acvp: add TLS KDF support

Change-Id: I4f4a89f97e2513d8b5b740620989b187a7b44a58
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44386
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

util/fipstools/acvp/acvptool/subprocess/subprocess.go

@@ -71,31 +71,32 @@ func NewWithIO(cmd *exec.Cmd, in io.WriteCloser, out io.ReadCloser) *Subprocess
 	}
 
 	m.primitives = map[string]primitive{
-		"SHA-1":         &hashPrimitive{"SHA-1", 20},
-		"SHA2-224":      &hashPrimitive{"SHA2-224", 28},
-		"SHA2-256":      &hashPrimitive{"SHA2-256", 32},
-		"SHA2-384":      &hashPrimitive{"SHA2-384", 48},
-		"SHA2-512":      &hashPrimitive{"SHA2-512", 64},
-		"SHA2-512/256":  &hashPrimitive{"SHA2-512/256", 32},
-		"ACVP-AES-ECB":  &blockCipher{"AES", 16, 2, true, false, iterateAES},
-		"ACVP-AES-CBC":  &blockCipher{"AES-CBC", 16, 2, true, true, iterateAESCBC},
-		"ACVP-AES-CTR":  &blockCipher{"AES-CTR", 16, 1, false, true, nil},
-		"ACVP-TDES-ECB": &blockCipher{"3DES-ECB", 8, 3, true, false, iterate3DES},
-		"ACVP-TDES-CBC": &blockCipher{"3DES-CBC", 8, 3, true, true, iterate3DESCBC},
-		"ACVP-AES-GCM":  &aead{"AES-GCM", false},
-		"ACVP-AES-CCM":  &aead{"AES-CCM", true},
-		"ACVP-AES-KW":   &aead{"AES-KW", false},
-		"ACVP-AES-KWP":  &aead{"AES-KWP", false},
-		"HMAC-SHA-1":    &hmacPrimitive{"HMAC-SHA-1", 20},
-		"HMAC-SHA2-224": &hmacPrimitive{"HMAC-SHA2-224", 28},
-		"HMAC-SHA2-256": &hmacPrimitive{"HMAC-SHA2-256", 32},
-		"HMAC-SHA2-384": &hmacPrimitive{"HMAC-SHA2-384", 48},
-		"HMAC-SHA2-512": &hmacPrimitive{"HMAC-SHA2-512", 64},
-		"ctrDRBG":       &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}},
-		"hmacDRBG":      &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}},
-		"KDF":           &kdfPrimitive{},
-		"CMAC-AES":      &keyedMACPrimitive{"CMAC-AES"},
-		"RSA":           &rsa{},
+		"SHA-1":          &hashPrimitive{"SHA-1", 20},
+		"SHA2-224":       &hashPrimitive{"SHA2-224", 28},
+		"SHA2-256":       &hashPrimitive{"SHA2-256", 32},
+		"SHA2-384":       &hashPrimitive{"SHA2-384", 48},
+		"SHA2-512":       &hashPrimitive{"SHA2-512", 64},
+		"SHA2-512/256":   &hashPrimitive{"SHA2-512/256", 32},
+		"ACVP-AES-ECB":   &blockCipher{"AES", 16, 2, true, false, iterateAES},
+		"ACVP-AES-CBC":   &blockCipher{"AES-CBC", 16, 2, true, true, iterateAESCBC},
+		"ACVP-AES-CTR":   &blockCipher{"AES-CTR", 16, 1, false, true, nil},
+		"ACVP-TDES-ECB":  &blockCipher{"3DES-ECB", 8, 3, true, false, iterate3DES},
+		"ACVP-TDES-CBC":  &blockCipher{"3DES-CBC", 8, 3, true, true, iterate3DESCBC},
+		"ACVP-AES-GCM":   &aead{"AES-GCM", false},
+		"ACVP-AES-CCM":   &aead{"AES-CCM", true},
+		"ACVP-AES-KW":    &aead{"AES-KW", false},
+		"ACVP-AES-KWP":   &aead{"AES-KWP", false},
+		"HMAC-SHA-1":     &hmacPrimitive{"HMAC-SHA-1", 20},
+		"HMAC-SHA2-224":  &hmacPrimitive{"HMAC-SHA2-224", 28},
+		"HMAC-SHA2-256":  &hmacPrimitive{"HMAC-SHA2-256", 32},
+		"HMAC-SHA2-384":  &hmacPrimitive{"HMAC-SHA2-384", 48},
+		"HMAC-SHA2-512":  &hmacPrimitive{"HMAC-SHA2-512", 64},
+		"ctrDRBG":        &drbg{"ctrDRBG", map[string]bool{"AES-128": true, "AES-192": true, "AES-256": true}},
+		"hmacDRBG":       &drbg{"hmacDRBG", map[string]bool{"SHA-1": true, "SHA2-224": true, "SHA2-256": true, "SHA2-384": true, "SHA2-512": true}},
+		"KDF":            &kdfPrimitive{},
+		"CMAC-AES":       &keyedMACPrimitive{"CMAC-AES"},
+		"RSA":            &rsa{},
+		"kdf-components": &tlsKDF{},
 	}
 	m.primitives["ECDSA"] = &ecdsa{"ECDSA", map[string]bool{"P-224": true, "P-256": true, "P-384": true, "P-521": true}, m.primitives}
 

util/fipstools/acvp/acvptool/subprocess/tlskdf.go

@@ -0,0 +1,165 @@
+// Copyright (c) 2020, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+package subprocess
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+)
+
+type tlsKDFVectorSet struct {
+	Groups []tlsKDFTestGroup `json:"testGroups"`
+}
+
+type tlsKDFTestGroup struct {
+	ID           uint64       `json:"tgId"`
+	Hash         string       `json:"hashAlg"`
+	TLSVersion   string       `json:"tlsVersion"`
+	KeyBlockBits uint64       `json:"keyBlockLength"`
+	PMSLength    uint64       `json:"preMasterSecretLength"`
+	Tests        []tlsKDFTest `json:"tests"`
+}
+
+type tlsKDFTest struct {
+	ID                   uint64 `json:"tcId"`
+	PMSHex               string `json:"preMasterSecret"`
+	// ClientHelloRandomHex and ServerHelloRandomHex are used for deriving the
+	// master secret. ClientRandomHex and ServerRandomHex are used for deriving the
+	// key block. Having different values for these is not possible in a TLS
+	// handshake unless you squint at a resumption handshake and somehow rederive
+	// the master secret from the session information during resumption.
+	ClientHelloRandomHex string `json:"clientHelloRandom"`
+	ServerHelloRandomHex string `json:"serverHelloRandom"`
+	ClientRandomHex      string `json:"clientRandom"`
+	ServerRandomHex      string `json:"serverRandom"`
+}
+
+type tlsKDFTestGroupResponse struct {
+	ID    uint64               `json:"tgId"`
+	Tests []tlsKDFTestResponse `json:"tests"`
+}
+
+type tlsKDFTestResponse struct {
+	ID              uint64 `json:"tcId"`
+	MasterSecretHex string `json:"masterSecret"`
+	KeyBlockHex     string `json:"keyBlock"`
+}
+
+type tlsKDF struct{}
+
+func (k *tlsKDF) Process(vectorSet []byte, m Transactable) (interface{}, error) {
+	var parsed tlsKDFVectorSet
+	if err := json.Unmarshal(vectorSet, &parsed); err != nil {
+		return nil, err
+	}
+
+	// See https://usnistgov.github.io/ACVP/draft-celi-acvp-kdf-tls.html
+	var ret []tlsKDFTestGroupResponse
+	for _, group := range parsed.Groups {
+		response := tlsKDFTestGroupResponse{
+			ID: group.ID,
+		}
+
+		var tlsVer string
+		switch group.TLSVersion {
+		case "v1.0/1.1":
+			tlsVer = "1.0"
+		case "v1.2":
+			tlsVer = "1.2"
+		default:
+			return nil, fmt.Errorf("unknown TLS version %q", group.TLSVersion)
+		}
+
+		hashIsTLS10 := false
+		switch group.Hash {
+		case "SHA-1":
+			hashIsTLS10 = true
+		case "SHA2-256", "SHA2-384", "SHA2-512":
+			break
+		default:
+			return nil, fmt.Errorf("unknown hash %q", group.Hash)
+		}
+
+		if (tlsVer == "1.0") != hashIsTLS10 {
+			return nil, fmt.Errorf("hash %q not permitted with TLS version %q", group.Hash, group.TLSVersion)
+		}
+
+		if group.KeyBlockBits%8 != 0 {
+			return nil, fmt.Errorf("requested key-block length (%d bits) is not a whole number of bytes", group.KeyBlockBits)
+		}
+
+		method := "TLSKDF/" + tlsVer + "/" + group.Hash
+
+		for _, test := range group.Tests {
+			pms, err := hex.DecodeString(test.PMSHex)
+			if err != nil {
+				return nil, err
+			}
+
+			clientHelloRandom, err := hex.DecodeString(test.ClientHelloRandomHex)
+			if err != nil {
+				return nil, err
+			}
+
+			serverHelloRandom, err := hex.DecodeString(test.ServerHelloRandomHex)
+			if err != nil {
+				return nil, err
+			}
+
+			clientRandom, err := hex.DecodeString(test.ClientRandomHex)
+			if err != nil {
+				return nil, err
+			}
+
+			serverRandom, err := hex.DecodeString(test.ServerRandomHex)
+			if err != nil {
+				return nil, err
+			}
+
+			const (
+				masterSecretLength = 48
+				masterSecretLabel  = "master secret"
+				keyBlockLabel      = "key expansion"
+			)
+
+			var outLenBytes [4]byte
+			binary.LittleEndian.PutUint32(outLenBytes[:], uint32(masterSecretLength))
+			result, err := m.Transact(method, 1, outLenBytes[:], pms, []byte(masterSecretLabel), clientHelloRandom, serverHelloRandom)
+			if err != nil {
+				return nil, err
+			}
+
+			binary.LittleEndian.PutUint32(outLenBytes[:], uint32(group.KeyBlockBits/8))
+			// TLS 1.0, 1.1, and 1.2 use a different order for the client and server
+			// randoms when computing the key block.
+			result2, err := m.Transact(method, 1, outLenBytes[:], result[0], []byte(keyBlockLabel), serverRandom, clientRandom)
+			if err != nil {
+				return nil, err
+			}
+
+			response.Tests = append(response.Tests, tlsKDFTestResponse{
+				ID:              test.ID,
+				MasterSecretHex: hex.EncodeToString(result[0]),
+				KeyBlockHex:     hex.EncodeToString(result2[0]),
+			})
+		}
+
+		ret = append(ret, response)
+	}
+
+	return ret, nil
+}

util/fipstools/acvp/modulewrapper/modulewrapper.cc

@@ -41,6 +41,7 @@
 #include <openssl/span.h>
 
 #include "../../../../crypto/fipsmodule/rand/internal.h"
+#include "../../../../crypto/fipsmodule/tls/internal.h"
 
 static constexpr size_t kMaxArgs = 8;
 static constexpr size_t kMaxArgLength = (1 << 20);
@@ -702,6 +703,20 @@ static bool GetConfig(const Span<const uint8_t> args[]) {
             "increment": 8
           }]
         }]
+      },
+      {
+        "algorithm": "kdf-components",
+        "revision": "1.0",
+        "mode": "tls",
+        "tlsVersion": [
+          "v1.0/1.1",
+          "v1.2"
+        ],
+        "hashAlg": [
+          "SHA2-256",
+          "SHA2-384",
+          "SHA2-512"
+        ]
       }
     ])";
   return WriteReply(
@@ -1553,6 +1568,32 @@ static bool RSASigVer(const Span<const uint8_t> args[]) {
   return WriteReply(STDOUT_FILENO, Span<const uint8_t>(&ok, 1));
 }
 
+template<const EVP_MD *(MDFunc)()>
+static bool TLSKDF(const Span<const uint8_t> args[]) {
+  const Span<const uint8_t> out_len_bytes = args[0];
+  const Span<const uint8_t> secret = args[1];
+  const Span<const uint8_t> label = args[2];
+  const Span<const uint8_t> seed1 = args[3];
+  const Span<const uint8_t> seed2 = args[4];
+  const EVP_MD *md = MDFunc();
+
+  uint32_t out_len;
+  if (out_len_bytes.size() != sizeof(out_len)) {
+    return 0;
+  }
+  memcpy(&out_len, out_len_bytes.data(), sizeof(out_len));
+
+  std::vector<uint8_t> out(static_cast<size_t>(out_len));
+  if (!CRYPTO_tls1_prf(md, out.data(), out.size(), secret.data(), secret.size(),
+                       reinterpret_cast<const char *>(label.data()),
+                       label.size(), seed1.data(), seed1.size(), seed2.data(),
+                       seed2.size())) {
+    return 0;
+  }
+
+  return WriteReply(STDOUT_FILENO, out);
+}
+
 static constexpr struct {
   const char name[kMaxNameLength + 1];
   uint8_t expected_args;
@@ -1615,6 +1656,10 @@ static constexpr struct {
     {"RSA/sigVer/SHA2-384/pss", 4, RSASigVer<EVP_sha384, true>},
     {"RSA/sigVer/SHA2-512/pss", 4, RSASigVer<EVP_sha512, true>},
     {"RSA/sigVer/SHA-1/pss", 4, RSASigVer<EVP_sha1, true>},
+    {"TLSKDF/1.0/SHA-1", 5, TLSKDF<EVP_md5_sha1>},
+    {"TLSKDF/1.2/SHA2-256", 5, TLSKDF<EVP_sha256>},
+    {"TLSKDF/1.2/SHA2-384", 5, TLSKDF<EVP_sha384>},
+    {"TLSKDF/1.2/SHA2-512", 5, TLSKDF<EVP_sha512>},
 };
 
 int main() {