| 1 |
diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta3/crypto/engine/eng_all.c
|
| 2 |
--- openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200
|
| 3 |
+++ openssl-1.0.0-beta3/crypto/engine/eng_all.c 2009-08-11 17:37:16.000000000 +0200
|
| 4 |
@@ -58,9 +58,23 @@
|
| 5 |
|
| 6 |
#include "cryptlib.h"
|
| 7 |
#include "eng_int.h"
|
| 8 |
+#ifdef OPENSSL_FIPS
|
| 9 |
+#include <openssl/fips.h>
|
| 10 |
+#endif
|
| 11 |
|
| 12 |
void ENGINE_load_builtin_engines(void)
|
| 13 |
{
|
| 14 |
+#ifdef OPENSSL_FIPS
|
| 15 |
+ OPENSSL_init_library();
|
| 16 |
+ if (FIPS_mode()) {
|
| 17 |
+ /* We allow loading dynamic engine as a third party
|
| 18 |
+ engine might be FIPS validated.
|
| 19 |
+ User is disallowed to load non-validated engines
|
| 20 |
+ by security policy. */
|
| 21 |
+ ENGINE_load_dynamic();
|
| 22 |
+ return;
|
| 23 |
+ }
|
| 24 |
+#endif
|
| 25 |
#if 0
|
| 26 |
/* There's no longer any need for an "openssl" ENGINE unless, one day,
|
| 27 |
* it is the *only* way for standard builtin implementations to be be
|
| 28 |
diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_allc.c
|
| 29 |
--- openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:48:28.000000000 +0200
|
| 30 |
+++ openssl-1.0.0-beta3/crypto/evp/c_allc.c 2009-08-11 17:42:34.000000000 +0200
|
| 31 |
@@ -65,6 +65,11 @@
|
| 32 |
void OpenSSL_add_all_ciphers(void)
|
| 33 |
{
|
| 34 |
|
| 35 |
+#ifdef OPENSSL_FIPS
|
| 36 |
+ OPENSSL_init_library();
|
| 37 |
+ if(!FIPS_mode())
|
| 38 |
+ {
|
| 39 |
+#endif
|
| 40 |
#ifndef OPENSSL_NO_DES
|
| 41 |
EVP_add_cipher(EVP_des_cfb());
|
| 42 |
EVP_add_cipher(EVP_des_cfb1());
|
| 43 |
@@ -219,4 +224,61 @@ void OpenSSL_add_all_ciphers(void)
|
| 44 |
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
|
| 45 |
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
|
| 46 |
#endif
|
| 47 |
+#ifdef OPENSSL_FIPS
|
| 48 |
+ }
|
| 49 |
+ else
|
| 50 |
+ {
|
| 51 |
+#ifndef OPENSSL_NO_DES
|
| 52 |
+ EVP_add_cipher(EVP_des_ede_cfb());
|
| 53 |
+ EVP_add_cipher(EVP_des_ede3_cfb());
|
| 54 |
+
|
| 55 |
+ EVP_add_cipher(EVP_des_ede_ofb());
|
| 56 |
+ EVP_add_cipher(EVP_des_ede3_ofb());
|
| 57 |
+
|
| 58 |
+ EVP_add_cipher(EVP_des_ede_cbc());
|
| 59 |
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
| 60 |
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
|
| 61 |
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
|
| 62 |
+
|
| 63 |
+ EVP_add_cipher(EVP_des_ede());
|
| 64 |
+ EVP_add_cipher(EVP_des_ede3());
|
| 65 |
+#endif
|
| 66 |
+
|
| 67 |
+#ifndef OPENSSL_NO_AES
|
| 68 |
+ EVP_add_cipher(EVP_aes_128_ecb());
|
| 69 |
+ EVP_add_cipher(EVP_aes_128_cbc());
|
| 70 |
+ EVP_add_cipher(EVP_aes_128_cfb());
|
| 71 |
+ EVP_add_cipher(EVP_aes_128_cfb1());
|
| 72 |
+ EVP_add_cipher(EVP_aes_128_cfb8());
|
| 73 |
+ EVP_add_cipher(EVP_aes_128_ofb());
|
| 74 |
+#if 0
|
| 75 |
+ EVP_add_cipher(EVP_aes_128_ctr());
|
| 76 |
+#endif
|
| 77 |
+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
|
| 78 |
+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
|
| 79 |
+ EVP_add_cipher(EVP_aes_192_ecb());
|
| 80 |
+ EVP_add_cipher(EVP_aes_192_cbc());
|
| 81 |
+ EVP_add_cipher(EVP_aes_192_cfb());
|
| 82 |
+ EVP_add_cipher(EVP_aes_192_cfb1());
|
| 83 |
+ EVP_add_cipher(EVP_aes_192_cfb8());
|
| 84 |
+ EVP_add_cipher(EVP_aes_192_ofb());
|
| 85 |
+#if 0
|
| 86 |
+ EVP_add_cipher(EVP_aes_192_ctr());
|
| 87 |
+#endif
|
| 88 |
+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
|
| 89 |
+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
|
| 90 |
+ EVP_add_cipher(EVP_aes_256_ecb());
|
| 91 |
+ EVP_add_cipher(EVP_aes_256_cbc());
|
| 92 |
+ EVP_add_cipher(EVP_aes_256_cfb());
|
| 93 |
+ EVP_add_cipher(EVP_aes_256_cfb1());
|
| 94 |
+ EVP_add_cipher(EVP_aes_256_cfb8());
|
| 95 |
+ EVP_add_cipher(EVP_aes_256_ofb());
|
| 96 |
+#if 0
|
| 97 |
+ EVP_add_cipher(EVP_aes_256_ctr());
|
| 98 |
+#endif
|
| 99 |
+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
|
| 100 |
+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
|
| 101 |
+#endif
|
| 102 |
+ }
|
| 103 |
+#endif
|
| 104 |
}
|
| 105 |
diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_alld.c
|
| 106 |
--- openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
|
| 107 |
+++ openssl-1.0.0-beta3/crypto/evp/c_alld.c 2009-08-11 17:54:08.000000000 +0200
|
| 108 |
@@ -64,6 +64,11 @@
|
| 109 |
|
| 110 |
void OpenSSL_add_all_digests(void)
|
| 111 |
{
|
| 112 |
+#ifdef OPENSSL_FIPS
|
| 113 |
+ OPENSSL_init_library();
|
| 114 |
+ if (!FIPS_mode())
|
| 115 |
+ {
|
| 116 |
+#endif
|
| 117 |
#ifndef OPENSSL_NO_MD4
|
| 118 |
EVP_add_digest(EVP_md4());
|
| 119 |
#endif
|
| 120 |
@@ -110,5 +115,33 @@ void OpenSSL_add_all_digests(void)
|
| 121 |
#endif
|
| 122 |
#ifndef OPENSSL_NO_WHIRLPOOL
|
| 123 |
EVP_add_digest(EVP_whirlpool());
|
| 124 |
+#endif
|
| 125 |
+#ifdef OPENSSL_FIPS
|
| 126 |
+ }
|
| 127 |
+ else
|
| 128 |
+ {
|
| 129 |
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
| 130 |
+ EVP_add_digest(EVP_sha1());
|
| 131 |
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
| 132 |
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
| 133 |
+#ifndef OPENSSL_NO_DSA
|
| 134 |
+ EVP_add_digest(EVP_dss1());
|
| 135 |
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
| 136 |
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
|
| 137 |
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
|
| 138 |
+#endif
|
| 139 |
+#ifndef OPENSSL_NO_ECDSA
|
| 140 |
+ EVP_add_digest(EVP_ecdsa());
|
| 141 |
+#endif
|
| 142 |
+#endif
|
| 143 |
+#ifndef OPENSSL_NO_SHA256
|
| 144 |
+ EVP_add_digest(EVP_sha224());
|
| 145 |
+ EVP_add_digest(EVP_sha256());
|
| 146 |
+#endif
|
| 147 |
+#ifndef OPENSSL_NO_SHA512
|
| 148 |
+ EVP_add_digest(EVP_sha384());
|
| 149 |
+ EVP_add_digest(EVP_sha512());
|
| 150 |
+#endif
|
| 151 |
+ }
|
| 152 |
#endif
|
| 153 |
}
|
| 154 |
diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto/o_init.c
|
| 155 |
--- openssl-1.0.0-beta3/crypto/o_init.c.fipsmode 2009-08-11 17:28:25.000000000 +0200
|
| 156 |
+++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 17:39:06.000000000 +0200
|
| 157 |
@@ -59,6 +59,43 @@
|
| 158 |
#include <e_os.h>
|
| 159 |
#include <openssl/err.h>
|
| 160 |
|
| 161 |
+#ifdef OPENSSL_FIPS
|
| 162 |
+#include <sys/types.h>
|
| 163 |
+#include <sys/stat.h>
|
| 164 |
+#include <fcntl.h>
|
| 165 |
+#include <unistd.h>
|
| 166 |
+#include <errno.h>
|
| 167 |
+#include <stdlib.h>
|
| 168 |
+#include <openssl/fips.h>
|
| 169 |
+
|
| 170 |
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
| 171 |
+
|
| 172 |
+static void init_fips_mode(void)
|
| 173 |
+ {
|
| 174 |
+ char buf[2] = "0";
|
| 175 |
+ int fd;
|
| 176 |
+
|
| 177 |
+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
| 178 |
+ {
|
| 179 |
+ buf[0] = '1';
|
| 180 |
+ }
|
| 181 |
+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
|
| 182 |
+ {
|
| 183 |
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
| 184 |
+ close(fd);
|
| 185 |
+ }
|
| 186 |
+ /* Failure reading the fips mode switch file means just not
|
| 187 |
+ * switching into FIPS mode. We would break too many things
|
| 188 |
+ * otherwise.
|
| 189 |
+ */
|
| 190 |
+
|
| 191 |
+ if (buf[0] == '1')
|
| 192 |
+ {
|
| 193 |
+ FIPS_mode_set(1);
|
| 194 |
+ }
|
| 195 |
+ }
|
| 196 |
+#endif
|
| 197 |
+
|
| 198 |
/* Perform any essential OpenSSL initialization operations.
|
| 199 |
* Currently only sets FIPS callbacks
|
| 200 |
*/
|
| 201 |
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
|
| 202 |
#ifdef CRYPTO_MDEBUG
|
| 203 |
CRYPTO_malloc_debug_init();
|
| 204 |
#endif
|
| 205 |
+ init_fips_mode();
|
| 206 |
done = 1;
|
| 207 |
}
|
| 208 |
#endif
|
| 209 |
diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl_algs.c
|
| 210 |
--- openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
|
| 211 |
+++ openssl-1.0.0-beta3/ssl/ssl_algs.c 2009-08-11 18:01:13.000000000 +0200
|
| 212 |
@@ -64,6 +64,12 @@
|
| 213 |
int SSL_library_init(void)
|
| 214 |
{
|
| 215 |
|
| 216 |
+#ifdef OPENSSL_FIPS
|
| 217 |
+ OPENSSL_init_library();
|
| 218 |
+ if (!FIPS_mode())
|
| 219 |
+ {
|
| 220 |
+#endif
|
| 221 |
+
|
| 222 |
#ifndef OPENSSL_NO_DES
|
| 223 |
EVP_add_cipher(EVP_des_cbc());
|
| 224 |
EVP_add_cipher(EVP_des_ede3_cbc());
|
| 225 |
@@ -115,6 +121,38 @@ int SSL_library_init(void)
|
| 226 |
EVP_add_digest(EVP_sha());
|
| 227 |
EVP_add_digest(EVP_dss());
|
| 228 |
#endif
|
| 229 |
+#ifdef OPENSSL_FIPS
|
| 230 |
+ }
|
| 231 |
+ else
|
| 232 |
+ {
|
| 233 |
+#ifndef OPENSSL_NO_DES
|
| 234 |
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
| 235 |
+#endif
|
| 236 |
+#ifndef OPENSSL_NO_AES
|
| 237 |
+ EVP_add_cipher(EVP_aes_128_cbc());
|
| 238 |
+ EVP_add_cipher(EVP_aes_192_cbc());
|
| 239 |
+ EVP_add_cipher(EVP_aes_256_cbc());
|
| 240 |
+#endif
|
| 241 |
+#ifndef OPENSSL_NO_MD5
|
| 242 |
+ /* needed even in the FIPS mode for TLS MAC */
|
| 243 |
+ EVP_add_digest(EVP_md5());
|
| 244 |
+#endif
|
| 245 |
+#ifndef OPENSSL_NO_SHA
|
| 246 |
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
|
| 247 |
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
| 248 |
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
| 249 |
+#endif
|
| 250 |
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
|
| 251 |
+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
|
| 252 |
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
| 253 |
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
|
| 254 |
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
|
| 255 |
+#endif
|
| 256 |
+#ifndef OPENSSL_NO_ECDSA
|
| 257 |
+ EVP_add_digest(EVP_ecdsa());
|
| 258 |
+#endif
|
| 259 |
+ }
|
| 260 |
+#endif
|
| 261 |
#ifndef OPENSSL_NO_COMP
|
| 262 |
/* This will initialise the built-in compression algorithms.
|
| 263 |
The value returned is a STACK_OF(SSL_COMP), but that can
|
Parent Directory
| 
Revision Log