Experimental multi-implementation support for FIPS capable OpenSSL.

When in FIPS mode the approved implementations are used as normal, when not in FIPS mode the internal unapproved versions are used instead. This means that the FIPS capable OpenSSL isn't forced to use the (often lower perfomance) FIPS implementations outside FIPS mode.
author: Dr. Stephen Henson <steve@openssl.org> 2012-05-13 18:40:12 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2012-05-13 18:40:12 +0000
commit: 1dded7f7e8e9f737ef9d7e3c3ef165a78fd7fa1d (patch)
tree: 0fcbb557ce0e1398a1564e16545e46fc16a552a7 /crypto/rsa
parent: 482f2380693213b219de06357e435186121ca731 (diff)
1 files changed, 13 insertions, 3 deletions
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 5b2ecf56ad..b654b00ea8 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -174,10 +174,20 @@ static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
 		rv = 0;
 	if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
 		return -1;
-	if (rctx->md && !(rctx->md->flags & EVP_MD_FLAG_FIPS))
-		return rv;
+	if (rctx->md)
+		{
+		const EVP_MD *fmd;
+		fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md));
+		if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+			return rv;
+		}
 	if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS))
-		return rv;
+		{
+		const EVP_MD *fmd;
+		fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md));
+		if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+			return rv;
+		}
 	return 1;
 	}
 #endif
author	Dr. Stephen Henson <steve@openssl.org>	2012-05-13 18:40:12 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2012-05-13 18:40:12 +0000
commit	1dded7f7e8e9f737ef9d7e3c3ef165a78fd7fa1d (patch)
tree	0fcbb557ce0e1398a1564e16545e46fc16a552a7 /crypto/rsa
parent	482f2380693213b219de06357e435186121ca731 (diff)