mirror of https://github.com/openssl/openssl
Make sure overrides work for RSA/DSA.
This commit is contained in:
Dr. Stephen Henson
parent
383bc117bb
commit
dc03504d09
|
|
@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
|
|||
char *infile,*outfile,*prog,*inrand=NULL;
|
||||
int numbits= -1,num,genkey=0;
|
||||
int need_rand=0;
|
||||
int non_fips_allow = 0;
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
char *engine=NULL;
|
||||
#endif
|
||||
|
|
@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
else if (strcmp(*argv,"-noout") == 0)
|
||||
noout=1;
|
||||
else if (strcmp(*argv,"-non-fips-allow") == 0)
|
||||
non_fips_allow = 1;
|
||||
else if (sscanf(*argv,"%d",&num) == 1)
|
||||
{
|
||||
/* generate a key */
|
||||
|
|
@ -297,6 +300,8 @@ bad:
|
|||
BIO_printf(bio_err,"Error allocating DSA object\n");
|
||||
goto end;
|
||||
}
|
||||
if (non_fips_allow)
|
||||
dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
|
||||
BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
|
||||
BIO_printf(bio_err,"This could take some time\n");
|
||||
#ifdef GENCB_TEST
|
||||
|
|
@ -326,6 +331,7 @@ bad:
|
|||
goto end;
|
||||
}
|
||||
#endif
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err,"Error, DSA key generation failed\n");
|
||||
goto end;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -93,6 +93,7 @@ int MAIN(int argc, char **argv)
|
|||
ENGINE *e = NULL;
|
||||
#endif
|
||||
int ret=1;
|
||||
int non_fips_allow = 0;
|
||||
int i,num=DEFBITS;
|
||||
long l;
|
||||
const EVP_CIPHER *enc=NULL;
|
||||
|
|
@ -185,6 +186,8 @@ int MAIN(int argc, char **argv)
|
|||
if (--argc < 1) goto bad;
|
||||
passargout= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-non-fips-allow") == 0)
|
||||
non_fips_allow = 1;
|
||||
else
|
||||
break;
|
||||
argv++;
|
||||
|
|
@ -273,6 +276,9 @@ bad:
|
|||
if (!rsa)
|
||||
goto err;
|
||||
|
||||
if (non_fips_allow)
|
||||
rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
|
||||
|
||||
if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
|
||||
goto err;
|
||||
|
||||
|
|
|
|||
|
|
@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine)
|
|||
ret->method_mont_p=NULL;
|
||||
|
||||
ret->references=1;
|
||||
ret->flags=ret->meth->flags;
|
||||
ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
|
||||
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
|
||||
if ((ret->meth->init != NULL) && !ret->meth->init(ret))
|
||||
{
|
||||
|
|
|
|||
|
|
@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
|
|||
|
||||
/* If this flag is set the RSA method is FIPS compliant and can be used
|
||||
* in FIPS mode. This is set in the validated module method. If an
|
||||
* application sets this flag in its own methods it is its reposibility
|
||||
* application sets this flag in its own methods it is its responsibility
|
||||
* to ensure the result is compliant.
|
||||
*/
|
||||
|
||||
|
|
|
|||
|
|
@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
return -1;
|
||||
|
|
@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
return -1;
|
||||
|
|
@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
return -1;
|
||||
|
|
@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
|
||||
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
return -1;
|
||||
|
|
|
|||
|
|
@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine)
|
|||
ret->blinding=NULL;
|
||||
ret->mt_blinding=NULL;
|
||||
ret->bignum_data=NULL;
|
||||
ret->flags=ret->meth->flags;
|
||||
ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
|
||||
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
|
|
|
|||
Loading…
Reference in New Issue