add fips hmac option and fips blocking overrides to command line utilities

author Dr. Stephen Henson <steve@openssl.org>

Fri, 10 Feb 2012 16:46:19 +0000 (16:46 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Fri, 10 Feb 2012 16:46:19 +0000 (16:46 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Fri, 10 Feb 2012 16:46:19 +0000 (16:46 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 10 Feb 2012 16:46:19 +0000 (16:46 +0000)
diff --git a/apps/dgst.c b/apps/dgst.c

index 9bf38ce73b7ee9110fee01ea264febb7fbf2104e..b08e9a7c786f3059ff5fee8d9b123fcc4a340ebc 100644 (file)
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
  #endif
         char *hmac_key=NULL;
         char *mac_name=NULL;
+       int non_fips_allow = 0;
         STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
  
         apps_startup();
@@ -215,6 +216,10 @@ int MAIN(int argc, char **argv)
                         out_bin = 1;
                 else if (strcmp(*argv,"-d") == 0)
                         debug=1;
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow=1;
+               else if (!strcmp(*argv,"-fips-fingerprint"))
+                       hmac_key = "etaonrishdlcupfm";
                 else if (!strcmp(*argv,"-hmac"))
                         {
                         if (--argc < 1)
@@ -395,6 +400,13 @@ int MAIN(int argc, char **argv)
                         goto end;
                 }
  
+       if (non_fips_allow)
+               {
+               EVP_MD_CTX *md_ctx;
+               BIO_get_md_ctx(bmd,&md_ctx);
+               EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+               }
+
         if (hmac_key)
                 {
                 sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
diff --git a/apps/enc.c b/apps/enc.c

index 076225c4cb560ca8dd81160f54546a9562a713e5..719acc3250530d99b39e9bf66800237643466b73 100644 (file)
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
         char *engine = NULL;
  #endif
         const EVP_MD *dgst=NULL;
+       int non_fips_allow = 0;
  
         apps_startup();
  
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         md= *(++argv);
                         }
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow = 1;
                 else if ((argv[0][0] == '-') &&
                         ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
                         {
@@ -589,6 +592,11 @@ bad:
                  */
  
                 BIO_get_cipher_ctx(benc, &ctx);
+
+               if (non_fips_allow)
+                       EVP_CIPHER_CTX_set_flags(ctx,
+                               EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
                 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
                         {
                         BIO_printf(bio_err, "Error setting cipher %s\n",
author	Dr. Stephen Henson <steve@openssl.org>
	Fri, 10 Feb 2012 16:46:19 +0000 (16:46 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Fri, 10 Feb 2012 16:46:19 +0000 (16:46 +0000)
apps/dgst.c		patch \| blob \| history
apps/enc.c		patch \| blob \| history