Switch to Go standard library functions where available Change-Id: I84c157f0a810a3d04e2f58b829073f6a49efdbd6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/76187 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/go.mod b/go.mod
index b308b1e..811bf7d 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,6 @@ require ( filippo.io/edwards25519 v1.1.0 - filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039 golang.org/x/crypto v0.31.0 golang.org/x/net v0.27.0 )
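Review bot: The hunk only drops the filippo.io/mlkem768 requirement, but the replacements elsewhere in this change (crypto/mlkem, crypto/hkdf, crypto/sha3, crypto/pbkdf2) all exist only from Go 1.24 onward, and the `go` directive that would pin that is above this hunk and not visible here. If it is still older than 1.24 the runner and acvptool will no longer build; please confirm it reads `go 1.24` (or newer), and bump it in this same change if not. The module block continues outside the hunk.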
diff --git a/go.sum b/go.sum
index 5683f99..3b0bcfc 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,5 @@
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039 h1:I/alPPIVzEkPeQKVU7Sl5gv/sQ0IC4zgqHiACrSgUW8=
-filippo.io/mlkem768 v0.0.0-20241021091500-d85de16e2039/go.mod h1:IkpYfciLz5fI/S4/Z0NlhR4cpv6ubCMDnIwAe0XiojA=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
diff --git a/ssl/test/runner/hpke/kem.go b/ssl/test/runner/hpke/kem.go
index 4955433..6bc58a7 100644
--- a/ssl/test/runner/hpke/kem.go
+++ b/ssl/test/runner/hpke/kem.go
@@ -16,10 +16,10 @@
 import (
 	"crypto"
+	"crypto/hkdf"
 	"crypto/rand"
 
 	"golang.org/x/crypto/curve25519"
-	"golang.org/x/crypto/hkdf"
 )
 
 const (
@@ -44,7 +44,11 @@
 	labeledIKM = append(labeledIKM, suiteID...)
 	labeledIKM = append(labeledIKM, label...)
 	labeledIKM = append(labeledIKM, ikm...)
-	return hkdf.Extract(kdfHash.New, labeledIKM, salt)
+	ret, err := hkdf.Extract(kdfHash.New, labeledIKM, salt)
+	if err != nil {
+		panic(err)
+	}
+	return ret
 }
 
 func labeledExpand(kdfHash crypto.Hash, prk, suiteID, label, info []byte, length int) []byte {
@@ -60,11 +64,9 @@
 	labeledInfo = append(labeledInfo, label...)
 	labeledInfo = append(labeledInfo, info...)
 
-	reader := hkdf.Expand(kdfHash.New, prk, labeledInfo)
-	key := make([]uint8, length)
-	_, err := reader.Read(key)
+	key, err := hkdf.Expand(kdfHash.New, prk, string(labeledInfo), length)
 	if err != nil {
-		panic("failed to perform HKDF expand operation")
+		panic(err)
 	}
 	return key
 }
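Review bot: The new `panic(err)` paths in labeledExtract and labeledExpand are undocumented, so a reader cannot tell whether they represent a runtime failure to handle or a broken invariant. As far as I can tell from the crypto/hkdf API, Expand fails only when `length` exceeds 255 times the hash output size (the RFC 5869 HKDF-Expand bound) and Extract only on internal invariant violations, so both are programmer errors and a panic is the right response in test code; that is worth saying. Suggest above labeledExpand: `// labeledExpand panics if length exceeds 255*HashSize (RFC 5869 limit) — a caller bug, not a runtime condition.` Both functions begin outside this hunk.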
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go
index b5a0e1a..fa57b9f 100644
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@@ -9,6 +9,7 @@
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
+	"crypto/mlkem"
 	"crypto/rsa"
 	"crypto/subtle"
 	"crypto/x509"
@@ -19,7 +20,6 @@
 	"slices"
 
 	"boringssl.googlesource.com/boringssl.git/ssl/test/runner/kyber"
-	"filippo.io/mlkem768"
 	"golang.org/x/crypto/curve25519"
 )
 
@@ -432,23 +432,23 @@
 
 // mlkem768KEM implements ML-KEM-768
 type mlkem768KEM struct {
-	decapKey *mlkem768.DecapsulationKey
+	decapKey *mlkem.DecapsulationKey768
 }
 
 func (e *mlkem768KEM) encapsulationKeySize() int {
-	return mlkem768.EncapsulationKeySize
+	return mlkem.EncapsulationKeySize768
 }
 
 func (e *mlkem768KEM) ciphertextSize() int {
-	return mlkem768.CiphertextSize
+	return mlkem.CiphertextSize768
 }
 
 func (m *mlkem768KEM) generate(config *Config) (publicKey []byte, err error) {
-	m.decapKey, err = mlkem768.GenerateKey()
+	m.decapKey, err = mlkem.GenerateKey768()
 	if err != nil {
 		return
 	}
-	publicKey = m.decapKey.EncapsulationKey()
+	publicKey = m.decapKey.EncapsulationKey().Bytes()
 	if config.Bugs.MLKEMEncapKeyNotReduced {
 		// Set the first 12 bits so that the first word is definitely
 		// not reduced.
@@ -459,11 +459,16 @@
 }
 
 func (m *mlkem768KEM) encap(config *Config, peerKey []byte) (ciphertext []byte, secret []byte, err error) {
-	return mlkem768.Encapsulate(peerKey)
+	key, err := mlkem.NewEncapsulationKey768(peerKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	secret, ciphertext = key.Encapsulate()
+	return
 }
 
 func (m *mlkem768KEM) decap(config *Config, ciphertext []byte) (secret []byte, err error) {
-	return mlkem768.Decapsulate(m.decapKey, ciphertext)
+	return m.decapKey.Decapsulate(ciphertext)
 }
 
 // concatKEM concatenates two kemImplementations.
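Review bot: In the new encap body the only thing keeping the shared secret and the ciphertext from being swapped is the order of the two named results on the `secret, ciphertext = key.Encapsulate()` line, since Encapsulate returns (sharedKey, ciphertext) while this method returns (ciphertext, secret, err) and both are plain []byte the compiler cannot tell apart; the naked `return` two lines later hides that reordering. Mixing an explicit `return nil, nil, err` with a naked `return` in a six-line function is also the kind of style inconsistency that invites exactly this class of mix-up. Suggest replacing the last two lines with `sharedKey, ct := key.Encapsulate()` and `return ct, sharedKey, nil` so the swap is visible at the return site. The generate method's body continues past the end of its hunk.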
diff --git a/ssl/test/runner/kyber/kyber.go b/ssl/test/runner/kyber/kyber.go
index acae886..c3f3a87 100644
--- a/ssl/test/runner/kyber/kyber.go
+++ b/ssl/test/runner/kyber/kyber.go
@@ -17,10 +17,9 @@
 // This code is ported from kyber.c.
 
 import (
+	"crypto/sha3"
 	"crypto/subtle"
 	"io"
-
-	"golang.org/x/crypto/sha3"
 )
 
 const (
@@ -255,8 +254,7 @@
 }
 
 func (s *scalar) centeredBinomialEta2(input *[33]byte) {
-	var entropy [128]byte
-	sha3.ShakeSum256(entropy[:], input[:])
+	entropy := sha3.SumSHAKE256(input[:], 128)
 
 	for i := 0; i < len(s); i += 2 {
 		b := uint16(entropy[i/2])
@@ -452,7 +450,7 @@
 type matrix [rank][rank]scalar
 
 func (m *matrix) expand(rho *[32]byte) {
-	shake := sha3.NewShake128()
+	shake := sha3.NewSHAKE128()
 
 	var input [34]byte
 	copy(input[:], rho[:])
@@ -538,7 +536,7 @@
 	ciphertext := pub.encryptCPA(entropy, (*[32]byte)(prekeyAndRandomness[32:]))
 	ciphertextHash := sha3.Sum256(ciphertext[:])
 	copy(prekeyAndRandomness[32:], ciphertextHash[:])
-	sha3.ShakeSum256(outSharedSecret, prekeyAndRandomness[:])
+	copy(outSharedSecret, sha3.SumSHAKE256(prekeyAndRandomness[:], len(outSharedSecret)))
 	return ciphertext
 }
 
@@ -605,7 +603,7 @@
 	}
 	ciphertextHash := sha3.Sum256(ciphertext[:])
 
-	shake := sha3.NewShake256()
+	shake := sha3.NewSHAKE256()
 	shake.Write(secret[:])
 	shake.Write(ciphertextHash[:])
 	shake.Read(outSharedSecret)
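Review bot: The `copy(outSharedSecret, sha3.SumSHAKE256(prekeyAndRandomness[:], len(outSharedSecret)))` line in the encapsulation hunk derives the shared secret into a fresh heap slice and then copies it into the caller's buffer, leaving a second, unzeroed copy of the secret behind, whereas the decapsulation hunk below it streams the same derivation straight into `outSharedSecret` with NewSHAKE256/Write/Read. The two paths compute the same thing and should read the same way; this is test-only code so the extra copy is not a real leak, but the inconsistency is what a later reader will trip over. Suggest mirroring the decap form: `shake := sha3.NewSHAKE256()`, `shake.Write(prekeyAndRandomness[:])`, `shake.Read(outSharedSecret)`. The enclosing function starts before the hunk.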
diff --git a/ssl/test/runner/kyber/kyber_test.go b/ssl/test/runner/kyber/kyber_test.go
index 2dd20d0..5ad7cae 100644
--- a/ssl/test/runner/kyber/kyber_test.go
+++ b/ssl/test/runner/kyber/kyber_test.go
@@ -17,13 +17,12 @@
 import (
 	"bufio"
 	"bytes"
+	"crypto/sha3"
 	"encoding/hex"
 	"flag"
 	"os"
 	"strings"
 	"testing"
-
-	"golang.org/x/crypto/sha3"
 )
 
 var testVectorsPath = flag.String("test-vectors", "../../../../crypto/kyber/kyber_tests.txt", "The path to the test vectors to use")
@@ -96,7 +95,7 @@
 }
 
 func TestIteration(t *testing.T) {
-	h := sha3.NewShake256()
+	h := sha3.NewSHAKE256()
 	for i := 0; i < 4096; i++ {
 		var generateEntropy [64]byte
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index c497ae9..4585e46 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -6,6 +6,7 @@
 import (
 	"crypto"
+	"crypto/hkdf"
 	"crypto/hmac"
 	"crypto/md5"
 	"crypto/sha1"
@@ -14,7 +15,6 @@
 	"hash"
 
 	"golang.org/x/crypto/cryptobyte"
-	"golang.org/x/crypto/hkdf"
 )
 
 // copyHash returns a copy of |h|, which must be an instance of |hashType|.
@@ -341,7 +341,11 @@
 
 // addEntropy incorporates ikm into the running TLS 1.3 secret with HKDF-Expand.
 func (h *finishedHash) addEntropy(ikm []byte) {
-	h.secret = hkdf.Extract(h.suite.hash().New, ikm, h.secret)
+	var err error
+	h.secret, err = hkdf.Extract(h.suite.hash().New, ikm, h.secret)
+	if err != nil {
+		panic(err)
+	}
 }
 
 func (h *finishedHash) nextSecret() {
@@ -371,9 +375,9 @@
 	x = x[len(label):]
 	x[0] = byte(len(hashValue))
 	copy(x[1:], hashValue)
-	ret := make([]byte, length)
-	if n, err := hkdf.Expand(hash.New, secret, hkdfLabel).Read(ret); err != nil || n != length {
-		panic("hkdfExpandLabel: hkdf.Expand unexpectedly failed")
+	ret, err := hkdf.Expand(hash.New, secret, string(hkdfLabel), length)
+	if err != nil {
+		panic(err)
 	}
 	return ret
 }
@@ -414,7 +418,10 @@
 // in sections 7.2 and 7.2.1 of draft-ietf-tls-esni-13. The transcript hash is
 // computed by concatenating |h| with |extraMessages|.
 func (h *finishedHash) echAcceptConfirmation(clientRandom, label, extraMessages []byte) []byte {
-	secret := hkdf.Extract(h.suite.hash().New, clientRandom, h.zeroSecret())
+	secret, err := hkdf.Extract(h.suite.hash().New, clientRandom, h.zeroSecret())
+	if err != nil {
+		panic(err)
+	}
 	hashCopy := copyHash(h.hash, h.suite.hash())
 	hashCopy.Write(extraMessages)
 	return hkdfExpandLabel(h.suite.hash(), secret, label, hashCopy.Sum(nil), echAcceptConfirmationLength, h.isDTLS)
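Review bot: The doc comment on addEntropy says the running secret is updated "with HKDF-Expand", but the body — old and new — calls `hkdf.Extract(h.suite.hash().New, ikm, h.secret)`, i.e. HKDF-Extract with the current secret as the salt and `ikm` as the input keying material, which is the RFC 8446 Section 7.1 key-schedule step; the comment has the wrong primitive and this rewrite of the line is the natural place to fix it. The distinction matters here because Extract and Expand have different argument roles (salt vs. info), and a reader checking the key schedule against the spec will be misled. Suggest `// addEntropy incorporates ikm into the running TLS 1.3 secret with HKDF-Extract, using the current secret as the salt (RFC 8446, Section 7.1).`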
diff --git a/ssl/test/runner/spake2plus/spake2plus.go b/ssl/test/runner/spake2plus/spake2plus.go
index 048e12e..abef785 100644
--- a/ssl/test/runner/spake2plus/spake2plus.go
+++ b/ssl/test/runner/spake2plus/spake2plus.go
@@ -18,6 +18,7 @@
 import (
 	"bytes"
 	"crypto/elliptic"
+	"crypto/hkdf"
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha256"
@@ -26,7 +27,6 @@
 	"io"
 	"math/big"
 
-	"golang.org/x/crypto/hkdf"
 	"golang.org/x/crypto/scrypt"
 )
 
@@ -330,9 +330,10 @@
 }
 
 func doHKDF(ikm, info []byte, size int) []byte {
-	h := hkdf.New(sha256.New, ikm, nil, info)
-	out := make([]byte, size)
-	h.Read(out)
+	out, err := hkdf.Key(sha256.New, ikm, nil, string(info), size)
+	if err != nil {
+		panic(err)
+	}
 	return out
 }
 
diff --git a/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go b/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go
index 98c520d..83691d6 100644
--- a/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go
+++ b/util/fipstools/acvp/acvptool/testmodulewrapper/testmodulewrapper.go
@@ -24,9 +24,12 @@
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ed25519"
+	"crypto/hkdf"
 	"crypto/hmac"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha256"
+	"crypto/sha3"
 	"crypto/sha512"
 	"encoding/binary"
 	"errors"
@@ -37,9 +40,6 @@
 
 	"filippo.io/edwards25519"
-	"golang.org/x/crypto/hkdf"
-	"golang.org/x/crypto/pbkdf2"
-	"golang.org/x/crypto/sha3"
 	"golang.org/x/crypto/xts"
 )
 
@@ -64,16 +64,16 @@
 	"EDDSA/keyVer":   eddsaKeyVer,
 	"EDDSA/sigGen":   eddsaSigGen,
 	"EDDSA/sigVer":   eddsaSigVer,
-	"SHAKE-128":      shakeAftVot(sha3.NewShake128),
-	"SHAKE-128/VOT":  shakeAftVot(sha3.NewShake128),
-	"SHAKE-128/MCT":  shakeMct(sha3.NewShake128),
-	"SHAKE-256":      shakeAftVot(sha3.NewShake256),
-	"SHAKE-256/VOT":  shakeAftVot(sha3.NewShake256),
-	"SHAKE-256/MCT":  shakeMct(sha3.NewShake256),
-	"cSHAKE-128":     cShakeAft(sha3.NewCShake128),
-	"cSHAKE-128/MCT": cShakeMct(sha3.NewCShake128),
-	"cSHAKE-256":     cShakeAft(sha3.NewCShake256),
-	"cSHAKE-256/MCT": cShakeMct(sha3.NewCShake256),
+	"SHAKE-128":      shakeAftVot(sha3.NewSHAKE128),
+	"SHAKE-128/VOT":  shakeAftVot(sha3.NewSHAKE128),
+	"SHAKE-128/MCT":  shakeMct(sha3.NewSHAKE128),
+	"SHAKE-256":      shakeAftVot(sha3.NewSHAKE256),
+	"SHAKE-256/VOT":  shakeAftVot(sha3.NewSHAKE256),
+	"SHAKE-256/MCT":  shakeMct(sha3.NewSHAKE256),
+	"cSHAKE-128":     cShakeAft(sha3.NewCSHAKE128),
+	"cSHAKE-128/MCT": cShakeMct(sha3.NewCSHAKE128),
+	"cSHAKE-256":     cShakeAft(sha3.NewCSHAKE256),
+	"cSHAKE-256/MCT": cShakeMct(sha3.NewCSHAKE256),
 }
 
 func flush(args [][]byte) error {
@@ -428,9 +428,10 @@
 	length := binary.LittleEndian.Uint32(lengthBytes)
 
-	mac := hkdf.New(sha256.New, key, salt, info)
-	ret := make([]byte, length)
-	mac.Read(ret)
+	ret, err := hkdf.Key(sha256.New, key, salt, string(info), int(length))
+	if err != nil {
+		return err
+	}
 	return reply(ret)
 }
 
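Review bot: In the HKDF handler hunk, `int(length)` converts an attacker-shaped wire value (a little-endian uint32 read from the request) without any bound of its own, relying on hkdf.Key to reject it; on 64-bit targets the stdlib's 255·HashLen check does catch oversized requests, but on a 32-bit build a length at or above 2^31 becomes a negative int, which that check (`keyLength > limit`, as I read it) does not reject and which likely ends in a panic from the underlying allocation rather than a clean error. The previous code silently ignored the Read error and replied with a zero-filled buffer, so the change is already an improvement in failure mode, but an explicit check keeps the wrapper's behaviour independent of the library's internals: `if length > 255*sha256.Size { return fmt.Errorf("hkdf: requested length %d exceeds RFC 5869 limit", length) }` before the `hkdf.Key` call. The handler's beginning, where `lengthBytes` is read, is above this hunk.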
@@ -615,13 +616,13 @@
 	case "SHA2-512/256":
 		h = sha512.New512_256
 	case "SHA3-224":
-		h = sha3.New224
+		h = func() hash.Hash { return sha3.New224() }
 	case "SHA3-256":
-		h = sha3.New256
+		h = func() hash.Hash { return sha3.New256() }
 	case "SHA3-384":
-		h = sha3.New384
+		h = func() hash.Hash { return sha3.New384() }
 	case "SHA3-512":
-		h = sha3.New512
+		h = func() hash.Hash { return sha3.New512() }
 	default:
 		return fmt.Errorf("pbkdf unknown HMAC algorithm: %q", hmacName)
 	}
@@ -629,7 +630,10 @@
 	salt, password := args[2], args[3]
 	iterationCount := binary.LittleEndian.Uint32(args[4])
 
-	derivedKey := pbkdf2.Key(password, salt, int(iterationCount), int(keyLen), h)
+	derivedKey, err := pbkdf2.Key(h, string(password), salt, int(iterationCount), int(keyLen))
+	if err != nil {
+		return err
+	}
 	return reply(derivedKey)
 }
 
@@ -731,7 +735,7 @@
 	return reply([]byte{1})
 }
 
-func shakeAftVot(digestFn func() sha3.ShakeHash) func([][]byte) error {
+func shakeAftVot(digestFn func() *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 2 {
 			return fmt.Errorf("shakeAftVot received %d args, wanted 2", len(args))
@@ -749,7 +753,7 @@
 	}
 }
 
-func shakeMct(digestFn func() sha3.ShakeHash) func([][]byte) error {
+func shakeMct(digestFn func() *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 4 {
 			return fmt.Errorf("shakeMct received %d args, wanted 4", len(args))
@@ -797,7 +801,7 @@
 	}
 }
 
-func cShakeAft(hFn func(N, S []byte) sha3.ShakeHash) func([][]byte) error {
+func cShakeAft(hFn func(N, S []byte) *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 4 {
 			return fmt.Errorf("cShakeAft received %d args, wanted 4", len(args))
@@ -817,7 +821,7 @@
 	}
 }
 
-func cShakeMct(hFn func(N, S []byte) sha3.ShakeHash) func([][]byte) error {
+func cShakeMct(hFn func(N, S []byte) *sha3.SHAKE) func([][]byte) error {
 	return func(args [][]byte) error {
 		if len(args) != 6 {
 			return fmt.Errorf("cShakeMct received %d args, wanted 6", len(args))