From 87863a0cd49920015faf88d406a01395141f2585 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 23 Dec 2007 20:32:06 +0000 Subject: [PATCH] Update algorithm sanity checks to support KeyPair test. --- fips/dsa/fips_dssvs.c | 122 ++++++++++++++++++++++++++++++++++++++++-- fips/fipsalgtest.pl | 2 +- 2 files changed, 120 insertions(+), 4 deletions(-) diff --git a/fips/dsa/fips_dssvs.c b/fips/dsa/fips_dssvs.c index 6dd3332ad4..5e1575794d 100644 --- a/fips/dsa/fips_dssvs.c +++ b/fips/dsa/fips_dssvs.c @@ -112,7 +112,6 @@ void pqg() } } - void pqgver() { char buf[1024]; @@ -188,6 +187,122 @@ void pqgver() } } +/* Keypair verification routine. NB: this isn't part of the stndard FIPS140-2 + * algorithm tests. It is an additional test to perform sanity checks on the + * output of the KeyPair test. + */ + +static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g, + BN_CTX *ctx) + { + BIGNUM *rem = NULL; + if (BN_num_bits(p) != nmod) + return 0; + if (BN_num_bits(q) != 160) + return 0; + if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1) + return 0; + if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1) + return 0; + rem = BN_new(); + if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem) + || (BN_cmp(g, BN_value_one()) <= 0) + || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem)) + { + BN_free(rem); + return 0; + } + /* Todo: check g */ + BN_free(rem); + return 1; + } + +void keyver() + { + char buf[1024]; + char lbuf[1024]; + char *keyword, *value; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL; + BIGNUM *Y2; + BN_CTX *ctx = NULL; + int nmod=0, paramcheck = 0; + + ctx = BN_CTX_new(); + Y2 = BN_new(); + + while(fgets(buf,sizeof buf,stdin) != NULL) + { + if (!parse_line(&keyword, &value, lbuf, buf)) + { + fputs(buf,stdout); + continue; + } + if(!strcmp(keyword,"[mod")) + { + if (p) + BN_free(p); + p = NULL; + if (q) + BN_free(q); + q = NULL; + if (g) + BN_free(g); + g = NULL; + paramcheck = 0; + nmod=atoi(value); + } + else if(!strcmp(keyword,"P")) + p=hex2bn(value); + else if(!strcmp(keyword,"Q")) + q=hex2bn(value); + else if(!strcmp(keyword,"G")) + g=hex2bn(value); + else if(!strcmp(keyword,"X")) + X=hex2bn(value); + else if(!strcmp(keyword,"Y")) + { + Y=hex2bn(value); + if (!p || !q || !g || !X || !Y) + { + fprintf(stderr, "Parse Error\n"); + exit (1); + } + pbn("P",p); + pbn("Q",q); + pbn("G",g); + pbn("X",X); + pbn("Y",Y); + if (!paramcheck) + { + if (dss_paramcheck(nmod, p, q, g, ctx)) + paramcheck = 1; + else + paramcheck = -1; + } + if (paramcheck != 1) + printf("Result = F\n"); + else + { + if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y)) + printf("Result = F\n"); + else + printf("Result = T\n"); + } + BN_free(X); + BN_free(Y); + X = NULL; + Y = NULL; + } + } + if (p) + BN_free(p); + if (q) + BN_free(q); + if (g) + BN_free(g); + if (Y2) + BN_free(Y2); + } void keypair() { @@ -317,9 +432,8 @@ void sigver() char buf[1024]; char lbuf[1024]; unsigned char msg[1024]; - int n; char *keyword, *value; - int nmod=0; + int nmod=0, n=0; DSA_SIG sg, *sig = &sg; sig->r = NULL; @@ -410,6 +524,8 @@ int main(int argc,char **argv) pqgver(); else if(!strcmp(argv[1],"keypair")) keypair(); + else if(!strcmp(argv[1],"keyver")) + keyver(); else if(!strcmp(argv[1],"siggen")) siggen(); else if(!strcmp(argv[1],"sigver")) diff --git a/fips/fipsalgtest.pl b/fips/fipsalgtest.pl index 982d0729ca..663782f125 100644 --- a/fips/fipsalgtest.pl +++ b/fips/fipsalgtest.pl @@ -305,7 +305,7 @@ my %fips_tests = ( my %verify_special = ( "PQGGen" => "fips_dssvs pqgver", - #"KeyPair" => "fips_dssvs pgqver", + "KeyPair" => "fips_dssvs keyver", "SigGen" => "fips_dssvs sigver", "SigGen15" => "fips_rsavtest", "SigGenRSA" => "fips_rsavtest -x931", -- 2.25.1