PQG generation and verification testing

PQG generation and verification testing

Stephan Mueller
Hi,

I see the following code in libgcrypt 1.5.3 in function generate_fips186:

      if (deriveparms)
        {
          initial_seed.sexp = gcry_sexp_find_token (deriveparms, "seed", 0);
          if (initial_seed.sexp)
            initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
                                                    &initial_seed.seedlen);
        }
      if (use_fips186_2)
        ec = _gcry_generate_fips186_2_prime (nbits, qbits,
                                           initial_seed.seed,
                                           initial_seed.seedlen,
                                           &prime_q, &prime_p,
                                           r_counter,
                                           r_seed, r_seedlen);
      else if (!domain->p || !domain->q)
        ec = _gcry_generate_fips186_3_prime (nbits, qbits,
                                          initial_seed.seed,
                                          initial_seed.seedlen,
                                          &prime_q, &prime_p,
                                          r_counter,
                                          r_seed, r_seedlen, NULL);


In the current upstream code, it is implemented differently:

      if (deriveparms)
        {
          initial_seed.sexp = sexp_find_token (deriveparms, "seed", 0);
          if (initial_seed.sexp)
            initial_seed.seed = sexp_nth_data (initial_seed.sexp, 1,
                                               &initial_seed.seedlen);
        }

      if (use_fips186_2)
        ec = _gcry_generate_fips186_2_prime (nbits, qbits,
                                             initial_seed.seed,
                                             initial_seed.seedlen,
                                             &prime_q, &prime_p,
                                             r_counter,
                                             r_seed, r_seedlen);
      else
        ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
                                             &prime_q, &prime_p,
                                             r_counter,
                                             r_seed, r_seedlen, NULL);

See the 3rd and 4th parameters of _gcry_generate_fips186_3_prime, which are now NULL
instead of initial_seed. With that, there is no way to set a pre-defined seed
to verify that the P/Q generation function works correctly.

Is there any other way to test the P/Q generation by supplying the seed?

If not, could the current upstream code be changed back to the old
implementation?

Thanks.

Ciao
Stephan



_______________________________________________
Gcrypt-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
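The test Stephan is asking for, as an added stand-alone example (not libgcrypt code, and not a reimplementation of its internals): FIPS 186-3 A.1.1.2 run with a caller-supplied seed, plus the A.1.1.3 validation routine that regenerates P/Q from the seed and counter and compares. The generator returns the seed and counter it actually used, mirroring the r_seed/r_seedlen/r_counter outputs in the code above; when the library ignores the supplied seed, as in the upstream call with NULL, validation against that seed fails. Assumptions specific to this example: SHA-256 as the hash (allowed for all four (L, N) pairs since outlen >= N), the seed is incremented mod 2^seedlen when q turns out composite, and the 160-bit sample seed is constructed here.

```python
"""FIPS 186-3 A.1.1.2 (generation) and A.1.1.3 (validation) for DSA P/Q.

Added example, not libgcrypt code. Assumptions: SHA-256 as the approved
hash, seed incremented mod 2^seedlen on a composite q, constructed seed.
"""
import hashlib
import random

HASH = hashlib.sha256   # assumption: any approved hash with outlen >= N works
OUTLEN = 256
ALLOWED_LN = ((1024, 160), (2048, 224), (2048, 256), (3072, 256))


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with fixed pseudo-random bases (deterministic for the demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _hash_int(value, seedlen):
    """Hash(value mod 2^seedlen) with value encoded as a seedlen-bit string."""
    value %= 1 << seedlen
    return int.from_bytes(HASH(value.to_bytes(seedlen // 8, "big")).digest(), "big")


def _candidate_p(L, q, s, seedlen, offset, n, b):
    """Steps 11.1-11.5 of A.1.1.2: one candidate p from seed s and offset."""
    W = 0
    for j in range(n + 1):
        Vj = _hash_int(s + offset + j, seedlen)
        if j == n:
            Vj %= 1 << b
        W += Vj << (j * OUTLEN)
    X = W + (1 << (L - 1))
    c = X % (2 * q)
    return X - (c - 1)          # p = 1 mod 2q


def generate_pq(L, N, seed):
    """A.1.1.2 with a caller-supplied seed; returns (p, q, seed_used, counter)."""
    if (L, N) not in ALLOWED_LN:
        raise ValueError("unsupported (L, N) pair")
    seedlen = 8 * len(seed)
    if seedlen < N:                 # A.1.1.2 step 2
        raise ValueError("seedlen must be at least N bits")
    n = -(-L // OUTLEN) - 1         # ceil(L/outlen) - 1
    b = L - 1 - n * OUTLEN
    s = int.from_bytes(seed, "big")
    while True:
        U = _hash_int(s, seedlen) % (1 << (N - 1))
        q = (1 << (N - 1)) + U + 1 - (U % 2)
        if is_probable_prime(q):
            offset = 1
            for counter in range(4 * L):
                p = _candidate_p(L, q, s, seedlen, offset, n, b)
                if p >= (1 << (L - 1)) and is_probable_prime(p):
                    used = (s % (1 << seedlen)).to_bytes(seedlen // 8, "big")
                    return p, q, used, counter
                offset += n + 1
        s = (s + 1) % (1 << seedlen)   # assumption: retry with the next seed


def validate_pq(L, N, p, q, seed, counter):
    """A.1.1.3: True iff (p, q) are exactly what seed and counter regenerate."""
    if (L, N) not in ALLOWED_LN or counter > 4 * L - 1:
        return False
    seedlen = 8 * len(seed)
    if seedlen < N:
        return False
    n = -(-L // OUTLEN) - 1
    b = L - 1 - n * OUTLEN
    s = int.from_bytes(seed, "big")
    U = _hash_int(s, seedlen) % (1 << (N - 1))
    if q != (1 << (N - 1)) + U + 1 - (U % 2) or not is_probable_prime(q):
        return False
    offset = 1
    for i in range(counter + 1):
        cand = _candidate_p(L, q, s, seedlen, offset, n, b)
        if cand >= (1 << (L - 1)) and is_probable_prime(cand):
            # generation would have stopped here, so it must be the claimed one
            return i == counter and cand == p
        offset += n + 1
    return False


if __name__ == "__main__":
    # Constructed 160-bit seed (the minimum seedlen for N = 160).
    seed = bytes.fromhex("0123456789abcdef" * 2 + "01234567")
    p, q, used, counter = generate_pq(1024, 160, seed)
    print("counter", counter, "seed", used.hex(), "valid", validate_pq(1024, 160, p, q, used, counter))
    wrong = bytes([used[0] ^ 1]) + used[1:]
    print("validates under a different seed:", validate_pq(1024, 160, p, q, wrong, counter))
```

To use this against a library, feed the same seed into its generator, take back the P, Q, seed and counter it reports, and call validate_pq on them; a library that silently drops the seed (the NULL, 0 call above) will report a seed you did not supply, and validate_pq with your original seed returns False.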

Re: PQG generation and verification testing

Stephan Mueller
On Tuesday, 22 May 2018, 18:29:50 CEST, Stephan Mueller wrote:

Hi,

> Hi,
>
> I see the following code in libgcrypt 1.5.3 in function generate_fips186:

Please disregard this message. I just found out that the Fedora code base
modified the following code path to make it testable:

>       else if (!domain->p || !domain->q)
>         ec = _gcry_generate_fips186_3_prime (nbits, qbits,
>                                           initial_seed.seed,
>                                           initial_seed.seedlen,
>                                           &prime_q, &prime_p,
>                                           r_counter,
>                                           r_seed, r_seedlen, NULL);
>
>

Though, would it make sense to change it upstream as well?

Ciao
Stephan




Re: PQG generation and verification testing

GnuPG - Libgcrypt - Dev mailing list
On Tue, 22 May 2018 19:40, Stephan Mueller said:

> Please disregard this message. I just found out that the Fedora code base
> modified the following code path to make it testable:
>
>>       else if (!domain->p || !domain->q)
>>         ec = _gcry_generate_fips186_3_prime (nbits, qbits,
[...]
> Though, would it make sense to equally change it upstream?

We have meanwhile incorporated such RedHat changes into the 1.9 branch
and will probably also add more such changes to limit the need for
vendor-specific changes.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.


Re: PQG generation and verification testing

NIIBE Yutaka
Stephan Mueller <[hidden email]> wrote:
> In the current upstream code, it is implemented differently:
[...]
>         ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
>                                              &prime_q, &prime_p,
>                                              r_counter,
>                                              r_seed, r_seedlen, NULL);
>
> See 3rd and 4th parameter for _gcry_generate_fips186_3_prime which is now NULL
> instead of initial_seed. With that, there is no way to set a pre-defined seed
> to verify that the P/Q generation function works correctly.

FYI, it was fixed in master and 1.9.1, when I merged a patch from Red Hat.
I'm merging their patches.

commit 30ed9593f632c728d918598037358deaeccd1968
Author: NIIBE Yutaka <[hidden email]>
Date:   Tue Jan 19 15:50:31 2021 +0900

    Fix DSA for FIPS 186-3.
   
    * cipher/dsa.c (generate_fips186): Supply INITIAL_SEED to
    _gcry_generate_fips186_3_prime.
...

diff --git a/cipher/dsa.c b/cipher/dsa.c
index b93e385e..d793b9aa 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -458,7 +458,9 @@ generate_fips186 (DSA_secret_key *sk, unsigned int nbits, unsigned int qbits,
                                              r_counter,
                                              r_seed, r_seedlen);
       else
-        ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0,
+        ec = _gcry_generate_fips186_3_prime (nbits, qbits,
+                                             initial_seed.seed,
+                                             initial_seed.seedlen,
                                              &prime_q, &prime_p,
                                              r_counter,
                                              r_seed, r_seedlen, NULL);
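Review bot: the restored call forwards initial_seed.seed and initial_seed.seedlen unconditionally, so in the no-derive-parms case it relies on initial_seed having been zero-initialised before the `if (deriveparms)` block, which lies outside this hunk; confirm that, because an uninitialised pointer here goes straight into the prime generator. The hunk also adds no check that a caller-supplied seedlen is at least qbits bits, which FIPS 186-3 A.1.1.2 step 2 requires; if _gcry_generate_fips186_3_prime does not reject short seeds itself, the check belongs at this call site, where the seed comes in from the S-expression. The commit message could additionally note that the use_fips186_2 branch just above already forwarded initial_seed and this change only brings the 186-3 branch in line with it.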
--
