Prohibit low level cipher APIs in FIPS mode.

[openssl.git] / crypto / crypto.h

diff --git a/crypto/crypto.h b/crypto/crypto.h
index da3e27bc2f815089146aa9bb6bf05d871def8a8e..6aeda0a9ace31b4cec2d817745045eae0bc471b9 100644 (file)
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -563,9 +563,15 @@ void OPENSSL_init(void);
        return private_##alg##_Init(c); \
        } \
        int private_##alg##_Init(cx##_CTX *c)
+
+#define fips_cipher_abort(alg) \
+       if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+               "Low level API call to cipher " #alg " forbidden in FIPS mode!")
+
 #else
 #define fips_md_init_ctx(alg, cx) \
        int alg##_Init(cx##_CTX *c)
+#define fips_cipher_abort(alg) while(0)
 #endif
 
 /* BEGIN ERROR CODES */