Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
+ *) Experimental multi-implementation support for FIPS capable OpenSSL.
+ When in FIPS mode the approved implementations are used as normal,
+ when not in FIPS mode the internal unapproved versions are used instead.
+ This means that the FIPS capable OpenSSL isn't forced to use the
+ (often lower perfomance) FIPS implementations outside FIPS mode.
+ [Steve Henson]
+
*) Transparently support X9.42 DH parameters when calling
PEM_read_bio_DHparameters. This means existing applications can handle
the new parameter format automatically.
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
- e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
+ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
- e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
+ e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
SRC= $(LIBSRC)
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+#ifdef OPENSSL_FIPS_
+ /* If FIPS mode switch to approved implementation if possible */
+ if (FIPS_mode())
+ {
+ const EVP_MD *fipsmd;
+ if (type)
+ {
+ fipsmd = FIPS_get_digestbynid(EVP_MD_type(type));
+ if (fipsmd)
+ type = fipsmd;
+ }
+ }
+#endif
#ifndef OPENSSL_NO_ENGINE
/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
* so this context may already have an ENGINE! Try to avoid releasing
#include <assert.h>
#include <openssl/aes.h>
#include "evp_locl.h"
-#ifndef OPENSSL_FIPS
#include "modes_lcl.h"
#include <openssl/rand.h>
+#ifndef OPENSSL_FIPSCANISTER
+#undef EVP_CIPH_FLAG_FIPS
+#define EVP_CIPH_FLAG_FIPS 0
+#endif
+
typedef struct
{
AES_KEY ks;
case EVP_CTRL_GCM_SET_IVLEN:
if (arg <= 0)
return 0;
-#ifdef OPENSSL_FIPS
+#ifdef OPENSSL_FIPSCANISTER
if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
&& arg < 12)
return 0;
return 0;
if (!out || !in || len<AES_BLOCK_SIZE)
return 0;
-#ifdef OPENSSL_FIPS
+#ifdef OPENSSL_FIPSCANISTER
/* Requirement of SP800-38E */
if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
(len > (1UL<<20)*16))
BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
#endif
-#endif
#include <openssl/des.h>
#include <openssl/rand.h>
-#ifndef OPENSSL_FIPS
-
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv,int enc);
return &des_ede3_ecb;
}
#endif
-#endif
#include <openssl/evp.h>
#include <openssl/objects.h>
-#ifndef OPENSSL_FIPS
-
static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv,int enc);
static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
memcpy((char *)out,(const char *)in,inl);
return 1;
}
-#endif
#ifdef OPENSSL_FIPS
if (FIPS_mode())
+ {
+ const EVP_CIPHER *fcipher;
+ if (cipher)
+ fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
+ if (fcipher)
+ cipher = fcipher;
return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+ }
#endif
ctx->cipher=cipher;
if (ctx->cipher->ctx_size)
#endif
#ifndef OPENSSL_NO_SHA
-#ifndef OPENSSL_FIPS
static int init(EVP_MD_CTX *ctx)
{ return SHA1_Init(ctx->md_data); }
return(&dsa_md);
}
#endif
-#endif
#include <openssl/dsa.h>
#endif
-#ifndef OPENSSL_FIPS
-
static int init(EVP_MD_CTX *ctx)
{ return SHA1_Init(ctx->md_data); }
return(&dss1_md);
}
#endif
-#endif
#include <openssl/x509.h>
#ifndef OPENSSL_NO_SHA
-#ifndef OPENSSL_FIPS
static int init(EVP_MD_CTX *ctx)
{ return SHA1_Init(ctx->md_data); }
return(&ecdsa_md);
}
#endif
-#endif
#include <stdio.h>
#include "cryptlib.h"
-#ifndef OPENSSL_FIPS
-
#ifndef OPENSSL_NO_SHA
#include <openssl/evp.h>
{ return(&sha512_md); }
#endif /* ifndef OPENSSL_NO_SHA512 */
-#endif
unsigned char pad[HMAC_MAX_MD_CBLOCK];
#ifdef OPENSSL_FIPS
+ /* If FIPS mode switch to approved implementation if possible */
+ if (FIPS_mode())
+ {
+ const EVP_MD *fipsmd;
+ if (md)
+ {
+ fipsmd = FIPS_get_digestbynid(EVP_MD_type(md));
+ if (fipsmd)
+ md = fipsmd;
+ }
+ }
+
if (FIPS_mode())
{
/* If we have an ENGINE need to allow non FIPS */
rv = 0;
if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
return -1;
- if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
- return rv;
+ if (rctx->md)
+ {
+ const EVP_MD *fmd;
+ fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md));
+ if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+ return rv;
+ }
if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
- return rv;
+ {
+ const EVP_MD *fmd;
+ fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md));
+ if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+ return rv;
+ }
return 1;
}
#endif
projects / openssl.git / commitdiff