Update from HEAD.

[oweals/openssl.git] / crypto / dsa / dsa.h

diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index b12db98b1303a60fc62284433747c9d4ae3f72ca..702c50d6dc87d24797796ddf52e7b35b6bb605f6 100644 (file)
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -84,6 +84,12 @@
 #endif
 #endif
 
+#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
+# define OPENSSL_DSA_MAX_MODULUS_BITS  10000
+#endif
+
+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
+
 #define DSA_FLAG_CACHE_MONT_P  0x01
 #define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
                                               * implementation now uses constant time
@@ -93,6 +99,25 @@
                                               * be used for all exponents.
                                               */
 
+/* If this flag is set the DSA method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its reposibility
+ * to ensure the result is compliant.
+ */
+
+#define DSA_FLAG_FIPS_METHOD                   0x0400
+
+/* If this flag is set the operations normally disabled in FIPS mode are
+ * permitted it is then the applications responsibility to ensure that the
+ * usage is compliant.
+ */
+
+#define DSA_FLAG_NON_FIPS_ALLOW                        0x0400
+
+#ifdef OPENSSL_FIPS
+#define FIPS_DSA_SIZE_T        int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -185,6 +210,11 @@ void       DSA_set_default_method(const DSA_METHOD *);
 const DSA_METHOD *DSA_get_default_method(void);
 int    DSA_set_method(DSA *dsa, const DSA_METHOD *);
 
+#ifdef OPENSSL_FIPS
+DSA *  FIPS_dsa_new(void);
+void   FIPS_dsa_free (DSA *r);
+#endif
+
 DSA *  DSA_new(void);
 DSA *  DSA_new_method(ENGINE *engine);
 void   DSA_free (DSA *r);
@@ -245,6 +275,11 @@ int        DSA_print_fp(FILE *bp, const DSA *x, int off);
 DH *DSA_dup_DH(const DSA *r);
 #endif
 
+#ifdef OPENSSL_FIPS
+int FIPS_dsa_sig_encode(unsigned char *out, DSA_SIG *sig);
+int FIPS_dsa_sig_decode(DSA_SIG *sig, const unsigned char *in, int inlen);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -257,11 +292,16 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_D2I_DSA_SIG                               110
 #define DSA_F_DSAPARAMS_PRINT                           100
 #define DSA_F_DSAPARAMS_PRINT_FP                        101
+#define DSA_F_DSA_BUILTIN_KEYGEN                        119
+#define DSA_F_DSA_BUILTIN_PARAMGEN                      118
 #define DSA_F_DSA_DO_SIGN                               112
 #define DSA_F_DSA_DO_VERIFY                             113
+#define DSA_F_DSA_GENERATE_PARAMETERS                   117
 #define DSA_F_DSA_NEW_METHOD                            103
 #define DSA_F_DSA_PRINT                                         104
 #define DSA_F_DSA_PRINT_FP                              105
+#define DSA_F_DSA_SET_DEFAULT_METHOD                    115
+#define DSA_F_DSA_SET_METHOD                            116
 #define DSA_F_DSA_SIGN                                  106
 #define DSA_F_DSA_SIGN_SETUP                            107
 #define DSA_F_DSA_SIG_NEW                               109
@@ -270,8 +310,13 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_SIG_CB                                    114
 
 /* Reason codes. */
+#define DSA_R_BAD_Q_VALUE                               102
 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE               100
+#define DSA_R_KEY_SIZE_TOO_SMALL                        106
 #define DSA_R_MISSING_PARAMETERS                        101
+#define DSA_R_MODULUS_TOO_LARGE                                 103
+#define DSA_R_NON_FIPS_METHOD                           104
+#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE        105
 
 #ifdef  __cplusplus
 }