Return error codes for selftest failure instead of hard assertion errors.
[openssl.git] / fips / utl / fips_enc.c
index b3db931..55a880d 100644 (file)
@@ -256,11 +256,15 @@ int FIPS_cipher_ctx_cleanup(EVP_CIPHER_CTX *c)
 int FIPS_cipher_ctx_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 {
        int ret;
+       if (FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_FIPS_CIPHER_CTX_CTRL, FIPS_R_SELFTEST_FAILED);
+               return 0;
+               }
        if(!ctx->cipher) {
                EVPerr(EVP_F_FIPS_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
                return 0;
        }
-       FIPS_selftest_check();
 
        if(!ctx->cipher->ctrl) {
                EVPerr(EVP_F_FIPS_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED);
@@ -275,10 +279,62 @@ int FIPS_cipher_ctx_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
        return ret;
 }
 
+int FIPS_cipher_ctx_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
+       {
+       if ((in == NULL) || (in->cipher == NULL))
+               {
+               EVPerr(EVP_F_FIPS_CIPHER_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
+               return 0;
+               }
+
+       /* Only FIPS ciphers allowed */
+       if (FIPS_mode() && !(in->cipher->flags & EVP_CIPH_FLAG_FIPS) &&
+               !(out->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
+               {
+               EVPerr(EVP_F_FIPS_CIPHER_CTX_COPY, EVP_R_DISABLED_FOR_FIPS);
+               out->cipher = &bad_cipher;
+               return 0;
+               }
+
+       FIPS_cipher_ctx_cleanup(out);
+       memcpy(out,in,sizeof *out);
+
+       if (in->cipher_data && in->cipher->ctx_size)
+               {
+               out->cipher_data=OPENSSL_malloc(in->cipher->ctx_size);
+               if (!out->cipher_data)
+                       {
+                       EVPerr(EVP_F_FIPS_CIPHER_CTX_COPY,ERR_R_MALLOC_FAILURE);
+                       return 0;
+                       }
+               memcpy(out->cipher_data,in->cipher_data,in->cipher->ctx_size);
+               }
+
+       if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
+               return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
+       return 1;
+       }
+
+/* You can't really set the key length with FIPS, so just check that the
+   caller sets the length the context already has. */
+int FIPS_cipher_ctx_set_key_length(EVP_CIPHER_CTX *ctx, int keylen)
+       {
+       if (ctx->key_len == keylen)
+               return 1;
+
+       EVPerr(EVP_F_FIPS_CIPHER_CTX_SET_KEY_LENGTH,EVP_R_INVALID_KEY_LENGTH);
+       return 0;
+       }
+
+
 
 int FIPS_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        const unsigned char *in, unsigned int inl)
        {
-       FIPS_selftest_check();
+       if (FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_FIPS_CIPHER, FIPS_R_SELFTEST_FAILED);
+               return -1;
+               }
        return ctx->cipher->do_cipher(ctx,out,in,inl);
        }