authorDr. Stephen Henson <steve@openssl.org>2014-02-27 18:48:41 +0000
committerDr. Stephen Henson <steve@openssl.org>2014-02-27 19:18:58 +0000
commit5f2329b82a89c2ff03bd1f2ae8a13a4113e36fc6 (patch)
tree9e72f02b31b620a4c7b7ae3401e4e65f54c197a8
parent01fb5e133f8653a283bbf8a6fde92240c14d56ae (diff)
downloadopenssl-new-5f2329b82a89c2ff03bd1f2ae8a13a4113e36fc6.tar.gz
Fix fips flag handling.
Don't set the fips flags in cipher and digests as the implementations aren't suitable for FIPS mode and will be redirected to the FIPS module versions anyway. Return EVP_CIPH_FLAG_FIPS or EVP_MD_FLAG_FIPS if a FIPS implementation exists when calling EVP_CIPHER_flags and EVP_MD_flags respectively. Remove unused FIPS code from e_aes.c: the 1.0.2 branch will never be used to build a FIPS module.
-rw-r--r--crypto/evp/e_aes.c20
-rw-r--r--crypto/evp/e_des3.c4
-rw-r--r--crypto/evp/evp_lib.c19
3 files changed, 26 insertions, 17 deletions
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 46c5757af3..4740dab17a 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -56,10 +56,12 @@
#include <assert.h>
#include <openssl/aes.h>
#include "evp_locl.h"
-#ifndef OPENSSL_FIPS
#include "modes_lcl.h"
#include <openssl/rand.h>
+#undef EVP_CIPH_FLAG_FIPS
+#define EVP_CIPH_FLAG_FIPS 0
+
typedef struct
{
union { double align; AES_KEY ks; } ks;
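Review bot: The `#undef EVP_CIPH_FLAG_FIPS` / `#define EVP_CIPH_FLAG_FIPS 0` pair added after the includes has no comment in e_aes.c, while the identical pair in e_des3.c is introduced by `/* Block use of implementations in FIPS mode */`. Redefining a public header macro to 0 changes every later use in the translation unit, so a runtime test such as `flags & EVP_CIPH_FLAG_FIPS` anywhere below would silently become always false; nothing in the visible hunks does that, but most of the file is outside the diff. I would add a comment here, e.g. `/* These software implementations must not advertise EVP_CIPH_FLAG_FIPS; EVP_CIPHER_flags() reports it when the FIPS module provides the cipher */`. The e_des3.c comment could take the same wording, since defining the macro to 0 clears the flag in the cipher tables rather than blocking anything by itself.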
@@ -1136,11 +1138,6 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_GCM_SET_IVLEN:
if (arg <= 0)
return 0;
-#ifdef OPENSSL_FIPS
- if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
- && arg < 12)
- return 0;
-#endif
/* Allocate memory for IV if needed */
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
{
@@ -1703,15 +1700,6 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
return 0;
if (!out || !in || len<AES_BLOCK_SIZE)
return 0;
-#ifdef OPENSSL_FIPS
- /* Requirement of SP800-38E */
- if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
- (len > (1UL<<20)*16))
- {
- EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
- return 0;
- }
-#endif
if (xctx->stream)
(*xctx->stream)(in, out, len,
xctx->xts.key1, xctx->xts.key2, ctx->iv);
@@ -1985,5 +1973,3 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
{
return &aes_256_wrap;
}
-
-#endif
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index fa3b05cf14..24e9fec777 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -65,6 +65,10 @@
#include <openssl/des.h>
#include <openssl/rand.h>
+/* Block use of implementations in FIPS mode */
+#undef EVP_CIPH_FLAG_FIPS
+#define EVP_CIPH_FLAG_FIPS 0
+
typedef struct
{
union { double align; DES_key_schedule ks[3]; } ks;
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 2a87570b9e..c5509a9fb9 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -60,6 +60,9 @@
#include "cryptlib.h"
#include <openssl/evp.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
{
@@ -212,12 +215,22 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx)
unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
{
+#ifdef OPENSSL_FIPS
+ const EVP_CIPHER *fcipher;
+ fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
+ if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
+ return cipher->flags | EVP_CIPH_FLAG_FIPS;
+#endif
return cipher->flags;
}
unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
{
+#ifdef OPENSSL_FIPS
+ return EVP_CIPHER_flags(ctx->cipher);
+#else
return ctx->cipher->flags;
+#endif
}
void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
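Review bot: After this change `EVP_CIPHER_flags()` reports `EVP_CIPH_FLAG_FIPS` for any `EVP_CIPHER` whose type NID has a flagged entry in the FIPS module, not for the implementation actually passed in, and nothing at the function says so. A caller that reads the bit as "this object is an approved implementation" is now relying on the redirection described in the commit message; an implementation that merely shares the NID would presumably get the bit as well. I would document that at the function, e.g. `/* EVP_CIPH_FLAG_FIPS here means a FIPS implementation exists for this NID, not that *cipher is one */`, and parenthesise the test as `if (fcipher && (fcipher->flags & EVP_CIPH_FLAG_FIPS))`. The lookup key comes from `EVP_CIPHER_type()`, whose body is not shown here, so it is worth confirming it yields the NID the FIPS table is indexed by for every mode. The same points apply to `EVP_MD_flags()` and `FIPS_get_digestbynid()` in the last hunk.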
@@ -287,6 +300,12 @@ int EVP_MD_size(const EVP_MD *md)
unsigned long EVP_MD_flags(const EVP_MD *md)
{
+#ifdef OPENSSL_FIPS
+ const EVP_MD *fmd;
+ fmd = FIPS_get_digestbynid(EVP_MD_type(md));
+ if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
+ return md->flags | EVP_MD_FLAG_FIPS;
+#endif
return md->flags;
}