acvp: add AES-KWP support. Change-Id: I826d1cf305b3906e0d0ff6ff5389561291065706 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43165 Reviewed-by: David Benjamin <davidben@google.com>

commit: b117a3a0b7bd11fe6ebd503ec6b45d6b910b41a1 [log] [tgz]
author: Adam Langley <alangley@gmail.com> Tue Sep 29 15:36:52 2020 -0700
committer: Adam Langley <agl@google.com> Fri Oct 02 17:03:07 2020 +0000
tree: 80a911b8fcbd3edc8d76eee9b5fb5b0db21132bd
parent: 81658a95c9458c6733d61535038f8aac9a2d2f81 [diff]
diff --git a/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/util/fipstools/acvp/acvptool/subprocess/subprocess.go
index a3b81ae..9c554c2 100644
--- a/util/fipstools/acvp/acvptool/subprocess/subprocess.go
+++ b/util/fipstools/acvp/acvptool/subprocess/subprocess.go

@@ -81,6 +81,7 @@
 		"ACVP-AES-CTR":  &blockCipher{"AES-CTR", 16, false, true},
 		"ACVP-AES-GCM":  &aead{"AES-GCM"},
 		"ACVP-AES-KW":   &aead{"AES-KW"},
+		"ACVP-AES-KWP":  &aead{"AES-KWP"},
 		"HMAC-SHA-1":    &hmacPrimitive{"HMAC-SHA-1", 20},
 		"HMAC-SHA2-224": &hmacPrimitive{"HMAC-SHA2-224", 28},
 		"HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32},

diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index d4a2207..961eaf7 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc

@@ -221,6 +221,21 @@
         "payloadLen": [{"min": 128, "max": 1024, "increment": 64}]
       },
       {
+        "algorithm": "ACVP-AES-KWP",
+        "revision": "1.0",
+        "direction": [
+            "encrypt",
+            "decrypt"
+        ],
+        "kwCipher": [
+            "cipher"
+        ],
+        "keyLen": [
+            128, 192, 256
+        ],
+        "payloadLen": [{"min": 8, "max": 1024, "increment": 8}]
+      },
+      {
         "algorithm": "HMAC-SHA-1",
         "revision": "1.0",
         "keyLen": [{
@@ -537,14 +552,23 @@
                     Span<const uint8_t>(out));
 }
 
-static bool AESKeyWrapSetup(AES_KEY *out, bool decrypt, Span<const uint8_t> key,
-                            Span<const uint8_t> input) {
+static bool AESPaddedKeyWrapSetup(AES_KEY *out, bool decrypt,
+                                  Span<const uint8_t> key) {
   if ((decrypt ? AES_set_decrypt_key : AES_set_encrypt_key)(
           key.data(), key.size() * 8, out) != 0) {
-    fprintf(stderr, "Invalid AES key length for AES-KW: %u\n",
+    fprintf(stderr, "Invalid AES key length for AES-KW(P): %u\n",
             static_cast<unsigned>(key.size()));
     return false;
   }
+  return true;
+}
+
+static bool AESKeyWrapSetup(AES_KEY *out, bool decrypt, Span<const uint8_t> key,
+                            Span<const uint8_t> input) {
+  if (!AESPaddedKeyWrapSetup(out, decrypt, key)) {
+    return false;
+  }
+
   if (input.size() % 8) {
     fprintf(stderr, "Invalid AES-KW input length: %u\n",
             static_cast<unsigned>(input.size()));
@@ -598,6 +622,53 @@
                     Span<const uint8_t>(out));
 }
 
+static bool AESPaddedKeyWrapSeal(const Span<const uint8_t> args[]) {
+  Span<const uint8_t> key = args[1];
+  Span<const uint8_t> plaintext = args[2];
+
+  AES_KEY aes;
+  if (!AESPaddedKeyWrapSetup(&aes, /*decrypt=*/false, key) ||
+      plaintext.size() + 15 < 15) {
+    return false;
+  }
+
+  std::vector<uint8_t> out(plaintext.size() + 15);
+  size_t out_len;
+  if (!AES_wrap_key_padded(&aes, out.data(), &out_len, out.size(),
+                           plaintext.data(), plaintext.size())) {
+    fprintf(stderr, "AES-KWP failed\n");
+    return false;
+  }
+
+  out.resize(out_len);
+  return WriteReply(STDOUT_FILENO, Span<const uint8_t>(out));
+}
+
+static bool AESPaddedKeyWrapOpen(const Span<const uint8_t> args[]) {
+  Span<const uint8_t> key = args[1];
+  Span<const uint8_t> ciphertext = args[2];
+
+  AES_KEY aes;
+  if (!AESPaddedKeyWrapSetup(&aes, /*decrypt=*/true, key) ||
+      ciphertext.size() % 8) {
+    return false;
+  }
+
+  std::vector<uint8_t> out(ciphertext.size());
+  size_t out_len;
+  uint8_t success_flag[1] = {0};
+  if (!AES_unwrap_key_padded(&aes, out.data(), &out_len, out.size(),
+                             ciphertext.data(), ciphertext.size())) {
+    return WriteReply(STDOUT_FILENO, Span<const uint8_t>(success_flag),
+                      Span<const uint8_t>());
+  }
+
+  success_flag[0] = 1;
+  out.resize(out_len);
+  return WriteReply(STDOUT_FILENO, Span<const uint8_t>(success_flag),
+                    Span<const uint8_t>(out));
+}
+
 template <const EVP_MD *HashFunc()>
 static bool HMAC(const Span<const uint8_t> args[]) {
   const EVP_MD *const md = HashFunc();
@@ -849,6 +920,8 @@
     {"AES-GCM/open", 5, AESGCMOpen},
     {"AES-KW/seal", 5, AESKeyWrapSeal},
     {"AES-KW/open", 5, AESKeyWrapOpen},
+    {"AES-KWP/seal", 5, AESPaddedKeyWrapSeal},
+    {"AES-KWP/open", 5, AESPaddedKeyWrapOpen},
     {"HMAC-SHA-1", 2, HMAC<EVP_sha1>},
     {"HMAC-SHA2-224", 2, HMAC<EVP_sha224>},
     {"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},
commit	b117a3a0b7bd11fe6ebd503ec6b45d6b910b41a1	[log] [tgz]
author	Adam Langley <alangley@gmail.com>	Tue Sep 29 15:36:52 2020 -0700
committer	Adam Langley <agl@google.com>	Fri Oct 02 17:03:07 2020 +0000
tree	80a911b8fcbd3edc8d76eee9b5fb5b0db21132bd
parent	81658a95c9458c6733d61535038f8aac9a2d2f81 [diff]