X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssltest.c;h=b09c542087ba9afe42cdc9ff5c0c09aa25731544;hb=4e319926d7cb80313d37105b5545fcce28fdddc1;hp=137b68b857351fa16cf55030c1daf3ad2599a726;hpb=45803988ce19ce0e7633d049a38e828828b027a7;p=oweals%2Fopenssl.git
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 137b68b857..b09c542087 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -229,6 +229,9 @@ static void sv_usage(void)
 {
 fprintf(stderr,"usage: ssltest [args ...]\n");
 fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
 fprintf(stderr," -server_auth - check server certificate\n");
 fprintf(stderr," -client_auth - do client authentication\n");
 fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -410,7 +413,7 @@ int main(int argc, char *argv[])
 long bytes=256L;
 #ifndef OPENSSL_NO_DH
 DH *dh;
- int dhe1024 = 0, dhe1024dsa = 0;
+ int dhe1024 = 1, dhe1024dsa = 0;
 #endif
 #ifndef OPENSSL_NO_ECDH
 EC_KEY *ecdh = NULL;
@@ -425,6 +428,9 @@ int main(int argc, char *argv[])
 #endif
 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
 int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
 verbose = 0;
 debug = 0;
@@ -456,7 +462,16 @@ int main(int argc, char *argv[])
 while (argc >= 1)
 {
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
 server_auth=1;
 else if (strcmp(*argv,"-client_auth") == 0)
 client_auth=1;
@@ -638,6 +653,20 @@ bad:
 EXIT(1);
 }
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
 if (print_time)
 {
 if (!bio_pair)
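Review bot: In the `@@ -410,7 +413,7 @@` hunk of main, the initialiser change to `dhe1024 = 1` has no comment saying why the default DH parameters changed. If the `-dhe1024` option, which is parsed outside this hunk, only sets the same variable to 1, it is now a no-op and the smaller parameter set can no longer be selected, which would also leave the usage text stale. I would add a line above the declaration such as `/* 1024-bit DH parameters are now the default; record here why the smaller set was dropped */` and check the option and its usage line against the new default.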
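Review bot: In the `#else` branch of the new `-F` handling (hunk `@@ -456,7 +462,16 @@`), `EXIT(0)` makes a build without FIPS support report success although no handshake ran, so a harness that looks only at the exit status cannot tell a skipped FIPS run from a passing one. If the skip is deliberate, say so in the code, e.g. `/* deliberate: non-FIPS builds skip the -F run instead of failing it */`, and make the message greppable, e.g. `"ssltest: -F skipped, not compiled with FIPS support\n"`, which also fixes the "exitting" spelling. As a smaller style point, `if(!strcmp(*argv,"-F"))` departs from the `strcmp(...) == 0` form used by every other option in this chain. The option loop starts and continues outside the hunk.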
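Review bot: On the failure path of `FIPS_mode_set(1)` in the `@@ -638,6 +653,20 @@` hunk, the result of `BIO_new_fp(stderr,BIO_NOCLOSE)` is handed straight to `ERR_print_errors()` without a NULL check and is never freed, so if the BIO cannot be allocated the reason FIPS mode was refused is lost. `ERR_print_errors_fp(stderr);` prints the same error queue without a temporary BIO. Failing closed with `EXIT(1)` is the right outcome here; a short comment such as `/* never fall back to non-FIPS operation when -F was requested */` would record that intent. main continues outside the hunk.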
@@ -2059,20 +2088,12 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
 }
 #ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-# endif
 ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-# endif
 #endif
 if (cb_arg->proxy_auth)
 {
- if (ok)
+ if (ok > 0)
 {
 const char *cond_end = NULL;
@@ -2234,6 +2255,7 @@ static DH *get_dh1024dsa()
 dh->length = 160;
 return(dh);
 }
+#endif
 static int do_test_cipherlist(void)
 {
@@ -2291,4 +2313,3 @@ static int do_test_cipherlist(void)
 return 1;
 }
-#endif
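Review bot: The new `if (ok > 0)` in app_verify_callback guards only the proxy-auth branch, so a negative result from `X509_verify_cert()` (an internal error, not a plain verification failure) stays in `ok` for the rest of the function, which lies outside this hunk. If the callback ends by returning `ok` unchanged, any caller that tests the result with `!ok` would read a negative value as success. I would document the contract above the call, `/* X509_verify_cert(): 1 = verified, 0 = failed, <0 = error; only >0 is success */`, and, unless every caller already checks `<= 0`, normalise right after it with `if (ok < 0) ok = 0;`.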