Add crypto/fipsoracle.

This CL adds utility code to process NIST CAVP test vectors using the
existing FileTest code.

Also add binaries for processing AESAVS (AES) and GCMVS (AES-GCM) vector
files.

Change-Id: I8e5ebf751d7d4b5504bbb52f3e087b0065babbe0
Reviewed-on: https://boringssl-review.googlesource.com/15484
Reviewed-by: Adam Langley <agl@google.com>

crypto/CMakeLists.txt

@@ -122,6 +122,7 @@ add_subdirectory(pkcs8)
 add_subdirectory(test)
 
 add_subdirectory(fipsmodule)
+add_subdirectory(fipsoracle)
 
 add_library(
   crypto_base

crypto/fipsoracle/CMakeLists.txt

@@ -0,0 +1,24 @@
+include_directories(../../include)
+
+if (FIPS)
+  add_executable(
+    cavp_aes_test
+
+    cavp_aes_test.cc
+    cavp_test_util.h
+    cavp_test_util.cc
+    $<TARGET_OBJECTS:test_support>
+  )
+
+  add_executable(
+    cavp_aes_gcm_test
+
+    cavp_aes_gcm_test.cc
+    cavp_test_util.h
+    cavp_test_util.cc
+    $<TARGET_OBJECTS:test_support>
+  )
+
+  target_link_libraries(cavp_aes_test crypto)
+  target_link_libraries(cavp_aes_gcm_test crypto)
+endif()

crypto/fipsoracle/cavp_aes_gcm_test.cc

@@ -0,0 +1,211 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// cavp_aes_gcm_test processes a NIST CAVP AES GCM test vector request file and
+// emits the corresponding response. An optional sample vector file can be
+// passed to verify the result.
+
+#include <stdlib.h>
+
+#include <openssl/aead.h>
+#include <openssl/cipher.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include "../test/file_test.h"
+#include "cavp_test_util.h"
+
+
+struct TestCtx {
+  const EVP_AEAD *aead;
+  std::unique_ptr<FileTest> response_sample;
+};
+
+static const EVP_AEAD *GetAEAD(const std::string &name, const bool enc) {
+  if (name == "aes-128-gcm") {
+    return EVP_aead_aes_128_gcm_fips_testonly();
+  } else if (name == "aes-256-gcm") {
+    return EVP_aead_aes_256_gcm_fips_testonly();
+  }
+  return nullptr;
+}
+
+static bool TestAEADEncrypt(FileTest *t, void *arg) {
+  TestCtx *ctx = reinterpret_cast<TestCtx *>(arg);
+
+  std::string key_len_str, iv_len_str, pt_len_str, aad_len_str, tag_len_str;
+  if (!t->GetInstruction(&key_len_str, "Keylen") ||
+      !t->GetInstruction(&iv_len_str, "IVlen") ||
+      !t->GetInstruction(&pt_len_str, "PTlen") ||
+      !t->GetInstruction(&aad_len_str, "AADlen") ||
+      !t->GetInstruction(&tag_len_str, "Taglen")) {
+    return false;
+  }
+
+  std::string count;
+  std::vector<uint8_t> key, iv, pt, aad, tag, ct;
+  if (!t->GetAttribute(&count, "Count") ||
+      !t->GetBytes(&key, "Key") ||
+      !t->GetBytes(&aad, "AAD") ||
+      !t->GetBytes(&pt, "PT") ||
+      key.size() * 8 != strtoul(key_len_str.c_str(), nullptr, 0) ||
+      pt.size() * 8 != strtoul(pt_len_str.c_str(), nullptr, 0) ||
+      aad.size() * 8 != strtoul(aad_len_str.c_str(), nullptr, 0)) {
+    return false;
+  }
+
+  size_t tag_len = strtoul(tag_len_str.c_str(), nullptr, 0) / 8;
+  if (!AEADEncrypt(ctx->aead, &ct, &tag, tag_len, key, pt, aad, &iv)) {
+    return false;
+  }
+  printf("%s", t->CurrentTestToString().c_str());
+  printf("IV = %s\r\n", EncodeHex(iv.data(), iv.size()).c_str());
+  printf("CT = %s\r\n", EncodeHex(ct.data(), ct.size()).c_str());
+  printf("Tag = %s\r\n\r\n", EncodeHex(tag.data(), tag.size()).c_str());
+
+  // Check if sample response file matches.
+  if (ctx->response_sample) {
+    ctx->response_sample->ReadNext();
+    std::string expected_count;
+    std::vector<uint8_t> expected_iv, expected_ct, expected_tag;
+    if (!ctx->response_sample->GetAttribute(&expected_count, "Count") ||
+        count != expected_count ||
+        !ctx->response_sample->GetBytes(&expected_iv, "IV") ||
+        !t->ExpectBytesEqual(expected_iv.data(), expected_iv.size(), iv.data(),
+                             iv.size()) ||
+        !ctx->response_sample->GetBytes(&expected_ct, "CT") ||
+        !t->ExpectBytesEqual(expected_ct.data(), expected_ct.size(), ct.data(),
+                             ct.size()) ||
+        !ctx->response_sample->GetBytes(&expected_tag, "Tag") ||
+        !t->ExpectBytesEqual(expected_tag.data(), expected_tag.size(),
+                             tag.data(), tag.size())) {
+      t->PrintLine("result doesn't match");
+      return false;
+    }
+  }
+
+  return true;
+}
+
+static bool TestAEADDecrypt(FileTest *t, void *arg) {
+  TestCtx *ctx = reinterpret_cast<TestCtx *>(arg);
+
+  std::string key_len, iv_len, pt_len_str, aad_len_str, tag_len;
+  if (!t->GetInstruction(&key_len, "Keylen") ||
+      !t->GetInstruction(&iv_len, "IVlen") ||
+      !t->GetInstruction(&pt_len_str, "PTlen") ||
+      !t->GetInstruction(&aad_len_str, "AADlen") ||
+      !t->GetInstruction(&tag_len, "Taglen")) {
+    t->PrintLine("Invalid instruction block.");
+    return false;
+  }
+  size_t aad_len = strtoul(aad_len_str.c_str(), nullptr, 0) / 8;
+  size_t pt_len = strtoul(pt_len_str.c_str(), nullptr, 0) / 8;
+
+  std::string count;
+  std::vector<uint8_t> key, iv, ct, aad, tag, pt;
+  if (!t->GetAttribute(&count, "Count") ||
+      !t->GetBytes(&key, "Key") ||
+      !t->GetBytes(&aad, "AAD") ||
+      !t->GetBytes(&tag, "Tag") ||
+      !t->GetBytes(&iv, "IV") ||
+      !t->GetBytes(&ct, "CT") ||
+      key.size() * 8 != strtoul(key_len.c_str(), nullptr, 0) ||
+      iv.size() * 8 != strtoul(iv_len.c_str(), nullptr, 0) ||
+      ct.size() != pt_len ||
+      aad.size() != aad_len ||
+      tag.size() * 8 != strtoul(tag_len.c_str(), nullptr, 0)) {
+    t->PrintLine("Invalid test case");
+    return false;
+  }
+
+  printf("%s", t->CurrentTestToString().c_str());
+  bool aead_result =
+      AEADDecrypt(ctx->aead, &pt, &aad, pt_len, aad_len, key, ct, tag, iv);
+  if (aead_result) {
+    printf("PT = %s\r\n\r\n", EncodeHex(pt.data(), pt.size()).c_str());
+  } else {
+    printf("FAIL\r\n\r\n");
+  }
+
+  // Check if sample response file matches.
+  if (ctx->response_sample) {
+    ctx->response_sample->ReadNext();
+    std::string expected_count;
+    std::vector<uint8_t> expected_pt;
+    if (!ctx->response_sample->GetAttribute(&expected_count, "Count") ||
+        count != expected_count ||
+        (!aead_result && (ctx->response_sample->HasAttribute("PT") ||
+                          !ctx->response_sample->HasAttribute("FAIL"))) ||
+        (aead_result &&
+         (ctx->response_sample->HasAttribute("FAIL") ||
+          !ctx->response_sample->GetBytes(&expected_pt, "PT") ||
+          !t->ExpectBytesEqual(expected_pt.data(), expected_pt.size(),
+                               pt.data(), pt.size())))) {
+      t->PrintLine("result doesn't match");
+      return false;
+    }
+  }
+
+  return true;
+}
+
+static int usage(char *arg) {
+  fprintf(stderr,
+          "usage: %s (enc|dec) <cipher> <test file> [<sample response file>]\n",
+          arg);
+  return 1;
+}
+
+int main(int argc, char **argv) {
+  CRYPTO_library_init();
+
+  if (argc < 4 || argc > 5) {
+    return usage(argv[0]);
+  }
+
+  const std::string mode(argv[1]);
+  bool (*test_fn)(FileTest * t, void *arg);
+  if (mode == "enc") {
+    test_fn = &TestAEADEncrypt;
+  } else if (mode == "dec") {
+    test_fn = &TestAEADDecrypt;
+  } else {
+    return usage(argv[0]);
+  }
+
+  const EVP_AEAD *aead = GetAEAD(argv[2], mode == "enc");
+  if (aead == nullptr) {
+    fprintf(stderr, "invalid aead: %s\n", argv[2]);
+    return 1;
+  }
+
+  TestCtx ctx = {aead, nullptr};
+
+  if (argc == 5) {
+    ctx.response_sample.reset(new FileTest(argv[4]));
+    if (!ctx.response_sample->is_open()) {
+      return 1;
+    }
+    ctx.response_sample->SetIgnoreUnusedAttributes(true);
+  }
+
+  printf("# Generated by");
+  for (int i = 0; i < argc; i++) {
+    printf(" %s", argv[i]);
+  }
+  printf("\n\n");
+
+  return FileTestMainSilent(test_fn, &ctx, argv[3]);
+}

crypto/fipsoracle/cavp_aes_test.cc

@@ -0,0 +1,135 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// cavp_aes_test processes a NIST CAVP AES test vector request file and emits
+// the corresponding response. An optional sample vector file can be passed to
+// verify the result.
+
+#include <stdlib.h>
+
+#include <openssl/cipher.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include "../test/file_test.h"
+#include "cavp_test_util.h"
+
+
+struct TestCtx {
+  const EVP_CIPHER *cipher;
+  std::unique_ptr<FileTest> response_sample;
+  bool has_iv;
+};
+
+static bool TestCipher(FileTest *t, void *arg) {
+  TestCtx *ctx = reinterpret_cast<TestCtx *>(arg);
+
+  if (t->HasInstruction("ENCRYPT") == t->HasInstruction("DECRYPT")) {
+    t->PrintLine("Want either ENCRYPT or DECRYPT");
+    return false;
+  }
+  enum {
+    kEncrypt,
+    kDecrypt,
+  } operation = t->HasInstruction("ENCRYPT") ? kEncrypt : kDecrypt;
+
+  std::string count;
+  std::vector<uint8_t> key, iv, in, result;
+  if (!t->GetAttribute(&count, "COUNT") ||
+      !t->GetBytes(&key, "KEY") ||
+      (ctx->has_iv && !t->GetBytes(&iv, "IV"))) {
+    return false;
+  }
+
+  const EVP_CIPHER *cipher = ctx->cipher;
+  if (operation == kEncrypt) {
+    if (!t->GetBytes(&in, "PLAINTEXT") ||
+        !CipherOperation(cipher, &result, true /* encrypt */, key, iv, in)) {
+      return false;
+    }
+    printf("%sCIPHERTEXT = %s\r\n\r\n", t->CurrentTestToString().c_str(),
+           EncodeHex(result.data(), result.size()).c_str());
+  } else {
+    if (!t->GetBytes(&in, "CIPHERTEXT") ||
+        !CipherOperation(cipher, &result, false /* decrypt */, key, iv, in)) {
+      return false;
+    }
+    printf("%sPLAINTEXT = %s\r\n\r\n", t->CurrentTestToString().c_str(),
+           EncodeHex(result.data(), result.size()).c_str());
+  }
+
+  // Check if sample response file matches.
+  if (ctx->response_sample) {
+    if (ctx->response_sample->ReadNext() != FileTest::kReadSuccess) {
+      t->PrintLine("invalid sample file");
+      return false;
+    }
+    std::string expected_count;
+    std::vector<uint8_t> expected_result;
+    if (!ctx->response_sample->GetAttribute(&expected_count, "COUNT") ||
+        count != expected_count ||
+        (operation == kEncrypt &&
+         (!ctx->response_sample->GetBytes(&expected_result, "CIPHERTEXT") ||
+          !t->ExpectBytesEqual(expected_result.data(), expected_result.size(),
+                               result.data(), result.size()))) ||
+        (operation == kDecrypt &&
+         (!ctx->response_sample->GetBytes(&expected_result, "PLAINTEXT") ||
+          !t->ExpectBytesEqual(expected_result.data(), expected_result.size(),
+                               result.data(), result.size())))) {
+      t->PrintLine("result doesn't match");
+      return false;
+    }
+  }
+
+  return true;
+}
+
+int main(int argc, char **argv) {
+  CRYPTO_library_init();
+
+  if (argc < 3 || argc > 4) {
+    fprintf(stderr, "usage: %s <cipher> <test file> [<sample response file>]\n",
+            argv[0]);
+    return 1;
+  }
+
+  const EVP_CIPHER *cipher = GetCipher(argv[1]);
+  if (cipher == nullptr) {
+    fprintf(stderr, "invalid cipher: %s\n", argv[1]);
+    return 1;
+  }
+  const std::string cipher_name(argv[1]);
+  const bool has_iv =
+      (cipher_name != "aes-128-ecb" &&
+       cipher_name != "aes-192-ecb" &&
+       cipher_name != "aes-256-ecb");
+
+  TestCtx ctx = {cipher, nullptr, has_iv};
+
+  if (argc == 4) {
+    ctx.response_sample.reset(new FileTest(argv[3]));
+    if (!ctx.response_sample->is_open()) {
+      return 1;
+    }
+    ctx.response_sample->SetIgnoreUnusedAttributes(true);
+  }
+
+  printf("# Generated by");
+  for (int i = 0; i < argc; i++) {
+    printf(" %s", argv[i]);
+  }
+  printf("\r\n\r\n");
+
+  return FileTestMainSilent(TestCipher, &ctx, argv[2]);
+}

crypto/fipsoracle/cavp_test_util.cc

@@ -0,0 +1,156 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "cavp_test_util.h"
+
+
+std::string EncodeHex(const uint8_t *in, size_t in_len) {
+  static const char kHexDigits[] = "0123456789abcdef";
+  std::string ret;
+  ret.reserve(in_len * 2);
+  for (size_t i = 0; i < in_len; i++) {
+    ret += kHexDigits[in[i] >> 4];
+    ret += kHexDigits[in[i] & 0xf];
+  }
+  return ret;
+}
+
+const EVP_CIPHER *GetCipher(const std::string &name) {
+  if (name == "des-cbc") {
+    return EVP_des_cbc();
+  } else if (name == "des-ecb") {
+    return EVP_des_ecb();
+  } else if (name == "des-ede") {
+    return EVP_des_ede();
+  } else if (name == "des-ede3") {
+    return EVP_des_ede3();
+  } else if (name == "des-ede-cbc") {
+    return EVP_des_ede_cbc();
+  } else if (name == "des-ede3-cbc") {
+    return EVP_des_ede3_cbc();
+  } else if (name == "rc4") {
+    return EVP_rc4();
+  } else if (name == "aes-128-ecb") {
+    return EVP_aes_128_ecb();
+  } else if (name == "aes-256-ecb") {
+    return EVP_aes_256_ecb();
+  } else if (name == "aes-128-cbc") {
+    return EVP_aes_128_cbc();
+  } else if (name == "aes-128-gcm") {
+    return EVP_aes_128_gcm();
+  } else if (name == "aes-128-ofb") {
+    return EVP_aes_128_ofb();
+  } else if (name == "aes-192-cbc") {
+    return EVP_aes_192_cbc();
+  } else if (name == "aes-192-ctr") {
+    return EVP_aes_192_ctr();
+  } else if (name == "aes-192-ecb") {
+    return EVP_aes_192_ecb();
+  } else if (name == "aes-256-cbc") {
+    return EVP_aes_256_cbc();
+  } else if (name == "aes-128-ctr") {
+    return EVP_aes_128_ctr();
+  } else if (name == "aes-256-ctr") {
+    return EVP_aes_256_ctr();
+  } else if (name == "aes-256-gcm") {
+    return EVP_aes_256_gcm();
+  } else if (name == "aes-256-ofb") {
+    return EVP_aes_256_ofb();
+  }
+  return nullptr;
+}
+
+bool CipherOperation(const EVP_CIPHER *cipher, std::vector<uint8_t> *out,
+                     bool encrypt, const std::vector<uint8_t> &key,
+                     const std::vector<uint8_t> &iv,
+                     const std::vector<uint8_t> &in) {
+  bssl::ScopedEVP_CIPHER_CTX ctx;
+  if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
+                         encrypt ? 1 : 0)) {
+    return false;
+  }
+  if (!iv.empty() && iv.size() != EVP_CIPHER_CTX_iv_length(ctx.get())) {
+    return false;
+  }
+
+  int result_len1 = 0, result_len2;
+  *out = std::vector<uint8_t>(in.size());
+  if (!EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()) ||
+      !EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key.data(), iv.data(),
+                         -1) ||
+      !EVP_CIPHER_CTX_set_padding(ctx.get(), 0) ||
+      !EVP_CipherUpdate(ctx.get(), out->data(), &result_len1, in.data(),
+                        in.size()) ||
+      !EVP_CipherFinal_ex(ctx.get(), out->data() + result_len1, &result_len2)) {
+    return false;
+  }
+  out->resize(result_len1 + result_len2);
+
+  return true;
+}
+
+bool AEADEncrypt(const EVP_AEAD *aead, std::vector<uint8_t> *ct,
+                 std::vector<uint8_t> *tag, size_t tag_len,
+                 const std::vector<uint8_t> &key,
+                 const std::vector<uint8_t> &pt,
+                 const std::vector<uint8_t> &aad, std::vector<uint8_t> *iv) {
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
+                                        tag->size(), evp_aead_seal)) {
+    return false;
+  }
+
+  std::vector<uint8_t> out;
+  out.resize(pt.size() + EVP_AEAD_max_overhead(aead));
+  size_t out_len;
+  if (!EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
+                         nullptr /* iv */, 0 /* iv_len */, pt.data(), pt.size(),
+                         aad.data(), aad.size())) {
+    return false;
+  }
+
+  static const size_t iv_len = EVP_AEAD_nonce_length(aead);
+  iv->assign(out.begin(), out.begin() + iv_len);
+  ct->assign(out.begin() + iv_len, out.end() - tag_len);
+  tag->assign(out.end() - tag_len, out.end());
+
+  return true;
+}
+
+bool AEADDecrypt(const EVP_AEAD *aead, std::vector<uint8_t> *pt,
+                 std::vector<uint8_t> *aad, size_t pt_len, size_t aad_len,
+                 const std::vector<uint8_t> &key,
+                 const std::vector<uint8_t> &ct,
+                 const std::vector<uint8_t> &tag, std::vector<uint8_t> &iv) {
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
+                                        tag.size(), evp_aead_open)) {
+    return false;
+  }
+  std::vector<uint8_t> in = iv;
+  in.reserve(in.size() + ct.size() + tag.size());
+  in.insert(in.end(), ct.begin(), ct.end());
+  in.insert(in.end(), tag.begin(), tag.end());
+
+  pt->resize(pt_len);
+  aad->resize(aad_len);
+  size_t out_pt_len;
+  if (!EVP_AEAD_CTX_open(ctx.get(), pt->data(), &out_pt_len, pt->size(),
+                         nullptr /* iv */, 0 /* iv_len */, in.data(), in.size(),
+                         aad->data(), aad->size()) ||
+      out_pt_len != pt_len) {
+    return false;
+  }
+  return true;
+}

crypto/fipsoracle/cavp_test_util.h

@@ -0,0 +1,48 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_CAVP_TEST_UTIL_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_CAVP_TEST_UTIL_H
+
+#include <stdlib.h>
+#include <string>
+#include <vector>
+
+#include <openssl/aead.h>
+#include <openssl/cipher.h>
+
+
+std::string EncodeHex(const uint8_t *in, size_t in_len);
+
+const EVP_CIPHER *GetCipher(const std::string &name);
+
+bool CipherOperation(const EVP_CIPHER *cipher, std::vector<uint8_t> *out,
+                     bool encrypt, const std::vector<uint8_t> &key,
+                     const std::vector<uint8_t> &iv,
+                     const std::vector<uint8_t> &in);
+
+bool AEADEncrypt(const EVP_AEAD *aead, std::vector<uint8_t> *ct,
+                 std::vector<uint8_t> *tag, size_t tag_len,
+                 const std::vector<uint8_t> &key,
+                 const std::vector<uint8_t> &pt,
+                 const std::vector<uint8_t> &aad, std::vector<uint8_t> *iv);
+
+bool AEADDecrypt(const EVP_AEAD *aead, std::vector<uint8_t> *pt,
+                 std::vector<uint8_t> *aad, size_t pt_len, size_t aad_len,
+                 const std::vector<uint8_t> &key,
+                 const std::vector<uint8_t> &ct,
+                 const std::vector<uint8_t> &tag, std::vector<uint8_t> &iv);
+
+
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_CAVP_TEST_UTIL_H

crypto/test/file_test.cc

@@ -14,6 +14,7 @@
 
 #include "file_test.h"
 
+#include <algorithm>
 #include <memory>
 
 #include <ctype.h>
@@ -60,26 +61,46 @@ static std::string StripSpace(const char *str, size_t len) {
     str++;
     len--;
   }
-  while (len > 0 && isspace(str[len-1])) {
+  while (len > 0 && isspace(str[len - 1])) {
     len--;
   }
   return std::string(str, len);
 }
 
+static std::pair<std::string, std::string> ParseKeyValue(const char *str, const size_t len) {
+  const char *delimiter = FindDelimiter(str);
+  std::string key, value;
+  if (delimiter == nullptr) {
+    key = StripSpace(str, len);
+  } else {
+    key = StripSpace(str, delimiter - str);
+    value = StripSpace(delimiter + 1, str + len - delimiter - 1);
+  }
+  return {key, value};
+}
+
 FileTest::ReadResult FileTest::ReadNext() {
-  // If the previous test had unused attributes, it is an error.
-  if (!unused_attributes_.empty()) {
+  // If the previous test had unused attributes or instructions, it is an error.
+  if (!unused_attributes_.empty() && !ignore_unused_attributes_) {
     for (const std::string &key : unused_attributes_) {
       PrintLine("Unused attribute: %s", key.c_str());
     }
     return kReadError;
   }
+  if (!unused_instructions_.empty() && !ignore_unused_attributes_) {
+    for (const std::string &key : unused_instructions_) {
+      PrintLine("Unused instruction: %s", key.c_str());
+    }
+    return kReadError;
+  }
 
   ClearTest();
 
-  static const size_t kBufLen = 64 + 8192*2;
+  static const size_t kBufLen = 64 + 8192 * 2;
   std::unique_ptr<char[]> buf(new char[kBufLen]);
 
+  bool in_instruction_block = false;
+
   while (true) {
     // Read the next line.
     if (fgets(buf.get(), kBufLen, file_) == nullptr) {
@@ -99,21 +120,51 @@ FileTest::ReadResult FileTest::ReadNext() {
       return kReadError;
     }
 
-    if (buf[0] == '\n' || buf[0] == '\0') {
+    if (buf[0] == '\n' || buf[0] == '\r' || buf[0] == '\0') {
       // Empty lines delimit tests.
       if (start_line_ > 0) {
         return kReadSuccess;
       }
+      if (in_instruction_block) {
+        in_instruction_block = false;
+        // Delimit instruction block from test with a blank line.
+        current_test_ += "\r\n";
+      }
+    } else if (buf[0] == '[') {  // Inside an instruction block.
+      if (start_line_ != 0) {
+        // Instructions should be separate blocks.
+        fprintf(stderr, "Line %u is an instruction in a test case.\n", line_);
+        return kReadError;
+      }
+      if (!in_instruction_block) {
+        ClearInstructions();
+        in_instruction_block = true;
+      }
+
+      // Parse the line as an instruction ("[key = value]" or "[key]").
+      std::string kv = StripSpace(buf.get(), len);
+      if (kv[kv.size() - 1] != ']') {
+        fprintf(stderr, "Line %u, invalid instruction: %s\n", line_,
+                kv.c_str());
+        return kReadError;
+      }
+      current_test_ += kv + "\r\n";
+      kv = std::string(kv.begin() + 1, kv.end() - 1);
+
+      std::string key, value;
+      std::tie(key, value) = ParseKeyValue(kv.c_str(), kv.size());
+      instructions_[key] = value;
     } else if (buf[0] != '#') {  // Comment lines are ignored.
-      // Parse the line as an attribute.
-      const char *delimiter = FindDelimiter(buf.get());
-      if (delimiter == nullptr) {
-        fprintf(stderr, "Line %u: Could not parse attribute.\n", line_);
+      if (in_instruction_block) {
+        // Test cases should be separate blocks.
+        fprintf(stderr, "Line %u is a test case attribute in an instruction block.\n",
+                line_);
         return kReadError;
       }
-      std::string key = StripSpace(buf.get(), delimiter - buf.get());
-      std::string value = StripSpace(delimiter + 1,
-                                     buf.get() + len - delimiter - 1);
+
+      current_test_ += std::string(buf.get(), len);
+      std::string key, value;
+      std::tie(key, value) = ParseKeyValue(buf.get(), len);
 
       unused_attributes_.insert(key);
       attributes_[key] = value;
@@ -122,6 +173,9 @@ FileTest::ReadResult FileTest::ReadNext() {
         type_ = key;
         parameter_ = value;
         start_line_ = line_;
+        for (const auto &kv : instructions_) {
+          unused_instructions_.insert(kv.first);
+        }
       }
     }
   }
@@ -171,6 +225,26 @@ const std::string &FileTest::GetAttributeOrDie(const std::string &key) {
   return attributes_[key];
 }
 
+bool FileTest::HasInstruction(const std::string &key) {
+  OnInstructionUsed(key);
+  return instructions_.count(key) > 0;
+}
+
+bool FileTest::GetInstruction(std::string *out_value, const std::string &key) {
+  OnInstructionUsed(key);
+  auto iter = instructions_.find(key);
+  if (iter == instructions_.end()) {
+    PrintLine("Missing instruction '%s'.", key.c_str());
+    return false;
+  }
+  *out_value = iter->second;
+  return true;
+}
+
+const std::string &FileTest::CurrentTestToString() const {
+  return current_test_;
+}
+
 static bool FromHexDigit(uint8_t *out, char c) {
   if ('0' <= c && c <= '9') {
     *out = c - '0';
@@ -206,7 +280,7 @@ bool FileTest::GetBytes(std::vector<uint8_t> *out, const std::string &key) {
   out->reserve(value.size() / 2);
   for (size_t i = 0; i < value.size(); i += 2) {
     uint8_t hi, lo;
-    if (!FromHexDigit(&hi, value[i]) || !FromHexDigit(&lo, value[i+1])) {
+    if (!FromHexDigit(&hi, value[i]) || !FromHexDigit(&lo, value[i + 1])) {
       PrintLine("Error decoding value: %s", value.c_str());
       return false;
     }
@@ -246,14 +320,28 @@ void FileTest::ClearTest() {
   parameter_.clear();
   attributes_.clear();
   unused_attributes_.clear();
+  current_test_ = "";
+}
+
+void FileTest::ClearInstructions() {
+  instructions_.clear();
+  unused_attributes_.clear();
 }
 
 void FileTest::OnKeyUsed(const std::string &key) {
   unused_attributes_.erase(key);
 }
 
-int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
-                 const char *path) {
+void FileTest::OnInstructionUsed(const std::string &key) {
+  unused_instructions_.erase(key);
+}
+
+void FileTest::SetIgnoreUnusedAttributes(bool ignore) {
+  ignore_unused_attributes_ = ignore;
+}
+
+int FileTestMainSilent(bool (*run_test)(FileTest *t, void *arg), void *arg,
+                       const char *path) {
   FileTest t(path);
   if (!t.is_open()) {
     return 1;
@@ -278,8 +366,8 @@ int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
       uint32_t err = ERR_peek_error();
       if (ERR_reason_error_string(err) != t.GetAttributeOrDie("Error")) {
         t.PrintLine("Unexpected error; wanted '%s', got '%s'.",
-                     t.GetAttributeOrDie("Error").c_str(),
-                     ERR_reason_error_string(err));
+                    t.GetAttributeOrDie("Error").c_str(),
+                    ERR_reason_error_string(err));
         failed = true;
         ERR_clear_error();
         continue;
@@ -295,10 +383,14 @@ int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
     }
   }
 
-  if (failed) {
-    return 1;
-  }
+  return failed ? 1 : 0;
+}
 
-  printf("PASS\n");
-  return 0;
+int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
+                 const char *path) {
+  int result = FileTestMainSilent(run_test, arg, path);
+  if (!result) {
+    printf("PASS\n");
+  }
+  return result;
 }

crypto/test/file_test.h

@@ -21,11 +21,11 @@
 #include <stdio.h>
 
 OPENSSL_MSVC_PRAGMA(warning(push))
-OPENSSL_MSVC_PRAGMA(warning(disable: 4702))
+OPENSSL_MSVC_PRAGMA(warning(disable : 4702))
 
-#include <string>
 #include <map>
 #include <set>
+#include <string>
 #include <vector>
 
 OPENSSL_MSVC_PRAGMA(warning(pop))
@@ -33,31 +33,46 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 // File-based test framework.
 //
 // This module provides a file-based test framework. The file format is based on
-// that of OpenSSL upstream's evp_test and BoringSSL's aead_test. Each input
-// file is a sequence of attributes and blank lines.
+// that of OpenSSL upstream's evp_test and BoringSSL's aead_test. NIST CAVP test
+// vector files are also supported. Each input file is a sequence of attributes,
+// instructions and blank lines.
 //
 // Each attribute has the form:
 //
 //   Name = Value
 //
+// Instructions are enclosed in square brackets and may appear without a value:
+//
+//   [Name = Value]
+//
+// or
+//
+//   [Name]
+//
 // Either '=' or ':' may be used to delimit the name from the value. Both the
 // name and value have leading and trailing spaces stripped.
 //
-// Lines beginning with # are ignored.
+// Each file contains a number of instruction blocks and test cases.
+//
+// An instruction block is a sequence of instructions followed by a blank line.
+// Instructions apply to all test cases following its appearance, until the next
+// instruction block. Instructions are unordered.
+//
+// A test is a sequence of one or more attributes followed by a blank line.  For
+// tests that process multiple kinds of test cases, the first attribute is
+// parsed out as the test's type and parameter. Otherwise, attributes are
+// unordered. The first attribute is also included in the set of attributes, so
+// tests which do not dispatch may ignore this mechanism.
 //
-// A test is a sequence of one or more attributes followed by a blank line.
-// Blank lines are otherwise ignored. For tests that process multiple kinds of
-// test cases, the first attribute is parsed out as the test's type and
-// parameter. Otherwise, attributes are unordered. The first attribute is also
-// included in the set of attributes, so tests which do not dispatch may ignore
-// this mechanism.
+// Additional blank lines and lines beginning with # are ignored.
 //
 // Functions in this module freely output to |stderr| on failure. Tests should
 // also do so, and it is recommended they include the corresponding test's line
 // number in any output. |PrintLine| does this automatically.
 //
-// Each attribute in a test must be consumed. When a test completes, if any
-// attributes haven't been processed, the framework reports an error.
+// Each attribute in a test and all instructions applying to it must be
+// consumed. When a test completes, if any attributes or insturctions haven't
+// been processed, the framework reports an error.
 
 
 class FileTest {
@@ -115,9 +130,28 @@ class FileTest {
   bool ExpectBytesEqual(const uint8_t *expected, size_t expected_len,
                         const uint8_t *actual, size_t actual_len);
 
+  // HasInstruction returns true if the current test has an instruction.
+  bool HasInstruction(const std::string &key);
+
+  // GetInstruction looks up the instruction with key |key|. It sets
+  // |*out_value| to the value (empty string if the instruction has no value)
+  // and returns true if it exists and returns false with an error to |stderr|
+  // otherwise.
+  bool GetInstruction(std::string *out_value, const std::string &key);
+
+  // CurrentTestToString returns the file content parsed for the current test.
+  // If the current test was preceded by an instruction block, the return test
+  // case is preceded by the instruction block and a single blank line. All
+  // other blank or comment lines are omitted.
+  const std::string &CurrentTestToString() const;
+
+  void SetIgnoreUnusedAttributes(bool ignore);
+
  private:
   void ClearTest();
+  void ClearInstructions();
   void OnKeyUsed(const std::string &key);
+  void OnInstructionUsed(const std::string &key);
 
   FILE *file_ = nullptr;
   // line_ is the number of lines read.
@@ -131,12 +165,21 @@ class FileTest {
   std::string parameter_;
   // attributes_ contains all attributes in the test, including the first.
   std::map<std::string, std::string> attributes_;
+  // instructions_ contains all instructions in scope for the test.
+  std::map<std::string, std::string> instructions_;
 
-  // unused_attributes_ is the set of attributes that have been queried.
+  // unused_attributes_ is the set of attributes that have not been queried.
   std::set<std::string> unused_attributes_;
 
-  FileTest(const FileTest&) = delete;
-  FileTest &operator=(const FileTest&) = delete;
+  // unused_instructions_ is the set of instructions that have not been queried.
+  std::set<std::string> unused_instructions_;
+
+  std::string current_test_;
+
+  bool ignore_unused_attributes_ = false;
+
+  FileTest(const FileTest &) = delete;
+  FileTest &operator=(const FileTest &) = delete;
 };
 
 // FileTestMain runs a file-based test out of |path| and returns an exit code
@@ -153,5 +196,9 @@ class FileTest {
 int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
                  const char *path);
 
+// FileTestMainSilent behaves like FileTestMain but does not print a final
+// FAIL/PASS message to stdout.
+int FileTestMainSilent(bool (*run_test)(FileTest *t, void *arg), void *arg,
+                       const char *path);
 
 #endif /* OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H */