1 files changed, 15 insertions, 0 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 767f7ab682..42290cce66 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,6 +67,9 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
@@ -77,8 +80,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 * now just because key-generation is part of RSA_METHOD. */
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+                        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                {
+                RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+                return 0;
+                }
+#endif
        if(rsa->meth->rsa_keygen)
                return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+                return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
+#endif
        return rsa_builtin_keygen(rsa, bits, e_value, cb);
        }

diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index 767f7ab682..42290cce66 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,6 +67,9 @@
67	#include "cryptlib.h"	67	#include "cryptlib.h"
68	#include <openssl/bn.h>	68	#include <openssl/bn.h>
69	#include <openssl/rsa.h>	69	#include <openssl/rsa.h>
		70	#ifdef OPENSSL_FIPS
		71	#include <openssl/fips.h>
		72	#endif
70		73
71	static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb);	74	static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb);
72		75
@@ -77,8 +80,20 @@ static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
77	* now just because key-generation is part of RSA_METHOD. */	80	* now just because key-generation is part of RSA_METHOD. */
78	int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)	81	int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
79	{	82	{
		83	#ifdef OPENSSL_FIPS
		84	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
		85	&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
		86	{
		87	RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
		88	return 0;
		89	}
		90	#endif
80	if(rsa->meth->rsa_keygen)	91	if(rsa->meth->rsa_keygen)
81	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);	92	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
		93	#ifdef OPENSSL_FIPS
		94	if (FIPS_mode())
		95	return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
		96	#endif
82	return rsa_builtin_keygen(rsa, bits, e_value, cb);	97	return rsa_builtin_keygen(rsa, bits, e_value, cb);
83	}	98	}
84		99