Commit c944a969 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

add fips hmac option and fips blocking overrides to command line utilities

parent 943cc09d

apps/dgst.c

+12 −0
Original line number Diff line number Diff line
@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv) 
#endif

	char *hmac_key=NULL;

	char *mac_name=NULL;

	int non_fips_allow = 0;

	STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;



	apps_startup();
@@ -215,6 +216,10 @@ int MAIN(int argc, char **argv) 
			out_bin = 1;

		else if (strcmp(*argv,"-d") == 0)

			debug=1;

		else if (strcmp(*argv,"-non-fips-allow") == 0)

			non_fips_allow=1;

		else if (!strcmp(*argv,"-fips-fingerprint"))

			hmac_key = "etaonrishdlcupfm";

		else if (!strcmp(*argv,"-hmac"))

			{

			if (--argc < 1)
@@ -395,6 +400,13 @@ int MAIN(int argc, char **argv) 
			goto end;

		}



	if (non_fips_allow)

		{

		EVP_MD_CTX *md_ctx;

		BIO_get_md_ctx(bmd,&md_ctx);

		EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);

		}



	if (hmac_key)

		{

		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,

apps/enc.c

+8 −0
Original line number Diff line number Diff line
@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv) 
	char *engine = NULL;

#endif

	const EVP_MD *dgst=NULL;

	int non_fips_allow = 0;



	apps_startup();
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv) 
			if (--argc < 1) goto bad;

			md= *(++argv);

			}

		else if (strcmp(*argv,"-non-fips-allow") == 0)

			non_fips_allow = 1;

		else if	((argv[0][0] == '-') &&

			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))

			{
@@ -589,6 +592,11 @@ bad: 
		 */



		BIO_get_cipher_ctx(benc, &ctx);



		if (non_fips_allow)

			EVP_CIPHER_CTX_set_flags(ctx,

				EVP_CIPH_FLAG_NON_FIPS_ALLOW);



		if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))

			{

			BIO_printf(bio_err, "Error setting cipher %s\n",