Loading crypto/ec/ec_key.c +0 −87 Original line number Diff line number Diff line Loading @@ -233,71 +233,6 @@ int EC_KEY_up_ref(EC_KEY *r) return ((i > 1) ? 1 : 0); } #ifdef OPENSSL_FIPS #include <openssl/evp.h> #include <openssl/fips.h> #include <openssl/fips_rand.h> static int fips_check_ec(EC_KEY *key) { EVP_PKEY pk; unsigned char tbs[] = "ECDSA Pairwise Check Data"; pk.type = EVP_PKEY_EC; pk.pkey.ec = key; if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE, &pk, tbs, 0, NULL, 0, NULL, 0, NULL)) { FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED); fips_set_selftest_fail(); return 0; } return 1; } int fips_check_ec_prng(EC_KEY *ec) { int bits, strength; if (!FIPS_module_mode()) return 1; if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED)) return 1; if (!ec->group) return 1; bits = BN_num_bits(&ec->group->order); if (bits < 160) { FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_KEY_TOO_SHORT); return 0; } /* Comparable algorithm strengths: from SP800-57 table 2 */ if (bits >= 512) strength = 256; else if (bits >= 384) strength = 192; else if (bits >= 256) strength = 128; else if (bits >= 224) strength = 112; else strength = 80; if (FIPS_rand_strength() >= strength) return 1; FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW); return 0; } #endif int EC_KEY_generate_key(EC_KEY *eckey) { int ok = 0; Loading @@ -305,14 +240,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; #ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED); return 0; } #endif if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); Loading @@ -334,11 +261,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; #ifdef OPENSSL_FIPS if (!fips_check_ec_prng(eckey)) goto err; #endif do if (!BN_rand_range(priv_key, order)) goto err; Loading @@ -359,15 +281,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) eckey->priv_key = priv_key; eckey->pub_key = pub_key; #ifdef OPENSSL_FIPS if(!fips_check_ec(eckey)) { eckey->priv_key = NULL; eckey->pub_key = NULL; goto err; } #endif ok=1; err: Loading crypto/ecdsa/ecdsa.h +0 −16 Original line number Diff line number Diff line Loading @@ -228,22 +228,6 @@ int ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg); void *ECDSA_get_ex_data(EC_KEY *d, int idx); #ifdef OPENSSL_FIPS /* Standalone FIPS signature operations */ ECDSA_SIG * FIPS_ecdsa_sign_digest(EC_KEY *key, const unsigned char *dig, int dlen); ECDSA_SIG * FIPS_ecdsa_sign_ctx(EC_KEY *key, EVP_MD_CTX *ctx); int FIPS_ecdsa_verify_digest(EC_KEY *key, const unsigned char *dig, int dlen, ECDSA_SIG *s); int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s); int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen, const EVP_MD *mhash, ECDSA_SIG *s); ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key, const unsigned char *msg, size_t msglen, const EVP_MD *mhash); #endif /** Allocates and initialize a ECDSA_METHOD structure * \param ecdsa_method pointer to ECDSA_METHOD to copy. (May be NULL) * \return pointer to a ECDSA_METHOD structure or NULL if an error occurred Loading crypto/ecdsa/ecs_ossl.c +0 −26 Original line number Diff line number Diff line Loading @@ -144,11 +144,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, goto err; } #ifdef OPENSSL_FIPS if (!fips_check_ec_prng(eckey)) goto err; #endif do { /* get random k */ Loading Loading @@ -289,14 +284,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSA_DATA *ecdsa; const BIGNUM *priv_key; #ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED); return NULL; } #endif ecdsa = ecdsa_check(eckey); group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); Loading @@ -307,11 +294,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, return NULL; } #ifdef OPENSSL_FIPS if (!fips_check_ec_prng(eckey)) return NULL; #endif ret = ECDSA_SIG_new(); if (!ret) { Loading Loading @@ -432,14 +414,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const EC_GROUP *group; const EC_POINT *pub_key; #ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED); return -1; } #endif /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) Loading Loading
crypto/ec/ec_key.c +0 −87 Original line number Diff line number Diff line Loading @@ -233,71 +233,6 @@ int EC_KEY_up_ref(EC_KEY *r) return ((i > 1) ? 1 : 0); } #ifdef OPENSSL_FIPS #include <openssl/evp.h> #include <openssl/fips.h> #include <openssl/fips_rand.h> static int fips_check_ec(EC_KEY *key) { EVP_PKEY pk; unsigned char tbs[] = "ECDSA Pairwise Check Data"; pk.type = EVP_PKEY_EC; pk.pkey.ec = key; if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE, &pk, tbs, 0, NULL, 0, NULL, 0, NULL)) { FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED); fips_set_selftest_fail(); return 0; } return 1; } int fips_check_ec_prng(EC_KEY *ec) { int bits, strength; if (!FIPS_module_mode()) return 1; if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED)) return 1; if (!ec->group) return 1; bits = BN_num_bits(&ec->group->order); if (bits < 160) { FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_KEY_TOO_SHORT); return 0; } /* Comparable algorithm strengths: from SP800-57 table 2 */ if (bits >= 512) strength = 256; else if (bits >= 384) strength = 192; else if (bits >= 256) strength = 128; else if (bits >= 224) strength = 112; else strength = 80; if (FIPS_rand_strength() >= strength) return 1; FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW); return 0; } #endif int EC_KEY_generate_key(EC_KEY *eckey) { int ok = 0; Loading @@ -305,14 +240,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; #ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED); return 0; } #endif if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); Loading @@ -334,11 +261,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; #ifdef OPENSSL_FIPS if (!fips_check_ec_prng(eckey)) goto err; #endif do if (!BN_rand_range(priv_key, order)) goto err; Loading @@ -359,15 +281,6 @@ int EC_KEY_generate_key(EC_KEY *eckey) eckey->priv_key = priv_key; eckey->pub_key = pub_key; #ifdef OPENSSL_FIPS if(!fips_check_ec(eckey)) { eckey->priv_key = NULL; eckey->pub_key = NULL; goto err; } #endif ok=1; err: Loading
crypto/ecdsa/ecdsa.h +0 −16 Original line number Diff line number Diff line Loading @@ -228,22 +228,6 @@ int ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg); void *ECDSA_get_ex_data(EC_KEY *d, int idx); #ifdef OPENSSL_FIPS /* Standalone FIPS signature operations */ ECDSA_SIG * FIPS_ecdsa_sign_digest(EC_KEY *key, const unsigned char *dig, int dlen); ECDSA_SIG * FIPS_ecdsa_sign_ctx(EC_KEY *key, EVP_MD_CTX *ctx); int FIPS_ecdsa_verify_digest(EC_KEY *key, const unsigned char *dig, int dlen, ECDSA_SIG *s); int FIPS_ecdsa_verify_ctx(EC_KEY *key, EVP_MD_CTX *ctx, ECDSA_SIG *s); int FIPS_ecdsa_verify(EC_KEY *key, const unsigned char *msg, size_t msglen, const EVP_MD *mhash, ECDSA_SIG *s); ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key, const unsigned char *msg, size_t msglen, const EVP_MD *mhash); #endif /** Allocates and initialize a ECDSA_METHOD structure * \param ecdsa_method pointer to ECDSA_METHOD to copy. (May be NULL) * \return pointer to a ECDSA_METHOD structure or NULL if an error occurred Loading
crypto/ecdsa/ecs_ossl.c +0 −26 Original line number Diff line number Diff line Loading @@ -144,11 +144,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, goto err; } #ifdef OPENSSL_FIPS if (!fips_check_ec_prng(eckey)) goto err; #endif do { /* get random k */ Loading Loading @@ -289,14 +284,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSA_DATA *ecdsa; const BIGNUM *priv_key; #ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED); return NULL; } #endif ecdsa = ecdsa_check(eckey); group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); Loading @@ -307,11 +294,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, return NULL; } #ifdef OPENSSL_FIPS if (!fips_check_ec_prng(eckey)) return NULL; #endif ret = ECDSA_SIG_new(); if (!ret) { Loading Loading @@ -432,14 +414,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const EC_GROUP *group; const EC_POINT *pub_key; #ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED); return -1; } #endif /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) Loading
Tim Hudson <tjh@openssl.org>Tim Hudson <tjh@openssl.org>