Use approved API for EVP digest operations in FIPS builds.

Call OPENSSL_init() in a few more places to make sure it is always called
at least once.

Initial cipher API redirection (incomplete).

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index a0d5763b9265735bb0b675d65b03e65db6052e32..467e6b5ae9cf930775fd8e21c192294a5f2cfab7 100644 (file)
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -244,7 +244,11 @@ skip_to_init:
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
        {
+#ifdef OPENSSL_FIPS
+       return FIPS_digestupdate(ctx, data, count);
+#else
        return ctx->update(ctx,data,count);
+#endif
        }
 
 /* The caller can assume that this removes any secret data from the context */
@@ -259,8 +263,10 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 /* The caller can assume that this removes any secret data from the context */
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
        {
+#ifdef OPENSSL_FIPS
+       return FIPS_digestfinal(ctx, md, size);
+#else
        int ret;
-
        OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
        ret=ctx->digest->final(ctx,md);
        if (size != NULL)
@@ -272,6 +278,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
                }
        memset(ctx->md_data,0,ctx->digest->ctx_size);
        return ret;
+#endif
        }
 
 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
@@ -365,6 +372,7 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
 /* This call frees resources associated with the context */
 int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
        {
+#ifndef OPENSSL_FIPS
        /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
         * because sometimes only copies of the context are ever finalised.
         */
@@ -377,6 +385,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
                OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
                OPENSSL_free(ctx->md_data);
                }
+#endif
        if (ctx->pctx)
                EVP_PKEY_CTX_free(ctx->pctx);
 #ifndef OPENSSL_NO_ENGINE
@@ -384,6 +393,9 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
                /* The EVP_MD we used belongs to an ENGINE, release the
                 * functional reference we held for this reason. */
                ENGINE_finish(ctx->engine);
+#endif
+#ifdef OPENSSL_FIPS
+       FIPS_md_ctx_cleanup(ctx);
 #endif
        memset(ctx,'\0',sizeof *ctx);
 

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index a0bdf9856c1d07edf2a77012ee33399ef4197d4f..ccb4980e433b33d5e67e211f01dee5c8fa2844de 100644 (file)
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -64,6 +64,9 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 #include "evp_locl.h"
 
 const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
@@ -155,6 +158,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                        ctx->engine = NULL;
 #endif
 
+#ifdef OPENSSL_FIPS
+               return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+#else
                ctx->cipher=cipher;
                if (ctx->cipher->ctx_size)
                        {
@@ -179,6 +185,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                                return 0;
                                }
                        }
+#endif
                }
        else if(!ctx->cipher)
                {
@@ -188,6 +195,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 #ifndef OPENSSL_NO_ENGINE
 skip_to_init:
 #endif
+#ifdef OPENSSL_FIPS
+       return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+#else
        /* we assume block size is a power of 2 in *cryptUpdate */
        OPENSSL_assert(ctx->cipher->block_size == 1
            || ctx->cipher->block_size == 8
@@ -233,6 +243,7 @@ skip_to_init:
        ctx->final_used=0;
        ctx->block_mask=ctx->cipher->block_size-1;
        return 1;
+#endif
        }
 
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,

diff --git a/crypto/evp/names.c b/crypto/evp/names.c
index f2869f5c7853bdf1f63f6bfa3b78a6ad25dfabf3..67c73c0baba212f3082ec39bf19734cfd6a24770 100644 (file)
--- a/crypto/evp/names.c
+++ b/crypto/evp/names.c
@@ -65,6 +65,7 @@
 int EVP_add_cipher(const EVP_CIPHER *c)
        {
        int r;
+       OPENSSL_init();
 
        r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
        if (r == 0) return(0);
@@ -78,6 +79,7 @@ int EVP_add_digest(const EVP_MD *md)
        {
        int r;
        const char *name;
+       OPENSSL_init();
 
        name=OBJ_nid2sn(md->type);
        r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);

diff --git a/crypto/mem.c b/crypto/mem.c
index 6f80dd33eb740a3822390bae39a40fa7d40d1e80..46a4e6c6dd8a210da5003003153e2f3045c57c08 100644 (file)
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -125,6 +125,7 @@ static long (*get_debug_options_func)(void) = NULL;
 int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
        void (*f)(void *))
        {
+       OPENSSL_init();
        if (!allow_customize)
                return 0;
        if ((m == 0) || (r == 0) || (f == 0))
@@ -184,6 +185,7 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
                                   void (*so)(long),
                                   long (*go)(void))
        {
+       OPENSSL_init();
        if (!allow_customize_debug)
                return 0;
        malloc_debug_func=m;