From 7951c2699f1b78d5480b9f41a71233fcaf98d18f Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 10 Feb 2012 16:47:40 +0000
Subject: [PATCH] add fips blocking overrides to command line utilities
---
 apps/dgst.c | 10 ++++++++++
 apps/enc.c | 8 ++++++++
 2 files changed, 18 insertions(+)
diff --git a/apps/dgst.c b/apps/dgst.c
index 8a5609f326..d471dbdabd 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -128,6 +128,7 @@ int MAIN(int argc, char **argv)
 #endif
 char *hmac_key=NULL;
 char *mac_name=NULL;
+ int non_fips_allow = 0;
 STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
 apps_startup();
@@ -220,6 +221,8 @@ int MAIN(int argc, char **argv)
 debug=1;
 else if (!strcmp(*argv,"-fips-fingerprint"))
 hmac_key = "etaonrishdlcupfm";
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow=1;
 else if (!strcmp(*argv,"-hmac"))
 {
 if (--argc < 1)
@@ -405,6 +408,13 @@ int MAIN(int argc, char **argv)
 goto end;
 }
+ if (non_fips_allow)
+ {
+ EVP_MD_CTX *md_ctx;
+ BIO_get_md_ctx(bmd,&md_ctx);
+ EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
+
 if (hmac_key)
 {
 sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
diff --git a/apps/enc.c b/apps/enc.c
index 8c5527783b..aef8978a9a 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
 char *engine = NULL;
 #endif
 const EVP_MD *dgst=NULL;
+ int non_fips_allow = 0;
 apps_startup();
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
 if (--argc < 1) goto bad;
 md= *(++argv);
 }
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow = 1;
 else if ((argv[0][0] == '-') && ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
 {
@@ -593,6 +596,11 @@ bad:
 */
 BIO_get_cipher_ctx(benc, &ctx);
+
+ if (non_fips_allow)
+ EVP_CIPHER_CTX_set_flags(ctx,
+ EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
 {
 BIO_printf(bio_err, "Error setting cipher %s\n",
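Review bot: The `-non-fips-allow` branch added to option parsing in apps/dgst.c (hunk at -220) has no matching usage text: the diffstat's 18 insertions are all accounted for by the hunks shown, so neither utility's help output mentions the flag. Because the switch relaxes FIPS blocking, it should be discoverable and described, for example with a line such as `BIO_printf(bio_err,"-non-fips-allow   allow use of non FIPS digest\n");` in dgst's usage block. The same applies to the parsing hunk at -281 in apps/enc.c. The usage blocks are outside these hunks, so the exact wording and column layout need to be matched against the existing entries.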
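Review bot: In the apps/dgst.c hunk at -405, `md_ctx` is declared uninitialised and the result of `BIO_get_md_ctx(bmd,&md_ctx)` is ignored, so a failed lookup would hand an indeterminate pointer to `EVP_MD_CTX_set_flags`. I would initialise the pointer and stop on failure: `EVP_MD_CTX *md_ctx = NULL;` followed by `if (!BIO_get_md_ctx(bmd,&md_ctx)) goto end;`, reusing the `end` label that the context line just above already jumps to. MAIN's body starts and ends outside this hunk, so whether `bmd` can be without a digest context at this point is not visible here.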
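Review bot: The override in the apps/enc.c hunk at -593 is applied to the cipher context only, and nothing says why it has to sit between `BIO_get_cipher_ctx` and `EVP_CipherInit_ex`. A short comment above the `if (non_fips_allow)` would stop a later refactor from moving it, e.g. `/* set before EVP_CipherInit_ex() so the override is in place when the cipher is initialised */`. It is also worth confirming whether the digest held in `dgst` (visible in the context of the first enc.c hunk) is used for key derivation elsewhere in MAIN and needs the same override, since that code is outside the hunks shown. Note that `ctx` comes from the unchecked `BIO_get_cipher_ctx` call on the context line, so the new flag call inherits that assumption.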