File openssl-1.1.1-evp-kdf.patch of Package openssl-1_1
5280
1
Index: openssl-1.1.1d/crypto/err/openssl.txt
2
===================================================================
3
--- openssl-1.1.1d.orig/crypto/err/openssl.txt 2020-01-23 13:45:11.124632385 +0100
4
+++ openssl-1.1.1d/crypto/err/openssl.txt 2020-01-23 13:45:31.704754695 +0100
5
6
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
7
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
8
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
9
+EVP_F_EVP_KDF_CTRL:224:EVP_KDF_ctrl
10
+EVP_F_EVP_KDF_CTRL_STR:225:EVP_KDF_ctrl_str
11
+EVP_F_EVP_KDF_CTX_NEW_ID:226:EVP_KDF_CTX_new_id
12
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
13
EVP_F_EVP_MD_SIZE:162:EVP_MD_size
14
EVP_F_EVP_OPENINIT:102:EVP_OpenInit
15
16
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
17
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
18
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
19
+EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl
20
EVP_F_PKEY_SET_TYPE:158:pkey_set_type
21
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
22
EVP_F_RC5_CTRL:125:rc5_ctrl
23
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
24
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
25
+EVP_F_SCRYPT_ALG:228:scrypt_alg
26
EVP_F_UPDATE:173:update
27
+KDF_F_HKDF_EXTRACT:112:HKDF_Extract
28
+KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
29
+KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
30
+KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
31
+KDF_F_KDF_MD2CTRL:116:kdf_md2ctrl
32
+KDF_F_KDF_PBKDF2_CTRL_STR:117:kdf_pbkdf2_ctrl_str
33
+KDF_F_KDF_PBKDF2_DERIVE:118:kdf_pbkdf2_derive
34
+KDF_F_KDF_PBKDF2_NEW:119:kdf_pbkdf2_new
35
+KDF_F_KDF_SCRYPT_CTRL_STR:120:kdf_scrypt_ctrl_str
36
+KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint32
37
+KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64
38
+KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive
39
+KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new
40
+KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
41
+KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
42
+KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
43
+KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf
44
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
45
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
46
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
47
48
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
49
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
50
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
51
+KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf
52
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
53
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
54
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
55
56
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
57
operation not supported for this keytype
58
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
59
+EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
60
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
61
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
62
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
63
64
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
65
KDF_R_VALUE_ERROR:108:value error
66
KDF_R_VALUE_MISSING:102:value missing
67
+KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
68
OBJ_R_OID_EXISTS:102:oid exists
69
OBJ_R_UNKNOWN_NID:101:unknown nid
70
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
71
Index: openssl-1.1.1d/crypto/evp/build.info
72
===================================================================
73
--- openssl-1.1.1d.orig/crypto/evp/build.info 2019-09-10 15:13:07.000000000 +0200
74
+++ openssl-1.1.1d/crypto/evp/build.info 2020-01-23 13:45:11.468634429 +0100
75
76
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
77
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
78
c_allc.c c_alld.c evp_lib.c bio_ok.c \
79
- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
80
+ evp_pkey.c kdf_lib.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
81
+ pkey_kdf.c \
82
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
83
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
84
e_chacha20_poly1305.c cmeth_lib.c
85
Index: openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c
86
===================================================================
87
--- openssl-1.1.1d.orig/crypto/evp/e_chacha20_poly1305.c 2019-09-10 15:13:07.000000000 +0200
88
+++ openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c 2020-01-23 13:45:11.468634429 +0100
89
90
91
# include <openssl/evp.h>
92
# include <openssl/objects.h>
93
-# include "evp_locl.h"
94
# include "internal/evp_int.h"
95
+# include "evp_locl.h"
96
# include "internal/chacha.h"
97
98
typedef struct {
99
Index: openssl-1.1.1d/crypto/evp/encode.c
100
===================================================================
101
--- openssl-1.1.1d.orig/crypto/evp/encode.c 2019-09-10 15:13:07.000000000 +0200
102
+++ openssl-1.1.1d/crypto/evp/encode.c 2020-01-23 13:45:11.468634429 +0100
103
104
#include <limits.h>
105
#include "internal/cryptlib.h"
106
#include <openssl/evp.h>
107
-#include "evp_locl.h"
108
#include "internal/evp_int.h"
109
+#include "evp_locl.h"
110
111
static unsigned char conv_ascii2bin(unsigned char a,
112
const unsigned char *table);
113
Index: openssl-1.1.1d/crypto/evp/evp_err.c
114
===================================================================
115
--- openssl-1.1.1d.orig/crypto/evp/evp_err.c 2020-01-23 13:45:11.228633003 +0100
116
+++ openssl-1.1.1d/crypto/evp/evp_err.c 2020-01-23 13:45:11.468634429 +0100
117
118
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
119
"EVP_EncryptFinal_ex"},
120
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
121
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL, 0), "EVP_KDF_ctrl"},
122
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL_STR, 0), "EVP_KDF_ctrl_str"},
123
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTX_NEW_ID, 0), "EVP_KDF_CTX_new_id"},
124
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},
125
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},
126
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},
127
128
"PKCS5_v2_PBKDF2_keyivgen"},
129
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
130
"PKCS5_v2_scrypt_keyivgen"},
131
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_KDF_CTRL, 0), "pkey_kdf_ctrl"},
132
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
133
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
134
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
135
{ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
136
"r_32_12_16_init_key"},
137
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
138
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
139
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
140
{0, NULL}
141
};
142
143
"operation not supported for this keytype"},
144
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
145
"operaton not initialized"},
146
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
147
+ "parameter too large"},
148
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
149
"partially overlapping buffers"},
150
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
151
Index: openssl-1.1.1d/crypto/evp/evp_locl.h
152
===================================================================
153
--- openssl-1.1.1d.orig/crypto/evp/evp_locl.h 2019-09-10 15:13:07.000000000 +0200
154
+++ openssl-1.1.1d/crypto/evp/evp_locl.h 2020-01-23 13:45:11.468634429 +0100
155
156
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
157
} /* EVP_CIPHER_CTX */ ;
158
159
+struct evp_kdf_ctx_st {
160
+ const EVP_KDF_METHOD *kmeth;
161
+ EVP_KDF_IMPL *impl; /* Algorithm-specific data */
162
+} /* EVP_KDF_CTX */ ;
163
+
164
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
165
int passlen, ASN1_TYPE *param,
166
const EVP_CIPHER *c, const EVP_MD *md,
167
Index: openssl-1.1.1d/crypto/evp/evp_pbe.c
168
===================================================================
169
--- openssl-1.1.1d.orig/crypto/evp/evp_pbe.c 2019-09-10 15:13:07.000000000 +0200
170
+++ openssl-1.1.1d/crypto/evp/evp_pbe.c 2020-01-23 13:45:11.468634429 +0100
171
172
#include <openssl/evp.h>
173
#include <openssl/pkcs12.h>
174
#include <openssl/x509.h>
175
+#include "internal/evp_int.h"
176
#include "evp_locl.h"
177
178
/* Password based encryption (PBE) functions */
179
Index: openssl-1.1.1d/crypto/evp/kdf_lib.c
180
===================================================================
181
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
182
+++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2020-01-23 13:45:31.704754695 +0100
183
184
+/*
185
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
186
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
187
+ *
188
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
189
+ * this file except in compliance with the License. You can obtain a copy
190
+ * in the file LICENSE in the source distribution or at
191
+ * https://www.openssl.org/source/license.html
192
+ */
193
+
194
+#include <stdio.h>
195
+#include <stdlib.h>
196
+#include "internal/cryptlib.h"
197
+#include <openssl/engine.h>
198
+#include <openssl/evp.h>
199
+#include <openssl/x509v3.h>
200
+#include <openssl/kdf.h>
201
+#include "internal/asn1_int.h"
202
+#include "internal/evp_int.h"
203
+#include "internal/numbers.h"
204
+#include "evp_locl.h"
205
+
206
+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
207
+
208
+/* This array needs to be in order of NIDs */
209
+static const EVP_KDF_METHOD *standard_methods[] = {
210
+ &pbkdf2_kdf_meth,
211
+#ifndef OPENSSL_NO_SCRYPT
212
+ &scrypt_kdf_meth,
213
+#endif
214
+ &tls1_prf_kdf_meth,
215
+ &hkdf_kdf_meth
216
+};
217
+
218
+DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
219
+ kmeth);
220
+
221
+static int kmeth_cmp(const EVP_KDF_METHOD *const *a,
222
+ const EVP_KDF_METHOD *const *b)
223
+{
224
+ return ((*a)->type - (*b)->type);
225
+}
226
+
227
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
228
+ kmeth);
229
+
230
+static const EVP_KDF_METHOD *kdf_meth_find(int type)
231
+{
232
+ EVP_KDF_METHOD tmp;
233
+ const EVP_KDF_METHOD *t = &tmp, **ret;
234
+
235
+ tmp.type = type;
236
+ ret = OBJ_bsearch_kmeth(&t, standard_methods,
237
+ OSSL_NELEM(standard_methods));
238
+ if (ret == NULL || *ret == NULL)
239
+ return NULL;
240
+
241
+ return *ret;
242
+}
243
+
244
+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id)
245
+{
246
+ EVP_KDF_CTX *ret;
247
+ const EVP_KDF_METHOD *kmeth;
248
+
249
+ kmeth = kdf_meth_find(id);
250
+ if (kmeth == NULL) {
251
+ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, EVP_R_UNSUPPORTED_ALGORITHM);
252
+ return NULL;
253
+ }
254
+
255
+ ret = OPENSSL_zalloc(sizeof(*ret));
256
+ if (ret == NULL) {
257
+ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, ERR_R_MALLOC_FAILURE);
258
+ return NULL;
259
+ }
260
+
261
+ if (kmeth->new != NULL && (ret->impl = kmeth->new()) == NULL) {
262
+ EVP_KDF_CTX_free(ret);
263
+ return NULL;
264
+ }
265
+
266
+ ret->kmeth = kmeth;
267
+ return ret;
268
+}
269
+
270
+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx)
271
+{
272
+ if (ctx == NULL)
273
+ return;
274
+
275
+ ctx->kmeth->free(ctx->impl);
276
+ OPENSSL_free(ctx);
277
+}
278
+
279
+void EVP_KDF_reset(EVP_KDF_CTX *ctx)
280
+{
281
+ if (ctx == NULL)
282
+ return;
283
+
284
+ if (ctx->kmeth->reset != NULL)
285
+ ctx->kmeth->reset(ctx->impl);
286
+}
287
+
288
+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...)
289
+{
290
+ int ret;
291
+ va_list args;
292
+
293
+ va_start(args, cmd);
294
+ ret = EVP_KDF_vctrl(ctx, cmd, args);
295
+ va_end(args);
296
+
297
+ if (ret == -2)
298
+ EVPerr(EVP_F_EVP_KDF_CTRL, EVP_R_COMMAND_NOT_SUPPORTED);
299
+
300
+ return ret;
301
+}
302
+
303
+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args)
304
+{
305
+ if (ctx == NULL)
306
+ return 0;
307
+
308
+ return ctx->kmeth->ctrl(ctx->impl, cmd, args);
309
+}
310
+
311
+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value)
312
+{
313
+ int ret;
314
+
315
+ if (ctx == NULL)
316
+ return 0;
317
+
318
+ if (ctx->kmeth->ctrl_str == NULL) {
319
+ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
320
+ return -2;
321
+ }
322
+
323
+ ret = ctx->kmeth->ctrl_str(ctx->impl, type, value);
324
+ if (ret == -2)
325
+ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
326
+
327
+ return ret;
328
+}
329
+
330
+size_t EVP_KDF_size(EVP_KDF_CTX *ctx)
331
+{
332
+ if (ctx == NULL)
333
+ return 0;
334
+
335
+ if (ctx->kmeth->size == NULL)
336
+ return SIZE_MAX;
337
+
338
+ return ctx->kmeth->size(ctx->impl);
339
+}
340
+
341
+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen)
342
+{
343
+ if (ctx == NULL)
344
+ return 0;
345
+
346
+ return ctx->kmeth->derive(ctx->impl, key, keylen);
347
+}
348
+
349
Index: openssl-1.1.1d/crypto/evp/p5_crpt2.c
350
===================================================================
351
--- openssl-1.1.1d.orig/crypto/evp/p5_crpt2.c 2019-09-10 15:13:07.000000000 +0200
352
+++ openssl-1.1.1d/crypto/evp/p5_crpt2.c 2020-01-23 13:45:11.468634429 +0100
353
354
/*
355
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
356
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
357
*
358
* Licensed under the OpenSSL license (the "License"). You may not use
359
* this file except in compliance with the License. You can obtain a copy
360
361
#include <stdio.h>
362
#include <stdlib.h>
363
#include "internal/cryptlib.h"
364
-# include <openssl/x509.h>
365
-# include <openssl/evp.h>
366
-# include <openssl/hmac.h>
367
-# include "evp_locl.h"
368
+#include <openssl/x509.h>
369
+#include <openssl/evp.h>
370
+#include <openssl/kdf.h>
371
+#include <openssl/hmac.h>
372
+#include "internal/evp_int.h"
373
+#include "evp_locl.h"
374
375
/* set this to print out info about the keygen algorithm */
376
/* #define OPENSSL_DEBUG_PKCS5V2 */
377
378
-# ifdef OPENSSL_DEBUG_PKCS5V2
379
+#ifdef OPENSSL_DEBUG_PKCS5V2
380
static void h__dump(const unsigned char *p, int len);
381
-# endif
382
-
383
-/*
384
- * This is an implementation of PKCS#5 v2.0 password based encryption key
385
- * derivation function PBKDF2. SHA1 version verified against test vectors
386
- * posted by Peter Gutmann to the PKCS-TNG mailing list.
387
- */
388
+#endif
389
390
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
391
const unsigned char *salt, int saltlen, int iter,
392
const EVP_MD *digest, int keylen, unsigned char *out)
393
{
394
const char *empty = "";
395
- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
396
- int cplen, j, k, tkeylen, mdlen;
397
- unsigned long i = 1;
398
- HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
399
-
400
- mdlen = EVP_MD_size(digest);
401
- if (mdlen < 0)
402
- return 0;
403
+ int rv = 1;
404
+ EVP_KDF_CTX *kctx;
405
406
- hctx_tpl = HMAC_CTX_new();
407
- if (hctx_tpl == NULL)
408
- return 0;
409
- p = out;
410
- tkeylen = keylen;
411
+ /* Keep documented behaviour. */
412
if (pass == NULL) {
413
pass = empty;
414
passlen = 0;
415
} else if (passlen == -1) {
416
passlen = strlen(pass);
417
}
418
- if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) {
419
- HMAC_CTX_free(hctx_tpl);
420
- return 0;
421
- }
422
- hctx = HMAC_CTX_new();
423
- if (hctx == NULL) {
424
- HMAC_CTX_free(hctx_tpl);
425
+ if (salt == NULL && saltlen == 0)
426
+ salt = (unsigned char *)empty;
427
+
428
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2);
429
+ if (kctx == NULL)
430
return 0;
431
- }
432
- while (tkeylen) {
433
- if (tkeylen > mdlen)
434
- cplen = mdlen;
435
- else
436
- cplen = tkeylen;
437
- /*
438
- * We are unlikely to ever use more than 256 blocks (5120 bits!) but
439
- * just in case...
440
- */
441
- itmp[0] = (unsigned char)((i >> 24) & 0xff);
442
- itmp[1] = (unsigned char)((i >> 16) & 0xff);
443
- itmp[2] = (unsigned char)((i >> 8) & 0xff);
444
- itmp[3] = (unsigned char)(i & 0xff);
445
- if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
446
- HMAC_CTX_free(hctx);
447
- HMAC_CTX_free(hctx_tpl);
448
- return 0;
449
- }
450
- if (!HMAC_Update(hctx, salt, saltlen)
451
- || !HMAC_Update(hctx, itmp, 4)
452
- || !HMAC_Final(hctx, digtmp, NULL)) {
453
- HMAC_CTX_free(hctx);
454
- HMAC_CTX_free(hctx_tpl);
455
- return 0;
456
- }
457
- memcpy(p, digtmp, cplen);
458
- for (j = 1; j < iter; j++) {
459
- if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
460
- HMAC_CTX_free(hctx);
461
- HMAC_CTX_free(hctx_tpl);
462
- return 0;
463
- }
464
- if (!HMAC_Update(hctx, digtmp, mdlen)
465
- || !HMAC_Final(hctx, digtmp, NULL)) {
466
- HMAC_CTX_free(hctx);
467
- HMAC_CTX_free(hctx_tpl);
468
- return 0;
469
- }
470
- for (k = 0; k < cplen; k++)
471
- p[k] ^= digtmp[k];
472
- }
473
- tkeylen -= cplen;
474
- i++;
475
- p += cplen;
476
- }
477
- HMAC_CTX_free(hctx);
478
- HMAC_CTX_free(hctx_tpl);
479
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
480
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
481
+ salt, (size_t)saltlen) != 1
482
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, iter) != 1
483
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, digest) != 1
484
+ || EVP_KDF_derive(kctx, out, keylen) != 1)
485
+ rv = 0;
486
+
487
+ EVP_KDF_CTX_free(kctx);
488
+
489
# ifdef OPENSSL_DEBUG_PKCS5V2
490
fprintf(stderr, "Password:\n");
491
h__dump(pass, passlen);
492
493
fprintf(stderr, "Key:\n");
494
h__dump(out, keylen);
495
# endif
496
- return 1;
497
+ return rv;
498
}
499
500
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
501
Index: openssl-1.1.1d/crypto/evp/pbe_scrypt.c
502
===================================================================
503
--- openssl-1.1.1d.orig/crypto/evp/pbe_scrypt.c 2019-09-10 15:13:07.000000000 +0200
504
+++ openssl-1.1.1d/crypto/evp/pbe_scrypt.c 2020-01-23 13:45:11.468634429 +0100
505
506
* https://www.openssl.org/source/license.html
507
*/
508
509
-#include <stddef.h>
510
-#include <stdio.h>
511
-#include <string.h>
512
#include <openssl/evp.h>
513
#include <openssl/err.h>
514
-#include "internal/numbers.h"
515
+#include <openssl/kdf.h>
516
517
#ifndef OPENSSL_NO_SCRYPT
518
519
-#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
520
-static void salsa208_word_specification(uint32_t inout[16])
521
-{
522
- int i;
523
- uint32_t x[16];
524
- memcpy(x, inout, sizeof(x));
525
- for (i = 8; i > 0; i -= 2) {
526
- x[4] ^= R(x[0] + x[12], 7);
527
- x[8] ^= R(x[4] + x[0], 9);
528
- x[12] ^= R(x[8] + x[4], 13);
529
- x[0] ^= R(x[12] + x[8], 18);
530
- x[9] ^= R(x[5] + x[1], 7);
531
- x[13] ^= R(x[9] + x[5], 9);
532
- x[1] ^= R(x[13] + x[9], 13);
533
- x[5] ^= R(x[1] + x[13], 18);
534
- x[14] ^= R(x[10] + x[6], 7);
535
- x[2] ^= R(x[14] + x[10], 9);
536
- x[6] ^= R(x[2] + x[14], 13);
537
- x[10] ^= R(x[6] + x[2], 18);
538
- x[3] ^= R(x[15] + x[11], 7);
539
- x[7] ^= R(x[3] + x[15], 9);
540
- x[11] ^= R(x[7] + x[3], 13);
541
- x[15] ^= R(x[11] + x[7], 18);
542
- x[1] ^= R(x[0] + x[3], 7);
543
- x[2] ^= R(x[1] + x[0], 9);
544
- x[3] ^= R(x[2] + x[1], 13);
545
- x[0] ^= R(x[3] + x[2], 18);
546
- x[6] ^= R(x[5] + x[4], 7);
547
- x[7] ^= R(x[6] + x[5], 9);
548
- x[4] ^= R(x[7] + x[6], 13);
549
- x[5] ^= R(x[4] + x[7], 18);
550
- x[11] ^= R(x[10] + x[9], 7);
551
- x[8] ^= R(x[11] + x[10], 9);
552
- x[9] ^= R(x[8] + x[11], 13);
553
- x[10] ^= R(x[9] + x[8], 18);
554
- x[12] ^= R(x[15] + x[14], 7);
555
- x[13] ^= R(x[12] + x[15], 9);
556
- x[14] ^= R(x[13] + x[12], 13);
557
- x[15] ^= R(x[14] + x[13], 18);
558
- }
559
- for (i = 0; i < 16; ++i)
560
- inout[i] += x[i];
561
- OPENSSL_cleanse(x, sizeof(x));
562
-}
563
-
564
-static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
565
-{
566
- uint64_t i, j;
567
- uint32_t X[16], *pB;
568
-
569
- memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
570
- pB = B;
571
- for (i = 0; i < r * 2; i++) {
572
- for (j = 0; j < 16; j++)
573
- X[j] ^= *pB++;
574
- salsa208_word_specification(X);
575
- memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
576
- }
577
- OPENSSL_cleanse(X, sizeof(X));
578
-}
579
-
580
-static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
581
- uint32_t *X, uint32_t *T, uint32_t *V)
582
-{
583
- unsigned char *pB;
584
- uint32_t *pV;
585
- uint64_t i, k;
586
-
587
- /* Convert from little endian input */
588
- for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
589
- *pV = *pB++;
590
- *pV |= *pB++ << 8;
591
- *pV |= *pB++ << 16;
592
- *pV |= (uint32_t)*pB++ << 24;
593
- }
594
-
595
- for (i = 1; i < N; i++, pV += 32 * r)
596
- scryptBlockMix(pV, pV - 32 * r, r);
597
-
598
- scryptBlockMix(X, V + (N - 1) * 32 * r, r);
599
-
600
- for (i = 0; i < N; i++) {
601
- uint32_t j;
602
- j = X[16 * (2 * r - 1)] % N;
603
- pV = V + 32 * r * j;
604
- for (k = 0; k < 32 * r; k++)
605
- T[k] = X[k] ^ *pV++;
606
- scryptBlockMix(X, T, r);
607
- }
608
- /* Convert output to little endian */
609
- for (i = 0, pB = B; i < 32 * r; i++) {
610
- uint32_t xtmp = X[i];
611
- *pB++ = xtmp & 0xff;
612
- *pB++ = (xtmp >> 8) & 0xff;
613
- *pB++ = (xtmp >> 16) & 0xff;
614
- *pB++ = (xtmp >> 24) & 0xff;
615
- }
616
-}
617
-
618
-#ifndef SIZE_MAX
619
-# define SIZE_MAX ((size_t)-1)
620
-#endif
621
-
622
-/*
623
- * Maximum power of two that will fit in uint64_t: this should work on
624
- * most (all?) platforms.
625
- */
626
-
627
-#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
628
-
629
-/*
630
- * Maximum value of p * r:
631
- * p <= ((2^32-1) * hLen) / MFLen =>
632
- * p <= ((2^32-1) * 32) / (128 * r) =>
633
- * p * r <= (2^30-1)
634
- *
635
- */
636
-
637
-#define SCRYPT_PR_MAX ((1 << 30) - 1)
638
-
639
/*
640
* Maximum permitted memory allow this to be overridden with Configuration
641
* option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible.
642
643
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
644
unsigned char *key, size_t keylen)
645
{
646
- int rv = 0;
647
- unsigned char *B;
648
- uint32_t *X, *V, *T;
649
- uint64_t i, Blen, Vlen;
650
-
651
- /* Sanity check parameters */
652
- /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
653
- if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
654
- return 0;
655
- /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
656
- if (p > SCRYPT_PR_MAX / r) {
657
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
658
- return 0;
659
- }
660
-
661
- /*
662
- * Need to check N: if 2^(128 * r / 8) overflows limit this is
663
- * automatically satisfied since N <= UINT64_MAX.
664
- */
665
-
666
- if (16 * r <= LOG2_UINT64_MAX) {
667
- if (N >= (((uint64_t)1) << (16 * r))) {
668
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
669
- return 0;
670
- }
671
- }
672
+ const char *empty = "";
673
+ int rv = 1;
674
+ EVP_KDF_CTX *kctx;
675
676
- /* Memory checks: check total allocated buffer size fits in uint64_t */
677
-
678
- /*
679
- * B size in section 5 step 1.S
680
- * Note: we know p * 128 * r < UINT64_MAX because we already checked
681
- * p * r < SCRYPT_PR_MAX
682
- */
683
- Blen = p * 128 * r;
684
- /*
685
- * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
686
- * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
687
- */
688
- if (Blen > INT_MAX) {
689
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
690
+ if (r > UINT32_MAX || p > UINT32_MAX) {
691
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
692
return 0;
693
}
694
695
- /*
696
- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
697
- * This is combined size V, X and T (section 4)
698
- */
699
- i = UINT64_MAX / (32 * sizeof(uint32_t));
700
- if (N + 2 > i / r) {
701
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
702
- return 0;
703
+ /* Maintain existing behaviour. */
704
+ if (pass == NULL) {
705
+ pass = empty;
706
+ passlen = 0;
707
}
708
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
709
-
710
- /* check total allocated size fits in uint64_t */
711
- if (Blen > UINT64_MAX - Vlen) {
712
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
713
- return 0;
714
+ if (salt == NULL) {
715
+ salt = (const unsigned char *)empty;
716
+ saltlen = 0;
717
}
718
-
719
if (maxmem == 0)
720
maxmem = SCRYPT_MAX_MEM;
721
722
- /* Check that the maximum memory doesn't exceed a size_t limits */
723
- if (maxmem > SIZE_MAX)
724
- maxmem = SIZE_MAX;
725
-
726
- if (Blen + Vlen > maxmem) {
727
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
728
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
729
+ if (kctx == NULL)
730
return 0;
731
- }
732
733
- /* If no key return to indicate parameters are OK */
734
- if (key == NULL)
735
- return 1;
736
-
737
- B = OPENSSL_malloc((size_t)(Blen + Vlen));
738
- if (B == NULL) {
739
- EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE);
740
- return 0;
741
- }
742
- X = (uint32_t *)(B + Blen);
743
- T = X + 32 * r;
744
- V = T + 32 * r;
745
- if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
746
- (int)Blen, B) == 0)
747
- goto err;
748
-
749
- for (i = 0; i < p; i++)
750
- scryptROMix(B + 128 * r * i, r, N, X, T, V);
751
-
752
- if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),
753
- keylen, key) == 0)
754
- goto err;
755
- rv = 1;
756
- err:
757
- if (rv == 0)
758
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR);
759
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
760
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
761
+ salt, (size_t)saltlen) != 1
762
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1
763
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)r) != 1
764
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)p) != 1
765
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1
766
+ || EVP_KDF_derive(kctx, key, keylen) != 1)
767
+ rv = 0;
768
769
- OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
770
+ EVP_KDF_CTX_free(kctx);
771
return rv;
772
}
773
+
774
#endif
775
Index: openssl-1.1.1d/crypto/evp/pkey_kdf.c
776
===================================================================
777
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
778
+++ openssl-1.1.1d/crypto/evp/pkey_kdf.c 2020-01-23 13:45:11.468634429 +0100
779
780
+/*
781
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
782
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
783
+ *
784
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
785
+ * this file except in compliance with the License. You can obtain a copy
786
+ * in the file LICENSE in the source distribution or at
787
+ * https://www.openssl.org/source/license.html
788
+ */
789
+
790
+#include <string.h>
791
+#include <openssl/evp.h>
792
+#include <openssl/err.h>
793
+#include <openssl/kdf.h>
794
+#include "internal/evp_int.h"
795
+
796
+static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
797
+{
798
+ EVP_KDF_CTX *kctx;
799
+
800
+ kctx = EVP_KDF_CTX_new_id(ctx->pmeth->pkey_id);
801
+ if (kctx == NULL)
802
+ return 0;
803
+
804
+ ctx->data = kctx;
805
+ return 1;
806
+}
807
+
808
+static void pkey_kdf_cleanup(EVP_PKEY_CTX *ctx)
809
+{
810
+ EVP_KDF_CTX *kctx = ctx->data;
811
+
812
+ EVP_KDF_CTX_free(kctx);
813
+}
814
+
815
+static int pkey_kdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
816
+{
817
+ EVP_KDF_CTX *kctx = ctx->data;
818
+ uint64_t u64_value;
819
+ int cmd;
820
+ int ret;
821
+
822
+ switch (type) {
823
+ case EVP_PKEY_CTRL_PASS:
824
+ cmd = EVP_KDF_CTRL_SET_PASS;
825
+ break;
826
+ case EVP_PKEY_CTRL_HKDF_SALT:
827
+ case EVP_PKEY_CTRL_SCRYPT_SALT:
828
+ cmd = EVP_KDF_CTRL_SET_SALT;
829
+ break;
830
+ case EVP_PKEY_CTRL_TLS_MD:
831
+ case EVP_PKEY_CTRL_HKDF_MD:
832
+ cmd = EVP_KDF_CTRL_SET_MD;
833
+ break;
834
+ case EVP_PKEY_CTRL_TLS_SECRET:
835
+ cmd = EVP_KDF_CTRL_SET_TLS_SECRET;
836
+ ret = EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_RESET_TLS_SEED);
837
+ if (ret < 1)
838
+ return ret;
839
+ break;
840
+ case EVP_PKEY_CTRL_TLS_SEED:
841
+ cmd = EVP_KDF_CTRL_ADD_TLS_SEED;
842
+ break;
843
+ case EVP_PKEY_CTRL_HKDF_KEY:
844
+ cmd = EVP_KDF_CTRL_SET_KEY;
845
+ break;
846
+ case EVP_PKEY_CTRL_HKDF_INFO:
847
+ cmd = EVP_KDF_CTRL_ADD_HKDF_INFO;
848
+ break;
849
+ case EVP_PKEY_CTRL_HKDF_MODE:
850
+ cmd = EVP_KDF_CTRL_SET_HKDF_MODE;
851
+ break;
852
+ case EVP_PKEY_CTRL_SCRYPT_N:
853
+ cmd = EVP_KDF_CTRL_SET_SCRYPT_N;
854
+ break;
855
+ case EVP_PKEY_CTRL_SCRYPT_R:
856
+ cmd = EVP_KDF_CTRL_SET_SCRYPT_R;
857
+ break;
858
+ case EVP_PKEY_CTRL_SCRYPT_P:
859
+ cmd = EVP_KDF_CTRL_SET_SCRYPT_P;
860
+ break;
861
+ case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:
862
+ cmd = EVP_KDF_CTRL_SET_MAXMEM_BYTES;
863
+ break;
864
+ default:
865
+ return -2;
866
+ }
867
+
868
+ switch (cmd) {
869
+ case EVP_KDF_CTRL_SET_PASS:
870
+ case EVP_KDF_CTRL_SET_SALT:
871
+ case EVP_KDF_CTRL_SET_KEY:
872
+ case EVP_KDF_CTRL_SET_TLS_SECRET:
873
+ case EVP_KDF_CTRL_ADD_TLS_SEED:
874
+ case EVP_KDF_CTRL_ADD_HKDF_INFO:
875
+ return EVP_KDF_ctrl(kctx, cmd, (const unsigned char *)p2, (size_t)p1);
876
+
877
+ case EVP_KDF_CTRL_SET_MD:
878
+ return EVP_KDF_ctrl(kctx, cmd, (const EVP_MD *)p2);
879
+
880
+ case EVP_KDF_CTRL_SET_HKDF_MODE:
881
+ return EVP_KDF_ctrl(kctx, cmd, (int)p1);
882
+
883
+ case EVP_KDF_CTRL_SET_SCRYPT_R:
884
+ case EVP_KDF_CTRL_SET_SCRYPT_P:
885
+ u64_value = *(uint64_t *)p2;
886
+ if (u64_value > UINT32_MAX) {
887
+ EVPerr(EVP_F_PKEY_KDF_CTRL, EVP_R_PARAMETER_TOO_LARGE);
888
+ return 0;
889
+ }
890
+
891
+ return EVP_KDF_ctrl(kctx, cmd, (uint32_t)u64_value);
892
+
893
+ case EVP_KDF_CTRL_SET_SCRYPT_N:
894
+ case EVP_KDF_CTRL_SET_MAXMEM_BYTES:
895
+ return EVP_KDF_ctrl(kctx, cmd, *(uint64_t *)p2);
896
+
897
+ default:
898
+ return 0;
899
+ }
900
+}
901
+
902
+static int pkey_kdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
903
+ const char *value)
904
+{
905
+ EVP_KDF_CTX *kctx = ctx->data;
906
+
907
+ if (strcmp(type, "md") == 0)
908
+ return EVP_KDF_ctrl_str(kctx, "digest", value);
909
+ return EVP_KDF_ctrl_str(kctx, type, value);
910
+}
911
+
912
+static int pkey_kdf_derive_init(EVP_PKEY_CTX *ctx)
913
+{
914
+ EVP_KDF_CTX *kctx = ctx->data;
915
+
916
+ EVP_KDF_reset(kctx);
917
+ return 1;
918
+}
919
+
920
+/*
921
+ * For fixed-output algorithms the keylen parameter is an "out" parameter
922
+ * otherwise it is an "in" parameter.
923
+ */
924
+static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
925
+ size_t *keylen)
926
+{
927
+ EVP_KDF_CTX *kctx = ctx->data;
928
+ size_t outlen = EVP_KDF_size(kctx);
929
+
930
+ if (outlen == 0 || outlen == SIZE_MAX) {
931
+ /* Variable-output algorithm */
932
+ if (key == NULL)
933
+ return 0;
934
+ } else {
935
+ /* Fixed-output algorithm */
936
+ *keylen = outlen;
937
+ if (key == NULL)
938
+ return 1;
939
+ }
940
+ return EVP_KDF_derive(kctx, key, *keylen);
941
+}
942
+
943
+#ifndef OPENSSL_NO_SCRYPT
944
+const EVP_PKEY_METHOD scrypt_pkey_meth = {
945
+ EVP_PKEY_SCRYPT,
946
+ 0,
947
+ pkey_kdf_init,
948
+ 0,
949
+ pkey_kdf_cleanup,
950
+
951
+ 0, 0,
952
+ 0, 0,
953
+
954
+ 0,
955
+ 0,
956
+
957
+ 0,
958
+ 0,
959
+
960
+ 0, 0,
961
+
962
+ 0, 0, 0, 0,
963
+
964
+ 0, 0,
965
+
966
+ 0, 0,
967
+
968
+ pkey_kdf_derive_init,
969
+ pkey_kdf_derive,
970
+ pkey_kdf_ctrl,
971
+ pkey_kdf_ctrl_str
972
+};
973
+#endif
974
+
975
+const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
976
+ EVP_PKEY_TLS1_PRF,
977
+ EVP_PKEY_FLAG_FIPS,
978
+ pkey_kdf_init,
979
+ 0,
980
+ pkey_kdf_cleanup,
981
+
982
+ 0, 0,
983
+ 0, 0,
984
+
985
+ 0,
986
+ 0,
987
+
988
+ 0,
989
+ 0,
990
+
991
+ 0, 0,
992
+
993
+ 0, 0, 0, 0,
994
+
995
+ 0, 0,
996
+
997
+ 0, 0,
998
+
999
+ pkey_kdf_derive_init,
1000
+ pkey_kdf_derive,
1001
+ pkey_kdf_ctrl,
1002
+ pkey_kdf_ctrl_str
1003
+};
1004
+
1005
+const EVP_PKEY_METHOD hkdf_pkey_meth = {
1006
+ EVP_PKEY_HKDF,
1007
+ EVP_PKEY_FLAG_FIPS,
1008
+ pkey_kdf_init,
1009
+ 0,
1010
+ pkey_kdf_cleanup,
1011
+
1012
+ 0, 0,
1013
+ 0, 0,
1014
+
1015
+ 0,
1016
+ 0,
1017
+
1018
+ 0,
1019
+ 0,
1020
+
1021
+ 0, 0,
1022
+
1023
+ 0, 0, 0, 0,
1024
+
1025
+ 0, 0,
1026
+
1027
+ 0, 0,
1028
+
1029
+ pkey_kdf_derive_init,
1030
+ pkey_kdf_derive,
1031
+ pkey_kdf_ctrl,
1032
+ pkey_kdf_ctrl_str
1033
+};
1034
+
1035
Index: openssl-1.1.1d/crypto/include/internal/evp_int.h
1036
===================================================================
1037
--- openssl-1.1.1d.orig/crypto/include/internal/evp_int.h 2019-09-10 15:13:07.000000000 +0200
1038
+++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2020-01-23 13:45:31.704754695 +0100
1039
1040
extern const EVP_PKEY_METHOD poly1305_pkey_meth;
1041
extern const EVP_PKEY_METHOD siphash_pkey_meth;
1042
1043
+/* struct evp_kdf_impl_st is defined by the implementation */
1044
+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
1045
+typedef struct {
1046
+ int type;
1047
+ EVP_KDF_IMPL *(*new) (void);
1048
+ void (*free) (EVP_KDF_IMPL *impl);
1049
+ void (*reset) (EVP_KDF_IMPL *impl);
1050
+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
1051
+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
1052
+ size_t (*size) (EVP_KDF_IMPL *impl);
1053
+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
1054
+} EVP_KDF_METHOD;
1055
+
1056
+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
1057
+extern const EVP_KDF_METHOD scrypt_kdf_meth;
1058
+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
1059
+extern const EVP_KDF_METHOD hkdf_kdf_meth;
1060
+
1061
struct evp_md_st {
1062
int type;
1063
int pkey_type;
1064
Index: openssl-1.1.1d/crypto/kdf/build.info
1065
===================================================================
1066
--- openssl-1.1.1d.orig/crypto/kdf/build.info 2019-09-10 15:13:07.000000000 +0200
1067
+++ openssl-1.1.1d/crypto/kdf/build.info 2020-01-23 13:45:31.704754695 +0100
1068
1069
LIBS=../../libcrypto
1070
SOURCE[../../libcrypto]=\
1071
- tls1_prf.c kdf_err.c hkdf.c scrypt.c
1072
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
1073
Index: openssl-1.1.1d/crypto/kdf/hkdf.c
1074
===================================================================
1075
--- openssl-1.1.1d.orig/crypto/kdf/hkdf.c 2019-09-10 15:13:07.000000000 +0200
1076
+++ openssl-1.1.1d/crypto/kdf/hkdf.c 2020-01-23 13:45:11.468634429 +0100
1077
1078
*/
1079
1080
#include <stdlib.h>
1081
+#include <stdarg.h>
1082
#include <string.h>
1083
#include <openssl/hmac.h>
1084
-#include <openssl/kdf.h>
1085
#include <openssl/evp.h>
1086
+#include <openssl/kdf.h>
1087
#include "internal/cryptlib.h"
1088
#include "internal/evp_int.h"
1089
+#include "kdf_local.h"
1090
1091
#define HKDF_MAXBUF 1024
1092
1093
-static unsigned char *HKDF(const EVP_MD *evp_md,
1094
- const unsigned char *salt, size_t salt_len,
1095
- const unsigned char *key, size_t key_len,
1096
- const unsigned char *info, size_t info_len,
1097
- unsigned char *okm, size_t okm_len);
1098
-
1099
-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
1100
- const unsigned char *salt, size_t salt_len,
1101
- const unsigned char *key, size_t key_len,
1102
- unsigned char *prk, size_t *prk_len);
1103
-
1104
-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
1105
- const unsigned char *prk, size_t prk_len,
1106
- const unsigned char *info, size_t info_len,
1107
- unsigned char *okm, size_t okm_len);
1108
+static void kdf_hkdf_reset(EVP_KDF_IMPL *impl);
1109
+static int HKDF(const EVP_MD *evp_md,
1110
+ const unsigned char *salt, size_t salt_len,
1111
+ const unsigned char *key, size_t key_len,
1112
+ const unsigned char *info, size_t info_len,
1113
+ unsigned char *okm, size_t okm_len);
1114
+static int HKDF_Extract(const EVP_MD *evp_md,
1115
+ const unsigned char *salt, size_t salt_len,
1116
+ const unsigned char *key, size_t key_len,
1117
+ unsigned char *prk, size_t prk_len);
1118
+static int HKDF_Expand(const EVP_MD *evp_md,
1119
+ const unsigned char *prk, size_t prk_len,
1120
+ const unsigned char *info, size_t info_len,
1121
+ unsigned char *okm, size_t okm_len);
1122
1123
-typedef struct {
1124
+struct evp_kdf_impl_st {
1125
int mode;
1126
const EVP_MD *md;
1127
unsigned char *salt;
1128
1129
size_t key_len;
1130
unsigned char info[HKDF_MAXBUF];
1131
size_t info_len;
1132
-} HKDF_PKEY_CTX;
1133
+};
1134
1135
-static int pkey_hkdf_init(EVP_PKEY_CTX *ctx)
1136
+static EVP_KDF_IMPL *kdf_hkdf_new(void)
1137
{
1138
- HKDF_PKEY_CTX *kctx;
1139
-
1140
- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) {
1141
- KDFerr(KDF_F_PKEY_HKDF_INIT, ERR_R_MALLOC_FAILURE);
1142
- return 0;
1143
- }
1144
+ EVP_KDF_IMPL *impl;
1145
1146
- ctx->data = kctx;
1147
+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
1148
+ KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE);
1149
+ return impl;
1150
+}
1151
1152
- return 1;
1153
+static void kdf_hkdf_free(EVP_KDF_IMPL *impl)
1154
+{
1155
+ kdf_hkdf_reset(impl);
1156
+ OPENSSL_free(impl);
1157
}
1158
1159
-static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)
1160
+static void kdf_hkdf_reset(EVP_KDF_IMPL *impl)
1161
{
1162
- HKDF_PKEY_CTX *kctx = ctx->data;
1163
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
1164
- OPENSSL_clear_free(kctx->key, kctx->key_len);
1165
- OPENSSL_cleanse(kctx->info, kctx->info_len);
1166
- OPENSSL_free(kctx);
1167
+ OPENSSL_free(impl->salt);
1168
+ OPENSSL_clear_free(impl->key, impl->key_len);
1169
+ OPENSSL_cleanse(impl->info, impl->info_len);
1170
+ memset(impl, 0, sizeof(*impl));
1171
}
1172
1173
-static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
1174
+static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
1175
{
1176
- HKDF_PKEY_CTX *kctx = ctx->data;
1177
+ const unsigned char *p;
1178
+ size_t len;
1179
+ const EVP_MD *md;
1180
1181
- switch (type) {
1182
- case EVP_PKEY_CTRL_HKDF_MD:
1183
- if (p2 == NULL)
1184
+ switch (cmd) {
1185
+ case EVP_KDF_CTRL_SET_MD:
1186
+ md = va_arg(args, const EVP_MD *);
1187
+ if (md == NULL)
1188
return 0;
1189
1190
- kctx->md = p2;
1191
+ impl->md = md;
1192
return 1;
1193
1194
- case EVP_PKEY_CTRL_HKDF_MODE:
1195
- kctx->mode = p1;
1196
+ case EVP_KDF_CTRL_SET_HKDF_MODE:
1197
+ impl->mode = va_arg(args, int);
1198
return 1;
1199
1200
- case EVP_PKEY_CTRL_HKDF_SALT:
1201
- if (p1 == 0 || p2 == NULL)
1202
+ case EVP_KDF_CTRL_SET_SALT:
1203
+ p = va_arg(args, const unsigned char *);
1204
+ len = va_arg(args, size_t);
1205
+ if (len == 0 || p == NULL)
1206
return 1;
1207
1208
- if (p1 < 0)
1209
- return 0;
1210
-
1211
- if (kctx->salt != NULL)
1212
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
1213
-
1214
- kctx->salt = OPENSSL_memdup(p2, p1);
1215
- if (kctx->salt == NULL)
1216
+ OPENSSL_free(impl->salt);
1217
+ impl->salt = OPENSSL_memdup(p, len);
1218
+ if (impl->salt == NULL)
1219
return 0;
1220
1221
- kctx->salt_len = p1;
1222
+ impl->salt_len = len;
1223
return 1;
1224
1225
- case EVP_PKEY_CTRL_HKDF_KEY:
1226
- if (p1 < 0)
1227
+ case EVP_KDF_CTRL_SET_KEY:
1228
+ p = va_arg(args, const unsigned char *);
1229
+ len = va_arg(args, size_t);
1230
+ OPENSSL_clear_free(impl->key, impl->key_len);
1231
+ impl->key = OPENSSL_memdup(p, len);
1232
+ if (impl->key == NULL)
1233
return 0;
1234
1235
- if (kctx->key != NULL)
1236
- OPENSSL_clear_free(kctx->key, kctx->key_len);
1237
-
1238
- kctx->key = OPENSSL_memdup(p2, p1);
1239
- if (kctx->key == NULL)
1240
- return 0;
1241
+ impl->key_len = len;
1242
+ return 1;
1243
1244
- kctx->key_len = p1;
1245
+ case EVP_KDF_CTRL_RESET_HKDF_INFO:
1246
+ OPENSSL_cleanse(impl->info, impl->info_len);
1247
+ impl->info_len = 0;
1248
return 1;
1249
1250
- case EVP_PKEY_CTRL_HKDF_INFO:
1251
- if (p1 == 0 || p2 == NULL)
1252
+ case EVP_KDF_CTRL_ADD_HKDF_INFO:
1253
+ p = va_arg(args, const unsigned char *);
1254
+ len = va_arg(args, size_t);
1255
+ if (len == 0 || p == NULL)
1256
return 1;
1257
1258
- if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len))
1259
+ if (len > (HKDF_MAXBUF - impl->info_len))
1260
return 0;
1261
1262
- memcpy(kctx->info + kctx->info_len, p2, p1);
1263
- kctx->info_len += p1;
1264
+ memcpy(impl->info + impl->info_len, p, len);
1265
+ impl->info_len += len;
1266
return 1;
1267
1268
default:
1269
return -2;
1270
-
1271
}
1272
}
1273
1274
-static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
1275
- const char *value)
1276
+static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
1277
+ const char *value)
1278
{
1279
if (strcmp(type, "mode") == 0) {
1280
int mode;
1281
1282
if (strcmp(value, "EXTRACT_AND_EXPAND") == 0)
1283
- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND;
1284
+ mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND;
1285
else if (strcmp(value, "EXTRACT_ONLY") == 0)
1286
- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY;
1287
+ mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
1288
else if (strcmp(value, "EXPAND_ONLY") == 0)
1289
- mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
1290
+ mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
1291
else
1292
return 0;
1293
1294
- return EVP_PKEY_CTX_hkdf_mode(ctx, mode);
1295
+ return call_ctrl(kdf_hkdf_ctrl, impl, EVP_KDF_CTRL_SET_HKDF_MODE, mode);
1296
}
1297
1298
- if (strcmp(type, "md") == 0)
1299
- return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE,
1300
- EVP_PKEY_CTRL_HKDF_MD, value);
1301
+ if (strcmp(type, "digest") == 0)
1302
+ return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
1303
1304
if (strcmp(type, "salt") == 0)
1305
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
1306
+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);
1307
1308
if (strcmp(type, "hexsalt") == 0)
1309
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
1310
+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);
1311
1312
if (strcmp(type, "key") == 0)
1313
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
1314
+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value);
1315
1316
if (strcmp(type, "hexkey") == 0)
1317
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
1318
+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value);
1319
1320
if (strcmp(type, "info") == 0)
1321
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
1322
+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO,
1323
+ value);
1324
1325
if (strcmp(type, "hexinfo") == 0)
1326
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
1327
+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO,
1328
+ value);
1329
1330
- KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
1331
return -2;
1332
}
1333
1334
-static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx)
1335
+static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl)
1336
{
1337
- HKDF_PKEY_CTX *kctx = ctx->data;
1338
-
1339
- OPENSSL_clear_free(kctx->key, kctx->key_len);
1340
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
1341
- OPENSSL_cleanse(kctx->info, kctx->info_len);
1342
- memset(kctx, 0, sizeof(*kctx));
1343
+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
1344
+ return SIZE_MAX;
1345
1346
- return 1;
1347
+ if (impl->md == NULL) {
1348
+ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
1349
+ return 0;
1350
+ }
1351
+ return EVP_MD_size(impl->md);
1352
}
1353
1354
-static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
1355
- size_t *keylen)
1356
+static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
1357
+ size_t keylen)
1358
{
1359
- HKDF_PKEY_CTX *kctx = ctx->data;
1360
-
1361
- if (kctx->md == NULL) {
1362
- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
1363
+ if (impl->md == NULL) {
1364
+ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
1365
return 0;
1366
}
1367
- if (kctx->key == NULL) {
1368
- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY);
1369
+ if (impl->key == NULL) {
1370
+ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY);
1371
return 0;
1372
}
1373
1374
- switch (kctx->mode) {
1375
- case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND:
1376
- return HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key,
1377
- kctx->key_len, kctx->info, kctx->info_len, key,
1378
- *keylen) != NULL;
1379
-
1380
- case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:
1381
- if (key == NULL) {
1382
- *keylen = EVP_MD_size(kctx->md);
1383
- return 1;
1384
- }
1385
- return HKDF_Extract(kctx->md, kctx->salt, kctx->salt_len, kctx->key,
1386
- kctx->key_len, key, keylen) != NULL;
1387
-
1388
- case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY:
1389
- return HKDF_Expand(kctx->md, kctx->key, kctx->key_len, kctx->info,
1390
- kctx->info_len, key, *keylen) != NULL;
1391
+ switch (impl->mode) {
1392
+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
1393
+ return HKDF(impl->md, impl->salt, impl->salt_len, impl->key,
1394
+ impl->key_len, impl->info, impl->info_len, key,
1395
+ keylen);
1396
+
1397
+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
1398
+ return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key,
1399
+ impl->key_len, key, keylen);
1400
+
1401
+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
1402
+ return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info,
1403
+ impl->info_len, key, keylen);
1404
1405
default:
1406
return 0;
1407
}
1408
}
1409
1410
-const EVP_PKEY_METHOD hkdf_pkey_meth = {
1411
- EVP_PKEY_HKDF,
1412
- 0,
1413
- pkey_hkdf_init,
1414
- 0,
1415
- pkey_hkdf_cleanup,
1416
-
1417
- 0, 0,
1418
- 0, 0,
1419
-
1420
- 0,
1421
- 0,
1422
-
1423
- 0,
1424
- 0,
1425
-
1426
- 0, 0,
1427
-
1428
- 0, 0, 0, 0,
1429
-
1430
- 0, 0,
1431
-
1432
- 0, 0,
1433
-
1434
- pkey_hkdf_derive_init,
1435
- pkey_hkdf_derive,
1436
- pkey_hkdf_ctrl,
1437
- pkey_hkdf_ctrl_str
1438
+const EVP_KDF_METHOD hkdf_kdf_meth = {
1439
+ EVP_KDF_HKDF,
1440
+ kdf_hkdf_new,
1441
+ kdf_hkdf_free,
1442
+ kdf_hkdf_reset,
1443
+ kdf_hkdf_ctrl,
1444
+ kdf_hkdf_ctrl_str,
1445
+ kdf_hkdf_size,
1446
+ kdf_hkdf_derive
1447
};
1448
1449
-static unsigned char *HKDF(const EVP_MD *evp_md,
1450
- const unsigned char *salt, size_t salt_len,
1451
- const unsigned char *key, size_t key_len,
1452
- const unsigned char *info, size_t info_len,
1453
- unsigned char *okm, size_t okm_len)
1454
+static int HKDF(const EVP_MD *evp_md,
1455
+ const unsigned char *salt, size_t salt_len,
1456
+ const unsigned char *key, size_t key_len,
1457
+ const unsigned char *info, size_t info_len,
1458
+ unsigned char *okm, size_t okm_len)
1459
{
1460
unsigned char prk[EVP_MAX_MD_SIZE];
1461
- unsigned char *ret;
1462
- size_t prk_len;
1463
+ int ret;
1464
+ size_t prk_len = EVP_MD_size(evp_md);
1465
1466
- if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len))
1467
- return NULL;
1468
+ if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, prk_len))
1469
+ return 0;
1470
1471
ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
1472
OPENSSL_cleanse(prk, sizeof(prk));
1473
1474
return ret;
1475
}
1476
1477
-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
1478
- const unsigned char *salt, size_t salt_len,
1479
- const unsigned char *key, size_t key_len,
1480
- unsigned char *prk, size_t *prk_len)
1481
+static int HKDF_Extract(const EVP_MD *evp_md,
1482
+ const unsigned char *salt, size_t salt_len,
1483
+ const unsigned char *key, size_t key_len,
1484
+ unsigned char *prk, size_t prk_len)
1485
{
1486
- unsigned int tmp_len;
1487
-
1488
- if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len))
1489
- return NULL;
1490
-
1491
- *prk_len = tmp_len;
1492
- return prk;
1493
+ if (prk_len != (size_t)EVP_MD_size(evp_md)) {
1494
+ KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE);
1495
+ return 0;
1496
+ }
1497
+ return HMAC(evp_md, salt, salt_len, key, key_len, prk, NULL) != NULL;
1498
}
1499
1500
-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
1501
- const unsigned char *prk, size_t prk_len,
1502
- const unsigned char *info, size_t info_len,
1503
- unsigned char *okm, size_t okm_len)
1504
+static int HKDF_Expand(const EVP_MD *evp_md,
1505
+ const unsigned char *prk, size_t prk_len,
1506
+ const unsigned char *info, size_t info_len,
1507
+ unsigned char *okm, size_t okm_len)
1508
{
1509
HMAC_CTX *hmac;
1510
- unsigned char *ret = NULL;
1511
-
1512
+ int ret = 0;
1513
unsigned int i;
1514
-
1515
unsigned char prev[EVP_MAX_MD_SIZE];
1516
-
1517
size_t done_len = 0, dig_len = EVP_MD_size(evp_md);
1518
-
1519
size_t n = okm_len / dig_len;
1520
+
1521
if (okm_len % dig_len)
1522
n++;
1523
1524
if (n > 255 || okm == NULL)
1525
- return NULL;
1526
+ return 0;
1527
1528
if ((hmac = HMAC_CTX_new()) == NULL)
1529
- return NULL;
1530
+ return 0;
1531
1532
if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
1533
goto err;
1534
1535
1536
done_len += copy_len;
1537
}
1538
- ret = okm;
1539
+ ret = 1;
1540
1541
err:
1542
OPENSSL_cleanse(prev, sizeof(prev));
1543
Index: openssl-1.1.1d/crypto/kdf/kdf_err.c
1544
===================================================================
1545
--- openssl-1.1.1d.orig/crypto/kdf/kdf_err.c 2019-09-10 15:13:07.000000000 +0200
1546
+++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2020-01-23 13:45:31.704754695 +0100
1547
1548
/*
1549
* Generated by util/mkerr.pl DO NOT EDIT
1550
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
1551
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
1552
*
1553
* Licensed under the OpenSSL license (the "License"). You may not use
1554
* this file except in compliance with the License. You can obtain a copy
1555
1556
#ifndef OPENSSL_NO_ERR
1557
1558
static const ERR_STRING_DATA KDF_str_functs[] = {
1559
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"},
1560
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"},
1561
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"},
1562
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"},
1563
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_MD2CTRL, 0), "kdf_md2ctrl"},
1564
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_CTRL_STR, 0),
1565
+ "kdf_pbkdf2_ctrl_str"},
1566
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_DERIVE, 0), "kdf_pbkdf2_derive"},
1567
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_NEW, 0), "kdf_pbkdf2_new"},
1568
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_STR, 0),
1569
+ "kdf_scrypt_ctrl_str"},
1570
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT32, 0),
1571
+ "kdf_scrypt_ctrl_uint32"},
1572
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT64, 0),
1573
+ "kdf_scrypt_ctrl_uint64"},
1574
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"},
1575
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"},
1576
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0),
1577
+ "kdf_tls1_prf_ctrl_str"},
1578
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0),
1579
+ "kdf_tls1_prf_derive"},
1580
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"},
1581
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"},
1582
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"},
1583
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"},
1584
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"},
1585
1586
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_DERIVE, 0),
1587
"pkey_tls1_prf_derive"},
1588
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"},
1589
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"},
1590
{ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"},
1591
{0, NULL}
1592
};
1593
1594
"unknown parameter type"},
1595
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"},
1596
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"},
1597
+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE),
1598
+ "wrong output buffer size"},
1599
{0, NULL}
1600
};
1601
1602
Index: openssl-1.1.1d/crypto/kdf/kdf_local.h
1603
===================================================================
1604
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
1605
+++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2020-01-23 13:45:11.468634429 +0100
1606
1607
+/*
1608
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
1609
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
1610
+ *
1611
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
1612
+ * this file except in compliance with the License. You can obtain a copy
1613
+ * in the file LICENSE in the source distribution or at
1614
+ * https://www.openssl.org/source/license.html
1615
+ */
1616
+
1617
+int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1618
+ EVP_KDF_IMPL *impl, int cmd, ...);
1619
+int kdf_str2ctrl(EVP_KDF_IMPL *impl,
1620
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1621
+ int cmd, const char *str);
1622
+int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
1623
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1624
+ int cmd, const char *hex);
1625
+int kdf_md2ctrl(EVP_KDF_IMPL *impl,
1626
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1627
+ int cmd, const char *md_name);
1628
+
1629
Index: openssl-1.1.1d/crypto/kdf/kdf_util.c
1630
===================================================================
1631
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
1632
+++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2020-01-23 13:45:11.468634429 +0100
1633
1634
+/*
1635
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
1636
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
1637
+ *
1638
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
1639
+ * this file except in compliance with the License. You can obtain a copy
1640
+ * in the file LICENSE in the source distribution or at
1641
+ * https://www.openssl.org/source/license.html
1642
+ */
1643
+
1644
+#include <string.h>
1645
+#include <stdarg.h>
1646
+#include <openssl/kdf.h>
1647
+#include <openssl/evp.h>
1648
+#include "internal/cryptlib.h"
1649
+#include "internal/evp_int.h"
1650
+#include "internal/numbers.h"
1651
+#include "kdf_local.h"
1652
+
1653
+int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1654
+ EVP_KDF_IMPL *impl, int cmd, ...)
1655
+{
1656
+ int ret;
1657
+ va_list args;
1658
+
1659
+ va_start(args, cmd);
1660
+ ret = ctrl(impl, cmd, args);
1661
+ va_end(args);
1662
+
1663
+ return ret;
1664
+}
1665
+
1666
+/* Utility functions to send a string or hex string to a ctrl */
1667
+
1668
+int kdf_str2ctrl(EVP_KDF_IMPL *impl,
1669
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1670
+ int cmd, const char *str)
1671
+{
1672
+ return call_ctrl(ctrl, impl, cmd, (const unsigned char *)str, strlen(str));
1673
+}
1674
+
1675
+int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
1676
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1677
+ int cmd, const char *hex)
1678
+{
1679
+ unsigned char *bin;
1680
+ long binlen;
1681
+ int ret = -1;
1682
+
1683
+ bin = OPENSSL_hexstr2buf(hex, &binlen);
1684
+ if (bin == NULL)
1685
+ return 0;
1686
+
1687
+ if (binlen <= INT_MAX)
1688
+ ret = call_ctrl(ctrl, impl, cmd, bin, (size_t)binlen);
1689
+ OPENSSL_free(bin);
1690
+ return ret;
1691
+}
1692
+
1693
+/* Pass a message digest to a ctrl */
1694
+int kdf_md2ctrl(EVP_KDF_IMPL *impl,
1695
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
1696
+ int cmd, const char *md_name)
1697
+{
1698
+ const EVP_MD *md;
1699
+
1700
+ if (md_name == NULL || (md = EVP_get_digestbyname(md_name)) == NULL) {
1701
+ KDFerr(KDF_F_KDF_MD2CTRL, KDF_R_INVALID_DIGEST);
1702
+ return 0;
1703
+ }
1704
+ return call_ctrl(ctrl, impl, cmd, md);
1705
+}
1706
+
1707
Index: openssl-1.1.1d/crypto/kdf/pbkdf2.c
1708
===================================================================
1709
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
1710
+++ openssl-1.1.1d/crypto/kdf/pbkdf2.c 2020-01-23 13:45:11.468634429 +0100
1711
1712
+/*
1713
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
1714
+ *
1715
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
1716
+ * this file except in compliance with the License. You can obtain a copy
1717
+ * in the file LICENSE in the source distribution or at
1718
+ * https://www.openssl.org/source/license.html
1719
+ */
1720
+
1721
+#include <stdlib.h>
1722
+#include <stdarg.h>
1723
+#include <string.h>
1724
+#include <openssl/hmac.h>
1725
+#include <openssl/evp.h>
1726
+#include <openssl/kdf.h>
1727
+#include "internal/cryptlib.h"
1728
+#include "internal/evp_int.h"
1729
+#include "kdf_local.h"
1730
+
1731
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
1732
+static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl);
1733
+static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,
1734
+ const unsigned char *salt, int saltlen, int iter,
1735
+ const EVP_MD *digest, unsigned char *key,
1736
+ size_t keylen);
1737
+
1738
+struct evp_kdf_impl_st {
1739
+ unsigned char *pass;
1740
+ size_t pass_len;
1741
+ unsigned char *salt;
1742
+ size_t salt_len;
1743
+ int iter;
1744
+ const EVP_MD *md;
1745
+};
1746
+
1747
+static EVP_KDF_IMPL *kdf_pbkdf2_new(void)
1748
+{
1749
+ EVP_KDF_IMPL *impl;
1750
+
1751
+ impl = OPENSSL_zalloc(sizeof(*impl));
1752
+ if (impl == NULL) {
1753
+ KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE);
1754
+ return NULL;
1755
+ }
1756
+ kdf_pbkdf2_init(impl);
1757
+ return impl;
1758
+}
1759
+
1760
+static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl)
1761
+{
1762
+ kdf_pbkdf2_reset(impl);
1763
+ OPENSSL_free(impl);
1764
+}
1765
+
1766
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl)
1767
+{
1768
+ OPENSSL_free(impl->salt);
1769
+ OPENSSL_clear_free(impl->pass, impl->pass_len);
1770
+ memset(impl, 0, sizeof(*impl));
1771
+ kdf_pbkdf2_init(impl);
1772
+}
1773
+
1774
+static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl)
1775
+{
1776
+ impl->iter = PKCS5_DEFAULT_ITER;
1777
+ impl->md = EVP_sha1();
1778
+}
1779
+
1780
+static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
1781
+ const unsigned char *new_buffer,
1782
+ size_t new_buflen)
1783
+{
1784
+ if (new_buffer == NULL)
1785
+ return 1;
1786
+
1787
+ OPENSSL_clear_free(*buffer, *buflen);
1788
+
1789
+ if (new_buflen > 0) {
1790
+ *buffer = OPENSSL_memdup(new_buffer, new_buflen);
1791
+ } else {
1792
+ *buffer = OPENSSL_malloc(1);
1793
+ }
1794
+ if (*buffer == NULL) {
1795
+ KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
1796
+ return 0;
1797
+ }
1798
+
1799
+ *buflen = new_buflen;
1800
+ return 1;
1801
+}
1802
+
1803
+static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
1804
+{
1805
+ int iter;
1806
+ const unsigned char *p;
1807
+ size_t len;
1808
+ const EVP_MD *md;
1809
+
1810
+ switch (cmd) {
1811
+ case EVP_KDF_CTRL_SET_PASS:
1812
+ p = va_arg(args, const unsigned char *);
1813
+ len = va_arg(args, size_t);
1814
+ return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len);
1815
+
1816
+ case EVP_KDF_CTRL_SET_SALT:
1817
+ p = va_arg(args, const unsigned char *);
1818
+ len = va_arg(args, size_t);
1819
+ return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len);
1820
+
1821
+ case EVP_KDF_CTRL_SET_ITER:
1822
+ iter = va_arg(args, int);
1823
+ if (iter < 1)
1824
+ return 0;
1825
+
1826
+ impl->iter = iter;
1827
+ return 1;
1828
+
1829
+ case EVP_KDF_CTRL_SET_MD:
1830
+ md = va_arg(args, const EVP_MD *);
1831
+ if (md == NULL)
1832
+ return 0;
1833
+
1834
+ impl->md = md;
1835
+ return 1;
1836
+
1837
+ default:
1838
+ return -2;
1839
+ }
1840
+}
1841
+
1842
+static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
1843
+ const char *value)
1844
+{
1845
+ if (value == NULL) {
1846
+ KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING);
1847
+ return 0;
1848
+ }
1849
+
1850
+ if (strcmp(type, "pass") == 0)
1851
+ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
1852
+ value);
1853
+
1854
+ if (strcmp(type, "hexpass") == 0)
1855
+ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
1856
+ value);
1857
+
1858
+ if (strcmp(type, "salt") == 0)
1859
+ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
1860
+ value);
1861
+
1862
+ if (strcmp(type, "hexsalt") == 0)
1863
+ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
1864
+ value);
1865
+
1866
+ if (strcmp(type, "iter") == 0)
1867
+ return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER,
1868
+ atoi(value));
1869
+
1870
+ if (strcmp(type, "digest") == 0)
1871
+ return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value);
1872
+
1873
+ return -2;
1874
+}
1875
+
1876
+static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key,
1877
+ size_t keylen)
1878
+{
1879
+ if (impl->pass == NULL) {
1880
+ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS);
1881
+ return 0;
1882
+ }
1883
+
1884
+ if (impl->salt == NULL) {
1885
+ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT);
1886
+ return 0;
1887
+ }
1888
+
1889
+ return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
1890
+ impl->salt, impl->salt_len, impl->iter,
1891
+ impl->md, key, keylen);
1892
+}
1893
+
1894
+const EVP_KDF_METHOD pbkdf2_kdf_meth = {
1895
+ EVP_KDF_PBKDF2,
1896
+ kdf_pbkdf2_new,
1897
+ kdf_pbkdf2_free,
1898
+ kdf_pbkdf2_reset,
1899
+ kdf_pbkdf2_ctrl,
1900
+ kdf_pbkdf2_ctrl_str,
1901
+ NULL,
1902
+ kdf_pbkdf2_derive
1903
+};
1904
+
1905
+/*
1906
+ * This is an implementation of PKCS#5 v2.0 password based encryption key
1907
+ * derivation function PBKDF2. SHA1 version verified against test vectors
1908
+ * posted by Peter Gutmann to the PKCS-TNG mailing list.
1909
+ */
1910
+
1911
+static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,
1912
+ const unsigned char *salt, int saltlen, int iter,
1913
+ const EVP_MD *digest, unsigned char *key,
1914
+ size_t keylen)
1915
+{
1916
+ int ret = 0;
1917
+ unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
1918
+ int cplen, j, k, tkeylen, mdlen;
1919
+ unsigned long i = 1;
1920
+ HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
1921
+
1922
+ mdlen = EVP_MD_size(digest);
1923
+ if (mdlen < 0)
1924
+ return 0;
1925
+
1926
+ hctx_tpl = HMAC_CTX_new();
1927
+ if (hctx_tpl == NULL)
1928
+ return 0;
1929
+ p = key;
1930
+ tkeylen = keylen;
1931
+ if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
1932
+ goto err;
1933
+ hctx = HMAC_CTX_new();
1934
+ if (hctx == NULL)
1935
+ goto err;
1936
+ while (tkeylen) {
1937
+ if (tkeylen > mdlen)
1938
+ cplen = mdlen;
1939
+ else
1940
+ cplen = tkeylen;
1941
+ /*
1942
+ * We are unlikely to ever use more than 256 blocks (5120 bits!) but
1943
+ * just in case...
1944
+ */
1945
+ itmp[0] = (unsigned char)((i >> 24) & 0xff);
1946
+ itmp[1] = (unsigned char)((i >> 16) & 0xff);
1947
+ itmp[2] = (unsigned char)((i >> 8) & 0xff);
1948
+ itmp[3] = (unsigned char)(i & 0xff);
1949
+ if (!HMAC_CTX_copy(hctx, hctx_tpl))
1950
+ goto err;
1951
+ if (!HMAC_Update(hctx, salt, saltlen)
1952
+ || !HMAC_Update(hctx, itmp, 4)
1953
+ || !HMAC_Final(hctx, digtmp, NULL))
1954
+ goto err;
1955
+ memcpy(p, digtmp, cplen);
1956
+ for (j = 1; j < iter; j++) {
1957
+ if (!HMAC_CTX_copy(hctx, hctx_tpl))
1958
+ goto err;
1959
+ if (!HMAC_Update(hctx, digtmp, mdlen)
1960
+ || !HMAC_Final(hctx, digtmp, NULL))
1961
+ goto err;
1962
+ for (k = 0; k < cplen; k++)
1963
+ p[k] ^= digtmp[k];
1964
+ }
1965
+ tkeylen -= cplen;
1966
+ i++;
1967
+ p += cplen;
1968
+ }
1969
+ ret = 1;
1970
+
1971
+err:
1972
+ HMAC_CTX_free(hctx);
1973
+ HMAC_CTX_free(hctx_tpl);
1974
+ return ret;
1975
+}
1976
Index: openssl-1.1.1d/crypto/kdf/scrypt.c
1977
===================================================================
1978
--- openssl-1.1.1d.orig/crypto/kdf/scrypt.c 2019-09-10 15:13:07.000000000 +0200
1979
+++ openssl-1.1.1d/crypto/kdf/scrypt.c 2020-01-23 13:45:11.472634451 +0100
1980
1981
*/
1982
1983
#include <stdlib.h>
1984
+#include <stdarg.h>
1985
#include <string.h>
1986
-#include <openssl/hmac.h>
1987
-#include <openssl/kdf.h>
1988
#include <openssl/evp.h>
1989
-#include "internal/cryptlib.h"
1990
+#include <openssl/kdf.h>
1991
+#include <openssl/err.h>
1992
#include "internal/evp_int.h"
1993
+#include "internal/numbers.h"
1994
+#include "kdf_local.h"
1995
1996
#ifndef OPENSSL_NO_SCRYPT
1997
1998
+static void kdf_scrypt_reset(EVP_KDF_IMPL *impl);
1999
+static void kdf_scrypt_init(EVP_KDF_IMPL *impl);
2000
static int atou64(const char *nptr, uint64_t *result);
2001
+static int scrypt_alg(const char *pass, size_t passlen,
2002
+ const unsigned char *salt, size_t saltlen,
2003
+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
2004
+ unsigned char *key, size_t keylen);
2005
2006
-typedef struct {
2007
+struct evp_kdf_impl_st {
2008
unsigned char *pass;
2009
size_t pass_len;
2010
unsigned char *salt;
2011
size_t salt_len;
2012
- uint64_t N, r, p;
2013
+ uint64_t N;
2014
+ uint32_t r, p;
2015
uint64_t maxmem_bytes;
2016
-} SCRYPT_PKEY_CTX;
2017
+};
2018
2019
/* Custom uint64_t parser since we do not have strtoull */
2020
static int atou64(const char *nptr, uint64_t *result)
2021
2022
return 1;
2023
}
2024
2025
-static int pkey_scrypt_init(EVP_PKEY_CTX *ctx)
2026
+static EVP_KDF_IMPL *kdf_scrypt_new(void)
2027
{
2028
- SCRYPT_PKEY_CTX *kctx;
2029
+ EVP_KDF_IMPL *impl;
2030
2031
- kctx = OPENSSL_zalloc(sizeof(*kctx));
2032
- if (kctx == NULL) {
2033
- KDFerr(KDF_F_PKEY_SCRYPT_INIT, ERR_R_MALLOC_FAILURE);
2034
- return 0;
2035
+ impl = OPENSSL_zalloc(sizeof(*impl));
2036
+ if (impl == NULL) {
2037
+ KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE);
2038
+ return NULL;
2039
}
2040
+ kdf_scrypt_init(impl);
2041
+ return impl;
2042
+}
2043
2044
- /* Default values are the most conservative recommendation given in the
2045
- * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
2046
- * for this parameter choice (approx. 128 * r * (N + p) bytes).
2047
- */
2048
- kctx->N = 1 << 20;
2049
- kctx->r = 8;
2050
- kctx->p = 1;
2051
- kctx->maxmem_bytes = 1025 * 1024 * 1024;
2052
-
2053
- ctx->data = kctx;
2054
-
2055
- return 1;
2056
+static void kdf_scrypt_free(EVP_KDF_IMPL *impl)
2057
+{
2058
+ kdf_scrypt_reset(impl);
2059
+ OPENSSL_free(impl);
2060
}
2061
2062
-static void pkey_scrypt_cleanup(EVP_PKEY_CTX *ctx)
2063
+static void kdf_scrypt_reset(EVP_KDF_IMPL *impl)
2064
{
2065
- SCRYPT_PKEY_CTX *kctx = ctx->data;
2066
+ OPENSSL_free(impl->salt);
2067
+ OPENSSL_clear_free(impl->pass, impl->pass_len);
2068
+ memset(impl, 0, sizeof(*impl));
2069
+ kdf_scrypt_init(impl);
2070
+}
2071
2072
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
2073
- OPENSSL_clear_free(kctx->pass, kctx->pass_len);
2074
- OPENSSL_free(kctx);
2075
+static void kdf_scrypt_init(EVP_KDF_IMPL *impl)
2076
+{
2077
+ /* Default values are the most conservative recommendation given in the
2078
+ * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
2079
+ * for this parameter choice (approx. 128 * r * N * p bytes).
2080
+ */
2081
+ impl->N = 1 << 20;
2082
+ impl->r = 8;
2083
+ impl->p = 1;
2084
+ impl->maxmem_bytes = 1025 * 1024 * 1024;
2085
}
2086
2087
-static int pkey_scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
2088
- const unsigned char *new_buffer,
2089
- const int new_buflen)
2090
+static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
2091
+ const unsigned char *new_buffer,
2092
+ size_t new_buflen)
2093
{
2094
if (new_buffer == NULL)
2095
return 1;
2096
2097
- if (new_buflen < 0)
2098
- return 0;
2099
-
2100
- if (*buffer != NULL)
2101
- OPENSSL_clear_free(*buffer, *buflen);
2102
+ OPENSSL_clear_free(*buffer, *buflen);
2103
2104
if (new_buflen > 0) {
2105
*buffer = OPENSSL_memdup(new_buffer, new_buflen);
2106
2107
*buffer = OPENSSL_malloc(1);
2108
}
2109
if (*buffer == NULL) {
2110
- KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
2111
+ KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
2112
return 0;
2113
}
2114
2115
2116
return (value != 0) && ((value & (value - 1)) == 0);
2117
}
2118
2119
-static int pkey_scrypt_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
2120
+static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
2121
{
2122
- SCRYPT_PKEY_CTX *kctx = ctx->data;
2123
uint64_t u64_value;
2124
+ uint32_t value;
2125
+ const unsigned char *p;
2126
+ size_t len;
2127
+
2128
+ switch (cmd) {
2129
+ case EVP_KDF_CTRL_SET_PASS:
2130
+ p = va_arg(args, const unsigned char *);
2131
+ len = va_arg(args, size_t);
2132
+ return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len);
2133
+
2134
+ case EVP_KDF_CTRL_SET_SALT:
2135
+ p = va_arg(args, const unsigned char *);
2136
+ len = va_arg(args, size_t);
2137
+ return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len);
2138
2139
- switch (type) {
2140
- case EVP_PKEY_CTRL_PASS:
2141
- return pkey_scrypt_set_membuf(&kctx->pass, &kctx->pass_len, p2, p1);
2142
-
2143
- case EVP_PKEY_CTRL_SCRYPT_SALT:
2144
- return pkey_scrypt_set_membuf(&kctx->salt, &kctx->salt_len, p2, p1);
2145
-
2146
- case EVP_PKEY_CTRL_SCRYPT_N:
2147
- u64_value = *((uint64_t *)p2);
2148
+ case EVP_KDF_CTRL_SET_SCRYPT_N:
2149
+ u64_value = va_arg(args, uint64_t);
2150
if ((u64_value <= 1) || !is_power_of_two(u64_value))
2151
return 0;
2152
- kctx->N = u64_value;
2153
+
2154
+ impl->N = u64_value;
2155
return 1;
2156
2157
- case EVP_PKEY_CTRL_SCRYPT_R:
2158
- u64_value = *((uint64_t *)p2);
2159
- if (u64_value < 1)
2160
+ case EVP_KDF_CTRL_SET_SCRYPT_R:
2161
+ value = va_arg(args, uint32_t);
2162
+ if (value < 1)
2163
return 0;
2164
- kctx->r = u64_value;
2165
+
2166
+ impl->r = value;
2167
return 1;
2168
2169
- case EVP_PKEY_CTRL_SCRYPT_P:
2170
- u64_value = *((uint64_t *)p2);
2171
- if (u64_value < 1)
2172
+ case EVP_KDF_CTRL_SET_SCRYPT_P:
2173
+ value = va_arg(args, uint32_t);
2174
+ if (value < 1)
2175
return 0;
2176
- kctx->p = u64_value;
2177
+
2178
+ impl->p = value;
2179
return 1;
2180
2181
- case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:
2182
- u64_value = *((uint64_t *)p2);
2183
+ case EVP_KDF_CTRL_SET_MAXMEM_BYTES:
2184
+ u64_value = va_arg(args, uint64_t);
2185
if (u64_value < 1)
2186
return 0;
2187
- kctx->maxmem_bytes = u64_value;
2188
+
2189
+ impl->maxmem_bytes = u64_value;
2190
return 1;
2191
2192
default:
2193
return -2;
2194
+ }
2195
+}
2196
2197
+static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd,
2198
+ const char *value)
2199
+{
2200
+ int int_value = atoi(value);
2201
+
2202
+ if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) {
2203
+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR);
2204
+ return 0;
2205
}
2206
+ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value);
2207
}
2208
2209
-static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX *ctx, int type,
2210
- const char *value)
2211
+static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd,
2212
+ const char *value)
2213
{
2214
- uint64_t int_value;
2215
+ uint64_t u64_value;
2216
2217
- if (!atou64(value, &int_value)) {
2218
- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);
2219
+ if (!atou64(value, &u64_value)) {
2220
+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);
2221
return 0;
2222
}
2223
- return pkey_scrypt_ctrl(ctx, type, 0, &int_value);
2224
+ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value);
2225
}
2226
2227
-static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
2228
- const char *value)
2229
+static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
2230
+ const char *value)
2231
{
2232
if (value == NULL) {
2233
- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);
2234
+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);
2235
return 0;
2236
}
2237
2238
if (strcmp(type, "pass") == 0)
2239
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);
2240
+ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS,
2241
+ value);
2242
2243
if (strcmp(type, "hexpass") == 0)
2244
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);
2245
+ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS,
2246
+ value);
2247
2248
if (strcmp(type, "salt") == 0)
2249
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);
2250
+ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT,
2251
+ value);
2252
2253
if (strcmp(type, "hexsalt") == 0)
2254
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);
2255
+ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT,
2256
+ value);
2257
2258
if (strcmp(type, "N") == 0)
2259
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_N, value);
2260
+ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_SCRYPT_N, value);
2261
2262
if (strcmp(type, "r") == 0)
2263
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_R, value);
2264
+ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_R, value);
2265
2266
if (strcmp(type, "p") == 0)
2267
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_P, value);
2268
+ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_P, value);
2269
2270
if (strcmp(type, "maxmem_bytes") == 0)
2271
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES,
2272
- value);
2273
+ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
2274
+ value);
2275
2276
- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
2277
return -2;
2278
}
2279
2280
-static int pkey_scrypt_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
2281
- size_t *keylen)
2282
+static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key,
2283
+ size_t keylen)
2284
{
2285
- SCRYPT_PKEY_CTX *kctx = ctx->data;
2286
-
2287
- if (kctx->pass == NULL) {
2288
- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_PASS);
2289
+ if (impl->pass == NULL) {
2290
+ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS);
2291
return 0;
2292
}
2293
2294
- if (kctx->salt == NULL) {
2295
- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_SALT);
2296
+ if (impl->salt == NULL) {
2297
+ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_SALT);
2298
return 0;
2299
}
2300
2301
- return EVP_PBE_scrypt((char *)kctx->pass, kctx->pass_len, kctx->salt,
2302
- kctx->salt_len, kctx->N, kctx->r, kctx->p,
2303
- kctx->maxmem_bytes, key, *keylen);
2304
+ return scrypt_alg((char *)impl->pass, impl->pass_len, impl->salt,
2305
+ impl->salt_len, impl->N, impl->r, impl->p,
2306
+ impl->maxmem_bytes, key, keylen);
2307
}
2308
2309
-const EVP_PKEY_METHOD scrypt_pkey_meth = {
2310
- EVP_PKEY_SCRYPT,
2311
- 0,
2312
- pkey_scrypt_init,
2313
- 0,
2314
- pkey_scrypt_cleanup,
2315
+const EVP_KDF_METHOD scrypt_kdf_meth = {
2316
+ EVP_KDF_SCRYPT,
2317
+ kdf_scrypt_new,
2318
+ kdf_scrypt_free,
2319
+ kdf_scrypt_reset,
2320
+ kdf_scrypt_ctrl,
2321
+ kdf_scrypt_ctrl_str,
2322
+ NULL,
2323
+ kdf_scrypt_derive
2324
+};
2325
2326
- 0, 0,
2327
- 0, 0,
2328
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
2329
+static void salsa208_word_specification(uint32_t inout[16])
2330
+{
2331
+ int i;
2332
+ uint32_t x[16];
2333
2334
- 0,
2335
- 0,
2336
+ memcpy(x, inout, sizeof(x));
2337
+ for (i = 8; i > 0; i -= 2) {
2338
+ x[4] ^= R(x[0] + x[12], 7);
2339
+ x[8] ^= R(x[4] + x[0], 9);
2340
+ x[12] ^= R(x[8] + x[4], 13);
2341
+ x[0] ^= R(x[12] + x[8], 18);
2342
+ x[9] ^= R(x[5] + x[1], 7);
2343
+ x[13] ^= R(x[9] + x[5], 9);
2344
+ x[1] ^= R(x[13] + x[9], 13);
2345
+ x[5] ^= R(x[1] + x[13], 18);
2346
+ x[14] ^= R(x[10] + x[6], 7);
2347
+ x[2] ^= R(x[14] + x[10], 9);
2348
+ x[6] ^= R(x[2] + x[14], 13);
2349
+ x[10] ^= R(x[6] + x[2], 18);
2350
+ x[3] ^= R(x[15] + x[11], 7);
2351
+ x[7] ^= R(x[3] + x[15], 9);
2352
+ x[11] ^= R(x[7] + x[3], 13);
2353
+ x[15] ^= R(x[11] + x[7], 18);
2354
+ x[1] ^= R(x[0] + x[3], 7);
2355
+ x[2] ^= R(x[1] + x[0], 9);
2356
+ x[3] ^= R(x[2] + x[1], 13);
2357
+ x[0] ^= R(x[3] + x[2], 18);
2358
+ x[6] ^= R(x[5] + x[4], 7);
2359
+ x[7] ^= R(x[6] + x[5], 9);
2360
+ x[4] ^= R(x[7] + x[6], 13);
2361
+ x[5] ^= R(x[4] + x[7], 18);
2362
+ x[11] ^= R(x[10] + x[9], 7);
2363
+ x[8] ^= R(x[11] + x[10], 9);
2364
+ x[9] ^= R(x[8] + x[11], 13);
2365
+ x[10] ^= R(x[9] + x[8], 18);
2366
+ x[12] ^= R(x[15] + x[14], 7);
2367
+ x[13] ^= R(x[12] + x[15], 9);
2368
+ x[14] ^= R(x[13] + x[12], 13);
2369
+ x[15] ^= R(x[14] + x[13], 18);
2370
+ }
2371
+ for (i = 0; i < 16; ++i)
2372
+ inout[i] += x[i];
2373
+ OPENSSL_cleanse(x, sizeof(x));
2374
+}
2375
2376
- 0,
2377
- 0,
2378
+static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
2379
+{
2380
+ uint64_t i, j;
2381
+ uint32_t X[16], *pB;
2382
2383
- 0, 0,
2384
+ memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
2385
+ pB = B;
2386
+ for (i = 0; i < r * 2; i++) {
2387
+ for (j = 0; j < 16; j++)
2388
+ X[j] ^= *pB++;
2389
+ salsa208_word_specification(X);
2390
+ memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
2391
+ }
2392
+ OPENSSL_cleanse(X, sizeof(X));
2393
+}
2394
2395
- 0, 0, 0, 0,
2396
+static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
2397
+ uint32_t *X, uint32_t *T, uint32_t *V)
2398
+{
2399
+ unsigned char *pB;
2400
+ uint32_t *pV;
2401
+ uint64_t i, k;
2402
+
2403
+ /* Convert from little endian input */
2404
+ for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
2405
+ *pV = *pB++;
2406
+ *pV |= *pB++ << 8;
2407
+ *pV |= *pB++ << 16;
2408
+ *pV |= (uint32_t)*pB++ << 24;
2409
+ }
2410
2411
- 0, 0,
2412
+ for (i = 1; i < N; i++, pV += 32 * r)
2413
+ scryptBlockMix(pV, pV - 32 * r, r);
2414
2415
- 0, 0,
2416
+ scryptBlockMix(X, V + (N - 1) * 32 * r, r);
2417
2418
- 0,
2419
- pkey_scrypt_derive,
2420
- pkey_scrypt_ctrl,
2421
- pkey_scrypt_ctrl_str
2422
-};
2423
+ for (i = 0; i < N; i++) {
2424
+ uint32_t j;
2425
+ j = X[16 * (2 * r - 1)] % N;
2426
+ pV = V + 32 * r * j;
2427
+ for (k = 0; k < 32 * r; k++)
2428
+ T[k] = X[k] ^ *pV++;
2429
+ scryptBlockMix(X, T, r);
2430
+ }
2431
+ /* Convert output to little endian */
2432
+ for (i = 0, pB = B; i < 32 * r; i++) {
2433
+ uint32_t xtmp = X[i];
2434
+ *pB++ = xtmp & 0xff;
2435
+ *pB++ = (xtmp >> 8) & 0xff;
2436
+ *pB++ = (xtmp >> 16) & 0xff;
2437
+ *pB++ = (xtmp >> 24) & 0xff;
2438
+ }
2439
+}
2440
+
2441
+#ifndef SIZE_MAX
2442
+# define SIZE_MAX ((size_t)-1)
2443
+#endif
2444
+
2445
+/*
2446
+ * Maximum power of two that will fit in uint64_t: this should work on
2447
+ * most (all?) platforms.
2448
+ */
2449
+
2450
+#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
2451
+
2452
+/*
2453
+ * Maximum value of p * r:
2454
+ * p <= ((2^32-1) * hLen) / MFLen =>
2455
+ * p <= ((2^32-1) * 32) / (128 * r) =>
2456
+ * p * r <= (2^30-1)
2457
+ */
2458
+
2459
+#define SCRYPT_PR_MAX ((1 << 30) - 1)
2460
+
2461
+static int scrypt_alg(const char *pass, size_t passlen,
2462
+ const unsigned char *salt, size_t saltlen,
2463
+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
2464
+ unsigned char *key, size_t keylen)
2465
+{
2466
+ int rv = 0;
2467
+ unsigned char *B;
2468
+ uint32_t *X, *V, *T;
2469
+ uint64_t i, Blen, Vlen;
2470
+
2471
+ /* Sanity check parameters */
2472
+ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
2473
+ if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
2474
+ return 0;
2475
+ /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
2476
+ if (p > SCRYPT_PR_MAX / r) {
2477
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
2478
+ return 0;
2479
+ }
2480
+
2481
+ /*
2482
+ * Need to check N: if 2^(128 * r / 8) overflows limit this is
2483
+ * automatically satisfied since N <= UINT64_MAX.
2484
+ */
2485
+
2486
+ if (16 * r <= LOG2_UINT64_MAX) {
2487
+ if (N >= (((uint64_t)1) << (16 * r))) {
2488
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
2489
+ return 0;
2490
+ }
2491
+ }
2492
+
2493
+ /* Memory checks: check total allocated buffer size fits in uint64_t */
2494
+
2495
+ /*
2496
+ * B size in section 5 step 1.S
2497
+ * Note: we know p * 128 * r < UINT64_MAX because we already checked
2498
+ * p * r < SCRYPT_PR_MAX
2499
+ */
2500
+ Blen = p * 128 * r;
2501
+ /*
2502
+ * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
2503
+ * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
2504
+ */
2505
+ if (Blen > INT_MAX) {
2506
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
2507
+ return 0;
2508
+ }
2509
+
2510
+ /*
2511
+ * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
2512
+ * This is combined size V, X and T (section 4)
2513
+ */
2514
+ i = UINT64_MAX / (32 * sizeof(uint32_t));
2515
+ if (N + 2 > i / r) {
2516
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
2517
+ return 0;
2518
+ }
2519
+ Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
2520
+
2521
+ /* check total allocated size fits in uint64_t */
2522
+ if (Blen > UINT64_MAX - Vlen) {
2523
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
2524
+ return 0;
2525
+ }
2526
+
2527
+ /* Check that the maximum memory doesn't exceed a size_t limits */
2528
+ if (maxmem > SIZE_MAX)
2529
+ maxmem = SIZE_MAX;
2530
+
2531
+ if (Blen + Vlen > maxmem) {
2532
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
2533
+ return 0;
2534
+ }
2535
+
2536
+ /* If no key return to indicate parameters are OK */
2537
+ if (key == NULL)
2538
+ return 1;
2539
+
2540
+ B = OPENSSL_malloc((size_t)(Blen + Vlen));
2541
+ if (B == NULL) {
2542
+ EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE);
2543
+ return 0;
2544
+ }
2545
+ X = (uint32_t *)(B + Blen);
2546
+ T = X + 32 * r;
2547
+ V = T + 32 * r;
2548
+ if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
2549
+ (int)Blen, B) == 0)
2550
+ goto err;
2551
+
2552
+ for (i = 0; i < p; i++)
2553
+ scryptROMix(B + 128 * r * i, r, N, X, T, V);
2554
+
2555
+ if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),
2556
+ keylen, key) == 0)
2557
+ goto err;
2558
+ rv = 1;
2559
+ err:
2560
+ if (rv == 0)
2561
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR);
2562
+
2563
+ OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
2564
+ return rv;
2565
+}
2566
2567
#endif
2568
Index: openssl-1.1.1d/crypto/kdf/tls1_prf.c
2569
===================================================================
2570
--- openssl-1.1.1d.orig/crypto/kdf/tls1_prf.c 2019-09-10 15:13:07.000000000 +0200
2571
+++ openssl-1.1.1d/crypto/kdf/tls1_prf.c 2020-01-23 13:45:11.472634451 +0100
2572
2573
*/
2574
2575
#include <stdio.h>
2576
+#include <stdarg.h>
2577
+#include <string.h>
2578
#include "internal/cryptlib.h"
2579
-#include <openssl/kdf.h>
2580
#include <openssl/evp.h>
2581
+#include <openssl/kdf.h>
2582
#include "internal/evp_int.h"
2583
+#include "kdf_local.h"
2584
2585
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);
2586
static int tls1_prf_alg(const EVP_MD *md,
2587
const unsigned char *sec, size_t slen,
2588
const unsigned char *seed, size_t seed_len,
2589
2590
2591
#define TLS1_PRF_MAXBUF 1024
2592
2593
-/* TLS KDF pkey context structure */
2594
+/* TLS KDF kdf context structure */
2595
2596
-typedef struct {
2597
+struct evp_kdf_impl_st {
2598
/* Digest to use for PRF */
2599
const EVP_MD *md;
2600
/* Secret value to use for PRF */
2601
2602
/* Buffer of concatenated seed data */
2603
unsigned char seed[TLS1_PRF_MAXBUF];
2604
size_t seedlen;
2605
-} TLS1_PRF_PKEY_CTX;
2606
+};
2607
2608
-static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)
2609
+static EVP_KDF_IMPL *kdf_tls1_prf_new(void)
2610
{
2611
- TLS1_PRF_PKEY_CTX *kctx;
2612
+ EVP_KDF_IMPL *impl;
2613
2614
- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) {
2615
- KDFerr(KDF_F_PKEY_TLS1_PRF_INIT, ERR_R_MALLOC_FAILURE);
2616
- return 0;
2617
- }
2618
- ctx->data = kctx;
2619
+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
2620
+ KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE);
2621
+ return impl;
2622
+}
2623
2624
- return 1;
2625
+static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl)
2626
+{
2627
+ kdf_tls1_prf_reset(impl);
2628
+ OPENSSL_free(impl);
2629
}
2630
2631
-static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
2632
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl)
2633
{
2634
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;
2635
- OPENSSL_clear_free(kctx->sec, kctx->seclen);
2636
- OPENSSL_cleanse(kctx->seed, kctx->seedlen);
2637
- OPENSSL_free(kctx);
2638
+ OPENSSL_clear_free(impl->sec, impl->seclen);
2639
+ OPENSSL_cleanse(impl->seed, impl->seedlen);
2640
+ memset(impl, 0, sizeof(*impl));
2641
}
2642
2643
-static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
2644
+static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
2645
{
2646
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;
2647
- switch (type) {
2648
- case EVP_PKEY_CTRL_TLS_MD:
2649
- kctx->md = p2;
2650
- return 1;
2651
+ const unsigned char *p;
2652
+ size_t len;
2653
+ const EVP_MD *md;
2654
2655
- case EVP_PKEY_CTRL_TLS_SECRET:
2656
- if (p1 < 0)
2657
+ switch (cmd) {
2658
+ case EVP_KDF_CTRL_SET_MD:
2659
+ md = va_arg(args, const EVP_MD *);
2660
+ if (md == NULL)
2661
return 0;
2662
- if (kctx->sec != NULL)
2663
- OPENSSL_clear_free(kctx->sec, kctx->seclen);
2664
- OPENSSL_cleanse(kctx->seed, kctx->seedlen);
2665
- kctx->seedlen = 0;
2666
- kctx->sec = OPENSSL_memdup(p2, p1);
2667
- if (kctx->sec == NULL)
2668
+
2669
+ impl->md = md;
2670
+ return 1;
2671
+
2672
+ case EVP_KDF_CTRL_SET_TLS_SECRET:
2673
+ p = va_arg(args, const unsigned char *);
2674
+ len = va_arg(args, size_t);
2675
+ OPENSSL_clear_free(impl->sec, impl->seclen);
2676
+ impl->sec = OPENSSL_memdup(p, len);
2677
+ if (impl->sec == NULL)
2678
return 0;
2679
- kctx->seclen = p1;
2680
+
2681
+ impl->seclen = len;
2682
return 1;
2683
2684
- case EVP_PKEY_CTRL_TLS_SEED:
2685
- if (p1 == 0 || p2 == NULL)
2686
+ case EVP_KDF_CTRL_RESET_TLS_SEED:
2687
+ OPENSSL_cleanse(impl->seed, impl->seedlen);
2688
+ impl->seedlen = 0;
2689
+ return 1;
2690
+
2691
+ case EVP_KDF_CTRL_ADD_TLS_SEED:
2692
+ p = va_arg(args, const unsigned char *);
2693
+ len = va_arg(args, size_t);
2694
+ if (len == 0 || p == NULL)
2695
return 1;
2696
- if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen))
2697
+
2698
+ if (len > (TLS1_PRF_MAXBUF - impl->seedlen))
2699
return 0;
2700
- memcpy(kctx->seed + kctx->seedlen, p2, p1);
2701
- kctx->seedlen += p1;
2702
+
2703
+ memcpy(impl->seed + impl->seedlen, p, len);
2704
+ impl->seedlen += len;
2705
return 1;
2706
2707
default:
2708
return -2;
2709
-
2710
}
2711
}
2712
2713
-static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx,
2714
- const char *type, const char *value)
2715
+static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl,
2716
+ const char *type, const char *value)
2717
{
2718
if (value == NULL) {
2719
- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);
2720
+ KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);
2721
return 0;
2722
}
2723
- if (strcmp(type, "md") == 0) {
2724
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;
2725
+ if (strcmp(type, "digest") == 0)
2726
+ return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value);
2727
2728
- const EVP_MD *md = EVP_get_digestbyname(value);
2729
- if (md == NULL) {
2730
- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_INVALID_DIGEST);
2731
- return 0;
2732
- }
2733
- kctx->md = md;
2734
- return 1;
2735
- }
2736
if (strcmp(type, "secret") == 0)
2737
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
2738
+ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl,
2739
+ EVP_KDF_CTRL_SET_TLS_SECRET, value);
2740
+
2741
if (strcmp(type, "hexsecret") == 0)
2742
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
2743
+ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl,
2744
+ EVP_KDF_CTRL_SET_TLS_SECRET, value);
2745
+
2746
if (strcmp(type, "seed") == 0)
2747
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
2748
+ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,
2749
+ value);
2750
+
2751
if (strcmp(type, "hexseed") == 0)
2752
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
2753
+ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,
2754
+ value);
2755
2756
- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
2757
return -2;
2758
}
2759
2760
-static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
2761
- size_t *keylen)
2762
+static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
2763
+ size_t keylen)
2764
{
2765
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;
2766
- if (kctx->md == NULL) {
2767
- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
2768
+ if (impl->md == NULL) {
2769
+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
2770
return 0;
2771
}
2772
- if (kctx->sec == NULL) {
2773
- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);
2774
+ if (impl->sec == NULL) {
2775
+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);
2776
return 0;
2777
}
2778
- if (kctx->seedlen == 0) {
2779
- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
2780
+ if (impl->seedlen == 0) {
2781
+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
2782
return 0;
2783
}
2784
- return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen,
2785
- kctx->seed, kctx->seedlen,
2786
- key, *keylen);
2787
+ return tls1_prf_alg(impl->md, impl->sec, impl->seclen,
2788
+ impl->seed, impl->seedlen,
2789
+ key, keylen);
2790
}
2791
2792
-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
2793
- EVP_PKEY_TLS1_PRF,
2794
- 0,
2795
- pkey_tls1_prf_init,
2796
- 0,
2797
- pkey_tls1_prf_cleanup,
2798
-
2799
- 0, 0,
2800
- 0, 0,
2801
-
2802
- 0,
2803
- 0,
2804
-
2805
- 0,
2806
- 0,
2807
-
2808
- 0, 0,
2809
-
2810
- 0, 0, 0, 0,
2811
-
2812
- 0, 0,
2813
-
2814
- 0, 0,
2815
-
2816
- 0,
2817
- pkey_tls1_prf_derive,
2818
- pkey_tls1_prf_ctrl,
2819
- pkey_tls1_prf_ctrl_str
2820
+const EVP_KDF_METHOD tls1_prf_kdf_meth = {
2821
+ EVP_KDF_TLS1_PRF,
2822
+ kdf_tls1_prf_new,
2823
+ kdf_tls1_prf_free,
2824
+ kdf_tls1_prf_reset,
2825
+ kdf_tls1_prf_ctrl,
2826
+ kdf_tls1_prf_ctrl_str,
2827
+ NULL,
2828
+ kdf_tls1_prf_derive
2829
};
2830
2831
static int tls1_prf_P_hash(const EVP_MD *md,
2832
2833
const unsigned char *seed, size_t seed_len,
2834
unsigned char *out, size_t olen)
2835
{
2836
-
2837
if (EVP_MD_type(md) == NID_md5_sha1) {
2838
size_t i;
2839
unsigned char *tmp;
2840
if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1),
2841
- seed, seed_len, out, olen))
2842
+ seed, seed_len, out, olen))
2843
return 0;
2844
2845
if ((tmp = OPENSSL_malloc(olen)) == NULL) {
2846
2847
return 0;
2848
}
2849
if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1),
2850
- seed, seed_len, tmp, olen)) {
2851
+ seed, seed_len, tmp, olen)) {
2852
OPENSSL_clear_free(tmp, olen);
2853
return 0;
2854
}
2855
Index: openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod
2856
===================================================================
2857
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
2858
+++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2020-01-23 13:45:11.472634451 +0100
2859
2860
+=pod
2861
+
2862
+=head1 NAME
2863
+
2864
+EVP_KDF_CTX, EVP_KDF_CTX_new_id, EVP_KDF_CTX_free, EVP_KDF_reset,
2865
+EVP_KDF_ctrl, EVP_KDF_vctrl, EVP_KDF_ctrl_str, EVP_KDF_size,
2866
+EVP_KDF_derive - EVP KDF routines
2867
+
2868
+=head1 SYNOPSIS
2869
+
2870
+ #include <openssl/kdf.h>
2871
+
2872
+ typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
2873
+
2874
+ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
2875
+ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
2876
+ void EVP_KDF_reset(EVP_KDF_CTX *ctx);
2877
+ int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);
2878
+ int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);
2879
+ int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);
2880
+ size_t EVP_KDF_size(EVP_KDF_CTX *ctx);
2881
+ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);
2882
+
2883
+=head1 DESCRIPTION
2884
+
2885
+The EVP KDF routines are a high level interface to Key Derivation Function
2886
+algorithms and should be used instead of algorithm-specific functions.
2887
+
2888
+After creating a C<EVP_KDF_CTX> for the required algorithm using
2889
+EVP_KDF_CTX_new_id(), inputs to the algorithm are supplied using calls to
2890
+EVP_KDF_ctrl(), EVP_KDF_vctrl() or EVP_KDF_ctrl_str() before calling
2891
+EVP_KDF_derive() to derive the key.
2892
+
2893
+=head2 Types
2894
+
2895
+B<EVP_KDF_CTX> is a context type that holds the algorithm inputs.
2896
+
2897
+=head2 Context manipulation functions
2898
+
2899
+EVP_KDF_CTX_new_id() creates a KDF context for the algorithm identified by the
2900
+specified NID.
2901
+
2902
+EVP_KDF_CTX_free() frees up the context C<ctx>. If C<ctx> is C<NULL>, nothing
2903
+is done.
2904
+
2905
+=head2 Computing functions
2906
+
2907
+EVP_KDF_reset() resets the context to the default state as if the context
2908
+had just been created.
2909
+
2910
+EVP_KDF_ctrl() is used to provide inputs to the KDF algorithm prior to
2911
+EVP_KDF_derive() being called. The inputs that may be provided will vary
2912
+depending on the KDF algorithm or its implementation. This functions takes
2913
+variable arguments, the exact expected arguments depend on C<cmd>.
2914
+See L</CONTROLS> below for a description of standard controls.
2915
+
2916
+EVP_KDF_vctrl() is the variant of EVP_KDF_ctrl() that takes a C<va_list>
2917
+argument instead of variadic arguments.
2918
+
2919
+EVP_KDF_ctrl_str() allows an application to send an algorithm specific control
2920
+operation to a context C<ctx> in string form. This is intended to be used for
2921
+options specified on the command line or in text files.
2922
+
2923
+EVP_KDF_size() returns the output size if the algorithm produces a fixed amount
2924
+of output and C<SIZE_MAX> otherwise. If an error occurs then 0 is returned.
2925
+For some algorithms an error may result if input parameters necessary to
2926
+calculate a fixed output size have not yet been supplied.
2927
+
2928
+EVP_KDF_derive() derives C<keylen> bytes of key material and places it in the
2929
+C<key> buffer. If the algorithm produces a fixed amount of output then an
2930
+error will occur unless the C<keylen> parameter is equal to that output size,
2931
+as returned by EVP_KDF_size().
2932
+
2933
+=head1 CONTROLS
2934
+
2935
+The standard controls are:
2936
+
2937
+=over 4
2938
+
2939
+=item B<EVP_KDF_CTRL_SET_PASS>
2940
+
2941
+This control expects two arguments: C<unsigned char *pass>, C<size_t passlen>
2942
+
2943
+Some KDF implementations require a password. For those KDF implementations
2944
+that support it, this control sets the password.
2945
+
2946
+EVP_KDF_ctrl_str() takes two type strings for this control:
2947
+
2948
+=over 4
2949
+
2950
+=item "pass"
2951
+
2952
+The value string is used as is.
2953
+
2954
+=item "hexpass"
2955
+
2956
+The value string is expected to be a hexadecimal number, which will be
2957
+decoded before being passed on as the control value.
2958
+
2959
+=back
2960
+
2961
+=item B<EVP_KDF_CTRL_SET_SALT>
2962
+
2963
+This control expects two arguments: C<unsigned char *salt>, C<size_t saltlen>
2964
+
2965
+Some KDF implementations can take a salt. For those KDF implementations that
2966
+support it, this control sets the salt.
2967
+
2968
+The default value, if any, is implementation dependent.
2969
+
2970
+EVP_KDF_ctrl_str() takes two type strings for this control:
2971
+
2972
+=over 4
2973
+
2974
+=item "salt"
2975
+
2976
+The value string is used as is.
2977
+
2978
+=item "hexsalt"
2979
+
2980
+The value string is expected to be a hexadecimal number, which will be
2981
+decoded before being passed on as the control value.
2982
+
2983
+=back
2984
+
2985
+=item B<EVP_KDF_CTRL_SET_ITER>
2986
+
2987
+This control expects one argument: C<int iter>
2988
+
2989
+Some KDF implementations require an iteration count. For those KDF implementations that support it, this control sets the iteration count.
2990
+
2991
+The default value, if any, is implementation dependent.
2992
+
2993
+EVP_KDF_ctrl_str() type string: "iter"
2994
+
2995
+The value string is expected to be a decimal number.
2996
+
2997
+=item B<EVP_KDF_CTRL_SET_MD>
2998
+
2999
+This control expects one argument: C<EVP_MD *md>
3000
+
3001
+For MAC implementations that use a message digest as an underlying computation
3002
+algorithm, this control set what the digest algorithm should be.
3003
+
3004
+EVP_KDF_ctrl_str() type string: "md"
3005
+
3006
+The value string is expected to be the name of a digest.
3007
+
3008
+=item B<EVP_KDF_CTRL_SET_KEY>
3009
+
3010
+This control expects two arguments: C<unsigned char *key>, C<size_t keylen>
3011
+
3012
+Some KDF implementations require a key. For those KDF implementations that
3013
+support it, this control sets the key.
3014
+
3015
+EVP_KDF_ctrl_str() takes two type strings for this control:
3016
+
3017
+=over 4
3018
+
3019
+=item "key"
3020
+
3021
+The value string is used as is.
3022
+
3023
+=item "hexkey"
3024
+
3025
+The value string is expected to be a hexadecimal number, which will be
3026
+decoded before being passed on as the control value.
3027
+
3028
+=back
3029
+
3030
+=item B<EVP_KDF_CTRL_SET_MAXMEM_BYTES>
3031
+
3032
+This control expects one argument: C<uint64_t maxmem_bytes>
3033
+
3034
+Memory-hard password-based KDF algorithms, such as scrypt, use an amount of
3035
+memory that depends on the load factors provided as input. For those KDF
3036
+implementations that support it, this control sets an upper limit on the amount
3037
+of memory that may be consumed while performing a key derivation. If this
3038
+memory usage limit is exceeded because the load factors are chosen too high,
3039
+the key derivation will fail.
3040
+
3041
+The default value is implementation dependent.
3042
+
3043
+EVP_KDF_ctrl_str() type string: "maxmem_bytes"
3044
+
3045
+The value string is expected to be a decimal number.
3046
+
3047
+=back
3048
+
3049
+=head1 RETURN VALUES
3050
+
3051
+EVP_KDF_CTX_new_id() returns either the newly allocated C<EVP_KDF_CTX>
3052
+structure or C<NULL> if an error occurred.
3053
+
3054
+EVP_KDF_CTX_free() and EVP_KDF_reset() do not return a value.
3055
+
3056
+EVP_KDF_size() returns the output size. C<SIZE_MAX> is returned to indicate
3057
+that the algorithm produces a variable amount of output; 0 to indicate failure.
3058
+
3059
+The remaining functions return 1 for success and 0 or a negative value for
3060
+failure. In particular, a return value of -2 indicates the operation is not
3061
+supported by the KDF algorithm.
3062
+
3063
+=head1 SEE ALSO
3064
+
3065
+L<EVP_KDF_SCRYPT(7)>
3066
+
3067
+=head1 COPYRIGHT
3068
+
3069
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3070
+
3071
+Licensed under the Apache License 2.0 (the "License"). You may not use
3072
+this file except in compliance with the License. You can obtain a copy
3073
+in the file LICENSE in the source distribution or at
3074
+L<https://www.openssl.org/source/license.html>.
3075
+
3076
+=cut
3077
Index: openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod
3078
===================================================================
3079
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
3080
+++ openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod 2020-01-23 13:45:11.472634451 +0100
3081
3082
+=pod
3083
+
3084
+=head1 NAME
3085
+
3086
+EVP_KDF_HKDF - The HKDF EVP_KDF implementation
3087
+
3088
+=head1 DESCRIPTION
3089
+
3090
+Support for computing the B<HKDF> KDF through the B<EVP_KDF> API.
3091
+
3092
+The EVP_KDF_HKDF algorithm implements the HKDF key derivation function.
3093
+HKDF follows the "extract-then-expand" paradigm, where the KDF logically
3094
+consists of two modules. The first stage takes the input keying material
3095
+and "extracts" from it a fixed-length pseudorandom key K. The second stage
3096
+"expands" the key K into several additional pseudorandom keys (the output
3097
+of the KDF).
3098
+
3099
+=head2 Numeric identity
3100
+
3101
+B<EVP_KDF_HKDF> is the numeric identity for this implementation; it
3102
+can be used with the EVP_KDF_CTX_new_id() function.
3103
+
3104
+=head2 Supported controls
3105
+
3106
+The supported controls are:
3107
+
3108
+=over 4
3109
+
3110
+=item B<EVP_KDF_CTRL_SET_SALT>
3111
+
3112
+=item B<EVP_KDF_CTRL_SET_MD>
3113
+
3114
+=item B<EVP_KDF_CTRL_SET_KEY>
3115
+
3116
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
3117
+
3118
+=item B<EVP_KDF_CTRL_RESET_HKDF_INFO>
3119
+
3120
+This control does not expect any arguments.
3121
+
3122
+Resets the context info buffer to zero length.
3123
+
3124
+=item B<EVP_KDF_CTRL_ADD_HKDF_INFO>
3125
+
3126
+This control expects two arguments: C<unsigned char *info>, C<size_t infolen>
3127
+
3128
+Sets the info value to the first B<infolen> bytes of the buffer B<info>. If a
3129
+value is already set, the contents of the buffer are appended to the existing
3130
+value.
3131
+
3132
+The total length of the context info buffer cannot exceed 1024 bytes;
3133
+this should be more than enough for any normal use of HKDF.
3134
+
3135
+EVP_KDF_ctrl_str() takes two type strings for this control:
3136
+
3137
+=over 4
3138
+
3139
+=item "info"
3140
+
3141
+The value string is used as is.
3142
+
3143
+=item "hexinfo"
3144
+
3145
+The value string is expected to be a hexadecimal number, which will be
3146
+decoded before being passed on as the control value.
3147
+
3148
+=back
3149
+
3150
+=item B<EVP_KDF_CTRL_SET_HKDF_MODE>
3151
+
3152
+This control expects one argument: C<int mode>
3153
+
3154
+Sets the mode for the HKDF operation. There are three modes that are currently
3155
+defined:
3156
+
3157
+=over 4
3158
+
3159
+=item EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
3160
+
3161
+This is the default mode. Calling L<EVP_KDF_derive(3)> on an EVP_KDF_CTX set
3162
+up for HKDF will perform an extract followed by an expand operation in one go.
3163
+The derived key returned will be the result after the expand operation. The
3164
+intermediate fixed-length pseudorandom key K is not returned.
3165
+
3166
+In this mode the digest, key, salt and info values must be set before a key is
3167
+derived otherwise an error will occur.
3168
+
3169
+=item EVP_KDF_HKDF_MODE_EXTRACT_ONLY
3170
+
3171
+In this mode calling L<EVP_KDF_derive(3)> will just perform the extract
3172
+operation. The value returned will be the intermediate fixed-length pseudorandom
3173
+key K. The C<keylen> parameter must match the size of K, which can be looked
3174
+up by calling EVP_KDF_size() after setting the mode and digest.
3175
+
3176
+The digest, key and salt values must be set before a key is derived otherwise
3177
+an error will occur.
3178
+
3179
+=item EVP_KDF_HKDF_MODE_EXPAND_ONLY
3180
+
3181
+In this mode calling L<EVP_KDF_derive(3)> will just perform the expand
3182
+operation. The input key should be set to the intermediate fixed-length
3183
+pseudorandom key K returned from a previous extract operation.
3184
+
3185
+The digest, key and info values must be set before a key is derived otherwise
3186
+an error will occur.
3187
+
3188
+=back
3189
+
3190
+EVP_KDF_ctrl_str() type string: "mode"
3191
+
3192
+The value string is expected to be one of: "EXTRACT_AND_EXPAND", "EXTRACT_ONLY"
3193
+or "EXPAND_ONLY".
3194
+
3195
+=back
3196
+
3197
+=head1 NOTES
3198
+
3199
+A context for HKDF can be obtained by calling:
3200
+
3201
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);
3202
+
3203
+The output length of an HKDF expand operation is specified via the C<keylen>
3204
+parameter to the L<EVP_KDF_derive(3)> function. When using
3205
+EVP_KDF_HKDF_MODE_EXTRACT_ONLY the C<keylen> parameter must equal the size of
3206
+the intermediate fixed-length pseudorandom key otherwise an error will occur.
3207
+For that mode, the fixed output size can be looked up by calling EVP_KDF_size()
3208
+after setting the mode and digest on the C<EVP_KDF_CTX>.
3209
+
3210
+=head1 EXAMPLE
3211
+
3212
+This example derives 10 bytes using SHA-256 with the secret key "secret",
3213
+salt value "salt" and info value "label":
3214
+
3215
+ EVP_KDF_CTX *kctx;
3216
+ unsigned char out[10];
3217
+
3218
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);
3219
+
3220
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
3221
+ error("EVP_KDF_CTRL_SET_MD");
3222
+ }
3223
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
3224
+ error("EVP_KDF_CTRL_SET_SALT");
3225
+ }
3226
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
3227
+ error("EVP_KDF_CTRL_SET_KEY");
3228
+ }
3229
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label", (size_t)5) <= 0) {
3230
+ error("EVP_KDF_CTRL_ADD_HKDF_INFO");
3231
+ }
3232
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
3233
+ error("EVP_KDF_derive");
3234
+ }
3235
+
3236
+ EVP_KDF_CTX_free(kctx);
3237
+
3238
+=head1 CONFORMING TO
3239
+
3240
+RFC 5869
3241
+
3242
+=head1 SEE ALSO
3243
+
3244
+L<EVP_KDF_CTX>,
3245
+L<EVP_KDF_CTX_new_id(3)>,
3246
+L<EVP_KDF_CTX_free(3)>,
3247
+L<EVP_KDF_ctrl(3)>,
3248
+L<EVP_KDF_size(3)>,
3249
+L<EVP_KDF_derive(3)>,
3250
+L<EVP_KDF_CTX(3)/CONTROLS>
3251
+
3252
+=head1 COPYRIGHT
3253
+
3254
+Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3255
+
3256
+Licensed under the Apache License 2.0 (the "License"). You may not use
3257
+this file except in compliance with the License. You can obtain a copy
3258
+in the file LICENSE in the source distribution or at
3259
+L<https://www.openssl.org/source/license.html>.
3260
+
3261
+=cut
3262
Index: openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod
3263
===================================================================
3264
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
3265
+++ openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod 2020-01-23 13:45:11.472634451 +0100
3266
3267
+=pod
3268
+
3269
+=head1 NAME
3270
+
3271
+EVP_KDF_PBKDF2 - The PBKDF2 EVP_KDF implementation
3272
+
3273
+=head1 DESCRIPTION
3274
+
3275
+Support for computing the B<PBKDF2> password-based KDF through the B<EVP_KDF>
3276
+API.
3277
+
3278
+The EVP_KDF_PBKDF2 algorithm implements the PBKDF2 password-based key
3279
+derivation function, as described in RFC 2898; it derives a key from a password
3280
+using a salt and iteration count.
3281
+
3282
+=head2 Numeric identity
3283
+
3284
+B<EVP_KDF_PBKDF2> is the numeric identity for this implementation; it
3285
+can be used with the EVP_KDF_CTX_new_id() function.
3286
+
3287
+=head2 Supported controls
3288
+
3289
+The supported controls are:
3290
+
3291
+=over 4
3292
+
3293
+=item B<EVP_KDF_CTRL_SET_PASS>
3294
+
3295
+=item B<EVP_KDF_CTRL_SET_SALT>
3296
+
3297
+=item B<EVP_KDF_CTRL_SET_ITER>
3298
+
3299
+=item B<EVP_KDF_CTRL_SET_MD>
3300
+
3301
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
3302
+
3303
+B<iter> is the iteration count and its value should be greater than or equal to
3304
+1. RFC 2898 suggests an iteration count of at least 1000. The default value is
3305
+2048. Any B<iter> less than 1 is treated as a single iteration.
3306
+
3307
+=back
3308
+
3309
+=head1 NOTES
3310
+
3311
+A typical application of this algorithm is to derive keying material for an
3312
+encryption algorithm from a password in the B<pass>, a salt in B<salt>,
3313
+and an iteration count.
3314
+
3315
+Increasing the B<iter> parameter slows down the algorithm which makes it
3316
+harder for an attacker to perform a brute force attack using a large number
3317
+of candidate passwords.
3318
+
3319
+No assumption is made regarding the given password; it is simply treated as a
3320
+byte sequence.
3321
+
3322
+=head1 CONFORMING TO
3323
+
3324
+RFC 2898
3325
+
3326
+=head1 SEE ALSO
3327
+
3328
+L<EVP_KDF_CTX>,
3329
+L<EVP_KDF_CTX_new_id(3)>,
3330
+L<EVP_KDF_CTX_free(3)>,
3331
+L<EVP_KDF_ctrl(3)>,
3332
+L<EVP_KDF_derive(3)>,
3333
+L<EVP_KDF_CTX(3)/CONTROLS>
3334
+
3335
+=head1 COPYRIGHT
3336
+
3337
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3338
+
3339
+Licensed under the Apache License 2.0 (the "License"). You may not use
3340
+this file except in compliance with the License. You can obtain a copy
3341
+in the file LICENSE in the source distribution or at
3342
+L<https://www.openssl.org/source/license.html>.
3343
+
3344
+=cut
3345
Index: openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod
3346
===================================================================
3347
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
3348
+++ openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod 2020-01-23 13:45:11.472634451 +0100
3349
3350
+=pod
3351
+
3352
+=head1 NAME
3353
+
3354
+EVP_KDF_SCRYPT - The scrypt EVP_KDF implementation
3355
+
3356
+=head1 DESCRIPTION
3357
+
3358
+Support for computing the B<scrypt> password-based KDF through the B<EVP_KDF>
3359
+API.
3360
+
3361
+The EVP_KDF_SCRYPT algorithm implements the scrypt password-based key
3362
+derivation function, as described in RFC 7914. It is memory-hard in the sense
3363
+that it deliberately requires a significant amount of RAM for efficient
3364
+computation. The intention of this is to render brute forcing of passwords on
3365
+systems that lack large amounts of main memory (such as GPUs or ASICs)
3366
+computationally infeasible.
3367
+
3368
+scrypt provides three work factors that can be customized: N, r and p. N, which
3369
+has to be a positive power of two, is the general work factor and scales CPU
3370
+time in an approximately linear fashion. r is the block size of the internally
3371
+used hash function and p is the parallelization factor. Both r and p need to be
3372
+greater than zero. The amount of RAM that scrypt requires for its computation
3373
+is roughly (128 * N * r * p) bytes.
3374
+
3375
+In the original paper of Colin Percival ("Stronger Key Derivation via
3376
+Sequential Memory-Hard Functions", 2009), the suggested values that give a
3377
+computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
3378
+2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
3379
+this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5
3380
+GHz), this computation takes about 3 seconds. When N, r or p are not specified,
3381
+they default to 1048576, 8, and 1, respectively. The maximum amount of RAM that
3382
+may be used by scrypt defaults to 1025 MiB.
3383
+
3384
+=head2 Numeric identity
3385
+
3386
+B<EVP_KDF_SCRYPT> is the numeric identity for this implementation; it
3387
+can be used with the EVP_KDF_CTX_new_id() function.
3388
+
3389
+=head2 Supported controls
3390
+
3391
+The supported controls are:
3392
+
3393
+=over 4
3394
+
3395
+=item B<EVP_KDF_CTRL_SET_PASS>
3396
+
3397
+=item B<EVP_KDF_CTRL_SET_SALT>
3398
+
3399
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
3400
+
3401
+=item B<EVP_KDF_CTRL_SET_SCRYPT_N>
3402
+
3403
+=item B<EVP_KDF_CTRL_SET_SCRYPT_R>
3404
+
3405
+=item B<EVP_KDF_CTRL_SET_SCRYPT_P>
3406
+
3407
+B<EVP_KDF_CTRL_SET_SCRYPT_N> expects one argument: C<uint64_t N>
3408
+
3409
+B<EVP_KDF_CTRL_SET_SCRYPT_R> expects one argument: C<uint32_t r>
3410
+
3411
+B<EVP_KDF_CTRL_SET_SCRYPT_P> expects one argument: C<uint32_t p>
3412
+
3413
+These controls configure the scrypt work factors N, r and p.
3414
+
3415
+EVP_KDF_ctrl_str() type strings: "N", "r" and "p", respectively.
3416
+
3417
+The corresponding value strings are expected to be decimal numbers.
3418
+
3419
+=back
3420
+
3421
+=head1 NOTES
3422
+
3423
+A context for scrypt can be obtained by calling:
3424
+
3425
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
3426
+
3427
+The output length of an scrypt key derivation is specified via the
3428
+B<keylen> parameter to the L<EVP_KDF_derive(3)> function.
3429
+
3430
+=head1 EXAMPLE
3431
+
3432
+This example derives a 64-byte long test vector using scrypt with the password
3433
+"password", salt "NaCl" and N = 1024, r = 8, p = 16.
3434
+
3435
+ EVP_KDF_CTX *kctx;
3436
+ unsigned char out[64];
3437
+
3438
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
3439
+
3440
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
3441
+ error("EVP_KDF_CTRL_SET_PASS");
3442
+ }
3443
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
3444
+ error("EVP_KDF_CTRL_SET_SALT");
3445
+ }
3446
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
3447
+ error("EVP_KDF_CTRL_SET_SCRYPT_N");
3448
+ }
3449
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
3450
+ error("EVP_KDF_CTRL_SET_SCRYPT_R");
3451
+ }
3452
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
3453
+ error("EVP_KDF_CTRL_SET_SCRYPT_P");
3454
+ }
3455
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
3456
+ error("EVP_KDF_derive");
3457
+ }
3458
+
3459
+ {
3460
+ const unsigned char expected[sizeof(out)] = {
3461
+ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
3462
+ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
3463
+ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
3464
+ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
3465
+ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
3466
+ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
3467
+ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
3468
+ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
3469
+ };
3470
+
3471
+ assert(!memcmp(out, expected, sizeof(out)));
3472
+ }
3473
+
3474
+ EVP_KDF_CTX_free(kctx);
3475
+
3476
+=head1 CONFORMING TO
3477
+
3478
+RFC 7914
3479
+
3480
+=head1 SEE ALSO
3481
+
3482
+L<EVP_KDF_CTX>,
3483
+L<EVP_KDF_CTX_new_id(3)>,
3484
+L<EVP_KDF_CTX_free(3)>,
3485
+L<EVP_KDF_ctrl(3)>,
3486
+L<EVP_KDF_derive(3)>,
3487
+L<EVP_KDF_CTX(3)/CONTROLS>
3488
+
3489
+=head1 COPYRIGHT
3490
+
3491
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
3492
+
3493
+Licensed under the OpenSSL license (the "License"). You may not use
3494
+this file except in compliance with the License. You can obtain a copy
3495
+in the file LICENSE in the source distribution or at
3496
+L<https://www.openssl.org/source/license.html>.
3497
+
3498
+=cut
3499
Index: openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod
3500
===================================================================
3501
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
3502
+++ openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod 2020-01-23 13:45:11.472634451 +0100
3503
3504
+=pod
3505
+
3506
+=head1 NAME
3507
+
3508
+EVP_KDF_TLS1_PRF - The TLS1 PRF EVP_KDF implementation
3509
+
3510
+=head1 DESCRIPTION
3511
+
3512
+Support for computing the B<TLS1> PRF through the B<EVP_KDF> API.
3513
+
3514
+The EVP_KDF_TLS1_PRF algorithm implements the PRF used by TLS versions up to
3515
+and including TLS 1.2.
3516
+
3517
+=head2 Numeric identity
3518
+
3519
+B<EVP_KDF_TLS1_PRF> is the numeric identity for this implementation; it
3520
+can be used with the EVP_KDF_CTX_new_id() function.
3521
+
3522
+=head2 Supported controls
3523
+
3524
+The supported controls are:
3525
+
3526
+=over 4
3527
+
3528
+=item B<EVP_KDF_CTRL_SET_MD>
3529
+
3530
+This control works as described in L<EVP_KDF_CTX(3)/CONTROLS>.
3531
+
3532
+The C<EVP_KDF_CTRL_SET_MD> control is used to set the message digest associated
3533
+with the TLS PRF. EVP_md5_sha1() is treated as a special case which uses the
3534
+PRF algorithm using both B<MD5> and B<SHA1> as used in TLS 1.0 and 1.1.
3535
+
3536
+=item B<EVP_KDF_CTRL_SET_TLS_SECRET>
3537
+
3538
+This control expects two arguments: C<unsigned char *sec>, C<size_t seclen>
3539
+
3540
+Sets the secret value of the TLS PRF to B<seclen> bytes of the buffer B<sec>.
3541
+Any existing secret value is replaced.
3542
+
3543
+EVP_KDF_ctrl_str() takes two type strings for this control:
3544
+
3545
+=over 4
3546
+
3547
+=item "secret"
3548
+
3549
+The value string is used as is.
3550
+
3551
+=item "hexsecret"
3552
+
3553
+The value string is expected to be a hexadecimal number, which will be
3554
+decoded before being passed on as the control value.
3555
+
3556
+=back
3557
+
3558
+=item B<EVP_KDF_CTRL_RESET_TLS_SEED>
3559
+
3560
+This control does not expect any arguments.
3561
+
3562
+Resets the context seed buffer to zero length.
3563
+
3564
+=item B<EVP_KDF_CTRL_ADD_TLS_SEED>
3565
+
3566
+This control expects two arguments: C<unsigned char *seed>, C<size_t seedlen>
3567
+
3568
+Sets the seed to B<seedlen> bytes of B<seed>. If a seed is already set it is
3569
+appended to the existing value.
3570
+
3571
+The total length of the context seed buffer cannot exceed 1024 bytes;
3572
+this should be more than enough for any normal use of the TLS PRF.
3573
+
3574
+EVP_KDF_ctrl_str() takes two type strings for this control:
3575
+
3576
+=over 4
3577
+
3578
+=item "seed"
3579
+
3580
+The value string is used as is.
3581
+
3582
+=item "hexseed"
3583
+
3584
+The value string is expected to be a hexadecimal number, which will be
3585
+decoded before being passed on as the control value.
3586
+
3587
+=back
3588
+
3589
+=back
3590
+
3591
+=head1 NOTES
3592
+
3593
+A context for the TLS PRF can be obtained by calling:
3594
+
3595
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF, NULL);
3596
+
3597
+The digest, secret value and seed must be set before a key is derived otherwise
3598
+an error will occur.
3599
+
3600
+The output length of the PRF is specified by the C<keylen> parameter to the
3601
+EVP_KDF_derive() function.
3602
+
3603
+=head1 EXAMPLE
3604
+
3605
+This example derives 10 bytes using SHA-256 with the secret key "secret"
3606
+and seed value "seed":
3607
+
3608
+ EVP_KDF_CTX *kctx;
3609
+ unsigned char out[10];
3610
+
3611
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF);
3612
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
3613
+ error("EVP_KDF_CTRL_SET_MD");
3614
+ }
3615
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
3616
+ "secret", (size_t)6) <= 0) {
3617
+ error("EVP_KDF_CTRL_SET_TLS_SECRET");
3618
+ }
3619
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
3620
+ error("EVP_KDF_CTRL_ADD_TLS_SEED");
3621
+ }
3622
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
3623
+ error("EVP_KDF_derive");
3624
+ }
3625
+ EVP_KDF_CTX_free(kctx);
3626
+
3627
+=head1 SEE ALSO
3628
+
3629
+L<EVP_KDF_CTX>,
3630
+L<EVP_KDF_CTX_new_id(3)>,
3631
+L<EVP_KDF_CTX_free(3)>,
3632
+L<EVP_KDF_ctrl(3)>,
3633
+L<EVP_KDF_derive(3)>,
3634
+L<EVP_KDF_CTX(3)/CONTROLS>
3635
+
3636
+=head1 COPYRIGHT
3637
+
3638
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3639
+
3640
+Licensed under the Apache License 2.0 (the "License"). You may not use
3641
+this file except in compliance with the License. You can obtain a copy
3642
+in the file LICENSE in the source distribution or at
3643
+L<https://www.openssl.org/source/license.html>.
3644
+
3645
+=cut
3646
Index: openssl-1.1.1d/include/openssl/evperr.h
3647
===================================================================
3648
--- openssl-1.1.1d.orig/include/openssl/evperr.h 2020-01-23 13:45:11.344633691 +0100
3649
+++ openssl-1.1.1d/include/openssl/evperr.h 2020-01-23 13:45:11.472634451 +0100
3650
3651
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
3652
# define EVP_F_EVP_ENCRYPTFINAL_EX 127
3653
# define EVP_F_EVP_ENCRYPTUPDATE 167
3654
+# define EVP_F_EVP_KDF_CTRL 224
3655
+# define EVP_F_EVP_KDF_CTRL_STR 225
3656
+# define EVP_F_EVP_KDF_CTX_NEW_ID 226
3657
# define EVP_F_EVP_MD_CTX_COPY_EX 110
3658
# define EVP_F_EVP_MD_SIZE 162
3659
# define EVP_F_EVP_OPENINIT 102
3660
3661
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
3662
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
3663
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
3664
+# define EVP_F_PKEY_KDF_CTRL 227
3665
# define EVP_F_PKEY_SET_TYPE 158
3666
# define EVP_F_RC2_MAGIC_TO_METH 109
3667
# define EVP_F_RC5_CTRL 125
3668
# define EVP_F_R_32_12_16_INIT_KEY 242
3669
# define EVP_F_S390X_AES_GCM_CTRL 201
3670
+# define EVP_F_SCRYPT_ALG 228
3671
# define EVP_F_UPDATE 173
3672
3673
/*
3674
3675
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
3676
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
3677
# define EVP_R_OPERATON_NOT_INITIALIZED 151
3678
+# define EVP_R_PARAMETER_TOO_LARGE 187
3679
# define EVP_R_PARTIALLY_OVERLAPPING 162
3680
# define EVP_R_PBKDF2_ERROR 181
3681
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
3682
Index: openssl-1.1.1d/include/openssl/kdferr.h
3683
===================================================================
3684
--- openssl-1.1.1d.orig/include/openssl/kdferr.h 2019-09-10 15:13:07.000000000 +0200
3685
+++ openssl-1.1.1d/include/openssl/kdferr.h 2020-01-23 13:45:31.704754695 +0100
3686
3687
/*
3688
* KDF function codes.
3689
*/
3690
+# define KDF_F_HKDF_EXTRACT 112
3691
+# define KDF_F_KDF_HKDF_DERIVE 113
3692
+# define KDF_F_KDF_HKDF_NEW 114
3693
+# define KDF_F_KDF_HKDF_SIZE 115
3694
+# define KDF_F_KDF_MD2CTRL 116
3695
+# define KDF_F_KDF_PBKDF2_CTRL_STR 117
3696
+# define KDF_F_KDF_PBKDF2_DERIVE 118
3697
+# define KDF_F_KDF_PBKDF2_NEW 119
3698
+# define KDF_F_KDF_SCRYPT_CTRL_STR 120
3699
+# define KDF_F_KDF_SCRYPT_CTRL_UINT32 121
3700
+# define KDF_F_KDF_SCRYPT_CTRL_UINT64 122
3701
+# define KDF_F_KDF_SCRYPT_DERIVE 123
3702
+# define KDF_F_KDF_SCRYPT_NEW 124
3703
+# define KDF_F_KDF_TLS1_PRF_CTRL_STR 125
3704
+# define KDF_F_KDF_TLS1_PRF_DERIVE 126
3705
+# define KDF_F_KDF_TLS1_PRF_NEW 127
3706
+# define KDF_F_PBKDF2_SET_MEMBUF 128
3707
# define KDF_F_PKEY_HKDF_CTRL_STR 103
3708
# define KDF_F_PKEY_HKDF_DERIVE 102
3709
# define KDF_F_PKEY_HKDF_INIT 108
3710
3711
# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100
3712
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101
3713
# define KDF_F_PKEY_TLS1_PRF_INIT 110
3714
+# define KDF_F_SCRYPT_SET_MEMBUF 129
3715
# define KDF_F_TLS1_PRF_ALG 111
3716
3717
/*
3718
3719
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
3720
# define KDF_R_VALUE_ERROR 108
3721
# define KDF_R_VALUE_MISSING 102
3722
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
3723
3724
#endif
3725
Index: openssl-1.1.1d/include/openssl/kdf.h
3726
===================================================================
3727
--- openssl-1.1.1d.orig/include/openssl/kdf.h 2019-09-10 15:13:07.000000000 +0200
3728
+++ openssl-1.1.1d/include/openssl/kdf.h 2020-01-23 13:45:31.704754695 +0100
3729
3730
#ifndef HEADER_KDF_H
3731
# define HEADER_KDF_H
3732
3733
+# include <openssl/ossl_typ.h>
3734
# include <openssl/kdferr.h>
3735
-#ifdef __cplusplus
3736
+# ifdef __cplusplus
3737
extern "C" {
3738
-#endif
3739
+# endif
3740
+
3741
+# define EVP_KDF_PBKDF2 NID_id_pbkdf2
3742
+# define EVP_KDF_SCRYPT NID_id_scrypt
3743
+# define EVP_KDF_TLS1_PRF NID_tls1_prf
3744
+# define EVP_KDF_HKDF NID_hkdf
3745
+
3746
+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
3747
+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
3748
+
3749
+void EVP_KDF_reset(EVP_KDF_CTX *ctx);
3750
+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);
3751
+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);
3752
+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);
3753
+size_t EVP_KDF_size(EVP_KDF_CTX *ctx);
3754
+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);
3755
+
3756
+
3757
+# define EVP_KDF_CTRL_SET_PASS 0x01 /* unsigned char *, size_t */
3758
+# define EVP_KDF_CTRL_SET_SALT 0x02 /* unsigned char *, size_t */
3759
+# define EVP_KDF_CTRL_SET_ITER 0x03 /* int */
3760
+# define EVP_KDF_CTRL_SET_MD 0x04 /* EVP_MD * */
3761
+# define EVP_KDF_CTRL_SET_KEY 0x05 /* unsigned char *, size_t */
3762
+# define EVP_KDF_CTRL_SET_MAXMEM_BYTES 0x06 /* uint64_t */
3763
+# define EVP_KDF_CTRL_SET_TLS_SECRET 0x07 /* unsigned char *, size_t */
3764
+# define EVP_KDF_CTRL_RESET_TLS_SEED 0x08
3765
+# define EVP_KDF_CTRL_ADD_TLS_SEED 0x09 /* unsigned char *, size_t */
3766
+# define EVP_KDF_CTRL_RESET_HKDF_INFO 0x0a
3767
+# define EVP_KDF_CTRL_ADD_HKDF_INFO 0x0b /* unsigned char *, size_t */
3768
+# define EVP_KDF_CTRL_SET_HKDF_MODE 0x0c /* int */
3769
+# define EVP_KDF_CTRL_SET_SCRYPT_N 0x0d /* uint64_t */
3770
+# define EVP_KDF_CTRL_SET_SCRYPT_R 0x0e /* uint32_t */
3771
+# define EVP_KDF_CTRL_SET_SCRYPT_P 0x0f /* uint32_t */
3772
+
3773
+# define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0
3774
+# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
3775
+# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
3776
+
3777
+
3778
+/**** The legacy PKEY-based KDF API follows. ****/
3779
3780
# define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)
3781
# define EVP_PKEY_CTRL_TLS_SECRET (EVP_PKEY_ALG_CTRL + 1)
3782
3783
# define EVP_PKEY_CTRL_SCRYPT_P (EVP_PKEY_ALG_CTRL + 12)
3784
# define EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES (EVP_PKEY_ALG_CTRL + 13)
3785
3786
-# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0
3787
-# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 1
3788
-# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 2
3789
+# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND \
3790
+ EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
3791
+# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY \
3792
+ EVP_KDF_HKDF_MODE_EXTRACT_ONLY
3793
+# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY \
3794
+ EVP_KDF_HKDF_MODE_EXPAND_ONLY
3795
3796
# define EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) \
3797
EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \
3798
3799
EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, maxmem_bytes)
3800
3801
3802
-# ifdef __cplusplus
3803
+# ifdef __cplusplus
3804
}
3805
# endif
3806
#endif
3807
Index: openssl-1.1.1d/include/openssl/ossl_typ.h
3808
===================================================================
3809
--- openssl-1.1.1d.orig/include/openssl/ossl_typ.h 2019-09-10 15:13:07.000000000 +0200
3810
+++ openssl-1.1.1d/include/openssl/ossl_typ.h 2020-01-23 13:45:11.472634451 +0100
3811
3812
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
3813
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
3814
3815
+typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
3816
+
3817
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
3818
3819
typedef struct hmac_ctx_st HMAC_CTX;
3820
Index: openssl-1.1.1d/test/build.info
3821
===================================================================
3822
--- openssl-1.1.1d.orig/test/build.info 2019-09-10 15:13:07.000000000 +0200
3823
+++ openssl-1.1.1d/test/build.info 2020-01-23 13:45:11.472634451 +0100
3824
3825
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
3826
bio_callback_test bio_memleak_test \
3827
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
3828
- pkey_meth_test pkey_meth_kdf_test uitest cipherbytes_test \
3829
+ pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \
3830
+ cipherbytes_test \
3831
asn1_encode_test asn1_decode_test asn1_string_table_test \
3832
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
3833
recordlentest drbgtest sslbuffertest \
3834
3835
INCLUDE[pkey_meth_kdf_test]=../include
3836
DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
3837
3838
+ SOURCE[evp_kdf_test]=evp_kdf_test.c
3839
+ INCLUDE[evp_kdf_test]=../include
3840
+ DEPEND[evp_kdf_test]=../libcrypto libtestutil.a
3841
+
3842
SOURCE[x509_time_test]=x509_time_test.c
3843
INCLUDE[x509_time_test]=../include
3844
DEPEND[x509_time_test]=../libcrypto libtestutil.a
3845
Index: openssl-1.1.1d/test/evp_kdf_test.c
3846
===================================================================
3847
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
3848
+++ openssl-1.1.1d/test/evp_kdf_test.c 2020-01-23 13:45:11.472634451 +0100
3849
3850
+/*
3851
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
3852
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
3853
+ *
3854
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
3855
+ * this file except in compliance with the License. You can obtain a copy
3856
+ * in the file LICENSE in the source distribution or at
3857
+ * https://www.openssl.org/source/license.html
3858
+ */
3859
+
3860
+/* Tests of the EVP_KDF_CTX APIs */
3861
+
3862
+#include <stdio.h>
3863
+#include <string.h>
3864
+
3865
+#include <openssl/evp.h>
3866
+#include <openssl/kdf.h>
3867
+#include "testutil.h"
3868
+
3869
+static int test_kdf_tls1_prf(void)
3870
+{
3871
+ int ret = 0;
3872
+ EVP_KDF_CTX *kctx;
3873
+ unsigned char out[16];
3874
+
3875
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {
3876
+ TEST_error("EVP_KDF_TLS1_PRF");
3877
+ goto err;
3878
+ }
3879
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
3880
+ TEST_error("EVP_KDF_CTRL_SET_MD");
3881
+ goto err;
3882
+ }
3883
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
3884
+ "secret", (size_t)6) <= 0) {
3885
+ TEST_error("EVP_KDF_CTRL_SET_TLS_SECRET");
3886
+ goto err;
3887
+ }
3888
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
3889
+ TEST_error("EVP_KDF_CTRL_ADD_TLS_SEED");
3890
+ goto err;
3891
+ }
3892
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
3893
+ TEST_error("EVP_KDF_derive");
3894
+ goto err;
3895
+ }
3896
+
3897
+ {
3898
+ const unsigned char expected[sizeof(out)] = {
3899
+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
3900
+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
3901
+ };
3902
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
3903
+ goto err;
3904
+ }
3905
+ }
3906
+ ret = 1;
3907
+err:
3908
+ EVP_KDF_CTX_free(kctx);
3909
+ return ret;
3910
+}
3911
+
3912
+static int test_kdf_hkdf(void)
3913
+{
3914
+ int ret = 0;
3915
+ EVP_KDF_CTX *kctx;
3916
+ unsigned char out[10];
3917
+
3918
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
3919
+ TEST_error("EVP_KDF_HKDF");
3920
+ goto err;
3921
+ }
3922
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
3923
+ TEST_error("EVP_KDF_CTRL_SET_MD");
3924
+ goto err;
3925
+ }
3926
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
3927
+ TEST_error("EVP_KDF_CTRL_SET_SALT");
3928
+ goto err;
3929
+ }
3930
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
3931
+ TEST_error("EVP_KDF_CTRL_SET_KEY");
3932
+ goto err;
3933
+ }
3934
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
3935
+ "label", (size_t)5) <= 0) {
3936
+ TEST_error("EVP_KDF_CTRL_ADD_HKDF_INFO");
3937
+ goto err;
3938
+ }
3939
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
3940
+ TEST_error("EVP_KDF_derive");
3941
+ goto err;
3942
+ }
3943
+
3944
+ {
3945
+ const unsigned char expected[sizeof(out)] = {
3946
+ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
3947
+ };
3948
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
3949
+ goto err;
3950
+ }
3951
+ }
3952
+ ret = 1;
3953
+err:
3954
+ EVP_KDF_CTX_free(kctx);
3955
+ return ret;
3956
+}
3957
+
3958
+static int test_kdf_pbkdf2(void)
3959
+{
3960
+ int ret = 0;
3961
+ EVP_KDF_CTX *kctx;
3962
+ unsigned char out[32];
3963
+
3964
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
3965
+ TEST_error("EVP_KDF_PBKDF2");
3966
+ goto err;
3967
+ }
3968
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
3969
+ TEST_error("EVP_KDF_CTRL_SET_PASS");
3970
+ goto err;
3971
+ }
3972
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
3973
+ TEST_error("EVP_KDF_CTRL_SET_SALT");
3974
+ goto err;
3975
+ }
3976
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
3977
+ TEST_error("EVP_KDF_CTRL_SET_ITER");
3978
+ goto err;
3979
+ }
3980
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
3981
+ TEST_error("EVP_KDF_CTRL_SET_MD");
3982
+ goto err;
3983
+ }
3984
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
3985
+ TEST_error("EVP_KDF_derive");
3986
+ goto err;
3987
+ }
3988
+
3989
+ {
3990
+ const unsigned char expected[sizeof(out)] = {
3991
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
3992
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
3993
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
3994
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
3995
+ };
3996
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
3997
+ goto err;
3998
+ }
3999
+ }
4000
+ ret = 1;
4001
+err:
4002
+ EVP_KDF_CTX_free(kctx);
4003
+ return ret;
4004
+}
4005
+
4006
+#ifndef OPENSSL_NO_SCRYPT
4007
+static int test_kdf_scrypt(void)
4008
+{
4009
+ int ret = 0;
4010
+ EVP_KDF_CTX *kctx;
4011
+ unsigned char out[64];
4012
+
4013
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT)) == NULL) {
4014
+ TEST_error("EVP_KDF_SCRYPT");
4015
+ goto err;
4016
+ }
4017
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
4018
+ TEST_error("EVP_KDF_CTRL_SET_PASS");
4019
+ goto err;
4020
+ }
4021
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
4022
+ TEST_error("EVP_KDF_CTRL_SET_SALT");
4023
+ goto err;
4024
+ }
4025
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
4026
+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_N");
4027
+ goto err;
4028
+ }
4029
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
4030
+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_R");
4031
+ goto err;
4032
+ }
4033
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
4034
+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_P");
4035
+ goto err;
4036
+ }
4037
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, (uint64_t)16) <= 0) {
4038
+ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");
4039
+ goto err;
4040
+ }
4041
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) > 0) {
4042
+ TEST_error("EVP_KDF_derive should have failed");
4043
+ goto err;
4044
+ }
4045
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
4046
+ (uint64_t)(10 * 1024 * 1024)) <= 0) {
4047
+ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");
4048
+ goto err;
4049
+ }
4050
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
4051
+ TEST_error("EVP_KDF_derive");
4052
+ goto err;
4053
+ }
4054
+
4055
+ {
4056
+ const unsigned char expected[sizeof(out)] = {
4057
+ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
4058
+ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
4059
+ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
4060
+ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
4061
+ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
4062
+ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
4063
+ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
4064
+ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
4065
+ };
4066
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
4067
+ goto err;
4068
+ }
4069
+ }
4070
+ ret = 1;
4071
+err:
4072
+ EVP_KDF_CTX_free(kctx);
4073
+ return ret;
4074
+}
4075
+#endif
4076
+
4077
+int setup_tests(void)
4078
+{
4079
+ ADD_TEST(test_kdf_tls1_prf);
4080
+ ADD_TEST(test_kdf_hkdf);
4081
+ ADD_TEST(test_kdf_pbkdf2);
4082
+#ifndef OPENSSL_NO_SCRYPT
4083
+ ADD_TEST(test_kdf_scrypt);
4084
+#endif
4085
+ return 1;
4086
+}
4087
Index: openssl-1.1.1d/test/evp_test.c
4088
===================================================================
4089
--- openssl-1.1.1d.orig/test/evp_test.c 2019-09-10 15:13:07.000000000 +0200
4090
+++ openssl-1.1.1d/test/evp_test.c 2020-01-23 13:45:11.472634451 +0100
4091
4092
encode_test_run,
4093
};
4094
4095
+
4096
/**
4097
*** KDF TESTS
4098
**/
4099
4100
typedef struct kdf_data_st {
4101
/* Context for this operation */
4102
- EVP_PKEY_CTX *ctx;
4103
+ EVP_KDF_CTX *ctx;
4104
/* Expected output */
4105
unsigned char *output;
4106
size_t output_len;
4107
4108
4109
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
4110
return 0;
4111
- kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
4112
+ kdata->ctx = EVP_KDF_CTX_new_id(kdf_nid);
4113
if (kdata->ctx == NULL) {
4114
OPENSSL_free(kdata);
4115
return 0;
4116
}
4117
- if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {
4118
- EVP_PKEY_CTX_free(kdata->ctx);
4119
- OPENSSL_free(kdata);
4120
- return 0;
4121
- }
4122
t->data = kdata;
4123
return 1;
4124
}
4125
4126
{
4127
KDF_DATA *kdata = t->data;
4128
OPENSSL_free(kdata->output);
4129
- EVP_PKEY_CTX_free(kdata->ctx);
4130
+ EVP_KDF_CTX_free(kdata->ctx);
4131
+}
4132
+
4133
+static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx,
4134
+ const char *value)
4135
+{
4136
+ int rv;
4137
+ char *p, *tmpval;
4138
+
4139
+ if (!TEST_ptr(tmpval = OPENSSL_strdup(value)))
4140
+ return 0;
4141
+ p = strchr(tmpval, ':');
4142
+ if (p != NULL)
4143
+ *p++ = '\0';
4144
+ rv = EVP_KDF_ctrl_str(kctx, tmpval, p);
4145
+ if (rv == -2) {
4146
+ t->err = "KDF_CTRL_INVALID";
4147
+ rv = 1;
4148
+ } else if (p != NULL && rv <= 0) {
4149
+ /* If p has an OID and lookup fails assume disabled algorithm */
4150
+ int nid = OBJ_sn2nid(p);
4151
+
4152
+ if (nid == NID_undef)
4153
+ nid = OBJ_ln2nid(p);
4154
+ if (nid != NID_undef
4155
+ && EVP_get_digestbynid(nid) == NULL
4156
+ && EVP_get_cipherbynid(nid) == NULL) {
4157
+ t->skip = 1;
4158
+ rv = 1;
4159
+ } else {
4160
+ t->err = "KDF_CTRL_ERROR";
4161
+ rv = 1;
4162
+ }
4163
+ }
4164
+ OPENSSL_free(tmpval);
4165
+ return rv > 0;
4166
}
4167
4168
static int kdf_test_parse(EVP_TEST *t,
4169
4170
if (strcmp(keyword, "Output") == 0)
4171
return parse_bin(value, &kdata->output, &kdata->output_len);
4172
if (strncmp(keyword, "Ctrl", 4) == 0)
4173
- return pkey_test_ctrl(t, kdata->ctx, value);
4174
+ return kdf_test_ctrl(t, kdata->ctx, value);
4175
return 0;
4176
}
4177
4178
4179
t->err = "INTERNAL_ERROR";
4180
goto err;
4181
}
4182
- if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {
4183
+ if (EVP_KDF_derive(expected->ctx, got, got_len) <= 0) {
4184
t->err = "KDF_DERIVE_ERROR";
4185
goto err;
4186
}
4187
4188
4189
4190
/**
4191
+*** PKEY KDF TESTS
4192
+**/
4193
+
4194
+typedef struct pkey_kdf_data_st {
4195
+ /* Context for this operation */
4196
+ EVP_PKEY_CTX *ctx;
4197
+ /* Expected output */
4198
+ unsigned char *output;
4199
+ size_t output_len;
4200
+} PKEY_KDF_DATA;
4201
+
4202
+/*
4203
+ * Perform public key operation setup: lookup key, allocated ctx and call
4204
+ * the appropriate initialisation function
4205
+ */
4206
+static int pkey_kdf_test_init(EVP_TEST *t, const char *name)
4207
+{
4208
+ PKEY_KDF_DATA *kdata;
4209
+ int kdf_nid = OBJ_sn2nid(name);
4210
+
4211
+#ifdef OPENSSL_NO_SCRYPT
4212
+ if (strcmp(name, "scrypt") == 0) {
4213
+ t->skip = 1;
4214
+ return 1;
4215
+ }
4216
+#endif
4217
+
4218
+ if (kdf_nid == NID_undef)
4219
+ kdf_nid = OBJ_ln2nid(name);
4220
+
4221
+ if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
4222
+ return 0;
4223
+ kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
4224
+ if (kdata->ctx == NULL) {
4225
+ OPENSSL_free(kdata);
4226
+ return 0;
4227
+ }
4228
+ if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {
4229
+ EVP_PKEY_CTX_free(kdata->ctx);
4230
+ OPENSSL_free(kdata);
4231
+ return 0;
4232
+ }
4233
+ t->data = kdata;
4234
+ return 1;
4235
+}
4236
+
4237
+static void pkey_kdf_test_cleanup(EVP_TEST *t)
4238
+{
4239
+ PKEY_KDF_DATA *kdata = t->data;
4240
+ OPENSSL_free(kdata->output);
4241
+ EVP_PKEY_CTX_free(kdata->ctx);
4242
+}
4243
+
4244
+static int pkey_kdf_test_parse(EVP_TEST *t,
4245
+ const char *keyword, const char *value)
4246
+{
4247
+ PKEY_KDF_DATA *kdata = t->data;
4248
+
4249
+ if (strcmp(keyword, "Output") == 0)
4250
+ return parse_bin(value, &kdata->output, &kdata->output_len);
4251
+ if (strncmp(keyword, "Ctrl", 4) == 0)
4252
+ return pkey_test_ctrl(t, kdata->ctx, value);
4253
+ return 0;
4254
+}
4255
+
4256
+static int pkey_kdf_test_run(EVP_TEST *t)
4257
+{
4258
+ PKEY_KDF_DATA *expected = t->data;
4259
+ unsigned char *got = NULL;
4260
+ size_t got_len = expected->output_len;
4261
+
4262
+ if (!TEST_ptr(got = OPENSSL_malloc(got_len))) {
4263
+ t->err = "INTERNAL_ERROR";
4264
+ goto err;
4265
+ }
4266
+ if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {
4267
+ t->err = "KDF_DERIVE_ERROR";
4268
+ goto err;
4269
+ }
4270
+ if (!TEST_mem_eq(expected->output, expected->output_len, got, got_len)) {
4271
+ t->err = "KDF_MISMATCH";
4272
+ goto err;
4273
+ }
4274
+ t->err = NULL;
4275
+
4276
+ err:
4277
+ OPENSSL_free(got);
4278
+ return 1;
4279
+}
4280
+
4281
+static const EVP_TEST_METHOD pkey_kdf_test_method = {
4282
+ "PKEYKDF",
4283
+ pkey_kdf_test_init,
4284
+ pkey_kdf_test_cleanup,
4285
+ pkey_kdf_test_parse,
4286
+ pkey_kdf_test_run
4287
+};
4288
+
4289
+
4290
+/**
4291
*** KEYPAIR TESTS
4292
**/
4293
4294
4295
&digestverify_test_method,
4296
&encode_test_method,
4297
&kdf_test_method,
4298
+ &pkey_kdf_test_method,
4299
&keypair_test_method,
4300
&keygen_test_method,
4301
&mac_test_method,
4302
Index: openssl-1.1.1d/test/pkey_meth_kdf_test.c
4303
===================================================================
4304
--- openssl-1.1.1d.orig/test/pkey_meth_kdf_test.c 2019-09-10 15:13:07.000000000 +0200
4305
+++ openssl-1.1.1d/test/pkey_meth_kdf_test.c 2020-01-23 13:45:11.472634451 +0100
4306
4307
/*
4308
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
4309
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
4310
*
4311
* Licensed under the OpenSSL license (the "License"). You may not use
4312
* this file except in compliance with the License. You can obtain a copy
4313
4314
4315
static int test_kdf_tls1_prf(void)
4316
{
4317
+ int ret = 0;
4318
EVP_PKEY_CTX *pctx;
4319
unsigned char out[16];
4320
size_t outlen = sizeof(out);
4321
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
4322
4323
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL)) == NULL) {
4324
+ TEST_error("EVP_PKEY_TLS1_PRF");
4325
+ goto err;
4326
+ }
4327
if (EVP_PKEY_derive_init(pctx) <= 0) {
4328
TEST_error("EVP_PKEY_derive_init");
4329
- return 0;
4330
+ goto err;
4331
}
4332
if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0) {
4333
TEST_error("EVP_PKEY_CTX_set_tls1_prf_md");
4334
- return 0;
4335
+ goto err;
4336
}
4337
if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0) {
4338
TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
4339
- return 0;
4340
+ goto err;
4341
}
4342
if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0) {
4343
TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
4344
- return 0;
4345
+ goto err;
4346
}
4347
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
4348
TEST_error("EVP_PKEY_derive");
4349
- return 0;
4350
+ goto err;
4351
}
4352
4353
{
4354
4355
0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
4356
};
4357
if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
4358
- return 0;
4359
+ goto err;
4360
}
4361
}
4362
+ ret = 1;
4363
+err:
4364
EVP_PKEY_CTX_free(pctx);
4365
- return 1;
4366
+ return ret;
4367
}
4368
4369
static int test_kdf_hkdf(void)
4370
{
4371
+ int ret = 0;
4372
EVP_PKEY_CTX *pctx;
4373
unsigned char out[10];
4374
size_t outlen = sizeof(out);
4375
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
4376
4377
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) {
4378
+ TEST_error("EVP_PKEY_HKDF");
4379
+ goto err;
4380
+ }
4381
if (EVP_PKEY_derive_init(pctx) <= 0) {
4382
TEST_error("EVP_PKEY_derive_init");
4383
- return 0;
4384
+ goto err;
4385
}
4386
if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) {
4387
TEST_error("EVP_PKEY_CTX_set_hkdf_md");
4388
- return 0;
4389
+ goto err;
4390
}
4391
if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) {
4392
TEST_error("EVP_PKEY_CTX_set1_hkdf_salt");
4393
- return 0;
4394
+ goto err;
4395
}
4396
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) {
4397
TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
4398
- return 0;
4399
+ goto err;
4400
}
4401
if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) {
4402
TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
4403
- return 0;
4404
+ goto err;
4405
}
4406
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
4407
TEST_error("EVP_PKEY_derive");
4408
- return 0;
4409
+ goto err;
4410
}
4411
4412
{
4413
4414
0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
4415
};
4416
if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
4417
- return 0;
4418
+ goto err;
4419
}
4420
}
4421
+ ret = 1;
4422
+err:
4423
EVP_PKEY_CTX_free(pctx);
4424
- return 1;
4425
+ return ret;
4426
}
4427
4428
#ifndef OPENSSL_NO_SCRYPT
4429
static int test_kdf_scrypt(void)
4430
{
4431
+ int ret = 0;
4432
EVP_PKEY_CTX *pctx;
4433
unsigned char out[64];
4434
size_t outlen = sizeof(out);
4435
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);
4436
4437
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL)) == NULL) {
4438
+ TEST_error("EVP_PKEY_SCRYPT");
4439
+ goto err;
4440
+ }
4441
if (EVP_PKEY_derive_init(pctx) <= 0) {
4442
TEST_error("EVP_PKEY_derive_init");
4443
- return 0;
4444
+ goto err;
4445
}
4446
if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) {
4447
TEST_error("EVP_PKEY_CTX_set1_pbe_pass");
4448
- return 0;
4449
+ goto err;
4450
}
4451
if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) {
4452
TEST_error("EVP_PKEY_CTX_set1_scrypt_salt");
4453
- return 0;
4454
+ goto err;
4455
}
4456
if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) {
4457
TEST_error("EVP_PKEY_CTX_set_scrypt_N");
4458
- return 0;
4459
+ goto err;
4460
}
4461
if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) {
4462
TEST_error("EVP_PKEY_CTX_set_scrypt_r");
4463
- return 0;
4464
+ goto err;
4465
}
4466
if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) {
4467
TEST_error("EVP_PKEY_CTX_set_scrypt_p");
4468
- return 0;
4469
+ goto err;
4470
}
4471
if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 16) <= 0) {
4472
TEST_error("EVP_PKEY_CTX_set_maxmem_bytes");
4473
- return 0;
4474
+ goto err;
4475
}
4476
if (EVP_PKEY_derive(pctx, out, &outlen) > 0) {
4477
TEST_error("EVP_PKEY_derive should have failed");
4478
- return 0;
4479
+ goto err;
4480
}
4481
if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 10 * 1024 * 1024) <= 0) {
4482
TEST_error("EVP_PKEY_CTX_set_maxmem_bytes");
4483
- return 0;
4484
+ goto err;
4485
}
4486
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
4487
TEST_error("EVP_PKEY_derive");
4488
- return 0;
4489
+ goto err;
4490
}
4491
4492
{
4493
4494
0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
4495
};
4496
if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
4497
- return 0;
4498
+ goto err;
4499
}
4500
}
4501
+ ret = 1;
4502
+err:
4503
EVP_PKEY_CTX_free(pctx);
4504
- return 1;
4505
+ return ret;
4506
}
4507
#endif
4508
4509
Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt
4510
===================================================================
4511
--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evpkdf.txt 2019-09-10 15:13:07.000000000 +0200
4512
+++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2020-01-23 13:45:31.704754695 +0100
4513
4514
#
4515
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
4516
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
4517
#
4518
# Licensed under the OpenSSL license (the "License"). You may not use
4519
# this file except in compliance with the License. You can obtain a copy
4520
4521
Title = TLS1 PRF tests (from NIST test vectors)
4522
4523
KDF=TLS1-PRF
4524
-Ctrl.md = md:MD5-SHA1
4525
+Ctrl.digest = digest:MD5-SHA1
4526
Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0
4527
Ctrl.label = seed:master secret
4528
Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693
4529
4530
Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
4531
4532
KDF=TLS1-PRF
4533
-Ctrl.md = md:MD5-SHA1
4534
+Ctrl.digest = digest:MD5-SHA1
4535
Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
4536
Ctrl.label = seed:key expansion
4537
Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be
4538
4539
Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d
4540
4541
KDF=TLS1-PRF
4542
-Ctrl.md = md:SHA256
4543
+Ctrl.digest = digest:SHA256
4544
Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
4545
Ctrl.label = seed:master secret
4546
Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
4547
4548
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
4549
4550
KDF=TLS1-PRF
4551
-Ctrl.md = md:SHA256
4552
+Ctrl.digest = digest:SHA256
4553
Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
4554
Ctrl.label = seed:key expansion
4555
Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
4556
4557
4558
# As above but use long name for KDF
4559
KDF=tls1-prf
4560
-Ctrl.md = md:SHA256
4561
+Ctrl.digest = digest:SHA256
4562
Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
4563
Ctrl.label = seed:key expansion
4564
Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
4565
4566
4567
# Missing secret.
4568
KDF=TLS1-PRF
4569
-Ctrl.md = md:MD5-SHA1
4570
+Ctrl.digest = digest:MD5-SHA1
4571
Ctrl.Seed = hexseed:02
4572
Output = 03
4573
Result = KDF_DERIVE_ERROR
4574
4575
Title = HKDF tests (from RFC5869 test vectors)
4576
4577
KDF = HKDF
4578
-Ctrl.md = md:SHA256
4579
+Ctrl.digest = digest:SHA256
4580
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4581
Ctrl.salt = hexsalt:000102030405060708090a0b0c
4582
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
4583
4584
4585
KDF = HKDF
4586
Ctrl.mode = mode:EXTRACT_ONLY
4587
-Ctrl.md = md:SHA256
4588
+Ctrl.digest = digest:SHA256
4589
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4590
Ctrl.salt = hexsalt:000102030405060708090a0b0c
4591
Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
4592
4593
KDF = HKDF
4594
Ctrl.mode = mode:EXPAND_ONLY
4595
-Ctrl.md = md:SHA256
4596
+Ctrl.digest = digest:SHA256
4597
Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
4598
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
4599
Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
4600
4601
KDF = HKDF
4602
-Ctrl.md = md:SHA256
4603
+Ctrl.digest = digest:SHA256
4604
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
4605
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
4606
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
4607
4608
4609
KDF = HKDF
4610
Ctrl.mode = mode:EXTRACT_ONLY
4611
-Ctrl.md = md:SHA256
4612
+Ctrl.digest = digest:SHA256
4613
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
4614
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
4615
Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
4616
4617
KDF = HKDF
4618
Ctrl.mode = mode:EXPAND_ONLY
4619
-Ctrl.md = md:SHA256
4620
+Ctrl.digest = digest:SHA256
4621
Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
4622
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
4623
Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87
4624
4625
KDF = HKDF
4626
-Ctrl.md = md:SHA256
4627
+Ctrl.digest = digest:SHA256
4628
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4629
Ctrl.salt = salt:
4630
Ctrl.info = info:
4631
4632
4633
KDF = HKDF
4634
Ctrl.mode = mode:EXTRACT_ONLY
4635
-Ctrl.md = md:SHA256
4636
+Ctrl.digest = digest:SHA256
4637
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4638
Ctrl.salt = salt:
4639
Ctrl.info = info:
4640
4641
4642
KDF = HKDF
4643
Ctrl.mode = mode:EXPAND_ONLY
4644
-Ctrl.md = md:SHA256
4645
+Ctrl.digest = digest:SHA256
4646
Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
4647
Ctrl.info = info:
4648
Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
4649
4650
KDF = HKDF
4651
-Ctrl.md = md:SHA1
4652
+Ctrl.digest = digest:SHA1
4653
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
4654
Ctrl.salt = hexsalt:000102030405060708090a0b0c
4655
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
4656
4657
4658
KDF = HKDF
4659
Ctrl.mode = mode:EXTRACT_ONLY
4660
-Ctrl.md = md:SHA1
4661
+Ctrl.digest = digest:SHA1
4662
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
4663
Ctrl.salt = hexsalt:000102030405060708090a0b0c
4664
Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
4665
4666
KDF = HKDF
4667
Ctrl.mode = mode:EXPAND_ONLY
4668
-Ctrl.md = md:SHA1
4669
+Ctrl.digest = digest:SHA1
4670
Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
4671
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
4672
Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
4673
4674
KDF = HKDF
4675
-Ctrl.md = md:SHA1
4676
+Ctrl.digest = digest:SHA1
4677
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
4678
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
4679
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
4680
4681
4682
KDF = HKDF
4683
Ctrl.mode = mode:EXTRACT_ONLY
4684
-Ctrl.md = md:SHA1
4685
+Ctrl.digest = digest:SHA1
4686
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
4687
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
4688
Output = 8adae09a2a307059478d309b26c4115a224cfaf6
4689
4690
KDF = HKDF
4691
Ctrl.mode = mode:EXPAND_ONLY
4692
-Ctrl.md = md:SHA1
4693
+Ctrl.digest = digest:SHA1
4694
Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6
4695
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
4696
Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
4697
4698
KDF = HKDF
4699
-Ctrl.md = md:SHA1
4700
+Ctrl.digest = digest:SHA1
4701
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4702
Ctrl.salt = salt:
4703
Ctrl.info = info:
4704
4705
4706
KDF = HKDF
4707
Ctrl.mode = mode:EXTRACT_ONLY
4708
-Ctrl.md = md:SHA1
4709
+Ctrl.digest = digest:SHA1
4710
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4711
Ctrl.salt = salt:
4712
Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
4713
4714
KDF = HKDF
4715
Ctrl.mode = mode:EXPAND_ONLY
4716
-Ctrl.md = md:SHA1
4717
+Ctrl.digest = digest:SHA1
4718
Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
4719
Ctrl.info = info:
4720
Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
4721
4722
KDF = HKDF
4723
-Ctrl.md = md:SHA1
4724
+Ctrl.digest = digest:SHA1
4725
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
4726
Ctrl.salt = salt:
4727
Ctrl.info = info:
4728
4729
4730
KDF = HKDF
4731
Ctrl.mode = mode:EXTRACT_ONLY
4732
-Ctrl.md = md:SHA1
4733
+Ctrl.digest = digest:SHA1
4734
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
4735
Ctrl.salt = salt:
4736
Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd
4737
4738
KDF = HKDF
4739
Ctrl.mode = mode:EXPAND_ONLY
4740
-Ctrl.md = md:SHA1
4741
+Ctrl.digest = digest:SHA1
4742
Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd
4743
Ctrl.info = info:
4744
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
4745
4746
Result = KDF_DERIVE_ERROR
4747
4748
KDF = HKDF
4749
-Ctrl.md = md:SHA1
4750
+Ctrl.digest = digest:SHA1
4751
Ctrl.salt = salt:
4752
Ctrl.info = info:
4753
Output = 00
4754
Result = KDF_DERIVE_ERROR
4755
4756
KDF = HKDF
4757
-Ctrl.md = md:SHA1
4758
+Ctrl.digest = digest:SHA1
4759
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
4760
Ctrl.info = info:
4761
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
4762
4763
KDF = HKDF
4764
-Ctrl.md = md:SHA1
4765
+Ctrl.digest = digest:SHA1
4766
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
4767
Ctrl.salt = salt:
4768
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
4769
4770
KDF = HKDF
4771
Ctrl.mode = mode:EXTRACT_AND_EXPAND
4772
-Ctrl.md = md:SHA1
4773
+Ctrl.digest = digest:SHA1
4774
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
4775
Ctrl.salt = salt:
4776
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
4777
4778
Ctrl.p = p:1
4779
Result = INTERNAL_ERROR
4780
4781
+Title = PBKDF2 tests
4782
+
4783
+KDF = PBKDF2
4784
+Ctrl.pass = pass:password
4785
+Ctrl.salt = salt:salt
4786
+Ctrl.iter = iter:1
4787
+Ctrl.digest = digest:sha1
4788
+Output = 0c60c80f961f0e71f3a9b524af6012062fe037a6
4789
+
4790
+KDF = PBKDF2
4791
+Ctrl.pass = pass:password
4792
+Ctrl.salt = salt:salt
4793
+Ctrl.iter = iter:1
4794
+Ctrl.digest = digest:sha256
4795
+Output = 120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b
4796
+
4797
+KDF = PBKDF2
4798
+Ctrl.pass = pass:password
4799
+Ctrl.salt = salt:salt
4800
+Ctrl.iter = iter:1
4801
+Ctrl.digest = digest:sha512
4802
+Output = 867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252c02d470a285a0501bad999bfe943c08f050235d7d68b1da55e63f73b60a57fce
4803
+
4804
+KDF = PBKDF2
4805
+Ctrl.pass = pass:password
4806
+Ctrl.salt = salt:salt
4807
+Ctrl.iter = iter:2
4808
+Ctrl.digest = digest:sha1
4809
+Output = ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957
4810
+
4811
+KDF = PBKDF2
4812
+Ctrl.pass = pass:password
4813
+Ctrl.salt = salt:salt
4814
+Ctrl.iter = iter:2
4815
+Ctrl.digest = digest:sha256
4816
+Output = ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43
4817
+
4818
+KDF = PBKDF2
4819
+Ctrl.pass = pass:password
4820
+Ctrl.salt = salt:salt
4821
+Ctrl.iter = iter:2
4822
+Ctrl.digest = digest:sha512
4823
+Output = e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f0040713f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82be67335c77a6068e04112754f27ccf4e
4824
+
4825
+KDF = PBKDF2
4826
+Ctrl.pass = pass:password
4827
+Ctrl.salt = salt:salt
4828
+Ctrl.iter = iter:4096
4829
+Ctrl.digest = digest:sha1
4830
+Output = 4b007901b765489abead49d926f721d065a429c1
4831
+
4832
+KDF = PBKDF2
4833
+Ctrl.pass = pass:password
4834
+Ctrl.salt = salt:salt
4835
+Ctrl.iter = iter:4096
4836
+Ctrl.digest = digest:sha256
4837
+Output = c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a
4838
+
4839
+KDF = PBKDF2
4840
+Ctrl.pass = pass:password
4841
+Ctrl.salt = salt:salt
4842
+Ctrl.iter = iter:4096
4843
+Ctrl.digest = digest:sha512
4844
+Output = d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5
4845
+
4846
+KDF = PBKDF2
4847
+Ctrl.pass = pass:passwordPASSWORDpassword
4848
+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt
4849
+Ctrl.iter = iter:4096
4850
+Ctrl.digest = digest:sha1
4851
+Output = 3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038
4852
+
4853
+KDF = PBKDF2
4854
+Ctrl.pass = pass:passwordPASSWORDpassword
4855
+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt
4856
+Ctrl.iter = iter:4096
4857
+Ctrl.digest = digest:sha256
4858
+Output = 348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9
4859
+
4860
+KDF = PBKDF2
4861
+Ctrl.pass = pass:passwordPASSWORDpassword
4862
+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt
4863
+Ctrl.iter = iter:4096
4864
+Ctrl.digest = digest:sha512
4865
+Output = 8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b868c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30225c583a186cd82bd4daea9724a3d3b8
4866
+
4867
+KDF = PBKDF2
4868
+Ctrl.hexpass = hexpass:7061737300776f7264
4869
+Ctrl.hexsalt = hexsalt:7361006c74
4870
+Ctrl.iter = iter:4096
4871
+Ctrl.digest = digest:sha1
4872
+Output = 56fa6aa75548099dcc37d7f03425e0c3
4873
+
4874
+KDF = PBKDF2
4875
+Ctrl.hexpass = hexpass:7061737300776f7264
4876
+Ctrl.hexsalt = hexsalt:7361006c74
4877
+Ctrl.iter = iter:4096
4878
+Ctrl.digest = digest:sha256
4879
+Output = 89b69d0516f829893c696226650a8687
4880
+
4881
+KDF = PBKDF2
4882
+Ctrl.hexpass = hexpass:7061737300776f7264
4883
+Ctrl.hexsalt = hexsalt:7361006c74
4884
+Ctrl.iter = iter:4096
4885
+Ctrl.digest = digest:sha512
4886
+Output = 9d9e9c4cd21fe4be24d5b8244c759665
4887
+
4888
+Title = PBKDF2 tests for empty inputs
4889
+
4890
+KDF = PBKDF2
4891
+Ctrl.pass = pass:
4892
+Ctrl.salt = salt:salt
4893
+Ctrl.iter = iter:1
4894
+Ctrl.digest = digest:sha1
4895
+Output = a33dddc30478185515311f8752895d36ea4363a2
4896
+
4897
+KDF = PBKDF2
4898
+Ctrl.pass = pass:
4899
+Ctrl.salt = salt:salt
4900
+Ctrl.iter = iter:1
4901
+Ctrl.digest = digest:sha256
4902
+Output = f135c27993baf98773c5cdb40a5706ce6a345cde
4903
+
4904
+KDF = PBKDF2
4905
+Ctrl.pass = pass:
4906
+Ctrl.salt = salt:salt
4907
+Ctrl.iter = iter:1
4908
+Ctrl.digest = digest:sha512
4909
+Output = 00ef42cdbfc98d29db20976608e455567fdddf14
4910
+
4911
Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt
4912
===================================================================
4913
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
4914
+++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt 2020-01-23 13:45:11.476634476 +0100
4915
4916
+#
4917
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
4918
+#
4919
+# Licensed under the Apache License 2.0 (the "License"). You may not use
4920
+# this file except in compliance with the License. You can obtain a copy
4921
+# in the file LICENSE in the source distribution or at
4922
+# https://www.openssl.org/source/license.html
4923
+
4924
+# Tests start with one of these keywords
4925
+# Cipher Decrypt Derive Digest Encoding KDF PKEYKDF MAC PBE
4926
+# PrivPubKeyPair Sign Verify VerifyRecover
4927
+# and continue until a blank line. Lines starting with a pound sign,
4928
+# like this prolog, are ignored.
4929
+
4930
+Title = TLS1 PRF tests (from NIST test vectors)
4931
+
4932
+PKEYKDF=TLS1-PRF
4933
+Ctrl.md = md:MD5-SHA1
4934
+Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0
4935
+Ctrl.label = seed:master secret
4936
+Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693
4937
+Ctrl.server_random = hexseed:135e4d557fdf3aa6406d82975d5c606a9734c9334b42136e96990fbd5358cdb2
4938
+Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
4939
+
4940
+PKEYKDF=TLS1-PRF
4941
+Ctrl.md = md:MD5-SHA1
4942
+Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
4943
+Ctrl.label = seed:key expansion
4944
+Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be
4945
+Ctrl.client_random = hexseed:d58a7b1cd4fedaa232159df652ce188f9d997e061b9bf48e83b62990440931f6
4946
+Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d
4947
+
4948
+PKEYKDF=TLS1-PRF
4949
+Ctrl.md = md:SHA256
4950
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
4951
+Ctrl.label = seed:master secret
4952
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
4953
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
4954
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
4955
+
4956
+PKEYKDF=TLS1-PRF
4957
+Ctrl.md = md:SHA256
4958
+Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
4959
+Ctrl.label = seed:key expansion
4960
+Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
4961
+Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616
4962
+Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928
4963
+
4964
+# As above but use long name for KDF
4965
+PKEYKDF=tls1-prf
4966
+Ctrl.md = md:SHA256
4967
+Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
4968
+Ctrl.label = seed:key expansion
4969
+Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
4970
+Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616
4971
+Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928
4972
+
4973
+# Missing digest.
4974
+PKEYKDF=TLS1-PRF
4975
+Ctrl.Secret = hexsecret:01
4976
+Ctrl.Seed = hexseed:02
4977
+Output = 03
4978
+Result = KDF_DERIVE_ERROR
4979
+
4980
+# Missing secret.
4981
+PKEYKDF=TLS1-PRF
4982
+Ctrl.md = md:MD5-SHA1
4983
+Ctrl.Seed = hexseed:02
4984
+Output = 03
4985
+Result = KDF_DERIVE_ERROR
4986
+
4987
+Title = HKDF tests (from RFC5869 test vectors)
4988
+
4989
+PKEYKDF = HKDF
4990
+Ctrl.md = md:SHA256
4991
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
4992
+Ctrl.salt = hexsalt:000102030405060708090a0b0c
4993
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
4994
+Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
4995
+
4996
+PKEYKDF = HKDF
4997
+Ctrl.mode = mode:EXTRACT_ONLY
4998
+Ctrl.md = md:SHA256
4999
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
5000
+Ctrl.salt = hexsalt:000102030405060708090a0b0c
5001
+Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
5002
+
5003
+PKEYKDF = HKDF
5004
+Ctrl.mode = mode:EXPAND_ONLY
5005
+Ctrl.md = md:SHA256
5006
+Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
5007
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
5008
+Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
5009
+
5010
+PKEYKDF = HKDF
5011
+Ctrl.md = md:SHA256
5012
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
5013
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
5014
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
5015
+Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87
5016
+
5017
+PKEYKDF = HKDF
5018
+Ctrl.mode = mode:EXTRACT_ONLY
5019
+Ctrl.md = md:SHA256
5020
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
5021
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
5022
+Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
5023
+
5024
+PKEYKDF = HKDF
5025
+Ctrl.mode = mode:EXPAND_ONLY
5026
+Ctrl.md = md:SHA256
5027
+Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
5028
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
5029
+Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87
5030
+
5031
+PKEYKDF = HKDF
5032
+Ctrl.md = md:SHA256
5033
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
5034
+Ctrl.salt = salt:
5035
+Ctrl.info = info:
5036
+Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
5037
+
5038
+PKEYKDF = HKDF
5039
+Ctrl.mode = mode:EXTRACT_ONLY
5040
+Ctrl.md = md:SHA256
5041
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
5042
+Ctrl.salt = salt:
5043
+Ctrl.info = info:
5044
+Output = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
5045
+
5046
+PKEYKDF = HKDF
5047
+Ctrl.mode = mode:EXPAND_ONLY
5048
+Ctrl.md = md:SHA256
5049
+Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
5050
+Ctrl.info = info:
5051
+Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
5052
+
5053
+PKEYKDF = HKDF
5054
+Ctrl.md = md:SHA1
5055
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
5056
+Ctrl.salt = hexsalt:000102030405060708090a0b0c
5057
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
5058
+Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
5059
+
5060
+PKEYKDF = HKDF
5061
+Ctrl.mode = mode:EXTRACT_ONLY
5062
+Ctrl.md = md:SHA1
5063
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
5064
+Ctrl.salt = hexsalt:000102030405060708090a0b0c
5065
+Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
5066
+
5067
+PKEYKDF = HKDF
5068
+Ctrl.mode = mode:EXPAND_ONLY
5069
+Ctrl.md = md:SHA1
5070
+Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
5071
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
5072
+Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
5073
+
5074
+PKEYKDF = HKDF
5075
+Ctrl.md = md:SHA1
5076
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
5077
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
5078
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
5079
+Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
5080
+
5081
+PKEYKDF = HKDF
5082
+Ctrl.mode = mode:EXTRACT_ONLY
5083
+Ctrl.md = md:SHA1
5084
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
5085
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
5086
+Output = 8adae09a2a307059478d309b26c4115a224cfaf6
5087
+
5088
+PKEYKDF = HKDF
5089
+Ctrl.mode = mode:EXPAND_ONLY
5090
+Ctrl.md = md:SHA1
5091
+Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6
5092
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
5093
+Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
5094
+
5095
+PKEYKDF = HKDF
5096
+Ctrl.md = md:SHA1
5097
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
5098
+Ctrl.salt = salt:
5099
+Ctrl.info = info:
5100
+Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
5101
+
5102
+PKEYKDF = HKDF
5103
+Ctrl.mode = mode:EXTRACT_ONLY
5104
+Ctrl.md = md:SHA1
5105
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
5106
+Ctrl.salt = salt:
5107
+Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
5108
+
5109
+PKEYKDF = HKDF
5110
+Ctrl.mode = mode:EXPAND_ONLY
5111
+Ctrl.md = md:SHA1
5112
+Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
5113
+Ctrl.info = info:
5114
+Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
5115
+
5116
+PKEYKDF = HKDF
5117
+Ctrl.md = md:SHA1
5118
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
5119
+Ctrl.salt = salt:
5120
+Ctrl.info = info:
5121
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
5122
+
5123
+PKEYKDF = HKDF
5124
+Ctrl.mode = mode:EXTRACT_ONLY
5125
+Ctrl.md = md:SHA1
5126
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
5127
+Ctrl.salt = salt:
5128
+Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd
5129
+
5130
+PKEYKDF = HKDF
5131
+Ctrl.mode = mode:EXPAND_ONLY
5132
+Ctrl.md = md:SHA1
5133
+Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd
5134
+Ctrl.info = info:
5135
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
5136
+
5137
+PKEYKDF = HKDF
5138
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
5139
+Ctrl.salt = salt:
5140
+Ctrl.info = info:
5141
+Output = 00
5142
+Result = KDF_DERIVE_ERROR
5143
+
5144
+PKEYKDF = HKDF
5145
+Ctrl.md = md:SHA1
5146
+Ctrl.salt = salt:
5147
+Ctrl.info = info:
5148
+Output = 00
5149
+Result = KDF_DERIVE_ERROR
5150
+
5151
+PKEYKDF = HKDF
5152
+Ctrl.md = md:SHA1
5153
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
5154
+Ctrl.info = info:
5155
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
5156
+
5157
+PKEYKDF = HKDF
5158
+Ctrl.md = md:SHA1
5159
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
5160
+Ctrl.salt = salt:
5161
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
5162
+
5163
+PKEYKDF = HKDF
5164
+Ctrl.mode = mode:EXTRACT_AND_EXPAND
5165
+Ctrl.md = md:SHA1
5166
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
5167
+Ctrl.salt = salt:
5168
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
5169
+
5170
+Title = id-scrypt tests (from draft-josefsson-id-scrypt-kdf-03 and others)
5171
+
5172
+PKEYKDF = scrypt
5173
+Ctrl.pass = pass:
5174
+Ctrl.salt = salt:
5175
+Ctrl.N = N:16
5176
+Ctrl.r = r:1
5177
+Ctrl.p = p:1
5178
+Output = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906
5179
+
5180
+PKEYKDF = scrypt
5181
+Ctrl.pass = pass:password
5182
+Ctrl.salt = salt:NaCl
5183
+Ctrl.N = N:1024
5184
+Ctrl.r = r:8
5185
+Ctrl.p = p:16
5186
+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640
5187
+
5188
+PKEYKDF = scrypt
5189
+Ctrl.hexpass = hexpass:70617373776f7264
5190
+Ctrl.salt = salt:NaCl
5191
+Ctrl.N = N:1024
5192
+Ctrl.r = r:8
5193
+Ctrl.p = p:16
5194
+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640
5195
+
5196
+PKEYKDF = scrypt
5197
+Ctrl.pass = pass:password
5198
+Ctrl.hexsalt = hexsalt:4e61436c
5199
+Ctrl.N = N:1024
5200
+Ctrl.r = r:8
5201
+Ctrl.p = p:16
5202
+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640
5203
+
5204
+PKEYKDF = scrypt
5205
+Ctrl.pass = pass:pleaseletmein
5206
+Ctrl.salt = salt:SodiumChloride
5207
+Ctrl.N = N:16384
5208
+Ctrl.r = r:8
5209
+Ctrl.p = p:1
5210
+Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887
5211
+
5212
+# Out of memory
5213
+PKEYKDF = scrypt
5214
+Ctrl.pass = pass:pleaseletmein
5215
+Ctrl.salt = salt:SodiumChloride
5216
+Ctrl.N = N:1048576
5217
+Ctrl.r = r:8
5218
+Ctrl.p = p:1
5219
+Result = INTERNAL_ERROR
5220
+
5221
Index: openssl-1.1.1d/test/recipes/30-test_evp_kdf.t
5222
===================================================================
5223
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
5224
+++ openssl-1.1.1d/test/recipes/30-test_evp_kdf.t 2020-01-23 13:45:11.476634476 +0100
5225
5226
+#! /usr/bin/env perl
5227
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
5228
+# Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
5229
+#
5230
+# Licensed under the Apache License 2.0 (the "License"). You may not use
5231
+# this file except in compliance with the License. You can obtain a copy
5232
+# in the file LICENSE in the source distribution or at
5233
+# https://www.openssl.org/source/license.html
5234
+
5235
+
5236
+use OpenSSL::Test::Simple;
5237
+
5238
+simple_test("test_evp_kdf", "evp_kdf_test");
5239
Index: openssl-1.1.1d/test/recipes/30-test_evp.t
5240
===================================================================
5241
--- openssl-1.1.1d.orig/test/recipes/30-test_evp.t 2019-09-10 15:13:07.000000000 +0200
5242
+++ openssl-1.1.1d/test/recipes/30-test_evp.t 2020-01-23 13:45:11.476634476 +0100
5243
5244
setup("test_evp");
5245
5246
my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt",
5247
- "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
5248
+ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
5249
"evpcase.txt", "evpccmcavs.txt" );
5250
5251
plan tests => scalar(@files);
5252
Index: openssl-1.1.1d/util/libcrypto.num
5253
===================================================================
5254
--- openssl-1.1.1d.orig/util/libcrypto.num 2020-01-23 13:45:11.348633716 +0100
5255
+++ openssl-1.1.1d/util/libcrypto.num 2020-01-23 13:45:11.476634476 +0100
5256
5257
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
5258
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
5259
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
5260
+EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
5261
+EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
5262
+EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
5263
+EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
5264
+EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
5265
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
5266
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
5267
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
5268
Index: openssl-1.1.1d/util/private.num
5269
===================================================================
5270
--- openssl-1.1.1d.orig/util/private.num 2020-01-23 13:45:11.032631836 +0100
5271
+++ openssl-1.1.1d/util/private.num 2020-01-23 13:45:11.476634476 +0100
5272
5273
CRYPTO_EX_free datatype
5274
CRYPTO_EX_new datatype
5275
DTLS_timer_cb datatype
5276
+EVP_KDF_CTX datatype
5277
EVP_PKEY_gen_cb datatype
5278
EVP_PKEY_METHOD datatype
5279
EVP_PKEY_ASN1_METHOD datatype
5280