PageRenderTime 93ms CodeModel.GetById 22ms RepoModel.GetById 0ms app.codeStats 0ms

/security/nss/cmd/fipstest/fipstest.c

http://github.com/zpao/v8monkey
C | 5071 lines | 3945 code | 380 blank | 746 comment | 1501 complexity | 8a4f52b3f88f2fb370afaaa2e856fe85 MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, LGPL-3.0, AGPL-1.0, LGPL-2.1, BSD-3-Clause, GPL-2.0, JSON, Apache-2.0, 0BSD 
    

  1. /* ***** BEGIN LICENSE BLOCK *****
    2. 

  2.  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
    3. 

  3.  *
    4. 

  4.  * The contents of this file are subject to the Mozilla Public License Version
    5. 

  5.  * 1.1 (the "License"); you may not use this file except in compliance with
    6. 

  6.  * the License. You may obtain a copy of the License at
    7. 

  7.  * http://www.mozilla.org/MPL/
    8. 

  8.  *
    9. 

  9.  * Software distributed under the License is distributed on an "AS IS" basis,
    10. 

  10.  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
    11. 

  11.  * for the specific language governing rights and limitations under the
    12. 

  12.  * License.
    13. 

  13.  *
    14. 

  14.  * The Original Code is the Netscape security libraries.
    15. 

  15.  *
    16. 

  16.  * The Initial Developer of the Original Code is
    17. 

  17.  * Netscape Communications Corporation.
    18. 

  18.  * Portions created by the Initial Developer are Copyright (C) 1994-2000
    19. 

  19.  * the Initial Developer. All Rights Reserved.
    20. 

  20.  *
    21. 

  21.  * Contributor(s):
    22. 

  22.  *
    23. 

  23.  * Alternatively, the contents of this file may be used under the terms of
    24. 

  24.  * either the GNU General Public License Version 2 or later (the "GPL"), or
    25. 

  25.  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
    26. 

  26.  * in which case the provisions of the GPL or the LGPL are applicable instead
    27. 

  27.  * of those above. If you wish to allow use of your version of this file only
    28. 

  28.  * under the terms of either the GPL or the LGPL, and not to allow others to
    29. 

  29.  * use your version of this file under the terms of the MPL, indicate your
    30. 

  30.  * decision by deleting the provisions above and replace them with the notice
    31. 

  31.  * and other provisions required by the GPL or the LGPL. If you do not delete
    32. 

  32.  * the provisions above, a recipient may use your version of this file under
    33. 

  33.  * the terms of any one of the MPL, the GPL or the LGPL.
    34. 

  34.  *
    35. 

  35.  * ***** END LICENSE BLOCK ***** */
    36. 

  36. 

  37. #include <stdio.h>
    38. 

  38. #include <stdlib.h>
    39. 

  39. #include <ctype.h>
    40. 

  40. 

  41. #include "secitem.h"
    42. 

  42. #include "blapi.h"
    43. 

  43. #include "nssutil.h"
    44. 

  44. #include "secerr.h"
    45. 

  45. #include "secder.h"
    46. 

  46. #include "secdig.h"
    47. 

  47. #include "secoid.h"
    48. 

  48. #include "ec.h"
    49. 

  49. #include "hasht.h"
    50. 

  50. #include "lowkeyi.h"
    51. 

  51. #include "softoken.h"
    52. 

  52. 

  53. #if 0
    54. 

  54. #include "../../lib/freebl/mpi/mpi.h"
    55. 

  55. #endif
    56. 

  56. 

  57. #ifdef NSS_ENABLE_ECC
    58. 

  58. extern SECStatus
    59. 

  59. EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
    60. 

  60. extern SECStatus
    61. 

  61. EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
    62. 

  62.               const ECParams *srcParams);
    63. 

  63. #endif
    64. 

  64. 

  65. #define ENCRYPT 1
    66. 

  66. #define DECRYPT 0
    67. 

  67. #define BYTE unsigned char
    68. 

  68. #define DEFAULT_RSA_PUBLIC_EXPONENT   0x10001
    69. 

  69. #define RSA_MAX_TEST_MODULUS_BITS     4096
    70. 

  70. #define RSA_MAX_TEST_MODULUS_BYTES    RSA_MAX_TEST_MODULUS_BITS/8
    71. 

  71. #define RSA_MAX_TEST_EXPONENT_BYTES   8
    72. 

  72. #define PQG_TEST_SEED_BYTES           20
    73. 

  73. 

  74. SECStatus
    75. 

  75. hex_to_byteval(const char *c2, unsigned char *byteval)
    76. 

  76. {
    77. 

  77.     int i;
    78. 

  78.     unsigned char offset;
    79. 

  79.     *byteval = 0;
    80. 

  80.     for (i=0; i<2; i++) {
    81. 

  81. 	if (c2[i] >= '0' && c2[i] <= '9') {
    82. 

  82. 	    offset = c2[i] - '0';
    83. 

  83. 	    *byteval |= offset << 4*(1-i);
    84. 

  84. 	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
    85. 

  85. 	    offset = c2[i] - 'a';
    86. 

  86. 	    *byteval |= (offset + 10) << 4*(1-i);
    87. 

  87. 	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
    88. 

  88. 	    offset = c2[i] - 'A';
    89. 

  89. 	    *byteval |= (offset + 10) << 4*(1-i);
    90. 

  90. 	} else {
    91. 

  91. 	    return SECFailure;
    92. 

  92. 	}
    93. 

  93.     }
    94. 

  94.     return SECSuccess;
    95. 

  95. }
    96. 

  96. 

  97. SECStatus
    98. 

  98. byteval_to_hex(unsigned char byteval, char *c2, char a)
    99. 

  99. {
    100. 

  100.     int i;
    101. 

  101.     unsigned char offset;
    102. 

  102.     for (i=0; i<2; i++) {
    103. 

  103. 	offset = (byteval >> 4*(1-i)) & 0x0f;
    104. 

  104. 	if (offset < 10) {
    105. 

  105. 	    c2[i] = '0' + offset;
    106. 

  106. 	} else {
    107. 

  107. 	    c2[i] = a + offset - 10;
    108. 

  108. 	}
    109. 

  109.     }
    110. 

  110.     return SECSuccess;
    111. 

  111. }
    112. 

  112. 

  113. void
    114. 

  114. to_hex_str(char *str, const unsigned char *buf, unsigned int len)
    115. 

  115. {
    116. 

  116.     unsigned int i;
    117. 

  117.     for (i=0; i<len; i++) {
    118. 

  118. 	byteval_to_hex(buf[i], &str[2*i], 'a');
    119. 

  119.     }
    120. 

  120.     str[2*len] = '\0';
    121. 

  121. }
    122. 

  122. 

  123. void
    124. 

  124. to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len)
    125. 

  125. {
    126. 

  126.     unsigned int i;
    127. 

  127.     for (i=0; i<len; i++) {
    128. 

  128. 	byteval_to_hex(buf[i], &str[2*i], 'A');
    129. 

  129.     }
    130. 

  130.     str[2*len] = '\0';
    131. 

  131. }
    132. 

  132. 

  133. /*
    134. 

  134.  * Convert a string of hex digits (str) to an array (buf) of len bytes.
    135. 

  135.  * Return PR_TRUE if the hex string can fit in the byte array.  Return
    136. 

  136.  * PR_FALSE if the hex string is empty or is too long.
    137. 

  137.  */
    138. 

  138. PRBool
    139. 

  139. from_hex_str(unsigned char *buf, unsigned int len, const char *str)
    140. 

  140. {
    141. 

  141.     unsigned int nxdigit;  /* number of hex digits in str */
    142. 

  142.     unsigned int i;  /* index into buf */
    143. 

  143.     unsigned int j;  /* index into str */
    144. 

  144. 

  145.     /* count the hex digits */
    146. 

  146.     nxdigit = 0;
    147. 

  147.     for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) {
    148. 

  148. 	/* empty body */
    149. 

  149.     }
    150. 

  150.     if (nxdigit == 0) {
    151. 

  151. 	return PR_FALSE;
    152. 

  152.     }
    153. 

  153.     if (nxdigit > 2*len) {
    154. 

  154. 	/*
    155. 

  155. 	 * The input hex string is too long, but we allow it if the
    156. 

  156. 	 * extra digits are leading 0's.
    157. 

  157. 	 */
    158. 

  158. 	for (j = 0; j < nxdigit-2*len; j++) {
    159. 

  159. 	    if (str[j] != '0') {
    160. 

  160. 		return PR_FALSE;
    161. 

  161. 	    }
    162. 

  162. 	}
    163. 

  163. 	/* skip leading 0's */
    164. 

  164. 	str += nxdigit-2*len;
    165. 

  165. 	nxdigit = 2*len;
    166. 

  166.     }
    167. 

  167.     for (i=0, j=0; i< len; i++) {
    168. 

  168. 	if (2*i < 2*len-nxdigit) {
    169. 

  169. 	    /* Handle a short input as if we padded it with leading 0's. */
    170. 

  170. 	    if (2*i+1 < 2*len-nxdigit) {
    171. 

  171. 		buf[i] = 0;
    172. 

  172. 	    } else {
    173. 

  173. 		char tmp[2];
    174. 

  174. 		tmp[0] = '0';
    175. 

  175. 		tmp[1] = str[j];
    176. 

  176. 		hex_to_byteval(tmp, &buf[i]);
    177. 

  177. 		j++;
    178. 

  178. 	    }
    179. 

  179. 	} else {
    180. 

  180. 	    hex_to_byteval(&str[j], &buf[i]);
    181. 

  181. 	    j += 2;
    182. 

  182. 	}
    183. 

  183.     }
    184. 

  184.     return PR_TRUE;
    185. 

  185. }
    186. 

  186. 

  187. SECStatus
    188. 

  188. tdea_encrypt_buf(
    189. 

  189.     int mode,
    190. 

  190.     const unsigned char *key, 
    191. 

  191.     const unsigned char *iv,
    192. 

  192.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    193. 

  193.     const unsigned char *input, unsigned int inputlen)
    194. 

  194. {
    195. 

  195.     SECStatus rv = SECFailure;
    196. 

  196.     DESContext *cx;
    197. 

  197.     unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
    198. 

  198.     unsigned int doublechecklen = 0;
    199. 

  199. 

  200.     cx = DES_CreateContext(key, iv, mode, PR_TRUE);
    201. 

  201.     if (cx == NULL) {
    202. 

  202.         goto loser;
    203. 

  203.     }
    204. 

  204.     rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
    205. 

  205.     if (rv != SECSuccess) {
    206. 

  206.         goto loser;
    207. 

  207.     }
    208. 

  208.     if (*outputlen != inputlen) {
    209. 

  209.         goto loser;
    210. 

  210.     }
    211. 

  211.     DES_DestroyContext(cx, PR_TRUE);
    212. 

  212.     cx = NULL;
    213. 

  213. 

  214.     /*
    215. 

  215.      * Doublecheck our result by decrypting the ciphertext and
    216. 

  216.      * compare the output with the input plaintext.
    217. 

  217.      */
    218. 

  218.     cx = DES_CreateContext(key, iv, mode, PR_FALSE);
    219. 

  219.     if (cx == NULL) {
    220. 

  220.         goto loser;
    221. 

  221.     }
    222. 

  222.     rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    223. 

  223.                     output, *outputlen);
    224. 

  224.     if (rv != SECSuccess) {
    225. 

  225.         goto loser;
    226. 

  226.     }
    227. 

  227.     if (doublechecklen != *outputlen) {
    228. 

  228.         goto loser;
    229. 

  229.     }
    230. 

  230.     DES_DestroyContext(cx, PR_TRUE);
    231. 

  231.     cx = NULL;
    232. 

  232.     if (memcmp(doublecheck, input, inputlen) != 0) {
    233. 

  233.         goto loser;
    234. 

  234.     }
    235. 

  235.     rv = SECSuccess;
    236. 

  236. 

  237. loser:
    238. 

  238.     if (cx != NULL) {
    239. 

  239.         DES_DestroyContext(cx, PR_TRUE);
    240. 

  240.     }
    241. 

  241.     return rv;
    242. 

  242. }
    243. 

  243. 

  244. SECStatus
    245. 

  245. tdea_decrypt_buf(
    246. 

  246.     int mode,
    247. 

  247.     const unsigned char *key, 
    248. 

  248.     const unsigned char *iv,
    249. 

  249.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    250. 

  250.     const unsigned char *input, unsigned int inputlen)
    251. 

  251. {
    252. 

  252.     SECStatus rv = SECFailure;
    253. 

  253.     DESContext *cx;
    254. 

  254.     unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
    255. 

  255.     unsigned int doublechecklen = 0;
    256. 

  256. 

  257.     cx = DES_CreateContext(key, iv, mode, PR_FALSE);
    258. 

  258.     if (cx == NULL) {
    259. 

  259.         goto loser;
    260. 

  260.     }
    261. 

  261.     rv = DES_Decrypt(cx, output, outputlen, maxoutputlen,
    262. 

  262.                     input, inputlen);
    263. 

  263.     if (rv != SECSuccess) {
    264. 

  264.         goto loser;
    265. 

  265.     }
    266. 

  266.     if (*outputlen != inputlen) {
    267. 

  267.         goto loser;
    268. 

  268.     }
    269. 

  269.     DES_DestroyContext(cx, PR_TRUE);
    270. 

  270.     cx = NULL;
    271. 

  271. 

  272.     /*
    273. 

  273.      * Doublecheck our result by encrypting the plaintext and
    274. 

  274.      * compare the output with the input ciphertext.
    275. 

  275.      */
    276. 

  276.     cx = DES_CreateContext(key, iv, mode, PR_TRUE);
    277. 

  277.     if (cx == NULL) {
    278. 

  278.         goto loser;
    279. 

  279.     }
    280. 

  280.     rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    281. 

  281.         output, *outputlen);
    282. 

  282.     if (rv != SECSuccess) {
    283. 

  283.         goto loser;
    284. 

  284.     }
    285. 

  285.     if (doublechecklen != *outputlen) {
    286. 

  286.         goto loser;
    287. 

  287.     }
    288. 

  288.     DES_DestroyContext(cx, PR_TRUE);
    289. 

  289.     cx = NULL;
    290. 

  290.     if (memcmp(doublecheck, input, inputlen) != 0) {
    291. 

  291.         goto loser;
    292. 

  292.     }
    293. 

  293.     rv = SECSuccess;
    294. 

  294. 

  295. loser:
    296. 

  296.     if (cx != NULL) {
    297. 

  297.         DES_DestroyContext(cx, PR_TRUE);
    298. 

  298.     }
    299. 

  299.     return rv;
    300. 

  300. }
    301. 

  301. 

  302. /*
    303. 

  303.  * Perform the TDEA Known Answer Test (KAT) or Multi-block Message
    304. 

  304.  * Test (MMT) in ECB or CBC mode.  The KAT (there are five types)
    305. 

  305.  * and MMT have the same structure: given the key and IV (CBC mode
    306. 

  306.  * only), encrypt the given plaintext or decrypt the given ciphertext.
    307. 

  307.  * So we can handle them the same way.
    308. 

  308.  *
    309. 

  309.  * reqfn is the pathname of the REQUEST file.
    310. 

  310.  *
    311. 

  311.  * The output RESPONSE file is written to stdout.
    312. 

  312.  */
    313. 

  313. void
    314. 

  314. tdea_kat_mmt(char *reqfn)
    315. 

  315. {
    316. 

  316.     char buf[180];      /* holds one line from the input REQUEST file.
    317. 

  317.                          * needs to be large enough to hold the longest
    318. 

  318.                          * line "CIPHERTEXT = <180 hex digits>\n".
    319. 

  319.                          */
    320. 

  320.     FILE *req;       /* input stream from the REQUEST file */
    321. 

  321.     FILE *resp;      /* output stream to the RESPONSE file */
    322. 

  322.     int i, j;
    323. 

  323.     int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
    324. 

  324.     int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
    325. 

  325.     unsigned char key[24];              /* TDEA 3 key bundle */
    326. 

  326.     unsigned int numKeys = 0;
    327. 

  327.     unsigned char iv[8];		/* for all modes except ECB */
    328. 

  328.     unsigned char plaintext[8*20];     /* 1 to 20 blocks */
    329. 

  329.     unsigned int plaintextlen;
    330. 

  330.     unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
    331. 

  331.     unsigned int ciphertextlen;
    332. 

  332.     SECStatus rv;
    333. 

  333. 

  334.     req = fopen(reqfn, "r");
    335. 

  335.     resp = stdout;
    336. 

  336.     while (fgets(buf, sizeof buf, req) != NULL) {
    337. 

  337.         /* a comment or blank line */
    338. 

  338.         if (buf[0] == '#' || buf[0] == '\n') {
    339. 

  339.             fputs(buf, resp);
    340. 

  340.             continue;
    341. 

  341.         }
    342. 

  342.         /* [ENCRYPT] or [DECRYPT] */
    343. 

  343.         if (buf[0] == '[') {
    344. 

  344.             if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    345. 

  345.                 crypt = ENCRYPT;
    346. 

  346.             } else {
    347. 

  347.                 crypt = DECRYPT;
    348. 

  348.             }
    349. 

  349.             fputs(buf, resp);
    350. 

  350.             continue;
    351. 

  351.         }
    352. 

  352.         /* NumKeys */
    353. 

  353.         if (strncmp(&buf[0], "NumKeys", 7) == 0) {
    354. 

  354.             i = 7;
    355. 

  355.             while (isspace(buf[i]) || buf[i] == '=') {
    356. 

  356.                 i++;
    357. 

  357.             }
    358. 

  358.             numKeys = buf[i];
    359. 

  359.             fputs(buf, resp);
    360. 

  360.             continue;
    361. 

  361.         }
    362. 

  362.         /* "COUNT = x" begins a new data set */
    363. 

  363.         if (strncmp(buf, "COUNT", 5) == 0) {
    364. 

  364.             /* mode defaults to ECB, if dataset has IV mode will be set CBC */
    365. 

  365.             mode = NSS_DES_EDE3;
    366. 

  366.             /* zeroize the variables for the test with this data set */
    367. 

  367.             memset(key, 0, sizeof key);
    368. 

  368.             memset(iv, 0, sizeof iv);
    369. 

  369.             memset(plaintext, 0, sizeof plaintext);
    370. 

  370.             plaintextlen = 0;
    371. 

  371.             memset(ciphertext, 0, sizeof ciphertext);
    372. 

  372.             ciphertextlen = 0;
    373. 

  373.             fputs(buf, resp);
    374. 

  374.             continue;
    375. 

  375.         }
    376. 

  376.         if (numKeys == 0) {
    377. 

  377.             if (strncmp(buf, "KEYs", 4) == 0) {
    378. 

  378.                 i = 4;
    379. 

  379.                 while (isspace(buf[i]) || buf[i] == '=') {
    380. 

  380.                     i++;
    381. 

  381.                 }
    382. 

  382.                 for (j=0; isxdigit(buf[i]); i+=2,j++) {
    383. 

  383.                     hex_to_byteval(&buf[i], &key[j]);
    384. 

  384.                     key[j+8] = key[j];
    385. 

  385.                     key[j+16] = key[j];
    386. 

  386.                 }
    387. 

  387.                 fputs(buf, resp);
    388. 

  388.                 continue;
    389. 

  389.             }
    390. 

  390.         } else {
    391. 

  391.             /* KEY1 = ... */
    392. 

  392.             if (strncmp(buf, "KEY1", 4) == 0) {
    393. 

  393.                 i = 4;
    394. 

  394.                 while (isspace(buf[i]) || buf[i] == '=') {
    395. 

  395.                     i++;
    396. 

  396.                 }
    397. 

  397.                 for (j=0; isxdigit(buf[i]); i+=2,j++) {
    398. 

  398.                     hex_to_byteval(&buf[i], &key[j]);
    399. 

  399.                 }
    400. 

  400.                 fputs(buf, resp);
    401. 

  401.                 continue;
    402. 

  402.             }
    403. 

  403.             /* KEY2 = ... */
    404. 

  404.             if (strncmp(buf, "KEY2", 4) == 0) {
    405. 

  405.                 i = 4;
    406. 

  406.                 while (isspace(buf[i]) || buf[i] == '=') {
    407. 

  407.                     i++;
    408. 

  408.                 }
    409. 

  409.                 for (j=8; isxdigit(buf[i]); i+=2,j++) {
    410. 

  410.                     hex_to_byteval(&buf[i], &key[j]);
    411. 

  411.                 }
    412. 

  412.                 fputs(buf, resp);
    413. 

  413.                 continue;
    414. 

  414.             }
    415. 

  415.             /* KEY3 = ... */
    416. 

  416.             if (strncmp(buf, "KEY3", 4) == 0) {
    417. 

  417.                 i = 4;
    418. 

  418.                 while (isspace(buf[i]) || buf[i] == '=') {
    419. 

  419.                     i++;
    420. 

  420.                 }
    421. 

  421.                 for (j=16; isxdigit(buf[i]); i+=2,j++) {
    422. 

  422.                     hex_to_byteval(&buf[i], &key[j]);
    423. 

  423.                 }
    424. 

  424.                 fputs(buf, resp);
    425. 

  425.                 continue;
    426. 

  426.             }
    427. 

  427.         }
    428. 

  428. 

  429.         /* IV = ... */
    430. 

  430.         if (strncmp(buf, "IV", 2) == 0) {
    431. 

  431.             mode = NSS_DES_EDE3_CBC;
    432. 

  432.             i = 2;
    433. 

  433.             while (isspace(buf[i]) || buf[i] == '=') {
    434. 

  434.                 i++;
    435. 

  435.             }
    436. 

  436.             for (j=0; j<sizeof iv; i+=2,j++) {
    437. 

  437.                 hex_to_byteval(&buf[i], &iv[j]);
    438. 

  438.             }
    439. 

  439.             fputs(buf, resp);
    440. 

  440.             continue;
    441. 

  441.         }
    442. 

  442. 

  443.         /* PLAINTEXT = ... */
    444. 

  444.         if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    445. 

  445.             /* sanity check */
    446. 

  446.             if (crypt != ENCRYPT) {
    447. 

  447.                 goto loser;
    448. 

  448.             }
    449. 

  449.             i = 9;
    450. 

  450.             while (isspace(buf[i]) || buf[i] == '=') {
    451. 

  451.                 i++;
    452. 

  452.             }
    453. 

  453.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    454. 

  454.                 hex_to_byteval(&buf[i], &plaintext[j]);
    455. 

  455.             }
    456. 

  456.             plaintextlen = j;
    457. 

  457.             rv = tdea_encrypt_buf(mode, key,
    458. 

  458.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    459. 

  459.                             ciphertext, &ciphertextlen, sizeof ciphertext,
    460. 

  460.                             plaintext, plaintextlen);
    461. 

  461.             if (rv != SECSuccess) {
    462. 

  462.                 goto loser;
    463. 

  463.             }
    464. 

  464.     
    465. 

  465.             fputs(buf, resp);
    466. 

  466.             fputs("CIPHERTEXT = ", resp);
    467. 

  467.             to_hex_str(buf, ciphertext, ciphertextlen);
    468. 

  468.             fputs(buf, resp);
    469. 

  469.             fputc('\n', resp);
    470. 

  470.             continue;
    471. 

  471.         }
    472. 

  472.         /* CIPHERTEXT = ... */
    473. 

  473.         if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    474. 

  474.             /* sanity check */
    475. 

  475.             if (crypt != DECRYPT) {
    476. 

  476.                 goto loser;
    477. 

  477.             }
    478. 

  478.  
    479. 

  479.             i = 10;
    480. 

  480.             while (isspace(buf[i]) || buf[i] == '=') {
    481. 

  481.                 i++;
    482. 

  482.             }
    483. 

  483.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    484. 

  484.                 hex_to_byteval(&buf[i], &ciphertext[j]);
    485. 

  485.             }
    486. 

  486.             ciphertextlen = j;
    487. 

  487.  
    488. 

  488.             rv = tdea_decrypt_buf(mode, key,
    489. 

  489.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    490. 

  490.                             plaintext, &plaintextlen, sizeof plaintext,
    491. 

  491.                             ciphertext, ciphertextlen);
    492. 

  492.             if (rv != SECSuccess) {
    493. 

  493.                 goto loser;
    494. 

  494.             }
    495. 

  495.  
    496. 

  496.             fputs(buf, resp);
    497. 

  497.             fputs("PLAINTEXT = ", resp);
    498. 

  498.             to_hex_str(buf, plaintext, plaintextlen);
    499. 

  499.             fputs(buf, resp);
    500. 

  500.             fputc('\n', resp);
    501. 

  501.             continue;
    502. 

  502.         }
    503. 

  503.     }
    504. 

  504. 

  505. loser:
    506. 

  506.     fclose(req);
    507. 

  507. }
    508. 

  508. 

  509. /*
    510. 

  510. * Set the parity bit for the given byte
    511. 

  511. */
    512. 

  512. BYTE odd_parity( BYTE in)
    513. 

  513. {
    514. 

  514.     BYTE out = in;
    515. 

  515.     in ^= in >> 4;
    516. 

  516.     in ^= in >> 2;
    517. 

  517.     in ^= in >> 1;
    518. 

  518.     return (BYTE)(out ^ !(in & 1));
    519. 

  519. }
    520. 

  520. 

  521. /*
    522. 

  522.  * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] 
    523. 

  523.  * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes.
    524. 

  524.  */
    525. 

  525. void
    526. 

  526. tdea_mct_next_keys(unsigned char *key,
    527. 

  527.     const unsigned char *text_2, const unsigned char *text_1, 
    528. 

  528.     const unsigned char *text, unsigned int numKeys)
    529. 

  529. {
    530. 

  530.     int k;
    531. 

  531. 

  532.     /* key1[i+1] = key1[i] xor PT/CT[j] */
    533. 

  533.     for (k=0; k<8; k++) {
    534. 

  534.         key[k] ^= text[k];
    535. 

  535.     }
    536. 

  536.     /* key2 */
    537. 

  537.     if (numKeys == 2 || numKeys == 3)  {
    538. 

  538.         /* key2 independent */
    539. 

  539.         for (k=8; k<16; k++) {
    540. 

  540.             /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */
    541. 

  541.             key[k] ^= text_1[k-8];
    542. 

  542.         }
    543. 

  543.     } else {
    544. 

  544.         /* key2 == key 1 */
    545. 

  545.         for (k=8; k<16; k++) {
    546. 

  546.             /* key2[i+1] = KEY2[i] xor PT/CT[j] */
    547. 

  547.             key[k] = key[k-8];
    548. 

  548.         }
    549. 

  549.     }
    550. 

  550.     /* key3 */
    551. 

  551.     if (numKeys == 1 || numKeys == 2) {
    552. 

  552.         /* key3 == key 1 */
    553. 

  553.         for (k=16; k<24; k++) {
    554. 

  554.             /* key3[i+1] = KEY3[i] xor PT/CT[j] */
    555. 

  555.             key[k] = key[k-16];
    556. 

  556.         }
    557. 

  557.     } else {
    558. 

  558.         /* key3 independent */ 
    559. 

  559.         for (k=16; k<24; k++) {
    560. 

  560.             /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */
    561. 

  561.             key[k] ^= text_2[k-16];
    562. 

  562.         }
    563. 

  563.     }
    564. 

  564.     /* set the parity bits */            
    565. 

  565.     for (k=0; k<24; k++) {
    566. 

  566.         key[k] = odd_parity(key[k]);
    567. 

  567.     }
    568. 

  568. }
    569. 

  569. 

  570. /*
    571. 

  571.  * Perform the Monte Carlo Test
    572. 

  572.  *
    573. 

  573.  * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC
    574. 

  574.  * crypt = ENCRYPT || DECRYPT
    575. 

  575.  * inputtext = plaintext or Cyphertext depending on the value of crypt
    576. 

  576.  * inputlength is expected to be size 8 bytes 
    577. 

  577.  * iv = needs to be set for NSS_DES_EDE3_CBC mode
    578. 

  578.  * resp = is the output response file. 
    579. 

  579.  */
    580. 

  580.  void                                                       
    581. 

  581. tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, 
    582. 

  582.               unsigned int crypt, unsigned char* inputtext, 
    583. 

  583.               unsigned int inputlength, unsigned char* iv, FILE *resp) { 
    584. 

  584. 

  585.     int i, j;
    586. 

  586.     unsigned char outputtext_1[8];      /* PT/CT[j-1] */
    587. 

  587.     unsigned char outputtext_2[8];      /* PT/CT[j-2] */
    588. 

  588.     char buf[80];       /* holds one line from the input REQUEST file. */
    589. 

  589.     unsigned int outputlen;
    590. 

  590.     unsigned char outputtext[8];
    591. 

  591.     
    592. 

  592.         
    593. 

  593.     SECStatus rv;
    594. 

  594. 

  595.     if (mode == NSS_DES_EDE3 && iv != NULL) {
    596. 

  596.         printf("IV must be NULL for NSS_DES_EDE3 mode");
    597. 

  597.         goto loser;
    598. 

  598.     } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) {
    599. 

  599.         printf("IV must not be NULL for NSS_DES_EDE3_CBC mode");
    600. 

  600.         goto loser;
    601. 

  601.     }
    602. 

  602. 

  603.     /* loop 400 times */
    604. 

  604.     for (i=0; i<400; i++) {
    605. 

  605.         /* if i == 0 CV[0] = IV  not necessary */        
    606. 

  606.         /* record the count and key values and plainText */
    607. 

  607.         sprintf(buf, "COUNT = %d\n", i);
    608. 

  608.         fputs(buf, resp);
    609. 

  609.         /* Output KEY1[i] */
    610. 

  610.         fputs("KEY1 = ", resp);
    611. 

  611.         to_hex_str(buf, key, 8);
    612. 

  612.         fputs(buf, resp);
    613. 

  613.         fputc('\n', resp);
    614. 

  614.         /* Output KEY2[i] */
    615. 

  615.         fputs("KEY2 = ", resp);
    616. 

  616.         to_hex_str(buf, &key[8], 8);
    617. 

  617.         fputs(buf, resp);
    618. 

  618.         fputc('\n', resp);
    619. 

  619.         /* Output KEY3[i] */
    620. 

  620.         fputs("KEY3 = ", resp);
    621. 

  621.         to_hex_str(buf, &key[16], 8);
    622. 

  622.         fputs(buf, resp);
    623. 

  623.         fputc('\n', resp);
    624. 

  624.         if (mode == NSS_DES_EDE3_CBC) {
    625. 

  625.             /* Output CV[i] */
    626. 

  626.             fputs("IV = ", resp);
    627. 

  627.             to_hex_str(buf, iv, 8);
    628. 

  628.             fputs(buf, resp);
    629. 

  629.             fputc('\n', resp);
    630. 

  630.         }
    631. 

  631.         if (crypt == ENCRYPT) {
    632. 

  632.             /* Output PT[0] */
    633. 

  633.             fputs("PLAINTEXT = ", resp);
    634. 

  634.         } else {
    635. 

  635.             /* Output CT[0] */
    636. 

  636.             fputs("CIPHERTEXT = ", resp);
    637. 

  637.         }
    638. 

  638. 

  639.         to_hex_str(buf, inputtext, inputlength);
    640. 

  640.         fputs(buf, resp);
    641. 

  641.         fputc('\n', resp);
    642. 

  642. 

  643.         /* loop 10,000 times */
    644. 

  644.         for (j=0; j<10000; j++) {
    645. 

  645. 

  646.             outputlen = 0;
    647. 

  647.             if (crypt == ENCRYPT) {
    648. 

  648.                 /* inputtext == ciphertext outputtext == plaintext*/
    649. 

  649.                 rv = tdea_encrypt_buf(mode, key,
    650. 

  650.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    651. 

  651.                             outputtext, &outputlen, 8,
    652. 

  652.                             inputtext, 8);
    653. 

  653.             } else {
    654. 

  654.                 /* inputtext == plaintext outputtext == ciphertext */
    655. 

  655.                 rv = tdea_decrypt_buf(mode, key,
    656. 

  656.                             (mode == NSS_DES_EDE3) ? NULL : iv,
    657. 

  657.                             outputtext, &outputlen, 8,
    658. 

  658.                             inputtext, 8);
    659. 

  659.             }
    660. 

  660. 

  661.             if (rv != SECSuccess) {
    662. 

  662.                 goto loser;
    663. 

  663.             }
    664. 

  664.             if (outputlen != inputlength) {
    665. 

  665.                 goto loser;
    666. 

  666.             }
    667. 

  667. 

  668.             if (mode == NSS_DES_EDE3_CBC) {
    669. 

  669.                 if (crypt == ENCRYPT) {
    670. 

  670.                     if (j == 0) {
    671. 

  671.                         /*P[j+1] = CV[0] */
    672. 

  672.                         memcpy(inputtext, iv, 8);
    673. 

  673.                     } else {
    674. 

  674.                         /* p[j+1] = C[j-1] */
    675. 

  675.                         memcpy(inputtext, outputtext_1, 8);
    676. 

  676.                     }
    677. 

  677.                     /* CV[j+1] = C[j] */
    678. 

  678.                     memcpy(iv, outputtext, 8);
    679. 

  679.                     if (j != 9999) {
    680. 

  680.                         /* save C[j-1] */
    681. 

  681.                         memcpy(outputtext_1, outputtext, 8);
    682. 

  682.                     }
    683. 

  683.                 } else { /* DECRYPT */
    684. 

  684.                     /* CV[j+1] = C[j] */
    685. 

  685.                     memcpy(iv, inputtext, 8);
    686. 

  686.                     /* C[j+1] = P[j] */
    687. 

  687.                     memcpy(inputtext, outputtext, 8);
    688. 

  688.                 }
    689. 

  689.             } else {
    690. 

  690.                 /* ECB mode PT/CT[j+1] = CT/PT[j] */
    691. 

  691.                 memcpy(inputtext, outputtext, 8);
    692. 

  692.             }
    693. 

  693. 

  694.             /* Save PT/CT[j-2] and PT/CT[j-1] */
    695. 

  695.             if (j==9997) memcpy(outputtext_2, outputtext, 8);
    696. 

  696.             if (j==9998) memcpy(outputtext_1, outputtext, 8);
    697. 

  697.             /* done at the end of the for(j) loop */
    698. 

  698.         }
    699. 

  699. 

  700. 

  701.         if (crypt == ENCRYPT) {
    702. 

  702.             /* Output CT[j] */
    703. 

  703.             fputs("CIPHERTEXT = ", resp);
    704. 

  704.         } else {
    705. 

  705.             /* Output PT[j] */
    706. 

  706.             fputs("PLAINTEXT = ", resp);
    707. 

  707.         }
    708. 

  708.         to_hex_str(buf, outputtext, 8);
    709. 

  709.         fputs(buf, resp);
    710. 

  710.         fputc('\n', resp);
    711. 

  711. 

  712.         /* Key[i+1] = Key[i] xor ...  outputtext_2 == PT/CT[j-2] 
    713. 

  713.          *  outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] 
    714. 

  714.          */
    715. 

  715.         tdea_mct_next_keys(key, outputtext_2, 
    716. 

  716.                            outputtext_1, outputtext, numKeys);
    717. 

  717. 

  718.         if (mode == NSS_DES_EDE3_CBC) {
    719. 

  719.             /* taken care of in the j=9999 iteration */
    720. 

  720.             if (crypt == ENCRYPT) {
    721. 

  721.                 /* P[i] = C[j-1] */
    722. 

  722.                 /* CV[i] = C[j] */
    723. 

  723.             } else {
    724. 

  724.                 /* taken care of in the j=9999 iteration */
    725. 

  725.                 /* CV[i] = C[j] */
    726. 

  726.                 /* C[i] = P[j]  */
    727. 

  727.             }
    728. 

  728.         } else {
    729. 

  729.             /* ECB PT/CT[i] = PT/CT[j]  */
    730. 

  730.             memcpy(inputtext, outputtext, 8);
    731. 

  731.         }
    732. 

  732.         /* done at the end of the for(i) loop */
    733. 

  733.         fputc('\n', resp);
    734. 

  734.     }
    735. 

  735. 

  736. loser:
    737. 

  737.     return;
    738. 

  738. }
    739. 

  739. 

  740. /*
    741. 

  741.  * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes.
    742. 

  742.  * by gathering the input from the request file, and then 
    743. 

  743.  * calling tdea_mct_test.
    744. 

  744.  *
    745. 

  745.  * reqfn is the pathname of the input REQUEST file.
    746. 

  746.  *
    747. 

  747.  * The output RESPONSE file is written to stdout.
    748. 

  748.  */
    749. 

  749. void
    750. 

  750. tdea_mct(int mode, char *reqfn)
    751. 

  751. {
    752. 

  752.     int i, j;
    753. 

  753.     char buf[80];    /* holds one line from the input REQUEST file. */
    754. 

  754.     FILE *req;       /* input stream from the REQUEST file */
    755. 

  755.     FILE *resp;      /* output stream to the RESPONSE file */
    756. 

  756.     unsigned int crypt = 0;    /* 1 means encrypt, 0 means decrypt */
    757. 

  757.     unsigned char key[24];              /* TDEA 3 key bundle */
    758. 

  758.     unsigned int numKeys = 0;
    759. 

  759.     unsigned char plaintext[8];        /* PT[j] */
    760. 

  760.     unsigned char ciphertext[8];       /* CT[j] */
    761. 

  761.     unsigned char iv[8];
    762. 

  762. 

  763.     /* zeroize the variables for the test with this data set */
    764. 

  764.     memset(key, 0, sizeof key);
    765. 

  765.     memset(plaintext, 0, sizeof plaintext);
    766. 

  766.     memset(ciphertext, 0, sizeof ciphertext);
    767. 

  767.     memset(iv, 0, sizeof iv);
    768. 

  768. 

  769.     req = fopen(reqfn, "r");
    770. 

  770.     resp = stdout;
    771. 

  771.     while (fgets(buf, sizeof buf, req) != NULL) {
    772. 

  772.         /* a comment or blank line */
    773. 

  773.         if (buf[0] == '#' || buf[0] == '\n') {
    774. 

  774.             fputs(buf, resp);
    775. 

  775.             continue;
    776. 

  776.         }
    777. 

  777.         /* [ENCRYPT] or [DECRYPT] */
    778. 

  778.         if (buf[0] == '[') {
    779. 

  779.             if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    780. 

  780.                 crypt = ENCRYPT;
    781. 

  781.             } else {
    782. 

  782.                 crypt = DECRYPT;
    783. 

  783.            }
    784. 

  784.            fputs(buf, resp);
    785. 

  785.            continue;
    786. 

  786.         }
    787. 

  787.         /* NumKeys */
    788. 

  788.         if (strncmp(&buf[0], "NumKeys", 7) == 0) {
    789. 

  789.             i = 7;
    790. 

  790.             while (isspace(buf[i]) || buf[i] == '=') {
    791. 

  791.                 i++;
    792. 

  792.             }
    793. 

  793.             numKeys = atoi(&buf[i]);
    794. 

  794.             continue;
    795. 

  795.         }
    796. 

  796.         /* KEY1 = ... */
    797. 

  797.         if (strncmp(buf, "KEY1", 4) == 0) {
    798. 

  798.             i = 4;
    799. 

  799.             while (isspace(buf[i]) || buf[i] == '=') {
    800. 

  800.                 i++;
    801. 

  801.             }
    802. 

  802.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    803. 

  803.                 hex_to_byteval(&buf[i], &key[j]);
    804. 

  804.             }
    805. 

  805.             continue;
    806. 

  806.         }
    807. 

  807.         /* KEY2 = ... */
    808. 

  808.         if (strncmp(buf, "KEY2", 4) == 0) {
    809. 

  809.             i = 4;
    810. 

  810.             while (isspace(buf[i]) || buf[i] == '=') {
    811. 

  811.                 i++;
    812. 

  812.             }
    813. 

  813.             for (j=8; isxdigit(buf[i]); i+=2,j++) {
    814. 

  814.                 hex_to_byteval(&buf[i], &key[j]);
    815. 

  815.             }
    816. 

  816.             continue;
    817. 

  817.         }
    818. 

  818.         /* KEY3 = ... */
    819. 

  819.         if (strncmp(buf, "KEY3", 4) == 0) {
    820. 

  820.             i = 4;
    821. 

  821.             while (isspace(buf[i]) || buf[i] == '=') {
    822. 

  822.                 i++;
    823. 

  823.             }
    824. 

  824.             for (j=16; isxdigit(buf[i]); i+=2,j++) {
    825. 

  825.                 hex_to_byteval(&buf[i], &key[j]);
    826. 

  826.             }
    827. 

  827.             continue;
    828. 

  828.         }
    829. 

  829. 

  830.         /* IV = ... */
    831. 

  831.         if (strncmp(buf, "IV", 2) == 0) {
    832. 

  832.             i = 2;
    833. 

  833.             while (isspace(buf[i]) || buf[i] == '=') {
    834. 

  834.                 i++;
    835. 

  835.             }
    836. 

  836.             for (j=0; j<sizeof iv; i+=2,j++) {
    837. 

  837.                 hex_to_byteval(&buf[i], &iv[j]);
    838. 

  838.             }
    839. 

  839.             continue;
    840. 

  840.         }
    841. 

  841. 

  842.        /* PLAINTEXT = ... */
    843. 

  843.        if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    844. 

  844. 

  845.             /* sanity check */
    846. 

  846.             if (crypt != ENCRYPT) {
    847. 

  847.                 goto loser;
    848. 

  848.             }
    849. 

  849.             /* PT[0] = PT */
    850. 

  850.             i = 9;
    851. 

  851.             while (isspace(buf[i]) || buf[i] == '=') {
    852. 

  852.                 i++;
    853. 

  853.             }
    854. 

  854.             for (j=0; j<sizeof plaintext; i+=2,j++) {
    855. 

  855.                 hex_to_byteval(&buf[i], &plaintext[j]);
    856. 

  856.             }                                     
    857. 

  857. 

  858.             /* do the Monte Carlo test */
    859. 

  859.             if (mode==NSS_DES_EDE3) {
    860. 

  860.                 tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp);
    861. 

  861.             } else {
    862. 

  862.                 tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp);
    863. 

  863.             }
    864. 

  864.             continue;
    865. 

  865.         }
    866. 

  866.         /* CIPHERTEXT = ... */
    867. 

  867.         if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    868. 

  868.             /* sanity check */
    869. 

  869.             if (crypt != DECRYPT) {
    870. 

  870.                 goto loser;
    871. 

  871.             }
    872. 

  872.             /* CT[0] = CT */
    873. 

  873.             i = 10;
    874. 

  874.             while (isspace(buf[i]) || buf[i] == '=') {
    875. 

  875.                 i++;
    876. 

  876.             }
    877. 

  877.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    878. 

  878.                 hex_to_byteval(&buf[i], &ciphertext[j]);
    879. 

  879.             }
    880. 

  880.             
    881. 

  881.             /* do the Monte Carlo test */
    882. 

  882.             if (mode==NSS_DES_EDE3) {
    883. 

  883.                 tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); 
    884. 

  884.             } else {
    885. 

  885.                 tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); 
    886. 

  886.             }
    887. 

  887.             continue;
    888. 

  888.         }
    889. 

  889.     }
    890. 

  890. 

  891. loser:
    892. 

  892.     fclose(req);
    893. 

  893. }
    894. 

  894. 

  895. 

  896. SECStatus
    897. 

  897. aes_encrypt_buf(
    898. 

  898.     int mode,
    899. 

  899.     const unsigned char *key, unsigned int keysize,
    900. 

  900.     const unsigned char *iv,
    901. 

  901.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    902. 

  902.     const unsigned char *input, unsigned int inputlen)
    903. 

  903. {
    904. 

  904.     SECStatus rv = SECFailure;
    905. 

  905.     AESContext *cx;
    906. 

  906.     unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
    907. 

  907.     unsigned int doublechecklen = 0;
    908. 

  908. 

  909.     cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
    910. 

  910.     if (cx == NULL) {
    911. 

  911. 	goto loser;
    912. 

  912.     }
    913. 

  913.     rv = AES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
    914. 

  914.     if (rv != SECSuccess) {
    915. 

  915. 	goto loser;
    916. 

  916.     }
    917. 

  917.     if (*outputlen != inputlen) {
    918. 

  918. 	goto loser;
    919. 

  919.     }
    920. 

  920.     AES_DestroyContext(cx, PR_TRUE);
    921. 

  921.     cx = NULL;
    922. 

  922. 

  923.     /*
    924. 

  924.      * Doublecheck our result by decrypting the ciphertext and
    925. 

  925.      * compare the output with the input plaintext.
    926. 

  926.      */
    927. 

  927.     cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
    928. 

  928.     if (cx == NULL) {
    929. 

  929. 	goto loser;
    930. 

  930.     }
    931. 

  931.     rv = AES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    932. 

  932. 	output, *outputlen);
    933. 

  933.     if (rv != SECSuccess) {
    934. 

  934. 	goto loser;
    935. 

  935.     }
    936. 

  936.     if (doublechecklen != *outputlen) {
    937. 

  937. 	goto loser;
    938. 

  938.     }
    939. 

  939.     AES_DestroyContext(cx, PR_TRUE);
    940. 

  940.     cx = NULL;
    941. 

  941.     if (memcmp(doublecheck, input, inputlen) != 0) {
    942. 

  942. 	goto loser;
    943. 

  943.     }
    944. 

  944.     rv = SECSuccess;
    945. 

  945. 

  946. loser:
    947. 

  947.     if (cx != NULL) {
    948. 

  948. 	AES_DestroyContext(cx, PR_TRUE);
    949. 

  949.     }
    950. 

  950.     return rv;
    951. 

  951. }
    952. 

  952. 

  953. SECStatus
    954. 

  954. aes_decrypt_buf(
    955. 

  955.     int mode,
    956. 

  956.     const unsigned char *key, unsigned int keysize,
    957. 

  957.     const unsigned char *iv,
    958. 

  958.     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
    959. 

  959.     const unsigned char *input, unsigned int inputlen)
    960. 

  960. {
    961. 

  961.     SECStatus rv = SECFailure;
    962. 

  962.     AESContext *cx;
    963. 

  963.     unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
    964. 

  964.     unsigned int doublechecklen = 0;
    965. 

  965. 

  966.     cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
    967. 

  967.     if (cx == NULL) {
    968. 

  968. 	goto loser;
    969. 

  969.     }
    970. 

  970.     rv = AES_Decrypt(cx, output, outputlen, maxoutputlen,
    971. 

  971. 	input, inputlen);
    972. 

  972.     if (rv != SECSuccess) {
    973. 

  973. 	goto loser;
    974. 

  974.     }
    975. 

  975.     if (*outputlen != inputlen) {
    976. 

  976. 	goto loser;
    977. 

  977.     }
    978. 

  978.     AES_DestroyContext(cx, PR_TRUE);
    979. 

  979.     cx = NULL;
    980. 

  980. 

  981.     /*
    982. 

  982.      * Doublecheck our result by encrypting the plaintext and
    983. 

  983.      * compare the output with the input ciphertext.
    984. 

  984.      */
    985. 

  985.     cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
    986. 

  986.     if (cx == NULL) {
    987. 

  987. 	goto loser;
    988. 

  988.     }
    989. 

  989.     rv = AES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
    990. 

  990. 	output, *outputlen);
    991. 

  991.     if (rv != SECSuccess) {
    992. 

  992. 	goto loser;
    993. 

  993.     }
    994. 

  994.     if (doublechecklen != *outputlen) {
    995. 

  995. 	goto loser;
    996. 

  996.     }
    997. 

  997.     AES_DestroyContext(cx, PR_TRUE);
    998. 

  998.     cx = NULL;
    999. 

  999.     if (memcmp(doublecheck, input, inputlen) != 0) {
    1000. 

  1000. 	goto loser;
    1001. 

  1001.     }
    1002. 

  1002.     rv = SECSuccess;
    1003. 

  1003. 

  1004. loser:
    1005. 

  1005.     if (cx != NULL) {
    1006. 

  1006. 	AES_DestroyContext(cx, PR_TRUE);
    1007. 

  1007.     }
    1008. 

  1008.     return rv;
    1009. 

  1009. }
    1010. 

  1010. 

  1011. /*
    1012. 

  1012.  * Perform the AES Known Answer Test (KAT) or Multi-block Message
    1013. 

  1013.  * Test (MMT) in ECB or CBC mode.  The KAT (there are four types)
    1014. 

  1014.  * and MMT have the same structure: given the key and IV (CBC mode
    1015. 

  1015.  * only), encrypt the given plaintext or decrypt the given ciphertext.
    1016. 

  1016.  * So we can handle them the same way.
    1017. 

  1017.  *
    1018. 

  1018.  * reqfn is the pathname of the REQUEST file.
    1019. 

  1019.  *
    1020. 

  1020.  * The output RESPONSE file is written to stdout.
    1021. 

  1021.  */
    1022. 

  1022. void
    1023. 

  1023. aes_kat_mmt(char *reqfn)
    1024. 

  1024. {
    1025. 

  1025.     char buf[512];      /* holds one line from the input REQUEST file.
    1026. 

  1026.                          * needs to be large enough to hold the longest
    1027. 

  1027.                          * line "CIPHERTEXT = <320 hex digits>\n".
    1028. 

  1028.                          */
    1029. 

  1029.     FILE *aesreq;       /* input stream from the REQUEST file */
    1030. 

  1030.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1031. 

  1031.     int i, j;
    1032. 

  1032.     int mode;           /* NSS_AES (ECB) or NSS_AES_CBC */
    1033. 

  1033.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1034. 

  1034.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1035. 

  1035.     unsigned int keysize;
    1036. 

  1036.     unsigned char iv[16];		/* for all modes except ECB */
    1037. 

  1037.     unsigned char plaintext[10*16];     /* 1 to 10 blocks */
    1038. 

  1038.     unsigned int plaintextlen;
    1039. 

  1039.     unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
    1040. 

  1040.     unsigned int ciphertextlen;
    1041. 

  1041.     SECStatus rv;
    1042. 

  1042. 

  1043.     aesreq = fopen(reqfn, "r");
    1044. 

  1044.     aesresp = stdout;
    1045. 

  1045.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1046. 

  1046. 	/* a comment or blank line */
    1047. 

  1047. 	if (buf[0] == '#' || buf[0] == '\n') {
    1048. 

  1048. 	    fputs(buf, aesresp);
    1049. 

  1049. 	    continue;
    1050. 

  1050. 	}
    1051. 

  1051. 	/* [ENCRYPT] or [DECRYPT] */
    1052. 

  1052. 	if (buf[0] == '[') {
    1053. 

  1053. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1054. 

  1054. 		encrypt = 1;
    1055. 

  1055. 	    } else {
    1056. 

  1056. 		encrypt = 0;
    1057. 

  1057. 	    }
    1058. 

  1058. 	    fputs(buf, aesresp);
    1059. 

  1059. 	    continue;
    1060. 

  1060. 	}
    1061. 

  1061. 	/* "COUNT = x" begins a new data set */
    1062. 

  1062. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1063. 

  1063. 	    mode = NSS_AES;
    1064. 

  1064. 	    /* zeroize the variables for the test with this data set */
    1065. 

  1065. 	    memset(key, 0, sizeof key);
    1066. 

  1066. 	    keysize = 0;
    1067. 

  1067. 	    memset(iv, 0, sizeof iv);
    1068. 

  1068. 	    memset(plaintext, 0, sizeof plaintext);
    1069. 

  1069. 	    plaintextlen = 0;
    1070. 

  1070. 	    memset(ciphertext, 0, sizeof ciphertext);
    1071. 

  1071. 	    ciphertextlen = 0;
    1072. 

  1072. 	    fputs(buf, aesresp);
    1073. 

  1073. 	    continue;
    1074. 

  1074. 	}
    1075. 

  1075. 	/* KEY = ... */
    1076. 

  1076. 	if (strncmp(buf, "KEY", 3) == 0) {
    1077. 

  1077. 	    i = 3;
    1078. 

  1078. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1079. 

  1079. 		i++;
    1080. 

  1080. 	    }
    1081. 

  1081. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1082. 

  1082. 		hex_to_byteval(&buf[i], &key[j]);
    1083. 

  1083. 	    }
    1084. 

  1084. 	    keysize = j;
    1085. 

  1085. 	    fputs(buf, aesresp);
    1086. 

  1086. 	    continue;
    1087. 

  1087. 	}
    1088. 

  1088. 	/* IV = ... */
    1089. 

  1089. 	if (strncmp(buf, "IV", 2) == 0) {
    1090. 

  1090. 	    mode = NSS_AES_CBC;
    1091. 

  1091. 	    i = 2;
    1092. 

  1092. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1093. 

  1093. 		i++;
    1094. 

  1094. 	    }
    1095. 

  1095. 	    for (j=0; j<sizeof iv; i+=2,j++) {
    1096. 

  1096. 		hex_to_byteval(&buf[i], &iv[j]);
    1097. 

  1097. 	    }
    1098. 

  1098. 	    fputs(buf, aesresp);
    1099. 

  1099. 	    continue;
    1100. 

  1100. 	}
    1101. 

  1101. 	/* PLAINTEXT = ... */
    1102. 

  1102. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1103. 

  1103. 	    /* sanity check */
    1104. 

  1104. 	    if (!encrypt) {
    1105. 

  1105. 		goto loser;
    1106. 

  1106. 	    }
    1107. 

  1107. 

  1108. 	    i = 9;
    1109. 

  1109. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1110. 

  1110. 		i++;
    1111. 

  1111. 	    }
    1112. 

  1112. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1113. 

  1113. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1114. 

  1114. 	    }
    1115. 

  1115. 	    plaintextlen = j;
    1116. 

  1116. 

  1117. 	    rv = aes_encrypt_buf(mode, key, keysize,
    1118. 

  1118. 		(mode == NSS_AES) ? NULL : iv,
    1119. 

  1119. 		ciphertext, &ciphertextlen, sizeof ciphertext,
    1120. 

  1120. 		plaintext, plaintextlen);
    1121. 

  1121. 	    if (rv != SECSuccess) {
    1122. 

  1122. 		goto loser;
    1123. 

  1123. 	    }
    1124. 

  1124. 

  1125. 	    fputs(buf, aesresp);
    1126. 

  1126. 	    fputs("CIPHERTEXT = ", aesresp);
    1127. 

  1127. 	    to_hex_str(buf, ciphertext, ciphertextlen);
    1128. 

  1128. 	    fputs(buf, aesresp);
    1129. 

  1129. 	    fputc('\n', aesresp);
    1130. 

  1130. 	    continue;
    1131. 

  1131. 	}
    1132. 

  1132. 	/* CIPHERTEXT = ... */
    1133. 

  1133. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1134. 

  1134. 	    /* sanity check */
    1135. 

  1135. 	    if (encrypt) {
    1136. 

  1136. 		goto loser;
    1137. 

  1137. 	    }
    1138. 

  1138. 

  1139. 	    i = 10;
    1140. 

  1140. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1141. 

  1141. 		i++;
    1142. 

  1142. 	    }
    1143. 

  1143. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1144. 

  1144. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1145. 

  1145. 	    }
    1146. 

  1146. 	    ciphertextlen = j;
    1147. 

  1147. 

  1148. 	    rv = aes_decrypt_buf(mode, key, keysize,
    1149. 

  1149. 		(mode == NSS_AES) ? NULL : iv,
    1150. 

  1150. 		plaintext, &plaintextlen, sizeof plaintext,
    1151. 

  1151. 		ciphertext, ciphertextlen);
    1152. 

  1152. 	    if (rv != SECSuccess) {
    1153. 

  1153. 		goto loser;
    1154. 

  1154. 	    }
    1155. 

  1155. 

  1156. 	    fputs(buf, aesresp);
    1157. 

  1157. 	    fputs("PLAINTEXT = ", aesresp);
    1158. 

  1158. 	    to_hex_str(buf, plaintext, plaintextlen);
    1159. 

  1159. 	    fputs(buf, aesresp);
    1160. 

  1160. 	    fputc('\n', aesresp);
    1161. 

  1161. 	    continue;
    1162. 

  1162. 	}
    1163. 

  1163.     }
    1164. 

  1164. loser:
    1165. 

  1165.     fclose(aesreq);
    1166. 

  1166. }
    1167. 

  1167. 

  1168. /*
    1169. 

  1169.  * Generate Key[i+1] from Key[i], CT[j-1], and CT[j] for AES Monte Carlo
    1170. 

  1170.  * Test (MCT) in ECB and CBC modes.
    1171. 

  1171.  */
    1172. 

  1172. void
    1173. 

  1173. aes_mct_next_key(unsigned char *key, unsigned int keysize,
    1174. 

  1174.     const unsigned char *ciphertext_1, const unsigned char *ciphertext)
    1175. 

  1175. {
    1176. 

  1176.     int k;
    1177. 

  1177. 

  1178.     switch (keysize) {
    1179. 

  1179.     case 16:  /* 128-bit key */
    1180. 

  1180. 	/* Key[i+1] = Key[i] xor CT[j] */
    1181. 

  1181. 	for (k=0; k<16; k++) {
    1182. 

  1182. 	    key[k] ^= ciphertext[k];
    1183. 

  1183. 	}
    1184. 

  1184. 	break;
    1185. 

  1185.     case 24:  /* 192-bit key */
    1186. 

  1186. 	/*
    1187. 

  1187. 	 * Key[i+1] = Key[i] xor (last 64-bits of
    1188. 

  1188. 	 *            CT[j-1] || CT[j])
    1189. 

  1189. 	 */
    1190. 

  1190. 	for (k=0; k<8; k++) {
    1191. 

  1191. 	    key[k] ^= ciphertext_1[k+8];
    1192. 

  1192. 	}
    1193. 

  1193. 	for (k=8; k<24; k++) {
    1194. 

  1194. 	    key[k] ^= ciphertext[k-8];
    1195. 

  1195. 	}
    1196. 

  1196. 	break;
    1197. 

  1197.     case 32:  /* 256-bit key */
    1198. 

  1198. 	/* Key[i+1] = Key[i] xor (CT[j-1] || CT[j]) */
    1199. 

  1199. 	for (k=0; k<16; k++) {
    1200. 

  1200. 	    key[k] ^= ciphertext_1[k];
    1201. 

  1201. 	}
    1202. 

  1202. 	for (k=16; k<32; k++) {
    1203. 

  1203. 	    key[k] ^= ciphertext[k-16];
    1204. 

  1204. 	}
    1205. 

  1205. 	break;
    1206. 

  1206.     }
    1207. 

  1207. }
    1208. 

  1208. 

  1209. /*
    1210. 

  1210.  * Perform the AES Monte Carlo Test (MCT) in ECB mode.  MCT exercises
    1211. 

  1211.  * our AES code in streaming mode because the plaintext or ciphertext
    1212. 

  1212.  * is generated block by block as we go, so we can't collect all the
    1213. 

  1213.  * plaintext or ciphertext in one buffer and encrypt or decrypt it in
    1214. 

  1214.  * one shot.
    1215. 

  1215.  *
    1216. 

  1216.  * reqfn is the pathname of the input REQUEST file.
    1217. 

  1217.  *
    1218. 

  1218.  * The output RESPONSE file is written to stdout.
    1219. 

  1219.  */
    1220. 

  1220. void
    1221. 

  1221. aes_ecb_mct(char *reqfn)
    1222. 

  1222. {
    1223. 

  1223.     char buf[80];       /* holds one line from the input REQUEST file.
    1224. 

  1224.                          * needs to be large enough to hold the longest
    1225. 

  1225.                          * line "KEY = <64 hex digits>\n".
    1226. 

  1226.                          */
    1227. 

  1227.     FILE *aesreq;       /* input stream from the REQUEST file */
    1228. 

  1228.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1229. 

  1229.     int i, j;
    1230. 

  1230.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1231. 

  1231.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1232. 

  1232.     unsigned int keysize;
    1233. 

  1233.     unsigned char plaintext[16];        /* PT[j] */
    1234. 

  1234.     unsigned char plaintext_1[16];      /* PT[j-1] */
    1235. 

  1235.     unsigned char ciphertext[16];       /* CT[j] */
    1236. 

  1236.     unsigned char ciphertext_1[16];     /* CT[j-1] */
    1237. 

  1237.     unsigned char doublecheck[16];
    1238. 

  1238.     unsigned int outputlen;
    1239. 

  1239.     AESContext *cx = NULL;	/* the operation being tested */
    1240. 

  1240.     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
    1241. 

  1241.                                  * to doublecheck our result.
    1242. 

  1242.                                  */
    1243. 

  1243.     SECStatus rv;
    1244. 

  1244. 

  1245.     aesreq = fopen(reqfn, "r");
    1246. 

  1246.     aesresp = stdout;
    1247. 

  1247.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1248. 

  1248. 	/* a comment or blank line */
    1249. 

  1249. 	if (buf[0] == '#' || buf[0] == '\n') {
    1250. 

  1250. 	    fputs(buf, aesresp);
    1251. 

  1251. 	    continue;
    1252. 

  1252. 	}
    1253. 

  1253. 	/* [ENCRYPT] or [DECRYPT] */
    1254. 

  1254. 	if (buf[0] == '[') {
    1255. 

  1255. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1256. 

  1256. 		encrypt = 1;
    1257. 

  1257. 	    } else {
    1258. 

  1258. 		encrypt = 0;
    1259. 

  1259. 	    }
    1260. 

  1260. 	    fputs(buf, aesresp);
    1261. 

  1261. 	    continue;
    1262. 

  1262. 	}
    1263. 

  1263. 	/* "COUNT = x" begins a new data set */
    1264. 

  1264. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1265. 

  1265. 	    /* zeroize the variables for the test with this data set */
    1266. 

  1266. 	    memset(key, 0, sizeof key);
    1267. 

  1267. 	    keysize = 0;
    1268. 

  1268. 	    memset(plaintext, 0, sizeof plaintext);
    1269. 

  1269. 	    memset(ciphertext, 0, sizeof ciphertext);
    1270. 

  1270. 	    continue;
    1271. 

  1271. 	}
    1272. 

  1272. 	/* KEY = ... */
    1273. 

  1273. 	if (strncmp(buf, "KEY", 3) == 0) {
    1274. 

  1274. 	    /* Key[0] = Key */
    1275. 

  1275. 	    i = 3;
    1276. 

  1276. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1277. 

  1277. 		i++;
    1278. 

  1278. 	    }
    1279. 

  1279. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1280. 

  1280. 		hex_to_byteval(&buf[i], &key[j]);
    1281. 

  1281. 	    }
    1282. 

  1282. 	    keysize = j;
    1283. 

  1283. 	    continue;
    1284. 

  1284. 	}
    1285. 

  1285. 	/* PLAINTEXT = ... */
    1286. 

  1286. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1287. 

  1287. 	    /* sanity check */
    1288. 

  1288. 	    if (!encrypt) {
    1289. 

  1289. 		goto loser;
    1290. 

  1290. 	    }
    1291. 

  1291. 	    /* PT[0] = PT */
    1292. 

  1292. 	    i = 9;
    1293. 

  1293. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1294. 

  1294. 		i++;
    1295. 

  1295. 	    }
    1296. 

  1296. 	    for (j=0; j<sizeof plaintext; i+=2,j++) {
    1297. 

  1297. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1298. 

  1298. 	    }
    1299. 

  1299. 

  1300. 	    for (i=0; i<100; i++) {
    1301. 

  1301. 		sprintf(buf, "COUNT = %d\n", i);
    1302. 

  1302. 	        fputs(buf, aesresp);
    1303. 

  1303. 		/* Output Key[i] */
    1304. 

  1304. 		fputs("KEY = ", aesresp);
    1305. 

  1305. 		to_hex_str(buf, key, keysize);
    1306. 

  1306. 		fputs(buf, aesresp);
    1307. 

  1307. 		fputc('\n', aesresp);
    1308. 

  1308. 		/* Output PT[0] */
    1309. 

  1309. 		fputs("PLAINTEXT = ", aesresp);
    1310. 

  1310. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1311. 

  1311. 		fputs(buf, aesresp);
    1312. 

  1312. 		fputc('\n', aesresp);
    1313. 

  1313. 

  1314. 		cx = AES_CreateContext(key, NULL, NSS_AES,
    1315. 

  1315. 		    PR_TRUE, keysize, 16);
    1316. 

  1316. 		if (cx == NULL) {
    1317. 

  1317. 		    goto loser;
    1318. 

  1318. 		}
    1319. 

  1319. 		/*
    1320. 

  1320. 		 * doublecheck our result by decrypting the result
    1321. 

  1321. 		 * and comparing the output with the plaintext.
    1322. 

  1322. 		 */
    1323. 

  1323. 		cx2 = AES_CreateContext(key, NULL, NSS_AES,
    1324. 

  1324. 		    PR_FALSE, keysize, 16);
    1325. 

  1325. 		if (cx2 == NULL) {
    1326. 

  1326. 		    goto loser;
    1327. 

  1327. 		}
    1328. 

  1328. 		for (j=0; j<1000; j++) {
    1329. 

  1329. 		    /* Save CT[j-1] */
    1330. 

  1330. 		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
    1331. 

  1331. 

  1332. 		    /* CT[j] = AES(Key[i], PT[j]) */
    1333. 

  1333. 		    outputlen = 0;
    1334. 

  1334. 		    rv = AES_Encrypt(cx,
    1335. 

  1335. 			ciphertext, &outputlen, sizeof ciphertext,
    1336. 

  1336. 			plaintext, sizeof plaintext);
    1337. 

  1337. 		    if (rv != SECSuccess) {
    1338. 

  1338. 			goto loser;
    1339. 

  1339. 		    }
    1340. 

  1340. 		    if (outputlen != sizeof plaintext) {
    1341. 

  1341. 			goto loser;
    1342. 

  1342. 		    }
    1343. 

  1343. 

  1344. 		    /* doublecheck our result */
    1345. 

  1345. 		    outputlen = 0;
    1346. 

  1346. 		    rv = AES_Decrypt(cx2,
    1347. 

  1347. 			doublecheck, &outputlen, sizeof doublecheck,
    1348. 

  1348. 			ciphertext, sizeof ciphertext);
    1349. 

  1349. 		    if (rv != SECSuccess) {
    1350. 

  1350. 			goto loser;
    1351. 

  1351. 		    }
    1352. 

  1352. 		    if (outputlen != sizeof ciphertext) {
    1353. 

  1353. 			goto loser;
    1354. 

  1354. 		    }
    1355. 

  1355. 		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
    1356. 

  1356. 			goto loser;
    1357. 

  1357. 		    }
    1358. 

  1358. 

  1359. 		    /* PT[j+1] = CT[j] */
    1360. 

  1360. 		    memcpy(plaintext, ciphertext, sizeof plaintext);
    1361. 

  1361. 		}
    1362. 

  1362. 		AES_DestroyContext(cx, PR_TRUE);
    1363. 

  1363. 		cx = NULL;
    1364. 

  1364. 		AES_DestroyContext(cx2, PR_TRUE);
    1365. 

  1365. 		cx2 = NULL;
    1366. 

  1366. 

  1367. 		/* Output CT[j] */
    1368. 

  1368. 		fputs("CIPHERTEXT = ", aesresp);
    1369. 

  1369. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1370. 

  1370. 		fputs(buf, aesresp);
    1371. 

  1371. 		fputc('\n', aesresp);
    1372. 

  1372. 

  1373. 		/* Key[i+1] = Key[i] xor ... */
    1374. 

  1374. 		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
    1375. 

  1375. 		/* PT[0] = CT[j] */
    1376. 

  1376. 		/* done at the end of the for(j) loop */
    1377. 

  1377. 

  1378. 		fputc('\n', aesresp);
    1379. 

  1379. 	    }
    1380. 

  1380. 

  1381. 	    continue;
    1382. 

  1382. 	}
    1383. 

  1383. 	/* CIPHERTEXT = ... */
    1384. 

  1384. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1385. 

  1385. 	    /* sanity check */
    1386. 

  1386. 	    if (encrypt) {
    1387. 

  1387. 		goto loser;
    1388. 

  1388. 	    }
    1389. 

  1389. 	    /* CT[0] = CT */
    1390. 

  1390. 	    i = 10;
    1391. 

  1391. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1392. 

  1392. 		i++;
    1393. 

  1393. 	    }
    1394. 

  1394. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1395. 

  1395. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1396. 

  1396. 	    }
    1397. 

  1397. 

  1398. 	    for (i=0; i<100; i++) {
    1399. 

  1399. 		sprintf(buf, "COUNT = %d\n", i);
    1400. 

  1400. 	        fputs(buf, aesresp);
    1401. 

  1401. 		/* Output Key[i] */
    1402. 

  1402. 		fputs("KEY = ", aesresp);
    1403. 

  1403. 		to_hex_str(buf, key, keysize);
    1404. 

  1404. 		fputs(buf, aesresp);
    1405. 

  1405. 		fputc('\n', aesresp);
    1406. 

  1406. 		/* Output CT[0] */
    1407. 

  1407. 		fputs("CIPHERTEXT = ", aesresp);
    1408. 

  1408. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1409. 

  1409. 		fputs(buf, aesresp);
    1410. 

  1410. 		fputc('\n', aesresp);
    1411. 

  1411. 

  1412. 		cx = AES_CreateContext(key, NULL, NSS_AES,
    1413. 

  1413. 		    PR_FALSE, keysize, 16);
    1414. 

  1414. 		if (cx == NULL) {
    1415. 

  1415. 		    goto loser;
    1416. 

  1416. 		}
    1417. 

  1417. 		/*
    1418. 

  1418. 		 * doublecheck our result by encrypting the result
    1419. 

  1419. 		 * and comparing the output with the ciphertext.
    1420. 

  1420. 		 */
    1421. 

  1421. 		cx2 = AES_CreateContext(key, NULL, NSS_AES,
    1422. 

  1422. 		    PR_TRUE, keysize, 16);
    1423. 

  1423. 		if (cx2 == NULL) {
    1424. 

  1424. 		    goto loser;
    1425. 

  1425. 		}
    1426. 

  1426. 		for (j=0; j<1000; j++) {
    1427. 

  1427. 		    /* Save PT[j-1] */
    1428. 

  1428. 		    memcpy(plaintext_1, plaintext, sizeof plaintext);
    1429. 

  1429. 

  1430. 		    /* PT[j] = AES(Key[i], CT[j]) */
    1431. 

  1431. 		    outputlen = 0;
    1432. 

  1432. 		    rv = AES_Decrypt(cx,
    1433. 

  1433. 			plaintext, &outputlen, sizeof plaintext,
    1434. 

  1434. 			ciphertext, sizeof ciphertext);
    1435. 

  1435. 		    if (rv != SECSuccess) {
    1436. 

  1436. 			goto loser;
    1437. 

  1437. 		    }
    1438. 

  1438. 		    if (outputlen != sizeof ciphertext) {
    1439. 

  1439. 			goto loser;
    1440. 

  1440. 		    }
    1441. 

  1441. 

  1442. 		    /* doublecheck our result */
    1443. 

  1443. 		    outputlen = 0;
    1444. 

  1444. 		    rv = AES_Encrypt(cx2,
    1445. 

  1445. 			doublecheck, &outputlen, sizeof doublecheck,
    1446. 

  1446. 			plaintext, sizeof plaintext);
    1447. 

  1447. 		    if (rv != SECSuccess) {
    1448. 

  1448. 			goto loser;
    1449. 

  1449. 		    }
    1450. 

  1450. 		    if (outputlen != sizeof plaintext) {
    1451. 

  1451. 			goto loser;
    1452. 

  1452. 		    }
    1453. 

  1453. 		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
    1454. 

  1454. 			goto loser;
    1455. 

  1455. 		    }
    1456. 

  1456. 

  1457. 		    /* CT[j+1] = PT[j] */
    1458. 

  1458. 		    memcpy(ciphertext, plaintext, sizeof ciphertext);
    1459. 

  1459. 		}
    1460. 

  1460. 		AES_DestroyContext(cx, PR_TRUE);
    1461. 

  1461. 		cx = NULL;
    1462. 

  1462. 		AES_DestroyContext(cx2, PR_TRUE);
    1463. 

  1463. 		cx2 = NULL;
    1464. 

  1464. 

  1465. 		/* Output PT[j] */
    1466. 

  1466. 		fputs("PLAINTEXT = ", aesresp);
    1467. 

  1467. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1468. 

  1468. 		fputs(buf, aesresp);
    1469. 

  1469. 		fputc('\n', aesresp);
    1470. 

  1470. 

  1471. 		/* Key[i+1] = Key[i] xor ... */
    1472. 

  1472. 		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
    1473. 

  1473. 		/* CT[0] = PT[j] */
    1474. 

  1474. 		/* done at the end of the for(j) loop */
    1475. 

  1475. 

  1476. 		fputc('\n', aesresp);
    1477. 

  1477. 	    }
    1478. 

  1478. 

  1479. 	    continue;
    1480. 

  1480. 	}
    1481. 

  1481.     }
    1482. 

  1482. loser:
    1483. 

  1483.     if (cx != NULL) {
    1484. 

  1484. 	AES_DestroyContext(cx, PR_TRUE);
    1485. 

  1485.     }
    1486. 

  1486.     if (cx2 != NULL) {
    1487. 

  1487. 	AES_DestroyContext(cx2, PR_TRUE);
    1488. 

  1488.     }
    1489. 

  1489.     fclose(aesreq);
    1490. 

  1490. }
    1491. 

  1491. 

  1492. /*
    1493. 

  1493.  * Perform the AES Monte Carlo Test (MCT) in CBC mode.  MCT exercises
    1494. 

  1494.  * our AES code in streaming mode because the plaintext or ciphertext
    1495. 

  1495.  * is generated block by block as we go, so we can't collect all the
    1496. 

  1496.  * plaintext or ciphertext in one buffer and encrypt or decrypt it in
    1497. 

  1497.  * one shot.
    1498. 

  1498.  *
    1499. 

  1499.  * reqfn is the pathname of the input REQUEST file.
    1500. 

  1500.  *
    1501. 

  1501.  * The output RESPONSE file is written to stdout.
    1502. 

  1502.  */
    1503. 

  1503. void
    1504. 

  1504. aes_cbc_mct(char *reqfn)
    1505. 

  1505. {
    1506. 

  1506.     char buf[80];       /* holds one line from the input REQUEST file.
    1507. 

  1507.                          * needs to be large enough to hold the longest
    1508. 

  1508.                          * line "KEY = <64 hex digits>\n".
    1509. 

  1509.                          */
    1510. 

  1510.     FILE *aesreq;       /* input stream from the REQUEST file */
    1511. 

  1511.     FILE *aesresp;      /* output stream to the RESPONSE file */
    1512. 

  1512.     int i, j;
    1513. 

  1513.     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
    1514. 

  1514.     unsigned char key[32];              /* 128, 192, or 256 bits */
    1515. 

  1515.     unsigned int keysize;
    1516. 

  1516.     unsigned char iv[16];
    1517. 

  1517.     unsigned char plaintext[16];        /* PT[j] */
    1518. 

  1518.     unsigned char plaintext_1[16];      /* PT[j-1] */
    1519. 

  1519.     unsigned char ciphertext[16];       /* CT[j] */
    1520. 

  1520.     unsigned char ciphertext_1[16];     /* CT[j-1] */
    1521. 

  1521.     unsigned char doublecheck[16];
    1522. 

  1522.     unsigned int outputlen;
    1523. 

  1523.     AESContext *cx = NULL;	/* the operation being tested */
    1524. 

  1524.     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
    1525. 

  1525.                                  * to doublecheck our result.
    1526. 

  1526.                                  */
    1527. 

  1527.     SECStatus rv;
    1528. 

  1528. 

  1529.     aesreq = fopen(reqfn, "r");
    1530. 

  1530.     aesresp = stdout;
    1531. 

  1531.     while (fgets(buf, sizeof buf, aesreq) != NULL) {
    1532. 

  1532. 	/* a comment or blank line */
    1533. 

  1533. 	if (buf[0] == '#' || buf[0] == '\n') {
    1534. 

  1534. 	    fputs(buf, aesresp);
    1535. 

  1535. 	    continue;
    1536. 

  1536. 	}
    1537. 

  1537. 	/* [ENCRYPT] or [DECRYPT] */
    1538. 

  1538. 	if (buf[0] == '[') {
    1539. 

  1539. 	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
    1540. 

  1540. 		encrypt = 1;
    1541. 

  1541. 	    } else {
    1542. 

  1542. 		encrypt = 0;
    1543. 

  1543. 	    }
    1544. 

  1544. 	    fputs(buf, aesresp);
    1545. 

  1545. 	    continue;
    1546. 

  1546. 	}
    1547. 

  1547. 	/* "COUNT = x" begins a new data set */
    1548. 

  1548. 	if (strncmp(buf, "COUNT", 5) == 0) {
    1549. 

  1549. 	    /* zeroize the variables for the test with this data set */
    1550. 

  1550. 	    memset(key, 0, sizeof key);
    1551. 

  1551. 	    keysize = 0;
    1552. 

  1552. 	    memset(iv, 0, sizeof iv);
    1553. 

  1553. 	    memset(plaintext, 0, sizeof plaintext);
    1554. 

  1554. 	    memset(ciphertext, 0, sizeof ciphertext);
    1555. 

  1555. 	    continue;
    1556. 

  1556. 	}
    1557. 

  1557. 	/* KEY = ... */
    1558. 

  1558. 	if (strncmp(buf, "KEY", 3) == 0) {
    1559. 

  1559. 	    /* Key[0] = Key */
    1560. 

  1560. 	    i = 3;
    1561. 

  1561. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1562. 

  1562. 		i++;
    1563. 

  1563. 	    }
    1564. 

  1564. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1565. 

  1565. 		hex_to_byteval(&buf[i], &key[j]);
    1566. 

  1566. 	    }
    1567. 

  1567. 	    keysize = j;
    1568. 

  1568. 	    continue;
    1569. 

  1569. 	}
    1570. 

  1570. 	/* IV = ... */
    1571. 

  1571. 	if (strncmp(buf, "IV", 2) == 0) {
    1572. 

  1572. 	    /* IV[0] = IV */
    1573. 

  1573. 	    i = 2;
    1574. 

  1574. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1575. 

  1575. 		i++;
    1576. 

  1576. 	    }
    1577. 

  1577. 	    for (j=0; j<sizeof iv; i+=2,j++) {
    1578. 

  1578. 		hex_to_byteval(&buf[i], &iv[j]);
    1579. 

  1579. 	    }
    1580. 

  1580. 	    continue;
    1581. 

  1581. 	}
    1582. 

  1582. 	/* PLAINTEXT = ... */
    1583. 

  1583. 	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
    1584. 

  1584. 	    /* sanity check */
    1585. 

  1585. 	    if (!encrypt) {
    1586. 

  1586. 		goto loser;
    1587. 

  1587. 	    }
    1588. 

  1588. 	    /* PT[0] = PT */
    1589. 

  1589. 	    i = 9;
    1590. 

  1590. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1591. 

  1591. 		i++;
    1592. 

  1592. 	    }
    1593. 

  1593. 	    for (j=0; j<sizeof plaintext; i+=2,j++) {
    1594. 

  1594. 		hex_to_byteval(&buf[i], &plaintext[j]);
    1595. 

  1595. 	    }
    1596. 

  1596. 

  1597. 	    for (i=0; i<100; i++) {
    1598. 

  1598. 		sprintf(buf, "COUNT = %d\n", i);
    1599. 

  1599. 	        fputs(buf, aesresp);
    1600. 

  1600. 		/* Output Key[i] */
    1601. 

  1601. 		fputs("KEY = ", aesresp);
    1602. 

  1602. 		to_hex_str(buf, key, keysize);
    1603. 

  1603. 		fputs(buf, aesresp);
    1604. 

  1604. 		fputc('\n', aesresp);
    1605. 

  1605. 		/* Output IV[i] */
    1606. 

  1606. 		fputs("IV = ", aesresp);
    1607. 

  1607. 		to_hex_str(buf, iv, sizeof iv);
    1608. 

  1608. 		fputs(buf, aesresp);
    1609. 

  1609. 		fputc('\n', aesresp);
    1610. 

  1610. 		/* Output PT[0] */
    1611. 

  1611. 		fputs("PLAINTEXT = ", aesresp);
    1612. 

  1612. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1613. 

  1613. 		fputs(buf, aesresp);
    1614. 

  1614. 		fputc('\n', aesresp);
    1615. 

  1615. 

  1616. 		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
    1617. 

  1617. 		    PR_TRUE, keysize, 16);
    1618. 

  1618. 		if (cx == NULL) {
    1619. 

  1619. 		    goto loser;
    1620. 

  1620. 		}
    1621. 

  1621. 		/*
    1622. 

  1622. 		 * doublecheck our result by decrypting the result
    1623. 

  1623. 		 * and comparing the output with the plaintext.
    1624. 

  1624. 		 */
    1625. 

  1625. 		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
    1626. 

  1626. 		    PR_FALSE, keysize, 16);
    1627. 

  1627. 		if (cx2 == NULL) {
    1628. 

  1628. 		    goto loser;
    1629. 

  1629. 		}
    1630. 

  1630. 		/* CT[-1] = IV[i] */
    1631. 

  1631. 		memcpy(ciphertext, iv, sizeof ciphertext);
    1632. 

  1632. 		for (j=0; j<1000; j++) {
    1633. 

  1633. 		    /* Save CT[j-1] */
    1634. 

  1634. 		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
    1635. 

  1635. 		    /*
    1636. 

  1636. 		     * If ( j=0 )
    1637. 

  1637. 		     *      CT[j] = AES(Key[i], IV[i], PT[j])
    1638. 

  1638. 		     *      PT[j+1] = IV[i] (= CT[j-1])
    1639. 

  1639. 		     * Else
    1640. 

  1640. 		     *      CT[j] = AES(Key[i], PT[j])
    1641. 

  1641. 		     *      PT[j+1] = CT[j-1]
    1642. 

  1642. 		     */
    1643. 

  1643. 		    outputlen = 0;
    1644. 

  1644. 		    rv = AES_Encrypt(cx,
    1645. 

  1645. 			ciphertext, &outputlen, sizeof ciphertext,
    1646. 

  1646. 			plaintext, sizeof plaintext);
    1647. 

  1647. 		    if (rv != SECSuccess) {
    1648. 

  1648. 			goto loser;
    1649. 

  1649. 		    }
    1650. 

  1650. 		    if (outputlen != sizeof plaintext) {
    1651. 

  1651. 			goto loser;
    1652. 

  1652. 		    }
    1653. 

  1653. 

  1654. 		    /* doublecheck our result */
    1655. 

  1655. 		    outputlen = 0;
    1656. 

  1656. 		    rv = AES_Decrypt(cx2,
    1657. 

  1657. 			doublecheck, &outputlen, sizeof doublecheck,
    1658. 

  1658. 			ciphertext, sizeof ciphertext);
    1659. 

  1659. 		    if (rv != SECSuccess) {
    1660. 

  1660. 			goto loser;
    1661. 

  1661. 		    }
    1662. 

  1662. 		    if (outputlen != sizeof ciphertext) {
    1663. 

  1663. 			goto loser;
    1664. 

  1664. 		    }
    1665. 

  1665. 		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
    1666. 

  1666. 			goto loser;
    1667. 

  1667. 		    }
    1668. 

  1668. 

  1669. 		    memcpy(plaintext, ciphertext_1, sizeof plaintext);
    1670. 

  1670. 		}
    1671. 

  1671. 		AES_DestroyContext(cx, PR_TRUE);
    1672. 

  1672. 		cx = NULL;
    1673. 

  1673. 		AES_DestroyContext(cx2, PR_TRUE);
    1674. 

  1674. 		cx2 = NULL;
    1675. 

  1675. 

  1676. 		/* Output CT[j] */
    1677. 

  1677. 		fputs("CIPHERTEXT = ", aesresp);
    1678. 

  1678. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1679. 

  1679. 		fputs(buf, aesresp);
    1680. 

  1680. 		fputc('\n', aesresp);
    1681. 

  1681. 

  1682. 		/* Key[i+1] = Key[i] xor ... */
    1683. 

  1683. 		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
    1684. 

  1684. 		/* IV[i+1] = CT[j] */
    1685. 

  1685. 		memcpy(iv, ciphertext, sizeof iv);
    1686. 

  1686. 		/* PT[0] = CT[j-1] */
    1687. 

  1687. 		/* done at the end of the for(j) loop */
    1688. 

  1688. 

  1689. 		fputc('\n', aesresp);
    1690. 

  1690. 	    }
    1691. 

  1691. 

  1692. 	    continue;
    1693. 

  1693. 	}
    1694. 

  1694. 	/* CIPHERTEXT = ... */
    1695. 

  1695. 	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
    1696. 

  1696. 	    /* sanity check */
    1697. 

  1697. 	    if (encrypt) {
    1698. 

  1698. 		goto loser;
    1699. 

  1699. 	    }
    1700. 

  1700. 	    /* CT[0] = CT */
    1701. 

  1701. 	    i = 10;
    1702. 

  1702. 	    while (isspace(buf[i]) || buf[i] == '=') {
    1703. 

  1703. 		i++;
    1704. 

  1704. 	    }
    1705. 

  1705. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    1706. 

  1706. 		hex_to_byteval(&buf[i], &ciphertext[j]);
    1707. 

  1707. 	    }
    1708. 

  1708. 

  1709. 	    for (i=0; i<100; i++) {
    1710. 

  1710. 		sprintf(buf, "COUNT = %d\n", i);
    1711. 

  1711. 	        fputs(buf, aesresp);
    1712. 

  1712. 		/* Output Key[i] */
    1713. 

  1713. 		fputs("KEY = ", aesresp);
    1714. 

  1714. 		to_hex_str(buf, key, keysize);
    1715. 

  1715. 		fputs(buf, aesresp);
    1716. 

  1716. 		fputc('\n', aesresp);
    1717. 

  1717. 		/* Output IV[i] */
    1718. 

  1718. 		fputs("IV = ", aesresp);
    1719. 

  1719. 		to_hex_str(buf, iv, sizeof iv);
    1720. 

  1720. 		fputs(buf, aesresp);
    1721. 

  1721. 		fputc('\n', aesresp);
    1722. 

  1722. 		/* Output CT[0] */
    1723. 

  1723. 		fputs("CIPHERTEXT = ", aesresp);
    1724. 

  1724. 		to_hex_str(buf, ciphertext, sizeof ciphertext);
    1725. 

  1725. 		fputs(buf, aesresp);
    1726. 

  1726. 		fputc('\n', aesresp);
    1727. 

  1727. 

  1728. 		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
    1729. 

  1729. 		    PR_FALSE, keysize, 16);
    1730. 

  1730. 		if (cx == NULL) {
    1731. 

  1731. 		    goto loser;
    1732. 

  1732. 		}
    1733. 

  1733. 		/*
    1734. 

  1734. 		 * doublecheck our result by encrypting the result
    1735. 

  1735. 		 * and comparing the output with the ciphertext.
    1736. 

  1736. 		 */
    1737. 

  1737. 		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
    1738. 

  1738. 		    PR_TRUE, keysize, 16);
    1739. 

  1739. 		if (cx2 == NULL) {
    1740. 

  1740. 		    goto loser;
    1741. 

  1741. 		}
    1742. 

  1742. 		/* PT[-1] = IV[i] */
    1743. 

  1743. 		memcpy(plaintext, iv, sizeof plaintext);
    1744. 

  1744. 		for (j=0; j<1000; j++) {
    1745. 

  1745. 		    /* Save PT[j-1] */
    1746. 

  1746. 		    memcpy(plaintext_1, plaintext, sizeof plaintext);
    1747. 

  1747. 		    /*
    1748. 

  1748. 		     * If ( j=0 )
    1749. 

  1749. 		     *      PT[j] = AES(Key[i], IV[i], CT[j])
    1750. 

  1750. 		     *      CT[j+1] = IV[i] (= PT[j-1])
    1751. 

  1751. 		     * Else
    1752. 

  1752. 		     *      PT[j] = AES(Key[i], CT[j])
    1753. 

  1753. 		     *      CT[j+1] = PT[j-1]
    1754. 

  1754. 		     */
    1755. 

  1755. 		    outputlen = 0;
    1756. 

  1756. 		    rv = AES_Decrypt(cx,
    1757. 

  1757. 			plaintext, &outputlen, sizeof plaintext,
    1758. 

  1758. 			ciphertext, sizeof ciphertext);
    1759. 

  1759. 		    if (rv != SECSuccess) {
    1760. 

  1760. 			goto loser;
    1761. 

  1761. 		    }
    1762. 

  1762. 		    if (outputlen != sizeof ciphertext) {
    1763. 

  1763. 			goto loser;
    1764. 

  1764. 		    }
    1765. 

  1765. 

  1766. 		    /* doublecheck our result */
    1767. 

  1767. 		    outputlen = 0;
    1768. 

  1768. 		    rv = AES_Encrypt(cx2,
    1769. 

  1769. 			doublecheck, &outputlen, sizeof doublecheck,
    1770. 

  1770. 			plaintext, sizeof plaintext);
    1771. 

  1771. 		    if (rv != SECSuccess) {
    1772. 

  1772. 			goto loser;
    1773. 

  1773. 		    }
    1774. 

  1774. 		    if (outputlen != sizeof plaintext) {
    1775. 

  1775. 			goto loser;
    1776. 

  1776. 		    }
    1777. 

  1777. 		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
    1778. 

  1778. 			goto loser;
    1779. 

  1779. 		    }
    1780. 

  1780. 

  1781. 		    memcpy(ciphertext, plaintext_1, sizeof ciphertext);
    1782. 

  1782. 		}
    1783. 

  1783. 		AES_DestroyContext(cx, PR_TRUE);
    1784. 

  1784. 		cx = NULL;
    1785. 

  1785. 		AES_DestroyContext(cx2, PR_TRUE);
    1786. 

  1786. 		cx2 = NULL;
    1787. 

  1787. 

  1788. 		/* Output PT[j] */
    1789. 

  1789. 		fputs("PLAINTEXT = ", aesresp);
    1790. 

  1790. 		to_hex_str(buf, plaintext, sizeof plaintext);
    1791. 

  1791. 		fputs(buf, aesresp);
    1792. 

  1792. 		fputc('\n', aesresp);
    1793. 

  1793. 

  1794. 		/* Key[i+1] = Key[i] xor ... */
    1795. 

  1795. 		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
    1796. 

  1796. 		/* IV[i+1] = PT[j] */
    1797. 

  1797. 		memcpy(iv, plaintext, sizeof iv);
    1798. 

  1798. 		/* CT[0] = PT[j-1] */
    1799. 

  1799. 		/* done at the end of the for(j) loop */
    1800. 

  1800. 

  1801. 		fputc('\n', aesresp);
    1802. 

  1802. 	    }
    1803. 

  1803. 

  1804. 	    continue;
    1805. 

  1805. 	}
    1806. 

  1806.     }
    1807. 

  1807. loser:
    1808. 

  1808.     if (cx != NULL) {
    1809. 

  1809. 	AES_DestroyContext(cx, PR_TRUE);
    1810. 

  1810.     }
    1811. 

  1811.     if (cx2 != NULL) {
    1812. 

  1812. 	AES_DestroyContext(cx2, PR_TRUE);
    1813. 

  1813.     }
    1814. 

  1814.     fclose(aesreq);
    1815. 

  1815. }
    1816. 

  1816. 

  1817. void write_compact_string(FILE *out, unsigned char *hash, unsigned int len)
    1818. 

  1818. {
    1819. 

  1819.     unsigned int i;
    1820. 

  1820.     int j, count = 0, last = -1, z = 0;
    1821. 

  1821.     long start = ftell(out);
    1822. 

  1822.     for (i=0; i<len; i++) {
    1823. 

  1823. 	for (j=7; j>=0; j--) {
    1824. 

  1824. 	    if (last < 0) {
    1825. 

  1825. 		last = (hash[i] & (1 << j)) ? 1 : 0;
    1826. 

  1826. 		fprintf(out, "%d ", last);
    1827. 

  1827. 		count = 1;
    1828. 

  1828. 	    } else if (hash[i] & (1 << j)) {
    1829. 

  1829. 		if (last) {
    1830. 

  1830. 		    count++; 
    1831. 

  1831. 		} else { 
    1832. 

  1832. 		    last = 0;
    1833. 

  1833. 		    fprintf(out, "%d ", count);
    1834. 

  1834. 		    count = 1;
    1835. 

  1835. 		    z++;
    1836. 

  1836. 		}
    1837. 

  1837. 	    } else {
    1838. 

  1838. 		if (!last) {
    1839. 

  1839. 		    count++; 
    1840. 

  1840. 		} else { 
    1841. 

  1841. 		    last = 1;
    1842. 

  1842. 		    fprintf(out, "%d ", count);
    1843. 

  1843. 		    count = 1;
    1844. 

  1844. 		    z++;
    1845. 

  1845. 		}
    1846. 

  1846. 	    }
    1847. 

  1847. 	}
    1848. 

  1848.     }
    1849. 

  1849.     fprintf(out, "^\n");
    1850. 

  1850.     fseek(out, start, SEEK_SET);
    1851. 

  1851.     fprintf(out, "%d ", z);
    1852. 

  1852.     fseek(out, 0, SEEK_END);
    1853. 

  1853. }
    1854. 

  1854. 

  1855. int get_next_line(FILE *req, char *key, char *val, FILE *rsp)
    1856. 

  1856. {
    1857. 

  1857.     int ignore = 0;
    1858. 

  1858.     char *writeto = key;
    1859. 

  1859.     int w = 0;
    1860. 

  1860.     int c;
    1861. 

  1861.     while ((c = fgetc(req)) != EOF) {
    1862. 

  1862. 	if (ignore) {
    1863. 

  1863. 	    fprintf(rsp, "%c", c);
    1864. 

  1864. 	    if (c == '\n') return ignore;
    1865. 

  1865. 	} else if (c == '\n') {
    1866. 

  1866. 	    break;
    1867. 

  1867. 	} else if (c == '#') {
    1868. 

  1868. 	    ignore = 1;
    1869. 

  1869. 	    fprintf(rsp, "%c", c);
    1870. 

  1870. 	} else if (c == '=') {
    1871. 

  1871. 	    writeto[w] = '\0';
    1872. 

  1872. 	    w = 0;
    1873. 

  1873. 	    writeto = val;
    1874. 

  1874. 	} else if (c == ' ' || c == '[' || c == ']') {
    1875. 

  1875. 	    continue;
    1876. 

  1876. 	} else {
    1877. 

  1877. 	    writeto[w++] = c;
    1878. 

  1878. 	}
    1879. 

  1879.     }
    1880. 

  1880.     writeto[w] = '\0';
    1881. 

  1881.     return (c == EOF) ? -1 : ignore;
    1882. 

  1882. }
    1883. 

  1883. 

  1884. #ifdef NSS_ENABLE_ECC
    1885. 

  1885. typedef struct curveNameTagPairStr {
    1886. 

  1886.     char *curveName;
    1887. 

  1887.     SECOidTag curveOidTag;
    1888. 

  1888. } CurveNameTagPair;
    1889. 

  1889. 

  1890. #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
    1891. 

  1891. /* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
    1892. 

  1892. 

  1893. static CurveNameTagPair nameTagPair[] =
    1894. 

  1894. { 
    1895. 

  1895.   { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
    1896. 

  1896.   { "nistk163", SEC_OID_SECG_EC_SECT163K1},
    1897. 

  1897.   { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
    1898. 

  1898.   { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
    1899. 

  1899.   { "nistb163", SEC_OID_SECG_EC_SECT163R2},
    1900. 

  1900.   { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
    1901. 

  1901.   { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
    1902. 

  1902.   { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
    1903. 

  1903.   { "nistk233", SEC_OID_SECG_EC_SECT233K1},
    1904. 

  1904.   { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
    1905. 

  1905.   { "nistb233", SEC_OID_SECG_EC_SECT233R1},
    1906. 

  1906.   { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
    1907. 

  1907.   { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
    1908. 

  1908.   { "nistk283", SEC_OID_SECG_EC_SECT283K1},
    1909. 

  1909.   { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
    1910. 

  1910.   { "nistb283", SEC_OID_SECG_EC_SECT283R1},
    1911. 

  1911.   { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
    1912. 

  1912.   { "nistk409", SEC_OID_SECG_EC_SECT409K1},
    1913. 

  1913.   { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
    1914. 

  1914.   { "nistb409", SEC_OID_SECG_EC_SECT409R1},
    1915. 

  1915.   { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
    1916. 

  1916.   { "nistk571", SEC_OID_SECG_EC_SECT571K1},
    1917. 

  1917.   { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
    1918. 

  1918.   { "nistb571", SEC_OID_SECG_EC_SECT571R1},
    1919. 

  1919.   { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
    1920. 

  1920.   { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
    1921. 

  1921.   { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
    1922. 

  1922.   { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
    1923. 

  1923.   { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
    1924. 

  1924.   { "nistp192", SEC_OID_SECG_EC_SECP192R1},
    1925. 

  1925.   { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
    1926. 

  1926.   { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
    1927. 

  1927.   { "nistp224", SEC_OID_SECG_EC_SECP224R1},
    1928. 

  1928.   { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
    1929. 

  1929.   { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
    1930. 

  1930.   { "nistp256", SEC_OID_SECG_EC_SECP256R1},
    1931. 

  1931.   { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
    1932. 

  1932.   { "nistp384", SEC_OID_SECG_EC_SECP384R1},
    1933. 

  1933.   { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
    1934. 

  1934.   { "nistp521", SEC_OID_SECG_EC_SECP521R1},
    1935. 

  1935. 

  1936.   { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
    1937. 

  1937.   { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
    1938. 

  1938.   { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
    1939. 

  1939.   { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
    1940. 

  1940.   { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
    1941. 

  1941.   { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
    1942. 

  1942. 

  1943.   { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
    1944. 

  1944.   { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
    1945. 

  1945.   { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
    1946. 

  1946.   { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
    1947. 

  1947.   { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
    1948. 

  1948.   { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
    1949. 

  1949.   { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
    1950. 

  1950.   { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
    1951. 

  1951.   { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
    1952. 

  1952.   { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
    1953. 

  1953.   { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
    1954. 

  1954.   { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
    1955. 

  1955.   { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
    1956. 

  1956.   { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
    1957. 

  1957.   { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
    1958. 

  1958.   { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
    1959. 

  1959.   { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
    1960. 

  1960.   { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
    1961. 

  1961.   { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
    1962. 

  1962.   { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
    1963. 

  1963. 

  1964.   { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
    1965. 

  1965.   { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
    1966. 

  1966.   { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
    1967. 

  1967.   { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
    1968. 

  1968. 

  1969.   { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
    1970. 

  1970.   { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
    1971. 

  1971.   { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
    1972. 

  1972.   { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
    1973. 

  1973. };
    1974. 

  1974. 

  1975. static SECItem * 
    1976. 

  1976. getECParams(const char *curve)
    1977. 

  1977. {
    1978. 

  1978.     SECItem *ecparams;
    1979. 

  1979.     SECOidData *oidData = NULL;
    1980. 

  1980.     SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
    1981. 

  1981.     int i, numCurves;
    1982. 

  1982. 

  1983.     if (curve != NULL) {
    1984. 

  1984.         numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
    1985. 

  1985. 	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
    1986. 

  1986. 	     i++) {
    1987. 

  1987. 	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
    1988. 

  1988. 	        curveOidTag = nameTagPair[i].curveOidTag;
    1989. 

  1989. 	}
    1990. 

  1990.     }
    1991. 

  1991. 

  1992.     /* Return NULL if curve name is not recognized */
    1993. 

  1993.     if ((curveOidTag == SEC_OID_UNKNOWN) || 
    1994. 

  1994. 	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
    1995. 

  1995.         fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
    1996. 

  1996. 	return NULL;
    1997. 

  1997.     }
    1998. 

  1998. 

  1999.     ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
    2000. 

  2000. 

  2001.     /* 
    2002. 

  2002.      * ecparams->data needs to contain the ASN encoding of an object ID (OID)
    2003. 

  2003.      * representing the named curve. The actual OID is in 
    2004. 

  2004.      * oidData->oid.data so we simply prepend 0x06 and OID length
    2005. 

  2005.      */
    2006. 

  2006.     ecparams->data[0] = SEC_ASN1_OBJECT_ID;
    2007. 

  2007.     ecparams->data[1] = oidData->oid.len;
    2008. 

  2008.     memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
    2009. 

  2009. 

  2010.     return ecparams;
    2011. 

  2011. }
    2012. 

  2012. 

  2013. /*
    2014. 

  2014.  * Perform the ECDSA Key Pair Generation Test.
    2015. 

  2015.  *
    2016. 

  2016.  * reqfn is the pathname of the REQUEST file.
    2017. 

  2017.  *
    2018. 

  2018.  * The output RESPONSE file is written to stdout.
    2019. 

  2019.  */
    2020. 

  2020. void
    2021. 

  2021. ecdsa_keypair_test(char *reqfn)
    2022. 

  2022. {
    2023. 

  2023.     char buf[256];      /* holds one line from the input REQUEST file
    2024. 

  2024.                          * or to the output RESPONSE file.
    2025. 

  2025.                          * needs to be large enough to hold the longest
    2026. 

  2026.                          * line "Qx = <144 hex digits>\n".
    2027. 

  2027.                          */
    2028. 

  2028.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2029. 

  2029.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2030. 

  2030.     char curve[16];     /* "nistxddd" */
    2031. 

  2031.     ECParams *ecparams;
    2032. 

  2032.     int N;
    2033. 

  2033.     int i;
    2034. 

  2034.     unsigned int len;
    2035. 

  2035. 

  2036.     ecdsareq = fopen(reqfn, "r");
    2037. 

  2037.     ecdsaresp = stdout;
    2038. 

  2038.     strcpy(curve, "nist");
    2039. 

  2039.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2040. 

  2040. 	/* a comment or blank line */
    2041. 

  2041. 	if (buf[0] == '#' || buf[0] == '\n') {
    2042. 

  2042. 	    fputs(buf, ecdsaresp);
    2043. 

  2043. 	    continue;
    2044. 

  2044. 	}
    2045. 

  2045. 	/* [X-ddd] */
    2046. 

  2046. 	if (buf[0] == '[') {
    2047. 

  2047. 	    const char *src;
    2048. 

  2048. 	    char *dst;
    2049. 

  2049. 	    SECItem *encodedparams;
    2050. 

  2050. 

  2051. 	    src = &buf[1];
    2052. 

  2052. 	    dst = &curve[4];
    2053. 

  2053. 	    *dst++ = tolower(*src);
    2054. 

  2054. 	    src += 2;  /* skip the hyphen */
    2055. 

  2055. 	    *dst++ = *src++;
    2056. 

  2056. 	    *dst++ = *src++;
    2057. 

  2057. 	    *dst++ = *src++;
    2058. 

  2058. 	    *dst = '\0';
    2059. 

  2059. 	    encodedparams = getECParams(curve);
    2060. 

  2060. 	    if (encodedparams == NULL) {
    2061. 

  2061. 		goto loser;
    2062. 

  2062. 	    }
    2063. 

  2063. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2064. 

  2064. 		goto loser;
    2065. 

  2065. 	    }
    2066. 

  2066. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2067. 

  2067. 	    fputs(buf, ecdsaresp);
    2068. 

  2068. 	    continue;
    2069. 

  2069. 	}
    2070. 

  2070. 	/* N = x */
    2071. 

  2071. 	if (buf[0] == 'N') {
    2072. 

  2072. 	    if (sscanf(buf, "N = %d", &N) != 1) {
    2073. 

  2073. 		goto loser;
    2074. 

  2074. 	    }
    2075. 

  2075. 	    for (i = 0; i < N; i++) {
    2076. 

  2076. 		ECPrivateKey *ecpriv;
    2077. 

  2077. 

  2078. 		if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
    2079. 

  2079. 		    goto loser;
    2080. 

  2080. 		}
    2081. 

  2081. 		fputs("d = ", ecdsaresp);
    2082. 

  2082. 		to_hex_str(buf, ecpriv->privateValue.data,
    2083. 

  2083. 			   ecpriv->privateValue.len);
    2084. 

  2084. 		fputs(buf, ecdsaresp);
    2085. 

  2085. 		fputc('\n', ecdsaresp);
    2086. 

  2086. 		if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
    2087. 

  2087. 		    != SECSuccess) {
    2088. 

  2088. 		    goto loser;
    2089. 

  2089. 		}
    2090. 

  2090. 		len = ecpriv->publicValue.len;
    2091. 

  2091. 		if (len%2 == 0) {
    2092. 

  2092. 		    goto loser;
    2093. 

  2093. 		}
    2094. 

  2094. 		len = (len-1)/2;
    2095. 

  2095. 		if (ecpriv->publicValue.data[0]
    2096. 

  2096. 		    != EC_POINT_FORM_UNCOMPRESSED) {
    2097. 

  2097. 		    goto loser;
    2098. 

  2098. 		}
    2099. 

  2099. 		fputs("Qx = ", ecdsaresp);
    2100. 

  2100. 		to_hex_str(buf, &ecpriv->publicValue.data[1], len);
    2101. 

  2101. 		fputs(buf, ecdsaresp);
    2102. 

  2102. 		fputc('\n', ecdsaresp);
    2103. 

  2103. 		fputs("Qy = ", ecdsaresp);
    2104. 

  2104. 		to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
    2105. 

  2105. 		fputs(buf, ecdsaresp);
    2106. 

  2106. 		fputc('\n', ecdsaresp);
    2107. 

  2107. 		fputc('\n', ecdsaresp);
    2108. 

  2108. 		PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
    2109. 

  2109. 	    }
    2110. 

  2110. 	    PORT_FreeArena(ecparams->arena, PR_FALSE);
    2111. 

  2111. 	    continue;
    2112. 

  2112. 	}
    2113. 

  2113.     }
    2114. 

  2114. loser:
    2115. 

  2115.     fclose(ecdsareq);
    2116. 

  2116. }
    2117. 

  2117. 

  2118. /*
    2119. 

  2119.  * Perform the ECDSA Public Key Validation Test.
    2120. 

  2120.  *
    2121. 

  2121.  * reqfn is the pathname of the REQUEST file.
    2122. 

  2122.  *
    2123. 

  2123.  * The output RESPONSE file is written to stdout.
    2124. 

  2124.  */
    2125. 

  2125. void
    2126. 

  2126. ecdsa_pkv_test(char *reqfn)
    2127. 

  2127. {
    2128. 

  2128.     char buf[256];      /* holds one line from the input REQUEST file.
    2129. 

  2129.                          * needs to be large enough to hold the longest
    2130. 

  2130.                          * line "Qx = <144 hex digits>\n".
    2131. 

  2131.                          */
    2132. 

  2132.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2133. 

  2133.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2134. 

  2134.     char curve[16];     /* "nistxddd" */
    2135. 

  2135.     ECParams *ecparams = NULL;
    2136. 

  2136.     SECItem pubkey;
    2137. 

  2137.     unsigned int i;
    2138. 

  2138.     unsigned int len;
    2139. 

  2139.     PRBool keyvalid = PR_TRUE;
    2140. 

  2140. 

  2141.     ecdsareq = fopen(reqfn, "r");
    2142. 

  2142.     ecdsaresp = stdout;
    2143. 

  2143.     strcpy(curve, "nist");
    2144. 

  2144.     pubkey.data = NULL;
    2145. 

  2145.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2146. 

  2146. 	/* a comment or blank line */
    2147. 

  2147. 	if (buf[0] == '#' || buf[0] == '\n') {
    2148. 

  2148. 	    fputs(buf, ecdsaresp);
    2149. 

  2149. 	    continue;
    2150. 

  2150. 	}
    2151. 

  2151. 	/* [X-ddd] */
    2152. 

  2152. 	if (buf[0] == '[') {
    2153. 

  2153. 	    const char *src;
    2154. 

  2154. 	    char *dst;
    2155. 

  2155. 	    SECItem *encodedparams;
    2156. 

  2156. 

  2157. 	    src = &buf[1];
    2158. 

  2158. 	    dst = &curve[4];
    2159. 

  2159. 	    *dst++ = tolower(*src);
    2160. 

  2160. 	    src += 2;  /* skip the hyphen */
    2161. 

  2161. 	    *dst++ = *src++;
    2162. 

  2162. 	    *dst++ = *src++;
    2163. 

  2163. 	    *dst++ = *src++;
    2164. 

  2164. 	    *dst = '\0';
    2165. 

  2165. 	    if (ecparams != NULL) {
    2166. 

  2166. 		PORT_FreeArena(ecparams->arena, PR_FALSE);
    2167. 

  2167. 		ecparams = NULL;
    2168. 

  2168. 	    }
    2169. 

  2169. 	    encodedparams = getECParams(curve);
    2170. 

  2170. 	    if (encodedparams == NULL) {
    2171. 

  2171. 		goto loser;
    2172. 

  2172. 	    }
    2173. 

  2173. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2174. 

  2174. 		goto loser;
    2175. 

  2175. 	    }
    2176. 

  2176. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2177. 

  2177. 	    len = (ecparams->fieldID.size + 7) >> 3;
    2178. 

  2178. 	    if (pubkey.data != NULL) {
    2179. 

  2179. 		PORT_Free(pubkey.data);
    2180. 

  2180. 		pubkey.data = NULL;
    2181. 

  2181. 	    }
    2182. 

  2182. 	    SECITEM_AllocItem(NULL, &pubkey, 2*len+1);
    2183. 

  2183. 	    if (pubkey.data == NULL) {
    2184. 

  2184. 		goto loser;
    2185. 

  2185. 	    }
    2186. 

  2186. 	    pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
    2187. 

  2187. 	    fputs(buf, ecdsaresp);
    2188. 

  2188. 	    continue;
    2189. 

  2189. 	}
    2190. 

  2190. 	/* Qx = ... */
    2191. 

  2191. 	if (strncmp(buf, "Qx", 2) == 0) {
    2192. 

  2192. 	    fputs(buf, ecdsaresp);
    2193. 

  2193. 	    i = 2;
    2194. 

  2194. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2195. 

  2195. 		i++;
    2196. 

  2196. 	    }
    2197. 

  2197. 	    keyvalid = from_hex_str(&pubkey.data[1], len, &buf[i]);
    2198. 

  2198. 	    continue;
    2199. 

  2199. 	}
    2200. 

  2200. 	/* Qy = ... */
    2201. 

  2201. 	if (strncmp(buf, "Qy", 2) == 0) {
    2202. 

  2202. 	    fputs(buf, ecdsaresp);
    2203. 

  2203. 	    if (!keyvalid) {
    2204. 

  2204. 		fputs("Result = F\n", ecdsaresp);
    2205. 

  2205. 		continue;
    2206. 

  2206. 	    }
    2207. 

  2207. 	    i = 2;
    2208. 

  2208. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2209. 

  2209. 		i++;
    2210. 

  2210. 	    }
    2211. 

  2211. 	    keyvalid = from_hex_str(&pubkey.data[1+len], len, &buf[i]);
    2212. 

  2212. 	    if (!keyvalid) {
    2213. 

  2213. 		fputs("Result = F\n", ecdsaresp);
    2214. 

  2214. 		continue;
    2215. 

  2215. 	    }
    2216. 

  2216. 	    if (EC_ValidatePublicKey(ecparams, &pubkey) == SECSuccess) {
    2217. 

  2217. 		fputs("Result = P\n", ecdsaresp);
    2218. 

  2218. 	    } else if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
    2219. 

  2219. 		fputs("Result = F\n", ecdsaresp);
    2220. 

  2220. 	    } else {
    2221. 

  2221. 		goto loser;
    2222. 

  2222. 	    }
    2223. 

  2223. 	    continue;
    2224. 

  2224. 	}
    2225. 

  2225.     }
    2226. 

  2226. loser:
    2227. 

  2227.     if (ecparams != NULL) {
    2228. 

  2228. 	PORT_FreeArena(ecparams->arena, PR_FALSE);
    2229. 

  2229.     }
    2230. 

  2230.     if (pubkey.data != NULL) {
    2231. 

  2231. 	PORT_Free(pubkey.data);
    2232. 

  2232.     }
    2233. 

  2233.     fclose(ecdsareq);
    2234. 

  2234. }
    2235. 

  2235. 

  2236. /*
    2237. 

  2237.  * Perform the ECDSA Signature Generation Test.
    2238. 

  2238.  *
    2239. 

  2239.  * reqfn is the pathname of the REQUEST file.
    2240. 

  2240.  *
    2241. 

  2241.  * The output RESPONSE file is written to stdout.
    2242. 

  2242.  */
    2243. 

  2243. void
    2244. 

  2244. ecdsa_siggen_test(char *reqfn)
    2245. 

  2245. {
    2246. 

  2246.     char buf[1024];     /* holds one line from the input REQUEST file
    2247. 

  2247.                          * or to the output RESPONSE file.
    2248. 

  2248.                          * needs to be large enough to hold the longest
    2249. 

  2249.                          * line "Msg = <256 hex digits>\n".
    2250. 

  2250.                          */
    2251. 

  2251.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2252. 

  2252.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2253. 

  2253.     char curve[16];     /* "nistxddd" */
    2254. 

  2254.     ECParams *ecparams = NULL;
    2255. 

  2255.     int i, j;
    2256. 

  2256.     unsigned int len;
    2257. 

  2257.     unsigned char msg[512];  /* message to be signed (<= 128 bytes) */
    2258. 

  2258.     unsigned int msglen;
    2259. 

  2259.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    2260. 

  2260.     unsigned char sig[2*MAX_ECKEY_LEN];
    2261. 

  2261.     SECItem signature, digest;
    2262. 

  2262. 

  2263.     ecdsareq = fopen(reqfn, "r");
    2264. 

  2264.     ecdsaresp = stdout;
    2265. 

  2265.     strcpy(curve, "nist");
    2266. 

  2266.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2267. 

  2267. 	/* a comment or blank line */
    2268. 

  2268. 	if (buf[0] == '#' || buf[0] == '\n') {
    2269. 

  2269. 	    fputs(buf, ecdsaresp);
    2270. 

  2270. 	    continue;
    2271. 

  2271. 	}
    2272. 

  2272. 	/* [X-ddd] */
    2273. 

  2273. 	if (buf[0] == '[') {
    2274. 

  2274. 	    const char *src;
    2275. 

  2275. 	    char *dst;
    2276. 

  2276. 	    SECItem *encodedparams;
    2277. 

  2277. 

  2278. 	    src = &buf[1];
    2279. 

  2279. 	    dst = &curve[4];
    2280. 

  2280. 	    *dst++ = tolower(*src);
    2281. 

  2281. 	    src += 2;  /* skip the hyphen */
    2282. 

  2282. 	    *dst++ = *src++;
    2283. 

  2283. 	    *dst++ = *src++;
    2284. 

  2284. 	    *dst++ = *src++;
    2285. 

  2285. 	    *dst = '\0';
    2286. 

  2286. 	    if (ecparams != NULL) {
    2287. 

  2287. 		PORT_FreeArena(ecparams->arena, PR_FALSE);
    2288. 

  2288. 		ecparams = NULL;
    2289. 

  2289. 	    }
    2290. 

  2290. 	    encodedparams = getECParams(curve);
    2291. 

  2291. 	    if (encodedparams == NULL) {
    2292. 

  2292. 		goto loser;
    2293. 

  2293. 	    }
    2294. 

  2294. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2295. 

  2295. 		goto loser;
    2296. 

  2296. 	    }
    2297. 

  2297. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2298. 

  2298. 	    fputs(buf, ecdsaresp);
    2299. 

  2299. 	    continue;
    2300. 

  2300. 	}
    2301. 

  2301. 	/* Msg = ... */
    2302. 

  2302. 	if (strncmp(buf, "Msg", 3) == 0) {
    2303. 

  2303. 	    ECPrivateKey *ecpriv;
    2304. 

  2304. 

  2305. 	    i = 3;
    2306. 

  2306. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2307. 

  2307. 		i++;
    2308. 

  2308. 	    }
    2309. 

  2309. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    2310. 

  2310. 		hex_to_byteval(&buf[i], &msg[j]);
    2311. 

  2311. 	    }
    2312. 

  2312. 	    msglen = j;
    2313. 

  2313. 	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
    2314. 

  2314. 		goto loser;
    2315. 

  2315. 	    }
    2316. 

  2316. 	    fputs(buf, ecdsaresp);
    2317. 

  2317. 

  2318. 	    if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
    2319. 

  2319. 		goto loser;
    2320. 

  2320. 	    }
    2321. 

  2321. 	    if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
    2322. 

  2322. 		!= SECSuccess) {
    2323. 

  2323. 		goto loser;
    2324. 

  2324. 	    }
    2325. 

  2325. 	    len = ecpriv->publicValue.len;
    2326. 

  2326. 	    if (len%2 == 0) {
    2327. 

  2327. 		goto loser;
    2328. 

  2328. 	    }
    2329. 

  2329. 	    len = (len-1)/2;
    2330. 

  2330. 	    if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
    2331. 

  2331. 		goto loser;
    2332. 

  2332. 	    }
    2333. 

  2333. 	    fputs("Qx = ", ecdsaresp);
    2334. 

  2334. 	    to_hex_str(buf, &ecpriv->publicValue.data[1], len);
    2335. 

  2335. 	    fputs(buf, ecdsaresp);
    2336. 

  2336. 	    fputc('\n', ecdsaresp);
    2337. 

  2337. 	    fputs("Qy = ", ecdsaresp);
    2338. 

  2338. 	    to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
    2339. 

  2339. 	    fputs(buf, ecdsaresp);
    2340. 

  2340. 	    fputc('\n', ecdsaresp);
    2341. 

  2341. 

  2342. 	    digest.type = siBuffer;
    2343. 

  2343. 	    digest.data = sha1;
    2344. 

  2344. 	    digest.len = sizeof sha1;
    2345. 

  2345. 	    signature.type = siBuffer;
    2346. 

  2346. 	    signature.data = sig;
    2347. 

  2347. 	    signature.len = sizeof sig;
    2348. 

  2348. 	    if (ECDSA_SignDigest(ecpriv, &signature, &digest) != SECSuccess) {
    2349. 

  2349. 		goto loser;
    2350. 

  2350. 	    }
    2351. 

  2351. 	    len = signature.len;
    2352. 

  2352. 	    if (len%2 != 0) {
    2353. 

  2353. 		goto loser;
    2354. 

  2354. 	    }
    2355. 

  2355. 	    len = len/2;
    2356. 

  2356. 	    fputs("R = ", ecdsaresp);
    2357. 

  2357. 	    to_hex_str(buf, &signature.data[0], len);
    2358. 

  2358. 	    fputs(buf, ecdsaresp);
    2359. 

  2359. 	    fputc('\n', ecdsaresp);
    2360. 

  2360. 	    fputs("S = ", ecdsaresp);
    2361. 

  2361. 	    to_hex_str(buf, &signature.data[len], len);
    2362. 

  2362. 	    fputs(buf, ecdsaresp);
    2363. 

  2363. 	    fputc('\n', ecdsaresp);
    2364. 

  2364. 

  2365. 	    PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
    2366. 

  2366. 	    continue;
    2367. 

  2367. 	}
    2368. 

  2368.     }
    2369. 

  2369. loser:
    2370. 

  2370.     if (ecparams != NULL) {
    2371. 

  2371. 	PORT_FreeArena(ecparams->arena, PR_FALSE);
    2372. 

  2372.     }
    2373. 

  2373.     fclose(ecdsareq);
    2374. 

  2374. }
    2375. 

  2375. 

  2376. /*
    2377. 

  2377.  * Perform the ECDSA Signature Verification Test.
    2378. 

  2378.  *
    2379. 

  2379.  * reqfn is the pathname of the REQUEST file.
    2380. 

  2380.  *
    2381. 

  2381.  * The output RESPONSE file is written to stdout.
    2382. 

  2382.  */
    2383. 

  2383. void
    2384. 

  2384. ecdsa_sigver_test(char *reqfn)
    2385. 

  2385. {
    2386. 

  2386.     char buf[1024];     /* holds one line from the input REQUEST file.
    2387. 

  2387.                          * needs to be large enough to hold the longest
    2388. 

  2388.                          * line "Msg = <256 hex digits>\n".
    2389. 

  2389.                          */
    2390. 

  2390.     FILE *ecdsareq;     /* input stream from the REQUEST file */
    2391. 

  2391.     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
    2392. 

  2392.     char curve[16];     /* "nistxddd" */
    2393. 

  2393.     ECPublicKey ecpub;
    2394. 

  2394.     unsigned int i, j;
    2395. 

  2395.     unsigned int flen;  /* length in bytes of the field size */
    2396. 

  2396.     unsigned int olen;  /* length in bytes of the base point order */
    2397. 

  2397.     unsigned char msg[512];  /* message that was signed (<= 128 bytes) */
    2398. 

  2398.     unsigned int msglen;
    2399. 

  2399.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    2400. 

  2400.     unsigned char sig[2*MAX_ECKEY_LEN];
    2401. 

  2401.     SECItem signature, digest;
    2402. 

  2402.     PRBool keyvalid = PR_TRUE;
    2403. 

  2403.     PRBool sigvalid = PR_TRUE;
    2404. 

  2404. 

  2405.     ecdsareq = fopen(reqfn, "r");
    2406. 

  2406.     ecdsaresp = stdout;
    2407. 

  2407.     ecpub.ecParams.arena = NULL;
    2408. 

  2408.     strcpy(curve, "nist");
    2409. 

  2409.     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
    2410. 

  2410. 	/* a comment or blank line */
    2411. 

  2411. 	if (buf[0] == '#' || buf[0] == '\n') {
    2412. 

  2412. 	    fputs(buf, ecdsaresp);
    2413. 

  2413. 	    continue;
    2414. 

  2414. 	}
    2415. 

  2415. 	/* [X-ddd] */
    2416. 

  2416. 	if (buf[0] == '[') {
    2417. 

  2417. 	    const char *src;
    2418. 

  2418. 	    char *dst;
    2419. 

  2419. 	    SECItem *encodedparams;
    2420. 

  2420. 	    ECParams *ecparams;
    2421. 

  2421. 

  2422. 	    src = &buf[1];
    2423. 

  2423. 	    dst = &curve[4];
    2424. 

  2424. 	    *dst++ = tolower(*src);
    2425. 

  2425. 	    src += 2;  /* skip the hyphen */
    2426. 

  2426. 	    *dst++ = *src++;
    2427. 

  2427. 	    *dst++ = *src++;
    2428. 

  2428. 	    *dst++ = *src++;
    2429. 

  2429. 	    *dst = '\0';
    2430. 

  2430. 	    encodedparams = getECParams(curve);
    2431. 

  2431. 	    if (encodedparams == NULL) {
    2432. 

  2432. 		goto loser;
    2433. 

  2433. 	    }
    2434. 

  2434. 	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
    2435. 

  2435. 		goto loser;
    2436. 

  2436. 	    }
    2437. 

  2437. 	    SECITEM_FreeItem(encodedparams, PR_TRUE);
    2438. 

  2438. 	    if (ecpub.ecParams.arena != NULL) {
    2439. 

  2439. 		PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
    2440. 

  2440. 	    }
    2441. 

  2441. 	    ecpub.ecParams.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    2442. 

  2442. 	    if (ecpub.ecParams.arena == NULL) {
    2443. 

  2443. 		goto loser;
    2444. 

  2444. 	    }
    2445. 

  2445. 	    if (EC_CopyParams(ecpub.ecParams.arena, &ecpub.ecParams, ecparams)
    2446. 

  2446. 		!= SECSuccess) {
    2447. 

  2447. 		goto loser;
    2448. 

  2448. 	    }
    2449. 

  2449. 	    PORT_FreeArena(ecparams->arena, PR_FALSE);
    2450. 

  2450. 	    flen = (ecpub.ecParams.fieldID.size + 7) >> 3;
    2451. 

  2451. 	    olen = ecpub.ecParams.order.len;
    2452. 

  2452. 	    if (2*olen > sizeof sig) {
    2453. 

  2453. 		goto loser;
    2454. 

  2454. 	    }
    2455. 

  2455. 	    ecpub.publicValue.type = siBuffer;
    2456. 

  2456. 	    ecpub.publicValue.data = NULL;
    2457. 

  2457. 	    ecpub.publicValue.len = 0;
    2458. 

  2458. 	    SECITEM_AllocItem(ecpub.ecParams.arena,
    2459. 

  2459. 			      &ecpub.publicValue, 2*flen+1);
    2460. 

  2460. 	    if (ecpub.publicValue.data == NULL) {
    2461. 

  2461. 		goto loser;
    2462. 

  2462. 	    }
    2463. 

  2463. 	    ecpub.publicValue.data[0] = EC_POINT_FORM_UNCOMPRESSED;
    2464. 

  2464. 	    fputs(buf, ecdsaresp);
    2465. 

  2465. 	    continue;
    2466. 

  2466. 	}
    2467. 

  2467. 	/* Msg = ... */
    2468. 

  2468. 	if (strncmp(buf, "Msg", 3) == 0) {
    2469. 

  2469. 	    i = 3;
    2470. 

  2470. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2471. 

  2471. 		i++;
    2472. 

  2472. 	    }
    2473. 

  2473. 	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
    2474. 

  2474. 		hex_to_byteval(&buf[i], &msg[j]);
    2475. 

  2475. 	    }
    2476. 

  2476. 	    msglen = j;
    2477. 

  2477. 	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
    2478. 

  2478. 		goto loser;
    2479. 

  2479. 	    }
    2480. 

  2480. 	    fputs(buf, ecdsaresp);
    2481. 

  2481. 

  2482. 	    digest.type = siBuffer;
    2483. 

  2483. 	    digest.data = sha1;
    2484. 

  2484. 	    digest.len = sizeof sha1;
    2485. 

  2485. 

  2486. 	    continue;
    2487. 

  2487. 	}
    2488. 

  2488. 	/* Qx = ... */
    2489. 

  2489. 	if (strncmp(buf, "Qx", 2) == 0) {
    2490. 

  2490. 	    fputs(buf, ecdsaresp);
    2491. 

  2491. 	    i = 2;
    2492. 

  2492. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2493. 

  2493. 		i++;
    2494. 

  2494. 	    }
    2495. 

  2495. 	    keyvalid = from_hex_str(&ecpub.publicValue.data[1], flen,
    2496. 

  2496. 				    &buf[i]);
    2497. 

  2497. 	    continue;
    2498. 

  2498. 	}
    2499. 

  2499. 	/* Qy = ... */
    2500. 

  2500. 	if (strncmp(buf, "Qy", 2) == 0) {
    2501. 

  2501. 	    fputs(buf, ecdsaresp);
    2502. 

  2502. 	    if (!keyvalid) {
    2503. 

  2503. 		continue;
    2504. 

  2504. 	    }
    2505. 

  2505. 	    i = 2;
    2506. 

  2506. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2507. 

  2507. 		i++;
    2508. 

  2508. 	    }
    2509. 

  2509. 	    keyvalid = from_hex_str(&ecpub.publicValue.data[1+flen], flen,
    2510. 

  2510. 				    &buf[i]);
    2511. 

  2511. 	    if (!keyvalid) {
    2512. 

  2512. 		continue;
    2513. 

  2513. 	    }
    2514. 

  2514. 	    if (EC_ValidatePublicKey(&ecpub.ecParams, &ecpub.publicValue)
    2515. 

  2515. 		!= SECSuccess) {
    2516. 

  2516. 		if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
    2517. 

  2517. 		    keyvalid = PR_FALSE;
    2518. 

  2518. 		} else {
    2519. 

  2519. 		    goto loser;
    2520. 

  2520. 		}
    2521. 

  2521. 	    }
    2522. 

  2522. 	    continue;
    2523. 

  2523. 	}
    2524. 

  2524. 	/* R = ... */
    2525. 

  2525. 	if (buf[0] == 'R') {
    2526. 

  2526. 	    fputs(buf, ecdsaresp);
    2527. 

  2527. 	    i = 1;
    2528. 

  2528. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2529. 

  2529. 		i++;
    2530. 

  2530. 	    }
    2531. 

  2531. 	    sigvalid = from_hex_str(sig, olen, &buf[i]);
    2532. 

  2532. 	    continue;
    2533. 

  2533. 	}
    2534. 

  2534. 	/* S = ... */
    2535. 

  2535. 	if (buf[0] == 'S') {
    2536. 

  2536. 	    fputs(buf, ecdsaresp);
    2537. 

  2537. 	    i = 1;
    2538. 

  2538. 	    while (isspace(buf[i]) || buf[i] == '=') {
    2539. 

  2539. 		i++;
    2540. 

  2540. 	    }
    2541. 

  2541. 	    if (sigvalid) {
    2542. 

  2542. 		sigvalid = from_hex_str(&sig[olen], olen, &buf[i]);
    2543. 

  2543. 	    }
    2544. 

  2544. 	    signature.type = siBuffer;
    2545. 

  2545. 	    signature.data = sig;
    2546. 

  2546. 	    signature.len = 2*olen;
    2547. 

  2547. 

  2548. 	    if (!keyvalid || !sigvalid) {
    2549. 

  2549. 		fputs("Result = F\n", ecdsaresp);
    2550. 

  2550. 	    } else if (ECDSA_VerifyDigest(&ecpub, &signature, &digest)
    2551. 

  2551. 		== SECSuccess) {
    2552. 

  2552. 		fputs("Result = P\n", ecdsaresp);
    2553. 

  2553. 	    } else {
    2554. 

  2554. 		fputs("Result = F\n", ecdsaresp);
    2555. 

  2555. 	    }
    2556. 

  2556. 	    continue;
    2557. 

  2557. 	}
    2558. 

  2558.     }
    2559. 

  2559. loser:
    2560. 

  2560.     if (ecpub.ecParams.arena != NULL) {
    2561. 

  2561. 	PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
    2562. 

  2562.     }
    2563. 

  2563.     fclose(ecdsareq);
    2564. 

  2564. }
    2565. 

  2565. #endif /* NSS_ENABLE_ECC */
    2566. 

  2566. 

  2567. 

  2568. /*
    2569. 

  2569.  * Read a value from the test and allocate the result.
    2570. 

  2570.  */
    2571. 

  2571. static unsigned char *
    2572. 

  2572. alloc_value(char *buf, int *len)
    2573. 

  2573. {
    2574. 

  2574.     unsigned char * value;
    2575. 

  2575.     int i, count;
    2576. 

  2576. 

  2577.     if (strncmp(buf, "<None>", 6) == 0) {
    2578. 

  2578. 	*len = 0;
    2579. 

  2579. 	return NULL;
    2580. 

  2580.     }
    2581. 

  2581. 

  2582.     /* find the length of the number */
    2583. 

  2583.     for (count = 0; isxdigit(buf[count]); count++);
    2584. 

  2584.     *len = count/2;
    2585. 

  2585. 

  2586.     if (*len == 0) {
    2587. 

  2587. 	return NULL;
    2588. 

  2588.     }
    2589. 

  2589. 

  2590.     value = PORT_Alloc(*len);
    2591. 

  2591.     if (!value) {
    2592. 

  2592. 	*len = 0;
    2593. 

  2593. 	return NULL;
    2594. 

  2594.     }
    2595. 

  2595. 	
    2596. 

  2596.     for (i=0; i<*len; buf+=2 , i++) {
    2597. 

  2597. 	hex_to_byteval(buf, &value[i]);
    2598. 

  2598.     }
    2599. 

  2599.     
    2600. 

  2600. 

  2601.     return value;
    2602. 

  2602. }
    2603. 

  2603. 

  2604. PRBool
    2605. 

  2605. isblankline(char *b)
    2606. 

  2606. {
    2607. 

  2607.    while (isspace(*b)) b++;
    2608. 

  2608.    if ((*b == '\n') || (*b == 0)) {
    2609. 

  2609. 	return PR_TRUE;
    2610. 

  2610.    }
    2611. 

  2611.    return PR_FALSE;
    2612. 

  2612. }
    2613. 

  2613. 

  2614. static int debug = 0;
    2615. 

  2615. 

  2616. /*
    2617. 

  2617.  * Perform the Hash_DRBG (CAVS) for the RNG algorithm
    2618. 

  2618.  *
    2619. 

  2619.  * reqfn is the pathname of the REQUEST file.
    2620. 

  2620.  *
    2621. 

  2621.  * The output RESPONSE file is written to stdout.
    2622. 

  2622.  */
    2623. 

  2623. void
    2624. 

  2624. drbg(char *reqfn)
    2625. 

  2625. {
    2626. 

  2626.     char buf[2000];   /* test case has some very long lines, returned bits
    2627. 

  2627.      * as high as 800 bytes (6400 bits). That 1600 byte
    2628. 

  2628.      * plus a tag */
    2629. 

  2629.     char buf2[2000]; 
    2630. 

  2630.     FILE *rngreq;       /* input stream from the REQUEST file */
    2631. 

  2631.     FILE *rngresp;      /* output stream to the RESPONSE file */
    2632. 

  2632.     
    2633. 

  2633.     unsigned int i, j;
    2634. 

  2634.     PRBool predictionResistance = PR_FALSE;
    2635. 

  2635.     unsigned char *nonce =  NULL;
    2636. 

  2636.     int nonceLen = 0;
    2637. 

  2637.     unsigned char *personalizationString =  NULL;
    2638. 

  2638.     int personalizationStringLen = 0;
    2639. 

  2639.     unsigned char *additionalInput =  NULL;
    2640. 

  2640.     int additionalInputLen = 0;
    2641. 

  2641.     unsigned char *entropyInput = NULL;
    2642. 

  2642.     int entropyInputLen = 0;
    2643. 

  2643.     unsigned char predictedreturn_bytes[SHA256_LENGTH];
    2644. 

  2644.     unsigned char return_bytes[SHA256_LENGTH];
    2645. 

  2645.     int return_bytes_len = SHA256_LENGTH;
    2646. 

  2646.     enum { NONE, INSTANTIATE, GENERATE, RESEED, RESULT } command =
    2647. 

  2647.     NONE;
    2648. 

  2648.     PRBool genResult = PR_FALSE;
    2649. 

  2649.     SECStatus rv;
    2650. 

  2650.     
    2651. 

  2651.     rngreq = fopen(reqfn, "r");
    2652. 

  2652.     rngresp = stdout;
    2653. 

  2653.     while (fgets(buf, sizeof buf, rngreq) != NULL) {
    2654. 

  2654.        switch (command) {
    2655. 

  2655.             case INSTANTIATE:
    2656. 

  2656. 		if (debug) {
    2657. 

  2657. 		    fputs("# PRNGTEST_Instantiate(",rngresp);
    2658. 

  2658. 		    to_hex_str(buf2,entropyInput, entropyInputLen);
    2659. 

  2659. 		    fputs(buf2,rngresp);
    2660. 

  2660. 		    fprintf(rngresp,",%d,",entropyInputLen);
    2661. 

  2661. 		    to_hex_str(buf2,nonce, nonceLen);
    2662. 

  2662. 		    fputs(buf2,rngresp);
    2663. 

  2663. 		    fprintf(rngresp,",%d,",nonceLen);
    2664. 

  2664. 		    to_hex_str(buf2,personalizationString, 
    2665. 

  2665. 					personalizationStringLen);
    2666. 

  2666. 		    fputs(buf2,rngresp);
    2667. 

  2667. 		    fprintf(rngresp,",%d)\n", personalizationStringLen);
    2668. 

  2668. 		}
    2669. 

  2669.                 rv = PRNGTEST_Instantiate(entropyInput, entropyInputLen,
    2670. 

  2670.                                           nonce, nonceLen,
    2671. 

  2671.                                           personalizationString, 
    2672. 

  2672. 				          personalizationStringLen);
    2673. 

  2673.                 if (rv != SECSuccess) {
    2674. 

  2674.                     goto loser;
    2675. 

  2675.                 }
    2676. 

  2676.                 break;
    2677. 

  2677.                     
    2678. 

  2678.             case GENERATE:
    2679. 

  2679.             case RESULT:
    2680. 

  2680.                 memset(return_bytes, 0, return_bytes_len);
    2681. 

  2681. 		if (debug) {
    2682. 

  2682. 		    fputs("# PRNGTEST_Generate(returnbytes",rngresp);
    2683. 

  2683. 		    fprintf(rngresp,",%d,", return_bytes_len);
    2684. 

  2684. 		    to_hex_str(buf2,additionalInput, additionalInputLen);
    2685. 

  2685. 		    fputs(buf2,rngresp);
    2686. 

  2686. 		    fprintf(rngresp,",%d)\n",additionalInputLen);
    2687. 

  2687. 		}
    2688. 

  2688.                 rv = PRNGTEST_Generate((PRUint8 *) return_bytes, 
    2689. 

  2689. 					return_bytes_len,
    2690. 

  2690.                                        (PRUint8 *) additionalInput, 
    2691. 

  2691. 					additionalInputLen);
    2692. 

  2692.                 if (rv != SECSuccess) {
    2693. 

  2693.                     goto loser;
    2694. 

  2694.                 }
    2695. 

  2695.                     
    2696. 

  2696.                 if (command == RESULT) {
    2697. 

  2697.                     fputs("ReturnedBits = ", rngresp);
    2698. 

  2698.                     to_hex_str(buf2, return_bytes, return_bytes_len);
    2699. 

  2699.                     fputs(buf2, rngresp);
    2700. 

  2700.                     fputc('\n', rngresp);
    2701. 

  2701. 		    if (debug) {
    2702. 

  2702. 			fputs("# PRNGTEST_Uninstantiate()\n",rngresp);
    2703. 

  2703. 		    }
    2704. 

  2704.                     rv = PRNGTEST_Uninstantiate();
    2705. 

  2705.                     if (rv != SECSuccess) {
    2706. 

  2706.                         goto loser;
    2707. 

  2707.                     }
    2708. 

  2708.                 } else if (debug) {
    2709. 

  2709.                     fputs("#ReturnedBits = ", rngresp);
    2710. 

  2710.                     to_hex_str(buf2, return_bytes, return_bytes_len);
    2711. 

  2711.                     fputs(buf2, rngresp);
    2712. 

  2712.                     fputc('\n', rngresp);
    2713. 

  2713. 		}
    2714. 

  2714.                     
    2715. 

  2715.                 memset(additionalInput, 0, additionalInputLen);
    2716. 

  2716.                 break;
    2717. 

  2717.                     
    2718. 

  2718.             case RESEED:
    2719. 

  2719.                 if (entropyInput || additionalInput) {
    2720. 

  2720. 		    if (debug) {
    2721. 

  2721. 			fputs("# PRNGTEST_Reseed(",rngresp);
    2722. 

  2722. 			fprintf(rngresp,",%d,", return_bytes_len);
    2723. 

  2723. 			to_hex_str(buf2,entropyInput, entropyInputLen);
    2724. 

  2724. 			fputs(buf2,rngresp);
    2725. 

  2725. 			fprintf(rngresp,",%d,", entropyInputLen);
    2726. 

  2726. 			to_hex_str(buf2,additionalInput, additionalInputLen);
    2727. 

  2727. 			fputs(buf2,rngresp);
    2728. 

  2728. 			fprintf(rngresp,",%d)\n",additionalInputLen);
    2729. 

  2729. 		    }	
    2730. 

  2730.                     rv = PRNGTEST_Reseed(entropyInput, entropyInputLen,
    2731. 

  2731.                                              additionalInput, additionalInputLen);
    2732. 

  2732.                     if (rv != SECSuccess) {
    2733. 

  2733.                         goto loser;
    2734. 

  2734.                     }
    2735. 

  2735.                 }
    2736. 

  2736.                 memset(entropyInput, 0, entropyInputLen);
    2737. 

  2737.                 memset(additionalInput, 0, additionalInputLen);
    2738. 

  2738.                 break;
    2739. 

  2739.             case NONE:
    2740. 

  2740.                 break;
    2741. 

  2741.                     
    2742. 

  2742.         } 
    2743. 

  2743.         command = NONE;
    2744. 

  2744.         
    2745. 

  2745.         /* a comment or blank line */
    2746. 

  2746.         if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r' ) {
    2747. 

  2747.             fputs(buf, rngresp);
    2748. 

  2748.             continue;
    2749. 

  2749.         }
    2750. 

  2750.         
    2751. 

  2751.         /* [Hash - SHA256] */
    2752. 

  2752.         if (strncmp(buf, "[SHA-256]", 9) == 0) {
    2753. 

  2753.             fputs(buf, rngresp);
    2754. 

  2754.             continue;
    2755. 

  2755.         }
    2756. 

  2756.         
    2757. 

  2757.         if (strncmp(buf, "[PredictionResistance", 21)  == 0) {
    2758. 

  2758.             i = 21;
    2759. 

  2759.             while (isspace(buf[i]) || buf[i] == '=') {
    2760. 

  2760.                 i++;
    2761. 

  2761.             }    
    2762. 

  2762.             if (strncmp(buf, "False", 5) == 0) {
    2763. 

  2763.                 predictionResistance = PR_FALSE;
    2764. 

  2764.             } else {
    2765. 

  2765.                 predictionResistance = PR_TRUE;
    2766. 

  2766.             }
    2767. 

  2767.             
    2768. 

  2768.             fputs(buf, rngresp);
    2769. 

  2769.             continue;
    2770. 

  2770.         }
    2771. 

  2771.         
    2772. 

  2772.         if (strncmp(buf, "[EntropyInputLen", 16)  == 0) {
    2773. 

  2773.             if (entropyInput) {
    2774. 

  2774.                 PORT_ZFree(entropyInput, entropyInputLen);
    2775. 

  2775.                 entropyInput = NULL;
    2776. 

  2776.                 entropyInputLen = 0;
    2777. 

  2777.             }
    2778. 

  2778.             if (sscanf(buf, "[EntropyInputLen = %d]", &entropyInputLen) != 1) {
    2779. 

  2779.                 goto loser;
    2780. 

  2780.             }
    2781. 

  2781. 	    entropyInputLen = entropyInputLen/8;
    2782. 

  2782.             if (entropyInputLen > 0) {
    2783. 

  2783.                 entropyInput = PORT_Alloc(entropyInputLen);
    2784. 

  2784.             }
    2785. 

  2785.             fputs(buf, rngresp);
    2786. 

  2786.             continue;
    2787. 

  2787.         }
    2788. 

  2788.         
    2789. 

  2789.         if (strncmp(buf, "[NonceLen", 9)  == 0) {
    2790. 

  2790.             if (nonce) {
    2791. 

  2791.                 PORT_ZFree(nonce, nonceLen);
    2792. 

  2792.                 nonce = NULL;
    2793. 

  2793.                 nonceLen = 0;
    2794. 

  2794.             }
    2795. 

  2795.             
    2796. 

  2796.             if (sscanf(buf, "[NonceLen = %d]", &nonceLen) != 1) {
    2797. 

  2797.                 goto loser;
    2798. 

  2798.             }
    2799. 

  2799. 	    nonceLen = nonceLen/8;
    2800. 

  2800.             if (nonceLen > 0) {
    2801. 

  2801.                 nonce = PORT_Alloc(nonceLen);
    2802. 

  2802.             }               
    2803. 

  2803.             fputs(buf, rngresp);
    2804. 

  2804.             continue;
    2805. 

  2805.         }
    2806. 

  2806.         
    2807. 

  2807.         if (strncmp(buf, "[PersonalizationStringLen", 16)  == 0) {
    2808. 

  2808.             if (personalizationString) {
    2809. 

  2809.                 PORT_ZFree(personalizationString, personalizationStringLen);
    2810. 

  2810.                 personalizationString = NULL;
    2811. 

  2811.                 personalizationStringLen = 0;
    2812. 

  2812.             }
    2813. 

  2813.             
    2814. 

  2814.             if (sscanf(buf, "[PersonalizationStringLen = %d]", &personalizationStringLen) != 1) {
    2815. 

  2815.                 goto loser;
    2816. 

  2816.             }
    2817. 

  2817. 	    personalizationStringLen = personalizationStringLen / 8;
    2818. 

  2818.             if (personalizationStringLen > 0) {
    2819. 

  2819.                 personalizationString = PORT_Alloc(personalizationStringLen);
    2820. 

  2820.             }
    2821. 

  2821.             fputs(buf, rngresp);
    2822. 

  2822.             
    2823. 

  2823.             continue;
    2824. 

  2824.         }
    2825. 

  2825.         
    2826. 

  2826.         if (strncmp(buf, "[AdditionalInputLen", 16)  == 0) {
    2827. 

  2827.             if (additionalInput) {
    2828. 

  2828.                 PORT_ZFree(additionalInput, additionalInputLen);
    2829. 

  2829.                 additionalInput = NULL;
    2830. 

  2830.                 additionalInputLen = 0;
    2831. 

  2831.             }
    2832. 

  2832.             
    2833. 

  2833.             if (sscanf(buf, "[AdditionalInputLen = %d]", &additionalInputLen) != 1) {
    2834. 

  2834.                 goto loser;
    2835. 

  2835.             }
    2836. 

  2836. 	    additionalInputLen = additionalInputLen/8;
    2837. 

  2837.             if (additionalInputLen > 0) {
    2838. 

  2838.                 additionalInput = PORT_Alloc(additionalInputLen);
    2839. 

  2839.             }
    2840. 

  2840.             fputs(buf, rngresp);
    2841. 

  2841.             continue;
    2842. 

  2842.         }
    2843. 

  2843.         
    2844. 

  2844.         if (strncmp(buf, "COUNT", 5) == 0) {
    2845. 

  2845.             /* zeroize the variables for the test with this data set */
    2846. 

  2846.             if (entropyInput) {
    2847. 

  2847.                 memset(entropyInput, 0, entropyInputLen);
    2848. 

  2848.             }
    2849. 

  2849.             if (nonce) {
    2850. 

  2850.                 memset(nonce, 0, nonceLen);        
    2851. 

  2851.             }
    2852. 

  2852.             if (personalizationString) {
    2853. 

  2853.                 memset(personalizationString, 0, personalizationStringLen);
    2854. 

  2854.             }
    2855. 

  2855.             if (additionalInput) {
    2856. 

  2856.                 memset(additionalInput, 0, additionalInputLen);
    2857. 

  2857.             }
    2858. 

  2858.             genResult = PR_FALSE;
    2859. 

  2859.             
    2860. 

  2860.             fputs(buf, rngresp);
    2861. 

  2861.             continue;
    2862. 

  2862.         }
    2863. 

  2863.         
    2864. 

  2864.         /* EntropyInputReseed = ... */
    2865. 

  2865.         if (strncmp(buf, "EntropyInputReseed", 18) == 0) {
    2866. 

  2866.             if (entropyInput) {
    2867. 

  2867.                 memset(entropyInput, 0, entropyInputLen);
    2868. 

  2868.                 i = 18;
    2869. 

  2869.                 while (isspace(buf[i]) || buf[i] == '=') {
    2870. 

  2870.                     i++;
    2871. 

  2871.                 }            
    2872. 

  2872.                 
    2873. 

  2873.                 for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<entropyInputLen*/
    2874. 

  2874.                     hex_to_byteval(&buf[i], &entropyInput[j]);
    2875. 

  2875.                 }           
    2876. 

  2876.             }
    2877. 

  2877.             fputs(buf, rngresp);
    2878. 

  2878.             continue;
    2879. 

  2879.         }
    2880. 

  2880.         
    2881. 

  2881.         /* AttionalInputReseed  = ... */
    2882. 

  2882.         if (strncmp(buf, "AdditionalInputReseed", 21) == 0) {
    2883. 

  2883.             if (additionalInput) {
    2884. 

  2884.                 memset(additionalInput, 0, additionalInputLen);
    2885. 

  2885.                 i = 21;
    2886. 

  2886.                 while (isspace(buf[i]) || buf[i] == '=') {
    2887. 

  2887.                     i++;
    2888. 

  2888.                 }
    2889. 

  2889.                 for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
    2890. 

  2890.                     hex_to_byteval(&buf[i], &additionalInput[j]);
    2891. 

  2891.                 }    
    2892. 

  2892.             }
    2893. 

  2893.             command = RESEED;
    2894. 

  2894.             fputs(buf, rngresp);
    2895. 

  2895.             continue;
    2896. 

  2896.         }
    2897. 

  2897.         
    2898. 

  2898.         /* Entropy input = ... */
    2899. 

  2899.         if (strncmp(buf, "EntropyInput", 12) == 0) {
    2900. 

  2900.             i = 12;
    2901. 

  2901.             while (isspace(buf[i]) || buf[i] == '=') {
    2902. 

  2902.                 i++;
    2903. 

  2903.             }
    2904. 

  2904.             for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<entropyInputLen*/
    2905. 

  2905.                 hex_to_byteval(&buf[i], &entropyInput[j]);
    2906. 

  2906.             }  
    2907. 

  2907.             fputs(buf, rngresp);
    2908. 

  2908.             continue;
    2909. 

  2909.         }
    2910. 

  2910.         
    2911. 

  2911.         /* nouce = ... */
    2912. 

  2912.         if (strncmp(buf, "Nonce", 5) == 0) {
    2913. 

  2913.             i = 5;
    2914. 

  2914.             while (isspace(buf[i]) || buf[i] == '=') {
    2915. 

  2915.                 i++;
    2916. 

  2916.             }
    2917. 

  2917.             for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<nonceLen*/
    2918. 

  2918.                 hex_to_byteval(&buf[i], &nonce[j]);
    2919. 

  2919.             }  
    2920. 

  2920.             fputs(buf, rngresp);
    2921. 

  2921.             continue;
    2922. 

  2922.         }
    2923. 

  2923.         
    2924. 

  2924.         /* Personalization string = ... */
    2925. 

  2925.         if (strncmp(buf, "PersonalizationString", 21) == 0) {
    2926. 

  2926.             if (personalizationString) {
    2927. 

  2927.                 i = 21;
    2928. 

  2928.                 while (isspace(buf[i]) || buf[i] == '=') {
    2929. 

  2929.                     i++;
    2930. 

  2930.                 }
    2931. 

  2931.                 for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<personalizationStringLen*/
    2932. 

  2932.                     hex_to_byteval(&buf[i], &personalizationString[j]);
    2933. 

  2933.                 }
    2934. 

  2934.             }
    2935. 

  2935.             fputs(buf, rngresp);
    2936. 

  2936.             command = INSTANTIATE;
    2937. 

  2937.             continue;
    2938. 

  2938.         }
    2939. 

  2939.         
    2940. 

  2940.         /* Additional input = ... */
    2941. 

  2941.         if (strncmp(buf, "AdditionalInput", 15) == 0) {
    2942. 

  2942.             if (additionalInput) {
    2943. 

  2943.                 i = 15;
    2944. 

  2944.                 while (isspace(buf[i]) || buf[i] == '=') {
    2945. 

  2945.                     i++;
    2946. 

  2946.                 }
    2947. 

  2947.                 for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
    2948. 

  2948.                     hex_to_byteval(&buf[i], &additionalInput[j]);
    2949. 

  2949.                 } 
    2950. 

  2950.             }
    2951. 

  2951.             if (genResult) {
    2952. 

  2952.                 command = RESULT;
    2953. 

  2953.             } else {
    2954. 

  2954.                 command = GENERATE;
    2955. 

  2955.                 genResult = PR_TRUE; /* next time generate result */
    2956. 

  2956.             }
    2957. 

  2957.             fputs(buf, rngresp);
    2958. 

  2958.             continue;
    2959. 

  2959.         }
    2960. 

  2960.         
    2961. 

  2961.         /* Returned bits = ... */
    2962. 

  2962.         if (strncmp(buf, "ReturnedBits", 12) == 0) {
    2963. 

  2963.             i = 12;
    2964. 

  2964.             while (isspace(buf[i]) || buf[i] == '=') {
    2965. 

  2965.                 i++;
    2966. 

  2966.             }
    2967. 

  2967.             for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
    2968. 

  2968.                 hex_to_byteval(&buf[i], &predictedreturn_bytes[j]);
    2969. 

  2969.             }          
    2970. 

  2970. 

  2971.             if (memcmp(return_bytes, 
    2972. 

  2972.                        predictedreturn_bytes, return_bytes_len) != 0) {
    2973. 

  2973. 		if (debug) {
    2974. 

  2974.                 fprintf(rngresp, "# Generate failed:\n");
    2975. 

  2975.                 fputs(  "#   predicted=", rngresp);
    2976. 

  2976.                 to_hex_str(buf, predictedreturn_bytes, 
    2977. 

  2977.                            return_bytes_len);
    2978. 

  2978.                 fputs(buf, rngresp);
    2979. 

  2979.                 fputs("\n#   actual  = ", rngresp);
    2980. 

  2980.                 fputs(buf2, rngresp);
    2981. 

  2981.                 fputc('\n', rngresp);
    2982. 

  2982. 

  2983. 		} else {
    2984. 

  2984.                 fprintf(stderr, "Generate failed:\n");
    2985. 

  2985.                 fputs(  "   predicted=", stderr);
    2986. 

  2986.                 to_hex_str(buf, predictedreturn_bytes, 
    2987. 

  2987.                            return_bytes_len);
    2988. 

  2988.                 fputs(buf, stderr);
    2989. 

  2989.                 fputs("\n   actual  = ", stderr);
    2990. 

  2990.                 fputs(buf2, stderr);
    2991. 

  2991.                 fputc('\n', stderr);
    2992. 

  2992. 		}
    2993. 

  2993.             }
    2994. 

  2994.             memset(predictedreturn_bytes, 0 , sizeof predictedreturn_bytes);
    2995. 

  2995. 

  2996.             continue;
    2997. 

  2997.         }
    2998. 

  2998.     }
    2999. 

  2999. loser:
    3000. 

  3000.     fclose(rngreq);
    3001. 

  3001. }
    3002. 

  3002. 

  3003. /*
    3004. 

  3004.  * Perform the RNG Variable Seed Test (VST) for the RNG algorithm
    3005. 

  3005.  * "DSA - Generation of X", used both as specified and as a generic
    3006. 

  3006.  * purpose RNG.  The presence of "Q = ..." in the REQUEST file
    3007. 

  3007.  * indicates we are using the algorithm as specified.
    3008. 

  3008.  *
    3009. 

  3009.  * reqfn is the pathname of the REQUEST file.
    3010. 

  3010.  *
    3011. 

  3011.  * The output RESPONSE file is written to stdout.
    3012. 

  3012.  */
    3013. 

  3013. void
    3014. 

  3014. rng_vst(char *reqfn)
    3015. 

  3015. {
    3016. 

  3016.     char buf[256];      /* holds one line from the input REQUEST file.
    3017. 

  3017.                          * needs to be large enough to hold the longest
    3018. 

  3018.                          * line "XSeed = <128 hex digits>\n".
    3019. 

  3019.                          */
    3020. 

  3020.     FILE *rngreq;       /* input stream from the REQUEST file */
    3021. 

  3021.     FILE *rngresp;      /* output stream to the RESPONSE file */
    3022. 

  3022.     unsigned int i, j;
    3023. 

  3023.     unsigned char Q[DSA_SUBPRIME_LEN];
    3024. 

  3024.     PRBool hasQ = PR_FALSE;
    3025. 

  3025.     unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
    3026. 

  3026.     unsigned char XKey[512/8];
    3027. 

  3027.     unsigned char XSeed[512/8];
    3028. 

  3028.     unsigned char GENX[2*SHA1_LENGTH];
    3029. 

  3029.     unsigned char DSAX[DSA_SUBPRIME_LEN];
    3030. 

  3030.     SECStatus rv;
    3031. 

  3031. 

  3032.     rngreq = fopen(reqfn, "r");
    3033. 

  3033.     rngresp = stdout;
    3034. 

  3034.     while (fgets(buf, sizeof buf, rngreq) != NULL) {
    3035. 

  3035. 	/* a comment or blank line */
    3036. 

  3036. 	if (buf[0] == '#' || buf[0] == '\n') {
    3037. 

  3037. 	    fputs(buf, rngresp);
    3038. 

  3038. 	    continue;
    3039. 

  3039. 	}
    3040. 

  3040. 	/* [Xchange - SHA1] */
    3041. 

  3041. 	if (buf[0] == '[') {
    3042. 

  3042. 	    fputs(buf, rngresp);
    3043. 

  3043. 	    continue;
    3044. 

  3044. 	}
    3045. 

  3045. 	/* Q = ... */
    3046. 

  3046. 	if (buf[0] == 'Q') {
    3047. 

  3047. 	    i = 1;
    3048. 

  3048. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3049. 

  3049. 		i++;
    3050. 

  3050. 	    }
    3051. 

  3051. 	    for (j=0; j<sizeof Q; i+=2,j++) {
    3052. 

  3052. 		hex_to_byteval(&buf[i], &Q[j]);
    3053. 

  3053. 	    }
    3054. 

  3054. 	    fputs(buf, rngresp);
    3055. 

  3055. 	    hasQ = PR_TRUE;
    3056. 

  3056. 	    continue;
    3057. 

  3057. 	}
    3058. 

  3058. 	/* "COUNT = x" begins a new data set */
    3059. 

  3059. 	if (strncmp(buf, "COUNT", 5) == 0) {
    3060. 

  3060. 	    /* zeroize the variables for the test with this data set */
    3061. 

  3061. 	    b = 0;
    3062. 

  3062. 	    memset(XKey, 0, sizeof XKey);
    3063. 

  3063. 	    memset(XSeed, 0, sizeof XSeed);
    3064. 

  3064. 	    fputs(buf, rngresp);
    3065. 

  3065. 	    continue;
    3066. 

  3066. 	}
    3067. 

  3067. 	/* b = ... */
    3068. 

  3068. 	if (buf[0] == 'b') {
    3069. 

  3069. 	    i = 1;
    3070. 

  3070. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3071. 

  3071. 		i++;
    3072. 

  3072. 	    }
    3073. 

  3073. 	    b = atoi(&buf[i]);
    3074. 

  3074. 	    if (b < 160 || b > 512 || b%8 != 0) {
    3075. 

  3075. 		goto loser;
    3076. 

  3076. 	    }
    3077. 

  3077. 	    fputs(buf, rngresp);
    3078. 

  3078. 	    continue;
    3079. 

  3079. 	}
    3080. 

  3080. 	/* XKey = ... */
    3081. 

  3081. 	if (strncmp(buf, "XKey", 4) == 0) {
    3082. 

  3082. 	    i = 4;
    3083. 

  3083. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3084. 

  3084. 		i++;
    3085. 

  3085. 	    }
    3086. 

  3086. 	    for (j=0; j<b/8; i+=2,j++) {
    3087. 

  3087. 		hex_to_byteval(&buf[i], &XKey[j]);
    3088. 

  3088. 	    }
    3089. 

  3089. 	    fputs(buf, rngresp);
    3090. 

  3090. 	    continue;
    3091. 

  3091. 	}
    3092. 

  3092. 	/* XSeed = ... */
    3093. 

  3093. 	if (strncmp(buf, "XSeed", 5) == 0) {
    3094. 

  3094. 	    i = 5;
    3095. 

  3095. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3096. 

  3096. 		i++;
    3097. 

  3097. 	    }
    3098. 

  3098. 	    for (j=0; j<b/8; i+=2,j++) {
    3099. 

  3099. 		hex_to_byteval(&buf[i], &XSeed[j]);
    3100. 

  3100. 	    }
    3101. 

  3101. 	    fputs(buf, rngresp);
    3102. 

  3102. 

  3103. 	    rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
    3104. 

  3104. 	    if (rv != SECSuccess) {
    3105. 

  3105. 		goto loser;
    3106. 

  3106. 	    }
    3107. 

  3107. 	    fputs("X = ", rngresp);
    3108. 

  3108. 	    if (hasQ) {
    3109. 

  3109. 		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
    3110. 

  3110. 		if (rv != SECSuccess) {
    3111. 

  3111. 		    goto loser;
    3112. 

  3112. 		}
    3113. 

  3113. 		to_hex_str(buf, DSAX, sizeof DSAX);
    3114. 

  3114. 	    } else {
    3115. 

  3115. 		to_hex_str(buf, GENX, sizeof GENX);
    3116. 

  3116. 	    }
    3117. 

  3117. 	    fputs(buf, rngresp);
    3118. 

  3118. 	    fputc('\n', rngresp);
    3119. 

  3119. 	    continue;
    3120. 

  3120. 	}
    3121. 

  3121.     }
    3122. 

  3122. loser:
    3123. 

  3123.     fclose(rngreq);
    3124. 

  3124. }
    3125. 

  3125. 

  3126. /*
    3127. 

  3127.  * Perform the RNG Monte Carlo Test (MCT) for the RNG algorithm
    3128. 

  3128.  * "DSA - Generation of X", used both as specified and as a generic
    3129. 

  3129.  * purpose RNG.  The presence of "Q = ..." in the REQUEST file
    3130. 

  3130.  * indicates we are using the algorithm as specified.
    3131. 

  3131.  *
    3132. 

  3132.  * reqfn is the pathname of the REQUEST file.
    3133. 

  3133.  *
    3134. 

  3134.  * The output RESPONSE file is written to stdout.
    3135. 

  3135.  */
    3136. 

  3136. void
    3137. 

  3137. rng_mct(char *reqfn)
    3138. 

  3138. {
    3139. 

  3139.     char buf[256];      /* holds one line from the input REQUEST file.
    3140. 

  3140.                          * needs to be large enough to hold the longest
    3141. 

  3141.                          * line "XSeed = <128 hex digits>\n".
    3142. 

  3142.                          */
    3143. 

  3143.     FILE *rngreq;       /* input stream from the REQUEST file */
    3144. 

  3144.     FILE *rngresp;      /* output stream to the RESPONSE file */
    3145. 

  3145.     unsigned int i, j;
    3146. 

  3146.     unsigned char Q[DSA_SUBPRIME_LEN];
    3147. 

  3147.     PRBool hasQ = PR_FALSE;
    3148. 

  3148.     unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
    3149. 

  3149.     unsigned char XKey[512/8];
    3150. 

  3150.     unsigned char XSeed[512/8];
    3151. 

  3151.     unsigned char GENX[2*SHA1_LENGTH];
    3152. 

  3152.     unsigned char DSAX[DSA_SUBPRIME_LEN];
    3153. 

  3153.     SECStatus rv;
    3154. 

  3154. 

  3155.     rngreq = fopen(reqfn, "r");
    3156. 

  3156.     rngresp = stdout;
    3157. 

  3157.     while (fgets(buf, sizeof buf, rngreq) != NULL) {
    3158. 

  3158. 	/* a comment or blank line */
    3159. 

  3159. 	if (buf[0] == '#' || buf[0] == '\n') {
    3160. 

  3160. 	    fputs(buf, rngresp);
    3161. 

  3161. 	    continue;
    3162. 

  3162. 	}
    3163. 

  3163. 	/* [Xchange - SHA1] */
    3164. 

  3164. 	if (buf[0] == '[') {
    3165. 

  3165. 	    fputs(buf, rngresp);
    3166. 

  3166. 	    continue;
    3167. 

  3167. 	}
    3168. 

  3168. 	/* Q = ... */
    3169. 

  3169. 	if (buf[0] == 'Q') {
    3170. 

  3170. 	    i = 1;
    3171. 

  3171. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3172. 

  3172. 		i++;
    3173. 

  3173. 	    }
    3174. 

  3174. 	    for (j=0; j<sizeof Q; i+=2,j++) {
    3175. 

  3175. 		hex_to_byteval(&buf[i], &Q[j]);
    3176. 

  3176. 	    }
    3177. 

  3177. 	    fputs(buf, rngresp);
    3178. 

  3178. 	    hasQ = PR_TRUE;
    3179. 

  3179. 	    continue;
    3180. 

  3180. 	}
    3181. 

  3181. 	/* "COUNT = x" begins a new data set */
    3182. 

  3182. 	if (strncmp(buf, "COUNT", 5) == 0) {
    3183. 

  3183. 	    /* zeroize the variables for the test with this data set */
    3184. 

  3184. 	    b = 0;
    3185. 

  3185. 	    memset(XKey, 0, sizeof XKey);
    3186. 

  3186. 	    memset(XSeed, 0, sizeof XSeed);
    3187. 

  3187. 	    fputs(buf, rngresp);
    3188. 

  3188. 	    continue;
    3189. 

  3189. 	}
    3190. 

  3190. 	/* b = ... */
    3191. 

  3191. 	if (buf[0] == 'b') {
    3192. 

  3192. 	    i = 1;
    3193. 

  3193. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3194. 

  3194. 		i++;
    3195. 

  3195. 	    }
    3196. 

  3196. 	    b = atoi(&buf[i]);
    3197. 

  3197. 	    if (b < 160 || b > 512 || b%8 != 0) {
    3198. 

  3198. 		goto loser;
    3199. 

  3199. 	    }
    3200. 

  3200. 	    fputs(buf, rngresp);
    3201. 

  3201. 	    continue;
    3202. 

  3202. 	}
    3203. 

  3203. 	/* XKey = ... */
    3204. 

  3204. 	if (strncmp(buf, "XKey", 4) == 0) {
    3205. 

  3205. 	    i = 4;
    3206. 

  3206. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3207. 

  3207. 		i++;
    3208. 

  3208. 	    }
    3209. 

  3209. 	    for (j=0; j<b/8; i+=2,j++) {
    3210. 

  3210. 		hex_to_byteval(&buf[i], &XKey[j]);
    3211. 

  3211. 	    }
    3212. 

  3212. 	    fputs(buf, rngresp);
    3213. 

  3213. 	    continue;
    3214. 

  3214. 	}
    3215. 

  3215. 	/* XSeed = ... */
    3216. 

  3216. 	if (strncmp(buf, "XSeed", 5) == 0) {
    3217. 

  3217. 	    unsigned int k;
    3218. 

  3218. 	    i = 5;
    3219. 

  3219. 	    while (isspace(buf[i]) || buf[i] == '=') {
    3220. 

  3220. 		i++;
    3221. 

  3221. 	    }
    3222. 

  3222. 	    for (j=0; j<b/8; i+=2,j++) {
    3223. 

  3223. 		hex_to_byteval(&buf[i], &XSeed[j]);
    3224. 

  3224. 	    }
    3225. 

  3225. 	    fputs(buf, rngresp);
    3226. 

  3226. 

  3227. 	    for (k = 0; k < 10000; k++) {
    3228. 

  3228. 		rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
    3229. 

  3229. 		if (rv != SECSuccess) {
    3230. 

  3230. 		    goto loser;
    3231. 

  3231. 		}
    3232. 

  3232. 	    }
    3233. 

  3233. 	    fputs("X = ", rngresp);
    3234. 

  3234. 	    if (hasQ) {
    3235. 

  3235. 		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
    3236. 

  3236. 		if (rv != SECSuccess) {
    3237. 

  3237. 		    goto loser;
    3238. 

  3238. 		}
    3239. 

  3239. 		to_hex_str(buf, DSAX, sizeof DSAX);
    3240. 

  3240. 	    } else {
    3241. 

  3241. 		to_hex_str(buf, GENX, sizeof GENX);
    3242. 

  3242. 	    }
    3243. 

  3243. 	    fputs(buf, rngresp);
    3244. 

  3244. 	    fputc('\n', rngresp);
    3245. 

  3245. 	    continue;
    3246. 

  3246. 	}
    3247. 

  3247.     }
    3248. 

  3248. loser:
    3249. 

  3249.     fclose(rngreq);
    3250. 

  3250. }
    3251. 

  3251. 

  3252. /*
    3253. 

  3253.  * Calculate the SHA Message Digest 
    3254. 

  3254.  *
    3255. 

  3255.  * MD = Message digest 
    3256. 

  3256.  * MDLen = length of Message Digest and SHA_Type
    3257. 

  3257.  * msg = message to digest 
    3258. 

  3258.  * msgLen = length of message to digest
    3259. 

  3259.  */
    3260. 

  3260. SECStatus sha_calcMD(unsigned char *MD, unsigned int MDLen, unsigned char *msg, unsigned int msgLen) 
    3261. 

  3261. {    
    3262. 

  3262.     SECStatus   sha_status = SECFailure;
    3263. 

  3263. 

  3264.     if (MDLen == SHA1_LENGTH) {
    3265. 

  3265.         sha_status = SHA1_HashBuf(MD, msg, msgLen);
    3266. 

  3266.     } else if (MDLen == SHA256_LENGTH) {
    3267. 

  3267.         sha_status = SHA256_HashBuf(MD, msg, msgLen);
    3268. 

  3268.     } else if (MDLen == SHA384_LENGTH) {
    3269. 

  3269.         sha_status = SHA384_HashBuf(MD, msg, msgLen);
    3270. 

  3270.     } else if (MDLen == SHA512_LENGTH) {
    3271. 

  3271.         sha_status = SHA512_HashBuf(MD, msg, msgLen);
    3272. 

  3272.     }
    3273. 

  3273. 

  3274.     return sha_status;
    3275. 

  3275. }
    3276. 

  3276. 

  3277. /*
    3278. 

  3278.  * Perform the SHA Monte Carlo Test
    3279. 

  3279.  *
    3280. 

  3280.  * MDLen = length of Message Digest and SHA_Type
    3281. 

  3281.  * seed = input seed value
    3282. 

  3282.  * resp = is the output response file. 
    3283. 

  3283.  */
    3284. 

  3284. SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp) 
    3285. 

  3285. {
    3286. 

  3286.     int i, j;
    3287. 

  3287.     unsigned int msgLen = MDLen*3;
    3288. 

  3288.     unsigned char MD_i3[HASH_LENGTH_MAX];  /* MD[i-3] */
    3289. 

  3289.     unsigned char MD_i2[HASH_LENGTH_MAX];  /* MD[i-2] */
    3290. 

  3290.     unsigned char MD_i1[HASH_LENGTH_MAX];  /* MD[i-1] */
    3291. 

  3291.     unsigned char MD_i[HASH_LENGTH_MAX];   /* MD[i] */
    3292. 

  3292.     unsigned char msg[HASH_LENGTH_MAX*3];
    3293. 

  3293.     char buf[HASH_LENGTH_MAX*2 + 1];  /* MAX buf MD_i as a hex string */
    3294. 

  3294. 

  3295.     for (j=0; j<100; j++) {
    3296. 

  3296.         /* MD_0 = MD_1 = MD_2 = seed */
    3297. 

  3297.         memcpy(MD_i3, seed, MDLen);
    3298. 

  3298.         memcpy(MD_i2, seed, MDLen);
    3299. 

  3299.         memcpy(MD_i1, seed, MDLen);
    3300. 

  3300. 

  3301.         for (i=3; i < 1003; i++) {
    3302. 

  3302.             /* Mi = MD[i-3] || MD [i-2] || MD [i-1] */
    3303. 

  3303.             memcpy(msg, MD_i3, MDLen);
    3304. 

  3304.             memcpy(&msg[MDLen], MD_i2, MDLen);
    3305. 

  3305.             memcpy(&msg[MDLen*2], MD_i1,MDLen); 
    3306. 

  3306. 

  3307.             /* MDi = SHA(Msg) */
    3308. 

  3308.             if (sha_calcMD(MD_i, MDLen,   
    3309. 

  3309.                            msg, msgLen) != SECSuccess) {
    3310. 

  3310.                 return SECFailure;
    3311. 

  3311.             }
    3312. 

  3312. 

  3313.             /* save MD[i-3] MD[i-2]  MD[i-1] */
    3314. 

  3314.             memcpy(MD_i3, MD_i2, MDLen);
    3315. 

  3315.             memcpy(MD_i2, MD_i1, MDLen);
    3316. 

  3316.             memcpy(MD_i1, MD_i, MDLen);
    3317. 

  3317. 

  3318.         }
    3319. 

  3319. 

  3320.         /* seed = MD_i */
    3321. 

  3321.         memcpy(seed, MD_i, MDLen);
    3322. 

  3322. 

  3323.         sprintf(buf, "COUNT = %d\n", j);
    3324. 

  3324.         fputs(buf, resp);
    3325. 

  3325. 

  3326.         /* output MD_i */
    3327. 

  3327.         fputs("MD = ", resp);
    3328. 

  3328.         to_hex_str(buf, MD_i, MDLen);
    3329. 

  3329.         fputs(buf, resp);
    3330. 

  3330.         fputc('\n', resp);
    3331. 

  3331.     }
    3332. 

  3332. 

  3333.     return SECSuccess;
    3334. 

  3334. }
    3335. 

  3335. 

  3336. /*
    3337. 

  3337.  * Perform the SHA Tests.
    3338. 

  3338.  *
    3339. 

  3339.  * reqfn is the pathname of the input REQUEST file.
    3340. 

  3340.  *
    3341. 

  3341.  * The output RESPONSE file is written to stdout.
    3342. 

  3342.  */
    3343. 

  3343. void sha_test(char *reqfn) 
    3344. 

  3344. {
    3345. 

  3345.     unsigned int i, j;
    3346. 

  3346.     unsigned int MDlen;   /* the length of the Message Digest in Bytes  */
    3347. 

  3347.     unsigned int msgLen;  /* the length of the input Message in Bytes */
    3348. 

  3348.     unsigned char *msg = NULL; /* holds the message to digest.*/
    3349. 

  3349.     size_t bufSize = 25608; /*MAX buffer size */
    3350. 

  3350.     char *buf = NULL;      /* holds one line from the input REQUEST file.*/
    3351. 

  3351.     unsigned char seed[HASH_LENGTH_MAX];   /* max size of seed 64 bytes */
    3352. 

  3352.     unsigned char MD[HASH_LENGTH_MAX];     /* message digest */
    3353. 

  3353. 

  3354.     FILE *req = NULL;  /* input stream from the REQUEST file */
    3355. 

  3355.     FILE *resp;        /* output stream to the RESPONSE file */
    3356. 

  3356. 

  3357.     buf = PORT_ZAlloc(bufSize);
    3358. 

  3358.     if (buf == NULL) {
    3359. 

  3359.         goto loser;
    3360. 

  3360.     }      
    3361. 

  3361. 

  3362.     /* zeroize the variables for the test with this data set */
    3363. 

  3363.     memset(seed, 0, sizeof seed);
    3364. 

  3364. 

  3365.     req = fopen(reqfn, "r");
    3366. 

  3366.     resp = stdout;
    3367. 

  3367.     while (fgets(buf, bufSize, req) != NULL) {
    3368. 

  3368. 

  3369.         /* a comment or blank line */
    3370. 

  3370.         if (buf[0] == '#' || buf[0] == '\n') {
    3371. 

  3371.             fputs(buf, resp);
    3372. 

  3372.             continue;
    3373. 

  3373.         }
    3374. 

  3374.         /* [L = Length of the Message Digest and sha_type */
    3375. 

  3375.         if (buf[0] == '[') {
    3376. 

  3376.             if (strncmp(&buf[1], "L ", 1) == 0) {
    3377. 

  3377.                 i = 2;
    3378. 

  3378.                 while (isspace(buf[i]) || buf[i] == '=') {
    3379. 

  3379.                     i++;
    3380. 

  3380.                 }
    3381. 

  3381.                 MDlen = atoi(&buf[i]);
    3382. 

  3382.                 fputs(buf, resp);
    3383. 

  3383.                 continue;
    3384. 

  3384.             }
    3385. 

  3385.         }
    3386. 

  3386.         /* Len = Length of the Input Message Length  ... */
    3387. 

  3387.         if (strncmp(buf, "Len", 3) == 0) {
    3388. 

  3388.             i = 3;
    3389. 

  3389.             while (isspace(buf[i]) || buf[i] == '=') {
    3390. 

  3390.                 i++;
    3391. 

  3391.             }
    3392. 

  3392.             if (msg) {
    3393. 

  3393.                 PORT_ZFree(msg,msgLen);
    3394. 

  3394.                 msg = NULL;
    3395. 

  3395.             }
    3396. 

  3396.             msgLen = atoi(&buf[i]); /* in bits */
    3397. 

  3397.             if (msgLen%8 != 0) {
    3398. 

  3398.                 fprintf(stderr, "SHA tests are incorrectly configured for "
    3399. 

  3399.                     "BIT oriented implementations\n");
    3400. 

  3400.                 goto loser;
    3401. 

  3401.             }
    3402. 

  3402.             msgLen = msgLen/8; /* convert to bytes */
    3403. 

  3403.             fputs(buf, resp);
    3404. 

  3404.             msg = PORT_ZAlloc(msgLen);
    3405. 

  3405.             if (msg == NULL && msgLen != 0) {
    3406. 

  3406.                 goto loser;
    3407. 

  3407.             } 
    3408. 

  3408.             continue;
    3409. 

  3409.         }
    3410. 

  3410.         /* MSG = ... */
    3411. 

  3411.         if (strncmp(buf, "Msg", 3) == 0) {
    3412. 

  3412.             i = 3;
    3413. 

  3413.             while (isspace(buf[i]) || buf[i] == '=') {
    3414. 

  3414.                 i++;
    3415. 

  3415.             }
    3416. 

  3416.             for (j=0; j< msgLen; i+=2,j++) {
    3417. 

  3417.                 hex_to_byteval(&buf[i], &msg[j]);
    3418. 

  3418.             }
    3419. 

  3419.            fputs(buf, resp);
    3420. 

  3420.            /* calculate the Message Digest */ 
    3421. 

  3421.            memset(MD, 0, sizeof MD);
    3422. 

  3422.            if (sha_calcMD(MD, MDlen,   
    3423. 

  3423.                           msg, msgLen) != SECSuccess) {
    3424. 

  3424.                goto loser;
    3425. 

  3425.            }
    3426. 

  3426. 

  3427.            fputs("MD = ", resp);
    3428. 

  3428.            to_hex_str(buf, MD, MDlen);
    3429. 

  3429.            fputs(buf, resp);
    3430. 

  3430.            fputc('\n', resp);
    3431. 

  3431. 

  3432.            continue;
    3433. 

  3433.         }
    3434. 

  3434.         /* Seed = ... */
    3435. 

  3435.         if (strncmp(buf, "Seed", 4) == 0) {
    3436. 

  3436.             i = 4;
    3437. 

  3437.             while (isspace(buf[i]) || buf[i] == '=') {
    3438. 

  3438.                 i++;
    3439. 

  3439.             }
    3440. 

  3440.             for (j=0; j<sizeof seed; i+=2,j++) {
    3441. 

  3441.                 hex_to_byteval(&buf[i], &seed[j]);
    3442. 

  3442.             }                                     
    3443. 

  3443. 

  3444.             fputs(buf, resp);
    3445. 

  3445.             fputc('\n', resp);
    3446. 

  3446. 

  3447.             /* do the Monte Carlo test */
    3448. 

  3448.             if (sha_mct_test(MDlen, seed, resp) != SECSuccess) {
    3449. 

  3449.                 goto loser; 
    3450. 

  3450.             }
    3451. 

  3451. 

  3452.             continue;
    3453. 

  3453.         }
    3454. 

  3454.     }
    3455. 

  3455. loser:
    3456. 

  3456.     if (req) {
    3457. 

  3457.         fclose(req);
    3458. 

  3458.     }  
    3459. 

  3459.     if (buf) {
    3460. 

  3460.         PORT_ZFree(buf, bufSize);
    3461. 

  3461.     }
    3462. 

  3462.     if (msg) {
    3463. 

  3463.         PORT_ZFree(msg, msgLen);
    3464. 

  3464.     }
    3465. 

  3465. }
    3466. 

  3466. 

  3467. /****************************************************/
    3468. 

  3468. /* HMAC SHA-X calc                                  */
    3469. 

  3469. /* hmac_computed - the computed HMAC                */
    3470. 

  3470. /* hmac_length - the length of the computed HMAC    */
    3471. 

  3471. /* secret_key - secret key to HMAC                  */
    3472. 

  3472. /* secret_key_length - length of secret key,        */
    3473. 

  3473. /* message - message to HMAC                        */
    3474. 

  3474. /* message_length - length ofthe message            */
    3475. 

  3475. /****************************************************/
    3476. 

  3476. static SECStatus
    3477. 

  3477. hmac_calc(unsigned char *hmac_computed,
    3478. 

  3478.           const unsigned int hmac_length,
    3479. 

  3479.           const unsigned char *secret_key,
    3480. 

  3480.           const unsigned int secret_key_length,
    3481. 

  3481.           const unsigned char *message,
    3482. 

  3482.           const unsigned int message_length,
    3483. 

  3483.           const HASH_HashType hashAlg )
    3484. 

  3484. {
    3485. 

  3485.     SECStatus hmac_status = SECFailure;
    3486. 

  3486.     HMACContext *cx = NULL;
    3487. 

  3487.     SECHashObject *hashObj = NULL;
    3488. 

  3488.     unsigned int bytes_hashed = 0;
    3489. 

  3489. 

  3490.     hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
    3491. 

  3491.  
    3492. 

  3492.     if (!hashObj) 
    3493. 

  3493.         return( SECFailure );
    3494. 

  3494. 

  3495.     cx = HMAC_Create(hashObj, secret_key, 
    3496. 

  3496.                      secret_key_length, 
    3497. 

  3497.                      PR_TRUE);  /* PR_TRUE for in FIPS mode */
    3498. 

  3498. 

  3499.     if (cx == NULL) 
    3500. 

  3500.         return( SECFailure );
    3501. 

  3501. 

  3502.     HMAC_Begin(cx);
    3503. 

  3503.     HMAC_Update(cx, message, message_length);
    3504. 

  3504.     hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
    3505. 

  3505.                               hmac_length);
    3506. 

  3506. 

  3507.     HMAC_Destroy(cx, PR_TRUE);
    3508. 

  3508. 

  3509.     return( hmac_status );
    3510. 

  3510. }
    3511. 

  3511. 

  3512. /*
    3513. 

  3513.  * Perform the HMAC Tests.
    3514. 

  3514.  *
    3515. 

  3515.  * reqfn is the pathname of the input REQUEST file.
    3516. 

  3516.  *
    3517. 

  3517.  * The output RESPONSE file is written to stdout.
    3518. 

  3518.  */
    3519. 

  3519. void hmac_test(char *reqfn) 
    3520. 

  3520. {
    3521. 

  3521.     unsigned int i, j;
    3522. 

  3522.     size_t bufSize =      400;    /* MAX buffer size */
    3523. 

  3523.     char *buf = NULL;  /* holds one line from the input REQUEST file.*/
    3524. 

  3524.     unsigned int keyLen;          /* Key Length */  
    3525. 

  3525.     unsigned char key[200];       /* key MAX size = 184 */
    3526. 

  3526.     unsigned int msgLen = 128;    /* the length of the input  */
    3527. 

  3527.                                   /*  Message is always 128 Bytes */
    3528. 

  3528.     unsigned char *msg = NULL;    /* holds the message to digest.*/
    3529. 

  3529.     unsigned int HMACLen;         /* the length of the HMAC Bytes  */
    3530. 

  3530.     unsigned int TLen;            /* the length of the requested */
    3531. 

  3531.                                   /* truncated HMAC Bytes */
    3532. 

  3532.     unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
    3533. 

  3533.     unsigned char expectedHMAC[HASH_LENGTH_MAX]; /* for .fax files that have */ 
    3534. 

  3534.                                                  /* supplied known answer */
    3535. 

  3535.     HASH_HashType hash_alg;       /* HMAC type */
    3536. 

  3536.     
    3537. 

  3537. 

  3538.     FILE *req = NULL;  /* input stream from the REQUEST file */
    3539. 

  3539.     FILE *resp;        /* output stream to the RESPONSE file */
    3540. 

  3540. 

  3541.     buf = PORT_ZAlloc(bufSize);
    3542. 

  3542.     if (buf == NULL) {
    3543. 

  3543.         goto loser;
    3544. 

  3544.     }      
    3545. 

  3545.     msg = PORT_ZAlloc(msgLen);
    3546. 

  3546.     memset(msg, 0, msgLen);
    3547. 

  3547.     if (msg == NULL) {
    3548. 

  3548.         goto loser;
    3549. 

  3549.     } 
    3550. 

  3550. 

  3551.     req = fopen(reqfn, "r");
    3552. 

  3552.     resp = stdout;
    3553. 

  3553.     while (fgets(buf, bufSize, req) != NULL) {
    3554. 

  3554.         if (strncmp(buf, "Mac", 3) == 0) {
    3555. 

  3555.             i = 3;
    3556. 

  3556.             while (isspace(buf[i]) || buf[i] == '=') {
    3557. 

  3557.                 i++;
    3558. 

  3558.             }
    3559. 

  3559.             memset(expectedHMAC, 0, HASH_LENGTH_MAX);
    3560. 

  3560.             for (j=0; isxdigit(buf[i]); i+=2,j++) { 
    3561. 

  3561.                 hex_to_byteval(&buf[i], &expectedHMAC[j]);
    3562. 

  3562.             }
    3563. 

  3563.             if (memcmp(HMAC, expectedHMAC, TLen) != 0) {
    3564. 

  3564.                 fprintf(stderr, "Generate failed:\n");
    3565. 

  3565.                 fputs(  "   expected=", stderr);
    3566. 

  3566.                 to_hex_str(buf, expectedHMAC, 
    3567. 

  3567.                            TLen);
    3568. 

  3568.                 fputs(buf, stderr);
    3569. 

  3569.                 fputs("\n   generated=", stderr);
    3570. 

  3570.                 to_hex_str(buf, HMAC, 
    3571. 

  3571.                            TLen);
    3572. 

  3572.                 fputs(buf, stderr);
    3573. 

  3573.                 fputc('\n', stderr);
    3574. 

  3574.             }
    3575. 

  3575.         }
    3576. 

  3576. 

  3577.         /* a comment or blank line */
    3578. 

  3578.         if (buf[0] == '#' || buf[0] == '\n') {
    3579. 

  3579.             fputs(buf, resp);
    3580. 

  3580.             continue;
    3581. 

  3581.         }
    3582. 

  3582.         /* [L = Length of the MAC and HASH_type */
    3583. 

  3583.         if (buf[0] == '[') {
    3584. 

  3584.             if (strncmp(&buf[1], "L ", 1) == 0) {
    3585. 

  3585.                 i = 2;
    3586. 

  3586.                 while (isspace(buf[i]) || buf[i] == '=') {
    3587. 

  3587.                     i++;
    3588. 

  3588.                 }
    3589. 

  3589.                 /* HMACLen will get reused for Tlen */
    3590. 

  3590.                 HMACLen = atoi(&buf[i]);
    3591. 

  3591.                 /* set the HASH algorithm for HMAC */
    3592. 

  3592.                 if (HMACLen == SHA1_LENGTH) {
    3593. 

  3593.                     hash_alg = HASH_AlgSHA1;
    3594. 

  3594.                 } else if (HMACLen == SHA256_LENGTH) {
    3595. 

  3595.                     hash_alg = HASH_AlgSHA256;
    3596. 

  3596.                 } else if (HMACLen == SHA384_LENGTH) {
    3597. 

  3597.                     hash_alg = HASH_AlgSHA384;
    3598. 

  3598.                 } else if (HMACLen == SHA512_LENGTH) {
    3599. 

  3599.                     hash_alg = HASH_AlgSHA512;
    3600. 

  3600.                 } else {
    3601. 

  3601.                     goto loser;
    3602. 

  3602.                 }
    3603. 

  3603.                 fputs(buf, resp);
    3604. 

  3604.                 continue;
    3605. 

  3605.             }
    3606. 

  3606.         }
    3607. 

  3607.         /* Count = test iteration number*/
    3608. 

  3608.         if (strncmp(buf, "Count ", 5) == 0) {    
    3609. 

  3609.             /* count can just be put into resp file */
    3610. 

  3610.             fputs(buf, resp);
    3611. 

  3611.             /* zeroize the variables for the test with this data set */
    3612. 

  3612.             keyLen = 0; 
    3613. 

  3613.             TLen = 0;
    3614. 

  3614.             memset(key, 0, sizeof key);     
    3615. 

  3615.             memset(msg, 0, sizeof msg);  
    3616. 

  3616.             memset(HMAC, 0, sizeof HMAC);
    3617. 

  3617.             continue;
    3618. 

  3618.         }
    3619. 

  3619.         /* KLen = Length of the Input Secret Key ... */
    3620. 

  3620.         if (strncmp(buf, "Klen", 4) == 0) {
    3621. 

  3621.             i = 4;
    3622. 

  3622.             while (isspace(buf[i]) || buf[i] == '=') {
    3623. 

  3623.                 i++;
    3624. 

  3624.             }
    3625. 

  3625.             keyLen = atoi(&buf[i]); /* in bytes */
    3626. 

  3626.             fputs(buf, resp);
    3627. 

  3627.             continue;
    3628. 

  3628.         }
    3629. 

  3629.         /* key = the secret key for the key to MAC */
    3630. 

  3630.         if (strncmp(buf, "Key", 3) == 0) {
    3631. 

  3631.             i = 3;
    3632. 

  3632.             while (isspace(buf[i]) || buf[i] == '=') {
    3633. 

  3633.                 i++;
    3634. 

  3634.             }
    3635. 

  3635.             for (j=0; j< keyLen; i+=2,j++) {
    3636. 

  3636.                 hex_to_byteval(&buf[i], &key[j]);
    3637. 

  3637.             }
    3638. 

  3638.            fputs(buf, resp);
    3639. 

  3639.         }
    3640. 

  3640.         /* TLen = Length of the calculated HMAC */
    3641. 

  3641.         if (strncmp(buf, "Tlen", 4) == 0) {
    3642. 

  3642.             i = 4;
    3643. 

  3643.             while (isspace(buf[i]) || buf[i] == '=') {
    3644. 

  3644.                 i++;
    3645. 

  3645.             }
    3646. 

  3646.             TLen = atoi(&buf[i]); /* in bytes */
    3647. 

  3647.             fputs(buf, resp);
    3648. 

  3648.             continue;
    3649. 

  3649.         }
    3650. 

  3650.         /* MSG = to HMAC always 128 bytes for these tests */
    3651. 

  3651.         if (strncmp(buf, "Msg", 3) == 0) {
    3652. 

  3652.             i = 3;
    3653. 

  3653.             while (isspace(buf[i]) || buf[i] == '=') {
    3654. 

  3654.                 i++;
    3655. 

  3655.             }
    3656. 

  3656.             for (j=0; j< msgLen; i+=2,j++) {
    3657. 

  3657.                 hex_to_byteval(&buf[i], &msg[j]);
    3658. 

  3658.             }
    3659. 

  3659.            fputs(buf, resp);
    3660. 

  3660.            /* calculate the HMAC and output */ 
    3661. 

  3661.            if (hmac_calc(HMAC, HMACLen, key, keyLen,   
    3662. 

  3662.                          msg, msgLen, hash_alg) != SECSuccess) {
    3663. 

  3663.                goto loser;
    3664. 

  3664.            }
    3665. 

  3665.            fputs("MAC = ", resp);
    3666. 

  3666.            to_hex_str(buf, HMAC, TLen);
    3667. 

  3667.            fputs(buf, resp);
    3668. 

  3668.            fputc('\n', resp);
    3669. 

  3669.            continue;
    3670. 

  3670.         }
    3671. 

  3671.     }
    3672. 

  3672. loser:
    3673. 

  3673.     if (req) {
    3674. 

  3674.         fclose(req);
    3675. 

  3675.     }
    3676. 

  3676.     if (buf) {
    3677. 

  3677.         PORT_ZFree(buf, bufSize);
    3678. 

  3678.     }
    3679. 

  3679.     if (msg) {
    3680. 

  3680.         PORT_ZFree(msg, msgLen);
    3681. 

  3681.     }
    3682. 

  3682. }
    3683. 

  3683. 

  3684. /*
    3685. 

  3685.  * Perform the DSA Key Pair Generation Test.
    3686. 

  3686.  *
    3687. 

  3687.  * reqfn is the pathname of the REQUEST file.
    3688. 

  3688.  *
    3689. 

  3689.  * The output RESPONSE file is written to stdout.
    3690. 

  3690.  */
    3691. 

  3691. void
    3692. 

  3692. dsa_keypair_test(char *reqfn)
    3693. 

  3693. {
    3694. 

  3694.     char buf[260];       /* holds one line from the input REQUEST file
    3695. 

  3695.                          * or to the output RESPONSE file.
    3696. 

  3696.                          * 257 to hold (128 public key (x2 for HEX) + 1'\n'
    3697. 

  3697.                          */
    3698. 

  3698.     FILE *dsareq;     /* input stream from the REQUEST file */
    3699. 

  3699.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3700. 

  3700.     int N;            /* number of time to generate key pair */
    3701. 

  3701.     int modulus;
    3702. 

  3702.     int i;
    3703. 

  3703.     PQGParams *pqg = NULL;
    3704. 

  3704.     PQGVerify *vfy = NULL;
    3705. 

  3705.     int keySizeIndex;   /* index for valid key sizes */
    3706. 

  3706. 

  3707.     dsareq = fopen(reqfn, "r");
    3708. 

  3708.     dsaresp = stdout;
    3709. 

  3709.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    3710. 

  3710.         /* a comment or blank line */
    3711. 

  3711.         if (buf[0] == '#' || buf[0] == '\n') {
    3712. 

  3712.             fputs(buf, dsaresp);
    3713. 

  3713.             continue;
    3714. 

  3714.         }
    3715. 

  3715. 

  3716.         /* [Mod = x] */
    3717. 

  3717.         if (buf[0] == '[') {
    3718. 

  3718.             if(pqg!=NULL) {
    3719. 

  3719.                 PQG_DestroyParams(pqg);
    3720. 

  3720.                 pqg = NULL;
    3721. 

  3721.             }
    3722. 

  3722.             if(vfy!=NULL) {
    3723. 

  3723.                 PQG_DestroyVerify(vfy);
    3724. 

  3724.                 vfy = NULL;
    3725. 

  3725.             }
    3726. 

  3726. 

  3727.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    3728. 

  3728.                 goto loser;
    3729. 

  3729.             }
    3730. 

  3730.             fputs(buf, dsaresp);
    3731. 

  3731.             fputc('\n', dsaresp);
    3732. 

  3732. 

  3733.             /*****************************************************************
    3734. 

  3734.              * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
    3735. 

  3735.              * that points to a valid key size.
    3736. 

  3736.              */
    3737. 

  3737.             keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
    3738. 

  3738.             if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
    3739. 

  3739.                fprintf(dsaresp,
    3740. 

  3740.                     "DSA key size must be a multiple of 64 between 512 "
    3741. 

  3741.                     "and 1024, inclusive");
    3742. 

  3742.                 goto loser;
    3743. 

  3743.             }
    3744. 

  3744. 

  3745.             /* Generate the parameters P, Q, and G */
    3746. 

  3746.             if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
    3747. 

  3747.                 &pqg, &vfy) != SECSuccess) {
    3748. 

  3748.                 fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
    3749. 

  3749.                 goto loser;
    3750. 

  3750.             }
    3751. 

  3751. 

  3752.             /* output P, Q, and G */
    3753. 

  3753.             to_hex_str(buf, pqg->prime.data, pqg->prime.len);
    3754. 

  3754.             fprintf(dsaresp, "P = %s\n", buf);
    3755. 

  3755.             to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
    3756. 

  3756.             fprintf(dsaresp, "Q = %s\n", buf);
    3757. 

  3757.             to_hex_str(buf, pqg->base.data, pqg->base.len);
    3758. 

  3758.             fprintf(dsaresp, "G = %s\n\n", buf);
    3759. 

  3759.             continue;
    3760. 

  3760.         }
    3761. 

  3761.         /* N = ...*/
    3762. 

  3762.         if (buf[0] == 'N') {
    3763. 

  3763. 

  3764.             if (sscanf(buf, "N = %d", &N) != 1) {
    3765. 

  3765.                 goto loser;
    3766. 

  3766.             }
    3767. 

  3767.             /* Generate a DSA key, and output the key pair for N times */
    3768. 

  3768.             for (i = 0; i < N; i++) {
    3769. 

  3769.                 DSAPrivateKey *dsakey = NULL;
    3770. 

  3770.                 if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
    3771. 

  3771.                     fprintf(dsaresp, "ERROR: Unable to generate DSA key");
    3772. 

  3772.                     goto loser;
    3773. 

  3773.                 }
    3774. 

  3774.                 to_hex_str(buf, dsakey->privateValue.data,
    3775. 

  3775.                            dsakey->privateValue.len);
    3776. 

  3776.                 fprintf(dsaresp, "X = %s\n", buf);
    3777. 

  3777.                 to_hex_str(buf, dsakey->publicValue.data,
    3778. 

  3778.                            dsakey->publicValue.len);
    3779. 

  3779.                 fprintf(dsaresp, "Y = %s\n\n", buf);
    3780. 

  3780.                 PORT_FreeArena(dsakey->params.arena, PR_TRUE);
    3781. 

  3781.                 dsakey = NULL;
    3782. 

  3782.             }
    3783. 

  3783.             continue;
    3784. 

  3784.         }
    3785. 

  3785. 

  3786.     }
    3787. 

  3787. loser:
    3788. 

  3788.     fclose(dsareq);
    3789. 

  3789. }
    3790. 

  3790. 

  3791. /*
    3792. 

  3792.  * Perform the DSA Domain Parameter Validation Test.
    3793. 

  3793.  *
    3794. 

  3794.  * reqfn is the pathname of the REQUEST file.
    3795. 

  3795.  *
    3796. 

  3796.  * The output RESPONSE file is written to stdout.
    3797. 

  3797.  */
    3798. 

  3798. void
    3799. 

  3799. dsa_pqgver_test(char *reqfn)
    3800. 

  3800. {
    3801. 

  3801.     char buf[263];      /* holds one line from the input REQUEST file
    3802. 

  3802.                          * or to the output RESPONSE file.
    3803. 

  3803.                          * 260 to hold (128 public key (x2 for HEX) + P = ...
    3804. 

  3804.                          */
    3805. 

  3805.     FILE *dsareq;     /* input stream from the REQUEST file */
    3806. 

  3806.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3807. 

  3807.     int modulus; 
    3808. 

  3808.     unsigned int i, j;
    3809. 

  3809.     PQGParams pqg;
    3810. 

  3810.     PQGVerify vfy;
    3811. 

  3811.     unsigned int pghSize;        /* size for p, g, and h */
    3812. 

  3812. 

  3813.     dsareq = fopen(reqfn, "r");
    3814. 

  3814.     dsaresp = stdout;
    3815. 

  3815.     memset(&pqg, 0, sizeof(pqg));
    3816. 

  3816.     memset(&vfy, 0, sizeof(vfy));
    3817. 

  3817. 

  3818.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    3819. 

  3819.         /* a comment or blank line */
    3820. 

  3820.         if (buf[0] == '#' || buf[0] == '\n') {
    3821. 

  3821.             fputs(buf, dsaresp);
    3822. 

  3822.             continue;
    3823. 

  3823.         }
    3824. 

  3824. 

  3825.         /* [Mod = x] */
    3826. 

  3826.         if (buf[0] == '[') {
    3827. 

  3827. 

  3828.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    3829. 

  3829.                 goto loser;
    3830. 

  3830.             }
    3831. 

  3831. 

  3832.             if (pqg.prime.data) { /* P */
    3833. 

  3833.                 SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
    3834. 

  3834.             }
    3835. 

  3835.             if (pqg.subPrime.data) { /* Q */
    3836. 

  3836.                 SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
    3837. 

  3837.             }
    3838. 

  3838.             if (pqg.base.data) {    /* G */
    3839. 

  3839.                 SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
    3840. 

  3840.             }
    3841. 

  3841.             if (vfy.seed.data) {   /* seed */
    3842. 

  3842.                 SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
    3843. 

  3843.             }
    3844. 

  3844.             if (vfy.h.data) {     /* H */
    3845. 

  3845.                 SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
    3846. 

  3846.             }
    3847. 

  3847. 

  3848.             fputs(buf, dsaresp);
    3849. 

  3849. 

  3850.             /*calculate the size of p, g, and h then allocate items  */
    3851. 

  3851.             pghSize = modulus/8;
    3852. 

  3852.             SECITEM_AllocItem(NULL, &pqg.prime, pghSize);
    3853. 

  3853.             SECITEM_AllocItem(NULL, &pqg.base, pghSize);
    3854. 

  3854.             SECITEM_AllocItem(NULL, &vfy.h, pghSize);
    3855. 

  3855.             pqg.prime.len = pqg.base.len = vfy.h.len = pghSize;
    3856. 

  3856.             /* seed and q are always 20 bytes */
    3857. 

  3857.             SECITEM_AllocItem(NULL, &vfy.seed, 20);
    3858. 

  3858.             SECITEM_AllocItem(NULL, &pqg.subPrime, 20);
    3859. 

  3859.             vfy.seed.len = pqg.subPrime.len = 20;
    3860. 

  3860.             vfy.counter = 0;
    3861. 

  3861. 

  3862.             continue;
    3863. 

  3863.         }
    3864. 

  3864.         /* P = ... */
    3865. 

  3865.         if (buf[0] == 'P') {
    3866. 

  3866.             i = 1;
    3867. 

  3867.             while (isspace(buf[i]) || buf[i] == '=') {
    3868. 

  3868.                 i++;
    3869. 

  3869.             }
    3870. 

  3870.             for (j=0; j< pqg.prime.len; i+=2,j++) {
    3871. 

  3871.                 hex_to_byteval(&buf[i], &pqg.prime.data[j]);
    3872. 

  3872.             }
    3873. 

  3873. 

  3874.             fputs(buf, dsaresp);
    3875. 

  3875.             continue;
    3876. 

  3876.         }
    3877. 

  3877. 

  3878.         /* Q = ... */
    3879. 

  3879.         if (buf[0] == 'Q') {
    3880. 

  3880.             i = 1;
    3881. 

  3881.             while (isspace(buf[i]) || buf[i] == '=') {
    3882. 

  3882.                 i++;
    3883. 

  3883.             }
    3884. 

  3884.             for (j=0; j< pqg.subPrime.len; i+=2,j++) {
    3885. 

  3885.                 hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
    3886. 

  3886.             }
    3887. 

  3887. 

  3888.             fputs(buf, dsaresp);
    3889. 

  3889.             continue;
    3890. 

  3890.         }
    3891. 

  3891. 

  3892.         /* G = ... */
    3893. 

  3893.         if (buf[0] == 'G') {
    3894. 

  3894.             i = 1;
    3895. 

  3895.             while (isspace(buf[i]) || buf[i] == '=') {
    3896. 

  3896.                 i++;
    3897. 

  3897.             }
    3898. 

  3898.             for (j=0; j< pqg.base.len; i+=2,j++) {
    3899. 

  3899.                 hex_to_byteval(&buf[i], &pqg.base.data[j]);
    3900. 

  3900.             }
    3901. 

  3901. 

  3902.             fputs(buf, dsaresp);
    3903. 

  3903.             continue;
    3904. 

  3904.         }
    3905. 

  3905. 

  3906.         /* Seed = ... */
    3907. 

  3907.         if (strncmp(buf, "Seed", 4) == 0) {
    3908. 

  3908.             i = 4;
    3909. 

  3909.             while (isspace(buf[i]) || buf[i] == '=') {
    3910. 

  3910.                 i++;
    3911. 

  3911.             }
    3912. 

  3912.             for (j=0; j< vfy.seed.len; i+=2,j++) {
    3913. 

  3913.                 hex_to_byteval(&buf[i], &vfy.seed.data[j]);
    3914. 

  3914.             }
    3915. 

  3915. 

  3916.             fputs(buf, dsaresp);
    3917. 

  3917.             continue;
    3918. 

  3918.         }
    3919. 

  3919. 

  3920.         /* c = ... */
    3921. 

  3921.         if (buf[0] == 'c') {
    3922. 

  3922. 

  3923.             if (sscanf(buf, "c = %u", &vfy.counter) != 1) {
    3924. 

  3924.                 goto loser;
    3925. 

  3925.             }
    3926. 

  3926. 

  3927.             fputs(buf, dsaresp);
    3928. 

  3928.             continue;
    3929. 

  3929.         }
    3930. 

  3930. 

  3931.         /* H = ... */
    3932. 

  3932.         if (buf[0] == 'H') {
    3933. 

  3933.             SECStatus rv, result = SECFailure;
    3934. 

  3934. 

  3935.             i = 1;
    3936. 

  3936.             while (isspace(buf[i]) || buf[i] == '=') {
    3937. 

  3937.                 i++;
    3938. 

  3938.             }
    3939. 

  3939.             for (j=0; j< vfy.h.len; i+=2,j++) {
    3940. 

  3940.                 hex_to_byteval(&buf[i], &vfy.h.data[j]);
    3941. 

  3941.             }
    3942. 

  3942.             fputs(buf, dsaresp);
    3943. 

  3943. 

  3944.             /* Verify the Parameters */
    3945. 

  3945.             rv = PQG_VerifyParams(&pqg, &vfy, &result);
    3946. 

  3946.             if (rv != SECSuccess) {
    3947. 

  3947.                 goto loser;
    3948. 

  3948.             }
    3949. 

  3949.             if (result == SECSuccess) {
    3950. 

  3950.                 fprintf(dsaresp, "Result = P\n");
    3951. 

  3951.             } else {
    3952. 

  3952.                 fprintf(dsaresp, "Result = F\n");
    3953. 

  3953.             }
    3954. 

  3954.             continue;
    3955. 

  3955.         }
    3956. 

  3956.     }
    3957. 

  3957. loser:
    3958. 

  3958.     fclose(dsareq);
    3959. 

  3959.     if (pqg.prime.data) { /* P */
    3960. 

  3960.         SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
    3961. 

  3961.     }
    3962. 

  3962.     if (pqg.subPrime.data) { /* Q */
    3963. 

  3963.         SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
    3964. 

  3964.     }
    3965. 

  3965.     if (pqg.base.data) {    /* G */
    3966. 

  3966.         SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
    3967. 

  3967.     }
    3968. 

  3968.     if (vfy.seed.data) {   /* seed */
    3969. 

  3969.         SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
    3970. 

  3970.     }
    3971. 

  3971.     if (vfy.h.data) {     /* H */
    3972. 

  3972.         SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
    3973. 

  3973.     }
    3974. 

  3974. 

  3975. }
    3976. 

  3976. 

  3977. /*
    3978. 

  3978.  * Perform the DSA Public Key Validation Test.
    3979. 

  3979.  *
    3980. 

  3980.  * reqfn is the pathname of the REQUEST file.
    3981. 

  3981.  *
    3982. 

  3982.  * The output RESPONSE file is written to stdout.
    3983. 

  3983.  */
    3984. 

  3984. void
    3985. 

  3985. dsa_pqggen_test(char *reqfn)
    3986. 

  3986. {
    3987. 

  3987.     char buf[263];      /* holds one line from the input REQUEST file
    3988. 

  3988.                          * or to the output RESPONSE file.
    3989. 

  3989.                          * 263 to hold seed = (128 public key (x2 for HEX)
    3990. 

  3990.                          */
    3991. 

  3991.     FILE *dsareq;     /* input stream from the REQUEST file */
    3992. 

  3992.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    3993. 

  3993.     int N;            /* number of times to generate parameters */
    3994. 

  3994.     int modulus; 
    3995. 

  3995.     int i;
    3996. 

  3996.     unsigned int j;
    3997. 

  3997.     PQGParams *pqg = NULL;
    3998. 

  3998.     PQGVerify *vfy = NULL;
    3999. 

  3999.     unsigned int keySizeIndex;
    4000. 

  4000. 

  4001.     dsareq = fopen(reqfn, "r");
    4002. 

  4002.     dsaresp = stdout;
    4003. 

  4003.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    4004. 

  4004.         /* a comment or blank line */
    4005. 

  4005.         if (buf[0] == '#' || buf[0] == '\n') {
    4006. 

  4006.             fputs(buf, dsaresp);
    4007. 

  4007.             continue;
    4008. 

  4008.         }
    4009. 

  4009. 

  4010.         /* [Mod = ... ] */
    4011. 

  4011.         if (buf[0] == '[') {
    4012. 

  4012. 

  4013.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4014. 

  4014.                 goto loser;
    4015. 

  4015.             }
    4016. 

  4016. 

  4017.             fputs(buf, dsaresp);
    4018. 

  4018.             fputc('\n', dsaresp);
    4019. 

  4019. 

  4020.             /****************************************************************
    4021. 

  4021.              * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
    4022. 

  4022.              * that points to a valid key size.
    4023. 

  4023.              */
    4024. 

  4024.             keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
    4025. 

  4025.             if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
    4026. 

  4026.                fprintf(dsaresp,
    4027. 

  4027.                     "DSA key size must be a multiple of 64 between 512 "
    4028. 

  4028.                     "and 1024, inclusive");
    4029. 

  4029.                 goto loser;
    4030. 

  4030.             }
    4031. 

  4031. 

  4032.             continue;
    4033. 

  4033.         }
    4034. 

  4034.         /* N = ... */
    4035. 

  4035.         if (buf[0] == 'N') {
    4036. 

  4036. 

  4037.             if (sscanf(buf, "N = %d", &N) != 1) {
    4038. 

  4038.                 goto loser;
    4039. 

  4039.             }
    4040. 

  4040.             for (i = 0; i < N; i++) {
    4041. 

  4041.                 if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
    4042. 

  4042.                     &pqg, &vfy) != SECSuccess) {
    4043. 

  4043.                     fprintf(dsaresp,
    4044. 

  4044.                             "ERROR: Unable to generate PQG parameters");
    4045. 

  4045.                     goto loser;
    4046. 

  4046.                 }
    4047. 

  4047.                 to_hex_str(buf, pqg->prime.data, pqg->prime.len);
    4048. 

  4048.                 fprintf(dsaresp, "P = %s\n", buf);
    4049. 

  4049.                 to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
    4050. 

  4050.                 fprintf(dsaresp, "Q = %s\n", buf);
    4051. 

  4051.                 to_hex_str(buf, pqg->base.data, pqg->base.len);
    4052. 

  4052.                 fprintf(dsaresp, "G = %s\n", buf);
    4053. 

  4053.                 to_hex_str(buf, vfy->seed.data, vfy->seed.len);
    4054. 

  4054.                 fprintf(dsaresp, "Seed = %s\n", buf);
    4055. 

  4055.                 fprintf(dsaresp, "c = %d\n", vfy->counter);
    4056. 

  4056.                 to_hex_str(buf, vfy->h.data, vfy->h.len);
    4057. 

  4057.                 fputs("H = ", dsaresp);
    4058. 

  4058.                 for (j=vfy->h.len; j<pqg->prime.len; j++) {
    4059. 

  4059.                     fprintf(dsaresp, "00");
    4060. 

  4060.                 }
    4061. 

  4061.                 fprintf(dsaresp, "%s\n", buf);
    4062. 

  4062.                 fputc('\n', dsaresp);
    4063. 

  4063.                 if(pqg!=NULL) {
    4064. 

  4064.                     PQG_DestroyParams(pqg);
    4065. 

  4065.                     pqg = NULL;
    4066. 

  4066.                 }
    4067. 

  4067.                 if(vfy!=NULL) {
    4068. 

  4068.                     PQG_DestroyVerify(vfy);
    4069. 

  4069.                     vfy = NULL;
    4070. 

  4070.                 }
    4071. 

  4071.             }
    4072. 

  4072. 

  4073.             continue;
    4074. 

  4074.         }
    4075. 

  4075. 

  4076.     }
    4077. 

  4077. loser:
    4078. 

  4078.     fclose(dsareq);
    4079. 

  4079.     if(pqg!=NULL) {
    4080. 

  4080.         PQG_DestroyParams(pqg);
    4081. 

  4081.     }
    4082. 

  4082.     if(vfy!=NULL) {
    4083. 

  4083.         PQG_DestroyVerify(vfy);
    4084. 

  4084.     }
    4085. 

  4085. }
    4086. 

  4086. 

  4087. /*
    4088. 

  4088.  * Perform the DSA Signature Generation Test.
    4089. 

  4089.  *
    4090. 

  4090.  * reqfn is the pathname of the REQUEST file.
    4091. 

  4091.  *
    4092. 

  4092.  * The output RESPONSE file is written to stdout.
    4093. 

  4093.  */
    4094. 

  4094. void
    4095. 

  4095. dsa_siggen_test(char *reqfn)
    4096. 

  4096. {
    4097. 

  4097.     char buf[263];       /* holds one line from the input REQUEST file
    4098. 

  4098.                          * or to the output RESPONSE file.
    4099. 

  4099.                          * max for Msg = ....
    4100. 

  4100.                          */
    4101. 

  4101.     FILE *dsareq;     /* input stream from the REQUEST file */
    4102. 

  4102.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    4103. 

  4103.     int modulus;          
    4104. 

  4104.     int i, j;
    4105. 

  4105.     PQGParams *pqg = NULL;
    4106. 

  4106.     PQGVerify *vfy = NULL;
    4107. 

  4107.     DSAPrivateKey *dsakey = NULL;
    4108. 

  4108.     int keySizeIndex;     /* index for valid key sizes */
    4109. 

  4109.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    4110. 

  4110.     unsigned char sig[DSA_SIGNATURE_LEN];
    4111. 

  4111.     SECItem digest, signature;
    4112. 

  4112. 

  4113.     dsareq = fopen(reqfn, "r");
    4114. 

  4114.     dsaresp = stdout;
    4115. 

  4115. 

  4116.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    4117. 

  4117.         /* a comment or blank line */
    4118. 

  4118.         if (buf[0] == '#' || buf[0] == '\n') {
    4119. 

  4119.             fputs(buf, dsaresp);
    4120. 

  4120.             continue;
    4121. 

  4121.         }
    4122. 

  4122. 

  4123.         /* [Mod = x] */
    4124. 

  4124.         if (buf[0] == '[') {
    4125. 

  4125.             if(pqg!=NULL) {
    4126. 

  4126.                 PQG_DestroyParams(pqg);
    4127. 

  4127.                 pqg = NULL;
    4128. 

  4128.             }
    4129. 

  4129.             if(vfy!=NULL) {
    4130. 

  4130.                 PQG_DestroyVerify(vfy);
    4131. 

  4131.                 vfy = NULL;
    4132. 

  4132.             }
    4133. 

  4133.             if (dsakey != NULL) {
    4134. 

  4134.                     PORT_FreeArena(dsakey->params.arena, PR_TRUE);
    4135. 

  4135.                     dsakey = NULL;
    4136. 

  4136.             }
    4137. 

  4137. 

  4138.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4139. 

  4139.                 goto loser;
    4140. 

  4140.             }
    4141. 

  4141.             fputs(buf, dsaresp);
    4142. 

  4142.             fputc('\n', dsaresp);
    4143. 

  4143. 

  4144.             /****************************************************************
    4145. 

  4145.             * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
    4146. 

  4146.             * that points to a valid key size.
    4147. 

  4147.             */
    4148. 

  4148.             keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
    4149. 

  4149.             if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
    4150. 

  4150.                 fprintf(dsaresp,
    4151. 

  4151.                     "DSA key size must be a multiple of 64 between 512 "
    4152. 

  4152.                     "and 1024, inclusive");
    4153. 

  4153.                 goto loser;
    4154. 

  4154.             }
    4155. 

  4155. 

  4156.             /* Generate PQG and output PQG */
    4157. 

  4157.             if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
    4158. 

  4158.                 &pqg, &vfy) != SECSuccess) {
    4159. 

  4159.                 fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
    4160. 

  4160.                 goto loser;
    4161. 

  4161.             }
    4162. 

  4162.             to_hex_str(buf, pqg->prime.data, pqg->prime.len);
    4163. 

  4163.             fprintf(dsaresp, "P = %s\n", buf);
    4164. 

  4164.             to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
    4165. 

  4165.             fprintf(dsaresp, "Q = %s\n", buf);
    4166. 

  4166.             to_hex_str(buf, pqg->base.data, pqg->base.len);
    4167. 

  4167.             fprintf(dsaresp, "G = %s\n", buf);
    4168. 

  4168. 

  4169.             /* create DSA Key */
    4170. 

  4170.             if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
    4171. 

  4171.                 fprintf(dsaresp, "ERROR: Unable to generate DSA key");
    4172. 

  4172.                 goto loser;
    4173. 

  4173.             }
    4174. 

  4174.             continue;
    4175. 

  4175.         }
    4176. 

  4176. 

  4177.         /* Msg = ... */
    4178. 

  4178.         if (strncmp(buf, "Msg", 3) == 0) {
    4179. 

  4179.             unsigned char msg[128]; /* MAX msg 128 */
    4180. 

  4180.             unsigned int len = 0;
    4181. 

  4181. 

  4182.             memset(sha1, 0, sizeof sha1);
    4183. 

  4183.             memset(sig,  0, sizeof sig);
    4184. 

  4184. 

  4185.             i = 3;
    4186. 

  4186.             while (isspace(buf[i]) || buf[i] == '=') {
    4187. 

  4187.                 i++;
    4188. 

  4188.             }
    4189. 

  4189.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    4190. 

  4190.                 hex_to_byteval(&buf[i], &msg[j]);
    4191. 

  4191.             }
    4192. 

  4192.             if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
    4193. 

  4193.                  fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
    4194. 

  4194.                  goto loser;
    4195. 

  4195.             }
    4196. 

  4196. 

  4197.             digest.type = siBuffer;
    4198. 

  4198.             digest.data = sha1;
    4199. 

  4199.             digest.len = sizeof sha1;
    4200. 

  4200.             signature.type = siBuffer;
    4201. 

  4201.             signature.data = sig;
    4202. 

  4202.             signature.len = sizeof sig;
    4203. 

  4203. 

  4204.             if (DSA_SignDigest(dsakey, &signature, &digest) != SECSuccess) {
    4205. 

  4205.                 fprintf(dsaresp, "ERROR: Unable to generate DSA signature");
    4206. 

  4206.                 goto loser;
    4207. 

  4207.             }
    4208. 

  4208.             len = signature.len;
    4209. 

  4209.             if (len%2 != 0) {
    4210. 

  4210.                 goto loser;
    4211. 

  4211.             }
    4212. 

  4212.             len = len/2;
    4213. 

  4213. 

  4214.             /* output the orginal Msg, and generated Y, R, and S */
    4215. 

  4215.             fputs(buf, dsaresp);
    4216. 

  4216.             fputc('\n', dsaresp);
    4217. 

  4217.             to_hex_str(buf, dsakey->publicValue.data,
    4218. 

  4218.                        dsakey->publicValue.len);
    4219. 

  4219.             fprintf(dsaresp, "Y = %s\n", buf);
    4220. 

  4220.             to_hex_str(buf, &signature.data[0], len);
    4221. 

  4221.             fprintf(dsaresp, "R = %s\n", buf);
    4222. 

  4222.             to_hex_str(buf, &signature.data[len], len);
    4223. 

  4223.             fprintf(dsaresp, "S = %s\n", buf);
    4224. 

  4224.             continue;
    4225. 

  4225.         }
    4226. 

  4226. 

  4227.     }
    4228. 

  4228. loser:
    4229. 

  4229.     fclose(dsareq);
    4230. 

  4230.     if(pqg != NULL) {
    4231. 

  4231.         PQG_DestroyParams(pqg);
    4232. 

  4232.         pqg = NULL;
    4233. 

  4233.     }
    4234. 

  4234.     if(vfy != NULL) {
    4235. 

  4235.         PQG_DestroyVerify(vfy);
    4236. 

  4236.         vfy = NULL;
    4237. 

  4237.     }
    4238. 

  4238.     if (dsakey) {
    4239. 

  4239.         PORT_FreeArena(dsakey->params.arena, PR_TRUE);
    4240. 

  4240.         dsakey = NULL;
    4241. 

  4241.     }
    4242. 

  4242. }
    4243. 

  4243. 

  4244.  /*
    4245. 

  4245.  * Perform the DSA Signature Verification Test.
    4246. 

  4246.  *
    4247. 

  4247.  * reqfn is the pathname of the REQUEST file.
    4248. 

  4248.  *
    4249. 

  4249.  * The output RESPONSE file is written to stdout.
    4250. 

  4250.  */
    4251. 

  4251. void
    4252. 

  4252. dsa_sigver_test(char *reqfn)
    4253. 

  4253. {
    4254. 

  4254.     char buf[263];       /* holds one line from the input REQUEST file
    4255. 

  4255.                          * or to the output RESPONSE file.
    4256. 

  4256.                          * max for Msg = ....
    4257. 

  4257.                          */
    4258. 

  4258.     FILE *dsareq;     /* input stream from the REQUEST file */
    4259. 

  4259.     FILE *dsaresp;    /* output stream to the RESPONSE file */
    4260. 

  4260.     int modulus;  
    4261. 

  4261.     unsigned int i, j;
    4262. 

  4262.     SECItem digest, signature;
    4263. 

  4263.     DSAPublicKey pubkey;
    4264. 

  4264.     unsigned int pgySize;        /* size for p, g, and y */
    4265. 

  4265.     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
    4266. 

  4266.     unsigned char sig[DSA_SIGNATURE_LEN];
    4267. 

  4267. 

  4268.     dsareq = fopen(reqfn, "r");
    4269. 

  4269.     dsaresp = stdout;
    4270. 

  4270.     memset(&pubkey, 0, sizeof(pubkey));
    4271. 

  4271. 

  4272.     while (fgets(buf, sizeof buf, dsareq) != NULL) {
    4273. 

  4273.         /* a comment or blank line */
    4274. 

  4274.         if (buf[0] == '#' || buf[0] == '\n') {
    4275. 

  4275.             fputs(buf, dsaresp);
    4276. 

  4276.             continue;
    4277. 

  4277.         }
    4278. 

  4278. 

  4279.         /* [Mod = x] */
    4280. 

  4280.         if (buf[0] == '[') {
    4281. 

  4281. 

  4282.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4283. 

  4283.                 goto loser;
    4284. 

  4284.             }
    4285. 

  4285. 

  4286.             if (pubkey.params.prime.data) { /* P */
    4287. 

  4287.                 SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
    4288. 

  4288.             }
    4289. 

  4289.             if (pubkey.params.subPrime.data) { /* Q */
    4290. 

  4290.                 SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
    4291. 

  4291.             }
    4292. 

  4292.             if (pubkey.params.base.data) {    /* G */
    4293. 

  4293.                 SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
    4294. 

  4294.             }
    4295. 

  4295.             if (pubkey.publicValue.data) {    /* Y */
    4296. 

  4296.                 SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
    4297. 

  4297.             }
    4298. 

  4298.             fputs(buf, dsaresp);
    4299. 

  4299. 

  4300.             /* calculate the size of p, g, and y then allocate items */
    4301. 

  4301.             pgySize = modulus/8;
    4302. 

  4302.             SECITEM_AllocItem(NULL, &pubkey.params.prime, pgySize);
    4303. 

  4303.             SECITEM_AllocItem(NULL, &pubkey.params.base, pgySize);
    4304. 

  4304.             SECITEM_AllocItem(NULL, &pubkey.publicValue, pgySize);
    4305. 

  4305.             pubkey.params.prime.len = pubkey.params.base.len = pgySize;
    4306. 

  4306.             pubkey.publicValue.len = pgySize;
    4307. 

  4307. 

  4308.             /* q always 20 bytes */
    4309. 

  4309.             SECITEM_AllocItem(NULL, &pubkey.params.subPrime, 20);
    4310. 

  4310.             pubkey.params.subPrime.len = 20;
    4311. 

  4311. 

  4312.             continue;
    4313. 

  4313.         }
    4314. 

  4314.         /* P = ... */
    4315. 

  4315.         if (buf[0] == 'P') {
    4316. 

  4316.             i = 1;
    4317. 

  4317.             while (isspace(buf[i]) || buf[i] == '=') {
    4318. 

  4318.                 i++;
    4319. 

  4319.             }
    4320. 

  4320.             memset(pubkey.params.prime.data, 0, pubkey.params.prime.len);
    4321. 

  4321.             for (j=0; j< pubkey.params.prime.len; i+=2,j++) {
    4322. 

  4322.                 hex_to_byteval(&buf[i], &pubkey.params.prime.data[j]);
    4323. 

  4323.             }
    4324. 

  4324. 

  4325.             fputs(buf, dsaresp);
    4326. 

  4326.             continue;
    4327. 

  4327.         }
    4328. 

  4328. 

  4329.         /* Q = ... */
    4330. 

  4330.         if (buf[0] == 'Q') {
    4331. 

  4331.             i = 1;
    4332. 

  4332.             while (isspace(buf[i]) || buf[i] == '=') {
    4333. 

  4333.                 i++;
    4334. 

  4334.             }
    4335. 

  4335.             memset(pubkey.params.subPrime.data, 0, pubkey.params.subPrime.len);
    4336. 

  4336.             for (j=0; j< pubkey.params.subPrime.len; i+=2,j++) {
    4337. 

  4337.                 hex_to_byteval(&buf[i], &pubkey.params.subPrime.data[j]);
    4338. 

  4338.             }
    4339. 

  4339. 

  4340.             fputs(buf, dsaresp);
    4341. 

  4341.             continue;
    4342. 

  4342.         }
    4343. 

  4343. 

  4344.         /* G = ... */
    4345. 

  4345.         if (buf[0] == 'G') {
    4346. 

  4346.             i = 1;
    4347. 

  4347.             while (isspace(buf[i]) || buf[i] == '=') {
    4348. 

  4348.                 i++;
    4349. 

  4349.             }
    4350. 

  4350.             memset(pubkey.params.base.data, 0, pubkey.params.base.len);
    4351. 

  4351.             for (j=0; j< pubkey.params.base.len; i+=2,j++) {
    4352. 

  4352.                 hex_to_byteval(&buf[i], &pubkey.params.base.data[j]);
    4353. 

  4353.             }
    4354. 

  4354. 

  4355.             fputs(buf, dsaresp);
    4356. 

  4356.             continue;
    4357. 

  4357.         }
    4358. 

  4358. 

  4359.         /* Msg = ... */
    4360. 

  4360.         if (strncmp(buf, "Msg", 3) == 0) {
    4361. 

  4361.             unsigned char msg[128]; /* MAX msg 128 */
    4362. 

  4362.             memset(sha1, 0, sizeof sha1);
    4363. 

  4363. 

  4364.             i = 3;
    4365. 

  4365.             while (isspace(buf[i]) || buf[i] == '=') {
    4366. 

  4366.                 i++;
    4367. 

  4367.             }
    4368. 

  4368.             for (j=0; isxdigit(buf[i]); i+=2,j++) {
    4369. 

  4369.                 hex_to_byteval(&buf[i], &msg[j]);
    4370. 

  4370.             }
    4371. 

  4371.             if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
    4372. 

  4372.                 fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
    4373. 

  4373.                 goto loser;
    4374. 

  4374.             }
    4375. 

  4375. 

  4376.             fputs(buf, dsaresp);
    4377. 

  4377.             continue;
    4378. 

  4378.         }
    4379. 

  4379. 

  4380.         /* Y = ... */
    4381. 

  4381.         if (buf[0] == 'Y') {
    4382. 

  4382.             i = 1;
    4383. 

  4383.             while (isspace(buf[i]) || buf[i] == '=') {
    4384. 

  4384.                 i++;
    4385. 

  4385.             }
    4386. 

  4386.             memset(pubkey.publicValue.data, 0, pubkey.params.subPrime.len);
    4387. 

  4387.             for (j=0; j< pubkey.publicValue.len; i+=2,j++) {
    4388. 

  4388.                 hex_to_byteval(&buf[i], &pubkey.publicValue.data[j]);
    4389. 

  4389.             }
    4390. 

  4390. 

  4391.             fputs(buf, dsaresp);
    4392. 

  4392.             continue;
    4393. 

  4393.         }
    4394. 

  4394. 

  4395.         /* R = ... */
    4396. 

  4396.         if (buf[0] == 'R') {
    4397. 

  4397.             memset(sig,  0, sizeof sig);
    4398. 

  4398.             i = 1;
    4399. 

  4399.             while (isspace(buf[i]) || buf[i] == '=') {
    4400. 

  4400.                 i++;
    4401. 

  4401.             }
    4402. 

  4402.             for (j=0; j< DSA_SUBPRIME_LEN; i+=2,j++) {
    4403. 

  4403.                 hex_to_byteval(&buf[i], &sig[j]);
    4404. 

  4404.             }
    4405. 

  4405. 

  4406.             fputs(buf, dsaresp);
    4407. 

  4407.             continue;
    4408. 

  4408.         }
    4409. 

  4409. 

  4410.         /* S = ... */
    4411. 

  4411.         if (buf[0] == 'S') {
    4412. 

  4412.             i = 1;
    4413. 

  4413.             while (isspace(buf[i]) || buf[i] == '=') {
    4414. 

  4414.                 i++;
    4415. 

  4415.             }
    4416. 

  4416.             for (j=DSA_SUBPRIME_LEN; j< DSA_SIGNATURE_LEN; i+=2,j++) {
    4417. 

  4417.                 hex_to_byteval(&buf[i], &sig[j]);
    4418. 

  4418.             }
    4419. 

  4419.             fputs(buf, dsaresp);
    4420. 

  4420. 

  4421.             digest.type = siBuffer;
    4422. 

  4422.             digest.data = sha1;
    4423. 

  4423.             digest.len = sizeof sha1;
    4424. 

  4424.             signature.type = siBuffer;
    4425. 

  4425.             signature.data = sig;
    4426. 

  4426.             signature.len = sizeof sig;
    4427. 

  4427. 

  4428.             if (DSA_VerifyDigest(&pubkey, &signature, &digest) == SECSuccess) {
    4429. 

  4429.                 fprintf(dsaresp, "Result = P\n");
    4430. 

  4430.             } else {
    4431. 

  4431.                 fprintf(dsaresp, "Result = F\n");
    4432. 

  4432.             }
    4433. 

  4433.             continue;
    4434. 

  4434.         }
    4435. 

  4435.     }
    4436. 

  4436. loser:
    4437. 

  4437.     fclose(dsareq);
    4438. 

  4438.     if (pubkey.params.prime.data) { /* P */
    4439. 

  4439.         SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
    4440. 

  4440.     }
    4441. 

  4441.     if (pubkey.params.subPrime.data) { /* Q */
    4442. 

  4442.         SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
    4443. 

  4443.     }
    4444. 

  4444.     if (pubkey.params.base.data) {    /* G */
    4445. 

  4445.         SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
    4446. 

  4446.     }
    4447. 

  4447.     if (pubkey.publicValue.data) {    /* Y */
    4448. 

  4448.         SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
    4449. 

  4449.     }
    4450. 

  4450. }
    4451. 

  4451. 

  4452. /*
    4453. 

  4453.  * Perform the RSA Signature Generation Test.
    4454. 

  4454.  *
    4455. 

  4455.  * reqfn is the pathname of the REQUEST file.
    4456. 

  4456.  *
    4457. 

  4457.  * The output RESPONSE file is written to stdout.
    4458. 

  4458.  */
    4459. 

  4459. void
    4460. 

  4460. rsa_siggen_test(char *reqfn)
    4461. 

  4461. {
    4462. 

  4462.     char buf[2*RSA_MAX_TEST_MODULUS_BYTES+1];
    4463. 

  4463.                         /* buf holds one line from the input REQUEST file
    4464. 

  4464.                          * or to the output RESPONSE file.
    4465. 

  4465.                          * 2x for HEX output + 1 for \n
    4466. 

  4466.                          */
    4467. 

  4467.     FILE *rsareq;     /* input stream from the REQUEST file */
    4468. 

  4468.     FILE *rsaresp;    /* output stream to the RESPONSE file */
    4469. 

  4469.     int i, j;
    4470. 

  4470.     unsigned char  sha[HASH_LENGTH_MAX];    /* SHA digest */
    4471. 

  4471.     unsigned int   shaLength = 0;           /* length of SHA */
    4472. 

  4472.     HASH_HashType  shaAlg = HASH_AlgNULL;   /* type of SHA Alg */
    4473. 

  4473.     SECOidTag      shaOid = SEC_OID_UNKNOWN;
    4474. 

  4474.     int modulus;                                /* the Modulus size */
    4475. 

  4475.     int  publicExponent  = DEFAULT_RSA_PUBLIC_EXPONENT;
    4476. 

  4476.     SECItem pe = {0, 0, 0 };
    4477. 

  4477.     unsigned char pubEx[4];
    4478. 

  4478.     int peCount = 0;
    4479. 

  4479. 

  4480.     RSAPrivateKey  *rsaBlapiPrivKey = NULL;   /* holds RSA private and
    4481. 

  4481.                                               * public keys */
    4482. 

  4482.     RSAPublicKey   *rsaBlapiPublicKey = NULL; /* hold RSA public key */
    4483. 

  4483. 

  4484.     rsareq = fopen(reqfn, "r");
    4485. 

  4485.     rsaresp = stdout;
    4486. 

  4486. 

  4487.     /* calculate the exponent */
    4488. 

  4488.     for (i=0; i < 4; i++) {
    4489. 

  4489.         if (peCount || (publicExponent &
    4490. 

  4490.                 ((unsigned long)0xff000000L >> (i*8)))) {
    4491. 

  4491.             pubEx[peCount] =
    4492. 

  4492.                 (unsigned char)((publicExponent >> (3-i)*8) & 0xff);
    4493. 

  4493.             peCount++;
    4494. 

  4494.         }
    4495. 

  4495.     }
    4496. 

  4496.     pe.len = peCount;
    4497. 

  4497.     pe.data = &pubEx[0];
    4498. 

  4498.     pe.type = siBuffer;
    4499. 

  4499. 

  4500.     while (fgets(buf, sizeof buf, rsareq) != NULL) {
    4501. 

  4501.         /* a comment or blank line */
    4502. 

  4502.         if (buf[0] == '#' || buf[0] == '\n') {
    4503. 

  4503.             fputs(buf, rsaresp);
    4504. 

  4504.             continue;
    4505. 

  4505.         }
    4506. 

  4506. 

  4507.         /* [mod = ...] */
    4508. 

  4508.         if (buf[0] == '[') {
    4509. 

  4509. 

  4510.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4511. 

  4511.                 goto loser;
    4512. 

  4512.             }
    4513. 

  4513.             if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
    4514. 

  4514.                 fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
    4515. 

  4515.                 goto loser;
    4516. 

  4516.             }
    4517. 

  4517. 

  4518.             fputs(buf, rsaresp);
    4519. 

  4519. 

  4520.             if (rsaBlapiPrivKey != NULL) {
    4521. 

  4521.                 PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
    4522. 

  4522.                 rsaBlapiPrivKey = NULL;
    4523. 

  4523.                 rsaBlapiPublicKey = NULL;
    4524. 

  4524.             }
    4525. 

  4525. 

  4526.             rsaBlapiPrivKey = RSA_NewKey(modulus, &pe);
    4527. 

  4527.             if (rsaBlapiPrivKey == NULL) {
    4528. 

  4528.                 fprintf(rsaresp, "Error unable to create RSA key\n");
    4529. 

  4529.                 goto loser;
    4530. 

  4530.             }
    4531. 

  4531. 

  4532.             to_hex_str(buf, rsaBlapiPrivKey->modulus.data,
    4533. 

  4533.                        rsaBlapiPrivKey->modulus.len);
    4534. 

  4534.             fprintf(rsaresp, "\nn = %s\n\n", buf);
    4535. 

  4535.             to_hex_str(buf, rsaBlapiPrivKey->publicExponent.data,
    4536. 

  4536.                        rsaBlapiPrivKey->publicExponent.len);
    4537. 

  4537.             fprintf(rsaresp, "e = %s\n", buf);
    4538. 

  4538.             /* convert private key to public key.  Memory
    4539. 

  4539.              * is freed with private key's arena  */
    4540. 

  4540.             rsaBlapiPublicKey = (RSAPublicKey *)PORT_ArenaAlloc(
    4541. 

  4541.                                                   rsaBlapiPrivKey->arena,
    4542. 

  4542.                                                   sizeof(RSAPublicKey));
    4543. 

  4543. 

  4544.             rsaBlapiPublicKey->modulus.len = rsaBlapiPrivKey->modulus.len;
    4545. 

  4545.             rsaBlapiPublicKey->modulus.data = rsaBlapiPrivKey->modulus.data;
    4546. 

  4546.             rsaBlapiPublicKey->publicExponent.len =
    4547. 

  4547.                 rsaBlapiPrivKey->publicExponent.len;
    4548. 

  4548.             rsaBlapiPublicKey->publicExponent.data =
    4549. 

  4549.                 rsaBlapiPrivKey->publicExponent.data;
    4550. 

  4550.             continue;
    4551. 

  4551.         }
    4552. 

  4552. 

  4553.         /* SHAAlg = ... */
    4554. 

  4554.         if (strncmp(buf, "SHAAlg", 6) == 0) {
    4555. 

  4555.            i = 6;
    4556. 

  4556.            while (isspace(buf[i]) || buf[i] == '=') {
    4557. 

  4557.                i++;
    4558. 

  4558.            }
    4559. 

  4559.            /* set the SHA Algorithm */
    4560. 

  4560.            if (strncmp(&buf[i], "SHA1", 4) == 0) {
    4561. 

  4561.                 shaAlg = HASH_AlgSHA1;
    4562. 

  4562.            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
    4563. 

  4563.                 shaAlg = HASH_AlgSHA256;
    4564. 

  4564.            } else if (strncmp(&buf[i], "SHA384", 6)== 0) {
    4565. 

  4565.                shaAlg = HASH_AlgSHA384;
    4566. 

  4566.            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
    4567. 

  4567.                shaAlg = HASH_AlgSHA512;
    4568. 

  4568.            } else {
    4569. 

  4569.                fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
    4570. 

  4570.                goto loser;
    4571. 

  4571.            }
    4572. 

  4572.            fputs(buf, rsaresp);
    4573. 

  4573.            continue;
    4574. 

  4574. 

  4575.         }
    4576. 

  4576.         /* Msg = ... */
    4577. 

  4577.         if (strncmp(buf, "Msg", 3) == 0) {
    4578. 

  4578. 

  4579.             unsigned char msg[128]; /* MAX msg 128 */
    4580. 

  4580.             unsigned int rsa_bytes_signed;
    4581. 

  4581.             unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
    4582. 

  4582.             SECStatus       rv = SECFailure;
    4583. 

  4583.             NSSLOWKEYPublicKey  * rsa_public_key;
    4584. 

  4584.             NSSLOWKEYPrivateKey * rsa_private_key;
    4585. 

  4585.             NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
    4586. 

  4586.                                                 NSSLOWKEYRSAKey, };
    4587. 

  4587.             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
    4588. 

  4588.                                                 NSSLOWKEYRSAKey, };
    4589. 

  4589. 

  4590.             low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
    4591. 

  4591.             low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
    4592. 

  4592. 

  4593.             rsa_private_key = &low_RSA_private_key;
    4594. 

  4594.             rsa_public_key = &low_RSA_public_key;
    4595. 

  4595. 

  4596.             memset(sha, 0, sizeof sha);
    4597. 

  4597.             memset(msg, 0, sizeof msg);
    4598. 

  4598.             rsa_bytes_signed = 0;
    4599. 

  4599.             memset(rsa_computed_signature, 0, sizeof rsa_computed_signature);
    4600. 

  4600. 

  4601.             i = 3;
    4602. 

  4602.             while (isspace(buf[i]) || buf[i] == '=') {
    4603. 

  4603.                 i++;
    4604. 

  4604.             }
    4605. 

  4605.             for (j=0; isxdigit(buf[i]) && j < sizeof(msg); i+=2,j++) {
    4606. 

  4606.                 hex_to_byteval(&buf[i], &msg[j]);
    4607. 

  4607.             }
    4608. 

  4608. 

  4609.             if (shaAlg == HASH_AlgSHA1) {
    4610. 

  4610.                 if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
    4611. 

  4611.                      fprintf(rsaresp, "ERROR: Unable to generate SHA1");
    4612. 

  4612.                      goto loser;
    4613. 

  4613.                 }
    4614. 

  4614.                 shaLength = SHA1_LENGTH;
    4615. 

  4615.                 shaOid = SEC_OID_SHA1;
    4616. 

  4616.             } else if (shaAlg == HASH_AlgSHA256) {
    4617. 

  4617.                 if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
    4618. 

  4618.                      fprintf(rsaresp, "ERROR: Unable to generate SHA256");
    4619. 

  4619.                      goto loser;
    4620. 

  4620.                 }
    4621. 

  4621.                 shaLength = SHA256_LENGTH;
    4622. 

  4622.                 shaOid = SEC_OID_SHA256;
    4623. 

  4623.             } else if (shaAlg == HASH_AlgSHA384) {
    4624. 

  4624.                 if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
    4625. 

  4625.                      fprintf(rsaresp, "ERROR: Unable to generate SHA384");
    4626. 

  4626.                      goto loser;
    4627. 

  4627.                 }
    4628. 

  4628.                 shaLength = SHA384_LENGTH;
    4629. 

  4629.                 shaOid = SEC_OID_SHA384;
    4630. 

  4630.             } else if (shaAlg == HASH_AlgSHA512) {
    4631. 

  4631.                 if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
    4632. 

  4632.                      fprintf(rsaresp, "ERROR: Unable to generate SHA512");
    4633. 

  4633.                      goto loser;
    4634. 

  4634.                 }
    4635. 

  4635.                 shaLength = SHA512_LENGTH;
    4636. 

  4636.                 shaOid = SEC_OID_SHA512;
    4637. 

  4637.             } else {
    4638. 

  4638.                 fprintf(rsaresp, "ERROR: SHAAlg not defined.");
    4639. 

  4639.                 goto loser;
    4640. 

  4640.             }
    4641. 

  4641. 

  4642.             /* Perform RSA signature with the RSA private key. */
    4643. 

  4643.             rv = RSA_HashSign( shaOid,
    4644. 

  4644.                                rsa_private_key,
    4645. 

  4645.                                rsa_computed_signature,
    4646. 

  4646.                                &rsa_bytes_signed,
    4647. 

  4647.                                nsslowkey_PrivateModulusLen(rsa_private_key),
    4648. 

  4648.                                sha,
    4649. 

  4649.                                shaLength);
    4650. 

  4650. 

  4651.             if( rv != SECSuccess ) {
    4652. 

  4652.                  fprintf(rsaresp, "ERROR: RSA_HashSign failed");
    4653. 

  4653.                  goto loser;
    4654. 

  4654.             }
    4655. 

  4655. 

  4656.             /* Output the signature */
    4657. 

  4657.             fputs(buf, rsaresp);
    4658. 

  4658.             to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
    4659. 

  4659.             fprintf(rsaresp, "S = %s\n", buf);
    4660. 

  4660. 

  4661.             /* Perform RSA verification with the RSA public key. */
    4662. 

  4662.             rv = RSA_HashCheckSign( shaOid,
    4663. 

  4663.                                     rsa_public_key,
    4664. 

  4664.                                     rsa_computed_signature,
    4665. 

  4665.                                     rsa_bytes_signed,
    4666. 

  4666.                                     sha,
    4667. 

  4667.                                     shaLength);
    4668. 

  4668.             if( rv != SECSuccess ) {
    4669. 

  4669.                  fprintf(rsaresp, "ERROR: RSA_HashCheckSign failed");
    4670. 

  4670.                  goto loser;
    4671. 

  4671.             }
    4672. 

  4672.             continue;
    4673. 

  4673.         }
    4674. 

  4674.     }
    4675. 

  4675. loser:
    4676. 

  4676.     fclose(rsareq);
    4677. 

  4677. 

  4678.     if (rsaBlapiPrivKey != NULL) {
    4679. 

  4679.         /* frees private and public key */
    4680. 

  4680.         PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
    4681. 

  4681.         rsaBlapiPrivKey = NULL;
    4682. 

  4682.         rsaBlapiPublicKey = NULL;
    4683. 

  4683.     }
    4684. 

  4684. 

  4685. }
    4686. 

  4686. /*
    4687. 

  4687.  * Perform the RSA Signature Verification Test.
    4688. 

  4688.  *
    4689. 

  4689.  * reqfn is the pathname of the REQUEST file.
    4690. 

  4690.  *
    4691. 

  4691.  * The output RESPONSE file is written to stdout.
    4692. 

  4692.  */
    4693. 

  4693. void
    4694. 

  4694. rsa_sigver_test(char *reqfn)
    4695. 

  4695. {
    4696. 

  4696.     char buf[2*RSA_MAX_TEST_MODULUS_BYTES+7];
    4697. 

  4697.                         /* buf holds one line from the input REQUEST file
    4698. 

  4698.                          * or to the output RESPONSE file.
    4699. 

  4699.                          * s = 2x for HEX output + 1 for \n
    4700. 

  4700.                          */
    4701. 

  4701.     FILE *rsareq;     /* input stream from the REQUEST file */
    4702. 

  4702.     FILE *rsaresp;    /* output stream to the RESPONSE file */
    4703. 

  4703.     int i, j;
    4704. 

  4704.     unsigned char   sha[HASH_LENGTH_MAX];   /* SHA digest */
    4705. 

  4705.     unsigned int    shaLength = 0;              /* actual length of the digest */
    4706. 

  4706.     HASH_HashType   shaAlg = HASH_AlgNULL;
    4707. 

  4707.     SECOidTag       shaOid = SEC_OID_UNKNOWN;
    4708. 

  4708.     int modulus = 0;                            /* the Modulus size */
    4709. 

  4709.     unsigned char   signature[513];    /* largest signature size + '\n' */
    4710. 

  4710.     unsigned int    signatureLength = 0;   /* actual length of the signature */
    4711. 

  4711.     PRBool keyvalid = PR_TRUE;
    4712. 

  4712. 

  4713.     RSAPublicKey   rsaBlapiPublicKey; /* hold RSA public key */
    4714. 

  4714. 

  4715.     rsareq = fopen(reqfn, "r");
    4716. 

  4716.     rsaresp = stdout;
    4717. 

  4717.     memset(&rsaBlapiPublicKey, 0, sizeof(RSAPublicKey));
    4718. 

  4718. 

  4719.     while (fgets(buf, sizeof buf, rsareq) != NULL) {
    4720. 

  4720.         /* a comment or blank line */
    4721. 

  4721.         if (buf[0] == '#' || buf[0] == '\n') {
    4722. 

  4722.             fputs(buf, rsaresp);
    4723. 

  4723.             continue;
    4724. 

  4724.         }
    4725. 

  4725. 

  4726.         /* [Mod = ...] */
    4727. 

  4727.         if (buf[0] == '[') {
    4728. 

  4728.             unsigned int flen;  /* length in bytes of the field size */
    4729. 

  4729. 

  4730.             if (rsaBlapiPublicKey.modulus.data) { /* n */
    4731. 

  4731.                 SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
    4732. 

  4732.             }
    4733. 

  4733.             if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
    4734. 

  4734.                 goto loser;
    4735. 

  4735.             }
    4736. 

  4736. 

  4737.             if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
    4738. 

  4738.                 fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
    4739. 

  4739.                 goto loser;
    4740. 

  4740.             }
    4741. 

  4741. 

  4742.             fputs(buf, rsaresp);
    4743. 

  4743. 

  4744.             signatureLength = flen = modulus/8;
    4745. 

  4745. 

  4746.             SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.modulus, flen);
    4747. 

  4747.             if (rsaBlapiPublicKey.modulus.data == NULL) {
    4748. 

  4748.                 goto loser;
    4749. 

  4749.             }
    4750. 

  4750.             continue;
    4751. 

  4751.         }
    4752. 

  4752. 

  4753.         /* n = ... modulus */
    4754. 

  4754.         if (buf[0] == 'n') {
    4755. 

  4755.             i = 1;
    4756. 

  4756.             while (isspace(buf[i]) || buf[i] == '=') {
    4757. 

  4757.                 i++;
    4758. 

  4758.             }
    4759. 

  4759.             keyvalid = from_hex_str(&rsaBlapiPublicKey.modulus.data[0],
    4760. 

  4760.                                     rsaBlapiPublicKey.modulus.len,
    4761. 

  4761.                                     &buf[i]);
    4762. 

  4762. 

  4763.             if (!keyvalid) {
    4764. 

  4764.                 fprintf(rsaresp, "ERROR: rsa_sigver n not valid.\n");
    4765. 

  4765.                                  goto loser;
    4766. 

  4766.             }
    4767. 

  4767.             fputs(buf, rsaresp);
    4768. 

  4768.             continue;
    4769. 

  4769.         }
    4770. 

  4770. 

  4771.         /* SHAAlg = ... */
    4772. 

  4772.         if (strncmp(buf, "SHAAlg", 6) == 0) {
    4773. 

  4773.            i = 6;
    4774. 

  4774.            while (isspace(buf[i]) || buf[i] == '=') {
    4775. 

  4775.                i++;
    4776. 

  4776.            }
    4777. 

  4777.            /* set the SHA Algorithm */
    4778. 

  4778.            if (strncmp(&buf[i], "SHA1", 4) == 0) {
    4779. 

  4779.                 shaAlg = HASH_AlgSHA1;
    4780. 

  4780.            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
    4781. 

  4781.                 shaAlg = HASH_AlgSHA256;
    4782. 

  4782.            } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
    4783. 

  4783.                shaAlg = HASH_AlgSHA384;
    4784. 

  4784.            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
    4785. 

  4785.                shaAlg = HASH_AlgSHA512;
    4786. 

  4786.            } else {
    4787. 

  4787.                fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
    4788. 

  4788.                goto loser;
    4789. 

  4789.            }
    4790. 

  4790.            fputs(buf, rsaresp);
    4791. 

  4791.            continue;
    4792. 

  4792.         }
    4793. 

  4793. 

  4794.         /* e = ... public Key */
    4795. 

  4795.         if (buf[0] == 'e') {
    4796. 

  4796.             unsigned char data[RSA_MAX_TEST_EXPONENT_BYTES];
    4797. 

  4797.             unsigned char t;
    4798. 

  4798. 

  4799.             memset(data, 0, sizeof data);
    4800. 

  4800. 

  4801.             if (rsaBlapiPublicKey.publicExponent.data) { /* e */
    4802. 

  4802.                 SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
    4803. 

  4803.             }
    4804. 

  4804. 

  4805.             i = 1;
    4806. 

  4806.             while (isspace(buf[i]) || buf[i] == '=') {
    4807. 

  4807.                 i++;
    4808. 

  4808.             }
    4809. 

  4809.             /* skip leading zero's */
    4810. 

  4810.             while (isxdigit(buf[i])) {
    4811. 

  4811.                 hex_to_byteval(&buf[i], &t);
    4812. 

  4812.                 if (t == 0) {
    4813. 

  4813.                     i+=2;
    4814. 

  4814.                 } else break;
    4815. 

  4815.             }
    4816. 

  4816.         
    4817. 

  4817.             /* get the exponent */
    4818. 

  4818.             for (j=0; isxdigit(buf[i]) && j < sizeof data; i+=2,j++) {
    4819. 

  4819.                 hex_to_byteval(&buf[i], &data[j]);
    4820. 

  4820.             }
    4821. 

  4821. 

  4822.             if (j == 0) { j = 1; }  /* to handle 1 byte length exponents */
    4823. 

  4823. 

  4824.             SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.publicExponent,  j);
    4825. 

  4825.             if (rsaBlapiPublicKey.publicExponent.data == NULL) {
    4826. 

  4826.                 goto loser;
    4827. 

  4827.             }
    4828. 

  4828. 

  4829.             for (i=0; i < j; i++) {
    4830. 

  4830.                 rsaBlapiPublicKey.publicExponent.data[i] = data[i];
    4831. 

  4831.             }
    4832. 

  4832. 

  4833.             fputs(buf, rsaresp);
    4834. 

  4834.             continue;
    4835. 

  4835.         }
    4836. 

  4836. 

  4837.         /* Msg = ... */
    4838. 

  4838.         if (strncmp(buf, "Msg", 3) == 0) {
    4839. 

  4839.             unsigned char msg[128]; /* MAX msg 128 */
    4840. 

  4840. 

  4841.             memset(sha, 0, sizeof sha);
    4842. 

  4842.             memset(msg, 0, sizeof msg);
    4843. 

  4843. 

  4844.             i = 3;
    4845. 

  4845.             while (isspace(buf[i]) || buf[i] == '=') {
    4846. 

  4846.                 i++;
    4847. 

  4847.             }
    4848. 

  4848. 

  4849.             for (j=0; isxdigit(buf[i]) && j < sizeof msg; i+=2,j++) {
    4850. 

  4850.                 hex_to_byteval(&buf[i], &msg[j]);
    4851. 

  4851.             }
    4852. 

  4852. 

  4853.             if (shaAlg == HASH_AlgSHA1) {
    4854. 

  4854.                 if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
    4855. 

  4855.                      fprintf(rsaresp, "ERROR: Unable to generate SHA1");
    4856. 

  4856.                      goto loser;
    4857. 

  4857.                 }
    4858. 

  4858.                 shaLength = SHA1_LENGTH;
    4859. 

  4859.                 shaOid = SEC_OID_SHA1;
    4860. 

  4860.             } else if (shaAlg == HASH_AlgSHA256) {
    4861. 

  4861.                 if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
    4862. 

  4862.                      fprintf(rsaresp, "ERROR: Unable to generate SHA256");
    4863. 

  4863.                      goto loser;
    4864. 

  4864.                 }
    4865. 

  4865.                 shaLength = SHA256_LENGTH;
    4866. 

  4866.                 shaOid = SEC_OID_SHA256;
    4867. 

  4867.             } else if (shaAlg == HASH_AlgSHA384) {
    4868. 

  4868.                 if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
    4869. 

  4869.                      fprintf(rsaresp, "ERROR: Unable to generate SHA384");
    4870. 

  4870.                      goto loser;
    4871. 

  4871.                 }
    4872. 

  4872.                 shaLength = SHA384_LENGTH;
    4873. 

  4873.                 shaOid = SEC_OID_SHA384;
    4874. 

  4874.             } else if (shaAlg == HASH_AlgSHA512) {
    4875. 

  4875.                 if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
    4876. 

  4876.                      fprintf(rsaresp, "ERROR: Unable to generate SHA512");
    4877. 

  4877.                      goto loser;
    4878. 

  4878.                 }
    4879. 

  4879.                 shaLength = SHA512_LENGTH;
    4880. 

  4880.                 shaOid = SEC_OID_SHA512;
    4881. 

  4881.             } else {
    4882. 

  4882.                 fprintf(rsaresp, "ERROR: SHAAlg not defined.");
    4883. 

  4883.                 goto loser;
    4884. 

  4884.             }
    4885. 

  4885. 

  4886.             fputs(buf, rsaresp);
    4887. 

  4887.             continue;
    4888. 

  4888. 

  4889.         }
    4890. 

  4890. 

  4891.         /* S = ... */
    4892. 

  4892.         if (buf[0] == 'S') {
    4893. 

  4893.             SECStatus rv = SECFailure;
    4894. 

  4894.             NSSLOWKEYPublicKey  * rsa_public_key;
    4895. 

  4895.             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
    4896. 

  4896.                                                   NSSLOWKEYRSAKey, };
    4897. 

  4897. 

  4898.             /* convert to a low RSA public key */
    4899. 

  4899.             low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
    4900. 

  4900.             rsa_public_key = &low_RSA_public_key;
    4901. 

  4901. 

  4902.             memset(signature, 0, sizeof(signature));
    4903. 

  4903.             i = 1;
    4904. 

  4904.             while (isspace(buf[i]) || buf[i] == '=') {
    4905. 

  4905.                 i++;
    4906. 

  4906.             }
    4907. 

  4907. 

  4908.             for (j=0; isxdigit(buf[i]) && j < sizeof signature; i+=2,j++) {
    4909. 

  4909.                 hex_to_byteval(&buf[i], &signature[j]);
    4910. 

  4910.             }
    4911. 

  4911. 

  4912.             signatureLength = j;
    4913. 

  4913.             fputs(buf, rsaresp);
    4914. 

  4914. 

  4915.             /* Perform RSA verification with the RSA public key. */
    4916. 

  4916.             rv = RSA_HashCheckSign( shaOid,
    4917. 

  4917.                                     rsa_public_key,
    4918. 

  4918.                                     signature,
    4919. 

  4919.                                     signatureLength,
    4920. 

  4920.                                     sha,
    4921. 

  4921.                                     shaLength);
    4922. 

  4922.             if( rv == SECSuccess ) {
    4923. 

  4923.                 fputs("Result = P\n", rsaresp);
    4924. 

  4924.             } else {
    4925. 

  4925.                 fputs("Result = F\n", rsaresp);
    4926. 

  4926.             }
    4927. 

  4927.             continue;
    4928. 

  4928.         }
    4929. 

  4929.     }
    4930. 

  4930. loser:
    4931. 

  4931.     fclose(rsareq);
    4932. 

  4932.     if (rsaBlapiPublicKey.modulus.data) { /* n */
    4933. 

  4933.         SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
    4934. 

  4934.     }
    4935. 

  4935.     if (rsaBlapiPublicKey.publicExponent.data) { /* e */
    4936. 

  4936.         SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
    4937. 

  4937.     }
    4938. 

  4938. }
    4939. 

  4939. 

  4940. int main(int argc, char **argv)
    4941. 

  4941. {
    4942. 

  4942.     if (argc < 2) exit (-1);
    4943. 

  4943. 

  4944.     /*************/
    4945. 

  4945.     /*   TDEA    */
    4946. 

  4946.     /*************/
    4947. 

  4947.     if (strcmp(argv[1], "tdea") == 0) {
    4948. 

  4948.         /* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
    4949. 

  4949.         if (strcmp(argv[2], "kat") == 0) {
    4950. 

  4950.             /* Known Answer Test (KAT) */
    4951. 

  4951.             tdea_kat_mmt(argv[4]);     
    4952. 

  4952.         } else if (strcmp(argv[2], "mmt") == 0) {
    4953. 

  4953.             /* Multi-block Message Test (MMT) */
    4954. 

  4954.                 tdea_kat_mmt(argv[4]);
    4955. 

  4955.         } else if (strcmp(argv[2], "mct") == 0) {
    4956. 

  4956.                 /* Monte Carlo Test (MCT) */
    4957. 

  4957.                 if (strcmp(argv[3], "ecb") == 0) {
    4958. 

  4958.                     /* ECB mode */
    4959. 

  4959.                     tdea_mct(NSS_DES_EDE3, argv[4]); 
    4960. 

  4960.                 } else if (strcmp(argv[3], "cbc") == 0) {
    4961. 

  4961.                     /* CBC mode */
    4962. 

  4962.                     tdea_mct(NSS_DES_EDE3_CBC, argv[4]);
    4963. 

  4963.                 }
    4964. 

  4964.         }
    4965. 

  4965.     /*************/
    4966. 

  4966.     /*   AES     */
    4967. 

  4967.     /*************/
    4968. 

  4968.     } else if (strcmp(argv[1], "aes") == 0) {
    4969. 

  4969. 	/* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
    4970. 

  4970. 	if (       strcmp(argv[2], "kat") == 0) {
    4971. 

  4971. 	    /* Known Answer Test (KAT) */
    4972. 

  4972. 	    aes_kat_mmt(argv[4]);
    4973. 

  4973. 	} else if (strcmp(argv[2], "mmt") == 0) {
    4974. 

  4974. 	    /* Multi-block Message Test (MMT) */
    4975. 

  4975. 	    aes_kat_mmt(argv[4]);
    4976. 

  4976. 	} else if (strcmp(argv[2], "mct") == 0) {
    4977. 

  4977. 	    /* Monte Carlo Test (MCT) */
    4978. 

  4978. 	    if (       strcmp(argv[3], "ecb") == 0) {
    4979. 

  4979. 		/* ECB mode */
    4980. 

  4980. 		aes_ecb_mct(argv[4]);
    4981. 

  4981. 	    } else if (strcmp(argv[3], "cbc") == 0) {
    4982. 

  4982. 		/* CBC mode */
    4983. 

  4983. 		aes_cbc_mct(argv[4]);
    4984. 

  4984. 	    }
    4985. 

  4985. 	}
    4986. 

  4986.     /*************/
    4987. 

  4987.     /*   SHA     */
    4988. 

  4988.     /*************/
    4989. 

  4989.     } else if (strcmp(argv[1], "sha") == 0) {
    4990. 

  4990.         sha_test(argv[2]);
    4991. 

  4991.     /*************/
    4992. 

  4992.     /*   RSA     */
    4993. 

  4993.     /*************/
    4994. 

  4994.     } else if (strcmp(argv[1], "rsa") == 0) {
    4995. 

  4995.         /* argv[2]=siggen|sigver */
    4996. 

  4996.         /* argv[3]=<test name>.req */
    4997. 

  4997.         if (strcmp(argv[2], "siggen") == 0) {
    4998. 

  4998.             /* Signature Generation Test */
    4999. 

  4999.             rsa_siggen_test(argv[3]);
    5000. 

  5000.         } else if (strcmp(argv[2], "sigver") == 0) {
    5001. 

  5001.             /* Signature Verification Test */
    5002. 

  5002.             rsa_sigver_test(argv[3]);
    5003. 

  5003.         }
    5004. 

  5004.     /*************/
    5005. 

  5005.     /*   HMAC    */
    5006. 

  5006.     /*************/
    5007. 

  5007.     } else if (strcmp(argv[1], "hmac") == 0) {
    5008. 

  5008.         hmac_test(argv[2]);
    5009. 

  5009.     /*************/
    5010. 

  5010.     /*   DSA     */
    5011. 

  5011.     /*************/
    5012. 

  5012.     } else if (strcmp(argv[1], "dsa") == 0) {
    5013. 

  5013.         /* argv[2]=keypair|pqggen|pqgver|siggen|sigver */
    5014. 

  5014.         /* argv[3]=<test name>.req */
    5015. 

  5015.         if (strcmp(argv[2], "keypair") == 0) {
    5016. 

  5016.             /* Key Pair Generation Test */
    5017. 

  5017.             dsa_keypair_test(argv[3]);
    5018. 

  5018.         } else if (strcmp(argv[2], "pqggen") == 0) {
    5019. 

  5019.         /* Domain Parameter Generation Test */
    5020. 

  5020.             dsa_pqggen_test(argv[3]);
    5021. 

  5021.         } else if (strcmp(argv[2], "pqgver") == 0) {
    5022. 

  5022.                 /* Domain Parameter Validation Test */
    5023. 

  5023.             dsa_pqgver_test(argv[3]);
    5024. 

  5024.         } else if (strcmp(argv[2], "siggen") == 0) {
    5025. 

  5025.             /* Signature Generation Test */
    5026. 

  5026.             dsa_siggen_test(argv[3]);
    5027. 

  5027.         } else if (strcmp(argv[2], "sigver") == 0) {
    5028. 

  5028.             /* Signature Verification Test */
    5029. 

  5029.             dsa_sigver_test(argv[3]);
    5030. 

  5030.         }
    5031. 

  5031. #ifdef NSS_ENABLE_ECC
    5032. 

  5032.     /*************/
    5033. 

  5033.     /*   ECDSA   */
    5034. 

  5034.     /*************/
    5035. 

  5035.     } else if (strcmp(argv[1], "ecdsa") == 0) {
    5036. 

  5036. 	/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
    5037. 

  5037. 	if (       strcmp(argv[2], "keypair") == 0) {
    5038. 

  5038. 	    /* Key Pair Generation Test */
    5039. 

  5039. 	    ecdsa_keypair_test(argv[3]);
    5040. 

  5040. 	} else if (strcmp(argv[2], "pkv") == 0) {
    5041. 

  5041. 	    /* Public Key Validation Test */
    5042. 

  5042. 	    ecdsa_pkv_test(argv[3]);
    5043. 

  5043. 	} else if (strcmp(argv[2], "siggen") == 0) {
    5044. 

  5044. 	    /* Signature Generation Test */
    5045. 

  5045. 	    ecdsa_siggen_test(argv[3]);
    5046. 

  5046. 	} else if (strcmp(argv[2], "sigver") == 0) {
    5047. 

  5047. 	    /* Signature Verification Test */
    5048. 

  5048. 	    ecdsa_sigver_test(argv[3]);
    5049. 

  5049. 	}
    5050. 

  5050. #endif /* NSS_ENABLE_ECC */
    5051. 

  5051.     /*************/
    5052. 

  5052.     /*   RNG     */
    5053. 

  5053.     /*************/
    5054. 

  5054.     } else if (strcmp(argv[1], "rng") == 0) {
    5055. 

  5055. 	/* argv[2]=vst|mct argv[3]=<test name>.req */
    5056. 

  5056. 	if (       strcmp(argv[2], "vst") == 0) {
    5057. 

  5057. 	    /* Variable Seed Test */
    5058. 

  5058. 	    rng_vst(argv[3]);
    5059. 

  5059. 	} else if (strcmp(argv[2], "mct") == 0) {
    5060. 

  5060. 	    /* Monte Carlo Test */
    5061. 

  5061. 	    rng_mct(argv[3]);
    5062. 

  5062. 	}
    5063. 

  5063.     } else if (strcmp(argv[1], "drbg") == 0) {
    5064. 

  5064. 	/* Variable Seed Test */
    5065. 

  5065. 	drbg(argv[2]);
    5066. 

  5066.     } else if (strcmp(argv[1], "ddrbg") == 0) {
    5067. 

  5067. 	debug = 1;
    5068. 

  5068. 	drbg(argv[2]);
    5069. 

  5069.     }
    5070. 

  5070.     return 0;
    5071. 

  5071. }
    5072. 

  5072.