Switch to new ACVP test for TLS 1.2 KDF.

NIST has deprecated the test that we were using; this change switches
BoringSSL to its replacement.

Change-Id: Iff975cda33153f8db42d9c01457d104c502485b9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58787
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/util/fipstools/acvp/ACVP.md b/util/fipstools/acvp/ACVP.md
index 61c6f88..1fd919f 100644
--- a/util/fipstools/acvp/ACVP.md
+++ b/util/fipstools/acvp/ACVP.md
@@ -106,7 +106,7 @@
 | SHA2-384/MCT         | Initial seed¹             | Digest  |
 | SHA2-512/MCT         | Initial seed¹             | Digest  |
 | SHA2-512/256/MCT     | Initial seed¹             | Digest  |
-| TLSKDF/&lt;1.0\|1.2&gt;/&lt;HASH&gt; | Number output bytes, secret, label, seed1, seed2 | Output |
+| TLSKDF/1.2/&lt;HASH&gt; | Number output bytes, secret, label, seed1, seed2 | Output |
 
 ¹ The iterated tests would result in excessive numbers of round trips if the module wrapper handled only basic operations. Thus some ACVP logic is pushed down for these tests so that the inner loop can be handled locally. Either read the NIST documentation ([block-ciphers](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html#name-monte-carlo-tests-for-block) [hashes](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html#name-monte-carlo-tests-for-sha-1)) to understand the iteration count and return values or, probably more fruitfully, see how these functions are handled in the `modulewrapper` directory.
 
diff --git a/util/fipstools/acvp/acvptool/subprocess/subprocess.go b/util/fipstools/acvp/acvptool/subprocess/subprocess.go
index b496982..84152cf 100644
--- a/util/fipstools/acvp/acvptool/subprocess/subprocess.go
+++ b/util/fipstools/acvp/acvptool/subprocess/subprocess.go
@@ -107,10 +107,10 @@
 		"hmacDRBG":          &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}},
 		"KDF":               &kdfPrimitive{},
 		"KDA":               &hkdf{},
+		"TLS-v1.2":          &tlsKDF{},
 		"TLS-v1.3":          &tls13{},
 		"CMAC-AES":          &keyedMACPrimitive{"CMAC-AES"},
 		"RSA":               &rsa{},
-		"kdf-components":    &tlsKDF{},
 		"KAS-ECC-SSC":       &kas{},
 		"KAS-FFC-SSC":       &kasDH{},
 	}
diff --git a/util/fipstools/acvp/acvptool/subprocess/tlskdf.go b/util/fipstools/acvp/acvptool/subprocess/tlskdf.go
index 2e2b65d..ad27b54 100644
--- a/util/fipstools/acvp/acvptool/subprocess/tlskdf.go
+++ b/util/fipstools/acvp/acvptool/subprocess/tlskdf.go
@@ -35,17 +35,11 @@
 }
 
 type tlsKDFTest struct {
-	ID     uint64 `json:"tcId"`
-	PMSHex string `json:"preMasterSecret"`
-	// ClientHelloRandomHex and ServerHelloRandomHex are used for deriving the
-	// master secret. ClientRandomHex and ServerRandomHex are used for deriving the
-	// key block. Having different values for these is not possible in a TLS
-	// handshake unless you squint at a resumption handshake and somehow rederive
-	// the master secret from the session information during resumption.
-	ClientHelloRandomHex string `json:"clientHelloRandom"`
-	ServerHelloRandomHex string `json:"serverHelloRandom"`
-	ClientRandomHex      string `json:"clientRandom"`
-	ServerRandomHex      string `json:"serverRandom"`
+	ID              uint64 `json:"tcId"`
+	PMSHex          string `json:"preMasterSecret"`
+	ClientRandomHex string `json:"clientRandom"`
+	ServerRandomHex string `json:"serverRandom"`
+	SessionHashHex  string `json:"sessionHash"`
 }
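Review bot: `SessionHashHex` is the only new input to this test case, yet it is the one field with no comment, and the removed comment about the hello-random/random split was the only guidance on what these inputs mean. Add a field comment along the lines of `// SessionHashHex is the hex-encoded handshake transcript hash ("session_hash") that RFC 7627 uses as the sole PRF seed for the extended master secret.` A second sentence noting that ClientRandomHex and ServerRandomHex are presumably now used only for the key-block derivation would stop the next reader from assuming they still feed the master secret.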
 
 type tlsKDFTestGroupResponse struct {
@@ -74,35 +68,18 @@
 			ID: group.ID,
 		}
 
-		var tlsVer string
-		switch group.TLSVersion {
-		case "v1.0/1.1":
-			tlsVer = "1.0"
-		case "v1.2":
-			tlsVer = "1.2"
-		default:
-			return nil, fmt.Errorf("unknown TLS version %q", group.TLSVersion)
-		}
-
-		hashIsTLS10 := false
 		switch group.Hash {
-		case "SHA-1":
-			hashIsTLS10 = true
 		case "SHA2-256", "SHA2-384", "SHA2-512":
 			break
 		default:
 			return nil, fmt.Errorf("unknown hash %q", group.Hash)
 		}
 
-		if (tlsVer == "1.0") != hashIsTLS10 {
-			return nil, fmt.Errorf("hash %q not permitted with TLS version %q", group.Hash, group.TLSVersion)
-		}
-
 		if group.KeyBlockBits%8 != 0 {
 			return nil, fmt.Errorf("requested key-block length (%d bits) is not a whole number of bytes", group.KeyBlockBits)
 		}
 
-		method := "TLSKDF/" + tlsVer + "/" + group.Hash
+		method := "TLSKDF/1.2/" + group.Hash
 
 		for _, test := range group.Tests {
 			pms, err := hex.DecodeString(test.PMSHex)
@@ -110,16 +87,6 @@
 				return nil, err
 			}
 
-			clientHelloRandom, err := hex.DecodeString(test.ClientHelloRandomHex)
-			if err != nil {
-				return nil, err
-			}
-
-			serverHelloRandom, err := hex.DecodeString(test.ServerHelloRandomHex)
-			if err != nil {
-				return nil, err
-			}
-
 			clientRandom, err := hex.DecodeString(test.ClientRandomHex)
 			if err != nil {
 				return nil, err
@@ -130,15 +97,20 @@
 				return nil, err
 			}
 
+			sessionHash, err := hex.DecodeString(test.SessionHashHex)
+			if err != nil {
+				return nil, err
+			}
+
 			const (
 				masterSecretLength = 48
-				masterSecretLabel  = "master secret"
+				masterSecretLabel  = "extended master secret"
 				keyBlockLabel      = "key expansion"
 			)
 
 			var outLenBytes [4]byte
 			binary.LittleEndian.PutUint32(outLenBytes[:], uint32(masterSecretLength))
-			result, err := m.Transact(method, 1, outLenBytes[:], pms, []byte(masterSecretLabel), clientHelloRandom, serverHelloRandom)
+			result, err := m.Transact(method, 1, outLenBytes[:], pms, []byte(masterSecretLabel), sessionHash, nil)
 			if err != nil {
 				return nil, err
 			}
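Review bot: The extended-master-secret call passes `nil` as the final seed argument to `m.Transact`, which silently relies on a nil slice being encoded as a zero-length seed2 and on the C++ side presumably concatenating seed1||seed2; that is the right shape for RFC 7627, where the session hash is the entire seed, but nothing in the code says so. A one-line comment would do: `// RFC 7627: the EMS PRF seed is the session hash alone, so seed2 is empty.` Consider also rejecting a decoded `sessionHash` whose length does not match the digest size of `group.Hash` (32/48/64 bytes for SHA2-256/384/512) so a malformed vector fails here with a clear error rather than yielding a silently wrong master secret. The key-block derivation that still uses clientRandom and serverRandom, and the start of the enclosing function, are outside this hunk.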
diff --git a/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2 b/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2
new file mode 100644
index 0000000..d83b691
--- /dev/null
+++ b/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2
Binary files differ
diff --git a/util/fipstools/acvp/acvptool/test/tests.json b/util/fipstools/acvp/acvptool/test/tests.json
index 3e7dbd0..421e253 100644
--- a/util/fipstools/acvp/acvptool/test/tests.json
+++ b/util/fipstools/acvp/acvptool/test/tests.json
@@ -24,12 +24,12 @@
 {"Wrapper": "modulewrapper", "In": "vectors/KAS-ECC-SSC.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/KAS-FFC-SSC.bz2"},
 {"Wrapper": "testmodulewrapper", "In": "vectors/KDF.bz2"},
-{"Wrapper": "modulewrapper", "In": "vectors/kdf-components.bz2", "Out": "expected/kdf-components.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/RSA.bz2", "Out": "expected/RSA.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/SHA-1.bz2", "Out": "expected/SHA-1.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/SHA2-224.bz2", "Out": "expected/SHA2-224.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/SHA2-256.bz2", "Out": "expected/SHA2-256.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/SHA2-384.bz2", "Out": "expected/SHA2-384.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/SHA2-512.bz2", "Out": "expected/SHA2-512.bz2"},
+{"Wrapper": "modulewrapper", "In": "vectors/TLS12.bz2", "Out": "expected/TLS12.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/TLS13.bz2", "Out": "expected/TLS13.bz2"}
 ]
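Review bot: The `kdf-components` entry is dropped from the test list, but this diff shows no deletion of `vectors/kdf-components.bz2` or `expected/kdf-components.bz2`; if those files are still in the tree they are now orphaned fixtures that no test reads. Either delete them in this change or note why they are kept, so the vector directory continues to mirror `tests.json`. The new `TLS12.bz2` pair is added correctly alongside `TLS13.bz2`.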
diff --git a/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2 b/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2
new file mode 100644
index 0000000..d1911ab
--- /dev/null
+++ b/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2
Binary files differ
diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index 85622c1..f417b64 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -835,20 +835,6 @@
         }]
       },
       {
-        "algorithm": "kdf-components",
-        "revision": "1.0",
-        "mode": "tls",
-        "tlsVersion": [
-          "v1.0/1.1",
-          "v1.2"
-        ],
-        "hashAlg": [
-          "SHA2-256",
-          "SHA2-384",
-          "SHA2-512"
-        ]
-      },
-      {
         "algorithm": "KAS-ECC-SSC",
         "revision": "Sp800-56Ar3",
         "scheme": {
@@ -916,6 +902,16 @@
         ]
       },
       {
+        "algorithm": "TLS-v1.2",
+        "mode": "KDF",
+        "revision": "RFC7627",
+        "hashAlg": [
+          "SHA2-256",
+          "SHA2-384",
+          "SHA2-512"
+        ]
+      },
+      {
         "algorithm": "TLS-v1.3",
         "mode": "KDF",
         "revision": "RFC8446",
@@ -2127,7 +2123,6 @@
     {"RSA/sigVer/SHA2-512/pss", 4, RSASigVer<EVP_sha512, true>},
     {"RSA/sigVer/SHA2-512/256/pss", 4, RSASigVer<EVP_sha512_256, true>},
     {"RSA/sigVer/SHA-1/pss", 4, RSASigVer<EVP_sha1, true>},
-    {"TLSKDF/1.0/SHA-1", 5, TLSKDF<EVP_md5_sha1>},
     {"TLSKDF/1.2/SHA2-256", 5, TLSKDF<EVP_sha256>},
     {"TLSKDF/1.2/SHA2-384", 5, TLSKDF<EVP_sha384>},
     {"TLSKDF/1.2/SHA2-512", 5, TLSKDF<EVP_sha512>},