author | Shane Lontis <shane.lontis@oracle.com> | 2020-08-29 12:59:04 +1000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-09-18 14:20:38 +0100 |
commit | 341c3e7f28072e3c3cfb072233aa7d68abc73d0a (patch) | |
tree | 63996b9f18c1c302ddbe4cae13efdd3641e6b296 /providers | |
parent | 8d17cca5b8dc0d93a3a612a47461ee4cabb9fc98 (diff) |
Add fips checks for ecdh key agreement
For key agreement, only NIST curves with a security strength of 112 bits or more are allowed.
Fixed tests so they obey these restrictions when testing in fips mode.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)
Diffstat (limited to 'providers')
-rw-r--r-- | providers/implementations/exchange/ecdh_exch.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 8e6cf10dc5..83d119b02b 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -24,6 +24,7 @@
 #include "prov/provider_ctx.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
+#include "prov/provider_util.h"
 #include "crypto/ec.h" /* ecdh_KDF_X9_63() */
 static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
@@ -110,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
 pecdhctx->k = vecdh;
 pecdhctx->cofactor_mode = -1;
 pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
- return 1;
+ return ossl_prov_ec_check(vecdh, 1);
 }
 static
@@ -125,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
 return 0;
 EC_KEY_free(pecdhctx->peerk);
 pecdhctx->peerk = vecdh;
- return 1;
+ return ossl_prov_ec_check(vecdh, 1);
 }
 static
@@ -253,7 +254,12 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
 EVP_MD_free(pectx->kdf_md);
 pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
-
+#ifdef FIPS_MODULE
+ if (!ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) {
+ EVP_MD_free(pectx->kdf_md);
+ pectx->kdf_md = NULL;
+ }
+#endif
 if (pectx->kdf_md == NULL)
 return 0;
 } |
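Review bot: In ecdh_init the approval check runs only after `pecdhctx->k = vecdh;` and the cofactor_mode/kdf_type resets, so when `ossl_prov_ec_check(vecdh, 1)` fails the context is left holding the very key it just rejected, and a caller that ignores the 0 return can still reach the derive step with a non-approved curve. Running the check first, `if (!ossl_prov_ec_check(vecdh, 1)) return 0;` ahead of the `pecdhctx->k = vecdh;` line, keeps a failed init from mutating state; if the function takes a reference on vecdh before this point (its start is outside the hunk, so I can't see), that reference would also need releasing on the new failure path. The literal `1` passed to ossl_prov_ec_check is unexplained at the call site; a comment such as `/* key agreement: in FIPS mode only NIST curves with >= 112-bit strength are allowed */` (the rule stated in the commit message) would tell the next reader what is being enforced.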
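Review bot: ecdh_set_peer has the same ordering problem as ecdh_init: `pecdhctx->peerk = vecdh;` is stored before `ossl_prov_ec_check(vecdh, 1)` runs, so a rejected peer key remains in the context when the function returns 0. Moving the check ahead of the `EC_KEY_free(pecdhctx->peerk);` / assignment pair avoids leaving a half-updated context; the function's start, where vecdh is presumably reference-counted, is outside the hunk, so any reference taken there would need to be dropped on the early return. It is also worth a comment that, per the commit message, this check constrains the curve and not the peer's public point; a one-sentence note saying where the peer point itself is validated (derive step or key import, whichever applies) would make the division of responsibility clear to a FIPS reviewer.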
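Review bot: In the new FIPS_MODULE block, `ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)` is reached even when `EVP_MD_fetch` returned NULL, so the correctness of that path rests on the helper tolerating a NULL md; guarding it explicitly, `if (pectx->kdf_md != NULL && !ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) {`, removes that dependency and leaves the existing `if (pectx->kdf_md == NULL) return 0;` as the single failure exit. Separately, a fetched-but-unapproved digest is freed and the function returns 0 without any error being raised in this branch, so callers cannot distinguish "unknown digest" from "digest not allowed in FIPS mode"; an `ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);` (or whichever reason code the provider error set uses for this) inside the rejection branch would help. The enclosing parameter-handling code of ecdh_set_ctx_params starts and ends outside the hunk.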