rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity

allow the AES-NI engine in the FIPS mode

Browse Source
This commit is contained in:
Tomas Mraz 2011-06-09 16:22:08 +02:00
parent 19062db533
commit f4fb8490a9
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
openssl-1.0.0-fips-aesni.patch Normal file
View File

@ -0,0 +1,47 @@
diff -up openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni openssl-1.0.0/crypto/engine/eng_aesni.c
--- openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
+++ openssl-1.0.0/crypto/engine/eng_aesni.c 2011-06-08 14:19:22.000000000 +0200
@@ -323,7 +323,7 @@ static const EVP_CIPHER aesni_##ksize##_
EVP_CIPHER_block_size_##umode, \
ksize / 8, \
AES_BLOCK_SIZE, \
- 0 | EVP_CIPH_##umode##_MODE, \
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_##umode##_MODE, \
aesni_init_key, \
aesni_cipher_##lmode, \
NULL, \
diff -up openssl-1.0.0/crypto/fips/fips.c.fips-aesni openssl-1.0.0/crypto/fips/fips.c
--- openssl-1.0.0/crypto/fips/fips.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
+++ openssl-1.0.0/crypto/fips/fips.c 2011-06-08 17:31:35.000000000 +0200
@@ -55,6 +55,7 @@
#include <openssl/bio.h>
#include <openssl/hmac.h>
#include <openssl/rsa.h>
+#include <openssl/engine.h>
#include <string.h>
#include <limits.h>
#include <dlfcn.h>
@@ -444,14 +445,17 @@ int FIPS_mode_set(int onoff)
}
if(FIPS_selftest())
- fips_set_mode(1);
- else
{
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
+ ENGINE_load_aesni();
+ if (FIPS_selftest_aes())
+ {
+ fips_set_mode(1);
+ ret = 1;
+ goto end;
+ }
}
- ret = 1;
+ fips_selftest_fail = 1;
+ ret = 0;
goto end;
}
fips_set_mode(0);

8
openssl.spec
View File

@ -21,7 +21,7 @@
Summary: A general purpose cryptography library with TLS implementation Summary: A general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.0d Version: 1.0.0d
Release: 4%{?dist} Release: 5%{?dist}
# We remove certain patented algorithms from the openssl source tarball # We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below. # with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2 Source: openssl-%{version}-usa.tar.bz2
@ -71,6 +71,7 @@ Patch58: openssl-1.0.0c-fips-md5-allow.patch
Patch59: openssl-1.0.0c-pkcs12-fips-default.patch Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
Patch60: openssl-1.0.0d-apps-dgst.patch Patch60: openssl-1.0.0d-apps-dgst.patch
Patch61: openssl-1.0.0d-cavs.patch Patch61: openssl-1.0.0d-cavs.patch
Patch62: openssl-1.0.0-fips-aesni.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch81: openssl-1.0.0d-padlock64.patch Patch81: openssl-1.0.0d-padlock64.patch
@ -163,6 +164,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch59 -p1 -b .fips-default %patch59 -p1 -b .fips-default
%patch60 -p1 -b .dgst %patch60 -p1 -b .dgst
%patch61 -p1 -b .cavs %patch61 -p1 -b .cavs
%patch62 -p1 -b .fips-aesni
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
# Modify the various perl scripts to reference perl in the right location. # Modify the various perl scripts to reference perl in the right location.
@ -413,6 +416,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Thu Jun 9 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-5
- allow the AES-NI engine in the FIPS mode
* Tue May 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-4 * Tue May 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-4
- add API necessary for CAVS testing of the new DSA parameter generation - add API necessary for CAVS testing of the new DSA parameter generation