ANDROID: fips140: use full 16-byte IV

By using the initial_value parameter when creating the pycryptodome
AES-CTR instance, we can use any 16-byte IV, like the other AES modes.
Therefore, there's no need for the last 4 bytes of the IV to be 0.
This doesn't really matter, but it seems nice to avoid this quirk.

Bug: 153614920
Bug: 188620248
Change-Id: If33de260b1119f2b3e004164199b08364781ab23
Signed-off-by: Eric Biggers <ebiggers@google.com>
(cherry picked from commit fa5a44b364374dd3ed53215b9edf47ffee8a1a82)

crypto/fips140-generated-testvecs.h

@@ -11,19 +11,19 @@ static const u8 fips_message[32] __initconst =
 
 static const u8 fips_aes_key[16] __initconst = "128-bit AES key";
 
-static const u8 fips_aes_iv[16] __initconst = "ABCDEFGHIJKL";
+static const u8 fips_aes_iv[16] __initconst = "ABCDEFGHIJKLMNOP";
 
 static const u8 fips_aes_cbc_ciphertext[32] __initconst =
-	"\xc4\x6d\xad\xa4\x04\x52\x11\x5a\x7a\xb3\x7c\x68\x85\x8d\x90\xf0"
+	"\x4c\x3e\xeb\x38\x8d\x1f\x28\xfd\xa2\x3b\xa9\xda\x36\xf2\x99\xe2"
-	"\x55\xc3\xd3\x35\xc1\x75\x31\x90\xdf\x90\x4b\x5a\x56\xfd\xa7\x89";
+	"\x84\x84\x66\x37\x0a\x53\x68\x2f\x17\x95\x8d\x7f\xca\x5a\x68\x4e";
 
 static const u8 fips_aes_ecb_ciphertext[32] __initconst =
 	"\xc1\x9d\xe6\xb8\xb2\x90\xff\xfe\xf2\x77\x18\xb0\x55\xd3\xee\xa9"
 	"\xe2\x6f\x4a\x32\x67\xfd\xb7\xa5\x2f\x4b\x6e\x1a\x86\x2b\x6e\x3a";
 
 static const u8 fips_aes_ctr_ciphertext[32] __initconst =
-	"\x92\xbe\x23\xa1\x80\x88\x5d\x31\x27\xb3\x9c\x40\x58\x57\x1d\xde"
+	"\xed\x06\x2c\xd0\xbc\x48\xd1\x2e\x6a\x4e\x13\xe9\xaa\x17\x40\xca"
-	"\xc1\x8d\x5b\xe7\x42\x93\x09\xf8\xd4\xf7\x49\x42\xcf\x40\x62\x7e";
+	"\x00\xb4\xaf\x3b\x4f\xee\x73\xd6\x6c\x41\xf6\x4c\x8b\x0d\x6a\x0f";
 
 static const u8 fips_aes_gcm_assoc[22] __initconst = "associated data string";
 
@@ -36,8 +36,8 @@ static const u8 fips_aes_xts_key[32] __initconst =
 	"This is an AES-128-XTS key.";
 
 static const u8 fips_aes_xts_ciphertext[32] __initconst =
-	"\x5e\xb9\x98\xd6\x26\xb3\x55\xbf\x44\xab\x3e\xae\x73\xc0\x81\xc9"
+	"\x4f\xf7\x9f\x6c\x00\xa8\x30\xdf\xff\xf3\x25\x9c\xf6\x0b\x1b\xfd"
-	"\xf4\x29\x0e\x17\x1e\xc5\xc8\x90\x79\x99\xf1\x43\x3a\x23\x08\x5a";
+	"\x3b\x34\x5e\x67\x7c\xf8\x8b\x68\x9a\xb9\x5a\x89\x51\x51\xbd\x35";
 
 static const u8 fips_hmac_key[16] __initconst = "128-bit HMAC key";
 

tools/crypto/gen_fips140_testvecs.py

@@ -28,7 +28,7 @@ scriptname = os.path.basename(__file__)
 message     = bytes('This is a 32-byte test message.\0', 'ascii')
 aes_key     = bytes('128-bit AES key\0', 'ascii')
 aes_xts_key = bytes('This is an AES-128-XTS key.\0\0\0\0\0', 'ascii')
-aes_iv      = bytes('ABCDEFGHIJKL\0\0\0\0', 'ascii')
+aes_iv      = bytes('ABCDEFGHIJKLMNOP', 'ascii')
 assoc       = bytes('associated data string', 'ascii')
 hmac_key    = bytes('128-bit HMAC key', 'ascii')
 
@@ -82,7 +82,7 @@ def generate_aes_testvecs():
     print_value('aes_ecb_ciphertext', ecb.encrypt(message))
 
     ctr = Cryptodome.Cipher.AES.new(aes_key, Cryptodome.Cipher.AES.MODE_CTR,
-                                    nonce=aes_iv[:12])
+                                    nonce=bytes(), initial_value=aes_iv)
     print_value('aes_ctr_ciphertext', ctr.encrypt(message))
 
     print_value('aes_gcm_assoc', assoc)