diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2011-01-26 15:46:26 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2011-01-26 15:46:26 +0000 |
commit | 20818e00fd718d961ce861e384de768be1bca36f (patch) | |
tree | f57cd6232fbb61042ab85e6adfb19088bf1960e4 /crypto/dsa/dsa_gen.c | |
parent | c553721e8ba2a79c9ee14bf17814271ce1f33d9e (diff) | |
download | openssl-20818e00fd718d961ce861e384de768be1bca36f.zip openssl-20818e00fd718d961ce861e384de768be1bca36f.tar.gz openssl-20818e00fd718d961ce861e384de768be1bca36f.tar.bz2 |
FIPS mode DSA changes:
Check for selftest failures.
Pairwise consistency test for RSA key generation.
Use some EVP macros instead of EVP functions.
Use minimal FIPS EVP where needed.
Key size restrictions.
Diffstat (limited to 'crypto/dsa/dsa_gen.c')
-rw-r--r-- | crypto/dsa/dsa_gen.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index e6a5452..8096a15 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -73,12 +73,18 @@ #ifndef OPENSSL_NO_SHA +#define OPENSSL_FIPSEVP + #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> #include <openssl/bn.h> #include <openssl/rand.h> #include <openssl/sha.h> +#ifdef OPENSSL_FIPS +#include <openssl/fips.h> +#endif + #include "dsa_locl.h" int DSA_generate_parameters_ex(DSA *ret, int bits, @@ -127,6 +133,21 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, BN_CTX *ctx=NULL; unsigned int h=2; +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, + FIPS_R_FIPS_SELFTEST_FAILED); + goto err; + } + + if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) + { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); + goto err; + } +#endif + if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && qsize != SHA256_DIGEST_LENGTH) /* invalid q size */ |