FIPS mode support for openssl utility: doesn't work properly yet due
authorDr. Stephen Henson <steve@openssl.org>
Mon, 4 Apr 2011 17:16:28 +0000 (17:16 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 4 Apr 2011 17:16:28 +0000 (17:16 +0000)
to missing DRBG support in libcrypto.

apps/openssl.c

index dab057b..1c880d9 100644 (file)
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
 /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
  * base prototypes (we cast each variable inside the function to the required
@@ -310,6 +313,19 @@ int main(int Argc, char *ARGV[])
                CRYPTO_set_locking_callback(lock_dbg_cb);
                }
 
+       if(getenv("OPENSSL_FIPS")) {
+#ifdef OPENSSL_FIPS
+               if (!FIPS_mode_set(1)) {
+                       ERR_load_crypto_strings();
+                       ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                       EXIT(1);
+               }
+#else
+               fprintf(stderr, "FIPS mode not supported.\n");
+               EXIT(1);
+#endif
+               }
+
        apps_startup();
 
        /* Lets load up our environment a little */
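Review bot: In the `FIPS_mode_set(1)` failure branch, the result of `BIO_new_fp(stderr,BIO_NOCLOSE)` is passed straight to `ERR_print_errors()` without a NULL check, so an allocation failure there would lose the only diagnostic explaining why FIPS mode could not be entered, or crash while printing it. If `bio_err` is already initialised at this point in `main` (not visible in the hunk), `ERR_print_errors(bio_err);` avoids the extra BIO; otherwise `ERR_print_errors_fp(stderr);` does the same job without allocating. Separately, `getenv("OPENSSL_FIPS")` tests only for presence, so `OPENSSL_FIPS=0` or an empty value still turns FIPS mode on, and a process started with a scrubbed environment silently runs without it. A comment such as `/* Any value of OPENSSL_FIPS, even empty or "0", requests FIPS mode; unset means non-FIPS */` would make that contract explicit. `main` starts and ends outside the hunk.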