util/fipstools/acvp/acvptool/subprocess/aead.go - boringssl - Git at Google

 // Copyright (c) 2020, Google Inc.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
 // purpose with or without fee is hereby granted, provided that the above
 // copyright notice and this permission notice appear in all copies.
 //
 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

 package subprocess

 import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 )

 // aead implements an ACVP algorithm by making requests to the subprocess
 // to encrypt and decrypt with an AEAD.
 type aead struct {
 	algo                    string
 	tagMergedWithCiphertext bool
 }

 type aeadVectorSet struct {
 	Groups []aeadTestGroup `json:"testGroups"`
 }

 type aeadTestGroup struct {
 	ID        uint64 `json:"tgId"`
 	Type      string `json:"testType"`
 	Direction string `json:"direction"`
 	KeyBits   int    `json:"keyLen"`
 	TagBits   int    `json:"tagLen"`
 	Tests     []struct {
 		ID            uint64 `json:"tcId"`
 		PlaintextHex  string `json:"pt"`
 		CiphertextHex string `json:"ct"`
 		IVHex         string `json:"iv"`
 		KeyHex        string `json:"key"`
 		AADHex        string `json:"aad"`
 		TagHex        string `json:"tag"`
 	} `json:"tests"`
 }

 type aeadTestGroupResponse struct {
 	ID    uint64             `json:"tgId"`
 	Tests []aeadTestResponse `json:"tests"`
 }

 type aeadTestResponse struct {
 	ID            uint64  `json:"tcId"`
 	CiphertextHex *string `json:"ct,omitempty"`
 	TagHex        string  `json:"tag,omitempty"`
 	PlaintextHex  *string `json:"pt,omitempty"`
 	Passed        *bool   `json:"testPassed,omitempty"`
 }

 func (a *aead) Process(vectorSet []byte, m Transactable) (interface{}, error) {
 	var parsed aeadVectorSet
 	if err := json.Unmarshal(vectorSet, &parsed); err != nil {
 		return nil, err
 	}

 	var ret []aeadTestGroupResponse
 	// See draft-celi-acvp-symmetric.html#table-6. (NIST no longer publish HTML
 	// versions of the ACVP documents. You can find fragments in
 	// https://github.com/usnistgov/ACVP.)
 	for _, group := range parsed.Groups {
 		response := aeadTestGroupResponse{
 			ID: group.ID,
 		}

 		var encrypt bool
 		switch group.Direction {
 		case "encrypt":
 			encrypt = true
 		case "decrypt":
 			encrypt = false
 		default:
 			return nil, fmt.Errorf("test group %d has unknown direction %q", group.ID, group.Direction)
 		}

 		op := a.algo + "/seal"
 		if !encrypt {
 			op = a.algo + "/open"
 		}

 		if group.KeyBits%8 != 0 || group.KeyBits < 0 {
 			return nil, fmt.Errorf("test group %d contains non-byte-multiple key length %d", group.ID, group.KeyBits)
 		}
 		keyBytes := group.KeyBits / 8

 		if group.TagBits%8 != 0 || group.TagBits < 0 {
 			return nil, fmt.Errorf("test group %d contains non-byte-multiple tag length %d", group.ID, group.TagBits)
 		}
 		tagBytes := group.TagBits / 8

 		for _, test := range group.Tests {
 			if len(test.KeyHex) != keyBytes*2 {
 				return nil, fmt.Errorf("test case %d/%d contains key %q of length %d, but expected %d-bit key", group.ID, test.ID, test.KeyHex, len(test.KeyHex), group.KeyBits)
 			}

 			key, err := hex.DecodeString(test.KeyHex)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode key in test case %d/%d: %s", group.ID, test.ID, err)
 			}

 			nonce, err := hex.DecodeString(test.IVHex)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode nonce in test case %d/%d: %s", group.ID, test.ID, err)
 			}

 			aad, err := hex.DecodeString(test.AADHex)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode aad in test case %d/%d: %s", group.ID, test.ID, err)
 			}

 			var inputHex, otherHex string
 			if encrypt {
 				inputHex, otherHex = test.PlaintextHex, test.CiphertextHex
 			} else {
 				inputHex, otherHex = test.CiphertextHex, test.PlaintextHex
 			}

 			if len(otherHex) != 0 {
 				return nil, fmt.Errorf("test case %d/%d has unexpected plain/ciphertext input", group.ID, test.ID)
 			}

 			input, err := hex.DecodeString(inputHex)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode hex in test case %d/%d: %s", group.ID, test.ID, err)
 			}

 			var tag []byte
 			if a.tagMergedWithCiphertext {
 				if len(test.TagHex) != 0 {
 					return nil, fmt.Errorf("test case %d/%d has unexpected tag input (should be merged into ciphertext)", group.ID, test.ID)
 				}
 				if !encrypt && len(input) < tagBytes {
 					return nil, fmt.Errorf("test case %d/%d has ciphertext shorter than the tag, but the tag should be included in it", group.ID, test.ID)
 				}
 			} else {
 				if !encrypt {
 					if tag, err = hex.DecodeString(test.TagHex); err != nil {
 						return nil, fmt.Errorf("failed to decode tag in test case %d/%d: %s", group.ID, test.ID, err)
 					}
 					if len(tag) != tagBytes {
 						return nil, fmt.Errorf("tag in test case %d/%d is %d bytes long, but should be %d", group.ID, test.ID, len(tag), tagBytes)
 					}
 				} else if len(test.TagHex) != 0 {
 					return nil, fmt.Errorf("test case %d/%d has unexpected tag input", group.ID, test.ID)
 				}
 			}

 			testResp := aeadTestResponse{ID: test.ID}

 			if encrypt {
 				result, err := m.Transact(op, 1, uint32le(uint32(tagBytes)), key, input, nonce, aad)
 				if err != nil {
 					return nil, err
 				}

 				if len(result[0]) < tagBytes {
 					return nil, fmt.Errorf("ciphertext from subprocess for test case %d/%d is shorter than the tag (%d vs %d)", group.ID, test.ID, len(result[0]), tagBytes)
 				}

 				if a.tagMergedWithCiphertext {
 					ciphertextHex := hex.EncodeToString(result[0])
 					testResp.CiphertextHex = &ciphertextHex
 				} else {
 					ciphertext := result[0][:len(result[0])-tagBytes]
 					ciphertextHex := hex.EncodeToString(ciphertext)
 					testResp.CiphertextHex = &ciphertextHex
 					tag := result[0][len(result[0])-tagBytes:]
 					testResp.TagHex = hex.EncodeToString(tag)
 				}
 			} else {
 				result, err := m.Transact(op, 2, uint32le(uint32(tagBytes)), key, append(input, tag...), nonce, aad)
 				if err != nil {
 					return nil, err
 				}

 				if len(result[0]) != 1 || (result[0][0]&0xfe) != 0 {
 					return nil, fmt.Errorf("invalid AEAD status result from subprocess")
 				}
 				passed := result[0][0] == 1
 				testResp.Passed = &passed
 				if passed {
 					plaintextHex := hex.EncodeToString(result[1])
 					testResp.PlaintextHex = &plaintextHex
 				}
 			}

 			response.Tests = append(response.Tests, testResp)
 		}

 		ret = append(ret, response)
 	}

 	return ret, nil
 }
	// Copyright (c) 2020, Google Inc.
	//
	// Permission to use, copy, modify, and/or distribute this software for any
	// purpose with or without fee is hereby granted, provided that the above
	// copyright notice and this permission notice appear in all copies.
	//
	// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
	// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
	// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
	// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

	package subprocess

	import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	)

	// aead implements an ACVP algorithm by making requests to the subprocess
	// to encrypt and decrypt with an AEAD.
	type aead struct {
	algo string
	tagMergedWithCiphertext bool
	}

	type aeadVectorSet struct {
	Groups []aeadTestGroup `json:"testGroups"`
	}

	type aeadTestGroup struct {
	ID uint64 `json:"tgId"`
	Type string `json:"testType"`
	Direction string `json:"direction"`
	KeyBits int `json:"keyLen"`
	TagBits int `json:"tagLen"`
	Tests []struct {
	ID uint64 `json:"tcId"`
	PlaintextHex string `json:"pt"`
	CiphertextHex string `json:"ct"`
	IVHex string `json:"iv"`
	KeyHex string `json:"key"`
	AADHex string `json:"aad"`
	TagHex string `json:"tag"`
	} `json:"tests"`
	}

	type aeadTestGroupResponse struct {
	ID uint64 `json:"tgId"`
	Tests []aeadTestResponse `json:"tests"`
	}

	type aeadTestResponse struct {
	ID uint64 `json:"tcId"`
	CiphertextHex *string `json:"ct,omitempty"`
	TagHex string `json:"tag,omitempty"`
	PlaintextHex *string `json:"pt,omitempty"`
	Passed *bool `json:"testPassed,omitempty"`
	}

	func (a *aead) Process(vectorSet []byte, m Transactable) (interface{}, error) {
	var parsed aeadVectorSet
	if err := json.Unmarshal(vectorSet, &parsed); err != nil {
	return nil, err
	}

	var ret []aeadTestGroupResponse
	// See draft-celi-acvp-symmetric.html#table-6. (NIST no longer publish HTML
	// versions of the ACVP documents. You can find fragments in
	// https://github.com/usnistgov/ACVP.)
	for _, group := range parsed.Groups {
	response := aeadTestGroupResponse{
	ID: group.ID,
	}

	var encrypt bool
	switch group.Direction {
	case "encrypt":
	encrypt = true
	case "decrypt":
	encrypt = false
	default:
	return nil, fmt.Errorf("test group %d has unknown direction %q", group.ID, group.Direction)
	}

	op := a.algo + "/seal"
	if !encrypt {
	op = a.algo + "/open"
	}

	if group.KeyBits%8 != 0 \|\| group.KeyBits < 0 {
	return nil, fmt.Errorf("test group %d contains non-byte-multiple key length %d", group.ID, group.KeyBits)
	}
	keyBytes := group.KeyBits / 8

	if group.TagBits%8 != 0 \|\| group.TagBits < 0 {
	return nil, fmt.Errorf("test group %d contains non-byte-multiple tag length %d", group.ID, group.TagBits)
	}
	tagBytes := group.TagBits / 8

	for _, test := range group.Tests {
	if len(test.KeyHex) != keyBytes*2 {
	return nil, fmt.Errorf("test case %d/%d contains key %q of length %d, but expected %d-bit key", group.ID, test.ID, test.KeyHex, len(test.KeyHex), group.KeyBits)
	}

	key, err := hex.DecodeString(test.KeyHex)
	if err != nil {
	return nil, fmt.Errorf("failed to decode key in test case %d/%d: %s", group.ID, test.ID, err)
	}

	nonce, err := hex.DecodeString(test.IVHex)
	if err != nil {
	return nil, fmt.Errorf("failed to decode nonce in test case %d/%d: %s", group.ID, test.ID, err)
	}

	aad, err := hex.DecodeString(test.AADHex)
	if err != nil {
	return nil, fmt.Errorf("failed to decode aad in test case %d/%d: %s", group.ID, test.ID, err)
	}

	var inputHex, otherHex string
	if encrypt {
	inputHex, otherHex = test.PlaintextHex, test.CiphertextHex
	} else {
	inputHex, otherHex = test.CiphertextHex, test.PlaintextHex
	}

	if len(otherHex) != 0 {
	return nil, fmt.Errorf("test case %d/%d has unexpected plain/ciphertext input", group.ID, test.ID)
	}

	input, err := hex.DecodeString(inputHex)
	if err != nil {
	return nil, fmt.Errorf("failed to decode hex in test case %d/%d: %s", group.ID, test.ID, err)
	}

	var tag []byte
	if a.tagMergedWithCiphertext {
	if len(test.TagHex) != 0 {
	return nil, fmt.Errorf("test case %d/%d has unexpected tag input (should be merged into ciphertext)", group.ID, test.ID)
	}
	if !encrypt && len(input) < tagBytes {
	return nil, fmt.Errorf("test case %d/%d has ciphertext shorter than the tag, but the tag should be included in it", group.ID, test.ID)
	}
	} else {
	if !encrypt {
	if tag, err = hex.DecodeString(test.TagHex); err != nil {
	return nil, fmt.Errorf("failed to decode tag in test case %d/%d: %s", group.ID, test.ID, err)
	}
	if len(tag) != tagBytes {
	return nil, fmt.Errorf("tag in test case %d/%d is %d bytes long, but should be %d", group.ID, test.ID, len(tag), tagBytes)
	}
	} else if len(test.TagHex) != 0 {
	return nil, fmt.Errorf("test case %d/%d has unexpected tag input", group.ID, test.ID)
	}
	}

	testResp := aeadTestResponse{ID: test.ID}

	if encrypt {
	result, err := m.Transact(op, 1, uint32le(uint32(tagBytes)), key, input, nonce, aad)
	if err != nil {
	return nil, err
	}

	if len(result[0]) < tagBytes {
	return nil, fmt.Errorf("ciphertext from subprocess for test case %d/%d is shorter than the tag (%d vs %d)", group.ID, test.ID, len(result[0]), tagBytes)
	}

	if a.tagMergedWithCiphertext {
	ciphertextHex := hex.EncodeToString(result[0])
	testResp.CiphertextHex = &ciphertextHex
	} else {
	ciphertext := result[0][:len(result[0])-tagBytes]
	ciphertextHex := hex.EncodeToString(ciphertext)
	testResp.CiphertextHex = &ciphertextHex
	tag := result[0][len(result[0])-tagBytes:]
	testResp.TagHex = hex.EncodeToString(tag)
	}
	} else {
	result, err := m.Transact(op, 2, uint32le(uint32(tagBytes)), key, append(input, tag...), nonce, aad)
	if err != nil {
	return nil, err
	}

	if len(result[0]) != 1 \|\| (result[0][0]&0xfe) != 0 {
	return nil, fmt.Errorf("invalid AEAD status result from subprocess")
	}
	passed := result[0][0] == 1
	testResp.Passed = &passed
	if passed {
	plaintextHex := hex.EncodeToString(result[1])
	testResp.PlaintextHex = &plaintextHex
	}
	}

	response.Tests = append(response.Tests, testResp)
	}

	ret = append(ret, response)
	}

	return ret, nil
	}