
smuellerdd / acvpparser


ACVP Parser for invocation of cryptographic implementations using the ACVP JSON test vectors

Home Page: https://www.chronox.de/acvpparser

License: Other

Makefile 0.54% C 71.31% Shell 1.97% Roff 0.50% Perl 0.41% C++ 0.06% Batchfile 25.21%

acvpparser's People

Contributors

aelizaro, andreasaxis, areyay, dpev, elenatyuleneva, fschmidberger, goatold, mbwang, null0link, sckoehler, sikkamukul, smuellerdd, the-mule


acvpparser's Issues

[Question] Imputing meaning from directory names

Hi Stephan,

My work has asked me to add LRNG to our 4.14.140 kernel that runs on our embedded devices. In looking through the repository and reading past issue tickets I have some questions.

  • In the various version directories in the backports directory, there are directories of patches arranged by <lrng version>-<kernel version>. Up to lrng version v45, there is a v45-4.14 directory of patches. There is also a directory of patches named v45-4.14.286. After v45 we are seeing kernel versions for 4.14 like this:
    v46-4.14.286
    v47-4.14.295
    v48-4.14.302
    v49-4.14.307
    v50-4.14.314
    v50-4.14.320

    • Am I correct in understanding that the kernel version in the directory name is the minimum version that the directory's patches can be applied to? For example, I could apply patches to my 4.14.140 kernel from the v45-4.14 directory but not from the v45-4.14.286 directory?
    • If, for v45, I can only apply patches from the v45-4.14 directory, then does that mean I can only update to v45, since my 4.14.140 kernel version is not high enough to apply the patches from the 4.14.nnn directories in later lrng versions?
  • Another question, many of the patch files in the v45-4.14 directory show they are patching files from later linux kernel versions. Does this mean I will need to copy those base files from the later kernel version into my 4.14.140 kernel tree before applying the patches to them?

Thanks,

Bruce

Openssl SHA* get the responses but the results are not matching with the expected

I used openssl to generate responses, but the results are not matching the expected values.
One test is like this:

"algorithm": "SHA-1",
"revision": "1.0",
"isSample": true,
"testGroups": [
{
"tgId": 1,
"testType": "AFT",
"tests": [
{
"tcId": 1,
"msg": "F6EB4374909131CCCAA2D690D74BE58A11EF7E59B593A83B1212208680",
"len": 226
},

Expected:
{
"tcId": 1,
"md": "41CF7C313415517A0A7BEE598C18193E6EC75A91"
}

Generated by the acvpparser:

{"tcId":1,
"md":"d75d30056f682760c88d0310596cad8c11c547fa"
},

I use the command line to test; it's like this:
echo F6EB4374909131CCCAA2D690D74BE58A11EF7E59B593A83B1212208680 | xxd -r -ps| openssl sha1
(stdin)= d75d30056f682760c88d0310596cad8c11c547fa

Is it about a len issue?

Linking OpenSSL for Windows platform

Hello -- we have been trying to get our ACVP parser to link to OpenSSL, but the linker complains it isn’t able to link to OpenSSL during the final step when it is being done by Visual Studio. Do we need to do anything special for linking? We are using OpenSSL 1.1.1 targeting a build for the Windows platform.

Thank you!

RSA KeyGen parse bitlens Issues

My test vector is:
"algorithm": "RSA",
"mode": "keyGen",
"revision": "FIPS186-4",
"isSample": true,
"testGroups": [
{
"tgId": 1,
"infoGeneratedByServer": true,
"modulo": 2048,
"testType": "AFT",
"keyFormat": "standard",
"primeTest": "tblC2",
"randPQ": "B.3.6",
"pubExp": "random",
"tests": [
{
"tcId": 1,
"bitlens": [
499,
241,
345,
374
],
"xP": "..",
"xQ": "..",
"xP1": "..",
"xP2": "..",
"xQ1": "..",
"xQ2": "..",
"e": ".."
}
I want to parse bitlens, xP, xQ and send them to openssl_rsa_keygen.
Now, I have added this code:
/*{"bitlens",..................................................................................................},*/
{"e", {.data.buf = &rsa_keygen_vector.e, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT| FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
{"xP", {.data.buf = &rsa_keygen_vector.xp, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT| FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
{"xP1", {.data.buf = &rsa_keygen_vector.xp1, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT | FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
{"xP2", {.data.buf = &rsa_keygen_vector.xp2, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT | FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
{"xQ", {.data.buf = &rsa_keygen_vector.xq, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT| FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
{"xQ1", {.data.buf = &rsa_keygen_vector.xq1, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT | FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
{"xQ2", {.data.buf = &rsa_keygen_vector.xq2, PARSER_BIN},
FLAG_OP_ASYM_TYPE_KEYGEN | FLAG_OP_AFT | FLAG_OP_RSA_PQ_B36_PRIMES | FLAG_OP_RSA_CRT},
}; for empty arrays */
const struct json_array rsa_keygen_test = SET_ARRAY(rsa_keygen_test_entries, &rsa_keygen_testresult);
I have xP, xQ, etc. passed correctly to openssl_rsa_keygen, but how do I parse bitlens into rsa_keygen_vector.bitlen? Thanks!

lrng tests failing with SHA256

We built the tool for lrng code. We are testing on CentOS 7. The input vector with algorithm SHA-1 is passing, but the input vector with algorithm SHA2-256 fails. Here are more details from the verbose output:
ACVPParser (22:37:38) Error: Cannot read data from kernel: -22
ACVPParser (22:37:38) Warning: Test execution failed with error -22
ACVPParser (22:37:38) Error: Test execution failed
ACVPParser (22:37:38) Debug: Freeing entry msg with data type 0
ACVPParser (22:37:38) Debug: Freeing entry len with data type 2
ACVPParser (22:37:38) Debug: Freeing entry md with data type 12
ACVPParser (22:37:38) Warning: Searched object: tests
ACVPParser (22:37:38) Error: Parsing processdata failed
ACVPParser (22:37:38) Warning: Searched object: testGroups

Any suggestions to solve this issue? Thanks.

Function flow for testType: AFT, KeyGen

 Vector set ID 556101 safePrimes           keyGen           FAILED
 Vector set ID 556103 KAS-FFC-SSC          -                FAILED

I could see that "testType": "AFT" failed in all cases.

What does this meta info "AFT" say?

"result": "failed",
"reason": "Z does not match"

Any clue about this failure situation?
What might have failed all the KeyGen?

Could you please share the function flow for "testType": "AFT"?

I understood that for key gen "_openssl_dh_keygen which calls openssl_dh_set_param to fill the DH structure with PQG and then call DH_generate_key to generate the key".

Regards,

Openssl safePrimes_keyGen ffdhe2048 error

I'm testing the parser on openssl 3.0.8 and getting an error 14 when running safePrime_keyGen vectors.
From what I can tell, the error is coming from a call to _openssl_dsa_keygen.
Attached is the relevant debug logs.
Is this a known issue? Is this caused by something unrelated to the parser?
safePrimes_keyGen debug log.txt

make openssl build error

Hi ,

I tried "make openssl". It gave:
gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT="openssl" -g -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fwrapv --param ssp-buffer-size=4 -Iparser -c -o backends/backend_openssl.o backends/backend_openssl.c
backends/backend_openssl.c:35:10: fatal error: openssl/fips.h: No such file or directory
#include <openssl/fips.h>
^~~~~~~~~~~~~~~~
compilation terminated.

Which openssl will it refer to? There is no info available about the location of openssl in the Makefile.

Do I need to specify the header files and library location in the Makefile?

In parsed_flagblock, incorrect flagging occurs when one mode is a prefix of the other

When parsing the "running mode" flags for tls13, it was found that in "PSK-DHE" mode, the flags would be set incorrectly. Since "PSK" is a substring of "PSK-DHE", when the flags were sent during processing of "PSK-DHE" requests, both FLAG_OP_TLS13_RUNNING_MODE_PSK and FLAG_OP_TLS13_RUNNING_MODE_PSKDHE were set when they shouldn't be, which causes parsing issues.

We have a fix coming which modifies this check to make sure the strings do an exact case-insensitive match.

Function with bug
https://github.com/smuellerDD/acvpparser/blob/master/parser/parser_common.c#L491

"running mode" strings for TLS13
https://github.com/smuellerDD/acvpparser/blob/master/parser/parser_common.c#L693

relevant parser_flags
https://github.com/smuellerDD/acvpparser/blob/master/parser/parser_flags.h#L181
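
An added example (not the code of parsed_flagblock and not from the issue author) that reproduces the behaviour described above: comparing only as many characters as the table entry has makes "PSK" match "PSK-DHE", while an exact case-insensitive comparison sets a single flag. The two flag names come from the issue; their bit values and the names mode_map, running_modes, ci_ncmp, mode_flags_prefix, mode_flags_exact and mode_flags_valid are assumptions for this sketch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names are from the issue; the bit positions are assumed for this demo. */
#define FLAG_OP_TLS13_RUNNING_MODE_PSK    (1ULL << 0)
#define FLAG_OP_TLS13_RUNNING_MODE_PSKDHE (1ULL << 1)

struct mode_map {
	const char *name;
	uint64_t flag;
};

static const struct mode_map running_modes[] = {
	{ "PSK",     FLAG_OP_TLS13_RUNNING_MODE_PSK },
	{ "PSK-DHE", FLAG_OP_TLS13_RUNNING_MODE_PSKDHE },
};
#define N_MODES (sizeof(running_modes) / sizeof(running_modes[0]))

/* Case-insensitive compare of at most n characters; 0 means equal. */
static int ci_ncmp(const char *a, const char *b, size_t n)
{
	for (; n; a++, b++, n--) {
		int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);

		if (d || !*a)
			return d;
	}
	return 0;
}

/* Before: only strlen(table entry) characters are compared, so every
 * entry that is a prefix of the JSON value contributes its flag. */
static uint64_t mode_flags_prefix(const char *value)
{
	uint64_t flags = 0;

	for (size_t i = 0; i < N_MODES; i++) {
		const char *name = running_modes[i].name;

		if (!ci_ncmp(value, name, strlen(name)))
			flags |= running_modes[i].flag;
	}
	return flags;
}

/* After: the lengths must agree as well, i.e. an exact
 * case-insensitive match as announced in the issue. */
static uint64_t mode_flags_exact(const char *value)
{
	uint64_t flags = 0;
	size_t vlen = strlen(value);

	for (size_t i = 0; i < N_MODES; i++) {
		const char *name = running_modes[i].name;

		if (vlen == strlen(name) && !ci_ncmp(value, name, vlen))
			flags |= running_modes[i].flag;
	}
	return flags;
}

/* Consumer-side sanity check: the issue treats both flags being set as the
 * error, so accept a result only when exactly one mode bit is present. */
static int mode_flags_valid(uint64_t flags)
{
	return flags != 0 && (flags & (flags - 1)) == 0;
}

int main(void)
{
	/* Constructed inputs: the two mode strings plus case and near-miss variants. */
	const char *samples[] = { "PSK", "PSK-DHE", "psk-dhe", "PSK-", "DHE" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t before = mode_flags_prefix(samples[i]);
		uint64_t after = mode_flags_exact(samples[i]);

		printf("%-8s prefix=0x%llx (%s)  exact=0x%llx (%s)\n", samples[i],
		       (unsigned long long)before,
		       mode_flags_valid(before) ? "ok" : "reject",
		       (unsigned long long)after,
		       mode_flags_valid(after) ? "ok" : "reject");
	}
	return 0;
}
```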

make openssl failed

Hi,

I tried to compile with the command 'make openssl' but was not successful.

gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT="openssl" -g -std=c11 -Wno-variadic-macros -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fwrapv --param ssp-buffer-size=4 -Iparser -c -o backends/backend_openssl_common.o backends/backend_openssl_common.c
backends/backend_openssl_common.c: In function ‘openssl_mct_update’:
backends/backend_openssl_common.c:756:45: error: invalid use of incomplete typedef ‘EVP_CIPHER_CTX’ {aka ‘struct evp_cipher_ctx_st’}
756 | BN_bn2bin(tweak, ctx->iv + data->iv.len - BN_num_bytes(tweak));

Before compiling this, I downloaded openssl 3.0, installed it, and also set LD_LIBRARY_PATH=/usr/lib64/.

The platform is an Ubuntu 22.04.2 LTS VM.

Thanks in advance.

kdf ikev2 issues

I've written a kdf ikev2 backend that's basically just your ikev2 cavs test ported to receive acvp data. The tests pass when Ni and Nr are the same length and their lengths (nInitLength, nRespLength) are divisible by 8, but when I test with vectors where Ni and Nr have different lengths and are not divisible by 8, then I'm not able to generate the correct SKEYSEED. I haven't been able to test with vectors where Ni and Nr are different lengths but their lengths are divisible by 8, because I don't have any tests that match that criteria.

Public Availability of `acvp2cavs` and `cavs2acvp` backends

Out of curiosity (and perhaps I'm missing them and they're actually there) is there any intention in making the acvp2cavs or cavs2acvp backends public? It seems like there are references to them in the Makefile and in some of the documentation but I can't seem to build them nor find their source files.

Thanks very much for your time.

Openssl build error

Hello,

I am building the acvp parser with the openssl backend. I am using openssl-1.0.2l with openssl-fips-2.016, but I am getting the compilation errors below.
backends/backend_openssl.c: In function ‘_openssl_dsa_pqg_gen’:
backends/backend_openssl.c:764:14: error: implicit declaration of function ‘FIPS_dsa_generate_pq’; did you mean ‘FIPS_dsa_generate_key’? [-Werror=implicit-function-declaration]
CKINT_O_LOG(FIPS_dsa_generate_pq(ctx, L, N,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:775:15: error: implicit declaration of function ‘FIPS_dsa_generate_g’; did you mean ‘FIPS_dsa_generate_key’? [-Werror=implicit-function-declaration]
CKINT_O_LOG(FIPS_dsa_generate_g(ctx, p, q, &g, &h, NULL),
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c: In function ‘openssl_dsa_pq_ver’:
backends/backend_openssl.c:887:14: error: implicit declaration of function ‘FIPS_dsa_builtin_paramgen’; did you mean ‘fips_dsa_builtin_paramgen2’? [-Werror=implicit-function-declaration]
CKINT_O_LOG(FIPS_dsa_builtin_paramgen(dsa, data->L, data->N, NULL,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c: In function ‘openssl_kdf108’:
backends/backend_openssl.c:2850:2: error: unknown type name ‘EVP_KDF_CTX’; did you mean ‘EVP_MD_CTX’?
EVP_KDF_CTX *ctx = NULL;
^~~~~~~~~~~
EVP_MD_CTX
backends/backend_openssl.c:2873:8: error: implicit declaration of function ‘EVP_KDF_CTX_new_id’; did you mean ‘EVP_PKEY_CTX_new_id’? [-Werror=implicit-function-declaration]
ctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
^~~~~~~~~~~~~~~~~~
EVP_PKEY_CTX_new_id
backends/backend_openssl.c:2873:27: error: ‘EVP_KDF_KB’ undeclared (first use in this function); did you mean ‘EVP_PKEY_id’?
ctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
^~~~~~~~~~
EVP_PKEY_id
backends/backend_openssl.c:2873:27: note: each undeclared identifier is reported only once for each function it appears in
backends/backend_openssl.c:2879:14: error: implicit declaration of function ‘EVP_KDF_ctrl’; did you mean ‘SSL_CTX_ctrl’? [-Werror=implicit-function-declaration]
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KB_MODE,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2879:32: error: ‘EVP_KDF_CTRL_SET_KB_MODE’ undeclared (first use in this function); did you mean ‘EVP_PKEY_CTRL_EC_KDF_MD’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KB_MODE,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2881:6: error: ‘EVP_KDF_KB_MODE_COUNTER’ undeclared (first use in this function); did you mean ‘ACVP_KDF_108_COUNTER’?
EVP_KDF_KB_MODE_COUNTER :
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2882:6: error: ‘EVP_KDF_KB_MODE_FEEDBACK’ undeclared (first use in this function); did you mean ‘EVP_KDF_KB_MODE_COUNTER’?
EVP_KDF_KB_MODE_FEEDBACK),
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2890:33: error: ‘EVP_KDF_CTRL_SET_MD’ undeclared (first use in this function); did you mean ‘EVP_PKEY_CTRL_GET_MD’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, md),
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2892:33: error: ‘EVP_KDF_CTRL_SET_KB_MAC_TYPE’ undeclared (first use in this function); did you mean ‘EVP_KDF_CTRL_SET_KB_MODE’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2893:7: error: ‘EVP_KDF_KB_MAC_TYPE_HMAC’ undeclared (first use in this function); did you mean ‘EVP_KDF_KB_MODE_FEEDBACK’?
EVP_KDF_KB_MAC_TYPE_HMAC),
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2900:33: error: ‘EVP_KDF_CTRL_SET_CIPHER’ undeclared (first use in this function); did you mean ‘EVP_KDF_CTRL_SET_MD’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_CIPHER, type),
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2903:7: error: ‘EVP_KDF_KB_MAC_TYPE_CMAC’ undeclared (first use in this function); did you mean ‘EVP_KDF_KB_MAC_TYPE_HMAC’?
EVP_KDF_KB_MAC_TYPE_CMAC),
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2908:32: error: ‘EVP_KDF_CTRL_SET_KEY’ undeclared (first use in this function); did you mean ‘EVP_KDF_CTRL_SET_MD’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2926:32: error: ‘EVP_KDF_CTRL_SET_SALT’ undeclared (first use in this function); did you mean ‘EVP_KDF_CTRL_SET_KEY’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SALT, label.buf,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2931:32: error: ‘EVP_KDF_CTRL_SET_KB_INFO’ undeclared (first use in this function); did you mean ‘EVP_KDF_CTRL_SET_KB_MODE’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KB_INFO, context.buf,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2950:33: error: ‘EVP_KDF_CTRL_SET_KB_SEED’ undeclared (first use in this function); did you mean ‘EVP_KDF_CTRL_SET_KB_INFO’?
CKINT_O_LOG(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KB_SEED,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2956:14: error: implicit declaration of function ‘EVP_KDF_DERIVE’; did you mean ‘EVP_PKEY_OP_DERIVE’? [-Werror=implicit-function-declaration]
CKINT_O_LOG(EVP_KDF_DERIVE(ctx, data->derived_key.buf,
^
backends/backend_openssl.c:63:8: note: in definition of macro ‘CKINT_O_LOG’
ret = x;
^
backends/backend_openssl.c:2962:2: error: implicit declaration of function ‘EVP_KDF_CTX_free’; did you mean ‘EVP_PKEY_CTX_free’? [-Werror=implicit-function-declaration]
EVP_KDF_CTX_free(ctx);

The functions in the errors above are not available in openssl-1.0.2l and openssl-fips-2.0.16. Where are these defined? Do I need to replace these functions with the respective alternatives from openssl-1.0.2l/openssl-fips-2.0.16?

Please let me know how I can resolve this.

Thanks,
Nag

Build issue against OpenSSL 1.1.1

Hi, @smuellerDD.

Is there any way to build acvp-parser against OpenSSL 1.1.1?

I'd like to evaluate implementations of some algorithms in OpenSSL 1.1.1.
But I've encountered a build issue with "make openssl" command.

gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT="openssl" -g -std=c11 -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fwrapv --param ssp-buffer-size=4 -Iparser -c -o backends/backend_openssl_common.o backends/backend_openssl_common.c
In file included from backends/backend_openssl_common.c:24:
backends/backend_openssl_common.h:61:10: fatal error: openssl/fips.h: No such file or directory

Reading the issue #16, I assumed that acvp-parser can work with OpenSSL 1.1.x.

Fipsified OpenSSL 1.0.x, 1.1.x and OpenSSL 2.0.x should work.

Does this mean building acvp-parser requires a fipsified OpenSSL 1.1.1?
If so, please tell me where it is.

Thanks.

Is AES-CTR mode supported?

I don't see the resolution of aes-ctr mode in the implementation of backend and parser. How do I handle the payloadlen variable in the test vector?

Is RSA not one of the supported backend implementations for openssl3?

I have an acvp parser built for openssl3, and I tried to pass an RSA request and it failed immediately.
A trace shows me it failed here:
main()
perform_testing
get_algorithm
test_algo
curr_tester->process_req(in, out, cipher); // rsa_tester (parser/parser_rsa.c +682)
logger(LOGGER_WARN, "No RSA backend set\n") // FAILs (parser/parser_rsa.c +359)

Looks like RSA is not one of the supported backend implementations for openssl3.
Is that due? Is there a reason it is not supported?

grep "_backend(" backends/backend_openssl3.c

static void openssl_mac_backend(void)
static void openssl_kmac_backend(void)
static void openssl_dh_backend(void)
static void openssl_ecdh_backend(void)
static void openssl_drbg_backend(void)
static void openssl_kdf_tls_backend(void)
static void openssl_kdf_ssh_backend(void)
static void openssl_kdf_108_backend(void)
static void openssl_dsa_backend(void)
static void openssl_ecdsa_backend(void)

Please also find the detailed debug log attached.
acvp-parser_openssl3-fails-to-process-RSA-Json-file.txt

Cannot build for libkcapi

Hi there,

I check here http://www.chronox.de/acvpparser.html and see that the libkcapi was successfully linked with and tested using the ACVP Parser. I tried to build the parser for libkcapi with the below command:
make libkcapi

However, it failed:

make: *** No rule to make target 'backends/backend_libkcapi.c', needed by 'backends/backend_libkcapi.o'. Stop.

I checked the backends directory and there is no backends/backend_libkcapi.c.
May I ask some questions:

  1. Is the backends/backend_libkcapi.c necessary?
  2. If (1) is YES, is the backend open source?
  3. If (2) is NO, could you please give me some hints to implement the backend?

Waiting for your response.
Thank you and Best Regards,

Openssh acvp test results not matching

Hi,

I used this driver code to generate responses, but the results are not matching the expected values. Any help in debugging will be useful.

[SHA-1]
[shared secret length = 2048]
[IV length = 128]
[encryption key length = 128]

COUNT = 0
K = 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
H = e90db56930f1bcdf26794e02fb8869da484454f9
session_id = e90db56930f1bcdf26794e02fb8869da484454f9

Expected values:

Initial IV (client to server) = 61285844e2f6406b606f583ee72b465f
Initial IV (server to client) = c901351c920e65f358b1a11674bd88b5
Encryption key (client to server) = e79bc63d93d1e503c69975423fea6440
Encryption key (server to client) = e3cd3893a62e2ff288d98d0b84e490bc
Integrity key (client to server) = 9b0d3083f9493b67eec43b69908dac864f090e3f
Integrity key (server to client) = 45cd04bb8c44f468b26237bb673483c65b92279f

Generated values:

./acvptest-kdf -K 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 -H e90db56930f1bcdf26794e02fb8869da484454f9 -s e90db56930f1bcdf26794e02fb8869da484454f9 -i 16 -e 16 -m 20
Initial IV (client to server) = a8dd4444b4ea9b9cac43395ad5ce2584
Initial IV (server to client) = dee9d97bd1e4cb28afb515133606d295
Encryption key (client to server) = 3614e50817427dbaf773e3efe496482b
Encryption key (server to client) = 365446cf8e15ac4a52787bf2669fd3f7
Integrity key (client to server) = 995c65feabaf6e3a48cb99e8979fd23ee977e951
Integrity key (server to client) = 36be83ff9918058e7f9db1514f024f56bc713508

Thanks
Nag

Build acvp for Mac Arm

Hi, there,

I have been able to build acvp for x86 Mac with:

  1. brew install gcc
  2. make clean
     make CC=/usr/local/bin/gcc-11 openssl

I could build after editing the source file to fix some compilation errors.

Then I wanted to build for Mac Arm:

  1. brew tap ArmMbed/homebrew-formulae
     brew install arm-none-eabi-gcc
  2. make clean
     make CC=/usr/local/bin/arm-none-eabi-gcc openssl

But I have tons of undefined symbols for my openssl lib functions.

My openssl library was built with the cc (clang) compiler. But if I try clang with the acvp source code, it does not work.

Do you have any suggestions on how to make it work?

Thanks.

Create shared and static libraries of the acvpparser

Hi all,

We've been using the acvpparser framework to facilitate cavs testing using our existing code. In the course of doing this, I modified the Makefile and a few other files to add a makefile target to create shared and static libraries (libacvpparser.so and libacvpparser.a). I have a git repository with these changes, but I'm not sure how to push up my changes at this time. Does this need a new branch?

Thanks,
Dan

The kdf component mode in ansix9.63

I found that the code doesn't have the kdf component parser for mode ansix9.63. How do I implement the parser for this mode and its backend?

RSA Decrypt Primitive Sp800-56Br2 vector not supported

Hi Stephan,

Due to https://pages.nist.gov/ACVP/draft-celi-acvp-rsa.html#name-rsa-decryptionprimitive-sp8

acvp-parser currently supports [RSA Decryption Primitive 1.0] to calculate ciphertext to plaintext, e, n and testPassed results, but I'm facing the issue that running test vectors with revision SP800-56Br2 is not supported. Is there any plan to support it?

I'm trying to make acvp-parser support RSA decrypt with prime factor in OpenSSL (1.0.2k).

parser_rsa.c input & output definition:

	/* SP800-56Br2  Response */
	const struct json_entry rsa_decryption_primitive_testresult_entries[] = {
		{"pt",		{.data.buf = &rsa_decryption_primitive_vector.pt, WRITER_BIN},
			         FLAG_OP_RSA_TYPE_COMPONENT_DEC_PRIMITIVE | FLAG_OP_AFT},
	};

	const struct json_testresult rsa_decryption_primitive_testresult = SET_ARRAY(rsa_decryption_primitive_testresult_entries, &rsa_decryption_primitive_callbacks);

	/* SP800-56Br2  Request */
	const struct json_entry rsa_decryption_primitive_testresults_entries[] = {
		{"tcId",	{.data.integer = &rsa_decryption_primitive_vector.tcid, PARSER_UINT},
			         FLAG_OP_RSA_TYPE_COMPONENT_DEC_PRIMITIVE | FLAG_OP_AFT},
		{"ct",	{.data.buf = &rsa_decryption_primitive_vector.ct, PARSER_BIN},
			         FLAG_OP_RSA_TYPE_COMPONENT_DEC_PRIMITIVE | FLAG_OP_AFT},
		{"p",	{.data.buf = &rsa_decryption_primitive_vector.p, PARSER_BIN},
			         FLAG_OP_RSA_TYPE_COMPONENT_DEC_PRIMITIVE | FLAG_OP_AFT},
		{"q",	{.data.buf = &rsa_decryption_primitive_vector.q, PARSER_BIN},
			         FLAG_OP_RSA_TYPE_COMPONENT_DEC_PRIMITIVE | FLAG_OP_AFT},
		{"d",	{.data.buf = &rsa_decryption_primitive_vector.d, PARSER_BIN},
			         FLAG_OP_RSA_TYPE_COMPONENT_DEC_PRIMITIVE | FLAG_OP_AFT},
	};
	const struct json_array rsa_decryption_primitive_testresults = SET_ARRAY(rsa_decryption_primitive_testresults_entries, &rsa_decryption_primitive_testresult);

Now I get input ct, p, q, d and output with pt.

Define a new function to generate RSA structure with p, q, d as input:

static int openssl_rsa_keygen_en_new(struct buffer *ebuf, uint32_t modulus,
				 void **privkey, struct buffer *nbuf, struct buffer *dbuf, struct buffer *pbuf, struct buffer *qbuf)
{
	return openssl_rsa_keygen_internal(ebuf, modulus, (RSA **)privkey, nbuf,
					   dbuf, pbuf, qbuf);
}

My question here is focused on class openssl_rsa_keygen_internal.
If I don't care about other RSA test cases and only need the RSA DP result,

openssl_rsa_keygen_internal

	e = BN_bin2bn((const unsigned char *)ebuf->buf, (int)ebuf->len, e);
	CKNULL(e, -ENOMEM);
	p = BN_bin2bn((const unsigned char *)pbuf->buf, (int)pbuf->len, p);
	CKNULL(p, -ENOMEM);
	q = BN_bin2bn((const unsigned char *)qbuf->buf, (int)qbuf->len, q);
	CKNULL(q, -ENOMEM);
	d = BN_bin2bn((const unsigned char *)dbuf->buf, (int)dbuf->len, d);
	CKNULL(d, -ENOMEM);

	BN_CTX *ctx = BN_CTX_new();
	n = BN_new();

	ret = BN_mul(n, p, q, ctx);

	if (ret != 1) {
		printf("Error: failed to calculate n\n");
		return -1;
	}

	BN_CTX_free(ctx);

	if (rsa)
		RSA_free(rsa);

	rsa = RSA_new();
	CKNULL(rsa, -ENOMEM);

	CKINT_O_LOG(openssl_rsa_set0_key(rsa, n, e, d),
			"Assembly of RSA key failed\n");
	CKINT_O_LOG(openssl_rsa_set0_factors(rsa, p, q),
			"Assembly of RSA factors failed\n");

	if (RSA_check_key(rsa) != 1) {
		printf("Error: RSA key is invalid\n");
		ERR_print_errors_fp(stderr);
		/* handle the error */
	}

	if (outkey) {
		*outkey = rsa;
		rsa = NULL;
	}

Is there something I missed to calculate the plaintext with it? Or is there another function I can refer to?

Regards,
Tony

acvp-parser not generating response for RSA_ sigGen

Hello,

I am trying to generate response for RSA_sigGen, but getting this error.

acvpparser-2.1.3$ ./acvp-parser /home/nagarjun/openssl_sample_vect/651205\ RSA\ sigGen/testvector-request.json /home/nagarjun/openssl_sample_vect/651205\ RSA\ sigGen/testvector-response.json
ACVPParser (04:59:08) Error: EVP_DigestSignFinal failed: error:060A80A3:lib(6):func(168):reason(163)
ACVPParser (04:59:08) Error: Test execution failed
ACVPParser (04:59:08) Error: Parsing processdata failed

I am using FIPS openssl (1.0.2l+2.0.16)
acvpparser-2.1.3$ ldd acvp-parser
linux-vdso.so.1 (0x00007fff6b7ce000)
libcrypto.so.1.0.0 => /home/nagarjun/unpatched_srccode/FIPS/usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f4ea2f3e000)
libssl.so.1.0.0 => /home/nagarjun/unpatched_srccode/FIPS/usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f4ea2ccb000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4ea28da000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4ea26d6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f4ea3656000)

Please let me know how to resolve this.

Thanks
Nag

Can not build against OpenSSH

I can't build against openssh. I can't find backend code for openssh. There is an instruction to build.
backend_interfaces/openssh/README
There is no such file. Please suggest.

FIPS_dsa_generate_pq function definition missing

I tried integrating the acvpparser tool with my openssl 1.0.2 with openssl-fips-2.0.16, and I am facing issues like FIPS_dsa_generate_pq and FIPS_dsa_generate_g not being available.

May I know what exactly FIPS_dsa_generate_pq is in backend_openssl.c?

CKINT_O_LOG(FIPS_dsa_generate_pq(ctx, L, N,
"FIPS_dsa_generate_pq() failed");
"FIPS_dsa_generate_pq() failed %s\n",

How to use the api to compute the cmac value?

Hi,
Can you tell me how to use the libkcapi interface to calculate the mac value with aes-cmac? I only saw the use case of pbkdf with cmac in the test case. But I only want to use the interface to calculate the cmac value output. Which interface should I invoke?

Waiting for your response.
Thank you!

Build Error: EVP_PKEY_SSHKDF

Hello,
I'm building on Ubuntu with a "FIPS-ified" OpenSSL-1.1.1g and seeing SSH KDF build errors (omitted some for brevity):

gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT=\"openssl\" -g -std=c11 -Wno-variadic-macros -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-all -fwrapv --param ssp-buffer-size=4 -Iparser   -c -o backends/backend_openssl.o backends/backend_openssl.c
backends/backend_openssl.c: In function ‘openssl_kdf_ssh_internal’:
backends/backend_openssl.c:1329:52: error: ‘EVP_PKEY_SSHKDF’ undeclared (first use in this function)
 # define  EVP_KDF_CTX_NEW_ID() EVP_PKEY_CTX_new_id(EVP_PKEY_SSHKDF,NULL)
                                                    ^

backends/backend_openssl.c:1367:2: error: implicit declaration of function ‘EVP_PKEY_CTX_set_sshkdf_md’ [-Werror=implicit-function-declaration]
  CKINT_O(EVP_KDF_SET_MD(ctx, md));
  ^

I checked in openssl/evp.h and did not find "EVP_PKEY_SSHKDF."

# define EVP_PKEY_NONE   NID_undef
# define EVP_PKEY_RSA    NID_rsaEncryption
# define EVP_PKEY_RSA2   NID_rsa
# define EVP_PKEY_RSA_PSS NID_rsassaPss
# define EVP_PKEY_DSA    NID_dsa
# define EVP_PKEY_DSA1   NID_dsa_2
# define EVP_PKEY_DSA2   NID_dsaWithSHA
# define EVP_PKEY_DSA3   NID_dsaWithSHA1
# define EVP_PKEY_DSA4   NID_dsaWithSHA1_2
# define EVP_PKEY_DH     NID_dhKeyAgreement
# define EVP_PKEY_DHX    NID_dhpublicnumber
# define EVP_PKEY_EC     NID_X9_62_id_ecPublicKey
# define EVP_PKEY_SM2    NID_sm2
# define EVP_PKEY_HMAC   NID_hmac
# define EVP_PKEY_CMAC   NID_cmac
# define EVP_PKEY_SCRYPT NID_id_scrypt
# define EVP_PKEY_TLS1_PRF NID_tls1_prf
# define EVP_PKEY_HKDF   NID_hkdf
# define EVP_PKEY_POLY1305 NID_poly1305
# define EVP_PKEY_SIPHASH NID_siphash
# define EVP_PKEY_X25519 NID_X25519
# define EVP_PKEY_ED25519 NID_ED25519
# define EVP_PKEY_X448 NID_X448
# define EVP_PKEY_ED448 NID_ED448

I looked for minimum required OpenSSL version in the Prerequisites but did not see it mentioned.

Strongswan backend

Hi,

On the ACVP page there is a reference to the backend-specific hints with regards to compiling Strongswan, but I didn't see it in the backend_interfaces/strongswan/README -- is this located somewhere else? I saw there was a note in "kdf ikev2 issues #6" that a backend was available.

Thanks for the help!

Help with usage

I'm trying to use the acvp-parser to solve a vector downloaded from the demo server. No response is produced:

[root@localhost acvpparser]# ./acvp-parser ~/vectors/demo/req/hash.req hash.rsp -vvv
ACVPParser (09:51:54) Debug: Request file /root/vectors/demo/req/hash.req read successfully
ACVPParser (09:51:54) Warning: No data found in ACVP server response: [
{
    "jwt":"XXXXXXXXXXXXXXXXXXXX",
    "url":"\/acvp\/v1\/testSessions\/99631",
    "vectorSetUrls":[
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288635",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288636",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288637",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288638",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288639",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288640",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288641",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288642",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288643",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288644",
      "\/acvp\/v1\/testSessions\/99631\/vectorSets\/288645"
    ]
  },
  {
    "vsId":288635,
    "algorithm":"SHA-1",
    "revision":"1.0",
    "isSample":false,
    "testGroups":[
      {
        "tgId":1,
        "testType":"AFT",
        "tests":[
          {
            "tcId":1,
            "msg":"",
            "len":0
          },
          {
            "tcId":2,
            "msg":"",
            "len":0
          },
          {
            "tcId":3,
            "msg":"60",
            "len":8
          },
          {
            "tcId":4,
            "msg":"8CFC",
            "len":16
          },
          {
            "tcId":5,
            "msg":"C4940B",
            "len":24
          },
          {
            "tcId":6,
            "msg":"D09B9678",
            "len":32
          },
          {
            "tcId":7,
            "msg":"A7759D4F9E",
            "len":40
          },
          {
            "tcId":8,
            "msg":"0CC11A3FAAB7",
            "len":48
          },
          {
            "tcId":9,
            "msg":"AA9F3298119F07",
            "len":56
          },
          {
            "tcId":10,
            "msg":"B1864EE187520915",
            "len":64
          },
          {
            "tcId":11,
            "msg":"707E7E087A2B3AF3EC",
            "len":72
          },
          {
            "tcId":12,
            "msg":"0C290728976250CACEF6",
            "len":80
          },
          {
            "tcId":13,
            "msg":"0AF64E6FA10FB04337390F",
            "len":88
          },
          {
            "tcId":14,
            "msg":"2E228A25BD690B80D3CDF95F",
            "len":96
          },
          {
            "tcId":15,
            "msg":"F713A603D2EE928E4040CE4BAC",
            "len":104
          },
          {
            "tcId":16,
            "msg":"B8E7066241A7D2E9ADDE4B79A3AC",
            "len":112
          },
          {
            "tcId":17,
            "msg":"CD44AD099BA5FE38539BF0931DDAB9",
            "len":120
          },
          {
            "tcId":18,
            "msg":"430DFC10D011331F90227F7B0CF6D633",
            "len":128
          },
          {
            "tcId":19,
            "msg":"37665034F50A12B763A4A46B0153231512",
            "len":136
          },
          {
            "tcId":20,
            "msg":"CAACDD5281E62136C2C90D8F3C5C1CCD30B5",
            "len":144
          },
          {
            "tcId":21,
            "msg":"C6FD60432F4A2E8A6D5ECE661ACD1DDD43135E",
            "len":152
          },
          {
            "tcId":22,
            "msg":"90D636683F883AA52BDA2B538E4EB41F5FAD56A1",
            "len":160
          },
          {
            "tcId":23,
            "msg":"ED79D74DA8DDC63F542D0D62B7F061E344EEF496F4",
            "len":168
          },[root@localhost acvpparser]#

I don't see any error and I don't really understand the warning.

Maybe I should be using another command/option?
I expected the acvpparser to create a file "hash.rsp" with the json containing the "md"s of the input file vectors.

RSA KeyGen Output Issues

Hi,

We are having some issues with some of the outputs in our resp file for RSA Key Gen -- do we need to update the parser to handle the problems below?

  1. resp "bitlens" only outputs 0, 0, 0, 0
  2. resp file seems to be missing/pruning out xP, xP1, etc. values
  3. Our implementation supports a fixed exponent, but when we process the req file with "e": "010001", it outputs random values for "e" in our resp file.

Including some information regarding type of testing done:
"testType": "AFT",
"keyFormat": "standard",
"primeTest": "tblC2",
"randPQ": "B.3.6",
"pubExp": "fixed",
"tests": [ .....

Thank you for your help!

Regards,
Amir

openssh backend

Hello,

I have downloaded the ssh kdf vector from the demo server:

"algorithm": "kdf-components",
"mode": "ssh",
"revision": "1.0",
"isSample": true,
"testGroups": [
{
"tgId": 1,
"cipher": "AES-128",
"hashAlg": "SHA-1",
"testType": "AFT",
"tests": [
{
"tcId": 1,
"k": "0000010100B6E7153B1AF462116B6D33F3689D0827B7A049370E76432408386EE068EA45B8FA3717FA93561CC3FF18ECF5054DDCC054AE0E10BA7100CEE2A99236B8622958633840455E5DD5C5B003A80F4425CE9B6E26439242A8F13B7C7558691CCDC7A827311BD4E84BE7984050B9ABAC7D443A13AE047F0B50897E0C289045F516166AAF558C8960E14973A64EE3CB27FE630DBB4E80323776FEB4BA7BB531BE8EE6231CE0AA108A008993E13CF6090544FAC25A4FD4DC3A334A59661789E9742BAF9D57E81021C0BE5D8F2BBA6582D064CC44652A5D6E2B3E0C2C016BCFE890B44D47BEC76DD18860ECB7BE001A465F4CC535FF199EC2726E65C5B99981AD761B8F45",
"h": "F26C9F7C7AC80976B1E044A452734524CA0177C9",
"sessionId": "E192D647BF44BF5C0FCD1D797E577ED88506CE7A"
},

The vector does not contain IV length and encryption key length parameters; instead it contains a "cipher" field. I do not know how to process the vector. Any input will be helpful.

Thanks,
Nag

The AES MCT results in CBC/OFB modes do not match the expected result when running acvp-parser with libkcapi backends

I implemented the backends with libkcapi. When running the AES test, I found that the AFT tests all passed, but the MCT tests in CBC/OFB modes do not match the expected results. I don't know if it is my implementation problem or the actual calculation result is incorrect. Can you help me look at it?
Here are the sample vectors:

[
{
"acvVersion": "1.0"
},{
"vsId": 644483,
"algorithm": "ACVP-AES-CBC",
"revision": "1.0",
"isSample": true,
"testGroups": [
{
"tgId": 37,
"testType": "MCT",
"direction": "encrypt",
"keyLen": 128,
"tests": [
{
"tcId": 2151,
"iv": "FBEA48BCBCD19F58C03169C756CDE723",
"pt": "29A3226A9E133635358271B6BBD57E46",
"key": "905A7251EE617FDF6221C0812EBFD969"
}
]
}
]
}
].

The first round and second round of the expected result are:
"tgId": 37,
"tests": [
{
"tcId": 2151,
"resultsArray": [
{
"key": "905A7251EE617FDF6221C0812EBFD969",
"iv": "FBEA48BCBCD19F58C03169C756CDE723",
"pt": "29A3226A9E133635358271B6BBD57E46",
"ct": "578B3B760ACD28C8F02EB6F2D76EAF40"
},
{
"key": "C7D14927E4AC5717920F7673F9D17629",
"iv": "578B3B760ACD28C8F02EB6F2D76EAF40",
"pt": "CA6CCCD7F7BADB5BE9A4B14C2CA6977C",
"ct": "12923C8DF14DF5A7385048D9EFBE3436"
}

But my calculated results for the first round and second round are:

{
"tcId":2151,
"resultsArray":[
{
"key":"905a7251ee617fdf6221c0812ebfd969",
"pt":"29a3226a9e133635358271b6bbd57e46",
"ct":"cdba8c721049b7840241d988dcabd16d",
"iv":"fbea48bcbcd19f58c03169c756cde723"
},
{
"key":"5de0fe23fe28c85b60601909f2140804",
"pt":"e74fa52d047393844b0a6eb3d8f5e64b",
"ct":"3068eee3242501b467c41bfc85146edd",
"iv":"cdba8c721049b7840241d988dcabd16d"
}

Here is my backend implementation with libkcapi:
mct_init with cipher selection in the libkcapi library.
mct_fini with some log output

BTW, I don't know whether it is right with AES_CTR because I didn't find a corresponding reference.

How can I locate and solve this problem? Attached is the debug information of the MCT test.
Because the AFT test results are correct, I believe there should be no problem with my crypto module.
mct_1_round.log

Looking forward to your response, thanks.

DSA/ECDSA failure

Hi Stephan,

Thanks for adding support for RSA backend support for openssl3.

Please provide your opinion on these issues as well:

DSA/ECDSA failures:
/bin/acvp-parser_openssl sw/741192_ECDSA_keyGen/testvector-request.json /tmp/res.json
sw/741192_ECDSA_keyGen/testvector-request.json is located at: https://drive.google.com/file/d/1lflXqb_zFeKdZ4gSfz2DMOGdWeIk-NnT/view?usp=sharing

The tests below fail:
741187_DSA_pqgGen
741192_ECDSA_keyGen

failure logs:
ACVPParser (00:37:58) Verbose [parser/parser_dsa.c:register_dsa_impl:504]: Backend DSA registered // GOOD thing: backend is registered
Failed running /bin/acvp-parser_openssl against 741187_DSA_pqgGen/testvector-request.json: exit code 22 partial

reasons for ECDSA:
ACVPParser (00:37:58) Verbose [parser/parser_ecdsa.c:register_ecdsa_impl:455]: Backend ECDSA registered // GOOD thing: backend is registered

My suspicion:

When looking at 741192_ECDSA_keyGen,
The reason these fail is that acvp-parser failed to process the very first tcId of tgId 1.
It could not find any pertinent data to match against the json_entry { "qx", "qy", "d", "curve", "tests" }, and that is true if you look at an entry in the JSON file.

Please see the snippet of json file.
{
"tgId": 1,
"testType": "AFT",
"tests": [
{
"tcId": 1
<<<<<<<<<<<<<<<<<<<<< Missing entry that lets the code decide which callback to call. parser/parser_ecdsa.c +457
},
{
"tcId": 2
},
{
"tcId": 3
}
],
"curve": "P-256",
"secretGenerationMode": "extra bits"
},
Note that sw/741194_ECDSA_sigGen/testvector-request.json does not have the same issue. It works just fine.
https://drive.google.com/file/d/1SqcUmJgNbnEXY8t-fJ8Oh1OGyoi2DyNR/view?usp=sharing

Can you please review and provide your insight?

Thanks,
Mukund J

RSA OAEP decryption error for KTS basic vector

Hi,

I'm testing out the KTS IFC implementation and received the following error with the following test case. I got the test case manually from ACVP server and tested on fedora 29's openssl.

Error message

ACVPParser (18:34:13) Error: RSA OAEP decryption failed error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error
ACVPParser (18:34:13) Error: Test execution failed
ACVPParser( 18:34:13) Parsing processdata failed

Test case

[
  {
    "acvVersion": "1.0"
  },  
  {
    "testGroups": [
      {
        "tests": [
          {
            "iutN": "8E145689BF9E9D97C9955815B2B9AB4D20041CDB9D8796993BEB5DD338B70B0FD95DD5C1723233B1908FE53A56F4F00D1242EB608CE772CBEEAB54F0C3FDA626841B4274C2C89FA7A9CD9EE4AC34FE043200517F6E0123F66A1643D974173C4CBD0FC785784A0CF27270819937E69246FD060FCADC4B140C11CFBECED6BB8483B1C70217BEB5DD23E68E0035E0E45F61E8A3325C9EB5C7D133FEE36C0C28DF3B66AFDF95B5D2049B85B65B738798D44B35623E717DC51764A42154F157230ABDB40E92BA0FC5FF2DD3CE23F4D651C5FD3C45B2ED7AF62340094CA5B48A0B79C8DA5CF78B2700AF5794F1D8F4DA5C101C8375E0C9430DA5C94559DEB2E9E0DD95",
            "serverC": "6D3B92640E8E8D2EB35BE81729716F5F9A2F8503CB7F3C79F387BE4613E58D3C5D274BC0EB782CDBF3C42F779E19607D9245EB540F9C296004618A70F0A4AA6724930BF1ADE6E948D788EA6D55EB7C62DEAA102E9F1D253B23F4FCF1CCC2EEA6A6B77ABF7713F202019B1E627EA9BA5EA7C3ECFEAC207EA8A63DED3F5B62B7805D684DE8FB3B0E1EB67AAC024BED6E9F49667D9D674C51336CCDD2BE5804AF9D6E88162FA1C71F882DE422BE437DD55EACBD32113601CC8D82FC78A44F74EFA20888226D8A1A39AECCF0883635CA8CFAA687C822E69905059A8AD430006D5EA953874D532B08DC54E28C863806230E69862CF7F56B29F4DFA0F80A753A53BBA8",
            "iutE": "CFE9FA34CAB96F",
            "tcId": 11,
            "iutP": "BF3B6ACAB79735C67408C9C083358A940B70E31613EDB3CCD9BCBC70E47288C2C3F1B14AEEF7D996CBA32FFAEC4426FA0A690700D24EF7718659C1902E006AA402B605A92F95FE1371B5650B5E3A259A4DEB714E168A78C89BE1DFEC0A4A4C30AE8E3411DF73E57BB81E8B4A1792536645CBDB7B31183236C8E41D1510B631FD",
            "iutQ": "BE3330C8A40872723E957A0528203104A5BD52F0C806E20FBDA66C7FAD81D602B73CFD045E6181B0FBA6D846C38F23A9481881854C213FBC388F2925B86E1817DB3E954BCA791C26429F1208C21B9FE7CB25EDC598B1414C88C77E7B88C34F0DAE9B616376EECE36DD1A368D6DC883B60AB2E9087BC6B23DA20B3A99B0FA4179"
          },
        ],
        "modulo": 2048,
        "keyConfirmationDirection": "",
        "tgId": 2,
        "macConfiguration": {
          "keyLen": 128,
          "macLen": 128,
          "macType": "HMAC-SHA2-256"
        },
 
        "l": 512,
        "kasRole": "responder",
        "keyGenerationMethod": "rsakpg2-basic",
        "iutId": "CAFECAFE",
        "ktsConfiguration": {
          "encoding": "concatenation",
          "hashAlg": "SHA2-224",
          "associatedDataPattern": "l||uPartyInfo||vPartyInfo"
        },
        "scheme": "KTS-OAEP-basic",
        "testType": "AFT",
        "serverId": "434156536964",
        "keyConfirmationRole": ""
      }
    ],
    "algorithm": "KTS-IFC",
    "isSample": false,
    "vsId": 123456,
    "revision": "Sp800-56Br2"
  }
]

Thanks,
Michelle

Change bae9a02 missing files and cannot build

I'm trying to build at tip and I'm getting errors complaining about missing includes.

Two that I know about are "parser_kdf_srtp.h" and "parser_cshake.h". There could be more I imagine.

Could you add the missing files please?

Cannot build for BoringSSL

Trying to build the parser for BoringSSL and it fails:

make: *** No rule to make target 'backends/backend_boringssl.c', needed by 'backends/backend_boringssl.o'. Stop.

I checked the backends directory and there is no backend_boringssl.c. Building using 'make boringssl'. I modified the static library path in Makefile as suggested in README. Is there anything I am missing here?

Build error

There are 2 errors when I try to run "make openssl".

amritha@thorath-vm:~/acvpparser-master$ make openssl
gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -std=gnu99 -Werror -DACVP_PARSER_IUT=\"openssl\" -Wno-gnu-zero-variadic-macro-arguments -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fwrapv --param ssp-buffer-size=4 -Iparser   -c -o parser/binhexbin.o parser/binhexbin.c
...
...
gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -std=gnu99 -Werror -DACVP_PARSER_IUT=\"openssl\" -Wno-gnu-zero-variadic-macro-arguments -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fwrapv --param ssp-buffer-size=4 -Iparser   -c -o parser/parser_common.o parser/parser_common.c
parser/parser_common.c: In function ‘parse_flagblock’:
parser/parser_common.c:433:9: error: ‘string’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
    if (!strncasecmp(string, conv->val.string,
         ^
parser/parser_common.c: At top level:
cc1: error: unrecognized command line option "-Wno-gnu-zero-variadic-macro-arguments" [-Werror]

Also, can you please confirm that the order of commands is correct:

  • make openssl

  • exec_openssl.sh

After this, response is generated and it is uploaded to server using acvp proxy?

When I use acvpparser to process a JSON file, it does not work

[root@3108f4151d10 acvpparser-2.1.0] ./acvp-parser simple.json exp.json -v
ACVPParser (15:25:30) Warning: No data found in ACVP server response: [
{
"jwt":"6a393a1a14c8f59d032ea353c7931e64c7722cc1ddb3003a4e2a3a1f9acbade1dd42048804458736061f5decb98fc8540bdb4aef89a2f9eee490c8a4b7806f2e06a1807950094e9ff913f20a36c73a2ff5aaafc6adbf2ea5c359b29e640ddd73ac8e0441b4c83c2b122cb5506e6abc8d268803971d784b3b495eb7465d9b624b1f03b4c673ad94865da26e93cebcdcc0286f2354c08c98fdf9051bba28a7f2af91557e3aa4b1496713ce38eea3c14081565fd24fab0b14b614632efa56f145c845deee6a73a9f12551cf6a5255a5105e1d1d19d8073962d065ded9d6657bcf48bc4e462a765a96b6beaed74827fb5a1f17393d949546ae505bcb096a9ceaa240b83d3320fc7c89733bf1a7e18b5ac8a931a7c5cfa5530a0f77516d13e68dc88ac1c82ec4ee85ec753b8cd288fd0fdc66b37d773d3c8a1e80e14c36913109478c3f60cd9ffee0ca8eb4d62c8ad1b5e8363bc8da83da3a132994a111360c6792f950f42865a6f3a9cf366c3319ed1b29a8e0341c2edf54ba9e9cf8e5c5683ea9ddff2ab22001d82554adc6d7fa324623adab452b6765a59d68fea20a60a78438f638782c9e33c5d2372a933b5b393b5be66cd32b84894405c2bb537df96477d937625dc6c14f776a2345",
"url":"/acvp/v1/testSessions/178363",
"vectorSetUrls":[
"/acvp/v1/testSessions/178363/vectorSets/562951"
]
},
{
"vsId":562948,
"algorithm":"ACVP-AES-ECB",
"revision":"1.0",
"isSample":true,
"testGroups":[
{
"tgId":1,
"testType":"AFT",
"direction":"encrypt",
"keyLen":256,
"tests":[
{
"tcId":1,
"pt":"014730F80AC625FE84F026C60BFD547D",
"key":"0000000000000000000000000000000000000000000000000000000000000000"
},
{
"tcId":2,
"pt":"0B24AF36193CE4665F2825D7B4749C98",
"key":"0000000000000000000000000000000000000000000000000000000000000000"
},
{
"tcId":3,
"pt":"761C1FE41A18ACF20D241650611D90F1",
"key":"0000000000000000000000000000000000000000000000000000000000000000"
},
{
"tcId":4,
"pt":"8A560769D605868AD80D819BDBA03771",
"key":"0000000000000000000000000000000000000000000000000000000000000000"
},
{
"tcId":5,
"pt":"91FBEF2D15A97816060BEE1FEAA49AFE",
"key":"0000000000000000000000000000000000000000000000000000000000000000"
}
]
},
{
"tgId":2,
"testType":"AFT",
"direction":"encrypt",
"keyLen":256,
"tests":[
{
"tcId":6,
"pt":"00000000000000000000000000000000",
"key":"C47B0294DBBBEE0FEC4757F22FFEEE3587CA4730C3D33B691DF38BAB076BC558"
},
{
"tcId":7,
"pt":"00000000000000000000000000000000",
"key":"28D46CFFA158533194214A91E712FC2B45B518076675AFFD910EDECA5F41AC64"
},
{
"tcId":8,
"pt":"00000000000000000000000000000000",
"key":"C1CC358B449909A19436CFBB3F852EF8BCB5ED12AC7058325F56E6099AAB1A1C"
},
{
"tcId":9,
"pt":"00000000000000000000000000000000",
"key":"984CA75F4EE8D706F46C2D98C0BF4A45F5B00D791C2DFEB191B5ED8E420FD627"
},
{
"tcId":10,
"pt":"00000000000000000000000000000000",
"key":"1D85A181B54CDE51F0E098095B2962FDC93B51FE9B88602B3F54130BF76A5BD9"
},
{
"tcId":11,
"pt":"00000000000000000000000000000000",
"key":"797F8B3D176DAC5B7E34A2D539C4EF367A16F8635F6264737591C5C07BF57A3E"
},
{
"tcId":12,
"pt":"00000000000000000000000000000000",
"key":"13428B5E4C005E0636DD338405D173AB135DEC2A25C22C5DF0722D69DCC43887"
},
{
"tcId":13,
"pt":"00000000000000000000000000000000",
"key":"B43D08A447AC8609BAADAE4FF12918B9F68FC1653F1269222F123981DED7A92F"
},
{
"tcId":14,
"pt":"00000000000000000000000000000000",
"key":"797F8B3D176DAC5B7E34A2D539C4EF367A16F8635F6264737591C5C07BF57A3E"
},

[root@3108f4151d10 acvpparser-2.1.0] echo $?
22

My original file is this one. Can you give me some clue to solve it?
req.zip

Accessing 1 test instance from JSON request file

Hi,
I'm updating the parser code so that I can access each test instance and pass it to my back end implementation to perform the necessary operations. I'm using the json-c code which is within the parser directory. My code and the error are shown below:

I see the following error:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000416502 in json_object_iter_begin (obj=0x6ba3f0) at /home/amritha/new_parser/code/commander/parsers/parse-json/json-c/json_object_iterator.c:74
74          iter.opaque_ = pTable->head;

My code is shown below:

struct json_object *in = NULL;
struct json_object_iterator it = json_object_iter_init_default();
struct json_object_iterator itEnd = json_object_iter_init_default();

json_read_data(filename, &in); // JSON object stored in json_object type

it = json_object_iter_begin(in); // point to first item
itEnd = json_object_iter_end(in); // point to last item

while (!json_object_iter_equal(&it, &itEnd)) {
       printf("%s\n", json_object_iter_peek_name(&it));
       json_object_iter_next(&it);
      }

I'm trying to extract 1 instance at a time from the request file (this is SHA):

{
      "tcId" : 1,
      "msg" : "A6",
      "len" : 8
}

I'm trying to populate my structure with msg and len values.

DSA PQGGen gMode does not support CANONICAL generation mode

Hi Stephan,

I want to add a function for openssl for DSA PQGGen with verifiable canonical generation of the generator g.

backend_openssl.c: add a condition to call new function when parsed flags with dsa pqg gen & canonical mode.

static int openssl_dsa_pqg(struct dsa_pqg_data *data, flags_t parsed_flags)
{
	parsed_flags &= ~FLAG_OP_GDT;
	if (parsed_flags ==
	    (FLAG_OP_DSA_TYPE_PQGGEN | FLAG_OP_DSA_PROBABLE_PQ_GEN))
		return openssl_dsa_pq_gen(data, parsed_flags);
	else if (parsed_flags ==
		(FLAG_OP_DSA_TYPE_PQGGEN | FLAG_OP_DSA_CANONICAL_G_GEN))
		return openssl_dsa_g_gen_new(data, parsed_flags);
	else if (parsed_flags ==
		 (FLAG_OP_DSA_TYPE_PQGVER | FLAG_OP_DSA_PROBABLE_PQ_GEN))
		return openssl_dsa_pq_ver(data, parsed_flags);
	else if (parsed_flags ==
		 (FLAG_OP_DSA_TYPE_PQGGEN | FLAG_OP_DSA_UNVERIFIABLE_G_GEN))
		return openssl_dsa_g_gen(data, parsed_flags);
	else if (parsed_flags ==
		 (FLAG_OP_DSA_TYPE_PQGVER | FLAG_OP_DSA_UNVERIFIABLE_G_GEN))
		return openssl_dsa_pqg_ver(data, parsed_flags);
	else {
		logger(LOGGER_WARN,
		       "Unknown DSA PQG generation / verification definition (parsed flags: %" PRIu64 ")\n",
		       parsed_flags);
		return -EINVAL;
	}
}

Copy openssl_dsa_g_gen and get g_canon_index, put index into FIPS_dsa_builtin_paramgen2.

static int openssl_dsa_g_gen_new(struct dsa_pqg_data *data, flags_t parsed_flags)
{
	DSA *dsa = NULL;
	int ret = 0, pqg_consumed = 0;
	const EVP_MD *md = NULL;
	BIGNUM *p = NULL, *q = NULL, *g = NULL;
	const BIGNUM *g_gen;
	unsigned long h;
	int counter;
	unsigned char seed[1024];

	(void)parsed_flags;

	dsa = DSA_new();
	CKNULL_LOG(dsa, -ENOMEM, "DSA_new() failed\n");

	CKINT(left_pad_buf(&data->P, data->L / 8));
	CKINT(left_pad_buf(&data->Q, data->N / 8));

	logger(LOGGER_DEBUG, "L = %u\n", data->L);
	logger(LOGGER_DEBUG, "N = %u\n", data->N);

	logger_binary(LOGGER_DEBUG, data->P.buf, data->P.len, "P");
	logger_binary(LOGGER_DEBUG, data->Q.buf, data->Q.len, "Q");
	logger_binary(LOGGER_DEBUG, data->g_canon_index.buf, data->g_canon_index.len, "idx");

	int index = (int)data->g_canon_index.buf[0];

	p = BN_bin2bn((const unsigned char *)data->P.buf, (int)data->P.len,
		      NULL);
	CKNULL_LOG(p, -ENOMEM, "BN_bin2bn() failed\n");

	q = BN_bin2bn((const unsigned char *)data->Q.buf, (int)data->Q.len,
		      NULL);
	CKNULL_LOG(q, -ENOMEM, "BN_bin2bn() failed\n");

	g = BN_new();
	CKNULL_LOG(g, -ENOMEM, "BN_new() failed\n");

	CKINT_O_LOG(openssl_dsa_set0_pqg(dsa, p, q, g),
		    "DSA_set0_pqg failed\n");
	pqg_consumed = 1;

	logger(LOGGER_DEBUG, "hash = %" PRIu64 "\n", data->cipher);
	CKINT(openssl_md_convert(data->cipher & ACVP_HASHMASK, &md));

	CKINT_O_LOG(FIPS_dsa_builtin_paramgen2(dsa, data->L, data->N, md,
					       NULL, 0, index, seed, &counter, &h,
					       NULL),
		    "FIPS_dsa_generate_pq() failed %s\n",
		    ERR_error_string(ERR_get_error(), NULL));

	openssl_dsa_get0_pqg(dsa, NULL, NULL, &g_gen);
	CKINT(openssl_bn2buffer(g_gen, &data->G));

	logger_binary(LOGGER_DEBUG, data->G.buf, data->G.len, "G");

	ret = 0;

out:
	if (dsa)
		DSA_free(dsa);
	if (!pqg_consumed && p)
		BN_free(p);
	if (!pqg_consumed && q)
		BN_free(q);
	if (!pqg_consumed && g)
		BN_free(g);

	return ret;
}

Please correct me if there's anything wrong with my changes.
Same question: how to support DSA PQG verify for canonical mode?

Thanks,
Tony

Cross Compiling support

Hi,
I want to cross compile acvpparser locally (and then execute it on the embedded arm platform). Is there a mature configuration scheme, or how should I modify it?
Thanks~

Compiling with openssl 1.1.1 gives error of fips.h not found

Hi,

I was trying to compile with openssl 1.1.1. This version doesn't have fips canister support (1.0.2 and 3.x have). Due to this, I am getting an error:

In file included from backends/backend_openssl_common.c:24:
backends/backend_openssl_common.h:62:10: fatal error: openssl/fips.h: No such file or directory

Does this mean that openssl 1.1.1 is not supported for the parser?

openssh compilation error

undefined reference to `kex_derive_keys_bn'
collect2: error: ld returned 1 exit status

The "kex_derive_keys_bn" definition is missing; the definition is also not present in the openssh code.

Thanks,
Nag

Safe primes response not generated (Null json.partial file )

Hello Team,

I have tried to use acvp-parser to run requests for safe primes:
safePrimes_keyGen (response.json file not generated)
safePrimes_keyVer (response.json file not generated)

I have made a few modifications to backend_openssl.c for the build.
Could you please clarify which part of the code handles the call for safe primes (the code necessary for generating the safe primes response)?

Regards,

Botan Backend error

Hi, I get the following error:
make: *** No rule to make target 'backends/backend_botan.c', needed by 'backends/backend_botan.o'. Stop.

Please, where can I get the backend_botan.c file?

Thanks
