authorShane Lontis <shane.lontis@oracle.com>2018-07-05 09:28:51 +1000
committerMatt Caswell <matt@openssl.org>2019-03-12 12:00:52 +0000
commit8240d5fa6535fb20e24fbe7eadbb3d6452a8d305 (patch)
tree3e785e20a83324c8dab559a5e3da6d533bb82f33 /crypto/rsa/rsa_chk.c
parentd1229190bfbb19439589557e4d65f9bccab09b2d (diff)
FIPS 186-4 RSA Generation & Validation
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6652)
Diffstat (limited to 'crypto/rsa/rsa_chk.c')
-rw-r--r--crypto/rsa/rsa_chk.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c
index 805f998ff2..4f65dfa64b 100644
--- a/crypto/rsa/rsa_chk.c
+++ b/crypto/rsa/rsa_chk.c
@@ -16,8 +16,21 @@ int RSA_check_key(const RSA *key)
return RSA_check_key_ex(key, NULL);
}
+/*
+ * NOTE: Key validation requires separate checks to be able to be accessed
+ * individually. These should be visible from the PKEY API..
+ * See rsa_sp800_56b_check_public, rsa_sp800_56b_check_private and
+ * rsa_sp800_56b_check_keypair.
+ */
int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
{
+#ifdef FIPS_MODE
+ if (!(rsa_sp800_56b_check_public(key)
+ && rsa_sp800_56b_check_private(key)
+ && rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key))
+ return 0;
+
+#else
BIGNUM *i, *j, *k, *l, *m;
BN_CTX *ctx;
int ret = 1, ex_primes = 0, idx;
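Review bot: The `FIPS_MODE` branch added to `RSA_check_key_ex` has unbalanced parentheses and no return on the success path. The `if (!(` condition is still two parentheses short after `RSA_bits(key))`, so a FIPS build should fail to compile here. Once that is closed, a key that passes all three checks falls through to the `#endif` added in the second hunk and the closing brace with no `return`, so callers of this key-validation routine would read an indeterminate value. Returning the conjunction directly fixes both: `return rsa_sp800_56b_check_public(key) && rsa_sp800_56b_check_private(key) && rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key));`. The non-FIPS body of the function continues outside this hunk. `cb` is unused in the FIPS branch, which deserves a short comment saying so.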
@@ -225,4 +238,5 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
BN_free(m);
BN_CTX_free(ctx);
return ret;
+#endif /* FIPS_MODE */
}