authorAdam Langley <agl@google.com>2023-07-31 21:55:28 +0000
committerPete Bentley <prb@google.com>2023-08-11 16:23:15 +0100
commit9face09a03c8921bf46d0707a013717a4e3e0102 (patch)
treeb4d6c212f5f510a8b08661c6c8a28b9a3679c164
parent8f0d203ff4baaec115f7fa9d736919ef2459e6d4 (diff)
downloadboringssl-9face09a03c8921bf46d0707a013717a4e3e0102.tar.gz
Split TLS 1.0 and 1.2 self checks.
Cherry-picked direct to UDC branches for FIPS certification, these changes already landed in main as part of change I29bdd7d2dd6800e9dbcb5da82deb4faf36cc43d9. While it's the same code path, NIST may consider these different functions and thus want separate checks for them. Bug: 295523306 Test: mm Change-Id: Ic391b5e656b22c5e11d94ec22398346669833bd9 Merged-In: I29bdd7d2dd6800e9dbcb5da82deb4faf36cc43d9 (cherry picked from commit 7ae2b910c13017b63f1a8bd6c8decfce692869b0)
-rw-r--r--src/crypto/fipsmodule/self_check/self_check.c55
-rw-r--r--src/util/fipstools/break-kat.go5
-rw-r--r--src/util/fipstools/test_fips.c13
3 files changed, 54 insertions, 19 deletions
diff --git a/src/crypto/fipsmodule/self_check/self_check.c b/src/crypto/fipsmodule/self_check/self_check.c
index 525cd169..edfef6d4 100644
--- a/src/crypto/fipsmodule/self_check/self_check.c
+++ b/src/crypto/fipsmodule/self_check/self_check.c
@@ -918,11 +918,6 @@ static int boringssl_self_test_fast(void) {
}
// TLS KDF KAT
- static const uint8_t kTLSSecret[32] = {
- 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
- 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
- 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
- };
static const char kTLSLabel[] = "FIPS self test";
static const uint8_t kTLSSeed1[16] = {
0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,
@@ -932,17 +927,45 @@ static int boringssl_self_test_fast(void) {
0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,
0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,
};
- static const uint8_t kTLSOutput[32] = {
- 0xe2, 0x1d, 0xd6, 0xc2, 0x68, 0xc7, 0x57, 0x03, 0x2c, 0x2c, 0xeb,
- 0xbb, 0xb8, 0xa9, 0x7d, 0xe9, 0xee, 0xe6, 0xc9, 0x47, 0x83, 0x0a,
- 0xbd, 0x11, 0x60, 0x5d, 0xd5, 0x2c, 0x47, 0xb6, 0x05, 0x88,
+
+ static const uint8_t kTLS10Secret[32] = {
+ 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,
+ 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,
+ 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,
+ };
+ static const uint8_t kTLS10Output[32] = {
+ 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90,
+ 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f,
+ 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8,
+ };
+ uint8_t tls10_output[sizeof(kTLS10Output)];
+ if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),
+ kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel,
+ sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+ kTLSSeed2, sizeof(kTLSSeed2)) ||
+ !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output),
+ "TLS10-KDF KAT")) {
+ fprintf(stderr, "TLS KDF failed.\n");
+ goto err;
+ }
+
+ static const uint8_t kTLS12Secret[32] = {
+ 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9,
+ 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc,
+ 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81,
+ };
+ static const uint8_t kTLS12Output[32] = {
+ 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1,
+ 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85,
+ 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51,
};
- uint8_t tls_output[sizeof(kTLSOutput)];
- if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret,
- sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel),
- kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2,
- sizeof(kTLSSeed2)) ||
- !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS-KDF KAT")) {
+ uint8_t tls12_output[sizeof(kTLS12Output)];
+ if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output),
+ kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel,
+ sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),
+ kTLSSeed2, sizeof(kTLSSeed2)) ||
+ !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output),
+ "TLS12-KDF KAT")) {
fprintf(stderr, "TLS KDF failed.\n");
goto err;
}
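Review bot: Both new failure branches print the same `TLS KDF failed.` line, so stderr alone does not say whether the TLS 1.0 (MD5/SHA-1) or the TLS 1.2 (SHA-256) known-answer test tripped; the next hunk in this file already renames the TLS 1.3 message to `TLS13-KDF failed.`. Make the two messages match their check_test names: `fprintf(stderr, "TLS10-KDF failed.\n");` and `fprintf(stderr, "TLS12-KDF failed.\n");`. check_test may log its name argument on a mismatch (its body is not visible here), but a failing CRYPTO_tls1_prf call short-circuits before check_test runs, so that path has only this message. boringssl_self_test_fast starts and ends outside the hunk.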
@@ -983,7 +1006,7 @@ static int boringssl_self_test_fast(void) {
!check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,
sizeof(kTLS13ExpandLabelOutput),
"CRYPTO_tls13_hkdf_expand_label")) {
- fprintf(stderr, "TLSv1.3 KDF failed.\n");
+ fprintf(stderr, "TLS13-KDF failed.\n");
goto err;
}
diff --git a/src/util/fipstools/break-kat.go b/src/util/fipstools/break-kat.go
index e4d323ab..67c33002 100644
--- a/src/util/fipstools/break-kat.go
+++ b/src/util/fipstools/break-kat.go
@@ -1,5 +1,3 @@
-//go:build
-
// break-kat corrupts a known-answer-test input in a binary and writes the
// corrupted binary to stdout. This is used to demonstrate that the KATs in the
// binary notice the error.
@@ -27,7 +25,8 @@ var (
"SHA-1": "132fd9bad5c1826263bafbb699f707a5",
"SHA-256": "ff3b857da7236a2baa0f396b51522217",
"SHA-512": "212512f8d2ad8322781c6c4d69a9daa1",
- "TLS-KDF": "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
+ "TLS10-KDF": "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
+ "TLS12-KDF": "c5438ee26fd4acbd259fc91855dc69bf884ee29322fcbfd2966a4623d42ec781",
"TLS13-KDF": "024a0d80f357f2499a1244dac26dab66fc13ed85fca71dace146211119525874",
"RSA-sign": "d2b56e53306f720d7929d8708bf46f1c22300305582b115bedcac722d8aa5ab2",
"RSA-verify": "abe2cbc13d6bd39d48db5334ddbf8d070a93bdcb104e2cc5d0ee486ee295f6b31bda126c41890b98b73e70e6b65d82f95c663121755a90744c8d1c21148a1960be0eca446e9ff497f1345c537ef8119b9a4398e95c5c6de2b1c955905c5299d8ce7a3b6ab76380d9babdd15f610237e1f3f2aa1c1f1e770b62fbb596381b2ebdd77ecef9c90d4c92f7b6b05fed2936285fa94826e62055322a33b6f04c74ce69e5d8d737fb838b79d2d48e3daf71387531882531a95ac964d02ea413bf85952982bbc089527daff5b845c9a0f4d14ef1956d9c3acae882d12da66da0f35794f5ee32232333517db9315232a183b991654dbea41615345c885325926744a53915",
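Review bot: The two new hex strings repeat `kTLS10Secret` and `kTLS12Secret` from self_check.c byte for byte, and nothing beside the entries records that, so a later edit to either array would leave this table with a stale value. A comment on the entries such as `// Values mirror kTLS10Secret / kTLS12Secret in self_check.c; keep in sync.` would document the coupling. It is also worth stating that the two secrets are deliberately different, presumably so that corrupting one input breaks only its own KAT. The `var` block starts outside the hunk.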
diff --git a/src/util/fipstools/test_fips.c b/src/util/fipstools/test_fips.c
index 3a1f7fce..13b8d7d3 100644
--- a/src/util/fipstools/test_fips.c
+++ b/src/util/fipstools/test_fips.c
@@ -291,6 +291,19 @@ int main(int argc, char **argv) {
printf(" got ");
hexdump(hkdf_output, sizeof(hkdf_output));
+ /* TLS v1.0 KDF */
+ printf("About to run TLS v1.0 KDF\n");
+ uint8_t tls10_output[32];
+ if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),
+ kAESKey, sizeof(kAESKey), "foo", 3, kPlaintextSHA256,
+ sizeof(kPlaintextSHA256), kPlaintextSHA256,
+ sizeof(kPlaintextSHA256))) {
+ fprintf(stderr, "TLS v1.0 KDF failed.\n");
+ goto err;
+ }
+ printf(" got ");
+ hexdump(tls10_output, sizeof(tls10_output));
+
/* TLS v1.2 KDF */
printf("About to run TLS v1.2 KDF\n");
uint8_t tls12_output[32];
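Review bot: The added block carries only the `/* TLS v1.0 KDF */` header and does not say why the MD5/SHA-1 PRF is exercised in a FIPS test tool. Going by the commit description, the TLS 1.0 and TLS 1.2 PRFs may be treated as separate functions for certification, so a comment like `/* TLS v1.0 KDF: MD5/SHA-1 PRF, run separately from the SHA-256 TLS 1.2 PRF below. */` would keep a later reader from dropping it as legacy code. main() starts before the hunk and continues past it.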