kdf_type = "";
break;
case EVP_PKEY_DH_KDF_X9_42:
- kdf_type = OSSL_KDF_NAME_X942KDF;
+ kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
break;
default:
return -2;
if (kdf_type[0] == '\0')
return EVP_PKEY_DH_KDF_NONE;
- else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF) == 0)
+ else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
return EVP_PKEY_DH_KDF_X9_42;
return -1;
OSSL_PARAM params[5], *p = params;
const char *mdname = EVP_MD_name(md);
- kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_X942KDF, propq);
+ kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_X942KDF_ASN1, propq);
kctx = EVP_KDF_CTX_new(kdf);
if (kctx == NULL)
goto err;
PROV_R_INVALID_MODE_INT:126:invalid mode int
PROV_R_INVALID_PADDING_MODE:168:invalid padding mode
PROV_R_INVALID_PSS_SALTLEN:169:invalid pss saltlen
+PROV_R_INVALID_PUBINFO:198:invalid pubinfo
PROV_R_INVALID_RSA_KEY:217:invalid rsa key
PROV_R_INVALID_SALT_LENGTH:112:invalid salt length
PROV_R_INVALID_SEED_LENGTH:154:invalid seed length
PROV_R_INVALID_STATE:212:invalid state
PROV_R_INVALID_TAG:110:invalid tag
PROV_R_INVALID_TAGLEN:118:invalid taglen
+PROV_R_INVALID_UKM_LENGTH:200:invalid ukm length
PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest
PROV_R_IN_ERROR_STATE:192:in error state
PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
operation not supported for this keytype
PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small
PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS:228:\
- parent cannot generate random numbers
+ parent cannot generate random numbers
PROV_R_PARENT_LOCKING_NOT_ENABLED:182:parent locking not enabled
PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak
PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute
Specifies the name of a supported KDF algorithm which will be used.
The supported algorithms names include TLS1-PRF, HKDF, SSKDF, PBKDF2,
-SSHKDF, X942KDF, X963KDF and SCRYPT.
+SSHKDF, X942KDF-ASN1, X942KDF-CONCAT, X963KDF and SCRYPT.
=back
L<EVP_KDF-HKDF(7)>,
L<EVP_KDF-SS(7)>,
L<EVP_KDF-SSHKDF(7)>,
-L<EVP_KDF-X942(7)>,
+L<EVP_KDF-X942-ASN1(7)>,
+L<EVP_KDF-X942-CONCAT(7)>,
L<EVP_KDF-X963(7)>
=head1 HISTORY
--- /dev/null
+=pod
+
+=head1 NAME
+
+EVP_KDF-X942-ASN1 - The X9.42-2003 asn1 EVP_KDF implementation
+
+=head1 DESCRIPTION
+
+The EVP_KDF-X942-ASN1 algorithm implements the key derivation function
+X942KDF-ASN1. It is used by DH KeyAgreement, to derive a key using input such as
+a shared secret key and other info. The other info is DER encoded data that
+contains a 32 bit counter as well as optional fields for "partyu-info",
+"partyv-info", "supp-pubinfo" and "supp-privinfo".
+This kdf is used by Cryptographic Message Syntax (CMS).
+
+=head2 Identity
+
+"X942KDF-ASN1" or "X942KDF" is the name for this implementation; it
+can be used with the EVP_KDF_fetch() function.
+
+=head2 Supported parameters
+
+The supported parameters are:
+
+=over 4
+
+=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>
+
+=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>
+
+These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
+
+=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>
+
+The shared secret used for key derivation. This parameter sets the secret.
+
+=item "partyu-info" (B<OSSL_KDF_PARAM_X942_PARTYUINFO>) <octet string>
+
+An optional octet string containing public info contributed by the initiator.
+
+=item "ukm" (B<OSSL_KDF_PARAM_UKM>) <octet string>
+
+An alias for "partyu-info".
+In CMS this is the user keying material.
+
+=item "partyv-info" (B<OSSL_KDF_PARAM_X942_PARTYVINFO>) <octet string>
+
+An optional octet string containing public info contributed by the responder.
+
+=item "supp-pubinfo" (B<OSSL_KDF_PARAM_X942_SUPP_PUBINFO>) <octet string>
+
+An optional octet string containing some additional, mutually-known public
+information. Setting this value also sets "use-keybits" to 0.
+
+=item "use-keybits" (B<OSSL_KDF_PARAM_X942_SUPP_PRIVINFO>) <integer>
+
+The default value of 1 will use the KEK key length (in bits) as the
+"supp-pubinfo". A value of 0 disables setting the "supp-pubinfo".
+
+=item "supp-privinfo" (B<OSSL_KDF_PARAM_X942_SUPP_PRIVINFO>) <octet string>
+
+An optional octet string containing some additional, mutually-known private
+information.
+
+=item "cekalg" (B<OSSL_KDF_PARAM_CEK_ALG>) <UTF8 string>
+
+This parameter sets the CEK wrapping algorithm name.
+Valid values are "AES-128-WRAP", "AES-192-WRAP", "AES-256-WRAP" and "DES3-WRAP".
+
+=back
+
+=head1 NOTES
+
+A context for X942KDF can be obtained by calling:
+
+ EVP_KDF *kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL);
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
+
+The output length of an X942KDF is specified via the I<keylen>
+parameter to the L<EVP_KDF_derive(3)> function.
+
+=head1 EXAMPLES
+
+This example derives 24 bytes, with the secret key "secret" and random user
+keying material:
+
+ EVP_KDF_CTX *kctx;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[192/8];
+ unsignred char ukm[64];
+ OSSL_PARAM params[5], *p = params;
+
+ if (RAND_bytes(ukm, sizeof(ukm)) <= 0)
+ error("RAND_bytes");
+
+ kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL);
+ if (kctx == NULL)
+ error("EVP_KDF_fetch");
+ kctx = EVP_KDF_CTX_new(kdf);
+ EVP_KDF_free(kdf);
+ if (kctx == NULL)
+ error("EVP_KDF_CTX_new");
+
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
+ "secret", (size_t)6);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm));
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, "AES-256-WRAP, 0);
+ *p = OSSL_PARAM_construct_end();
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0)
+ error("EVP_KDF_CTX_set_params");
+
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
+ error("EVP_KDF_derive");
+
+ EVP_KDF_CTX_free(kctx);
+
+=head1 CONFORMING TO
+
+ANS1 X9.42-2003
+RFC 2631
+
+=head1 SEE ALSO
+
+L<EVP_KDF(3)>,
+L<EVP_KDF_CTX_new(3)>,
+L<EVP_KDF_CTX_free(3)>,
+L<EVP_KDF_CTX_set_params(3)>,
+L<EVP_KDF_CTX_get_kdf_size(3)>,
+L<EVP_KDF_derive(3)>,
+L<EVP_KDF(3)/PARAMETERS>
+
+=head1 HISTORY
+
+This functionality was added to OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
--- /dev/null
+=pod
+
+=head1 NAME
+
+EVP_KDF-X942-CONCAT - The X942 Concat EVP_KDF implementation
+
+=head1 DESCRIPTION
+
+The EVP_KDF-X942-CONCAT algorithm is identical to EVP_KDF-X963. It is
+used for key agreement to derive a key using input such as a shared secret key
+and shared info.
+
+=head2 Identity
+
+"X942KDF_CONCAT" is the name for this implementation; it
+can be used with the EVP_KDF_fetch() function.
+
+This is an alias for "X963KDF".
+
+See <EVP_KDF-X963(7)> for a list of supported parameters and examples.
+
+=head1 HISTORY
+
+This functionality was added to OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
+++ /dev/null
-=pod
-
-=head1 NAME
-
-EVP_KDF-X942 - The X9.42-2001 asn1 EVP_KDF implementation
-
-=head1 DESCRIPTION
-
-The EVP_KDF-X942 algorithm implements the key derivation function (X942KDF).
-X942KDF is used by Cryptographic Message Syntax (CMS) for DH KeyAgreement, to
-derive a key using input such as a shared secret key and other info. The other
-info is DER encoded data that contains a 32 bit counter.
-
-=head2 Identity
-
-"X942KDF" is the name for this implementation; it
-can be used with the EVP_KDF_fetch() function.
-
-=head2 Supported parameters
-
-The supported parameters are:
-
-=over 4
-
-=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>
-
-=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>
-
-These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
-
-=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>
-
-The shared secret used for key derivation. This parameter sets the secret.
-
-=item "ukm" (B<OSSL_KDF_PARAM_UKM>) <octet string>
-
-This parameter is an optional random string that is provided
-by the sender called "partyAInfo".
-In CMS this is the user keying material.
-
-=item "cekalg" (B<OSSL_KDF_PARAM_CEK_ALG>) <UTF8 string>
-
-This parameter sets the CEK wrapping algorithm name.
-
-=back
-
-=head1 NOTES
-
-A context for X942KDF can be obtained by calling:
-
- EVP_KDF *kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL);
- EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
-
-The output length of an X942KDF is specified via the I<keylen>
-parameter to the L<EVP_KDF_derive(3)> function.
-
-=head1 EXAMPLES
-
-This example derives 24 bytes, with the secret key "secret" and a random user
-keying material:
-
- EVP_KDF_CTX *kctx;
- EVP_KDF_CTX *kctx;
- unsigned char out[192/8];
- unsignred char ukm[64];
- OSSL_PARAM params[5], *p = params;
-
- if (RAND_bytes(ukm, sizeof(ukm)) <= 0)
- error("RAND_bytes");
-
- kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL);
- if (kctx == NULL)
- error("EVP_KDF_fetch");
- kctx = EVP_KDF_CTX_new(kdf);
- if (kctx == NULL)
- error("EVP_KDF_CTX_new");
- EVP_KDF_free(kdf);
-
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
- SN_sha256, strlen(SN_sha256));
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
- "secret", (size_t)6);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm));
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
- SN_id_smime_alg_CMS3DESwrap,
- strlen(SN_id_smime_alg_CMS3DESwrap));
- *p = OSSL_PARAM_construct_end();
- if (EVP_KDF_CTX_set_params(kctx, params) <= 0)
- error("EVP_KDF_CTX_set_params");
- if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
- error("EVP_KDF_derive");
-
- EVP_KDF_CTX_free(kctx);
-
-=head1 CONFORMING TO
-
-RFC 2631
-
-=head1 SEE ALSO
-
-L<EVP_KDF(3)>,
-L<EVP_KDF_CTX_new(3)>,
-L<EVP_KDF_CTX_free(3)>,
-L<EVP_KDF_CTX_set_params(3)>,
-L<EVP_KDF_CTX_get_kdf_size(3)>,
-L<EVP_KDF_derive(3)>,
-L<EVP_KDF(3)/PARAMETERS>
-
-=head1 HISTORY
-
-This functionality was added to OpenSSL 3.0.
-
-=head1 COPYRIGHT
-
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
=item PBKDF2, see L<EVP_KDF-PBKDF2(7)>
+=item SSHKDF, see L<EVP_KDF-SSHKDF(7)>
+
=item TLS1-PRF, see L<EVP_KDF-TLS1-PRF(7)>
=item KBKDF, see L<EVP_KDF-KBKDF(7)>
+=item X942KDF-ASN1, see L<EVP_KDF-X942-ASN1(7)>
+
+=item X942KDF-CONCAT, see L<EVP_KDF-X942-CONCAT(7)>
+
+=item X963KDF, see L<EVP_KDF-X963(7)>
+
=back
=head2 Key Exchange
=item KBKDF, see L<EVP_KDF-KB(7)>
-=item X942KDF, see L<EVP_KDF-X942(7)>
+=item X942KDF-ASN1, see L<EVP_KDF-X942-ASN1(7)>
+
+=item X942KDF-CONCAT, see L<EVP_KDF-X942-CONCAT(7)>
+
+=item X963KDF, see L<EVP_KDF-X963(7)>
=item SCRYPT, see L<EVP_KDF-SCRYPT(7)>
=item KRB5KDF, see L<EVP_KDF-KRB5KDF(7)>
-=item X963KDF, see L<EVP_KDF-X963(7)>
=back
#define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */
#define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */
#define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */
+#define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info"
+#define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info"
+#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
+#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
+#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
/* Known KDF names */
-#define OSSL_KDF_NAME_HKDF "HKDF"
-#define OSSL_KDF_NAME_PBKDF2 "PBKDF2"
-#define OSSL_KDF_NAME_SCRYPT "SCRYPT"
-#define OSSL_KDF_NAME_SSHKDF "SSHKDF"
-#define OSSL_KDF_NAME_SSKDF "SSKDF"
-#define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF"
-#define OSSL_KDF_NAME_X942KDF "X942KDF"
-#define OSSL_KDF_NAME_X963KDF "X963KDF"
-#define OSSL_KDF_NAME_KBKDF "KBKDF"
-#define OSSL_KDF_NAME_KRB5KDF "KRB5KDF"
+#define OSSL_KDF_NAME_HKDF "HKDF"
+#define OSSL_KDF_NAME_PBKDF2 "PBKDF2"
+#define OSSL_KDF_NAME_SCRYPT "SCRYPT"
+#define OSSL_KDF_NAME_SSHKDF "SSHKDF"
+#define OSSL_KDF_NAME_SSKDF "SSKDF"
+#define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF"
+#define OSSL_KDF_NAME_X942KDF_ASN1 "X942KDF-ASN1"
+#define OSSL_KDF_NAME_X942KDF_CONCAT "X942KDF-CONCAT"
+#define OSSL_KDF_NAME_X963KDF "X963KDF"
+#define OSSL_KDF_NAME_KBKDF "KBKDF"
+#define OSSL_KDF_NAME_KRB5KDF "KRB5KDF"
/* Known RAND names */
#define OSSL_RAND_PARAM_STATE "state"
# define PROV_R_INVALID_MODE_INT 126
# define PROV_R_INVALID_PADDING_MODE 168
# define PROV_R_INVALID_PSS_SALTLEN 169
+# define PROV_R_INVALID_PUBINFO 198
# define PROV_R_INVALID_RSA_KEY 217
# define PROV_R_INVALID_SALT_LENGTH 112
# define PROV_R_INVALID_SEED_LENGTH 154
# define PROV_R_INVALID_STATE 212
# define PROV_R_INVALID_TAG 110
# define PROV_R_INVALID_TAGLEN 118
+# define PROV_R_INVALID_UKM_LENGTH 200
# define PROV_R_INVALID_X931_DIGEST 170
# define PROV_R_IN_ERROR_STATE 192
# define PROV_R_KEY_SIZE_TOO_SMALL 171
"invalid padding mode"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PSS_SALTLEN),
"invalid pss saltlen"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PUBINFO), "invalid pubinfo"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_RSA_KEY), "invalid rsa key"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_SALT_LENGTH),
"invalid salt length"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_STATE), "invalid state"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG), "invalid tag"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAGLEN), "invalid taglen"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_UKM_LENGTH),
+ "invalid ukm length"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_X931_DIGEST),
"invalid x931 digest"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_IN_ERROR_STATE), "in error state"},
{ "PBKDF2", "provider=default", ossl_kdf_pbkdf2_functions },
{ "PKCS12KDF", "provider=default", ossl_kdf_pkcs12_functions },
{ "SSHKDF", "provider=default", ossl_kdf_sshkdf_functions },
- { "X963KDF", "provider=default", ossl_kdf_x963_kdf_functions },
+ { "X963KDF:X942KDF-CONCAT", "provider=default", ossl_kdf_x963_kdf_functions },
{ "TLS1-PRF", "provider=default", ossl_kdf_tls1_prf_functions },
{ "KBKDF", "provider=default", ossl_kdf_kbkdf_functions },
-#ifndef OPENSSL_NO_CMS
- { "X942KDF", "provider=default", ossl_kdf_x942_kdf_functions },
-#endif
+ { "X942KDF-ASN1:X942KDF", "provider=default", ossl_kdf_x942_kdf_functions },
#ifndef OPENSSL_NO_SCRYPT
{ "SCRYPT:id-scrypt", "provider=default", ossl_kdf_scrypt_functions },
#endif
{ "SSKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_sskdf_functions },
{ "PBKDF2", FIPS_DEFAULT_PROPERTIES, ossl_kdf_pbkdf2_functions },
{ "SSHKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
- { "X963KDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_x963_kdf_functions },
+ { "X963KDF:X942KDF-CONCAT", FIPS_DEFAULT_PROPERTIES,
+ ossl_kdf_x963_kdf_functions },
+ { "X942KDF-ASN1:X942KDF", FIPS_DEFAULT_PROPERTIES,
+ ossl_kdf_x942_kdf_functions },
{ "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
{ "KBKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
{ NULL, NULL, NULL }
if (name[0] == '\0')
pdhctx->kdf_type = PROV_DH_KDF_NONE;
- else if (strcmp(name, OSSL_KDF_NAME_X942KDF) == 0)
+ else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
else
return 0;
kdf_type = "";
break;
case PROV_DH_KDF_X9_42_ASN1:
- kdf_type = OSSL_KDF_NAME_X942KDF;
+ kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
break;
default:
return 0;
extern const OSSL_DISPATCH ossl_kdf_sskdf_functions[];
extern const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[];
extern const OSSL_DISPATCH ossl_kdf_kbkdf_functions[];
-#ifndef OPENSSL_NO_CMS
extern const OSSL_DISPATCH ossl_kdf_x942_kdf_functions[];
-#endif
extern const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[];
/* RNGs */
PROV_DIGEST digest;
unsigned char *secret;
size_t secret_len;
- unsigned char *ukm;
- size_t ukm_len;
+ unsigned char *partyuinfo, *partyvinfo, *supp_pubinfo, *supp_privinfo;
+ size_t partyuinfo_len, partyvinfo_len, supp_pubinfo_len, supp_privinfo_len;
size_t dkm_len;
const unsigned char *cek_oid;
size_t cek_oid_len;
+ int use_keybits;
} KDF_X942;
/*
static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen,
const unsigned char *der_oid, size_t der_oidlen,
- const unsigned char *ukm, size_t ukmlen,
+ const unsigned char *partyu, size_t partyulen,
+ const unsigned char *partyv, size_t partyvlen,
+ const unsigned char *supp_pub, size_t supp_publen,
+ const unsigned char *supp_priv, size_t supp_privlen,
uint32_t keylen_bits, unsigned char **pcounter)
{
return (buf != NULL ? WPACKET_init_der(pkt, buf, buflen) :
WPACKET_init_null_der(pkt))
&& ossl_DER_w_begin_sequence(pkt, -1)
- && ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits)
- && (ukm == NULL || ossl_DER_w_octet_string(pkt, 0, ukm, ukmlen))
+ && (supp_priv == NULL
+ || ossl_DER_w_octet_string(pkt, 3, supp_priv, supp_privlen))
+ && (supp_pub == NULL
+ || ossl_DER_w_octet_string(pkt, 2, supp_pub, supp_publen))
+ && (keylen_bits == 0
+ || ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits))
+ && (partyv == NULL || ossl_DER_w_octet_string(pkt, 1, partyv, partyvlen))
+ && (partyu == NULL || ossl_DER_w_octet_string(pkt, 0, partyu, partyulen))
&& DER_w_keyinfo(pkt, der_oid, der_oidlen, pcounter)
&& ossl_DER_w_end_sequence(pkt, -1)
&& WPACKET_finish(pkt);
/*
* Encode the other info structure.
*
- * RFC2631 Section 2.1.2 Contains the following definition for otherinfo
+ * The ANS X9.42-2003 standard uses OtherInfo:
*
* OtherInfo ::= SEQUENCE {
* keyInfo KeySpecificInfo,
- * partyAInfo [0] OCTET STRING OPTIONAL,
- * suppPubInfo [2] OCTET STRING
+ * partyUInfo [0] OCTET STRING OPTIONAL,
+ * partyVInfo [1] OCTET STRING OPTIONAL,
+ * suppPubInfo [2] OCTET STRING OPTIONAL,
+ * suppPrivInfo [3] OCTET STRING OPTIONAL
* }
- * Note suppPubInfo is the key length (in bits) (stored into 4 bytes)
- *
*
* KeySpecificInfo ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* counter OCTET STRING SIZE (4..4)
* }
+ *
+ * RFC2631 Section 2.1.2 Contains the following definition for OtherInfo
+ *
+ * OtherInfo ::= SEQUENCE {
+ * keyInfo KeySpecificInfo,
+ * partyAInfo [0] OCTET STRING OPTIONAL,
+ * suppPubInfo [2] OCTET STRING
+ * }
+ * Where suppPubInfo is the key length (in bits) (stored into 4 bytes)
+ *
+}
*
* |keylen| is the length (in bytes) of the generated KEK. It is stored into
- * suppPubInfo (in bits).
+ * suppPubInfo (in bits). It is ignored if the value is 0.
* |cek_oid| The oid of the key wrapping algorithm.
* |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid,
- * |ukm| is the optional user keying material that is stored into partyAInfo. It
+ * |partyu| is the optional public info contributed by the initiator. It
+ * can be NULL. (It is also used as the ukm by CMS).
+ * |partyu_len| is the |partyu| length (in bytes).
+ * |partyv| is the optional public info contributed by the responder. It
* can be NULL.
- * |ukmlen| is the user keying material length (in bytes).
+ * |partyv_len| is the |partyv| length (in bytes).
+ * |supp_pub| is the optional additional, mutually-known public information. It
+ * can be NULL. |keylen| should be 0 if this is not NULL.
+ * |supp_pub_len| is the |supp_pub| length (in bytes).
+ * |supp_priv| is the optional additional, mutually-known private information. It
+ * can be NULL.
+ * |supp_priv_len| is the |supp_priv| length (in bytes).
* |der| is the returned encoded data. It must be freed by the caller.
* |der_len| is the returned size of the encoded data.
* |out_ctr| returns a pointer to the counter data which is embedded inside the
* Returns: 1 if successfully encoded, or 0 otherwise.
* Assumptions: |der|, |der_len| & |out_ctr| are not NULL.
*/
-static int x942_encode_otherinfo(size_t keylen,
- const unsigned char *cek_oid, size_t cek_oidlen,
- const unsigned char *ukm, size_t ukmlen,
- unsigned char **der, size_t *der_len,
- unsigned char **out_ctr)
+static int
+x942_encode_otherinfo(size_t keylen,
+ const unsigned char *cek_oid, size_t cek_oidlen,
+ const unsigned char *partyu, size_t partyu_len,
+ const unsigned char *partyv, size_t partyv_len,
+ const unsigned char *supp_pub, size_t supp_pub_len,
+ const unsigned char *supp_priv, size_t supp_priv_len,
+ unsigned char **der, size_t *der_len,
+ unsigned char **out_ctr)
{
int ret = 0;
unsigned char *pcounter = NULL, *der_buf = NULL;
keylen_bits = 8 * keylen;
/* Calculate the size of the buffer */
- if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen, ukm, ukmlen,
+ if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen,
+ partyu, partyu_len, partyv, partyv_len,
+ supp_pub, supp_pub_len, supp_priv, supp_priv_len,
keylen_bits, NULL)
|| !WPACKET_get_total_written(&pkt, &der_buflen))
goto err;
goto err;
/* Encode into the buffer */
if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oidlen,
- ukm, ukmlen, keylen_bits, &pcounter))
+ partyu, partyu_len, partyv, partyv_len,
+ supp_pub, supp_pub_len, supp_priv, supp_priv_len,
+ keylen_bits, &pcounter))
goto err;
/*
* Since we allocated the exact size required, the buffer should point to the
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
+ ctx->use_keybits = 1;
return ctx;
}
ossl_prov_digest_reset(&ctx->digest);
OPENSSL_clear_free(ctx->secret, ctx->secret_len);
- OPENSSL_clear_free(ctx->ukm, ctx->ukm_len);
+ OPENSSL_clear_free(ctx->partyuinfo, ctx->partyuinfo_len);
+ OPENSSL_clear_free(ctx->partyvinfo, ctx->partyvinfo_len);
+ OPENSSL_clear_free(ctx->supp_pubinfo, ctx->supp_pubinfo_len);
+ OPENSSL_clear_free(ctx->supp_privinfo, ctx->supp_privinfo_len);
memset(ctx, 0, sizeof(*ctx));
ctx->provctx = provctx;
+ ctx->use_keybits = 1;
}
static void x942kdf_free(void *vctx)
if (!ossl_prov_is_running())
return 0;
+ /*
+ * These 2 options encode to the same field so only one of them should be
+ * active at once.
+ */
+ if (ctx->use_keybits && ctx->supp_pubinfo != NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PUBINFO);
+ return 0;
+ }
+
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
return 0;
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CEK_ALG);
return 0;
}
- if (ctx->ukm != NULL && ctx->ukm_len >= X942KDF_MAX_INLEN) {
+ if (ctx->partyuinfo != NULL && ctx->partyuinfo_len >= X942KDF_MAX_INLEN) {
/*
- * Note the ukm length MUST be 512 bits.
+ * Note the ukm length MUST be 512 bits if it is used.
* For backwards compatibility the old check is being done.
*/
- ERR_raise(ERR_LIB_PROV, PROV_R_INAVLID_UKM_LENGTH);
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_UKM_LENGTH);
return 0;
}
/* generate the otherinfo der */
- if (!x942_encode_otherinfo(ctx->dkm_len,
+ if (!x942_encode_otherinfo(ctx->use_keybits ? ctx->dkm_len : 0,
ctx->cek_oid, ctx->cek_oid_len,
- ctx->ukm, ctx->ukm_len,
+ ctx->partyuinfo, ctx->partyuinfo_len,
+ ctx->partyvinfo, ctx->partyvinfo_len,
+ ctx->supp_pubinfo, ctx->supp_pubinfo_len,
+ ctx->supp_privinfo, ctx->supp_privinfo_len,
&der, &der_len, &ctr)) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
return 0;
if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
return 0;
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL
- || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
- if (!x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
- return 0;
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET);
+ if (p == NULL)
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY);
+ if (p != NULL && !x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYUINFO);
+ if (p == NULL)
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->partyuinfo, &ctx->partyuinfo_len, p))
+ return 0;
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM)) != NULL)
- if (!x942kdf_set_buffer(&ctx->ukm, &ctx->ukm_len, p))
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYVINFO);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->partyvinfo, &ctx->partyvinfo_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_USE_KEYBITS);
+ if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_keybits))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PUBINFO);
+ if (p != NULL) {
+ if (!x942kdf_set_buffer(&ctx->supp_pubinfo, &ctx->supp_pubinfo_len, p))
return 0;
+ ctx->use_keybits = 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PRIVINFO);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->supp_privinfo, &ctx->supp_privinfo_len, p))
+ return 0;
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG)) != NULL) {
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
+ if (p != NULL) {
if (p->data_type != OSSL_PARAM_UTF8_STRING)
return 0;
pq = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_PROPERTIES);
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_UKM, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYUINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYVINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PUBINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PRIVINFO, NULL, 0),
+ OSSL_PARAM_int(OSSL_KDF_PARAM_X942_USE_KEYBITS, NULL),
OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
OSSL_PARAM_END
};
*p = OSSL_PARAM_construct_end();
ret =
- TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF))
+ TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
&& TEST_true(EVP_KDF_CTX_set_params(kctx, params))
&& TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
t->skip = 1;
}
}
- if (p != NULL && strcmp(name, "cipher") == 0) {
- if (is_cipher_disabled(p)) {
- TEST_info("skipping, '%s' is disabled", p);
- t->skip = 1;
- }
+ if (p != NULL
+ && (strcmp(name, "cipher") == 0
+ || strcmp(name, "cekalg") == 0)
+ && is_cipher_disabled(p)) {
+ TEST_info("skipping, '%s' is disabled", p);
+ t->skip = 1;
}
OPENSSL_free(name);
return 1;
if (STR_ENDS_WITH(name, "SCRYPT"))
return 1;
#endif
-#ifdef OPENSSL_NO_CMS
- if (strcasecmp(name, "X942KDF") == 0)
- return 1;
-#endif /* OPENSSL_NO_CMS */
return 0;
}
#ifdef OPENSSL_NO_DES
if (STR_STARTS_WITH(name, "DES"))
return 1;
+ if (STR_ENDS_WITH(name, "3DESwrap"))
+ return 1;
#endif
#ifdef OPENSSL_NO_OCB
if (STR_ENDS_WITH(name, "OCB"))
evpkdf_ss.txt
evpkdf_ssh.txt
evpkdf_tls12_prf.txt
+ evpkdf_x942.txt
evpkdf_x963.txt
evpmac_common.txt
evpmd_sha.txt
evpkdf_krb5.txt
evpkdf_scrypt.txt
evpkdf_tls11_prf.txt
- evpkdf_x942.txt
evpmac_blake.txt
evpmac_poly1305.txt
evpmac_siphash.txt
Title = X9.42 KDF tests (from RFC2631 test vectors)
-KDF = X942KDF
+Availablein = default
+KDF = X942KDF-ASN1
Ctrl.digest = digest:SHA1
Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
Ctrl.cekalg = cekalg:id-smime-alg-CMS3DESwrap
KDF = X942KDF
Ctrl.digest = digest:SHA1
-Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.hexkey = hexkey:000102030405060708090a0b0c0d0e0f10111213
Ctrl.cekalg = cekalg:id-aes256-wrap
Ctrl.hexukm = hexukm:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
Output = 8890585C4E281A5C1167CAA530BED59B3230D893CBA8F922BD1B56A0
+
+Title = X9.42 KDF tests (generated tests to test different options)
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Output = 8890585C4E281A5C1167CAA530BED59B3230D893CBA8F922BD1B56A0
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Ctrl.use-keybits = use-keybits:0
+Output = 54bd5dbc1fa4c42c951f6fa51ec59e202b8c622bdb179fb2dd691ffb
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyv-info = hexpartyv-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Ctrl.use-keybits = use-keybits:0
+Output = 76d566e948ca9ae61bcd4ce076f0bd5fe6789b5b0f288977235ecb12
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Output = ff368c7addb27d7599f8d49bc8d7fbf804540f119491ea419792c82c
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexsupp-privinfo = hexsupp-privinfo:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Output = 6b68b7affe5efc15e77df56e3dd639b22aa39f12eb0685b33fb39c57
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdef
+Ctrl.hexpartyv-info = hexpartyv-info:fedcba9876543210
+Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:12345678
+Ctrl.hexsupp-privinfo = hexsupp-privinfo:87654321
+Output = 2c5c1f028c6d1fc9ba752e41fdb9edb2ea936f1b2449f214acd56d31
Ctrl.hexinfo = hexinfo:cf3a74ba86af42f1ae85477ead645583
Output = 995d1ab8557dfeafcb347f8182583fa0ac5e6cb3912393592590989f38a0214f6cf7d6fbe23917b0966c6a870876de2a2c13a45fa7aa1715be137ed332e1ffc204ce4dcce33ece6dec7f3da61fa049780040e44142cc8a1e5121cf56b386f65b7c261a192f05e5fefae4221a602bc51c41ef175dc45fb7eab8642421b4f7e3e7
-KDF = X963KDF
+KDF = X942KDF-CONCAT
Ctrl.digest = digest:SHA512
Ctrl.hexsecret = hexsecret:0037cd001a0ad87f35ddf58ab355d6144ba2ed0749a7435dab548ba0bfbe723c047e2396b4eef99653412a92c8db74bb5c03063f2eb0525ae87356750ae3676faa86
Ctrl.hexinfo = hexinfo:eb17da8851c41c7ac6710b1c49f324f8
projects / openssl.git / commitdiff