Don't set default public key methods in FIPS mode so applications
authorDr. Stephen Henson <steve@openssl.org>
Mon, 20 Jun 2011 19:41:13 +0000 (19:41 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 20 Jun 2011 19:41:13 +0000 (19:41 +0000)
can switch between modes.

CHANGES
crypto/dh/dh_lib.c
crypto/dsa/dsa_lib.c
crypto/ecdh/ech_lib.c
crypto/ecdsa/ecs_lib.c
crypto/rsa/rsa_lib.c

diff --git a/CHANGES b/CHANGES
index 7127003..cf52b0f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 1.0.0e and 1.0.1  [xx XXX xxxx]
 
+  *) For FIPS capable OpenSSL interpret a NULL default public key method
+     as unset and return the appopriate default but do *not* set the default.
+     This means we can return the appopriate method in applications that
+     swicth between FIPS and non-FIPS modes.
+     [Steve Henson]
+
   *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
      ENGINE is used then we cannot handle that in the FIPS module so we
      keep original code iff non-FIPS operations are allowed.
index edb4bb3..00218f2 100644 (file)
@@ -83,10 +83,12 @@ const DH_METHOD *DH_get_default_method(void)
                {
 #ifdef OPENSSL_FIPS
                if (FIPS_mode())
-                       default_DH_method = FIPS_dh_openssl();
+                       return FIPS_dh_openssl();
                else
+                       return DH_OpenSSL();
+#else
+               default_DH_method = DH_OpenSSL();
 #endif
-                       default_DH_method = DH_OpenSSL();
                }
        return default_DH_method;
        }
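Review bot: With the caching removed in the `#ifdef OPENSSL_FIPS` branch, the trailing `return default_DH_method;` is reached only when an application installed a method explicitly, and that explicit method is then returned without consulting FIPS_mode(); nothing in the hunk says so. A short comment at the top of the branch would make the new contract clear, e.g. `/* FIPS capable build: never cache the default so the method follows FIPS_mode() at call time; an explicitly set default is still returned as-is. */`. The `else` in front of the second `return` is redundant now that the `if` branch returns, and dropping it would also remove the odd-looking `else` immediately followed by `#else`. The same points apply to the DSA_get_default_method, ECDH_get_default_method and ECDSA_get_default_method hunks below. Callers that store the returned pointer at object creation presumably keep that method even if the mode is switched later; if that is the intended behaviour it is worth stating in the same comment.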
index f796090..e416ef3 100644 (file)
@@ -89,10 +89,12 @@ const DSA_METHOD *DSA_get_default_method(void)
                {
 #ifdef OPENSSL_FIPS
                if (FIPS_mode())
-                       default_DSA_method = FIPS_dsa_openssl();
+                       return FIPS_dsa_openssl();
                else
+                       return DSA_OpenSSL();
+#else
+               default_DSA_method = DSA_OpenSSL();
 #endif
-                       default_DSA_method = DSA_OpenSSL();
                }
        return default_DSA_method;
        }
index 568392b..dadbfd3 100644 (file)
@@ -96,10 +96,12 @@ const ECDH_METHOD *ECDH_get_default_method(void)
                {
 #ifdef OPENSSL_FIPS
                if (FIPS_mode())
-                       default_ECDH_method = FIPS_ecdh_openssl();
+                       return FIPS_ecdh_openssl();
                else
+                       return ECDH_OpenSSL();
+#else
+               default_ECDH_method = ECDH_OpenSSL();
 #endif
-                       default_ECDH_method = ECDH_OpenSSL();
                }
        return default_ECDH_method;
        }
index 65aca01..e477da4 100644 (file)
@@ -83,10 +83,12 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
                {
 #ifdef OPENSSL_FIPS
                if (FIPS_mode())
-                       default_ECDSA_method = FIPS_ecdsa_openssl();
+                       return FIPS_ecdsa_openssl();
                else
+                       return ECDSA_OpenSSL();
+#else
+               default_ECDSA_method = ECDSA_OpenSSL();
 #endif
-                       default_ECDSA_method = ECDSA_OpenSSL();
                }
        return default_ECDSA_method;
 }
index e844395..c95ceaf 100644 (file)
@@ -91,18 +91,16 @@ const RSA_METHOD *RSA_get_default_method(void)
        {
        if (default_RSA_meth == NULL)
                {
-#ifdef RSA_NULL
-               default_RSA_meth=RSA_null_method();
-#else
-#if 0 /* was: #ifdef RSAref */
-               default_RSA_meth=RSA_PKCS1_RSAref();
-#else
 #ifdef OPENSSL_FIPS
                if (FIPS_mode())
-                       default_RSA_meth = FIPS_rsa_pkcs1_ssleay();
+                       return FIPS_rsa_pkcs1_ssleay();
                else
-#endif
-                       default_RSA_meth=RSA_PKCS1_SSLeay();
+                       return RSA_PKCS1_SSLeay();
+#else
+#ifdef RSA_NULL
+               default_RSA_meth=RSA_null_method();
+#else
+               default_RSA_meth=RSA_PKCS1_SSLeay();
 #endif
 #endif
                }
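Review bot: The reordered preprocessor blocks change the meaning of RSA_NULL: on the new side `#ifdef RSA_NULL` sits inside the `#else` of `#ifdef OPENSSL_FIPS`, so a FIPS-capable build with RSA_NULL defined now returns FIPS_rsa_pkcs1_ssleay() or RSA_PKCS1_SSLeay() where the old code returned RSA_null_method() unconditionally. That may be deliberate (the dead `#if 0 /* was: #ifdef RSAref */` branch is dropped at the same time), but neither the commit message nor the CHANGES entry mentions it. Either document it with a comment above `#ifdef OPENSSL_FIPS`, e.g. `/* RSA_NULL is ignored in FIPS capable builds: the method always follows FIPS_mode() */`, or move the `#ifdef RSA_NULL` test back outside the OPENSSL_FIPS block if the old precedence was intended. The `else` before `return RSA_PKCS1_SSLeay();` is redundant once the `if` branch returns. RSA_get_default_method continues past the end of the hunk.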