diff --git a/.gitignore b/.gitignore index bfbbf309a0a..958f3f8af93 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,5 @@ deps/aws-lc-sys/src/bindings.rs **/target /Cargo.lock + +lcov.info diff --git a/aws-lc-rs/Makefile b/aws-lc-rs/Makefile index c5149eaf7fa..e032b2e37a7 100644 --- a/aws-lc-rs/Makefile +++ b/aws-lc-rs/Makefile @@ -21,7 +21,7 @@ asan-fips: RUST_BACKTRACE=1 ASAN_OPTIONS=detect_leaks=1 RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address cargo +nightly test --lib --bins --tests --examples --target `rustc -vV | sed -n 's|host: ||p'` --no-default-features --features fips,asan coverage: - cargo llvm-cov --no-fail-fast --fail-under-lines 95 --ignore-filename-regex "aws-lc-sys/*" + cargo llvm-cov --no-fail-fast --fail-under-lines 95 --ignore-filename-regex "aws-lc-sys/*" --lcov --output-path lcov.info test: cargo test --all-targets --features ring-benchmarks diff --git a/aws-lc-rs/src/key_wrap.rs b/aws-lc-rs/src/key_wrap.rs new file mode 100644 index 00000000000..21761a88de3 --- /dev/null +++ b/aws-lc-rs/src/key_wrap.rs @@ -0,0 +1,354 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +//! Key Wrap Algorithm [NIST SP 800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf) +//! +//! # Examples +//! ```rust +//! # use std::error::Error; +//! # fn main() -> Result<(), Box> { +//! use aws_lc_rs::key_wrap::{KeyEncryptionKey, WrappingMode, AES_128}; +//! +//! const KEY: &[u8] = &[ +//! 0xa8, 0xe0, 0x6d, 0xa6, 0x25, 0xa6, 0x5b, 0x25, 0xcf, 0x50, 0x30, 0x82, 0x68, 0x30, 0xb6, +//! 0x61, +//! ]; +//! const PLAINTEXT: &[u8] = &[0x43, 0xac, 0xff, 0x29, 0x31, 0x20, 0xdd, 0x5d]; +//! +//! let kek = KeyEncryptionKey::new(&AES_128, KEY, WrappingMode::Padded)?; +//! +//! let mut output = vec![0u8; PLAINTEXT.len() + 15]; +//! +//! let ciphertext = kek.wrap(PLAINTEXT, &mut output)?; +//! +//! let kek = KeyEncryptionKey::new(&AES_128, KEY, WrappingMode::Padded)?; +//! +//! let mut output = vec![0u8; ciphertext.len()]; +//! +//! let plaintext = kek.unwrap(&*ciphertext, &mut output)?; +//! +//! assert_eq!(PLAINTEXT, plaintext); +//! +//! Ok(()) +//! # } +//! ``` +use std::{fmt::Debug, mem::MaybeUninit, ptr::null}; + +use aws_lc::{ + AES_set_decrypt_key, AES_set_encrypt_key, AES_unwrap_key, AES_unwrap_key_padded, AES_wrap_key, + AES_wrap_key_padded, AES_KEY, +}; + +use crate::{error::Unspecified, fips::indicator_check}; + +mod tests; + +/// The Key Wrapping Algorithm +pub struct Algorithm { + id: AlgorithmId, + key_len: usize, +} + +impl Algorithm { + /// Returns the algorithm identifier. + #[inline] + #[must_use] + pub fn id(&self) -> AlgorithmId { + self.id + } + + /// Returns the algorithm key length. + #[inline] + #[must_use] + fn key_len(&self) -> usize { + self.key_len + } +} + +impl Debug for Algorithm { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + Debug::fmt(&self.id, f) + } +} + +/// The Key Wrapping Algorithm Identifier +#[derive(Debug, PartialEq, Eq, Clone, Copy)] +pub enum AlgorithmId { + /// AES-128 Key Wrap + Aes128, + + /// AES-256 Key Wrap + Aes256, +} + +/// AES-128 Key Wrapping +pub const AES_128: Algorithm = Algorithm { + id: AlgorithmId::Aes128, + key_len: 16, +}; + +/// AES-256 Key Wrapping +pub const AES_256: Algorithm = Algorithm { + id: AlgorithmId::Aes256, + key_len: 32, +}; + +/// The mode of operation for the wrapping algorithm. +#[derive(Debug, PartialEq, Eq, Clone, Copy)] +pub enum WrappingMode { + /// Key Wrap with Padding + Padded, + + /// Key Wrap + Unpadded, +} + +impl WrappingMode { + fn wrap<'output>( + self, + key: &[u8], + input: &[u8], + output: &'output mut [u8], + ) -> Result<&'output mut [u8], Unspecified> { + // For most checks we can count on AWS-LC, but in this instance + // it expects that output is sufficiently sized. So we must check it here. + if self == WrappingMode::Unpadded && output.len() < input.len() + 8 { + return Err(Unspecified); + } + + let mut aes_key = MaybeUninit::::uninit(); + + let key_bits: u32 = (key.len() * 8).try_into().map_err(|_| Unspecified)?; + + if 0 != unsafe { AES_set_encrypt_key(key.as_ptr(), key_bits, aes_key.as_mut_ptr()) } { + return Err(Unspecified); + } + + let aes_key = unsafe { aes_key.assume_init() }; + + let out_len = match self { + WrappingMode::Padded => { + let mut out_len: usize = 0; + + // AWS-LC validates the following: + // * in_len != 0 + // * in_len <= INT_MAX + // * max_out >= required_padding + 8 + if 1 != indicator_check!(unsafe { + AES_wrap_key_padded( + &aes_key, + output.as_mut_ptr(), + &mut out_len, + output.len(), + input.as_ptr(), + input.len(), + ) + }) { + return Err(Unspecified); + } + + out_len + } + WrappingMode::Unpadded => { + // AWS-LC validates the following: + // * in_len <= INT_MAX - 8 + // * in_len >= 16 + // * in_len % 8 == 0 + let out_len = indicator_check!(unsafe { + AES_wrap_key( + &aes_key, + null(), + output.as_mut_ptr(), + input.as_ptr(), + input.len(), + ) + }); + + if out_len == -1 { + return Err(Unspecified); + } + + let out_len: usize = out_len.try_into().map_err(|_| Unspecified)?; + + debug_assert_eq!(out_len, input.len() + 8); + + out_len + } + }; + + Ok(&mut output[..out_len]) + } + + fn unwrap<'output>( + self, + key: &[u8], + input: &[u8], + output: &'output mut [u8], + ) -> Result<&'output mut [u8], Unspecified> { + if self == WrappingMode::Unpadded && output.len() < input.len() - 8 { + return Err(Unspecified); + } + + let mut aes_key = MaybeUninit::::uninit(); + + if 0 != unsafe { + AES_set_decrypt_key( + key.as_ptr(), + (key.len() * 8).try_into().map_err(|_| Unspecified)?, + aes_key.as_mut_ptr(), + ) + } { + return Err(Unspecified); + } + + let aes_key = unsafe { aes_key.assume_init() }; + + let out_len = match self { + WrappingMode::Padded => { + let mut out_len: usize = 0; + + // AWS-LC validates the following: + // * in_len >= AES_BLOCK_SIZE + // * max_out >= in_len - 8 + if 1 != indicator_check!(unsafe { + AES_unwrap_key_padded( + &aes_key, + output.as_mut_ptr(), + &mut out_len, + output.len(), + input.as_ptr(), + input.len(), + ) + }) { + return Err(Unspecified); + }; + + out_len + } + WrappingMode::Unpadded => { + // AWS-LC validates the following: + // * in_len < INT_MAX + // * in_len > 24 + // * in_len % 8 == 0 + let out_len = indicator_check!(unsafe { + AES_unwrap_key( + &aes_key, + null(), + output.as_mut_ptr(), + input.as_ptr(), + input.len(), + ) + }); + + if out_len == -1 { + return Err(Unspecified); + } + + let out_len: usize = out_len.try_into().map_err(|_| Unspecified)?; + + debug_assert_eq!(out_len, input.len() - 8); + + out_len + } + }; + + Ok(&mut output[..out_len]) + } +} + +/// The key-encryption key used with the selected cipher algorithn to wrap or unwrap a key. +pub struct KeyEncryptionKey { + algorithm: &'static Algorithm, + key: Box<[u8]>, + mode: WrappingMode, +} + +impl KeyEncryptionKey { + /// Creates a new `KeyEncryptionKey` using the provider cipher algorithm, key bytes, and wrapping mode. + /// + /// # Errors + /// * [`Unspecified`]: Returned if `key_bytes.len()` does not match the size expected for the provided algorithm. + pub fn new( + algorithm: &'static Algorithm, + key_bytes: &[u8], + mode: WrappingMode, + ) -> Result { + if algorithm.key_len() != key_bytes.len() { + return Err(Unspecified); + } + + let key = Vec::from(key_bytes).into_boxed_slice(); + + Ok(Self { + algorithm, + key, + mode, + }) + } + + /// Peforms the key wrap encryption algorithm using `KeyEncryptionKey`'s configured cipher algorithm + /// and wrapping operation mode. It wraps the provided `input` plaintext and writes the + /// ciphertext to `output`. + /// + /// If `WrappingMode::Unpadded` is the configured mode, then `input.len()` must be a multiple of 8 and non-zero. + /// + /// # Sizing `output` + /// `output` must be sized appropriately depending on the configured [`WrappingMode`]. + /// * [`WrappingMode::Padded`]: `output.len() >= (input.len() + 15)` + /// * [`WrappingMode::Unpadded`]: `output.len() >= (input.len() + 8)` + /// + /// # Errors + /// * [`Unspecified`]: An error occurred either due to `output` being insufficiently sized, `input` exceeding + /// the allowed input size, or for other unspecified reasons. + pub fn wrap<'output>( + self, + input: &[u8], + output: &'output mut [u8], + ) -> Result<&'output mut [u8], Unspecified> { + self.mode.wrap(&self.key, input, output) + } + + /// Peforms the key wrap decryption algorithm using `KeyEncryptionKey`'s configured cipher algorithm + /// and wrapping operation mode. It unwraps the provided `input` ciphertext and writes the + /// plaintext to `output`. + /// + /// If `WrappingMode::Unpadded` is the configured mode, then `input.len()` must be a multiple of 8. + /// + /// # Sizing `output` + /// `output` must be sized appropriately depending on the configured [`WrappingMode`]. + /// * [`WrappingMode::Padded`]: `output.len() >= input.len()` + /// * [`WrappingMode::Unpadded`]: `output.len() >= (input.len() - 8)` + /// + /// # Errors + /// * [`Unspecified`]: An error occurred either due to `output` being insufficiently sized, `input` exceeding + /// the allowed input size, or for other unspecified reasons. + pub fn unwrap<'output>( + self, + input: &[u8], + output: &'output mut [u8], + ) -> Result<&'output mut [u8], Unspecified> { + self.mode.unwrap(&self.key, input, output) + } + + /// Returns the configured `Algorithm`. + #[must_use] + pub fn algorithm(&self) -> &'static Algorithm { + self.algorithm + } + + /// Returns the configured `WrappingMode`. + #[must_use] + pub fn wrapping_mode(&self) -> WrappingMode { + self.mode + } +} + +#[allow(clippy::missing_fields_in_debug)] +impl Debug for KeyEncryptionKey { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_struct("KeyEncryptionKey") + .field("algorithm", &self.algorithm) + .field("mode", &self.mode) + .finish() + } +} diff --git a/aws-lc-rs/src/key_wrap/tests.rs b/aws-lc-rs/src/key_wrap/tests.rs new file mode 100644 index 00000000000..948d08af0ea --- /dev/null +++ b/aws-lc-rs/src/key_wrap/tests.rs @@ -0,0 +1,628 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +#![cfg(test)] + +#[cfg(feature = "fips")] +mod fips; + +use super::{Algorithm, AlgorithmId, KeyEncryptionKey, WrappingMode, AES_128, AES_256}; + +macro_rules! algorithm_test { + ($name:ident, $alg:expr, $id:expr, $key_len:literal) => { + #[test] + fn $name() { + let x: &'static Algorithm = $alg; + assert_eq!($id, x.id()); + assert_eq!($alg.key_len(), $key_len); + } + }; +} + +algorithm_test!(aes_128_algorithm, &AES_128, AlgorithmId::Aes128, 16); +algorithm_test!(aes_256_algorithm, &AES_256, AlgorithmId::Aes256, 32); + +#[test] +fn key_encryption_key_debug_impl() { + let kek = + KeyEncryptionKey::new(&AES_128, &[42u8; 16], WrappingMode::Padded).expect("key created"); + + assert_eq!( + "KeyEncryptionKey { algorithm: Aes128, mode: Padded }", + format!("{kek:?}") + ); +} + +macro_rules! key_wrap_test { + ($name:ident, $alg:expr, $mode:expr, $key:expr, $plaintext:expr, $expect:expr) => { + #[test] + fn $name() { + const K: &[u8] = $key; + const P: &[u8] = $plaintext; + const C: &[u8] = $expect; + + let kek = KeyEncryptionKey::new($alg, K, $mode).expect("key creation successful"); + + assert_eq!($alg.id(), kek.algorithm().id()); + assert_eq!($mode, kek.wrapping_mode()); + + let mut output = vec![0u8; C.len()]; + + let wrapped = Vec::from(kek.wrap(P, &mut output).expect("wrap successful")); + + assert_eq!(wrapped, C); + + let kek = KeyEncryptionKey::new($alg, K, $mode).expect("key creation successful"); + + let mut output = vec![ + 0u8; + if P.len() % 8 != 0 { + P.len() + (8 - (P.len() % 8)) + } else { + P.len() + } + ]; + + let unwrapped = kek.unwrap(&wrapped, &mut output).expect("wrap successful"); + + assert_eq!(unwrapped, P); + } + }; +} + +macro_rules! key_unwrap_test { + ($name:ident, $alg:expr, $mode:expr, $key:expr, $ciphertext:expr) => { + #[test] + fn $name() { + const K: &[u8] = $key; + const C: &[u8] = $ciphertext; + + let kek = KeyEncryptionKey::new($alg, K, $mode).expect("key creation successful"); + + let mut output = vec![0u8; C.len()]; + + kek.unwrap(C, &mut output).expect_err("unwrap to fail"); + } + }; + ($name:ident, $alg:expr, $mode:expr, $key:expr, $ciphertext:expr, $expect:expr) => { + #[test] + fn $name() { + const K: &[u8] = $key; + const C: &[u8] = $ciphertext; + const P: &[u8] = $expect; + + let kek = KeyEncryptionKey::new($alg, K, $mode).expect("key creation successful"); + + let mut output = vec![ + 0u8; + if P.len() % 8 != 0 { + P.len() + (8 - (P.len() % 8)) + } else { + P.len() + } + ]; + + let unwrapped = Vec::from(kek.unwrap(C, &mut output).expect("unwrap successful")); + + assert_eq!(unwrapped, P); + + let kek = KeyEncryptionKey::new($alg, K, $mode).expect("key creation successful"); + + let mut output = vec![0u8; C.len()]; + + let wrapped = kek.wrap(&unwrapped, &mut output).expect("wrap successful"); + + assert_eq!(wrapped, C); + } + }; +} + +key_wrap_test!( + kwp_ae_aes128_8bit_len, + &AES_128, + WrappingMode::Padded, + &[ + 0x6d, 0xec, 0xf1, 0x0a, 0x1c, 0xaf, 0x8e, 0x3b, 0x80, 0xc7, 0xa4, 0xbe, 0x8c, 0x9c, 0x84, + 0xe8, + ], + &[0x49], + &[ + 0x01, 0xa7, 0xd6, 0x57, 0xfc, 0x4a, 0x5b, 0x21, 0x6f, 0x26, 0x1c, 0xca, 0x4d, 0x05, 0x2c, + 0x2b, + ] +); + +key_wrap_test!( + kwp_ae_aes128_248bit_len, + &AES_128, + WrappingMode::Padded, + &[ + 0xbe, 0x96, 0xdc, 0x19, 0x5e, 0xc0, 0x34, 0xd6, 0x16, 0x48, 0x6e, 0xd7, 0x0e, 0x97, 0xfe, + 0x83 + ], + &[ + 0x85, 0xb5, 0x43, 0x7b, 0x63, 0x35, 0xeb, 0xba, 0x76, 0x35, 0x90, 0x3a, 0x44, 0x93, 0xd1, + 0x2a, 0x77, 0xd9, 0x35, 0x7a, 0x9e, 0x0d, 0xbc, 0x01, 0x34, 0x56, 0xd8, 0x5f, 0x1d, 0x32, + 0x01 + ], + &[ + 0x97, 0x47, 0x69, 0xb3, 0xa7, 0xb4, 0xd5, 0xd3, 0x29, 0x85, 0xf8, 0x7f, 0xdd, 0xf9, 0x99, + 0x06, 0x31, 0xe5, 0x61, 0x0f, 0xbf, 0xb2, 0x78, 0x38, 0x7b, 0x58, 0xb1, 0xf4, 0x8e, 0x05, + 0xc7, 0x7d, 0x2f, 0xb7, 0x57, 0x5c, 0x51, 0x69, 0xeb, 0x0e + ] +); + +key_unwrap_test!( + kwp_ad_aes128_8bit_len, + &AES_128, + WrappingMode::Padded, + &[ + 0x49, 0x31, 0x9c, 0x33, 0x12, 0x31, 0xcd, 0x6b, 0xf7, 0x4c, 0x2f, 0x70, 0xb0, 0x7f, 0xcc, + 0x5c + ], + &[ + 0x9c, 0x21, 0x1f, 0x32, 0xf8, 0xb3, 0x41, 0xf3, 0x2b, 0x05, 0x2f, 0xed, 0x5f, 0x31, 0xa3, + 0x87 + ], + &[0xe4] +); + +key_unwrap_test!( + kwp_ad_aes128_8bit_len_fail, + &AES_128, + WrappingMode::Padded, + &[ + 0x7a, 0x3f, 0x4d, 0x97, 0x05, 0x01, 0xbf, 0x86, 0x14, 0x7e, 0x91, 0x5f, 0xe1, 0xb9, 0x03, + 0x18 + ], + &[ + 0xad, 0xd7, 0x0b, 0xaf, 0xaf, 0xb1, 0x5e, 0x79, 0xc3, 0xa8, 0x5c, 0xe1, 0xde, 0x55, 0x82, + 0x72 + ] +); + +key_unwrap_test!( + kwp_ad_aes128_248bit_len, + &AES_128, + WrappingMode::Padded, + &[ + 0x28, 0x90, 0x23, 0x37, 0x90, 0x78, 0xb8, 0x21, 0xfc, 0x24, 0xf7, 0x18, 0xbd, 0xc9, 0x43, + 0x31 + ], + &[ + 0xff, 0x51, 0xb7, 0xae, 0x52, 0x46, 0x23, 0x44, 0xfc, 0x45, 0x5f, 0x72, 0xbe, 0x05, 0x9b, + 0x56, 0xa9, 0x8c, 0xc8, 0x33, 0xa1, 0xcf, 0x3b, 0x20, 0xb6, 0x88, 0x71, 0x12, 0xf5, 0xa4, + 0x3f, 0xd4, 0x5e, 0x9c, 0x5f, 0x51, 0xe7, 0xc6, 0x62, 0xf4 + ], + &[ + 0xbe, 0xd5, 0x24, 0xc6, 0x40, 0x2e, 0xeb, 0x77, 0x38, 0x69, 0x6f, 0x31, 0x06, 0x99, 0x9f, + 0xc9, 0x31, 0xbe, 0xd6, 0x76, 0x88, 0x38, 0x34, 0x5d, 0x18, 0xba, 0x44, 0xe1, 0xb0, 0x32, + 0xb8 + ] +); + +key_unwrap_test!( + kwp_ad_aes128_248bit_len_fail, + &AES_128, + WrappingMode::Padded, + &[ + 0x69, 0x29, 0x11, 0x7e, 0x6c, 0xb1, 0x8e, 0xa4, 0xa2, 0x98, 0x58, 0x86, 0xf0, 0x8c, 0x0a, + 0xe1 + ], + &[ + 0x5f, 0xd9, 0xe7, 0x7c, 0x37, 0x04, 0x1c, 0x2e, 0xbd, 0x4c, 0x34, 0x6d, 0x5b, 0x6c, 0x78, + 0xf7, 0xb4, 0x85, 0xca, 0x58, 0x9d, 0x6b, 0x0b, 0x54, 0x16, 0xd0, 0x28, 0x7a, 0x6d, 0xb3, + 0x6b, 0x39, 0xbd, 0xc9, 0x61, 0xb4, 0xdc, 0x2f, 0xec, 0xbc + ] +); + +key_wrap_test!( + kw_ae_aes128_128bit_len, + &AES_128, + WrappingMode::Unpadded, + &[ + 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2, 0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, + 0xa6 + ], + &[ + 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea, 0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, + 0x3f + ], + &[ + 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d, 0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, + 0xa3, 0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb + ] +); + +key_wrap_test!( + kw_ae_aes128_256bit_len, + &AES_128, + WrappingMode::Unpadded, + &[ + 0xe5, 0xd0, 0x58, 0xe7, 0xf1, 0xc2, 0x2c, 0x01, 0x6c, 0x4e, 0x1c, 0xc9, 0xb2, 0x6b, 0x9f, + 0x8f + ], + &[ + 0x7f, 0x60, 0x4e, 0x9b, 0x8d, 0x39, 0xd3, 0xc9, 0x1e, 0x19, 0x3f, 0xe6, 0xf1, 0x96, 0xc1, + 0xe3, 0xda, 0x62, 0x11, 0xa7, 0xc9, 0xa3, 0x3b, 0x88, 0x73, 0xb6, 0x4b, 0x13, 0x8d, 0x18, + 0x03, 0xe4 + ], + &[ + 0x60, 0xb9, 0xf8, 0xac, 0x79, 0x7c, 0x56, 0xe0, 0x1e, 0x9b, 0x5f, 0x84, 0xd6, 0x58, 0x16, + 0xa9, 0x80, 0x77, 0x78, 0x69, 0xf6, 0x79, 0x91, 0xa0, 0xe6, 0xdc, 0x19, 0xb8, 0xcd, 0x75, + 0xc9, 0xb5, 0x4d, 0xb4, 0xa3, 0x84, 0x56, 0xbb, 0xd6, 0xf3 + ] +); + +key_unwrap_test!( + kw_ad_aes128_128bit_len, + &AES_128, + WrappingMode::Unpadded, + &[ + 0x1c, 0xbd, 0x2f, 0x79, 0x07, 0x8b, 0x95, 0x00, 0xfa, 0xe2, 0x36, 0x96, 0x31, 0x19, 0x53, + 0xeb + ], + &[ + 0xec, 0xbd, 0x7a, 0x17, 0xc5, 0xda, 0x3c, 0xfd, 0xfe, 0x22, 0x25, 0xd2, 0xbf, 0x9a, 0xc7, + 0xab, 0xce, 0x78, 0xc2, 0xb2, 0xae, 0xfa, 0x6e, 0xac + ], + &[ + 0x9c, 0x4e, 0x67, 0x52, 0x77, 0xa3, 0xbd, 0xc3, 0xa0, 0x71, 0x04, 0x8b, 0x32, 0x7a, 0x01, + 0x1e + ] +); + +key_unwrap_test!( + kw_ad_aes128_128bit_len_fail, + &AES_128, + WrappingMode::Unpadded, + &[ + 0x5e, 0xa3, 0x0c, 0x21, 0xdb, 0x36, 0xc0, 0x57, 0x72, 0x94, 0xcc, 0x70, 0xd3, 0xb8, 0x69, + 0x70 + ], + &[ + 0x37, 0xe4, 0x81, 0x3d, 0x9c, 0x40, 0xc9, 0x16, 0x5b, 0x7f, 0x12, 0x0c, 0xec, 0x34, 0xa8, + 0x5d, 0x3b, 0xf5, 0x6a, 0xe0, 0x7f, 0xad, 0x8f, 0x40 + ] +); + +key_unwrap_test!( + kw_ad_aes128_256bit_len, + &AES_128, + WrappingMode::Unpadded, + &[ + 0x83, 0xda, 0x6e, 0x02, 0x40, 0x4d, 0x5a, 0xbf, 0xd4, 0x7d, 0x15, 0xda, 0x59, 0x18, 0x40, + 0xe2 + ], + &[ + 0x3f, 0x4c, 0xbf, 0x3a, 0x98, 0x02, 0x92, 0x43, 0xda, 0x87, 0xa7, 0x56, 0xb3, 0xc5, 0x25, + 0x53, 0xf9, 0x13, 0x66, 0xf4, 0xff, 0x4b, 0x10, 0x3b, 0x2c, 0x73, 0xe6, 0x8a, 0xa8, 0xca, + 0x81, 0xf0, 0x1e, 0xbd, 0xa3, 0x5d, 0x71, 0x87, 0x41, 0xac + ], + &[ + 0x67, 0xdf, 0xd6, 0x27, 0x34, 0x6e, 0xbd, 0x21, 0x78, 0x49, 0xa5, 0xba, 0x5b, 0xca, 0x6e, + 0x9c, 0xe0, 0x7a, 0x77, 0x47, 0xbe, 0xd1, 0xba, 0x11, 0x9e, 0xc0, 0x15, 0x03, 0x20, 0x2a, + 0x07, 0x5a + ] +); + +key_unwrap_test!( + kw_ad_aes128_256bit_len_fail, + &AES_128, + WrappingMode::Unpadded, + &[ + 0x84, 0xbc, 0x6c, 0xe7, 0xee, 0x4f, 0xd9, 0xdb, 0x51, 0x25, 0x36, 0x66, 0x9d, 0x06, 0x86, + 0xda + ], + &[ + 0xc3, 0x83, 0xdb, 0x93, 0x0f, 0xfd, 0x02, 0xc0, 0x07, 0x3a, 0xc2, 0xcc, 0x79, 0xec, 0x28, + 0x9e, 0x68, 0x66, 0xbd, 0xcc, 0x6a, 0x13, 0x5a, 0x3b, 0x77, 0x6a, 0xa4, 0x2f, 0x14, 0xee, + 0x04, 0xf9, 0xcc, 0xa0, 0x6e, 0xd6, 0xc0, 0xb2, 0x29, 0x01 + ] +); + +key_wrap_test!( + kwp_ae_aes256_8bit_len, + &AES_256, + WrappingMode::Padded, + &[ + 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5, 0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, + 0x6f, 0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae, 0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, + 0x22, 0x5a + ], + &[0xd1], + &[ + 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd, 0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, + 0xc4 + ] +); + +key_wrap_test!( + kwp_ae_aes256_248bit_len, + &AES_256, + WrappingMode::Padded, + &[ + 0xe9, 0xbb, 0x7f, 0x44, 0xc7, 0xba, 0xaf, 0xbf, 0x39, 0x2a, 0xb9, 0x12, 0x58, 0x9a, 0x2f, + 0x8d, 0xb5, 0x32, 0x68, 0x10, 0x6e, 0xaf, 0xb7, 0x46, 0x89, 0xbb, 0x18, 0x33, 0x13, 0x6e, + 0x61, 0x13 + ], + &[ + 0xff, 0xe9, 0x52, 0x60, 0x48, 0x34, 0xbf, 0xf8, 0x99, 0xe6, 0x36, 0x58, 0xf3, 0x42, 0x46, + 0x81, 0x5c, 0x91, 0x59, 0x7e, 0xb4, 0x0a, 0x21, 0x72, 0x9e, 0x0a, 0x8a, 0x95, 0x9b, 0x61, + 0xf2 + ], + &[ + 0x15, 0xb9, 0xf0, 0x6f, 0xbc, 0x76, 0x5e, 0x5e, 0x3d, 0x55, 0xd6, 0xb8, 0x24, 0x61, 0x6f, + 0x21, 0x92, 0x1d, 0x2a, 0x69, 0x18, 0xee, 0x7b, 0xf1, 0x40, 0x6b, 0x52, 0x42, 0x74, 0xe1, + 0x70, 0xb4, 0xa7, 0x83, 0x33, 0xca, 0x5e, 0xe9, 0x2a, 0xf5 + ] +); + +key_unwrap_test!( + kwp_ad_aes256_8bit_len, + &AES_256, + WrappingMode::Padded, + &[ + 0x20, 0xe4, 0xff, 0x6a, 0x88, 0xff, 0xa9, 0xa2, 0x81, 0x8b, 0x81, 0x70, 0x27, 0x93, 0xd8, + 0xa0, 0x16, 0x72, 0x2c, 0x2f, 0xa1, 0xff, 0x44, 0x5f, 0x24, 0xb9, 0xdb, 0x29, 0x3c, 0xb1, + 0x20, 0x69 + ], + &[ + 0x85, 0x01, 0x1d, 0xc9, 0x27, 0xb1, 0x67, 0xf4, 0x11, 0xb0, 0xb8, 0xe2, 0x1b, 0x11, 0xd8, + 0x19 + ], + &[0xd2] +); + +key_unwrap_test!( + kwp_ad_aes256_8bit_len_fail, + &AES_256, + WrappingMode::Padded, + &[ + 0xc3, 0x2c, 0xb3, 0xe1, 0xe4, 0x1a, 0x4b, 0x9f, 0x4d, 0xe7, 0x99, 0x89, 0x95, 0x78, 0x66, + 0xf5, 0xdd, 0x48, 0xdb, 0xa3, 0x8c, 0x22, 0xa6, 0xeb, 0xb8, 0x0e, 0x14, 0xc8, 0x4b, 0xdd, + 0x95, 0x34 + ], + &[ + 0xc2, 0x9b, 0x05, 0xc2, 0x61, 0x9a, 0x58, 0xec, 0xc1, 0xd2, 0x39, 0xe7, 0xa3, 0x42, 0x73, + 0xcd + ] +); + +key_unwrap_test!( + kwp_ad_aes256_248bit_len, + &AES_256, + WrappingMode::Padded, + &[ + 0x09, 0xab, 0x42, 0x86, 0xa8, 0x45, 0xc1, 0x8b, 0xb4, 0x81, 0xda, 0x91, 0xc3, 0x9a, 0x58, + 0xfd, 0x52, 0xed, 0x78, 0xd5, 0x49, 0x73, 0xfc, 0x41, 0xf2, 0x51, 0x63, 0xa0, 0xc3, 0x3f, + 0x47, 0x27 + ], + &[ + 0x0a, 0x18, 0x0a, 0x84, 0xb0, 0x1f, 0xc1, 0xe4, 0x4b, 0x9f, 0x93, 0x01, 0xcc, 0x89, 0xaf, + 0x95, 0xde, 0x75, 0x82, 0x19, 0x01, 0x5a, 0xbc, 0x86, 0xc3, 0xe4, 0x8e, 0x76, 0x4e, 0x73, + 0x79, 0x24, 0x6a, 0xe7, 0x20, 0x9a, 0xaa, 0x4f, 0x88, 0x9d + ], + &[ + 0x4c, 0x1b, 0x6a, 0xcc, 0xb4, 0x92, 0xc8, 0x8b, 0x10, 0xa5, 0x6a, 0x56, 0xeb, 0x9b, 0x6d, + 0x6e, 0xd9, 0x79, 0x70, 0x56, 0xa5, 0x59, 0xfe, 0x3f, 0x0c, 0x7c, 0x04, 0x29, 0xa2, 0x00, + 0xaf + ] +); + +key_unwrap_test!( + kwp_ad_aes256_248bit_len_fail, + &AES_256, + WrappingMode::Padded, + &[ + 0x8c, 0x35, 0xfb, 0x77, 0x76, 0x6d, 0x04, 0xf4, 0x8d, 0x5b, 0x52, 0x27, 0x5c, 0x5c, 0x5f, + 0x31, 0xf5, 0x68, 0x07, 0x84, 0x19, 0xe5, 0xc2, 0x33, 0x59, 0x18, 0x96, 0x5f, 0xbe, 0x53, + 0xce, 0xdd + ], + &[ + 0xba, 0xcc, 0xcb, 0x17, 0x14, 0xdb, 0xaa, 0x49, 0x08, 0xc2, 0x65, 0x4a, 0xa8, 0xdb, 0xb1, + 0xdd, 0xbd, 0xdd, 0x8a, 0xb8, 0x19, 0x42, 0x9b, 0x02, 0x66, 0x19, 0xfb, 0x1c, 0x0f, 0xa7, + 0x5a, 0x82, 0x47, 0x37, 0x2b, 0x2f, 0xee, 0xab, 0x1e, 0x1d + ] +); + +key_wrap_test!( + kw_ae_aes256_128bit_len, + &AES_256, + WrappingMode::Unpadded, + &[ + 0xf5, 0x97, 0x82, 0xf1, 0xdc, 0xeb, 0x05, 0x44, 0xa8, 0xda, 0x06, 0xb3, 0x49, 0x69, 0xb9, + 0x21, 0x2b, 0x55, 0xce, 0x6d, 0xcb, 0xdd, 0x09, 0x75, 0xa3, 0x3f, 0x4b, 0x3f, 0x88, 0xb5, + 0x38, 0xda + ], + &[ + 0x73, 0xd3, 0x30, 0x60, 0xb5, 0xf9, 0xf2, 0xeb, 0x57, 0x85, 0xc0, 0x70, 0x3d, 0xdf, 0xa7, + 0x04 + ], + &[ + 0x2e, 0x63, 0x94, 0x6e, 0xa3, 0xc0, 0x90, 0x90, 0x2f, 0xa1, 0x55, 0x83, 0x75, 0xfd, 0xb2, + 0x90, 0x77, 0x42, 0xac, 0x74, 0xe3, 0x94, 0x03, 0xfc + ] +); + +key_wrap_test!( + kw_ae_aes256_256bit_len, + &AES_256, + WrappingMode::Unpadded, + &[ + 0x8b, 0x54, 0xe6, 0xbc, 0x3d, 0x20, 0xe8, 0x23, 0xd9, 0x63, 0x43, 0xdc, 0x77, 0x6c, 0x0d, + 0xb1, 0x0c, 0x51, 0x70, 0x8c, 0xee, 0xcc, 0x9a, 0x38, 0xa1, 0x4b, 0xeb, 0x4c, 0xa5, 0xb8, + 0xb2, 0x21 + ], + &[ + 0xd6, 0x19, 0x26, 0x35, 0xc6, 0x20, 0xde, 0xe3, 0x05, 0x4e, 0x09, 0x63, 0x39, 0x6b, 0x26, + 0x0a, 0xf5, 0xc6, 0xf0, 0x26, 0x95, 0xa5, 0x20, 0x5f, 0x15, 0x95, 0x41, 0xb4, 0xbc, 0x58, + 0x4b, 0xac + ], + &[ + 0xb1, 0x3e, 0xeb, 0x76, 0x19, 0xfa, 0xb8, 0x18, 0xf1, 0x51, 0x92, 0x66, 0x51, 0x6c, 0xeb, + 0x82, 0xab, 0xc0, 0xe6, 0x99, 0xa7, 0x15, 0x3c, 0xf2, 0x6e, 0xdc, 0xb8, 0xae, 0xb8, 0x79, + 0xf4, 0xc0, 0x11, 0xda, 0x90, 0x68, 0x41, 0xfc, 0x59, 0x56 + ] +); + +key_unwrap_test!( + kw_ad_aes256_128bit_len, + &AES_256, + WrappingMode::Unpadded, + &[ + 0x80, 0xaa, 0x99, 0x73, 0x27, 0xa4, 0x80, 0x6b, 0x6a, 0x7a, 0x41, 0xa5, 0x2b, 0x86, 0xc3, + 0x71, 0x03, 0x86, 0xf9, 0x32, 0x78, 0x6e, 0xf7, 0x96, 0x76, 0xfa, 0xfb, 0x90, 0xb8, 0x26, + 0x3c, 0x5f + ], + &[ + 0x42, 0x3c, 0x96, 0x0d, 0x8a, 0x2a, 0xc4, 0xc1, 0xd3, 0x3d, 0x3d, 0x97, 0x7b, 0xf0, 0xa9, + 0x15, 0x59, 0xf9, 0x9c, 0x8a, 0xcd, 0x29, 0x3d, 0x43 + ], + &[ + 0x0a, 0x25, 0x6b, 0xa7, 0x5c, 0xfa, 0x03, 0xaa, 0xa0, 0x2b, 0xa9, 0x42, 0x03, 0xf1, 0x5b, + 0xaa + ] +); + +key_unwrap_test!( + kw_ad_aes256_128bit_len_fail, + &AES_256, + WrappingMode::Unpadded, + &[ + 0x08, 0xc9, 0x36, 0xb2, 0x5b, 0x56, 0x7a, 0x0a, 0xa6, 0x79, 0xc2, 0x9f, 0x20, 0x1b, 0xf8, + 0xb1, 0x90, 0x32, 0x7d, 0xf0, 0xc2, 0x56, 0x3e, 0x39, 0xce, 0xe0, 0x61, 0xf1, 0x49, 0xf4, + 0xd9, 0x1b + ], + &[ + 0xe2, 0x27, 0xeb, 0x8a, 0xe9, 0xd2, 0x39, 0xcc, 0xd8, 0x92, 0x8a, 0xde, 0xc3, 0x9c, 0x28, + 0x81, 0x0c, 0xa9, 0xb3, 0xdc, 0x1f, 0x36, 0x64, 0x44 + ] +); + +key_unwrap_test!( + kw_ad_aes256_256bit_len, + &AES_256, + WrappingMode::Unpadded, + &[ + 0x04, 0x9c, 0x7b, 0xcb, 0xa0, 0x3e, 0x04, 0x39, 0x5c, 0x2a, 0x22, 0xe6, 0xa9, 0x21, 0x5c, + 0xda, 0xe0, 0xf7, 0x62, 0xb0, 0x77, 0xb1, 0x24, 0x4b, 0x44, 0x31, 0x47, 0xf5, 0x69, 0x57, + 0x99, 0xfa + ], + &[ + 0x77, 0x6b, 0x1e, 0x91, 0xe9, 0x35, 0xd1, 0xf8, 0x0a, 0x53, 0x79, 0x02, 0x18, 0x6d, 0x6b, + 0x00, 0xdf, 0xc6, 0xaf, 0xc1, 0x20, 0x00, 0xf1, 0xbd, 0xe9, 0x13, 0xdf, 0x5d, 0x67, 0x40, + 0x70, 0x61, 0xdb, 0x82, 0x27, 0xfc, 0xd0, 0x89, 0x53, 0xd4 + ], + &[ + 0xe6, 0x17, 0x83, 0x1c, 0x7d, 0xb8, 0x03, 0x8f, 0xda, 0x4c, 0x59, 0x40, 0x37, 0x75, 0xc3, + 0xd4, 0x35, 0x13, 0x6a, 0x56, 0x6f, 0x35, 0x09, 0xc2, 0x73, 0xe1, 0xda, 0x1e, 0xf9, 0xf5, + 0x0a, 0xea + ] +); + +key_unwrap_test!( + kw_ad_aes256_256bit_len_fail, + &AES_256, + WrappingMode::Unpadded, + &[ + 0x3c, 0x7c, 0x55, 0x9f, 0xb9, 0x9d, 0x2e, 0x3f, 0x82, 0x80, 0xc9, 0xbe, 0x14, 0xb0, 0xf7, + 0xb6, 0x76, 0xa3, 0x20, 0x53, 0xeb, 0xa8, 0xf7, 0xaf, 0xbb, 0x43, 0x04, 0xc1, 0x17, 0xa6, + 0x50, 0x69 + ], + &[ + 0x86, 0x1b, 0x0a, 0x15, 0xbf, 0x59, 0x07, 0xb5, 0x51, 0xbc, 0x94, 0x82, 0xbc, 0x4d, 0xe3, + 0x61, 0xde, 0x64, 0x5f, 0x18, 0xf9, 0x7f, 0xd8, 0x0f, 0xff, 0xa5, 0xb9, 0x68, 0x79, 0x23, + 0x82, 0x59, 0xc6, 0x67, 0x7e, 0xb5, 0x05, 0x96, 0x20, 0x5b + ] +); + +macro_rules! wrap_input_output_invalid_test { + ($name:ident, $mode:expr, $input_len:expr, $output_len:expr) => { + #[test] + fn $name() { + let kek = KeyEncryptionKey::new(&AES_128, &[16u8; 16], $mode) + .expect("key creation successful"); + + let input_len: usize = $input_len.try_into().unwrap(); + let output_len: usize = $output_len.try_into().unwrap(); + + let input = vec![42u8; input_len]; + let mut output = vec![0u8; output_len]; + + kek.wrap(input.as_slice(), output.as_mut_slice()) + .expect_err("failure"); + } + }; +} + +// Input length < 16 +wrap_input_output_invalid_test!(wrap_input_len_less_than_min, WrappingMode::Unpadded, 15, 23); + +// Input length % 8 != 0 +wrap_input_output_invalid_test!( + wrap_input_len_not_multiple_of_eight, + WrappingMode::Unpadded, + 17, + 25 +); + +// Output length < Input length - 8 +wrap_input_output_invalid_test!(wrap_output_len_too_small, WrappingMode::Unpadded, 16, 8); + +// Input Length == 0 +wrap_input_output_invalid_test!(wrap_padded_input_len_zero, WrappingMode::Padded, 0, 8); + +macro_rules! unwrap_input_output_invalid_test { + ($name:ident, $mode:expr, $input_len:expr, $output_len:expr) => { + #[test] + fn $name() { + let kek = KeyEncryptionKey::new(&AES_128, &[16u8; 16], $mode) + .expect("key creation successful"); + + let input_len: usize = $input_len.try_into().unwrap(); + let output_len: usize = $output_len.try_into().unwrap(); + + let input = vec![42u8; input_len]; + let mut output = vec![0u8; output_len]; + + kek.unwrap(input.as_slice(), output.as_mut_slice()) + .expect_err("failure"); + } + }; +} + +// Input length < 24 +unwrap_input_output_invalid_test!( + unwrap_input_len_smaller_than_min, + WrappingMode::Unpadded, + 16, + 16 +); + +// Input length % 8 != 0 +unwrap_input_output_invalid_test!( + unwrap_input_len_not_multiple_of_eight, + WrappingMode::Unpadded, + 31, + 31 +); + +// Output length < Input length - 8 +unwrap_input_output_invalid_test!(unwrap_output_len_too_small, WrappingMode::Unpadded, 24, 15); + +// Input length < 16 (AES Block Length) +unwrap_input_output_invalid_test!( + unwrap_padded_input_len_smaller_than_min, + WrappingMode::Padded, + 15, + 15 +); + +// Output length < Input length - 8 +unwrap_input_output_invalid_test!( + unwrap_padded_output_len_too_small, + WrappingMode::Padded, + 24, + 15 +); diff --git a/aws-lc-rs/src/key_wrap/tests/fips.rs b/aws-lc-rs/src/key_wrap/tests/fips.rs new file mode 100644 index 00000000000..ce54ed9214d --- /dev/null +++ b/aws-lc-rs/src/key_wrap/tests/fips.rs @@ -0,0 +1,59 @@ +#![cfg(debug_assertions)] + +use crate::{ + fips::{assert_fips_status_indicator, FipsServiceStatus}, + key_wrap::{KeyEncryptionKey, WrappingMode, AES_128, AES_256}, +}; + +const K_128: &[u8] = &[ + 0x60, 0x43, 0xb2, 0x73, 0xe9, 0x71, 0x26, 0x5e, 0x53, 0x8a, 0x6c, 0xcd, 0x5d, 0x5a, 0x11, 0xe4, +]; + +const K_256: &[u8] = &[ + 0x15, 0x52, 0x45, 0x0c, 0x60, 0xf3, 0x10, 0xfb, 0xc8, 0x41, 0x98, 0xe5, 0xfd, 0x70, 0x7d, 0x04, + 0x8f, 0x81, 0xbf, 0x9a, 0xdc, 0x63, 0x90, 0xed, 0xe5, 0xb0, 0x4b, 0x3c, 0xe4, 0x06, 0x54, 0xba, +]; + +const P: &[u8] = &[ + 0xf2, 0x64, 0x5b, 0xa4, 0xba, 0xed, 0xa7, 0xec, 0xbc, 0x12, 0xa6, 0xad, 0x46, 0x76, 0x95, 0xa0, +]; + +macro_rules! key_wrap_test { + ($name:ident, $alg:expr, $mode:expr, $key:expr, $plaintext:expr) => { + #[test] + fn $name() { + let k = $key; + let p = $plaintext; + + let kek = KeyEncryptionKey::new($alg, k, $mode).expect("key creation successful"); + + let mut output = vec![0u8; p.len() + 15]; + + let wrapped = Vec::from(assert_fips_status_indicator!( + kek.wrap(P, &mut output).expect("wrap successful"), + FipsServiceStatus::Approved + )); + + let kek = KeyEncryptionKey::new($alg, k, $mode).expect("key creation successful"); + + let mut output = vec![ + 0u8; + if p.len() % 8 != 0 { + p.len() + (8 - (p.len() % 8)) + } else { + p.len() + } + ]; + + let _unwrapped = assert_fips_status_indicator!( + kek.unwrap(&wrapped, &mut output).expect("wrap successful"), + FipsServiceStatus::Approved + ); + } + }; +} + +key_wrap_test!(kwp_aes128, &AES_128, WrappingMode::Padded, K_128, P); +key_wrap_test!(kw_aes128, &AES_128, WrappingMode::Unpadded, K_128, P); +key_wrap_test!(kwp_aes256, &AES_256, WrappingMode::Padded, K_256, P); +key_wrap_test!(kw_aes256, &AES_256, WrappingMode::Unpadded, K_256, P); diff --git a/aws-lc-rs/src/lib.rs b/aws-lc-rs/src/lib.rs index 3e714283bf3..fa8aa4f9eff 100644 --- a/aws-lc-rs/src/lib.rs +++ b/aws-lc-rs/src/lib.rs @@ -109,6 +109,7 @@ pub mod hkdf; pub mod hmac; #[cfg(feature = "ring-io")] pub mod io; +pub mod key_wrap; pub mod pbkdf2; pub mod pkcs8; pub mod rand;