ANDROID: fips140: add AES-CMAC

AES-CMAC is a FIPS allowed algorithm, and fips140.ko already has arm64 implementations of it. Meanwhile, GKI includes both these arm64 implementations as well as the "cmac" template. Add the "cmac" template to fips140.ko too and add a self-test for AES-CMAC, so that we can include AES-CMAC in the set of algorithms which will be certified. As with a number of the other algorithms, the criteria for which algorithms need to be in the certified set are still not particularly clear, but the latest guidance we've received is to error on the side of including algorithms. Bug: 153614920 Bug: 188620248 Change-Id: I6c1d9281fe848a7101d5ef94ab48e5a41bbcc6f8 Signed-off-by: Eric Biggers <ebiggers@google.com> (cherry picked from commit 038dc9f2cc956cab561bd9d50120920010867b75)
2021-08-04 17:21:59 -07:00 · 2021-08-04 17:21:59 -07:00 · 2ee56aad31
commit 2ee56aad31
parent 2b5843ae2d
5 changed files with 32 additions and 8 deletions
--- a/crypto/Makefile
+++ b/crypto/Makefile
@ -206,8 +206,8 @@ FIPS140_CFLAGS := -D__DISABLE_EXPORTS -DBUILD_FIPS140_KO
 # Create a separate FIPS archive containing a duplicate of each builtin generic
 # module that is in scope for FIPS 140-2 certification
 #
-crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o cts.o gcm.o xts.o hmac.o memneq.o \
-		    gf128mul.o aes_generic.o lib-crypto-aes.o \
+crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o cts.o gcm.o xts.o hmac.o cmac.o \
+		    memneq.o gf128mul.o aes_generic.o lib-crypto-aes.o \
 		    sha1_generic.o sha256_generic.o sha512_generic.o \
 		    lib-sha1.o lib-crypto-sha256.o
 crypto-fips-objs := $(foreach o,$(crypto-fips-objs),$(o:.o=-fips.o))
--- a/crypto/fips140-generated-testvecs.h
+++ b/crypto/fips140-generated-testvecs.h
@ -39,6 +39,9 @@ static const u8 fips_aes_xts_ciphertext[32] __initconst =
 	"\x4f\xf7\x9f\x6c\x00\xa8\x30\xdf\xff\xf3\x25\x9c\xf6\x0b\x1b\xfd"
 	"\x3b\x34\x5e\x67\x7c\xf8\x8b\x68\x9a\xb9\x5a\x89\x51\x51\xbd\x35";

+static const u8 fips_aes_cmac_digest[16] __initconst =
+	"\x0c\x05\xda\x64\x51\x0c\x8e\x6c\x86\x52\x46\xa8\x2d\xb1\xfe\x0f";
+
 static const u8 fips_hmac_key[16] __initconst = "128-bit HMAC key";

 static const u8 fips_sha1_digest[20] __initconst =
--- a/crypto/fips140-module.c
+++ b/crypto/fips140-module.c
@ -79,6 +79,7 @@ static const char * const fips140_algorithms[] __initconst = {
 	"cts(cbc(aes))",
 	"ctr(aes)",
 	"xts(aes)",
+	"cmac(aes)",

 	"hmac(sha1)",
 	"hmac(sha224)",
--- a/crypto/fips140-selftests.c
+++ b/crypto/fips140-selftests.c
@ -599,8 +599,8 @@ static const struct fips_test fips140_selftests[] __initconst = {
 	 * Tests for AES-GCM, a.k.a. "gcm(aes)" in crypto API syntax.
 	 *
 	 * The IG requires that each underlying AES implementation be tested in
-	 * an authenticated mode, if implemented.  We therefore must test the
-	 * "gcm" template composed with each "aes" implementation.
+	 * an authenticated mode, if implemented.  We therefore test the "gcm"
+	 * template composed with each "aes" implementation.
 	 *
 	 * We also must test all standalone implementations of "gcm(aes)" such
 	 * as "gcm-aes-ce", as they don't reuse another full AES implementation
@ -672,11 +672,11 @@ static const struct fips_test fips140_selftests[] __initconst = {
 		}
 	},
 	/*
-	 * Tests for AES-CBC, AES-CBC-CTS, AES-CTR, and AES-XTS.
+	 * Tests for AES-CBC, AES-CBC-CTS, AES-CTR, AES-XTS, and AES-CMAC.
 	 *
-	 * According to the IG, unauthenticated AES modes don't need to have
-	 * their own test as long as both directions of the underlying AES
-	 * implementation are already tested via other modes.
+	 * According to the IG, other AES modes don't need to have their own
+	 * test as long as both directions of the underlying AES implementation
+	 * are already tested via other modes.
 	 *
 	 * However we must still test standalone implementations of these modes,
 	 * as they don't reuse another full AES implementation and thus can't be
@ -762,6 +762,22 @@ static const struct fips_test fips140_selftests[] __initconst = {
 			.ciphertext	= fips_aes_xts_ciphertext,
 			.message_size	= sizeof(fips_message),
 		}
+	}, {
+		.alg		= "cmac(aes)",
+		.impls		= {
+			/* All standalone implementations of "cmac(aes)" */
+			"cmac-aes-neon",
+			"cmac-aes-ce",
+		},
+		.func		= fips_test_hash,
+		.hash		= {
+			.key		= fips_aes_key,
+			.key_size	= sizeof(fips_aes_key),
+			.message	= fips_message,
+			.message_size	= sizeof(fips_message),
+			.digest		= fips_aes_cmac_digest,
+			.digest_size	= sizeof(fips_aes_cmac_digest),
+		}
 	},

 	/* Tests for SHA-1 */
--- a/tools/crypto/gen_fips140_testvecs.py
+++ b/tools/crypto/gen_fips140_testvecs.py
@ -101,6 +101,10 @@ def generate_aes_testvecs():
    ciphertext = xts.update(message) + xts.finalize()
    print_value('aes_xts_ciphertext', ciphertext)

+    cmac = Cryptodome.Hash.CMAC.new(aes_key, ciphermod=Cryptodome.Cipher.AES)
+    cmac.update(message)
+    print_value('aes_cmac_digest', cmac.digest())
+
 def generate_sha_testvecs():
    print_value('hmac_key', hmac_key)
    for alg in ['sha1', 'sha256', 'hmac_sha256', 'sha512']: