OpenSSL: Implement aes_wrap/aes_unwrap through EVP for CONFIG_FIPS=y

The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-01 16:31:45 +03:00
parent 266cf4a0bc
commit 276a3c44dd
3 changed files with 24 additions and 2 deletions

View file

@ -297,6 +297,8 @@ void aes_decrypt_deinit(void *ctx)
} }
#ifndef CONFIG_FIPS
int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
{ {
AES_KEY actx; AES_KEY actx;
@ -323,6 +325,8 @@ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
return res <= 0 ? -1 : 0; return res <= 0 ? -1 : 0;
} }
#endif /* CONFIG_FIPS */
int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{ {

View file

@ -1136,6 +1136,15 @@ AESOBJS += src/crypto/aes-internal.c src/crypto/aes-internal-dec.c
endif endif
ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), openssl)
NEED_INTERNAL_AES_WRAP=y
endif
ifdef CONFIG_FIPS
# Have to use internal AES key wrap routines to use OpenSSL EVP since the
# OpenSSL AES_wrap_key()/AES_unwrap_key() API is not available in FIPS mode.
NEED_INTERNAL_AES_WRAP=y
endif
ifdef NEED_INTERNAL_AES_WRAP
AESOBJS += src/crypto/aes-unwrap.c AESOBJS += src/crypto/aes-unwrap.c
endif endif
ifdef NEED_AES_EAX ifdef NEED_AES_EAX
@ -1158,7 +1167,7 @@ endif
endif endif
ifdef NEED_AES_WRAP ifdef NEED_AES_WRAP
NEED_AES_ENC=y NEED_AES_ENC=y
ifneq ($(CONFIG_TLS), openssl) ifdef NEED_INTERNAL_AES_WRAP
AESOBJS += src/crypto/aes-wrap.c AESOBJS += src/crypto/aes-wrap.c
endif endif
endif endif

View file

@ -1148,6 +1148,15 @@ AESOBJS += ../src/crypto/aes-internal.o ../src/crypto/aes-internal-dec.o
endif endif
ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), openssl)
NEED_INTERNAL_AES_WRAP=y
endif
ifdef CONFIG_FIPS
# Have to use internal AES key wrap routines to use OpenSSL EVP since the
# OpenSSL AES_wrap_key()/AES_unwrap_key() API is not available in FIPS mode.
NEED_INTERNAL_AES_WRAP=y
endif
ifdef NEED_INTERNAL_AES_WRAP
AESOBJS += ../src/crypto/aes-unwrap.o AESOBJS += ../src/crypto/aes-unwrap.o
endif endif
ifdef NEED_AES_EAX ifdef NEED_AES_EAX
@ -1173,7 +1182,7 @@ AESOBJS += ../src/crypto/aes-siv.o
endif endif
ifdef NEED_AES_WRAP ifdef NEED_AES_WRAP
NEED_AES_ENC=y NEED_AES_ENC=y
ifneq ($(CONFIG_TLS), openssl) ifdef NEED_INTERNAL_AES_WRAP
AESOBJS += ../src/crypto/aes-wrap.o AESOBJS += ../src/crypto/aes-wrap.o
endif endif
endif endif