|
@@ -237,6 +237,56 @@ int ossl_ec_key_gen(EC_KEY *eckey)
|
|
|
return ret;
|
|
|
}
|
|
|
|
|
|
+/*
|
|
|
+ * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
|
|
|
+ * Perform a KAT by duplicating the public key generation.
|
|
|
+ *
|
|
|
+ * NOTE: This issue requires a background understanding, provided in a separate
|
|
|
+ * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
|
|
|
+ * the key agreement scenario.
|
|
|
+ *
|
|
|
+ * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
|
|
|
+ * key pair, citing the PCT defined in the associated standard. For key
|
|
|
+ * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
|
|
|
+ * the comparison of the original public key to a newly calculated public key.
|
|
|
+ */
|
|
|
+static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx,
|
|
|
+ OSSL_CALLBACK *cb, void *cbarg)
|
|
|
+{
|
|
|
+ int len, ret = 0;
|
|
|
+ OSSL_SELF_TEST *st = NULL;
|
|
|
+ unsigned char bytes[512] = {0};
|
|
|
+ EC_POINT *pub_key2 = EC_POINT_new(eckey->group);
|
|
|
+
|
|
|
+ if (pub_key2 == NULL)
|
|
|
+ return 0;
|
|
|
+
|
|
|
+ st = OSSL_SELF_TEST_new(cb, cbarg);
|
|
|
+ if (st == NULL)
|
|
|
+ return 0;
|
|
|
+
|
|
|
+ OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
|
|
|
+ OSSL_SELF_TEST_DESC_PCT_ECDSA);
|
|
|
+
|
|
|
+ /* pub_key = priv_key * G (where G is a point on the curve) */
|
|
|
+ if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx))
|
|
|
+ goto err;
|
|
|
+
|
|
|
+ if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes))
|
|
|
+ goto err;
|
|
|
+ len = BN_bn2bin(pub_key2->X, bytes);
|
|
|
+ if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes)
|
|
|
+ && BN_bin2bn(bytes, len, pub_key2->X) == NULL)
|
|
|
+ goto err;
|
|
|
+ ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx);
|
|
|
+
|
|
|
+err:
|
|
|
+ OSSL_SELF_TEST_onend(st, ret);
|
|
|
+ OSSL_SELF_TEST_free(st);
|
|
|
+ EC_POINT_free(pub_key2);
|
|
|
+ return ret;
|
|
|
+}
|
|
|
+
|
|
|
/*
|
|
|
* ECC Key generation.
|
|
|
* See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
|
|
@@ -333,7 +383,8 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
|
|
|
void *cbarg = NULL;
|
|
|
|
|
|
OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
|
|
|
- ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
|
|
|
+ ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg)
|
|
|
+ && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg);
|
|
|
}
|
|
|
err:
|
|
|
/* Step (9): If there is an error return an invalid keypair. */
|
|
@@ -530,6 +581,11 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
|
|
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
|
goto err;
|
|
|
}
|
|
|
+ /* Perform a second check on the public key */
|
|
|
+ if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
|
|
|
+ ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
if (!EC_POINT_is_at_infinity(eckey->group, point)) {
|
|
|
ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER);
|
|
|
goto err;
|