authorJakub Jelen <jjelen@redhat.com>2019-03-21 17:04:46 +0100
committerAndreas Schneider <asn@cryptomilk.org>2019-04-29 13:18:09 +0200
commite4465073527b12b8efef338b212b78e3434959ee (patch)
tree87d9a32072aa4fedec43f133c4b21bbac7b81610
parent67beaf363fc16be235edf9cbf2f580f7906ef99c (diff)
Provide a function to query crypto backend for FIPS status
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--include/libssh/libcrypto.h4
-rw-r--r--include/libssh/libgcrypt.h2
-rw-r--r--include/libssh/libmbedcrypto.h2
3 files changed, 8 insertions, 0 deletions
diff --git a/include/libssh/libcrypto.h b/include/libssh/libcrypto.h
index 8db7d751..27cb6ad9 100644
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -31,6 +31,7 @@
#include <openssl/md5.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
+#include <openssl/crypto.h>
typedef EVP_MD_CTX* SHACTX;
typedef EVP_MD_CTX* SHA256CTX;
@@ -102,6 +103,9 @@ typedef BN_CTX* bignum_CTX;
#define bignum_cmp(num1,num2) BN_cmp(num1,num2)
#define bignum_rshift1(dest, src) BN_rshift1(dest, src)
+/* Returns true if the OpenSSL is operating in FIPS mode */
+#define ssh_fips_mode() (FIPS_mode() != 0)
+
#endif /* HAVE_LIBCRYPTO */
#endif /* LIBCRYPTO_H_ */
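Review bot: The `ssh_fips_mode()` macro added just before `#endif /* HAVE_LIBCRYPTO */` calls `FIPS_mode()` unconditionally, and that function was removed in OpenSSL 3.0, so any file that expands the macro fails to build against newer OpenSSL. Guard the definition with an `OPENSSL_VERSION_NUMBER` check and use `#define ssh_fips_mode() (EVP_default_properties_is_fips_enabled(NULL) != 0)` on 3.0 and later; `<openssl/evp.h>` is already included above. The comment could also say that the value is read at call time, e.g. `/* Returns true if OpenSSL is operating in FIPS mode at the time of the call */`, since callers presumably use it to decide which algorithms to offer.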
diff --git a/include/libssh/libgcrypt.h b/include/libssh/libgcrypt.h
index 707fd27a..4d98ece3 100644
--- a/include/libssh/libgcrypt.h
+++ b/include/libssh/libgcrypt.h
@@ -102,6 +102,8 @@ ssh_string ssh_sexp_extract_mpi(const gcry_sexp_t sexp,
enum gcry_mpi_format informat,
enum gcry_mpi_format outformat);
+#define ssh_fips_mode() false
+
#endif /* HAVE_LIBGCRYPT */
#endif /* LIBGCRYPT_H_ */
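Review bot: Hard-coding `#define ssh_fips_mode() false` in libgcrypt.h reports a libgcrypt that is itself running in FIPS mode as non-FIPS, so a caller that uses this query to restrict algorithms would silently skip the restriction on this backend. libgcrypt exposes that state, so `#define ssh_fips_mode() (gcry_fips_mode_active() != 0)` would keep the answer truthful. The same constant in the libmbedcrypto.h hunk has no comment, unlike the libcrypto.h definition; a line such as `/* This backend has no FIPS mode; always reports false */` above it would record the intent. Both `false` definitions also depend on `<stdbool.h>` being included wherever the macro is expanded, which is not visible in these hunks.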
diff --git a/include/libssh/libmbedcrypto.h b/include/libssh/libmbedcrypto.h
index c98a50cf..c2afddf5 100644
--- a/include/libssh/libmbedcrypto.h
+++ b/include/libssh/libmbedcrypto.h
@@ -126,5 +126,7 @@ int ssh_mbedtls_random(void *where, int len, int strong);
ssh_string make_ecpoint_string(const mbedtls_ecp_group *g, const
mbedtls_ecp_point *p);
+#define ssh_fips_mode() false
+
#endif /* HAVE_LIBMBEDCRYPTO */
#endif /* LIBMBEDCRYPTO_H_ */