Prohibit use of low level digest APIs in FIPS mode.
This commit is contained in:
Dr. Stephen Henson
parent
9ddc574f9a
commit
65300dcfb0
5
CHANGES
5
CHANGES
@ -4,6 +4,11 @@
|
||||
|
||||
Changes between 1.0.0d and 1.0.1 [xx XXX xxxx]
|
||||
|
||||
*) Low level digest APIs are not approved in FIPS mode: any attempt
|
||||
to use these will cause a fatal error. Applications that *really* want
|
||||
to use them can use the private_* version instead.
|
||||
[Steve Henson]
|
||||
|
||||
*) Redirect cipher operations to FIPS module for FIPS builds.
|
||||
[Steve Henson]
|
||||
|
||||
|
||||
@ -552,6 +552,22 @@ int FIPS_mode_set(int r);
|
||||
|
||||
void OPENSSL_init(void);
|
||||
|
||||
#define fips_md_init(alg) fips_md_init_ctx(alg, alg)
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define fips_md_init_ctx(alg, cx) \
|
||||
int alg##_Init(cx##_CTX *c) \
|
||||
{ \
|
||||
if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
|
||||
"Low level API call to digest " #alg " forbidden in FIPS mode!"); \
|
||||
return private_##alg##_Init(c); \
|
||||
} \
|
||||
int private_##alg##_Init(cx##_CTX *c)
|
||||
#else
|
||||
#define fips_md_init_ctx(alg, cx) \
|
||||
int alg##_Init(cx##_CTX *c)
|
||||
#endif
|
||||
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
|
||||
@ -343,3 +343,18 @@ struct evp_pkey_method_st
|
||||
} /* EVP_PKEY_METHOD */;
|
||||
|
||||
void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define RIPEMD160_Init private_RIPEMD160_Init
|
||||
#define WHIRLPOOL_Init private_WHIRLPOOL_Init
|
||||
#define MD5_Init private_MD5_Init
|
||||
#define MD4_Init private_MD4_Init
|
||||
#define MD2_Init private_MD2_Init
|
||||
#define MDC2_Init private_MDC2_Init
|
||||
#define SHA_Init private_SHA_Init
|
||||
#define SHA1_Init private_SHA1_Init
|
||||
#define SHA224_Init private_SHA224_Init
|
||||
#define SHA256_Init private_SHA256_Init
|
||||
#define SHA384_Init private_SHA384_Init
|
||||
#define SHA512_Init private_SHA512_Init
|
||||
#endif
|
||||
|
||||
@ -69,6 +69,8 @@
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
|
||||
#include "evp_locl.h"
|
||||
|
||||
static int init(EVP_MD_CTX *ctx)
|
||||
{ return MD4_Init(ctx->md_data); }
|
||||
|
||||
|
||||
@ -68,6 +68,7 @@
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
#include "evp_locl.h"
|
||||
|
||||
static int init(EVP_MD_CTX *ctx)
|
||||
{ return MD5_Init(ctx->md_data); }
|
||||
|
||||
@ -69,6 +69,8 @@
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
|
||||
#include "evp_locl.h"
|
||||
|
||||
static int init(EVP_MD_CTX *ctx)
|
||||
{ return MDC2_Init(ctx->md_data); }
|
||||
|
||||
|
||||
@ -68,6 +68,7 @@
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
#include "evp_locl.h"
|
||||
|
||||
static int init(EVP_MD_CTX *ctx)
|
||||
{ return RIPEMD160_Init(ctx->md_data); }
|
||||
|
||||
@ -67,6 +67,7 @@
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
#include "evp_locl.h"
|
||||
|
||||
static int init(EVP_MD_CTX *ctx)
|
||||
{ return SHA_Init(ctx->md_data); }
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/whrlpool.h>
|
||||
#include "evp_locl.h"
|
||||
|
||||
static int init(EVP_MD_CTX *ctx)
|
||||
{ return WHIRLPOOL_Init(ctx->md_data); }
|
||||
|
||||
@ -81,6 +81,9 @@ typedef struct MD2state_st
|
||||
} MD2_CTX;
|
||||
|
||||
const char *MD2_options(void);
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MD2_Init(MD2_CTX *c);
|
||||
#endif
|
||||
int MD2_Init(MD2_CTX *c);
|
||||
int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
|
||||
int MD2_Final(unsigned char *md, MD2_CTX *c);
|
||||
|
||||
@ -116,7 +116,7 @@ const char *MD2_options(void)
|
||||
return("md2(int)");
|
||||
}
|
||||
|
||||
int MD2_Init(MD2_CTX *c)
|
||||
fips_md_init(MD2)
|
||||
{
|
||||
c->num=0;
|
||||
memset(c->state,0,sizeof c->state);
|
||||
|
||||
@ -105,6 +105,9 @@ typedef struct MD4state_st
|
||||
unsigned int num;
|
||||
} MD4_CTX;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MD4_Init(MD4_CTX *c);
|
||||
#endif
|
||||
int MD4_Init(MD4_CTX *c);
|
||||
int MD4_Update(MD4_CTX *c, const void *data, size_t len);
|
||||
int MD4_Final(unsigned char *md, MD4_CTX *c);
|
||||
|
||||
@ -57,8 +57,9 @@
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include "md4_locl.h"
|
||||
#include <openssl/opensslv.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "md4_locl.h"
|
||||
|
||||
const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
@ -70,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
|
||||
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
||||
#define INIT_DATA_D (unsigned long)0x10325476L
|
||||
|
||||
int MD4_Init(MD4_CTX *c)
|
||||
fips_md_init(MD4)
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->A=INIT_DATA_A;
|
||||
|
||||
@ -105,6 +105,9 @@ typedef struct MD5state_st
|
||||
unsigned int num;
|
||||
} MD5_CTX;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MD5_Init(MD5_CTX *c);
|
||||
#endif
|
||||
int MD5_Init(MD5_CTX *c);
|
||||
int MD5_Update(MD5_CTX *c, const void *data, size_t len);
|
||||
int MD5_Final(unsigned char *md, MD5_CTX *c);
|
||||
|
||||
@ -59,6 +59,7 @@
|
||||
#include <stdio.h>
|
||||
#include "md5_locl.h"
|
||||
#include <openssl/opensslv.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
@ -70,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
|
||||
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
||||
#define INIT_DATA_D (unsigned long)0x10325476L
|
||||
|
||||
int MD5_Init(MD5_CTX *c)
|
||||
fips_md_init(MD5)
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->A=INIT_DATA_A;
|
||||
|
||||
@ -81,6 +81,9 @@ typedef struct mdc2_ctx_st
|
||||
} MDC2_CTX;
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MDC2_Init(MDC2_CTX *c);
|
||||
#endif
|
||||
int MDC2_Init(MDC2_CTX *c);
|
||||
int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
|
||||
int MDC2_Final(unsigned char *md, MDC2_CTX *c);
|
||||
|
||||
@ -61,6 +61,7 @@
|
||||
#include <string.h>
|
||||
#include <openssl/des.h>
|
||||
#include <openssl/mdc2.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
#undef c2l
|
||||
#define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \
|
||||
@ -75,7 +76,7 @@
|
||||
*((c)++)=(unsigned char)(((l)>>24L)&0xff))
|
||||
|
||||
static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
|
||||
int MDC2_Init(MDC2_CTX *c)
|
||||
fips_md_init(MDC2)
|
||||
{
|
||||
c->num=0;
|
||||
c->pad_type=1;
|
||||
|
||||
@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st
|
||||
unsigned int num;
|
||||
} RIPEMD160_CTX;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_RIPEMD160_Init(RIPEMD160_CTX *c);
|
||||
#endif
|
||||
int RIPEMD160_Init(RIPEMD160_CTX *c);
|
||||
int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
|
||||
int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
|
||||
|
||||
@ -59,6 +59,7 @@
|
||||
#include <stdio.h>
|
||||
#include "rmd_locl.h"
|
||||
#include <openssl/opensslv.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
@ -69,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
|
||||
void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
|
||||
# endif
|
||||
|
||||
int RIPEMD160_Init(RIPEMD160_CTX *c)
|
||||
fips_md_init(RIPEMD160)
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->A=RIPEMD160_A;
|
||||
|
||||
@ -106,6 +106,9 @@ typedef struct SHAstate_st
|
||||
} SHA_CTX;
|
||||
|
||||
#ifndef OPENSSL_NO_SHA0
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_SHA_Init(SHA_CTX *c);
|
||||
#endif
|
||||
int SHA_Init(SHA_CTX *c);
|
||||
int SHA_Update(SHA_CTX *c, const void *data, size_t len);
|
||||
int SHA_Final(unsigned char *md, SHA_CTX *c);
|
||||
@ -113,6 +116,9 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md);
|
||||
void SHA_Transform(SHA_CTX *c, const unsigned char *data);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SHA1
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_SHA1_Init(SHA_CTX *c);
|
||||
#endif
|
||||
int SHA1_Init(SHA_CTX *c);
|
||||
int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
|
||||
int SHA1_Final(unsigned char *md, SHA_CTX *c);
|
||||
@ -135,6 +141,10 @@ typedef struct SHA256state_st
|
||||
} SHA256_CTX;
|
||||
|
||||
#ifndef OPENSSL_NO_SHA256
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_SHA224_Init(SHA256_CTX *c);
|
||||
int private_SHA256_Init(SHA256_CTX *c);
|
||||
#endif
|
||||
int SHA224_Init(SHA256_CTX *c);
|
||||
int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
|
||||
int SHA224_Final(unsigned char *md, SHA256_CTX *c);
|
||||
@ -182,6 +192,10 @@ typedef struct SHA512state_st
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SHA512
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_SHA384_Init(SHA512_CTX *c);
|
||||
int private_SHA512_Init(SHA512_CTX *c);
|
||||
#endif
|
||||
int SHA384_Init(SHA512_CTX *c);
|
||||
int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
|
||||
int SHA384_Final(unsigned char *md, SHA512_CTX *c);
|
||||
|
||||
@ -57,6 +57,7 @@
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/crypto.h>
|
||||
#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
|
||||
|
||||
#undef SHA_0
|
||||
|
||||
@ -16,7 +16,7 @@
|
||||
|
||||
const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
int SHA224_Init (SHA256_CTX *c)
|
||||
fips_md_init_ctx(SHA224, SHA256)
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
|
||||
@ -27,7 +27,7 @@ int SHA224_Init (SHA256_CTX *c)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int SHA256_Init (SHA256_CTX *c)
|
||||
fips_md_init(SHA256)
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
|
||||
|
||||
@ -59,7 +59,7 @@ const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT;
|
||||
#define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
|
||||
#endif
|
||||
|
||||
int SHA384_Init (SHA512_CTX *c)
|
||||
fips_md_init_ctx(SHA384, SHA512)
|
||||
{
|
||||
#if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
|
||||
/* maintain dword order required by assembler module */
|
||||
@ -88,7 +88,7 @@ int SHA384_Init (SHA512_CTX *c)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int SHA512_Init (SHA512_CTX *c)
|
||||
fips_md_init(SHA512)
|
||||
{
|
||||
#if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
|
||||
/* maintain dword order required by assembler module */
|
||||
|
||||
@ -57,6 +57,7 @@
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/crypto.h>
|
||||
#if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
|
||||
|
||||
#undef SHA_1
|
||||
|
||||
@ -122,7 +122,11 @@ void sha1_block_data_order (SHA_CTX *c, const void *p,size_t num);
|
||||
#define INIT_DATA_h3 0x10325476UL
|
||||
#define INIT_DATA_h4 0xc3d2e1f0UL
|
||||
|
||||
int HASH_INIT (SHA_CTX *c)
|
||||
#ifdef SHA_0
|
||||
fips_md_init(SHA)
|
||||
#else
|
||||
fips_md_init_ctx(SHA1, SHA)
|
||||
#endif
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->h0=INIT_DATA_h0;
|
||||
|
||||
@ -24,6 +24,9 @@ typedef struct {
|
||||
} WHIRLPOOL_CTX;
|
||||
|
||||
#ifndef OPENSSL_NO_WHIRLPOOL
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c);
|
||||
#endif
|
||||
int WHIRLPOOL_Init (WHIRLPOOL_CTX *c);
|
||||
int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes);
|
||||
void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits);
|
||||
|
||||
@ -52,9 +52,10 @@
|
||||
*/
|
||||
|
||||
#include "wp_locl.h"
|
||||
#include <openssl/crypto.h>
|
||||
#include <string.h>
|
||||
|
||||
int WHIRLPOOL_Init (WHIRLPOOL_CTX *c)
|
||||
fips_md_init(WHIRLPOOL)
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
return(1);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user