Merge public key FIPS code, RSA, DSA, DH.
[oweals/openssl.git] / crypto / rsa / rsa_sign.c
index 71aabeea1bd73bca46c8a1657273dbedbffad4e0..5488c06f6d8d9df23c756eaf5f4417aab60693b1 100644 (file)
@@ -90,6 +90,14 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                i = SSL_SIG_LENGTH;
                s = m;
        } else {
+       /* NB: in FIPS mode block anything that isn't a TLS signature */
+#ifdef OPENSSL_FIPS
+               if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                       {
+                       RSAerr(RSA_F_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                       return 0;
+                       }
+#endif
                sig.algor= &algor;
                sig.algor->algorithm=OBJ_nid2obj(type);
                if (sig.algor->algorithm == NULL)
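Review bot: The comment on the new FIPS guard says it blocks "anything that isn't a TLS signature", but the condition also lets any digest type through when the key carries `RSA_FLAG_NON_FIPS_ALLOW`, and the comment does not mention that per-key override. Since this flag is the opt-out from the FIPS restriction, it should be named where the check lives, for example `/* FIPS mode: only the MD5+SHA1 TLS form is accepted here; other digest types are refused unless the key sets RSA_FLAG_NON_FIPS_ALLOW */`. The comment is also indented one level shallower than the code it describes. The same comment text is repeated in the RSA_verify hunk below and has the same gap. RSA_sign's body starts and ends outside this hunk.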
@@ -167,10 +175,22 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
                goto err;
                }
-       if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
+       if(dtype == NID_md5_sha1)
+               {
+               if (m_len != SSL_SIG_LENGTH)
+                       {
                        RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
                        goto err;
-       }
+                       }
+               }
+       /* NB: in FIPS mode block anything that isn't a TLS signature */
+#ifdef OPENSSL_FIPS
+       else if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+               {
+               RSAerr(RSA_F_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+               return 0;
+               }
+#endif
        i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
 
        if (i <= 0) goto err;
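Review bot: The new FIPS branch in RSA_verify exits with `return 0;`, while the two error paths around it (the `ERR_R_MALLOC_FAILURE` check and the `RSA_R_INVALID_MESSAGE_LENGTH` check) both use `goto err;`. The malloc-failure check directly above suggests that the buffer `s` has already been allocated at this point, so the early return would leak it each time a non-TLS verify is refused in FIPS mode. Changing the line to `goto err;` keeps the cleanup consistent, assuming the `err` label, which is outside this hunk, frees `s`. Alternatively, the FIPS check could be moved ahead of the allocation. Separately, the `else if` sits inside `#ifdef OPENSSL_FIPS` and is separated from its `if` by a comment, so it is easy to miss that it only runs when `dtype != NID_md5_sha1`; a short comment saying so would help.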