PageRenderTime 87ms CodeModel.GetById 27ms RepoModel.GetById 0ms app.codeStats 0ms

/security/nss/cmd/fipstest/fipstest.c

https://bitbucket.org/mkato/mozilla-1.9.0-win64
C | 4903 lines | 3797 code | 360 blank | 746 comment | 1445 complexity | ac6666cf55eeec83bda3ea3b4e6ec112 MD5 | raw file
Possible License(s): LGPL-3.0, MIT, BSD-3-Clause, MPL-2.0-no-copyleft-exception, GPL-2.0, LGPL-2.1 
    

  1. /* ***** BEGIN LICENSE BLOCK *****
    2. 

  2.  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
    3. 

  3.  *
    4. 

  4.  * The contents of this file are subject to the Mozilla Public License Version
    5. 

  5.  * 1.1 (the "License"); you may not use this file except in compliance with
    6. 

  6.  * the License. You may obtain a copy of the License at
    7. 

  7.  * http://www.mozilla.org/MPL/
    8. 

  8.  *
    9. 

  9.  * Software distributed under the License is distributed on an "AS IS" basis,
    10. 

  10.  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
    11. 

  11.  * for the specific language governing rights and limitations under the
    12. 

  12.  * License.
    13. 

  13.  *
    14. 

  14.  * The Original Code is the Netscape security libraries.
    15. 

  15.  *
    16. 

  16.  * The Initial Developer of the Original Code is
    17. 

  17.  * Netscape Communications Corporation.
    18. 

  18.  * Portions created by the Initial Developer are Copyright (C) 1994-2000
    19. 

  19.  * the Initial Developer. All Rights Reserved.
    20. 

  20.  *
    21. 

  21.  * Contributor(s):
    22. 

  22.  *
    23. 

  23.  * Alternatively, the contents of this file may be used under the terms of
    24. 

  24.  * either the GNU General Public License Version 2 or later (the "GPL"), or
    25. 

  25.  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
    26. 

  26.  * in which case the provisions of the GPL or the LGPL are applicable instead
    27. 

  27.  * of those above. If you wish to allow use of your version of this file only
    28. 

  28.  * under the terms of either the GPL or the LGPL, and not to allow others to
    29. 

  29.  * use your version of this file under the terms of the MPL, indicate your
    30. 

  30.  * decision by deleting the provisions above and replace them with the notice
    31. 

  31.  * and other provisions required by the GPL or the LGPL. If you do not delete
    32. 

  32.  * the provisions above, a recipient may use your version of this file under
    33. 

  33.  * the terms of any one of the MPL, the GPL or the LGPL.
    34. 

  34.  *
    35. 

  35.  * ***** END LICENSE BLOCK ***** */
    36. 

  36. 

  37. #include <stdio.h>
    38. 

  38. #include <stdlib.h>
    39. 

  39. #include <ctype.h>
    40. 

  40. 

  41. #include "secitem.h"
    42. 

  42. #include "blapi.h"
    43. 

  43. #include "nss.h"
    44. 

  44. #include "secerr.h"
    45. 

  45. #include "secder.h"
    46. 

  46. #include "secdig.h"
    47. 

  47. #include "keythi.h"
    48. 

  48. #include "ec.h"
    49. 

  49. #include "hasht.h"
    50. 

  50. #include "lowkeyi.h"
    51. 

  51. #include "softoken.h"
    52. 

  52. 

  53. #if 0
    54. 

  54. #include "../../lib/freebl/mpi/mpi.h"
    55. 

  55. #endif
    56. 

  56. 

  57. #ifdef NSS_ENABLE_ECC
    58. 

  58. extern SECStatus
    59. 

  59. EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
    60. 

  60. extern SECStatus
    61. 

  61. EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
    62. 

  62.               const ECParams *srcParams);
    63. 

  63. #endif
    64. 

  64. 

  65. #define ENCRYPT 1
    66. 

  66. #define DECRYPT 0
    67. 

  67. #define BYTE unsigned char
    68. 

  68. #define DEFAULT_RSA_PUBLIC_EXPONENT   0x10001
    69. 

  69. #define RSA_MAX_TEST_MODULUS_BITS     4096
    70. 

  70. #define RSA_MAX_TEST_MODULUS_BYTES    RSA_MAX_TEST_MODULUS_BITS/8
    71. 

  71. #define RSA_MAX_TEST_EXPONENT_BYTES   8
    72. 

  72. #define PQG_TEST_SEED_BYTES           20
    73. 

  73. 

  74. SECStatus
    75. 

  75. hex_to_byteval(const char *c2, unsigned char *byteval)
    76. 

  76. {
    77. 

  77.     int i;
    78. 

  78.     unsigned char offset;
    79. 

  79.     *byteval = 0;
    80. 

  80.     for (i=0; i<2; i++) {
    81. 

  81. 	if (c2[i] >= '0' && c2[i] <= '9') {
    82. 

  82. 	    offset = c2[i] - '0';
    83. 

  83. 	    *byteval |= offset << 4*(1-i);
    84. 

  84. 	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
    85. 

  85. 	    offset = c2[i] - 'a';
    86. 

  86. 	    *byteval |= (offset + 10) << 4*(1-i);
    87. 

  87. 	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
    88. 

  88. 	    offset = c2[i] - 'A';
    89. 

  89. 	    *byteval |= (offset + 10) << 4*(1-i);
    90. 

  90. 	} else {
    91. 

  91. 	    return SECFailure;
    92. 

  92. 	}
    93. 

  93.     }
    94. 

  94.     return SECSuccess;
    95. 

  95. }
    96. 

  96. 

  97. SECStatus
    98. 

  98. byteval_to_hex(unsigned char byteval, char *c2, char a)
    99. 

  99. {
    100. 

  100.     int i;
    101. 

  101.     unsigned char offset;
    102. 

  102.     for (i=0; i<2; i++) {
    103. 

  103. 	offset = (byteval >> 4*(1-i)) & 0x0f;
    104. 

  104. 	if (offset < 10) {
    105. 

  105. 	    c2[i] = '0' + offset;
    106. 

  106. 	} else {
    107. 

  107. 	    c2[i] = a + offset - 10;
    108. 

  108. 	}
    109. 

  109.     }
    110. 

  110.     return SECSuccess;
    111. 

  111. }
    112. 

  112. 

  113. void
    114. 

  114. to_hex_str(char *str, const unsigned char *buf, unsigned int len)
    115. 

  115. {
    116. 

  116.     unsigned int i;
    117. 

  117.     for (i=0; i<len; i++) {
    118. 

  118. 	byteval_to_hex(buf[i], &str[2*i], 'a');
    119. 

  119.     }
    120. 

  120.     str[2*len] = '\0';
    121. 

  121. }
    122. 

  122. 

  123. void
    124. 

  124. to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len)
    125. 

  125. {
    126. 

  126.     unsigned int i;
    127. 

  127.     for (i=0; i<len; i++) {
    128. 

  128. 	byteval_to_hex(buf[i], &str[2*i], 'A');
    129. 

  129.     }
    130. 

  130.     str[2*len] = '\0';
    131. 

  131. }
    132. 

  132. 

  133. /*
    134. 

  134.  * Convert a string of hex digits (str) to an array (buf) of len bytes.
    135. 

  135.  * Return PR_TRUE if the hex string can fit in the byte array.  Return
    136. 

  136.  * PR_FALSE if the hex string is empty or is too long.
    137. 

  137.  */
    138. 

  138. PRBool
    139. 

  139. from_hex_str(unsigned char *buf, unsigned int len, const char *str)
    140. 

  140. {
    141. 

  141.     unsigned int nxdigit;  /* number of hex digits in str */
    142. 

  142.     unsigned int i;  /* index into buf */
    143. 

  143.     unsigned int j;  /* index into str */
    144. 

  144. 

  145.     /* count the hex digits */
    146. 

  146.     nxdigit = 0;
    147. 

  147.     for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) {
    148. 

  148. 	/* empty body */
    149. 

  149.     }
    150. 

  150.     if (nxdigit == 0) {
    151. 

  151. 	return PR_FALSE;
    152. 

  152.     }
    153. 

  153.     if (nxdigit > 2*len) {
    154. 

  154. 	/*
    155. 

  155. 	 * The input hex string is too long, but we allow it if the
    156. 

  156. 	 * extra digits are leading 0's.
    157. 

  157. 	 */
    158. 

  158. 	for (j = 0; j < nxdigit-2*len; j++) {
    159. 

  159. 	    if (str[j] != '0') {
    160. 

  160. 		return PR_FALSE;
    161. 

  161. 	    }
    162. 

  162. 	}
    163. 

  163. 	/* skip leading 0's */
    164. 

  164. 	str += nxdigit-2*len;
    165. 

  165. 	nxdigit = 2*len;
    166. 

  166.     }
    167. 

  167.     for (i=0, j=0; i< len; i++) {
    168. 

  168. 	if (2*i < 2*len-nxdigit) {
    169. 

  169. 	    /* Handle a short input as if we padded it with leading 0's. */
    170. 

  170. 	    if (2*i+1 < 2*len-nxdigit) {
    171. 

  171. 		buf[i] = 0;
    172. 

  172. 	    } else {
    173. 

  173. 		char tmp[2];
    174. 

  174. 		tmp[0] = '0';
    175. 

  175. 		tmp[1] = str[j];
    176. 

  176. 		hex_to_byteval(tmp, &buf[i]);
    177. 

  177. 		j++;
    178. 

  178. 	    }
    179. 

  179. 	} else {
    180. 

  180. 	    hex_to_byteval(&str[j], &buf[i]);
    181. 

  181. 	    j += 2;
    182. 

  182. 	}
    183. 

  183.     }
    184. 

  184.     return PR_TRUE;
    185. 

  185. }
    186. 

  186. 

  187. SECStatus
    188. 

  188. tdea_encrypt_buf(
    189. 

  189.     int mode,
    190. 

  190.     const unsigned char *key, 
    191. 

  191.     const unsigned char *iv,
    192. 

  192.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    193. 

  193.     const unsigned char *input, unsigned int inputlen)
    194. 

  194. {
    195. 

  195.     SECStatus rv = SECFailure;
    196. 

  196.     DESContext *cx;
    197. 

  197.     unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
    198. 

  198.     unsigned int doublechecklen = 0;
    199. 

  199. 

  200.     cx = DES_CreateContext(key, iv, mode, PR_TRUE);
    201. 

  201.     if (cx == NULL) {
    202. 

  202.         goto loser;
    203. 

  203.     }
    204. 

  204.     rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
    205. 

  205.     if (rv != SECSuccess) {
    206. 

  206.         goto loser;
    207. 

  207.     }
    208. 

  208.     if (*outputlen != inputlen) {
    209. 

  209.         goto loser;
    210. 

  210.     }
    211. 

  211.     DES_DestroyContext(cx, PR_TRUE);
    212. 

  212.     cx = NULL;
    213. 

  213. 

  214.     /*
    215. 

  215.      * Doublecheck our result by decrypting the ciphertext and
    216. 

  216.      * compare the output with the input plaintext.
    217. 

  217.      */
    218. 

  218.     cx = DES_CreateContext(key, iv, mode, PR_FALSE);
    219. 

  219.     if (cx == NULL) {
    220. 

  220.         goto loser;
    221. 

  221.     }
    222. 

  222.     rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    223. 

  223.                     output, *outputlen);
    224. 

  224.     if (rv != SECSuccess) {
    225. 

  225.         goto loser;
    226. 

  226.     }
    227. 

  227.     if (doublechecklen != *outputlen) {
    228. 

  228.         goto loser;
    229. 

  229.     }
    230. 

  230.     DES_DestroyContext(cx, PR_TRUE);
    231. 

  231.     cx = NULL;
    232. 

  232.     if (memcmp(doublecheck, input, inputlen) != 0) {
    233. 

  233.         goto loser;
    234. 

  234.     }
    235. 

  235.     rv = SECSuccess;
    236. 

  236. 

  237. loser:
    238. 

  238.     if (cx != NULL) {
    239. 

  239.         DES_DestroyContext(cx, PR_TRUE);
    240. 

  240.     }
    241. 

  241.     return rv;
    242. 

  242. }
    243. 

  243. 

  244. SECStatus
    245. 

  245. tdea_decrypt_buf(
    246. 

  246.     int mode,
    247. 

  247.     const unsigned char *key, 
    248. 

  248.     const unsigned char *iv,
    249. 

  249.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    250. 

  250.     const unsigned char *input, unsigned int inputlen)
    251. 

  251. {
    252. 

  252.     SECStatus rv = SECFailure;
    253. 

  253.     DESContext *cx;
    254. 

  254.     unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
    255. 

  255.     unsigned int doublechecklen = 0;
    256. 

  256. 

  257.     cx = DES_CreateContext(key, iv, mode, PR_FALSE);
    258. 

  258.     if (cx == NULL) {
    259. 

  259.         goto loser;
    260. 

  260.     }
    261. 

  261.     rv = DES_Decrypt(cx, output, outputlen, maxoutputlen,
    262. 

  262.                     input, inputlen);
    263. 

  263.     if (rv != SECSuccess) {
    264. 

  264.         goto loser;
    265. 

  265.     }
    266. 

  266.     if (*outputlen != inputlen) {
    267. 

  267.         goto loser;
    268. 

  268.     }
    269. 

  269.     DES_DestroyContext(cx, PR_TRUE);
    270. 

  270.     cx = NULL;
    271. 

  271. 

  272.     /*
    273. 

  273.      * Doublecheck our result by encrypting the plaintext and
    274. 

  274.      * compare the output with the input ciphertext.
    275. 

  275.      */
    276. 

  276.     cx = DES_CreateContext(key, iv, mode, PR_TRUE);
    277. 

  277.     if (cx == NULL) {
    278. 

  278.         goto loser;
    279. 

  279.     }
    280. 

  280.     rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    281. 

  281.         output, *outputlen);
    282. 

  282.     if (rv != SECSuccess) {
    283. 

  283.         goto loser;
    284. 

  284.     }
    285. 

  285.     if (doublechecklen != *outputlen) {
    286. 

  286.         goto loser;
    287. 

  287.     }
    288. 

  288.     DES_DestroyContext(cx, PR_TRUE);
    289. 

  289.     cx = NULL;
    290. 

  290.     if (memcmp(doublecheck, input, inputlen) != 0) {
    291. 

  291.         goto loser;
    292. 

  292.     }
    293. 

  293.     rv = SECSuccess;
    294. 

  294. 

  295. loser:
    296. 

  296.     if (cx != NULL) {
    297. 

  297.         DES_DestroyContext(cx, PR_TRUE);
    298. 

  298.     }
    299. 

  299.     return rv;
    300. 

  300. }
    301. 

  301. 

  302. /*
    303. 

  303.  * Perform the TDEA Known Answer Test (KAT) or Multi-block Message
    304. 

  304.  * Test (MMT) in ECB or CBC mode.  The KAT (there are five types)
    305. 

  305.  * and MMT have the same structure: given the key and IV (CBC mode
    306. 

  306.  * only), encrypt the given plaintext or decrypt the given ciphertext.
    307. 

  307.  * So we can handle them the same way.
    308. 

  308.  *
    309. 

  309.  * reqfn is the pathname of the REQUEST file.
    310. 

  310.  *
    311. 

  311.  * The output RESPONSE file is written to stdout.
    312. 

  312.  */
    313. 

  313. void
    314. 

  314. tdea_kat_mmt(char *reqfn)
    315. 

  315. {
    316. 

  316.     char buf[180];      /* holds one line from the input REQUEST file.
    317. 

  317.                          * needs to be large enough to hold the longest
    318. 

  318.                          * line "CIPHERTEXT = <180 hex digits>\n".
    319. 

  319.                          */
    320. 

  320.     FILE *req;       /* input stream from the REQUEST file */
    321. 

  321.     FILE *resp;      /* output stream to the RESPONSE file */
    322. 

  322.     int i, j;
    323. 

  323.     int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
    324. 

  324.     int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
    325. 

  325.     unsigned char key[24];              /* TDEA 3 key bundle */
    326. 

  326.     unsigned int numKeys = 0;
    327. 

  327.     unsigned char iv[8];		/* for all modes except ECB */
    328. 

  328.     unsigned char plaintext[8*20];     /* 1 to 20 blocks */
    329. 

  329.     unsigned int plaintextlen;
    330. 

  330.     unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
    331. 

  331.     unsigned int ciphertextlen;
    332. 

  332.     SECStatus rv;
    333. 

  333. 

  334.     req = fopen(reqfn, "r");
    335. 

  335.     resp = stdout;
    336. 

  336.     while (fgets(buf, sizeof buf, req) != NULL) {
    337. 

  337.         /* a comment or blank line */
    338. 

  338.         if (buf[0] == '#' || buf[0] == '\n') {
    339. 

  339.             fputs(buf, resp);
    340. 

  340.             continue;
    341. 

  341.         }
    342. 

  342.         /* [ENCRYPT] or [DECRYPT] */
    343. 

  343.         if (buf[0] == '[') {
    344. 

  344.             if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    345. 

  345.                 crypt = ENCRYPT;
    346. 

  346.             } else {
    347. 

  347.                 crypt = DECRYPT;
    348. 

  348.             }
    349. 

  349.             fputs(buf, resp);
    350. 

  350.             continue;
    351. 

  351.         }
    352. 

  352.         /* NumKeys */
    353. 

  353.         if (strncmp(&buf[0], "NumKeys", 7) == 0) {
    354. 

  354.             i = 7;
    355. 

  355.             while (isspace(buf[i]) || buf[i] == '=') {
    356. 

  356.                 i++;
    357. 

  357.             }
    358. 

  358.             numKeys = buf[i];
    359. 

  359.             fputs(buf, resp);
    360. 

  360.             continue;
    361. 

  361.         }
    362. 

  362.         /* "COUNT = x" begins a new data set */
    363. 

  363.         if (strncmp(buf, "COUNT", 5) == 0) {
    364. 

  364.             /* mode defaults to ECB, if dataset has IV mode will be set CBC */
    365. 

  365.             mode = NSS_DES_EDE3;
    366. 

  366.             /* zeroize the variables for the test with this data set */
    367. 

  367.             memset(key, 0, sizeof key);
    368. 

  368.             memset(iv, 0, sizeof iv);
    369. 

  369.             memset(plaintext, 0, sizeof plaintext);
    370. 

  370.             plaintextlen = 0;
    371. 

  371.             memset(ciphertext, 0, sizeof ciphertext);
    372. 

  372.             ciphertextlen = 0;
    373. 

  373.             fputs(buf, resp);
    374. 

  374.             continue;
    375. 

  375.         }
    376. 

  376.         if (numKeys == 0) {
    377. 

  377.             if (strncmp(buf, "KEYs", 4) == 0) {
    378. 

  378.                 i = 4;
    379. 

  379.                 while (isspace(buf[i]) || buf[i] == '=') {
    380. 

  380.                     i++;
    381. 

  381.                 }
    382. 

  382.                 for (j=0; isxdigit(buf[i]); i+=2,j++) {
    383. 

  383.                     hex_to_byteval(&buf[i], &key[j]);
    384. 

  384.                     key[j+8] = key[j];
    385. 

  385.                     key[j+16] = key[j];
    386. 

  386.                 }
    387. 

  387.                 fputs(buf, resp);
    388. 

  388.                 continue;
    389. 

  389.             }
    390. 

  390.         } else {
    391. 

  391.             /* KEY1 = ... */
    392. 

  392.             if (strncmp(buf, "KEY1", 4) == 0) {
    393. 

  393.                 i = 4;
    394. 

  394.                 while (isspace(buf[i]) || buf[i] == '=') {
    395. 

  395.                     i++;
    396. 

  396.                 }
    397. 

  397.                 for (j=0; isxdigit(buf[i]); i+=2,j++) {
    398. 

  398.                     hex_to_byteval(&buf[i], &key[j]);
    399. 

  399.                 }
    400. 

  400.                 fputs(buf, resp);
    401. 

  401.                 continue;
    402. 

  402.             }
    403. 

  403.             /* KEY2 = ... */
    404. 

  404.             if (strncmp(buf, "KEY2", 4) == 0) {
    405. 

  405.                 i = 4;
    406. 

  406.                 while (isspace(buf[i]) || buf[i] == '=') {
    407. 

  407.                     i++;
    408. 

  408.                 }
    409. 

  409.                 for (j=8; isxdigit(buf[i]); i+=2,j++) {
    410. 

  410.                     hex_to_byteval(&buf[i], &key[j]);
    411. 

  411.                 }
    412. 

  412.                 fputs(buf, resp);
    413. 

  413.                 continue;
    414. 

  414.             }
    415. 

  415.             /* KEY3 = ... */
    416. 

  416.             if (strncmp(buf, "KEY3", 4) == 0) {
    417. 

  417.                 i = 4;
    418. 

  418.                 while (isspace(buf[i]) || buf[i] == '=') {
    419. 

  419.                     i++;
    420. 

  420.                 }
    421. 

  421.                 for (j=16; isxdigit(buf[i]); i+=2,j++) {
    422. 

  422.                     hex_to_byteval(&buf[i], &key[j]);
    423. 

  423.                 }
    424. 

  424.                 fputs(buf, resp);
    425. 

  425.                 continue;
    426. 

  426.             }
    427. 

  427.         }
    428. 

  428. 

  429.         /* IV = ... */
    430. 

  430.         if (strncmp(buf, "IV", 2) == 0) {
    431. 

  431.             mode = NSS_DES_EDE3_CBC;
    432. 

  432.             i = 2;
    433. 

  433.             while (isspace(buf[i]) || buf[i] == '=') {
    434. 

  434.                 i++;
    435. 

  435.             }
    436. 

  436.             for (j=0; j<sizeof iv; i+=2,j++) {
    437. 

  437.                 hex_to_byteval(&buf[i], &iv[j]);
    438. 

  438.             }
    439. 

  439.             fputs(buf, resp);
    440. 

  440.             continue;
    441. 

  441.         }
    442. 

  442. 

  443.         /* PLAINTEXT = ... */
    444. 

  444.         if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    445. 

  445.             /* sanity check */
    446. 

  446.             if (crypt != ENCRYPT) {
    447. 

  447.                 goto loser;
    448. 

  448.             }
    449. 

  449.             i = 9;
    450. 

  450.             while (isspace(buf[i]) || buf[i] == '=') {
    451. 

  451.                 i++;
    452. 

  452.             }
    453. 

  453.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    454. 

  454.                 hex_to_byteval(&buf[i], &plaintext[j]);
    455. 

  455.             }
    456. 

  456.             plaintextlen = j;
    457. 

  457.             rv = tdea_encrypt_buf(mode, key,
    458. 

  458.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    459. 

  459.                             ciphertext, &ciphertextlen, sizeof ciphertext,
    460. 

  460.                             plaintext, plaintextlen);
    461. 

  461.             if (rv != SECSuccess) {
    462. 

  462.                 goto loser;
    463. 

  463.             }
    464. 

  464.     
    465. 

  465.             fputs(buf, resp);
    466. 

  466.             fputs("CIPHERTEXT = ", resp);
    467. 

  467.             to_hex_str(buf, ciphertext, ciphertextlen);
    468. 

  468.             fputs(buf, resp);
    469. 

  469.             fputc('\n', resp);
    470. 

  470.             continue;
    471. 

  471.         }
    472. 

  472.         /* CIPHERTEXT = ... */
    473. 

  473.         if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    474. 

  474.             /* sanity check */
    475. 

  475.             if (crypt != DECRYPT) {
    476. 

  476.                 goto loser;
    477. 

  477.             }
    478. 

  478.  
    479. 

  479.             i = 10;
    480. 

  480.             while (isspace(buf[i]) || buf[i] == '=') {
    481. 

  481.                 i++;
    482. 

  482.             }
    483. 

  483.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    484. 

  484.                 hex_to_byteval(&buf[i], &ciphertext[j]);
    485. 

  485.             }
    486. 

  486.             ciphertextlen = j;
    487. 

  487.  
    488. 

  488.             rv = tdea_decrypt_buf(mode, key,
    489. 

  489.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    490. 

  490.                             plaintext, &plaintextlen, sizeof plaintext,
    491. 

  491.                             ciphertext, ciphertextlen);
    492. 

  492.             if (rv != SECSuccess) {
    493. 

  493.                 goto loser;
    494. 

  494.             }
    495. 

  495.  
    496. 

  496.             fputs(buf, resp);
    497. 

  497.             fputs("PLAINTEXT = ", resp);
    498. 

  498.             to_hex_str(buf, plaintext, plaintextlen);
    499. 

  499.             fputs(buf, resp);
    500. 

  500.             fputc('\n', resp);
    501. 

  501.             continue;
    502. 

  502.         }
    503. 

  503.     }
    504. 

  504. 

  505. loser:
    506. 

  506.     fclose(req);
    507. 

  507. }
    508. 

  508. 

  509. /*
    510. 

  510. * Set the parity bit for the given byte
    511. 

  511. */
    512. 

  512. BYTE odd_parity( BYTE in)
    513. 

  513. {
    514. 

  514.     BYTE out = in;
    515. 

  515.     in ^= in >> 4;
    516. 

  516.     in ^= in >> 2;
    517. 

  517.     in ^= in >> 1;
    518. 

  518.     return (BYTE)(out ^ !(in & 1));
    519. 

  519. }
    520. 

  520. 

  521. /*
    522. 

  522.  * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] 
    523. 

  523.  * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes.
    524. 

  524.  */
    525. 

  525. void
    526. 

  526. tdea_mct_next_keys(unsigned char *key,
    527. 

  527.     const unsigned char *text_2, const unsigned char *text_1, 
    528. 

  528.     const unsigned char *text, unsigned int numKeys)
    529. 

  529. {
    530. 

  530.     int k;
    531. 

  531. 

  532.     /* key1[i+1] = key1[i] xor PT/CT[j] */
    533. 

  533.     for (k=0; k<8; k++) {
    534. 

  534.         key[k] ^= text[k];
    535. 

  535.     }
    536. 

  536.     /* key2 */
    537. 

  537.     if (numKeys == 2 || numKeys == 3)  {
    538. 

  538.         /* key2 independent */
    539. 

  539.         for (k=8; k<16; k++) {
    540. 

  540.             /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */
    541. 

  541.             key[k] ^= text_1[k-8];
    542. 

  542.         }
    543. 

  543.     } else {
    544. 

  544.         /* key2 == key 1 */
    545. 

  545.         for (k=8; k<16; k++) {
    546. 

  546.             /* key2[i+1] = KEY2[i] xor PT/CT[j] */
    547. 

  547.             key[k] = key[k-8];
    548. 

  548.         }
    549. 

  549.     }
    550. 

  550.     /* key3 */
    551. 

  551.     if (numKeys == 1 || numKeys == 2) {
    552. 

  552.         /* key3 == key 1 */
    553. 

  553.         for (k=16; k<24; k++) {
    554. 

  554.             /* key3[i+1] = KEY3[i] xor PT/CT[j] */
    555. 

  555.             key[k] = key[k-16];
    556. 

  556.         }
    557. 

  557.     } else {
    558. 

  558.         /* key3 independent */ 
    559. 

  559.         for (k=16; k<24; k++) {
    560. 

  560.             /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */
    561. 

  561.             key[k] ^= text_2[k-16];
    562. 

  562.         }
    563. 

  563.     }
    564. 

  564.     /* set the parity bits */            
    565. 

  565.     for (k=0; k<24; k++) {
    566. 

  566.         key[k] = odd_parity(key[k]);
    567. 

  567.     }
    568. 

  568. }
    569. 

  569. 

  570. /*
    571. 

  571.  * Perform the Monte Carlo Test
    572. 

  572.  *
    573. 

  573.  * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC
    574. 

  574.  * crypt = ENCRYPT || DECRYPT
    575. 

  575.  * inputtext = plaintext or Cyphertext depending on the value of crypt
    576. 

  576.  * inputlength is expected to be size 8 bytes 
    577. 

  577.  * iv = needs to be set for NSS_DES_EDE3_CBC mode
    578. 

  578.  * resp = is the output response file. 
    579. 

  579.  */
    580. 

  580.  void                                                       
    581. 

  581. tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, 
    582. 

  582.               unsigned int crypt, unsigned char* inputtext, 
    583. 

  583.               unsigned int inputlength, unsigned char* iv, FILE *resp) { 
    584. 

  584. 

  585.     int i, j;
    586. 

  586.     unsigned char outputtext_1[8];      /* PT/CT[j-1] */
    587. 

  587.     unsigned char outputtext_2[8];      /* PT/CT[j-2] */
    588. 

  588.     char buf[80];       /* holds one line from the input REQUEST file. */
    589. 

  589.     unsigned int outputlen;
    590. 

  590.     unsigned char outputtext[8];
    591. 

  591.     
    592. 

  592.         
    593. 

  593.     SECStatus rv;
    594. 

  594. 

  595.     if (mode == NSS_DES_EDE3 && iv != NULL) {
    596. 

  596.         printf("IV must be NULL for NSS_DES_EDE3 mode");
    597. 

  597.         goto loser;
    598. 

  598.     } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) {
    599. 

  599.         printf("IV must not be NULL for NSS_DES_EDE3_CBC mode");
    600. 

  600.         goto loser;
    601. 

  601.     }
    602. 

  602. 

  603.     /* loop 400 times */
    604. 

  604.     for (i=0; i<400; i++) {
    605. 

  605.         /* if i == 0 CV[0] = IV  not necessary */        
    606. 

  606.         /* record the count and key values and plainText */
    607. 

  607.         sprintf(buf, "COUNT = %d\n", i);
    608. 

  608.         fputs(buf, resp);
    609. 

  609.         /* Output KEY1[i] */
    610. 

  610.         fputs("KEY1 = ", resp);
    611. 

  611.         to_hex_str(buf, key, 8);
    612. 

  612.         fputs(buf, resp);
    613. 

  613.         fputc('\n', resp);
    614. 

  614.         /* Output KEY2[i] */
    615. 

  615.         fputs("KEY2 = ", resp);
    616. 

  616.         to_hex_str(buf, &key[8], 8);
    617. 

  617.         fputs(buf, resp);
    618. 

  618.         fputc('\n', resp);
    619. 

  619.         /* Output KEY3[i] */
    620. 

  620.         fputs("KEY3 = ", resp);
    621. 

  621.         to_hex_str(buf, &key[16], 8);
    622. 

  622.         fputs(buf, resp);
    623. 

  623.         fputc('\n', resp);
    624. 

  624.         if (mode == NSS_DES_EDE3_CBC) {
    625. 

  625.             /* Output CV[i] */
    626. 

  626.             fputs("IV = ", resp);
    627. 

  627.             to_hex_str(buf, iv, 8);
    628. 

  628.             fputs(buf, resp);
    629. 

  629.             fputc('\n', resp);
    630. 

  630.         }
    631. 

  631.         if (crypt == ENCRYPT) {
    632. 

  632.             /* Output PT[0] */
    633. 

  633.             fputs("PLAINTEXT = ", resp);
    634. 

  634.         } else {
    635. 

  635.             /* Output CT[0] */
    636. 

  636.             fputs("CIPHERTEXT = ", resp);
    637. 

  637.         }
    638. 

  638. 

  639.         to_hex_str(buf, inputtext, inputlength);
    640. 

  640.         fputs(buf, resp);
    641. 

  641.         fputc('\n', resp);
    642. 

  642. 

  643.         /* loop 10,000 times */
    644. 

  644.         for (j=0; j<10000; j++) {
    645. 

  645. 

  646.             outputlen = 0;
    647. 

  647.             if (crypt == ENCRYPT) {
    648. 

  648.                 /* inputtext == ciphertext outputtext == plaintext*/
    649. 

  649.                 rv = tdea_encrypt_buf(mode, key,
    650. 

  650.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    651. 

  651.                             outputtext, &outputlen, 8,
    652. 

  652.                             inputtext, 8);
    653. 

  653.             } else {
    654. 

  654.                 /* inputtext == plaintext outputtext == ciphertext */
    655. 

  655.                 rv = tdea_decrypt_buf(mode, key,
    656. 

  656.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    657. 

  657.                             outputtext, &outputlen, 8,
    658. 

  658.                             inputtext, 8);
    659. 

  659.             }
    660. 

  660. 

  661.             if (rv != SECSuccess) {
    662. 

  662.                 goto loser;
    663. 

  663.             }
    664. 

  664.             if (outputlen != inputlength) {
    665. 

  665.                 goto loser;
    666. 

  666.             }
    667. 

  667. 

  668.             if (mode == NSS_DES_EDE3_CBC) {
    669. 

  669.                 if (crypt == ENCRYPT) {
    670. 

  670.                     if (j == 0) {
    671. 

  671.                         /*P[j+1] = CV[0] */
    672. 

  672.                         memcpy(inputtext, iv, 8);
    673. 

  673.                     } else {
    674. 

  674.                         /* p[j+1] = C[j-1] */
    675. 

  675.                         memcpy(inputtext, outputtext_1, 8);
    676. 

  676.                     }
    677. 

  677.                     /* CV[j+1] = C[j] */
    678. 

  678.                     memcpy(iv, outputtext, 8);
    679. 

  679.                     if (j != 9999) {
    680. 

  680.                         /* save C[j-1] */
    681. 

  681.                         memcpy(outputtext_1, outputtext, 8);
    682. 

  682.                     }
    683. 

  683.                 } else { /* DECRYPT */
    684. 

  684.                     /* CV[j+1] = C[j] */
    685. 

  685.                     memcpy(iv, inputtext, 8);
    686. 

  686.                     /* C[j+1] = P[j] */
    687. 

  687.                     memcpy(inputtext, outputtext, 8);
    688. 

  688.                 }
    689. 

  689.             } else {
    690. 

  690.                 /* ECB mode PT/CT[j+1] = CT/PT[j] */
    691. 

  691.                 memcpy(inputtext, outputtext, 8);
    692. 

  692.             }
    693. 

  693. 

  694.             /* Save PT/CT[j-2] and PT/CT[j-1] */
    695. 

  695.             if (j==9997) memcpy(outputtext_2, outputtext, 8);
    696. 

  696.             if (j==9998) memcpy(outputtext_1, outputtext, 8);
    697. 

  697.             /* done at the end of the for(j) loop */
    698. 

  698.         }
    699. 

  699. 

  700. 

  701.         if (crypt == ENCRYPT) {
    702. 

  702.             /* Output CT[j] */
    703. 

  703.             fputs("CIPHERTEXT = ", resp);
    704. 

  704.         } else {
    705. 

  705.             /* Output PT[j] */
    706. 

  706.             fputs("PLAINTEXT = ", resp);
    707. 

  707.         }
    708. 

  708.         to_hex_str(buf, outputtext, 8);
    709. 

  709.         fputs(buf, resp);
    710. 

  710.         fputc('\n', resp);
    711. 

  711. 

  712.         /* Key[i+1] = Key[i] xor ...  outputtext_2 == PT/CT[j-2] 
    713. 

  713.          *  outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] 
    714. 

  714.          */
    715. 

  715.         tdea_mct_next_keys(key, outputtext_2, 
    716. 

  716.                            outputtext_1, outputtext, numKeys);
    717. 

  717. 

  718.         if (mode == NSS_DES_EDE3_CBC) {
    719. 

  719.             /* taken care of in the j=9999 iteration */
    720. 

  720.             if (crypt == ENCRYPT) {
    721. 

  721.                 /* P[i] = C[j-1] */
    722. 

  722.                 /* CV[i] = C[j] */
    723. 

  723.             } else {
    724. 

  724.                 /* taken care of in the j=9999 iteration */
    725. 

  725.                 /* CV[i] = C[j] */
    726. 

  726.                 /* C[i] = P[j]  */
    727. 

  727.             }
    728. 

  728.         } else {
    729. 

  729.             /* ECB PT/CT[i] = PT/CT[j]  */
    730. 

  730.             memcpy(inputtext, outputtext, 8);
    731. 

  731.         }
    732. 

  732.         /* done at the end of the for(i) loop */
    733. 

  733.         fputc('\n', resp);
    734. 

  734.     }
    735. 

  735. 

  736. loser:
    737. 

  737.     return;
    738. 

  738. }
    739. 

  739. 

  740. /*
    741. 

  741.  * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes.
    742. 

  742.  * by gathering the input from the request file, and then 
    743. 

  743.  * calling tdea_mct_test.
    744. 

  744.  *
    745. 

  745.  * reqfn is the pathname of the input REQUEST file.
    746. 

  746.  *
    747. 

  747.  * The output RESPONSE file is written to stdout.
    748. 

  748.  */
    749. 

  749. void
    750. 

  750. tdea_mct(int mode, char *reqfn)
    751. 

  751. {
    752. 

  752.     int i, j;
    753. 

  753.     char buf[80];    /* holds one line from the input REQUEST file. */
    754. 

  754.     FILE *req;       /* input stream from the REQUEST file */
    755. 

  755.     FILE *resp;      /* output stream to the RESPONSE file */
    756. 

  756.     unsigned int crypt = 0;    /* 1 means encrypt, 0 means decrypt */
    757. 

  757.     unsigned char key[24];              /* TDEA 3 key bundle */
    758. 

  758.     unsigned int numKeys = 0;
    759. 

  759.     unsigned char plaintext[8];        /* PT[j] */
    760. 

  760.     unsigned char ciphertext[8];       /* CT[j] */
    761. 

  761.     unsigned char iv[8];
    762. 

  762. 

  763.     /* zeroize the variables for the test with this data set */
    764. 

  764.     memset(key, 0, sizeof key);
    765. 

  765.     memset(plaintext, 0, sizeof plaintext);
    766. 

  766.     memset(ciphertext, 0, sizeof ciphertext);
    767. 

  767.     memset(iv, 0, sizeof iv);
    768. 

  768. 

  769.     req = fopen(reqfn, "r");
    770. 

  770.     resp = stdout;
    771. 

  771.     while (fgets(buf, sizeof buf, req) != NULL) {
    772. 

  772.         /* a comment or blank line */
    773. 

  773.         if (buf[0] == '#' || buf[0] == '\n') {
    774. 

  774.             fputs(buf, resp);
    775. 

  775.             continue;
    776. 

  776.         }
    777. 

  777.         /* [ENCRYPT] or [DECRYPT] */
    778. 

  778.         if (buf[0] == '[') {
    779. 

  779.             if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    780. 

  780.                 crypt = ENCRYPT;
    781. 

  781.             } else {
    782. 

  782.                 crypt = DECRYPT;
    783. 

  783.            }
    784. 

  784.            fputs(buf, resp);
    785. 

  785.            continue;
    786. 

  786.         }
    787. 

  787.         /* NumKeys */
    788. 

  788.         if (strncmp(&buf[0], "NumKeys", 7) == 0) {
    789. 

  789.             i = 7;
    790. 

  790.             while (isspace(buf[i]) || buf[i] == '=') {
    791. 

  791.                 i++;
    792. 

  792.             }
    793. 

  793.             numKeys = atoi(&buf[i]);
    794. 

  794.             continue;
    795. 

  795.         }
    796. 

  796.         /* KEY1 = ... */
    797. 

  797.         if (strncmp(buf, "KEY1", 4) == 0) {
    798. 

  798.             i = 4;
    799. 

  799.             while (isspace(buf[i]) || buf[i] == '=') {
    800. 

  800.                 i++;
    801. 

  801.             }
    802. 

  802.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    803. 

  803.                 hex_to_byteval(&buf[i], &key[j]);
    804. 

  804.             }
    805. 

  805.             continue;
    806. 

  806.         }
    807. 

  807.         /* KEY2 = ... */
    808. 

  808.         if (strncmp(buf, "KEY2", 4) == 0) {
    809. 

  809.             i = 4;
    810. 

  810.             while (isspace(buf[i]) || buf[i] == '=') {
    811. 

  811.                 i++;
    812. 

  812.             }
    813. 

  813.             for (j=8; isxdigit(buf[i]); i+=2,j++) {
    814. 

  814.                 hex_to_byteval(&buf[i], &key[j]);
    815. 

  815.             }
    816. 

  816.             continue;
    817. 

  817.         }
    818. 

  818.         /* KEY3 = ... */
    819. 

  819.         if (strncmp(buf, "KEY3", 4) == 0) {
    820. 

  820.             i = 4;
    821. 

  821.             while (isspace(buf[i]) || buf[i] == '=') {
    822. 

  822.                 i++;
    823. 

  823.             }
    824. 

  824.             for (j=16; isxdigit(buf[i]); i+=2,j++) {
    825. 

  825.                 hex_to_byteval(&buf[i], &key[j]);
    826. 

  826.             }
    827. 

  827.             continue;
    828. 

  828.         }
    829. 

  829. 

  830.         /* IV = ... */
    831. 

  831.         if (strncmp(buf, "IV", 2) == 0) {
    832. 

  832.             i = 2;
    833. 

  833.             while (isspace(buf[i]) || buf[i] == '=') {
    834. 

  834.                 i++;
    835. 

  835.             }
    836. 

  836.             for (j=0; j<sizeof iv; i+=2,j++) {
    837. 

  837.                 hex_to_byteval(&buf[i], &iv[j]);
    838. 

  838.             }
    839. 

  839.             continue;
    840. 

  840.         }
    841. 

  841. 

  842.        /* PLAINTEXT = ... */
    843. 

  843.        if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    844. 

  844. 

  845.             /* sanity check */
    846. 

  846.             if (crypt != ENCRYPT) {
    847. 

  847.                 goto loser;
    848. 

  848.             }
    849. 

  849.             /* PT[0] = PT */
    850. 

  850.             i = 9;
    851. 

  851.             while (isspace(buf[i]) || buf[i] == '=') {
    852. 

  852.                 i++;
    853. 

  853.             }
    854. 

  854.             for (j=0; j<sizeof plaintext; i+=2,j++) {
    855. 

  855.                 hex_to_byteval(&buf[i], &plaintext[j]);
    856. 

  856.             }                                     
    857. 

  857. 

  858.             /* do the Monte Carlo test */
    859. 

  859.             if (mode==NSS_DES_EDE3) {
    860. 

  860.                 tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp);
    861. 

  861.             } else {
    862. 

  862.                 tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp);
    863. 

  863.             }
    864. 

  864.             continue;
    865. 

  865.         }
    866. 

  866.         /* CIPHERTEXT = ... */
    867. 

  867.         if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    868. 

  868.             /* sanity check */
    869. 

  869.             if (crypt != DECRYPT) {
    870. 

  870.                 goto loser;
    871. 

  871.             }
    872. 

  872.             /* CT[0] = CT */
    873. 

  873.             i = 10;
    874. 

  874.             while (isspace(buf[i]) || buf[i] == '=') {
    875. 

  875.                 i++;
    876. 

  876.             }
    877. 

  877.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    878. 

  878.                 hex_to_byteval(&buf[i], &ciphertext[j]);
    879. 

  879.             }
    880. 

  880.             
    881. 

  881.             /* do the Monte Carlo test */
    882. 

  882.             if (mode==NSS_DES_EDE3) {
    883. 

  883.                 tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); 
    884. 

  884.             } else {
    885. 

  885.                 tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); 
    886. 

  886.             }
    887. 

  887.             continue;
    888. 

  888.         }
    889. 

  889.     }
    890. 

  890. 

  891. loser:
    892. 

  892.     fclose(req);
    893. 

  893. }
    894. 

  894. 

  895. 

  896. SECStatus
    897. 

  897. aes_encrypt_buf(
    898. 

  898.     int mode,
    899. 

  899.     const unsigned char *key, unsigned int keysize,
    900. 

  900.     const unsigned char *iv,
    901. 

  901.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    902. 

  902.     const unsigned char *input, unsigned int inputlen)
    903. 

  903. {
    904. 

  904.     SECStatus rv = SECFailure;
    905. 

  905.     AESContext *cx;
    906. 

  906.     unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
    907. 

  907.     unsigned int doublechecklen = 0;
    908. 

  908. 

  909.     cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
    910. 

  910.     if (cx == NULL) {
    911. 

  911. 	goto loser;
    912. 

  912.     }
    913. 

  913.     rv = AES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
    914. 

  914.     if (rv != SECSuccess) {
    915. 

  915. 	goto loser;
    916. 

  916.     }
    917. 

  917.     if (*outputlen != inputlen) {
    918. 

  918. 	goto loser;
    919. 

  919.     }
    920. 

  920.     AES_DestroyContext(cx, PR_TRUE);
    921. 

  921.     cx = NULL;
    922. 

  922. 

  923.     /*
    924. 

  924.      * Doublecheck our result by decrypting the ciphertext and
    925. 

  925.      * compare the output with the input plaintext.
    926. 

  926.      */
    927. 

  927.     cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
    928. 

  928.     if (cx == NULL) {
    929. 

  929. 	goto loser;
    930. 

  930.     }
    931. 

  931.     rv = AES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    932. 

  932. 	output, *outputlen);
    933. 

  933.     if (rv != SECSuccess) {
    934. 

  934. 	goto loser;
    935. 

  935.     }
    936. 

  936.     if (doublechecklen != *outputlen) {
    937. 

  937. 	goto loser;
    938. 

  938.     }
    939. 

  939.     AES_DestroyContext(cx, PR_TRUE);
    940. 

  940.     cx = NULL;
    941. 

  941.     if (memcmp(doublecheck, input, inputlen) != 0) {
    942. 

  942. 	goto loser;
    943. 

  943.     }
    944. 

  944.     rv = SECSuccess;
    945. 

  945. 

  946. loser:
    947. 

  947.     if (cx != NULL) {
    948. 

  948. 	AES_DestroyContext(cx, PR_TRUE);
    949. 

  949.     }
    950. 

  950.     return rv;
    951. 

  951. }
    952. 

  952. 

  953. SECStatus
    954. 

  954. aes_decrypt_buf(
    955. 

  955.     int mode,
    956. 

  956.     const unsigned char *key, unsigned int keysize,
    957. 

  957.     const unsigned char *iv,
    958. 

  958.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    959. 

  959.     const unsigned char *input, unsigned int inputlen)
    960. 

  960. {
    961. 

  961.     SECStatus rv = SECFailure;
    962. 

  962.     AESContext *cx;
    963. 

  963.     unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
    964. 

  964.     unsigned int doublechecklen = 0;
    965. 

  965. 

  966.     cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
    967. 

  967.     if (cx == NULL) {
    968. 

  968. 	goto loser;
    969. 

  969.     }
    970. 

  970.     rv = AES_Decrypt(cx, output, outputlen, maxoutputlen,
    971. 

  971. 	input, inputlen);
    972. 

  972.     if (rv != SECSuccess) {
    973. 

  973. 	goto loser;
    974. 

  974.     }
    975. 

  975.     if (*outputlen != inputlen) {
    976. 

  976. 	goto loser;
    977. 

  977.     }
    978. 

  978.     AES_DestroyContext(cx, PR_TRUE);
    979. 

  979.     cx = NULL;
    980. 

  980. 

  981.     /*
    982. 

  982.      * Doublecheck our result by encrypting the plaintext and
    983. 

  983.      * compare the output with the input ciphertext.
    984. 

  984.      */
    985. 

  985.     cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
    986. 

  986.     if (cx == NULL) {
    987. 

  987. 	goto loser;
    988. 

  988.     }
    989. 

  989.     rv = AES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    990. 

  990. 	output, *outputlen);
    991. 

  991.     if (rv != SECSuccess) {
    992. 

  992. 	goto loser;
    993. 

  993.     }
    994. 

  994.     if (doublechecklen != *outputlen) {
    995. 

  995. 	goto loser;
    996. 

  996.     }
    997. 

  997.     AES_DestroyContext(cx, PR_TRUE);
    998. 

  998.     cx = NULL;
    999. 

  999.     if (memcmp(doublecheck, input, inputlen) != 0) {
    1000. 

  1000. 	goto loser;
    1001. 

  1001.     }
    1002. 

  1002.     rv = SECSuccess;
    1003. 

  1003. 

  1004. loser:
    1005. 

  1005.     if (cx != NULL) {
    1006. 

  1006. 	AES_DestroyContext(cx, PR_TRUE);
    1007. 

  1007.     }
    1008. 

  1008.     return rv;
    1009. 

  1009. }
    1010. 

  1010. 

  1011. /*
    1012. 

  1012.  * Perform the AES Known Answer Test (KAT) or Multi-block Message
    1013. 

  1013.  * Test (MMT) in ECB or CBC mode.  The KAT (there are four types)
    1014. 

  1014.  * and MMT have the same structure: given the key and IV (CBC mode
    1015. 

  1015.  * only), encrypt the given plaintext or decrypt the given ciphertext.
    1016. 

  1016.  * So we can handle them the same way.
    1017. 

  1017.  *
    1018. 

  1018.  * reqfn is the pathname of the REQUEST file.
    1019. 

  1019.  *
    1020. 

  1020.  * The output RESPONSE file is written to stdout.
    1021. 

  1021.  */
    1022. 

  1022. void
    1023. 

  1023. aes_kat_mmt(char *reqfn)
    1024. 

  1024. {
    1025. 

  1025.     char buf[512];      /* holds one line from the input REQUEST file.
    1026. 

  1026.                          * needs to be large enough to hold the longest
    1027. 

  1027.                          * line "CIPHERTEXT = <320 hex digits>\n".
    1028. 

  1028.                          */
    1029. 

  1029.     FILE *aesreq;       /* input stream from the REQUEST file */
    1030. 

  1030.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1031. 

  1031.     int i, j;
    1032. 

  1032.     int mode;           /* NSS_AES (ECB) or NSS_AES_CBC */
    1033. 

  1033.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1034. 

  1034.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1035. 

  1035.     unsigned int keysize;
    1036. 

  1036.     unsigned char iv[16];		/* for all modes except ECB */
    1037. 

  1037.     unsigned char plaintext[10*16];     /* 1 to 10 blocks */
    1038. 

  1038.     unsigned int plaintextlen;
    1039. 

  1039.     unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
    1040. 

  1040.     unsigned int ciphertextlen;
    1041. 

  1041.     SECStatus rv;
    1042. 

  1042. 

  1043.     aesreq = fopen(reqfn, "r");
    1044. 

  1044.     aesresp = stdout;
    1045. 

  1045.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1046. 

  1046. 	/* a comment or blank line */
    1047. 

  1047. 	if (buf[0] == '#' || buf[0] == '\n') {
    1048. 

  1048. 	    fputs(buf, aesresp);
    1049. 

  1049. 	    continue;
    1050. 

  1050. 	}
    1051. 

  1051. 	/* [ENCRYPT] or [DECRYPT] */
    1052. 

  1052. 	if (buf[0] == '[') {
    1053. 

  1053. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1054. 

  1054. 		encrypt = 1;
    1055. 

  1055. 	    } else {
    1056. 

  1056. 		encrypt = 0;
    1057. 

  1057. 	    }
    1058. 

  1058. 	    fputs(buf, aesresp);
    1059. 

  1059. 	    continue;
    1060. 

  1060. 	}
    1061. 

  1061. 	/* "COUNT = x" begins a new data set */
    1062. 

  1062. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1063. 

  1063. 	    mode = NSS_AES;
    1064. 

  1064. 	    /* zeroize the variables for the test with this data set */
    1065. 

  1065. 	    memset(key, 0, sizeof key);
    1066. 

  1066. 	    keysize = 0;
    1067. 

  1067. 	    memset(iv, 0, sizeof iv);
    1068. 

  1068. 	    memset(plaintext, 0, sizeof plaintext);
    1069. 

  1069. 	    plaintextlen = 0;
    1070. 

  1070. 	    memset(ciphertext, 0, sizeof ciphertext);
    1071. 

  1071. 	    ciphertextlen = 0;
    1072. 

  1072. 	    fputs(buf, aesresp);
    1073. 

  1073. 	    continue;
    1074. 

  1074. 	}
    1075. 

  1075. 	/* KEY = ... */
    1076. 

  1076. 	if (strncmp(buf, "KEY", 3) == 0) {
    1077. 

  1077. 	    i = 3;
    1078. 

  1078. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1079. 

  1079. 		i++;
    1080. 

  1080. 	    }
    1081. 

  1081. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1082. 

  1082. 		hex_to_byteval(&buf[i], &key[j]);
    1083. 

  1083. 	    }
    1084. 

  1084. 	    keysize = j;
    1085. 

  1085. 	    fputs(buf, aesresp);
    1086. 

  1086. 	    continue;
    1087. 

  1087. 	}
    1088. 

  1088. 	/* IV = ... */
    1089. 

  1089. 	if (strncmp(buf, "IV", 2) == 0) {
    1090. 

  1090. 	    mode = NSS_AES_CBC;
    1091. 

  1091. 	    i = 2;
    1092. 

  1092. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1093. 

  1093. 		i++;
    1094. 

  1094. 	    }
    1095. 

  1095. 	    for (j=0; j<sizeof iv; i+=2,j++) {
    1096. 

  1096. 		hex_to_byteval(&buf[i], &iv[j]);
    1097. 

  1097. 	    }
    1098. 

  1098. 	    fputs(buf, aesresp);
    1099. 

  1099. 	    continue;
    1100. 

  1100. 	}
    1101. 

  1101. 	/* PLAINTEXT = ... */
    1102. 

  1102. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1103. 

  1103. 	    /* sanity check */
    1104. 

  1104. 	    if (!encrypt) {
    1105. 

  1105. 		goto loser;
    1106. 

  1106. 	    }
    1107. 

  1107. 

  1108. 	    i = 9;
    1109. 

  1109. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1110. 

  1110. 		i++;
    1111. 

  1111. 	    }
    1112. 

  1112. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1113. 

  1113. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1114. 

  1114. 	    }
    1115. 

  1115. 	    plaintextlen = j;
    1116. 

  1116. 

  1117. 	    rv = aes_encrypt_buf(mode, key, keysize,
    1118. 

  1118. 		(mode == NSS_AES) ? NULL : iv,
    1119. 

  1119. 		ciphertext, &ciphertextlen, sizeof ciphertext,
    1120. 

  1120. 		plaintext, plaintextlen);
    1121. 

  1121. 	    if (rv != SECSuccess) {
    1122. 

  1122. 		goto loser;
    1123. 

  1123. 	    }
    1124. 

  1124. 

  1125. 	    fputs(buf, aesresp);
    1126. 

  1126. 	    fputs("CIPHERTEXT = ", aesresp);
    1127. 

  1127. 	    to_hex_str(buf, ciphertext, ciphertextlen);
    1128. 

  1128. 	    fputs(buf, aesresp);
    1129. 

  1129. 	    fputc('\n', aesresp);
    1130. 

  1130. 	    continue;
    1131. 

  1131. 	}
    1132. 

  1132. 	/* CIPHERTEXT = ... */
    1133. 

  1133. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1134. 

  1134. 	    /* sanity check */
    1135. 

  1135. 	    if (encrypt) {
    1136. 

  1136. 		goto loser;
    1137. 

  1137. 	    }
    1138. 

  1138. 

  1139. 	    i = 10;
    1140. 

  1140. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1141. 

  1141. 		i++;
    1142. 

  1142. 	    }
    1143. 

  1143. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1144. 

  1144. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1145. 

  1145. 	    }
    1146. 

  1146. 	    ciphertextlen = j;
    1147. 

  1147. 

  1148. 	    rv = aes_decrypt_buf(mode, key, keysize,
    1149. 

  1149. 		(mode == NSS_AES) ? NULL : iv,
    1150. 

  1150. 		plaintext, &plaintextlen, sizeof plaintext,
    1151. 

  1151. 		ciphertext, ciphertextlen);
    1152. 

  1152. 	    if (rv != SECSuccess) {
    1153. 

  1153. 		goto loser;
    1154. 

  1154. 	    }
    1155. 

  1155. 

  1156. 	    fputs(buf, aesresp);
    1157. 

  1157. 	    fputs("PLAINTEXT = ", aesresp);
    1158. 

  1158. 	    to_hex_str(buf, plaintext, plaintextlen);
    1159. 

  1159. 	    fputs(buf, aesresp);
    1160. 

  1160. 	    fputc('\n', aesresp);
    1161. 

  1161. 	    continue;
    1162. 

  1162. 	}
    1163. 

  1163.     }
    1164. 

  1164. loser:
    1165. 

  1165.     fclose(aesreq);
    1166. 

  1166. }
    1167. 

  1167. 

  1168. /*
    1169. 

  1169.  * Generate Key[i+1] from Key[i], CT[j-1], and CT[j] for AES Monte Carlo
    1170. 

  1170.  * Test (MCT) in ECB and CBC modes.
    1171. 

  1171.  */
    1172. 

  1172. void
    1173. 

  1173. aes_mct_next_key(unsigned char *key, unsigned int keysize,
    1174. 

  1174.     const unsigned char *ciphertext_1, const unsigned char *ciphertext)
    1175. 

  1175. {
    1176. 

  1176.     int k;
    1177. 

  1177. 

  1178.     switch (keysize) {
    1179. 

  1179.     case 16:  /* 128-bit key */
    1180. 

  1180. 	/* Key[i+1] = Key[i] xor CT[j] */
    1181. 

  1181. 	for (k=0; k<16; k++) {
    1182. 

  1182. 	    key[k] ^= ciphertext[k];
    1183. 

  1183. 	}
    1184. 

  1184. 	break;
    1185. 

  1185.     case 24:  /* 192-bit key */
    1186. 

  1186. 	/*
    1187. 

  1187. 	 * Key[i+1] = Key[i] xor (last 64-bits of
    1188. 

  1188. 	 *            CT[j-1] || CT[j])
    1189. 

  1189. 	 */
    1190. 

  1190. 	for (k=0; k<8; k++) {
    1191. 

  1191. 	    key[k] ^= ciphertext_1[k+8];
    1192. 

  1192. 	}
    1193. 

  1193. 	for (k=8; k<24; k++) {
    1194. 

  1194. 	    key[k] ^= ciphertext[k-8];
    1195. 

  1195. 	}
    1196. 

  1196. 	break;
    1197. 

  1197.     case 32:  /* 256-bit key */
    1198. 

  1198. 	/* Key[i+1] = Key[i] xor (CT[j-1] || CT[j]) */
    1199. 

  1199. 	for (k=0; k<16; k++) {
    1200. 

  1200. 	    key[k] ^= ciphertext_1[k];
    1201. 

  1201. 	}
    1202. 

  1202. 	for (k=16; k<32; k++) {
    1203. 

  1203. 	    key[k] ^= ciphertext[k-16];
    1204. 

  1204. 	}
    1205. 

  1205. 	break;
    1206. 

  1206.     }
    1207. 

  1207. }
    1208. 

  1208. 

  1209. /*
    1210. 

  1210.  * Perform the AES Monte Carlo Test (MCT) in ECB mode.  MCT exercises
    1211. 

  1211.  * our AES code in streaming mode because the plaintext or ciphertext
    1212. 

  1212.  * is generated block by block as we go, so we can't collect all the
    1213. 

  1213.  * plaintext or ciphertext in one buffer and encrypt or decrypt it in
    1214. 

  1214.  * one shot.
    1215. 

  1215.  *
    1216. 

  1216.  * reqfn is the pathname of the input REQUEST file.
    1217. 

  1217.  *
    1218. 

  1218.  * The output RESPONSE file is written to stdout.
    1219. 

  1219.  */
    1220. 

  1220. void
    1221. 

  1221. aes_ecb_mct(char *reqfn)
    1222. 

  1222. {
    1223. 

  1223.     char buf[80];       /* holds one line from the input REQUEST file.
    1224. 

  1224.                          * needs to be large enough to hold the longest
    1225. 

  1225.                          * line "KEY = <64 hex digits>\n".
    1226. 

  1226.                          */
    1227. 

  1227.     FILE *aesreq;       /* input stream from the REQUEST file */
    1228. 

  1228.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1229. 

  1229.     int i, j;
    1230. 

  1230.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1231. 

  1231.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1232. 

  1232.     unsigned int keysize;
    1233. 

  1233.     unsigned char plaintext[16];        /* PT[j] */
    1234. 

  1234.     unsigned char plaintext_1[16];      /* PT[j-1] */
    1235. 

  1235.     unsigned char ciphertext[16];       /* CT[j] */
    1236. 

  1236.     unsigned char ciphertext_1[16];     /* CT[j-1] */
    1237. 

  1237.     unsigned char doublecheck[16];
    1238. 

  1238.     unsigned int outputlen;
    1239. 

  1239.     AESContext *cx = NULL;	/* the operation being tested */
    1240. 

  1240.     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
    1241. 

  1241.                                  * to doublecheck our result.
    1242. 

  1242.                                  */
    1243. 

  1243.     SECStatus rv;
    1244. 

  1244. 

  1245.     aesreq = fopen(reqfn, "r");
    1246. 

  1246.     aesresp = stdout;
    1247. 

  1247.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1248. 

  1248. 	/* a comment or blank line */
    1249. 

  1249. 	if (buf[0] == '#' || buf[0] == '\n') {
    1250. 

  1250. 	    fputs(buf, aesresp);
    1251. 

  1251. 	    continue;
    1252. 

  1252. 	}
    1253. 

  1253. 	/* [ENCRYPT] or [DECRYPT] */
    1254. 

  1254. 	if (buf[0] == '[') {
    1255. 

  1255. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1256. 

  1256. 		encrypt = 1;
    1257. 

  1257. 	    } else {
    1258. 

  1258. 		encrypt = 0;
    1259. 

  1259. 	    }
    1260. 

  1260. 	    fputs(buf, aesresp);
    1261. 

  1261. 	    continue;
    1262. 

  1262. 	}
    1263. 

  1263. 	/* "COUNT = x" begins a new data set */
    1264. 

  1264. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1265. 

  1265. 	    /* zeroize the variables for the test with this data set */
    1266. 

  1266. 	    memset(key, 0, sizeof key);
    1267. 

  1267. 	    keysize = 0;
    1268. 

  1268. 	    memset(plaintext, 0, sizeof plaintext);
    1269. 

  1269. 	    memset(ciphertext, 0, sizeof ciphertext);
    1270. 

  1270. 	    continue;
    1271. 

  1271. 	}
    1272. 

  1272. 	/* KEY = ... */
    1273. 

  1273. 	if (strncmp(buf, "KEY", 3) == 0) {
    1274. 

  1274. 	    /* Key[0] = Key */
    1275. 

  1275. 	    i = 3;
    1276. 

  1276. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1277. 

  1277. 		i++;
    1278. 

  1278. 	    }
    1279. 

  1279. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1280. 

  1280. 		hex_to_byteval(&buf[i], &key[j]);
    1281. 

  1281. 	    }
    1282. 

  1282. 	    keysize = j;
    1283. 

  1283. 	    continue;
    1284. 

  1284. 	}
    1285. 

  1285. 	/* PLAINTEXT = ... */
    1286. 

  1286. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1287. 

  1287. 	    /* sanity check */
    1288. 

  1288. 	    if (!encrypt) {
    1289. 

  1289. 		goto loser;
    1290. 

  1290. 	    }
    1291. 

  1291. 	    /* PT[0] = PT */
    1292. 

  1292. 	    i = 9;
    1293. 

  1293. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1294. 

  1294. 		i++;
    1295. 

  1295. 	    }
    1296. 

  1296. 	    for (j=0; j<sizeof plaintext; i+=2,j++) {
    1297. 

  1297. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1298. 

  1298. 	    }
    1299. 

  1299. 

  1300. 	    for (i=0; i<100; i++) {
    1301. 

  1301. 		sprintf(buf, "COUNT = %d\n", i);
    1302. 

  1302. 	        fputs(buf, aesresp);
    1303. 

  1303. 		/* Output Key[i] */
    1304. 

  1304. 		fputs("KEY = ", aesresp);
    1305. 

  1305. 		to_hex_str(buf, key, keysize);
    1306. 

  1306. 		fputs(buf, aesresp);
    1307. 

  1307. 		fputc('\n', aesresp);
    1308. 

  1308. 		/* Output PT[0] */
    1309. 

  1309. 		fputs("PLAINTEXT = ", aesresp);
    1310. 

  1310. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1311. 

  1311. 		fputs(buf, aesresp);
    1312. 

  1312. 		fputc('\n', aesresp);
    1313. 

  1313. 

  1314. 		cx = AES_CreateContext(key, NULL, NSS_AES,
    1315. 

  1315. 		    PR_TRUE, keysize, 16);
    1316. 

  1316. 		if (cx == NULL) {
    1317. 

  1317. 		    goto loser;
    1318. 

  1318. 		}
    1319. 

  1319. 		/*
    1320. 

  1320. 		 * doublecheck our result by decrypting the result
    1321. 

  1321. 		 * and comparing the output with the plaintext.
    1322. 

  1322. 		 */
    1323. 

  1323. 		cx2 = AES_CreateContext(key, NULL, NSS_AES,
    1324. 

  1324. 		    PR_FALSE, keysize, 16);
    1325. 

  1325. 		if (cx2 == NULL) {
    1326. 

  1326. 		    goto loser;
    1327. 

  1327. 		}
    1328. 

  1328. 		for (j=0; j<1000; j++) {
    1329. 

  1329. 		    /* Save CT[j-1] */
    1330. 

  1330. 		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
    1331. 

  1331. 

  1332. 		    /* CT[j] = AES(Key[i], PT[j]) */
    1333. 

  1333. 		    outputlen = 0;
    1334. 

  1334. 		    rv = AES_Encrypt(cx,
    1335. 

  1335. 			ciphertext, &outputlen, sizeof ciphertext,
    1336. 

  1336. 			plaintext, sizeof plaintext);
    1337. 

  1337. 		    if (rv != SECSuccess) {
    1338. 

  1338. 			goto loser;
    1339. 

  1339. 		    }
    1340. 

  1340. 		    if (outputlen != sizeof plaintext) {
    1341. 

  1341. 			goto loser;
    1342. 

  1342. 		    }
    1343. 

  1343. 

  1344. 		    /* doublecheck our result */
    1345. 

  1345. 		    outputlen = 0;
    1346. 

  1346. 		    rv = AES_Decrypt(cx2,
    1347. 

  1347. 			doublecheck, &outputlen, sizeof doublecheck,
    1348. 

  1348. 			ciphertext, sizeof ciphertext);
    1349. 

  1349. 		    if (rv != SECSuccess) {
    1350. 

  1350. 			goto loser;
    1351. 

  1351. 		    }
    1352. 

  1352. 		    if (outputlen != sizeof ciphertext) {
    1353. 

  1353. 			goto loser;
    1354. 

  1354. 		    }
    1355. 

  1355. 		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
    1356. 

  1356. 			goto loser;
    1357. 

  1357. 		    }
    1358. 

  1358. 

  1359. 		    /* PT[j+1] = CT[j] */
    1360. 

  1360. 		    memcpy(plaintext, ciphertext, sizeof plaintext);
    1361. 

  1361. 		}
    1362. 

  1362. 		AES_DestroyContext(cx, PR_TRUE);
    1363. 

  1363. 		cx = NULL;
    1364. 

  1364. 		AES_DestroyContext(cx2, PR_TRUE);
    1365. 

  1365. 		cx2 = NULL;
    1366. 

  1366. 

  1367. 		/* Output CT[j] */
    1368. 

  1368. 		fputs("CIPHERTEXT = ", aesresp);
    1369. 

  1369. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1370. 

  1370. 		fputs(buf, aesresp);
    1371. 

  1371. 		fputc('\n', aesresp);
    1372. 

  1372. 

  1373. 		/* Key[i+1] = Key[i] xor ... */
    1374. 

  1374. 		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
    1375. 

  1375. 		/* PT[0] = CT[j] */
    1376. 

  1376. 		/* done at the end of the for(j) loop */
    1377. 

  1377. 

  1378. 		fputc('\n', aesresp);
    1379. 

  1379. 	    }
    1380. 

  1380. 

  1381. 	    continue;
    1382. 

  1382. 	}
    1383. 

  1383. 	/* CIPHERTEXT = ... */
    1384. 

  1384. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1385. 

  1385. 	    /* sanity check */
    1386. 

  1386. 	    if (encrypt) {
    1387. 

  1387. 		goto loser;
    1388. 

  1388. 	    }
    1389. 

  1389. 	    /* CT[0] = CT */
    1390. 

  1390. 	    i = 10;
    1391. 

  1391. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1392. 

  1392. 		i++;
    1393. 

  1393. 	    }
    1394. 

  1394. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1395. 

  1395. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1396. 

  1396. 	    }
    1397. 

  1397. 

  1398. 	    for (i=0; i<100; i++) {
    1399. 

  1399. 		sprintf(buf, "COUNT = %d\n", i);
    1400. 

  1400. 	        fputs(buf, aesresp);
    1401. 

  1401. 		/* Output Key[i] */
    1402. 

  1402. 		fputs("KEY = ", aesresp);
    1403. 

  1403. 		to_hex_str(buf, key, keysize);
    1404. 

  1404. 		fputs(buf, aesresp);
    1405. 

  1405. 		fputc('\n', aesresp);
    1406. 

  1406. 		/* Output CT[0] */
    1407. 

  1407. 		fputs("CIPHERTEXT = ", aesresp);
    1408. 

  1408. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1409. 

  1409. 		fputs(buf, aesresp);
    1410. 

  1410. 		fputc('\n', aesresp);
    1411. 

  1411. 

  1412. 		cx = AES_CreateContext(key, NULL, NSS_AES,
    1413. 

  1413. 		    PR_FALSE, keysize, 16);
    1414. 

  1414. 		if (cx == NULL) {
    1415. 

  1415. 		    goto loser;
    1416. 

  1416. 		}
    1417. 

  1417. 		/*
    1418. 

  1418. 		 * doublecheck our result by encrypting the result
    1419. 

  1419. 		 * and comparing the output with the ciphertext.
    1420. 

  1420. 		 */
    1421. 

  1421. 		cx2 = AES_CreateContext(key, NULL, NSS_AES,
    1422. 

  1422. 		    PR_TRUE, keysize, 16);
    1423. 

  1423. 		if (cx2 == NULL) {
    1424. 

  1424. 		    goto loser;
    1425. 

  1425. 		}
    1426. 

  1426. 		for (j=0; j<1000; j++) {
    1427. 

  1427. 		    /* Save PT[j-1] */
    1428. 

  1428. 		    memcpy(plaintext_1, plaintext, sizeof plaintext);
    1429. 

  1429. 

  1430. 		    /* PT[j] = AES(Key[i], CT[j]) */
    1431. 

  1431. 		    outputlen = 0;
    1432. 

  1432. 		    rv = AES_Decrypt(cx,
    1433. 

  1433. 			plaintext, &outputlen, sizeof plaintext,
    1434. 

  1434. 			ciphertext, sizeof ciphertext);
    1435. 

  1435. 		    if (rv != SECSuccess) {
    1436. 

  1436. 			goto loser;
    1437. 

  1437. 		    }
    1438. 

  1438. 		    if (outputlen != sizeof ciphertext) {
    1439. 

  1439. 			goto loser;
    1440. 

  1440. 		    }
    1441. 

  1441. 

  1442. 		    /* doublecheck our result */
    1443. 

  1443. 		    outputlen = 0;
    1444. 

  1444. 		    rv = AES_Encrypt(cx2,
    1445. 

  1445. 			doublecheck, &outputlen, sizeof doublecheck,
    1446. 

  1446. 			plaintext, sizeof plaintext);
    1447. 

  1447. 		    if (rv != SECSuccess) {
    1448. 

  1448. 			goto loser;
    1449. 

  1449. 		    }
    1450. 

  1450. 		    if (outputlen != sizeof plaintext) {
    1451. 

  1451. 			goto loser;
    1452. 

  1452. 		    }
    1453. 

  1453. 		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
    1454. 

  1454. 			goto loser;
    1455. 

  1455. 		    }
    1456. 

  1456. 

  1457. 		    /* CT[j+1] = PT[j] */
    1458. 

  1458. 		    memcpy(ciphertext, plaintext, sizeof ciphertext);
    1459. 

  1459. 		}
    1460. 

  1460. 		AES_DestroyContext(cx, PR_TRUE);
    1461. 

  1461. 		cx = NULL;
    1462. 

  1462. 		AES_DestroyContext(cx2, PR_TRUE);
    1463. 

  1463. 		cx2 = NULL;
    1464. 

  1464. 

  1465. 		/* Output PT[j] */
    1466. 

  1466. 		fputs("PLAINTEXT = ", aesresp);
    1467. 

  1467. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1468. 

  1468. 		fputs(buf, aesresp);
    1469. 

  1469. 		fputc('\n', aesresp);
    1470. 

  1470. 

  1471. 		/* Key[i+1] = Key[i] xor ... */
    1472. 

  1472. 		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
    1473. 

  1473. 		/* CT[0] = PT[j] */
    1474. 

  1474. 		/* done at the end of the for(j) loop */
    1475. 

  1475. 

  1476. 		fputc('\n', aesresp);
    1477. 

  1477. 	    }
    1478. 

  1478. 

  1479. 	    continue;
    1480. 

  1480. 	}
    1481. 

  1481.     }
    1482. 

  1482. loser:
    1483. 

  1483.     if (cx != NULL) {
    1484. 

  1484. 	AES_DestroyContext(cx, PR_TRUE);
    1485. 

  1485.     }
    1486. 

  1486.     if (cx2 != NULL) {
    1487. 

  1487. 	AES_DestroyContext(cx2, PR_TRUE);
    1488. 

  1488.     }
    1489. 

  1489.     fclose(aesreq);
    1490. 

  1490. }
    1491. 

  1491. 

  1492. /*
    1493. 

  1493.  * Perform the AES Monte Carlo Test (MCT) in CBC mode.  MCT exercises
    1494. 

  1494.  * our AES code in streaming mode because the plaintext or ciphertext
    1495. 

  1495.  * is generated block by block as we go, so we can't collect all the
    1496. 

  1496.  * plaintext or ciphertext in one buffer and encrypt or decrypt it in
    1497. 

  1497.  * one shot.
    1498. 

  1498.  *
    1499. 

  1499.  * reqfn is the pathname of the input REQUEST file.
    1500. 

  1500.  *
    1501. 

  1501.  * The output RESPONSE file is written to stdout.
    1502. 

  1502.  */
    1503. 

  1503. void
    1504. 

  1504. aes_cbc_mct(char *reqfn)
    1505. 

  1505. {
    1506. 

  1506.     char buf[80];       /* holds one line from the input REQUEST file.
    1507. 

  1507.                          * needs to be large enough to hold the longest
    1508. 

  1508.                          * line "KEY = <64 hex digits>\n".
    1509. 

  1509.                          */
    1510. 

  1510.     FILE *aesreq;       /* input stream from the REQUEST file */
    1511. 

  1511.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1512. 

  1512.     int i, j;
    1513. 

  1513.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1514. 

  1514.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1515. 

  1515.     unsigned int keysize;
    1516. 

  1516.     unsigned char iv[16];
    1517. 

  1517.     unsigned char plaintext[16];        /* PT[j] */
    1518. 

  1518.     unsigned char plaintext_1[16];      /* PT[j-1] */
    1519. 

  1519.     unsigned char ciphertext[16];       /* CT[j] */
    1520. 

  1520.     unsigned char ciphertext_1[16];     /* CT[j-1] */
    1521. 

  1521.     unsigned char doublecheck[16];
    1522. 

  1522.     unsigned int outputlen;
    1523. 

  1523.     AESContext *cx = NULL;	/* the operation being tested */
    1524. 

  1524.     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
    1525. 

  1525.                                  * to doublecheck our result.
    1526. 

  1526.                                  */
    1527. 

  1527.     SECStatus rv;
    1528. 

  1528. 

  1529.     aesreq = fopen(reqfn, "r");
    1530. 

  1530.     aesresp = stdout;
    1531. 

  1531.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1532. 

  1532. 	/* a comment or blank line */
    1533. 

  1533. 	if (buf[0] == '#' || buf[0] == '\n') {
    1534. 

  1534. 	    fputs(buf, aesresp);
    1535. 

  1535. 	    continue;
    1536. 

  1536. 	}
    1537. 

  1537. 	/* [ENCRYPT] or [DECRYPT] */
    1538. 

  1538. 	if (buf[0] == '[') {
    1539. 

  1539. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1540. 

  1540. 		encrypt = 1;
    1541. 

  1541. 	    } else {
    1542. 

  1542. 		encrypt = 0;
    1543. 

  1543. 	    }
    1544. 

  1544. 	    fputs(buf, aesresp);
    1545. 

  1545. 	    continue;
    1546. 

  1546. 	}
    1547. 

  1547. 	/* "COUNT = x" begins a new data set */
    1548. 

  1548. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1549. 

  1549. 	    /* zeroize the variables for the test with this data set */
    1550. 

  1550. 	    memset(key, 0, sizeof key);
    1551. 

  1551. 	    keysize = 0;
    1552. 

  1552. 	    memset(iv, 0, sizeof iv);
    1553. 

  1553. 	    memset(plaintext, 0, sizeof plaintext);
    1554. 

  1554. 	    memset(ciphertext, 0, sizeof ciphertext);
    1555. 

  1555. 	    continue;
    1556. 

  1556. 	}
    1557. 

  1557. 	/* KEY = ... */
    1558. 

  1558. 	if (strncmp(buf, "KEY", 3) == 0) {
    1559. 

  1559. 	    /* Key[0] = Key */
    1560. 

  1560. 	    i = 3;
    1561. 

  1561. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1562. 

  1562. 		i++;
    1563. 

  1563. 	    }
    1564. 

  1564. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1565. 

  1565. 		hex_to_byteval(&buf[i], &key[j]);
    1566. 

  1566. 	    }
    1567. 

  1567. 	    keysize = j;
    1568. 

  1568. 	    continue;
    1569. 

  1569. 	}
    1570. 

  1570. 	/* IV = ... */
    1571. 

  1571. 	if (strncmp(buf, "IV", 2) == 0) {
    1572. 

  1572. 	    /* IV[0] = IV */
    1573. 

  1573. 	    i = 2;
    1574. 

  1574. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1575. 

  1575. 		i++;
    1576. 

  1576. 	    }
    1577. 

  1577. 	    for (j=0; j<sizeof iv; i+=2,j++) {
    1578. 

  1578. 		hex_to_byteval(&buf[i], &iv[j]);
    1579. 

  1579. 	    }
    1580. 

  1580. 	    continue;
    1581. 

  1581. 	}
    1582. 

  1582. 	/* PLAINTEXT = ... */
    1583. 

  1583. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1584. 

  1584. 	    /* sanity check */
    1585. 

  1585. 	    if (!encrypt) {
    1586. 

  1586. 		goto loser;
    1587. 

  1587. 	    }
    1588. 

  1588. 	    /* PT[0] = PT */
    1589. 

  1589. 	    i = 9;
    1590. 

  1590. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1591. 

  1591. 		i++;
    1592. 

  1592. 	    }
    1593. 

  1593. 	    for (j=0; j<sizeof plaintext; i+=2,j++) {
    1594. 

  1594. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1595. 

  1595. 	    }
    1596. 

  1596. 

  1597. 	    for (i=0; i<100; i++) {
    1598. 

  1598. 		sprintf(buf, "COUNT = %d\n", i);
    1599. 

  1599. 	        fputs(buf, aesresp);
    1600. 

  1600. 		/* Output Key[i] */
    1601. 

  1601. 		fputs("KEY = ", aesresp);
    1602. 

  1602. 		to_hex_str(buf, key, keysize);
    1603. 

  1603. 		fputs(buf, aesresp);
    1604. 

  1604. 		fputc('\n', aesresp);
    1605. 

  1605. 		/* Output IV[i] */
    1606. 

  1606. 		fputs("IV = ", aesresp);
    1607. 

  1607. 		to_hex_str(buf, iv, sizeof iv);
    1608. 

  1608. 		fputs(buf, aesresp);
    1609. 

  1609. 		fputc('\n', aesresp);
    1610. 

  1610. 		/* Output PT[0] */
    1611. 

  1611. 		fputs("PLAINTEXT = ", aesresp);
    1612. 

  1612. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1613. 

  1613. 		fputs(buf, aesresp);
    1614. 

  1614. 		fputc('\n', aesresp);
    1615. 

  1615. 

  1616. 		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
    1617. 

  1617. 		    PR_TRUE, keysize, 16);
    1618. 

  1618. 		if (cx == NULL) {
    1619. 

  1619. 		    goto loser;
    1620. 

  1620. 		}
    1621. 

  1621. 		/*
    1622. 

  1622. 		 * doublecheck our result by decrypting the result
    1623. 

  1623. 		 * and comparing the output with the plaintext.
    1624. 

  1624. 		 */
    1625. 

  1625. 		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
    1626. 

  1626. 		    PR_FALSE, keysize, 16);
    1627. 

  1627. 		if (cx2 == NULL) {
    1628. 

  1628. 		    goto loser;
    1629. 

  1629. 		}
    1630. 

  1630. 		/* CT[-1] = IV[i] */
    1631. 

  1631. 		memcpy(ciphertext, iv, sizeof ciphertext);
    1632. 

  1632. 		for (j=0; j<1000; j++) {
    1633. 

  1633. 		    /* Save CT[j-1] */
    1634. 

  1634. 		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
    1635. 

  1635. 		    /*
    1636. 

  1636. 		     * If ( j=0 )
    1637. 

  1637. 		     *      CT[j] = AES(Key[i], IV[i], PT[j])
    1638. 

  1638. 		     *      PT[j+1] = IV[i] (= CT[j-1])
    1639. 

  1639. 		     * Else
    1640. 

  1640. 		     *      CT[j] = AES(Key[i], PT[j])
    1641. 

  1641. 		     *      PT[j+1] = CT[j-1]
    1642. 

  1642. 		     */
    1643. 

  1643. 		    outputlen = 0;
    1644. 

  1644. 		    rv = AES_Encrypt(cx,
    1645. 

  1645. 			ciphertext, &outputlen, sizeof ciphertext,
    1646. 

  1646. 			plaintext, sizeof plaintext);
    1647. 

  1647. 		    if (rv != SECSuccess) {
    1648. 

  1648. 			goto loser;
    1649. 

  1649. 		    }
    1650. 

  1650. 		    if (outputlen != sizeof plaintext) {
    1651. 

  1651. 			goto loser;
    1652. 

  1652. 		    }
    1653. 

  1653. 

  1654. 		    /* doublecheck our result */
    1655. 

  1655. 		    outputlen = 0;
    1656. 

  1656. 		    rv = AES_Decrypt(cx2,
    1657. 

  1657. 			doublecheck, &outputlen, sizeof doublecheck,
    1658. 

  1658. 			ciphertext, sizeof ciphertext);
    1659. 

  1659. 		    if (rv != SECSuccess) {
    1660. 

  1660. 			goto loser;
    1661. 

  1661. 		    }
    1662. 

  1662. 		    if (outputlen != sizeof ciphertext) {
    1663. 

  1663. 			goto loser;
    1664. 

  1664. 		    }
    1665. 

  1665. 		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
    1666. 

  1666. 			goto loser;
    1667. 

  1667. 		    }
    1668. 

  1668. 

  1669. 		    memcpy(plaintext, ciphertext_1, sizeof plaintext);
    1670. 

  1670. 		}
    1671. 

  1671. 		AES_DestroyContext(cx, PR_TRUE);
    1672. 

  1672. 		cx = NULL;
    1673. 

  1673. 		AES_DestroyContext(cx2, PR_TRUE);
    1674. 

  1674. 		cx2 = NULL;
    1675. 

  1675. 

  1676. 		/* Output CT[j] */
    1677. 

  1677. 		fputs("CIPHERTEXT = ", aesresp);
    1678. 

  1678. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1679. 

  1679. 		fputs(buf, aesresp);
    1680. 

  1680. 		fputc('\n', aesresp);
    1681. 

  1681. 

  1682. 		/* Key[i+1] = Key[i] xor ... */
    1683. 

  1683. 		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
    1684. 

  1684. 		/* IV[i+1] = CT[j] */
    1685. 

  1685. 		memcpy(iv, ciphertext, sizeof iv);
    1686. 

  1686. 		/* PT[0] = CT[j-1] */
    1687. 

  1687. 		/* done at the end of the for(j) loop */
    1688. 

  1688. 

  1689. 		fputc('\n', aesresp);
    1690. 

  1690. 	    }
    1691. 

  1691. 

  1692. 	    continue;
    1693. 

  1693. 	}
    1694. 

  1694. 	/* CIPHERTEXT = ... */
    1695. 

  1695. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1696. 

  1696. 	    /* sanity check */
    1697. 

  1697. 	    if (encrypt) {
    1698. 

  1698. 		goto loser;
    1699. 

  1699. 	    }
    1700. 

  1700. 	    /* CT[0] = CT */
    1701. 

  1701. 	    i = 10;
    1702. 

  1702. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1703. 

  1703. 		i++;
    1704. 

  1704. 	    }
    1705. 

  1705. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1706. 

  1706. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1707. 

  1707. 	    }
    1708. 

  1708. 

  1709. 	    for (i=0; i<100; i++) {
    1710. 

  1710. 		sprintf(buf, "COUNT = %d\n", i);
    1711. 

  1711. 	        fputs(buf, aesresp);
    1712. 

  1712. 		/* Output Key[i] */
    1713. 

  1713. 		fputs("KEY = ", aesresp);
    1714. 

  1714. 		to_hex_str(buf, key, keysize);
    1715. 

  1715. 		fputs(buf, aesresp);
    1716. 

  1716. 		fputc('\n', aesresp);
    1717. 

  1717. 		/* Output IV[i] */
    1718. 

  1718. 		fputs("IV = ", aesresp);
    1719. 

  1719. 		to_hex_str(buf, iv, sizeof iv);
    1720. 

  1720. 		fputs(buf, aesresp);
    1721. 

  1721. 		fputc('\n', aesresp);
    1722. 

  1722. 		/* Output CT[0] */
    1723. 

  1723. 		fputs("CIPHERTEXT = ", aesresp);
    1724. 

  1724. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1725. 

  1725. 		fputs(buf, aesresp);
    1726. 

  1726. 		fputc('\n', aesresp);
    1727. 

  1727. 

  1728. 		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
    1729. 

  1729. 		    PR_FALSE, keysize, 16);
    1730. 

  1730. 		if (cx == NULL) {
    1731. 

  1731. 		    goto loser;
    1732. 

  1732. 		}
    1733. 

  1733. 		/*
    1734. 

  1734. 		 * doublecheck our result by encrypting the result
    1735. 

  1735. 		 * and comparing the output with the ciphertext.
    1736. 

  1736. 		 */
    1737. 

  1737. 		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
    1738. 

  1738. 		    PR_TRUE, keysize, 16);
    1739. 

  1739. 		if (cx2 == NULL) {
    1740. 

  1740. 		    goto loser;
    1741. 

  1741. 		}
    1742. 

  1742. 		/* PT[-1] = IV[i] */
    1743. 

  1743. 		memcpy(plaintext, iv, sizeof plaintext);
    1744. 

  1744. 		for (j=0; j<1000; j++) {
    1745. 

  1745. 		    /* Save PT[j-1] */
    1746. 

  1746. 		    memcpy(plaintext_1, plaintext, sizeof plaintext);
    1747. 

  1747. 		    /*
    1748. 

  1748. 		     * If ( j=0 )
    1749. 

  1749. 		     *      PT[j] = AES(Key[i], IV[i], CT[j])
    1750. 

  1750. 		     *      CT[j+1] = IV[i] (= PT[j-1])
    1751. 

  1751. 		     * Else
    1752. 

  1752. 		     *      PT[j] = AES(Key[i], CT[j])
    1753. 

  1753. 		     *      CT[j+1] = PT[j-1]
    1754. 

  1754. 		     */
    1755. 

  1755. 		    outputlen = 0;
    1756. 

  1756. 		    rv = AES_Decrypt(cx,
    1757. 

  1757. 			plaintext, &outputlen, sizeof plaintext,
    1758. 

  1758. 			ciphertext, sizeof ciphertext);
    1759. 

  1759. 		    if (rv != SECSuccess) {
    1760. 

  1760. 			goto loser;
    1761. 

  1761. 		    }
    1762. 

  1762. 		    if (outputlen != sizeof ciphertext) {
    1763. 

  1763. 			goto loser;
    1764. 

  1764. 		    }
    1765. 

  1765. 

  1766. 		    /* doublecheck our result */
    1767. 

  1767. 		    outputlen = 0;
    1768. 

  1768. 		    rv = AES_Encrypt(cx2,
    1769. 

  1769. 			doublecheck, &outputlen, sizeof doublecheck,
    1770. 

  1770. 			plaintext, sizeof plaintext);
    1771. 

  1771. 		    if (rv != SECSuccess) {
    1772. 

  1772. 			goto loser;
    1773. 

  1773. 		    }
    1774. 

  1774. 		    if (outputlen != sizeof plaintext) {
    1775. 

  1775. 			goto loser;
    1776. 

  1776. 		    }
    1777. 

  1777. 		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
    1778. 

  1778. 			goto loser;
    1779. 

  1779. 		    }
    1780. 

  1780. 

  1781. 		    memcpy(ciphertext, plaintext_1, sizeof ciphertext);
    1782. 

  1782. 		}
    1783. 

  1783. 		AES_DestroyContext(cx, PR_TRUE);
    1784. 

  1784. 		cx = NULL;
    1785. 

  1785. 		AES_DestroyContext(cx2, PR_TRUE);
    1786. 

  1786. 		cx2 = NULL;
    1787. 

  1787. 

  1788. 		/* Output PT[j] */
    1789. 

  1789. 		fputs("PLAINTEXT = ", aesresp);
    1790. 

  1790. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1791. 

  1791. 		fputs(buf, aesresp);
    1792. 

  1792. 		fputc('\n', aesresp);
    1793. 

  1793. 

  1794. 		/* Key[i+1] = Key[i] xor ... */
    1795. 

  1795. 		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
    1796. 

  1796. 		/* IV[i+1] = PT[j] */
    1797. 

  1797. 		memcpy(iv, plaintext, sizeof iv);
    1798. 

  1798. 		/* CT[0] = PT[j-1] */
    1799. 

  1799. 		/* done at the end of the for(j) loop */
    1800. 

  1800. 

  1801. 		fputc('\n', aesresp);
    1802. 

  1802. 	    }
    1803. 

  1803. 

  1804. 	    continue;
    1805. 

  1805. 	}
    1806. 

  1806.     }
    1807. 

  1807. loser:
    1808. 

  1808.     if (cx != NULL) {
    1809. 

  1809. 	AES_DestroyContext(cx, PR_TRUE);
    1810. 

  1810.     }
    1811. 

  1811.     if (cx2 != NULL) {
    1812. 

  1812. 	AES_DestroyContext(cx2, PR_TRUE);
    1813. 

  1813.     }
    1814. 

  1814.     fclose(aesreq);
    1815. 

  1815. }
    1816. 

  1816. 

  1817. void write_compact_string(FILE *out, unsigned char *hash, unsigned int len)
    1818. 

  1818. {
    1819. 

  1819.     unsigned int i;
    1820. 

  1820.     int j, count = 0, last = -1, z = 0;
    1821. 

  1821.     long start = ftell(out);
    1822. 

  1822.     for (i=0; i<len; i++) {
    1823. 

  1823. 	for (j=7; j>=0; j--) {
    1824. 

  1824. 	    if (last < 0) {
    1825. 

  1825. 		last = (hash[i] & (1 << j)) ? 1 : 0;
    1826. 

  1826. 		fprintf(out, "%d ", last);
    1827. 

  1827. 		count = 1;
    1828. 

  1828. 	    } else if (hash[i] & (1 << j)) {
    1829. 

  1829. 		if (last) {
    1830. 

  1830. 		    count++; 
    1831. 

  1831. 		} else { 
    1832. 

  1832. 		    last = 0;
    1833. 

  1833. 		    fprintf(out, "%d ", count);
    1834. 

  1834. 		    count = 1;
    1835. 

  1835. 		    z++;
    1836. 

  1836. 		}
    1837. 

  1837. 	    } else {
    1838. 

  1838. 		if (!last) {
    1839. 

  1839. 		    count++; 
    1840. 

  1840. 		} else { 
    1841. 

  1841. 		    last = 1;
    1842. 

  1842. 		    fprintf(out, "%d ", count);
    1843. 

  1843. 		    count = 1;
    1844. 

  1844. 		    z++;
    1845. 

  1845. 		}
    1846. 

  1846. 	    }
    1847. 

  1847. 	}
    1848. 

  1848.     }
    1849. 

  1849.     fprintf(out, "^\n");
    1850. 

  1850.     fseek(out, start, SEEK_SET);
    1851. 

  1851.     fprintf(out, "%d ", z);
    1852. 

  1852.     fseek(out, 0, SEEK_END);
    1853. 

  1853. }
    1854. 

  1854. 

  1855. int get_next_line(FILE *req, char *key, char *val, FILE *rsp)
    1856. 

  1856. {
    1857. 

  1857.     int ignore = 0;
    1858. 

  1858.     char *writeto = key;
    1859. 

  1859.     int w = 0;
    1860. 

  1860.     int c;
    1861. 

  1861.     while ((c = fgetc(req)) != EOF) {
    1862. 

  1862. 	if (ignore) {
    1863. 

  1863. 	    fprintf(rsp, "%c", c);
    1864. 

  1864. 	    if (c == '\n') return ignore;
    1865. 

  1865. 	} else if (c == '\n') {
    1866. 

  1866. 	    break;
    1867. 

  1867. 	} else if (c == '#') {
    1868. 

  1868. 	    ignore = 1;
    1869. 

  1869. 	    fprintf(rsp, "%c", c);
    1870. 

  1870. 	} else if (c == '=') {
    1871. 

  1871. 	    writeto[w] = '\0';
    1872. 

  1872. 	    w = 0;
    1873. 

  1873. 	    writeto = val;
    1874. 

  1874. 	} else if (c == ' ' || c == '[' || c == ']') {
    1875. 

  1875. 	    continue;
    1876. 

  1876. 	} else {
    1877. 

  1877. 	    writeto[w++] = c;
    1878. 

  1878. 	}
    1879. 

  1879.     }
    1880. 

  1880.     writeto[w] = '\0';
    1881. 

  1881.     return (c == EOF) ? -1 : ignore;
    1882. 

  1882. }
    1883. 

  1883. 

  1884. #ifdef NSS_ENABLE_ECC
    1885. 

  1885. typedef struct curveNameTagPairStr {
    1886. 

  1886.     char *curveName;
    1887. 

  1887.     SECOidTag curveOidTag;
    1888. 

  1888. } CurveNameTagPair;
    1889. 

  1889. 

  1890. #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
    1891. 

  1891. /* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
    1892. 

  1892. 

  1893. static CurveNameTagPair nameTagPair[] =
    1894. 

  1894. { 
    1895. 

  1895.   { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
    1896. 

  1896.   { "nistk163", SEC_OID_SECG_EC_SECT163K1},
    1897. 

  1897.   { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
    1898. 

  1898.   { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
    1899. 

  1899.   { "nistb163", SEC_OID_SECG_EC_SECT163R2},
    1900. 

  1900.   { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
    1901. 

  1901.   { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
    1902. 

  1902.   { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
    1903. 

  1903.   { "nistk233", SEC_OID_SECG_EC_SECT233K1},
    1904. 

  1904.   { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
    1905. 

  1905.   { "nistb233", SEC_OID_SECG_EC_SECT233R1},
    1906. 

  1906.   { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
    1907. 

  1907.   { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
    1908. 

  1908.   { "nistk283", SEC_OID_SECG_EC_SECT283K1},
    1909. 

  1909.   { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
    1910. 

  1910.   { "nistb283", SEC_OID_SECG_EC_SECT283R1},
    1911. 

  1911.   { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
    1912. 

  1912.   { "nistk409", SEC_OID_SECG_EC_SECT409K1},
    1913. 

  1913.   { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
    1914. 

  1914.   { "nistb409", SEC_OID_SECG_EC_SECT409R1},
    1915. 

  1915.   { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
    1916. 

  1916.   { "nistk571", SEC_OID_SECG_EC_SECT571K1},
    1917. 

  1917.   { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
    1918. 

  1918.   { "nistb571", SEC_OID_SECG_EC_SECT571R1},
    1919. 

  1919.   { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
    1920. 

  1920.   { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
    1921. 

  1921.   { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
    1922. 

  1922.   { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
    1923. 

  1923.   { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
    1924. 

  1924.   { "nistp192", SEC_OID_SECG_EC_SECP192R1},
    1925. 

  1925.   { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
    1926. 

  1926.   { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
    1927. 

  1927.   { "nistp224", SEC_OID_SECG_EC_SECP224R1},
    1928. 

  1928.   { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
    1929. 

  1929.   { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
    1930. 

  1930.   { "nistp256", SEC_OID_SECG_EC_SECP256R1},
    1931. 

  1931.   { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
    1932. 

  1932.   { "nistp384", SEC_OID_SECG_EC_SECP384R1},
    1933. 

  1933.   { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
    1934. 

  1934.   { "nistp521", SEC_OID_SECG_EC_SECP521R1},
    1935. 

  1935. 

  1936.   { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
    1937. 

  1937.   { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
    1938. 

  1938.   { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
    1939. 

  1939.   { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
    1940. 

  1940.   { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
    1941. 

  1941.   { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
    1942. 

  1942. 

  1943.   { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
    1944. 

  1944.   { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
    1945. 

  1945.   { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
    1946. 

  1946.   { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
    1947. 

  1947.   { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
    1948. 

  1948.   { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
    1949. 

  1949.   { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
    1950. 

  1950.   { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
    1951. 

  1951.   { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
    1952. 

  1952.   { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
    1953. 

  1953.   { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
    1954. 

  1954.   { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
    1955. 

  1955.   { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
    1956. 

  1956.   { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
    1957. 

  1957.   { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
    1958. 

  1958.   { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
    1959. 

  1959.   { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
    1960. 

  1960.   { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
    1961. 

  1961.   { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
    1962. 

  1962.   { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
    1963. 

  1963. 

  1964.   { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
    1965. 

  1965.   { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
    1966. 

  1966.   { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
    1967. 

  1967.   { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
    1968. 

  1968. 

  1969.   { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
    1970. 

  1970.   { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
    1971. 

  1971.   { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
    1972. 

  1972.   { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
    1973. 

  1973. };
    1974. 

  1974. 

  1975. static SECKEYECParams * 
    1976. 

  1976. getECParams(const char *curve)
    1977. 

  1977. {
    1978. 

  1978.     SECKEYECParams *ecparams;
    1979. 

  1979.     SECOidData *oidData = NULL;
    1980. 

  1980.     SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
    1981. 

  1981.     int i, numCurves;
    1982. 

  1982. 

  1983.     if (curve != NULL) {
    1984. 

  1984.         numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
    1985. 

  1985. 	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
    1986. 

  1986. 	     i++) {
    1987. 

  1987. 	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
    1988. 

  1988. 	        curveOidTag = nameTagPair[i].curveOidTag;
    1989. 

  1989. 	}
    1990. 

  1990.     }
    1991. 

  1991. 

  1992.     /* Return NULL if curve name is not recognized */
    1993. 

  1993.     if ((curveOidTag == SEC_OID_UNKNOWN) || 
    1994. 

  1994. 	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
    1995. 

  1995.         fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
    1996. 

  1996. 	return NULL;
    1997. 

  1997.     }
    1998. 

  1998. 

  1999.     ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
    2000. 

  2000. 

  2001.     /* 
    2002. 

  2002.      * ecparams->data needs to contain the ASN encoding of an object ID (OID)
    2003. 

  2003.      * representing the named curve. The actual OID is in 
    2004. 

  2004.      * oidData->oid.data so we simply prepend 0x06 and OID length
    2005. 

  2005.      */
    2006. 

  2006.     ecparams->data[0] = SEC_ASN1_OBJECT_ID;
    2007. 

  2007.     ecparams->data[1] = oidData->oid.len;
    2008. 

  2008.     memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
    2009. 

  2009. 

  2010.     return ecparams;
    2011. 

  2011. }
    2012. 

  2012. 

  2013. /*
    2014. 

  2014.  * Perform the ECDSA Key Pair Generation Test.
    2015. 

  2015.  *
    2016. 

  2016.  * reqfn is the pathname of the REQUEST file.
    2017. 

  2017.  *
    2018. 

  2018.  * The output RESPONSE file is written to stdout.
    2019. 

  2019.  */
    2020. 

  2020. void
    2021. 

  2021. ecdsa_keypair_test(char *reqfn)
    2022. 

  2022. {
    2023. 

  2023.     char buf[256];      /* holds one line from the input REQUEST file
    2024. 

  2024.                          * or to the output RESPONSE file.
    2025. 

  2025.                          * needs to be large enough to hold the longest
    2026. 

  2026.                          * line "Qx = <144 hex digits>\n".
    2027. 

  2027.                          */
    2028. 

  2028.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2029. 

  2029.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2030. 

  2030.     char curve[16];     /* "nistxddd" */
    2031. 

  2031.     ECParams *ecparams;
    2032. 

  2032.     int N;
    2033. 

  2033.     int i;
    2034. 

  2034.     unsigned int len;
    2035. 

  2035. 

  2036.     ecdsareq = fopen(reqfn, "r");
    2037. 

  2037.     ecdsaresp = stdout;
    2038. 

  2038.     strcpy(curve, "nist");
    2039. 

  2039.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2040. 

  2040. 	/* a comment or blank line */
    2041. 

  2041. 	if (buf[0] == '#' || buf[0] == '\n') {
    2042. 

  2042. 	    fputs(buf, ecdsaresp);
    2043. 

  2043. 	    continue;
    2044. 

  2044. 	}
    2045. 

  2045. 	/* [X-ddd] */
    2046. 

  2046. 	if (buf[0] == '[') {
    2047. 

  2047. 	    const char *src;
    2048. 

  2048. 	    char *dst;
    2049. 

  2049. 	    SECKEYECParams *encodedparams;
    2050. 

  2050. 

  2051. 	    src = &buf[1];
    2052. 

  2052. 	    dst = &curve[4];
    2053. 

  2053. 	    *dst++ = tolower(*src);
    2054. 

  2054. 	    src += 2;  /* skip the hyphen */
    2055. 

  2055. 	    *dst++ = *src++;
    2056. 

  2056. 	    *dst++ = *src++;
    2057. 

  2057. 	    *dst++ = *src++;
    2058. 

  2058. 	    *dst = '\0';
    2059. 

  2059. 	    encodedparams = getECParams(curve);
    2060. 

  2060. 	    if (encodedparams == NULL) {
    2061. 

  2061. 		goto loser;
    2062. 

  2062. 	    }
    2063. 

  2063. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2064. 

  2064. 		goto loser;
    2065. 

  2065. 	    }
    2066. 

  2066. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2067. 

  2067. 	    fputs(buf, ecdsaresp);
    2068. 

  2068. 	    continue;
    2069. 

  2069. 	}
    2070. 

  2070. 	/* N = x */
    2071. 

  2071. 	if (buf[0] == 'N') {
    2072. 

  2072. 	    if (sscanf(buf, "N = %d", &N) != 1) {
    2073. 

  2073. 		goto loser;
    2074. 

  2074. 	    }
    2075. 

  2075. 	    for (i = 0; i < N; i++) {
    2076. 

  2076. 		ECPrivateKey *ecpriv;
    2077. 

  2077. 

  2078. 		if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
    2079. 

  2079. 		    goto loser;
    2080. 

  2080. 		}
    2081. 

  2081. 		fputs("d = ", ecdsaresp);
    2082. 

  2082. 		to_hex_str(buf, ecpriv->privateValue.data,
    2083. 

  2083. 			   ecpriv->privateValue.len);
    2084. 

  2084. 		fputs(buf, ecdsaresp);
    2085. 

  2085. 		fputc('\n', ecdsaresp);
    2086. 

  2086. 		if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
    2087. 

  2087. 		    != SECSuccess) {
    2088. 

  2088. 		    goto loser;
    2089. 

  2089. 		}
    2090. 

  2090. 		len = ecpriv->publicValue.len;
    2091. 

  2091. 		if (len%2 == 0) {
    2092. 

  2092. 		    goto loser;
    2093. 

  2093. 		}
    2094. 

  2094. 		len = (len-1)/2;
    2095. 

  2095. 		if (ecpriv->publicValue.data[0]
    2096. 

  2096. 		    != EC_POINT_FORM_UNCOMPRESSED) {
    2097. 

  2097. 		    goto loser;
    2098. 

  2098. 		}
    2099. 

  2099. 		fputs("Qx = ", ecdsaresp);
    2100. 

  2100. 		to_hex_str(buf, &ecpriv->publicValue.data[1], len);
    2101. 

  2101. 		fputs(buf, ecdsaresp);
    2102. 

  2102. 		fputc('\n', ecdsaresp);
    2103. 

  2103. 		fputs("Qy = ", ecdsaresp);
    2104. 

  2104. 		to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
    2105. 

  2105. 		fputs(buf, ecdsaresp);
    2106. 

  2106. 		fputc('\n', ecdsaresp);
    2107. 

  2107. 		fputc('\n', ecdsaresp);
    2108. 

  2108. 		PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
    2109. 

  2109. 	    }
    2110. 

  2110. 	    PORT_FreeArena(ecparams->arena, PR_FALSE);
    2111. 

  2111. 	    continue;
    2112. 

  2112. 	}
    2113. 

  2113.     }
    2114. 

  2114. loser:
    2115. 

  2115.     fclose(ecdsareq);
    2116. 

  2116. }
    2117. 

  2117. 

  2118. /*
    2119. 

  2119.  * Perform the ECDSA Public Key Validation Test.
    2120. 

  2120.  *
    2121. 

  2121.  * reqfn is the pathname of the REQUEST file.
    2122. 

  2122.  *
    2123. 

  2123.  * The output RESPONSE file is written to stdout.
    2124. 

  2124.  */
    2125. 

  2125. void
    2126. 

  2126. ecdsa_pkv_test(char *reqfn)
    2127. 

  2127. {
    2128. 

  2128.     char buf[256];      /* holds one line from the input REQUEST file.
    2129. 

  2129.                          * needs to be large enough to hold the longest
    2130. 

  2130.                          * line "Qx = <144 hex digits>\n".
    2131. 

  2131.                          */
    2132. 

  2132.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2133. 

  2133.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2134. 

  2134.     char curve[16];     /* "nistxddd" */
    2135. 

  2135.     ECParams *ecparams = NULL;
    2136. 

  2136.     SECItem pubkey;
    2137. 

  2137.     unsigned int i;
    2138. 

  2138.     unsigned int len;
    2139. 

  2139.     PRBool keyvalid = PR_TRUE;
    2140. 

  2140. 

  2141.     ecdsareq = fopen(reqfn, "r");
    2142. 

  2142.     ecdsaresp = stdout;
    2143. 

  2143.     strcpy(curve, "nist");
    2144. 

  2144.     pubkey.data = NULL;
    2145. 

  2145.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2146. 

  2146. 	/* a comment or blank line */
    2147. 

  2147. 	if (buf[0] == '#' || buf[0] == '\n') {
    2148. 

  2148. 	    fputs(buf, ecdsaresp);
    2149. 

  2149. 	    continue;
    2150. 

  2150. 	}
    2151. 

  2151. 	/* [X-ddd] */
    2152. 

  2152. 	if (buf[0] == '[') {
    2153. 

  2153. 	    const char *src;
    2154. 

  2154. 	    char *dst;
    2155. 

  2155. 	    SECKEYECParams *encodedparams;
    2156. 

  2156. 

  2157. 	    src = &buf[1];
    2158. 

  2158. 	    dst = &curve[4];
    2159. 

  2159. 	    *dst++ = tolower(*src);
    2160. 

  2160. 	    src += 2;  /* skip the hyphen */
    2161. 

  2161. 	    *dst++ = *src++;
    2162. 

  2162. 	    *dst++ = *src++;
    2163. 

  2163. 	    *dst++ = *src++;
    2164. 

  2164. 	    *dst = '\0';
    2165. 

  2165. 	    if (ecparams != NULL) {
    2166. 

  2166. 		PORT_FreeArena(ecparams->arena, PR_FALSE);
    2167. 

  2167. 		ecparams = NULL;
    2168. 

  2168. 	    }
    2169. 

  2169. 	    encodedparams = getECParams(curve);
    2170. 

  2170. 	    if (encodedparams == NULL) {
    2171. 

  2171. 		goto loser;
    2172. 

  2172. 	    }
    2173. 

  2173. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2174. 

  2174. 		goto loser;
    2175. 

  2175. 	    }
    2176. 

  2176. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2177. 

  2177. 	    len = (ecparams->fieldID.size + 7) >> 3;
    2178. 

  2178. 	    if (pubkey.data != NULL) {
    2179. 

  2179. 		PORT_Free(pubkey.data);
    2180. 

  2180. 		pubkey.data = NULL;
    2181. 

  2181. 	    }
    2182. 

  2182. 	    SECITEM_AllocItem(NULL, &pubkey, 2*len+1);
    2183. 

  2183. 	    if (pubkey.data == NULL) {
    2184. 

  2184. 		goto loser;
    2185. 

  2185. 	    }
    2186. 

  2186. 	    pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
    2187. 

  2187. 	    fputs(buf, ecdsaresp);
    2188. 

  2188. 	    continue;
    2189. 

  2189. 	}
    2190. 

  2190. 	/* Qx = ... */
    2191. 

  2191. 	if (strncmp(buf, "Qx", 2) == 0) {
    2192. 

  2192. 	    fputs(buf, ecdsaresp);
    2193. 

  2193. 	    i = 2;
    2194. 

  2194. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2195. 

  2195. 		i++;
    2196. 

  2196. 	    }
    2197. 

  2197. 	    keyvalid = from_hex_str(&pubkey.data[1], len, &buf[i]);
    2198. 

  2198. 	    continue;
    2199. 

  2199. 	}
    2200. 

  2200. 	/* Qy = ... */
    2201. 

  2201. 	if (strncmp(buf, "Qy", 2) == 0) {
    2202. 

  2202. 	    fputs(buf, ecdsaresp);
    2203. 

  2203. 	    if (!keyvalid) {
    2204. 

  2204. 		fputs("Result = F\n", ecdsaresp);
    2205. 

  2205. 		continue;
    2206. 

  2206. 	    }
    2207. 

  2207. 	    i = 2;
    2208. 

  2208. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2209. 

  2209. 		i++;
    2210. 

  2210. 	    }
    2211. 

  2211. 	    keyvalid = from_hex_str(&pubkey.data[1+len], len, &buf[i]);
    2212. 

  2212. 	    if (!keyvalid) {
    2213. 

  2213. 		fputs("Result = F\n", ecdsaresp);
    2214. 

  2214. 		continue;
    2215. 

  2215. 	    }
    2216. 

  2216. 	    if (EC_ValidatePublicKey(ecparams, &pubkey) == SECSuccess) {
    2217. 

  2217. 		fputs("Result = P\n", ecdsaresp);
    2218. 

  2218. 	    } else if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
    2219. 

  2219. 		fputs("Result = F\n", ecdsaresp);
    2220. 

  2220. 	    } else {
    2221. 

  2221. 		goto loser;
    2222. 

  2222. 	    }
    2223. 

  2223. 	    continue;
    2224. 

  2224. 	}
    2225. 

  2225.     }
    2226. 

  2226. loser:
    2227. 

  2227.     if (ecparams != NULL) {
    2228. 

  2228. 	PORT_FreeArena(ecparams->arena, PR_FALSE);
    2229. 

  2229.     }
    2230. 

  2230.     if (pubkey.data != NULL) {
    2231. 

  2231. 	PORT_Free(pubkey.data);
    2232. 

  2232.     }
    2233. 

  2233.     fclose(ecdsareq);
    2234. 

  2234. }
    2235. 

  2235. 

  2236. /*
    2237. 

  2237.  * Perform the ECDSA Signature Generation Test.
    2238. 

  2238.  *
    2239. 

  2239.  * reqfn is the pathname of the REQUEST file.
    2240. 

  2240.  *
    2241. 

  2241.  * The output RESPONSE file is written to stdout.
    2242. 

  2242.  */
    2243. 

  2243. void
    2244. 

  2244. ecdsa_siggen_test(char *reqfn)
    2245. 

  2245. {
    2246. 

  2246.     char buf[1024];     /* holds one line from the input REQUEST file
    2247. 

  2247.                          * or to the output RESPONSE file.
    2248. 

  2248.                          * needs to be large enough to hold the longest
    2249. 

  2249.                          * line "Msg = <256 hex digits>\n".
    2250. 

  2250.                          */
    2251. 

  2251.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2252. 

  2252.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2253. 

  2253.     char curve[16];     /* "nistxddd" */
    2254. 

  2254.     ECParams *ecparams = NULL;
    2255. 

  2255.     int i, j;
    2256. 

  2256.     unsigned int len;
    2257. 

  2257.     unsigned char msg[512];  /* message to be signed (<= 128 bytes) */
    2258. 

  2258.     unsigned int msglen;
    2259. 

  2259.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    2260. 

  2260.     unsigned char sig[2*MAX_ECKEY_LEN];
    2261. 

  2261.     SECItem signature, digest;
    2262. 

  2262. 

  2263.     ecdsareq = fopen(reqfn, "r");
    2264. 

  2264.     ecdsaresp = stdout;
    2265. 

  2265.     strcpy(curve, "nist");
    2266. 

  2266.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2267. 

  2267. 	/* a comment or blank line */
    2268. 

  2268. 	if (buf[0] == '#' || buf[0] == '\n') {
    2269. 

  2269. 	    fputs(buf, ecdsaresp);
    2270. 

  2270. 	    continue;
    2271. 

  2271. 	}
    2272. 

  2272. 	/* [X-ddd] */
    2273. 

  2273. 	if (buf[0] == '[') {
    2274. 

  2274. 	    const char *src;
    2275. 

  2275. 	    char *dst;
    2276. 

  2276. 	    SECKEYECParams *encodedparams;
    2277. 

  2277. 

  2278. 	    src = &buf[1];
    2279. 

  2279. 	    dst = &curve[4];
    2280. 

  2280. 	    *dst++ = tolower(*src);
    2281. 

  2281. 	    src += 2;  /* skip the hyphen */
    2282. 

  2282. 	    *dst++ = *src++;
    2283. 

  2283. 	    *dst++ = *src++;
    2284. 

  2284. 	    *dst++ = *src++;
    2285. 

  2285. 	    *dst = '\0';
    2286. 

  2286. 	    if (ecparams != NULL) {
    2287. 

  2287. 		PORT_FreeArena(ecparams->arena, PR_FALSE);
    2288. 

  2288. 		ecparams = NULL;
    2289. 

  2289. 	    }
    2290. 

  2290. 	    encodedparams = getECParams(curve);
    2291. 

  2291. 	    if (encodedparams == NULL) {
    2292. 

  2292. 		goto loser;
    2293. 

  2293. 	    }
    2294. 

  2294. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2295. 

  2295. 		goto loser;
    2296. 

  2296. 	    }
    2297. 

  2297. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2298. 

  2298. 	    fputs(buf, ecdsaresp);
    2299. 

  2299. 	    continue;
    2300. 

  2300. 	}
    2301. 

  2301. 	/* Msg = ... */
    2302. 

  2302. 	if (strncmp(buf, "Msg", 3) == 0) {
    2303. 

  2303. 	    ECPrivateKey *ecpriv;
    2304. 

  2304. 

  2305. 	    i = 3;
    2306. 

  2306. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2307. 

  2307. 		i++;
    2308. 

  2308. 	    }
    2309. 

  2309. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    2310. 

  2310. 		hex_to_byteval(&buf[i], &msg[j]);
    2311. 

  2311. 	    }
    2312. 

  2312. 	    msglen = j;
    2313. 

  2313. 	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
    2314. 

  2314. 		goto loser;
    2315. 

  2315. 	    }
    2316. 

  2316. 	    fputs(buf, ecdsaresp);
    2317. 

  2317. 

  2318. 	    if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
    2319. 

  2319. 		goto loser;
    2320. 

  2320. 	    }
    2321. 

  2321. 	    if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
    2322. 

  2322. 		!= SECSuccess) {
    2323. 

  2323. 		goto loser;
    2324. 

  2324. 	    }
    2325. 

  2325. 	    len = ecpriv->publicValue.len;
    2326. 

  2326. 	    if (len%2 == 0) {
    2327. 

  2327. 		goto loser;
    2328. 

  2328. 	    }
    2329. 

  2329. 	    len = (len-1)/2;
    2330. 

  2330. 	    if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
    2331. 

  2331. 		goto loser;
    2332. 

  2332. 	    }
    2333. 

  2333. 	    fputs("Qx = ", ecdsaresp);
    2334. 

  2334. 	    to_hex_str(buf, &ecpriv->publicValue.data[1], len);
    2335. 

  2335. 	    fputs(buf, ecdsaresp);
    2336. 

  2336. 	    fputc('\n', ecdsaresp);
    2337. 

  2337. 	    fputs("Qy = ", ecdsaresp);
    2338. 

  2338. 	    to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
    2339. 

  2339. 	    fputs(buf, ecdsaresp);
    2340. 

  2340. 	    fputc('\n', ecdsaresp);
    2341. 

  2341. 

  2342. 	    digest.type = siBuffer;
    2343. 

  2343. 	    digest.data = sha1;
    2344. 

  2344. 	    digest.len = sizeof sha1;
    2345. 

  2345. 	    signature.type = siBuffer;
    2346. 

  2346. 	    signature.data = sig;
    2347. 

  2347. 	    signature.len = sizeof sig;
    2348. 

  2348. 	    if (ECDSA_SignDigest(ecpriv, &signature, &digest) != SECSuccess) {
    2349. 

  2349. 		goto loser;
    2350. 

  2350. 	    }
    2351. 

  2351. 	    len = signature.len;
    2352. 

  2352. 	    if (len%2 != 0) {
    2353. 

  2353. 		goto loser;
    2354. 

  2354. 	    }
    2355. 

  2355. 	    len = len/2;
    2356. 

  2356. 	    fputs("R = ", ecdsaresp);
    2357. 

  2357. 	    to_hex_str(buf, &signature.data[0], len);
    2358. 

  2358. 	    fputs(buf, ecdsaresp);
    2359. 

  2359. 	    fputc('\n', ecdsaresp);
    2360. 

  2360. 	    fputs("S = ", ecdsaresp);
    2361. 

  2361. 	    to_hex_str(buf, &signature.data[len], len);
    2362. 

  2362. 	    fputs(buf, ecdsaresp);
    2363. 

  2363. 	    fputc('\n', ecdsaresp);
    2364. 

  2364. 

  2365. 	    PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
    2366. 

  2366. 	    continue;
    2367. 

  2367. 	}
    2368. 

  2368.     }
    2369. 

  2369. loser:
    2370. 

  2370.     if (ecparams != NULL) {
    2371. 

  2371. 	PORT_FreeArena(ecparams->arena, PR_FALSE);
    2372. 

  2372.     }
    2373. 

  2373.     fclose(ecdsareq);
    2374. 

  2374. }
    2375. 

  2375. 

  2376. /*
    2377. 

  2377.  * Perform the ECDSA Signature Verification Test.
    2378. 

  2378.  *
    2379. 

  2379.  * reqfn is the pathname of the REQUEST file.
    2380. 

  2380.  *
    2381. 

  2381.  * The output RESPONSE file is written to stdout.
    2382. 

  2382.  */
    2383. 

  2383. void
    2384. 

  2384. ecdsa_sigver_test(char *reqfn)
    2385. 

  2385. {
    2386. 

  2386.     char buf[1024];     /* holds one line from the input REQUEST file.
    2387. 

  2387.                          * needs to be large enough to hold the longest
    2388. 

  2388.                          * line "Msg = <256 hex digits>\n".
    2389. 

  2389.                          */
    2390. 

  2390.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2391. 

  2391.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2392. 

  2392.     char curve[16];     /* "nistxddd" */
    2393. 

  2393.     ECPublicKey ecpub;
    2394. 

  2394.     unsigned int i, j;
    2395. 

  2395.     unsigned int flen;  /* length in bytes of the field size */
    2396. 

  2396.     unsigned int olen;  /* length in bytes of the base point order */
    2397. 

  2397.     unsigned char msg[512];  /* message that was signed (<= 128 bytes) */
    2398. 

  2398.     unsigned int msglen;
    2399. 

  2399.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    2400. 

  2400.     unsigned char sig[2*MAX_ECKEY_LEN];
    2401. 

  2401.     SECItem signature, digest;
    2402. 

  2402.     PRBool keyvalid = PR_TRUE;
    2403. 

  2403.     PRBool sigvalid = PR_TRUE;
    2404. 

  2404. 

  2405.     ecdsareq = fopen(reqfn, "r");
    2406. 

  2406.     ecdsaresp = stdout;
    2407. 

  2407.     ecpub.ecParams.arena = NULL;
    2408. 

  2408.     strcpy(curve, "nist");
    2409. 

  2409.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2410. 

  2410. 	/* a comment or blank line */
    2411. 

  2411. 	if (buf[0] == '#' || buf[0] == '\n') {
    2412. 

  2412. 	    fputs(buf, ecdsaresp);
    2413. 

  2413. 	    continue;
    2414. 

  2414. 	}
    2415. 

  2415. 	/* [X-ddd] */
    2416. 

  2416. 	if (buf[0] == '[') {
    2417. 

  2417. 	    const char *src;
    2418. 

  2418. 	    char *dst;
    2419. 

  2419. 	    SECKEYECParams *encodedparams;
    2420. 

  2420. 	    ECParams *ecparams;
    2421. 

  2421. 

  2422. 	    src = &buf[1];
    2423. 

  2423. 	    dst = &curve[4];
    2424. 

  2424. 	    *dst++ = tolower(*src);
    2425. 

  2425. 	    src += 2;  /* skip the hyphen */
    2426. 

  2426. 	    *dst++ = *src++;
    2427. 

  2427. 	    *dst++ = *src++;
    2428. 

  2428. 	    *dst++ = *src++;
    2429. 

  2429. 	    *dst = '\0';
    2430. 

  2430. 	    encodedparams = getECParams(curve);
    2431. 

  2431. 	    if (encodedparams == NULL) {
    2432. 

  2432. 		goto loser;
    2433. 

  2433. 	    }
    2434. 

  2434. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2435. 

  2435. 		goto loser;
    2436. 

  2436. 	    }
    2437. 

  2437. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2438. 

  2438. 	    if (ecpub.ecParams.arena != NULL) {
    2439. 

  2439. 		PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
    2440. 

  2440. 	    }
    2441. 

  2441. 	    ecpub.ecParams.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    2442. 

  2442. 	    if (ecpub.ecParams.arena == NULL) {
    2443. 

  2443. 		goto loser;
    2444. 

  2444. 	    }
    2445. 

  2445. 	    if (EC_CopyParams(ecpub.ecParams.arena, &ecpub.ecParams, ecparams)
    2446. 

  2446. 		!= SECSuccess) {
    2447. 

  2447. 		goto loser;
    2448. 

  2448. 	    }
    2449. 

  2449. 	    PORT_FreeArena(ecparams->arena, PR_FALSE);
    2450. 

  2450. 	    flen = (ecpub.ecParams.fieldID.size + 7) >> 3;
    2451. 

  2451. 	    olen = ecpub.ecParams.order.len;
    2452. 

  2452. 	    if (2*olen > sizeof sig) {
    2453. 

  2453. 		goto loser;
    2454. 

  2454. 	    }
    2455. 

  2455. 	    ecpub.publicValue.type = siBuffer;
    2456. 

  2456. 	    ecpub.publicValue.data = NULL;
    2457. 

  2457. 	    ecpub.publicValue.len = 0;
    2458. 

  2458. 	    SECITEM_AllocItem(ecpub.ecParams.arena,
    2459. 

  2459. 			      &ecpub.publicValue, 2*flen+1);
    2460. 

  2460. 	    if (ecpub.publicValue.data == NULL) {
    2461. 

  2461. 		goto loser;
    2462. 

  2462. 	    }
    2463. 

  2463. 	    ecpub.publicValue.data[0] = EC_POINT_FORM_UNCOMPRESSED;
    2464. 

  2464. 	    fputs(buf, ecdsaresp);
    2465. 

  2465. 	    continue;
    2466. 

  2466. 	}
    2467. 

  2467. 	/* Msg = ... */
    2468. 

  2468. 	if (strncmp(buf, "Msg", 3) == 0) {
    2469. 

  2469. 	    i = 3;
    2470. 

  2470. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2471. 

  2471. 		i++;
    2472. 

  2472. 	    }
    2473. 

  2473. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    2474. 

  2474. 		hex_to_byteval(&buf[i], &msg[j]);
    2475. 

  2475. 	    }
    2476. 

  2476. 	    msglen = j;
    2477. 

  2477. 	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
    2478. 

  2478. 		goto loser;
    2479. 

  2479. 	    }
    2480. 

  2480. 	    fputs(buf, ecdsaresp);
    2481. 

  2481. 

  2482. 	    digest.type = siBuffer;
    2483. 

  2483. 	    digest.data = sha1;
    2484. 

  2484. 	    digest.len = sizeof sha1;
    2485. 

  2485. 

  2486. 	    continue;
    2487. 

  2487. 	}
    2488. 

  2488. 	/* Qx = ... */
    2489. 

  2489. 	if (strncmp(buf, "Qx", 2) == 0) {
    2490. 

  2490. 	    fputs(buf, ecdsaresp);
    2491. 

  2491. 	    i = 2;
    2492. 

  2492. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2493. 

  2493. 		i++;
    2494. 

  2494. 	    }
    2495. 

  2495. 	    keyvalid = from_hex_str(&ecpub.publicValue.data[1], flen,
    2496. 

  2496. 				    &buf[i]);
    2497. 

  2497. 	    continue;
    2498. 

  2498. 	}
    2499. 

  2499. 	/* Qy = ... */
    2500. 

  2500. 	if (strncmp(buf, "Qy", 2) == 0) {
    2501. 

  2501. 	    fputs(buf, ecdsaresp);
    2502. 

  2502. 	    if (!keyvalid) {
    2503. 

  2503. 		continue;
    2504. 

  2504. 	    }
    2505. 

  2505. 	    i = 2;
    2506. 

  2506. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2507. 

  2507. 		i++;
    2508. 

  2508. 	    }
    2509. 

  2509. 	    keyvalid = from_hex_str(&ecpub.publicValue.data[1+flen], flen,
    2510. 

  2510. 				    &buf[i]);
    2511. 

  2511. 	    if (!keyvalid) {
    2512. 

  2512. 		continue;
    2513. 

  2513. 	    }
    2514. 

  2514. 	    if (EC_ValidatePublicKey(&ecpub.ecParams, &ecpub.publicValue)
    2515. 

  2515. 		!= SECSuccess) {
    2516. 

  2516. 		if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
    2517. 

  2517. 		    keyvalid = PR_FALSE;
    2518. 

  2518. 		} else {
    2519. 

  2519. 		    goto loser;
    2520. 

  2520. 		}
    2521. 

  2521. 	    }
    2522. 

  2522. 	    continue;
    2523. 

  2523. 	}
    2524. 

  2524. 	/* R = ... */
    2525. 

  2525. 	if (buf[0] == 'R') {
    2526. 

  2526. 	    fputs(buf, ecdsaresp);
    2527. 

  2527. 	    i = 1;
    2528. 

  2528. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2529. 

  2529. 		i++;
    2530. 

  2530. 	    }
    2531. 

  2531. 	    sigvalid = from_hex_str(sig, olen, &buf[i]);
    2532. 

  2532. 	    continue;
    2533. 

  2533. 	}
    2534. 

  2534. 	/* S = ... */
    2535. 

  2535. 	if (buf[0] == 'S') {
    2536. 

  2536. 	    fputs(buf, ecdsaresp);
    2537. 

  2537. 	    i = 1;
    2538. 

  2538. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2539. 

  2539. 		i++;
    2540. 

  2540. 	    }
    2541. 

  2541. 	    if (sigvalid) {
    2542. 

  2542. 		sigvalid = from_hex_str(&sig[olen], olen, &buf[i]);
    2543. 

  2543. 	    }
    2544. 

  2544. 	    signature.type = siBuffer;
    2545. 

  2545. 	    signature.data = sig;
    2546. 

  2546. 	    signature.len = 2*olen;
    2547. 

  2547. 

  2548. 	    if (!keyvalid || !sigvalid) {
    2549. 

  2549. 		fputs("Result = F\n", ecdsaresp);
    2550. 

  2550. 	    } else if (ECDSA_VerifyDigest(&ecpub, &signature, &digest)
    2551. 

  2551. 		== SECSuccess) {
    2552. 

  2552. 		fputs("Result = P\n", ecdsaresp);
    2553. 

  2553. 	    } else {
    2554. 

  2554. 		fputs("Result = F\n", ecdsaresp);
    2555. 

  2555. 	    }
    2556. 

  2556. 	    continue;
    2557. 

  2557. 	}
    2558. 

  2558.     }
    2559. 

  2559. loser:
    2560. 

  2560.     if (ecpub.ecParams.arena != NULL) {
    2561. 

  2561. 	PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
    2562. 

  2562.     }
    2563. 

  2563.     fclose(ecdsareq);
    2564. 

  2564. }
    2565. 

  2565. #endif /* NSS_ENABLE_ECC */
    2566. 

  2566. 

  2567. 

  2568. /*
    2569. 

  2569.  * Read a value from the test and allocate the result.
    2570. 

  2570.  */
    2571. 

  2571. static unsigned char *
    2572. 

  2572. alloc_value(char *buf, int *len)
    2573. 

  2573. {
    2574. 

  2574.     unsigned char * value;
    2575. 

  2575.     int i, count;
    2576. 

  2576. 

  2577.     if (strncmp(buf, "<None>", 6) == 0) {
    2578. 

  2578. 	*len = 0;
    2579. 

  2579. 	return NULL;
    2580. 

  2580.     }
    2581. 

  2581. 

  2582.     /* find the length of the number */
    2583. 

  2583.     for (count = 0; isxdigit(buf[count]); count++);
    2584. 

  2584.     *len = count/2;
    2585. 

  2585. 

  2586.     if (*len == 0) {
    2587. 

  2587. 	return NULL;
    2588. 

  2588.     }
    2589. 

  2589. 

  2590.     value = PORT_Alloc(*len);
    2591. 

  2591.     if (!value) {
    2592. 

  2592. 	*len = 0;
    2593. 

  2593. 	return NULL;
    2594. 

  2594.     }
    2595. 

  2595. 	
    2596. 

  2596.     for (i=0; i<*len; buf+=2 , i++) {
    2597. 

  2597. 	hex_to_byteval(buf, &value[i]);
    2598. 

  2598.     }
    2599. 

  2599.     return value;
    2600. 

  2600. }
    2601. 

  2601. 

  2602. PRBool
    2603. 

  2603. isblankline(char *b)
    2604. 

  2604. {
    2605. 

  2605.    while (isspace(*b)) b++;
    2606. 

  2606.    if ((*b == '\n') || (*b == 0)) {
    2607. 

  2607. 	return PR_TRUE;
    2608. 

  2608.    }
    2609. 

  2609.    return PR_FALSE;
    2610. 

  2610. }
    2611. 

  2611. 

  2612. /*
    2613. 

  2613.  * Perform the Hash_DRBG (CAVS) for the RNG algorithm
    2614. 

  2614.  *
    2615. 

  2615.  * reqfn is the pathname of the REQUEST file.
    2616. 

  2616.  *
    2617. 

  2617.  * The output RESPONSE file is written to stdout.
    2618. 

  2618.  */
    2619. 

  2619. void
    2620. 

  2620. drbg(char *reqfn)
    2621. 

  2621. {
    2622. 

  2622.     char buf[2000];   /* test case has some very long lines, returned bits
    2623. 

  2623. 		       * as high as 800 bytes (6400 bits). That 1600 byte
    2624. 

  2624. 		       * plus a tag */
    2625. 

  2625.     char buf2[2000]; 
    2626. 

  2626.     FILE *rngreq;       /* input stream from the REQUEST file */
    2627. 

  2627.     FILE *rngresp;      /* output stream to the RESPONSE file */
    2628. 

  2628.     unsigned int i;
    2629. 

  2629.     unsigned char *entropy = NULL;
    2630. 

  2630.     int entropy_len = 0;
    2631. 

  2631.     unsigned char *nonce =  NULL;
    2632. 

  2632.     int nonce_len = 0;
    2633. 

  2633.     unsigned char *personalization_string =  NULL;
    2634. 

  2634.     int ps_len = 0;
    2635. 

  2635.     unsigned char *return_bytes =  NULL;
    2636. 

  2636.     unsigned char *predicted_return_bytes = NULL;
    2637. 

  2637.     int return_bytes_len = 0;
    2638. 

  2638.     unsigned char *additional_input =  NULL;
    2639. 

  2639.     int additional_len = 0;
    2640. 

  2640.     enum { NONE, INSTANTIATE, GENERATE, RESEED, UNINSTANTIATE } command =
    2641. 

  2641. 		NONE;
    2642. 

  2642.     SECStatus rv;
    2643. 

  2643. 

  2644.     rngreq = fopen(reqfn, "r");
    2645. 

  2645.     rngresp = stdout;
    2646. 

  2646.     while (fgets(buf, sizeof buf, rngreq) != NULL) {
    2647. 

  2647. 	/* a comment, skip it. */
    2648. 

  2648. 	if (buf[0] == '#') { 
    2649. 

  2649. 	    fputs(buf, rngresp);
    2650. 

  2650. 	    continue;
    2651. 

  2651. 	}
    2652. 

  2652. 

  2653.         if (isblankline(buf)) {
    2654. 

  2654. 	    switch (command) {
    2655. 

  2655. 	    case INSTANTIATE:
    2656. 

  2656. 		rv = PRNGTEST_Instantiate(entropy, entropy_len,
    2657. 

  2657. 				      nonce, nonce_len,
    2658. 

  2658. 				      personalization_string, ps_len);
    2659. 

  2659. 		if (rv != SECSuccess) {
    2660. 

  2660. 		    goto loser;
    2661. 

  2661. 		}
    2662. 

  2662. 		/* clear */
    2663. 

  2663. 		if (entropy) {
    2664. 

  2664. 		    PORT_ZFree(entropy, entropy_len);
    2665. 

  2665. 		    entropy = NULL;
    2666. 

  2666. 		    entropy_len = 0;
    2667. 

  2667. 		}
    2668. 

  2668. 		if (nonce) {
    2669. 

  2669. 		    PORT_ZFree(nonce, nonce_len);
    2670. 

  2670. 		    nonce = NULL;
    2671. 

  2671. 		    nonce_len = 0;
    2672. 

  2672. 		}
    2673. 

  2673. 		if (personalization_string) {
    2674. 

  2674. 		    PORT_ZFree(personalization_string, ps_len);
    2675. 

  2675. 		    personalization_string = NULL;
    2676. 

  2676. 		    ps_len = 0;
    2677. 

  2677. 		}
    2678. 

  2678. 		break;
    2679. 

  2679. 	    case GENERATE:
    2680. 

  2680. 		rv = PRNGTEST_Generate(return_bytes, return_bytes_len,
    2681. 

  2681. 				      additional_input, additional_len);
    2682. 

  2682. 		if (rv != SECSuccess) {
    2683. 

  2683. 		    goto loser;
    2684. 

  2684. 		}
    2685. 

  2685. 		/* clear */
    2686. 

  2686. 		if (predicted_return_bytes) {
    2687. 

  2687. 		    fputc('+', rngresp);
    2688. 

  2688. 		}
    2689. 

  2689. 	   	fputs("Returned bits = ", rngresp);
    2690. 

  2690. 		to_hex_str(buf2, return_bytes, return_bytes_len);
    2691. 

  2691. 		fputs(buf2, rngresp);
    2692. 

  2692. 		fputc('\n', rngresp);
    2693. 

  2693. 

  2694. 		if (predicted_return_bytes) {
    2695. 

  2695. 		    if (memcmp(return_bytes, 
    2696. 

  2696. 			   predicted_return_bytes, return_bytes_len) != 0) {
    2697. 

  2697. 			fprintf(stderr, "Generate failed:\n");
    2698. 

  2698. 			fputs(  "   predicted=", stderr);
    2699. 

  2699. 			to_hex_str(buf, predicted_return_bytes, 
    2700. 

  2700. 							return_bytes_len);
    2701. 

  2701. 			fputs(buf, stderr);
    2702. 

  2702. 			fputs("\n   actual  = ", stderr);
    2703. 

  2703. 			fputs(buf2, stderr);
    2704. 

  2704. 			fputc('\n', stderr);
    2705. 

  2705. 		    }
    2706. 

  2706. 		    PORT_ZFree(predicted_return_bytes, return_bytes_len);
    2707. 

  2707. 		    predicted_return_bytes = NULL;
    2708. 

  2708. 		}
    2709. 

  2709. 			
    2710. 

  2710. 		if (return_bytes) {
    2711. 

  2711. 		    PORT_ZFree(return_bytes, return_bytes_len);
    2712. 

  2712. 		    return_bytes = NULL;
    2713. 

  2713. 		    return_bytes_len = 0;
    2714. 

  2714. 		}
    2715. 

  2715. 		if (additional_input) {
    2716. 

  2716. 		    PORT_ZFree(additional_input, additional_len);
    2717. 

  2717. 		    additional_input = NULL;
    2718. 

  2718. 		    additional_len = 0;
    2719. 

  2719. 		}
    2720. 

  2720. 		
    2721. 

  2721. 		break;
    2722. 

  2722. 	    case RESEED:
    2723. 

  2723. 		rv = PRNGTEST_Reseed(entropy, entropy_len,
    2724. 

  2724. 				      additional_input, additional_len);
    2725. 

  2725. 		if (rv != SECSuccess) {
    2726. 

  2726. 		    goto loser;
    2727. 

  2727. 		}
    2728. 

  2728. 		/* clear */
    2729. 

  2729. 		if (entropy) {
    2730. 

  2730. 		    PORT_ZFree(entropy, entropy_len);
    2731. 

  2731. 		    entropy = NULL;
    2732. 

  2732. 		    entropy_len = 0;
    2733. 

  2733. 		}
    2734. 

  2734. 		if (additional_input) {
    2735. 

  2735. 		    PORT_ZFree(additional_input, additional_len);
    2736. 

  2736. 		    additional_input = NULL;
    2737. 

  2737. 		    additional_len = 0;
    2738. 

  2738. 		}
    2739. 

  2739. 		break;
    2740. 

  2740. 	    case UNINSTANTIATE:
    2741. 

  2741. 		rv = PRNGTEST_Uninstantiate();
    2742. 

  2742. 		if (rv != SECSuccess) {
    2743. 

  2743. 		    goto loser;
    2744. 

  2744. 		}
    2745. 

  2745. 		break;
    2746. 

  2746. 	    } 
    2747. 

  2747. 	    fputs(buf, rngresp);
    2748. 

  2748. 	    command = NONE;
    2749. 

  2749. 	    continue;
    2750. 

  2750. 	}
    2751. 

  2751. 

  2752. 	/* [Hash - SHA256] */
    2753. 

  2753. 	if (buf[0] == '[') {
    2754. 

  2754. 	    fputs(buf, rngresp);
    2755. 

  2755. 	    continue;
    2756. 

  2756. 	}
    2757. 

  2757. 	/* INSTANTIATE */
    2758. 

  2758. 	if (strncmp(buf, "INSTANTIATE", 11) == 0) {
    2759. 

  2759. 	    i = 11;
    2760. 

  2760. 

  2761. 	    command = INSTANTIATE;
    2762. 

  2762. 	    fputs(buf, rngresp);
    2763. 

  2763. 	    continue;
    2764. 

  2764. 	}
    2765. 

  2765. 	/* Generate bytes */
    2766. 

  2766. 	if (strncmp(buf, "GENERATE", 8) == 0) {
    2767. 

  2767. 	    i = 8;
    2768. 

  2768. 	    while (isspace(buf[i])) {
    2769. 

  2769. 		i++;
    2770. 

  2770. 	    }
    2771. 

  2771. 	    return_bytes_len = atoi(&buf[i])/8;
    2772. 

  2772. 	    return_bytes = PORT_Alloc(return_bytes_len);
    2773. 

  2773. 	    command = GENERATE;
    2774. 

  2774. 	    fputs(buf, rngresp);
    2775. 

  2775. 	    continue;
    2776. 

  2776. 	}
    2777. 

  2777. 	if (strncmp(buf, "RESEED", 6) == 0) {
    2778. 

  2778. 	    i = 6;
    2779. 

  2779. 	    command = RESEED;
    2780. 

  2780. 	    fputs(buf, rngresp);
    2781. 

  2781. 	    continue;
    2782. 

  2782. 	}
    2783. 

  2783. 	if (strncmp(buf, "UNINSTANTIATE", 13) == 0) {
    2784. 

  2784. 	    i = 13;
    2785. 

  2785. 	    command = UNINSTANTIATE;
    2786. 

  2786. 	    fputs(buf, rngresp);
    2787. 

  2787. 	    continue;
    2788. 

  2788. 	}
    2789. 

  2789. 	/* Entropy input = ... */
    2790. 

  2790. 	if (strncmp(buf, "Entropy input", 13) == 0) {
    2791. 

  2791. 	    i = 13;
    2792. 

  2792. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2793. 

  2793. 		i++;
    2794. 

  2794. 	    }
    2795. 

  2795. 

  2796. 	    if ((command == INSTANTIATE) || (command == RESEED)) {
    2797. 

  2797. 		entropy = alloc_value(&buf[i], &entropy_len);
    2798. 

  2798. 	    }
    2799. 

  2799. 	    
    2800. 

  2800. 	    fputs(buf, rngresp);
    2801. 

  2801. 	    continue;
    2802. 

  2802. 	}
    2803. 

  2803. 	/* Nonce = ... */
    2804. 

  2804. 	if (strncmp(buf, "Nonce", 5) == 0) {
    2805. 

  2805. 	    i = 5;
    2806. 

  2806. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2807. 

  2807. 		i++;
    2808. 

  2808. 	    }
    2809. 

  2809. 

  2810. 	    if (command == INSTANTIATE) {
    2811. 

  2811. 		nonce = alloc_value(&buf[i], &nonce_len);
    2812. 

  2812. 	    }
    2813. 

  2813. 	    
    2814. 

  2814. 	    fputs(buf, rngresp);
    2815. 

  2815. 	    continue;
    2816. 

  2816. 	}
    2817. 

  2817. 	/* Personalization string = ... */
    2818. 

  2818. 	if (strncmp(buf, "Personalization string", 22) == 0) {
    2819. 

  2819. 	    i = 22;
    2820. 

  2820. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2821. 

  2821. 		i++;
    2822. 

  2822. 	    }
    2823. 

  2823. 

  2824. 	    if (command == INSTANTIATE) {
    2825. 

  2825. 		personalization_string = alloc_value(&buf[i], &ps_len);
    2826. 

  2826. 	    }
    2827. 

  2827. 	    
    2828. 

  2828. 	    fputs(buf, rngresp);
    2829. 

  2829. 	    continue;
    2830. 

  2830. 	}
    2831. 

  2831. 	/* Returned bits = ... */
    2832. 

  2832. 	if (strncmp(buf, "Returned bits", 13) == 0) {
    2833. 

  2833. 	    i = 13;
    2834. 

  2834. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2835. 

  2835. 		i++;
    2836. 

  2836. 	    }
    2837. 

  2837. 

  2838. 	    if (command == GENERATE) {
    2839. 

  2839. 		int len;
    2840. 

  2840. 		predicted_return_bytes = alloc_value(&buf[i], &len);
    2841. 

  2841. 	    }
    2842. 

  2842. 	    
    2843. 

  2843. 	    fputs(buf, rngresp);
    2844. 

  2844. 	    continue;
    2845. 

  2845. 	}
    2846. 

  2846. 	/* Additional input = ... */
    2847. 

  2847. 	if (strncmp(buf, "Additional input", 16) == 0) {
    2848. 

  2848. 	    i = 16;
    2849. 

  2849. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2850. 

  2850. 		i++;
    2851. 

  2851. 	    }
    2852. 

  2852. 

  2853. 	    if ((command == GENERATE) || (command = RESEED)) {
    2854. 

  2854. 		additional_input = alloc_value(&buf[i], &additional_len);
    2855. 

  2855. 	    }
    2856. 

  2856. 	    
    2857. 

  2857. 	    fputs(buf, rngresp);
    2858. 

  2858. 	    continue;
    2859. 

  2859. 	}
    2860. 

  2860.     }
    2861. 

  2861. loser:
    2862. 

  2862.     fclose(rngreq);
    2863. 

  2863. }
    2864. 

  2864. 

  2865. /*
    2866. 

  2866.  * Perform the RNG Variable Seed Test (VST) for the RNG algorithm
    2867. 

  2867.  * "DSA - Generation of X", used both as specified and as a generic
    2868. 

  2868.  * purpose RNG.  The presence of "Q = ..." in the REQUEST file
    2869. 

  2869.  * indicates we are using the algorithm as specified.
    2870. 

  2870.  *
    2871. 

  2871.  * reqfn is the pathname of the REQUEST file.
    2872. 

  2872.  *
    2873. 

  2873.  * The output RESPONSE file is written to stdout.
    2874. 

  2874.  */
    2875. 

  2875. void
    2876. 

  2876. rng_vst(char *reqfn)
    2877. 

  2877. {
    2878. 

  2878.     char buf[256];      /* holds one line from the input REQUEST file.
    2879. 

  2879.                          * needs to be large enough to hold the longest
    2880. 

  2880.                          * line "XSeed = <128 hex digits>\n".
    2881. 

  2881.                          */
    2882. 

  2882.     FILE *rngreq;       /* input stream from the REQUEST file */
    2883. 

  2883.     FILE *rngresp;      /* output stream to the RESPONSE file */
    2884. 

  2884.     unsigned int i, j;
    2885. 

  2885.     unsigned char Q[DSA_SUBPRIME_LEN];
    2886. 

  2886.     PRBool hasQ = PR_FALSE;
    2887. 

  2887.     unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
    2888. 

  2888.     unsigned char XKey[512/8];
    2889. 

  2889.     unsigned char XSeed[512/8];
    2890. 

  2890.     unsigned char GENX[2*SHA1_LENGTH];
    2891. 

  2891.     unsigned char DSAX[DSA_SUBPRIME_LEN];
    2892. 

  2892.     SECStatus rv;
    2893. 

  2893. 

  2894.     rngreq = fopen(reqfn, "r");
    2895. 

  2895.     rngresp = stdout;
    2896. 

  2896.     while (fgets(buf, sizeof buf, rngreq) != NULL) {
    2897. 

  2897. 	/* a comment or blank line */
    2898. 

  2898. 	if (buf[0] == '#' || buf[0] == '\n') {
    2899. 

  2899. 	    fputs(buf, rngresp);
    2900. 

  2900. 	    continue;
    2901. 

  2901. 	}
    2902. 

  2902. 	/* [Xchange - SHA1] */
    2903. 

  2903. 	if (buf[0] == '[') {
    2904. 

  2904. 	    fputs(buf, rngresp);
    2905. 

  2905. 	    continue;
    2906. 

  2906. 	}
    2907. 

  2907. 	/* Q = ... */
    2908. 

  2908. 	if (buf[0] == 'Q') {
    2909. 

  2909. 	    i = 1;
    2910. 

  2910. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2911. 

  2911. 		i++;
    2912. 

  2912. 	    }
    2913. 

  2913. 	    for (j=0; j<sizeof Q; i+=2,j++) {
    2914. 

  2914. 		hex_to_byteval(&buf[i], &Q[j]);
    2915. 

  2915. 	    }
    2916. 

  2916. 	    fputs(buf, rngresp);
    2917. 

  2917. 	    hasQ = PR_TRUE;
    2918. 

  2918. 	    continue;
    2919. 

  2919. 	}
    2920. 

  2920. 	/* "COUNT = x" begins a new data set */
    2921. 

  2921. 	if (strncmp(buf, "COUNT", 5) == 0) {
    2922. 

  2922. 	    /* zeroize the variables for the test with this data set */
    2923. 

  2923. 	    b = 0;
    2924. 

  2924. 	    memset(XKey, 0, sizeof XKey);
    2925. 

  2925. 	    memset(XSeed, 0, sizeof XSeed);
    2926. 

  2926. 	    fputs(buf, rngresp);
    2927. 

  2927. 	    continue;
    2928. 

  2928. 	}
    2929. 

  2929. 	/* b = ... */
    2930. 

  2930. 	if (buf[0] == 'b') {
    2931. 

  2931. 	    i = 1;
    2932. 

  2932. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2933. 

  2933. 		i++;
    2934. 

  2934. 	    }
    2935. 

  2935. 	    b = atoi(&buf[i]);
    2936. 

  2936. 	    if (b < 160 || b > 512 || b%8 != 0) {
    2937. 

  2937. 		goto loser;
    2938. 

  2938. 	    }
    2939. 

  2939. 	    fputs(buf, rngresp);
    2940. 

  2940. 	    continue;
    2941. 

  2941. 	}
    2942. 

  2942. 	/* XKey = ... */
    2943. 

  2943. 	if (strncmp(buf, "XKey", 4) == 0) {
    2944. 

  2944. 	    i = 4;
    2945. 

  2945. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2946. 

  2946. 		i++;
    2947. 

  2947. 	    }
    2948. 

  2948. 	    for (j=0; j<b/8; i+=2,j++) {
    2949. 

  2949. 		hex_to_byteval(&buf[i], &XKey[j]);
    2950. 

  2950. 	    }
    2951. 

  2951. 	    fputs(buf, rngresp);
    2952. 

  2952. 	    continue;
    2953. 

  2953. 	}
    2954. 

  2954. 	/* XSeed = ... */
    2955. 

  2955. 	if (strncmp(buf, "XSeed", 5) == 0) {
    2956. 

  2956. 	    i = 5;
    2957. 

  2957. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2958. 

  2958. 		i++;
    2959. 

  2959. 	    }
    2960. 

  2960. 	    for (j=0; j<b/8; i+=2,j++) {
    2961. 

  2961. 		hex_to_byteval(&buf[i], &XSeed[j]);
    2962. 

  2962. 	    }
    2963. 

  2963. 	    fputs(buf, rngresp);
    2964. 

  2964. 

  2965. 	    rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
    2966. 

  2966. 	    if (rv != SECSuccess) {
    2967. 

  2967. 		goto loser;
    2968. 

  2968. 	    }
    2969. 

  2969. 	    fputs("X = ", rngresp);
    2970. 

  2970. 	    if (hasQ) {
    2971. 

  2971. 		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
    2972. 

  2972. 		if (rv != SECSuccess) {
    2973. 

  2973. 		    goto loser;
    2974. 

  2974. 		}
    2975. 

  2975. 		to_hex_str(buf, DSAX, sizeof DSAX);
    2976. 

  2976. 	    } else {
    2977. 

  2977. 		to_hex_str(buf, GENX, sizeof GENX);
    2978. 

  2978. 	    }
    2979. 

  2979. 	    fputs(buf, rngresp);
    2980. 

  2980. 	    fputc('\n', rngresp);
    2981. 

  2981. 	    continue;
    2982. 

  2982. 	}
    2983. 

  2983.     }
    2984. 

  2984. loser:
    2985. 

  2985.     fclose(rngreq);
    2986. 

  2986. }
    2987. 

  2987. 

  2988. /*
    2989. 

  2989.  * Perform the RNG Monte Carlo Test (MCT) for the RNG algorithm
    2990. 

  2990.  * "DSA - Generation of X", used both as specified and as a generic
    2991. 

  2991.  * purpose RNG.  The presence of "Q = ..." in the REQUEST file
    2992. 

  2992.  * indicates we are using the algorithm as specified.
    2993. 

  2993.  *
    2994. 

  2994.  * reqfn is the pathname of the REQUEST file.
    2995. 

  2995.  *
    2996. 

  2996.  * The output RESPONSE file is written to stdout.
    2997. 

  2997.  */
    2998. 

  2998. void
    2999. 

  2999. rng_mct(char *reqfn)
    3000. 

  3000. {
    3001. 

  3001.     char buf[256];      /* holds one line from the input REQUEST file.
    3002. 

  3002.                          * needs to be large enough to hold the longest
    3003. 

  3003.                          * line "XSeed = <128 hex digits>\n".
    3004. 

  3004.                          */
    3005. 

  3005.     FILE *rngreq;       /* input stream from the REQUEST file */
    3006. 

  3006.     FILE *rngresp;      /* output stream to the RESPONSE file */
    3007. 

  3007.     unsigned int i, j;
    3008. 

  3008.     unsigned char Q[DSA_SUBPRIME_LEN];
    3009. 

  3009.     PRBool hasQ = PR_FALSE;
    3010. 

  3010.     unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
    3011. 

  3011.     unsigned char XKey[512/8];
    3012. 

  3012.     unsigned char XSeed[512/8];
    3013. 

  3013.     unsigned char GENX[2*SHA1_LENGTH];
    3014. 

  3014.     unsigned char DSAX[DSA_SUBPRIME_LEN];
    3015. 

  3015.     SECStatus rv;
    3016. 

  3016. 

  3017.     rngreq = fopen(reqfn, "r");
    3018. 

  3018.     rngresp = stdout;
    3019. 

  3019.     while (fgets(buf, sizeof buf, rngreq) != NULL) {
    3020. 

  3020. 	/* a comment or blank line */
    3021. 

  3021. 	if (buf[0] == '#' || buf[0] == '\n') {
    3022. 

  3022. 	    fputs(buf, rngresp);
    3023. 

  3023. 	    continue;
    3024. 

  3024. 	}
    3025. 

  3025. 	/* [Xchange - SHA1] */
    3026. 

  3026. 	if (buf[0] == '[') {
    3027. 

  3027. 	    fputs(buf, rngresp);
    3028. 

  3028. 	    continue;
    3029. 

  3029. 	}
    3030. 

  3030. 	/* Q = ... */
    3031. 

  3031. 	if (buf[0] == 'Q') {
    3032. 

  3032. 	    i = 1;
    3033. 

  3033. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3034. 

  3034. 		i++;
    3035. 

  3035. 	    }
    3036. 

  3036. 	    for (j=0; j<sizeof Q; i+=2,j++) {
    3037. 

  3037. 		hex_to_byteval(&buf[i], &Q[j]);
    3038. 

  3038. 	    }
    3039. 

  3039. 	    fputs(buf, rngresp);
    3040. 

  3040. 	    hasQ = PR_TRUE;
    3041. 

  3041. 	    continue;
    3042. 

  3042. 	}
    3043. 

  3043. 	/* "COUNT = x" begins a new data set */
    3044. 

  3044. 	if (strncmp(buf, "COUNT", 5) == 0) {
    3045. 

  3045. 	    /* zeroize the variables for the test with this data set */
    3046. 

  3046. 	    b = 0;
    3047. 

  3047. 	    memset(XKey, 0, sizeof XKey);
    3048. 

  3048. 	    memset(XSeed, 0, sizeof XSeed);
    3049. 

  3049. 	    fputs(buf, rngresp);
    3050. 

  3050. 	    continue;
    3051. 

  3051. 	}
    3052. 

  3052. 	/* b = ... */
    3053. 

  3053. 	if (buf[0] == 'b') {
    3054. 

  3054. 	    i = 1;
    3055. 

  3055. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3056. 

  3056. 		i++;
    3057. 

  3057. 	    }
    3058. 

  3058. 	    b = atoi(&buf[i]);
    3059. 

  3059. 	    if (b < 160 || b > 512 || b%8 != 0) {
    3060. 

  3060. 		goto loser;
    3061. 

  3061. 	    }
    3062. 

  3062. 	    fputs(buf, rngresp);
    3063. 

  3063. 	    continue;
    3064. 

  3064. 	}
    3065. 

  3065. 	/* XKey = ... */
    3066. 

  3066. 	if (strncmp(buf, "XKey", 4) == 0) {
    3067. 

  3067. 	    i = 4;
    3068. 

  3068. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3069. 

  3069. 		i++;
    3070. 

  3070. 	    }
    3071. 

  3071. 	    for (j=0; j<b/8; i+=2,j++) {
    3072. 

  3072. 		hex_to_byteval(&buf[i], &XKey[j]);
    3073. 

  3073. 	    }
    3074. 

  3074. 	    fputs(buf, rngresp);
    3075. 

  3075. 	    continue;
    3076. 

  3076. 	}
    3077. 

  3077. 	/* XSeed = ... */
    3078. 

  3078. 	if (strncmp(buf, "XSeed", 5) == 0) {
    3079. 

  3079. 	    unsigned int k;
    3080. 

  3080. 	    i = 5;
    3081. 

  3081. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3082. 

  3082. 		i++;
    3083. 

  3083. 	    }
    3084. 

  3084. 	    for (j=0; j<b/8; i+=2,j++) {
    3085. 

  3085. 		hex_to_byteval(&buf[i], &XSeed[j]);
    3086. 

  3086. 	    }
    3087. 

  3087. 	    fputs(buf, rngresp);
    3088. 

  3088. 

  3089. 	    for (k = 0; k < 10000; k++) {
    3090. 

  3090. 		rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
    3091. 

  3091. 		if (rv != SECSuccess) {
    3092. 

  3092. 		    goto loser;
    3093. 

  3093. 		}
    3094. 

  3094. 	    }
    3095. 

  3095. 	    fputs("X = ", rngresp);
    3096. 

  3096. 	    if (hasQ) {
    3097. 

  3097. 		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
    3098. 

  3098. 		if (rv != SECSuccess) {
    3099. 

  3099. 		    goto loser;
    3100. 

  3100. 		}
    3101. 

  3101. 		to_hex_str(buf, DSAX, sizeof DSAX);
    3102. 

  3102. 	    } else {
    3103. 

  3103. 		to_hex_str(buf, GENX, sizeof GENX);
    3104. 

  3104. 	    }
    3105. 

  3105. 	    fputs(buf, rngresp);
    3106. 

  3106. 	    fputc('\n', rngresp);
    3107. 

  3107. 	    continue;
    3108. 

  3108. 	}
    3109. 

  3109.     }
    3110. 

  3110. loser:
    3111. 

  3111.     fclose(rngreq);
    3112. 

  3112. }
    3113. 

  3113. 

  3114. /*
    3115. 

  3115.  * Calculate the SHA Message Digest 
    3116. 

  3116.  *
    3117. 

  3117.  * MD = Message digest 
    3118. 

  3118.  * MDLen = length of Message Digest and SHA_Type
    3119. 

  3119.  * msg = message to digest 
    3120. 

  3120.  * msgLen = length of message to digest
    3121. 

  3121.  */
    3122. 

  3122. SECStatus sha_calcMD(unsigned char *MD, unsigned int MDLen, unsigned char *msg, unsigned int msgLen) 
    3123. 

  3123. {    
    3124. 

  3124.     SECStatus   sha_status = SECFailure;
    3125. 

  3125. 

  3126.     if (MDLen == SHA1_LENGTH) {
    3127. 

  3127.         sha_status = SHA1_HashBuf(MD, msg, msgLen);
    3128. 

  3128.     } else if (MDLen == SHA256_LENGTH) {
    3129. 

  3129.         sha_status = SHA256_HashBuf(MD, msg, msgLen);
    3130. 

  3130.     } else if (MDLen == SHA384_LENGTH) {
    3131. 

  3131.         sha_status = SHA384_HashBuf(MD, msg, msgLen);
    3132. 

  3132.     } else if (MDLen == SHA512_LENGTH) {
    3133. 

  3133.         sha_status = SHA512_HashBuf(MD, msg, msgLen);
    3134. 

  3134.     }
    3135. 

  3135. 

  3136.     return sha_status;
    3137. 

  3137. }
    3138. 

  3138. 

  3139. /*
    3140. 

  3140.  * Perform the SHA Monte Carlo Test
    3141. 

  3141.  *
    3142. 

  3142.  * MDLen = length of Message Digest and SHA_Type
    3143. 

  3143.  * seed = input seed value
    3144. 

  3144.  * resp = is the output response file. 
    3145. 

  3145.  */
    3146. 

  3146. SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp) 
    3147. 

  3147. {
    3148. 

  3148.     int i, j;
    3149. 

  3149.     unsigned int msgLen = MDLen*3;
    3150. 

  3150.     unsigned char MD_i3[HASH_LENGTH_MAX];  /* MD[i-3] */
    3151. 

  3151.     unsigned char MD_i2[HASH_LENGTH_MAX];  /* MD[i-2] */
    3152. 

  3152.     unsigned char MD_i1[HASH_LENGTH_MAX];  /* MD[i-1] */
    3153. 

  3153.     unsigned char MD_i[HASH_LENGTH_MAX];   /* MD[i] */
    3154. 

  3154.     unsigned char msg[HASH_LENGTH_MAX*3];
    3155. 

  3155.     char buf[HASH_LENGTH_MAX*2 + 1];  /* MAX buf MD_i as a hex string */
    3156. 

  3156. 

  3157.     for (j=0; j<100; j++) {
    3158. 

  3158.         /* MD_0 = MD_1 = MD_2 = seed */
    3159. 

  3159.         memcpy(MD_i3, seed, MDLen);
    3160. 

  3160.         memcpy(MD_i2, seed, MDLen);
    3161. 

  3161.         memcpy(MD_i1, seed, MDLen);
    3162. 

  3162. 

  3163.         for (i=3; i < 1003; i++) {
    3164. 

  3164.             /* Mi = MD[i-3] || MD [i-2] || MD [i-1] */
    3165. 

  3165.             memcpy(msg, MD_i3, MDLen);
    3166. 

  3166.             memcpy(&msg[MDLen], MD_i2, MDLen);
    3167. 

  3167.             memcpy(&msg[MDLen*2], MD_i1,MDLen); 
    3168. 

  3168. 

  3169.             /* MDi = SHA(Msg) */
    3170. 

  3170.             if (sha_calcMD(MD_i, MDLen,   
    3171. 

  3171.                            msg, msgLen) != SECSuccess) {
    3172. 

  3172.                 return SECFailure;
    3173. 

  3173.             }
    3174. 

  3174. 

  3175.             /* save MD[i-3] MD[i-2]  MD[i-1] */
    3176. 

  3176.             memcpy(MD_i3, MD_i2, MDLen);
    3177. 

  3177.             memcpy(MD_i2, MD_i1, MDLen);
    3178. 

  3178.             memcpy(MD_i1, MD_i, MDLen);
    3179. 

  3179. 

  3180.         }
    3181. 

  3181. 

  3182.         /* seed = MD_i */
    3183. 

  3183.         memcpy(seed, MD_i, MDLen);
    3184. 

  3184. 

  3185.         sprintf(buf, "COUNT = %d\n", j);
    3186. 

  3186.         fputs(buf, resp);
    3187. 

  3187. 

  3188.         /* output MD_i */
    3189. 

  3189.         fputs("MD = ", resp);
    3190. 

  3190.         to_hex_str(buf, MD_i, MDLen);
    3191. 

  3191.         fputs(buf, resp);
    3192. 

  3192.         fputc('\n', resp);
    3193. 

  3193.     }
    3194. 

  3194. 

  3195.     return SECSuccess;
    3196. 

  3196. }
    3197. 

  3197. 

  3198. /*
    3199. 

  3199.  * Perform the SHA Tests.
    3200. 

  3200.  *
    3201. 

  3201.  * reqfn is the pathname of the input REQUEST file.
    3202. 

  3202.  *
    3203. 

  3203.  * The output RESPONSE file is written to stdout.
    3204. 

  3204.  */
    3205. 

  3205. void sha_test(char *reqfn) 
    3206. 

  3206. {
    3207. 

  3207.     unsigned int i, j;
    3208. 

  3208.     unsigned int MDlen;   /* the length of the Message Digest in Bytes  */
    3209. 

  3209.     unsigned int msgLen;  /* the length of the input Message in Bytes */
    3210. 

  3210.     unsigned char *msg = NULL; /* holds the message to digest.*/
    3211. 

  3211.     size_t bufSize = 25608; /*MAX buffer size */
    3212. 

  3212.     char *buf = NULL;      /* holds one line from the input REQUEST file.*/
    3213. 

  3213.     unsigned char seed[HASH_LENGTH_MAX];   /* max size of seed 64 bytes */
    3214. 

  3214.     unsigned char MD[HASH_LENGTH_MAX];     /* message digest */
    3215. 

  3215. 

  3216.     FILE *req = NULL;  /* input stream from the REQUEST file */
    3217. 

  3217.     FILE *resp;        /* output stream to the RESPONSE file */
    3218. 

  3218. 

  3219.     buf = PORT_ZAlloc(bufSize);
    3220. 

  3220.     if (buf == NULL) {
    3221. 

  3221.         goto loser;
    3222. 

  3222.     }      
    3223. 

  3223. 

  3224.     /* zeroize the variables for the test with this data set */
    3225. 

  3225.     memset(seed, 0, sizeof seed);
    3226. 

  3226. 

  3227.     req = fopen(reqfn, "r");
    3228. 

  3228.     resp = stdout;
    3229. 

  3229.     while (fgets(buf, bufSize, req) != NULL) {
    3230. 

  3230. 

  3231.         /* a comment or blank line */
    3232. 

  3232.         if (buf[0] == '#' || buf[0] == '\n') {
    3233. 

  3233.             fputs(buf, resp);
    3234. 

  3234.             continue;
    3235. 

  3235.         }
    3236. 

  3236.         /* [L = Length of the Message Digest and sha_type */
    3237. 

  3237.         if (buf[0] == '[') {
    3238. 

  3238.             if (strncmp(&buf[1], "L ", 1) == 0) {
    3239. 

  3239.                 i = 2;
    3240. 

  3240.                 while (isspace(buf[i]) || buf[i] == '=') {
    3241. 

  3241.                     i++;
    3242. 

  3242.                 }
    3243. 

  3243.                 MDlen = atoi(&buf[i]);
    3244. 

  3244.                 fputs(buf, resp);
    3245. 

  3245.                 continue;
    3246. 

  3246.             }
    3247. 

  3247.         }
    3248. 

  3248.         /* Len = Length of the Input Message Length  ... */
    3249. 

  3249.         if (strncmp(buf, "Len", 3) == 0) {
    3250. 

  3250.             i = 3;
    3251. 

  3251.             while (isspace(buf[i]) || buf[i] == '=') {
    3252. 

  3252.                 i++;
    3253. 

  3253.             }
    3254. 

  3254.             if (msg) {
    3255. 

  3255.                 PORT_ZFree(msg,msgLen);
    3256. 

  3256.                 msg = NULL;
    3257. 

  3257.             }
    3258. 

  3258.             msgLen = atoi(&buf[i]); /* in bits */
    3259. 

  3259.             if (msgLen%8 != 0) {
    3260. 

  3260.                 fprintf(stderr, "SHA tests are incorrectly configured for "
    3261. 

  3261.                     "BIT oriented implementations\n");
    3262. 

  3262.                 goto loser;
    3263. 

  3263.             }
    3264. 

  3264.             msgLen = msgLen/8; /* convert to bytes */
    3265. 

  3265.             fputs(buf, resp);
    3266. 

  3266.             msg = PORT_ZAlloc(msgLen);
    3267. 

  3267.             if (msg == NULL && msgLen != 0) {
    3268. 

  3268.                 goto loser;
    3269. 

  3269.             } 
    3270. 

  3270.             continue;
    3271. 

  3271.         }
    3272. 

  3272.         /* MSG = ... */
    3273. 

  3273.         if (strncmp(buf, "Msg", 3) == 0) {
    3274. 

  3274.             i = 3;
    3275. 

  3275.             while (isspace(buf[i]) || buf[i] == '=') {
    3276. 

  3276.                 i++;
    3277. 

  3277.             }
    3278. 

  3278.             for (j=0; j< msgLen; i+=2,j++) {
    3279. 

  3279.                 hex_to_byteval(&buf[i], &msg[j]);
    3280. 

  3280.             }
    3281. 

  3281.            fputs(buf, resp);
    3282. 

  3282.            /* calculate the Message Digest */ 
    3283. 

  3283.            memset(MD, 0, sizeof MD);
    3284. 

  3284.            if (sha_calcMD(MD, MDlen,   
    3285. 

  3285.                           msg, msgLen) != SECSuccess) {
    3286. 

  3286.                goto loser;
    3287. 

  3287.            }
    3288. 

  3288. 

  3289.            fputs("MD = ", resp);
    3290. 

  3290.            to_hex_str(buf, MD, MDlen);
    3291. 

  3291.            fputs(buf, resp);
    3292. 

  3292.            fputc('\n', resp);
    3293. 

  3293. 

  3294.            continue;
    3295. 

  3295.         }
    3296. 

  3296.         /* Seed = ... */
    3297. 

  3297.         if (strncmp(buf, "Seed", 4) == 0) {
    3298. 

  3298.             i = 4;
    3299. 

  3299.             while (isspace(buf[i]) || buf[i] == '=') {
    3300. 

  3300.                 i++;
    3301. 

  3301.             }
    3302. 

  3302.             for (j=0; j<sizeof seed; i+=2,j++) {
    3303. 

  3303.                 hex_to_byteval(&buf[i], &seed[j]);
    3304. 

  3304.             }                                     
    3305. 

  3305. 

  3306.             fputs(buf, resp);
    3307. 

  3307.             fputc('\n', resp);
    3308. 

  3308. 

  3309.             /* do the Monte Carlo test */
    3310. 

  3310.             if (sha_mct_test(MDlen, seed, resp) != SECSuccess) {
    3311. 

  3311.                 goto loser; 
    3312. 

  3312.             }
    3313. 

  3313. 

  3314.             continue;
    3315. 

  3315.         }
    3316. 

  3316.     }
    3317. 

  3317. loser:
    3318. 

  3318.     if (req) {
    3319. 

  3319.         fclose(req);
    3320. 

  3320.     }  
    3321. 

  3321.     if (buf) {
    3322. 

  3322.         PORT_ZFree(buf, bufSize);
    3323. 

  3323.     }
    3324. 

  3324.     if (msg) {
    3325. 

  3325.         PORT_ZFree(msg, msgLen);
    3326. 

  3326.     }
    3327. 

  3327. }
    3328. 

  3328. 

  3329. /****************************************************/
    3330. 

  3330. /* HMAC SHA-X calc                                  */
    3331. 

  3331. /* hmac_computed - the computed HMAC                */
    3332. 

  3332. /* hmac_length - the length of the computed HMAC    */
    3333. 

  3333. /* secret_key - secret key to HMAC                  */
    3334. 

  3334. /* secret_key_length - length of secret key,        */
    3335. 

  3335. /* message - message to HMAC                        */
    3336. 

  3336. /* message_length - length ofthe message            */
    3337. 

  3337. /****************************************************/
    3338. 

  3338. static SECStatus
    3339. 

  3339. hmac_calc(unsigned char *hmac_computed,
    3340. 

  3340.           const unsigned int hmac_length,
    3341. 

  3341.           const unsigned char *secret_key,
    3342. 

  3342.           const unsigned int secret_key_length,
    3343. 

  3343.           const unsigned char *message,
    3344. 

  3344.           const unsigned int message_length,
    3345. 

  3345.           const HASH_HashType hashAlg )
    3346. 

  3346. {
    3347. 

  3347.     SECStatus hmac_status = SECFailure;
    3348. 

  3348.     HMACContext *cx = NULL;
    3349. 

  3349.     SECHashObject *hashObj = NULL;
    3350. 

  3350.     unsigned int bytes_hashed = 0;
    3351. 

  3351. 

  3352.     hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
    3353. 

  3353.  
    3354. 

  3354.     if (!hashObj) 
    3355. 

  3355.         return( SECFailure );
    3356. 

  3356. 

  3357.     cx = HMAC_Create(hashObj, secret_key, 
    3358. 

  3358.                      secret_key_length, 
    3359. 

  3359.                      PR_TRUE);  /* PR_TRUE for in FIPS mode */
    3360. 

  3360. 

  3361.     if (cx == NULL) 
    3362. 

  3362.         return( SECFailure );
    3363. 

  3363. 

  3364.     HMAC_Begin(cx);
    3365. 

  3365.     HMAC_Update(cx, message, message_length);
    3366. 

  3366.     hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
    3367. 

  3367.                               hmac_length);
    3368. 

  3368. 

  3369.     HMAC_Destroy(cx, PR_TRUE);
    3370. 

  3370. 

  3371.     return( hmac_status );
    3372. 

  3372. }
    3373. 

  3373. 

  3374. /*
    3375. 

  3375.  * Perform the HMAC Tests.
    3376. 

  3376.  *
    3377. 

  3377.  * reqfn is the pathname of the input REQUEST file.
    3378. 

  3378.  *
    3379. 

  3379.  * The output RESPONSE file is written to stdout.
    3380. 

  3380.  */
    3381. 

  3381. void hmac_test(char *reqfn) 
    3382. 

  3382. {
    3383. 

  3383.     unsigned int i, j;
    3384. 

  3384.     size_t bufSize =      288;    /* MAX buffer size */
    3385. 

  3385.     char *buf = NULL;  /* holds one line from the input REQUEST file.*/
    3386. 

  3386.     unsigned int keyLen;          /* Key Length */  
    3387. 

  3387.     unsigned char key[140];       /* key MAX size = 140 */
    3388. 

  3388.     unsigned int msgLen = 128;    /* the length of the input  */
    3389. 

  3389.                                   /*  Message is always 128 Bytes */
    3390. 

  3390.     unsigned char *msg = NULL;    /* holds the message to digest.*/
    3391. 

  3391.     unsigned int HMACLen;         /* the length of the HMAC Bytes  */
    3392. 

  3392.     unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
    3393. 

  3393.     HASH_HashType hash_alg;       /* HMAC type */
    3394. 

  3394. 

  3395.     FILE *req = NULL;  /* input stream from the REQUEST file */
    3396. 

  3396.     FILE *resp;        /* output stream to the RESPONSE file */
    3397. 

  3397. 

  3398.     buf = PORT_ZAlloc(bufSize);
    3399. 

  3399.     if (buf == NULL) {
    3400. 

  3400.         goto loser;
    3401. 

  3401.     }      
    3402. 

  3402.     msg = PORT_ZAlloc(msgLen);
    3403. 

  3403.     memset(msg, 0, msgLen);
    3404. 

  3404.     if (msg == NULL) {
    3405. 

  3405.         goto loser;
    3406. 

  3406.     } 
    3407. 

  3407. 

  3408.     req = fopen(reqfn, "r");
    3409. 

  3409.     resp = stdout;
    3410. 

  3410.     while (fgets(buf, bufSize, req) != NULL) {
    3411. 

  3411. 

  3412.         /* a comment or blank line */
    3413. 

  3413.         if (buf[0] == '#' || buf[0] == '\n') {
    3414. 

  3414.             fputs(buf, resp);
    3415. 

  3415.             continue;
    3416. 

  3416.         }
    3417. 

  3417.         /* [L = Length of the MAC and HASH_type */
    3418. 

  3418.         if (buf[0] == '[') {
    3419. 

  3419.             if (strncmp(&buf[1], "L ", 1) == 0) {
    3420. 

  3420.                 i = 2;
    3421. 

  3421.                 while (isspace(buf[i]) || buf[i] == '=') {
    3422. 

  3422.                     i++;
    3423. 

  3423.                 }
    3424. 

  3424.                 /* HMACLen will get reused for Tlen */
    3425. 

  3425.                 HMACLen = atoi(&buf[i]);
    3426. 

  3426.                 /* set the HASH algorithm for HMAC */
    3427. 

  3427.                 if (HMACLen == SHA1_LENGTH) {
    3428. 

  3428.                     hash_alg = HASH_AlgSHA1;
    3429. 

  3429.                 } else if (HMACLen == SHA256_LENGTH) {
    3430. 

  3430.                     hash_alg = HASH_AlgSHA256;
    3431. 

  3431.                 } else if (HMACLen == SHA384_LENGTH) {
    3432. 

  3432.                     hash_alg = HASH_AlgSHA384;
    3433. 

  3433.                 } else if (HMACLen == SHA512_LENGTH) {
    3434. 

  3434.                     hash_alg = HASH_AlgSHA512;
    3435. 

  3435.                 } else {
    3436. 

  3436.                     goto loser;
    3437. 

  3437.                 }
    3438. 

  3438.                 fputs(buf, resp);
    3439. 

  3439.                 continue;
    3440. 

  3440.             }
    3441. 

  3441.         }
    3442. 

  3442.         /* Count = test iteration number*/
    3443. 

  3443.         if (strncmp(buf, "Count ", 5) == 0) {    
    3444. 

  3444.             /* count can just be put into resp file */
    3445. 

  3445.             fputs(buf, resp);
    3446. 

  3446.             /* zeroize the variables for the test with this data set */
    3447. 

  3447.             keyLen = 0; 
    3448. 

  3448.             HMACLen = 0;
    3449. 

  3449.             memset(key, 0, sizeof key);     
    3450. 

  3450.             memset(msg, 0, sizeof msg);  
    3451. 

  3451.             memset(HMAC, 0, sizeof HMAC);
    3452. 

  3452.             continue;
    3453. 

  3453.         }
    3454. 

  3454.         /* KLen = Length of the Input Secret Key ... */
    3455. 

  3455.         if (strncmp(buf, "Klen", 4) == 0) {
    3456. 

  3456.             i = 4;
    3457. 

  3457.             while (isspace(buf[i]) || buf[i] == '=') {
    3458. 

  3458.                 i++;
    3459. 

  3459.             }
    3460. 

  3460.             keyLen = atoi(&buf[i]); /* in bytes */
    3461. 

  3461.             fputs(buf, resp);
    3462. 

  3462.             continue;
    3463. 

  3463.         }
    3464. 

  3464.         /* key = the secret key for the key to MAC */
    3465. 

  3465.         if (strncmp(buf, "Key", 3) == 0) {
    3466. 

  3466.             i = 3;
    3467. 

  3467.             while (isspace(buf[i]) || buf[i] == '=') {
    3468. 

  3468.                 i++;
    3469. 

  3469.             }
    3470. 

  3470.             for (j=0; j< keyLen; i+=2,j++) {
    3471. 

  3471.                 hex_to_byteval(&buf[i], &key[j]);
    3472. 

  3472.             }
    3473. 

  3473.            fputs(buf, resp);
    3474. 

  3474.         }
    3475. 

  3475.         /* TLen = Length of the calculated HMAC */
    3476. 

  3476.         if (strncmp(buf, "Tlen", 4) == 0) {
    3477. 

  3477.             i = 4;
    3478. 

  3478.             while (isspace(buf[i]) || buf[i] == '=') {
    3479. 

  3479.                 i++;
    3480. 

  3480.             }
    3481. 

  3481.             HMACLen = atoi(&buf[i]); /* in bytes */
    3482. 

  3482.             fputs(buf, resp);
    3483. 

  3483.             continue;
    3484. 

  3484.         }
    3485. 

  3485.         /* MSG = to HMAC always 128 bytes for these tests */
    3486. 

  3486.         if (strncmp(buf, "Msg", 3) == 0) {
    3487. 

  3487.             i = 3;
    3488. 

  3488.             while (isspace(buf[i]) || buf[i] == '=') {
    3489. 

  3489.                 i++;
    3490. 

  3490.             }
    3491. 

  3491.             for (j=0; j< msgLen; i+=2,j++) {
    3492. 

  3492.                 hex_to_byteval(&buf[i], &msg[j]);
    3493. 

  3493.             }
    3494. 

  3494.            fputs(buf, resp);
    3495. 

  3495.            /* calculate the HMAC and output */ 
    3496. 

  3496.            if (hmac_calc(HMAC, HMACLen, key, keyLen,   
    3497. 

  3497.                          msg, msgLen, hash_alg) != SECSuccess) {
    3498. 

  3498.                goto loser;
    3499. 

  3499.            }
    3500. 

  3500.            fputs("MAC = ", resp);
    3501. 

  3501.            to_hex_str(buf, HMAC, HMACLen);
    3502. 

  3502.            fputs(buf, resp);
    3503. 

  3503.            fputc('\n', resp);
    3504. 

  3504.            continue;
    3505. 

  3505.         }
    3506. 

  3506.     }
    3507. 

  3507. loser:
    3508. 

  3508.     if (req) {
    3509. 

  3509.         fclose(req);
    3510. 

  3510.     }
    3511. 

  3511.     if (buf) {
    3512. 

  3512.         PORT_ZFree(buf, bufSize);
    3513. 

  3513.     }
    3514. 

  3514.     if (msg) {
    3515. 

  3515.         PORT_ZFree(msg, msgLen);
    3516. 

  3516.     }
    3517. 

  3517. }
    3518. 

  3518. 

  3519. /*
    3520. 

  3520.  * Perform the DSA Key Pair Generation Test.
    3521. 

  3521.  *
    3522. 

  3522.  * reqfn is the pathname of the REQUEST file.
    3523. 

  3523.  *
    3524. 

  3524.  * The output RESPONSE file is written to stdout.
    3525. 

  3525.  */
    3526. 

  3526. void
    3527. 

  3527. dsa_keypair_test(char *reqfn)
    3528. 

  3528. {
    3529. 

  3529.     char buf[260];       /* holds one line from the input REQUEST file
    3530. 

  3530.                          * or to the output RESPONSE file.
    3531. 

  3531.                          * 257 to hold (128 public key (x2 for HEX) + 1'\n'
    3532. 

  3532.                          */
    3533. 

  3533.     FILE *dsareq;     /* input stream from the REQUEST file */
    3534. 

  3534.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3535. 

  3535.     int N;            /* number of time to generate key pair */
    3536. 

  3536.     int modulus;
    3537. 

  3537.     int i;
    3538. 

  3538.     PQGParams *pqg = NULL;
    3539. 

  3539.     PQGVerify *vfy = NULL;
    3540. 

  3540.     int keySizeIndex;   /* index for valid key sizes */
    3541. 

  3541. 

  3542.     dsareq = fopen(reqfn, "r");
    3543. 

  3543.     dsaresp = stdout;
    3544. 

  3544.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    3545. 

  3545.         /* a comment or blank line */
    3546. 

  3546.         if (buf[0] == '#' || buf[0] == '\n') {
    3547. 

  3547.             fputs(buf, dsaresp);
    3548. 

  3548.             continue;
    3549. 

  3549.         }
    3550. 

  3550. 

  3551.         /* [Mod = x] */
    3552. 

  3552.         if (buf[0] == '[') {
    3553. 

  3553.             if(pqg!=NULL) {
    3554. 

  3554.                 PQG_DestroyParams(pqg);
    3555. 

  3555.                 pqg = NULL;
    3556. 

  3556.             }
    3557. 

  3557.             if(vfy!=NULL) {
    3558. 

  3558.                 PQG_DestroyVerify(vfy);
    3559. 

  3559.                 vfy = NULL;
    3560. 

  3560.             }
    3561. 

  3561. 

  3562.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    3563. 

  3563.                 goto loser;
    3564. 

  3564.             }
    3565. 

  3565.             fputs(buf, dsaresp);
    3566. 

  3566.             fputc('\n', dsaresp);
    3567. 

  3567. 

  3568.             /*****************************************************************
    3569. 

  3569.              * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
    3570. 

  3570.              * that points to a valid key size.
    3571. 

  3571.              */
    3572. 

  3572.             keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
    3573. 

  3573.             if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
    3574. 

  3574.                fprintf(dsaresp,
    3575. 

  3575.                     "DSA key size must be a multiple of 64 between 512 "
    3576. 

  3576.                     "and 1024, inclusive");
    3577. 

  3577.                 goto loser;
    3578. 

  3578.             }
    3579. 

  3579. 

  3580.             /* Generate the parameters P, Q, and G */
    3581. 

  3581.             if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
    3582. 

  3582.                 &pqg, &vfy) != SECSuccess) {
    3583. 

  3583.                 fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
    3584. 

  3584.                 goto loser;
    3585. 

  3585.             }
    3586. 

  3586. 

  3587.             /* output P, Q, and G */
    3588. 

  3588.             to_hex_str(buf, pqg->prime.data, pqg->prime.len);
    3589. 

  3589.             fprintf(dsaresp, "P = %s\n", buf);
    3590. 

  3590.             to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
    3591. 

  3591.             fprintf(dsaresp, "Q = %s\n", buf);
    3592. 

  3592.             to_hex_str(buf, pqg->base.data, pqg->base.len);
    3593. 

  3593.             fprintf(dsaresp, "G = %s\n\n", buf);
    3594. 

  3594.             continue;
    3595. 

  3595.         }
    3596. 

  3596.         /* N = ...*/
    3597. 

  3597.         if (buf[0] == 'N') {
    3598. 

  3598. 

  3599.             if (sscanf(buf, "N = %d", &N) != 1) {
    3600. 

  3600.                 goto loser;
    3601. 

  3601.             }
    3602. 

  3602.             /* Generate a DSA key, and output the key pair for N times */
    3603. 

  3603.             for (i = 0; i < N; i++) {
    3604. 

  3604.                 DSAPrivateKey *dsakey = NULL;
    3605. 

  3605.                 if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
    3606. 

  3606.                     fprintf(dsaresp, "ERROR: Unable to generate DSA key");
    3607. 

  3607.                     goto loser;
    3608. 

  3608.                 }
    3609. 

  3609.                 to_hex_str(buf, dsakey->privateValue.data,
    3610. 

  3610.                            dsakey->privateValue.len);
    3611. 

  3611.                 fprintf(dsaresp, "X = %s\n", buf);
    3612. 

  3612.                 to_hex_str(buf, dsakey->publicValue.data,
    3613. 

  3613.                            dsakey->publicValue.len);
    3614. 

  3614.                 fprintf(dsaresp, "Y = %s\n\n", buf);
    3615. 

  3615.                 PORT_FreeArena(dsakey->params.arena, PR_TRUE);
    3616. 

  3616.                 dsakey = NULL;
    3617. 

  3617.             }
    3618. 

  3618.             continue;
    3619. 

  3619.         }
    3620. 

  3620. 

  3621.     }
    3622. 

  3622. loser:
    3623. 

  3623.     fclose(dsareq);
    3624. 

  3624. }
    3625. 

  3625. 

  3626. /*
    3627. 

  3627.  * Perform the DSA Domain Parameter Validation Test.
    3628. 

  3628.  *
    3629. 

  3629.  * reqfn is the pathname of the REQUEST file.
    3630. 

  3630.  *
    3631. 

  3631.  * The output RESPONSE file is written to stdout.
    3632. 

  3632.  */
    3633. 

  3633. void
    3634. 

  3634. dsa_pqgver_test(char *reqfn)
    3635. 

  3635. {
    3636. 

  3636.     char buf[263];      /* holds one line from the input REQUEST file
    3637. 

  3637.                          * or to the output RESPONSE file.
    3638. 

  3638.                          * 260 to hold (128 public key (x2 for HEX) + P = ...
    3639. 

  3639.                          */
    3640. 

  3640.     FILE *dsareq;     /* input stream from the REQUEST file */
    3641. 

  3641.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3642. 

  3642.     int modulus; 
    3643. 

  3643.     unsigned int i, j;
    3644. 

  3644.     PQGParams pqg;
    3645. 

  3645.     PQGVerify vfy;
    3646. 

  3646.     unsigned int pghSize;        /* size for p, g, and h */
    3647. 

  3647. 

  3648.     dsareq = fopen(reqfn, "r");
    3649. 

  3649.     dsaresp = stdout;
    3650. 

  3650.     memset(&pqg, 0, sizeof(pqg));
    3651. 

  3651.     memset(&vfy, 0, sizeof(vfy));
    3652. 

  3652. 

  3653.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    3654. 

  3654.         /* a comment or blank line */
    3655. 

  3655.         if (buf[0] == '#' || buf[0] == '\n') {
    3656. 

  3656.             fputs(buf, dsaresp);
    3657. 

  3657.             continue;
    3658. 

  3658.         }
    3659. 

  3659. 

  3660.         /* [Mod = x] */
    3661. 

  3661.         if (buf[0] == '[') {
    3662. 

  3662. 

  3663.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    3664. 

  3664.                 goto loser;
    3665. 

  3665.             }
    3666. 

  3666. 

  3667.             if (pqg.prime.data) { /* P */
    3668. 

  3668.                 SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
    3669. 

  3669.             }
    3670. 

  3670.             if (pqg.subPrime.data) { /* Q */
    3671. 

  3671.                 SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
    3672. 

  3672.             }
    3673. 

  3673.             if (pqg.base.data) {    /* G */
    3674. 

  3674.                 SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
    3675. 

  3675.             }
    3676. 

  3676.             if (vfy.seed.data) {   /* seed */
    3677. 

  3677.                 SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
    3678. 

  3678.             }
    3679. 

  3679.             if (vfy.h.data) {     /* H */
    3680. 

  3680.                 SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
    3681. 

  3681.             }
    3682. 

  3682. 

  3683.             fputs(buf, dsaresp);
    3684. 

  3684. 

  3685.             /*calculate the size of p, g, and h then allocate items  */
    3686. 

  3686.             pghSize = modulus/8;
    3687. 

  3687.             SECITEM_AllocItem(NULL, &pqg.prime, pghSize);
    3688. 

  3688.             SECITEM_AllocItem(NULL, &pqg.base, pghSize);
    3689. 

  3689.             SECITEM_AllocItem(NULL, &vfy.h, pghSize);
    3690. 

  3690.             pqg.prime.len = pqg.base.len = vfy.h.len = pghSize;
    3691. 

  3691.             /* seed and q are always 20 bytes */
    3692. 

  3692.             SECITEM_AllocItem(NULL, &vfy.seed, 20);
    3693. 

  3693.             SECITEM_AllocItem(NULL, &pqg.subPrime, 20);
    3694. 

  3694.             vfy.seed.len = pqg.subPrime.len = 20;
    3695. 

  3695.             vfy.counter = 0;
    3696. 

  3696. 

  3697.             continue;
    3698. 

  3698.         }
    3699. 

  3699.         /* P = ... */
    3700. 

  3700.         if (buf[0] == 'P') {
    3701. 

  3701.             i = 1;
    3702. 

  3702.             while (isspace(buf[i]) || buf[i] == '=') {
    3703. 

  3703.                 i++;
    3704. 

  3704.             }
    3705. 

  3705.             for (j=0; j< pqg.prime.len; i+=2,j++) {
    3706. 

  3706.                 hex_to_byteval(&buf[i], &pqg.prime.data[j]);
    3707. 

  3707.             }
    3708. 

  3708. 

  3709.             fputs(buf, dsaresp);
    3710. 

  3710.             continue;
    3711. 

  3711.         }
    3712. 

  3712. 

  3713.         /* Q = ... */
    3714. 

  3714.         if (buf[0] == 'Q') {
    3715. 

  3715.             i = 1;
    3716. 

  3716.             while (isspace(buf[i]) || buf[i] == '=') {
    3717. 

  3717.                 i++;
    3718. 

  3718.             }
    3719. 

  3719.             for (j=0; j< pqg.subPrime.len; i+=2,j++) {
    3720. 

  3720.                 hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
    3721. 

  3721.             }
    3722. 

  3722. 

  3723.             fputs(buf, dsaresp);
    3724. 

  3724.             continue;
    3725. 

  3725.         }
    3726. 

  3726. 

  3727.         /* G = ... */
    3728. 

  3728.         if (buf[0] == 'G') {
    3729. 

  3729.             i = 1;
    3730. 

  3730.             while (isspace(buf[i]) || buf[i] == '=') {
    3731. 

  3731.                 i++;
    3732. 

  3732.             }
    3733. 

  3733.             for (j=0; j< pqg.base.len; i+=2,j++) {
    3734. 

  3734.                 hex_to_byteval(&buf[i], &pqg.base.data[j]);
    3735. 

  3735.             }
    3736. 

  3736. 

  3737.             fputs(buf, dsaresp);
    3738. 

  3738.             continue;
    3739. 

  3739.         }
    3740. 

  3740. 

  3741.         /* Seed = ... */
    3742. 

  3742.         if (strncmp(buf, "Seed", 4) == 0) {
    3743. 

  3743.             i = 4;
    3744. 

  3744.             while (isspace(buf[i]) || buf[i] == '=') {
    3745. 

  3745.                 i++;
    3746. 

  3746.             }
    3747. 

  3747.             for (j=0; j< vfy.seed.len; i+=2,j++) {
    3748. 

  3748.                 hex_to_byteval(&buf[i], &vfy.seed.data[j]);
    3749. 

  3749.             }
    3750. 

  3750. 

  3751.             fputs(buf, dsaresp);
    3752. 

  3752.             continue;
    3753. 

  3753.         }
    3754. 

  3754. 

  3755.         /* c = ... */
    3756. 

  3756.         if (buf[0] == 'c') {
    3757. 

  3757. 

  3758.             if (sscanf(buf, "c = %u", &vfy.counter) != 1) {
    3759. 

  3759.                 goto loser;
    3760. 

  3760.             }
    3761. 

  3761. 

  3762.             fputs(buf, dsaresp);
    3763. 

  3763.             continue;
    3764. 

  3764.         }
    3765. 

  3765. 

  3766.         /* H = ... */
    3767. 

  3767.         if (buf[0] == 'H') {
    3768. 

  3768.             SECStatus rv, result = SECFailure;
    3769. 

  3769. 

  3770.             i = 1;
    3771. 

  3771.             while (isspace(buf[i]) || buf[i] == '=') {
    3772. 

  3772.                 i++;
    3773. 

  3773.             }
    3774. 

  3774.             for (j=0; j< vfy.h.len; i+=2,j++) {
    3775. 

  3775.                 hex_to_byteval(&buf[i], &vfy.h.data[j]);
    3776. 

  3776.             }
    3777. 

  3777.             fputs(buf, dsaresp);
    3778. 

  3778. 

  3779.             /* Verify the Parameters */
    3780. 

  3780.             rv = PQG_VerifyParams(&pqg, &vfy, &result);
    3781. 

  3781.             if (rv != SECSuccess) {
    3782. 

  3782.                 goto loser;
    3783. 

  3783.             }
    3784. 

  3784.             if (result == SECSuccess) {
    3785. 

  3785.                 fprintf(dsaresp, "Result = P\n");
    3786. 

  3786.             } else {
    3787. 

  3787.                 fprintf(dsaresp, "Result = F\n");
    3788. 

  3788.             }
    3789. 

  3789.             continue;
    3790. 

  3790.         }
    3791. 

  3791.     }
    3792. 

  3792. loser:
    3793. 

  3793.     fclose(dsareq);
    3794. 

  3794.     if (pqg.prime.data) { /* P */
    3795. 

  3795.         SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
    3796. 

  3796.     }
    3797. 

  3797.     if (pqg.subPrime.data) { /* Q */
    3798. 

  3798.         SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
    3799. 

  3799.     }
    3800. 

  3800.     if (pqg.base.data) {    /* G */
    3801. 

  3801.         SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
    3802. 

  3802.     }
    3803. 

  3803.     if (vfy.seed.data) {   /* seed */
    3804. 

  3804.         SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
    3805. 

  3805.     }
    3806. 

  3806.     if (vfy.h.data) {     /* H */
    3807. 

  3807.         SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
    3808. 

  3808.     }
    3809. 

  3809. 

  3810. }
    3811. 

  3811. 

  3812. /*
    3813. 

  3813.  * Perform the DSA Public Key Validation Test.
    3814. 

  3814.  *
    3815. 

  3815.  * reqfn is the pathname of the REQUEST file.
    3816. 

  3816.  *
    3817. 

  3817.  * The output RESPONSE file is written to stdout.
    3818. 

  3818.  */
    3819. 

  3819. void
    3820. 

  3820. dsa_pqggen_test(char *reqfn)
    3821. 

  3821. {
    3822. 

  3822.     char buf[263];      /* holds one line from the input REQUEST file
    3823. 

  3823.                          * or to the output RESPONSE file.
    3824. 

  3824.                          * 263 to hold seed = (128 public key (x2 for HEX)
    3825. 

  3825.                          */
    3826. 

  3826.     FILE *dsareq;     /* input stream from the REQUEST file */
    3827. 

  3827.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3828. 

  3828.     int N;            /* number of times to generate parameters */
    3829. 

  3829.     int modulus; 
    3830. 

  3830.     int i;
    3831. 

  3831.     unsigned int j;
    3832. 

  3832.     PQGParams *pqg = NULL;
    3833. 

  3833.     PQGVerify *vfy = NULL;
    3834. 

  3834.     unsigned int keySizeIndex;
    3835. 

  3835. 

  3836.     dsareq = fopen(reqfn, "r");
    3837. 

  3837.     dsaresp = stdout;
    3838. 

  3838.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    3839. 

  3839.         /* a comment or blank line */
    3840. 

  3840.         if (buf[0] == '#' || buf[0] == '\n') {
    3841. 

  3841.             fputs(buf, dsaresp);
    3842. 

  3842.             continue;
    3843. 

  3843.         }
    3844. 

  3844. 

  3845.         /* [Mod = ... ] */
    3846. 

  3846.         if (buf[0] == '[') {
    3847. 

  3847. 

  3848.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    3849. 

  3849.                 goto loser;
    3850. 

  3850.             }
    3851. 

  3851. 

  3852.             fputs(buf, dsaresp);
    3853. 

  3853.             fputc('\n', dsaresp);
    3854. 

  3854. 

  3855.             /****************************************************************
    3856. 

  3856.              * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
    3857. 

  3857.              * that points to a valid key size.
    3858. 

  3858.              */
    3859. 

  3859.             keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
    3860. 

  3860.             if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
    3861. 

  3861.                fprintf(dsaresp,
    3862. 

  3862.                     "DSA key size must be a multiple of 64 between 512 "
    3863. 

  3863.                     "and 1024, inclusive");
    3864. 

  3864.                 goto loser;
    3865. 

  3865.             }
    3866. 

  3866. 

  3867.             continue;
    3868. 

  3868.         }
    3869. 

  3869.         /* N = ... */
    3870. 

  3870.         if (buf[0] == 'N') {
    3871. 

  3871. 

  3872.             if (sscanf(buf, "N = %d", &N) != 1) {
    3873. 

  3873.                 goto loser;
    3874. 

  3874.             }
    3875. 

  3875.             for (i = 0; i < N; i++) {
    3876. 

  3876.                 if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
    3877. 

  3877.                     &pqg, &vfy) != SECSuccess) {
    3878. 

  3878.                     fprintf(dsaresp,
    3879. 

  3879.                             "ERROR: Unable to generate PQG parameters");
    3880. 

  3880.                     goto loser;
    3881. 

  3881.                 }
    3882. 

  3882.                 to_hex_str(buf, pqg->prime.data, pqg->prime.len);
    3883. 

  3883.                 fprintf(dsaresp, "P = %s\n", buf);
    3884. 

  3884.                 to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
    3885. 

  3885.                 fprintf(dsaresp, "Q = %s\n", buf);
    3886. 

  3886.                 to_hex_str(buf, pqg->base.data, pqg->base.len);
    3887. 

  3887.                 fprintf(dsaresp, "G = %s\n", buf);
    3888. 

  3888.                 to_hex_str(buf, vfy->seed.data, vfy->seed.len);
    3889. 

  3889.                 fprintf(dsaresp, "Seed = %s\n", buf);
    3890. 

  3890.                 fprintf(dsaresp, "c = %d\n", vfy->counter);
    3891. 

  3891.                 to_hex_str(buf, vfy->h.data, vfy->h.len);
    3892. 

  3892.                 fputs("H = ", dsaresp);
    3893. 

  3893.                 for (j=vfy->h.len; j<pqg->prime.len; j++) {
    3894. 

  3894.                     fprintf(dsaresp, "00");
    3895. 

  3895.                 }
    3896. 

  3896.                 fprintf(dsaresp, "%s\n", buf);
    3897. 

  3897.                 fputc('\n', dsaresp);
    3898. 

  3898.                 if(pqg!=NULL) {
    3899. 

  3899.                     PQG_DestroyParams(pqg);
    3900. 

  3900.                     pqg = NULL;
    3901. 

  3901.                 }
    3902. 

  3902.                 if(vfy!=NULL) {
    3903. 

  3903.                     PQG_DestroyVerify(vfy);
    3904. 

  3904.                     vfy = NULL;
    3905. 

  3905.                 }
    3906. 

  3906.             }
    3907. 

  3907. 

  3908.             continue;
    3909. 

  3909.         }
    3910. 

  3910. 

  3911.     }
    3912. 

  3912. loser:
    3913. 

  3913.     fclose(dsareq);
    3914. 

  3914.     if(pqg!=NULL) {
    3915. 

  3915.         PQG_DestroyParams(pqg);
    3916. 

  3916.     }
    3917. 

  3917.     if(vfy!=NULL) {
    3918. 

  3918.         PQG_DestroyVerify(vfy);
    3919. 

  3919.     }
    3920. 

  3920. }
    3921. 

  3921. 

  3922. /*
    3923. 

  3923.  * Perform the DSA Signature Generation Test.
    3924. 

  3924.  *
    3925. 

  3925.  * reqfn is the pathname of the REQUEST file.
    3926. 

  3926.  *
    3927. 

  3927.  * The output RESPONSE file is written to stdout.
    3928. 

  3928.  */
    3929. 

  3929. void
    3930. 

  3930. dsa_siggen_test(char *reqfn)
    3931. 

  3931. {
    3932. 

  3932.     char buf[263];       /* holds one line from the input REQUEST file
    3933. 

  3933.                          * or to the output RESPONSE file.
    3934. 

  3934.                          * max for Msg = ....
    3935. 

  3935.                          */
    3936. 

  3936.     FILE *dsareq;     /* input stream from the REQUEST file */
    3937. 

  3937.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3938. 

  3938.     int modulus;          
    3939. 

  3939.     int i, j;
    3940. 

  3940.     PQGParams *pqg = NULL;
    3941. 

  3941.     PQGVerify *vfy = NULL;
    3942. 

  3942.     DSAPrivateKey *dsakey = NULL;
    3943. 

  3943.     int keySizeIndex;     /* index for valid key sizes */
    3944. 

  3944.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    3945. 

  3945.     unsigned char sig[DSA_SIGNATURE_LEN];
    3946. 

  3946.     SECItem digest, signature;
    3947. 

  3947. 

  3948.     dsareq = fopen(reqfn, "r");
    3949. 

  3949.     dsaresp = stdout;
    3950. 

  3950. 

  3951.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    3952. 

  3952.         /* a comment or blank line */
    3953. 

  3953.         if (buf[0] == '#' || buf[0] == '\n') {
    3954. 

  3954.             fputs(buf, dsaresp);
    3955. 

  3955.             continue;
    3956. 

  3956.         }
    3957. 

  3957. 

  3958.         /* [Mod = x] */
    3959. 

  3959.         if (buf[0] == '[') {
    3960. 

  3960.             if(pqg!=NULL) {
    3961. 

  3961.                 PQG_DestroyParams(pqg);
    3962. 

  3962.                 pqg = NULL;
    3963. 

  3963.             }
    3964. 

  3964.             if(vfy!=NULL) {
    3965. 

  3965.                 PQG_DestroyVerify(vfy);
    3966. 

  3966.                 vfy = NULL;
    3967. 

  3967.             }
    3968. 

  3968.             if (dsakey != NULL) {
    3969. 

  3969.                     PORT_FreeArena(dsakey->params.arena, PR_TRUE);
    3970. 

  3970.                     dsakey = NULL;
    3971. 

  3971.             }
    3972. 

  3972. 

  3973.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    3974. 

  3974.                 goto loser;
    3975. 

  3975.             }
    3976. 

  3976.             fputs(buf, dsaresp);
    3977. 

  3977.             fputc('\n', dsaresp);
    3978. 

  3978. 

  3979.             /****************************************************************
    3980. 

  3980.             * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
    3981. 

  3981.             * that points to a valid key size.
    3982. 

  3982.             */
    3983. 

  3983.             keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
    3984. 

  3984.             if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
    3985. 

  3985.                 fprintf(dsaresp,
    3986. 

  3986.                     "DSA key size must be a multiple of 64 between 512 "
    3987. 

  3987.                     "and 1024, inclusive");
    3988. 

  3988.                 goto loser;
    3989. 

  3989.             }
    3990. 

  3990. 

  3991.             /* Generate PQG and output PQG */
    3992. 

  3992.             if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
    3993. 

  3993.                 &pqg, &vfy) != SECSuccess) {
    3994. 

  3994.                 fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
    3995. 

  3995.                 goto loser;
    3996. 

  3996.             }
    3997. 

  3997.             to_hex_str(buf, pqg->prime.data, pqg->prime.len);
    3998. 

  3998.             fprintf(dsaresp, "P = %s\n", buf);
    3999. 

  3999.             to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
    4000. 

  4000.             fprintf(dsaresp, "Q = %s\n", buf);
    4001. 

  4001.             to_hex_str(buf, pqg->base.data, pqg->base.len);
    4002. 

  4002.             fprintf(dsaresp, "G = %s\n", buf);
    4003. 

  4003. 

  4004.             /* create DSA Key */
    4005. 

  4005.             if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
    4006. 

  4006.                 fprintf(dsaresp, "ERROR: Unable to generate DSA key");
    4007. 

  4007.                 goto loser;
    4008. 

  4008.             }
    4009. 

  4009.             continue;
    4010. 

  4010.         }
    4011. 

  4011. 

  4012.         /* Msg = ... */
    4013. 

  4013.         if (strncmp(buf, "Msg", 3) == 0) {
    4014. 

  4014.             unsigned char msg[128]; /* MAX msg 128 */
    4015. 

  4015.             unsigned int len = 0;
    4016. 

  4016. 

  4017.             memset(sha1, 0, sizeof sha1);
    4018. 

  4018.             memset(sig,  0, sizeof sig);
    4019. 

  4019. 

  4020.             i = 3;
    4021. 

  4021.             while (isspace(buf[i]) || buf[i] == '=') {
    4022. 

  4022.                 i++;
    4023. 

  4023.             }
    4024. 

  4024.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    4025. 

  4025.                 hex_to_byteval(&buf[i], &msg[j]);
    4026. 

  4026.             }
    4027. 

  4027.             if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
    4028. 

  4028.                  fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
    4029. 

  4029.                  goto loser;
    4030. 

  4030.             }
    4031. 

  4031. 

  4032.             digest.type = siBuffer;
    4033. 

  4033.             digest.data = sha1;
    4034. 

  4034.             digest.len = sizeof sha1;
    4035. 

  4035.             signature.type = siBuffer;
    4036. 

  4036.             signature.data = sig;
    4037. 

  4037.             signature.len = sizeof sig;
    4038. 

  4038. 

  4039.             if (DSA_SignDigest(dsakey, &signature, &digest) != SECSuccess) {
    4040. 

  4040.                 fprintf(dsaresp, "ERROR: Unable to generate DSA signature");
    4041. 

  4041.                 goto loser;
    4042. 

  4042.             }
    4043. 

  4043.             len = signature.len;
    4044. 

  4044.             if (len%2 != 0) {
    4045. 

  4045.                 goto loser;
    4046. 

  4046.             }
    4047. 

  4047.             len = len/2;
    4048. 

  4048. 

  4049.             /* output the orginal Msg, and generated Y, R, and S */
    4050. 

  4050.             fputs(buf, dsaresp);
    4051. 

  4051.             fputc('\n', dsaresp);
    4052. 

  4052.             to_hex_str(buf, dsakey->publicValue.data,
    4053. 

  4053.                        dsakey->publicValue.len);
    4054. 

  4054.             fprintf(dsaresp, "Y = %s\n", buf);
    4055. 

  4055.             to_hex_str(buf, &signature.data[0], len);
    4056. 

  4056.             fprintf(dsaresp, "R = %s\n", buf);
    4057. 

  4057.             to_hex_str(buf, &signature.data[len], len);
    4058. 

  4058.             fprintf(dsaresp, "S = %s\n", buf);
    4059. 

  4059.             continue;
    4060. 

  4060.         }
    4061. 

  4061. 

  4062.     }
    4063. 

  4063. loser:
    4064. 

  4064.     fclose(dsareq);
    4065. 

  4065.     if(pqg != NULL) {
    4066. 

  4066.         PQG_DestroyParams(pqg);
    4067. 

  4067.         pqg = NULL;
    4068. 

  4068.     }
    4069. 

  4069.     if(vfy != NULL) {
    4070. 

  4070.         PQG_DestroyVerify(vfy);
    4071. 

  4071.         vfy = NULL;
    4072. 

  4072.     }
    4073. 

  4073.     if (dsaKey) {
    4074. 

  4074.         PORT_FreeArena(dsakey->params.arena, PR_TRUE);
    4075. 

  4075.         dsakey = NULL;
    4076. 

  4076.     }
    4077. 

  4077. }
    4078. 

  4078. 

  4079.  /*
    4080. 

  4080.  * Perform the DSA Signature Verification Test.
    4081. 

  4081.  *
    4082. 

  4082.  * reqfn is the pathname of the REQUEST file.
    4083. 

  4083.  *
    4084. 

  4084.  * The output RESPONSE file is written to stdout.
    4085. 

  4085.  */
    4086. 

  4086. void
    4087. 

  4087. dsa_sigver_test(char *reqfn)
    4088. 

  4088. {
    4089. 

  4089.     char buf[263];       /* holds one line from the input REQUEST file
    4090. 

  4090.                          * or to the output RESPONSE file.
    4091. 

  4091.                          * max for Msg = ....
    4092. 

  4092.                          */
    4093. 

  4093.     FILE *dsareq;     /* input stream from the REQUEST file */
    4094. 

  4094.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    4095. 

  4095.     int modulus;  
    4096. 

  4096.     unsigned int i, j;
    4097. 

  4097.     SECItem digest, signature;
    4098. 

  4098.     DSAPublicKey pubkey;
    4099. 

  4099.     unsigned int pgySize;        /* size for p, g, and y */
    4100. 

  4100.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    4101. 

  4101.     unsigned char sig[DSA_SIGNATURE_LEN];
    4102. 

  4102. 

  4103.     dsareq = fopen(reqfn, "r");
    4104. 

  4104.     dsaresp = stdout;
    4105. 

  4105.     memset(&pubkey, 0, sizeof(pubkey));
    4106. 

  4106. 

  4107.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    4108. 

  4108.         /* a comment or blank line */
    4109. 

  4109.         if (buf[0] == '#' || buf[0] == '\n') {
    4110. 

  4110.             fputs(buf, dsaresp);
    4111. 

  4111.             continue;
    4112. 

  4112.         }
    4113. 

  4113. 

  4114.         /* [Mod = x] */
    4115. 

  4115.         if (buf[0] == '[') {
    4116. 

  4116. 

  4117.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4118. 

  4118.                 goto loser;
    4119. 

  4119.             }
    4120. 

  4120. 

  4121.             if (pubkey.params.prime.data) { /* P */
    4122. 

  4122.                 SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
    4123. 

  4123.             }
    4124. 

  4124.             if (pubkey.params.subPrime.data) { /* Q */
    4125. 

  4125.                 SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
    4126. 

  4126.             }
    4127. 

  4127.             if (pubkey.params.base.data) {    /* G */
    4128. 

  4128.                 SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
    4129. 

  4129.             }
    4130. 

  4130.             if (pubkey.publicValue.data) {    /* Y */
    4131. 

  4131.                 SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
    4132. 

  4132.             }
    4133. 

  4133.             fputs(buf, dsaresp);
    4134. 

  4134. 

  4135.             /* calculate the size of p, g, and y then allocate items */
    4136. 

  4136.             pgySize = modulus/8;
    4137. 

  4137.             SECITEM_AllocItem(NULL, &pubkey.params.prime, pgySize);
    4138. 

  4138.             SECITEM_AllocItem(NULL, &pubkey.params.base, pgySize);
    4139. 

  4139.             SECITEM_AllocItem(NULL, &pubkey.publicValue, pgySize);
    4140. 

  4140.             pubkey.params.prime.len = pubkey.params.base.len = pgySize;
    4141. 

  4141.             pubkey.publicValue.len = pgySize;
    4142. 

  4142. 

  4143.             /* q always 20 bytes */
    4144. 

  4144.             SECITEM_AllocItem(NULL, &pubkey.params.subPrime, 20);
    4145. 

  4145.             pubkey.params.subPrime.len = 20;
    4146. 

  4146. 

  4147.             continue;
    4148. 

  4148.         }
    4149. 

  4149.         /* P = ... */
    4150. 

  4150.         if (buf[0] == 'P') {
    4151. 

  4151.             i = 1;
    4152. 

  4152.             while (isspace(buf[i]) || buf[i] == '=') {
    4153. 

  4153.                 i++;
    4154. 

  4154.             }
    4155. 

  4155.             memset(pubkey.params.prime.data, 0, pubkey.params.prime.len);
    4156. 

  4156.             for (j=0; j< pubkey.params.prime.len; i+=2,j++) {
    4157. 

  4157.                 hex_to_byteval(&buf[i], &pubkey.params.prime.data[j]);
    4158. 

  4158.             }
    4159. 

  4159. 

  4160.             fputs(buf, dsaresp);
    4161. 

  4161.             continue;
    4162. 

  4162.         }
    4163. 

  4163. 

  4164.         /* Q = ... */
    4165. 

  4165.         if (buf[0] == 'Q') {
    4166. 

  4166.             i = 1;
    4167. 

  4167.             while (isspace(buf[i]) || buf[i] == '=') {
    4168. 

  4168.                 i++;
    4169. 

  4169.             }
    4170. 

  4170.             memset(pubkey.params.subPrime.data, 0, pubkey.params.subPrime.len);
    4171. 

  4171.             for (j=0; j< pubkey.params.subPrime.len; i+=2,j++) {
    4172. 

  4172.                 hex_to_byteval(&buf[i], &pubkey.params.subPrime.data[j]);
    4173. 

  4173.             }
    4174. 

  4174. 

  4175.             fputs(buf, dsaresp);
    4176. 

  4176.             continue;
    4177. 

  4177.         }
    4178. 

  4178. 

  4179.         /* G = ... */
    4180. 

  4180.         if (buf[0] == 'G') {
    4181. 

  4181.             i = 1;
    4182. 

  4182.             while (isspace(buf[i]) || buf[i] == '=') {
    4183. 

  4183.                 i++;
    4184. 

  4184.             }
    4185. 

  4185.             memset(pubkey.params.base.data, 0, pubkey.params.base.len);
    4186. 

  4186.             for (j=0; j< pubkey.params.base.len; i+=2,j++) {
    4187. 

  4187.                 hex_to_byteval(&buf[i], &pubkey.params.base.data[j]);
    4188. 

  4188.             }
    4189. 

  4189. 

  4190.             fputs(buf, dsaresp);
    4191. 

  4191.             continue;
    4192. 

  4192.         }
    4193. 

  4193. 

  4194.         /* Msg = ... */
    4195. 

  4195.         if (strncmp(buf, "Msg", 3) == 0) {
    4196. 

  4196.             unsigned char msg[128]; /* MAX msg 128 */
    4197. 

  4197.             memset(sha1, 0, sizeof sha1);
    4198. 

  4198. 

  4199.             i = 3;
    4200. 

  4200.             while (isspace(buf[i]) || buf[i] == '=') {
    4201. 

  4201.                 i++;
    4202. 

  4202.             }
    4203. 

  4203.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    4204. 

  4204.                 hex_to_byteval(&buf[i], &msg[j]);
    4205. 

  4205.             }
    4206. 

  4206.             if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
    4207. 

  4207.                 fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
    4208. 

  4208.                 goto loser;
    4209. 

  4209.             }
    4210. 

  4210. 

  4211.             fputs(buf, dsaresp);
    4212. 

  4212.             continue;
    4213. 

  4213.         }
    4214. 

  4214. 

  4215.         /* Y = ... */
    4216. 

  4216.         if (buf[0] == 'Y') {
    4217. 

  4217.             i = 1;
    4218. 

  4218.             while (isspace(buf[i]) || buf[i] == '=') {
    4219. 

  4219.                 i++;
    4220. 

  4220.             }
    4221. 

  4221.             memset(pubkey.publicValue.data, 0, pubkey.params.subPrime.len);
    4222. 

  4222.             for (j=0; j< pubkey.publicValue.len; i+=2,j++) {
    4223. 

  4223.                 hex_to_byteval(&buf[i], &pubkey.publicValue.data[j]);
    4224. 

  4224.             }
    4225. 

  4225. 

  4226.             fputs(buf, dsaresp);
    4227. 

  4227.             continue;
    4228. 

  4228.         }
    4229. 

  4229. 

  4230.         /* R = ... */
    4231. 

  4231.         if (buf[0] == 'R') {
    4232. 

  4232.             memset(sig,  0, sizeof sig);
    4233. 

  4233.             i = 1;
    4234. 

  4234.             while (isspace(buf[i]) || buf[i] == '=') {
    4235. 

  4235.                 i++;
    4236. 

  4236.             }
    4237. 

  4237.             for (j=0; j< DSA_SUBPRIME_LEN; i+=2,j++) {
    4238. 

  4238.                 hex_to_byteval(&buf[i], &sig[j]);
    4239. 

  4239.             }
    4240. 

  4240. 

  4241.             fputs(buf, dsaresp);
    4242. 

  4242.             continue;
    4243. 

  4243.         }
    4244. 

  4244. 

  4245.         /* S = ... */
    4246. 

  4246.         if (buf[0] == 'S') {
    4247. 

  4247.             i = 1;
    4248. 

  4248.             while (isspace(buf[i]) || buf[i] == '=') {
    4249. 

  4249.                 i++;
    4250. 

  4250.             }
    4251. 

  4251.             for (j=DSA_SUBPRIME_LEN; j< DSA_SIGNATURE_LEN; i+=2,j++) {
    4252. 

  4252.                 hex_to_byteval(&buf[i], &sig[j]);
    4253. 

  4253.             }
    4254. 

  4254.             fputs(buf, dsaresp);
    4255. 

  4255. 

  4256.             digest.type = siBuffer;
    4257. 

  4257.             digest.data = sha1;
    4258. 

  4258.             digest.len = sizeof sha1;
    4259. 

  4259.             signature.type = siBuffer;
    4260. 

  4260.             signature.data = sig;
    4261. 

  4261.             signature.len = sizeof sig;
    4262. 

  4262. 

  4263.             if (DSA_VerifyDigest(&pubkey, &signature, &digest) == SECSuccess) {
    4264. 

  4264.                 fprintf(dsaresp, "Result = P\n");
    4265. 

  4265.             } else {
    4266. 

  4266.                 fprintf(dsaresp, "Result = F\n");
    4267. 

  4267.             }
    4268. 

  4268.             continue;
    4269. 

  4269.         }
    4270. 

  4270.     }
    4271. 

  4271. loser:
    4272. 

  4272.     fclose(dsareq);
    4273. 

  4273.     if (pubkey.params.prime.data) { /* P */
    4274. 

  4274.         SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
    4275. 

  4275.     }
    4276. 

  4276.     if (pubkey.params.subPrime.data) { /* Q */
    4277. 

  4277.         SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
    4278. 

  4278.     }
    4279. 

  4279.     if (pubkey.params.base.data) {    /* G */
    4280. 

  4280.         SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
    4281. 

  4281.     }
    4282. 

  4282.     if (pubkey.publicValue.data) {    /* Y */
    4283. 

  4283.         SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
    4284. 

  4284.     }
    4285. 

  4285. }
    4286. 

  4286. 

  4287. /*
    4288. 

  4288.  * Perform the RSA Signature Generation Test.
    4289. 

  4289.  *
    4290. 

  4290.  * reqfn is the pathname of the REQUEST file.
    4291. 

  4291.  *
    4292. 

  4292.  * The output RESPONSE file is written to stdout.
    4293. 

  4293.  */
    4294. 

  4294. void
    4295. 

  4295. rsa_siggen_test(char *reqfn)
    4296. 

  4296. {
    4297. 

  4297.     char buf[2*RSA_MAX_TEST_MODULUS_BYTES+1];
    4298. 

  4298.                         /* buf holds one line from the input REQUEST file
    4299. 

  4299.                          * or to the output RESPONSE file.
    4300. 

  4300.                          * 2x for HEX output + 1 for \n
    4301. 

  4301.                          */
    4302. 

  4302.     FILE *rsareq;     /* input stream from the REQUEST file */
    4303. 

  4303.     FILE *rsaresp;    /* output stream to the RESPONSE file */
    4304. 

  4304.     int i, j;
    4305. 

  4305.     unsigned char  sha[HASH_LENGTH_MAX];    /* SHA digest */
    4306. 

  4306.     unsigned int   shaLength = 0;           /* length of SHA */
    4307. 

  4307.     HASH_HashType  shaAlg = HASH_AlgNULL;   /* type of SHA Alg */
    4308. 

  4308.     SECOidTag      shaOid = SEC_OID_UNKNOWN;
    4309. 

  4309.     int modulus;                                /* the Modulus size */
    4310. 

  4310.     int  publicExponent  = DEFAULT_RSA_PUBLIC_EXPONENT;
    4311. 

  4311.     SECItem pe = {0, 0, 0 };
    4312. 

  4312.     unsigned char pubEx[4];
    4313. 

  4313.     int peCount = 0;
    4314. 

  4314. 

  4315.     RSAPrivateKey  *rsaBlapiPrivKey = NULL;   /* holds RSA private and
    4316. 

  4316.                                               * public keys */
    4317. 

  4317.     RSAPublicKey   *rsaBlapiPublicKey = NULL; /* hold RSA public key */
    4318. 

  4318. 

  4319.     rsareq = fopen(reqfn, "r");
    4320. 

  4320.     rsaresp = stdout;
    4321. 

  4321. 

  4322.     /* calculate the exponent */
    4323. 

  4323.     for (i=0; i < 4; i++) {
    4324. 

  4324.         if (peCount || (publicExponent &
    4325. 

  4325.                 ((unsigned long)0xff000000L >> (i*8)))) {
    4326. 

  4326.             pubEx[peCount] =
    4327. 

  4327.                 (unsigned char)((publicExponent >> (3-i)*8) & 0xff);
    4328. 

  4328.             peCount++;
    4329. 

  4329.         }
    4330. 

  4330.     }
    4331. 

  4331.     pe.len = peCount;
    4332. 

  4332.     pe.data = &pubEx[0];
    4333. 

  4333.     pe.type = siBuffer;
    4334. 

  4334. 

  4335.     while (fgets(buf, sizeof buf, rsareq) != NULL) {
    4336. 

  4336.         /* a comment or blank line */
    4337. 

  4337.         if (buf[0] == '#' || buf[0] == '\n') {
    4338. 

  4338.             fputs(buf, rsaresp);
    4339. 

  4339.             continue;
    4340. 

  4340.         }
    4341. 

  4341. 

  4342.         /* [mod = ...] */
    4343. 

  4343.         if (buf[0] == '[') {
    4344. 

  4344. 

  4345.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4346. 

  4346.                 goto loser;
    4347. 

  4347.             }
    4348. 

  4348.             if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
    4349. 

  4349.                 fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
    4350. 

  4350.                 goto loser;
    4351. 

  4351.             }
    4352. 

  4352. 

  4353.             fputs(buf, rsaresp);
    4354. 

  4354. 

  4355.             if (rsaBlapiPrivKey != NULL) {
    4356. 

  4356.                 PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
    4357. 

  4357.                 rsaBlapiPrivKey = NULL;
    4358. 

  4358.                 rsaBlapiPublicKey = NULL;
    4359. 

  4359.             }
    4360. 

  4360. 

  4361.             rsaBlapiPrivKey = RSA_NewKey(modulus, &pe);
    4362. 

  4362.             if (rsaBlapiPrivKey == NULL) {
    4363. 

  4363.                 fprintf(rsaresp, "Error unable to create RSA key\n");
    4364. 

  4364.                 goto loser;
    4365. 

  4365.             }
    4366. 

  4366. 

  4367.             to_hex_str(buf, rsaBlapiPrivKey->modulus.data,
    4368. 

  4368.                        rsaBlapiPrivKey->modulus.len);
    4369. 

  4369.             fprintf(rsaresp, "\nn = %s\n\n", buf);
    4370. 

  4370.             to_hex_str(buf, rsaBlapiPrivKey->publicExponent.data,
    4371. 

  4371.                        rsaBlapiPrivKey->publicExponent.len);
    4372. 

  4372.             fprintf(rsaresp, "e = %s\n", buf);
    4373. 

  4373.             /* convert private key to public key.  Memory
    4374. 

  4374.              * is freed with private key's arena  */
    4375. 

  4375.             rsaBlapiPublicKey = (RSAPublicKey *)PORT_ArenaAlloc(
    4376. 

  4376.                                                   rsaBlapiPrivKey->arena,
    4377. 

  4377.                                                   sizeof(RSAPublicKey));
    4378. 

  4378. 

  4379.             rsaBlapiPublicKey->modulus.len = rsaBlapiPrivKey->modulus.len;
    4380. 

  4380.             rsaBlapiPublicKey->modulus.data = rsaBlapiPrivKey->modulus.data;
    4381. 

  4381.             rsaBlapiPublicKey->publicExponent.len =
    4382. 

  4382.                 rsaBlapiPrivKey->publicExponent.len;
    4383. 

  4383.             rsaBlapiPublicKey->publicExponent.data =
    4384. 

  4384.                 rsaBlapiPrivKey->publicExponent.data;
    4385. 

  4385.             continue;
    4386. 

  4386.         }
    4387. 

  4387. 

  4388.         /* SHAAlg = ... */
    4389. 

  4389.         if (strncmp(buf, "SHAAlg", 6) == 0) {
    4390. 

  4390.            i = 6;
    4391. 

  4391.            while (isspace(buf[i]) || buf[i] == '=') {
    4392. 

  4392.                i++;
    4393. 

  4393.            }
    4394. 

  4394.            /* set the SHA Algorithm */
    4395. 

  4395.            if (strncmp(&buf[i], "SHA1", 4) == 0) {
    4396. 

  4396.                 shaAlg = HASH_AlgSHA1;
    4397. 

  4397.            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
    4398. 

  4398.                 shaAlg = HASH_AlgSHA256;
    4399. 

  4399.            } else if (strncmp(&buf[i], "SHA384", 6)== 0) {
    4400. 

  4400.                shaAlg = HASH_AlgSHA384;
    4401. 

  4401.            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
    4402. 

  4402.                shaAlg = HASH_AlgSHA512;
    4403. 

  4403.            } else {
    4404. 

  4404.                fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
    4405. 

  4405.                goto loser;
    4406. 

  4406.            }
    4407. 

  4407.            fputs(buf, rsaresp);
    4408. 

  4408.            continue;
    4409. 

  4409. 

  4410.         }
    4411. 

  4411.         /* Msg = ... */
    4412. 

  4412.         if (strncmp(buf, "Msg", 3) == 0) {
    4413. 

  4413. 

  4414.             unsigned char msg[128]; /* MAX msg 128 */
    4415. 

  4415.             unsigned int rsa_bytes_signed;
    4416. 

  4416.             unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
    4417. 

  4417.             SECStatus       rv = SECFailure;
    4418. 

  4418.             NSSLOWKEYPublicKey  * rsa_public_key;
    4419. 

  4419.             NSSLOWKEYPrivateKey * rsa_private_key;
    4420. 

  4420.             NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
    4421. 

  4421.                                                 NSSLOWKEYRSAKey, };
    4422. 

  4422.             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
    4423. 

  4423.                                                 NSSLOWKEYRSAKey, };
    4424. 

  4424. 

  4425.             low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
    4426. 

  4426.             low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
    4427. 

  4427. 

  4428.             rsa_private_key = &low_RSA_private_key;
    4429. 

  4429.             rsa_public_key = &low_RSA_public_key;
    4430. 

  4430. 

  4431.             memset(sha, 0, sizeof sha);
    4432. 

  4432.             memset(msg, 0, sizeof msg);
    4433. 

  4433.             rsa_bytes_signed = 0;
    4434. 

  4434.             memset(rsa_computed_signature, 0, sizeof rsa_computed_signature);
    4435. 

  4435. 

  4436.             i = 3;
    4437. 

  4437.             while (isspace(buf[i]) || buf[i] == '=') {
    4438. 

  4438.                 i++;
    4439. 

  4439.             }
    4440. 

  4440.             for (j=0; isxdigit(buf[i]) && j < sizeof(msg); i+=2,j++) {
    4441. 

  4441.                 hex_to_byteval(&buf[i], &msg[j]);
    4442. 

  4442.             }
    4443. 

  4443. 

  4444.             if (shaAlg == HASH_AlgSHA1) {
    4445. 

  4445.                 if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
    4446. 

  4446.                      fprintf(rsaresp, "ERROR: Unable to generate SHA1");
    4447. 

  4447.                      goto loser;
    4448. 

  4448.                 }
    4449. 

  4449.                 shaLength = SHA1_LENGTH;
    4450. 

  4450.                 shaOid = SEC_OID_SHA1;
    4451. 

  4451.             } else if (shaAlg == HASH_AlgSHA256) {
    4452. 

  4452.                 if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
    4453. 

  4453.                      fprintf(rsaresp, "ERROR: Unable to generate SHA256");
    4454. 

  4454.                      goto loser;
    4455. 

  4455.                 }
    4456. 

  4456.                 shaLength = SHA256_LENGTH;
    4457. 

  4457.                 shaOid = SEC_OID_SHA256;
    4458. 

  4458.             } else if (shaAlg == HASH_AlgSHA384) {
    4459. 

  4459.                 if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
    4460. 

  4460.                      fprintf(rsaresp, "ERROR: Unable to generate SHA384");
    4461. 

  4461.                      goto loser;
    4462. 

  4462.                 }
    4463. 

  4463.                 shaLength = SHA384_LENGTH;
    4464. 

  4464.                 shaOid = SEC_OID_SHA384;
    4465. 

  4465.             } else if (shaAlg == HASH_AlgSHA512) {
    4466. 

  4466.                 if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
    4467. 

  4467.                      fprintf(rsaresp, "ERROR: Unable to generate SHA512");
    4468. 

  4468.                      goto loser;
    4469. 

  4469.                 }
    4470. 

  4470.                 shaLength = SHA512_LENGTH;
    4471. 

  4471.                 shaOid = SEC_OID_SHA512;
    4472. 

  4472.             } else {
    4473. 

  4473.                 fprintf(rsaresp, "ERROR: SHAAlg not defined.");
    4474. 

  4474.                 goto loser;
    4475. 

  4475.             }
    4476. 

  4476. 

  4477.             /* Perform RSA signature with the RSA private key. */
    4478. 

  4478.             rv = RSA_HashSign( shaOid,
    4479. 

  4479.                                rsa_private_key,
    4480. 

  4480.                                rsa_computed_signature,
    4481. 

  4481.                                &rsa_bytes_signed,
    4482. 

  4482.                                nsslowkey_PrivateModulusLen(rsa_private_key),
    4483. 

  4483.                                sha,
    4484. 

  4484.                                shaLength);
    4485. 

  4485. 

  4486.             if( rv != SECSuccess ) {
    4487. 

  4487.                  fprintf(rsaresp, "ERROR: RSA_HashSign failed");
    4488. 

  4488.                  goto loser;
    4489. 

  4489.             }
    4490. 

  4490. 

  4491.             /* Output the signature */
    4492. 

  4492.             fputs(buf, rsaresp);
    4493. 

  4493.             to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
    4494. 

  4494.             fprintf(rsaresp, "S = %s\n", buf);
    4495. 

  4495. 

  4496.             /* Perform RSA verification with the RSA public key. */
    4497. 

  4497.             rv = RSA_HashCheckSign( shaOid,
    4498. 

  4498.                                     rsa_public_key,
    4499. 

  4499.                                     rsa_computed_signature,
    4500. 

  4500.                                     rsa_bytes_signed,
    4501. 

  4501.                                     sha,
    4502. 

  4502.                                     shaLength);
    4503. 

  4503.             if( rv != SECSuccess ) {
    4504. 

  4504.                  fprintf(rsaresp, "ERROR: RSA_HashCheckSign failed");
    4505. 

  4505.                  goto loser;
    4506. 

  4506.             }
    4507. 

  4507.             continue;
    4508. 

  4508.         }
    4509. 

  4509.     }
    4510. 

  4510. loser:
    4511. 

  4511.     fclose(rsareq);
    4512. 

  4512. 

  4513.     if (rsaBlapiPrivKey != NULL) {
    4514. 

  4514.         /* frees private and public key */
    4515. 

  4515.         PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
    4516. 

  4516.         rsaBlapiPrivKey = NULL;
    4517. 

  4517.         rsaBlapiPublicKey = NULL;
    4518. 

  4518.     }
    4519. 

  4519. 

  4520. }
    4521. 

  4521. /*
    4522. 

  4522.  * Perform the RSA Signature Verification Test.
    4523. 

  4523.  *
    4524. 

  4524.  * reqfn is the pathname of the REQUEST file.
    4525. 

  4525.  *
    4526. 

  4526.  * The output RESPONSE file is written to stdout.
    4527. 

  4527.  */
    4528. 

  4528. void
    4529. 

  4529. rsa_sigver_test(char *reqfn)
    4530. 

  4530. {
    4531. 

  4531.     char buf[2*RSA_MAX_TEST_MODULUS_BYTES+7];
    4532. 

  4532.                         /* buf holds one line from the input REQUEST file
    4533. 

  4533.                          * or to the output RESPONSE file.
    4534. 

  4534.                          * s = 2x for HEX output + 1 for \n
    4535. 

  4535.                          */
    4536. 

  4536.     FILE *rsareq;     /* input stream from the REQUEST file */
    4537. 

  4537.     FILE *rsaresp;    /* output stream to the RESPONSE file */
    4538. 

  4538.     int i, j;
    4539. 

  4539.     unsigned char   sha[HASH_LENGTH_MAX];   /* SHA digest */
    4540. 

  4540.     unsigned int    shaLength = 0;              /* actual length of the digest */
    4541. 

  4541.     HASH_HashType   shaAlg = HASH_AlgNULL;
    4542. 

  4542.     SECOidTag       shaOid = SEC_OID_UNKNOWN;
    4543. 

  4543.     int modulus = 0;                            /* the Modulus size */
    4544. 

  4544.     unsigned char   signature[513];    /* largest signature size + '\n' */
    4545. 

  4545.     unsigned int    signatureLength = 0;   /* actual length of the signature */
    4546. 

  4546.     PRBool keyvalid = PR_TRUE;
    4547. 

  4547. 

  4548.     RSAPublicKey   rsaBlapiPublicKey; /* hold RSA public key */
    4549. 

  4549. 

  4550.     rsareq = fopen(reqfn, "r");
    4551. 

  4551.     rsaresp = stdout;
    4552. 

  4552.     memset(&rsaBlapiPublicKey, 0, sizeof(RSAPublicKey));
    4553. 

  4553. 

  4554.     while (fgets(buf, sizeof buf, rsareq) != NULL) {
    4555. 

  4555.         /* a comment or blank line */
    4556. 

  4556.         if (buf[0] == '#' || buf[0] == '\n') {
    4557. 

  4557.             fputs(buf, rsaresp);
    4558. 

  4558.             continue;
    4559. 

  4559.         }
    4560. 

  4560. 

  4561.         /* [Mod = ...] */
    4562. 

  4562.         if (buf[0] == '[') {
    4563. 

  4563.             unsigned int flen;  /* length in bytes of the field size */
    4564. 

  4564. 

  4565.             if (rsaBlapiPublicKey.modulus.data) { /* n */
    4566. 

  4566.                 SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
    4567. 

  4567.             }
    4568. 

  4568.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4569. 

  4569.                 goto loser;
    4570. 

  4570.             }
    4571. 

  4571. 

  4572.             if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
    4573. 

  4573.                 fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
    4574. 

  4574.                 goto loser;
    4575. 

  4575.             }
    4576. 

  4576. 

  4577.             fputs(buf, rsaresp);
    4578. 

  4578. 

  4579.             signatureLength = flen = modulus/8;
    4580. 

  4580. 

  4581.             SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.modulus, flen);
    4582. 

  4582.             if (rsaBlapiPublicKey.modulus.data == NULL) {
    4583. 

  4583.                 goto loser;
    4584. 

  4584.             }
    4585. 

  4585.             continue;
    4586. 

  4586.         }
    4587. 

  4587. 

  4588.         /* n = ... modulus */
    4589. 

  4589.         if (buf[0] == 'n') {
    4590. 

  4590.             i = 1;
    4591. 

  4591.             while (isspace(buf[i]) || buf[i] == '=') {
    4592. 

  4592.                 i++;
    4593. 

  4593.             }
    4594. 

  4594.             keyvalid = from_hex_str(&rsaBlapiPublicKey.modulus.data[0],
    4595. 

  4595.                                     rsaBlapiPublicKey.modulus.len,
    4596. 

  4596.                                     &buf[i]);
    4597. 

  4597. 

  4598.             if (!keyvalid) {
    4599. 

  4599.                 fprintf(rsaresp, "ERROR: rsa_sigver n not valid.\n");
    4600. 

  4600.                                  goto loser;
    4601. 

  4601.             }
    4602. 

  4602.             fputs(buf, rsaresp);
    4603. 

  4603.             continue;
    4604. 

  4604.         }
    4605. 

  4605. 

  4606.         /* SHAAlg = ... */
    4607. 

  4607.         if (strncmp(buf, "SHAAlg", 6) == 0) {
    4608. 

  4608.            i = 6;
    4609. 

  4609.            while (isspace(buf[i]) || buf[i] == '=') {
    4610. 

  4610.                i++;
    4611. 

  4611.            }
    4612. 

  4612.            /* set the SHA Algorithm */
    4613. 

  4613.            if (strncmp(&buf[i], "SHA1", 4) == 0) {
    4614. 

  4614.                 shaAlg = HASH_AlgSHA1;
    4615. 

  4615.            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
    4616. 

  4616.                 shaAlg = HASH_AlgSHA256;
    4617. 

  4617.            } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
    4618. 

  4618.                shaAlg = HASH_AlgSHA384;
    4619. 

  4619.            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
    4620. 

  4620.                shaAlg = HASH_AlgSHA512;
    4621. 

  4621.            } else {
    4622. 

  4622.                fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
    4623. 

  4623.                goto loser;
    4624. 

  4624.            }
    4625. 

  4625.            fputs(buf, rsaresp);
    4626. 

  4626.            continue;
    4627. 

  4627.         }
    4628. 

  4628. 

  4629.         /* e = ... public Key */
    4630. 

  4630.         if (buf[0] == 'e') {
    4631. 

  4631.             unsigned char data[RSA_MAX_TEST_EXPONENT_BYTES];
    4632. 

  4632.             unsigned char t;
    4633. 

  4633. 

  4634.             memset(data, 0, sizeof data);
    4635. 

  4635. 

  4636.             if (rsaBlapiPublicKey.publicExponent.data) { /* e */
    4637. 

  4637.                 SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
    4638. 

  4638.             }
    4639. 

  4639. 

  4640.             i = 1;
    4641. 

  4641.             while (isspace(buf[i]) || buf[i] == '=') {
    4642. 

  4642.                 i++;
    4643. 

  4643.             }
    4644. 

  4644.             /* skip leading zero's */
    4645. 

  4645.             while (isxdigit(buf[i])) {
    4646. 

  4646.                 hex_to_byteval(&buf[i], &t);
    4647. 

  4647.                 if (t == 0) {
    4648. 

  4648.                     i+=2;
    4649. 

  4649.                 } else break;
    4650. 

  4650.             }
    4651. 

  4651.         
    4652. 

  4652.             /* get the exponent */
    4653. 

  4653.             for (j=0; isxdigit(buf[i]) && j < sizeof data; i+=2,j++) {
    4654. 

  4654.                 hex_to_byteval(&buf[i], &data[j]);
    4655. 

  4655.             }
    4656. 

  4656. 

  4657.             if (j == 0) { j = 1; }  /* to handle 1 byte length exponents */
    4658. 

  4658. 

  4659.             SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.publicExponent,  j);
    4660. 

  4660.             if (rsaBlapiPublicKey.publicExponent.data == NULL) {
    4661. 

  4661.                 goto loser;
    4662. 

  4662.             }
    4663. 

  4663. 

  4664.             for (i=0; i < j; i++) {
    4665. 

  4665.                 rsaBlapiPublicKey.publicExponent.data[i] = data[i];
    4666. 

  4666.             }
    4667. 

  4667. 

  4668.             fputs(buf, rsaresp);
    4669. 

  4669.             continue;
    4670. 

  4670.         }
    4671. 

  4671. 

  4672.         /* Msg = ... */
    4673. 

  4673.         if (strncmp(buf, "Msg", 3) == 0) {
    4674. 

  4674.             unsigned char msg[128]; /* MAX msg 128 */
    4675. 

  4675. 

  4676.             memset(sha, 0, sizeof sha);
    4677. 

  4677.             memset(msg, 0, sizeof msg);
    4678. 

  4678. 

  4679.             i = 3;
    4680. 

  4680.             while (isspace(buf[i]) || buf[i] == '=') {
    4681. 

  4681.                 i++;
    4682. 

  4682.             }
    4683. 

  4683. 

  4684.             for (j=0; isxdigit(buf[i]) && j < sizeof msg; i+=2,j++) {
    4685. 

  4685.                 hex_to_byteval(&buf[i], &msg[j]);
    4686. 

  4686.             }
    4687. 

  4687. 

  4688.             if (shaAlg == HASH_AlgSHA1) {
    4689. 

  4689.                 if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
    4690. 

  4690.                      fprintf(rsaresp, "ERROR: Unable to generate SHA1");
    4691. 

  4691.                      goto loser;
    4692. 

  4692.                 }
    4693. 

  4693.                 shaLength = SHA1_LENGTH;
    4694. 

  4694.                 shaOid = SEC_OID_SHA1;
    4695. 

  4695.             } else if (shaAlg == HASH_AlgSHA256) {
    4696. 

  4696.                 if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
    4697. 

  4697.                      fprintf(rsaresp, "ERROR: Unable to generate SHA256");
    4698. 

  4698.                      goto loser;
    4699. 

  4699.                 }
    4700. 

  4700.                 shaLength = SHA256_LENGTH;
    4701. 

  4701.                 shaOid = SEC_OID_SHA256;
    4702. 

  4702.             } else if (shaAlg == HASH_AlgSHA384) {
    4703. 

  4703.                 if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
    4704. 

  4704.                      fprintf(rsaresp, "ERROR: Unable to generate SHA384");
    4705. 

  4705.                      goto loser;
    4706. 

  4706.                 }
    4707. 

  4707.                 shaLength = SHA384_LENGTH;
    4708. 

  4708.                 shaOid = SEC_OID_SHA384;
    4709. 

  4709.             } else if (shaAlg == HASH_AlgSHA512) {
    4710. 

  4710.                 if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
    4711. 

  4711.                      fprintf(rsaresp, "ERROR: Unable to generate SHA512");
    4712. 

  4712.                      goto loser;
    4713. 

  4713.                 }
    4714. 

  4714.                 shaLength = SHA512_LENGTH;
    4715. 

  4715.                 shaOid = SEC_OID_SHA512;
    4716. 

  4716.             } else {
    4717. 

  4717.                 fprintf(rsaresp, "ERROR: SHAAlg not defined.");
    4718. 

  4718.                 goto loser;
    4719. 

  4719.             }
    4720. 

  4720. 

  4721.             fputs(buf, rsaresp);
    4722. 

  4722.             continue;
    4723. 

  4723. 

  4724.         }
    4725. 

  4725. 

  4726.         /* S = ... */
    4727. 

  4727.         if (buf[0] == 'S') {
    4728. 

  4728.             SECStatus rv = SECFailure;
    4729. 

  4729.             NSSLOWKEYPublicKey  * rsa_public_key;
    4730. 

  4730.             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
    4731. 

  4731.                                                   NSSLOWKEYRSAKey, };
    4732. 

  4732. 

  4733.             /* convert to a low RSA public key */
    4734. 

  4734.             low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
    4735. 

  4735.             rsa_public_key = &low_RSA_public_key;
    4736. 

  4736. 

  4737.             memset(signature, 0, sizeof(signature));
    4738. 

  4738.             i = 1;
    4739. 

  4739.             while (isspace(buf[i]) || buf[i] == '=') {
    4740. 

  4740.                 i++;
    4741. 

  4741.             }
    4742. 

  4742. 

  4743.             for (j=0; isxdigit(buf[i]) && j < sizeof signature; i+=2,j++) {
    4744. 

  4744.                 hex_to_byteval(&buf[i], &signature[j]);
    4745. 

  4745.             }
    4746. 

  4746. 

  4747.             signatureLength = j;
    4748. 

  4748.             fputs(buf, rsaresp);
    4749. 

  4749. 

  4750.             /* Perform RSA verification with the RSA public key. */
    4751. 

  4751.             rv = RSA_HashCheckSign( shaOid,
    4752. 

  4752.                                     rsa_public_key,
    4753. 

  4753.                                     signature,
    4754. 

  4754.                                     signatureLength,
    4755. 

  4755.                                     sha,
    4756. 

  4756.                                     shaLength);
    4757. 

  4757.             if( rv == SECSuccess ) {
    4758. 

  4758.                 fputs("Result = P\n", rsaresp);
    4759. 

  4759.             } else {
    4760. 

  4760.                 fputs("Result = F\n", rsaresp);
    4761. 

  4761.             }
    4762. 

  4762.             continue;
    4763. 

  4763.         }
    4764. 

  4764.     }
    4765. 

  4765. loser:
    4766. 

  4766.     fclose(rsareq);
    4767. 

  4767.     if (rsaBlapiPublicKey.modulus.data) { /* n */
    4768. 

  4768.         SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
    4769. 

  4769.     }
    4770. 

  4770.     if (rsaBlapiPublicKey.publicExponent.data) { /* e */
    4771. 

  4771.         SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
    4772. 

  4772.     }
    4773. 

  4773. }
    4774. 

  4774. 

  4775. int main(int argc, char **argv)
    4776. 

  4776. {
    4777. 

  4777.     if (argc < 2) exit (-1);
    4778. 

  4778.     NSS_NoDB_Init(NULL);
    4779. 

  4779.     /*************/
    4780. 

  4780.     /*   TDEA    */
    4781. 

  4781.     /*************/
    4782. 

  4782.     if (strcmp(argv[1], "tdea") == 0) {
    4783. 

  4783.         /* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
    4784. 

  4784.         if (strcmp(argv[2], "kat") == 0) {
    4785. 

  4785.             /* Known Answer Test (KAT) */
    4786. 

  4786.             tdea_kat_mmt(argv[4]);     
    4787. 

  4787.         } else if (strcmp(argv[2], "mmt") == 0) {
    4788. 

  4788.             /* Multi-block Message Test (MMT) */
    4789. 

  4789.                 tdea_kat_mmt(argv[4]);
    4790. 

  4790.         } else if (strcmp(argv[2], "mct") == 0) {
    4791. 

  4791.                 /* Monte Carlo Test (MCT) */
    4792. 

  4792.                 if (strcmp(argv[3], "ecb") == 0) {
    4793. 

  4793.                     /* ECB mode */
    4794. 

  4794.                     tdea_mct(NSS_DES_EDE3, argv[4]); 
    4795. 

  4795.                 } else if (strcmp(argv[3], "cbc") == 0) {
    4796. 

  4796.                     /* CBC mode */
    4797. 

  4797.                     tdea_mct(NSS_DES_EDE3_CBC, argv[4]);
    4798. 

  4798.                 }
    4799. 

  4799.         }
    4800. 

  4800.     /*************/
    4801. 

  4801.     /*   AES     */
    4802. 

  4802.     /*************/
    4803. 

  4803.     } else if (strcmp(argv[1], "aes") == 0) {
    4804. 

  4804. 	/* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
    4805. 

  4805. 	if (       strcmp(argv[2], "kat") == 0) {
    4806. 

  4806. 	    /* Known Answer Test (KAT) */
    4807. 

  4807. 	    aes_kat_mmt(argv[4]);
    4808. 

  4808. 	} else if (strcmp(argv[2], "mmt") == 0) {
    4809. 

  4809. 	    /* Multi-block Message Test (MMT) */
    4810. 

  4810. 	    aes_kat_mmt(argv[4]);
    4811. 

  4811. 	} else if (strcmp(argv[2], "mct") == 0) {
    4812. 

  4812. 	    /* Monte Carlo Test (MCT) */
    4813. 

  4813. 	    if (       strcmp(argv[3], "ecb") == 0) {
    4814. 

  4814. 		/* ECB mode */
    4815. 

  4815. 		aes_ecb_mct(argv[4]);
    4816. 

  4816. 	    } else if (strcmp(argv[3], "cbc") == 0) {
    4817. 

  4817. 		/* CBC mode */
    4818. 

  4818. 		aes_cbc_mct(argv[4]);
    4819. 

  4819. 	    }
    4820. 

  4820. 	}
    4821. 

  4821.     /*************/
    4822. 

  4822.     /*   SHA     */
    4823. 

  4823.     /*************/
    4824. 

  4824.     } else if (strcmp(argv[1], "sha") == 0) {
    4825. 

  4825.         sha_test(argv[2]);
    4826. 

  4826.     /*************/
    4827. 

  4827.     /*   RSA     */
    4828. 

  4828.     /*************/
    4829. 

  4829.     } else if (strcmp(argv[1], "rsa") == 0) {
    4830. 

  4830.         /* argv[2]=siggen|sigver */
    4831. 

  4831.         /* argv[3]=<test name>.req */
    4832. 

  4832.         if (strcmp(argv[2], "siggen") == 0) {
    4833. 

  4833.             /* Signature Generation Test */
    4834. 

  4834.             rsa_siggen_test(argv[3]);
    4835. 

  4835.         } else if (strcmp(argv[2], "sigver") == 0) {
    4836. 

  4836.             /* Signature Verification Test */
    4837. 

  4837.             rsa_sigver_test(argv[3]);
    4838. 

  4838.         }
    4839. 

  4839.     /*************/
    4840. 

  4840.     /*   HMAC    */
    4841. 

  4841.     /*************/
    4842. 

  4842.     } else if (strcmp(argv[1], "hmac") == 0) {
    4843. 

  4843.         hmac_test(argv[2]);
    4844. 

  4844.     /*************/
    4845. 

  4845.     /*   DSA     */
    4846. 

  4846.     /*************/
    4847. 

  4847.     } else if (strcmp(argv[1], "dsa") == 0) {
    4848. 

  4848.         /* argv[2]=keypair|pqggen|pqgver|siggen|sigver */
    4849. 

  4849.         /* argv[3]=<test name>.req */
    4850. 

  4850.         if (strcmp(argv[2], "keypair") == 0) {
    4851. 

  4851.             /* Key Pair Generation Test */
    4852. 

  4852.             dsa_keypair_test(argv[3]);
    4853. 

  4853.         } else if (strcmp(argv[2], "pqggen") == 0) {
    4854. 

  4854.         /* Domain Parameter Generation Test */
    4855. 

  4855.             dsa_pqggen_test(argv[3]);
    4856. 

  4856.         } else if (strcmp(argv[2], "pqgver") == 0) {
    4857. 

  4857.                 /* Domain Parameter Validation Test */
    4858. 

  4858.             dsa_pqgver_test(argv[3]);
    4859. 

  4859.         } else if (strcmp(argv[2], "siggen") == 0) {
    4860. 

  4860.             /* Signature Generation Test */
    4861. 

  4861.             dsa_siggen_test(argv[3]);
    4862. 

  4862.         } else if (strcmp(argv[2], "sigver") == 0) {
    4863. 

  4863.             /* Signature Verification Test */
    4864. 

  4864.             dsa_sigver_test(argv[3]);
    4865. 

  4865.         }
    4866. 

  4866. #ifdef NSS_ENABLE_ECC
    4867. 

  4867.     /*************/
    4868. 

  4868.     /*   ECDSA   */
    4869. 

  4869.     /*************/
    4870. 

  4870.     } else if (strcmp(argv[1], "ecdsa") == 0) {
    4871. 

  4871. 	/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
    4872. 

  4872. 	if (       strcmp(argv[2], "keypair") == 0) {
    4873. 

  4873. 	    /* Key Pair Generation Test */
    4874. 

  4874. 	    ecdsa_keypair_test(argv[3]);
    4875. 

  4875. 	} else if (strcmp(argv[2], "pkv") == 0) {
    4876. 

  4876. 	    /* Public Key Validation Test */
    4877. 

  4877. 	    ecdsa_pkv_test(argv[3]);
    4878. 

  4878. 	} else if (strcmp(argv[2], "siggen") == 0) {
    4879. 

  4879. 	    /* Signature Generation Test */
    4880. 

  4880. 	    ecdsa_siggen_test(argv[3]);
    4881. 

  4881. 	} else if (strcmp(argv[2], "sigver") == 0) {
    4882. 

  4882. 	    /* Signature Verification Test */
    4883. 

  4883. 	    ecdsa_sigver_test(argv[3]);
    4884. 

  4884. 	}
    4885. 

  4885. #endif /* NSS_ENABLE_ECC */
    4886. 

  4886.     /*************/
    4887. 

  4887.     /*   RNG     */
    4888. 

  4888.     /*************/
    4889. 

  4889.     } else if (strcmp(argv[1], "rng") == 0) {
    4890. 

  4890. 	/* argv[2]=vst|mct argv[3]=<test name>.req */
    4891. 

  4891. 	if (       strcmp(argv[2], "vst") == 0) {
    4892. 

  4892. 	    /* Variable Seed Test */
    4893. 

  4893. 	    rng_vst(argv[3]);
    4894. 

  4894. 	} else if (strcmp(argv[2], "mct") == 0) {
    4895. 

  4895. 	    /* Monte Carlo Test */
    4896. 

  4896. 	    rng_mct(argv[3]);
    4897. 

  4897. 	}
    4898. 

  4898.     } else if (strcmp(argv[1], "drbg") == 0) {
    4899. 

  4899. 	/* Variable Seed Test */
    4900. 

  4900. 	drbg(argv[2]);
    4901. 

  4901.     }
    4902. 

  4902.     return 0;
    4903. 

  4903. }
    4904. 

  4904.