allow the AES-NI engine in the FIPS mode
This commit is contained in:
Tomas Mraz
parent
19062db533
commit
f4fb8490a9
|
|
@ -0,0 +1,47 @@
|
|||
diff -up openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni openssl-1.0.0/crypto/engine/eng_aesni.c
|
||||
--- openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/engine/eng_aesni.c 2011-06-08 14:19:22.000000000 +0200
|
||||
@@ -323,7 +323,7 @@ static const EVP_CIPHER aesni_##ksize##_
|
||||
EVP_CIPHER_block_size_##umode, \
|
||||
ksize / 8, \
|
||||
AES_BLOCK_SIZE, \
|
||||
- 0 | EVP_CIPH_##umode##_MODE, \
|
||||
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_##umode##_MODE, \
|
||||
aesni_init_key, \
|
||||
aesni_cipher_##lmode, \
|
||||
NULL, \
|
||||
diff -up openssl-1.0.0/crypto/fips/fips.c.fips-aesni openssl-1.0.0/crypto/fips/fips.c
|
||||
--- openssl-1.0.0/crypto/fips/fips.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/fips/fips.c 2011-06-08 17:31:35.000000000 +0200
|
||||
@@ -55,6 +55,7 @@
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/rsa.h>
|
||||
+#include <openssl/engine.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
#include <dlfcn.h>
|
||||
@@ -444,14 +445,17 @@ int FIPS_mode_set(int onoff)
|
||||
}
|
||||
|
||||
if(FIPS_selftest())
|
||||
- fips_set_mode(1);
|
||||
- else
|
||||
{
|
||||
- fips_selftest_fail = 1;
|
||||
- ret = 0;
|
||||
- goto end;
|
||||
+ ENGINE_load_aesni();
|
||||
+ if (FIPS_selftest_aes())
|
||||
+ {
|
||||
+ fips_set_mode(1);
|
||||
+ ret = 1;
|
||||
+ goto end;
|
||||
+ }
|
||||
}
|
||||
- ret = 1;
|
||||
+ fips_selftest_fail = 1;
|
||||
+ ret = 0;
|
||||
goto end;
|
||||
}
|
||||
fips_set_mode(0);
|
||||
|
|
@ -21,7 +21,7 @@
|
|||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.0d
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
# We remove certain patented algorithms from the openssl source tarball
|
||||
# with the hobble-openssl script which is included below.
|
||||
Source: openssl-%{version}-usa.tar.bz2
|
||||
|
|
@ -71,6 +71,7 @@ Patch58: openssl-1.0.0c-fips-md5-allow.patch
|
|||
Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
|
||||
Patch60: openssl-1.0.0d-apps-dgst.patch
|
||||
Patch61: openssl-1.0.0d-cavs.patch
|
||||
Patch62: openssl-1.0.0-fips-aesni.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch81: openssl-1.0.0d-padlock64.patch
|
||||
|
||||
|
|
@ -163,6 +164,8 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||
%patch59 -p1 -b .fips-default
|
||||
%patch60 -p1 -b .dgst
|
||||
%patch61 -p1 -b .cavs
|
||||
%patch62 -p1 -b .fips-aesni
|
||||
|
||||
%patch81 -p1 -b .padlock64
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
|
|
@ -413,6 +416,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Jun 9 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-5
|
||||
- allow the AES-NI engine in the FIPS mode
|
||||
|
||||
* Tue May 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-4
|
||||
- add API necessary for CAVS testing of the new DSA parameter generation
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue