NIST.SP.800-56Cr2 One-Step Key Derivation

crypto/CMakeLists.txt

@@ -733,6 +733,7 @@ if(BUILD_TESTING)
     fipsmodule/ec/ec_test.cc
     fipsmodule/ec/p256-nistz_test.cc
     fipsmodule/ecdsa/ecdsa_test.cc
+    fipsmodule/kdf/kdf_test.cc
     fipsmodule/md5/md5_test.cc
     fipsmodule/modes/gcm_test.cc
     fipsmodule/modes/xts_test.cc

crypto/fipsmodule/bcm.c

@@ -114,6 +114,7 @@
 #include "evp/p_rsa.c"
 #include "hkdf/hkdf.c"
 #include "hmac/hmac.c"
+#include "kdf/sskdf.c"
 #include "md4/md4.c"
 #include "md5/md5.c"
 #include "modes/cbc.c"
@@ -145,7 +146,6 @@
 #include "sshkdf/sshkdf.c"
 #include "tls/kdf.c"
 
-
 #if defined(BORINGSSL_FIPS)
 
 #if !defined(OPENSSL_ASAN)

crypto/fipsmodule/kdf/internal.h

@@ -0,0 +1,38 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#ifndef OPENSSL_HEADER_KDF_INTERNAL_H
+#define OPENSSL_HEADER_KDF_INTERNAL_H
+
+#include <openssl/digest.h>
+#include <openssl/hmac.h>
+
+#define SSKDF_MAX_INPUT_LEN (1 << 30)
+#define SSKDF_COUNTER_SIZE 4
+
+typedef struct {
+  void *data;
+} sskdf_variant_ctx;
+
+typedef struct {
+  const EVP_MD *digest;
+  EVP_MD_CTX *md_ctx;
+} sskdf_variant_digest_ctx;
+
+typedef struct {
+  HMAC_CTX *hmac_ctx;
+} sskdf_variant_hmac_ctx;
+
+typedef struct {
+  size_t (*h_output_bytes)(sskdf_variant_ctx *ctx);
+  int (*compute)(sskdf_variant_ctx *ctx, uint8_t *out, size_t out_len,
+                 const uint8_t counter[SSKDF_COUNTER_SIZE],
+                 const uint8_t *secret, size_t secret_len, const uint8_t *info,
+                 size_t info_len);
+} sskdf_variant;
+
+const sskdf_variant *sskdf_variant_digest(void);
+
+const sskdf_variant *sskdf_variant_hmac(void);
+
+#endif  // OPENSSL_HEADER_KDF_INTERNAL_H

crypto/fipsmodule/kdf/kdf_test.cc

@@ -0,0 +1,114 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include <openssl/digest.h>
+#include <openssl/kdf.h>
+#include <vector>
+#include "../../test/file_test.h"
+#include "../../test/test_util.h"
+
+#include <gtest/gtest.h>
+
+TEST(SSKDFTest, TestVectors) {
+  FileTestGTest("crypto/fipsmodule/kdf/test/sskdf.txt", [](FileTest *t) {
+    const EVP_MD *md;
+    std::string hash;
+    ASSERT_TRUE(t->GetAttribute(&hash, "HASH"));
+    if (hash == "SHA1") {
+      md = EVP_sha1();
+    } else if (hash == "SHA-224") {
+      md = EVP_sha224();
+    } else if (hash == "SHA-256") {
+      md = EVP_sha256();
+    } else if (hash == "SHA-384") {
+      md = EVP_sha384();
+    } else if (hash == "SHA-512") {
+      md = EVP_sha512();
+    } else {
+      FAIL() << "Unknown HASH=" + hash;
+    }
+
+    std::vector<uint8_t> secret, info, expect;
+
+    ASSERT_TRUE(t->GetBytes(&secret, "SECRET"));
+    if (t->HasAttribute("INFO")) {
+      ASSERT_TRUE(t->GetBytes(&info, "INFO"));
+    } else {
+      info = std::vector<uint8_t>(0);
+    }
+    ASSERT_TRUE(t->GetBytes(&expect, "EXPECT"));
+
+    std::vector<uint8_t> out(expect.size());
+
+    std::string variant;
+    ASSERT_TRUE(t->GetAttribute(&variant, "VARIANT"));
+    if (variant == "DIGEST") {
+      ASSERT_TRUE(SSKDF_digest(out.data(), out.size(), md, secret.data(),
+                               secret.size(), info.data(), info.size()));
+    } else if (variant == "HMAC") {
+      if (t->HasAttribute("SALT")) {
+        std::vector<uint8_t> salt;
+        ASSERT_TRUE(t->GetBytes(&salt, "SALT"));
+        ASSERT_TRUE(SSKDF_hmac(out.data(), out.size(), md, secret.data(),
+                               secret.size(), info.data(), info.size(),
+                               salt.data(), salt.size()));
+      } else {
+        ASSERT_TRUE(SSKDF_hmac(out.data(), out.size(), md, secret.data(),
+                               secret.size(), info.data(), info.size(), NULL,
+                               0));
+      }
+    }
+    ASSERT_EQ(Bytes(expect.data(), expect.size()),
+              Bytes(out.data(), out.size()));
+  });
+}
+
+TEST(SSKDFTest, DigestNegativeTests) {
+  const uint8_t secret[16] = {0};
+  std::vector<uint8_t> out(16);
+
+  // NULL output
+  ASSERT_FALSE(SSKDF_digest(NULL, out.size(), EVP_sha256(), &secret[0],
+                            sizeof(secret), NULL, 0));
+
+  // zero-length output
+  ASSERT_FALSE(SSKDF_digest(out.data(), 0, EVP_sha256(), &secret[0],
+                            sizeof(secret), NULL, 0));
+
+  // NULL digest
+  ASSERT_FALSE(SSKDF_digest(out.data(), out.size(), NULL, &secret[0],
+                            sizeof(secret), NULL, 0));
+
+  // NULL secret
+  ASSERT_FALSE(
+      SSKDF_digest(out.data(), out.size(), EVP_sha256(), NULL, 0, NULL, 0));
+
+  // zero-length secret
+  ASSERT_FALSE(SSKDF_digest(out.data(), out.size(), EVP_sha256(), &secret[0], 0,
+                            NULL, 0));
+}
+
+TEST(SSKDFTest, HMACNegativeTests) {
+  const uint8_t secret[16] = {0};
+  std::vector<uint8_t> out(16);
+
+  // NULL output
+  ASSERT_FALSE(SSKDF_hmac(NULL, out.size(), EVP_sha256(), &secret[0],
+                          sizeof(secret), NULL, 0, NULL, 0));
+
+  // zero-length output
+  ASSERT_FALSE(SSKDF_hmac(out.data(), 0, EVP_sha256(), &secret[0],
+                          sizeof(secret), NULL, 0, NULL, 0));
+
+  // NULL digest
+  ASSERT_FALSE(SSKDF_hmac(out.data(), out.size(), NULL, &secret[0],
+                          sizeof(secret), NULL, 0, NULL, 0));
+
+  // NULL secret
+  ASSERT_FALSE(SSKDF_hmac(out.data(), out.size(), EVP_sha256(), NULL, 0, NULL,
+                          0, NULL, 0));
+
+  // zero-length secret
+  ASSERT_FALSE(SSKDF_hmac(out.data(), out.size(), EVP_sha256(), &secret[0], 0,
+                          NULL, 0, NULL, 0));
+}