mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 12:04:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Make sure overrides work for RSA/DSA.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2011-04-23 21:15:05 +00:00
parent 383bc117bb
commit dc03504d09
6 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/dsaparam.c
View File

@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
char *infile,*outfile,*prog,*inrand=NULL;
int numbits= -1,num,genkey=0;
int need_rand=0;
int non_fips_allow = 0;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
}
else if (strcmp(*argv,"-noout") == 0)
noout=1;
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else if (sscanf(*argv,"%d",&num) == 1)
{
/* generate a key */
@ -297,6 +300,8 @@ bad:
BIO_printf(bio_err,"Error allocating DSA object\n");
goto end;
}
if (non_fips_allow)
dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
BIO_printf(bio_err,"This could take some time\n");
#ifdef GENCB_TEST
@ -326,6 +331,7 @@ bad:
goto end;
}
#endif
ERR_print_errors(bio_err);
BIO_printf(bio_err,"Error, DSA key generation failed\n");
goto end;
}

6
apps/genrsa.c
View File

@ -93,6 +93,7 @@ int MAIN(int argc, char **argv)
ENGINE *e = NULL;
#endif
int ret=1;
int non_fips_allow = 0;
int i,num=DEFBITS;
long l;
const EVP_CIPHER *enc=NULL;
@ -185,6 +186,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
passargout= *(++argv);
}
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else
break;
argv++;
@ -273,6 +276,9 @@ bad:
if (!rsa)
goto err;
if (non_fips_allow)
rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
goto err;

2
crypto/dsa/dsa_lib.c
View File

@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine)
ret->method_mont_p=NULL;
ret->references=1;
ret->flags=ret->meth->flags;
ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
if ((ret->meth->init != NULL) && !ret->meth->init(ret))
{

2
crypto/rsa/rsa.h
View File

@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
/* If this flag is set the RSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
* application sets this flag in its own methods it is its reposibility
* application sets this flag in its own methods it is its responsibility
* to ensure the result is compliant.
*/

12
crypto/rsa/rsa_eay.c
View File

@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
goto err;
}
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
goto err;
}
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto err;
}
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
goto err;
}
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;

2
crypto/rsa/rsa_lib.c
View File

@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine)
ret->blinding=NULL;
ret->mt_blinding=NULL;
ret->bignum_data=NULL;
ret->flags=ret->meth->flags;
ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
{
#ifndef OPENSSL_NO_ENGINE