6 files changed, 55 insertions, 18 deletions

diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 9b3baadf2c..225ff391f9 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -81,6 +81,10 @@
 
 #define DSA_FLAG_CACHE_MONT_P   0x01
 
+#if defined(OPENSSL_FIPS)
+#define FIPS_DSA_SIZE_T int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index dc9c249310..e40afeea51 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -80,6 +80,7 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
+#ifndef OPENSSL_FIPS
 DSA *DSA_generate_parameters(int bits,
                 unsigned char *seed_in, int seed_len,
                 int *counter_ret, unsigned long *h_ret,
@@ -127,8 +128,9 @@ DSA *DSA_generate_parameters(int bits,
         c = BN_CTX_get(ctx2);
         p = BN_CTX_get(ctx2);
         test = BN_CTX_get(ctx2);
+        if (test == NULL) goto err;
 
-        BN_lshift(test,BN_value_one(),bits-1);
+        if (!BN_lshift(test,BN_value_one(),bits-1)) goto err;
 
         for (;;)
                 {
@@ -196,7 +198,7 @@ DSA *DSA_generate_parameters(int bits,
                                 callback(0,counter,cb_arg);
 
                         /* step 7 */
-                        BN_zero(W);
+                        if (!BN_zero(W)) goto err;
                         /* now 'buf' contains "SEED + offset - 1" */
                         for (k=0; k<=n; k++)
                                 {
@@ -212,20 +214,20 @@ DSA *DSA_generate_parameters(int bits,
                                 /* step 8 */
                                 if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
                                         goto err;
-                                BN_lshift(r0,r0,160*k);
-                                BN_add(W,W,r0);
+                                if (!BN_lshift(r0,r0,160*k)) goto err;
+                                if (!BN_add(W,W,r0)) goto err;
                                 }
 
                         /* more of step 8 */
-                        BN_mask_bits(W,bits-1);
-                        BN_copy(X,W); /* this should be ok */
-                        BN_add(X,X,test); /* this should be ok */
+                        if (!BN_mask_bits(W,bits-1)) goto err;
+                        if (!BN_copy(X,W)) goto err;
+                        if (!BN_add(X,X,test)) goto err;
 
                         /* step 9 */
-                        BN_lshift1(r0,q);
-                        BN_mod(c,X,r0,ctx);
-                        BN_sub(r0,c,BN_value_one());
-                        BN_sub(p,X,r0);
+                        if (!BN_lshift1(r0,q)) goto err;
+                        if (!BN_mod(c,X,r0,ctx)) goto err;
+                        if (!BN_sub(r0,c,BN_value_one())) goto err;
+                        if (!BN_sub(p,X,r0)) goto err;
 
                         /* step 10 */
                         if (BN_cmp(p,test) >= 0)
@@ -251,18 +253,18 @@ end:
 
         /* We now need to generate g */
         /* Set r0=(p-1)/q */
-        BN_sub(test,p,BN_value_one());
-        BN_div(r0,NULL,test,q,ctx);
+        if (!BN_sub(test,p,BN_value_one())) goto err;
+        if (!BN_div(r0,NULL,test,q,ctx)) goto err;
 
-        BN_set_word(test,h);
-        BN_MONT_CTX_set(mont,p,ctx);
+        if (!BN_set_word(test,h)) goto err;
+        if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
 
         for (;;)
                 {
                 /* g=test^r0%p */
-                BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+                if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
                 if (!BN_is_one(g)) break;
-                BN_add(test,test,BN_value_one());
+                if (!BN_add(test,test,BN_value_one())) goto err;
                 h++;
                 }
 
@@ -279,6 +281,11 @@ err:
                 ret->p=BN_dup(p);
                 ret->q=BN_dup(q);
                 ret->g=BN_dup(g);
+                if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
+                        {
+                        ok=0;
+                        goto err;
+                        }
                 if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
                 if (counter_ret != NULL) *counter_ret=counter;
                 if (h_ret != NULL) *h_ret=h;
@@ -293,4 +300,6 @@ err:
         if (mont != NULL) BN_MONT_CTX_free(mont);
         return(ok?ret:NULL);
         }
-#endif
+#endif /* ndef OPENSSL_FIPS */
+#endif /* ndef OPENSSL_NO_SHA */
+
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index ef87c3e637..30607ca579 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,6 +64,7 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
+#ifndef OPENSSL_FIPS
 int DSA_generate_key(DSA *dsa)
         {
         int ok=0;
@@ -103,3 +104,4 @@ err:
         return(ok);
         }
 #endif
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index b9e7f3ea5c..f1a85afcde 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -65,6 +65,7 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 
+#ifndef OPENSSL_FIPS
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
         return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 89205026f0..3c9753bac3 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -64,9 +64,17 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return NULL;
+#endif
         return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
         }
 
@@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return 0;
+#endif
         return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
         }
 
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index c4aeddd056..8ef0c45025 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -65,10 +65,18 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
 
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return -1;
+#endif
         return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
         }