diff options
author | Daiki Ueno <ueno@gnu.org> | 2020-06-26 10:21:26 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-08-31 08:12:54 +0200 |
commit | 07c80a2d677e9bebeaab0974deca21693fb173f6 (patch) | |
tree | 5649e5379af9508e9738081b3dca24cd2dccb561 /lib/dh.h | |
parent | f643e418e5e5220fe2e332c99275808229ce59ae (diff) | |
download | gnutls-07c80a2d677e9bebeaab0974deca21693fb173f6.tar.gz |
dhe: check if DH params in SKE match the FIPS approved algorithms
SP800-56A rev. 3 restricts the FIPS compliant clients to use only
approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a
check in the handling of ServerKeyExchange if DHE is negotiated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib/dh.h')
-rw-r--r-- | lib/dh.h | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -60,4 +60,10 @@ extern const gnutls_datum_t gnutls_modp_2048_group_q; extern const gnutls_datum_t gnutls_modp_2048_group_generator; extern const unsigned int gnutls_modp_2048_key_bits; +unsigned +_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, + size_t prime_size, + const uint8_t *generator, + size_t generator_size); + #endif /* GNUTLS_LIB_DH_H */ |