Split TLS 1.0 and 1.2 self checks.

While it's the same code path, NIST may consider these different
functions and thus want separate checks for them.

Change-Id: Ic391b5e656b22c5e11d94ec22398346669833bd9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62087
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
index 525cd16..edfef6d 100644
--- a/crypto/fipsmodule/self_check/self_check.c
+++ b/crypto/fipsmodule/self_check/self_check.c
@@ -918,11 +918,6 @@
   }
 
   // TLS KDF KAT
-  static const uint8_t kTLSSecret[32] = {
-      0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
-      0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
-      0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
-  };
   static const char kTLSLabel[] = "FIPS self test";
   static const uint8_t kTLSSeed1[16] = {
       0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
@@ -932,17 +927,45 @@
       0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
       0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
   };
-  static const uint8_t kTLSOutput[32] = {
-      0xe2, 0x1d, 0xd6, 0xc2, 0x68, 0xc7, 0x57, 0x03, 0x2c, 0x2c, 0xeb,
-      0xbb, 0xb8, 0xa9, 0x7d, 0xe9, 0xee, 0xe6, 0xc9, 0x47, 0x83, 0x0a,
-      0xbd, 0x11, 0x60, 0x5d, 0xd5, 0x2c, 0x47, 0xb6, 0x05, 0x88,
+
+  static const uint8_t kTLS10Secret[32] = {
+      0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
+      0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
+      0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
   };
-  uint8_t tls_output[sizeof(kTLSOutput)];
-  if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret,
-                       sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel),
-                       kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2,
-                       sizeof(kTLSSeed2)) ||
-      !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS-KDF KAT")) {
+  static const uint8_t kTLS10Output[32] = {
+      0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90,
+      0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f,
+      0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8,
+  };
+  uint8_t tls10_output[sizeof(kTLS10Output)];
+  if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),
+                       kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel,
+                       sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+                       kTLSSeed2, sizeof(kTLSSeed2)) ||
+      !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output),
+                  "TLS10-KDF KAT")) {
+    fprintf(stderr, "TLS KDF failed.\n");
+    goto err;
+  }
+
+  static const uint8_t kTLS12Secret[32] = {
+      0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9,
+      0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc,
+      0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81,
+  };
+  static const uint8_t kTLS12Output[32] = {
+      0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1,
+      0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85,
+      0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51,
+  };
+  uint8_t tls12_output[sizeof(kTLS12Output)];
+  if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output),
+                       kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel,
+                       sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+                       kTLSSeed2, sizeof(kTLSSeed2)) ||
+      !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output),
+                  "TLS12-KDF KAT")) {
     fprintf(stderr, "TLS KDF failed.\n");
     goto err;
   }
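Review bot: Both new failure branches print the identical `TLS KDF failed.` line, so when `CRYPTO_tls1_prf` itself returns 0 the `||` short-circuits past `check_test` and stderr cannot say which of the two now-separate self checks tripped. The commit's purpose is to treat TLS 1.0 and TLS 1.2 as distinct functions, and the next hunk already renames the TLS 1.3 message to `TLS13-KDF failed.`, so these should read `fprintf(stderr, "TLS10-KDF failed.\n");` and `fprintf(stderr, "TLS12-KDF failed.\n");`. Separately, both calls pass `sizeof(kTLSLabel)`, which counts the terminating NUL as part of the label; a comment such as `// sizeof(kTLSLabel) includes the trailing NUL; the expected outputs depend on it.` would keep a later cleanup from silently invalidating the vectors. The enclosing function begins and ends outside this hunk.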
@@ -983,7 +1006,7 @@
       !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,
                   sizeof(kTLS13ExpandLabelOutput),
                   "CRYPTO_tls13_hkdf_expand_label")) {
-    fprintf(stderr, "TLSv1.3 KDF failed.\n");
+    fprintf(stderr, "TLS13-KDF failed.\n");
     goto err;
   }
 
diff --git a/util/fipstools/break-kat.go b/util/fipstools/break-kat.go
index e4d323a..67c3300 100644
--- a/util/fipstools/break-kat.go
+++ b/util/fipstools/break-kat.go
@@ -1,5 +1,3 @@
-//go:build
-
 // break-kat corrupts a known-answer-test input in a binary and writes the
 // corrupted binary to stdout. This is used to demonstrate that the KATs in the
 // binary notice the error.
@@ -27,7 +25,8 @@
 		"SHA-1":           "132fd9bad5c1826263bafbb699f707a5",
 		"SHA-256":         "ff3b857da7236a2baa0f396b51522217",
 		"SHA-512":         "212512f8d2ad8322781c6c4d69a9daa1",
-		"TLS-KDF":         "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
+		"TLS10-KDF":       "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
+		"TLS12-KDF":       "c5438ee26fd4acbd259fc91855dc69bf884ee29322fcbfd2966a4623d42ec781",
 		"TLS13-KDF":       "024a0d80f357f2499a1244dac26dab66fc13ed85fca71dace146211119525874",
 		"RSA-sign":        "d2b56e53306f720d7929d8708bf46f1c22300305582b115bedcac722d8aa5ab2",
 		"RSA-verify":      "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",
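Review bot: The `TLS10-KDF` and `TLS12-KDF` values are hand-copied hex of `kTLS10Secret` and `kTLS12Secret` from self_check.c in this same commit, and nothing visible ties the two files together. If either array is edited later, this tool would presumably stop finding the bytes, or stop breaking the intended test. I would add a comment above the two entries, for example `// Must match kTLS10Secret / kTLS12Secret in crypto/fipsmodule/self_check/self_check.c.`, so the coupling is discoverable from this side. The map literal starts and ends outside the hunk.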
diff --git a/util/fipstools/test_fips.c b/util/fipstools/test_fips.c
index 3a1f7fc..13b8d7d 100644
--- a/util/fipstools/test_fips.c
+++ b/util/fipstools/test_fips.c
@@ -291,6 +291,19 @@
   printf("  got ");
   hexdump(hkdf_output, sizeof(hkdf_output));
 
+  /* TLS v1.0 KDF */
+  printf("About to run TLS v1.0 KDF\n");
+  uint8_t tls10_output[32];
+  if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),
+                       kAESKey, sizeof(kAESKey), "foo", 3, kPlaintextSHA256,
+                       sizeof(kPlaintextSHA256), kPlaintextSHA256,
+                       sizeof(kPlaintextSHA256))) {
+    fprintf(stderr, "TLS v1.0 KDF failed.\n");
+    goto err;
+  }
+  printf("  got ");
+  hexdump(tls10_output, sizeof(tls10_output));
+
   /* TLS v1.2 KDF */
   printf("About to run TLS v1.2 KDF\n");
   uint8_t tls12_output[32];
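Review bot: The label is passed as `"foo", 3`, a hand-counted length that excludes the NUL, whereas the self check in self_check.c passes `sizeof(kTLSLabel)` and so includes it; the two tools therefore exercise the PRF with different label conventions without saying so. A named constant removes the magic number and makes the choice explicit: `static const char kTLSLabel[] = "foo";` with `kTLSLabel, sizeof(kTLSLabel) - 1` at the call. The TLS v1.2 block that follows is cut off by the hunk and may need the same treatment. The enclosing function starts and ends outside this hunk.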