Don't generate DSA keys with key size too small.

author Dr. Stephen Henson <steve@openssl.org>

Sat, 18 Aug 2007 02:36:23 +0000 (02:36 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sat, 18 Aug 2007 02:36:23 +0000 (02:36 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sat, 18 Aug 2007 02:36:23 +0000 (02:36 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sat, 18 Aug 2007 02:36:23 +0000 (02:36 +0000)
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h

index ebf8cd37f73a17cbc4f4d96b6de11f5065ffbf0b..702c50d6dc87d24797796ddf52e7b35b6bb605f6 100644 (file)
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -292,6 +292,7 @@ void ERR_load_DSA_strings(void);
  #define DSA_F_D2I_DSA_SIG                               110
  #define DSA_F_DSAPARAMS_PRINT                           100
  #define DSA_F_DSAPARAMS_PRINT_FP                        101
+#define DSA_F_DSA_BUILTIN_KEYGEN                        119
  #define DSA_F_DSA_BUILTIN_PARAMGEN                      118
  #define DSA_F_DSA_DO_SIGN                               112
  #define DSA_F_DSA_DO_VERIFY                             113
diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c

index aa11046c0a7a95427c780e32a48d17384ee575a6..872839af944b25d037e96f108d91b6beb7beac6e 100644 (file)
--- a/crypto/dsa/dsa_err.c
+++ b/crypto/dsa/dsa_err.c
@@ -73,6 +73,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
  {ERR_FUNC(DSA_F_D2I_DSA_SIG),  "d2i_DSA_SIG"},
  {ERR_FUNC(DSA_F_DSAPARAMS_PRINT),      "DSAparams_print"},
  {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),   "DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN),   "DSA_BUILTIN_KEYGEN"},
  {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "DSA_BUILTIN_PARAMGEN"},
  {ERR_FUNC(DSA_F_DSA_DO_SIGN),  "DSA_do_sign"},
  {ERR_FUNC(DSA_F_DSA_DO_VERIFY),        "DSA_do_verify"},
diff --git a/fips/dsa/fips_dsa_key.c b/fips/dsa/fips_dsa_key.c

index b43b0c181e8d2fb468d0fbfb891e5aa73fdd3fac..1594dcbe6393a81e823ff5ebce73e859c71e3d82 100644 (file)
--- a/fips/dsa/fips_dsa_key.c
+++ b/fips/dsa/fips_dsa_key.c
@@ -101,6 +101,12 @@ static int dsa_builtin_keygen(DSA *dsa)
         BN_CTX *ctx=NULL;
         BIGNUM *pub_key=NULL,*priv_key=NULL;
  
+       if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
+               {
+               DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+               goto err;
+               }
+
         if ((ctx=BN_CTX_new()) == NULL) goto err;
  
         if (dsa->priv_key == NULL)
author	Dr. Stephen Henson <steve@openssl.org>
	Sat, 18 Aug 2007 02:36:23 +0000 (02:36 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sat, 18 Aug 2007 02:36:23 +0000 (02:36 +0000)
crypto/dsa/dsa.h		patch \| blob \| history
crypto/dsa/dsa_err.c		patch \| blob \| history
fips/dsa/fips_dsa_key.c		patch \| blob \| history