Index: crypto/evp/e_aes.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/e_aes.c,v
retrieving revision 1.6.2.10
diff -u -r1.6.2.10 e_aes.c
--- crypto/evp/e_aes.c	11 May 2004 12:45:23 -0000	1.6.2.10
+++ crypto/evp/e_aes.c	2 Jul 2004 17:43:14 -0000
@@ -67,32 +67,32 @@
 
 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
 		       NID_aes_128, 16, 16, 16, 128,
-		       0, aes_init_key, NULL, 
+		       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
 		       EVP_CIPHER_set_asn1_iv,
 		       EVP_CIPHER_get_asn1_iv,
 		       NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
 		       NID_aes_192, 16, 24, 16, 128,
-		       0, aes_init_key, NULL, 
+		       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
 		       EVP_CIPHER_set_asn1_iv,
 		       EVP_CIPHER_get_asn1_iv,
 		       NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
 		       NID_aes_256, 16, 32, 16, 128,
-		       0, aes_init_key, NULL, 
+		       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
 		       EVP_CIPHER_set_asn1_iv,
 		       EVP_CIPHER_get_asn1_iv,
 		       NULL)
 
-#define IMPLEMENT_AES_CFBR(ksize,cbits)	IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16)
+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags)	IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
 
-IMPLEMENT_AES_CFBR(128,1)
-IMPLEMENT_AES_CFBR(192,1)
-IMPLEMENT_AES_CFBR(256,1)
-
-IMPLEMENT_AES_CFBR(128,8)
-IMPLEMENT_AES_CFBR(192,8)
-IMPLEMENT_AES_CFBR(256,8)
+IMPLEMENT_AES_CFBR(128,1,0)
+IMPLEMENT_AES_CFBR(192,1,0)
+IMPLEMENT_AES_CFBR(256,1,0)
+
+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
 
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 		   const unsigned char *iv, int enc)
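Review bot: The AES CFB1 variants are left at `0` while the CFB8 variants and every `IMPLEMENT_BLOCK_CIPHER` line get `EVP_CIPH_FLAG_FIPS`, yet the e_des.c and e_des3.c hunks of this same patch flag their CFB1 definitions (`cbits` 1) as FIPS-suitable. One of the two is presumably unintended, and since this flag decides what may run in FIPS mode the choice should be written down next to the invocations, e.g. `/* CFB1 left unflagged for FIPS mode: <reason> */` above `IMPLEMENT_AES_CFBR(128,1,0)`. If CFB1 is outside the validated set, the DES and 3DES CFB1 definitions should pass `0` as well.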
Index: crypto/evp/e_des.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/e_des.c,v
retrieving revision 1.5.2.8
diff -u -r1.5.2.8 e_des.c
--- crypto/evp/e_des.c	11 May 2004 12:45:23 -0000	1.5.2.8
+++ crypto/evp/e_des.c	2 Jul 2004 17:43:14 -0000
@@ -127,16 +127,18 @@
     }
 
 BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
-			0, des_init_key, NULL,
+			EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
 			EVP_CIPHER_set_asn1_iv,
 			EVP_CIPHER_get_asn1_iv,
 			NULL)
 
-BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,0,des_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
+		     EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
 		     EVP_CIPHER_get_asn1_iv,NULL)
 
-BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,0,des_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
+		     EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
 		     EVP_CIPHER_get_asn1_iv,NULL)
 
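Review bot: Single DES (`NID_des`, 56-bit effective key) is marked `EVP_CIPH_FLAG_FIPS` in all three definitions here, so it passes the FIPS-mode gate this patch adds in evp_enc.c and names.c. Confirm that single DES is really on the approved algorithm list for the validation being targeted. If it is kept only for legacy interoperability, record that in a comment such as `/* single DES: flagged for FIPS mode for legacy use only */`; otherwise pass `0`.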
Index: crypto/evp/e_des3.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/e_des3.c,v
retrieving revision 1.8.2.7
diff -u -r1.8.2.7 e_des3.c
--- crypto/evp/e_des3.c	11 May 2004 12:45:23 -0000	1.8.2.7
+++ crypto/evp/e_des3.c	2 Jul 2004 17:43:14 -0000
@@ -160,7 +160,7 @@
     }
 
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-			0, des_ede_init_key, NULL, 
+			EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL, 
 			EVP_CIPHER_set_asn1_iv,
 			EVP_CIPHER_get_asn1_iv,
 			NULL)
@@ -171,18 +171,18 @@
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 
 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-			0, des_ede3_init_key, NULL, 
+			EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL, 
 			EVP_CIPHER_set_asn1_iv,
 			EVP_CIPHER_get_asn1_iv,
 			NULL)
 
-BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0,
-		     des_ede3_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+		     EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
 		     EVP_CIPHER_get_asn1_iv,NULL)
 
-BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0,
-		     des_ede3_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+		     EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
 		     EVP_CIPHER_get_asn1_iv,NULL)
 
Index: crypto/evp/evp.h
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/evp.h,v
retrieving revision 1.86.2.15
diff -u -r1.86.2.15 evp.h
--- crypto/evp/evp.h	11 May 2004 12:45:23 -0000	1.86.2.15
+++ crypto/evp/evp.h	2 Jul 2004 17:43:14 -0000
@@ -117,6 +117,10 @@
 #include <openssl/aes.h>
 #endif
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 /*
 #define EVP_RC2_KEY_SIZE		16
 #define EVP_RC4_KEY_SIZE		16
@@ -290,6 +294,7 @@
 
 #define EVP_MD_FLAG_ONESHOT	0x0001 /* digest can only handle a single
 					* block */
+#define EVP_MD_FLAG_FIPS	0x0400 /* Note if suitable for use in FIPS mode */
 
 #define EVP_PKEY_NULL_method	NULL,NULL,{0,0,0,0}
 
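Review bot: The comment `Note if suitable for use in FIPS mode` does not say what the bit actually does, and the same wording is reused for `EVP_CIPH_FLAG_FIPS` in the next hunk. Going by the other files in this patch, an algorithm without the bit is refused with `EVP_R_DISABLED_FOR_FIPS` when `FIPS_mode` is set, so the flag is an allow-list marker and any new digest or cipher is rejected by default. I would state that, e.g. `/* Allowed in FIPS mode; unflagged digests are refused when FIPS_mode is set */`. For digests the only visible enforcement is in the names.c registration and lookup paths; whether a digest passed directly to the init routine is also checked cannot be seen from here and is worth confirming.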
@@ -373,6 +378,8 @@
 #define 	EVP_CIPH_CUSTOM_KEY_LENGTH	0x80
 /* Don't use standard block padding */
 #define 	EVP_CIPH_NO_PADDING		0x100
+/* Note if suitable for use in FIPS mode */
+#define		EVP_CIPH_FLAG_FIPS		0x400
 
 /* ctrl() values */
 
@@ -853,12 +860,16 @@
 /* Function codes. */
 #define EVP_F_AES_INIT_KEY				 129
 #define EVP_F_D2I_PKEY					 100
+#define EVP_F_EVP_ADD_CIPHER				 130
+#define EVP_F_EVP_ADD_DIGEST				 131
 #define EVP_F_EVP_CIPHERINIT				 123
 #define EVP_F_EVP_CIPHER_CTX_CTRL			 124
 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH		 122
 #define EVP_F_EVP_DECRYPTFINAL				 101
 #define EVP_F_EVP_DIGESTINIT				 128
 #define EVP_F_EVP_ENCRYPTFINAL				 127
+#define EVP_F_EVP_GET_CIPHERBYNAME			 132
+#define EVP_F_EVP_GET_DIGESTBYNAME			 133
 #define EVP_F_EVP_MD_CTX_COPY				 110
 #define EVP_F_EVP_OPENINIT				 102
 #define EVP_F_EVP_PBE_ALG_ADD				 115
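Review bot: The error-string tables that should go with these codes are not part of this view; four function codes are added here and `EVP_R_DISABLED_FOR_FIPS` in the next hunk. If evp_err.c is not regenerated alongside this header, a FIPS-mode refusal will print as bare numbers, which makes the rejection hard to diagnose in the field. Please confirm the generated table is updated in the same change.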
@@ -894,6 +905,7 @@
 #define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH		 138
 #define EVP_R_DECODE_ERROR				 114
 #define EVP_R_DIFFERENT_KEY_TYPES			 101
+#define EVP_R_DISABLED_FOR_FIPS				 141
 #define EVP_R_ENCODE_ERROR				 115
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
 #define EVP_R_EXPECTING_AN_RSA_KEY			 127
Index: crypto/evp/evp_enc.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/evp_enc.c,v
retrieving revision 1.28.2.10
diff -u -r1.28.2.10 evp_enc.c
--- crypto/evp/evp_enc.c	1 Dec 2003 13:25:39 -0000	1.28.2.10
+++ crypto/evp/evp_enc.c	2 Jul 2004 17:43:14 -0000
@@ -146,7 +146,16 @@
 		else
 			ctx->engine = NULL;
 #endif
-
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode)
+			{
+			if (!(cipher->flags & EVP_CIPH_FLAG_FIPS))
+				{
+				EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
+				return 0;
+				}
+			}
+#endif
 		ctx->cipher=cipher;
 		if (ctx->cipher->ctx_size)
 			{
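Review bot: `if (FIPS_mode)` tests the identifier itself rather than calling it, here and in the later evp_enc.c and names.c hunks. That is only correct if fips.h declares `FIPS_mode` as an integer object; if it is a function, the condition is always true and every unflagged cipher is refused in any OPENSSL_FIPS build, so this should be confirmed against the header, which is not in this view. The two nested `if`s can also be written as one: `if (FIPS_mode && !(cipher->flags & EVP_CIPH_FLAG_FIPS))`. The `return 0` sits after the engine block, so `ctx->engine` may already be assigned when the function bails out; the enclosing function starts and ends outside the hunk, so I cannot see whether that state is released.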
@@ -271,6 +280,9 @@
 	int i,j,bl;
 
 	OPENSSL_assert(inl > 0);
+#ifdef OPENSSL_FIPS
+	OPENSSL_assert(!FIPS_mode || ctx->cipher->flags & EVP_CIPH_FLAG_FIPS);
+#endif
 	if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
 		{
 		if(ctx->cipher->do_cipher(ctx,out,in,inl))
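Review bot: `OPENSSL_assert` turns a policy violation into a process abort, whereas the init path in this same file reports `EVP_R_DISABLED_FOR_FIPS` and returns 0; a caller that reaches this routine with an unflagged cipher (for example a context initialised before FIPS mode was switched on) takes the whole application down. Raising the error with `EVPerr` and returning 0 would match the init path. At minimum the mixed `||`/`&` expression should be parenthesised: `OPENSSL_assert(!FIPS_mode || (ctx->cipher->flags & EVP_CIPH_FLAG_FIPS));`. Only this one routine gets the check in the visible hunks, and its body starts and ends outside the hunk, so the other update and final routines should be confirmed as covered.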
Index: crypto/evp/evp_locl.h
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/evp_locl.h,v
retrieving revision 1.7.2.6
diff -u -r1.7.2.6 evp_locl.h
--- crypto/evp/evp_locl.h	11 May 2004 12:45:23 -0000	1.7.2.6
+++ crypto/evp/evp_locl.h	2 Jul 2004 17:43:14 -0000
@@ -226,11 +226,11 @@
 
 #define EVP_C_DATA(kstruct, ctx)	((kstruct *)(ctx)->cipher_data)
 
-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
 	BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
 	BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
 			     NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-			     0, cipher##_init_key, NULL, \
+			     flags, cipher##_init_key, NULL, \
 			     EVP_CIPHER_set_asn1_iv, \
 			     EVP_CIPHER_get_asn1_iv, \
 			     NULL)
Index: crypto/evp/m_dss.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/m_dss.c,v
retrieving revision 1.8
diff -u -r1.8 m_dss.c
--- crypto/evp/m_dss.c	7 Sep 2001 12:03:21 -0000	1.8
+++ crypto/evp/m_dss.c	2 Jul 2004 17:43:14 -0000
@@ -77,7 +77,7 @@
 	NID_dsaWithSHA,
 	NID_dsaWithSHA,
 	SHA_DIGEST_LENGTH,
-	0,
+	EVP_MD_FLAG_FIPS,
 	init,
 	update,
 	final,
Index: crypto/evp/m_sha1.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/m_sha1.c,v
retrieving revision 1.8
diff -u -r1.8 m_sha1.c
--- crypto/evp/m_sha1.c	7 Sep 2001 12:03:24 -0000	1.8
+++ crypto/evp/m_sha1.c	2 Jul 2004 17:43:14 -0000
@@ -77,7 +77,7 @@
 	NID_sha1,
 	NID_sha1WithRSAEncryption,
 	SHA_DIGEST_LENGTH,
-	0,
+	EVP_MD_FLAG_FIPS,
 	init,
 	update,
 	final,
Index: crypto/evp/names.c
===================================================================
RCS file: /work/dev/sys/openssl/openssl/crypto/evp/names.c,v
retrieving revision 1.7
diff -u -r1.7 names.c
--- crypto/evp/names.c	9 Mar 2001 02:50:35 -0000	1.7
+++ crypto/evp/names.c	2 Jul 2004 17:43:14 -0000
@@ -61,11 +61,25 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
 int EVP_add_cipher(const EVP_CIPHER *c)
 	{
 	int r;
 
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode)
+		{
+		if (!(c->flags & EVP_CIPH_FLAG_FIPS))
+			{
+				EVPerr(EVP_F_EVP_ADD_CIPHER, EVP_R_DISABLED_FOR_FIPS);
+				return 0;
+			}
+		}
+#endif
+
 	r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(char *)c);
 	if (r == 0) return(0);
 	r=OBJ_NAME_add(OBJ_nid2ln(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(char *)c);
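Review bot: A refused registration pushes `EVP_R_DISABLED_FOR_FIPS` onto the error queue for every unflagged cipher, and the digest registration in the next hunk does the same. If the bulk registration helpers ignore the return value (they are not in this view), FIPS-mode start-up leaves a run of stale errors that a later, unrelated failure will then report. Consider returning 0 without `EVPerr` here, or documenting that callers must clear the queue after registration. The gate also only takes effect if `FIPS_mode` is set before registration runs, which deserves a one-line comment above the check.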
@@ -77,6 +91,16 @@
 	int r;
 	const char *name;
 
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode)
+		{
+		if (!(md->flags & EVP_MD_FLAG_FIPS))
+			{
+				EVPerr(EVP_F_EVP_ADD_DIGEST, EVP_R_DISABLED_FOR_FIPS);
+				return 0;
+			}
+		}
+#endif
 	name=OBJ_nid2sn(md->type);
 	r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(char *)md);
 	if (r == 0) return(0);
@@ -99,6 +123,16 @@
 	const EVP_CIPHER *cp;
 
 	cp=(const EVP_CIPHER *)OBJ_NAME_get(name,OBJ_NAME_TYPE_CIPHER_METH);
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode)
+		{
+		if (!(cp->flags & EVP_CIPH_FLAG_FIPS))
+			{
+				EVPerr(EVP_F_EVP_GET_CIPHERBYNAME, EVP_R_DISABLED_FOR_FIPS);
+				return 0;
+			}
+		}
+#endif
 	return(cp);
 	}
 
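Review bot: `cp` is dereferenced without a NULL check: `OBJ_NAME_get` returns NULL for a name that is not registered, so in FIPS mode such a lookup crashes at `cp->flags` instead of returning NULL. Because the registration hunks above refuse unflagged ciphers in FIPS mode, every non-FIPS cipher name is likely to take exactly this path. The digest lookup in the next hunk has the same problem. Guard both, e.g. `if (FIPS_mode && cp != NULL && !(cp->flags & EVP_CIPH_FLAG_FIPS))`. The function's opening lines are outside the hunk.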
@@ -107,6 +141,16 @@
 	const EVP_MD *cp;
 
 	cp=(const EVP_MD *)OBJ_NAME_get(name,OBJ_NAME_TYPE_MD_METH);
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode)
+		{
+		if (!(cp->flags & EVP_MD_FLAG_FIPS))
+			{
+				EVPerr(EVP_F_EVP_ADD_DIGEST, EVP_R_DISABLED_FOR_FIPS);
+				return 0;
+			}
+		}
+#endif
 	return(cp);
 	}
 
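Review bot: The error is raised with `EVP_F_EVP_ADD_DIGEST`, but this hunk is apparently the by-name digest lookup (it reads from `OBJ_NAME_get` with `OBJ_NAME_TYPE_MD_METH`), and evp.h in this patch defines `EVP_F_EVP_GET_DIGESTBYNAME` (133), which nothing visible uses. As written, a refused lookup is reported as coming from the registration function, which misleads anyone reading the error queue. Change the line to `EVPerr(EVP_F_EVP_GET_DIGESTBYNAME, EVP_R_DISABLED_FOR_FIPS);`.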
