0.9.8 version of PR#1931 fix.
[oweals/openssl.git] / ssl / ssl_ciph.c
index 725f7f3c1ff2f1610308ad5fb4e9cc43985b3332..5aa03ee4495df2d60a47c638b2e866a7d3baf6a8 100644 (file)
  */
 #include <stdio.h>
 #include <openssl/objects.h>
+#ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
+#endif
+
 #include "ssl_locl.h"
 
 #define SSL_ENC_DES_IDX                0
@@ -222,6 +225,7 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+       {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
        };
 
 void ssl_load_ciphers(void)
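Review bot: The new SSL_TXT_FIPS alias uses a mask of `SSL_FIPS|SSL_STRONG_NONE` while its three neighbours (LOW, MEDIUM, HIGH) all mask with SSL_STRONG_MASK, and nothing in the table says why the FIPS entry is different. Presumably the intent is that "FIPS" selects on the SSL_FIPS flag alone, independent of the strength class, but a reader of the table cannot confirm that here. Suggest a comment above the new row, `/* FIPS selects on the SSL_FIPS bit only; it does not clear the strength class */`, so the asymmetry reads as deliberate rather than as a typo.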
@@ -515,7 +519,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                c = ssl_method->get_cipher(i);
 #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
                /* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+               if ((c != NULL) && c->valid && !IS_MASKED(c)
+                       && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
                if ((c != NULL) && c->valid && !IS_MASKED(c))
+#endif
                        {
                        co_list[co_list_num].cipher = c;
                        co_list[co_list_num].next = NULL;
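Review bot: `FIPS_mode()` is called once per candidate cipher inside the collection loop in the FIPS branch of the new `if`, and the same `!FIPS_mode() || (... & SSL_FIPS)` test is repeated in ssl_create_cipher_list in the hunk at line 1063. Read the mode once before the loop under the same `#ifdef`, `int fips = FIPS_mode();`, and test `(!fips || (c->algo_strength & SSL_FIPS))`; a small `static` helper or macro shared by both sites would keep the two filters from drifting apart. Since ciphers rejected here never enter co_list, the second filter looks redundant and deserves a one-line comment stating why it is kept (defence in depth, or a path that bypasses this function). The enclosing ssl_cipher_collect_ciphers begins outside the hunk.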
@@ -1054,7 +1063,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
+#ifdef OPENSSL_FIPS
+               if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                if (curr->active)
+#endif
                        {
                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
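Review bot: The FIPS condition on the new `if (curr->active && ...)` line mixes `||` and `&` without parentheses around `curr->cipher->algo_strength & SSL_FIPS`; it is correct by precedence, but it differs from the parenthesised form used in ssl_cipher_collect_ciphers and may draw a -Wparentheses style warning on some compilers. Write it as `if (curr->active && (!FIPS_mode() || (curr->cipher->algo_strength & SSL_FIPS)))` so both sites read identically. The enclosing ssl_create_cipher_list starts and ends outside the hunk.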
@@ -1078,6 +1091,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        *cipher_list_by_id = tmp_cipher_list;
        (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
 
+       sk_SSL_CIPHER_sort(*cipher_list_by_id);
        return(cipherstack);
        }
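Review bot: The added `sk_SSL_CIPHER_sort(*cipher_list_by_id)` carries no comment explaining why the by-id list is sorted eagerly right after its compare function is installed. Presumably this is so later lookups on the shared list do not sort it lazily on first use, which would mutate a list that may by then be visible to several SSL objects at once; that reasoning belongs next to the call, e.g. `/* sort now so later lookups by id never need to re-sort a shared list */`. If that is indeed the motivation of the PR#1931 fix, stating it in the commit description would help too. The enclosing ssl_create_cipher_list starts outside the hunk.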
 
@@ -1342,7 +1356,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
        comp->method=cm;
        load_builtin_compressions();
        if (ssl_comp_methods
-               && !sk_SSL_COMP_find(ssl_comp_methods,comp))
+               && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
                {
                OPENSSL_free(comp);
                MemCheck_on();
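Review bot: The corrected duplicate check `sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0` relies on the -1-when-absent convention of the sk_*_find family, which is exactly what the old `!` test got wrong, and nothing warns the next reader not to "simplify" it back. Suggest `/* sk_SSL_COMP_find() returns -1 when absent, the index otherwise */` above the `if`. The found branch frees `comp` (and presumably returns), so the stack's compare function decides what counts as a duplicate; whether that compares only the `id` field cannot be seen from this hunk. SSL_COMP_add_compression_method begins and continues outside the hunk.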