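diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 9017421..ad2b965 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -798,50 +798,53 @@ wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
 return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
 #ifdef ENABLE_FIPS140
- if (algo==GNUTLS_PK_DSA)
- index = 1;
- else
- index = 2;
+ if (_gnutls_fips_mode_enabled() != 0) {
+ if (algo==GNUTLS_PK_DSA)
+ index = 1;
+ else
+ index = 2;
 
- ret =
- dsa_generate_dss_pqg(&pub, &cert,
+ ret =
+ dsa_generate_dss_pqg(&pub, &cert,
 index,
 NULL, rnd_func,
 NULL, NULL,
 level, q_bits);
- if (ret != 1) {
- gnutls_assert();
- ret = GNUTLS_E_PK_GENERATION_ERROR;
- goto dsa_fail;
- }
+ if (ret != 1) {
+ gnutls_assert();
+ ret = GNUTLS_E_PK_GENERATION_ERROR;
+ goto dsa_fail;
+ }
 
- /* verify the generated parameters */
- ret = dsa_validate_dss_pqg(&pub, &cert, index);
- if (ret != 1) {
- gnutls_assert();
- ret = GNUTLS_E_PK_GENERATION_ERROR;
- goto dsa_fail;
- }
-#else
- /* unfortunately nettle only accepts 160 or 256
- * q_bits size. The check below makes sure we handle
- * cases in between by rounding up, but fail when
- * larger numbers are requested. */
- if (q_bits < 160)
- q_bits = 160;
- else if (q_bits > 160 && q_bits <= 256)
- q_bits = 256;
- ret =
- dsa_generate_keypair(&pub, &priv,
+ /* verify the generated parameters */
+ ret = dsa_validate_dss_pqg(&pub, &cert, index);
+ if (ret != 1) {
+ gnutls_assert();
+ ret = GNUTLS_E_PK_GENERATION_ERROR;
+ goto dsa_fail;
+ }
+ } else
+#endif
+ {
+ /* unfortunately nettle only accepts 160 or 256
+ * q_bits size. The check below makes sure we handle
+ * cases in between by rounding up, but fail when
+ * larger numbers are requested. */
+ if (q_bits < 160)
+ q_bits = 160;
+ else if (q_bits > 160 && q_bits <= 256)
+ q_bits = 256;
+ ret =
+ dsa_generate_keypair(&pub, &priv,
 NULL, rnd_func,
 NULL, NULL,
 level, q_bits);
- if (ret != 1) {
- gnutls_assert();
- ret = GNUTLS_E_PK_GENERATION_ERROR;
- goto dsa_fail;
+ if (ret != 1) {
+ gnutls_assert();
+ ret = GNUTLS_E_PK_GENERATION_ERROR;
+ goto dsa_fail;
+ }
 }
-#endif
 
 params->params_nr = 0;
 
@@ -1148,7 +1151,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 switch (algo) {
 case GNUTLS_PK_DSA:
 #ifdef ENABLE_FIPS140
- {
+ if (_gnutls_fips_mode_enabled() != 0) {
 struct dsa_public_key pub;
 struct dsa_private_key priv;
 
@@ -1272,17 +1275,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 rsa_private_key_init(&priv;;
 
 mpz_set_ui(pub.e, 65537);
-#ifdef ENABLE_FIPS140
- ret =
- rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
+
+ if (_gnutls_fips_mode_enabled() != 0) {
+ ret =
+ rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
 rnd_func, NULL, NULL,
 level);
-#else
- ret =
- rsa_generate_keypair(&pub, &priv, NULL,
+ } else {
+ ret =
+ rsa_generate_keypair(&pub, &priv, NULL,
 rnd_func, NULL, NULL,
 level, 0);
-#endif
+ }
 if (ret != 1) {
 gnutls_assert();
 ret = GNUTLS_E_PK_GENERATION_ERROR;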
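Review bot: In the last hunk (the RSA branch of wrap_nettle_pk_generate_keys) the `#ifdef ENABLE_FIPS140` guard is removed outright, whereas both DSA hunks keep it around the new `_gnutls_fips_mode_enabled()` test. A build without ENABLE_FIPS140 therefore references `_gnutls_fips_mode_enabled()` and `rsa_generate_fips186_4_keypair()` unconditionally; whether both are declared and linked in such a build is not visible from this diff, so either confirm that or keep the same shape as the DSA code, with `if (_gnutls_fips_mode_enabled() != 0) { ... } else` inside the `#ifdef` and the non-FIPS block after `#endif`. Because the approved generator is now chosen at run time, a comment above the test such as `/* FIPS140 mode is a run-time switch: use the FIPS 186-4 generator only when it is enabled */` would record that a FIPS-capable build can still take the non-approved path. The enclosing function starts and ends outside the hunk.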