Move HKDF into the FIPS module. Change-Id: I7c5b0a24c26b83779cf889d890e2c18ae13187c3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58725 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index b45256c..cdb5ddc 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt

@@ -168,7 +168,6 @@
   evp/scrypt.c
   evp/sign.c
   ex_data.c
-  hkdf/hkdf.c
   hpke/hpke.c
   hrss/hrss.c
   kyber/keccak.c
@@ -390,13 +389,13 @@
   fipsmodule/ec/ec_test.cc
   fipsmodule/ec/p256-nistz_test.cc
   fipsmodule/ecdsa/ecdsa_test.cc
+  fipsmodule/hkdf/hkdf_test.cc
   fipsmodule/md5/md5_test.cc
   fipsmodule/modes/gcm_test.cc
   fipsmodule/rand/ctrdrbg_test.cc
   fipsmodule/rand/fork_detect_test.cc
   fipsmodule/service_indicator/service_indicator_test.cc
   fipsmodule/sha/sha_test.cc
-  hkdf/hkdf_test.cc
   hpke/hpke_test.cc
   hmac_extra/hmac_test.cc
   hrss/hrss_test.cc

diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index e2e4d90..8231eee 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c

@@ -80,6 +80,7 @@
 #include "ec/simple_mul.c"
 #include "ec/util.c"
 #include "ec/wnaf.c"
+#include "hkdf/hkdf.c"
 #include "hmac/hmac.c"
 #include "md4/md4.c"
 #include "md5/md5.c"

diff --git a/crypto/hkdf/hkdf.c b/crypto/fipsmodule/hkdf/hkdf.c
similarity index 98%
rename from crypto/hkdf/hkdf.c
rename to crypto/fipsmodule/hkdf/hkdf.c
index 23b60af..fa1cc72 100644
--- a/crypto/hkdf/hkdf.c
+++ b/crypto/fipsmodule/hkdf/hkdf.c

@@ -20,7 +20,7 @@
 #include <openssl/err.h>
 #include <openssl/hmac.h>
 
-#include "../internal.h"
+#include "../../internal.h"
 
 
 int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,

diff --git a/crypto/hkdf/hkdf_test.cc b/crypto/fipsmodule/hkdf/hkdf_test.cc
similarity index 98%
rename from crypto/hkdf/hkdf_test.cc
rename to crypto/fipsmodule/hkdf/hkdf_test.cc
index 8aad6c8..dd7dd58 100644
--- a/crypto/hkdf/hkdf_test.cc
+++ b/crypto/fipsmodule/hkdf/hkdf_test.cc

@@ -20,9 +20,9 @@
 
 #include <gtest/gtest.h>
 
-#include "../test/file_test.h"
-#include "../test/test_util.h"
-#include "../test/wycheproof_util.h"
+#include "../../test/file_test.h"
+#include "../../test/test_util.h"
+#include "../../test/wycheproof_util.h"
 
 
 struct HKDFTestVector {

diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c
index 08500e5..8dcc415 100644
--- a/crypto/fipsmodule/self_check/self_check.c
+++ b/crypto/fipsmodule/self_check/self_check.c

@@ -946,6 +946,36 @@
     goto err;
   }
 
+  // HKDF
+  static const uint8_t kHKDFSecret[32] = {
+      0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67,
+      0xa1, 0xa7, 0xbd, 0x37, 0x99, 0x3f, 0xd8, 0xa3, 0x3c, 0xe7, 0x30,
+      0x30, 0x71, 0xf3, 0x9c, 0x09, 0x6d, 0x16, 0x35, 0xb3, 0xc9,
+  };
+  static const uint8_t kHKDFSalt[32] = {
+      0x8a, 0xab, 0x18, 0xb4, 0x9b, 0x0a, 0x17, 0xf9, 0xe8, 0xe6, 0x97,
+      0x1a, 0x3d, 0xff, 0xda, 0x9b, 0x26, 0x8b, 0x3d, 0x17, 0x78, 0x0a,
+      0xb3, 0xea, 0x65, 0xdb, 0x2a, 0xc0, 0x29, 0x9c, 0xfa, 0x72,
+  };
+  static const uint8_t kHKDFInfo[32] = {
+      0xe5, 0x6f, 0xf9, 0xe1, 0x18, 0x5e, 0x64, 0x8c, 0x6c, 0x8f, 0xee,
+      0xc6, 0x93, 0x5a, 0xc5, 0x14, 0x8c, 0xf3, 0xd9, 0x78, 0xd2, 0x3a,
+      0x86, 0xdd, 0x01, 0xdf, 0xb9, 0xe9, 0x5e, 0xe5, 0x1a, 0x56,
+  };
+  static const uint8_t kHKDFOutput[32] = {
+      0xa6, 0x29, 0xb4, 0xd7, 0xf4, 0xc1, 0x16, 0x64, 0x71, 0x5e, 0xa4,
+      0xa8, 0xe6, 0x60, 0x8c, 0xf3, 0xc1, 0xa5, 0x03, 0xe2, 0x22, 0xf9,
+      0x89, 0xe2, 0x12, 0x18, 0xbe, 0xef, 0x16, 0x86, 0xe0, 0xec,
+  };
+  uint8_t hkdf_output[sizeof(kHKDFOutput)];
+  if (!HKDF(hkdf_output, sizeof(hkdf_output), EVP_sha256(), kHKDFSecret,
+            sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo,
+            sizeof(kHKDFInfo)) ||
+      !check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), "HKDF")) {
+    fprintf(stderr, "HKDF failed.\n");
+    goto err;
+  }
+
   ret = 1;
 
 err:

diff --git a/util/fipstools/acvp/acvptool/subprocess/hkdf.go b/util/fipstools/acvp/acvptool/subprocess/hkdf.go
index 3cd4c32..b124d79 100644
--- a/util/fipstools/acvp/acvptool/subprocess/hkdf.go
+++ b/util/fipstools/acvp/acvptool/subprocess/hkdf.go

@@ -173,6 +173,9 @@
 			if err != nil {
 				return nil, fmt.Errorf("HKDF operation failed: %s", err)
 			}
+			if len(resp[0]) != int(outBytes) {
+				return nil, fmt.Errorf("HKDF operation resulted in %d bytes but wanted %d", len(resp[0]), outBytes)
+			}
 
 			if isValidationTest {
 				passed := bytes.Equal(expected, resp[0])

diff --git a/util/fipstools/acvp/acvptool/test/expected/HKDF.bz2 b/util/fipstools/acvp/acvptool/test/expected/HKDF.bz2
new file mode 100644
index 0000000..791fa7a
--- /dev/null
+++ b/util/fipstools/acvp/acvptool/test/expected/HKDF.bz2
Binary files differ

diff --git a/util/fipstools/acvp/acvptool/test/tests.json b/util/fipstools/acvp/acvptool/test/tests.json
index d1e8eb5..36fdaad 100644
--- a/util/fipstools/acvp/acvptool/test/tests.json
+++ b/util/fipstools/acvp/acvptool/test/tests.json

@@ -18,6 +18,7 @@
 {"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-384.bz2", "Out": "expected/HMAC-SHA2-384.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512.bz2", "Out": "expected/HMAC-SHA2-512.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/HMAC-SHA2-512-256.bz2", "Out": "expected/HMAC-SHA2-512-256.bz2"},
+{"Wrapper": "modulewrapper", "In": "vectors/HKDF.bz2", "Out": "expected/HKDF.bz2"},
 {"Wrapper": "testmodulewrapper", "In": "vectors/hmacDRBG.bz2", "Out": "expected/hmacDRBG.bz2"},
 {"Wrapper": "testmodulewrapper", "In": "vectors/KDA.bz2", "Out": "expected/KDA.bz2"},
 {"Wrapper": "modulewrapper", "In": "vectors/KAS-ECC-SSC.bz2"},

diff --git a/util/fipstools/acvp/acvptool/test/vectors/HKDF.bz2 b/util/fipstools/acvp/acvptool/test/vectors/HKDF.bz2
new file mode 100644
index 0000000..f69a461
--- /dev/null
+++ b/util/fipstools/acvp/acvptool/test/vectors/HKDF.bz2
Binary files differ

diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index 460a8e9..5c4f9b0 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc

@@ -37,6 +37,7 @@
 #include <openssl/ecdh.h>
 #include <openssl/ecdsa.h>
 #include <openssl/err.h>
+#include <openssl/hkdf.h>
 #include <openssl/hmac.h>
 #include <openssl/obj.h>
 #include <openssl/rsa.h>
@@ -885,6 +886,34 @@
           "FB",
           "FC"
         ]
+      },
+      {
+        "algorithm": "KDA",
+        "mode": "HKDF",
+        "revision": "Sp800-56Cr1",
+        "fixedInfoPattern": "uPartyInfo||vPartyInfo",
+        "encoding": [
+          "concatenation"
+        ],
+        "hmacAlg": [
+          "SHA2-224",
+          "SHA2-256",
+          "SHA2-384",
+          "SHA2-512",
+          "SHA2-512/256"
+        ],
+        "macSaltMethods": [
+          "default",
+          "random"
+        ],
+        "l": 2048,
+        "z": [
+          {
+            "min": 224,
+            "max": 65336,
+            "increment": 8
+          }
+        ]
       }
     ])";
   return write_reply({Span<const uint8_t>(
@@ -1431,6 +1460,30 @@
   return write_reply({Span<const uint8_t>(digest, digest_len)});
 }
 
+template <const EVP_MD *HashFunc()>
+static bool HKDF(const Span<const uint8_t> args[], ReplyCallback write_reply) {
+  const EVP_MD *const md = HashFunc();
+  const auto key = args[0];
+  const auto salt = args[1];
+  const auto info = args[2];
+  const auto out_len_bytes = args[3];
+
+  if (out_len_bytes.size() != sizeof(uint32_t)) {
+    return false;
+  }
+  const uint32_t out_len = CRYPTO_load_u32_le(out_len_bytes.data());
+  if (out_len > (1 << 24)) {
+    return false;
+  }
+
+  std::vector<uint8_t> out(out_len);
+  if (!::HKDF(out.data(), out_len, md, key.data(), key.size(), salt.data(),
+              salt.size(), info.data(), info.size())) {
+    return false;
+  }
+  return write_reply({out});
+}
+
 template <bool WithReseed>
 static bool DRBG(const Span<const uint8_t> args[], ReplyCallback write_reply) {
   const auto out_len_bytes = args[0];
@@ -1971,6 +2024,11 @@
     {"3DES-ECB/decrypt", 3, TDES<false>},
     {"3DES-CBC/encrypt", 4, TDES_CBC<true>},
     {"3DES-CBC/decrypt", 4, TDES_CBC<false>},
+    {"HKDF/SHA2-224", 4, HKDF<EVP_sha224>},
+    {"HKDF/SHA2-256", 4, HKDF<EVP_sha256>},
+    {"HKDF/SHA2-384", 4, HKDF<EVP_sha384>},
+    {"HKDF/SHA2-512", 4, HKDF<EVP_sha512>},
+    {"HKDF/SHA2-512/256", 4, HKDF<EVP_sha512_256>},
     {"HMAC-SHA-1", 2, HMAC<EVP_sha1>},
     {"HMAC-SHA2-224", 2, HMAC<EVP_sha224>},
     {"HMAC-SHA2-256", 2, HMAC<EVP_sha256>},

diff --git a/util/fipstools/break-kat.go b/util/fipstools/break-kat.go
index 6eace5b..ed29bb3 100644
--- a/util/fipstools/break-kat.go
+++ b/util/fipstools/break-kat.go

@@ -21,6 +21,7 @@
 		"AES-GCM-decrypt": "35f3058f875760ff09d3120f70c4bc9ed7a86872e13452202176f7371ae04faae1dd391920f5d13953d896785994823c",
 		"DRBG":            "c4da0740d505f1ee280b95e58c4931ac6de846a0152fbb4a3f174cf4787a4f1a40c2b50babe14aae530be5886d910a27",
 		"DRBG-reseed":     "c7161ca36c2309b716e9859bb96c6d49bdc8352103a18cd24ef42ec97ef46bf446eb1a4576c186e9351803763a7912fe",
+		"HKDF":            "68678504b9b3add17d5967a1a7bd37993fd8a33ce7303071f39c096d1635b3c9",
 		"SHA-1":           "132fd9bad5c1826263bafbb699f707a5",
 		"SHA-256":         "ff3b857da7236a2baa0f396b51522217",
 		"SHA-512":         "212512f8d2ad8322781c6c4d69a9daa1",