action #111581

closed

[security][backlog] bsc#1195919 Integrate hkdf function test into Strongswan.

Added by rcai almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Enhancement to existing tests
Target version: -
Start date: 2022-05-25
Due date:
% Done: 100%
Estimated time: 10.00 h
Difficulty:

Description

From Marcus's email:

Hi,

The kdf used by strongswan is the "HKDF".

To test HKDF in openssl use something like:
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -hexdump

To test all 3 different HKDF modes:
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_ONLY -hexdump
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_AND_EXPAND -hexdump
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt info:ff -pkeyopt key:ff -pkeyopt mode:EXPAND_ONLY -hexdump

FWIW your openssl call below is not testing SSHKDF.

SSH KDF can be tested more along those lines:
openssl pkeyutl -kdf SSHKDF -kdflen 64 -pkeyopt md:SHA256 -pkeyopt hexkey:ffff -pkeyopt hexsession_id:ffff -pkeyopt hexxcghash:ff -pkeyopt key:A -hexdump

    (but it still seems to miss an option or has an incorrect one,
    it has an error for me.)

That said, for actual strongswan IKE KDF testing...

As it is transparently added to strongswan, regression testing strongswan in FIPS
mode should already be covering what we need. :/

The result of executing the commands:
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -hexdump
0000 - 92 4e 68 ff cc 6c b9 7a-92 af 43 22 22 df 83 61 .Nh..l.z..C""..a
0010 - 55 0c d2 67 2f 37 90 05-6c f3 c9 be 7c 2a f7 c2 U..g/7..l...|*..
0020 - 7a cb 5e 8b 64 57 a7 79-03 9d 73 d2 17 53 12 02 z.^.dW.y..s..S..
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_ONLY -hexdump
0000 - e2 bb 42 56 af 84 ea 52-c7 32 42 af 49 d1 27 5f ..BV...R.2B.I.'_
0010 - dd e2 1e 90 e3 66 dc d5-71 07 50 81 f4 c0 9a 2e .....f..q.P.....
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_AND_EXPAND -hexdump
0000 - 92 4e 68 ff cc 6c b9 7a-92 af 43 22 22 df 83 61 .Nh..l.z..C""..a
0010 - 55 0c d2 67 2f 37 90 05-6c f3 c9 be 7c 2a f7 c2 U..g/7..l...|*..
0020 - 7a cb 5e 8b 64 57 a7 79-03 9d 73 d2 17 53 12 02 z.^.dW.y..s..S..
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt info:ff -pkeyopt key:ff -pkeyopt mode:EXPAND_ONLY -hexdump
0000 - 87 c6 5f b2 e8 fe e9 23-99 2f 1d 1e 9e 9b f6 a4 .._....#./......
0010 - 4d ca b0 29 77 3a 92 31-71 a3 90 6a db 86 91 1f M..)w:.1q..j....
0020 - 5c 9b 8e 60 fa 81 d1 ab-1d 8f a4 79 7c 09 bf e6 \..`.......y|...
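
An independent cross-check for the three HKDF modes above, added here as an example (it is not part of the ticket, strongSwan or the openQA tests): RFC 5869 HKDF-SHA256 in plain Python, whose output can be compared with the pkeyutl hexdumps. It assumes that key:, salt: and info: pass the literal ASCII string "ff", whereas the hexkey:, hexsalt: and hexinfo: forms would pass the single byte 0xff; ticket_cases is a name chosen for this example.

```python
import hashlib
import hmac
import math


def hkdf_extract(salt: bytes, ikm: bytes, md: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM). An empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.new(md).digest_size)
    return hmac.new(salt, ikm, md).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(n) = HMAC(PRK, T(n-1) | info | n), concatenated and truncated."""
    hash_len = hashlib.new(md).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block = b"", b""
    for counter in range(1, math.ceil(length / hash_len) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), md).digest()
        okm += block
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """Extract-then-expand, the mode pkeyutl uses when no mode: option is given."""
    return hkdf_expand(hkdf_extract(salt, ikm, md), info, length, md)


def ticket_cases() -> dict:
    """Inputs of the pkeyutl calls in the ticket (assumed ASCII "ff", see lead-in)."""
    ff = b"ff"
    return {
        # Extract returns the PRK only, so -kdflen 48 still yields HashLen (32) bytes.
        "EXTRACT_ONLY": hkdf_extract(ff, ff),
        # No info: option was passed, so info is empty.
        "EXTRACT_AND_EXPAND": hkdf(ff, ff, b"", 48),
        # Here key: is used directly as the PRK and no salt is involved.
        "EXPAND_ONLY": hkdf_expand(ff, ff, 48),
    }


if __name__ == "__main__":
    for mode, out in ticket_cases().items():
        print(f"{mode:20} {len(out):2} bytes  {out.hex()}")
```

A mismatch between this output and the OpenSSL hexdump for the same mode points at either the input encoding (key: versus hexkey:) or the provider under test.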

Actions #1

Updated by rcai almost 2 years ago

  • Estimated time set to 10.00 h
Actions #2

Updated by rcai almost 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100