From: Dr. Stephen Henson Date: Thu, 27 Feb 2014 18:48:41 +0000 (+0000) Subject: Fix fips flag handling. X-Git-Tag: OpenSSL_1_0_2-beta2~299 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5f2329b82a89c2ff03bd1f2ae8a13a4113e36fc6;p=oweals%2Fopenssl.git Fix fips flag handling. Don't set the fips flags in cipher and digests as the implementations aren't suitable for FIPS mode and will be redirected to the FIPS module versions anyway. Return EVP_CIPH_FLAG_FIPS or EVP_MD_FLAG_FIPS if a FIPS implementation exists when calling EVP_CIPHER_flags and EVP_MD_flags repectively. Remove unused FIPS code from e_aes.c: the 1.0.2 branch will never be used to build a FIPS module. --- diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 46c5757af3..4740dab17a 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -56,10 +56,12 @@ #include #include #include "evp_locl.h" -#ifndef OPENSSL_FIPS #include "modes_lcl.h" #include +#undef EVP_CIPH_FLAG_FIPS +#define EVP_CIPH_FLAG_FIPS 0 + typedef struct { union { double align; AES_KEY ks; } ks; @@ -1136,11 +1138,6 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_GCM_SET_IVLEN: if (arg <= 0) return 0; -#ifdef OPENSSL_FIPS - if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) - && arg < 12) - return 0; -#endif /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { @@ -1703,15 +1700,6 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 0; if (!out || !in || lenflags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && - (len > (1UL<<20)*16)) - { - EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); - return 0; - } -#endif if (xctx->stream) (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, ctx->iv); @@ -1985,5 +1973,3 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) { return &aes_256_wrap; } - -#endif diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index fa3b05cf14..24e9fec777 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -65,6 +65,10 @@ #include #include +/* Block use of implementations in FIPS mode */ +#undef EVP_CIPH_FLAG_FIPS +#define EVP_CIPH_FLAG_FIPS 0 + typedef struct { union { double align; DES_key_schedule ks[3]; } ks; diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 2a87570b9e..c5509a9fb9 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -60,6 +60,9 @@ #include "cryptlib.h" #include #include +#ifdef OPENSSL_FIPS +#include +#endif int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { @@ -212,12 +215,22 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher) { +#ifdef OPENSSL_FIPS + const EVP_CIPHER *fcipher; + fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher)); + if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS) + return cipher->flags | EVP_CIPH_FLAG_FIPS; +#endif return cipher->flags; } unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) { +#ifdef OPENSSL_FIPS + return EVP_CIPHER_flags(ctx->cipher); +#else return ctx->cipher->flags; +#endif } void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) @@ -287,6 +300,12 @@ int EVP_MD_size(const EVP_MD *md) unsigned long EVP_MD_flags(const EVP_MD *md) { +#ifdef OPENSSL_FIPS + const EVP_MD *fmd; + fmd = FIPS_get_digestbynid(EVP_MD_type(md)); + if (fmd && fmd->flags & EVP_MD_FLAG_FIPS) + return md->flags | EVP_MD_FLAG_FIPS; +#endif return md->flags; }