[openssl] allow the AES-NI engine in the FIPS mode
Tomáš Mráz
tmraz at fedoraproject.org
Thu Jun 9 14:23:03 UTC 2011
commit f4fb8490a9a8ce4ed8afee5d9ffe6676e1b19e65
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Jun 9 16:22:08 2011 +0200
allow the AES-NI engine in the FIPS mode
openssl-1.0.0-fips-aesni.patch | 47 ++++++++++++++++++++++++++++++++++++++++
openssl.spec | 8 ++++++-
2 files changed, 54 insertions(+), 1 deletions(-)
---
diff --git a/openssl-1.0.0-fips-aesni.patch b/openssl-1.0.0-fips-aesni.patch
new file mode 100644
index 0000000..c12e93e
--- /dev/null
+++ b/openssl-1.0.0-fips-aesni.patch
@@ -0,0 +1,47 @@
+diff -up openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni openssl-1.0.0/crypto/engine/eng_aesni.c
+--- openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
++++ openssl-1.0.0/crypto/engine/eng_aesni.c 2011-06-08 14:19:22.000000000 +0200
+@@ -323,7 +323,7 @@ static const EVP_CIPHER aesni_##ksize##_
+ EVP_CIPHER_block_size_##umode, \
+ ksize / 8, \
+ AES_BLOCK_SIZE, \
+- 0 | EVP_CIPH_##umode##_MODE, \
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_##umode##_MODE, \
+ aesni_init_key, \
+ aesni_cipher_##lmode, \
+ NULL, \
+diff -up openssl-1.0.0/crypto/fips/fips.c.fips-aesni openssl-1.0.0/crypto/fips/fips.c
+--- openssl-1.0.0/crypto/fips/fips.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.c 2011-06-08 17:31:35.000000000 +0200
+@@ -55,6 +55,7 @@
+ #include <openssl/bio.h>
+ #include <openssl/hmac.h>
+ #include <openssl/rsa.h>
++#include <openssl/engine.h>
+ #include <string.h>
+ #include <limits.h>
+ #include <dlfcn.h>
+@@ -444,14 +445,17 @@ int FIPS_mode_set(int onoff)
+ }
+
+ if(FIPS_selftest())
+- fips_set_mode(1);
+- else
+ {
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
++ ENGINE_load_aesni();
++ if (FIPS_selftest_aes())
++ {
++ fips_set_mode(1);
++ ret = 1;
++ goto end;
++ }
+ }
+- ret = 1;
++ fips_selftest_fail = 1;
++ ret = 0;
+ goto end;
+ }
+ fips_set_mode(0);
diff --git a/openssl.spec b/openssl.spec
index 15605df..571953e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0d
-Release: 4%{?dist}
+Release: 5%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2
@@ -71,6 +71,7 @@ Patch58: openssl-1.0.0c-fips-md5-allow.patch
Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
Patch60: openssl-1.0.0d-apps-dgst.patch
Patch61: openssl-1.0.0d-cavs.patch
+Patch62: openssl-1.0.0-fips-aesni.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.0d-padlock64.patch
@@ -163,6 +164,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch59 -p1 -b .fips-default
%patch60 -p1 -b .dgst
%patch61 -p1 -b .cavs
+%patch62 -p1 -b .fips-aesni
+
%patch81 -p1 -b .padlock64
# Modify the various perl scripts to reference perl in the right location.
@@ -413,6 +416,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
+* Thu Jun 9 2011 Tomas Mraz <tmraz at redhat.com> 1.0.0d-5
+- allow the AES-NI engine in the FIPS mode
+
* Tue May 24 2011 Tomas Mraz <tmraz at redhat.com> 1.0.0d-4
- add API necessary for CAVS testing of the new DSA parameter generation
More information about the scm-commits
mailing list