diff options
| author | Rich Salz <rsalz@akamai.com> | 2020-06-29 12:20:41 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2020-06-29 12:20:41 +1000 |
| commit | 31214258309251aff297da67a60a6b60bf4ef27e (patch) | |
| tree | aee548533bd6a7fe25c3c6ebf06b46287dfccb6c /apps | |
| parent | 9afbb681ecd433623fb39db2a110ec3351d271c7 (diff) | |
Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/fipsinstall.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index e0fe43e8b7..e76e615bc6 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -15,6 +15,7 @@ #include <openssl/fips_names.h> #include <openssl/core_names.h> #include <openssl/self_test.h> +#include <openssl/fipskey.h> #include "apps.h" #include "progs.h" @@ -266,7 +267,7 @@ end: int fipsinstall_main(int argc, char **argv) { - int ret = 1, verify = 0; + int ret = 1, verify = 0, gotkey = 0, gotdigest = 0; BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL; char *in_fname = NULL, *out_fname = NULL, *prog, *section_name = NULL; char *prov_name = NULL, *module_fname = NULL; @@ -283,6 +284,8 @@ int fipsinstall_main(int argc, char **argv) CONF *conf = NULL; section_name = DEFAULT_FIPS_SECTION; + if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; prog = opt_init(argc, argv, fipsinstall_options); while ((o = opt_next()) != OPT_EOF) { @@ -327,10 +330,12 @@ opthelp: mac_name = opt_arg(); break; case OPT_MACOPT: - if (opts == NULL) - opts = sk_OPENSSL_STRING_new_null(); - if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg())) + if (!sk_OPENSSL_STRING_push(opts, opt_arg())) goto opthelp; + if (strncmp(opt_arg(), "hexkey:", 7) == 0) + gotkey = 1; + else if (strncmp(opt_arg(), "digest:", 7) == 0) + gotdigest = 1; break; case OPT_VERIFY: verify = 1; @@ -341,7 +346,6 @@ opthelp: if (module_fname == NULL || (verify && in_fname == NULL) || (!verify && (out_fname == NULL || prov_name == NULL)) - || opts == NULL || argc != 0) goto opthelp; @@ -350,6 +354,12 @@ opthelp: || self_test_corrupt_type != NULL) OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL); + /* Use the default FIPS HMAC digest and key if not specified. */ + if (!gotdigest && !sk_OPENSSL_STRING_push(opts, "digest:SHA256")) + goto end; + if (!gotkey && !sk_OPENSSL_STRING_push(opts, "hexkey:" FIPS_KEY_STRING)) + goto end; + module_bio = bio_open_default(module_fname, 'r', FORMAT_BINARY); if (module_bio == NULL) { BIO_printf(bio_err, "Failed to open module file\n"); |