PageRenderTime 50ms CodeModel.GetById 15ms RepoModel.GetById 0ms app.codeStats 1ms

/security/nss/cmd/fipstest/fipstest.c

https://bitbucket.org/mkato/mozilla-1.9.0-win64
C | 4903 lines | 3797 code | 360 blank | 746 comment | 1445 complexity | ac6666cf55eeec83bda3ea3b4e6ec112 MD5 | raw file
Possible License(s): LGPL-3.0, MIT, BSD-3-Clause, MPL-2.0-no-copyleft-exception, GPL-2.0, LGPL-2.1

Large files files are truncated, but you can click here to view the full file

    

  1. /* ***** BEGIN LICENSE BLOCK *****
    2. 

  2.  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
    3. 

  3.  *
    4. 

  4.  * The contents of this file are subject to the Mozilla Public License Version
    5. 

  5.  * 1.1 (the "License"); you may not use this file except in compliance with
    6. 

  6.  * the License. You may obtain a copy of the License at
    7. 

  7.  * http://www.mozilla.org/MPL/
    8. 

  8.  *
    9. 

  9.  * Software distributed under the License is distributed on an "AS IS" basis,
    10. 

  10.  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
    11. 

  11.  * for the specific language governing rights and limitations under the
    12. 

  12.  * License.
    13. 

  13.  *
    14. 

  14.  * The Original Code is the Netscape security libraries.
    15. 

  15.  *
    16. 

  16.  * The Initial Developer of the Original Code is
    17. 

  17.  * Netscape Communications Corporation.
    18. 

  18.  * Portions created by the Initial Developer are Copyright (C) 1994-2000
    19. 

  19.  * the Initial Developer. All Rights Reserved.
    20. 

  20.  *
    21. 

  21.  * Contributor(s):
    22. 

  22.  *
    23. 

  23.  * Alternatively, the contents of this file may be used under the terms of
    24. 

  24.  * either the GNU General Public License Version 2 or later (the "GPL"), or
    25. 

  25.  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
    26. 

  26.  * in which case the provisions of the GPL or the LGPL are applicable instead
    27. 

  27.  * of those above. If you wish to allow use of your version of this file only
    28. 

  28.  * under the terms of either the GPL or the LGPL, and not to allow others to
    29. 

  29.  * use your version of this file under the terms of the MPL, indicate your
    30. 

  30.  * decision by deleting the provisions above and replace them with the notice
    31. 

  31.  * and other provisions required by the GPL or the LGPL. If you do not delete
    32. 

  32.  * the provisions above, a recipient may use your version of this file under
    33. 

  33.  * the terms of any one of the MPL, the GPL or the LGPL.
    34. 

  34.  *
    35. 

  35.  * ***** END LICENSE BLOCK ***** */
    36. 

  36. 

  37. #include <stdio.h>
    38. 

  38. #include <stdlib.h>
    39. 

  39. #include <ctype.h>
    40. 

  40. 

  41. #include "secitem.h"
    42. 

  42. #include "blapi.h"
    43. 

  43. #include "nss.h"
    44. 

  44. #include "secerr.h"
    45. 

  45. #include "secder.h"
    46. 

  46. #include "secdig.h"
    47. 

  47. #include "keythi.h"
    48. 

  48. #include "ec.h"
    49. 

  49. #include "hasht.h"
    50. 

  50. #include "lowkeyi.h"
    51. 

  51. #include "softoken.h"
    52. 

  52. 

  53. #if 0
    54. 

  54. #include "../../lib/freebl/mpi/mpi.h"
    55. 

  55. #endif
    56. 

  56. 

  57. #ifdef NSS_ENABLE_ECC
    58. 

  58. extern SECStatus
    59. 

  59. EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
    60. 

  60. extern SECStatus
    61. 

  61. EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
    62. 

  62.               const ECParams *srcParams);
    63. 

  63. #endif
    64. 

  64. 

  65. #define ENCRYPT 1
    66. 

  66. #define DECRYPT 0
    67. 

  67. #define BYTE unsigned char
    68. 

  68. #define DEFAULT_RSA_PUBLIC_EXPONENT   0x10001
    69. 

  69. #define RSA_MAX_TEST_MODULUS_BITS     4096
    70. 

  70. #define RSA_MAX_TEST_MODULUS_BYTES    RSA_MAX_TEST_MODULUS_BITS/8
    71. 

  71. #define RSA_MAX_TEST_EXPONENT_BYTES   8
    72. 

  72. #define PQG_TEST_SEED_BYTES           20
    73. 

  73. 

  74. SECStatus
    75. 

  75. hex_to_byteval(const char *c2, unsigned char *byteval)
    76. 

  76. {
    77. 

  77.     int i;
    78. 

  78.     unsigned char offset;
    79. 

  79.     *byteval = 0;
    80. 

  80.     for (i=0; i<2; i++) {
    81. 

  81. 	if (c2[i] >= '0' && c2[i] <= '9') {
    82. 

  82. 	    offset = c2[i] - '0';
    83. 

  83. 	    *byteval |= offset << 4*(1-i);
    84. 

  84. 	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
    85. 

  85. 	    offset = c2[i] - 'a';
    86. 

  86. 	    *byteval |= (offset + 10) << 4*(1-i);
    87. 

  87. 	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
    88. 

  88. 	    offset = c2[i] - 'A';
    89. 

  89. 	    *byteval |= (offset + 10) << 4*(1-i);
    90. 

  90. 	} else {
    91. 

  91. 	    return SECFailure;
    92. 

  92. 	}
    93. 

  93.     }
    94. 

  94.     return SECSuccess;
    95. 

  95. }
    96. 

  96. 

  97. SECStatus
    98. 

  98. byteval_to_hex(unsigned char byteval, char *c2, char a)
    99. 

  99. {
    100. 

  100.     int i;
    101. 

  101.     unsigned char offset;
    102. 

  102.     for (i=0; i<2; i++) {
    103. 

  103. 	offset = (byteval >> 4*(1-i)) & 0x0f;
    104. 

  104. 	if (offset < 10) {
    105. 

  105. 	    c2[i] = '0' + offset;
    106. 

  106. 	} else {
    107. 

  107. 	    c2[i] = a + offset - 10;
    108. 

  108. 	}
    109. 

  109.     }
    110. 

  110.     return SECSuccess;
    111. 

  111. }
    112. 

  112. 

  113. void
    114. 

  114. to_hex_str(char *str, const unsigned char *buf, unsigned int len)
    115. 

  115. {
    116. 

  116.     unsigned int i;
    117. 

  117.     for (i=0; i<len; i++) {
    118. 

  118. 	byteval_to_hex(buf[i], &str[2*i], 'a');
    119. 

  119.     }
    120. 

  120.     str[2*len] = '\0';
    121. 

  121. }
    122. 

  122. 

  123. void
    124. 

  124. to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len)
    125. 

  125. {
    126. 

  126.     unsigned int i;
    127. 

  127.     for (i=0; i<len; i++) {
    128. 

  128. 	byteval_to_hex(buf[i], &str[2*i], 'A');
    129. 

  129.     }
    130. 

  130.     str[2*len] = '\0';
    131. 

  131. }
    132. 

  132. 

  133. /*
    134. 

  134.  * Convert a string of hex digits (str) to an array (buf) of len bytes.
    135. 

  135.  * Return PR_TRUE if the hex string can fit in the byte array.  Return
    136. 

  136.  * PR_FALSE if the hex string is empty or is too long.
    137. 

  137.  */
    138. 

  138. PRBool
    139. 

  139. from_hex_str(unsigned char *buf, unsigned int len, const char *str)
    140. 

  140. {
    141. 

  141.     unsigned int nxdigit;  /* number of hex digits in str */
    142. 

  142.     unsigned int i;  /* index into buf */
    143. 

  143.     unsigned int j;  /* index into str */
    144. 

  144. 

  145.     /* count the hex digits */
    146. 

  146.     nxdigit = 0;
    147. 

  147.     for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) {
    148. 

  148. 	/* empty body */
    149. 

  149.     }
    150. 

  150.     if (nxdigit == 0) {
    151. 

  151. 	return PR_FALSE;
    152. 

  152.     }
    153. 

  153.     if (nxdigit > 2*len) {
    154. 

  154. 	/*
    155. 

  155. 	 * The input hex string is too long, but we allow it if the
    156. 

  156. 	 * extra digits are leading 0's.
    157. 

  157. 	 */
    158. 

  158. 	for (j = 0; j < nxdigit-2*len; j++) {
    159. 

  159. 	    if (str[j] != '0') {
    160. 

  160. 		return PR_FALSE;
    161. 

  161. 	    }
    162. 

  162. 	}
    163. 

  163. 	/* skip leading 0's */
    164. 

  164. 	str += nxdigit-2*len;
    165. 

  165. 	nxdigit = 2*len;
    166. 

  166.     }
    167. 

  167.     for (i=0, j=0; i< len; i++) {
    168. 

  168. 	if (2*i < 2*len-nxdigit) {
    169. 

  169. 	    /* Handle a short input as if we padded it with leading 0's. */
    170. 

  170. 	    if (2*i+1 < 2*len-nxdigit) {
    171. 

  171. 		buf[i] = 0;
    172. 

  172. 	    } else {
    173. 

  173. 		char tmp[2];
    174. 

  174. 		tmp[0] = '0';
    175. 

  175. 		tmp[1] = str[j];
    176. 

  176. 		hex_to_byteval(tmp, &buf[i]);
    177. 

  177. 		j++;
    178. 

  178. 	    }
    179. 

  179. 	} else {
    180. 

  180. 	    hex_to_byteval(&str[j], &buf[i]);
    181. 

  181. 	    j += 2;
    182. 

  182. 	}
    183. 

  183.     }
    184. 

  184.     return PR_TRUE;
    185. 

  185. }
    186. 

  186. 

  187. SECStatus
    188. 

  188. tdea_encrypt_buf(
    189. 

  189.     int mode,
    190. 

  190.     const unsigned char *key, 
    191. 

  191.     const unsigned char *iv,
    192. 

  192.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    193. 

  193.     const unsigned char *input, unsigned int inputlen)
    194. 

  194. {
    195. 

  195.     SECStatus rv = SECFailure;
    196. 

  196.     DESContext *cx;
    197. 

  197.     unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
    198. 

  198.     unsigned int doublechecklen = 0;
    199. 

  199. 

  200.     cx = DES_CreateContext(key, iv, mode, PR_TRUE);
    201. 

  201.     if (cx == NULL) {
    202. 

  202.         goto loser;
    203. 

  203.     }
    204. 

  204.     rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
    205. 

  205.     if (rv != SECSuccess) {
    206. 

  206.         goto loser;
    207. 

  207.     }
    208. 

  208.     if (*outputlen != inputlen) {
    209. 

  209.         goto loser;
    210. 

  210.     }
    211. 

  211.     DES_DestroyContext(cx, PR_TRUE);
    212. 

  212.     cx = NULL;
    213. 

  213. 

  214.     /*
    215. 

  215.      * Doublecheck our result by decrypting the ciphertext and
    216. 

  216.      * compare the output with the input plaintext.
    217. 

  217.      */
    218. 

  218.     cx = DES_CreateContext(key, iv, mode, PR_FALSE);
    219. 

  219.     if (cx == NULL) {
    220. 

  220.         goto loser;
    221. 

  221.     }
    222. 

  222.     rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    223. 

  223.                     output, *outputlen);
    224. 

  224.     if (rv != SECSuccess) {
    225. 

  225.         goto loser;
    226. 

  226.     }
    227. 

  227.     if (doublechecklen != *outputlen) {
    228. 

  228.         goto loser;
    229. 

  229.     }
    230. 

  230.     DES_DestroyContext(cx, PR_TRUE);
    231. 

  231.     cx = NULL;
    232. 

  232.     if (memcmp(doublecheck, input, inputlen) != 0) {
    233. 

  233.         goto loser;
    234. 

  234.     }
    235. 

  235.     rv = SECSuccess;
    236. 

  236. 

  237. loser:
    238. 

  238.     if (cx != NULL) {
    239. 

  239.         DES_DestroyContext(cx, PR_TRUE);
    240. 

  240.     }
    241. 

  241.     return rv;
    242. 

  242. }
    243. 

  243. 

  244. SECStatus
    245. 

  245. tdea_decrypt_buf(
    246. 

  246.     int mode,
    247. 

  247.     const unsigned char *key, 
    248. 

  248.     const unsigned char *iv,
    249. 

  249.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    250. 

  250.     const unsigned char *input, unsigned int inputlen)
    251. 

  251. {
    252. 

  252.     SECStatus rv = SECFailure;
    253. 

  253.     DESContext *cx;
    254. 

  254.     unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
    255. 

  255.     unsigned int doublechecklen = 0;
    256. 

  256. 

  257.     cx = DES_CreateContext(key, iv, mode, PR_FALSE);
    258. 

  258.     if (cx == NULL) {
    259. 

  259.         goto loser;
    260. 

  260.     }
    261. 

  261.     rv = DES_Decrypt(cx, output, outputlen, maxoutputlen,
    262. 

  262.                     input, inputlen);
    263. 

  263.     if (rv != SECSuccess) {
    264. 

  264.         goto loser;
    265. 

  265.     }
    266. 

  266.     if (*outputlen != inputlen) {
    267. 

  267.         goto loser;
    268. 

  268.     }
    269. 

  269.     DES_DestroyContext(cx, PR_TRUE);
    270. 

  270.     cx = NULL;
    271. 

  271. 

  272.     /*
    273. 

  273.      * Doublecheck our result by encrypting the plaintext and
    274. 

  274.      * compare the output with the input ciphertext.
    275. 

  275.      */
    276. 

  276.     cx = DES_CreateContext(key, iv, mode, PR_TRUE);
    277. 

  277.     if (cx == NULL) {
    278. 

  278.         goto loser;
    279. 

  279.     }
    280. 

  280.     rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    281. 

  281.         output, *outputlen);
    282. 

  282.     if (rv != SECSuccess) {
    283. 

  283.         goto loser;
    284. 

  284.     }
    285. 

  285.     if (doublechecklen != *outputlen) {
    286. 

  286.         goto loser;
    287. 

  287.     }
    288. 

  288.     DES_DestroyContext(cx, PR_TRUE);
    289. 

  289.     cx = NULL;
    290. 

  290.     if (memcmp(doublecheck, input, inputlen) != 0) {
    291. 

  291.         goto loser;
    292. 

  292.     }
    293. 

  293.     rv = SECSuccess;
    294. 

  294. 

  295. loser:
    296. 

  296.     if (cx != NULL) {
    297. 

  297.         DES_DestroyContext(cx, PR_TRUE);
    298. 

  298.     }
    299. 

  299.     return rv;
    300. 

  300. }
    301. 

  301. 

  302. /*
    303. 

  303.  * Perform the TDEA Known Answer Test (KAT) or Multi-block Message
    304. 

  304.  * Test (MMT) in ECB or CBC mode.  The KAT (there are five types)
    305. 

  305.  * and MMT have the same structure: given the key and IV (CBC mode
    306. 

  306.  * only), encrypt the given plaintext or decrypt the given ciphertext.
    307. 

  307.  * So we can handle them the same way.
    308. 

  308.  *
    309. 

  309.  * reqfn is the pathname of the REQUEST file.
    310. 

  310.  *
    311. 

  311.  * The output RESPONSE file is written to stdout.
    312. 

  312.  */
    313. 

  313. void
    314. 

  314. tdea_kat_mmt(char *reqfn)
    315. 

  315. {
    316. 

  316.     char buf[180];      /* holds one line from the input REQUEST file.
    317. 

  317.                          * needs to be large enough to hold the longest
    318. 

  318.                          * line "CIPHERTEXT = <180 hex digits>\n".
    319. 

  319.                          */
    320. 

  320.     FILE *req;       /* input stream from the REQUEST file */
    321. 

  321.     FILE *resp;      /* output stream to the RESPONSE file */
    322. 

  322.     int i, j;
    323. 

  323.     int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
    324. 

  324.     int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
    325. 

  325.     unsigned char key[24];              /* TDEA 3 key bundle */
    326. 

  326.     unsigned int numKeys = 0;
    327. 

  327.     unsigned char iv[8];		/* for all modes except ECB */
    328. 

  328.     unsigned char plaintext[8*20];     /* 1 to 20 blocks */
    329. 

  329.     unsigned int plaintextlen;
    330. 

  330.     unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
    331. 

  331.     unsigned int ciphertextlen;
    332. 

  332.     SECStatus rv;
    333. 

  333. 

  334.     req = fopen(reqfn, "r");
    335. 

  335.     resp = stdout;
    336. 

  336.     while (fgets(buf, sizeof buf, req) != NULL) {
    337. 

  337.         /* a comment or blank line */
    338. 

  338.         if (buf[0] == '#' || buf[0] == '\n') {
    339. 

  339.             fputs(buf, resp);
    340. 

  340.             continue;
    341. 

  341.         }
    342. 

  342.         /* [ENCRYPT] or [DECRYPT] */
    343. 

  343.         if (buf[0] == '[') {
    344. 

  344.             if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    345. 

  345.                 crypt = ENCRYPT;
    346. 

  346.             } else {
    347. 

  347.                 crypt = DECRYPT;
    348. 

  348.             }
    349. 

  349.             fputs(buf, resp);
    350. 

  350.             continue;
    351. 

  351.         }
    352. 

  352.         /* NumKeys */
    353. 

  353.         if (strncmp(&buf[0], "NumKeys", 7) == 0) {
    354. 

  354.             i = 7;
    355. 

  355.             while (isspace(buf[i]) || buf[i] == '=') {
    356. 

  356.                 i++;
    357. 

  357.             }
    358. 

  358.             numKeys = buf[i];
    359. 

  359.             fputs(buf, resp);
    360. 

  360.             continue;
    361. 

  361.         }
    362. 

  362.         /* "COUNT = x" begins a new data set */
    363. 

  363.         if (strncmp(buf, "COUNT", 5) == 0) {
    364. 

  364.             /* mode defaults to ECB, if dataset has IV mode will be set CBC */
    365. 

  365.             mode = NSS_DES_EDE3;
    366. 

  366.             /* zeroize the variables for the test with this data set */
    367. 

  367.             memset(key, 0, sizeof key);
    368. 

  368.             memset(iv, 0, sizeof iv);
    369. 

  369.             memset(plaintext, 0, sizeof plaintext);
    370. 

  370.             plaintextlen = 0;
    371. 

  371.             memset(ciphertext, 0, sizeof ciphertext);
    372. 

  372.             ciphertextlen = 0;
    373. 

  373.             fputs(buf, resp);
    374. 

  374.             continue;
    375. 

  375.         }
    376. 

  376.         if (numKeys == 0) {
    377. 

  377.             if (strncmp(buf, "KEYs", 4) == 0) {
    378. 

  378.                 i = 4;
    379. 

  379.                 while (isspace(buf[i]) || buf[i] == '=') {
    380. 

  380.                     i++;
    381. 

  381.                 }
    382. 

  382.                 for (j=0; isxdigit(buf[i]); i+=2,j++) {
    383. 

  383.                     hex_to_byteval(&buf[i], &key[j]);
    384. 

  384.                     key[j+8] = key[j];
    385. 

  385.                     key[j+16] = key[j];
    386. 

  386.                 }
    387. 

  387.                 fputs(buf, resp);
    388. 

  388.                 continue;
    389. 

  389.             }
    390. 

  390.         } else {
    391. 

  391.             /* KEY1 = ... */
    392. 

  392.             if (strncmp(buf, "KEY1", 4) == 0) {
    393. 

  393.                 i = 4;
    394. 

  394.                 while (isspace(buf[i]) || buf[i] == '=') {
    395. 

  395.                     i++;
    396. 

  396.                 }
    397. 

  397.                 for (j=0; isxdigit(buf[i]); i+=2,j++) {
    398. 

  398.                     hex_to_byteval(&buf[i], &key[j]);
    399. 

  399.                 }
    400. 

  400.                 fputs(buf, resp);
    401. 

  401.                 continue;
    402. 

  402.             }
    403. 

  403.             /* KEY2 = ... */
    404. 

  404.             if (strncmp(buf, "KEY2", 4) == 0) {
    405. 

  405.                 i = 4;
    406. 

  406.                 while (isspace(buf[i]) || buf[i] == '=') {
    407. 

  407.                     i++;
    408. 

  408.                 }
    409. 

  409.                 for (j=8; isxdigit(buf[i]); i+=2,j++) {
    410. 

  410.                     hex_to_byteval(&buf[i], &key[j]);
    411. 

  411.                 }
    412. 

  412.                 fputs(buf, resp);
    413. 

  413.                 continue;
    414. 

  414.             }
    415. 

  415.             /* KEY3 = ... */
    416. 

  416.             if (strncmp(buf, "KEY3", 4) == 0) {
    417. 

  417.                 i = 4;
    418. 

  418.                 while (isspace(buf[i]) || buf[i] == '=') {
    419. 

  419.                     i++;
    420. 

  420.                 }
    421. 

  421.                 for (j=16; isxdigit(buf[i]); i+=2,j++) {
    422. 

  422.                     hex_to_byteval(&buf[i], &key[j]);
    423. 

  423.                 }
    424. 

  424.                 fputs(buf, resp);
    425. 

  425.                 continue;
    426. 

  426.             }
    427. 

  427.         }
    428. 

  428. 

  429.         /* IV = ... */
    430. 

  430.         if (strncmp(buf, "IV", 2) == 0) {
    431. 

  431.             mode = NSS_DES_EDE3_CBC;
    432. 

  432.             i = 2;
    433. 

  433.             while (isspace(buf[i]) || buf[i] == '=') {
    434. 

  434.                 i++;
    435. 

  435.             }
    436. 

  436.             for (j=0; j<sizeof iv; i+=2,j++) {
    437. 

  437.                 hex_to_byteval(&buf[i], &iv[j]);
    438. 

  438.             }
    439. 

  439.             fputs(buf, resp);
    440. 

  440.             continue;
    441. 

  441.         }
    442. 

  442. 

  443.         /* PLAINTEXT = ... */
    444. 

  444.         if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    445. 

  445.             /* sanity check */
    446. 

  446.             if (crypt != ENCRYPT) {
    447. 

  447.                 goto loser;
    448. 

  448.             }
    449. 

  449.             i = 9;
    450. 

  450.             while (isspace(buf[i]) || buf[i] == '=') {
    451. 

  451.                 i++;
    452. 

  452.             }
    453. 

  453.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    454. 

  454.                 hex_to_byteval(&buf[i], &plaintext[j]);
    455. 

  455.             }
    456. 

  456.             plaintextlen = j;
    457. 

  457.             rv = tdea_encrypt_buf(mode, key,
    458. 

  458.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    459. 

  459.                             ciphertext, &ciphertextlen, sizeof ciphertext,
    460. 

  460.                             plaintext, plaintextlen);
    461. 

  461.             if (rv != SECSuccess) {
    462. 

  462.                 goto loser;
    463. 

  463.             }
    464. 

  464.     
    465. 

  465.             fputs(buf, resp);
    466. 

  466.             fputs("CIPHERTEXT = ", resp);
    467. 

  467.             to_hex_str(buf, ciphertext, ciphertextlen);
    468. 

  468.             fputs(buf, resp);
    469. 

  469.             fputc('\n', resp);
    470. 

  470.             continue;
    471. 

  471.         }
    472. 

  472.         /* CIPHERTEXT = ... */
    473. 

  473.         if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    474. 

  474.             /* sanity check */
    475. 

  475.             if (crypt != DECRYPT) {
    476. 

  476.                 goto loser;
    477. 

  477.             }
    478. 

  478.  
    479. 

  479.             i = 10;
    480. 

  480.             while (isspace(buf[i]) || buf[i] == '=') {
    481. 

  481.                 i++;
    482. 

  482.             }
    483. 

  483.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    484. 

  484.                 hex_to_byteval(&buf[i], &ciphertext[j]);
    485. 

  485.             }
    486. 

  486.             ciphertextlen = j;
    487. 

  487.  
    488. 

  488.             rv = tdea_decrypt_buf(mode, key,
    489. 

  489.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    490. 

  490.                             plaintext, &plaintextlen, sizeof plaintext,
    491. 

  491.                             ciphertext, ciphertextlen);
    492. 

  492.             if (rv != SECSuccess) {
    493. 

  493.                 goto loser;
    494. 

  494.             }
    495. 

  495.  
    496. 

  496.             fputs(buf, resp);
    497. 

  497.             fputs("PLAINTEXT = ", resp);
    498. 

  498.             to_hex_str(buf, plaintext, plaintextlen);
    499. 

  499.             fputs(buf, resp);
    500. 

  500.             fputc('\n', resp);
    501. 

  501.             continue;
    502. 

  502.         }
    503. 

  503.     }
    504. 

  504. 

  505. loser:
    506. 

  506.     fclose(req);
    507. 

  507. }
    508. 

  508. 

  509. /*
    510. 

  510. * Set the parity bit for the given byte
    511. 

  511. */
    512. 

  512. BYTE odd_parity( BYTE in)
    513. 

  513. {
    514. 

  514.     BYTE out = in;
    515. 

  515.     in ^= in >> 4;
    516. 

  516.     in ^= in >> 2;
    517. 

  517.     in ^= in >> 1;
    518. 

  518.     return (BYTE)(out ^ !(in & 1));
    519. 

  519. }
    520. 

  520. 

  521. /*
    522. 

  522.  * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] 
    523. 

  523.  * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes.
    524. 

  524.  */
    525. 

  525. void
    526. 

  526. tdea_mct_next_keys(unsigned char *key,
    527. 

  527.     const unsigned char *text_2, const unsigned char *text_1, 
    528. 

  528.     const unsigned char *text, unsigned int numKeys)
    529. 

  529. {
    530. 

  530.     int k;
    531. 

  531. 

  532.     /* key1[i+1] = key1[i] xor PT/CT[j] */
    533. 

  533.     for (k=0; k<8; k++) {
    534. 

  534.         key[k] ^= text[k];
    535. 

  535.     }
    536. 

  536.     /* key2 */
    537. 

  537.     if (numKeys == 2 || numKeys == 3)  {
    538. 

  538.         /* key2 independent */
    539. 

  539.         for (k=8; k<16; k++) {
    540. 

  540.             /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */
    541. 

  541.             key[k] ^= text_1[k-8];
    542. 

  542.         }
    543. 

  543.     } else {
    544. 

  544.         /* key2 == key 1 */
    545. 

  545.         for (k=8; k<16; k++) {
    546. 

  546.             /* key2[i+1] = KEY2[i] xor PT/CT[j] */
    547. 

  547.             key[k] = key[k-8];
    548. 

  548.         }
    549. 

  549.     }
    550. 

  550.     /* key3 */
    551. 

  551.     if (numKeys == 1 || numKeys == 2) {
    552. 

  552.         /* key3 == key 1 */
    553. 

  553.         for (k=16; k<24; k++) {
    554. 

  554.             /* key3[i+1] = KEY3[i] xor PT/CT[j] */
    555. 

  555.             key[k] = key[k-16];
    556. 

  556.         }
    557. 

  557.     } else {
    558. 

  558.         /* key3 independent */ 
    559. 

  559.         for (k=16; k<24; k++) {
    560. 

  560.             /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */
    561. 

  561.             key[k] ^= text_2[k-16];
    562. 

  562.         }
    563. 

  563.     }
    564. 

  564.     /* set the parity bits */            
    565. 

  565.     for (k=0; k<24; k++) {
    566. 

  566.         key[k] = odd_parity(key[k]);
    567. 

  567.     }
    568. 

  568. }
    569. 

  569. 

  570. /*
    571. 

  571.  * Perform the Monte Carlo Test
    572. 

  572.  *
    573. 

  573.  * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC
    574. 

  574.  * crypt = ENCRYPT || DECRYPT
    575. 

  575.  * inputtext = plaintext or Cyphertext depending on the value of crypt
    576. 

  576.  * inputlength is expected to be size 8 bytes 
    577. 

  577.  * iv = needs to be set for NSS_DES_EDE3_CBC mode
    578. 

  578.  * resp = is the output response file. 
    579. 

  579.  */
    580. 

  580.  void                                                       
    581. 

  581. tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, 
    582. 

  582.               unsigned int crypt, unsigned char* inputtext, 
    583. 

  583.               unsigned int inputlength, unsigned char* iv, FILE *resp) { 
    584. 

  584. 

  585.     int i, j;
    586. 

  586.     unsigned char outputtext_1[8];      /* PT/CT[j-1] */
    587. 

  587.     unsigned char outputtext_2[8];      /* PT/CT[j-2] */
    588. 

  588.     char buf[80];       /* holds one line from the input REQUEST file. */
    589. 

  589.     unsigned int outputlen;
    590. 

  590.     unsigned char outputtext[8];
    591. 

  591.     
    592. 

  592.         
    593. 

  593.     SECStatus rv;
    594. 

  594. 

  595.     if (mode == NSS_DES_EDE3 && iv != NULL) {
    596. 

  596.         printf("IV must be NULL for NSS_DES_EDE3 mode");
    597. 

  597.         goto loser;
    598. 

  598.     } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) {
    599. 

  599.         printf("IV must not be NULL for NSS_DES_EDE3_CBC mode");
    600. 

  600.         goto loser;
    601. 

  601.     }
    602. 

  602. 

  603.     /* loop 400 times */
    604. 

  604.     for (i=0; i<400; i++) {
    605. 

  605.         /* if i == 0 CV[0] = IV  not necessary */        
    606. 

  606.         /* record the count and key values and plainText */
    607. 

  607.         sprintf(buf, "COUNT = %d\n", i);
    608. 

  608.         fputs(buf, resp);
    609. 

  609.         /* Output KEY1[i] */
    610. 

  610.         fputs("KEY1 = ", resp);
    611. 

  611.         to_hex_str(buf, key, 8);
    612. 

  612.         fputs(buf, resp);
    613. 

  613.         fputc('\n', resp);
    614. 

  614.         /* Output KEY2[i] */
    615. 

  615.         fputs("KEY2 = ", resp);
    616. 

  616.         to_hex_str(buf, &key[8], 8);
    617. 

  617.         fputs(buf, resp);
    618. 

  618.         fputc('\n', resp);
    619. 

  619.         /* Output KEY3[i] */
    620. 

  620.         fputs("KEY3 = ", resp);
    621. 

  621.         to_hex_str(buf, &key[16], 8);
    622. 

  622.         fputs(buf, resp);
    623. 

  623.         fputc('\n', resp);
    624. 

  624.         if (mode == NSS_DES_EDE3_CBC) {
    625. 

  625.             /* Output CV[i] */
    626. 

  626.             fputs("IV = ", resp);
    627. 

  627.             to_hex_str(buf, iv, 8);
    628. 

  628.             fputs(buf, resp);
    629. 

  629.             fputc('\n', resp);
    630. 

  630.         }
    631. 

  631.         if (crypt == ENCRYPT) {
    632. 

  632.             /* Output PT[0] */
    633. 

  633.             fputs("PLAINTEXT = ", resp);
    634. 

  634.         } else {
    635. 

  635.             /* Output CT[0] */
    636. 

  636.             fputs("CIPHERTEXT = ", resp);
    637. 

  637.         }
    638. 

  638. 

  639.         to_hex_str(buf, inputtext, inputlength);
    640. 

  640.         fputs(buf, resp);
    641. 

  641.         fputc('\n', resp);
    642. 

  642. 

  643.         /* loop 10,000 times */
    644. 

  644.         for (j=0; j<10000; j++) {
    645. 

  645. 

  646.             outputlen = 0;
    647. 

  647.             if (crypt == ENCRYPT) {
    648. 

  648.                 /* inputtext == ciphertext outputtext == plaintext*/
    649. 

  649.                 rv = tdea_encrypt_buf(mode, key,
    650. 

  650.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    651. 

  651.                             outputtext, &outputlen, 8,
    652. 

  652.                             inputtext, 8);
    653. 

  653.             } else {
    654. 

  654.                 /* inputtext == plaintext outputtext == ciphertext */
    655. 

  655.                 rv = tdea_decrypt_buf(mode, key,
    656. 

  656.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    657. 

  657.                             outputtext, &outputlen, 8,
    658. 

  658.                             inputtext, 8);
    659. 

  659.             }
    660. 

  660. 

  661.             if (rv != SECSuccess) {
    662. 

  662.                 goto loser;
    663. 

  663.             }
    664. 

  664.             if (outputlen != inputlength) {
    665. 

  665.                 goto loser;
    666. 

  666.             }
    667. 

  667. 

  668.             if (mode == NSS_DES_EDE3_CBC) {
    669. 

  669.                 if (crypt == ENCRYPT) {
    670. 

  670.                     if (j == 0) {
    671. 

  671.                         /*P[j+1] = CV[0] */
    672. 

  672.                         memcpy(inputtext, iv, 8);
    673. 

  673.                     } else {
    674. 

  674.                         /* p[j+1] = C[j-1] */
    675. 

  675.                         memcpy(inputtext, outputtext_1, 8);
    676. 

  676.                     }
    677. 

  677.                     /* CV[j+1] = C[j] */
    678. 

  678.                     memcpy(iv, outputtext, 8);
    679. 

  679.                     if (j != 9999) {
    680. 

  680.                         /* save C[j-1] */
    681. 

  681.                         memcpy(outputtext_1, outputtext, 8);
    682. 

  682.                     }
    683. 

  683.                 } else { /* DECRYPT */
    684. 

  684.                     /* CV[j+1] = C[j] */
    685. 

  685.                     memcpy(iv, inputtext, 8);
    686. 

  686.                     /* C[j+1] = P[j] */
    687. 

  687.                     memcpy(inputtext, outputtext, 8);
    688. 

  688.                 }
    689. 

  689.             } else {
    690. 

  690.                 /* ECB mode PT/CT[j+1] = CT/PT[j] */
    691. 

  691.                 memcpy(inputtext, outputtext, 8);
    692. 

  692.             }
    693. 

  693. 

  694.             /* Save PT/CT[j-2] and PT/CT[j-1] */
    695. 

  695.             if (j==9997) memcpy(outputtext_2, outputtext, 8);
    696. 

  696.             if (j==9998) memcpy(outputtext_1, outputtext, 8);
    697. 

  697.             /* done at the end of the for(j) loop */
    698. 

  698.         }
    699. 

  699. 

  700. 

  701.         if (crypt == ENCRYPT) {
    702. 

  702.             /* Output CT[j] */
    703. 

  703.             fputs("CIPHERTEXT = ", resp);
    704. 

  704.         } else {
    705. 

  705.             /* Output PT[j] */
    706. 

  706.             fputs("PLAINTEXT = ", resp);
    707. 

  707.         }
    708. 

  708.         to_hex_str(buf, outputtext, 8);
    709. 

  709.         fputs(buf, resp);
    710. 

  710.         fputc('\n', resp);
    711. 

  711. 

  712.         /* Key[i+1] = Key[i] xor ...  outputtext_2 == PT/CT[j-2] 
    713. 

  713.          *  outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] 
    714. 

  714.          */
    715. 

  715.         tdea_mct_next_keys(key, outputtext_2, 
    716. 

  716.                            outputtext_1, outputtext, numKeys);
    717. 

  717. 

  718.         if (mode == NSS_DES_EDE3_CBC) {
    719. 

  719.             /* taken care of in the j=9999 iteration */
    720. 

  720.             if (crypt == ENCRYPT) {
    721. 

  721.                 /* P[i] = C[j-1] */
    722. 

  722.                 /* CV[i] = C[j] */
    723. 

  723.             } else {
    724. 

  724.                 /* taken care of in the j=9999 iteration */
    725. 

  725.                 /* CV[i] = C[j] */
    726. 

  726.                 /* C[i] = P[j]  */
    727. 

  727.             }
    728. 

  728.         } else {
    729. 

  729.             /* ECB PT/CT[i] = PT/CT[j]  */
    730. 

  730.             memcpy(inputtext, outputtext, 8);
    731. 

  731.         }
    732. 

  732.         /* done at the end of the for(i) loop */
    733. 

  733.         fputc('\n', resp);
    734. 

  734.     }
    735. 

  735. 

  736. loser:
    737. 

  737.     return;
    738. 

  738. }
    739. 

  739. 

  740. /*
    741. 

  741.  * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes.
    742. 

  742.  * by gathering the input from the request file, and then 
    743. 

  743.  * calling tdea_mct_test.
    744. 

  744.  *
    745. 

  745.  * reqfn is the pathname of the input REQUEST file.
    746. 

  746.  *
    747. 

  747.  * The output RESPONSE file is written to stdout.
    748. 

  748.  */
    749. 

  749. void
    750. 

  750. tdea_mct(int mode, char *reqfn)
    751. 

  751. {
    752. 

  752.     int i, j;
    753. 

  753.     char buf[80];    /* holds one line from the input REQUEST file. */
    754. 

  754.     FILE *req;       /* input stream from the REQUEST file */
    755. 

  755.     FILE *resp;      /* output stream to the RESPONSE file */
    756. 

  756.     unsigned int crypt = 0;    /* 1 means encrypt, 0 means decrypt */
    757. 

  757.     unsigned char key[24];              /* TDEA 3 key bundle */
    758. 

  758.     unsigned int numKeys = 0;
    759. 

  759.     unsigned char plaintext[8];        /* PT[j] */
    760. 

  760.     unsigned char ciphertext[8];       /* CT[j] */
    761. 

  761.     unsigned char iv[8];
    762. 

  762. 

  763.     /* zeroize the variables for the test with this data set */
    764. 

  764.     memset(key, 0, sizeof key);
    765. 

  765.     memset(plaintext, 0, sizeof plaintext);
    766. 

  766.     memset(ciphertext, 0, sizeof ciphertext);
    767. 

  767.     memset(iv, 0, sizeof iv);
    768. 

  768. 

  769.     req = fopen(reqfn, "r");
    770. 

  770.     resp = stdout;
    771. 

  771.     while (fgets(buf, sizeof buf, req) != NULL) {
    772. 

  772.         /* a comment or blank line */
    773. 

  773.         if (buf[0] == '#' || buf[0] == '\n') {
    774. 

  774.             fputs(buf, resp);
    775. 

  775.             continue;
    776. 

  776.         }
    777. 

  777.         /* [ENCRYPT] or [DECRYPT] */
    778. 

  778.         if (buf[0] == '[') {
    779. 

  779.             if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    780. 

  780.                 crypt = ENCRYPT;
    781. 

  781.             } else {
    782. 

  782.                 crypt = DECRYPT;
    783. 

  783.            }
    784. 

  784.            fputs(buf, resp);
    785. 

  785.            continue;
    786. 

  786.         }
    787. 

  787.         /* NumKeys */
    788. 

  788.         if (strncmp(&buf[0], "NumKeys", 7) == 0) {
    789. 

  789.             i = 7;
    790. 

  790.             while (isspace(buf[i]) || buf[i] == '=') {
    791. 

  791.                 i++;
    792. 

  792.             }
    793. 

  793.             numKeys = atoi(&buf[i]);
    794. 

  794.             continue;
    795. 

  795.         }
    796. 

  796.         /* KEY1 = ... */
    797. 

  797.         if (strncmp(buf, "KEY1", 4) == 0) {
    798. 

  798.             i = 4;
    799. 

  799.             while (isspace(buf[i]) || buf[i] == '=') {
    800. 

  800.                 i++;
    801. 

  801.             }
    802. 

  802.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    803. 

  803.                 hex_to_byteval(&buf[i], &key[j]);
    804. 

  804.             }
    805. 

  805.             continue;
    806. 

  806.         }
    807. 

  807.         /* KEY2 = ... */
    808. 

  808.         if (strncmp(buf, "KEY2", 4) == 0) {
    809. 

  809.             i = 4;
    810. 

  810.             while (isspace(buf[i]) || buf[i] == '=') {
    811. 

  811.                 i++;
    812. 

  812.             }
    813. 

  813.             for (j=8; isxdigit(buf[i]); i+=2,j++) {
    814. 

  814.                 hex_to_byteval(&buf[i], &key[j]);
    815. 

  815.             }
    816. 

  816.             continue;
    817. 

  817.         }
    818. 

  818.         /* KEY3 = ... */
    819. 

  819.         if (strncmp(buf, "KEY3", 4) == 0) {
    820. 

  820.             i = 4;
    821. 

  821.             while (isspace(buf[i]) || buf[i] == '=') {
    822. 

  822.                 i++;
    823. 

  823.             }
    824. 

  824.             for (j=16; isxdigit(buf[i]); i+=2,j++) {
    825. 

  825.                 hex_to_byteval(&buf[i], &key[j]);
    826. 

  826.             }
    827. 

  827.             continue;
    828. 

  828.         }
    829. 

  829. 

  830.         /* IV = ... */
    831. 

  831.         if (strncmp(buf, "IV", 2) == 0) {
    832. 

  832.             i = 2;
    833. 

  833.             while (isspace(buf[i]) || buf[i] == '=') {
    834. 

  834.                 i++;
    835. 

  835.             }
    836. 

  836.             for (j=0; j<sizeof iv; i+=2,j++) {
    837. 

  837.                 hex_to_byteval(&buf[i], &iv[j]);
    838. 

  838.             }
    839. 

  839.             continue;
    840. 

  840.         }
    841. 

  841. 

  842.        /* PLAINTEXT = ... */
    843. 

  843.        if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    844. 

  844. 

  845.             /* sanity check */
    846. 

  846.             if (crypt != ENCRYPT) {
    847. 

  847.                 goto loser;
    848. 

  848.             }
    849. 

  849.             /* PT[0] = PT */
    850. 

  850.             i = 9;
    851. 

  851.             while (isspace(buf[i]) || buf[i] == '=') {
    852. 

  852.                 i++;
    853. 

  853.             }
    854. 

  854.             for (j=0; j<sizeof plaintext; i+=2,j++) {
    855. 

  855.                 hex_to_byteval(&buf[i], &plaintext[j]);
    856. 

  856.             }                                     
    857. 

  857. 

  858.             /* do the Monte Carlo test */
    859. 

  859.             if (mode==NSS_DES_EDE3) {
    860. 

  860.                 tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp);
    861. 

  861.             } else {
    862. 

  862.                 tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp);
    863. 

  863.             }
    864. 

  864.             continue;
    865. 

  865.         }
    866. 

  866.         /* CIPHERTEXT = ... */
    867. 

  867.         if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    868. 

  868.             /* sanity check */
    869. 

  869.             if (crypt != DECRYPT) {
    870. 

  870.                 goto loser;
    871. 

  871.             }
    872. 

  872.             /* CT[0] = CT */
    873. 

  873.             i = 10;
    874. 

  874.             while (isspace(buf[i]) || buf[i] == '=') {
    875. 

  875.                 i++;
    876. 

  876.             }
    877. 

  877.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    878. 

  878.                 hex_to_byteval(&buf[i], &ciphertext[j]);
    879. 

  879.             }
    880. 

  880.             
    881. 

  881.             /* do the Monte Carlo test */
    882. 

  882.             if (mode==NSS_DES_EDE3) {
    883. 

  883.                 tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); 
    884. 

  884.             } else {
    885. 

  885.                 tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); 
    886. 

  886.             }
    887. 

  887.             continue;
    888. 

  888.         }
    889. 

  889.     }
    890. 

  890. 

  891. loser:
    892. 

  892.     fclose(req);
    893. 

  893. }
    894. 

  894. 

  895. 

  896. SECStatus
    897. 

  897. aes_encrypt_buf(
    898. 

  898.     int mode,
    899. 

  899.     const unsigned char *key, unsigned int keysize,
    900. 

  900.     const unsigned char *iv,
    901. 

  901.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    902. 

  902.     const unsigned char *input, unsigned int inputlen)
    903. 

  903. {
    904. 

  904.     SECStatus rv = SECFailure;
    905. 

  905.     AESContext *cx;
    906. 

  906.     unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
    907. 

  907.     unsigned int doublechecklen = 0;
    908. 

  908. 

  909.     cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
    910. 

  910.     if (cx == NULL) {
    911. 

  911. 	goto loser;
    912. 

  912.     }
    913. 

  913.     rv = AES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
    914. 

  914.     if (rv != SECSuccess) {
    915. 

  915. 	goto loser;
    916. 

  916.     }
    917. 

  917.     if (*outputlen != inputlen) {
    918. 

  918. 	goto loser;
    919. 

  919.     }
    920. 

  920.     AES_DestroyContext(cx, PR_TRUE);
    921. 

  921.     cx = NULL;
    922. 

  922. 

  923.     /*
    924. 

  924.      * Doublecheck our result by decrypting the ciphertext and
    925. 

  925.      * compare the output with the input plaintext.
    926. 

  926.      */
    927. 

  927.     cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
    928. 

  928.     if (cx == NULL) {
    929. 

  929. 	goto loser;
    930. 

  930.     }
    931. 

  931.     rv = AES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    932. 

  932. 	output, *outputlen);
    933. 

  933.     if (rv != SECSuccess) {
    934. 

  934. 	goto loser;
    935. 

  935.     }
    936. 

  936.     if (doublechecklen != *outputlen) {
    937. 

  937. 	goto loser;
    938. 

  938.     }
    939. 

  939.     AES_DestroyContext(cx, PR_TRUE);
    940. 

  940.     cx = NULL;
    941. 

  941.     if (memcmp(doublecheck, input, inputlen) != 0) {
    942. 

  942. 	goto loser;
    943. 

  943.     }
    944. 

  944.     rv = SECSuccess;
    945. 

  945. 

  946. loser:
    947. 

  947.     if (cx != NULL) {
    948. 

  948. 	AES_DestroyContext(cx, PR_TRUE);
    949. 

  949.     }
    950. 

  950.     return rv;
    951. 

  951. }
    952. 

  952. 

  953. SECStatus
    954. 

  954. aes_decrypt_buf(
    955. 

  955.     int mode,
    956. 

  956.     const unsigned char *key, unsigned int keysize,
    957. 

  957.     const unsigned char *iv,
    958. 

  958.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    959. 

  959.     const unsigned char *input, unsigned int inputlen)
    960. 

  960. {
    961. 

  961.     SECStatus rv = SECFailure;
    962. 

  962.     AESContext *cx;
    963. 

  963.     unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
    964. 

  964.     unsigned int doublechecklen = 0;
    965. 

  965. 

  966.     cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
    967. 

  967.     if (cx == NULL) {
    968. 

  968. 	goto loser;
    969. 

  969.     }
    970. 

  970.     rv = AES_Decrypt(cx, output, outputlen, maxoutputlen,
    971. 

  971. 	input, inputlen);
    972. 

  972.     if (rv != SECSuccess) {
    973. 

  973. 	goto loser;
    974. 

  974.     }
    975. 

  975.     if (*outputlen != inputlen) {
    976. 

  976. 	goto loser;
    977. 

  977.     }
    978. 

  978.     AES_DestroyContext(cx, PR_TRUE);
    979. 

  979.     cx = NULL;
    980. 

  980. 

  981.     /*
    982. 

  982.      * Doublecheck our result by encrypting the plaintext and
    983. 

  983.      * compare the output with the input ciphertext.
    984. 

  984.      */
    985. 

  985.     cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
    986. 

  986.     if (cx == NULL) {
    987. 

  987. 	goto loser;
    988. 

  988.     }
    989. 

  989.     rv = AES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    990. 

  990. 	output, *outputlen);
    991. 

  991.     if (rv != SECSuccess) {
    992. 

  992. 	goto loser;
    993. 

  993.     }
    994. 

  994.     if (doublechecklen != *outputlen) {
    995. 

  995. 	goto loser;
    996. 

  996.     }
    997. 

  997.     AES_DestroyContext(cx, PR_TRUE);
    998. 

  998.     cx = NULL;
    999. 

  999.     if (memcmp(doublecheck, input, inputlen) != 0) {
    1000. 

  1000. 	goto loser;
    1001. 

  1001.     }
    1002. 

  1002.     rv = SECSuccess;
    1003. 

  1003. 

  1004. loser:
    1005. 

  1005.     if (cx != NULL) {
    1006. 

  1006. 	AES_DestroyContext(cx, PR_TRUE);
    1007. 

  1007.     }
    1008. 

  1008.     return rv;
    1009. 

  1009. }
    1010. 

  1010. 

  1011. /*
    1012. 

  1012.  * Perform the AES Known Answer Test (KAT) or Multi-block Message
    1013. 

  1013.  * Test (MMT) in ECB or CBC mode.  The KAT (there are four types)
    1014. 

  1014.  * and MMT have the same structure: given the key and IV (CBC mode
    1015. 

  1015.  * only), encrypt the given plaintext or decrypt the given ciphertext.
    1016. 

  1016.  * So we can handle them the same way.
    1017. 

  1017.  *
    1018. 

  1018.  * reqfn is the pathname of the REQUEST file.
    1019. 

  1019.  *
    1020. 

  1020.  * The output RESPONSE file is written to stdout.
    1021. 

  1021.  */
    1022. 

  1022. void
    1023. 

  1023. aes_kat_mmt(char *reqfn)
    1024. 

  1024. {
    1025. 

  1025.     char buf[512];      /* holds one line from the input REQUEST file.
    1026. 

  1026.                          * needs to be large enough to hold the longest
    1027. 

  1027.                          * line "CIPHERTEXT = <320 hex digits>\n".
    1028. 

  1028.                          */
    1029. 

  1029.     FILE *aesreq;       /* input stream from the REQUEST file */
    1030. 

  1030.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1031. 

  1031.     int i, j;
    1032. 

  1032.     int mode;           /* NSS_AES (ECB) or NSS_AES_CBC */
    1033. 

  1033.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1034. 

  1034.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1035. 

  1035.     unsigned int keysize;
    1036. 

  1036.     unsigned char iv[16];		/* for all modes except ECB */
    1037. 

  1037.     unsigned char plaintext[10*16];     /* 1 to 10 blocks */
    1038. 

  1038.     unsigned int plaintextlen;
    1039. 

  1039.     unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
    1040. 

  1040.     unsigned int ciphertextlen;
    1041. 

  1041.     SECStatus rv;
    1042. 

  1042. 

  1043.     aesreq = fopen(reqfn, "r");
    1044. 

  1044.     aesresp = stdout;
    1045. 

  1045.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1046. 

  1046. 	/* a comment or blank line */
    1047. 

  1047. 	if (buf[0] == '#' || buf[0] == '\n') {
    1048. 

  1048. 	    fputs(buf, aesresp);
    1049. 

  1049. 	    continue;
    1050. 

  1050. 	}
    1051. 

  1051. 	/* [ENCRYPT] or [DECRYPT] */
    1052. 

  1052. 	if (buf[0] == '[') {
    1053. 

  1053. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1054. 

  1054. 		encrypt = 1;
    1055. 

  1055. 	    } else {
    1056. 

  1056. 		encrypt = 0;
    1057. 

  1057. 	    }
    1058. 

  1058. 	    fputs(buf, aesresp);
    1059. 

  1059. 	    continue;
    1060. 

  1060. 	}
    1061. 

  1061. 	/* "COUNT = x" begins a new data set */
    1062. 

  1062. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1063. 

  1063. 	    mode = NSS_AES;
    1064. 

  1064. 	    /* zeroize the variables for the test with this data set */
    1065. 

  1065. 	    memset(key, 0, sizeof key);
    1066. 

  1066. 	    keysize = 0;
    1067. 

  1067. 	    memset(iv, 0, sizeof iv);
    1068. 

  1068. 	    memset(plaintext, 0, sizeof plaintext);
    1069. 

  1069. 	    plaintextlen = 0;
    1070. 

  1070. 	    memset(ciphertext, 0, sizeof ciphertext);
    1071. 

  1071. 	    ciphertextlen = 0;
    1072. 

  1072. 	    fputs(buf, aesresp);
    1073. 

  1073. 	    continue;
    1074. 

  1074. 	}
    1075. 

  1075. 	/* KEY = ... */
    1076. 

  1076. 	if (strncmp(buf, "KEY", 3) == 0) {
    1077. 

  1077. 	    i = 3;
    1078. 

  1078. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1079. 

  1079. 		i++;
    1080. 

  1080. 	    }
    1081. 

  1081. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1082. 

  1082. 		hex_to_byteval(&buf[i], &key[j]);
    1083. 

  1083. 	    }
    1084. 

  1084. 	    keysize = j;
    1085. 

  1085. 	    fputs(buf, aesresp);
    1086. 

  1086. 	    continue;
    1087. 

  1087. 	}
    1088. 

  1088. 	/* IV = ... */
    1089. 

  1089. 	if (strncmp(buf, "IV", 2) == 0) {
    1090. 

  1090. 	    mode = NSS_AES_CBC;
    1091. 

  1091. 	    i = 2;
    1092. 

  1092. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1093. 

  1093. 		i++;
    1094. 

  1094. 	    }
    1095. 

  1095. 	    for (j=0; j<sizeof iv; i+=2,j++) {
    1096. 

  1096. 		hex_to_byteval(&buf[i], &iv[j]);
    1097. 

  1097. 	    }
    1098. 

  1098. 	    fputs(buf, aesresp);
    1099. 

  1099. 	    continue;
    1100. 

  1100. 	}
    1101. 

  1101. 	/* PLAINTEXT = ... */
    1102. 

  1102. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1103. 

  1103. 	    /* sanity check */
    1104. 

  1104. 	    if (!encrypt) {
    1105. 

  1105. 		goto loser;
    1106. 

  1106. 	    }
    1107. 

  1107. 

  1108. 	    i = 9;
    1109. 

  1109. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1110. 

  1110. 		i++;
    1111. 

  1111. 	    }
    1112. 

  1112. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1113. 

  1113. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1114. 

  1114. 	    }
    1115. 

  1115. 	    plaintextlen = j;
    1116. 

  1116. 

  1117. 	    rv = aes_encrypt_buf(mode, key, keysize,
    1118. 

  1118. 		(mode == NSS_AES) ? NULL : iv,
    1119. 

  1119. 		ciphertext, &ciphertextlen, sizeof ciphertext,
    1120. 

  1120. 		plaintext, plaintextlen);
    1121. 

  1121. 	    if (rv != SECSuccess) {
    1122. 

  1122. 		goto loser;
    1123. 

  1123. 	    }
    1124. 

  1124. 

  1125. 	    fputs(buf, aesresp);
    1126. 

  1126. 	    fputs("CIPHERTEXT = ", aesresp);
    1127. 

  1127. 	    to_hex_str(buf, ciphertext, ciphertextlen);
    1128. 

  1128. 	    fputs(buf, aesresp);
    1129. 

  1129. 	    fputc('\n', aesresp);
    1130. 

  1130. 	    continue;
    1131. 

  1131. 	}
    1132. 

  1132. 	/* CIPHERTEXT = ... */
    1133. 

  1133. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1134. 

  1134. 	    /* sanity check */
    1135. 

  1135. 	    if (encrypt) {
    1136. 

  1136. 		goto loser;
    1137. 

  1137. 	    }
    1138. 

  1138. 

  1139. 	    i = 10;
    1140. 

  1140. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1141. 

  1141. 		i++;
    1142. 

  1142. 	    }
    1143. 

  1143. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1144. 

  1144. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1145. 

  1145. 	    }
    1146. 

  1146. 	    ciphertextlen = j;
    1147. 

  1147. 

  1148. 	    rv = aes_decrypt_buf(mode, key, keysize,
    1149. 

  1149. 		(mode == NSS_AES) ? NULL : iv,
    1150. 

  1150. 		plaintext, &plaintextlen, sizeof plaintext,
    1151. 

  1151. 		ciphertext, ciphertextlen);
    1152. 

  1152. 	    if (rv != SECSuccess) {
    1153. 

  1153. 		goto loser;
    1154. 

  1154. 	    }
    1155. 

  1155. 

  1156. 	    fputs(buf, aesresp);
    1157. 

  1157. 	    fputs("PLAINTEXT = ", aesresp);
    1158. 

  1158. 	    to_hex_str(buf, plaintext, plaintextlen);
    1159. 

  1159. 	    fputs(buf, aesresp);
    1160. 

  1160. 	    fputc('\n', aesresp);
    1161. 

  1161. 	    continue;
    1162. 

  1162. 	}
    1163. 

  1163.     }
    1164. 

  1164. loser:
    1165. 

  1165.     fclose(aesreq);
    1166. 

  1166. }
    1167. 

  1167. 

  1168. /*
    1169. 

  1169.  * Generate Key[i+1] from Key[i], CT[j-1], and CT[j] for AES Monte Carlo
    1170. 

  1170.  * Test (MCT) in ECB and CBC modes.
    1171. 

  1171.  */
    1172. 

  1172. void
    1173. 

  1173. aes_mct_next_key(unsigned char *key, unsigned int keysize,
    1174. 

  1174.     const unsigned char *ciphertext_1, const unsigned char *ciphertext)
    1175. 

  1175. {
    1176. 

  1176.     int k;
    1177. 

  1177. 

  1178.     switch (keysize) {
    1179. 

  1179.     case 16:  /* 128-bit key */
    1180. 

  1180. 	/* Key[i+1] = Key[i] xor CT[j] */
    1181. 

  1181. 	for (k=0; k<16; k++) {
    1182. 

  1182. 	    key[k] ^= ciphertext[k];
    1183. 

  1183. 	}
    1184. 

  1184. 	break;
    1185. 

  1185.     case 24:  /* 192-bit key */
    1186. 

  1186. 	/*
    1187. 

  1187. 	 * Key[i+1] = Key[i] xor (last 64-bits of
    1188. 

  1188. 	 *            CT[j-1] || CT[j])
    1189. 

  1189. 	 */
    1190. 

  1190. 	for (k=0; k<8; k++) {
    1191. 

  1191. 	    key[k] ^= ciphertext_1[k+8];
    1192. 

  1192. 	}
    1193. 

  1193. 	for (k=8; k<24; k++) {
    1194. 

  1194. 	    key[k] ^= ciphertext[k-8];
    1195. 

  1195. 	}
    1196. 

  1196. 	break;
    1197. 

  1197.     case 32:  /* 256-bit key */
    1198. 

  1198. 	/* Key[i+1] = Key[i] xor (CT[j-1] || CT[j]) */
    1199. 

  1199. 	for (k=0; k<16; k++) {
    1200. 

  1200. 	    key[k] ^= ciphertext_1[k];
    1201. 

  1201. 	}
    1202. 

  1202. 	for (k=16; k<32; k++) {
    1203. 

  1203. 	    key[k] ^= ciphertext[k-16];
    1204. 

  1204. 	}
    1205. 

  1205. 	break;
    1206. 

  1206.     }
    1207. 

  1207. }
    1208. 

  1208. 

  1209. /*
    1210. 

  1210.  * Perform the AES Monte Carlo Test (MCT) in ECB mode.  MCT exercises
    1211. 

  1211.  * our AES code in streaming mode because the plaintext or ciphertext
    1212. 

  1212.  * is generated block by block as we go, so we can't collect all the
    1213. 

  1213.  * plaintext or ciphertext in one buffer and encrypt or decrypt it in
    1214. 

  1214.  * one shot.
    1215. 

  1215.  *
    1216. 

  1216.  * reqfn is the pathname of the input REQUEST file.
    1217. 

  1217.  *
    1218. 

  1218.  * The output RESPONSE file is written to stdout.
    1219. 

  1219.  */
    1220. 

  1220. void
    1221. 

  1221. aes_ecb_mct(char *reqfn)
    1222. 

  1222. {
    1223. 

  1223.     char buf[80];       /* holds one line from the input REQUEST file.
    1224. 

  1224.                          * needs to be large enough to hold the longest
    1225. 

  1225.                          * line "KEY = <64 hex digits>\n".
    1226. 

  1226.                          */
    1227. 

  1227.     FILE *aesreq;       /* input stream from the REQUEST file */
    1228. 

  1228.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1229. 

  1229.     int i, j;
    1230. 

  1230.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1231. 

  1231.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1232. 

  1232.     unsigned int keysize;
    1233. 

  1233.     unsigned char plaintext[16];        /* PT[j] */
    1234. 

  1234.     unsigned char plaintext_1[16];      /* PT[j-1] */
    1235. 

  1235.     unsigned char ciphertext[16];       /* CT[j] */
    1236. 

  1236.     unsigned char ciphertext_1[16];     /* CT[j-1] */
    1237. 

  1237.     unsigned char doublecheck[16];
    1238. 

  1238.     unsigned int outputlen;
    1239. 

  1239.     AESContext *cx = NULL;	/* the operation being tested */
    1240. 

  1240.     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
    1241. 

  1241.                                  * to doublecheck our result.
    1242. 

  1242.                                  */
    1243. 

  1243.     SECStatus rv;
    1244. 

  1244. 

  1245.     aesreq = fopen(reqfn, "r");
    1246. 

  1246.     aesresp = stdout;
    1247. 

  1247.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1248. 

  1248. 	/* a comment or blank line */
    1249. 

  1249. 	if (buf[0] == '#' || buf[0] == '\n') {
    1250. 

  1250. 	    fputs(buf, aesresp);
    1251. 

  1251. 	    continue;
    1252. 

  1252. 	}
    1253. 

  1253. 	/* [ENCRYPT] or [DECRYPT] */
    1254. 

  1254. 	if (buf[0] == '[') {
    1255. 

  1255. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1256. 

  1256. 		encrypt = 1;
    1257. 

  1257. 	    } else {
    1258. 

  1258. 		encrypt = 0;
    1259. 

  1259. 	    }
    1260. 

  1260. 	    fputs(buf, aesresp);
    1261. 

  1261. 	    continue;
    1262. 

  1262. 	}
    1263. 

  1263. 	/* "COUNT = x" begins a new data set */
    1264. 

  1264. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1265. 

  1265. 	    /* zeroize the variables for the test with this data set */
    1266. 

  1266. 	    memset(key, 0, sizeof key);
    1267. 

  1267. 	    keysize = 0;
    1268. 

  1268. 	    memset(plaintext, 0, sizeof plaintext);
    1269. 

  1269. 	    memset(ciphertext, 0, sizeof ciphertext);
    1270. 

  1270. 	    continue;
    1271. 

  1271. 	}
    1272. 

  1272. 	/* KEY = ... */
    1273. 

  1273. 	if (strncmp(buf, "KEY", 3) == 0) {
    1274. 

  1274. 	    /* Key[0] = Key */
    1275. 

  1275. 	    i = 3;
    1276. 

  1276. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1277. 

  1277. 		i++;
    1278. 

  1278. 	    }
    1279. 

  1279. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1280. 

  1280. 		hex_to_byteval(&buf[i], &key[j]);
    1281. 

  1281. 	    }
    1282. 

  1282. 	    keysize = j;
    1283. 

  1283. 	    continue;
    1284. 

  1284. 	}
    1285. 

  1285. 	/* PLAINTEXT = ... */
    1286. 

  1286. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1287. 

  1287. 	    /* sanity check */
    1288. 

  1288. 	    if (!encrypt) {
    1289. 

  1289. 		goto loser;
    1290. 

  1290. 	    }
    1291. 

  1291. 	    /* PT[0] = PT */
    1292. 

  1292. 	    i = 9;
    1293. 

  1293. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1294. 

  1294. 		i++;
    1295. 

  1295. 	    }
    1296. 

  1296. 	    for (j=0; j<sizeof plaintext; i+=2,j++) {
    1297. 

  1297. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1298. 

  1298. 	    }
    1299. 

  1299. 

  1300. 	    for (i=0; i<100; i++) {
    1301. 

  1301. 		sprintf(buf, "COUNT = %d\n", i);
    1302. 

  1302. 	        fputs(buf, aesresp);
    1303. 

  1303. 		/* Output Key[i] */
    1304. 

  1304. 		fputs("KEY = ", aesresp);
    1305. 

  1305. 		to_hex_str(buf, key, keysize);
    1306. 

  1306. 		fputs(buf, aesresp);
    1307. 

  1307. 		fputc('\n', aesresp);
    1308. 

  1308. 		/* Output PT[0] */
    1309. 

  1309. 		fputs("PLAINTEXT = ", aesresp);
    1310. 

  1310. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1311. 

  1311. 		fputs(buf, aesresp);
    1312. 

  1312. 		fputc('\n', aesresp);
    1313. 

  1313. 

  1314. 		cx = AES_CreateContext(key, NULL, NSS_AES,
    1315. 

  1315. 		    PR_TRUE, keysize, 16);
    1316. 

  1316. 		if (cx == NULL) {
    1317. 

  1317. 		    goto loser;
    1318. 

  1318. 		}
    1319. 

  1319. 		/*
    1320. 

  1320. 		 * doublecheck our result by decrypting the result
    1321. 

  1321. 		 * and comparing the output with the plaintext.
    1322. 

  1322. 		 */
    1323. 

  1323. 		cx2 = AES_CreateContext(key, NULL, NSS_AES,
    1324. 

  1324. 		    PR_FALSE, keysize, 16);
    1325. 

  1325. 		if (cx2 == NULL) {
    1326. 

  1326. 		    goto loser;
    1327. 

  1327. 		}
    1328. 

  1328. 		for (j=0; j<1000; j++) {
    1329. 

  1329. 		    /* Save CT[j-1] */
    1330. 

  1330. 		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
    1331. 

  1331. 

  1332. 		    /* CT[j] = AES(Key[i], PT[j]) */
    1333. 

  1333. 		    outputlen = 0;
    1334. 

  1334. 		    rv = AES_Encrypt(cx,
    1335. 

  1335. 			ciphertext, &outputlen, sizeof ciphertext,
    1336. 

  1336. 			plaintext, sizeof plaintext);
    1337. 

  1337. 		    if (rv != SECSuccess) {
    1338. 

  1338. 			goto loser;
    1339. 

  1339. 		    }
    1340. 

  1340. 		    if (outputlen != sizeof plaintext) {
    1341. 

  1341. 			goto loser;
    1342. 

  1342. 		    }
    1343. 

  1343. 

  1344. 		    /* doublecheck our result */
    1345. 

  1345. 		    outputlen = 0;
    1346. 

  1346. 		    rv = AES_Decrypt(cx2,
    1347. 

  1347. 			doublecheck, &outputlen, sizeof doublecheck,
    1348. 

  1348. 			ciphertext, sizeof ciphertext);
    1349. 

  1349. 		    if (rv != SECSuccess) {
    1350. 

  1350. 			goto loser;
    1351. 

  1351. 		    }
    1352. 

  1352. 		    if (outputlen != sizeof ciphertext) {
    1353. 

  1353. 			goto loser;
    1354. 

  1354. 		    }
    1355. 

  1355. 		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
    1356. 

  1356. 			goto loser;
    1357. 

  1357. 		    }
    1358. 

  1358. 

  1359. 		    /* PT[j+1] = CT[j] */
    1360. 

  1360. 		    memcpy(plaintext, ciphertext, sizeof plaintext);
    1361. 

  1361. 		}
    1362. 

  1362. 		AES_DestroyContext(cx, PR_TRUE);
    1363. 

  1363. 		cx = NULL;
    1364. 

  1364. 		AES_DestroyContext(cx2, PR_TRUE);
    1365. 

  1365. 		cx2 = NULL;
    1366. 

  1366. 

  1367. 		/* Output CT[j] */
    1368. 

  1368. 		fputs("CIPHERTEXT = ", aesresp);
    1369. 

  1369. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1370. 

  1370. 		fputs(buf, aesresp);
    1371. 

  1371. 		fputc('\n', aesresp);
    1372. 

  1372. 

  1373. 		/* Key[i+1] = Key[i] xor ... */
    1374. 

  1374. 		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
    1375. 

  1375. 		/* PT[0] = CT[j] */
    1376. 

  1376. 		/* done at the end of the for(j) loop */
    1377. 

  1377. 

  1378. 		fputc('\n', aesresp);
    1379. 

  1379. 	    }
    1380. 

  1380. 

  1381. 	    continue;
    1382. 

  1382. 	}
    1383. 

  1383. 	/* CIPHERTEXT = ... */
    1384. 

  1384. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1385. 

  1385. 	    /* sanity check */
    1386. 

  1386. 	    if (encrypt) {
    1387. 

  1387. 		goto loser;
    1388. 

  1388. 	    }
    1389. 

  1389. 	    /* CT[0] = CT */
    1390. 

  1390. 	    i = 10;
    1391. 

  1391. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1392. 

  1392. 		i++;
    1393. 

  1393. 	    }
    1394. 

  1394. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1395. 

  1395. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1396. 

  1396. 	    }
    1397. 

  1397. 

  1398. 	    for (i=0; i<100; i++) {
    1399. 

  1399. 		sprintf(buf, "COUNT = %d\n", i);
    1400. 

  1400. 	        fputs(buf, aesresp);
    1401. 

  1401. 		/* Output Key[i] */
    1402. 

  1402. 		fputs("KEY = ", aesresp);
    1403. 

  1403. 		to_hex_str(buf, key, keysize);
    1404. 

  1404. 		fputs(buf, aesresp);
    1405. 

  1405. 		fputc('\n', aesresp);
    1406. 

  1406. 		/* Output CT[0] */
    1407. 

  1407. 		fputs("CIPHERTEXT = ", aesresp);
    1408. 

  1408. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1409. 

  1409. 		fputs(buf, aesresp);
    1410. 

  1410. 		fputc('\n', aesresp);
    1411. 

  1411. 

  1412. 		cx = AES_CreateContext(key, NULL, NSS_AES,
    1413. 

  1413. 		    PR_FALSE, keysize, 16);
    1414. 

  1414. 		if (cx == NULL) {
    1415. 

  1415. 		    goto loser;
    1416. 

  1416. 		}
    1417. 

  1417. 		/*
    1418. 

  1418. 		 * doublecheck our result by encrypting the result
    1419. 

  1419. 		 * and comparing the output with the ciphertext.
    1420. 

  1420. 		 */
    1421. 

  1421. 		cx2 = AES_CreateContext(key, NULL, NSS_AES,
    1422. 

  1422. 		    PR_TRUE, keysize, 16);
    1423. 

  1423. 		if (cx2 == NULL) {
    1424. 

  1424. 		    goto loser;
    1425. 

  1425. 		}
    1426. 

  1426. 		for (j=0; j<1000; j++) {
    1427. 

  1427. 		    /* Save PT[j-1] */
    1428. 

  1428. 		    memcpy(plaintext_1, plaintext, sizeof plaintext);
    1429. 

  1429. 

  1430. 		    /* PT[j] = AES(Key[i], CT[j]) */
    1431. 

  1431. 		    outputlen = 0;
    1432. 

  1432. 		    rv = AES_Decrypt(cx,
    1433. 

  1433. 			plaintext, &outputlen, sizeof plaintext,
    1434. 

  1434. 			ciphertext, sizeof ciphertext);
    1435. 

  1435. 		    if (rv != SECSuccess) {
    1436. 

  1436. 			goto loser;
    1437. 

  1437. 		    }
    1438. 

  1438. 		    if (outputlen != sizeof ciphertext) {
    1439. 

  1439. 			goto loser;
    1440. 

  1440. 		    }
    1441. 

  1441. 

  1442. 		    /* doublecheck our result */
    1443. 

  1443. 		    outputlen = 0;
    1444. 

  1444. 		    rv = AES_Encrypt(cx2,
    1445. 

  1445. 			doublecheck, &outputlen, sizeof doublecheck,
    1446. 

  1446. 			plaintext, sizeof plaintext);
    1447. 

  1447. 		    if (rv != SECSuccess) {
    1448. 

  1448. 			goto loser;
    1449. 

  1449. 		    }
    1450. 

  1450. 		    if (outputlen != sizeof plaintext) {
    1451. 

  1451. 			goto loser;
    1452. 

  1452. 		    }
    1453. 

  1453. 		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
    1454. 

  1454. 			goto loser;
    1455. 

  1455. 		    }
    1456. 

  1456. 

  1457. 		    /* CT[j+1] = PT[j] */
    1458. 

  1458. 		    memcpy(ciphertext, plaintext, sizeof ciphertext);
    1459. 

  1459. 		}
    1460. 

  1460. 		AES_DestroyContext(cx, PR_TRUE);
    1461. 

  1461. 		cx = NULL;
    1462. 

  1462. 		AES_DestroyContext(cx2, PR_TRUE);
    1463. 

  1463. 		cx2 = NULL;
    1464. 

  1464. 

  1465. 		/* Output PT[j] */
    1466. 

  1466. 		fputs("PLAINTEXT = ", aesresp);
    1467. 

  1467. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1468. 

  1468. 		fputs(buf, aesresp);
    1469. 

  1469. 		fputc('\n', aesresp);
    1470. 

  1470. 

  1471. 		/* Key[i+1] = Key[i] xor ... */
    1472. 

  1472. 		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
    1473. 

  1473. 		/* CT[0] = PT[j] */
    1474. 

  1474. 		/* done at the end of the for(j) loop */
    1475. 

  1475. 

  1476. 		fputc('\n', aesresp);
    1477. 

  1477. 	    }
    1478. 

  1478. 

  1479. 	    continue;
    1480. 

  1480. 	}
    1481. 

  1481.     }
    1482. 

  1482. loser:
    1483. 

  1483.     if (cx != NULL) {
    1484. 

  1484. 	AES_DestroyContext(cx, PR_TRUE);
    1485. 

  1485.     }
    1486. 

  1486.     if (cx2 != NULL) {
    1487. 

  1487. 	AES_DestroyContext(cx2, PR_TRUE);
    1488. 

  1488.     }
    1489. 

  1489.     fclose(aesreq);
    1490. 

  1490. }
    1491. 

  1491. 

  1492. /*
    1493. 

  1493.  * Perform the AES Monte Carlo Test (MCT) in CBC mode.  MCT exercises
    1494. 

  1494.  * our AES code in streaming mode because the plaintext or ciphertext
    1495. 

  1495.  * is generated block by block as we go, so we can't collect all the
    1496. 

  1496.  * plaintext or ciphertext in one buffer and encrypt or decrypt it in
    1497. 

  1497.  * one shot.
    1498. 

  1498.  *
    1499. 

  1499.  * reqfn is the pathname of the input REQUEST file.
    1500. 

  1500.  *
    1501. 

  1501.  * The output RESPONSE file is written to stdout.
    1502. 

  1502.  */
    1503. 

  1503. void
    1504. 

  1504. aes_cbc_mct(char *reqfn)
    1505. 

  1505. {
    1506. 

  1506.     char buf[80];       /* holds one line from the input REQUEST file.
    1507. 

  1507.                          * needs to be large enough to hold the longest
    1508. 

  1508.                          * line "KEY = <64 hex digits>\n".
    1509. 

  1509.                          */
    1510. 

  1510.     FILE *aesreq;       /* input stream from the REQUEST file */
    1511. 

  1511.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1512. 

  1512.     int i, j;
    1513. 

  1513.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1514. 

  1514.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1515. 

  1515.     unsigned int keysize;
    1516. 

  1516.     unsigned char iv[16];
    1517. 

  1517.     unsigned char plaintext[16];        /* PT[j] */
    1518. 

  1518.     unsigned char plaintext_1[16];      /* PT[j-1] */
    1519. 

  1519.     unsigned char ciphertext[16];       /* CT[j] */
    1520. 

  1520.     unsigned char ciphertext_1[16];     /* CT[j-1] */
    1521. 

  1521.     unsigned char doublecheck[16];
    1522. 

  1522.     unsigned int outputlen;
    1523. 

  1523.     AESContext *cx = NULL;	/* the operation being tested */
    1524. 

  1524.     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
    1525. 

  1525.                                  * to doublecheck our result.
    1526. 

  1526.                                  */
    1527. 

  1527.     SECStatus rv;
    1528. 

  1528. 

  1529.     aesreq = fopen(reqfn, "r");
    1530. 

  1530.     aesresp = stdout;
    1531. 

  1531.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1532. 

  1532. 	/* a comment or blank line */
    1533. 

  1533. 	if (buf[0] == '#' || buf[0] == '\n') {
    1534. 

  1534. 	    fputs(buf, aesresp);
    1535. 

  1535. 	    continue;
    1536. 

  1536. 	}
    1537. 

  1537. 	/* [ENCRYPT] or [DECRYPT] */
    1538. 

  1538. 	if (buf[0] == '[') {
    1539. 

  1539. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1540. 

  1540. 		encrypt = 1;
    1541. 

  1541. 	    } else {
    1542. 

  1542. 		encrypt = 0;
    1543. 

  1543. 	    }
    1544. 

  1544. 	    fputs(buf, aesresp);
    1545. 

  1545. 	    continue;
    1546. 

  1546. 	}
    1547. 

  1547. 	/* "COUNT = x" begins a new data set */
    1548. 

  1548. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1549. 

  1549. 	    /* zeroize the variables for the test with this data set */
    1550. 

  1550. 	    memset(key, 0, sizeof key);
    1551. 

  1551. 	    keysize = 0;
    1552. 

  1552. 	    memset(iv, 0, sizeof iv);
    1553. 

  1553. 	    memset(plaintext, 0, sizeof plaintext);
    1554. 

  1554. 	    memset(ciphertext, 0, sizeof ciphertext);
    1555. 

  1555. 	    continue;
    1556. 

  1556. 	}
    1557. 

  1557. 	/* KEY = ... */
    1558. 

  1558. 	if (strncmp(buf, "KEY", 3) == 0) {
    1559. 

  1559. 	    /* Key[0] = Key */
    1560. 

  1560. 	    i = 3;
    1561. 

  1561. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1562. 

  1562. 		i++;
    1563. 

  1563. 	    }
    1564. 

  1564. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1565. 

  1565. 		hex_to_byteval(&buf[i], &key[j]);
    1566. 

  1566. 	    }
    1567. 

  1567. 	    keysize = j;
    1568. 

  1568. 	    continue;
    1569. 

  1569. 	}
    1570. 

  1570. 	/* IV = ... */
    1571. 

  1571. 	if (strncmp(buf, "IV", 2) == 0) {
    1572. 

  1572. 	    /* IV[0] = IV */
    1573. 

  1573. 	    i = 2;
    1574. 

  1574. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1575. 

  1575. 		i++;
    1576. 

  1576. 	    }
    1577. 

  1577. 	    for (j=0; j<sizeof iv; i+=2,j++) {
    1578. 

  1578. 		hex_to_byteval(&buf[i], &iv[j]);
    1579. 

  1579. 	    }
    1580. 

  1580. 	    continue;
    1581. 

  1581. 	}
    1582. 

  1582. 	/* PLAINTEXT = ... */
    1583. 

  1583. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1584. 

  1584. 	    /* sanity check */
    1585. 

  1585. 	    if (!encrypt) {
    1586. 

  1586. 		goto loser;
    1587. 

  1587. 	    }
    1588. 

  1588. 	    /* PT[0] = PT */
    1589. 

  1589. 	    i = 9;
    1590. 

  1590. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1591. 

  1591. 		i++;
    1592. 

  1592. 	    }
    1593. 

  1593. 	    for (j=0; j<sizeof plaintext; i+=2,j++) {
    1594. 

  1594. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1595. 

  1595. 	    }
    1596. 

  1596. 

  1597. 	    for (i=0; i<100; i++) {
    1598. 

  1598. 		sprintf(buf, "COUNT = %d\n", i);
    1599. 

  1599. 	        fputs(buf, aesresp);
    1600. 

  1600. 		/* Output Key[i] */
    1601. 

  1601. 		fputs("KEY = ", aesresp);
    1602. 

  1602. 		to_hex_str(buf, key, keysize);
    1603. 

  1603. 		fputs(buf, aesresp);
    1604. 

  1604. 		fputc('\n', aesresp);
    1605. 

  1605. 		/* Output IV[i] */
    1606. 

  1606. 		fputs("IV = ", aesresp);
    1607. 

  1607. 		to_hex_str(buf, iv, sizeof iv);
    1608. 

  1608. 		fputs(buf, aesresp);
    1609. 

  1609. 		fputc('\n', aesresp);
    1610. 

  1610. 		/* Output PT[0] */
    1611. 

  1611. 		fputs("PLAINTEXT = ", aesresp);
    1612. 

  1612. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1613. 

  1613. 		fputs(buf, aesresp);
    1614. 

  1614. 		fputc('\n', aesresp);
    1615. 

  1615. 

  1616. 		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
    1617. 

  1617. 		    PR_TRUE, keysize, 16);
    1618. 

  1618. 		if (cx == NULL) {
    1619. 

  1619. 		    goto loser;
    1620. 

  1620. 		}
    1621. 

  1621. 		/*
    1622. 

  1622. 		 * doublecheck our result by decrypting the result
    1623. 

  1623. 		 * and comparing the output with the plaintext.
    1624. 

  1624. 		 */
    1625. 

  1625. 		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
    1626. 

  1626. 		    PR_FALSE, keysize, 16);
    1627. 

  1627. 		if (cx2 == NULL) {
    1628. 

  1628. 		    goto loser;
    1629. 

  1629. 		}
    1630. 

  1630. 		/* CT[-1] = IV[i] */
    1631. 

  1631. 		memcpy(ciphertext, iv, sizeof ciphertext);
    1632. 

  1632. 		for (j=0; j<1000; j++) {
    1633. 

  1633. 		    /* Save CT[j-1] */
    1634. 

  1634. 		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
    1635. 

  1635. 		    /*
    1636. 

  1636. 		     * If ( j=0 )
    1637. 

  1637. 		     *      CT[j] = AES(Key[i], IV[i], PT[j])
    1638. 

  1638. 		     *      PT[j+1] = IV[i] (= CT[j-1])
    1639. 

  1639. 		     * Else
    1640. 

  1640. 		     *      CT[j] = AES(Key[i], PT[j])
    1641. 

  1641. 		     *      PT[j+1] = CT[j-1]
    1642. 

  1642. 		     */
    1643. 

  1643. 		    outputlen = 0;
    1644. 

  1644. 		    rv = AES_Encrypt(cx,
    1645. 

  1645. 			ciphertext, &outputlen, sizeof ciphertext,
    1646. 

  1646. 			plaintext, sizeof plaintext);
    1647. 

  1647. 		    if (rv != SECSuccess) {
    1648. 

  1648. 			goto loser;
    1649. 

  1649. 		    }
    1650. 

  1650. 		    if (outputlen != sizeof plaintext) {
    1651. 

  1651. 			goto loser;
    1652. 

  1652. 		    }
    1653. 

  1653. 

  1654. 		    /* doublecheck our result */
    1655. 

  1655. 		    outputlen = 0;
    1656. 

  1656. 		    rv = AES_Decrypt(cx2,
    1657. 

  1657. 			doublecheck, &outputlen, sizeof doublecheck,
    1658. 

  1658. 			ciphertext, sizeof ciphertext);
    1659. 

  1659. 		    if (rv != SECSuccess) {
    1660. 

  1660. 			goto loser;
    1661. 

  1661. 		    }
    1662. 

  1662. 		    if (outputlen != sizeof ciphertext) {
    1663. 

  1663. 			goto loser;
    1664. 

  1664. 		    }
    1665. 

  1665. 		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
    1666. 

  1666. 			goto loser;
    1667. 

  1667. 		    }
    1668. 

  1668. 

  1669. 		    memcpy(plaintext, ciphertext_1, sizeof plaintext);
    1670. 

  1670. 		}
    1671. 

  1671. 		AES_DestroyContext(cx, PR_TRUE);
    1672. 

  1672. 		cx = NULL;
    1673. 

  1673. 		AES_DestroyContext(cx2, PR_TRUE);
    1674. 

  1674. 		cx2 = NULL;
    1675. 

  1675. 

  1676. 		/* Output CT[j] */
    1677. 

  1677. 		fputs("CIPHERTEXT = ", aesresp);
    1678. 

  1678. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1679. 

  1679. 		fputs(buf, aesresp);
    1680. 

  1680. 		fputc('\n', aesresp);
    1681. 

  1681. 

  1682. 		/* Key[i+1] = Key[i] xor ... */
    1683. 

  1683. 		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
    1684. 

  1684. 		/* IV[i+1] = CT[j] */
    1685. 

  1685. 		memcpy(iv, ciphertext, sizeof iv);
    1686. 

  1686. 		/* PT[0] = CT[j-1] */
    1687. 

  1687. 		/* done at the end of the for(j) loop */
    1688. 

  1688. 

  1689. 		fputc('\n', aesresp);
    1690. 

  1690. 	    }
    1691. 

  1691. 

  1692. 	    continue;
    1693. 

  1693. 	}
    1694. 

  1694. 	/* CIPHERTEXT = ... */
    1695. 

  1695. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1696. 

  1696. 	    /* sanity check */
    1697. 

  1697. 	    if (encrypt) {
    1698. 

  1698. 		goto loser;
    1699. 

  1699. 	    }
    1700. 

  1700. 	    /* CT[0] = CT */
    1701. 

  1701. 	    i = 10;
    1702. 

  1702. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1703. 

  1703. 		i++;
    1704. 

  1704. 	    }
    1705. 

  1705. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1706. 

  1706. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1707. 

  1707. 	    }
    1708. 

  1708. 

  1709. 	    for (i=0; i<100; i++) {
    1710. 

  1710. 		sprintf(buf, "COUNT = %d\n", i);
    1711. 

  1711. 	        fputs(buf, aesresp);
    1712. 

  1712. 		/* Output Key[i] */
    1713. 

  1713. 		fputs("KEY = ", aesresp);
    1714. 

  1714. 		to_hex_str(buf, key, keysize);
    1715. 

  1715. 		fputs(buf, aesresp);
    1716. 

  1716. 		fputc('\n', aesresp);
    1717. 

  1717. 		/* Output IV[i] */
    1718. 

  1718. 		fputs("IV = ", aesresp);
    1719. 

  1719. 		to_hex_str(buf, iv, sizeof iv);
    1720. 

  1720. 		fputs(buf, aesresp);
    1721. 

  1721. 		fputc('\n', aesresp);
    1722. 

  1722. 		/* Output CT[0] */
    1723. 

  1723. 		fputs("CIPHERTEXT = ", aesresp);
    1724. 

  1724. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1725. 

  1725. 		fputs(buf, aesresp);
    1726. 

  1726. 		fputc('\n', aesresp);
    1727. 

  1727. 

  1728. 		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
    1729. 

  1729. 		    PR_FALSE, keysize, 16);
    1730. 

  1730. 		if (cx == NULL) {
    1731. 

  1731. 		    goto loser;
    1732. 

  1732. 		}
    1733. 

  1733. 		/*
    1734. 

  1734. 		 * doublecheck our result by encrypting the result
    1735. 

  1735. 		 * and comparing the output with the ciphertext.
    1736. 

  1736. 		 */
    1737. 

  1737. 		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
    1738. 

  1738. 		    PR_TRUE, keysize, 16);
    1739. 

  1739. 		if (cx2 == NULL) {
    1740. 

  1740. 		    goto loser;
    1741. 

  1741. 		}
    1742. 

  1742. 		/* PT[-1] = IV[i] */
    1743. 

  1743. 		memcpy(plaintext, iv, sizeof plaintext);
    1744. 

  1744. 		for (j=0; j<1000; j++) {
    1745. 

  1745. 		    /* Save PT[j-1] */
    1746. 

  1746. 		    memcpy(plaintext_1, plaintext, sizeof plaintext);
    1747. 

  1747. 		    /*
    1748. 

  1748. 		     * If ( j=0 )
    1749. 

  1749. 		     *      PT[j] = AES(Key[i], IV[i], CT[j])
    1750. 

  1750. 		     *      CT[j+1] = IV[i] (= PT[j-1])
    1751. 

  1751. 		     * Else
    1752. 

  1752. 		     *      PT[j] = AES(Key[i], CT[j])
    1753. 

  1753. 		     *      CT[j+1] = PT[j-1]
    1754. 

  1754. 		     */
    1755. 

  1755. 		    outputlen = 0;
    1756. 

  1756. 		    rv = AES_Decrypt(cx,
    1757. 

  1757. 			plaintext, &outputlen, sizeof plaintext,
    1758. 

  1758. 			ciphertext, sizeof ciphertext);
    1759. 

  1759. 		    if (rv != SECSuccess) {
    1760. 

  1760. 			goto loser;
    1761. 

  1761. 		    }
    1762. 

  1762. 		    if (outputlen != sizeof ciphertext) {
    1763. 

  1763. 			goto loser;
    1764. 

  1764. 		    }
    1765. 

  1765. 

  1766. 		    /* doublecheck our result */
    1767. 

  1767. 		    outputlen = 0;
    1768. 

  1768. 		    rv = AES_Encrypt(cx2,
    1769. 

  1769. 			doublecheck, &outputlen, sizeof doublecheck,
    1770. 

  1770. 			plaintext, sizeof plaintext);
    1771. 

  1771. 		    if (rv != SECSuccess) {
    1772. 

  1772. 			goto loser;
    1773. 

  1773. 		    }
    1774. 

  1774. 		    if (outputlen != sizeof plaintext) {
    1775. 

  1775. 			goto loser;
    1776. 

  1776. 		    }
    1777. 

  1777. 		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
    1778. 

  1778. 			goto loser;
    1779. 

  1779. 		    }
    1780. 

  1780. 

  1781. 		    memcpy(ciphertext, plaintext_1, sizeof ciphertext);
    1782. 

  1782. 		}
    1783. 

  1783. 		AES_DestroyContext(cx, PR_TRUE);
    1784. 

  1784. 		cx = NULL;
    1785. 

  1785. 		AES_DestroyContext(cx2, PR_TRUE);
    1786. 

  1786. 		cx2 = NULL;
    1787. 

  1787. 

  1788. 		/* Output PT[j] */
    1789. 

  1789. 		fputs("…
    1790.

Large files files are truncated, but you can click here to view the full file