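diff --git a/lib/nettle/int/dsa-fips.h b/lib/nettle/int/dsa-fips.h
index 08fac25..82d545e 100644
--- a/lib/nettle/int/dsa-fips.h
+++ b/lib/nettle/int/dsa-fips.h
@@ -80,7 +80,7 @@ int
 _dsa_validate_dss_g(struct dsa_public_key *pub,
 unsigned domain_seed_size, const uint8_t *domain_seed, unsigned index);
 
-unsigned _dsa_check_qp_sizes(unsigned q_bits, unsigned p_bits);
+unsigned _dsa_check_qp_sizes(unsigned q_bits, unsigned p_bits, unsigned generate);
 
 /* The following low-level functions can be used for DH key exchange as well
 */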
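Review bot: The prototype of `_dsa_check_qp_sizes` gains a third argument with no comment explaining it, although in the definition it decides whether FIPS mode rejects `q_bits == 160`. I would document it at the declaration, e.g. `/* generate: non-zero when the sizes are checked for parameter generation; zero when checking existing parameters, in which case FIPS mode does not reject q_bits == 160 */`. The return convention (0 meaning rejected, as the callers test `ret == 0`) could be stated in the same comment.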
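diff --git a/lib/nettle/int/dsa-keygen-fips186.c b/lib/nettle/int/dsa-keygen-fips186.c
index 2712ddb..1ac9441 100644
--- a/lib/nettle/int/dsa-keygen-fips186.c
+++ b/lib/nettle/int/dsa-keygen-fips186.c
@@ -36,11 +36,11 @@
 
 #include <nettle/bignum.h>
 
-unsigned _dsa_check_qp_sizes(unsigned q_bits, unsigned p_bits)
+unsigned _dsa_check_qp_sizes(unsigned q_bits, unsigned p_bits, unsigned generate)
 {
 switch (q_bits) {
 case 160:
- if (_gnutls_fips_mode_enabled() != 0)
+ if (_gnutls_fips_mode_enabled() != 0 && generate != 0)
 return 0;
 
 if (p_bits != 1024)
@@ -77,7 +77,7 @@ _dsa_generate_dss_pq(struct dsa_public_key *pub,
 uint8_t *storage = NULL;
 unsigned storage_length = 0;
 
- ret = _dsa_check_qp_sizes(q_bits, p_bits);
+ ret = _dsa_check_qp_sizes(q_bits, p_bits, 1);
 if (ret == 0) {
 return 0;
 }
@@ -375,7 +375,7 @@ dsa_generate_dss_pqg(struct dsa_public_key *pub,
 uint8_t domain_seed[MAX_PVP_SEED_SIZE*3];
 unsigned domain_seed_size = 0;
 
- ret = _dsa_check_qp_sizes(q_bits, p_bits);
+ ret = _dsa_check_qp_sizes(q_bits, p_bits, 1);
 if (ret == 0)
 return 0;
 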
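Review bot: The relaxed guard under `case 160` makes the FIPS restriction depend on each caller's argument: any caller that passes 0 for `generate` skips the `_gnutls_fips_mode_enabled()` rejection, and the bare literal `1` in `_dsa_generate_dss_pq` and `dsa_generate_dss_pqg` does not say which mode is selected. Named constants would make a wrong value visible in review, for example `ret = _dsa_check_qp_sizes(q_bits, p_bits, DSA_CHECK_GENERATE);` (the name is constructed here, not taken from the tree). A comment above the function explaining why the non-generate path is exempt (presumably so that existing parameters with a 160-bit q can still be checked) would also help. The rest of the switch lies outside the hunk, so I cannot tell whether other `q_bits` cases need the same distinction.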
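diff --git a/lib/nettle/int/dsa-validate.c b/lib/nettle/int/dsa-validate.c
index 3f55755..daa39da 100644
--- a/lib/nettle/int/dsa-validate.c
+++ b/lib/nettle/int/dsa-validate.c
@@ -83,7 +83,7 @@ _dsa_validate_dss_g(struct dsa_public_key *pub,
 p_bits = mpz_sizeinbase(pub->p, 2);
 q_bits = mpz_sizeinbase(pub->q, 2);
 
- ret = _dsa_check_qp_sizes(q_bits, p_bits);
+ ret = _dsa_check_qp_sizes(q_bits, p_bits, 0);
 if (ret == 0) {
 return 0;
 }
@@ -151,7 +151,7 @@ _dsa_validate_dss_pq(struct dsa_public_key *pub,
 p_bits = mpz_sizeinbase(pub->p, 2);
 q_bits = mpz_sizeinbase(pub->q, 2);
 
- ret = _dsa_check_qp_sizes(q_bits, p_bits);
+ ret = _dsa_check_qp_sizes(q_bits, p_bits, 0);
 if (ret == 0) {
 return 0;
 }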
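Review bot: Passing 0 in `_dsa_validate_dss_g` and `_dsa_validate_dss_pq` means that in FIPS mode a successful validation no longer implies the parameters would be accepted for generation, because `q_bits == 160` now passes the size check here. If any caller (not visible in these hunks) validates a parameter set and then generates a key or signs with it, the FIPS size restriction has to be enforced at that point separately. I would add a comment at both calls such as `/* validation only: q_bits == 160 is accepted even in FIPS mode */`. A regression test would also help: with FIPS mode enabled, validating such a set should succeed while generating with the same sizes should still return 0. Both function bodies continue outside the hunks.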