Commit 5f2329b8 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Fix fips flag handling. 

Don't set the fips flags in cipher and digests as the implementations
aren't suitable for FIPS mode and will be redirected to the FIPS module
versions anyway.

Return EVP_CIPH_FLAG_FIPS or EVP_MD_FLAG_FIPS if a FIPS implementation
exists when calling EVP_CIPHER_flags and EVP_MD_flags repectively.

Remove unused FIPS code from e_aes.c: the 1.0.2 branch will never be
used to build a FIPS module.
parent 01fb5e13

crypto/evp/e_aes.c

+3 −17
Original line number Original line Diff line number Diff line
@@ -56,10 +56,12 @@ 
#include <assert.h>

#include <assert.h>

#include <openssl/aes.h>

#include <openssl/aes.h>

#include "evp_locl.h"

#include "evp_locl.h"

#ifndef OPENSSL_FIPS

#include "modes_lcl.h"

#include "modes_lcl.h"

#include <openssl/rand.h>

#include <openssl/rand.h>





#undef EVP_CIPH_FLAG_FIPS

#define EVP_CIPH_FLAG_FIPS 0



typedef struct

typedef struct

	{

	{

	union { double align; AES_KEY ks; } ks;

	union { double align; AES_KEY ks; } ks;
@@ -1136,11 +1138,6 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
	case EVP_CTRL_GCM_SET_IVLEN:

	case EVP_CTRL_GCM_SET_IVLEN:

		if (arg <= 0)

		if (arg <= 0)

			return 0;

			return 0;

#ifdef OPENSSL_FIPS

		if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)

						 && arg < 12)

			return 0;

#endif

		/* Allocate memory for IV if needed */

		/* Allocate memory for IV if needed */

		if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))

		if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))

			{

			{
@@ -1703,15 +1700,6 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 
		return 0;

		return 0;

	if (!out || !in || len<AES_BLOCK_SIZE)

	if (!out || !in || len<AES_BLOCK_SIZE)

		return 0;

		return 0;

#ifdef OPENSSL_FIPS

	/* Requirement of SP800-38E */

	if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&

			(len > (1UL<<20)*16))

		{

		EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);

		return 0;

		}

#endif

	if (xctx->stream)

	if (xctx->stream)

		(*xctx->stream)(in, out, len,

		(*xctx->stream)(in, out, len,

				xctx->xts.key1, xctx->xts.key2, ctx->iv);

				xctx->xts.key1, xctx->xts.key2, ctx->iv);
@@ -1985,5 +1973,3 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) 
	{

	{

	return &aes_256_wrap;

	return &aes_256_wrap;

	}
 
	}
 


#endif

crypto/evp/e_des3.c

+4 −0
Original line number Original line Diff line number Diff line
@@ -65,6 +65,10 @@ 
#include <openssl/des.h>

#include <openssl/des.h>

#include <openssl/rand.h>

#include <openssl/rand.h>





/* Block use of implementations in FIPS mode */

#undef EVP_CIPH_FLAG_FIPS

#define EVP_CIPH_FLAG_FIPS	0



typedef struct

typedef struct

	{

	{

	union { double align; DES_key_schedule ks[3]; } ks;

	union { double align; DES_key_schedule ks[3]; } ks;

crypto/evp/evp_lib.c

+19 −0
Original line number Original line Diff line number Diff line
@@ -60,6 +60,9 @@ 
#include "cryptlib.h"

#include "cryptlib.h"

#include <openssl/evp.h>

#include <openssl/evp.h>

#include <openssl/objects.h>

#include <openssl/objects.h>

#ifdef OPENSSL_FIPS

#include <openssl/fips.h>

#endif





int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)

int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)

	{

	{
@@ -212,12 +215,22 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) 




unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)

unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)

	{

	{

#ifdef OPENSSL_FIPS

	const EVP_CIPHER *fcipher;

	fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));

	if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)

		return cipher->flags | EVP_CIPH_FLAG_FIPS;

#endif

	return cipher->flags;

	return cipher->flags;

	}

	}





unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)

unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)

	{

	{

#ifdef OPENSSL_FIPS

	return EVP_CIPHER_flags(ctx->cipher);

#else

	return ctx->cipher->flags;

	return ctx->cipher->flags;

#endif

	}

	}





void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)

void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
@@ -287,6 +300,12 @@ int EVP_MD_size(const EVP_MD *md) 




unsigned long EVP_MD_flags(const EVP_MD *md)

unsigned long EVP_MD_flags(const EVP_MD *md)

	{

	{

#ifdef OPENSSL_FIPS

	const EVP_MD *fmd;

	fmd = FIPS_get_digestbynid(EVP_MD_type(md));

	if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)

		return md->flags | EVP_MD_FLAG_FIPS;

#endif

	return md->flags;

	return md->flags;

	}

	}