X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Fecdsa%2Fecs_ossl.c;h=8336bceb673b6fcd96552a8fa7ed2a9e2e50d83a;hb=244ed51a0dad5f52233b46be716defcfe7bc77ff;hp=3518bb02e12350cace57f6c6e7ad05f2f56ebaf3;hpb=cac4fb58e02d8cf799d75212179f56c69e652ec7;p=oweals%2Fopenssl.git

diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 3518bb02e1..8336bceb67 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -79,7 +79,7 @@ static ECDSA_METHOD openssl_ecdsa_meth = {
 	NULL, /* init     */
 	NULL, /* finish   */
 #endif
-	0,    /* flags    */
+	ECDSA_FLAG_FIPS_METHOD,    /* flags    */
 	NULL  /* app_data */
 };
 
@@ -151,6 +151,14 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
 			}
 		while (BN_is_zero(k));
 
+		/* We do not want timing information to leak the length of k,
+		 * so we compute G*k using an equivalent scalar of fixed
+		 * bit-length. */
+
+		if (!BN_add(k, k, order)) goto err;
+		if (BN_num_bits(k) <= BN_num_bits(order))
+			if (!BN_add(k, k, order)) goto err;
+
 		/* compute r the x-coordinate of generator * k */
 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
 		{
@@ -230,6 +238,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 	ECDSA_DATA *ecdsa;
 	const BIGNUM *priv_key;
 
+#ifdef OPENSSL_FIPS
+	if(FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
+		return NULL;
+		}
+#endif
+
 	ecdsa    = ecdsa_check(eckey);
 	group    = EC_KEY_get0_group(eckey);
 	priv_key = EC_KEY_get0_private_key(eckey);
@@ -365,6 +381,14 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 	const EC_GROUP *group;
 	const EC_POINT *pub_key;
 
+#ifdef OPENSSL_FIPS
+	if(FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
+		return -1;
+		}
+#endif
+
 	/* check input values */
 	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
 	    (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)