Index: openssl-1.0.2i/apps/dgst.c
===================================================================
--- openssl-1.0.2i.orig/apps/dgst.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/dgst.c 2016-09-23 10:20:02.162323196 +0200
@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv)
 /* first check the program name */
 program_name(argv[0], pname, sizeof pname);
- md = EVP_get_digestbyname(pname);
+ md = EVP_get_digestbyname_fips_disabled(pname);
 argc--;
 argv++;
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
 macopts = sk_OPENSSL_STRING_new_null();
 if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
 break;
- } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ } else if ((m = EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL)
 md = m;
 else
 break;
Index: openssl-1.0.2i/apps/apps.c
===================================================================
--- openssl-1.0.2i.orig/apps/apps.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/apps.c 2016-09-23 10:20:02.162323196 +0200
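Review bot: In apps/dgst.c, both changed lookups (the program-name lookup at -147 and the option fallback at -235) can now hand back a digest that is not FIPS-approved while the process is in FIPS mode, and neither hunk shows where such a digest is rejected afterwards. If rejection is left to the later digest initialisation (outside these hunks, so unconfirmed here), state that at the call site, e.g. `/* name lookup only; FIPS policy is enforced when the digest is initialised */`. The fallback at -235 appears to be the last branch of the option chain, so every argument that reaches it would trigger a process-wide FIPS off/on cycle inside the helper. The same lookup substitution is made in apps/enc.c at -150, -269 and -338, and MAIN's body continues outside all of these hunks.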
@@ -3266,3 +3266,45 @@ int raw_write_stdout(const void *buf, in
 return write(fileno_stdout(), buf, siz);
 }
 #endif
+
+
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_MD *md;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_digests();
+ md=EVP_get_digestbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return md;
+ }
+
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_CIPHER *ciph;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_ciphers();
+ ciph=EVP_get_cipherbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return ciph;
+ }
+
Index: openssl-1.0.2i/apps/apps.h
===================================================================
--- openssl-1.0.2i.orig/apps/apps.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/apps.h 2016-09-23 10:20:02.162323196 +0200
@@ -348,6 +348,9 @@ void print_cert_checks(BIO *bio, X509 *x
 void store_setup_crl_download(X509_STORE *st);
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name);
+
 # define FORMAT_UNDEF 0
 # define FORMAT_ASN1 1
 # define FORMAT_TEXT 2
Index: openssl-1.0.2i/apps/enc.c
===================================================================
--- openssl-1.0.2i.orig/apps/enc.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/enc.c 2016-09-23 10:20:02.162323196 +0200
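Review bot: In the apps/apps.c hunk, `EVP_MD *md;` and `EVP_CIPHER *ciph;` are assigned from `EVP_get_digestbyname` and `EVP_get_cipherbyname`, which return const pointers, so the qualifier is dropped; declare them `const EVP_MD *md;` and `const EVP_CIPHER *ciph;`. Both helpers ignore the result of `FIPS_mode_set(0)`, and the error path passes `BIO_new_fp(stderr,BIO_NOCLOSE)` to `ERR_print_errors` without a NULL check. `OpenSSL_add_all_digests()` and `OpenSSL_add_all_ciphers()` run while FIPS mode is off, and those registrations presumably stay in the name table after FIPS mode is restored, so later unpatched by-name lookups in the same process may resolve non-approved algorithms as well. Each helper should carry a header comment saying that it temporarily leaves FIPS mode process-wide, that it exits if FIPS mode cannot be restored, and that a non-NULL result is a name match only, not evidence that the algorithm is FIPS-approved.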
@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv)
 do_zlib = 1;
 #endif
- cipher = EVP_get_cipherbyname(pname);
+ cipher = EVP_get_cipherbyname_fips_disabled(pname);
 #ifdef ZLIB
 if (!do_zlib && !base64 && (cipher == NULL) && (strcmp(pname, "enc") != 0))
@@ -269,7 +269,7 @@ int MAIN(int argc, char **argv)
 } else if (strcmp(*argv, "-non-fips-allow") == 0)
 non_fips_allow = 1;
 else if ((argv[0][0] == '-') &&
- ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
+ ((c = EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL)) {
 cipher = c;
 } else if (strcmp(*argv, "-none") == 0)
 cipher = NULL;
@@ -322,6 +322,10 @@ int MAIN(int argc, char **argv)
 argv++;
 }
+ /* drop out of fips mode if we should allow non-fips algos */
+ if (non_fips_allow)
+ FIPS_mode_set(0);
+
 #ifndef OPENSSL_NO_ENGINE
 setup_engine(bio_err, engine, 0);
 #endif
@@ -338,7 +342,7 @@ int MAIN(int argc, char **argv)
 goto end;
 }
- if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
+ if (md && (dgst = EVP_get_digestbyname_fips_disabled(md)) == NULL) {
 BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
 goto end;
 }
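Review bot: In apps/enc.c at -322, the result of `FIPS_mode_set(0)` is not checked, so if leaving FIPS mode fails the command carries on as though `-non-fips-allow` had taken effect; consider `if (non_fips_allow && FIPS_mode() && !FIPS_mode_set(0)) { ERR_print_errors(bio_err); goto end; }`. The switch is process-wide, so everything that follows in MAIN, starting with the `setup_engine` call visible in the hunk, runs outside FIPS mode rather than only the selected cipher. The comment should say that explicitly, or the exemption should be scoped with the per-context flags (`EVP_CIPH_FLAG_NON_FIPS_ALLOW`, `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`) if this build provides them. MAIN's body continues outside the hunk, so whether such flags are already set later cannot be confirmed from here.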