#include <openssl/bn.h>
#include <openssl/err.h>
-#include "rsa_locl.h"
+#include "rsa_local.h"
int RSA_check_key(const RSA *key)
{
return RSA_check_key_ex(key, NULL);
}
+/*
+ * NOTE: Key validation requires separate checks to be able to be accessed
+ * individually. These should be visible from the PKEY API..
+ * See rsa_sp800_56b_check_public, rsa_sp800_56b_check_private and
+ * rsa_sp800_56b_check_keypair.
+ */
int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
{
+#ifdef FIPS_MODE
+ return rsa_sp800_56b_check_public(key)
+ && rsa_sp800_56b_check_private(key)
+ && rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key));
+#else
BIGNUM *i, *j, *k, *l, *m;
BN_CTX *ctx;
int ret = 1, ex_primes = 0, idx;
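Review bot: The FIPS_MODE branch added to RSA_check_key_ex never uses `cb` and never looks at `key->prime_infos`, whereas the non-FIPS branch passes `cb` to every primality test and walks the extra primes. The comment above the function should say whether the SP 800-56B checks reject a multi-prime key or leave its extra factors unverified on this path, and that the callback is ignored, for example `/* FIPS: cb is unused; multi-prime keys are <rejected|not validated> here */`. The `&&` chain also stops at the first failing check, while the other branch sets `ret = 0` and keeps going, so a caller reading the error queue may see fewer reasons under FIPS. The `-1` passed as the third argument presumably means "no target strength"; a short inline comment would settle that. The function body continues outside this hunk.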
}
/* p prime? */
- if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, cb) != 1) {
+ if (BN_check_prime(key->p, NULL, cb) != 1) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME);
}
/* q prime? */
- if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, cb) != 1) {
+ if (BN_check_prime(key->q, NULL, cb) != 1) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME);
}
/* r_i prime? */
for (idx = 0; idx < ex_primes; idx++) {
pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
- if (BN_is_prime_ex(pinfo->r, BN_prime_checks, NULL, cb) != 1) {
+ if (BN_check_prime(pinfo->r, NULL, cb) != 1) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_R_NOT_PRIME);
}
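Review bot: `BN_check_prime(key->p, NULL, cb) != 1` treats an internal failure the same as a composite value, because BN_check_prime returns -1 on error and only 0 for a composite; the same applies to the q and r_i tests in this hunk. The check still fails closed with `ret = 0`, but the error queue then records RSA_R_P_NOT_PRIME for what may have been an allocation failure, which misleads anyone triaging a rejected key. Either split the cases or document the conflation with a comment such as `/* -1 (internal error) is reported as "not prime" */`. The calls also pass NULL for the BN_CTX although the function holds `ctx`; if it is already allocated at this point (not visible in the hunk), `BN_check_prime(key->p, ctx, cb)` would reuse it. The enclosing function starts and ends outside this hunk.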
BN_free(m);
BN_CTX_free(ctx);
return ret;
+#endif /* FIPS_MODE */
}