X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fdsa%2Fdsa_key.c;h=c7589873a48628f04ee8ea56d975269e0f883075;hp=5ba885e1e24ef3cc25c2700928279f38192bafe0;hb=a6311f856b9ed7d71460872148a735335338918e;hpb=46a643763de6d8e39ecf6f76fa79b4d04885aa59 diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 5ba885e1e2..c7589873a4 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ +#define OPENSSL_FIPSAPI + #include #include #include "cryptlib.h" @@ -64,6 +66,30 @@ #include #include +#ifdef OPENSSL_FIPS + +#include +#include + +static int fips_check_dsa(DSA *dsa) + { + EVP_PKEY pk; + unsigned char tbs[] = "DSA Pairwise Check Data"; + pk.type = EVP_PKEY_DSA; + pk.pkey.dsa = dsa; + + if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE, + &pk, tbs, -1, NULL, 0, NULL, 0, NULL)) + { + FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); + fips_set_selftest_fail(); + return 0; + } + return 1; + } + +#endif + static int dsa_builtin_keygen(DSA *dsa); int DSA_generate_key(DSA *dsa) @@ -79,6 +105,14 @@ static int dsa_builtin_keygen(DSA *dsa) BN_CTX *ctx=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) + { + DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); + goto err; + } +#endif + if ((ctx=BN_CTX_new()) == NULL) goto err; if (dsa->priv_key == NULL) @@ -105,8 +139,9 @@ static int dsa_builtin_keygen(DSA *dsa) if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { + BN_init(&local_prk); prk = &local_prk; - BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME); + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); } else prk = priv_key; @@ -116,6 +151,14 @@ static int dsa_builtin_keygen(DSA *dsa) dsa->priv_key=priv_key; dsa->pub_key=pub_key; +#ifdef OPENSSL_FIPS + if(!fips_check_dsa(dsa)) + { + dsa->pub_key = NULL; + dsa->priv_key = NULL; + goto err; + } +#endif ok=1; err: