13 ani în urmă · dc03504d09
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
 
				 	char *infile,*outfile,*prog,*inrand=NULL;
			
 
				 	int numbits= -1,num,genkey=0;
			
 
				 	int need_rand=0;
			
 
				+	int non_fips_allow = 0;
			
 
				 #ifndef OPENSSL_NO_ENGINE
			
 
				 	char *engine=NULL;
			
 
				 #endif
			
@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
 
				 			}
			
 
				 		else if (strcmp(*argv,"-noout") == 0)
			
 
				 			noout=1;
			
 
				+		else if (strcmp(*argv,"-non-fips-allow") == 0)
			
 
				+			non_fips_allow = 1;
			
 
				 		else if (sscanf(*argv,"%d",&num) == 1)
			
 
				 			{
			
 
				 			/* generate a key */
			
@@ -297,6 +300,8 @@ bad:
 
				 			BIO_printf(bio_err,"Error allocating DSA object\n");
			
 
				 			goto end;
			
 
				 			}
			
 
				+		if (non_fips_allow)
			
 
				+			dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
			
 
				 		BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
			
 
				 	        BIO_printf(bio_err,"This could take some time\n");
			
 
				 #ifdef GENCB_TEST
			
@@ -326,6 +331,7 @@ bad:
 
				 				goto end;
			
 
				 				}
			
 
				 #endif
			
 
				+			ERR_print_errors(bio_err);
			
 
				 			BIO_printf(bio_err,"Error, DSA key generation failed\n");
			
 
				 			goto end;
			
 
				 			}
			
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -93,6 +93,7 @@ int MAIN(int argc, char **argv)
 
				 	ENGINE *e = NULL;
			
 
				 #endif
			
 
				 	int ret=1;
			
 
				+	int non_fips_allow = 0;
			
 
				 	int i,num=DEFBITS;
			
 
				 	long l;
			
 
				 	const EVP_CIPHER *enc=NULL;
			
@@ -185,6 +186,8 @@ int MAIN(int argc, char **argv)
 
				 			if (--argc < 1) goto bad;
			
 
				 			passargout= *(++argv);
			
 
				 			}
			
 
				+		else if (strcmp(*argv,"-non-fips-allow") == 0)
			
 
				+			non_fips_allow = 1;
			
 
				 		else
			
 
				 			break;
			
 
				 		argv++;
			
@@ -273,6 +276,9 @@ bad:
 
				 	if (!rsa)
			
 
				 		goto err;
			
 
				 
			
 
				+	if (non_fips_allow)
			
 
				+		rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
			
 
				+
			
 
				 	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
			
 
				 		goto err;
			
 
				 		
			
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -163,7 +163,7 @@ DSA *DSA_new_method(ENGINE *engine)
 
				 	ret->method_mont_p=NULL;
			
 
				 
			
 
				 	ret->references=1;
			
 
				-	ret->flags=ret->meth->flags;
			
 
				+	ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
			
 
				 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
			
 
				 	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
			
 
				 		{
			
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -458,7 +458,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
 
				 
			
 
				 /* If this flag is set the RSA method is FIPS compliant and can be used
			
 
				  * in FIPS mode. This is set in the validated module method. If an
			
 
				- * application sets this flag in its own methods it is its reposibility
			
 
				+ * application sets this flag in its own methods it is its responsibility
			
 
				  * to ensure the result is compliant.
			
 
				  */
			
 
				 
			
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -170,7 +170,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 
				 		goto err;
			
 
				 		}
			
 
				 
			
 
				-	if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				+	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
			
 
				+		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				 		{
			
 
				 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
			
 
				 		return -1;
			
@@ -381,7 +382,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 
				 		goto err;
			
 
				 		}
			
 
				 
			
 
				-	if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				+	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
			
 
				+		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				 		{
			
 
				 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
			
 
				 		return -1;
			
@@ -528,7 +530,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 
				 		goto err;
			
 
				 		}
			
 
				 
			
 
				-	if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				+	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
			
 
				+		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				 		{
			
 
				 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
			
 
				 		return -1;
			
@@ -671,7 +674,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 
				 		goto err;
			
 
				 		}
			
 
				 
			
 
				-	if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				+	if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
			
 
				+		&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
			
 
				 		{
			
 
				 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
			
 
				 		return -1;
			
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -181,7 +181,7 @@ RSA *RSA_new_method(ENGINE *engine)
 
				 	ret->blinding=NULL;
			
 
				 	ret->mt_blinding=NULL;
			
 
				 	ret->bignum_data=NULL;
			
 
				-	ret->flags=ret->meth->flags;
			
 
				+	ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
			
 
				 	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
			
 
				 		{
			
 
				 #ifndef OPENSSL_NO_ENGINE