public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: KBKDF for Kerberos 5
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; only message in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : dc9d5caf5e42ae56d849ac6e586bf4f67c444cc0
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2019-11-12T16:38:11+01:00
Stats : +1254/-0 in 1 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/dc9d5caf5e42ae56d849ac6e586bf4f67c444cc0?branch=rebase_40beta
Log:
KBKDF for Kerberos 5
---
diff --git a/openssl-1.1.1-krb5-kdf.patch b/openssl-1.1.1-krb5-kdf.patch
new file mode 100644
index 0000000..5bf33f6
--- /dev/null
+++ b/openssl-1.1.1-krb5-kdf.patch
@@ -0,0 +1,1254 @@
+diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt
+--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-12 13:30:36.261748973 +0100
++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-12 13:30:36.283748577 +0100
+@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g
+ EVP_F_SCRYPT_ALG:228:scrypt_alg
+ EVP_F_UPDATE:173:update
+ KDF_F_HKDF_EXTRACT:112:HKDF_Extract
++KDF_F_KBKDF_CTRL:134:kbkdf_ctrl
++KDF_F_KBKDF_CTRL_STR:135:kbkdf_ctrl_str
++KDF_F_KBKDF_DERIVE:136:kbkdf_derive
++KDF_F_KBKDF_NEW:137:kbkdf_new
++KDF_F_KDF_CIPHER2CTRL:138:kdf_cipher2ctrl
+ KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
+ KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
+ KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
+@@ -2326,6 +2331,8 @@ EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mod
+ EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
+ EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys
+ KDF_R_INVALID_DIGEST:100:invalid digest
++KDF_R_INVALID_SEED_LENGTH:116:invalid seed length
++KDF_R_MISSING_CIPHER:117:missing cipher
+ KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
+ KDF_R_MISSING_KEY:104:missing key
+ KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest
+diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c
+--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-12 13:30:36.261748973 +0100
++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-12 13:44:04.435282854 +0100
+@@ -31,6 +31,7 @@ static const EVP_KDF_METHOD *standard_me
+ &tls1_prf_kdf_meth,
+ &hkdf_kdf_meth,
+ &sshkdf_kdf_meth,
++ &kb_kdf_meth,
+ };
+
+ DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
+diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h
+--- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-12 13:30:36.261748973 +0100
++++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-12 13:30:36.283748577 +0100
+@@ -130,6 +130,7 @@ extern const EVP_KDF_METHOD scrypt_kdf_m
+ extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
+ extern const EVP_KDF_METHOD hkdf_kdf_meth;
+ extern const EVP_KDF_METHOD sshkdf_kdf_meth;
++extern const EVP_KDF_METHOD kb_kdf_meth;
+
+ struct evp_md_st {
+ int type;
+diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info
+--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-12 13:30:36.261748973 +0100
++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-12 13:30:36.284748559 +0100
+@@ -1,3 +1,3 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c
++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c
+diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c
+--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-12 13:30:36.284748559 +0100
++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-12 16:09:32.828238926 +0100
+@@ -0,0 +1,530 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2019 Red Hat, Inc.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/*
++ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final
++ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC
++ * and CMAC. That document does not name the KDFs it defines; the name is
++ * derived from
++ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation
++ *
++ * Note that section 5.3 ("double-pipeline mode") is not implemented, though
++ * it would be possible to do so in the future.
++ *
++ * These versions all assume the counter is used. It would be relatively
++ * straightforward to expose a configuration handle should the need arise.
++ *
++ * Variable names attempt to match those of SP800-108.
++ */
++
++#include <stdarg.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/cmac.h>
++#include <openssl/kdf.h>
++
++#include "internal/cryptlib.h"
++#include "internal/evp_int.h"
++#include "kdf_local.h"
++
++#include "e_os.h"
++
++#define MIN(a, b) ((a) < (b)) ? (a) : (b)
++
++typedef struct {
++ int mac_type;
++ union {
++ HMAC_CTX *hmac;
++ CMAC_CTX *cmac;
++ } m;
++} MAC_CTX;
++
++/* Our context structure. */
++struct evp_kdf_impl_st {
++ int mode;
++
++ MAC_CTX *ctx_init;
++
++ const EVP_CIPHER *cipher;
++ const EVP_MD *md;
++
++ /* Names are lowercased versions of those found in SP800-108. */
++ unsigned char *ki;
++ size_t ki_len;
++ unsigned char *label;
++ size_t label_len;
++ unsigned char *context;
++ size_t context_len;
++ unsigned char *iv;
++ size_t iv_len;
++};
++
++static MAC_CTX *EVP_MAC_CTX_new(int mac_type)
++{
++ MAC_CTX *ctx;
++
++ ctx = OPENSSL_zalloc(sizeof(*ctx));
++ if (ctx == NULL)
++ return NULL;
++
++ ctx->mac_type = mac_type;
++ if (mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL)
++ goto err;
++ } else {
++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL)
++ goto err;
++ }
++ return ctx;
++
++err:
++ OPENSSL_free(ctx);
++ return NULL;
++}
++
++static void EVP_MAC_CTX_free(MAC_CTX *ctx)
++{
++ if (ctx == NULL)
++ return;
++
++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC)
++ HMAC_CTX_free(ctx->m.hmac);
++ else
++ CMAC_CTX_free(ctx->m.cmac);
++}
++
++static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx)
++{
++ MAC_CTX *ctx;
++
++ ctx = OPENSSL_zalloc(sizeof(*sctx));
++ if (ctx == NULL)
++ return NULL;
++
++ ctx->mac_type = sctx->mac_type;
++ if (sctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL
++ || HMAC_CTX_copy(ctx->m.hmac, sctx->m.hmac) <= 0)
++ goto err;
++ } else {
++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL
++ || CMAC_CTX_copy(ctx->m.cmac, sctx->m.cmac) <= 0)
++ goto err;
++ }
++ return ctx;
++
++err:
++ EVP_MAC_CTX_free(ctx);
++ return NULL;
++}
++
++static size_t EVP_MAC_size(MAC_CTX *ctx)
++{
++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
++ const EVP_MD *md;
++
++ if (ctx->m.hmac == NULL)
++ return 0;
++ if ((md = HMAC_CTX_get_md(ctx->m.hmac)) == NULL)
++ return 0;
++ return (size_t)EVP_MD_size(md);
++ } else {
++ const EVP_CIPHER_CTX *cctx;
++
++ if (ctx->m.cmac == NULL)
++ return 0;
++ if ((cctx = CMAC_CTX_get0_cipher_ctx(ctx->m.cmac)) == NULL)
++ return 0;
++ return EVP_CIPHER_CTX_block_size(cctx);
++ }
++}
++
++static int EVP_MAC_update(MAC_CTX *ctx, const unsigned char *data,
++ size_t datalen)
++{
++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC)
++ return HMAC_Update(ctx->m.hmac, data, datalen);
++ else
++ return CMAC_Update(ctx->m.cmac, data, datalen);
++}
++
++static int EVP_MAC_final(MAC_CTX *ctx, unsigned char *out,
++ size_t *outl, size_t outsize)
++{
++ if (outsize != EVP_MAC_size(ctx))
++ /* we do not cope with anything else */
++ return 0;
++
++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
++ unsigned int intsize = (unsigned int)outsize;
++ int ret;
++
++ ret = HMAC_Final(ctx->m.hmac, out, &intsize);
++ if (outl != NULL)
++ *outl = intsize;
++ return ret;
++ } else {
++ size_t size = outsize;
++ int ret;
++
++ ret = CMAC_Final(ctx->m.cmac, out, &size);
++ if (outl != NULL)
++ *outl = size;
++ return ret;
++ }
++}
++
++static int evp_mac_init(MAC_CTX *ctx, const EVP_MD *md,
++ const EVP_CIPHER *cipher, unsigned char *key, size_t keylen)
++{
++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
++ if (md == NULL)
++ return 0;
++ return HMAC_Init_ex(ctx->m.hmac, key, (int)keylen, md, NULL);
++ } else {
++ if (cipher == NULL)
++ return 0;
++ return CMAC_Init(ctx->m.cmac, key, keylen, cipher, NULL);
++ }
++}
++
++static void kbkdf_reset(EVP_KDF_IMPL *ctx);
++
++/* Not all platforms have htobe32(). */
++static uint32_t be32(uint32_t host)
++{
++ uint32_t big = 0;
++ const union {
++ long one;
++ char little;
++ } is_endian = { 1 };
++
++ if (!is_endian.little)
++ return host;
++
++ big |= (host & 0xff000000) >> 24;
++ big |= (host & 0x00ff0000) >> 8;
++ big |= (host & 0x0000ff00) << 8;
++ big |= (host & 0x000000ff) << 24;
++ return big;
++}
++
++static EVP_KDF_IMPL *kbkdf_new(void)
++{
++ EVP_KDF_IMPL *ctx;
++
++ ctx = OPENSSL_zalloc(sizeof(*ctx));
++ if (ctx == NULL) {
++ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE);
++ return NULL;
++ }
++
++ return ctx;
++}
++
++static void kbkdf_free(EVP_KDF_IMPL *ctx)
++{
++ kbkdf_reset(ctx);
++ OPENSSL_free(ctx);
++}
++
++static void kbkdf_reset(EVP_KDF_IMPL *ctx)
++{
++ EVP_MAC_CTX_free(ctx->ctx_init);
++ OPENSSL_clear_free(ctx->context, ctx->context_len);
++ OPENSSL_clear_free(ctx->label, ctx->label_len);
++ OPENSSL_clear_free(ctx->ki, ctx->ki_len);
++ OPENSSL_clear_free(ctx->iv, ctx->iv_len);
++ memset(ctx, 0, sizeof(*ctx));
++}
++
++/* SP800-108 section 5.1 or section 5.2 depending on mode. */
++static int derive(MAC_CTX *ctx_init, int mode, unsigned char *iv,
++ size_t iv_len, unsigned char *label, size_t label_len,
++ unsigned char *context, size_t context_len,
++ unsigned char *k_i, size_t h, uint32_t l, unsigned char *ko,
++ size_t ko_len)
++{
++ int ret = 0;
++ MAC_CTX *ctx = NULL;
++ size_t written = 0, to_write, k_i_len = iv_len;
++ const unsigned char zero = 0;
++ uint32_t counter, i;
++
++ /* Setup K(0) for feedback mode. */
++ if (iv_len > 0)
++ memcpy(k_i, iv, iv_len);
++
++ for (counter = 1; written < ko_len; counter++) {
++ i = be32(counter);
++
++ ctx = EVP_MAC_CTX_dup(ctx_init);
++ if (ctx == NULL)
++ goto done;
++
++ /* Perform feedback, if appropriate. */
++ if (mode == EVP_KDF_KB_MODE_FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len))
++ goto done;
++
++ if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4)
++ || !EVP_MAC_update(ctx, label, label_len)
++ || !EVP_MAC_update(ctx, &zero, 1)
++ || !EVP_MAC_update(ctx, context, context_len)
++ || !EVP_MAC_update(ctx, (unsigned char *)&l, 4)
++ || !EVP_MAC_final(ctx, k_i, NULL, h))
++ goto done;
++
++ to_write = ko_len - written;
++ memcpy(ko + written, k_i, MIN(to_write, h));
++ written += h;
++
++ k_i_len = h;
++ EVP_MAC_CTX_free(ctx);
++ ctx = NULL;
++ }
++
++ ret = 1;
++done:
++ EVP_MAC_CTX_free(ctx);
++ return ret;
++}
++
++static int kbkdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, size_t keylen)
++{
++ int ret = 0;
++ unsigned char *k_i = NULL;
++ uint32_t l = be32(keylen * 8);
++ size_t h = 0;
++
++ /* label, context, and iv are permitted to be empty. Check everything
++ * else. */
++ if (ctx->ctx_init == NULL
++ || evp_mac_init(ctx->ctx_init, ctx->md, ctx->cipher, ctx->ki, ctx->ki_len) <= 0) {
++ if (ctx->ki_len == 0 || ctx->ki == NULL) {
++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_KEY);
++ return 0;
++ }
++ /* Could either be missing MAC or missing message digest or missing
++ * cipher - arbitrarily, I pick this one. */
++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_PARAMETER);
++ return 0;
++ }
++
++ h = EVP_MAC_size(ctx->ctx_init);
++ if (h == 0)
++ goto done;
++ if (ctx->iv_len != 0 && ctx->iv_len != h) {
++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_INVALID_SEED_LENGTH);
++ goto done;
++ }
++
++ k_i = OPENSSL_zalloc(h);
++ if (k_i == NULL)
++ goto done;
++
++ ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label,
++ ctx->label_len, ctx->context, ctx->context_len, k_i, h, l,
++ key, keylen);
++done:
++ if (ret != 1)
++ OPENSSL_cleanse(key, keylen);
++ OPENSSL_clear_free(k_i, h);
++ return ret;
++}
++
++static size_t kbkdf_size(EVP_KDF_IMPL *ctx)
++{
++ return UINT32_MAX/8;
++}
++
++static int kbkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len,
++ va_list args)
++{
++ const unsigned char *p;
++ size_t len;
++
++ p = va_arg(args, const unsigned char *);
++ len = va_arg(args, size_t);
++ OPENSSL_clear_free(*dst, *dst_len);
++ *dst = OPENSSL_memdup(p, len);
++ if (*dst == NULL)
++ return 0;
++
++ *dst_len = len;
++ return 1;
++}
++
++static int kbkdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args)
++{
++ int t;
++
++ switch (cmd) {
++ case EVP_KDF_CTRL_SET_MD:
++ ctx->md = va_arg(args, const EVP_MD *);
++ if (ctx->md == NULL)
++ return 0;
++
++ return 1;
++
++ case EVP_KDF_CTRL_SET_CIPHER:
++ ctx->cipher = va_arg(args, const EVP_CIPHER *);
++ if (ctx->cipher == NULL)
++ return 0;
++
++ return 1;
++
++ case EVP_KDF_CTRL_SET_KEY:
++ return kbkdf_parse_buffer_arg(&ctx->ki,
++ &ctx->ki_len, args);
++
++ case EVP_KDF_CTRL_SET_SALT:
++ return kbkdf_parse_buffer_arg(&ctx->label,
++ &ctx->label_len, args);
++
++ case EVP_KDF_CTRL_SET_KB_INFO:
++ return kbkdf_parse_buffer_arg(&ctx->context,
++ &ctx->context_len, args);
++
++ case EVP_KDF_CTRL_SET_KB_SEED:
++ return kbkdf_parse_buffer_arg(&ctx->iv,
++ &ctx->iv_len, args);
++
++ case EVP_KDF_CTRL_SET_KB_MODE:
++ t = va_arg(args, int);
++ if (t != EVP_KDF_KB_MODE_COUNTER && t != EVP_KDF_KB_MODE_FEEDBACK ) {
++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR);
++ return 0;
++ }
++ ctx->mode = t;
++ return 1;
++
++ case EVP_KDF_CTRL_SET_KB_MAC_TYPE:
++ t = va_arg(args, int);
++ if (t != EVP_KDF_KB_MAC_TYPE_HMAC && t != EVP_KDF_KB_MAC_TYPE_CMAC ) {
++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR);
++ return 0;
++ }
++
++ if (ctx->ctx_init != NULL) {
++ EVP_MAC_CTX_free(ctx->ctx_init);
++ }
++ ctx->ctx_init = EVP_MAC_CTX_new(t);
++ if (ctx->ctx_init == NULL) {
++ KDFerr(KDF_F_KBKDF_CTRL, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ return 1;
++
++ default:
++ return -2;
++
++ }
++}
++
++static int kbkdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type,
++ const char *value)
++{
++ if (value == NULL) {
++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING);
++ return 0;
++ }
++
++ if (strcmp(type, "digest") == 0)
++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
++ /* alias, for historical reasons */
++ if (strcmp(type, "md") == 0)
++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
++
++ if (strcmp(type, "cipher") == 0)
++ return kdf_cipher2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value);
++
++ if (strcmp(type, "key") == 0)
++ return kdf_str2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_KEY, value);
++
++ if (strcmp(type, "hexkey") == 0)
++ return kdf_hex2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_KEY, value);
++
++ if (strcmp(type, "salt") == 0)
++ return kdf_str2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_SALT, value);
++
++ if (strcmp(type, "hexsalt") == 0)
++ return kdf_hex2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_SALT, value);
++
++ if (strcmp(type, "info") == 0)
++ return kdf_str2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_KB_INFO, value);
++
++ if (strcmp(type, "hexinfo") == 0)
++ return kdf_hex2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_KB_INFO, value);
++
++ if (strcmp(type, "seed") == 0)
++ return kdf_str2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_KB_SEED, value);
++
++ if (strcmp(type, "hexseed") == 0)
++ return kdf_hex2ctrl(ctx, kbkdf_ctrl,
++ EVP_KDF_CTRL_SET_KB_SEED, value);
++
++ if (strcmp(type, "mode") == 0) {
++ int mode;
++
++ if (strcasecmp(value, "counter") == 0) {
++ mode = EVP_KDF_KB_MODE_COUNTER;
++ } else if (strcasecmp(value, "feedback") == 0) {
++ mode = EVP_KDF_KB_MODE_FEEDBACK;
++ } else {
++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR);
++ return 0;
++ }
++
++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MODE,
++ mode);
++ }
++
++ if (strcmp(type, "mac_type") == 0) {
++ int mac_type;
++
++ if (strcasecmp(value, "hmac") == 0) {
++ mac_type = EVP_KDF_KB_MAC_TYPE_HMAC;
++ } else if (strcasecmp(value, "cmac") == 0) {
++ mac_type = EVP_KDF_KB_MAC_TYPE_CMAC;
++ } else {
++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR);
++ return 0;
++ }
++
++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE,
++ mac_type);
++ }
++
++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
++ return -2;
++}
++
++
++const EVP_KDF_METHOD kb_kdf_meth = {
++ EVP_KDF_KB,
++ kbkdf_new,
++ kbkdf_free,
++ kbkdf_reset,
++ kbkdf_ctrl,
++ kbkdf_ctrl_str,
++ kbkdf_size,
++ kbkdf_derive,
++};
++
+diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c
+--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-12 13:30:36.262748955 +0100
++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-12 13:30:36.284748559 +0100
+@@ -15,6 +15,11 @@
+
+ static const ERR_STRING_DATA KDF_str_functs[] = {
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"},
++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL, 0), "kbkdf_ctrl"},
++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL_STR, 0), "kbkdf_ctrl_str"},
++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_DERIVE, 0), "kbkdf_derive"},
++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_NEW, 0), "kbkdf_new"},
++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_CIPHER2CTRL, 0), "kdf_cipher2ctrl"},
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"},
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"},
+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"},
+@@ -64,7 +69,9 @@ static const ERR_STRING_DATA KDF_str_fun
+ };
+
+ static const ERR_STRING_DATA KDF_str_reasons[] = {
++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"},
+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"},
++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"},
+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT),
+ "missing iteration count"},
+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"},
+diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h
+--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-12 13:30:36.253749117 +0100
++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-12 13:30:36.284748559 +0100
+@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
+ int kdf_md2ctrl(EVP_KDF_IMPL *impl,
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *md_name);
+-
++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl,
++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++ int cmd, const char *cipher_name);
+diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c
+--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-12 13:30:36.253749117 +0100
++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-12 13:30:36.284748559 +0100
+@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl,
+ return call_ctrl(ctrl, impl, cmd, md);
+ }
+
++/* Pass a cipher to a ctrl */
++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl,
++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++ int cmd, const char *cipher_name)
++{
++ const EVP_CIPHER *cipher;
++
++ if (cipher_name == NULL || (cipher = EVP_get_cipherbyname(cipher_name)) == NULL) {
++ KDFerr(KDF_F_KDF_CIPHER2CTRL, KDF_R_INVALID_CIPHER);
++ return 0;
++ }
++ return call_ctrl(ctrl, impl, cmd, cipher);
++}
+diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h
+--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100
++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-12 13:30:36.285748541 +0100
+@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
+ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
+ };
+
+-#define NUM_NID 1196
++#define NUM_NID 1197
+ static const ASN1_OBJECT nid_objs[NUM_NID] = {
+ {"UNDEF", "undefined", NID_undef},
+ {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
+@@ -2276,9 +2276,10 @@ static const ASN1_OBJECT nid_objs[NUM_NI
+ {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
+ {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
+ {"SSHKDF", "sshkdf", NID_sshkdf},
++ {"KBKDF", "kbkdf", NID_kbkdf},
+ };
+
+-#define NUM_SN 1187
++#define NUM_SN 1188
+ static const unsigned int sn_objs[NUM_SN] = {
+ 364, /* "AD_DVCS" */
+ 419, /* "AES-128-CBC" */
+@@ -2442,6 +2443,7 @@ static const unsigned int sn_objs[NUM_SN
+ 183, /* "ISO-US" */
+ 645, /* "ITU-T" */
+ 646, /* "JOINT-ISO-ITU-T" */
++ 1196, /* "KBKDF" */
+ 773, /* "KISA" */
+ 1063, /* "KxANY" */
+ 1039, /* "KxDHE" */
+@@ -3469,7 +3471,7 @@ static const unsigned int sn_objs[NUM_SN
+ 1093, /* "x509ExtAdmission" */
+ };
+
+-#define NUM_LN 1187
++#define NUM_LN 1188
+ static const unsigned int ln_objs[NUM_LN] = {
+ 363, /* "AD Time Stamping" */
+ 405, /* "ANSI X9.62" */
+@@ -4262,6 +4264,7 @@ static const unsigned int ln_objs[NUM_LN
+ 957, /* "jurisdictionCountryName" */
+ 955, /* "jurisdictionLocalityName" */
+ 956, /* "jurisdictionStateOrProvinceName" */
++ 1196, /* "kbkdf" */
+ 150, /* "keyBag" */
+ 773, /* "kisa" */
+ 1063, /* "kx-any" */
+diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt
+--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-12 13:30:36.263748937 +0100
++++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-12 13:30:36.286748523 +0100
+@@ -1603,6 +1603,9 @@ secg-scheme 14 3 : dhSinglePass-cofactor
+ # NID for SSHKDF
+ : SSHKDF : sshkdf
+
++# NID for KBKDF
++ : KBKDF : kbkdf
++
+ # RFC 4556
+ 1 3 6 1 5 2 3 : id-pkinit
+ id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth
+diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num
+--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-12 13:30:36.263748937 +0100
++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-12 13:30:36.286748523 +0100
+@@ -1193,3 +1193,4 @@ magma_mac 1192
+ hmacWithSHA512_224 1193
+ hmacWithSHA512_256 1194
+ sshkdf 1195
++kbkdf 1196
+diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod
+--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-12 13:30:36.254749099 +0100
++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-12 13:30:36.286748523 +0100
+@@ -140,7 +140,14 @@ The value string is expected to be a dec
+ This control expects one argument: C<EVP_MD *md>
+
+ For MAC implementations that use a message digest as an underlying computation
+-algorithm, this control set what the digest algorithm should be.
++algorithm, this control sets what the digest algorithm should be.
++
++=item B<EVP_KDF_CTRL_SET_CIPHER>
++
++This control expects one argument: C<EVP_CIPHER *cipher>
++
++For MAC implementations that use a cipher as an underlying computation
++algorithm, this control sets what the cipher algorithm should be.
+
+ EVP_KDF_ctrl_str() type string: "md"
+
+diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod
+--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-12 13:30:36.286748523 +0100
++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-12 13:30:36.286748523 +0100
+@@ -0,0 +1,177 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_KB - The Key-Based EVP_KDF implementation
++
++=head1 DESCRIPTION
++
++The EVP_KDF_KB algorithm implements the Key-Based key derivation function
++(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an
++input secret (and other optional values).
++
++=head2 Numeric identity
++
++B<EVP_KDF_KB> is the numeric identity for this implementation; it can be used with the
++EVP_KDF_CTX_new_id() function.
++
++=head2 Supported controls
++
++The supported controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_KB_MODE>
++
++This control expects one argument: C<int mode>
++
++Sets the mode for the KBKDF operation. There are two supported modes:
++
++=over 4
++
++=item B<EVP_KDF_KB_MODE_COUNTER>
++
++The counter mode of KBKDF should be used. This is the default.
++
++=item B<EVP_KDF_KB_MODE_FEEDBACK>
++
++The feedback mode of KBKDF should be used.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_KB_MAC_TYPE>
++
++This control expects one argument: C<int mac_type>
++
++Sets the mac type for the KBKDF operation. There are two supported mac types:
++
++=over 4
++
++=item B<EVP_KDF_KB_MAC_TYPE_HMAC>
++
++The HMAC with the digest set by B<EVP_KDF_CTRL_SET_MD> should be used as the mac.
++
++=item B<EVP_KDF_KB_MAC_TYPE_CMAC>
++
++The CMAC with the cipher set by B<EVP_KDF_CTRL_SET_CIPHER> should be used as the mac.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_MD>
++
++=item B<EVP_KDF_CTRL_SET_CIPHER>
++
++=item B<EVP_KDF_CTRL_SET_KEY>
++
++=item B<EVP_KDF_CTRL_SET_SALT>
++
++These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
++
++=item B<EVP_KDF_CTRL_SET_KB_INFO>
++
++This control expects two arguments: C<unsigned char *info>, C<size_t infolen>
++
++=item B<EVP_KDF_CTRL_SET_KB_SEED>
++
++This control expects two arguments: C<unsigned char *seed>, C<size_t seedlen>
++
++It is used only in the feedback mode and the length must be the same
++as the block length of the cipher in CMAC or the size of the digest in HMAC.
++
++=back
++
++The controls B<EVP_KDF_CTRL_SET_KEY>, B<EVP_KDF_CTRL_SET_SALT>,
++B<EVP_KDF_CTRL_SET_KB_INFO>, and B<EVP_KDF_CTRL_SET_KB_SEED>
++correspond to KI, Label, Context, and IV (respectively) in SP800-108.
++As in that document, salt, info, and seed are optional and may be
++omitted.
++
++Depending on whether mac is CMAC or HMAC, either digest or cipher is
++required (respectively) and the other is unused.
++
++=head1 NOTES
++
++A context for KBKDF can be obtained by calling:
++
++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
++
++The output length of an KBKDF is specified via the C<keylen>
++parameter to the L<EVP_KDF_derive(3)> function.
++
++Note that currently OpenSSL only implements counter and feedback modes. Other
++variants may be supported in the future.
++
++=head1 EXAMPLES
++
++This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret",
++Label "label", and Context "context".
++
++ EVP_KDF_CTX *kctx;
++ unsigned char out[10];
++
++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
++
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256());
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC);
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret"));
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label"));
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context"));
++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
++ error("EVP_KDF_derive");
++
++ EVP_KDF_CTX_free(kctx);
++
++This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret",
++Label "label", Context "context", and IV "sixteen bytes iv".
++
++ EVP_KDF_CTX *kctx;
++ unsigned char out[10];
++ unsigned char *iv = "sixteen bytes iv";
++
++ kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
++ kctx = EVP_KDF_CTX_new(kdf);
++ EVP_KDF_free(kdf);
++
++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
++
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_ecb());
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC);
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK);
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret"));
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label"));
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context"));
++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, strlen(iv));
++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
++ error("EVP_KDF_derive");
++
++ EVP_KDF_CTX_free(kctx);
++
++=head1 CONFORMING TO
++
++NIST SP800-108, IETF RFC 6803, IETF RFC 8009.
++
++=head1 SEE ALSO
++
++L<EVP_KDF_CTX(3)>,
++L<EVP_KDF_CTX_new_id(3)>,
++L<EVP_KDF_CTX_free(3)>,
++L<EVP_KDF_ctrl(3)>,
++L<EVP_KDF_size(3)>,
++L<EVP_KDF_derive(3)>,
++L<EVP_KDF_CTX(3)/CONTROLS>
++
++=head1 HISTORY
++
++This functionality was added to OpenSSL 3.0.
++
++=head1 COPYRIGHT
++
++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++Copyright 2019 Red Hat, Inc.
++
++Licensed under the Apache License 2.0 (the "License"). You may not use
++this file except in compliance with the License. You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h
+--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100
++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-12 13:30:36.286748523 +0100
+@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void);
+ * KDF function codes.
+ */
+ # define KDF_F_HKDF_EXTRACT 112
++# define KDF_F_KBKDF_CTRL 134
++# define KDF_F_KBKDF_CTRL_STR 135
++# define KDF_F_KBKDF_DERIVE 136
++# define KDF_F_KBKDF_NEW 137
++# define KDF_F_KDF_CIPHER2CTRL 138
+ # define KDF_F_KDF_HKDF_DERIVE 113
+ # define KDF_F_KDF_HKDF_NEW 114
+ # define KDF_F_KDF_HKDF_SIZE 115
+@@ -61,7 +66,9 @@ int ERR_load_KDF_strings(void);
+ /*
+ * KDF reason codes.
+ */
++# define KDF_R_INVALID_CIPHER 116
+ # define KDF_R_INVALID_DIGEST 100
++# define KDF_R_INVALID_SEED_LENGTH 117
+ # define KDF_R_MISSING_ITERATION_COUNT 109
+ # define KDF_R_MISSING_KEY 104
+ # define KDF_R_MISSING_MESSAGE_DIGEST 105
+diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h
+--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100
++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-12 13:30:36.287748505 +0100
+@@ -21,6 +21,7 @@ extern "C" {
+ # define EVP_KDF_TLS1_PRF NID_tls1_prf
+ # define EVP_KDF_HKDF NID_hkdf
+ # define EVP_KDF_SSHKDF NID_sshkdf
++# define EVP_KDF_KB NID_kbkdf
+
+ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
+ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
+@@ -51,6 +52,11 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns
+ # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */
+ # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */
+ # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */
++# define EVP_KDF_CTRL_SET_KB_MODE 0x13 /* int */
++# define EVP_KDF_CTRL_SET_KB_MAC_TYPE 0x14 /* int */
++# define EVP_KDF_CTRL_SET_CIPHER 0x15 /* EVP_CIPHER * */
++# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */
+
+ # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
+@@ -63,6 +69,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns
+ #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69
+ #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70
+
++#define EVP_KDF_KB_MODE_COUNTER 0
++#define EVP_KDF_KB_MODE_FEEDBACK 1
++
++#define EVP_KDF_KB_MAC_TYPE_HMAC 0
++#define EVP_KDF_KB_MAC_TYPE_CMAC 1
++
+ /**** The legacy PKEY-based KDF API follows. ****/
+
+ # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)
+diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h
+--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100
++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-12 13:30:36.287748505 +0100
+@@ -4974,6 +4974,10 @@
+ #define LN_sshkdf "sshkdf"
+ #define NID_sshkdf 1203
+
++#define SN_kbkdf "KBKDF"
++#define LN_kbkdf "kbkdf"
++#define NID_kbkdf 1204
++
+ #define SN_id_pkinit "id-pkinit"
+ #define NID_id_pkinit 1031
+ #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L
+diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c
+--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-12 13:30:36.257749045 +0100
++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-12 16:35:19.265237664 +0100
+@@ -225,8 +225,261 @@ err:
+ }
+ #endif
+
++/*
++ * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
++ * section 10.
++ */
++static int test_kdf_kbkdf_6803_128(void)
++{
++ int ret = 0, i;
++ EVP_KDF_CTX *kctx;
++ static unsigned char input_key[] = {
++ 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
++ 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
++ };
++ static unsigned char constants[][5] = {
++ { 0x00, 0x00, 0x00, 0x02, 0x99 },
++ { 0x00, 0x00, 0x00, 0x02, 0xaa },
++ { 0x00, 0x00, 0x00, 0x02, 0x55 },
++ };
++ static unsigned char outputs[][16] = {
++ {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
++ 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
++ {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
++ 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
++ {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
++ 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
++ };
++ static unsigned char iv[16] = { 0 };
++ unsigned char result[16] = { 0 };
++
++ for (i = 0; i < 3; i++) {
++ ret = 0;
++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
++ TEST_error("EVP_KDF_KB");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_128_cbc()) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_CIPHER");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KEY");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_SALT");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED");
++ goto err;
++ }
++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
++ && TEST_mem_eq(result, sizeof(result), outputs[i],
++ sizeof(outputs[i]));
++err:
++ EVP_KDF_CTX_free(kctx);
++ if (ret != 1)
++ return ret;
++ }
++ return ret;
++}
++
++static int test_kdf_kbkdf_6803_256(void)
++{
++ int ret = 0, i;
++ EVP_KDF_CTX *kctx;
++ static unsigned char input_key[] = {
++ 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
++ 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
++ 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
++ 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
++ };
++ static unsigned char constants[][5] = {
++ { 0x00, 0x00, 0x00, 0x02, 0x99 },
++ { 0x00, 0x00, 0x00, 0x02, 0xaa },
++ { 0x00, 0x00, 0x00, 0x02, 0x55 },
++ };
++ static unsigned char outputs[][32] = {
++ {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
++ 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
++ 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
++ 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
++ },
++ {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
++ 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
++ 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
++ 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
++ },
++ {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
++ 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
++ 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
++ 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
++ },
++ };
++ static unsigned char iv[16] = { 0 };
++ unsigned char result[32] = { 0 };
++
++ for (i = 0; i < 3; i++) {
++ ret = 0;
++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
++ TEST_error("EVP_KDF_KB");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_256_cbc()) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_CIPHER");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KEY");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_SALT");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED");
++ goto err;
++ }
++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
++ && TEST_mem_eq(result, sizeof(result), outputs[i],
++ sizeof(outputs[i]));
++err:
++ EVP_KDF_CTX_free(kctx);
++ if (ret != 1)
++ return ret;
++ }
++ return ret;
++}
++
++/* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
++ * 5) appendix A. */
++static int test_kdf_kbkdf_8009_prf1(void)
++{
++ int ret = 0;
++ EVP_KDF_CTX *kctx;
++ char *label = "prf", *prf_input = "test";
++ static unsigned char input_key[] = {
++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
++ };
++ static unsigned char output[] = {
++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
++ };
++ unsigned char result[sizeof(output)] = { 0 };
++
++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
++ TEST_error("EVP_KDF_KB");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_MD");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KEY");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_SALT");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO");
++ goto err;
++ }
++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
++ && TEST_mem_eq(result, sizeof(result), output,
++ sizeof(output));
++err:
++ EVP_KDF_CTX_free(kctx);
++ return ret;
++}
++
++static int test_kdf_kbkdf_8009_prf2(void)
++{
++ int ret = 0;
++ EVP_KDF_CTX *kctx;
++ char *label = "prf", *prf_input = "test";
++ static unsigned char input_key[] = {
++ 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
++ 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
++ 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
++ 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
++ };
++ static unsigned char output[] = {
++ 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
++ 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
++ 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
++ 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
++ 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
++ 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
++ };
++ unsigned char result[sizeof(output)] = { 0 };
++
++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
++ TEST_error("EVP_KDF_KB");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha384()) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_MD");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KEY");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_SALT");
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO");
++ goto err;
++ }
++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
++ && TEST_mem_eq(result, sizeof(result), output,
++ sizeof(output));
++err:
++ EVP_KDF_CTX_free(kctx);
++ return ret;
++}
++
+ int setup_tests(void)
+ {
++ ADD_TEST(test_kdf_kbkdf_6803_128);
++ ADD_TEST(test_kdf_kbkdf_6803_256);
++ ADD_TEST(test_kdf_kbkdf_8009_prf1);
++ ADD_TEST(test_kdf_kbkdf_8009_prf2);
+ ADD_TEST(test_kdf_tls1_prf);
+ ADD_TEST(test_kdf_hkdf);
+ ADD_TEST(test_kdf_pbkdf2);
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: KBKDF for Kerberos 5 Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox