Update references to draft-irtf-cfrg-gcmsiv

It is now RFC 8452. The final RFC also has a few more test vectors, so import those too. Change-Id: Ib7667802973df7733ba981f16ef6a129cb4f62e7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59485 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
2023-05-02 15:03:45 -04:00 · 2023-05-02 15:03:45 -04:00 · 051f891b26
commit 051f891b26
parent 77b6f25935
5 changed files with 119 additions and 9 deletions
--- a/crypto/cipher_extra/test/aes_128_gcm_siv_tests.txt
+++ b/crypto/cipher_extra/test/aes_128_gcm_siv_tests.txt
@ -1,5 +1,5 @@
 # This is the example from
-# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-04#section-8
+# https://www.rfc-editor.org/rfc/rfc8452.html#section-8

 KEY: ee8e1ed9ff2540ae8f2ba9f50bc2f27c
 NONCE: 752abad3e0afb5f434dc4310
@ -9,7 +9,7 @@ CT: 5d349ead175ef6b1def6fd
 TAG: 4fbcdeb7e4793f4a1d7e4faa70100af1

 # Test vectors from
-# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-04#appendix-C
+# https://www.rfc-editor.org/rfc/rfc8452.html#appendix-C

 KEY: 01000000000000000000000000000000
 NONCE: 030000000000000000000000
@ -123,6 +123,62 @@ AD: 0100000000000000000000000000000002000000
 CT: 44d0aaf6fb2f1f34add5e8064e83e12a2ada
 TAG: bff9b2ef00fb47920cc72a0c0f13b9fd

+KEY: e66021d5eb8e4f4066d4adb9c33560e4
+NONCE: f46e44bb3da0015c94f70887
+IN: 
+AD: 
+CT: 
+TAG: a4194b79071b01a87d65f706e3949578
+
+KEY: 36864200e0eaf5284d884a0e77d31646
+NONCE: bae8e37fc83441b16034566b
+IN: 7a806c
+AD: 46bb91c3c5
+CT: af60eb
+TAG: 711bd85bc1e4d3e0a462e074eea428a8
+
+KEY: aedb64a6c590bc84d1a5e269e4b47801
+NONCE: afc0577e34699b9e671fdd4f
+IN: bdc66f146545
+AD: fc880c94a95198874296
+CT: bb93a3e34d3c
+TAG: d6a9c45545cfc11f03ad743dba20f966
+
+KEY: d5cc1fd161320b6920ce07787f86743b
+NONCE: 275d1ab32f6d1f0434d8848c
+IN: 1177441f195495860f
+AD: 046787f3ea22c127aaf195d1894728
+CT: 4f37281f7ad12949d0
+TAG: 1d02fd0cd174c84fc5dae2f60f52fd2b
+
+KEY: b3fed1473c528b8426a582995929a149
+NONCE: 9e9ad8780c8d63d0ab4149c0
+IN: 9f572c614b4745914474e7c7
+AD: c9882e5386fd9f92ec489c8fde2be2cf97e74e93
+CT: f54673c5ddf710c745641c8b
+TAG: c1dc2f871fb7561da1286e655e24b7b0
+
+KEY: 2d4ed87da44102952ef94b02b805249b
+NONCE: ac80e6f61455bfac8308a2d4
+IN: 0d8c8451178082355c9e940fea2f58
+AD: 2950a70d5a1db2316fd568378da107b52b0da55210cc1c1b0a
+CT: c9ff545e07b88a015f05b274540aa1
+TAG: 83b3449b9f39552de99dc214a1190b0b
+
+KEY: bde3b2f204d1e9f8b06bc47f9745b3d1
+NONCE: ae06556fb6aa7890bebc18fe
+IN: 6b3db4da3d57aa94842b9803a96e07fb6de7
+AD: 1860f762ebfbd08284e421702de0de18baa9c9596291b08466f37de21c7f
+CT: 6298b296e24e8cc35dce0bed484b7f30d580
+TAG: 3e377094f04709f64d7b985310a4db84
+
+KEY: f901cfe8a69615a93fdf7a98cad48179
+NONCE: 6245709fb18853f68d833640
+IN: e42a3c02c25b64869e146d7b233987bddfc240871d
+AD: 7576f7028ec6eb5ea7e298342a94d4b202b370ef9768ec6561c4fe6b7e7296fa859c21
+CT: 391cc328d484a4f46406181bcd62efd9b3ee197d05
+TAG: 2d15506c84a9edd65e13e9d24a2a6e70
+
 # Random vectors generated by the reference code.

 KEY: e66021d5eb8e4f4066d4adb9c33560e4
--- a/crypto/cipher_extra/test/aes_256_gcm_siv_tests.txt
+++ b/crypto/cipher_extra/test/aes_256_gcm_siv_tests.txt
@ -1,5 +1,5 @@
 # Test vectors from
-# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-04#appendix-C
+# https://www.rfc-editor.org/rfc/rfc8452.html#appendix-C

 KEY: 0100000000000000000000000000000000000000000000000000000000000000
 NONCE: 030000000000000000000000
@ -113,6 +113,62 @@ AD: 0100000000000000000000000000000002000000
 CT: 462401724b5ce6588d5a54aae5375513a075
 TAG: cfcdf5042112aa29685c912fc2056543

+KEY: e66021d5eb8e4f4066d4adb9c33560e4f46e44bb3da0015c94f7088736864200
+NONCE: e0eaf5284d884a0e77d31646
+IN: 
+AD: 
+CT: 
+TAG: 169fbb2fbf389a995f6390af22228a62
+
+KEY: bae8e37fc83441b16034566b7a806c46bb91c3c5aedb64a6c590bc84d1a5e269
+NONCE: e4b47801afc0577e34699b9e
+IN: 671fdd
+AD: 4fbdc66f14
+CT: 0eaccb
+TAG: 93da9bb81333aee0c785b240d319719d
+
+KEY: 6545fc880c94a95198874296d5cc1fd161320b6920ce07787f86743b275d1ab3
+NONCE: 2f6d1f0434d8848c1177441f
+IN: 195495860f04
+AD: 6787f3ea22c127aaf195
+CT: a254dad4f3f9
+TAG: 6b62b84dc40c84636a5ec12020ec8c2c
+
+KEY: d1894728b3fed1473c528b8426a582995929a1499e9ad8780c8d63d0ab4149c0
+NONCE: 9f572c614b4745914474e7c7
+IN: c9882e5386fd9f92ec
+AD: 489c8fde2be2cf97e74e932d4ed87d
+CT: 0df9e308678244c44b
+TAG: c0fd3dc6628dfe55ebb0b9fb2295c8c2
+
+KEY: a44102952ef94b02b805249bac80e6f61455bfac8308a2d40d8c845117808235
+NONCE: 5c9e940fea2f582950a70d5a
+IN: 1db2316fd568378da107b52b
+AD: 0da55210cc1c1b0abde3b2f204d1e9f8b06bc47f
+CT: 8dbeb9f7255bf5769dd56692
+TAG: 404099c2587f64979f21826706d497d5
+
+KEY: 9745b3d1ae06556fb6aa7890bebc18fe6b3db4da3d57aa94842b9803a96e07fb
+NONCE: 6de71860f762ebfbd08284e4
+IN: 21702de0de18baa9c9596291b08466
+AD: f37de21c7ff901cfe8a69615a93fdf7a98cad481796245709f
+CT: 793576dfa5c0f88729a7ed3c2f1bff
+TAG: b3080d28f6ebb5d3648ce97bd5ba67fd
+
+KEY: b18853f68d833640e42a3c02c25b64869e146d7b233987bddfc240871d7576f7
+NONCE: 028ec6eb5ea7e298342a94d4
+IN: b202b370ef9768ec6561c4fe6b7e7296fa85
+AD: 9c2159058b1f0fe91433a5bdc20e214eab7fecef4454a10ef0657df21ac7
+CT: 857e16a64915a787637687db4a9519635cdd
+TAG: 454fc2a154fea91f8363a39fec7d0a49
+
+KEY: 3c535de192eaed3822a2fbbe2ca9dfc88255e14a661b8aa82cc54236093bbc23
+NONCE: 688089e55540db1872504e1c
+IN: ced532ce4159b035277d4dfbb7db62968b13cd4eec
+AD: 734320ccc9d9bbbb19cb81b2af4ecbc3e72834321f7aa0f70b7282b4f33df23f167541
+CT: 626660c26ea6612fb17ad91e8e767639edd6c9faee
+TAG: 9d6c7029675b89eaf4ba1ded1a286594
+
 # Random vectors generated by the reference code.

 KEY: e66021d5eb8e4f4066d4adb9c33560e4f46e44bb3da0015c94f7088736864200
--- a/crypto/fipsmodule/modes/internal.h
+++ b/crypto/fipsmodule/modes/internal.h
@ -380,7 +380,7 @@ size_t CRYPTO_cts128_encrypt_block(const uint8_t *in, uint8_t *out, size_t len,
 //
 // POLYVAL is a polynomial authenticator that operates over a field very
 // similar to the one that GHASH uses. See
-// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#section-3.
+// https://www.rfc-editor.org/rfc/rfc8452.html#section-3.

 typedef union {
  uint64_t u[2];
--- a/crypto/fipsmodule/modes/polyval.c
+++ b/crypto/fipsmodule/modes/polyval.c
@ -48,7 +48,7 @@ static void reverse_and_mulX_ghash(polyval_block *b) {
 // ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
 // ByteReverse(X_n))).
 //
-// See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-A.
+// See https://www.rfc-editor.org/rfc/rfc8452.html#appendix-A.

 void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
  polyval_block H;
--- a/include/openssl/aead.h
+++ b/include/openssl/aead.h
@ -138,12 +138,10 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
 // authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);

-// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See
-// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
+// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See RFC 8452.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);

-// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See
-// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
+// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See RFC 8452.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);

 // EVP_aead_aes_128_gcm_randnonce is AES-128 in Galois Counter Mode with