wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Prohibit low level cipher APIs in FIPS mode.

Browse source 
Not complete: ciphers with assembly language key setup are not
covered yet.
This commit is contained in:
Dr. Stephen Henson 2011-06-01 16:54:06 +00:00
parent c7373c3dee
commit 916bcab28e
16 changed files with 93 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -4,6 +4,9 @@
Changes between 1.0.0d and 1.0.1 [xx XXX xxxx]
*) Add similar low level API blocking to ciphers.
[Steve Henson]
*) Low level digest APIs are not approved in FIPS mode: any attempt
to use these will cause a fatal error. Applications that *really* want
to use them can use the private_* version instead.

9
apps/speed.c
View file

@ -184,6 +184,15 @@
#include <openssl/ecdh.h>
#endif
#ifdef OPENSSL_FIPS
#define BF_set_key private_BF_set_key
#define CAST_set_key private_CAST_set_key
#define idea_set_encrypt_key private_idea_set_encrypt_key
#define SEED_set_key private_SEED_set_key
#define RC2_set_key private_RC2_set_key
#define DES_set_key_unchecked private_DES_set_key_unchecked
#endif
#ifndef HAVE_FORK
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
# define HAVE_FORK 0

8
crypto/bf/bf_skey.c
View file

@ -58,11 +58,19 @@
#include <stdio.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/blowfish.h>
#include "bf_locl.h"
#include "bf_pi.h"
void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
#ifdef OPENSSL_FIPS
{
fips_cipher_abort(BLOWFISH);
private_BF_set_key(key, len, data);
}
void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data)
#endif
{
int i;
BF_LONG *p,ri,in[2];

4
crypto/bf/blowfish.h
View file

@ -104,7 +104,9 @@ typedef struct bf_key_st
BF_LONG S[4*256];
} BF_KEY;
#ifdef OPENSSL_FIPS
void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
#endif
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);

9
crypto/cast/c_skey.c
View file

@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
#include <openssl/crypto.h>
#include <openssl/cast.h>
#include "cast_lcl.h"
#include "cast_s.h"
@ -71,8 +72,14 @@
#define S5 CAST_S_table5
#define S6 CAST_S_table6
#define S7 CAST_S_table7
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
#ifdef OPENSSL_FIPS
{
fips_cipher_abort(CAST);
private_CAST_set_key(key, len, data);
}
void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
#endif
{
CAST_LONG x[16];
CAST_LONG z[16];

4
crypto/cast/cast.h
View file

@ -83,7 +83,9 @@ typedef struct cast_key_st
int short_key; /* Use reduced rounds for short key */
} CAST_KEY;
#ifdef OPENSSL_FIPS
void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
#endif
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
int enc);

6
crypto/crypto.h
View file

@ -563,9 +563,15 @@ void OPENSSL_init(void);
return private_##alg##_Init(c); \
} \
int private_##alg##_Init(cx##_CTX *c)
#define fips_cipher_abort(alg) \
if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
"Low level API call to cipher " #alg " forbidden in FIPS mode!")
#else
#define fips_md_init_ctx(alg, cx) \
int alg##_Init(cx##_CTX *c)
#define fips_cipher_abort(alg) while(0)
#endif
/* BEGIN ERROR CODES */

3
crypto/des/des.h
View file

@ -224,6 +224,9 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule);
int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
#ifdef OPENSSL_FIPS
void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
#endif
void DES_string_to_key(const char *str,DES_cblock *key);
void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,

9
crypto/des/set_key.c
View file

@ -65,6 +65,8 @@
*/
#include "des_locl.h"
#include <openssl/crypto.h>
OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */
static const unsigned char odd_parity[256]={
@ -335,6 +337,13 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
}
void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
#ifdef OPENSSL_FIPS
{
fips_cipher_abort(DES);
private_DES_set_key_unchecked(key, schedule);
}
void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
#endif
{
static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
register DES_LONG c,d,t,s,t2;

8
crypto/evp/evp_locl.h
View file

@ -357,4 +357,12 @@ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
#define SHA256_Init private_SHA256_Init
#define SHA384_Init private_SHA384_Init
#define SHA512_Init private_SHA512_Init
#define BF_set_key private_BF_set_key
#define CAST_set_key private_CAST_set_key
#define idea_set_encrypt_key private_idea_set_encrypt_key
#define SEED_set_key private_SEED_set_key
#define RC2_set_key private_RC2_set_key
#define DES_set_key_unchecked private_DES_set_key_unchecked
#endif

8
crypto/idea/i_skey.c
View file

@ -56,11 +56,19 @@
* [including the GNU Public Licence.]
*/
#include <openssl/crypto.h>
#include <openssl/idea.h>
#include "idea_lcl.h"
static IDEA_INT inverse(unsigned int xin);
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
#ifdef OPENSSL_FIPS
{
fips_cipher_abort(IDEA);
private_idea_set_encrypt_key(key, ks);
}
void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
#endif
{
int i;
register IDEA_INT *kt,*kf,r0,r1,r2;

3
crypto/idea/idea.h
View file

@ -83,6 +83,9 @@ typedef struct idea_key_st
const char *idea_options(void);
void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
IDEA_KEY_SCHEDULE *ks);
#ifdef OPENSSL_FIPS
void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
#endif
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,

4
crypto/rc2/rc2.h
View file

@ -79,7 +79,9 @@ typedef struct rc2_key_st
RC2_INT data[64];
} RC2_KEY;
#ifdef OPENSSL_FIPS
void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
#endif
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
int enc);

8
crypto/rc2/rc2_skey.c
View file

@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
#include <openssl/crypto.h>
#include <openssl/rc2.h>
#include "rc2_locl.h"
@ -95,6 +96,13 @@ static const unsigned char key_table[256]={
* the same as specifying 1024 for the 'bits' parameter. Bsafe uses
* a version where the bits parameter is the same as len*8 */
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
#ifdef OPENSSL_FIPS
{
fips_cipher_abort(RC2);
private_RC2_set_key(key, len, data, bits);
}
void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
#endif
{
int i,j;
unsigned char *k;

9
crypto/seed/seed.c
View file

@ -32,6 +32,7 @@
#include <memory.h>
#endif
#include <openssl/crypto.h>
#include <openssl/seed.h>
#include "seed_locl.h"
@ -192,8 +193,14 @@ static const seed_word KC[] = {
KC0, KC1, KC2, KC3, KC4, KC5, KC6, KC7,
KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 };
#endif
void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
#ifdef OPENSSL_FIPS
{
fips_cipher_abort(SEED);
private_SEED_set_key(rawkey, ks);
}
void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
#endif
{
seed_word x1, x2, x3, x4;
seed_word t0, t1;

4
crypto/seed/seed.h
View file

@ -116,7 +116,9 @@ typedef struct seed_key_st {
#endif
} SEED_KEY_SCHEDULE;
#ifdef OPENSSL_FIPS
void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
#endif
void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks);