Skip to content

Commit

Permalink
Make sure overrides work for RSA/DSA.
Browse files Browse the repository at this point in the history
  • Loading branch information
@snhenson
snhenson committed Apr 23, 2011
1 parent 383bc11 commit dc03504
Show file tree
Hide file tree
Showing 6 changed files with 23 additions and 7 deletions.
6 changes: 6 additions & 0 deletions apps/dsaparam.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
char *infile,*outfile,*prog,*inrand=NULL;
int numbits= -1,num,genkey=0;
int need_rand=0;
int non_fips_allow = 0;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
Expand Down Expand Up @@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
}
else if (strcmp(*argv,"-noout") == 0)
noout=1;
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else if (sscanf(*argv,"%d",&num) == 1)
{
/* generate a key */
Expand Down Expand Up @@ -297,6 +300,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,"Error allocating DSA object\n");
goto end;
}
if (non_fips_allow)
dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
BIO_printf(bio_err,"This could take some time\n");
#ifdef GENCB_TEST
Expand Down Expand Up @@ -326,6 +331,7 @@ int MAIN(int argc, char **argv)
goto end;
}
#endif
ERR_print_errors(bio_err);
BIO_printf(bio_err,"Error, DSA key generation failed\n");
goto end;
}
Expand Down
6 changes: 6 additions & 0 deletions apps/genrsa.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ int MAIN(int argc, char **argv)
ENGINE *e = NULL;
#endif
int ret=1;
int non_fips_allow = 0;
int i,num=DEFBITS;
long l;
const EVP_CIPHER *enc=NULL;
Expand Down Expand Up @@ -185,6 +186,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
passargout= *(++argv);
}
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else
break;
argv++;
Expand Down Expand Up @@ -273,6 +276,9 @@ int MAIN(int argc, char **argv)
if (!rsa)
goto err;

if (non_fips_allow)
rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;

if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
goto err;

Expand Down
2 changes: 1 addition & 1 deletion crypto/dsa/dsa_lib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine)
ret->method_mont_p=NULL;

ret->references=1;
ret->flags=ret->meth->flags;
ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
if ((ret->meth->init != NULL) && !ret->meth->init(ret))
{
Expand Down
2 changes: 1 addition & 1 deletion crypto/rsa/rsa.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa);

/* If this flag is set the RSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
* application sets this flag in its own methods it is its reposibility
* application sets this flag in its own methods it is its responsibility
* to ensure the result is compliant.
*/

Expand Down
12 changes: 8 additions & 4 deletions crypto/rsa/rsa_eay.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
goto err;
}

if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
Expand Down Expand Up @@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
goto err;
}

if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
Expand Down Expand Up @@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto err;
}

if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
Expand Down Expand Up @@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
goto err;
}

if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
Expand Down
2 changes: 1 addition & 1 deletion crypto/rsa/rsa_lib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine)
ret->blinding=NULL;
ret->mt_blinding=NULL;
ret->bignum_data=NULL;
ret->flags=ret->meth->flags;
ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
{
#ifndef OPENSSL_NO_ENGINE
Expand Down

0 comments on commit dc03504

Please sign in to comment.