Implement FIPS_mode and FIPS_mode_set

[openssl.git] / ssl / ssl_ciph.c

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 132b848e4a2c70a0da9c2312aa78870e710850af..87a9f68ce9d7b68906588ab5f61cb2ef892b91c8 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -709,6 +709,7 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
 
        *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
        *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
+       *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
        *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
        *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
 
@@ -739,6 +740,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
                if ((c != NULL) && c->valid &&
+#ifdef OPENSSL_FIPS
+                   (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
+#endif
                    !(c->algorithm_mkey & disabled_mkey) &&
                    !(c->algorithm_auth & disabled_auth) &&
                    !(c->algorithm_enc & disabled_enc) &&
@@ -1438,7 +1442,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
+#ifdef OPENSSL_FIPS
+               if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                if (curr->active)
+#endif
                        {
                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG