* be used for all exponents.
*/
+/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode
+ * it is then the applications responsibility to ensure the external method
+ * is compliant.
+ */
+
+#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW 0x04
+
#if defined(OPENSSL_FIPS)
#define FIPS_DSA_SIZE_T int
#endif
DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
#ifdef OPENSSL_FIPS
- if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ if(FIPS_mode() && !FIPS_dsa_check(dsa)
+ && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW))
return NULL;
#endif
return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
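Review bot: In the new condition in DSA_do_sign, `FIPS_dsa_check(dsa)` is still evaluated before the flag test, so a key with DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW set runs the check, fails it, and then proceeds anyway. If FIPS_dsa_check records an error when it fails (its body is not part of this diff), a successful signing call would leave a stale entry on the error queue for the caller to misread. Testing the flag first avoids that: `if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) && !FIPS_dsa_check(dsa))`. The same applies to the identical conditions in DSA_sign_setup and in the verify wrapper further down; each function's closing brace lies outside its hunk.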
int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
#ifdef OPENSSL_FIPS
- if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ if(FIPS_mode() && !FIPS_dsa_check(dsa)
+ && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW))
return 0;
#endif
return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
DSA *dsa)
{
#ifdef OPENSSL_FIPS
- if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ if(FIPS_mode() && !FIPS_dsa_check(dsa)
+ && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW))
return -1;
#endif
return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
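Review bot: The exemption is read from `dsa->flags`, a field of the same key object whose `meth` is then dispatched, and nothing in these hunks shows where that field gets populated. If it can be inherited from the method's own flags, an external method could grant itself the FIPS exemption without the application opting in. That matters most in this verify path, where a non-validated implementation decides whether a signature is accepted. The comment above the define should say who is expected to set the flag, for example `/* Set on the DSA object by the application only; an external DSA_METHOD must not set it on its own behalf. */`, if that is the intent. This function's signature starts and its body ends outside the hunk.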