Only call FIPS_update, FIPS_final in FIPS mode.

RT#3826

Reviewed-by: Tim Hudson <tjh@openssl.org>

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 5b642b23fc1c62a7e24718d075fdf23a959d56bc..ee4296e467a2e37b4e6b9fa0a92909139c3b8ff4 100644 (file)
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -253,10 +253,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
 #ifdef OPENSSL_FIPS
-    return FIPS_digestupdate(ctx, data, count);
-#else
-    return ctx->update(ctx, data, count);
+    if (FIPS_mode())
+        return FIPS_digestupdate(ctx, data, count);
 #endif
+    return ctx->update(ctx, data, count);
 }
 
 /* The caller can assume that this removes any secret data from the context */
@@ -271,10 +271,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 /* The caller can assume that this removes any secret data from the context */
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 {
-#ifdef OPENSSL_FIPS
-    return FIPS_digestfinal(ctx, md, size);
-#else
     int ret;
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        return FIPS_digestfinal(ctx, md, size);
+#endif
 
     OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
     ret = ctx->digest->final(ctx, md);
@@ -286,7 +287,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
     }
     memset(ctx->md_data, 0, ctx->digest->ctx_size);
     return ret;
-#endif
 }
 
 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)