21615321 FIPS validated RSA keygen should be called by default when FIPS mode is enabled
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Thu, 13 Aug 2015 09:08:19 -0700
changeset 4774 dbddfc4fa8f1
parent 4773 66779b2d691b
child 4775 3eeb991f0795
21615321 FIPS validated RSA keygen should be called by default when FIPS mode is enabled
components/openssl/common/patches/042-default_fips_keygen.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/042-default_fips_keygen.patch	Thu Aug 13 09:08:19 2015 -0700
@@ -0,0 +1,27 @@
+#
+# This patch came from the upstream to use x9.31 keygen by default in
+# the FIPS mode. This will be available in the next release.
+#
+--- openssl-1.0.1p/crypto/rsa/rsa_gen.c.orig    Tue Aug 11 10:47:51 2015
++++ openssl-1.0.1p/crypto/rsa/rsa_gen.c Tue Aug 11 10:56:07 2015
[email protected]@ -69,6 +69,8 @@
+ #include <openssl/rsa.h>
+ #ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
++extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
++                                         BN_GENCB *cb);
+ #endif
+ 
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
[email protected]@ -93,8 +95,9 @@
+     if (rsa->meth->rsa_keygen)
+         return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+ #ifdef OPENSSL_FIPS
+-    if (FIPS_mode())
+-        return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
++    if (FIPS_mode()) {
++        return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
++    }
+ #endif
+     return rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }