Move TLS 1.3 HKDF-Expand-Label into the FIPS module

Introduces CRYPTO_tls13_hkdf_expand_label in crypto/fipsmodule/tls/kdf.c,
mirroring the CRYPTO_tls1_prf pattern already in that file. The function
builds the HkdfLabel structure (RFC 8446 §7.1) via CBB and calls
HKDF_expand, bracketed by FIPS_service_indicator_lock_state /
unlock_state and a post-success TLS13_KDF_verify_service_indicator call
that approves SHA2-256 and SHA2-384 (matching what the ACVP config
registers).

Consumers now delegate:
  * ssl/tls13_enc.cc's hkdf_expand_label collapses to a thin wrapper.
  * The ACVP modulewrapper's HKDFExpandLabel delegates to the same
    function, so ACVP exercises the actual FIPS-module code path
    instead of a parallel label-construction reimplementation.

A TLS13-KDF KAT (HKDF_extract -> CRYPTO_tls13_hkdf_expand_label, using
the RFC 8448 early-secret / 'c e traffic' derivation) is added to the
FIPS self-test, along with a matching break-kat.go entry. A new
parameterised TLS13KDF_ServiceIndicatorTest covers the approval policy
across SHA-1 / SHA-224 / SHA-256 / SHA-384 / SHA-512.

Author: justsmth

crypto/fipsmodule/self_check/self_check.c

@@ -2873,6 +2873,46 @@ static OPENSSL_NOINLINE int boringssl_self_test_fast(void) {
     goto err;
   }
 
+  // TLS 1.3 KDF KAT: chain HKDF_extract -> CRYPTO_tls13_hkdf_expand_label to
+  // validate the TLS 1.3 HKDF-Expand-Label composite, derived from the sample
+  // early-secret / c-e-traffic chain in RFC 8448.
+  static const uint8_t kTLS13Secret[32] = {
+      0x02, 0x4a, 0x0d, 0x80, 0xf3, 0x57, 0xf2, 0x49, 0x9a, 0x12, 0x44,
+      0xda, 0xc2, 0x6d, 0xab, 0x66, 0xfc, 0x13, 0xed, 0x85, 0xfc, 0xa7,
+      0x1d, 0xac, 0xe1, 0x46, 0x21, 0x11, 0x19, 0x52, 0x58, 0x74,
+  };
+  static const uint8_t kTLS13Salt[16] = {
+      0x54, 0x61, 0x11, 0x36, 0x75, 0x91, 0xf0, 0xf8,
+      0x92, 0xec, 0x70, 0xbd, 0x78, 0x2a, 0xef, 0x61,
+  };
+  static const uint8_t kTLS13Label[] = "c e traffic";
+  static const uint8_t kTLS13ClientHelloHash[32] = {
+      0x1d, 0xe8, 0x67, 0xed, 0x93, 0x6a, 0x73, 0x65, 0x9b, 0x05, 0xcf,
+      0x8a, 0x22, 0x77, 0xb7, 0x37, 0x29, 0xf2, 0x44, 0x94, 0x81, 0x6a,
+      0x83, 0x33, 0x7f, 0x09, 0xbb, 0x6c, 0xc2, 0x6f, 0x48, 0x9c,
+  };
+  static const uint8_t kTLS13ExpandLabelOutput[32] = {
+      0x62, 0x91, 0x52, 0x90, 0x2e, 0xc9, 0xcf, 0x9c, 0x5f, 0x1e, 0x0a,
+      0xb7, 0x00, 0x33, 0x42, 0x24, 0xc4, 0xe3, 0xba, 0x01, 0x40, 0x32,
+      0x06, 0xab, 0x09, 0x23, 0x8a, 0xdd, 0x01, 0xa4, 0x05, 0xcd,
+  };
+  uint8_t tls13_extract_output[32];
+  size_t tls13_extract_output_len;
+  uint8_t tls13_expand_label_output[sizeof(kTLS13ExpandLabelOutput)];
+  if (!HKDF_extract(tls13_extract_output, &tls13_extract_output_len,
+                    EVP_sha256(), kTLS13Secret, sizeof(kTLS13Secret),
+                    kTLS13Salt, sizeof(kTLS13Salt)) ||
+      tls13_extract_output_len != sizeof(tls13_extract_output) ||
+      !CRYPTO_tls13_hkdf_expand_label(
+          tls13_expand_label_output, sizeof(tls13_expand_label_output),
+          EVP_sha256(), tls13_extract_output, sizeof(tls13_extract_output),
+          kTLS13Label, sizeof(kTLS13Label) - 1, kTLS13ClientHelloHash,
+          sizeof(kTLS13ClientHelloHash)) ||
+      !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,
+                  sizeof(kTLS13ExpandLabelOutput), "TLS13-KDF KAT")) {
+    goto err;
+  }
+
   static const uint8_t kPBKDF2Password[] = {
     'A', 'W', 'S', '-', 'L', 'C', 'F', 'I', 'P', 'S', 'p', 'a', 's', 's', 'w',
     'o', 'r', 'd'

crypto/fipsmodule/service_indicator/internal.h

@@ -53,6 +53,7 @@ void PBKDF2_verify_service_indicator(const EVP_MD *evp_md, size_t password_len,
 void SSHKDF_verify_service_indicator(const EVP_MD *evp_md);
 void TLSKDF_verify_service_indicator(const EVP_MD *dgst, const char *label,
                                      size_t label_len);
+void TLS13_KDF_verify_service_indicator(const EVP_MD *dgst);
 void SSKDF_digest_verify_service_indicator(const EVP_MD *dgst);
 void SSKDF_hmac_verify_service_indicator(const EVP_MD *dgst);
 void KBKDF_ctr_hmac_verify_service_indicator(const EVP_MD *dgst, size_t secret_len);
@@ -121,6 +122,9 @@ OPENSSL_INLINE void TLSKDF_verify_service_indicator(
     OPENSSL_UNUSED const char *label,
     OPENSSL_UNUSED size_t label_len) {}
 
+OPENSSL_INLINE void TLS13_KDF_verify_service_indicator(
+    OPENSSL_UNUSED const EVP_MD *dgst) {}
+
 OPENSSL_INLINE void SSKDF_digest_verify_service_indicator(
     OPENSSL_UNUSED const EVP_MD *dgst) {}
 

crypto/fipsmodule/service_indicator/service_indicator.c

@@ -597,6 +597,20 @@ void TLSKDF_verify_service_indicator(const EVP_MD *dgst, const char *label,
   }
 }
 
+void TLS13_KDF_verify_service_indicator(const EVP_MD *dgst) {
+  // Per RFC 8446 and the corresponding FIPS validation, the TLS 1.3 KDF
+  // (HKDF-Expand-Label) is approved with SHA2-256 and SHA2-384 as the
+  // underlying HMAC hash.
+  switch (dgst->type) {
+    case NID_sha256:
+    case NID_sha384:
+      FIPS_service_indicator_update_state();
+      break;
+    default:
+      break;
+  }
+}
+
 // "Whenever a hash function is employed (including as the primitive used by HMAC), an
 // approved hash function shall be used. FIPS 180 and FIPS 202 specify approved hash
 // functions"

crypto/fipsmodule/service_indicator/service_indicator_test.cc

@@ -3397,6 +3397,42 @@ TEST_P(KDF_ServiceIndicatorTest, TLSKDF) {
   EXPECT_EQ(approved, test.expect_approved);
 }
 
+// TLS 1.3 KDF (HKDF-Expand-Label) is approved under SHA2-256 and SHA2-384, and
+// not approved for any other digest. Label / context contents do not affect
+// approval state for TLS 1.3.
+static const struct TLS13KDFTestVector {
+  const EVP_MD *(*func)();
+  const FIPSStatus expect_approved;
+} kTLS13KDFTestVectors[] = {
+    {EVP_sha1, AWSLC_NOT_APPROVED},
+    {EVP_sha224, AWSLC_NOT_APPROVED},
+    {EVP_sha256, AWSLC_APPROVED},
+    {EVP_sha384, AWSLC_APPROVED},
+    {EVP_sha512, AWSLC_NOT_APPROVED},
+};
+
+class TLS13KDF_ServiceIndicatorTest
+    : public TestWithNoErrors<TLS13KDFTestVector> {};
+
+INSTANTIATE_TEST_SUITE_P(All, TLS13KDF_ServiceIndicatorTest,
+                         testing::ValuesIn(kTLS13KDFTestVectors));
+
+TEST_P(TLS13KDF_ServiceIndicatorTest, HKDFExpandLabel) {
+  const TLS13KDFTestVector &test = GetParam();
+
+  static const uint8_t kLabel[] = "c e traffic";
+  static const uint8_t kHash[32] = {0};
+  FIPSStatus approved = AWSLC_NOT_APPROVED;
+
+  uint8_t output[32];
+  CALL_SERVICE_AND_CHECK_APPROVED(
+      approved,
+      ASSERT_TRUE(CRYPTO_tls13_hkdf_expand_label(
+          output, sizeof(output), test.func(), kTLSSecret, sizeof(kTLSSecret),
+          kLabel, sizeof(kLabel) - 1, kHash, sizeof(kHash))));
+  EXPECT_EQ(approved, test.expect_approved);
+}
+
 // PBKDF2 test data from RFC 6070.
 //
 // Set 1 - short password/salt; these are too short for FIPS, so they'll

crypto/fipsmodule/tls/kdf.c

@@ -3,9 +3,11 @@
 
 #include <assert.h>
 
+#include <openssl/bytestring.h>
 #include <openssl/digest.h>
 #include <openssl/hkdf.h>
 #include <openssl/hmac.h>
+#include <openssl/kdf.h>
 #include <openssl/mem.h>
 
 #include "../../internal.h"
@@ -127,3 +129,67 @@ int CRYPTO_tls1_prf(const EVP_MD *digest,
   }
   return ret;
 }
+
+int CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len,
+                                   const EVP_MD *digest,
+                                   const uint8_t *secret, size_t secret_len,
+                                   const uint8_t *label, size_t label_len,
+                                   const uint8_t *hash, size_t hash_len) {
+  // Lock the FIPS service indicator so the underlying HKDF-Expand (which
+  // itself locks via HMAC) does not bump the indicator counter. We release and
+  // update based on the digest at the end.
+  FIPS_service_indicator_lock_state();
+  SET_DIT_AUTO_RESET;
+
+  static const uint8_t kProtocolLabel[] = "tls13 ";
+  static const size_t kProtocolLabelLen = sizeof(kProtocolLabel) - 1;
+
+  CBB cbb, child;
+  uint8_t *hkdf_label = NULL;
+  size_t hkdf_label_len = 0;
+  int ret = 0;
+
+  CBB_zero(&cbb);
+  // RFC 8446 Section 7.1 constrains the HkdfLabel.length field to a uint16 and
+  // the HkdfLabel.label field to |opaque label<7..255>|. Since |kProtocolLabel|
+  // ("tls13 ") is 6 bytes, the caller-provided |label| must be at least 1 byte
+  // for the combined label to satisfy the RFC lower bound. The upper bound
+  // (combined label <= 255) and the |hash_len| bound are enforced implicitly by
+  // the CBB length-prefixed calls below.
+  if (out_len > UINT16_MAX || label_len == 0) {
+    goto end;
+  }
+
+  // Construct the HkdfLabel structure per RFC 8446 Section 7.1:
+  //   struct {
+  //       uint16 length = Length;
+  //       opaque label<7..255> = "tls13 " + Label;
+  //       opaque context<0..255> = Context;
+  //   };
+  // The CBB_add_u16 / CBB_add_u8_length_prefixed calls implicitly enforce the
+  // RFC-mandated length upper bounds and will fail if |out_len| does not fit
+  // in a |uint16_t|, if the "tls13 "-prefixed label exceeds 255 bytes, or if
+  // |hash| exceeds 255 bytes.
+  if (!CBB_init(&cbb, 2 + 1 + kProtocolLabelLen + label_len + 1 + hash_len) ||
+      !CBB_add_u16(&cbb, out_len) ||
+      !CBB_add_u8_length_prefixed(&cbb, &child) ||
+      !CBB_add_bytes(&child, kProtocolLabel, kProtocolLabelLen) ||
+      !CBB_add_bytes(&child, label, label_len) ||
+      !CBB_add_u8_length_prefixed(&cbb, &child) ||
+      !CBB_add_bytes(&child, hash, hash_len) ||
+      !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {
+    goto end;
+  }
+
+  ret = HKDF_expand(out, out_len, digest, secret, secret_len, hkdf_label,
+                    hkdf_label_len);
+
+end:
+  CBB_cleanup(&cbb);
+  OPENSSL_free(hkdf_label);
+  FIPS_service_indicator_unlock_state();
+  if (ret) {
+    TLS13_KDF_verify_service_indicator(digest);
+  }
+  return ret;
+}

include/openssl/kdf.h

@@ -25,6 +25,22 @@ OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
                                    const uint8_t *seed1, size_t seed1_len,
                                    const uint8_t *seed2, size_t seed2_len);
 
+// CRYPTO_tls13_hkdf_expand_label computes the TLS 1.3 HKDF-Expand-Label
+// function as defined in RFC 8446, Section 7.1. It derives |out_len| bytes of
+// output into |out| using |digest| as the underlying HMAC hash, |secret| as
+// the HKDF pseudorandom key, |label| (which is prefixed with "tls13 "
+// internally) and |hash| (the context/transcript hash). |out_len| must fit in
+// a |uint16_t|, |label_len| must be between 1 and 249 inclusive so that the
+// "tls13 "-prefixed label satisfies the RFC 8446 |opaque label<7..255>|
+// bounds, and |hash_len| must be at most 255. Under FIPS, the operation is
+// approved when |digest| is SHA2-256 or SHA2-384. It returns one on success
+// and zero on error.
+OPENSSL_EXPORT int CRYPTO_tls13_hkdf_expand_label(
+    uint8_t *out, size_t out_len, const EVP_MD *digest,
+    const uint8_t *secret, size_t secret_len,
+    const uint8_t *label, size_t label_len,
+    const uint8_t *hash, size_t hash_len);
+
 // SSKDF_digest computes the One-step key derivation using the
 // provided digest algorithm as the backing PRF. This algorithm
 // may be referred to as "Single-Step KDF" or "NIST Concatenation KDF" by other

ssl/tls13_enc.cc

@@ -14,6 +14,7 @@
 #include <openssl/digest.h>
 #include <openssl/hkdf.h>
 #include <openssl/hmac.h>
+#include <openssl/kdf.h>
 #include <openssl/mem.h>
 
 #include "../crypto/internal.h"
@@ -84,27 +85,10 @@ static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest,
                               Span<const uint8_t> secret,
                               Span<const char> label,
                               Span<const uint8_t> hash) {
-  Span<const char> protocol_label = label_to_span("tls13 ");
-  ScopedCBB cbb;
-  CBB child;
-  Array<uint8_t> hkdf_label;
-  if (!CBB_init(cbb.get(), 2 + 1 + protocol_label.size() + label.size() + 1 +
-                               hash.size()) ||
-      !CBB_add_u16(cbb.get(), out.size()) ||
-      !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
-      !CBB_add_bytes(&child,
-                     reinterpret_cast<const uint8_t *>(protocol_label.data()),
-                     protocol_label.size()) ||
-      !CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(label.data()),
-                     label.size()) ||
-      !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
-      !CBB_add_bytes(&child, hash.data(), hash.size()) ||
-      !CBBFinishArray(cbb.get(), &hkdf_label)) {
-    return false;
-  }
-
-  return HKDF_expand(out.data(), out.size(), digest, secret.data(),
-                     secret.size(), hkdf_label.data(), hkdf_label.size());
+  return CRYPTO_tls13_hkdf_expand_label(
+             out.data(), out.size(), digest, secret.data(), secret.size(),
+             reinterpret_cast<const uint8_t *>(label.data()), label.size(),
+             hash.data(), hash.size()) == 1;
 }
 
 static const char kTLS13LabelDerived[] = "derived";

util/fipstools/acvp/modulewrapper/modulewrapper.cc

@@ -3278,39 +3278,22 @@ static bool HKDFExpandLabel(const Span<const uint8_t> args[],
   }
   memcpy(&out_len, out_len_bytes.data(), sizeof(out_len));
 
-  // Construct the HkdfLabel structure per RFC 8446 Section 7.1:
-  //   struct {
-  //       uint16 length = Length;
-  //       opaque label<7..255> = "tls13 " + Label;
-  //       opaque context<0..255> = Context;
-  //   };
-  static const char kProtocolLabel[] = "tls13 ";
-  const size_t protocol_label_len = sizeof(kProtocolLabel) - 1;
-  const size_t full_label_len = protocol_label_len + label.size();
-
-  // RFC 8446 constrains |length| to uint16, |label| to 7..255 bytes, and
-  // |context| to 0..255 bytes. Reject anything that would not round-trip
-  // through the 1- and 2-byte length fields below.
-  if (out_len > 0xffff || full_label_len > 255 ||
-      transcript_hash.size() > 255) {
+  // RFC 8446 Section 7.1 caps HkdfLabel.length at a uint16_t; reject oversized
+  // requests up front so we don't attempt a multi-GiB |std::vector| allocation
+  // only to have CRYPTO_tls13_hkdf_expand_label reject the size internally.
+  if (out_len > 0xFFFF) {
     return false;
   }
 
-  std::vector<uint8_t> info;
-  info.push_back(static_cast<uint8_t>(out_len >> 8));
-  info.push_back(static_cast<uint8_t>(out_len));
-  info.push_back(static_cast<uint8_t>(full_label_len));
-  info.insert(info.end(), kProtocolLabel, kProtocolLabel + protocol_label_len);
-  info.insert(info.end(), label.data(), label.data() + label.size());
-  info.push_back(static_cast<uint8_t>(transcript_hash.size()));
-  info.insert(info.end(), transcript_hash.data(),
-              transcript_hash.data() + transcript_hash.size());
-
   std::vector<uint8_t> out(out_len);
-  // Qualify with :: to unambiguously select the C library function and avoid
-  // colliding with the same-namespace HKDF_expand template defined below.
-  if (!::HKDF_expand(out.data(), out_len, md, secret.data(), secret.size(),
-                     info.data(), info.size())) {
+  // Delegate the "tls13 " prefix + HkdfLabel construction (RFC 8446 §7.1)
+  // and the RFC-mandated length-bound enforcement to the FIPS-module-internal
+  // CRYPTO_tls13_hkdf_expand_label so ACVP exercises the same code path used
+  // by ssl/tls13_enc.cc.
+  if (!CRYPTO_tls13_hkdf_expand_label(out.data(), out_len, md, secret.data(),
+                                      secret.size(), label.data(),
+                                      label.size(), transcript_hash.data(),
+                                      transcript_hash.size())) {
     return false;
   }
 

util/fipstools/break-kat.go

@@ -27,6 +27,7 @@ var (
 		"SHA3-256":                         "d83c721ee51b060c5a41438a8221e040",
 		"HKDF-SHA-256":                     "ca5e6410e7a52332fe0ab3601212a7d3dbdf55a162af42a5daf38b94f24523477e880dd711508684cc21",
 		"TLS-KDF":                          "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731",
+		"TLS13-KDF":                        "024a0d80f357f2499a1244dac26dab66fc13ed85fca71dace146211119525874",
 		"PBKDF2":                           "4157532d4c434649505370617373776f7264",
 		"SSKDF":                            "39a1e2b3899e87efecf6271282d8f8008f252686dd35bfc39a0f71478da48c691565cee431254dd50cab7462c6cf199be9bf5c",
 		"KBKDF":                            "dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0",

util/fipstools/test_fips.c

@@ -461,6 +461,20 @@ int main(int argc, char **argv) {
   printf("  got ");
   hexdump(tls_output, sizeof(tls_output));
 
+  /* TLS 1.3 KDF (HKDF-Expand-Label) */
+  printf("About to run TLS 1.3 KDF\n");
+  uint8_t tls13_output[32];
+  static const uint8_t kTLS13Label[] = "c e traffic";
+  if (!CRYPTO_tls13_hkdf_expand_label(
+          tls13_output, sizeof(tls13_output), EVP_sha256(), kAESKey,
+          sizeof(kAESKey), kTLS13Label, sizeof(kTLS13Label) - 1,
+          kPlaintextSHA256, sizeof(kPlaintextSHA256))) {
+    fprintf(stderr, "TLS 1.3 KDF failed.\n");
+    goto err;
+  }
+  printf("  got ");
+  hexdump(tls13_output, sizeof(tls13_output));
+
   /* FFDH */
   printf("About to compute FFDH key-agreement:\n");
   DH *dh = DH_get_rfc7919_2048();