From 813cfd9c0a55458397bf017f661bf9d97cb29cc2 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sat, 1 Mar 2014 23:01:07 +0000
Subject: Add additional FIPS digests.

Add a few special case digests not returned by FIPS_get_digestbynid().

Thanks to Roumen Petrov <openssl@roumenpetrov.info> for reporting this
issue.
---
 crypto/evp/digest.c   |  3 ++-
 crypto/evp/evp_lib.c  | 19 ++++++++++++++++++-
 crypto/evp/evp_locl.h |  2 ++
 3 files changed, 22 insertions(+), 2 deletions(-)

(limited to 'crypto/evp')

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 87317572fe..af0044ff43 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -119,6 +119,7 @@
 
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
+#include "evp_locl.h"
 #endif
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
@@ -152,7 +153,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 		const EVP_MD *fipsmd;
 		if (type)
 			{
-			fipsmd = FIPS_get_digestbynid(EVP_MD_type(type));
+			fipsmd = evp_get_fips_md(type);
 			if (fipsmd)
 				type = fipsmd;
 			}
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index c5509a9fb9..d548ad1d31 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
+#include "evp_locl.h"
 #endif
 
 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
@@ -298,11 +299,27 @@ int EVP_MD_size(const EVP_MD *md)
 	return md->md_size;
 	}
 
+#ifdef OPENSSL_FIPS
+
+const EVP_MD *evp_get_fips_md(const EVP_MD *md)
+	{
+	int nid = EVP_MD_type(md);
+	if (nid == NID_dsa)
+		return FIPS_evp_dss1();
+	else if (nid == NID_dsaWithSHA)
+		return FIPS_evp_dss();
+	else if (nid == NID_ecdsa_with_SHA1)
+		return FIPS_evp_ecdsa();
+	else
+		return FIPS_get_digestbynid(nid);
+	}
+#endif
+
 unsigned long EVP_MD_flags(const EVP_MD *md)
 	{
 #ifdef OPENSSL_FIPS
 	const EVP_MD *fmd;
-	fmd = FIPS_get_digestbynid(EVP_MD_type(md));
+	fmd = evp_get_fips_md(md);
 	if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
 		return md->flags | EVP_MD_FLAG_FIPS;
 #endif
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 08c0a66d39..f4a943a716 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -348,6 +348,8 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 			     ASN1_TYPE *param,
 			     const EVP_CIPHER *c, const EVP_MD *md, int en_de);
 
+const EVP_MD *evp_get_fips_md(const EVP_MD *md);
+
 #ifdef OPENSSL_FIPS
 
 #ifdef OPENSSL_DOING_MAKEDEPEND
-- 
cgit v1.2.3