search

smuellerDD / acvpparser

ACVP Parser for invocation of cryptographic implementations using the ACVP JSON test vectors
https://www.chronox.de/acvpparser
Other
36 stars 27 forks source link

Safe primes response not generated (Null json.partial file ) #18

Closed shilpa-1992 closed 3 years ago

shilpa-1992 commented 3 years ago

Hello Team,

I have tried to acvp-parserto run request for safe primes. (safePrimes_keyGen (response.json file not gererated) safePrimes_keyVer (response.json file not gererated).

I have made few modification to backend_openssl.c for the build. Could you please clarify me the code part which takes the call for safeprimes ( code part necessary for the response generation of safe prime).

Regards,

smuellerDD commented 3 years ago

Am Montag, dem 10.05.2021 um 07:35 -0700 schrieb shilpa-1992:

Hello Team,

Hi,

I have tried to acvp-parserto run request for safe primes.  (safePrimes_keyGen (response.json file not gererated) safePrimes_keyVer (response.json file not gererated).

I have made few modification to backend_openssl.c for the build. Could you please clarify me the code part which takes the call for safeprimes ( code part necessary for the response generation of safe prime).

See _openssl_dh_keygen which calls openssl_dh_set_param to fill the DH structure with PQG and then call DH_generate_key to generate the key.

Ciao Stephan

shilpa-1992 commented 3 years ago

/*

Regards,

smuellerDD commented 3 years ago

Am Montag, dem 10.05.2021 um 22:11 -0700 schrieb shilpa-1992:

/          TODO change to          BIGNUM BN_get_rfc3526_prime_2048(BIGNUM bn);          BIGNUM BN_get_rfc3526_prime_3072(BIGNUM bn);          BIGNUM BN_get_rfc3526_prime_4096(BIGNUM bn);          BIGNUM BN_get_rfc3526_prime_6144(BIGNUM bn);          BIGNUM BN_get_rfc3526_prime_8192(BIGNUM bn);          / Could you please let me know the relevance of this code part.

Some distros provide OpenSSL with those APIs making the safeprimes directly accessible instead of adding the PQG values. But this is currently not present in all OpenSSL versions.

Regards,

shilpa-1992 commented 3 years ago

ACVPParser (23:29:56) Error: DSA_generate_key() failed ACVPParser (23:29:56) Error: Test execution failed ACVPParser (23:29:56) Error: Parsing processdata failed

Above log is observed while running testvector-request for "algorithm": "safePrimes", "mode": "keyGen", "revision": "1.0",

Any clue what might have caused the failure. testvector-response.json is with partial output

same time the test vector for "algorithm": "safePrimes", "mode": "keyVer", "revision": "1.0", Generated the response file.

Regards,

smuellerDD commented 3 years ago

Am Dienstag, dem 11.05.2021 um 11:05 -0700 schrieb shilpa-1992:

ACVPParser (23:29:56) Error: DSA_generate_key() failed

This is the issue. -vvv should give you more. If not, add ERR_error_string(ERR_get_error(), NULL) to the log to see why OpenSSL is unhappy.

But when you use such an old OpenSSL library version (FIPS 2.0.16), it is very much possible that the DSA operation cannot handle safe primes.

Ciao Stephan

ACVPParser (23:29:56) Error: Test execution failed ACVPParser (23:29:56) Error: Parsing processdata failed

Above log is observed. Any clue what might have caused the failure. testvector-response.json is with partial output

Regards,  

shilpa-1992 commented 3 years ago

In my openssl APIs making the safeprimes directly accessible instead of adding the PQG values . so i have enabled the below code part

       BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn);
       BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn);
       BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn);
       BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn);
       BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn);

Please let me know what all are the changes need to make in code to the values from bn above.

smuellerDD commented 3 years ago

Am Montag, dem 17.05.2021 um 05:06 -0700 schrieb shilpa-1992:

In my openssl  APIs making the safeprimes directly accessible instead of adding the PQG values .  so i have  enabled the below code part              BIGNUM BN_get_rfc3526_prime_2048(BIGNUM bn);            BIGNUM BN_get_rfc3526_prime_3072(BIGNUM bn);            BIGNUM BN_get_rfc3526_prime_4096(BIGNUM bn);            BIGNUM BN_get_rfc3526_prime_6144(BIGNUM bn);            BIGNUM BN_get_rfc3526_prime_8192(BIGNUM bn);

Please let me know what all are the changes need to make in code to the values from bn above.

The backend code contains a marker where those should replace the call to the parser-internal safeprime calls.

shilpa-1992 commented 3 years ago

It is not clear to me , could you please explain a bit more. which all files needs modification ? Is the modification is required only for openssl_dh_set_param (backend_openssl.c ) . where to replace the call to the parser-internal safeprime (could you please mention those function call ) calls ?

smuellerDD commented 3 years ago

Am Montag, dem 17.05.2021 um 05:27 -0700 schrieb shilpa-1992:

It is not clear to me , could you please explain a bit more.

/*

  • TODO change to
  • BIGNUM BN_get_rfc3526_prime_2048(BIGNUM bn);
  • BIGNUM BN_get_rfc3526_prime_3072(BIGNUM bn);
  • BIGNUM BN_get_rfc3526_prime_4096(BIGNUM bn);
  • BIGNUM BN_get_rfc3526_prime_6144(BIGNUM bn);
  • BIGNUM BN_get_rfc3526_prime_8192(BIGNUM bn); / .. } else { struct safeprimes p_safeprime;
            CKINT(acvp_safeprime_get(safeprime, &p_safeprime));

            CKINT_O0(BN_hex2bn(&p, p_safeprime->p));
            CKINT_O0(BN_hex2bn(&q, p_safeprime->q));
            CKINT_O0(BN_hex2bn(&g, p_safeprime->g));

-> get p, g, q from the OpenSSL API

shilpa-1992 commented 3 years ago

"-> get p, g, q from the OpenSSL API " with below code part will that happen or am i missing somthing ( do i need to add something more here)

      BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn);
      BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn);
      BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn);
      BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn);
      BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn);
            struct safeprimes *p_safeprime;

            CKINT(acvp_safeprime_get(safeprime, &p_safeprime));

            CKINT_O0(BN_hex2bn(&p, p_safeprime->p));
            CKINT_O0(BN_hex2bn(&q, p_safeprime->q));
            CKINT_O0(BN_hex2bn(&g, p_safeprime->g));
smuellerDD commented 3 years ago

Am Montag, dem 17.05.2021 um 05:38 -0700 schrieb shilpa-1992:

"-> get p, g, q from the OpenSSL API " with below code part will that happen or am i missing somthing  ( do i need to add something more here)

There should nothing else be needed apart from this replacement.

shilpa-1992 commented 3 years ago

For the same test vector i have run more than once and i could see that the ephemeralPublicIutX ,ephemeralPublicIutY and z is different , is that the expected . Any clue, what might have caused this.

smuellerDD commented 3 years ago

Am Montag, dem 17.05.2021 um 06:54 -0700 schrieb shilpa-1992:

For the same test vector i have run more than once and i could see that the ephemeralPublicIutX ,ephemeralPublicIutY and z is different , is that the expected . Any clue, what might have caused this.

Checking the test specification gives hints and considering DH_generate_key.