Cleaner check of self test status.
This commit is contained in:
Dr. Stephen Henson
parent
0fd9322af1
commit
03b7b4690c
5 changed files with 41 additions and 7 deletions
|
|
@ -120,9 +120,6 @@
|
|||
|
||||
void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
FIPS_selftest_check();
|
||||
#endif
|
||||
memset(ctx,'\0',sizeof *ctx);
|
||||
}
|
||||
|
||||
|
|
@ -265,6 +262,14 @@ static int do_evp_md_engine(EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
|
|||
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
|
||||
{
|
||||
M_EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
|
||||
#ifdef OPENSSL_FIPS
|
||||
if(FIPS_selftest_failed())
|
||||
{
|
||||
FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
|
||||
ctx->digest = &bad_md;
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
|
||||
* so this context may already have an ENGINE! Try to avoid releasing
|
||||
|
|
@ -305,6 +310,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
|
|||
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
|
||||
size_t count)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
FIPS_selftest_check();
|
||||
#endif
|
||||
return ctx->digest->update(ctx,data,count);
|
||||
}
|
||||
|
||||
|
|
@ -321,6 +329,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
|
|||
int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
|
||||
{
|
||||
int ret;
|
||||
#ifdef OPENSSL_FIPS
|
||||
FIPS_selftest_check();
|
||||
#endif
|
||||
|
||||
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
|
||||
ret=ctx->digest->final(ctx,md);
|
||||
|
|
|
|||
|
|
@ -199,6 +199,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
|
|||
enc = 1;
|
||||
ctx->encrypt = enc;
|
||||
}
|
||||
#ifdef OPENSSL_NO_FIPS
|
||||
if(FIPS_selftest_failed())
|
||||
{
|
||||
FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
|
||||
ctx->cipher = &bad_cipher;
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
|
||||
* so this context may already have an ENGINE! Try to avoid releasing
|
||||
|
|
@ -339,6 +347,9 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
|
|||
|
||||
int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
FIPS_selftest_check();
|
||||
#endif
|
||||
return ctx->cipher->do_cipher(ctx,out,in,inl);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -66,6 +66,14 @@
|
|||
#endif
|
||||
#include "evp_locl.h"
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define M_do_cipher(ctx, out, in, inl) \
|
||||
EVP_Cipher(ctx,out,in,inl)
|
||||
#else
|
||||
#define M_do_cipher(ctx, out, in, inl) \
|
||||
ctx->cipher->do_cipher(ctx,out,in,inl)
|
||||
#endif
|
||||
|
||||
const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
|
||||
|
|
@ -138,7 +146,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
|||
OPENSSL_assert(inl > 0);
|
||||
if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
|
||||
{
|
||||
if(ctx->cipher->do_cipher(ctx,out,in,inl))
|
||||
if(M_do_cipher(ctx,out,in,inl))
|
||||
{
|
||||
*outl=inl;
|
||||
return 1;
|
||||
|
|
@ -165,7 +173,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
|||
{
|
||||
j=bl-i;
|
||||
memcpy(&(ctx->buf[i]),in,j);
|
||||
if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,bl)) return 0;
|
||||
if(!M_do_cipher(ctx,out,ctx->buf,bl)) return 0;
|
||||
inl-=j;
|
||||
in+=j;
|
||||
out+=bl;
|
||||
|
|
@ -178,7 +186,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
|||
inl-=i;
|
||||
if (inl > 0)
|
||||
{
|
||||
if(!ctx->cipher->do_cipher(ctx,out,in,inl)) return 0;
|
||||
if(!M_do_cipher(ctx,out,in,inl)) return 0;
|
||||
*outl+=inl;
|
||||
}
|
||||
|
||||
|
|
@ -222,7 +230,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
|||
n=b-bl;
|
||||
for (i=bl; i<b; i++)
|
||||
ctx->buf[i]=n;
|
||||
ret=ctx->cipher->do_cipher(ctx,out,ctx->buf,b);
|
||||
ret=M_do_cipher(ctx,out,ctx->buf,b);
|
||||
|
||||
|
||||
if(ret)
|
||||
|
|
|
|||
|
|
@ -74,6 +74,8 @@ static ERR_STRING_DATA FIPS_str_functs[]=
|
|||
{ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN), "DSA_BUILTIN_PARAMGEN"},
|
||||
{ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
|
||||
{ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
|
||||
{ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"},
|
||||
{ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "FIPS_CHECK_DSA"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT), "FIPS_CHECK_INCORE_FINGERPRINT"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "FIPS_CHECK_RSA"},
|
||||
|
|
|
|||
|
|
@ -107,6 +107,8 @@ void ERR_load_FIPS_strings(void);
|
|||
#define FIPS_F_DSA_BUILTIN_PARAMGEN 101
|
||||
#define FIPS_F_DSA_DO_SIGN 102
|
||||
#define FIPS_F_DSA_DO_VERIFY 103
|
||||
#define FIPS_F_EVP_CIPHERINIT_EX 124
|
||||
#define FIPS_F_EVP_DIGESTINIT_EX 125
|
||||
#define FIPS_F_FIPS_CHECK_DSA 104
|
||||
#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
|
||||
#define FIPS_F_FIPS_CHECK_RSA 106
|
||||
|
|
|
|||
Loading…
Reference in a new issue