diff options
author | Pauli <pauli@openssl.org> | 2022-10-26 11:48:07 +1100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2022-11-02 08:42:46 +1100 |
commit | 5b234be4c44f5b178bc69da3d610ae1b70441873 (patch) | |
tree | f2066d96699faa345857a2f6eaa3abcec77a72dd | |
parent | fc0bb3411bd0c6ca264f610303933d0bf4f4682c (diff) |
dsa/ec: update pairwise tests to account for 140-3 IG 10.3.A additiocal comment 1
This mandates following SP 800-56A which, in 5.6.2.4, mandates a comparision
against a newly calculated public key.
Co-authored-by: Randall Steck <rsteck@thinqsoft.com>
Co-authored-by: Mark J. Minnoch <mark@keypair.us>
Co-authored-by: Steve Weymann <steve@keypair.us>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)
-rw-r--r-- | crypto/dsa/dsa_key.c | 51 | ||||
-rw-r--r-- | crypto/ec/ec_key.c | 58 |
2 files changed, 107 insertions, 2 deletions
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 1f951a9d36..e8c8359634 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -59,6 +59,54 @@ err: return ret; } +/* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int dsa_keygen_knownanswer_test(DSA *dsa, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + BIGNUM *pub_key2 = BN_new(); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + goto err; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_DSA); + + if (!ossl_dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key2)) + goto err; + + if (BN_num_bytes(pub_key2) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2, bytes); + OSSL_SELF_TEST_oncorrupt_byte(st, bytes); + if (BN_bin2bn(bytes, len, pub_key2) != NULL) + ret = !BN_cmp(dsa->pub_key, pub_key2); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + BN_free(pub_key2); + return ret; +} + static int dsa_keygen(DSA *dsa, int pairwise_test) { int ok = 0; @@ -113,7 +161,8 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(dsa->libctx, &cb, &cbarg); - ok = dsa_keygen_pairwise_test(dsa, cb, cbarg); + ok = dsa_keygen_pairwise_test(dsa, cb, cbarg) + && dsa_keygen_knownanswer_test(dsa, ctx, cb, cbarg); if (!ok) { ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); BN_free(dsa->pub_key); diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 4d0faa64c7..58b283dd8c 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -238,6 +238,56 @@ int ossl_ec_key_gen(EC_KEY *eckey) } /* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + EC_POINT *pub_key2 = EC_POINT_new(eckey->group); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + return 0; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_ECDSA); + + /* pub_key = priv_key * G (where G is a point on the curve) */ + if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx)) + goto err; + + if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2->X, bytes); + if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes) + && BN_bin2bn(bytes, len, pub_key2->X) == NULL) + goto err; + ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + EC_POINT_free(pub_key2); + return ret; +} + +/* * ECC Key generation. * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" * @@ -333,7 +383,8 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); - ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); + ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg) + && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg); } err: /* Step (9): If there is an error return an invalid keypair. */ @@ -530,6 +581,11 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; } + /* Perform a second check on the public key */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } if (!EC_POINT_is_at_infinity(eckey->group, point)) { ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER); goto err; |