diff options
| author | Adam Langley <agl@imperialviolet.org> | 2024-03-29 16:53:15 +0000 |
|---|---|---|
| committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2024-04-01 22:15:28 +0000 |
| commit | 077d4d2b1a768028603ae1b26287224d7f985d1f (patch) | |
| tree | 68c1d7b64f4e4afea20783f59047fea04f936f7a | |
| parent | ec6cb3e3a016a8e7ffee42d589d423e6057f21bf (diff) | |
| download | boringssl-077d4d2b1a768028603ae1b26287224d7f985d1f.zip boringssl-077d4d2b1a768028603ae1b26287224d7f985d1f.tar.gz boringssl-077d4d2b1a768028603ae1b26287224d7f985d1f.tar.bz2 | |
Set service indicator for TLS 1.3 KDF.
Change-Id: Ia6fffb4c1fbe9edc62a4c22b45408e41ac6ae086
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67547
Reviewed-by: David Benjamin <davidben@google.com>
Auto-Submit: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
| -rw-r--r-- | crypto/fipsmodule/service_indicator/service_indicator_test.cc | 15 | ||||
| -rw-r--r-- | crypto/fipsmodule/tls/kdf.c | 7 |
2 files changed, 22 insertions, 0 deletions
diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc index a3f06eb..e7221fa 100644 --- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc +++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc @@ -1800,6 +1800,21 @@ TEST_P(KDF_ServiceIndicatorTest, TLSKDF) { EXPECT_EQ(approved, test.expect_approved); } +TEST_P(KDF_ServiceIndicatorTest, TLS13KDF) { + const KDFTestVector &test = GetParam(); + + FIPSStatus approved = FIPSStatus::NOT_APPROVED; + + uint8_t output[32]; + ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED( + approved, CRYPTO_tls13_hkdf_expand_label( + output, sizeof(output), test.func(), kTLSSecret, + sizeof(kTLSSecret), /*label=*/kTLSSeed1, sizeof(kTLSSeed1), + /*hash=*/kTLSSeed2, sizeof(kTLSSeed2)))); + + EXPECT_EQ(approved, test.expect_approved); +} + TEST(ServiceIndicatorTest, CMAC) { FIPSStatus approved = FIPSStatus::NOT_APPROVED; diff --git a/crypto/fipsmodule/tls/kdf.c b/crypto/fipsmodule/tls/kdf.c index c4f4976..7a7d12d 100644 --- a/crypto/fipsmodule/tls/kdf.c +++ b/crypto/fipsmodule/tls/kdf.c @@ -189,6 +189,7 @@ int CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len, uint8_t *hkdf_label = NULL; size_t hkdf_label_len; + FIPS_service_indicator_lock_state(); CBB_zero(&cbb); if (!CBB_init(&cbb, 2 + 1 + sizeof(kProtocolLabel) - 1 + label_len + 1 + hash_len) || @@ -200,12 +201,18 @@ int CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len, !CBB_add_bytes(&child, hash, hash_len) || !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) { CBB_cleanup(&cbb); + FIPS_service_indicator_unlock_state(); return 0; } const int ret = HKDF_expand(out, out_len, digest, secret, secret_len, hkdf_label, hkdf_label_len); OPENSSL_free(hkdf_label); + + FIPS_service_indicator_unlock_state(); + if (ret) { + TLSKDF_verify_service_indicator(digest); + } return ret; } |