Check fips method flags for ECDH, ECDSA.

[openssl.git] / crypto / ecdh / ech_lib.c

diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c
index 49c0e41d1405293d10ea29a04a2dc792df0b93d0..568392bdd406c380c0588123b6b02a3eb2b78484 100644 (file)
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -225,6 +225,14 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
        }
        else
                ecdh_data = (ECDH_DATA *)data;
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
+                       && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
+               {
+               ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD);
+               return NULL;
+               }
+#endif
        
 
        return ecdh_data;