Add PWCT for RSA and ECDSA for FIPS 140-2. Since only the consumers knows whether an EC key will be used for ECDSA or ECDHE, it is part of the FIPS policy for the consumer to check the validity of the generated key before signing with it. Change-Id: Ie250f655c8fcb6a59cc7210def1e87eb958e9349 Reviewed-on: https://boringssl-review.googlesource.com/14745 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

commit: 400d0b7b5ea9cff8e4c4467d391ae7f071997957 [log] [tgz]
author: Steven Valdez <svaldez@google.com> Thu Apr 06 14:55:18 2017 -0400
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Apr 13 17:00:43 2017 +0000
tree: 56307205807966878fa6def71b0398b1225579e6
parent: 89abf7a466725d6e5f7c39b065fd9abb928d89da [diff] [blame]
diff --git a/include/openssl/ec_key.h b/include/openssl/ec_key.h
index 1dbae62..cb7ef10 100644
--- a/include/openssl/ec_key.h
+++ b/include/openssl/ec_key.h

@@ -159,6 +159,10 @@
  * about the problem can be found on the error stack. */
 OPENSSL_EXPORT int EC_KEY_check_key(const EC_KEY *key);
 
+/* EC_KEY_check_fips performs a signing pairwise consistency test (FIPS 140-2
+ * 4.9.2). It returns one if it passes and zero otherwise. */
+OPENSSL_EXPORT int EC_KEY_check_fips(const EC_KEY *key);
+
 /* EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to
  * (|x|, |y|). It returns one on success and zero otherwise. */
 OPENSSL_EXPORT int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key,
commit	400d0b7b5ea9cff8e4c4467d391ae7f071997957	[log] [tgz]
author	Steven Valdez <svaldez@google.com>	Thu Apr 06 14:55:18 2017 -0400
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Thu Apr 13 17:00:43 2017 +0000
tree	56307205807966878fa6def71b0398b1225579e6
parent	89abf7a466725d6e5f7c39b065fd9abb928d89da [diff] [blame]