author | Ben Laurie <ben@openssl.org> | 2003-09-13 21:03:54 +0400 |
---|---|---|
committer | Ben Laurie <ben@openssl.org> | 2003-09-13 21:03:54 +0400 |
commit | c45c8f3f1c8ac86048fefae5470db6420e84c1fb (patch) | |
tree | db3376a886406ef3b4c51add2e6357d151bdb0bb /ssl | |
parent | b09c9a91cb275f5562699ef898ec28abc5fd461b (diff) |
Make TLSv1 work in FIPS mode.
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_clnt.c | 10 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 9 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 9 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 14 | ||||
-rw-r--r-- | ssl/ssltest.c | 34 | ||||
-rw-r--r-- | ssl/t1_enc.c | 20 |
6 files changed, 93 insertions, 3 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index fae8eadada..ee7f357459 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -118,6 +118,7 @@ #include <openssl/evp.h> #include <openssl/md5.h> #include "cryptlib.h" +#include "../fips/fips_locl.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); @@ -1166,7 +1167,16 @@ static int ssl3_get_key_exchange(SSL *s) EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,param,param_len); +#ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION && num == 2) + FIPS_allow_md5(1); +#endif + EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); +#ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION && num == 2) + FIPS_allow_md5(1); +#endif q+=i; j+=i; } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 37cf730d0e..3dcb511568 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -124,6 +124,7 @@ #include <openssl/krb5_asn.h> #include <openssl/md5.h> #include "cryptlib.h" +#include "../fips/fips_locl.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -1215,8 +1216,16 @@ static int ssl3_send_server_key_exchange(SSL *s) EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(d[4]),n); +#ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION && num == 2) + FIPS_allow_md5(1); +#endif EVP_DigestFinal_ex(&md_ctx,q, (unsigned int *)&i); +#ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION && num == 2) + FIPS_allow_md5(0); +#endif q+=i; j+=i; } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index da90078a37..38a458f9b8 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -129,6 +129,7 @@ #include <openssl/pem.h> #include <openssl/x509v3.h> #include "ssl_locl.h" +#include "../fips/fips_locl.h" int SSL_get_ex_data_X509_STORE_CTX_idx(void) { 
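Review bot: In ssl3_get_key_exchange (ssl/s3_clnt.c) the call placed after `EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);` passes 1 again, so the MD5 exemption is switched on twice and never switched off; the matching hunk in ssl/s3_srvr.c passes 0 at that point. The second call should read `FIPS_allow_md5(0);`. As written, a FIPS-mode TLSv1 client presumably leaves MD5 permitted for everything that runs after the server key exchange, which defeats the purpose of bracketing a single digest. The function body starts and ends outside the hunk, so the loop that sets `num` is not visible here.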
@@ -491,7 +492,15 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) else { #ifndef OPENSSL_NO_X509_VERIFY +# ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION) + FIPS_allow_md5(1); +# endif i=X509_verify_cert(&ctx); +# ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION) + FIPS_allow_md5(0); +# endif #else i=0; ctx.error=X509_V_ERR_APPLICATION_VERIFICATION; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ddd8114587..2d502d1354 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -122,6 +122,7 @@ #include <openssl/lhash.h> #include <openssl/x509v3.h> #include "cryptlib.h" +#include "../fips/fips_locl.h" const char *SSL_version_str=OPENSSL_VERSION_TEXT; @@ -2152,7 +2153,18 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) { - return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); + int r; + +#ifdef OPENSSL_FIPS + if(ctx->method->version == TLS1_VERSION) + FIPS_allow_md5(1); +#endif + r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath); +#ifdef OPENSSL_FIPS + if(ctx->method->version == TLS1_VERSION) + FIPS_allow_md5(0); +#endif + return r; } #endif diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 42289c255b..0800d243da 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -133,6 +133,7 @@ #endif #include <openssl/err.h> #include <openssl/rand.h> +#include <openssl/fips.h> #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly on Compaq platforms (at least with DEC C). @@ -198,6 +199,9 @@ static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); fprintf(stderr,"\n"); +#ifdef OPENSSL_FIPS + fprintf(stderr,"-F - run test in FIPS mode\n"); +#endif fprintf(stderr," -server_auth - check server certificate\n"); fprintf(stderr," -client_auth - do client authentication\n"); fprintf(stderr," -v - more output\n"); 
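Review bot: The bracket around `i=X509_verify_cert(&ctx);` in ssl_verify_cert_chain opens the MD5 exemption for the whole chain validation rather than for a digest that belongs to the TLSv1 protocol itself, and SSL_CTX_load_verify_locations in ssl/ssl_lib.c does the same around `X509_STORE_load_locations`. Presumably this lets certificates with MD5-based signatures verify in FIPS mode, and any verify callback reached from X509_verify_cert would also run with MD5 allowed. If that is the intent it needs a comment saying so at both sites, for example `/* FIPS: MD5 permitted here so that MD5-signed certificates in a TLSv1 chain still verify */`. If it is not, the bracket should be dropped from both functions. Both function bodies extend outside their hunks.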
@@ -369,6 +373,10 @@ int main(int argc, char *argv[]) clock_t s_time = 0, c_time = 0; int comp = 0; COMP_METHOD *cm = NULL; +#ifdef OPENSSL_FIPS + int fips_mode=0; + const char *path=argv[0]; +#endif verbose = 0; debug = 0; @@ -400,7 +408,16 @@ int main(int argc, char *argv[]) while (argc >= 1) { - if (strcmp(*argv,"-server_auth") == 0) + if(!strcmp(*argv,"-F")) + { +#ifdef OPENSSL_FIPS + fips_mode=1; +#else + fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n"); + exit(0); +#endif + } + else if (strcmp(*argv,"-server_auth") == 0) server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; @@ -534,6 +551,7 @@ bad: goto end; } + if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " @@ -543,6 +561,20 @@ bad: EXIT(1); } +#ifdef OPENSSL_FIPS + if(fips_mode) + { + if(!FIPS_mode_set(1,path)) + { + ERR_load_crypto_strings(); + ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); + exit(1); + } + else + fprintf(stderr,"*** IN FIPS MODE ***\n"); + } +#endif + if (print_time) { if (!bio_pair) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 271e247eea..a03272217f 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -115,6 +115,7 @@ #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/md5.h> +#include "../fips/fips_locl.h" static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, unsigned char *seed, int seed_len, @@ -177,8 +178,13 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, S2= &(sec[len]); len+=(slen&1); /* add for odd, make longer */ - +#ifdef OPENSSL_FIPS + FIPS_allow_md5(1); +#endif tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); +#ifdef OPENSSL_FIPS + FIPS_allow_md5(0); +#endif tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); for (i=0; i<olen; i++) 
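Review bot: In the `-F` branch of main (ssl/ssltest.c), a build without OPENSSL_FIPS prints a message and calls `exit(0)`, so a harness that asked for a FIPS run sees success although no handshake was exercised. If the intent is to skip, a distinct exit status or a marker the harness checks for would keep a skipped run from reading as a pass. This branch and the later FIPS_mode_set block call `exit()` directly, while the surrounding context lines use the `EXIT(1)` macro, so `EXIT(1)` would be consistent there. The message also spells "exiting" as "exitting".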
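Review bot: The bracket around `tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);` in tls1_PRF ends with an unconditional `FIPS_allow_md5(0)`, as do the brackets in tls1_cert_verify_mac, tls1_final_finish_mac, ssl_verify_cert_chain and SSL_CTX_load_verify_locations, so each one clears the exemption instead of restoring the state the caller had. FIPS_allow_md5 is declared in fips/fips_locl.h, which is outside this diff. If it sets a process-wide flag, one thread can clear it while another is in the middle of its MD5 step, and unrelated MD5 use on a second thread can succeed inside the first thread's window. A comment at this first use stating whether the flag is per-thread or global, or a save-and-restore form of the call, would make the intended scope checkable.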
@@ -656,7 +662,13 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) EVP_MD_CTX_init(&ctx); EVP_MD_CTX_copy_ex(&ctx,in_ctx); +#ifdef OPENSSL_FIPS + FIPS_allow_md5(1); +#endif EVP_DigestFinal_ex(&ctx,out,&ret); +#ifdef OPENSSL_FIPS + FIPS_allow_md5(0); +#endif EVP_MD_CTX_cleanup(&ctx); return((int)ret); } @@ -675,7 +687,13 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, EVP_MD_CTX_init(&ctx); EVP_MD_CTX_copy_ex(&ctx,in1_ctx); +#ifdef OPENSSL_FIPS + FIPS_allow_md5(1); +#endif EVP_DigestFinal_ex(&ctx,q,&i); +#ifdef OPENSSL_FIPS + FIPS_allow_md5(0); +#endif q+=i; EVP_MD_CTX_copy_ex(&ctx,in2_ctx); EVP_DigestFinal_ex(&ctx,q,&i); |
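Review bot: tls1_cert_verify_mac opens the MD5 exemption around `EVP_DigestFinal_ex(&ctx,out,&ret);` for whatever digest `in_ctx` carries, whereas tls1_final_finish_mac brackets only the `in1_ctx` finalisation and leaves `in2_ctx` alone. If tls1_cert_verify_mac is also called with the SHA-1 handshake context, which the hunk does not show, the exemption is opened where it is not needed. Guarding both calls with `if (EVP_MD_CTX_type(in_ctx) == NID_md5)` would keep the window limited to the MD5 case.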