Support TLS KDF test for NIAP.

NIAP requires that the TLS KDF be tested by CAVP so this change moves the PRF into crypto/fipsmodule/tls and adds a test harness for it. Like the KAS tests, this is only triggered when “-niap” is passed to run_cavp.go. Change-Id: Iaa4973d915853c8e367e6106d829e44fcf1b4ce5 Reviewed-on: https://boringssl-review.googlesource.com/24666 Reviewed-by: Adam Langley <agl@google.com>
2018-01-05 13:59:09 -08:00 · 2018-01-05 13:59:09 -08:00 · 37c6eb4284
commit 37c6eb4284
parent e80c7c065c
9 changed files with 329 additions and 87 deletions
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@ -87,6 +87,7 @@
 #include "rsa/blinding.c"
 #include "rsa/padding.c"
 #include "rsa/rsa.c"
+#include "tls/kdf.c"
 #include "rsa/rsa_impl.c"
 #include "sha/sha1-altivec.c"
 #include "sha/sha1.c"
--- a/crypto/fipsmodule/tls/internal.h
+++ b/crypto/fipsmodule/tls/internal.h
@ -0,0 +1,39 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// tls1_prf calculates |out_len| bytes of the TLS PDF, using |digest|, and
+// writes them to |out|. It returns one on success and zero on error.
+OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
+                                   uint8_t *out, size_t out_len,
+                                   const uint8_t *secret, size_t secret_len,
+                                   const char *label, size_t label_len,
+                                   const uint8_t *seed1, size_t seed1_len,
+                                   const uint8_t *seed2, size_t seed2_len);
+
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
--- a/crypto/fipsmodule/tls/kdf.c
+++ b/crypto/fipsmodule/tls/kdf.c
@ -0,0 +1,160 @@
+/* ====================================================================
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/hmac.h>
+
+#include "internal.h"
+
+
+// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
+// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
+// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
+// form the seed parameter. It returns true on success and false on failure.
+static int tls1_P_hash(uint8_t *out, size_t out_len,
+                       const EVP_MD *md,
+                       const uint8_t *secret, size_t secret_len,
+                       const char *label, size_t label_len,
+                       const uint8_t *seed1, size_t seed1_len,
+                       const uint8_t *seed2, size_t seed2_len) {
+  HMAC_CTX ctx, ctx_tmp, ctx_init;
+  uint8_t A1[EVP_MAX_MD_SIZE];
+  unsigned A1_len;
+  int ret = 0;
+
+  const size_t chunk = EVP_MD_size(md);
+  HMAC_CTX_init(&ctx);
+  HMAC_CTX_init(&ctx_tmp);
+  HMAC_CTX_init(&ctx_init);
+
+  if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||
+      !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
+      !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
+      !HMAC_Update(&ctx, seed1, seed1_len) ||
+      !HMAC_Update(&ctx, seed2, seed2_len) ||
+      !HMAC_Final(&ctx, A1, &A1_len)) {
+    goto err;
+  }
+
+  for (;;) {
+    unsigned len;
+    uint8_t hmac[EVP_MAX_MD_SIZE];
+    if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
+        !HMAC_Update(&ctx, A1, A1_len) ||
+        // Save a copy of |ctx| to compute the next A1 value below.
+        (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||
+        !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
+        !HMAC_Update(&ctx, seed1, seed1_len) ||
+        !HMAC_Update(&ctx, seed2, seed2_len) ||
+        !HMAC_Final(&ctx, hmac, &len)) {
+      goto err;
+    }
+    assert(len == chunk);
+
+    // XOR the result into |out|.
+    if (len > out_len) {
+      len = out_len;
+    }
+    for (unsigned i = 0; i < len; i++) {
+      out[i] ^= hmac[i];
+    }
+    out += len;
+    out_len -= len;
+
+    if (out_len == 0) {
+      break;
+    }
+
+    // Calculate the next A1 value.
+    if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {
+      goto err;
+    }
+  }
+
+  ret = 1;
+
+err:
+  OPENSSL_cleanse(A1, sizeof(A1));
+  HMAC_CTX_cleanup(&ctx);
+  HMAC_CTX_cleanup(&ctx_tmp);
+  HMAC_CTX_cleanup(&ctx_init);
+  return ret;
+}
+
+int CRYPTO_tls1_prf(const EVP_MD *digest,
+                    uint8_t *out, size_t out_len,
+                    const uint8_t *secret, size_t secret_len,
+                    const char *label, size_t label_len,
+                    const uint8_t *seed1, size_t seed1_len,
+                    const uint8_t *seed2, size_t seed2_len) {
+  if (out_len == 0) {
+    return 1;
+  }
+
+  OPENSSL_memset(out, 0, out_len);
+
+  if (digest == EVP_md5_sha1()) {
+    // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
+    size_t secret_half = secret_len - (secret_len / 2);
+    if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label,
+                     label_len, seed1, seed1_len, seed2, seed2_len)) {
+      return 0;
+    }
+
+    // Note that, if |secret_len| is odd, the two halves share a byte.
+    secret += secret_len - secret_half;
+    secret_len = secret_half;
+    digest = EVP_sha1();
+  }
+
+  return tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,
+                     seed1, seed1_len, seed2, seed2_len);
+}
--- a/fipstools/CMakeLists.txt
+++ b/fipstools/CMakeLists.txt
@ -22,6 +22,7 @@ if (FIPS)
    cavp_sha_monte_test.cc
    cavp_sha_test.cc
    cavp_tdes_test.cc
+    cavp_tlskdf_test.cc

    cavp_test_util.cc

--- a/fipstools/cavp_main.cc
+++ b/fipstools/cavp_main.cc
@ -48,6 +48,7 @@ static TestSuite all_test_suites[] = {
    {"rsa2_keygen", &cavp_rsa2_keygen_test_main},
    {"rsa2_siggen", &cavp_rsa2_siggen_test_main},
    {"rsa2_sigver", &cavp_rsa2_sigver_test_main},
+    {"tlskdf", &cavp_tlskdf_test_main},
    {"sha", &cavp_sha_test_main},
    {"sha_monte", &cavp_sha_monte_test_main},
    {"tdes", &cavp_tdes_test_main}
--- a/fipstools/cavp_test_util.h
+++ b/fipstools/cavp_test_util.h
@ -72,6 +72,7 @@ int cavp_rsa2_sigver_test_main(int argc, char **argv);
 int cavp_sha_monte_test_main(int argc, char **argv);
 int cavp_sha_test_main(int argc, char **argv);
 int cavp_tdes_test_main(int argc, char **argv);
+int cavp_tlskdf_test_main(int argc, char **argv);


 #endif  // OPENSSL_HEADER_CRYPTO_FIPSMODULE_CAVP_TEST_UTIL_H
--- a/fipstools/cavp_tlskdf_test.cc
+++ b/fipstools/cavp_tlskdf_test.cc
@ -0,0 +1,111 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// cavp_tlskdf_test processes NIST TLS KDF test vectors and emits the
+// corresponding response.
+// See https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf, section 6.4.
+
+#include <vector>
+
+#include <openssl/digest.h>
+
+#include "cavp_test_util.h"
+#include "../crypto/fipsmodule/tls/internal.h"
+#include "../crypto/test/file_test.h"
+
+
+static bool TestTLSKDF(FileTest *t, void *arg) {
+  const EVP_MD *md = nullptr;
+
+  if (t->HasInstruction("TLS 1.0/1.1")) {
+    md = EVP_md5_sha1();
+  } else if (t->HasInstruction("TLS 1.2")) {
+    if (t->HasInstruction("SHA-256")) {
+      md = EVP_sha256();
+    } else if (t->HasInstruction("SHA-384")) {
+      md = EVP_sha384();
+    } else if (t->HasInstruction("SHA-512")) {
+      md = EVP_sha512();
+    }
+  }
+
+  if (md == nullptr) {
+    return false;
+  }
+
+  std::string key_block_len_str;
+  std::vector<uint8_t> premaster, server_random, client_random,
+      key_block_server_random, key_block_client_random;
+  if (!t->GetBytes(&premaster, "pre_master_secret") ||
+      !t->GetBytes(&server_random, "serverHello_random") ||
+      !t->GetBytes(&client_random, "clientHello_random") ||
+      // The NIST tests specify different client and server randoms for the
+      // expansion step from the master-secret step. This is impossible in TLS.
+      !t->GetBytes(&key_block_server_random, "server_random") ||
+      !t->GetBytes(&key_block_client_random, "client_random") ||
+      !t->GetInstruction(&key_block_len_str, "key block length") ||
+      // These are ignored.
+      !t->HasAttribute("COUNT") ||
+      !t->HasInstruction("pre-master secret length")) {
+    return false;
+  }
+
+  uint8_t master_secret[48];
+  static const char kMasterSecretLabel[] = "master secret";
+  if (!CRYPTO_tls1_prf(md, master_secret, sizeof(master_secret),
+                       premaster.data(), premaster.size(), kMasterSecretLabel,
+                       sizeof(kMasterSecretLabel) - 1, client_random.data(),
+                       client_random.size(), server_random.data(),
+                       server_random.size())) {
+    return false;
+  }
+
+  errno = 0;
+  const long int key_block_bits =
+      strtol(key_block_len_str.c_str(), nullptr, 10);
+  if (errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0) {
+    return false;
+  }
+  const size_t key_block_len = key_block_bits / 8;
+  std::vector<uint8_t> key_block(key_block_len);
+  static const char kLabel[] = "key expansion";
+  if (!CRYPTO_tls1_prf(
+          md, key_block.data(), key_block.size(), master_secret,
+          sizeof(master_secret), kLabel, sizeof(kLabel) - 1,
+          key_block_server_random.data(), key_block_server_random.size(),
+          key_block_client_random.data(), key_block_client_random.size())) {
+    return false;
+  }
+
+  printf("%smaster_secret = %s\r\nkey_block = %s\r\n\r\n",
+         t->CurrentTestToString().c_str(),
+         EncodeHex(master_secret, sizeof(master_secret)).c_str(),
+         EncodeHex(key_block.data(), key_block.size()).c_str());
+
+  return true;
+}
+
+int cavp_tlskdf_test_main(int argc, char **argv) {
+  if (argc != 2) {
+    fprintf(stderr, "usage: %s <test file>\n", argv[0]);
+    return 1;
+  }
+
+  FileTest::Options opts;
+  opts.path = argv[1];
+  opts.callback = TestTLSKDF;
+  opts.silent = true;
+  opts.comment_callback = EchoComment;
+  return FileTestMain(opts);
+}
--- a/fipstools/run_cavp.go
+++ b/fipstools/run_cavp.go
@ -316,6 +316,15 @@ var kasTests = testSuite{
 	},
 }

+var tlsKDFTests = testSuite{
+	"KDF135",
+	"tlskdf",
+	nil,
+	[]test{
+		{"tls", nil, false},
+	},
+}
+
 var fipsTestSuites = []*testSuite{
 	&aesGCMTests,
 	&aesTests,
@ -336,6 +345,7 @@ var fipsTestSuites = []*testSuite{

 var niapTestSuites = []*testSuite{
 	&kasTests,
+	&tlsKDFTests,
 }

 // testInstance represents a specific test in a testSuite.
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@ -148,102 +148,20 @@
 #include <openssl/nid.h>
 #include <openssl/rand.h>

+#include "../crypto/fipsmodule/tls/internal.h"
 #include "../crypto/internal.h"
 #include "internal.h"


 namespace bssl {

-// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
-// section 5. It XORs |out.size()| bytes to |out|, using |md| as the hash and
-// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
-// form the seed parameter. It returns true on success and false on failure.
-static bool tls1_P_hash(Span<uint8_t> out, const EVP_MD *md,
-                        Span<const uint8_t> secret, Span<const char> label,
-                        Span<const uint8_t> seed1, Span<const uint8_t> seed2) {
-  ScopedHMAC_CTX ctx, ctx_tmp, ctx_init;
-  uint8_t A1[EVP_MAX_MD_SIZE];
-  unsigned A1_len;
-  bool ret = false;
-
-  size_t chunk = EVP_MD_size(md);
-
-  if (!HMAC_Init_ex(ctx_init.get(), secret.data(), secret.size(), md,
-                    nullptr) ||
-      !HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
-      !HMAC_Update(ctx.get(), reinterpret_cast<const uint8_t *>(label.data()),
-                   label.size()) ||
-      !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
-      !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
-      !HMAC_Final(ctx.get(), A1, &A1_len)) {
-    goto err;
-  }
-
-  for (;;) {
-    unsigned len;
-    uint8_t hmac[EVP_MAX_MD_SIZE];
-    if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
-        !HMAC_Update(ctx.get(), A1, A1_len) ||
-        // Save a copy of |ctx| to compute the next A1 value below.
-        (out.size() > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
-        !HMAC_Update(ctx.get(), reinterpret_cast<const uint8_t *>(label.data()),
-                     label.size()) ||
-        !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
-        !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
-        !HMAC_Final(ctx.get(), hmac, &len)) {
-      goto err;
-    }
-    assert(len == chunk);
-
-    // XOR the result into |out|.
-    if (len > out.size()) {
-      len = out.size();
-    }
-    for (unsigned i = 0; i < len; i++) {
-      out[i] ^= hmac[i];
-    }
-    out = out.subspan(len);
-
-    if (out.empty()) {
-      break;
-    }
-
-    // Calculate the next A1 value.
-    if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
-      goto err;
-    }
-  }
-
-  ret = true;
-
-err:
-  OPENSSL_cleanse(A1, sizeof(A1));
-  return ret;
-}
-
 bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
              Span<const uint8_t> secret, Span<const char> label,
              Span<const uint8_t> seed1, Span<const uint8_t> seed2) {
-  if (out.empty()) {
-    return true;
-  }
-
-  OPENSSL_memset(out.data(), 0, out.size());
-
-  if (digest == EVP_md5_sha1()) {
-    // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
-    size_t secret_half = secret.size() - (secret.size() / 2);
-    if (!tls1_P_hash(out, EVP_md5(), secret.subspan(0, secret_half), label,
-                     seed1, seed2)) {
-      return false;
-    }
-
-    // Note that, if |secret.size()| is odd, the two halves share a byte.
-    secret = secret.subspan(secret.size() - secret_half);
-    digest = EVP_sha1();
-  }
-
-  return tls1_P_hash(out, digest, secret, label, seed1, seed2);
+  return 1 == CRYPTO_tls1_prf(digest, out.data(), out.size(), secret.data(),
+                              secret.size(), label.data(), label.size(),
+                              seed1.data(), seed1.size(), seed2.data(),
+                              seed2.size());
 }

 static bool ssl3_prf(Span<uint8_t> out, Span<const uint8_t> secret,