Re: git: 8f37b3a142f2 - main - libcrypto: fix the FIPS provider on amd64

In reply to: Ed Maste : "git: 8f37b3a142f2 - main - libcrypto: fix the FIPS provider on amd64"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Pierre Pronchery <pierre_at_freebsdfoundation.org>
Date: Thu, 21 Sep 2023 16:45:21 UTC
			Hi there,

On 9/21/23 17:38, Ed Maste wrote:
> The branch main has been updated by emaste:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=8f37b3a142f2f7197896cd283c44c7e4fb64aaf3
> 
> commit 8f37b3a142f2f7197896cd283c44c7e4fb64aaf3
> Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
> AuthorDate: 2023-09-04 17:57:35 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-09-21 15:38:02 +0000
> 
>      libcrypto: fix the FIPS provider on amd64
>      
>      This corrects the list of source files required for the FIPS provider.
>      
>      To test:
>      
>      ```
>      INSTALL PASSED
>      enter AES-128-CBC encryption password:
>      Verifying - enter AES-128-CBC encryption password:
>      U2FsdGVkX1+MGm7LbZou29UWU+KAyBX/PxF5T1pO9VM=
>      ```

The complete test procedure, including the corresponding commands is:

```
# openssl fipsinstall -out /etc/ssl/fipsmodule.cnf \
   -module /usr/lib/ossl-modules/fips.so
[...]
INSTALL PASSED
# vi /etc/ssl/openssl.cnf
[enable the FIPS module]
# echo test | openssl aes-256-cbc -provider fips -a -pbkdf2
enter AES-256-CBC encryption password:
Verifying - enter AES-256-CBC encryption password:
U2FsdGVkX199k8PlM+6jTPK4AARYYVR3BXF+a1bCLCk=
```

HTH,
-- Pierre

>      
>      Reviewed by:    emaste
>      Fixes:          b077aed33b7b ("Merge OpenSSL 3.0.9")
>      Sponsored by:   The FreeBSD Foundation
>      Pull Request:   https://github.com/freebsd/freebsd-src/pull/837
>      Differential Revision: https://reviews.freebsd.org/D41720
> ---
>   secure/lib/libcrypto/modules/fips/Makefile | 20 ++++++++++----------
>   1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/secure/lib/libcrypto/modules/fips/Makefile b/secure/lib/libcrypto/modules/fips/Makefile
> index b674126bb6cf..8843cb9717c9 100644
> --- a/secure/lib/libcrypto/modules/fips/Makefile
> +++ b/secure/lib/libcrypto/modules/fips/Makefile
> @@ -32,25 +32,25 @@ SRCS+=	mem_clr.c
>   .endif
>   
>   # crypto/aes
> -SRCS+=	aes_cbc.c aes_cfb.c aes_ecb.c aes_ige.c aes_misc.c aes_ofb.c aes_wrap.c
> +SRCS+=	aes_cfb.c aes_ecb.c aes_ige.c aes_misc.c aes_ofb.c aes_wrap.c
>   .if defined(ASM_aarch64)
> -SRCS+=	aes_core.c aesv8-armx.S vpaes-armv8.S
> +SRCS+=	aes_cbc.c aes_core.c aesv8-armx.S vpaes-armv8.S
>   ACFLAGS.aesv8-armx.S=	-march=armv8-a+crypto
>   .elif defined(ASM_amd64)
> -SRCS+=	aes_core.c aesni-mb-x86_64.S aesni-sha1-x86_64.S aesni-sha256-x86_64.S
> -SRCS+=	aesni-x86_64.S vpaes-x86_64.S
> +SRCS+=	aes-x86_64.S aesni-mb-x86_64.S aesni-sha1-x86_64.S
> +SRCS+=	aesni-sha256-x86_64.S aesni-x86_64.S bsaes-x86_64.S vpaes-x86_64.S
>   .elif defined(ASM_arm)
> -SRCS+=	aes-armv4.S aesv8-armx.S bsaes-armv7.S
> +SRCS+=	aes_cbc.c aes-armv4.S aesv8-armx.S bsaes-armv7.S
>   .elif defined(ASM_i386)
> -SRCS+=	aes_core.c aesni-x86.S vpaes-x86.S
> +SRCS+=	aes-586.S aesni-x86.S vpaes-x86.S
>   .elif defined(ASM_powerpc)
> -SRCS+=	aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
> +SRCS+=	aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
>   .elif defined(ASM_powerpc64)
> -SRCS+=	aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
> +SRCS+=	aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
>   .elif defined(ASM_powerpc64le)
> -SRCS+=	aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
> +SRCS+=	aes_cbc.c aes_core.c aes-ppc.S vpaes-ppc.S aesp8-ppc.S
>   .else
> -SRCS+=	aes_core.c
> +SRCS+=	aes_cbc.c aes_core.c
>   .endif
>   
>   # crypto/bn
> 
> 

-- 
Pierre Pronchery <pierre@freebsdfoundation.org>