public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Multiple fixes
Date: Tue, 09 Jun 2026 12:44:36 GMT [thread overview]
Message-ID: <178100907610.1.12622274832873230652.rpms-openssl-f1c4ba61a3c4@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : f1c4ba61a3c49079c62cb3cdfbac660d46012b6f
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2019-10-03T17:43:23+02:00
Stats : +178/-8 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/f1c4ba61a3c49079c62cb3cdfbac660d46012b6f?branch=rebase_40beta
Log:
Multiple fixes
re-enable the stitched AES-CBC-SHA implementations
make AES-GCM work in FIPS mode again
enable TLS-1.2 AES-CCM ciphers in FIPS mode
fix openssl speed errors in FIPS mode
---
diff --git a/openssl-1.1.1-aes-asm.patch b/openssl-1.1.1-aes-asm.patch
new file mode 100644
index 0000000..65b8213
--- /dev/null
+++ b/openssl-1.1.1-aes-asm.patch
@@ -0,0 +1,58 @@
+commit 61cc715240d2d3f9511ca88043a3e9797c11482f
+Author: Richard Levitte <levitte@openssl.org>
+Date: Thu Oct 3 08:28:31 2019 +0200
+
+ Define AESNI_ASM if AESNI assembler is included, and use it
+
+ Because we have cases where basic assembler support isn't present, but
+ AESNI asssembler support is, we need a separate macro that indicates
+ that, and use it.
+
+ Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
+ Reviewed-by: Paul Dale <paul.dale@oracle.com>
+ (Merged from https://github.com/openssl/openssl/pull/10080)
+
+diff --git a/Configure b/Configure
+index 811bee81f5..f498ac2f81 100755
+--- a/Configure
++++ b/Configure
+@@ -1376,6 +1376,7 @@ unless ($disabled{asm}) {
+ }
+ if ($target{aes_asm_src}) {
+ push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);;
++ push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);;
+ # aes-ctr.fake is not a real file, only indication that assembler
+ # module implements AES_ctr32_encrypt...
+ push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index c9f5969162..27c36b46e7 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -33,7 +33,7 @@ typedef struct {
+
+ #define NO_PAYLOAD_LENGTH ((size_t)-1)
+
+-#if defined(AES_ASM) && ( \
++#if defined(AESNI_ASM) && ( \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
+index d5178313ae..cc622b6faa 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha256.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
+@@ -34,7 +34,7 @@ typedef struct {
+
+ # define NO_PAYLOAD_LENGTH ((size_t)-1)
+
+-#if defined(AES_ASM) && ( \
++#if defined(AESNI_ASM) && ( \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+@@ -947,4 +947,4 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void)
+ {
+ return NULL;
+ }
+-#endif
++#endif /* AESNI_ASM */
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index fd6633d..9063069 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -11,8 +11,8 @@ diff -up openssl-1.1.1d/apps/pkcs12.c.fips openssl-1.1.1d/apps/pkcs12.c
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
---- openssl-1.1.1d/apps/speed.c.fips 2019-09-13 15:13:11.008525884 +0200
-+++ openssl-1.1.1d/apps/speed.c 2019-09-13 15:13:11.022525640 +0200
+--- openssl-1.1.1d/apps/speed.c.fips 2019-10-03 16:51:22.019915908 +0200
++++ openssl-1.1.1d/apps/speed.c 2019-10-03 17:40:09.909994582 +0200
@@ -1595,7 +1595,8 @@ int speed_main(int argc, char **argv)
continue;
if (strcmp(*argv, "rsa") == 0) {
@@ -60,7 +60,7 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
eddsa_doit[i] = 2;
continue;
}
-@@ -1737,23 +1742,30 @@ int speed_main(int argc, char **argv)
+@@ -1737,23 +1742,31 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@@ -87,16 +87,18 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
ecdsa_doit[loop] = 1;
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
- ecdh_doit[loop] = 1;
+- ecdh_doit[loop] = 1;
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
- eddsa_doit[loop] = 1;
++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
++ ecdh_doit[loop] = 1;
+ if (!FIPS_mode())
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+ eddsa_doit[loop] = 1;
#endif
}
for (i = 0; i < ALGOR_NUM; i++)
-@@ -1801,30 +1813,46 @@ int speed_main(int argc, char **argv)
+@@ -1801,30 +1814,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
@@ -153,7 +155,7 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
-@@ -2122,6 +2150,7 @@ int speed_main(int argc, char **argv)
+@@ -2122,6 +2151,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
@@ -461,7 +463,7 @@ diff -up openssl-1.1.1d/crypto/dsa/dsa_gen.c.fips openssl-1.1.1d/crypto/dsa/dsa_
+ goto err;
+ }
+
-+ if (FIPS_mode() && (L != 1024 || N != 160) &&
++ if (FIPS_mode() &&
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
+ (L != 3072 || N != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
@@ -11368,6 +11370,108 @@ diff -up openssl-1.1.1d/include/openssl/rsaerr.h.fips openssl-1.1.1d/include/ope
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
# define RSA_R_VALUE_MISSING 147
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
+diff -up openssl-1.1.1d/ssl/s3_lib.c.fips openssl-1.1.1d/ssl/s3_lib.c
+--- openssl-1.1.1d/ssl/s3_lib.c.fips 2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/ssl/s3_lib.c 2019-10-03 16:53:51.140362311 +0200
+@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+- SSL_HIGH,
++ SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+- SSL_HIGH,
++ SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384,
+ 256,
+ 256,
+@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
diff -up openssl-1.1.1d/ssl/ssl_ciph.c.fips openssl-1.1.1d/ssl/ssl_ciph.c
--- openssl-1.1.1d/ssl/ssl_ciph.c.fips 2019-09-13 15:13:11.019525692 +0200
+++ openssl-1.1.1d/ssl/ssl_ciph.c 2019-09-13 15:13:11.068524836 +0200
diff --git a/openssl.spec b/openssl.spec
index 2f6fdfc..859f4ea 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1d
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -67,6 +67,7 @@ Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch54: openssl-1.1.1-regression-fixes.patch
+Patch55: openssl-1.1.1-aes-asm.patch
License: OpenSSL
URL: http://www.openssl.org/
@@ -168,6 +169,7 @@ cp %{SOURCE13} test/
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch54 -p1 -b .regression
+%patch55 -p1 -b .aes-asm
%build
@@ -454,6 +456,12 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Thu Oct 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-2
+- re-enable the stitched AES-CBC-SHA implementations
+- make AES-GCM work in FIPS mode again
+- enable TLS-1.2 AES-CCM ciphers in FIPS mode
+- fix openssl speed errors in FIPS mode
+
* Fri Sep 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-1
- update to the 1.1.1d release
next reply other threads:[~2026-06-09 12:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 12:44 Tomas Mraz [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: Multiple fixes Tomas Mraz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100907610.1.12622274832873230652.rpms-openssl-f1c4ba61a3c4@fedoraproject.org \
--to=tmraz@fedoraproject.org \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox