[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Sun Feb 16 03:08:14 UTC 2020
The branch master has been updated
via 8083fd3a183d4c881d6b15727cbc6cb7faeb3280 (commit)
from 98ad3fe82bd3e7e7f929dd1fa4ef3915426002c0 (commit)
- Log -----------------------------------------------------------------
commit 8083fd3a183d4c881d6b15727cbc6cb7faeb3280
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Sun Feb 16 13:03:46 2020 +1000
Add FFC param/key validation
Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes)
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10910)
-----------------------------------------------------------------------
Summary of changes:
crypto/dh/dh_check.c | 123 +++-
crypto/dh/dh_gen.c | 5 +-
crypto/dh/dh_group_params.c | 41 +-
crypto/dh/dh_key.c | 104 ++--
crypto/dh/dh_lib.c | 27 +-
crypto/dh/dh_local.h | 1 +
crypto/dsa/dsa_check.c | 85 +++
crypto/dsa/dsa_gen.c | 30 +-
crypto/dsa/dsa_key.c | 49 +-
crypto/dsa/dsa_lib.c | 26 +-
crypto/dsa/dsa_local.h | 4 +-
crypto/dsa/dsa_ossl.c | 7 +-
crypto/dsa/dsa_sign.c | 8 +-
crypto/ffc/build.info | 3 +-
crypto/ffc/ffc_key_generate.c | 20 +-
crypto/ffc/ffc_key_validate.c | 120 ++++
crypto/ffc/ffc_params_generate.c | 32 +-
crypto/ffc/ffc_params_validate.c | 80 +++
include/crypto/dh.h | 14 +-
include/crypto/dsa.h | 19 +-
include/internal/ffc.h | 41 +-
providers/implementations/exchange/dh_exch.c | 4 +-
providers/implementations/keymgmt/dh_kmgmt.c | 5 +-
providers/implementations/keymgmt/dsa_kmgmt.c | 2 +-
providers/implementations/signature/dsa.c | 3 +-
test/build.info | 7 +-
test/ffc_internal_test.c | 650 +++++++++++++++++++++
.../{01-test_sanity.t => 03-test_internal_ffc.t} | 5 +-
28 files changed, 1291 insertions(+), 224 deletions(-)
create mode 100644 crypto/dsa/dsa_check.c
create mode 100644 crypto/ffc/ffc_key_validate.c
create mode 100644 crypto/ffc/ffc_params_validate.c
create mode 100644 test/ffc_internal_test.c
copy test/recipes/{01-test_sanity.t => 03-test_internal_ffc.t} (72%)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 8bb245207b..4832230f6c 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -11,6 +11,7 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include "dh_local.h"
+#include "crypto/dh.h"
/*-
* Check that p and g are suitable enough
@@ -37,6 +38,28 @@ int DH_check_params_ex(const DH *dh)
return errflags == 0;
}
+#ifdef FIPS_MODE
+int DH_check_params(const DH *dh, int *ret)
+{
+ int nid;
+
+ *ret = 0;
+ /*
+ * SP800-56A R3 Section 5.5.2 Assurances of Domain Parameter Validity
+ * (1a) The domain parameters correspond to any approved safe prime group.
+ */
+ nid = DH_get_nid((DH *)dh);
+ if (nid != NID_undef)
+ return 1;
+ /*
+ * OR
+ * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
+ * validity tests.
+ */
+ return ffc_params_FIPS186_4_validate(&dh->params, FFC_PARAM_TYPE_DH, NULL,
+ FFC_PARAMS_VALIDATE_ALL, ret, NULL);
+}
+#else
int DH_check_params(const DH *dh, int *ret)
{
int ok = 0;
@@ -73,6 +96,7 @@ int DH_check_params(const DH *dh, int *ret)
BN_CTX_free(ctx);
return ok;
}
+#endif /* FIPS_MODE */
/*-
* Check that p is a safe prime and
@@ -107,11 +131,20 @@ int DH_check_ex(const DH *dh)
return errflags == 0;
}
+/* Note: according to documentation - this only checks the params */
int DH_check(const DH *dh, int *ret)
{
+#ifdef FIPS_MODE
+ return DH_check_params(dh, ret);
+#else
int ok = 0, r;
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
+ int nid = DH_get_nid((DH *)dh);
+
+ *ret = 0;
+ if (nid != NID_undef)
+ return 1;
if (!DH_check_params(dh, ret))
return 0;
@@ -171,6 +204,7 @@ int DH_check(const DH *dh, int *ret)
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ok;
+#endif /* FIPS_MODE */
}
int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
@@ -190,38 +224,83 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
return errflags == 0;
}
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation.
+ */
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+{
+ return ffc_validate_public_key(&dh->params, pub_key, ret);
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation.
+ * To only be used with ephemeral FFC public keys generated using the approved
+ * safe-prime groups.
+ */
+int dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret)
+{
+ return ffc_validate_public_key_partial(&dh->params, pub_key, ret);
+}
+
+int dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret)
{
int ok = 0;
- BIGNUM *tmp = NULL;
- BN_CTX *ctx = NULL;
+ BIGNUM *two_powN = NULL, *upper;
*ret = 0;
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
- BN_CTX_start(ctx);
- tmp = BN_CTX_get(ctx);
- if (tmp == NULL || !BN_set_word(tmp, 1))
- goto err;
- if (BN_cmp(pub_key, tmp) <= 0)
- *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
- if (BN_copy(tmp, dh->params.p) == NULL || !BN_sub_word(tmp, 1))
+ two_powN = BN_new();
+ if (two_powN == NULL)
+ return 0;
+ if (dh->params.q == NULL)
goto err;
- if (BN_cmp(pub_key, tmp) >= 0)
- *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+ upper = dh->params.q;
- if (dh->params.q != NULL) {
- /* Check pub_key^q == 1 mod p */
- if (!BN_mod_exp(tmp, pub_key, dh->params.q, dh->params.p, ctx))
+ /* Is it from an approved Safe prime group ?*/
+ if (DH_get_nid((DH *)dh) != NID_undef) {
+ if (!BN_lshift(two_powN, BN_value_one(), dh->length))
goto err;
- if (!BN_is_one(tmp))
- *ret |= DH_CHECK_PUBKEY_INVALID;
+ if (BN_cmp(two_powN, dh->params.q) < 0)
+ upper = two_powN;
}
+ if (!ffc_validate_private_key(upper, priv_key, ret))
+ goto err;
ok = 1;
- err:
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
+err:
+ BN_free(two_powN);
return ok;
}
+
+/*
+ * FFC pairwise check from SP800-56A R3.
+ * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
+ */
+int dh_check_pairwise(DH *dh)
+{
+ int ret = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL;
+
+ if (dh->params.p == NULL
+ || dh->params.g == NULL
+ || dh->priv_key == NULL
+ || dh->pub_key == NULL)
+ return 0;
+
+ ctx = BN_CTX_new_ex(dh->libctx);
+ if (ctx == NULL)
+ goto err;
+ pub_key = BN_new();
+ if (pub_key == NULL)
+ goto err;
+
+ /* recalculate the public key = (g ^ priv) mod p */
+ if (!dh_generate_public_key(ctx, dh, dh->priv_key, pub_key))
+ goto err;
+ /* check it matches the existing pubic_key */
+ ret = BN_cmp(pub_key, dh->pub_key) == 0;
+err:
+ BN_free(pub_key);
+ BN_CTX_free(ctx);
+ return ret;
+}
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 3d3bcb22b2..89264e9fa8 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -27,7 +27,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
* TODO(3.0): keygen should be able to use this method to do a FIPS186-4 style
* paramgen.
*/
-int dh_generate_ffc_parameters(OPENSSL_CTX *libctx, DH *dh, int bits,
+int dh_generate_ffc_parameters(DH *dh, int bits,
int qbits, int gindex, BN_GENCB *cb)
{
int ret, res;
@@ -38,7 +38,8 @@ int dh_generate_ffc_parameters(OPENSSL_CTX *libctx, DH *dh, int bits,
qbits = EVP_MD_size(evpmd) * 8;
}
dh->params.gindex = gindex;
- ret = ffc_params_FIPS186_4_generate(libctx, &dh->params, FFC_PARAM_TYPE_DH,
+ ret = ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
+ FFC_PARAM_TYPE_DH,
bits, qbits, NULL, &res, cb);
if (ret > 0)
dh->dirty_cnt++;
diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c
index 4996e854f5..6c057d1f1f 100644
--- a/crypto/dh/dh_group_params.c
+++ b/crypto/dh/dh_group_params.c
@@ -15,11 +15,16 @@
#include <openssl/bn.h>
#include <openssl/objects.h>
#include "crypto/bn_dh.h"
+#include "crypto/dh.h"
-static DH *dh_param_init(int nid, const BIGNUM *p, int32_t nbits)
+#ifndef FIPS_MODE
+static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid);
+
+static DH *dh_param_init(OPENSSL_CTX *libctx, int nid, const BIGNUM *p,
+ int32_t nbits)
{
BIGNUM *q = NULL;
- DH *dh = DH_new();
+ DH *dh = dh_new_with_ctx(libctx);
if (dh == NULL)
return NULL;
@@ -41,7 +46,7 @@ static DH *dh_param_init(int nid, const BIGNUM *p, int32_t nbits)
return dh;
}
-DH *DH_new_by_nid(int nid)
+static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid)
{
/*
* The last parameter specified in these fields is
@@ -50,35 +55,41 @@ DH *DH_new_by_nid(int nid)
*/
switch (nid) {
case NID_ffdhe2048:
- return dh_param_init(nid, &_bignum_ffdhe2048_p, 225);
+ return dh_param_init(libctx, nid, &_bignum_ffdhe2048_p, 225);
case NID_ffdhe3072:
- return dh_param_init(nid, &_bignum_ffdhe3072_p, 275);
+ return dh_param_init(libctx, nid, &_bignum_ffdhe3072_p, 275);
case NID_ffdhe4096:
- return dh_param_init(nid, &_bignum_ffdhe4096_p, 325);
+ return dh_param_init(libctx, nid, &_bignum_ffdhe4096_p, 325);
case NID_ffdhe6144:
- return dh_param_init(nid, &_bignum_ffdhe6144_p, 375);
+ return dh_param_init(libctx, nid, &_bignum_ffdhe6144_p, 375);
case NID_ffdhe8192:
- return dh_param_init(nid, &_bignum_ffdhe8192_p, 400);
+ return dh_param_init(libctx, nid, &_bignum_ffdhe8192_p, 400);
#ifndef FIPS_MODE
case NID_modp_1536:
- return dh_param_init(nid, &_bignum_modp_1536_p, 190);
+ return dh_param_init(libctx, nid, &_bignum_modp_1536_p, 190);
#endif
case NID_modp_2048:
- return dh_param_init(nid, &_bignum_modp_2048_p, 225);
+ return dh_param_init(libctx, nid, &_bignum_modp_2048_p, 225);
case NID_modp_3072:
- return dh_param_init(nid, &_bignum_modp_3072_p, 275);
+ return dh_param_init(libctx, nid, &_bignum_modp_3072_p, 275);
case NID_modp_4096:
- return dh_param_init(nid, &_bignum_modp_4096_p, 325);
+ return dh_param_init(libctx, nid, &_bignum_modp_4096_p, 325);
case NID_modp_6144:
- return dh_param_init(nid, &_bignum_modp_6144_p, 375);
+ return dh_param_init(libctx, nid, &_bignum_modp_6144_p, 375);
case NID_modp_8192:
- return dh_param_init(nid, &_bignum_modp_8192_p, 400);
+ return dh_param_init(libctx, nid, &_bignum_modp_8192_p, 400);
default:
- DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID);
+ DHerr(0, DH_R_INVALID_PARAMETER_NID);
return NULL;
}
}
+DH *DH_new_by_nid(int nid)
+{
+ return dh_new_by_nid_with_ctx(NULL, nid);
+}
+#endif
+
int DH_get_nid(DH *dh)
{
int nid = dh->params.nid;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 0bee75c058..14d35466f1 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -20,8 +20,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
static int dh_init(DH *dh);
static int dh_finish(DH *dh);
-int dh_compute_key(OPENSSL_CTX *libctx, unsigned char *key,
- const BIGNUM *pub_key, DH *dh)
+static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL;
@@ -41,7 +40,7 @@ int dh_compute_key(OPENSSL_CTX *libctx, unsigned char *key,
return 0;
}
- ctx = BN_CTX_new_ex(libctx);
+ ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
goto err;
BN_CTX_start(ctx);
@@ -81,18 +80,21 @@ int dh_compute_key(OPENSSL_CTX *libctx, unsigned char *key,
return ret;
}
-static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
- return dh_compute_key(NULL, key, pub_key, dh);
+#ifdef FIPS_MODE
+ return compute_key(key, pub_key, dh);
+#else
+ return dh->meth->compute_key(key, pub_key, dh);
+#endif
}
-int dh_compute_key_padded(OPENSSL_CTX *libctx, unsigned char *key,
- const BIGNUM *pub_key, DH *dh)
+int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
int rv, pad;
#ifdef FIPS_MODE
- rv = dh_compute_key(libctx, key, pub_key, dh);
+ rv = compute_key(key, pub_key, dh);
#else
rv = dh->meth->compute_key(key, pub_key, dh);
#endif
@@ -106,18 +108,6 @@ int dh_compute_key_padded(OPENSSL_CTX *libctx, unsigned char *key,
return rv + pad;
}
-#ifndef FIPS_MODE
-int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-{
- return dh->meth->compute_key(key, pub_key, dh);
-}
-
-int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-{
- return dh_compute_key_padded(NULL, key, pub_key, dh);
-}
-#endif
-
static DH_METHOD dh_ossl = {
"OpenSSL DH Method",
generate_key,
@@ -168,14 +158,46 @@ void DH_set_default_method(const DH_METHOD *meth)
{
default_DH_method = meth;
}
+#endif /* FIPS_MODE */
int DH_generate_key(DH *dh)
{
+#ifdef FIPS_MODE
+ return generate_key(dh);
+#else
return dh->meth->generate_key(dh);
+#endif
}
-#endif /* FIPS_MODE */
-static int dh_generate_key(OPENSSL_CTX *libctx, DH *dh)
+int dh_generate_public_key(BN_CTX *ctx, DH *dh, const BIGNUM *priv_key,
+ BIGNUM *pub_key)
+{
+ int ret = 0;
+ BIGNUM *prk = BN_new();
+ BN_MONT_CTX *mont = NULL;
+
+ if (prk == NULL)
+ return 0;
+
+ if (dh->flags & DH_FLAG_CACHE_MONT_P) {
+ mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
+ dh->lock, dh->params.p, ctx);
+ if (mont == NULL)
+ goto err;
+ }
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+
+ /* pub_key = g^priv_key mod p */
+ if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
+ ctx, mont))
+ goto err;
+ ret = 1;
+err:
+ BN_clear_free(prk);
+ return ret;
+}
+
+static int generate_key(DH *dh)
{
int ok = 0;
int generate_new_key = 0;
@@ -183,7 +205,6 @@ static int dh_generate_key(OPENSSL_CTX *libctx, DH *dh)
unsigned l;
#endif
BN_CTX *ctx = NULL;
- BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
@@ -196,7 +217,7 @@ static int dh_generate_key(OPENSSL_CTX *libctx, DH *dh)
return 0;
}
- ctx = BN_CTX_new_ex(libctx);
+ ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
goto err;
@@ -205,23 +226,17 @@ static int dh_generate_key(OPENSSL_CTX *libctx, DH *dh)
if (priv_key == NULL)
goto err;
generate_new_key = 1;
- } else
+ } else {
priv_key = dh->priv_key;
+ }
if (dh->pub_key == NULL) {
pub_key = BN_new();
if (pub_key == NULL)
goto err;
- } else
+ } else {
pub_key = dh->pub_key;
-
- if (dh->flags & DH_FLAG_CACHE_MONT_P) {
- mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
- dh->lock, dh->params.p, ctx);
- if (!mont)
- goto err;
}
-
if (generate_new_key) {
/* Is it an approved safe prime ?*/
if (DH_get_nid(dh) != NID_undef) {
@@ -274,22 +289,8 @@ static int dh_generate_key(OPENSSL_CTX *libctx, DH *dh)
}
}
- {
- BIGNUM *prk = BN_new();
-
- if (prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-
- /* pub_key = g^priv_key mod p */
- if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
- ctx, mont)) {
- BN_clear_free(prk);
- goto err;
- }
- /* We MUST free prk before any further use of priv_key */
- BN_clear_free(prk);
- }
+ if (!dh_generate_public_key(ctx, dh, priv_key, pub_key))
+ goto err;
dh->pub_key = pub_key;
dh->priv_key = priv_key;
@@ -307,11 +308,6 @@ static int dh_generate_key(OPENSSL_CTX *libctx, DH *dh)
return ok;
}
-static int generate_key(DH *dh)
-{
- return dh_generate_key(NULL, dh);
-}
-
int dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
{
int err_reason = DH_R_BN_ERROR;
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 0c1cccb5db..e6fc3ef2c5 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -16,6 +16,8 @@
#include "crypto/dh.h"
#include "dh_local.h"
+static DH *dh_new_intern(ENGINE *engine, OPENSSL_CTX *libctx);
+
#ifndef FIPS_MODE
int DH_set_method(DH *dh, const DH_METHOD *meth)
{
@@ -36,36 +38,47 @@ int DH_set_method(DH *dh, const DH_METHOD *meth)
meth->init(dh);
return 1;
}
-#endif /* !FIPS_MODE */
DH *DH_new(void)
{
- return DH_new_method(NULL);
+ return dh_new_intern(NULL, NULL);
}
DH *DH_new_method(ENGINE *engine)
+{
+ return dh_new_intern(engine, NULL);
+}
+#endif /* !FIPS_MODE */
+
+DH *dh_new_with_ctx(OPENSSL_CTX *libctx)
+{
+ return dh_new_intern(NULL, libctx);
+}
+
+static DH *dh_new_intern(ENGINE *engine, OPENSSL_CTX *libctx)
{
DH *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
- DHerr(DH_F_DH_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+ DHerr(0, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->references = 1;
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
- DHerr(DH_F_DH_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+ DHerr(0, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ret);
return NULL;
}
+ ret->libctx = libctx;
ret->meth = DH_get_default_method();
#if !defined(FIPS_MODE) && !defined(OPENSSL_NO_ENGINE)
ret->flags = ret->meth->flags; /* early default init */
if (engine) {
if (!ENGINE_init(engine)) {
- DHerr(DH_F_DH_NEW_METHOD, ERR_R_ENGINE_LIB);
+ DHerr(0, ERR_R_ENGINE_LIB);
goto err;
}
ret->engine = engine;
@@ -74,7 +87,7 @@ DH *DH_new_method(ENGINE *engine)
if (ret->engine) {
ret->meth = ENGINE_get_DH(ret->engine);
if (ret->meth == NULL) {
- DHerr(DH_F_DH_NEW_METHOD, ERR_R_ENGINE_LIB);
+ DHerr(0, ERR_R_ENGINE_LIB);
goto err;
}
}
@@ -88,7 +101,7 @@ DH *DH_new_method(ENGINE *engine)
#endif /* FIPS_MODE */
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
- DHerr(DH_F_DH_NEW_METHOD, ERR_R_INIT_FAIL);
+ DHerr(0, ERR_R_INIT_FAIL);
goto err;
}
diff --git a/crypto/dh/dh_local.h b/crypto/dh/dh_local.h
index 57d9d3489f..7fefcf76f3 100644
--- a/crypto/dh/dh_local.h
+++ b/crypto/dh/dh_local.h
@@ -31,6 +31,7 @@ struct dh_st {
CRYPTO_EX_DATA ex_data;
ENGINE *engine;
#endif
+ OPENSSL_CTX *libctx;
const DH_METHOD *meth;
CRYPTO_RWLOCK *lock;
diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
new file mode 100644
index 0000000000..3b86d2dc7a
--- /dev/null
+++ b/crypto/dsa/dsa_check.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/bn.h>
+#include "dsa_local.h"
+#include "crypto/dsa.h"
+
+int dsa_check_params(const DSA *dsa, int *ret)
+{
+ int nid;
+ /*
+ * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
+ * validity tests.
+ */
+ return ffc_params_FIPS186_4_validate(&dsa->params, FFC_PARAM_TYPE_DSA, NULL,
+ FFC_PARAMS_VALIDATE_ALL, ret, NULL);
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation.
+ */
+int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+{
+ return ffc_validate_public_key(&dsa->params, pub_key, ret);
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation.
+ * To only be used with ephemeral FFC public keys generated using the approved
+ * safe-prime groups.
+ */
+int dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+{
+ return ffc_validate_public_key_partial(&dsa->params, pub_key, ret);
+}
+
+int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
+{
+ *ret = 0;
+
+ return (dsa->params.q != NULL
+ && ffc_validate_private_key(dsa->params.q, priv_key, ret));
+}
+
+/*
+ * FFC pairwise check from SP800-56A R3.
+ * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
+ */
+int dsa_check_pairwise(const DSA *dsa)
+{
+ int ret = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL;
+
+ if (dsa->params.p == NULL
+ || dsa->params.g == NULL
+ || dsa->priv_key == NULL
+ || dsa->pub_key == NULL)
+ return 0;
+
+ ctx = BN_CTX_new_ex(dsa->libctx);
+ if (ctx == NULL)
+ goto err;
+ pub_key = BN_new();
+ if (pub_key == NULL)
+ goto err;
+
+ /* recalculate the public key = (g ^ priv) mod p */
+ if (!dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key))
+ goto err;
+ /* check it matches the existing pubic_key */
+ ret = BN_cmp(pub_key, dsa->pub_key) == 0;
+err:
+ BN_free(pub_key);
+ BN_CTX_free(ctx);
+ return ret;
+}
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index ac5907c4f8..2148a1a487 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -23,7 +23,7 @@
#include "crypto/dsa.h"
#include "dsa_local.h"
-int dsa_generate_ffc_parameters(OPENSSL_CTX *libctx, DSA *dsa, int type,
+int dsa_generate_ffc_parameters(DSA *dsa, int type,
int pbits, int qbits, int gindex,
BN_GENCB *cb)
{
@@ -37,12 +37,12 @@ int dsa_generate_ffc_parameters(OPENSSL_CTX *libctx, DSA *dsa, int type,
dsa->params.gindex = gindex;
#ifndef FIPS_MODE
if (type == DSA_PARAMGEN_TYPE_FIPS_186_2)
- ret = ffc_params_FIPS186_2_generate(libctx, &dsa->params,
+ ret = ffc_params_FIPS186_2_generate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA,
pbits, qbits, NULL, &res, cb);
else
#endif
- ret = ffc_params_FIPS186_4_generate(libctx, &dsa->params,
+ ret = ffc_params_FIPS186_4_generate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA,
pbits, qbits, NULL, &res, cb);
if (ret > 0)
@@ -50,10 +50,10 @@ int dsa_generate_ffc_parameters(OPENSSL_CTX *libctx, DSA *dsa, int type,
return ret;
}
-int dsa_generate_parameters_ctx(OPENSSL_CTX *libctx, DSA *dsa, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb)
+int DSA_generate_parameters_ex(DSA *dsa, int bits,
+ const unsigned char *seed_in, int seed_len,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb)
{
#ifndef FIPS_MODE
if (dsa->meth->dsa_paramgen)
@@ -67,15 +67,13 @@ int dsa_generate_parameters_ctx(OPENSSL_CTX *libctx, DSA *dsa, int bits,
#ifndef FIPS_MODE
/* The old code used FIPS 186-2 DSA Parameter generation */
if (bits <= 1024 && seed_len == 20) {
- if (!dsa_generate_ffc_parameters(libctx, dsa,
- DSA_PARAMGEN_TYPE_FIPS_186_2,
+ if (!dsa_generate_ffc_parameters(dsa, DSA_PARAMGEN_TYPE_FIPS_186_2,
bits, 160, -1, cb))
return 0;
} else
#endif
{
- if (!dsa_generate_ffc_parameters(libctx, dsa,
- DSA_PARAMGEN_TYPE_FIPS_186_4,
+ if (!dsa_generate_ffc_parameters(dsa, DSA_PARAMGEN_TYPE_FIPS_186_4,
bits, -1, -1, cb))
return 0;
}
@@ -86,13 +84,3 @@ int dsa_generate_parameters_ctx(OPENSSL_CTX *libctx, DSA *dsa, int bits,
*h_ret = dsa->params.h;
return 1;
}
-
-int DSA_generate_parameters_ex(DSA *dsa, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb)
-{
- return dsa_generate_parameters_ctx(NULL, dsa, bits,
- seed_in, seed_len,
- counter_ret, h_ret, cb);
-}
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 00e7213b97..c93ea15b76 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -20,31 +20,43 @@
#include "crypto/dsa.h"
#include "dsa_local.h"
-static int dsa_builtin_keygen(OPENSSL_CTX *libctx, DSA *dsa);
+static int dsa_builtin_keygen(DSA *dsa);
int DSA_generate_key(DSA *dsa)
{
+#ifndef FIPS_MODE
if (dsa->meth->dsa_keygen != NULL)
return dsa->meth->dsa_keygen(dsa);
- return dsa_builtin_keygen(NULL, dsa);
+#endif
+ return dsa_builtin_keygen(dsa);
}
-int dsa_generate_key_ctx(OPENSSL_CTX *libctx, DSA *dsa)
+int dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, const BIGNUM *priv_key,
+ BIGNUM *pub_key)
{
-#ifndef FIPS_MODE
- if (dsa->meth->dsa_keygen != NULL)
- return dsa->meth->dsa_keygen(dsa);
-#endif
- return dsa_builtin_keygen(libctx, dsa);
+ int ret = 0;
+ BIGNUM *prk = BN_new();
+
+ if (prk == NULL)
+ return 0;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+
+ /* pub_key = g ^ priv_key mod p */
+ if (!BN_mod_exp(pub_key, dsa->params.g, prk, dsa->params.p, ctx))
+ goto err;
+ ret = 1;
+err:
+ BN_clear_free(prk);
+ return ret;
}
-static int dsa_builtin_keygen(OPENSSL_CTX *libctx, DSA *dsa)
+static int dsa_builtin_keygen(DSA *dsa)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
- if ((ctx = BN_CTX_new_ex(libctx)) == NULL)
+ if ((ctx = BN_CTX_new_ex(dsa->libctx)) == NULL)
goto err;
if (dsa->priv_key == NULL) {
@@ -65,21 +77,8 @@ static int dsa_builtin_keygen(OPENSSL_CTX *libctx, DSA *dsa)
pub_key = dsa->pub_key;
}
- {
- BIGNUM *prk = BN_new();
-
- if (prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-
- /* pub_key = g ^ priv_key mod p */
- if (!BN_mod_exp(pub_key, dsa->params.g, prk, dsa->params.p, ctx)) {
- BN_free(prk);
- goto err;
- }
- /* We MUST free prk before any further use of priv_key */
- BN_free(prk);
- }
+ if (!dsa_generate_public_key(ctx, dsa, priv_key, pub_key))
+ goto err;
dsa->priv_key = priv_key;
dsa->pub_key = pub_key;
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 11f09891b2..4b048d48c5 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -23,6 +23,8 @@
#include "crypto/dsa.h"
#include "crypto/dh.h" /* required by DSA_dup_DH() */
+static DSA *dsa_new_intern(ENGINE *engine, OPENSSL_CTX *libctx);
+
#ifndef FIPS_MODE
int DSA_set_ex_data(DSA *d, int idx, void *arg)
@@ -128,29 +130,30 @@ const DSA_METHOD *DSA_get_method(DSA *d)
return d->meth;
}
-static DSA *dsa_new_method(OPENSSL_CTX *libctx, ENGINE *engine)
+static DSA *dsa_new_intern(ENGINE *engine, OPENSSL_CTX *libctx)
{
DSA *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
- DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+ DSAerr(0, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->references = 1;
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
- DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+ DSAerr(0, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ret);
return NULL;
}
+ ret->libctx = libctx;
ret->meth = DSA_get_default_method();
#if !defined(FIPS_MODE) && !defined(OPENSSL_NO_ENGINE)
ret->flags = ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW; /* early default init */
if (engine) {
if (!ENGINE_init(engine)) {
- DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_ENGINE_LIB);
+ DSAerr(0, ERR_R_ENGINE_LIB);
goto err;
}
ret->engine = engine;
@@ -159,7 +162,7 @@ static DSA *dsa_new_method(OPENSSL_CTX *libctx, ENGINE *engine)
if (ret->engine) {
ret->meth = ENGINE_get_DSA(ret->engine);
if (ret->meth == NULL) {
- DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_ENGINE_LIB);
+ DSAerr(0, ERR_R_ENGINE_LIB);
goto err;
}
}
@@ -173,7 +176,7 @@ static DSA *dsa_new_method(OPENSSL_CTX *libctx, ENGINE *engine)
#endif
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
- DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_INIT_FAIL);
+ DSAerr(0, ERR_R_INIT_FAIL);
goto err;
}
@@ -186,13 +189,20 @@ static DSA *dsa_new_method(OPENSSL_CTX *libctx, ENGINE *engine)
DSA *DSA_new_method(ENGINE *engine)
{
- return dsa_new_method(NULL, engine);
+ return dsa_new_intern(engine, NULL);
+}
+
+DSA *dsa_new_with_ctx(OPENSSL_CTX *libctx)
+{
+ return dsa_new_intern(NULL, libctx);
}
+#ifndef FIPS_MODE
DSA *DSA_new(void)
{
- return DSA_new_method(NULL);
+ return dsa_new_intern(NULL, NULL);
}
+#endif
void DSA_free(DSA *r)
{
diff --git a/crypto/dsa/dsa_local.h b/crypto/dsa/dsa_local.h
index f01b0aae8c..f68ae2d05b 100644
--- a/crypto/dsa/dsa_local.h
+++ b/crypto/dsa/dsa_local.h
@@ -32,6 +32,7 @@ struct dsa_st {
/* functional reference if 'meth' is ENGINE-provided */
ENGINE *engine;
CRYPTO_RWLOCK *lock;
+ OPENSSL_CTX *libctx;
/* Provider data */
size_t dirty_cnt; /* If any key material changes, increment this */
@@ -68,5 +69,4 @@ struct dsa_method {
int (*dsa_keygen) (DSA *dsa);
};
-DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
- int dlen, DSA *dsa);
+DSA_SIG *dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa);
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 6ff22e8c87..a87493a061 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -67,8 +67,7 @@ const DSA_METHOD *DSA_OpenSSL(void)
return &openssl_dsa_meth;
}
-DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
- int dlen, DSA *dsa)
+DSA_SIG *dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa)
{
BIGNUM *kinv = NULL;
BIGNUM *m, *blind, *blindm, *tmp;
@@ -96,7 +95,7 @@ DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
if (ret->r == NULL || ret->s == NULL)
goto err;
- ctx = BN_CTX_new_ex(libctx);
+ ctx = BN_CTX_new_ex(dsa->libctx);
if (ctx == NULL)
goto err;
m = BN_CTX_get(ctx);
@@ -186,7 +185,7 @@ DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
- return dsa_do_sign_int(NULL, dgst, dlen, dsa);
+ return dsa_do_sign_int(dgst, dlen, dsa);
}
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
index 1ee9272ced..9ef8f30f1e 100644
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -148,16 +148,16 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
return 1;
}
-int dsa_sign_int(OPENSSL_CTX *libctx, int type, const unsigned char *dgst,
+int dsa_sign_int(int type, const unsigned char *dgst,
int dlen, unsigned char *sig, unsigned int *siglen, DSA *dsa)
{
DSA_SIG *s;
/* legacy case uses the method table */
- if (libctx == NULL || dsa->meth != DSA_get_default_method())
+ if (dsa->libctx == NULL || dsa->meth != DSA_get_default_method())
s = DSA_do_sign(dgst, dlen, dsa);
else
- s = dsa_do_sign_int(libctx, dgst, dlen, dsa);
+ s = dsa_do_sign_int(dgst, dlen, dsa);
if (s == NULL) {
*siglen = 0;
return 0;
@@ -170,7 +170,7 @@ int dsa_sign_int(OPENSSL_CTX *libctx, int type, const unsigned char *dgst,
int DSA_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen, DSA *dsa)
{
- return dsa_sign_int(NULL, type, dgst, dlen, sig, siglen, dsa);
+ return dsa_sign_int(type, dgst, dlen, sig, siglen, dsa);
}
/* data has already been hashed (probably with SHA or SHA-1). */
diff --git a/crypto/ffc/build.info b/crypto/ffc/build.info
index d3314c30d1..c8bc7e9018 100644
--- a/crypto/ffc/build.info
+++ b/crypto/ffc/build.info
@@ -1,6 +1,7 @@
LIBS=../../libcrypto
-$COMMON=ffc_params.c ffc_params_generate.c ffc_key_generate.c
+$COMMON=ffc_params.c ffc_params_generate.c ffc_key_generate.c\
+ ffc_params_validate.c ffc_key_validate.c
SOURCE[../../libcrypto]=$COMMON
SOURCE[../../providers/libfips.a]=$COMMON
diff --git a/crypto/ffc/ffc_key_generate.c b/crypto/ffc/ffc_key_generate.c
index 186245cc87..b8c85480c1 100644
--- a/crypto/ffc/ffc_key_generate.c
+++ b/crypto/ffc/ffc_key_generate.c
@@ -23,6 +23,19 @@ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params,
int N, int s, BIGNUM *priv)
{
#ifdef FIPS_MODE
+ return ffc_generate_private_key_fips(ctx, params, N, s, priv);
+#else
+ do {
+ if (!BN_priv_rand_range_ex(priv, params->q, ctx))
+ return 0;
+ } while (BN_is_zero(priv) || BN_is_one(priv));
+ return 1;
+#endif /* FIPS_MODE */
+}
+
+int ffc_generate_private_key_fips(BN_CTX *ctx, const FFC_PARAMS *params,
+ int N, int s, BIGNUM *priv)
+{
int ret = 0;
BIGNUM *m, *two_powN = NULL;
@@ -51,11 +64,4 @@ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params,
err:
BN_free(two_powN);
return ret;
-#else
- do {
- if (!BN_priv_rand_range_ex(priv, params->q, ctx))
- return 0;
- } while (BN_is_zero(priv) || BN_is_one(priv));
- return 1;
-#endif /* FIPS_MODE */
}
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
new file mode 100644
index 0000000000..a35f52e1b9
--- /dev/null
+++ b/crypto/ffc/ffc_key_validate.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/ffc.h"
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation.
+ * To only be used with ephemeral FFC public keys generated using the approved
+ * safe-prime groups. (Checks that the public key is in the range [2, p - 1]
+ *
+ * ret contains 0 on success, or error flags (see FFC_ERROR_PUBKEY_TOO_SMALL)
+ */
+int ffc_validate_public_key_partial(const FFC_PARAMS *params,
+ const BIGNUM *pub_key, int *ret)
+{
+ int ok = 0;
+ BIGNUM *tmp = NULL;
+ BN_CTX *ctx = NULL;
+
+ *ret = 0;
+ ctx = BN_CTX_new_ex(NULL);
+ if (ctx == NULL)
+ goto err;
+
+ BN_CTX_start(ctx);
+ tmp = BN_CTX_get(ctx);
+ /* Step(1): Verify pub_key >= 2 */
+ if (tmp == NULL
+ || !BN_set_word(tmp, 1))
+ goto err;
+ if (BN_cmp(pub_key, tmp) <= 0) {
+ *ret |= FFC_ERROR_PUBKEY_TOO_SMALL;
+ goto err;
+ }
+ /* Step(1): Verify pub_key <= p-2 */
+ if (BN_copy(tmp, params->p) == NULL
+ || !BN_sub_word(tmp, 1))
+ goto err;
+ if (BN_cmp(pub_key, tmp) >= 0) {
+ *ret |= FFC_ERROR_PUBKEY_TOO_LARGE;
+ goto err;
+ }
+ ok = 1;
+ err:
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+ return ok;
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation.
+ */
+int ffc_validate_public_key(const FFC_PARAMS *params, const BIGNUM *pub_key,
+ int *ret)
+{
+ int ok = 0;
+ BIGNUM *tmp = NULL;
+ BN_CTX *ctx = NULL;
+
+ if (!ffc_validate_public_key_partial(params, pub_key, ret))
+ return 0;
+
+ if (params->q != NULL) {
+ ctx = BN_CTX_new_ex(NULL);
+ if (ctx == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+ tmp = BN_CTX_get(ctx);
+
+ /* Check pub_key^q == 1 mod p */
+ if (tmp == NULL
+ || !BN_mod_exp(tmp, pub_key, params->q, params->p, ctx))
+ goto err;
+ if (!BN_is_one(tmp)) {
+ *ret |= FFC_ERROR_PUBKEY_INVALID;
+ goto err;
+ }
+ }
+
+ ok = 1;
+ err:
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+ return ok;
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.1.2: Owner assurance of Private key validity.
+ * Verifies priv_key is in the range [1..upper-1]. The passed in value of upper
+ * is normally params->q but can be 2^N for approved safe prime groups.
+ * Note: This assumes that the domain parameters are valid.
+ */
+int ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv, int *ret)
+{
+ int ok = 0;
+
+ *ret = 0;
+
+ if (BN_cmp(priv, BN_value_one()) < 0) {
+ *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
+ goto err;
+ }
+ if (BN_cmp(priv, upper) >= 0) {
+ *ret |= FFC_ERROR_PRIVKEY_TOO_LARGE;
+ goto err;
+ }
+ ok = 1;
+err:
+ return ok;
+}
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c
index 54d5c58e09..cb51bf0e76 100644
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@@ -474,10 +474,10 @@ static EVP_MD *fetch_default_md(OPENSSL_CTX *libctx, size_t N)
* - FFC_PARAMS_RET_STATUS_UNVERIFIABLE_G if the validation of G succeeded,
* but G is unverifiable.
*/
-int ffc_param_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
- int type, size_t L, size_t N,
- const EVP_MD *evpmd, int validate_flags,
- int *res, BN_GENCB *cb)
+int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
+ int type, size_t L, size_t N,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb)
{
int ok = FFC_PARAMS_RET_STATUS_FAILED;
unsigned char *seed = NULL, *seed_tmp = NULL;
@@ -750,10 +750,10 @@ err:
return ok;
}
-int ffc_param_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
- int type, size_t L, size_t N,
- const EVP_MD *evpmd, int validate_flags,
- int *res, BN_GENCB *cb)
+int ffc_params_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
+ int type, size_t L, size_t N,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb)
{
int ok = FFC_PARAMS_RET_STATUS_FAILED;
unsigned char seed[SHA256_DIGEST_LENGTH];
@@ -977,8 +977,8 @@ int ffc_params_FIPS186_4_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params,
int type, size_t L, size_t N,
const EVP_MD *evpmd, int *res, BN_GENCB *cb)
{
- return ffc_param_FIPS186_4_gen_verify(libctx, params, type, L, N, evpmd, 0,
- res, cb);
+ return ffc_params_FIPS186_4_gen_verify(libctx, params, type, L, N, evpmd, 0,
+ res, cb);
}
/* This should no longer be used in FIPS mode */
@@ -986,14 +986,6 @@ int ffc_params_FIPS186_2_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params,
int type, size_t L, size_t N,
const EVP_MD *evpmd, int *res, BN_GENCB *cb)
{
- return ffc_param_FIPS186_2_gen_verify(libctx, params, type, L, N, evpmd,
- 0, res, cb);
-}
-
-/* TODO(3.0) - Add this in another PR - just add a stub for now */
-int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
- const BIGNUM *p, const BIGNUM *q,
- const BIGNUM *g, BIGNUM *tmp, int *ret)
-{
- return 1;
+ return ffc_params_FIPS186_2_gen_verify(libctx, params, type, L, N, evpmd,
+ 0, res, cb);
}
diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c
new file mode 100644
index 0000000000..4d0a4d837f
--- /dev/null
+++ b/crypto/ffc/ffc_params_validate.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Finite Field cryptography (FFC) is used for DSA and DH.
+ * This file contains methods for validation of FFC parameters.
+ * It calls the same functions as the generation as the code is very similar.
+ */
+
+#include "internal/ffc.h"
+
+/* FIPS186-4 A.2.2 Unverifiable partial validation of Generator g */
+int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
+ const BIGNUM *p, const BIGNUM *q,
+ const BIGNUM *g, BIGNUM *tmp, int *ret)
+{
+ /*
+ * A.2.2 Step (1) AND
+ * A.2.4 Step (2)
+ * Verify that 2 <= g <= (p - 1)
+ */
+ if (BN_cmp(g, BN_value_one()) <= 0 || BN_cmp(g, p) >= 0) {
+ *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
+ return 0;
+ }
+
+ /*
+ * A.2.2 Step (2) AND
+ * A.2.4 Step (3)
+ * Check g^q mod p = 1
+ */
+ if (!BN_mod_exp_mont(tmp, g, q, p, ctx, mont))
+ return 0;
+ if (BN_cmp(tmp, BN_value_one()) != 0) {
+ *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
+ return 0;
+ }
+ return 1;
+}
+
+int ffc_params_FIPS186_4_validate(const FFC_PARAMS *params, int type,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb)
+{
+ size_t L, N;
+
+ if (params == NULL || params->p == NULL || params->q == NULL)
+ return FFC_PARAMS_RET_STATUS_FAILED;
+
+ /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
+ L = BN_num_bits(params->p);
+ N = BN_num_bits(params->q);
+ return ffc_params_FIPS186_4_gen_verify(NULL, (FFC_PARAMS *)params, type, L, N,
+ evpmd, validate_flags, res, cb);
+}
+
+/* This may be used in FIPS mode to validate deprecated FIPS-186-2 Params */
+int ffc_params_FIPS186_2_validate(const FFC_PARAMS *params, int type,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb)
+{
+ size_t L, N;
+
+ if (params->p == NULL || params->q == NULL) {
+ *res = FFC_CHECK_INVALID_PQ;
+ return FFC_PARAMS_RET_STATUS_FAILED;
+ }
+
+ /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
+ L = BN_num_bits(params->p);
+ N = BN_num_bits(params->q);
+ return ffc_params_FIPS186_2_gen_verify(NULL, (FFC_PARAMS *)params, type, L, N,
+ evpmd, validate_flags, res, cb);
+}
diff --git a/include/crypto/dh.h b/include/crypto/dh.h
index 2b48b5d905..3af3c5222e 100644
--- a/include/crypto/dh.h
+++ b/include/crypto/dh.h
@@ -10,12 +10,16 @@
#include <openssl/dh.h>
#include "internal/ffc.h"
-int dh_generate_ffc_parameters(OPENSSL_CTX *libctx, DH *dh, int bits,
+DH *dh_new_with_ctx(OPENSSL_CTX *libctx);
+
+int dh_generate_ffc_parameters(DH *dh, int bits,
int qbits, int gindex, BN_GENCB *cb);
+int dh_generate_public_key(BN_CTX *ctx, DH *dh, const BIGNUM *priv_key,
+ BIGNUM *pub_key);
-int dh_compute_key(OPENSSL_CTX *ctx, unsigned char *key, const BIGNUM *pub_key,
- DH *dh);
-int dh_compute_key_padded(OPENSSL_CTX *ctx, unsigned char *key,
- const BIGNUM *pub_key, DH *dh);
FFC_PARAMS *dh_get0_params(DH *dh);
int dh_get0_nid(const DH *dh);
+
+int dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret);
+int dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret);
+int dh_check_pairwise(DH *dh);
diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h
index 1865fe0f77..1da23a8a7b 100644
--- a/include/crypto/dsa.h
+++ b/include/crypto/dsa.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,16 +12,19 @@
#define DSA_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */
#define DSA_PARAMGEN_TYPE_FIPS_186_4 2 /* Use FIPS186-4 standard */
-int dsa_generate_parameters_ctx(OPENSSL_CTX *libctx, DSA *dsa, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb);
+DSA *dsa_new_with_ctx(OPENSSL_CTX *libctx);
-int dsa_generate_ffc_parameters(OPENSSL_CTX *libctx, DSA *dsa, int type,
+int dsa_generate_ffc_parameters(DSA *dsa, int type,
int pbits, int qbits, int gindex,
BN_GENCB *cb);
-int dsa_sign_int(OPENSSL_CTX *libctx, int type, const unsigned char *dgst,
+int dsa_sign_int(int type, const unsigned char *dgst,
int dlen, unsigned char *sig, unsigned int *siglen, DSA *dsa);
-int dsa_generate_key_ctx(OPENSSL_CTX *libctx, DSA *dsa);
const unsigned char *dsa_algorithmidentifier_encoding(int md_nid, size_t *len);
+int dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, const BIGNUM *priv_key,
+ BIGNUM *pub_key);
+int dsa_check_params(const DSA *dsa, int *ret);
+int dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret);
+int dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret);
+int dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret);
+int dsa_check_pairwise(const DSA *dsa);
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
index 67282fd807..006be73d8c 100644
--- a/include/internal/ffc.h
+++ b/include/internal/ffc.h
@@ -56,6 +56,14 @@
# define FFC_CHECK_G_MISMATCH 0x08000
# define FFC_CHECK_COUNTER_MISMATCH 0x10000
+/* Validation Return codes */
+# define FFC_ERROR_PUBKEY_TOO_SMALL 0x01
+# define FFC_ERROR_PUBKEY_TOO_LARGE 0x02
+# define FFC_ERROR_PUBKEY_INVALID 0x04
+# define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
+# define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10
+# define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20
+
/*
* Finite field cryptography (FFC) domain parameters are used by DH and DSA.
* Refer to FIPS186_4 Appendix A & B.
@@ -113,20 +121,37 @@ int ffc_params_FIPS186_2_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params,
int type, size_t L, size_t N,
const EVP_MD *evpmd, int *res, BN_GENCB *cb);
-int ffc_param_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
- int type, size_t L, size_t N,
- const EVP_MD *evpmd, int validate_flags,
- int *res, BN_GENCB *cb);
-int ffc_param_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
- int type, size_t L, size_t N,
- const EVP_MD *evpmd, int validate_flags,
- int *res, BN_GENCB *cb);
+int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
+ int type, size_t L, size_t N,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb);
+int ffc_params_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
+ int type, size_t L, size_t N,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb);
+
+int ffc_params_FIPS186_4_validate(const FFC_PARAMS *params, int type,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb);
+int ffc_params_FIPS186_2_validate(const FFC_PARAMS *params, int type,
+ const EVP_MD *evpmd, int validate_flags,
+ int *res, BN_GENCB *cb);
+
int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params,
int N, int s, BIGNUM *priv);
+int ffc_generate_private_key_fips(BN_CTX *ctx, const FFC_PARAMS *params,
+ int N, int s, BIGNUM *priv);
int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
const BIGNUM *p, const BIGNUM *q,
const BIGNUM *g, BIGNUM *tmp, int *ret);
+int ffc_validate_public_key(const FFC_PARAMS *params, const BIGNUM *pub_key,
+ int *ret);
+int ffc_validate_public_key_partial(const FFC_PARAMS *params,
+ const BIGNUM *pub_key, int *ret);
+int ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv_key,
+ int *ret);
+
#endif /* OSSL_INTERNAL_FFC_H */
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 94c232965f..418896e46d 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -92,9 +92,9 @@ static int dh_derive(void *vpdhctx, unsigned char *secret, size_t *secretlen,
DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
if (pdhctx->pad)
- ret = dh_compute_key_padded(pdhctx->libctx, secret, pub_key, pdhctx->dh);
+ ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
else
- ret = dh_compute_key(pdhctx->libctx, secret, pub_key, pdhctx->dh);
+ ret = DH_compute_key(secret, pub_key, pdhctx->dh);
if (ret <= 0)
return 0;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 9a1734bd57..1694421c3c 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -10,12 +10,13 @@
#include <openssl/core_numbers.h>
#include <openssl/core_names.h>
#include <openssl/bn.h>
-#include <openssl/dh.h>
#include <openssl/params.h>
#include "internal/param_build.h"
#include "crypto/dh.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"
+#include "prov/provider_ctx.h"
+#include "crypto/dh.h"
static OSSL_OP_keymgmt_new_fn dh_newdata;
static OSSL_OP_keymgmt_free_fn dh_freedata;
@@ -137,7 +138,7 @@ static int key_to_params(DH *dh, OSSL_PARAM_BLD *tmpl)
static void *dh_newdata(void *provctx)
{
- return DH_new();
+ return dh_new_with_ctx(PROV_LIBRARY_CONTEXT_OF(provctx));
}
static void dh_freedata(void *keydata)
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
index 78c479e671..1855474c85 100644
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -150,7 +150,7 @@ static int key_to_params(DSA *dsa, OSSL_PARAM_BLD *tmpl)
static void *dsa_newdata(void *provctx)
{
- return DSA_new();
+ return dsa_new_with_ctx(PROV_LIBRARY_CONTEXT_OF(provctx));
}
static void dsa_freedata(void *keydata)
diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c
index 6c5550bf42..99183e8f86 100644
--- a/providers/implementations/signature/dsa.c
+++ b/providers/implementations/signature/dsa.c
@@ -200,8 +200,7 @@ static int dsa_sign(void *vpdsactx, unsigned char *sig, size_t *siglen,
if (mdsize != 0 && tbslen != mdsize)
return 0;
- ret = dsa_sign_int(pdsactx->libctx, 0, tbs, tbslen, sig, &sltmp,
- pdsactx->dsa);
+ ret = dsa_sign_int(0, tbs, tbslen, sig, &sltmp, pdsactx->dsa);
if (ret <= 0)
return 0;
diff --git a/test/build.info b/test/build.info
index dfeabdbc5d..c35bed086c 100644
--- a/test/build.info
+++ b/test/build.info
@@ -493,9 +493,10 @@ IF[{- !$disabled{tests} -}]
tls13encryptiontest wpackettest ctype_internal_test \
rdrand_sanitytest property_test ideatest \
rsa_sp800_56b_test bn_internal_test ecdsatest \
- rc2test rc4test rc5test hmactest \
+ rc2test rc4test rc5test hmactest ffc_internal_test \
asn1_dsa_internal_test dsatest dsa_no_digest_size_test
+
IF[{- !$disabled{poly1305} -}]
PROGRAMS{noinst}=poly1305_internal_test
ENDIF
@@ -636,6 +637,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[keymgmt_internal_test]=.. ../include ../apps/include
DEPEND[keymgmt_internal_test]=../libcrypto.a libtestutil.a
+ SOURCE[ffc_internal_test]=ffc_internal_test.c
+ INCLUDE[ffc_internal_test]=.. ../include ../apps/include ../crypto/include
+ DEPEND[ffc_internal_test]=../libcrypto.a libtestutil.a
+
IF[{- !$disabled{mdc2} -}]
PROGRAMS{noinst}=mdc2_internal_test
ENDIF
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
new file mode 100644
index 0000000000..4aa23944af
--- /dev/null
+++ b/test/ffc_internal_test.c
@@ -0,0 +1,650 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2019-2020, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "internal/nelem.h"
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include "testutil.h"
+
+#include "internal/ffc.h"
+
+#ifndef OPENSSL_NO_DSA
+static const unsigned char dsa_2048_224_sha224_p[] = {
+ 0x93, 0x57, 0x93, 0x62, 0x1b, 0x9a, 0x10, 0x9b, 0xc1, 0x56, 0x0f, 0x24,
+ 0x71, 0x76, 0x4e, 0xd3, 0xed, 0x78, 0x78, 0x7a, 0xbf, 0x89, 0x71, 0x67,
+ 0x8e, 0x03, 0xd8, 0x5b, 0xcd, 0x22, 0x8f, 0x70, 0x74, 0xff, 0x22, 0x05,
+ 0x07, 0x0c, 0x4c, 0x60, 0xed, 0x41, 0xe1, 0x9e, 0x9c, 0xaa, 0x3e, 0x19,
+ 0x5c, 0x3d, 0x80, 0x58, 0xb2, 0x7f, 0x5f, 0x89, 0xec, 0xb5, 0x19, 0xdb,
+ 0x06, 0x11, 0xe9, 0x78, 0x5c, 0xf9, 0xa0, 0x9e, 0x70, 0x62, 0x14, 0x7b,
+ 0xda, 0x92, 0xbf, 0xb2, 0x6b, 0x01, 0x6f, 0xb8, 0x68, 0x9c, 0x89, 0x36,
+ 0x89, 0x72, 0x79, 0x49, 0x93, 0x3d, 0x14, 0xb2, 0x2d, 0xbb, 0xf0, 0xdf,
+ 0x94, 0x45, 0x0b, 0x5f, 0xf1, 0x75, 0x37, 0xeb, 0x49, 0xb9, 0x2d, 0xce,
+ 0xb7, 0xf4, 0x95, 0x77, 0xc2, 0xe9, 0x39, 0x1c, 0x4e, 0x0c, 0x40, 0x62,
+ 0x33, 0x0a, 0xe6, 0x29, 0x6f, 0xba, 0xef, 0x02, 0xdd, 0x0d, 0xe4, 0x04,
+ 0x01, 0x70, 0x40, 0xb9, 0xc9, 0x7e, 0x2f, 0x10, 0x37, 0xe9, 0xde, 0xb0,
+ 0xf6, 0xeb, 0x71, 0x7f, 0x9c, 0x35, 0x16, 0xf3, 0x0d, 0xc4, 0xe8, 0x02,
+ 0x37, 0x6c, 0xdd, 0xb3, 0x8d, 0x2d, 0x1e, 0x28, 0x13, 0x22, 0x89, 0x40,
+ 0xe5, 0xfa, 0x16, 0x67, 0xd6, 0xda, 0x12, 0xa2, 0x38, 0x83, 0x25, 0xcc,
+ 0x26, 0xc1, 0x27, 0x74, 0xfe, 0xf6, 0x7a, 0xb6, 0xa1, 0xe4, 0xe8, 0xdf,
+ 0x5d, 0xd2, 0x9c, 0x2f, 0xec, 0xea, 0x08, 0xca, 0x48, 0xdb, 0x18, 0x4b,
+ 0x12, 0xee, 0x16, 0x9b, 0xa6, 0x00, 0xa0, 0x18, 0x98, 0x7d, 0xce, 0x6c,
+ 0x6d, 0xf8, 0xfc, 0x95, 0x51, 0x1b, 0x0a, 0x40, 0xb6, 0xfc, 0xe5, 0xe2,
+ 0xb0, 0x26, 0x53, 0x4c, 0xd7, 0xfe, 0xaa, 0x6d, 0xbc, 0xdd, 0xc0, 0x61,
+ 0x65, 0xe4, 0x89, 0x44, 0x18, 0x6f, 0xd5, 0x39, 0xcf, 0x75, 0x6d, 0x29,
+ 0xcc, 0xf8, 0x40, 0xab
+};
+static const unsigned char dsa_2048_224_sha224_q[] = {
+ 0xf2, 0x5e, 0x4e, 0x9a, 0x15, 0xa8, 0x13, 0xdf, 0xa3, 0x17, 0x90, 0xc6,
+ 0xd6, 0x5e, 0xb1, 0xfb, 0x31, 0xf8, 0xb5, 0xb1, 0x4b, 0xa7, 0x6d, 0xde,
+ 0x57, 0x76, 0x6f, 0x11
+};
+static const unsigned char dsa_2048_224_sha224_seed[] = {
+ 0xd2, 0xb1, 0x36, 0xd8, 0x5b, 0x8e, 0xa4, 0xb2, 0x6a, 0xab, 0x4e, 0x85,
+ 0x8b, 0x49, 0xf9, 0xdd, 0xe6, 0xa1, 0xcd, 0xad, 0x49, 0x52, 0xe9, 0xb3,
+ 0x36, 0x17, 0x06, 0xcf
+};
+static const unsigned char dsa_2048_224_sha224_bad_seed[] = {
+ 0xd2, 0xb1, 0x36, 0xd8, 0x5b, 0x8e, 0xa4, 0xb2, 0x6a, 0xab, 0x4e, 0x85,
+ 0x8b, 0x49, 0xf9, 0xdd, 0xe6, 0xa1, 0xcd, 0xad, 0x49, 0x52, 0xe9, 0xb3,
+ 0x36, 0x17, 0x06, 0xd0
+};
+static int dsa_2048_224_sha224_counter = 2878;
+
+static const unsigned char dsa_3072_256_sha512_p[] = {
+ 0x9a, 0x82, 0x8b, 0x8d, 0xea, 0xd0, 0x56, 0x23, 0x88, 0x2d, 0x5d, 0x41,
+ 0x42, 0x4c, 0x13, 0x5a, 0x15, 0x81, 0x59, 0x02, 0xc5, 0x00, 0x82, 0x28,
+ 0x01, 0xee, 0x8f, 0x99, 0xfd, 0x6a, 0x95, 0xf2, 0x0f, 0xae, 0x34, 0x77,
+ 0x29, 0xcc, 0xc7, 0x50, 0x0e, 0x03, 0xef, 0xb0, 0x4d, 0xe5, 0x10, 0x00,
+ 0xa8, 0x7b, 0xce, 0x8c, 0xc6, 0xb2, 0x01, 0x74, 0x23, 0x1b, 0x7f, 0xe8,
+ 0xf9, 0x71, 0x28, 0x39, 0xcf, 0x18, 0x04, 0xb2, 0x95, 0x61, 0x2d, 0x11,
+ 0x71, 0x6b, 0xdd, 0x0d, 0x0b, 0xf0, 0xe6, 0x97, 0x52, 0x29, 0x9d, 0x45,
+ 0xb1, 0x23, 0xda, 0xb0, 0xd5, 0xcb, 0x51, 0x71, 0x8e, 0x40, 0x9c, 0x97,
+ 0x13, 0xea, 0x1f, 0x4b, 0x32, 0x5d, 0x27, 0x74, 0x81, 0x8d, 0x47, 0x8a,
+ 0x08, 0xce, 0xf4, 0xd1, 0x28, 0xa2, 0x0f, 0x9b, 0x2e, 0xc9, 0xa3, 0x0e,
+ 0x5d, 0xde, 0x47, 0x19, 0x6d, 0x5f, 0x98, 0xe0, 0x8e, 0x7f, 0x60, 0x8f,
+ 0x25, 0xa7, 0xa4, 0xeb, 0xb9, 0xf3, 0x24, 0xa4, 0x9e, 0xc1, 0xbd, 0x14,
+ 0x27, 0x7c, 0x27, 0xc8, 0x4f, 0x5f, 0xed, 0xfd, 0x86, 0xc8, 0xf1, 0xd7,
+ 0x82, 0xe2, 0xeb, 0xe5, 0xd2, 0xbe, 0xb0, 0x65, 0x28, 0xab, 0x99, 0x9e,
+ 0xcd, 0xd5, 0x22, 0xf8, 0x1b, 0x3b, 0x01, 0xe9, 0x20, 0x3d, 0xe4, 0x98,
+ 0x22, 0xfe, 0xfc, 0x09, 0x7e, 0x95, 0x20, 0xda, 0xb6, 0x12, 0x2c, 0x94,
+ 0x5c, 0xea, 0x74, 0x71, 0xbd, 0x19, 0xac, 0x78, 0x43, 0x02, 0x51, 0xb8,
+ 0x5f, 0x06, 0x1d, 0xea, 0xc8, 0xa4, 0x3b, 0xc9, 0x78, 0xa3, 0x2b, 0x09,
+ 0xdc, 0x76, 0x74, 0xc4, 0x23, 0x14, 0x48, 0x2e, 0x84, 0x2b, 0xa3, 0x82,
+ 0xc1, 0xba, 0x0b, 0x39, 0x2a, 0x9f, 0x24, 0x7b, 0xd6, 0xc2, 0xea, 0x5a,
+ 0xb6, 0xbd, 0x15, 0x82, 0x21, 0x85, 0xe0, 0x6b, 0x12, 0x4f, 0x8d, 0x64,
+ 0x75, 0xeb, 0x7e, 0xa1, 0xdb, 0xe0, 0x9d, 0x25, 0xae, 0x3b, 0xe9, 0x9b,
+ 0x21, 0x7f, 0x9a, 0x3d, 0x66, 0xd0, 0x52, 0x1d, 0x39, 0x8b, 0xeb, 0xfc,
+ 0xec, 0xbe, 0x72, 0x20, 0x5a, 0xdf, 0x1b, 0x00, 0xf1, 0x0e, 0xed, 0xc6,
+ 0x78, 0x6f, 0xc9, 0xab, 0xe4, 0xd6, 0x81, 0x8b, 0xcc, 0xf6, 0xd4, 0x6a,
+ 0x31, 0x62, 0x08, 0xd9, 0x38, 0x21, 0x8f, 0xda, 0x9e, 0xb1, 0x2b, 0x9c,
+ 0xc0, 0xbe, 0xf7, 0x9a, 0x43, 0x2d, 0x07, 0x59, 0x46, 0x0e, 0xd5, 0x23,
+ 0x4e, 0xaa, 0x4a, 0x04, 0xc2, 0xde, 0x33, 0xa6, 0x34, 0xba, 0xac, 0x4f,
+ 0x78, 0xd8, 0xca, 0x76, 0xce, 0x5e, 0xd4, 0xf6, 0x85, 0x4c, 0x6a, 0x60,
+ 0x08, 0x5d, 0x0e, 0x34, 0x8b, 0xf2, 0xb6, 0xe3, 0xb7, 0x51, 0xca, 0x43,
+ 0xaa, 0x68, 0x7b, 0x0a, 0x6e, 0xea, 0xce, 0x1e, 0x2c, 0x34, 0x8e, 0x0f,
+ 0xe2, 0xcc, 0x38, 0xf2, 0x9a, 0x98, 0xef, 0xe6, 0x7f, 0xf6, 0x62, 0xbb
+};
+static const unsigned char dsa_3072_256_sha512_q[] = {
+ 0xc1, 0xdb, 0xc1, 0x21, 0x50, 0x49, 0x63, 0xa3, 0x77, 0x6d, 0x4c, 0x92,
+ 0xed, 0x58, 0x9e, 0x98, 0xea, 0xac, 0x7a, 0x90, 0x13, 0x24, 0xf7, 0xcd,
+ 0xd7, 0xe6, 0xd4, 0x8f, 0xf0, 0x45, 0x4b, 0xf7
+};
+static const unsigned char dsa_3072_256_sha512_seed[] = {
+ 0x35, 0x24, 0xb5, 0x59, 0xd5, 0x27, 0x58, 0x10, 0xf6, 0xa2, 0x7c, 0x9a,
+ 0x0d, 0xc2, 0x70, 0x8a, 0xb0, 0x41, 0x4a, 0x84, 0x0b, 0xfe, 0x66, 0xf5,
+ 0x3a, 0xbf, 0x4a, 0xa9, 0xcb, 0xfc, 0xa6, 0x22
+};
+static int dsa_3072_256_sha512_counter = 1604;
+
+static const unsigned char dsa_2048_224_sha256_p[] = {
+ 0xe9, 0x13, 0xbc, 0xf2, 0x14, 0x5d, 0xf9, 0x79, 0xd6, 0x6d, 0xf5, 0xc5,
+ 0xbe, 0x7b, 0x6f, 0x90, 0x63, 0xd0, 0xfd, 0xee, 0x4f, 0xc4, 0x65, 0x83,
+ 0xbf, 0xec, 0xc3, 0x2c, 0x5d, 0x30, 0xc8, 0xa4, 0x3b, 0x2f, 0x3b, 0x29,
+ 0x43, 0x69, 0xfb, 0x6e, 0xa9, 0xa4, 0x07, 0x6c, 0xcd, 0xb0, 0xd2, 0xd9,
+ 0xd3, 0xe6, 0xf4, 0x87, 0x16, 0xb7, 0xe5, 0x06, 0xb9, 0xba, 0xd6, 0x87,
+ 0xbc, 0x01, 0x9e, 0xba, 0xc2, 0xcf, 0x39, 0xb6, 0xec, 0xdc, 0x75, 0x07,
+ 0xc1, 0x39, 0x2d, 0x6a, 0x95, 0x31, 0x97, 0xda, 0x54, 0x20, 0x29, 0xe0,
+ 0x1b, 0xf9, 0x74, 0x65, 0xaa, 0xc1, 0x47, 0xd3, 0x9e, 0xb4, 0x3c, 0x1d,
+ 0xe0, 0xdc, 0x2d, 0x21, 0xab, 0x12, 0x3b, 0xa5, 0x51, 0x1e, 0xc6, 0xbc,
+ 0x6b, 0x4c, 0x22, 0xd1, 0x7c, 0xc6, 0xce, 0xcb, 0x8c, 0x1d, 0x1f, 0xce,
+ 0x1c, 0xe2, 0x75, 0x49, 0x6d, 0x2c, 0xee, 0x7f, 0x5f, 0xb8, 0x74, 0x42,
+ 0x5c, 0x96, 0x77, 0x13, 0xff, 0x80, 0xf3, 0x05, 0xc7, 0xfe, 0x08, 0x3b,
+ 0x25, 0x36, 0x46, 0xa2, 0xc4, 0x26, 0xb4, 0xb0, 0x3b, 0xd5, 0xb2, 0x4c,
+ 0x13, 0x29, 0x0e, 0x47, 0x31, 0x66, 0x7d, 0x78, 0x57, 0xe6, 0xc2, 0xb5,
+ 0x9f, 0x46, 0x17, 0xbc, 0xa9, 0x9a, 0x49, 0x1c, 0x0f, 0x45, 0xe0, 0x88,
+ 0x97, 0xa1, 0x30, 0x7c, 0x42, 0xb7, 0x2c, 0x0a, 0xce, 0xb3, 0xa5, 0x7a,
+ 0x61, 0x8e, 0xab, 0x44, 0xc1, 0xdc, 0x70, 0xe5, 0xda, 0x78, 0x2a, 0xb4,
+ 0xe6, 0x3c, 0xa0, 0x58, 0xda, 0x62, 0x0a, 0xb2, 0xa9, 0x3d, 0xaa, 0x49,
+ 0x7e, 0x7f, 0x9a, 0x19, 0x67, 0xee, 0xd6, 0xe3, 0x67, 0x13, 0xe8, 0x6f,
+ 0x79, 0x50, 0x76, 0xfc, 0xb3, 0x9d, 0x7e, 0x9e, 0x3e, 0x6e, 0x47, 0xb1,
+ 0x11, 0x5e, 0xc8, 0x83, 0x3a, 0x3c, 0xfc, 0x82, 0x5c, 0x9d, 0x34, 0x65,
+ 0x73, 0xb4, 0x56, 0xd5
+};
+static const unsigned char dsa_2048_224_sha256_q[] = {
+ 0xb0, 0xdf, 0xa1, 0x7b, 0xa4, 0x77, 0x64, 0x0e, 0xb9, 0x28, 0xbb, 0xbc,
+ 0xd4, 0x60, 0x02, 0xaf, 0x21, 0x8c, 0xb0, 0x69, 0x0f, 0x8a, 0x7b, 0xc6,
+ 0x80, 0xcb, 0x0a, 0x45
+};
+static const unsigned char dsa_2048_224_sha256_g[] = {
+ 0x11, 0x7c, 0x5f, 0xf6, 0x99, 0x44, 0x67, 0x5b, 0x69, 0xa3, 0x83, 0xef,
+ 0xb5, 0x85, 0xa2, 0x19, 0x35, 0x18, 0x2a, 0xf2, 0x58, 0xf4, 0xc9, 0x58,
+ 0x9e, 0xb9, 0xe8, 0x91, 0x17, 0x2f, 0xb0, 0x60, 0x85, 0x95, 0xa6, 0x62,
+ 0x36, 0xd0, 0xff, 0x94, 0xb9, 0xa6, 0x50, 0xad, 0xa6, 0xf6, 0x04, 0x28,
+ 0xc2, 0xc9, 0xb9, 0x75, 0xf3, 0x66, 0xb4, 0xeb, 0xf6, 0xd5, 0x06, 0x13,
+ 0x01, 0x64, 0x82, 0xa9, 0xf1, 0xd5, 0x41, 0xdc, 0xf2, 0x08, 0xfc, 0x2f,
+ 0xc4, 0xa1, 0x21, 0xee, 0x7d, 0xbc, 0xda, 0x5a, 0xa4, 0xa2, 0xb9, 0x68,
+ 0x87, 0x36, 0xba, 0x53, 0x9e, 0x14, 0x4e, 0x76, 0x5c, 0xba, 0x79, 0x3d,
+ 0x0f, 0xe5, 0x99, 0x1c, 0x27, 0xfc, 0xaf, 0x10, 0x63, 0x87, 0x68, 0x0e,
+ 0x3e, 0x6e, 0xaa, 0xf3, 0xdf, 0x76, 0x7e, 0x02, 0x9a, 0x41, 0x96, 0xa1,
+ 0x6c, 0xbb, 0x67, 0xee, 0x0c, 0xad, 0x72, 0x65, 0xf1, 0x70, 0xb0, 0x39,
+ 0x9b, 0x54, 0x5f, 0xd7, 0x6c, 0xc5, 0x9a, 0x90, 0x53, 0x18, 0xde, 0x5e,
+ 0x62, 0x89, 0xb9, 0x2f, 0x66, 0x59, 0x3a, 0x3d, 0x10, 0xeb, 0xa5, 0x99,
+ 0xf6, 0x21, 0x7d, 0xf2, 0x7b, 0x42, 0x15, 0x1c, 0x55, 0x79, 0x15, 0xaa,
+ 0xa4, 0x17, 0x2e, 0x48, 0xc3, 0xa8, 0x36, 0xf5, 0x1a, 0x97, 0xce, 0xbd,
+ 0x72, 0xef, 0x1d, 0x50, 0x5b, 0xb1, 0x60, 0x0a, 0x5c, 0x0b, 0xa6, 0x21,
+ 0x38, 0x28, 0x4e, 0x89, 0x33, 0x1d, 0xb5, 0x7e, 0x5c, 0xf1, 0x6b, 0x2c,
+ 0xbd, 0xad, 0x84, 0xb2, 0x8e, 0x96, 0xe2, 0x30, 0xe7, 0x54, 0xb8, 0xc9,
+ 0x70, 0xcb, 0x10, 0x30, 0x63, 0x90, 0xf4, 0x45, 0x64, 0x93, 0x09, 0x38,
+ 0x6a, 0x47, 0x58, 0x31, 0x04, 0x1a, 0x18, 0x04, 0x1a, 0xe0, 0xd7, 0x0b,
+ 0x3c, 0xbe, 0x2a, 0x9c, 0xec, 0xcc, 0x0d, 0x0c, 0xed, 0xde, 0x54, 0xbc,
+ 0xe6, 0x93, 0x59, 0xfc
+};
+
+static int ffc_params_validate_g_unverified_test(void)
+{
+ int ret = 0, res;
+ FFC_PARAMS params;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
+ BIGNUM *p1 = NULL, *g1 = NULL;
+
+ ffc_params_init(¶ms);
+
+ if (!TEST_ptr(p = BN_bin2bn(dsa_2048_224_sha256_p,
+ sizeof(dsa_2048_224_sha256_p), NULL)))
+ goto err;
+ p1 = p;
+ if (!TEST_ptr(q = BN_bin2bn(dsa_2048_224_sha256_q,
+ sizeof(dsa_2048_224_sha256_q), NULL)))
+ goto err;
+ if (!TEST_ptr(g = BN_bin2bn(dsa_2048_224_sha256_g,
+ sizeof(dsa_2048_224_sha256_g), NULL)))
+ goto err;
+ g1 = g;
+
+ /* Fail if g is NULL */
+ ffc_params_set0_pqg(¶ms, p, q, NULL);
+ p = NULL;
+ q = NULL;
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha256(),
+ FFC_PARAMS_VALIDATE_G, &res,
+ NULL)))
+ goto err;
+
+ ffc_params_set0_pqg(¶ms, p, q, g);
+ g = NULL;
+ if (!TEST_true(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha256(),
+ FFC_PARAMS_VALIDATE_G, &res,
+ NULL)))
+ goto err;
+
+ /* incorrect g */
+ BN_add_word(g1, 1);
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha256(),
+ FFC_PARAMS_VALIDATE_G, &res,
+ NULL)))
+ goto err;
+
+ /* fail if g < 2 */
+ BN_set_word(g1, 1);
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha256(),
+ FFC_PARAMS_VALIDATE_G, &res,
+ NULL)))
+ goto err;
+
+ BN_copy(g1, p1);
+ /* Fail if g >= p */
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha256(),
+ FFC_PARAMS_VALIDATE_G, &res,
+ NULL)))
+ goto err;
+
+ ret = 1;
+err:
+ ffc_params_cleanup(¶ms);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ return ret;
+}
+
+static int ffc_params_validate_pq_test(void)
+{
+ int ret = 0, res = -1;
+ FFC_PARAMS params;
+ BIGNUM *p = NULL, *q = NULL;
+
+ ffc_params_init(¶ms);
+ if (!TEST_ptr(p = BN_bin2bn(dsa_2048_224_sha224_p,
+ sizeof(dsa_2048_224_sha224_p),
+ NULL)))
+ goto err;
+ if (!TEST_ptr(q = BN_bin2bn(dsa_2048_224_sha224_q,
+ sizeof(dsa_2048_224_sha224_q),
+ NULL)))
+ goto err;
+
+ /* No p */
+ ffc_params_set0_pqg(¶ms, NULL, q, NULL);
+ q = NULL;
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha224(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ /* Test valid case */
+ ffc_params_set0_pqg(¶ms, p, NULL, NULL);
+ p = NULL;
+ ffc_params_set_validate_params(¶ms, dsa_2048_224_sha224_seed,
+ sizeof(dsa_2048_224_sha224_seed),
+ dsa_2048_224_sha224_counter);
+ if (!TEST_true(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha224(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ /* Bad counter - so p is not prime */
+ ffc_params_set_validate_params(¶ms, dsa_2048_224_sha224_seed,
+ sizeof(dsa_2048_224_sha224_seed),
+ 1);
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha224(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ /* seedlen smaller than N */
+ ffc_params_set_validate_params(¶ms, dsa_2048_224_sha224_seed,
+ sizeof(dsa_2048_224_sha224_seed)-1,
+ dsa_2048_224_sha224_counter);
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha224(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ /* Provided seed doesnt produce a valid prime q */
+ ffc_params_set_validate_params(¶ms, dsa_2048_224_sha224_bad_seed,
+ sizeof(dsa_2048_224_sha224_bad_seed),
+ dsa_2048_224_sha224_counter);
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha224(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ if (!TEST_ptr(p = BN_bin2bn(dsa_3072_256_sha512_p,
+ sizeof(dsa_3072_256_sha512_p), NULL)))
+ goto err;
+ if (!TEST_ptr(q = BN_bin2bn(dsa_3072_256_sha512_q,
+ sizeof(dsa_3072_256_sha512_q),
+ NULL)))
+ goto err;
+
+
+ ffc_params_set0_pqg(¶ms, p, q, NULL);
+ p = q = NULL;
+ ffc_params_set_validate_params(¶ms, dsa_3072_256_sha512_seed,
+ sizeof(dsa_3072_256_sha512_seed),
+ dsa_3072_256_sha512_counter);
+ /* Q doesn't div P-1 */
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ EVP_sha512(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ /* Bad L/N for FIPS DH */
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DH,
+ EVP_sha512(),
+ FFC_PARAMS_VALIDATE_PQ, &res,
+ NULL)))
+ goto err;
+
+ ret = 1;
+err:
+ ffc_params_cleanup(¶ms);
+ BN_free(p);
+ BN_free(q);
+ return ret;
+}
+#endif /* OPENSSL_NO_DSA */
+
+#ifndef OPENSSL_NO_DH
+static int ffc_params_gen_test(void)
+{
+ int ret = 0, res = -1;
+ FFC_PARAMS params;
+
+ ffc_params_init(¶ms);
+ if (!TEST_true(ffc_params_FIPS186_4_generate(NULL, ¶ms, FFC_PARAM_TYPE_DH,
+ 2048, 256, NULL, &res, NULL)))
+ goto err;
+ if (!TEST_true(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DH,
+ NULL,
+ FFC_PARAMS_VALIDATE_ALL, &res,
+ NULL)))
+ goto err;
+
+ ret = 1;
+err:
+ ffc_params_cleanup(¶ms);
+ return ret;
+}
+
+static int ffc_params_gen_canonicalg_test(void)
+{
+ int ret = 0, res = -1;
+ FFC_PARAMS params;
+
+ ffc_params_init(¶ms);
+ params.gindex = 1;
+ if (!TEST_true(ffc_params_FIPS186_4_generate(NULL, ¶ms, FFC_PARAM_TYPE_DH,
+ 2048, 256, NULL, &res, NULL)))
+ goto err;
+ if (!TEST_true(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DH,
+ NULL,
+ FFC_PARAMS_VALIDATE_ALL, &res,
+ NULL)))
+ goto err;
+
+ if (!TEST_true(ffc_params_print(bio_out, ¶ms, 4)))
+ goto err;
+
+ ret = 1;
+err:
+ ffc_params_cleanup(¶ms);
+ return ret;
+}
+
+static int ffc_params_fips186_2_gen_validate_test(void)
+{
+ int ret = 0, res = -1;
+ FFC_PARAMS params;
+ BIGNUM *bn = NULL;
+
+ if (!TEST_ptr(bn = BN_new()))
+ goto err;
+ ffc_params_init(¶ms);
+ if (!TEST_true(ffc_params_FIPS186_2_generate(NULL, ¶ms, FFC_PARAM_TYPE_DH,
+ 1024, 160, NULL, &res, NULL)))
+ goto err;
+ if (!TEST_true(ffc_params_FIPS186_2_validate(¶ms, FFC_PARAM_TYPE_DH,
+ NULL,
+ FFC_PARAMS_VALIDATE_ALL, &res,
+ NULL)))
+ goto err;
+ /* FIPS 186-4 L,N pair test will fail for DH */
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DH,
+ NULL,
+ FFC_PARAMS_VALIDATE_ALL, &res,
+ NULL)))
+ goto err;
+ if (!TEST_int_eq(res, FFC_CHECK_BAD_LN_PAIR))
+ goto err;
+
+ /*
+ * The fips186-2 generation should produce a different q compared to
+ * fips 186-4 given the same seed value. So validation of q will fail.
+ */
+ if (!TEST_false(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ NULL,
+ FFC_PARAMS_VALIDATE_ALL, &res,
+ NULL)))
+ goto err;
+ /* As the params are randomly generated the error is one of the following */
+ if (!TEST_true(res == FFC_CHECK_Q_MISMATCH || res == FFC_CHECK_Q_NOT_PRIME))
+ goto err;
+
+ /* Partially valid g test will still pass */
+ if (!TEST_int_eq(ffc_params_FIPS186_4_validate(¶ms, FFC_PARAM_TYPE_DSA,
+ NULL,
+ FFC_PARAMS_VALIDATE_G, &res,
+ NULL), 2))
+ goto err;
+
+ if (!TEST_true(ffc_params_print(bio_out, ¶ms, 4)))
+ goto err;
+
+ ret = 1;
+err:
+ BN_free(bn);
+ ffc_params_cleanup(¶ms);
+ return ret;
+}
+
+extern FFC_PARAMS *dh_get0_params(DH *dh);
+
+static int ffc_public_validate_test(void)
+{
+ int ret = 0, res = -1;
+ FFC_PARAMS *params;
+ BIGNUM *pub = NULL;
+ DH *dh = NULL;
+
+ if (!TEST_ptr(pub = BN_new()))
+ goto err;
+
+ if (!TEST_ptr(dh = DH_new_by_nid(NID_ffdhe2048)))
+ goto err;
+ params = dh_get0_params(dh);
+
+ if (!TEST_true(BN_set_word(pub, 1)))
+ goto err;
+ BN_set_negative(pub, 1);
+ /* Fail if public key is negative */
+ if (!TEST_false(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
+ goto err;
+ if (!TEST_true(BN_set_word(pub, 0)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
+ goto err;
+ /* Fail if public key is zero */
+ if (!TEST_false(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
+ goto err;
+ /* Fail if public key is 1 */
+ if (!TEST_false(ffc_validate_public_key(params, BN_value_one(), &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
+ goto err;
+ if (!TEST_true(BN_add_word(pub, 2)))
+ goto err;
+ /* Pass if public key >= 2 */
+ if (!TEST_true(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+
+ if (!TEST_ptr(BN_copy(pub, params->p)))
+ goto err;
+ /* Fail if public key = p */
+ if (!TEST_false(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_LARGE, res))
+ goto err;
+
+ if (!TEST_true(BN_sub_word(pub, 1)))
+ goto err;
+ /* Fail if public key = p - 1 */
+ if (!TEST_false(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_LARGE, res))
+ goto err;
+
+ if (!TEST_true(BN_sub_word(pub, 1)))
+ goto err;
+ /* Fail if public key is not related to p & q */
+ if (!TEST_false(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PUBKEY_INVALID, res))
+ goto err;
+
+ if (!TEST_true(BN_sub_word(pub, 5)))
+ goto err;
+ /* Pass if public key is valid */
+ if (!TEST_true(ffc_validate_public_key(params, pub, &res)))
+ goto err;
+
+ ret = 1;
+err:
+ DH_free(dh);
+ BN_free(pub);
+ return ret;
+}
+
+static int ffc_private_validate_test(void)
+{
+ int ret = 0, res = -1;
+ FFC_PARAMS *params;
+ BIGNUM *priv = NULL;
+ DH *dh = NULL;
+
+ if (!TEST_ptr(priv = BN_new()))
+ goto err;
+
+ if (!TEST_ptr(dh = DH_new_by_nid(NID_ffdhe2048)))
+ goto err;
+ params = dh_get0_params(dh);
+
+ if (!TEST_true(BN_set_word(priv, 1)))
+ goto err;
+ BN_set_negative(priv, 1);
+ /* Fail if priv key is negative */
+ if (!TEST_false(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PRIVKEY_TOO_SMALL, res))
+ goto err;
+
+ if (!TEST_true(BN_set_word(priv, 0)))
+ goto err;
+ /* Fail if priv key is zero */
+ if (!TEST_false(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PRIVKEY_TOO_SMALL, res))
+ goto err;
+
+ /* Pass if priv key >= 1 */
+ if (!TEST_true(ffc_validate_private_key(params->q, BN_value_one(), &res)))
+ goto err;
+
+ if (!TEST_ptr(BN_copy(priv, params->q)))
+ goto err;
+ /* Fail if priv key = upper */
+ if (!TEST_false(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+ if (!TEST_int_eq(FFC_ERROR_PRIVKEY_TOO_LARGE, res))
+ goto err;
+
+ if (!TEST_true(BN_sub_word(priv, 1)))
+ goto err;
+ /* Pass if priv key <= upper - 1 */
+ if (!TEST_true(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+
+ ret = 1;
+err:
+ DH_free(dh);
+ BN_free(priv);
+ return ret;
+}
+
+static int ffc_private_gen_test(int index)
+{
+ int ret = 0, res = -1, N;
+ FFC_PARAMS *params;
+ BIGNUM *priv = NULL;
+ DH *dh = NULL;
+ BN_CTX *ctx = NULL;
+
+ if (!TEST_ptr(ctx = BN_CTX_new_ex(NULL)))
+ goto err;
+
+ if (!TEST_ptr(priv = BN_new()))
+ goto err;
+
+ if (!TEST_ptr(dh = DH_new_by_nid(NID_ffdhe2048)))
+ goto err;
+ params = dh_get0_params(dh);
+
+ N = BN_num_bits(params->q);
+ /* Fail since N < 2*s - where s = 112*/
+ if (!TEST_false(ffc_generate_private_key_fips(ctx, params, 220, 112, priv)))
+ goto err;
+ /* fail since N > len(q) */
+ if (!TEST_false(ffc_generate_private_key_fips(ctx, params, N + 1, 112, priv)))
+ goto err;
+ /* pass since 2s <= N <= len(q) */
+ if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N, 112, priv)))
+ goto err;
+ /* pass since N = len(q) */
+ if (!TEST_true(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+ /* pass since 2s <= N < len(q) */
+ if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N / 2, 112, priv)))
+ goto err;
+ if (!TEST_true(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+
+ /* N and s are ignored in this case */
+ if (!TEST_true(ffc_generate_private_key(ctx, params, 0, 0, priv)))
+ goto err;
+ if (!TEST_true(ffc_validate_private_key(params->q, priv, &res)))
+ goto err;
+
+ ret = 1;
+err:
+ DH_free(dh);
+ BN_free(priv);
+ BN_CTX_free(ctx);
+ return ret;
+}
+#endif /* OPENSSL_NO_DH */
+
+int setup_tests(void)
+{
+#ifndef OPENSSL_NO_DSA
+ ADD_TEST(ffc_params_validate_pq_test);
+ ADD_TEST(ffc_params_validate_g_unverified_test);
+#endif /* OPENSSL_NO_DSA */
+#ifndef OPENSSL_NO_DH
+ ADD_TEST(ffc_params_gen_test);
+ ADD_TEST(ffc_params_gen_canonicalg_test);
+ ADD_TEST(ffc_params_fips186_2_gen_validate_test);
+ ADD_TEST(ffc_public_validate_test);
+ ADD_TEST(ffc_private_validate_test);
+ ADD_ALL_TESTS(ffc_private_gen_test, 10);
+#endif /* OPENSSL_NO_DH */
+ return 1;
+}
diff --git a/test/recipes/01-test_sanity.t b/test/recipes/03-test_internal_ffc.t
similarity index 72%
copy from test/recipes/01-test_sanity.t
copy to test/recipes/03-test_internal_ffc.t
index f674f3edc7..aa64213bc0 100644
--- a/test/recipes/01-test_sanity.t
+++ b/test/recipes/03-test_internal_ffc.t
@@ -1,12 +1,11 @@
#! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
-
use OpenSSL::Test::Simple;
-simple_test("test_sanity", "sanitytest");
+simple_test("test_internal_ffc", "ffc_internal_test");
More information about the openssl-commits
mailing list