Add FFC param/key validation

Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10910)

5 files changed, 227 insertions, 28 deletions

diff --git a/crypto/ffc/build.info b/crypto/ffc/build.info
index d3314c30d1..c8bc7e9018 100644
--- a/crypto/ffc/build.info
+++ b/crypto/ffc/build.info
@@ -1,6 +1,7 @@
 LIBS=../../libcrypto
 
-$COMMON=ffc_params.c ffc_params_generate.c ffc_key_generate.c
+$COMMON=ffc_params.c ffc_params_generate.c ffc_key_generate.c\
+        ffc_params_validate.c ffc_key_validate.c
 
 SOURCE[../../libcrypto]=$COMMON
 SOURCE[../../providers/libfips.a]=$COMMON
diff --git a/crypto/ffc/ffc_key_generate.c b/crypto/ffc/ffc_key_generate.c
index 186245cc87..b8c85480c1 100644
--- a/crypto/ffc/ffc_key_generate.c
+++ b/crypto/ffc/ffc_key_generate.c
@@ -23,6 +23,19 @@ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params,
                              int N, int s, BIGNUM *priv)
 {
 #ifdef FIPS_MODE
+    return ffc_generate_private_key_fips(ctx, params, N, s, priv);
+#else
+    do {
+        if (!BN_priv_rand_range_ex(priv, params->q, ctx))
+            return 0;
+    } while (BN_is_zero(priv) || BN_is_one(priv));
+    return 1;
+#endif /* FIPS_MODE */
+}
+
+int ffc_generate_private_key_fips(BN_CTX *ctx, const FFC_PARAMS *params,
+                                  int N, int s, BIGNUM *priv)
+{
     int ret = 0;
     BIGNUM *m, *two_powN = NULL;
 
@@ -51,11 +64,4 @@ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params,
 err:
     BN_free(two_powN);
     return ret;
-#else
-    do {
-        if (!BN_priv_rand_range_ex(priv, params->q, ctx))
-            return 0;
-    } while (BN_is_zero(priv) || BN_is_one(priv));
-    return 1;
-#endif /* FIPS_MODE */
 }
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
new file mode 100644
index 0000000000..a35f52e1b9
--- /dev/null
+++ b/crypto/ffc/ffc_key_validate.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/ffc.h"
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation.
+ * To only be used with ephemeral FFC public keys generated using the approved
+ * safe-prime groups. (Checks that the public key is in the range [2, p - 1]
+ *
+ * ret contains 0 on success, or error flags (see FFC_ERROR_PUBKEY_TOO_SMALL)
+ */
+int ffc_validate_public_key_partial(const FFC_PARAMS *params,
+                                    const BIGNUM *pub_key, int *ret)
+{
+    int ok = 0;
+    BIGNUM *tmp = NULL;
+    BN_CTX *ctx = NULL;
+
+    *ret = 0;
+    ctx = BN_CTX_new_ex(NULL);
+    if (ctx == NULL)
+        goto err;
+
+    BN_CTX_start(ctx);
+    tmp = BN_CTX_get(ctx);
+    /* Step(1): Verify pub_key >= 2 */
+    if (tmp == NULL
+        || !BN_set_word(tmp, 1))
+        goto err;
+    if (BN_cmp(pub_key, tmp) <= 0) {
+        *ret |= FFC_ERROR_PUBKEY_TOO_SMALL;
+        goto err;
+    }
+    /* Step(1): Verify pub_key <=  p-2 */
+    if (BN_copy(tmp, params->p) == NULL
+        || !BN_sub_word(tmp, 1))
+        goto err;
+    if (BN_cmp(pub_key, tmp) >= 0) {
+        *ret |= FFC_ERROR_PUBKEY_TOO_LARGE;
+        goto err;
+    }
+    ok = 1;
+ err:
+    if (ctx != NULL) {
+        BN_CTX_end(ctx);
+        BN_CTX_free(ctx);
+    }
+    return ok;
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation.
+ */
+int ffc_validate_public_key(const FFC_PARAMS *params, const BIGNUM *pub_key,
+                            int *ret)
+{
+    int ok = 0;
+    BIGNUM *tmp = NULL;
+    BN_CTX *ctx = NULL;
+
+    if (!ffc_validate_public_key_partial(params, pub_key, ret))
+        return 0;
+
+    if (params->q != NULL) {
+        ctx = BN_CTX_new_ex(NULL);
+        if (ctx == NULL)
+            goto err;
+        BN_CTX_start(ctx);
+        tmp = BN_CTX_get(ctx);
+
+        /* Check pub_key^q == 1 mod p */
+        if (tmp == NULL
+            || !BN_mod_exp(tmp, pub_key, params->q, params->p, ctx))
+            goto err;
+        if (!BN_is_one(tmp)) {
+            *ret |= FFC_ERROR_PUBKEY_INVALID;
+            goto err;
+        }
+    }
+
+    ok = 1;
+ err:
+    if (ctx != NULL) {
+        BN_CTX_end(ctx);
+        BN_CTX_free(ctx);
+    }
+    return ok;
+}
+
+/*
+ * See SP800-56Ar3 Section 5.6.2.1.2: Owner assurance of Private key validity.
+ * Verifies priv_key is in the range [1..upper-1]. The passed in value of upper
+ * is normally params->q but can be 2^N for approved safe prime groups.
+ * Note: This assumes that the domain parameters are valid.
+ */
+int ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv, int *ret)
+{
+    int ok = 0;
+
+    *ret = 0;
+
+    if (BN_cmp(priv, BN_value_one()) < 0) {
+        *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
+        goto err;
+    }
+    if (BN_cmp(priv, upper) >= 0) {
+        *ret |= FFC_ERROR_PRIVKEY_TOO_LARGE;
+        goto err;
+    }
+    ok = 1;
+err:
+    return ok;
+}
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c
index 54d5c58e09..cb51bf0e76 100644
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@@ -474,10 +474,10 @@ static EVP_MD *fetch_default_md(OPENSSL_CTX *libctx, size_t N)
  *   - FFC_PARAMS_RET_STATUS_UNVERIFIABLE_G if the validation of G succeeded,
  *     but G is unverifiable.
  */
-int ffc_param_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
-                                   int type, size_t L, size_t N,
-                                   const EVP_MD *evpmd, int validate_flags,
-                                   int *res, BN_GENCB *cb)
+int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
+                                    int type, size_t L, size_t N,
+                                    const EVP_MD *evpmd, int validate_flags,
+                                    int *res, BN_GENCB *cb)
 {
     int ok = FFC_PARAMS_RET_STATUS_FAILED;
     unsigned char *seed = NULL, *seed_tmp = NULL;
@@ -750,10 +750,10 @@ err:
     return ok;
 }
 
-int ffc_param_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
-                                   int type, size_t L, size_t N,
-                                   const EVP_MD *evpmd, int validate_flags,
-                                   int *res, BN_GENCB *cb)
+int ffc_params_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params,
+                                    int type, size_t L, size_t N,
+                                    const EVP_MD *evpmd, int validate_flags,
+                                    int *res, BN_GENCB *cb)
 {
     int ok = FFC_PARAMS_RET_STATUS_FAILED;
     unsigned char seed[SHA256_DIGEST_LENGTH];
@@ -977,8 +977,8 @@ int ffc_params_FIPS186_4_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params,
                                   int type, size_t L, size_t N,
                                   const EVP_MD *evpmd, int *res, BN_GENCB *cb)
 {
-    return ffc_param_FIPS186_4_gen_verify(libctx, params, type, L, N, evpmd, 0,
-                                          res, cb);
+    return ffc_params_FIPS186_4_gen_verify(libctx, params, type, L, N, evpmd, 0,
+                                           res, cb);
 }
 
 /* This should no longer be used in FIPS mode */
@@ -986,14 +986,6 @@ int ffc_params_FIPS186_2_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params,
                                   int type, size_t L, size_t N,
                                   const EVP_MD *evpmd, int *res, BN_GENCB *cb)
 {
-    return ffc_param_FIPS186_2_gen_verify(libctx, params, type, L, N, evpmd,
-                                          0, res, cb);
-}
-
-/* TODO(3.0) - Add this in another PR -  just add a stub for now */
-int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
-                                       const BIGNUM *p, const BIGNUM *q,
-                                       const BIGNUM *g, BIGNUM *tmp, int *ret)
-{
-    return 1;
+    return ffc_params_FIPS186_2_gen_verify(libctx, params, type, L, N, evpmd,
+                                           0, res, cb);
 }
diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c
new file mode 100644
index 0000000000..4d0a4d837f
--- /dev/null
+++ b/crypto/ffc/ffc_params_validate.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Finite Field cryptography (FFC) is used for DSA and DH.
+ * This file contains methods for validation of FFC parameters.
+ * It calls the same functions as the generation as the code is very similar.
+ */
+
+#include "internal/ffc.h"
+
+/* FIPS186-4 A.2.2 Unverifiable partial validation of Generator g */
+int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
+                                       const BIGNUM *p, const BIGNUM *q,
+                                       const BIGNUM *g, BIGNUM *tmp, int *ret)
+{
+    /*
+     * A.2.2 Step (1) AND
+     * A.2.4 Step (2)
+     * Verify that 2 <= g <= (p - 1)
+     */
+    if (BN_cmp(g, BN_value_one()) <= 0 || BN_cmp(g, p) >= 0) {
+        *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
+        return 0;
+    }
+
+    /*
+     * A.2.2 Step (2) AND
+     * A.2.4 Step (3)
+     * Check g^q mod p = 1
+     */
+    if (!BN_mod_exp_mont(tmp, g, q, p, ctx, mont))
+        return 0;
+    if (BN_cmp(tmp, BN_value_one()) != 0) {
+        *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
+        return 0;
+    }
+    return 1;
+}
+
+int ffc_params_FIPS186_4_validate(const FFC_PARAMS *params, int type,
+                                  const EVP_MD *evpmd, int validate_flags,
+                                  int *res, BN_GENCB *cb)
+{
+    size_t L, N;
+
+    if (params == NULL || params->p == NULL || params->q == NULL)
+        return FFC_PARAMS_RET_STATUS_FAILED;
+
+    /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
+    L = BN_num_bits(params->p);
+    N = BN_num_bits(params->q);
+    return ffc_params_FIPS186_4_gen_verify(NULL, (FFC_PARAMS *)params, type, L, N,
+                                           evpmd, validate_flags, res, cb);
+}
+
+/* This may be used in FIPS mode to validate deprecated FIPS-186-2 Params */
+int ffc_params_FIPS186_2_validate(const FFC_PARAMS *params, int type,
+                                  const EVP_MD *evpmd, int validate_flags,
+                                  int *res, BN_GENCB *cb)
+{
+    size_t L, N;
+
+    if (params->p == NULL || params->q == NULL) {
+        *res = FFC_CHECK_INVALID_PQ;
+        return FFC_PARAMS_RET_STATUS_FAILED;
+    }
+
+    /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
+    L = BN_num_bits(params->p);
+    N = BN_num_bits(params->q);
+    return ffc_params_FIPS186_2_gen_verify(NULL, (FFC_PARAMS *)params, type, L, N,
+                                           evpmd, validate_flags, res, cb);
+}