author | slontis <shane.lontis@oracle.com> | 2023-02-22 05:16:05 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-04-03 10:31:04 +0200 |
commit | a76ccb9d0ddc24f6551afbc220b41fb3c4e64c6a (patch) | |
tree | 93935d36fb68f37c5f3ad61797ba69d6a0cc756a /crypto/dsa | |
parent | Avoid calling into provider with the same iv_len or key_len (diff) | |
FFC cleanups
Discovered during coverage testing.
Remove unnecessary check when using ossl_dh_get0_params() and
ossl_dsa_get0_params(). These point to addresses and cannot fail
for any existing calls.
Make dsa keygen tests only available in the FIPS module - as they are
not used in the default provider.
Change ossl_ffc_set_digest() to return void as it cannot fail.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20359)
Diffstat (limited to 'crypto/dsa')
-rw-r--r-- | crypto/dsa/dsa_key.c | 89 | ||||
-rw-r--r-- | crypto/dsa/dsa_lib.c | 8 |
2 files changed, 45 insertions, 52 deletions
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index e8c8359634..7fc762880b 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -28,8 +28,7 @@
 # define MIN_STRENGTH 80
 #endif
-static int dsa_keygen(DSA *dsa, int pairwise_test);
-static int dsa_keygen_pairwise_test(DSA *dsa, OSSL_CALLBACK *cb, void *cbarg);
+static int dsa_keygen(DSA *dsa);
 int DSA_generate_key(DSA *dsa)
 {
@@ -37,7 +36,7 @@ int DSA_generate_key(DSA *dsa)
 if (dsa->meth->dsa_keygen != NULL)
 return dsa->meth->dsa_keygen(dsa);
 #endif
- return dsa_keygen(dsa, 0);
+ return dsa_keygen(dsa);
 }
 int ossl_dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa,
@@ -59,6 +58,7 @@ err:
 return ret;
 }
+#ifdef FIPS_MODULE
 /*
 * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
 * Perform a KAT by duplicating the public key generation.
@@ -107,7 +107,44 @@ err:
 return ret;
 }
-static int dsa_keygen(DSA *dsa, int pairwise_test)
+/*
+ * FIPS 140-2 IG 9.9 AS09.33
+ * Perform a sign/verify operation.
+ */
+static int dsa_keygen_pairwise_test(DSA *dsa, OSSL_CALLBACK *cb, void *cbarg)
+{
+ int ret = 0;
+ unsigned char dgst[16] = {0};
+ unsigned int dgst_len = (unsigned int)sizeof(dgst);
+ DSA_SIG *sig = NULL;
+ OSSL_SELF_TEST *st = NULL;
+
+ st = OSSL_SELF_TEST_new(cb, cbarg);
+ if (st == NULL)
+ goto err;
+
+ OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
+ OSSL_SELF_TEST_DESC_PCT_DSA);
+
+ sig = DSA_do_sign(dgst, (int)dgst_len, dsa);
+ if (sig == NULL)
+ goto err;
+
+ OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
+
+ if (DSA_do_verify(dgst, dgst_len, sig, dsa) != 1)
+ goto err;
+
+ ret = 1;
+err:
+ OSSL_SELF_TEST_onend(st, ret);
+ OSSL_SELF_TEST_free(st);
+ DSA_SIG_free(sig);
+ return ret;
+}
+#endif /* FIPS_MODULE */
+
+static int dsa_keygen(DSA *dsa)
 {
 int ok = 0;
 BN_CTX *ctx = NULL;
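Review bot: The header comment on dsa_keygen_pairwise_test() in the `-107,7 +107,44` hunk says only "Perform a sign/verify operation", which leaves the `OSSL_SELF_TEST_oncorrupt_byte(st, dgst)` call between `DSA_do_sign()` and `DSA_do_verify()` unexplained. As far as I understand the self-test API, that call lets the registered callback ask for the digest to be altered so that the verify step fails on demand, which is why its position between sign and verify matters. A one-line comment above it, such as `/* Fault-injection hook: if the callback requests it, dgst is corrupted so the verify below must fail */`, would keep a later reader from treating it as a stray side effect or reordering it. The function itself is moved unchanged, and the `#ifdef FIPS_MODULE` that now encloses it opens in the previous hunk.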
@@ -151,12 +188,9 @@ static int dsa_keygen(DSA *dsa, int pairwise_test)
 dsa->priv_key = priv_key;
 dsa->pub_key = pub_key;
-#ifdef FIPS_MODULE
- pairwise_test = 1;
-#endif /* FIPS_MODULE */
-
 ok = 1;
- if (pairwise_test) {
+#ifdef FIPS_MODULE
+ {
 OSSL_CALLBACK *cb = NULL;
 void *cbarg = NULL;
@@ -173,6 +207,7 @@ static int dsa_keygen(DSA *dsa, int pairwise_test)
 return ok;
 }
 }
+#endif
 dsa->dirty_cnt++;
 err:
@@ -184,39 +219,3 @@ static int dsa_keygen(DSA *dsa, int pairwise_test)
 return ok;
 }
-
-/*
- * FIPS 140-2 IG 9.9 AS09.33
- * Perform a sign/verify operation.
- */
-static int dsa_keygen_pairwise_test(DSA *dsa, OSSL_CALLBACK *cb, void *cbarg)
-{
- int ret = 0;
- unsigned char dgst[16] = {0};
- unsigned int dgst_len = (unsigned int)sizeof(dgst);
- DSA_SIG *sig = NULL;
- OSSL_SELF_TEST *st = NULL;
-
- st = OSSL_SELF_TEST_new(cb, cbarg);
- if (st == NULL)
- goto err;
-
- OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
- OSSL_SELF_TEST_DESC_PCT_DSA);
-
- sig = DSA_do_sign(dgst, (int)dgst_len, dsa);
- if (sig == NULL)
- goto err;
-
- OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
-
- if (DSA_do_verify(dgst, dgst_len, sig, dsa) != 1)
- goto err;
-
- ret = 1;
-err:
- OSSL_SELF_TEST_onend(st, ret);
- OSSL_SELF_TEST_free(st);
- DSA_SIG_free(sig);
- return ret;
-}
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 333885a01a..bcfd467b1c 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -345,13 +345,7 @@ FFC_PARAMS *ossl_dsa_get0_params(DSA *dsa)
 int ossl_dsa_ffc_params_fromdata(DSA *dsa, const OSSL_PARAM params[])
 {
 int ret;
- FFC_PARAMS *ffc;
-
- if (dsa == NULL)
- return 0;
- ffc = ossl_dsa_get0_params(dsa);
- if (ffc == NULL)
- return 0;
+ FFC_PARAMS *ffc = ossl_dsa_get0_params(dsa);
 ret = ossl_ffc_params_fromdata(ffc, params);
 if (ret) |
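Review bot: The `#endif` added in the `-173,6 +207,7` hunk is bare, while the guard this same commit closes further up in dsa_key.c is written `#endif /* FIPS_MODULE */`. The block it terminates opens in the preceding hunk and contains an early `return ok;`, so the label helps when the tail of dsa_keygen() is read on its own; suggest `#endif /* FIPS_MODULE */` here as well. The body of the guarded block lies between the two hunks and is not visible on this page.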
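Review bot: Dropping `if (dsa == NULL) return 0;` in ossl_dsa_ffc_params_fromdata() is a different change from dropping the `ffc == NULL` test. The second was dead if, as the commit description says, ossl_dsa_get0_params() only returns an address inside the object, but the first was the only thing turning a NULL `dsa` into a clean failure. With the new initialiser `FFC_PARAMS *ffc = ossl_dsa_get0_params(dsa);`, a NULL argument presumably yields an offset from NULL that is then handed to ossl_ffc_params_fromdata(). If every caller guarantees a non-NULL key, state that on the function, e.g. `/* dsa must not be NULL; all internal callers pass an allocated key */`; otherwise keep the one-line `dsa == NULL` guard. The rest of the function body continues past the end of the hunk.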