Make sure overrides work for RSA/DSA.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 23 Apr 2011 21:15:05 +0000 (21:15 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 23 Apr 2011 21:15:05 +0000 (21:15 +0000)
apps/dsaparam.c
apps/genrsa.c
crypto/dsa/dsa_lib.c
crypto/rsa/rsa.h
crypto/rsa/rsa_eay.c
crypto/rsa/rsa_lib.c

index fe72c1d..deb4aa9 100644 (file)
@@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
        char *infile,*outfile,*prog,*inrand=NULL;
        int numbits= -1,num,genkey=0;
        int need_rand=0;
+       int non_fips_allow = 0;
 #ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
 #endif
@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
                        }
                else if (strcmp(*argv,"-noout") == 0)
                        noout=1;
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow = 1;
                else if (sscanf(*argv,"%d",&num) == 1)
                        {
                        /* generate a key */
@@ -297,6 +300,8 @@ bad:
                        BIO_printf(bio_err,"Error allocating DSA object\n");
                        goto end;
                        }
+               if (non_fips_allow)
+                       dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
                BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
                BIO_printf(bio_err,"This could take some time\n");
 #ifdef GENCB_TEST
@@ -326,6 +331,7 @@ bad:
                                goto end;
                                }
 #endif
+                       ERR_print_errors(bio_err);
                        BIO_printf(bio_err,"Error, DSA key generation failed\n");
                        goto end;
                        }
index 37e9310..2331024 100644 (file)
@@ -93,6 +93,7 @@ int MAIN(int argc, char **argv)
        ENGINE *e = NULL;
 #endif
        int ret=1;
+       int non_fips_allow = 0;
        int i,num=DEFBITS;
        long l;
        const EVP_CIPHER *enc=NULL;
@@ -185,6 +186,8 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        passargout= *(++argv);
                        }
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow = 1;
                else
                        break;
                argv++;
@@ -273,6 +276,9 @@ bad:
        if (!rsa)
                goto err;
 
+       if (non_fips_allow)
+               rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
+
        if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
                goto err;
                
index 12f83ed..c9b25a0 100644 (file)
@@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine)
        ret->method_mont_p=NULL;
 
        ret->references=1;
-       ret->flags=ret->meth->flags;
+       ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                {
index 7174f9c..136cffd 100644 (file)
@@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
 
 /* If this flag is set the RSA method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
- * application sets this flag in its own methods it is its reposibility
+ * application sets this flag in its own methods it is its responsibility
  * to ensure the result is compliant.
  */
 
index d47f64e..bb434d7 100644 (file)
@@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+               && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
                return -1;
@@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+               && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
                return -1;
@@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+               && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
                return -1;
@@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
+       if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+               && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
                {
                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
                return -1;
index 3225570..6e43342 100644 (file)
@@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine)
        ret->blinding=NULL;
        ret->mt_blinding=NULL;
        ret->bignum_data=NULL;
-       ret->flags=ret->meth->flags;
+       ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
        if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
                {
 #ifndef OPENSSL_NO_ENGINE