diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2011-04-23 21:15:05 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2011-04-23 21:15:05 +0000 |
| commit | dc03504d090d7b4754bdd65f50d71d35ecb08390 (patch) | |
| tree | 527d68e4b54d8047fcb76ca6b03057a08244732b | |
| parent | 383bc117bb90377b2cd8667be8b00150917bb5c9 (diff) | |
Make sure overrides work for RSA/DSA.
| -rw-r--r-- | apps/dsaparam.c | 6 | ||||
| -rw-r--r-- | apps/genrsa.c | 6 | ||||
| -rw-r--r-- | crypto/dsa/dsa_lib.c | 2 | ||||
| -rw-r--r-- | crypto/rsa/rsa.h | 2 | ||||
| -rw-r--r-- | crypto/rsa/rsa_eay.c | 12 | ||||
| -rw-r--r-- | crypto/rsa/rsa_lib.c | 2 |
6 files changed, 23 insertions, 7 deletions
diff --git a/apps/dsaparam.c b/apps/dsaparam.c index fe72c1d3df..deb4aa9444 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -118,6 +118,7 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog,*inrand=NULL; int numbits= -1,num,genkey=0; int need_rand=0; + int non_fips_allow = 0; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -195,6 +196,8 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-noout") == 0) noout=1; + else if (strcmp(*argv,"-non-fips-allow") == 0) + non_fips_allow = 1; else if (sscanf(*argv,"%d",&num) == 1) { /* generate a key */ @@ -297,6 +300,8 @@ bad: BIO_printf(bio_err,"Error allocating DSA object\n"); goto end; } + if (non_fips_allow) + dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW; BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num); BIO_printf(bio_err,"This could take some time\n"); #ifdef GENCB_TEST @@ -326,6 +331,7 @@ bad: goto end; } #endif + ERR_print_errors(bio_err); BIO_printf(bio_err,"Error, DSA key generation failed\n"); goto end; } diff --git a/apps/genrsa.c b/apps/genrsa.c index 37e9310910..2331024248 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -93,6 +93,7 @@ int MAIN(int argc, char **argv) ENGINE *e = NULL; #endif int ret=1; + int non_fips_allow = 0; int i,num=DEFBITS; long l; const EVP_CIPHER *enc=NULL; @@ -185,6 +186,8 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } + else if (strcmp(*argv,"-non-fips-allow") == 0) + non_fips_allow = 1; else break; argv++; @@ -273,6 +276,9 @@ bad: if (!rsa) goto err; + if (non_fips_allow) + rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW; + if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) goto err; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 12f83ed848..c9b25a0561 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine) ret->method_mont_p=NULL; ret->references=1; - ret->flags=ret->meth->flags; + ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 7174f9cee8..136cffd93a 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa); /* If this flag is set the RSA method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an - * application sets this flag in its own methods it is its reposibility + * application sets this flag in its own methods it is its responsibility * to ensure the result is compliant. */ diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index d47f64e75d..bb434d7328 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, goto err; } - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); return -1; @@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); return -1; @@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); return -1; @@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, goto err; } - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); return -1; diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 3225570671..6e4334231c 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine) ret->blinding=NULL; ret->mt_blinding=NULL; ret->bignum_data=NULL; - ret->flags=ret->meth->flags; + ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE |