Fix fips flag handling.
Don't set the fips flags in cipher and digests as the implementations aren't suitable for FIPS mode and will be redirected to the FIPS module versions anyway. Return EVP_CIPH_FLAG_FIPS or EVP_MD_FLAG_FIPS if a FIPS implementation exists when calling EVP_CIPHER_flags and EVP_MD_flags respectively. Remove unused FIPS code from e_aes.c: the 1.0.2 branch will never be used to build a FIPS module.
parent
01fb5e133f
commit
5f2329b82a
@ -56,10 +56,12 @@
|
||||
#include <assert.h>
|
||||
#include <openssl/aes.h>
|
||||
#include "evp_locl.h"
|
||||
#ifndef OPENSSL_FIPS
|
||||
#include "modes_lcl.h"
|
||||
#include <openssl/rand.h>
|
||||
|
||||
#undef EVP_CIPH_FLAG_FIPS
|
||||
#define EVP_CIPH_FLAG_FIPS 0
|
||||
|
||||
typedef struct
|
||||
{
|
||||
union { double align; AES_KEY ks; } ks;
|
||||
@ -1136,11 +1138,6 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
case EVP_CTRL_GCM_SET_IVLEN:
|
||||
if (arg <= 0)
|
||||
return 0;
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
|
||||
&& arg < 12)
|
||||
return 0;
|
||||
#endif
|
||||
/* Allocate memory for IV if needed */
|
||||
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
|
||||
{
|
||||
@ -1703,15 +1700,6 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
return 0;
|
||||
if (!out || !in || len<AES_BLOCK_SIZE)
|
||||
return 0;
|
||||
#ifdef OPENSSL_FIPS
|
||||
/* Requirement of SP800-38E */
|
||||
if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
|
||||
(len > (1UL<<20)*16))
|
||||
{
|
||||
EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
if (xctx->stream)
|
||||
(*xctx->stream)(in, out, len,
|
||||
xctx->xts.key1, xctx->xts.key2, ctx->iv);
|
||||
@ -1985,5 +1973,3 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
|
||||
{
|
||||
return &aes_256_wrap;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
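Review bot: The `#undef EVP_CIPH_FLAG_FIPS` / `#define EVP_CIPH_FLAG_FIPS 0` override in the first hunk of this section carries no comment, while the same override in the DES section of this commit is introduced by `/* Block use of implementations in FIPS mode */`. Redefining a public header macro to 0 silently changes every later use in the translation unit, including any `flags & EVP_CIPH_FLAG_FIPS` test, so the reason belongs at the point of the override; I would add `/* These implementations are not FIPS-approved: clear the flag so the cipher tables below never advertise it */`. The GCM IV-length and XTS data-length limits that used to be checked here in FIPS mode are presumably now enforced only by the FIPS module after redirection, which is not visible on this page and is worth confirming.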
@ -65,6 +65,10 @@
|
||||
#include <openssl/des.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
/* Block use of implementations in FIPS mode */
|
||||
#undef EVP_CIPH_FLAG_FIPS
|
||||
#define EVP_CIPH_FLAG_FIPS 0
|
||||
|
||||
typedef struct
|
||||
{
|
||||
union { double align; DES_key_schedule ks[3]; } ks;
|
||||
|
@ -60,6 +60,9 @@
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
#ifdef OPENSSL_FIPS
|
||||
#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
|
||||
{
|
||||
@ -212,12 +215,22 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx)
|
||||
|
||||
unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
const EVP_CIPHER *fcipher;
|
||||
fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
|
||||
if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
|
||||
return cipher->flags | EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return cipher->flags;
|
||||
}
|
||||
|
||||
unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
return EVP_CIPHER_flags(ctx->cipher);
|
||||
#else
|
||||
return ctx->cipher->flags;
|
||||
#endif
|
||||
}
|
||||
|
||||
void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
|
||||
@ -287,6 +300,12 @@ int EVP_MD_size(const EVP_MD *md)
|
||||
|
||||
unsigned long EVP_MD_flags(const EVP_MD *md)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
const EVP_MD *fmd;
|
||||
fmd = FIPS_get_digestbynid(EVP_MD_type(md));
|
||||
if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
|
||||
return md->flags | EVP_MD_FLAG_FIPS;
|
||||
#endif
|
||||
return md->flags;
|
||||
}
|
||||
|
||||
|
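Review bot: `EVP_CIPHER_flags` now derives `EVP_CIPH_FLAG_FIPS` from a lookup by `EVP_CIPHER_type(cipher)` rather than from the object passed in, so the returned bit describes the FIPS module's cipher for that NID, not `cipher` itself; `EVP_MD_flags` in the last hunk does the same for digests. A caller that reads the flag as "this implementation is approved" could be misled if an EVP_CIPHER or EVP_MD with a matching NID is ever used without being redirected to the module (for example one supplied by an ENGINE; whether that path exists is not visible here). I would document this above each lookup with `/* Flag reflects whether the FIPS module implements this NID, not this object */`. The test also reads more safely with explicit grouping, `if (fcipher && (fcipher->flags & EVP_CIPH_FLAG_FIPS))`, and likewise for `fmd`.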