FIPS DH changes: selftest checks and key range checks.

1 files changed, 22 insertions, 0 deletions

diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index e7db440342..99c722bf03 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -61,6 +61,9 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/dh.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
@@ -107,6 +110,14 @@ static int generate_key(DH *dh)
 	BN_MONT_CTX *mont=NULL;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
 
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+		{
+		DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+		return 0;
+		}
+#endif
+
 	ctx = BN_CTX_new();
 	if (ctx == NULL) goto err;
 
@@ -185,6 +196,14 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 		goto err;
 		}
 
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+		{
+		DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+		goto err;
+		}
+#endif
+
 	ctx = BN_CTX_new();
 	if (ctx == NULL) goto err;
 	BN_CTX_start(ctx);
@@ -251,6 +270,9 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 
 static int dh_init(DH *dh)
 	{
+#ifdef OPENSSL_FIPS
+	FIPS_selftest_check();
+#endif
 	dh->flags |= DH_FLAG_CACHE_MONT_P;
 	return(1);
 	}