add fips blocking overrides to command line utilities
authorDr. Stephen Henson <steve@openssl.org>
Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 10 Feb 2012 16:47:40 +0000 (16:47 +0000)
apps/dgst.c
apps/enc.c

index 8a5609f326903f8fcef86914f2f6e458f625eb52..d471dbdabda49e244f5ad13be5a059731fb46b44 100644 (file)
@@ -128,6 +128,7 @@ int MAIN(int argc, char **argv)
 #endif
        char *hmac_key=NULL;
        char *mac_name=NULL;
+       int non_fips_allow = 0;
        STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
 
        apps_startup();
@@ -220,6 +221,8 @@ int MAIN(int argc, char **argv)
                        debug=1;
                else if (!strcmp(*argv,"-fips-fingerprint"))
                        hmac_key = "etaonrishdlcupfm";
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow=1;
                else if (!strcmp(*argv,"-hmac"))
                        {
                        if (--argc < 1)
@@ -405,6 +408,13 @@ int MAIN(int argc, char **argv)
                        goto end;
                }
 
+       if (non_fips_allow)
+               {
+               EVP_MD_CTX *md_ctx;
+               BIO_get_md_ctx(bmd,&md_ctx);
+               EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+               }
+
        if (hmac_key)
                {
                sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
index 8c5527783b22550e6648065d4a7645fbef1a03ea..aef8978a9a52c0883530cf4c07711bd13ff420e5 100644 (file)
@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
        char *engine = NULL;
 #endif
        const EVP_MD *dgst=NULL;
+       int non_fips_allow = 0;
 
        apps_startup();
 
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        md= *(++argv);
                        }
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow = 1;
                else if ((argv[0][0] == '-') &&
                        ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
                        {
@@ -593,6 +596,11 @@ bad:
                 */
 
                BIO_get_cipher_ctx(benc, &ctx);
+
+               if (non_fips_allow)
+                       EVP_CIPHER_CTX_set_flags(ctx,
+                               EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
                if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
                        {
                        BIO_printf(bio_err, "Error setting cipher %s\n",