File openssl-1.1.1-evp-kdf.patch of Package openssl-1_1
5239
1
diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err/openssl.txt2
--- openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf 2021-02-16 16:24:01.000000000 +01003
+++ openssl-1.1.1j/crypto/err/openssl.txt 2021-03-03 14:10:13.729466935 +01004
5
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate6
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex7
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate8
+EVP_F_EVP_KDF_CTRL:224:EVP_KDF_ctrl9
+EVP_F_EVP_KDF_CTRL_STR:225:EVP_KDF_ctrl_str10
+EVP_F_EVP_KDF_CTX_NEW_ID:226:EVP_KDF_CTX_new_id11
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex12
EVP_F_EVP_MD_SIZE:162:EVP_MD_size13
EVP_F_EVP_OPENINIT:102:EVP_OpenInit14
15
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen16
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen17
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen18
+EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl19
EVP_F_PKEY_SET_TYPE:158:pkey_set_type20
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth21
EVP_F_RC5_CTRL:125:rc5_ctrl22
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key23
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl24
+EVP_F_SCRYPT_ALG:228:scrypt_alg25
EVP_F_UPDATE:173:update26
+KDF_F_HKDF_EXTRACT:112:HKDF_Extract27
+KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive28
+KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new29
+KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size30
+KDF_F_KDF_MD2CTRL:116:kdf_md2ctrl31
+KDF_F_KDF_PBKDF2_CTRL_STR:117:kdf_pbkdf2_ctrl_str32
+KDF_F_KDF_PBKDF2_DERIVE:118:kdf_pbkdf2_derive33
+KDF_F_KDF_PBKDF2_NEW:119:kdf_pbkdf2_new34
+KDF_F_KDF_SCRYPT_CTRL_STR:120:kdf_scrypt_ctrl_str35
+KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint3236
+KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint6437
+KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive38
+KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new39
+KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str40
+KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive41
+KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new42
+KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf43
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str44
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive45
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init46
47
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str48
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive49
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init50
+KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf51
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg52
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object53
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid54
55
operation not supported for this keytype56
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized57
EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow58
+EVP_R_PARAMETER_TOO_LARGE:187:parameter too large59
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers60
EVP_R_PBKDF2_ERROR:181:pbkdf2 error61
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\62
63
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type64
KDF_R_VALUE_ERROR:108:value error65
KDF_R_VALUE_MISSING:102:value missing66
+KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size67
OBJ_R_OID_EXISTS:102:oid exists68
OBJ_R_UNKNOWN_NID:101:unknown nid69
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error70
diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/build.info71
--- openssl-1.1.1j/crypto/evp/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +010072
+++ openssl-1.1.1j/crypto/evp/build.info 2021-03-03 14:08:02.490294839 +010073
74
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \75
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \76
c_allc.c c_alld.c evp_lib.c bio_ok.c \77
- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \78
+ evp_pkey.c kdf_lib.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \79
+ pkey_kdf.c \80
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \81
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \82
e_chacha20_poly1305.c cmeth_lib.c83
diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c84
--- openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2021-02-16 16:24:01.000000000 +010085
+++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c 2021-03-03 14:08:02.490294839 +010086
87
88
# include <openssl/evp.h>89
# include <openssl/objects.h>90
-# include "evp_local.h"91
# include "crypto/evp.h"92
# include "crypto/chacha.h"93
+# include "evp_local.h"94
95
typedef struct {96
union {97
diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/encode.c98
--- openssl-1.1.1j/crypto/evp/encode.c.evp-kdf 2021-02-16 16:24:01.000000000 +010099
+++ openssl-1.1.1j/crypto/evp/encode.c 2021-03-03 14:08:02.491294847 +0100100
101
#include <limits.h>102
#include "internal/cryptlib.h"103
#include <openssl/evp.h>104
-#include "evp_local.h"105
#include "crypto/evp.h"106
+#include "evp_local.h"107
108
static unsigned char conv_ascii2bin(unsigned char a,109
const unsigned char *table);110
diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_err.c111
--- openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf 2021-03-03 14:08:02.469294651 +0100112
+++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 14:12:08.272351600 +0100113
114
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),115
"EVP_EncryptFinal_ex"},116
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},117
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL, 0), "EVP_KDF_ctrl"},118
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL_STR, 0), "EVP_KDF_ctrl_str"},119
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTX_NEW_ID, 0), "EVP_KDF_CTX_new_id"},120
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},121
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},122
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},123
124
"PKCS5_v2_PBKDF2_keyivgen"},125
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),126
"PKCS5_v2_scrypt_keyivgen"},127
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_KDF_CTRL, 0), "pkey_kdf_ctrl"},128
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},129
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},130
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},131
{ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),132
"r_32_12_16_init_key"},133
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},134
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},135
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},136
{0, NULL}137
};138
139
"operaton not initialized"},140
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),141
"output would overflow"},142
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),143
+ "parameter too large"},144
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),145
"partially overlapping buffers"},146
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},147
diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp/evp_local.h148
--- openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf 2021-03-03 14:08:02.362293695 +0100149
+++ openssl-1.1.1j/crypto/evp/evp_local.h 2021-03-03 14:08:02.491294847 +0100150
151
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */152
} /* EVP_CIPHER_CTX */ ;153
154
+struct evp_kdf_ctx_st {155
+ const EVP_KDF_METHOD *kmeth;156
+ EVP_KDF_IMPL *impl; /* Algorithm-specific data */157
+} /* EVP_KDF_CTX */ ;158
+159
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,160
int passlen, ASN1_TYPE *param,161
const EVP_CIPHER *c, const EVP_MD *md,162
diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_pbe.c163
--- openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100164
+++ openssl-1.1.1j/crypto/evp/evp_pbe.c 2021-03-03 14:08:02.491294847 +0100165
166
#include <openssl/evp.h>167
#include <openssl/pkcs12.h>168
#include <openssl/x509.h>169
+#include "crypto/evp.h"170
#include "evp_local.h"171
172
/* Password based encryption (PBE) functions */173
diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/kdf_lib.c174
--- openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100175
+++ openssl-1.1.1j/crypto/evp/kdf_lib.c 2021-03-03 14:08:02.491294847 +0100176
177
+/*178
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.179
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.180
+ *181
+ * Licensed under the Apache License 2.0 (the "License"). You may not use182
+ * this file except in compliance with the License. You can obtain a copy183
+ * in the file LICENSE in the source distribution or at184
+ * https://www.openssl.org/source/license.html185
+ */186
+187
+#include <stdio.h>188
+#include <stdlib.h>189
+#include "internal/cryptlib.h"190
+#include <openssl/engine.h>191
+#include <openssl/evp.h>192
+#include <openssl/x509v3.h>193
+#include <openssl/kdf.h>194
+#include "crypto/asn1.h"195
+#include "crypto/evp.h"196
+#include "internal/numbers.h"197
+#include "evp_local.h"198
+199
+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);200
+201
+/* This array needs to be in order of NIDs */202
+static const EVP_KDF_METHOD *standard_methods[] = {203
+ &pbkdf2_kdf_meth,204
+#ifndef OPENSSL_NO_SCRYPT205
+ &scrypt_kdf_meth,206
+#endif207
+ &tls1_prf_kdf_meth,208
+ &hkdf_kdf_meth209
+};210
+211
+DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,212
+ kmeth);213
+214
+static int kmeth_cmp(const EVP_KDF_METHOD *const *a,215
+ const EVP_KDF_METHOD *const *b)216
+{217
+ return ((*a)->type - (*b)->type);218
+}219
+220
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,221
+ kmeth);222
+223
+static const EVP_KDF_METHOD *kdf_meth_find(int type)224
+{225
+ EVP_KDF_METHOD tmp;226
+ const EVP_KDF_METHOD *t = &tmp, **ret;227
+228
+ tmp.type = type;229
+ ret = OBJ_bsearch_kmeth(&t, standard_methods,230
+ OSSL_NELEM(standard_methods));231
+ if (ret == NULL || *ret == NULL)232
+ return NULL;233
+234
+ return *ret;235
+}236
+237
+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id)238
+{239
+ EVP_KDF_CTX *ret;240
+ const EVP_KDF_METHOD *kmeth;241
+242
+ kmeth = kdf_meth_find(id);243
+ if (kmeth == NULL) {244
+ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, EVP_R_UNSUPPORTED_ALGORITHM);245
+ return NULL;246
+ }247
+248
+ ret = OPENSSL_zalloc(sizeof(*ret));249
+ if (ret == NULL) {250
+ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, ERR_R_MALLOC_FAILURE);251
+ return NULL;252
+ }253
+254
+ if (kmeth->new != NULL && (ret->impl = kmeth->new()) == NULL) {255
+ EVP_KDF_CTX_free(ret);256
+ return NULL;257
+ }258
+259
+ ret->kmeth = kmeth;260
+ return ret;261
+}262
+263
+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx)264
+{265
+ if (ctx == NULL)266
+ return;267
+268
+ ctx->kmeth->free(ctx->impl);269
+ OPENSSL_free(ctx);270
+}271
+272
+void EVP_KDF_reset(EVP_KDF_CTX *ctx)273
+{274
+ if (ctx == NULL)275
+ return;276
+277
+ if (ctx->kmeth->reset != NULL)278
+ ctx->kmeth->reset(ctx->impl);279
+}280
+281
+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...)282
+{283
+ int ret;284
+ va_list args;285
+286
+ va_start(args, cmd);287
+ ret = EVP_KDF_vctrl(ctx, cmd, args);288
+ va_end(args);289
+290
+ if (ret == -2)291
+ EVPerr(EVP_F_EVP_KDF_CTRL, EVP_R_COMMAND_NOT_SUPPORTED);292
+293
+ return ret;294
+}295
+296
+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args)297
+{298
+ if (ctx == NULL)299
+ return 0;300
+301
+ return ctx->kmeth->ctrl(ctx->impl, cmd, args);302
+}303
+304
+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value)305
+{306
+ int ret;307
+308
+ if (ctx == NULL)309
+ return 0;310
+311
+ if (ctx->kmeth->ctrl_str == NULL) {312
+ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);313
+ return -2;314
+ }315
+316
+ ret = ctx->kmeth->ctrl_str(ctx->impl, type, value);317
+ if (ret == -2)318
+ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);319
+320
+ return ret;321
+}322
+323
+size_t EVP_KDF_size(EVP_KDF_CTX *ctx)324
+{325
+ if (ctx == NULL)326
+ return 0;327
+328
+ if (ctx->kmeth->size == NULL)329
+ return SIZE_MAX;330
+331
+ return ctx->kmeth->size(ctx->impl);332
+}333
+334
+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen)335
+{336
+ if (ctx == NULL)337
+ return 0;338
+339
+ return ctx->kmeth->derive(ctx->impl, key, keylen);340
+}341
+342
diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/p5_crpt2.c343
--- openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100344
+++ openssl-1.1.1j/crypto/evp/p5_crpt2.c 2021-03-03 14:08:02.491294847 +0100345
346
/*347
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.348
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.349
*350
* Licensed under the OpenSSL license (the "License"). You may not use351
* this file except in compliance with the License. You can obtain a copy352
353
#include <stdio.h>354
#include <stdlib.h>355
#include "internal/cryptlib.h"356
-# include <openssl/x509.h>357
-# include <openssl/evp.h>358
-# include <openssl/hmac.h>359
-# include "evp_local.h"360
+#include <openssl/x509.h>361
+#include <openssl/evp.h>362
+#include <openssl/kdf.h>363
+#include <openssl/hmac.h>364
+#include "crypto/evp.h"365
+#include "evp_local.h"366
367
/* set this to print out info about the keygen algorithm */368
/* #define OPENSSL_DEBUG_PKCS5V2 */369
370
-# ifdef OPENSSL_DEBUG_PKCS5V2371
+#ifdef OPENSSL_DEBUG_PKCS5V2372
static void h__dump(const unsigned char *p, int len);373
-# endif374
-375
-/*376
- * This is an implementation of PKCS#5 v2.0 password based encryption key377
- * derivation function PBKDF2. SHA1 version verified against test vectors378
- * posted by Peter Gutmann to the PKCS-TNG mailing list.379
- */380
+#endif381
382
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,383
const unsigned char *salt, int saltlen, int iter,384
const EVP_MD *digest, int keylen, unsigned char *out)385
{386
const char *empty = "";387
- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];388
- int cplen, j, k, tkeylen, mdlen;389
- unsigned long i = 1;390
- HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;391
-392
- mdlen = EVP_MD_size(digest);393
- if (mdlen < 0)394
- return 0;395
+ int rv = 1;396
+ EVP_KDF_CTX *kctx;397
398
- hctx_tpl = HMAC_CTX_new();399
- if (hctx_tpl == NULL)400
- return 0;401
- p = out;402
- tkeylen = keylen;403
+ /* Keep documented behaviour. */404
if (pass == NULL) {405
pass = empty;406
passlen = 0;407
} else if (passlen == -1) {408
passlen = strlen(pass);409
}410
- if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) {411
- HMAC_CTX_free(hctx_tpl);412
- return 0;413
- }414
- hctx = HMAC_CTX_new();415
- if (hctx == NULL) {416
- HMAC_CTX_free(hctx_tpl);417
+ if (salt == NULL && saltlen == 0)418
+ salt = (unsigned char *)empty;419
+420
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2);421
+ if (kctx == NULL)422
return 0;423
- }424
- while (tkeylen) {425
- if (tkeylen > mdlen)426
- cplen = mdlen;427
- else428
- cplen = tkeylen;429
- /*430
- * We are unlikely to ever use more than 256 blocks (5120 bits!) but431
- * just in case...432
- */433
- itmp[0] = (unsigned char)((i >> 24) & 0xff);434
- itmp[1] = (unsigned char)((i >> 16) & 0xff);435
- itmp[2] = (unsigned char)((i >> 8) & 0xff);436
- itmp[3] = (unsigned char)(i & 0xff);437
- if (!HMAC_CTX_copy(hctx, hctx_tpl)) {438
- HMAC_CTX_free(hctx);439
- HMAC_CTX_free(hctx_tpl);440
- return 0;441
- }442
- if (!HMAC_Update(hctx, salt, saltlen)443
- || !HMAC_Update(hctx, itmp, 4)444
- || !HMAC_Final(hctx, digtmp, NULL)) {445
- HMAC_CTX_free(hctx);446
- HMAC_CTX_free(hctx_tpl);447
- return 0;448
- }449
- memcpy(p, digtmp, cplen);450
- for (j = 1; j < iter; j++) {451
- if (!HMAC_CTX_copy(hctx, hctx_tpl)) {452
- HMAC_CTX_free(hctx);453
- HMAC_CTX_free(hctx_tpl);454
- return 0;455
- }456
- if (!HMAC_Update(hctx, digtmp, mdlen)457
- || !HMAC_Final(hctx, digtmp, NULL)) {458
- HMAC_CTX_free(hctx);459
- HMAC_CTX_free(hctx_tpl);460
- return 0;461
- }462
- for (k = 0; k < cplen; k++)463
- p[k] ^= digtmp[k];464
- }465
- tkeylen -= cplen;466
- i++;467
- p += cplen;468
- }469
- HMAC_CTX_free(hctx);470
- HMAC_CTX_free(hctx_tpl);471
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1472
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,473
+ salt, (size_t)saltlen) != 1474
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, iter) != 1475
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, digest) != 1476
+ || EVP_KDF_derive(kctx, out, keylen) != 1)477
+ rv = 0;478
+479
+ EVP_KDF_CTX_free(kctx);480
+481
# ifdef OPENSSL_DEBUG_PKCS5V2482
fprintf(stderr, "Password:\n");483
h__dump(pass, passlen);484
485
fprintf(stderr, "Key:\n");486
h__dump(out, keylen);487
# endif488
- return 1;489
+ return rv;490
}491
492
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,493
diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/evp/pbe_scrypt.c494
--- openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100495
+++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c 2021-03-03 14:08:02.491294847 +0100496
497
* https://www.openssl.org/source/license.html498
*/499
500
-#include <stddef.h>501
-#include <stdio.h>502
-#include <string.h>503
#include <openssl/evp.h>504
#include <openssl/err.h>505
-#include "internal/numbers.h"506
+#include <openssl/kdf.h>507
508
#ifndef OPENSSL_NO_SCRYPT509
510
-#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))511
-static void salsa208_word_specification(uint32_t inout[16])512
-{513
- int i;514
- uint32_t x[16];515
- memcpy(x, inout, sizeof(x));516
- for (i = 8; i > 0; i -= 2) {517
- x[4] ^= R(x[0] + x[12], 7);518
- x[8] ^= R(x[4] + x[0], 9);519
- x[12] ^= R(x[8] + x[4], 13);520
- x[0] ^= R(x[12] + x[8], 18);521
- x[9] ^= R(x[5] + x[1], 7);522
- x[13] ^= R(x[9] + x[5], 9);523
- x[1] ^= R(x[13] + x[9], 13);524
- x[5] ^= R(x[1] + x[13], 18);525
- x[14] ^= R(x[10] + x[6], 7);526
- x[2] ^= R(x[14] + x[10], 9);527
- x[6] ^= R(x[2] + x[14], 13);528
- x[10] ^= R(x[6] + x[2], 18);529
- x[3] ^= R(x[15] + x[11], 7);530
- x[7] ^= R(x[3] + x[15], 9);531
- x[11] ^= R(x[7] + x[3], 13);532
- x[15] ^= R(x[11] + x[7], 18);533
- x[1] ^= R(x[0] + x[3], 7);534
- x[2] ^= R(x[1] + x[0], 9);535
- x[3] ^= R(x[2] + x[1], 13);536
- x[0] ^= R(x[3] + x[2], 18);537
- x[6] ^= R(x[5] + x[4], 7);538
- x[7] ^= R(x[6] + x[5], 9);539
- x[4] ^= R(x[7] + x[6], 13);540
- x[5] ^= R(x[4] + x[7], 18);541
- x[11] ^= R(x[10] + x[9], 7);542
- x[8] ^= R(x[11] + x[10], 9);543
- x[9] ^= R(x[8] + x[11], 13);544
- x[10] ^= R(x[9] + x[8], 18);545
- x[12] ^= R(x[15] + x[14], 7);546
- x[13] ^= R(x[12] + x[15], 9);547
- x[14] ^= R(x[13] + x[12], 13);548
- x[15] ^= R(x[14] + x[13], 18);549
- }550
- for (i = 0; i < 16; ++i)551
- inout[i] += x[i];552
- OPENSSL_cleanse(x, sizeof(x));553
-}554
-555
-static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)556
-{557
- uint64_t i, j;558
- uint32_t X[16], *pB;559
-560
- memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));561
- pB = B;562
- for (i = 0; i < r * 2; i++) {563
- for (j = 0; j < 16; j++)564
- X[j] ^= *pB++;565
- salsa208_word_specification(X);566
- memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));567
- }568
- OPENSSL_cleanse(X, sizeof(X));569
-}570
-571
-static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,572
- uint32_t *X, uint32_t *T, uint32_t *V)573
-{574
- unsigned char *pB;575
- uint32_t *pV;576
- uint64_t i, k;577
-578
- /* Convert from little endian input */579
- for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {580
- *pV = *pB++;581
- *pV |= *pB++ << 8;582
- *pV |= *pB++ << 16;583
- *pV |= (uint32_t)*pB++ << 24;584
- }585
-586
- for (i = 1; i < N; i++, pV += 32 * r)587
- scryptBlockMix(pV, pV - 32 * r, r);588
-589
- scryptBlockMix(X, V + (N - 1) * 32 * r, r);590
-591
- for (i = 0; i < N; i++) {592
- uint32_t j;593
- j = X[16 * (2 * r - 1)] % N;594
- pV = V + 32 * r * j;595
- for (k = 0; k < 32 * r; k++)596
- T[k] = X[k] ^ *pV++;597
- scryptBlockMix(X, T, r);598
- }599
- /* Convert output to little endian */600
- for (i = 0, pB = B; i < 32 * r; i++) {601
- uint32_t xtmp = X[i];602
- *pB++ = xtmp & 0xff;603
- *pB++ = (xtmp >> 8) & 0xff;604
- *pB++ = (xtmp >> 16) & 0xff;605
- *pB++ = (xtmp >> 24) & 0xff;606
- }607
-}608
-609
-#ifndef SIZE_MAX610
-# define SIZE_MAX ((size_t)-1)611
-#endif612
-613
-/*614
- * Maximum power of two that will fit in uint64_t: this should work on615
- * most (all?) platforms.616
- */617
-618
-#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)619
-620
-/*621
- * Maximum value of p * r:622
- * p <= ((2^32-1) * hLen) / MFLen =>623
- * p <= ((2^32-1) * 32) / (128 * r) =>624
- * p * r <= (2^30-1)625
- *626
- */627
-628
-#define SCRYPT_PR_MAX ((1 << 30) - 1)629
-630
/*631
* Maximum permitted memory allow this to be overridden with Configuration632
* option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible.633
634
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,635
unsigned char *key, size_t keylen)636
{637
- int rv = 0;638
- unsigned char *B;639
- uint32_t *X, *V, *T;640
- uint64_t i, Blen, Vlen;641
-642
- /* Sanity check parameters */643
- /* initial check, r,p must be non zero, N >= 2 and a power of 2 */644
- if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))645
- return 0;646
- /* Check p * r < SCRYPT_PR_MAX avoiding overflow */647
- if (p > SCRYPT_PR_MAX / r) {648
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);649
- return 0;650
- }651
-652
- /*653
- * Need to check N: if 2^(128 * r / 8) overflows limit this is654
- * automatically satisfied since N <= UINT64_MAX.655
- */656
-657
- if (16 * r <= LOG2_UINT64_MAX) {658
- if (N >= (((uint64_t)1) << (16 * r))) {659
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);660
- return 0;661
- }662
- }663
+ const char *empty = "";664
+ int rv = 1;665
+ EVP_KDF_CTX *kctx;666
667
- /* Memory checks: check total allocated buffer size fits in uint64_t */668
-669
- /*670
- * B size in section 5 step 1.S671
- * Note: we know p * 128 * r < UINT64_MAX because we already checked672
- * p * r < SCRYPT_PR_MAX673
- */674
- Blen = p * 128 * r;675
- /*676
- * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would677
- * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]678
- */679
- if (Blen > INT_MAX) {680
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);681
+ if (r > UINT32_MAX || p > UINT32_MAX) {682
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);683
return 0;684
}685
686
- /*687
- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t688
- * This is combined size V, X and T (section 4)689
- */690
- i = UINT64_MAX / (32 * sizeof(uint32_t));691
- if (N + 2 > i / r) {692
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);693
- return 0;694
+ /* Maintain existing behaviour. */695
+ if (pass == NULL) {696
+ pass = empty;697
+ passlen = 0;698
}699
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);700
-701
- /* check total allocated size fits in uint64_t */702
- if (Blen > UINT64_MAX - Vlen) {703
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);704
- return 0;705
+ if (salt == NULL) {706
+ salt = (const unsigned char *)empty;707
+ saltlen = 0;708
}709
-710
if (maxmem == 0)711
maxmem = SCRYPT_MAX_MEM;712
713
- /* Check that the maximum memory doesn't exceed a size_t limits */714
- if (maxmem > SIZE_MAX)715
- maxmem = SIZE_MAX;716
-717
- if (Blen + Vlen > maxmem) {718
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);719
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);720
+ if (kctx == NULL)721
return 0;722
- }723
724
- /* If no key return to indicate parameters are OK */725
- if (key == NULL)726
- return 1;727
-728
- B = OPENSSL_malloc((size_t)(Blen + Vlen));729
- if (B == NULL) {730
- EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE);731
- return 0;732
- }733
- X = (uint32_t *)(B + Blen);734
- T = X + 32 * r;735
- V = T + 32 * r;736
- if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),737
- (int)Blen, B) == 0)738
- goto err;739
-740
- for (i = 0; i < p; i++)741
- scryptROMix(B + 128 * r * i, r, N, X, T, V);742
-743
- if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),744
- keylen, key) == 0)745
- goto err;746
- rv = 1;747
- err:748
- if (rv == 0)749
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR);750
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1751
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,752
+ salt, (size_t)saltlen) != 1753
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1754
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)r) != 1755
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)p) != 1756
+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1757
+ || EVP_KDF_derive(kctx, key, keylen) != 1)758
+ rv = 0;759
760
- OPENSSL_clear_free(B, (size_t)(Blen + Vlen));761
+ EVP_KDF_CTX_free(kctx);762
return rv;763
}764
+765
#endif766
diff -up openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/pkey_kdf.c767
--- openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100768
+++ openssl-1.1.1j/crypto/evp/pkey_kdf.c 2021-03-03 14:08:02.491294847 +0100769
770
+/*771
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.772
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.773
+ *774
+ * Licensed under the Apache License 2.0 (the "License"). You may not use775
+ * this file except in compliance with the License. You can obtain a copy776
+ * in the file LICENSE in the source distribution or at777
+ * https://www.openssl.org/source/license.html778
+ */779
+780
+#include <string.h>781
+#include <openssl/evp.h>782
+#include <openssl/err.h>783
+#include <openssl/kdf.h>784
+#include "crypto/evp.h"785
+786
+static int pkey_kdf_init(EVP_PKEY_CTX *ctx)787
+{788
+ EVP_KDF_CTX *kctx;789
+790
+ kctx = EVP_KDF_CTX_new_id(ctx->pmeth->pkey_id);791
+ if (kctx == NULL)792
+ return 0;793
+794
+ ctx->data = kctx;795
+ return 1;796
+}797
+798
+static void pkey_kdf_cleanup(EVP_PKEY_CTX *ctx)799
+{800
+ EVP_KDF_CTX *kctx = ctx->data;801
+802
+ EVP_KDF_CTX_free(kctx);803
+}804
+805
+static int pkey_kdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)806
+{807
+ EVP_KDF_CTX *kctx = ctx->data;808
+ uint64_t u64_value;809
+ int cmd;810
+ int ret;811
+812
+ switch (type) {813
+ case EVP_PKEY_CTRL_PASS:814
+ cmd = EVP_KDF_CTRL_SET_PASS;815
+ break;816
+ case EVP_PKEY_CTRL_HKDF_SALT:817
+ case EVP_PKEY_CTRL_SCRYPT_SALT:818
+ cmd = EVP_KDF_CTRL_SET_SALT;819
+ break;820
+ case EVP_PKEY_CTRL_TLS_MD:821
+ case EVP_PKEY_CTRL_HKDF_MD:822
+ cmd = EVP_KDF_CTRL_SET_MD;823
+ break;824
+ case EVP_PKEY_CTRL_TLS_SECRET:825
+ cmd = EVP_KDF_CTRL_SET_TLS_SECRET;826
+ ret = EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_RESET_TLS_SEED);827
+ if (ret < 1)828
+ return ret;829
+ break;830
+ case EVP_PKEY_CTRL_TLS_SEED:831
+ cmd = EVP_KDF_CTRL_ADD_TLS_SEED;832
+ break;833
+ case EVP_PKEY_CTRL_HKDF_KEY:834
+ cmd = EVP_KDF_CTRL_SET_KEY;835
+ break;836
+ case EVP_PKEY_CTRL_HKDF_INFO:837
+ cmd = EVP_KDF_CTRL_ADD_HKDF_INFO;838
+ break;839
+ case EVP_PKEY_CTRL_HKDF_MODE:840
+ cmd = EVP_KDF_CTRL_SET_HKDF_MODE;841
+ break;842
+ case EVP_PKEY_CTRL_SCRYPT_N:843
+ cmd = EVP_KDF_CTRL_SET_SCRYPT_N;844
+ break;845
+ case EVP_PKEY_CTRL_SCRYPT_R:846
+ cmd = EVP_KDF_CTRL_SET_SCRYPT_R;847
+ break;848
+ case EVP_PKEY_CTRL_SCRYPT_P:849
+ cmd = EVP_KDF_CTRL_SET_SCRYPT_P;850
+ break;851
+ case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:852
+ cmd = EVP_KDF_CTRL_SET_MAXMEM_BYTES;853
+ break;854
+ default:855
+ return -2;856
+ }857
+858
+ switch (cmd) {859
+ case EVP_KDF_CTRL_SET_PASS:860
+ case EVP_KDF_CTRL_SET_SALT:861
+ case EVP_KDF_CTRL_SET_KEY:862
+ case EVP_KDF_CTRL_SET_TLS_SECRET:863
+ case EVP_KDF_CTRL_ADD_TLS_SEED:864
+ case EVP_KDF_CTRL_ADD_HKDF_INFO:865
+ return EVP_KDF_ctrl(kctx, cmd, (const unsigned char *)p2, (size_t)p1);866
+867
+ case EVP_KDF_CTRL_SET_MD:868
+ return EVP_KDF_ctrl(kctx, cmd, (const EVP_MD *)p2);869
+870
+ case EVP_KDF_CTRL_SET_HKDF_MODE:871
+ return EVP_KDF_ctrl(kctx, cmd, (int)p1);872
+873
+ case EVP_KDF_CTRL_SET_SCRYPT_R:874
+ case EVP_KDF_CTRL_SET_SCRYPT_P:875
+ u64_value = *(uint64_t *)p2;876
+ if (u64_value > UINT32_MAX) {877
+ EVPerr(EVP_F_PKEY_KDF_CTRL, EVP_R_PARAMETER_TOO_LARGE);878
+ return 0;879
+ }880
+881
+ return EVP_KDF_ctrl(kctx, cmd, (uint32_t)u64_value);882
+883
+ case EVP_KDF_CTRL_SET_SCRYPT_N:884
+ case EVP_KDF_CTRL_SET_MAXMEM_BYTES:885
+ return EVP_KDF_ctrl(kctx, cmd, *(uint64_t *)p2);886
+887
+ default:888
+ return 0;889
+ }890
+}891
+892
+static int pkey_kdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,893
+ const char *value)894
+{895
+ EVP_KDF_CTX *kctx = ctx->data;896
+897
+ if (strcmp(type, "md") == 0)898
+ return EVP_KDF_ctrl_str(kctx, "digest", value);899
+ return EVP_KDF_ctrl_str(kctx, type, value);900
+}901
+902
+static int pkey_kdf_derive_init(EVP_PKEY_CTX *ctx)903
+{904
+ EVP_KDF_CTX *kctx = ctx->data;905
+906
+ EVP_KDF_reset(kctx);907
+ return 1;908
+}909
+910
+/*911
+ * For fixed-output algorithms the keylen parameter is an "out" parameter912
+ * otherwise it is an "in" parameter.913
+ */914
+static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,915
+ size_t *keylen)916
+{917
+ EVP_KDF_CTX *kctx = ctx->data;918
+ size_t outlen = EVP_KDF_size(kctx);919
+920
+ if (outlen == 0 || outlen == SIZE_MAX) {921
+ /* Variable-output algorithm */922
+ if (key == NULL)923
+ return 0;924
+ } else {925
+ /* Fixed-output algorithm */926
+ *keylen = outlen;927
+ if (key == NULL)928
+ return 1;929
+ }930
+ return EVP_KDF_derive(kctx, key, *keylen);931
+}932
+933
+#ifndef OPENSSL_NO_SCRYPT934
+const EVP_PKEY_METHOD scrypt_pkey_meth = {935
+ EVP_PKEY_SCRYPT,936
+ 0,937
+ pkey_kdf_init,938
+ 0,939
+ pkey_kdf_cleanup,940
+941
+ 0, 0,942
+ 0, 0,943
+944
+ 0,945
+ 0,946
+947
+ 0,948
+ 0,949
+950
+ 0, 0,951
+952
+ 0, 0, 0, 0,953
+954
+ 0, 0,955
+956
+ 0, 0,957
+958
+ pkey_kdf_derive_init,959
+ pkey_kdf_derive,960
+ pkey_kdf_ctrl,961
+ pkey_kdf_ctrl_str962
+};963
+#endif964
+965
+const EVP_PKEY_METHOD tls1_prf_pkey_meth = {966
+ EVP_PKEY_TLS1_PRF,967
+ EVP_PKEY_FLAG_FIPS,968
+ pkey_kdf_init,969
+ 0,970
+ pkey_kdf_cleanup,971
+972
+ 0, 0,973
+ 0, 0,974
+975
+ 0,976
+ 0,977
+978
+ 0,979
+ 0,980
+981
+ 0, 0,982
+983
+ 0, 0, 0, 0,984
+985
+ 0, 0,986
+987
+ 0, 0,988
+989
+ pkey_kdf_derive_init,990
+ pkey_kdf_derive,991
+ pkey_kdf_ctrl,992
+ pkey_kdf_ctrl_str993
+};994
+995
+const EVP_PKEY_METHOD hkdf_pkey_meth = {996
+ EVP_PKEY_HKDF,997
+ EVP_PKEY_FLAG_FIPS,998
+ pkey_kdf_init,999
+ 0,1000
+ pkey_kdf_cleanup,1001
+1002
+ 0, 0,1003
+ 0, 0,1004
+1005
+ 0,1006
+ 0,1007
+1008
+ 0,1009
+ 0,1010
+1011
+ 0, 0,1012
+1013
+ 0, 0, 0, 0,1014
+1015
+ 0, 0,1016
+1017
+ 0, 0,1018
+1019
+ pkey_kdf_derive_init,1020
+ pkey_kdf_derive,1021
+ pkey_kdf_ctrl,1022
+ pkey_kdf_ctrl_str1023
+};1024
+1025
diff -up openssl-1.1.1j/crypto/kdf/build.info.evp-kdf openssl-1.1.1j/crypto/kdf/build.info1026
--- openssl-1.1.1j/crypto/kdf/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +01001027
+++ openssl-1.1.1j/crypto/kdf/build.info 2021-03-03 14:08:02.491294847 +01001028
1029
LIBS=../../libcrypto1030
SOURCE[../../libcrypto]=\1031
- tls1_prf.c kdf_err.c hkdf.c scrypt.c1032
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c1033
diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf.c1034
--- openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf 2021-02-16 16:24:01.000000000 +01001035
+++ openssl-1.1.1j/crypto/kdf/hkdf.c 2021-03-03 14:08:02.492294856 +01001036
1037
*/1038
1039
#include <stdlib.h>1040
+#include <stdarg.h>1041
#include <string.h>1042
#include <openssl/hmac.h>1043
#include <openssl/kdf.h>1044
#include <openssl/evp.h>1045
#include "internal/cryptlib.h"1046
#include "crypto/evp.h"1047
+#include "kdf_local.h"1048
1049
#define HKDF_MAXBUF 10241050
1051
-static unsigned char *HKDF(const EVP_MD *evp_md,1052
- const unsigned char *salt, size_t salt_len,1053
- const unsigned char *key, size_t key_len,1054
- const unsigned char *info, size_t info_len,1055
- unsigned char *okm, size_t okm_len);1056
-1057
-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,1058
- const unsigned char *salt, size_t salt_len,1059
- const unsigned char *key, size_t key_len,1060
- unsigned char *prk, size_t *prk_len);1061
-1062
-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,1063
- const unsigned char *prk, size_t prk_len,1064
- const unsigned char *info, size_t info_len,1065
- unsigned char *okm, size_t okm_len);1066
+static void kdf_hkdf_reset(EVP_KDF_IMPL *impl);1067
+static int HKDF(const EVP_MD *evp_md,1068
+ const unsigned char *salt, size_t salt_len,1069
+ const unsigned char *key, size_t key_len,1070
+ const unsigned char *info, size_t info_len,1071
+ unsigned char *okm, size_t okm_len);1072
+static int HKDF_Extract(const EVP_MD *evp_md,1073
+ const unsigned char *salt, size_t salt_len,1074
+ const unsigned char *key, size_t key_len,1075
+ unsigned char *prk, size_t prk_len);1076
+static int HKDF_Expand(const EVP_MD *evp_md,1077
+ const unsigned char *prk, size_t prk_len,1078
+ const unsigned char *info, size_t info_len,1079
+ unsigned char *okm, size_t okm_len);1080
1081
-typedef struct {1082
+struct evp_kdf_impl_st {1083
int mode;1084
const EVP_MD *md;1085
unsigned char *salt;1086
1087
size_t key_len;1088
unsigned char info[HKDF_MAXBUF];1089
size_t info_len;1090
-} HKDF_PKEY_CTX;1091
+};1092
1093
-static int pkey_hkdf_init(EVP_PKEY_CTX *ctx)1094
+static EVP_KDF_IMPL *kdf_hkdf_new(void)1095
{1096
- HKDF_PKEY_CTX *kctx;1097
-1098
- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) {1099
- KDFerr(KDF_F_PKEY_HKDF_INIT, ERR_R_MALLOC_FAILURE);1100
- return 0;1101
- }1102
+ EVP_KDF_IMPL *impl;1103
1104
- ctx->data = kctx;1105
+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)1106
+ KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE);1107
+ return impl;1108
+}1109
1110
- return 1;1111
+static void kdf_hkdf_free(EVP_KDF_IMPL *impl)1112
+{1113
+ kdf_hkdf_reset(impl);1114
+ OPENSSL_free(impl);1115
}1116
1117
-static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)1118
+static void kdf_hkdf_reset(EVP_KDF_IMPL *impl)1119
{1120
- HKDF_PKEY_CTX *kctx = ctx->data;1121
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);1122
- OPENSSL_clear_free(kctx->key, kctx->key_len);1123
- OPENSSL_cleanse(kctx->info, kctx->info_len);1124
- OPENSSL_free(kctx);1125
+ OPENSSL_free(impl->salt);1126
+ OPENSSL_clear_free(impl->key, impl->key_len);1127
+ OPENSSL_cleanse(impl->info, impl->info_len);1128
+ memset(impl, 0, sizeof(*impl));1129
}1130
1131
-static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)1132
+static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)1133
{1134
- HKDF_PKEY_CTX *kctx = ctx->data;1135
+ const unsigned char *p;1136
+ size_t len;1137
+ const EVP_MD *md;1138
1139
- switch (type) {1140
- case EVP_PKEY_CTRL_HKDF_MD:1141
- if (p2 == NULL)1142
+ switch (cmd) {1143
+ case EVP_KDF_CTRL_SET_MD:1144
+ md = va_arg(args, const EVP_MD *);1145
+ if (md == NULL)1146
return 0;1147
1148
- kctx->md = p2;1149
+ impl->md = md;1150
return 1;1151
1152
- case EVP_PKEY_CTRL_HKDF_MODE:1153
- kctx->mode = p1;1154
+ case EVP_KDF_CTRL_SET_HKDF_MODE:1155
+ impl->mode = va_arg(args, int);1156
return 1;1157
1158
- case EVP_PKEY_CTRL_HKDF_SALT:1159
- if (p1 == 0 || p2 == NULL)1160
+ case EVP_KDF_CTRL_SET_SALT:1161
+ p = va_arg(args, const unsigned char *);1162
+ len = va_arg(args, size_t);1163
+ if (len == 0 || p == NULL)1164
return 1;1165
1166
- if (p1 < 0)1167
+ OPENSSL_free(impl->salt);1168
+ impl->salt = OPENSSL_memdup(p, len);1169
+ if (impl->salt == NULL)1170
return 0;1171
1172
- if (kctx->salt != NULL)1173
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);1174
-1175
- kctx->salt = OPENSSL_memdup(p2, p1);1176
- if (kctx->salt == NULL)1177
- return 0;1178
-1179
- kctx->salt_len = p1;1180
+ impl->salt_len = len;1181
return 1;1182
1183
- case EVP_PKEY_CTRL_HKDF_KEY:1184
- if (p1 < 0)1185
+ case EVP_KDF_CTRL_SET_KEY:1186
+ p = va_arg(args, const unsigned char *);1187
+ len = va_arg(args, size_t);1188
+ OPENSSL_clear_free(impl->key, impl->key_len);1189
+ impl->key = OPENSSL_memdup(p, len);1190
+ if (impl->key == NULL)1191
return 0;1192
1193
- if (kctx->key != NULL)1194
- OPENSSL_clear_free(kctx->key, kctx->key_len);1195
-1196
- kctx->key = OPENSSL_memdup(p2, p1);1197
- if (kctx->key == NULL)1198
- return 0;1199
+ impl->key_len = len;1200
+ return 1;1201
1202
- kctx->key_len = p1;1203
+ case EVP_KDF_CTRL_RESET_HKDF_INFO:1204
+ OPENSSL_cleanse(impl->info, impl->info_len);1205
+ impl->info_len = 0;1206
return 1;1207
1208
- case EVP_PKEY_CTRL_HKDF_INFO:1209
- if (p1 == 0 || p2 == NULL)1210
+ case EVP_KDF_CTRL_ADD_HKDF_INFO:1211
+ p = va_arg(args, const unsigned char *);1212
+ len = va_arg(args, size_t);1213
+ if (len == 0 || p == NULL)1214
return 1;1215
1216
- if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len))1217
+ if (len > (HKDF_MAXBUF - impl->info_len))1218
return 0;1219
1220
- memcpy(kctx->info + kctx->info_len, p2, p1);1221
- kctx->info_len += p1;1222
+ memcpy(impl->info + impl->info_len, p, len);1223
+ impl->info_len += len;1224
return 1;1225
1226
default:1227
return -2;1228
-1229
}1230
}1231
1232
-static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,1233
- const char *value)1234
+static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,1235
+ const char *value)1236
{1237
if (strcmp(type, "mode") == 0) {1238
int mode;1239
1240
if (strcmp(value, "EXTRACT_AND_EXPAND") == 0)1241
- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND;1242
+ mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND;1243
else if (strcmp(value, "EXTRACT_ONLY") == 0)1244
- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY;1245
+ mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;1246
else if (strcmp(value, "EXPAND_ONLY") == 0)1247
- mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;1248
+ mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;1249
else1250
return 0;1251
1252
- return EVP_PKEY_CTX_hkdf_mode(ctx, mode);1253
+ return call_ctrl(kdf_hkdf_ctrl, impl, EVP_KDF_CTRL_SET_HKDF_MODE, mode);1254
}1255
1256
- if (strcmp(type, "md") == 0)1257
- return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE,1258
- EVP_PKEY_CTRL_HKDF_MD, value);1259
+ if (strcmp(type, "digest") == 0)1260
+ return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);1261
1262
if (strcmp(type, "salt") == 0)1263
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);1264
+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);1265
1266
if (strcmp(type, "hexsalt") == 0)1267
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);1268
+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);1269
1270
if (strcmp(type, "key") == 0)1271
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);1272
+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value);1273
1274
if (strcmp(type, "hexkey") == 0)1275
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);1276
+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value);1277
1278
if (strcmp(type, "info") == 0)1279
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);1280
+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO,1281
+ value);1282
1283
if (strcmp(type, "hexinfo") == 0)1284
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);1285
+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO,1286
+ value);1287
1288
- KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);1289
return -2;1290
}1291
1292
-static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx)1293
+static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl)1294
{1295
- HKDF_PKEY_CTX *kctx = ctx->data;1296
+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)1297
+ return SIZE_MAX;1298
1299
- OPENSSL_clear_free(kctx->key, kctx->key_len);1300
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);1301
- OPENSSL_cleanse(kctx->info, kctx->info_len);1302
- memset(kctx, 0, sizeof(*kctx));1303
-1304
- return 1;1305
+ if (impl->md == NULL) {1306
+ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);1307
+ return 0;1308
+ }1309
+ return EVP_MD_size(impl->md);1310
}1311
1312
-static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,1313
- size_t *keylen)1314
+static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,1315
+ size_t keylen)1316
{1317
- HKDF_PKEY_CTX *kctx = ctx->data;1318
-1319
- if (kctx->md == NULL) {1320
- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);1321
+ if (impl->md == NULL) {1322
+ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);1323
return 0;1324
}1325
- if (kctx->key == NULL) {1326
- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY);1327
+ if (impl->key == NULL) {1328
+ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY);1329
return 0;1330
}1331
1332
- switch (kctx->mode) {1333
- case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND:1334
- return HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key,1335
- kctx->key_len, kctx->info, kctx->info_len, key,1336
- *keylen) != NULL;1337
-1338
- case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:1339
- if (key == NULL) {1340
- *keylen = EVP_MD_size(kctx->md);1341
- return 1;1342
- }1343
- return HKDF_Extract(kctx->md, kctx->salt, kctx->salt_len, kctx->key,1344
- kctx->key_len, key, keylen) != NULL;1345
-1346
- case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY:1347
- return HKDF_Expand(kctx->md, kctx->key, kctx->key_len, kctx->info,1348
- kctx->info_len, key, *keylen) != NULL;1349
+ switch (impl->mode) {1350
+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:1351
+ return HKDF(impl->md, impl->salt, impl->salt_len, impl->key,1352
+ impl->key_len, impl->info, impl->info_len, key,1353
+ keylen);1354
+1355
+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:1356
+ return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key,1357
+ impl->key_len, key, keylen);1358
+1359
+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY:1360
+ return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info,1361
+ impl->info_len, key, keylen);1362
1363
default:1364
return 0;1365
}1366
}1367
1368
-const EVP_PKEY_METHOD hkdf_pkey_meth = {1369
- EVP_PKEY_HKDF,1370
- 0,1371
- pkey_hkdf_init,1372
- 0,1373
- pkey_hkdf_cleanup,1374
-1375
- 0, 0,1376
- 0, 0,1377
-1378
- 0,1379
- 0,1380
-1381
- 0,1382
- 0,1383
-1384
- 0, 0,1385
-1386
- 0, 0, 0, 0,1387
-1388
- 0, 0,1389
-1390
- 0, 0,1391
-1392
- pkey_hkdf_derive_init,1393
- pkey_hkdf_derive,1394
- pkey_hkdf_ctrl,1395
- pkey_hkdf_ctrl_str1396
+const EVP_KDF_METHOD hkdf_kdf_meth = {1397
+ EVP_KDF_HKDF,1398
+ kdf_hkdf_new,1399
+ kdf_hkdf_free,1400
+ kdf_hkdf_reset,1401
+ kdf_hkdf_ctrl,1402
+ kdf_hkdf_ctrl_str,1403
+ kdf_hkdf_size,1404
+ kdf_hkdf_derive1405
};1406
1407
-static unsigned char *HKDF(const EVP_MD *evp_md,1408
- const unsigned char *salt, size_t salt_len,1409
- const unsigned char *key, size_t key_len,1410
- const unsigned char *info, size_t info_len,1411
- unsigned char *okm, size_t okm_len)1412
+static int HKDF(const EVP_MD *evp_md,1413
+ const unsigned char *salt, size_t salt_len,1414
+ const unsigned char *key, size_t key_len,1415
+ const unsigned char *info, size_t info_len,1416
+ unsigned char *okm, size_t okm_len)1417
{1418
unsigned char prk[EVP_MAX_MD_SIZE];1419
- unsigned char *ret;1420
- size_t prk_len;1421
+ int ret;1422
+ size_t prk_len = EVP_MD_size(evp_md);1423
1424
- if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len))1425
- return NULL;1426
+ if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, prk_len))1427
+ return 0;1428
1429
ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);1430
OPENSSL_cleanse(prk, sizeof(prk));1431
1432
return ret;1433
}1434
1435
-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,1436
- const unsigned char *salt, size_t salt_len,1437
- const unsigned char *key, size_t key_len,1438
- unsigned char *prk, size_t *prk_len)1439
+static int HKDF_Extract(const EVP_MD *evp_md,1440
+ const unsigned char *salt, size_t salt_len,1441
+ const unsigned char *key, size_t key_len,1442
+ unsigned char *prk, size_t prk_len)1443
{1444
- unsigned int tmp_len;1445
-1446
- if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len))1447
- return NULL;1448
-1449
- *prk_len = tmp_len;1450
- return prk;1451
+ if (prk_len != (size_t)EVP_MD_size(evp_md)) {1452
+ KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE);1453
+ return 0;1454
+ }1455
+ return HMAC(evp_md, salt, salt_len, key, key_len, prk, NULL) != NULL;1456
}1457
1458
-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,1459
- const unsigned char *prk, size_t prk_len,1460
- const unsigned char *info, size_t info_len,1461
- unsigned char *okm, size_t okm_len)1462
+static int HKDF_Expand(const EVP_MD *evp_md,1463
+ const unsigned char *prk, size_t prk_len,1464
+ const unsigned char *info, size_t info_len,1465
+ unsigned char *okm, size_t okm_len)1466
{1467
HMAC_CTX *hmac;1468
- unsigned char *ret = NULL;1469
-1470
+ int ret = 0;1471
unsigned int i;1472
-1473
unsigned char prev[EVP_MAX_MD_SIZE];1474
-1475
size_t done_len = 0, dig_len = EVP_MD_size(evp_md);1476
-1477
size_t n = okm_len / dig_len;1478
+1479
if (okm_len % dig_len)1480
n++;1481
1482
if (n > 255 || okm == NULL)1483
- return NULL;1484
+ return 0;1485
1486
if ((hmac = HMAC_CTX_new()) == NULL)1487
- return NULL;1488
+ return 0;1489
1490
if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))1491
goto err;1492
1493
1494
done_len += copy_len;1495
}1496
- ret = okm;1497
+ ret = 1;1498
1499
err:1500
OPENSSL_cleanse(prev, sizeof(prev));1501
diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_err.c1502
--- openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf 2021-02-16 16:24:01.000000000 +01001503
+++ openssl-1.1.1j/crypto/kdf/kdf_err.c 2021-03-03 14:08:02.492294856 +01001504
1505
/*1506
* Generated by util/mkerr.pl DO NOT EDIT1507
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.1508
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.1509
*1510
* Licensed under the OpenSSL license (the "License"). You may not use1511
* this file except in compliance with the License. You can obtain a copy1512
1513
#ifndef OPENSSL_NO_ERR1514
1515
static const ERR_STRING_DATA KDF_str_functs[] = {1516
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"},1517
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"},1518
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"},1519
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"},1520
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_MD2CTRL, 0), "kdf_md2ctrl"},1521
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_CTRL_STR, 0),1522
+ "kdf_pbkdf2_ctrl_str"},1523
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_DERIVE, 0), "kdf_pbkdf2_derive"},1524
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_NEW, 0), "kdf_pbkdf2_new"},1525
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_STR, 0),1526
+ "kdf_scrypt_ctrl_str"},1527
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT32, 0),1528
+ "kdf_scrypt_ctrl_uint32"},1529
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT64, 0),1530
+ "kdf_scrypt_ctrl_uint64"},1531
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"},1532
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"},1533
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0),1534
+ "kdf_tls1_prf_ctrl_str"},1535
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0),1536
+ "kdf_tls1_prf_derive"},1537
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"},1538
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"},1539
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"},1540
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"},1541
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"},1542
1543
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_DERIVE, 0),1544
"pkey_tls1_prf_derive"},1545
{ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"},1546
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"},1547
{ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"},1548
{0, NULL}1549
};1550
1551
"unknown parameter type"},1552
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"},1553
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"},1554
+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE),1555
+ "wrong output buffer size"},1556
{0, NULL}1557
};1558
1559
diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_local.h1560
--- openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf 2021-03-03 14:08:02.492294856 +01001561
+++ openssl-1.1.1j/crypto/kdf/kdf_local.h 2021-03-03 14:08:02.492294856 +01001562
1563
+/*1564
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.1565
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.1566
+ *1567
+ * Licensed under the Apache License 2.0 (the "License"). You may not use1568
+ * this file except in compliance with the License. You can obtain a copy1569
+ * in the file LICENSE in the source distribution or at1570
+ * https://www.openssl.org/source/license.html1571
+ */1572
+1573
+int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1574
+ EVP_KDF_IMPL *impl, int cmd, ...);1575
+int kdf_str2ctrl(EVP_KDF_IMPL *impl,1576
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1577
+ int cmd, const char *str);1578
+int kdf_hex2ctrl(EVP_KDF_IMPL *impl,1579
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1580
+ int cmd, const char *hex);1581
+int kdf_md2ctrl(EVP_KDF_IMPL *impl,1582
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1583
+ int cmd, const char *md_name);1584
+1585
diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_util.c1586
--- openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf 2021-03-03 14:08:02.492294856 +01001587
+++ openssl-1.1.1j/crypto/kdf/kdf_util.c 2021-03-03 14:08:02.492294856 +01001588
1589
+/*1590
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.1591
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.1592
+ *1593
+ * Licensed under the Apache License 2.0 (the "License"). You may not use1594
+ * this file except in compliance with the License. You can obtain a copy1595
+ * in the file LICENSE in the source distribution or at1596
+ * https://www.openssl.org/source/license.html1597
+ */1598
+1599
+#include <string.h>1600
+#include <stdarg.h>1601
+#include <openssl/kdf.h>1602
+#include <openssl/evp.h>1603
+#include "internal/cryptlib.h"1604
+#include "crypto/evp.h"1605
+#include "internal/numbers.h"1606
+#include "kdf_local.h"1607
+1608
+int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1609
+ EVP_KDF_IMPL *impl, int cmd, ...)1610
+{1611
+ int ret;1612
+ va_list args;1613
+1614
+ va_start(args, cmd);1615
+ ret = ctrl(impl, cmd, args);1616
+ va_end(args);1617
+1618
+ return ret;1619
+}1620
+1621
+/* Utility functions to send a string or hex string to a ctrl */1622
+1623
+int kdf_str2ctrl(EVP_KDF_IMPL *impl,1624
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1625
+ int cmd, const char *str)1626
+{1627
+ return call_ctrl(ctrl, impl, cmd, (const unsigned char *)str, strlen(str));1628
+}1629
+1630
+int kdf_hex2ctrl(EVP_KDF_IMPL *impl,1631
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1632
+ int cmd, const char *hex)1633
+{1634
+ unsigned char *bin;1635
+ long binlen;1636
+ int ret = -1;1637
+1638
+ bin = OPENSSL_hexstr2buf(hex, &binlen);1639
+ if (bin == NULL)1640
+ return 0;1641
+1642
+ if (binlen <= INT_MAX)1643
+ ret = call_ctrl(ctrl, impl, cmd, bin, (size_t)binlen);1644
+ OPENSSL_free(bin);1645
+ return ret;1646
+}1647
+1648
+/* Pass a message digest to a ctrl */1649
+int kdf_md2ctrl(EVP_KDF_IMPL *impl,1650
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),1651
+ int cmd, const char *md_name)1652
+{1653
+ const EVP_MD *md;1654
+1655
+ if (md_name == NULL || (md = EVP_get_digestbyname(md_name)) == NULL) {1656
+ KDFerr(KDF_F_KDF_MD2CTRL, KDF_R_INVALID_DIGEST);1657
+ return 0;1658
+ }1659
+ return call_ctrl(ctrl, impl, cmd, md);1660
+}1661
+1662
diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pbkdf2.c1663
--- openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf 2021-03-03 14:08:02.492294856 +01001664
+++ openssl-1.1.1j/crypto/kdf/pbkdf2.c 2021-03-03 14:08:02.492294856 +01001665
1666
+/*1667
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.1668
+ *1669
+ * Licensed under the Apache License 2.0 (the "License"). You may not use1670
+ * this file except in compliance with the License. You can obtain a copy1671
+ * in the file LICENSE in the source distribution or at1672
+ * https://www.openssl.org/source/license.html1673
+ */1674
+1675
+#include <stdlib.h>1676
+#include <stdarg.h>1677
+#include <string.h>1678
+#include <openssl/hmac.h>1679
+#include <openssl/evp.h>1680
+#include <openssl/kdf.h>1681
+#include "internal/cryptlib.h"1682
+#include "crypto/evp.h"1683
+#include "kdf_local.h"1684
+1685
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);1686
+static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl);1687
+static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,1688
+ const unsigned char *salt, int saltlen, int iter,1689
+ const EVP_MD *digest, unsigned char *key,1690
+ size_t keylen);1691
+1692
+struct evp_kdf_impl_st {1693
+ unsigned char *pass;1694
+ size_t pass_len;1695
+ unsigned char *salt;1696
+ size_t salt_len;1697
+ int iter;1698
+ const EVP_MD *md;1699
+};1700
+1701
+static EVP_KDF_IMPL *kdf_pbkdf2_new(void)1702
+{1703
+ EVP_KDF_IMPL *impl;1704
+1705
+ impl = OPENSSL_zalloc(sizeof(*impl));1706
+ if (impl == NULL) {1707
+ KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE);1708
+ return NULL;1709
+ }1710
+ kdf_pbkdf2_init(impl);1711
+ return impl;1712
+}1713
+1714
+static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl)1715
+{1716
+ kdf_pbkdf2_reset(impl);1717
+ OPENSSL_free(impl);1718
+}1719
+1720
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl)1721
+{1722
+ OPENSSL_free(impl->salt);1723
+ OPENSSL_clear_free(impl->pass, impl->pass_len);1724
+ memset(impl, 0, sizeof(*impl));1725
+ kdf_pbkdf2_init(impl);1726
+}1727
+1728
+static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl)1729
+{1730
+ impl->iter = PKCS5_DEFAULT_ITER;1731
+ impl->md = EVP_sha1();1732
+}1733
+1734
+static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,1735
+ const unsigned char *new_buffer,1736
+ size_t new_buflen)1737
+{1738
+ if (new_buffer == NULL)1739
+ return 1;1740
+1741
+ OPENSSL_clear_free(*buffer, *buflen);1742
+1743
+ if (new_buflen > 0) {1744
+ *buffer = OPENSSL_memdup(new_buffer, new_buflen);1745
+ } else {1746
+ *buffer = OPENSSL_malloc(1);1747
+ }1748
+ if (*buffer == NULL) {1749
+ KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE);1750
+ return 0;1751
+ }1752
+1753
+ *buflen = new_buflen;1754
+ return 1;1755
+}1756
+1757
+static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)1758
+{1759
+ int iter;1760
+ const unsigned char *p;1761
+ size_t len;1762
+ const EVP_MD *md;1763
+1764
+ switch (cmd) {1765
+ case EVP_KDF_CTRL_SET_PASS:1766
+ p = va_arg(args, const unsigned char *);1767
+ len = va_arg(args, size_t);1768
+ return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len);1769
+1770
+ case EVP_KDF_CTRL_SET_SALT:1771
+ p = va_arg(args, const unsigned char *);1772
+ len = va_arg(args, size_t);1773
+ return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len);1774
+1775
+ case EVP_KDF_CTRL_SET_ITER:1776
+ iter = va_arg(args, int);1777
+ if (iter < 1)1778
+ return 0;1779
+1780
+ impl->iter = iter;1781
+ return 1;1782
+1783
+ case EVP_KDF_CTRL_SET_MD:1784
+ md = va_arg(args, const EVP_MD *);1785
+ if (md == NULL)1786
+ return 0;1787
+1788
+ impl->md = md;1789
+ return 1;1790
+1791
+ default:1792
+ return -2;1793
+ }1794
+}1795
+1796
+static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type,1797
+ const char *value)1798
+{1799
+ if (value == NULL) {1800
+ KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING);1801
+ return 0;1802
+ }1803
+1804
+ if (strcmp(type, "pass") == 0)1805
+ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,1806
+ value);1807
+1808
+ if (strcmp(type, "hexpass") == 0)1809
+ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,1810
+ value);1811
+1812
+ if (strcmp(type, "salt") == 0)1813
+ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,1814
+ value);1815
+1816
+ if (strcmp(type, "hexsalt") == 0)1817
+ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,1818
+ value);1819
+1820
+ if (strcmp(type, "iter") == 0)1821
+ return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER,1822
+ atoi(value));1823
+1824
+ if (strcmp(type, "digest") == 0)1825
+ return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value);1826
+1827
+ return -2;1828
+}1829
+1830
+static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key,1831
+ size_t keylen)1832
+{1833
+ if (impl->pass == NULL) {1834
+ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS);1835
+ return 0;1836
+ }1837
+1838
+ if (impl->salt == NULL) {1839
+ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT);1840
+ return 0;1841
+ }1842
+1843
+ return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,1844
+ impl->salt, impl->salt_len, impl->iter,1845
+ impl->md, key, keylen);1846
+}1847
+1848
+const EVP_KDF_METHOD pbkdf2_kdf_meth = {1849
+ EVP_KDF_PBKDF2,1850
+ kdf_pbkdf2_new,1851
+ kdf_pbkdf2_free,1852
+ kdf_pbkdf2_reset,1853
+ kdf_pbkdf2_ctrl,1854
+ kdf_pbkdf2_ctrl_str,1855
+ NULL,1856
+ kdf_pbkdf2_derive1857
+};1858
+1859
+/*1860
+ * This is an implementation of PKCS#5 v2.0 password based encryption key1861
+ * derivation function PBKDF2. SHA1 version verified against test vectors1862
+ * posted by Peter Gutmann to the PKCS-TNG mailing list.1863
+ */1864
+1865
+static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,1866
+ const unsigned char *salt, int saltlen, int iter,1867
+ const EVP_MD *digest, unsigned char *key,1868
+ size_t keylen)1869
+{1870
+ int ret = 0;1871
+ unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];1872
+ int cplen, j, k, tkeylen, mdlen;1873
+ unsigned long i = 1;1874
+ HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;1875
+1876
+ mdlen = EVP_MD_size(digest);1877
+ if (mdlen < 0)1878
+ return 0;1879
+1880
+ hctx_tpl = HMAC_CTX_new();1881
+ if (hctx_tpl == NULL)1882
+ return 0;1883
+ p = key;1884
+ tkeylen = keylen;1885
+ if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))1886
+ goto err;1887
+ hctx = HMAC_CTX_new();1888
+ if (hctx == NULL)1889
+ goto err;1890
+ while (tkeylen) {1891
+ if (tkeylen > mdlen)1892
+ cplen = mdlen;1893
+ else1894
+ cplen = tkeylen;1895
+ /*1896
+ * We are unlikely to ever use more than 256 blocks (5120 bits!) but1897
+ * just in case...1898
+ */1899
+ itmp[0] = (unsigned char)((i >> 24) & 0xff);1900
+ itmp[1] = (unsigned char)((i >> 16) & 0xff);1901
+ itmp[2] = (unsigned char)((i >> 8) & 0xff);1902
+ itmp[3] = (unsigned char)(i & 0xff);1903
+ if (!HMAC_CTX_copy(hctx, hctx_tpl))1904
+ goto err;1905
+ if (!HMAC_Update(hctx, salt, saltlen)1906
+ || !HMAC_Update(hctx, itmp, 4)1907
+ || !HMAC_Final(hctx, digtmp, NULL))1908
+ goto err;1909
+ memcpy(p, digtmp, cplen);1910
+ for (j = 1; j < iter; j++) {1911
+ if (!HMAC_CTX_copy(hctx, hctx_tpl))1912
+ goto err;1913
+ if (!HMAC_Update(hctx, digtmp, mdlen)1914
+ || !HMAC_Final(hctx, digtmp, NULL))1915
+ goto err;1916
+ for (k = 0; k < cplen; k++)1917
+ p[k] ^= digtmp[k];1918
+ }1919
+ tkeylen -= cplen;1920
+ i++;1921
+ p += cplen;1922
+ }1923
+ ret = 1;1924
+1925
+err:1926
+ HMAC_CTX_free(hctx);1927
+ HMAC_CTX_free(hctx_tpl);1928
+ return ret;1929
+}1930
diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/scrypt.c1931
--- openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +01001932
+++ openssl-1.1.1j/crypto/kdf/scrypt.c 2021-03-03 14:08:02.492294856 +01001933
1934
*/1935
1936
#include <stdlib.h>1937
+#include <stdarg.h>1938
#include <string.h>1939
#include <openssl/hmac.h>1940
#include <openssl/kdf.h>1941
#include <openssl/evp.h>1942
-#include "internal/cryptlib.h"1943
+#include <openssl/err.h>1944
#include "crypto/evp.h"1945
+#include "internal/numbers.h"1946
+#include "kdf_local.h"1947
1948
#ifndef OPENSSL_NO_SCRYPT1949
1950
+static void kdf_scrypt_reset(EVP_KDF_IMPL *impl);1951
+static void kdf_scrypt_init(EVP_KDF_IMPL *impl);1952
static int atou64(const char *nptr, uint64_t *result);1953
+static int scrypt_alg(const char *pass, size_t passlen,1954
+ const unsigned char *salt, size_t saltlen,1955
+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,1956
+ unsigned char *key, size_t keylen);1957
1958
-typedef struct {1959
+struct evp_kdf_impl_st {1960
unsigned char *pass;1961
size_t pass_len;1962
unsigned char *salt;1963
size_t salt_len;1964
- uint64_t N, r, p;1965
+ uint64_t N;1966
+ uint32_t r, p;1967
uint64_t maxmem_bytes;1968
-} SCRYPT_PKEY_CTX;1969
+};1970
1971
/* Custom uint64_t parser since we do not have strtoull */1972
static int atou64(const char *nptr, uint64_t *result)1973
1974
return 1;1975
}1976
1977
-static int pkey_scrypt_init(EVP_PKEY_CTX *ctx)1978
+static EVP_KDF_IMPL *kdf_scrypt_new(void)1979
{1980
- SCRYPT_PKEY_CTX *kctx;1981
+ EVP_KDF_IMPL *impl;1982
1983
- kctx = OPENSSL_zalloc(sizeof(*kctx));1984
- if (kctx == NULL) {1985
- KDFerr(KDF_F_PKEY_SCRYPT_INIT, ERR_R_MALLOC_FAILURE);1986
- return 0;1987
+ impl = OPENSSL_zalloc(sizeof(*impl));1988
+ if (impl == NULL) {1989
+ KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE);1990
+ return NULL;1991
}1992
+ kdf_scrypt_init(impl);1993
+ return impl;1994
+}1995
1996
- /* Default values are the most conservative recommendation given in the1997
- * original paper of C. Percival. Derivation uses roughly 1 GiB of memory1998
- * for this parameter choice (approx. 128 * r * (N + p) bytes).1999
- */2000
- kctx->N = 1 << 20;2001
- kctx->r = 8;2002
- kctx->p = 1;2003
- kctx->maxmem_bytes = 1025 * 1024 * 1024;2004
-2005
- ctx->data = kctx;2006
-2007
- return 1;2008
+static void kdf_scrypt_free(EVP_KDF_IMPL *impl)2009
+{2010
+ kdf_scrypt_reset(impl);2011
+ OPENSSL_free(impl);2012
}2013
2014
-static void pkey_scrypt_cleanup(EVP_PKEY_CTX *ctx)2015
+static void kdf_scrypt_reset(EVP_KDF_IMPL *impl)2016
{2017
- SCRYPT_PKEY_CTX *kctx = ctx->data;2018
+ OPENSSL_free(impl->salt);2019
+ OPENSSL_clear_free(impl->pass, impl->pass_len);2020
+ memset(impl, 0, sizeof(*impl));2021
+ kdf_scrypt_init(impl);2022
+}2023
2024
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);2025
- OPENSSL_clear_free(kctx->pass, kctx->pass_len);2026
- OPENSSL_free(kctx);2027
+static void kdf_scrypt_init(EVP_KDF_IMPL *impl)2028
+{2029
+ /* Default values are the most conservative recommendation given in the2030
+ * original paper of C. Percival. Derivation uses roughly 1 GiB of memory2031
+ * for this parameter choice (approx. 128 * r * N * p bytes).2032
+ */2033
+ impl->N = 1 << 20;2034
+ impl->r = 8;2035
+ impl->p = 1;2036
+ impl->maxmem_bytes = 1025 * 1024 * 1024;2037
}2038
2039
-static int pkey_scrypt_set_membuf(unsigned char **buffer, size_t *buflen,2040
- const unsigned char *new_buffer,2041
- const int new_buflen)2042
+static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen,2043
+ const unsigned char *new_buffer,2044
+ size_t new_buflen)2045
{2046
if (new_buffer == NULL)2047
return 1;2048
2049
- if (new_buflen < 0)2050
- return 0;2051
-2052
- if (*buffer != NULL)2053
- OPENSSL_clear_free(*buffer, *buflen);2054
+ OPENSSL_clear_free(*buffer, *buflen);2055
2056
if (new_buflen > 0) {2057
*buffer = OPENSSL_memdup(new_buffer, new_buflen);2058
2059
*buffer = OPENSSL_malloc(1);2060
}2061
if (*buffer == NULL) {2062
- KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);2063
+ KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);2064
return 0;2065
}2066
2067
2068
return (value != 0) && ((value & (value - 1)) == 0);2069
}2070
2071
-static int pkey_scrypt_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)2072
+static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)2073
{2074
- SCRYPT_PKEY_CTX *kctx = ctx->data;2075
uint64_t u64_value;2076
+ uint32_t value;2077
+ const unsigned char *p;2078
+ size_t len;2079
+2080
+ switch (cmd) {2081
+ case EVP_KDF_CTRL_SET_PASS:2082
+ p = va_arg(args, const unsigned char *);2083
+ len = va_arg(args, size_t);2084
+ return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len);2085
+2086
+ case EVP_KDF_CTRL_SET_SALT:2087
+ p = va_arg(args, const unsigned char *);2088
+ len = va_arg(args, size_t);2089
+ return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len);2090
2091
- switch (type) {2092
- case EVP_PKEY_CTRL_PASS:2093
- return pkey_scrypt_set_membuf(&kctx->pass, &kctx->pass_len, p2, p1);2094
-2095
- case EVP_PKEY_CTRL_SCRYPT_SALT:2096
- return pkey_scrypt_set_membuf(&kctx->salt, &kctx->salt_len, p2, p1);2097
-2098
- case EVP_PKEY_CTRL_SCRYPT_N:2099
- u64_value = *((uint64_t *)p2);2100
+ case EVP_KDF_CTRL_SET_SCRYPT_N:2101
+ u64_value = va_arg(args, uint64_t);2102
if ((u64_value <= 1) || !is_power_of_two(u64_value))2103
return 0;2104
- kctx->N = u64_value;2105
+2106
+ impl->N = u64_value;2107
return 1;2108
2109
- case EVP_PKEY_CTRL_SCRYPT_R:2110
- u64_value = *((uint64_t *)p2);2111
- if (u64_value < 1)2112
+ case EVP_KDF_CTRL_SET_SCRYPT_R:2113
+ value = va_arg(args, uint32_t);2114
+ if (value < 1)2115
return 0;2116
- kctx->r = u64_value;2117
+2118
+ impl->r = value;2119
return 1;2120
2121
- case EVP_PKEY_CTRL_SCRYPT_P:2122
- u64_value = *((uint64_t *)p2);2123
- if (u64_value < 1)2124
+ case EVP_KDF_CTRL_SET_SCRYPT_P:2125
+ value = va_arg(args, uint32_t);2126
+ if (value < 1)2127
return 0;2128
- kctx->p = u64_value;2129
+2130
+ impl->p = value;2131
return 1;2132
2133
- case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:2134
- u64_value = *((uint64_t *)p2);2135
+ case EVP_KDF_CTRL_SET_MAXMEM_BYTES:2136
+ u64_value = va_arg(args, uint64_t);2137
if (u64_value < 1)2138
return 0;2139
- kctx->maxmem_bytes = u64_value;2140
+2141
+ impl->maxmem_bytes = u64_value;2142
return 1;2143
2144
default:2145
return -2;2146
+ }2147
+}2148
2149
+static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd,2150
+ const char *value)2151
+{2152
+ int int_value = atoi(value);2153
+2154
+ if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) {2155
+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR);2156
+ return 0;2157
}2158
+ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value);2159
}2160
2161
-static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX *ctx, int type,2162
- const char *value)2163
+static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd,2164
+ const char *value)2165
{2166
- uint64_t int_value;2167
+ uint64_t u64_value;2168
2169
- if (!atou64(value, &int_value)) {2170
- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);2171
+ if (!atou64(value, &u64_value)) {2172
+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);2173
return 0;2174
}2175
- return pkey_scrypt_ctrl(ctx, type, 0, &int_value);2176
+ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value);2177
}2178
2179
-static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,2180
- const char *value)2181
+static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type,2182
+ const char *value)2183
{2184
if (value == NULL) {2185
- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);2186
+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);2187
return 0;2188
}2189
2190
if (strcmp(type, "pass") == 0)2191
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);2192
+ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS,2193
+ value);2194
2195
if (strcmp(type, "hexpass") == 0)2196
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);2197
+ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS,2198
+ value);2199
2200
if (strcmp(type, "salt") == 0)2201
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);2202
+ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT,2203
+ value);2204
2205
if (strcmp(type, "hexsalt") == 0)2206
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);2207
+ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT,2208
+ value);2209
2210
if (strcmp(type, "N") == 0)2211
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_N, value);2212
+ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_SCRYPT_N, value);2213
2214
if (strcmp(type, "r") == 0)2215
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_R, value);2216
+ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_R, value);2217
2218
if (strcmp(type, "p") == 0)2219
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_P, value);2220
+ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_P, value);2221
2222
if (strcmp(type, "maxmem_bytes") == 0)2223
- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES,2224
- value);2225
+ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_MAXMEM_BYTES,2226
+ value);2227
2228
- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);2229
return -2;2230
}2231
2232
-static int pkey_scrypt_derive(EVP_PKEY_CTX *ctx, unsigned char *key,2233
- size_t *keylen)2234
+static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key,2235
+ size_t keylen)2236
{2237
- SCRYPT_PKEY_CTX *kctx = ctx->data;2238
-2239
- if (kctx->pass == NULL) {2240
- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_PASS);2241
+ if (impl->pass == NULL) {2242
+ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS);2243
return 0;2244
}2245
2246
- if (kctx->salt == NULL) {2247
- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_SALT);2248
+ if (impl->salt == NULL) {2249
+ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_SALT);2250
return 0;2251
}2252
2253
- return EVP_PBE_scrypt((char *)kctx->pass, kctx->pass_len, kctx->salt,2254
- kctx->salt_len, kctx->N, kctx->r, kctx->p,2255
- kctx->maxmem_bytes, key, *keylen);2256
+ return scrypt_alg((char *)impl->pass, impl->pass_len, impl->salt,2257
+ impl->salt_len, impl->N, impl->r, impl->p,2258
+ impl->maxmem_bytes, key, keylen);2259
}2260
2261
-const EVP_PKEY_METHOD scrypt_pkey_meth = {2262
- EVP_PKEY_SCRYPT,2263
- 0,2264
- pkey_scrypt_init,2265
- 0,2266
- pkey_scrypt_cleanup,2267
+const EVP_KDF_METHOD scrypt_kdf_meth = {2268
+ EVP_KDF_SCRYPT,2269
+ kdf_scrypt_new,2270
+ kdf_scrypt_free,2271
+ kdf_scrypt_reset,2272
+ kdf_scrypt_ctrl,2273
+ kdf_scrypt_ctrl_str,2274
+ NULL,2275
+ kdf_scrypt_derive2276
+};2277
2278
- 0, 0,2279
- 0, 0,2280
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))2281
+static void salsa208_word_specification(uint32_t inout[16])2282
+{2283
+ int i;2284
+ uint32_t x[16];2285
2286
- 0,2287
- 0,2288
+ memcpy(x, inout, sizeof(x));2289
+ for (i = 8; i > 0; i -= 2) {2290
+ x[4] ^= R(x[0] + x[12], 7);2291
+ x[8] ^= R(x[4] + x[0], 9);2292
+ x[12] ^= R(x[8] + x[4], 13);2293
+ x[0] ^= R(x[12] + x[8], 18);2294
+ x[9] ^= R(x[5] + x[1], 7);2295
+ x[13] ^= R(x[9] + x[5], 9);2296
+ x[1] ^= R(x[13] + x[9], 13);2297
+ x[5] ^= R(x[1] + x[13], 18);2298
+ x[14] ^= R(x[10] + x[6], 7);2299
+ x[2] ^= R(x[14] + x[10], 9);2300
+ x[6] ^= R(x[2] + x[14], 13);2301
+ x[10] ^= R(x[6] + x[2], 18);2302
+ x[3] ^= R(x[15] + x[11], 7);2303
+ x[7] ^= R(x[3] + x[15], 9);2304
+ x[11] ^= R(x[7] + x[3], 13);2305
+ x[15] ^= R(x[11] + x[7], 18);2306
+ x[1] ^= R(x[0] + x[3], 7);2307
+ x[2] ^= R(x[1] + x[0], 9);2308
+ x[3] ^= R(x[2] + x[1], 13);2309
+ x[0] ^= R(x[3] + x[2], 18);2310
+ x[6] ^= R(x[5] + x[4], 7);2311
+ x[7] ^= R(x[6] + x[5], 9);2312
+ x[4] ^= R(x[7] + x[6], 13);2313
+ x[5] ^= R(x[4] + x[7], 18);2314
+ x[11] ^= R(x[10] + x[9], 7);2315
+ x[8] ^= R(x[11] + x[10], 9);2316
+ x[9] ^= R(x[8] + x[11], 13);2317
+ x[10] ^= R(x[9] + x[8], 18);2318
+ x[12] ^= R(x[15] + x[14], 7);2319
+ x[13] ^= R(x[12] + x[15], 9);2320
+ x[14] ^= R(x[13] + x[12], 13);2321
+ x[15] ^= R(x[14] + x[13], 18);2322
+ }2323
+ for (i = 0; i < 16; ++i)2324
+ inout[i] += x[i];2325
+ OPENSSL_cleanse(x, sizeof(x));2326
+}2327
2328
- 0,2329
- 0,2330
+static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)2331
+{2332
+ uint64_t i, j;2333
+ uint32_t X[16], *pB;2334
2335
- 0, 0,2336
+ memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));2337
+ pB = B;2338
+ for (i = 0; i < r * 2; i++) {2339
+ for (j = 0; j < 16; j++)2340
+ X[j] ^= *pB++;2341
+ salsa208_word_specification(X);2342
+ memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));2343
+ }2344
+ OPENSSL_cleanse(X, sizeof(X));2345
+}2346
2347
- 0, 0, 0, 0,2348
+static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,2349
+ uint32_t *X, uint32_t *T, uint32_t *V)2350
+{2351
+ unsigned char *pB;2352
+ uint32_t *pV;2353
+ uint64_t i, k;2354
+2355
+ /* Convert from little endian input */2356
+ for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {2357
+ *pV = *pB++;2358
+ *pV |= *pB++ << 8;2359
+ *pV |= *pB++ << 16;2360
+ *pV |= (uint32_t)*pB++ << 24;2361
+ }2362
2363
- 0, 0,2364
+ for (i = 1; i < N; i++, pV += 32 * r)2365
+ scryptBlockMix(pV, pV - 32 * r, r);2366
2367
- 0, 0,2368
+ scryptBlockMix(X, V + (N - 1) * 32 * r, r);2369
2370
- 0,2371
- pkey_scrypt_derive,2372
- pkey_scrypt_ctrl,2373
- pkey_scrypt_ctrl_str2374
-};2375
+ for (i = 0; i < N; i++) {2376
+ uint32_t j;2377
+ j = X[16 * (2 * r - 1)] % N;2378
+ pV = V + 32 * r * j;2379
+ for (k = 0; k < 32 * r; k++)2380
+ T[k] = X[k] ^ *pV++;2381
+ scryptBlockMix(X, T, r);2382
+ }2383
+ /* Convert output to little endian */2384
+ for (i = 0, pB = B; i < 32 * r; i++) {2385
+ uint32_t xtmp = X[i];2386
+ *pB++ = xtmp & 0xff;2387
+ *pB++ = (xtmp >> 8) & 0xff;2388
+ *pB++ = (xtmp >> 16) & 0xff;2389
+ *pB++ = (xtmp >> 24) & 0xff;2390
+ }2391
+}2392
+2393
+#ifndef SIZE_MAX2394
+# define SIZE_MAX ((size_t)-1)2395
+#endif2396
+2397
+/*2398
+ * Maximum power of two that will fit in uint64_t: this should work on2399
+ * most (all?) platforms.2400
+ */2401
+2402
+#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)2403
+2404
+/*2405
+ * Maximum value of p * r:2406
+ * p <= ((2^32-1) * hLen) / MFLen =>2407
+ * p <= ((2^32-1) * 32) / (128 * r) =>2408
+ * p * r <= (2^30-1)2409
+ */2410
+2411
+#define SCRYPT_PR_MAX ((1 << 30) - 1)2412
+2413
+static int scrypt_alg(const char *pass, size_t passlen,2414
+ const unsigned char *salt, size_t saltlen,2415
+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,2416
+ unsigned char *key, size_t keylen)2417
+{2418
+ int rv = 0;2419
+ unsigned char *B;2420
+ uint32_t *X, *V, *T;2421
+ uint64_t i, Blen, Vlen;2422
+2423
+ /* Sanity check parameters */2424
+ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */2425
+ if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))2426
+ return 0;2427
+ /* Check p * r < SCRYPT_PR_MAX avoiding overflow */2428
+ if (p > SCRYPT_PR_MAX / r) {2429
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);2430
+ return 0;2431
+ }2432
+2433
+ /*2434
+ * Need to check N: if 2^(128 * r / 8) overflows limit this is2435
+ * automatically satisfied since N <= UINT64_MAX.2436
+ */2437
+2438
+ if (16 * r <= LOG2_UINT64_MAX) {2439
+ if (N >= (((uint64_t)1) << (16 * r))) {2440
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);2441
+ return 0;2442
+ }2443
+ }2444
+2445
+ /* Memory checks: check total allocated buffer size fits in uint64_t */2446
+2447
+ /*2448
+ * B size in section 5 step 1.S2449
+ * Note: we know p * 128 * r < UINT64_MAX because we already checked2450
+ * p * r < SCRYPT_PR_MAX2451
+ */2452
+ Blen = p * 128 * r;2453
+ /*2454
+ * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would2455
+ * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]2456
+ */2457
+ if (Blen > INT_MAX) {2458
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);2459
+ return 0;2460
+ }2461
+2462
+ /*2463
+ * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t2464
+ * This is combined size V, X and T (section 4)2465
+ */2466
+ i = UINT64_MAX / (32 * sizeof(uint32_t));2467
+ if (N + 2 > i / r) {2468
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);2469
+ return 0;2470
+ }2471
+ Vlen = 32 * r * (N + 2) * sizeof(uint32_t);2472
+2473
+ /* check total allocated size fits in uint64_t */2474
+ if (Blen > UINT64_MAX - Vlen) {2475
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);2476
+ return 0;2477
+ }2478
+2479
+ /* Check that the maximum memory doesn't exceed a size_t limits */2480
+ if (maxmem > SIZE_MAX)2481
+ maxmem = SIZE_MAX;2482
+2483
+ if (Blen + Vlen > maxmem) {2484
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);2485
+ return 0;2486
+ }2487
+2488
+ /* If no key return to indicate parameters are OK */2489
+ if (key == NULL)2490
+ return 1;2491
+2492
+ B = OPENSSL_malloc((size_t)(Blen + Vlen));2493
+ if (B == NULL) {2494
+ EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE);2495
+ return 0;2496
+ }2497
+ X = (uint32_t *)(B + Blen);2498
+ T = X + 32 * r;2499
+ V = T + 32 * r;2500
+ if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),2501
+ (int)Blen, B) == 0)2502
+ goto err;2503
+2504
+ for (i = 0; i < p; i++)2505
+ scryptROMix(B + 128 * r * i, r, N, X, T, V);2506
+2507
+ if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),2508
+ keylen, key) == 0)2509
+ goto err;2510
+ rv = 1;2511
+ err:2512
+ if (rv == 0)2513
+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR);2514
+2515
+ OPENSSL_clear_free(B, (size_t)(Blen + Vlen));2516
+ return rv;2517
+}2518
2519
#endif2520
diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/tls1_prf.c2521
--- openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf 2021-02-16 16:24:01.000000000 +01002522
+++ openssl-1.1.1j/crypto/kdf/tls1_prf.c 2021-03-03 14:08:02.492294856 +01002523
2524
*/2525
2526
#include <stdio.h>2527
+#include <stdarg.h>2528
+#include <string.h>2529
#include "internal/cryptlib.h"2530
#include <openssl/kdf.h>2531
#include <openssl/evp.h>2532
#include "crypto/evp.h"2533
+#include "kdf_local.h"2534
2535
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);2536
static int tls1_prf_alg(const EVP_MD *md,2537
const unsigned char *sec, size_t slen,2538
const unsigned char *seed, size_t seed_len,2539
2540
2541
#define TLS1_PRF_MAXBUF 10242542
2543
-/* TLS KDF pkey context structure */2544
+/* TLS KDF kdf context structure */2545
2546
-typedef struct {2547
+struct evp_kdf_impl_st {2548
/* Digest to use for PRF */2549
const EVP_MD *md;2550
/* Secret value to use for PRF */2551
2552
/* Buffer of concatenated seed data */2553
unsigned char seed[TLS1_PRF_MAXBUF];2554
size_t seedlen;2555
-} TLS1_PRF_PKEY_CTX;2556
+};2557
2558
-static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)2559
+static EVP_KDF_IMPL *kdf_tls1_prf_new(void)2560
{2561
- TLS1_PRF_PKEY_CTX *kctx;2562
+ EVP_KDF_IMPL *impl;2563
2564
- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) {2565
- KDFerr(KDF_F_PKEY_TLS1_PRF_INIT, ERR_R_MALLOC_FAILURE);2566
- return 0;2567
- }2568
- ctx->data = kctx;2569
+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)2570
+ KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE);2571
+ return impl;2572
+}2573
2574
- return 1;2575
+static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl)2576
+{2577
+ kdf_tls1_prf_reset(impl);2578
+ OPENSSL_free(impl);2579
}2580
2581
-static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)2582
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl)2583
{2584
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;2585
- OPENSSL_clear_free(kctx->sec, kctx->seclen);2586
- OPENSSL_cleanse(kctx->seed, kctx->seedlen);2587
- OPENSSL_free(kctx);2588
+ OPENSSL_clear_free(impl->sec, impl->seclen);2589
+ OPENSSL_cleanse(impl->seed, impl->seedlen);2590
+ memset(impl, 0, sizeof(*impl));2591
}2592
2593
-static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)2594
+static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)2595
{2596
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;2597
- switch (type) {2598
- case EVP_PKEY_CTRL_TLS_MD:2599
- kctx->md = p2;2600
- return 1;2601
+ const unsigned char *p;2602
+ size_t len;2603
+ const EVP_MD *md;2604
2605
- case EVP_PKEY_CTRL_TLS_SECRET:2606
- if (p1 < 0)2607
+ switch (cmd) {2608
+ case EVP_KDF_CTRL_SET_MD:2609
+ md = va_arg(args, const EVP_MD *);2610
+ if (md == NULL)2611
return 0;2612
- if (kctx->sec != NULL)2613
- OPENSSL_clear_free(kctx->sec, kctx->seclen);2614
- OPENSSL_cleanse(kctx->seed, kctx->seedlen);2615
- kctx->seedlen = 0;2616
- kctx->sec = OPENSSL_memdup(p2, p1);2617
- if (kctx->sec == NULL)2618
+2619
+ impl->md = md;2620
+ return 1;2621
+2622
+ case EVP_KDF_CTRL_SET_TLS_SECRET:2623
+ p = va_arg(args, const unsigned char *);2624
+ len = va_arg(args, size_t);2625
+ OPENSSL_clear_free(impl->sec, impl->seclen);2626
+ impl->sec = OPENSSL_memdup(p, len);2627
+ if (impl->sec == NULL)2628
return 0;2629
- kctx->seclen = p1;2630
+2631
+ impl->seclen = len;2632
+ return 1;2633
+2634
+ case EVP_KDF_CTRL_RESET_TLS_SEED:2635
+ OPENSSL_cleanse(impl->seed, impl->seedlen);2636
+ impl->seedlen = 0;2637
return 1;2638
2639
- case EVP_PKEY_CTRL_TLS_SEED:2640
- if (p1 == 0 || p2 == NULL)2641
+ case EVP_KDF_CTRL_ADD_TLS_SEED:2642
+ p = va_arg(args, const unsigned char *);2643
+ len = va_arg(args, size_t);2644
+ if (len == 0 || p == NULL)2645
return 1;2646
- if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen))2647
+2648
+ if (len > (TLS1_PRF_MAXBUF - impl->seedlen))2649
return 0;2650
- memcpy(kctx->seed + kctx->seedlen, p2, p1);2651
- kctx->seedlen += p1;2652
+2653
+ memcpy(impl->seed + impl->seedlen, p, len);2654
+ impl->seedlen += len;2655
return 1;2656
2657
default:2658
return -2;2659
-2660
}2661
}2662
2663
-static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx,2664
- const char *type, const char *value)2665
+static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl,2666
+ const char *type, const char *value)2667
{2668
if (value == NULL) {2669
- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);2670
+ KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);2671
return 0;2672
}2673
- if (strcmp(type, "md") == 0) {2674
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;2675
+ if (strcmp(type, "digest") == 0)2676
+ return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value);2677
2678
- const EVP_MD *md = EVP_get_digestbyname(value);2679
- if (md == NULL) {2680
- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_INVALID_DIGEST);2681
- return 0;2682
- }2683
- kctx->md = md;2684
- return 1;2685
- }2686
if (strcmp(type, "secret") == 0)2687
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);2688
+ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl,2689
+ EVP_KDF_CTRL_SET_TLS_SECRET, value);2690
+2691
if (strcmp(type, "hexsecret") == 0)2692
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);2693
+ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl,2694
+ EVP_KDF_CTRL_SET_TLS_SECRET, value);2695
+2696
if (strcmp(type, "seed") == 0)2697
- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);2698
+ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,2699
+ value);2700
+2701
if (strcmp(type, "hexseed") == 0)2702
- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);2703
+ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,2704
+ value);2705
2706
- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);2707
return -2;2708
}2709
2710
-static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,2711
- size_t *keylen)2712
+static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key,2713
+ size_t keylen)2714
{2715
- TLS1_PRF_PKEY_CTX *kctx = ctx->data;2716
- if (kctx->md == NULL) {2717
- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);2718
+ if (impl->md == NULL) {2719
+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);2720
return 0;2721
}2722
- if (kctx->sec == NULL) {2723
- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);2724
+ if (impl->sec == NULL) {2725
+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);2726
return 0;2727
}2728
- if (kctx->seedlen == 0) {2729
- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);2730
+ if (impl->seedlen == 0) {2731
+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);2732
return 0;2733
}2734
- return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen,2735
- kctx->seed, kctx->seedlen,2736
- key, *keylen);2737
+ return tls1_prf_alg(impl->md, impl->sec, impl->seclen,2738
+ impl->seed, impl->seedlen,2739
+ key, keylen);2740
}2741
2742
-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {2743
- EVP_PKEY_TLS1_PRF,2744
- 0,2745
- pkey_tls1_prf_init,2746
- 0,2747
- pkey_tls1_prf_cleanup,2748
-2749
- 0, 0,2750
- 0, 0,2751
-2752
- 0,2753
- 0,2754
-2755
- 0,2756
- 0,2757
-2758
- 0, 0,2759
-2760
- 0, 0, 0, 0,2761
-2762
- 0, 0,2763
-2764
- 0, 0,2765
-2766
- 0,2767
- pkey_tls1_prf_derive,2768
- pkey_tls1_prf_ctrl,2769
- pkey_tls1_prf_ctrl_str2770
+const EVP_KDF_METHOD tls1_prf_kdf_meth = {2771
+ EVP_KDF_TLS1_PRF,2772
+ kdf_tls1_prf_new,2773
+ kdf_tls1_prf_free,2774
+ kdf_tls1_prf_reset,2775
+ kdf_tls1_prf_ctrl,2776
+ kdf_tls1_prf_ctrl_str,2777
+ NULL,2778
+ kdf_tls1_prf_derive2779
};2780
2781
static int tls1_prf_P_hash(const EVP_MD *md,2782
2783
const unsigned char *seed, size_t seed_len,2784
unsigned char *out, size_t olen)2785
{2786
-2787
if (EVP_MD_type(md) == NID_md5_sha1) {2788
size_t i;2789
unsigned char *tmp;2790
if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1),2791
- seed, seed_len, out, olen))2792
+ seed, seed_len, out, olen))2793
return 0;2794
2795
if ((tmp = OPENSSL_malloc(olen)) == NULL) {2796
2797
return 0;2798
}2799
if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1),2800
- seed, seed_len, tmp, olen)) {2801
+ seed, seed_len, tmp, olen)) {2802
OPENSSL_clear_free(tmp, olen);2803
return 0;2804
}2805
diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod2806
--- openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2021-03-03 14:08:02.492294856 +01002807
+++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod 2021-03-03 14:08:02.492294856 +01002808
2809
+=pod2810
+2811
+=head1 NAME2812
+2813
+EVP_KDF_CTX, EVP_KDF_CTX_new_id, EVP_KDF_CTX_free, EVP_KDF_reset,2814
+EVP_KDF_ctrl, EVP_KDF_vctrl, EVP_KDF_ctrl_str, EVP_KDF_size,2815
+EVP_KDF_derive - EVP KDF routines2816
+2817
+=head1 SYNOPSIS2818
+2819
+ #include <openssl/kdf.h>2820
+2821
+ typedef struct evp_kdf_ctx_st EVP_KDF_CTX;2822
+2823
+ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);2824
+ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);2825
+ void EVP_KDF_reset(EVP_KDF_CTX *ctx);2826
+ int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);2827
+ int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);2828
+ int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);2829
+ size_t EVP_KDF_size(EVP_KDF_CTX *ctx);2830
+ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);2831
+2832
+=head1 DESCRIPTION2833
+2834
+The EVP KDF routines are a high level interface to Key Derivation Function2835
+algorithms and should be used instead of algorithm-specific functions.2836
+2837
+After creating a C<EVP_KDF_CTX> for the required algorithm using2838
+EVP_KDF_CTX_new_id(), inputs to the algorithm are supplied using calls to2839
+EVP_KDF_ctrl(), EVP_KDF_vctrl() or EVP_KDF_ctrl_str() before calling2840
+EVP_KDF_derive() to derive the key.2841
+2842
+=head2 Types2843
+2844
+B<EVP_KDF_CTX> is a context type that holds the algorithm inputs.2845
+2846
+=head2 Context manipulation functions2847
+2848
+EVP_KDF_CTX_new_id() creates a KDF context for the algorithm identified by the2849
+specified NID.2850
+2851
+EVP_KDF_CTX_free() frees up the context C<ctx>. If C<ctx> is C<NULL>, nothing2852
+is done.2853
+2854
+=head2 Computing functions2855
+2856
+EVP_KDF_reset() resets the context to the default state as if the context2857
+had just been created.2858
+2859
+EVP_KDF_ctrl() is used to provide inputs to the KDF algorithm prior to2860
+EVP_KDF_derive() being called. The inputs that may be provided will vary2861
+depending on the KDF algorithm or its implementation. This functions takes2862
+variable arguments, the exact expected arguments depend on C<cmd>.2863
+See L</CONTROLS> below for a description of standard controls.2864
+2865
+EVP_KDF_vctrl() is the variant of EVP_KDF_ctrl() that takes a C<va_list>2866
+argument instead of variadic arguments.2867
+2868
+EVP_KDF_ctrl_str() allows an application to send an algorithm specific control2869
+operation to a context C<ctx> in string form. This is intended to be used for2870
+options specified on the command line or in text files.2871
+2872
+EVP_KDF_size() returns the output size if the algorithm produces a fixed amount2873
+of output and C<SIZE_MAX> otherwise. If an error occurs then 0 is returned.2874
+For some algorithms an error may result if input parameters necessary to2875
+calculate a fixed output size have not yet been supplied.2876
+2877
+EVP_KDF_derive() derives C<keylen> bytes of key material and places it in the2878
+C<key> buffer. If the algorithm produces a fixed amount of output then an2879
+error will occur unless the C<keylen> parameter is equal to that output size,2880
+as returned by EVP_KDF_size().2881
+2882
+=head1 CONTROLS2883
+2884
+The standard controls are:2885
+2886
+=over 42887
+2888
+=item B<EVP_KDF_CTRL_SET_PASS>2889
+2890
+This control expects two arguments: C<unsigned char *pass>, C<size_t passlen>2891
+2892
+Some KDF implementations require a password. For those KDF implementations2893
+that support it, this control sets the password.2894
+2895
+EVP_KDF_ctrl_str() takes two type strings for this control:2896
+2897
+=over 42898
+2899
+=item "pass"2900
+2901
+The value string is used as is.2902
+2903
+=item "hexpass"2904
+2905
+The value string is expected to be a hexadecimal number, which will be2906
+decoded before being passed on as the control value.2907
+2908
+=back2909
+2910
+=item B<EVP_KDF_CTRL_SET_SALT>2911
+2912
+This control expects two arguments: C<unsigned char *salt>, C<size_t saltlen>2913
+2914
+Some KDF implementations can take a salt. For those KDF implementations that2915
+support it, this control sets the salt.2916
+2917
+The default value, if any, is implementation dependent.2918
+2919
+EVP_KDF_ctrl_str() takes two type strings for this control:2920
+2921
+=over 42922
+2923
+=item "salt"2924
+2925
+The value string is used as is.2926
+2927
+=item "hexsalt"2928
+2929
+The value string is expected to be a hexadecimal number, which will be2930
+decoded before being passed on as the control value.2931
+2932
+=back2933
+2934
+=item B<EVP_KDF_CTRL_SET_ITER>2935
+2936
+This control expects one argument: C<int iter>2937
+2938
+Some KDF implementations require an iteration count. For those KDF implementations that support it, this control sets the iteration count.2939
+2940
+The default value, if any, is implementation dependent.2941
+2942
+EVP_KDF_ctrl_str() type string: "iter"2943
+2944
+The value string is expected to be a decimal number.2945
+2946
+=item B<EVP_KDF_CTRL_SET_MD>2947
+2948
+This control expects one argument: C<EVP_MD *md>2949
+2950
+For MAC implementations that use a message digest as an underlying computation2951
+algorithm, this control set what the digest algorithm should be.2952
+2953
+EVP_KDF_ctrl_str() type string: "md"2954
+2955
+The value string is expected to be the name of a digest.2956
+2957
+=item B<EVP_KDF_CTRL_SET_KEY>2958
+2959
+This control expects two arguments: C<unsigned char *key>, C<size_t keylen>2960
+2961
+Some KDF implementations require a key. For those KDF implementations that2962
+support it, this control sets the key.2963
+2964
+EVP_KDF_ctrl_str() takes two type strings for this control:2965
+2966
+=over 42967
+2968
+=item "key"2969
+2970
+The value string is used as is.2971
+2972
+=item "hexkey"2973
+2974
+The value string is expected to be a hexadecimal number, which will be2975
+decoded before being passed on as the control value.2976
+2977
+=back2978
+2979
+=item B<EVP_KDF_CTRL_SET_MAXMEM_BYTES>2980
+2981
+This control expects one argument: C<uint64_t maxmem_bytes>2982
+2983
+Memory-hard password-based KDF algorithms, such as scrypt, use an amount of2984
+memory that depends on the load factors provided as input. For those KDF2985
+implementations that support it, this control sets an upper limit on the amount2986
+of memory that may be consumed while performing a key derivation. If this2987
+memory usage limit is exceeded because the load factors are chosen too high,2988
+the key derivation will fail.2989
+2990
+The default value is implementation dependent.2991
+2992
+EVP_KDF_ctrl_str() type string: "maxmem_bytes"2993
+2994
+The value string is expected to be a decimal number.2995
+2996
+=back2997
+2998
+=head1 RETURN VALUES2999
+3000
+EVP_KDF_CTX_new_id() returns either the newly allocated C<EVP_KDF_CTX>3001
+structure or C<NULL> if an error occurred.3002
+3003
+EVP_KDF_CTX_free() and EVP_KDF_reset() do not return a value.3004
+3005
+EVP_KDF_size() returns the output size. C<SIZE_MAX> is returned to indicate3006
+that the algorithm produces a variable amount of output; 0 to indicate failure.3007
+3008
+The remaining functions return 1 for success and 0 or a negative value for3009
+failure. In particular, a return value of -2 indicates the operation is not3010
+supported by the KDF algorithm.3011
+3012
+=head1 SEE ALSO3013
+3014
+L<EVP_KDF_SCRYPT(7)>3015
+3016
+=head1 COPYRIGHT3017
+3018
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.3019
+3020
+Licensed under the Apache License 2.0 (the "License"). You may not use3021
+this file except in compliance with the License. You can obtain a copy3022
+in the file LICENSE in the source distribution or at3023
+L<https://www.openssl.org/source/license.html>.3024
+3025
+=cut3026
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod3027
--- openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +01003028
+++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod 2021-03-03 14:08:02.493294865 +01003029
3030
+=pod3031
+3032
+=head1 NAME3033
+3034
+EVP_KDF_HKDF - The HKDF EVP_KDF implementation3035
+3036
+=head1 DESCRIPTION3037
+3038
+Support for computing the B<HKDF> KDF through the B<EVP_KDF> API.3039
+3040
+The EVP_KDF_HKDF algorithm implements the HKDF key derivation function.3041
+HKDF follows the "extract-then-expand" paradigm, where the KDF logically3042
+consists of two modules. The first stage takes the input keying material3043
+and "extracts" from it a fixed-length pseudorandom key K. The second stage3044
+"expands" the key K into several additional pseudorandom keys (the output3045
+of the KDF).3046
+3047
+=head2 Numeric identity3048
+3049
+B<EVP_KDF_HKDF> is the numeric identity for this implementation; it3050
+can be used with the EVP_KDF_CTX_new_id() function.3051
+3052
+=head2 Supported controls3053
+3054
+The supported controls are:3055
+3056
+=over 43057
+3058
+=item B<EVP_KDF_CTRL_SET_SALT>3059
+3060
+=item B<EVP_KDF_CTRL_SET_MD>3061
+3062
+=item B<EVP_KDF_CTRL_SET_KEY>3063
+3064
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.3065
+3066
+=item B<EVP_KDF_CTRL_RESET_HKDF_INFO>3067
+3068
+This control does not expect any arguments.3069
+3070
+Resets the context info buffer to zero length.3071
+3072
+=item B<EVP_KDF_CTRL_ADD_HKDF_INFO>3073
+3074
+This control expects two arguments: C<unsigned char *info>, C<size_t infolen>3075
+3076
+Sets the info value to the first B<infolen> bytes of the buffer B<info>. If a3077
+value is already set, the contents of the buffer are appended to the existing3078
+value.3079
+3080
+The total length of the context info buffer cannot exceed 1024 bytes;3081
+this should be more than enough for any normal use of HKDF.3082
+3083
+EVP_KDF_ctrl_str() takes two type strings for this control:3084
+3085
+=over 43086
+3087
+=item "info"3088
+3089
+The value string is used as is.3090
+3091
+=item "hexinfo"3092
+3093
+The value string is expected to be a hexadecimal number, which will be3094
+decoded before being passed on as the control value.3095
+3096
+=back3097
+3098
+=item B<EVP_KDF_CTRL_SET_HKDF_MODE>3099
+3100
+This control expects one argument: C<int mode>3101
+3102
+Sets the mode for the HKDF operation. There are three modes that are currently3103
+defined:3104
+3105
+=over 43106
+3107
+=item EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND3108
+3109
+This is the default mode. Calling L<EVP_KDF_derive(3)> on an EVP_KDF_CTX set3110
+up for HKDF will perform an extract followed by an expand operation in one go.3111
+The derived key returned will be the result after the expand operation. The3112
+intermediate fixed-length pseudorandom key K is not returned.3113
+3114
+In this mode the digest, key, salt and info values must be set before a key is3115
+derived otherwise an error will occur.3116
+3117
+=item EVP_KDF_HKDF_MODE_EXTRACT_ONLY3118
+3119
+In this mode calling L<EVP_KDF_derive(3)> will just perform the extract3120
+operation. The value returned will be the intermediate fixed-length pseudorandom3121
+key K. The C<keylen> parameter must match the size of K, which can be looked3122
+up by calling EVP_KDF_size() after setting the mode and digest.3123
+3124
+The digest, key and salt values must be set before a key is derived otherwise3125
+an error will occur.3126
+3127
+=item EVP_KDF_HKDF_MODE_EXPAND_ONLY3128
+3129
+In this mode calling L<EVP_KDF_derive(3)> will just perform the expand3130
+operation. The input key should be set to the intermediate fixed-length3131
+pseudorandom key K returned from a previous extract operation.3132
+3133
+The digest, key and info values must be set before a key is derived otherwise3134
+an error will occur.3135
+3136
+=back3137
+3138
+EVP_KDF_ctrl_str() type string: "mode"3139
+3140
+The value string is expected to be one of: "EXTRACT_AND_EXPAND", "EXTRACT_ONLY"3141
+or "EXPAND_ONLY".3142
+3143
+=back3144
+3145
+=head1 NOTES3146
+3147
+A context for HKDF can be obtained by calling:3148
+3149
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);3150
+3151
+The output length of an HKDF expand operation is specified via the C<keylen>3152
+parameter to the L<EVP_KDF_derive(3)> function. When using3153
+EVP_KDF_HKDF_MODE_EXTRACT_ONLY the C<keylen> parameter must equal the size of3154
+the intermediate fixed-length pseudorandom key otherwise an error will occur.3155
+For that mode, the fixed output size can be looked up by calling EVP_KDF_size()3156
+after setting the mode and digest on the C<EVP_KDF_CTX>.3157
+3158
+=head1 EXAMPLE3159
+3160
+This example derives 10 bytes using SHA-256 with the secret key "secret",3161
+salt value "salt" and info value "label":3162
+3163
+ EVP_KDF_CTX *kctx;3164
+ unsigned char out[10];3165
+3166
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);3167
+3168
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {3169
+ error("EVP_KDF_CTRL_SET_MD");3170
+ }3171
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {3172
+ error("EVP_KDF_CTRL_SET_SALT");3173
+ }3174
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {3175
+ error("EVP_KDF_CTRL_SET_KEY");3176
+ }3177
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label", (size_t)5) <= 0) {3178
+ error("EVP_KDF_CTRL_ADD_HKDF_INFO");3179
+ }3180
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {3181
+ error("EVP_KDF_derive");3182
+ }3183
+3184
+ EVP_KDF_CTX_free(kctx);3185
+3186
+=head1 CONFORMING TO3187
+3188
+RFC 58693189
+3190
+=head1 SEE ALSO3191
+3192
+L<EVP_KDF_CTX>,3193
+L<EVP_KDF_CTX_new_id(3)>,3194
+L<EVP_KDF_CTX_free(3)>,3195
+L<EVP_KDF_ctrl(3)>,3196
+L<EVP_KDF_size(3)>,3197
+L<EVP_KDF_derive(3)>,3198
+L<EVP_KDF_CTX(3)/CONTROLS>3199
+3200
+=head1 COPYRIGHT3201
+3202
+Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.3203
+3204
+Licensed under the Apache License 2.0 (the "License"). You may not use3205
+this file except in compliance with the License. You can obtain a copy3206
+in the file LICENSE in the source distribution or at3207
+L<https://www.openssl.org/source/license.html>.3208
+3209
+=cut3210
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod3211
--- openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2021-03-03 14:08:02.493294865 +01003212
+++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod 2021-03-03 14:08:02.493294865 +01003213
3214
+=pod3215
+3216
+=head1 NAME3217
+3218
+EVP_KDF_PBKDF2 - The PBKDF2 EVP_KDF implementation3219
+3220
+=head1 DESCRIPTION3221
+3222
+Support for computing the B<PBKDF2> password-based KDF through the B<EVP_KDF>3223
+API.3224
+3225
+The EVP_KDF_PBKDF2 algorithm implements the PBKDF2 password-based key3226
+derivation function, as described in RFC 2898; it derives a key from a password3227
+using a salt and iteration count.3228
+3229
+=head2 Numeric identity3230
+3231
+B<EVP_KDF_PBKDF2> is the numeric identity for this implementation; it3232
+can be used with the EVP_KDF_CTX_new_id() function.3233
+3234
+=head2 Supported controls3235
+3236
+The supported controls are:3237
+3238
+=over 43239
+3240
+=item B<EVP_KDF_CTRL_SET_PASS>3241
+3242
+=item B<EVP_KDF_CTRL_SET_SALT>3243
+3244
+=item B<EVP_KDF_CTRL_SET_ITER>3245
+3246
+=item B<EVP_KDF_CTRL_SET_MD>3247
+3248
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.3249
+3250
+B<iter> is the iteration count and its value should be greater than or equal to3251
+1. RFC 2898 suggests an iteration count of at least 1000. The default value is3252
+2048. Any B<iter> less than 1 is treated as a single iteration.3253
+3254
+=back3255
+3256
+=head1 NOTES3257
+3258
+A typical application of this algorithm is to derive keying material for an3259
+encryption algorithm from a password in the B<pass>, a salt in B<salt>,3260
+and an iteration count.3261
+3262
+Increasing the B<iter> parameter slows down the algorithm which makes it3263
+harder for an attacker to perform a brute force attack using a large number3264
+of candidate passwords.3265
+3266
+No assumption is made regarding the given password; it is simply treated as a3267
+byte sequence.3268
+3269
+=head1 CONFORMING TO3270
+3271
+RFC 28983272
+3273
+=head1 SEE ALSO3274
+3275
+L<EVP_KDF_CTX>,3276
+L<EVP_KDF_CTX_new_id(3)>,3277
+L<EVP_KDF_CTX_free(3)>,3278
+L<EVP_KDF_ctrl(3)>,3279
+L<EVP_KDF_derive(3)>,3280
+L<EVP_KDF_CTX(3)/CONTROLS>3281
+3282
+=head1 COPYRIGHT3283
+3284
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.3285
+3286
+Licensed under the Apache License 2.0 (the "License"). You may not use3287
+this file except in compliance with the License. You can obtain a copy3288
+in the file LICENSE in the source distribution or at3289
+L<https://www.openssl.org/source/license.html>.3290
+3291
+=cut3292
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod3293
--- openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2021-03-03 14:08:02.493294865 +01003294
+++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod 2021-03-03 14:08:02.493294865 +01003295
3296
+=pod3297
+3298
+=head1 NAME3299
+3300
+EVP_KDF_SCRYPT - The scrypt EVP_KDF implementation3301
+3302
+=head1 DESCRIPTION3303
+3304
+Support for computing the B<scrypt> password-based KDF through the B<EVP_KDF>3305
+API.3306
+3307
+The EVP_KDF_SCRYPT algorithm implements the scrypt password-based key3308
+derivation function, as described in RFC 7914. It is memory-hard in the sense3309
+that it deliberately requires a significant amount of RAM for efficient3310
+computation. The intention of this is to render brute forcing of passwords on3311
+systems that lack large amounts of main memory (such as GPUs or ASICs)3312
+computationally infeasible.3313
+3314
+scrypt provides three work factors that can be customized: N, r and p. N, which3315
+has to be a positive power of two, is the general work factor and scales CPU3316
+time in an approximately linear fashion. r is the block size of the internally3317
+used hash function and p is the parallelization factor. Both r and p need to be3318
+greater than zero. The amount of RAM that scrypt requires for its computation3319
+is roughly (128 * N * r * p) bytes.3320
+3321
+In the original paper of Colin Percival ("Stronger Key Derivation via3322
+Sequential Memory-Hard Functions", 2009), the suggested values that give a3323
+computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =3324
+2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for3325
+this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.53326
+GHz), this computation takes about 3 seconds. When N, r or p are not specified,3327
+they default to 1048576, 8, and 1, respectively. The maximum amount of RAM that3328
+may be used by scrypt defaults to 1025 MiB.3329
+3330
+=head2 Numeric identity3331
+3332
+B<EVP_KDF_SCRYPT> is the numeric identity for this implementation; it3333
+can be used with the EVP_KDF_CTX_new_id() function.3334
+3335
+=head2 Supported controls3336
+3337
+The supported controls are:3338
+3339
+=over 43340
+3341
+=item B<EVP_KDF_CTRL_SET_PASS>3342
+3343
+=item B<EVP_KDF_CTRL_SET_SALT>3344
+3345
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.3346
+3347
+=item B<EVP_KDF_CTRL_SET_SCRYPT_N>3348
+3349
+=item B<EVP_KDF_CTRL_SET_SCRYPT_R>3350
+3351
+=item B<EVP_KDF_CTRL_SET_SCRYPT_P>3352
+3353
+B<EVP_KDF_CTRL_SET_SCRYPT_N> expects one argument: C<uint64_t N>3354
+3355
+B<EVP_KDF_CTRL_SET_SCRYPT_R> expects one argument: C<uint32_t r>3356
+3357
+B<EVP_KDF_CTRL_SET_SCRYPT_P> expects one argument: C<uint32_t p>3358
+3359
+These controls configure the scrypt work factors N, r and p.3360
+3361
+EVP_KDF_ctrl_str() type strings: "N", "r" and "p", respectively.3362
+3363
+The corresponding value strings are expected to be decimal numbers.3364
+3365
+=back3366
+3367
+=head1 NOTES3368
+3369
+A context for scrypt can be obtained by calling:3370
+3371
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);3372
+3373
+The output length of an scrypt key derivation is specified via the3374
+B<keylen> parameter to the L<EVP_KDF_derive(3)> function.3375
+3376
+=head1 EXAMPLE3377
+3378
+This example derives a 64-byte long test vector using scrypt with the password3379
+"password", salt "NaCl" and N = 1024, r = 8, p = 16.3380
+3381
+ EVP_KDF_CTX *kctx;3382
+ unsigned char out[64];3383
+3384
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);3385
+3386
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {3387
+ error("EVP_KDF_CTRL_SET_PASS");3388
+ }3389
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {3390
+ error("EVP_KDF_CTRL_SET_SALT");3391
+ }3392
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {3393
+ error("EVP_KDF_CTRL_SET_SCRYPT_N");3394
+ }3395
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {3396
+ error("EVP_KDF_CTRL_SET_SCRYPT_R");3397
+ }3398
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {3399
+ error("EVP_KDF_CTRL_SET_SCRYPT_P");3400
+ }3401
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {3402
+ error("EVP_KDF_derive");3403
+ }3404
+3405
+ {3406
+ const unsigned char expected[sizeof(out)] = {3407
+ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,3408
+ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,3409
+ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,3410
+ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,3411
+ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,3412
+ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,3413
+ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,3414
+ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x403415
+ };3416
+3417
+ assert(!memcmp(out, expected, sizeof(out)));3418
+ }3419
+3420
+ EVP_KDF_CTX_free(kctx);3421
+3422
+=head1 CONFORMING TO3423
+3424
+RFC 79143425
+3426
+=head1 SEE ALSO3427
+3428
+L<EVP_KDF_CTX>,3429
+L<EVP_KDF_CTX_new_id(3)>,3430
+L<EVP_KDF_CTX_free(3)>,3431
+L<EVP_KDF_ctrl(3)>,3432
+L<EVP_KDF_derive(3)>,3433
+L<EVP_KDF_CTX(3)/CONTROLS>3434
+3435
+=head1 COPYRIGHT3436
+3437
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.3438
+3439
+Licensed under the OpenSSL license (the "License"). You may not use3440
+this file except in compliance with the License. You can obtain a copy3441
+in the file LICENSE in the source distribution or at3442
+L<https://www.openssl.org/source/license.html>.3443
+3444
+=cut3445
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod3446
--- openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +01003447
+++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod 2021-03-03 14:08:02.493294865 +01003448
3449
+=pod3450
+3451
+=head1 NAME3452
+3453
+EVP_KDF_TLS1_PRF - The TLS1 PRF EVP_KDF implementation3454
+3455
+=head1 DESCRIPTION3456
+3457
+Support for computing the B<TLS1> PRF through the B<EVP_KDF> API.3458
+3459
+The EVP_KDF_TLS1_PRF algorithm implements the PRF used by TLS versions up to3460
+and including TLS 1.2.3461
+3462
+=head2 Numeric identity3463
+3464
+B<EVP_KDF_TLS1_PRF> is the numeric identity for this implementation; it3465
+can be used with the EVP_KDF_CTX_new_id() function.3466
+3467
+=head2 Supported controls3468
+3469
+The supported controls are:3470
+3471
+=over 43472
+3473
+=item B<EVP_KDF_CTRL_SET_MD>3474
+3475
+This control works as described in L<EVP_KDF_CTX(3)/CONTROLS>.3476
+3477
+The C<EVP_KDF_CTRL_SET_MD> control is used to set the message digest associated3478
+with the TLS PRF. EVP_md5_sha1() is treated as a special case which uses the3479
+PRF algorithm using both B<MD5> and B<SHA1> as used in TLS 1.0 and 1.1.3480
+3481
+=item B<EVP_KDF_CTRL_SET_TLS_SECRET>3482
+3483
+This control expects two arguments: C<unsigned char *sec>, C<size_t seclen>3484
+3485
+Sets the secret value of the TLS PRF to B<seclen> bytes of the buffer B<sec>.3486
+Any existing secret value is replaced.3487
+3488
+EVP_KDF_ctrl_str() takes two type strings for this control:3489
+3490
+=over 43491
+3492
+=item "secret"3493
+3494
+The value string is used as is.3495
+3496
+=item "hexsecret"3497
+3498
+The value string is expected to be a hexadecimal number, which will be3499
+decoded before being passed on as the control value.3500
+3501
+=back3502
+3503
+=item B<EVP_KDF_CTRL_RESET_TLS_SEED>3504
+3505
+This control does not expect any arguments.3506
+3507
+Resets the context seed buffer to zero length.3508
+3509
+=item B<EVP_KDF_CTRL_ADD_TLS_SEED>3510
+3511
+This control expects two arguments: C<unsigned char *seed>, C<size_t seedlen>3512
+3513
+Sets the seed to B<seedlen> bytes of B<seed>. If a seed is already set it is3514
+appended to the existing value.3515
+3516
+The total length of the context seed buffer cannot exceed 1024 bytes;3517
+this should be more than enough for any normal use of the TLS PRF.3518
+3519
+EVP_KDF_ctrl_str() takes two type strings for this control:3520
+3521
+=over 43522
+3523
+=item "seed"3524
+3525
+The value string is used as is.3526
+3527
+=item "hexseed"3528
+3529
+The value string is expected to be a hexadecimal number, which will be3530
+decoded before being passed on as the control value.3531
+3532
+=back3533
+3534
+=back3535
+3536
+=head1 NOTES3537
+3538
+A context for the TLS PRF can be obtained by calling:3539
+3540
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF, NULL);3541
+3542
+The digest, secret value and seed must be set before a key is derived otherwise3543
+an error will occur.3544
+3545
+The output length of the PRF is specified by the C<keylen> parameter to the3546
+EVP_KDF_derive() function.3547
+3548
+=head1 EXAMPLE3549
+3550
+This example derives 10 bytes using SHA-256 with the secret key "secret"3551
+and seed value "seed":3552
+3553
+ EVP_KDF_CTX *kctx;3554
+ unsigned char out[10];3555
+3556
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF);3557
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {3558
+ error("EVP_KDF_CTRL_SET_MD");3559
+ }3560
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,3561
+ "secret", (size_t)6) <= 0) {3562
+ error("EVP_KDF_CTRL_SET_TLS_SECRET");3563
+ }3564
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {3565
+ error("EVP_KDF_CTRL_ADD_TLS_SEED");3566
+ }3567
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {3568
+ error("EVP_KDF_derive");3569
+ }3570
+ EVP_KDF_CTX_free(kctx);3571
+3572
+=head1 SEE ALSO3573
+3574
+L<EVP_KDF_CTX>,3575
+L<EVP_KDF_CTX_new_id(3)>,3576
+L<EVP_KDF_CTX_free(3)>,3577
+L<EVP_KDF_ctrl(3)>,3578
+L<EVP_KDF_derive(3)>,3579
+L<EVP_KDF_CTX(3)/CONTROLS>3580
+3581
+=head1 COPYRIGHT3582
+3583
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.3584
+3585
+Licensed under the Apache License 2.0 (the "License"). You may not use3586
+this file except in compliance with the License. You can obtain a copy3587
+in the file LICENSE in the source distribution or at3588
+L<https://www.openssl.org/source/license.html>.3589
+3590
+=cut3591
diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/crypto/evp.h3592
--- openssl-1.1.1j/include/crypto/evp.h.evp-kdf 2021-02-16 16:24:01.000000000 +01003593
+++ openssl-1.1.1j/include/crypto/evp.h 2021-03-03 14:08:02.493294865 +01003594
3595
extern const EVP_PKEY_METHOD poly1305_pkey_meth;3596
extern const EVP_PKEY_METHOD siphash_pkey_meth;3597
3598
+/* struct evp_kdf_impl_st is defined by the implementation */3599
+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;3600
+typedef struct {3601
+ int type;3602
+ EVP_KDF_IMPL *(*new) (void);3603
+ void (*free) (EVP_KDF_IMPL *impl);3604
+ void (*reset) (EVP_KDF_IMPL *impl);3605
+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);3606
+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);3607
+ size_t (*size) (EVP_KDF_IMPL *impl);3608
+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);3609
+} EVP_KDF_METHOD;3610
+3611
+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;3612
+extern const EVP_KDF_METHOD scrypt_kdf_meth;3613
+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;3614
+extern const EVP_KDF_METHOD hkdf_kdf_meth;3615
+3616
struct evp_md_st {3617
int type;3618
int pkey_type;3619
diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/openssl/evperr.h3620
--- openssl-1.1.1j/include/openssl/evperr.h.evp-kdf 2021-03-03 14:08:02.477294722 +01003621
+++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 14:13:37.587003722 +01003622
3623
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 2193624
# define EVP_F_EVP_ENCRYPTFINAL_EX 1273625
# define EVP_F_EVP_ENCRYPTUPDATE 1673626
+# define EVP_F_EVP_KDF_CTRL 2243627
+# define EVP_F_EVP_KDF_CTRL_STR 2253628
+# define EVP_F_EVP_KDF_CTX_NEW_ID 2263629
# define EVP_F_EVP_MD_CTX_COPY_EX 1103630
# define EVP_F_EVP_MD_SIZE 1623631
# define EVP_F_EVP_OPENINIT 1023632
3633
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 1183634
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 1643635
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 1803636
+# define EVP_F_PKEY_KDF_CTRL 2273637
# define EVP_F_PKEY_SET_TYPE 1583638
# define EVP_F_RC2_MAGIC_TO_METH 1093639
# define EVP_F_RC5_CTRL 1253640
# define EVP_F_R_32_12_16_INIT_KEY 2423641
# define EVP_F_S390X_AES_GCM_CTRL 2013642
+# define EVP_F_SCRYPT_ALG 2283643
# define EVP_F_UPDATE 1733644
3645
/*3646
3647
# define EVP_R_ONLY_ONESHOT_SUPPORTED 1773648
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 1503649
# define EVP_R_OPERATON_NOT_INITIALIZED 1513650
+# define EVP_R_PARAMETER_TOO_LARGE 1873651
# define EVP_R_OUTPUT_WOULD_OVERFLOW 1843652
# define EVP_R_PARTIALLY_OVERLAPPING 1623653
# define EVP_R_PBKDF2_ERROR 1813654
diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/openssl/kdferr.h3655
--- openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf 2021-02-16 16:24:01.000000000 +01003656
+++ openssl-1.1.1j/include/openssl/kdferr.h 2021-03-03 14:08:02.493294865 +01003657
3658
/*3659
* KDF function codes.3660
*/3661
+# define KDF_F_HKDF_EXTRACT 1123662
+# define KDF_F_KDF_HKDF_DERIVE 1133663
+# define KDF_F_KDF_HKDF_NEW 1143664
+# define KDF_F_KDF_HKDF_SIZE 1153665
+# define KDF_F_KDF_MD2CTRL 1163666
+# define KDF_F_KDF_PBKDF2_CTRL_STR 1173667
+# define KDF_F_KDF_PBKDF2_DERIVE 1183668
+# define KDF_F_KDF_PBKDF2_NEW 1193669
+# define KDF_F_KDF_SCRYPT_CTRL_STR 1203670
+# define KDF_F_KDF_SCRYPT_CTRL_UINT32 1213671
+# define KDF_F_KDF_SCRYPT_CTRL_UINT64 1223672
+# define KDF_F_KDF_SCRYPT_DERIVE 1233673
+# define KDF_F_KDF_SCRYPT_NEW 1243674
+# define KDF_F_KDF_TLS1_PRF_CTRL_STR 1253675
+# define KDF_F_KDF_TLS1_PRF_DERIVE 1263676
+# define KDF_F_KDF_TLS1_PRF_NEW 1273677
+# define KDF_F_PBKDF2_SET_MEMBUF 1283678
# define KDF_F_PKEY_HKDF_CTRL_STR 1033679
# define KDF_F_PKEY_HKDF_DERIVE 1023680
# define KDF_F_PKEY_HKDF_INIT 1083681
3682
# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 1003683
# define KDF_F_PKEY_TLS1_PRF_DERIVE 1013684
# define KDF_F_PKEY_TLS1_PRF_INIT 1103685
+# define KDF_F_SCRYPT_SET_MEMBUF 1293686
# define KDF_F_TLS1_PRF_ALG 1113687
3688
/*3689
3690
# define KDF_R_UNKNOWN_PARAMETER_TYPE 1033691
# define KDF_R_VALUE_ERROR 1083692
# define KDF_R_VALUE_MISSING 1023693
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 1123694
3695
#endif3696
diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/openssl/kdf.h3697
--- openssl-1.1.1j/include/openssl/kdf.h.evp-kdf 2021-02-16 16:24:01.000000000 +01003698
+++ openssl-1.1.1j/include/openssl/kdf.h 2021-03-03 14:08:02.493294865 +01003699
3700
#ifndef HEADER_KDF_H3701
# define HEADER_KDF_H3702
3703
+# include <openssl/ossl_typ.h>3704
# include <openssl/kdferr.h>3705
-#ifdef __cplusplus3706
+# ifdef __cplusplus3707
extern "C" {3708
-#endif3709
+# endif3710
+3711
+# define EVP_KDF_PBKDF2 NID_id_pbkdf23712
+# define EVP_KDF_SCRYPT NID_id_scrypt3713
+# define EVP_KDF_TLS1_PRF NID_tls1_prf3714
+# define EVP_KDF_HKDF NID_hkdf3715
+3716
+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);3717
+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);3718
+3719
+void EVP_KDF_reset(EVP_KDF_CTX *ctx);3720
+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);3721
+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);3722
+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);3723
+size_t EVP_KDF_size(EVP_KDF_CTX *ctx);3724
+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);3725
+3726
+3727
+# define EVP_KDF_CTRL_SET_PASS 0x01 /* unsigned char *, size_t */3728
+# define EVP_KDF_CTRL_SET_SALT 0x02 /* unsigned char *, size_t */3729
+# define EVP_KDF_CTRL_SET_ITER 0x03 /* int */3730
+# define EVP_KDF_CTRL_SET_MD 0x04 /* EVP_MD * */3731
+# define EVP_KDF_CTRL_SET_KEY 0x05 /* unsigned char *, size_t */3732
+# define EVP_KDF_CTRL_SET_MAXMEM_BYTES 0x06 /* uint64_t */3733
+# define EVP_KDF_CTRL_SET_TLS_SECRET 0x07 /* unsigned char *, size_t */3734
+# define EVP_KDF_CTRL_RESET_TLS_SEED 0x083735
+# define EVP_KDF_CTRL_ADD_TLS_SEED 0x09 /* unsigned char *, size_t */3736
+# define EVP_KDF_CTRL_RESET_HKDF_INFO 0x0a3737
+# define EVP_KDF_CTRL_ADD_HKDF_INFO 0x0b /* unsigned char *, size_t */3738
+# define EVP_KDF_CTRL_SET_HKDF_MODE 0x0c /* int */3739
+# define EVP_KDF_CTRL_SET_SCRYPT_N 0x0d /* uint64_t */3740
+# define EVP_KDF_CTRL_SET_SCRYPT_R 0x0e /* uint32_t */3741
+# define EVP_KDF_CTRL_SET_SCRYPT_P 0x0f /* uint32_t */3742
+3743
+# define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 03744
+# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 13745
+# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 23746
+3747
+3748
+/**** The legacy PKEY-based KDF API follows. ****/3749
3750
# define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)3751
# define EVP_PKEY_CTRL_TLS_SECRET (EVP_PKEY_ALG_CTRL + 1)3752
3753
# define EVP_PKEY_CTRL_SCRYPT_P (EVP_PKEY_ALG_CTRL + 12)3754
# define EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES (EVP_PKEY_ALG_CTRL + 13)3755
3756
-# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 03757
-# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 13758
-# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 23759
+# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND \3760
+ EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND3761
+# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY \3762
+ EVP_KDF_HKDF_MODE_EXTRACT_ONLY3763
+# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY \3764
+ EVP_KDF_HKDF_MODE_EXPAND_ONLY3765
3766
# define EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) \3767
EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \3768
3769
EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, maxmem_bytes)3770
3771
3772
-# ifdef __cplusplus3773
+# ifdef __cplusplus3774
}3775
# endif3776
#endif3777
diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/include/openssl/ossl_typ.h3778
--- openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf 2021-02-16 16:24:01.000000000 +01003779
+++ openssl-1.1.1j/include/openssl/ossl_typ.h 2021-03-03 14:08:02.493294865 +01003780
3781
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;3782
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;3783
3784
+typedef struct evp_kdf_ctx_st EVP_KDF_CTX;3785
+3786
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;3787
3788
typedef struct hmac_ctx_st HMAC_CTX;3789
diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info3790
--- openssl-1.1.1j/test/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +01003791
+++ openssl-1.1.1j/test/build.info 2021-03-03 14:08:02.493294865 +01003792
3793
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \3794
bio_callback_test bio_memleak_test \3795
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \3796
- pkey_meth_test pkey_meth_kdf_test uitest cipherbytes_test \3797
+ pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \3798
+ cipherbytes_test \3799
asn1_encode_test asn1_decode_test asn1_string_table_test \3800
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \3801
recordlentest drbgtest sslbuffertest \3802
3803
INCLUDE[pkey_meth_kdf_test]=../include3804
DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a3805
3806
+ SOURCE[evp_kdf_test]=evp_kdf_test.c3807
+ INCLUDE[evp_kdf_test]=../include3808
+ DEPEND[evp_kdf_test]=../libcrypto libtestutil.a3809
+3810
SOURCE[x509_time_test]=x509_time_test.c3811
INCLUDE[x509_time_test]=../include3812
DEPEND[x509_time_test]=../libcrypto libtestutil.a3813
diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_test.c3814
--- openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf 2021-03-03 14:08:02.494294874 +01003815
+++ openssl-1.1.1j/test/evp_kdf_test.c 2021-03-03 14:08:02.494294874 +01003816
3817
+/*3818
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.3819
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.3820
+ *3821
+ * Licensed under the Apache License 2.0 (the "License"). You may not use3822
+ * this file except in compliance with the License. You can obtain a copy3823
+ * in the file LICENSE in the source distribution or at3824
+ * https://www.openssl.org/source/license.html3825
+ */3826
+3827
+/* Tests of the EVP_KDF_CTX APIs */3828
+3829
+#include <stdio.h>3830
+#include <string.h>3831
+3832
+#include <openssl/evp.h>3833
+#include <openssl/kdf.h>3834
+#include "testutil.h"3835
+3836
+static int test_kdf_tls1_prf(void)3837
+{3838
+ int ret = 0;3839
+ EVP_KDF_CTX *kctx;3840
+ unsigned char out[16];3841
+3842
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {3843
+ TEST_error("EVP_KDF_TLS1_PRF");3844
+ goto err;3845
+ }3846
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {3847
+ TEST_error("EVP_KDF_CTRL_SET_MD");3848
+ goto err;3849
+ }3850
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,3851
+ "secret", (size_t)6) <= 0) {3852
+ TEST_error("EVP_KDF_CTRL_SET_TLS_SECRET");3853
+ goto err;3854
+ }3855
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {3856
+ TEST_error("EVP_KDF_CTRL_ADD_TLS_SEED");3857
+ goto err;3858
+ }3859
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {3860
+ TEST_error("EVP_KDF_derive");3861
+ goto err;3862
+ }3863
+3864
+ {3865
+ const unsigned char expected[sizeof(out)] = {3866
+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,3867
+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc3868
+ };3869
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {3870
+ goto err;3871
+ }3872
+ }3873
+ ret = 1;3874
+err:3875
+ EVP_KDF_CTX_free(kctx);3876
+ return ret;3877
+}3878
+3879
+static int test_kdf_hkdf(void)3880
+{3881
+ int ret = 0;3882
+ EVP_KDF_CTX *kctx;3883
+ unsigned char out[10];3884
+3885
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {3886
+ TEST_error("EVP_KDF_HKDF");3887
+ goto err;3888
+ }3889
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {3890
+ TEST_error("EVP_KDF_CTRL_SET_MD");3891
+ goto err;3892
+ }3893
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {3894
+ TEST_error("EVP_KDF_CTRL_SET_SALT");3895
+ goto err;3896
+ }3897
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {3898
+ TEST_error("EVP_KDF_CTRL_SET_KEY");3899
+ goto err;3900
+ }3901
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,3902
+ "label", (size_t)5) <= 0) {3903
+ TEST_error("EVP_KDF_CTRL_ADD_HKDF_INFO");3904
+ goto err;3905
+ }3906
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {3907
+ TEST_error("EVP_KDF_derive");3908
+ goto err;3909
+ }3910
+3911
+ {3912
+ const unsigned char expected[sizeof(out)] = {3913
+ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x133914
+ };3915
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {3916
+ goto err;3917
+ }3918
+ }3919
+ ret = 1;3920
+err:3921
+ EVP_KDF_CTX_free(kctx);3922
+ return ret;3923
+}3924
+3925
+static int test_kdf_pbkdf2(void)3926
+{3927
+ int ret = 0;3928
+ EVP_KDF_CTX *kctx;3929
+ unsigned char out[32];3930
+3931
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {3932
+ TEST_error("EVP_KDF_PBKDF2");3933
+ goto err;3934
+ }3935
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {3936
+ TEST_error("EVP_KDF_CTRL_SET_PASS");3937
+ goto err;3938
+ }3939
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {3940
+ TEST_error("EVP_KDF_CTRL_SET_SALT");3941
+ goto err;3942
+ }3943
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {3944
+ TEST_error("EVP_KDF_CTRL_SET_ITER");3945
+ goto err;3946
+ }3947
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {3948
+ TEST_error("EVP_KDF_CTRL_SET_MD");3949
+ goto err;3950
+ }3951
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {3952
+ TEST_error("EVP_KDF_derive");3953
+ goto err;3954
+ }3955
+3956
+ {3957
+ const unsigned char expected[sizeof(out)] = {3958
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,3959
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,3960
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,3961
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x433962
+ };3963
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {3964
+ goto err;3965
+ }3966
+ }3967
+ ret = 1;3968
+err:3969
+ EVP_KDF_CTX_free(kctx);3970
+ return ret;3971
+}3972
+3973
+#ifndef OPENSSL_NO_SCRYPT3974
+static int test_kdf_scrypt(void)3975
+{3976
+ int ret = 0;3977
+ EVP_KDF_CTX *kctx;3978
+ unsigned char out[64];3979
+3980
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT)) == NULL) {3981
+ TEST_error("EVP_KDF_SCRYPT");3982
+ goto err;3983
+ }3984
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {3985
+ TEST_error("EVP_KDF_CTRL_SET_PASS");3986
+ goto err;3987
+ }3988
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {3989
+ TEST_error("EVP_KDF_CTRL_SET_SALT");3990
+ goto err;3991
+ }3992
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {3993
+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_N");3994
+ goto err;3995
+ }3996
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {3997
+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_R");3998
+ goto err;3999
+ }4000
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {4001
+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_P");4002
+ goto err;4003
+ }4004
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, (uint64_t)16) <= 0) {4005
+ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");4006
+ goto err;4007
+ }4008
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) > 0) {4009
+ TEST_error("EVP_KDF_derive should have failed");4010
+ goto err;4011
+ }4012
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,4013
+ (uint64_t)(10 * 1024 * 1024)) <= 0) {4014
+ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");4015
+ goto err;4016
+ }4017
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {4018
+ TEST_error("EVP_KDF_derive");4019
+ goto err;4020
+ }4021
+4022
+ {4023
+ const unsigned char expected[sizeof(out)] = {4024
+ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,4025
+ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,4026
+ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,4027
+ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,4028
+ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,4029
+ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,4030
+ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,4031
+ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x404032
+ };4033
+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {4034
+ goto err;4035
+ }4036
+ }4037
+ ret = 1;4038
+err:4039
+ EVP_KDF_CTX_free(kctx);4040
+ return ret;4041
+}4042
+#endif4043
+4044
+int setup_tests(void)4045
+{4046
+ ADD_TEST(test_kdf_tls1_prf);4047
+ ADD_TEST(test_kdf_hkdf);4048
+ ADD_TEST(test_kdf_pbkdf2);4049
+#ifndef OPENSSL_NO_SCRYPT4050
+ ADD_TEST(test_kdf_scrypt);4051
+#endif4052
+ return 1;4053
+}4054
diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c4055
--- openssl-1.1.1j/test/evp_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +01004056
+++ openssl-1.1.1j/test/evp_test.c 2021-03-03 14:08:02.494294874 +01004057
4058
encode_test_run,4059
};4060
4061
+4062
/**4063
*** KDF TESTS4064
**/4065
4066
typedef struct kdf_data_st {4067
/* Context for this operation */4068
- EVP_PKEY_CTX *ctx;4069
+ EVP_KDF_CTX *ctx;4070
/* Expected output */4071
unsigned char *output;4072
size_t output_len;4073
4074
4075
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))4076
return 0;4077
- kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);4078
+ kdata->ctx = EVP_KDF_CTX_new_id(kdf_nid);4079
if (kdata->ctx == NULL) {4080
OPENSSL_free(kdata);4081
return 0;4082
}4083
- if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {4084
- EVP_PKEY_CTX_free(kdata->ctx);4085
- OPENSSL_free(kdata);4086
- return 0;4087
- }4088
t->data = kdata;4089
return 1;4090
}4091
4092
{4093
KDF_DATA *kdata = t->data;4094
OPENSSL_free(kdata->output);4095
- EVP_PKEY_CTX_free(kdata->ctx);4096
+ EVP_KDF_CTX_free(kdata->ctx);4097
+}4098
+4099
+static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx,4100
+ const char *value)4101
+{4102
+ int rv;4103
+ char *p, *tmpval;4104
+4105
+ if (!TEST_ptr(tmpval = OPENSSL_strdup(value)))4106
+ return 0;4107
+ p = strchr(tmpval, ':');4108
+ if (p != NULL)4109
+ *p++ = '\0';4110
+ rv = EVP_KDF_ctrl_str(kctx, tmpval, p);4111
+ if (rv == -2) {4112
+ t->err = "KDF_CTRL_INVALID";4113
+ rv = 1;4114
+ } else if (p != NULL && rv <= 0) {4115
+ /* If p has an OID and lookup fails assume disabled algorithm */4116
+ int nid = OBJ_sn2nid(p);4117
+4118
+ if (nid == NID_undef)4119
+ nid = OBJ_ln2nid(p);4120
+ if (nid != NID_undef4121
+ && EVP_get_digestbynid(nid) == NULL4122
+ && EVP_get_cipherbynid(nid) == NULL) {4123
+ t->skip = 1;4124
+ rv = 1;4125
+ } else {4126
+ t->err = "KDF_CTRL_ERROR";4127
+ rv = 1;4128
+ }4129
+ }4130
+ OPENSSL_free(tmpval);4131
+ return rv > 0;4132
}4133
4134
static int kdf_test_parse(EVP_TEST *t,4135
4136
if (strcmp(keyword, "Output") == 0)4137
return parse_bin(value, &kdata->output, &kdata->output_len);4138
if (strncmp(keyword, "Ctrl", 4) == 0)4139
- return pkey_test_ctrl(t, kdata->ctx, value);4140
+ return kdf_test_ctrl(t, kdata->ctx, value);4141
return 0;4142
}4143
4144
4145
t->err = "INTERNAL_ERROR";4146
goto err;4147
}4148
- if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {4149
+ if (EVP_KDF_derive(expected->ctx, got, got_len) <= 0) {4150
t->err = "KDF_DERIVE_ERROR";4151
goto err;4152
}4153
4154
4155
4156
/**4157
+*** PKEY KDF TESTS4158
+**/4159
+4160
+typedef struct pkey_kdf_data_st {4161
+ /* Context for this operation */4162
+ EVP_PKEY_CTX *ctx;4163
+ /* Expected output */4164
+ unsigned char *output;4165
+ size_t output_len;4166
+} PKEY_KDF_DATA;4167
+4168
+/*4169
+ * Perform public key operation setup: lookup key, allocated ctx and call4170
+ * the appropriate initialisation function4171
+ */4172
+static int pkey_kdf_test_init(EVP_TEST *t, const char *name)4173
+{4174
+ PKEY_KDF_DATA *kdata;4175
+ int kdf_nid = OBJ_sn2nid(name);4176
+4177
+#ifdef OPENSSL_NO_SCRYPT4178
+ if (strcmp(name, "scrypt") == 0) {4179
+ t->skip = 1;4180
+ return 1;4181
+ }4182
+#endif4183
+4184
+ if (kdf_nid == NID_undef)4185
+ kdf_nid = OBJ_ln2nid(name);4186
+4187
+ if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))4188
+ return 0;4189
+ kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);4190
+ if (kdata->ctx == NULL) {4191
+ OPENSSL_free(kdata);4192
+ return 0;4193
+ }4194
+ if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {4195
+ EVP_PKEY_CTX_free(kdata->ctx);4196
+ OPENSSL_free(kdata);4197
+ return 0;4198
+ }4199
+ t->data = kdata;4200
+ return 1;4201
+}4202
+4203
+static void pkey_kdf_test_cleanup(EVP_TEST *t)4204
+{4205
+ PKEY_KDF_DATA *kdata = t->data;4206
+ OPENSSL_free(kdata->output);4207
+ EVP_PKEY_CTX_free(kdata->ctx);4208
+}4209
+4210
+static int pkey_kdf_test_parse(EVP_TEST *t,4211
+ const char *keyword, const char *value)4212
+{4213
+ PKEY_KDF_DATA *kdata = t->data;4214
+4215
+ if (strcmp(keyword, "Output") == 0)4216
+ return parse_bin(value, &kdata->output, &kdata->output_len);4217
+ if (strncmp(keyword, "Ctrl", 4) == 0)4218
+ return pkey_test_ctrl(t, kdata->ctx, value);4219
+ return 0;4220
+}4221
+4222
+static int pkey_kdf_test_run(EVP_TEST *t)4223
+{4224
+ PKEY_KDF_DATA *expected = t->data;4225
+ unsigned char *got = NULL;4226
+ size_t got_len = expected->output_len;4227
+4228
+ if (!TEST_ptr(got = OPENSSL_malloc(got_len))) {4229
+ t->err = "INTERNAL_ERROR";4230
+ goto err;4231
+ }4232
+ if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {4233
+ t->err = "KDF_DERIVE_ERROR";4234
+ goto err;4235
+ }4236
+ if (!TEST_mem_eq(expected->output, expected->output_len, got, got_len)) {4237
+ t->err = "KDF_MISMATCH";4238
+ goto err;4239
+ }4240
+ t->err = NULL;4241
+4242
+ err:4243
+ OPENSSL_free(got);4244
+ return 1;4245
+}4246
+4247
+static const EVP_TEST_METHOD pkey_kdf_test_method = {4248
+ "PKEYKDF",4249
+ pkey_kdf_test_init,4250
+ pkey_kdf_test_cleanup,4251
+ pkey_kdf_test_parse,4252
+ pkey_kdf_test_run4253
+};4254
+4255
+4256
+/**4257
*** KEYPAIR TESTS4258
**/4259
4260
4261
&digestverify_test_method,4262
&encode_test_method,4263
&kdf_test_method,4264
+ &pkey_kdf_test_method,4265
&keypair_test_method,4266
&keygen_test_method,4267
&mac_test_method,4268
diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pkey_meth_kdf_test.c4269
--- openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +01004270
+++ openssl-1.1.1j/test/pkey_meth_kdf_test.c 2021-03-03 14:08:02.494294874 +01004271
4272
/*4273
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.4274
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.4275
*4276
* Licensed under the OpenSSL license (the "License"). You may not use4277
* this file except in compliance with the License. You can obtain a copy4278
4279
4280
static int test_kdf_tls1_prf(void)4281
{4282
+ int ret = 0;4283
EVP_PKEY_CTX *pctx;4284
unsigned char out[16];4285
size_t outlen = sizeof(out);4286
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);4287
4288
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL)) == NULL) {4289
+ TEST_error("EVP_PKEY_TLS1_PRF");4290
+ goto err;4291
+ }4292
if (EVP_PKEY_derive_init(pctx) <= 0) {4293
TEST_error("EVP_PKEY_derive_init");4294
- return 0;4295
+ goto err;4296
}4297
if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0) {4298
TEST_error("EVP_PKEY_CTX_set_tls1_prf_md");4299
- return 0;4300
+ goto err;4301
}4302
if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0) {4303
TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");4304
- return 0;4305
+ goto err;4306
}4307
if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0) {4308
TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");4309
- return 0;4310
+ goto err;4311
}4312
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {4313
TEST_error("EVP_PKEY_derive");4314
- return 0;4315
+ goto err;4316
}4317
4318
{4319
4320
0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc4321
};4322
if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {4323
- return 0;4324
+ goto err;4325
}4326
}4327
+ ret = 1;4328
+err:4329
EVP_PKEY_CTX_free(pctx);4330
- return 1;4331
+ return ret;4332
}4333
4334
static int test_kdf_hkdf(void)4335
{4336
+ int ret = 0;4337
EVP_PKEY_CTX *pctx;4338
unsigned char out[10];4339
size_t outlen = sizeof(out);4340
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);4341
4342
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) {4343
+ TEST_error("EVP_PKEY_HKDF");4344
+ goto err;4345
+ }4346
if (EVP_PKEY_derive_init(pctx) <= 0) {4347
TEST_error("EVP_PKEY_derive_init");4348
- return 0;4349
+ goto err;4350
}4351
if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) {4352
TEST_error("EVP_PKEY_CTX_set_hkdf_md");4353
- return 0;4354
+ goto err;4355
}4356
if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) {4357
TEST_error("EVP_PKEY_CTX_set1_hkdf_salt");4358
- return 0;4359
+ goto err;4360
}4361
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) {4362
TEST_error("EVP_PKEY_CTX_set1_hkdf_key");4363
- return 0;4364
+ goto err;4365
}4366
if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) {4367
TEST_error("EVP_PKEY_CTX_set1_hkdf_info");4368
- return 0;4369
+ goto err;4370
}4371
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {4372
TEST_error("EVP_PKEY_derive");4373
- return 0;4374
+ goto err;4375
}4376
4377
{4378
4379
0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x134380
};4381
if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {4382
- return 0;4383
+ goto err;4384
}4385
}4386
+ ret = 1;4387
+err:4388
EVP_PKEY_CTX_free(pctx);4389
- return 1;4390
+ return ret;4391
}4392
4393
#ifndef OPENSSL_NO_SCRYPT4394
static int test_kdf_scrypt(void)4395
{4396
+ int ret = 0;4397
EVP_PKEY_CTX *pctx;4398
unsigned char out[64];4399
size_t outlen = sizeof(out);4400
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);4401
4402
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL)) == NULL) {4403
+ TEST_error("EVP_PKEY_SCRYPT");4404
+ goto err;4405
+ }4406
if (EVP_PKEY_derive_init(pctx) <= 0) {4407
TEST_error("EVP_PKEY_derive_init");4408
- return 0;4409
+ goto err;4410
}4411
if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) {4412
TEST_error("EVP_PKEY_CTX_set1_pbe_pass");4413
- return 0;4414
+ goto err;4415
}4416
if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) {4417
TEST_error("EVP_PKEY_CTX_set1_scrypt_salt");4418
- return 0;4419
+ goto err;4420
}4421
if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) {4422
TEST_error("EVP_PKEY_CTX_set_scrypt_N");4423
- return 0;4424
+ goto err;4425
}4426
if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) {4427
TEST_error("EVP_PKEY_CTX_set_scrypt_r");4428
- return 0;4429
+ goto err;4430
}4431
if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) {4432
TEST_error("EVP_PKEY_CTX_set_scrypt_p");4433
- return 0;4434
+ goto err;4435
}4436
if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 16) <= 0) {4437
TEST_error("EVP_PKEY_CTX_set_maxmem_bytes");4438
- return 0;4439
+ goto err;4440
}4441
if (EVP_PKEY_derive(pctx, out, &outlen) > 0) {4442
TEST_error("EVP_PKEY_derive should have failed");4443
- return 0;4444
+ goto err;4445
}4446
if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 10 * 1024 * 1024) <= 0) {4447
TEST_error("EVP_PKEY_CTX_set_maxmem_bytes");4448
- return 0;4449
+ goto err;4450
}4451
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {4452
TEST_error("EVP_PKEY_derive");4453
- return 0;4454
+ goto err;4455
}4456
4457
{4458
4459
0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x404460
};4461
if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {4462
- return 0;4463
+ goto err;4464
}4465
}4466
+ ret = 1;4467
+err:4468
EVP_PKEY_CTX_free(pctx);4469
- return 1;4470
+ return ret;4471
}4472
#endif4473
4474
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt4475
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2021-02-16 16:24:01.000000000 +01004476
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt 2021-03-03 14:08:02.494294874 +01004477
4478
#4479
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.4480
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.4481
#4482
# Licensed under the OpenSSL license (the "License"). You may not use4483
# this file except in compliance with the License. You can obtain a copy4484
4485
Title = TLS1 PRF tests (from NIST test vectors)4486
4487
KDF=TLS1-PRF4488
-Ctrl.md = md:MD5-SHA14489
+Ctrl.digest = digest:MD5-SHA14490
Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d04491
Ctrl.label = seed:master secret4492
Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a8640206934493
4494
Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f624495
4496
KDF=TLS1-PRF4497
-Ctrl.md = md:MD5-SHA14498
+Ctrl.digest = digest:MD5-SHA14499
Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f624500
Ctrl.label = seed:key expansion4501
Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be4502
4503
Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d4504
4505
KDF=TLS1-PRF4506
-Ctrl.md = md:SHA2564507
+Ctrl.digest = digest:SHA2564508
Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc4509
Ctrl.label = seed:master secret4510
Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c4511
4512
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf4513
4514
KDF=TLS1-PRF4515
-Ctrl.md = md:SHA2564516
+Ctrl.digest = digest:SHA2564517
Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf4518
Ctrl.label = seed:key expansion4519
Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f398684520
4521
4522
# As above but use long name for KDF4523
KDF=tls1-prf4524
-Ctrl.md = md:SHA2564525
+Ctrl.digest = digest:SHA2564526
Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf4527
Ctrl.label = seed:key expansion4528
Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f398684529
4530
4531
# Missing secret.4532
KDF=TLS1-PRF4533
-Ctrl.md = md:MD5-SHA14534
+Ctrl.digest = digest:MD5-SHA14535
Ctrl.Seed = hexseed:024536
Output = 034537
Result = KDF_DERIVE_ERROR4538
4539
Title = HKDF tests (from RFC5869 test vectors)4540
4541
KDF = HKDF4542
-Ctrl.md = md:SHA2564543
+Ctrl.digest = digest:SHA2564544
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4545
Ctrl.salt = hexsalt:000102030405060708090a0b0c4546
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f94547
4548
4549
KDF = HKDF4550
Ctrl.mode = mode:EXTRACT_ONLY4551
-Ctrl.md = md:SHA2564552
+Ctrl.digest = digest:SHA2564553
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4554
Ctrl.salt = hexsalt:000102030405060708090a0b0c4555
Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e54556
4557
KDF = HKDF4558
Ctrl.mode = mode:EXPAND_ONLY4559
-Ctrl.md = md:SHA2564560
+Ctrl.digest = digest:SHA2564561
Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e54562
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f94563
Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858654564
4565
KDF = HKDF4566
-Ctrl.md = md:SHA2564567
+Ctrl.digest = digest:SHA2564568
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f4569
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf4570
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff4571
4572
4573
KDF = HKDF4574
Ctrl.mode = mode:EXTRACT_ONLY4575
-Ctrl.md = md:SHA2564576
+Ctrl.digest = digest:SHA2564577
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f4578
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf4579
Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc2444580
4581
KDF = HKDF4582
Ctrl.mode = mode:EXPAND_ONLY4583
-Ctrl.md = md:SHA2564584
+Ctrl.digest = digest:SHA2564585
Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc2444586
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff4587
Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d874588
4589
KDF = HKDF4590
-Ctrl.md = md:SHA2564591
+Ctrl.digest = digest:SHA2564592
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4593
Ctrl.salt = salt:4594
Ctrl.info = info:4595
4596
4597
KDF = HKDF4598
Ctrl.mode = mode:EXTRACT_ONLY4599
-Ctrl.md = md:SHA2564600
+Ctrl.digest = digest:SHA2564601
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4602
Ctrl.salt = salt:4603
Ctrl.info = info:4604
4605
4606
KDF = HKDF4607
Ctrl.mode = mode:EXPAND_ONLY4608
-Ctrl.md = md:SHA2564609
+Ctrl.digest = digest:SHA2564610
Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb044611
Ctrl.info = info:4612
Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c84613
4614
KDF = HKDF4615
-Ctrl.md = md:SHA14616
+Ctrl.digest = digest:SHA14617
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b4618
Ctrl.salt = hexsalt:000102030405060708090a0b0c4619
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f94620
4621
4622
KDF = HKDF4623
Ctrl.mode = mode:EXTRACT_ONLY4624
-Ctrl.md = md:SHA14625
+Ctrl.digest = digest:SHA14626
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b4627
Ctrl.salt = hexsalt:000102030405060708090a0b0c4628
Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba2434629
4630
KDF = HKDF4631
Ctrl.mode = mode:EXPAND_ONLY4632
-Ctrl.md = md:SHA14633
+Ctrl.digest = digest:SHA14634
Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba2434635
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f94636
Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f8964637
4638
KDF = HKDF4639
-Ctrl.md = md:SHA14640
+Ctrl.digest = digest:SHA14641
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f4642
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf4643
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff4644
4645
4646
KDF = HKDF4647
Ctrl.mode = mode:EXTRACT_ONLY4648
-Ctrl.md = md:SHA14649
+Ctrl.digest = digest:SHA14650
Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f4651
Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf4652
Output = 8adae09a2a307059478d309b26c4115a224cfaf64653
4654
KDF = HKDF4655
Ctrl.mode = mode:EXPAND_ONLY4656
-Ctrl.md = md:SHA14657
+Ctrl.digest = digest:SHA14658
Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf64659
Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff4660
Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b44661
4662
KDF = HKDF4663
-Ctrl.md = md:SHA14664
+Ctrl.digest = digest:SHA14665
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4666
Ctrl.salt = salt:4667
Ctrl.info = info:4668
4669
4670
KDF = HKDF4671
Ctrl.mode = mode:EXTRACT_ONLY4672
-Ctrl.md = md:SHA14673
+Ctrl.digest = digest:SHA14674
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4675
Ctrl.salt = salt:4676
Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d014677
4678
KDF = HKDF4679
Ctrl.mode = mode:EXPAND_ONLY4680
-Ctrl.md = md:SHA14681
+Ctrl.digest = digest:SHA14682
Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d014683
Ctrl.info = info:4684
Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d349184685
4686
KDF = HKDF4687
-Ctrl.md = md:SHA14688
+Ctrl.digest = digest:SHA14689
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c4690
Ctrl.salt = salt:4691
Ctrl.info = info:4692
4693
4694
KDF = HKDF4695
Ctrl.mode = mode:EXTRACT_ONLY4696
-Ctrl.md = md:SHA14697
+Ctrl.digest = digest:SHA14698
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c4699
Ctrl.salt = salt:4700
Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd4701
4702
KDF = HKDF4703
Ctrl.mode = mode:EXPAND_ONLY4704
-Ctrl.md = md:SHA14705
+Ctrl.digest = digest:SHA14706
Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd4707
Ctrl.info = info:4708
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc484709
4710
Result = KDF_DERIVE_ERROR4711
4712
KDF = HKDF4713
-Ctrl.md = md:SHA14714
+Ctrl.digest = digest:SHA14715
Ctrl.salt = salt:4716
Ctrl.info = info:4717
Output = 004718
Result = KDF_DERIVE_ERROR4719
4720
KDF = HKDF4721
-Ctrl.md = md:SHA14722
+Ctrl.digest = digest:SHA14723
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c4724
Ctrl.info = info:4725
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc484726
4727
KDF = HKDF4728
-Ctrl.md = md:SHA14729
+Ctrl.digest = digest:SHA14730
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c4731
Ctrl.salt = salt:4732
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc484733
4734
KDF = HKDF4735
Ctrl.mode = mode:EXTRACT_AND_EXPAND4736
-Ctrl.md = md:SHA14737
+Ctrl.digest = digest:SHA14738
Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c4739
Ctrl.salt = salt:4740
Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc484741
4742
Ctrl.p = p:14743
Result = INTERNAL_ERROR4744
4745
+Title = PBKDF2 tests4746
+4747
+KDF = PBKDF24748
+Ctrl.pass = pass:password4749
+Ctrl.salt = salt:salt4750
+Ctrl.iter = iter:14751
+Ctrl.digest = digest:sha14752
+Output = 0c60c80f961f0e71f3a9b524af6012062fe037a64753
+4754
+KDF = PBKDF24755
+Ctrl.pass = pass:password4756
+Ctrl.salt = salt:salt4757
+Ctrl.iter = iter:14758
+Ctrl.digest = digest:sha2564759
+Output = 120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b4760
+4761
+KDF = PBKDF24762
+Ctrl.pass = pass:password4763
+Ctrl.salt = salt:salt4764
+Ctrl.iter = iter:14765
+Ctrl.digest = digest:sha5124766
+Output = 867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252c02d470a285a0501bad999bfe943c08f050235d7d68b1da55e63f73b60a57fce4767
+4768
+KDF = PBKDF24769
+Ctrl.pass = pass:password4770
+Ctrl.salt = salt:salt4771
+Ctrl.iter = iter:24772
+Ctrl.digest = digest:sha14773
+Output = ea6c014dc72d6f8ccd1ed92ace1d41f0d8de89574774
+4775
+KDF = PBKDF24776
+Ctrl.pass = pass:password4777
+Ctrl.salt = salt:salt4778
+Ctrl.iter = iter:24779
+Ctrl.digest = digest:sha2564780
+Output = ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c434781
+4782
+KDF = PBKDF24783
+Ctrl.pass = pass:password4784
+Ctrl.salt = salt:salt4785
+Ctrl.iter = iter:24786
+Ctrl.digest = digest:sha5124787
+Output = e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f0040713f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82be67335c77a6068e04112754f27ccf4e4788
+4789
+KDF = PBKDF24790
+Ctrl.pass = pass:password4791
+Ctrl.salt = salt:salt4792
+Ctrl.iter = iter:40964793
+Ctrl.digest = digest:sha14794
+Output = 4b007901b765489abead49d926f721d065a429c14795
+4796
+KDF = PBKDF24797
+Ctrl.pass = pass:password4798
+Ctrl.salt = salt:salt4799
+Ctrl.iter = iter:40964800
+Ctrl.digest = digest:sha2564801
+Output = c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a4802
+4803
+KDF = PBKDF24804
+Ctrl.pass = pass:password4805
+Ctrl.salt = salt:salt4806
+Ctrl.iter = iter:40964807
+Ctrl.digest = digest:sha5124808
+Output = d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d54809
+4810
+KDF = PBKDF24811
+Ctrl.pass = pass:passwordPASSWORDpassword4812
+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt4813
+Ctrl.iter = iter:40964814
+Ctrl.digest = digest:sha14815
+Output = 3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f070384816
+4817
+KDF = PBKDF24818
+Ctrl.pass = pass:passwordPASSWORDpassword4819
+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt4820
+Ctrl.iter = iter:40964821
+Ctrl.digest = digest:sha2564822
+Output = 348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e94823
+4824
+KDF = PBKDF24825
+Ctrl.pass = pass:passwordPASSWORDpassword4826
+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt4827
+Ctrl.iter = iter:40964828
+Ctrl.digest = digest:sha5124829
+Output = 8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b868c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30225c583a186cd82bd4daea9724a3d3b84830
+4831
+KDF = PBKDF24832
+Ctrl.hexpass = hexpass:7061737300776f72644833
+Ctrl.hexsalt = hexsalt:7361006c744834
+Ctrl.iter = iter:40964835
+Ctrl.digest = digest:sha14836
+Output = 56fa6aa75548099dcc37d7f03425e0c34837
+4838
+KDF = PBKDF24839
+Ctrl.hexpass = hexpass:7061737300776f72644840
+Ctrl.hexsalt = hexsalt:7361006c744841
+Ctrl.iter = iter:40964842
+Ctrl.digest = digest:sha2564843
+Output = 89b69d0516f829893c696226650a86874844
+4845
+KDF = PBKDF24846
+Ctrl.hexpass = hexpass:7061737300776f72644847
+Ctrl.hexsalt = hexsalt:7361006c744848
+Ctrl.iter = iter:40964849
+Ctrl.digest = digest:sha5124850
+Output = 9d9e9c4cd21fe4be24d5b8244c7596654851
+4852
+Title = PBKDF2 tests for empty inputs4853
+4854
+KDF = PBKDF24855
+Ctrl.pass = pass:4856
+Ctrl.salt = salt:salt4857
+Ctrl.iter = iter:14858
+Ctrl.digest = digest:sha14859
+Output = a33dddc30478185515311f8752895d36ea4363a24860
+4861
+KDF = PBKDF24862
+Ctrl.pass = pass:4863
+Ctrl.salt = salt:salt4864
+Ctrl.iter = iter:14865
+Ctrl.digest = digest:sha2564866
+Output = f135c27993baf98773c5cdb40a5706ce6a345cde4867
+4868
+KDF = PBKDF24869
+Ctrl.pass = pass:4870
+Ctrl.salt = salt:salt4871
+Ctrl.iter = iter:14872
+Ctrl.digest = digest:sha5124873
+Output = 00ef42cdbfc98d29db20976608e455567fdddf144874
+4875
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt4876
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2021-03-03 14:08:02.494294874 +01004877
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt 2021-03-03 14:08:02.494294874 +01004878
4879
+#4880
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.4881
+#4882
+# Licensed under the Apache License 2.0 (the "License"). You may not use4883
+# this file except in compliance with the License. You can obtain a copy4884
+# in the file LICENSE in the source distribution or at4885
+# https://www.openssl.org/source/license.html4886
+4887
+# Tests start with one of these keywords4888
+# Cipher Decrypt Derive Digest Encoding KDF PKEYKDF MAC PBE4889
+# PrivPubKeyPair Sign Verify VerifyRecover4890
+# and continue until a blank line. Lines starting with a pound sign,4891
+# like this prolog, are ignored.4892
+4893
+Title = TLS1 PRF tests (from NIST test vectors)4894
+4895
+PKEYKDF=TLS1-PRF4896
+Ctrl.md = md:MD5-SHA14897
+Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d04898
+Ctrl.label = seed:master secret4899
+Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a8640206934900
+Ctrl.server_random = hexseed:135e4d557fdf3aa6406d82975d5c606a9734c9334b42136e96990fbd5358cdb24901
+Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f624902
+4903
+PKEYKDF=TLS1-PRF4904
+Ctrl.md = md:MD5-SHA14905
+Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f624906
+Ctrl.label = seed:key expansion4907
+Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be4908
+Ctrl.client_random = hexseed:d58a7b1cd4fedaa232159df652ce188f9d997e061b9bf48e83b62990440931f64909
+Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d4910
+4911
+PKEYKDF=TLS1-PRF4912
+Ctrl.md = md:SHA2564913
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc4914
+Ctrl.label = seed:master secret4915
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c4916
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce4917
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf4918
+4919
+PKEYKDF=TLS1-PRF4920
+Ctrl.md = md:SHA2564921
+Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf4922
+Ctrl.label = seed:key expansion4923
+Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f398684924
+Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b6164925
+Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e519284926
+4927
+# As above but use long name for KDF4928
+PKEYKDF=tls1-prf4929
+Ctrl.md = md:SHA2564930
+Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf4931
+Ctrl.label = seed:key expansion4932
+Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f398684933
+Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b6164934
+Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e519284935
+4936
+# Missing digest.4937
+PKEYKDF=TLS1-PRF4938
+Ctrl.Secret = hexsecret:014939
+Ctrl.Seed = hexseed:024940
+Output = 034941
+Result = KDF_DERIVE_ERROR4942
+4943
+# Missing secret.4944
+PKEYKDF=TLS1-PRF4945
+Ctrl.md = md:MD5-SHA14946
+Ctrl.Seed = hexseed:024947
+Output = 034948
+Result = KDF_DERIVE_ERROR4949
+4950
+Title = HKDF tests (from RFC5869 test vectors)4951
+4952
+PKEYKDF = HKDF4953
+Ctrl.md = md:SHA2564954
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4955
+Ctrl.salt = hexsalt:000102030405060708090a0b0c4956
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f94957
+Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858654958
+4959
+PKEYKDF = HKDF4960
+Ctrl.mode = mode:EXTRACT_ONLY4961
+Ctrl.md = md:SHA2564962
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4963
+Ctrl.salt = hexsalt:000102030405060708090a0b0c4964
+Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e54965
+4966
+PKEYKDF = HKDF4967
+Ctrl.mode = mode:EXPAND_ONLY4968
+Ctrl.md = md:SHA2564969
+Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e54970
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f94971
+Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858654972
+4973
+PKEYKDF = HKDF4974
+Ctrl.md = md:SHA2564975
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f4976
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf4977
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff4978
+Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d874979
+4980
+PKEYKDF = HKDF4981
+Ctrl.mode = mode:EXTRACT_ONLY4982
+Ctrl.md = md:SHA2564983
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f4984
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf4985
+Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc2444986
+4987
+PKEYKDF = HKDF4988
+Ctrl.mode = mode:EXPAND_ONLY4989
+Ctrl.md = md:SHA2564990
+Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc2444991
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff4992
+Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d874993
+4994
+PKEYKDF = HKDF4995
+Ctrl.md = md:SHA2564996
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b4997
+Ctrl.salt = salt:4998
+Ctrl.info = info:4999
+Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c85000
+5001
+PKEYKDF = HKDF5002
+Ctrl.mode = mode:EXTRACT_ONLY5003
+Ctrl.md = md:SHA2565004
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b5005
+Ctrl.salt = salt:5006
+Ctrl.info = info:5007
+Output = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb045008
+5009
+PKEYKDF = HKDF5010
+Ctrl.mode = mode:EXPAND_ONLY5011
+Ctrl.md = md:SHA2565012
+Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb045013
+Ctrl.info = info:5014
+Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c85015
+5016
+PKEYKDF = HKDF5017
+Ctrl.md = md:SHA15018
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b5019
+Ctrl.salt = hexsalt:000102030405060708090a0b0c5020
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f95021
+Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f8965022
+5023
+PKEYKDF = HKDF5024
+Ctrl.mode = mode:EXTRACT_ONLY5025
+Ctrl.md = md:SHA15026
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b5027
+Ctrl.salt = hexsalt:000102030405060708090a0b0c5028
+Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba2435029
+5030
+PKEYKDF = HKDF5031
+Ctrl.mode = mode:EXPAND_ONLY5032
+Ctrl.md = md:SHA15033
+Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba2435034
+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f95035
+Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f8965036
+5037
+PKEYKDF = HKDF5038
+Ctrl.md = md:SHA15039
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f5040
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf5041
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff5042
+Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b45043
+5044
+PKEYKDF = HKDF5045
+Ctrl.mode = mode:EXTRACT_ONLY5046
+Ctrl.md = md:SHA15047
+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f5048
+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf5049
+Output = 8adae09a2a307059478d309b26c4115a224cfaf65050
+5051
+PKEYKDF = HKDF5052
+Ctrl.mode = mode:EXPAND_ONLY5053
+Ctrl.md = md:SHA15054
+Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf65055
+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff5056
+Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b45057
+5058
+PKEYKDF = HKDF5059
+Ctrl.md = md:SHA15060
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b5061
+Ctrl.salt = salt:5062
+Ctrl.info = info:5063
+Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d349185064
+5065
+PKEYKDF = HKDF5066
+Ctrl.mode = mode:EXTRACT_ONLY5067
+Ctrl.md = md:SHA15068
+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b5069
+Ctrl.salt = salt:5070
+Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d015071
+5072
+PKEYKDF = HKDF5073
+Ctrl.mode = mode:EXPAND_ONLY5074
+Ctrl.md = md:SHA15075
+Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d015076
+Ctrl.info = info:5077
+Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d349185078
+5079
+PKEYKDF = HKDF5080
+Ctrl.md = md:SHA15081
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c5082
+Ctrl.salt = salt:5083
+Ctrl.info = info:5084
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc485085
+5086
+PKEYKDF = HKDF5087
+Ctrl.mode = mode:EXTRACT_ONLY5088
+Ctrl.md = md:SHA15089
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c5090
+Ctrl.salt = salt:5091
+Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd5092
+5093
+PKEYKDF = HKDF5094
+Ctrl.mode = mode:EXPAND_ONLY5095
+Ctrl.md = md:SHA15096
+Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd5097
+Ctrl.info = info:5098
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc485099
+5100
+PKEYKDF = HKDF5101
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c5102
+Ctrl.salt = salt:5103
+Ctrl.info = info:5104
+Output = 005105
+Result = KDF_DERIVE_ERROR5106
+5107
+PKEYKDF = HKDF5108
+Ctrl.md = md:SHA15109
+Ctrl.salt = salt:5110
+Ctrl.info = info:5111
+Output = 005112
+Result = KDF_DERIVE_ERROR5113
+5114
+PKEYKDF = HKDF5115
+Ctrl.md = md:SHA15116
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c5117
+Ctrl.info = info:5118
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc485119
+5120
+PKEYKDF = HKDF5121
+Ctrl.md = md:SHA15122
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c5123
+Ctrl.salt = salt:5124
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc485125
+5126
+PKEYKDF = HKDF5127
+Ctrl.mode = mode:EXTRACT_AND_EXPAND5128
+Ctrl.md = md:SHA15129
+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c5130
+Ctrl.salt = salt:5131
+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc485132
+5133
+Title = id-scrypt tests (from draft-josefsson-id-scrypt-kdf-03 and others)5134
+5135
+PKEYKDF = scrypt5136
+Ctrl.pass = pass:5137
+Ctrl.salt = salt:5138
+Ctrl.N = N:165139
+Ctrl.r = r:15140
+Ctrl.p = p:15141
+Output = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d189065142
+5143
+PKEYKDF = scrypt5144
+Ctrl.pass = pass:password5145
+Ctrl.salt = salt:NaCl5146
+Ctrl.N = N:10245147
+Ctrl.r = r:85148
+Ctrl.p = p:165149
+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc06405150
+5151
+PKEYKDF = scrypt5152
+Ctrl.hexpass = hexpass:70617373776f72645153
+Ctrl.salt = salt:NaCl5154
+Ctrl.N = N:10245155
+Ctrl.r = r:85156
+Ctrl.p = p:165157
+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc06405158
+5159
+PKEYKDF = scrypt5160
+Ctrl.pass = pass:password5161
+Ctrl.hexsalt = hexsalt:4e61436c5162
+Ctrl.N = N:10245163
+Ctrl.r = r:85164
+Ctrl.p = p:165165
+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc06405166
+5167
+PKEYKDF = scrypt5168
+Ctrl.pass = pass:pleaseletmein5169
+Ctrl.salt = salt:SodiumChloride5170
+Ctrl.N = N:163845171
+Ctrl.r = r:85172
+Ctrl.p = p:15173
+Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b455758875174
+5175
+# Out of memory5176
+PKEYKDF = scrypt5177
+Ctrl.pass = pass:pleaseletmein5178
+Ctrl.salt = salt:SodiumChloride5179
+Ctrl.N = N:10485765180
+Ctrl.r = r:85181
+Ctrl.p = p:15182
+Result = INTERNAL_ERROR5183
+5184
diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_kdf.t5185
--- openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf 2021-03-03 14:08:02.494294874 +01005186
+++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t 2021-03-03 14:08:02.494294874 +01005187
5188
+#! /usr/bin/env perl5189
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.5190
+# Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.5191
+#5192
+# Licensed under the Apache License 2.0 (the "License"). You may not use5193
+# this file except in compliance with the License. You can obtain a copy5194
+# in the file LICENSE in the source distribution or at5195
+# https://www.openssl.org/source/license.html5196
+5197
+5198
+use OpenSSL::Test::Simple;5199
+5200
+simple_test("test_evp_kdf", "evp_kdf_test");5201
diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp.t5202
--- openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf 2021-02-16 16:24:01.000000000 +01005203
+++ openssl-1.1.1j/test/recipes/30-test_evp.t 2021-03-03 14:08:02.495294883 +01005204
5205
setup("test_evp");5206
5207
my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt",5208
- "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",5209
+ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",5210
"evpcase.txt", "evpccmcavs.txt" );5211
5212
plan tests => scalar(@files);5213
diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto.num5214
--- openssl-1.1.1j/util/libcrypto.num.evp-kdf 2021-03-03 14:08:02.481294758 +01005215
+++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 14:08:02.495294883 +01005216
5217
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:5218
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:5219
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:5220
+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:5221
+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:5222
+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:5223
+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:5224
+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:5225
+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:5226
+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:5227
+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:5228
diff -up openssl-1.1.1j/util/private.num.evp-kdf openssl-1.1.1j/util/private.num5229
--- openssl-1.1.1j/util/private.num.evp-kdf 2021-02-16 16:24:01.000000000 +01005230
+++ openssl-1.1.1j/util/private.num 2021-03-03 14:08:02.495294883 +01005231
5232
CRYPTO_EX_free datatype5233
CRYPTO_EX_new datatype5234
DTLS_timer_cb datatype5235
+EVP_KDF_CTX datatype5236
EVP_PKEY_gen_cb datatype5237
EVP_PKEY_METHOD datatype5238
EVP_PKEY_ASN1_METHOD datatype5239