diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index fa0e096ca3..8603cbe382 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c @@ -797,14 +797,14 @@ void _HashFree(byte hashId, _hash* hash) #define LENGTH_SZ 4 -int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, +static int wc_SSH_KDF_ex(byte hashId, byte keyId, byte* key, word32 keySz, const byte* k, word32 kSz, const byte* h, word32 hSz, - const byte* sessionId, word32 sessionIdSz) + const byte* sessionId, word32 sessionIdSz, int padK) { word32 blocks, remainder; _hash hash; enum wc_HashType enmhashId = (enum wc_HashType)hashId; - byte kPad = 0; + byte kPadSz = 0; byte pad = 0; byte kSzFlat[LENGTH_SZ]; word32 digestSz; @@ -824,8 +824,8 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, } digestSz = (word32)ret; - if (k[0] & 0x80) kPad = 1; - c32toa(kSz + kPad, kSzFlat); + kPadSz = (k[0] & 0x80) && padK; + c32toa(kSz + kPadSz, kSzFlat); blocks = keySz / digestSz; remainder = keySz % digestSz; @@ -833,8 +833,8 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, ret = _HashInit(enmhashId, &hash); if (ret == 0) ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ); - if (ret == 0 && kPad) - ret = _HashUpdate(enmhashId, &hash, &pad, 1); + if (ret == 0) + ret = _HashUpdate(enmhashId, &hash, &pad, kPadSz); if (ret == 0) ret = _HashUpdate(enmhashId, &hash, k, kSz); if (ret == 0) @@ -864,8 +864,7 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, if (ret != 0) break; ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ); if (ret != 0) break; - if (kPad) - ret = _HashUpdate(enmhashId, &hash, &pad, 1); + ret = _HashUpdate(enmhashId, &hash, &pad, kPadSz); if (ret != 0) break; ret = _HashUpdate(enmhashId, &hash, k, kSz); if (ret != 0) break; 
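Review bot: The new file-local helper in the first hunk is named `wc_SSH_KDF_ex`, which reads like an exported API, while the other static helpers visible here use a leading underscore (`_HashFree`, `_HashInit`, `_HashUpdate`). A name in that style would make it obvious the function is not part of the public surface. A short header comment such as `/* padK: non-zero hashes K as an mpint (leading 0x00 when the top bit is set); zero hashes K as a plain length-prefixed string */` would also document the new parameter. The function body continues outside this hunk.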
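Review bot: In the second hunk `kPadSz` is assigned the result of a logical expression and then used as a byte count in `c32toa(kSz + kPadSz, kSzFlat)` and in the later `_HashUpdate` calls, which is correct only because `&&` yields exactly 0 or 1. Writing it as `kPadSz = (padK && (k[0] & 0x80)) ? 1 : 0;` with a comment that the extra byte is the leading zero of the mpint encoding of K would make the intent explicit. It would also skip the read of the secret's first byte when padding is disabled. The `k[0]` dereference assumes k is non-NULL and kSz is at least 1; the argument checks sit outside this hunk, so confirm they cover both.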
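Review bot: With the guard removed in the third hunk, `_HashUpdate(enmhashId, &hash, &pad, kPadSz)` runs with a length of 0 whenever no pad byte is needed, and the same pattern appears in the hunks at -864 and -884. The derivation now depends on `_HashUpdate` and every hash backend it dispatches to, possibly including hardware or callback ports, treating a zero-length update as a successful no-op. `_HashUpdate` is defined outside these hunks, so that is not verifiable from here. If any backend rejects it, derivation fails for every secret whose top bit is clear. Either keep the guard as `if (ret == 0 && kPadSz)` or add a comment at the first call stating that zero-length updates are required to succeed.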
@@ -884,8 +883,8 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, ret = _HashInit(enmhashId, &hash); if (ret == 0) ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ); - if (ret == 0 && kPad) - ret = _HashUpdate(enmhashId, &hash, &pad, 1); + if (ret == 0) + ret = _HashUpdate(enmhashId, &hash, &pad, kPadSz); if (ret == 0) ret = _HashUpdate(enmhashId, &hash, k, kSz); if (ret == 0) @@ -905,6 +904,22 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, return ret; } +int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, + const byte* k, word32 kSz, const byte* h, word32 hSz, + const byte* sessionId, word32 sessionIdSz) +{ + return wc_SSH_KDF_ex(hashId, keyId, key, keySz, + k, kSz, h, hSz, sessionId, sessionIdSz, 1); +} + +int wc_SSH_KDF_NoPad(byte hashId, byte keyId, byte* key, word32 keySz, + const byte* k, word32 kSz, const byte* h, word32 hSz, + const byte* sessionId, word32 sessionIdSz) +{ + return wc_SSH_KDF_ex(hashId, keyId, key, keySz, + k, kSz, h, hSz, sessionId, sessionIdSz, 0); +} + #endif /* WOLFSSL_WOLFSSH */ #ifdef WC_SRTP_KDF diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index c9e10ae5d2..5eca96052e 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -26796,11 +26796,17 @@ typedef struct { word32 sessionIdSz; const byte* expectedKey; word32 expectedKeySz; + int padK; } SshKdfTestVector; -/** Test Vector Set #3: SHA-256 **/ -static const byte sshKdfTvSet3k[] = { +/** Test Vector Data from CAVP Testing: Individual Component Testing **/ +/** SP 800-135: SSH Test Vectors **/ + +/** Test Vector Set #1: SHA-256, COUNT = 0 **/ +/** Shared Secret Length = 2048 **/ +/** IV length = 128, Encrypt Key Length = 128 **/ +static const byte sshKdfTvSet1k[] = { 0x6A, 0xC3, 0x82, 0xEA, 0xAC, 0xA0, 0x93, 0xE1, 0x25, 0xE2, 0x5C, 0x24, 0xBE, 0xBC, 0x84, 0x64, 0x0C, 0x11, 0x98, 0x75, 0x07, 0x34, 0x4B, 0x5C, 
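Review bot: The new public `wc_SSH_KDF_NoPad` added in the -905 hunk has no comment saying when it is appropriate, and the same applies to its declaration in the kdf.h hunk. RFC 4253 hashes K as an mpint, so this variant produces different keys from `wc_SSH_KDF` whenever the first byte of K has its top bit set. A caller who picks the wrong one gets a mismatch that shows up only for roughly half of all secrets. A comment above the definition and the prototype would help, for example `/* Like wc_SSH_KDF(), but K is hashed as a length-prefixed byte string with no mpint leading zero; use only for key exchanges that define K that way. */`.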
@@ -26834,78 +26840,179 @@ static const byte sshKdfTvSet3k[] = { 0xAE, 0x1B, 0x0E, 0x7D, 0x36, 0x03, 0xA5, 0x56, 0xA1, 0x32, 0x62, 0xFF, 0x62, 0x8D, 0xE2, 0x22 }; -static const byte sshKdfTvSet3h[] = { +static const byte sshKdfTvSet1h[] = { 0x7B, 0x70, 0x01, 0x18, 0x5E, 0x25, 0x6D, 0x44, 0x93, 0x44, 0x5F, 0x39, 0xA5, 0x5F, 0xB9, 0x05, 0xE6, 0x32, 0x1F, 0x4B, 0x5D, 0xD8, 0xBB, 0xF3, 0x10, 0x0D, 0x51, 0xBA, 0x0B, 0xDA, 0x3D, 0x2D }; -static const byte sshKdfTvSet3sid[] = { +static const byte sshKdfTvSet1sid[] = { 0x7B, 0x70, 0x01, 0x18, 0x5E, 0x25, 0x6D, 0x44, 0x93, 0x44, 0x5F, 0x39, 0xA5, 0x5F, 0xB9, 0x05, 0xE6, 0x32, 0x1F, 0x4B, 0x5D, 0xD8, 0xBB, 0xF3, 0x10, 0x0D, 0x51, 0xBA, 0x0B, 0xDA, 0x3D, 0x2D }; -static const byte sshKdfTvSet3a[] = { +static const byte sshKdfTvSet1aPadded[] = { 0x81, 0xF0, 0x33, 0x0E, 0xF6, 0xF0, 0x53, 0x61, 0xB3, 0x82, 0x3B, 0xFD, 0xED, 0x6E, 0x1D, 0xE9 }; -static const byte sshKdfTvSet3b[] = { +static const byte sshKdfTvSet1bPadded[] = { 0x3F, 0x6F, 0xD2, 0x06, 0x5E, 0xEB, 0x2B, 0x0B, 0x1D, 0x93, 0x19, 0x5A, 0x1F, 0xED, 0x48, 0xA5 }; -static const byte sshKdfTvSet3c[] = { +static const byte sshKdfTvSet1cPadded[] = { 0xC3, 0x54, 0x71, 0x03, 0x4E, 0x6F, 0xD6, 0x54, 0x76, 0x13, 0x17, 0x8E, 0x23, 0x43, 0x5F, 0x21 }; -static const byte sshKdfTvSet3d[] = { +static const byte sshKdfTvSet1dPadded[] = { 0x7E, 0x9D, 0x79, 0x03, 0x20, 0x90, 0xD9, 0x9F, 0x98, 0xB0, 0x15, 0x63, 0x4D, 0xD9, 0xF4, 0x62 }; -static const byte sshKdfTvSet3e[] = { +static const byte sshKdfTvSet1ePadded[] = { 0x24, 0xEE, 0x55, 0x9A, 0xD7, 0xCE, 0x71, 0x2B, 0x68, 0x5D, 0x0B, 0x22, 0x71, 0xE4, 0x43, 0xC1, 0x7A, 0xB1, 0xD1, 0xDC, 0xEB, 0x5A, 0x36, 0x05, 0x69, 0xD2, 0x5D, 0x5D, 0xC2, 0x43, 0x00, 0x2F }; -static const byte sshKdfTvSet3f[] = { +static const byte sshKdfTvSet1fPadded[] = { 0xC3, 0x41, 0x9C, 0x2B, 0x96, 0x62, 0x35, 0x86, 0x9D, 0x71, 0x4B, 0xA5, 0xAC, 0x48, 0xDD, 0xB7, 0xD9, 0xE3, 0x5C, 0x8C, 0x19, 0xAA, 0xC7, 0x34, 0x22, 0x33, 0x7A, 0x37, 0x34, 0x53, 0x60, 0x7E }; +/** 
Test Vector Set #2: SHA-256, COUNT = 2 **/ +/** Shared Secret Length = 2048 **/ +/** IV length = 128, Encrypt Key Length = 128 **/ +static const byte sshKdfTvSet2k[] = { + 0x9B, 0x1C, 0x63, 0x72, 0x86, 0x72, 0x0D, 0x11, + 0xA9, 0x03, 0x02, 0x60, 0xE3, 0x57, 0x26, 0x62, + 0x1F, 0x54, 0x11, 0x55, 0x60, 0xC4, 0x43, 0xDE, + 0xD9, 0x8D, 0x56, 0x22, 0xF4, 0x00, 0x7C, 0xB6, + 0x54, 0x27, 0xBA, 0x8A, 0xE0, 0x83, 0x1F, 0x34, + 0x45, 0x23, 0x49, 0x99, 0x3C, 0x74, 0x93, 0x34, + 0x66, 0xF3, 0x30, 0x7E, 0x11, 0x45, 0x21, 0x50, + 0xF4, 0x64, 0x00, 0x10, 0xED, 0x7D, 0x1A, 0xB8, + 0x76, 0x56, 0x23, 0x2D, 0x96, 0x59, 0xD9, 0x98, + 0x2E, 0x82, 0x27, 0xC2, 0x5D, 0x64, 0x81, 0x89, + 0xD2, 0xBD, 0xDA, 0x32, 0x83, 0xAA, 0x5D, 0xEC, + 0x8A, 0x21, 0x05, 0xAF, 0x0F, 0xA8, 0x40, 0x59, + 0x2A, 0x21, 0xD9, 0x6E, 0xEB, 0xB9, 0x32, 0xF8, + 0xFF, 0x36, 0xF9, 0x4A, 0x2E, 0x4F, 0xC3, 0x81, + 0x9D, 0x7C, 0x9F, 0x0D, 0x26, 0xA4, 0x72, 0xFB, + 0x5A, 0xE5, 0xA4, 0x3A, 0x2D, 0x49, 0x06, 0x24, + 0x7D, 0x59, 0xC4, 0x25, 0x12, 0xDD, 0xA2, 0x52, + 0x20, 0x5F, 0x60, 0x04, 0x2E, 0x19, 0x00, 0xE1, + 0x58, 0x11, 0x27, 0xF2, 0x5A, 0xCE, 0x25, 0x3B, + 0x62, 0xA8, 0x3F, 0x62, 0xD4, 0x70, 0x32, 0x81, + 0xA2, 0x94, 0xF2, 0x40, 0xDF, 0x2A, 0xA3, 0x4D, + 0xDF, 0x43, 0x7C, 0x9F, 0x27, 0x82, 0x78, 0x12, + 0x0B, 0xC1, 0x0E, 0x2C, 0xB9, 0x9F, 0x78, 0x04, + 0xEC, 0xD6, 0x74, 0x1B, 0x1B, 0xE5, 0x52, 0x0C, + 0x55, 0x3C, 0xB8, 0x97, 0x47, 0xF7, 0x9B, 0x4E, + 0x4E, 0xFD, 0x3C, 0xF0, 0x9B, 0x48, 0x4E, 0xB1, + 0xEB, 0x03, 0x4D, 0x22, 0x0D, 0xA4, 0x57, 0x54, + 0x6A, 0x2E, 0xBB, 0x28, 0xD7, 0xF2, 0xFA, 0xF6, + 0x7D, 0xE0, 0x63, 0x07, 0x57, 0xB8, 0xAE, 0x05, + 0xE2, 0x7A, 0x76, 0x19, 0x56, 0xD2, 0xE1, 0x90, + 0xFE, 0x3F, 0xB9, 0x3B, 0x1C, 0x7C, 0x14, 0x2F, + 0x62, 0xBA, 0xEB, 0x08, 0x97, 0x21, 0xCE, 0xDC +}; +static const byte sshKdfTvSet2h[] = { + 0xCA, 0xD4, 0x07, 0xA8, 0x23, 0x55, 0x17, 0x26, + 0xF9, 0xBD, 0xCB, 0x78, 0xE8, 0xF3, 0x51, 0x53, + 0x6E, 0x44, 0x06, 0xE8, 0xEE, 0x64, 0x94, 0x7E, + 0xCC, 0x00, 0x74, 0x66, 0x2C, 0x7C, 
0x04, 0x62 +}; +static const byte sshKdfTvSet2sid[] = { + 0xA9, 0xC8, 0x20, 0x76, 0x42, 0x62, 0x7E, 0x6E, + 0xE8, 0x72, 0x99, 0x91, 0x23, 0xB2, 0x9E, 0x36, + 0xAB, 0xFD, 0xD0, 0x71, 0xDB, 0xA3, 0x6E, 0xA6, + 0xF0, 0xC1, 0x1D, 0xD5, 0x9E, 0xA4, 0x64, 0x10 +}; +static const byte sshKdfTvSet2aPadded[] = { + 0x32, 0xD2, 0x0A, 0x3F, 0x5E, 0x92, 0xB2, 0x0F, + 0xE1, 0x00, 0xF4, 0xF4, 0x1A, 0x1A, 0xD5, 0x3C +}; +static const byte sshKdfTvSet2bPadded[] = { + 0xC3, 0xA3, 0xFF, 0x57, 0xF9, 0x91, 0x87, 0xBA, + 0x01, 0x1F, 0xD4, 0x22, 0x10, 0x0A, 0xF5, 0x77 +}; +static const byte sshKdfTvSet2cPadded[] = { + 0x85, 0x17, 0x90, 0x3C, 0x49, 0xD5, 0xA5, 0x9A, + 0xD8, 0xEF, 0x7C, 0xD8, 0x59, 0x1C, 0x6B, 0x5E +}; +static const byte sshKdfTvSet2dPadded[] = { + 0xA5, 0xAD, 0x20, 0x11, 0x01, 0xA6, 0x17, 0xF1, + 0xCD, 0x5B, 0x3A, 0x2B, 0xAA, 0x3B, 0x27, 0xF7 +}; +static const byte sshKdfTvSet2ePadded[] = { + 0x16, 0x74, 0x7A, 0x23, 0xFD, 0xDD, 0x72, 0xF7, + 0x85, 0xC5, 0xD6, 0x1D, 0xFB, 0x81, 0xA5, 0xA3, + 0x85, 0x55, 0xF5, 0xD8, 0xFF, 0x1D, 0xC5, 0xAE, + 0x4F, 0xB4, 0x23, 0xB8, 0x2A, 0xDF, 0xE0, 0x5B +}; +static const byte sshKdfTvSet2fPadded[] = { + 0xB1, 0xB1, 0xBB, 0xA8, 0x96, 0xB0, 0xFD, 0x75, + 0xA9, 0x01, 0x87, 0xEA, 0xE6, 0xCD, 0xF7, 0x44, + 0xD2, 0x38, 0x84, 0xCA, 0xA5, 0xF4, 0xCA, 0x97, + 0x9C, 0xED, 0x32, 0x7C, 0xA1, 0x23, 0x97, 0x71 +}; +/** The following check results do not use padding. 
**/ +static const byte sshKdfTvSet2aAlt[] = { + 0xE2, 0x0E, 0xC3, 0xE5, 0x9E, 0x2A, 0x6B, 0x5D, + 0x05, 0x35, 0x17, 0xAE, 0x38, 0x38, 0x0D, 0x89 +}; +static const byte sshKdfTvSet2bAlt[] = { + 0x66, 0x34, 0xF1, 0x43, 0x24, 0x0B, 0x5C, 0x0C, + 0xCE, 0x6E, 0xB0, 0x1B, 0xFE, 0xF4, 0xC1, 0x25 +}; +static const byte sshKdfTvSet2cAlt[] = { + 0x09, 0x80, 0xC3, 0xA6, 0x9A, 0x66, 0x5C, 0xD3, + 0x36, 0x56, 0xF9, 0x22, 0x64, 0x0D, 0xB5, 0x95 +}; +static const byte sshKdfTvSet2dAlt[] = { + 0x29, 0xDA, 0x40, 0x6F, 0x40, 0x5C, 0x00, 0x40, + 0xA8, 0x64, 0x0A, 0x5D, 0x7E, 0xB1, 0xCE, 0x5F +}; +static const byte sshKdfTvSet2eAlt[] = { + 0x88, 0x35, 0xD1, 0xFF, 0x84, 0xE8, 0x5A, 0x7A, + 0xA1, 0x1B, 0x33, 0x9D, 0xF5, 0x01, 0xFD, 0x67, + 0x8F, 0xD8, 0xFF, 0xDE, 0x51, 0x6E, 0x27, 0x15, + 0x92, 0x10, 0x84, 0xB3, 0x9C, 0x43, 0xF7, 0xEE +}; +static const byte sshKdfTvSet2fAlt[] = { + 0x30, 0x7F, 0x78, 0x37, 0xC8, 0x82, 0x29, 0x0A, + 0xB0, 0xDE, 0xDD, 0x8B, 0x45, 0x37, 0x71, 0xD9, + 0xB1, 0x16, 0x6E, 0x3B, 0x38, 0x89, 0x0F, 0xC6, + 0x66, 0x9D, 0x44, 0x94, 0x5B, 0x2F, 0xA3, 0x93 +}; + +#define SSH_TC_PAD 1 + +#define SSH_TC_COMPOSE_NAME(set,ext) sshKdfTvSet##set##ext +#define SSH_TC_COMPOSE_NAME_VAR(set,ext,var) sshKdfTvSet##set##ext##var +#define SSH_TC_COMPOSE_PAIR(name) name, sizeof(name) +#define SSH_TC_COMPOSE_VEC(val,set,sec,pad,var) \ + {WC_HASH_TYPE_SHA256, val, \ + SSH_TC_COMPOSE_PAIR(SSH_TC_COMPOSE_NAME(set,k)), \ + SSH_TC_COMPOSE_PAIR(SSH_TC_COMPOSE_NAME(set,h)), \ + SSH_TC_COMPOSE_PAIR(SSH_TC_COMPOSE_NAME(set,sid)), \ + SSH_TC_COMPOSE_PAIR(SSH_TC_COMPOSE_NAME_VAR(set,sec,var)), \ + pad} +#define SSH_TC_COMPOSE_VEC_SET(set,pad,var) \ + SSH_TC_COMPOSE_VEC('A',set,a,pad,var),\ + SSH_TC_COMPOSE_VEC('B',set,b,pad,var),\ + SSH_TC_COMPOSE_VEC('C',set,c,pad,var),\ + SSH_TC_COMPOSE_VEC('D',set,d,pad,var),\ + SSH_TC_COMPOSE_VEC('E',set,e,pad,var),\ + SSH_TC_COMPOSE_VEC('F',set,f,pad,var) + static const SshKdfTestVector sshKdfTestVectors[] = { - {WC_HASH_TYPE_SHA256, 'A', - sshKdfTvSet3k, 
sizeof(sshKdfTvSet3k), - sshKdfTvSet3h, sizeof(sshKdfTvSet3h), - sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid), - sshKdfTvSet3a, sizeof(sshKdfTvSet3a)}, - {WC_HASH_TYPE_SHA256, 'B', - sshKdfTvSet3k, sizeof(sshKdfTvSet3k), - sshKdfTvSet3h, sizeof(sshKdfTvSet3h), - sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid), - sshKdfTvSet3b, sizeof(sshKdfTvSet3b)}, - {WC_HASH_TYPE_SHA256, 'C', - sshKdfTvSet3k, sizeof(sshKdfTvSet3k), - sshKdfTvSet3h, sizeof(sshKdfTvSet3h), - sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid), - sshKdfTvSet3c, sizeof(sshKdfTvSet3c)}, - {WC_HASH_TYPE_SHA256, 'D', - sshKdfTvSet3k, sizeof(sshKdfTvSet3k), - sshKdfTvSet3h, sizeof(sshKdfTvSet3h), - sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid), - sshKdfTvSet3d, sizeof(sshKdfTvSet3d)}, - {WC_HASH_TYPE_SHA256, 'E', - sshKdfTvSet3k, sizeof(sshKdfTvSet3k), - sshKdfTvSet3h, sizeof(sshKdfTvSet3h), - sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid), - sshKdfTvSet3e, sizeof(sshKdfTvSet3e)}, - {WC_HASH_TYPE_SHA256, 'F', - sshKdfTvSet3k, sizeof(sshKdfTvSet3k), - sshKdfTvSet3h, sizeof(sshKdfTvSet3h), - sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid), - sshKdfTvSet3f, sizeof(sshKdfTvSet3f)}, + SSH_TC_COMPOSE_VEC_SET(1,SSH_TC_PAD,Padded), + SSH_TC_COMPOSE_VEC_SET(1,!SSH_TC_PAD,Padded), + SSH_TC_COMPOSE_VEC_SET(2,SSH_TC_PAD,Padded), + SSH_TC_COMPOSE_VEC_SET(2,!SSH_TC_PAD,Alt), }; 
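Review bot: The `sshKdfTvSet2*Alt` expected keys are introduced only with "The following check results do not use padding" and give no source, whereas the Padded sets are attributed to the CAVP SP 800-135 vectors. If the Alt values were produced by the implementation under test, these rows catch regressions but do not confirm that the unpadded derivation is correct. A comment naming the independent implementation or reference they came from would settle that. It would also help to note beside `SSH_TC_COMPOSE_VEC_SET(1,!SSH_TC_PAD,Padded)` why the no-pad run reuses the Padded expectations, e.g. `/* Set 1: K[0] = 0x6A, top bit clear, so padded and unpadded outputs are identical */`.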
@@ -26920,23 +27027,32 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t sshkdf_test(void) /* sId - Session ID, eKey - Expected Key, cKey - Calculated Key */ for (i = 0, tv = sshKdfTestVectors; i < tc; i++, tv++) { - result = wc_SSH_KDF(tv->hashId, tv->keyId, - cKey, tv->expectedKeySz, - tv->k, tv->kSz, tv->h, tv->hSz, - tv->sessionId, tv->sessionIdSz); + if (tv->padK) { + result = wc_SSH_KDF(tv->hashId, tv->keyId, + cKey, tv->expectedKeySz, + tv->k, tv->kSz, tv->h, tv->hSz, + tv->sessionId, tv->sessionIdSz); + } + else { + result = wc_SSH_KDF_NoPad(tv->hashId, tv->keyId, + cKey, tv->expectedKeySz, + tv->k, tv->kSz, tv->h, tv->hSz, + tv->sessionId, tv->sessionIdSz); + } if (result != 0) { - printf("KDF: Could not derive key.\n"); + printf("SSHKDF: Could not derive key.\n"); result = WC_TEST_RET_ENC_EC(result); + break; } else { if (XMEMCMP(cKey, tv->expectedKey, tv->expectedKeySz) != 0) { - printf("KDF: Calculated Key does not match Expected Key.\n"); + printf("SSHKDF: Calculated Key does not " + "match Expected Key.\n"); result = WC_TEST_RET_ENC_EC(result); + break; } } - - if (result != 0) break; } return result; diff --git a/wolfssl/wolfcrypt/kdf.h b/wolfssl/wolfcrypt/kdf.h index 1e731ebc63..4fb05c9667 100644 --- a/wolfssl/wolfcrypt/kdf.h +++ b/wolfssl/wolfcrypt/kdf.h @@ -119,6 +119,12 @@ WOLFSSL_API int wc_SSH_KDF(byte hashId, byte keyId, const byte* h, word32 hSz, const byte* sessionId, word32 sessionIdSz); +WOLFSSL_API int wc_SSH_KDF_NoPad(byte hashId, byte keyId, + byte* key, word32 keySz, + const byte* k, word32 kSz, + const byte* h, word32 hSz, + const byte* sessionId, word32 sessionIdSz); + #endif /* WOLFSSL_WOLFSSH */ #ifdef WC_SRTP_KDF
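Review bot: In the key-mismatch branch of the sshkdf_test hunk, `result = WC_TEST_RET_ENC_EC(result);` is reached only when `result` is 0, so the encoded failure carries an error code of zero. The new `break;` directly after it now relies on that value being non-zero to report the failure. If the macro still yields a non-zero value there (its definition is outside this hunk), the test fails as intended, but the code is misleading; `result = WC_TEST_RET_ENC_NC;` would express "failure without a library error code". Since the table now mixes padded and unpadded rows, including `i` and `tv->padK` in the two `printf` messages would also identify which vector failed.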