In the 1.0.2 branch, commit 94c2f77a62be7079ab1893ab14b18a30157c4532 adds 
functions to set fields of the ECDSA_METHOD structure.
One of these functions sets the flags. Until now the ECDSA flags have been defined only 
in a non-installed header.


1) "0003-move-some-ECDSA_METHOD-declarations-after-descriptio.patch"
The first patch is a cosmetic correction to the above-mentioned commit: it moves some 
declarations after their descriptions.

2) "0004-public-flag-ECDSA_FLAG_FIPS_METHOD.patch"
The actual patch, which moves the ECDSA flags to the public header.

3) "0005-remove-unused-flag-EC_FLAG_FIPS_CHECKED.patch"

OpenSSL describes the flag EC_FLAG_FIPS_CHECKED, but this flag is not used 
in a FIPS-enabled OpenSSL build. It seems to me that setting the flag 
ECDSA_FLAG_FIPS_METHOD is enough to allow an ECDSA method to work in FIPS mode.


Regards,
Roumen Petrov



>From 4e21555550fb50fc07e1edd38938f3d3c32e8438 Mon Sep 17 00:00:00 2001
From: Roumen Petrov <open...@roumenpetrov.info>
Date: Thu, 14 Jan 2016 20:52:34 +0200
Subject: [PATCH 3/5] move some ECDSA_METHOD declarations after description

---
 crypto/ecdsa/ecdsa.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index a6f0930..759a9b4 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -288,20 +288,20 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method,
                                                      const ECDSA_SIG *sig,
                                                      EC_KEY *eckey));
 
-void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);
-
 /**  Set the flags field in the ECDSA_METHOD
  *   \param  ecdsa_method  pointer to existing ECDSA_METHOD
  *   \param  flags flags value to set
  */
 
-void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name);
+void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);
 
 /**  Set the name field in the ECDSA_METHOD
  *   \param  ecdsa_method  pointer to existing ECDSA_METHOD
  *   \param  name name to set
  */
 
+void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name);
+
 /* BEGIN ERROR CODES */
 /*
  * The following lines are auto generated by the script mkerr.pl. Any changes
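Review bot: ECDSA_METHOD_set_name, now declared directly below its Doxygen block, still takes `char *name` although a setter like this presumably only stores the pointer (its body is not on this page); `void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, const char *name);` would let callers pass string literals without a cast and stays source-compatible for existing callers. The blank line kept between each `*/` and the prototype it documents (after the set_flags block and after the set_name block) could also be dropped so each comment sits directly on the declaration it describes.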
-- 
1.8.4


>From c80719cbed504c390c069038e9e3ea7fcd7901ad Mon Sep 17 00:00:00 2001
From: Roumen Petrov <open...@roumenpetrov.info>
Date: Thu, 14 Jan 2016 20:53:15 +0200
Subject: [PATCH 4/5] public flag ECDSA_FLAG_FIPS_METHOD

---
 crypto/ecdsa/ecdsa.h    | 9 +++++++++
 crypto/ecdsa/ecs_locl.h | 9 ---------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index 759a9b4..7b432b9 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -295,6 +295,15 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method,
 
 void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);
 
+/*
+ * If this flag is set the ECDSA method is FIPS compliant and can be used in
+ * FIPS mode. This is set in the validated module method. If an application
+ * sets this flag in its own methods it is its responsibility to ensure the
+ * result is compliant.
+ */
+
+# define ECDSA_FLAG_FIPS_METHOD  0x1
+
 /**  Set the name field in the ECDSA_METHOD
  *   \param  ecdsa_method  pointer to existing ECDSA_METHOD
  *   \param  name name to set
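Review bot: The newly public `ECDSA_FLAG_FIPS_METHOD` shares the `flags` field of `struct ecdsa_method` with the internal `ECDSA_METHOD_FLAG_ALLOCATED 0x2` that stays in ecs_locl.h (second hunk of this patch), yet the moved comment gives an application no hint that bit 0x2 is reserved. How ECDSA_METHOD_set_flags combines its argument with the existing field is not on this page; if it assigns rather than ORs, an application calling `ECDSA_METHOD_set_flags(m, ECDSA_FLAG_FIPS_METHOD)` on a method from ECDSA_METHOD_new would silently clear the allocated marker, and if it ORs the allocated bit in unconditionally, a static method could be marked as heap-allocated — either way the public contract should pin this down. I would extend the comment with ` * Bit 0x2 is reserved for internal use (ECDSA_METHOD_FLAG_ALLOCATED in ecs_locl.h); applications must not set or clear it.` and have the setter mask the internal bits. Placing the define between the set_flags and set_name prototypes also splits the run of ECDSA_METHOD_set_* documentation; grouping it with the other flag defines or next to the ECDSA_METHOD typedef would read better.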
diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h
index d3a5efc..4cd5a21 100644
--- a/crypto/ecdsa/ecs_locl.h
+++ b/crypto/ecdsa/ecs_locl.h
@@ -86,15 +86,6 @@ struct ecdsa_method {
 
 # define ECDSA_METHOD_FLAG_ALLOCATED 0x2
 
-/*
- * If this flag is set the ECDSA method is FIPS compliant and can be used in
- * FIPS mode. This is set in the validated module method. If an application
- * sets this flag in its own methods it is its responsibility to ensure the
- * result is compliant.
- */
-
-# define ECDSA_FLAG_FIPS_METHOD  0x1
-
 typedef struct ecdsa_data_st {
     /* EC_KEY_METH_DATA part */
     int (*init) (EC_KEY *);
-- 
1.8.4


>From f7339510f472eacdafb0343bb14907de15102c18 Mon Sep 17 00:00:00 2001
From: Roumen Petrov <open...@roumenpetrov.info>
Date: Thu, 14 Jan 2016 21:07:47 +0200
Subject: [PATCH 5/5] remove unused flag EC_FLAG_FIPS_CHECKED

---
 crypto/ec/ec.h            | 1 -
 doc/crypto/EC_KEY_new.pod | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index 81e6faf..9146bc3 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -746,7 +746,6 @@ typedef struct ec_key_st EC_KEY;
 
 /* some values for the flags field */
 # define EC_FLAG_NON_FIPS_ALLOW  0x1
-# define EC_FLAG_FIPS_CHECKED    0x2
 
 /** Creates a new EC_KEY object.
  *  \return EC_KEY object or NULL if an error occurred.
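Review bot: Dropping `EC_FLAG_FIPS_CHECKED` from the installed ec.h of the 1.0.2 stable branch is a source-compatibility break for any third-party code that references the name, even if nothing in this tree uses it; the OpenSSL FIPS Object Module is built from a separate source tree, so "unused in a FIPS-enabled build" cannot be confirmed from this tree alone. Removing the definition also frees bit 0x2 for reuse, and a later flag assigned 0x2 would be set unintentionally by binaries built against the old header. In a stable branch I would keep the line and mark it instead: `# define EC_FLAG_FIPS_CHECKED    0x2 /* unused; retained for source compatibility, do not reuse this bit */`, with the EC_KEY_new.pod sentence (second hunk of this patch) noting that the flag has no effect rather than deleting it.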
diff --git a/doc/crypto/EC_KEY_new.pod b/doc/crypto/EC_KEY_new.pod
index 0fa2de1..00dba25 100644
--- a/doc/crypto/EC_KEY_new.pod
+++ b/doc/crypto/EC_KEY_new.pod
@@ -73,7 +73,7 @@ of point_conversion_forms please refer to L<EC_POINT_new(3)|EC_POINT_new(3)>.
 EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the
 elliptic curve scheme being used with the EC_KEY object. This data is treated as a "black box" by the ec library. The data to be stored by EC_KEY_insert_key_method_data is provided in the B<data> parameter, which must have associated functions for duplicating, freeing and "clear_freeing" the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the functions for duplicating, freeing and "clear_freeing" the data item must be provided again, and they must be the same as they were when the data item was inserted.
 
-EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flags are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state.
+EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flag is EC_FLAG_NON_FIPS_ALLOW. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state.
 
 EC_KEY_set_asn1_flag sets the asn1_flag on the underlying EC_GROUP object (if set). Refer to L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for further information on the asn1_flag.
 
-- 
1.8.4

