Add support for the TLS13-KDF algorithm

Author: nicholasberlin

const.go

@@ -48,10 +48,11 @@ const ( //checkheader:ignore
 	_DigestNameSHA2_256 cString = "SHA2-256\x00"
 
 	// KDF names
-	_OSSL_KDF_NAME_HKDF     cString = "HKDF\x00"
-	_OSSL_KDF_NAME_PBKDF2   cString = "PBKDF2\x00"
-	_OSSL_KDF_NAME_TLS1_PRF cString = "TLS1-PRF\x00"
-	_OSSL_MAC_NAME_HMAC     cString = "HMAC\x00"
+	_OSSL_KDF_NAME_HKDF      cString = "HKDF\x00"
+	_OSSL_KDF_NAME_PBKDF2    cString = "PBKDF2\x00"
+	_OSSL_KDF_NAME_TLS1_PRF	 cString = "TLS1-PRF\x00"
+	_OSSL_KDF_NAME_TLS13_KDF cString = "TLS13-KDF\x00"
+	_OSSL_MAC_NAME_HMAC      cString = "HMAC\x00"
 
 	// KDF parameters
 	_OSSL_KDF_PARAM_DIGEST cString = "digest\x00"
@@ -62,6 +63,11 @@ const ( //checkheader:ignore
 	_OSSL_KDF_PARAM_SALT   cString = "salt\x00"
 	_OSSL_KDF_PARAM_MODE   cString = "mode\x00"
 
+	// TLS3-KDF parameters
+	_OSSL_KDF_PARAM_PREFIX cString = "prefix\x00"
+	_OSSL_KDF_PARAM_LABEL  cString = "label\x00"
+	_OSSL_KDF_PARAM_DATA   cString = "data\x00"
+
 	// PKEY parameters
 	_OSSL_PKEY_PARAM_PUB_KEY          cString = "pub\x00"
 	_OSSL_PKEY_PARAM_PRIV_KEY         cString = "priv\x00"

hkdf.go

@@ -4,6 +4,7 @@ package openssl
 
 import "C"
 import (
+	"bytes"
 	"errors"
 	"hash"
 	"io"
@@ -261,6 +262,80 @@ func (c *hkdf3) finalize() {
 	}
 }
 
+// fetchTLS13_KDF fetches the TLS13-KDF algorithm.
+// It is safe to call this function concurrently.
+// The returned EVP_KDF_PTR shouldn't be freed.
+var fetchTLS13_KDF = sync.OnceValues(func() (ossl.EVP_KDF_PTR, error) {
+	checkMajorVersion(3)
+
+	kdf, err := ossl.EVP_KDF_fetch(nil, _OSSL_KDF_NAME_TLS13_KDF.ptr(), nil)
+	if err != nil {
+		return nil, err
+	}
+	return kdf, nil
+})
+
+//
+// https://docs.openssl.org/3.4/man7/EVP_KDF-TLS13_KDF/
+// https://datatracker.ietf.org/doc/html/rfc8446#section-7.1
+//
+// This function parses the info parameter for TLS 1.3 KDF.
+// The info parameter is expected to be in the format:
+//
+//    +--------------+-----------+-------------------+------------+------------------+
+//    | total length | labelLen  | label bytes...    | contextLen | context bytes... |
+//    | 2 bytes      | 1 byte    | labelLen bytes    | 1 byte     | contextLen bytes |
+//    +--------------+-----------+-------------------+------------+------------------+
+//
+// The label bytes are expected to be begin with "tls13 ".
+//
+func ParseForTLS13(info []byte) (isTLS13 bool, label, context []byte) {
+	isTLS13 = false
+	label = nil
+	context = nil
+
+	if len(info) <= 2 {
+		return
+	}
+
+	cursor := 2
+	labelLen := int(info[cursor])
+
+	if labelLen < 7 {
+		return
+	}
+
+	cursor++
+	if cursor+labelLen > len(info) {
+		return
+	}
+
+
+	labelBytes := info[cursor : cursor+labelLen]
+	cursor += labelLen
+
+	if !bytes.HasPrefix(labelBytes, []byte("tls13 ")) {
+		return
+	}
+
+	if cursor >= len(info) {
+		return
+	}
+
+	contextLen := int(info[cursor])
+	cursor++
+	if cursor+contextLen > len(info) {
+		return
+	}
+
+	// Success, set the out parameters
+	label = labelBytes[len("tls13 "):]
+	context = info[cursor : cursor+contextLen]
+	isTLS13 = true
+
+	return
+}
+
 // fetchHKDF3 fetches the HKDF algorithm.
 // It is safe to call this function concurrently.
 // The returned EVP_KDF_PTR shouldn't be freed.
@@ -278,7 +353,14 @@ var fetchHKDF3 = sync.OnceValues(func() (ossl.EVP_KDF_PTR, error) {
 func newHKDFCtx3(md ossl.EVP_MD_PTR, mode int32, secret, salt, pseudorandomKey, info []byte) (_ ossl.EVP_KDF_CTX_PTR, err error) {
 	checkMajorVersion(3)
 
-	kdf, err := fetchHKDF3()
+	useTLS13KDF, label, context := ParseForTLS13(info)
+
+	var kdf ossl.EVP_KDF_PTR
+	if useTLS13KDF {
+		kdf, err = fetchTLS13_KDF()
+	} else {
+		kdf, err = fetchHKDF3()
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -298,17 +380,39 @@ func newHKDFCtx3(md ossl.EVP_MD_PTR, mode int32, secret, salt, pseudorandomKey,
 	}
 	bld.addUTF8String(_OSSL_KDF_PARAM_DIGEST, ossl.EVP_MD_get0_name(md), 0)
 	bld.addInt32(_OSSL_KDF_PARAM_MODE, int32(mode))
-	if len(secret) > 0 {
-		bld.addOctetString(_OSSL_KDF_PARAM_KEY, secret)
-	}
-	if len(salt) > 0 {
-		bld.addOctetString(_OSSL_KDF_PARAM_SALT, salt)
-	}
-	if len(pseudorandomKey) > 0 {
-		bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
-	}
-	if len(info) > 0 {
-		bld.addOctetString(_OSSL_KDF_PARAM_INFO, info)
+
+	if useTLS13KDF {
+		if (mode == ossl.EVP_KDF_HKDF_MODE_EXTRACT_ONLY) {
+			//bld.addUTF8String(C.CString("mode"), C.CString("EXTRACT_ONLY"), 0)
+			if len(salt) > 0 {
+				bld.addOctetString(_OSSL_KDF_PARAM_SALT, salt)
+			}
+			if len(pseudorandomKey) > 0 {
+				bld.addOctetString(_OSSL_KDF_PARAM_KEY, secret)
+			}
+		} else {
+			//bld.addUTF8String(C.CString("mode"), C.CString("EXPAND_ONLY"), 0)
+			bld.addOctetString(_OSSL_KDF_PARAM_PREFIX, []byte("tls13 "))
+			bld.addOctetString(_OSSL_KDF_PARAM_LABEL, label)
+			bld.addOctetString(_OSSL_KDF_PARAM_DATA, context)
+			if len(pseudorandomKey) > 0 {
+				bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
+			}
+		}
+
+	} else {
+		if len(secret) > 0 {
+			bld.addOctetString(_OSSL_KDF_PARAM_KEY, secret)
+		}
+		if len(salt) > 0 {
+			bld.addOctetString(_OSSL_KDF_PARAM_SALT, salt)
+		}
+		if len(pseudorandomKey) > 0 {
+			bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
+		}
+		if len(info) > 0 {
+			bld.addOctetString(_OSSL_KDF_PARAM_INFO, info)
+		}
 	}
 	params, err := bld.build()
 	if err != nil {

hkdf_test.go

@@ -1,6 +1,7 @@
 package openssl_test
 
 import (
+	"encoding/binary"
 	"bytes"
 	"hash"
 	"io"
@@ -448,3 +449,103 @@ func TestExpandHKDFOneShotLimit(t *testing.T) {
 		t.Errorf("expected error for key expansion overflow")
 	}
 }
+
+func makeInfo(fullLabel string, context []byte) []byte {
+	totalLen := 1 + len(fullLabel) + 1 + len(context)
+
+	info := make([]byte, 2+totalLen)
+	binary.BigEndian.PutUint16(info[0:2], uint16(totalLen))
+	info[2] = byte(len(fullLabel))
+	copy(info[3:], fullLabel)
+	info[3+len(fullLabel)] = byte(len(context))
+	copy(info[4+len(fullLabel):], context)
+
+	return info
+}
+
+func TestParseForTLS13_Valid(t *testing.T) {
+	tests := []struct {
+		name         string
+		labelPrefix  string
+		label        string
+		context      []byte
+	}{
+		{"IV", "tls13 ", "iv", []byte{}},
+		{"Traffic Secret", "tls13 ", "c hs traffic", []byte{0xaa, 0xbb}},
+		{"Finished", "tls13 ", "finished", []byte{0x00}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			info := makeInfo(tt.labelPrefix + tt.label, tt.context)
+			isTLS13, label, context := openssl.ParseForTLS13(info)
+			if !isTLS13 {
+				t.Errorf("Expected TLS13 label, got isTLS13=false")
+			}
+			if !bytes.Equal(label, []byte(tt.label)) {
+				t.Errorf("Label mismatch: got %q, want %q", label, tt.label)
+			}
+			if !bytes.Equal(context, tt.context) {
+				t.Errorf("Context mismatch: got %x, want %x", context, tt.context)
+			}
+		})
+	}
+}
+
+func TestParseForTLS13_Invalid(t *testing.T) {
+	tests := []struct {
+		name string
+		info []byte
+	}{
+		{"Missing tls13 prefix", makeInfo("foobar", []byte{0x01})},
+		{"Too short", []byte{0x00}},
+		{"Label length exceeds buffer", []byte{0xFF, 't'}},
+		{"Incomplete prefix", []byte{0x06, 't', 'l', 's', '1', '3', ' ', 0x00 }}, // discovered by the fuzzer
+		{"Correct prefix but missing context", []byte{0x08, 't', 'l', 's', '1', '3', ' ', 'i', 'v'}},
+		{"Correct prefix but truncated context", []byte{0x08, 't', 'l', 's', '1', '3', ' ', 'i', 'v', 0x02}},
+		{"Correct prefix but truncated context", []byte{0x06, 't', 'l', 's', '1', '3', ' ', 'i', 'v', 0x02}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			isTLS13, label, context := openssl.ParseForTLS13(tt.info)
+			if isTLS13 {
+				t.Errorf("Expected isTLS13=false, got true")
+			}
+			if label != nil {
+				t.Errorf("Expected label=nil, got %q", label)
+			}
+			if context != nil {
+				t.Errorf("Expected context=nil, got %x", context)
+			}
+		})
+	}
+}
+
+// run the fuzzer with:
+// go test -fuzz=FuzzParseForTLS13
+func FuzzParseForTLS13(f *testing.F) {
+	// Seed with known-good examples
+	f.Add([]byte{0x08, 't', 'l', 's', '1', '3', ' ', 'i', 'v', 0x00}) // "tls13 iv" + empty context
+	f.Add([]byte{0x0c, 't', 'l', 's', '1', '3', ' ', 'c', ' ', 'h', 's', ' ', 't', 'r', 'a', 'f', 'f', 'i', 'c', 0x02, 0xAA, 0xBB})
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		defer func() {
+			if r := recover(); r != nil {
+				t.Errorf("panic with input: %x — %v", data, r)
+			}
+		}()
+
+		isTLS13, label, context := openssl.ParseForTLS13(data)
+
+		if isTLS13 {
+			if len(label) == 0 {
+				t.Errorf("isTLS13=true but label is empty (input: %x)", data)
+			}
+			// Context can be 0-length, but shouldn't go out of bounds
+			if context == nil {
+				t.Errorf("isTLS13=true but context is nil (input: %x)", data)
+			}
+		}
+	})
+}