Google Git
Sign in
boringssl/boringssl.git/e796cc65025982ed1fb9ef41b3f74e8115092816^!/.
commit
e796cc65025982ed1fb9ef41b3f74e8115092816
[log]
author
Adam Langley <alangley@gmail.com>
Wed Oct 07 14:48:48 2020 -0700
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Thu Oct 22 21:40:29 2020 +0000
tree
7139c913572246dfa9a06b603fa757153b3684c7
parent
043fba24112eddaa2d73c5bc36dc80014c8ef132 [diff]
acvp: add 3DES-ECB support

Change-Id: I4ffa2572acce1fdccdf4d3c33680e6d0114bd42b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43405
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/util/fipstools/acvp/acvptool/subprocess/block.go b/util/fipstools/acvp/acvptool/subprocess/block.go
index 365399e..35c2133 100644
--- a/util/fipstools/acvp/acvptool/subprocess/block.go
+++ b/util/fipstools/acvp/acvptool/subprocess/block.go

@@ -18,6 +18,7 @@
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"math/bits"
 )
 
 // aesKeyShuffle is the "AES Monte Carlo Key Shuffle" from the ACVP
@@ -140,6 +141,68 @@
 	return mctResults
 }
 
+// xorKeyWithOddParityLSB XORs value into key while setting the LSB of each bit
+// to establish odd parity. This embedding of a parity check in a DES key is an
+// old tradition and something that NIST's tests require (despite being
+// undocumented).
+func xorKeyWithOddParityLSB(key, value []byte) {
+	for i := range key {
+		v := key[i] ^ value[i]
+		// Use LSB to establish odd parity.
+		v ^= byte((bits.OnesCount8(v) & 1)) ^ 1
+		key[i] = v
+	}
+}
+
+// desKeyShuffle implements the manipulation of the Key arrays in the "TDES
+// Monte Carlo Test - ECB mode" algorithm from the ACVP specification.
+func keyShuffle3DES(key, result, prevResult, prevPrevResult []byte) {
+	xorKeyWithOddParityLSB(key[:8], result)
+	xorKeyWithOddParityLSB(key[8:16], prevResult)
+	xorKeyWithOddParityLSB(key[16:], prevPrevResult)
+}
+
+// iterate3DES implements "TDES Monte Carlo Test - ECB mode" from the ACVP
+// specification.
+func iterate3DES(transact func(n int, args ...[]byte) ([][]byte, error), encrypt bool, key, input, iv []byte) (mctResults []blockCipherMCTResult) {
+	for i := 0; i < 400; i++ {
+		var iteration blockCipherMCTResult
+		keyHex := hex.EncodeToString(key)
+		iteration.Key1Hex = keyHex[:16]
+		iteration.Key2Hex = keyHex[16:32]
+		iteration.Key3Hex = keyHex[32:]
+
+		if encrypt {
+			iteration.PlaintextHex = hex.EncodeToString(input)
+		} else {
+			iteration.CiphertextHex = hex.EncodeToString(input)
+		}
+
+		var result, prevResult, prevPrevResult []byte
+		for j := 0; j < 10000; j++ {
+			prevPrevResult = prevResult
+			prevResult = input
+			result, err := transact(1, key, input)
+			if err != nil {
+				panic("block operation failed")
+			}
+			input = result[0]
+		}
+		result = input
+
+		if encrypt {
+			iteration.CiphertextHex = hex.EncodeToString(result)
+		} else {
+			iteration.PlaintextHex = hex.EncodeToString(result)
+		}
+
+		keyShuffle3DES(key, result, prevResult, prevPrevResult)
+		mctResults = append(mctResults, iteration)
+	}
+
+	return mctResults
+}
+
 // blockCipher implements an ACVP algorithm by making requests to the subprocess
 // to encrypt and decrypt with a block cipher.
 type blockCipher struct {
@@ -165,6 +228,11 @@
 		CiphertextHex string `json:"ct"`
 		IVHex         string `json:"iv"`
 		KeyHex        string `json:"key"`
+
+		// 3DES tests serialise the key differently.
+		Key1Hex string `json:"key1"`
+		Key2Hex string `json:"key2"`
+		Key3Hex string `json:"key3"`
 	} `json:"tests"`
 }
 
@@ -181,10 +249,15 @@
 }
 
 type blockCipherMCTResult struct {
-	KeyHex        string `json:"key"`
+	KeyHex        string `json:"key,omitempty"`
 	PlaintextHex  string `json:"pt"`
 	CiphertextHex string `json:"ct"`
 	IVHex         string `json:"iv,omitempty"`
+
+	// 3DES tests serialise the key differently.
+	Key1Hex string `json:"key1"`
+	Key2Hex string `json:"key2"`
+	Key3Hex string `json:"key3"`
 }
 
 func (b *blockCipher) Process(vectorSet []byte, m Transactable) (interface{}, error) {
@@ -230,6 +303,11 @@
 			return nil, fmt.Errorf("test group %d has unknown type %q", group.ID, group.Type)
 		}
 
+		if group.KeyBits == 0 {
+			// 3DES tests fail to set this parameter.
+			group.KeyBits = 192
+		}
+
 		if group.KeyBits%8 != 0 {
 			return nil, fmt.Errorf("test group %d contains non-byte-multiple key length %d", group.ID, group.KeyBits)
 		}
@@ -240,6 +318,11 @@
 		}
 
 		for _, test := range group.Tests {
+			if len(test.KeyHex) == 0 && len(test.Key1Hex) > 0 {
+				// 3DES encodes the key differently.
+				test.KeyHex = test.Key1Hex + test.Key2Hex + test.Key3Hex
+			}
+
 			if len(test.KeyHex) != keyBytes*2 {
 				return nil, fmt.Errorf("test case %d/%d contains key %q of length %d, but expected %d-bit key", group.ID, test.ID, test.KeyHex, len(test.KeyHex), group.KeyBits)
 			}

diff --git a/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/util/fipstools/acvp/acvptool/subprocess/subprocess.go
index 05d7fb5..3c04981 100644
--- a/util/fipstools/acvp/acvptool/subprocess/subprocess.go
+++ b/util/fipstools/acvp/acvptool/subprocess/subprocess.go

@@ -79,6 +79,7 @@
 		"ACVP-AES-ECB":  &blockCipher{"AES", 16, true, false, iterateAES},
 		"ACVP-AES-CBC":  &blockCipher{"AES-CBC", 16, true, true, iterateAESCBC},
 		"ACVP-AES-CTR":  &blockCipher{"AES-CTR", 16, false, true, nil},
+		"ACVP-TDES-ECB": &blockCipher{"3DES-ECB", 8, true, false, iterate3DES},
 		"ACVP-AES-GCM":  &aead{"AES-GCM", false},
 		"ACVP-AES-CCM":  &aead{"AES-CCM", true},
 		"ACVP-AES-KW":   &aead{"AES-KW", false},

diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index 1ffb432..d97ea91 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc

@@ -26,6 +26,7 @@
 #include <openssl/aead.h>
 #include <openssl/aes.h>
 #include <openssl/bn.h>
+#include <openssl/cipher.h>
 #include <openssl/cmac.h>
 #include <openssl/digest.h>
 #include <openssl/ec.h>
@@ -251,6 +252,13 @@
         "aadLen": [{"min": 0, "max": 1024, "increment": 8}]
       },
       {
+        "algorithm": "ACVP-TDES-ECB",
+        "revision": "1.0",
+        "direction": ["encrypt", "decrypt"],
+        "keyLen": [192],
+        "keyingOption": [1]
+      },
+      {
         "algorithm": "HMAC-SHA-1",
         "revision": "1.0",
         "keyLen": [{
@@ -720,6 +728,39 @@
                     Span<const uint8_t>(out));
 }
 
+template<bool Encrypt>
+static bool TDES(const Span<const uint8_t> args[]) {
+  const EVP_CIPHER *cipher = EVP_des_ede3();
+
+  if (args[0].size() != 24) {
+    fprintf(stderr, "Bad key length %u for 3DES.\n",
+            static_cast<unsigned>(args[0].size()));
+    return false;
+  }
+  if (args[1].size() % 8) {
+    fprintf(stderr, "Bad input length %u for 3DES.\n",
+            static_cast<unsigned>(args[1].size()));
+    return false;
+  }
+
+  std::vector<uint8_t> out;
+  out.resize(args[1].size());
+
+  bssl::ScopedEVP_CIPHER_CTX ctx;
+  int out_len, out_len2;
+  if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, args[0].data(), nullptr,
+                         Encrypt ? 1 : 0) ||
+      !EVP_CIPHER_CTX_set_padding(ctx.get(), 0) ||
+      !EVP_CipherUpdate(ctx.get(), out.data(), &out_len, args[1].data(),
+                        args[1].size()) ||
+      !EVP_CipherFinal_ex(ctx.get(), out.data() + out_len, &out_len2) ||
+      (out_len + out_len2) != static_cast<int>(out.size())) {
+    return false;
+  }
+
+  return WriteReply(STDOUT_FILENO, Span<const uint8_t>(out));
+}
+
 template <const EVP_MD *HashFunc()>
 static bool HMAC(const Span<const uint8_t> args[]) {
   const EVP_MD *const md = HashFunc();
@@ -975,6 +1016,8 @@
     {"AES-KWP/open", 5, AESPaddedKeyWrapOpen},
     {"AES-CCM/seal", 5, AEADSeal<AESCCMSetup>},
     {"AES-CCM/open", 5, AEADOpen<AESCCMSetup>},
+    {"3DES-ECB/encrypt", 2, TDES<true>},
+    {"3DES-ECB/decrypt", 2, TDES<false>},
     {"HMAC-SHA-1", 2, HMAC<EVP_sha1>},
     {"HMAC-SHA2-224", 2, HMAC<EVP_sha224>},
     {"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},