diff options
Diffstat (limited to 'openssl/crypto/ecdsa')
-rw-r--r-- | openssl/crypto/ecdsa/ecdsa.h | 2 | ||||
-rw-r--r-- | openssl/crypto/ecdsa/ecdsatest.c | 3 | ||||
-rw-r--r-- | openssl/crypto/ecdsa/ecs_err.c | 4 | ||||
-rw-r--r-- | openssl/crypto/ecdsa/ecs_lib.c | 21 | ||||
-rw-r--r-- | openssl/crypto/ecdsa/ecs_locl.h | 8 | ||||
-rw-r--r-- | openssl/crypto/ecdsa/ecs_ossl.c | 5 |
6 files changed, 39 insertions, 4 deletions
diff --git a/openssl/crypto/ecdsa/ecdsa.h b/openssl/crypto/ecdsa/ecdsa.h index e61c53981..7fb5254b6 100644 --- a/openssl/crypto/ecdsa/ecdsa.h +++ b/openssl/crypto/ecdsa/ecdsa.h @@ -238,6 +238,7 @@ void ERR_load_ECDSA_strings(void); /* Error codes for the ECDSA functions. */ /* Function codes. */ +#define ECDSA_F_ECDSA_CHECK 104 #define ECDSA_F_ECDSA_DATA_NEW_METHOD 100 #define ECDSA_F_ECDSA_DO_SIGN 101 #define ECDSA_F_ECDSA_DO_VERIFY 102 @@ -249,6 +250,7 @@ void ERR_load_ECDSA_strings(void); #define ECDSA_R_ERR_EC_LIB 102 #define ECDSA_R_MISSING_PARAMETERS 103 #define ECDSA_R_NEED_NEW_SETUP_VALUES 106 +#define ECDSA_R_NON_FIPS_METHOD 107 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104 #define ECDSA_R_SIGNATURE_MALLOC_FAILED 105 diff --git a/openssl/crypto/ecdsa/ecdsatest.c b/openssl/crypto/ecdsa/ecdsatest.c index c3c20c38b..537bb3036 100644 --- a/openssl/crypto/ecdsa/ecdsatest.c +++ b/openssl/crypto/ecdsa/ecdsatest.c @@ -262,6 +262,7 @@ int x9_62_tests(BIO *out) "3238135532097973577080787768312505059318910517550078427819" "78505179448783")) goto x962_err; +#ifndef OPENSSL_NO_EC2M if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1, "87194383164871543355722284926904419997237591535066528048", "308992691965804947361541664549085895292153777025772063598")) @@ -272,7 +273,7 @@ int x9_62_tests(BIO *out) "1970303740007316867383349976549972270528498040721988191026" "49413465737174")) goto x962_err; - +#endif ret = 1; x962_err: if (!restore_rand()) diff --git a/openssl/crypto/ecdsa/ecs_err.c b/openssl/crypto/ecdsa/ecs_err.c index 98e38d537..81542e6d1 100644 --- a/openssl/crypto/ecdsa/ecs_err.c +++ b/openssl/crypto/ecdsa/ecs_err.c @@ -1,6 +1,6 @@ /* crypto/ecdsa/ecs_err.c */ /* ==================================================================== - * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,6 +70,7 @@ static ERR_STRING_DATA ECDSA_str_functs[]= { +{ERR_FUNC(ECDSA_F_ECDSA_CHECK), "ECDSA_CHECK"}, {ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_NEW_METHOD"}, {ERR_FUNC(ECDSA_F_ECDSA_DO_SIGN), "ECDSA_do_sign"}, {ERR_FUNC(ECDSA_F_ECDSA_DO_VERIFY), "ECDSA_do_verify"}, @@ -84,6 +85,7 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= {ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"}, {ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"}, +{ERR_REASON(ECDSA_R_NON_FIPS_METHOD) ,"non fips method"}, {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"}, {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"}, {0,NULL} diff --git a/openssl/crypto/ecdsa/ecs_lib.c b/openssl/crypto/ecdsa/ecs_lib.c index 2ebae3aa2..e477da430 100644 --- a/openssl/crypto/ecdsa/ecs_lib.c +++ b/openssl/crypto/ecdsa/ecs_lib.c @@ -60,6 +60,9 @@ #endif #include <openssl/err.h> #include <openssl/bn.h> +#ifdef OPENSSL_FIPS +#include <openssl/fips.h> +#endif const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; @@ -77,7 +80,16 @@ void ECDSA_set_default_method(const ECDSA_METHOD *meth) const ECDSA_METHOD *ECDSA_get_default_method(void) { if(!default_ECDSA_method) + { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return FIPS_ecdsa_openssl(); + else + return ECDSA_OpenSSL(); +#else default_ECDSA_method = ECDSA_OpenSSL(); +#endif + } return default_ECDSA_method; } @@ -193,7 +205,14 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) } else ecdsa_data = (ECDSA_DATA *)data; - +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD) + && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) + { + ECDSAerr(ECDSA_F_ECDSA_CHECK, ECDSA_R_NON_FIPS_METHOD); + return NULL; + } +#endif return ecdsa_data; } diff --git a/openssl/crypto/ecdsa/ecs_locl.h b/openssl/crypto/ecdsa/ecs_locl.h index 3a69a840e..cb3be13cf 100644 --- a/openssl/crypto/ecdsa/ecs_locl.h +++ b/openssl/crypto/ecdsa/ecs_locl.h @@ -82,6 +82,14 @@ struct ecdsa_method char *app_data; }; +/* If this flag is set the ECDSA method is FIPS compliant and can be used + * in FIPS mode. This is set in the validated module method. If an + * application sets this flag in its own methods it is its responsibility + * to ensure the result is compliant. + */ + +#define ECDSA_FLAG_FIPS_METHOD 0x1 + typedef struct ecdsa_data_st { /* EC_KEY_METH_DATA part */ int (*init)(EC_KEY *); diff --git a/openssl/crypto/ecdsa/ecs_ossl.c b/openssl/crypto/ecdsa/ecs_ossl.c index 1bbf328de..772593561 100644 --- a/openssl/crypto/ecdsa/ecs_ossl.c +++ b/openssl/crypto/ecdsa/ecs_ossl.c @@ -167,6 +167,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; } } +#ifndef OPENSSL_NO_EC2M else /* NID_X9_62_characteristic_two_field */ { if (!EC_POINT_get_affine_coordinates_GF2m(group, @@ -176,6 +177,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; } } +#endif if (!BN_nnmod(r, X, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); @@ -454,6 +456,7 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, goto err; } } +#ifndef OPENSSL_NO_EC2M else /* NID_X9_62_characteristic_two_field */ { if (!EC_POINT_get_affine_coordinates_GF2m(group, @@ -463,7 +466,7 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, goto err; } } - +#endif if (!BN_nnmod(u1, X, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); |