authorDr. Stephen Henson <steve@openssl.org>2007-08-13 18:02:52 +0000
committerDr. Stephen Henson <steve@openssl.org>2007-08-13 18:02:52 +0000
commit7f1288da939d17136c2c70af0e3a7d7fe57a07ce (patch)
treee0eefa5bec277c0bf18d9be7bcd1c1954806243e /fips-1.0/dh
parent0a6e92a88ff02bebd04feec58903cbadcacaec15 (diff)
Enforce minimum key sizes in FIPS mode.
Diffstat (limited to 'fips-1.0/dh')
-rw-r--r--fips-1.0/dh/fips_dh_gen.c6
-rw-r--r--fips-1.0/dh/fips_dh_key.c8
2 files changed, 13 insertions, 1 deletions
diff --git a/fips-1.0/dh/fips_dh_gen.c b/fips-1.0/dh/fips_dh_gen.c
index a12423c0e7..3f852f1af9 100644
--- a/fips-1.0/dh/fips_dh_gen.c
+++ b/fips-1.0/dh/fips_dh_gen.c
@@ -115,6 +115,12 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB
return 0;
}
+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+ {
+ DHerr(DH_F_GENERATE_PARAMETERS, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
BN_CTX_start(ctx);
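Review bot: The new size check exits through `goto err` before `ctx=BN_CTX_new()` has run, whereas the guard directly above it in this hunk leaves with `return 0;`. The declaration of ctx and the err label are outside the hunk, so the jump is safe only if ctx is initialised to NULL and the cleanup at err tolerates a NULL context. The following `if (ctx == NULL) goto err;` suggests it does, but using `return 0;` here would not depend on that. A short comment such as `/* FIPS mode: refuse to generate parameters below the approved minimum modulus size */` would also record why the check is conditional on FIPS_mode().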
diff --git a/fips-1.0/dh/fips_dh_key.c b/fips-1.0/dh/fips_dh_key.c
index b30a85f2e4..6c590d0e98 100644
--- a/fips-1.0/dh/fips_dh_key.c
+++ b/fips-1.0/dh/fips_dh_key.c
@@ -194,7 +194,13 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
goto err;
}
-
+
+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+ {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+
if (dh->priv_key == NULL)
{
DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
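Review bot: The minimum-modulus check is added only to compute_key. The diffstat gives fips_dh_key.c 8 changed lines, all of which are in this hunk, so any key-generation path in this file would still accept a dh->p shorter than OPENSSL_DH_FIPS_MIN_MODULUS_BITS in FIPS mode. If that is not intended, the same `if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))` guard belongs there as well. The added error uses `DH_F_COMPUTE_KEY` while the context line after it uses `DH_F_DH_COMPUTE_KEY`; the context line above the change already mixes the two, but it is worth confirming which function code is correct for this routine. compute_key's body starts and ends outside the hunk.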