TLS/SSL and crypto library
Revision | 03b7b4690c772a1f92f57969e08ff4ac1fb7570d (tree) |
---|---|
Zeit | 2007-08-19 21:49:07 |
Autor | Dr. Stephen Henson <steve@open...> |
Commiter | Dr. Stephen Henson |
Cleaner check of self test status.
@@ -120,9 +120,6 @@ | ||
120 | 120 | |
121 | 121 | void EVP_MD_CTX_init(EVP_MD_CTX *ctx) |
122 | 122 | { |
123 | -#ifdef OPENSSL_FIPS | |
124 | - FIPS_selftest_check(); | |
125 | -#endif | |
126 | 123 | memset(ctx,'\0',sizeof *ctx); |
127 | 124 | } |
128 | 125 |
@@ -265,6 +262,14 @@ static int do_evp_md_engine(EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl) | ||
265 | 262 | int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) |
266 | 263 | { |
267 | 264 | M_EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); |
265 | +#ifdef OPENSSL_FIPS | |
266 | + if(FIPS_selftest_failed()) | |
267 | + { | |
268 | + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); | |
269 | + ctx->digest = &bad_md; | |
270 | + return 0; | |
271 | + } | |
272 | +#endif | |
268 | 273 | #ifndef OPENSSL_NO_ENGINE |
269 | 274 | /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts |
270 | 275 | * so this context may already have an ENGINE! Try to avoid releasing |
@@ -305,6 +310,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) | ||
305 | 310 | int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, |
306 | 311 | size_t count) |
307 | 312 | { |
313 | +#ifdef OPENSSL_FIPS | |
314 | + FIPS_selftest_check(); | |
315 | +#endif | |
308 | 316 | return ctx->digest->update(ctx,data,count); |
309 | 317 | } |
310 | 318 |
@@ -321,6 +329,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) | ||
321 | 329 | int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) |
322 | 330 | { |
323 | 331 | int ret; |
332 | +#ifdef OPENSSL_FIPS | |
333 | + FIPS_selftest_check(); | |
334 | +#endif | |
324 | 335 | |
325 | 336 | OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); |
326 | 337 | ret=ctx->digest->final(ctx,md); |
@@ -199,6 +199,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp | ||
199 | 199 | enc = 1; |
200 | 200 | ctx->encrypt = enc; |
201 | 201 | } |
202 | +#ifdef OPENSSL_NO_FIPS | |
203 | + if(FIPS_selftest_failed()) | |
204 | + { | |
205 | + FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); | |
206 | + ctx->cipher = &bad_cipher; | |
207 | + return 0; | |
208 | + } | |
209 | +#endif | |
202 | 210 | #ifndef OPENSSL_NO_ENGINE |
203 | 211 | /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts |
204 | 212 | * so this context may already have an ENGINE! Try to avoid releasing |
@@ -339,6 +347,9 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) | ||
339 | 347 | |
340 | 348 | int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) |
341 | 349 | { |
350 | +#ifdef OPENSSL_FIPS | |
351 | + FIPS_selftest_check(); | |
352 | +#endif | |
342 | 353 | return ctx->cipher->do_cipher(ctx,out,in,inl); |
343 | 354 | } |
344 | 355 |
@@ -66,6 +66,14 @@ | ||
66 | 66 | #endif |
67 | 67 | #include "evp_locl.h" |
68 | 68 | |
69 | +#ifdef OPENSSL_FIPS | |
70 | + #define M_do_cipher(ctx, out, in, inl) \ | |
71 | + EVP_Cipher(ctx,out,in,inl) | |
72 | +#else | |
73 | + #define M_do_cipher(ctx, out, in, inl) \ | |
74 | + ctx->cipher->do_cipher(ctx,out,in,inl) | |
75 | +#endif | |
76 | + | |
69 | 77 | const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; |
70 | 78 | |
71 | 79 | EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) |
@@ -138,7 +146,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, | ||
138 | 146 | OPENSSL_assert(inl > 0); |
139 | 147 | if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0) |
140 | 148 | { |
141 | - if(ctx->cipher->do_cipher(ctx,out,in,inl)) | |
149 | + if(M_do_cipher(ctx,out,in,inl)) | |
142 | 150 | { |
143 | 151 | *outl=inl; |
144 | 152 | return 1; |
@@ -165,7 +173,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, | ||
165 | 173 | { |
166 | 174 | j=bl-i; |
167 | 175 | memcpy(&(ctx->buf[i]),in,j); |
168 | - if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,bl)) return 0; | |
176 | + if(!M_do_cipher(ctx,out,ctx->buf,bl)) return 0; | |
169 | 177 | inl-=j; |
170 | 178 | in+=j; |
171 | 179 | out+=bl; |
@@ -178,7 +186,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, | ||
178 | 186 | inl-=i; |
179 | 187 | if (inl > 0) |
180 | 188 | { |
181 | - if(!ctx->cipher->do_cipher(ctx,out,in,inl)) return 0; | |
189 | + if(!M_do_cipher(ctx,out,in,inl)) return 0; | |
182 | 190 | *outl+=inl; |
183 | 191 | } |
184 | 192 |
@@ -222,7 +230,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) | ||
222 | 230 | n=b-bl; |
223 | 231 | for (i=bl; i<b; i++) |
224 | 232 | ctx->buf[i]=n; |
225 | - ret=ctx->cipher->do_cipher(ctx,out,ctx->buf,b); | |
233 | + ret=M_do_cipher(ctx,out,ctx->buf,b); | |
226 | 234 | |
227 | 235 | |
228 | 236 | if(ret) |
@@ -74,6 +74,8 @@ static ERR_STRING_DATA FIPS_str_functs[]= | ||
74 | 74 | {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN), "DSA_BUILTIN_PARAMGEN"}, |
75 | 75 | {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, |
76 | 76 | {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, |
77 | +{ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"}, | |
78 | +{ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, | |
77 | 79 | {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "FIPS_CHECK_DSA"}, |
78 | 80 | {ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT), "FIPS_CHECK_INCORE_FINGERPRINT"}, |
79 | 81 | {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "FIPS_CHECK_RSA"}, |
@@ -107,6 +107,8 @@ void ERR_load_FIPS_strings(void); | ||
107 | 107 | #define FIPS_F_DSA_BUILTIN_PARAMGEN 101 |
108 | 108 | #define FIPS_F_DSA_DO_SIGN 102 |
109 | 109 | #define FIPS_F_DSA_DO_VERIFY 103 |
110 | +#define FIPS_F_EVP_CIPHERINIT_EX 124 | |
111 | +#define FIPS_F_EVP_DIGESTINIT_EX 125 | |
110 | 112 | #define FIPS_F_FIPS_CHECK_DSA 104 |
111 | 113 | #define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105 |
112 | 114 | #define FIPS_F_FIPS_CHECK_RSA 106 |