Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libica for openSUSE:Factory checked 
in at 2026-06-22 17:44:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libica (Old)
 and      /work/SRC/openSUSE:Factory/.libica.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libica"

Mon Jun 22 17:44:50 2026 rev:48 rq:1361134 version:4.4.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libica/libica.changes    2026-06-02 
16:10:59.067452013 +0200
+++ /work/SRC/openSUSE:Factory/.libica.new.1956/libica.changes  2026-06-22 
17:45:19.283157609 +0200
@@ -1,0 +2,16 @@
+Mon Jun 22 10:17:33 UTC 2026 - Nikolay Gueorguiev <[email protected]>
+
+- Upgrade libica to version 4.4.2
+  ( besc#1265598, bsc#1265599, bsc#1265600, bsc#1265601, bsc#1265602, 
bsc#1265603 ) 
+  * [FEATURE] Updates for FIPS 140-3 certification 2026
+  * [PATCH] Bug fixes
+- Added a patch
+  * libica-FIPS-SUSE-certification.patch               
+- Removed obsolete pacthes
+  * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
+  * libica-sles15sp5-FIPS-hmac-key.patch
+  * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch
+  * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
+  * libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch
+
+-------------------------------------------------------------------

Old:
----
  libica-4.4.1.tar.gz
  libica-Block-SHA1-mechanism-for-FIPS-140-3.patch
  libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
  libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
  libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch
  libica-sles15sp5-FIPS-hmac-key.patch

New:
----
  libica-4.4.2.tar.gz
  libica-FIPS-SUSE-certification.patch

----------(Old B)----------
  Old:  * libica-sles15sp5-FIPS-hmac-key.patch
  * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch
  * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
  Old:  * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch
  * libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
  * libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch
  Old:- Removed obsolete pacthes
  * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
  * libica-sles15sp5-FIPS-hmac-key.patch
  Old:  * 
libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
  * libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch
  Old:  * libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
  * libica-sles15sp5-FIPS-hmac-key.patch
  * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch
----------(Old E)----------

----------(New B)----------
  New:- Added a patch
  * libica-FIPS-SUSE-certification.patch               
- Removed obsolete pacthes
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libica.spec ++++++
--- /var/tmp/diff_new_pack.QTbmf9/_old  2026-06-22 17:45:21.839247197 +0200
+++ /var/tmp/diff_new_pack.QTbmf9/_new  2026-06-22 17:45:21.859247898 +0200
@@ -22,7 +22,7 @@
 %endif
 
 Name:           libica
-Version:        4.4.1
+Version:        4.4.2
 Release:        0
 Summary:        Library interface for the IBM Cryptographic Accelerator device 
driver
 License:        CPL-1.0
@@ -35,12 +35,7 @@
 Source4:        z90crypt.service
 Source5:        %{name}-rpmlintrc
 ###
-Patch01:        libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
-Patch02:        libica-sles15sp5-FIPS-hmac-key.patch
-###
-Patch10:        
libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch
-Patch11:        
libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch
-Patch12:        libica-Block-SHA1-mechanism-for-FIPS-140-3.patch
+Patch01:        libica-FIPS-SUSE-certification.patch
 ###
 
 BuildRequires:  autoconf

++++++ libica-4.4.1.tar.gz -> libica-4.4.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/ChangeLog new/libica-4.4.2/ChangeLog
--- old/libica-4.4.1/ChangeLog  2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/ChangeLog  2026-06-22 10:00:24.000000000 +0200
@@ -1,3 +1,6 @@
+v4.4.2
+   [FEATURE] Updates for FIPS 140-3 certification 2026
+   [PATCH] Various bug fixes
 v4.4.1
    [PATCH] bug fixes
 v4.4.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/configure.ac 
new/libica-4.4.2/configure.ac
--- old/libica-4.4.1/configure.ac       2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/configure.ac       2026-06-22 10:00:24.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT([libica], [4.4.1], [https://github.com/opencryptoki/libica/issues],, 
[https://github.com/opencryptoki/libica])
+AC_INIT([libica], [4.4.2], [https://github.com/opencryptoki/libica/issues],, 
[https://github.com/opencryptoki/libica])
 
 # save cmdline flags
 cmdline_CFLAGS="$CFLAGS"
@@ -100,6 +100,13 @@
     fi
 fi
 
+dnl --- with-fips-config
+AC_ARG_WITH([fips-config],
+       AS_HELP_STRING([--with-fips-config=FILE],[OpenSSL FIPS config file 
name. Default is fipsmodule.cnf]),
+       [], [with_fips_config=fipsmodule.cnf])
+FIPSCONFIGFILE="$with_fips_config"
+AC_SUBST(FIPSCONFIGFILE)
+
 dnl --- enable_sanitizer
 AC_ARG_ENABLE(sanitizer,
               [  --enable-sanitizer      turn on sanitizer (may not work on 
all systems)],
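Review bot: The value of `--with-fips-config` is accepted unchecked in the added `AC_ARG_WITH` block. Because the action-if-given argument is empty, a bare `--with-fips-config` leaves `with_fips_config=yes` and `--without-fips-config` leaves `no`, and either one ends up as the file name in the `.include @FIPSDIR@/@FIPSCONFIGFILE@` line of src/openssl3-fips.cnf.in. Rejecting those two values at configure time, for example `AS_CASE([$with_fips_config], [yes|no], [AC_MSG_ERROR([--with-fips-config requires a file name])])`, turns a silently wrong provider configuration into a build error. The help string could also say that the name is taken relative to the FIPS directory, since the template prepends `@FIPSDIR@/`.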
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/include/ica_api.h 
new/libica-4.4.2/include/ica_api.h
--- old/libica-4.4.1/include/ica_api.h  2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/include/ica_api.h  2026-06-22 10:00:24.000000000 +0200
@@ -81,9 +81,18 @@
 #define ICA_PROPERTY_AES_128           0x00000001
 #define ICA_PROPERTY_AES_192           0x00000002
 #define ICA_PROPERTY_AES_256           0x00000004
-
-#define ICA_PROPERTY_RSA_ALL           0x0000000F /* All RSA key lengths */
-#define ICA_PROPERTY_RSA_FIPS          0x0000000C /* RSA 2k and higher */
+#define ICA_PROPERTY_RSA_512           0x00000001
+#define ICA_PROPERTY_RSA_1024          0x00000002
+#define ICA_PROPERTY_RSA_2048          0x00000004
+#define ICA_PROPERTY_RSA_4096          0x00000008
+#define ICA_PROPERTY_RSA_3072          0x00020000
+#define ICA_PROPERTY_RSA_ALL           (ICA_PROPERTY_RSA_512 | \
+                                                                       
ICA_PROPERTY_RSA_1024 | \
+                                                                       
ICA_PROPERTY_RSA_2048 | \
+                                                                       
ICA_PROPERTY_RSA_3072 | \
+                                                                       
ICA_PROPERTY_RSA_4096)
+#define ICA_PROPERTY_RSA_FIPS          (ICA_PROPERTY_RSA_3072 | \
+                                                                       
ICA_PROPERTY_RSA_4096)
 #define ICA_PROPERTY_RSA_NO_SMALL_EXP  0x00010000 /* e >= 65537 */
 #define ICA_PROPERTY_EC_BP                     0x00000001 /* Brainpool curves 
*/
 #define ICA_PROPERTY_EC_NIST           0x00000002 /* NIST curves */
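Review bot: The new key-length bits and the two composite masks lose the explanatory comments the old definitions carried, and `ICA_PROPERTY_RSA_3072` at `0x00020000` sits outside the `0x1`–`0x8` run, next to `ICA_PROPERTY_RSA_NO_SMALL_EXP` (`0x00010000`), without saying why. I would keep `/* All RSA key lengths */` on `ICA_PROPERTY_RSA_ALL`, add `/* RSA 3072 and 4096 only */` on `ICA_PROPERTY_RSA_FIPS`, and add a comment on the 3072 bit stating that the value was chosen so the existing bit assignments stay unchanged (presumably the reason; confirm). This is a public header and both masks change value, with `ICA_PROPERTY_RSA_FIPS` no longer containing the 2048 bit, so callers built against 4.4.1 that compare against the old constants may behave differently; that deserves a line in the release notes.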
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/libica.spec new/libica-4.4.2/libica.spec
--- old/libica-4.4.1/libica.spec        2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/libica.spec        2026-06-22 10:00:24.000000000 +0200
@@ -1,5 +1,5 @@
 Name:          libica
-Version:       4.4.1
+Version:       4.4.2
 Release:       1%{?dist}
 Summary:       Interface library to the ICA device driver
 
@@ -62,6 +62,8 @@
 %{_includedir}/ica_api.h
 
 %changelog
+* Mon Jun 26 2026 Vishnudatha Kanjur <[email protected]>
+- Version v4.4.2
 * Tue Apr 29 2025 Joerg Schmidbauer <[email protected]>
 - Version v4.4.1
 * Tue Dec 10 2024 Joerg Schmidbauer <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/Makefile.am 
new/libica-4.4.2/src/Makefile.am
--- old/libica-4.4.1/src/Makefile.am    2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/Makefile.am    2026-06-22 10:00:24.000000000 +0200
@@ -1,4 +1,4 @@
-VERSION = 4:4:1
+VERSION = 4:4:2
 
 AM_CFLAGS = @FLAGS@
 MAJOR := `echo $(VERSION) | cut -d: -f1`
@@ -52,9 +52,9 @@
 
 if ICA_FIPS
 fipsinstall:
-       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 
$(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > 
$(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
+       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
$(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > 
$(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
        $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf 
.libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
-       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 
$(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > 
$(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
+       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
$(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > 
$(DESTDIR)$(libdir)/.libica-cex.so.$(VERSION1).hmac
        $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf 
.libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
 
 hmac-file-lnk: hmac-file
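Review bot: In `fipsinstall` (and again in `hmac-file` in the next hunk) the digest is produced by `openssl dgst … | sed -e 's/^.* //' > ….hmac`, so the recipe's exit status is that of `sed`, and a failing `openssl` leaves an empty `.hmac` file behind without stopping the build. Capturing the digest before writing, e.g. `h=$$(openssl dgst … FILE) && echo "$${h##* }" > FILE.hmac`, makes the failure visible. The key literal is also repeated in all four recipe lines and presumably has to agree with `hmackey` in src/fips.c; a single make variable (name of your choice) with a comment pointing at that file would keep the copies from drifting.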
@@ -62,8 +62,8 @@
        $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf 
.libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
 
 hmac-file: libica.la libica-cex.la
-       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 
${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > 
${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
-       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt hexkey:00000000 
${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > 
${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
+       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > 
${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
+       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > 
${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
 
 hmac_files = hmac-file hmac-file-lnk
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/fips.c new/libica-4.4.2/src/fips.c
--- old/libica-4.4.1/src/fips.c 2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/fips.c 2026-06-22 10:00:24.000000000 +0200
@@ -156,7 +156,6 @@
        }                                                               \
        return 0;                                                       \
 }
-SHA_KAT(1, );
 SHA_KAT(224, 256);
 SHA_KAT(256, 256);
 SHA_KAT(384, 512);
@@ -180,7 +179,6 @@
        }                                                               \
        return 0;                                                       \
 }
-SHA_KAT(1, );
 SHA_KAT(224, 256);
 SHA_KAT(256, 256);
 SHA_KAT(384, 512);
@@ -365,6 +363,9 @@
        if (keybuf == NULL)
                goto end;
 
+       if (keylen < 16)
+               goto end;
+
        pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, keybuf, (int)keylen);
 end:
        if (keybuf) {
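Review bot: The new `if (keylen < 16)` guard uses a bare number and gives no reason. A comment such as `/* refuse HMAC keys shorter than 128 bits */`, or a named constant, would make the policy auditable. The guard jumps to `end:`, where the visible `if (keybuf)` cleanup begins, so the buffer handling is shared with the other failure path; whether the caller can tell a too-short key from the other failures cannot be seen, because the function starts and ends outside the hunk. The `(int)keylen` cast on the following line has no matching upper bound, which is worth a second look if `keylen` can ever be influenced from outside the library.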
@@ -596,7 +597,7 @@
 {
        typedef int (*kat_func)(void);
        kat_func kats[] = {
-               drbg_kat, sha1_kat, sha224_kat, sha256_kat, sha384_kat, 
sha512_kat,
+               drbg_kat, sha224_kat, sha256_kat, sha384_kat, sha512_kat,
                sha3_224_kat, sha3_256_kat, sha3_384_kat, sha3_512_kat, 
aes_ecb_kat,
                aes_cbc_kat, aes_cbc_cs_kat, aes_cfb_kat, aes_ctr_kat, 
aes_ofb_kat,
                aes_ccm_kat, aes_gcm_kat, aes_xts_kat, aes_cmac_kat, rsa_kat,
@@ -1301,6 +1302,11 @@
        for (i = 0; i < RSA_TV_LEN; i++) {
                tv = &RSA_TV[i];
 
+#ifdef ICA_FIPS
+               if ((fips & ICA_FIPS_MODE) && tv->mod < 3072)
+                       continue;
+#endif
+
                keylen = (tv->mod + 7) / 8;
                crtparamlen = (keylen + 1) / 2;
 
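Review bot: With the added `continue`, the RSA known-answer loop can finish in FIPS mode without exercising a single vector if every entry of `RSA_TV` has a modulus below 3072 bits, and the self-test would then pass vacuously. `RSA_TV` is not visible here, so this needs checking against the table. A cheap safeguard is to count the vectors that actually ran and fail the KAT when the count is zero, e.g. a new local `tested` incremented per executed vector and `if (tested == 0) return 1;` after the loop. The loop end and the function's return convention are outside the hunk, so the exact failure value has to follow the surrounding code.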
@@ -1373,14 +1379,16 @@
        DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST,
        DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY,
        ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE,
-       X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
+       X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, SHA1, AES_ECB,
+       SHA224, SHA512_224, SHA3_224, RSA_KEY_GEN_ME, RSA_KEY_GEN_CRT, -1, -1 };
 const size_t FIPS_BLACKLIST_LEN
        = sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]);
 
 /*
  * FIPS service indicator: List of tolerated but non-approved algorithms.
  */
-int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 };
+int FIPS_OVERRIDE_LIST[] = { RSA_ME, RSA_CRT, SHA512_DRNG, AES_ECB, SHA224,
+       SHA512_224, SHA3_224, RSA_KEY_GEN_ME, RSA_KEY_GEN_CRT, -1, -1 };
 const size_t FIPS_OVERRIDE_LIST_LEN
        = sizeof(FIPS_OVERRIDE_LIST) / sizeof(FIPS_OVERRIDE_LIST[0]);
 
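Review bot: `SHA1` is added to `FIPS_BLACKLIST` but not to `FIPS_OVERRIDE_LIST`, while every other entry added in this hunk appears in both, and nothing here says whether that asymmetry is intended. If the intent is that SHA-1 is refused outright in FIPS mode while the others are tolerated through the service indicator, record it in the comment above `FIPS_OVERRIDE_LIST`, e.g. `/* SHA1 is deliberately absent: blocked, not tolerated */`. The two arrays are maintained by hand and both end in an unexplained `-1, -1` pair; a short comment on what the trailing slots are for would help the next editor keep the lists consistent.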
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/ica_api.c 
new/libica-4.4.2/src/ica_api.c
--- old/libica-4.4.1/src/ica_api.c      2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/ica_api.c      2026-06-22 10:00:24.000000000 +0200
@@ -413,7 +413,7 @@
        int rc;
 
 #ifdef ICA_FIPS
-       if (fips >> 1)
+       if (fips)
                return EACCES;
 #endif /* ICA_FIPS */
 
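Review bot: Changing `fips >> 1` to `fips` makes this function return `EACCES` whenever any bit of `fips` is set, including the plain FIPS-mode bit and not only the higher bits the old test looked at. That is a behaviour change for every caller running in FIPS mode, and the hunk carries no comment explaining it. A line such as `/* not available in FIPS mode or in a FIPS error state */` above the test would record the intent (the meaning of the upper bits is assumed here; confirm against the flag definitions). The key-length checks elsewhere in this file return `EPERM`, so it is worth confirming that `EACCES` is the code callers expect for a refused algorithm. The function's name and body lie outside the hunk.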
@@ -1186,7 +1186,7 @@
                return EPERM;
 
 #ifdef ICA_FIPS
-       if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 2048)
+       if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 3072)
                return EPERM;
 #endif
 
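Review bot: The FIPS minimum RSA modulus is spelled as the literal `3072` here, again in the hunk at -1342, twice in src/s390_rsa.c and in src/fips.c, and as `384` bytes in src/icainfo.c and the RSA tests, so the next policy change has to find every copy again. A single definition next to `ICA_FIPS_MODE`, for instance `#define ICA_FIPS_RSA_MIN_BITS 3072` (the name is only a suggestion), used in all of these comparisons would keep the library and its self-tests from drifting apart. The enclosing function continues outside the hunk.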
@@ -1342,7 +1342,7 @@
                return EPERM;
 
 #ifdef ICA_FIPS
-       if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 2048)
+       if ((fips & ICA_FIPS_MODE) && rsa_key->key_length * 8 < 3072)
                return EPERM;
 #endif
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/icainfo.c 
new/libica-4.4.2/src/icainfo.c
--- old/libica-4.4.1/src/icainfo.c      2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/icainfo.c      2026-06-22 10:00:24.000000000 +0200
@@ -176,13 +176,13 @@
 
 int rsa_pubexp_supported_by_openssl(unsigned int pubexp)
 {
-       unsigned char modexpo_public_e[256] = { 0 };
-       unsigned char modexpo_public_n[256] = { 0 };
-       unsigned char crt_private_p[128] = { 0 };
-       unsigned char crt_private_q[128] = { 0 };
-       unsigned char crt_private_dp[128] = { 0 };
-       unsigned char crt_private_dq[128] = { 0 };
-       unsigned char crt_private_inv_q[128] = { 0 };
+       unsigned char modexpo_public_e[384] = { 0 };
+       unsigned char modexpo_public_n[384] = { 0 };
+       unsigned char crt_private_p[192] = { 0 };
+       unsigned char crt_private_q[192] = { 0 };
+       unsigned char crt_private_dp[192] = { 0 };
+       unsigned char crt_private_dq[192] = { 0 };
+       unsigned char crt_private_inv_q[192] = { 0 };
        ica_adapter_handle_t ah;
        ica_rsa_key_mod_expo_t public_key;
        ica_rsa_key_crt_t private_key;
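Review bot: The array sizes in this hunk and, in the next hunk, the two `key_length = 384` assignments, the `384 - sizeof(int)` offset and the `3072` passed to `ica_rsa_key_generate_crt` are independent literals that must agree. If one is updated without the others, the exponent store or the key generation could write outside a stack array. Deriving the values from the arrays, e.g. `public_key.key_length = sizeof(modexpo_public_n);` and `(unsigned char *)public_key.exponent + sizeof(modexpo_public_e) - sizeof(int)`, removes that failure mode. The function body continues beyond both hunks.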
@@ -194,18 +194,18 @@
 
        public_key.modulus = modexpo_public_n;
        public_key.exponent = modexpo_public_e;
-       public_key.key_length = 256;
+       public_key.key_length = 384;
 
        private_key.p = crt_private_p;
        private_key.q = crt_private_q;
        private_key.dp = crt_private_dp;
        private_key.dq = crt_private_dq;
        private_key.qInverse = crt_private_inv_q;
-       private_key.key_length = 256;
+       private_key.key_length = 384;
 
-       *(int*)((unsigned char *)public_key.exponent + 256 - sizeof(int)) = 
pubexp;
+       *(int*)((unsigned char *)public_key.exponent + 384 - sizeof(int)) = 
pubexp;
 
-       rc = ica_rsa_key_generate_crt(ah, 2048, &public_key, &private_key);
+       rc = ica_rsa_key_generate_crt(ah, 3072, &public_key, &private_key);
 
        ica_close_adapter(ah);
 
@@ -214,7 +214,7 @@
 
 int get_rsa_minlen(void)
 {
-       int keylen_array[] = { 57, 512, 1024, 2048, 4096 };
+       int keylen_array[] = { 57, 512, 1024, 2048, 3072, 4096 };
        size_t i;
 
        for (i = 0; i < sizeof(keylen_array) / sizeof(int); i++) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/openssl3-fips.cnf.in 
new/libica-4.4.2/src/openssl3-fips.cnf.in
--- old/libica-4.4.1/src/openssl3-fips.cnf.in   2025-05-14 13:37:56.000000000 
+0200
+++ new/libica-4.4.2/src/openssl3-fips.cnf.in   2026-06-22 10:00:24.000000000 
+0200
@@ -1,6 +1,6 @@
 openssl_conf = openssl_init
 
-.include @FIPSDIR@/fipsmodule.cnf
+.include @FIPSDIR@/@FIPSCONFIGFILE@
 
 [openssl_init]
 providers = provider_sect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/s390_crypto.c 
new/libica-4.4.2/src/s390_crypto.c
--- old/libica-4.4.1/src/s390_crypto.c  2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/s390_crypto.c  2026-06-22 10:00:24.000000000 +0200
@@ -724,7 +724,7 @@
         * mode, but not on any hardware, with any openssl, not with any key
         * length, curve etc. */
        if (fips & ICA_FIPS_MODE) {
-               /* RSA >= 2048 bits in FIPS 140-3 mode */
+               /* RSA >= 3072 bits in FIPS 140-3 mode */
                switch (pmech_list[x].mech_mode_id) {
                case RSA_KEY_GEN_ME:
                case RSA_KEY_GEN_CRT:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/s390_drbg.c 
new/libica-4.4.2/src/s390_drbg.c
--- old/libica-4.4.1/src/s390_drbg.c    2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/s390_drbg.c    2026-06-22 10:00:24.000000000 +0200
@@ -364,12 +364,12 @@
        /* step 2 */
        pthread_mutex_lock(&(*sh)->lock);
        status = (*sh)->mech->uninstantiate(&(*sh)->ws, test_mode);
+       pthread_mutex_unlock(&(*sh)->lock);
        if(status){
                if(0 > status)
                        set_error_state((*sh)->mech, status);
                return status;  /* return uninstantiate status */
        }
-       pthread_mutex_unlock(&(*sh)->lock);
        pthread_mutex_destroy(&(*sh)->lock);
        drbg_zmem(*sh, sizeof(ica_drbg_t));
        if(test_mode)
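Review bot: Moving `pthread_mutex_unlock` ahead of the status check also means `set_error_state((*sh)->mech, status)` now runs after the lock is released. If `set_error_state` touches state that other threads read under this mutex (its body is not visible here), the error path should instead unlock immediately before `return status;`. Either way, a comment on the unlock such as `/* release before the status check so the early return cannot leave the lock held */` would keep the ordering from being "tidied" back later. The function begins and ends outside the hunk.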
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/s390_ecc.c 
new/libica-4.4.2/src/s390_ecc.c
--- old/libica-4.4.1/src/s390_ecc.c     2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/s390_ecc.c     2026-06-22 10:00:24.000000000 +0200
@@ -2828,6 +2828,13 @@
        for (i = 0; i < ECDSA_TV_LEN; i++) {
                switch (t->hash) {
                case SHA1:
+#ifdef ICA_FIPS
+                       if (fips & ICA_FIPS_MODE) {
+                               printf("Skipping ECDSA test vector %lu (SHA-1 
not FIPS approved)\n", i);
+                               t++;
+                               continue;
+                       }
+#endif /* ICA_FIPS */
                        rc = ica_sha1(SHA_MSG_PART_ONLY, t->msglen, t->msg,
                                      &sha_ctx, hash);
                        hashlen = SHA1_HASH_LENGTH;
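Review bot: The added skip calls `printf` directly from library source, so a FIPS-mode process that runs this routine gets `Skipping ECDSA test vector …` on its stdout. The test programs in this commit wrap comparable messages in `V_(…)`; here the message should either be dropped or routed through whatever diagnostic path the library normally uses. The `%lu` conversion assumes `i` is `unsigned long`; if it is declared `size_t` (the declaration is outside the hunk), `%zu` is the matching specifier. It is also worth confirming that at least one vector with a hash other than SHA-1 remains in `ECDSA_TV`, so the test cannot pass on an empty set.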
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/src/s390_rsa.c 
new/libica-4.4.2/src/s390_rsa.c
--- old/libica-4.4.1/src/s390_rsa.c     2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/src/s390_rsa.c     2026-06-22 10:00:24.000000000 +0200
@@ -201,7 +201,7 @@
 #ifdef ICA_FIPS
        if ((fips & ICA_FIPS_MODE) && (!openssl_in_fips_mode()))
                return EACCES;
-       if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 2048))
+       if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 3072))
                return EPERM;
 #endif /* ICA_FIPS */
 
@@ -311,7 +311,7 @@
 #ifdef ICA_FIPS
        if ((fips & ICA_FIPS_MODE) && (!openssl_in_fips_mode()))
                return EACCES;
-       if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 2048))
+       if ((fips & ICA_FIPS_MODE) && (modulus_bit_length < 3072))
                return EPERM;
 #endif /* ICA_FIPS */
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/test/icastats_test.c.in 
new/libica-4.4.2/test/icastats_test.c.in
--- old/libica-4.4.1/test/icastats_test.c.in    2025-05-14 13:37:56.000000000 
+0200
+++ new/libica-4.4.2/test/icastats_test.c.in    2026-06-22 10:00:24.000000000 
+0200
@@ -692,16 +692,24 @@
        shake_256_context_t shake_256_context;
 
        /* Test SHA-1 */
-       rc = system("@builddir@icastats -r");
-       if (rc == -1)
-               return handle_ica_error(rc, "system");
+#ifdef ICA_FIPS
+       if (ica_fips_status() & ICA_FIPS_MODE) {
+               V_(printf("icastats SHA-1 test skipped. (SHA-1 not FIPS 140-3 
approved)\n"));
+       } else {
+#endif /* ICA_FIPS */
+               rc = system("@builddir@icastats -r");
+               if (rc == -1)
+                       return handle_ica_error(rc, "system");
 
-       rc = ica_sha1(SHA_MSG_PART_ONLY, DATA_LENGTH, plain_data, 
&sha_context0, hash);
-       if (rc)
-               return handle_ica_error(rc, "ica_sha1");
-       rc = check_icastats(SHA1, "SHA-1");
-       if (rc != 0)
-               return rc;
+               rc = ica_sha1(SHA_MSG_PART_ONLY, DATA_LENGTH, plain_data, 
&sha_context0, hash);
+               if (rc)
+                       return handle_ica_error(rc, "ica_sha1");
+               rc = check_icastats(SHA1, "SHA-1");
+               if (rc != 0)
+                       return rc;
+#ifdef ICA_FIPS
+       }
+#endif /* ICA_FIPS */
 
        /* Test SHA-224 */
        rc = system("@builddir@icastats -r");
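Review bot: Splitting `if … else {` and its closing `}` across two separate `#ifdef ICA_FIPS` regions makes the SHA-1 block hard to read and easy to break, because the braces only balance when both regions are compiled the same way. A flag set inside one conditional region keeps the test body in a single ordinary block, as sketched below. test/sha_test.c uses a related construct (an `else` placed directly before `#endif`) that would benefit from the same treatment.

```c
	shake_256_context_t shake_256_context;
	int skip_sha1 = 0;

	/* Test SHA-1 */
#ifdef ICA_FIPS
	if (ica_fips_status() & ICA_FIPS_MODE) {
		V_(printf("icastats SHA-1 test skipped. (SHA-1 not FIPS 140-3 approved)\n"));
		skip_sha1 = 1;
	}
#endif /* ICA_FIPS */
	if (!skip_sha1) {
		/* … unchanged: icastats -r, ica_sha1(), check_icastats(SHA1, "SHA-1") … */
	}
```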
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/test/rsa_keygen_test.c 
new/libica-4.4.2/test/rsa_keygen_test.c
--- old/libica-4.4.1/test/rsa_keygen_test.c     2025-05-14 13:37:56.000000000 
+0200
+++ new/libica-4.4.2/test/rsa_keygen_test.c     2026-06-22 10:00:24.000000000 
+0200
@@ -62,9 +62,9 @@
        }
 
 #ifdef ICA_FIPS
-       if ((ica_fips_status() & ICA_FIPS_MODE) && key_bit_length < 2048) {
+       if ((ica_fips_status() & ICA_FIPS_MODE) && key_bit_length < 3072) {
                printf("RSA-%d keygen test skipped."
-                   " (RSA key lengths smaller than 2048 bits not FIPS 140-3 
compliant)\n",
+                   " (RSA key lengths smaller than 3072 bits not FIPS 140-3 
compliant)\n",
                        key_bit_length);
                return TEST_SKIP;
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/test/rsa_test.c 
new/libica-4.4.2/test/rsa_test.c
--- old/libica-4.4.1/test/rsa_test.c    2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/test/rsa_test.c    2026-06-22 10:00:24.000000000 +0200
@@ -65,7 +65,7 @@
                memset(my_result2, 0, sizeof(my_result2));
 
 #ifdef ICA_FIPS
-               if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 
256) {
+               if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 
384) {
                        V_(printf("Skipping test for this modulus size: not 
FIPS 140-3 approved\n"));
                        continue;
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/test/rsa_test_x.c 
new/libica-4.4.2/test/rsa_test_x.c
--- old/libica-4.4.1/test/rsa_test_x.c  2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/test/rsa_test_x.c  2026-06-22 10:00:24.000000000 +0200
@@ -77,7 +77,7 @@
                V_(printf("\nmodulus size = %d bytes (%d bits)\n", ms, 8 * ms));
 
 #ifdef ICA_FIPS
-               if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 
256) {
+               if ((ica_fips_status() & ICA_FIPS_MODE) && RSA_BYTE_LENGHT[i] < 
384) {
                        V_(printf("Skipping test for this modulus size: not 
FIPS 140-3 approved\n"));
                        continue;
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/test/sha1_test.c 
new/libica-4.4.2/test/sha1_test.c
--- old/libica-4.4.1/test/sha1_test.c   2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/test/sha1_test.c   2026-06-22 10:00:24.000000000 +0200
@@ -196,6 +196,14 @@
 
        set_verbosity(argc, argv);
 
+#ifdef ICA_FIPS
+       if (ica_fips_status() & ICA_FIPS_MODE) {
+               printf("All SHA-1 tests skipped."
+                   " (SHA-1 not FIPS approved)\n");
+               return TEST_SKIP;
+       }
+#endif /* ICA_FIPS */
+
        rc = new_api_sha_test();
        if (rc) {
                printf("new_api_sha_test failed with rc = %i\n", rc);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libica-4.4.1/test/sha_test.c 
new/libica-4.4.2/test/sha_test.c
--- old/libica-4.4.1/test/sha_test.c    2025-05-14 13:37:56.000000000 +0200
+++ new/libica-4.4.2/test/sha_test.c    2026-06-22 10:00:24.000000000 +0200
@@ -151,6 +151,12 @@
                switch (curr_test->type) {
                case SHA1:
                        V_(printf("SHA1 ...\n"));
+#ifdef ICA_FIPS
+                       if (ica_fips_status() & ICA_FIPS_MODE) {
+                               V_(printf("SHA1 test skipped (SHA-1 not FIPS 
approved)\n"));
+                               rc = TEST_SKIP;
+                       } else
+#endif /* ICA_FIPS */
                        rc = sha1_new_api_test(curr_test);
                        break;
                case SHA224:
@@ -202,6 +208,9 @@
                        V_(printf("... Passed.\n"));
                        queue.passed++;
                }
+               else if (rc == TEST_SKIP) {
+                       V_(printf("... Skipped.\n"));
+               }
                else {
                        V_(printf("error: (%x).\n", rc));
                        queue.failed++;

++++++ libica-FIPS-SUSE-certification.patch ++++++
diff -Naur a/src/fips.c b/src/fips.c
--- a/src/fips.c        2026-06-22 10:00:24.000000000 +0200
+++ b/src/fips.c        2026-06-22 13:01:08.228560919 +0200
@@ -76,8 +76,7 @@
  * .libica.so.VERSION.hmac in the same directory as the .so module.
  */
 static const char hmackey[] =
-       "0000000000000000000000000000000000000000000000000000000000000000"
-       "0000000000000000000000000000000000000000000000000000000000000000";
+       "6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250";
 
 #endif /* ICA_INTERNAL_TEST */
 
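Review bot: The replacement `hmackey` is a second copy of the hex string that the new src/openssl-fipshmac script passes to `openssl dgst`, and nothing ties the two together. A comment here such as `/* must match the hexkey in src/openssl-fipshmac */` would stop them drifting apart. If the string is hex-decoded, as the script's `hexkey:` option suggests, the key shrinks from 64 to 32 bytes, which still clears the `keylen < 16` floor added in 4.4.2. Because the key is compiled into the library and shipped in a script, the `.hmac` file detects corruption of the module but cannot by itself authenticate it against someone able to rewrite both files; the comment block above could say so, to avoid overstating what the check provides.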
diff -Naur a/src/Makefile.am b/src/Makefile.am
--- a/src/Makefile.am   2026-06-22 10:00:24.000000000 +0200
+++ b/src/Makefile.am   2026-06-22 12:53:44.403091767 +0200
@@ -51,6 +51,7 @@
        ./mp.pl mp.S
 
 if ICA_FIPS
+FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac
 fipsinstall:
        $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
$(DESTDIR)$(libdir)/libica.so.$(VERSION1) | sed -e 's/^.* //' > 
$(DESTDIR)$(libdir)/.libica.so.$(VERSION1).hmac
        $(AM_V_GEN) cd $(DESTDIR)$(libdir) && ln -sf 
.libica.so.$(VERSION1).hmac .libica.so.$(MAJOR).hmac
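Review bot: `fipsinstall`, visible as context in this hunk, still computes the installed `.hmac` files with the all-zero `hexkey:00000000000000000000000000000000`. The same patch changes `hmackey` in src/fips.c and switches `hmac-file` to `$(FIPSHMAC)`, so an HMAC written by `make fipsinstall` would presumably no longer verify against the patched library. Route `fipsinstall` through the script as well, e.g. `$(AM_V_GEN) $(FIPSHMAC) $(DESTDIR)$(libdir)/libica.so.$(VERSION1) $(DESTDIR)$(libdir)/libica-cex.so.$(VERSION1)`, or make sure the packaging never invokes that target. Separately, the default `FIPSHMAC ?= ${top_srcdir}/openssl-fipshmac` points at the top source directory while the patch creates the script as `src/openssl-fipshmac`, and a file created by a patch normally has no execute bit. Unless the spec file overrides `FIPSHMAC`, the `hmac-file` recipe may therefore fail to start it.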
@@ -62,8 +63,7 @@
        $(AM_V_GEN) cd ${top_builddir}/src/.libs && ln -sf 
.libica-cex.so.$(VERSION1).hmac .libica-cex.so.$(MAJOR).hmac
 
 hmac-file: libica.la libica-cex.la
-       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
${top_builddir}/src/.libs/libica.so.$(VERSION1) | sed -e 's/^.* //' > 
${top_builddir}/src/.libs/.libica.so.$(VERSION1).hmac
-       $(AM_V_GEN) openssl dgst -sha256 -mac hmac -macopt 
hexkey:00000000000000000000000000000000 
${top_builddir}/src/.libs/libica-cex.so.$(VERSION1) | sed -e 's/^.* //' > 
${top_builddir}/src/.libs/.libica-cex.so.$(VERSION1).hmac
+       $(AM_V_GEN) $(FIPSHMAC) ${top_builddir}/src/.libs/libica.so.$(VERSION1) 
${top_builddir}/src/.libs/libica-cex.so.$(VERSION1)
 
 hmac_files = hmac-file hmac-file-lnk
 
diff -Naur a/src/openssl-fipshmac b/src/openssl-fipshmac
--- a/src/openssl-fipshmac      1970-01-01 01:00:00.000000000 +0100
+++ b/src/openssl-fipshmac      2026-06-22 12:50:36.458497609 +0200
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+if [ "$#" -eq 0 ] ; then
+    echo "No library to hash specified." >&2
+    exit 22
+fi
+
+while [ -n "$1" ] ; do
+    dgst="$(openssl dgst -sha256 -mac hmac -macopt 
hexkey:6f72626f44654a49544954656a7369727041444f4e6976697270556b76617250 "$1")"
+    echo "$dgst" | sed -e 's/^.* //' > "$(dirname "$1")/.$(basename "$1")".hmac
+    shift
+done
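Review bot: The script relies on the `-e` in its `#!/bin/sh -e` line, which is ignored when the file is run as `sh openssl-fipshmac` (likely, since a patch-created file is normally not executable). Put `set -e` on its own line so a failing `openssl` always aborts. The loop condition `[ -n "$1" ]` stops at the first empty argument and silently skips the rest, whereas `while [ "$#" -gt 0 ]` processes every argument. The result is written straight to the final `.hmac` name, so an interrupted run can leave a partial file that later steps treat as valid; writing to a temporary name in the same directory and renaming it avoids that. A header comment stating that the hex key must stay identical to `hmackey` in src/fips.c is also missing.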
