Loading CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,10 @@ Changes between 1.0.0d and 1.0.1 [xx XXX xxxx] *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers and enable MD5. [Steve Henson] *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying FIPS modules versions. [Steve Henson] Loading ssl/s23_clnt.c +16 −0 Original line number Diff line number Diff line Loading @@ -356,6 +356,14 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; } #ifdef OPENSSL_FIPS else if(FIPS_mode()) { SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); return -1; } #endif else if (version == SSL3_VERSION) { version_major = SSL3_VERSION_MAJOR; Loading Loading @@ -639,6 +647,14 @@ static int ssl23_get_server_hello(SSL *s) if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { #ifdef OPENSSL_FIPS if(FIPS_mode()) { SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); goto err; } #endif s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } Loading ssl/s23_srvr.c +12 −0 Original line number Diff line number Diff line Loading @@ -115,6 +115,9 @@ #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> #ifdef OPENSSL_FIPS #include <openssl/fips.h> #endif static const SSL_METHOD *ssl23_get_server_method(int ver); int ssl23_get_client_hello(SSL *s); Loading Loading @@ -422,6 +425,15 @@ int ssl23_get_client_hello(SSL *s) } } #ifdef OPENSSL_FIPS if (FIPS_mode() && (s->version < TLS1_VERSION)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); goto err; } #endif if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header Loading ssl/s3_clnt.c +5 −0 Original line number Diff line number Diff line Loading @@ -156,6 +156,9 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/md5.h> #ifdef OPENSSL_FIPS #include <openssl/fips.h> #endif #ifndef OPENSSL_NO_DH #include <openssl/dh.h> #endif Loading Loading @@ -1691,6 +1694,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); q=md_buf; for (num=2; num > 0; num--) { EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); Loading ssl/s3_enc.c +9 −0 Original line number Diff line number Diff line Loading @@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) #endif k=0; EVP_MD_CTX_init(&m5); EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_MD_CTX_init(&s1); for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH) { Loading Loading @@ -614,6 +615,13 @@ int ssl3_digest_cached_records(SSL *s) { s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); #ifdef OPENSSL_FIPS if (EVP_MD_nid(md) == NID_md5) { EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); } #endif EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); } else Loading Loading @@ -669,6 +677,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid, return 0; } EVP_MD_CTX_init(&ctx); EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_MD_CTX_copy_ex(&ctx,d); n=EVP_MD_CTX_size(&ctx); if (n < 0) Loading Loading
CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,10 @@ Changes between 1.0.0d and 1.0.1 [xx XXX xxxx] *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers and enable MD5. [Steve Henson] *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying FIPS modules versions. [Steve Henson] Loading
ssl/s23_clnt.c +16 −0 Original line number Diff line number Diff line Loading @@ -356,6 +356,14 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; } #ifdef OPENSSL_FIPS else if(FIPS_mode()) { SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); return -1; } #endif else if (version == SSL3_VERSION) { version_major = SSL3_VERSION_MAJOR; Loading Loading @@ -639,6 +647,14 @@ static int ssl23_get_server_hello(SSL *s) if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { #ifdef OPENSSL_FIPS if(FIPS_mode()) { SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); goto err; } #endif s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } Loading
ssl/s23_srvr.c +12 −0 Original line number Diff line number Diff line Loading @@ -115,6 +115,9 @@ #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> #ifdef OPENSSL_FIPS #include <openssl/fips.h> #endif static const SSL_METHOD *ssl23_get_server_method(int ver); int ssl23_get_client_hello(SSL *s); Loading Loading @@ -422,6 +425,15 @@ int ssl23_get_client_hello(SSL *s) } } #ifdef OPENSSL_FIPS if (FIPS_mode() && (s->version < TLS1_VERSION)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); goto err; } #endif if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header Loading
ssl/s3_clnt.c +5 −0 Original line number Diff line number Diff line Loading @@ -156,6 +156,9 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/md5.h> #ifdef OPENSSL_FIPS #include <openssl/fips.h> #endif #ifndef OPENSSL_NO_DH #include <openssl/dh.h> #endif Loading Loading @@ -1691,6 +1694,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); q=md_buf; for (num=2; num > 0; num--) { EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); Loading
ssl/s3_enc.c +9 −0 Original line number Diff line number Diff line Loading @@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) #endif k=0; EVP_MD_CTX_init(&m5); EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_MD_CTX_init(&s1); for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH) { Loading Loading @@ -614,6 +615,13 @@ int ssl3_digest_cached_records(SSL *s) { s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); #ifdef OPENSSL_FIPS if (EVP_MD_nid(md) == NID_md5) { EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); } #endif EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); } else Loading Loading @@ -669,6 +677,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid, return 0; } EVP_MD_CTX_init(&ctx); EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_MD_CTX_copy_ex(&ctx,d); n=EVP_MD_CTX_size(&ctx); if (n < 0) Loading