1 files changed, 24 insertions, 6 deletions

diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index a7e9920efb..b846913004 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -62,7 +62,7 @@
 #include <openssl/dh.h>
 
 /* Check that p is a safe prime and
- * if g is 2, 3 or 5, check that is is a suitable generator
+ * if g is 2, 3 or 5, check that it is a suitable generator
  * where
  * for 2, p mod 24 == 11
  * for 3, p mod 12 == 5
@@ -70,8 +70,6 @@
  * should hold.
  */
 
-#ifndef OPENSSL_FIPS
-
 int DH_check(const DH *dh, int *ret)
         {
         int ok=0;
@@ -106,12 +104,12 @@ int DH_check(const DH *dh, int *ret)
         else
                 *ret|=DH_UNABLE_TO_CHECK_GENERATOR;
 
-        if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
+        if (!BN_is_prime_ex(dh->p,BN_prime_checks,ctx,NULL))
                 *ret|=DH_CHECK_P_NOT_PRIME;
         else
                 {
                 if (!BN_rshift1(q,dh->p)) goto err;
-                if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
+                if (!BN_is_prime_ex(q,BN_prime_checks,ctx,NULL))
                         *ret|=DH_CHECK_P_NOT_SAFE_PRIME;
                 }
         ok=1;
@@ -121,4 +119,24 @@ err:
         return(ok);
         }
 
-#endif
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+        {
+        int ok=0;
+        BIGNUM *q=NULL;
+
+        *ret=0;
+        q=BN_new();
+        if (q == NULL) goto err;
+        BN_set_word(q,1);
+        if (BN_cmp(pub_key,q) <= 0)
+                *ret|=DH_CHECK_PUBKEY_TOO_SMALL;
+        BN_copy(q,dh->p);
+        BN_sub_word(q,1);
+        if (BN_cmp(pub_key,q) >= 0)
+                *ret|=DH_CHECK_PUBKEY_TOO_LARGE;
+
+        ok = 1;
+err:
+        if (q != NULL) BN_free(q);
+        return(ok);
+        }