src/openssl.c: Add kdf.derive

daurnimator · daurnimator · commit 8eaf1a460901 · 2019-02-14T16:08:37.000+11:00
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
@@ -1457,6 +1457,37 @@ \section{Modules}
 \end{Module}
 
 
+\begin{Module}{openssl.kdf}
+
+Binds OpenSSL's Key Derivation Function interfaces.
+
+\subsubsection[\fn{kdf.derive}]{\fn{kdf.derive($options$)}}
+
+Derive a key given the table of $options$, different KDF types require different options. Accepted options are:
+
+\begin{ctabular}{ c | c | p{5in}}
+field & type & description\\\hline
+.type & string & key derivation algorithm---``PBKDF2'', ``id-scrypt'', ``hkdf'', ``TLS-PRF1'' or other depending on your version of OpenSSL \\
+.outlen & number & the desired output size \\
+.pass & string & password \\
+.salt & string & salt \\
+.iter & number & iteration count \\
+.md & string & digest to use \\
+.key & string & key \\
+.maxmem\_bytes & number & amount of RAM key derivation may maximally use (in bytes) \\
+.secret & string & TLS1-PRF secret \\
+.seed & string & TLS1-PRF seed \\
+.hkdf\_mode & string & the HKDF mode to use, one of ``extract\_and\_expand'', ``extract\_only'' or ``expand\_only'' \\
+.info & string & HKDF info value \\
+.N & number & scrypt ``N'' parameter to use \\
+.r & number & scrypt ``r'' parameter to use \\
+.p & number & scrypt ``p'' parameter to use
+\end{ctabular}
+
+
+\end{Module}
+
+
 \chapter{Examples}
 
 These examples and others are made available under examples/ in the source tree.
diff --git a/regress/95-kdf.lua b/regress/95-kdf.lua
@@ -0,0 +1,45 @@
+#!/usr/bin/env lua
+
+local regress = require "regress"
+local kdf = require "openssl.kdf"
+
+local function hexstring(str)
+	return (str:gsub("..", function(b) return string.char(tonumber(b, 16)) end))
+end
+
+-- Scrypt Example
+regress.check(kdf.derive{
+	type = "id-scrypt"; -- the nid short-name is id-scrypt
+	pass = "";
+	salt = "";
+	N = 16;
+	r = 1;
+	p = 1;
+	outlen = 64;
+} == hexstring"77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906",
+	"scrypt output doesn't match test vector")
+
+-- PBKDF2 Example
+regress.check(kdf.derive{
+	type = "PBKDF2";
+	pass = "password";
+	salt = "salt";
+	iter = 1;
+	md = "sha1";
+	outlen = 20;
+} == hexstring"0c60c80f961f0e71f3a9b524af6012062fe037a6",
+	"PBKDF2 output doesn't match test vector")
+
+-- TLS1-PRF Example
+regress.check(kdf.derive{
+	type = "TLS1-PRF";
+	md = "md5-sha1";
+	secret = hexstring"bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0";
+	seed = "master secret"
+		.. hexstring"e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693"
+		.. hexstring"135e4d557fdf3aa6406d82975d5c606a9734c9334b42136e96990fbd5358cdb2";
+	outlen = 48;
+} == hexstring"2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62",
+	"TLS1-PRF output doesn't match test vector")
+
+regress.say "OK"
diff --git a/regress/regress.lua b/regress/regress.lua
@@ -3,6 +3,7 @@ local require = require -- may be overloaded by regress.require
 local regress = {
 	openssl = require"openssl",
 	bignum = require"openssl.bignum",
+	kdf = require"openssl.kdf",
 	pkey = require"openssl.pkey",
 	x509 = require"openssl.x509",
 	name = require"openssl.x509.name",
diff --git a/src/GNUmakefile b/src/GNUmakefile
@@ -80,6 +80,7 @@ MODS$(1)_$(d) = \
 	$$(DESTDIR)$(3)/openssl.lua \
 	$$(DESTDIR)$(3)/openssl/auxlib.lua \
 	$$(DESTDIR)$(3)/openssl/bignum.lua \
+	$$(DESTDIR)$(3)/openssl/kdf.lua \
 	$$(DESTDIR)$(3)/openssl/ocsp/basic.lua \
 	$$(DESTDIR)$(3)/openssl/ocsp/response.lua \
 	$$(DESTDIR)$(3)/openssl/pkey.lua \
diff --git a/src/openssl.c b/src/openssl.c
diff --git a/src/openssl.kdf.lua b/src/openssl.kdf.lua
