Update algorithm sanity checks to support KeyPair test.

diff --git a/fips/dsa/fips_dssvs.c b/fips/dsa/fips_dssvs.c
index 6dd3332ad49072756767cbe0cfcec16c4feaa98c..5e1575794dd6aff87de8bcff0b6cf5ed9f8f7fc0 100644 (file)
--- a/fips/dsa/fips_dssvs.c
+++ b/fips/dsa/fips_dssvs.c
@@ -112,7 +112,6 @@ void pqg()
        }
     }
 
-
 void pqgver()
     {
     char buf[1024];
@@ -188,6 +187,122 @@ void pqgver()
        }
     }
 
+/* Keypair verification routine. NB: this isn't part of the stndard FIPS140-2
+ * algorithm tests. It is an additional test to perform sanity checks on the
+ * output of the KeyPair test.
+ */
+
+static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
+                                                       BN_CTX *ctx)
+    {
+    BIGNUM *rem = NULL;
+    if (BN_num_bits(p) != nmod)
+       return 0;
+    if (BN_num_bits(q) != 160)
+       return 0;
+    if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
+       return 0;
+    if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
+       return 0;
+    rem = BN_new();
+    if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
+       || (BN_cmp(g, BN_value_one()) <= 0)
+       || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
+       {
+       BN_free(rem);
+       return 0;
+       }
+    /* Todo: check g */
+    BN_free(rem);
+    return 1;
+    }
+
+void keyver()
+    {
+    char buf[1024];
+    char lbuf[1024];
+    char *keyword, *value;
+    BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
+    BIGNUM *Y2;
+    BN_CTX *ctx = NULL;
+    int nmod=0, paramcheck = 0;
+
+    ctx = BN_CTX_new();
+    Y2 = BN_new();
+
+    while(fgets(buf,sizeof buf,stdin) != NULL)
+       {
+       if (!parse_line(&keyword, &value, lbuf, buf))
+               {
+               fputs(buf,stdout);
+               continue;
+               }
+       if(!strcmp(keyword,"[mod"))
+           {
+           if (p)
+               BN_free(p);
+           p = NULL;
+           if (q)
+               BN_free(q);
+           q = NULL;
+           if (g)
+               BN_free(g);
+           g = NULL;
+           paramcheck = 0;
+           nmod=atoi(value);
+           }
+       else if(!strcmp(keyword,"P"))
+           p=hex2bn(value);
+       else if(!strcmp(keyword,"Q"))
+           q=hex2bn(value);
+       else if(!strcmp(keyword,"G"))
+           g=hex2bn(value);
+       else if(!strcmp(keyword,"X"))
+           X=hex2bn(value);
+       else if(!strcmp(keyword,"Y"))
+           {
+           Y=hex2bn(value);
+           if (!p || !q || !g || !X || !Y)
+               {
+               fprintf(stderr, "Parse Error\n");
+               exit (1);
+               }
+           pbn("P",p);
+           pbn("Q",q);
+           pbn("G",g);
+           pbn("X",X);
+           pbn("Y",Y);
+           if (!paramcheck)
+               {
+               if (dss_paramcheck(nmod, p, q, g, ctx))
+                       paramcheck = 1;
+               else
+                       paramcheck = -1;
+               }
+           if (paramcheck != 1)
+               printf("Result = F\n");
+           else
+               {
+               if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
+                       printf("Result = F\n");
+               else
+                       printf("Result = T\n");
+               }
+           BN_free(X);
+           BN_free(Y);
+           X = NULL;
+           Y = NULL;
+           }
+       }
+       if (p)
+           BN_free(p);
+       if (q)
+           BN_free(q);
+       if (g)
+           BN_free(g);
+       if (Y2)
+           BN_free(Y2);
+    }
 
 void keypair()
     {
@@ -317,9 +432,8 @@ void sigver()
     char buf[1024];
     char lbuf[1024];
     unsigned char msg[1024];
-    int n;
     char *keyword, *value;
-    int nmod=0;
+    int nmod=0, n=0;
     DSA_SIG sg, *sig = &sg;
 
     sig->r = NULL;
@@ -410,6 +524,8 @@ int main(int argc,char **argv)
        pqgver();
     else if(!strcmp(argv[1],"keypair"))
        keypair();
+    else if(!strcmp(argv[1],"keyver"))
+       keyver();
     else if(!strcmp(argv[1],"siggen"))
        siggen();
     else if(!strcmp(argv[1],"sigver"))

diff --git a/fips/fipsalgtest.pl b/fips/fipsalgtest.pl
index 982d0729ca5019aee099596e916b984f45c99a15..663782f12532ed87d628d1b24bd8919691a556cf 100644 (file)
--- a/fips/fipsalgtest.pl
+++ b/fips/fipsalgtest.pl
@@ -305,7 +305,7 @@ my %fips_tests = (
 my %verify_special = (
     "PQGGen" => "fips_dssvs pqgver",
 
-    #"KeyPair" => "fips_dssvs pgqver",
+    "KeyPair"      => "fips_dssvs keyver",
     "SigGen"        => "fips_dssvs sigver",
     "SigGen15"      => "fips_rsavtest",
     "SigGenRSA"     => "fips_rsavtest -x931",