openssl.c: Avoid OpenSSL latent error in FIPS mode (#528)

File: openssl.c Notes: Avoid initing MD5 digest, which is not permitted in OpenSSL FIPS certified cryptography mode. Credit: Marc
2025-11-20 02:42:09 +03:00 · 2021-05-03 22:49:02 +01:00
parent 35695772d0
commit b853d7a86e
1 changed files with 7 additions and 0 deletions
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -2221,6 +2221,13 @@ _libssh2_sha512(const unsigned char *message, unsigned long len,
 int
 _libssh2_md5_init(libssh2_md5_ctx *ctx)
 {
+    /* MD5 digest is not supported in OpenSSL FIPS mode
+     * Trying to init it will result in a latent OpenSSL error:
+     * "digital envelope routines:FIPS_DIGESTINIT:disabled for fips"
+     * So, just return 0 in FIPS mode
+     */
+     if(FIPS_mode() != 0)
+         return 0;
 #ifdef HAVE_OPAQUE_STRUCTS
    *ctx = EVP_MD_CTX_new();