author | Richard Levitte <levitte@openssl.org> | 2019-10-10 18:49:28 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2019-10-11 09:52:31 +0200 |
commit | 47b4ccea9cb9b924d058fd5a8583f073b7a41656 (patch) | |
tree | d6d85ac59b1e3eaa93addfba5d7bbecd0d551b44 /ssl/s3_enc.c | |
parent | Fix unused goto label gcc warning (diff) | |
Stop using EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
This is a flag that has lost its relevance. The new mechanism to do
the same thing is to fetch the needed digest explicitly with "-fips"
as property query, i.e. we remove any requirement for that property to
be set when fetching, even if the default property query string
requires its presence.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10138)
Diffstat (limited to 'ssl/s3_enc.c')
-rw-r--r-- | ssl/s3_enc.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 0b2eb669b0..ea0fb750f1 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -17,6 +17,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) { + EVP_MD *md5; EVP_MD_CTX *m5; EVP_MD_CTX *s1; unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; @@ -28,14 +29,14 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) c = os_toascii[c]; /* 'A' in ASCII */ #endif k = 0; + md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips"); m5 = EVP_MD_CTX_new(); s1 = EVP_MD_CTX_new(); - if (m5 == NULL || s1 == NULL) { + if (md5 == NULL || m5 == NULL || s1 == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; } - EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { k++; if (k > sizeof(buf)) { @@ -55,7 +56,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE) || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE) || !EVP_DigestFinal_ex(s1, smd, NULL) - || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) + || !EVP_DigestInit_ex(m5, md5, NULL) || !EVP_DigestUpdate(m5, s->session->master_key, s->session->master_key_length) || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { @@ -85,6 +86,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) err: EVP_MD_CTX_free(m5); EVP_MD_CTX_free(s1); + EVP_MD_free(md5); return ret; } |
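Review bot: `EVP_MD *md5;` in the first hunk is declared without an initialiser, although the `err:` label in the last hunk now passes it to `EVP_MD_free()`. Nothing visible jumps to `err` before the fetch, but the lines between the first two hunks are not shown; `EVP_MD *md5 = NULL;` would keep the cleanup path safe whatever early exits exist or are added later. The function body continues outside this hunk.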
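Review bot: In the second hunk a failed `EVP_MD_fetch()` shares one check with the two `EVP_MD_CTX_new()` calls and is raised as `ERR_R_MALLOC_FAILURE`, so a setup where no loaded provider offers MD5 would presumably be logged as an out-of-memory condition. Testing `md5 == NULL` on its own with a different reason (for instance `ERR_R_EVP_LIB`) would keep the two causes apart for whoever triages the failure. That test should stay after both `EVP_MD_CTX_new()` calls, because `m5` and `s1` have no initialiser in the visible declarations and `err:` frees them. The `"-fips"` string is also the only remaining sign that a non-approved digest is deliberately permitted here, now that the flag named `NON_FIPS_ALLOW` is gone. A comment above the fetch such as `/* SSLv3 key block derivation needs MD5 even when the default properties require fips */` would keep that decision visible to auditors.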