From 8083fd3a183d4c881d6b15727cbc6cb7faeb3280 Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Sun, 16 Feb 2020 13:03:46 +1000 Subject: Add FFC param/key validation Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10910) --- crypto/ffc/build.info | 3 +- crypto/ffc/ffc_key_generate.c | 20 ++++--- crypto/ffc/ffc_key_validate.c | 120 +++++++++++++++++++++++++++++++++++++++ crypto/ffc/ffc_params_generate.c | 32 ++++------- crypto/ffc/ffc_params_validate.c | 80 ++++++++++++++++++++++++++ 5 files changed, 227 insertions(+), 28 deletions(-) create mode 100644 crypto/ffc/ffc_key_validate.c create mode 100644 crypto/ffc/ffc_params_validate.c (limited to 'crypto/ffc') diff --git a/crypto/ffc/build.info b/crypto/ffc/build.info index d3314c30d1..c8bc7e9018 100644 --- a/crypto/ffc/build.info +++ b/crypto/ffc/build.info @@ -1,6 +1,7 @@ LIBS=../../libcrypto -$COMMON=ffc_params.c ffc_params_generate.c ffc_key_generate.c +$COMMON=ffc_params.c ffc_params_generate.c ffc_key_generate.c\ + ffc_params_validate.c ffc_key_validate.c SOURCE[../../libcrypto]=$COMMON SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/ffc/ffc_key_generate.c b/crypto/ffc/ffc_key_generate.c index 186245cc87..b8c85480c1 100644 --- a/crypto/ffc/ffc_key_generate.c +++ b/crypto/ffc/ffc_key_generate.c @@ -23,6 +23,19 @@ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params, int N, int s, BIGNUM *priv) { #ifdef FIPS_MODE + return ffc_generate_private_key_fips(ctx, params, N, s, priv); +#else + do { + if (!BN_priv_rand_range_ex(priv, params->q, ctx)) + return 0; + } while (BN_is_zero(priv) || BN_is_one(priv)); + return 1; +#endif /* FIPS_MODE */ +} + +int ffc_generate_private_key_fips(BN_CTX *ctx, const FFC_PARAMS *params, + int N, int s, BIGNUM *priv) +{ int ret = 0; BIGNUM *m, *two_powN = NULL; @@ -51,11 +64,4 @@ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params, err: BN_free(two_powN); return ret; -#else - do { - if (!BN_priv_rand_range_ex(priv, params->q, ctx)) - return 0; - } while (BN_is_zero(priv) || BN_is_one(priv)); - return 1; -#endif /* FIPS_MODE */ } diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c new file mode 100644 index 0000000000..a35f52e1b9 --- /dev/null +++ b/crypto/ffc/ffc_key_validate.c @@ -0,0 +1,120 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/ffc.h" + +/* + * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation. + * To only be used with ephemeral FFC public keys generated using the approved + * safe-prime groups. (Checks that the public key is in the range [2, p - 1] + * + * ret contains 0 on success, or error flags (see FFC_ERROR_PUBKEY_TOO_SMALL) + */ +int ffc_validate_public_key_partial(const FFC_PARAMS *params, + const BIGNUM *pub_key, int *ret) +{ + int ok = 0; + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; + + *ret = 0; + ctx = BN_CTX_new_ex(NULL); + if (ctx == NULL) + goto err; + + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); + /* Step(1): Verify pub_key >= 2 */ + if (tmp == NULL + || !BN_set_word(tmp, 1)) + goto err; + if (BN_cmp(pub_key, tmp) <= 0) { + *ret |= FFC_ERROR_PUBKEY_TOO_SMALL; + goto err; + } + /* Step(1): Verify pub_key <= p-2 */ + if (BN_copy(tmp, params->p) == NULL + || !BN_sub_word(tmp, 1)) + goto err; + if (BN_cmp(pub_key, tmp) >= 0) { + *ret |= FFC_ERROR_PUBKEY_TOO_LARGE; + goto err; + } + ok = 1; + err: + if (ctx != NULL) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + return ok; +} + +/* + * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation. + */ +int ffc_validate_public_key(const FFC_PARAMS *params, const BIGNUM *pub_key, + int *ret) +{ + int ok = 0; + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; + + if (!ffc_validate_public_key_partial(params, pub_key, ret)) + return 0; + + if (params->q != NULL) { + ctx = BN_CTX_new_ex(NULL); + if (ctx == NULL) + goto err; + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); + + /* Check pub_key^q == 1 mod p */ + if (tmp == NULL + || !BN_mod_exp(tmp, pub_key, params->q, params->p, ctx)) + goto err; + if (!BN_is_one(tmp)) { + *ret |= FFC_ERROR_PUBKEY_INVALID; + goto err; + } + } + + ok = 1; + err: + if (ctx != NULL) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + return ok; +} + +/* + * See SP800-56Ar3 Section 5.6.2.1.2: Owner assurance of Private key validity. + * Verifies priv_key is in the range [1..upper-1]. The passed in value of upper + * is normally params->q but can be 2^N for approved safe prime groups. + * Note: This assumes that the domain parameters are valid. + */ +int ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv, int *ret) +{ + int ok = 0; + + *ret = 0; + + if (BN_cmp(priv, BN_value_one()) < 0) { + *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL; + goto err; + } + if (BN_cmp(priv, upper) >= 0) { + *ret |= FFC_ERROR_PRIVKEY_TOO_LARGE; + goto err; + } + ok = 1; +err: + return ok; +} diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c index 54d5c58e09..cb51bf0e76 100644 --- a/crypto/ffc/ffc_params_generate.c +++ b/crypto/ffc/ffc_params_generate.c @@ -474,10 +474,10 @@ static EVP_MD *fetch_default_md(OPENSSL_CTX *libctx, size_t N) * - FFC_PARAMS_RET_STATUS_UNVERIFIABLE_G if the validation of G succeeded, * but G is unverifiable. */ -int ffc_param_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params, - int type, size_t L, size_t N, - const EVP_MD *evpmd, int validate_flags, - int *res, BN_GENCB *cb) +int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params, + int type, size_t L, size_t N, + const EVP_MD *evpmd, int validate_flags, + int *res, BN_GENCB *cb) { int ok = FFC_PARAMS_RET_STATUS_FAILED; unsigned char *seed = NULL, *seed_tmp = NULL; @@ -750,10 +750,10 @@ err: return ok; } -int ffc_param_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params, - int type, size_t L, size_t N, - const EVP_MD *evpmd, int validate_flags, - int *res, BN_GENCB *cb) +int ffc_params_FIPS186_2_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params, + int type, size_t L, size_t N, + const EVP_MD *evpmd, int validate_flags, + int *res, BN_GENCB *cb) { int ok = FFC_PARAMS_RET_STATUS_FAILED; unsigned char seed[SHA256_DIGEST_LENGTH]; @@ -977,8 +977,8 @@ int ffc_params_FIPS186_4_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params, int type, size_t L, size_t N, const EVP_MD *evpmd, int *res, BN_GENCB *cb) { - return ffc_param_FIPS186_4_gen_verify(libctx, params, type, L, N, evpmd, 0, - res, cb); + return ffc_params_FIPS186_4_gen_verify(libctx, params, type, L, N, evpmd, 0, + res, cb); } /* This should no longer be used in FIPS mode */ @@ -986,14 +986,6 @@ int ffc_params_FIPS186_2_generate(OPENSSL_CTX *libctx, FFC_PARAMS *params, int type, size_t L, size_t N, const EVP_MD *evpmd, int *res, BN_GENCB *cb) { - return ffc_param_FIPS186_2_gen_verify(libctx, params, type, L, N, evpmd, - 0, res, cb); -} - -/* TODO(3.0) - Add this in another PR - just add a stub for now */ -int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont, - const BIGNUM *p, const BIGNUM *q, - const BIGNUM *g, BIGNUM *tmp, int *ret) -{ - return 1; + return ffc_params_FIPS186_2_gen_verify(libctx, params, type, L, N, evpmd, + 0, res, cb); } diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c new file mode 100644 index 0000000000..4d0a4d837f --- /dev/null +++ b/crypto/ffc/ffc_params_validate.c @@ -0,0 +1,80 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Finite Field cryptography (FFC) is used for DSA and DH. + * This file contains methods for validation of FFC parameters. + * It calls the same functions as the generation as the code is very similar. + */ + +#include "internal/ffc.h" + +/* FIPS186-4 A.2.2 Unverifiable partial validation of Generator g */ +int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont, + const BIGNUM *p, const BIGNUM *q, + const BIGNUM *g, BIGNUM *tmp, int *ret) +{ + /* + * A.2.2 Step (1) AND + * A.2.4 Step (2) + * Verify that 2 <= g <= (p - 1) + */ + if (BN_cmp(g, BN_value_one()) <= 0 || BN_cmp(g, p) >= 0) { + *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR; + return 0; + } + + /* + * A.2.2 Step (2) AND + * A.2.4 Step (3) + * Check g^q mod p = 1 + */ + if (!BN_mod_exp_mont(tmp, g, q, p, ctx, mont)) + return 0; + if (BN_cmp(tmp, BN_value_one()) != 0) { + *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR; + return 0; + } + return 1; +} + +int ffc_params_FIPS186_4_validate(const FFC_PARAMS *params, int type, + const EVP_MD *evpmd, int validate_flags, + int *res, BN_GENCB *cb) +{ + size_t L, N; + + if (params == NULL || params->p == NULL || params->q == NULL) + return FFC_PARAMS_RET_STATUS_FAILED; + + /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */ + L = BN_num_bits(params->p); + N = BN_num_bits(params->q); + return ffc_params_FIPS186_4_gen_verify(NULL, (FFC_PARAMS *)params, type, L, N, + evpmd, validate_flags, res, cb); +} + +/* This may be used in FIPS mode to validate deprecated FIPS-186-2 Params */ +int ffc_params_FIPS186_2_validate(const FFC_PARAMS *params, int type, + const EVP_MD *evpmd, int validate_flags, + int *res, BN_GENCB *cb) +{ + size_t L, N; + + if (params->p == NULL || params->q == NULL) { + *res = FFC_CHECK_INVALID_PQ; + return FFC_PARAMS_RET_STATUS_FAILED; + } + + /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */ + L = BN_num_bits(params->p); + N = BN_num_bits(params->q); + return ffc_params_FIPS186_2_gen_verify(NULL, (FFC_PARAMS *)params, type, L, N, + evpmd, validate_flags, res, cb); +} -- cgit v1.2.3