authorDr. Stephen Henson <steve@openssl.org>2012-05-13 18:40:12 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-05-13 18:40:12 +0000
commit1dded7f7e8e9f737ef9d7e3c3ef165a78fd7fa1d (patch)
tree0fcbb557ce0e1398a1564e16545e46fc16a552a7 /crypto/hmac
parent482f2380693213b219de06357e435186121ca731 (diff)
Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal; when not in FIPS mode the internal unapproved versions are used instead. This means that the FIPS capable OpenSSL isn't forced to use the (often lower performance) FIPS implementations outside FIPS mode.
Diffstat (limited to 'crypto/hmac')
-rw-r--r--crypto/hmac/hmac.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index ba27cbf56f..45335a1f7a 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -72,6 +72,18 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
unsigned char pad[HMAC_MAX_MD_CBLOCK];
#ifdef OPENSSL_FIPS
+ /* If FIPS mode switch to approved implementation if possible */
+ if (FIPS_mode())
+ {
+ const EVP_MD *fipsmd;
+ if (md)
+ {
+ fipsmd = FIPS_get_digestbynid(EVP_MD_type(md));
+ if (fipsmd)
+ md = fipsmd;
+ }
+ }
+
if (FIPS_mode())
{
/* If we have an ENGINE need to allow non FIPS */
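Review bot: When `FIPS_get_digestbynid()` returns NULL in the added block, `md` is left pointing at the caller's non-approved digest and execution continues with no error, so whether an unapproved HMAC digest can be used in FIPS mode depends entirely on checks later in HMAC_Init_ex, whose body starts before and continues past this hunk. If that later code is meant to reject it, say so at the fall-through, e.g. `/* no approved digest for this NID: md unchanged, must be rejected by the FIPS checks below */`; otherwise return failure here. The `md == NULL` path, which presumably reuses the digest already stored in the context, is not remapped either, so a context set up before FIPS mode was enabled may keep its earlier implementation; this is worth confirming. As a smaller point, the new block could be folded into the existing `if (FIPS_mode())` that follows it, with `fipsmd` declared inside `if (md)`.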