1 files changed, 45 insertions, 0 deletions
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 0623ddf1f0..f21c63842c 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
        return EVP_DigestInit_ex(ctx, type, NULL);
        }
+#ifdef OPENSSL_FIPS
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+static int bad_init(EVP_MD_CTX *ctx)
+        { FIPS_ERROR_IGNORED("Digest init"); return 0;}
+static int bad_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { FIPS_ERROR_IGNORED("Digest update"); return 0;}
+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
+        { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
+static const EVP_MD bad_md =
+        {
+        0,
+        0,
+        0,
+        0,
+        bad_init,
+        bad_update,
+        bad_final,
+        NULL,
+        NULL,
+        NULL,
+        0,
+        {0,0,0,0},
+        };
+#endif
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
        {
        EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
@@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 #endif
        if (ctx->digest != type)
                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        {
+                        if (!(type->flags & EVP_MD_FLAG_FIPS) 
+                         && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+                                {
+                                EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
+                                ctx->digest = &bad_md;
+                                return 0;
+                                }
+                        }
+#endif
                if (ctx->digest && ctx->digest->ctx_size)
                        OPENSSL_free(ctx->md_data);
                ctx->digest=type;

diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c index 0623ddf1f0..f21c63842c 100644 --- a/src/lib/libcrypto/evp/digest.c +++ b/src/lib/libcrypto/evp/digest.c
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX ctx, const EVP_MD type)
137	return EVP_DigestInit_ex(ctx, type, NULL);	137	return EVP_DigestInit_ex(ctx, type, NULL);
138	}	138	}
139		139
		140	#ifdef OPENSSL_FIPS
		141
		142	/* The purpose of these is to trap programs that attempt to use non FIPS
		143	* algorithms in FIPS mode and ignore the errors.
		144	*/
		145
		146	static int bad_init(EVP_MD_CTX *ctx)
		147	{ FIPS_ERROR_IGNORED("Digest init"); return 0;}
		148
		149	static int bad_update(EVP_MD_CTX ctx,const void data,unsigned long count)
		150	{ FIPS_ERROR_IGNORED("Digest update"); return 0;}
		151
		152	static int bad_final(EVP_MD_CTX ctx,unsigned char md)
		153	{ FIPS_ERROR_IGNORED("Digest Final"); return 0;}
		154
		155	static const EVP_MD bad_md =
		156	{
		157	0,
		158	0,
		159	0,
		160	0,
		161	bad_init,
		162	bad_update,
		163	bad_final,
		164	NULL,
		165	NULL,
		166	NULL,
		167	0,
		168	{0,0,0,0},
		169	};
		170
		171	#endif
		172
140	int EVP_DigestInit_ex(EVP_MD_CTX ctx, const EVP_MD type, ENGINE *impl)	173	int EVP_DigestInit_ex(EVP_MD_CTX ctx, const EVP_MD type, ENGINE *impl)
141	{	174	{
142	EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);	175	EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
@@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX ctx, const EVP_MD type, ENGINE *impl)
195	#endif	228	#endif
196	if (ctx->digest != type)	229	if (ctx->digest != type)
197	{	230	{
		231	#ifdef OPENSSL_FIPS
		232	if (FIPS_mode())
		233	{
		234	if (!(type->flags & EVP_MD_FLAG_FIPS)
		235	&& !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
		236	{
		237	EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
		238	ctx->digest = &bad_md;
		239	return 0;
		240	}
		241	}
		242	#endif
198	if (ctx->digest && ctx->digest->ctx_size)	243	if (ctx->digest && ctx->digest->ctx_size)
199	OPENSSL_free(ctx->md_data);	244	OPENSSL_free(ctx->md_data);
200	ctx->digest=type;	245	ctx->digest=type;