diff -up libgcrypt-1.7.3/tests/cavs_driver.pl.cavs libgcrypt-1.7.3/tests/cavs_driver.pl --- libgcrypt-1.7.3/tests/cavs_driver.pl.cavs 2013-03-15 20:25:38.000000000 +0100 +++ libgcrypt-1.7.3/tests/cavs_driver.pl 2016-11-22 17:29:06.067553077 +0100 @@ -1,9 +1,11 @@ #!/usr/bin/env perl # -# $Id: cavs_driver.pl 1497 2009-01-22 14:01:29Z smueller $ +# $Id: cavs_driver.pl 2124 2010-12-20 07:56:30Z smueller $ # # CAVS test driver (based on the OpenSSL driver) # Written by: Stephan Müller +# Werner Koch (libgcrypt interface) +# Tomas Mraz (addition of DSA2) # Copyright (c) atsec information security corporation # # Permission is hereby granted, free of charge, to any person obtaining a copy @@ -85,13 +87,16 @@ # T[CBC|CFB??|ECB|OFB]varkey # T[CBC|CFB??|ECB|OFB]invperm # T[CBC|CFB??|ECB|OFB]vartext +# WARNING: TDES in CFB and OFB mode problems see below # # ANSI X9.31 RNG # ANSI931_AES128MCT # ANSI931_AES128VST # -# DSA +# DSA2 # PQGGen +# PQGVer +# KeyPair # SigGen # SigVer # @@ -101,6 +106,36 @@ # RC4PltBD # RC4REGT # +# +# TDES MCT for CFB and OFB: +# ------------------------- +# The inner loop cannot be handled by this script. If you want to have tests +# for these cipher types, implement your own inner loop and add it to +# crypto_mct. +# +# the value $next_source in crypto_mct is NOT set by the standard implementation +# of this script. It would need to be set as follows for these two (code take +# from fipsdrv.c from libgcrypt - the value input at the end will contain the +# the value for $next_source: +# +# ... inner loop ... +# ... +# get_current_iv (hd, last_iv, blocklen); +# ... encrypt / decrypt (input is the data to be en/decrypted and output is the +# result of operation) ... +# if (encrypt_mode && (cipher_mode == GCRY_CIPHER_MODE_CFB)) +# memcpy (input, last_iv, blocklen); +# else if (cipher_mode == GCRY_CIPHER_MODE_OFB) +# memcpy (input, last_iv, blocklen); +# else if (!encrypt_mode && cipher_mode == GCRY_CIPHER_MODE_CFB) +# { +# /* Reconstruct the output vector. */ +# int i; +# for (i=0; i < blocklen; i++) +# input[i] ^= output[i]; +# } +# ... inner loop ends ... +# ==> now, the value of input is to be put into $next_source use strict; use warnings; @@ -226,6 +261,8 @@ my $hmac; # Generate the P, Q, G, Seed, counter, h (value used to generate g) values # for DSA # $1: modulus size +# $2: q size +# $3: seed (might be empty string) # return: string with the calculated values in hex format, where each value # is separated from the previous with a \n in the following order: # P\n @@ -236,6 +273,19 @@ my $hmac; # h my $dsa_pqggen; +# Generate the G value from P and Q +# for DSA +# $1: modulus size +# $2: q size +# $3: P in hex form +# $4: Q in hex form +# return: string with the calculated values in hex format, where each value +# is separated from the previous with a \n in the following order: +# P\n +# Q\n +# G\n +my $dsa_ggen; + # # Generate an DSA public key from the provided parameters: # $1: Name of file to create @@ -255,16 +305,30 @@ my $dsa_verify; # generate a new DSA key with the following properties: # PEM format -# $1 keyfile name -# return: file created, hash with keys of P, Q, G in hex format +# $1: modulus size +# $2: q size +# $3 keyfile name +# return: file created with key, string with values of P, Q, G in hex format my $gen_dsakey; +# generate a new DSA private key XY parameters in domain: +# PEM format +# $1: P in hex form +# $2: Q in hex form +# $3: G in hex form +# return: string with values of X, Y in hex format +my $gen_dsakey_domain; + # Sign a message with DSA # $1: data to be signed in hex form # $2: Key file in PEM format with the private key # return: hash of digest information in hex format with Y, R, S as keys my $dsa_sign; +my $rsa_keygen; + +my $rsa_keygen_kat; + ################################################################ ##### OpenSSL interface functions ################################################################ @@ -404,6 +468,35 @@ sub libgcrypt_rsa_derive($$$$$$$$) { } +sub libgcrypt_rsa_keygen($) { + my $n = shift; + my $sexp; + + $n = sprintf ("%u", $n); + $sexp = "(genkey(rsa(nbits " . sprintf ("%u:%s", length($n), $n) . ")))\n"; + + return pipe_through_program($sexp, "fipsdrv rsa-keygen"); +} + + +sub libgcrypt_rsa_keygen_kat($$$$) { + my $n = shift; + my $e = shift; + my $p = shift; + my $q = shift; + my $sexp; + + $n = sprintf ("%u", $n); + $sexp = "(genkey(rsa(nbits " . sprintf ("%u:%s", length($n), $n) . ")" + . "(test-parms" + . "(e #$e#)" + . "(p #$p#)" + . "(q #$q#))))\n"; + + return pipe_through_program($sexp, "fipsdrv rsa-keygen-kat"); +} + + sub libgcrypt_rsa_sign($$$) { my $data = shift; my $hashalgo = shift; @@ -500,17 +593,32 @@ sub libgcrypt_hmac($$$$) { return pipe_through_program($msg, $program); } -sub libgcrypt_dsa_pqggen($) { +sub libgcrypt_dsa_pqggen($$$) { + my $mod = shift; + my $qsize = shift; + my $seed = shift; + + my $program = "fipsdrv --keysize $mod --qsize $qsize dsa-pqg-gen"; + return pipe_through_program($seed, $program); +} + +sub libgcrypt_dsa_ggen($$$$) { my $mod = shift; + my $qsize = shift; + my $p = shift; + my $q = shift; + my $domain = "(domain (p #$p#)(q #$q#))"; - my $program = "fipsdrv --keysize $mod dsa-pqg-gen"; + my $program = "fipsdrv --keysize $mod --qsize $qsize --key \'$domain\' dsa-g-gen"; return pipe_through_program("", $program); } -sub libgcrypt_gen_dsakey($) { +sub libgcrypt_gen_dsakey($$$) { + my $mod = shift; + my $qsize = shift; my $file = shift; - my $program = "fipsdrv --keysize 1024 --key $file dsa-gen"; + my $program = "fipsdrv --keysize $mod --qsize $qsize --key $file dsa-gen"; my $tmp; my %ret; @@ -519,10 +627,21 @@ sub libgcrypt_gen_dsakey($) { $tmp = pipe_through_program("", $program); die "dsa key gen failed: file $file not created" if (! -f $file); - @ret{'P', 'Q', 'G', 'Seed', 'c', 'H'} = split(/\n/, $tmp); + @ret{'P', 'Q', 'G'} = split(/\n/, $tmp); return %ret; } +sub libgcrypt_gen_dsakey_domain($$$) { + my $p = shift; + my $q = shift; + my $g = shift; + my $domain = "(domain (p #$p#)(q #$q#)(g #$g#))"; + + my $program = "fipsdrv --key '$domain' dsa-gen-key"; + + return pipe_through_program("", $program); +} + sub libgcrypt_dsa_genpubkey($$$$$) { my $filename = shift; my $p = shift; @@ -1139,7 +1258,7 @@ sub hmac_kat($$$$) { $out .= "Tlen = $tlen\n"; $out .= "Key = $key\n"; $out .= "Msg = $msg\n"; - $out .= "Mac = " . &$hmac($key, $tlen, $msg, $hashtype{$tlen}) . "\n"; + $out .= "Mac = " . lc(&$hmac($key, $tlen, $msg, $hashtype{$tlen})) . "\n"; return $out; } @@ -1205,7 +1324,7 @@ sub crypto_mct($$$$$$$$) { } my ($CO, $CI); my $cipher_imp = &$state_cipher($cipher, $enc, $bufsize, $key1, $iv); - $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/); + $cipher_imp = &$state_cipher_des($cipher, $enc, $bufsize, $key1, $iv) if($cipher =~ /des/ && defined($state_cipher_des)); my $pid = open2($CO, $CI, $cipher_imp); my $calc_data = $iv; # CT[j] @@ -1213,8 +1332,8 @@ sub crypto_mct($$$$$$$$) { my $old_old_calc_data; # CT[j-2] my $next_source; - # TDES inner loop implements logic within driver - if ($cipher =~ /des/) { + # TDES inner loop implements logic within driver of libgcrypt + if ($cipher =~ /des/ && $opt{'I'} && $opt{'I'} eq 'libgcrypt' ) { # Need to provide a dummy IV in case of ECB mode. my $iv_arg = (defined($iv) && $iv ne "") ? bin2hex($iv) @@ -1238,6 +1357,10 @@ sub crypto_mct($$$$$$$$) { $line = <$CO>; } else { for (my $j = 0; $j < $iloop; ++$j) { + if ($cipher =~ /des-ede3-ofb/ || + (!$enc && $cipher =~ /des-ede3-cfb/)) { + die "Implementation lacks support for TDES OFB and TDES CFB in encryption mode - the problem is that we would need to extract the IV of the last round of encryption which would be the input for the next round - see comments in this script for implementation requirements"; + } $old_old_calc_data = $old_calc_data; $old_calc_data = $calc_data; @@ -1429,7 +1552,7 @@ sub rsa_sigver($$$$$) { # $7 xq2 # $8 Xq # return: string formatted as expected by CAVS -sub rsa_keygen($$$$$$$$) { +sub rsa_keygen_x931($$$$$$$$) { my $modulus = shift; my $e = shift; my $xp1 = shift; @@ -1503,21 +1626,23 @@ sub rngx931($$$$) { return $out; } -# DSA PQGGen test +# DSA PQGen test # $1 modulus size -# $2 number of rounds to perform the test +# $2 q size +# $3 number of rounds to perform the test # return: string formatted as expected by CAVS -sub dsa_pqggen_driver($$) { +sub dsa_pqgen_driver($$$) { my $mod = shift; + my $qsize = shift; my $rounds = shift; my $out = ""; for(my $i=0; $i<$rounds; $i++) { - my $ret = &$dsa_pqggen($mod); + my $ret = &$dsa_pqggen($mod, $qsize, ""); my ($P, $Q, $G, $Seed, $c, $H) = split(/\n/, $ret); - die "Return value does not contain all expected values of P, Q, G, Seed, c, H for dsa_pqggen" - if (!defined($P) || !defined($Q) || !defined($G) || - !defined($Seed) || !defined($c) || !defined($H)); + die "Return value does not contain all expected values of P, Q, Seed, c for dsa_pqggen" + if (!defined($P) || !defined($Q) || + !defined($Seed) || !defined($c)); # now change the counter to decimal as CAVS wants decimal # counter value although all other is HEX @@ -1525,15 +1650,166 @@ sub dsa_pqggen_driver($$) { $out .= "P = $P\n"; $out .= "Q = $Q\n"; - $out .= "G = $G\n"; - $out .= "Seed = $Seed\n"; - $out .= "c = $c\n"; - $out .= "H = $H\n\n"; + $out .= "domain_parameter_seed = $Seed\n"; + $out .= "counter = $c\n\n"; } return $out; } +# DSA GGen test +# $1 modulus size +# $2 q size +# $3 p in hex form +# $4 q in hex form +# return: string formatted as expected by CAVS +sub dsa_ggen_driver($$$$) { + my $mod = shift; + my $qsize = shift; + my $p = shift; + my $q = shift; + + my $out = ""; + my $ret = &$dsa_ggen($mod, $qsize, $p, $q); + my ($P, $Q, $G) = split(/\n/, $ret); + die "Return value does not contain all expected values of P, Q, G for dsa_ggen" + if (!defined($P) || !defined($Q) || !defined($G)); + + $out .= "G = $G\n\n"; + + return $out; +} + +sub hexcomp($$) { + my $a = lc shift; + my $b = lc shift; + + if (length $a < length $b) { + my $c = $a; + $a = $b; + $b = $a; + } + + while (length $b < length $a) { + $b = "00$b"; + } + + return $a eq $b; +} + +# DSA PQVer test +# $1 modulus size +# $2 q size +# $3 p in hex form +# $4 q in hex form +# $5 seed in hex form +# $6 c decimal counter +# return: string formatted as expected by CAVS +sub dsa_pqver_driver($$$$$$) { + my $mod = shift; + my $qsize = shift; + my $p = shift; + my $q = shift; + my $seed = shift; + my $c = shift; + + my $out = ""; + my $ret = &$dsa_pqggen($mod, $qsize, $seed); + my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); + die "Return value does not contain all expected values of P, Q, G, seed, c for dsa_pqggen" + if (!defined($P) || !defined($Q) || !defined($G) || + !defined($seed2) || !defined($c2)); + + $c2 = hex($c2); + + $out .= "Seed = $seed\n"; + $out .= "c = $c\n"; + + if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($seed, $seed2) && $c == $c2) { + $out .= "Result = P\n\n"; + } + else { + $out .= "Result = F\n\n"; + } + return $out; +} + +# DSA PQGVer test +# $1 modulus size +# $2 q size +# $3 p in hex form +# $4 q in hex form +# $5 g in hex form +# $6 seed in hex form +# $7 c decimal counter +# $8 h in hex form +# return: string formatted as expected by CAVS +sub dsa_pqgver_driver($$$$$$$$) { + my $mod = shift; + my $qsize = shift; + my $p = shift; + my $q = shift; + my $g = shift; + my $seed = shift; + my $c = shift; + my $h = shift; + + my $out = ""; + my $ret = &$dsa_pqggen($mod, $qsize, $seed); + my ($P, $Q, $G, $seed2, $c2, $h2) = split(/\n/, $ret); + die "Return value does not contain all expected values of P, Q, G, seed, c, H for dsa_pqggen" + if (!defined($P) || !defined($Q) || !defined($G) || + !defined($seed2) || !defined($c2) || !defined($h2)); + + + + $out .= "Seed = $seed\n"; + $out .= "c = $c\n"; + $out .= "H = $h\n"; + + $c2 = hex($c2); + + if (hexcomp($P, $p) && hexcomp($Q, $q) && hexcomp($G, $g) && hexcomp($seed, $seed2) && + $c == $c2 && hex($h) == hex($h2)) { + $out .= "Result = P\n\n"; + } + else { + $out .= "Result = F\n\n"; + } + + return $out; +} + +# DSA Keypair test +# $1 modulus size +# $2 q size +# $3 number of rounds to perform the test +# return: string formatted as expected by CAVS +sub dsa_keypair_driver($$$) { + my $mod = shift; + my $qsize = shift; + my $rounds = shift; + + my $out = ""; + my $tmpkeyfile = "dsa_siggen.tmp.$$"; + my %pqg = &$gen_dsakey($mod, $qsize, $tmpkeyfile); + $out .= "P = " . $pqg{'P'} . "\n"; + $out .= "Q = " . $pqg{'Q'} . "\n"; + $out .= "G = " . $pqg{'G'} . "\n\n"; + unlink($tmpkeyfile); + + for(my $i=0; $i<$rounds; $i++) { + my $ret = &$gen_dsakey_domain($pqg{'P'}, $pqg{'Q'}, $pqg{'G'}); + my ($X, $Y) = split(/\n/, $ret); + die "Return value does not contain all expected values of X, Y for gen_dsakey_domain" + if (!defined($X) || !defined($Y)); + + $out .= "X = $X\n"; + $out .= "Y = $Y\n\n"; + } + + return $out; +} # DSA SigGen test # $1: Message to be signed in hex form @@ -1598,6 +1874,53 @@ sub dsa_sigver($$$$$$$$) { return $out; } +# RSA Keygen RPP test +# $1 modulus size +# $2 number of rounds to perform the test +# return: string formatted as expected by CAVS +sub rsa_keygen_driver($$) { + my $mod = shift; + my $rounds = shift; + + my $out = ""; + + for(my $i=0; $i<$rounds; $i++) { + my $ret = &$rsa_keygen($mod); + my ($e, $p, $q, $n, $d) = split(/\n/, $ret); + die "Return value does not contain all expected values of e, p, q, n, d for rsa_keygen" + if (!defined($e) || !defined($p) || !defined($q) || !defined($n) || !defined($d)); + + $out .= "e = $e\n"; + $out .= "p = $p\n"; + $out .= "q = $q\n"; + $out .= "n = $n\n"; + $out .= "d = $d\n\n"; + } + + return $out; +} + +# RSA RPP Keygen KAT test +# $1 modulus size +# $2 p in hex form +# $3 q in hex form +# return: string formatted as expected by CAVS +sub rsa_keygen_kat_driver($$$) { + my $mod = shift; + my $p = shift; + my $q = shift; + + my $out = ""; + my $ret = &$rsa_keygen_kat($mod, $p, $q); + my ($Result) = split(/\n/, $ret); + die "Return value does not contain all expected values of Result for rsa_keygen_kat" + if (!defined($Result)); + + $out .= "Result = $Result\n\n"; + return $out; +} + + ############################################################## # Parser of input file and generator of result file # @@ -1658,12 +1981,18 @@ sub parse($$) { my $klen = ""; my $tlen = ""; my $modulus = ""; + my $qsize = ""; my $capital_n = 0; + my $num = 0; my $capital_p = ""; my $capital_q = ""; my $capital_g = ""; my $capital_y = ""; my $capital_r = ""; + my $capital_h = ""; + my $c = ""; + my $prandom = ""; + my $qrandom = ""; my $xp1 = ""; my $xp2 = ""; my $Xp = ""; @@ -1700,7 +2029,7 @@ sub parse($$) { ##### Extract cipher # XXX there may be more - to be added - if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA)/) { + if ($tmpline =~ /^#.*(CBC|ECB|OFB|CFB|SHA-|SigGen|SigVer|RC4VS|ANSI X9\.31|Hash sizes tested|PQGGen|KeyGen RSA|KeyGen - Random Probably Prime|KeyPair|PQGVer)/) { if ($tmpline =~ /CBC/) { $mode="cbc"; } elsif ($tmpline =~ /ECB/) { $mode="ecb"; } elsif ($tmpline =~ /OFB/) { $mode="ofb"; } @@ -1749,7 +2078,23 @@ sub parse($$) { if ($tt == 0) { ##### Identify the test type - if ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { + if ($tmpline =~ /KeyGen - Random Probably Prime Known Answer Test/) { + $tt = 19; + die "Interface function rsa_keygen_kat for RSA key generation KAT not defined for tested library" + if (!defined($rsa_keygen_kat)); + } elsif ($tmpline =~ /KeyGen - Random Probably Prime Test/) { + $tt = 18; + die "Interface function rsa_keygen for RSA key generation not defined for tested library" + if (!defined($rsa_keygen)); + } elsif ($tmpline =~ /PQGVer/) { + $tt = 16; + die "Interface function for DSA PQGVer testing not defined for tested library" + if (!defined($dsa_pqggen)); + } elsif ($tmpline =~ /KeyPair/) { + $tt = 14; + die "Interface function dsa_keygen for DSA key generation not defined for tested library" + if (!defined($gen_dsakey_domain)); + } elsif ($tmpline =~ /KeyGen RSA \(X9\.31\)/) { $tt = 13; die "Interface function rsa_derive for RSA key generation not defined for tested library" if (!defined($rsa_derive)); @@ -1760,11 +2105,11 @@ sub parse($$) { } elsif ($tmpline =~ /SigGen/ && $opt{'D'}) { $tt = 11; die "Interface function dsa_sign or gen_dsakey for DSA sign not defined for tested library" - if (!defined($dsa_sign) || !defined($gen_rsakey)); + if (!defined($dsa_sign) || !defined($gen_dsakey)); } elsif ($tmpline =~ /PQGGen/) { $tt = 10; die "Interface function for DSA PQGGen testing not defined for tested library" - if (!defined($dsa_pqggen)); + if (!defined($dsa_pqggen) || !defined($dsa_ggen)); } elsif ($tmpline =~ /Hash sizes tested/) { $tt = 9; die "Interface function hmac for HMAC testing not defined for tested library" @@ -1792,7 +2137,7 @@ sub parse($$) { } elsif ($tmpline =~ /Monte|MCT|Carlo/) { $tt = 2; die "Interface function state_cipher for Stateful Cipher operation defined for tested library" - if (!defined($state_cipher) || !defined($state_cipher_des)); + if (!defined($state_cipher) && !defined($state_cipher_des)); } elsif ($cipher =~ /^sha/) { $tt = 3; die "Interface function hash for Hashing not defined for tested library" @@ -1875,18 +2220,44 @@ sub parse($$) { die "Msg/Seed seen twice - input file crap" if ($pt ne ""); $pt=$2; } - elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests + elsif ($line =~ /^\[A.2.1\s.*\]$/) { # found in DSA2 PQGGen request + $out .= $line . "\n"; # print it + if ($tt == 10) { + # now generate G from PQ + $tt = 15; + } + } + elsif ($line =~ /^\[A.2.2\s.*\]$/) { # found in DSA2 PQGVer request + $out .= $line . "\n"; # print it + if ($tt == 16) { + # now verify PQG + $tt = 17; + } + } + elsif ($line =~ /^\[mod\s*=\s*L=([0-9]*),\s*N=([0-9]*).*\]$/) { # found in DSA2 requests $modulus = $1; + $qsize = $2; $out .= $line . "\n\n"; # print it + # clear eventual PQG + $capital_p = ""; + $capital_q = ""; + $capital_g = ""; # generate the private key with given bit length now # as we have the required key length in bit if ($tt == 11) { $dsa_keyfile = "dsa_siggen.tmp.$$"; - my %pqg = &$gen_dsakey($dsa_keyfile); + my %pqg = &$gen_dsakey($modulus, $qsize, $dsa_keyfile); $out .= "P = " . $pqg{'P'} . "\n"; $out .= "Q = " . $pqg{'Q'} . "\n"; - $out .= "G = " . $pqg{'G'} . "\n"; - } elsif ( $tt == 5 ) { + $out .= "G = " . $pqg{'G'} . "\n\n"; + } + } + elsif ($line =~ /^\[mod\s*=\s*(.*)\]$/) { # found in RSA requests + $modulus = $1; + $out .= $line . "\n\n"; # print it + # generate the private key with given bit length now + # as we have the required key length in bit + if ( $tt == 5 ) { # XXX maybe a secure temp file name is better here # but since it is not run on a security sensitive # system, I hope that this is fine @@ -1907,6 +2278,9 @@ sub parse($$) { } elsif ($line =~ /^e\s*=\s*(.*)/) { # found in RSA requests $e=$1; + if ($tt == 19) { + $out .= $line . "\n"; # print it + } } elsif ($line =~ /^S\s*=\s*(.*)/) { # found in RSA requests die "S seen twice - input file crap" if ($signature ne ""); @@ -1932,11 +2306,16 @@ sub parse($$) { if ($tlen ne ""); $tlen=$1; } - elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA PQGGen + elsif ($line =~ /^N\s*=\s*(.*)/) { #DSA KeyPair die "N seen twice - check input file" if ($capital_n); $capital_n = $1; } + elsif ($line =~ /^Num\s*=\s*(.*)/) { #DSA PQGGen + die "Num seen twice - check input file" + if ($num); + $num = $1; + } elsif ($line =~ /^P\s*=\s*(.*)/) { #DSA SigVer die "P seen twice - check input file" if ($capital_p); @@ -1965,6 +2344,16 @@ sub parse($$) { if ($capital_r); $capital_r = $1; } + elsif ($line =~ /^H\s*=\s*(.*)/) { #DSA PQGVer + die "H seen twice - check input file" + if ($capital_h); + $capital_h = $1; + } + elsif ($line =~ /^c\s*=\s*(.*)/) { #DSA PQGVer + die "c seen twice - check input file" + if ($c); + $c = $1; + } elsif ($line =~ /^xp1\s*=\s*(.*)/) { #RSA key gen die "xp1 seen twice - check input file" if ($xp1); @@ -1995,6 +2384,22 @@ sub parse($$) { if ($Xq); $Xq = $1; } + elsif ($line =~ /^prandom\s*=\s*(.*)/) { #RSA key gen KAT + die "prandom seen twice - check input file" + if ($prandom); + $prandom = $1; + $out .= $line . "\n"; # print it + } + elsif ($line =~ /^qrandom\s*=\s*(.*)/) { #RSA key gen KAT + die "qrandom seen twice - check input file" + if ($qrandom); + $qrandom = $1; + $out .= $line . "\n"; # print it + } + elsif ($tt == 19 && $line =~ /^ / && $qrandom eq "") { #RSA key gen KAT + $qrandom = "00"; + $out .= $line . "\n"; # print it + } else { $out .= $line . "\n"; } @@ -2074,11 +2479,10 @@ sub parse($$) { } } elsif ($tt == 10) { - if ($modulus ne "" && $capital_n > 0) { - $out .= dsa_pqggen_driver($modulus, $capital_n); - #$mod is not resetted - $capital_n = 0; - } + if ($modulus ne "" && $qsize ne "" && $num > 0) { + $out .= dsa_pqgen_driver($modulus, $qsize, $num); + $num = 0; + } } elsif ($tt == 11) { if ($pt ne "" && $dsa_keyfile ne "") { @@ -2124,7 +2528,7 @@ sub parse($$) { $xq1 ne "" && $xq2 ne "" && $Xq ne "") { - $out .= rsa_keygen($modulus, + $out .= rsa_keygen_x931($modulus, $e, $xp1, $xp2, @@ -2141,6 +2545,96 @@ sub parse($$) { $Xq = ""; } } + elsif ($tt == 14) { + if ($modulus ne "" && + $qsize ne "" && + $capital_n > 0) { + $out .= dsa_keypair_driver($modulus, + $qsize, + $capital_n); + $capital_n = 0; + } + } + elsif ($tt == 15) { + if ($modulus ne "" && + $qsize ne "" && + $capital_p ne "" && + $capital_q ne "") { + $out .= dsa_ggen_driver($modulus, + $qsize, + $capital_p, + $capital_q); + $capital_p = ""; + $capital_q = ""; + $num--; + } + } + elsif ($tt == 16) { + if ($modulus ne "" && + $qsize ne "" && + $capital_p ne "" && + $capital_q ne "" && + $pt ne "" && + $c ne "") { + $out .= dsa_pqver_driver($modulus, + $qsize, + $capital_p, + $capital_q, + $pt, + $c); + $capital_p = ""; + $capital_q = ""; + $pt = ""; + $c = ""; + } + } + elsif ($tt == 17) { + if ($modulus ne "" && + $qsize ne "" && + $capital_p ne "" && + $capital_q ne "" && + $capital_g ne "" && + $pt ne "" && + $c ne "" && + $capital_h ne "") { + $out .= dsa_pqgver_driver($modulus, + $qsize, + $capital_p, + $capital_q, + $capital_g, + $pt, + $c, + $capital_h); + $capital_p = ""; + $capital_q = ""; + $capital_g = ""; + $pt = ""; + $c = ""; + $capital_h = ""; + } + } + elsif ($tt == 18) { + if ($modulus ne "" && + $capital_n > 0) { + $out .= rsa_keygen_driver($modulus, + $capital_n); + $capital_n = 0; + } + } + elsif ($tt == 19) { + if ($modulus ne "" && + $e ne "" && + $prandom ne "" && + $qrandom ne "") { + $out .= rsa_keygen_kat_driver($modulus, + $e, + $prandom, + $qrandom); + $prandom = ""; + $qrandom = ""; + $e = ""; + } + } elsif ($tt > 0) { die "Test case $tt not defined"; } @@ -2199,10 +2693,14 @@ sub main() { $state_rng = \&libgcrypt_state_rng; $hmac = \&libgcrypt_hmac; $dsa_pqggen = \&libgcrypt_dsa_pqggen; + $dsa_ggen = \&libgcrypt_dsa_ggen; $gen_dsakey = \&libgcrypt_gen_dsakey; + $gen_dsakey_domain = \&libgcrypt_gen_dsakey_domain; $dsa_sign = \&libgcrypt_dsa_sign; $dsa_verify = \&libgcrypt_dsa_verify; $dsa_genpubkey = \&libgcrypt_dsa_genpubkey; + $rsa_keygen = \&libgcrypt_rsa_keygen; + $rsa_keygen_kat = \&libgcrypt_rsa_keygen_kat; } else { die "Invalid interface option given"; } diff -up libgcrypt-1.7.3/tests/cavs_tests.sh.cavs libgcrypt-1.7.3/tests/cavs_tests.sh --- libgcrypt-1.7.3/tests/cavs_tests.sh.cavs 2013-03-15 20:25:38.000000000 +0100 +++ libgcrypt-1.7.3/tests/cavs_tests.sh 2016-11-22 17:29:06.067553077 +0100 @@ -55,7 +55,7 @@ function run_one_test () { [ -d "$respdir" ] || mkdir "$respdir" [ -f "$rspfile" ] && rm "$rspfile" - if echo "$reqfile" | grep '/DSA/req/' >/dev/null 2>/dev/null; then + if echo "$reqfile" | grep '/DSA.\?/req/' >/dev/null 2>/dev/null; then dflag="-D" fi diff -up libgcrypt-1.7.3/tests/fipsdrv.c.cavs libgcrypt-1.7.3/tests/fipsdrv.c --- libgcrypt-1.7.3/tests/fipsdrv.c.cavs 2016-07-14 11:19:17.000000000 +0200 +++ libgcrypt-1.7.3/tests/fipsdrv.c 2016-11-22 17:33:15.468330859 +0100 @@ -892,6 +892,9 @@ print_mpi_line (gcry_mpi_t a, int no_lz) die ("gcry_mpi_aprint failed: %s\n", gpg_strerror (err)); p = buf; + while (*p) + *p++ = tolower(*p); + p = buf; if (no_lz && p[0] == '0' && p[1] == '0' && p[2]) p += 2; @@ -1765,14 +1768,14 @@ run_rsa_verify (const void *data, size_t /* Generate a DSA key of size KEYSIZE and return the complete S-expression. */ static gcry_sexp_t -dsa_gen (int keysize) +dsa_gen (int keysize, int qsize) { gpg_error_t err; gcry_sexp_t keyspec, key; err = gcry_sexp_build (&keyspec, NULL, - "(genkey (dsa (nbits %d)(use-fips186-2)))", - keysize); + "(genkey (dsa (nbits %d)(qbits %d)(use-fips186)))", + keysize, qsize); if (err) die ("gcry_sexp_build failed for DSA key generation: %s\n", gpg_strerror (err)); @@ -1790,7 +1793,7 @@ dsa_gen (int keysize) /* Generate a DSA key of size KEYSIZE and return the complete S-expression. */ static gcry_sexp_t -dsa_gen_with_seed (int keysize, const void *seed, size_t seedlen) +dsa_gen_with_seed (int keysize, int qsize, const void *seed, size_t seedlen) { gpg_error_t err; gcry_sexp_t keyspec, key; @@ -1799,10 +1802,11 @@ dsa_gen_with_seed (int keysize, const vo "(genkey" " (dsa" " (nbits %d)" - " (use-fips186-2)" + " (qbits %d)" + " (use-fips186)" " (derive-parms" " (seed %b))))", - keysize, (int)seedlen, seed); + keysize, qsize, (int)seedlen, seed); if (err) die ("gcry_sexp_build failed for DSA key generation: %s\n", gpg_strerror (err)); @@ -1810,6 +1814,37 @@ dsa_gen_with_seed (int keysize, const vo err = gcry_pk_genkey (&key, keyspec); if (err) die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); + + gcry_sexp_release (keyspec); + + return key; +} + +/* Generate a DSA key with specified domain parameters and return the complete + S-expression. */ +static gcry_sexp_t +dsa_gen_key (const char *domain) +{ + gpg_error_t err; + gcry_sexp_t keyspec, key, domspec; + + err = gcry_sexp_new (&domspec, domain, strlen(domain), 0); + if (err) + die ("gcry_sexp_build failed for domain spec: %s\n", + gpg_strerror (err)); + + err = gcry_sexp_build (&keyspec, NULL, + "(genkey" + " (dsa" + " (use-fips186)" + " %S))", + domspec); + if (err) + die ("gcry_sexp_build failed for DSA key generation: %s\n", + gpg_strerror (err)); + err = gcry_pk_genkey (&key, keyspec); + if (err) + die ("gcry_pk_genkey failed for DSA: %s\n", gpg_strerror (err)); gcry_sexp_release (keyspec); @@ -1849,7 +1884,7 @@ ecdsa_gen_key (const char *curve) with one parameter per line in hex format using this order: p, q, g, seed, counter, h. */ static void -print_dsa_domain_parameters (gcry_sexp_t key) +print_dsa_domain_parameters (gcry_sexp_t key, int print_misc) { gcry_sexp_t l1, l2; gcry_mpi_t mpi; @@ -1885,6 +1920,9 @@ print_dsa_domain_parameters (gcry_sexp_t } gcry_sexp_release (l1); + if (!print_misc) + return; + /* Extract the seed values. */ l1 = gcry_sexp_find_token (key, "misc-key-info", 0); if (!l1) @@ -1976,38 +2014,106 @@ print_ecdsa_dq (gcry_sexp_t key) } -/* Generate DSA domain parameters for a modulus size of KEYSIZE. The +/* Print just the XY private key parameters. KEY + is the complete key as returned by dsa_gen. We print to stdout + with one parameter per line in hex format using this order: x, y. */ +static void +print_dsa_xy (gcry_sexp_t key) +{ + gcry_sexp_t l1, l2; + gcry_mpi_t mpi; + int idx; + + l1 = gcry_sexp_find_token (key, "private-key", 0); + if (!l1) + die ("private key not found in genkey result\n"); + + l2 = gcry_sexp_find_token (l1, "dsa", 0); + if (!l2) + die ("returned private key not formed as expected\n"); + gcry_sexp_release (l1); + l1 = l2; + + /* Extract the parameters from the S-expression and print them to stdout. */ + for (idx=0; "xy"[idx]; idx++) + { + l2 = gcry_sexp_find_token (l1, "xy"+idx, 1); + if (!l2) + die ("no %c parameter in returned public key\n", "xy"[idx]); + mpi = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG); + if (!mpi) + die ("no value for %c parameter in returned private key\n","xy"[idx]); + gcry_sexp_release (l2); + if (standalone_mode) + printf ("%c = ", "XY"[idx]); + print_mpi_line (mpi, 1); + gcry_mpi_release (mpi); + } + + gcry_sexp_release (l1); +} + + +/* Generate DSA pq domain parameters for a modulus size of KEYSIZE. The result is printed to stdout with one parameter per line in hex - format and in this order: p, q, g, seed, counter, h. If SEED is + format and in this order: p, q, seed, counter. If SEED is not NULL this seed value will be used for the generation. */ static void -run_dsa_pqg_gen (int keysize, const void *seed, size_t seedlen) +run_dsa_pqg_gen (int keysize, int qsize, const void *seed, size_t seedlen) { gcry_sexp_t key; if (seed) - key = dsa_gen_with_seed (keysize, seed, seedlen); + key = dsa_gen_with_seed (keysize, qsize, seed, seedlen); else - key = dsa_gen (keysize); - print_dsa_domain_parameters (key); + key = dsa_gen (keysize, qsize); + print_dsa_domain_parameters (key, 1); + gcry_sexp_release (key); +} + + +/* Generate DSA domain parameters for a modulus size of KEYSIZE. The + result is printed to stdout with one parameter per line in hex + format and in this order: p, q, g, seed, counter, h. If SEED is + not NULL this seed value will be used for the generation. */ +static void +run_dsa_g_gen (int keysize, int qsize, const char *domain) +{ + gcry_sexp_t key; + + key = dsa_gen_key (domain); + print_dsa_domain_parameters (key, 0); + gcry_sexp_release (key); +} + +/* Generate a DSA key with specified domain parameters + and print the XY values. */ +static void +run_dsa_gen_key (const char *domain) +{ + gcry_sexp_t key; + + key = dsa_gen_key (domain); + print_dsa_xy (key); + gcry_sexp_release (key); } /* Generate a DSA key of size of KEYSIZE and write the private key to FILENAME. Also write the parameters to stdout in the same way as - run_dsa_pqg_gen. */ + run_dsa_g_gen. */ static void -run_dsa_gen (int keysize, const char *filename) +run_dsa_gen (int keysize, int qsize, const char *filename) { gcry_sexp_t key, private_key; FILE *fp; - key = dsa_gen (keysize); + key = dsa_gen (keysize, qsize); private_key = gcry_sexp_find_token (key, "private-key", 0); if (!private_key) die ("private key not found in genkey result\n"); - print_dsa_domain_parameters (key); + print_dsa_domain_parameters (key, 1); fp = fopen (filename, "wb"); if (!fp) @@ -2020,6 +2126,53 @@ run_dsa_gen (int keysize, const char *fi } +static int +dsa_hash_from_key(gcry_sexp_t s_key) +{ + gcry_sexp_t l1, l2; + gcry_mpi_t q; + unsigned int qbits; + + l1 = gcry_sexp_find_token (s_key, "public-key", 0); + if (!l1) + { + l1 = gcry_sexp_find_token (s_key, "private-key", 0); + if (!l1) + die ("neither private nor public key found in the loaded key\n"); + } + + l2 = gcry_sexp_find_token (l1, "dsa", 0); + if (!l2) + die ("public key not formed as expected - no dsa\n"); + gcry_sexp_release (l1); + l1 = l2; + + l2 = gcry_sexp_find_token (l1, "q", 0); + if (!l2) + die ("public key not formed as expected - no q\n"); + gcry_sexp_release (l1); + l1 = l2; + + q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG); + if (!q) + die ("public key not formed as expected - no mpi in q\n"); + qbits = gcry_mpi_get_nbits(q); + gcry_sexp_release(l1); + gcry_mpi_release(q); + switch(qbits) + { + case 160: + return GCRY_MD_SHA1; + case 224: + return GCRY_MD_SHA224; + case 256: + return GCRY_MD_SHA256; + default: + die("bad number bits (%d) of q in key\n", qbits); + } + return GCRY_MD_NONE; +} + /* Sign DATA of length DATALEN using the key taken from the S-expression encoded KEYFILE. */ @@ -2029,11 +2182,16 @@ run_dsa_sign (const void *data, size_t d { gpg_error_t err; gcry_sexp_t s_data, s_key, s_sig, s_tmp, s_tmp2; - char hash[20]; + char hash[128]; gcry_mpi_t tmpmpi; + int algo; + + s_key = read_sexp_from_file (keyfile); + algo = dsa_hash_from_key(s_key); - gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); - err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); + gcry_md_hash_buffer (algo, hash, data, datalen); + err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, + gcry_md_get_algo_dlen(algo), NULL); if (!err) { err = gcry_sexp_build (&s_data, NULL, @@ -2044,8 +2202,6 @@ run_dsa_sign (const void *data, size_t d die ("gcry_sexp_build failed for DSA data input: %s\n", gpg_strerror (err)); - s_key = read_sexp_from_file (keyfile); - err = gcry_pk_sign (&s_sig, s_data, s_key); if (err) { @@ -2121,13 +2277,18 @@ run_dsa_verify (const void *data, size_t { gpg_error_t err; gcry_sexp_t s_data, s_key, s_sig; - char hash[20]; + char hash[128]; gcry_mpi_t tmpmpi; + int algo; - gcry_md_hash_buffer (GCRY_MD_SHA1, hash, data, datalen); + s_key = read_sexp_from_file (keyfile); + algo = dsa_hash_from_key(s_key); + + gcry_md_hash_buffer (algo, hash, data, datalen); /* Note that we can't simply use %b with HASH to build the S-expression, because that might yield a negative value. */ - err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, 20, NULL); + err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash, + gcry_md_get_algo_dlen(algo), NULL); if (!err) { err = gcry_sexp_build (&s_data, NULL, @@ -2138,7 +2299,6 @@ run_dsa_verify (const void *data, size_t die ("gcry_sexp_build failed for DSA data input: %s\n", gpg_strerror (err)); - s_key = read_sexp_from_file (keyfile); s_sig = read_sexp_from_file (sigfile); err = gcry_pk_verify (s_sig, s_data, s_key); @@ -2304,7 +2464,7 @@ usage (int show_help) "MODE:\n" " encrypt, decrypt, digest, random, hmac-sha,\n" " rsa-{derive,gen,sign,verify},\n" - " dsa-{pqg-gen,gen,sign,verify}, ecdsa-{gen-key,sign,verify}\n" + " dsa-{pq-gen,g-gen,gen,sign,verify}, ecdsa-{gen-key,sign,verify}\n" "OPTIONS:\n" " --verbose Print additional information\n" " --binary Input and output is in binary form\n" @@ -2315,6 +2475,7 @@ usage (int show_help) " --algo NAME Use algorithm NAME\n" " --curve NAME Select ECC curve spec NAME\n" " --keysize N Use a keysize of N bits\n" + " --qize N Use a DSA q parameter size of N bits\n" " --signature NAME Take signature from file NAME\n" " --chunk N Read in chunks of N bytes (implies --binary)\n" " --pkcs1 Use PKCS#1 encoding\n" @@ -2344,6 +2505,7 @@ main (int argc, char **argv) const char *dt_string = NULL; const char *algo_string = NULL; const char *keysize_string = NULL; + const char *qsize_string = NULL; const char *signature_string = NULL; FILE *input; void *data; @@ -2437,6 +2599,14 @@ main (int argc, char **argv) keysize_string = *argv; argc--; argv++; } + else if (!strcmp (*argv, "--qsize")) + { + argc--; argv++; + if (!argc) + usage (0); + qsize_string = *argv; + argc--; argv++; + } else if (!strcmp (*argv, "--signature")) { argc--; argv++; @@ -2792,23 +2962,49 @@ main (int argc, char **argv) } else if (!strcmp (mode_string, "dsa-pqg-gen")) { - int keysize; + int keysize, qsize; + + keysize = keysize_string? atoi (keysize_string) : 0; + if (keysize < 1024 || keysize > 3072) + die ("invalid keysize specified; needs to be 1024 .. 3072\n"); + qsize = qsize_string? atoi (qsize_string) : 0; + if (qsize < 160 || qsize > 256) + die ("invalid qsize specified; needs to be 160 .. 256\n"); + run_dsa_pqg_gen (keysize, qsize, datalen? data:NULL, datalen); + } + else if (!strcmp (mode_string, "dsa-g-gen")) + { + int keysize, qsize; keysize = keysize_string? atoi (keysize_string) : 0; if (keysize < 1024 || keysize > 3072) die ("invalid keysize specified; needs to be 1024 .. 3072\n"); - run_dsa_pqg_gen (keysize, datalen? data:NULL, datalen); + qsize = qsize_string? atoi (qsize_string) : 0; + if (qsize < 160 || qsize > 256) + die ("invalid qsize specified; needs to be 160 .. 256\n"); + if (!key_string) + die ("option --key containing pq domain parameters is required in this mode\n"); + run_dsa_g_gen (keysize, qsize, key_string); + } + else if (!strcmp (mode_string, "dsa-gen-key")) + { + if (!key_string) + die ("option --key containing pqg domain parameters is required in this mode\n"); + run_dsa_gen_key (key_string); } else if (!strcmp (mode_string, "dsa-gen")) { - int keysize; + int keysize, qsize; keysize = keysize_string? atoi (keysize_string) : 0; if (keysize < 1024 || keysize > 3072) die ("invalid keysize specified; needs to be 1024 .. 3072\n"); + qsize = qsize_string? atoi (qsize_string) : 0; + if (qsize < 160 || qsize > 256) + die ("invalid qsize specified; needs to be 160 .. 256\n"); if (!key_string) die ("option --key is required in this mode\n"); - run_dsa_gen (keysize, key_string); + run_dsa_gen (keysize, qsize, key_string); } else if (!strcmp (mode_string, "dsa-sign")) {