From e832a5fa41daa5070ae3dc512fbddd60c61e1046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Thu, 4 Sep 2025 17:05:43 +0200
Subject: [PATCH 1/2] Fix globally disabled LTO
Using %define _lto_cflags %{nil} in %check would zero the LTO flags globally, resulting in disabled LTO for the entire build instead of just the tests.
Related: RHEL-111634
---
 openssl.spec | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/openssl.spec b/openssl.spec
index 5024cdb..5ad4729 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -291,9 +291,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
 %{SOURCE1} providers/fips.so
-# Disable LTO, build tests, and run them
-%define _lto_cflags %{nil}
-make -s %{?_smp_mflags} build_programs
+# Build tests with LTO disabled and run them
+make -s %{?_smp_mflags} build_programs \
+ CFLAGS="%{build_cflags} -fno-lto" \
+ CXXFLAGS="%{build_cxxflags} -fno-lto"
 make test HARNESS_JOBS=8
 # Add generation of HMAC checksum of the final stripped library
@@ -458,6 +459,10 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %ldconfig_scriptlets libs
 %changelog
+* Fri Sep 05 2025 Pavol Žáčik - 1:3.5.1-5
+- Fix globally disabled LTO
+ Related: RHEL-111634
+
 * Thu Aug 28 2025 Pavol Žáčik - 1:3.5.1-4
 - Make openssl speed test signatures without errors
 Resolves: RHEL-95182
From b3a1d7764e515b88398b15b1aeaf3ff47d5026da Mon Sep 17 00:00:00 2001
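Review bot: In the `%check` hunk of openssl.spec (PATCH 1/2), the `CFLAGS=` and `CXXFLAGS=` assignments on the `make ... build_programs` command line override the values Configure recorded in the Makefile instead of appending to them, so any compiler options the spec hands to Configure beyond `%{build_cflags}` would be dropped for the objects compiled in this step. The Configure invocation is outside the hunk, so this should be confirmed rather than assumed; otherwise the test programs are built with a different option set than the library they validate. Only compile flags are overridden, so if the link flags also carry LTO options the test link step would still see them. I would add a comment above the command such as `# CFLAGS/CXXFLAGS here replace the Makefile values; keep them in sync with the flags passed to Configure`.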
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Fri, 5 Sep 2025 11:36:44 +0200
Subject: [PATCH 2/2] Initialize reserved and unused memory in aes-s390x.pl
Resolves: RHEL-107479
---
 ...nitialize-reserved-and-unused-memory.patch | 48 +++++++++++++++++++
 openssl.spec | 3 ++
 2 files changed, 51 insertions(+)
 create mode 100644 0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch
diff --git a/0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch b/0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch
new file mode 100644
index 0000000..4ddf1a7
--- /dev/null
+++ b/0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch
@@ -0,0 +1,48 @@
+From 899623b29caa02f25e069acbcef581d19fe0a64e Mon Sep 17 00:00:00 2001
+From: Holger Dengler
+Date: Wed, 20 Aug 2025 17:55:43 +0200
+Subject: [PATCH] aes-s390x.pl: Initialize reserved and unused memory
+
+The reserved bytes in the parameter block (bytes 0-11) for the KMA
+instruction should be set to zero to be compatible in case of future
+architecture changes.
+
+While at it, also the following unused parts of the parameter block
+(bytes 48-63) are also cleared to avoid false positives with various
+memory checkers like valgrind.
+
+As it makes - performance wise - no difference to process 12, 48 or 64
+bytes with one XC call, but two XC calls are slower than one call, the
+first 64 bytes of the parameter block will be cleared with a single XC
+call. This will also initialize the counter in the parameter block
+(bytes 12-15), although it is not strictly necessary.
+
+Co-developed-by: Juergen Christ
+Signed-off-by: Juergen Christ
+Signed-off-by: Holger Dengler
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Paul Dale
+Reviewed-by: Neil Horman
+(Merged from https://github.com/openssl/openssl/pull/28315)
+---
+ crypto/aes/asm/aes-s390x.pl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
+index 78aa6dacfc..891d33bb7d 100644
+--- a/crypto/aes/asm/aes-s390x.pl
++++ b/crypto/aes/asm/aes-s390x.pl
+@@ -1431,6 +1431,9 @@ $code.=<<___ if (!$softonly);
+ st${g} $s3,0($sp) # backchain
+ la %r1,$stdframe($sp)
+
++ xc $stdframe+0(64,$sp),$stdframe+0($sp) # clear reserved/unused
++ # in parameter block
++
+ lmg $s2,$s3,0($key) # copy key
+ stg $s2,$stdframe+80($sp)
+ stg $s3,$stdframe+88($sp)
+--
+2.50.1
+
diff --git a/openssl.spec b/openssl.spec
index 5ad4729..70e8da4 100644
--- a/openssl.spec
+++ b/openssl.spec
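Review bot: The inline comment on the added `xc` in the embedded aes-s390x.pl hunk (new file 0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch) says it clears reserved/unused bytes, but the instruction zeroes all of bytes 0-63 of the parameter block, which per the patch description also covers the counter at bytes 12-15. It therefore has to stay ahead of every store into that range. The stores visible after it target `$stdframe+80` and `$stdframe+88`, outside the cleared area, and the rest of the enclosing code block is outside the hunk. I would make the comment state the range and the ordering constraint, e.g. `# zero bytes 0-63 of the KMA parameter block; must precede any store into that range`.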
@@ -99,6 +99,7 @@ Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
 Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 Patch0056: 0056-Speed-test-signatures-without-errors.patch
 Patch0057: 0057-Targets-to-skip-build-of-non-installable-programs.patch
+Patch0058: 0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -462,6 +463,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 * Fri Sep 05 2025 Pavol Žáčik - 1:3.5.1-5
 - Fix globally disabled LTO
 Related: RHEL-111634
+- Initialize reserved and unused memory in aes-s390x.pl
+ Resolves: RHEL-107479
 * Thu Aug 28 2025 Pavol Žáčik - 1:3.5.1-4
 - Make openssl speed test signatures without errors