Experimental multi-implementation support for FIPS capable OpenSSL. (1dded7f7) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,13 @@

		Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]

		*) Experimental multi-implementation support for FIPS capable OpenSSL.
		When in FIPS mode the approved implementations are used as normal,
		when not in FIPS mode the internal unapproved versions are used instead.
		This means that the FIPS capable OpenSSL isn't forced to use the
		(often lower perfomance) FIPS implementations outside FIPS mode.
		[Steve Henson]

		*) Transparently support X9.42 DH parameters when calling
		PEM_read_bio_DHparameters. This means existing applications can handle
		the new parameter format automatically.

+2 −2

Original line number	Diff line number	Diff line
		@@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
		bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
		c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
		evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
		e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
		e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
		e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c

		LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
		@@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
		bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
		c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
		evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
		e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
		e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
		e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o

		SRC= $(LIBSRC)

+13 −0

Original line number	Diff line number	Diff line
		@@ -145,6 +145,19 @@ int EVP_DigestInit(EVP_MD_CTX ctx, const EVP_MD type)
		int EVP_DigestInit_ex(EVP_MD_CTX ctx, const EVP_MD type, ENGINE *impl)
		{
		EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
		#ifdef OPENSSL_FIPS_
		/* If FIPS mode switch to approved implementation if possible */
		if (FIPS_mode())
		{
		const EVP_MD *fipsmd;
		if (type)
		{
		fipsmd = FIPS_get_digestbynid(EVP_MD_type(type));
		if (fipsmd)
		type = fipsmd;
		}
		}
		#endif
		#ifndef OPENSSL_NO_ENGINE
		/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
		* so this context may already have an ENGINE! Try to avoid releasing

+7 −4

Original line number	Diff line number	Diff line
		@@ -56,10 +56,14 @@
		#include <assert.h>
		#include <openssl/aes.h>
		#include "evp_locl.h"
		#ifndef OPENSSL_FIPS
		#include "modes_lcl.h"
		#include <openssl/rand.h>

		#ifndef OPENSSL_FIPSCANISTER
		#undef EVP_CIPH_FLAG_FIPS
		#define EVP_CIPH_FLAG_FIPS 0
		#endif

		typedef struct
		{
		AES_KEY ks;
		@@ -715,7 +719,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX c, int type, int arg, void ptr)
		case EVP_CTRL_GCM_SET_IVLEN:
		if (arg <= 0)
		return 0;
		#ifdef OPENSSL_FIPS
		#ifdef OPENSSL_FIPSCANISTER
		if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
		&& arg < 12)
		return 0;
		@@ -1126,7 +1130,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
		return 0;
		if (!out \|\| !in \|\| len<AES_BLOCK_SIZE)
		return 0;
		#ifdef OPENSSL_FIPS
		#ifdef OPENSSL_FIPSCANISTER
		/* Requirement of SP800-38E */
		if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
		(len > (1UL<<20)*16))
		@@ -1310,4 +1314,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS\|CUSTOM_FLAGS)
		BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS\|CUSTOM_FLAGS)

		#endif
		#endif

+0 −3

Original line number	Diff line number	Diff line
		@@ -65,8 +65,6 @@
		#include <openssl/des.h>
		#include <openssl/rand.h>

		#ifndef OPENSSL_FIPS

		static int des_ede_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
		const unsigned char *iv,int enc);

		@@ -313,4 +311,3 @@ const EVP_CIPHER *EVP_des_ede3(void)
		return &des_ede3_ecb;
		}
		#endif
		#endif