Tidy up FIPS module dependencies.

This removes the FIPS module's dependency on crypto/bytestring and moves
ECDSA_SIG_{new,free} into the module.

Change-Id: I7b45ef07f1140873a0da300501141b6ae272a5d9
Reviewed-on: https://boringssl-review.googlesource.com/15984
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/ec_extra/ec_asn1.c b/crypto/ec_extra/ec_asn1.c
index 277bea8..7621045 100644
--- a/crypto/ec_extra/ec_asn1.c
+++ b/crypto/ec_extra/ec_asn1.c
@@ -408,6 +408,17 @@
   return NULL;
 }
 
+int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point,
+                       point_conversion_form_t form, BN_CTX *ctx) {
+  size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx);
+  if (len == 0) {
+    return 0;
+  }
+  uint8_t *p;
+  return CBB_add_space(out, &p, len) &&
+         EC_POINT_point2oct(group, point, form, p, len, ctx) == len;
+}
+
 EC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {
   /* This function treats its |out| parameter differently from other |d2i|
    * functions. If supplied, take the group from |*out|. */
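Review bot: `EC_POINT_point2cbb` has no comment at its new location stating what happens to `out` on failure. When the second `EC_POINT_point2oct` call fails, `CBB_add_space` has already reserved `len` bytes, so the CBB holds space that was not fully written and the caller has to discard it. A one-line comment such as `/* On failure |out| may have been extended and must be discarded by the caller. */` above the function would make that explicit. It is also worth confirming that this file includes `<openssl/bytestring.h>` for `CBB`, since the hunk does not show the include list.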
diff --git a/crypto/ecdsa_extra/ecdsa_asn1.c b/crypto/ecdsa_extra/ecdsa_asn1.c
index 6cc8a5d..5d827dc 100644
--- a/crypto/ecdsa_extra/ecdsa_asn1.c
+++ b/crypto/ecdsa_extra/ecdsa_asn1.c
@@ -164,30 +164,6 @@
   return ECDSA_SIG_max_len(group_order_size);
 }
 
-ECDSA_SIG *ECDSA_SIG_new(void) {
-  ECDSA_SIG *sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
-  if (sig == NULL) {
-    return NULL;
-  }
-  sig->r = BN_new();
-  sig->s = BN_new();
-  if (sig->r == NULL || sig->s == NULL) {
-    ECDSA_SIG_free(sig);
-    return NULL;
-  }
-  return sig;
-}
-
-void ECDSA_SIG_free(ECDSA_SIG *sig) {
-  if (sig == NULL) {
-    return;
-  }
-
-  BN_free(sig->r);
-  BN_free(sig->s);
-  OPENSSL_free(sig);
-}
-
 ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {
   ECDSA_SIG *ret = ECDSA_SIG_new();
   if (ret == NULL) {
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index 6dd5105..d75ee99 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -20,7 +20,6 @@
 #include <openssl/aes.h>
 #include <openssl/base.h>
 #include <openssl/bn.h>
-#include <openssl/bytestring.h>
 #include <openssl/crypto.h>
 #include <openssl/des.h>
 #include <openssl/ecdsa.h>
diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c
index 0fae0a1..0ba7f6e 100644
--- a/crypto/fipsmodule/ec/ec_key.c
+++ b/crypto/fipsmodule/ec/ec_key.c
@@ -358,27 +358,19 @@
     return 0;
   }
 
-  if (!key->priv_key) {
-    return 1;
+  if (key->priv_key) {
+    uint8_t data[16] = {0};
+    ECDSA_SIG *sig = ECDSA_do_sign(data, sizeof(data), key);
+    int ok = sig != NULL &&
+             ECDSA_do_verify(data, sizeof(data), sig, key);
+    ECDSA_SIG_free(sig);
+    if (!ok) {
+      OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
+      return 0;
+    }
   }
 
-  uint8_t data[16] = {0};
-  unsigned sig_len = ECDSA_size(key);
-  uint8_t *sig = OPENSSL_malloc(sig_len);
-  if (sig == NULL) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
-  int ret = 1;
-  if (!ECDSA_sign(0, data, sizeof(data), sig, &sig_len, key) ||
-      !ECDSA_verify(0, data, sizeof(data), sig, sig_len, key)) {
-    OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
-    ret = 0;
-  }
-
-  OPENSSL_free(sig);
-  return ret;
+  return 1;
 }
 
 int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
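Review bot: The added `if (key->priv_key)` block maps every failure of `ECDSA_do_sign`, including an allocation failure, to `EC_R_PUBLIC_KEY_VALIDATION_FAILED`, and has no comment saying why a fixed all-zero 16-byte input is signed and verified. The removed code reported `ERR_R_MALLOC_FAILURE` for its own buffer; the new code presumably relies on `ECDSA_do_sign` to queue the underlying error, which should be confirmed so that a resource failure is not read as a mismatched key. If the intent is a private/public consistency check, I would add above `uint8_t data[16]` the comment `/* Sign and verify a fixed input to check that the private key matches the public key. */`. The enclosing function starts outside the hunk, so its earlier checks are not visible here.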
diff --git a/crypto/fipsmodule/ec/oct.c b/crypto/fipsmodule/ec/oct.c
index 4e8272d..5071c2e 100644
--- a/crypto/fipsmodule/ec/oct.c
+++ b/crypto/fipsmodule/ec/oct.c
@@ -68,7 +68,6 @@
 #include <openssl/ec.h>
 
 #include <openssl/bn.h>
-#include <openssl/bytestring.h>
 #include <openssl/err.h>
 
 #include "internal.h"
@@ -269,17 +268,6 @@
   return ec_GFp_simple_point2oct(group, point, form, buf, len, ctx);
 }
 
-int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point,
-                       point_conversion_form_t form, BN_CTX *ctx) {
-  size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx);
-  if (len == 0) {
-    return 0;
-  }
-  uint8_t *p;
-  return CBB_add_space(out, &p, len) &&
-         EC_POINT_point2oct(group, point, form, p, len, ctx) == len;
-}
-
 int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
                                              EC_POINT *point, const BIGNUM *x,
                                              int y_bit, BN_CTX *ctx) {
diff --git a/crypto/fipsmodule/ecdsa/ecdsa.c b/crypto/fipsmodule/ecdsa/ecdsa.c
index 13b1ea9..37f8223 100644
--- a/crypto/fipsmodule/ecdsa/ecdsa.c
+++ b/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -56,7 +56,6 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
@@ -93,6 +92,30 @@
   return 1;
 }
 
+ECDSA_SIG *ECDSA_SIG_new(void) {
+  ECDSA_SIG *sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
+  if (sig == NULL) {
+    return NULL;
+  }
+  sig->r = BN_new();
+  sig->s = BN_new();
+  if (sig->r == NULL || sig->s == NULL) {
+    ECDSA_SIG_free(sig);
+    return NULL;
+  }
+  return sig;
+}
+
+void ECDSA_SIG_free(ECDSA_SIG *sig) {
+  if (sig == NULL) {
+    return;
+  }
+
+  BN_free(sig->r);
+  BN_free(sig->s);
+  OPENSSL_free(sig);
+}
+
 ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
                          const EC_KEY *key) {
   return ECDSA_do_sign_ex(digest, digest_len, NULL, NULL, key);
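Review bot: The failure path in `ECDSA_SIG_new` is only safe because both `sig->r` and `sig->s` are assigned before `ECDSA_SIG_free(sig)` can run. The struct comes from `OPENSSL_malloc`, which presumably does not zero it, so a field added later without an initialiser would reach `ECDSA_SIG_free` uninitialised. A comment such as `/* Assign every field before the NULL check so ECDSA_SIG_free never sees an uninitialized pointer. */` above `sig->r = BN_new();` would record that. The path also relies on `BN_free` accepting NULL, which is assumed here rather than shown in the hunk.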