generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make sure overrides work for RSA/DSA.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2011-04-23 21:15:05 +00:00
parent 383bc117bb
commit dc03504d09
6 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/dsaparam.c
View File

@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
char *infile,*outfile,*prog,*inrand=NULL; char *infile,*outfile,*prog,*inrand=NULL;
int numbits= -1,num,genkey=0; int numbits= -1,num,genkey=0;
int need_rand=0; int need_rand=0;
int non_fips_allow = 0;
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
char *engine=NULL; char *engine=NULL;
#endif #endif
@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
} }
else if (strcmp(*argv,"-noout") == 0) else if (strcmp(*argv,"-noout") == 0)
noout=1; noout=1;
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else if (sscanf(*argv,"%d",&num) == 1) else if (sscanf(*argv,"%d",&num) == 1)
{ {
/* generate a key */ /* generate a key */
@ -297,6 +300,8 @@ bad:
BIO_printf(bio_err,"Error allocating DSA object\n"); BIO_printf(bio_err,"Error allocating DSA object\n");
goto end; goto end;
} }
if (non_fips_allow)
dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num); BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
BIO_printf(bio_err,"This could take some time\n"); BIO_printf(bio_err,"This could take some time\n");
#ifdef GENCB_TEST #ifdef GENCB_TEST
@ -326,6 +331,7 @@ bad:
goto end; goto end;
} }
#endif #endif
ERR_print_errors(bio_err);
BIO_printf(bio_err,"Error, DSA key generation failed\n"); BIO_printf(bio_err,"Error, DSA key generation failed\n");
goto end; goto end;
} }

6
apps/genrsa.c
View File

@ -93,6 +93,7 @@ int MAIN(int argc, char **argv)
ENGINE *e = NULL; ENGINE *e = NULL;
#endif #endif
int ret=1; int ret=1;
int non_fips_allow = 0;
int i,num=DEFBITS; int i,num=DEFBITS;
long l; long l;
const EVP_CIPHER *enc=NULL; const EVP_CIPHER *enc=NULL;
@ -185,6 +186,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
passargout= *(++argv); passargout= *(++argv);
} }
else if (strcmp(*argv,"-non-fips-allow") == 0)
non_fips_allow = 1;
else else
break; break;
argv++; argv++;
@ -273,6 +276,9 @@ bad:
if (!rsa) if (!rsa)
goto err; goto err;
if (non_fips_allow)
rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
goto err; goto err;

2
crypto/dsa/dsa_lib.c
View File

@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine)
ret->method_mont_p=NULL; ret->method_mont_p=NULL;
ret->references=1; ret->references=1;
ret->flags=ret->meth->flags; ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) if ((ret->meth->init != NULL) && !ret->meth->init(ret))
{ {

2
crypto/rsa/rsa.h
View File

@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
/* If this flag is set the RSA method is FIPS compliant and can be used /* If this flag is set the RSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an * in FIPS mode. This is set in the validated module method. If an
* application sets this flag in its own methods it is its reposibility * application sets this flag in its own methods it is its responsibility
* to ensure the result is compliant. * to ensure the result is compliant.
*/ */

12
crypto/rsa/rsa_eay.c
View File

@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
goto err; goto err;
} }
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{ {
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1; return -1;
@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
goto err; goto err;
} }
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{ {
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1; return -1;
@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto err; goto err;
} }
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{ {
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1; return -1;
@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
goto err; goto err;
} }
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
{ {
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
return -1; return -1;

2
crypto/rsa/rsa_lib.c
View File

@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine)
ret->blinding=NULL; ret->blinding=NULL;
ret->mt_blinding=NULL; ret->mt_blinding=NULL;
ret->bignum_data=NULL; ret->bignum_data=NULL;
ret->flags=ret->meth->flags; ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
{ {
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE