summaryrefslogtreecommitdiffstats
path: root/crypto/rsa/rsa_x931g.c
diff options
context:
space:
mode:
authorDr. Stephen Henson <steve@openssl.org>2011-04-23 19:55:55 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-04-23 19:55:55 +0000
commitcac4fb58e02d8cf799d75212179f56c69e652ec7 (patch)
treed96dd01b03818cc88755fee7fe19d28d3ed9b43e /crypto/rsa/rsa_x931g.c
parent9e5fe439b4e8fb4198f241f2ba16a029a480d5f5 (diff)
Add PRNG security strength checking.
Diffstat (limited to 'crypto/rsa/rsa_x931g.c')
-rw-r--r--crypto/rsa/rsa_x931g.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_x931g.c b/crypto/rsa/rsa_x931g.c
index 1ccd0a1969..819a728954 100644
--- a/crypto/rsa/rsa_x931g.c
+++ b/crypto/rsa/rsa_x931g.c
@@ -210,7 +210,8 @@ int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
BN_CTX *ctx = NULL;
#ifdef OPENSSL_FIPS
- if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
+ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{
FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
return 0;
@@ -227,6 +228,8 @@ int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
return 0;
}
+ if (!fips_check_rsa_prng(rsa, bits))
+ return 0;
#endif
ctx = BN_CTX_new();