acvp: don't include CMAC-AES in regcap dump.
CMAC-AES isn't inside our FIPS module, it's only included in
modulewrapper in order to test acvptool. Mark it with a special tag to
avoid it appearing when dumping regcap JSON because NIST paperwork is
such that it's better not to ACVP test such code.
Change-Id: I0c6d3a38bce9bf5766b889677eb3f7de94262c24
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45465
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/util/fipstools/acvp/acvptool/acvp.go b/util/fipstools/acvp/acvptool/acvp.go
index df627cc..87c2f87 100644
--- a/util/fipstools/acvp/acvptool/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp.go
@@ -279,9 +279,23 @@
}
if *dumpRegcap {
+ nonTestAlgos := make([]map[string]interface{}, 0, len(supportedAlgos))
+ for _, algo := range supportedAlgos {
+ if value, ok := algo["acvptoolTestOnly"]; ok {
+ testOnly, ok := value.(bool)
+ if !ok {
+ log.Fatalf("modulewrapper config contains acvptoolTestOnly field with non-boolean value %#v", value)
+ }
+ if testOnly {
+ continue
+ }
+ }
+ nonTestAlgos = append(nonTestAlgos, algo)
+ }
+
regcap := []map[string]interface{}{
map[string]interface{}{"acvVersion": "1.0"},
- map[string]interface{}{"algorithms": supportedAlgos},
+ map[string]interface{}{"algorithms": nonTestAlgos},
}
regcapBytes, err := json.MarshalIndent(regcap, "", " ")
if err != nil {
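Review bot: An entry carrying `"acvptoolTestOnly": false` falls through to `nonTestAlgos = append(nonTestAlgos, algo)` with the tag still in its map, so the tool-private key would be written into the regcap JSON. Only the `true` form appears in this commit, so the problem is latent; either fail on any value other than `true` or append a copy of the map with the key removed. The filter is also opt-in, so a later algorithm that sits outside the FIPS module is dumped unless it is tagged, and a comment above the loop would record that: `// Entries tagged acvptoolTestOnly are outside the FIPS module and exist only to exercise acvptool; keep them out of the regcap.` Including `algo["algorithm"]` in the `log.Fatalf` message would make a malformed entry easier to locate. The enclosing function starts and ends outside the hunk.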
diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index b354280..a08e670 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -676,6 +676,7 @@
},
{
"algorithm": "CMAC-AES",
+ "acvptoolTestOnly": true,
"revision": "1.0",
"capabilities": [{
"direction": ["gen", "ver"],