Make ssl code consistent with FIPS branch. The new code has no effect
at present because it asserts either noop flags or is inside OPENSSL_FIPS #ifdef's.
This commit is contained in:
Dr. Stephen Henson
@@ -303,6 +303,8 @@ struct env_md_ctx_st
|
|||||||
* cleaned */
|
* cleaned */
|
||||||
#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
|
#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
|
||||||
* in EVP_MD_CTX_cleanup */
|
* in EVP_MD_CTX_cleanup */
|
||||||
|
#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
|
||||||
|
* in FIPS mode */
|
||||||
|
|
||||||
struct evp_cipher_st
|
struct evp_cipher_st
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -171,3 +171,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
|
|||||||
return(md);
|
return(md);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
|
||||||
|
{
|
||||||
|
EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
|
||||||
|
EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
|
||||||
|
EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
|
||||||
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -100,6 +100,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
|
|||||||
const unsigned char *d, size_t n, unsigned char *md,
|
const unsigned char *d, size_t n, unsigned char *md,
|
||||||
unsigned int *md_len);
|
unsigned int *md_len);
|
||||||
|
|
||||||
|
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
|
|||||||
version_major = TLS1_VERSION_MAJOR;
|
version_major = TLS1_VERSION_MAJOR;
|
||||||
version_minor = TLS1_VERSION_MINOR;
|
version_minor = TLS1_VERSION_MINOR;
|
||||||
}
|
}
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
else if(FIPS_mode())
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
|
||||||
|
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
else if (version == SSL3_VERSION)
|
else if (version == SSL3_VERSION)
|
||||||
{
|
{
|
||||||
version_major = SSL3_VERSION_MAJOR;
|
version_major = SSL3_VERSION_MAJOR;
|
||||||
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
|
|||||||
if ((p[2] == SSL3_VERSION_MINOR) &&
|
if ((p[2] == SSL3_VERSION_MINOR) &&
|
||||||
!(s->options & SSL_OP_NO_SSLv3))
|
!(s->options & SSL_OP_NO_SSLv3))
|
||||||
{
|
{
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if(FIPS_mode())
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
|
||||||
|
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
s->version=SSL3_VERSION;
|
s->version=SSL3_VERSION;
|
||||||
s->method=SSLv3_client_method();
|
s->method=SSLv3_client_method();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if (FIPS_mode() && (s->version < TLS1_VERSION))
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
|
||||||
|
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
|
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
|
||||||
{
|
{
|
||||||
/* we have SSLv3/TLSv1 in an SSLv2 header
|
/* we have SSLv3/TLSv1 in an SSLv2 header
|
||||||
|
|||||||
@@ -130,6 +130,10 @@
|
|||||||
#include <openssl/objects.h>
|
#include <openssl/objects.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/md5.h>
|
#include <openssl/md5.h>
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
#include <openssl/fips.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#endif
|
#endif
|
||||||
@@ -1418,6 +1422,8 @@ int ssl3_get_key_exchange(SSL *s)
|
|||||||
q=md_buf;
|
q=md_buf;
|
||||||
for (num=2; num > 0; num--)
|
for (num=2; num > 0; num--)
|
||||||
{
|
{
|
||||||
|
EVP_MD_CTX_set_flags(&md_ctx,
|
||||||
|
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
EVP_DigestInit_ex(&md_ctx,(num == 2)
|
EVP_DigestInit_ex(&md_ctx,(num == 2)
|
||||||
?s->ctx->md5:s->ctx->sha1, NULL);
|
?s->ctx->md5:s->ctx->sha1, NULL);
|
||||||
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
|
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
|
||||||
|
|||||||
@@ -146,6 +146,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
|
|||||||
#endif
|
#endif
|
||||||
k=0;
|
k=0;
|
||||||
EVP_MD_CTX_init(&m5);
|
EVP_MD_CTX_init(&m5);
|
||||||
|
EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
EVP_MD_CTX_init(&s1);
|
EVP_MD_CTX_init(&s1);
|
||||||
for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
|
for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
|
||||||
{
|
{
|
||||||
@@ -518,6 +519,8 @@ int ssl3_enc(SSL *s, int send)
|
|||||||
|
|
||||||
void ssl3_init_finished_mac(SSL *s)
|
void ssl3_init_finished_mac(SSL *s)
|
||||||
{
|
{
|
||||||
|
EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
|
||||||
|
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
|
EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
|
||||||
EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
|
EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
|
||||||
}
|
}
|
||||||
@@ -554,6 +557,7 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
|
|||||||
EVP_MD_CTX ctx;
|
EVP_MD_CTX ctx;
|
||||||
|
|
||||||
EVP_MD_CTX_init(&ctx);
|
EVP_MD_CTX_init(&ctx);
|
||||||
|
EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
EVP_MD_CTX_copy_ex(&ctx,in_ctx);
|
EVP_MD_CTX_copy_ex(&ctx,in_ctx);
|
||||||
|
|
||||||
n=EVP_MD_CTX_size(&ctx);
|
n=EVP_MD_CTX_size(&ctx);
|
||||||
|
|||||||
40
ssl/s3_lib.c
40
ssl/s3_lib.c
@@ -158,7 +158,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_RSA_NULL_SHA,
|
SSL3_TXT_RSA_NULL_SHA,
|
||||||
SSL3_CK_RSA_NULL_SHA,
|
SSL3_CK_RSA_NULL_SHA,
|
||||||
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
|
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_STRONG_NONE,
|
SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
0,
|
0,
|
||||||
0,
|
0,
|
||||||
@@ -264,7 +264,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_RSA_DES_192_CBC3_SHA,
|
SSL3_TXT_RSA_DES_192_CBC3_SHA,
|
||||||
SSL3_CK_RSA_DES_192_CBC3_SHA,
|
SSL3_CK_RSA_DES_192_CBC3_SHA,
|
||||||
SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
|
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
|
||||||
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
|
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
|
||||||
SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
|
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
|
||||||
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
|
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
|
||||||
SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
|
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
|
||||||
SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
|
SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
|
||||||
SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
|
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
|
||||||
SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
|
SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
|
||||||
SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -488,7 +488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_ADH_DES_192_CBC_SHA,
|
SSL3_TXT_ADH_DES_192_CBC_SHA,
|
||||||
SSL3_CK_ADH_DES_192_CBC_SHA,
|
SSL3_CK_ADH_DES_192_CBC_SHA,
|
||||||
SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -563,7 +563,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL3_TXT_KRB5_DES_192_CBC3_SHA,
|
SSL3_TXT_KRB5_DES_192_CBC3_SHA,
|
||||||
SSL3_CK_KRB5_DES_192_CBC3_SHA,
|
SSL3_CK_KRB5_DES_192_CBC3_SHA,
|
||||||
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
|
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
168,
|
168,
|
||||||
168,
|
168,
|
||||||
@@ -747,7 +747,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_RSA_WITH_AES_128_SHA,
|
TLS1_TXT_RSA_WITH_AES_128_SHA,
|
||||||
TLS1_CK_RSA_WITH_AES_128_SHA,
|
TLS1_CK_RSA_WITH_AES_128_SHA,
|
||||||
SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
|
SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
128,
|
128,
|
||||||
128,
|
128,
|
||||||
@@ -760,7 +760,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
|
TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
|
||||||
TLS1_CK_DH_DSS_WITH_AES_128_SHA,
|
TLS1_CK_DH_DSS_WITH_AES_128_SHA,
|
||||||
SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
128,
|
128,
|
||||||
128,
|
128,
|
||||||
@@ -773,7 +773,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
|
TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
|
||||||
TLS1_CK_DH_RSA_WITH_AES_128_SHA,
|
TLS1_CK_DH_RSA_WITH_AES_128_SHA,
|
||||||
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
128,
|
128,
|
||||||
128,
|
128,
|
||||||
@@ -786,7 +786,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
|
TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
|
||||||
TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
|
TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
|
||||||
SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
128,
|
128,
|
||||||
128,
|
128,
|
||||||
@@ -799,7 +799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
|
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
|
||||||
TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
|
TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
|
||||||
SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
128,
|
128,
|
||||||
128,
|
128,
|
||||||
@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_ADH_WITH_AES_128_SHA,
|
TLS1_TXT_ADH_WITH_AES_128_SHA,
|
||||||
TLS1_CK_ADH_WITH_AES_128_SHA,
|
TLS1_CK_ADH_WITH_AES_128_SHA,
|
||||||
SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
128,
|
128,
|
||||||
128,
|
128,
|
||||||
@@ -826,7 +826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_RSA_WITH_AES_256_SHA,
|
TLS1_TXT_RSA_WITH_AES_256_SHA,
|
||||||
TLS1_CK_RSA_WITH_AES_256_SHA,
|
TLS1_CK_RSA_WITH_AES_256_SHA,
|
||||||
SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
|
SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
256,
|
256,
|
||||||
256,
|
256,
|
||||||
@@ -839,7 +839,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
|
TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
|
||||||
TLS1_CK_DH_DSS_WITH_AES_256_SHA,
|
TLS1_CK_DH_DSS_WITH_AES_256_SHA,
|
||||||
SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
256,
|
256,
|
||||||
256,
|
256,
|
||||||
@@ -852,7 +852,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
|
TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
|
||||||
TLS1_CK_DH_RSA_WITH_AES_256_SHA,
|
TLS1_CK_DH_RSA_WITH_AES_256_SHA,
|
||||||
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
256,
|
256,
|
||||||
256,
|
256,
|
||||||
@@ -865,7 +865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
|
TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
|
||||||
TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
|
TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
|
||||||
SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
256,
|
256,
|
||||||
256,
|
256,
|
||||||
@@ -878,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
|
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
|
||||||
TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
|
TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
|
||||||
SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
256,
|
256,
|
||||||
256,
|
256,
|
||||||
@@ -891,7 +891,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
TLS1_TXT_ADH_WITH_AES_256_SHA,
|
TLS1_TXT_ADH_WITH_AES_256_SHA,
|
||||||
TLS1_CK_ADH_WITH_AES_256_SHA,
|
TLS1_CK_ADH_WITH_AES_256_SHA,
|
||||||
SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
|
SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
|
||||||
SSL_NOT_EXP|SSL_HIGH,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
0,
|
0,
|
||||||
256,
|
256,
|
||||||
256,
|
256,
|
||||||
|
|||||||
@@ -1540,6 +1540,8 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
j=0;
|
j=0;
|
||||||
for (num=2; num > 0; num--)
|
for (num=2; num > 0; num--)
|
||||||
{
|
{
|
||||||
|
EVP_MD_CTX_set_flags(&md_ctx,
|
||||||
|
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
EVP_DigestInit_ex(&md_ctx,(num == 2)
|
EVP_DigestInit_ex(&md_ctx,(num == 2)
|
||||||
?s->ctx->md5:s->ctx->sha1, NULL);
|
?s->ctx->md5:s->ctx->sha1, NULL);
|
||||||
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
|
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
|
||||||
|
|||||||
@@ -252,6 +252,7 @@ extern "C" {
|
|||||||
#define SSL_TXT_LOW "LOW"
|
#define SSL_TXT_LOW "LOW"
|
||||||
#define SSL_TXT_MEDIUM "MEDIUM"
|
#define SSL_TXT_MEDIUM "MEDIUM"
|
||||||
#define SSL_TXT_HIGH "HIGH"
|
#define SSL_TXT_HIGH "HIGH"
|
||||||
|
#define SSL_TXT_FIPS "FIPS"
|
||||||
#define SSL_TXT_kFZA "kFZA"
|
#define SSL_TXT_kFZA "kFZA"
|
||||||
#define SSL_TXT_aFZA "aFZA"
|
#define SSL_TXT_aFZA "aFZA"
|
||||||
#define SSL_TXT_eFZA "eFZA"
|
#define SSL_TXT_eFZA "eFZA"
|
||||||
|
|||||||
@@ -222,6 +222,7 @@ static const SSL_CIPHER cipher_aliases[]={
|
|||||||
{0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
|
{0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
|
||||||
{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
|
{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
|
||||||
{0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
|
{0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
|
||||||
|
{0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
|
||||||
};
|
};
|
||||||
|
|
||||||
void ssl_load_ciphers(void)
|
void ssl_load_ciphers(void)
|
||||||
@@ -515,7 +516,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
|
|||||||
c = ssl_method->get_cipher(i);
|
c = ssl_method->get_cipher(i);
|
||||||
#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
|
#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
|
||||||
/* drop those that use any of that is not available */
|
/* drop those that use any of that is not available */
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if ((c != NULL) && c->valid && !IS_MASKED(c)
|
||||||
|
&& (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
|
||||||
|
#else
|
||||||
if ((c != NULL) && c->valid && !IS_MASKED(c))
|
if ((c != NULL) && c->valid && !IS_MASKED(c))
|
||||||
|
#endif
|
||||||
{
|
{
|
||||||
co_list[co_list_num].cipher = c;
|
co_list[co_list_num].cipher = c;
|
||||||
co_list[co_list_num].next = NULL;
|
co_list[co_list_num].next = NULL;
|
||||||
@@ -1054,7 +1060,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
|||||||
*/
|
*/
|
||||||
for (curr = head; curr != NULL; curr = curr->next)
|
for (curr = head; curr != NULL; curr = curr->next)
|
||||||
{
|
{
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
|
||||||
|
#else
|
||||||
if (curr->active)
|
if (curr->active)
|
||||||
|
#endif
|
||||||
{
|
{
|
||||||
sk_SSL_CIPHER_push(cipherstack, curr->cipher);
|
sk_SSL_CIPHER_push(cipherstack, curr->cipher);
|
||||||
#ifdef CIPHER_DEBUG
|
#ifdef CIPHER_DEBUG
|
||||||
|
|||||||
@@ -191,7 +191,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|||||||
{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
|
{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
|
||||||
{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
|
{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
|
||||||
{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
|
{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
|
||||||
{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_SET_CLIENT_CERT_ENGINE"},
|
{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"},
|
||||||
{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
|
{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
|
||||||
{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
|
{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
|
||||||
{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
|
{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
|
||||||
|
|||||||
@@ -1396,6 +1396,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
|
|||||||
return(NULL);
|
return(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if (FIPS_mode() && (meth->version < TLS1_VERSION))
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
|
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
|
||||||
{
|
{
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
|
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
|
||||||
|
|||||||
@@ -330,6 +330,7 @@
|
|||||||
#define SSL_LOW 0x00000020L
|
#define SSL_LOW 0x00000020L
|
||||||
#define SSL_MEDIUM 0x00000040L
|
#define SSL_MEDIUM 0x00000040L
|
||||||
#define SSL_HIGH 0x00000080L
|
#define SSL_HIGH 0x00000080L
|
||||||
|
#define SSL_FIPS 0x00000100L
|
||||||
|
|
||||||
/* we have used 000000ff - 24 bits left to go */
|
/* we have used 000000ff - 24 bits left to go */
|
||||||
|
|
||||||
|
|||||||
@@ -229,6 +229,9 @@ static void sv_usage(void)
|
|||||||
{
|
{
|
||||||
fprintf(stderr,"usage: ssltest [args ...]\n");
|
fprintf(stderr,"usage: ssltest [args ...]\n");
|
||||||
fprintf(stderr,"\n");
|
fprintf(stderr,"\n");
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
fprintf(stderr,"-F - run test in FIPS mode\n");
|
||||||
|
#endif
|
||||||
fprintf(stderr," -server_auth - check server certificate\n");
|
fprintf(stderr," -server_auth - check server certificate\n");
|
||||||
fprintf(stderr," -client_auth - do client authentication\n");
|
fprintf(stderr," -client_auth - do client authentication\n");
|
||||||
fprintf(stderr," -proxy - allow proxy certificates\n");
|
fprintf(stderr," -proxy - allow proxy certificates\n");
|
||||||
@@ -410,7 +413,7 @@ int main(int argc, char *argv[])
|
|||||||
long bytes=256L;
|
long bytes=256L;
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
DH *dh;
|
DH *dh;
|
||||||
int dhe1024 = 0, dhe1024dsa = 0;
|
int dhe1024 = 1, dhe1024dsa = 0;
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_ECDH
|
#ifndef OPENSSL_NO_ECDH
|
||||||
EC_KEY *ecdh = NULL;
|
EC_KEY *ecdh = NULL;
|
||||||
@@ -425,6 +428,9 @@ int main(int argc, char *argv[])
|
|||||||
#endif
|
#endif
|
||||||
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
|
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
|
||||||
int test_cipherlist = 0;
|
int test_cipherlist = 0;
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
int fips_mode=0;
|
||||||
|
#endif
|
||||||
|
|
||||||
verbose = 0;
|
verbose = 0;
|
||||||
debug = 0;
|
debug = 0;
|
||||||
@@ -456,7 +462,16 @@ int main(int argc, char *argv[])
|
|||||||
|
|
||||||
while (argc >= 1)
|
while (argc >= 1)
|
||||||
{
|
{
|
||||||
if (strcmp(*argv,"-server_auth") == 0)
|
if(!strcmp(*argv,"-F"))
|
||||||
|
{
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
fips_mode=1;
|
||||||
|
#else
|
||||||
|
fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
|
||||||
|
EXIT(0);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
else if (strcmp(*argv,"-server_auth") == 0)
|
||||||
server_auth=1;
|
server_auth=1;
|
||||||
else if (strcmp(*argv,"-client_auth") == 0)
|
else if (strcmp(*argv,"-client_auth") == 0)
|
||||||
client_auth=1;
|
client_auth=1;
|
||||||
@@ -638,6 +653,20 @@ bad:
|
|||||||
EXIT(1);
|
EXIT(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if(fips_mode)
|
||||||
|
{
|
||||||
|
if(!FIPS_mode_set(1))
|
||||||
|
{
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
|
||||||
|
EXIT(1);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
fprintf(stderr,"*** IN FIPS MODE ***\n");
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (print_time)
|
if (print_time)
|
||||||
{
|
{
|
||||||
if (!bio_pair)
|
if (!bio_pair)
|
||||||
@@ -2059,15 +2088,7 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_X509_VERIFY
|
#ifndef OPENSSL_NO_X509_VERIFY
|
||||||
# ifdef OPENSSL_FIPS
|
|
||||||
if(s->version == TLS1_VERSION)
|
|
||||||
FIPS_allow_md5(1);
|
|
||||||
# endif
|
|
||||||
ok = X509_verify_cert(ctx);
|
ok = X509_verify_cert(ctx);
|
||||||
# ifdef OPENSSL_FIPS
|
|
||||||
if(s->version == TLS1_VERSION)
|
|
||||||
FIPS_allow_md5(0);
|
|
||||||
# endif
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (cb_arg->proxy_auth)
|
if (cb_arg->proxy_auth)
|
||||||
|
|||||||
@@ -131,6 +131,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
|
|||||||
|
|
||||||
HMAC_CTX_init(&ctx);
|
HMAC_CTX_init(&ctx);
|
||||||
HMAC_CTX_init(&ctx_tmp);
|
HMAC_CTX_init(&ctx_tmp);
|
||||||
|
HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
|
HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
|
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
|
||||||
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
|
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
|
||||||
HMAC_Update(&ctx,seed,seed_len);
|
HMAC_Update(&ctx,seed,seed_len);
|
||||||
|
|||||||
@@ -2843,7 +2843,7 @@ FIPS_selftest_failed 3284 NOEXIST::FUNCTION:
|
|||||||
sk_is_sorted 3285 EXIST::FUNCTION:
|
sk_is_sorted 3285 EXIST::FUNCTION:
|
||||||
X509_check_ca 3286 EXIST::FUNCTION:
|
X509_check_ca 3286 EXIST::FUNCTION:
|
||||||
private_idea_set_encrypt_key 3287 NOEXIST::FUNCTION:
|
private_idea_set_encrypt_key 3287 NOEXIST::FUNCTION:
|
||||||
HMAC_CTX_set_flags 3288 NOEXIST::FUNCTION:
|
HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC
|
||||||
private_SHA_Init 3289 NOEXIST::FUNCTION:
|
private_SHA_Init 3289 NOEXIST::FUNCTION:
|
||||||
private_CAST_set_key 3290 NOEXIST::FUNCTION:
|
private_CAST_set_key 3290 NOEXIST::FUNCTION:
|
||||||
private_RIPEMD160_Init 3291 NOEXIST::FUNCTION:
|
private_RIPEMD160_Init 3291 NOEXIST::FUNCTION:
|
||||||
|
|||||||
Reference in New Issue
Block a user