Only allow TLS is FIPS mode.

Remove old FIPS_allow_md5() calls.

diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index b1db0fb7b2b0a485652f2828fd0e6208b46f90bc..779e94a35c4f84e050e3d35fb34f4da367237d86 100644 (file)
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -249,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
                        *(d++)=TLS1_VERSION_MINOR;
                        s->client_version=TLS1_VERSION;
                        }
+#ifdef OPENSSL_FIPS
+               else if(FIPS_mode())
+                       {
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                       return -1;
+                       }
+#endif
                else if (!(s->options & SSL_OP_NO_SSLv3))
                        {
                        *(d++)=SSL3_VERSION_MAJOR;
@@ -429,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
+#ifdef OPENSSL_FIPS
+                       if(FIPS_mode())
+                               {
+                               SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                               goto err;
+                               }
+#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }

diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index c5404ca0bcd4c015f0273f38e22ef07bffb92585..92f3391f601e1f0dc578c0cccbd5fc79c62af558 100644 (file)
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
 
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && (s->version < TLS1_VERSION))
+               {
+               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+               goto err;
+               }
+#endif
+
        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                {
                /* we have SSLv3/TLSv1 in an SSLv2 header

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a18be3e2f112cdb5cfbeed30b1fdaa4500146668..a475033f01e761119ec41bc747ef419fd4d0f315 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1169,16 +1169,8 @@ static int ssl3_get_key_exchange(SSL *s)
                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,param,param_len);
-#ifdef OPENSSL_FIPS
-                               if(s->version == TLS1_VERSION && num == 2)
-                                       FIPS_allow_md5(1);
-#endif
                                
                                EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
-#ifdef OPENSSL_FIPS
-                               if(s->version == TLS1_VERSION && num == 2)
-                                       FIPS_allow_md5(1);
-#endif
                                q+=i;
                                j+=i;
                                }

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index beb6c64b93342287014ab5d19ed32c00c203fd7d..a012d3f2b5ee3194301bc7c312833763e85639eb 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -644,6 +644,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
        unsigned int n;
 
        EVP_MD_CTX_init(&ctx);
+       EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        for (i=0; i<3; i++)
                {
                EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a7184891cdf6500aa2acdd1f2e7ca806baa8dfb8..0a573c6a4816a27003b2bfac4faf4b9d191fa898 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1220,16 +1220,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                        EVP_DigestUpdate(&md_ctx,&(d[4]),n);
-#ifdef OPENSSL_FIPS
-                                       if(s->version == TLS1_VERSION && num == 2)
-                                               FIPS_allow_md5(1);
-#endif
                                        EVP_DigestFinal_ex(&md_ctx,q,
                                                (unsigned int *)&i);
-#ifdef OPENSSL_FIPS
-                                       if(s->version == TLS1_VERSION && num == 2)
-                                               FIPS_allow_md5(0);
-#endif
                                        q+=i;
                                        j+=i;
                                        }

diff --git a/ssl/ssl.h b/ssl/ssl.h
index ad201f2574375c8130992b1c5ea1140654db8cc5..3ed6b9f6ee05e2c6b139406e079084de5c1ac6dd 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1742,6 +1742,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX                              195
 #define SSL_R_NULL_SSL_METHOD_PASSED                    196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED           197
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE             1115
 #define SSL_R_PACKET_LENGTH_TOO_LONG                    198
 #define SSL_R_PATH_TOO_LONG                             270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 199

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0bef96080f2b782a1036615ce2d17e8f856b2dc5..6e98de89031b6a76124d26eeacc038d130f534fc 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -493,15 +493,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
        else
                {
 #ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
-               if(s->version == TLS1_VERSION)
-                       FIPS_allow_md5(1);
-# endif
                i=X509_verify_cert(&ctx);
-# ifdef OPENSSL_FIPS
-               if(s->version == TLS1_VERSION)
-                       FIPS_allow_md5(0);
-# endif
 #else
                i=0;
                ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index d2cb181503223d0b407833e5e67b2b77f4dc9207..65eefee199e7e22f79320e4b37f9b140f6ae01ae 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -334,6 +334,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
 {SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
 {SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
+{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE     ,"only tls allowed in fips mode"},
 {SSL_R_PACKET_LENGTH_TOO_LONG            ,"packet length too long"},
 {SSL_R_PATH_TOO_LONG                     ,"path too long"},
 {SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f5705af0f616d5875eebe5162016c3da92b2bba2..1f625cb074b2cb4ea947efdaf32ecdf194d80271 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1293,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                return(NULL);
                }
 
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+               return NULL;
+               }
+#endif
+
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -2158,16 +2166,7 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                const char *CApath)
        {
        int r;
-
-#ifdef OPENSSL_FIPS
-       if(ctx->method->version == TLS1_VERSION)
-           FIPS_allow_md5(1);
-#endif
        r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
-#ifdef OPENSSL_FIPS
-       if(ctx->method->version == TLS1_VERSION)
-           FIPS_allow_md5(0);
-#endif
        return r;
        }
 #endif

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3dec4099cb2538d4a19591fb1fa1e7e540a8d5c9..2c6246abf5403be200f2092dde4aa74a7dba9c32 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -180,13 +180,7 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
        S2= &(sec[len]);
        len+=(slen&1); /* add for odd, make longer */
 
-#ifdef OPENSSL_FIPS
-       FIPS_allow_md5(1);
-#endif
        tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
-#ifdef OPENSSL_FIPS
-       FIPS_allow_md5(0);
-#endif
        tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
 
        for (i=0; i<olen; i++)
@@ -664,13 +658,7 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
 
        EVP_MD_CTX_init(&ctx);
        EVP_MD_CTX_copy_ex(&ctx,in_ctx);
-#ifdef OPENSSL_FIPS
-       FIPS_allow_md5(1);
-#endif
        EVP_DigestFinal_ex(&ctx,out,&ret);
-#ifdef OPENSSL_FIPS
-       FIPS_allow_md5(0);
-#endif
        EVP_MD_CTX_cleanup(&ctx);
        return((int)ret);
        }
@@ -689,13 +677,7 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
 
        EVP_MD_CTX_init(&ctx);
        EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
-#ifdef OPENSSL_FIPS
-       FIPS_allow_md5(1);
-#endif
        EVP_DigestFinal_ex(&ctx,q,&i);
-#ifdef OPENSSL_FIPS
-       FIPS_allow_md5(0);
-#endif
        q+=i;
        EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
        EVP_DigestFinal_ex(&ctx,q,&i);