root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

import pct: remove import PCTs for most algorithms 

This coveres DH, EC, RSA and SLH-DSA.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28447)
This commit is contained in:
Pauli 2025-09-05 07:23:28 +10:00 committed by Neil Horman
parent 320cdbc8de
commit 7f7f75816f
4 changed files with 2 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
providers/implementations/keymgmt/dh_kmgmt.c
View File

@ -209,18 +209,6 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
#ifdef FIPS_MODULE
/*
* FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
* consistency check be undertaken on key import. The required test
* is described in SP 800-56Ar3 5.6.2.1.4.
*/
if (ok > 0 && !ossl_fips_self_testing()) {
ok = ossl_dh_check_pairwise(dh, 1);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
}
#endif /* FIPS_MODULE */
}
return ok;

15
providers/implementations/keymgmt/ec_kmgmt.c
View File

@ -431,21 +431,6 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
#ifdef FIPS_MODULE
if (ok > 0
&& !ossl_fips_self_testing()
&& EC_KEY_get0_public_key(ec) != NULL
&& EC_KEY_get0_private_key(ec) != NULL
&& EC_KEY_get0_group(ec) != NULL) {
BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
BN_CTX_free(bnctx);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
}
#endif /* FIPS_MODULE */
return ok;
}

17
providers/implementations/keymgmt/rsa_kmgmt.c
View File

@ -197,23 +197,6 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
}
#ifdef FIPS_MODULE
if (ok > 0 && !ossl_fips_self_testing()) {
const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
RSA_get0_key(rsa, &n, &e, &d);
RSA_get0_crt_params(rsa, &dp, &dq, &iq);
p = RSA_get0_p(rsa);
q = RSA_get0_q(rsa);
/* Check for the public key */
if (n != NULL && e != NULL)
/* Check for private key in straightforward or CRT form */
if (d != NULL || (p != NULL && q != NULL && dp != NULL
&& dq != NULL && iq != NULL))
ok = ossl_rsa_key_pairwise_test(rsa);
}
#endif /* FIPS_MODULE */
return ok;
}

18
providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
View File

@ -119,7 +119,7 @@ static int slh_dsa_validate(const void *key_data, int selection, int check_type)
static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
{
SLH_DSA_KEY *key = keydata;
int include_priv, res;
int include_priv;
struct slh_dsa_import_st p;
if (!ossl_prov_is_running()
@ -131,21 +131,7 @@ static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[
return 0;
include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
res = ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);
#ifdef FIPS_MODULE
/*
* FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
* consistency check be undertaken on key import. The required test
* is described in SP 800-56Ar3 5.6.2.1.4.
*/
if (res > 0 && ossl_slh_dsa_key_has(key, OSSL_KEYMGMT_SELECT_KEYPAIR) > 0)
if (!slh_dsa_fips140_pairwise_test(key, NULL)) {
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
ossl_slh_dsa_key_reset(key);
res = 0;
}
#endif /* FIPS_MODULE */
return res;
return ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);
}
static const OSSL_PARAM *slh_dsa_imexport_types(int selection)