Blob Blame Raw
diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
+++ openssl-1.0.0a/crypto/engine/eng_all.c	2010-06-04 13:32:13.000000000 +0200
@@ -58,9 +58,23 @@
 
 #include "cryptlib.h"
 #include "eng_int.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
 void ENGINE_load_builtin_engines(void)
 	{
+#ifdef OPENSSL_FIPS
+	OPENSSL_init_library();
+	if (FIPS_mode()) {
+		/* We allow loading dynamic engine as a third party
+		   engine might be FIPS validated.
+		   User is disallowed to load non-validated engines
+		   by security policy. */
+		ENGINE_load_dynamic();
+		return;
+	}
+#endif
 #if 0
 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
 	 * it is the *only* way for standard builtin implementations to be be
diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode	2009-12-25 15:12:24.000000000 +0100
+++ openssl-1.0.0a/crypto/evp/c_allc.c	2010-06-04 13:32:13.000000000 +0200
@@ -65,6 +65,11 @@
 void OpenSSL_add_all_ciphers(void)
 	{
 
+#ifdef OPENSSL_FIPS
+	OPENSSL_init_library();
+	if(!FIPS_mode()) 
+		{
+#endif
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cfb());
 	EVP_add_cipher(EVP_des_cfb1());
@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
 #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#ifndef OPENSSL_NO_DES
+	EVP_add_cipher(EVP_des_ede_cfb());
+	EVP_add_cipher(EVP_des_ede3_cfb());
+
+	EVP_add_cipher(EVP_des_ede_ofb());
+	EVP_add_cipher(EVP_des_ede3_ofb());
+
+	EVP_add_cipher(EVP_des_ede_cbc());
+	EVP_add_cipher(EVP_des_ede3_cbc());
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+	EVP_add_cipher(EVP_des_ede());
+	EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef OPENSSL_NO_AES
+	EVP_add_cipher(EVP_aes_128_ecb());
+	EVP_add_cipher(EVP_aes_128_cbc());
+	EVP_add_cipher(EVP_aes_128_cfb());
+	EVP_add_cipher(EVP_aes_128_cfb1());
+	EVP_add_cipher(EVP_aes_128_cfb8());
+	EVP_add_cipher(EVP_aes_128_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_128_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+	EVP_add_cipher(EVP_aes_192_ecb());
+	EVP_add_cipher(EVP_aes_192_cbc());
+	EVP_add_cipher(EVP_aes_192_cfb());
+	EVP_add_cipher(EVP_aes_192_cfb1());
+	EVP_add_cipher(EVP_aes_192_cfb8());
+	EVP_add_cipher(EVP_aes_192_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_192_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+	EVP_add_cipher(EVP_aes_256_ecb());
+	EVP_add_cipher(EVP_aes_256_cbc());
+	EVP_add_cipher(EVP_aes_256_cfb());
+	EVP_add_cipher(EVP_aes_256_cfb1());
+	EVP_add_cipher(EVP_aes_256_cfb8());
+	EVP_add_cipher(EVP_aes_256_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_256_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
+		}
+#endif
 	}
diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
+++ openssl-1.0.0a/crypto/evp/c_alld.c	2010-06-04 13:32:13.000000000 +0200
@@ -64,6 +64,11 @@
 
 void OpenSSL_add_all_digests(void)
 	{
+#ifdef OPENSSL_FIPS
+	OPENSSL_init_library();
+	if (!FIPS_mode())
+		{
+#endif
 #ifndef OPENSSL_NO_MD4
 	EVP_add_digest(EVP_md4());
 #endif
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
 #ifndef OPENSSL_NO_WHIRLPOOL
 	EVP_add_digest(EVP_whirlpool());
 #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+	EVP_add_digest(EVP_sha1());
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef OPENSSL_NO_DSA
+	EVP_add_digest(EVP_dss1());
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	EVP_add_digest(EVP_ecdsa());
+#endif
+#endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
+		}
+#endif
 	}
diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
--- openssl-1.0.0a/crypto/o_init.c.fipsmode	2010-06-04 13:32:13.000000000 +0200
+++ openssl-1.0.0a/crypto/o_init.c	2010-06-04 13:32:13.000000000 +0200
@@ -59,6 +59,43 @@
 #include <e_os.h>
 #include <openssl/err.h>
 
+#ifdef OPENSSL_FIPS
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <openssl/fips.h>
+
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+	{
+	char buf[2] = "0";
+	int fd;
+	
+	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+		{
+		buf[0] = '1';
+		}
+	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
+		{
+		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+		close(fd);
+		}
+	/* Failure reading the fips mode switch file means just not
+	 * switching into FIPS mode. We would break too many things
+	 * otherwise. 
+	 */
+	
+	if (buf[0] == '1')
+		{
+		FIPS_mode_set(1);
+		}
+	}
+#endif
+
 /* Perform any essential OpenSSL initialization operations.
  * Currently only sets FIPS callbacks
  */
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_malloc_debug_init();
 #endif
+		init_fips_mode();
 		done = 1;
 		}
 #endif
diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode	2010-04-07 15:18:30.000000000 +0200
+++ openssl-1.0.0a/ssl/ssl_algs.c	2010-06-04 13:32:48.000000000 +0200
@@ -64,6 +64,12 @@
 int SSL_library_init(void)
 	{
 
+#ifdef OPENSSL_FIPS
+	OPENSSL_init_library();
+	if (!FIPS_mode())
+		{
+#endif
+
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cbc());
 	EVP_add_cipher(EVP_des_ede3_cbc());
@@ -127,6 +133,48 @@ int SSL_library_init(void)
 	EVP_add_digest(EVP_sha());
 	EVP_add_digest(EVP_dss());
 #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#ifndef OPENSSL_NO_DES
+	EVP_add_cipher(EVP_des_ede3_cbc());
+#endif
+#ifndef OPENSSL_NO_AES
+	EVP_add_cipher(EVP_aes_128_cbc());
+	EVP_add_cipher(EVP_aes_192_cbc());
+	EVP_add_cipher(EVP_aes_256_cbc());
+#endif
+#ifndef OPENSSL_NO_MD5
+	/* needed even in the FIPS mode for TLS MAC */
+	EVP_add_digest(EVP_md5());
+	EVP_add_digest_alias(SN_md5,"ssl2-md5");
+	EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef OPENSSL_NO_SHA
+	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
+	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	EVP_add_digest(EVP_ecdsa());
+#endif
+		}
+#endif
 #ifndef OPENSSL_NO_COMP
 	/* This will initialise the built-in compression algorithms.
 	   The value returned is a STACK_OF(SSL_COMP), but that can