diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-22 11:49:43 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-27 11:41:44 +0100 |
| commit | f2730cc5e8c4e099c1fb701032aff41dacbb7f8a (patch) | |
| tree | f5253a0a719ee6f2642f4cb7d1578f2c32a9ace1 /lib/nettle/mac.c | |
| parent | eae9fb128c398d421342498a1e5ca1a70ee3885b (diff) | |
| download | gnutls-f2730cc5e8c4e099c1fb701032aff41dacbb7f8a.tar.gz | |
In FIPS140-2 mode disable non-conformant ciphers, MAC and hash algorithms.
Diffstat (limited to 'lib/nettle/mac.c')
| -rw-r--r-- | lib/nettle/mac.c | 33 |
1 files changed, 24 insertions, 9 deletions
diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c index 73e8c8f18f..9e87a312e3 100644 --- a/lib/nettle/mac.c +++ b/lib/nettle/mac.c @@ -43,12 +43,14 @@ static int wrap_nettle_hash_init(gnutls_digest_algorithm_t algo, struct nettle_hash_ctx { union { struct md5_ctx md5; - struct md2_ctx md2; struct sha224_ctx sha224; struct sha256_ctx sha256; struct sha384_ctx sha384; struct sha512_ctx sha512; struct sha1_ctx sha1; +#ifndef ENABLE_FIPS140 + struct md2_ctx md2; +#endif } ctx; void *ctx_ptr; gnutls_digest_algorithm_t algo; @@ -65,8 +67,10 @@ struct nettle_mac_ctx { struct hmac_sha384_ctx sha384; struct hmac_sha512_ctx sha512; struct hmac_sha1_ctx sha1; +#ifndef ENABLE_FIPS140 struct umac96_ctx umac96; struct umac128_ctx umac128; +#endif } ctx; void *ctx_ptr; @@ -78,6 +82,7 @@ struct nettle_mac_ctx { set_nonce_func set_nonce; }; +#ifndef ENABLE_FIPS140 static void _wrap_umac96_set_key(void *ctx, unsigned len, const uint8_t * key) { @@ -93,6 +98,7 @@ _wrap_umac128_set_key(void *ctx, unsigned len, const uint8_t * key) abort(); umac128_set_key(ctx, key); } +#endif static int _mac_ctx_init(gnutls_mac_algorithm_t algo, struct nettle_mac_ctx *ctx) @@ -141,6 +147,7 @@ static int _mac_ctx_init(gnutls_mac_algorithm_t algo, ctx->ctx_ptr = &ctx->ctx.sha512; ctx->length = SHA512_DIGEST_SIZE; break; +#ifndef ENABLE_FIPS140 case GNUTLS_MAC_UMAC_96: ctx->update = (update_func) umac96_update; ctx->digest = (digest_func) umac96_digest; @@ -157,6 +164,7 @@ static int _mac_ctx_init(gnutls_mac_algorithm_t algo, ctx->ctx_ptr = &ctx->ctx.umac128; ctx->length = 16; break; +#endif default: gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; @@ -198,8 +206,10 @@ static int wrap_nettle_mac_exists(gnutls_mac_algorithm_t algo) case GNUTLS_MAC_SHA256: case GNUTLS_MAC_SHA384: case GNUTLS_MAC_SHA512: +#ifndef ENABLE_FIPS140 case GNUTLS_MAC_UMAC_96: case GNUTLS_MAC_UMAC_128: +#endif return 1; default: return 0; @@ -308,11 +318,14 @@ static int wrap_nettle_hash_exists(gnutls_digest_algorithm_t algo) switch (algo) { case GNUTLS_DIG_MD5: case GNUTLS_DIG_SHA1: - case GNUTLS_DIG_MD2: + case GNUTLS_DIG_SHA224: case GNUTLS_DIG_SHA256: case GNUTLS_DIG_SHA384: case GNUTLS_DIG_SHA512: +#ifndef ENABLE_FIPS140 + case GNUTLS_DIG_MD2: +#endif return 1; default: return 0; @@ -337,13 +350,6 @@ static int _ctx_init(gnutls_digest_algorithm_t algo, ctx->ctx_ptr = &ctx->ctx.sha1; ctx->length = SHA1_DIGEST_SIZE; break; - case GNUTLS_DIG_MD2: - md2_init(&ctx->ctx.md2); - ctx->update = (update_func) md2_update; - ctx->digest = (digest_func) md2_digest; - ctx->ctx_ptr = &ctx->ctx.md2; - ctx->length = MD2_DIGEST_SIZE; - break; case GNUTLS_DIG_SHA224: sha224_init(&ctx->ctx.sha224); ctx->update = (update_func) sha224_update; @@ -372,6 +378,15 @@ static int _ctx_init(gnutls_digest_algorithm_t algo, ctx->ctx_ptr = &ctx->ctx.sha512; ctx->length = SHA512_DIGEST_SIZE; break; +#ifndef ENABLE_FIPS140 + case GNUTLS_DIG_MD2: + md2_init(&ctx->ctx.md2); + ctx->update = (update_func) md2_update; + ctx->digest = (digest_func) md2_digest; + ctx->ctx_ptr = &ctx->ctx.md2; + ctx->length = MD2_DIGEST_SIZE; + break; +#endif default: gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; |