From: Dr. Stephen Henson Date: Thu, 9 Jun 2011 15:21:46 +0000 (+0000) Subject: Redirect DH key and parameter generation. X-Git-Tag: OpenSSL_1_0_1-beta1~254 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ed9b0e5cba9ddc41e7b902d925c5b1b836ada366;p=oweals%2Fopenssl.git Redirect DH key and parameter generation. --- diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h index b6d367bb6a..ea59e610ef 100644 --- a/crypto/dh/dh.h +++ b/crypto/dh/dh.h @@ -247,6 +247,7 @@ void ERR_load_DH_strings(void); #define DH_F_DH_BUILTIN_GENPARAMS 106 #define DH_F_DH_COMPUTE_KEY 114 #define DH_F_DH_GENERATE_KEY 115 +#define DH_F_DH_GENERATE_PARAMETERS_EX 116 #define DH_F_DH_NEW_METHOD 105 #define DH_F_DH_PARAM_DECODE 107 #define DH_F_DH_PRIV_DECODE 110 diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c index 1da2c12cff..56d3df7356 100644 --- a/crypto/dh/dh_err.c +++ b/crypto/dh/dh_err.c @@ -75,6 +75,7 @@ static ERR_STRING_DATA DH_str_functs[]= {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"}, {ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"}, {ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"}, +{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS_EX), "DH_generate_parameters_ex"}, {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"}, {ERR_FUNC(DH_F_DH_PARAM_DECODE), "DH_PARAM_DECODE"}, {ERR_FUNC(DH_F_DH_PRIV_DECODE), "DH_PRIV_DECODE"}, diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index cfd5b11868..7b1fe9c9cb 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -66,12 +66,29 @@ #include #include +#ifdef OPENSSL_FIPS +#include +#endif + static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) + && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) + { + DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); + return 0; + } +#endif if(ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return FIPS_dh_generate_parameters_ex(ret, prime_len, + generator, cb); +#endif return dh_builtin_genparams(ret, prime_len, generator, cb); } diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h index 6a21b2cce2..295470e868 100644 --- a/crypto/dsa/dsa.h +++ b/crypto/dsa/dsa.h @@ -287,6 +287,7 @@ void ERR_load_DSA_strings(void); #define DSA_F_DSAPARAMS_PRINT_FP 101 #define DSA_F_DSA_DO_SIGN 112 #define DSA_F_DSA_DO_VERIFY 113 +#define DSA_F_DSA_GENERATE_KEY 124 #define DSA_F_DSA_GENERATE_PARAMETERS_EX 123 #define DSA_F_DSA_NEW_METHOD 103 #define DSA_F_DSA_PARAM_DECODE 119 diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index bada41fcce..6c49523289 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -76,6 +76,7 @@ static ERR_STRING_DATA DSA_str_functs[]= {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"}, {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"}, {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"}, +{ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"}, {ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX), "DSA_generate_parameters_ex"}, {ERR_FUNC(DSA_F_DSA_NEW_METHOD), "DSA_new_method"}, {ERR_FUNC(DSA_F_DSA_PARAM_DECODE), "DSA_PARAM_DECODE"}, diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index cc73a23724..c398761d0d 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -89,13 +89,14 @@ int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { +#ifdef OPENSSL_FIPS if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) { DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); return 0; } - +#endif if(ret->meth->dsa_paramgen) return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, counter_ret, h_ret, cb); diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index c4aa86bc6d..9cf669b921 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -64,12 +64,28 @@ #include #include +#ifdef OPENSSL_FIPS +#include +#endif + static int dsa_builtin_keygen(DSA *dsa); int DSA_generate_key(DSA *dsa) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) + && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) + { + DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); + return 0; + } +#endif if(dsa->meth->dsa_keygen) return dsa->meth->dsa_keygen(dsa); +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return FIPS_dsa_generate_key(dsa); +#endif return dsa_builtin_keygen(dsa); }