blob: d2f7572f07ca5ecbc9e84c532f94ea4b5a6436ff [file] [log] [blame]
// Copyright (c) 2019, Google Inc.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
package subprocess
import (
"encoding/binary"
"encoding/hex"
"encoding/json"
"fmt"
)
// The following structures reflect the JSON of ACVP DRBG tests. See
// https://pages.nist.gov/ACVP/draft-vassilev-acvp-drbg.html#name-test-vectors
type drbgTestVectorSet struct {
Groups []drbgTestGroup `json:"testGroups"`
}
type drbgTestGroup struct {
ID uint64 `json:"tgId"`
Mode string `json:"mode"`
UseDerivationFunction bool `json:"derFunc,omitempty"`
PredictionResistance bool `json:"predResistance"`
Reseed bool `json:"reSeed"`
EntropyBits uint64 `json:"entropyInputLen"`
NonceBits uint64 `json:"nonceLen"`
PersonalizationBits uint64 `json:"persoStringLen"`
AdditionalDataBits uint64 `json:"additionalInputLen"`
RetBits uint64 `json:"returnedBitsLen"`
Tests []struct {
ID uint64 `json:"tcId"`
EntropyHex string `json:"entropyInput"`
NonceHex string `json:"nonce"`
PersonalizationHex string `json:"persoString"`
Other []drbgOtherInput `json:"otherInput"`
} `json:"tests"`
}
type drbgOtherInput struct {
Use string `json:"intendedUse"`
AdditionalDataHex string `json:"additionalInput"`
EntropyHex string `json:"entropyInput"`
}
type drbgTestGroupResponse struct {
ID uint64 `json:"tgId"`
Tests []drbgTestResponse `json:"tests"`
}
type drbgTestResponse struct {
ID uint64 `json:"tcId"`
OutHex string `json:"returnedBits,omitempty"`
}
// drbg implements an ACVP algorithm by making requests to the
// subprocess to generate random bits with the given entropy and other paramaters.
type drbg struct {
// algo is the ACVP name for this algorithm and also the command name
// given to the subprocess to generate random bytes.
algo string
modes map[string]bool // the supported underlying primitives for the DRBG
}
func (d *drbg) Process(vectorSet []byte, m Transactable) (interface{}, error) {
var parsed drbgTestVectorSet
if err := json.Unmarshal(vectorSet, &parsed); err != nil {
return nil, err
}
var ret []drbgTestGroupResponse
// See
// https://pages.nist.gov/ACVP/draft-vassilev-acvp-drbg.html#name-test-vectors
// for details about the tests.
for _, group := range parsed.Groups {
response := drbgTestGroupResponse{
ID: group.ID,
}
if _, ok := d.modes[group.Mode]; !ok {
return nil, fmt.Errorf("test group %d specifies mode %q, which is not supported for the %s algorithm", group.ID, group.Mode, d.algo)
}
if group.RetBits%8 != 0 {
return nil, fmt.Errorf("Test group %d requests %d-bit outputs, but fractional-bytes are not supported", group.ID, group.RetBits)
}
for _, test := range group.Tests {
ent, err := extractField(test.EntropyHex, group.EntropyBits)
if err != nil {
return nil, fmt.Errorf("failed to extract entropy hex from test case %d/%d: %s", group.ID, test.ID, err)
}
nonce, err := extractField(test.NonceHex, group.NonceBits)
if err != nil {
return nil, fmt.Errorf("failed to extract nonce hex from test case %d/%d: %s", group.ID, test.ID, err)
}
perso, err := extractField(test.PersonalizationHex, group.PersonalizationBits)
if err != nil {
return nil, fmt.Errorf("failed to extract personalization hex from test case %d/%d: %s", group.ID, test.ID, err)
}
outLen := group.RetBits / 8
var outLenBytes [4]byte
binary.LittleEndian.PutUint32(outLenBytes[:], uint32(outLen))
var result [][]byte
if group.PredictionResistance {
var a1, a2, a3, a4 []byte
if err := extractOtherInputs(test.Other, []drbgOtherInputExpectations{
{"generate", group.AdditionalDataBits, &a1, group.EntropyBits, &a2},
{"generate", group.AdditionalDataBits, &a3, group.EntropyBits, &a4}}); err != nil {
return nil, fmt.Errorf("failed to parse other inputs from test case %d/%d: %s", group.ID, test.ID, err)
}
result, err = m.Transact(d.algo+"-pr/"+group.Mode, 1, outLenBytes[:], ent, perso, a1, a2, a3, a4, nonce)
} else if group.Reseed {
var a1, a2, a3, a4 []byte
if err := extractOtherInputs(test.Other, []drbgOtherInputExpectations{
{"reSeed", group.AdditionalDataBits, &a1, group.EntropyBits, &a2},
{"generate", group.AdditionalDataBits, &a3, 0, nil},
{"generate", group.AdditionalDataBits, &a4, 0, nil}}); err != nil {
return nil, fmt.Errorf("failed to parse other inputs from test case %d/%d: %s", group.ID, test.ID, err)
}
result, err = m.Transact(d.algo+"-reseed/"+group.Mode, 1, outLenBytes[:], ent, perso, a1, a2, a3, a4, nonce)
} else {
var a1, a2 []byte
if err := extractOtherInputs(test.Other, []drbgOtherInputExpectations{
{"generate", group.AdditionalDataBits, &a1, 0, nil},
{"generate", group.AdditionalDataBits, &a2, 0, nil}}); err != nil {
return nil, fmt.Errorf("failed to parse other inputs from test case %d/%d: %s", group.ID, test.ID, err)
}
result, err = m.Transact(d.algo+"/"+group.Mode, 1, outLenBytes[:], ent, perso, a1, a2, nonce)
}
if err != nil {
return nil, fmt.Errorf("DRBG operation failed: %s", err)
}
if l := uint64(len(result[0])); l != outLen {
return nil, fmt.Errorf("wrong length DRBG result: %d bytes but wanted %d", l, outLen)
}
// https://pages.nist.gov/ACVP/draft-vassilev-acvp-drbg.html#name-responses
response.Tests = append(response.Tests, drbgTestResponse{
ID: test.ID,
OutHex: hex.EncodeToString(result[0]),
})
}
ret = append(ret, response)
}
return ret, nil
}
type drbgOtherInputExpectations struct {
use string
additionalInputBitLen uint64
additionalInputOut *[]byte
entropyBitLen uint64
entropyOut *[]byte
}
func extractOtherInputs(inputs []drbgOtherInput, expected []drbgOtherInputExpectations) (err error) {
if len(inputs) != len(expected) {
return fmt.Errorf("found %d other inputs but %d were expected", len(inputs), len(expected))
}
for i := range inputs {
input, expect := &inputs[i], &expected[i]
if input.Use != expect.use {
return fmt.Errorf("other input #%d has type %q but expected %q", i, input.Use, expect.use)
}
if expect.additionalInputBitLen == 0 {
if len(input.AdditionalDataHex) != 0 {
return fmt.Errorf("other input #%d has unexpected additional input", i)
}
} else {
*expect.additionalInputOut, err = extractField(input.AdditionalDataHex, expect.additionalInputBitLen)
if err != nil {
return err
}
}
if expect.entropyBitLen == 0 {
if len(input.EntropyHex) != 0 {
return fmt.Errorf("other input #%d has unexpected entropy value", i)
}
} else {
*expect.entropyOut, err = extractField(input.EntropyHex, expect.entropyBitLen)
if err != nil {
return err
}
}
}
return nil
}
// validate the length and hex of a JSON field in test vectors
func extractField(fieldHex string, bits uint64) ([]byte, error) {
if uint64(len(fieldHex))*4 != bits {
return nil, fmt.Errorf("expected %d bits but have %d-byte hex string", bits, len(fieldHex))
}
return hex.DecodeString(fieldHex)
}