Support TLS KDF test for NIAP.

NIAP requires that the TLS KDF be tested by CAVP so this change moves
the PRF into crypto/fipsmodule/tls and adds a test harness for it. Like
the KAS tests, this is only triggered when “-niap” is passed to
run_cavp.go.

Change-Id: Iaa4973d915853c8e367e6106d829e44fcf1b4ce5
Reviewed-on: https://boringssl-review.googlesource.com/24666
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index fb16215..1e5742b 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -87,6 +87,7 @@
 #include "rsa/blinding.c"
 #include "rsa/padding.c"
 #include "rsa/rsa.c"
+#include "tls/kdf.c"
 #include "rsa/rsa_impl.c"
 #include "sha/sha1-altivec.c"
 #include "sha/sha1.c"
diff --git a/crypto/fipsmodule/tls/internal.h b/crypto/fipsmodule/tls/internal.h
new file mode 100644
index 0000000..ef642a6
--- /dev/null
+++ b/crypto/fipsmodule/tls/internal.h
@@ -0,0 +1,39 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// tls1_prf calculates |out_len| bytes of the TLS PDF, using |digest|, and
+// writes them to |out|. It returns one on success and zero on error.
+OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
+                                   uint8_t *out, size_t out_len,
+                                   const uint8_t *secret, size_t secret_len,
+                                   const char *label, size_t label_len,
+                                   const uint8_t *seed1, size_t seed1_len,
+                                   const uint8_t *seed2, size_t seed2_len);
+
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
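Review bot: The comment above the declaration names the function `tls1_prf` and says "TLS PDF", but the symbol declared is `CRYPTO_tls1_prf` and the construction is the PRF. I would reword the first line to `// CRYPTO_tls1_prf calculates |out_len| bytes of the TLS PRF, using |digest|, and`. It is also worth adding a sentence that passing `EVP_md5_sha1()` selects the TLS 1.0/1.1 construction that splits |secret| between MD5 and SHA-1, since kdf.c branches on exactly that value. Because the symbol is `OPENSSL_EXPORT` but lives in an internal header, the comment should also state who is expected to call it (presumably only libssl and the CAVP harness; confirm).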
diff --git a/crypto/fipsmodule/tls/kdf.c b/crypto/fipsmodule/tls/kdf.c
new file mode 100644
index 0000000..120553f
--- /dev/null
+++ b/crypto/fipsmodule/tls/kdf.c
@@ -0,0 +1,160 @@
+/* ====================================================================
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/hmac.h>
+
+#include "internal.h"
+
+
+// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
+// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
+// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
+// form the seed parameter. It returns true on success and false on failure.
+static int tls1_P_hash(uint8_t *out, size_t out_len,
+                       const EVP_MD *md,
+                       const uint8_t *secret, size_t secret_len,
+                       const char *label, size_t label_len,
+                       const uint8_t *seed1, size_t seed1_len,
+                       const uint8_t *seed2, size_t seed2_len) {
+  HMAC_CTX ctx, ctx_tmp, ctx_init;
+  uint8_t A1[EVP_MAX_MD_SIZE];
+  unsigned A1_len;
+  int ret = 0;
+
+  const size_t chunk = EVP_MD_size(md);
+  HMAC_CTX_init(&ctx);
+  HMAC_CTX_init(&ctx_tmp);
+  HMAC_CTX_init(&ctx_init);
+
+  if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||
+      !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
+      !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
+      !HMAC_Update(&ctx, seed1, seed1_len) ||
+      !HMAC_Update(&ctx, seed2, seed2_len) ||
+      !HMAC_Final(&ctx, A1, &A1_len)) {
+    goto err;
+  }
+
+  for (;;) {
+    unsigned len;
+    uint8_t hmac[EVP_MAX_MD_SIZE];
+    if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
+        !HMAC_Update(&ctx, A1, A1_len) ||
+        // Save a copy of |ctx| to compute the next A1 value below.
+        (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||
+        !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
+        !HMAC_Update(&ctx, seed1, seed1_len) ||
+        !HMAC_Update(&ctx, seed2, seed2_len) ||
+        !HMAC_Final(&ctx, hmac, &len)) {
+      goto err;
+    }
+    assert(len == chunk);
+
+    // XOR the result into |out|.
+    if (len > out_len) {
+      len = out_len;
+    }
+    for (unsigned i = 0; i < len; i++) {
+      out[i] ^= hmac[i];
+    }
+    out += len;
+    out_len -= len;
+
+    if (out_len == 0) {
+      break;
+    }
+
+    // Calculate the next A1 value.
+    if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {
+      goto err;
+    }
+  }
+
+  ret = 1;
+
+err:
+  OPENSSL_cleanse(A1, sizeof(A1));
+  HMAC_CTX_cleanup(&ctx);
+  HMAC_CTX_cleanup(&ctx_tmp);
+  HMAC_CTX_cleanup(&ctx_init);
+  return ret;
+}
+
+int CRYPTO_tls1_prf(const EVP_MD *digest,
+                    uint8_t *out, size_t out_len,
+                    const uint8_t *secret, size_t secret_len,
+                    const char *label, size_t label_len,
+                    const uint8_t *seed1, size_t seed1_len,
+                    const uint8_t *seed2, size_t seed2_len) {
+  if (out_len == 0) {
+    return 1;
+  }
+
+  OPENSSL_memset(out, 0, out_len);
+
+  if (digest == EVP_md5_sha1()) {
+    // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
+    size_t secret_half = secret_len - (secret_len / 2);
+    if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label,
+                     label_len, seed1, seed1_len, seed2, seed2_len)) {
+      return 0;
+    }
+
+    // Note that, if |secret_len| is odd, the two halves share a byte.
+    secret += secret_len - secret_half;
+    secret_len = secret_half;
+    digest = EVP_sha1();
+  }
+
+  return tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,
+                     seed1, seed1_len, seed2, seed2_len);
+}
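Review bot: In `tls1_P_hash` the per-iteration `hmac` buffer holds raw PRF output, which is key material when the caller derives a master secret or key block, yet only `A1` is wiped at `err:`. Declaring `uint8_t hmac[EVP_MAX_MD_SIZE];` at function scope next to `A1` and adding `OPENSSL_cleanse(hmac, sizeof(hmac));` beside the existing cleanse would cover both the success and the error exits. Separately, `CRYPTO_tls1_prf` can return 0 after the MD5 pass has already been XORed into |out|, so the contract should either say that |out| is unspecified on failure or wipe it on the failing paths. The file also uses `assert`, `OPENSSL_cleanse` and `OPENSSL_memset` without including their headers, which presumably works only because bcm.c pulls it into a single translation unit. The `tls1_P_hash` comment still says "true"/"false" although the function now returns `int` 1/0.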
diff --git a/fipstools/CMakeLists.txt b/fipstools/CMakeLists.txt
index 3d32538..4831575 100644
--- a/fipstools/CMakeLists.txt
+++ b/fipstools/CMakeLists.txt
@@ -22,6 +22,7 @@
     cavp_sha_monte_test.cc
     cavp_sha_test.cc
     cavp_tdes_test.cc
+    cavp_tlskdf_test.cc
 
     cavp_test_util.cc
 
diff --git a/fipstools/cavp_main.cc b/fipstools/cavp_main.cc
index 9ed7591..64dbd69 100644
--- a/fipstools/cavp_main.cc
+++ b/fipstools/cavp_main.cc
@@ -48,6 +48,7 @@
     {"rsa2_keygen", &cavp_rsa2_keygen_test_main},
     {"rsa2_siggen", &cavp_rsa2_siggen_test_main},
     {"rsa2_sigver", &cavp_rsa2_sigver_test_main},
+    {"tlskdf", &cavp_tlskdf_test_main},
     {"sha", &cavp_sha_test_main},
     {"sha_monte", &cavp_sha_monte_test_main},
     {"tdes", &cavp_tdes_test_main}
diff --git a/fipstools/cavp_test_util.h b/fipstools/cavp_test_util.h
index 8c0624e..ca9e790 100644
--- a/fipstools/cavp_test_util.h
+++ b/fipstools/cavp_test_util.h
@@ -72,6 +72,7 @@
 int cavp_sha_monte_test_main(int argc, char **argv);
 int cavp_sha_test_main(int argc, char **argv);
 int cavp_tdes_test_main(int argc, char **argv);
+int cavp_tlskdf_test_main(int argc, char **argv);
 
 
 #endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_CAVP_TEST_UTIL_H
diff --git a/fipstools/cavp_tlskdf_test.cc b/fipstools/cavp_tlskdf_test.cc
new file mode 100644
index 0000000..ac0f83f
--- /dev/null
+++ b/fipstools/cavp_tlskdf_test.cc
@@ -0,0 +1,111 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// cavp_tlskdf_test processes NIST TLS KDF test vectors and emits the
+// corresponding response.
+// See https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf, section 6.4.
+
+#include <vector>
+
+#include <openssl/digest.h>
+
+#include "cavp_test_util.h"
+#include "../crypto/fipsmodule/tls/internal.h"
+#include "../crypto/test/file_test.h"
+
+
+static bool TestTLSKDF(FileTest *t, void *arg) {
+  const EVP_MD *md = nullptr;
+
+  if (t->HasInstruction("TLS 1.0/1.1")) {
+    md = EVP_md5_sha1();
+  } else if (t->HasInstruction("TLS 1.2")) {
+    if (t->HasInstruction("SHA-256")) {
+      md = EVP_sha256();
+    } else if (t->HasInstruction("SHA-384")) {
+      md = EVP_sha384();
+    } else if (t->HasInstruction("SHA-512")) {
+      md = EVP_sha512();
+    }
+  }
+
+  if (md == nullptr) {
+    return false;
+  }
+
+  std::string key_block_len_str;
+  std::vector<uint8_t> premaster, server_random, client_random,
+      key_block_server_random, key_block_client_random;
+  if (!t->GetBytes(&premaster, "pre_master_secret") ||
+      !t->GetBytes(&server_random, "serverHello_random") ||
+      !t->GetBytes(&client_random, "clientHello_random") ||
+      // The NIST tests specify different client and server randoms for the
+      // expansion step from the master-secret step. This is impossible in TLS.
+      !t->GetBytes(&key_block_server_random, "server_random") ||
+      !t->GetBytes(&key_block_client_random, "client_random") ||
+      !t->GetInstruction(&key_block_len_str, "key block length") ||
+      // These are ignored.
+      !t->HasAttribute("COUNT") ||
+      !t->HasInstruction("pre-master secret length")) {
+    return false;
+  }
+
+  uint8_t master_secret[48];
+  static const char kMasterSecretLabel[] = "master secret";
+  if (!CRYPTO_tls1_prf(md, master_secret, sizeof(master_secret),
+                       premaster.data(), premaster.size(), kMasterSecretLabel,
+                       sizeof(kMasterSecretLabel) - 1, client_random.data(),
+                       client_random.size(), server_random.data(),
+                       server_random.size())) {
+    return false;
+  }
+
+  errno = 0;
+  const long int key_block_bits =
+      strtol(key_block_len_str.c_str(), nullptr, 10);
+  if (errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0) {
+    return false;
+  }
+  const size_t key_block_len = key_block_bits / 8;
+  std::vector<uint8_t> key_block(key_block_len);
+  static const char kLabel[] = "key expansion";
+  if (!CRYPTO_tls1_prf(
+          md, key_block.data(), key_block.size(), master_secret,
+          sizeof(master_secret), kLabel, sizeof(kLabel) - 1,
+          key_block_server_random.data(), key_block_server_random.size(),
+          key_block_client_random.data(), key_block_client_random.size())) {
+    return false;
+  }
+
+  printf("%smaster_secret = %s\r\nkey_block = %s\r\n\r\n",
+         t->CurrentTestToString().c_str(),
+         EncodeHex(master_secret, sizeof(master_secret)).c_str(),
+         EncodeHex(key_block.data(), key_block.size()).c_str());
+
+  return true;
+}
+
+int cavp_tlskdf_test_main(int argc, char **argv) {
+  if (argc != 2) {
+    fprintf(stderr, "usage: %s <test file>\n", argv[0]);
+    return 1;
+  }
+
+  FileTest::Options opts;
+  opts.path = argv[1];
+  opts.callback = TestTLSKDF;
+  opts.silent = true;
+  opts.comment_callback = EchoComment;
+  return FileTestMain(opts);
+}
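Review bot: The `strtol` call in `TestTLSKDF` passes `nullptr` as the end pointer, so a "key block length" value with trailing non-digits is accepted as whatever prefix parses. There is also no upper bound before `std::vector<uint8_t> key_block(key_block_len)`, so the vector file alone decides the allocation size. I would parse with `char *end;` and `strtol(key_block_len_str.c_str(), &end, 10)`, then add `*end != '\0'` and a sane maximum to the existing `errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0` check. The file relies on `errno`, `strtol`, `printf` and `std::string` without including `<errno.h>`, `<stdlib.h>`, `<stdio.h>` or `<string>` itself; they presumably arrive through `cavp_test_util.h` or `file_test.h`, but direct includes would be more robust. The early `return false` paths (unknown TLS version or hash, missing attribute) emit no diagnostic, which makes a malformed vector file hard to triage.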
diff --git a/fipstools/run_cavp.go b/fipstools/run_cavp.go
index 11a01a1..2b1bf6d 100644
--- a/fipstools/run_cavp.go
+++ b/fipstools/run_cavp.go
@@ -316,6 +316,15 @@
 	},
 }
 
+var tlsKDFTests = testSuite{
+	"KDF135",
+	"tlskdf",
+	nil,
+	[]test{
+		{"tls", nil, false},
+	},
+}
+
 var fipsTestSuites = []*testSuite{
 	&aesGCMTests,
 	&aesTests,
@@ -336,6 +345,7 @@
 
 var niapTestSuites = []*testSuite{
 	&kasTests,
+	&tlsKDFTests,
 }
 
 // testInstance represents a specific test in a testSuite.
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index 6b5447d..7f4f10b 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@@ -148,102 +148,20 @@
 #include <openssl/nid.h>
 #include <openssl/rand.h>
 
+#include "../crypto/fipsmodule/tls/internal.h"
 #include "../crypto/internal.h"
 #include "internal.h"
 
 
 namespace bssl {
 
-// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
-// section 5. It XORs |out.size()| bytes to |out|, using |md| as the hash and
-// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
-// form the seed parameter. It returns true on success and false on failure.
-static bool tls1_P_hash(Span<uint8_t> out, const EVP_MD *md,
-                        Span<const uint8_t> secret, Span<const char> label,
-                        Span<const uint8_t> seed1, Span<const uint8_t> seed2) {
-  ScopedHMAC_CTX ctx, ctx_tmp, ctx_init;
-  uint8_t A1[EVP_MAX_MD_SIZE];
-  unsigned A1_len;
-  bool ret = false;
-
-  size_t chunk = EVP_MD_size(md);
-
-  if (!HMAC_Init_ex(ctx_init.get(), secret.data(), secret.size(), md,
-                    nullptr) ||
-      !HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
-      !HMAC_Update(ctx.get(), reinterpret_cast<const uint8_t *>(label.data()),
-                   label.size()) ||
-      !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
-      !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
-      !HMAC_Final(ctx.get(), A1, &A1_len)) {
-    goto err;
-  }
-
-  for (;;) {
-    unsigned len;
-    uint8_t hmac[EVP_MAX_MD_SIZE];
-    if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
-        !HMAC_Update(ctx.get(), A1, A1_len) ||
-        // Save a copy of |ctx| to compute the next A1 value below.
-        (out.size() > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
-        !HMAC_Update(ctx.get(), reinterpret_cast<const uint8_t *>(label.data()),
-                     label.size()) ||
-        !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
-        !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
-        !HMAC_Final(ctx.get(), hmac, &len)) {
-      goto err;
-    }
-    assert(len == chunk);
-
-    // XOR the result into |out|.
-    if (len > out.size()) {
-      len = out.size();
-    }
-    for (unsigned i = 0; i < len; i++) {
-      out[i] ^= hmac[i];
-    }
-    out = out.subspan(len);
-
-    if (out.empty()) {
-      break;
-    }
-
-    // Calculate the next A1 value.
-    if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
-      goto err;
-    }
-  }
-
-  ret = true;
-
-err:
-  OPENSSL_cleanse(A1, sizeof(A1));
-  return ret;
-}
-
 bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
               Span<const uint8_t> secret, Span<const char> label,
               Span<const uint8_t> seed1, Span<const uint8_t> seed2) {
-  if (out.empty()) {
-    return true;
-  }
-
-  OPENSSL_memset(out.data(), 0, out.size());
-
-  if (digest == EVP_md5_sha1()) {
-    // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
-    size_t secret_half = secret.size() - (secret.size() / 2);
-    if (!tls1_P_hash(out, EVP_md5(), secret.subspan(0, secret_half), label,
-                     seed1, seed2)) {
-      return false;
-    }
-
-    // Note that, if |secret.size()| is odd, the two halves share a byte.
-    secret = secret.subspan(secret.size() - secret_half);
-    digest = EVP_sha1();
-  }
-
-  return tls1_P_hash(out, digest, secret, label, seed1, seed2);
+  return 1 == CRYPTO_tls1_prf(digest, out.data(), out.size(), secret.data(),
+                              secret.size(), label.data(), label.size(),
+                              seed1.data(), seed1.size(), seed2.data(),
+                              seed2.size());
 }
 
 static bool ssl3_prf(Span<uint8_t> out, Span<const uint8_t> secret,