Switch to Go standard library functions where available

Change-Id: I84c157f0a810a3d04e2f58b829073f6a49efdbd6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/76187
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/go.mod b/go.mod
index b308b1e..811bf7d 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,6 @@
 
 require (
 	filippo.io/edwards25519 v1.1.0
-	filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039
 	golang.org/x/crypto v0.31.0
 	golang.org/x/net v0.27.0
 )
diff --git a/go.sum b/go.sum
index 5683f99..3b0bcfc 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,5 @@
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039 h1:I/alPPIVzEkPeQKVU7Sl5gv/sQ0IC4zgqHiACrSgUW8=
-filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039/go.mod h1:IkpYfciLz5fI/S4/Z0NlhR4cpv6ubCMDnIwAe0XiojA=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
diff --git a/ssl/test/runner/hpke/kem.go b/ssl/test/runner/hpke/kem.go
index 4955433..6bc58a7 100644
--- a/ssl/test/runner/hpke/kem.go
+++ b/ssl/test/runner/hpke/kem.go
@@ -16,10 +16,10 @@
 
 import (
 	"crypto"
+	"crypto/hkdf"
 	"crypto/rand"
 
 	"golang.org/x/crypto/curve25519"
-	"golang.org/x/crypto/hkdf"
 )
 
 const (
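Review bot: The new `crypto/hkdf` import only resolves with a Go 1.24 or later toolchain, and the same holds for the `crypto/mlkem`, `crypto/sha3` and `crypto/pbkdf2` imports added in the other files of this change. The `go` directive in go.mod lies outside the visible hunks, so it is worth confirming that it already requires 1.24 or higher. Without that, an older toolchain fails with a missing-package error instead of a clear version message.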
@@ -44,7 +44,11 @@
 	labeledIKM = append(labeledIKM, suiteID...)
 	labeledIKM = append(labeledIKM, label...)
 	labeledIKM = append(labeledIKM, ikm...)
-	return hkdf.Extract(kdfHash.New, labeledIKM, salt)
+	ret, err := hkdf.Extract(kdfHash.New, labeledIKM, salt)
+	if err != nil {
+		panic(err)
+	}
+	return ret
 }
 
 func labeledExpand(kdfHash crypto.Hash, prk, suiteID, label, info []byte, length int) []byte {
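Review bot: `panic(err)` in labeledExtract drops the call-site context that the replaced panics in this change carried (for example the old "hkdfExpandLabel: hkdf.Expand unexpectedly failed" in prf.go), so a failure now shows only the bare crypto/hkdf message. The same pattern recurs in labeledExpand in the next hunk, in addEntropy, hkdfExpandLabel and echAcceptConfirmation in prf.go, and in doHKDF in spake2plus.go. At minimum I would record the intent above each panic, e.g. `// hkdf.Extract failing here is a bug in the test runner, so panic rather than return an error.`; where fmt is available, wrapping the error with the function name would be better. labeledExtract starts outside the hunk.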
@@ -60,11 +64,9 @@
 	labeledInfo = append(labeledInfo, label...)
 	labeledInfo = append(labeledInfo, info...)
 
-	reader := hkdf.Expand(kdfHash.New, prk, labeledInfo)
-	key := make([]uint8, length)
-	_, err := reader.Read(key)
+	key, err := hkdf.Expand(kdfHash.New, prk, string(labeledInfo), length)
 	if err != nil {
-		panic("failed to perform HKDF expand operation")
+		panic(err)
 	}
 	return key
 }
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go
index b5a0e1a..fa57b9f 100644
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@@ -9,6 +9,7 @@
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
+	"crypto/mlkem"
 	"crypto/rsa"
 	"crypto/subtle"
 	"crypto/x509"
@@ -19,7 +20,6 @@
 	"slices"
 
 	"boringssl.googlesource.com/boringssl.git/ssl/test/runner/kyber"
-	"filippo.io/mlkem768"
 	"golang.org/x/crypto/curve25519"
 )
 
@@ -432,23 +432,23 @@
 
 // mlkem768KEM implements ML-KEM-768
 type mlkem768KEM struct {
-	decapKey *mlkem768.DecapsulationKey
+	decapKey *mlkem.DecapsulationKey768
 }
 
 func (e *mlkem768KEM) encapsulationKeySize() int {
-	return mlkem768.EncapsulationKeySize
+	return mlkem.EncapsulationKeySize768
 }
 
 func (e *mlkem768KEM) ciphertextSize() int {
-	return mlkem768.CiphertextSize
+	return mlkem.CiphertextSize768
 }
 
 func (m *mlkem768KEM) generate(config *Config) (publicKey []byte, err error) {
-	m.decapKey, err = mlkem768.GenerateKey()
+	m.decapKey, err = mlkem.GenerateKey768()
 	if err != nil {
 		return
 	}
-	publicKey = m.decapKey.EncapsulationKey()
+	publicKey = m.decapKey.EncapsulationKey().Bytes()
 	if config.Bugs.MLKEMEncapKeyNotReduced {
 		// Set the first 12 bits so that the first word is definitely
 		// not reduced.
@@ -459,11 +459,16 @@
 }
 
 func (m *mlkem768KEM) encap(config *Config, peerKey []byte) (ciphertext []byte, secret []byte, err error) {
-	return mlkem768.Encapsulate(peerKey)
+	key, err := mlkem.NewEncapsulationKey768(peerKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	secret, ciphertext = key.Encapsulate()
+	return
 }
 
 func (m *mlkem768KEM) decap(config *Config, ciphertext []byte) (secret []byte, err error) {
-	return mlkem768.Decapsulate(m.decapKey, ciphertext)
+	return m.decapKey.Decapsulate(ciphertext)
 }
 
 // concatKEM concatenates two kemImplementations.
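Review bot: In encap the assignment `secret, ciphertext = key.Encapsulate()` is in the opposite order to the method's own results `(ciphertext, secret, err)`, and the naked `return` hides which value ends up where. As far as I know crypto/mlkem returns the shared key first and the ciphertext second, so the code is correct, but a swapped pair here would hand the shared secret to the caller as the ciphertext without any compile-time signal. I would add `// Encapsulate returns (sharedKey, ciphertext), the reverse of this method's result order.` above the call and end the function with `return ciphertext, secret, nil`.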
diff --git a/ssl/test/runner/kyber/kyber.go b/ssl/test/runner/kyber/kyber.go
index acae886..c3f3a87 100644
--- a/ssl/test/runner/kyber/kyber.go
+++ b/ssl/test/runner/kyber/kyber.go
@@ -17,10 +17,9 @@
 // This code is ported from kyber.c.
 
 import (
+	"crypto/sha3"
 	"crypto/subtle"
 	"io"
-
-	"golang.org/x/crypto/sha3"
 )
 
 const (
@@ -255,8 +254,7 @@
 }
 
 func (s *scalar) centeredBinomialEta2(input *[33]byte) {
-	var entropy [128]byte
-	sha3.ShakeSum256(entropy[:], input[:])
+	entropy := sha3.SumSHAKE256(input[:], 128)
 
 	for i := 0; i < len(s); i += 2 {
 		b := uint16(entropy[i/2])
@@ -452,7 +450,7 @@
 type matrix [rank][rank]scalar
 
 func (m *matrix) expand(rho *[32]byte) {
-	shake := sha3.NewShake128()
+	shake := sha3.NewSHAKE128()
 
 	var input [34]byte
 	copy(input[:], rho[:])
@@ -538,7 +536,7 @@
 	ciphertext := pub.encryptCPA(entropy, (*[32]byte)(prekeyAndRandomness[32:]))
 	ciphertextHash := sha3.Sum256(ciphertext[:])
 	copy(prekeyAndRandomness[32:], ciphertextHash[:])
-	sha3.ShakeSum256(outSharedSecret, prekeyAndRandomness[:])
+	copy(outSharedSecret, sha3.SumSHAKE256(prekeyAndRandomness[:], len(outSharedSecret)))
 	return ciphertext
 }
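Review bot: `copy(outSharedSecret, sha3.SumSHAKE256(...))` derives the shared secret into a temporary slice and then copies it, which leaves a second, unzeroed copy of the secret behind. It also differs from the decapsulation path in the next hunk, which reads from a `sha3.NewSHAKE256()` instance straight into `outSharedSecret`. For test code this is a consistency point rather than a vulnerability. Writing it the same way avoids the extra buffer: `shake := sha3.NewSHAKE256()`, `shake.Write(prekeyAndRandomness[:])`, `shake.Read(outSharedSecret)`. The enclosing function starts outside the hunk.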
 
@@ -605,7 +603,7 @@
 	}
 	ciphertextHash := sha3.Sum256(ciphertext[:])
 
-	shake := sha3.NewShake256()
+	shake := sha3.NewSHAKE256()
 	shake.Write(secret[:])
 	shake.Write(ciphertextHash[:])
 	shake.Read(outSharedSecret)
diff --git a/ssl/test/runner/kyber/kyber_test.go b/ssl/test/runner/kyber/kyber_test.go
index 2dd20d0..5ad7cae 100644
--- a/ssl/test/runner/kyber/kyber_test.go
+++ b/ssl/test/runner/kyber/kyber_test.go
@@ -17,13 +17,12 @@
 import (
 	"bufio"
 	"bytes"
+	"crypto/sha3"
 	"encoding/hex"
 	"flag"
 	"os"
 	"strings"
 	"testing"
-
-	"golang.org/x/crypto/sha3"
 )
 
 var testVectorsPath = flag.String("test-vectors", "../../../../crypto/kyber/kyber_tests.txt", "The path to the test vectors to use")
@@ -96,7 +95,7 @@
 }
 
 func TestIteration(t *testing.T) {
-	h := sha3.NewShake256()
+	h := sha3.NewSHAKE256()
 
 	for i := 0; i < 4096; i++ {
 		var generateEntropy [64]byte
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index c497ae9..4585e46 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -6,6 +6,7 @@
 
 import (
 	"crypto"
+	"crypto/hkdf"
 	"crypto/hmac"
 	"crypto/md5"
 	"crypto/sha1"
@@ -14,7 +15,6 @@
 	"hash"
 
 	"golang.org/x/crypto/cryptobyte"
-	"golang.org/x/crypto/hkdf"
 )
 
 // copyHash returns a copy of |h|, which must be an instance of |hashType|.
@@ -341,7 +341,11 @@
 
 // addEntropy incorporates ikm into the running TLS 1.3 secret with HKDF-Expand.
 func (h *finishedHash) addEntropy(ikm []byte) {
-	h.secret = hkdf.Extract(h.suite.hash().New, ikm, h.secret)
+	var err error
+	h.secret, err = hkdf.Extract(h.suite.hash().New, ikm, h.secret)
+	if err != nil {
+		panic(err)
+	}
 }
 
 func (h *finishedHash) nextSecret() {
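Review bot: The doc comment on addEntropy says the secret is updated with HKDF-Expand, but the body calls `hkdf.Extract`. The comment is an unchanged context line, yet this change rewrites the function body and is a good place to correct it. Suggested wording: `// addEntropy incorporates ikm into the running TLS 1.3 secret with HKDF-Extract.` It may also be worth one line stating that an error from hkdf.Extract is treated as a runner bug and panics.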
@@ -371,9 +375,9 @@
 	x = x[len(label):]
 	x[0] = byte(len(hashValue))
 	copy(x[1:], hashValue)
-	ret := make([]byte, length)
-	if n, err := hkdf.Expand(hash.New, secret, hkdfLabel).Read(ret); err != nil || n != length {
-		panic("hkdfExpandLabel: hkdf.Expand unexpectedly failed")
+	ret, err := hkdf.Expand(hash.New, secret, string(hkdfLabel), length)
+	if err != nil {
+		panic(err)
 	}
 	return ret
 }
@@ -414,7 +418,10 @@
 // in sections 7.2 and 7.2.1 of draft-ietf-tls-esni-13. The transcript hash is
 // computed by concatenating |h| with |extraMessages|.
 func (h *finishedHash) echAcceptConfirmation(clientRandom, label, extraMessages []byte) []byte {
-	secret := hkdf.Extract(h.suite.hash().New, clientRandom, h.zeroSecret())
+	secret, err := hkdf.Extract(h.suite.hash().New, clientRandom, h.zeroSecret())
+	if err != nil {
+		panic(err)
+	}
 	hashCopy := copyHash(h.hash, h.suite.hash())
 	hashCopy.Write(extraMessages)
 	return hkdfExpandLabel(h.suite.hash(), secret, label, hashCopy.Sum(nil), echAcceptConfirmationLength, h.isDTLS)
diff --git a/ssl/test/runner/spake2plus/spake2plus.go b/ssl/test/runner/spake2plus/spake2plus.go
index 048e12e..abef785 100644
--- a/ssl/test/runner/spake2plus/spake2plus.go
+++ b/ssl/test/runner/spake2plus/spake2plus.go
@@ -18,6 +18,7 @@
 import (
 	"bytes"
 	"crypto/elliptic"
+	"crypto/hkdf"
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha256"
@@ -26,7 +27,6 @@
 	"io"
 	"math/big"
 
-	"golang.org/x/crypto/hkdf"
 	"golang.org/x/crypto/scrypt"
 )
 
@@ -330,9 +330,10 @@
 }
 
 func doHKDF(ikm, info []byte, size int) []byte {
-	h := hkdf.New(sha256.New, ikm, nil, info)
-	out := make([]byte, size)
-	h.Read(out)
+	out, err := hkdf.Key(sha256.New, ikm, nil, string(info), size)
+	if err != nil {
+		panic(err)
+	}
 	return out
 }
 
diff --git a/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go b/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go
index 98c520d..83691d6 100644
--- a/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go
+++ b/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go
@@ -24,9 +24,12 @@
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ed25519"
+	"crypto/hkdf"
 	"crypto/hmac"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha256"
+	"crypto/sha3"
 	"crypto/sha512"
 	"encoding/binary"
 	"errors"
@@ -37,9 +40,6 @@
 
 	"filippo.io/edwards25519"
 
-	"golang.org/x/crypto/hkdf"
-	"golang.org/x/crypto/pbkdf2"
-	"golang.org/x/crypto/sha3"
 	"golang.org/x/crypto/xts"
 )
 
@@ -64,16 +64,16 @@
 	"EDDSA/keyVer":             eddsaKeyVer,
 	"EDDSA/sigGen":             eddsaSigGen,
 	"EDDSA/sigVer":             eddsaSigVer,
-	"SHAKE-128":                shakeAftVot(sha3.NewShake128),
-	"SHAKE-128/VOT":            shakeAftVot(sha3.NewShake128),
-	"SHAKE-128/MCT":            shakeMct(sha3.NewShake128),
-	"SHAKE-256":                shakeAftVot(sha3.NewShake256),
-	"SHAKE-256/VOT":            shakeAftVot(sha3.NewShake256),
-	"SHAKE-256/MCT":            shakeMct(sha3.NewShake256),
-	"cSHAKE-128":               cShakeAft(sha3.NewCShake128),
-	"cSHAKE-128/MCT":           cShakeMct(sha3.NewCShake128),
-	"cSHAKE-256":               cShakeAft(sha3.NewCShake256),
-	"cSHAKE-256/MCT":           cShakeMct(sha3.NewCShake256),
+	"SHAKE-128":                shakeAftVot(sha3.NewSHAKE128),
+	"SHAKE-128/VOT":            shakeAftVot(sha3.NewSHAKE128),
+	"SHAKE-128/MCT":            shakeMct(sha3.NewSHAKE128),
+	"SHAKE-256":                shakeAftVot(sha3.NewSHAKE256),
+	"SHAKE-256/VOT":            shakeAftVot(sha3.NewSHAKE256),
+	"SHAKE-256/MCT":            shakeMct(sha3.NewSHAKE256),
+	"cSHAKE-128":               cShakeAft(sha3.NewCSHAKE128),
+	"cSHAKE-128/MCT":           cShakeMct(sha3.NewCSHAKE128),
+	"cSHAKE-256":               cShakeAft(sha3.NewCSHAKE256),
+	"cSHAKE-256/MCT":           cShakeMct(sha3.NewCSHAKE256),
 }
 
 func flush(args [][]byte) error {
@@ -428,9 +428,10 @@
 
 	length := binary.LittleEndian.Uint32(lengthBytes)
 
-	mac := hkdf.New(sha256.New, key, salt, info)
-	ret := make([]byte, length)
-	mac.Read(ret)
+	ret, err := hkdf.Key(sha256.New, key, salt, string(info), int(length))
+	if err != nil {
+		return err
+	}
 
 	return reply(ret)
 }
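Review bot: The new `return err` passes the crypto/hkdf error up without saying which handler produced it, while the other error returns visible in this file name their operation (`"pbkdf unknown HMAC algorithm: %q"`, `"shakeAftVot received %d args, wanted 2"`); the pbkdf2.Key hunk further down does the same. Wrapping keeps the wrapper's output readable: `return fmt.Errorf("hkdf: %w", err)` here and `return fmt.Errorf("pbkdf: %w", err)` there. Separately, `int(length)` converts a uint32 read from the request. Where int is 32 bits a large value would become negative, and I have not confirmed how hkdf.Key treats a negative length, so an explicit upper bound before the call would be safer. The enclosing function starts outside the hunk.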
@@ -615,13 +616,13 @@
 	case "SHA2-512/256":
 		h = sha512.New512_256
 	case "SHA3-224":
-		h = sha3.New224
+		h = func() hash.Hash { return sha3.New224() }
 	case "SHA3-256":
-		h = sha3.New256
+		h = func() hash.Hash { return sha3.New256() }
 	case "SHA3-384":
-		h = sha3.New384
+		h = func() hash.Hash { return sha3.New384() }
 	case "SHA3-512":
-		h = sha3.New512
+		h = func() hash.Hash { return sha3.New512() }
 	default:
 		return fmt.Errorf("pbkdf unknown HMAC algorithm: %q", hmacName)
 	}
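Review bot: The four closures of the form `func() hash.Hash { return sha3.New224() }` look redundant without an explanation, and a later cleanup could fold them back to `sha3.New224`, which would presumably no longer compile. The wrappers are needed because the crypto/sha3 constructors return a concrete `*sha3.SHA3` rather than `hash.Hash`, and `h` (declared outside this hunk) is presumably a `func() hash.Hash`. A comment above the first SHA3 case would record that: `// crypto/sha3 constructors return *sha3.SHA3; adapt them to func() hash.Hash.`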
@@ -629,7 +630,10 @@
 	salt, password := args[2], args[3]
 	iterationCount := binary.LittleEndian.Uint32(args[4])
 
-	derivedKey := pbkdf2.Key(password, salt, int(iterationCount), int(keyLen), h)
+	derivedKey, err := pbkdf2.Key(h, string(password), salt, int(iterationCount), int(keyLen))
+	if err != nil {
+		return err
+	}
 
 	return reply(derivedKey)
 }
@@ -731,7 +735,7 @@
 	return reply([]byte{1})
 }
 
-func shakeAftVot(digestFn func() sha3.ShakeHash) func([][]byte) error {
+func shakeAftVot(digestFn func() *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 2 {
 			return fmt.Errorf("shakeAftVot received %d args, wanted 2", len(args))
@@ -749,7 +753,7 @@
 	}
 }
 
-func shakeMct(digestFn func() sha3.ShakeHash) func([][]byte) error {
+func shakeMct(digestFn func() *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 4 {
 			return fmt.Errorf("shakeMct received %d args, wanted 4", len(args))
@@ -797,7 +801,7 @@
 	}
 }
 
-func cShakeAft(hFn func(N, S []byte) sha3.ShakeHash) func([][]byte) error {
+func cShakeAft(hFn func(N, S []byte) *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 4 {
 			return fmt.Errorf("cShakeAft received %d args, wanted 4", len(args))
@@ -817,7 +821,7 @@
 	}
 }
 
-func cShakeMct(hFn func(N, S []byte) sha3.ShakeHash) func([][]byte) error {
+func cShakeMct(hFn func(N, S []byte) *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 6 {
 			return fmt.Errorf("cShakeMct received %d args, wanted 6", len(args))