CHANGES +5 −0
@@ -4,6 +4,11 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted outside the validated module in the FIPS capable OpenSSL. [Steve Henson] *) Initial TLS v1.2 client support. Add a default signature algorithms extension including all the algorithms we support. Parse new signature format in client key exchange. Relax some ECC signing restrictions for
crypto/bn/bn_rand.c +1 −1
@@ -252,7 +252,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range) * generated. So we just use the second case which is equivalent to * "Generation by Testing Candidates" mentioned in B.1.2 et al. */ else if (!FIPS_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) else if (!FIPS_module_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) #else else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) #endif
crypto/dh/dh_gen.c +1 −1
@@ -118,7 +118,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB return 0; } if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) if (FIPS_module_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err;
crypto/dh/dh_key.c +2 −2
@@ -128,7 +128,7 @@ static int generate_key(DH *dh) BIGNUM *pub_key=NULL,*priv_key=NULL; #ifdef OPENSSL_FIPS if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); return 0;
@@ -227,7 +227,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) } #ifdef OPENSSL_FIPS if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); goto err;
crypto/dsa/dsa_gen.c +2 −2
@@ -141,7 +141,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; } if (FIPS_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
@@ -412,7 +412,7 @@ static int dsa2_valid_parameters(size_t L, size_t N) int fips_check_dsa_prng(DSA *dsa, size_t L, size_t N) { int strength; if (!FIPS_mode()) if (!FIPS_module_mode()) return 1; if (dsa->flags & (DSA_FLAG_NON_FIPS_ALLOW|DSA_FLAG_FIPS_CHECKED))
CHANGES +5 −0
@@ -4,6 +4,11 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted outside the validated module in the FIPS capable OpenSSL. [Steve Henson] *) Initial TLS v1.2 client support. Add a default signature algorithms extension including all the algorithms we support. Parse new signature format in client key exchange. Relax some ECC signing restrictions for
crypto/bn/bn_rand.c +1 −1
@@ -252,7 +252,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range) * generated. So we just use the second case which is equivalent to * "Generation by Testing Candidates" mentioned in B.1.2 et al. */ else if (!FIPS_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) else if (!FIPS_module_mode() && !BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) #else else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) #endif
crypto/dh/dh_gen.c +1 −1
@@ -118,7 +118,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB return 0; } if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) if (FIPS_module_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err;
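Review bot: The minimum-modulus test in dh_builtin_genparams now keys off `FIPS_module_mode()`, and nothing beside it says that this is the validated module's own state rather than the `FIPS_mode()` that the CHANGES entry says will be provided outside the module. Once both names exist, a reader can easily reach for the wrong one when touching a key-size floor, so a one-line comment above the test would help, for example `/* FIPS_module_mode(): state of the validated module itself, not the FIPS_mode() provided outside it */`. The same comment fits the size checks in generate_key and compute_key (crypto/dh/dh_key.c) and in dsa_builtin_paramgen (crypto/dsa/dsa_gen.c). The function body starts and ends outside this hunk, so whether this test sits under `#ifdef OPENSSL_FIPS`, as the dh_key.c ones visibly do, cannot be confirmed from here.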
crypto/dh/dh_key.c +2 −2
@@ -128,7 +128,7 @@ static int generate_key(DH *dh) BIGNUM *pub_key=NULL,*priv_key=NULL; #ifdef OPENSSL_FIPS if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); return 0;
@@ -227,7 +227,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) } #ifdef OPENSSL_FIPS if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) if (FIPS_module_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); goto err;
crypto/dsa/dsa_gen.c +2 −2
@@ -141,7 +141,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; } if (FIPS_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
@@ -412,7 +412,7 @@ static int dsa2_valid_parameters(size_t L, size_t N) int fips_check_dsa_prng(DSA *dsa, size_t L, size_t N) { int strength; if (!FIPS_mode()) if (!FIPS_module_mode()) return 1; if (dsa->flags & (DSA_FLAG_NON_FIPS_ALLOW|DSA_FLAG_FIPS_CHECKED))