Block low level public key signature operations in FIPS mode.

Update self tests for all modes and use EVP. Update pairwise consistency checks.
2007-04-06 00:30:24 +00:00
parent 1729dca9a8
commit a81f337331
24 changed files with 688 additions and 241 deletions
--- a/crypto/rsa/rsa_eng.c
+++ b/crypto/rsa/rsa_eng.c
@@ -80,6 +80,13 @@ RSA *RSA_new(void)

 void RSA_set_default_method(const RSA_METHOD *meth)
 	{
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
+		{
+		RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
+		return;
+		}
+#endif
 	default_RSA_meth = meth;
 	}

@@ -111,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
 	/* NB: The caller is specifically setting a method, so it's not up to us
 	 * to deal with which ENGINE it comes from. */
 	const RSA_METHOD *mtmp;
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
+		{
+		RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
+		return 0;
+		}
+#endif
 	mtmp = rsa->meth;
 	if (mtmp->finish) mtmp->finish(rsa);
 #ifndef OPENSSL_NO_ENGINE
@@ -163,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
 			}
 		}
 #endif
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
+		{
+		RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
+#ifndef OPENSSL_NO_ENGINE
+		if (ret->engine)
+			ENGINE_finish(ret->engine);
+#endif
+		OPENSSL_free(ret);
+		return NULL;
+		}
+#endif

 	ret->pad=0;
 	ret->version=0;