10 files changed, 196 insertions, 46 deletions

diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile
index 8073c4ecfe..5fef4ca5ad 100644
--- a/src/lib/libcrypto/dsa/Makefile
+++ b/src/lib/libcrypto/dsa/Makefile
@@ -99,8 +99,9 @@ dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dsa_asn1.o: ../../include/openssl/opensslconf.h
 dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_asn1.c
+dsa_asn1.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_asn1.o: ../cryptlib.h dsa_asn1.c
 dsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -189,7 +190,7 @@ dsa_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dsa_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dsa_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_prn.o: ../cryptlib.h dsa_prn.c
-dsa_sign.o: ../../e_os.h ../../include/openssl/bio.h
+dsa_sign.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index ac50a5c846..a6f6d0b0b2 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -97,6 +97,21 @@
                                               * be used for all exponents.
                                               */
 
+/* If this flag is set the DSA method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its reposibility
+ * to ensure the result is compliant.
+ */
+
+#define DSA_FLAG_FIPS_METHOD                    0x0400
+
+/* If this flag is set the operations normally disabled in FIPS mode are
+ * permitted it is then the applications responsibility to ensure that the
+ * usage is compliant.
+ */
+
+#define DSA_FLAG_NON_FIPS_ALLOW                 0x0400
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -272,6 +287,8 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_DSAPARAMS_PRINT_FP                         101
 #define DSA_F_DSA_DO_SIGN                                112
 #define DSA_F_DSA_DO_VERIFY                              113
+#define DSA_F_DSA_GENERATE_KEY                           124
+#define DSA_F_DSA_GENERATE_PARAMETERS_EX                 123
 #define DSA_F_DSA_NEW_METHOD                             103
 #define DSA_F_DSA_PARAM_DECODE                           119
 #define DSA_F_DSA_PRINT_FP                               105
@@ -282,6 +299,7 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_DSA_SIGN                                   106
 #define DSA_F_DSA_SIGN_SETUP                             107
 #define DSA_F_DSA_SIG_NEW                                109
+#define DSA_F_DSA_SIG_PRINT                              125
 #define DSA_F_DSA_VERIFY                                 108
 #define DSA_F_I2D_DSA_SIG                                111
 #define DSA_F_OLD_DSA_PRIV_DECODE                        122
@@ -298,6 +316,8 @@ void ERR_load_DSA_strings(void);
 #define DSA_R_INVALID_DIGEST_TYPE                        106
 #define DSA_R_MISSING_PARAMETERS                         101
 #define DSA_R_MODULUS_TOO_LARGE                          103
+#define DSA_R_NEED_NEW_SETUP_VALUES                      110
+#define DSA_R_NON_FIPS_DSA_METHOD                        111
 #define DSA_R_NO_PARAMETERS_SET                          107
 #define DSA_R_PARAMETER_ENCODING_ERROR                   105
 
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index c37460b2d6..6058534374 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -61,6 +61,7 @@
 #include <openssl/dsa.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
+#include <openssl/rand.h>
 
 /* Override the default new methods */
 static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -87,7 +88,7 @@ ASN1_SEQUENCE_cb(DSA_SIG, sig_cb) = {
         ASN1_SIMPLE(DSA_SIG, s, CBIGNUM)
 } ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG)
 
-IMPLEMENT_ASN1_FUNCTIONS_const(DSA_SIG)
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA_SIG, DSA_SIG, DSA_SIG)
 
 /* Override the default free and new methods */
 static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -148,3 +149,40 @@ DSA *DSAparams_dup(DSA *dsa)
         {
         return ASN1_item_dup(ASN1_ITEM_rptr(DSAparams), dsa);
         }
+
+int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
+             unsigned int *siglen, DSA *dsa)
+        {
+        DSA_SIG *s;
+        RAND_seed(dgst, dlen);
+        s=DSA_do_sign(dgst,dlen,dsa);
+        if (s == NULL)
+                {
+                *siglen=0;
+                return(0);
+                }
+        *siglen=i2d_DSA_SIG(s,&sig);
+        DSA_SIG_free(s);
+        return(1);
+        }
+
+/* data has already been hashed (probably with SHA or SHA-1). */
+/* returns
+ *      1: correct signature
+ *      0: incorrect signature
+ *     -1: error
+ */
+int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
+             const unsigned char *sigbuf, int siglen, DSA *dsa)
+        {
+        DSA_SIG *s;
+        int ret=-1;
+
+        s = DSA_SIG_new();
+        if (s == NULL) return(ret);
+        if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
+        ret=DSA_do_verify(dgst,dgst_len,s,dsa);
+err:
+        DSA_SIG_free(s);
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index bba984e92e..00545b7b9f 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/dsa/dsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -76,6 +76,8 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),    "DSAparams_print_fp"},
 {ERR_FUNC(DSA_F_DSA_DO_SIGN),   "DSA_do_sign"},
 {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_GENERATE_KEY),      "DSA_generate_key"},
+{ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX),    "DSA_generate_parameters_ex"},
 {ERR_FUNC(DSA_F_DSA_NEW_METHOD),        "DSA_new_method"},
 {ERR_FUNC(DSA_F_DSA_PARAM_DECODE),      "DSA_PARAM_DECODE"},
 {ERR_FUNC(DSA_F_DSA_PRINT_FP),  "DSA_print_fp"},
@@ -86,6 +88,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_FUNC(DSA_F_DSA_SIGN),      "DSA_sign"},
 {ERR_FUNC(DSA_F_DSA_SIGN_SETUP),        "DSA_sign_setup"},
 {ERR_FUNC(DSA_F_DSA_SIG_NEW),   "DSA_SIG_new"},
+{ERR_FUNC(DSA_F_DSA_SIG_PRINT), "DSA_SIG_PRINT"},
 {ERR_FUNC(DSA_F_DSA_VERIFY),    "DSA_verify"},
 {ERR_FUNC(DSA_F_I2D_DSA_SIG),   "i2d_DSA_SIG"},
 {ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE),   "OLD_DSA_PRIV_DECODE"},
@@ -105,6 +108,8 @@ static ERR_STRING_DATA DSA_str_reasons[]=
 {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE)   ,"invalid digest type"},
 {ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
+{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
+{ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD)   ,"non fips dsa method"},
 {ERR_REASON(DSA_R_NO_PARAMETERS_SET)     ,"no parameters set"},
 {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
 {0,NULL}
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index cb0b4538a4..c398761d0d 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,13 +81,33 @@
 #include <openssl/sha.h>
 #include "dsa_locl.h"
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 int DSA_generate_parameters_ex(DSA *ret, int bits,
                 const unsigned char *seed_in, int seed_len,
                 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
         {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
+                        && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
+                return 0;
+                }
+#endif
         if(ret->meth->dsa_paramgen)
                 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
                                 counter_ret, h_ret, cb);
+#ifdef OPENSSL_FIPS
+        else if (FIPS_mode())
+                {
+                return FIPS_dsa_generate_parameters_ex(ret, bits, 
+                                                        seed_in, seed_len,
+                                                        counter_ret, h_ret, cb);
+                }
+#endif
         else
                 {
                 const EVP_MD *evpmd;
@@ -105,12 +125,13 @@ int DSA_generate_parameters_ex(DSA *ret, int bits,
                         }
 
                 return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
-                                seed_in, seed_len, counter_ret, h_ret, cb);
+                        seed_in, seed_len, NULL, counter_ret, h_ret, cb);
                 }
         }
 
 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
         const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
+        unsigned char *seed_out,
         int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
         {
         int ok=0;
@@ -201,8 +222,10 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
                                 }
 
                         /* step 2 */
-                        EVP_Digest(seed, qsize, md,   NULL, evpmd, NULL);
-                        EVP_Digest(buf,  qsize, buf2, NULL, evpmd, NULL);
+                        if (!EVP_Digest(seed, qsize, md,   NULL, evpmd, NULL))
+                                goto err;
+                        if (!EVP_Digest(buf,  qsize, buf2, NULL, evpmd, NULL))
+                                goto err;
                         for (i = 0; i < qsize; i++)
                                 md[i]^=buf2[i];
 
@@ -251,7 +274,9 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
                                                 break;
                                         }
 
-                                EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
+                                if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
+                                                                        NULL))
+                                        goto err;
 
                                 /* step 8 */
                                 if (!BN_bin2bn(md, qsize, r0))
@@ -332,6 +357,8 @@ err:
                         }
                 if (counter_ret != NULL) *counter_ret=counter;
                 if (h_ret != NULL) *h_ret=h;
+                if (seed_out)
+                        memcpy(seed_out, seed, qsize);
                 }
         if(ctx)
                 {
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index c4aa86bc6d..9cf669b921 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,12 +64,28 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 static int dsa_builtin_keygen(DSA *dsa);
 
 int DSA_generate_key(DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
+                return 0;
+                }
+#endif
         if(dsa->meth->dsa_keygen)
                 return dsa->meth->dsa_keygen(dsa);
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+                return FIPS_dsa_generate_key(dsa);
+#endif
         return dsa_builtin_keygen(dsa);
         }
 
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index e9b75902db..96d8d0c4b4 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,6 +70,10 @@
 #include <openssl/dh.h>
 #endif
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
 
 static const DSA_METHOD *default_DSA_method = NULL;
@@ -82,7 +86,16 @@ void DSA_set_default_method(const DSA_METHOD *meth)
 const DSA_METHOD *DSA_get_default_method(void)
         {
         if(!default_DSA_method)
+                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        return FIPS_dsa_openssl();
+                else
+                        return DSA_OpenSSL();
+#else
                 default_DSA_method = DSA_OpenSSL();
+#endif
+                }
         return default_DSA_method;
         }
 
@@ -163,7 +176,7 @@ DSA *DSA_new_method(ENGINE *engine)
         ret->method_mont_p=NULL;
 
         ret->references=1;
-        ret->flags=ret->meth->flags;
+        ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
@@ -276,7 +289,8 @@ void *DSA_get_ex_data(DSA *d, int idx)
 DH *DSA_dup_DH(const DSA *r)
         {
         /* DSA has p, q, g, optional pub_key, optional priv_key.
-         * DH has p, optional length, g, optional pub_key, optional priv_key.
+         * DH has p, optional length, g, optional pub_key, optional priv_key,
+         * optional q.
          */ 
 
         DH *ret = NULL;
@@ -290,7 +304,11 @@ DH *DSA_dup_DH(const DSA *r)
                 if ((ret->p = BN_dup(r->p)) == NULL)
                         goto err;
         if (r->q != NULL)
+                {
                 ret->length = BN_num_bits(r->q);
+                if ((ret->q = BN_dup(r->q)) == NULL)
+                        goto err;
+                }
         if (r->g != NULL)
                 if ((ret->g = BN_dup(r->g)) == NULL)
                         goto err;
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index a3ddd7d281..b3d78e524c 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -136,6 +136,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         BN_CTX *ctx=NULL;
         int reason=ERR_R_BN_LIB;
         DSA_SIG *ret=NULL;
+        int noredo = 0;
 
         BN_init(&m);
         BN_init(&xr);
@@ -150,7 +151,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         if (s == NULL) goto err;
         ctx=BN_CTX_new();
         if (ctx == NULL) goto err;
-
+redo:
         if ((dsa->kinv == NULL) || (dsa->r == NULL))
                 {
                 if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
@@ -161,6 +162,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                 dsa->kinv=NULL;
                 r=dsa->r;
                 dsa->r=NULL;
+                noredo = 1;
                 }
 
         
@@ -181,6 +183,18 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 
         ret=DSA_SIG_new();
         if (ret == NULL) goto err;
+        /* Redo if r or s is zero as required by FIPS 186-3: this is
+         * very unlikely.
+         */
+        if (BN_is_zero(r) || BN_is_zero(s))
+                {
+                if (noredo)
+                        {
+                        reason = DSA_R_NEED_NEW_SETUP_VALUES;
+                        goto err;
+                        }
+                goto redo;
+                }
         ret->r = r;
         ret->s = s;
         
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 17555e5892..c3cc3642ce 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -61,30 +61,54 @@
 #include "cryptlib.h"
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
+#include <openssl/bn.h>
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
+                return NULL;
+                }
+#endif
         return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
         }
 
-int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
-             unsigned int *siglen, DSA *dsa)
+int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
-        DSA_SIG *s;
-        RAND_seed(dgst, dlen);
-        s=DSA_do_sign(dgst,dlen,dsa);
-        if (s == NULL)
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
                 {
-                *siglen=0;
-                return(0);
+                DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
+                return 0;
                 }
-        *siglen=i2d_DSA_SIG(s,&sig);
-        DSA_SIG_free(s);
-        return(1);
+#endif
+        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
         }
 
-int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
+DSA_SIG *DSA_SIG_new(void)
         {
-        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
+        DSA_SIG *sig;
+        sig = OPENSSL_malloc(sizeof(DSA_SIG));
+        if (!sig)
+                return NULL;
+        sig->r = NULL;
+        sig->s = NULL;
+        return sig;
+        }
+
+void DSA_SIG_free(DSA_SIG *sig)
+        {
+        if (sig)
+                {
+                if (sig->r)
+                        BN_free(sig->r);
+                if (sig->s)
+                        BN_free(sig->s);
+                OPENSSL_free(sig);
+                }
         }
 
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 226a75ff3f..674cb5fa5f 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,26 +64,13 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+                        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
+                return -1;
+                }
+#endif
         return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
         }
-
-/* data has already been hashed (probably with SHA or SHA-1). */
-/* returns
- *      1: correct signature
- *      0: incorrect signature
- *     -1: error
- */
-int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
-             const unsigned char *sigbuf, int siglen, DSA *dsa)
-        {
-        DSA_SIG *s;
-        int ret=-1;
-
-        s = DSA_SIG_new();
-        if (s == NULL) return(ret);
-        if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
-        ret=DSA_do_verify(dgst,dgst_len,s,dsa);
-err:
-        DSA_SIG_free(s);
-        return(ret);
-        }