Redirection of ECDSA, ECDH operations to FIPS module.

Also use FIPS EC methods unconditionally for now: might want to use them only in FIPS mode or with a switch later.
2011-06-06 15:39:17 +00:00
parent a6dc77822b
commit 6342b6e332
8 changed files with 67 additions and 2 deletions
--- a/4
+++ b/4
@@ -4,6 +4,10 @@

 Changes between 1.0.0d and 1.0.1  [xx XXX xxxx]

+  *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
+     FIPS EC methods unconditionally for now.
+     [Steve Henson]
+
  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@@ -73,9 +73,16 @@

 #ifndef OPENSSL_NO_EC2M

+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+

 const EC_METHOD *EC_GF2m_simple_method(void)
 	{
+#ifdef OPENSSL_FIPS
+	return fips_ec_gf2m_simple_method();
+#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_characteristic_two_field,
@@ -119,6 +126,7 @@ const EC_METHOD *EC_GF2m_simple_method(void)
 		0 /* field_set_to_one */ };

 	return &ret;
+#endif
 	}


--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -65,6 +65,9 @@
 #include "ec_lcl.h"
 #include <openssl/err.h>
 #include <string.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif

 EC_KEY *EC_KEY_new(void)
 	{
@@ -239,6 +242,11 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	BIGNUM	*priv_key = NULL, *order = NULL;
 	EC_POINT *pub_key = NULL;

+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+		return FIPS_ec_key_generate_key(eckey);
+#endif
+
 	if (!eckey || !eckey->group)
 		{
 		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
--- a/crypto/ec/ecp_mont.c
+++ b/crypto/ec/ecp_mont.c
@@ -63,11 +63,18 @@

 #include <openssl/err.h>

+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include "ec_lcl.h"


 const EC_METHOD *EC_GFp_mont_method(void)
 	{
+#ifdef OPENSSL_FIPS
+	return fips_ec_gfp_mont_method();
+#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_prime_field,
@@ -107,7 +114,9 @@ const EC_METHOD *EC_GFp_mont_method(void)
 		ec_GFp_mont_field_decode,
 		ec_GFp_mont_field_set_to_one };

+
 	return &ret;
+#endif
 	}


--- a/crypto/ec/ecp_nist.c
+++ b/crypto/ec/ecp_nist.c
@@ -67,8 +67,15 @@
 #include <openssl/obj_mac.h>
 #include "ec_lcl.h"

+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 const EC_METHOD *EC_GFp_nist_method(void)
 	{
+#ifdef OPENSSL_FIPS
+	return fips_ec_gfp_nist_method();
+#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_prime_field,
@@ -109,6 +116,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
 		0 /* field_set_to_one */ };

 	return &ret;
+#endif
 	}

 int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -65,10 +65,17 @@
 #include <openssl/err.h>
 #include <openssl/symhacks.h>

+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include "ec_lcl.h"

 const EC_METHOD *EC_GFp_simple_method(void)
 	{
+#ifdef OPENSSL_FIPS
+	return fips_ec_gfp_simple_method();
+#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_prime_field,
@@ -109,6 +116,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
 		0 /* field_set_to_one */ };

 	return &ret;
+#endif
 	}


--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -73,6 +73,9 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif

 const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT;

@@ -90,7 +93,14 @@ void ECDH_set_default_method(const ECDH_METHOD *meth)
 const ECDH_METHOD *ECDH_get_default_method(void)
 	{
 	if(!default_ECDH_method) 
-		default_ECDH_method = ECDH_OpenSSL();
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			default_ECDH_method = FIPS_ecdh_openssl();
+		else
+#endif
+			default_ECDH_method = ECDH_OpenSSL();
+		}
 	return default_ECDH_method;
 	}

--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@@ -60,6 +60,9 @@
 #endif
 #include <openssl/err.h>
 #include <openssl/bn.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif

 const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT;

@@ -77,7 +80,14 @@ void ECDSA_set_default_method(const ECDSA_METHOD *meth)
 const ECDSA_METHOD *ECDSA_get_default_method(void)
 {
 	if(!default_ECDSA_method) 
-		default_ECDSA_method = ECDSA_OpenSSL();
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			default_ECDSA_method = FIPS_ecdsa_openssl();
+		else
+#endif
+			default_ECDSA_method = ECDSA_OpenSSL();
+		}
 	return default_ECDSA_method;
 }