diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2020-12-09 12:32:47 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2020-12-14 13:46:49 +1000 |
| commit | 3dafbd4468b6be4ee5228f1a1ba44c8826eff32d (patch) | |
| tree | b84b62bc9a34bb40d6ada4b047e595ba20547534 /providers/implementations/ciphers | |
| parent | ac7750bb5ec4238c4f6514eb174c1bd584728f05 (diff) | |
Change AES-CTS modes CS2 and CS3 to also be inside the fips module.
The initial thought was that only CS1 mode (the NIST variant) was allowed.
The lab has asked if these other modes should be included.
The algorithm form indicates that these are able to be validated.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13639)
Diffstat (limited to 'providers/implementations/ciphers')
| -rw-r--r-- | providers/implementations/ciphers/build.info | 7 | ||||
| -rw-r--r-- | providers/implementations/ciphers/cipher_aes_cts.c (renamed from providers/implementations/ciphers/cipher_aes_cts_fips.c) | 25 |
2 files changed, 13 insertions, 19 deletions
diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info index 9199ae0a92..a278c2182b 100644 --- a/providers/implementations/ciphers/build.info +++ b/providers/implementations/ciphers/build.info @@ -46,12 +46,13 @@ SOURCE[$AES_GOAL]=\ cipher_aes_ccm.c cipher_aes_ccm_hw.c \ cipher_aes_wrp.c \ cipher_aes_cbc_hmac_sha.c \ - cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c + cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \ + cipher_aes_cts.c # Extra code to satisfy the FIPS and non-FIPS separation. # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed. -SOURCE[../../libfips.a]=cipher_aes_xts_fips.c cipher_aes_cts_fips.c -SOURCE[../../libnonfips.a]=cipher_aes_xts_fips.c cipher_aes_cts_fips.c +SOURCE[../../libfips.a]=cipher_aes_xts_fips.c +SOURCE[../../libnonfips.a]=cipher_aes_xts_fips.c IF[{- !$disabled{siv} -}] SOURCE[$SIV_GOAL]=\ diff --git a/providers/implementations/ciphers/cipher_aes_cts_fips.c b/providers/implementations/ciphers/cipher_aes_cts.c index 48d3ea8b09..1eafa39abb 100644 --- a/providers/implementations/ciphers/cipher_aes_cts_fips.c +++ b/providers/implementations/ciphers/cipher_aes_cts.c @@ -7,7 +7,12 @@ * https://www.openssl.org/source/license.html */ -/* Helper functions for AES CBC CTS ciphers related to fips */ +/* + * Helper functions for AES CBC CTS ciphers. + * + * The function dispatch tables are embedded into cipher_aes.c + * using cipher_aes_cts.inc + */ /* * Refer to SP800-38A-Addendum @@ -66,10 +71,8 @@ typedef struct cts_mode_name2id_st { static CTS_MODE_NAME2ID cts_modes[] = { { CTS_CS1, OSSL_CIPHER_CTS_MODE_CS1 }, -#ifndef FIPS_MODULE { CTS_CS2, OSSL_CIPHER_CTS_MODE_CS2 }, { CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 }, -#endif }; const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id) @@ -185,7 +188,6 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, return len + AES_BLOCK_SIZE + residue; } -#ifndef FIPS_MODULE static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, unsigned char *out, size_t len) { @@ -305,11 +307,10 @@ static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, /* For partial blocks CS2 is equivalent to CS3 */ return cts128_cs3_decrypt(ctx, in, out, len); } -#endif int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl, - size_t outsize, const unsigned char *in, - size_t inl) + size_t outsize, const unsigned char *in, + size_t inl) { PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; size_t sz = 0; @@ -331,27 +332,19 @@ int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl, return 0; if (ctx->enc) { -#ifdef FIPS_MODULE - sz = cts128_cs1_encrypt(ctx, in, out, inl); -#else if (ctx->cts_mode == CTS_CS1) sz = cts128_cs1_encrypt(ctx, in, out, inl); else if (ctx->cts_mode == CTS_CS2) sz = cts128_cs2_encrypt(ctx, in, out, inl); else if (ctx->cts_mode == CTS_CS3) sz = cts128_cs3_encrypt(ctx, in, out, inl); -#endif } else { -#ifdef FIPS_MODULE - sz = cts128_cs1_decrypt(ctx, in, out, inl); -#else if (ctx->cts_mode == CTS_CS1) sz = cts128_cs1_decrypt(ctx, in, out, inl); else if (ctx->cts_mode == CTS_CS2) sz = cts128_cs2_decrypt(ctx, in, out, inl); else if (ctx->cts_mode == CTS_CS3) sz = cts128_cs3_decrypt(ctx, in, out, inl); -#endif } if (sz == 0) return 0; @@ -361,7 +354,7 @@ int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl, } int ossl_aes_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl, - size_t outsize) + size_t outsize) { *outl = 0; return 1; |