More fixes for DSA FIPS overrides.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 23 Apr 2011 21:59:12 +0000 (21:59 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 23 Apr 2011 21:59:12 +0000 (21:59 +0000)
apps/dsaparam.c
crypto/dsa/dsa_ossl.c

index deb4aa9444b29f23a424de12b4de31478a9fb6b8..03e33f9f7eb0fed47f177a4ee52acb6af7368c78 100644 (file)
@@ -435,13 +435,21 @@ bad:
 
                assert(need_rand);
                if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
-               if (!DSA_generate_key(dsakey)) goto end;
+               if (non_fips_allow)
+                       dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
+               if (!DSA_generate_key(dsakey))
+                       {
+                       ERR_print_errors(bio_err);
+                       DSA_free(dsakey);
+                       goto end;
+                       }
                if      (outformat == FORMAT_ASN1)
                        i=i2d_DSAPrivateKey_bio(out,dsakey);
                else if (outformat == FORMAT_PEM)
                        i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
                else    {
                        BIO_printf(bio_err,"bad output format specified for outfile\n");
+                       DSA_free(dsakey);
                        goto end;
                        }
                DSA_free(dsakey);
index acf7af95c40d676af1cc52bd59508b02f1cc693f..38f667f4e7cc6a2d4c56358379d8c6e225923992 100644 (file)
@@ -353,7 +353,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
            return -1;
            }
 
-       if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
+               && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
                {
                DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
                return -1;