aboutsummaryrefslogtreecommitdiff
path: root/openssl/crypto/ecdh
diff options
context:
space:
mode:
authormarha <marha@users.sourceforge.net>2012-04-10 11:54:31 +0200
committermarha <marha@users.sourceforge.net>2012-04-10 11:54:31 +0200
commit5564e91e3cf4ba5cb2fbebbc2d63d18f588016b8 (patch)
treec800a66664ea3af61eb13928db45a26275930b0b /openssl/crypto/ecdh
parentd79e641dea89c0d5d651b11971c4c9e14df34629 (diff)
parent67326634496ef21b4acbf4cef2f05040d34aef9b (diff)
downloadvcxsrv-5564e91e3cf4ba5cb2fbebbc2d63d18f588016b8.tar.gz
vcxsrv-5564e91e3cf4ba5cb2fbebbc2d63d18f588016b8.tar.bz2
vcxsrv-5564e91e3cf4ba5cb2fbebbc2d63d18f588016b8.zip
Merge remote-tracking branch 'origin/released'
Conflicts: openssl/Configure openssl/Makefile openssl/crypto/opensslconf.h openssl/util/mk1mf.pl openssl/util/pl/VC-32.pl
Diffstat (limited to 'openssl/crypto/ecdh')
-rw-r--r--openssl/crypto/ecdh/ecdh.h2
-rw-r--r--openssl/crypto/ecdh/ecdhtest.c6
-rw-r--r--openssl/crypto/ecdh/ech_err.c4
-rw-r--r--openssl/crypto/ecdh/ech_lib.c20
-rw-r--r--openssl/crypto/ecdh/ech_locl.h8
-rw-r--r--openssl/crypto/ecdh/ech_ossl.c2
6 files changed, 41 insertions, 1 deletions
diff --git a/openssl/crypto/ecdh/ecdh.h b/openssl/crypto/ecdh/ecdh.h
index b4b58ee65..8887102c0 100644
--- a/openssl/crypto/ecdh/ecdh.h
+++ b/openssl/crypto/ecdh/ecdh.h
@@ -109,11 +109,13 @@ void ERR_load_ECDH_strings(void);
/* Error codes for the ECDH functions. */
/* Function codes. */
+#define ECDH_F_ECDH_CHECK 102
#define ECDH_F_ECDH_COMPUTE_KEY 100
#define ECDH_F_ECDH_DATA_NEW_METHOD 101
/* Reason codes. */
#define ECDH_R_KDF_FAILED 102
+#define ECDH_R_NON_FIPS_METHOD 103
#define ECDH_R_NO_PRIVATE_VALUE 100
#define ECDH_R_POINT_ARITHMETIC_FAILURE 101
diff --git a/openssl/crypto/ecdh/ecdhtest.c b/openssl/crypto/ecdh/ecdhtest.c
index 212a87efa..823d7baa6 100644
--- a/openssl/crypto/ecdh/ecdhtest.c
+++ b/openssl/crypto/ecdh/ecdhtest.c
@@ -158,11 +158,13 @@ static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out)
if (!EC_POINT_get_affine_coordinates_GFp(group,
EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err;
}
+#ifndef OPENSSL_NO_EC2M
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err;
}
+#endif
#ifdef NOISY
BIO_puts(out," pri 1=");
BN_print(out,a->priv_key);
@@ -183,11 +185,13 @@ static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out)
if (!EC_POINT_get_affine_coordinates_GFp(group,
EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err;
}
+#ifndef OPENSSL_NO_EC2M
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err;
}
+#endif
#ifdef NOISY
BIO_puts(out," pri 2=");
@@ -324,6 +328,7 @@ int main(int argc, char *argv[])
if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err;
+#ifndef OPENSSL_NO_EC2M
/* NIST BINARY CURVES TESTS */
if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out)) goto err;
@@ -335,6 +340,7 @@ int main(int argc, char *argv[])
if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) goto err;
+#endif
ret = 0;
diff --git a/openssl/crypto/ecdh/ech_err.c b/openssl/crypto/ecdh/ech_err.c
index 6f4b0c995..3bd247398 100644
--- a/openssl/crypto/ecdh/ech_err.c
+++ b/openssl/crypto/ecdh/ech_err.c
@@ -1,6 +1,6 @@
/* crypto/ecdh/ech_err.c */
/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -70,6 +70,7 @@
static ERR_STRING_DATA ECDH_str_functs[]=
{
+{ERR_FUNC(ECDH_F_ECDH_CHECK), "ECDH_CHECK"},
{ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"},
{0,NULL}
@@ -78,6 +79,7 @@ static ERR_STRING_DATA ECDH_str_functs[]=
static ERR_STRING_DATA ECDH_str_reasons[]=
{
{ERR_REASON(ECDH_R_KDF_FAILED) ,"KDF failed"},
+{ERR_REASON(ECDH_R_NON_FIPS_METHOD) ,"non fips method"},
{ERR_REASON(ECDH_R_NO_PRIVATE_VALUE) ,"no private value"},
{ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE),"point arithmetic failure"},
{0,NULL}
diff --git a/openssl/crypto/ecdh/ech_lib.c b/openssl/crypto/ecdh/ech_lib.c
index 4d8ea03d3..dadbfd3c4 100644
--- a/openssl/crypto/ecdh/ech_lib.c
+++ b/openssl/crypto/ecdh/ech_lib.c
@@ -73,6 +73,9 @@
#include <openssl/engine.h>
#endif
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT;
@@ -90,7 +93,16 @@ void ECDH_set_default_method(const ECDH_METHOD *meth)
const ECDH_METHOD *ECDH_get_default_method(void)
{
if(!default_ECDH_method)
+ {
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return FIPS_ecdh_openssl();
+ else
+ return ECDH_OpenSSL();
+#else
default_ECDH_method = ECDH_OpenSSL();
+#endif
+ }
return default_ECDH_method;
}
@@ -215,6 +227,14 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
}
else
ecdh_data = (ECDH_DATA *)data;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
+ && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW))
+ {
+ ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD);
+ return NULL;
+ }
+#endif
return ecdh_data;
diff --git a/openssl/crypto/ecdh/ech_locl.h b/openssl/crypto/ecdh/ech_locl.h
index f658526a7..f6cad6a89 100644
--- a/openssl/crypto/ecdh/ech_locl.h
+++ b/openssl/crypto/ecdh/ech_locl.h
@@ -75,6 +75,14 @@ struct ecdh_method
char *app_data;
};
+/* If this flag is set the ECDH method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its responsibility
+ * to ensure the result is compliant.
+ */
+
+#define ECDH_FLAG_FIPS_METHOD 0x1
+
typedef struct ecdh_data_st {
/* EC_KEY_METH_DATA part */
int (*init)(EC_KEY *);
diff --git a/openssl/crypto/ecdh/ech_ossl.c b/openssl/crypto/ecdh/ech_ossl.c
index 2a40ff12d..4a30628fb 100644
--- a/openssl/crypto/ecdh/ech_ossl.c
+++ b/openssl/crypto/ecdh/ech_ossl.c
@@ -157,6 +157,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
goto err;
}
}
+#ifndef OPENSSL_NO_EC2M
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx))
@@ -165,6 +166,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
goto err;
}
}
+#endif
buflen = (EC_GROUP_get_degree(group) + 7)/8;
len = BN_num_bytes(x);