1 files changed, 31 insertions, 2 deletions
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index e7db440342..89a74db4e6 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -73,11 +73,27 @@ static int dh_finish(DH *dh);
 int DH_generate_key(DH *dh)
        {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+                        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
+                {
+                DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
+                return 0;
+                }
+#endif
        return dh->meth->generate_key(dh);
        }
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
        {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+                        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
+                {
+                DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
+                return 0;
+                }
+#endif
        return dh->meth->compute_key(key, pub_key, dh);
        }
@@ -138,8 +154,21 @@ static int generate_key(DH *dh)
        if (generate_new_key)
                {
-                l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
+                if (dh->q)
-                if (!BN_rand(priv_key, l, 0, 0)) goto err;
+                        {
+                        do
+                                {
+                                if (!BN_rand_range(priv_key, dh->q))
+                                        goto err;
+                                }
+                        while (BN_is_zero(priv_key) || BN_is_one(priv_key));
+                        }
+                else
+                        {
+                        /* secret exponent length */
+                        l = dh->length ? dh->length : BN_num_bits(dh->p)-1;
+                        if (!BN_rand(priv_key, l, 0, 0)) goto err;
+                        }
                }
        {

diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index e7db440342..89a74db4e6 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c
@@ -73,11 +73,27 @@ static int dh_finish(DH *dh);
73		73
74	int DH_generate_key(DH *dh)	74	int DH_generate_key(DH *dh)
75	{	75	{
		76	#ifdef OPENSSL_FIPS
		77	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
		78	&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
		79	{
		80	DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
		81	return 0;
		82	}
		83	#endif
76	return dh->meth->generate_key(dh);	84	return dh->meth->generate_key(dh);
77	}	85	}
78		86
79	int DH_compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)	87	int DH_compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
80	{	88	{
		89	#ifdef OPENSSL_FIPS
		90	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
		91	&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
		92	{
		93	DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
		94	return 0;
		95	}
		96	#endif
81	return dh->meth->compute_key(key, pub_key, dh);	97	return dh->meth->compute_key(key, pub_key, dh);
82	}	98	}
83		99
@@ -138,8 +154,21 @@ static int generate_key(DH *dh)
138		154
139	if (generate_new_key)	155	if (generate_new_key)
140	{	156	{
141	l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */	157	if (dh->q)
142	if (!BN_rand(priv_key, l, 0, 0)) goto err;	158	{
		159	do
		160	{
		161	if (!BN_rand_range(priv_key, dh->q))
		162	goto err;
		163	}
		164	while (BN_is_zero(priv_key) \|\| BN_is_one(priv_key));
		165	}
		166	else
		167	{
		168	/* secret exponent length */
		169	l = dh->length ? dh->length : BN_num_bits(dh->p)-1;
		170	if (!BN_rand(priv_key, l, 0, 0)) goto err;
		171	}
143	}	172	}
144		173
145	{	174	{