Blame SOURCES/openssl-1.1.1-krb5-kdf.patch

b63792
diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/err/openssl.txt
b63792
--- openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf	2019-11-14 16:25:09.445914709 +0100
b63792
+++ openssl-1.1.1c/crypto/err/openssl.txt	2019-11-14 16:26:10.333811902 +0100
b63792
@@ -816,6 +816,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g
b63792
 EVP_F_SCRYPT_ALG:228:scrypt_alg
b63792
 EVP_F_UPDATE:173:update
b63792
 KDF_F_HKDF_EXTRACT:112:HKDF_Extract
b63792
+KDF_F_KBKDF_CTRL:134:kbkdf_ctrl
b63792
+KDF_F_KBKDF_CTRL_STR:135:kbkdf_ctrl_str
b63792
+KDF_F_KBKDF_DERIVE:136:kbkdf_derive
b63792
+KDF_F_KBKDF_NEW:137:kbkdf_new
b63792
+KDF_F_KDF_CIPHER2CTRL:138:kdf_cipher2ctrl
b63792
 KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
b63792
 KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
b63792
 KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
b63792
@@ -835,6 +840,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new
b63792
 KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
b63792
 KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
b63792
 KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
b63792
+KDF_F_KRB5KDF:139:KRB5KDF
b63792
+KDF_F_KRB5KDF_DERIVE:140:krb5kdf_derive
b63792
 KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf
b63792
 KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
b63792
 KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
b63792
@@ -848,6 +855,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl
b63792
 KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
b63792
 KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
b63792
 KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf
b63792
+KDF_F_SSKDF_DERIVE:141:sskdf_derive
b63792
+KDF_F_SSKDF_NEW:142:sskdf_new
b63792
+KDF_F_SSKDF_SIZE:143:sskdf_size
b63792
 KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
b63792
 OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
b63792
 OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
b63792
@@ -2315,7 +2325,13 @@ EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
b63792
 EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
b63792
 EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
b63792
 EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
b63792
+KDF_R_FAILED_TO_GENERATE_KEY:118:failed to generate key
b63792
+KDF_R_INVALID_CIPHER:116:invalid cipher
b63792
+KDF_R_INVALID_CONSTANT_LENGTH:119:invalid constant length
b63792
 KDF_R_INVALID_DIGEST:100:invalid digest
b63792
+KDF_R_INVALID_SEED_LENGTH:117:invalid seed length
b63792
+KDF_R_MISSING_CIPHER:120:missing cipher
b63792
+KDF_R_MISSING_CONSTANT:121:missing constant
b63792
 KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
b63792
 KDF_R_MISSING_KEY:104:missing key
b63792
 KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest
b63792
@@ -2330,6 +2346,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas
b63792
 KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
b63792
 KDF_R_VALUE_ERROR:108:value error
b63792
 KDF_R_VALUE_MISSING:102:value missing
b63792
+KDF_R_WRONG_FINAL_BLOCK_LENGTH:120:wrong final block length
b63792
 KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
b63792
 OBJ_R_OID_EXISTS:102:oid exists
b63792
 OBJ_R_UNKNOWN_NID:101:unknown nid
b63792
diff -up openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1c/crypto/evp/kdf_lib.c
b63792
--- openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf	2019-11-14 16:25:09.445914709 +0100
b63792
+++ openssl-1.1.1c/crypto/evp/kdf_lib.c	2019-11-14 16:25:09.475914166 +0100
b63792
@@ -31,6 +31,9 @@ static const EVP_KDF_METHOD *standard_me
b63792
     &tls1_prf_kdf_meth,
b63792
     &hkdf_kdf_meth,
b63792
     &sshkdf_kdf_meth,
b63792
+    &kb_kdf_meth,
b63792
+    &krb5kdf_kdf_meth,
b63792
+    &ss_kdf_meth
b63792
 };
b63792
 
b63792
 DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
b63792
diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1c/crypto/include/internal/evp_int.h
b63792
--- openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf	2019-11-14 16:25:09.446914691 +0100
b63792
+++ openssl-1.1.1c/crypto/include/internal/evp_int.h	2019-11-14 16:25:09.475914166 +0100
b63792
@@ -130,6 +130,9 @@ extern const EVP_KDF_METHOD scrypt_kdf_m
b63792
 extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
b63792
 extern const EVP_KDF_METHOD hkdf_kdf_meth;
b63792
 extern const EVP_KDF_METHOD sshkdf_kdf_meth;
b63792
+extern const EVP_KDF_METHOD kb_kdf_meth;
b63792
+extern const EVP_KDF_METHOD krb5kdf_kdf_meth;
b63792
+extern const EVP_KDF_METHOD ss_kdf_meth;
b63792
 
b63792
 struct evp_md_st {
b63792
     int type;
b63792
diff -up openssl-1.1.1c/crypto/kdf/build.info.krb5-kdf openssl-1.1.1c/crypto/kdf/build.info
b63792
--- openssl-1.1.1c/crypto/kdf/build.info.krb5-kdf	2019-11-14 16:25:09.446914691 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/build.info	2019-11-14 16:25:09.475914166 +0100
b63792
@@ -1,3 +1,3 @@
b63792
 LIBS=../../libcrypto
b63792
 SOURCE[../../libcrypto]=\
b63792
-        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c
b63792
+        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c sskdf.c
b63792
diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kbkdf.c
b63792
--- openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf	2019-11-14 16:25:09.475914166 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/kbkdf.c	2019-11-18 17:21:58.326635901 +0100
b63792
@@ -0,0 +1,540 @@
b63792
+/*
b63792
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
b63792
+ * Copyright 2019 Red Hat, Inc.
b63792
+ *
b63792
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
b63792
+ * this file except in compliance with the License.  You can obtain a copy
b63792
+ * in the file LICENSE in the source distribution or at
b63792
+ * https://www.openssl.org/source/license.html
b63792
+ */
b63792
+
b63792
+/*
b63792
+ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final
b63792
+ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC
b63792
+ * and CMAC.  That document does not name the KDFs it defines; the name is
b63792
+ * derived from
b63792
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation
b63792
+ *
b63792
+ * Note that section 5.3 ("double-pipeline mode") is not implemented, though
b63792
+ * it would be possible to do so in the future.
b63792
+ *
b63792
+ * These versions all assume the counter is used.  It would be relatively
b63792
+ * straightforward to expose a configuration handle should the need arise.
b63792
+ *
b63792
+ * Variable names attempt to match those of SP800-108.
b63792
+ */
b63792
+
b63792
+#include <stdarg.h>
b63792
+#include <stdlib.h>
b63792
+#include <string.h>
b63792
+
b63792
+#include <openssl/evp.h>
b63792
+#include <openssl/hmac.h>
b63792
+#include <openssl/cmac.h>
b63792
+#include <openssl/kdf.h>
b63792
+
b63792
+#include "internal/numbers.h"
b63792
+#include "internal/cryptlib.h"
b63792
+#include "internal/evp_int.h"
b63792
+#include "kdf_local.h"
b63792
+
b63792
+#include "e_os.h"
b63792
+
b63792
+#ifdef MIN
b63792
+# undef MIN
b63792
+#endif
b63792
+#define MIN(a, b) ((a) < (b)) ? (a) : (b)
b63792
+
b63792
+typedef struct {
b63792
+    int mac_type;
b63792
+    union {
b63792
+        HMAC_CTX *hmac;
b63792
+        CMAC_CTX *cmac;
b63792
+    } m;
b63792
+} MAC_CTX;
b63792
+
b63792
+/* Our context structure. */
b63792
+struct evp_kdf_impl_st {
b63792
+    int mode;
b63792
+
b63792
+    MAC_CTX *ctx_init;
b63792
+
b63792
+    const EVP_CIPHER *cipher;
b63792
+    const EVP_MD *md;
b63792
+
b63792
+    /* Names are lowercased versions of those found in SP800-108. */
b63792
+    unsigned char *ki;
b63792
+    size_t ki_len;
b63792
+    unsigned char *label;
b63792
+    size_t label_len;
b63792
+    unsigned char *context;
b63792
+    size_t context_len;
b63792
+    unsigned char *iv;
b63792
+    size_t iv_len;
b63792
+};
b63792
+
b63792
+static MAC_CTX *EVP_MAC_CTX_new(int mac_type)
b63792
+{
b63792
+    MAC_CTX *ctx;
b63792
+
b63792
+    ctx = OPENSSL_zalloc(sizeof(*ctx));
b63792
+    if (ctx == NULL)
b63792
+        return NULL;
b63792
+
b63792
+    ctx->mac_type = mac_type;
b63792
+    if (mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
b63792
+        if ((ctx->m.hmac = HMAC_CTX_new()) == NULL)
b63792
+            goto err;
b63792
+    } else {
b63792
+        if ((ctx->m.cmac = CMAC_CTX_new()) == NULL)
b63792
+            goto err;
b63792
+    }
b63792
+    return ctx;
b63792
+
b63792
+err:
b63792
+    OPENSSL_free(ctx);
b63792
+    return NULL;
b63792
+}
b63792
+
b63792
+static void EVP_MAC_CTX_free(MAC_CTX *ctx)
b63792
+{
b63792
+    if (ctx == NULL)
b63792
+        return;
b63792
+
b63792
+    if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC)
b63792
+        HMAC_CTX_free(ctx->m.hmac);
b63792
+    else
b63792
+        CMAC_CTX_free(ctx->m.cmac);
b63792
+    OPENSSL_free(ctx);
b63792
+}
b63792
+
b63792
+static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx)
b63792
+{
b63792
+    MAC_CTX *ctx;
b63792
+
b63792
+    ctx = OPENSSL_zalloc(sizeof(*sctx));
b63792
+    if (ctx == NULL)
b63792
+        return NULL;
b63792
+
b63792
+    ctx->mac_type = sctx->mac_type;
b63792
+    if (sctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
b63792
+        if ((ctx->m.hmac = HMAC_CTX_new()) == NULL
b63792
+            || HMAC_CTX_copy(ctx->m.hmac, sctx->m.hmac) <= 0)
b63792
+            goto err;
b63792
+    } else {
b63792
+        if ((ctx->m.cmac = CMAC_CTX_new()) == NULL
b63792
+            || CMAC_CTX_copy(ctx->m.cmac, sctx->m.cmac) <= 0)
b63792
+            goto err;
b63792
+    }
b63792
+    return ctx;
b63792
+
b63792
+err:
b63792
+    EVP_MAC_CTX_free(ctx);
b63792
+    return NULL;
b63792
+}
b63792
+
b63792
+static size_t EVP_MAC_size(MAC_CTX *ctx)
b63792
+{
b63792
+    if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
b63792
+        const EVP_MD *md;
b63792
+
b63792
+        if (ctx->m.hmac == NULL)
b63792
+            return 0;
b63792
+        if ((md = HMAC_CTX_get_md(ctx->m.hmac)) == NULL)
b63792
+            return 0;
b63792
+        return (size_t)EVP_MD_size(md);
b63792
+    } else {
b63792
+        const EVP_CIPHER_CTX *cctx;
b63792
+
b63792
+        if (ctx->m.cmac == NULL)
b63792
+            return 0;
b63792
+        if ((cctx = CMAC_CTX_get0_cipher_ctx(ctx->m.cmac)) == NULL)
b63792
+            return 0;
b63792
+        return EVP_CIPHER_CTX_block_size(cctx);
b63792
+    }
b63792
+}
b63792
+
b63792
+static int EVP_MAC_update(MAC_CTX *ctx, const unsigned char *data,
b63792
+                          size_t datalen)
b63792
+{
b63792
+    if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC)
b63792
+        return HMAC_Update(ctx->m.hmac, data, datalen);
b63792
+    else
b63792
+        return CMAC_Update(ctx->m.cmac, data, datalen);
b63792
+}
b63792
+
b63792
+static int EVP_MAC_final(MAC_CTX *ctx, unsigned char *out,
b63792
+                         size_t *outl, size_t outsize)
b63792
+{
b63792
+    if (outsize != EVP_MAC_size(ctx))
b63792
+        /* we do not cope with anything else */
b63792
+        return 0;
b63792
+
b63792
+    if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
b63792
+        unsigned int intsize = (unsigned int)outsize;
b63792
+        int ret;
b63792
+
b63792
+        ret = HMAC_Final(ctx->m.hmac, out, &intsize);
b63792
+        if (outl != NULL)
b63792
+            *outl = intsize;
b63792
+        return ret;
b63792
+    } else {
b63792
+        size_t size = outsize;
b63792
+        int ret;
b63792
+
b63792
+        ret = CMAC_Final(ctx->m.cmac, out, &size);
b63792
+        if (outl != NULL)
b63792
+            *outl = size;
b63792
+        return ret;
b63792
+    }
b63792
+}
b63792
+
b63792
+static int evp_mac_init(MAC_CTX *ctx, const EVP_MD *md,
b63792
+                        const EVP_CIPHER *cipher, unsigned char *key, size_t keylen)
b63792
+{
b63792
+    if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) {
b63792
+        if (md == NULL)
b63792
+            return 0;
b63792
+        return HMAC_Init_ex(ctx->m.hmac, key, (int)keylen, md, NULL);
b63792
+    } else {
b63792
+        if (cipher == NULL)
b63792
+            return 0;
b63792
+        return CMAC_Init(ctx->m.cmac, key, keylen, cipher, NULL);
b63792
+    }
b63792
+}
b63792
+
b63792
+static void kbkdf_reset(EVP_KDF_IMPL *ctx);
b63792
+
b63792
+/* Not all platforms have htobe32(). */
b63792
+static uint32_t be32(uint32_t host)
b63792
+{
b63792
+    uint32_t big = 0;
b63792
+    const union {
b63792
+        long one;
b63792
+        char little;
b63792
+    } is_endian = { 1 };
b63792
+
b63792
+    if (!is_endian.little)
b63792
+        return host;
b63792
+
b63792
+    big |= (host & 0xff000000) >> 24;
b63792
+    big |= (host & 0x00ff0000) >> 8;
b63792
+    big |= (host & 0x0000ff00) << 8;
b63792
+    big |= (host & 0x000000ff) << 24;
b63792
+    return big;
b63792
+}
b63792
+
b63792
+static EVP_KDF_IMPL *kbkdf_new(void)
b63792
+{
b63792
+    EVP_KDF_IMPL *ctx;
b63792
+
b63792
+    ctx = OPENSSL_zalloc(sizeof(*ctx));
b63792
+    if (ctx == NULL) {
b63792
+        KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE);
b63792
+        return NULL;
b63792
+    }
b63792
+
b63792
+    return ctx;
b63792
+}
b63792
+
b63792
+static void kbkdf_free(EVP_KDF_IMPL *ctx)
b63792
+{
b63792
+    kbkdf_reset(ctx);
b63792
+    OPENSSL_free(ctx);
b63792
+}
b63792
+
b63792
+static void kbkdf_reset(EVP_KDF_IMPL *ctx)
b63792
+{
b63792
+    EVP_MAC_CTX_free(ctx->ctx_init);
b63792
+    OPENSSL_clear_free(ctx->context, ctx->context_len);
b63792
+    OPENSSL_clear_free(ctx->label, ctx->label_len);
b63792
+    OPENSSL_clear_free(ctx->ki, ctx->ki_len);
b63792
+    OPENSSL_clear_free(ctx->iv, ctx->iv_len);
b63792
+    memset(ctx, 0, sizeof(*ctx));
b63792
+}
b63792
+
b63792
+/* SP800-108 section 5.1 or section 5.2 depending on mode. */
b63792
+static int derive(MAC_CTX *ctx_init, int mode, unsigned char *iv,
b63792
+                  size_t iv_len, unsigned char *label, size_t label_len,
b63792
+                  unsigned char *context, size_t context_len,
b63792
+                  unsigned char *k_i, size_t h, uint32_t l, unsigned char *ko,
b63792
+                  size_t ko_len)
b63792
+{
b63792
+    int ret = 0;
b63792
+    MAC_CTX *ctx = NULL;
b63792
+    size_t written = 0, to_write, k_i_len = iv_len;
b63792
+    const unsigned char zero = 0;
b63792
+    uint32_t counter, i;
b63792
+
b63792
+    /* Setup K(0) for feedback mode. */
b63792
+    if (iv_len > 0)
b63792
+        memcpy(k_i, iv, iv_len);
b63792
+
b63792
+    for (counter = 1; written < ko_len; counter++) {
b63792
+        i = be32(counter);
b63792
+
b63792
+        ctx = EVP_MAC_CTX_dup(ctx_init);
b63792
+        if (ctx == NULL)
b63792
+            goto done;
b63792
+
b63792
+        /* Perform feedback, if appropriate. */
b63792
+        if (mode == EVP_KDF_KB_MODE_FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len))
b63792
+            goto done;
b63792
+
b63792
+        if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4)
b63792
+            || !EVP_MAC_update(ctx, label, label_len)
b63792
+            || !EVP_MAC_update(ctx, &zero, 1)
b63792
+            || !EVP_MAC_update(ctx, context, context_len)
b63792
+            || !EVP_MAC_update(ctx, (unsigned char *)&l, 4)
b63792
+            || !EVP_MAC_final(ctx, k_i, NULL, h))
b63792
+            goto done;
b63792
+
b63792
+        to_write = ko_len - written;
b63792
+        memcpy(ko + written, k_i, MIN(to_write, h));
b63792
+        written += h;
b63792
+
b63792
+        k_i_len = h;
b63792
+        EVP_MAC_CTX_free(ctx);
b63792
+        ctx = NULL;
b63792
+    }
b63792
+
b63792
+    ret = 1;
b63792
+done:
b63792
+    EVP_MAC_CTX_free(ctx);
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static int kbkdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, size_t keylen)
b63792
+{
b63792
+    int ret = 0;
b63792
+    unsigned char *k_i = NULL;
b63792
+    uint32_t l = be32(keylen * 8);
b63792
+    size_t h = 0;
b63792
+
b63792
+    /* label, context, and iv are permitted to be empty.  Check everything
b63792
+     * else. */
b63792
+    if (ctx->ctx_init == NULL
b63792
+        || evp_mac_init(ctx->ctx_init, ctx->md, ctx->cipher, ctx->ki, ctx->ki_len) <= 0) {
b63792
+        if (ctx->ki_len == 0 || ctx->ki == NULL) {
b63792
+            KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_KEY);
b63792
+            return 0;
b63792
+        }
b63792
+        /* Could either be missing MAC or missing message digest or missing
b63792
+         * cipher - arbitrarily, I pick this one. */
b63792
+        KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_PARAMETER);
b63792
+        return 0;
b63792
+    }
b63792
+
b63792
+    h = EVP_MAC_size(ctx->ctx_init);
b63792
+    if (h == 0)
b63792
+        goto done;
b63792
+    if (ctx->iv_len != 0 && ctx->iv_len != h) {
b63792
+        KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_INVALID_SEED_LENGTH);
b63792
+        goto done;
b63792
+    }
b63792
+
b63792
+    k_i = OPENSSL_zalloc(h);
b63792
+    if (k_i == NULL)
b63792
+        goto done;
b63792
+
b63792
+    ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label,
b63792
+                 ctx->label_len, ctx->context, ctx->context_len, k_i, h, l,
b63792
+                 key, keylen);
b63792
+done:
b63792
+    if (ret != 1)
b63792
+        OPENSSL_cleanse(key, keylen);
b63792
+    OPENSSL_clear_free(k_i, h);
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static size_t kbkdf_size(EVP_KDF_IMPL *ctx)
b63792
+{
b63792
+    return UINT32_MAX/8;
b63792
+}
b63792
+
b63792
+static int kbkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len,
b63792
+                                       va_list args)
b63792
+{
b63792
+    const unsigned char *p;
b63792
+    size_t len;
b63792
+
b63792
+    p = va_arg(args, const unsigned char *);
b63792
+    len = va_arg(args, size_t);
b63792
+    OPENSSL_clear_free(*dst, *dst_len);
b63792
+    if (len == 0) {
b63792
+        *dst = NULL;
b63792
+        *dst_len = 0;
b63792
+        return 1;
b63792
+    }
b63792
+
b63792
+    *dst = OPENSSL_memdup(p, len);
b63792
+    if (*dst == NULL)
b63792
+        return 0;
b63792
+
b63792
+    *dst_len = len;
b63792
+    return 1;
b63792
+}
b63792
+
b63792
+static int kbkdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args)
b63792
+{
b63792
+    int t;
b63792
+
b63792
+    switch (cmd) {
b63792
+    case EVP_KDF_CTRL_SET_MD:
b63792
+        ctx->md = va_arg(args, const EVP_MD *);
b63792
+        if (ctx->md == NULL)
b63792
+            return 0;
b63792
+
b63792
+        return 1;
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_CIPHER:
b63792
+        ctx->cipher = va_arg(args, const EVP_CIPHER *);
b63792
+        if (ctx->cipher == NULL)
b63792
+            return 0;
b63792
+
b63792
+        return 1;
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KEY:
b63792
+        return kbkdf_parse_buffer_arg(&ctx->ki,
b63792
+                                      &ctx->ki_len, args);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_SALT:
b63792
+        return kbkdf_parse_buffer_arg(&ctx->label,
b63792
+                                           &ctx->label_len, args);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KB_INFO:
b63792
+        return kbkdf_parse_buffer_arg(&ctx->context,
b63792
+                                           &ctx->context_len, args);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KB_SEED:
b63792
+        return kbkdf_parse_buffer_arg(&ctx->iv,
b63792
+                                           &ctx->iv_len, args);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KB_MODE:
b63792
+        t = va_arg(args, int);
b63792
+        if (t != EVP_KDF_KB_MODE_COUNTER && t != EVP_KDF_KB_MODE_FEEDBACK ) {
b63792
+            KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR);
b63792
+            return 0;
b63792
+        }
b63792
+        ctx->mode = t;
b63792
+        return 1;
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KB_MAC_TYPE:
b63792
+        t = va_arg(args, int);
b63792
+        if (t != EVP_KDF_KB_MAC_TYPE_HMAC && t != EVP_KDF_KB_MAC_TYPE_CMAC ) {
b63792
+            KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR);
b63792
+            return 0;
b63792
+        }
b63792
+
b63792
+        if (ctx->ctx_init != NULL) {
b63792
+            EVP_MAC_CTX_free(ctx->ctx_init);
b63792
+        }
b63792
+        ctx->ctx_init = EVP_MAC_CTX_new(t);
b63792
+        if (ctx->ctx_init == NULL) {
b63792
+            KDFerr(KDF_F_KBKDF_CTRL, ERR_R_MALLOC_FAILURE);
b63792
+            return 0;
b63792
+        }
b63792
+        return 1;
b63792
+
b63792
+    default:
b63792
+        return -2;
b63792
+
b63792
+    }
b63792
+}
b63792
+
b63792
+static int kbkdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type,
b63792
+                               const char *value)
b63792
+{
b63792
+    if (value == NULL) {
b63792
+        KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING);
b63792
+        return 0;
b63792
+    }
b63792
+
b63792
+    if (strcmp(type, "digest") == 0)
b63792
+        return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
b63792
+    /* alias, for historical reasons */
b63792
+    if (strcmp(type, "md") == 0)
b63792
+        return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
b63792
+
b63792
+    if (strcmp(type, "cipher") == 0)
b63792
+        return kdf_cipher2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value);
b63792
+
b63792
+    if (strcmp(type, "key") == 0)
b63792
+        return kdf_str2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KEY, value);
b63792
+
b63792
+    if (strcmp(type, "hexkey") == 0)
b63792
+        return kdf_hex2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KEY, value);
b63792
+
b63792
+    if (strcmp(type, "salt") == 0)
b63792
+        return kdf_str2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_SALT, value);
b63792
+
b63792
+    if (strcmp(type, "hexsalt") == 0)
b63792
+        return kdf_hex2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_SALT, value);
b63792
+
b63792
+    if (strcmp(type, "info") == 0)
b63792
+        return kdf_str2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KB_INFO, value);
b63792
+
b63792
+    if (strcmp(type, "hexinfo") == 0)
b63792
+        return kdf_hex2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KB_INFO, value);
b63792
+
b63792
+    if (strcmp(type, "seed") == 0)
b63792
+        return kdf_str2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KB_SEED, value);
b63792
+
b63792
+    if (strcmp(type, "hexseed") == 0)
b63792
+        return kdf_hex2ctrl(ctx, kbkdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KB_SEED, value);
b63792
+
b63792
+    if (strcmp(type, "mode") == 0) {
b63792
+        int mode;
b63792
+
b63792
+        if (strcasecmp(value, "counter") == 0) {
b63792
+            mode = EVP_KDF_KB_MODE_COUNTER;
b63792
+        } else if (strcasecmp(value, "feedback") == 0) {
b63792
+            mode = EVP_KDF_KB_MODE_FEEDBACK;
b63792
+        } else {
b63792
+            KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR);
b63792
+            return 0;
b63792
+        }
b63792
+
b63792
+        return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MODE,
b63792
+                         mode);
b63792
+    }
b63792
+
b63792
+    if (strcmp(type, "mac_type") == 0) {
b63792
+        int mac_type;
b63792
+
b63792
+        if (strcasecmp(value, "hmac") == 0) {
b63792
+            mac_type = EVP_KDF_KB_MAC_TYPE_HMAC;
b63792
+        } else if (strcasecmp(value, "cmac") == 0) {
b63792
+            mac_type = EVP_KDF_KB_MAC_TYPE_CMAC;
b63792
+        } else {
b63792
+            KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR);
b63792
+            return 0;
b63792
+        }
b63792
+
b63792
+        return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE,
b63792
+                         mac_type);
b63792
+    }
b63792
+
b63792
+    KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
b63792
+    return -2;
b63792
+}
b63792
+
b63792
+const EVP_KDF_METHOD kb_kdf_meth = {
b63792
+    EVP_KDF_KB,
b63792
+    kbkdf_new,
b63792
+    kbkdf_free,
b63792
+    kbkdf_reset,
b63792
+    kbkdf_ctrl,
b63792
+    kbkdf_ctrl_str,
b63792
+    kbkdf_size,
b63792
+    kbkdf_derive,
b63792
+};
b63792
+
b63792
diff -up openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_err.c
b63792
--- openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf	2019-11-14 16:25:09.446914691 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/kdf_err.c	2019-11-14 16:25:09.475914166 +0100
b63792
@@ -15,6 +15,11 @@
b63792
 
b63792
 static const ERR_STRING_DATA KDF_str_functs[] = {
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL, 0), "kbkdf_ctrl"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL_STR, 0), "kbkdf_ctrl_str"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_DERIVE, 0), "kbkdf_derive"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_NEW, 0), "kbkdf_new"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_CIPHER2CTRL, 0), "kdf_cipher2ctrl"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"},
b63792
@@ -41,6 +46,8 @@ static const ERR_STRING_DATA KDF_str_fun
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0),
b63792
      "kdf_tls1_prf_derive"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF, 0), "KRB5KDF"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF_DERIVE, 0), "krb5kdf_derive"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"},
b63792
@@ -59,12 +66,22 @@ static const ERR_STRING_DATA KDF_str_fun
b63792
      "pkey_tls1_prf_derive"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_DERIVE, 0), "sskdf_derive"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_NEW, 0), "sskdf_new"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_SIZE, 0), "sskdf_size"},
b63792
     {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"},
b63792
     {0, NULL}
b63792
 };
b63792
 
b63792
 static const ERR_STRING_DATA KDF_str_reasons[] = {
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_FAILED_TO_GENERATE_KEY),
b63792
+    "failed to generate key"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CONSTANT_LENGTH), "invalid constant length"},
b63792
     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CIPHER), "missing cipher"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CONSTANT), "missing constant"},
b63792
     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT),
b63792
     "missing iteration count"},
b63792
     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"},
b63792
@@ -82,6 +99,8 @@ static const ERR_STRING_DATA KDF_str_rea
b63792
     "unknown parameter type"},
b63792
     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"},
b63792
     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"},
b63792
+    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_FINAL_BLOCK_LENGTH),
b63792
+    "wrong final block length"},
b63792
     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE),
b63792
     "wrong output buffer size"},
b63792
     {0, NULL}
b63792
diff -up openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_local.h
b63792
--- openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf	2019-11-14 16:25:09.438914836 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/kdf_local.h	2019-11-14 16:25:09.475914166 +0100
b63792
@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
b63792
 int kdf_md2ctrl(EVP_KDF_IMPL *impl,
b63792
                 int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
b63792
                 int cmd, const char *md_name);
b63792
-
b63792
+int kdf_cipher2ctrl(EVP_KDF_IMPL *impl,
b63792
+                    int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
b63792
+                    int cmd, const char *cipher_name);
b63792
diff -up openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_util.c
b63792
--- openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf	2019-11-14 16:25:09.438914836 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/kdf_util.c	2019-11-14 16:25:09.475914166 +0100
b63792
@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl,
b63792
     return call_ctrl(ctrl, impl, cmd, md);
b63792
 }
b63792
 
b63792
+/* Pass a cipher to a ctrl */
b63792
+int kdf_cipher2ctrl(EVP_KDF_IMPL *impl,
b63792
+                    int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
b63792
+                    int cmd, const char *cipher_name)
b63792
+{
b63792
+    const EVP_CIPHER *cipher;
b63792
+
b63792
+    if (cipher_name == NULL || (cipher = EVP_get_cipherbyname(cipher_name)) == NULL) {
b63792
+        KDFerr(KDF_F_KDF_CIPHER2CTRL, KDF_R_INVALID_CIPHER);
b63792
+        return 0;
b63792
+    }
b63792
+    return call_ctrl(ctrl, impl, cmd, cipher);
b63792
+}
b63792
diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/krb5kdf.c
b63792
--- openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf	2019-11-14 16:25:09.476914148 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/krb5kdf.c	2019-11-18 17:18:13.056604404 +0100
b63792
@@ -0,0 +1,423 @@
b63792
+/*
b63792
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
b63792
+ *
b63792
+ * Licensed under the OpenSSL license (the "License").  You may not use
b63792
+ * this file except in compliance with the License.  You can obtain a copy
b63792
+ * in the file LICENSE in the source distribution or at
b63792
+ * https://www.openssl.org/source/license.html
b63792
+ */
b63792
+
b63792
+#include <stdlib.h>
b63792
+#include <stdarg.h>
b63792
+#include <string.h>
b63792
+
b63792
+#include <openssl/des.h>
b63792
+#include <openssl/evp.h>
b63792
+#include <openssl/kdf.h>
b63792
+
b63792
+#include "internal/cryptlib.h"
b63792
+#include "internal/evp_int.h"
b63792
+#include "kdf_local.h"
b63792
+
b63792
+/* KRB5 KDF defined in RFC 3961, Section 5.1 */
b63792
+
b63792
+static int KRB5KDF(const EVP_CIPHER *cipher,
b63792
+                   const unsigned char *key, size_t key_len,
b63792
+                   const unsigned char *constant, size_t constant_len,
b63792
+                   unsigned char *okey, size_t okey_len);
b63792
+
b63792
+struct evp_kdf_impl_st {
b63792
+    const EVP_CIPHER *cipher;
b63792
+    unsigned char *key;
b63792
+    size_t key_len;
b63792
+    unsigned char *constant;
b63792
+    size_t constant_len;
b63792
+};
b63792
+
b63792
+static void krb5kdf_reset(EVP_KDF_IMPL *ctx);
b63792
+
b63792
+static EVP_KDF_IMPL *krb5kdf_new(void)
b63792
+{
b63792
+    EVP_KDF_IMPL *ctx;
b63792
+
b63792
+    if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
b63792
+        KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE);
b63792
+    return ctx;
b63792
+}
b63792
+
b63792
+static void krb5kdf_free(EVP_KDF_IMPL *ctx)
b63792
+{
b63792
+    krb5kdf_reset(ctx);
b63792
+    OPENSSL_free(ctx);
b63792
+}
b63792
+
b63792
+static void krb5kdf_reset(EVP_KDF_IMPL *ctx)
b63792
+{
b63792
+    OPENSSL_clear_free(ctx->key, ctx->key_len);
b63792
+    OPENSSL_clear_free(ctx->constant, ctx->constant_len);
b63792
+    memset(ctx, 0, sizeof(*ctx));
b63792
+}
b63792
+
b63792
+static int krb5kdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key,
b63792
+                              size_t keylen)
b63792
+{
b63792
+    if (ctx->cipher == NULL) {
b63792
+        KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CIPHER);
b63792
+        return 0;
b63792
+    }
b63792
+    if (ctx->key == NULL) {
b63792
+        KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_KEY);
b63792
+        return 0;
b63792
+    }
b63792
+    if (ctx->constant == NULL) {
b63792
+        KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CONSTANT);
b63792
+        return 0;
b63792
+    }
b63792
+    return KRB5KDF(ctx->cipher, ctx->key, ctx->key_len,
b63792
+                   ctx->constant, ctx->constant_len,
b63792
+                   key, keylen);
b63792
+}
b63792
+
b63792
+static size_t krb5kdf_size(EVP_KDF_IMPL *ctx)
b63792
+{
b63792
+    if (ctx->cipher != NULL)
b63792
+        return EVP_CIPHER_key_length(ctx->cipher);
b63792
+    else
b63792
+        return EVP_MAX_KEY_LENGTH;
b63792
+}
b63792
+
b63792
+
b63792
+static int krb5kdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len,
b63792
+                                       va_list args)
b63792
+{
b63792
+    const unsigned char *p;
b63792
+    size_t len;
b63792
+
b63792
+    p = va_arg(args, const unsigned char *);
b63792
+    len = va_arg(args, size_t);
b63792
+    OPENSSL_clear_free(*dst, *dst_len);
b63792
+    if (len == 0) {
b63792
+        *dst = NULL;
b63792
+        *dst_len = 0;
b63792
+        return 1;
b63792
+    }
b63792
+
b63792
+    *dst = OPENSSL_memdup(p, len);
b63792
+    if (*dst == NULL)
b63792
+        return 0;
b63792
+
b63792
+    *dst_len = len;
b63792
+    return 1;
b63792
+}
b63792
+
b63792
+static int krb5kdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args)
b63792
+{
b63792
+    switch (cmd) {
b63792
+    case EVP_KDF_CTRL_SET_CIPHER:
b63792
+        ctx->cipher = va_arg(args, const EVP_CIPHER *);
b63792
+        if (ctx->cipher == NULL)
b63792
+            return 0;
b63792
+
b63792
+        return 1;
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KEY:
b63792
+        return krb5kdf_parse_buffer_arg(&ctx->key,
b63792
+                                      &ctx->key_len, args);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT:
b63792
+        return krb5kdf_parse_buffer_arg(&ctx->constant,
b63792
+                                           &ctx->constant_len, args);
b63792
+    default:
b63792
+        return -2;
b63792
+
b63792
+    }
b63792
+}
b63792
+
b63792
+static int krb5kdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type,
b63792
+                               const char *value)
b63792
+{
b63792
+    if (value == NULL) {
b63792
+        KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING);
b63792
+        return 0;
b63792
+    }
b63792
+
b63792
+    if (strcmp(type, "cipher") == 0)
b63792
+        return kdf_cipher2ctrl(ctx, krb5kdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value);
b63792
+
b63792
+    if (strcmp(type, "key") == 0)
b63792
+        return kdf_str2ctrl(ctx, krb5kdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KEY, value);
b63792
+
b63792
+    if (strcmp(type, "hexkey") == 0)
b63792
+        return kdf_hex2ctrl(ctx, krb5kdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KEY, value);
b63792
+
b63792
+    if (strcmp(type, "constant") == 0)
b63792
+        return kdf_str2ctrl(ctx, krb5kdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value);
b63792
+
b63792
+    if (strcmp(type, "hexconstant") == 0)
b63792
+        return kdf_hex2ctrl(ctx, krb5kdf_ctrl,
b63792
+                            EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value);
b63792
+
b63792
+    KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
b63792
+    return -2;
b63792
+}
b63792
+
b63792
+
b63792
+#ifndef OPENSSL_NO_DES
b63792
+/*
b63792
+ * DES3 is a special case, it requires a random-to-key function and its
b63792
+ * input truncated to 21 bytes of the 24 produced by the cipher.
b63792
+ * See RFC3961 6.3.1
b63792
+ */
b63792
+static int fixup_des3_key(unsigned char *key)
b63792
+{
b63792
+    unsigned char *cblock;
b63792
+    int i, j;
b63792
+
b63792
+    for (i = 2; i >= 0; i--) {
b63792
+        cblock = &key[i * 8];
b63792
+        memmove(cblock, &key[i * 7], 7);
b63792
+        cblock[7] = 0;
b63792
+        for (j = 0; j < 7; j++)
b63792
+            cblock[7] |= (cblock[j] & 1) << (j + 1);
b63792
+        DES_set_odd_parity((DES_cblock *)cblock);
b63792
+    }
b63792
+
b63792
+    /* fail if keys are such that triple des degrades to single des */
b63792
+    if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 ||
b63792
+        CRYPTO_memcmp(&key[8], &key[16], 8) == 0) {
b63792
+        return 0;
b63792
+    }
b63792
+
b63792
+    return 1;
b63792
+}
b63792
+#endif
b63792
+
b63792
+/*
b63792
+ * N-fold(K) where blocksize is N, and constant_len is K
b63792
+ * Note: Here |= denotes concatenation
b63792
+ *
b63792
+ * L = lcm(N,K)
b63792
+ * R = L/K
b63792
+ *
b63792
+ * for r: 1 -> R
b63792
+ *   s |= constant rot 13*(r-1))
b63792
+ *
b63792
+ * block = 0
b63792
+ * for k: 1 -> K
b63792
+ *   block += s[N(k-1)..(N-1)k] (one's complement addition)
b63792
+ *
b63792
+ * Optimizing for space we compute:
b63792
+ * for each l in L-1 -> 0:
b63792
+ *   s[l] = (constant rot 13*(l/K))[l%k]
b63792
+ *   block[l % N] += s[l] (with carry)
b63792
+ * finally add carry if any
b63792
+ */
b63792
+static void n_fold(unsigned char *block, unsigned int blocksize,
b63792
+                   const unsigned char *constant, size_t constant_len)
b63792
+{
b63792
+    unsigned int tmp, gcd, remainder, lcm, carry;
b63792
+    int b, l;
b63792
+
b63792
+    if (constant_len == blocksize) {
b63792
+        memcpy(block, constant, constant_len);
b63792
+        return;
b63792
+    }
b63792
+
b63792
+    /* Least Common Multiple of lengths: LCM(a,b)*/
b63792
+    gcd = blocksize;
b63792
+    remainder = constant_len;
b63792
+    /* Calculate Great Common Divisor first GCD(a,b) */
b63792
+    while (remainder != 0) {
b63792
+        tmp = gcd % remainder;
b63792
+        gcd = remainder;
b63792
+        remainder = tmp;
b63792
+    }
b63792
+    /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */
b63792
+    lcm = blocksize * constant_len / gcd;
b63792
+
b63792
+    /* now spread out the bits */
b63792
+    memset(block, 0, blocksize);
b63792
+
b63792
+    /* last to first to be able to bring carry forward */
b63792
+    carry = 0;
b63792
+    for (l = lcm - 1; l >= 0; l--) {
b63792
+        unsigned int rotbits, rshift, rbyte;
b63792
+
b63792
+        /* destination byte in block is l % N */
b63792
+        b = l % blocksize;
b63792
+        /* Our virtual s buffer is R = L/K long (K = constant_len) */
b63792
+        /* So we rotate backwards from R-1 to 0 (none) rotations */
b63792
+        rotbits = 13 * (l / constant_len);
b63792
+        /* find the byte on s where rotbits falls onto */
b63792
+        rbyte = l - (rotbits / 8);
b63792
+        /* calculate how much shift on that byte */
b63792
+        rshift = rotbits & 0x07;
b63792
+        /* rbyte % constant_len gives us the unrotated byte in the
b63792
+         * constant buffer, get also the previous byte then
b63792
+         * appropriately shift them to get the rotated byte we need */
b63792
+        tmp = (constant[(rbyte-1) % constant_len] << (8 - rshift)
b63792
+               | constant[rbyte % constant_len] >> rshift)
b63792
+              & 0xff;
b63792
+        /* add with carry to any value placed by previous passes */
b63792
+        tmp += carry + block[b];
b63792
+        block[b] = tmp & 0xff;
b63792
+        /* save any carry that may be left */
b63792
+        carry = tmp >> 8;
b63792
+    }
b63792
+
b63792
+    /* if any carry is left at the end, add it through the number */
b63792
+    for (b = blocksize - 1; b >= 0 && carry != 0; b--) {
b63792
+        carry += block[b];
b63792
+        block[b] = carry & 0xff;
b63792
+        carry >>= 8;
b63792
+    }
b63792
+}
b63792
+
b63792
+static int cipher_init(EVP_CIPHER_CTX *ctx,
b63792
+                       const EVP_CIPHER *cipher,
b63792
+                       const unsigned char *key, size_t key_len)
b63792
+{
b63792
+    int klen, ret;
b63792
+
b63792
+    ret = EVP_EncryptInit_ex(ctx, cipher, NULL, key, NULL);
b63792
+    if (!ret)
b63792
+        goto out;
b63792
+    /* set the key len for the odd variable key len cipher */
b63792
+    klen = EVP_CIPHER_CTX_key_length(ctx);
b63792
+    if (key_len != (size_t)klen) {
b63792
+        ret = EVP_CIPHER_CTX_set_key_length(ctx, key_len);
b63792
+        if (!ret)
b63792
+            goto out;
b63792
+    }
b63792
+    /* we never want padding, either the length requested is a multiple of
b63792
+     * the cipher block size or we are passed a cipher that can cope with
b63792
+     * partial blocks via techniques like cipher text stealing */
b63792
+    ret = EVP_CIPHER_CTX_set_padding(ctx, 0);
b63792
+    if (!ret)
b63792
+        goto out;
b63792
+
b63792
+out:
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static int KRB5KDF(const EVP_CIPHER *cipher,
b63792
+                   const unsigned char *key, size_t key_len,
b63792
+                   const unsigned char *constant, size_t constant_len,
b63792
+                   unsigned char *okey, size_t okey_len)
b63792
+{
b63792
+    EVP_CIPHER_CTX *ctx = NULL;
b63792
+    unsigned char block[EVP_MAX_BLOCK_LENGTH * 2];
b63792
+    unsigned char *plainblock, *cipherblock;
b63792
+    size_t blocksize;
b63792
+    size_t cipherlen;
b63792
+    size_t osize;
b63792
+    int des3_no_fixup = 0;
b63792
+    int ret;
b63792
+
b63792
+    if (key_len != okey_len) {
b63792
+        /* special case for 3des, where the caller may be requesting
b63792
+         * the random raw key, instead of the fixed up key  */
b63792
+        if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc &&
b63792
+            key_len == 24 && okey_len == 21) {
b63792
+                des3_no_fixup = 1;
b63792
+        } else {
b63792
+            KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_OUTPUT_BUFFER_SIZE);
b63792
+            return 0;
b63792
+        }
b63792
+    }
b63792
+
b63792
+    ctx = EVP_CIPHER_CTX_new();
b63792
+    if (ctx == NULL)
b63792
+        return 0;
b63792
+
b63792
+    ret = cipher_init(ctx, cipher, key, key_len);
b63792
+    if (!ret)
b63792
+        goto out;
b63792
+
b63792
+    /* Initialize input block */
b63792
+    blocksize = EVP_CIPHER_CTX_block_size(ctx);
b63792
+
b63792
+    if (constant_len == 0 || constant_len > blocksize) {
b63792
+        KDFerr(KDF_F_KRB5KDF, KDF_R_INVALID_CONSTANT_LENGTH);
b63792
+        ret = 0;
b63792
+        goto out;
b63792
+    }
b63792
+
b63792
+    n_fold(block, blocksize, constant, constant_len);
b63792
+    plainblock = block;
b63792
+    cipherblock = block + EVP_MAX_BLOCK_LENGTH;
b63792
+
b63792
+    for (osize = 0; osize < okey_len; osize += cipherlen) {
b63792
+        int olen;
b63792
+
b63792
+        ret = EVP_EncryptUpdate(ctx, cipherblock, &olen,
b63792
+                                plainblock, blocksize);
b63792
+        if (!ret)
b63792
+            goto out;
b63792
+        cipherlen = olen;
b63792
+        ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen);
b63792
+        if (!ret)
b63792
+            goto out;
b63792
+        if (olen != 0) {
b63792
+            KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_FINAL_BLOCK_LENGTH);
b63792
+            ret = 0;
b63792
+            goto out;
b63792
+        }
b63792
+
b63792
+        /* write cipherblock out */
b63792
+        if (cipherlen > okey_len - osize)
b63792
+            cipherlen = okey_len - osize;
b63792
+        memcpy(okey + osize, cipherblock, cipherlen);
b63792
+
b63792
+        if (okey_len > osize + cipherlen) {
b63792
+            /* we need to reinitialize cipher context per spec */
b63792
+            ret = EVP_CIPHER_CTX_reset(ctx);
b63792
+            if (!ret)
b63792
+                goto out;
b63792
+            ret = cipher_init(ctx, cipher, key, key_len);
b63792
+            if (!ret)
b63792
+                goto out;
b63792
+
b63792
+            /* also swap block offsets so last ciphertext becomes new
b63792
+             * plaintext */
b63792
+            plainblock = cipherblock;
b63792
+            if (cipherblock == block) {
b63792
+                cipherblock += EVP_MAX_BLOCK_LENGTH;
b63792
+            } else {
b63792
+                cipherblock = block;
b63792
+            }
b63792
+        }
b63792
+    }
b63792
+
b63792
+#ifndef OPENSSL_NO_DES
b63792
+    if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) {
b63792
+        ret = fixup_des3_key(okey);
b63792
+        if (!ret) {
b63792
+            KDFerr(KDF_F_KRB5KDF, KDF_R_FAILED_TO_GENERATE_KEY);
b63792
+            goto out;
b63792
+        }
b63792
+    }
b63792
+#endif
b63792
+
b63792
+    ret = 1;
b63792
+
b63792
+out:
b63792
+    EVP_CIPHER_CTX_free(ctx);
b63792
+    OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2);
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+const EVP_KDF_METHOD krb5kdf_kdf_meth = {
b63792
+    EVP_KDF_KRB5KDF,
b63792
+    krb5kdf_new,
b63792
+    krb5kdf_free,
b63792
+    krb5kdf_reset,
b63792
+    krb5kdf_ctrl,
b63792
+    krb5kdf_ctrl_str,
b63792
+    krb5kdf_size,
b63792
+    krb5kdf_derive,
b63792
+};
b63792
+
b63792
diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/sshkdf.c
b63792
--- openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf	2019-11-15 14:53:14.769279878 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/sshkdf.c	2019-11-18 17:18:25.343388314 +0100
b63792
@@ -69,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u
b63792
     p = va_arg(args, const unsigned char *);
b63792
     len = va_arg(args, size_t);
b63792
     OPENSSL_clear_free(*dst, *dst_len);
b63792
+    if (len == 0) {
b63792
+        *dst = NULL;
b63792
+        *dst_len = 0;
b63792
+        return 1;
b63792
+    }
b63792
+
b63792
     *dst = OPENSSL_memdup(p, len);
b63792
     if (*dst == NULL)
b63792
         return 0;
b63792
diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/sskdf.c
b63792
--- openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf	2019-11-14 16:25:09.476914148 +0100
b63792
+++ openssl-1.1.1c/crypto/kdf/sskdf.c	2019-11-18 17:21:40.349952802 +0100
b63792
@@ -0,0 +1,255 @@
b63792
+/*
b63792
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
b63792
+ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
b63792
+ *
b63792
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
b63792
+ * this file except in compliance with the License.  You can obtain a copy
b63792
+ * in the file LICENSE in the source distribution or at
b63792
+ * https://www.openssl.org/source/license.html
b63792
+ */
b63792
+
b63792
+/*
b63792
+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
b63792
+ * Section 4.1.
b63792
+ *
b63792
+ * The Single Step KDF algorithm is given by:
b63792
+ *
b63792
+ * Result(0) = empty bit string (i.e., the null string).
b63792
+ * For i = 1 to reps, do the following:
b63792
+ *   Increment counter by 1.
b63792
+ *   Result(i) = Result(i – 1) || H(counter || Z || FixedInfo).
b63792
+ * DKM = LeftmostBits(Result(reps), L))
b63792
+ *
b63792
+ * NOTES:
b63792
+ *   Z is a shared secret required to produce the derived key material.
b63792
+ *   counter is a 4 byte buffer.
b63792
+ *   FixedInfo is a bit string containing context specific data.
b63792
+ *   DKM is the output derived key material.
b63792
+ *   L is the required size of the DKM.
b63792
+ *   reps = [L / H_outputBits]
b63792
+ *   H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
b63792
+ *   This backported version supports only a hash.
b63792
+ *   H_outputBits is the length of the output of the auxiliary function H(x).
b63792
+ *
b63792
+ * Currently there is not a comprehensive list of test vectors for this
b63792
+ * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
b63792
+ * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
b63792
+ */
b63792
+#include <stdlib.h>
b63792
+#include <stdarg.h>
b63792
+#include <string.h>
b63792
+#include <openssl/hmac.h>
b63792
+#include <openssl/evp.h>
b63792
+#include <openssl/kdf.h>
b63792
+#include "internal/cryptlib.h"
b63792
+#include "internal/evp_int.h"
b63792
+#include "kdf_local.h"
b63792
+
b63792
+struct evp_kdf_impl_st {
b63792
+    const EVP_MD *md;   /* H(x) = hash */
b63792
+    unsigned char *secret;
b63792
+    size_t secret_len;
b63792
+    unsigned char *info;
b63792
+    size_t info_len;
b63792
+};
b63792
+
b63792
+#define SSKDF_MAX_INLEN (1<<30)
b63792
+
b63792
+/*
b63792
+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
b63792
+ * Section 4. One-Step Key Derivation using H(x) = hash(x)
b63792
+ */
b63792
+static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
b63792
+                          const unsigned char *z, size_t z_len,
b63792
+                          const unsigned char *info, size_t info_len,
b63792
+                          unsigned char *derived_key, size_t derived_key_len)
b63792
+{
b63792
+    int ret = 0, hlen;
b63792
+    size_t counter, out_len, len = derived_key_len;
b63792
+    unsigned char c[4];
b63792
+    unsigned char mac[EVP_MAX_MD_SIZE];
b63792
+    unsigned char *out = derived_key;
b63792
+    EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
b63792
+
b63792
+    if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
b63792
+            || derived_key_len > SSKDF_MAX_INLEN
b63792
+            || derived_key_len == 0)
b63792
+        return 0;
b63792
+
b63792
+    hlen = EVP_MD_size(kdf_md);
b63792
+    if (hlen <= 0)
b63792
+        return 0;
b63792
+    out_len = (size_t)hlen;
b63792
+
b63792
+    ctx = EVP_MD_CTX_create();
b63792
+    ctx_init = EVP_MD_CTX_create();
b63792
+    if (ctx == NULL || ctx_init == NULL)
b63792
+        goto end;
b63792
+
b63792
+    if (!EVP_DigestInit(ctx_init, kdf_md))
b63792
+        goto end;
b63792
+
b63792
+    for (counter = 1;; counter++) {
b63792
+        c[0] = (unsigned char)((counter >> 24) & 0xff);
b63792
+        c[1] = (unsigned char)((counter >> 16) & 0xff);
b63792
+        c[2] = (unsigned char)((counter >> 8) & 0xff);
b63792
+        c[3] = (unsigned char)(counter & 0xff);
b63792
+
b63792
+        if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
b63792
+                && EVP_DigestUpdate(ctx, c, sizeof(c))
b63792
+                && EVP_DigestUpdate(ctx, z, z_len)
b63792
+                && EVP_DigestUpdate(ctx, info, info_len)))
b63792
+            goto end;
b63792
+        if (len >= out_len) {
b63792
+            if (!EVP_DigestFinal_ex(ctx, out, NULL))
b63792
+                goto end;
b63792
+            out += out_len;
b63792
+            len -= out_len;
b63792
+            if (len == 0)
b63792
+                break;
b63792
+        } else {
b63792
+            if (!EVP_DigestFinal_ex(ctx, mac, NULL))
b63792
+                goto end;
b63792
+            memcpy(out, mac, len);
b63792
+            break;
b63792
+        }
b63792
+    }
b63792
+    ret = 1;
b63792
+end:
b63792
+    EVP_MD_CTX_destroy(ctx);
b63792
+    EVP_MD_CTX_destroy(ctx_init);
b63792
+    OPENSSL_cleanse(mac, sizeof(mac));
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static EVP_KDF_IMPL *sskdf_new(void)
b63792
+{
b63792
+    EVP_KDF_IMPL *impl;
b63792
+
b63792
+    if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
b63792
+        KDFerr(KDF_F_SSKDF_NEW, ERR_R_MALLOC_FAILURE);
b63792
+    return impl;
b63792
+}
b63792
+
b63792
+static void sskdf_reset(EVP_KDF_IMPL *impl)
b63792
+{
b63792
+    OPENSSL_clear_free(impl->secret, impl->secret_len);
b63792
+    OPENSSL_clear_free(impl->info, impl->info_len);
b63792
+    memset(impl, 0, sizeof(*impl));
b63792
+}
b63792
+
b63792
+static void sskdf_free(EVP_KDF_IMPL *impl)
b63792
+{
b63792
+    sskdf_reset(impl);
b63792
+    OPENSSL_free(impl);
b63792
+}
b63792
+
b63792
+static int sskdf_set_buffer(va_list args, unsigned char **out, size_t *out_len)
b63792
+{
b63792
+    const unsigned char *p;
b63792
+    size_t len;
b63792
+
b63792
+    p = va_arg(args, const unsigned char *);
b63792
+    len = va_arg(args, size_t);
b63792
+    OPENSSL_clear_free(*out, *out_len);
b63792
+    if (len == 0) {
b63792
+        *out = NULL;
b63792
+        *out_len = 0;
b63792
+        return 1;
b63792
+    }
b63792
+
b63792
+    *out = OPENSSL_memdup(p, len);
b63792
+    if (*out == NULL)
b63792
+        return 0;
b63792
+
b63792
+    *out_len = len;
b63792
+    return 1;
b63792
+}
b63792
+
b63792
+static int sskdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
b63792
+{
b63792
+    const EVP_MD *md;
b63792
+
b63792
+    switch (cmd) {
b63792
+    case EVP_KDF_CTRL_SET_KEY:
b63792
+        return sskdf_set_buffer(args, &impl->secret, &impl->secret_len);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_SSKDF_INFO:
b63792
+        return sskdf_set_buffer(args, &impl->info, &impl->info_len);
b63792
+
b63792
+    case EVP_KDF_CTRL_SET_MD:
b63792
+        md = va_arg(args, const EVP_MD *);
b63792
+        if (md == NULL)
b63792
+            return 0;
b63792
+
b63792
+        impl->md = md;
b63792
+        return 1;
b63792
+
b63792
+    default:
b63792
+        return -2;
b63792
+    }
b63792
+}
b63792
+
b63792
+static int sskdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
b63792
+                          const char *value)
b63792
+{
b63792
+    if (strcmp(type, "secret") == 0 || strcmp(type, "key") == 0)
b63792
+         return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY,
b63792
+                             value);
b63792
+
b63792
+    if (strcmp(type, "hexsecret") == 0 || strcmp(type, "hexkey") == 0)
b63792
+        return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY,
b63792
+                            value);
b63792
+
b63792
+    if (strcmp(type, "info") == 0)
b63792
+        return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO,
b63792
+                            value);
b63792
+
b63792
+    if (strcmp(type, "hexinfo") == 0)
b63792
+        return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO,
b63792
+                            value);
b63792
+
b63792
+    if (strcmp(type, "digest") == 0)
b63792
+        return kdf_md2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
b63792
+
b63792
+    return -2;
b63792
+}
b63792
+
b63792
+static size_t sskdf_size(EVP_KDF_IMPL *impl)
b63792
+{
b63792
+    int len;
b63792
+
b63792
+    if (impl->md == NULL) {
b63792
+        KDFerr(KDF_F_SSKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
b63792
+        return 0;
b63792
+    }
b63792
+    len = EVP_MD_size(impl->md);
b63792
+    return (len <= 0) ? 0 : (size_t)len;
b63792
+}
b63792
+
b63792
+static int sskdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen)
b63792
+{
b63792
+    if (impl->secret == NULL) {
b63792
+        KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_SECRET);
b63792
+        return 0;
b63792
+    }
b63792
+
b63792
+    /* H(x) = hash */
b63792
+    if (impl->md == NULL) {
b63792
+        KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
b63792
+        return 0;
b63792
+    }
b63792
+    return SSKDF_hash_kdm(impl->md, impl->secret, impl->secret_len,
b63792
+                          impl->info, impl->info_len, key, keylen);
b63792
+}
b63792
+
b63792
+const EVP_KDF_METHOD ss_kdf_meth = {
b63792
+    EVP_KDF_SS,
b63792
+    sskdf_new,
b63792
+    sskdf_free,
b63792
+    sskdf_reset,
b63792
+    sskdf_ctrl,
b63792
+    sskdf_ctrl_str,
b63792
+    sskdf_size,
b63792
+    sskdf_derive
b63792
+};
b63792
diff -up openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1c/crypto/objects/obj_dat.h
b63792
--- openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf	2019-11-14 16:25:09.447914673 +0100
b63792
+++ openssl-1.1.1c/crypto/objects/obj_dat.h	2019-11-14 16:25:09.477914130 +0100
b63792
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
b63792
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D,       /* [ 7753] OBJ_hmacWithSHA512_256 */
b63792
 };
b63792
 
b63792
-#define NUM_NID 1196
b63792
+#define NUM_NID 1199
b63792
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
b63792
     {"UNDEF", "undefined", NID_undef},
b63792
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
b63792
@@ -2276,9 +2276,12 @@ static const ASN1_OBJECT nid_objs[NUM_NI
b63792
     {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
b63792
     {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
b63792
     {"SSHKDF", "sshkdf", NID_sshkdf},
b63792
+    {"KBKDF", "kbkdf", NID_kbkdf},
b63792
+    {"KRB5KDF", "krb5kdf", NID_krb5kdf},
b63792
+    {"SSKDF", "sskdf", NID_sskdf},
b63792
 };
b63792
 
b63792
-#define NUM_SN 1187
b63792
+#define NUM_SN 1190
b63792
 static const unsigned int sn_objs[NUM_SN] = {
b63792
      364,    /* "AD_DVCS" */
b63792
      419,    /* "AES-128-CBC" */
b63792
@@ -2442,7 +2445,9 @@ static const unsigned int sn_objs[NUM_SN
b63792
      183,    /* "ISO-US" */
b63792
      645,    /* "ITU-T" */
b63792
      646,    /* "JOINT-ISO-ITU-T" */
b63792
+    1196,    /* "KBKDF" */
b63792
      773,    /* "KISA" */
b63792
+    1197,    /* "KRB5KDF" */
b63792
     1063,    /* "KxANY" */
b63792
     1039,    /* "KxDHE" */
b63792
     1041,    /* "KxDHE-PSK" */
b63792
@@ -2557,6 +2562,7 @@ static const unsigned int sn_objs[NUM_SN
b63792
      100,    /* "SN" */
b63792
     1006,    /* "SNILS" */
b63792
     1195,    /* "SSHKDF" */
b63792
+    1198,    /* "SSKDF" */
b63792
       16,    /* "ST" */
b63792
      143,    /* "SXNetID" */
b63792
     1062,    /* "SipHash" */
b63792
@@ -3469,7 +3475,7 @@ static const unsigned int sn_objs[NUM_SN
b63792
     1093,    /* "x509ExtAdmission" */
b63792
 };
b63792
 
b63792
-#define NUM_LN 1187
b63792
+#define NUM_LN 1190
b63792
 static const unsigned int ln_objs[NUM_LN] = {
b63792
      363,    /* "AD Time Stamping" */
b63792
      405,    /* "ANSI X9.62" */
b63792
@@ -4262,8 +4268,10 @@ static const unsigned int ln_objs[NUM_LN
b63792
      957,    /* "jurisdictionCountryName" */
b63792
      955,    /* "jurisdictionLocalityName" */
b63792
      956,    /* "jurisdictionStateOrProvinceName" */
b63792
+    1196,    /* "kbkdf" */
b63792
      150,    /* "keyBag" */
b63792
      773,    /* "kisa" */
b63792
+    1197,    /* "krb5kdf" */
b63792
     1063,    /* "kx-any" */
b63792
     1039,    /* "kx-dhe" */
b63792
     1041,    /* "kx-dhe-psk" */
b63792
@@ -4612,6 +4620,7 @@ static const unsigned int ln_objs[NUM_LN
b63792
     1133,    /* "sm4-ecb" */
b63792
     1135,    /* "sm4-ofb" */
b63792
     1195,    /* "sshkdf" */
b63792
+    1198,    /* "sskdf" */
b63792
       16,    /* "stateOrProvinceName" */
b63792
      660,    /* "streetAddress" */
b63792
      498,    /* "subtreeMaximumQuality" */
b63792
diff -up openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1c/crypto/objects/objects.txt
b63792
--- openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf	2019-11-14 16:25:09.447914673 +0100
b63792
+++ openssl-1.1.1c/crypto/objects/objects.txt	2019-11-14 16:25:09.477914130 +0100
b63792
@@ -1603,6 +1603,15 @@ secg-scheme 14 3 : dhSinglePass-cofactor
b63792
 # NID for SSHKDF
b63792
                             : SSHKDF            : sshkdf
b63792
 
b63792
+# NID for KBKDF
b63792
+                            : KBKDF             : kbkdf
b63792
+
b63792
+# NID for KRB5KDF
b63792
+                            : KRB5KDF           : krb5kdf
b63792
+
b63792
+# NID for SSKDF
b63792
+                            : SSKDF              : sskdf
b63792
+
b63792
 # RFC 4556
b63792
 1 3 6 1 5 2 3 : id-pkinit
b63792
 id-pkinit 4                     : pkInitClientAuth      : PKINIT Client Auth
b63792
diff -up openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1c/crypto/objects/obj_mac.num
b63792
--- openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf	2019-11-14 16:25:09.447914673 +0100
b63792
+++ openssl-1.1.1c/crypto/objects/obj_mac.num	2019-11-14 16:25:09.477914130 +0100
b63792
@@ -1193,3 +1193,6 @@ magma_mac		1192
b63792
 hmacWithSHA512_224		1193
b63792
 hmacWithSHA512_256		1194
b63792
 sshkdf		1195
b63792
+kbkdf		1196
b63792
+krb5kdf		1197
b63792
+sskdf		1198
b63792
diff -up openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod
b63792
--- openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf	2019-11-14 16:25:09.439914818 +0100
b63792
+++ openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod	2019-11-14 16:25:09.477914130 +0100
b63792
@@ -140,7 +140,14 @@ The value string is expected to be a dec
b63792
 This control expects one argument: C<EVP_MD *md>
b63792
 
b63792
 For MAC implementations that use a message digest as an underlying computation
b63792
-algorithm, this control set what the digest algorithm should be.
b63792
+algorithm, this control sets what the digest algorithm should be.
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_CIPHER>
b63792
+
b63792
+This control expects one argument: C<EVP_CIPHER *cipher>
b63792
+
b63792
+For MAC implementations that use a cipher as an underlying computation
b63792
+algorithm, this control sets what the cipher algorithm should be.
b63792
 
b63792
 EVP_KDF_ctrl_str() type string: "md"
b63792
 
b63792
diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod
b63792
--- openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf	2019-11-14 16:25:09.478914112 +0100
b63792
+++ openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod	2019-11-14 16:25:09.478914112 +0100
b63792
@@ -0,0 +1,173 @@
b63792
+=pod
b63792
+
b63792
+=head1 NAME
b63792
+
b63792
+EVP_KDF_KB - The Key-Based EVP_KDF implementation
b63792
+
b63792
+=head1 DESCRIPTION
b63792
+
b63792
+The EVP_KDF_KB algorithm implements the Key-Based key derivation function
b63792
+(KBKDF).  KBKDF derives a key from repeated application of a keyed MAC to an
b63792
+input secret (and other optional values).
b63792
+
b63792
+=head2 Numeric identity
b63792
+
b63792
+B<EVP_KDF_KB> is the numeric identity for this implementation; it can be used with the
b63792
+EVP_KDF_CTX_new_id() function.
b63792
+
b63792
+=head2 Supported controls
b63792
+
b63792
+The supported controls are:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KB_MODE>
b63792
+
b63792
+This control expects one argument: C<int mode>
b63792
+
b63792
+Sets the mode for the KBKDF operation. There are two supported modes:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item B<EVP_KDF_KB_MODE_COUNTER>
b63792
+
b63792
+The counter mode of KBKDF should be used. This is the default.
b63792
+
b63792
+=item B<EVP_KDF_KB_MODE_FEEDBACK>
b63792
+
b63792
+The feedback mode of KBKDF should be used.
b63792
+
b63792
+=back
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KB_MAC_TYPE>
b63792
+
b63792
+This control expects one argument: C<int mac_type>
b63792
+
b63792
+Sets the mac type for the KBKDF operation. There are two supported mac types:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item B<EVP_KDF_KB_MAC_TYPE_HMAC>
b63792
+
b63792
+The HMAC with the digest set by B<EVP_KDF_CTRL_SET_MD> should be used as the mac.
b63792
+
b63792
+=item B<EVP_KDF_KB_MAC_TYPE_CMAC>
b63792
+
b63792
+The CMAC with the cipher set by B<EVP_KDF_CTRL_SET_CIPHER> should be used as the mac.
b63792
+
b63792
+=back
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_MD>
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_CIPHER>
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KEY>
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_SALT>
b63792
+
b63792
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KB_INFO>
b63792
+
b63792
+This control expects two arguments: C<unsigned char *info>, C<size_t infolen>
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KB_SEED>
b63792
+
b63792
+This control expects two arguments: C<unsigned char *seed>, C<size_t seedlen>
b63792
+
b63792
+It is used only in the feedback mode and the length must be the same
b63792
+as the block length of the cipher in CMAC or the size of the digest in HMAC.
b63792
+
b63792
+=back
b63792
+
b63792
+The controls B<EVP_KDF_CTRL_SET_KEY>, B<EVP_KDF_CTRL_SET_SALT>,
b63792
+B<EVP_KDF_CTRL_SET_KB_INFO>, and B<EVP_KDF_CTRL_SET_KB_SEED> 
b63792
+correspond to KI, Label, Context, and IV (respectively) in SP800-108.
b63792
+As in that document, salt, info, and seed are optional and may be
b63792
+omitted.
b63792
+
b63792
+Depending on whether mac is CMAC or HMAC, either digest or cipher is
b63792
+required (respectively) and the other is unused.
b63792
+
b63792
+=head1 NOTES
b63792
+
b63792
+A context for KBKDF can be obtained by calling:
b63792
+
b63792
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
b63792
+
b63792
+The output length of an KBKDF is specified via the C<keylen>
b63792
+parameter to the L<EVP_KDF_derive(3)> function.
b63792
+
b63792
+Note that currently OpenSSL only implements counter and feedback modes.  Other
b63792
+variants may be supported in the future.
b63792
+
b63792
+=head1 EXAMPLES
b63792
+
b63792
+This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret",
b63792
+Label "label", and Context "context".
b63792
+
b63792
+ EVP_KDF_CTX *kctx;
b63792
+ unsigned char out[10];
b63792
+
b63792
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
b63792
+
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256());
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC);
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret"));
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label"));
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context"));
b63792
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
b63792
+     error("EVP_KDF_derive");
b63792
+
b63792
+ EVP_KDF_CTX_free(kctx);
b63792
+
b63792
+This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret",
b63792
+Label "label", Context "context", and IV "sixteen bytes iv".
b63792
+
b63792
+ EVP_KDF_CTX *kctx;
b63792
+ unsigned char out[10];
b63792
+ unsigned char *iv = "sixteen bytes iv";
b63792
+
b63792
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB);
b63792
+
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_cbc());
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC);
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK);
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret"));
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label"));
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context"));
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, strlen(iv));
b63792
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
b63792
+     error("EVP_KDF_derive");
b63792
+
b63792
+ EVP_KDF_CTX_free(kctx);
b63792
+
b63792
+=head1 CONFORMING TO
b63792
+
b63792
+NIST SP800-108, IETF RFC 6803, IETF RFC 8009.
b63792
+
b63792
+=head1 SEE ALSO
b63792
+
b63792
+L<EVP_KDF_CTX(3)>,
b63792
+L<EVP_KDF_CTX_new_id(3)>,
b63792
+L<EVP_KDF_CTX_free(3)>,
b63792
+L<EVP_KDF_ctrl(3)>,
b63792
+L<EVP_KDF_size(3)>,
b63792
+L<EVP_KDF_derive(3)>,
b63792
+L<EVP_KDF_CTX(3)/CONTROLS>
b63792
+
b63792
+=head1 HISTORY
b63792
+
b63792
+This functionality was added to OpenSSL 3.0.
b63792
+
b63792
+=head1 COPYRIGHT
b63792
+
b63792
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
b63792
+Copyright 2019 Red Hat, Inc.
b63792
+
b63792
+Licensed under the Apache License 2.0 (the "License").  You may not use
b63792
+this file except in compliance with the License.  You can obtain a copy
b63792
+in the file LICENSE in the source distribution or at
b63792
+L<https://www.openssl.org/source/license.html>.
b63792
+
b63792
+=cut
b63792
diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod
b63792
--- openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf	2019-11-14 16:25:09.478914112 +0100
b63792
+++ openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod	2019-11-14 16:25:09.478914112 +0100
b63792
@@ -0,0 +1,107 @@
b63792
+=pod
b63792
+
b63792
+=head1 NAME
b63792
+
b63792
+EVP_KDF_KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation
b63792
+
b63792
+=head1 DESCRIPTION
b63792
+
b63792
+Support for computing the B<KRB5KDF> KDF through the B<EVP_KDF> API.
b63792
+
b63792
+The B<EVP_KDF_KRB5KDF> algorithm implements the key derivation function defined
b63792
+in RFC 3961, section 5.1 and is used by Krb5 to derive session keys.
b63792
+Three inputs are required to perform key derivation: a cipher, (for example
b63792
+AES-128-CBC), the initial key, and a constant.
b63792
+
b63792
+=head2 Numeric identity
b63792
+
b63792
+B<EVP_KDF_KRB5KDF> is the numeric identity for this implementation; it can be used with the
b63792
+EVP_KDF_CTX_new_id() function.
b63792
+
b63792
+=head2 Supported controls
b63792
+
b63792
+The supported controls are:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_CIPHER>
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KEY>
b63792
+
b63792
+These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT>
b63792
+
b63792
+This control expects two arguments: C<unsigned char *constant>, C<size_t constantlen>
b63792
+
b63792
+This control sets the I<constant> value for the KDF.
b63792
+If a value is already set, the contents are replaced.
b63792
+
b63792
+=back
b63792
+
b63792
+
b63792
+=head1 NOTES
b63792
+
b63792
+A context for KRB5KDF can be obtained by calling:
b63792
+
b63792
+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF);
b63792
+
b63792
+The output length of the KRB5KDF derivation is specified via the I<keylen>
b63792
+parameter to the L<EVP_KDF_derive(3)> function, and MUST match the key
b63792
+length for the chosen cipher or an error is returned. Moreover the
b63792
+I<constant>'s length must not exceed the block size of the cipher.
b63792
+Since the KRB5KDF output length depends on the chosen cipher, calling
b63792
+L<EVP_KDF_size()> to obtain the requisite length returns the correct length
b63792
+only after the cipher is set. Prior to that B<EVP_MAX_KEY_LENGTH> is returned.
b63792
+The caller must allocate a buffer of the correct length for the chosen
b63792
+cipher, and pass that buffer to the L<EVP_KDF_derive(3)> function along
b63792
+with that length.
b63792
+
b63792
+=head1 EXAMPLES
b63792
+
b63792
+This example derives a key using the AES-128-CBC cipher:
b63792
+
b63792
+ EVP_KDF_CTX *kctx;
b63792
+ unsigned char key[16] = "01234...";
b63792
+ unsigned char constant[] = "I'm a constant";
b63792
+ unsigned char out[16];
b63792
+ size_t outlen = sizeof(out);
b63792
+
b63792
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF);
b63792
+
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc());
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, (size_t)16);
b63792
+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, strlen(constant));
b63792
+ if (EVP_KDF_derive(kctx, out, outlen) <= 0)
b63792
+     /* Error */
b63792
+ EVP_KDF_CTX_free(kctx);
b63792
+
b63792
+=head1 CONFORMING TO
b63792
+
b63792
+RFC 3961
b63792
+
b63792
+=head1 SEE ALSO
b63792
+
b63792
+L<EVP_KDF_CTX(3)>,
b63792
+L<EVP_KDF_CTX_new_id(3)>,
b63792
+L<EVP_KDF_CTX_free(3)>,
b63792
+L<EVP_KDF_ctrl(3)>,
b63792
+L<EVP_KDF_size(3)>,
b63792
+L<EVP_KDF_derive(3)>,
b63792
+L<EVP_KDF_CTX(3)/CONTROLS>
b63792
+
b63792
+=head1 HISTORY
b63792
+
b63792
+This functionality was added to OpenSSL 3.0.
b63792
+
b63792
+=head1 COPYRIGHT
b63792
+
b63792
+Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
b63792
+
b63792
+Licensed under the OpenSSL license (the "License").  You may not use
b63792
+this file except in compliance with the License.  You can obtain a copy
b63792
+in the file LICENSE in the source distribution or at
b63792
+L<https://www.openssl.org/source/license.html>.
b63792
+
b63792
+=cut
b63792
+
b63792
diff -up openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod
b63792
--- openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf	2019-11-14 16:25:09.478914112 +0100
b63792
+++ openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod	2019-11-14 16:25:09.478914112 +0100
b63792
@@ -0,0 +1,146 @@
b63792
+=pod
b63792
+
b63792
+=head1 NAME
b63792
+
b63792
+EVP_KDF_SS - The Single Step / One Step EVP_KDF implementation
b63792
+
b63792
+=head1 DESCRIPTION
b63792
+
b63792
+The EVP_KDF_SS algorithm implements the Single Step key derivation function (SSKDF).
b63792
+SSKDF derives a key using input such as a shared secret key (that was generated
b63792
+during the execution of a key establishment scheme) and fixedinfo.
b63792
+SSKDF is also informally referred to as 'Concat KDF'.
b63792
+
b63792
+=head2 Auxilary function
b63792
+
b63792
+The implementation uses a selectable auxiliary function H, which can be in the
b63792
+backported version only a:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item B<H(x) = hash(x, digest=md)>
b63792
+
b63792
+=back
b63792
+
b63792
+=head2 Numeric identity
b63792
+
b63792
+B<EVP_KDF_SS> is the numeric identity for this implementation; it
b63792
+can be used with the EVP_KDF_CTX_new_id() function.
b63792
+
b63792
+=head2 Supported controls
b63792
+
b63792
+The supported controls are:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_MD>
b63792
+
b63792
+This control works as described in L<EVP_KDF_CTX(3)/CONTROLS>.
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_KEY>
b63792
+
b63792
+This control expects two arguments: C<unsigned char *secret>, C<size_t secretlen>
b63792
+
b63792
+The shared secret used for key derivation.  This control sets the secret.
b63792
+
b63792
+EVP_KDF_ctrl_str() takes two type strings for this control:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item "secret"
b63792
+
b63792
+The value string is used as is.
b63792
+
b63792
+=item "hexsecret"
b63792
+
b63792
+The value string is expected to be a hexadecimal number, which will be
b63792
+decoded before being passed on as the control value.
b63792
+
b63792
+=back
b63792
+
b63792
+=item B<EVP_KDF_CTRL_SET_SSKDF_INFO>
b63792
+
b63792
+This control expects two arguments: C<unsigned char *info>, C<size_t infolen>
b63792
+
b63792
+An optional value for fixedinfo, also known as otherinfo. This control sets the fixedinfo.
b63792
+
b63792
+EVP_KDF_ctrl_str() takes two type strings for this control:
b63792
+
b63792
+=over 4
b63792
+
b63792
+=item "info"
b63792
+
b63792
+The value string is used as is.
b63792
+
b63792
+=item "hexinfo"
b63792
+
b63792
+The value string is expected to be a hexadecimal number, which will be
b63792
+decoded before being passed on as the control value.
b63792
+
b63792
+=back
b63792
+
b63792
+=back
b63792
+
b63792
+=head1 NOTES
b63792
+
b63792
+A context for SSKDF can be obtained by calling:
b63792
+
b63792
+EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
b63792
+
b63792
+The output length of an SSKDF is specified via the C<keylen>
b63792
+parameter to the L<EVP_KDF_derive(3)> function.
b63792
+
b63792
+=head1 EXAMPLE
b63792
+
b63792
+This example derives 10 bytes using H(x) = SHA-256, with the secret key "secret"
b63792
+and fixedinfo value "label":
b63792
+
b63792
+  EVP_KDF_CTX *kctx;
b63792
+  unsigned char out[10];
b63792
+
b63792
+  kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
b63792
+
b63792
+  if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
b63792
+      error("EVP_KDF_CTRL_SET_MD");
b63792
+  }
b63792
+  if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
b63792
+      error("EVP_KDF_CTRL_SET_KEY");
b63792
+  }
b63792
+  if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, "label", (size_t)5) <= 0) {
b63792
+      error("EVP_KDF_CTRL_SET_SSKDF_INFO");
b63792
+  }
b63792
+  if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
b63792
+      error("EVP_KDF_derive");
b63792
+  }
b63792
+
b63792
+  EVP_KDF_CTX_free(kctx);
b63792
+
b63792
+=head1 CONFORMING TO
b63792
+
b63792
+NIST SP800-56Cr1.
b63792
+
b63792
+=head1 SEE ALSO
b63792
+
b63792
+L<EVP_KDF_CTX>,
b63792
+L<EVP_KDF_CTX_new_id(3)>,
b63792
+L<EVP_KDF_CTX_free(3)>,
b63792
+L<EVP_KDF_ctrl(3)>,
b63792
+L<EVP_KDF_size(3)>,
b63792
+L<EVP_KDF_derive(3)>,
b63792
+L<EVP_KDF_CTX(3)/CONTROLS>
b63792
+
b63792
+=head1 HISTORY
b63792
+
b63792
+This functionality was added to OpenSSL 3.0.0.
b63792
+
b63792
+=head1 COPYRIGHT
b63792
+
b63792
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.  Copyright
b63792
+(c) 2019, Oracle and/or its affiliates.  All rights reserved.
b63792
+
b63792
+Licensed under the Apache License 2.0 (the "License").  You may not use
b63792
+this file except in compliance with the License.  You can obtain a copy
b63792
+in the file LICENSE in the source distribution or at
b63792
+L<https://www.openssl.org/source/license.html>.
b63792
+
b63792
+=cut
b63792
diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include/openssl/kdferr.h
b63792
--- openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf	2019-11-14 16:25:09.448914655 +0100
b63792
+++ openssl-1.1.1c/include/openssl/kdferr.h	2019-11-14 16:25:09.478914112 +0100
b63792
@@ -20,6 +20,11 @@ int ERR_load_KDF_strings(void);
b63792
  * KDF function codes.
b63792
  */
b63792
 # define KDF_F_HKDF_EXTRACT                               112
b63792
+# define KDF_F_KBKDF_CTRL                                 134
b63792
+# define KDF_F_KBKDF_CTRL_STR                             135
b63792
+# define KDF_F_KBKDF_DERIVE                               136
b63792
+# define KDF_F_KBKDF_NEW                                  137
b63792
+# define KDF_F_KDF_CIPHER2CTRL                            138
b63792
 # define KDF_F_KDF_HKDF_DERIVE                            113
b63792
 # define KDF_F_KDF_HKDF_NEW                               114
b63792
 # define KDF_F_KDF_HKDF_SIZE                              115
b63792
@@ -39,6 +44,8 @@ int ERR_load_KDF_strings(void);
b63792
 # define KDF_F_KDF_TLS1_PRF_CTRL_STR                      125
b63792
 # define KDF_F_KDF_TLS1_PRF_DERIVE                        126
b63792
 # define KDF_F_KDF_TLS1_PRF_NEW                           127
b63792
+# define KDF_F_KRB5KDF                                    139
b63792
+# define KDF_F_KRB5KDF_DERIVE                             140
b63792
 # define KDF_F_PBKDF2_SET_MEMBUF                          128
b63792
 # define KDF_F_PKEY_HKDF_CTRL_STR                         103
b63792
 # define KDF_F_PKEY_HKDF_DERIVE                           102
b63792
@@ -52,12 +59,21 @@ int ERR_load_KDF_strings(void);
b63792
 # define KDF_F_PKEY_TLS1_PRF_DERIVE                       101
b63792
 # define KDF_F_PKEY_TLS1_PRF_INIT                         110
b63792
 # define KDF_F_SCRYPT_SET_MEMBUF                          129
b63792
+# define KDF_F_SSKDF_DERIVE                               141
b63792
+# define KDF_F_SSKDF_NEW                                  142
b63792
+# define KDF_F_SSKDF_SIZE                                 143
b63792
 # define KDF_F_TLS1_PRF_ALG                               111
b63792
 
b63792
 /*
b63792
  * KDF reason codes.
b63792
  */
b63792
+# define KDF_R_FAILED_TO_GENERATE_KEY                     118
b63792
+# define KDF_R_INVALID_CIPHER                             116
b63792
+# define KDF_R_INVALID_CONSTANT_LENGTH                    119
b63792
 # define KDF_R_INVALID_DIGEST                             100
b63792
+# define KDF_R_INVALID_SEED_LENGTH                        117
b63792
+# define KDF_R_MISSING_CIPHER                             120
b63792
+# define KDF_R_MISSING_CONSTANT                           121
b63792
 # define KDF_R_MISSING_ITERATION_COUNT                    109
b63792
 # define KDF_R_MISSING_KEY                                104
b63792
 # define KDF_R_MISSING_MESSAGE_DIGEST                     105
b63792
@@ -72,6 +88,7 @@ int ERR_load_KDF_strings(void);
b63792
 # define KDF_R_UNKNOWN_PARAMETER_TYPE                     103
b63792
 # define KDF_R_VALUE_ERROR                                108
b63792
 # define KDF_R_VALUE_MISSING                              102
b63792
+# define KDF_R_WRONG_FINAL_BLOCK_LENGTH                   122
b63792
 # define KDF_R_WRONG_OUTPUT_BUFFER_SIZE                   112
b63792
 
b63792
 #endif
b63792
diff -up openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf openssl-1.1.1c/include/openssl/kdf.h
b63792
--- openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf	2019-11-14 16:25:09.448914655 +0100
b63792
+++ openssl-1.1.1c/include/openssl/kdf.h	2019-11-14 16:25:09.478914112 +0100
b63792
@@ -21,6 +21,9 @@ extern "C" {
b63792
 # define EVP_KDF_TLS1_PRF   NID_tls1_prf
b63792
 # define EVP_KDF_HKDF       NID_hkdf
b63792
 # define EVP_KDF_SSHKDF     NID_sshkdf
b63792
+# define EVP_KDF_KB         NID_kbkdf
b63792
+# define EVP_KDF_KRB5KDF    NID_krb5kdf
b63792
+# define EVP_KDF_SS         NID_sskdf
b63792
 
b63792
 EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
b63792
 void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
b63792
@@ -51,6 +54,13 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns
b63792
 # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH    0x10 /* unsigned char *, size_t */
b63792
 # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */
b63792
 # define EVP_KDF_CTRL_SET_SSHKDF_TYPE       0x12 /* int */
b63792
+# define EVP_KDF_CTRL_SET_KB_MODE       0x13 /* int */
b63792
+# define EVP_KDF_CTRL_SET_KB_MAC_TYPE   0x14 /* int */
b63792
+# define EVP_KDF_CTRL_SET_CIPHER        0x15 /* EVP_CIPHER * */
b63792
+# define EVP_KDF_CTRL_SET_KB_INFO       0x16 /* unsigned char *, size_t */
b63792
+# define EVP_KDF_CTRL_SET_KB_SEED       0x17 /* unsigned char *, size_t */
b63792
+# define EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT  0x18 /* unsigned char *, size_t */
b63792
+# define EVP_KDF_CTRL_SET_SSKDF_INFO    0x19 /* unsigned char *, size_t */
b63792
 
b63792
 # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND  0
b63792
 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
b63792
@@ -63,6 +73,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns
b63792
 #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69
b63792
 #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70
b63792
 
b63792
+#define EVP_KDF_KB_MODE_COUNTER     0
b63792
+#define EVP_KDF_KB_MODE_FEEDBACK    1
b63792
+
b63792
+#define EVP_KDF_KB_MAC_TYPE_HMAC    0
b63792
+#define EVP_KDF_KB_MAC_TYPE_CMAC    1
b63792
+
b63792
 /**** The legacy PKEY-based KDF API follows. ****/
b63792
 
b63792
 # define EVP_PKEY_CTRL_TLS_MD                   (EVP_PKEY_ALG_CTRL)
b63792
diff -up openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1c/include/openssl/obj_mac.h
b63792
--- openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf	2019-11-14 16:25:09.449914637 +0100
b63792
+++ openssl-1.1.1c/include/openssl/obj_mac.h	2019-11-14 16:25:09.479914093 +0100
b63792
@@ -4974,6 +4974,18 @@
b63792
 #define LN_sshkdf               "sshkdf"
b63792
 #define NID_sshkdf              1203
b63792
 
b63792
+#define SN_kbkdf               "KBKDF"
b63792
+#define LN_kbkdf               "kbkdf"
b63792
+#define NID_kbkdf              1204
b63792
+
b63792
+#define SN_krb5kdf             "KRB5KDF"
b63792
+#define LN_krb5kdf             "krb5kdf"
b63792
+#define NID_krb5kdf            1205
b63792
+
b63792
+#define SN_sskdf                "SSKDF"
b63792
+#define LN_sskdf                "sskdf"
b63792
+#define NID_sskdf               1206
b63792
+
b63792
 #define SN_id_pkinit            "id-pkinit"
b63792
 #define NID_id_pkinit           1031
b63792
 #define OBJ_id_pkinit           1L,3L,6L,1L,5L,2L,3L
b63792
diff -up openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1c/test/evp_kdf_test.c
b63792
--- openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf	2019-11-14 16:25:09.441914782 +0100
b63792
+++ openssl-1.1.1c/test/evp_kdf_test.c	2019-11-14 16:25:09.479914093 +0100
b63792
@@ -225,13 +225,358 @@ err:
b63792
 }
b63792
 #endif
b63792
 
b63792
+/*
b63792
+ * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
b63792
+ * section 10.
b63792
+ */
b63792
+static int test_kdf_kbkdf_6803_128(void)
b63792
+{
b63792
+    int ret = 0, i;
b63792
+    EVP_KDF_CTX *kctx;
b63792
+    static unsigned char input_key[] = {
b63792
+        0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
b63792
+        0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
b63792
+    };
b63792
+    static unsigned char constants[][5] = {
b63792
+        { 0x00, 0x00, 0x00, 0x02, 0x99 },
b63792
+        { 0x00, 0x00, 0x00, 0x02, 0xaa },
b63792
+        { 0x00, 0x00, 0x00, 0x02, 0x55 },
b63792
+    };
b63792
+    static unsigned char outputs[][16] = {
b63792
+        {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
b63792
+         0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
b63792
+        {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
b63792
+         0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
b63792
+        {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
b63792
+         0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
b63792
+    };
b63792
+    static unsigned char iv[16] = { 0 };
b63792
+    unsigned char result[16] = { 0 };
b63792
+
b63792
+    for (i = 0; i < 3; i++) {
b63792
+        ret = 0;
b63792
+        if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
b63792
+            TEST_error("EVP_KDF_KB");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KB_MODE");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_128_cbc()) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_CIPHER");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KEY");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_SALT");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KB_SEED");
b63792
+            goto err;
b63792
+        }
b63792
+        ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
b63792
+            && TEST_mem_eq(result, sizeof(result), outputs[i],
b63792
+                           sizeof(outputs[i]));
b63792
+err:
b63792
+        EVP_KDF_CTX_free(kctx);
b63792
+        if (ret != 1)
b63792
+            return ret;
b63792
+    }
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static int test_kdf_kbkdf_6803_256(void)
b63792
+{
b63792
+    int ret = 0, i;
b63792
+    EVP_KDF_CTX *kctx;
b63792
+    static unsigned char input_key[] = {
b63792
+        0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
b63792
+        0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
b63792
+        0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
b63792
+        0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
b63792
+    };
b63792
+    static unsigned char constants[][5] = {
b63792
+        { 0x00, 0x00, 0x00, 0x02, 0x99 },
b63792
+        { 0x00, 0x00, 0x00, 0x02, 0xaa },
b63792
+        { 0x00, 0x00, 0x00, 0x02, 0x55 },
b63792
+    };
b63792
+    static unsigned char outputs[][32] = {
b63792
+        {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
b63792
+         0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
b63792
+         0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
b63792
+         0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
b63792
+        },
b63792
+        {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
b63792
+         0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
b63792
+         0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
b63792
+         0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
b63792
+        },
b63792
+        {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
b63792
+         0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
b63792
+         0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
b63792
+         0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
b63792
+        },
b63792
+    };
b63792
+    static unsigned char iv[16] = { 0 };
b63792
+    unsigned char result[32] = { 0 };
b63792
+
b63792
+    for (i = 0; i < 3; i++) {
b63792
+        ret = 0;
b63792
+        if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
b63792
+            TEST_error("EVP_KDF_KB");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KB_MODE");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_256_cbc()) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_CIPHER");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KEY");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_SALT");
b63792
+            goto err;
b63792
+        }
b63792
+        if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) {
b63792
+            TEST_error("EVP_KDF_CTRL_SET_KB_SEED");
b63792
+            goto err;
b63792
+        }
b63792
+        ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
b63792
+            && TEST_mem_eq(result, sizeof(result), outputs[i],
b63792
+                           sizeof(outputs[i]));
b63792
+err:
b63792
+        EVP_KDF_CTX_free(kctx);
b63792
+        if (ret != 1)
b63792
+            return ret;
b63792
+    }
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+/* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
b63792
+ * 5) appendix A. */
b63792
+static int test_kdf_kbkdf_8009_prf1(void)
b63792
+{
b63792
+    int ret = 0;
b63792
+    EVP_KDF_CTX *kctx;
b63792
+    char *label = "prf", *prf_input = "test";
b63792
+    static unsigned char input_key[] = {
b63792
+        0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
b63792
+        0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
b63792
+    };
b63792
+    static unsigned char output[] = {
b63792
+        0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
b63792
+        0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
b63792
+        0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
b63792
+        0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
b63792
+    };
b63792
+    unsigned char result[sizeof(output)] = { 0 };
b63792
+
b63792
+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
b63792
+        TEST_error("EVP_KDF_KB");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_MD");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KEY");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_SALT");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KB_INFO");
b63792
+        goto err;
b63792
+    }
b63792
+    ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
b63792
+        && TEST_mem_eq(result, sizeof(result), output,
b63792
+                           sizeof(output));
b63792
+err:
b63792
+    EVP_KDF_CTX_free(kctx);
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static int test_kdf_kbkdf_8009_prf2(void)
b63792
+{
b63792
+    int ret = 0;
b63792
+    EVP_KDF_CTX *kctx;
b63792
+    char *label = "prf", *prf_input = "test";
b63792
+    static unsigned char input_key[] = {
b63792
+        0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
b63792
+        0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
b63792
+        0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
b63792
+        0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
b63792
+    };
b63792
+    static unsigned char output[] = {
b63792
+        0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
b63792
+        0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
b63792
+        0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
b63792
+        0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
b63792
+        0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
b63792
+        0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
b63792
+    };
b63792
+    unsigned char result[sizeof(output)] = { 0 };
b63792
+
b63792
+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
b63792
+        TEST_error("EVP_KDF_KB");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha384()) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_MD");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KEY");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_SALT");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KB_INFO");
b63792
+        goto err;
b63792
+    }
b63792
+    ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
b63792
+        && TEST_mem_eq(result, sizeof(result), output,
b63792
+                           sizeof(output));
b63792
+err:
b63792
+    EVP_KDF_CTX_free(kctx);
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static int test_kdf_krb5kdf(void)
b63792
+{
b63792
+    int ret = 0;
b63792
+    EVP_KDF_CTX *kctx;
b63792
+    unsigned char out[16];
b63792
+    static unsigned char key[] = {
b63792
+        0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
b63792
+        0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
b63792
+    };
b63792
+    static unsigned char constant[] = {
b63792
+        0x00, 0x00, 0x00, 0x02, 0x99
b63792
+    };
b63792
+    static const unsigned char expected[sizeof(out)] = {
b63792
+        0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
b63792
+        0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
b63792
+    };
b63792
+
b63792
+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) {
b63792
+        TEST_error("EVP_KDF_KRB5KDF");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_CIPHER");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KEY");
b63792
+        goto err;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT");
b63792
+        goto err;
b63792
+    }
b63792
+
b63792
+    ret =
b63792
+        TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
b63792
+        && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
b63792
+
b63792
+err:
b63792
+    EVP_KDF_CTX_free(kctx);
b63792
+    return ret;
b63792
+}
b63792
+
b63792
+static int test_kdf_ss_hash(void)
b63792
+{
b63792
+    EVP_KDF_CTX *kctx;
b63792
+    const unsigned char z[] = {
b63792
+        0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
b63792
+        0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
b63792
+        0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
b63792
+        0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
b63792
+    };
b63792
+    const unsigned char other[] = {
b63792
+        0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
b63792
+        0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
b63792
+        0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
b63792
+        0xe0,0xec,0x3f,0x8d,0xbe
b63792
+    };
b63792
+    const unsigned char expected[] = {
b63792
+        0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
b63792
+    };
b63792
+    unsigned char out[14];
b63792
+
b63792
+    kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
b63792
+
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_MD");
b63792
+        return 0;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_KEY");
b63792
+        return 0;
b63792
+    }
b63792
+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
b63792
+                     sizeof(other)) <= 0) {
b63792
+        TEST_error("EVP_KDF_CTRL_SET_SSKDF_INFO");
b63792
+        return 0;
b63792
+    }
b63792
+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
b63792
+        TEST_error("EVP_KDF_derive");
b63792
+        return 0;
b63792
+    }
b63792
+
b63792
+    if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
b63792
+        return 0;
b63792
+
b63792
+    EVP_KDF_CTX_free(kctx);
b63792
+    return 1;
b63792
+}
b63792
+
b63792
 int setup_tests(void)
b63792
 {
b63792
+    ADD_TEST(test_kdf_kbkdf_6803_128);
b63792
+    ADD_TEST(test_kdf_kbkdf_6803_256);
b63792
+    ADD_TEST(test_kdf_kbkdf_8009_prf1);
b63792
+    ADD_TEST(test_kdf_kbkdf_8009_prf2);
b63792
     ADD_TEST(test_kdf_tls1_prf);
b63792
     ADD_TEST(test_kdf_hkdf);
b63792
     ADD_TEST(test_kdf_pbkdf2);
b63792
 #ifndef OPENSSL_NO_SCRYPT
b63792
     ADD_TEST(test_kdf_scrypt);
b63792
 #endif
b63792
+    ADD_TEST(test_kdf_krb5kdf);
b63792
+    ADD_TEST(test_kdf_ss_hash);
b63792
     return 1;
b63792
 }
b63792
diff -up openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt
b63792
--- openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf	2019-11-14 16:25:09.451914601 +0100
b63792
+++ openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt	2019-11-14 16:25:09.480914075 +0100
b63792
@@ -5286,3 +5286,559 @@ Ctrl.hexsession_id = hexsession_id:a4ebd
b63792
 Ctrl.type = type:A
b63792
 Output = FF
b63792
 Result = KDF_MISMATCH
b63792
+
b63792
+Title = KRB5KDF tests (from RFC 3961 test vectors and krb5 sources)
b63792
+
b63792
+#RFC3961
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92
b63792
+Ctrl.hexconstant = hexconstant:0000000155
b63792
+Output = 925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2
b63792
+Ctrl.hexconstant = hexconstant:00000001aa
b63792
+Output = 9e58e5a146d9942a101c469845d67a20e3c4259ed913f207
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc
b63792
+Ctrl.hexconstant = hexconstant:0000000155
b63792
+Output = 13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5
b63792
+Ctrl.hexconstant = hexconstant:00000001aa
b63792
+Output = f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb
b63792
+Ctrl.hexconstant = hexconstant:6b65726265726f73
b63792
+Output = 2370da575d2a3da864cebfdc5204d56df779a7df43d9da43
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:c1081649ada74362e6a1459d01dfd30d67c2234c940704da
b63792
+Ctrl.hexconstant = hexconstant:0000000155
b63792
+Output = 348057ec98fdc48016161c2a4c7a943e92ae492c989175f7
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:5d154af238f46713155719d55e2f1f790dd661f279a7917c
b63792
+Ctrl.hexconstant = hexconstant:00000001aa
b63792
+Output = a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:798562e049852f57dc8c343ba17f2ca1d97394efc8adc443
b63792
+Ctrl.hexconstant = hexconstant:0000000155
b63792
+Output = c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:26dce334b545292f2feab9a8701a89a4b99eb9942cecd016
b63792
+Ctrl.hexconstant = hexconstant:00000001aa
b63792
+Output = f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d
b63792
+
b63792
+#Krb5 sources
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E
b63792
+Ctrl.hexconstant = hexconstant:0000000299
b63792
+Output = F78C496D16E6C2DAE0E0B6C24057A84C0426AEEF26FD6DCE
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E
b63792
+Ctrl.hexconstant = hexconstant:00000002AA
b63792
+Output = 5B5723D0B634CB684C3EBA5264E9A70D52E683231AD3C4CE
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E
b63792
+Ctrl.hexconstant = hexconstant:0000000255
b63792
+Output = A77C94980E9B7345A81525C423A737CE67F4CD91B6B3DA45
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:AES-128-CBC
b63792
+Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15
b63792
+Ctrl.hexconstant = hexconstant:0000000299
b63792
+Output = 34280A382BC92769B2DA2F9EF066854B
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:AES-128-CBC
b63792
+Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15
b63792
+Ctrl.hexconstant = hexconstant:00000002AA
b63792
+Output = 5B14FC4E250E14DDF9DCCF1AF6674F53
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:AES-128-CBC
b63792
+Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15
b63792
+Ctrl.hexconstant = hexconstant:0000000255
b63792
+Output = 4ED31063621684F09AE8D89991AF3E8F
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:AES-256-CBC
b63792
+Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161
b63792
+Ctrl.hexconstant = hexconstant:0000000299
b63792
+Output = BFAB388BDCB238E9F9C98D6A878304F04D30C82556375AC507A7A852790F4674
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:AES-256-CBC
b63792
+Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161
b63792
+Ctrl.hexconstant = hexconstant:00000002AA
b63792
+Output = C7CFD9CD75FE793A586A542D87E0D1396F1134A104BB1A9190B8C90ADA3DDF37
b63792
+
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:AES-256-CBC
b63792
+Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161
b63792
+Ctrl.hexconstant = hexconstant:0000000255
b63792
+Output = 97151B4C76945063E2EB0529DC067D97D7BBA90776D8126D91F34F3101AEA8BA
b63792
+
b63792
+#Same as the first but with no "fixup"
b63792
+KDF = KRB5KDF
b63792
+Ctrl.cipher = cipher:DES-EDE3-CBC
b63792
+Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92
b63792
+Ctrl.hexconstant = hexconstant:0000000155
b63792
+Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705
b63792
+
b63792
+#There are currently no official test vectors for Single Step KDF
b63792
+#https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors
b63792
+Title = Single Step KDF tests
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:d09a6b1a472f930db4f5e6b967900744
b63792
+Ctrl.hexinfo = hexinfo:b117255ab5f1b6b96fc434b0
b63792
+Output = b5a3c52e97ae6e8c5069954354eab3c7
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:343666c0dd34b756e70f759f14c304f5
b63792
+Ctrl.hexinfo = hexinfo:722b28448d7eab85491bce09
b63792
+Output = 1003b650ddd3f0891a15166db5ec881d
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:b84acf03ab08652dd7f82fa956933261
b63792
+Ctrl.hexinfo = hexinfo:3d8773ec068c86053a918565
b63792
+Output = 1635dcd1ce698f736831b4badb68ab2b
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:8cc24ca3f1d1a8b34783780b79890430
b63792
+Ctrl.hexinfo = hexinfo:f08d4f2d9a8e6d7105c0bc16
b63792
+Output = b8e716fb84a420aed4812cd76d9700ee
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:b616905a6f7562cd2689142ce21e42a3
b63792
+Ctrl.hexinfo = hexinfo:ead310159a909da87e7b4b40
b63792
+Output = 1b9201358c50fe5d5d42907c4a9fce78
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:3f57fd3fd56199b3eb33890f7ee28180
b63792
+Ctrl.hexinfo = hexinfo:7a5056ba4fdb034c7cb6c4fe
b63792
+Output = e51ebd30a8c4b8449b0fb29d9adc11af
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:fb9fb108d104e9f662d6593fc84cde69
b63792
+Ctrl.hexinfo = hexinfo:5faf29211c1bdbf1b2696a7c
b63792
+Output = 7a3a7e670656e48c390cdd7c51e167e0
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:237a39981794f4516dccffc3dda28396
b63792
+Ctrl.hexinfo = hexinfo:62ed9528d104c241e0f66275
b63792
+Output = 0c26fc9e90e1c5c5f943428301682045
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:b9b6c45f7279218fa09894e06366a3a1
b63792
+Ctrl.hexinfo = hexinfo:0f384339670aaed4b89ecb7e
b63792
+Output = ee5fad414e32fad5d52a2bf61a7f6c72
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:08b7140e2cd0a4abd79171e4d5a71cad
b63792
+Ctrl.hexinfo = hexinfo:099211f0d8a2e02dbb5958c0
b63792
+Output = 6162f5142e057efafd2c4f2bad5985a1
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a2
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f4853
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493d
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759a
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac704
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbe
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf1050
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f3
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8b
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f22
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f227688
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abf
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
b63792
+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
b63792
+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d9192
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:d7e6
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 31e798e9931b612a3ad1b9b1008faa8c
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:4646779d
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 139f68bcca879b490e268e569087d04d
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:d9811c81d4c6
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 914dc4f09cb633a76e6c389e04c64485
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:8838f9d99ec46f09
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 4f07dfb6f7a5bf348689e08b2e29c948
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:3e0939b33f34e779f30e
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = b42c7a98c23be19d1187ff960e87557f
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:f36230cacca4d245d303058c
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 50f2068d8010d355d56c5e34aaffbc67
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:7005d32c3d4284c73c3aefc70438
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 66fd712ccf5462bbd41e89041ea7ea26
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:c01c83150b7734f8dbd6efd6f54d7365
b63792
+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
b63792
+Output = 5c5edb0ceda9cd0c7f1f3d9e239c67d5
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:9949
b63792
+Output = 33c83f54ed00fb1bccd2113e88550941
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:17144da6
b63792
+Output = a999c28961424cab35ec06015e8c376a
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:dffdee1062eb
b63792
+Output = 4101ad50e626ed6f957bff926dfbb7db
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:9f365043e23b4648
b63792
+Output = 4d3e4b971b88771f229df9f564984832
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:a885a0c4567ddc4f96da
b63792
+Output = bebbc30f5a83df5e9c9b57db33c0c879
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:c9d86183295bfe4c3d85f0fd
b63792
+Output = 87c947e45407db63eb94cbaa02d14e94
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:825fadce46964236a486732c5dad
b63792
+Output = 192370a85ff78e3c0245129d9b398558
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
b63792
+Ctrl.hexinfo = hexinfo:5c0b5eb3ac9f342347d73d7a521723aa
b63792
+Output = c7b7634fd809383e87c4b1b3e728be56
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:8d7a4e7d5cf34b3f74873b862aeb33b7
b63792
+Output = 6a5594f402f74f69
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:9b208e7ee1e641fac1dff48fc1beb2d2
b63792
+Output = 556ed67e24ac0c7c46cc432da8bdb23c
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:4d2572539fed433211da28c8a0eebac3
b63792
+Output = 5a4054c59c5b92814025578f43c1b79fe84968fc284e240b
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:4e1e70c9886819a31bc29a537911add9
b63792
+Output = ddbfc440449aab4131c6d8aec08ce1496f2702241d0e27cc155c5c7c3cda75b5
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:68f144c952528e540c686dc353b766f2
b63792
+Output = 59ed66bb6f54a9688a0b891d0b2ea6743621d9e1b5cc098cf3a55e6f864f9af8a95e4d945d2f987f
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:b66c9d507c9f837fbe60b6675fdbf38b
b63792
+Output = c282787ddf421a72fc88811be81b08d0d6ab66c92d1011974aa58335a6bbbd62e9e982bfae5929865ea1d517247089d2
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:34e730b49e46c7ed2fb25975a4cccd2d
b63792
+Output = 39e76e6571cb00740260b9070accbdcc4a492c295cbef33d9e37dac21e5e9d07e0f12dc7063d2172641475d4e08b8e3712fb26a10c8376b8
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:e340d87e2d7adbc1b95ec2dbdc3b82be
b63792
+Output = a660c0037a53f76f1e7667043f5869348ad07ac0e272e615ce31f16d4ab90d4b35fe5c370c0010ce79aff45682c6fb8b97f9a05b7d40b5af3c62999a10df9c6d
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA256
b63792
+Ctrl.hexsecret = hexsecret:afc4e154498d4770aa8365f6903dc83b
b63792
+Ctrl.hexinfo = hexinfo:662af20379b29d5ef813e655
b63792
+Output = f0b80d6ae4c1e19e2105a37024e35dc6
b63792
+
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA512
b63792
+Ctrl.hexsecret = hexsecret:108cf63318555c787fa578731dd4f037
b63792
+Ctrl.hexinfo = hexinfo:53191b1dd3f94d83084d61d6
b63792
+Output = 0ad475c1826da3007637970c8b92b993
b63792
+
b63792
+Title = SSKDF Test vectors from RFC 8636 Section 8 (With precoumputed ASN.1 info)
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA1
b63792
+Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
b63792
+Ctrl.hexinfo = hexinfo:307e300a06082b06010502030601a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb
b63792
+Output = e6ab38c9413e035bb079201ed0b6b73d8d49a814a737c04ee6649614206f73ad
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA256
b63792
+Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
b63792
+Ctrl.hexinfo = hexinfo:307e300a06082b06010502030602a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb
b63792
+Output = 77ef4e48c420ae3fec75109d7981697eed5d295c90c62564f7bfd101fa9bc1d5
b63792
+
b63792
+KDF = SSKDF
b63792
+Ctrl.digest = digest:SHA512
b63792
+Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
b63792
+Ctrl.hexinfo = hexinfo:307e300a06082b06010502030603a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020110a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb
b63792
+Output = d3c78b78d75313e9a926f75dfb012363fa17fa01db