/* HMAC */
+
/**
* gnutls_hmac_init:
* @dig: is a #gnutls_hmac_hd_t type
gnutls_mac_algorithm_t algorithm,
const void *key, size_t keylen)
{
-#ifdef ENABLE_FIPS140
/* MD5 is only allowed internally for TLS */
- if (_gnutls_fips_mode_enabled() != 0 &&
- _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
-
- if (algorithm == GNUTLS_MAC_MD5)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- }
-#endif
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
*dig = gnutls_malloc(sizeof(mac_hd_st));
if (*dig == NULL) {
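Review bot: The comment kept above the new check in gnutls_hmac_init, `/* MD5 is only allowed internally for TLS */`, no longer describes what the check does. `is_mac_algo_forbidden()` refuses every MAC outside its SHA-1/SHA-2/SHA-3 list when FIPS mode is on and the library is not in self-test, not only MD5. I would reword it along the lines of `/* in FIPS140 mode only the MACs allowed by is_mac_algo_forbidden() are accepted here; anything else is internal-only */`. The comment shows as unchanged context in this view, so confirm it really survives the commit; the function body continues past the hunk.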
const void *key, size_t keylen,
const void *ptext, size_t ptext_len, void *digest)
{
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+
return _gnutls_mac_fast(algorithm, key, keylen, ptext, ptext_len,
digest);
}
gnutls_hash_init(gnutls_hash_hd_t * dig,
gnutls_digest_algorithm_t algorithm)
{
-#ifdef ENABLE_FIPS140
- /* MD5 is only allowed internally for TLS */
- if (_gnutls_fips_mode_enabled() != 0 &&
- _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
-
- if (algorithm == GNUTLS_DIG_MD5)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- }
-#endif
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
*dig = gnutls_malloc(sizeof(digest_hd_st));
if (*dig == NULL) {
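Review bot: `is_mac_algo_forbidden()` is declared with a `gnutls_mac_algorithm_t` parameter, but in gnutls_hash_init the `algorithm` passed to it is a `gnutls_digest_algorithm_t`. The same happens in gnutls_hash_fast and in the digest existence check later in the commit. The allow-list only gives the right answer if every digest enumerator has the same numeric value as its MAC counterpart, which nothing in these hunks shows or enforces. I would make that dependency explicit with a cast, `if (is_mac_algo_forbidden((gnutls_mac_algorithm_t)algorithm))`, plus a one-line comment that the digest values alias the MAC values, or add a digest-typed wrapper next to the helper. The function body continues past the hunk.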
gnutls_hash_fast(gnutls_digest_algorithm_t algorithm,
const void *ptext, size_t ptext_len, void *digest)
{
+ if (is_mac_algo_forbidden(algorithm))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+
return _gnutls_hash_fast(algorithm, ptext, ptext_len, digest);
}
void _gnutls_lib_simulate_error(void);
void _gnutls_lib_force_operational(void);
+#ifdef ENABLE_FIPS140
+inline
+static unsigned is_mac_algo_forbidden(gnutls_mac_algorithm_t algo)
+{
+ if (_gnutls_fips_mode_enabled() != 0 &&
+ _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
+
+ switch(algo) {
+ case GNUTLS_MAC_SHA1:
+ case GNUTLS_MAC_SHA256:
+ case GNUTLS_MAC_SHA384:
+ case GNUTLS_MAC_SHA512:
+ case GNUTLS_MAC_SHA224:
+ case GNUTLS_MAC_SHA3_224:
+ case GNUTLS_MAC_SHA3_256:
+ case GNUTLS_MAC_SHA3_384:
+ case GNUTLS_MAC_SHA3_512:
+ return 0;
+ default:
+ return 1;
+ }
+ }
+
+ return 0;
+}
+#else
+# define is_mac_algo_forbidden(x) 0
+#endif
+
#endif /* FIPS_H */
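Review bot: `is_mac_algo_forbidden()` has no comment, and its contract is not obvious from the call sites. It is an allow-list (anything not named in the `switch` is refused), it applies only when FIPS mode is enabled, and it is skipped entirely while the library state is `LIB_STATE_SELFTEST`. A short header comment stating those three points, and that a newly added MAC stays forbidden until it is listed, would keep later edits from weakening the gate by accident. As a style point, `inline` on its own line before `static` is legal but unusual; `static inline unsigned is_mac_algo_forbidden(gnutls_mac_algorithm_t algo)` is the conventional order.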
{
const gnutls_crypto_digest_st *cc = NULL;
+ if (is_mac_algo_forbidden(algo))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+
cc = _gnutls_get_crypto_digest(algo);
if (cc != NULL)
return 1;
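Review bot: The added early return hands back `GNUTLS_E_UNWANTED_ALGORITHM` from a function whose other visible exits are `return 1`, which suggests a yes/no existence check. If callers test the result for truth, the non-zero error code would read as "exists", and a forbidden algorithm would be reported as available in FIPS mode, the opposite of the intent. Returning zero keeps the predicate contract: `return gnutls_assert_val(0);`. The same applies to the second added check, the one after the `GNUTLS_MAC_AEAD` test. Both function signatures are outside the hunks, so confirm the return convention against the callers.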
if (algo == GNUTLS_MAC_AEAD)
return 1;
+ if (is_mac_algo_forbidden(algo))
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+
cc = _gnutls_get_crypto_mac(algo);
if (cc != NULL)
return 1;
#include <nettle/sha3.h>
#include <nettle/hmac.h>
#include <nettle/umac.h>
-#include <fips.h>
typedef void (*update_func) (void *, size_t, const uint8_t *);
typedef void (*digest_func) (void *, size_t, uint8_t *);
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx)
{
+ /* Any FIPS140-2 related enforcement is performed on
+ * gnutls_hash_init() and gnutls_hmac_init() */
+
ctx->set_nonce = NULL;
switch (algo) {
case GNUTLS_MAC_MD5:
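Review bot: The new comment in `_mac_ctx_init` names only gnutls_hash_init() and gnutls_hmac_init(), but this commit also places the gate in gnutls_hmac_fast(), gnutls_hash_fast() and the two existence checks. It also removes the backend's own UMAC and MD2 refusals, so this function no longer rejects anything in FIPS mode. An internal caller that reaches it without passing one of those gates is presumably unrestricted, and the comment should say so, e.g. `/* No FIPS140-2 checks here: enforcement is done in the public gnutls_hash_init/fast and gnutls_hmac_init/fast entry points; internal callers are not restricted */`. The identical comment added to `_ctx_init` needs the same change, and both function bodies continue outside their hunks.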
ctx->length = SHA512_DIGEST_SIZE;
break;
case GNUTLS_MAC_UMAC_96:
- if (_gnutls_fips_mode_enabled() != 0)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
ctx->update = (update_func) umac96_update;
ctx->digest = (digest_func) umac96_digest;
ctx->set_key = _wrap_umac96_set_key;
ctx->length = 12;
break;
case GNUTLS_MAC_UMAC_128:
- if (_gnutls_fips_mode_enabled() != 0)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
ctx->update = (update_func) umac128_update;
ctx->digest = (digest_func) umac128_digest;
ctx->set_key = _wrap_umac128_set_key;
case GNUTLS_MAC_SHA256:
case GNUTLS_MAC_SHA384:
case GNUTLS_MAC_SHA512:
- return 1;
-
case GNUTLS_MAC_UMAC_96:
case GNUTLS_MAC_UMAC_128:
- if (_gnutls_fips_mode_enabled() != 0)
- return 0;
- else
- return 1;
+ return 1;
default:
return 0;
}
return 0;
#endif
case GNUTLS_DIG_MD2:
- if (_gnutls_fips_mode_enabled() != 0)
- return 0;
- else
- return 1;
+ return 1;
default:
return 0;
}
static int _ctx_init(gnutls_digest_algorithm_t algo,
struct nettle_hash_ctx *ctx)
{
+ /* Any FIPS140-2 related enforcement is performed on
+ * gnutls_hash_init() and gnutls_hmac_init() */
switch (algo) {
case GNUTLS_DIG_MD5:
md5_init(&ctx->ctx.md5);
break;
#endif
case GNUTLS_DIG_MD2:
- if (_gnutls_fips_mode_enabled() != 0)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
md2_init(&ctx->ctx.md2);
ctx->update = (update_func) md2_update;
ctx->digest = (digest_func) md2_digest;