Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libica for openSUSE:Factory checked in at 2026-05-18 17:48:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libica (Old) and /work/SRC/openSUSE:Factory/.libica.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libica" Mon May 18 17:48:13 2026 rev:46 rq:1353772 version:4.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libica/libica.changes 2026-03-07 20:13:59.593951722 +0100 +++ /work/SRC/openSUSE:Factory/.libica.new.1966/libica.changes 2026-05-18 17:49:04.430923498 +0200 @@ -1,0 +2,6 @@ +Mon May 18 09:17:52 UTC 2026 - Nikolay Gueorguiev <[email protected]> + +- Applied a patch to block SHA1 mechanism for FIPS 140-3 (bsc#1260938) + * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch + +------------------------------------------------------------------- New: ---- libica-Block-SHA1-mechanism-for-FIPS-140-3.patch ----------(New B)---------- New:- Applied a patch to block SHA1 mechanism for FIPS 140-3 (bsc#1260938) * libica-Block-SHA1-mechanism-for-FIPS-140-3.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libica.spec ++++++ --- /var/tmp/diff_new_pack.0EWuC3/_old 2026-05-18 17:49:05.146953086 +0200 +++ /var/tmp/diff_new_pack.0EWuC3/_new 2026-05-18 17:49:05.150953251 +0200 @@ -40,6 +40,7 @@ ### Patch10: libica-CONFIGURE-Make-the-OpenSSL-FIPS-config-file-name-configurable.patch Patch11: libica-Fix-mutex-thread-lock-in-drbg_uninstantiate-function.patch +Patch12: libica-Block-SHA1-mechanism-for-FIPS-140-3.patch ### BuildRequires: autoconf ++++++ libica-Block-SHA1-mechanism-for-FIPS-140-3.patch ++++++ >From 4d6559dc8f615eb957f227e9587e538e6f0db482 Mon Sep 17 00:00:00 2001 From: Vishnudatha Kanjur <[email protected]> Date: Tue, 5 May 2026 14:54:48 +0200 Subject: [PATCH] Block SHA1 mechanism for FIPS 140-3: This commit removes SHA1 mechanism when FIPS 140-3 is active. Signed-off-by: Vishnudatha Kanjur <[email protected]> --- src/fips.c | 6 ++---- src/ica_api.c | 2 +- src/s390_ecc.c | 7 +++++++ test/icastats_test.c.in | 26 +++++++++++++++++--------- test/sha1_test.c | 8 ++++++++ test/sha_test.c | 9 +++++++++ 6 files changed, 44 insertions(+), 14 deletions(-) 
diff --git a/src/fips.c b/src/fips.c index 4bac3602..27c548eb 100644 --- a/src/fips.c +++ b/src/fips.c @@ -156,7 +156,6 @@ static int sha##_sha_##_kat(void) { \ } \ return 0; \ } -SHA_KAT(1, ); SHA_KAT(224, 256); SHA_KAT(256, 256); SHA_KAT(384, 512); @@ -180,7 +179,6 @@ static int sha##_sha_##_kat(void) { \ } \ return 0; \ } -SHA_KAT(1, ); SHA_KAT(224, 256); SHA_KAT(256, 256); SHA_KAT(384, 512); @@ -596,7 +594,7 @@ fips_powerup_tests(void) { typedef int (*kat_func)(void); kat_func kats[] = { - drbg_kat, sha1_kat, sha224_kat, sha256_kat, sha384_kat, sha512_kat, + drbg_kat, sha224_kat, sha256_kat, sha384_kat, sha512_kat, sha3_224_kat, sha3_256_kat, sha3_384_kat, sha3_512_kat, aes_ecb_kat, aes_cbc_kat, aes_cbc_cs_kat, aes_cfb_kat, aes_ctr_kat, aes_ofb_kat, aes_ccm_kat, aes_gcm_kat, aes_xts_kat, aes_cmac_kat, rsa_kat, @@ -1373,7 +1371,7 @@ int FIPS_BLACKLIST[] = {DES_ECB, DES_CBC, DES_CBC_CS, DES_OFB, DES3_CBC, DES3_CBC_CS, DES3_OFB, DES3_CFB, DES3_CTR, DES3_CTRLST, DES3_CBC_MAC, DES3_CMAC, ED25519_KEYGEN, ED25519_SIGN, ED25519_VERIFY, ED448_KEYGEN, ED448_SIGN, ED448_VERIFY, X25519_KEYGEN, X25519_DERIVE, - X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, -1, -1 }; + X448_KEYGEN, X448_DERIVE, RSA_ME, RSA_CRT, SHA512_DRNG, SHA1, -1, -1 }; const size_t FIPS_BLACKLIST_LEN = sizeof(FIPS_BLACKLIST) / sizeof(FIPS_BLACKLIST[0]); diff --git a/src/ica_api.c b/src/ica_api.c index de9b2699..a0d2a761 100644 --- a/src/ica_api.c +++ b/src/ica_api.c @@ -413,7 +413,7 @@ unsigned int ica_sha1(unsigned int message_part, int rc; #ifdef ICA_FIPS - if (fips >> 1) + if (fips) return EACCES; #endif /* ICA_FIPS */ diff --git a/src/s390_ecc.c b/src/s390_ecc.c index 7b633144..1f996ce2 100644 --- a/src/s390_ecc.c +++ b/src/s390_ecc.c 
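Review bot: In src/fips.c, the `FIPS_BLACKLIST` hunk adds `SHA1` without recording why, and it is now one of two places that block SHA-1 (the other is the `ica_sha1()` check changed in src/ica_api.c). A short comment above the array would help, for example `/* SHA1: not approved under FIPS 140-3; ica_sha1() returns EACCES in FIPS mode */`, so the list and the API check are kept in step. The two trailing `-1` entries are kept but unexplained; if they are placeholders filled in elsewhere, saying so would stop a later edit from appending after them. The same removal of `SHA_KAT(1, )` occurs in both macro hunks and in the `kats[]` table of `fips_powerup_tests`, and the array definition starts outside the hunk.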
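Review bot: In src/ica_api.c, the new `if (fips)` in `ica_sha1` folds two conditions into one test without saying so. The s390_ecc.c hunk of this patch tests `fips & ICA_FIPS_MODE`, which suggests bit 0 is the mode flag and the old `fips >> 1` covered the remaining (presumably error-state) bits. Spelling it out as `if ((fips & ICA_FIPS_MODE) || (fips >> 1))`, or adding `/* SHA-1 is refused whenever FIPS mode is active or a FIPS self-test has failed */`, makes the policy visible and consistent with the other checks in the patch. Both cases still return `EACCES`, so callers cannot tell "not approved" from "module in error state"; that is worth a line in the function's documentation. The body of `ica_sha1` continues outside the hunk.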
@@ -2828,6 +2828,13 @@ static void ecdsa_test(void) for (i = 0; i < ECDSA_TV_LEN; i++) { switch (t->hash) { case SHA1: +#ifdef ICA_FIPS + if (fips & ICA_FIPS_MODE) { + printf("Skipping ECDSA test vector %lu (SHA-1 not FIPS approved)\n", i); + t++; + continue; + } +#endif /* ICA_FIPS */ rc = ica_sha1(SHA_MSG_PART_ONLY, t->msglen, t->msg, &sha_ctx, hash); hashlen = SHA1_HASH_LENGTH; diff --git a/test/icastats_test.c.in b/test/icastats_test.c.in index 89e63693..9384c68c 100644 --- a/test/icastats_test.c.in +++ b/test/icastats_test.c.in @@ -692,16 +692,24 @@ static int sha_tests() shake_256_context_t shake_256_context; /* Test SHA-1 */ - rc = system("@builddir@icastats -r"); - if (rc == -1) - return handle_ica_error(rc, "system"); +#ifdef ICA_FIPS + if (ica_fips_status() & ICA_FIPS_MODE) { + V_(printf("icastats SHA-1 test skipped. (SHA-1 not FIPS 140-3 approved)\n")); + } else { +#endif /* ICA_FIPS */ + rc = system("@builddir@icastats -r"); + if (rc == -1) + return handle_ica_error(rc, "system"); - rc = ica_sha1(SHA_MSG_PART_ONLY, DATA_LENGTH, plain_data, &sha_context0, hash); - if (rc) - return handle_ica_error(rc, "ica_sha1"); - rc = check_icastats(SHA1, "SHA-1"); - if (rc != 0) - return rc; + rc = ica_sha1(SHA_MSG_PART_ONLY, DATA_LENGTH, plain_data, &sha_context0, hash); + if (rc) + return handle_ica_error(rc, "ica_sha1"); + rc = check_icastats(SHA1, "SHA-1"); + if (rc != 0) + return rc; +#ifdef ICA_FIPS + } +#endif /* ICA_FIPS */ /* Test SHA-224 */ rc = system("@builddir@icastats -r"); diff --git a/test/sha1_test.c b/test/sha1_test.c index 5372a4fb..047132c0 100644 --- a/test/sha1_test.c +++ b/test/sha1_test.c @@ -196,6 +196,14 @@ int main(int argc, char **argv) set_verbosity(argc, argv); +#ifdef ICA_FIPS + if (ica_fips_status() & ICA_FIPS_MODE) { + printf("All SHA-1 tests skipped." + " (SHA-1 not FIPS approved)\n"); + return TEST_SKIP; + } +#endif /* ICA_FIPS */ + rc = new_api_sha_test(); if (rc) { printf("new_api_sha_test failed with rc = %i\n", rc); 
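Review bot: In src/s390_ecc.c, the skip path in `case SHA1:` writes to stdout with a bare `printf`. If `ecdsa_test` runs as part of the library's FIPS self-tests (the file is under src/, but its caller is not visible here), every application loading the library in FIPS mode would get this line on its stdout. Dropping the message keeps the skip silent: `if (fips & ICA_FIPS_MODE) { t++; continue; }`. The `%lu` conversion also requires `i` to be `unsigned long`, and the manual `t++` must mirror whatever the loop does at its end; both the declaration of `i` and the loop tail are outside the hunk and should be checked.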
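Review bot: In test/icastats_test.c.in, the SHA-1 block of `sha_tests` opens `} else {` inside one `#ifdef ICA_FIPS` and closes the brace inside a second one, so the brace structure depends on the preprocessor and is easy to break in a later edit. Computing the decision once keeps the braces unconditional: declare `int skip_sha1 = 0;`, set it under `#ifdef ICA_FIPS` with `skip_sha1 = ica_fips_status() & ICA_FIPS_MODE;`, then use a plain `if (!skip_sha1) { ... }` around the existing SHA-1 calls. The rest of `sha_tests` lies outside the hunk.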
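Review bot: In test/sha1_test.c, `main` now returns `TEST_SKIP` in FIPS mode without ever calling `ica_sha1`, so nothing in the test suite verifies that the block added in src/ica_api.c actually takes effect. Before skipping, the test could make one call with local message, context and hash buffers and fail unless it is refused, for example `if (ica_sha1(SHA_MSG_PART_ONLY, sizeof(msg), msg, &ctx, hash) != EACCES)` followed by a failing return. That turns the FIPS-mode run into a negative test of the policy rather than a silent gap. The remainder of `main` is outside the hunk.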
diff --git a/test/sha_test.c b/test/sha_test.c index 9ab55a73..7984e4af 100644 --- a/test/sha_test.c +++ b/test/sha_test.c @@ -151,6 +151,12 @@ int main(int argc, char *argv[]) switch (curr_test->type) { case SHA1: V_(printf("SHA1 ...\n")); +#ifdef ICA_FIPS + if (ica_fips_status() & ICA_FIPS_MODE) { + V_(printf("SHA1 test skipped (SHA-1 not FIPS approved)\n")); + rc = TEST_SKIP; + } else +#endif /* ICA_FIPS */ rc = sha1_new_api_test(curr_test); break; case SHA224: @@ -202,6 +208,9 @@ int main(int argc, char *argv[]) V_(printf("... Passed.\n")); queue.passed++; } + else if (rc == TEST_SKIP) { + V_(printf("... Skipped.\n")); + } else { V_(printf("error: (%x).\n", rc)); queue.failed++;
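Review bot: In the first hunk of test/sha_test.c, the `case SHA1:` branch ends the conditional block with a braceless `} else` just before `#endif`. The following `rc = sha1_new_api_test(curr_test);` is therefore the else-body only when `ICA_FIPS` is defined. This compiles either way, but any statement later inserted before that call silently changes which line the `else` guards. Bracing the call inside both preprocessor branches, or using a local flag set under `#ifdef ICA_FIPS` and a plain `if (skip) rc = TEST_SKIP; else rc = sha1_new_api_test(curr_test);`, removes the hazard.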
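Review bot: In the second hunk of test/sha_test.c, the new `else if (rc == TEST_SKIP)` branch prints "Skipped" but updates no counter, whereas the neighbouring branches increment `queue.passed` and `queue.failed`. If the summary or exit status later in `main` is derived from those counters (not visible in the hunk), skipped SHA-1 vectors disappear from the totals and a run that skipped everything looks the same as one with no test cases. Consider counting skips as well, for example a `queue.skipped++;` with a matching field, and reporting it in the summary. The condition of the preceding `if` is outside the hunk, so confirm that a `TEST_SKIP` value cannot be taken by the "passed" branch first.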
