Merge pull request #236 from BridgerVoss/bug_fix

disables MD5 on FIPS builds and adds WP_ALLOW_NON_FIPS flag

Author: padelsbach

src/wp_des.c

@@ -31,7 +31,7 @@
 
 
 #if defined(WP_HAVE_DES3CBC)
-
+#if !defined(HAVE_FIPS) || defined(WP_ALLOW_NON_FIPS)
 /**
  * Data structure for DES3 ciphers that are block based.
  */
@@ -283,7 +283,6 @@ static int wp_des3_block_init(wp_Des3BlockCtx *ctx, const unsigned char *key,
     if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
-
     if (ok && (iv != NULL) && (ctx->mode != EVP_CIPH_ECB_MODE) &&
             (!wp_des3_init_iv(ctx, iv, ivLen))) {
         ok = 0;
@@ -866,6 +865,33 @@ IMPLEMENT_DES3_BLOCK_DISPATCH(lcmode, kBits, ivBits)
 /** wp_des3cbc_functions_functions */
 IMPLEMENT_DES3_BLOCK(cbc, CBC, 192, 64)
 
+#else /* defined(HAVE_FIPS) && !defined(WP_ALLOW_NON_FIPS */
+
+#define IMPLEMENT_DES3_BLOCK_NULL(mode)                                        \
+const OSSL_DISPATCH wp_des3##mode##_functions[] = {                            \
+    { OSSL_FUNC_CIPHER_NEWCTX,          (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_FREECTX,         (DFUNC)wp_des3_void                 }, \
+    { OSSL_FUNC_CIPHER_DUPCTX,          (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT,    (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT,    (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_UPDATE,          (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_FINAL,           (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_CIPHER,          (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_GET_PARAMS,      (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,  (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,  (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, (DFUNC)wp_des3_null                 }, \
+    { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
+                              (DFUNC)wp_des3_null                           }, \
+    { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
+                              (DFUNC)wp_des3_null                           }, \
+    { 0, NULL }                                                                \
+};
+static int wp_des3_null(void) { return 0; }
+static void wp_des3_void(void) {}
+
+IMPLEMENT_DES3_BLOCK_NULL(cbc)
 
-#endif /* WP_HAVE_AESCBC || WP_HAVE_AESECB */
+#endif
+#endif /* WP_HAVE_DES3CBC */
 

src/wp_digests.c

@@ -220,6 +220,24 @@ const OSSL_DISPATCH name##_functions[] = {                                     \
     { 0,                                NULL                                }  \
 };
 
+#if defined(HAVE_FIPS) && !defined(WP_ALLOW_NON_FIPS)
+#define IMPLEMENT_DIGEST_NULL(name)                                            \
+/** Dispatch table for digest algorithms. */                                   \
+const OSSL_DISPATCH name##_functions[] = {                                     \
+    { OSSL_FUNC_DIGEST_NEWCTX,          (DFUNC)wp_digest_null               }, \
+    { OSSL_FUNC_DIGEST_INIT,            (DFUNC)wp_digest_null               }, \
+    { OSSL_FUNC_DIGEST_UPDATE,          (DFUNC)wp_digest_null               }, \
+    { OSSL_FUNC_DIGEST_FINAL,           (DFUNC)wp_digest_null               }, \
+    { OSSL_FUNC_DIGEST_FREECTX,         (DFUNC)wp_digest_void               }, \
+    { OSSL_FUNC_DIGEST_DUPCTX,          (DFUNC)wp_digest_null               }, \
+    { OSSL_FUNC_DIGEST_GET_PARAMS,      (DFUNC)wp_digest_null               }, \
+    { OSSL_FUNC_DIGEST_GETTABLE_PARAMS, (DFUNC)wp_digest_null               }, \
+    { 0,                                NULL                                }  \
+};
+
+static int wp_digest_null(void) { return 0; }
+static void wp_digest_void(void) {}
+#endif
 
 /**
  * Get parameters of a digest algorithm.
@@ -292,18 +310,23 @@ static const OSSL_PARAM* wp_digest_gettable_params(void* provCtx)
  ******************************************************************************/
 
 #ifdef WP_HAVE_MD5
+#if defined(HAVE_FIPS) && !defined(WP_ALLOW_NON_FIPS)
+IMPLEMENT_DIGEST_NULL(wp_md5)
+#else
 IMPLEMENT_DIGEST(wp_md5, wc_Md5,
                  WC_MD5_BLOCK_SIZE, WC_MD5_DIGEST_SIZE,
                  0,
                  wc_InitMd5_ex, wc_Md5Update, wc_Md5Final,
                  wc_Md5Copy, wc_Md5Free)
 #endif
+#endif
 
 /*******************************************************************************
  * SHA1-MD5
  ******************************************************************************/
 
 #ifdef WP_HAVE_MD5_SHA1
+#if !defined(HAVE_FIPS) || defined(WP_ALLOW_NON_FIPS)
 /**
  * Combined MD5 and SHA-1 digest.
  */
@@ -326,7 +349,6 @@ typedef struct wp_Md5Sha {
 static int wp_InitMd5Sha_ex(wp_Md5Sha* dgst, void* heap, int devId)
 {
     int rc;
-
     rc = wc_InitMd5_ex(&dgst->md5, heap, devId);
     if (rc == 0) {
         rc = wc_InitSha_ex(&dgst->sha, heap, devId);
@@ -411,12 +433,14 @@ static void wp_Md5ShaFree(wp_Md5Sha* d)
         wc_ShaFree(&d->sha);
     }
 }
-
 IMPLEMENT_DIGEST(wp_md5_sha1, wp_Md5Sha,
                  WC_MD5_BLOCK_SIZE, WC_MD5_DIGEST_SIZE + WC_SHA_DIGEST_SIZE,
                  0,
                  wp_InitMd5Sha_ex, wp_Md5ShaUpdate, wp_Md5ShaFinal,
                  wp_Md5ShaCopy, wp_Md5ShaFree)
+#else   /* defined(HAVE_FIPS) && !defined(WP_ALLOW_NON_FIPS) */
+IMPLEMENT_DIGEST_NULL(wp_md5_sha1)
+#endif
 #endif
 
 /*******************************************************************************

test/unit.c

@@ -106,8 +106,10 @@ TEST_CASE test_case[] = {
     TEST_DECL(test_krb5kdf, NULL),
 #endif
 #ifdef WP_HAVE_DES3CBC
-    TEST_DECL(test_des3_cbc, NULL),
-    TEST_DECL(test_des3_cbc_stream, NULL),
+    #if !defined(HAVE_FIPS) || defined(WP_ALLOW_NON_FIPS)
+        TEST_DECL(test_des3_cbc, NULL),
+        TEST_DECL(test_des3_cbc_stream, NULL),
+    #endif
 #endif
 #ifdef WP_HAVE_AESECB
     TEST_DECL(test_aes128_ecb, NULL),
@@ -296,7 +298,9 @@ TEST_CASE test_case[] = {
 #endif /* WP_HAVE_ECDSA */
 
 #ifdef WP_HAVE_PBE
-    TEST_DECL(test_pbe, NULL),
+    #if !defined(HAVE_FIPS) || defined(WP_ALLOW_NON_FIPS)
+        TEST_DECL(test_pbe, NULL),
+    #endif
 #endif
 
 #if defined(WP_HAVE_ED25519) || defined(WP_HAVE_ED448)