Add DH key exchange to fips provider

[oweals/openssl.git] / crypto / dh / dh_check.c

diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 373110d263b0cd6a2c3d00f9591517cb724b9a56..70f083603f4575a4bb6800c5b3af82694cd27466 100644 (file)
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -10,9 +10,7 @@
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
-#include "dh_locl.h"
-
-# define DH_NUMBER_ITERATIONS_FOR_PRIME 64
+#include "dh_local.h"
 
 /*-
  * Check that p and g are suitable enough
@@ -137,7 +135,7 @@ int DH_check(const DH *dh, int *ret)
             if (!BN_is_one(t1))
                 *ret |= DH_NOT_SUITABLE_GENERATOR;
         }
-        r = BN_is_prime_ex(dh->q, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);
+        r = BN_check_prime(dh->q, ctx, NULL);
         if (r < 0)
             goto err;
         if (!r)
@@ -151,7 +149,7 @@ int DH_check(const DH *dh, int *ret)
             *ret |= DH_CHECK_INVALID_J_VALUE;
     }
 
-    r = BN_is_prime_ex(dh->p, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);
+    r = BN_check_prime(dh->p, ctx, NULL);
     if (r < 0)
         goto err;
     if (!r)
@@ -159,7 +157,7 @@ int DH_check(const DH *dh, int *ret)
     else if (!dh->q) {
         if (!BN_rshift1(t1, dh->p))
             goto err;
-        r = BN_is_prime_ex(t1, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);
+        r = BN_check_prime(t1, ctx, NULL);
         if (r < 0)
             goto err;
         if (!r)
@@ -176,7 +174,8 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
 {
     int errflags = 0;
 
-    (void)DH_check(dh, &errflags);
+    if (!DH_check_pub_key(dh, pub_key, &errflags))
+        return 0;
 
     if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0)
         DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_TOO_SMALL);