Implement FIPS_mode and FIPS_mode_set

[openssl.git] / ssl / s3_enc.c

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 00fad17b9aa08cd070933e999a5ef4c1cec1bbbb..9f5574a01ed5d2f905d60192179fc8c602eda161 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 #endif
        k=0;
        EVP_MD_CTX_init(&m5);
+       EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_MD_CTX_init(&s1);
        for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
                {
@@ -214,7 +215,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
 int ssl3_change_cipher_state(SSL *s, int which)
        {
-       unsigned char *p,*key_block,*mac_secret;
+       unsigned char *p,*mac_secret;
        unsigned char exp_key[EVP_MAX_KEY_LENGTH];
        unsigned char exp_iv[EVP_MAX_IV_LENGTH];
        unsigned char *ms,*key,*iv,*er1,*er2;
@@ -239,7 +240,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
        else
                comp=s->s3->tmp.new_compression->method;
 #endif
-       key_block=s->s3->tmp.key_block;
 
        if (which & SSL3_CC_READ)
                {
@@ -604,17 +604,24 @@ int ssl3_digest_cached_records(SSL *s)
        hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
        if (hdatalen <= 0)
                {
-               SSLerr(SSL_F_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
+               SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
                return 0;
                }
 
        /* Loop through bitso of algorithm2 field and create MD_CTX-es */
        for (i=0;ssl_get_handshake_digest(i,&mask,&md); i++) 
                {
-               if ((mask & s->s3->tmp.new_cipher->algorithm2) && md) 
+               if ((mask & ssl_get_algorithm2(s)) && md) 
                        {
                        s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
                        EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
+#ifdef OPENSSL_FIPS
+                       if (EVP_MD_nid(md) == NID_md5)
+                               {
+                               EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
+                                               EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+                               }
+#endif
                        EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
                        } 
                else 
@@ -655,7 +662,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
                if (!ssl3_digest_cached_records(s))
                        return 0;
 
-       /* Search for djgest of specified type  in the handshake_dgst
+       /* Search for digest of specified type in the handshake_dgst
         * array*/
        for (i=0;i<SSL_MAX_DIGEST;i++) 
                {
@@ -670,6 +677,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
                return 0;
        }       
        EVP_MD_CTX_init(&ctx);
+       EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_MD_CTX_copy_ex(&ctx,d);
        n=EVP_MD_CTX_size(&ctx);
        if (n < 0)