# HG changeset patch # User M. Sirringhaus # Date 1589854460 -7200 # Tue May 19 04:14:20 2020 +0200 # Node ID ce99bba6375432c55a73c1367f619dfef7c7e9fc # Parent 2c820431829b3e5c7e161bd0bf73b48def9d3822 commit e78f5a6a2124ce88002796d6aaefc6232f132526 Author: Hans Petter Jansson AES Keywrap POST. diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c --- a/lib/freebl/fipsfreebl.c +++ b/lib/freebl/fipsfreebl.c @@ -107,16 +107,19 @@ BOOL WINAPI DllMain( #define FIPS_AES_BLOCK_SIZE 16 /* 128-bits */ #define FIPS_AES_ENCRYPT_LENGTH 16 /* 128-bits */ #define FIPS_AES_DECRYPT_LENGTH 16 /* 128-bits */ #define FIPS_AES_CMAC_LENGTH 16 /* 128-bits */ #define FIPS_AES_128_KEY_SIZE 16 /* 128-bits */ #define FIPS_AES_192_KEY_SIZE 24 /* 192-bits */ #define FIPS_AES_256_KEY_SIZE 32 /* 256-bits */ +/* FIPS preprocessor directives for AES Keywrap */ +#define FIPS_AES_KEYWRAP_KNOWN_CIPHERTEXT_SIZE 24 /* 192-bits */ + /* FIPS preprocessor directives for message digests */ #define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */ /* FIPS preprocessor directives for RSA. */ #define FIPS_RSA_TYPE siBuffer #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */ #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */ #define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */ @@ -296,16 +299,19 @@ freebl_fips_AES_PowerUpSelfTest(int aes_ static const PRUint8 aes_cbc_known_initialization_vector[] = { "SecurityytiruceS" }; /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */ static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" }; static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" }; + /* AES Keywrap Known Initialization Vector (64 bits) */ + static const PRUint8 aes_key_wrap_iv[] = { "WrapparW" }; + /* AES Known Ciphertext (128-bit key). */ static const PRUint8 aes_ecb128_known_ciphertext[] = { 0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1, 0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47 }; static const PRUint8 aes_cbc128_known_ciphertext[] = { 0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63, @@ -366,33 +372,56 @@ freebl_fips_AES_PowerUpSelfTest(int aes_ }; static const PRUint8 aes_cmac256_known_ciphertext[] = { 0xc1, 0x26, 0x69, 0x32, 0x51, 0x13, 0x65, 0xac, 0x71, 0x23, 0xe4, 0xe7, 0xb9, 0x0c, 0x88, 0x9f }; + /* AES Keywrap Known Ciphertexts. */ + static const PRUint8 aes_kw128_known_ciphertext[] = { + 0xd7, 0xec, 0x33, 0x3a, 0x35, 0x50, 0x91, 0x4d, + 0x04, 0x69, 0x1f, 0xbc, 0x9b, 0x3a, 0x51, 0x9d, + 0xf3, 0x45, 0x01, 0xec, 0xaa, 0x43, 0x33, 0x42 + }; + + static const PRUint8 aes_kw192_known_ciphertext[] = { + 0x18, 0x44, 0xab, 0x72, 0xbd, 0x35, 0x6c, 0x8f, + 0x34, 0x34, 0x2e, 0x0b, 0xb0, 0x19, 0xd3, 0x46, + 0x3e, 0x53, 0x4f, 0x2f, 0x43, 0xcc, 0xf5, 0x8c + }; + + static const PRUint8 aes_kw256_known_ciphertext[] = { + 0x3e, 0xaf, 0xf3, 0x36, 0xaf, 0xc3, 0x68, 0xab, + 0x5a, 0x07, 0xed, 0x64, 0x5b, 0xf8, 0x81, 0x0d, + 0x9e, 0x67, 0x75, 0xbd, 0x66, 0xe1, 0x52, 0xdc + }; + const PRUint8 *aes_ecb_known_ciphertext = (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext; const PRUint8 *aes_cbc_known_ciphertext = (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext : aes_cbc256_known_ciphertext; const PRUint8 *aes_gcm_known_ciphertext = (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext : aes_gcm256_known_ciphertext; const PRUint8 *aes_cmac_known_ciphertext = (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext : aes_cmac256_known_ciphertext; + const PRUint8 *aes_keywrap_known_ciphertext = + (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_kw128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_kw192_known_ciphertext : aes_kw256_known_ciphertext; + /* AES variables. */ PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2]; PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2]; AESContext *aes_context; CMACContext *cmac_context; + AESKeyWrapContext *aes_keywrap_context; unsigned int aes_bytes_encrypted; unsigned int aes_bytes_decrypted; CK_NSS_GCM_PARAMS gcmParams; SECStatus aes_status; /*check if aes_key_size is 128, 192, or 256 bits */ if ((aes_key_size != FIPS_AES_128_KEY_SIZE) && (aes_key_size != FIPS_AES_192_KEY_SIZE) && @@ -609,16 +638,62 @@ freebl_fips_AES_PowerUpSelfTest(int aes_ if ((aes_status != SECSuccess) || (aes_bytes_encrypted != FIPS_AES_CMAC_LENGTH) || (PORT_Memcmp(aes_computed_ciphertext, aes_cmac_known_ciphertext, FIPS_AES_CMAC_LENGTH) != 0)) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return (SECFailure); } + /********************************/ + /* AES Keywrap En/Decrypt Test. */ + /********************************/ + + /* Create encryption context */ + aes_keywrap_context = AESKeyWrap_CreateContext(aes_known_key, aes_key_wrap_iv, PR_TRUE, + aes_key_size); + if (aes_keywrap_context == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return (SECFailure); + } + + aes_status = AESKeyWrap_Encrypt(aes_keywrap_context, + aes_computed_ciphertext, &aes_bytes_encrypted, + FIPS_AES_ENCRYPT_LENGTH * 2, + aes_known_plaintext, FIPS_AES_ENCRYPT_LENGTH); + + AESKeyWrap_DestroyContext(aes_keywrap_context, PR_TRUE); + + if ((aes_status != SECSuccess) || + (aes_bytes_encrypted != FIPS_AES_KEYWRAP_KNOWN_CIPHERTEXT_SIZE) || + (PORT_Memcmp (aes_computed_ciphertext, aes_keywrap_known_ciphertext, + FIPS_AES_KEYWRAP_KNOWN_CIPHERTEXT_SIZE) != 0)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return (SECFailure); + } + + /* Create decryption context */ + aes_keywrap_context = AESKeyWrap_CreateContext(aes_known_key, aes_key_wrap_iv, PR_FALSE, + aes_key_size); + + aes_status = AESKeyWrap_Decrypt(aes_keywrap_context, + aes_computed_plaintext, &aes_bytes_decrypted, + FIPS_AES_ENCRYPT_LENGTH, + aes_computed_ciphertext, aes_bytes_encrypted); + + AESKeyWrap_DestroyContext(aes_keywrap_context, PR_TRUE); + + if ((aes_status != SECSuccess) || + (aes_bytes_decrypted != FIPS_AES_ENCRYPT_LENGTH) || + (PORT_Memcmp (aes_computed_plaintext, aes_known_plaintext, + FIPS_AES_ENCRYPT_LENGTH) != 0)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return (SECFailure); + } + return (SECSuccess); } /* Known Hash Message (512-bits). Used for all hashes (incl. SHA-N [N>1]). */ static const PRUint8 known_hash_message[] = { "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };