Update openssl to 1.0.2d

Also update Cryptlib to edk2 r17731

Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>

1 files changed, 14 insertions, 2 deletions

diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_lib.c b/Cryptlib/OpenSSL/crypto/dh/dh_lib.c
index 0b8a5a0a..bebc160e 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_lib.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_lib.c
@@ -64,6 +64,10 @@
 # include <openssl/engine.h>
 #endif
 
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
 const char DH_version[] = "Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;
@@ -75,8 +79,16 @@ void DH_set_default_method(const DH_METHOD *meth)
 
 const DH_METHOD *DH_get_default_method(void)
 {
-    if (!default_DH_method)
+    if (!default_DH_method) {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+            return FIPS_dh_openssl();
+        else
+            return DH_OpenSSL();
+#else
         default_DH_method = DH_OpenSSL();
+#endif
+    }
     return default_DH_method;
 }
 
@@ -153,7 +165,7 @@ DH *DH_new_method(ENGINE *engine)
     ret->counter = NULL;
     ret->method_mont_p = NULL;
     ret->references = 1;
-    ret->flags = ret->meth->flags;
+    ret->flags = ret->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW;
     CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
 #ifndef OPENSSL_NO_ENGINE