diff -up gnutls-2.12.21/lib/gcrypt/init.c.fips gnutls-2.12.21/lib/gcrypt/init.c

--- gnutls-2.12.21/lib/gcrypt/init.c.fips	2012-01-06 20:06:23.000000000 +0100

+++ gnutls-2.12.21/lib/gcrypt/init.c	2012-11-09 19:57:54.651624659 +0100

@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {

   .recvmsg = NULL,

 };

+int gnutls_gcrypt_fips;

+

 int

 gnutls_crypto_init (void)

 {

@@ -72,6 +74,8 @@ gnutls_crypto_init (void)

           return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;

         }

+      gnutls_gcrypt_fips = gcry_fips_mode_active();

+

       /* for gcrypt in order to be able to allocate memory */

       gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);

diff -up gnutls-2.12.21/lib/gnutls_algorithms.c.fips gnutls-2.12.21/lib/gnutls_algorithms.c

--- gnutls-2.12.21/lib/gnutls_algorithms.c.fips	2012-01-06 20:06:23.000000000 +0100

+++ gnutls-2.12.21/lib/gnutls_algorithms.c	2012-11-28 14:19:34.507948036 +0100

@@ -44,11 +44,11 @@ typedef struct

 } gnutls_sec_params_entry;

 static const gnutls_sec_params_entry sec_params[] = {

-  {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 816, 1024, 128, 128},

-  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},

-  {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},

-  {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},

-  {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},

+  {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 1024, 1024, 128, 128},

+  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1280, 2048, 160, 160},

+  {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2560, 3072, 224, 224},

+  {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3328, 3072, 256, 256},

+  {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15616, 3072, 512, 512},

   {NULL, 0, 0, 0, 0, 0}

 };

diff -up gnutls-2.12.21/lib/gnutls_priority.c.fips gnutls-2.12.21/lib/gnutls_priority.c

--- gnutls-2.12.21/lib/gnutls_priority.c.fips	2012-11-08 17:11:11.000000000 +0100

+++ gnutls-2.12.21/lib/gnutls_priority.c	2012-11-09 19:57:54.651624659 +0100

@@ -30,6 +30,7 @@

 #include "gnutls_algorithms.h"

 #include "gnutls_errors.h"

 #include <gnutls_num.h>

+#include <gcrypt.h>

 static void

 break_comma_list (char *etag,

@@ -223,6 +224,13 @@ static const int protocol_priority[] = {

   0

 };

+static const int protocol_priority_fips[] = {

+  GNUTLS_TLS1_2,

+  GNUTLS_TLS1_1,

+  GNUTLS_TLS1_0,

+  0

+};

+

 static const int kx_priority_performance[] = {

   GNUTLS_KX_RSA,

   GNUTLS_KX_DHE_RSA,

@@ -269,6 +277,13 @@ static const int cipher_priority_perform

   0

 };

+static const int cipher_priority_performance_fips[] = {

+  GNUTLS_CIPHER_AES_128_CBC,

+  GNUTLS_CIPHER_3DES_CBC,

+  GNUTLS_CIPHER_AES_256_CBC,

+  0

+};

+

 static const int cipher_priority_normal[] = {

   GNUTLS_CIPHER_AES_128_CBC,

 #ifdef	ENABLE_CAMELLIA

@@ -284,6 +299,13 @@ static const int cipher_priority_normal[

   0

 };

+static const int cipher_priority_normal_fips[] = {

+  GNUTLS_CIPHER_AES_128_CBC,

+  GNUTLS_CIPHER_AES_256_CBC,

+  GNUTLS_CIPHER_3DES_CBC,

+  0

+};

+

 static const int cipher_priority_secure128[] = {

   GNUTLS_CIPHER_AES_128_CBC,

 #ifdef	ENABLE_CAMELLIA

@@ -295,6 +317,11 @@ static const int cipher_priority_secure1

   0

 };

+static const int cipher_priority_secure128_fips[] = {

+  GNUTLS_CIPHER_AES_128_CBC,

+  GNUTLS_CIPHER_3DES_CBC,

+  0

+};

 static const int cipher_priority_secure256[] = {

   GNUTLS_CIPHER_AES_256_CBC,

@@ -311,6 +338,13 @@ static const int cipher_priority_secure2

   0

 };

+static const int cipher_priority_secure256_fips[] = {

+  GNUTLS_CIPHER_AES_256_CBC,

+  GNUTLS_CIPHER_AES_128_CBC,

+  GNUTLS_CIPHER_3DES_CBC,

+  0

+};

+

 /* The same as cipher_priority_security_normal + arcfour-40. */

 static const int cipher_priority_export[] = {

   GNUTLS_CIPHER_AES_128_CBC,

@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =

   0

 };

+static const int mac_priority_normal_fips[] = {

+  GNUTLS_MAC_SHA1,

+  GNUTLS_MAC_SHA256,

+  0

+};

+

 static const int mac_priority_secure[] = {

   GNUTLS_MAC_SHA256,

@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se

 #define MAX_ELEMENTS 48

+extern int gnutls_gcrypt_fips;

+

 /**

  * gnutls_priority_init:

  * @priority_cache: is a #gnutls_prioritity_t structure.

@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t

    */

   if (strcasecmp (broken_list[0], "NONE") != 0)

     {

-      _set_priority (&(*priority_cache)->protocol, protocol_priority);

+      _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);

       _set_priority (&(*priority_cache)->compression, comp_priority);

       _set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);

       _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);

@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t

       if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)

         {

           _set_priority (&(*priority_cache)->cipher,

-                         cipher_priority_performance);

+                         gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);

           _set_priority (&(*priority_cache)->kx, kx_priority_performance);

-          _set_priority (&(*priority_cache)->mac, mac_priority_normal);

+          _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);

           _set_priority (&(*priority_cache)->sign_algo,

                          sign_priority_default);

         }

       else if (strcasecmp (broken_list[i], "NORMAL") == 0)

         {

-          _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);

+          _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);

           _set_priority (&(*priority_cache)->kx, kx_priority_secure);

-          _set_priority (&(*priority_cache)->mac, mac_priority_normal);

+          _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);

           _set_priority (&(*priority_cache)->sign_algo,

                          sign_priority_default);

         }

@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t

                || strcasecmp (broken_list[i], "SECURE") == 0)

         {

           _set_priority (&(*priority_cache)->cipher,

-                         cipher_priority_secure256);

+                         gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);

           _set_priority (&(*priority_cache)->kx, kx_priority_secure);

           _set_priority (&(*priority_cache)->mac, mac_priority_secure);

           _set_priority (&(*priority_cache)->sign_algo,

@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t

       else if (strcasecmp (broken_list[i], "SECURE128") == 0)

         {

           _set_priority (&(*priority_cache)->cipher,

-                         cipher_priority_secure128);

+                         gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);

           _set_priority (&(*priority_cache)->kx, kx_priority_secure);

           _set_priority (&(*priority_cache)->mac, mac_priority_secure);

           _set_priority (&(*priority_cache)->sign_algo,

@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t

               if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)

                 {

                   bulk_fn (&(*priority_cache)->protocol,

-                                 protocol_priority);

+                                 gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);

                 }

               else

                 {

@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t

           else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)

             {

                   bulk_fn (&(*priority_cache)->cipher,

-                                cipher_priority_normal);

+                                gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);

             }

           else

             goto error;