From: Dr. Stephen Henson Date: Sat, 22 Oct 2011 17:24:27 +0000 (+0000) Subject: Check for selftest failure in various places. X-Git-Tag: OpenSSL-fips-2_0-rc1~10 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5fd722600b3c53f31900442b9a0f9d0ce7dfc629 Check for selftest failure in various places. --- diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index ef22737b0e..f3331e1ce5 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -306,6 +306,14 @@ int EC_KEY_generate_key(EC_KEY *eckey) BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } +#endif + if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c index f93dfcb4f7..94a8f4b696 100644 --- a/crypto/ecdh/ech_ossl.c +++ b/crypto/ecdh/ech_ossl.c @@ -119,6 +119,14 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, size_t buflen, len; unsigned char *buf=NULL; +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_ECDH_COMPUTE_KEY,FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } +#endif + if (outlen > INT_MAX) { ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */ diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index acdeea83d4..8336bceb67 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -238,6 +238,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSA_DATA *ecdsa; const BIGNUM *priv_key; +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } +#endif + ecdsa = ecdsa_check(eckey); group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); @@ -373,6 +381,14 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const EC_GROUP *group; const EC_POINT *pub_key; +#ifdef OPENSSL_FIPS + if(FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } +#endif + /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) diff --git a/crypto/fips_err.h b/crypto/fips_err.h index c671691b47..ec6a1d5fd0 100644 --- a/crypto/fips_err.h +++ b/crypto/fips_err.h @@ -77,6 +77,10 @@ static ERR_STRING_DATA FIPS_str_functs[]= {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"}, {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, +{ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, +{ERR_FUNC(FIPS_F_ECDSA_DO_SIGN), "ECDSA_do_sign"}, +{ERR_FUNC(FIPS_F_ECDSA_DO_VERIFY), "ECDSA_do_verify"}, +{ERR_FUNC(FIPS_F_EC_KEY_GENERATE_KEY), "EC_KEY_generate_key"}, {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "FIPS_CHECK_DSA"}, {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA_PRNG), "fips_check_dsa_prng"}, {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "FIPS_CHECK_EC"}, diff --git a/fips/fips.h b/fips/fips.h index 06809c7dcb..4cadbd26fd 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -349,6 +349,10 @@ void ERR_load_FIPS_strings(void); #define FIPS_F_DSA_BUILTIN_PARAMGEN2 102 #define FIPS_F_DSA_DO_SIGN 103 #define FIPS_F_DSA_DO_VERIFY 104 +#define FIPS_F_ECDH_COMPUTE_KEY 163 +#define FIPS_F_ECDSA_DO_SIGN 164 +#define FIPS_F_ECDSA_DO_VERIFY 165 +#define FIPS_F_EC_KEY_GENERATE_KEY 166 #define FIPS_F_FIPS_CHECK_DSA 105 #define FIPS_F_FIPS_CHECK_DSA_PRNG 151 #define FIPS_F_FIPS_CHECK_EC 106 diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c index 32e4b83c5e..1596977fd5 100644 --- a/fips/rand/fips_drbg_lib.c +++ b/fips/rand/fips_drbg_lib.c @@ -386,6 +386,12 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, { int r = 0; + if (FIPS_selftest_failed()) + { + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED); + return 0; + } + if (!fips_drbg_check(dctx)) return 0;