import pct: remove import PCTs for most algorithms
This covers DH, EC, RSA and SLH-DSA. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/28447)
parent
320cdbc8de
commit
7f7f75816f
@ -209,18 +209,6 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
#ifdef FIPS_MODULE
/*
* FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
* consistency check be undertaken on key import. The required test
* is described in SP 800-56Ar3 5.6.2.1.4.
*/
if (ok > 0 && !ossl_fips_self_testing()) {
ok = ossl_dh_check_pairwise(dh, 1);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
}
#endif /* FIPS_MODULE */
}
}
return ok;
return ok;
@ -431,21 +431,6 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
#ifdef FIPS_MODULE
if (ok > 0
&& !ossl_fips_self_testing()
&& EC_KEY_get0_public_key(ec) != NULL
&& EC_KEY_get0_private_key(ec) != NULL
&& EC_KEY_get0_group(ec) != NULL) {
BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
BN_CTX_free(bnctx);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
}
#endif /* FIPS_MODULE */
return ok;
return ok;
}
}
@ -197,23 +197,6 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
}
}
#ifdef FIPS_MODULE
if (ok > 0 && !ossl_fips_self_testing()) {
const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
RSA_get0_key(rsa, &n, &e, &d);
RSA_get0_crt_params(rsa, &dp, &dq, &iq);
p = RSA_get0_p(rsa);
q = RSA_get0_q(rsa);
/* Check for the public key */
if (n != NULL && e != NULL)
/* Check for private key in straightforward or CRT form */
if (d != NULL || (p != NULL && q != NULL && dp != NULL
&& dq != NULL && iq != NULL))
ok = ossl_rsa_key_pairwise_test(rsa);
}
#endif /* FIPS_MODULE */
return ok;
return ok;
}
}
@ -119,7 +119,7 @@ static int slh_dsa_validate(const void *key_data, int selection, int check_type)
static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
{
{
SLH_DSA_KEY *key = keydata;
SLH_DSA_KEY *key = keydata;
int include_priv, res;
int include_priv;
struct slh_dsa_import_st p;
struct slh_dsa_import_st p;
if (!ossl_prov_is_running()
if (!ossl_prov_is_running()
@ -131,21 +131,7 @@ static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[
return 0;
return 0;
include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
res = ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);
return ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);
#ifdef FIPS_MODULE
/*
* FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
* consistency check be undertaken on key import. The required test
* is described in SP 800-56Ar3 5.6.2.1.4.
*/
if (res > 0 && ossl_slh_dsa_key_has(key, OSSL_KEYMGMT_SELECT_KEYPAIR) > 0)
if (!slh_dsa_fips140_pairwise_test(key, NULL)) {
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
ossl_slh_dsa_key_reset(key);
res = 0;
}
#endif /* FIPS_MODULE */
return res;
}
}
static const OSSL_PARAM *slh_dsa_imexport_types(int selection)
static const OSSL_PARAM *slh_dsa_imexport_types(int selection)
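Review bot: The new `return ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);` leaves no record of why the import-time pairwise consistency test is no longer run, even though the removed comment cited FIPS 140-3 IG 10.3.A as mandating it; a maintainer reading the new code cannot tell whether that requirement was withdrawn, relaxed, or is now satisfied elsewhere. A one-line comment at the return, e.g. `/* No import PCT: see <GUIDANCE-REFERENCE-PLACEHOLDER> and PR #28447 */`, or a sentence in the commit description giving the rationale, would close that gap. The same observation applies to the dh_import, common_import and rsa_import hunks, which drop the equivalent FIPS_MODULE blocks without any replacement note. slh_dsa_import's signature and body begin in the previous hunk.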