
+%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
+%exclude %{_sysconfdir}/libica/openssl3-fips.cnf
+%endif
 %{_libdir}/.libica.*.hmac
 %{_libdir}/.libica-cex.*.hmac
 %endif
@@ -110,68 +105,76 @@ fi
 
 
 %changelog
-* Fri Oct 27 2023 Dan Horák <dhorak@redhat.com> - 4.2.3-1
-- updated to 4.2.3 (RHEL-11411)
-- fix selfcheck in FIPS mode (RHEL-14892)
-- Resolves: RHEL-11411 RHEL-14892
-
-* Wed Jul 19 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-2
-- icastats: Fix summary option (#2223697)
-- Resolves: #2223697
-
-* Wed May 24 2023 Dan Horák <dhorak@redhat.com> - 4.2.2-1
-- updated to 4.2.2 (#2159718)
-- FIPS 140-3 compliance (#2159748)
-- Resolves: #2159718 #2159748
-
-* Tue Feb 07 2023 Dan Horák <dhorak@redhat.com> - 4.1.1-2
-- fix permissions for shared memory segments (#2167363)
-- Resolves: #2167363
-
-* Tue Oct 25 2022 Dan Horák <dhorak@redhat.com> - 4.1.1-1
-- updated to 4.1.1 (#2110375)
-- Resolves: #2110375
-
 * Thu Jun 30 2022 Dan Horák <dhorak@redhat.com> - 4.0.2-1
-- updated to 4.0.2 (#2101766)
-- Resolves: #2101766
+- updated to 4.0.2 (#2101767)
+- Resolves: #2101767
 
-* Tue Mar 22 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
-- updated to 4.0.1 (#2043843)
-- Resolves: #2043843 #2043904
+* Mon May 16 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-2
+- fix running in FIPS mode (#2084097)
+- Resolves: #2084097
 
-* Tue Feb 08 2022 Dan Horák <dhorak@redhat.com> - 3.9.0-1
-- updated to 3.9.0 (#1984972)
-- Resolves: #1984972
+* Thu May 12 2022 Dan Horák <dhorak@redhat.com> - 4.0.1-1
+- updated to 4.0.1 (#2044178)
+- Resolves: #2044178 #2044174
 
-* Thu Jul 08 2021 Dan Horák <dhorak@redhat.com> - 3.8.0-1
-- updated to 3.8.0 (#1919224)
-- make software fallback call to openSSL/libcrypto (#1922205)
-- Resolves: #1919224 #1922205
+* Tue Feb 01 2022 Dan Horák <dan[at]danny.cz> - 4.0.0-1
+- updated to 4.0.0 (#2040237)
+- Resolves: #2040237
 
-* Mon Jul 20 2020 Dan Horák <dhorak@redhat.com> - 3.7.0-2
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.8.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 3.8.0-2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri May 21 2021 Dan Horák <dan[at]danny.cz> - 3.8.0-1
+- updated to 3.8.0 (#1869532)
+- eliminate SW fallback functions (#1924119)
+- updated for OpenSSL 3.0 (#1952946)
+- disable FIPS support (broken)
+- Resolves: #1869532 #1924119 #1952946
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.0-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-3
+- Use make macros (taken from PR#1 by <tstellar at redhat.com>)
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Wed Jul 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-2
 - fix FIPS integrity validation (#1857130)
-- Resolves: #1857130
 
-* Thu May 21 2020 Dan Horák <dhorak@redhat.com> - 3.7.0-1
-- updated to 3.7.0 (#1780299)
-- Resolves: #1780299
+* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.7.0-1
+- updated to 3.7.0
 
-* Thu Jan 09 2020 Dan Horák <dhorak@redhat.com> - 3.6.1-2
-- fix overflow in icastats counters (#1789052)
-- Resolves: #1789052
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
-* Tue Nov 26 2019 Dan Horák <dhorak@redhat.com> - 3.6.1-1
-- updated to 3.6.1 (#1772402)
-- Resolves: #1772402
+* Tue Nov 26 2019 Dan Horák <dan[at]danny.cz> - 3.6.1-1
+- updated to 3.6.1
 
-* Tue Nov 05 2019 Dan Horák <dhorak@redhat.com> - 3.6.0-1
-- updated to 3.6.0 (#1726244)
-- Resolves: #1726244, #1723862
+* Mon Sep 02 2019 Dan Horák <dan[at]danny.cz> - 3.6.0-1
+- updated to 3.6.0
 
-* Wed Apr 24 2019 Dan Horák <dhorak@redhat.com> - 3.5.0-1
-- updated to 3.5.0 (#1666621)
-- Resolves: #1666621, #1659428, #1673054
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 24 2019 Dan Horák <dan[at]danny.cz> - 3.5.0-1
+- updated to 3.5.0
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Nov 16 2018 Dan Horák <dan[at]danny.cz> - 3.4.0-1
+- updated to 3.4.0
 
 * Fri Sep 21 2018 Dan Horák <dan[at]danny.cz> - 3.3.3-4
 - annotate assembler file (#1630582)