Index: openssl-1.0.1h/crypto/evp/digest.c
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/digest.c
+++ openssl-1.0.1h/crypto/evp/digest.c
@@ -223,6 +223,22 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
ENGINE_finish(impl);
return 0;
}
+#ifdef OPENSSL_FIPS
+ /* If we have an engine, only use it if its FIPS certified, or
+ * non-FIPS stuff is allowed. */
+ if (FIPS_mode()) {
+ if ((d->flags & EVP_MD_FLAG_FIPS)
+ || (ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+ {
+ type = d;
+ }
+ else
+ {
+ ENGINE_finish(impl);
+ }
+ } else
+#endif
+ {
/* We'll use the ENGINE's private digest definition */
type = d;
/* Store the ENGINE functional reference so we know
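Review bot: The FIPS-accept branch sets `type = d` but never records `impl` on the context, so the functional reference obtained from ENGINE_init()/ENGINE_get_digest_engine() earlier in the function is never released by the later EVP_MD_CTX_cleanup() — a leak on every FIPS-mode init that goes through an engine — while the reject branch calls ENGINE_finish(impl) without clearing `ctx->engine`. EVP_DigestInit_ex starts outside this hunk; if the previous engine reference is finished but not NULLed there, as in the upstream 1.0.1 code, both FIPS branches leave a stale `ctx->engine` that is finished a second time on cleanup. The accept branch should mirror the non-FIPS path with `ctx->engine = impl;` and the reject branch should add `ctx->engine = NULL;` directly after `ENGINE_finish(impl);`. Note also that EVP_MD_FLAG_FIPS is asserted by the engine itself, so this check enforces the engine's claim rather than validating it; a comment saying so would help, e.g. `/* Engine-declared FIPS flag; trusted, not verified */`.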
@@ -230,6 +246,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
* it when done. */
ctx->engine = impl;
}
+ }
else
ctx->engine = NULL;
}
Index: openssl-1.0.1h/crypto/rsa/rsa_lib.c
===================================================================
--- openssl-1.0.1h.orig/crypto/rsa/rsa_lib.c
+++ openssl-1.0.1h/crypto/rsa/rsa_lib.c
@@ -142,6 +142,7 @@ int RSA_set_method(RSA *rsa, const RSA_M
RSA *RSA_new_method(ENGINE *engine)
{
RSA *ret;
+ RSA_METHOD *meth;
ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
if (ret == NULL)
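Review bot: `RSA_METHOD *meth;` discards the const qualifier that ENGINE_get_RSA() returns in 1.0.1 (`const RSA_METHOD *`), which the compiler will flag at the assignment in the following hunk, and nothing here needs a writable method table since `ret->meth` is itself const-qualified. Declare it as `const RSA_METHOD *meth;`. The declaration is left uninitialized, which is fine only because the sole read is guarded by the `ENGINE_get_RSA` assignment later in the function (outside this hunk).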
@@ -166,8 +167,8 @@ RSA *RSA_new_method(ENGINE *engine)
ret->engine = ENGINE_get_default_RSA();
if(ret->engine)
{
- ret->meth = ENGINE_get_RSA(ret->engine);
- if(!ret->meth)
+ meth = ENGINE_get_RSA(ret->engine);
+ if(!meth)
{
RSAerr(RSA_F_RSA_NEW_METHOD,
ERR_R_ENGINE_LIB);
@@ -175,6 +176,17 @@ RSA *RSA_new_method(ENGINE *engine)
OPENSSL_free(ret);
return NULL;
}
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode() || (meth->flags & RSA_FLAG_FIPS_METHOD))
+ {
+ ret->meth = meth;
+ }
+ else
+ {
+ ENGINE_finish(ret->engine);
+ ret->engine = NULL;
+ }
+#endif
}
#endif
#ifdef OPENSSL_FIPS
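Review bot: In a build without OPENSSL_FIPS the engine's RSA method is never installed: the previous hunk replaced `ret->meth = ENGINE_get_RSA(ret->engine)` with an assignment into `meth`, and the only `ret->meth = meth;` now sits inside `#ifdef OPENSSL_FIPS`, so non-FIPS builds keep the default method (set before this hunk) while still holding the engine reference in `ret->engine`. Only the rejection should be FIPS-specific; the assignment belongs outside the conditional, as below. The reject branch also silently falls back to the default method without queueing an error, so a caller that asked for this engine cannot tell its method was discarded — consider reporting it via RSAerr or at least documenting the fallback in a comment. As with the digest change, RSA_FLAG_FIPS_METHOD is self-declared by the engine, not verified here.
```c
			/* … unchanged: NULL check on meth, RSAerr, ENGINE_finish, OPENSSL_free, return NULL … */
#ifdef OPENSSL_FIPS
			/* In FIPS mode only an engine method that declares itself
			 * FIPS-validated may be used; otherwise release the engine
			 * and keep the default method already in ret->meth. */
			if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
				{
				ENGINE_finish(ret->engine);
				ret->engine = NULL;
				}
			else
#endif
				ret->meth = meth;
```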