diff -up openssl-0.9.8m/crypto/engine/eng_all.c.fipsmode openssl-0.9.8m/crypto/engine/eng_all.c --- openssl-0.9.8m/crypto/engine/eng_all.c.fipsmode 2008-06-04 20:01:39.000000000 +0200 +++ openssl-0.9.8m/crypto/engine/eng_all.c 2010-03-22 18:08:24.000000000 +0100 @@ -58,9 +58,23 @@ #include "cryptlib.h" #include "eng_int.h" +#ifdef OPENSSL_FIPS +#include +#endif void ENGINE_load_builtin_engines(void) { +#ifdef OPENSSL_FIPS + OPENSSL_init(); + if (FIPS_mode()) { + /* We allow loading dynamic engine as a third party + engine might be FIPS validated. + User is disallowed to load non-validated engines + by security policy. */ + ENGINE_load_dynamic(); + return; + } +#endif /* There's no longer any need for an "openssl" ENGINE unless, one day, * it is the *only* way for standard builtin implementations to be be * accessed (ie. it would be possible to statically link binaries with diff -up openssl-0.9.8m/crypto/evp/c_allc.c.fipsmode openssl-0.9.8m/crypto/evp/c_allc.c --- openssl-0.9.8m/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:11:18.000000000 +0100 +++ openssl-0.9.8m/crypto/evp/c_allc.c 2010-03-22 18:10:11.000000000 +0100 @@ -65,6 +65,11 @@ void OpenSSL_add_all_ciphers(void) { +#ifdef OPENSSL_FIPS + OPENSSL_init(); + if(!FIPS_mode()) + { +#endif #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); EVP_add_cipher(EVP_des_cfb1()); @@ -221,6 +226,65 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); #endif +#ifdef OPENSSL_FIPS + } + else + { +#ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_ede_cfb()); + EVP_add_cipher(EVP_des_ede3_cfb()); + EVP_add_cipher(EVP_des_ede3_cfb1()); + EVP_add_cipher(EVP_des_ede3_cfb8()); + + EVP_add_cipher(EVP_des_ede_ofb()); + EVP_add_cipher(EVP_des_ede3_ofb()); + + EVP_add_cipher(EVP_des_ede_cbc()); + EVP_add_cipher(EVP_des_ede3_cbc()); + EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); + EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); + + EVP_add_cipher(EVP_des_ede()); + EVP_add_cipher(EVP_des_ede3()); +#endif + +#ifndef OPENSSL_NO_AES + EVP_add_cipher(EVP_aes_128_ecb()); + EVP_add_cipher(EVP_aes_128_cbc()); + EVP_add_cipher(EVP_aes_128_cfb()); + EVP_add_cipher(EVP_aes_128_cfb1()); + EVP_add_cipher(EVP_aes_128_cfb8()); + EVP_add_cipher(EVP_aes_128_ofb()); +#if 0 + EVP_add_cipher(EVP_aes_128_ctr()); +#endif + EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); + EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); + EVP_add_cipher(EVP_aes_192_ecb()); + EVP_add_cipher(EVP_aes_192_cbc()); + EVP_add_cipher(EVP_aes_192_cfb()); + EVP_add_cipher(EVP_aes_192_cfb1()); + EVP_add_cipher(EVP_aes_192_cfb8()); + EVP_add_cipher(EVP_aes_192_ofb()); +#if 0 + EVP_add_cipher(EVP_aes_192_ctr()); +#endif + EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); + EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); + EVP_add_cipher(EVP_aes_256_ecb()); + EVP_add_cipher(EVP_aes_256_cbc()); + EVP_add_cipher(EVP_aes_256_cfb()); + EVP_add_cipher(EVP_aes_256_cfb1()); + EVP_add_cipher(EVP_aes_256_cfb8()); + EVP_add_cipher(EVP_aes_256_ofb()); +#if 0 + EVP_add_cipher(EVP_aes_256_ctr()); +#endif + EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); + EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); +#endif + } +#endif PKCS12_PBE_add(); PKCS5_PBE_add(); diff -up openssl-0.9.8m/crypto/evp/c_alld.c.fipsmode openssl-0.9.8m/crypto/evp/c_alld.c --- openssl-0.9.8m/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:33:26.000000000 +0200 +++ openssl-0.9.8m/crypto/evp/c_alld.c 2010-03-22 18:10:43.000000000 +0100 @@ -64,6 +64,11 @@ void OpenSSL_add_all_digests(void) { +#ifdef OPENSSL_FIPS + OPENSSL_init(); + if (!FIPS_mode()) + { +#endif #ifndef OPENSSL_NO_MD4 EVP_add_digest(EVP_md4()); #endif @@ -108,4 +113,32 @@ void OpenSSL_add_all_digests(void) EVP_add_digest(EVP_sha384()); EVP_add_digest(EVP_sha512()); #endif +#ifdef OPENSSL_FIPS + } + else + { +#ifndef OPENSSL_NO_SHA + EVP_add_digest(EVP_sha1()); + EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); +#ifndef OPENSSL_NO_DSA + EVP_add_digest(EVP_dss1()); + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); +#endif +#ifndef OPENSSL_NO_ECDSA + EVP_add_digest(EVP_ecdsa()); +#endif +#endif +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif + } +#endif } diff -up openssl-0.9.8m/crypto/o_init.c.fipsmode openssl-0.9.8m/crypto/o_init.c --- openssl-0.9.8m/crypto/o_init.c.fipsmode 2010-01-27 14:21:34.000000000 +0100 +++ openssl-0.9.8m/crypto/o_init.c 2010-03-22 18:11:53.000000000 +0100 @@ -64,6 +64,46 @@ extern void int_EVP_MD_init_engine_callb extern void int_EVP_CIPHER_init_engine_callbacks(void ); extern void int_RAND_init_engine_callbacks(void ); + +#ifdef OPENSSL_FIPS +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" + +static void init_fips_mode(void) + { + char buf[2] = "0"; + int fd; + + if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) + { + buf[0] = '1'; + } + else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) + { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); + close(fd); + } + /* Failure reading the fips mode switch file means just not + * switching into FIPS mode. We would break too many things + * otherwise. + */ + + if (buf[0] == '1') + { + FIPS_mode_set(1); + } + } +#endif + /* Perform any essential OpenSSL initialization operations. * Currently only sets FIPS callbacks */ diff -up openssl-0.9.8m/ssl/ssl_algs.c.fipsmode openssl-0.9.8m/ssl/ssl_algs.c --- openssl-0.9.8m/ssl/ssl_algs.c.fipsmode 2009-07-08 10:33:27.000000000 +0200 +++ openssl-0.9.8m/ssl/ssl_algs.c 2010-03-22 18:08:24.000000000 +0100 @@ -64,6 +64,10 @@ int SSL_library_init(void) { +#ifdef OPENSSL_FIPS + OPENSSL_init(); +#endif + #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc());