Loading README.FIPS +1 −130 Original line number Diff line number Diff line Preliminary status and build information for FIPS module v2.0 NB: if you are cross compiling you now need to use the latest "incore" script this can be found at util/incore in the tarballs. If you have any object files from a previous build do: make clean To build the module do: ./config fipscanisteronly make Build should complete without errors. Build test utilities: make build_tests Run test suite: test/fips_test_suite again should complete without errors. Run test vectors: 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips only the fips-2.0 testvector files are usable for complete tests. 2. Extract the files to a suitable directory. 3. Run the test vector perl script, for example: cd fips perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted 4. It should say "passed all tests" at the end. Report full details of any failures. If you wish to use the older 1.2.x testvectors (for example those from 2007) you need the command line switch --disable-v2 to fipsalgtest.pl Examine the external symbols in fips/fipscanister.o they should all begin with FIPS or fips. One way to check with GNU nm is: nm -g --defined-only fips/fipscanister.o | grep -v -i fips If you get *any* output at all from this test (i.e. symbols not starting with fips or FIPS) please report it. Restricted tarball tests. The validated module will have its own tarball containing sufficient code to build fipscanister.o and the associated algorithm tests. You can create a similar tarball yourself for testing purposes using the commands below. Standard restricted tarball: make -f Makefile.fips dist Prime field field only ECC tarball: make NOEC2M=1 -f Makefile.fips dist Once you've created the tarball extract into a fresh directory and do: ./config make You can then run the algorithm tests as above. This build automatically uses fipscanisterbuild and no-ec2m as appropriate. 
FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE. At least initially the test module and FIPS capable OpenSSL may change and by out of sync. You are advised to check for any changes and pull the latest source from CVS if you have problems. See anon CVS and rsync instructions at: http://www.openssl.org/source/repos.html Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/ If required set the environment variable FIPSDIR to an appropriate location to install the test module. If cross compiling set other environment variables too. In this restricted tarball on a Linux or U*ix like system run: ./config make make install On Windows from a VC++ environment do: ms\do_fips This will build and install the test module and some associated files. Now download the latest version of the OpenSSL 1.0.1 branch from either a snapshot or preferably CVS. For Linux do: ./config fips [other args] make For Windows: perl Configure VC-WIN32 fips [other args] ms\do_nasm nmake -f ms\ntdll.mak (or ms\nt.mak for a static build). Where [other args] can be any other arguments you use for an OpenSSL build such as "shared" or "zlib". This will build the fips capable OpenSSL and link it to the test module. You can now try linking and testing applications against the FIPS capable OpenSSL. Please report any problems to either the openssl-dev mailing list or directly to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate reports. Known issues: Code needs extensively reviewing to ensure it builds correctly on supported platforms and is compliant with FIPS 140-2. The "FIPS capable OpenSSL" is still largely untested, it builds and runs some simple tests OK on some systems but needs far more "real world" testing. This release does not support a FIPS 140-2 validated module. apps/dgst.c +2 −13 Original line number Diff line number Diff line Loading 
@@ -80,7 +80,7 @@ typedef enum OPTION_choice { OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY, OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL, OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT, OPT_NON_FIPS_ALLOW, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_DIGEST } OPTION_CHOICE; Loading @@ -106,7 +106,6 @@ OPTIONS dgst_options[] = { {"d", OPT_DEBUG, '-', "Print debug info"}, {"debug", OPT_DEBUG, '-'}, {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"}, {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, Loading @@ -133,8 +132,7 @@ int dgst_main(int argc, char **argv) const char *sigfile = NULL, *randfile = NULL; OPTION_CHOICE o; int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0; int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0, non_fips_allow = 0; int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0; unsigned char *buf = NULL, *sigbuf = NULL; int engine_impl = 0; Loading Loading @@ -205,9 +203,6 @@ int dgst_main(int argc, char **argv) case OPT_FIPS_FINGERPRINT: hmac_key = "etaonrishdlcupfm"; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; case OPT_HMAC: hmac_key = opt_arg(); break; Loading Loading @@ -323,12 +318,6 @@ int dgst_main(int argc, char **argv) goto end; } if (non_fips_allow) { EVP_MD_CTX *md_ctx; BIO_get_md_ctx(bmd, &md_ctx); EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); } if (hmac_key) { sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl, (unsigned char *)hmac_key, -1); Loading apps/dsaparam.c +2 −10 Original line number Diff line number Diff line Loading 
@@ -86,7 +86,7 @@ static int dsa_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE, OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE, OPT_TIMEBOMB } OPTION_CHOICE; Loading @@ -101,7 +101,6 @@ OPTIONS dsaparam_options[] = { {"noout", OPT_NOOUT, '-', "No output"}, {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, {"rand", OPT_RAND, 's', "Files to use for random number input"}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, # ifdef GENCB_TEST {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"}, # endif Loading @@ -116,7 +115,7 @@ int dsaparam_main(int argc, char **argv) DSA *dsa = NULL; BIO *in = NULL, *out = NULL; BN_GENCB *cb = NULL; int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0; int numbits = -1, num = 0, genkey = 0, need_rand = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0; int ret = 1, i, text = 0, private = 0; # ifdef GENCB_TEST Loading Loading @@ -175,9 +174,6 @@ int dsaparam_main(int argc, char **argv) case OPT_NOOUT: noout = 1; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; } } argc = opt_num_rest(); Loading Loading @@ -219,8 +215,6 @@ int dsaparam_main(int argc, char **argv) BIO_printf(bio_err, "Error allocating DSA object\n"); goto end; } if (non_fips_allow) dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW; BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", num); BIO_printf(bio_err, "This could take some time\n"); Loading Loading @@ -309,8 +303,6 @@ int dsaparam_main(int argc, char **argv) assert(need_rand); if ((dsakey = DSAparams_dup(dsa)) == NULL) goto end; if (non_fips_allow) dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW; if (!DSA_generate_key(dsakey)) { ERR_print_errors(bio_err); DSA_free(dsakey); Loading apps/enc.c +2 −9 Original line number Diff line number Diff line Loading 
@@ -84,7 +84,7 @@ typedef enum OPTION_choice { OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V, OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, OPT_UPPER_S, OPT_IV, OPT_MD, OPT_NON_FIPS_ALLOW, OPT_CIPHER OPT_UPPER_S, OPT_IV, OPT_MD, OPT_CIPHER } OPTION_CHOICE; OPTIONS enc_options[] = { Loading @@ -111,7 +111,6 @@ OPTIONS enc_options[] = { {"S", OPT_UPPER_S, 's', "Salt, in hex"}, {"iv", OPT_IV, 's', "IV in hex"}, {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, {"none", OPT_NONE, '-', "Don't encrypt"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, #ifdef ZLIB Loading Loading @@ -140,7 +139,7 @@ int enc_main(int argc, char **argv) int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; int enc = 1, printkey = 0, i, k; int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY; int ret = 1, inl, nopad = 0, non_fips_allow = 0; int ret = 1, inl, nopad = 0; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; unsigned long n; Loading Loading @@ -279,9 +278,6 @@ int enc_main(int argc, char **argv) if (!opt_md(opt_arg(), &dgst)) goto opthelp; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &c)) goto opthelp; Loading Loading @@ -501,9 +497,6 @@ int enc_main(int argc, char **argv) BIO_get_cipher_ctx(benc, &ctx); if (non_fips_allow) EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW); if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) { BIO_printf(bio_err, "Error setting cipher %s\n", EVP_CIPHER_name(cipher)); Loading apps/genrsa.c +2 −9 Original line number Diff line number Diff line Loading 
@@ -78,7 +78,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_3, OPT_F4, OPT_NON_FIPS_ALLOW, OPT_ENGINE, OPT_3, OPT_F4, OPT_ENGINE, OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER } OPTION_CHOICE; Loading @@ -87,7 +87,6 @@ OPTIONS genrsa_options[] = { {"3", OPT_3, '-', "Use 3 for the E value"}, {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, {"out", OPT_OUT, 's', "Output the key to specified file"}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, Loading @@ -108,7 +107,7 @@ int genrsa_main(int argc, char **argv) BIO *out = NULL; RSA *rsa = NULL; const EVP_CIPHER *enc = NULL; int ret = 1, non_fips_allow = 0, num = DEFBITS, private = 0; int ret = 1, num = DEFBITS, private = 0; unsigned long f4 = RSA_F4; char *outfile = NULL, *passoutarg = NULL, *passout = NULL; char *inrand = NULL, *prog, *hexe, *dece; Loading Loading @@ -136,9 +135,6 @@ int genrsa_main(int argc, char **argv) case OPT_F4: f4 = RSA_F4; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; case OPT_OUT: outfile = opt_arg(); break; Loading Loading @@ -188,9 +184,6 @@ int genrsa_main(int argc, char **argv) if (rsa == NULL) goto end; if (non_fips_allow) rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW; if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb)) goto end; Loading Loading
README.FIPS +1 −130 Original line number Diff line number Diff line Preliminary status and build information for FIPS module v2.0 NB: if you are cross compiling you now need to use the latest "incore" script this can be found at util/incore in the tarballs. If you have any object files from a previous build do: make clean To build the module do: ./config fipscanisteronly make Build should complete without errors. Build test utilities: make build_tests Run test suite: test/fips_test_suite again should complete without errors. Run test vectors: 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips only the fips-2.0 testvector files are usable for complete tests. 2. Extract the files to a suitable directory. 3. Run the test vector perl script, for example: cd fips perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted 4. It should say "passed all tests" at the end. Report full details of any failures. If you wish to use the older 1.2.x testvectors (for example those from 2007) you need the command line switch --disable-v2 to fipsalgtest.pl Examine the external symbols in fips/fipscanister.o they should all begin with FIPS or fips. One way to check with GNU nm is: nm -g --defined-only fips/fipscanister.o | grep -v -i fips If you get *any* output at all from this test (i.e. symbols not starting with fips or FIPS) please report it. Restricted tarball tests. The validated module will have its own tarball containing sufficient code to build fipscanister.o and the associated algorithm tests. You can create a similar tarball yourself for testing purposes using the commands below. Standard restricted tarball: make -f Makefile.fips dist Prime field field only ECC tarball: make NOEC2M=1 -f Makefile.fips dist Once you've created the tarball extract into a fresh directory and do: ./config make You can then run the algorithm tests as above. This build automatically uses fipscanisterbuild and no-ec2m as appropriate. 
FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE. At least initially the test module and FIPS capable OpenSSL may change and by out of sync. You are advised to check for any changes and pull the latest source from CVS if you have problems. See anon CVS and rsync instructions at: http://www.openssl.org/source/repos.html Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/ If required set the environment variable FIPSDIR to an appropriate location to install the test module. If cross compiling set other environment variables too. In this restricted tarball on a Linux or U*ix like system run: ./config make make install On Windows from a VC++ environment do: ms\do_fips This will build and install the test module and some associated files. Now download the latest version of the OpenSSL 1.0.1 branch from either a snapshot or preferably CVS. For Linux do: ./config fips [other args] make For Windows: perl Configure VC-WIN32 fips [other args] ms\do_nasm nmake -f ms\ntdll.mak (or ms\nt.mak for a static build). Where [other args] can be any other arguments you use for an OpenSSL build such as "shared" or "zlib". This will build the fips capable OpenSSL and link it to the test module. You can now try linking and testing applications against the FIPS capable OpenSSL. Please report any problems to either the openssl-dev mailing list or directly to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate reports. Known issues: Code needs extensively reviewing to ensure it builds correctly on supported platforms and is compliant with FIPS 140-2. The "FIPS capable OpenSSL" is still largely untested, it builds and runs some simple tests OK on some systems but needs far more "real world" testing. This release does not support a FIPS 140-2 validated module.
apps/dgst.c +2 −13 Original line number Diff line number Diff line Loading @@ -80,7 +80,7 @@ typedef enum OPTION_choice { OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY, OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL, OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT, OPT_NON_FIPS_ALLOW, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_DIGEST } OPTION_CHOICE; Loading @@ -106,7 +106,6 @@ OPTIONS dgst_options[] = { {"d", OPT_DEBUG, '-', "Print debug info"}, {"debug", OPT_DEBUG, '-'}, {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"}, {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, Loading @@ -133,8 +132,7 @@ int dgst_main(int argc, char **argv) const char *sigfile = NULL, *randfile = NULL; OPTION_CHOICE o; int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0; int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0, non_fips_allow = 0; int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0; unsigned char *buf = NULL, *sigbuf = NULL; int engine_impl = 0; Loading Loading @@ -205,9 +203,6 @@ int dgst_main(int argc, char **argv) case OPT_FIPS_FINGERPRINT: hmac_key = "etaonrishdlcupfm"; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; case OPT_HMAC: hmac_key = opt_arg(); break; Loading Loading @@ -323,12 +318,6 @@ int dgst_main(int argc, char **argv) goto end; } if (non_fips_allow) { EVP_MD_CTX *md_ctx; BIO_get_md_ctx(bmd, &md_ctx); EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); } if (hmac_key) { sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl, (unsigned char *)hmac_key, -1); Loading
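Review bot: The `fips-fingerprint` entry that stays in `dgst_options` still has no help string, and `case OPT_FIPS_FINGERPRINT:` still sets `hmac_key` to the fixed literal `"etaonrishdlcupfm"`, so once the FIPS code is gone nothing here tells a user what the option is for. Because that key is a constant in the source, the HMAC it produces is an integrity checksum only, not an authenticator. I would add a help string such as `"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"` and a one-line comment at the case saying the key is public by design. The body of dgst_main continues outside the hunks shown.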
apps/dsaparam.c +2 −10 Original line number Diff line number Diff line Loading @@ -86,7 +86,7 @@ static int dsa_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE, OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE, OPT_TIMEBOMB } OPTION_CHOICE; Loading @@ -101,7 +101,6 @@ OPTIONS dsaparam_options[] = { {"noout", OPT_NOOUT, '-', "No output"}, {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, {"rand", OPT_RAND, 's', "Files to use for random number input"}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, # ifdef GENCB_TEST {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"}, # endif Loading @@ -116,7 +115,7 @@ int dsaparam_main(int argc, char **argv) DSA *dsa = NULL; BIO *in = NULL, *out = NULL; BN_GENCB *cb = NULL; int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0; int numbits = -1, num = 0, genkey = 0, need_rand = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0; int ret = 1, i, text = 0, private = 0; # ifdef GENCB_TEST Loading Loading @@ -175,9 +174,6 @@ int dsaparam_main(int argc, char **argv) case OPT_NOOUT: noout = 1; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; } } argc = opt_num_rest(); Loading Loading @@ -219,8 +215,6 @@ int dsaparam_main(int argc, char **argv) BIO_printf(bio_err, "Error allocating DSA object\n"); goto end; } if (non_fips_allow) dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW; BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", num); BIO_printf(bio_err, "This could take some time\n"); Loading Loading @@ -309,8 +303,6 @@ int dsaparam_main(int argc, char **argv) assert(need_rand); if ((dsakey = DSAparams_dup(dsa)) == NULL) goto end; if (non_fips_allow) dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW; if (!DSA_generate_key(dsakey)) { ERR_print_errors(bio_err); DSA_free(dsakey); Loading
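Review bot: Removing `{"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}` from `dsaparam_options` means an existing script that passes `-non-fips-allow` will presumably be rejected as an unknown option instead of running. The same removal is made in `dgst_options`, `enc_options` and `genrsa_options`. If the break is intended, the commit message and the user documentation should say so; otherwise keep the table entry and reduce the handler to `case OPT_NON_FIPS_ALLOW: break;` so the flag is accepted as a no-op for a deprecation period. The option parser is not visible on this page, so the exact failure mode is inferred.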
apps/enc.c +2 −9 Original line number Diff line number Diff line Loading @@ -84,7 +84,7 @@ typedef enum OPTION_choice { OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V, OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, OPT_UPPER_S, OPT_IV, OPT_MD, OPT_NON_FIPS_ALLOW, OPT_CIPHER OPT_UPPER_S, OPT_IV, OPT_MD, OPT_CIPHER } OPTION_CHOICE; OPTIONS enc_options[] = { Loading @@ -111,7 +111,6 @@ OPTIONS enc_options[] = { {"S", OPT_UPPER_S, 's', "Salt, in hex"}, {"iv", OPT_IV, 's', "IV in hex"}, {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, {"none", OPT_NONE, '-', "Don't encrypt"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, #ifdef ZLIB Loading Loading @@ -140,7 +139,7 @@ int enc_main(int argc, char **argv) int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; int enc = 1, printkey = 0, i, k; int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY; int ret = 1, inl, nopad = 0, non_fips_allow = 0; int ret = 1, inl, nopad = 0; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; unsigned long n; Loading Loading @@ -279,9 +278,6 @@ int enc_main(int argc, char **argv) if (!opt_md(opt_arg(), &dgst)) goto opthelp; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &c)) goto opthelp; Loading Loading @@ -501,9 +497,6 @@ int enc_main(int argc, char **argv) BIO_get_cipher_ctx(benc, &ctx); if (non_fips_allow) EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW); if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) { BIO_printf(bio_err, "Error setting cipher %s\n", EVP_CIPHER_name(cipher)); Loading
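Review bot: In the last hunk, `BIO_get_cipher_ctx(benc, &ctx);` is now followed directly by `EVP_CipherInit_ex(ctx, ...)`, and its result is still not checked, so a failure of the BIO call could leave `ctx` unset when it is used. Since these lines are being touched anyway, I would guard the call, for example `if (BIO_get_cipher_ctx(benc, &ctx) <= 0) { ERR_print_errors(bio_err); goto end; }`. This assumes enc_main uses the same `end` cleanup label as the other apps. The declaration of `ctx` and the rest of enc_main are outside the hunks shown.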
apps/genrsa.c +2 −9 Original line number Diff line number Diff line Loading @@ -78,7 +78,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_3, OPT_F4, OPT_NON_FIPS_ALLOW, OPT_ENGINE, OPT_3, OPT_F4, OPT_ENGINE, OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER } OPTION_CHOICE; Loading @@ -87,7 +87,6 @@ OPTIONS genrsa_options[] = { {"3", OPT_3, '-', "Use 3 for the E value"}, {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, {"out", OPT_OUT, 's', "Output the key to specified file"}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, Loading @@ -108,7 +107,7 @@ int genrsa_main(int argc, char **argv) BIO *out = NULL; RSA *rsa = NULL; const EVP_CIPHER *enc = NULL; int ret = 1, non_fips_allow = 0, num = DEFBITS, private = 0; int ret = 1, num = DEFBITS, private = 0; unsigned long f4 = RSA_F4; char *outfile = NULL, *passoutarg = NULL, *passout = NULL; char *inrand = NULL, *prog, *hexe, *dece; Loading Loading @@ -136,9 +135,6 @@ int genrsa_main(int argc, char **argv) case OPT_F4: f4 = RSA_F4; break; case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; break; case OPT_OUT: outfile = opt_arg(); break; Loading Loading @@ -188,9 +184,6 @@ int genrsa_main(int argc, char **argv) if (rsa == NULL) goto end; if (non_fips_allow) rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW; if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb)) goto end; Loading