Browse code
bb11176 - Instruct OpenSSL to allow MD5 when in FIPS-compliant mode
Shawn Webb authored on 2014/11/13 04:30:39Showing 1 changed files
| ... | ... |
@@ -151,6 +151,11 @@ unsigned char *cl_hash_data(char *alg, const void *buf, size_t len, unsigned cha |
| 151 | 151 |
return NULL; |
| 152 | 152 |
} |
| 153 | 153 |
|
| 154 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 155 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 156 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 157 |
+#endif |
|
| 158 |
+ |
|
| 154 | 159 |
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
|
| 155 | 160 |
if (!(obuf)) |
| 156 | 161 |
free(ret); |
| ... | ... |
@@ -212,6 +217,11 @@ unsigned char *cl_hash_file_fd(int fd, char *alg, unsigned int *olen) |
| 212 | 212 |
if (!(ctx)) |
| 213 | 213 |
return NULL; |
| 214 | 214 |
|
| 215 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 216 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 217 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 218 |
+#endif |
|
| 219 |
+ |
|
| 215 | 220 |
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
|
| 216 | 221 |
EVP_MD_CTX_destroy(ctx); |
| 217 | 222 |
return NULL; |
| ... | ... |
@@ -321,6 +331,11 @@ int cl_verify_signature_hash(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsi |
| 321 | 321 |
|
| 322 | 322 |
mdsz = EVP_MD_size(md); |
| 323 | 323 |
|
| 324 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 325 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 326 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 327 |
+#endif |
|
| 328 |
+ |
|
| 324 | 329 |
if (!EVP_VerifyInit_ex(ctx, md, NULL)) {
|
| 325 | 330 |
EVP_MD_CTX_destroy(ctx); |
| 326 | 331 |
return -1; |
| ... | ... |
@@ -365,6 +380,11 @@ int cl_verify_signature_fd(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsign |
| 365 | 365 |
return -1; |
| 366 | 366 |
} |
| 367 | 367 |
|
| 368 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 369 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 370 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 371 |
+#endif |
|
| 372 |
+ |
|
| 368 | 373 |
if (!EVP_VerifyInit_ex(ctx, md, NULL)) {
|
| 369 | 374 |
free(digest); |
| 370 | 375 |
EVP_MD_CTX_destroy(ctx); |
| ... | ... |
@@ -435,6 +455,11 @@ int cl_verify_signature(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned |
| 435 | 435 |
return -1; |
| 436 | 436 |
} |
| 437 | 437 |
|
| 438 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 439 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 440 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 441 |
+#endif |
|
| 442 |
+ |
|
| 438 | 443 |
if (!EVP_VerifyInit_ex(ctx, md, NULL)) {
|
| 439 | 444 |
free(digest); |
| 440 | 445 |
if (decode) |
| ... | ... |
@@ -643,6 +668,11 @@ unsigned char *cl_sign_data(EVP_PKEY *pkey, char *alg, unsigned char *hash, unsi |
| 643 | 643 |
return NULL; |
| 644 | 644 |
} |
| 645 | 645 |
|
| 646 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 647 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 648 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 649 |
+#endif |
|
| 650 |
+ |
|
| 646 | 651 |
if (!EVP_SignInit_ex(ctx, md, NULL)) {
|
| 647 | 652 |
free(sig); |
| 648 | 653 |
EVP_MD_CTX_destroy(ctx); |
| ... | ... |
@@ -1078,6 +1108,11 @@ void *cl_hash_init(const char *alg) |
| 1078 | 1078 |
return NULL; |
| 1079 | 1079 |
} |
| 1080 | 1080 |
|
| 1081 |
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
|
| 1082 |
+ /* we will be using MD5, which is not allowed under FIPS */ |
|
| 1083 |
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
|
| 1084 |
+#endif |
|
| 1085 |
+ |
|
| 1081 | 1086 |
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
|
| 1082 | 1087 |
EVP_MD_CTX_destroy(ctx); |
| 1083 | 1088 |
return NULL; |