* [including the GNU Public Licence.]
*/
+#define OPENSSL_FIPSAPI
+
#include <stdio.h>
#include <time.h>
#include "cryptlib.h"
#include <openssl/dsa.h>
#include <openssl/rand.h>
+#ifdef OPENSSL_FIPS
+
+#include <openssl/fips.h>
+#include <openssl/evp.h>
+
+static int fips_check_dsa(DSA *dsa)
+ {
+ EVP_PKEY pk;
+ unsigned char tbs[] = "DSA Pairwise Check Data";
+ pk.type = EVP_PKEY_DSA;
+ pk.pkey.dsa = dsa;
+
+ if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE,
+ &pk, tbs, 0, NULL, 0, NULL, 0, NULL))
+ {
+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
+ fips_set_selftest_fail();
+ return 0;
+ }
+ return 1;
+ }
+
+#endif
+
static int dsa_builtin_keygen(DSA *dsa);
int DSA_generate_key(DSA *dsa)
BN_CTX *ctx=NULL;
BIGNUM *pub_key=NULL,*priv_key=NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
+ {
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+ if (!fips_check_dsa_prng(dsa, 0, 0))
+ goto err;
+#endif
+
if ((ctx=BN_CTX_new()) == NULL) goto err;
if (dsa->priv_key == NULL)
dsa->priv_key=priv_key;
dsa->pub_key=pub_key;
+#ifdef OPENSSL_FIPS
+ if(!fips_check_dsa(dsa))
+ {
+ dsa->pub_key = NULL;
+ dsa->priv_key = NULL;
+ goto err;
+ }
+#endif
ok=1;
err: