File openssl-fips__0222_dsa_pqver_fixes.diff of Package compat-openssl098.703

diff -rNU 150 ../openssl-0.9.8j-o/fips/dsa/fips_dssvs.c ./fips/dsa/fips_dssvs.c
--- ../openssl-0.9.8j-o/fips/dsa/fips_dssvs.c	2008-10-14 21:05:02.000000000 +0200
+++ ./fips/dsa/fips_dssvs.c	2011-10-28 15:44:37.000000000 +0200
@@ -1,439 +1,442 @@
 #include <openssl/opensslconf.h>
 
 #ifndef OPENSSL_FIPS
 #include <stdio.h>
 
 int main(int argc, char **argv)
 {
     printf("No FIPS DSA support\n");
     return(0);
 }
 #else
 
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/fips.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <string.h>
 #include <ctype.h>
 
 #include "fips_utl.h"
 
 static void pbn(const char *name, BIGNUM *bn)
 	{
 	int len, i;
 	unsigned char *tmp;
 	len = BN_num_bytes(bn);
 	tmp = OPENSSL_malloc(len);
 	if (!tmp)
 		{
 		fprintf(stderr, "Memory allocation error\n");
 		return;
 		}
 	BN_bn2bin(bn, tmp);
 	printf("%s = ", name);
 	for (i = 0; i < len; i++)
-		printf("%02X", tmp[i]);
+		printf("%02x", tmp[i]);
 	fputs("\n", stdout);
 	OPENSSL_free(tmp);
 	return;
 	}
 
 void primes()
     {
     char buf[10240];
     char lbuf[10240];
     char *keyword, *value;
 
     while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	fputs(buf,stdout);
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		continue;
 	if(!strcmp(keyword,"Prime"))
 	    {
 	    BIGNUM *pp;
 
 	    pp=BN_new();
 	    do_hex2bn(&pp,value);
 	    printf("result= %c\n",
 		   BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
 	    }	    
 	}
     }
 
 void pqg()
     {
     char buf[1024];
     char lbuf[1024];
     char *keyword, *value;
     int nmod=0;
 
     while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		{
 		fputs(buf,stdout);
 		continue;
 		}
 	if(!strcmp(keyword,"[mod"))
 	    nmod=atoi(value);
 	else if(!strcmp(keyword,"N"))
 	    {
 	    int n=atoi(value);
 
 	    printf("[mod = %d]\n\n",nmod);
 
 	    while(n--)
 		{
 		unsigned char seed[20];
 		DSA *dsa;
 		int counter;
 		unsigned long h;
 		dsa = FIPS_dsa_new();
 
 		if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
 			{
 			do_print_errors();
 			exit(1);
 			}
 		pbn("P",dsa->p);
 		pbn("Q",dsa->q);
 		pbn("G",dsa->g);
 		pv("Seed",seed,20);
 		printf("c = %d\n",counter);
 		printf("H = %lx\n",h);
 		putc('\n',stdout);
 		}
 	    }
 	else
 	    fputs(buf,stdout);
 	}
     }
 
 void pqgver()
     {
     char buf[1024];
     char lbuf[1024];
     char *keyword, *value;
     BIGNUM *p = NULL, *q = NULL, *g = NULL;
     int counter, counter2;
     unsigned long h, h2;
     DSA *dsa=NULL;
     int nmod=0;
     unsigned char seed[1024];
 
     while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		{
 		fputs(buf,stdout);
 		continue;
 		}
 	if(!strcmp(keyword,"[mod"))
+	    {
 	    nmod=atoi(value);
+	    printf("[mod = %d]\n\n", nmod);
+	    }
 	else if(!strcmp(keyword,"P"))
 	    p=hex2bn(value);
 	else if(!strcmp(keyword,"Q"))
 	    q=hex2bn(value);
 	else if(!strcmp(keyword,"G"))
 	    g=hex2bn(value);
 	else if(!strcmp(keyword,"Seed"))
 	    {
 	    int slen = hex2bin(value, seed);
 	    if (slen != 20)
 		{
 		fprintf(stderr, "Seed parse length error\n");
 		exit (1);
 		}
 	    }
 	else if(!strcmp(keyword,"c"))
 	    counter =atoi(buf+4);
 	else if(!strcmp(keyword,"H"))
 	    {
 	    h = atoi(value);
 	    if (!p || !q || !g)
 		{
 		fprintf(stderr, "Parse Error\n");
 		exit (1);
 		}
 	    pbn("P",p);
 	    pbn("Q",q);
 	    pbn("G",g);
 	    pv("Seed",seed,20);
 	    printf("c = %d\n",counter);
 	    printf("H = %lx\n",h);
 	    dsa = FIPS_dsa_new();
 	    if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
 			{
 			do_print_errors();
 			exit(1);
 			}
             if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
 		|| (counter != counter2) || (h != h2))
 	    	printf("Result = F\n");
 	    else
-	    	printf("Result = T\n");
+	    	printf("Result = P\n"); 	/* key for pass is "P", not "T" */
 	    BN_free(p);
 	    BN_free(q);
 	    BN_free(g);
 	    p = NULL;
 	    q = NULL;
 	    g = NULL;
 	    FIPS_dsa_free(dsa);
 	    dsa = NULL;
 	    }
 	}
     }
 
 /* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
  * algorithm tests. It is an additional test to perform sanity checks on the
  * output of the KeyPair test.
  */
 
 static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
 							BN_CTX *ctx)
     {
     BIGNUM *rem = NULL;
     if (BN_num_bits(p) != nmod)
 	return 0;
     if (BN_num_bits(q) != 160)
 	return 0;
     if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
 	return 0;
     if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
 	return 0;
     rem = BN_new();
     if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
     	|| (BN_cmp(g, BN_value_one()) <= 0)
 	|| !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
 	{
 	BN_free(rem);
 	return 0;
 	}
     /* Todo: check g */
     BN_free(rem);
     return 1;
     }
 
 void keyver()
     {
     char buf[1024];
     char lbuf[1024];
     char *keyword, *value;
     BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
     BIGNUM *Y2;
     BN_CTX *ctx = NULL;
     int nmod=0, paramcheck = 0;
 
     ctx = BN_CTX_new();
     Y2 = BN_new();
 
     while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		{
 		fputs(buf,stdout);
 		continue;
 		}
 	if(!strcmp(keyword,"[mod"))
 	    {
 	    if (p)
 		BN_free(p);
 	    p = NULL;
 	    if (q)
 		BN_free(q);
 	    q = NULL;
 	    if (g)
 		BN_free(g);
 	    g = NULL;
 	    paramcheck = 0;
 	    nmod=atoi(value);
 	    }
 	else if(!strcmp(keyword,"P"))
 	    p=hex2bn(value);
 	else if(!strcmp(keyword,"Q"))
 	    q=hex2bn(value);
 	else if(!strcmp(keyword,"G"))
 	    g=hex2bn(value);
 	else if(!strcmp(keyword,"X"))
 	    X=hex2bn(value);
 	else if(!strcmp(keyword,"Y"))
 	    {
 	    Y=hex2bn(value);
 	    if (!p || !q || !g || !X || !Y)
 		{
 		fprintf(stderr, "Parse Error\n");
 		exit (1);
 		}
 	    pbn("P",p);
 	    pbn("Q",q);
 	    pbn("G",g);
 	    pbn("X",X);
 	    pbn("Y",Y);
 	    if (!paramcheck)
 		{
 		if (dss_paramcheck(nmod, p, q, g, ctx))
 			paramcheck = 1;
 		else
 			paramcheck = -1;
 		}
 	    if (paramcheck != 1)
 	   	printf("Result = F\n");
 	    else
 		{
 		if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
 	    		printf("Result = F\n");
 	        else
-	    		printf("Result = T\n");
+	    		printf("Result = P\n"); 	/* pass is "P", not "T" */
 		}
 	    BN_free(X);
 	    BN_free(Y);
 	    X = NULL;
 	    Y = NULL;
 	    }
 	}
 	if (p)
 	    BN_free(p);
 	if (q)
 	    BN_free(q);
 	if (g)
 	    BN_free(g);
 	if (Y2)
 	    BN_free(Y2);
     }
 
 void keypair()
     {
     char buf[1024];
     char lbuf[1024];
     char *keyword, *value;
     int nmod=0;
 
     while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		{
 		fputs(buf,stdout);
 		continue;
 		}
 	if(!strcmp(keyword,"[mod"))
 	    nmod=atoi(value);
 	else if(!strcmp(keyword,"N"))
 	    {
 	    DSA *dsa;
 	    int n=atoi(value);
 
 	    printf("[mod = %d]\n\n",nmod);
 	    dsa = FIPS_dsa_new();
 	    if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
 		{
 		do_print_errors();
 		exit(1);
 		}
 	    pbn("P",dsa->p);
 	    pbn("Q",dsa->q);
 	    pbn("G",dsa->g);
 	    putc('\n',stdout);
 
 	    while(n--)
 		{
 		if (!DSA_generate_key(dsa))
 			{
 			do_print_errors();
 			exit(1);
 			}
 
 		pbn("X",dsa->priv_key);
 		pbn("Y",dsa->pub_key);
 		putc('\n',stdout);
 		}
 	    }
 	}
     }
 
 void siggen()
     {
     char buf[1024];
     char lbuf[1024];
     char *keyword, *value;
     int nmod=0;
     DSA *dsa=NULL;
 
     while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		{
 		fputs(buf,stdout);
 		continue;
 		}
 	if(!strcmp(keyword,"[mod"))
 	    {
 	    nmod=atoi(value);
 	    printf("[mod = %d]\n\n",nmod);
 	    if (dsa)
 		FIPS_dsa_free(dsa);
 	    dsa = FIPS_dsa_new();
 	    if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
 		{
 		do_print_errors();
 		exit(1);
 		}
 	    pbn("P",dsa->p);
 	    pbn("Q",dsa->q);
 	    pbn("G",dsa->g);
 	    putc('\n',stdout);
 	    }
 	else if(!strcmp(keyword,"Msg"))
 	    {
 	    unsigned char msg[1024];
 	    unsigned char sbuf[60];
 	    unsigned int slen;
 	    int n;
 	    EVP_PKEY pk;
 	    EVP_MD_CTX mctx;
 	    DSA_SIG *sig;
 	    EVP_MD_CTX_init(&mctx);
 
 	    n=hex2bin(value,msg);
 	    pv("Msg",msg,n);
 
 	    if (!DSA_generate_key(dsa))
 		{
 		do_print_errors();
 		exit(1);
 		}
 	    pk.type = EVP_PKEY_DSA;
 	    pk.pkey.dsa = dsa;
 	    pbn("Y",dsa->pub_key);
 
 	    EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
 	    EVP_SignUpdate(&mctx, msg, n);
 	    EVP_SignFinal(&mctx, sbuf, &slen, &pk);
 
 	    sig = DSA_SIG_new();
 	    FIPS_dsa_sig_decode(sig, sbuf, slen);
 
 	    pbn("R",sig->r);
 	    pbn("S",sig->s);
 	    putc('\n',stdout);
 	    DSA_SIG_free(sig);
 	    EVP_MD_CTX_cleanup(&mctx);
 	    }
 	}
 	if (dsa)
 		FIPS_dsa_free(dsa);
     }
 
 void sigver()
     {
     DSA *dsa=NULL;
     char buf[1024];
     char lbuf[1024];
     unsigned char msg[1024];
     char *keyword, *value;
     int nmod=0, n=0;
     DSA_SIG sg, *sig = &sg;
 
     sig->r = NULL;