From: Daniel McCarney <daniel@binaryparadox.net>
Date: Sat, 14 Dec 2024 19:36:21 +0000 (-0500)
Subject: crypto/internal/fips140test: add TLS-v1.3 ACVP tests
X-Git-Tag: go1.25rc1~1107
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=47d0b0f2bf9d507d5bc9ea8f456cc821829fe21c;p=gostls13.git

crypto/internal/fips140test: add TLS-v1.3 ACVP tests

Adds ACVP test coverage for the SP 800-56Crev2 IG 2.4.B TLS v1.3 KDF
based on the NIST spec:

  https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html

Only SHA2-256 and SHA2-384 are valid hash algorithms for the TLS1.3 KDF
algorithm.

The BoringSSL acvptool "lowers" the more complicated TLS 1.3 KDF ACVP
test cases into simple invocations of our module wrapper's pre-existing
HKDF commands, and the new "HKDFExtract/$HASH" and
"HKDFExpandLabel/$HASH" commands added in this branch.

Updates #69642

Change-Id: I5fb1af5b5b33c1845b27cf8968e6523e89bcc589
Reviewed-on: https://go-review.googlesource.com/c/go/+/636117
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---

diff --git a/src/crypto/internal/fips140test/acvp_capabilities.json b/src/crypto/internal/fips140test/acvp_capabilities.json
index 74317deb41..0209830674 100644
--- a/src/crypto/internal/fips140test/acvp_capabilities.json
+++ b/src/crypto/internal/fips140test/acvp_capabilities.json
@@ -61,5 +61,6 @@
   {"algorithm":"ACVP-AES-GCM","direction":["encrypt","decrypt"],"keyLen":[128,192,256],"payloadLen":[{"min":0,"max":65536,"increment":8}],"aadLen":[{"min":0,"max":65536,"increment":8}],"tagLen":[128],"ivLen":[96],"ivGen":"internal","ivGenMode":"8.2.2","revision":"1.0"},
   {"algorithm":"CMAC-AES","capabilities":[{"direction":["gen","ver"],"msgLen":[{"min":0,"max":524288,"increment":8}],"keyLen":[128,256],"macLen":[{"min":8,"max":128,"increment":8}]}],"revision":"1.0"},
 
-  {"algorithm":"TLS-v1.2","mode":"KDF","revision":"RFC7627","hashAlg":["SHA2-256","SHA2-384","SHA2-512"]}
+  {"algorithm":"TLS-v1.2","mode":"KDF","revision":"RFC7627","hashAlg":["SHA2-256","SHA2-384","SHA2-512"]},
+  {"algorithm":"TLS-v1.3","mode":"KDF","revision":"RFC8446","hmacAlg":["SHA2-256","SHA2-384"],"runningMode":["DHE","PSK","PSK-DHE"]}
 ]
diff --git a/src/crypto/internal/fips140test/acvp_test.config.json b/src/crypto/internal/fips140test/acvp_test.config.json
index a25d38fd68..3cfe80cce0 100644
--- a/src/crypto/internal/fips140test/acvp_test.config.json
+++ b/src/crypto/internal/fips140test/acvp_test.config.json
@@ -44,5 +44,6 @@
 
   {"Wrapper": "go", "In": "vectors/CMAC-AES.bz2", "Out": "expected/CMAC-AES.bz2"},
 
-  {"Wrapper": "go", "In": "vectors/TLS-v1.2.bz2", "Out": "expected/TLS-v1.2.bz2"}
+  {"Wrapper": "go", "In": "vectors/TLS-v1.2.bz2", "Out": "expected/TLS-v1.2.bz2"},
+  {"Wrapper": "go", "In": "vectors/TLS-v1.3.bz2", "Out": "expected/TLS-v1.3.bz2"}
 ]
diff --git a/src/crypto/internal/fips140test/acvp_test.go b/src/crypto/internal/fips140test/acvp_test.go
index 97c0c26aed..2d46ceaf70 100644
--- a/src/crypto/internal/fips140test/acvp_test.go
+++ b/src/crypto/internal/fips140test/acvp_test.go
@@ -38,6 +38,7 @@ import (
 	"crypto/internal/fips140/sha512"
 	"crypto/internal/fips140/subtle"
 	"crypto/internal/fips140/tls12"
+	"crypto/internal/fips140/tls13"
 	"crypto/rand"
 	_ "embed"
 	"encoding/binary"
@@ -117,6 +118,8 @@ var (
 	//   https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-kdf-hkdf.html#section-7.3
 	// TLS 1.2 KDF algorithm capabilities:
 	//   https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-tls.html#section-7.2
+	// TLS 1.3 KDF algorithm capabilities:
+	//   https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html#section-7.2
 	//go:embed acvp_capabilities.json
 	capabilitiesJson []byte
 
@@ -181,6 +184,11 @@ var (
 		"HKDF/SHA3-384":     cmdHkdfAft(func() fips140.Hash { return sha3.New384() }),
 		"HKDF/SHA3-512":     cmdHkdfAft(func() fips140.Hash { return sha3.New512() }),
 
+		"HKDFExtract/SHA2-256":     cmdHkdfExtractAft(func() fips140.Hash { return sha256.New() }),
+		"HKDFExtract/SHA2-384":     cmdHkdfExtractAft(func() fips140.Hash { return sha512.New384() }),
+		"HKDFExpandLabel/SHA2-256": cmdHkdfExpandLabelAft(func() fips140.Hash { return sha256.New() }),
+		"HKDFExpandLabel/SHA2-384": cmdHkdfExpandLabelAft(func() fips140.Hash { return sha512.New384() }),
+
 		"PBKDF": cmdPbkdf(),
 
 		"ML-KEM-768/keyGen":  cmdMlKem768KeyGenAft(),
@@ -537,6 +545,32 @@ func cmdHkdfAft(h func() fips140.Hash) command {
 	}
 }
 
+func cmdHkdfExtractAft(h func() fips140.Hash) command {
+	return command{
+		requiredArgs: 2, // secret, salt
+		handler: func(args [][]byte) ([][]byte, error) {
+			secret := args[0]
+			salt := args[1]
+
+			return [][]byte{hkdf.Extract(h, secret, salt)}, nil
+		},
+	}
+}
+
+func cmdHkdfExpandLabelAft(h func() fips140.Hash) command {
+	return command{
+		requiredArgs: 4, // output length, secret, label, transcript hash
+		handler: func(args [][]byte) ([][]byte, error) {
+			keyLen := int(binary.LittleEndian.Uint32(args[0]))
+			secret := args[1]
+			label := args[2]
+			transcriptHash := args[3]
+
+			return [][]byte{tls13.ExpandLabel(h, secret, string(label), transcriptHash, keyLen)}, nil
+		},
+	}
+}
+
 func cmdPbkdf() command {
 	return command{
 		// Hash name, key length, salt, password, iteration count