diff options
| author | Parménides GV <parmegv@sdf.org> | 2014-06-13 12:13:04 +0200 |
|---|---|---|
| committer | Parménides GV <parmegv@sdf.org> | 2014-06-13 12:13:04 +0200 |
| commit | 3a71bc9e4aa4296f460e2e3c55de74c9852477ad (patch) | |
| tree | f816597a7c4322137f0657e7aa2bf392404d1870 /app/openssl/crypto/dsa/dsa_sign.c | |
| parent | cfe67bfd8260253ce9288225b9e26f666d27133f (diff) | |
| parent | 36247e71df88fa13c6c5a887de3b11d9a883615f (diff) | |
Merge branch 'feature/establish-an-upstream-relationship-with-ics-openvpn-codebase-#5381' into develop
Diffstat (limited to 'app/openssl/crypto/dsa/dsa_sign.c')
| -rw-r--r-- | app/openssl/crypto/dsa/dsa_sign.c | 57 |
1 files changed, 44 insertions, 13 deletions
diff --git a/app/openssl/crypto/dsa/dsa_sign.c b/app/openssl/crypto/dsa/dsa_sign.c index 17555e58..8ace300a 100644 --- a/app/openssl/crypto/dsa/dsa_sign.c +++ b/app/openssl/crypto/dsa/dsa_sign.c @@ -61,30 +61,61 @@ #include "cryptlib.h" #include <openssl/dsa.h> #include <openssl/rand.h> +#include <openssl/bn.h> DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) + && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) + { + DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD); + return NULL; + } +#endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); } -int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, - unsigned int *siglen, DSA *dsa) +int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { - DSA_SIG *s; - RAND_seed(dgst, dlen); - s=DSA_do_sign(dgst,dlen,dsa); - if (s == NULL) +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) + && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { - *siglen=0; - return(0); + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD); + return 0; } - *siglen=i2d_DSA_SIG(s,&sig); - DSA_SIG_free(s); - return(1); +#endif + if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) + { + /* You cannot precompute the DSA nonce if it is required to + * depend on the message. */ + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED); + return 0; + } + return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0); } -int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +DSA_SIG *DSA_SIG_new(void) { - return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); + DSA_SIG *sig; + sig = OPENSSL_malloc(sizeof(DSA_SIG)); + if (!sig) + return NULL; + sig->r = NULL; + sig->s = NULL; + return sig; + } + +void DSA_SIG_free(DSA_SIG *sig) + { + if (sig) + { + if (sig->r) + BN_free(sig->r); + if (sig->s) + BN_free(sig->s); + OPENSSL_free(sig); + } } |