MDEV-31474 KDF() function

KDF(key_str, salt [, {info | iterations} [, kdf_name [, width ]]]) kdf_name is "hkdf" or "pbkdf2_hmac" (default). width (in bits) can be any number divisible by 8, by default it's taken from @@block_encryption_mode iterations must be positive, and is 1000 by default OpenSSL 1.0 doesn't support HKDF, so it'll return NULL. This OpenSSL version is still used in SLES 12 and CentOS 7
2025-08-08 11:22:35 +03:00 · 2023-06-19 16:20:21 +02:00
parent 03c68f402f
commit 4f9396b9f8
10 changed files with 481 additions and 0 deletions
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -60,6 +60,7 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
  SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
  SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
  SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
+  SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY API")
  CHANGE_SSL_SETTINGS("bundled")
  ADD_SUBDIRECTORY(extra/wolfssl)
  MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
@@ -158,6 +159,8 @@ MACRO (MYSQL_CHECK_SSL)
                          HAVE_EncryptAes128Gcm)
      CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
                          HAVE_X509_check_host)
+      CHECK_SYMBOL_EXISTS(EVP_PKEY_CTX_set_hkdf_md "string.h;stdarg.h;openssl/kdf.h"
+                          HAVE_hkdf)
      SET(CMAKE_REQUIRED_INCLUDES)
      SET(CMAKE_REQUIRED_LIBRARIES)
      SET(CMAKE_REQUIRED_DEFINITIONS)
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -499,6 +499,7 @@
 #cmakedefine HAVE_COMPRESS 1
 #cmakedefine HAVE_EncryptAes128Ctr 1
 #cmakedefine HAVE_EncryptAes128Gcm 1
+#cmakedefine HAVE_hkdf 1

 /*
  Stuff that always need to be defined (compile breaks without it)
--- a/mysql-test/main/func_kdf,old.rdiff
+++ b/mysql-test/main/func_kdf,old.rdiff
@@ -0,0 +1,64 @@
+--- main/func_kdf.result
+++ main/func_kdf.reject
+@@ -21,10 +21,14 @@
+ 48565B49B42FBF88537AFA1D4C0FA2C6
+ select hex(kdf('foo', 'bar', 'info', 'hkdf'));
+ hex(kdf('foo', 'bar', 'info', 'hkdf'))
+-710583081D40A55F0B573A76E02D8975
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select hex(kdf('foo', 'bar', 'infa', 'hkdf'));
+ hex(kdf('foo', 'bar', 'infa', 'hkdf'))
+-612875F859CFB4EE0DFEFF9F2A18E836
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select hex(kdf('foo', 'bar', 'info', 'pbkdf2_hmac'));
+ hex(kdf('foo', 'bar', 'info', 'pbkdf2_hmac'))
+ NULL
+@@ -55,7 +59,9 @@
+ NULL
+ select hex(kdf('foo', 'bar', NULL, 'hkdf'));
+ hex(kdf('foo', 'bar', NULL, 'hkdf'))
+-4AFD0088E56CAF7CB5C94F6C101D58D5
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select hex(kdf('foo', 'bar', NULL, 'pbkdf2_hmac'));
+ hex(kdf('foo', 'bar', NULL, 'pbkdf2_hmac'))
+ NULL
+@@ -81,10 +87,14 @@
+ set @@block_encryption_mode='aes-192-cbc';
+ select hex(kdf('foo', 'bar', 'info', 'hkdf'));
+ hex(kdf('foo', 'bar', 'info', 'hkdf'))
+-710583081D40A55F0B573A76E02D8975AA11A4595954C0A1
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select hex(kdf('foo', 'bar', 'info', 'hkdf', 256));
+ hex(kdf('foo', 'bar', 'info', 'hkdf', 256))
+-710583081D40A55F0B573A76E02D8975AA11A4595954C0A1487D6D33ABAB93C3
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac'));
+ hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac'))
+ 430D4780B57254EF39EE13CE53DB381A552151AA62A9FA92
+@@ -110,10 +120,14 @@
+ Warning	3047	Invalid argument error: 0 in function kdf.
+ select length(kdf('foo', 'bar', 'info', 'hkdf', 32768));
+ length(kdf('foo', 'bar', 'info', 'hkdf', 32768))
+-4096
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select length(kdf('foo', 'bar', 'info', 'hkdf', 65536));
+ length(kdf('foo', 'bar', 'info', 'hkdf', 65536))
+-8192
+NULL
+Warnings:
+Warning	1235	This version of MariaDB doesn't yet support 'kdf(..., 'hkdf')'
+ select length(kdf('foo', 'bar', 'info', 'hkdf', 65537));
+ length(kdf('foo', 'bar', 'info', 'hkdf', 65537))
+ NULL
--- a/mysql-test/main/func_kdf.combinations
+++ b/mysql-test/main/func_kdf.combinations
@@ -0,0 +1,4 @@
+[new]
+
+[old]
+# remove when no longer building with OpenSSL 1.0
--- a/mysql-test/main/func_kdf.result
+++ b/mysql-test/main/func_kdf.result
@@ -0,0 +1,158 @@
+#
+# MDEV-31474 KDF() function
+#
+select hex(kdf('foo', 'bar'));
+hex(kdf('foo', 'bar'))
+76BA6DEC5C3F6A60704D730A2A4BAA1C
+select hex(kdf('foo', 'bar'));
+hex(kdf('foo', 'bar'))
+76BA6DEC5C3F6A60704D730A2A4BAA1C
+select hex(kdf('faa', 'bar'));
+hex(kdf('faa', 'bar'))
+62A8C6FD3E6FDA7ECE6D37CF1C95E3CC
+select hex(kdf('foo', 'bor'));
+hex(kdf('foo', 'bor'))
+F0FE3B0884C9733A520EC8C2EE711137
+select hex(kdf('foo', 'bar', 10));
+hex(kdf('foo', 'bar', 10))
+1D25A9E01C2078FF10DECEC874B3F21E
+select hex(kdf('foo', 'bar', 11));
+hex(kdf('foo', 'bar', 11))
+48565B49B42FBF88537AFA1D4C0FA2C6
+select hex(kdf('foo', 'bar', 'info', 'hkdf'));
+hex(kdf('foo', 'bar', 'info', 'hkdf'))
+710583081D40A55F0B573A76E02D8975
+select hex(kdf('foo', 'bar', 'infa', 'hkdf'));
+hex(kdf('foo', 'bar', 'infa', 'hkdf'))
+612875F859CFB4EE0DFEFF9F2A18E836
+select hex(kdf('foo', 'bar', 'info', 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar', 'info', 'pbkdf2_hmac'))
+NULL
+Warnings:
+Warning	1292	Truncated incorrect INTEGER value: 'info'
+Warning	3047	Invalid argument error: 0 in function kdf.
+select hex(kdf('foo', 'bar', -1, 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar', -1, 'pbkdf2_hmac'))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: -1 in function kdf.
+select hex(kdf('foo', 'bar',  0, 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar',  0, 'pbkdf2_hmac'))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 0 in function kdf.
+select hex(kdf('foo', 'bar',  1, 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar',  1, 'pbkdf2_hmac'))
+DB658012DC3E52AEC1F4933C280B6E10
+select hex(kdf('foo', 'bar', 10, 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar', 10, 'pbkdf2_hmac'))
+1D25A9E01C2078FF10DECEC874B3F21E
+select hex(kdf(NULL, 'bar'));
+hex(kdf(NULL, 'bar'))
+NULL
+select hex(kdf('foo', NULL));
+hex(kdf('foo', NULL))
+NULL
+select hex(kdf('foo', 'bar', NULL, 'hkdf'));
+hex(kdf('foo', 'bar', NULL, 'hkdf'))
+4AFD0088E56CAF7CB5C94F6C101D58D5
+select hex(kdf('foo', 'bar', NULL, 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar', NULL, 'pbkdf2_hmac'))
+NULL
+select hex(kdf('foo', 'bar', 2000, NULL));
+hex(kdf('foo', 'bar', 2000, NULL))
+NULL
+select hex(kdf('foo', 'bar', 2000, 'foo'));
+hex(kdf('foo', 'bar', 2000, 'foo'))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 'foo' in function kdf.
+select hex(kdf('foo', 'bar', 2000, '\n\n\n\0!!!'));
+hex(kdf('foo', 'bar', 2000, '\n\n\n\0!!!'))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: '
+
+
+\0000!!!' in function kdf.
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', NULL));
+hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', NULL))
+NULL
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', -8));
+hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', -8))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: -8 in function kdf.
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', 10));
+hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', 10))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 10 in function kdf.
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', 16));
+hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', 16))
+76BA
+set @@block_encryption_mode='aes-192-cbc';
+select hex(kdf('foo', 'bar', 'info', 'hkdf'));
+hex(kdf('foo', 'bar', 'info', 'hkdf'))
+710583081D40A55F0B573A76E02D8975AA11A4595954C0A1
+select hex(kdf('foo', 'bar', 'info', 'hkdf', 256));
+hex(kdf('foo', 'bar', 'info', 'hkdf', 256))
+710583081D40A55F0B573A76E02D8975AA11A4595954C0A1487D6D33ABAB93C3
+select hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac'));
+hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac'))
+430D4780B57254EF39EE13CE53DB381A552151AA62A9FA92
+select hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac', 256));
+hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac', 256))
+430D4780B57254EF39EE13CE53DB381A552151AA62A9FA922B9949DF270AE10C
+set @key=kdf('password', 'salt', 2048);
+select hex(aes_encrypt('secret', @key, '1234123412341234'));
+hex(aes_encrypt('secret', @key, '1234123412341234'))
+9EED553CDDEE426D5635EF559E015ECA
+select aes_decrypt(x'9EED553CDDEE426D5635EF559E015ECA', @key, '1234123412341234');
+aes_decrypt(x'9EED553CDDEE426D5635EF559E015ECA', @key, '1234123412341234')
+secret
+select length(kdf('foo', 'bar', 'info', 'hkdf', -1));
+length(kdf('foo', 'bar', 'info', 'hkdf', -1))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: -1 in function kdf.
+select length(kdf('foo', 'bar', 'info', 'hkdf', 0));
+length(kdf('foo', 'bar', 'info', 'hkdf', 0))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 0 in function kdf.
+select length(kdf('foo', 'bar', 'info', 'hkdf', 32768));
+length(kdf('foo', 'bar', 'info', 'hkdf', 32768))
+4096
+select length(kdf('foo', 'bar', 'info', 'hkdf', 65536));
+length(kdf('foo', 'bar', 'info', 'hkdf', 65536))
+8192
+select length(kdf('foo', 'bar', 'info', 'hkdf', 65537));
+length(kdf('foo', 'bar', 'info', 'hkdf', 65537))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 65537 in function kdf.
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', -1));
+length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', -1))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: -1 in function kdf.
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 0));
+length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 0))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 0 in function kdf.
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 32768));
+length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 32768))
+4096
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 65536));
+length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 65536))
+8192
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 65537));
+length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 65537))
+NULL
+Warnings:
+Warning	3047	Invalid argument error: 65537 in function kdf.
+#
+# End of 11.3 tests
+#
--- a/mysql-test/main/func_kdf.test
+++ b/mysql-test/main/func_kdf.test
@@ -0,0 +1,57 @@
+--echo #
+--echo # MDEV-31474 KDF() function
+--echo #
+select hex(kdf('foo', 'bar'));
+select hex(kdf('foo', 'bar')); # same result every time
+select hex(kdf('faa', 'bar'));
+select hex(kdf('foo', 'bor'));
+
+select hex(kdf('foo', 'bar', 10));
+select hex(kdf('foo', 'bar', 11));
+
+select hex(kdf('foo', 'bar', 'info', 'hkdf'));
+select hex(kdf('foo', 'bar', 'infa', 'hkdf'));
+select hex(kdf('foo', 'bar', 'info', 'pbkdf2_hmac'));
+select hex(kdf('foo', 'bar', -1, 'pbkdf2_hmac'));
+select hex(kdf('foo', 'bar',  0, 'pbkdf2_hmac'));
+select hex(kdf('foo', 'bar',  1, 'pbkdf2_hmac'));
+select hex(kdf('foo', 'bar', 10, 'pbkdf2_hmac'));
+
+select hex(kdf(NULL, 'bar'));
+select hex(kdf('foo', NULL));
+select hex(kdf('foo', 'bar', NULL, 'hkdf'));
+select hex(kdf('foo', 'bar', NULL, 'pbkdf2_hmac'));
+select hex(kdf('foo', 'bar', 2000, NULL));
+select hex(kdf('foo', 'bar', 2000, 'foo'));
+select hex(kdf('foo', 'bar', 2000, '\n\n\n\0!!!'));
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', NULL));
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', -8));
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', 10));
+select hex(kdf('foo', 'bar', 1000, 'pbkdf2_hmac', 16));
+
+set @@block_encryption_mode='aes-192-cbc';
+select hex(kdf('foo', 'bar', 'info', 'hkdf'));
+select hex(kdf('foo', 'bar', 'info', 'hkdf', 256));
+select hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac'));
+select hex(kdf('foo', 'bar', 2000, 'pbkdf2_hmac', 256));
+
+set @key=kdf('password', 'salt', 2048);
+select hex(aes_encrypt('secret', @key, '1234123412341234'));
+select aes_decrypt(x'9EED553CDDEE426D5635EF559E015ECA', @key, '1234123412341234');
+
+select length(kdf('foo', 'bar', 'info', 'hkdf', -1));
+select length(kdf('foo', 'bar', 'info', 'hkdf', 0));
+select length(kdf('foo', 'bar', 'info', 'hkdf', 32768));
+select length(kdf('foo', 'bar', 'info', 'hkdf', 65536));
+select length(kdf('foo', 'bar', 'info', 'hkdf', 65537));
+
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', -1));
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 0));
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 32768));
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 65536));
+select length(kdf('foo', 'bar', 100, 'pbkdf2_hmac', 65537));
+
+--echo #
+--echo # End of 11.3 tests
+--echo #
+
--- a/mysql-test/suite.pm
+++ b/mysql-test/suite.pm
@@ -84,6 +84,8 @@ sub skip_combinations {
  $skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
    unless $ssl_lib =~ /WolfSSL/ or $openssl_ver ge "1.0.2";

+  $skip{'main/func_kdf.combinations'} = [ $ssl_lib =~ /OpenSSL 1\.0\./ ? 'new' : 'old' ];
+
  $skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
    unless $openssl_ver ge "1.0.2";

--- a/sql/item_create.cc
+++ b/sql/item_create.cc
@@ -155,6 +155,20 @@ protected:
 };


+class Create_func_kdf : public Create_native_func
+{
+public:
+  virtual Item *create_native(THD *thd, const LEX_CSTRING *name,
+                              List<Item> *item_list);
+
+  static Create_func_kdf s_singleton;
+
+protected:
+  Create_func_kdf() = default;
+  virtual ~Create_func_kdf() = default;
+};
+
+
 class Create_func_asin : public Create_func_arg1
 {
 public:
@@ -2986,6 +3000,32 @@ Create_func_aes_decrypt::create_native(THD *thd, const LEX_CSTRING *name,
 }


+Create_func_kdf Create_func_kdf::s_singleton;
+
+Item*
+Create_func_kdf::create_native(THD *thd, const LEX_CSTRING *name,
+                               List<Item> *item_list)
+{
+  uint arg_count= item_list->elements;
+  Item *a[5];
+  for (uint i=0; i < MY_MIN(array_elements(a), arg_count); i++)
+    a[i]= item_list->pop();
+  switch (arg_count)
+  {
+  case 2:
+    return new (thd->mem_root) Item_func_kdf(thd, a[0], a[1]);
+  case 3:
+    return new (thd->mem_root) Item_func_kdf(thd, a[0], a[1], a[2]);
+  case 4:
+    return new (thd->mem_root) Item_func_kdf(thd, a[0], a[1], a[2], a[3]);
+  case 5:
+    return new (thd->mem_root) Item_func_kdf(thd, a[0], a[1], a[2], a[3], a[4]);
+  }
+  my_error(ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT, MYF(0), name->str);
+  return NULL;
+}
+
+
 Create_func_asin Create_func_asin::s_singleton;

 Item*
@@ -5941,6 +5981,7 @@ const Native_func_registry func_array[] =
  { { STRING_WITH_LEN("JSON_UNQUOTE") }, BUILDER(Create_func_json_unquote)},
  { { STRING_WITH_LEN("JSON_VALID") }, BUILDER(Create_func_json_valid)},
  { { STRING_WITH_LEN("JSON_VALUE") }, BUILDER(Create_func_json_value)},
+  { { STRING_WITH_LEN("KDF") }, BUILDER(Create_func_kdf)},
  { { STRING_WITH_LEN("LAST_DAY") }, BUILDER(Create_func_last_day)},
  { { STRING_WITH_LEN("LAST_INSERT_ID") }, BUILDER(Create_func_last_insert_id)},
  { { STRING_WITH_LEN("LCASE") }, BUILDER(Create_func_lcase)},
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -56,6 +56,10 @@ C_MODE_END
 #include "sql_statistics.h"
 #include "strfunc.h"

+#ifdef HAVE_hkdf
+#include <openssl/kdf.h>
+#endif
+
 /* fmtlib include (https://fmt.dev/). */
 #define FMT_STATIC_THOUSANDS_SEPARATOR ','
 #define FMT_HEADER_ONLY 1
@@ -434,6 +438,122 @@ bool Item_func_aes_decrypt::fix_length_and_dec(THD *thd)
  return FALSE;
 }

+bool Item_func_kdf::fix_length_and_dec(THD *thd)
+{
+  if (arg_count > 4 && args[4]->const_item())
+  {
+    if (((key_length= (uint)args[4]->val_int()) % 8) || key_length > 65536)
+      key_length= 0;
+  }
+  else if (arg_count <= 4)
+    key_length= block_encryption_mode_to_key_length(thd->variables.block_encryption_mode);
+  else
+    key_length= 0;
+  key_length/= 8;
+  max_length= key_length ? key_length : 256/8;
+  set_maybe_null();
+  return FALSE;
+}
+
+static void invalid_argument_error(const char *func, const char *val)
+{
+  THD *thd= current_thd;
+  push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
+    ER_STD_INVALID_ARGUMENT, ER_THD(thd, ER_STD_INVALID_ARGUMENT),
+    val, func);
+}
+
+String *Item_func_kdf::val_str(String *buf)
+{
+  // KDF(key_str, salt [, {info | iterations} [, kdf_name [, width ]]])
+  DBUG_ASSERT(fixed());
+  StringBuffer<80> key_buf, salt_buf;
+  String *key= args[0]->val_str(&key_buf);
+  String *salt= args[1]->val_str(&salt_buf);
+  bool use_hkdf= false;
+  size_t klen= key_length;
+  bool ok= false;
+
+  if (!key || !salt)
+    goto ret_null;
+
+  if (arg_count > 3)
+  {
+    if (String *s= args[3]->val_str(buf))
+    {
+      if (strcasecmp(s->c_ptr(), "hkdf") == 0)
+        use_hkdf= true;
+      else if (strcasecmp(s->c_ptr(), "pbkdf2_hmac") != 0)
+      {
+        invalid_argument_error(func_name(), ErrConvStringQ(s).ptr());
+        goto ret_null;
+      }
+    }
+    else
+      goto ret_null;
+  }
+  if (!klen)
+  {
+    klen= args[4]->val_int();
+    if (!klen || klen % 8 || klen > 65536)
+    {
+      if (!args[4]->null_value)
+        invalid_argument_error(func_name(),
+          ErrConvInteger({(ssize_t)klen, args[4]->unsigned_flag}).ptr());
+      goto ret_null;
+    }
+    klen/= 8;
+  }
+  buf->reserve(klen);
+  buf->length(klen);
+
+  if (use_hkdf)
+  {
+#ifdef HAVE_hkdf
+    StringBuffer<80> info_buf;
+    String *info= arg_count > 2 ? args[2]->val_str(&info_buf) : 0;
+
+    EVP_PKEY_CTX *ctx= EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+    ok= EVP_PKEY_derive_init(ctx) > 0 &&
+        EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_sha512()) > 0 &&
+        EVP_PKEY_CTX_set1_hkdf_key(ctx, (const uchar*)key->ptr(), key->length()) > 0 &&
+        EVP_PKEY_CTX_set1_hkdf_salt(ctx, (const uchar*)salt->ptr(), salt->length()) > 0 &&
+        (!info || EVP_PKEY_CTX_add1_hkdf_info(ctx, (const uchar*)info->ptr(), info->length()) > 0) &&
+        EVP_PKEY_derive(ctx, (uchar*)buf->ptr(), &klen) > 0;
+
+    EVP_PKEY_CTX_free(ctx);
+#else
+    THD *thd= current_thd;
+    push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
+      ER_NOT_SUPPORTED_YET, ER_THD(thd, ER_NOT_SUPPORTED_YET),
+      "kdf(..., 'hkdf')");
+#endif
+  }
+  else
+  {
+    longlong iter= arg_count > 2 ? args[2]->val_int() : 1000;
+    if (iter <= 0)
+    {
+      if (!args[2]->null_value)
+        invalid_argument_error(func_name(),
+          ErrConvInteger({iter, args[2]->unsigned_flag}).ptr());
+    }
+    else
+      ok= PKCS5_PBKDF2_HMAC(key->ptr(), key->length(),
+                      (const uchar*)salt->ptr(), salt->length(), (int)iter,
+                      EVP_sha512(), (int)klen, (uchar*)buf->ptr());
+  }
+
+  if (ok)
+  {
+    null_value= 0;
+    return buf;
+  }
+
+ret_null:
+  null_value=1;
+  return 0;
+}

 bool Item_func_to_base64::fix_length_and_dec(THD *thd)
 {
--- a/sql/item_strfunc.h
+++ b/sql/item_strfunc.h
@@ -133,6 +133,8 @@ public:
   :Item_str_func(thd, a, b, c) { }
  Item_str_binary_checksum_func(THD *thd, Item *a, Item *b, Item *c, Item *d)
   :Item_str_func(thd, a, b, c, d) { }
+  Item_str_binary_checksum_func(THD *thd, Item *a, Item *b, Item *c, Item *d, Item *e)
+   :Item_str_func(thd, a, b, c, d, e) { }
  bool eq(const Item *item, bool binary_cmp) const
  {
    /*
@@ -295,6 +297,35 @@ public:
  { return get_item_copy<Item_func_aes_decrypt>(thd, this); }
 };

+class Item_func_kdf :public Item_str_binary_checksum_func
+{
+  uint key_length;
+public:
+  Item_func_kdf(THD *thd, Item *a, Item *b)
+   : Item_str_binary_checksum_func(thd, a, b) {}
+  Item_func_kdf(THD *thd, Item *a, Item *b, Item *c)
+   : Item_str_binary_checksum_func(thd, a, b, c) {}
+  Item_func_kdf(THD *thd, Item *a, Item *b, Item *c, Item *d)
+   : Item_str_binary_checksum_func(thd, a, b, c, d) {}
+  Item_func_kdf(THD *thd, Item *a, Item *b, Item *c, Item *d, Item *e)
+   : Item_str_binary_checksum_func(thd, a, b, c, d, e) {}
+  bool fix_length_and_dec(THD *thd) override;
+  String *val_str(String *) override;
+  bool check_vcol_func_processor(void *arg) override
+  {
+    if (arg_count > 4)
+      return FALSE;
+    return mark_unsupported_function(func_name(), "()", arg, VCOL_SESSION_FUNC);
+  }
+  LEX_CSTRING func_name_cstring() const override
+  {
+    static LEX_CSTRING name= {STRING_WITH_LEN("kdf") };
+    return name;
+  }
+  Item *get_copy(THD *thd) override
+  { return get_item_copy<Item_func_kdf>(thd, this); }
+};
+
 class Item_func_natural_sort_key : public Item_str_func
 {
 public: