Move HKDF into the FIPS module.

Change-Id: I7c5b0a24c26b83779cf889d890e2c18ae13187c3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58725
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Adam Langley 2023-04-12 23:03:11 +00:00 committed by Boringssl LUCI CQ
parent 4ae4fb76c8
commit d3acd45456
11 changed files with 99 additions and 6 deletions


@ -168,7 +168,6 @@ add_library(
evp/scrypt.c
evp/sign.c
ex_data.c
hkdf/hkdf.c
hpke/hpke.c
hrss/hrss.c
kyber/keccak.c
@ -390,13 +389,13 @@ add_executable(
fipsmodule/ec/ec_test.cc
fipsmodule/ec/p256-nistz_test.cc
fipsmodule/ecdsa/ecdsa_test.cc
fipsmodule/hkdf/hkdf_test.cc
fipsmodule/md5/md5_test.cc
fipsmodule/modes/gcm_test.cc
fipsmodule/rand/ctrdrbg_test.cc
fipsmodule/rand/fork_detect_test.cc
fipsmodule/service_indicator/service_indicator_test.cc
fipsmodule/sha/sha_test.cc
hkdf/hkdf_test.cc
hpke/hpke_test.cc
hmac_extra/hmac_test.cc
hrss/hrss_test.cc


@ -80,6 +80,7 @@
#include "ec/simple_mul.c"
#include "ec/util.c"
#include "ec/wnaf.c"
#include "hkdf/hkdf.c"
#include "hmac/hmac.c"
#include "md4/md4.c"
#include "md5/md5.c"


@ -20,7 +20,7 @@
#include <openssl/err.h>
#include <openssl/hmac.h>
#include "../internal.h"
#include "../../internal.h"
int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,


@ -20,9 +20,9 @@
#include <gtest/gtest.h>
#include "../test/file_test.h"
#include "../test/test_util.h"
#include "../test/wycheproof_util.h"
#include "../../test/file_test.h"
#include "../../test/test_util.h"
#include "../../test/wycheproof_util.h"
struct HKDFTestVector {


@ -946,6 +946,36 @@ static int boringssl_self_test_fast(void) {
goto err;
}
// HKDF
static const uint8_t kHKDFSecret[32] = {
0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67,
0xa1, 0xa7, 0xbd, 0x37, 0x99, 0x3f, 0xd8, 0xa3, 0x3c, 0xe7, 0x30,
0x30, 0x71, 0xf3, 0x9c, 0x09, 0x6d, 0x16, 0x35, 0xb3, 0xc9,
};
static const uint8_t kHKDFSalt[32] = {
0x8a, 0xab, 0x18, 0xb4, 0x9b, 0x0a, 0x17, 0xf9, 0xe8, 0xe6, 0x97,
0x1a, 0x3d, 0xff, 0xda, 0x9b, 0x26, 0x8b, 0x3d, 0x17, 0x78, 0x0a,
0xb3, 0xea, 0x65, 0xdb, 0x2a, 0xc0, 0x29, 0x9c, 0xfa, 0x72,
};
static const uint8_t kHKDFInfo[32] = {
0xe5, 0x6f, 0xf9, 0xe1, 0x18, 0x5e, 0x64, 0x8c, 0x6c, 0x8f, 0xee,
0xc6, 0x93, 0x5a, 0xc5, 0x14, 0x8c, 0xf3, 0xd9, 0x78, 0xd2, 0x3a,
0x86, 0xdd, 0x01, 0xdf, 0xb9, 0xe9, 0x5e, 0xe5, 0x1a, 0x56,
};
static const uint8_t kHKDFOutput[32] = {
0xa6, 0x29, 0xb4, 0xd7, 0xf4, 0xc1, 0x16, 0x64, 0x71, 0x5e, 0xa4,
0xa8, 0xe6, 0x60, 0x8c, 0xf3, 0xc1, 0xa5, 0x03, 0xe2, 0x22, 0xf9,
0x89, 0xe2, 0x12, 0x18, 0xbe, 0xef, 0x16, 0x86, 0xe0, 0xec,
};
uint8_t hkdf_output[sizeof(kHKDFOutput)];
if (!HKDF(hkdf_output, sizeof(hkdf_output), EVP_sha256(), kHKDFSecret,
sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo,
sizeof(kHKDFInfo)) ||
!check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), "HKDF")) {
fprintf(stderr, "HKDF failed.\n");
goto err;
}
ret = 1;
err:
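Review bot: The `// HKDF` comment on the added self-test block does not say which digest the known-answer test uses, where the vector came from, or that `kHKDFSecret` is duplicated elsewhere in this commit. The same 32 bytes appear as the `"HKDF"` entry in the hex table changed in the last file section, so the two values have to be edited together. I would expand the comment to something like `// HKDF-SHA-256 KAT with a 32-byte output. kHKDFSecret must stay identical to the "HKDF" entry in the KAT-break table.` and add the vector's origin if one is recorded. Presumably that table is what a test tool searches for in the binary in order to corrupt the KAT, in which case a silent mismatch would leave the HKDF failure path unexercised; that is worth confirming. `boringssl_self_test_fast` begins and ends outside this hunk.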


@ -173,6 +173,9 @@ func (k *hkdf) Process(vectorSet []byte, m Transactable) (interface{}, error) {
if err != nil {
return nil, fmt.Errorf("HKDF operation failed: %s", err)
}
if len(resp[0]) != int(outBytes) {
return nil, fmt.Errorf("HKDF operation resulted in %d bytes but wanted %d", len(resp[0]), outBytes)
}
if isValidationTest {
passed := bytes.Equal(expected, resp[0])

Binary file not shown.


@ -18,6 +18,7 @@
{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-384.bz2", "Out": "expected/HMAC-SHA2-384.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512.bz2", "Out": "expected/HMAC-SHA2-512.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512-256.bz2", "Out": "expected/HMAC-SHA2-512-256.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/HKDF.bz2", "Out": "expected/HKDF.bz2"},
{"Wrapper": "testmodulewrapper", "In": "vectors/hmacDRBG.bz2", "Out": "expected/hmacDRBG.bz2"},
{"Wrapper": "testmodulewrapper", "In": "vectors/KDA.bz2", "Out": "expected/KDA.bz2"},
{"Wrapper": "modulewrapper", "In": "vectors/KAS-ECC-SSC.bz2"},

Binary file not shown.


@ -37,6 +37,7 @@
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/err.h>
#include <openssl/hkdf.h>
#include <openssl/hmac.h>
#include <openssl/obj.h>
#include <openssl/rsa.h>
@ -885,6 +886,34 @@ static bool GetConfig(const Span<const uint8_t> args[], ReplyCallback write_repl
"FB",
"FC"
]
},
{
"algorithm": "KDA",
"mode": "HKDF",
"revision": "Sp800-56Cr1",
"fixedInfoPattern": "uPartyInfo||vPartyInfo",
"encoding": [
"concatenation"
],
"hmacAlg": [
"SHA2-224",
"SHA2-256",
"SHA2-384",
"SHA2-512",
"SHA2-512/256"
],
"macSaltMethods": [
"default",
"random"
],
"l": 2048,
"z": [
{
"min": 224,
"max": 65336,
"increment": 8
}
]
}
])";
return write_reply({Span<const uint8_t>(
@ -1431,6 +1460,30 @@ static bool HMAC(const Span<const uint8_t> args[], ReplyCallback write_reply) {
return write_reply({Span<const uint8_t>(digest, digest_len)});
}
template <const EVP_MD *HashFunc()>
static bool HKDF(const Span<const uint8_t> args[], ReplyCallback write_reply) {
const EVP_MD *const md = HashFunc();
const auto key = args[0];
const auto salt = args[1];
const auto info = args[2];
const auto out_len_bytes = args[3];
if (out_len_bytes.size() != sizeof(uint32_t)) {
return false;
}
const uint32_t out_len = CRYPTO_load_u32_le(out_len_bytes.data());
if (out_len > (1 << 24)) {
return false;
}
std::vector<uint8_t> out(out_len);
if (!::HKDF(out.data(), out_len, md, key.data(), key.size(), salt.data(),
salt.size(), info.data(), info.size())) {
return false;
}
return write_reply({out});
}
template <bool WithReseed>
static bool DRBG(const Span<const uint8_t> args[], ReplyCallback write_reply) {
const auto out_len_bytes = args[0];
@ -1971,6 +2024,11 @@ static constexpr struct {
{"3DES-ECB/decrypt", 3, TDES<false>},
{"3DES-CBC/encrypt", 4, TDES_CBC<true>},
{"3DES-CBC/decrypt", 4, TDES_CBC<false>},
{"HKDF/SHA2-224", 4, HKDF<EVP_sha224>},
{"HKDF/SHA2-256", 4, HKDF<EVP_sha256>},
{"HKDF/SHA2-384", 4, HKDF<EVP_sha384>},
{"HKDF/SHA2-512", 4, HKDF<EVP_sha512>},
{"HKDF/SHA2-512/256", 4, HKDF<EVP_sha512_256>},
{"HMAC-SHA-1", 2, HMAC<EVP_sha1>},
{"HMAC-SHA2-224", 2, HMAC<EVP_sha224>},
{"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},
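Review bot: The new `HKDF` handler template has no comment describing its argument layout or the `1 << 24` cap, and it reads `args[0]` through `args[3]` relying only on the count of 4 in the dispatch-table entries added further down. I would add a header comment along the lines of `// HKDF: args are key, salt, info and a little-endian uint32 output length in bytes; replies with the derived key.` and, on the bound, `// Cap the harness-supplied length before allocating; ::HKDF enforces its own, much smaller, limit.` The second comment matters because `out_len` comes straight from the request and sizes the `std::vector` before `::HKDF` has a chance to reject it.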


@ -21,6 +21,7 @@ var (
"AES-GCM-decrypt": "35f3058f875760ff09d3120f70c4bc9ed7a86872e13452202176f7371ae04faae1dd391920f5d13953d896785994823c",
"DRBG": "c4da0740d505f1ee280b95e58c4931ac6de846a0152fbb4a3f174cf4787a4f1a40c2b50babe14aae530be5886d910a27",
"DRBG-reseed": "c7161ca36c2309b716e9859bb96c6d49bdc8352103a18cd24ef42ec97ef46bf446eb1a4576c186e9351803763a7912fe",
"HKDF": "68678504b9b3add17d5967a1a7bd37993fd8a33ce7303071f39c096d1635b3c9",
"SHA-1": "132fd9bad5c1826263bafbb699f707a5",
"SHA-256": "ff3b857da7236a2baa0f396b51522217",
"SHA-512": "212512f8d2ad8322781c6c4d69a9daa1",