Add secure DSA nonce flag.
[openssl.git] / crypto / ec / ec_key.c
index 86e6cec..7a15e5f 100644 (file)
@@ -61,6 +61,8 @@
  * contributed to the OpenSSL project.
  */
 
+#define OPENSSL_FIPSAPI
+
 #include <string.h>
 #include "ec_lcl.h"
 #include <openssl/err.h>
@@ -78,10 +80,12 @@ EC_KEY *EC_KEY_new(void)
                }
 
        ret->version = 1;       
+       ret->flags = 0;
        ret->group   = NULL;
        ret->pub_key = NULL;
        ret->priv_key= NULL;
        ret->enc_flag= 0; 
+       ret->nonce_from_hash_flag = 0;
        ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
        ret->references= 1;
        ret->method_data = NULL;
@@ -195,8 +199,10 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 
        /* copy the rest */
        dest->enc_flag  = src->enc_flag;
+       dest->nonce_from_hash_flag = src->nonce_from_hash_flag;
        dest->conv_form = src->conv_form;
        dest->version   = src->version;
+       dest->flags = src->flags;
 
        return dest;
        }
@@ -230,6 +236,71 @@ int EC_KEY_up_ref(EC_KEY *r)
        return ((i > 1) ? 1 : 0);
        }
 
+#ifdef OPENSSL_FIPS
+
+#include <openssl/evp.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+
+static int fips_check_ec(EC_KEY *key)
+       {
+       EVP_PKEY pk;
+       unsigned char tbs[] = "ECDSA Pairwise Check Data";
+       pk.type = EVP_PKEY_EC;
+       pk.pkey.ec = key;
+
+       if (!fips_pkey_signature_test(FIPS_TEST_PAIRWISE,
+                                       &pk, tbs, 0, NULL, 0, NULL, 0, NULL))
+               {
+               FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED);
+               fips_set_selftest_fail();
+               return 0;
+               }
+       return 1;
+       }
+
+int fips_check_ec_prng(EC_KEY *ec)
+       {
+       int bits, strength;
+       if (!FIPS_module_mode())
+               return 1;
+
+       if (ec->flags & (EC_FLAG_NON_FIPS_ALLOW|EC_FLAG_FIPS_CHECKED))
+               return 1;
+
+       if (!ec->group)
+               return 1;
+
+       bits = BN_num_bits(&ec->group->order);
+
+       if (bits < 160)
+               {
+               FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_KEY_TOO_SHORT);
+               return 0;
+               }
+       /* Comparable algorithm strengths: from SP800-57 table 2 */
+       if (bits >= 512)
+               strength = 256;
+       else if (bits >= 384)
+               strength = 192;
+       else if (bits >= 256)
+               strength = 128;
+       else if (bits >= 224)
+               strength = 112;
+       else
+               strength = 80;
+
+
+       if (FIPS_rand_strength() >= strength)
+               return 1;
+
+       FIPSerr(FIPS_F_FIPS_CHECK_EC_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW);
+       return 0;
+
+       }
+
+#endif
+
 int EC_KEY_generate_key(EC_KEY *eckey)
        {       
        int     ok = 0;
@@ -237,6 +308,14 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        BIGNUM  *priv_key = NULL, *order = NULL;
        EC_POINT *pub_key = NULL;
 
+#ifdef OPENSSL_FIPS
+       if(FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
+               return 0;
+               }
+#endif
+
        if (!eckey || !eckey->group)
                {
                ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
@@ -258,6 +337,11 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        if (!EC_GROUP_get_order(eckey->group, order, ctx))
                goto err;
 
+#ifdef OPENSSL_FIPS
+       if (!fips_check_ec_prng(eckey))
+               goto err;
+#endif
+
        do
                if (!BN_rand_range(priv_key, order))
                        goto err;
@@ -278,6 +362,15 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        eckey->priv_key = priv_key;
        eckey->pub_key  = pub_key;
 
+#ifdef OPENSSL_FIPS
+       if(!fips_check_ec(eckey))
+               {
+               eckey->priv_key = NULL;
+               eckey->pub_key  = NULL;
+               goto err;
+               }
+#endif
+
        ok=1;
 
 err:   
@@ -310,7 +403,7 @@ int EC_KEY_check_key(const EC_KEY *eckey)
                ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY);
                goto err;
                }
-       
+
        if ((ctx = BN_CTX_new()) == NULL)
                goto err;
        if ((point = EC_POINT_new(eckey->group)) == NULL)
@@ -371,6 +464,84 @@ err:
        return(ok);
        }
 
+int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y)
+       {
+       BN_CTX *ctx = NULL;
+       BIGNUM *tx, *ty;
+       EC_POINT *point = NULL;
+       int ok = 0, tmp_nid, is_char_two = 0;
+
+       if (!key || !key->group || !x || !y)
+               {
+               ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
+                                               ERR_R_PASSED_NULL_PARAMETER);
+               return 0;
+               }
+       ctx = BN_CTX_new();
+       if (!ctx)
+               goto err;
+
+       point = EC_POINT_new(key->group);
+
+       if (!point)
+               goto err;
+
+       tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
+
+        if (tmp_nid == NID_X9_62_characteristic_two_field)
+               is_char_two = 1;
+
+       tx = BN_CTX_get(ctx);
+       ty = BN_CTX_get(ctx);
+#ifndef OPENSSL_NO_EC2M
+       if (is_char_two)
+               {
+               if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
+                                                               x, y, ctx))
+                       goto err;
+               if (!EC_POINT_get_affine_coordinates_GF2m(key->group, point,
+                                                               tx, ty, ctx))
+                       goto err;
+               }
+       else
+#endif
+               {
+               if (!EC_POINT_set_affine_coordinates_GFp(key->group, point,
+                                                               x, y, ctx))
+                       goto err;
+               if (!EC_POINT_get_affine_coordinates_GFp(key->group, point,
+                                                               tx, ty, ctx))
+                       goto err;
+               }
+       /* Check if retrieved coordinates match originals and are less than
+        * field order: if not values are out of range.
+        */
+       if (BN_cmp(x, tx) || BN_cmp(y, ty)
+               || (BN_cmp(x, &key->group->field) >= 0)
+               || (BN_cmp(y, &key->group->field) >= 0))
+               {
+               ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
+                       EC_R_COORDINATES_OUT_OF_RANGE);
+               goto err;
+               }
+
+       if (!EC_KEY_set_public_key(key, point))
+               goto err;
+
+       if (EC_KEY_check_key(key) == 0)
+               goto err;
+
+       ok = 1;
+
+       err:
+       if (ctx)
+               BN_CTX_free(ctx);
+       if (point)
+               EC_POINT_free(point);
+       return ok;
+
+       }
+
 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
        {
        return key->group;
@@ -420,6 +591,16 @@ void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
        key->enc_flag = flags;
        }
 
+int EC_KEY_get_nonce_from_hash(const EC_KEY *key)
+       {
+       return key->nonce_from_hash_flag;
+       }
+
+void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on)
+       {
+       key->nonce_from_hash_flag = on != 0;
+       }
+
 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
        {
        return key->conv_form;
@@ -435,18 +616,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
 void *EC_KEY_get_key_method_data(EC_KEY *key,
        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
        {
-       return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+       void *ret;
+
+       CRYPTO_r_lock(CRYPTO_LOCK_EC);
+       ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+       CRYPTO_r_unlock(CRYPTO_LOCK_EC);
+
+       return ret;
        }
 
-void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
        {
        EC_EXTRA_DATA *ex_data;
+
        CRYPTO_w_lock(CRYPTO_LOCK_EC);
        ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
        if (ex_data == NULL)
                EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
        CRYPTO_w_unlock(CRYPTO_LOCK_EC);
+
+       return ex_data;
        }
 
 void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
@@ -461,3 +651,18 @@ int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
                return 0;
        return EC_GROUP_precompute_mult(key->group, ctx);
        }
+
+int EC_KEY_get_flags(const EC_KEY *key)
+       {
+       return key->flags;
+       }
+
+void EC_KEY_set_flags(EC_KEY *key, int flags)
+       {
+       key->flags |= flags;
+       }
+
+void EC_KEY_clear_flags(EC_KEY *key, int flags)
+       {
+       key->flags &= ~flags;
+       }