Backport libcrypto audit: check return values of EVP functions instead
[openssl.git] / crypto / rsa / rsa_sign.c
index 0be4ec7fb01f08b04e2e6558fc5a9df80d4c8a7a..2ccadb73d850c193389090c2f88ba22ba268c9b3 100644 (file)
@@ -77,6 +77,14 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
        const unsigned char *s = NULL;
        X509_ALGOR algor;
        ASN1_OCTET_STRING digest;
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+                       && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+               {
+               RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
+               return 0;
+               }
+#endif
        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
                {
                return rsa->meth->rsa_sign(type, m, m_len,
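Review bot: The FIPS gate added at the top of RSA_sign is repeated verbatim in int_rsa_verify (second hunk), differing only in the function code passed to RSAerr, so the two copies of the policy can drift apart over time. A small `static` predicate would keep the condition in one place, for example `return !FIPS_mode() || (rsa->meth->flags & RSA_FLAG_FIPS_METHOD) || (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW);`, with each caller still raising its own RSAerr. The override also deserves a comment, such as `/* In FIPS mode only methods flagged RSA_FLAG_FIPS_METHOD are allowed, unless the key itself carries RSA_FLAG_NON_FIPS_ALLOW. */`, because that per-key flag is what relaxes the restriction. RSA_sign's body continues outside the hunk.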
@@ -153,6 +161,15 @@ int int_rsa_verify(int dtype, const unsigned char *m,
        unsigned char *s;
        X509_SIG *sig=NULL;
 
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+                       && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+               {
+               RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
+               return 0;
+               }
+#endif
+
        if (siglen != (unsigned int)RSA_size(rsa))
                {
                RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
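Review bot: The verify-side gate sits inside int_rsa_verify, whereas RSA_sign places the same check ahead of its `rsa->meth->rsa_sign` delegation, so the two paths may not be covered equally. The public verify entry point is not in this hunk; if it hands off to a method-supplied verify callback under RSA_FLAG_SIGN_VER before calling int_rsa_verify, that path would skip the FIPS method check, and this is worth confirming in the caller. The rejection also returns 0, which appears to be the value used for an ordinary verification failure, so callers that need to tell the two apart must look for RSA_R_NON_FIPS_RSA_METHOD in the error queue. int_rsa_verify's body continues outside the hunk.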