acvptool: Add support for DRBG
Change-Id: Ia9dda0826787aea4d63536524074e343ff6c87d9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38644
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Gurleen Grewal <gurleengrewal@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/util/fipstools/acvp/acvptool/subprocess/drbg.go b/util/fipstools/acvp/acvptool/subprocess/drbg.go
new file mode 100644
index 0000000..b7f93f9
--- /dev/null
+++ b/util/fipstools/acvp/acvptool/subprocess/drbg.go
@@ -0,0 +1,155 @@
+package subprocess
+
+import (
+ "encoding/binary"
+ "encoding/hex"
+ "encoding/json"
+ "fmt"
+)
+
+// The following structures reflect the JSON of ACVP DRBG tests. See
+// https://usnistgov.github.io/ACVP/artifacts/acvp_sub_drbg.html#rfc.section.4
+
+type drbgTestVectorSet struct {
+ Groups []drbgTestGroup `json:"testGroups"`
+}
+
+type drbgTestGroup struct {
+ ID uint64 `json:"tgId"`
+ Mode string `json:"mode"`
+ UseDerivationFunction bool `json:"derFunc,omitempty"`
+ PredictionResistance bool `json:"predResistance"`
+ Reseed bool `json:"reSeed"`
+ EntropyBits uint64 `json:"entropyInputLen"`
+ NonceBits uint64 `json:"nonceLen"`
+ PersonalizationBits uint64 `json:"persoStringLen"`
+ AdditionalDataBits uint64 `json:"additionalInputLen"`
+ RetBits uint64 `json:"returnedBitsLen"`
+ Tests []struct {
+ ID uint64 `json:"tcId"`
+ EntropyHex string `json:"entropyInput"`
+ NonceHex string `json:"nonce"`
+ PersonalizationHex string `json:"persoString"`
+ Other []struct {
+ AdditionalDataHex string `json:"additionalInput"`
+ EntropyHex string `json:"entropyInput"`
+ Use string `json:"intendedUse"`
+ } `json:"otherInput"`
+ } `json:"tests"`
+}
+
+type drbgTestGroupResponse struct {
+ ID uint64 `json:"tgId"`
+ Tests []drbgTestResponse `json:"tests"`
+}
+
+type drbgTestResponse struct {
+ ID uint64 `json:"tcId"`
+ OutHex string `json:"returnedBits,omitempty"`
+}
+
+// drbg implements an ACVP algorithm by making requests to the
+// subprocess to generate random bits with the given entropy and other paramaters.
+type drbg struct {
+ // algo is the ACVP name for this algorithm and also the command name
+ // given to the subprocess to generate random bytes.
+ algo string
+ modes map[string]bool // the supported underlying primitives for the DRBG
+ m *Subprocess
+}
+
+func (d *drbg) Process(vectorSet []byte) (interface{}, error) {
+ var parsed drbgTestVectorSet
+ if err := json.Unmarshal(vectorSet, &parsed); err != nil {
+ return nil, err
+ }
+
+ var ret []drbgTestGroupResponse
+ // See
+ // https://usnistgov.github.io/ACVP/artifacts/acvp_sub_drbg.html#rfc.section.4
+ // for details about the tests.
+ for _, group := range parsed.Groups {
+ response := drbgTestGroupResponse{
+ ID: group.ID,
+ }
+
+ if _, ok := d.modes[group.Mode]; !ok {
+ return nil, fmt.Errorf("test group %d specifies mode %q, which is not supported for the %s algorithm", group.ID, group.Mode, d.algo)
+ }
+
+ if group.PredictionResistance {
+ return nil, fmt.Errorf("Test group %d specifies prediction-resistance mode, which is not supported", group.ID)
+ }
+
+ if group.Reseed {
+ return nil, fmt.Errorf("Test group %d requests re-seeding, which is not supported", group.ID)
+ }
+
+ if group.RetBits%8 != 0 {
+ return nil, fmt.Errorf("Test group %d requests %d-bit outputs, but fractional-bytes are not supported", group.ID, group.RetBits)
+ }
+
+ for _, test := range group.Tests {
+ ent, err := extractField(test.EntropyHex, group.EntropyBits)
+ if err != nil {
+ return nil, fmt.Errorf("failed to extract entropy hex from test case %d/%d: %s", group.ID, test.ID, err)
+ }
+
+ nonce, err := extractField(test.NonceHex, group.NonceBits)
+ if err != nil {
+ return nil, fmt.Errorf("failed to extract nonce hex from test case %d/%d: %s", group.ID, test.ID, err)
+ }
+
+ perso, err := extractField(test.PersonalizationHex, group.PersonalizationBits)
+ if err != nil {
+ return nil, fmt.Errorf("failed to extract personalization hex from test case %d/%d: %s", group.ID, test.ID, err)
+ }
+
+ const numAdditionalInputs = 2
+ if len(test.Other) != numAdditionalInputs {
+ return nil, fmt.Errorf("test case %d/%d provides %d additional inputs, but subprocess only expects %d", group.ID, test.ID, len(test.Other), numAdditionalInputs)
+ }
+
+ var additionalInputs [numAdditionalInputs][]byte
+ for i, other := range test.Other {
+ if other.Use != "generate" {
+ return nil, fmt.Errorf("other %d from test case %d/%d has use %q, but expected 'generate'", i, group.ID, test.ID, other.Use)
+ }
+ additionalInputs[i], err = extractField(other.AdditionalDataHex, group.AdditionalDataBits)
+ if err != nil {
+ return nil, fmt.Errorf("failed to extract additional input %d from test case %d/%d: %s", i, group.ID, test.ID, err)
+ }
+ }
+
+ outLen := group.RetBits / 8
+ var outLenBytes [4]byte
+ binary.LittleEndian.PutUint32(outLenBytes[:], uint32(outLen))
+ result, err := d.m.transact(d.algo+"/"+group.Mode, 1, outLenBytes[:], ent, perso, additionalInputs[0], additionalInputs[1], nonce)
+ if err != nil {
+ return nil, fmt.Errorf("DRBG operation failed: %s", err)
+ }
+
+ if l := uint64(len(result[0])); l != outLen {
+ return nil, fmt.Errorf("wrong length DRBG result: %d bytes but wanted %d", l, outLenBytes)
+ }
+
+ // https://usnistgov.github.io/ACVP/artifacts/acvp_sub_drbg.html#rfc.section.4
+ response.Tests = append(response.Tests, drbgTestResponse{
+ ID: test.ID,
+ OutHex: hex.EncodeToString(result[0]),
+ })
+ }
+
+ ret = append(ret, response)
+ }
+
+ return ret, nil
+}
+
+// validate the length and hex of a JSON field in test vectors
+func extractField(fieldHex string, bits uint64) ([]byte, error) {
+ if uint64(len(fieldHex))*4 != bits {
+ return nil, fmt.Errorf("expected %d bits but have %d-byte hex string", bits, len(fieldHex))
+ }
+ return hex.DecodeString(fieldHex)
+}
diff --git a/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/util/fipstools/acvp/acvptool/subprocess/subprocess.go
index 1f3ff8e..452a422 100644
--- a/util/fipstools/acvp/acvptool/subprocess/subprocess.go
+++ b/util/fipstools/acvp/acvptool/subprocess/subprocess.go
@@ -61,6 +61,8 @@
"HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32, m},
"HMAC-SHA2-384": &hmacPrimitive{"HMAC-SHA2-384", 48, m},
"HMAC-SHA2-512": &hmacPrimitive{"HMAC-SHA2-512", 64, m},
+ "ctrDRBG": &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}, m},
+ "hmacDRBG": &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}, m},
}
return m
diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index e6d8b21..5f3150d 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -28,6 +28,8 @@
#include <openssl/sha.h>
#include <openssl/span.h>
+#include "../../../../crypto/fipsmodule/rand/internal.h"
+
static constexpr size_t kMaxArgs = 8;
static constexpr size_t kMaxArgLength = (1 << 20);
static constexpr size_t kMaxNameLength = 30;
@@ -212,6 +214,23 @@
" \"macLen\": [{"
" \"min\": 32, \"max\": 512, \"increment\": 8"
" }]"
+ "},"
+ "{"
+ " \"algorithm\": \"ctrDRBG\","
+ " \"revision\": \"1.0\","
+ " \"predResistanceEnabled\": [false],"
+ " \"reseedImplemented\": false,"
+ " \"capabilities\": [{"
+ " \"mode\": \"AES-256\","
+ " \"derFuncEnabled\": false,"
+ " \"entropyInputLen\": [384],"
+ " \"nonceLen\": [0],"
+ " \"persoStringLen\": [{\"min\": 0, \"max\": 384, \"increment\": 16}],"
+ " \"additionalInputLen\": ["
+ " {\"min\": 0, \"max\": 384, \"increment\": 16}"
+ " ],"
+ " \"returnedBitsLen\": 2048"
+ " }]"
"}"
"]";
return WriteReply(
@@ -280,6 +299,40 @@
return WriteReply(STDOUT_FILENO, Span<const uint8_t>(digest, digest_len));
}
+static bool DRBG(const Span<const uint8_t> args[]) {
+ const auto out_len_bytes = args[0];
+ const auto entropy = args[1];
+ const auto personalisation = args[2];
+ const auto additional_data1 = args[3];
+ const auto additional_data2 = args[4];
+ const auto nonce = args[5];
+
+ uint32_t out_len;
+ if (out_len_bytes.size() != sizeof(out_len) ||
+ entropy.size() != CTR_DRBG_ENTROPY_LEN ||
+ // nonces are not supported
+ nonce.size() != 0) {
+ return false;
+ }
+ memcpy(&out_len, out_len_bytes.data(), sizeof(out_len));
+ if (out_len > (1 << 24)) {
+ return false;
+ }
+ std::vector<uint8_t> out(out_len);
+
+ CTR_DRBG_STATE drbg;
+ if (!CTR_DRBG_init(&drbg, entropy.data(), personalisation.data(),
+ personalisation.size()) ||
+ !CTR_DRBG_generate(&drbg, out.data(), out_len, additional_data1.data(),
+ additional_data1.size()) ||
+ !CTR_DRBG_generate(&drbg, out.data(), out_len, additional_data2.data(),
+ additional_data2.size())) {
+ return false;
+ }
+
+ return WriteReply(STDOUT_FILENO, Span<const uint8_t>(out));
+}
+
static constexpr struct {
const char name[kMaxNameLength + 1];
uint8_t expected_args;
@@ -300,6 +353,7 @@
{"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},
{"HMAC-SHA2-384", 2, HMAC<EVP_sha384>},
{"HMAC-SHA2-512", 2, HMAC<EVP_sha512>},
+ {"ctrDRBG/AES-256", 6, DRBG},
};
int main() {
