Add DSA Key validation to default provider

author Shane Lontis <shane.lontis@oracle.com>

Tue, 21 Jan 2020 05:57:25 +0000 (15:57 +1000)

committer Shane Lontis <shane.lontis@oracle.com>

Wed, 4 Mar 2020 22:30:22 +0000 (08:30 +1000)
author Shane Lontis <shane.lontis@oracle.com>
Tue, 21 Jan 2020 05:57:25 +0000 (15:57 +1000)
committer Shane Lontis <shane.lontis@oracle.com>
Wed, 4 Mar 2020 22:30:22 +0000 (08:30 +1000)
diff --git a/crypto/dsa/build.info b/crypto/dsa/build.info

index 2cbea9b961e8177df58ba611328a340a14419c1b..35a95a2be152a4f561db1685339e00ce31977724 100644 (file)
--- a/crypto/dsa/build.info
+++ b/crypto/dsa/build.info
@@ -1,9 +1,10 @@
  LIBS=../../libcrypto
  
  LIBS=../../libcrypto
  
-$COMMON=dsa_sign.c dsa_vrf.c dsa_lib.c dsa_ossl.c dsa_aid.c
+$COMMON=dsa_sign.c dsa_vrf.c dsa_lib.c dsa_ossl.c dsa_aid.c dsa_check.c \
+        dsa_key.c
  
  SOURCE[../../libcrypto]=$COMMON\
  
  SOURCE[../../libcrypto]=$COMMON\
-        dsa_gen.c dsa_key.c dsa_asn1.c \
+        dsa_gen.c dsa_asn1.c \
          dsa_err.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c \
          dsa_meth.c
  SOURCE[../../providers/libfips.a]=$COMMON
          dsa_err.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c \
          dsa_meth.c
  SOURCE[../../providers/libfips.a]=$COMMON
diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c

index 3b86d2dc7ab63cea56ba416fb4d01173d13d4bfb..611a4e66f6865ed80216f6823ba57c213bf562bd 100644 (file)
--- a/crypto/dsa/dsa_check.c
+++ b/crypto/dsa/dsa_check.c
@@ -15,7 +15,6 @@
  
  int dsa_check_params(const DSA *dsa, int *ret)
  {
  
  int dsa_check_params(const DSA *dsa, int *ret)
  {
-    int nid;
      /*
       * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
       * validity tests.
      /*
       * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
       * validity tests.
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c

index 494f284111d5c12321669263d0da5045525be5d3..a4821f94c3b4a36cdeddf7169ed38dde4fec3482 100644 (file)
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -1,5 +1,5 @@
  /*
  /*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
   *
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
   *
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
@@ -17,12 +17,11 @@
  #include <openssl/core_names.h>
  #include <openssl/bn.h>
  #include <openssl/params.h>
  #include <openssl/core_names.h>
  #include <openssl/bn.h>
  #include <openssl/params.h>
-#include "internal/param_build.h"
-#include "crypto/dsa.h"
  #include "prov/implementations.h"
  #include "prov/providercommon.h"
  #include "prov/provider_ctx.h"
  #include "crypto/dsa.h"
  #include "prov/implementations.h"
  #include "prov/providercommon.h"
  #include "prov/provider_ctx.h"
  #include "crypto/dsa.h"
+#include "internal/param_build.h"
  
  static OSSL_OP_keymgmt_new_fn dsa_newdata;
  static OSSL_OP_keymgmt_free_fn dsa_freedata;
  
  static OSSL_OP_keymgmt_new_fn dsa_newdata;
  static OSSL_OP_keymgmt_free_fn dsa_freedata;
@@ -30,6 +29,7 @@ static OSSL_OP_keymgmt_get_params_fn dsa_get_params;
  static OSSL_OP_keymgmt_gettable_params_fn dsa_gettable_params;
  static OSSL_OP_keymgmt_has_fn dsa_has;
  static OSSL_OP_keymgmt_match_fn dsa_match;
  static OSSL_OP_keymgmt_gettable_params_fn dsa_gettable_params;
  static OSSL_OP_keymgmt_has_fn dsa_has;
  static OSSL_OP_keymgmt_match_fn dsa_match;
+static OSSL_OP_keymgmt_validate_fn dsa_validate;
  static OSSL_OP_keymgmt_import_fn dsa_import;
  static OSSL_OP_keymgmt_import_types_fn dsa_import_types;
  static OSSL_OP_keymgmt_export_fn dsa_export;
  static OSSL_OP_keymgmt_import_fn dsa_import;
  static OSSL_OP_keymgmt_import_types_fn dsa_import_types;
  static OSSL_OP_keymgmt_export_fn dsa_export;
@@ -329,6 +329,55 @@ static const OSSL_PARAM *dsa_gettable_params(void)
      return dsa_params;
  }
  
      return dsa_params;
  }
  
+static int dsa_validate_domparams(DSA *dsa)
+{
+    int status = 0;
+
+    return dsa_check_params(dsa, &status);
+}
+
+static int dsa_validate_public(DSA *dsa)
+{
+    int status = 0;
+    const BIGNUM *pub_key = NULL;
+
+    DSA_get0_key(dsa, &pub_key, NULL);
+    return dsa_check_pub_key(dsa, pub_key, &status);
+}
+
+static int dsa_validate_private(DSA *dsa)
+{
+    int status = 0;
+    const BIGNUM *priv_key = NULL;
+
+    DSA_get0_key(dsa, NULL, &priv_key);
+    return dsa_check_priv_key(dsa, priv_key, &status);
+}
+
+static int dsa_validate(void *keydata, int selection)
+{
+    DSA *dsa = keydata;
+    int ok = 0;
+
+    if ((selection & DSA_POSSIBLE_SELECTIONS) != 0)
+        ok = 1;
+
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
+        ok = ok && dsa_validate_domparams(dsa);
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+        ok = ok && dsa_validate_public(dsa);
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
+        ok = ok && dsa_validate_private(dsa);
+
+    /* If the whole key is selected, we do a pairwise validation */
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR)
+        == OSSL_KEYMGMT_SELECT_KEYPAIR)
+        ok = ok && dsa_check_pairwise(dsa);
+    return ok;
+}
+
  const OSSL_DISPATCH dsa_keymgmt_functions[] = {
      { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))dsa_newdata },
      { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))dsa_freedata },
  const OSSL_DISPATCH dsa_keymgmt_functions[] = {
      { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))dsa_newdata },
      { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))dsa_freedata },
@@ -336,6 +385,7 @@ const OSSL_DISPATCH dsa_keymgmt_functions[] = {
      { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))dsa_gettable_params },
      { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))dsa_has },
      { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))dsa_match },
      { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))dsa_gettable_params },
      { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))dsa_has },
      { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))dsa_match },
+    { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))dsa_validate },
      { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))dsa_import },
      { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))dsa_import_types },
      { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))dsa_export },
      { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))dsa_import },
      { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))dsa_import_types },
      { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))dsa_export },
author	Shane Lontis <shane.lontis@oracle.com>
	Tue, 21 Jan 2020 05:57:25 +0000 (15:57 +1000)
committer	Shane Lontis <shane.lontis@oracle.com>
	Wed, 4 Mar 2020 22:30:22 +0000 (08:30 +1000)
crypto/dsa/build.info		patch \| blob \| history
crypto/dsa/dsa_check.c		patch \| blob \| history
providers/implementations/keymgmt/dsa_kmgmt.c		patch \| blob \| history