diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2021-02-17 13:00:34 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2021-02-22 13:31:31 +1000 |
| commit | 4718326a46ad460fefc5cc240a8599af4b5993c7 (patch) | |
| tree | be4beed6f52122d46ebba91baf9fb59ba586f918 /providers/implementations/keymgmt | |
| parent | 681618cfc18b4f01f2c07e823308d30f6f47504b (diff) | |
Add EVP_PKEY_public_check_quick.
Adding the EVP_PKEY_param_check_quick() reminded me that there are also
partial checks for public keys as part of SP800-56A for FFC (DH named safe
prime groups) and ECC. The code was mainly already there and just needed
to be plumbed into the validate methods.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14206)
Diffstat (limited to 'providers/implementations/keymgmt')
| -rw-r--r-- | providers/implementations/keymgmt/dh_kmgmt.c | 13 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/ec_kmgmt.c | 16 |
2 files changed, 22 insertions, 7 deletions
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 96886840f0..a967309644 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -345,14 +345,21 @@ static int dh_set_params(void *key, const OSSL_PARAM params[]) return 1; } -static int dh_validate_public(const DH *dh) +static int dh_validate_public(const DH *dh, int checktype) { const BIGNUM *pub_key = NULL; + int res = 0; DH_get0_key(dh, &pub_key, NULL); if (pub_key == NULL) return 0; - return DH_check_pub_key_ex(dh, pub_key); + + /* The partial test is only valid for named group's with q = (p - 1) / 2 */ + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK + && ossl_dh_is_named_safe_prime_group(dh)) + return dh_check_pub_key_partial(dh, pub_key, &res); + + return DH_check_pub_key(dh, pub_key, &res); } static int dh_validate_private(const DH *dh) @@ -390,7 +397,7 @@ static int dh_validate(const void *keydata, int selection, int checktype) } if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && dh_validate_public(dh); + ok = ok && dh_validate_public(dh, checktype); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && dh_validate_private(dh); diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 33abdc8692..f612d8ed0e 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -852,8 +852,12 @@ int sm2_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && ec_key_public_check(eck, ctx); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + ok = ok && ec_key_public_check_quick(eck, ctx); + else + ok = ok && ec_key_public_check(eck, ctx); + } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && sm2_key_private_check(eck); @@ -894,8 +898,12 @@ int ec_validate(const void *keydata, int selection, int checktype) ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - ok = ok && ec_key_public_check(eck, ctx); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + ok = ok && ec_key_public_check_quick(eck, ctx); + else + ok = ok && ec_key_public_check(eck, ctx); + } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && ec_key_private_check(eck); |