FIPS algorithm blocking.
Non FIPS algorithms are not normally allowed in FIPS mode. Any attempt to use them via high level functions will return an error. The low level non-FIPS algorithm functions cannot return errors so they produce assertion failures. HMAC also has to give an assertion error because it (erroneously) can't return an error either. There are exceptions (such as MD5 in TLS and non cryptographic use of algorithms) and applications can override the blocking and use non FIPS algorithms anyway. For low level functions the override is performed by prefixing the algorithm initialization function with "private_", for example private_MD5_Init(). For high level functions an override is performed by setting a flag in the context.
parent
12dfa84310
commit
d0edffc7da
53 changed files with 294 additions and 49 deletions
10
apps/dgst.c
10
apps/dgst.c
|
@ -108,6 +108,7 @@ int MAIN(int argc, char **argv)
|
|||
char *engine=NULL;
|
||||
#endif
|
||||
char *hmac_key=NULL;
|
||||
int non_fips_allow = 0;
|
||||
|
||||
apps_startup();
|
||||
|
||||
|
@ -192,6 +193,8 @@ int MAIN(int argc, char **argv)
|
|||
out_bin = 1;
|
||||
else if (strcmp(*argv,"-d") == 0)
|
||||
debug=1;
|
||||
else if (strcmp(*argv,"-non-fips-allow") == 0)
|
||||
non_fips_allow=1;
|
||||
else if (!strcmp(*argv,"-hmac"))
|
||||
{
|
||||
if (--argc < 1)
|
||||
|
@ -342,6 +345,13 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
|
||||
if (non_fips_allow)
|
||||
{
|
||||
EVP_MD_CTX *md_ctx;
|
||||
BIO_get_md_ctx(bmd,&md_ctx);
|
||||
EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
}
|
||||
|
||||
/* we use md as a filter, reading from 'in' */
|
||||
if (!BIO_set_md(bmd,md))
|
||||
{
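Review bot: The result of `BIO_get_md_ctx(bmd,&md_ctx)` in the `non_fips_allow` block is not checked, so if the control call fails `md_ctx` is passed to `EVP_MD_CTX_set_flags()` uninitialised. Guard it with `if (!BIO_get_md_ctx(bmd,&md_ctx))` and take whatever error exit MAIN already uses (it is outside this hunk). The block also runs before `BIO_set_md(bmd,md)`, which appears to work only because of the `BIO_C_GET_MD_CTX` change elsewhere in this commit; a comment such as `/* must be set before BIO_set_md() initialises the digest */` would keep that ordering from being rearranged later.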
|
||||
|
|
|
@ -109,7 +109,7 @@ int MAIN(int argc, char **argv)
|
|||
int maciter = PKCS12_DEFAULT_ITER;
|
||||
int twopass = 0;
|
||||
int keytype = 0;
|
||||
int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
|
||||
int cert_pbe;
|
||||
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
|
||||
int ret = 1;
|
||||
int macver = 1;
|
||||
|
@ -126,6 +126,13 @@ int MAIN(int argc, char **argv)
|
|||
|
||||
apps_startup();
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode())
|
||||
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
|
||||
else
|
||||
#endif
|
||||
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
|
||||
|
||||
enc = EVP_des_ede3_cbc();
|
||||
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
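Review bot: The default for `cert_pbe` is now chosen by an unbraced `if`/`else` whose `else` arm lies outside the `#ifdef OPENSSL_FIPS` block, so a statement later inserted between `#endif` and the assignment would become the `else` arm in FIPS builds and make the RC2 assignment unconditional. Keeping the initialiser on the declaration and overriding it inside the guard is less fragile: `if (FIPS_mode()) cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;`. A short comment that 40-bit RC2 is not usable in FIPS mode would explain the switch.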
|
||||
|
||||
|
|
|
@ -58,11 +58,12 @@
|
|||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/blowfish.h>
|
||||
#include "bf_locl.h"
|
||||
#include "bf_pi.h"
|
||||
|
||||
void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
|
||||
FIPS_NON_FIPS_VCIPHER_Init(BF)
|
||||
{
|
||||
int i;
|
||||
BF_LONG *p,ri,in[2];
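Review bot: Replacing the definition line with `FIPS_NON_FIPS_VCIPHER_Init(BF)` hides the signature of `BF_set_key` from anyone reading or searching this file; the same applies to the CAST, RC4, MD2, MD4, MD5, MDC2, RIPEMD160 and SHA definitions changed further down this commit. A comment above the macro use would help, for example `/* Expands to BF_set_key() (blocked in FIPS mode) followed by the header of private_BF_set_key(key, len, data) */`. The function body continues past the end of this hunk.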
|
||||
|
|
|
@ -104,7 +104,10 @@ typedef struct bf_key_st
|
|||
BF_LONG S[4*256];
|
||||
} BF_KEY;
|
||||
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
|
||||
#endif
|
||||
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
|
||||
|
||||
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
|
||||
|
|
|
@ -56,7 +56,9 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/cast.h>
|
||||
|
||||
#include "cast_lcl.h"
|
||||
#include "cast_s.h"
|
||||
|
||||
|
@ -72,7 +74,7 @@
|
|||
#define S6 CAST_S_table6
|
||||
#define S7 CAST_S_table7
|
||||
|
||||
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
|
||||
FIPS_NON_FIPS_VCIPHER_Init(CAST)
|
||||
{
|
||||
CAST_LONG x[16];
|
||||
CAST_LONG z[16];
|
||||
|
|
|
@ -81,7 +81,10 @@ typedef struct cast_key_st
|
|||
int short_key; /* Use reduced rounds for short key */
|
||||
} CAST_KEY;
|
||||
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
|
||||
#endif
|
||||
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
|
||||
void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
|
||||
int enc);
|
||||
|
|
|
@ -439,6 +439,55 @@ void OpenSSLDie(const char *file,int line,const char *assertion);
|
|||
#ifdef OPENSSL_FIPS
|
||||
int FIPS_mode(void);
|
||||
void *FIPS_rand_check(void);
|
||||
|
||||
#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
|
||||
#alg " Algorithm forbidden in FIPS mode");
|
||||
|
||||
#ifdef OPENSSL_FIPS_STRICT
|
||||
#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
|
||||
#else
|
||||
#define FIPS_BAD_ALGORITHM(alg) \
|
||||
{ \
|
||||
FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
|
||||
ERR_add_error_data(2, "Algorithm=", #alg); \
|
||||
return 0; \
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Low level digest API blocking macro */
|
||||
|
||||
#define FIPS_NON_FIPS_MD_Init(alg) \
|
||||
int alg##_Init(alg##_CTX *c) \
|
||||
{ \
|
||||
if (FIPS_mode()) \
|
||||
FIPS_BAD_ALGORITHM(alg) \
|
||||
return private_##alg##_Init(c); \
|
||||
} \
|
||||
int private_##alg##_Init(alg##_CTX *c)
|
||||
|
||||
/* For ciphers the API often varies from cipher to cipher and each needs to
|
||||
* be treated as a special case. Variable key length ciphers (Blowfish, RC4,
|
||||
* CAST) however are very similar and can use a blocking macro.
|
||||
*/
|
||||
|
||||
#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
|
||||
void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
|
||||
{ \
|
||||
if (FIPS_mode()) \
|
||||
FIPS_BAD_ABORT(alg) \
|
||||
private_##alg##_set_key(key, len, data); \
|
||||
} \
|
||||
void private_##alg##_set_key(alg##_KEY *key, int len, \
|
||||
const unsigned char *data)
|
||||
|
||||
#else
|
||||
|
||||
#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
|
||||
void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
|
||||
|
||||
#define FIPS_NON_FIPS_MD_Init(alg) \
|
||||
int alg##_Init(alg##_CTX *c)
|
||||
|
||||
#endif /* def OPENSSL_FIPS */
|
||||
|
||||
/* BEGIN ERROR CODES */
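Review bot: In builds without `OPENSSL_FIPS_STRICT`, `FIPS_NON_FIPS_MD_Init` makes `alg##_Init()` return 0 in FIPS mode instead of aborting, so a caller that ignores the return value (callers are not visible here) goes on to `Update`/`Final` with a context that was never initialised and obtains a digest over indeterminate state. That differs from the commit description, which says the low-level functions assert, and it is a quiet failure rather than a blocked one; using `FIPS_BAD_ABORT(alg)` here, as the cipher macro does, would close it. Separately, `FIPS_BAD_ABORT` is defined with a trailing `;` and `FIPS_BAD_ALGORITHM` as a bare `{ ... }` block, which is why every use after `if (FIPS_mode())` is written without a semicolon; wrapping both in `do { ... } while (0)` would make them behave like ordinary statements. The non-strict variant also reports `FIPS_F_HASH_FINAL` as the failing function for every algorithm.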
|
||||
|
|
|
@ -192,13 +192,8 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
ret=0;
|
||||
break;
|
||||
case BIO_C_GET_MD_CTX:
|
||||
if (b->init)
|
||||
{
|
||||
pctx=ptr;
|
||||
*pctx=ctx;
|
||||
}
|
||||
else
|
||||
ret=0;
|
||||
pctx=ptr;
|
||||
*pctx=ctx;
|
||||
break;
|
||||
case BIO_C_SET_MD_CTX:
|
||||
if (b->init)
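Review bot: With the `b->init` test apparently removed, `BIO_C_GET_MD_CTX` now succeeds on a digest BIO that has no digest set, so callers that relied on a zero return to detect an unconfigured BIO instead receive a context that has presumably not been initialised with a digest. If the purpose is to let callers set context flags before `BIO_set_md()`, say so at the case label, e.g. `/* returned even before BIO_set_md() so that EVP_MD_CTX flags can be set first */`. `ptr` is dereferenced without a NULL check in the visible lines. `md_ctrl` starts and ends outside this hunk.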
|
||||
|
|
|
@ -195,6 +195,17 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
|
|||
#endif
|
||||
if (ctx->digest != type)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode())
|
||||
{
|
||||
if (!(type->flags & EVP_MD_FLAG_FIPS)
|
||||
&& !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
|
||||
{
|
||||
EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if (ctx->digest && ctx->digest->ctx_size)
|
||||
OPENSSL_free(ctx->md_data);
|
||||
ctx->digest=type;
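Review bot: The FIPS test sits inside `if (ctx->digest != type)`, so it only runs when the digest changes; a context that already carries a non-FIPS digest (for instance one set up before FIPS mode was entered, which is not visible here) is re-initialised without being checked. Moving the block above the `ctx->digest != type` test would make every `EVP_DigestInit_ex()` call subject to it. The cipher path in this commit adds `ERR_add_error_data(2, "cipher=", ...)`; the digest error would be easier to diagnose with an equivalent call naming the rejected digest. The function begins and ends outside the hunk.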
|
||||
|
|
|
@ -67,32 +67,32 @@ typedef struct
|
|||
|
||||
IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
|
||||
NID_aes_128, 16, 16, 16, 128,
|
||||
0, aes_init_key, NULL,
|
||||
EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,
|
||||
NULL)
|
||||
IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
|
||||
NID_aes_192, 16, 24, 16, 128,
|
||||
0, aes_init_key, NULL,
|
||||
EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,
|
||||
NULL)
|
||||
IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
|
||||
NID_aes_256, 16, 32, 16, 128,
|
||||
0, aes_init_key, NULL,
|
||||
EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,
|
||||
NULL)
|
||||
|
||||
#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16)
|
||||
#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
|
||||
|
||||
IMPLEMENT_AES_CFBR(128,1)
|
||||
IMPLEMENT_AES_CFBR(192,1)
|
||||
IMPLEMENT_AES_CFBR(256,1)
|
||||
IMPLEMENT_AES_CFBR(128,1,0)
|
||||
IMPLEMENT_AES_CFBR(192,1,0)
|
||||
IMPLEMENT_AES_CFBR(256,1,0)
|
||||
|
||||
IMPLEMENT_AES_CFBR(128,8)
|
||||
IMPLEMENT_AES_CFBR(192,8)
|
||||
IMPLEMENT_AES_CFBR(256,8)
|
||||
IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
|
||||
IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
|
||||
IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
|
||||
|
||||
static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
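Review bot: The 1-bit CFB variants are given `0` as their flags while CFB8 and the block modes get `EVP_CIPH_FLAG_FIPS`, but the DES and triple-DES definitions changed later in this commit mark their 1-bit CFB variants with `EVP_CIPH_FLAG_FIPS`. Nothing in the diff says which of the two is intended. Either align them or add a comment at `IMPLEMENT_AES_CFBR(128,1,0)` such as `/* CFB1 deliberately not flagged for FIPS mode: <reason> */`.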
|
||||
|
|
|
@ -127,16 +127,18 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
|||
}
|
||||
|
||||
BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
|
||||
0, des_init_key, NULL,
|
||||
EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,
|
||||
NULL)
|
||||
|
||||
BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,0,des_init_key,NULL,
|
||||
BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
|
||||
EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,NULL)
|
||||
|
||||
BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,0,des_init_key,NULL,
|
||||
BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
|
||||
EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,NULL)
|
||||
|
||||
|
|
|
@ -160,7 +160,7 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
|||
}
|
||||
|
||||
BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
|
||||
0, des_ede_init_key, NULL,
|
||||
EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,
|
||||
NULL)
|
||||
|
@ -171,18 +171,18 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
|
|||
#define des_ede3_ecb_cipher des_ede_ecb_cipher
|
||||
|
||||
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
|
||||
0, des_ede3_init_key, NULL,
|
||||
EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,
|
||||
NULL)
|
||||
|
||||
BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0,
|
||||
des_ede3_init_key,NULL,
|
||||
BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
|
||||
EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,NULL)
|
||||
|
||||
BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0,
|
||||
des_ede3_init_key,NULL,
|
||||
BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
|
||||
EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
|
||||
EVP_CIPHER_set_asn1_iv,
|
||||
EVP_CIPHER_get_asn1_iv,NULL)
|
||||
|
||||
|
|
|
@ -117,6 +117,10 @@
|
|||
#include <openssl/aes.h>
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
#define EVP_RC2_KEY_SIZE 16
|
||||
#define EVP_RC4_KEY_SIZE 16
|
||||
|
@ -290,6 +294,7 @@ struct env_md_st
|
|||
|
||||
#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single
|
||||
* block */
|
||||
#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
|
||||
|
||||
#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0}
|
||||
|
||||
|
@ -332,6 +337,9 @@ struct env_md_ctx_st
|
|||
#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
|
||||
* in EVP_MD_CTX_cleanup */
|
||||
|
||||
#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
|
||||
* in FIPS mode */
|
||||
|
||||
struct evp_cipher_st
|
||||
{
|
||||
int nid;
|
||||
|
@ -373,6 +381,10 @@ struct evp_cipher_st
|
|||
#define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80
|
||||
/* Don't use standard block padding */
|
||||
#define EVP_CIPH_NO_PADDING 0x100
|
||||
/* Note if suitable for use in FIPS mode */
|
||||
#define EVP_CIPH_FLAG_FIPS 0x400
|
||||
/* Allow non FIPS cipher in FIPS mode */
|
||||
#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
|
||||
|
||||
/* ctrl() values */
|
||||
|
||||
|
@ -853,12 +865,16 @@ void ERR_load_EVP_strings(void);
|
|||
/* Function codes. */
|
||||
#define EVP_F_AES_INIT_KEY 129
|
||||
#define EVP_F_D2I_PKEY 100
|
||||
#define EVP_F_EVP_ADD_CIPHER 130
|
||||
#define EVP_F_EVP_ADD_DIGEST 131
|
||||
#define EVP_F_EVP_CIPHERINIT 123
|
||||
#define EVP_F_EVP_CIPHER_CTX_CTRL 124
|
||||
#define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
|
||||
#define EVP_F_EVP_DECRYPTFINAL 101
|
||||
#define EVP_F_EVP_DIGESTINIT 128
|
||||
#define EVP_F_EVP_ENCRYPTFINAL 127
|
||||
#define EVP_F_EVP_GET_CIPHERBYNAME 132
|
||||
#define EVP_F_EVP_GET_DIGESTBYNAME 133
|
||||
#define EVP_F_EVP_MD_CTX_COPY 110
|
||||
#define EVP_F_EVP_OPENINIT 102
|
||||
#define EVP_F_EVP_PBE_ALG_ADD 115
|
||||
|
@ -894,6 +910,7 @@ void ERR_load_EVP_strings(void);
|
|||
#define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
|
||||
#define EVP_R_DECODE_ERROR 114
|
||||
#define EVP_R_DIFFERENT_KEY_TYPES 101
|
||||
#define EVP_R_DISABLED_FOR_FIPS 141
|
||||
#define EVP_R_ENCODE_ERROR 115
|
||||
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
|
||||
#define EVP_R_EXPECTING_AN_RSA_KEY 127
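Review bot: `EVP_CIPH_FLAG_NON_FIPS_ALLOW` is added to the list of `evp_cipher_st` flag values, yet `EVP_CipherInit_ex()` in this commit tests it against `ctx->flags`, not `cipher->flags`. The comment should state which flags word it belongs to, for instance `/* EVP_CIPHER_CTX flag: allow a non FIPS cipher in FIPS mode */`, and it would read better kept apart from the per-cipher flags. No setter for the cipher context flags is visible on this page, so it is also unclear how an application is expected to set it.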
|
||||
|
|
|
@ -146,7 +146,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
|
|||
else
|
||||
ctx->engine = NULL;
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode())
|
||||
{
|
||||
if (!(cipher->flags & EVP_CIPH_FLAG_FIPS)
|
||||
& !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
|
||||
{
|
||||
EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
|
||||
ERR_add_error_data(2, "cipher=", EVP_CIPHER_name(cipher));
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
ctx->cipher=cipher;
|
||||
if (ctx->cipher->ctx_size)
|
||||
{
|
||||
|
@ -271,6 +282,9 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
|||
int i,j,bl;
|
||||
|
||||
OPENSSL_assert(inl > 0);
|
||||
#ifdef OPENSSL_FIPS
|
||||
OPENSSL_assert(!FIPS_mode() || ctx->cipher->flags & EVP_CIPH_FLAG_FIPS);
|
||||
#endif
|
||||
if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
|
||||
{
|
||||
if(ctx->cipher->do_cipher(ctx,out,in,inl))
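Review bot: The assertion added to `EVP_EncryptUpdate()` tests only `EVP_CIPH_FLAG_FIPS`, so a context that passed the `EVP_CipherInit_ex()` check by setting `EVP_CIPH_FLAG_NON_FIPS_ALLOW` will abort the process on its first update in FIPS mode. The assert should honour the same override: `OPENSSL_assert(!FIPS_mode() || (ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) || (ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW));`. In the init check the two conditions are joined with bitwise `&`; the result is correct because both operands are 0 or 1, but `&&` would match the digest check and the intent. Both functions extend beyond their hunks.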
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* crypto/evp/evp_err.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -68,12 +68,16 @@ static ERR_STRING_DATA EVP_str_functs[]=
|
|||
{
|
||||
{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"},
|
||||
{ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"},
|
||||
{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0), "EVP_add_cipher"},
|
||||
{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0), "EVP_add_digest"},
|
||||
{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"},
|
||||
{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"},
|
||||
{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"},
|
||||
{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"},
|
||||
{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"},
|
||||
{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"},
|
||||
{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0), "EVP_get_cipherbyname"},
|
||||
{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0), "EVP_get_digestbyname"},
|
||||
{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"},
|
||||
{ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"},
|
||||
{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"},
|
||||
|
@ -112,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
|
|||
{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
|
||||
{EVP_R_DECODE_ERROR ,"decode error"},
|
||||
{EVP_R_DIFFERENT_KEY_TYPES ,"different key types"},
|
||||
{EVP_R_DISABLED_FOR_FIPS ,"disabled for fips"},
|
||||
{EVP_R_ENCODE_ERROR ,"encode error"},
|
||||
{EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"},
|
||||
{EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"},
|
||||
|
|
|
@ -226,11 +226,26 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
|
|||
|
||||
#define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data)
|
||||
|
||||
#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
|
||||
#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
|
||||
BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
|
||||
BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
|
||||
NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
|
||||
0, cipher##_init_key, NULL, \
|
||||
flags, cipher##_init_key, NULL, \
|
||||
EVP_CIPHER_set_asn1_iv, \
|
||||
EVP_CIPHER_get_asn1_iv, \
|
||||
NULL)
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define RC2_set_key private_RC2_set_key
|
||||
#define RC4_set_key private_RC4_set_key
|
||||
#define CAST_set_key private_CAST_set_key
|
||||
#define RC5_32_set_key private_RC5_32_set_key
|
||||
#define BF_set_key private_BF_set_key
|
||||
|
||||
#define MD5_Init private_MD5_Init
|
||||
#define MD4_Init private_MD4_Init
|
||||
#define MD2_Init private_MD2_Init
|
||||
#define MDC2_Init private_MDC2_Init
|
||||
#define SHA_Init private_SHA_Init
|
||||
|
||||
#endif
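Review bot: The redirect list covers RC2, RC4, CAST, RC5, Blowfish, MD5, MD4, MD2, MDC2 and SHA, but this commit also blocks `RIPEMD160_Init` and `idea_set_encrypt_key`, and no `#define` for them appears here. If the EVP wrappers for those two call the public names (not visible on this page), a caller that set the non-FIPS-allow flag would pass the EVP check and then hit the low-level block. Add `#define RIPEMD160_Init private_RIPEMD160_Init` and `#define idea_set_encrypt_key private_idea_set_encrypt_key`, or note why they are excluded. A comment that these macros rewrite every use in any file including this header, so it should only be pulled in by EVP method files, would also help.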
|
||||
|
|
|
@ -77,7 +77,7 @@ static const EVP_MD dsa_md=
|
|||
NID_dsaWithSHA,
|
||||
NID_dsaWithSHA,
|
||||
SHA_DIGEST_LENGTH,
|
||||
0,
|
||||
EVP_MD_FLAG_FIPS,
|
||||
init,
|
||||
update,
|
||||
final,
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
#include <stdio.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
#include "evp_locl.h"
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/md2.h>
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
#include <stdio.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
#include "evp_locl.h"
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/md4.h>
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
#include <stdio.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
#include "evp_locl.h"
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/md5.h>
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
#include <stdio.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
#include "evp_locl.h"
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/mdc2.h>
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
#include <stdio.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
#include "evp_locl.h"
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
|
||||
|
|
|
@ -77,7 +77,7 @@ static const EVP_MD sha1_md=
|
|||
NID_sha1,
|
||||
NID_sha1WithRSAEncryption,
|
||||
SHA_DIGEST_LENGTH,
|
||||
0,
|
||||
EVP_MD_FLAG_FIPS,
|
||||
init,
|
||||
update,
|
||||
final,
|
||||
|
|
|
@ -61,6 +61,9 @@
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#ifdef OPENSSL_FIPS
|
||||
#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
int EVP_add_cipher(const EVP_CIPHER *c)
|
||||
{
|
||||
|
|
|
@ -171,3 +171,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
|
|||
return(md);
|
||||
}
|
||||
|
||||
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
|
||||
{
|
||||
EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
|
||||
EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
|
||||
EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
|
||||
}
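Review bot: `HMAC_CTX_set_flags()` has no documentation and passes `flags` unfiltered to all three digest contexts, so any `EVP_MD_CTX_FLAG_*` value, not just the FIPS override, is applied to `i_ctx`, `o_ctx` and `md_ctx`. Add a header comment stating that it is meant to be called after `HMAC_CTX_init()` and before `HMAC_Init_ex()` (the order used in `tls1_P_hash` in this commit) and that its intended use is `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`. `ctx` is not checked for NULL.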
|
||||
|
||||
|
|
|
@ -98,6 +98,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
|
|||
const unsigned char *d, int n, unsigned char *md,
|
||||
unsigned int *md_len);
|
||||
|
||||
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
|
|
@ -57,10 +57,23 @@
|
|||
*/
|
||||
|
||||
#include <openssl/idea.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "idea_lcl.h"
|
||||
|
||||
static IDEA_INT inverse(unsigned int xin);
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
|
||||
{
|
||||
if (FIPS_mode())
|
||||
FIPS_BAD_ABORT(IDEA)
|
||||
private_idea_set_encrypt_key(key, ks);
|
||||
}
|
||||
void private_idea_set_encrypt_key(const unsigned char *key,
|
||||
IDEA_KEY_SCHEDULE *ks)
|
||||
#else
|
||||
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
|
||||
#endif
|
||||
{
|
||||
int i;
|
||||
register IDEA_INT *kt,*kf,r0,r1,r2;
|
||||
|
|
|
@ -82,6 +82,10 @@ typedef struct idea_key_st
|
|||
const char *idea_options(void);
|
||||
void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
|
||||
IDEA_KEY_SCHEDULE *ks);
|
||||
#ifdef OPENSSL_FIPS
|
||||
void private_idea_set_encrypt_key(const unsigned char *key,
|
||||
IDEA_KEY_SCHEDULE *ks);
|
||||
#endif
|
||||
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
|
||||
void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
|
||||
void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
|
||||
|
|
|
@ -80,6 +80,9 @@ typedef struct MD2state_st
|
|||
} MD2_CTX;
|
||||
|
||||
const char *MD2_options(void);
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MD2_Init(MD2_CTX *c);
|
||||
#endif
|
||||
int MD2_Init(MD2_CTX *c);
|
||||
int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
|
||||
int MD2_Final(unsigned char *md, MD2_CTX *c);
|
||||
|
|
|
@ -62,6 +62,8 @@
|
|||
#include <openssl/md2.h>
|
||||
#include <openssl/opensslv.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/fips.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
|
@ -116,7 +118,7 @@ const char *MD2_options(void)
|
|||
return("md2(int)");
|
||||
}
|
||||
|
||||
int MD2_Init(MD2_CTX *c)
|
||||
FIPS_NON_FIPS_MD_Init(MD2)
|
||||
{
|
||||
c->num=0;
|
||||
memset(c->state,0,sizeof c->state);
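Review bot: `<openssl/fips.h>` is included unconditionally here, whereas the EVP header and the file defining `EVP_add_cipher` in this commit wrap the same include in `#ifdef OPENSSL_FIPS`; the MDC2 and RIPEMD160 sources further down follow this file's form. If that header is not present in non-FIPS builds this breaks them, and in any case the two styles should agree: `#ifdef OPENSSL_FIPS` / `#include <openssl/fips.h>` / `#endif`. `<openssl/err.h>` is presumably needed only for the non-strict `FIPS_BAD_ALGORITHM` expansion and could sit under the same guard.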
|
||||
|
|
|
@ -559,7 +559,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
|
|||
static const unsigned char end[4]={0x80,0x00,0x00,0x00};
|
||||
const unsigned char *cp=end;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
#if 0
|
||||
if(FIPS_mode() && !FIPS_md5_allowed())
|
||||
{
|
||||
FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
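Review bot: Replacing `#ifdef OPENSSL_FIPS` with `#if 0` appears to leave the old `FIPS_md5_allowed()` check in `HASH_FINAL` behind as dead code. If the check has moved to the `*_Init` functions, delete the block, or at least add a comment such as `/* superseded by the FIPS_NON_FIPS_MD_Init blocking in the Init functions */` so it is not re-enabled by mistake. The disabled block continues past the end of this hunk.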
|
||||
|
|
|
@ -104,6 +104,9 @@ typedef struct MD4state_st
|
|||
int num;
|
||||
} MD4_CTX;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MD4_Init(MD4_CTX *c);
|
||||
#endif
|
||||
int MD4_Init(MD4_CTX *c);
|
||||
int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
|
||||
int MD4_Final(unsigned char *md, MD4_CTX *c);
|
||||
|
|
|
@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
|
|||
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
||||
#define INIT_DATA_D (unsigned long)0x10325476L
|
||||
|
||||
int MD4_Init(MD4_CTX *c)
|
||||
FIPS_NON_FIPS_MD_Init(MD4)
|
||||
{
|
||||
c->A=INIT_DATA_A;
|
||||
c->B=INIT_DATA_B;
|
||||
|
|
|
@ -104,6 +104,9 @@ typedef struct MD5state_st
|
|||
int num;
|
||||
} MD5_CTX;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MD5_Init(MD5_CTX *c);
|
||||
#endif
|
||||
int MD5_Init(MD5_CTX *c);
|
||||
int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
|
||||
int MD5_Final(unsigned char *md, MD5_CTX *c);
|
||||
|
|
|
@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
|
|||
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
||||
#define INIT_DATA_D (unsigned long)0x10325476L
|
||||
|
||||
int MD5_Init(MD5_CTX *c)
|
||||
FIPS_NON_FIPS_MD_Init(MD5)
|
||||
{
|
||||
c->A=INIT_DATA_A;
|
||||
c->B=INIT_DATA_B;
|
||||
|
|
|
@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
|
|||
int pad_type; /* either 1 or 2, default 1 */
|
||||
} MDC2_CTX;
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_MDC2_Init(MDC2_CTX *c);
|
||||
#endif
|
||||
int MDC2_Init(MDC2_CTX *c);
|
||||
int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
|
||||
int MDC2_Final(unsigned char *md, MDC2_CTX *c);
|
||||
|
|
|
@ -60,6 +60,8 @@
|
|||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/des.h>
|
||||
#include <openssl/fips.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/mdc2.h>
|
||||
|
||||
#undef c2l
|
||||
|
@ -75,7 +77,7 @@
|
|||
*((c)++)=(unsigned char)(((l)>>24L)&0xff))
|
||||
|
||||
static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len);
|
||||
int MDC2_Init(MDC2_CTX *c)
|
||||
FIPS_NON_FIPS_MD_Init(MDC2)
|
||||
{
|
||||
c->num=0;
|
||||
c->pad_type=1;
|
||||
|
|
|
@ -79,7 +79,10 @@ typedef struct rc2_key_st
|
|||
RC2_INT data[64];
|
||||
} RC2_KEY;
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
|
||||
int bits);
|
||||
#endif
|
||||
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
|
||||
void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
|
||||
int enc);
|
||||
|
|
|
@ -57,6 +57,7 @@
|
|||
*/
|
||||
|
||||
#include <openssl/rc2.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "rc2_locl.h"
|
||||
|
||||
static unsigned char key_table[256]={
|
||||
|
@ -90,7 +91,19 @@ static unsigned char key_table[256]={
|
|||
* BSAFE uses the 'retarded' version. What I previously shipped is
|
||||
* the same as specifying 1024 for the 'bits' parameter. Bsafe uses
|
||||
* a version where the bits parameter is the same as len*8 */
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
|
||||
{
|
||||
if (FIPS_mode())
|
||||
FIPS_BAD_ABORT(RC2)
|
||||
private_RC2_set_key(key, len, data, bits);
|
||||
}
|
||||
void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
|
||||
int bits)
|
||||
#else
|
||||
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
|
||||
#endif
|
||||
{
|
||||
int i,j;
|
||||
unsigned char *k;
|
||||
|
|
|
@ -81,6 +81,9 @@ typedef struct rc4_key_st
|
|||
|
||||
|
||||
const char *RC4_options(void);
|
||||
#ifdef OPENSSL_FIPS
|
||||
void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
|
||||
#endif
|
||||
void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
|
||||
void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
|
||||
unsigned char *outdata);
|
||||
|
|
|
@ -57,6 +57,7 @@
|
|||
*/
|
||||
|
||||
#include <openssl/rc4.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "rc4_locl.h"
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
|
@ -85,7 +86,7 @@ const char *RC4_options(void)
|
|||
* Date: Wed, 14 Sep 1994 06:35:31 GMT
|
||||
*/
|
||||
|
||||
void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
|
||||
FIPS_NON_FIPS_VCIPHER_Init(RC4)
|
||||
{
|
||||
register RC4_INT tmp;
|
||||
register int id1,id2;
|
||||
|
|
|
@ -92,7 +92,10 @@ typedef struct rc5_key_st
|
|||
RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
|
||||
} RC5_32_KEY;
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
|
||||
int rounds);
|
||||
#endif
|
||||
void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
|
||||
int rounds);
|
||||
void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key,
|
||||
|
|
|
@ -56,12 +56,26 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/rc5.h>
|
||||
#include "rc5_locl.h"
|
||||
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
|
||||
int rounds)
|
||||
{
|
||||
if (FIPS_mode())
|
||||
FIPS_BAD_ABORT(RC5)
|
||||
private_RC5_32_set_key(key, len, data, rounds);
|
||||
}
|
||||
void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
|
||||
int rounds)
|
||||
#else
|
||||
void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
|
||||
int rounds)
|
||||
#endif
|
||||
{
|
||||
RC5_32_INT L[64],l,ll,A,B,*S,k;
|
||||
int i,j,m,c,t,ii,jj;
|
||||
|
||||
|
|
|
@ -90,6 +90,9 @@ typedef struct RIPEMD160state_st
|
|||
int num;
|
||||
} RIPEMD160_CTX;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_RIPEMD160_Init(RIPEMD160_CTX *c);
|
||||
#endif
|
||||
int RIPEMD160_Init(RIPEMD160_CTX *c);
|
||||
int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
|
||||
int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
|
||||
|
|
|
@ -58,6 +58,7 @@
|
|||
|
||||
#include <stdio.h>
|
||||
#include "rmd_locl.h"
|
||||
#include <openssl/fips.h>
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
|
||||
|
@ -69,7 +70,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
|
|||
void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
|
||||
# endif
|
||||
|
||||
int RIPEMD160_Init(RIPEMD160_CTX *c)
|
||||
FIPS_NON_FIPS_MD_Init(RIPEMD160)
|
||||
{
|
||||
c->A=RIPEMD160_A;
|
||||
c->B=RIPEMD160_B;
|
||||
|
|
|
@ -105,6 +105,9 @@ typedef struct SHAstate_st
|
|||
} SHA_CTX;
|
||||
|
||||
#ifndef OPENSSL_NO_SHA0
|
||||
#ifdef OPENSSL_FIPS
|
||||
int private_SHA_Init(SHA_CTX *c);
|
||||
#endif
|
||||
int SHA_Init(SHA_CTX *c);
|
||||
int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
|
||||
int SHA_Final(unsigned char *md, SHA_CTX *c);
|
||||
|
|
|
@ -143,7 +143,11 @@
|
|||
#define INIT_DATA_h3 0x10325476UL
|
||||
#define INIT_DATA_h4 0xc3d2e1f0UL
|
||||
|
||||
#if defined(SHA_0) && defined(OPENSSL_FIPS)
|
||||
FIPS_NON_FIPS_MD_Init(SHA)
|
||||
#else
|
||||
int HASH_INIT (SHA_CTX *c)
|
||||
#endif
|
||||
{
|
||||
c->h0=INIT_DATA_h0;
|
||||
c->h1=INIT_DATA_h1;
|
||||
|
|
|
@ -322,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
|
|||
{
|
||||
unsigned long ret=0;
|
||||
unsigned char md[16];
|
||||
EVP_MD_CTX md_ctx;
|
||||
|
||||
/* Make sure X509_NAME structure contains valid cached encoding */
|
||||
i2d_X509_NAME(x,NULL);
|
||||
EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
|
||||
EVP_MD_CTX_init(&md_ctx);
|
||||
EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
|
||||
EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
|
||||
EVP_DigestFinal_ex(&md_ctx,md,NULL);
|
||||
EVP_MD_CTX_cleanup(&md_ctx);
|
||||
|
||||
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
|
||||
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
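Review bot: None of `EVP_DigestInit_ex()`, `EVP_DigestUpdate()` or `EVP_DigestFinal_ex()` is checked, so if initialisation is refused `md` is never written and `ret` is built from uninitialised stack bytes. Chain the three calls in one `if` and leave `ret` at 0 when any of them fails, still calling `EVP_MD_CTX_cleanup(&md_ctx)`. If the justification for the override is that MD5 is used here only as a lookup hash, record it next to the flag, e.g. `/* non-cryptographic use: MD5 only derives the name hash */`. The function continues beyond the hunk.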
|
||||
|
|
|
@ -365,7 +365,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
|||
else
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Check a certificate chains extensions for consistency
|
||||
* with the supplied purpose
|
||||
|
|
|
@ -1162,6 +1162,8 @@ static int ssl3_get_key_exchange(SSL *s)
|
|||
q=md_buf;
|
||||
for (num=2; num > 0; num--)
|
||||
{
|
||||
EVP_MD_CTX_set_flags(&md_ctx,
|
||||
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
EVP_DigestInit_ex(&md_ctx,(num == 2)
|
||||
?s->ctx->md5:s->ctx->sha1, NULL);
|
||||
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
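Review bot: `EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)` is executed on every pass of the `num` loop, including the SHA-1 pass, although the override is only needed for the MD5 one; the same pattern appears in `ssl3_send_server_key_exchange` later in this commit. If nothing in the loop resets the context, setting it once before the loop would read more clearly, together with a comment such as `/* MD5 is permitted here as part of the MD5+SHA1 signature input */`. The function extends beyond the hunk.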
|
||||
|
|
|
@ -146,6 +146,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
|
|||
#endif
|
||||
k=0;
|
||||
EVP_MD_CTX_init(&m5);
|
||||
EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
EVP_MD_CTX_init(&s1);
|
||||
for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
|
||||
{
|
||||
|
@ -501,6 +502,8 @@ int ssl3_enc(SSL *s, int send)
|
|||
|
||||
void ssl3_init_finished_mac(SSL *s)
|
||||
{
|
||||
EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
|
||||
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
|
||||
EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
|
||||
}
|
||||
|
|
|
@ -1213,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
|
|||
j=0;
|
||||
for (num=2; num > 0; num--)
|
||||
{
|
||||
EVP_MD_CTX_set_flags(&md_ctx,
|
||||
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
EVP_DigestInit_ex(&md_ctx,(num == 2)
|
||||
?s->ctx->md5:s->ctx->sha1, NULL);
|
||||
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
|
||||
|
|
|
@ -132,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
|
|||
|
||||
HMAC_CTX_init(&ctx);
|
||||
HMAC_CTX_init(&ctx_tmp);
|
||||
HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
|
||||
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
|
||||
HMAC_Update(&ctx,seed,seed_len);
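Review bot: Both HMAC contexts get `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` regardless of which `md` is passed to `tls1_P_hash()`, so the override applies to any digest a caller supplies, not only the MD5 half of the TLS PRF. A comment stating the intent, e.g. `/* TLS PRF needs HMAC-MD5; allowed in FIPS mode for this use only */`, would document it, and restricting the flag to the MD5 call would be tighter if the caller can tell the two apart. The function begins and ends outside the hunk.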
|
||||
|
|