This may be considered a bug.  When doing a FIPS build of OpenSSL
1.0.2a, some ciphers leverage the FIPS flavor of the cipher even when
FIPS mode is disabled.  This impacts performance since the FIPS ciphers
incur additional overhead.  The attached patch changes this behavior to
only invoke the FIPS flavor of a cipher when FIPS mode is enabled. 



>From 21abfef3f82621f89073a19e797ae105537cd68c Mon Sep 17 00:00:00 2001
From: jfigus <fol...@cisco.com>
Date: Wed, 15 Apr 2015 14:09:56 -0400
Subject: [PATCH] CSCut84778 - Disable use of FIPS digest and FIPS_cipher()
 when FIPS mode is disable.  Some unit tests binaries don't use fipsld, in
 which case the POST doesn't run and FIPS is not allowed.

---
 crypto/evp/digest.c  | 35 ++++++++++++++++++++---------------
 crypto/evp/evp_enc.c | 10 +++++++---
 2 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index f2643f3..f83eade 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -251,10 +251,11 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
 #ifdef OPENSSL_FIPS
-    return FIPS_digestupdate(ctx, data, count);
-#else
-    return ctx->update(ctx, data, count);
+    if (FIPS_mode()) {
+        return FIPS_digestupdate(ctx, data, count);
+    } else
 #endif
+    return ctx->update(ctx, data, count);
 }
 
 /* The caller can assume that this removes any secret data from the context */
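Review bot: `FIPS_mode()` is now re-read on every `EVP_DigestUpdate` call, so a context initialised under one mode can be handed to the other implementation if the mode changes while the context is live; the same per-call check is added in `EVP_DigestFinal_ex` and in `M_do_cipher` in evp_enc.c. `EVP_DigestInit_ex` lies outside this hunk, so whether init and update are guaranteed to take the same path cannot be confirmed from here. At minimum the contract should be stated above the function, e.g. `/* FIPS_mode() is sampled per call: the mode must not change between Init and Final on a live ctx */`. Because the fallback to `ctx->update` is silent, deployments that require approved algorithms should check `FIPS_mode()` themselves rather than rely on the FIPS build flag.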
@@ -270,20 +271,24 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 {
 #ifdef OPENSSL_FIPS
-    return FIPS_digestfinal(ctx, md, size);
-#else
-    int ret;
+    if (FIPS_mode()) {
+    	return FIPS_digestfinal(ctx, md, size);
+    } else {
+#endif
+	int ret;
 
-    OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
-    ret = ctx->digest->final(ctx, md);
-    if (size != NULL)
-        *size = ctx->digest->md_size;
-    if (ctx->digest->cleanup) {
-        ctx->digest->cleanup(ctx);
-        EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+	OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+	ret = ctx->digest->final(ctx, md);
+	if (size != NULL)
+	    *size = ctx->digest->md_size;
+	if (ctx->digest->cleanup) {
+	    ctx->digest->cleanup(ctx);
+	    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+	}
+	memset(ctx->md_data, 0, ctx->digest->ctx_size);
+	return ret;
+#ifdef OPENSSL_FIPS
     }
-    memset(ctx->md_data, 0, ctx->digest->ctx_size);
-    return ret;
 #endif
 }
 
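Review bot: In `EVP_DigestFinal_ex` the `} else {` opened under the first `#ifdef OPENSSL_FIPS` is closed by a `}` under a second `#ifdef OPENSSL_FIPS`, so brace balance depends on two separate guards staying in sync, and the re-indented body switches to tabs while the surrounding lines use four spaces. An early return would leave the original body untouched: hoist `int ret;` to the top of the function and place `if (FIPS_mode()) return FIPS_digestfinal(ctx, md, size);` inside a single `#ifdef`/`#endif` pair. The unbraced `else` left dangling before `#endif` in `EVP_DigestUpdate` and in `M_do_cipher` (evp_enc.c) is fragile in the same way and can be dropped by the same restructuring. Keeping the non-FIPS body at its original indentation also makes it easier to audit that the `memset` of `ctx->md_data`, which the "removes any secret data" comment before `EVP_DigestFinal` depends on, is unchanged; whether `FIPS_digestfinal` performs the equivalent wipe is not visible here.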
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 65f0e02..270cfcf 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -69,11 +69,15 @@
 #endif
 #include "evp_locl.h"
 
+static int M_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
+{
 #ifdef OPENSSL_FIPS
-# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
-#else
-# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+    if (FIPS_mode()) { 
+        return FIPS_cipher(ctx, out, in, inl); 
+    } else 
 #endif
+        return ctx->cipher->do_cipher(ctx, out, in, inl); 
+}
 
 const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
 
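Review bot: `M_do_cipher` declares `inl` as `unsigned int`, a constraint the old macro did not impose: the macro passed the caller's expression straight to `ctx->cipher->do_cipher`, whereas the function converts it to `unsigned int` first. The `do_cipher` prototype and the call sites are outside this hunk; if `do_cipher` takes a `size_t` length (to be confirmed against the `EVP_CIPHER` declaration), the non-FIPS path now narrows lengths on 64-bit builds and the parameter should be `size_t inl`. The `M_` prefix marked a macro, so a name such as `evp_do_cipher` would read better for a static function, and the added lines carry trailing whitespace.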
-- 
2.1.2.dirty
