Fix fips flag handling.

Don't set the fips flags in cipher and digests as the implementations
aren't suitable for FIPS mode and will be redirected to the FIPS module
versions anyway.

Return EVP_CIPH_FLAG_FIPS or EVP_MD_FLAG_FIPS if a FIPS implementation
exists when calling EVP_CIPHER_flags and EVP_MD_flags repectively.

Remove unused FIPS code from e_aes.c: the 1.0.2 branch will never be
used to build a FIPS module.

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 46c5757af3916a8384ff7852ab00123ad80d8c16..4740dab17af7635ed33e2f3e92df02b5493bd247 100644 (file)
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -56,10 +56,12 @@
 #include <assert.h>
 #include <openssl/aes.h>
 #include "evp_locl.h"
-#ifndef OPENSSL_FIPS
 #include "modes_lcl.h"
 #include <openssl/rand.h>
 
+#undef EVP_CIPH_FLAG_FIPS
+#define EVP_CIPH_FLAG_FIPS 0
+
 typedef struct
        {
        union { double align; AES_KEY ks; } ks;
@@ -1136,11 +1138,6 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
        case EVP_CTRL_GCM_SET_IVLEN:
                if (arg <= 0)
                        return 0;
-#ifdef OPENSSL_FIPS
-               if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
-                                                && arg < 12)
-                       return 0;
-#endif
                /* Allocate memory for IV if needed */
                if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
                        {
@@ -1703,15 +1700,6 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                return 0;
        if (!out || !in || len<AES_BLOCK_SIZE)
                return 0;
-#ifdef OPENSSL_FIPS
-       /* Requirement of SP800-38E */
-       if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-                       (len > (1UL<<20)*16))
-               {
-               EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-               return 0;
-               }
-#endif
        if (xctx->stream)
                (*xctx->stream)(in, out, len,
                                xctx->xts.key1, xctx->xts.key2, ctx->iv);
@@ -1985,5 +1973,3 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
        {
        return &aes_256_wrap;
        }
-
-#endif

diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index fa3b05cf142c22ebbc3a8419cdddf92749925c27..24e9fec777ce227f07d29cb687382033c92119b3 100644 (file)
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -65,6 +65,10 @@
 #include <openssl/des.h>
 #include <openssl/rand.h>
 
+/* Block use of implementations in FIPS mode */
+#undef EVP_CIPH_FLAG_FIPS
+#define EVP_CIPH_FLAG_FIPS     0
+
 typedef struct
        {
        union { double align; DES_key_schedule ks[3]; } ks;

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 2a87570b9e4fdd31b5a9f10a6903056ed614e828..c5509a9fb92fbc1fc3bf375a26195aaa49fae0c0 100644 (file)
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -60,6 +60,9 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
        {
@@ -212,12 +215,22 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx)
 
 unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
        {
+#ifdef OPENSSL_FIPS
+       const EVP_CIPHER *fcipher;
+       fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
+       if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
+               return cipher->flags | EVP_CIPH_FLAG_FIPS;
+#endif
        return cipher->flags;
        }
 
 unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
        {
+#ifdef OPENSSL_FIPS
+       return EVP_CIPHER_flags(ctx->cipher);
+#else
        return ctx->cipher->flags;
+#endif
        }
 
 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
@@ -287,6 +300,12 @@ int EVP_MD_size(const EVP_MD *md)
 
 unsigned long EVP_MD_flags(const EVP_MD *md)
        {
+#ifdef OPENSSL_FIPS
+       const EVP_MD *fmd;
+       fmd = FIPS_get_digestbynid(EVP_MD_type(md));
+       if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
+               return md->flags | EVP_MD_FLAG_FIPS;
+#endif
        return md->flags;
        }