action #111581
closed [security][backlog] bsc#1195919 Integrate hkdf function test into Strongswan.
100%
Description
From Marcus's email:
Hi,
The kdf used by strongswan is the "HKDF".
To test HKDF in openssl use something like:
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -hexdump
To test all 3 different HKDF modes:
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_ONLY -hexdump
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_AND_EXPAND -hexdump
openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt info:ff -pkeyopt key:ff -pkeyopt mode:EXPAND_ONLY -hexdump
FWIW, your openssl call below is not testing SSHKDF.
SSH KDF can be tested more along those lines:
openssl pkeyutl -kdf SSHKDF -kdflen 64 -pkeyopt md:SHA256 -pkeyopt hexkey:ffff -pkeyopt hexsession_id:ffff -pkeyopt hexxcghash:ff -pkeyopt key:A -hexdump
(but it still seems to miss an option or has an incorrect one,
it has an error for me.)
That said, for actual strongswan IKE KDF testing...
As it is transparently added to strongswan, regression testing strongswan in FIPS
mode should already be covering what we need. :/
The result of executing the commands:
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -hexdump
0000 - 92 4e 68 ff cc 6c b9 7a-92 af 43 22 22 df 83 61 .Nh..l.z..C""..a
0010 - 55 0c d2 67 2f 37 90 05-6c f3 c9 be 7c 2a f7 c2 U..g/7..l...|..
0020 - 7a cb 5e 8b 64 57 a7 79-03 9d 73 d2 17 53 12 02 z..dW.y..s..S..
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_ONLY -hexdump
0000 - e2 bb 42 56 af 84 ea 52-c7 32 42 af 49 d1 27 5f ..BV...R.2B.I.'_
0010 - dd e2 1e 90 e3 66 dc d5-71 07 50 81 f4 c0 9a 2e .....f..q.P.....
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_AND_EXPAND -hexdump
0000 - 92 4e 68 ff cc 6c b9 7a-92 af 43 22 22 df 83 61 .Nh..l.z..C""..a
0010 - 55 0c d2 67 2f 37 90 05-6c f3 c9 be 7c 2a f7 c2 U..g/7..l...|..
0020 - 7a cb 5e 8b 64 57 a7 79-03 9d 73 d2 17 53 12 02 z..dW.y..s..S..
susetest:~ # openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt info:ff -pkeyopt key:ff -pkeyopt mode:EXPAND_ONLY -hexdump
0000 - 87 c6 5f b2 e8 fe e9 23-99 2f 1d 1e 9e 9b f6 a4 .._....#./......
0010 - 4d ca b0 29 77 3a 92 31-71 a3 90 6a db 86 91 1f M..)w:.1q..j....
0020 - 5c 9b 8e 60 fa 81 d1 ab-1d 8f a4 79 7c 09 bf e6 ..`.......y|...
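Added example, not part of the ticket or the quoted email: an independent RFC 5869 reference in Python that mirrors the three pkeyutl modes above, so the hexdumps can be cross-checked against a second implementation. The function names are hypothetical, and it assumes that key:, salt: and info: pass the literal ASCII characters "ff" (the hex-decoded forms being the hex-prefixed options such as hexkey in the SSHKDF command).

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes, md: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); always HashLen bytes long."""
    if not salt:
        salt = bytes(hashlib.new(md).digest_size)  # RFC default: HashLen zero bytes
    return hmac.new(salt, ikm, md).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    hash_len = hashlib.new(md).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("requested length outside RFC 5869 limits")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), md).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf(mode: str, key: bytes, salt: bytes = b"", info: bytes = b"", length: int = 48) -> bytes:
    """Mirror the three pkeyutl modes used in the ticket (SHA-256 only)."""
    if mode == "EXTRACT_ONLY":
        return hkdf_extract(salt, key)         # length is ignored: output is the PRK
    if mode == "EXPAND_ONLY":
        return hkdf_expand(key, info, length)  # key is used directly as the PRK
    if mode == "EXTRACT_AND_EXPAND":
        return hkdf_expand(hkdf_extract(salt, key), info, length)
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    # Same parameters as the ticket's commands; b"ff" is the assumed ASCII
    # interpretation of "key:ff" / "salt:ff" / "info:ff".
    runs = [
        ("EXTRACT_AND_EXPAND", dict(key=b"ff", salt=b"ff")),
        ("EXTRACT_ONLY", dict(key=b"ff", salt=b"ff")),
        ("EXPAND_ONLY", dict(key=b"ff", info=b"ff")),
    ]
    for mode, kwargs in runs:
        print(mode, hkdf(mode, **kwargs).hex())
```

The extract step returns exactly one hash length, which is why the EXTRACT_ONLY hexdump above is 32 bytes long even though -kdflen 48 was requested.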
Updated by rcai almost 2 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100