Blame SOURCES/gnutls-3.3.8-keygen-fix.patch

873a72
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
873a72
index 9017421..ad2b965 100644
873a72
--- a/lib/nettle/pk.c
873a72
+++ b/lib/nettle/pk.c
873a72
@@ -798,50 +798,53 @@ wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
873a72
 				return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
873a72
 
873a72
 #ifdef ENABLE_FIPS140
873a72
-			if (algo==GNUTLS_PK_DSA)
873a72
-				index = 1;
873a72
-			else
873a72
-				index = 2;
873a72
+			if (_gnutls_fips_mode_enabled() != 0) {
873a72
+				if (algo==GNUTLS_PK_DSA)
873a72
+					index = 1;
873a72
+				else
873a72
+					index = 2;
873a72
 
873a72
-			ret =
873a72
-			    dsa_generate_dss_pqg(&pub, &cert,
873a72
+				ret =
873a72
+				    dsa_generate_dss_pqg(&pub, &cert,
873a72
 			    			 index,
873a72
 						 NULL, rnd_func, 
873a72
 						 NULL, NULL,
873a72
 						 level, q_bits);
873a72
-			if (ret != 1) {
873a72
-				gnutls_assert();
873a72
-				ret = GNUTLS_E_PK_GENERATION_ERROR;
873a72
-				goto dsa_fail;
873a72
-			}
873a72
+				if (ret != 1) {
873a72
+					gnutls_assert();
873a72
+					ret = GNUTLS_E_PK_GENERATION_ERROR;
873a72
+					goto dsa_fail;
873a72
+				}
873a72
 
873a72
-			/* verify the generated parameters */
873a72
-			ret = dsa_validate_dss_pqg(&pub, &cert, index);
873a72
-			if (ret != 1) {
873a72
-				gnutls_assert();
873a72
-				ret = GNUTLS_E_PK_GENERATION_ERROR;
873a72
-				goto dsa_fail;
873a72
-			}
873a72
-#else
873a72
-			/* unfortunately nettle only accepts 160 or 256
873a72
-			 * q_bits size. The check below makes sure we handle
873a72
-			 * cases in between by rounding up, but fail when
873a72
-			 * larger numbers are requested. */
873a72
-			if (q_bits < 160)
873a72
-				q_bits = 160;
873a72
-			else if (q_bits > 160 && q_bits <= 256)
873a72
-				q_bits = 256;
873a72
-			ret =
873a72
-			    dsa_generate_keypair(&pub, &priv,
873a72
+				/* verify the generated parameters */
873a72
+				ret = dsa_validate_dss_pqg(&pub, &cert, index);
873a72
+				if (ret != 1) {
873a72
+					gnutls_assert();
873a72
+					ret = GNUTLS_E_PK_GENERATION_ERROR;
873a72
+					goto dsa_fail;
873a72
+				}
873a72
+			} else 
873a72
+#endif
873a72
+			{
873a72
+				/* unfortunately nettle only accepts 160 or 256
873a72
+				 * q_bits size. The check below makes sure we handle
873a72
+				 * cases in between by rounding up, but fail when
873a72
+				 * larger numbers are requested. */
873a72
+				if (q_bits < 160)
873a72
+					q_bits = 160;
873a72
+				else if (q_bits > 160 && q_bits <= 256)
873a72
+					q_bits = 256;
873a72
+				ret =
873a72
+				    dsa_generate_keypair(&pub, &priv,
873a72
 						 NULL, rnd_func, 
873a72
 						 NULL, NULL,
873a72
 						 level, q_bits);
873a72
-			if (ret != 1) {
873a72
-				gnutls_assert();
873a72
-				ret = GNUTLS_E_PK_GENERATION_ERROR;
873a72
-				goto dsa_fail;
873a72
+				if (ret != 1) {
873a72
+					gnutls_assert();
873a72
+					ret = GNUTLS_E_PK_GENERATION_ERROR;
873a72
+					goto dsa_fail;
873a72
+				}
873a72
 			}
873a72
-#endif
873a72
 
873a72
 			params->params_nr = 0;
873a72
 
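Review bot: The non-FIPS branch still says it will "fail when larger numbers are requested" for q_bits, but nothing in the new block rejects q_bits > 256; such a value is passed straight to dsa_generate_keypair(), and that branch is now reachable from a FIPS-capable build whenever _gnutls_fips_mode_enabled() returns 0. Add an explicit reject before the rounding, e.g. `if (q_bits > 256) { gnutls_assert(); ret = GNUTLS_E_ILLEGAL_PARAMETER; goto dsa_fail; }`, so the outcome does not depend on whatever nettle happens to do with an unsupported size. Note also that only the FIPS branch runs dsa_validate_dss_pqg() on what it generated; if the non-FIPS branch is meant to skip that check deliberately, a one-line comment saying so would help, since the `} else` / `#endif` / `{` construction already makes this block hard to read. wrap_nettle_pk_generate_params() starts and ends outside the hunk.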
873a72
@@ -1148,7 +1151,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
873a72
 	switch (algo) {
873a72
 	case GNUTLS_PK_DSA:
873a72
 #ifdef ENABLE_FIPS140
873a72
-		{
873a72
+		if (_gnutls_fips_mode_enabled() != 0) {
873a72
 			struct dsa_public_key pub;
873a72
 			struct dsa_private_key priv;
873a72
 
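Review bot: The `{` under `#ifdef ENABLE_FIPS140` becomes `if (_gnutls_fips_mode_enabled() != 0) {`, but the hunk shows no `else`; if the rest of the DSA case still selects the non-FIPS generator with a preprocessor `#else` (as the RSA case did before this patch), a FIPS-enabled build running with FIPS mode off at runtime would enter neither generator and leave the key unpopulated. The DSA case body continues outside the hunk, so this cannot be confirmed here; the fix, if needed, is the same shape used in the RSA hunk, `} else` placed before `#endif` followed by a braced non-FIPS block, and a comment such as `/* FIPS build with FIPS mode disabled at runtime falls through to the plain generator */` on the `if` would document the intent.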
873a72
@@ -1272,17 +1275,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
873a72
 			rsa_private_key_init(&priv;;
873a72
 
873a72
 			mpz_set_ui(pub.e, 65537);
873a72
-#ifdef ENABLE_FIPS140
873a72
-			ret =
873a72
-			    rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
873a72
+
873a72
+			if (_gnutls_fips_mode_enabled() != 0) {
873a72
+				ret =
873a72
+				    rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
873a72
 						 rnd_func, NULL, NULL,
873a72
 						 level);
873a72
-#else
873a72
-			ret =
873a72
-			    rsa_generate_keypair(&pub, &priv, NULL,
873a72
+			} else {
873a72
+				ret =
873a72
+				    rsa_generate_keypair(&pub, &priv, NULL,
873a72
 						 rnd_func, NULL, NULL,
873a72
 						 level, 0);
873a72
-#endif
873a72
+			}
873a72
 			if (ret != 1) {
873a72
 				gnutls_assert();
873a72
 				ret = GNUTLS_E_PK_GENERATION_ERROR;
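Review bot: The `#ifdef ENABLE_FIPS140` around the RSA generator is dropped entirely, so `_gnutls_fips_mode_enabled()` and `rsa_generate_fips186_4_keypair()` are now referenced in every build, whereas the two DSA hunks in this same patch keep the guard and only add the runtime check inside it. Unless both symbols are provided when ENABLE_FIPS140 is undefined, a non-FIPS build of this file no longer compiles; either keep the guard here in the `#ifdef ... } else #endif {` form the DSA hunk uses, or add a comment on the `if` stating that the FIPS-mode check and the FIPS 186-4 generator are available unconditionally. The continuation lines `rnd_func, NULL, NULL,` and `level);` / `level, 0);` were not re-indented with the calls they belong to. wrap_nettle_pk_generate_keys() starts and ends outside the hunk.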