1 /* 2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * HMAC low level APIs are deprecated for public use, but still ok for internal 12 * use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdlib.h> 17 #include <stdarg.h> 18 #include <string.h> 19 #include <openssl/hmac.h> 20 #include <openssl/evp.h> 21 #include <openssl/kdf.h> 22 #include <openssl/core_names.h> 23 #include <openssl/proverr.h> 24 #include "internal/cryptlib.h" 25 #include "internal/numbers.h" 26 #include "internal/packet.h" 27 #include "crypto/evp.h" 28 #include "prov/provider_ctx.h" 29 #include "prov/providercommon.h" 30 #include "prov/implementations.h" 31 #include "prov/provider_util.h" 32 #include "prov/securitycheck.h" 33 #include "internal/e_os.h" 34 #include "internal/params.h" 35 36 #define HKDF_MAXBUF 2048 37 #define HKDF_MAXINFO (32 * 1024) 38 39 static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new; 40 static OSSL_FUNC_kdf_dupctx_fn kdf_hkdf_dup; 41 static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free; 42 static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset; 43 static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive; 44 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; 45 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; 46 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; 47 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; 48 static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; 49 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; 50 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; 51 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_3_gettable_ctx_params; 52 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_3_get_ctx_params; 53 54 static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, 55 const unsigned char *salt, size_t salt_len, 56 const unsigned char *key, size_t key_len, 57 const unsigned char *info, size_t info_len, 58 unsigned char *okm, size_t okm_len); 59 static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, 60 const unsigned char *salt, size_t salt_len, 61 const unsigned char *ikm, size_t ikm_len, 62 unsigned char *prk, size_t prk_len); 63 static int HKDF_Expand(const EVP_MD *evp_md, 64 const unsigned char *prk, size_t prk_len, 65 const unsigned char *info, size_t info_len, 66 unsigned char *okm, size_t okm_len); 67 68 /* Settable context parameters that are common across HKDF and the TLS KDF */ 69 #define HKDF_COMMON_SETTABLES \ 70 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \ 71 OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \ 72 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \ 73 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \ 74 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \ 75 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0) 76 77 /* Gettable context parameters that are common across HKDF and the TLS KDF */ 78 #define HKDF_COMMON_GETTABLES \ 79 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), \ 80 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0) 81 82 typedef struct { 83 void *provctx; 84 int mode; 85 PROV_DIGEST digest; 86 unsigned char *salt; 87 size_t salt_len; 88 unsigned char *key; 89 size_t key_len; 90 unsigned char *prefix; 91 size_t prefix_len; 92 unsigned char *label; 93 size_t label_len; 94 unsigned char *data; 95 size_t data_len; 96 unsigned char *info; 97 size_t info_len; 98 OSSL_FIPS_IND_DECLARE 99 } KDF_HKDF; 100 101 static void *kdf_hkdf_new(void *provctx) 102 { 103 KDF_HKDF *ctx; 104 105 if (!ossl_prov_is_running()) 106 return NULL; 107 108 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) { 109 ctx->provctx = provctx; 110 OSSL_FIPS_IND_INIT(ctx) 111 } 112 return ctx; 113 } 114 115 static void kdf_hkdf_free(void *vctx) 116 { 117 KDF_HKDF *ctx = (KDF_HKDF *)vctx; 118 119 if (ctx != NULL) { 120 kdf_hkdf_reset(ctx); 121 OPENSSL_free(ctx); 122 } 123 } 124 125 static void kdf_hkdf_reset(void *vctx) 126 { 127 KDF_HKDF *ctx = (KDF_HKDF *)vctx; 128 void *provctx = ctx->provctx; 129 130 ossl_prov_digest_reset(&ctx->digest); 131 #ifdef OPENSSL_PEDANTIC_ZEROIZATION 132 OPENSSL_clear_free(ctx->salt, ctx->salt_len); 133 #else 134 OPENSSL_free(ctx->salt); 135 #endif 136 OPENSSL_free(ctx->prefix); 137 OPENSSL_free(ctx->label); 138 OPENSSL_clear_free(ctx->data, ctx->data_len); 139 OPENSSL_clear_free(ctx->key, ctx->key_len); 140 OPENSSL_clear_free(ctx->info, ctx->info_len); 141 memset(ctx, 0, sizeof(*ctx)); 142 ctx->provctx = provctx; 143 } 144 145 static void *kdf_hkdf_dup(void *vctx) 146 { 147 const KDF_HKDF *src = (const KDF_HKDF *)vctx; 148 KDF_HKDF *dest; 149 150 dest = kdf_hkdf_new(src->provctx); 151 if (dest != NULL) { 152 if (!ossl_prov_memdup(src->salt, src->salt_len, &dest->salt, 153 &dest->salt_len) 154 || !ossl_prov_memdup(src->key, src->key_len, 155 &dest->key, &dest->key_len) 156 || !ossl_prov_memdup(src->prefix, src->prefix_len, 157 &dest->prefix, &dest->prefix_len) 158 || !ossl_prov_memdup(src->label, src->label_len, 159 &dest->label, &dest->label_len) 160 || !ossl_prov_memdup(src->data, src->data_len, 161 &dest->data, &dest->data_len) 162 || !ossl_prov_memdup(src->info, src->info_len, 163 &dest->info, &dest->info_len) 164 || !ossl_prov_digest_copy(&dest->digest, &src->digest)) 165 goto err; 166 dest->mode = src->mode; 167 OSSL_FIPS_IND_COPY(dest, src) 168 } 169 return dest; 170 171 err: 172 kdf_hkdf_free(dest); 173 return NULL; 174 } 175 176 static size_t kdf_hkdf_size(KDF_HKDF *ctx) 177 { 178 int sz; 179 const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); 180 181 if (ctx->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) 182 return SIZE_MAX; 183 184 if (md == NULL) { 185 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 186 return 0; 187 } 188 sz = EVP_MD_get_size(md); 189 if (sz <= 0) 190 return 0; 191 192 return sz; 193 } 194 195 #ifdef FIPS_MODULE 196 static int fips_hkdf_key_check_passed(KDF_HKDF *ctx) 197 { 198 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 199 int key_approved = ossl_kdf_check_key_size(ctx->key_len); 200 201 if (!key_approved) { 202 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, 203 libctx, "HKDF", "Key size", 204 ossl_fips_config_hkdf_key_check)) { 205 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 206 return 0; 207 } 208 } 209 return 1; 210 } 211 #endif 212 213 static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, 214 const OSSL_PARAM params[]) 215 { 216 KDF_HKDF *ctx = (KDF_HKDF *)vctx; 217 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 218 const EVP_MD *md; 219 220 if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params)) 221 return 0; 222 223 md = ossl_prov_digest_md(&ctx->digest); 224 if (md == NULL) { 225 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 226 return 0; 227 } 228 if (ctx->key == NULL) { 229 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); 230 return 0; 231 } 232 if (keylen == 0) { 233 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 234 return 0; 235 } 236 237 switch (ctx->mode) { 238 case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: 239 default: 240 return HKDF(libctx, md, ctx->salt, ctx->salt_len, 241 ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen); 242 243 case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: 244 return HKDF_Extract(libctx, md, ctx->salt, ctx->salt_len, 245 ctx->key, ctx->key_len, key, keylen); 246 247 case EVP_KDF_HKDF_MODE_EXPAND_ONLY: 248 return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info, 249 ctx->info_len, key, keylen); 250 } 251 } 252 253 static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[]) 254 { 255 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 256 const OSSL_PARAM *p; 257 int n; 258 259 if (ossl_param_is_empty(params)) 260 return 1; 261 262 if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { 263 const EVP_MD *md = NULL; 264 265 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) 266 return 0; 267 268 md = ossl_prov_digest_md(&ctx->digest); 269 if (EVP_MD_xof(md)) { 270 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 271 return 0; 272 } 273 } 274 275 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { 276 if (p->data_type == OSSL_PARAM_UTF8_STRING) { 277 if (OPENSSL_strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) { 278 ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; 279 } else if (OPENSSL_strcasecmp(p->data, "EXTRACT_ONLY") == 0) { 280 ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; 281 } else if (OPENSSL_strcasecmp(p->data, "EXPAND_ONLY") == 0) { 282 ctx->mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; 283 } else { 284 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); 285 return 0; 286 } 287 } else if (OSSL_PARAM_get_int(p, &n)) { 288 if (n != EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 289 && n != EVP_KDF_HKDF_MODE_EXTRACT_ONLY 290 && n != EVP_KDF_HKDF_MODE_EXPAND_ONLY) { 291 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); 292 return 0; 293 } 294 ctx->mode = n; 295 } else { 296 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); 297 return 0; 298 } 299 } 300 301 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { 302 OPENSSL_clear_free(ctx->key, ctx->key_len); 303 ctx->key = NULL; 304 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->key, 0, 305 &ctx->key_len)) 306 return 0; 307 } 308 309 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { 310 OPENSSL_free(ctx->salt); 311 ctx->salt = NULL; 312 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, 313 &ctx->salt_len)) 314 return 0; 315 } 316 317 return 1; 318 } 319 320 static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 321 { 322 KDF_HKDF *ctx = vctx; 323 324 if (ossl_param_is_empty(params)) 325 return 1; 326 327 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, 328 OSSL_KDF_PARAM_FIPS_KEY_CHECK)) 329 return 0; 330 331 if (!hkdf_common_set_ctx_params(ctx, params)) 332 return 0; 333 334 if (ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO, 335 &ctx->info, &ctx->info_len, 336 HKDF_MAXINFO) 337 == 0) 338 return 0; 339 340 #ifdef FIPS_MODULE 341 if (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) 342 if (!fips_hkdf_key_check_passed(ctx)) 343 return 0; 344 #endif 345 346 return 1; 347 } 348 349 static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx, 350 ossl_unused void *provctx) 351 { 352 static const OSSL_PARAM known_settable_ctx_params[] = { 353 HKDF_COMMON_SETTABLES, 354 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), 355 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK) 356 OSSL_PARAM_END 357 }; 358 return known_settable_ctx_params; 359 } 360 361 static int hkdf_common_get_ctx_params(KDF_HKDF *ctx, OSSL_PARAM params[]) 362 { 363 OSSL_PARAM *p; 364 365 if (ossl_param_is_empty(params)) 366 return 1; 367 368 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { 369 size_t sz = kdf_hkdf_size(ctx); 370 371 if (sz == 0) 372 return 0; 373 if (!OSSL_PARAM_set_size_t(p, sz)) 374 return 0; 375 } 376 377 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { 378 if (ctx->info == NULL || ctx->info_len == 0) 379 p->return_size = 0; 380 else if (!OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len)) 381 return 0; 382 } 383 384 return 1; 385 } 386 387 static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) 388 { 389 KDF_HKDF *ctx = (KDF_HKDF *)vctx; 390 391 if (ossl_param_is_empty(params)) 392 return 1; 393 394 if (!hkdf_common_get_ctx_params(ctx, params)) 395 return 0; 396 397 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) 398 return 0; 399 400 return 1; 401 } 402 403 static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, 404 ossl_unused void *provctx) 405 { 406 static const OSSL_PARAM known_gettable_ctx_params[] = { 407 HKDF_COMMON_GETTABLES, 408 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 409 OSSL_PARAM_END 410 }; 411 return known_gettable_ctx_params; 412 } 413 414 const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = { 415 { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))kdf_hkdf_new }, 416 { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))kdf_hkdf_dup }, 417 { OSSL_FUNC_KDF_FREECTX, (void (*)(void))kdf_hkdf_free }, 418 { OSSL_FUNC_KDF_RESET, (void (*)(void))kdf_hkdf_reset }, 419 { OSSL_FUNC_KDF_DERIVE, (void (*)(void))kdf_hkdf_derive }, 420 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 421 (void (*)(void))kdf_hkdf_settable_ctx_params }, 422 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void (*)(void))kdf_hkdf_set_ctx_params }, 423 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 424 (void (*)(void))kdf_hkdf_gettable_ctx_params }, 425 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void (*)(void))kdf_hkdf_get_ctx_params }, 426 OSSL_DISPATCH_END 427 }; 428 429 /* 430 * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" 431 * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and 432 * "Cryptographic Extraction and Key Derivation: The HKDF Scheme" 433 * Section 4.2 (https://eprint.iacr.org/2010/264.pdf). 434 * 435 * From the paper: 436 * The scheme HKDF is specified as: 437 * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t) 438 * 439 * where: 440 * SKM is source key material 441 * XTS is extractor salt (which may be null or constant) 442 * CTXinfo is context information (may be null) 443 * L is the number of key bits to be produced by KDF 444 * k is the output length in bits of the hash function used with HMAC 445 * t = ceil(L/k) 446 * the value K(t) is truncated to its first d = L mod k bits. 447 * 448 * From RFC 5869: 449 * 2.2. Step 1: Extract 450 * HKDF-Extract(salt, IKM) -> PRK 451 * 2.3. Step 2: Expand 452 * HKDF-Expand(PRK, info, L) -> OKM 453 */ 454 static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, 455 const unsigned char *salt, size_t salt_len, 456 const unsigned char *ikm, size_t ikm_len, 457 const unsigned char *info, size_t info_len, 458 unsigned char *okm, size_t okm_len) 459 { 460 unsigned char prk[EVP_MAX_MD_SIZE]; 461 int ret, sz; 462 size_t prk_len; 463 464 sz = EVP_MD_get_size(evp_md); 465 if (sz <= 0) 466 return 0; 467 prk_len = (size_t)sz; 468 469 /* Step 1: HKDF-Extract(salt, IKM) -> PRK */ 470 if (!HKDF_Extract(libctx, evp_md, 471 salt, salt_len, ikm, ikm_len, prk, prk_len)) 472 return 0; 473 474 /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */ 475 ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); 476 OPENSSL_cleanse(prk, sizeof(prk)); 477 478 return ret; 479 } 480 481 /* 482 * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" 483 * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2). 484 * 485 * 2.2. Step 1: Extract 486 * 487 * HKDF-Extract(salt, IKM) -> PRK 488 * 489 * Options: 490 * Hash a hash function; HashLen denotes the length of the 491 * hash function output in octets 492 * 493 * Inputs: 494 * salt optional salt value (a non-secret random value); 495 * if not provided, it is set to a string of HashLen zeros. 496 * IKM input keying material 497 * 498 * Output: 499 * PRK a pseudorandom key (of HashLen octets) 500 * 501 * The output PRK is calculated as follows: 502 * 503 * PRK = HMAC-Hash(salt, IKM) 504 */ 505 static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, 506 const unsigned char *salt, size_t salt_len, 507 const unsigned char *ikm, size_t ikm_len, 508 unsigned char *prk, size_t prk_len) 509 { 510 int sz = EVP_MD_get_size(evp_md); 511 512 if (sz <= 0) 513 return 0; 514 if (prk_len != (size_t)sz) { 515 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE); 516 return 0; 517 } 518 /* calc: PRK = HMAC-Hash(salt, IKM) */ 519 return EVP_Q_mac(libctx, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL, salt, 520 salt_len, ikm, ikm_len, prk, EVP_MD_get_size(evp_md), NULL) 521 != NULL; 522 } 523 524 /* 525 * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" 526 * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3). 527 * 528 * 2.3. Step 2: Expand 529 * 530 * HKDF-Expand(PRK, info, L) -> OKM 531 * 532 * Options: 533 * Hash a hash function; HashLen denotes the length of the 534 * hash function output in octets 535 * 536 * Inputs: 537 * PRK a pseudorandom key of at least HashLen octets 538 * (usually, the output from the extract step) 539 * info optional context and application specific information 540 * (can be a zero-length string) 541 * L length of output keying material in octets 542 * (<= 255*HashLen) 543 * 544 * Output: 545 * OKM output keying material (of L octets) 546 * 547 * The output OKM is calculated as follows: 548 * 549 * N = ceil(L/HashLen) 550 * T = T(1) | T(2) | T(3) | ... | T(N) 551 * OKM = first L octets of T 552 * 553 * where: 554 * T(0) = empty string (zero length) 555 * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) 556 * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) 557 * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) 558 * ... 559 * 560 * (where the constant concatenated to the end of each T(n) is a 561 * single octet.) 562 */ 563 static int HKDF_Expand(const EVP_MD *evp_md, 564 const unsigned char *prk, size_t prk_len, 565 const unsigned char *info, size_t info_len, 566 unsigned char *okm, size_t okm_len) 567 { 568 HMAC_CTX *hmac; 569 int ret = 0, sz; 570 unsigned int i; 571 unsigned char prev[EVP_MAX_MD_SIZE]; 572 size_t done_len = 0, dig_len, n; 573 574 sz = EVP_MD_get_size(evp_md); 575 if (sz <= 0) 576 return 0; 577 dig_len = (size_t)sz; 578 579 /* calc: N = ceil(L/HashLen) */ 580 n = okm_len / dig_len; 581 if (okm_len % dig_len) 582 n++; 583 584 if (n > 255 || okm == NULL) 585 return 0; 586 587 if ((hmac = HMAC_CTX_new()) == NULL) 588 return 0; 589 590 if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) 591 goto err; 592 593 for (i = 1; i <= n; i++) { 594 size_t copy_len; 595 const unsigned char ctr = i; 596 597 /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */ 598 if (i > 1) { 599 if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL)) 600 goto err; 601 602 if (!HMAC_Update(hmac, prev, dig_len)) 603 goto err; 604 } 605 606 if (!HMAC_Update(hmac, info, info_len)) 607 goto err; 608 609 if (!HMAC_Update(hmac, &ctr, 1)) 610 goto err; 611 612 if (!HMAC_Final(hmac, prev, NULL)) 613 goto err; 614 615 copy_len = (dig_len > okm_len - done_len) ? okm_len - done_len : dig_len; 616 617 memcpy(okm + done_len, prev, copy_len); 618 619 done_len += copy_len; 620 } 621 ret = 1; 622 623 err: 624 OPENSSL_cleanse(prev, sizeof(prev)); 625 HMAC_CTX_free(hmac); 626 return ret; 627 } 628 629 /* 630 * TLS uses slight variations of the above and for FIPS validation purposes, 631 * they need to be present here. 632 * Refer to RFC 8446 section 7 for specific details. 633 */ 634 635 /* 636 * Given a |secret|; a |label| of length |labellen|; and |data| of length 637 * |datalen| (e.g. typically a hash of the handshake messages), derive a new 638 * secret |outlen| bytes long and store it in the location pointed to be |out|. 639 * The |data| value may be zero length. Returns 1 on success and 0 on failure. 640 */ 641 static int prov_tls13_hkdf_expand(const EVP_MD *md, 642 const unsigned char *key, size_t keylen, 643 const unsigned char *prefix, size_t prefixlen, 644 const unsigned char *label, size_t labellen, 645 const unsigned char *data, size_t datalen, 646 unsigned char *out, size_t outlen) 647 { 648 size_t hkdflabellen; 649 unsigned char hkdflabel[HKDF_MAXBUF]; 650 WPACKET pkt; 651 652 /* 653 * 2 bytes for length of derived secret + 1 byte for length of combined 654 * prefix and label + bytes for the label itself + 1 byte length of hash 655 * + bytes for the hash itself. We've got the maximum the KDF can handle 656 * which should always be sufficient. 657 */ 658 if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) 659 || !WPACKET_put_bytes_u16(&pkt, outlen) 660 || !WPACKET_start_sub_packet_u8(&pkt) 661 || !WPACKET_memcpy(&pkt, prefix, prefixlen) 662 || !WPACKET_memcpy(&pkt, label, labellen) 663 || !WPACKET_close(&pkt) 664 || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) 665 || !WPACKET_get_total_written(&pkt, &hkdflabellen) 666 || !WPACKET_finish(&pkt)) { 667 WPACKET_cleanup(&pkt); 668 return 0; 669 } 670 671 return HKDF_Expand(md, key, keylen, hkdflabel, hkdflabellen, 672 out, outlen); 673 } 674 675 static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, 676 const EVP_MD *md, 677 const unsigned char *prevsecret, 678 size_t prevsecretlen, 679 const unsigned char *insecret, 680 size_t insecretlen, 681 const unsigned char *prefix, 682 size_t prefixlen, 683 const unsigned char *label, 684 size_t labellen, 685 unsigned char *out, size_t outlen) 686 { 687 size_t mdlen; 688 int ret; 689 unsigned char preextractsec[EVP_MAX_MD_SIZE]; 690 /* Always filled with zeros */ 691 static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; 692 693 ret = EVP_MD_get_size(md); 694 /* Ensure cast to size_t is safe */ 695 if (ret <= 0) 696 return 0; 697 mdlen = (size_t)ret; 698 699 if (insecret == NULL) { 700 insecret = default_zeros; 701 insecretlen = mdlen; 702 } 703 if (prevsecret == NULL) { 704 prevsecret = default_zeros; 705 prevsecretlen = mdlen; 706 } else { 707 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 708 unsigned char hash[EVP_MAX_MD_SIZE]; 709 710 /* The pre-extract derive step uses a hash of no messages */ 711 if (mctx == NULL 712 || EVP_DigestInit_ex(mctx, md, NULL) <= 0 713 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 714 EVP_MD_CTX_free(mctx); 715 return 0; 716 } 717 EVP_MD_CTX_free(mctx); 718 719 /* Generate the pre-extract secret */ 720 if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen, 721 prefix, prefixlen, label, labellen, 722 hash, mdlen, preextractsec, mdlen)) 723 return 0; 724 prevsecret = preextractsec; 725 prevsecretlen = mdlen; 726 } 727 728 ret = HKDF_Extract(libctx, md, prevsecret, prevsecretlen, 729 insecret, insecretlen, out, outlen); 730 731 if (prevsecret == preextractsec) 732 OPENSSL_cleanse(preextractsec, mdlen); 733 return ret; 734 } 735 736 #ifdef FIPS_MODULE 737 static int fips_tls1_3_digest_check_passed(KDF_HKDF *ctx, const EVP_MD *md) 738 { 739 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 740 /* 741 * Perform digest check 742 * 743 * According to RFC 8446 appendix B.4, the valid hash functions are 744 * specified in FIPS 180-4. However, it only lists SHA2-256 and SHA2-384 in 745 * the table. ACVP also only lists the same set of hash functions. 746 */ 747 int digest_unapproved = !EVP_MD_is_a(md, SN_sha256) 748 && !EVP_MD_is_a(md, SN_sha384); 749 750 if (digest_unapproved) { 751 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, 752 libctx, "TLS13 KDF", "Digest", 753 ossl_fips_config_tls13_kdf_digest_check)) { 754 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); 755 return 0; 756 } 757 } 758 return 1; 759 } 760 761 /* 762 * Calculate the correct length of the secret key. 763 * 764 * RFC 8446: 765 * If a given secret is not available, then the 0-value consisting of a 766 * string of Hash.length bytes set to zeros is used. 767 */ 768 static size_t fips_tls1_3_key_size(KDF_HKDF *ctx) 769 { 770 const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); 771 size_t key_size = 0; 772 773 if (ctx->key != NULL) 774 key_size = ctx->key_len; 775 else if (md != NULL) 776 key_size = EVP_MD_size(md); 777 778 return key_size; 779 } 780 781 static int fips_tls1_3_key_check_passed(KDF_HKDF *ctx) 782 { 783 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 784 int key_approved = ossl_kdf_check_key_size(fips_tls1_3_key_size(ctx)); 785 786 if (!key_approved) { 787 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, 788 libctx, "TLS13 KDF", "Key size", 789 ossl_fips_config_tls13_kdf_key_check)) { 790 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 791 return 0; 792 } 793 } 794 return 1; 795 } 796 #endif 797 798 static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, 799 const OSSL_PARAM params[]) 800 { 801 KDF_HKDF *ctx = (KDF_HKDF *)vctx; 802 const EVP_MD *md; 803 804 if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx, params)) 805 return 0; 806 807 md = ossl_prov_digest_md(&ctx->digest); 808 if (md == NULL) { 809 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 810 return 0; 811 } 812 813 switch (ctx->mode) { 814 default: 815 return 0; 816 817 case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: 818 return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx->provctx), 819 md, 820 ctx->salt, ctx->salt_len, 821 ctx->key, ctx->key_len, 822 ctx->prefix, ctx->prefix_len, 823 ctx->label, ctx->label_len, 824 key, keylen); 825 826 case EVP_KDF_HKDF_MODE_EXPAND_ONLY: 827 return prov_tls13_hkdf_expand(md, ctx->key, ctx->key_len, 828 ctx->prefix, ctx->prefix_len, 829 ctx->label, ctx->label_len, 830 ctx->data, ctx->data_len, 831 key, keylen); 832 } 833 } 834 835 static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 836 { 837 const OSSL_PARAM *p; 838 KDF_HKDF *ctx = vctx; 839 840 if (ossl_param_is_empty(params)) 841 return 1; 842 843 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, 844 OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)) 845 return 0; 846 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, params, 847 OSSL_KDF_PARAM_FIPS_KEY_CHECK)) 848 return 0; 849 850 if (!hkdf_common_set_ctx_params(ctx, params)) 851 return 0; 852 853 if (ctx->mode == EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND) { 854 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); 855 return 0; 856 } 857 858 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PREFIX)) != NULL) { 859 OPENSSL_free(ctx->prefix); 860 ctx->prefix = NULL; 861 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->prefix, 0, 862 &ctx->prefix_len)) 863 return 0; 864 } 865 866 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_LABEL)) != NULL) { 867 OPENSSL_free(ctx->label); 868 ctx->label = NULL; 869 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->label, 0, 870 &ctx->label_len)) 871 return 0; 872 } 873 874 OPENSSL_clear_free(ctx->data, ctx->data_len); 875 ctx->data = NULL; 876 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DATA)) != NULL 877 && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0, 878 &ctx->data_len)) 879 return 0; 880 881 #ifdef FIPS_MODULE 882 if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) { 883 const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); 884 885 if (!fips_tls1_3_digest_check_passed(ctx, md)) 886 return 0; 887 } 888 889 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) 890 if (!fips_tls1_3_key_check_passed(ctx)) 891 return 0; 892 #endif 893 894 return 1; 895 } 896 897 static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, 898 ossl_unused void *provctx) 899 { 900 static const OSSL_PARAM known_settable_ctx_params[] = { 901 HKDF_COMMON_SETTABLES, 902 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX, NULL, 0), 903 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL, NULL, 0), 904 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA, NULL, 0), 905 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) 906 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK) 907 OSSL_PARAM_END 908 }; 909 return known_settable_ctx_params; 910 } 911 912 static int kdf_tls1_3_get_ctx_params(void *vctx, OSSL_PARAM params[]) 913 { 914 KDF_HKDF *ctx = (KDF_HKDF *)vctx; 915 916 if (ossl_param_is_empty(params)) 917 return 1; 918 919 if (!hkdf_common_get_ctx_params(ctx, params)) 920 return 0; 921 922 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params)) 923 return 0; 924 925 return 1; 926 } 927 928 static const OSSL_PARAM *kdf_tls1_3_gettable_ctx_params(ossl_unused void *ctx, 929 ossl_unused void *provctx) 930 { 931 static const OSSL_PARAM known_gettable_ctx_params[] = { 932 HKDF_COMMON_GETTABLES, 933 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 934 OSSL_PARAM_END 935 }; 936 return known_gettable_ctx_params; 937 } 938 939 const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { 940 { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))kdf_hkdf_new }, 941 { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))kdf_hkdf_dup }, 942 { OSSL_FUNC_KDF_FREECTX, (void (*)(void))kdf_hkdf_free }, 943 { OSSL_FUNC_KDF_RESET, (void (*)(void))kdf_hkdf_reset }, 944 { OSSL_FUNC_KDF_DERIVE, (void (*)(void))kdf_tls1_3_derive }, 945 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 946 (void (*)(void))kdf_tls1_3_settable_ctx_params }, 947 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void (*)(void))kdf_tls1_3_set_ctx_params }, 948 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 949 (void (*)(void))kdf_tls1_3_gettable_ctx_params }, 950 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void (*)(void))kdf_tls1_3_get_ctx_params }, 951 OSSL_DISPATCH_END 952 }; 953
Indexes created Sat Feb 28 05:31:39 UTC 2026