From: Daniel McCarney Date: Sun, 15 Dec 2024 22:33:48 +0000 (-0500) Subject: crypto/internal/fips140test: add SSH KDF ACVP tests X-Git-Tag: go1.25rc1~1095 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=86aca8778871c02eae6a7c4164ef1f004cd72814;p=gostls13.git crypto/internal/fips140test: add SSH KDF ACVP tests Adds ACVP test coverage for the SP 800-135rev1 SSH KDF based on the NIST spec: https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-ssh.html Only SHA1, SHA2-224, SHA2-256, SHA2-384, and SHA2-512 are valid hash algorithms for the SSH KDF algorithm. We do not include SHA-1 since it is out of scope for our FIPS module. Similarly only TDES, AES-128, AES-192 and AES-256 are valid ciphers, and we do not include TDES. Updates #69642 Change-Id: I70e45b77a91bd8aa631da30fab54c97e974f433c Reviewed-on: https://go-review.googlesource.com/c/go/+/636355 LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda Reviewed-by: Dmitri Shuralyov Auto-Submit: Filippo Valsorda --- diff --git a/src/crypto/internal/fips140test/acvp_capabilities.json b/src/crypto/internal/fips140test/acvp_capabilities.json index 0209830674..02940a2e6f 100644 --- a/src/crypto/internal/fips140test/acvp_capabilities.json +++ b/src/crypto/internal/fips140test/acvp_capabilities.json @@ -62,5 +62,6 @@ {"algorithm":"CMAC-AES","capabilities":[{"direction":["gen","ver"],"msgLen":[{"min":0,"max":524288,"increment":8}],"keyLen":[128,256],"macLen":[{"min":8,"max":128,"increment":8}]}],"revision":"1.0"}, {"algorithm":"TLS-v1.2","mode":"KDF","revision":"RFC7627","hashAlg":["SHA2-256","SHA2-384","SHA2-512"]}, - {"algorithm":"TLS-v1.3","mode":"KDF","revision":"RFC8446","hmacAlg":["SHA2-256","SHA2-384"],"runningMode":["DHE","PSK","PSK-DHE"]} + {"algorithm":"TLS-v1.3","mode":"KDF","revision":"RFC8446","hmacAlg":["SHA2-256","SHA2-384"],"runningMode":["DHE","PSK","PSK-DHE"]}, + {"algorithm":"kdf-components","mode":"ssh","revision":"1.0","hashAlg":["SHA2-224","SHA2-256","SHA2-384","SHA2-512"],"cipher":["AES-128","AES-192","AES-256"]} ] diff --git a/src/crypto/internal/fips140test/acvp_test.config.json b/src/crypto/internal/fips140test/acvp_test.config.json index 3cfe80cce0..2339c478c8 100644 --- a/src/crypto/internal/fips140test/acvp_test.config.json +++ b/src/crypto/internal/fips140test/acvp_test.config.json @@ -45,5 +45,6 @@ {"Wrapper": "go", "In": "vectors/CMAC-AES.bz2", "Out": "expected/CMAC-AES.bz2"}, {"Wrapper": "go", "In": "vectors/TLS-v1.2.bz2", "Out": "expected/TLS-v1.2.bz2"}, - {"Wrapper": "go", "In": "vectors/TLS-v1.3.bz2", "Out": "expected/TLS-v1.3.bz2"} + {"Wrapper": "go", "In": "vectors/TLS-v1.3.bz2", "Out": "expected/TLS-v1.3.bz2"}, + {"Wrapper": "go", "In": "vectors/kdf-components.bz2", "Out": "expected/kdf-components.bz2"} ] diff --git a/src/crypto/internal/fips140test/acvp_test.go b/src/crypto/internal/fips140test/acvp_test.go index 2d46ceaf70..ded66b79ae 100644 --- a/src/crypto/internal/fips140test/acvp_test.go +++ b/src/crypto/internal/fips140test/acvp_test.go @@ -36,6 +36,7 @@ import ( "crypto/internal/fips140/sha256" "crypto/internal/fips140/sha3" "crypto/internal/fips140/sha512" + "crypto/internal/fips140/ssh" "crypto/internal/fips140/subtle" "crypto/internal/fips140/tls12" "crypto/internal/fips140/tls13" @@ -120,6 +121,8 @@ var ( // https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-tls.html#section-7.2 // TLS 1.3 KDF algorithm capabilities: // https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html#section-7.2 + // SSH KDF algorithm capabilities: + // https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-ssh.html#section-7.2 //go:embed acvp_capabilities.json capabilitiesJson []byte @@ -237,6 +240,17 @@ var ( "TLSKDF/1.2/SHA2-256": cmdTlsKdf12Aft(func() fips140.Hash { return sha256.New() }), "TLSKDF/1.2/SHA2-384": cmdTlsKdf12Aft(func() fips140.Hash { return sha512.New384() }), "TLSKDF/1.2/SHA2-512": cmdTlsKdf12Aft(func() fips140.Hash { return sha512.New() }), + + // Note: only SHA2-224, SHA2-256, SHA2-384 and SHA2-512 are valid hash functions for SSHKDF. + // See https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-ssh.html#section-7.2.1 + "SSHKDF/SHA2-224/client": cmdSshKdfAft(func() fips140.Hash { return sha256.New224() }, ssh.ClientKeys), + "SSHKDF/SHA2-224/server": cmdSshKdfAft(func() fips140.Hash { return sha256.New224() }, ssh.ServerKeys), + "SSHKDF/SHA2-256/client": cmdSshKdfAft(func() fips140.Hash { return sha256.New() }, ssh.ClientKeys), + "SSHKDF/SHA2-256/server": cmdSshKdfAft(func() fips140.Hash { return sha256.New() }, ssh.ServerKeys), + "SSHKDF/SHA2-384/client": cmdSshKdfAft(func() fips140.Hash { return sha512.New384() }, ssh.ClientKeys), + "SSHKDF/SHA2-384/server": cmdSshKdfAft(func() fips140.Hash { return sha512.New384() }, ssh.ServerKeys), + "SSHKDF/SHA2-512/client": cmdSshKdfAft(func() fips140.Hash { return sha512.New() }, ssh.ClientKeys), + "SSHKDF/SHA2-512/server": cmdSshKdfAft(func() fips140.Hash { return sha512.New() }, ssh.ServerKeys), } ) @@ -1372,12 +1386,39 @@ func cmdTlsKdf12Aft(h func() fips140.Hash) command { } } +func cmdSshKdfAft(hFunc func() fips140.Hash, direction ssh.Direction) command { + return command{ + requiredArgs: 4, // K, H, SessionID, cipher + handler: func(args [][]byte) ([][]byte, error) { + k := args[0] + h := args[1] + sessionID := args[2] + cipher := string(args[3]) + + var keyLen int + switch cipher { + case "AES-128": + keyLen = 16 + case "AES-192": + keyLen = 24 + case "AES-256": + keyLen = 32 + default: + return nil, fmt.Errorf("unsupported cipher: %q", cipher) + } + + ivKey, encKey, intKey := ssh.Keys(hFunc, direction, k, h, sessionID, 16, keyLen, hFunc().Size()) + return [][]byte{ivKey, encKey, intKey}, nil + }, + } +} + func TestACVP(t *testing.T) { testenv.SkipIfShortAndSlow(t) const ( bsslModule = "boringssl.googlesource.com/boringssl.git" - bsslVersion = "v0.0.0-20250108043213-d3f61eeacbf7" + bsslVersion = "v0.0.0-20250116010235-21f54b2730ee" goAcvpModule = "github.com/cpu/go-acvp" goAcvpVersion = "v0.0.0-20250102201911-6839fc40f9f8" )