From c3d1f9c3159416331c0c852739fb5fd2cf60f708 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Sun, 28 Oct 2018 10:11:21 +0300 Subject: nettle: fix s-boxes selection for rare GOST 28147-89 variants gost28147-89 code contained c&p error, which resulted in using S-BOX CryptoPro-A instead of -B, -C, -D. Fix that. Signed-off-by: Dmitry Eremin-Solenikov --- lib/nettle/cipher.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c index eab1a03588..e28c39038c 100644 --- a/lib/nettle/cipher.c +++ b/lib/nettle/cipher.c @@ -176,21 +176,21 @@ static void _gost28147_set_key_cpb(void *ctx, const uint8_t *key) { gost28147_set_key(ctx, key); - gost28147_set_param(ctx, &gost28147_param_CryptoPro_A); + gost28147_set_param(ctx, &gost28147_param_CryptoPro_B); } static void _gost28147_set_key_cpc(void *ctx, const uint8_t *key) { gost28147_set_key(ctx, key); - gost28147_set_param(ctx, &gost28147_param_CryptoPro_A); + gost28147_set_param(ctx, &gost28147_param_CryptoPro_C); } static void _gost28147_set_key_cpd(void *ctx, const uint8_t *key) { gost28147_set_key(ctx, key); - gost28147_set_param(ctx, &gost28147_param_CryptoPro_A); + gost28147_set_param(ctx, &gost28147_param_CryptoPro_D); } #endif -- cgit v1.2.1 From 48589d36edda9cb80be37a3bbdcf4e055c12292f Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Sun, 28 Oct 2018 10:13:00 +0300 Subject: self-tests: add GOST symmetric algorithms tests Add tests for: - GOST 28147-89 CFB cipher - GOST R 34.11-94 hash function - Streebog-256/-512 hash functions - HMAC using GOST R 34.11-94/Streebog functions Signed-off-by: Dmitry Eremin-Solenikov --- lib/crypto-selftests.c | 197 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c index 19b8210b4e..ba1de66f6a 100644 --- a/lib/crypto-selftests.c +++ b/lib/crypto-selftests.c 
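Review bot: Nothing in the three corrected setters records that CPB, CPC and CPD were running with the CryptoPro-A table before this change, so a later reader cannot tell that ciphertext produced by the affected builds under these ids is really CryptoPro-A output and will no longer decrypt with them. A short comment above `_gost28147_set_key_cpb` would capture that, e.g. `/* Before this fix the -B/-C/-D setters selected CryptoPro_A; data encrypted by those builds decrypts only with the CPA variant. */`. The wrappers differ by a single identifier, which is presumably how the copy-paste slipped in; generating them from one macro that takes the suffix and the parameter-set name would remove that class of mistake. The `static void` line of the first wrapper sits in the hunk header, so that function starts outside the hunk.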
@@ -420,6 +420,85 @@ const struct cipher_vectors_st aes256_cfb8_vectors[] = { /* NIST 800-38a */ }, }; +/* GOST 28147-89 vectors come from the testsuite contributed to OpenSSL by + * Sergey E. Leontiev. CryptoPro-B test vector is just truncated. + * TC26Z is calculated using Nettle */ +const struct cipher_vectors_st gost28147_cpa_cfb_vectors[] = { + { + STR(key, key_size, + "\x8d\x5a\x2c\x83\xa7\xc7\x0a\x61\xd6\x1b\x34\xb5\x1f\xdf\x42\x68" + "\x66\x71\xa3\x5d\x87\x4c\xfd\x84\x99\x36\x63\xb6\x1e\xd6\x0d\xad"), + STR(plaintext, plaintext_size, + "\xd2\xfd\xf8\x3a\xc1\xb4\x39\x23\x2e\xaa\xcc\x98\x0a\x02\xda\x33"), + .ciphertext = (uint8_t *) + "\x88\xb7\x75\x16\x74\xa5\xee\x2d\x14\xfe\x91\x67\xd0\x5c\xcc\x40", + STR(iv, iv_size, + "\x46\x60\x6f\x0d\x88\x34\x23\x5a"), + }, +}; + +const struct cipher_vectors_st gost28147_cpb_cfb_vectors[] = { + { + STR(key, key_size, + "\x48\x0c\x74\x1b\x02\x6b\x55\xd5\xb6\x6d\xd7\x1d\x40\x48\x05\x6b" + "\x6d\xeb\x3c\x29\x0f\x84\x80\x23\xee\x0d\x47\x77\xe3\xfe\x61\xc9"), + STR(plaintext, plaintext_size, + "\x8c\x9c\x44\x35\xfb\xe9\xa5\xa3\xa0\xae\x28\x56\x91\x10\x8e\x1e" + "\xd2\xbb\x18\x53\x81\x27\x0d\xa6\x68\x59\x36\xc5\x81\x62\x9a\x8e" + "\x7d\x50\xf1\x6f\x97\x62\x29\xec\x80\x51\xe3\x7d\x6c\xc4\x07\x95" + "\x28\x63\xdc\xb4\xb9\x2d\xb8\x13\xb1\x05\xb5\xf9\xeb\x75\x37"), + .ciphertext = (uint8_t *) + "\x23\xc6\x7f\x20\xa1\x23\x58\xbc\x7b\x05\xdb\x21\x15\xcf\x96\x41" + "\xc7\x88\xef\x76\x5c\x49\xdb\x42\xbf\xf3\xc0\xf5\xbd\x5d\xd9\x8e" + "\xaf\x3d\xf4\xe4\xda\x88\xbd\xbc\x47\x5d\x76\x07\xc9\x5f\x54\x1d" + "\x1d\x6a\xa1\x2e\x18\xd6\x60\x84\x02\x18\x37\x92\x92\x15\xab", + STR(iv, iv_size, + "\x1f\x3f\x82\x1e\x0d\xd8\x1e\x22"), + }, +}; + +const struct cipher_vectors_st gost28147_cpc_cfb_vectors[] = { + { + STR(key, key_size, + "\x77\xc3\x45\x8e\xf6\x42\xe7\x04\x8e\xfc\x08\xe4\x70\x96\xd6\x05" + "\x93\x59\x02\x6d\x6f\x97\xca\xe9\xcf\x89\x44\x4b\xde\x6c\x22\x1d"), + STR(plaintext, plaintext_size, + "\x07\x9c\x91\xbe"), + .ciphertext = 
(uint8_t *) + "\x19\x35\x81\x34", + STR(iv, iv_size, + "\x43\x7c\x3e\x8e\x2f\x2a\x00\x98"), + }, +}; + +const struct cipher_vectors_st gost28147_cpd_cfb_vectors[] = { + { + STR(key, key_size, + "\x38\x9f\xe8\x37\xff\x9c\x5d\x29\xfc\x48\x55\xa0\x87\xea\xe8\x40" + "\x20\x87\x5b\xb2\x01\x15\x55\xa7\xe3\x2d\xcb\x3d\xd6\x59\x04\x73"), + STR(plaintext, plaintext_size, + "\x2f\x31\xd8\x83\xb4\x20\xe8\x6e\xda"), + .ciphertext = (uint8_t *) + "\x6d\xa4\xed\x40\x08\x88\x71\xad\x16", + STR(iv, iv_size, + "\xc5\xa2\xd2\x1f\x2f\xdf\xb8\xeb"), + }, +}; + +const struct cipher_vectors_st gost28147_tc26z_cfb_vectors[] = { + { + STR(key, key_size, + "\x8d\x5a\x2c\x83\xa7\xc7\x0a\x61\xd6\x1b\x34\xb5\x1f\xdf\x42\x68" + "\x66\x71\xa3\x5d\x87\x4c\xfd\x84\x99\x36\x63\xb6\x1e\xd6\x0d\xad"), + STR(plaintext, plaintext_size, + "\xd2\xfd\xf8\x3a\xc1\xb4\x39\x23\x2e\xaa\xcc\x98\x0a\x02\xda\x33"), + .ciphertext = (uint8_t *) + "\xed\xa7\xf1\x41\x01\x9c\xbd\xcd\x44\x6b\x00\x96\x87\xf7\xc7\xe6", + STR(iv, iv_size, + "\x46\x60\x6f\x0d\x88\x34\x23\x5a"), + }, +}; + static int test_cipher(gnutls_cipher_algorithm_t cipher, const struct cipher_vectors_st *vectors, size_t vectors_size, unsigned flags) 
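Review bot: The TC26Z vector is, per the comment at the top of this hunk, calculated using Nettle, i.e. with the implementation the self-test exercises, so it only detects later regressions and would not catch a wrong S-box table of the kind just fixed for CryptoPro-B/-C/-D. The same holds for `hmac_gostr_94_vectors` in the later MAC hunk, which is marked only `/* Calculated */`. Both values should be cross-checked against an independent implementation, and until then the comment should say what they are, e.g. ` * TC26Z was generated with Nettle: regression vector only, not independently verified`. "CryptoPro-B test vector is just truncated" would also be clearer if it named the original vector and its length; the plaintext here is 63 bytes.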
@@ -1136,6 +1215,47 @@ const struct hash_vectors_st sha3_512_vectors[] = { }, }; +const struct hash_vectors_st gostr_94_vectors[] = { + { + STR(plaintext, plaintext_size, + "The quick brown fox jumps over the lazy dog"), + STR(output, output_size, + "\x90\x04\x29\x4a\x36\x1a\x50\x8c\x58\x6f\xe5\x3d\x1f\x1b\x02\x74\x67\x65\xe7\x1b\x76\x54\x72\x78\x6e\x47\x70\xd5\x65\x83\x0a\x76"), + }, +}; + +/* GOST R 34.11-2012 */ +const struct hash_vectors_st streebog_512_vectors[] = { + { + STR(plaintext, plaintext_size, + "\xd1\xe5\x20\xe2\xe5\xf2\xf0\xe8\x2c\x20\xd1\xf2\xf0\xe8\xe1\xee" + "\xe6\xe8\x20\xe2\xed\xf3\xf6\xe8\x2c\x20\xe2\xe5\xfe\xf2\xfa\x20" + "\xf1\x20\xec\xee\xf0\xff\x20\xf1\xf2\xf0\xe5\xeb\xe0\xec\xe8\x20" + "\xed\xe0\x20\xf5\xf0\xe0\xe1\xf0\xfb\xff\x20\xef\xeb\xfa\xea\xfb" + "\x20\xc8\xe3\xee\xf0\xe5\xe2\xfb"), + STR(output, output_size, + "\x1e\x88\xe6\x22\x26\xbf\xca\x6f\x99\x94\xf1\xf2\xd5\x15\x69\xe0" + "\xda\xf8\x47\x5a\x3b\x0f\xe6\x1a\x53\x00\xee\xe4\x6d\x96\x13\x76" + "\x03\x5f\xe8\x35\x49\xad\xa2\xb8\x62\x0f\xcd\x7c\x49\x6c\xe5\xb3" + "\x3f\x0c\xb9\xdd\xdc\x2b\x64\x60\x14\x3b\x03\xda\xba\xc9\xfb\x28"), + }, +}; + +/* GOST R 34.11-2012 */ +const struct hash_vectors_st streebog_256_vectors[] = { + { + STR(plaintext, plaintext_size, + "\xd1\xe5\x20\xe2\xe5\xf2\xf0\xe8\x2c\x20\xd1\xf2\xf0\xe8\xe1\xee" + "\xe6\xe8\x20\xe2\xed\xf3\xf6\xe8\x2c\x20\xe2\xe5\xfe\xf2\xfa\x20" + "\xf1\x20\xec\xee\xf0\xff\x20\xf1\xf2\xf0\xe5\xeb\xe0\xec\xe8\x20" + "\xed\xe0\x20\xf5\xf0\xe0\xe1\xf0\xfb\xff\x20\xef\xeb\xfa\xea\xfb" + "\x20\xc8\xe3\xee\xf0\xe5\xe2\xfb"), + STR(output, output_size, + "\x9d\xd2\xfe\x4e\x90\x40\x9e\x5d\xa8\x7f\x53\x97\x6d\x74\x05\xb0" + "\xc0\xca\xc6\x28\xfc\x66\x9a\x74\x1d\x50\x06\x3c\x55\x7e\x8f\x50"), + }, +}; + #define HASH_DATA_SIZE 64 /* SHA1 and other hashes */ 
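Review bot: `gostr_94_vectors` has no provenance comment and does not say which GOST R 34.11-94 parameter set the expected digest belongs to, although the result depends on the S-box set in use. The value looks like the commonly published CryptoPro-parameter digest of this sentence rather than the test-parameter one; if that is right, a comment such as `/* GOST R 34.11-94, CryptoPro parameter set; vector source: <reference> */` above the array would make the choice explicit. The two Streebog arrays name the standard but not where the vector comes from, so a source reference there would help a later reviewer confirm them independently.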
@@ -1261,6 +1381,50 @@ const struct mac_vectors_st hmac_sha512_vectors[] = { }, }; +/* Calculated */ +const struct mac_vectors_st hmac_gostr_94_vectors[] = { + { + STR(key, key_size, + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"), + STR(plaintext, plaintext_size, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00"), + STR(output, output_size, + "\xba\xd7\x0b\x61\xc4\x10\x95\xbc\x47\xe1\x14\x1c\xfa\xed\x42\x72" + "\x6a\x5c\xee\xbd\x62\xce\x75\xdb\xbb\x9a\xd7\x6c\xda\x9f\x72\xf7"), + }, +}; + +/* RFC 7836 */ +const struct mac_vectors_st hmac_streebog_512_vectors[] = { + { + STR(key, key_size, + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"), + STR(plaintext, plaintext_size, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00"), + STR(output, output_size, + "\xa5\x9b\xab\x22\xec\xae\x19\xc6\x5f\xbd\xe6\xe5\xf4\xe9\xf5\xd8" + "\x54\x9d\x31\xf0\x37\xf9\xdf\x9b\x90\x55\x00\xe1\x71\x92\x3a\x77" + "\x3d\x5f\x15\x30\xf2\xed\x7e\x96\x4c\xb2\xee\xdc\x29\xe9\xad\x2f" + "\x3a\xfe\x93\xb2\x81\x4f\x79\xf5\x00\x0f\xfc\x03\x66\xc2\x51\xe6"), + }, +}; + +/* RFC 7836 */ +const struct mac_vectors_st hmac_streebog_256_vectors[] = { + { + STR(key, key_size, + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"), + STR(plaintext, plaintext_size, + "\x01\x26\xbd\xb8\x78\x00\xaf\x21\x43\x41\x45\x65\x63\x78\x01\x00"), + STR(output, output_size, + "\xa1\xaa\x5f\x7d\xe4\x02\xd7\xb3\xd3\x23\xf2\x99\x1c\x8d\x45\x34" + "\x01\x31\x37\x01\x0a\x83\x75\x4f\xd0\xaf\x6d\x7c\xd4\x92\x2e\xd9"), + }, +}; + static int test_mac(gnutls_mac_algorithm_t mac, const struct mac_vectors_st *vectors, size_t vectors_size, unsigned flags) 
@@ -1395,6 +1559,23 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher) FALLTHROUGH; CASE(GNUTLS_CIPHER_AES_256_CFB8, test_cipher, aes256_cfb8_vectors); +#if ENABLE_GOST + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_CIPHER_GOST28147_CPA_CFB, test_cipher, + gost28147_cpa_cfb_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_CIPHER_GOST28147_CPB_CFB, test_cipher, + gost28147_cpb_cfb_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_CIPHER_GOST28147_CPC_CFB, test_cipher, + gost28147_cpc_cfb_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_CIPHER_GOST28147_CPD_CFB, test_cipher, + gost28147_cpd_cfb_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_CIPHER_GOST28147_TC26Z_CFB, test_cipher, + gost28147_tc26z_cfb_vectors); +#endif break; default: return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); @@ -1434,6 +1615,14 @@ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac) CASE(GNUTLS_MAC_SHA384, test_mac, hmac_sha384_vectors); FALLTHROUGH; CASE(GNUTLS_MAC_SHA512, test_mac, hmac_sha512_vectors); +#if ENABLE_GOST + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_MAC_GOSTR_94, test_mac, hmac_gostr_94_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_MAC_STREEBOG_512, test_mac, hmac_streebog_512_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_MAC_STREEBOG_256, test_mac, hmac_streebog_256_vectors); +#endif break; default: @@ -1483,6 +1672,14 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest) CASE(GNUTLS_DIG_SHA3_384, test_digest, sha3_384_vectors); FALLTHROUGH; CASE(GNUTLS_DIG_SHA3_512, test_digest, sha3_512_vectors); +#endif +#if ENABLE_GOST + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_DIG_GOSTR_94, test_digest, gostr_94_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_DIG_STREEBOG_512, test_digest, streebog_512_vectors); + FALLTHROUGH; + NON_FIPS_CASE(GNUTLS_DIG_STREEBOG_256, test_digest, streebog_256_vectors); #endif break; default: -- cgit v1.2.1 From a266e0027a7fd295be9b5d90407083c99660de36 Mon Sep 17 00:00:00 2001 
From: Dmitry Eremin-Solenikov Date: Sun, 28 Oct 2018 15:44:15 +0300 Subject: NEWS: Add entry mentioning fix of S-BOXes for CryptoPro-B,-C,-D variants Signed-off-by: Dmitry Eremin-Solenikov --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEWS b/NEWS index d6f73255d8..652845d1b1 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,10 @@ See the end for copying conditions. ** p11tool: fix initialization of security officer's PIN with the --initialize-so-pin option (#561) +** In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers + have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D + S-BOXes). They are fixed now. + ** API and ABI modifications: GNUTLS_AUTO_REAUTH: Added GNUTLS_CIPHER_AES_128_CFB8: Added -- cgit v1.2.1