In the 1.0.2 branch, commit 94c2f77a62be7079ab1893ab14b18a30157c4532 added functions to set the ECDSA_METHOD structure. One of the functions is to set flags. Until now ECDSA flags are defined only in a non-installed header.

1) "0003-move-some-ECDSA_METHOD-declarations-after-descriptio.patch"
The first patch is a cosmetic correction of the above mentioned commit: it moves some declarations after their description.

2) "0004-public-flag-ECDSA_FLAG_FIPS_METHOD.patch"
The actual patch, which moves the ECDSA flags to the public header.

3) "0005-remove-unused-flag-EC_FLAG_FIPS_CHECKED.patch"
OpenSSL describes the flag EC_FLAG_FIPS_CHECKED, but this flag is not used in a FIPS-enabled OpenSSL build.

It seems to me it is enough to set the flag ECDSA_FLAG_FIPS_METHOD to allow an ECDSA method to work in FIPS mode.

Regards,
Roumen Petrov
>From 4e21555550fb50fc07e1edd38938f3d3c32e8438 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Thu, 14 Jan 2016 20:52:34 +0200 Subject: [PATCH 3/5] move some ECDSA_METHOD declarations after description --- crypto/ecdsa/ecdsa.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index a6f0930..759a9b4 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -288,20 +288,20 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method, const ECDSA_SIG *sig, EC_KEY *eckey)); -void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags); - /** Set the flags field in the ECDSA_METHOD * \param ecdsa_method pointer to existing ECDSA_METHOD * \param flags flags value to set */ -void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name); +void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags); /** Set the name field in the ECDSA_METHOD * \param ecdsa_method pointer to existing ECDSA_METHOD * \param name name to set */ +void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name); + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes -- 1.8.4
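Review bot: this is a declaration-ordering fix only and the result reads correctly: the comment block "Set the flags field in the ECDSA_METHOD" now sits directly above `void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);` and the "Set the name field" block directly above `void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name);`, so each setter's documentation precedes its own declaration instead of the preceding one. Two small points: the extra blank line added before `/* BEGIN ERROR CODES */` is harmless but not needed, and the commit message should state that no prototype changes, so a reader of the 1.0.2 history does not mistake the moved lines for an API change.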
>From c80719cbed504c390c069038e9e3ea7fcd7901ad Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Thu, 14 Jan 2016 20:53:15 +0200 Subject: [PATCH 4/5] public flag ECDSA_FLAG_FIPS_METHOD --- crypto/ecdsa/ecdsa.h | 9 +++++++++ crypto/ecdsa/ecs_locl.h | 9 --------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index 759a9b4..7b432b9 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -295,6 +295,15 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method, void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags); +/* + * If this flag is set the ECDSA method is FIPS compliant and can be used in + * FIPS mode. This is set in the validated module method. If an application + * sets this flag in its own methods it is its responsibility to ensure the + * result is compliant. + */ + +# define ECDSA_FLAG_FIPS_METHOD 0x1 + /** Set the name field in the ECDSA_METHOD * \param ecdsa_method pointer to existing ECDSA_METHOD * \param name name to set diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h index d3a5efc..4cd5a21 100644 --- a/crypto/ecdsa/ecs_locl.h +++ b/crypto/ecdsa/ecs_locl.h @@ -86,15 +86,6 @@ struct ecdsa_method { # define ECDSA_METHOD_FLAG_ALLOCATED 0x2 -/* - * If this flag is set the ECDSA method is FIPS compliant and can be used in - * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its responsibility to ensure the - * result is compliant. - */ - -# define ECDSA_FLAG_FIPS_METHOD 0x1 - typedef struct ecdsa_data_st { /* EC_KEY_METH_DATA part */ int (*init) (EC_KEY *); -- 1.8.4
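Review bot: after this move, crypto/ecdsa/ecs_locl.h no longer shows that bit 0x1 is taken, while `# define ECDSA_METHOD_FLAG_ALLOCATED 0x2` stays private; add a comment beside ECDSA_METHOD_FLAG_ALLOCATED saying that 0x1 is reserved by ECDSA_FLAG_FIPS_METHOD in the public ecdsa.h, so a later private flag is not given the same value. The relocated comment ("If an application sets this flag in its own methods it is its responsibility to ensure the result is compliant") should be kept word for word in the public header: once the define is public, any caller of ECDSA_METHOD_set_flags can mark its own method as usable in FIPS mode, and the library does not verify that claim, so the documentation is the only place that responsibility is stated. Placing the define right after the ECDSA_METHOD_set_flags prototype, the function that consumes it, is the right spot.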
>From f7339510f472eacdafb0343bb14907de15102c18 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Thu, 14 Jan 2016 21:07:47 +0200 Subject: [PATCH 5/5] remove unused flag EC_FLAG_FIPS_CHECKED --- crypto/ec/ec.h | 1 - doc/crypto/EC_KEY_new.pod | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 81e6faf..9146bc3 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -746,7 +746,6 @@ typedef struct ec_key_st EC_KEY; /* some values for the flags field */ # define EC_FLAG_NON_FIPS_ALLOW 0x1 -# define EC_FLAG_FIPS_CHECKED 0x2 /** Creates a new EC_KEY object. * \return EC_KEY object or NULL if an error occurred. diff --git a/doc/crypto/EC_KEY_new.pod b/doc/crypto/EC_KEY_new.pod index 0fa2de1..00dba25 100644 --- a/doc/crypto/EC_KEY_new.pod +++ b/doc/crypto/EC_KEY_new.pod 
@@ -73,7 +73,7 @@ of point_conversion_forms please refer to L<EC_POINT_new(3)|EC_POINT_new(3)>. EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the elliptic curve scheme being used with the EC_KEY object. This data is treated as a "black box" by the ec library. The data to be stored by EC_KEY_insert_key_method_data is provided in the B<data> parameter, which must have associated functions for duplicating, freeing and "clear_freeing" the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the functions for duplicating, freeing and "clear_freeing" the data item must be provided again, and they must be the same as they were when the data item was inserted. -EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flags are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state. +EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flag is EC_FLAG_NON_FIPS_ALLOW. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state. EC_KEY_set_asn1_flag sets the asn1_flag on the underlying EC_GROUP object (if set). Refer to L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for further information on the asn1_flag. -- 1.8.4
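Review bot: deleting `# define EC_FLAG_FIPS_CHECKED 0x2` from crypto/ec/ec.h removes a symbol from a public, documented header (the same patch's pod hunk shows it listed as a "currently defined standard flag"), so on the 1.0.2 stable branch any application that references EC_FLAG_FIPS_CHECKED stops compiling, even though the flag had no effect. For a stable branch, consider keeping the define with a comment that it is unused and reserved, and doing the removal on the development branch; in either case the value 0x2 should not be reassigned to a new EC_KEY flag later, since applications built against older headers may still set it via EC_KEY_set_flags. The EC_KEY_new.pod change is consistent with the header and correctly keeps EC_FLAG_NON_FIPS_ALLOW and the ecdh.h note for EC_FLAG_COFACTOR_ECDH.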
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev