diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-05-13 18:40:12 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-05-13 18:40:12 +0000 |
commit | 1dded7f7e8e9f737ef9d7e3c3ef165a78fd7fa1d (patch) | |
tree | 0fcbb557ce0e1398a1564e16545e46fc16a552a7 /crypto/rsa | |
parent | 482f2380693213b219de06357e435186121ca731 (diff) |
Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This means that the FIPS capable OpenSSL isn't forced to use the
(often lower perfomance) FIPS implementations outside FIPS mode.
Diffstat (limited to 'crypto/rsa')
-rw-r--r-- | crypto/rsa/rsa_pmeth.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 5b2ecf56ad..b654b00ea8 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -174,10 +174,20 @@ static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx) rv = 0; if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv) return -1; - if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS)) - return rv; + if (rctx->md) + { + const EVP_MD *fmd; + fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md)); + if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS)) + return rv; + } if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) - return rv; + { + const EVP_MD *fmd; + fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md)); + if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS)) + return rv; + } return 1; } #endif |