Commit 7043fa70 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

add FIPS support to ssl: doesn't do anything on this branch yet as there is no...

add FIPS support to ssl: doesn't do anything on this branch yet as there is no FIPS compilation support
parent f98d2e5c
Loading
Loading
Loading
Loading
+4 −0
Original line number Diff line number Diff line
@@ -4,6 +4,10 @@

 Changes between 1.0.0d and 1.0.1  [xx XXX xxxx]

  *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
     and enable MD5.
     [Steve Henson]

  *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
     FIPS modules versions.
     [Steve Henson]
+16 −0
Original line number Diff line number Diff line
@@ -356,6 +356,14 @@ static int ssl23_client_hello(SSL *s)
			version_major = TLS1_VERSION_MAJOR;
			version_minor = TLS1_VERSION_MINOR;
			}
#ifdef OPENSSL_FIPS
		else if(FIPS_mode())
			{
			SSLerr(SSL_F_SSL23_CLIENT_HELLO,
					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
			return -1;
			}
#endif
		else if (version == SSL3_VERSION)
			{
			version_major = SSL3_VERSION_MAJOR;
@@ -639,6 +647,14 @@ static int ssl23_get_server_hello(SSL *s)
		if ((p[2] == SSL3_VERSION_MINOR) &&
			!(s->options & SSL_OP_NO_SSLv3))
			{
#ifdef OPENSSL_FIPS
			if(FIPS_mode())
				{
				SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
				goto err;
				}
#endif
			s->version=SSL3_VERSION;
			s->method=SSLv3_client_method();
			}
+12 −0
Original line number Diff line number Diff line
@@ -115,6 +115,9 @@
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

static const SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
@@ -422,6 +425,15 @@ int ssl23_get_client_hello(SSL *s)
			}
		}

#ifdef OPENSSL_FIPS
	if (FIPS_mode() && (s->version < TLS1_VERSION))
		{
		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		goto err;
		}
#endif

	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
		{
		/* we have SSLv3/TLSv1 in an SSLv2 header
+5 −0
Original line number Diff line number Diff line
@@ -156,6 +156,9 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
@@ -1691,6 +1694,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
			q=md_buf;
			for (num=2; num > 0; num--)
				{
				EVP_MD_CTX_set_flags(&md_ctx,
					EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
				EVP_DigestInit_ex(&md_ctx,(num == 2)
					?s->ctx->md5:s->ctx->sha1, NULL);
				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+9 −0
Original line number Diff line number Diff line
@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
#endif
	k=0;
	EVP_MD_CTX_init(&m5);
	EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
	EVP_MD_CTX_init(&s1);
	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
		{
@@ -614,6 +615,13 @@ int ssl3_digest_cached_records(SSL *s)
			{
			s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
			EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
#ifdef OPENSSL_FIPS
			if (EVP_MD_nid(md) == NID_md5)
				{
				EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
						EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
				}
#endif
			EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
			} 
		else 
@@ -669,6 +677,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
		return 0;
	}	
	EVP_MD_CTX_init(&ctx);
	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
	EVP_MD_CTX_copy_ex(&ctx,d);
	n=EVP_MD_CTX_size(&ctx);
	if (n < 0)
Loading