add fips hmac option and fips blocking overrides to command line utilities

Dr. Stephen Henson 2012-02-10 16:46:19 +00:00
parent 943cc09d8a
commit c944a9696e
2 changed files with 20 additions and 0 deletions


@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
#endif #endif
char *hmac_key=NULL; char *hmac_key=NULL;
char *mac_name=NULL; char *mac_name=NULL;
int non_fips_allow = 0;
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
apps_startup(); apps_startup();
@ -215,6 +216,10 @@ int MAIN(int argc, char **argv)
out_bin = 1; out_bin = 1;
else if (strcmp(*argv,"-d") == 0) else if (strcmp(*argv,"-d") == 0)
debug=1; debug=1;
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow=1;
else if (!strcmp(*argv,"-fips-fingerprint"))
hmac_key = "etaonrishdlcupfm";
else if (!strcmp(*argv,"-hmac")) else if (!strcmp(*argv,"-hmac"))
{ {
if (--argc < 1) if (--argc < 1)
@ -395,6 +400,13 @@ int MAIN(int argc, char **argv)
goto end; goto end;
} }
if (non_fips_allow)
{
EVP_MD_CTX *md_ctx;
BIO_get_md_ctx(bmd,&md_ctx);
EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
if (hmac_key) if (hmac_key)
{ {
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e, sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
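Review bot: In the `if (non_fips_allow)` block of the third hunk, `md_ctx` is declared uninitialized and the result of `BIO_get_md_ctx(bmd,&md_ctx)` is never checked, so a failed ctrl leaves an indeterminate pointer that `EVP_MD_CTX_set_flags` then dereferences. Initialize it and bail out the way the surrounding code already does: `EVP_MD_CTX *md_ctx = NULL;` / `if (BIO_get_md_ctx(bmd, &md_ctx) <= 0 || md_ctx == NULL)` / `goto end;`. In the second hunk the literal `"etaonrishdlcupfm"` assigned for `-fips-fingerprint` is a fixed, visible value rather than a secret; giving it a named constant with a one-line comment saying it is a public fingerprinting key, not a key providing secrecy, would stop a later reader from treating it as one. MAIN's body begins and ends outside these hunks.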


@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
char *engine = NULL; char *engine = NULL;
#endif #endif
const EVP_MD *dgst=NULL; const EVP_MD *dgst=NULL;
int non_fips_allow = 0;
apps_startup(); apps_startup();
@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
md= *(++argv); md= *(++argv);
} }
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else if ((argv[0][0] == '-') && else if ((argv[0][0] == '-') &&
((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
{ {
@ -589,6 +592,11 @@ bad:
*/ */
BIO_get_cipher_ctx(benc, &ctx); BIO_get_cipher_ctx(benc, &ctx);
if (non_fips_allow)
EVP_CIPHER_CTX_set_flags(ctx,
EVP_CIPH_FLAG_NON_FIPS_ALLOW);
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
{ {
BIO_printf(bio_err, "Error setting cipher %s\n", BIO_printf(bio_err, "Error setting cipher %s\n",
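Review bot: The new `if (non_fips_allow)` in the last hunk has an unbraced body that spans two physical lines (`EVP_CIPHER_CTX_set_flags(ctx,` / `EVP_CIPH_FLAG_NON_FIPS_ALLOW);`), which is exactly the shape that a later one-line addition turns into a silent logic bug; brace it the way the equivalent block in the dgst hunk is braced. The flag is applied only to the cipher context obtained from `benc`; if `dgst` (declared in the first hunk) is also used for key derivation in this utility, that digest is presumably not covered by `-non-fips-allow`, which is worth confirming and noting in the option's help text. MAIN's body continues outside the hunk.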