From bb1aab38a6a3751bf61319c2aa40a6ffd4ea910c Mon Sep 17 00:00:00 2001 From: slontis Date: Thu, 22 Aug 2024 11:50:17 +1000 Subject: [PATCH] FIPS: Add EDDSA public key validation. EVP_PKEY_public_check() can be used by ED25519 and ED448 in order to determine if the public key is a valid point on the curve. The FIPS ACVP tests require public key validation tests. See https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/EDDSA-KeyVer-1.0/internalProjection.json Note that this is NOT required to be called before EDDSA signature verification since it is done internally. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25265) --- crypto/ec/curve25519.c | 15 +++ crypto/ec/curve448/eddsa.c | 22 ++++ include/crypto/ecx.h | 5 + providers/implementations/keymgmt/ecx_kmgmt.c | 28 ++++- test/acvp_test.c | 95 ++++++++++++++- test/acvp_test.inc | 114 ++++++++++++++++++ 6 files changed, 275 insertions(+), 4 deletions(-) diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index cae2ac101d..a097a225c3 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -5538,6 +5538,21 @@ err: return res; } +/* + * This function should not be necessary since ossl_ed25519_verify() already + * does this check internally. + * For some reason the FIPS ACVP requires a EDDSA KeyVer test. + */ +int +ossl_ed25519_pubkey_verify(const uint8_t *pub, size_t pub_len) +{ + ge_p3 A; + + if (pub_len != ED25519_KEYLEN) + return 0; + return (ge_frombytes_vartime(&A, pub) == 0); +} + static const char allzeroes[15]; int diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index ff7f11dd34..9b5140cb17 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -272,6 +272,17 @@ ossl_c448_ed448_sign_prehash( context, context_len, propq); } +static c448_error_t +c448_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len) +{ + curve448_point_t pk_point; + + if (pub_len != EDDSA_448_PUBLIC_BYTES) + return C448_FAILURE; + + return ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pub); +} + c448_error_t ossl_c448_ed448_verify( OSSL_LIB_CTX *ctx, @@ -380,6 +391,17 @@ ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, propq) == C448_SUCCESS; } +/* + * This function should not be necessary since ossl_ed448_verify() already + * does this check internally. + * For some reason the FIPS ACVP requires a EDDSA KeyVer test. + */ +int +ossl_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len) +{ + return c448_ed448_pubkey_verify(pub, pub_len); +} + int ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index f35b875fb6..8026795739 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -108,6 +108,8 @@ ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len, const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq); int +ossl_ed25519_pubkey_verify(const uint8_t *pub, size_t pub_len); +int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57], const uint8_t private_key[57], const char *propq); int @@ -124,6 +126,9 @@ ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *context, size_t context_len, const uint8_t phflag, const char *propq); +int +ossl_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len); + int ossl_x448(uint8_t out_shared_key[56], const uint8_t private_key[56], const uint8_t peer_public_value[56]); diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index ae11fd4bc0..cd9aac2276 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -865,6 +865,25 @@ static int ecx_key_pairwise_check(const ECX_KEY *ecx, int type) return CRYPTO_memcmp(ecx->pubkey, pub, ecx->keylen) == 0; } +#ifdef FIPS_MODULE +/* + * FIPS ACVP testing requires the ability to check if the public key is valid + * This is not required normally since the ED signature verify does the test + * internally. + */ +static int ecd_key_pub_check(const ECX_KEY *ecx, int type) +{ + switch (type) { + case ECX_KEY_TYPE_ED25519: + return ossl_ed25519_pubkey_verify(ecx->pubkey, ecx->keylen); + case ECX_KEY_TYPE_ED448: + return ossl_ed448_pubkey_verify(ecx->pubkey, ecx->keylen); + default: + return 1; + } +} +#endif + #ifdef FIPS_MODULE static int ecd_key_pairwise_check(const ECX_KEY *ecx, int type) { @@ -893,7 +912,8 @@ static int ecd_key_pairwise_check(const ECX_KEY *ecx, int type) } #endif -static int ecx_validate(const void *keydata, int selection, int type, size_t keylen) +static int ecx_validate(const void *keydata, int selection, int type, + size_t keylen) { const ECX_KEY *ecx = keydata; int ok = keylen == ecx->keylen; @@ -909,8 +929,12 @@ static int ecx_validate(const void *keydata, int selection, int type, size_t key return 0; } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { ok = ok && ecx->haspubkey; +#ifdef FIPS_MODULE + ok = ok && ecd_key_pub_check(ecx, type); +#endif + } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && ecx->privkey != NULL; diff --git a/test/acvp_test.c b/test/acvp_test.c index c3c81f4ad6..1625cedc11 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -345,7 +345,7 @@ err: } #endif /* OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECX) static int pkey_get_octet_bytes(EVP_PKEY *pkey, const char *name, unsigned char **out, size_t *out_len) { @@ -367,6 +367,91 @@ err: OPENSSL_free(buf); return 0; } +#endif /* !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECX) */ + +#ifndef OPENSSL_NO_ECX +static int eddsa_create_pkey(EVP_PKEY **pkey, const char *algname, + const unsigned char *pub, size_t pub_len, + int expected) +{ + int ret = 0; + EVP_PKEY_CTX *ctx = NULL; + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_PKEY_PARAM_PUB_KEY, + pub, pub_len) > 0) + || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, NULL)) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, pkey, EVP_PKEY_PUBLIC_KEY, + params), expected)) + goto err; + + ret = 1; +err: + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(bld); + EVP_PKEY_CTX_free(ctx); + return ret; +} + +static int eddsa_pub_verify_test(int id) +{ + const struct ecdsa_pub_verify_st *tst = &eddsa_pv_data[id]; + int ret = 0; + EVP_PKEY_CTX *key_ctx = NULL; + EVP_PKEY *pkey = NULL; + + if (!TEST_true(eddsa_create_pkey(&pkey, tst->curve_name, + tst->pub, tst->pub_len, 1))) + goto err; + + if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, "")) + || !TEST_int_eq(EVP_PKEY_public_check(key_ctx), tst->pass)) + goto err; + ret = 1; +err: + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(key_ctx); + return ret; +} + +static int eddsa_keygen_test(int id) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + unsigned char *priv = NULL, *pub = NULL; + size_t priv_len = 0, pub_len = 0; + const struct ecdsa_pub_verify_st *tst = &eddsa_pv_data[id]; + + self_test_args.called = 0; + self_test_args.enable = 1; + if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, tst->curve_name)) + || !TEST_int_ge(self_test_args.called, 3) + || !TEST_true(pkey_get_octet_bytes(pkey, OSSL_PKEY_PARAM_PRIV_KEY, + &priv, &priv_len)) + || !TEST_true(pkey_get_octet_bytes(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub, + &pub_len))) + goto err; + + test_output_memory("q", pub, pub_len); + test_output_memory("d", priv, priv_len); + ret = 1; +err: + self_test_args.enable = 0; + self_test_args.called = 0; + OPENSSL_clear_free(priv, priv_len); + OPENSSL_free(pub); + EVP_PKEY_free(pkey); + return ret; +} + +#endif /* OPENSSL_NO_ECX */ + +#ifndef OPENSSL_NO_DSA static EVP_PKEY *dsa_paramgen(int L, int N) { @@ -1605,6 +1690,12 @@ int setup_tests(void) ADD_ALL_TESTS(ecdsa_sigver_test, OSSL_NELEM(ecdsa_sigver_data)); #endif /* OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_ECX + if (fips_provider_version_ge(libctx, 3, 4, 0)) { + ADD_ALL_TESTS(eddsa_keygen_test, OSSL_NELEM(eddsa_pv_data)); + ADD_ALL_TESTS(eddsa_pub_verify_test, OSSL_NELEM(eddsa_pv_data)); + } +#endif ADD_ALL_TESTS(drbg_test, OSSL_NELEM(drbg_data)); return 1; } diff --git a/test/acvp_test.inc b/test/acvp_test.inc index 8670cfa0ab..5264c57ad1 100644 --- a/test/acvp_test.inc +++ b/test/acvp_test.inc @@ -233,6 +233,120 @@ static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { #endif /* OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_ECX + +/* + * Test vectors obtained from + * https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/EDDSA-KeyVer-1.0 + */ +static const unsigned char ed25519_pv_pub0[] = { + 0xBE, 0xE1, 0x6F, 0x5B, 0x4A, 0x24, 0xEF, 0xF8, + 0xA6, 0x54, 0x0C, 0x04, 0x5C, 0xC4, 0x51, 0xCA, + 0x3A, 0x4E, 0x9B, 0x86, 0xDC, 0x5D, 0xE8, 0x12, + 0x0C, 0xDD, 0x1C, 0x23, 0x8E, 0x3F, 0x22, 0x7D +}; +static const unsigned char ed25519_pv_pub1[] = { + 0x1E, 0xE7, 0x74, 0x94, 0x73, 0xA1, 0xB8, 0x98, + 0xBF, 0x8C, 0x81, 0x11, 0x8E, 0x76, 0xEE, 0x8B, + 0xDB, 0xD4, 0x8C, 0x19, 0x29, 0xF7, 0x47, 0x2A, + 0x18, 0xAD, 0xCE, 0xFE, 0x2F, 0x8A, 0x25, 0x69 +}; +static const unsigned char ed25519_pv_pub2[] = { + 0x61, 0x4B, 0xC0, 0xBE, 0x80, 0xE6, 0xC6, 0x35, + 0xDC, 0xF5, 0x65, 0xE6, 0xCE, 0xEE, 0x1C, 0x14, + 0x3C, 0xF4, 0x46, 0xAC, 0x22, 0x82, 0xA0, 0xCE, + 0x28, 0xE6, 0x53, 0x62, 0x48, 0x3D, 0x8B, 0x94 +}; +static const unsigned char ed25519_pv_pub3[] = { + 0x38, 0x95, 0x95, 0x90, 0x4D, 0x7E, 0xDC, 0x9B, + 0xF3, 0xB6, 0xF9, 0x52, 0x40, 0xC4, 0x50, 0xC4, + 0x72, 0xC0, 0x5E, 0x83, 0x8E, 0x84, 0xD5, 0x9A, + 0x10, 0x3D, 0xCC, 0xFA, 0xD6, 0x19, 0x61, 0x07 +}; +static const unsigned char ed448_pv_pub0[] = { + 0xC3, 0xA9, 0x2B, 0xDD, 0xF1, 0x9C, 0x1F, 0xF1, + 0x69, 0x0E, 0xB0, 0x42, 0x73, 0x85, 0xCB, 0x8F, + 0x74, 0xE6, 0x49, 0x63, 0xF0, 0xF3, 0xA6, 0x28, + 0x11, 0xDB, 0x10, 0x54, 0x70, 0x52, 0x38, 0xB6, + 0xCE, 0x62, 0xE0, 0x9F, 0x7A, 0xD5, 0xA2, 0xFF, + 0xA9, 0xB4, 0xA1, 0xCD, 0x5E, 0x67, 0x6E, 0xFB, + 0x1B, 0x1C, 0xAE, 0x58, 0xF5, 0xE1, 0x74, 0x8C, + 0x00 +}; +static const unsigned char ed448_pv_pub1[] = { + 0x94, 0xFE, 0x99, 0x25, 0x2F, 0x5C, 0x05, 0x69, + 0xBF, 0x8B, 0x5B, 0xDD, 0x32, 0x61, 0x50, 0x08, + 0x95, 0x05, 0xEE, 0x44, 0x04, 0xCF, 0x76, 0x44, + 0x17, 0x56, 0x82, 0x03, 0xF1, 0x3A, 0xBB, 0x13, + 0xBB, 0xC6, 0x3E, 0xCE, 0xE2, 0x1F, 0xEC, 0x06, + 0x90, 0xA9, 0x53, 0x10, 0xB6, 0x86, 0x4D, 0x71, + 0x29, 0x1B, 0x12, 0xCE, 0x3A, 0x86, 0xFD, 0xE0, + 0x80 +}; +static const unsigned char ed448_pv_pub2[] = { + 0xD0, 0x88, 0xF0, 0xA9, 0x94, 0x86, 0x31, 0x9A, + 0xC7, 0xD0, 0x8C, 0x7C, 0xE4, 0xEB, 0xA0, 0x6C, + 0xF3, 0xF7, 0x20, 0x3A, 0xA9, 0x4C, 0x85, 0xEC, + 0x30, 0x10, 0xD7, 0x1A, 0x4B, 0x21, 0xA2, 0xFF, + 0x7F, 0x3D, 0xEF, 0xA9, 0x45, 0x28, 0x53, 0x30, + 0x16, 0x34, 0x3C, 0x4F, 0x19, 0xF5, 0xA3, 0x80, + 0xF4, 0x42, 0xFB, 0xE6, 0x3B, 0xEE, 0x35, 0x4D, + 0x80 +}; +static const unsigned char ed448_pv_pub3[] = { + 0x45, 0x42, 0x38, 0x5F, 0x3D, 0xD3, 0x4A, 0x84, + 0x87, 0x74, 0x56, 0x27, 0x62, 0x4E, 0xA2, 0xA9, + 0xE8, 0xB2, 0x45, 0x9E, 0x1A, 0xF4, 0x5D, 0xCB, + 0x70, 0x51, 0xBD, 0xD2, 0xEE, 0x07, 0xB9, 0x32, + 0xFD, 0x5E, 0xCA, 0x47, 0x56, 0xB0, 0x06, 0xC0, + 0xEF, 0xC0, 0x43, 0x5F, 0xE2, 0x1C, 0xAA, 0xE9, + 0x10, 0x6F, 0xD7, 0x16, 0xFC, 0xBE, 0xF4, 0xB8, + 0x80 +}; + +static const struct ecdsa_pub_verify_st eddsa_pv_data[] = { + { + "ED25519", + ITM(ed25519_pv_pub0), + FAIL + }, + { + "ED25519", + ITM(ed25519_pv_pub1), + FAIL + }, + { + "ED25519", + ITM(ed25519_pv_pub2), + PASS + }, + { + "ED25519", + ITM(ed25519_pv_pub3), + PASS + }, + { + "ED448", + ITM(ed448_pv_pub0), + FAIL + }, + { + "ED448", + ITM(ed448_pv_pub1), + FAIL + }, + { + "ED448", + ITM(ed448_pv_pub2), + PASS + }, + { + "ED448", + ITM(ed448_pv_pub3), + PASS + }, +}; +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_DSA