diff options
| -rw-r--r-- | crypto/dh/dh.h | 15 | ||||
| -rw-r--r-- | crypto/dh/dh_key.c | 2 | ||||
| -rw-r--r-- | fips/fips.h | 15 |
3 files changed, 25 insertions, 7 deletions
diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h index 63db8c908b..e9f9a540b2 100644 --- a/crypto/dh/dh.h +++ b/crypto/dh/dh.h @@ -88,6 +88,21 @@ * be used for all exponents. */ +/* If this flag is set the DH method is FIPS compliant and can be used + * in FIPS mode. This is set in the validated module method. If an + * application sets this flag in its own methods it is its reposibility + * to ensure the result is compliant. + */ + +#define DH_FLAG_FIPS_METHOD 0x0400 + +/* If this flag is set the operations normally disabled in FIPS mode are + * permitted it is then the applications responsibility to ensure that the + * usage is compliant. + */ + +#define DH_FLAG_NON_FIPS_ALLOW 0x0400 + #ifdef __cplusplus extern "C" { #endif diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index ca2435e75f..e296f453bb 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -108,7 +108,7 @@ compute_key, dh_bn_mod_exp, dh_init, dh_finish, -0, +DH_FLAG_FIPS_METHOD, NULL, NULL }; diff --git a/fips/fips.h b/fips/fips.h index 1e5c759341..6731d692a1 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -74,6 +74,7 @@ struct evp_cipher_st; struct evp_cipher_ctx_st; struct ec_method_st; struct ecdsa_method; +struct dh_method; int FIPS_module_mode_set(int onoff); int FIPS_module_mode(void); @@ -275,16 +276,18 @@ const EVP_MD *FIPS_evp_ecdsa(void); const RSA_METHOD *FIPS_rsa_pkcs1_ssleay(void); int FIPS_rsa_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); -struct ec_method_st *fips_ec_gf2m_simple_method(void); -struct ec_method_st *fips_ec_gfp_simple_method(void); -struct ec_method_st *fips_ec_gfp_mont_method(void); -struct ec_method_st *fips_ec_gfp_nist_method(void); +const struct ec_method_st *fips_ec_gf2m_simple_method(void); +const struct ec_method_st *fips_ec_gfp_simple_method(void); +const struct ec_method_st *fips_ec_gfp_mont_method(void); +const struct ec_method_st *fips_ec_gfp_nist_method(void); -struct ecdsa_method *FIPS_ecdsa_openssl(void); -struct ecdh_method *FIPS_ecdh_openssl(void); +const struct ecdsa_method *FIPS_ecdsa_openssl(void); +const struct ecdh_method *FIPS_ecdh_openssl(void); int FIPS_ec_key_generate_key(struct ec_key_st *key); +const struct dh_method *FIPS_dh_openssl(void); + #endif /* Where necessary redirect standard OpenSSL APIs to FIPS versions */ |