From: Pauli Date: Wed, 26 Oct 2022 00:48:07 +0000 (+1100) Subject: dsa/ec: update pairwise tests to account for 140-3 IG 10.3.A additiocal comment 1 X-Git-Tag: openssl-3.2.0-alpha1~1813 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b234be4c44f5b178bc69da3d610ae1b70441873;p=thirdparty%2Fopenssl.git dsa/ec: update pairwise tests to account for 140-3 IG 10.3.A additiocal comment 1 This mandates following SP 800-56A which, in 5.6.2.4, mandates a comparision against a newly calculated public key. Co-authored-by: Randall Steck Co-authored-by: Mark J. Minnoch Co-authored-by: Steve Weymann Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/19510) --- diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 1f951a9d36a..e8c83596341 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -59,6 +59,54 @@ err: return ret; } +/* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int dsa_keygen_knownanswer_test(DSA *dsa, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + BIGNUM *pub_key2 = BN_new(); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + goto err; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_DSA); + + if (!ossl_dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key2)) + goto err; + + if (BN_num_bytes(pub_key2) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2, bytes); + OSSL_SELF_TEST_oncorrupt_byte(st, bytes); + if (BN_bin2bn(bytes, len, pub_key2) != NULL) + ret = !BN_cmp(dsa->pub_key, pub_key2); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + BN_free(pub_key2); + return ret; +} + static int dsa_keygen(DSA *dsa, int pairwise_test) { int ok = 0; @@ -113,7 +161,8 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(dsa->libctx, &cb, &cbarg); - ok = dsa_keygen_pairwise_test(dsa, cb, cbarg); + ok = dsa_keygen_pairwise_test(dsa, cb, cbarg) + && dsa_keygen_knownanswer_test(dsa, ctx, cb, cbarg); if (!ok) { ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); BN_free(dsa->pub_key); diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 4d0faa64c72..58b283dd8cd 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -237,6 +237,56 @@ int ossl_ec_key_gen(EC_KEY *eckey) return ret; } +/* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + EC_POINT *pub_key2 = EC_POINT_new(eckey->group); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + return 0; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_ECDSA); + + /* pub_key = priv_key * G (where G is a point on the curve) */ + if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx)) + goto err; + + if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2->X, bytes); + if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes) + && BN_bin2bn(bytes, len, pub_key2->X) == NULL) + goto err; + ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + EC_POINT_free(pub_key2); + return ret; +} + /* * ECC Key generation. * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" @@ -333,7 +383,8 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); - ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); + ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg) + && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg); } err: /* Step (9): If there is an error return an invalid keypair. */ @@ -530,6 +581,11 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; } + /* Perform a second check on the public key */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } if (!EC_POINT_is_at_infinity(eckey->group, point)) { ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER); goto err;