Make the EC code available from inside the FIPS provider

[thirdparty/openssl.git] / crypto / ec / ec_check.c

diff --git a/crypto/ec/ec_check.c b/crypto/ec/ec_check.c
index 315b9fd4dfadfed9eb956c47ba2e40d47644fd25..974fcb24462d9789c974632b5980202023f4304e 100644 (file)
--- a/crypto/ec/ec_check.c
+++ b/crypto/ec/ec_check.c
@@ -10,13 +10,30 @@
 #include "ec_lcl.h"
 #include <openssl/err.h>
 
-int EC_GROUP_check_named_curve(const EC_GROUP *group, int nist_only)
+int EC_GROUP_check_named_curve(const EC_GROUP *group, int nist_only,
+                               BN_CTX *ctx)
 {
-    int nid;
+    int nid = NID_undef;
+#ifndef FIPS_MODE
+    BN_CTX *new_ctx = NULL;
+
+    if (ctx == NULL) {
+        ctx = new_ctx = BN_CTX_new();
+        if (ctx == NULL) {
+            ECerr(EC_F_EC_GROUP_CHECK_NAMED_CURVE, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+    }
+#endif
 
-    nid = ec_curve_nid_from_params(group);
+    nid = ec_curve_nid_from_params(group, ctx);
     if (nid > 0 && nist_only && EC_curve_nid2nist(nid) == NULL)
         nid = NID_undef;
+
+#ifndef FIPS_MODE
+ err:
+    BN_CTX_free(ctx);
+#endif
     return nid;
 }
 
@@ -27,7 +44,7 @@ int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)
     * ECC domain parameter validation.
     * See SP800-56A R3 5.5.2 "Assurances of Domain-Parameter Validity" Part 1b.
     */
-    return EC_GROUP_check_named_curve(group, 1) >= 0 ? 1 : 0;
+    return EC_GROUP_check_named_curve(group, 1, ctx) >= 0 ? 1 : 0;
 #else
     int ret = 0;
     const BIGNUM *order;