[openssl] allow the AES-NI engine in the FIPS mode

Thu Jun 9 14:23:03 UTC 2011

commit f4fb8490a9a8ce4ed8afee5d9ffe6676e1b19e65
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Jun 9 16:22:08 2011 +0200

    allow the AES-NI engine in the FIPS mode

 openssl-1.0.0-fips-aesni.patch |   47 ++++++++++++++++++++++++++++++++++++++++
 openssl.spec                   |    8 ++++++-
 2 files changed, 54 insertions(+), 1 deletions(-)
---

diff --git a/openssl-1.0.0-fips-aesni.patch b/openssl-1.0.0-fips-aesni.patch
new file mode 100644
index 0000000..c12e93e
--- /dev/null
+++ b/openssl-1.0.0-fips-aesni.patch
@@ -0,0 +1,47 @@
+diff -up openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni openssl-1.0.0/crypto/engine/eng_aesni.c
+--- openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni	2011-05-24 15:20:29.000000000 +0200
++++ openssl-1.0.0/crypto/engine/eng_aesni.c	2011-06-08 14:19:22.000000000 +0200
+@@ -323,7 +323,7 @@ static const EVP_CIPHER aesni_##ksize##_
+ 	EVP_CIPHER_block_size_##umode,			\
+ 	ksize / 8,					\
+ 	AES_BLOCK_SIZE,					\
+-	0 | EVP_CIPH_##umode##_MODE,			\
++	EVP_CIPH_FLAG_FIPS | EVP_CIPH_##umode##_MODE,			\
+ 	aesni_init_key,				\
+ 	aesni_cipher_##lmode,				\
+ 	NULL,						\
+diff -up openssl-1.0.0/crypto/fips/fips.c.fips-aesni openssl-1.0.0/crypto/fips/fips.c
+--- openssl-1.0.0/crypto/fips/fips.c.fips-aesni	2011-05-24 15:20:29.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.c	2011-06-08 17:31:35.000000000 +0200
+@@ -55,6 +55,7 @@
+ #include <openssl/bio.h>
+ #include <openssl/hmac.h>
+ #include <openssl/rsa.h>
++#include <openssl/engine.h>
+ #include <string.h>
+ #include <limits.h>
+ #include <dlfcn.h>
+@@ -444,14 +445,17 @@ int FIPS_mode_set(int onoff)
+ 	    }
+ 
+ 	if(FIPS_selftest())
+-	    fips_set_mode(1);
+-	else
+ 	    {
+-	    fips_selftest_fail = 1;
+-	    ret = 0;
+-	    goto end;
++	    ENGINE_load_aesni();
++	    if (FIPS_selftest_aes())
++		{
++		fips_set_mode(1);
++		ret = 1;
++		goto end;
++		}
+ 	    }
+-	ret = 1;
++	fips_selftest_fail = 1;
++	ret = 0;
+ 	goto end;
+ 	}
+     fips_set_mode(0);
diff --git a/openssl.spec b/openssl.spec
index 15605df..571953e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0d
-Release: 4%{?dist}
+Release: 5%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -71,6 +71,7 @@ Patch58: openssl-1.0.0c-fips-md5-allow.patch
 Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
 Patch60: openssl-1.0.0d-apps-dgst.patch
 Patch61: openssl-1.0.0d-cavs.patch
+Patch62: openssl-1.0.0-fips-aesni.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.0d-padlock64.patch
 
@@ -163,6 +164,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch59 -p1 -b .fips-default
 %patch60 -p1 -b .dgst
 %patch61 -p1 -b .cavs
+%patch62 -p1 -b .fips-aesni
+
 %patch81 -p1 -b .padlock64
 
 # Modify the various perl scripts to reference perl in the right location.
@@ -413,6 +416,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 
 %changelog
+* Thu Jun  9 2011 Tomas Mraz <tmraz at redhat.com> 1.0.0d-5
+- allow the AES-NI engine in the FIPS mode
+
 * Tue May 24 2011 Tomas Mraz <tmraz at redhat.com> 1.0.0d-4
 - add API necessary for CAVS testing of the new DSA parameter generation
 
