From 293c58c1e7bbeecea2b9a3ba81876034b8820073 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 29 May 2011 15:55:13 +0000 Subject: [PATCH] Use approved API for EVP digest operations in FIPS builds. Call OPENSSL_init() in a few more places to make sure it is always called at least once. Initial cipher API redirection (incomplete). --- crypto/evp/digest.c | 14 +++++++++++++- crypto/evp/evp_enc.c | 11 +++++++++++ crypto/evp/names.c | 2 ++ crypto/mem.c | 2 ++ 4 files changed, 28 insertions(+), 1 deletion(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index a0d5763b92..467e6b5ae9 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -244,7 +244,11 @@ skip_to_init: int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { +#ifdef OPENSSL_FIPS + return FIPS_digestupdate(ctx, data, count); +#else return ctx->update(ctx,data,count); +#endif } /* The caller can assume that this removes any secret data from the context */ @@ -259,8 +263,10 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { +#ifdef OPENSSL_FIPS + return FIPS_digestfinal(ctx, md, size); +#else int ret; - OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) @@ -272,6 +278,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) } memset(ctx->md_data,0,ctx->digest->ctx_size); return ret; +#endif } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) @@ -365,6 +372,7 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { +#ifndef OPENSSL_FIPS /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ @@ -377,6 +385,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } +#endif if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE @@ -384,6 +393,9 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) /* The EVP_MD we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); +#endif +#ifdef OPENSSL_FIPS + FIPS_md_ctx_cleanup(ctx); #endif memset(ctx,'\0',sizeof *ctx); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index a0bdf9856c..ccb4980e43 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -64,6 +64,9 @@ #ifndef OPENSSL_NO_ENGINE #include #endif +#ifdef OPENSSL_FIPS +#include +#endif #include "evp_locl.h" const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -155,6 +158,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp ctx->engine = NULL; #endif +#ifdef OPENSSL_FIPS + return FIPS_cipherinit(ctx, cipher, key, iv, enc); +#else ctx->cipher=cipher; if (ctx->cipher->ctx_size) { @@ -179,6 +185,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp return 0; } } +#endif } else if(!ctx->cipher) { @@ -188,6 +195,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #ifndef OPENSSL_NO_ENGINE skip_to_init: #endif +#ifdef OPENSSL_FIPS + return FIPS_cipherinit(ctx, cipher, key, iv, enc); +#else /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 @@ -233,6 +243,7 @@ skip_to_init: ctx->final_used=0; ctx->block_mask=ctx->cipher->block_size-1; return 1; +#endif } int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, diff --git a/crypto/evp/names.c b/crypto/evp/names.c index f2869f5c78..67c73c0bab 100644 --- a/crypto/evp/names.c +++ b/crypto/evp/names.c @@ -65,6 +65,7 @@ int EVP_add_cipher(const EVP_CIPHER *c) { int r; + OPENSSL_init(); r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c); if (r == 0) return(0); @@ -78,6 +79,7 @@ int EVP_add_digest(const EVP_MD *md) { int r; const char *name; + OPENSSL_init(); name=OBJ_nid2sn(md->type); r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); diff --git a/crypto/mem.c b/crypto/mem.c index 6f80dd33eb..46a4e6c6dd 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -125,6 +125,7 @@ static long (*get_debug_options_func)(void) = NULL; int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *)) { + OPENSSL_init(); if (!allow_customize) return 0; if ((m == 0) || (r == 0) || (f == 0)) @@ -184,6 +185,7 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int), void (*so)(long), long (*go)(void)) { + OPENSSL_init(); if (!allow_customize_debug) return 0; malloc_debug_func=m; -- 2.40.0