Non FIPS algorithms are not normally allowed in FIPS mode.
Any attempt to use them via high level functions will return an error.
The low level non-FIPS algorithm functions cannot return errors so they
produce assertion failures. HMAC also has to give an assertion error because
it (erroneously) can't return an error either.
There are exceptions (such as MD5 in TLS and non cryptographic use of
algorithms) and applications can override the blocking and use non FIPS
algorithms anyway.
For low level functions the override is perfomed by prefixing the algorithm
initalization function with "private_" for example private_MD5_Init().
For high level functions an override is performed by setting a flag in
the context.
char *engine=NULL;
#endif
char *hmac_key=NULL;
+ int non_fips_allow = 0;
apps_startup();
out_bin = 1;
else if (strcmp(*argv,"-d") == 0)
debug=1;
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow=1;
else if (!strcmp(*argv,"-hmac"))
{
if (--argc < 1)
}
}
+ if (non_fips_allow)
+ {
+ EVP_MD_CTX *md_ctx;
+ BIO_get_md_ctx(bmd,&md_ctx);
+ EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
+
/* we use md as a filter, reading from 'in' */
if (!BIO_set_md(bmd,md))
{
int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0;
int keytype = 0;
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1;
int macver = 1;
apps_startup();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ else
+#endif
+ cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
#include <stdio.h>
#include <string.h>
+#include <openssl/crypto.h>
#include <openssl/blowfish.h>
#include "bf_locl.h"
#include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
{
int i;
BF_LONG *p,ri,in[2];
BF_LONG S[4*256];
} BF_KEY;
-
+
+#ifdef OPENSSL_FIPS
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
* [including the GNU Public Licence.]
*/
+#include <openssl/crypto.h>
#include <openssl/cast.h>
+
#include "cast_lcl.h"
#include "cast_s.h"
#define S6 CAST_S_table6
#define S7 CAST_S_table7
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(CAST)
{
CAST_LONG x[16];
CAST_LONG z[16];
int short_key; /* Use reduced rounds for short key */
} CAST_KEY;
-
+
+#ifdef OPENSSL_FIPS
+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+#endif
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
int enc);
#ifdef OPENSSL_FIPS
int FIPS_mode(void);
void *FIPS_rand_check(void);
+
+#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
+ #alg " Algorithm forbidden in FIPS mode");
+
+#ifdef OPENSSL_FIPS_STRICT
+#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
+#else
+#define FIPS_BAD_ALGORITHM(alg) \
+ { \
+ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
+ ERR_add_error_data(2, "Algorithm=", #alg); \
+ return 0; \
+ }
+#endif
+
+/* Low level digest API blocking macro */
+
+#define FIPS_NON_FIPS_MD_Init(alg) \
+ int alg##_Init(alg##_CTX *c) \
+ { \
+ if (FIPS_mode()) \
+ FIPS_BAD_ALGORITHM(alg) \
+ return private_##alg##_Init(c); \
+ } \
+ int private_##alg##_Init(alg##_CTX *c)
+
+/* For ciphers the API often varies from cipher to cipher and each needs to
+ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
+ * CAST) however are very similar and can use a blocking macro.
+ */
+
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
+ { \
+ if (FIPS_mode()) \
+ FIPS_BAD_ABORT(alg) \
+ private_##alg##_set_key(key, len, data); \
+ } \
+ void private_##alg##_set_key(alg##_KEY *key, int len, \
+ const unsigned char *data)
+
+#else
+
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
+
+#define FIPS_NON_FIPS_MD_Init(alg) \
+ int alg##_Init(alg##_CTX *c)
+
#endif /* def OPENSSL_FIPS */
/* BEGIN ERROR CODES */
ret=0;
break;
case BIO_C_GET_MD_CTX:
- if (b->init)
- {
- pctx=ptr;
- *pctx=ctx;
- }
- else
- ret=0;
+ pctx=ptr;
+ *pctx=ctx;
break;
case BIO_C_SET_MD_CTX:
if (b->init)
#endif
if (ctx->digest != type)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+ {
+ EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
+#endif
if (ctx->digest && ctx->digest->ctx_size)
OPENSSL_free(ctx->md_data);
ctx->digest=type;
IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
NID_aes_128, 16, 16, 16, 128,
- 0, aes_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
NID_aes_192, 16, 24, 16, 128,
- 0, aes_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
NID_aes_256, 16, 32, 16, 128,
- 0, aes_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
-#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16)
+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
-IMPLEMENT_AES_CFBR(128,1)
-IMPLEMENT_AES_CFBR(192,1)
-IMPLEMENT_AES_CFBR(256,1)
+IMPLEMENT_AES_CFBR(128,1,0)
+IMPLEMENT_AES_CFBR(192,1,0)
+IMPLEMENT_AES_CFBR(256,1,0)
-IMPLEMENT_AES_CFBR(128,8)
-IMPLEMENT_AES_CFBR(192,8)
-IMPLEMENT_AES_CFBR(256,8)
+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
}
BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
- 0, des_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
-BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,0,des_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
+ EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,NULL)
-BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,0,des_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
+ EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,NULL)
}
BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
- 0, des_ede_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
#define des_ede3_ecb_cipher des_ede_ecb_cipher
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
- 0, des_ede3_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
-BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0,
- des_ede3_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+ EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,NULL)
-BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0,
- des_ede3_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+ EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,NULL)
#include <openssl/aes.h>
#endif
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
/*
#define EVP_RC2_KEY_SIZE 16
#define EVP_RC4_KEY_SIZE 16
#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single
* block */
+#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0}
#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
* in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
+ * in FIPS mode */
+
struct evp_cipher_st
{
int nid;
#define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80
/* Don't use standard block padding */
#define EVP_CIPH_NO_PADDING 0x100
+/* Note if suitable for use in FIPS mode */
+#define EVP_CIPH_FLAG_FIPS 0x400
+/* Allow non FIPS cipher in FIPS mode */
+#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
/* ctrl() values */
/* Function codes. */
#define EVP_F_AES_INIT_KEY 129
#define EVP_F_D2I_PKEY 100
+#define EVP_F_EVP_ADD_CIPHER 130
+#define EVP_F_EVP_ADD_DIGEST 131
#define EVP_F_EVP_CIPHERINIT 123
#define EVP_F_EVP_CIPHER_CTX_CTRL 124
#define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
#define EVP_F_EVP_DECRYPTFINAL 101
#define EVP_F_EVP_DIGESTINIT 128
#define EVP_F_EVP_ENCRYPTFINAL 127
+#define EVP_F_EVP_GET_CIPHERBYNAME 132
+#define EVP_F_EVP_GET_DIGESTBYNAME 133
#define EVP_F_EVP_MD_CTX_COPY 110
#define EVP_F_EVP_OPENINIT 102
#define EVP_F_EVP_PBE_ALG_ADD 115
#define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
#define EVP_R_DECODE_ERROR 114
#define EVP_R_DIFFERENT_KEY_TYPES 101
+#define EVP_R_DISABLED_FOR_FIPS 141
#define EVP_R_ENCODE_ERROR 115
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
#define EVP_R_EXPECTING_AN_RSA_KEY 127
else
ctx->engine = NULL;
#endif
-
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ if (!(cipher->flags & EVP_CIPH_FLAG_FIPS)
+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
+ {
+ EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
+ ERR_add_error_data(2, "cipher=", EVP_CIPHER_name(cipher));
+ return 0;
+ }
+ }
+#endif
ctx->cipher=cipher;
if (ctx->cipher->ctx_size)
{
int i,j,bl;
OPENSSL_assert(inl > 0);
+#ifdef OPENSSL_FIPS
+ OPENSSL_assert(!FIPS_mode() || ctx->cipher->flags & EVP_CIPH_FLAG_FIPS);
+#endif
if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
{
if(ctx->cipher->do_cipher(ctx,out,in,inl))
/* crypto/evp/evp_err.c */
/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
{
{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"},
{ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"},
+{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0), "EVP_add_cipher"},
+{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0), "EVP_add_digest"},
{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"},
{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"},
{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"},
{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"},
{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"},
{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"},
+{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0), "EVP_get_cipherbyname"},
+{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0), "EVP_get_digestbyname"},
{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"},
{ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"},
{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"},
{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
{EVP_R_DECODE_ERROR ,"decode error"},
{EVP_R_DIFFERENT_KEY_TYPES ,"different key types"},
+{EVP_R_DISABLED_FOR_FIPS ,"disabled for fips"},
{EVP_R_ENCODE_ERROR ,"encode error"},
{EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"},
{EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"},
#define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data)
-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
- 0, cipher##_init_key, NULL, \
+ flags, cipher##_init_key, NULL, \
EVP_CIPHER_set_asn1_iv, \
EVP_CIPHER_get_asn1_iv, \
NULL)
+
+#ifdef OPENSSL_FIPS
+#define RC2_set_key private_RC2_set_key
+#define RC4_set_key private_RC4_set_key
+#define CAST_set_key private_CAST_set_key
+#define RC5_32_set_key private_RC5_32_set_key
+#define BF_set_key private_BF_set_key
+
+#define MD5_Init private_MD5_Init
+#define MD4_Init private_MD4_Init
+#define MD2_Init private_MD2_Init
+#define MDC2_Init private_MDC2_Init
+#define SHA_Init private_SHA_Init
+
+#endif
NID_dsaWithSHA,
NID_dsaWithSHA,
SHA_DIGEST_LENGTH,
- 0,
+ EVP_MD_FLAG_FIPS,
init,
update,
final,
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/md2.h>
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/md4.h>
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/md5.h>
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/mdc2.h>
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
NID_sha1,
NID_sha1WithRSAEncryption,
SHA_DIGEST_LENGTH,
- 0,
+ EVP_MD_FLAG_FIPS,
init,
update,
final,
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
int EVP_add_cipher(const EVP_CIPHER *c)
{
return(md);
}
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+ {
+ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+ EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+ }
+
const unsigned char *d, int n, unsigned char *md,
unsigned int *md_len);
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
#ifdef __cplusplus
}
*/
#include <openssl/idea.h>
+#include <openssl/crypto.h>
#include "idea_lcl.h"
static IDEA_INT inverse(unsigned int xin);
+
+#ifdef OPENSSL_FIPS
+void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
+ {
+ if (FIPS_mode())
+ FIPS_BAD_ABORT(IDEA)
+ private_idea_set_encrypt_key(key, ks);
+ }
+void private_idea_set_encrypt_key(const unsigned char *key,
+ IDEA_KEY_SCHEDULE *ks)
+#else
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
+#endif
{
int i;
register IDEA_INT *kt,*kf,r0,r1,r2;
const char *idea_options(void);
void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
IDEA_KEY_SCHEDULE *ks);
+#ifdef OPENSSL_FIPS
+void private_idea_set_encrypt_key(const unsigned char *key,
+ IDEA_KEY_SCHEDULE *ks);
+#endif
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
} MD2_CTX;
const char *MD2_options(void);
+#ifdef OPENSSL_FIPS
+int private_MD2_Init(MD2_CTX *c);
+#endif
int MD2_Init(MD2_CTX *c);
int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
int MD2_Final(unsigned char *md, MD2_CTX *c);
#include <openssl/md2.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
return("md2(int)");
}
-int MD2_Init(MD2_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD2)
{
c->num=0;
memset(c->state,0,sizeof c->state);
static const unsigned char end[4]={0x80,0x00,0x00,0x00};
const unsigned char *cp=end;
-#ifdef OPENSSL_FIPS
+#if 0
if(FIPS_mode() && !FIPS_md5_allowed())
{
FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
int num;
} MD4_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD4_Init(MD4_CTX *c);
+#endif
int MD4_Init(MD4_CTX *c);
int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
int MD4_Final(unsigned char *md, MD4_CTX *c);
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-int MD4_Init(MD4_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD4)
{
c->A=INIT_DATA_A;
c->B=INIT_DATA_B;
int num;
} MD5_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD5_Init(MD5_CTX *c);
+#endif
int MD5_Init(MD5_CTX *c);
int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
int MD5_Final(unsigned char *md, MD5_CTX *c);
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-int MD5_Init(MD5_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD5)
{
c->A=INIT_DATA_A;
c->B=INIT_DATA_B;
int pad_type; /* either 1 or 2, default 1 */
} MDC2_CTX;
-
+#ifdef OPENSSL_FIPS
+int private_MDC2_Init(MDC2_CTX *c);
+#endif
int MDC2_Init(MDC2_CTX *c);
int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
int MDC2_Final(unsigned char *md, MDC2_CTX *c);
#include <stdlib.h>
#include <string.h>
#include <openssl/des.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
#include <openssl/mdc2.h>
#undef c2l
*((c)++)=(unsigned char)(((l)>>24L)&0xff))
static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len);
-int MDC2_Init(MDC2_CTX *c)
+FIPS_NON_FIPS_MD_Init(MDC2)
{
c->num=0;
c->pad_type=1;
RC2_INT data[64];
} RC2_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+ int bits);
+#endif
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
int enc);
*/
#include <openssl/rc2.h>
+#include <openssl/crypto.h>
#include "rc2_locl.h"
static unsigned char key_table[256]={
* BSAFE uses the 'retarded' version. What I previously shipped is
* the same as specifying 1024 for the 'bits' parameter. Bsafe uses
* a version where the bits parameter is the same as len*8 */
+
+#ifdef OPENSSL_FIPS
+void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+ {
+ if (FIPS_mode())
+ FIPS_BAD_ABORT(RC2)
+ private_RC2_set_key(key, len, data, bits);
+ }
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+ int bits)
+#else
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+#endif
{
int i,j;
unsigned char *k;
const char *RC4_options(void);
+#ifdef OPENSSL_FIPS
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+#endif
void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
unsigned char *outdata);
*/
#include <openssl/rc4.h>
+#include <openssl/crypto.h>
#include "rc4_locl.h"
#include <openssl/opensslv.h>
* Date: Wed, 14 Sep 1994 06:35:31 GMT
*/
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(RC4)
{
register RC4_INT tmp;
register int id1,id2;
RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
} RC5_32_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+ int rounds);
+#endif
void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
int rounds);
void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key,
* [including the GNU Public Licence.]
*/
+#include <openssl/crypto.h>
#include <openssl/rc5.h>
#include "rc5_locl.h"
+
+#ifdef OPENSSL_FIPS
+void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+ int rounds)
+ {
+ if (FIPS_mode())
+ FIPS_BAD_ABORT(RC5)
+ private_RC5_32_set_key(key, len, data, rounds);
+ }
+void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+ int rounds)
+#else
void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
int rounds)
+#endif
{
RC5_32_INT L[64],l,ll,A,B,*S,k;
int i,j,m,c,t,ii,jj;
int num;
} RIPEMD160_CTX;
+#ifdef OPENSSL_FIPS
+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
+#endif
int RIPEMD160_Init(RIPEMD160_CTX *c);
int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
#include <stdio.h>
#include "rmd_locl.h"
+#include <openssl/fips.h>
#include <openssl/opensslv.h>
const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
# endif
-int RIPEMD160_Init(RIPEMD160_CTX *c)
+FIPS_NON_FIPS_MD_Init(RIPEMD160)
{
c->A=RIPEMD160_A;
c->B=RIPEMD160_B;
} SHA_CTX;
#ifndef OPENSSL_NO_SHA0
+#ifdef OPENSSL_FIPS
+int private_SHA_Init(SHA_CTX *c);
+#endif
int SHA_Init(SHA_CTX *c);
int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
int SHA_Final(unsigned char *md, SHA_CTX *c);
#define INIT_DATA_h3 0x10325476UL
#define INIT_DATA_h4 0xc3d2e1f0UL
+#if defined(SHA_0) && defined(OPENSSL_FIPS)
+FIPS_NON_FIPS_MD_Init(SHA)
+#else
int HASH_INIT (SHA_CTX *c)
+#endif
{
c->h0=INIT_DATA_h0;
c->h1=INIT_DATA_h1;
{
unsigned long ret=0;
unsigned char md[16];
+ EVP_MD_CTX md_ctx;
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+ EVP_MD_CTX_init(&md_ctx);
+ EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+ EVP_DigestFinal_ex(&md_ctx,md,NULL);
+ EVP_MD_CTX_cleanup(&md_ctx);
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
else
return 0;
}
-
+
/* Check a certificate chains extensions for consistency
* with the supplied purpose
q=md_buf;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
#endif
k=0;
EVP_MD_CTX_init(&m5);
+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_init(&s1);
for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
{
void ssl3_init_finished_mac(SSL *s)
{
+ EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
}
j=0;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
HMAC_CTX_init(&ctx);
HMAC_CTX_init(&ctx_tmp);
+ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
HMAC_Update(&ctx,seed,seed_len);
projects / oweals / openssl.git / commitdiff