crypto: Fix FIPS flags for digests

2 files changed, 29 insertions, 15 deletions

diff --git a/lib/crypto/c_src/digest.c b/lib/crypto/c_src/digest.c
index c987a664d5..0f887ab765 100644
--- a/lib/crypto/c_src/digest.c
+++ b/lib/crypto/c_src/digest.c
@@ -22,7 +22,7 @@
 
 static struct digest_type_t digest_types[] =
 {
-    {{"md4"},
+    {{"md4"}, NO_FIPS_DIGEST,
 #ifdef HAVE_MD4
      {&EVP_md4}
 #else
@@ -30,7 +30,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"md5"},
+    {{"md5"}, NO_FIPS_DIGEST,
 #ifdef HAVE_MD5
      {&EVP_md5}
 #else
@@ -38,7 +38,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"ripemd160"},
+    {{"ripemd160"}, NO_FIPS_DIGEST,
 #ifdef HAVE_RIPEMD160
      {&EVP_ripemd160}
 #else
@@ -46,9 +46,9 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha"}, {&EVP_sha1}},
+    {{"sha"}, 0, {&EVP_sha1}},
 
-    {{"sha224"},
+    {{"sha224"}, 0,
 #ifdef HAVE_SHA224
      {&EVP_sha224}
 #else
@@ -56,7 +56,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha256"},
+    {{"sha256"}, 0,
 #ifdef HAVE_SHA256
      {&EVP_sha256}
 #else
@@ -64,7 +64,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha384"},
+    {{"sha384"}, 0,
 #ifdef HAVE_SHA384
      {&EVP_sha384}
 #else
@@ -72,7 +72,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha512"},
+    {{"sha512"}, 0,
 #ifdef HAVE_SHA512
      {&EVP_sha512}
 #else
@@ -80,7 +80,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_224"},
+    {{"sha3_224"}, 0,
 #ifdef HAVE_SHA3_224
      {&EVP_sha3_224}
 #else
@@ -88,7 +88,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_256"},
+    {{"sha3_256"}, 0,
 #ifdef HAVE_SHA3_256
      {&EVP_sha3_256}
 #else
@@ -96,7 +96,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_384"},
+    {{"sha3_384"}, 0,
 #ifdef HAVE_SHA3_384
      {&EVP_sha3_384}
 #else
@@ -104,7 +104,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"sha3_512"},
+    {{"sha3_512"}, 0,
 #ifdef HAVE_SHA3_512
      {&EVP_sha3_512}
 #else
@@ -112,7 +112,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"blake2b"},
+    {{"blake2b"}, 0,
 #ifdef HAVE_BLAKE2
      {&EVP_blake2b512}
 #else
@@ -120,7 +120,7 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{"blake2s"},
+    {{"blake2s"}, 0,
 #ifdef HAVE_BLAKE2
      {&EVP_blake2s256}
 #else
@@ -128,7 +128,8 @@ static struct digest_type_t digest_types[] =
 #endif
     },
 
-    {{NULL}, {NULL}}
+    /*==== End of list ==== */
+    {{NULL}, 0, {NULL}}
 };
 
 void init_digest_types(ErlNifEnv* env)
diff --git a/lib/crypto/c_src/digest.h b/lib/crypto/c_src/digest.h
index 06852416cf..b1f8128a1f 100644
--- a/lib/crypto/c_src/digest.h
+++ b/lib/crypto/c_src/digest.h
@@ -28,12 +28,25 @@ struct digest_type_t {
 	const char*  str;        /* before init, NULL for end-of-table */
 	ERL_NIF_TERM atom;       /* after init, 'false' for end-of-table */
     }type;
+    unsigned flags;
     union {
 	const EVP_MD* (*funcp)(void);  /* before init, NULL if notsup */
 	const EVP_MD* p;               /* after init, NULL if notsup */
     }md;
 };
 
+/* masks in the flags field if digest_type_t */
+#define NO_FIPS_DIGEST 1
+
+#ifdef FIPS_SUPPORT
+/* May have FIPS support, must check dynamically if it is enabled */
+# define DIGEST_FORBIDDEN_IN_FIPS(P) (((P)->flags & NO_FIPS_DIGEST) && FIPS_mode())
+#else
+/* No FIPS support since the symbol FIPS_SUPPORT is undefined */
+# define DIGEST_FORBIDDEN_IN_FIPS(P) 0
+#endif
+
+
 void init_digest_types(ErlNifEnv* env);
 struct digest_type_t* get_digest_type(ERL_NIF_TERM type);