From 4718326a46ad460fefc5cc240a8599af4b5993c7 Mon Sep 17 00:00:00 2001
From: Shane Lontis
Date: Wed, 17 Feb 2021 13:00:34 +1000
Subject: Add EVP_PKEY_public_check_quick.

Adding the EVP_PKEY_param_check_quick() reminded me that there are also partial checks for public keys as part of SP800-56A for FFC (DH named safe prime groups) and ECC. The code was mainly already there and just needed to be plumbed into the validate methods.

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/14206)
---
 providers/implementations/keymgmt/dh_kmgmt.c | 13 ++++++++++---
 providers/implementations/keymgmt/ec_kmgmt.c | 16 ++++++++++++----
 2 files changed, 22 insertions(+), 7 deletions(-)
(limited to 'providers/implementations/keymgmt')

diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 96886840f0..a967309644 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -345,14 +345,21 @@ static int dh_set_params(void *key, const OSSL_PARAM params[])
     return 1;
 }
 
-static int dh_validate_public(const DH *dh)
+static int dh_validate_public(const DH *dh, int checktype)
 {
     const BIGNUM *pub_key = NULL;
+    int res = 0;
 
     DH_get0_key(dh, &pub_key, NULL);
     if (pub_key == NULL)
         return 0;
-    return DH_check_pub_key_ex(dh, pub_key);
+
+    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
+    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
+        && ossl_dh_is_named_safe_prime_group(dh))
+        return dh_check_pub_key_partial(dh, pub_key, &res);
+
+    return DH_check_pub_key(dh, pub_key, &res);
 }
 
 static int dh_validate_private(const DH *dh)
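Review bot: In the two new return paths of dh_validate_public, `res` is filled in by `dh_check_pub_key_partial` and `DH_check_pub_key` but never read, and replacing `DH_check_pub_key_ex` with the plain variant drops the error-stack reason the `_ex` call reports, so a caller of the validate method is left with a bare pass/fail. If either helper can return 1 while recording failure flags in `*res` (the contract of the classic `DH_check_pub_key` API), a failing key would be accepted here — confirm against the underlying FFC validation routine, or make the outcome explicit for both calls: `if (!DH_check_pub_key(dh, pub_key, &res)) return 0; return res == 0;`. The new comment has a typo (`group's` should be `groups`) and would help a reader more if it also said that a QUICK_CHECK request on a group that is not a named safe-prime group silently falls through to the full check, e.g. `/* The partial test is only valid for named groups with q = (p - 1) / 2; other groups always get the full check */`.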
@@ -390,7 +397,7 @@ static int dh_validate(const void *keydata, int selection, int checktype)
     }
 
     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
-        ok = ok && dh_validate_public(dh);
+        ok = ok && dh_validate_public(dh, checktype);
 
     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
         ok = ok && dh_validate_private(dh);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 33abdc8692..f612d8ed0e 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -852,8 +852,12 @@ int sm2_validate(const void *keydata, int selection, int checktype)
     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
         ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
 
-    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
-        ok = ok && ec_key_public_check(eck, ctx);
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+        if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+            ok = ok && ec_key_public_check_quick(eck, ctx);
+        else
+            ok = ok && ec_key_public_check(eck, ctx);
+    }
 
     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
         ok = ok && sm2_key_private_check(eck);
@@ -894,8 +898,12 @@ int ec_validate(const void *keydata, int selection, int checktype)
         ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
     }
 
-    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
-        ok = ok && ec_key_public_check(eck, ctx);
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+        if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+            ok = ok && ec_key_public_check_quick(eck, ctx);
+        else
+            ok = ok && ec_key_public_check(eck, ctx);
+    }
 
     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
         ok = ok && ec_key_private_check(eck);
-- 
cgit v1.2.3
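Review bot: The six-line checktype dispatch added to sm2_validate here is repeated verbatim in ec_validate in the following hunk; a small static helper keeps the two selection sites to one line each and gives the quick/full distinction a single place to be documented. The quick variant is, as far as I recall, the SP800-56A partial public-key check that omits the order test on the point, which is worth stating in the helper's comment so a reader of the validate methods knows what a QUICK_CHECK does not cover — confirm against ec_key_public_check_quick before committing to that wording. Both enclosing functions start outside their hunks, so the parameter types below are taken from how `eck` and `ctx` are used in the hunks and should be matched to their declarations.

```c
/* Public-key check selected by checktype: the QUICK variant is the
 * SP800-56A partial check, anything else gets the full check. */
static int ec_check_public(const EC_KEY *eck, BN_CTX *ctx, int checktype)
{
    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
        return ec_key_public_check_quick(eck, ctx);
    return ec_key_public_check(eck, ctx);
}

/* … unchanged: sm2_validate up to the public-key selection … */
    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
        ok = ok && ec_check_public(eck, ctx, checktype);
```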