authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-12-20 15:36:59 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-19 08:39:36 +0100
commit0bca8ce7c2ed2cdadb52466ae5147ea9cb3997aa (patch)
tree79190e3ca998d82c9d98999970ddcd7a12c8c8ec /lib/crypto-api.c
parent76bc340c4815e1e6d03390a6cd2ff4f097755255 (diff)
fips140: enforcement of hash and MACs use moved to crypto-api.c and hash_int.c
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/crypto-api.c')
-rw-r--r--lib/crypto-api.c28
1 files changed, 11 insertions, 17 deletions
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 788627a118..eeb2610a53 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -299,6 +299,7 @@ void gnutls_cipher_deinit(gnutls_cipher_hd_t handle)
/* HMAC */
+
/**
* gnutls_hmac_init:
* @dig: is a #gnutls_hmac_hd_t type
@@ -323,15 +324,9 @@ gnutls_hmac_init(gnutls_hmac_hd_t * dig,
gnutls_mac_algorithm_t algorithm,
const void *key, size_t keylen)
{
-#ifdef ENABLE_FIPS140
/* MD5 is only allowed internally for TLS */
- if (_gnutls_fips_mode_enabled() != 0 &&
- _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
-
- if (algorithm == GNUTLS_MAC_MD5)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- }
-#endif
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
*dig = gnutls_malloc(sizeof(mac_hd_st));
if (*dig == NULL) {
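Review bot: The retained comment `/* MD5 is only allowed internally for TLS */` in gnutls_hmac_init no longer describes the check beneath it, because the policy now lives in is_mac_algo_forbidden() and may cover more than MD5. I would reword it to something like `/* in FIPS140 mode, reject MACs not approved for application use */`, or drop it as the gnutls_hash_init hunk does. The removed block also carried the `ENABLE_FIPS140` guard and the `LIB_STATE_SELFTEST` exemption inline; the helper is defined outside this diff, so it is worth confirming that it keeps both, otherwise the self-tests or non-FIPS builds could change behaviour. The function body continues past the end of the hunk.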
@@ -446,6 +441,9 @@ gnutls_hmac_fast(gnutls_mac_algorithm_t algorithm,
const void *key, size_t keylen,
const void *ptext, size_t ptext_len, void *digest)
{
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+
return _gnutls_mac_fast(algorithm, key, keylen, ptext, ptext_len,
digest);
}
@@ -470,15 +468,8 @@ int
gnutls_hash_init(gnutls_hash_hd_t * dig,
gnutls_digest_algorithm_t algorithm)
{
-#ifdef ENABLE_FIPS140
- /* MD5 is only allowed internally for TLS */
- if (_gnutls_fips_mode_enabled() != 0 &&
- _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
-
- if (algorithm == GNUTLS_DIG_MD5)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- }
-#endif
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
*dig = gnutls_malloc(sizeof(digest_hd_st));
if (*dig == NULL) {
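Review bot: gnutls_hash_init passes a `gnutls_digest_algorithm_t` to is_mac_algo_forbidden(), a predicate named for MAC identifiers, so the FIPS filter is only correct while the digest and MAC enum values coincide; the removed code compared against `GNUTLS_DIG_MD5` explicitly. If the two numberings ever diverge, a non-approved digest could pass this check without any compiler diagnostic. I would make the conversion explicit, e.g. `if (is_mac_algo_forbidden((gnutls_mac_algorithm_t)algorithm))`, or add a digest-specific wrapper, and state the value-equality assumption in a comment beside it. The same call appears in the gnutls_hash_fast hunk. The helper's prototype is not visible here, so the implicit enum conversion is inferred from its name.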
@@ -573,6 +564,9 @@ int
gnutls_hash_fast(gnutls_digest_algorithm_t algorithm,
const void *ptext, size_t ptext_len, void *digest)
{
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+
return _gnutls_hash_fast(algorithm, ptext, ptext_len, digest);
}