Move TLS 1.3 KDF functions into the FIPS module.
Change-Id: I32a40a73f96e029ac9096af826d15b22d9dcad28 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58745 Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
This commit is contained in:
parent
d3acd45456
commit
480344d4fa
@ -946,6 +946,46 @@ static int boringssl_self_test_fast(void) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
// TLS v1.3: derives a dummy client-early-traffic secret.
|
||||
static const uint8_t kTLS13Secret[32] = {
|
||||
0x02, 0x4a, 0x0d, 0x80, 0xf3, 0x57, 0xf2, 0x49, 0x9a, 0x12, 0x44,
|
||||
0xda, 0xc2, 0x6d, 0xab, 0x66, 0xfc, 0x13, 0xed, 0x85, 0xfc, 0xa7,
|
||||
0x1d, 0xac, 0xe1, 0x46, 0x21, 0x11, 0x19, 0x52, 0x58, 0x74,
|
||||
};
|
||||
static const uint8_t kTLS13Salt[16] = {
|
||||
0x54, 0x61, 0x11, 0x36, 0x75, 0x91, 0xf0, 0xf8,
|
||||
0x92, 0xec, 0x70, 0xbd, 0x78, 0x2a, 0xef, 0x61,
|
||||
};
|
||||
static const uint8_t kTLS13Label[] = "c e traffic";
|
||||
static const uint8_t kTLS13ClientHelloHash[32] = {
|
||||
0x1d, 0xe8, 0x67, 0xed, 0x93, 0x6a, 0x73, 0x65, 0x9b, 0x05, 0xcf,
|
||||
0x8a, 0x22, 0x77, 0xb7, 0x37, 0x29, 0xf2, 0x44, 0x94, 0x81, 0x6a,
|
||||
0x83, 0x33, 0x7f, 0x09, 0xbb, 0x6c, 0xc2, 0x6f, 0x48, 0x9c,
|
||||
};
|
||||
static const uint8_t kTLS13ExpandLabelOutput[32] = {
|
||||
0x62, 0x91, 0x52, 0x90, 0x2e, 0xc9, 0xcf, 0x9c, 0x5f, 0x1e, 0x0a,
|
||||
0xb7, 0x00, 0x33, 0x42, 0x24, 0xc4, 0xe3, 0xba, 0x01, 0x40, 0x32,
|
||||
0x06, 0xab, 0x09, 0x23, 0x8a, 0xdd, 0x01, 0xa4, 0x05, 0xcd,
|
||||
};
|
||||
uint8_t tls13_extract_output[32];
|
||||
size_t tls13_extract_output_len;
|
||||
uint8_t tls13_expand_label_output[32];
|
||||
if (!HKDF_extract(tls13_extract_output, &tls13_extract_output_len,
|
||||
EVP_sha256(), kTLS13Secret, sizeof(kTLS13Secret),
|
||||
kTLS13Salt, sizeof(kTLS13Salt)) ||
|
||||
tls13_extract_output_len != sizeof(tls13_extract_output) ||
|
||||
!CRYPTO_tls13_hkdf_expand_label(
|
||||
tls13_expand_label_output, sizeof(tls13_expand_label_output),
|
||||
EVP_sha256(), tls13_extract_output, sizeof(tls13_extract_output),
|
||||
kTLS13Label, sizeof(kTLS13Label) - 1, kTLS13ClientHelloHash,
|
||||
sizeof(kTLS13ClientHelloHash)) ||
|
||||
!check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,
|
||||
sizeof(kTLS13ExpandLabelOutput),
|
||||
"CRYPTO_tls13_hkdf_expand_label")) {
|
||||
fprintf(stderr, "TLSv1.3 KDF failed.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
// HKDF
|
||||
static const uint8_t kHKDFSecret[32] = {
|
||||
0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67,
|
||||
|
@ -31,6 +31,14 @@ OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
|
||||
const uint8_t *seed1, size_t seed1_len,
|
||||
const uint8_t *seed2, size_t seed2_len);
|
||||
|
||||
// CRYPTO_tls13_hkdf_expand_label computes the TLS 1.3 KDF function of the same
|
||||
// name. See https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
|
||||
OPENSSL_EXPORT int CRYPTO_tls13_hkdf_expand_label(
|
||||
uint8_t *out, size_t out_len, const EVP_MD *digest, //
|
||||
const uint8_t *secret, size_t secret_len, //
|
||||
const uint8_t *label, size_t label_len, //
|
||||
const uint8_t *hash, size_t hash_len);
|
||||
|
||||
|
||||
#if defined(__cplusplus)
|
||||
}
|
||||
|
@ -52,6 +52,7 @@
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
#include <openssl/bytestring.h>
|
||||
#include <openssl/digest.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/mem.h>
|
||||
@ -176,3 +177,34 @@ end:
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len,
|
||||
const EVP_MD *digest, //
|
||||
const uint8_t *secret, size_t secret_len,
|
||||
const uint8_t *label, size_t label_len,
|
||||
const uint8_t *hash, size_t hash_len) {
|
||||
static const uint8_t kProtocolLabel[] = "tls13 ";
|
||||
CBB cbb, child;
|
||||
uint8_t *hkdf_label = NULL;
|
||||
size_t hkdf_label_len;
|
||||
|
||||
CBB_zero(&cbb);
|
||||
if (!CBB_init(&cbb, 2 + 1 + sizeof(kProtocolLabel) - 1 + label_len + 1 +
|
||||
hash_len) ||
|
||||
!CBB_add_u16(&cbb, out_len) ||
|
||||
!CBB_add_u8_length_prefixed(&cbb, &child) ||
|
||||
!CBB_add_bytes(&child, kProtocolLabel, sizeof(kProtocolLabel) - 1) ||
|
||||
!CBB_add_bytes(&child, label, label_len) ||
|
||||
!CBB_add_u8_length_prefixed(&cbb, &child) ||
|
||||
!CBB_add_bytes(&child, hash, hash_len) ||
|
||||
!CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {
|
||||
CBB_cleanup(&cbb);
|
||||
return 0;
|
||||
}
|
||||
|
||||
const int ret = HKDF_expand(out, out_len, digest, secret, secret_len,
|
||||
hkdf_label, hkdf_label_len);
|
||||
OPENSSL_free(hkdf_label);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/mem.h>
|
||||
|
||||
#include "../crypto/fipsmodule/tls/internal.h"
|
||||
#include "../crypto/internal.h"
|
||||
#include "internal.h"
|
||||
|
||||
@ -95,27 +96,10 @@ static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest,
|
||||
Span<const uint8_t> secret,
|
||||
Span<const char> label,
|
||||
Span<const uint8_t> hash) {
|
||||
Span<const char> protocol_label = label_to_span("tls13 ");
|
||||
ScopedCBB cbb;
|
||||
CBB child;
|
||||
Array<uint8_t> hkdf_label;
|
||||
if (!CBB_init(cbb.get(), 2 + 1 + protocol_label.size() + label.size() + 1 +
|
||||
hash.size()) ||
|
||||
!CBB_add_u16(cbb.get(), out.size()) ||
|
||||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
|
||||
!CBB_add_bytes(&child,
|
||||
reinterpret_cast<const uint8_t *>(protocol_label.data()),
|
||||
protocol_label.size()) ||
|
||||
!CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(label.data()),
|
||||
label.size()) ||
|
||||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
|
||||
!CBB_add_bytes(&child, hash.data(), hash.size()) ||
|
||||
!CBBFinishArray(cbb.get(), &hkdf_label)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return HKDF_expand(out.data(), out.size(), digest, secret.data(),
|
||||
secret.size(), hkdf_label.data(), hkdf_label.size());
|
||||
return CRYPTO_tls13_hkdf_expand_label(
|
||||
out.data(), out.size(), digest, secret.data(), secret.size(),
|
||||
reinterpret_cast<const uint8_t *>(label.data()), label.size(),
|
||||
hash.data(), hash.size()) == 1;
|
||||
}
|
||||
|
||||
static const char kTLS13LabelDerived[] = "derived";
|
||||
|
@ -77,6 +77,8 @@ The other commands are as follows. (Note that you only need to implement the com
|
||||
| ECDSA/sigVer | Curve name, hash name, message, X, Y, R, S | Single-byte validity flag |
|
||||
| FFDH | p, q, g, peer public key, local private key (or empty), local public key (or empty) | Local public key, shared key |
|
||||
| HKDF/<HASH> | key, salt, info, num output bytes | Key |
|
||||
| HKDFExtract | secret, salt | Key |
|
||||
| HKDFExpandLabel | Output length, secret, label, transcript hash | Key |
|
||||
| HMAC-SHA-1 | Value to hash, key | Digest |
|
||||
| HMAC-SHA2-224 | Value to hash, key | Digest |
|
||||
| HMAC-SHA2-256 | Value to hash, key | Digest |
|
||||
|
@ -107,6 +107,7 @@ func NewWithIO(cmd *exec.Cmd, in io.WriteCloser, out io.ReadCloser) *Subprocess
|
||||
"hmacDRBG": &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}},
|
||||
"KDF": &kdfPrimitive{},
|
||||
"KDA": &hkdf{},
|
||||
"TLS-v1.3": &tls13{},
|
||||
"CMAC-AES": &keyedMACPrimitive{"CMAC-AES"},
|
||||
"RSA": &rsa{},
|
||||
"kdf-components": &tlsKDF{},
|
||||
|
240
util/fipstools/acvp/acvptool/subprocess/tls13.go
Normal file
240
util/fipstools/acvp/acvptool/subprocess/tls13.go
Normal file
@ -0,0 +1,240 @@
|
||||
// Copyright (c) 2023, Google Inc.
|
||||
//
|
||||
// Permission to use, copy, modify, and/or distribute this software for any
|
||||
// purpose with or without fee is hereby granted, provided that the above
|
||||
// copyright notice and this permission notice appear in all copies.
|
||||
//
|
||||
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
||||
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
||||
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
||||
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
package subprocess
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"crypto/sha512"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
// The following structures reflect the JSON of TLS 1.3 tests. See
|
||||
// https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html
|
||||
|
||||
type tls13TestVectorSet struct {
|
||||
Groups []tls13TestGroup `json:"testGroups"`
|
||||
}
|
||||
|
||||
type tls13TestGroup struct {
|
||||
ID uint64 `json:"tgId"`
|
||||
HashFunc string `json:"hmacAlg"`
|
||||
Tests []tls13Test `json:"tests"`
|
||||
}
|
||||
|
||||
type tls13Test struct {
|
||||
ID uint64 `json:"tcId"`
|
||||
// Although ACVP refers to these as client and server randoms, these
|
||||
// fields are misnamed and really contain portions of the handshake
|
||||
// transcript. Concatenated in order, they give the transcript up to
|
||||
// the named message. In case of HelloRetryRequest, ClientHelloHex
|
||||
// includes up to the second ClientHello.
|
||||
ClientHelloHex string `json:"helloClientRandom"`
|
||||
ServerHelloHex string `json:"helloServerRandom"`
|
||||
ServerFinishedHex string `json:"finishedServerRandom"`
|
||||
ClientFinishedHex string `json:"finishedClientRandom"`
|
||||
DHEInputHex string `json:"dhe"`
|
||||
PSKInputHex string `json:"psk"`
|
||||
}
|
||||
|
||||
type tls13TestGroupResponse struct {
|
||||
ID uint64 `json:"tgId"`
|
||||
Tests []tls13TestResponse `json:"tests"`
|
||||
}
|
||||
|
||||
type tls13TestResponse struct {
|
||||
ID uint64 `json:"tcId"`
|
||||
ClientEarlyTrafficSecretHex string `json:"clientEarlyTrafficSecret"`
|
||||
EarlyExporterMasterSecretHex string `json:"earlyExporterMasterSecret"`
|
||||
ClientHandshakeTrafficSecretHex string `json:"clientHandshakeTrafficSecret"`
|
||||
ServerHandshakeTrafficSecretHex string `json:"serverHandshakeTrafficSecret"`
|
||||
ClientApplicationTrafficSecretHex string `json:"clientApplicationTrafficSecret"`
|
||||
ServerApplicationTrafficSecretHex string `json:"serverApplicationTrafficSecret"`
|
||||
ExporterMasterSecretHex string `json:"exporterMasterSecret"`
|
||||
ResumptionMasterSecretHex string `json:"resumptionMasterSecret"`
|
||||
}
|
||||
|
||||
type tls13 struct{}
|
||||
|
||||
func (k *tls13) Process(vectorSet []byte, m Transactable) (interface{}, error) {
|
||||
var parsed tls13TestVectorSet
|
||||
if err := json.Unmarshal(vectorSet, &parsed); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var respGroups []tls13TestGroupResponse
|
||||
for _, group := range parsed.Groups {
|
||||
groupResp := tls13TestGroupResponse{ID: group.ID}
|
||||
|
||||
for _, test := range group.Tests {
|
||||
testResp := tls13TestResponse{ID: test.ID}
|
||||
|
||||
clientHello, err := hex.DecodeString(test.ClientHelloHex)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
serverHello, err := hex.DecodeString(test.ServerHelloHex)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
serverFinished, err := hex.DecodeString(test.ServerFinishedHex)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
clientFinished, err := hex.DecodeString(test.ClientFinishedHex)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// See https://www.rfc-editor.org/rfc/rfc8446#section-7.1
|
||||
var hashLen int
|
||||
var emptyHash []byte
|
||||
switch group.HashFunc {
|
||||
case "SHA2-256":
|
||||
hashLen = 256 / 8
|
||||
digest := sha256.Sum256(nil)
|
||||
emptyHash = digest[:]
|
||||
case "SHA2-384":
|
||||
hashLen = 384 / 8
|
||||
digest := sha512.Sum384(nil)
|
||||
emptyHash = digest[:]
|
||||
default:
|
||||
return nil, fmt.Errorf("hash function %q is not supported for TLS v1.3", group.HashFunc)
|
||||
}
|
||||
hashLenBytes := uint32le(uint32(hashLen))
|
||||
|
||||
psk, err := hex.DecodeString(test.PSKInputHex)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(psk) == 0 {
|
||||
psk = make([]byte, hashLen)
|
||||
}
|
||||
|
||||
dhe, err := hex.DecodeString(test.DHEInputHex)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(dhe) == 0 {
|
||||
dhe = make([]byte, hashLen)
|
||||
}
|
||||
|
||||
zeros := make([]byte, hashLen)
|
||||
earlySecret, err := m.Transact("HKDFExtract/"+group.HashFunc, 1, psk, zeros)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExtract operation failed: %s", err)
|
||||
}
|
||||
|
||||
hashedToClientHello, err := m.Transact(group.HashFunc, 1, clientHello)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("%q operation failed: %s", group.HashFunc, err)
|
||||
}
|
||||
hashedToServerHello, err := m.Transact(group.HashFunc, 1, concat(clientHello, serverHello))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("%q operation failed: %s", group.HashFunc, err)
|
||||
}
|
||||
hashedToServerFinished, err := m.Transact(group.HashFunc, 1, concat(clientHello, serverHello, serverFinished))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("%q operation failed: %s", group.HashFunc, err)
|
||||
}
|
||||
hashedMessages, err := m.Transact(group.HashFunc, 1, concat(clientHello, serverHello, serverFinished, clientFinished))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("%q operation failed: %s", group.HashFunc, err)
|
||||
}
|
||||
|
||||
clientEarlyTrafficSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, earlySecret[0], []byte("c e traffic"), hashedToClientHello[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ClientEarlyTrafficSecretHex = hex.EncodeToString(clientEarlyTrafficSecret[0])
|
||||
|
||||
earlyExporter, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, earlySecret[0], []byte("e exp master"), hashedToClientHello[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.EarlyExporterMasterSecretHex = hex.EncodeToString(earlyExporter[0])
|
||||
|
||||
derivedSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, earlySecret[0], []byte("derived"), emptyHash[:])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
|
||||
handshakeSecret, err := m.Transact("HKDFExtract/"+group.HashFunc, 1, dhe, derivedSecret[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExtract operation failed: %s", err)
|
||||
}
|
||||
|
||||
clientHandshakeTrafficSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, handshakeSecret[0], []byte("c hs traffic"), hashedToServerHello[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ClientHandshakeTrafficSecretHex = hex.EncodeToString(clientHandshakeTrafficSecret[0])
|
||||
|
||||
serverHandshakeTrafficSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, handshakeSecret[0], []byte("s hs traffic"), hashedToServerHello[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ServerHandshakeTrafficSecretHex = hex.EncodeToString(serverHandshakeTrafficSecret[0])
|
||||
|
||||
derivedSecret, err = m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, handshakeSecret[0], []byte("derived"), emptyHash[:])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
|
||||
masterSecret, err := m.Transact("HKDFExtract/"+group.HashFunc, 1, zeros, derivedSecret[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExtract operation failed: %s", err)
|
||||
}
|
||||
|
||||
clientAppTrafficSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, masterSecret[0], []byte("c ap traffic"), hashedToServerFinished[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ClientApplicationTrafficSecretHex = hex.EncodeToString(clientAppTrafficSecret[0])
|
||||
|
||||
serverAppTrafficSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, masterSecret[0], []byte("s ap traffic"), hashedToServerFinished[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ServerApplicationTrafficSecretHex = hex.EncodeToString(serverAppTrafficSecret[0])
|
||||
|
||||
exporterSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, masterSecret[0], []byte("exp master"), hashedToServerFinished[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ExporterMasterSecretHex = hex.EncodeToString(exporterSecret[0])
|
||||
|
||||
resumptionSecret, err := m.Transact("HKDFExpandLabel/"+group.HashFunc, 1, hashLenBytes, masterSecret[0], []byte("res master"), hashedMessages[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("HKDFExpandLabel operation failed: %s", err)
|
||||
}
|
||||
testResp.ResumptionMasterSecretHex = hex.EncodeToString(resumptionSecret[0])
|
||||
|
||||
groupResp.Tests = append(groupResp.Tests, testResp)
|
||||
}
|
||||
respGroups = append(respGroups, groupResp)
|
||||
}
|
||||
|
||||
return respGroups, nil
|
||||
}
|
||||
|
||||
func concat(slices ...[]byte) []byte {
|
||||
var ret []byte
|
||||
for _, slice := range slices {
|
||||
ret = append(ret, slice...)
|
||||
}
|
||||
return ret
|
||||
}
|
BIN
util/fipstools/acvp/acvptool/test/expected/TLS13.bz2
Normal file
BIN
util/fipstools/acvp/acvptool/test/expected/TLS13.bz2
Normal file
Binary file not shown.
@ -30,5 +30,6 @@
|
||||
{"Wrapper": "modulewrapper", "In": "vectors/SHA2-224.bz2", "Out": "expected/SHA2-224.bz2"},
|
||||
{"Wrapper": "modulewrapper", "In": "vectors/SHA2-256.bz2", "Out": "expected/SHA2-256.bz2"},
|
||||
{"Wrapper": "modulewrapper", "In": "vectors/SHA2-384.bz2", "Out": "expected/SHA2-384.bz2"},
|
||||
{"Wrapper": "modulewrapper", "In": "vectors/SHA2-512.bz2", "Out": "expected/SHA2-512.bz2"}
|
||||
{"Wrapper": "modulewrapper", "In": "vectors/SHA2-512.bz2", "Out": "expected/SHA2-512.bz2"},
|
||||
{"Wrapper": "modulewrapper", "In": "vectors/TLS13.bz2", "Out": "expected/TLS13.bz2"}
|
||||
]
|
||||
|
BIN
util/fipstools/acvp/acvptool/test/vectors/TLS13.bz2
Normal file
BIN
util/fipstools/acvp/acvptool/test/vectors/TLS13.bz2
Normal file
Binary file not shown.
@ -914,6 +914,20 @@ static bool GetConfig(const Span<const uint8_t> args[], ReplyCallback write_repl
|
||||
"increment": 8
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"algorithm": "TLS-v1.3",
|
||||
"mode": "KDF",
|
||||
"revision": "RFC8446",
|
||||
"hmacAlg": [
|
||||
"SHA2-256",
|
||||
"SHA2-384"
|
||||
],
|
||||
"runningMode": [
|
||||
"DHE",
|
||||
"PSK",
|
||||
"PSK-DHE"
|
||||
]
|
||||
}
|
||||
])";
|
||||
return write_reply({Span<const uint8_t>(
|
||||
@ -1484,6 +1498,49 @@ static bool HKDF(const Span<const uint8_t> args[], ReplyCallback write_reply) {
|
||||
return write_reply({out});
|
||||
}
|
||||
|
||||
template <const EVP_MD *HashFunc()>
|
||||
static bool HKDFExtract(const Span<const uint8_t> args[],
|
||||
ReplyCallback write_reply) {
|
||||
const EVP_MD *const md = HashFunc();
|
||||
const auto secret = args[0];
|
||||
const auto salt = args[1];
|
||||
|
||||
std::vector<uint8_t> out(EVP_MD_size(md));
|
||||
size_t out_len;
|
||||
if (!HKDF_extract(out.data(), &out_len, md, secret.data(), secret.size(),
|
||||
salt.data(), salt.size())) {
|
||||
return false;
|
||||
}
|
||||
assert(out_len == out.size());
|
||||
return write_reply({out});
|
||||
}
|
||||
|
||||
template <const EVP_MD *HashFunc()>
|
||||
static bool HKDFExpandLabel(const Span<const uint8_t> args[],
|
||||
ReplyCallback write_reply) {
|
||||
const EVP_MD *const md = HashFunc();
|
||||
const auto out_len_bytes = args[0];
|
||||
const auto secret = args[1];
|
||||
const auto label = args[2];
|
||||
const auto hash = args[3];
|
||||
|
||||
if (out_len_bytes.size() != sizeof(uint32_t)) {
|
||||
return false;
|
||||
}
|
||||
const uint32_t out_len = CRYPTO_load_u32_le(out_len_bytes.data());
|
||||
if (out_len > (1 << 24)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
std::vector<uint8_t> out(out_len);
|
||||
if (!CRYPTO_tls13_hkdf_expand_label(out.data(), out_len, md, secret.data(),
|
||||
secret.size(), label.data(), label.size(),
|
||||
hash.data(), hash.size())) {
|
||||
return false;
|
||||
}
|
||||
return write_reply({out});
|
||||
}
|
||||
|
||||
template <bool WithReseed>
|
||||
static bool DRBG(const Span<const uint8_t> args[], ReplyCallback write_reply) {
|
||||
const auto out_len_bytes = args[0];
|
||||
@ -2029,6 +2086,10 @@ static constexpr struct {
|
||||
{"HKDF/SHA2-384", 4, HKDF<EVP_sha384>},
|
||||
{"HKDF/SHA2-512", 4, HKDF<EVP_sha512>},
|
||||
{"HKDF/SHA2-512/256", 4, HKDF<EVP_sha512_256>},
|
||||
{"HKDFExpandLabel/SHA2-256", 4, HKDFExpandLabel<EVP_sha256>},
|
||||
{"HKDFExpandLabel/SHA2-384", 4, HKDFExpandLabel<EVP_sha384>},
|
||||
{"HKDFExtract/SHA2-256", 2, HKDFExtract<EVP_sha256>},
|
||||
{"HKDFExtract/SHA2-384", 2, HKDFExtract<EVP_sha384>},
|
||||
{"HMAC-SHA-1", 2, HMAC<EVP_sha1>},
|
||||
{"HMAC-SHA2-224", 2, HMAC<EVP_sha224>},
|
||||
{"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},
|
||||
|
@ -26,6 +26,7 @@ var (
|
||||
"SHA-256": "ff3b857da7236a2baa0f396b51522217",
|
||||
"SHA-512": "212512f8d2ad8322781c6c4d69a9daa1",
|
||||
"TLS-KDF": "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
|
||||
"TLS13-KDF": "024a0d80f357f2499a1244dac26dab66fc13ed85fca71dace146211119525874",
|
||||
"RSA-sign": "d2b56e53306f720d7929d8708bf46f1c22300305582b115bedcac722d8aa5ab2",
|
||||
"RSA-verify": "abe2cbc13d6bd39d48db5334ddbf8d070a93bdcb104e2cc5d0ee486ee295f6b31bda126c41890b98b73e70e6b65d82f95c663121755a90744c8d1c21148a1960be0eca446e9ff497f1345c537ef8119b9a4398e95c5c6de2b1c955905c5299d8ce7a3b6ab76380d9babdd15f610237e1f3f2aa1c1f1e770b62fbb596381b2ebdd77ecef9c90d4c92f7b6b05fed2936285fa94826e62055322a33b6f04c74ce69e5d8d737fb838b79d2d48e3daf71387531882531a95ac964d02ea413bf85952982bbc089527daff5b845c9a0f4d14ef1956d9c3acae882d12da66da0f35794f5ee32232333517db9315232a183b991654dbea41615345c885325926744a53915",
|
||||
"ECDSA-sign": "1e35930be860d0942ca7bbd6f6ded87f157e4de24f81ed4b875c0e018e89a81f",
|
||||
|
Loading…
x
Reference in New Issue
Block a user