add fips blocking overrides to command line utilities

author Dr. Stephen Henson <steve@openssl.org>

Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
diff --git a/apps/dgst.c b/apps/dgst.c

index 8a5609f326903f8fcef86914f2f6e458f625eb52..d471dbdabda49e244f5ad13be5a059731fb46b44 100644 (file)
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -128,6 +128,7 @@ int MAIN(int argc, char **argv)
  #endif
         char *hmac_key=NULL;
         char *mac_name=NULL;
+       int non_fips_allow = 0;
         STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
  
         apps_startup();
@@ -220,6 +221,8 @@ int MAIN(int argc, char **argv)
                         debug=1;
                 else if (!strcmp(*argv,"-fips-fingerprint"))
                         hmac_key = "etaonrishdlcupfm";
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow=1;
                 else if (!strcmp(*argv,"-hmac"))
                         {
                         if (--argc < 1)
@@ -405,6 +408,13 @@ int MAIN(int argc, char **argv)
                         goto end;
                 }
  
+       if (non_fips_allow)
+               {
+               EVP_MD_CTX *md_ctx;
+               BIO_get_md_ctx(bmd,&md_ctx);
+               EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+               }
+
         if (hmac_key)
                 {
                 sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
diff --git a/apps/enc.c b/apps/enc.c

index 8c5527783b22550e6648065d4a7645fbef1a03ea..aef8978a9a52c0883530cf4c07711bd13ff420e5 100644 (file)
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
         char *engine = NULL;
  #endif
         const EVP_MD *dgst=NULL;
+       int non_fips_allow = 0;
  
         apps_startup();
  
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         md= *(++argv);
                         }
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow = 1;
                 else if ((argv[0][0] == '-') &&
                         ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
                         {
@@ -593,6 +596,11 @@ bad:
                  */
  
                 BIO_get_cipher_ctx(benc, &ctx);
+
+               if (non_fips_allow)
+                       EVP_CIPHER_CTX_set_flags(ctx,
+                               EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
                 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
                         {
                         BIO_printf(bio_err, "Error setting cipher %s\n",
author	Dr. Stephen Henson <steve@openssl.org>
	Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
apps/dgst.c		patch \| blob \| history
apps/enc.c		patch \| blob \| history