Add CAST for SP 800-56Cr2 One-Step function (#1803)

### Description of changes: Adds a cryptographic algorithm self test (CAST) for SP 800-56Cr2 OneStep function. Per the FIPS 140-3 I.G. Guidance Item: > if the module implements an approved KDA (SP 800-56C rev1 or rev2), the module shall perform at least one CAST covering a SP 800-56Crev1 Section 4 one-step KDF (if implemented) and another CAST covering a SP 800-56Crev1 Section 5 two-step KDF (if implemented), including at least one auxiliary function for each. For example, if a module implements both a two-step KDF using either the HMAC or AES-CMAC auxiliary function, and one-step KDF using either the hash or HMAC auxiliary function, then at least two CASTs are required: one for the two-step KDF (with either HMAC or AES-CMAC), and the other for the one-step KDF (with either the hash or HMAC). The implementations of the auxiliary functions used in the KDA CASTs do not require separate CASTs. In addition, the module shall self-test all underlying prerequisite algorithms used in the remaining SP 800-56C rev1 or rev2 schemes implemented in the module, if the same implementations of the underlying algorithms are not already self-tested either on their own or as part of other higher-level algorithm CASTs. I have interpreted this item as requiring us only needing to test either `SSKDF_digest` or `SSKDF_hmac` but aren't required to test both. ### Testing: The KAT used in this test case was sourced from `util/fipstools/acvp/acvptool/test/vectors/KDA-OneStep.bz2` and `util/fipstools/acvp/acvptool/test/expected/KDA-OneStep.bz2`. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
aws · Aug 28, 2024 · f3344b8 · f3344b8
1 parent 353228b
commit f3344b8
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
@@ -1202,6 +1202,50 @@ static int boringssl_self_test_fast(void) {
     goto err;
   }
 
+  static const uint8_t kSSKDFDigestInfo[] = {
+      0xaf, 0x85, 0xce, 0x3e, 0xa3, 0x03, 0x35, 0x0a, 0x2a, 0xa1, 0x31,
+      0xb8, 0x79, 0xea, 0x95, 0x4e, 0x1e, 0xe1, 0xe6, 0x85, 0xd2, 0xbf,
+      0x9d, 0xb7, 0x95, 0x42, 0x02, 0xe2, 0xf5, 0xec, 0x30, 0x96};
+  static const uint8_t kSSKDFDigestSharedSecret[] = {
+      0x39, 0xa1, 0xe2, 0xb3, 0x89, 0x9e, 0x87, 0xef, 0xec, 0xf6, 0x27,
+      0x12, 0x82, 0xd8, 0xf8, 0x00, 0x8f, 0x25, 0x26, 0x86, 0xdd, 0x35,
+      0xbf, 0xc3, 0x9a, 0x0f, 0x71, 0x47, 0x8d, 0xa4, 0x8c, 0x69, 0x15,
+      0x65, 0xce, 0xe4, 0x31, 0x25, 0x4d, 0xd5, 0x0c, 0xab, 0x74, 0x62,
+      0xc6, 0xcf, 0x19, 0x9b, 0xe9, 0xbf, 0x5c};
+  static const uint8_t kSSKDFDigestDerivedKey[] = {
+      0x5a, 0x2e, 0x26, 0x64, 0x4d, 0x16, 0x22, 0x2c, 0xd6, 0x36, 0xa1, 0xfd,
+      0xb5, 0x7b, 0xfa, 0xa1, 0x7f, 0x94, 0x44, 0x91, 0x27, 0x61, 0x2b, 0xcd,
+      0x7b, 0xe1, 0xbb, 0x39, 0xcc, 0x18, 0xf3, 0x28, 0x93, 0xd3, 0xc6, 0x48,
+      0xc1, 0x63, 0x72, 0xfb, 0x6e, 0x9c, 0x63, 0xde, 0x54, 0x33, 0xb1, 0xcc,
+      0xde, 0xb5, 0x1b, 0xb5, 0xf1, 0x53, 0x68, 0xc8, 0xa8, 0x49, 0xa1, 0xe5,
+      0xa4, 0xef, 0xc6, 0x66, 0xfd, 0x33, 0xee, 0xb9, 0xf6, 0x72, 0x8b, 0x04,
+      0x79, 0xf7, 0x66, 0x68, 0xcf, 0xaf, 0xc1, 0x3a, 0x91, 0x36, 0x70, 0x74,
+      0xde, 0xf2, 0xb5, 0x0e, 0x9d, 0x9a, 0x91, 0x8a, 0x12, 0x02, 0x10, 0x82,
+      0x41, 0x65, 0xd5, 0x96, 0xad, 0x4f, 0x94, 0xa3, 0x23, 0x6e, 0xf7, 0xcf,
+      0x58, 0x43, 0x28, 0x2a, 0x0a, 0x57, 0xa4, 0x83, 0x81, 0x9f, 0x63, 0xe0,
+      0xcf, 0xb2, 0x08, 0x1d, 0xaf, 0x9c, 0xcf, 0x35, 0xc6, 0x6a, 0x03, 0xe7,
+      0xa0, 0x2d, 0x38, 0x91, 0xf4, 0x50, 0x22, 0xe1, 0xc8, 0x9d, 0x88, 0x8a,
+      0xa8, 0x08, 0x7e, 0x08, 0xf4, 0x5b, 0xab, 0xbc, 0x52, 0x06, 0x2b, 0x18,
+      0xe6, 0xfb, 0x70, 0xc1, 0x2d, 0xcb, 0x29, 0xa1, 0x94, 0xd2, 0x3a, 0xbc,
+      0x35, 0x1c, 0xfb, 0x3c, 0xf4, 0xf1, 0x61, 0xcc, 0x77, 0x5a, 0x3e, 0x71,
+      0x1b, 0xb1, 0x50, 0x2d, 0x69, 0x01, 0xf6, 0x93, 0x14, 0x07, 0xa9, 0xae,
+      0x86, 0x84, 0x76, 0xf9, 0x98, 0xd1, 0xca, 0x4c, 0xca, 0x29, 0x6a, 0x9f,
+      0x14, 0x75, 0x2d, 0x14, 0xf4, 0x74, 0x27, 0xe6, 0x66, 0x28, 0x9f, 0x80,
+      0x89, 0x2a, 0x3d, 0x14, 0xa8, 0x4f, 0xe3, 0x43, 0xfd, 0x78, 0xd0, 0xda,
+      0xdb, 0xde, 0x18, 0x19, 0xac, 0xa9, 0x15, 0xf7, 0xc0, 0xc0, 0x24, 0x37,
+      0x6b, 0x40, 0xcb, 0x34, 0xba, 0xe2, 0xd2, 0x6e, 0x9f, 0x45, 0x52, 0xb6,
+      0xb1, 0xa2, 0x6f, 0xa5};  // 256 bytes
+  uint8_t sskdf_digest_output[sizeof(kSSKDFDigestDerivedKey)];
+  if (!SSKDF_digest(&sskdf_digest_output[0], sizeof(kSSKDFDigestDerivedKey),
+                    EVP_sha256(), &kSSKDFDigestSharedSecret[0],
+                    sizeof(kSSKDFDigestSharedSecret), &kSSKDFDigestInfo[0],
+                    sizeof(kSSKDFDigestInfo)) ||
+      !check_test(kSSKDFDigestDerivedKey, sskdf_digest_output,
+                  sizeof(kSSKDFDigestDerivedKey), "SSKDF_digest KAT")) {
+    fprintf(stderr, "SSKDF_digest failed.\n");
+    goto err;
+  }
+
   ret = 1;
 
 err: