From 2abc4358d6437287ca9832b91dc0dccc6c048321 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 17 Jun 2019 11:40:56 +0200
Subject: crypto: Rename cipher fips macro

FORBIDDEN_IN_FIPS -> CIPHER_FORBIDDEN_IN_FIPS
---
 lib/crypto/c_src/api_ng.c | 2 +-
 lib/crypto/c_src/cipher.c | 4 ++--
 lib/crypto/c_src/cipher.h | 4 ++--
 lib/crypto/c_src/mac.c    | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/crypto/c_src/api_ng.c b/lib/crypto/c_src/api_ng.c
index 3408ba1b88..a109f444cf 100644
--- a/lib/crypto/c_src/api_ng.c
+++ b/lib/crypto/c_src/api_ng.c
@@ -100,7 +100,7 @@ static int get_init_args(ErlNifEnv* env,
         }
 
 
-    if (FORBIDDEN_IN_FIPS(*cipherp))
+    if (CIPHER_FORBIDDEN_IN_FIPS(*cipherp))
         {
             *return_term = EXCP_NOTSUP(env, "Forbidden in FIPS");
             goto err;
diff --git a/lib/crypto/c_src/cipher.c b/lib/crypto/c_src/cipher.c
index 0532fb7566..e144a891a6 100644
--- a/lib/crypto/c_src/cipher.c
+++ b/lib/crypto/c_src/cipher.c
@@ -214,7 +214,7 @@ ERL_NIF_TERM cipher_info_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
     if ((cipherp = get_cipher_type_no_key(argv[0])) == NULL)
         return enif_make_badarg(env);
 
-    if (FORBIDDEN_IN_FIPS(cipherp))
+    if (CIPHER_FORBIDDEN_IN_FIPS(cipherp))
         return enif_raise_exception(env, atom_notsup);
     if ((cipher = cipherp->cipher.p) == NULL)
         return enif_raise_exception(env, atom_notsup);
@@ -330,7 +330,7 @@ ERL_NIF_TERM cipher_types_as_list(ErlNifEnv* env)
 
     for (p = cipher_types; (p->type.atom & (p->type.atom != atom_false)); p++) {
         if ((prev == p->type.atom) ||
-            FORBIDDEN_IN_FIPS(p) )
+            CIPHER_FORBIDDEN_IN_FIPS(p) )
             continue;
 
         if ((p->cipher.p != NULL) ||
diff --git a/lib/crypto/c_src/cipher.h b/lib/crypto/c_src/cipher.h
index 0e51c410eb..c23e128824 100644
--- a/lib/crypto/c_src/cipher.h
+++ b/lib/crypto/c_src/cipher.h
@@ -52,10 +52,10 @@ struct cipher_type_t {
 
 #ifdef FIPS_SUPPORT
 /* May have FIPS support, must check dynamically if it is enabled */
-# define FORBIDDEN_IN_FIPS(P) (((P)->flags & NO_FIPS_CIPHER) && FIPS_mode())
+# define CIPHER_FORBIDDEN_IN_FIPS(P) (((P)->flags & NO_FIPS_CIPHER) && FIPS_mode())
 #else
 /* No FIPS support since the symbol FIPS_SUPPORT is undefined */
-# define FORBIDDEN_IN_FIPS(P) 0
+# define CIPHER_FORBIDDEN_IN_FIPS(P) 0
 #endif
 
 extern ErlNifResourceType* evp_cipher_ctx_rtype;
diff --git a/lib/crypto/c_src/mac.c b/lib/crypto/c_src/mac.c
index 8b2710b91a..ed09dae8e4 100644
--- a/lib/crypto/c_src/mac.c
+++ b/lib/crypto/c_src/mac.c
@@ -284,7 +284,7 @@ ERL_NIF_TERM mac_one_time(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
                     goto err;
                 }
             
-            if (FORBIDDEN_IN_FIPS(cipherp))
+            if (CIPHER_FORBIDDEN_IN_FIPS(cipherp))
                 {
                     return_term = EXCP_NOTSUP(env, "Cipher algorithm not supported in FIPS");
                     goto err;
@@ -553,7 +553,7 @@ ERL_NIF_TERM mac_init_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
                     goto err;
                 }
             
-            if (FORBIDDEN_IN_FIPS(cipherp))
+            if (CIPHER_FORBIDDEN_IN_FIPS(cipherp))
                 {
                     return_term = EXCP_NOTSUP(env, "Cipher algorithm not supported in FIPS");
                     goto err;
-- 
cgit v1.2.3


From 52944a455694069b0eb22726ba72452065125f1a Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 17 Jun 2019 09:37:35 +0200
Subject: crypto: Fix FIPS flags for digests

---
 lib/crypto/c_src/digest.c | 31 ++++++++++++++++---------------
 lib/crypto/c_src/digest.h | 13 +++++++++++++
 2 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/lib/crypto/c_src/digest.c b/lib/crypto/c_src/digest.c
index c987a664d5..0f887ab765 100644
--- a/lib/crypto/c_src/digest.c
+++ b/lib/crypto/c_src/digest.c
@@ -22,7 +22,7 @@
 
 static struct digest_type_t digest_types[] =
 {
-    {{"md4"},
+    {{"md4"}, NO_FIPS_DIGEST,
 #ifdef HAVE_MD4
      {&EVP_md4}
 #else
@@ -30,7 +30,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"md5"},
+    {{"md5"}, NO_FIPS_DIGEST,
 #ifdef HAVE_MD5
      {&EVP_md5}
 #else
@@ -38,7 +38,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"ripemd160"},
+    {{"ripemd160"}, NO_FIPS_DIGEST,
 #ifdef HAVE_RIPEMD160
      {&EVP_ripemd160}
 #else
@@ -46,9 +46,9 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha"}, {&EVP_sha1}},
+    {{"sha"}, 0, {&EVP_sha1}},
 
-    {{"sha224"},
+    {{"sha224"}, 0,
 #ifdef HAVE_SHA224
      {&EVP_sha224}
 #else
@@ -56,7 +56,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha256"},
+    {{"sha256"}, 0,
 #ifdef HAVE_SHA256
      {&EVP_sha256}
 #else
@@ -64,7 +64,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha384"},
+    {{"sha384"}, 0,
 #ifdef HAVE_SHA384
      {&EVP_sha384}
 #else
@@ -72,7 +72,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha512"},
+    {{"sha512"}, 0,
 #ifdef HAVE_SHA512
      {&EVP_sha512}
 #else
@@ -80,7 +80,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_224"},
+    {{"sha3_224"}, 0,
 #ifdef HAVE_SHA3_224
      {&EVP_sha3_224}
 #else
@@ -88,7 +88,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_256"},
+    {{"sha3_256"}, 0,
 #ifdef HAVE_SHA3_256
      {&EVP_sha3_256}
 #else
@@ -96,7 +96,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_384"},
+    {{"sha3_384"}, 0,
 #ifdef HAVE_SHA3_384
      {&EVP_sha3_384}
 #else
@@ -104,7 +104,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_512"},
+    {{"sha3_512"}, 0,
 #ifdef HAVE_SHA3_512
      {&EVP_sha3_512}
 #else
@@ -112,7 +112,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"blake2b"},
+    {{"blake2b"}, 0,
 #ifdef HAVE_BLAKE2
      {&EVP_blake2b512}
 #else
@@ -120,7 +120,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"blake2s"},
+    {{"blake2s"}, 0,
 #ifdef HAVE_BLAKE2
      {&EVP_blake2s256}
 #else
@@ -128,7 +128,8 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{NULL}, {NULL}}
+    /*==== End of list ==== */
+    {{NULL}, 0, {NULL}}
 };
 
 void init_digest_types(ErlNifEnv* env)
diff --git a/lib/crypto/c_src/digest.h b/lib/crypto/c_src/digest.h
index 06852416cf..b1f8128a1f 100644
--- a/lib/crypto/c_src/digest.h
+++ b/lib/crypto/c_src/digest.h
@@ -28,12 +28,25 @@ struct digest_type_t {
 	const char*  str;        /* before init, NULL for end-of-table */
 	ERL_NIF_TERM atom;       /* after init, 'false' for end-of-table */
     }type;
+    unsigned flags;
     union {
 	const EVP_MD* (*funcp)(void);  /* before init, NULL if notsup */
 	const EVP_MD* p;               /* after init, NULL if notsup */
     }md;
 };
 
+/* masks in the flags field if digest_type_t */
+#define NO_FIPS_DIGEST 1
+
+#ifdef FIPS_SUPPORT
+/* May have FIPS support, must check dynamically if it is enabled */
+# define DIGEST_FORBIDDEN_IN_FIPS(P) (((P)->flags & NO_FIPS_DIGEST) && FIPS_mode())
+#else
+/* No FIPS support since the symbol FIPS_SUPPORT is undefined */
+# define DIGEST_FORBIDDEN_IN_FIPS(P) 0
+#endif
+
+
 void init_digest_types(ErlNifEnv* env);
 struct digest_type_t* get_digest_type(ERL_NIF_TERM type);
 
-- 
cgit v1.2.3