From 89cccbea51fa52a1e4784a9ece35d96e4dcbfd30 Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Mon, 16 Nov 2020 12:42:18 +1000 Subject: [PATCH 1/1] Add EVP_KDF-X942 to the fips module The X942 KDF had been modified so that it supports all optional fields - not just the fields used by CMS. As there are 2 types of KDF for X942 - this has been made a bit clearer by adding an X942KDF-ASN1 alias. X942KDF-CONCAT has also been added as an alias of X963KDF. This work was instigated as a result of the ACVP tests optionally being able to use keybits for the supp_pubinfo field. Setting the parameter OSSL_KDF_PARAM_X942_USE_KEYBITS to 0 allows this to be disabled. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13418) --- crypto/dh/dh_ctrl.c | 4 +- crypto/dh/dh_kdf.c | 2 +- crypto/err/openssl.txt | 4 +- doc/man1/openssl-kdf.pod.in | 5 +- doc/man7/EVP_KDF-X942-ASN1.pod | 146 +++++++++++++++++ doc/man7/EVP_KDF-X942-CONCAT.pod | 35 ++++ doc/man7/EVP_KDF-X942.pod | 122 -------------- doc/man7/OSSL_PROVIDER-FIPS.pod | 8 + doc/man7/OSSL_PROVIDER-default.pod | 7 +- include/openssl/core_names.h | 26 +-- .../common/include/prov/providercommonerr.h | 2 + providers/common/provider_err.c | 3 + providers/defltprov.c | 6 +- providers/fips/fipsprov.c | 5 +- providers/implementations/exchange/dh_exch.c | 4 +- .../include/prov/implementations.h | 2 - providers/implementations/kdfs/x942kdf.c | 152 ++++++++++++++---- test/evp_kdf_test.c | 2 +- test/evp_test.c | 17 +- test/recipes/30-test_evp.t | 2 +- test/recipes/30-test_evp_data/evpkdf_x942.txt | 54 ++++++- test/recipes/30-test_evp_data/evpkdf_x963.txt | 2 +- 22 files changed, 414 insertions(+), 196 deletions(-) create mode 100644 doc/man7/EVP_KDF-X942-ASN1.pod create mode 100644 doc/man7/EVP_KDF-X942-CONCAT.pod delete mode 100644 doc/man7/EVP_KDF-X942.pod diff --git a/crypto/dh/dh_ctrl.c b/crypto/dh/dh_ctrl.c index 2aa69fd154..291b0ad419 100644 --- a/crypto/dh/dh_ctrl.c +++ b/crypto/dh/dh_ctrl.c @@ -237,7 +237,7 @@ int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf) kdf_type = ""; break; case EVP_PKEY_DH_KDF_X9_42: - kdf_type = OSSL_KDF_NAME_X942KDF; + kdf_type = OSSL_KDF_NAME_X942KDF_ASN1; break; default: return -2; @@ -289,7 +289,7 @@ int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx) if (kdf_type[0] == '\0') return EVP_PKEY_DH_KDF_NONE; - else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF) == 0) + else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF_ASN1) == 0) return EVP_PKEY_DH_KDF_X9_42; return -1; diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c index 9737d4d712..ea2cd6386c 100644 --- a/crypto/dh/dh_kdf.c +++ b/crypto/dh/dh_kdf.c @@ -37,7 +37,7 @@ int dh_KDF_X9_42_asn1(unsigned char *out, size_t outlen, OSSL_PARAM params[5], *p = params; const char *mdname = EVP_MD_name(md); - kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_X942KDF, propq); + kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_X942KDF_ASN1, propq); kctx = EVP_KDF_CTX_new(kdf); if (kctx == NULL) goto err; diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index ca10840cee..88b6168214 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2879,6 +2879,7 @@ PROV_R_INVALID_MODE:125:invalid mode PROV_R_INVALID_MODE_INT:126:invalid mode int PROV_R_INVALID_PADDING_MODE:168:invalid padding mode PROV_R_INVALID_PSS_SALTLEN:169:invalid pss saltlen +PROV_R_INVALID_PUBINFO:198:invalid pubinfo PROV_R_INVALID_RSA_KEY:217:invalid rsa key PROV_R_INVALID_SALT_LENGTH:112:invalid salt length PROV_R_INVALID_SEED_LENGTH:154:invalid seed length @@ -2886,6 +2887,7 @@ PROV_R_INVALID_SIGNATURE_SIZE:179:invalid signature size PROV_R_INVALID_STATE:212:invalid state PROV_R_INVALID_TAG:110:invalid tag PROV_R_INVALID_TAGLEN:118:invalid taglen +PROV_R_INVALID_UKM_LENGTH:200:invalid ukm length PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest PROV_R_IN_ERROR_STATE:192:in error state PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small @@ -2917,7 +2919,7 @@ PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:178:\ operation not supported for this keytype PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS:228:\ - parent cannot generate random numbers + parent cannot generate random numbers PROV_R_PARENT_LOCKING_NOT_ENABLED:182:parent locking not enabled PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute diff --git a/doc/man1/openssl-kdf.pod.in b/doc/man1/openssl-kdf.pod.in index 9c585325ba..3d532ebfc6 100644 --- a/doc/man1/openssl-kdf.pod.in +++ b/doc/man1/openssl-kdf.pod.in @@ -87,7 +87,7 @@ To see the list of supported digests, use the command I. Specifies the name of a supported KDF algorithm which will be used. The supported algorithms names include TLS1-PRF, HKDF, SSKDF, PBKDF2, -SSHKDF, X942KDF, X963KDF and SCRYPT. +SSHKDF, X942KDF-ASN1, X942KDF-CONCAT, X963KDF and SCRYPT. =back @@ -156,7 +156,8 @@ L, L, L, L, -L, +L, +L, L =head1 HISTORY diff --git a/doc/man7/EVP_KDF-X942-ASN1.pod b/doc/man7/EVP_KDF-X942-ASN1.pod new file mode 100644 index 0000000000..3c5c3077ca --- /dev/null +++ b/doc/man7/EVP_KDF-X942-ASN1.pod @@ -0,0 +1,146 @@ +=pod + +=head1 NAME + +EVP_KDF-X942-ASN1 - The X9.42-2003 asn1 EVP_KDF implementation + +=head1 DESCRIPTION + +The EVP_KDF-X942-ASN1 algorithm implements the key derivation function +X942KDF-ASN1. It is used by DH KeyAgreement, to derive a key using input such as +a shared secret key and other info. The other info is DER encoded data that +contains a 32 bit counter as well as optional fields for "partyu-info", +"partyv-info", "supp-pubinfo" and "supp-privinfo". +This kdf is used by Cryptographic Message Syntax (CMS). + +=head2 Identity + +"X942KDF-ASN1" or "X942KDF" is the name for this implementation; it +can be used with the EVP_KDF_fetch() function. + +=head2 Supported parameters + +The supported parameters are: + +=over 4 + +=item "properties" (B) + +=item "digest" (B) + +These parameters work as described in L. + +=item "key" (B) + +The shared secret used for key derivation. This parameter sets the secret. + +=item "partyu-info" (B) + +An optional octet string containing public info contributed by the initiator. + +=item "ukm" (B) + +An alias for "partyu-info". +In CMS this is the user keying material. + +=item "partyv-info" (B) + +An optional octet string containing public info contributed by the responder. + +=item "supp-pubinfo" (B) + +An optional octet string containing some additional, mutually-known public +information. Setting this value also sets "use-keybits" to 0. + +=item "use-keybits" (B) + +The default value of 1 will use the KEK key length (in bits) as the +"supp-pubinfo". A value of 0 disables setting the "supp-pubinfo". + +=item "supp-privinfo" (B) + +An optional octet string containing some additional, mutually-known private +information. + +=item "cekalg" (B) + +This parameter sets the CEK wrapping algorithm name. +Valid values are "AES-128-WRAP", "AES-192-WRAP", "AES-256-WRAP" and "DES3-WRAP". + +=back + +=head1 NOTES + +A context for X942KDF can be obtained by calling: + + EVP_KDF *kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL); + EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf); + +The output length of an X942KDF is specified via the I +parameter to the L function. + +=head1 EXAMPLES + +This example derives 24 bytes, with the secret key "secret" and random user +keying material: + + EVP_KDF_CTX *kctx; + EVP_KDF_CTX *kctx; + unsigned char out[192/8]; + unsignred char ukm[64]; + OSSL_PARAM params[5], *p = params; + + if (RAND_bytes(ukm, sizeof(ukm)) <= 0) + error("RAND_bytes"); + + kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL); + if (kctx == NULL) + error("EVP_KDF_fetch"); + kctx = EVP_KDF_CTX_new(kdf); + EVP_KDF_free(kdf); + if (kctx == NULL) + error("EVP_KDF_CTX_new"); + + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + "secret", (size_t)6); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm)); + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, "AES-256-WRAP, 0); + *p = OSSL_PARAM_construct_end(); + if (EVP_KDF_CTX_set_params(kctx, params) <= 0) + error("EVP_KDF_CTX_set_params"); + + if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) + error("EVP_KDF_derive"); + + EVP_KDF_CTX_free(kctx); + +=head1 CONFORMING TO + +ANS1 X9.42-2003 +RFC 2631 + +=head1 SEE ALSO + +L, +L, +L, +L, +L, +L, +L + +=head1 HISTORY + +This functionality was added to OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/EVP_KDF-X942-CONCAT.pod b/doc/man7/EVP_KDF-X942-CONCAT.pod new file mode 100644 index 0000000000..9ea6e84dfb --- /dev/null +++ b/doc/man7/EVP_KDF-X942-CONCAT.pod @@ -0,0 +1,35 @@ +=pod + +=head1 NAME + +EVP_KDF-X942-CONCAT - The X942 Concat EVP_KDF implementation + +=head1 DESCRIPTION + +The EVP_KDF-X942-CONCAT algorithm is identical to EVP_KDF-X963. It is +used for key agreement to derive a key using input such as a shared secret key +and shared info. + +=head2 Identity + +"X942KDF_CONCAT" is the name for this implementation; it +can be used with the EVP_KDF_fetch() function. + +This is an alias for "X963KDF". + +See for a list of supported parameters and examples. + +=head1 HISTORY + +This functionality was added to OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/EVP_KDF-X942.pod b/doc/man7/EVP_KDF-X942.pod deleted file mode 100644 index 70da41437b..0000000000 --- a/doc/man7/EVP_KDF-X942.pod +++ /dev/null @@ -1,122 +0,0 @@ -=pod - -=head1 NAME - -EVP_KDF-X942 - The X9.42-2001 asn1 EVP_KDF implementation - -=head1 DESCRIPTION - -The EVP_KDF-X942 algorithm implements the key derivation function (X942KDF). -X942KDF is used by Cryptographic Message Syntax (CMS) for DH KeyAgreement, to -derive a key using input such as a shared secret key and other info. The other -info is DER encoded data that contains a 32 bit counter. - -=head2 Identity - -"X942KDF" is the name for this implementation; it -can be used with the EVP_KDF_fetch() function. - -=head2 Supported parameters - -The supported parameters are: - -=over 4 - -=item "properties" (B) - -=item "digest" (B) - -These parameters work as described in L. - -=item "key" (B) - -The shared secret used for key derivation. This parameter sets the secret. - -=item "ukm" (B) - -This parameter is an optional random string that is provided -by the sender called "partyAInfo". -In CMS this is the user keying material. - -=item "cekalg" (B) - -This parameter sets the CEK wrapping algorithm name. - -=back - -=head1 NOTES - -A context for X942KDF can be obtained by calling: - - EVP_KDF *kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL); - EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf); - -The output length of an X942KDF is specified via the I -parameter to the L function. - -=head1 EXAMPLES - -This example derives 24 bytes, with the secret key "secret" and a random user -keying material: - - EVP_KDF_CTX *kctx; - EVP_KDF_CTX *kctx; - unsigned char out[192/8]; - unsignred char ukm[64]; - OSSL_PARAM params[5], *p = params; - - if (RAND_bytes(ukm, sizeof(ukm)) <= 0) - error("RAND_bytes"); - - kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL); - if (kctx == NULL) - error("EVP_KDF_fetch"); - kctx = EVP_KDF_CTX_new(kdf); - if (kctx == NULL) - error("EVP_KDF_CTX_new"); - EVP_KDF_free(kdf); - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - SN_sha256, strlen(SN_sha256)); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, - "secret", (size_t)6); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm)); - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, - SN_id_smime_alg_CMS3DESwrap, - strlen(SN_id_smime_alg_CMS3DESwrap)); - *p = OSSL_PARAM_construct_end(); - if (EVP_KDF_CTX_set_params(kctx, params) <= 0) - error("EVP_KDF_CTX_set_params"); - if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) - error("EVP_KDF_derive"); - - EVP_KDF_CTX_free(kctx); - -=head1 CONFORMING TO - -RFC 2631 - -=head1 SEE ALSO - -L, -L, -L, -L, -L, -L, -L - -=head1 HISTORY - -This functionality was added to OpenSSL 3.0. - -=head1 COPYRIGHT - -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the Apache License 2.0 (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index b802efe215..7e2029b3eb 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -90,10 +90,18 @@ The OpenSSL FIPS provider supports these operations and algorithms: =item PBKDF2, see L +=item SSHKDF, see L + =item TLS1-PRF, see L =item KBKDF, see L +=item X942KDF-ASN1, see L + +=item X942KDF-CONCAT, see L + +=item X963KDF, see L + =back =head2 Key Exchange diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index da6185c4d3..96144e2260 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -132,13 +132,16 @@ The OpenSSL default provider supports these operations and algorithms: =item KBKDF, see L -=item X942KDF, see L +=item X942KDF-ASN1, see L + +=item X942KDF-CONCAT, see L + +=item X963KDF, see L =item SCRYPT, see L =item KRB5KDF, see L -=item X963KDF, see L =back diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index d41feeb144..de9d67c078 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -203,18 +203,24 @@ extern "C" { #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */ +#define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" +#define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" +#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" +#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" +#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" /* Known KDF names */ -#define OSSL_KDF_NAME_HKDF "HKDF" -#define OSSL_KDF_NAME_PBKDF2 "PBKDF2" -#define OSSL_KDF_NAME_SCRYPT "SCRYPT" -#define OSSL_KDF_NAME_SSHKDF "SSHKDF" -#define OSSL_KDF_NAME_SSKDF "SSKDF" -#define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF" -#define OSSL_KDF_NAME_X942KDF "X942KDF" -#define OSSL_KDF_NAME_X963KDF "X963KDF" -#define OSSL_KDF_NAME_KBKDF "KBKDF" -#define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" +#define OSSL_KDF_NAME_HKDF "HKDF" +#define OSSL_KDF_NAME_PBKDF2 "PBKDF2" +#define OSSL_KDF_NAME_SCRYPT "SCRYPT" +#define OSSL_KDF_NAME_SSHKDF "SSHKDF" +#define OSSL_KDF_NAME_SSKDF "SSKDF" +#define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF" +#define OSSL_KDF_NAME_X942KDF_ASN1 "X942KDF-ASN1" +#define OSSL_KDF_NAME_X942KDF_CONCAT "X942KDF-CONCAT" +#define OSSL_KDF_NAME_X963KDF "X963KDF" +#define OSSL_KDF_NAME_KBKDF "KBKDF" +#define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" /* Known RAND names */ #define OSSL_RAND_PARAM_STATE "state" diff --git a/providers/common/include/prov/providercommonerr.h b/providers/common/include/prov/providercommonerr.h index 289a7c6857..ad1bd20c53 100644 --- a/providers/common/include/prov/providercommonerr.h +++ b/providers/common/include/prov/providercommonerr.h @@ -105,6 +105,7 @@ int err_load_PROV_strings_int(void); # define PROV_R_INVALID_MODE_INT 126 # define PROV_R_INVALID_PADDING_MODE 168 # define PROV_R_INVALID_PSS_SALTLEN 169 +# define PROV_R_INVALID_PUBINFO 198 # define PROV_R_INVALID_RSA_KEY 217 # define PROV_R_INVALID_SALT_LENGTH 112 # define PROV_R_INVALID_SEED_LENGTH 154 @@ -112,6 +113,7 @@ int err_load_PROV_strings_int(void); # define PROV_R_INVALID_STATE 212 # define PROV_R_INVALID_TAG 110 # define PROV_R_INVALID_TAGLEN 118 +# define PROV_R_INVALID_UKM_LENGTH 200 # define PROV_R_INVALID_X931_DIGEST 170 # define PROV_R_IN_ERROR_STATE 192 # define PROV_R_KEY_SIZE_TOO_SMALL 171 diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c index 7bf2a55d99..fed6018387 100644 --- a/providers/common/provider_err.c +++ b/providers/common/provider_err.c @@ -104,6 +104,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "invalid padding mode"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PSS_SALTLEN), "invalid pss saltlen"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PUBINFO), "invalid pubinfo"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_RSA_KEY), "invalid rsa key"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_SALT_LENGTH), "invalid salt length"}, @@ -114,6 +115,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_STATE), "invalid state"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG), "invalid tag"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAGLEN), "invalid taglen"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_UKM_LENGTH), + "invalid ukm length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_X931_DIGEST), "invalid x931 digest"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_IN_ERROR_STATE), "in error state"}, diff --git a/providers/defltprov.c b/providers/defltprov.c index e5d7fe4877..9a662738d8 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -331,12 +331,10 @@ static const OSSL_ALGORITHM deflt_kdfs[] = { { "PBKDF2", "provider=default", ossl_kdf_pbkdf2_functions }, { "PKCS12KDF", "provider=default", ossl_kdf_pkcs12_functions }, { "SSHKDF", "provider=default", ossl_kdf_sshkdf_functions }, - { "X963KDF", "provider=default", ossl_kdf_x963_kdf_functions }, + { "X963KDF:X942KDF-CONCAT", "provider=default", ossl_kdf_x963_kdf_functions }, { "TLS1-PRF", "provider=default", ossl_kdf_tls1_prf_functions }, { "KBKDF", "provider=default", ossl_kdf_kbkdf_functions }, -#ifndef OPENSSL_NO_CMS - { "X942KDF", "provider=default", ossl_kdf_x942_kdf_functions }, -#endif + { "X942KDF-ASN1:X942KDF", "provider=default", ossl_kdf_x942_kdf_functions }, #ifndef OPENSSL_NO_SCRYPT { "SCRYPT:id-scrypt", "provider=default", ossl_kdf_scrypt_functions }, #endif diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index ffb7510054..f59c2c1c91 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -328,7 +328,10 @@ static const OSSL_ALGORITHM fips_kdfs[] = { { "SSKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_sskdf_functions }, { "PBKDF2", FIPS_DEFAULT_PROPERTIES, ossl_kdf_pbkdf2_functions }, { "SSHKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions }, - { "X963KDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_x963_kdf_functions }, + { "X963KDF:X942KDF-CONCAT", FIPS_DEFAULT_PROPERTIES, + ossl_kdf_x963_kdf_functions }, + { "X942KDF-ASN1:X942KDF", FIPS_DEFAULT_PROPERTIES, + ossl_kdf_x942_kdf_functions }, { "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions }, { "KBKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions }, { NULL, NULL, NULL } diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 3eeac98497..d8689f5c53 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -297,7 +297,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) if (name[0] == '\0') pdhctx->kdf_type = PROV_DH_KDF_NONE; - else if (strcmp(name, OSSL_KDF_NAME_X942KDF) == 0) + else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0) pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1; else return 0; @@ -421,7 +421,7 @@ static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[]) kdf_type = ""; break; case PROV_DH_KDF_X9_42_ASN1: - kdf_type = OSSL_KDF_NAME_X942KDF; + kdf_type = OSSL_KDF_NAME_X942KDF_ASN1; break; default: return 0; diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index ffc23f60d8..00178d4ceb 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -260,9 +260,7 @@ extern const OSSL_DISPATCH ossl_kdf_sshkdf_functions[]; extern const OSSL_DISPATCH ossl_kdf_sskdf_functions[]; extern const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[]; extern const OSSL_DISPATCH ossl_kdf_kbkdf_functions[]; -#ifndef OPENSSL_NO_CMS extern const OSSL_DISPATCH ossl_kdf_x942_kdf_functions[]; -#endif extern const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[]; /* RNGs */ diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index f19e014927..31a69a096e 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -39,11 +39,12 @@ typedef struct { PROV_DIGEST digest; unsigned char *secret; size_t secret_len; - unsigned char *ukm; - size_t ukm_len; + unsigned char *partyuinfo, *partyvinfo, *supp_pubinfo, *supp_privinfo; + size_t partyuinfo_len, partyvinfo_len, supp_pubinfo_len, supp_privinfo_len; size_t dkm_len; const unsigned char *cek_oid; size_t cek_oid_len; + int use_keybits; } KDF_X942; /* @@ -109,14 +110,23 @@ static int DER_w_keyinfo(WPACKET *pkt, static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen, const unsigned char *der_oid, size_t der_oidlen, - const unsigned char *ukm, size_t ukmlen, + const unsigned char *partyu, size_t partyulen, + const unsigned char *partyv, size_t partyvlen, + const unsigned char *supp_pub, size_t supp_publen, + const unsigned char *supp_priv, size_t supp_privlen, uint32_t keylen_bits, unsigned char **pcounter) { return (buf != NULL ? WPACKET_init_der(pkt, buf, buflen) : WPACKET_init_null_der(pkt)) && ossl_DER_w_begin_sequence(pkt, -1) - && ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits) - && (ukm == NULL || ossl_DER_w_octet_string(pkt, 0, ukm, ukmlen)) + && (supp_priv == NULL + || ossl_DER_w_octet_string(pkt, 3, supp_priv, supp_privlen)) + && (supp_pub == NULL + || ossl_DER_w_octet_string(pkt, 2, supp_pub, supp_publen)) + && (keylen_bits == 0 + || ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits)) + && (partyv == NULL || ossl_DER_w_octet_string(pkt, 1, partyv, partyvlen)) + && (partyu == NULL || ossl_DER_w_octet_string(pkt, 0, partyu, partyulen)) && DER_w_keyinfo(pkt, der_oid, der_oidlen, pcounter) && ossl_DER_w_end_sequence(pkt, -1) && WPACKET_finish(pkt); @@ -125,28 +135,48 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen /* * Encode the other info structure. * - * RFC2631 Section 2.1.2 Contains the following definition for otherinfo + * The ANS X9.42-2003 standard uses OtherInfo: * * OtherInfo ::= SEQUENCE { * keyInfo KeySpecificInfo, - * partyAInfo [0] OCTET STRING OPTIONAL, - * suppPubInfo [2] OCTET STRING + * partyUInfo [0] OCTET STRING OPTIONAL, + * partyVInfo [1] OCTET STRING OPTIONAL, + * suppPubInfo [2] OCTET STRING OPTIONAL, + * suppPrivInfo [3] OCTET STRING OPTIONAL * } - * Note suppPubInfo is the key length (in bits) (stored into 4 bytes) - * * * KeySpecificInfo ::= SEQUENCE { * algorithm OBJECT IDENTIFIER, * counter OCTET STRING SIZE (4..4) * } + * + * RFC2631 Section 2.1.2 Contains the following definition for OtherInfo + * + * OtherInfo ::= SEQUENCE { + * keyInfo KeySpecificInfo, + * partyAInfo [0] OCTET STRING OPTIONAL, + * suppPubInfo [2] OCTET STRING + * } + * Where suppPubInfo is the key length (in bits) (stored into 4 bytes) + * +} * * |keylen| is the length (in bytes) of the generated KEK. It is stored into - * suppPubInfo (in bits). + * suppPubInfo (in bits). It is ignored if the value is 0. * |cek_oid| The oid of the key wrapping algorithm. * |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid, - * |ukm| is the optional user keying material that is stored into partyAInfo. It + * |partyu| is the optional public info contributed by the initiator. It + * can be NULL. (It is also used as the ukm by CMS). + * |partyu_len| is the |partyu| length (in bytes). + * |partyv| is the optional public info contributed by the responder. It * can be NULL. - * |ukmlen| is the user keying material length (in bytes). + * |partyv_len| is the |partyv| length (in bytes). + * |supp_pub| is the optional additional, mutually-known public information. It + * can be NULL. |keylen| should be 0 if this is not NULL. + * |supp_pub_len| is the |supp_pub| length (in bytes). + * |supp_priv| is the optional additional, mutually-known private information. It + * can be NULL. + * |supp_priv_len| is the |supp_priv| length (in bytes). * |der| is the returned encoded data. It must be freed by the caller. * |der_len| is the returned size of the encoded data. * |out_ctr| returns a pointer to the counter data which is embedded inside the @@ -155,11 +185,15 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen * Returns: 1 if successfully encoded, or 0 otherwise. * Assumptions: |der|, |der_len| & |out_ctr| are not NULL. */ -static int x942_encode_otherinfo(size_t keylen, - const unsigned char *cek_oid, size_t cek_oidlen, - const unsigned char *ukm, size_t ukmlen, - unsigned char **der, size_t *der_len, - unsigned char **out_ctr) +static int +x942_encode_otherinfo(size_t keylen, + const unsigned char *cek_oid, size_t cek_oidlen, + const unsigned char *partyu, size_t partyu_len, + const unsigned char *partyv, size_t partyv_len, + const unsigned char *supp_pub, size_t supp_pub_len, + const unsigned char *supp_priv, size_t supp_priv_len, + unsigned char **der, size_t *der_len, + unsigned char **out_ctr) { int ret = 0; unsigned char *pcounter = NULL, *der_buf = NULL; @@ -173,7 +207,9 @@ static int x942_encode_otherinfo(size_t keylen, keylen_bits = 8 * keylen; /* Calculate the size of the buffer */ - if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen, ukm, ukmlen, + if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen, + partyu, partyu_len, partyv, partyv_len, + supp_pub, supp_pub_len, supp_priv, supp_priv_len, keylen_bits, NULL) || !WPACKET_get_total_written(&pkt, &der_buflen)) goto err; @@ -184,7 +220,9 @@ static int x942_encode_otherinfo(size_t keylen, goto err; /* Encode into the buffer */ if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oidlen, - ukm, ukmlen, keylen_bits, &pcounter)) + partyu, partyu_len, partyv, partyv_len, + supp_pub, supp_pub_len, supp_priv, supp_priv_len, + keylen_bits, &pcounter)) goto err; /* * Since we allocated the exact size required, the buffer should point to the @@ -287,6 +325,7 @@ static void *x942kdf_new(void *provctx) if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ctx->provctx = provctx; + ctx->use_keybits = 1; return ctx; } @@ -297,9 +336,13 @@ static void x942kdf_reset(void *vctx) ossl_prov_digest_reset(&ctx->digest); OPENSSL_clear_free(ctx->secret, ctx->secret_len); - OPENSSL_clear_free(ctx->ukm, ctx->ukm_len); + OPENSSL_clear_free(ctx->partyuinfo, ctx->partyuinfo_len); + OPENSSL_clear_free(ctx->partyvinfo, ctx->partyvinfo_len); + OPENSSL_clear_free(ctx->supp_pubinfo, ctx->supp_pubinfo_len); + OPENSSL_clear_free(ctx->supp_privinfo, ctx->supp_privinfo_len); memset(ctx, 0, sizeof(*ctx)); ctx->provctx = provctx; + ctx->use_keybits = 1; } static void x942kdf_free(void *vctx) @@ -348,6 +391,15 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) if (!ossl_prov_is_running()) return 0; + /* + * These 2 options encode to the same field so only one of them should be + * active at once. + */ + if (ctx->use_keybits && ctx->supp_pubinfo != NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PUBINFO); + return 0; + } + if (ctx->secret == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); return 0; @@ -361,18 +413,21 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CEK_ALG); return 0; } - if (ctx->ukm != NULL && ctx->ukm_len >= X942KDF_MAX_INLEN) { + if (ctx->partyuinfo != NULL && ctx->partyuinfo_len >= X942KDF_MAX_INLEN) { /* - * Note the ukm length MUST be 512 bits. + * Note the ukm length MUST be 512 bits if it is used. * For backwards compatibility the old check is being done. */ - ERR_raise(ERR_LIB_PROV, PROV_R_INAVLID_UKM_LENGTH); + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_UKM_LENGTH); return 0; } /* generate the otherinfo der */ - if (!x942_encode_otherinfo(ctx->dkm_len, + if (!x942_encode_otherinfo(ctx->use_keybits ? ctx->dkm_len : 0, ctx->cek_oid, ctx->cek_oid_len, - ctx->ukm, ctx->ukm_len, + ctx->partyuinfo, ctx->partyuinfo_len, + ctx->partyvinfo, ctx->partyvinfo_len, + ctx->supp_pubinfo, ctx->supp_pubinfo_len, + ctx->supp_privinfo, ctx->supp_privinfo_len, &der, &der_len, &ctr)) { ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); return 0; @@ -394,16 +449,42 @@ static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) return 0; - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL - || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) - if (!x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p)) - return 0; + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET); + if (p == NULL) + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY); + if (p != NULL && !x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p)) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYUINFO); + if (p == NULL) + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM); + if (p != NULL + && !x942kdf_set_buffer(&ctx->partyuinfo, &ctx->partyuinfo_len, p)) + return 0; - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM)) != NULL) - if (!x942kdf_set_buffer(&ctx->ukm, &ctx->ukm_len, p)) + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYVINFO); + if (p != NULL + && !x942kdf_set_buffer(&ctx->partyvinfo, &ctx->partyvinfo_len, p)) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_USE_KEYBITS); + if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_keybits)) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PUBINFO); + if (p != NULL) { + if (!x942kdf_set_buffer(&ctx->supp_pubinfo, &ctx->supp_pubinfo_len, p)) return 0; + ctx->use_keybits = 0; + } + + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PRIVINFO); + if (p != NULL + && !x942kdf_set_buffer(&ctx->supp_privinfo, &ctx->supp_privinfo_len, p)) + return 0; - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG)) != NULL) { + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG); + if (p != NULL) { if (p->data_type != OSSL_PARAM_UTF8_STRING) return 0; pq = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_PROPERTIES); @@ -430,6 +511,11 @@ static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *provctx) OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_UKM, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYUINFO, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYVINFO, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PUBINFO, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PRIVINFO, NULL, 0), + OSSL_PARAM_int(OSSL_KDF_PARAM_X942_USE_KEYBITS, NULL), OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0), OSSL_PARAM_END }; diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 2ff43a9c17..d56e14cdb0 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -1324,7 +1324,7 @@ static int test_kdf_x942_asn1(void) *p = OSSL_PARAM_construct_end(); ret = - TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF)) + TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1)) && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); diff --git a/test/evp_test.c b/test/evp_test.c index ba26108eb2..d4d60694d4 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -2424,11 +2424,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, t->skip = 1; } } - if (p != NULL && strcmp(name, "cipher") == 0) { - if (is_cipher_disabled(p)) { - TEST_info("skipping, '%s' is disabled", p); - t->skip = 1; - } + if (p != NULL + && (strcmp(name, "cipher") == 0 + || strcmp(name, "cekalg") == 0) + && is_cipher_disabled(p)) { + TEST_info("skipping, '%s' is disabled", p); + t->skip = 1; } OPENSSL_free(name); return 1; @@ -3709,10 +3710,6 @@ static int is_kdf_disabled(const char *name) if (STR_ENDS_WITH(name, "SCRYPT")) return 1; #endif -#ifdef OPENSSL_NO_CMS - if (strcasecmp(name, "X942KDF") == 0) - return 1; -#endif /* OPENSSL_NO_CMS */ return 0; } @@ -3745,6 +3742,8 @@ static int is_cipher_disabled(const char *name) #ifdef OPENSSL_NO_DES if (STR_STARTS_WITH(name, "DES")) return 1; + if (STR_ENDS_WITH(name, "3DESwrap")) + return 1; #endif #ifdef OPENSSL_NO_OCB if (STR_ENDS_WITH(name, "OCB")) diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 9739465f01..df343d4109 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -48,6 +48,7 @@ my @files = qw( evpkdf_ss.txt evpkdf_ssh.txt evpkdf_tls12_prf.txt + evpkdf_x942.txt evpkdf_x963.txt evpmac_common.txt evpmd_sha.txt @@ -89,7 +90,6 @@ my @defltfiles = qw( evpkdf_krb5.txt evpkdf_scrypt.txt evpkdf_tls11_prf.txt - evpkdf_x942.txt evpmac_blake.txt evpmac_poly1305.txt evpmac_siphash.txt diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt index 104fa83026..88f9dd379d 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x942.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt @@ -13,7 +13,8 @@ Title = X9.42 KDF tests (from RFC2631 test vectors) -KDF = X942KDF +Availablein = default +KDF = X942KDF-ASN1 Ctrl.digest = digest:SHA1 Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 Ctrl.cekalg = cekalg:id-smime-alg-CMS3DESwrap @@ -29,7 +30,56 @@ Output = d6d6b094c1027a7de6e3117294a35364 KDF = X942KDF Ctrl.digest = digest:SHA1 -Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.hexkey = hexkey:000102030405060708090a0b0c0d0e0f10111213 Ctrl.cekalg = cekalg:id-aes256-wrap Ctrl.hexukm = hexukm:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201 Output = 8890585C4E281A5C1167CAA530BED59B3230D893CBA8F922BD1B56A0 + +Title = X9.42 KDF tests (generated tests to test different options) + +KDF = X942KDF +Ctrl.digest = digest:SHA1 +Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.cekalg = cekalg:id-aes256-wrap +Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201 +Output = 8890585C4E281A5C1167CAA530BED59B3230D893CBA8F922BD1B56A0 + +KDF = X942KDF +Ctrl.digest = digest:SHA1 +Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.cekalg = cekalg:id-aes256-wrap +Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201 +Ctrl.use-keybits = use-keybits:0 +Output = 54bd5dbc1fa4c42c951f6fa51ec59e202b8c622bdb179fb2dd691ffb + +KDF = X942KDF +Ctrl.digest = digest:SHA1 +Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.cekalg = cekalg:id-aes256-wrap +Ctrl.hexpartyv-info = hexpartyv-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201 +Ctrl.use-keybits = use-keybits:0 +Output = 76d566e948ca9ae61bcd4ce076f0bd5fe6789b5b0f288977235ecb12 + +KDF = X942KDF +Ctrl.digest = digest:SHA1 +Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.cekalg = cekalg:id-aes256-wrap +Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201 +Output = ff368c7addb27d7599f8d49bc8d7fbf804540f119491ea419792c82c + +KDF = X942KDF +Ctrl.digest = digest:SHA1 +Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.cekalg = cekalg:id-aes256-wrap +Ctrl.hexsupp-privinfo = hexsupp-privinfo:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201 +Output = 6b68b7affe5efc15e77df56e3dd639b22aa39f12eb0685b33fb39c57 + +KDF = X942KDF +Ctrl.digest = digest:SHA1 +Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213 +Ctrl.cekalg = cekalg:id-aes256-wrap +Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdef +Ctrl.hexpartyv-info = hexpartyv-info:fedcba9876543210 +Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:12345678 +Ctrl.hexsupp-privinfo = hexsupp-privinfo:87654321 +Output = 2c5c1f028c6d1fc9ba752e41fdb9edb2ea936f1b2449f214acd56d31 diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt index 0f8920c90f..3791deb354 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x963.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt @@ -105,7 +105,7 @@ Ctrl.hexsecret = hexsecret:0096172bf47d06d544ae98471490cf9e52ee59ea7a2208b33b26c Ctrl.hexinfo = hexinfo:cf3a74ba86af42f1ae85477ead645583 Output = 995d1ab8557dfeafcb347f8182583fa0ac5e6cb3912393592590989f38a0214f6cf7d6fbe23917b0966c6a870876de2a2c13a45fa7aa1715be137ed332e1ffc204ce4dcce33ece6dec7f3da61fa049780040e44142cc8a1e5121cf56b386f65b7c261a192f05e5fefae4221a602bc51c41ef175dc45fb7eab8642421b4f7e3e7 -KDF = X963KDF +KDF = X942KDF-CONCAT Ctrl.digest = digest:SHA512 Ctrl.hexsecret = hexsecret:0037cd001a0ad87f35ddf58ab355d6144ba2ed0749a7435dab548ba0bfbe723c047e2396b4eef99653412a92c8db74bb5c03063f2eb0525ae87356750ae3676faa86 Ctrl.hexinfo = hexinfo:eb17da8851c41c7ac6710b1c49f324f8 -- 2.34.1