Add SSL_FIPS flag for FIPS 140-2 approved ciphersuites and add a new

author Dr. Stephen Henson <steve@openssl.org>

Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index 2c0dc7ab14f709846d875559dcf5f55d1f133f80..f09238f187425b4920b2468ff06ab14aa4b9a8c2 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_eNULL,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_STRONG_NONE,
+       SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         0,
         0,
@@ -326,7 +326,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -375,7 +375,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -472,7 +472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -520,7 +520,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -600,7 +600,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -685,7 +685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_3DES,
         SSL_SHA1,
         SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         168,
         168,
@@ -895,7 +895,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES128,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         128,
         128,
@@ -910,7 +910,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES128,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         128,
         128,
@@ -925,7 +925,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES128,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         128,
         128,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES128,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         128,
         128,
@@ -955,7 +955,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES128,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         128,
         128,
@@ -970,7 +970,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES128,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         128,
         128,
@@ -986,7 +986,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES256,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         256,
         256,
@@ -1001,7 +1001,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES256,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         256,
         256,
@@ -1017,7 +1017,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES256,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         256,
         256,
@@ -1033,7 +1033,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES256,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         256,
         256,
@@ -1049,7 +1049,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES256,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         256,
         256,
@@ -1065,7 +1065,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_AES256,
         SSL_SHA1,
         SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
         256,
         256,
diff --git a/ssl/ssl.h b/ssl/ssl.h

index ab13f0ddc4fa292f357c9a763f4e5fa79006db95..d3fdccdf89945a365c64240142cc8f5a99743a46 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -229,6 +229,7 @@ extern "C" {
  #define SSL_TXT_LOW            "LOW"
  #define SSL_TXT_MEDIUM         "MEDIUM"
  #define SSL_TXT_HIGH           "HIGH"
+#define SSL_TXT_FIPS           "FIPS"
  
  #define SSL_TXT_kFZA           "kFZA" /* unused! */
  #define        SSL_TXT_aFZA            "aFZA" /* unused! */
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c

index f62f37deb15e389a2373fbd50e5185e3b290ce7d..c31d6e0c782f7545364b11da4f8981a071d60240 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -308,6 +308,8 @@ static const SSL_CIPHER cipher_aliases[]={
         {0,SSL_TXT_LOW,0,     0,0,0,0,0,SSL_LOW,   0,0,0},
         {0,SSL_TXT_MEDIUM,0,  0,0,0,0,0,SSL_MEDIUM,0,0,0},
         {0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
+       /* FIPS 140-2 approved ciphersuite */
+       {0,SSL_TXT_FIPS,0,    0,0,~SSL_eNULL,0,0,SSL_FIPS,  0,0,0},
         };
  /* Search for public key algorithm with given name and 
   * return its pkey_id if it is available. Otherwise return 0
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h

index fc77fd0bde4de214b67a11f4acb72a1825fe992d..2bbe2c613fa54693380e20b98107a6960fa8d781 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -370,7 +370,7 @@
   * be possible.
   */
  #define SSL_EXP_MASK           0x00000003L
-#define SSL_STRONG_MASK                0x000000fcL
+#define SSL_STRONG_MASK                0x000001fcL
  
  #define SSL_NOT_EXP            0x00000001L
  #define SSL_EXPORT             0x00000002L
@@ -383,6 +383,7 @@
  #define SSL_LOW                        0x00000020L
  #define SSL_MEDIUM             0x00000040L
  #define SSL_HIGH               0x00000080L
+#define SSL_FIPS               0x00000100L
  
  /* we have used 000000ff - 24 bits left to go */
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)
ssl/s3_lib.c		patch \| blob \| history
ssl/ssl.h		patch \| blob \| history
ssl/ssl_ciph.c		patch \| blob \| history
ssl/ssl_locl.h		patch \| blob \| history