From a8bb3d0e15001c5270120169bb32ada01a957b1d Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Mon, 17 May 2004 04:31:14 +0000
Subject: [PATCH] When in FIPS mode, use SHA1 to digest the key, rather than
 MD5, as MD5 isn't a FIPS-approved algorithm.

Note: this means the user needs to keep track of this, and we need to
add support for that...
---
 apps/enc.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/apps/enc.c b/apps/enc.c
index 30378a9542..bd1ecfc6ff 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -124,6 +124,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
+	const EVP_MD *dgst=NULL;
 
 	apps_startup();
 
@@ -296,6 +297,14 @@ bad:
         e = setup_engine(bio_err, engine, 0);
 #endif
 
+	if (dgst == NULL)
+		{
+		if (in_FIPS_mode)
+			dgst = EVP_sha1();
+		else
+			dgst = EVP_md5();
+		}
+
 	if (bufsize != NULL)
 		{
 		unsigned long n;
@@ -483,7 +492,7 @@ bad:
 				sptr = salt;
 			}
 
-			EVP_BytesToKey(cipher,EVP_md5(),sptr,
+			EVP_BytesToKey(cipher,dgst,sptr,
 				(unsigned char *)str,
 				strlen(str),1,key,iv);
 			/* zero the complete buffer or the string
-- 
2.25.1