Add FIPS test for SPDM Key Schedule

fix #3082

Signed-off-by: Aaron Li <[email protected]>

Author: Li-Aaron

include/hal/library/requester/psklib.h

@@ -53,6 +53,56 @@ extern bool libspdm_psk_master_secret_hkdf_expand(
     const uint8_t *psk_hint, size_t psk_hint_size,
     const uint8_t *info, size_t info_size,
     uint8_t *out, size_t out_size);
+
+#if LIBSPDM_FIPS_MODE
+/**
+ * Derive HMAC-based Expand key Derivation Function (HKDF) Expand, based upon the negotiated HKDF
+ * algorithm, this API is only used for FIPS test.
+ *
+ * @param  base_hash_algo  Indicates the hash algorithm.
+ * @param  psk             Pointer to the input PSK.
+ * @param  psk_size        PSK size in bytes.
+ * @param  info            Pointer to the application specific info.
+ * @param  info_size       Info size in bytes.
+ * @param  out             Pointer to buffer to receive HKDF value.
+ * @param  out_size        Size of HKDF bytes to generate.
+ *
+ * @retval true   HKDF generated successfully.
+ * @retval false  HKDF generation failed.
+ **/
+extern bool libspdm_psk_handshake_secret_hkdf_expand_ex(
+    spdm_version_number_t spdm_version,
+    uint32_t base_hash_algo,
+    const uint8_t *psk,
+    size_t psk_size,
+    const uint8_t *info,
+    size_t info_size,
+    uint8_t *out, size_t out_size);
+
+/**
+ * Derive HMAC-based Expand key Derivation Function (HKDF) Expand, based upon the negotiated HKDF
+ * algorithm, this API is only used for FIPS test.
+ *
+ * @param  base_hash_algo  Indicates the hash algorithm.
+ * @param  psk             Pointer to the input PSK.
+ * @param  psk_size        PSK size in bytes.
+ * @param  info            Pointer to the application specific info.
+ * @param  info_size       Info size in bytes.
+ * @param  out             Pointer to buffer to receive HKDF value.
+ * @param  out_size        Size of HKDF bytes to generate.
+ *
+ * @retval true   HKDF generated successfully.
+ * @retval false  HKDF generation failed.
+ **/
+extern bool libspdm_psk_master_secret_hkdf_expand_ex(
+    spdm_version_number_t spdm_version,
+    uint32_t base_hash_algo,
+    const uint8_t *psk,
+    size_t psk_size,
+    const uint8_t *info,
+    size_t info_size,
+    uint8_t *out, size_t out_size);
+#endif /* LIBSPDM_FIPS_MODE */
 #endif /* LIBSPDM_ENABLE_CAPABILITY_PSK_CAP */
 
 #endif /* REQUESTER_PSKLIB_H */

include/hal/library/responder/psklib.h

@@ -54,6 +54,56 @@ extern bool libspdm_psk_master_secret_hkdf_expand(
     const uint8_t *psk_hint, size_t psk_hint_size,
     const uint8_t *info, size_t info_size,
     uint8_t *out, size_t out_size);
+
+#if LIBSPDM_FIPS_MODE
+/**
+ * Derive HMAC-based Expand key Derivation Function (HKDF) Expand, based upon the negotiated HKDF
+ * algorithm, this API is only used for FIPS test.
+ *
+ * @param  base_hash_algo  Indicates the hash algorithm.
+ * @param  psk             Pointer to the input PSK.
+ * @param  psk_size        PSK size in bytes.
+ * @param  info            Pointer to the application specific info.
+ * @param  info_size       Info size in bytes.
+ * @param  out             Pointer to buffer to receive HKDF value.
+ * @param  out_size        Size of HKDF bytes to generate.
+ *
+ * @retval true   HKDF generated successfully.
+ * @retval false  HKDF generation failed.
+ **/
+extern bool libspdm_psk_handshake_secret_hkdf_expand_ex(
+    spdm_version_number_t spdm_version,
+    uint32_t base_hash_algo,
+    const uint8_t *psk,
+    size_t psk_size,
+    const uint8_t *info,
+    size_t info_size,
+    uint8_t *out, size_t out_size);
+
+/**
+ * Derive HMAC-based Expand key Derivation Function (HKDF) Expand, based upon the negotiated HKDF
+ * algorithm, this API is only used for FIPS test.
+ *
+ * @param  base_hash_algo  Indicates the hash algorithm.
+ * @param  psk             Pointer to the input PSK.
+ * @param  psk_size        PSK size in bytes.
+ * @param  info            Pointer to the application specific info.
+ * @param  info_size       Info size in bytes.
+ * @param  out             Pointer to buffer to receive HKDF value.
+ * @param  out_size        Size of HKDF bytes to generate.
+ *
+ * @retval true   HKDF generated successfully.
+ * @retval false  HKDF generation failed.
+ **/
+extern bool libspdm_psk_master_secret_hkdf_expand_ex(
+    spdm_version_number_t spdm_version,
+    uint32_t base_hash_algo,
+    const uint8_t *psk,
+    size_t psk_size,
+    const uint8_t *info,
+    size_t info_size,
+    uint8_t *out, size_t out_size);
+#endif /* LIBSPDM_FIPS_MODE */
 #endif /* LIBSPDM_ENABLE_CAPABILITY_PSK_CAP */
 
 #endif /* RESPONDER_PSKLIB_H */

include/internal/libspdm_fips_lib.h

@@ -26,6 +26,7 @@
 #define LIBSPDM_FIPS_SELF_TEST_ML_KEM        0x00020000
 #define LIBSPDM_FIPS_SELF_TEST_ML_DSA        0x00040000
 #define LIBSPDM_FIPS_SELF_TEST_SLH_DSA       0x00080000
+#define LIBSPDM_FIPS_SELF_TEST_KEY_SCHEDULE  0x00100000
 
 #if LIBSPDM_SLH_DSA_SUPPORT
 #define LIBSPDM_FIPS_REQUIRED_BUFFER_SIZE 7856 /* SLH_DSA_SHA2_128S_SIG_SIZE */
@@ -131,4 +132,9 @@ bool libspdm_fips_selftest_mldsa(void *fips_selftest_context);
  **/
 bool libspdm_fips_selftest_slhdsa(void *fips_selftest_context);
 
+/**
+ * SPDM KDF self_test
+ */
+bool libspdm_fips_selftest_key_schedule(void *fips_selftest_context);
+
 #endif/*LIBSPDM_FIPS_MODE*/

library/spdm_crypt_lib/CMakeLists.txt

@@ -39,4 +39,5 @@ target_sources(spdm_crypt_lib
         fips/libspdm_selftest_mldsa_vec.c
         fips/libspdm_selftest_slhdsa.c
         fips/libspdm_selftest_slhdsa_vec.c
+        fips/libspdm_selftest_key_schedule.c
 )

library/spdm_crypt_lib/fips/libspdm_selftest.c

@@ -51,6 +51,8 @@ bool libspdm_fips_run_selftest(void *fips_selftest_context)
 
     libspdm_fips_selftest_slhdsa(context);
 
+    libspdm_fips_selftest_key_schedule(context);
+
     return (context->tested_algo == context->self_test_result);
 }