Don't set default public key methods in FIPS mode so applications

can switch between modes.
2011-06-20 19:41:13 +00:00 · 2011-06-20 19:41:13 +00:00 · 3a5b97b7f1
commit 3a5b97b7f1
parent 45bf825066
6 changed files with 29 additions and 17 deletions
--- a/6
+++ b/6
@ -4,6 +4,12 @@

 Changes between 1.0.0e and 1.0.1  [xx XXX xxxx]

+  *) For FIPS capable OpenSSL interpret a NULL default public key method
+     as unset and return the appopriate default but do *not* set the default.
+     This means we can return the appopriate method in applications that
+     swicth between FIPS and non-FIPS modes.
+     [Steve Henson]
+
  *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
     ENGINE is used then we cannot handle that in the FIPS module so we
     keep original code iff non-FIPS operations are allowed.
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@ -83,10 +83,12 @@ const DH_METHOD *DH_get_default_method(void)
 		{
 #ifdef OPENSSL_FIPS
 		if (FIPS_mode())
-			default_DH_method = FIPS_dh_openssl();
+			return FIPS_dh_openssl();
 		else
+			return DH_OpenSSL();
+#else
+		default_DH_method = DH_OpenSSL();
 #endif
-			default_DH_method = DH_OpenSSL();
 		}
 	return default_DH_method;
 	}
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@ -89,10 +89,12 @@ const DSA_METHOD *DSA_get_default_method(void)
 		{
 #ifdef OPENSSL_FIPS
 		if (FIPS_mode())
-			default_DSA_method = FIPS_dsa_openssl();
+			return FIPS_dsa_openssl();
 		else
+			return DSA_OpenSSL();
+#else
+		default_DSA_method = DSA_OpenSSL();
 #endif
-			default_DSA_method = DSA_OpenSSL();
 		}
 	return default_DSA_method;
 	}
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@ -96,10 +96,12 @@ const ECDH_METHOD *ECDH_get_default_method(void)
 		{
 #ifdef OPENSSL_FIPS
 		if (FIPS_mode())
-			default_ECDH_method = FIPS_ecdh_openssl();
+			return FIPS_ecdh_openssl();
 		else
+			return ECDH_OpenSSL();
+#else
+		default_ECDH_method = ECDH_OpenSSL();
 #endif
-			default_ECDH_method = ECDH_OpenSSL();
 		}
 	return default_ECDH_method;
 	}
--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@ -83,10 +83,12 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
 		{
 #ifdef OPENSSL_FIPS
 		if (FIPS_mode())
-			default_ECDSA_method = FIPS_ecdsa_openssl();
+			return FIPS_ecdsa_openssl();
 		else
+			return ECDSA_OpenSSL();
+#else
+		default_ECDSA_method = ECDSA_OpenSSL();
 #endif
-			default_ECDSA_method = ECDSA_OpenSSL();
 		}
 	return default_ECDSA_method;
 }
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@ -91,18 +91,16 @@ const RSA_METHOD *RSA_get_default_method(void)
 	{
 	if (default_RSA_meth == NULL)
 		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			return FIPS_rsa_pkcs1_ssleay();
+		else
+			return RSA_PKCS1_SSLeay();
+#else
 #ifdef RSA_NULL
 		default_RSA_meth=RSA_null_method();
 #else
-#if 0 /* was: #ifdef RSAref */
-		default_RSA_meth=RSA_PKCS1_RSAref();
-#else
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			default_RSA_meth = FIPS_rsa_pkcs1_ssleay();
-		else
-#endif
-			default_RSA_meth=RSA_PKCS1_SSLeay();
+		default_RSA_meth=RSA_PKCS1_SSLeay();
 #endif
 #endif
 		}