      1      1.1  christos /*
      2      1.1  christos  * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
      3      1.1  christos  * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
      4      1.1  christos  *
      5      1.1  christos  * Licensed under the Apache License 2.0 (the "License").  You may not use
      6      1.1  christos  * this file except in compliance with the License.  You can obtain a copy
      7      1.1  christos  * in the file LICENSE in the source distribution or at
      8      1.1  christos  * https://www.openssl.org/source/license.html
      9      1.1  christos  */
     10      1.1  christos 
     11      1.1  christos /*
     12      1.1  christos  * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
     13      1.1  christos  * Section 4.1.
     14      1.1  christos  *
     15      1.1  christos  * The Single Step KDF algorithm is given by:
     16      1.1  christos  *
     17      1.1  christos  * Result(0) = empty bit string (i.e., the null string).
     18      1.1  christos  * For i = 1 to reps, do the following:
     19      1.1  christos  *   Increment counter by 1.
     20      1.1  christos  *   Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
     21      1.1  christos  * DKM = LeftmostBits(Result(reps), L)
     22      1.1  christos  *
     23      1.1  christos  * NOTES:
     24      1.1  christos  *   Z is a shared secret required to produce the derived key material.
     25      1.1  christos  *   counter is a 4 byte buffer.
     26      1.1  christos  *   FixedInfo is a bit string containing context specific data.
     27      1.1  christos  *   DKM is the output derived key material.
     28      1.1  christos  *   L is the required size of the DKM.
     29      1.1  christos  *   reps = ceil(L / H_outputBits)
     30      1.1  christos  *   H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
     31      1.1  christos  *   H_outputBits is the length of the output of the auxiliary function H(x).
     32      1.1  christos  *
     33      1.1  christos  * Currently there is not a comprehensive list of test vectors for this
     34      1.1  christos  * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
     35      1.1  christos  * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
     36      1.1  christos  */
     37      1.1  christos #include <stdlib.h>
     38      1.1  christos #include <stdarg.h>
     39      1.1  christos #include <string.h>
     40      1.1  christos #include <openssl/hmac.h>
     41      1.1  christos #include <openssl/evp.h>
     42      1.1  christos #include <openssl/kdf.h>
     43      1.1  christos #include <openssl/core_names.h>
     44      1.1  christos #include <openssl/params.h>
     45      1.1  christos #include <openssl/proverr.h>
     46      1.1  christos #include "internal/cryptlib.h"
     47      1.1  christos #include "internal/numbers.h"
     48      1.1  christos #include "crypto/evp.h"
     49      1.1  christos #include "prov/provider_ctx.h"
     50      1.1  christos #include "prov/providercommon.h"
     51      1.1  christos #include "prov/implementations.h"
     52      1.1  christos #include "prov/provider_util.h"
     53      1.1  christos #include "prov/securitycheck.h"
     54      1.1  christos #include "internal/params.h"
     55      1.1  christos 
/*
 * Per-context state used by both the SSKDF and X9.63 KDF entry points in
 * this file. The secret, info and salt buffers are released with
 * OPENSSL_clear_free() in sskdf_reset(), so they are wiped before being
 * returned to the allocator.
 */
typedef struct {
    void *provctx; /* provider context; preserved across sskdf_reset() */
    EVP_MAC_CTX *macctx; /* H(x) = HMAC_hash OR H(x) = KMAC */
    PROV_DIGEST digest; /* H(x) = hash(x) */
    unsigned char *secret; /* shared secret Z fed to H(x) */
    size_t secret_len;
    unsigned char *info; /* FixedInfo fed to H(x) */
    size_t info_len;
    unsigned char *salt; /* MAC key; sskdf_derive() installs zeros if unset */
    size_t salt_len;
    size_t out_len; /* optional KMAC parameter */
    int is_kmac; /* set to 1 once the loaded MAC is KMAC128 or KMAC256 */
    /* presumably expands to the FIPS indicator field(s) - confirm in header */
    OSSL_FIPS_IND_DECLARE
} KDF_SSKDF;
     70      1.1  christos 
/*
 * Upper bound (2^30 bytes) enforced on the secret, the info string and the
 * requested output length before any derivation work is started.
 */
#define SSKDF_MAX_INLEN (1 << 30)
/*
 * Lengths of the all-zero salt that sskdf_derive() substitutes when the
 * caller supplies none and H(x) is KMAC128 / KMAC256.
 */
#define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
#define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)

/* KMAC uses a Customisation string of 'KDF' */
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };

/* Provider entry points for the SSKDF and X963KDF algorithms */
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
static OSSL_FUNC_kdf_derive_fn sskdf_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;
static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn x963kdf_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn x963kdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn x963kdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn x963kdf_get_ctx_params;

/* Settable context parameters that are common across SSKDF and X963 KDF */
#define SSKDF_COMMON_SETTABLES                                      \
    OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),        \
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),       \
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),      \
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),     \
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),        \
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),      \
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL)

/* Gettable context parameters that are common across SSKDF and X963 KDF */
#define SSKDF_COMMON_GETTABLES \
    OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL)
    107      1.1  christos 
    108      1.1  christos /*
    109      1.1  christos  * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
    110      1.1  christos  * Section 4. One-Step Key Derivation using H(x) = hash(x)
    111      1.1  christos  * Note: X9.63 also uses this code with the only difference being that the
    112      1.1  christos  * counter is appended to the secret 'z'.
    113      1.1  christos  * i.e.
    114      1.1  christos  *   result[i] = Hash(counter || z || info) for One Step OR
    115      1.1  christos  *   result[i] = Hash(z || counter || info) for X9.63.
    116      1.1  christos  */
/*
 * Hash-based derivation loop shared by One-Step KDF and X9.63 KDF.
 *
 * kdf_md          digest used as H(x)
 * z, z_len        shared secret
 * info, info_len  FixedInfo / shared info
 * append_ctr      0: hash counter || z || info; non-zero: z || counter || info
 * derived_key     output buffer of derived_key_len bytes
 *
 * Returns 1 on success, 0 on any failure. Lengths above SSKDF_MAX_INLEN and a
 * zero output length are rejected up front, which also keeps the block
 * counter well inside the 4 bytes it is encoded into.
 */
static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
    const unsigned char *z, size_t z_len,
    const unsigned char *info, size_t info_len,
    unsigned int append_ctr,
    unsigned char *derived_key, size_t derived_key_len)
{
    int ok = 0;
    int md_size;
    size_t block_len;
    size_t remaining = derived_key_len;
    size_t counter = 1;
    unsigned char ctr_be[4];
    unsigned char last_block[EVP_MAX_MD_SIZE];
    unsigned char *dst = derived_key;
    EVP_MD_CTX *work = NULL, *templ = NULL;

    if (z_len > SSKDF_MAX_INLEN)
        return 0;
    if (info_len > SSKDF_MAX_INLEN)
        return 0;
    if (derived_key_len > SSKDF_MAX_INLEN || derived_key_len == 0)
        return 0;

    md_size = EVP_MD_get_size(kdf_md);
    if (md_size <= 0)
        return 0;
    block_len = (size_t)md_size;

    work = EVP_MD_CTX_create();
    templ = EVP_MD_CTX_create();
    if (work == NULL || templ == NULL)
        goto end;

    /* Initialise the digest once; each block starts from a copy of it */
    if (!EVP_DigestInit(templ, kdf_md))
        goto end;

    for (;;) {
        /* Big-endian encoding of the 32-bit block counter */
        ctr_be[0] = (unsigned char)((counter >> 24) & 0xff);
        ctr_be[1] = (unsigned char)((counter >> 16) & 0xff);
        ctr_be[2] = (unsigned char)((counter >> 8) & 0xff);
        ctr_be[3] = (unsigned char)(counter & 0xff);

        if (!EVP_MD_CTX_copy_ex(work, templ))
            goto end;
        /* One-Step KDF places the counter before the secret */
        if (!append_ctr && !EVP_DigestUpdate(work, ctr_be, sizeof(ctr_be)))
            goto end;
        if (!EVP_DigestUpdate(work, z, z_len))
            goto end;
        /* X9.63 places the counter after the secret */
        if (append_ctr && !EVP_DigestUpdate(work, ctr_be, sizeof(ctr_be)))
            goto end;
        if (!EVP_DigestUpdate(work, info, info_len))
            goto end;

        if (remaining < block_len) {
            /* Final partial block: hash into scratch, copy what is needed */
            if (!EVP_DigestFinal_ex(work, last_block, NULL))
                goto end;
            memcpy(dst, last_block, remaining);
            break;
        }

        /* Full block: hash straight into the caller's buffer */
        if (!EVP_DigestFinal_ex(work, dst, NULL))
            goto end;
        dst += block_len;
        remaining -= block_len;
        if (remaining == 0)
            break;
        counter++;
    }
    ok = 1;
end:
    EVP_MD_CTX_destroy(work);
    EVP_MD_CTX_destroy(templ);
    /* The scratch block may hold unused key stream bytes; wipe it */
    OPENSSL_cleanse(last_block, sizeof(last_block));
    return ok;
}
    181      1.1  christos 
/*
 * Apply the KMAC-specific settings to ctx before it is keyed.
 *
 * custom == NULL means the MAC is not KMAC and nothing is done. Otherwise the
 * customisation string and output size are set on ctx. A kmac_out_len of 0
 * defaults to derived_key_len; any other value must equal derived_key_len or
 * be one of 20, 28, 32, 48 or 64 bytes.
 *
 * When the resulting output size exceeds EVP_MAX_MD_SIZE a zeroed heap buffer
 * of that size is stored in *out; the caller owns it and must free it.
 *
 * Returns 1 on success, 0 on failure.
 */
static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
    size_t custom_len, size_t kmac_out_len,
    size_t derived_key_len, unsigned char **out)
{
    OSSL_PARAM custom_params[2];
    OSSL_PARAM size_params[2];

    /* Only KMAC has custom data - so return if not KMAC */
    if (custom == NULL)
        return 1;

    custom_params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
        (void *)custom, custom_len);
    custom_params[1] = OSSL_PARAM_construct_end();
    if (!EVP_MAC_CTX_set_params(ctx, custom_params))
        return 0;

    if (kmac_out_len == 0) {
        /* By default only do one iteration if kmac_out_len is not specified */
        kmac_out_len = derived_key_len;
    } else if (kmac_out_len != derived_key_len) {
        /* otherwise only a fixed set of output sizes is accepted */
        switch (kmac_out_len) {
        case 20:
        case 28:
        case 32:
        case 48:
        case 64:
            break;
        default:
            return 0;
        }
    }

    size_params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
        &kmac_out_len);
    size_params[1] = OSSL_PARAM_construct_end();
    if (EVP_MAC_CTX_set_params(ctx, size_params) <= 0)
        return 0;

    /* The caller's stack scratch buffer covers up to EVP_MAX_MD_SIZE bytes */
    if (kmac_out_len <= EVP_MAX_MD_SIZE)
        return 1;

    /* For kmac the output can be larger than that: alloc a buffer */
    *out = OPENSSL_zalloc(kmac_out_len);
    return *out != NULL;
}
    228      1.1  christos 
    229      1.1  christos /*
    230      1.1  christos  * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
    231      1.1  christos  * Section 4. One-Step Key Derivation using MAC: i.e either
    232      1.1  christos  *     H(x) = HMAC-hash(salt, x) OR
    233      1.1  christos  *     H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
    234      1.1  christos  */
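/*
 * MAC-based One-Step KDF loop, with HMAC or KMAC as the auxiliary function.
 *
 * ctx_init         MAC context; configured by kmac_init(), keyed with salt
 *                  here, then duplicated for every output block
 * kmac_custom      KMAC customisation string, or NULL when the MAC is HMAC
 * kmac_out_len     requested KMAC output size; 0 selects derived_key_len
 * salt, salt_len   MAC key
 * z, z_len         shared secret
 * info, info_len   FixedInfo
 * derived_key      output buffer of derived_key_len bytes
 *
 * Returns 1 on success, 0 on failure. Lengths above SSKDF_MAX_INLEN and a
 * zero output length are rejected before any MAC work is done.
 */
static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
    const unsigned char *kmac_custom,
    size_t kmac_custom_len, size_t kmac_out_len,
    const unsigned char *salt, size_t salt_len,
    const unsigned char *z, size_t z_len,
    const unsigned char *info, size_t info_len,
    unsigned char *derived_key, size_t derived_key_len)
{
    int ret = 0;
    size_t counter, out_len, len;
    /*
     * kmac_init() receives kmac_out_len by value, replaces 0 with
     * derived_key_len and sizes its heap buffer from the result. Mirror that
     * here so the buffer is wiped over its full allocated length on exit
     * rather than over zero bytes when the caller left the size unset.
     */
    size_t kmac_buf_len = (kmac_out_len != 0) ? kmac_out_len : derived_key_len;
    unsigned char c[4];
    unsigned char mac_buf[EVP_MAX_MD_SIZE];
    unsigned char *out = derived_key;
    EVP_MAC_CTX *ctx = NULL;
    unsigned char *mac = mac_buf, *kmac_buffer = NULL;

    if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
        || derived_key_len > SSKDF_MAX_INLEN
        || derived_key_len == 0)
        return 0;

    if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
            derived_key_len, &kmac_buffer))
        goto end;
    /* kmac_init() only allocates when the output exceeds the stack scratch */
    if (kmac_buffer != NULL)
        mac = kmac_buffer;

    /* The salt is the MAC key */
    if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
        goto end;

    out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
    /* Refuse a MAC whose output would not fit the stack scratch buffer */
    if (out_len == 0 || (mac == mac_buf && out_len > sizeof(mac_buf)))
        goto end;
    len = derived_key_len;

    for (counter = 1;; counter++) {
        /* Big-endian encoding of the 32-bit block counter */
        c[0] = (unsigned char)((counter >> 24) & 0xff);
        c[1] = (unsigned char)((counter >> 16) & 0xff);
        c[2] = (unsigned char)((counter >> 8) & 0xff);
        c[3] = (unsigned char)(counter & 0xff);

        /* Each block restarts from the keyed context: MAC(counter||Z||info) */
        ctx = EVP_MAC_CTX_dup(ctx_init);
        if (!(ctx != NULL
                && EVP_MAC_update(ctx, c, sizeof(c))
                && EVP_MAC_update(ctx, z, z_len)
                && EVP_MAC_update(ctx, info, info_len)))
            goto end;
        if (len >= out_len) {
            /* Full block: write straight into the caller's buffer */
            if (!EVP_MAC_final(ctx, out, NULL, len))
                goto end;
            out += out_len;
            len -= out_len;
            if (len == 0)
                break;
        } else {
            /* Final partial block: MAC into scratch, copy what is needed */
            if (!EVP_MAC_final(ctx, mac, NULL, out_len))
                goto end;
            memcpy(out, mac, len);
            break;
        }
        EVP_MAC_CTX_free(ctx);
        ctx = NULL;
    }
    ret = 1;
end:
    /* Scratch space may hold unused key stream bytes; wipe whichever was used */
    if (kmac_buffer != NULL)
        OPENSSL_clear_free(kmac_buffer, kmac_buf_len);
    else
        OPENSSL_cleanse(mac_buf, sizeof(mac_buf));

    /* Also releases the per-block context left over by a break or a failure */
    EVP_MAC_CTX_free(ctx);
    return ret;
}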
    308      1.1  christos 
/*
 * Allocate a zero-initialised KDF context bound to provctx.
 * Returns NULL when the provider is not running or allocation fails.
 */
static void *sskdf_new(void *provctx)
{
    KDF_SSKDF *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(*ctx));
    if (ctx == NULL)
        return NULL;

    ctx->provctx = provctx;
    OSSL_FIPS_IND_INIT(ctx)
    return ctx;
}
    322      1.1  christos 
/*
 * Release everything the context owns and return it to its initial state,
 * keeping only the provider context pointer. The secret, info and salt
 * buffers are wiped before being freed.
 */
static void sskdf_reset(void *vctx)
{
    KDF_SSKDF *kctx = (KDF_SSKDF *)vctx;
    void *saved_provctx = kctx->provctx;

    EVP_MAC_CTX_free(kctx->macctx);
    ossl_prov_digest_reset(&kctx->digest);

    OPENSSL_clear_free(kctx->secret, kctx->secret_len);
    OPENSSL_clear_free(kctx->info, kctx->info_len);
    OPENSSL_clear_free(kctx->salt, kctx->salt_len);

    /* Drop the now-dangling pointers and lengths in one go */
    memset(kctx, 0, sizeof(*kctx));
    kctx->provctx = saved_provctx;
}
    336      1.1  christos 
/* Wipe and release a context created by sskdf_new(); NULL is a no-op. */
static void sskdf_free(void *vctx)
{
    KDF_SSKDF *kctx = (KDF_SSKDF *)vctx;

    if (kctx == NULL)
        return;

    sskdf_reset(kctx);
    OPENSSL_free(kctx);
}
    346      1.1  christos 
/*
 * Deep-copy a KDF context: the MAC context, digest and the info, salt and
 * secret buffers are all duplicated, so the copy owns its own key material.
 * Returns NULL on failure; a partially built copy is wiped and freed through
 * sskdf_free().
 */
static void *sskdf_dup(void *vctx)
{
    const KDF_SSKDF *src = (const KDF_SSKDF *)vctx;
    KDF_SSKDF *dest = sskdf_new(src->provctx);

    if (dest == NULL)
        return NULL;

    if (src->macctx != NULL) {
        dest->macctx = EVP_MAC_CTX_dup(src->macctx);
        if (dest->macctx == NULL)
            goto err;
    }

    if (!ossl_prov_memdup(src->info, src->info_len,
            &dest->info, &dest->info_len))
        goto err;
    if (!ossl_prov_memdup(src->salt, src->salt_len,
            &dest->salt, &dest->salt_len))
        goto err;
    if (!ossl_prov_memdup(src->secret, src->secret_len,
            &dest->secret, &dest->secret_len))
        goto err;
    if (!ossl_prov_digest_copy(&dest->digest, &src->digest))
        goto err;

    dest->out_len = src->out_len;
    dest->is_kmac = src->is_kmac;
    OSSL_FIPS_IND_COPY(dest, src)
    return dest;

err:
    sskdf_free(dest);
    return NULL;
}
    377      1.1  christos 
/*
 * Report the output size for this context: SIZE_MAX for KMAC, otherwise the
 * size of the configured digest. Returns 0 (raising
 * PROV_R_MISSING_MESSAGE_DIGEST) when no digest is set, and 0 when the digest
 * reports a non-positive size.
 */
static size_t sskdf_size(KDF_SSKDF *ctx)
{
    const EVP_MD *md;
    int md_size;

    if (ctx->is_kmac)
        return SIZE_MAX;

    md = ossl_prov_digest_md(&ctx->digest);
    if (md == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
        return 0;
    }

    md_size = EVP_MD_get_size(md);
    if (md_size <= 0)
        return 0;
    return (size_t)md_size;
}
    394      1.1  christos 
    395      1.1  christos #ifdef FIPS_MODULE
/*
 * FIPS key-size gate for SSKDF. Returns 1 when the secret length passes
 * ossl_kdf_check_key_size() or when the FIPS indicator machinery tolerates
 * the unapproved size; otherwise raises PROV_R_INVALID_KEY_LENGTH and
 * returns 0.
 */
static int fips_sskdf_key_check_passed(KDF_SSKDF *ctx)
{
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);

    if (ossl_kdf_check_key_size(ctx->secret_len))
        return 1;

    if (OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
            libctx, "SSKDF", "Key size",
            ossl_fips_config_sskdf_key_check))
        return 1;

    ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
    return 0;
}
    411      1.1  christos #endif
    412      1.1  christos 
/*
 * Provider derive entry point for SSKDF.
 *
 * Applies params to the context, then derives keylen bytes into key using
 * the MAC construction when a MAC context is loaded (HMAC or KMAC) and the
 * plain hash construction otherwise. Returns 1 on success, 0 on failure.
 *
 * When a MAC is used and no salt was supplied, an all-zero salt of the
 * default length is allocated and stored in the context, so it remains set
 * for later calls until the context is reset.
 */
static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
    const OSSL_PARAM params[])
{
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
    const EVP_MD *md;
    const unsigned char *custom = NULL;
    size_t custom_len = 0;
    int default_salt_len;
    EVP_MAC *mac;

    if (!ossl_prov_is_running())
        return 0;
    if (!sskdf_set_ctx_params(ctx, params))
        return 0;
    if (ctx->secret == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
        return 0;
    }

    md = ossl_prov_digest_md(&ctx->digest);

    if (ctx->macctx == NULL) {
        /* H(x) = hash */
        if (md == NULL) {
            ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
            return 0;
        }
        return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
            ctx->info, ctx->info_len, 0, key, keylen);
    }

    /* H(x) = KMAC or H(x) = HMAC */
    mac = EVP_MAC_CTX_get0_mac(ctx->macctx);

    if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
        /* H(x) = HMAC(x, salt, hash) */
        if (md == NULL) {
            ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
            return 0;
        }
        default_salt_len = EVP_MD_get_size(md);
        if (default_salt_len <= 0)
            return 0;
    } else if (ctx->is_kmac) {
        /* H(x) = KMACzzz(x, salt, custom) */
        custom = kmac_custom_str;
        custom_len = sizeof(kmac_custom_str);
        default_salt_len = EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128)
            ? SSKDF_KMAC128_DEFAULT_SALT_SIZE
            : SSKDF_KMAC256_DEFAULT_SALT_SIZE;
    } else {
        ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
        return 0;
    }

    /*
     * If no salt is set then use a default_salt of zeros.
     * NOTE(review): a non-NULL salt with salt_len == 0 would be overwritten
     * here without being freed; confirm the parameter setter never leaves the
     * context in that state.
     */
    if (ctx->salt == NULL || ctx->salt_len == 0) {
        ctx->salt = OPENSSL_zalloc(default_salt_len);
        if (ctx->salt == NULL)
            return 0;
        ctx->salt_len = default_salt_len;
    }

    return SSKDF_mac_kdm(ctx->macctx,
        custom, custom_len, ctx->out_len,
        ctx->salt, ctx->salt_len,
        ctx->secret, ctx->secret_len,
        ctx->info, ctx->info_len, key, keylen);
}
    480      1.1  christos 
    481      1.1  christos #ifdef FIPS_MODULE
/*
 * FIPS digest gate for X963KDF.
 *
 * X963KDF is a KDF defined in ANSI-X9.63. According to ACVP specification
 * section 7.3.1, only SHA-2 and SHA-3 can be regarded as valid hash
 * functions.
 *
 * NOTE(review): the check below only flags SHA-1 (and only when the context
 * is not marked as KMAC); it is a denylist, not an allowlist. Presumably the
 * FIPS provider offers no other non-SHA-2/SHA-3 digest - confirm.
 *
 * Returns 1 when the digest is acceptable or the FIPS indicator machinery
 * tolerates it; otherwise raises PROV_R_DIGEST_NOT_ALLOWED and returns 0.
 */
static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md)
{
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);

    if (ctx->is_kmac == 1 || !EVP_MD_is_a(md, SN_sha1))
        return 1;

    if (OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
            libctx, "X963KDF", "Digest",
            ossl_fips_config_x963kdf_digest_check))
        return 1;

    ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
    return 0;
}
    504      1.1  christos 
/*
 * FIPS key-size gate for X963KDF. Returns 1 when the secret length passes
 * ossl_kdf_check_key_size() or when the FIPS indicator machinery tolerates
 * the unapproved size; otherwise raises PROV_R_INVALID_KEY_LENGTH and
 * returns 0.
 */
static int fips_x963kdf_key_check_passed(KDF_SSKDF *ctx)
{
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);

    if (ossl_kdf_check_key_size(ctx->secret_len))
        return 1;

    if (OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
            libctx, "X963KDF", "Key size",
            ossl_fips_config_x963kdf_key_check))
        return 1;

    ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
    return 0;
}
    520      1.1  christos #endif
    521      1.1  christos 
/*
 * Provider derive entry point for X963KDF.
 *
 * Applies params to the context and derives keylen bytes into key with the
 * hash construction, the counter being placed after the secret. A context
 * that has a MAC loaded is rejected with PROV_R_NOT_SUPPORTED. Returns 1 on
 * success, 0 on failure.
 */
static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
    const OSSL_PARAM params[])
{
    KDF_SSKDF *kctx = (KDF_SSKDF *)vctx;
    const EVP_MD *digest;
    int reason = 0;

    if (!ossl_prov_is_running())
        return 0;
    if (!x963kdf_set_ctx_params(kctx, params))
        return 0;

    /* Checks are ordered so the first failing one decides the error raised */
    if (kctx->secret == NULL) {
        reason = PROV_R_MISSING_SECRET;
    } else if (kctx->macctx != NULL) {
        reason = PROV_R_NOT_SUPPORTED;
    } else {
        /* H(x) = hash */
        digest = ossl_prov_digest_md(&kctx->digest);
        if (digest != NULL)
            return SSKDF_hash_kdm(digest, kctx->secret, kctx->secret_len,
                kctx->info, kctx->info_len, 1, key, keylen);
        reason = PROV_R_MISSING_MESSAGE_DIGEST;
    }

    ERR_raise(ERR_LIB_PROV, reason);
    return 0;
}
    551      1.1  christos 
    /*
     * Parameter handling shared by the SSKDF and X963KDF setters.
     *
     * In order: loads an optional MAC context, loads an optional digest
     * (rejecting XOF digests), then stores the secret, info, salt and MAC
     * output size into ctx. An empty params list is a successful no-op.
     *
     * NOTE(review): ctx->is_kmac is only ever set to 1 here, never cleared.
     * If a context is re-parameterised from KMAC to another MAC without a
     * reset in between, the flag would stay set - confirm callers always
     * reset first.
     *
     * NOTE(review): whether a previously stored secret is cleansed before
     * being replaced depends on ossl_param_get1_octet_string(), which is not
     * visible here.
     *
     * Returns 1 on success, 0 on failure.
     */
    static int sskdf_common_set_ctx_params(KDF_SSKDF *ctx, const OSSL_PARAM params[])
    {
        OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
        const OSSL_PARAM *size_param;
        size_t mac_size;
        int rc;

        if (ossl_param_is_empty(params))
            return 1;

        if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
                                               NULL, NULL, NULL, libctx))
            return 0;

        if (ctx->macctx != NULL) {
            const EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);

            /* Either KMAC flavour marks the context as KMAC based. */
            if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128)
                || EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC256))
                ctx->is_kmac = 1;
        }

        if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) {
            const EVP_MD *digest;

            if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
                return 0;

            /* Extendable-output digests are not accepted as H(x). */
            digest = ossl_prov_digest_md(&ctx->digest);
            if (EVP_MD_xof(digest)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
                return 0;
            }
        }

        /*
         * The secret may arrive under either name; OSSL_KDF_PARAM_KEY is only
         * tried when the lookup for OSSL_KDF_PARAM_SECRET yields -1
         * (presumably "not present"). A result of 0 is a hard failure.
         */
        rc = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SECRET,
                                          &ctx->secret, &ctx->secret_len);
        if (rc == -1)
            rc = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_KEY,
                                              &ctx->secret, &ctx->secret_len);
        if (rc == 0)
            return 0;

        /* For info and salt only an explicit 0 counts as failure. */
        rc = ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO,
                                                 &ctx->info, &ctx->info_len, 0);
        if (rc == 0)
            return 0;

        rc = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SALT,
                                          &ctx->salt, &ctx->salt_len);
        if (rc == 0)
            return 0;

        size_param = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE);
        if (size_param != NULL) {
            /* A MAC size of zero is refused. */
            if (!OSSL_PARAM_get_size_t(size_param, &mac_size) || mac_size == 0)
                return 0;
            ctx->out_len = mac_size;
        }
        return 1;
    }
    612      1.1  christos 
    /*
     * OSSL_FUNC_KDF_SET_CTX_PARAMS entry point for SSKDF.
     *
     * Records the FIPS key-check indicator setting, applies the common
     * parameters and, in FIPS_MODULE builds, runs the key check whenever this
     * call carried a secret under OSSL_KDF_PARAM_KEY or OSSL_KDF_PARAM_SECRET.
     * A call that supplies no secret does not re-run that check.
     *
     * Returns 1 on success (including an empty params list), 0 on failure.
     */
    static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
    {
        KDF_SSKDF *kdf = (KDF_SSKDF *)vctx;

        if (ossl_param_is_empty(params))
            return 1;

        if (!OSSL_FIPS_IND_SET_CTX_PARAM(kdf, OSSL_FIPS_IND_SETTABLE0, params,
                                         OSSL_KDF_PARAM_FIPS_KEY_CHECK))
            return 0;

        if (!sskdf_common_set_ctx_params(kdf, params))
            return 0;

    #ifdef FIPS_MODULE
        /* Check the secret only when this call actually provided one. */
        if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL
             || OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL)
            && !fips_sskdf_key_check_passed(kdf)) {
            return 0;
        }
    #endif

        return 1;
    }
    635      1.1  christos 
    /*
     * OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS entry point for SSKDF: returns the
     * static table of parameters the setter understands. Both arguments are
     * unused.
     */
    static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx,
                                                       ossl_unused void *provctx)
    {
        /*
         * No comma follows the FIPS indicator macro; presumably it supplies
         * its own separator or expands to nothing - confirm in its definition.
         */
        static const OSSL_PARAM settable_params[] = {
            SSKDF_COMMON_SETTABLES,
            OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK)
            OSSL_PARAM_END
        };

        return settable_params;
    }
    646      1.1  christos 
    /*
     * Getter logic shared by SSKDF and X963KDF: answers a request for
     * OSSL_KDF_PARAM_SIZE with sskdf_size(ctx). Anything else in params is
     * left untouched.
     *
     * Returns 1 on success (also when nothing was requested), 0 when the size
     * could not be written into the parameter.
     */
    static int sskdf_common_get_ctx_params(KDF_SSKDF *ctx, OSSL_PARAM params[])
    {
        OSSL_PARAM *size_param;

        if (ossl_param_is_empty(params))
            return 1;

        size_param = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
        if (size_param == NULL)
            return 1;

        return OSSL_PARAM_set_size_t(size_param, sskdf_size(ctx)) ? 1 : 0;
    }
    661      1.1  christos 
    /*
     * OSSL_FUNC_KDF_GET_CTX_PARAMS entry point for SSKDF: serves the common
     * gettable parameters, then the FIPS indicator parameter.
     *
     * Returns 1 on success (including an empty params list), 0 on failure.
     */
    static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
    {
        KDF_SSKDF *kdf = (KDF_SSKDF *)vctx;

        if (!ossl_param_is_empty(params)) {
            if (!sskdf_common_get_ctx_params(kdf, params))
                return 0;

            if (!OSSL_FIPS_IND_GET_CTX_PARAM(kdf, params))
                return 0;
        }

        return 1;
    }
    677      1.1  christos 
    /*
     * OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS entry point for SSKDF: returns the
     * static table of parameters the getter can report. Both arguments are
     * unused.
     */
    static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
                                                       ossl_unused void *provctx)
    {
        /*
         * No comma follows the FIPS indicator macro; presumably it supplies
         * its own separator or expands to nothing - confirm in its definition.
         */
        static const OSSL_PARAM gettable_params[] = {
            SSKDF_COMMON_GETTABLES,
            OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
            OSSL_PARAM_END
        };

        return gettable_params;
    }
    688      1.1  christos 
    /*
     * OSSL_FUNC_KDF_SET_CTX_PARAMS entry point for X963KDF; x963kdf_derive()
     * also calls it with its derive-time params.
     *
     * Records the two FIPS indicator settings (digest check in SETTABLE0, key
     * check in SETTABLE1), applies the common parameters and, in FIPS_MODULE
     * builds, runs the digest and key checks - each only when the
     * corresponding parameter was present in this call.
     *
     * Returns 1 on success (including an empty params list), 0 on failure.
     */
    static int x963kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
    {
        KDF_SSKDF *kdf = (KDF_SSKDF *)vctx;

        if (ossl_param_is_empty(params))
            return 1;

        if (!OSSL_FIPS_IND_SET_CTX_PARAM(kdf, OSSL_FIPS_IND_SETTABLE0, params,
                                         OSSL_KDF_PARAM_FIPS_DIGEST_CHECK))
            return 0;
        if (!OSSL_FIPS_IND_SET_CTX_PARAM(kdf, OSSL_FIPS_IND_SETTABLE1, params,
                                         OSSL_KDF_PARAM_FIPS_KEY_CHECK))
            return 0;

        if (!sskdf_common_set_ctx_params(kdf, params))
            return 0;

    #ifdef FIPS_MODULE
        /* Vet the digest only when this call selected one. */
        if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL
            && !fips_x963kdf_digest_check_passed(kdf,
                                                 ossl_prov_digest_md(&kdf->digest))) {
            return 0;
        }

        /* Vet the secret only when this call supplied one, under either name. */
        if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL
             || OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL)
            && !fips_x963kdf_key_check_passed(kdf)) {
            return 0;
        }
    #endif

        return 1;
    }
    721      1.1  christos 
    /*
     * OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS entry point for X963KDF: returns the
     * static table of parameters the setter understands, including both FIPS
     * indicator settables (digest check and key check). Both arguments are
     * unused.
     */
    static const OSSL_PARAM *x963kdf_settable_ctx_params(ossl_unused void *ctx,
                                                         ossl_unused void *provctx)
    {
        /*
         * No commas follow the FIPS indicator macros; presumably each supplies
         * its own separator or expands to nothing - confirm in the definition.
         */
        static const OSSL_PARAM settable_params[] = {
            SSKDF_COMMON_SETTABLES,
            OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)
            OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK)
            OSSL_PARAM_END
        };

        return settable_params;
    }
    733      1.1  christos 
    /*
     * OSSL_FUNC_KDF_GET_CTX_PARAMS entry point for X963KDF: serves the common
     * gettable parameters, then the FIPS indicator parameter. It has no
     * empty-params shortcut of its own; the common getter performs that test.
     *
     * Returns 1 on success, 0 on failure.
     */
    static int x963kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
    {
        KDF_SSKDF *kdf = (KDF_SSKDF *)vctx;

        if (sskdf_common_get_ctx_params(kdf, params)) {
            if (!OSSL_FIPS_IND_GET_CTX_PARAM(kdf, params))
                return 0;

            return 1;
        }

        return 0;
    }
    746      1.1  christos 
    /*
     * OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS entry point for X963KDF: returns the
     * static table of parameters the getter can report. Both arguments are
     * unused.
     */
    static const OSSL_PARAM *x963kdf_gettable_ctx_params(ossl_unused void *ctx,
                                                         ossl_unused void *provctx)
    {
        /*
         * No comma follows the FIPS indicator macro; presumably it supplies
         * its own separator or expands to nothing - confirm in its definition.
         */
        static const OSSL_PARAM gettable_params[] = {
            SSKDF_COMMON_GETTABLES,
            OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
            OSSL_PARAM_END
        };

        return gettable_params;
    }
    757      1.1  christos 
    /*
     * Provider dispatch table for SSKDF. Each entry pairs an OSSL_FUNC_KDF_*
     * id with its implementation, cast to the generic function pointer type
     * the table stores.
     */
    const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
        /* context lifecycle */
        { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))sskdf_new },
        { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))sskdf_dup },
        { OSSL_FUNC_KDF_FREECTX, (void (*)(void))sskdf_free },
        { OSSL_FUNC_KDF_RESET, (void (*)(void))sskdf_reset },
        /* key derivation */
        { OSSL_FUNC_KDF_DERIVE, (void (*)(void))sskdf_derive },
        /* parameter access */
        { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, (void (*)(void))sskdf_settable_ctx_params },
        { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void (*)(void))sskdf_set_ctx_params },
        { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, (void (*)(void))sskdf_gettable_ctx_params },
        { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void (*)(void))sskdf_get_ctx_params },
        OSSL_DISPATCH_END
    };
    772      1.1  christos 
    /*
     * Provider dispatch table for X963KDF. It reuses the SSKDF context
     * lifecycle functions (new, dup, free, reset) and substitutes its own
     * derive and parameter callbacks.
     */
    const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
        /* context lifecycle, shared with SSKDF */
        { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))sskdf_new },
        { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))sskdf_dup },
        { OSSL_FUNC_KDF_FREECTX, (void (*)(void))sskdf_free },
        { OSSL_FUNC_KDF_RESET, (void (*)(void))sskdf_reset },
        /* key derivation */
        { OSSL_FUNC_KDF_DERIVE, (void (*)(void))x963kdf_derive },
        /* parameter access */
        { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, (void (*)(void))x963kdf_settable_ctx_params },
        { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void (*)(void))x963kdf_set_ctx_params },
        { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, (void (*)(void))x963kdf_gettable_ctx_params },
        { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void (*)(void))x963kdf_get_ctx_params },
        OSSL_DISPATCH_END
    };