import openssl-0.9.8j

1 files changed, 22 insertions, 2 deletions

diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 71aabeea1b..5488c06f6d 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -90,6 +90,14 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                 i = SSL_SIG_LENGTH;
                 s = m;
         } else {
+        /* NB: in FIPS mode block anything that isn't a TLS signature */
+#ifdef OPENSSL_FIPS
+                if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                        {
+                        RSAerr(RSA_F_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                        return 0;
+                        }
+#endif
                 sig.algor= &algor;
                 sig.algor->algorithm=OBJ_nid2obj(type);
                 if (sig.algor->algorithm == NULL)
@@ -167,10 +175,22 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                 RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
                 goto err;
                 }
-        if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
+        if(dtype == NID_md5_sha1)
+                {
+                if (m_len != SSL_SIG_LENGTH)
+                        {
                         RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
                         goto err;
-        }
+                        }
+                }
+        /* NB: in FIPS mode block anything that isn't a TLS signature */
+#ifdef OPENSSL_FIPS
+        else if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                {
+                RSAerr(RSA_F_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
         i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
 
         if (i <= 0) goto err;