From 57ca171a131e6d55b4c4f6decefedeaa509db702 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 23 May 2019 14:35:42 +0100 Subject: Make the RAND code available from inside the FIPS module Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/9035) --- crypto/hmac/build.info | 7 +++++-- crypto/hmac/hm_meth.c | 10 ++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) (limited to 'crypto/hmac') diff --git a/crypto/hmac/build.info b/crypto/hmac/build.info index f63524d3be..b1c146182c 100644 --- a/crypto/hmac/build.info +++ b/crypto/hmac/build.info @@ -1,3 +1,6 @@ LIBS=../../libcrypto -SOURCE[../../libcrypto]=\ - hmac.c hm_ameth.c hm_meth.c + +$COMMON=hmac.c hm_meth.c + +SOURCE[../../libcrypto]=$COMMON hm_ameth.c +SOURCE[../../providers/fips]=$COMMON diff --git a/crypto/hmac/hm_meth.c b/crypto/hmac/hm_meth.c index db9af95cb7..19278ef67d 100644 --- a/crypto/hmac/hm_meth.c +++ b/crypto/hmac/hm_meth.c @@ -152,6 +152,15 @@ static int hmac_ctrl_str(EVP_MAC_IMPL *hctx, const char *type, { if (!value) return 0; +#ifndef FIPS_MODE + /* + * We don't have EVP_get_digestbyname() in FIPS_MODE. That function returns + * an EVP_MD without an associated provider implementation (i.e. it is + * using "implicit fetch"). We could replace it with an "explicit" fetch + * using EVP_MD_fetch(), but we'd then be required to free the returned + * EVP_MD somewhere. Probably the complexity isn't worth it as we are + * unlikely to need this ctrl in FIPS_MODE anyway. + */ if (strcmp(type, "digest") == 0) { const EVP_MD *d = EVP_get_digestbyname(value); @@ -159,6 +168,7 @@ static int hmac_ctrl_str(EVP_MAC_IMPL *hctx, const char *type, return 0; return hmac_ctrl_int(hctx, EVP_MAC_CTRL_SET_MD, d); } +#endif if (strcmp(type, "key") == 0) return EVP_str2ctrl(hmac_ctrl_str_cb, hctx, EVP_MAC_CTRL_SET_KEY, value); -- cgit v1.2.3