Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libica for openSUSE:Factory checked in at 2026-06-22 17:44:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libica (Old) and /work/SRC/openSUSE:Factory/.libica.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libica" Mon Jun 22 17:44:50 2026 rev:48 rq:1361134 version:4.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libica/libica.changes 2026-06-02 16:10:59.067452013 +0200 +++ /work/SRC/openSUSE:Factory/.libica.new.1956/libica.changes 2026-06-22 17:45:19.283157609 +0200 
@@ -1,0 +2,16 @@ +Mon Jun 22 10:17:33 UTC 2026 - Nikolay Gueorguiev <[email protected]> + +- Upgrade libica to version 4.4.2 + ( besc#1265598, bsc#1265599, bsc#1265600, bsc#1265601, bsc#1265602, bsc#1265603 ) + * [FEATURE] Updates for FIPS 140-3 certification 2026 + * [PATCH] Bug fixes +- Added a patch + * libica-FIPS-SUSE-certification.patch +- Removed obsolete pacthes + * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch + * libica-sles15sp5-FIPS-hmac-key.patch + * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch + * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch + * libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch + +------------------------------------------------------------------- Old: ---- libica-4.4.1.tar.gz libica-Block-SHA1-mechanism-for-FIPS-140-3.patch libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch libica-sles15sp5-FIPS-hmac-key.patch New: ---- libica-4.4.2.tar.gz libica-FIPS-SUSE-certification.patch ----------(Old B)---------- Old: * libica-sles15sp5-FIPS-hmac-key.patch * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch Old: * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch * libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch Old:- Removed obsolete pacthes * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch * libica-sles15sp5-FIPS-hmac-key.patch Old: * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch * libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch Old: * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch * libica-sles15sp5-FIPS-hmac-key.patch * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch ----------(Old 
E)---------- ----------(New B)---------- New:- Added a patch * libica-FIPS-SUSE-certification.patch - Removed obsolete pacthes ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libica.spec ++++++ --- /var/tmp/diff_new_pack.QTbmf9/_old 2026-06-22 17:45:21.839247197 +0200 +++ /var/tmp/diff_new_pack.QTbmf9/_new 2026-06-22 17:45:21.859247898 +0200 @@ -22,7 +22,7 @@ %endif Name: libica -Version: 4.4.1 +Version: 4.4.2 Release: 0 Summary: Library interface for the IBM Cryptographic Accelerator device driver License: CPL-1.0 @@ -35,12 +35,7 @@ Source4: z90crypt.service Source5: %{name}-rpmlintrc ### -Patch01: libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch -Patch02: libica-sles15sp5-FIPS-hmac-key.patch -### -Patch10: libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch -Patch11: libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch -Patch12: libica-Block-SHA1-mechanism-for-FIPS-140-3.patch +Patch01: libica-FIPS-SUSE-certification.patch ### BuildRequires: autoconf ++++++ libica-4.4.1.tar.gz -> libica-4.4.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/ChangeLog new/libica-4.4.2/ChangeLog --- old/libica-4.4.1/ChangeLog 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/ChangeLog 2026-06-22 10:00:24.000000000 +0200 @@ -1,3 +1,6 @@ +v4.4.2 + [FEATURE] Updates for FIPS 140-3 certification 2026 + [PATCH] Various bug fixes v4.4.1 [PATCH] bug fixes v4.4.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/configure.ac new/libica-4.4.2/configure.ac --- old/libica-4.4.1/configure.ac 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/configure.ac 2026-06-22 10:00:24.000000000 +0200 
@@ -1,4 +1,4 @@ -AC_INIT([libica], [4.4.1], [https://github.com/opencryptoki/libica/issues],, [https://github.com/opencryptoki/libica]) +AC_INIT([libica], [4.4.2], [https://github.com/opencryptoki/libica/issues],, [https://github.com/opencryptoki/libica]) # save cmdline flags cmdline_CFLAGS="$CFLAGS" @@ -100,6 +100,13 @@ fi fi +dnl --- with-fips-config +AC_ARG_WITH([fips-config], + AS_HELP_STRING([--with-fips-config=FILE],[OpenSSL FIPS config file name. Default is fipsmodule.cnf]), + [], [with_fips_config=fipsmodule.cnf]) +FIPSCONFIGFILE="$with_fips_config" +AC_SUBST(FIPSCONFIGFILE) + dnl --- enable_sanitizer AC_ARG_ENABLE(sanitizer, [ --enable-sanitizer turn on sanitizer (may not work on all systems)], diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/include/ica_api.h new/libica-4.4.2/include/ica_api.h --- old/libica-4.4.1/include/ica_api.h 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/include/ica_api.h 2026-06-22 10:00:24.000000000 +0200 
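Review bot: The new `--with-fips-config` handling passes `--without-fips-config` and a bare `--with-fips-config` straight through, which autoconf turns into `with_fips_config=no` / `yes`, and that value is substituted verbatim into the `.include @FIPSDIR@/@FIPSCONFIGFILE@` line of openssl3-fips.cnf.in, producing an include of a file literally named `no`. Normalise those cases back to the default before the AC_SUBST: `AS_CASE([$with_fips_config], [yes|no|""], [with_fips_config=fipsmodule.cnf])`. Because this file name is what switches OpenSSL into its FIPS provider, a wrong value only surfaces at runtime as a failed provider load, so configure time is the cheap place to catch it.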
@@ -81,9 +81,18 @@ #define ICA_PROPERTY_AES_128 0x00000001 #define ICA_PROPERTY_AES_192 0x00000002 #define ICA_PROPERTY_AES_256 0x00000004 - -#define ICA_PROPERTY_RSA_ALL 0x0000000F /* All RSA key lengths */ -#define ICA_PROPERTY_RSA_FIPS 0x0000000C /* RSA 2k and higher */ +#define ICA_PROPERTY_RSA_512 0x00000001 +#define ICA_PROPERTY_RSA_1024 0x00000002 +#define ICA_PROPERTY_RSA_2048 0x00000004 +#define ICA_PROPERTY_RSA_4096 0x00000008 +#define ICA_PROPERTY_RSA_3072 0x00020000 +#define ICA_PROPERTY_RSA_ALL (ICA_PROPERTY_RSA_512 | \ + ICA_PROPERTY_RSA_1024 | \ + ICA_PROPERTY_RSA_2048 | \ + ICA_PROPERTY_RSA_3072 | \ + ICA_PROPERTY_RSA_4096) +#define ICA_PROPERTY_RSA_FIPS (ICA_PROPERTY_RSA_3072 | \ + ICA_PROPERTY_RSA_4096) #define ICA_PROPERTY_RSA_NO_SMALL_EXP 0x00010000 /* e >= 65537 */ #define ICA_PROPERTY_EC_BP 0x00000001 /* Brainpool curves */ #define ICA_PROPERTY_EC_NIST 0x00000002 /* NIST curves */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/libica.spec new/libica-4.4.2/libica.spec --- old/libica-4.4.1/libica.spec 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/libica.spec 2026-06-22 10:00:24.000000000 +0200 @@ -1,5 +1,5 @@ Name: libica -Version: 4.4.1 +Version: 4.4.2 Release: 1%{?dist} Summary: Interface library to the ICA device driver @@ -62,6 +62,8 @@ %{_includedir}/ica_api.h %changelog +* Mon Jun 26 2026 Vishnudatha Kanjur <[email protected]> +- Version v4.4.2 * Tue Apr 29 2025 Joerg Schmidbauer <[email protected]> - Version v4.4.1 * Tue Dec 10 2024 Joerg Schmidbauer <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/Makefile.am new/libica-4.4.2/src/Makefile.am --- old/libica-4.4.1/src/Makefile.am 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/Makefile.am 2026-06-22 10:00:24.000000000 +0200 
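Review bot: `ICA_PROPERTY_RSA_ALL` and `ICA_PROPERTY_RSA_FIPS` change numeric value in a public header (0x0F to 0x2000F and 0x0C to 0x20008), so code compiled against the 4.4.1 header keeps the old masks and, for example, never sees the 3072-bit property through the old `RSA_FIPS` mask; the header should say so, and the descriptive comment the old `RSA_FIPS` line carried was dropped. Suggested: `#define ICA_PROPERTY_RSA_FIPS (ICA_PROPERTY_RSA_3072 | ICA_PROPERTY_RSA_4096) /* RSA 3072 bits and higher (FIPS 140-3); value changed in 4.4.2 */`. `ICA_PROPERTY_RSA_3072` also lands at 0x00020000, above `ICA_PROPERTY_RSA_NO_SMALL_EXP`, instead of in the low nibble with the other lengths; if bit 0x10 is taken elsewhere, a one-line comment saying so will stop the next maintainer from "fixing" it.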
@@ -1,4 +1,4 @@ -VERSION = 4:4:1 +VERSION = 4:4:2 AM_CFLAGS = @FLAGS@ MAJOR := `echo $(VERSION) | cut -d: -f1` @@ -52,9 +52,9 @@ if ICA_FIPS fipsinstall: - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac hmac-file-lnk: hmac-file 
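Review bot: Widening the hexkey from 8 to 32 hex digits in both `fipsinstall` commands does not change the emitted tag, because HMAC zero-pads any key shorter than the SHA-256 block size (64 bytes) and every all-zero key up to that length therefore yields the same value; it only satisfies a minimum-key-length check such as the `keylen < 16` test added in fips.c (and presumably the OpenSSL FIPS provider's own). That is worth a comment, and the literal is now repeated in four recipes, so hoist it: `FIPS_HMAC_KEY = 00000000000000000000000000000000 # all-zero integrity key; its length only matters for FIPS minimum-key checks`. These recipes also write hidden `.hmac` files that are not the rule's target and `fipsinstall` is not declared `.PHONY`, so make cannot track them, pre-existing but worth noting next to the rule.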
@@ -62,8 +62,8 @@ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac hmac-file: libica.la libica-cex.la - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac + $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac hmac_files = hmac-file hmac-file-lnk diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/fips.c new/libica-4.4.2/src/fips.c --- old/libica-4.4.1/src/fips.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/fips.c 2026-06-22 10:00:24.000000000 +0200 @@ -156,7 +156,6 @@ } \ return 0; \ } -SHA_KAT(1, ); SHA_KAT(224, 256); SHA_KAT(256, 256); SHA_KAT(384, 512); @@ -180,7 +179,6 @@ } \ return 0; \ } -SHA_KAT(1, ); SHA_KAT(224, 256); SHA_KAT(256, 256); SHA_KAT(384, 512); @@ -365,6 +363,9 @@ if (keybuf == NULL) goto end; + if (keylen < 16) + goto end; + pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, keybuf, (int)keylen); end: if (keybuf) { 
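Review bot: The new `if (keylen < 16) goto end;` rejects a short HMAC key silently, so `pkey` stays NULL and the caller cannot tell "integrity key too short" from the allocation failure guarded on the line above, and the bare 16 is not tied to the requirement it enforces. Suggest a named constant plus a diagnostic in whatever form the rest of fips.c reports through: `#define FIPS_HMAC_MIN_KEYLEN 16 /* FIPS 140-3 requires HMAC keys of at least 112 bits; 16 bytes used here */` and `if (keylen < FIPS_HMAC_MIN_KEYLEN) { /* log: integrity key too short */ goto end; }`. The enclosing function starts outside this hunk.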
@@ -596,7 +597,7 @@ { typedef int (*kat_func)(void); kat_func kats[] = { - drbg_kat, sha1_kat, sha224_kat, sha256_kat, sha384_kat, sha512_kat, + drbg_kat, sha224_kat, sha256_kat, sha384_kat, sha512_kat, sha3_224_kat, sha3_256_kat, sha3_384_kat, sha3_512_kat, aes_ecb_kat, aes_cbc_kat, aes_cbc_cs_kat, aes_cfb_kat, aes_ctr_kat, aes_ofb_kat, aes_ccm_kat, aes_gcm_kat, aes_xts_kat, aes_cmac_kat, rsa_kat, @@ -1301,6 +1302,11 @@ for (i = 0; i < RSA_TV_LEN; i++) { tv = &RSA_TV[i]; +#ifdef ICA_FIPS + if ((fips & ICA_FIPS_MODE) && tv->mod < 3072) + continue; +#endif + keylen = (tv->mod + 7) / 8; crtparamlen = (keylen + 1) / 2; @@ -1373,14 +1379,16 @@ DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST, DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY, ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE, - X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; + X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, SHA1, AES_ECB, + SHA224, SHA512_224, SHA3_224, RSA_KEY_GEN_ME, RSA_KEY_GEN_CRT, -1, -1 }; const size_t FIPS_BLACKLIST_LEN = sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]); /* * FIPS service indicator: List of tolerated but non-approved algorithms. */ -int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; +int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, AES_ECB, SHA224, + SHA512_224, SHA3_224, RSA_KEY_GEN_ME, RSA_KEY_GEN_CRT, -1, -1 }; const size_t FIPS_OVERRIDE_LIST_LEN = sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/ica_api.c new/libica-4.4.2/src/ica_api.c --- old/libica-4.4.1/src/ica_api.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/ica_api.c 2026-06-22 10:00:24.000000000 +0200 @@ -413,7 +413,7 @@ int rc; #ifdef ICA_FIPS - if (fips >> 1) + if (fips) return EACCES; #endif /* ICA_FIPS */ 
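Review bot: The `tv->mod < 3072` skip in the RSA test-vector loop (presumably `rsa_kat`) lets the self-test pass vacuously in FIPS mode if `RSA_TV` holds no vector of 3072 bits or more, because nothing checks that at least one vector actually ran. A power-up KAT that silently exercises nothing defeats its purpose; count the vectors tested and fail on zero, e.g. `size_t tested = 0;` before the loop, `tested++;` once a vector passes, and `if (tested == 0) return -1;` (or whatever failure value this function uses) after it. The loop body continues outside the hunk, so I cannot confirm from here whether a large enough vector exists.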
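Review bot: `if (fips)` now returns EACCES whenever any fips bit is set, including plain `ICA_FIPS_MODE`, where the old `fips >> 1` fired only on the bits above it (the error-state bits); if the intent is to withhold a non-approved mechanism under FIPS 140-3, the rest of this change uses EPERM for policy rejections (the `< 3072` key-length checks) and EACCES for "not in a usable FIPS state", so this errno breaks that convention. Either return EPERM, or keep EACCES and document the choice: `/* unavailable in FIPS 140-3 mode: any fips bit, not only the error-state bits */`. The enclosing function starts outside this hunk, so I cannot see which API this guards.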
@@ -1186,7 +1186,7 @@ return EPERM; #ifdef ICA_FIPS - if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 2048) + if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 3072) return EPERM; #endif @@ -1342,7 +1342,7 @@ return EPERM; #ifdef ICA_FIPS - if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 2048) + if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 3072) return EPERM; #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/icainfo.c new/libica-4.4.2/src/icainfo.c --- old/libica-4.4.1/src/icainfo.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/icainfo.c 2026-06-22 10:00:24.000000000 +0200 @@ -176,13 +176,13 @@ int rsa_pubexp_supported_by_openssl(unsigned int pubexp) { - unsigned char modexpo_public_e[256] = { 0 }; - unsigned char modexpo_public_n[256] = { 0 }; - unsigned char crt_private_p[128] = { 0 }; - unsigned char crt_private_q[128] = { 0 }; - unsigned char crt_private_dp[128] = { 0 }; - unsigned char crt_private_dq[128] = { 0 }; - unsigned char crt_private_inv_q[128] = { 0 }; + unsigned char modexpo_public_e[384] = { 0 }; + unsigned char modexpo_public_n[384] = { 0 }; + unsigned char crt_private_p[192] = { 0 }; + unsigned char crt_private_q[192] = { 0 }; + unsigned char crt_private_dp[192] = { 0 }; + unsigned char crt_private_dq[192] = { 0 }; + unsigned char crt_private_inv_q[192] = { 0 }; ica_adapter_handle_t ah; ica_rsa_key_mod_expo_t public_key; ica_rsa_key_crt_t private_key; 
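Review bot: The FIPS minimum RSA modulus is now the bare literal 3072 in both hunks here and again in s390_rsa.c, icainfo.c, the s390_crypto.c comment and the tests (as 384 bytes), so the next policy change has to find every copy. Define it once in the FIPS header, `#define ICA_FIPS_RSA_MIN_BITS 3072 /* FIPS 140-3 minimum RSA modulus in this build */`, and write the checks as `rsa_key->key_length * 8 < ICA_FIPS_RSA_MIN_BITS`. Both enclosing functions start outside their hunks.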
@@ -194,18 +194,18 @@ public_key.modulus = modexpo_public_n; public_key.exponent = modexpo_public_e; - public_key.key_length = 256; + public_key.key_length = 384; private_key.p = crt_private_p; private_key.q = crt_private_q; private_key.dp = crt_private_dp; private_key.dq = crt_private_dq; private_key.qInverse = crt_private_inv_q; - private_key.key_length = 256; + private_key.key_length = 384; - *(int*)((unsigned char *)public_key.exponent + 256 - sizeof(int)) = pubexp; + *(int*)((unsigned char *)public_key.exponent + 384 - sizeof(int)) = pubexp; - rc = ica_rsa_key_generate_crt(ah, 2048, &public_key, &private_key); + rc = ica_rsa_key_generate_crt(ah, 3072, &public_key, &private_key); ica_close_adapter(ah); @@ -214,7 +214,7 @@ int get_rsa_minlen(void) { - int keylen_array[] = { 57, 512, 1024, 2048, 4096 }; + int keylen_array[] = { 57, 512, 1024, 2048, 3072, 4096 }; size_t i; for (i = 0; i < sizeof(keylen_array) / sizeof(int); i++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/openssl3-fips.cnf.in new/libica-4.4.2/src/openssl3-fips.cnf.in --- old/libica-4.4.1/src/openssl3-fips.cnf.in 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/openssl3-fips.cnf.in 2026-06-22 10:00:24.000000000 +0200 @@ -1,6 +1,6 @@ openssl_conf = openssl_init -.include @FIPSDIR@/fipsmodule.cnf +.include @FIPSDIR@/@FIPSCONFIGFILE@ [openssl_init] providers = provider_sect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/s390_crypto.c new/libica-4.4.2/src/s390_crypto.c --- old/libica-4.4.1/src/s390_crypto.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/s390_crypto.c 2026-06-22 10:00:24.000000000 +0200 
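Review bot: The literal 256 becomes 384 in five places here, including the type-punned store `*(int*)((unsigned char *)public_key.exponent + 384 - sizeof(int)) = pubexp;`, while the buffers being indexed carry their own copies of the same number in the previous hunk. Derive the sizes from the buffers so the probe cannot drift from them: `public_key.key_length = sizeof(modexpo_public_n);` and `memcpy(modexpo_public_e + sizeof(modexpo_public_e) - sizeof(pubexp), &pubexp, sizeof(pubexp));`, which stores the same host-order bytes as the cast does today without relying on the `unsigned char` array being suitably aligned for an `int`. A 3072-bit CRT key generation is also noticeably slower than 2048, so a comment that the probe size follows the FIPS minimum would explain the cost to whoever profiles `icainfo`. `rsa_pubexp_supported_by_openssl` starts outside this hunk.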
@@ -724,7 +724,7 @@ * mode, but not on any hardware, with any openssl, not with any key * length, curve etc. */ if (fips & ICA_FIPS_MODE) { - /* RSA >= 2048 bits in FIPS 140-3 mode */ + /* RSA >= 3072 bits in FIPS 140-3 mode */ switch (pmech_list[x].mech_mode_id) { case RSA_KEY_GEN_ME: case RSA_KEY_GEN_CRT: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/s390_drbg.c new/libica-4.4.2/src/s390_drbg.c --- old/libica-4.4.1/src/s390_drbg.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/s390_drbg.c 2026-06-22 10:00:24.000000000 +0200 @@ -364,12 +364,12 @@ /* step 2 */ pthread_mutex_lock(&(*sh)->lock); status = (*sh)->mech->uninstantiate(&(*sh)->ws, test_mode); + pthread_mutex_unlock(&(*sh)->lock); if(status){ if(0 > status) set_error_state((*sh)->mech, status); return status; /* return uninstantiate status */ } - pthread_mutex_unlock(&(*sh)->lock); pthread_mutex_destroy(&(*sh)->lock); drbg_zmem(*sh, sizeof(ica_drbg_t)); if(test_mode) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/s390_ecc.c new/libica-4.4.2/src/s390_ecc.c --- old/libica-4.4.1/src/s390_ecc.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/s390_ecc.c 2026-06-22 10:00:24.000000000 +0200 @@ -2828,6 +2828,13 @@ for (i = 0; i < ECDSA_TV_LEN; i++) { switch (t->hash) { case SHA1: +#ifdef ICA_FIPS + if (fips & ICA_FIPS_MODE) { + printf("Skipping ECDSA test vector %lu (SHA-1 not FIPS approved)\n", i); + t++; + continue; + } +#endif /* ICA_FIPS */ rc = ica_sha1(SHA_MSG_PART_ONLY, t->msglen, t->msg, &sha_ctx, hash); hashlen = SHA1_HASH_LENGTH; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/src/s390_rsa.c new/libica-4.4.2/src/s390_rsa.c --- old/libica-4.4.1/src/s390_rsa.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/src/s390_rsa.c 2026-06-22 10:00:24.000000000 +0200 
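Review bot: With the unlock moved ahead of the status check, the failure path now returns with `*sh` still allocated and its mutex released but not destroyed, while the success path destroys the lock and wipes the handle, so the caller keeps ownership of the handle on error and the hunk does not say so. Add that to the error branch: `/* uninstantiate failed: lock released, handle and its mutex left intact for the caller */`. `set_error_state((*sh)->mech, status)` now also runs outside the handle lock; if the mech error state is guarded by that lock (cannot tell from here), set it before the unlock instead. The enclosing function starts outside this hunk.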
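Review bot: The FIPS skip in the `SHA1` case prints from library code with `printf("... %lu ...", i)`; if `i` is the `size_t` loop counter from the visible `for` line, `%zu` is the matching conversion, and writing to stdout from a self-test path is odd if the rest of the library reports through another channel. The manual `t++` before `continue` is needed only because `continue` bypasses the tail of the loop body; if `t` is instead advanced in the `for` header, this skips vectors in pairs, so a comment such as `/* continue skips the body tail, advance t here */` (or the reverse) would settle it. The loop body continues outside the hunk.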
@@ -201,7 +201,7 @@ #ifdef ICA_FIPS if ((fips & ICA_FIPS_MODE) && (!openssl_in_fips_mode())) return EACCES; - if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 2048)) + if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 3072)) return EPERM; #endif /* ICA_FIPS */ @@ -311,7 +311,7 @@ #ifdef ICA_FIPS if ((fips & ICA_FIPS_MODE) && (!openssl_in_fips_mode())) return EACCES; - if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 2048)) + if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 3072)) return EPERM; #endif /* ICA_FIPS */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/test/icastats_test.c.in new/libica-4.4.2/test/icastats_test.c.in --- old/libica-4.4.1/test/icastats_test.c.in 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/test/icastats_test.c.in 2026-06-22 10:00:24.000000000 +0200 
@@ -692,16 +692,24 @@ shake_256_context_t shake_256_context; /* Test SHA-1 */ - rc = system("@builddir@icastats -r"); - if (rc == -1) - return handle_ica_error(rc, "system"); +#ifdef ICA_FIPS + if (ica_fips_status() & ICA_FIPS_MODE) { + V_(printf("icastats SHA-1 test skipped. (SHA-1 not FIPS 140-3 approved)\n")); + } else { +#endif /* ICA_FIPS */ + rc = system("@builddir@icastats -r"); + if (rc == -1) + return handle_ica_error(rc, "system"); - rc = ica_sha1(SHA_MSG_PART_ONLY, DATA_LENGTH, plain_data, &sha_context0, hash); - if (rc) - return handle_ica_error(rc, "ica_sha1"); - rc = check_icastats(SHA1, "SHA-1"); - if (rc != 0) - return rc; + rc = ica_sha1(SHA_MSG_PART_ONLY, DATA_LENGTH, plain_data, &sha_context0, hash); + if (rc) + return handle_ica_error(rc, "ica_sha1"); + rc = check_icastats(SHA1, "SHA-1"); + if (rc != 0) + return rc; +#ifdef ICA_FIPS + } +#endif /* ICA_FIPS */ /* Test SHA-224 */ rc = system("@builddir@icastats -r"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/test/rsa_keygen_test.c new/libica-4.4.2/test/rsa_keygen_test.c --- old/libica-4.4.1/test/rsa_keygen_test.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/test/rsa_keygen_test.c 2026-06-22 10:00:24.000000000 +0200 @@ -62,9 +62,9 @@ } #ifdef ICA_FIPS - if ((ica_fips_status() & ICA_FIPS_MODE) && key_bit_length < 2048) { + if ((ica_fips_status() & ICA_FIPS_MODE) && key_bit_length < 3072) { printf("RSA-%d keygen test skipped." - " (RSA key lengths smaller than 2048 bits not FIPS 140-3 compliant)\n", + " (RSA key lengths smaller than 3072 bits not FIPS 140-3 compliant)\n", key_bit_length); return TEST_SKIP; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/test/rsa_test.c new/libica-4.4.2/test/rsa_test.c --- old/libica-4.4.1/test/rsa_test.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/test/rsa_test.c 2026-06-22 10:00:24.000000000 +0200 
@@ -65,7 +65,7 @@ memset(my_result2, 0, sizeof(my_result2)); #ifdef ICA_FIPS - if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 256) { + if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 384) { V_(printf("Skipping test for this modulus size: not FIPS 140-3 approved\n")); continue; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/test/rsa_test_x.c new/libica-4.4.2/test/rsa_test_x.c --- old/libica-4.4.1/test/rsa_test_x.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/test/rsa_test_x.c 2026-06-22 10:00:24.000000000 +0200 @@ -77,7 +77,7 @@ V_(printf("\nmodulus size = %d bytes (%d bits)\n", ms, 8 * ms)); #ifdef ICA_FIPS - if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 256) { + if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 384) { V_(printf("Skipping test for this modulus size: not FIPS 140-3 approved\n")); continue; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/test/sha1_test.c new/libica-4.4.2/test/sha1_test.c --- old/libica-4.4.1/test/sha1_test.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/test/sha1_test.c 2026-06-22 10:00:24.000000000 +0200 @@ -196,6 +196,14 @@ set_verbosity(argc, argv); +#ifdef ICA_FIPS + if (ica_fips_status() & ICA_FIPS_MODE) { + printf("All SHA-1 tests skipped." + " (SHA-1 not FIPS approved)\n"); + return TEST_SKIP; + } +#endif /* ICA_FIPS */ + rc = new_api_sha_test(); if (rc) { printf("new_api_sha_test failed with rc = %i\n", rc); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libica-4.4.1/test/sha_test.c new/libica-4.4.2/test/sha_test.c --- old/libica-4.4.1/test/sha_test.c 2025-05-14 13:37:56.000000000 +0200 +++ new/libica-4.4.2/test/sha_test.c 2026-06-22 10:00:24.000000000 +0200 
@@ -151,6 +151,12 @@ switch (curr_test->type) { case SHA1: V_(printf("SHA1 ...\n")); +#ifdef ICA_FIPS + if (ica_fips_status() & ICA_FIPS_MODE) { + V_(printf("SHA1 test skipped (SHA-1 not FIPS approved)\n")); + rc = TEST_SKIP; + } else +#endif /* ICA_FIPS */ rc = sha1_new_api_test(curr_test); break; case SHA224: @@ -202,6 +208,9 @@ V_(printf("... Passed.\n")); queue.passed++; } + else if (rc == TEST_SKIP) { + V_(printf("... Skipped.\n")); + } else { V_(printf("error: (%x).\n", rc)); queue.failed++; ++++++ libica-FIPS-SUSE-certification.patch ++++++ diff -Naur a/src/fips.c b/src/fips.c --- a/src/fips.c 2026-06-22 10:00:24.000000000 +0200 +++ b/src/fips.c 2026-06-22 13:01:08.228560919 +0200 @@ -76,8 +76,7 @@ * .libica.so.VERSION.hmac in the same directory as the .so module. */ static const char hmackey[] = - "0000000000000000000000000000000000000000000000000000000000000000" - "0000000000000000000000000000000000000000000000000000000000000000"; + "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250"; #endif /* ICA_INTERNAL_TEST */ diff -Naur a/src/Makefile.am b/src/Makefile.am --- a/src/Makefile.am 2026-06-22 10:00:24.000000000 +0200 +++ b/src/Makefile.am 2026-06-22 12:53:44.403091767 +0200 @@ -51,6 +51,7 @@ ./mp.pl mp.S if ICA_FIPS +FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac fipsinstall: $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 $(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > $(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf .libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac 
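Review bot: The replacement `hmackey` is still a fixed constant compiled into the library and duplicated verbatim in the new `openssl-fipshmac` script, so the integrity check remains a MAC under a published key, fine for the FIPS software-integrity test but the two copies must never diverge and nothing in the tree ties them together. Add at this definition: `/* must match the hexkey in src/openssl-fipshmac and whatever produces the installed .hmac files */`. If the string is hex-decoded as the `hexkey` naming elsewhere suggests, the old key was 64 zero bytes and the new one 32 bytes, both accepted by the `keylen < 16` check elsewhere in this file.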
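Review bot: After this hunk the `fipsinstall` target still generates the installed `.hmac` files with the all-zero `hexkey:0000…`, while the library now verifies with the `6f72…7250` key from fips.c and `hmac-file` below tags with that key via `$(FIPSHMAC)`; anyone running `make fipsinstall` therefore gets `.hmac` files the library rejects and libica fails its integrity check in FIPS mode. Unless the SUSE spec never calls `fipsinstall` (the spec hunk above does not show how the installed `.hmac` files are produced), route it through the same script: `$(FIPSHMAC) $(DESTDIR)$(libdir)/libica.so.$(VERSION1) $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1)` in place of the two openssl lines. Even if packaging avoids it, a target that emits tags the library cannot verify should not stay in the tree.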
@@ -62,8 +63,7 @@ $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf .libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac hmac-file: libica.la libica-cex.la - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 ${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac - $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000000000000000000000000000 ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > ${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac + $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) ${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) hmac_files = hmac-file hmac-file-lnk diff -Naur a/src/openssl-fipshmac b/src/openssl-fipshmac --- a/src/openssl-fipshmac 1970-01-01 01:00:00.000000000 +0100 +++ b/src/openssl-fipshmac 2026-06-22 12:50:36.458497609 +0200 @@ -0,0 +1,12 @@ +#!/bin/sh -e + +if [ "$#" -eq 0 ] ; then + echo "No library to hash specified." >&2 + exit 22 +fi + +while [ -n "$1" ] ; do + dgst="$(openssl dgst -sha256 -mac hmac -macopt hexkey:6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250 "$1")" + echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac + shift +done
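Review bot: `$(FIPSHMAC)` defaults to `${top_srcdir}/openssl-fipshmac`, but the script this patch adds lives at `src/openssl-fipshmac`, i.e. `$(srcdir)/openssl-fipshmac` from this Makefile.am, so an out-of-the-box `make hmac-file` cannot find it unless the package build passes `FIPSHMAC=` explicitly (not visible in the spec hunk). Fix the default and run it through the configured shell so the file's mode does not matter: `FIPSHMAC = $(SHELL) $(srcdir)/openssl-fipshmac`; `?=` is GNU-make-only and automake warns on it, while a plain `=` still yields to a command-line override. The script also belongs in `EXTRA_DIST` so `make dist` tarballs carry it.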
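Review bot: `#!/bin/sh -e` only takes effect when the script is executed directly; invoked as `sh openssl-fipshmac …` or via `$(SHELL)` the `-e` is ignored, and a failing `openssl dgst` then leaves an empty `.hmac` file that the library will reject at load time. Put `set -e` as the first statement, and prefer `while [ "$#" -gt 0 ]` over `while [ -n "$1" ]`, which stops early at an empty argument. The key literal here is the second copy of the one in fips.c, so a comment `# must match hmackey in src/fips.c` keeps the coupling visible until the build derives one from the other.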
