File openssl-fips-dont-fall-back-to-default-digest.patch of Package openssl.4105

Index: openssl-1.0.1i/apps/dgst.c
===================================================================
--- openssl-1.0.1i.orig/apps/dgst.c	2016-04-28 17:03:42.236194100 +0200
+++ openssl-1.0.1i/apps/dgst.c	2016-04-28 17:04:29.820980047 +0200
@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv)
 	/* first check the program name */
 	program_name(argv[0],pname,sizeof pname);
 
-	md=EVP_get_digestbyname(pname);
+	md = EVP_get_digestbyname_fips_disabled(pname);
 
 	argc--;
 	argv++;
@@ -250,7 +250,7 @@ int MAIN(int argc, char **argv)
 			if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
 				break;
 			}
-		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+		else if ((m=EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL)
 			md=m;
 		else
 			break;
Index: openssl-1.0.1i/apps/apps.c
===================================================================
--- openssl-1.0.1i.orig/apps/apps.c	2016-04-28 17:03:40.969173173 +0200
+++ openssl-1.0.1i/apps/apps.c	2016-04-28 17:03:42.236194100 +0200
@@ -3096,3 +3096,45 @@ int raw_write_stdout(const void *buf,int
 int raw_write_stdout(const void *buf,int siz)
 	{	return write(fileno(stdout),buf,siz);	}
 #endif
+
+
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name)
+	{
+	int saved_fips_mode = FIPS_mode();
+	EVP_MD *md;
+
+	if (saved_fips_mode)
+		FIPS_mode_set(0);
+
+	OpenSSL_add_all_digests();
+	md=EVP_get_digestbyname(name);
+
+	if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+		ERR_load_crypto_strings();
+		ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+		EXIT(1);
+	}
+
+	return md;
+	}
+
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name)
+	{
+	int saved_fips_mode = FIPS_mode();
+	EVP_CIPHER *ciph;
+
+	if (saved_fips_mode)
+		FIPS_mode_set(0);
+
+	OpenSSL_add_all_ciphers();
+	ciph=EVP_get_cipherbyname(name);
+
+	if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+		ERR_load_crypto_strings();
+		ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+		EXIT(1);
+	}
+
+	return ciph;
+	}
+
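Review bot: `EVP_MD *md;` and `EVP_CIPHER *ciph;` drop the const qualifier that EVP_get_digestbyname() and EVP_get_cipherbyname() return, so the assignments at `md=EVP_get_digestbyname(name);` and `ciph=EVP_get_cipherbyname(name);` draw discarded-qualifier warnings for nothing; declare them `const EVP_MD *md;` and `const EVP_CIPHER *ciph;` to match the new functions' own const return types. The first `FIPS_mode_set(0)` in each function ignores its return value, so a failure to leave FIPS mode is not noticed and the lookup simply runs with the mode unchanged — presumably harmless, but it sits oddly next to the restore path, which does check. That restore path is the right fail-closed shape (exit rather than continue with FIPS mode silently off) and deserves a header comment, e.g. `/* Look up a digest by name with FIPS mode temporarily turned off. FIPS mode is restored afterwards; if that fails the process exits rather than continuing with FIPS mode off. */`, with the same for the cipher variant. The BIO from BIO_new_fp() is never freed on that path, which only passes because EXIT() follows immediately. The save/lookup/restore/exit sequence is duplicated verbatim between the two functions; a small static helper taking the saved mode would keep the two in step.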
Index: openssl-1.0.1i/apps/apps.h
===================================================================
--- openssl-1.0.1i.orig/apps/apps.h	2016-04-28 17:03:42.237194116 +0200
+++ openssl-1.0.1i/apps/apps.h	2016-04-28 17:05:12.893691488 +0200
@@ -337,6 +337,9 @@ void jpake_server_auth(BIO *out, BIO *co
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
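Review bot: The two new prototypes carry no comment, although their behaviour is not obvious from the names: each turns the process-wide FIPS mode off around the lookup, restores it, and exits the process if restoring fails (per their definitions in apps.c in this patch). A one-line comment above `const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);` such as `/* Name lookups with FIPS mode temporarily off; exits the process if FIPS mode cannot be restored afterwards. */` would tell callers what they are opting into.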
Index: openssl-1.0.1i/apps/enc.c
===================================================================
--- openssl-1.0.1i.orig/apps/enc.c	2016-04-28 17:03:40.970173189 +0200
+++ openssl-1.0.1i/apps/enc.c	2016-04-28 17:07:31.388979155 +0200
@@ -151,7 +151,7 @@ int MAIN(int argc, char **argv)
 		do_zlib=1;
 #endif
 
-	cipher=EVP_get_cipherbyname(pname);
+	cipher=EVP_get_cipherbyname_fips_disabled(pname);
 #ifdef ZLIB
 	if (!do_zlib && !base64 && (cipher == NULL)
 				&& (strcmp(pname,"enc") != 0))
@@ -287,7 +287,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow = 1;
 		else if	((argv[0][0] == '-') &&
-			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
+			((c=EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL))
 			{
 			cipher=c;
 			}
@@ -329,6 +329,10 @@ bad:
 		argv++;
 		}
 
+    /* drop out of fips mode if we should allow non-fips algos */
+    if (non_fips_allow)
+        FIPS_mode_set(0);
+
 #ifndef OPENSSL_NO_ENGINE
         setup_engine(bio_err, engine, 0);
 #endif
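Review bot: The added `FIPS_mode_set(0)` under the `non_fips_allow` check discards its return value, so a failure to leave FIPS mode goes unnoticed and enc carries on with the flag set but the mode still on; since the helpers in apps.c exit when a FIPS_mode_set() call fails, the same care fits here, e.g. `if (non_fips_allow && !FIPS_mode_set(0)) { ERR_print_errors(bio_err); goto end; }` using the `end` label the later hunk jumps to. Unlike the lookup helpers, this leaves FIPS mode off for the rest of the run rather than temporarily, which the comment could state explicitly: `/* drop out of fips mode for the rest of this run if non-fips algos are allowed */`. The new lines are indented with spaces while the adjacent code (`argv++;` above) uses tabs. MAIN starts and ends outside this hunk.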
@@ -345,7 +349,7 @@ bad:
 		goto end;
 		}
 
-	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+	if (md && (dgst=EVP_get_digestbyname_fips_disabled(md)) == NULL)
 		{
 		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
 		goto end;