#include <openssl/fips.h>
#include <openssl/err.h>
+#include "../fips/fips_locl.h"
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#error "DATA_ORDER must be defined!"
const unsigned char *cp=end;
#ifdef FIPS
- if(FIPS_mode)
+ if(FIPS_mode && !FIPS_md5_allowed)
{
FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
return 0;
-SHA1(fips.c)= e41f98ed7cd7dbd3c45b91db526dafb7ebc3550c
+SHA1(fips.c)= e7af483a2ca3c0a845b4528b936e143bfdae945e
SHA1(fips_err_wrapper.c)= 527047304bfaa75f6ace20b4f7ac3afb6d89d480
SHA1(fips.h)= 58386539af75f8f622b041a43bf1880fee8642f7
SHA1(fips_err.h)= 8d9fd3ab3e6ca5297c5714e7f6cd9834e22b4cba
#include <openssl/evp.h>
#include <string.h>
#include <limits.h>
+#include "fips_locl.h"
#ifdef FIPS
+int FIPS_md5_allowed;
+
int FIPS_selftest()
{
return FIPS_selftest_sha1()
return 1;
}
+void FIPS_allow_md5(int onoff)
+ {
+ FIPS_md5_allowed=onoff;
+ }
#if 0
/* here just to cause error codes to exist */
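Review bot: `FIPS_md5_allowed` is a single process-wide `int` that `FIPS_allow_md5()` sets and clears without any locking, and the hash-final check in the first hunk reads it directly. In a multi-threaded program, a thread inside one of the TLS1 windows opened in the ssl/ hunks would lift the MD5 restriction for digests finalised by every other thread. The unconditional `FIPS_allow_md5(0)` on the way out would also close a window that an outer caller had opened. A counted flag (increment on allow, decrement on release, test `> 0`) or per-thread state would be safer. At minimum the declaration should carry a comment such as `/* process-wide, not thread-safe: MD5 is permitted in FIPS mode while non-zero */`.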
#include <openssl/evp.h>
#include <openssl/md5.h>
#include "cryptlib.h"
+#include "../fips/fips_locl.h"
static SSL_METHOD *ssl3_get_client_method(int ver);
static int ssl3_client_hello(SSL *s);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,param,param_len);
+#ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION && num == 2)
+ FIPS_allow_md5(1);
+#endif
+
EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
+#ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION && num == 2)
+ FIPS_allow_md5(1);
+#endif
q+=i;
j+=i;
}
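Review bot: The block added after `EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);` calls `FIPS_allow_md5(1)` a second time instead of clearing the flag. Once a TLS1 client passes through this path, MD5 stays permitted in FIPS mode until some other call site happens to reset it. The matching server-side hunk in the next file closes the window with `FIPS_allow_md5(0);`, and this line should read the same. The enclosing loop and function start outside the hunk.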
#include <openssl/krb5_asn.h>
#include <openssl/md5.h>
#include "cryptlib.h"
+#include "../fips/fips_locl.h"
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(d[4]),n);
+#ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION && num == 2)
+ FIPS_allow_md5(1);
+#endif
EVP_DigestFinal_ex(&md_ctx,q,
(unsigned int *)&i);
+#ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION && num == 2)
+ FIPS_allow_md5(0);
+#endif
q+=i;
j+=i;
}
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include "ssl_locl.h"
+#include "../fips/fips_locl.h"
int SSL_get_ex_data_X509_STORE_CTX_idx(void)
{
else
{
#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION)
+ FIPS_allow_md5(1);
+# endif
i=X509_verify_cert(&ctx);
+# ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION)
+ FIPS_allow_md5(0);
+# endif
#else
i=0;
ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
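Review bot: The window opened around `i=X509_verify_cert(&ctx);` exempts every MD5 digest finalised during chain verification on a TLS1 connection, not only the MD5 half of the handshake and PRF computations covered by the other hunks. That appears to let MD5-based certificate signatures verify while in FIPS mode, and any verify callback invoked from inside the call would also run with the restriction lifted, so it is worth confirming that this is intended. If it is, a comment at the call site should name which MD5 use inside verification needs the exemption and why it is acceptable under the FIPS policy. The enclosing function starts and ends outside the hunk.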
#include <openssl/lhash.h>
#include <openssl/x509v3.h>
#include "cryptlib.h"
+#include "../fips/fips_locl.h"
const char *SSL_version_str=OPENSSL_VERSION_TEXT;
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
- return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
+ int r;
+
+#ifdef OPENSSL_FIPS
+ if(ctx->method->version == TLS1_VERSION)
+ FIPS_allow_md5(1);
+#endif
+ r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
+#ifdef OPENSSL_FIPS
+ if(ctx->method->version == TLS1_VERSION)
+ FIPS_allow_md5(0);
+#endif
+ return r;
}
#endif
#endif
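Review bot: Nothing in `SSL_CTX_load_verify_locations` says which MD5 operation during `X509_STORE_load_locations` requires the restriction to be lifted, so a later maintainer cannot tell whether the window can be narrowed or removed. Please add a short comment above the first `#ifdef OPENSSL_FIPS` block naming the MD5 use that needs it. The function also has no documentation of the new side effect; a one-line note that it temporarily toggles the process-wide MD5 allowance for TLS1 methods would help callers.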
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
on Compaq platforms (at least with DEC C).
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -v - more output\n");
clock_t s_time = 0, c_time = 0;
int comp = 0;
COMP_METHOD *cm = NULL;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+ const char *path=argv[0];
+#endif
verbose = 0;
debug = 0;
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ exit(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
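Review bot: On a build without `OPENSSL_FIPS` the new `-F` branch prints a message and calls `exit(0)`, which the new testfipsssl script cannot tell apart from a successful handshake. Its first two checks expect failure (`$ssltest -ssl3 $extra && exit 1`, and the same for `-ssl2`), so the script would exit 1, and the test Makefile hunk runs it unconditionally from `test_ssl`. Either guard that Makefile line with the same `grep " -DFIPS"` test used for the fingerprint step, or have ssltest return a distinct status for "not built with FIPS" that the script treats as a skip. The argument loop continues outside the hunk.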
goto end;
}
+
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1,path))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ exit(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
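Review bot: The `FIPS_mode_set` failure path allocates a BIO with `BIO_new_fp(stderr,BIO_NOCLOSE)` only to print the error queue and never frees it. It also leaves through `exit(1)`, while the check just above uses `EXIT(1)`. `ERR_print_errors_fp(stderr);` does the same job without the allocation. `EXIT(1)` would keep the exit path consistent with the neighbouring code, though the macro's definition is outside the hunk, so confirm it is usable here. The enclosing function starts and ends outside the hunk.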
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
+#include "../fips/fips_locl.h"
static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
int sec_len, unsigned char *seed, int seed_len,
S2= &(sec[len]);
len+=(slen&1); /* add for odd, make longer */
-
+#ifdef OPENSSL_FIPS
+ FIPS_allow_md5(1);
+#endif
tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
+#ifdef OPENSSL_FIPS
+ FIPS_allow_md5(0);
+#endif
tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
for (i=0; i<olen; i++)
EVP_MD_CTX_init(&ctx);
EVP_MD_CTX_copy_ex(&ctx,in_ctx);
+#ifdef OPENSSL_FIPS
+ FIPS_allow_md5(1);
+#endif
EVP_DigestFinal_ex(&ctx,out,&ret);
+#ifdef OPENSSL_FIPS
+ FIPS_allow_md5(0);
+#endif
EVP_MD_CTX_cleanup(&ctx);
return((int)ret);
}
EVP_MD_CTX_init(&ctx);
EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
+#ifdef OPENSSL_FIPS
+ FIPS_allow_md5(1);
+#endif
EVP_DigestFinal_ex(&ctx,q,&i);
+#ifdef OPENSSL_FIPS
+ FIPS_allow_md5(0);
+#endif
q+=i;
EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
EVP_DigestFinal_ex(&ctx,q,&i);
test_ssl: keyU.ss certU.ss certCA.ss
@echo "test SSL protocol"
+ @$(SET_SO_PATHS); sh ./testfipsssl keyU.ss certU.ss certCA.ss
@$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
test_ca:
LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
+ if echo "$(CFLAG)" | grep " -DFIPS" > /dev/null 2> /dev/null; then \
+ $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(SSLTEST); \
+ fi
$(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
--- /dev/null
+#!/bin/sh
+
+if [ "$1" = "" ]; then
+ key=../apps/server.pem
+else
+ key="$1"
+fi
+if [ "$2" = "" ]; then
+ cert=../apps/server.pem
+else
+ cert="$2"
+fi
+
+ciphers="DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA"
+
+ssltest="./ssltest -F -key $key -cert $cert -c_key $key -c_cert $cert -cipher $ciphers"
+
+if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+ dsa_cert=YES
+else
+ dsa_cert=NO
+fi
+
+if [ "$3" = "" ]; then
+ CA="-CApath ../certs"
+else
+ CA="-CAfile $3"
+fi
+
+if [ "$4" = "" ]; then
+ extra=""
+else
+ extra="$4"
+fi
+
+#############################################################################
+
+echo test ssl3 DOESN\'T work
+$ssltest -ssl3 $extra && exit 1
+
+echo test ssl2 DOESN\'T work
+$ssltest -ssl2 $extra && exit 1
+
+echo test tls1
+$ssltest -tls1 $extra || exit 1
+
+echo test tls1 with server authentication
+$ssltest -tls1 -server_auth $CA $extra || exit 1
+
+echo test tls1 with client authentication
+$ssltest -tls1 -client_auth $CA $extra || exit 1
+
+echo test tls1 with both client and server authentication
+$ssltest -tls1 -server_auth -client_auth $CA $extra || exit 1
+
+echo test tls1 via BIO pair
+$ssltest -bio_pair -tls1 $extra || exit 1
+
+echo test tls1 with server authentication via BIO pair
+$ssltest -bio_pair -tls1 -server_auth $CA $extra || exit 1
+
+echo test tls1 with client authentication via BIO pair
+$ssltest -bio_pair -tls1 -client_auth $CA $extra || exit 1
+
+echo test tls1 with both client and server authentication via BIO pair
+$ssltest -bio_pair -tls1 -server_auth -client_auth $CA $extra || exit 1
+
+# note that all the below actually choose TLS...
+
+if [ $dsa_cert = NO ]; then
+ echo test sslv2/sslv3 w/o DHE via BIO pair
+ $ssltest -bio_pair -no_dhe $extra || exit 1
+fi
+
+echo test sslv2/sslv3 with 1024bit DHE via BIO pair
+$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1
+
+echo test sslv2/sslv3 with server authentication
+$ssltest -bio_pair -server_auth $CA $extra || exit 1
+
+echo test sslv2/sslv3 with client authentication via BIO pair
+$ssltest -bio_pair -client_auth $CA $extra || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair
+$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
+$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
+
+#############################################################################
+
+if ../apps/openssl no-dh; then
+ echo skipping anonymous DH tests
+else
+ echo test tls1 with 1024bit anonymous DH, multiple handshakes
+ $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+fi
+
+if ../apps/openssl no-rsa; then
+ echo skipping RSA tests
+else
+ echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
+ ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+
+ if ../apps/openssl no-dh; then
+ echo skipping RSA+DHE tests
+ else
+ echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+ ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ fi
+fi
+
+exit 0
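Review bot: The two RSA multiple-handshake cases near the end invoke `./ssltest` directly instead of `$ssltest`, so they run without `-F` and without the `-cipher $ciphers` restriction, and do not exercise FIPS mode at all. Add the flag explicitly, e.g. `./ssltest -F -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1`, and do the same for the `-dhe1024dsa` line. Separately, `$key`, `$cert` and `$3` are expanded unquoted when `$ssltest` and `$CA` are built and used, so paths containing spaces would split into separate arguments.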
fi
#############################################################################
-
+set -x
echo test sslv2
$ssltest -ssl2 $extra || exit 1