1 files changed, 13 insertions, 38 deletions
diff --git a/src/lib/libssl/src/fips/dsa/fips_dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index b5f8cfa1d0..9cf669b921 100644
--- a/src/lib/libssl/src/fips/dsa/fips_dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -58,47 +58,34 @@
 #include <stdio.h>
 #include <time.h>
+#include "cryptlib.h"
 #ifndef OPENSSL_NO_SHA
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/fips.h>
-#include "fips_locl.h"
 #ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-static int fips_dsa_pairwise_fail = 0;
+#endif
-void FIPS_corrupt_dsa_keygen(void)
-        {
-        fips_dsa_pairwise_fail = 1;
-        }
 static int dsa_builtin_keygen(DSA *dsa);
-int fips_check_dsa(DSA *dsa)
+int DSA_generate_key(DSA *dsa)
        {
-        EVP_PKEY pk;
+#ifdef OPENSSL_FIPS
-        unsigned char tbs[] = "DSA Pairwise Check Data";
+        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-        pk.type = EVP_PKEY_DSA;
+                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
-        pk.pkey.dsa = dsa;
-        if (!fips_pkey_signature_test(&pk, tbs, -1,
-                                        NULL, 0, EVP_dss1(), 0, NULL))
                {
-                FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
+                DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
-                fips_set_selftest_fail();
                return 0;
                }
-        return 1;
+#endif
-        }
-int DSA_generate_key(DSA *dsa)
-        {
        if(dsa->meth->dsa_keygen)
                return dsa->meth->dsa_keygen(dsa);
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+                return FIPS_dsa_generate_key(dsa);
+#endif
        return dsa_builtin_keygen(dsa);
        }
@@ -108,12 +95,6 @@ static int dsa_builtin_keygen(DSA *dsa)
        BN_CTX *ctx=NULL;
        BIGNUM *pub_key=NULL,*priv_key=NULL;
-        if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-                {
-                DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-                goto err;
-                }
        if ((ctx=BN_CTX_new()) == NULL) goto err;
        if (dsa->priv_key == NULL)
@@ -152,10 +133,6 @@ static int dsa_builtin_keygen(DSA *dsa)
        dsa->priv_key=priv_key;
        dsa->pub_key=pub_key;
-        if (fips_dsa_pairwise_fail)
-                BN_add_word(dsa->pub_key, 1);
-        if(!fips_check_dsa(dsa))
-            goto err;
        ok=1;
 err:
@@ -165,5 +142,3 @@ err:
        return(ok);
        }
 #endif
-#endif

diff --git a/src/lib/libssl/src/fips/dsa/fips_dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c index b5f8cfa1d0..9cf669b921 100644 --- a/src/lib/libssl/src/fips/dsa/fips_dsa_key.c +++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -58,47 +58,34 @@
58		58
59	#include <stdio.h>	59	#include <stdio.h>
60	#include <time.h>	60	#include <time.h>
		61	#include "cryptlib.h"
61	#ifndef OPENSSL_NO_SHA	62	#ifndef OPENSSL_NO_SHA
62	#include <openssl/bn.h>	63	#include <openssl/bn.h>
63	#include <openssl/dsa.h>	64	#include <openssl/dsa.h>
64	#include <openssl/rand.h>	65	#include <openssl/rand.h>
65	#include <openssl/err.h>
66	#include <openssl/evp.h>
67	#include <openssl/fips.h>
68	#include "fips_locl.h"
69		66
70	#ifdef OPENSSL_FIPS	67	#ifdef OPENSSL_FIPS
71		68	#include <openssl/fips.h>
72	static int fips_dsa_pairwise_fail = 0;	69	#endif
73
74	void FIPS_corrupt_dsa_keygen(void)
75	{
76	fips_dsa_pairwise_fail = 1;
77	}
78		70
79	static int dsa_builtin_keygen(DSA *dsa);	71	static int dsa_builtin_keygen(DSA *dsa);
80		72
81	int fips_check_dsa(DSA *dsa)	73	int DSA_generate_key(DSA *dsa)
82	{	74	{
83	EVP_PKEY pk;	75	#ifdef OPENSSL_FIPS
84	unsigned char tbs[] = "DSA Pairwise Check Data";	76	if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
85	pk.type = EVP_PKEY_DSA;	77	&& !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
86	pk.pkey.dsa = dsa;
87
88	if (!fips_pkey_signature_test(&pk, tbs, -1,
89	NULL, 0, EVP_dss1(), 0, NULL))
90	{	78	{
91	FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);	79	DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
92	fips_set_selftest_fail();
93	return 0;	80	return 0;
94	}	81	}
95	return 1;	82	#endif
96	}
97
98	int DSA_generate_key(DSA *dsa)
99	{
100	if(dsa->meth->dsa_keygen)	83	if(dsa->meth->dsa_keygen)
101	return dsa->meth->dsa_keygen(dsa);	84	return dsa->meth->dsa_keygen(dsa);
		85	#ifdef OPENSSL_FIPS
		86	if (FIPS_mode())
		87	return FIPS_dsa_generate_key(dsa);
		88	#endif
102	return dsa_builtin_keygen(dsa);	89	return dsa_builtin_keygen(dsa);
103	}	90	}
104		91
@@ -108,12 +95,6 @@ static int dsa_builtin_keygen(DSA *dsa)
108	BN_CTX *ctx=NULL;	95	BN_CTX *ctx=NULL;
109	BIGNUM pub_key=NULL,priv_key=NULL;	96	BIGNUM pub_key=NULL,priv_key=NULL;
110		97
111	if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
112	{
113	DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
114	goto err;
115	}
116
117	if ((ctx=BN_CTX_new()) == NULL) goto err;	98	if ((ctx=BN_CTX_new()) == NULL) goto err;
118		99
119	if (dsa->priv_key == NULL)	100	if (dsa->priv_key == NULL)
@@ -152,10 +133,6 @@ static int dsa_builtin_keygen(DSA *dsa)
152		133
153	dsa->priv_key=priv_key;	134	dsa->priv_key=priv_key;
154	dsa->pub_key=pub_key;	135	dsa->pub_key=pub_key;
155	if (fips_dsa_pairwise_fail)
156	BN_add_word(dsa->pub_key, 1);
157	if(!fips_check_dsa(dsa))
158	goto err;
159	ok=1;	136	ok=1;
160		137
161	err:	138	err:
@@ -165,5 +142,3 @@ err:
165	return(ok);	142	return(ok);
166	}	143	}
167	#endif	144	#endif
168
169	#endif