dsa/ec: update pairwise tests to account for 140-3 IG 10.3.A additiocal comment 1

This mandates following SP 800-56A which, in 5.6.2.4, mandates a comparision against a newly calculated public key. Co-authored-by: Randall Steck <rsteck@thinqsoft.com> Co-authored-by: Mark J. Minnoch <mark@keypair.us> Co-authored-by: Steve Weymann <steve@keypair.us> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19510)
2025-02-17 14:32:04 +08:00 · 2022-10-26 11:48:07 +11:00 · 2022-10-26 11:48:07 +11:00 · 5b234be4c4
commit 5b234be4c4
parent fc0bb3411b
2 changed files with 107 additions and 2 deletions
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@ -59,6 +59,54 @@ err:
    return ret;
 }

+/*
+ * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
+ * Perform a KAT by duplicating the public key generation.
+ *
+ * NOTE: This issue requires a background understanding, provided in a separate
+ * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
+ * the key agreement scenario.
+ *
+ * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
+ * key pair, citing the PCT defined in the associated standard. For key
+ * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
+ * the comparison of the original public key to a newly calculated public key.
+ */
+static int dsa_keygen_knownanswer_test(DSA *dsa, BN_CTX *ctx,
+                                       OSSL_CALLBACK *cb, void *cbarg)
+{
+    int len, ret = 0;
+    OSSL_SELF_TEST *st = NULL;
+    unsigned char bytes[512] = {0};
+    BIGNUM *pub_key2 = BN_new();
+
+    if (pub_key2 == NULL)
+        return 0;
+
+    st = OSSL_SELF_TEST_new(cb, cbarg);
+    if (st == NULL)
+        goto err;
+
+    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
+                               OSSL_SELF_TEST_DESC_PCT_DSA);
+
+    if (!ossl_dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key2))
+        goto err;
+
+    if (BN_num_bytes(pub_key2) > (int)sizeof(bytes))
+        goto err;
+    len = BN_bn2bin(pub_key2, bytes);
+    OSSL_SELF_TEST_oncorrupt_byte(st, bytes);
+    if (BN_bin2bn(bytes, len, pub_key2) != NULL)
+        ret = !BN_cmp(dsa->pub_key, pub_key2);
+
+err:
+    OSSL_SELF_TEST_onend(st, ret);
+    OSSL_SELF_TEST_free(st);
+    BN_free(pub_key2);
+    return ret;
+}
+
 static int dsa_keygen(DSA *dsa, int pairwise_test)
 {
    int ok = 0;
@ -113,7 +161,8 @@ static int dsa_keygen(DSA *dsa, int pairwise_test)
        void *cbarg = NULL;

        OSSL_SELF_TEST_get_callback(dsa->libctx, &cb, &cbarg);
-        ok = dsa_keygen_pairwise_test(dsa, cb, cbarg);
+        ok = dsa_keygen_pairwise_test(dsa, cb, cbarg)
+             && dsa_keygen_knownanswer_test(dsa, ctx, cb, cbarg);
        if (!ok) {
            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
            BN_free(dsa->pub_key);
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@ -237,6 +237,56 @@ int ossl_ec_key_gen(EC_KEY *eckey)
    return ret;
 }

+/*
+ * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
+ * Perform a KAT by duplicating the public key generation.
+ *
+ * NOTE: This issue requires a background understanding, provided in a separate
+ * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
+ * the key agreement scenario.
+ *
+ * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
+ * key pair, citing the PCT defined in the associated standard. For key
+ * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
+ * the comparison of the original public key to a newly calculated public key.
+ */
+static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx,
+                                         OSSL_CALLBACK *cb, void *cbarg)
+{
+    int len, ret = 0;
+    OSSL_SELF_TEST *st = NULL;
+    unsigned char bytes[512] = {0};
+    EC_POINT *pub_key2 = EC_POINT_new(eckey->group);
+
+    if (pub_key2 == NULL)
+        return 0;
+
+    st = OSSL_SELF_TEST_new(cb, cbarg);
+    if (st == NULL)
+        return 0;
+
+    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
+                               OSSL_SELF_TEST_DESC_PCT_ECDSA);
+
+    /* pub_key = priv_key * G (where G is a point on the curve) */
+    if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx))
+        goto err;
+
+    if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes))
+        goto err;
+    len = BN_bn2bin(pub_key2->X, bytes);
+    if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes)
+            && BN_bin2bn(bytes, len, pub_key2->X) == NULL)
+        goto err;
+    ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx);
+
+err:
+    OSSL_SELF_TEST_onend(st, ret);
+    OSSL_SELF_TEST_free(st);
+    EC_POINT_free(pub_key2);
+    return ret;
+}
+
 /*
 * ECC Key generation.
 * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
@ -333,7 +383,8 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
        void *cbarg = NULL;

        OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
-        ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
+        ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg)
+             && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg);
    }
 err:
    /* Step (9): If there is an error return an invalid keypair. */
@ -530,6 +581,11 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
        goto err;
    }
+    /* Perform a second check on the public key */
+    if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
+        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
+        goto err;
+    }
    if (!EC_POINT_is_at_infinity(eckey->group, point)) {
        ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER);
        goto err;