FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS
capable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
-#ifdef OPENSSL_FIPS
else if(FIPS_mode())
{
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
return -1;
}
-#endif
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
-#ifdef OPENSSL_FIPS
if(FIPS_mode())
{
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
goto err;
}
-#endif
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
static const SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
goto err;
}
-#ifdef OPENSSL_FIPS
if (FIPS_mode() && (s->version < TLS1_VERSION))
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
goto err;
}
-#endif
if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
{
* which ssl3_cbc_digest_record supports. */
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
{
-#ifdef OPENSSL_FIPS
if (FIPS_mode())
return 0;
-#endif
switch (EVP_MD_CTX_type(ctx))
{
case NID_md5:
EVP_MD_CTX_cleanup(&md_ctx);
}
-#ifdef OPENSSL_FIPS
-
/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
* we can ensure the number of blocks processed is equal for all cases
* by digesting additional data.
EVP_DigestSignUpdate(mac_ctx, data,
(blocks_orig - blocks_data + 1) * block_size);
}
-#endif
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
if ((mask & ssl_get_algorithm2(s)) && md)
{
s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
-#ifdef OPENSSL_FIPS
if (EVP_MD_nid(md) == NID_md5)
{
EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
-#endif
EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
}
s->ssl_version < TLS1_VERSION)
return 1;
-#ifdef OPENSSL_FIPS
if (FIPS_mode())
return 1;
-#endif
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
!(c->algorithm_mkey & disabled_mkey) &&
!(c->algorithm_auth & disabled_auth) &&
!(c->algorithm_enc & disabled_enc) &&
*/
for (curr = head; curr != NULL; curr = curr->next)
{
-#ifdef OPENSSL_FIPS
if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
- if (curr->active)
-#endif
{
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
{
return(NULL);
}
-#ifdef OPENSSL_FIPS
if (FIPS_mode() && (meth->version < TLS1_VERSION))
{
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
return NULL;
}
-#endif
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
{
EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
OPENSSL_assert(t > 0);
-#ifdef OPENSSL_FIPS
if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
tls_fips_digest_extra(
ssl->enc_read_ctx,
mac_ctx, rec->input,
rec->length, rec->orig_len);
-#endif
}
if (!stream_mac)
const EVP_MD *tls12_get_hash(unsigned char hash_alg)
{
const tls12_hash_info *inf;
-#ifndef OPENSSL_FIPS
if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
return NULL;
-#endif
inf = tls12_get_hash_info(hash_alg);
if (!inf || !inf->mfunc)
return NULL;
projects / openssl.git / commitdiff