Add EVP_KDF-X942 to the fips module

The X942 KDF had been modified so that it supports all optional fields - not
just the fields used by CMS.

As there are 2 types of KDF for X942 - this has been made a bit clearer
by adding an X942KDF-ASN1 alias. X942KDF-CONCAT has also been added as an
alias of X963KDF.

This work was instigated as a result of the ACVP tests optionally being
able to use keybits for the supp_pubinfo field.
Setting the parameter OSSL_KDF_PARAM_X942_USE_KEYBITS to 0 allows this
to be disabled.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13418)

crypto/dh/dh_ctrl.c

@@ -237,7 +237,7 @@ int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf)
             kdf_type = "";
             break;
         case EVP_PKEY_DH_KDF_X9_42:
-            kdf_type = OSSL_KDF_NAME_X942KDF;
+            kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
             break;
         default:
             return -2;
@@ -289,7 +289,7 @@ int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx)
 
     if (kdf_type[0] == '\0')
         return EVP_PKEY_DH_KDF_NONE;
-    else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF) == 0)
+    else if (strcmp(kdf_type, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
         return EVP_PKEY_DH_KDF_X9_42;
 
     return -1;

crypto/dh/dh_kdf.c

@@ -37,7 +37,7 @@ int dh_KDF_X9_42_asn1(unsigned char *out, size_t outlen,
     OSSL_PARAM params[5], *p = params;
     const char *mdname = EVP_MD_name(md);
 
-    kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_X942KDF, propq);
+    kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_X942KDF_ASN1, propq);
     kctx = EVP_KDF_CTX_new(kdf);
     if (kctx == NULL)
         goto err;

crypto/err/openssl.txt

@@ -2879,6 +2879,7 @@ PROV_R_INVALID_MODE:125:invalid mode
 PROV_R_INVALID_MODE_INT:126:invalid mode int
 PROV_R_INVALID_PADDING_MODE:168:invalid padding mode
 PROV_R_INVALID_PSS_SALTLEN:169:invalid pss saltlen
+PROV_R_INVALID_PUBINFO:198:invalid pubinfo
 PROV_R_INVALID_RSA_KEY:217:invalid rsa key
 PROV_R_INVALID_SALT_LENGTH:112:invalid salt length
 PROV_R_INVALID_SEED_LENGTH:154:invalid seed length
@@ -2886,6 +2887,7 @@ PROV_R_INVALID_SIGNATURE_SIZE:179:invalid signature size
 PROV_R_INVALID_STATE:212:invalid state
 PROV_R_INVALID_TAG:110:invalid tag
 PROV_R_INVALID_TAGLEN:118:invalid taglen
+PROV_R_INVALID_UKM_LENGTH:200:invalid ukm length
 PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest
 PROV_R_IN_ERROR_STATE:192:in error state
 PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
@@ -2917,7 +2919,7 @@ PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:178:\
 	operation not supported for this keytype
 PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small
 PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS:228:\
-        parent cannot generate random numbers
+	parent cannot generate random numbers
 PROV_R_PARENT_LOCKING_NOT_ENABLED:182:parent locking not enabled
 PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak
 PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute

doc/man1/openssl-kdf.pod.in

@@ -87,7 +87,7 @@ To see the list of supported digests, use the command I<list -digest-commands>.
 
 Specifies the name of a supported KDF algorithm which will be used.
 The supported algorithms names include TLS1-PRF, HKDF, SSKDF, PBKDF2,
-SSHKDF, X942KDF, X963KDF and SCRYPT.
+SSHKDF, X942KDF-ASN1, X942KDF-CONCAT, X963KDF and SCRYPT.
 
 =back
 
@@ -156,7 +156,8 @@ L<EVP_KDF-PBKDF2(7)>,
 L<EVP_KDF-HKDF(7)>,
 L<EVP_KDF-SS(7)>,
 L<EVP_KDF-SSHKDF(7)>,
-L<EVP_KDF-X942(7)>,
+L<EVP_KDF-X942-ASN1(7)>,
+L<EVP_KDF-X942-CONCAT(7)>,
 L<EVP_KDF-X963(7)>
 
 =head1 HISTORY

doc/man7/EVP_KDF-X942.pod → doc/man7/EVP_KDF-X942-ASN1.pod

@@ -2,18 +2,20 @@
 
 =head1 NAME
 
-EVP_KDF-X942 - The X9.42-2001 asn1 EVP_KDF implementation
+EVP_KDF-X942-ASN1 - The X9.42-2003 asn1 EVP_KDF implementation
 
 =head1 DESCRIPTION
 
-The EVP_KDF-X942 algorithm implements the key derivation function (X942KDF).
-X942KDF is used by Cryptographic Message Syntax (CMS) for DH KeyAgreement, to
-derive a key using input such as a shared secret key and other info. The other
-info is DER encoded data that contains a 32 bit counter.
+The EVP_KDF-X942-ASN1 algorithm implements the key derivation function
+X942KDF-ASN1. It is used by DH KeyAgreement, to derive a key using input such as
+a shared secret key and other info. The other info is DER encoded data that
+contains a 32 bit counter as well as optional fields for "partyu-info",
+"partyv-info", "supp-pubinfo" and "supp-privinfo".
+This kdf is used by Cryptographic Message Syntax (CMS).
 
 =head2 Identity
 
-"X942KDF" is the name for this implementation; it
+"X942KDF-ASN1" or "X942KDF" is the name for this implementation; it
 can be used with the EVP_KDF_fetch() function.
 
 =head2 Supported parameters
@@ -32,15 +34,38 @@ These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
 
 The shared secret used for key derivation.  This parameter sets the secret.
 
+=item "partyu-info" (B<OSSL_KDF_PARAM_X942_PARTYUINFO>) <octet string>
+
+An optional octet string containing public info contributed by the initiator.
+
 =item "ukm" (B<OSSL_KDF_PARAM_UKM>) <octet string>
 
-This parameter is an optional random string that is provided
-by the sender called "partyAInfo".
+An alias for "partyu-info".
 In CMS this is the user keying material.
 
+=item "partyv-info" (B<OSSL_KDF_PARAM_X942_PARTYVINFO>) <octet string>
+
+An optional octet string containing public info contributed by the responder.
+
+=item "supp-pubinfo" (B<OSSL_KDF_PARAM_X942_SUPP_PUBINFO>) <octet string>
+
+An optional octet string containing some additional, mutually-known public
+information. Setting this value also sets "use-keybits" to 0.
+
+=item "use-keybits" (B<OSSL_KDF_PARAM_X942_SUPP_PRIVINFO>) <integer>
+
+The default value of 1 will use the KEK key length (in bits) as the
+"supp-pubinfo". A value of 0 disables setting the "supp-pubinfo".
+
+=item "supp-privinfo" (B<OSSL_KDF_PARAM_X942_SUPP_PRIVINFO>) <octet string>
+
+An optional octet string containing some additional, mutually-known private
+information.
+
 =item "cekalg" (B<OSSL_KDF_PARAM_CEK_ALG>) <UTF8 string>
 
-This parameter sets the CEK wrapping algorithm name. 
+This parameter sets the CEK wrapping algorithm name.
+Valid values are "AES-128-WRAP", "AES-192-WRAP", "AES-256-WRAP" and "DES3-WRAP".
 
 =back
 
@@ -56,44 +81,43 @@ parameter to the L<EVP_KDF_derive(3)> function.
 
 =head1 EXAMPLES
 
-This example derives 24 bytes, with the secret key "secret" and a random user
+This example derives 24 bytes, with the secret key "secret" and random user
 keying material:
 
   EVP_KDF_CTX *kctx;
   EVP_KDF_CTX *kctx;
   unsigned char out[192/8];
   unsignred char ukm[64];
- OSSL_PARAM params[5], *p = params;
+  OSSL_PARAM params[5], *p = params;
 
   if (RAND_bytes(ukm, sizeof(ukm)) <= 0)
       error("RAND_bytes");
 
- kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL);
- if (kctx == NULL)
-     error("EVP_KDF_fetch");
- kctx = EVP_KDF_CTX_new(kdf);
- if (kctx == NULL)
-     error("EVP_KDF_CTX_new");
- EVP_KDF_free(kdf);
-
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
-                                         SN_sha256, strlen(SN_sha256));
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
-                                          "secret", (size_t)6);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm));
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG,
-                                         SN_id_smime_alg_CMS3DESwrap,
-                                         strlen(SN_id_smime_alg_CMS3DESwrap));
- *p = OSSL_PARAM_construct_end();
- if (EVP_KDF_CTX_set_params(kctx, params) <= 0)
-     error("EVP_KDF_CTX_set_params");
- if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
-     error("EVP_KDF_derive");
-
- EVP_KDF_CTX_free(kctx);
+  kdf = EVP_KDF_fetch(NULL, "X942KDF", NULL);
+  if (kctx == NULL)
+      error("EVP_KDF_fetch");
+  kctx = EVP_KDF_CTX_new(kdf);
+  EVP_KDF_free(kdf);
+  if (kctx == NULL)
+      error("EVP_KDF_CTX_new");
+
+  *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0);
+  *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
+                                           "secret", (size_t)6);
+  *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_UKM, ukm, sizeof(ukm));
+  *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CEK_ALG, "AES-256-WRAP, 0);
+  *p = OSSL_PARAM_construct_end();
+  if (EVP_KDF_CTX_set_params(kctx, params) <= 0)
+      error("EVP_KDF_CTX_set_params");
+
+  if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
+      error("EVP_KDF_derive");
+
+  EVP_KDF_CTX_free(kctx);
 
 =head1 CONFORMING TO
 
+ANS1 X9.42-2003
 RFC 2631
 
 =head1 SEE ALSO

doc/man7/EVP_KDF-X942-CONCAT.pod

+=pod
+
+=head1 NAME
+
+EVP_KDF-X942-CONCAT - The X942 Concat EVP_KDF implementation
+
+=head1 DESCRIPTION
+
+The EVP_KDF-X942-CONCAT algorithm is identical to EVP_KDF-X963. It is
+used for key agreement to derive a key using input such as a shared secret key
+and shared info.
+
+=head2 Identity
+
+"X942KDF_CONCAT" is the name for this implementation; it
+can be used with the EVP_KDF_fetch() function.
+
+This is an alias for "X963KDF".
+
+See <EVP_KDF-X963(7)> for a list of supported parameters and examples.
+
+=head1 HISTORY
+
+This functionality was added to OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man7/OSSL_PROVIDER-FIPS.pod

@@ -90,10 +90,18 @@ The OpenSSL FIPS provider supports these operations and algorithms:
 
 =item PBKDF2, see L<EVP_KDF-PBKDF2(7)>
 
+=item SSHKDF, see L<EVP_KDF-SSHKDF(7)>
+
 =item TLS1-PRF, see L<EVP_KDF-TLS1-PRF(7)>
 
 =item KBKDF, see L<EVP_KDF-KBKDF(7)>
 
+=item X942KDF-ASN1, see L<EVP_KDF-X942-ASN1(7)>
+
+=item X942KDF-CONCAT, see L<EVP_KDF-X942-CONCAT(7)>
+
+=item X963KDF, see L<EVP_KDF-X963(7)>
+
 =back
 
 =head2 Key Exchange

doc/man7/OSSL_PROVIDER-default.pod

@@ -132,13 +132,16 @@ The OpenSSL default provider supports these operations and algorithms:
 
 =item KBKDF, see L<EVP_KDF-KB(7)>
 
-=item X942KDF, see L<EVP_KDF-X942(7)>
+=item X942KDF-ASN1, see L<EVP_KDF-X942-ASN1(7)>
+
+=item X942KDF-CONCAT, see L<EVP_KDF-X942-CONCAT(7)>
+
+=item X963KDF, see L<EVP_KDF-X963(7)>
 
 =item SCRYPT, see L<EVP_KDF-SCRYPT(7)>
 
 =item KRB5KDF, see L<EVP_KDF-KRB5KDF(7)>
 
-=item X963KDF, see L<EVP_KDF-X963(7)>
 
 =back
 

include/openssl/core_names.h

@@ -203,18 +203,24 @@ extern "C" {
 #define OSSL_KDF_PARAM_PKCS12_ID    "id"        /* int */
 #define OSSL_KDF_PARAM_KBKDF_USE_L  "use-l"             /* int */
 #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR  "use-separator"     /* int */
+#define OSSL_KDF_PARAM_X942_PARTYUINFO      "partyu-info"
+#define OSSL_KDF_PARAM_X942_PARTYVINFO      "partyv-info"
+#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO    "supp-pubinfo"
+#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO   "supp-privinfo"
+#define OSSL_KDF_PARAM_X942_USE_KEYBITS     "use-keybits"
 
 /* Known KDF names */
-#define OSSL_KDF_NAME_HKDF          "HKDF"
-#define OSSL_KDF_NAME_PBKDF2        "PBKDF2"
-#define OSSL_KDF_NAME_SCRYPT        "SCRYPT"
-#define OSSL_KDF_NAME_SSHKDF        "SSHKDF"
-#define OSSL_KDF_NAME_SSKDF         "SSKDF"
-#define OSSL_KDF_NAME_TLS1_PRF      "TLS1-PRF"
-#define OSSL_KDF_NAME_X942KDF       "X942KDF"
-#define OSSL_KDF_NAME_X963KDF       "X963KDF"
-#define OSSL_KDF_NAME_KBKDF         "KBKDF"
-#define OSSL_KDF_NAME_KRB5KDF       "KRB5KDF"
+#define OSSL_KDF_NAME_HKDF           "HKDF"
+#define OSSL_KDF_NAME_PBKDF2         "PBKDF2"
+#define OSSL_KDF_NAME_SCRYPT         "SCRYPT"
+#define OSSL_KDF_NAME_SSHKDF         "SSHKDF"
+#define OSSL_KDF_NAME_SSKDF          "SSKDF"
+#define OSSL_KDF_NAME_TLS1_PRF       "TLS1-PRF"
+#define OSSL_KDF_NAME_X942KDF_ASN1   "X942KDF-ASN1"
+#define OSSL_KDF_NAME_X942KDF_CONCAT "X942KDF-CONCAT"
+#define OSSL_KDF_NAME_X963KDF        "X963KDF"
+#define OSSL_KDF_NAME_KBKDF          "KBKDF"
+#define OSSL_KDF_NAME_KRB5KDF        "KRB5KDF"
 
 /* Known RAND names */
 #define OSSL_RAND_PARAM_STATE                   "state"

providers/common/include/prov/providercommonerr.h

@@ -105,6 +105,7 @@ int err_load_PROV_strings_int(void);
 # define PROV_R_INVALID_MODE_INT                          126
 # define PROV_R_INVALID_PADDING_MODE                      168
 # define PROV_R_INVALID_PSS_SALTLEN                       169
+# define PROV_R_INVALID_PUBINFO                           198
 # define PROV_R_INVALID_RSA_KEY                           217
 # define PROV_R_INVALID_SALT_LENGTH                       112
 # define PROV_R_INVALID_SEED_LENGTH                       154
@@ -112,6 +113,7 @@ int err_load_PROV_strings_int(void);
 # define PROV_R_INVALID_STATE                             212
 # define PROV_R_INVALID_TAG                               110
 # define PROV_R_INVALID_TAGLEN                            118
+# define PROV_R_INVALID_UKM_LENGTH                        200
 # define PROV_R_INVALID_X931_DIGEST                       170
 # define PROV_R_IN_ERROR_STATE                            192
 # define PROV_R_KEY_SIZE_TOO_SMALL                        171

providers/common/provider_err.c

@@ -104,6 +104,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
     "invalid padding mode"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PSS_SALTLEN),
     "invalid pss saltlen"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_PUBINFO), "invalid pubinfo"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_RSA_KEY), "invalid rsa key"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_SALT_LENGTH),
     "invalid salt length"},
@@ -114,6 +115,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_STATE), "invalid state"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAG), "invalid tag"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_TAGLEN), "invalid taglen"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_UKM_LENGTH),
+    "invalid ukm length"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_X931_DIGEST),
     "invalid x931 digest"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_IN_ERROR_STATE), "in error state"},

providers/defltprov.c

@@ -331,12 +331,10 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
     { "PBKDF2", "provider=default", ossl_kdf_pbkdf2_functions },
     { "PKCS12KDF", "provider=default", ossl_kdf_pkcs12_functions },
     { "SSHKDF", "provider=default", ossl_kdf_sshkdf_functions },
-    { "X963KDF", "provider=default", ossl_kdf_x963_kdf_functions },
+    { "X963KDF:X942KDF-CONCAT", "provider=default", ossl_kdf_x963_kdf_functions },
     { "TLS1-PRF", "provider=default", ossl_kdf_tls1_prf_functions },
     { "KBKDF", "provider=default", ossl_kdf_kbkdf_functions },
-#ifndef OPENSSL_NO_CMS
-    { "X942KDF", "provider=default", ossl_kdf_x942_kdf_functions },
-#endif
+    { "X942KDF-ASN1:X942KDF", "provider=default", ossl_kdf_x942_kdf_functions },
 #ifndef OPENSSL_NO_SCRYPT
     { "SCRYPT:id-scrypt", "provider=default", ossl_kdf_scrypt_functions },
 #endif

providers/fips/fipsprov.c

@@ -328,7 +328,10 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { "SSKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_sskdf_functions },
     { "PBKDF2", FIPS_DEFAULT_PROPERTIES, ossl_kdf_pbkdf2_functions },
     { "SSHKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
-    { "X963KDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_x963_kdf_functions },
+    { "X963KDF:X942KDF-CONCAT", FIPS_DEFAULT_PROPERTIES,
+      ossl_kdf_x963_kdf_functions },
+    { "X942KDF-ASN1:X942KDF", FIPS_DEFAULT_PROPERTIES,
+      ossl_kdf_x942_kdf_functions },
     { "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
     { "KBKDF", FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
     { NULL, NULL, NULL }

providers/implementations/exchange/dh_exch.c

@@ -297,7 +297,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
 
         if (name[0] == '\0')
             pdhctx->kdf_type = PROV_DH_KDF_NONE;
-        else if (strcmp(name, OSSL_KDF_NAME_X942KDF) == 0)
+        else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
             pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
         else
             return 0;
@@ -421,7 +421,7 @@ static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
                 kdf_type = "";
                 break;
             case PROV_DH_KDF_X9_42_ASN1:
-                kdf_type = OSSL_KDF_NAME_X942KDF;
+                kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
                 break;
             default:
                 return 0;

providers/implementations/include/prov/implementations.h

@@ -260,9 +260,7 @@ extern const OSSL_DISPATCH ossl_kdf_sshkdf_functions[];
 extern const OSSL_DISPATCH ossl_kdf_sskdf_functions[];
 extern const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[];
 extern const OSSL_DISPATCH ossl_kdf_kbkdf_functions[];
-#ifndef OPENSSL_NO_CMS
 extern const OSSL_DISPATCH ossl_kdf_x942_kdf_functions[];
-#endif
 extern const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[];
 
 /* RNGs */

providers/implementations/kdfs/x942kdf.c

@@ -39,11 +39,12 @@ typedef struct {
     PROV_DIGEST digest;
     unsigned char *secret;
     size_t secret_len;
-    unsigned char *ukm;
-    size_t ukm_len;
+    unsigned char *partyuinfo, *partyvinfo, *supp_pubinfo, *supp_privinfo;
+    size_t partyuinfo_len, partyvinfo_len, supp_pubinfo_len, supp_privinfo_len;
     size_t dkm_len;
     const unsigned char *cek_oid;
     size_t cek_oid_len;
+    int use_keybits;
 } KDF_X942;
 
 /*
@@ -109,14 +110,23 @@ static int DER_w_keyinfo(WPACKET *pkt,
 
 static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen,
                                  const unsigned char *der_oid, size_t der_oidlen,
-                                 const unsigned char *ukm, size_t ukmlen,
+                                 const unsigned char *partyu, size_t partyulen,
+                                 const unsigned char *partyv, size_t partyvlen,
+                                 const unsigned char *supp_pub, size_t supp_publen,
+                                 const unsigned char *supp_priv, size_t supp_privlen,
                                  uint32_t keylen_bits, unsigned char **pcounter)
 {
     return (buf != NULL ? WPACKET_init_der(pkt, buf, buflen) :
                           WPACKET_init_null_der(pkt))
            && ossl_DER_w_begin_sequence(pkt, -1)
-           && ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits)
-           && (ukm == NULL || ossl_DER_w_octet_string(pkt, 0, ukm, ukmlen))
+           && (supp_priv == NULL
+               || ossl_DER_w_octet_string(pkt, 3, supp_priv, supp_privlen))
+           && (supp_pub == NULL
+               || ossl_DER_w_octet_string(pkt, 2, supp_pub, supp_publen))
+           && (keylen_bits == 0
+               || ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits))
+           && (partyv == NULL || ossl_DER_w_octet_string(pkt, 1, partyv, partyvlen))
+           && (partyu == NULL || ossl_DER_w_octet_string(pkt, 0, partyu, partyulen))
            && DER_w_keyinfo(pkt, der_oid, der_oidlen, pcounter)
            && ossl_DER_w_end_sequence(pkt, -1)
            && WPACKET_finish(pkt);
@@ -125,28 +135,48 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen
 /*
  * Encode the other info structure.
  *
- *  RFC2631 Section 2.1.2 Contains the following definition for otherinfo
+ * The ANS X9.42-2003 standard uses OtherInfo:
  *
  *  OtherInfo ::= SEQUENCE {
  *      keyInfo KeySpecificInfo,
- *      partyAInfo [0] OCTET STRING OPTIONAL,
- *      suppPubInfo [2] OCTET STRING
+ *      partyUInfo [0] OCTET STRING OPTIONAL,
+ *      partyVInfo [1] OCTET STRING OPTIONAL,
+ *      suppPubInfo [2] OCTET STRING OPTIONAL,
+ *      suppPrivInfo [3] OCTET STRING OPTIONAL
  *  }
- *  Note suppPubInfo is the key length (in bits) (stored into 4 bytes)
- *
  *
  *  KeySpecificInfo ::= SEQUENCE {
  *      algorithm OBJECT IDENTIFIER,
  *      counter OCTET STRING SIZE (4..4)
  *  }
+ *
+ *  RFC2631 Section 2.1.2 Contains the following definition for OtherInfo
+ *
+ *  OtherInfo ::= SEQUENCE {
+ *      keyInfo KeySpecificInfo,
+ *      partyAInfo [0] OCTET STRING OPTIONAL,
+ *      suppPubInfo [2] OCTET STRING
+ *  }
+ *  Where suppPubInfo is the key length (in bits) (stored into 4 bytes)
+ *
+}
  *
  * |keylen| is the length (in bytes) of the generated KEK. It is stored into
- * suppPubInfo (in bits).
+ * suppPubInfo (in bits). It is ignored if the value is 0.
  * |cek_oid| The oid of the key wrapping algorithm.
  * |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid,
- * |ukm| is the optional user keying material that is stored into partyAInfo. It
+ * |partyu| is the optional public info contributed by the initiator. It
+ * can be NULL. (It is also used as the ukm by CMS).
+ * |partyu_len| is the |partyu| length (in bytes).
+ * |partyv| is the optional public info contributed by the responder. It
  * can be NULL.
- * |ukmlen| is the user keying material length (in bytes).
+ * |partyv_len| is the |partyv| length (in bytes).
+ * |supp_pub| is the optional additional, mutually-known public information. It
+ * can be NULL. |keylen| should be 0 if this is not NULL.
+ * |supp_pub_len| is the |supp_pub| length (in bytes).
+ * |supp_priv| is the optional additional, mutually-known private information. It
+ * can be NULL.
+ * |supp_priv_len| is the |supp_priv| length (in bytes).
  * |der| is the returned encoded data. It must be freed by the caller.
  * |der_len| is the returned size of the encoded data.
  * |out_ctr| returns a pointer to the counter data which is embedded inside the
@@ -155,11 +185,15 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen
  * Returns: 1 if successfully encoded, or 0 otherwise.
  * Assumptions: |der|, |der_len| & |out_ctr| are not NULL.
  */
-static int x942_encode_otherinfo(size_t keylen,
-                                 const unsigned char *cek_oid, size_t cek_oidlen,
-                                 const unsigned char *ukm, size_t ukmlen,
-                                 unsigned char **der, size_t *der_len,
-                                 unsigned char **out_ctr)
+static int
+x942_encode_otherinfo(size_t keylen,
+                      const unsigned char *cek_oid, size_t cek_oidlen,
+                      const unsigned char *partyu, size_t partyu_len,
+                      const unsigned char *partyv, size_t partyv_len,
+                      const unsigned char *supp_pub, size_t supp_pub_len,
+                      const unsigned char *supp_priv, size_t supp_priv_len,
+                      unsigned char **der, size_t *der_len,
+                      unsigned char **out_ctr)
 {
     int ret = 0;
     unsigned char *pcounter = NULL, *der_buf = NULL;
@@ -173,7 +207,9 @@ static int x942_encode_otherinfo(size_t keylen,
     keylen_bits = 8 * keylen;
 
     /* Calculate the size of the buffer */
-    if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen, ukm, ukmlen,
+    if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oidlen,
+                               partyu, partyu_len, partyv, partyv_len,
+                               supp_pub, supp_pub_len, supp_priv, supp_priv_len,
                                keylen_bits, NULL)
         || !WPACKET_get_total_written(&pkt, &der_buflen))
         goto err;
@@ -184,7 +220,9 @@ static int x942_encode_otherinfo(size_t keylen,
         goto err;
     /* Encode into the buffer */
     if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oidlen,
-                               ukm, ukmlen, keylen_bits, &pcounter))
+                               partyu, partyu_len, partyv, partyv_len,
+                               supp_pub, supp_pub_len, supp_priv, supp_priv_len,
+                               keylen_bits, &pcounter))
         goto err;
     /*
      * Since we allocated the exact size required, the buffer should point to the
@@ -287,6 +325,7 @@ static void *x942kdf_new(void *provctx)
     if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
     ctx->provctx = provctx;
+    ctx->use_keybits = 1;
     return ctx;
 }
 
@@ -297,9 +336,13 @@ static void x942kdf_reset(void *vctx)
 
     ossl_prov_digest_reset(&ctx->digest);
     OPENSSL_clear_free(ctx->secret, ctx->secret_len);
-    OPENSSL_clear_free(ctx->ukm, ctx->ukm_len);
+    OPENSSL_clear_free(ctx->partyuinfo, ctx->partyuinfo_len);
+    OPENSSL_clear_free(ctx->partyvinfo, ctx->partyvinfo_len);
+    OPENSSL_clear_free(ctx->supp_pubinfo, ctx->supp_pubinfo_len);
+    OPENSSL_clear_free(ctx->supp_privinfo, ctx->supp_privinfo_len);
     memset(ctx, 0, sizeof(*ctx));
     ctx->provctx = provctx;
+    ctx->use_keybits = 1;
 }
 
 static void x942kdf_free(void *vctx)
@@ -348,6 +391,15 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen)
     if (!ossl_prov_is_running())
         return 0;
 
+    /*
+     * These 2 options encode to the same field so only one of them should be
+     * active at once.
+     */
+    if (ctx->use_keybits && ctx->supp_pubinfo != NULL) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PUBINFO);
+        return 0;
+    }
+
     if (ctx->secret == NULL) {
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
         return 0;
@@ -361,18 +413,21 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen)
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CEK_ALG);
         return 0;
     }
-    if (ctx->ukm != NULL && ctx->ukm_len >= X942KDF_MAX_INLEN) {
+    if (ctx->partyuinfo != NULL && ctx->partyuinfo_len >= X942KDF_MAX_INLEN) {
         /*
-         * Note the ukm length MUST be 512 bits.
+         * Note the ukm length MUST be 512 bits if it is used.
          * For backwards compatibility the old check is being done.
          */
-        ERR_raise(ERR_LIB_PROV, PROV_R_INAVLID_UKM_LENGTH);
+        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_UKM_LENGTH);
         return 0;
     }
     /* generate the otherinfo der */
-    if (!x942_encode_otherinfo(ctx->dkm_len,
+    if (!x942_encode_otherinfo(ctx->use_keybits ? ctx->dkm_len : 0,
                                ctx->cek_oid, ctx->cek_oid_len,
-                               ctx->ukm, ctx->ukm_len,
+                               ctx->partyuinfo, ctx->partyuinfo_len,
+                               ctx->partyvinfo, ctx->partyvinfo_len,
+                               ctx->supp_pubinfo, ctx->supp_pubinfo_len,
+                               ctx->supp_privinfo, ctx->supp_privinfo_len,
                                &der, &der_len, &ctr)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
         return 0;
@@ -394,16 +449,42 @@ static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
         return 0;
 
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL
-        || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
-        if (!x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
-            return 0;
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET);
+    if (p == NULL)
+        p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY);
+    if (p != NULL && !x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYUINFO);
+    if (p == NULL)
+        p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM);
+    if (p != NULL
+        && !x942kdf_set_buffer(&ctx->partyuinfo, &ctx->partyuinfo_len, p))
+        return 0;
 
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM)) != NULL)
-        if (!x942kdf_set_buffer(&ctx->ukm, &ctx->ukm_len, p))
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYVINFO);
+    if (p != NULL
+        && !x942kdf_set_buffer(&ctx->partyvinfo, &ctx->partyvinfo_len, p))
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_USE_KEYBITS);
+    if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_keybits))
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PUBINFO);
+    if (p != NULL) {
+        if (!x942kdf_set_buffer(&ctx->supp_pubinfo, &ctx->supp_pubinfo_len, p))
             return 0;
+        ctx->use_keybits = 0;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PRIVINFO);
+    if (p != NULL
+        && !x942kdf_set_buffer(&ctx->supp_privinfo, &ctx->supp_privinfo_len, p))
+        return 0;
 
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG)) != NULL) {
+    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
+    if (p != NULL) {
         if (p->data_type != OSSL_PARAM_UTF8_STRING)
             return 0;
         pq = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_PROPERTIES);
@@ -430,6 +511,11 @@ static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *provctx)
         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_UKM, NULL, 0),
+        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYUINFO, NULL, 0),
+        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYVINFO, NULL, 0),
+        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PUBINFO, NULL, 0),
+        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PRIVINFO, NULL, 0),
+        OSSL_PARAM_int(OSSL_KDF_PARAM_X942_USE_KEYBITS, NULL),
         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
         OSSL_PARAM_END
     };

test/evp_kdf_test.c

@@ -1324,7 +1324,7 @@ static int test_kdf_x942_asn1(void)
     *p = OSSL_PARAM_construct_end();
 
     ret =
-        TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF))
+        TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_X942KDF_ASN1))
         && TEST_true(EVP_KDF_CTX_set_params(kctx, params))
         && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
         && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));

test/evp_test.c

@@ -2424,11 +2424,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx,
             t->skip = 1;
         }
     }
-    if (p != NULL && strcmp(name, "cipher") == 0) {
-        if (is_cipher_disabled(p)) {
-            TEST_info("skipping, '%s' is disabled", p);
-            t->skip = 1;
-        }
+    if (p != NULL
+        && (strcmp(name, "cipher") == 0
+            || strcmp(name, "cekalg") == 0)
+        && is_cipher_disabled(p)) {
+        TEST_info("skipping, '%s' is disabled", p);
+        t->skip = 1;
     }
     OPENSSL_free(name);
     return 1;
@@ -3709,10 +3710,6 @@ static int is_kdf_disabled(const char *name)
     if (STR_ENDS_WITH(name, "SCRYPT"))
         return 1;
 #endif
-#ifdef OPENSSL_NO_CMS
-    if (strcasecmp(name, "X942KDF") == 0)
-        return 1;
-#endif /* OPENSSL_NO_CMS */
     return 0;
 }
 
@@ -3745,6 +3742,8 @@ static int is_cipher_disabled(const char *name)
 #ifdef OPENSSL_NO_DES
     if (STR_STARTS_WITH(name, "DES"))
         return 1;
+    if (STR_ENDS_WITH(name, "3DESwrap"))
+        return 1;
 #endif
 #ifdef OPENSSL_NO_OCB
     if (STR_ENDS_WITH(name, "OCB"))

test/recipes/30-test_evp.t

@@ -48,6 +48,7 @@ my @files = qw(
                 evpkdf_ss.txt
                 evpkdf_ssh.txt
                 evpkdf_tls12_prf.txt
+                evpkdf_x942.txt
                 evpkdf_x963.txt
                 evpmac_common.txt
                 evpmd_sha.txt
@@ -89,7 +90,6 @@ my @defltfiles = qw(
                      evpkdf_krb5.txt
                      evpkdf_scrypt.txt
                      evpkdf_tls11_prf.txt
-                     evpkdf_x942.txt
                      evpmac_blake.txt
                      evpmac_poly1305.txt
                      evpmac_siphash.txt

test/recipes/30-test_evp_data/evpkdf_x942.txt

@@ -13,7 +13,8 @@
 
 Title = X9.42 KDF tests (from RFC2631 test vectors)
 
-KDF = X942KDF
+Availablein = default
+KDF = X942KDF-ASN1
 Ctrl.digest = digest:SHA1
 Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
 Ctrl.cekalg = cekalg:id-smime-alg-CMS3DESwrap
@@ -29,7 +30,56 @@ Output = d6d6b094c1027a7de6e3117294a35364
 
 KDF = X942KDF
 Ctrl.digest = digest:SHA1
-Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.hexkey = hexkey:000102030405060708090a0b0c0d0e0f10111213
 Ctrl.cekalg = cekalg:id-aes256-wrap
 Ctrl.hexukm = hexukm:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
 Output = 8890585C4E281A5C1167CAA530BED59B3230D893CBA8F922BD1B56A0
+
+Title = X9.42 KDF tests (generated tests to test different options)
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Output = 8890585C4E281A5C1167CAA530BED59B3230D893CBA8F922BD1B56A0
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Ctrl.use-keybits = use-keybits:0
+Output = 54bd5dbc1fa4c42c951f6fa51ec59e202b8c622bdb179fb2dd691ffb
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyv-info = hexpartyv-info:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Ctrl.use-keybits = use-keybits:0
+Output = 76d566e948ca9ae61bcd4ce076f0bd5fe6789b5b0f288977235ecb12
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Output = ff368c7addb27d7599f8d49bc8d7fbf804540f119491ea419792c82c
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexsupp-privinfo = hexsupp-privinfo:0123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba98765432010123456789abcdeffedcba9876543201
+Output = 6b68b7affe5efc15e77df56e3dd639b22aa39f12eb0685b33fb39c57
+
+KDF = X942KDF
+Ctrl.digest = digest:SHA1
+Ctrl.hexsecret = hexsecret:000102030405060708090a0b0c0d0e0f10111213
+Ctrl.cekalg = cekalg:id-aes256-wrap
+Ctrl.hexpartyu-info = hexpartyu-info:0123456789abcdef
+Ctrl.hexpartyv-info = hexpartyv-info:fedcba9876543210
+Ctrl.hexsupp-pubinfo = hexsupp-pubinfo:12345678
+Ctrl.hexsupp-privinfo = hexsupp-privinfo:87654321
+Output = 2c5c1f028c6d1fc9ba752e41fdb9edb2ea936f1b2449f214acd56d31

test/recipes/30-test_evp_data/evpkdf_x963.txt

@@ -105,7 +105,7 @@ Ctrl.hexsecret = hexsecret:0096172bf47d06d544ae98471490cf9e52ee59ea7a2208b33b26c
 Ctrl.hexinfo = hexinfo:cf3a74ba86af42f1ae85477ead645583
 Output = 995d1ab8557dfeafcb347f8182583fa0ac5e6cb3912393592590989f38a0214f6cf7d6fbe23917b0966c6a870876de2a2c13a45fa7aa1715be137ed332e1ffc204ce4dcce33ece6dec7f3da61fa049780040e44142cc8a1e5121cf56b386f65b7c261a192f05e5fefae4221a602bc51c41ef175dc45fb7eab8642421b4f7e3e7
 
-KDF = X963KDF
+KDF = X942KDF-CONCAT
 Ctrl.digest = digest:SHA512
 Ctrl.hexsecret = hexsecret:0037cd001a0ad87f35ddf58ab355d6144ba2ed0749a7435dab548ba0bfbe723c047e2396b4eef99653412a92c8db74bb5c03063f2eb0525ae87356750ae3676faa86
 Ctrl.hexinfo = hexinfo:eb17da8851c41c7ac6710b1c49f324f8