crypto/internal/fips140: use hash.Hash

Since package hash is just the interface definition, not an
implementation, we can make a good argument that it doesn't impact the
security of the module and can be imported from outside.

For golang#69521

Change-Id: I6a6a4656b9c3cac8bb9ab8e8df11fa3238dc5d1d
Reviewed-on: https://go-review.googlesource.com/c/go/+/674917
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Daniel McCarney <[email protected]>
Reviewed-by: David Chase <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>

Author: FiloSottile

src/crypto/internal/fips140/ecdsa/ecdsa.go

@@ -11,6 +11,7 @@ import (
 	"crypto/internal/fips140/drbg"
 	"crypto/internal/fips140/nistec"
 	"errors"
+	"hash"
 	"io"
 	"sync"
 )
@@ -271,7 +272,7 @@ type Signature struct {
 // the hash function H) using the private key, priv. If the hash is longer than
 // the bit-length of the private key's curve order, the hash will be truncated
 // to that length.
-func Sign[P Point[P], H fips140.Hash](c *Curve[P], h func() H, priv *PrivateKey, rand io.Reader, hash []byte) (*Signature, error) {
+func Sign[P Point[P], H hash.Hash](c *Curve[P], h func() H, priv *PrivateKey, rand io.Reader, hash []byte) (*Signature, error) {
 	if priv.pub.curve != c.curve {
 		return nil, errors.New("ecdsa: private key does not match curve")
 	}
@@ -304,7 +305,7 @@ func Sign[P Point[P], H fips140.Hash](c *Curve[P], h func() H, priv *PrivateKey,
 // hash is longer than the bit-length of the private key's curve order, the hash
 // will be truncated to that length. This applies Deterministic ECDSA as
 // specified in FIPS 186-5 and RFC 6979.
-func SignDeterministic[P Point[P], H fips140.Hash](c *Curve[P], h func() H, priv *PrivateKey, hash []byte) (*Signature, error) {
+func SignDeterministic[P Point[P], H hash.Hash](c *Curve[P], h func() H, priv *PrivateKey, hash []byte) (*Signature, error) {
 	if priv.pub.curve != c.curve {
 		return nil, errors.New("ecdsa: private key does not match curve")
 	}

src/crypto/internal/fips140/ecdsa/hmacdrbg.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"crypto/internal/fips140"
 	"crypto/internal/fips140/hmac"
+	"hash"
 )
 
 // hmacDRBG is an SP 800-90A Rev. 1 HMAC_DRBG.
@@ -48,7 +49,7 @@ type personalizationString interface {
 	isPersonalizationString()
 }
 
-func newDRBG[H fips140.Hash](hash func() H, entropy, nonce []byte, s personalizationString) *hmacDRBG {
+func newDRBG[H hash.Hash](hash func() H, entropy, nonce []byte, s personalizationString) *hmacDRBG {
 	// HMAC_DRBG_Instantiate_algorithm, per Section 10.1.2.3.
 	fips140.RecordApproved()
 
@@ -121,7 +122,7 @@ func newDRBG[H fips140.Hash](hash func() H, entropy, nonce []byte, s personaliza
 //
 // This should only be used for ACVP testing. hmacDRBG is not intended to be
 // used directly.
-func TestingOnlyNewDRBG(hash func() fips140.Hash, entropy, nonce []byte, s []byte) *hmacDRBG {
+func TestingOnlyNewDRBG(hash func() hash.Hash, entropy, nonce []byte, s []byte) *hmacDRBG {
 	return newDRBG(hash, entropy, nonce, plainPersonalizationString(s))
 }
 

src/crypto/internal/fips140/fips140.go

@@ -7,6 +7,7 @@ package fips140
 import (
 	"crypto/internal/fips140deps/godebug"
 	"errors"
+	"hash"
 	"runtime"
 )
 
@@ -69,3 +70,9 @@ func Version() string {
 	// moved to a different file.
 	return "latest" //mkzip:version
 }
+
+// Hash is a legacy compatibility alias for hash.Hash.
+//
+// It's only here because [crypto/internal/fips140/ecdsa.TestingOnlyNewDRBG]
+// takes a "func() fips140.Hash" in v1.0.0, instead of being generic.
+type Hash = hash.Hash

src/crypto/internal/fips140/hash.go

@@ -7,9 +7,10 @@ package hkdf
 import (
 	"crypto/internal/fips140"
 	"crypto/internal/fips140/hmac"
+	"hash"
 )
 
-func Extract[H fips140.Hash](h func() H, secret, salt []byte) []byte {
+func Extract[H hash.Hash](h func() H, secret, salt []byte) []byte {
 	if len(secret) < 112/8 {
 		fips140.RecordNonApproved()
 	}
@@ -23,7 +24,7 @@ func Extract[H fips140.Hash](h func() H, secret, salt []byte) []byte {
 	return extractor.Sum(nil)
 }
 
-func Expand[H fips140.Hash](h func() H, pseudorandomKey []byte, info string, keyLen int) []byte {
+func Expand[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLen int) []byte {
 	out := make([]byte, 0, keyLen)
 	expander := hmac.New(h, pseudorandomKey)
 	hmac.MarkAsUsedInKDF(expander)
@@ -50,7 +51,7 @@ func Expand[H fips140.Hash](h func() H, pseudorandomKey []byte, info string, key
 	return out
 }
 
-func Key[H fips140.Hash](h func() H, secret, salt []byte, info string, keyLen int) []byte {
+func Key[H hash.Hash](h func() H, secret, salt []byte, info string, keyLen int) []byte {
 	prk := Extract(h, secret, salt)
 	return Expand(h, prk, info, keyLen)
 }

src/crypto/internal/fips140/hkdf/hkdf.go

@@ -12,6 +12,7 @@ import (
 	"crypto/internal/fips140/sha256"
 	"crypto/internal/fips140/sha3"
 	"crypto/internal/fips140/sha512"
+	"hash"
 )
 
 // key is zero padded to the block size of the hash function
@@ -29,7 +30,7 @@ type marshalable interface {
 
 type HMAC struct {
 	opad, ipad   []byte
-	outer, inner fips140.Hash
+	outer, inner hash.Hash
 
 	// If marshaled is true, then opad and ipad do not contain a padded
 	// copy of the key, but rather the marshaled state of outer/inner after
@@ -127,8 +128,8 @@ func (h *HMAC) Reset() {
 	h.marshaled = true
 }
 
-// New returns a new HMAC hash using the given [fips140.Hash] type and key.
-func New[H fips140.Hash](h func() H, key []byte) *HMAC {
+// New returns a new HMAC hash using the given [hash.Hash] type and key.
+func New[H hash.Hash](h func() H, key []byte) *HMAC {
 	hm := &HMAC{keyLen: len(key)}
 	hm.outer = h()
 	hm.inner = h()

src/crypto/internal/fips140/hmac/hmac.go

@@ -8,6 +8,7 @@ import (
 	"crypto/internal/fips140"
 	"crypto/internal/fips140/hmac"
 	"errors"
+	"hash"
 )
 
 // divRoundUp divides x+y-1 by y, rounding up if the result is not whole.
@@ -19,7 +20,7 @@ func divRoundUp(x, y int) int {
 	return int((int64(x) + int64(y) - 1) / int64(y))
 }
 
-func Key[Hash fips140.Hash](h func() Hash, password string, salt []byte, iter, keyLength int) ([]byte, error) {
+func Key[Hash hash.Hash](h func() Hash, password string, salt []byte, iter, keyLength int) ([]byte, error) {
 	setServiceIndicator(salt, keyLength)
 
 	if keyLength <= 0 {

src/crypto/internal/fips140/pbkdf2/pbkdf2.go

@@ -16,6 +16,7 @@ import (
 	"crypto/internal/fips140/sha512"
 	"crypto/internal/fips140/subtle"
 	"errors"
+	"hash"
 	"io"
 )
 
@@ -48,7 +49,7 @@ func incCounter(c *[4]byte) {
 
 // mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function
 // specified in PKCS #1 v2.1.
-func mgf1XOR(out []byte, hash fips140.Hash, seed []byte) {
+func mgf1XOR(out []byte, hash hash.Hash, seed []byte) {
 	var counter [4]byte
 	var digest []byte
 
@@ -67,7 +68,7 @@ func mgf1XOR(out []byte, hash fips140.Hash, seed []byte) {
 	}
 }
 
-func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash fips140.Hash) ([]byte, error) {
+func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) {
 	// See RFC 8017, Section 9.1.1.
 
 	hLen := hash.Size()
@@ -144,7 +145,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash fips140.Hash) ([]
 
 const pssSaltLengthAutodetect = -1
 
-func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash fips140.Hash) error {
+func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
 	// See RFC 8017, Section 9.1.2.
 
 	hLen := hash.Size()
@@ -250,7 +251,7 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash fips140.Hash) error
 
 // PSSMaxSaltLength returns the maximum salt length for a given public key and
 // hash function.
-func PSSMaxSaltLength(pub *PublicKey, hash fips140.Hash) (int, error) {
+func PSSMaxSaltLength(pub *PublicKey, hash hash.Hash) (int, error) {
 	saltLength := (pub.N.BitLen()-1+7)/8 - 2 - hash.Size()
 	if saltLength < 0 {
 		return 0, ErrMessageTooLong
@@ -264,7 +265,7 @@ func PSSMaxSaltLength(pub *PublicKey, hash fips140.Hash) (int, error) {
 }
 
 // SignPSS calculates the signature of hashed using RSASSA-PSS.
-func SignPSS(rand io.Reader, priv *PrivateKey, hash fips140.Hash, hashed []byte, saltLength int) ([]byte, error) {
+func SignPSS(rand io.Reader, priv *PrivateKey, hash hash.Hash, hashed []byte, saltLength int) ([]byte, error) {
 	fipsSelfTest()
 	fips140.RecordApproved()
 	checkApprovedHash(hash)
@@ -311,19 +312,19 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash fips140.Hash, hashed []byte,
 }
 
 // VerifyPSS verifies sig with RSASSA-PSS automatically detecting the salt length.
-func VerifyPSS(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte) error {
+func VerifyPSS(pub *PublicKey, hash hash.Hash, digest []byte, sig []byte) error {
 	return verifyPSS(pub, hash, digest, sig, pssSaltLengthAutodetect)
 }
 
 // VerifyPSS verifies sig with RSASSA-PSS and an expected salt length.
-func VerifyPSSWithSaltLength(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte, saltLength int) error {
+func VerifyPSSWithSaltLength(pub *PublicKey, hash hash.Hash, digest []byte, sig []byte, saltLength int) error {
 	if saltLength < 0 {
 		return errors.New("crypto/rsa: salt length cannot be negative")
 	}
 	return verifyPSS(pub, hash, digest, sig, saltLength)
 }
 
-func verifyPSS(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte, saltLength int) error {
+func verifyPSS(pub *PublicKey, hash hash.Hash, digest []byte, sig []byte, saltLength int) error {
 	fipsSelfTest()
 	fips140.RecordApproved()
 	checkApprovedHash(hash)
@@ -359,7 +360,7 @@ func verifyPSS(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte, sal
 	return emsaPSSVerify(digest, em, emBits, saltLength, hash)
 }
 
-func checkApprovedHash(hash fips140.Hash) {
+func checkApprovedHash(hash hash.Hash) {
 	switch hash.(type) {
 	case *sha256.Digest, *sha512.Digest, *sha3.Digest:
 	default:
@@ -368,7 +369,7 @@ func checkApprovedHash(hash fips140.Hash) {
 }
 
 // EncryptOAEP encrypts the given message with RSAES-OAEP.
-func EncryptOAEP(hash, mgfHash fips140.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error) {
+func EncryptOAEP(hash, mgfHash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error) {
 	// Note that while we don't commit to deterministic execution with respect
 	// to the random stream, we also don't apply MaybeReadByte, so per Hyrum's
 	// Law it's probably relied upon by some. It's a tolerable promise because a
@@ -411,7 +412,7 @@ func EncryptOAEP(hash, mgfHash fips140.Hash, random io.Reader, pub *PublicKey, m
 }
 
 // DecryptOAEP decrypts ciphertext using RSAES-OAEP.
-func DecryptOAEP(hash, mgfHash fips140.Hash, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error) {
+func DecryptOAEP(hash, mgfHash hash.Hash, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error) {
 	fipsSelfTest()
 	fips140.RecordApproved()
 	checkApprovedHash(hash)

src/crypto/internal/fips140/rsa/pkcs1v22.go

@@ -7,8 +7,8 @@
 package ssh
 
 import (
-	"crypto/internal/fips140"
 	_ "crypto/internal/fips140/check"
+	"hash"
 )
 
 type Direction struct {
@@ -24,7 +24,7 @@ func init() {
 	ClientKeys = Direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
 }
 
-func Keys[Hash fips140.Hash](hash func() Hash, d Direction,
+func Keys[Hash hash.Hash](hash func() Hash, d Direction,
 	K, H, sessionID []byte,
 	ivKeyLen, keyLen, macKeyLen int,
 ) (ivKey, key, macKey []byte) {

src/crypto/internal/fips140/ssh/kdf.go

@@ -9,11 +9,12 @@ import (
 	"crypto/internal/fips140/hmac"
 	"crypto/internal/fips140/sha256"
 	"crypto/internal/fips140/sha512"
+	"hash"
 )
 
 // PRF implements the TLS 1.2 pseudo-random function, as defined in RFC 5246,
 // Section 5 and allowed by SP 800-135, Revision 1, Section 4.2.2.
-func PRF[H fips140.Hash](hash func() H, secret []byte, label string, seed []byte, keyLen int) []byte {
+func PRF[H hash.Hash](hash func() H, secret []byte, label string, seed []byte, keyLen int) []byte {
 	labelAndSeed := make([]byte, len(label)+len(seed))
 	copy(labelAndSeed, label)
 	copy(labelAndSeed[len(label):], seed)
@@ -24,7 +25,7 @@ func PRF[H fips140.Hash](hash func() H, secret []byte, label string, seed []byte
 }
 
 // pHash implements the P_hash function, as defined in RFC 5246, Section 5.
-func pHash[H fips140.Hash](hash func() H, result, secret, seed []byte) {
+func pHash[H hash.Hash](hash func() H, result, secret, seed []byte) {
 	h := hmac.New(hash, secret)
 	h.Write(seed)
 	a := h.Sum(nil)
@@ -48,7 +49,7 @@ const extendedMasterSecretLabel = "extended master secret"
 
 // MasterSecret implements the TLS 1.2 extended master secret derivation, as
 // defined in RFC 7627 and allowed by SP 800-135, Revision 1, Section 4.2.2.
-func MasterSecret[H fips140.Hash](hash func() H, preMasterSecret, transcript []byte) []byte {
+func MasterSecret[H hash.Hash](hash func() H, preMasterSecret, transcript []byte) []byte {
 	// "The TLS 1.2 KDF is an approved KDF when the following conditions are
 	// satisfied: [...] (3) P_HASH uses either SHA-256, SHA-384 or SHA-512."
 	h := hash()