From 5b234be4c44f5b178bc69da3d610ae1b70441873 Mon Sep 17 00:00:00 2001 From: Pauli Date: Wed, 26 Oct 2022 11:48:07 +1100 Subject: dsa/ec: update pairwise tests to account for 140-3 IG 10.3.A additiocal comment 1 This mandates following SP 800-56A which, in 5.6.2.4, mandates a comparision against a newly calculated public key. Co-authored-by: Randall Steck Co-authored-by: Mark J. Minnoch Co-authored-by: Steve Weymann Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/19510) --- crypto/ec/ec_key.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) (limited to 'crypto/ec') diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 4d0faa64c7..58b283dd8c 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -237,6 +237,56 @@ int ossl_ec_key_gen(EC_KEY *eckey) return ret; } +/* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + EC_POINT *pub_key2 = EC_POINT_new(eckey->group); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + return 0; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_ECDSA); + + /* pub_key = priv_key * G (where G is a point on the curve) */ + if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx)) + goto err; + + if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2->X, bytes); + if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes) + && BN_bin2bn(bytes, len, pub_key2->X) == NULL) + goto err; + ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + EC_POINT_free(pub_key2); + return ret; +} + /* * ECC Key generation. * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" @@ -333,7 +383,8 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); - ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); + ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg) + && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg); } err: /* Step (9): If there is an error return an invalid keypair. */ @@ -530,6 +581,11 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; } + /* Perform a second check on the public key */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } if (!EC_POINT_is_at_infinity(eckey->group, point)) { ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER); goto err; -- cgit v1.2.3