diff --git a/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/util/fipstools/acvp/acvptool/subprocess/subprocess.go index d8d3fa3c5..c5003e1ad 100644 --- a/util/fipstools/acvp/acvptool/subprocess/subprocess.go +++ b/util/fipstools/acvp/acvptool/subprocess/subprocess.go 
@@ -71,36 +71,37 @@ func NewWithIO(cmd *exec.Cmd, in io.WriteCloser, out io.ReadCloser) *Subprocess } m.primitives = map[string]primitive{ - "SHA-1": &hashPrimitive{"SHA-1", 20}, - "SHA2-224": &hashPrimitive{"SHA2-224", 28}, - "SHA2-256": &hashPrimitive{"SHA2-256", 32}, - "SHA2-384": &hashPrimitive{"SHA2-384", 48}, - "SHA2-512": &hashPrimitive{"SHA2-512", 64}, - "SHA2-512/256": &hashPrimitive{"SHA2-512/256", 32}, - "ACVP-AES-ECB": &blockCipher{"AES", 16, 2, true, false, iterateAES}, - "ACVP-AES-CBC": &blockCipher{"AES-CBC", 16, 2, true, true, iterateAESCBC}, - "ACVP-AES-CBC-CS3": &blockCipher{"AES-CBC-CS3", 16, 1, false, true, iterateAESCBC}, - "ACVP-AES-CTR": &blockCipher{"AES-CTR", 16, 1, false, true, nil}, - "ACVP-AES-XTS": &xts{}, - "ACVP-AES-GCM": &aead{"AES-GCM", false}, - "ACVP-AES-GMAC": &aead{"AES-GCM", false}, - "ACVP-AES-CCM": &aead{"AES-CCM", true}, - "ACVP-AES-KW": &aead{"AES-KW", false}, - "ACVP-AES-KWP": &aead{"AES-KWP", false}, - "HMAC-SHA-1": &hmacPrimitive{"HMAC-SHA-1", 20}, - "HMAC-SHA2-224": &hmacPrimitive{"HMAC-SHA2-224", 28}, - "HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32}, - "HMAC-SHA2-384": &hmacPrimitive{"HMAC-SHA2-384", 48}, - "HMAC-SHA2-512": &hmacPrimitive{"HMAC-SHA2-512", 64}, - "ctrDRBG": &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}}, - "hmacDRBG": &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}}, - "KDF": &kdfPrimitive{}, - "KAS-KDF": &hkdf{}, - "CMAC-AES": &keyedMACPrimitive{"CMAC-AES"}, - "RSA": &rsa{}, - "kdf-components": &tlsKDF{}, - "KAS-ECC-SSC": &kas{}, - "KAS-FFC-SSC": &kasDH{}, + "SHA-1": &hashPrimitive{"SHA-1", 20}, + "SHA2-224": &hashPrimitive{"SHA2-224", 28}, + "SHA2-256": &hashPrimitive{"SHA2-256", 32}, + "SHA2-384": &hashPrimitive{"SHA2-384", 48}, + "SHA2-512": &hashPrimitive{"SHA2-512", 64}, + "SHA2-512/256": &hashPrimitive{"SHA2-512/256", 32}, + "ACVP-AES-ECB": &blockCipher{"AES", 16, 2, true, false, 
iterateAES}, + "ACVP-AES-CBC": &blockCipher{"AES-CBC", 16, 2, true, true, iterateAESCBC}, + "ACVP-AES-CBC-CS3": &blockCipher{"AES-CBC-CS3", 16, 1, false, true, iterateAESCBC}, + "ACVP-AES-CTR": &blockCipher{"AES-CTR", 16, 1, false, true, nil}, + "ACVP-AES-XTS": &xts{}, + "ACVP-AES-GCM": &aead{"AES-GCM", false}, + "ACVP-AES-GMAC": &aead{"AES-GCM", false}, + "ACVP-AES-CCM": &aead{"AES-CCM", true}, + "ACVP-AES-KW": &aead{"AES-KW", false}, + "ACVP-AES-KWP": &aead{"AES-KWP", false}, + "HMAC-SHA-1": &hmacPrimitive{"HMAC-SHA-1", 20}, + "HMAC-SHA2-224": &hmacPrimitive{"HMAC-SHA2-224", 28}, + "HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32}, + "HMAC-SHA2-384": &hmacPrimitive{"HMAC-SHA2-384", 48}, + "HMAC-SHA2-512": &hmacPrimitive{"HMAC-SHA2-512", 64}, + "HMAC-SHA2-512/256": &hmacPrimitive{"HMAC-SHA2-512/256", 32}, + "ctrDRBG": &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}}, + "hmacDRBG": &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}}, + "KDF": &kdfPrimitive{}, + "KAS-KDF": &hkdf{}, + "CMAC-AES": &keyedMACPrimitive{"CMAC-AES"}, + "RSA": &rsa{}, + "kdf-components": &tlsKDF{}, + "KAS-ECC-SSC": &kas{}, + "KAS-FFC-SSC": &kasDH{}, } m.primitives["ECDSA"] = &ecdsa{"ECDSA", map[string]bool{"P-224": true, "P-256": true, "P-384": true, "P-521": true}, m.primitives} diff --git a/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-256.bz2 b/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-256.bz2 new file mode 100644 index 000000000..698411581 Binary files /dev/null and b/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-256.bz2 differ diff --git a/util/fipstools/acvp/acvptool/test/tests.json b/util/fipstools/acvp/acvptool/test/tests.json index 514d9d043..5765de179 100644 --- a/util/fipstools/acvp/acvptool/test/tests.json +++ b/util/fipstools/acvp/acvptool/test/tests.json 
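Review bot: The new `"HMAC-SHA2-512/256": &hmacPrimitive{"HMAC-SHA2-512/256", 32}` entry carries a bare `32` whose meaning is not stated in the hunk, and it has to agree with the `macLen` maximum of 256 bits that this commit advertises in modulewrapper.cc. If the second field is the digest size in bytes, as the neighbouring entries suggest (20 for HMAC-SHA-1, 64 for HMAC-SHA2-512), a comment above the HMAC group would make that cross-file invariant explicit: `// second field: output size of the underlying hash in bytes; must match the macLen max in the module wrapper's config`. The other changed lines in the map appear to be re-alignment only, and NewWithIO starts and ends outside the hunk.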
@@ -17,6 +17,7 @@ {"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-256.bz2", "Out": "expected/HMAC-SHA2-256.bz2"}, {"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-384.bz2", "Out": "expected/HMAC-SHA2-384.bz2"}, {"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512.bz2", "Out": "expected/HMAC-SHA2-512.bz2"}, +{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512-256.bz2", "Out": "expected/HMAC-SHA2-512-256.bz2"}, {"Wrapper": "testmodulewrapper", "In": "vectors/hmacDRBG.bz2", "Out": "expected/hmacDRBG.bz2"}, {"Wrapper": "testmodulewrapper", "In": "vectors/KAS-KDF.bz2", "Out": "expected/KAS-KDF.bz2"}, {"Wrapper": "modulewrapper", "In": "vectors/KAS-ECC-SSC.bz2"}, diff --git a/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-256.bz2 b/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-256.bz2 new file mode 100644 index 000000000..d9813002d Binary files /dev/null and b/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-256.bz2 differ diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc index 1a01ddbac..b4e556c82 100644 --- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc +++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc @@ -416,6 +416,16 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl "min": 32, "max": 512, "increment": 8 }] }, + { + "algorithm": "HMAC-SHA2-512/256", + "revision": "1.0", + "keyLen": [{ + "min": 8, "max": 2048, "increment": 8 + }], + "macLen": [{ + "min": 32, "max": 256, "increment": 8 + }] + }, { "algorithm": "ctrDRBG", "revision": "1.0", @@ -473,7 +483,8 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl "SHA2-224", "SHA2-256", "SHA2-384", - "SHA2-512" + "SHA2-512", + "SHA2-512/256" ] }] }, @@ -493,7 +504,8 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl "SHA2-224", "SHA2-256", "SHA2-384", - "SHA2-512" + "SHA2-512", + "SHA2-512/256" ] }] }, 
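Review bot: Only an HMAC vector pair is registered here, although the same commit advertises `SHA2-512/256` in several other places in modulewrapper.cc. Those are two `hashAlg` lists (hunks at -473 and -493), seven RSA PSS capability blocks (-587 through -773), and the `RSA/sigGen/SHA2-512/256/pss` and `RSA/sigVer/SHA2-512/256/pss` dispatch rows. The existing vector files are binary, so this page cannot show whether they already contain SHA2-512/256 groups; if they do not, those paths and the new `HashFromName` branch are exercised by no test in this commit. The RSA rows in particular sit next to near-identical `SHA2-512` rows, so a copy-paste slip in the digest binding would go unnoticed without a matching vector. Regenerating the affected vector/expected pairs with a SHA2-512/256 group would close the gap.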
@@ -587,6 +599,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-512", "saltLen": 64 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }] }] },{ @@ -605,6 +620,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-512", "saltLen": 64 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }] }] },{ @@ -623,6 +641,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-512", "saltLen": 64 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }] }] }] @@ -710,6 +731,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-384", "saltLen": 48 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }, { "hashAlg": "SHA-1", "saltLen": 20 @@ -731,6 +755,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-512", "saltLen": 64 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }, { "hashAlg": "SHA-1", "saltLen": 20 @@ -752,6 +779,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-512", "saltLen": 64 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }, { "hashAlg": "SHA-1", "saltLen": 20 @@ -773,6 +803,9 @@ static bool GetConfig(const Span args[], ReplyCallback write_repl }, { "hashAlg": "SHA2-512", "saltLen": 64 + }, { + "hashAlg": "SHA2-512/256", + "saltLen": 32 }, { "hashAlg": "SHA-1", "saltLen": 20 @@ -1521,6 +1554,8 @@ static const EVP_MD *HashFromName(Span name) { return EVP_sha384(); } else if (StringEq(name, "SHA2-512")) { return EVP_sha512(); + } else if (StringEq(name, "SHA2-512/256")) { + return EVP_sha512_256(); } else { return nullptr; } @@ -1919,6 +1954,7 @@ static constexpr struct { {"HMAC-SHA2-256", 2, HMAC}, {"HMAC-SHA2-384", 2, HMAC}, {"HMAC-SHA2-512", 2, HMAC}, + {"HMAC-SHA2-512/256", 2, HMAC}, {"ctrDRBG/AES-256", 6, DRBG}, {"ECDSA/keyGen", 1, ECDSAKeyGen}, {"ECDSA/keyVer", 3, ECDSAKeyVer}, 
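Review bot: In the hunk at -710 the new `SHA2-512/256` entry is placed after `SHA2-384`, whereas the three later sigVer hunks (-731, -752, -773) place it after `SHA2-512`; the visible context shows that this first block has no `SHA2-512` entry at all. That is presumably deliberate: PSS needs room for digest + salt + 2 bytes, so a 64-byte digest with a 64-byte salt does not fit a 1024-bit modulus while 32 + 32 does. Nothing on the page says so, however. A comment just above the config string in GetConfig would keep a later edit from "fixing" the apparent inconsistency, for example `// the smallest sigVer modulus omits SHA2-512: hLen + sLen + 2 exceeds the modulus size`. The modulus of each block lies outside the hunk, so this should be confirmed against the full file.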
@@ -1936,6 +1972,7 @@ static constexpr struct { {"RSA/sigGen/SHA2-256/pss", 2, RSASigGen}, {"RSA/sigGen/SHA2-384/pss", 2, RSASigGen}, {"RSA/sigGen/SHA2-512/pss", 2, RSASigGen}, + {"RSA/sigGen/SHA2-512/256/pss", 2, RSASigGen}, {"RSA/sigGen/SHA-1/pss", 2, RSASigGen}, {"RSA/sigVer/SHA2-224/pkcs1v1.5", 4, RSASigVer}, {"RSA/sigVer/SHA2-256/pkcs1v1.5", 4, RSASigVer}, @@ -1946,6 +1983,7 @@ static constexpr struct { {"RSA/sigVer/SHA2-256/pss", 4, RSASigVer}, {"RSA/sigVer/SHA2-384/pss", 4, RSASigVer}, {"RSA/sigVer/SHA2-512/pss", 4, RSASigVer}, + {"RSA/sigVer/SHA2-512/256/pss", 4, RSASigVer}, {"RSA/sigVer/SHA-1/pss", 4, RSASigVer}, {"TLSKDF/1.0/SHA-1", 5, TLSKDF}, {"TLSKDF/1.2/SHA2-256", 5, TLSKDF},