Redirect DH operations to FIPS module. Block non-FIPS methods.
Sync DH error codes with HEAD.
This commit is contained in:
		| @@ -86,6 +86,21 @@ | |||||||
|                                        * be used for all exponents. |                                        * be used for all exponents. | ||||||
|                                        */ |                                        */ | ||||||
|  |  | ||||||
|  | /* If this flag is set the DH method is FIPS compliant and can be used | ||||||
|  |  * in FIPS mode. This is set in the validated module method. If an | ||||||
|  |  * application sets this flag in its own methods it is its reposibility | ||||||
|  |  * to ensure the result is compliant. | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | #define DH_FLAG_FIPS_METHOD			0x0400 | ||||||
|  |  | ||||||
|  | /* If this flag is set the operations normally disabled in FIPS mode are | ||||||
|  |  * permitted it is then the applications responsibility to ensure that the | ||||||
|  |  * usage is compliant. | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | #define DH_FLAG_NON_FIPS_ALLOW			0x0400 | ||||||
|  |  | ||||||
| #ifdef  __cplusplus | #ifdef  __cplusplus | ||||||
| extern "C" { | extern "C" { | ||||||
| #endif | #endif | ||||||
| @@ -230,6 +245,8 @@ void ERR_load_DH_strings(void); | |||||||
| #define DH_F_COMPUTE_KEY				 102 | #define DH_F_COMPUTE_KEY				 102 | ||||||
| #define DH_F_DHPARAMS_PRINT_FP				 101 | #define DH_F_DHPARAMS_PRINT_FP				 101 | ||||||
| #define DH_F_DH_BUILTIN_GENPARAMS			 106 | #define DH_F_DH_BUILTIN_GENPARAMS			 106 | ||||||
|  | #define DH_F_DH_COMPUTE_KEY				 114 | ||||||
|  | #define DH_F_DH_GENERATE_KEY				 115 | ||||||
| #define DH_F_DH_NEW_METHOD				 105 | #define DH_F_DH_NEW_METHOD				 105 | ||||||
| #define DH_F_DH_PARAM_DECODE				 107 | #define DH_F_DH_PARAM_DECODE				 107 | ||||||
| #define DH_F_DH_PRIV_DECODE				 110 | #define DH_F_DH_PRIV_DECODE				 110 | ||||||
| @@ -249,7 +266,9 @@ void ERR_load_DH_strings(void); | |||||||
| #define DH_R_DECODE_ERROR				 104 | #define DH_R_DECODE_ERROR				 104 | ||||||
| #define DH_R_INVALID_PUBKEY				 102 | #define DH_R_INVALID_PUBKEY				 102 | ||||||
| #define DH_R_KEYS_NOT_SET				 108 | #define DH_R_KEYS_NOT_SET				 108 | ||||||
|  | #define DH_R_KEY_SIZE_TOO_SMALL				 110 | ||||||
| #define DH_R_MODULUS_TOO_LARGE				 103 | #define DH_R_MODULUS_TOO_LARGE				 103 | ||||||
|  | #define DH_R_NON_FIPS_METHOD				 111 | ||||||
| #define DH_R_NO_PARAMETERS_SET				 107 | #define DH_R_NO_PARAMETERS_SET				 107 | ||||||
| #define DH_R_NO_PRIVATE_VALUE				 100 | #define DH_R_NO_PRIVATE_VALUE				 100 | ||||||
| #define DH_R_PARAMETER_ENCODING_ERROR			 105 | #define DH_R_PARAMETER_ENCODING_ERROR			 105 | ||||||
|   | |||||||
| @@ -1,6 +1,6 @@ | |||||||
| /* crypto/dh/dh_err.c */ | /* crypto/dh/dh_err.c */ | ||||||
| /* ==================================================================== | /* ==================================================================== | ||||||
|  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved. |  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved. | ||||||
|  * |  * | ||||||
|  * Redistribution and use in source and binary forms, with or without |  * Redistribution and use in source and binary forms, with or without | ||||||
|  * modification, are permitted provided that the following conditions |  * modification, are permitted provided that the following conditions | ||||||
| @@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= | |||||||
| {ERR_FUNC(DH_F_COMPUTE_KEY),	"COMPUTE_KEY"}, | {ERR_FUNC(DH_F_COMPUTE_KEY),	"COMPUTE_KEY"}, | ||||||
| {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),	"DHparams_print_fp"}, | {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),	"DHparams_print_fp"}, | ||||||
| {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),	"DH_BUILTIN_GENPARAMS"}, | {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),	"DH_BUILTIN_GENPARAMS"}, | ||||||
|  | {ERR_FUNC(DH_F_DH_COMPUTE_KEY),	"DH_compute_key"}, | ||||||
|  | {ERR_FUNC(DH_F_DH_GENERATE_KEY),	"DH_generate_key"}, | ||||||
| {ERR_FUNC(DH_F_DH_NEW_METHOD),	"DH_new_method"}, | {ERR_FUNC(DH_F_DH_NEW_METHOD),	"DH_new_method"}, | ||||||
| {ERR_FUNC(DH_F_DH_PARAM_DECODE),	"DH_PARAM_DECODE"}, | {ERR_FUNC(DH_F_DH_PARAM_DECODE),	"DH_PARAM_DECODE"}, | ||||||
| {ERR_FUNC(DH_F_DH_PRIV_DECODE),	"DH_PRIV_DECODE"}, | {ERR_FUNC(DH_F_DH_PRIV_DECODE),	"DH_PRIV_DECODE"}, | ||||||
| @@ -95,7 +97,9 @@ static ERR_STRING_DATA DH_str_reasons[]= | |||||||
| {ERR_REASON(DH_R_DECODE_ERROR)           ,"decode error"}, | {ERR_REASON(DH_R_DECODE_ERROR)           ,"decode error"}, | ||||||
| {ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"}, | {ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"}, | ||||||
| {ERR_REASON(DH_R_KEYS_NOT_SET)           ,"keys not set"}, | {ERR_REASON(DH_R_KEYS_NOT_SET)           ,"keys not set"}, | ||||||
|  | {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL)     ,"key size too small"}, | ||||||
| {ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"}, | {ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"}, | ||||||
|  | {ERR_REASON(DH_R_NON_FIPS_METHOD)        ,"non fips method"}, | ||||||
| {ERR_REASON(DH_R_NO_PARAMETERS_SET)      ,"no parameters set"}, | {ERR_REASON(DH_R_NO_PARAMETERS_SET)      ,"no parameters set"}, | ||||||
| {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"}, | {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"}, | ||||||
| {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"}, | {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"}, | ||||||
|   | |||||||
| @@ -73,11 +73,27 @@ static int dh_finish(DH *dh); | |||||||
|  |  | ||||||
| int DH_generate_key(DH *dh) | int DH_generate_key(DH *dh) | ||||||
| 	{ | 	{ | ||||||
|  | #ifdef OPENSSL_FIPS | ||||||
|  | 	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) | ||||||
|  | 			&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) | ||||||
|  | 		{ | ||||||
|  | 		DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); | ||||||
|  | 		return 0; | ||||||
|  | 		} | ||||||
|  | #endif | ||||||
| 	return dh->meth->generate_key(dh); | 	return dh->meth->generate_key(dh); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) | int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) | ||||||
| 	{ | 	{ | ||||||
|  | #ifdef OPENSSL_FIPS | ||||||
|  | 	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) | ||||||
|  | 			&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) | ||||||
|  | 		{ | ||||||
|  | 		DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); | ||||||
|  | 		return 0; | ||||||
|  | 		} | ||||||
|  | #endif | ||||||
| 	return dh->meth->compute_key(key, pub_key, dh); | 	return dh->meth->compute_key(key, pub_key, dh); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|   | |||||||
| @@ -64,6 +64,10 @@ | |||||||
| #include <openssl/engine.h> | #include <openssl/engine.h> | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
|  | #ifdef OPENSSL_FIPS | ||||||
|  | #include <openssl/fips.h> | ||||||
|  | #endif | ||||||
|  |  | ||||||
| const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; | const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; | ||||||
|  |  | ||||||
| static const DH_METHOD *default_DH_method = NULL; | static const DH_METHOD *default_DH_method = NULL; | ||||||
| @@ -76,7 +80,14 @@ void DH_set_default_method(const DH_METHOD *meth) | |||||||
| const DH_METHOD *DH_get_default_method(void) | const DH_METHOD *DH_get_default_method(void) | ||||||
| 	{ | 	{ | ||||||
| 	if(!default_DH_method) | 	if(!default_DH_method) | ||||||
| 		default_DH_method = DH_OpenSSL(); | 		{ | ||||||
|  | #ifdef OPENSSL_FIPS | ||||||
|  | 		if (FIPS_mode()) | ||||||
|  | 			default_DH_method = FIPS_dh_openssl(); | ||||||
|  | 		else | ||||||
|  | #endif | ||||||
|  | 			default_DH_method = DH_OpenSSL(); | ||||||
|  | 		} | ||||||
| 	return default_DH_method; | 	return default_DH_method; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| @@ -156,7 +167,7 @@ DH *DH_new_method(ENGINE *engine) | |||||||
| 	ret->counter = NULL; | 	ret->counter = NULL; | ||||||
| 	ret->method_mont_p=NULL; | 	ret->method_mont_p=NULL; | ||||||
| 	ret->references = 1; | 	ret->references = 1; | ||||||
| 	ret->flags=ret->meth->flags; | 	ret->flags=ret->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW; | ||||||
| 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); | 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); | ||||||
| 	if ((ret->meth->init != NULL) && !ret->meth->init(ret)) | 	if ((ret->meth->init != NULL) && !ret->meth->init(ret)) | ||||||
| 		{ | 		{ | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Dr. Stephen Henson
					Dr. Stephen Henson