From 6af659130e83c313cef3e45c497934780055091b Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 11:33:54 +0200 Subject: [PATCH] Fix `openssl speed` running in FIPS mode Resolves: RHEL-89860 --- ...-Make-openssl-speed-run-in-FIPS-mode.patch | 76 +++++++++++++++++++ openssl.spec | 4 + 2 files changed, 80 insertions(+) create mode 100644 0051-Make-openssl-speed-run-in-FIPS-mode.patch diff --git a/0051-Make-openssl-speed-run-in-FIPS-mode.patch b/0051-Make-openssl-speed-run-in-FIPS-mode.patch new file mode 100644 index 0000000..f3874cb --- /dev/null +++ b/0051-Make-openssl-speed-run-in-FIPS-mode.patch @@ -0,0 +1,76 @@ +From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 9 May 2025 15:09:46 +0200 +Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode + +--- + apps/speed.c | 44 ++++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index 1edf9b8485..d4e707074c 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv) + (void *)key32, 16); + params[1] = OSSL_PARAM_construct_end(); + +- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1) +- goto end; +- for (testnum = 0; testnum < size_num; testnum++) { +- print_message(names[D_KMAC128], lengths[testnum], seconds.sym); +- Time_F(START); +- count = run_benchmark(async_jobs, KMAC128_loop, loopargs); +- d = Time_F(STOP); +- print_result(D_KMAC128, testnum, count, d); +- if (count < 0) +- break; ++ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) { ++ for (testnum = 0; testnum < size_num; testnum++) { ++ print_message(names[D_KMAC128], lengths[testnum], seconds.sym); ++ Time_F(START); ++ count = run_benchmark(async_jobs, KMAC128_loop, loopargs); ++ d = Time_F(STOP); ++ print_result(D_KMAC128, testnum, count, d); ++ if (count < 0) ++ break; ++ } ++ mac_teardown(&mac, loopargs, loopargs_len); + } +- mac_teardown(&mac, loopargs, loopargs_len); + } + + if (doit[D_KMAC256]) { +@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv) + (void *)key32, 32); + params[1] = OSSL_PARAM_construct_end(); + +- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1) +- goto end; +- for (testnum = 0; testnum < size_num; testnum++) { +- print_message(names[D_KMAC256], lengths[testnum], seconds.sym); +- Time_F(START); +- count = run_benchmark(async_jobs, KMAC256_loop, loopargs); +- d = Time_F(STOP); +- print_result(D_KMAC256, testnum, count, d); +- if (count < 0) +- break; ++ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) { ++ for (testnum = 0; testnum < size_num; testnum++) { ++ print_message(names[D_KMAC256], lengths[testnum], seconds.sym); ++ Time_F(START); ++ count = run_benchmark(async_jobs, KMAC256_loop, loopargs); ++ d = Time_F(STOP); ++ print_result(D_KMAC256, testnum, count, d); ++ if (count < 0) ++ break; ++ } ++ mac_teardown(&mac, loopargs, loopargs_len); + } +- mac_teardown(&mac, loopargs, loopargs_len); + } + + for (i = 0; i < loopargs_len; i++) +-- +2.49.0 + diff --git a/openssl.spec b/openssl.spec index 5b485bd..72cb694 100644 --- a/openssl.spec +++ b/openssl.spec @@ -89,6 +89,8 @@ Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch Patch0048: 0048-Current-Rebase-status.patch Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch +Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch + #The patches that are different for RHEL9 and 10 start here Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Patch0101: 0101-FIPS-enable-pkcs12-mac.patch @@ -429,6 +431,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-88910 - PKCS#12 should not default to pbmac1 in FIPS mode in RHEL-9 Resolves: RHEL-88912 +- Fix `openssl speed` running in FIPS mode + Resolves: RHEL-89860 * Wed Apr 16 2025 Dmitry Belyavskiy - 1:3.5.0-1 - Rebasing OpenSSL to 3.5