]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 072eea9)
crypto/internal/fips140test: add SSH KDF ACVP tests
authorDaniel McCarney <daniel@binaryparadox.net>
Sun, 15 Dec 2024 22:33:48 +0000 (17:33 -0500)
committerGopher Robot <gobot@golang.org>
Mon, 10 Feb 2025 21:29:40 +0000 (13:29 -0800)
Adds ACVP test coverage for the SP 800-135rev1 SSH KDF based on the NIST
spec:

  https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-ssh.html

Only SHA1, SHA2-224, SHA2-256, SHA2-384, and SHA2-512 are valid hash
algorithms for the SSH KDF algorithm. We do not include SHA-1 since it
is out of scope for our FIPS module.

Similarly only TDES, AES-128, AES-192 and AES-256 are valid ciphers, and
we do not include TDES.

Updates #69642

Change-Id: I70e45b77a91bd8aa631da30fab54c97e974f433c
Reviewed-on: https://go-review.googlesource.com/c/go/+/636355
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

src/crypto/internal/fips140test/acvp_capabilities.json patch | blob | history
src/crypto/internal/fips140test/acvp_test.config.json patch | blob | history
src/crypto/internal/fips140test/acvp_test.go patch | blob | history

diff --git a/src/crypto/internal/fips140test/acvp_capabilities.json b/src/crypto/internal/fips140test/acvp_capabilities.json
index 020983067404947c4d54bd901572d7dc9fb17014..02940a2e6f4b300b1dfcf8a6a32250ce3d14c87c 100644 (file)
--- a/src/crypto/internal/fips140test/acvp_capabilities.json
+++ b/src/crypto/internal/fips140test/acvp_capabilities.json
@@ -62,5 +62,6 @@
   {"algorithm":"CMAC-AES","capabilities":[{"direction":["gen","ver"],"msgLen":[{"min":0,"max":524288,"increment":8}],"keyLen":[128,256],"macLen":[{"min":8,"max":128,"increment":8}]}],"revision":"1.0"},
 
   {"algorithm":"TLS-v1.2","mode":"KDF","revision":"RFC7627","hashAlg":["SHA2-256","SHA2-384","SHA2-512"]},
-  {"algorithm":"TLS-v1.3","mode":"KDF","revision":"RFC8446","hmacAlg":["SHA2-256","SHA2-384"],"runningMode":["DHE","PSK","PSK-DHE"]}
+  {"algorithm":"TLS-v1.3","mode":"KDF","revision":"RFC8446","hmacAlg":["SHA2-256","SHA2-384"],"runningMode":["DHE","PSK","PSK-DHE"]},
+  {"algorithm":"kdf-components","mode":"ssh","revision":"1.0","hashAlg":["SHA2-224","SHA2-256","SHA2-384","SHA2-512"],"cipher":["AES-128","AES-192","AES-256"]}
 ]
diff --git a/src/crypto/internal/fips140test/acvp_test.config.json b/src/crypto/internal/fips140test/acvp_test.config.json
index 3cfe80cce0117ee6cc2f432a54a3ad265fe3e302..2339c478c8087055622ec384e033e82ba0a0ee90 100644 (file)
--- a/src/crypto/internal/fips140test/acvp_test.config.json
+++ b/src/crypto/internal/fips140test/acvp_test.config.json
@@ -45,5 +45,6 @@
   {"Wrapper": "go", "In": "vectors/CMAC-AES.bz2", "Out": "expected/CMAC-AES.bz2"},
 
   {"Wrapper": "go", "In": "vectors/TLS-v1.2.bz2", "Out": "expected/TLS-v1.2.bz2"},
-  {"Wrapper": "go", "In": "vectors/TLS-v1.3.bz2", "Out": "expected/TLS-v1.3.bz2"}
+  {"Wrapper": "go", "In": "vectors/TLS-v1.3.bz2", "Out": "expected/TLS-v1.3.bz2"},
+  {"Wrapper": "go", "In": "vectors/kdf-components.bz2", "Out": "expected/kdf-components.bz2"}
 ]
diff --git a/src/crypto/internal/fips140test/acvp_test.go b/src/crypto/internal/fips140test/acvp_test.go
index 2d46ceaf70f5453f66adc61e2b49075f7865392d..ded66b79ae911bd5326b3f267b60c5d3de966010 100644 (file)
--- a/src/crypto/internal/fips140test/acvp_test.go
+++ b/src/crypto/internal/fips140test/acvp_test.go
@@ -36,6 +36,7 @@ import (
        "crypto/internal/fips140/sha256"
        "crypto/internal/fips140/sha3"
        "crypto/internal/fips140/sha512"
+       "crypto/internal/fips140/ssh"
        "crypto/internal/fips140/subtle"
        "crypto/internal/fips140/tls12"
        "crypto/internal/fips140/tls13"
@@ -120,6 +121,8 @@ var (
        //   https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-tls.html#section-7.2
        // TLS 1.3 KDF algorithm capabilities:
        //   https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html#section-7.2
+       // SSH KDF algorithm capabilities:
+       //   https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-ssh.html#section-7.2
        //go:embed acvp_capabilities.json
        capabilitiesJson []byte
 
@@ -237,6 +240,17 @@ var (
                "TLSKDF/1.2/SHA2-256": cmdTlsKdf12Aft(func() fips140.Hash { return sha256.New() }),
                "TLSKDF/1.2/SHA2-384": cmdTlsKdf12Aft(func() fips140.Hash { return sha512.New384() }),
                "TLSKDF/1.2/SHA2-512": cmdTlsKdf12Aft(func() fips140.Hash { return sha512.New() }),
+
+               // Note: only SHA2-224, SHA2-256, SHA2-384 and SHA2-512 are valid hash functions for SSHKDF.
+               //               See https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-ssh.html#section-7.2.1
+               "SSHKDF/SHA2-224/client": cmdSshKdfAft(func() fips140.Hash { return sha256.New224() }, ssh.ClientKeys),
+               "SSHKDF/SHA2-224/server": cmdSshKdfAft(func() fips140.Hash { return sha256.New224() }, ssh.ServerKeys),
+               "SSHKDF/SHA2-256/client": cmdSshKdfAft(func() fips140.Hash { return sha256.New() }, ssh.ClientKeys),
+               "SSHKDF/SHA2-256/server": cmdSshKdfAft(func() fips140.Hash { return sha256.New() }, ssh.ServerKeys),
+               "SSHKDF/SHA2-384/client": cmdSshKdfAft(func() fips140.Hash { return sha512.New384() }, ssh.ClientKeys),
+               "SSHKDF/SHA2-384/server": cmdSshKdfAft(func() fips140.Hash { return sha512.New384() }, ssh.ServerKeys),
+               "SSHKDF/SHA2-512/client": cmdSshKdfAft(func() fips140.Hash { return sha512.New() }, ssh.ClientKeys),
+               "SSHKDF/SHA2-512/server": cmdSshKdfAft(func() fips140.Hash { return sha512.New() }, ssh.ServerKeys),
        }
 )
 
@@ -1372,12 +1386,39 @@ func cmdTlsKdf12Aft(h func() fips140.Hash) command {
        }
 }
 
+func cmdSshKdfAft(hFunc func() fips140.Hash, direction ssh.Direction) command {
+       return command{
+               requiredArgs: 4, // K, H, SessionID, cipher
+               handler: func(args [][]byte) ([][]byte, error) {
+                       k := args[0]
+                       h := args[1]
+                       sessionID := args[2]
+                       cipher := string(args[3])
+
+                       var keyLen int
+                       switch cipher {
+                       case "AES-128":
+                               keyLen = 16
+                       case "AES-192":
+                               keyLen = 24
+                       case "AES-256":
+                               keyLen = 32
+                       default:
+                               return nil, fmt.Errorf("unsupported cipher: %q", cipher)
+                       }
+
+                       ivKey, encKey, intKey := ssh.Keys(hFunc, direction, k, h, sessionID, 16, keyLen, hFunc().Size())
+                       return [][]byte{ivKey, encKey, intKey}, nil
+               },
+       }
+}
+
 func TestACVP(t *testing.T) {
        testenv.SkipIfShortAndSlow(t)
 
        const (
                bsslModule    = "boringssl.googlesource.com/boringssl.git"
-               bsslVersion   = "v0.0.0-20250108043213-d3f61eeacbf7"
+               bsslVersion   = "v0.0.0-20250116010235-21f54b2730ee"
                goAcvpModule  = "github.com/cpu/go-acvp"
                goAcvpVersion = "v0.0.0-20250102201911-6839fc40f9f8"
        )
Go GOST TLS 1.3