diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2011-06-08 14:01:00 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2011-06-08 14:01:00 +0000 |
commit | b6d63b2516f892d007b216b9237f9063b8172d7e (patch) | |
tree | db9709e39663114d70d7f30c9ced736a562e582d /crypto/ecdh | |
parent | e6b88d02bd96f1a357a4941c850cae5da28bc1c0 (diff) |
Check fips method flags for ECDH, ECDSA.
Diffstat (limited to 'crypto/ecdh')
-rw-r--r-- | crypto/ecdh/ecdh.h | 2 | ||||
-rw-r--r-- | crypto/ecdh/ech_err.c | 4 | ||||
-rw-r--r-- | crypto/ecdh/ech_lib.c | 8 | ||||
-rw-r--r-- | crypto/ecdh/ech_locl.h | 8 |
4 files changed, 21 insertions, 1 deletions
diff --git a/crypto/ecdh/ecdh.h b/crypto/ecdh/ecdh.h index b4b58ee65b..8887102c0b 100644 --- a/crypto/ecdh/ecdh.h +++ b/crypto/ecdh/ecdh.h @@ -109,11 +109,13 @@ void ERR_load_ECDH_strings(void); /* Error codes for the ECDH functions. */ /* Function codes. */ +#define ECDH_F_ECDH_CHECK 102 #define ECDH_F_ECDH_COMPUTE_KEY 100 #define ECDH_F_ECDH_DATA_NEW_METHOD 101 /* Reason codes. */ #define ECDH_R_KDF_FAILED 102 +#define ECDH_R_NON_FIPS_METHOD 103 #define ECDH_R_NO_PRIVATE_VALUE 100 #define ECDH_R_POINT_ARITHMETIC_FAILURE 101 diff --git a/crypto/ecdh/ech_err.c b/crypto/ecdh/ech_err.c index 6f4b0c9953..3bd247398d 100644 --- a/crypto/ecdh/ech_err.c +++ b/crypto/ecdh/ech_err.c @@ -1,6 +1,6 @@ /* crypto/ecdh/ech_err.c */ /* ==================================================================== - * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,6 +70,7 @@ static ERR_STRING_DATA ECDH_str_functs[]= { +{ERR_FUNC(ECDH_F_ECDH_CHECK), "ECDH_CHECK"}, {ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, {ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"}, {0,NULL} @@ -78,6 +79,7 @@ static ERR_STRING_DATA ECDH_str_functs[]= static ERR_STRING_DATA ECDH_str_reasons[]= { {ERR_REASON(ECDH_R_KDF_FAILED) ,"KDF failed"}, +{ERR_REASON(ECDH_R_NON_FIPS_METHOD) ,"non fips method"}, {ERR_REASON(ECDH_R_NO_PRIVATE_VALUE) ,"no private value"}, {ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE),"point arithmetic failure"}, {0,NULL} diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index 49c0e41d14..568392bdd4 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c @@ -225,6 +225,14 @@ ECDH_DATA *ecdh_check(EC_KEY *key) } else ecdh_data = (ECDH_DATA *)data; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD) + && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) + { + ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD); + return NULL; + } +#endif return ecdh_data; diff --git a/crypto/ecdh/ech_locl.h b/crypto/ecdh/ech_locl.h index f658526a7e..f6cad6a894 100644 --- a/crypto/ecdh/ech_locl.h +++ b/crypto/ecdh/ech_locl.h @@ -75,6 +75,14 @@ struct ecdh_method char *app_data; }; +/* If this flag is set the ECDH method is FIPS compliant and can be used + * in FIPS mode. This is set in the validated module method. If an + * application sets this flag in its own methods it is its responsibility + * to ensure the result is compliant. + */ + +#define ECDH_FLAG_FIPS_METHOD 0x1 + typedef struct ecdh_data_st { /* EC_KEY_METH_DATA part */ int (*init)(EC_KEY *); |