dsa_key.c 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221
  1. /*
  2. * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * DSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdio.h>
  15. #include <time.h>
  16. #include "internal/cryptlib.h"
  17. #include <openssl/bn.h>
  18. #include <openssl/self_test.h>
  19. #include "prov/providercommon.h"
  20. #include "crypto/dsa.h"
  21. #include "dsa_local.h"
  22. #ifdef FIPS_MODULE
  23. # define MIN_STRENGTH 112
  24. #else
  25. # define MIN_STRENGTH 80
  26. #endif
  27. static int dsa_keygen(DSA *dsa);
  28. int DSA_generate_key(DSA *dsa)
  29. {
  30. #ifndef FIPS_MODULE
  31. if (dsa->meth->dsa_keygen != NULL)
  32. return dsa->meth->dsa_keygen(dsa);
  33. #endif
  34. return dsa_keygen(dsa);
  35. }
  36. int ossl_dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa,
  37. const BIGNUM *priv_key, BIGNUM *pub_key)
  38. {
  39. int ret = 0;
  40. BIGNUM *prk = BN_new();
  41. if (prk == NULL)
  42. return 0;
  43. BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
  44. /* pub_key = g ^ priv_key mod p */
  45. if (!BN_mod_exp(pub_key, dsa->params.g, prk, dsa->params.p, ctx))
  46. goto err;
  47. ret = 1;
  48. err:
  49. BN_clear_free(prk);
  50. return ret;
  51. }
  52. #ifdef FIPS_MODULE
  53. /*
  54. * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
  55. * Perform a KAT by duplicating the public key generation.
  56. *
  57. * NOTE: This issue requires a background understanding, provided in a separate
  58. * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
  59. * the key agreement scenario.
  60. *
  61. * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
  62. * key pair, citing the PCT defined in the associated standard. For key
  63. * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
  64. * the comparison of the original public key to a newly calculated public key.
  65. */
  66. static int dsa_keygen_knownanswer_test(DSA *dsa, BN_CTX *ctx,
  67. OSSL_CALLBACK *cb, void *cbarg)
  68. {
  69. int len, ret = 0;
  70. OSSL_SELF_TEST *st = NULL;
  71. unsigned char bytes[512] = {0};
  72. BIGNUM *pub_key2 = BN_new();
  73. if (pub_key2 == NULL)
  74. return 0;
  75. st = OSSL_SELF_TEST_new(cb, cbarg);
  76. if (st == NULL)
  77. goto err;
  78. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
  79. OSSL_SELF_TEST_DESC_PCT_DSA);
  80. if (!ossl_dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key2))
  81. goto err;
  82. if (BN_num_bytes(pub_key2) > (int)sizeof(bytes))
  83. goto err;
  84. len = BN_bn2bin(pub_key2, bytes);
  85. OSSL_SELF_TEST_oncorrupt_byte(st, bytes);
  86. if (BN_bin2bn(bytes, len, pub_key2) != NULL)
  87. ret = !BN_cmp(dsa->pub_key, pub_key2);
  88. err:
  89. OSSL_SELF_TEST_onend(st, ret);
  90. OSSL_SELF_TEST_free(st);
  91. BN_free(pub_key2);
  92. return ret;
  93. }
  94. /*
  95. * FIPS 140-2 IG 9.9 AS09.33
  96. * Perform a sign/verify operation.
  97. */
  98. static int dsa_keygen_pairwise_test(DSA *dsa, OSSL_CALLBACK *cb, void *cbarg)
  99. {
  100. int ret = 0;
  101. unsigned char dgst[16] = {0};
  102. unsigned int dgst_len = (unsigned int)sizeof(dgst);
  103. DSA_SIG *sig = NULL;
  104. OSSL_SELF_TEST *st = NULL;
  105. st = OSSL_SELF_TEST_new(cb, cbarg);
  106. if (st == NULL)
  107. goto err;
  108. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
  109. OSSL_SELF_TEST_DESC_PCT_DSA);
  110. sig = DSA_do_sign(dgst, (int)dgst_len, dsa);
  111. if (sig == NULL)
  112. goto err;
  113. OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
  114. if (DSA_do_verify(dgst, dgst_len, sig, dsa) != 1)
  115. goto err;
  116. ret = 1;
  117. err:
  118. OSSL_SELF_TEST_onend(st, ret);
  119. OSSL_SELF_TEST_free(st);
  120. DSA_SIG_free(sig);
  121. return ret;
  122. }
  123. #endif /* FIPS_MODULE */
  124. static int dsa_keygen(DSA *dsa)
  125. {
  126. int ok = 0;
  127. BN_CTX *ctx = NULL;
  128. BIGNUM *pub_key = NULL, *priv_key = NULL;
  129. if ((ctx = BN_CTX_new_ex(dsa->libctx)) == NULL)
  130. goto err;
  131. if (dsa->priv_key == NULL) {
  132. if ((priv_key = BN_secure_new()) == NULL)
  133. goto err;
  134. } else {
  135. priv_key = dsa->priv_key;
  136. }
  137. /* Do a partial check for invalid p, q, g */
  138. if (!ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
  139. FFC_PARAM_TYPE_DSA, NULL))
  140. goto err;
  141. /*
  142. * For FFC FIPS 186-4 keygen
  143. * security strength s = 112,
  144. * Max Private key size N = len(q)
  145. */
  146. if (!ossl_ffc_generate_private_key(ctx, &dsa->params,
  147. BN_num_bits(dsa->params.q),
  148. MIN_STRENGTH, priv_key))
  149. goto err;
  150. if (dsa->pub_key == NULL) {
  151. if ((pub_key = BN_new()) == NULL)
  152. goto err;
  153. } else {
  154. pub_key = dsa->pub_key;
  155. }
  156. if (!ossl_dsa_generate_public_key(ctx, dsa, priv_key, pub_key))
  157. goto err;
  158. dsa->priv_key = priv_key;
  159. dsa->pub_key = pub_key;
  160. ok = 1;
  161. #ifdef FIPS_MODULE
  162. {
  163. OSSL_CALLBACK *cb = NULL;
  164. void *cbarg = NULL;
  165. OSSL_SELF_TEST_get_callback(dsa->libctx, &cb, &cbarg);
  166. ok = dsa_keygen_pairwise_test(dsa, cb, cbarg)
  167. && dsa_keygen_knownanswer_test(dsa, ctx, cb, cbarg);
  168. if (!ok) {
  169. ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
  170. BN_free(dsa->pub_key);
  171. BN_clear_free(dsa->priv_key);
  172. dsa->pub_key = NULL;
  173. dsa->priv_key = NULL;
  174. BN_CTX_free(ctx);
  175. return ok;
  176. }
  177. }
  178. #endif
  179. dsa->dirty_cnt++;
  180. err:
  181. if (pub_key != dsa->pub_key)
  182. BN_free(pub_key);
  183. if (priv_key != dsa->priv_key)
  184. BN_free(priv_key);
  185. BN_CTX_free(ctx);
  186. return ok;
  187. }