Commit 3ad74edc authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Add SSL_FIPS flag for FIPS 140-2 approved ciphersuites and add a new

strength "FIPS" to represent all FIPS approved ciphersuites without NULL
encryption.
parent 2b7b1cad
+20 −20
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_eNULL,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_STRONG_NONE,
	SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	0,
	0,
@@ -326,7 +326,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -375,7 +375,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -472,7 +472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -520,7 +520,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -600,7 +600,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -685,7 +685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_3DES,
	SSL_SHA1,
	SSL_SSLV3,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	168,
	168,
@@ -895,7 +895,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES128,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	128,
	128,
@@ -910,7 +910,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES128,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	128,
	128,
@@ -925,7 +925,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES128,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	128,
	128,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES128,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	128,
	128,
@@ -955,7 +955,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES128,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	128,
	128,
@@ -970,7 +970,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES128,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	128,
	128,
@@ -986,7 +986,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES256,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	256,
	256,
@@ -1001,7 +1001,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES256,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	256,
	256,
@@ -1017,7 +1017,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES256,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	256,
	256,
@@ -1033,7 +1033,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES256,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	256,
	256,
@@ -1049,7 +1049,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES256,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	256,
	256,
@@ -1065,7 +1065,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	SSL_AES256,
	SSL_SHA1,
	SSL_TLSV1,
	SSL_NOT_EXP|SSL_HIGH,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
	256,
	256,
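Review bot: The first hunk of this section (`@@ -196,7`) sets `SSL_FIPS` on an entry whose encryption field is `SSL_eNULL` and whose strength is `SSL_STRONG_NONE`, so the flag on its own does not imply confidentiality. Any code that tests `algo_strength & SSL_FIPS` directly, rather than going through a cipher-string alias that also masks out NULL encryption, would accept an unencrypted suite; I would add a comment on that entry such as `/* SSL_FIPS: approved algorithms only, no encryption; callers must still exclude SSL_eNULL */`. The table entries start and end outside each hunk, so the key-exchange and authentication fields of the flagged 3DES and AES suites are not visible here, and it cannot be confirmed from this page that no anonymous suite is being marked.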
+1 −0
@@ -229,6 +229,7 @@ extern "C" {
#define SSL_TXT_LOW		"LOW"
#define SSL_TXT_MEDIUM		"MEDIUM"
#define SSL_TXT_HIGH		"HIGH"
#define SSL_TXT_FIPS		"FIPS"

#define SSL_TXT_kFZA		"kFZA" /* unused! */
#define	SSL_TXT_aFZA		"aFZA" /* unused! */
+2 −0
@@ -308,6 +308,8 @@ static const SSL_CIPHER cipher_aliases[]={
	{0,SSL_TXT_LOW,0,     0,0,0,0,0,SSL_LOW,   0,0,0},
	{0,SSL_TXT_MEDIUM,0,  0,0,0,0,0,SSL_MEDIUM,0,0,0},
	{0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
	/* FIPS 140-2 approved ciphersuite */
	{0,SSL_TXT_FIPS,0,    0,0,~SSL_eNULL,0,0,SSL_FIPS,  0,0,0},
	};
/* Search for public key algorithm with given name and 
 * return its pkey_id if it is available. Otherwise return 0
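Review bot: The new `SSL_TXT_FIPS` alias is the only place on this page where NULL encryption is kept out of the FIPS set (`~SSL_eNULL` in the encryption field), yet the comment above it does not say so. The three neighbouring aliases shown set only a single positive strength bit and leave every other field 0, so a complemented mask deserves an explanation; I would write `/* FIPS 140-2 approved ciphersuites; ~SSL_eNULL drops the NULL-encryption suites that also carry SSL_FIPS */`. Whether the rule parser handles a complemented mask correctly when this alias is combined with another encryption keyword is decided in code outside this hunk and is worth a regression test.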
+2 −1
@@ -370,7 +370,7 @@
 * be possible.
 */
#define SSL_EXP_MASK		0x00000003L
#define SSL_STRONG_MASK		0x000000fcL
#define SSL_STRONG_MASK		0x000001fcL

#define SSL_NOT_EXP		0x00000001L
#define SSL_EXPORT		0x00000002L
@@ -383,6 +383,7 @@
#define SSL_LOW			0x00000020L
#define SSL_MEDIUM		0x00000040L
#define SSL_HIGH		0x00000080L
#define SSL_FIPS		0x00000100L

/* we have used 000000ff - 24 bits left to go */
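Review bot: The trailing comment `/* we have used 000000ff - 24 bits left to go */` is stale once `SSL_FIPS` takes bit `0x00000100L`; it should read `/* we have used 000001ff - 23 bits left to go */`. Widening `SSL_STRONG_MASK` to `0x000001fcL` also makes FIPS a member of the strength group alongside `SSL_LOW`/`SSL_MEDIUM`/`SSL_HIGH`, although every table entry touched by this commit sets it together with another strength bit. If the rule parser (not visible here) intersects strength bits when keywords are joined with `+`, a string such as `FIPS+HIGH` may not select what an administrator expects, so a short comment on `SSL_FIPS` stating that it is an additional attribute rather than an exclusive strength level would help.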