can switch between modes.
Changes between 1.0.0e and 1.0.1 [xx XXX xxxx]
+ *) For FIPS capable OpenSSL interpret a NULL default public key method
+ as unset and return the appopriate default but do *not* set the default.
+ This means we can return the appopriate method in applications that
+ swicth between FIPS and non-FIPS modes.
+ [Steve Henson]
+
*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
ENGINE is used then we cannot handle that in the FIPS module so we
keep original code iff non-FIPS operations are allowed.
{
#ifdef OPENSSL_FIPS
if (FIPS_mode())
- default_DH_method = FIPS_dh_openssl();
+ return FIPS_dh_openssl();
else
+ return DH_OpenSSL();
+#else
+ default_DH_method = DH_OpenSSL();
#endif
- default_DH_method = DH_OpenSSL();
}
return default_DH_method;
}
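Review bot: The `FIPS_mode()` test added here only runs while `default_DH_method` is unset; once it is non-NULL, the final `return default_DH_method;` hands it back without looking at the mode, so a method installed before a switch into FIPS mode is still returned afterwards. Whether a non-FIPS method is rejected later, at use time, is not visible in this hunk, so the behaviour deserves a comment above the `#ifdef OPENSSL_FIPS` line, e.g. `/* FIPS capable: not cached, so the default follows FIPS_mode(); an explicitly set method is returned as is */`. The same applies to the DSA, ECDH, ECDSA and RSA hunks below. The function's signature and the guarding `if` are outside the hunk.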
{
#ifdef OPENSSL_FIPS
if (FIPS_mode())
- default_DSA_method = FIPS_dsa_openssl();
+ return FIPS_dsa_openssl();
else
+ return DSA_OpenSSL();
+#else
+ default_DSA_method = DSA_OpenSSL();
#endif
- default_DSA_method = DSA_OpenSSL();
}
return default_DSA_method;
}
{
#ifdef OPENSSL_FIPS
if (FIPS_mode())
- default_ECDH_method = FIPS_ecdh_openssl();
+ return FIPS_ecdh_openssl();
else
+ return ECDH_OpenSSL();
+#else
+ default_ECDH_method = ECDH_OpenSSL();
#endif
- default_ECDH_method = ECDH_OpenSSL();
}
return default_ECDH_method;
}
{
#ifdef OPENSSL_FIPS
if (FIPS_mode())
- default_ECDSA_method = FIPS_ecdsa_openssl();
+ return FIPS_ecdsa_openssl();
else
+ return ECDSA_OpenSSL();
+#else
+ default_ECDSA_method = ECDSA_OpenSSL();
#endif
- default_ECDSA_method = ECDSA_OpenSSL();
}
return default_ECDSA_method;
}
{
if (default_RSA_meth == NULL)
{
-#ifdef RSA_NULL
- default_RSA_meth=RSA_null_method();
-#else
-#if 0 /* was: #ifdef RSAref */
- default_RSA_meth=RSA_PKCS1_RSAref();
-#else
#ifdef OPENSSL_FIPS
if (FIPS_mode())
- default_RSA_meth = FIPS_rsa_pkcs1_ssleay();
+ return FIPS_rsa_pkcs1_ssleay();
else
-#endif
- default_RSA_meth=RSA_PKCS1_SSLeay();
+ return RSA_PKCS1_SSLeay();
+#else
+#ifdef RSA_NULL
+ default_RSA_meth=RSA_null_method();
+#else
+ default_RSA_meth=RSA_PKCS1_SSLeay();
#endif
#endif
}
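Review bot: With the reordered preprocessor blocks, `RSA_NULL` is only honoured when `OPENSSL_FIPS` is not defined: a build that defines both now returns `RSA_PKCS1_SSLeay()` outside FIPS mode, where the removed lines selected `RSA_null_method()` first. If that combination is not meant to be supported, saying so would help, for instance `/* RSA_NULL has no effect in FIPS capable builds */` above `#ifdef OPENSSL_FIPS`; if it is, the `else` branch needs its own `#ifdef RSA_NULL`. The rest of the function is outside the hunk.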