FIPS DH changes: selftest checks and key range checks.

all:	lib

lib:	$(LIBOBJ)

	$(AR) $(LIB) $(LIBOBJ)

	$(ARX) $(LIB) $(LIBOBJ)

	$(RANLIB) $(LIB) || echo Never mind.

	@touch lib

# define OPENSSL_DH_MAX_MODULUS_BITS	10000

#endif

#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024

#define DH_FLAG_CACHE_MONT_P     0x01

#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH

                                       * implementation now uses constant time

const DH_METHOD *DH_OpenSSL(void);

#ifdef OPENSSL_FIPS

DH *	FIPS_dh_new(void);

void	FIPS_dh_free(DH *dh);

#endif

void DH_set_default_method(const DH_METHOD *meth);

const DH_METHOD *DH_get_default_method(void);

int DH_set_method(DH *dh, const DH_METHOD *meth);

#define DH_R_DECODE_ERROR				 104

#define DH_R_INVALID_PUBKEY				 102

#define DH_R_KEYS_NOT_SET				 108

#define DH_R_KEY_SIZE_TOO_SMALL				 110

#define DH_R_MODULUS_TOO_LARGE				 103

#define DH_R_NO_PARAMETERS_SET				 107

#define DH_R_NO_PRIVATE_VALUE				 100

/* crypto/dh/dh_err.c */

/* ====================================================================

 * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.

 * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

{ERR_REASON(DH_R_DECODE_ERROR)           ,"decode error"},

{ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},

{ERR_REASON(DH_R_KEYS_NOT_SET)           ,"keys not set"},

{ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL)     ,"key size too small"},

{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},

{ERR_REASON(DH_R_NO_PARAMETERS_SET)      ,"no parameters set"},

{ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},

#include "cryptlib.h"

#include <openssl/bn.h>

#include <openssl/dh.h>

#ifdef OPENSSL_FIPS

#include <openssl/fips.h>

#endif

static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);

	int g,ok= -1;

	BN_CTX *ctx=NULL;

#ifdef OPENSSL_FIPS

	if(FIPS_selftest_failed())

		{

		FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);

		return 0;

		}

	if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))

		{

		DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);

		goto err;

		}

#endif

	ctx=BN_CTX_new();

	if (ctx == NULL) goto err;

	BN_CTX_start(ctx);

#include <openssl/bn.h>

#include <openssl/rand.h>

#include <openssl/dh.h>

#ifdef OPENSSL_FIPS

#include <openssl/fips.h>

#endif

static int generate_key(DH *dh);

static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);

	BN_MONT_CTX *mont=NULL;

	BIGNUM *pub_key=NULL,*priv_key=NULL;

#ifdef OPENSSL_FIPS

	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))

		{

		DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);

		return 0;

		}

#endif

	ctx = BN_CTX_new();

	if (ctx == NULL) goto err;

		goto err;

		}

#ifdef OPENSSL_FIPS

	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))

		{

		DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);

		goto err;

		}

#endif

	ctx = BN_CTX_new();

	if (ctx == NULL) goto err;

	BN_CTX_start(ctx);

static int dh_init(DH *dh)

	{

#ifdef OPENSSL_FIPS

	FIPS_selftest_check();

#endif

	dh->flags |= DH_FLAG_CACHE_MONT_P;

	return(1);

	}