authorShane Lontis <shane.lontis@oracle.com>2020-09-05 13:08:27 +1000
committerMatt Caswell <matt@openssl.org>2020-09-18 14:20:50 +0100
commit991a6bb58182d4d2077a68eb813c897b7de73462 (patch)
tree738fc724534be090323181dc445cf19e442b827c /providers/common
parent7a810fac866c6c1d93015999633ee2a29f17b3d2 (diff)
Add option to fipsinstall to disable fips security checks at run time.
Changes merged from a patch by @richsalz. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
Diffstat (limited to 'providers/common')
-rw-r--r--providers/common/securitycheck.c2
-rw-r--r--providers/common/securitycheck_fips.c5
2 files changed, 4 insertions, 3 deletions
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 624843e3ab..9a425fb630 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -203,7 +203,7 @@ int digest_is_allowed(const EVP_MD *md)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (securitycheck_enabled())
- return (digest_get_approved_nid(md) != NID_undef);
+ return digest_get_approved_nid(md) != NID_undef;
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
return 1;
}
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
index f73eae9569..94457d6ccf 100644
--- a/providers/common/securitycheck_fips.c
+++ b/providers/common/securitycheck_fips.c
@@ -19,11 +19,12 @@
#include "prov/securitycheck.h"
#include "prov/providercommonerr.h"
+extern int FIPS_security_check_enabled(void);
+
int securitycheck_enabled(void)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- /* TODO(3.0): make this configurable */
- return 1;
+ return FIPS_security_check_enabled();
#else
return 0;
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
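Review bot: The added `extern int FIPS_security_check_enabled(void);` is a hand-written prototype inside the .c file, so the compiler cannot check it against the real definition, which is not part of this diff. If the signature ever changes, the mismatch goes unnoticed. Declaring it once in a header that the defining file also includes would keep the two in sync. Since securitycheck_enabled() now gates callers such as digest_is_allowed(), which returns 1 for any digest when the result is 0, a comment above the function would make the fail-open behaviour explicit, e.g. `/* Returns 0 when the FIPS security checks are disabled by configuration; callers then skip their approved-algorithm checks. */`. It is presumably intended that a missing or unparsable setting leaves the checks enabled; that is worth confirming where FIPS_security_check_enabled() is defined. The closing brace of securitycheck_enabled() lies outside this hunk.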