Pairwise check for EC keys import as part of FIPS

nikolapajkovsky · nikolapajkovsky · commit 9a0993bbf0b2 · 2025-07-29T15:06:25.000+02:00
the self_test_digest_sig() test fails when EC PCT is enabled because ossl_ec_key_pairwise_check() consumes entropy when generator * priv_key = pub_key is calculated in EC_POINT_mul(). #0 RAND_priv_bytes_ex openssl#1 bnrand openssl#2 BN_priv_rand_ex openssl#3 ec_GF2m_simple_ladder_pre openssl#4 ec_point_ladder_pre openssl#5 ossl_ec_scalar_mul_ladder openssl#6 ec_GF2m_simple_points_mul openssl#7 EC_POINT_mul openssl#8 ossl_ec_key_pairwise_check which led to the different signature then expected in the ecdsa_prime_expected_sig. Moving set_kat_drbg() after the EVP_PKEY_fromdata() fixed the problem. Fixes openssl/project#1302 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c
@@ -486,6 +486,12 @@ int ossl_ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_priv
         && !EC_KEY_set_public_key(ec, pub_point))
         goto err;
 
+#ifdef FIPS_MODULE
+    if (priv_key != NULL && pub_key != NULL)
+        if (ossl_ec_key_pairwise_check(ec, ctx) == 0)
+            goto err;
+#endif
+
     ok = 1;
 
  err:
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
@@ -548,12 +548,6 @@ static int self_test_digest_sign(const ST_KAT_SIGN *t,
 
     OSSL_SELF_TEST_onbegin(st, typ, t->desc);
 
-    if (t->entropy != NULL) {
-        if (!set_kat_drbg(libctx, t->entropy, t->entropy_len,
-                          t->nonce, t->nonce_len, t->persstr, t->persstr_len))
-            goto err;
-    }
-
     paramskey = kat_params_to_ossl_params(libctx, t->key, NULL);
     paramsinit = kat_params_to_ossl_params(libctx, t->init, NULL);
     paramsverify = kat_params_to_ossl_params(libctx, t->verify, NULL);
@@ -577,6 +571,12 @@ static int self_test_digest_sign(const ST_KAT_SIGN *t,
 
     digested = ((t->mode & SIGNATURE_MODE_DIGESTED) != 0);
 
+    if (t->entropy != NULL) {
+        if (!set_kat_drbg(libctx, t->entropy, t->entropy_len,
+                          t->nonce, t->nonce_len, t->persstr, t->persstr_len))
+            goto err;
+    }
+
     if ((t->mode & SIGNATURE_MODE_VERIFY_ONLY) != 0) {
         siglen = t->sig_expected_len;
         memcpy(psig, t->sig_expected, siglen);
