projects
/
openssl.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
e6b88d0
)
Check fips method flags for ECDH, ECDSA.
author
Dr. Stephen Henson
<steve@openssl.org>
Wed, 8 Jun 2011 14:01:00 +0000
(14:01 +0000)
committer
Dr. Stephen Henson
<steve@openssl.org>
Wed, 8 Jun 2011 14:01:00 +0000
(14:01 +0000)
crypto/ecdh/ecdh.h
patch
|
blob
|
history
crypto/ecdh/ech_err.c
patch
|
blob
|
history
crypto/ecdh/ech_lib.c
patch
|
blob
|
history
crypto/ecdh/ech_locl.h
patch
|
blob
|
history
crypto/ecdsa/ecdsa.h
patch
|
blob
|
history
crypto/ecdsa/ecs_err.c
patch
|
blob
|
history
crypto/ecdsa/ecs_lib.c
patch
|
blob
|
history
crypto/ecdsa/ecs_locl.h
patch
|
blob
|
history
diff --git
a/crypto/ecdh/ecdh.h
b/crypto/ecdh/ecdh.h
index b4b58ee65ba2caee7a968e7a8d7070ea9d94ea01..8887102c0b56ebb9771ca491115db9d0488898fa 100644
(file)
--- a/
crypto/ecdh/ecdh.h
+++ b/
crypto/ecdh/ecdh.h
@@
-109,11
+109,13
@@
void ERR_load_ECDH_strings(void);
/* Error codes for the ECDH functions. */
/* Function codes. */
/* Error codes for the ECDH functions. */
/* Function codes. */
+#define ECDH_F_ECDH_CHECK 102
#define ECDH_F_ECDH_COMPUTE_KEY 100
#define ECDH_F_ECDH_DATA_NEW_METHOD 101
/* Reason codes. */
#define ECDH_R_KDF_FAILED 102
#define ECDH_F_ECDH_COMPUTE_KEY 100
#define ECDH_F_ECDH_DATA_NEW_METHOD 101
/* Reason codes. */
#define ECDH_R_KDF_FAILED 102
+#define ECDH_R_NON_FIPS_METHOD 103
#define ECDH_R_NO_PRIVATE_VALUE 100
#define ECDH_R_POINT_ARITHMETIC_FAILURE 101
#define ECDH_R_NO_PRIVATE_VALUE 100
#define ECDH_R_POINT_ARITHMETIC_FAILURE 101
diff --git
a/crypto/ecdh/ech_err.c
b/crypto/ecdh/ech_err.c
index 6f4b0c99536340a30e21230810204cac0519febd..3bd247398db56c9aba4256c96c5782ef1d737857 100644
(file)
--- a/
crypto/ecdh/ech_err.c
+++ b/
crypto/ecdh/ech_err.c
@@
-1,6
+1,6
@@
/* crypto/ecdh/ech_err.c */
/* ====================================================================
/* crypto/ecdh/ech_err.c */
/* ====================================================================
- * Copyright (c) 1999-20
06
The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-20
11
The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@
-70,6
+70,7
@@
static ERR_STRING_DATA ECDH_str_functs[]=
{
static ERR_STRING_DATA ECDH_str_functs[]=
{
+{ERR_FUNC(ECDH_F_ECDH_CHECK), "ECDH_CHECK"},
{ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"},
{0,NULL}
{ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"},
{0,NULL}
@@
-78,6
+79,7
@@
static ERR_STRING_DATA ECDH_str_functs[]=
static ERR_STRING_DATA ECDH_str_reasons[]=
{
{ERR_REASON(ECDH_R_KDF_FAILED) ,"KDF failed"},
static ERR_STRING_DATA ECDH_str_reasons[]=
{
{ERR_REASON(ECDH_R_KDF_FAILED) ,"KDF failed"},
+{ERR_REASON(ECDH_R_NON_FIPS_METHOD) ,"non fips method"},
{ERR_REASON(ECDH_R_NO_PRIVATE_VALUE) ,"no private value"},
{ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE),"point arithmetic failure"},
{0,NULL}
{ERR_REASON(ECDH_R_NO_PRIVATE_VALUE) ,"no private value"},
{ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE),"point arithmetic failure"},
{0,NULL}
diff --git
a/crypto/ecdh/ech_lib.c
b/crypto/ecdh/ech_lib.c
index 49c0e41d1405293d10ea29a04a2dc792df0b93d0..568392bdd406c380c0588123b6b02a3eb2b78484 100644
(file)
--- a/
crypto/ecdh/ech_lib.c
+++ b/
crypto/ecdh/ech_lib.c
@@
-225,6
+225,14
@@
ECDH_DATA *ecdh_check(EC_KEY *key)
}
else
ecdh_data = (ECDH_DATA *)data;
}
else
ecdh_data = (ECDH_DATA *)data;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
+ && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
+ {
+ ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD);
+ return NULL;
+ }
+#endif
return ecdh_data;
return ecdh_data;
diff --git
a/crypto/ecdh/ech_locl.h
b/crypto/ecdh/ech_locl.h
index f658526a7e3a86545da3f28f8cd041016872aa5d..f6cad6a894bc91d2fcaab02b3bc680fcd0c4f137 100644
(file)
--- a/
crypto/ecdh/ech_locl.h
+++ b/
crypto/ecdh/ech_locl.h
@@
-75,6
+75,14
@@
struct ecdh_method
char *app_data;
};
char *app_data;
};
+/* If this flag is set the ECDH method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its responsibility
+ * to ensure the result is compliant.
+ */
+
+#define ECDH_FLAG_FIPS_METHOD 0x1
+
typedef struct ecdh_data_st {
/* EC_KEY_METH_DATA part */
int (*init)(EC_KEY *);
typedef struct ecdh_data_st {
/* EC_KEY_METH_DATA part */
int (*init)(EC_KEY *);
diff --git
a/crypto/ecdsa/ecdsa.h
b/crypto/ecdsa/ecdsa.h
index e61c539812ae8595cf595dd38a70c8347648dbd0..7fb5254b62e61f2bd6a1002140b0d34a1dc8d938 100644
(file)
--- a/
crypto/ecdsa/ecdsa.h
+++ b/
crypto/ecdsa/ecdsa.h
@@
-238,6
+238,7
@@
void ERR_load_ECDSA_strings(void);
/* Error codes for the ECDSA functions. */
/* Function codes. */
/* Error codes for the ECDSA functions. */
/* Function codes. */
+#define ECDSA_F_ECDSA_CHECK 104
#define ECDSA_F_ECDSA_DATA_NEW_METHOD 100
#define ECDSA_F_ECDSA_DO_SIGN 101
#define ECDSA_F_ECDSA_DO_VERIFY 102
#define ECDSA_F_ECDSA_DATA_NEW_METHOD 100
#define ECDSA_F_ECDSA_DO_SIGN 101
#define ECDSA_F_ECDSA_DO_VERIFY 102
@@
-249,6
+250,7
@@
void ERR_load_ECDSA_strings(void);
#define ECDSA_R_ERR_EC_LIB 102
#define ECDSA_R_MISSING_PARAMETERS 103
#define ECDSA_R_NEED_NEW_SETUP_VALUES 106
#define ECDSA_R_ERR_EC_LIB 102
#define ECDSA_R_MISSING_PARAMETERS 103
#define ECDSA_R_NEED_NEW_SETUP_VALUES 106
+#define ECDSA_R_NON_FIPS_METHOD 107
#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104
#define ECDSA_R_SIGNATURE_MALLOC_FAILED 105
#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104
#define ECDSA_R_SIGNATURE_MALLOC_FAILED 105
diff --git
a/crypto/ecdsa/ecs_err.c
b/crypto/ecdsa/ecs_err.c
index 98e38d537f24c57714de613304a3cb954ba0d08b..81542e6d15394939f98f03974d0374e3d68a1441 100644
(file)
--- a/
crypto/ecdsa/ecs_err.c
+++ b/
crypto/ecdsa/ecs_err.c
@@
-1,6
+1,6
@@
/* crypto/ecdsa/ecs_err.c */
/* ====================================================================
/* crypto/ecdsa/ecs_err.c */
/* ====================================================================
- * Copyright (c) 1999-20
06
The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-20
11
The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@
-70,6
+70,7
@@
static ERR_STRING_DATA ECDSA_str_functs[]=
{
static ERR_STRING_DATA ECDSA_str_functs[]=
{
+{ERR_FUNC(ECDSA_F_ECDSA_CHECK), "ECDSA_CHECK"},
{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_NEW_METHOD"},
{ERR_FUNC(ECDSA_F_ECDSA_DO_SIGN), "ECDSA_do_sign"},
{ERR_FUNC(ECDSA_F_ECDSA_DO_VERIFY), "ECDSA_do_verify"},
{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_NEW_METHOD"},
{ERR_FUNC(ECDSA_F_ECDSA_DO_SIGN), "ECDSA_do_sign"},
{ERR_FUNC(ECDSA_F_ECDSA_DO_VERIFY), "ECDSA_do_verify"},
@@
-84,6
+85,7
@@
static ERR_STRING_DATA ECDSA_str_reasons[]=
{ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"},
{ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"},
{ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"},
{ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"},
+{ERR_REASON(ECDSA_R_NON_FIPS_METHOD) ,"non fips method"},
{ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"},
{ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"},
{0,NULL}
{ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"},
{ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"},
{0,NULL}
diff --git
a/crypto/ecdsa/ecs_lib.c
b/crypto/ecdsa/ecs_lib.c
index 0c5b17a52703e3d50b9b8918a3dc0fae01db4fd2..65aca01767b4bf80b4bad7112bdf5ef33b87de96 100644
(file)
--- a/
crypto/ecdsa/ecs_lib.c
+++ b/
crypto/ecdsa/ecs_lib.c
@@
-203,7
+203,14
@@
ECDSA_DATA *ecdsa_check(EC_KEY *key)
}
else
ecdsa_data = (ECDSA_DATA *)data;
}
else
ecdsa_data = (ECDSA_DATA *)data;
-
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD)
+ && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
+ {
+ ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD);
+ return NULL;
+ }
+#endif
return ecdsa_data;
}
return ecdsa_data;
}
diff --git
a/crypto/ecdsa/ecs_locl.h
b/crypto/ecdsa/ecs_locl.h
index 3a69a840e21176529b511a2e4ca302d70267cbda..cb3be13cfc307025266aff78f47099ff0b5c7971 100644
(file)
--- a/
crypto/ecdsa/ecs_locl.h
+++ b/
crypto/ecdsa/ecs_locl.h
@@
-82,6
+82,14
@@
struct ecdsa_method
char *app_data;
};
char *app_data;
};
+/* If this flag is set the ECDSA method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its responsibility
+ * to ensure the result is compliant.
+ */
+
+#define ECDSA_FLAG_FIPS_METHOD 0x1
+
typedef struct ecdsa_data_st {
/* EC_KEY_METH_DATA part */
int (*init)(EC_KEY *);
typedef struct ecdsa_data_st {
/* EC_KEY_METH_DATA part */
int (*init)(EC_KEY *);