diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2015-10-15 21:16:52 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2015-10-15 21:16:55 +0200 |
commit | d949314986061044dd0c298e1d64315e2b5555ca (patch) | |
tree | 113c69b174a4da4275a831015c7dacc837006f64 | |
parent | 500af2badafb991ff580acd747630ed62902da29 (diff) | |
download | gnutls-d949314986061044dd0c298e1d64315e2b5555ca.tar.gz |
Disable the NULL cipher on runtime when FIPS140 mode is enabled instead of statically
That way the NULL cipher can be used when not in FIPS140 mode.
-rw-r--r-- | lib/algorithms/ciphers.c | 6 | ||||
-rw-r--r-- | lib/cipher_int.c | 11 | ||||
-rw-r--r-- | lib/priority.c | 2 |
3 files changed, 12 insertions, 7 deletions
diff --git a/lib/algorithms/ciphers.c b/lib/algorithms/ciphers.c index e69f54f38f..aaf3773607 100644 --- a/lib/algorithms/ciphers.c +++ b/lib/algorithms/ciphers.c @@ -200,18 +200,12 @@ static const cipher_entry_st algorithms[] = { .type = CIPHER_BLOCK, .explicit_iv = 8, .cipher_iv = 8}, -#ifndef ENABLE_FIPS140 - /* All the other ciphers are disabled on the back-end library. - * This needs to be disabled here as it is merely a placeholder - * rather than an actual cipher. - */ { .name = "NULL", .id = GNUTLS_CIPHER_NULL, .blocksize = 1, .keysize = 0, .type = CIPHER_STREAM }, -#endif {0, 0, 0, 0, 0, 0, 0} }; diff --git a/lib/cipher_int.c b/lib/cipher_int.c index 052d559330..c2113767e0 100644 --- a/lib/cipher_int.c +++ b/lib/cipher_int.c @@ -55,6 +55,17 @@ int _gnutls_cipher_exists(gnutls_cipher_algorithm_t cipher) const gnutls_crypto_cipher_st *cc; int ret; + /* All the other ciphers are disabled on the back-end library. + * The NULL needs to be detected here as it is merely a placeholder + * rather than an actual cipher. + */ + if (cipher == GNUTLS_CIPHER_NULL) { + if (_gnutls_fips_mode_enabled() == 0) + return 1; + else + return 0; + } + cc = _gnutls_get_crypto_cipher(cipher); if (cc != NULL) return 1; diff --git a/lib/priority.c b/lib/priority.c index ea629683eb..bb9493401f 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1145,7 +1145,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, != GNUTLS_MAC_UNKNOWN) { fn(&(*priority_cache)->mac, algo); } else if ((centry = cipher_name_to_entry(&broken_list[i][1])) != NULL) { - if (_gnutls_cipher_exists(centry->id) || centry->id == GNUTLS_CIPHER_NULL) { + if (_gnutls_cipher_exists(centry->id)) { fn(&(*priority_cache)->cipher, centry->id); if (centry->type == CIPHER_BLOCK) (*priority_cache)->have_cbc = 1; |