Don't generate DSA keys with key size too small.

3 files changed, 8 insertions, 0 deletions

diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index ebf8cd37f7..702c50d6dc 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -292,6 +292,7 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_D2I_DSA_SIG				 110
 #define DSA_F_DSAPARAMS_PRINT				 100
 #define DSA_F_DSAPARAMS_PRINT_FP			 101
+#define DSA_F_DSA_BUILTIN_KEYGEN			 119
 #define DSA_F_DSA_BUILTIN_PARAMGEN			 118
 #define DSA_F_DSA_DO_SIGN				 112
 #define DSA_F_DSA_DO_VERIFY				 113
diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c
index aa11046c0a..872839af94 100644
--- a/crypto/dsa/dsa_err.c
+++ b/crypto/dsa/dsa_err.c
@@ -73,6 +73,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_FUNC(DSA_F_D2I_DSA_SIG),	"d2i_DSA_SIG"},
 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT),	"DSAparams_print"},
 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),	"DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN),	"DSA_BUILTIN_KEYGEN"},
 {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN),	"DSA_BUILTIN_PARAMGEN"},
 {ERR_FUNC(DSA_F_DSA_DO_SIGN),	"DSA_do_sign"},
 {ERR_FUNC(DSA_F_DSA_DO_VERIFY),	"DSA_do_verify"},
diff --git a/fips/dsa/fips_dsa_key.c b/fips/dsa/fips_dsa_key.c
index b43b0c181e..1594dcbe63 100644
--- a/fips/dsa/fips_dsa_key.c
+++ b/fips/dsa/fips_dsa_key.c
@@ -101,6 +101,12 @@ static int dsa_builtin_keygen(DSA *dsa)
 	BN_CTX *ctx=NULL;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
 
+	if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
+		{
+		DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+		goto err;
+		}
+
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
 
 	if (dsa->priv_key == NULL)