From: Dr. Stephen Henson Date: Fri, 31 Mar 2006 17:09:46 +0000 (+0000) Subject: Flag to allow use of DSA_METHOD in FIPS mode. X-Git-Tag: OpenSSL_0_9_7j~10 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6fa6e3e2df566687558ecedae569a1041d99680f;p=oweals%2Fopenssl.git Flag to allow use of DSA_METHOD in FIPS mode.
---
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index 925f11cd57..851e3f0445 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -88,6 +88,13 @@
 * be used for all exponents. */
+/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode
+ * it is then the applications responsibility to ensure the external method
+ * is compliant.
+ */
+
+#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW 0x04
+
 #if defined(OPENSSL_FIPS)
 #define FIPS_DSA_SIZE_T int
 #endif
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
index 3c9753bac3..46601102b5 100644
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -72,7 +72,8 @@
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 {
 #ifdef OPENSSL_FIPS
- if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ if(FIPS_mode() && !FIPS_dsa_check(dsa)
+ && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW))
 return NULL;
 #endif
 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
@@ -96,7 +97,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
 #ifdef OPENSSL_FIPS
- if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ if(FIPS_mode() && !FIPS_dsa_check(dsa)
+ && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW))
 return 0;
 #endif
 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c
index 8ef0c45025..608431ca56 100644
--- a/crypto/dsa/dsa_vrf.c
+++ b/crypto/dsa/dsa_vrf.c
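Review bot: The comment above the new DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW define in dsa.h is the only documentation a caller gets, yet it does not say which entry points consult the flag or who is allowed to set it, and "applications responsibility" needs an apostrophe. I would reword it to `/* If set in dsa->flags, DSA_do_sign(), DSA_sign_setup() and DSA_do_verify() skip the FIPS_dsa_check() test in FIPS mode. It is then the application's responsibility to ensure the external DSA_METHOD is compliant; a method or ENGINE must not set it on its own behalf. */`. The value 0x04 presumably sits after the existing DSA_FLAG_* constants at 0x01 and 0x02, which are not visible in this hunk, so it is worth confirming that bit 2 is not already taken elsewhere in the header.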
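Review bot: In DSA_do_sign the flag is consulted only after FIPS_dsa_check(dsa) has already been called and failed, so a key that the application has deliberately exempted still pays for the check and, if FIPS_dsa_check() records the rejection on the error queue (its body is not in this diff), leaves a stale FIPS error queued even though signing then proceeds. Testing the cheap flag bit first short-circuits both: `if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) && !FIPS_dsa_check(dsa))`. The result is unchanged for keys without the flag, since FIPS_dsa_check() is then still the deciding test.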
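Review bot: The gate added to DSA_sign_setup is the second verbatim copy of the same three-term condition in this file (DSA_do_sign above) and the third across the commit (DSA_do_verify in dsa_vrf.c); the sites differ only in their failure value, so any later change to the rule, such as another flag or a tighter method test, has to be applied in three places. A one-line helper inside the OPENSSL_FIPS block of dsa.h, e.g. `#define DSA_FIPS_METHOD_BLOCKED(d) (FIPS_mode() && !((d)->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) && !FIPS_dsa_check(d))`, would let this site read `if(DSA_FIPS_METHOD_BLOCKED(dsa)) return 0;` and keep all three in step. DSA_sign_setup's closing brace is outside the hunk.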
@@ -74,7 +74,8 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
 {
 #ifdef OPENSSL_FIPS
- if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ if(FIPS_mode() && !FIPS_dsa_check(dsa)
+ && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW))
 return -1;
 #endif
 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
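Review bot: In DSA_do_verify the new flag disables FIPS_dsa_check() regardless of which DSA_METHOD is installed, so a key using the built-in method with the flag set is exempted as well, and if FIPS_dsa_check() validates anything beyond method identity (it is not shown in this diff) that is skipped too, which is wider than the "external method" the dsa.h comment promises. Tying the bypass to a method that is actually non-default keeps the built-in implementation under the FIPS check: `if(FIPS_mode() && !FIPS_dsa_check(dsa) && !((dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) && dsa->meth != DSA_OpenSSL())) return -1;`. Whether verification with a non-validated method should be permitted in FIPS mode at all is a policy question the commit message does not address and deserves a sentence there. The function's closing brace is outside the hunk.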