[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Sat May 8 12:14:10 UTC 2021
The branch master has been updated
via a1230dea4d255a1ea27b18af7a178fe2501e7dad (commit)
from 839261592ca447aa083403cee7b0ced97cef6159 (commit)
- Log -----------------------------------------------------------------
commit a1230dea4d255a1ea27b18af7a178fe2501e7dad
Author: Pauli <pauli at openssl.org>
Date: Fri May 7 16:58:16 2021 +1000
apps: add mac, cipher and digest arguments to the kdf applet.
This adds -digest, -mac and -cipher which correspond to -kdfopt digest: and
-kdfopt mac: and -kdfopt cipher: respectively.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15190)
-----------------------------------------------------------------------
Summary of changes:
apps/kdf.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
doc/man1/openssl-kdf.pod.in | 33 +++++++++++++++++++++++++++++++--
test/recipes/20-test_kdf.t | 38 ++++++++++++++++++++++++++++++++++++--
3 files changed, 111 insertions(+), 4 deletions(-)
diff --git a/apps/kdf.c b/apps/kdf.c
index b3865d9e87..7b016051f1 100644
--- a/apps/kdf.c
+++ b/apps/kdf.c
@@ -20,6 +20,7 @@
typedef enum OPTION_choice {
OPT_COMMON,
OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT,
+ OPT_CIPHER, OPT_DIGEST, OPT_MAC,
OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -29,6 +30,9 @@ const OPTIONS kdf_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form"},
+ {"cipher", OPT_CIPHER, 's', "Cipher"},
+ {"digest", OPT_DIGEST, 's', "Digest"},
+ {"mac", OPT_MAC, 's', "MAC"},
{OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n"},
{"keylen", OPT_KEYLEN, 's', "The size of the output derived key"},
@@ -44,6 +48,24 @@ const OPTIONS kdf_options[] = {
{NULL}
};
+static char *alloc_kdf_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
+ const char *name, const char *arg)
+{
+ size_t len = strlen(name) + strlen(arg) + 2;
+ char *res = app_malloc(len, "algorithm name");
+
+ if (*optp == NULL)
+ *optp = sk_OPENSSL_STRING_new_null();
+ if (*optp == NULL)
+ return NULL;
+
+ BIO_snprintf(res, len, "%s:%s", name, arg);
+ if (sk_OPENSSL_STRING_push(*optp, res))
+ return res;
+ OPENSSL_free(res);
+ return NULL;
+}
+
int kdf_main(int argc, char **argv)
{
int ret = 1, out_bin = 0;
@@ -56,6 +78,7 @@ int kdf_main(int argc, char **argv)
BIO *out = NULL;
EVP_KDF *kdf = NULL;
EVP_KDF_CTX *ctx = NULL;
+ char *digest = NULL, *cipher = NULL, *mac = NULL;
prog = opt_init(argc, argv, kdf_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -83,6 +106,24 @@ opthelp:
if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg()))
goto opthelp;
break;
+ case OPT_CIPHER:
+ OPENSSL_free(cipher);
+ cipher = alloc_kdf_algorithm_name(&opts, "cipher", opt_arg());
+ if (cipher == NULL)
+ goto opthelp;
+ break;
+ case OPT_DIGEST:
+ OPENSSL_free(digest);
+ digest = alloc_kdf_algorithm_name(&opts, "digest", opt_arg());
+ if (digest == NULL)
+ goto opthelp;
+ break;
+ case OPT_MAC:
+ OPENSSL_free(mac);
+ mac = alloc_kdf_algorithm_name(&opts, "mac", opt_arg());
+ if (mac == NULL)
+ goto opthelp;
+ break;
case OPT_PROV_CASES:
if (!opt_provider(o))
goto err;
@@ -161,5 +202,8 @@ err:
EVP_KDF_CTX_free(ctx);
BIO_free(out);
OPENSSL_free(hexout);
+ OPENSSL_free(cipher);
+ OPENSSL_free(digest);
+ OPENSSL_free(mac);
return ret;
}
diff --git a/doc/man1/openssl-kdf.pod.in b/doc/man1/openssl-kdf.pod.in
index 3d532ebfc6..bc0fa82a88 100644
--- a/doc/man1/openssl-kdf.pod.in
+++ b/doc/man1/openssl-kdf.pod.in
@@ -9,6 +9,9 @@ openssl-kdf - perform Key Derivation Function operations
B<openssl kdf>
[B<-help>]
+[B<-cipher>]
+[B<-digest>]
+[B<-mac>]
[B<-kdfopt> I<nm>:I<v>]
[B<-keylen> I<num>]
[B<-out> I<filename>]
@@ -41,6 +44,25 @@ Filename to output to, or standard output by default.
Output the derived key in binary form. Uses hexadecimal text format if not specified.
+=item B<-cipher> I<name>
+
+Specify the cipher to be used by the KDF.
+Not all KDFs require a cipher and it is an error to use this option in such
+cases.
+
+=item B<-digest> I<name>
+
+Specify the digest to be used by the KDF.
+Not all KDFs require a digest and it is an error to use this option in such
+cases.
+To see the list of supported digests, use C<openssl list -digest-commands>.
+
+=item B<-mac> I<name>
+
+Specify the MAC to be used by the KDF.
+Not all KDFs require a MAC and it is an error to use this option in such
+cases.
+
=item B<-kdfopt> I<nm>:I<v>
Passes options to the KDF algorithm.
@@ -76,8 +98,15 @@ The password must be specified for PBKDF2 and scrypt.
=item B<digest:>I<string>
-Specifies the name of a digest as an alphanumeric string.
-To see the list of supported digests, use the command I<list -digest-commands>.
+This option is identical to the B<-digest> option.
+
+=item B<cipher:>I<string>
+
+This option is identical to the B<-cipher> option.
+
+=item B<mac:>I<string>
+
+This option is identical to the B<-mac> option.
=back
diff --git a/test/recipes/20-test_kdf.t b/test/recipes/20-test_kdf.t
index d0ea07ee9a..47b0632888 100755
--- a/test/recipes/20-test_kdf.t
+++ b/test/recipes/20-test_kdf.t
@@ -16,6 +16,32 @@ use OpenSSL::Test::Utils;
setup("test_kdf");
my @kdf_tests = (
+ { cmd => [qw{openssl kdf -keylen 16 -digest SHA256 -kdfopt secret:secret -kdfopt seed:seed TLS1-PRF}],
+ expected => '8E:4D:93:25:30:D7:65:A0:AA:E9:74:C3:04:73:5E:CC',
+ desc => 'TLS1-PRF SHA256' },
+ { cmd => [qw{openssl kdf -keylen 16 -digest MD5-SHA1 -kdfopt secret:secret -kdfopt seed:seed TLS1-PRF}],
+ expected => '65:6F:31:CB:04:03:D6:51:E2:E8:71:F8:20:04:AB:BA',
+ desc => 'TLS1-PRF MD5-SHA1' },
+ { cmd => [qw{openssl kdf -keylen 10 -digest SHA256 -kdfopt key:secret -kdfopt salt:salt -kdfopt info:label HKDF}],
+ expected => '2a:c4:36:9f:52:59:96:f8:de:13',
+ desc => 'HKDF SHA256' },
+ { cmd => [qw{openssl kdf -keylen 25 -digest SHA256 -kdfopt pass:passwordPASSWORDpassword -kdfopt salt:saltSALTsaltSALTsaltSALTsaltSALTsalt -kdfopt iter:4096 PBKDF2}],
+ expected => '34:8C:89:DB:CB:D3:2B:2F:32:D8:14:B8:11:6E:84:CF:2B:17:34:7E:BC:18:00:18:1C',
+ desc => 'PBKDF2 SHA256'},
+ { cmd => [qw{openssl kdf -keylen 64 -mac KMAC128 -kdfopt maclen:20 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
+ expected => 'e9:c1:84:53:a0:62:b5:3b:db:fc:bb:5a:34:bd:b8:e5:e7:07:ee:bb:5d:d1:34:42:43:d8:cf:c2:c2:e6:33:2f:91:bd:a5:86:f3:7d:e4:8a:65:d4:c5:14:fd:ef:aa:1e:67:54:f3:73:d2:38:e1:95:ae:15:7e:1d:e8:14:98:03',
+ desc => 'SSKDF KMAC128'},
+ { cmd => [qw{openssl kdf -keylen 16 -mac HMAC -digest SHA256 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
+ expected => '44:f6:76:e8:5c:1b:1a:8b:bc:3d:31:92:18:63:1c:a3',
+ desc => 'SSKDF HMAC SHA256'},
+ { cmd => [qw{openssl kdf -keylen 14 -digest SHA224 -kdfopt hexkey:6dbdc23f045488e4062757b06b9ebae183fc5a5946d80db93fec6f62ec07e3727f0126aed12ce4b262f47d48d54287f81d474c7c3b1850e9 -kdfopt hexinfo:a1b2c3d4e54341565369643c832e9849dcdba71e9a3139e606e095de3c264a66e98a165854cd07989b1ee0ec3f8dbe SSKDF}],
+ expected => 'a4:62:de:16:a8:9d:e8:46:6e:f5:46:0b:47:b8',
+ desc => 'SSKDF HASH SHA224'},
+ { cmd => [qw{openssl kdf -keylen 16 -digest SHA256 -kdfopt hexkey:0102030405 -kdfopt hexxcghash:06090A -kdfopt hexsession_id:01020304 -kdfopt type:A SSHKDF}],
+ expected => '5C:49:94:47:3B:B1:53:3A:58:EB:19:42:04:D3:78:16',
+ desc => 'SSHKDF SHA256'},
+
+ # Using the -kdfopt digest: option instead of -digest
{ cmd => [qw{openssl kdf -keylen 16 -kdfopt digest:SHA256 -kdfopt secret:secret -kdfopt seed:seed TLS1-PRF}],
expected => '8E:4D:93:25:30:D7:65:A0:AA:E9:74:C3:04:73:5E:CC',
desc => 'TLS1-PRF SHA256' },
@@ -28,10 +54,10 @@ my @kdf_tests = (
{ cmd => [qw{openssl kdf -keylen 25 -kdfopt digest:SHA256 -kdfopt pass:passwordPASSWORDpassword -kdfopt salt:saltSALTsaltSALTsaltSALTsaltSALTsalt -kdfopt iter:4096 PBKDF2}],
expected => '34:8C:89:DB:CB:D3:2B:2F:32:D8:14:B8:11:6E:84:CF:2B:17:34:7E:BC:18:00:18:1C',
desc => 'PBKDF2 SHA256'},
- { cmd => [qw{openssl kdf -keylen 64 -kdfopt mac:KMAC128 -kdfopt maclen:20 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
+ { cmd => [qw{openssl kdf -keylen 64 -mac KMAC128 -kdfopt maclen:20 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
expected => 'e9:c1:84:53:a0:62:b5:3b:db:fc:bb:5a:34:bd:b8:e5:e7:07:ee:bb:5d:d1:34:42:43:d8:cf:c2:c2:e6:33:2f:91:bd:a5:86:f3:7d:e4:8a:65:d4:c5:14:fd:ef:aa:1e:67:54:f3:73:d2:38:e1:95:ae:15:7e:1d:e8:14:98:03',
desc => 'SSKDF KMAC128'},
- { cmd => [qw{openssl kdf -keylen 16 -kdfopt mac:HMAC -kdfopt digest:SHA256 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
+ { cmd => [qw{openssl kdf -keylen 16 -mac HMAC -kdfopt digest:SHA256 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
expected => '44:f6:76:e8:5c:1b:1a:8b:bc:3d:31:92:18:63:1c:a3',
desc => 'SSKDF HMAC SHA256'},
{ cmd => [qw{openssl kdf -keylen 14 -kdfopt digest:SHA224 -kdfopt hexkey:6dbdc23f045488e4062757b06b9ebae183fc5a5946d80db93fec6f62ec07e3727f0126aed12ce4b262f47d48d54287f81d474c7c3b1850e9 -kdfopt hexinfo:a1b2c3d4e54341565369643c832e9849dcdba71e9a3139e606e095de3c264a66e98a165854cd07989b1ee0ec3f8dbe SSKDF}],
@@ -40,6 +66,14 @@ my @kdf_tests = (
{ cmd => [qw{openssl kdf -keylen 16 -kdfopt digest:SHA256 -kdfopt hexkey:0102030405 -kdfopt hexxcghash:06090A -kdfopt hexsession_id:01020304 -kdfopt type:A SSHKDF}],
expected => '5C:49:94:47:3B:B1:53:3A:58:EB:19:42:04:D3:78:16',
desc => 'SSHKDF SHA256'},
+
+ # Additionally using -kdfopt mac: instead of -mac
+ { cmd => [qw{openssl kdf -keylen 64 -kdfopt mac:KMAC128 -kdfopt maclen:20 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
+ expected => 'e9:c1:84:53:a0:62:b5:3b:db:fc:bb:5a:34:bd:b8:e5:e7:07:ee:bb:5d:d1:34:42:43:d8:cf:c2:c2:e6:33:2f:91:bd:a5:86:f3:7d:e4:8a:65:d4:c5:14:fd:ef:aa:1e:67:54:f3:73:d2:38:e1:95:ae:15:7e:1d:e8:14:98:03',
+ desc => 'SSKDF KMAC128'},
+ { cmd => [qw{openssl kdf -keylen 16 -kdfopt mac:HMAC -kdfopt digest:SHA256 -kdfopt hexkey:b74a149a161546f8c20b06ac4ed4 -kdfopt hexinfo:348a37a27ef1282f5f020dcc -kdfopt hexsalt:3638271ccd68a25dc24ecddd39ef3f89 SSKDF}],
+ expected => '44:f6:76:e8:5c:1b:1a:8b:bc:3d:31:92:18:63:1c:a3',
+ desc => 'SSKDF HMAC SHA256'},
);
my @scrypt_tests = (
More information about the openssl-commits
mailing list