crypto/internal/fips140test: add TLS-v1.3 ACVP tests

Adds ACVP test coverage for the SP 800-56Crev2 IG 2.4.B TLS v1.3 KDF
based on the NIST spec:

  https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html

Only SHA2-256 and SHA2-384 are valid hash algorithms for the TLS1.3 KDF
algorithm.

The BoringSSL acvptool "lowers" the more complicated TLS 1.3 KDF ACVP
test cases into simple invocations of our module wrapper's pre-existing
HKDF commands, and the new "HKDFExtract/$HASH" and
"HKDFExpandLabel/$HASH" commands added in this branch.

Updates #69642

Change-Id: I5fb1af5b5b33c1845b27cf8968e6523e89bcc589
Reviewed-on: https://go-review.googlesource.com/c/go/+/636117
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

Author: cpu

src/crypto/internal/fips140test/acvp_capabilities.json

@@ -61,5 +61,6 @@
   {"algorithm":"ACVP-AES-GCM","direction":["encrypt","decrypt"],"keyLen":[128,192,256],"payloadLen":[{"min":0,"max":65536,"increment":8}],"aadLen":[{"min":0,"max":65536,"increment":8}],"tagLen":[128],"ivLen":[96],"ivGen":"internal","ivGenMode":"8.2.2","revision":"1.0"},
   {"algorithm":"CMAC-AES","capabilities":[{"direction":["gen","ver"],"msgLen":[{"min":0,"max":524288,"increment":8}],"keyLen":[128,256],"macLen":[{"min":8,"max":128,"increment":8}]}],"revision":"1.0"},
 
-  {"algorithm":"TLS-v1.2","mode":"KDF","revision":"RFC7627","hashAlg":["SHA2-256","SHA2-384","SHA2-512"]}
+  {"algorithm":"TLS-v1.2","mode":"KDF","revision":"RFC7627","hashAlg":["SHA2-256","SHA2-384","SHA2-512"]},
+  {"algorithm":"TLS-v1.3","mode":"KDF","revision":"RFC8446","hmacAlg":["SHA2-256","SHA2-384"],"runningMode":["DHE","PSK","PSK-DHE"]}
 ]

src/crypto/internal/fips140test/acvp_test.config.json

@@ -44,5 +44,6 @@
 
   {"Wrapper": "go", "In": "vectors/CMAC-AES.bz2", "Out": "expected/CMAC-AES.bz2"},
 
-  {"Wrapper": "go", "In": "vectors/TLS-v1.2.bz2", "Out": "expected/TLS-v1.2.bz2"}
+  {"Wrapper": "go", "In": "vectors/TLS-v1.2.bz2", "Out": "expected/TLS-v1.2.bz2"},
+  {"Wrapper": "go", "In": "vectors/TLS-v1.3.bz2", "Out": "expected/TLS-v1.3.bz2"}
 ]

src/crypto/internal/fips140test/acvp_test.go

@@ -38,6 +38,7 @@ import (
 	"crypto/internal/fips140/sha512"
 	"crypto/internal/fips140/subtle"
 	"crypto/internal/fips140/tls12"
+	"crypto/internal/fips140/tls13"
 	"crypto/rand"
 	_ "embed"
 	"encoding/binary"
@@ -117,6 +118,8 @@ var (
 	//   https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-kdf-hkdf.html#section-7.3
 	// TLS 1.2 KDF algorithm capabilities:
 	//   https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-tls.html#section-7.2
+	// TLS 1.3 KDF algorithm capabilities:
+	//   https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html#section-7.2
 	//go:embed acvp_capabilities.json
 	capabilitiesJson []byte
 
@@ -181,6 +184,11 @@ var (
 		"HKDF/SHA3-384":     cmdHkdfAft(func() fips140.Hash { return sha3.New384() }),
 		"HKDF/SHA3-512":     cmdHkdfAft(func() fips140.Hash { return sha3.New512() }),
 
+		"HKDFExtract/SHA2-256":     cmdHkdfExtractAft(func() fips140.Hash { return sha256.New() }),
+		"HKDFExtract/SHA2-384":     cmdHkdfExtractAft(func() fips140.Hash { return sha512.New384() }),
+		"HKDFExpandLabel/SHA2-256": cmdHkdfExpandLabelAft(func() fips140.Hash { return sha256.New() }),
+		"HKDFExpandLabel/SHA2-384": cmdHkdfExpandLabelAft(func() fips140.Hash { return sha512.New384() }),
+
 		"PBKDF": cmdPbkdf(),
 
 		"ML-KEM-768/keyGen":  cmdMlKem768KeyGenAft(),
@@ -537,6 +545,32 @@ func cmdHkdfAft(h func() fips140.Hash) command {
 	}
 }
 
+func cmdHkdfExtractAft(h func() fips140.Hash) command {
+	return command{
+		requiredArgs: 2, // secret, salt
+		handler: func(args [][]byte) ([][]byte, error) {
+			secret := args[0]
+			salt := args[1]
+
+			return [][]byte{hkdf.Extract(h, secret, salt)}, nil
+		},
+	}
+}
+
+func cmdHkdfExpandLabelAft(h func() fips140.Hash) command {
+	return command{
+		requiredArgs: 4, // output length, secret, label, transcript hash
+		handler: func(args [][]byte) ([][]byte, error) {
+			keyLen := int(binary.LittleEndian.Uint32(args[0]))
+			secret := args[1]
+			label := args[2]
+			transcriptHash := args[3]
+
+			return [][]byte{tls13.ExpandLabel(h, secret, string(label), transcriptHash, keyLen)}, nil
+		},
+	}
+}
+
 func cmdPbkdf() command {
 	return command{
 		// Hash name, key length, salt, password, iteration count