ANDROID: fips140: add AES-CBC-CTS

AES-CBC-CTS is a FIPS allowed algorithm, and fips140.ko already has
arm64 implementations of it.  Meanwhile, GKI includes both these arm64
implementations as well as the "cts" template.  Add the "cts" template
to fips140.ko too and add a self-test for AES-CBC-CTS, so that we can
include AES-CBC-CTS in the set of algorithms which will be certified.

There appears to be no support for CBC-CTS mode in pycryptodome or
python-cryptography, so I manually added the test vector.

As with a number of the other algorithms, the criteria for which
algorithms need to be in the certified set are still not particularly
clear, but the latest guidance we've received is to err on the side of
including algorithms.  Android uses AES-CBC-CTS for filename
encryption, which may be relevant (though arguably this use case doesn't
actually require a FIPS approved algorithm).

Bug: 153614920
Bug: 188620248
Change-Id: I53ffbd1d38493592eeaf471bc0007978ec400878
Signed-off-by: Eric Biggers <ebiggers@google.com>
(cherry picked from commit e2cfdfbc51b442a9ca96d5fad8060fb02a364eb4)
Eric Biggers 2021-08-04 17:21:58 -07:00
parent 1be58af077
commit 2b5843ae2d
3 changed files with 33 additions and 5 deletions

@ -206,7 +206,7 @@ FIPS140_CFLAGS := -D__DISABLE_EXPORTS -DBUILD_FIPS140_KO
# Create a separate FIPS archive containing a duplicate of each builtin generic
# module that is in scope for FIPS 140-2 certification
#
crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o gcm.o xts.o hmac.o memneq.o \
crypto-fips-objs := drbg.o ecb.o cbc.o ctr.o cts.o gcm.o xts.o hmac.o memneq.o \
gf128mul.o aes_generic.o lib-crypto-aes.o \
sha1_generic.o sha256_generic.o sha512_generic.o \
lib-sha1.o lib-crypto-sha256.o
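Review bot: adding cts.o to crypto-fips-objs silently assumes CONFIG_CRYPTO_CTS is enabled in the GKI configuration; the commit message says GKI already ships the template, so it holds today, but an explicit Kconfig dependency for the fips140 module would keep the object from dropping out of the archive if the defconfig changes. The template's own dependency is satisfied within the boundary, since cbc.o is already in the list.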

@ -76,6 +76,7 @@ static const char * const fips140_algorithms[] __initconst = {
"ecb(aes)",
"cbc(aes)",
"cts(cbc(aes))",
"ctr(aes)",
"xts(aes)",
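Review bot: "cts(cbc(aes))" is now declared in scope, while the self-test entry for it names only the standalone NEON and CE drivers in `.impls`; please confirm that the self-test framework also exercises the template instantiation reached through the bare algorithm name (cts template over the cbc template over aes_generic), since that is the combination this change adds to crypto-fips-objs.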

@ -30,9 +30,10 @@
* be excluded by one of the rules above.
*
* See fips140_selftests[] for the list of tests we've selected. Currently, all
* our test vectors except the DRBG ones were generated by the script
* tools/crypto/gen_fips140_testvecs.py, using the known-good implementations in
* the Python packages hashlib, pycryptodome, and cryptography.
* our test vectors except the AES-CBC-CTS and DRBG ones were generated by the
* script tools/crypto/gen_fips140_testvecs.py, using the known-good
* implementations in the Python packages hashlib, pycryptodome, and
* cryptography.
*
* Note that we don't reuse the upstream crypto API's self-tests
* (crypto/testmgr.{c,h}), for several reasons:
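Review bot: the carve-out for AES-CBC-CTS says only that its vector was not produced by the script; the reason (neither pycryptodome nor python-cryptography implements CBC-CTS, per the commit message) and the source of the vector (RFC 3962, cited only in the test entry) belong here as well, so that whoever regenerates the vectors knows this one must be updated by hand. Suggest something like: `* our test vectors except the AES-CBC-CTS one (taken from RFC 3962, since the` / `* Python libraries lack ciphertext stealing) and the DRBG ones were generated`.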
@ -671,7 +672,7 @@ static const struct fips_test fips140_selftests[] __initconst = {
}
},
/*
* Tests for AES-CBC, AES-CTR, and AES-XTS.
* Tests for AES-CBC, AES-CBC-CTS, AES-CTR, and AES-XTS.
*
* According to the IG, unauthenticated AES modes don't need to have
* their own test as long as both directions of the underlying AES
@ -699,6 +700,32 @@ static const struct fips_test fips140_selftests[] __initconst = {
.ciphertext = fips_aes_cbc_ciphertext,
.message_size = sizeof(fips_message),
}
}, {
.alg = "cts(cbc(aes))",
.impls = {
/* All standalone implementations of "cts(cbc(aes))" */
"cts-cbc-aes-neon",
"cts-cbc-aes-ce",
},
.func = fips_test_skcipher,
/* Test vector taken from RFC 3962 */
.skcipher = {
.key = "\x63\x68\x69\x63\x6b\x65\x6e\x20"
"\x74\x65\x72\x69\x79\x61\x6b\x69",
.key_size = 16,
.iv = "\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00",
.iv_size = 16,
.plaintext = "\x49\x20\x77\x6f\x75\x6c\x64\x20"
"\x6c\x69\x6b\x65\x20\x74\x68\x65"
"\x20\x47\x65\x6e\x65\x72\x61\x6c"
"\x20\x47\x61\x75\x27\x73\x20",
.ciphertext = "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1"
"\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
"\x97\x68\x72\x68\xd6\xec\xcc\xc0"
"\xc0\x7b\x25\xe2\x5e\xcf\xe5",
.message_size = 31,
}
}, {
.alg = "ctr(aes)",
.impls = {
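Review bot: the single vector at `.message_size = 31` exercises only the partial-final-block path; the block-aligned case, where CTS still swaps the last two full blocks and where an implementation that wrongly falls back to plain CBC would pass every other test, is not covered. A second vector with a block-aligned length (the cited RFC publishes vectors at several lengths under the same key and zero IV) would close that gap, or a comment could say why one length suffices under the IG rule quoted above for unauthenticated modes.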