2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * HMAC low level APIs are deprecated for public use, but still ok for internal
14 #include "internal/deprecated.h"
19 #include <openssl/hmac.h>
20 #include <openssl/evp.h>
21 #include <openssl/kdf.h>
22 #include <openssl/core_names.h>
23 #include <openssl/proverr.h>
24 #include "internal/cryptlib.h"
25 #include "internal/numbers.h"
26 #include "internal/packet.h"
27 #include "crypto/evp.h"
28 #include "prov/provider_ctx.h"
29 #include "prov/providercommon.h"
30 #include "prov/implementations.h"
31 #include "prov/provider_util.h"
32 #include "internal/e_os.h"
34 #define HKDF_MAXBUF 2048
35 #define HKDF_MAXINFO (32*1024)
37 static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new
;
38 static OSSL_FUNC_kdf_dupctx_fn kdf_hkdf_dup
;
39 static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free
;
40 static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset
;
41 static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive
;
42 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params
;
43 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params
;
44 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params
;
45 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params
;
46 static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive
;
47 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params
;
48 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params
;
50 static int HKDF(OSSL_LIB_CTX
*libctx
, const EVP_MD
*evp_md
,
51 const unsigned char *salt
, size_t salt_len
,
52 const unsigned char *key
, size_t key_len
,
53 const unsigned char *info
, size_t info_len
,
54 unsigned char *okm
, size_t okm_len
);
55 static int HKDF_Extract(OSSL_LIB_CTX
*libctx
, const EVP_MD
*evp_md
,
56 const unsigned char *salt
, size_t salt_len
,
57 const unsigned char *ikm
, size_t ikm_len
,
58 unsigned char *prk
, size_t prk_len
);
59 static int HKDF_Expand(const EVP_MD
*evp_md
,
60 const unsigned char *prk
, size_t prk_len
,
61 const unsigned char *info
, size_t info_len
,
62 unsigned char *okm
, size_t okm_len
);
64 /* Settable context parameters that are common across HKDF and the TLS KDF */
65 #define HKDF_COMMON_SETTABLES \
66 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \
67 OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \
68 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \
69 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \
70 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \
71 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0)
81 unsigned char *prefix
;
91 static void *kdf_hkdf_new(void *provctx
)
95 if (!ossl_prov_is_running())
98 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) != NULL
)
99 ctx
->provctx
= provctx
;
103 static void kdf_hkdf_free(void *vctx
)
105 KDF_HKDF
*ctx
= (KDF_HKDF
*)vctx
;
113 static void kdf_hkdf_reset(void *vctx
)
115 KDF_HKDF
*ctx
= (KDF_HKDF
*)vctx
;
116 void *provctx
= ctx
->provctx
;
118 ossl_prov_digest_reset(&ctx
->digest
);
119 OPENSSL_free(ctx
->salt
);
120 OPENSSL_free(ctx
->prefix
);
121 OPENSSL_free(ctx
->label
);
122 OPENSSL_clear_free(ctx
->data
, ctx
->data_len
);
123 OPENSSL_clear_free(ctx
->key
, ctx
->key_len
);
124 OPENSSL_clear_free(ctx
->info
, ctx
->info_len
);
125 memset(ctx
, 0, sizeof(*ctx
));
126 ctx
->provctx
= provctx
;
129 static void *kdf_hkdf_dup(void *vctx
)
131 const KDF_HKDF
*src
= (const KDF_HKDF
*)vctx
;
134 dest
= kdf_hkdf_new(src
->provctx
);
136 if (!ossl_prov_memdup(src
->salt
, src
->salt_len
, &dest
->salt
,
138 || !ossl_prov_memdup(src
->key
, src
->key_len
,
139 &dest
->key
, &dest
->key_len
)
140 || !ossl_prov_memdup(src
->prefix
, src
->prefix_len
,
141 &dest
->prefix
, &dest
->prefix_len
)
142 || !ossl_prov_memdup(src
->label
, src
->label_len
,
143 &dest
->label
, &dest
->label_len
)
144 || !ossl_prov_memdup(src
->data
, src
->data_len
,
145 &dest
->data
, &dest
->data_len
)
146 || !ossl_prov_memdup(src
->info
, src
->info_len
,
147 &dest
->info
, &dest
->info_len
)
148 || !ossl_prov_digest_copy(&dest
->digest
, &src
->digest
))
150 dest
->mode
= src
->mode
;
159 static size_t kdf_hkdf_size(KDF_HKDF
*ctx
)
162 const EVP_MD
*md
= ossl_prov_digest_md(&ctx
->digest
);
164 if (ctx
->mode
!= EVP_KDF_HKDF_MODE_EXTRACT_ONLY
)
168 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
171 sz
= EVP_MD_get_size(md
);
178 static int kdf_hkdf_derive(void *vctx
, unsigned char *key
, size_t keylen
,
179 const OSSL_PARAM params
[])
181 KDF_HKDF
*ctx
= (KDF_HKDF
*)vctx
;
182 OSSL_LIB_CTX
*libctx
= PROV_LIBCTX_OF(ctx
->provctx
);
185 if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx
, params
))
188 md
= ossl_prov_digest_md(&ctx
->digest
);
190 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
193 if (ctx
->key
== NULL
) {
194 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_KEY
);
198 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
203 case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
:
205 return HKDF(libctx
, md
, ctx
->salt
, ctx
->salt_len
,
206 ctx
->key
, ctx
->key_len
, ctx
->info
, ctx
->info_len
, key
, keylen
);
208 case EVP_KDF_HKDF_MODE_EXTRACT_ONLY
:
209 return HKDF_Extract(libctx
, md
, ctx
->salt
, ctx
->salt_len
,
210 ctx
->key
, ctx
->key_len
, key
, keylen
);
212 case EVP_KDF_HKDF_MODE_EXPAND_ONLY
:
213 return HKDF_Expand(md
, ctx
->key
, ctx
->key_len
, ctx
->info
,
214 ctx
->info_len
, key
, keylen
);
218 static int hkdf_common_set_ctx_params(KDF_HKDF
*ctx
, const OSSL_PARAM params
[])
220 OSSL_LIB_CTX
*libctx
= PROV_LIBCTX_OF(ctx
->provctx
);
227 if (!ossl_prov_digest_load_from_params(&ctx
->digest
, params
, libctx
))
230 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_MODE
)) != NULL
) {
231 if (p
->data_type
== OSSL_PARAM_UTF8_STRING
) {
232 if (OPENSSL_strcasecmp(p
->data
, "EXTRACT_AND_EXPAND") == 0) {
233 ctx
->mode
= EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
;
234 } else if (OPENSSL_strcasecmp(p
->data
, "EXTRACT_ONLY") == 0) {
235 ctx
->mode
= EVP_KDF_HKDF_MODE_EXTRACT_ONLY
;
236 } else if (OPENSSL_strcasecmp(p
->data
, "EXPAND_ONLY") == 0) {
237 ctx
->mode
= EVP_KDF_HKDF_MODE_EXPAND_ONLY
;
239 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_MODE
);
242 } else if (OSSL_PARAM_get_int(p
, &n
)) {
243 if (n
!= EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
244 && n
!= EVP_KDF_HKDF_MODE_EXTRACT_ONLY
245 && n
!= EVP_KDF_HKDF_MODE_EXPAND_ONLY
) {
246 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_MODE
);
251 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_MODE
);
256 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_KEY
)) != NULL
) {
257 OPENSSL_clear_free(ctx
->key
, ctx
->key_len
);
259 if (!OSSL_PARAM_get_octet_string(p
, (void **)&ctx
->key
, 0,
264 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SALT
)) != NULL
) {
265 if (p
->data_size
!= 0 && p
->data
!= NULL
) {
266 OPENSSL_free(ctx
->salt
);
268 if (!OSSL_PARAM_get_octet_string(p
, (void **)&ctx
->salt
, 0,
278 * Use WPACKET to concat one or more OSSL_KDF_PARAM_INFO fields into a fixed
279 * out buffer of size *outlen.
280 * If out is NULL then outlen is used to return the required buffer size.
282 static int setinfo_fromparams(const OSSL_PARAM
*p
, unsigned char *out
, size_t *outlen
)
288 if (!WPACKET_init_null(&pkt
, 0))
291 if (!WPACKET_init_static_len(&pkt
, out
, *outlen
, 0))
295 for (; p
!= NULL
; p
= OSSL_PARAM_locate_const(p
+ 1, OSSL_KDF_PARAM_INFO
)) {
296 if (p
->data_type
!= OSSL_PARAM_OCTET_STRING
)
300 && !WPACKET_memcpy(&pkt
, p
->data
, p
->data_size
))
303 if (!WPACKET_get_total_written(&pkt
, outlen
)
304 || !WPACKET_finish(&pkt
))
308 WPACKET_cleanup(&pkt
);
312 static int kdf_hkdf_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
315 KDF_HKDF
*ctx
= vctx
;
320 if (!hkdf_common_set_ctx_params(ctx
, params
))
323 /* The info fields concatenate, so process them all */
324 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_INFO
)) != NULL
) {
327 /* calculate the total size */
328 if (!setinfo_fromparams(p
, NULL
, &sz
))
330 if (sz
> HKDF_MAXINFO
)
333 OPENSSL_clear_free(ctx
->info
, ctx
->info_len
);
337 /* Alloc the buffer */
338 ctx
->info
= OPENSSL_malloc(sz
);
339 if (ctx
->info
== NULL
)
342 /* Concat one or more OSSL_KDF_PARAM_INFO fields */
343 if (!setinfo_fromparams(p
, ctx
->info
, &sz
))
349 static const OSSL_PARAM
*kdf_hkdf_settable_ctx_params(ossl_unused
void *ctx
,
350 ossl_unused
void *provctx
)
352 static const OSSL_PARAM known_settable_ctx_params
[] = {
353 HKDF_COMMON_SETTABLES
,
354 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO
, NULL
, 0),
357 return known_settable_ctx_params
;
360 static int kdf_hkdf_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
362 KDF_HKDF
*ctx
= (KDF_HKDF
*)vctx
;
365 if ((p
= OSSL_PARAM_locate(params
, OSSL_KDF_PARAM_SIZE
)) != NULL
) {
366 size_t sz
= kdf_hkdf_size(ctx
);
370 return OSSL_PARAM_set_size_t(p
, sz
);
375 static const OSSL_PARAM
*kdf_hkdf_gettable_ctx_params(ossl_unused
void *ctx
,
376 ossl_unused
void *provctx
)
378 static const OSSL_PARAM known_gettable_ctx_params
[] = {
379 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE
, NULL
),
382 return known_gettable_ctx_params
;
385 const OSSL_DISPATCH ossl_kdf_hkdf_functions
[] = {
386 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))kdf_hkdf_new
},
387 { OSSL_FUNC_KDF_DUPCTX
, (void(*)(void))kdf_hkdf_dup
},
388 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))kdf_hkdf_free
},
389 { OSSL_FUNC_KDF_RESET
, (void(*)(void))kdf_hkdf_reset
},
390 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))kdf_hkdf_derive
},
391 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
392 (void(*)(void))kdf_hkdf_settable_ctx_params
},
393 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))kdf_hkdf_set_ctx_params
},
394 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
395 (void(*)(void))kdf_hkdf_gettable_ctx_params
},
396 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))kdf_hkdf_get_ctx_params
},
401 * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
402 * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and
403 * "Cryptographic Extraction and Key Derivation: The HKDF Scheme"
404 * Section 4.2 (https://eprint.iacr.org/2010/264.pdf).
407 * The scheme HKDF is specified as:
408 * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t)
411 * SKM is source key material
412 * XTS is extractor salt (which may be null or constant)
413 * CTXinfo is context information (may be null)
414 * L is the number of key bits to be produced by KDF
415 * k is the output length in bits of the hash function used with HMAC
417 * the value K(t) is truncated to its first d = L mod k bits.
420 * 2.2. Step 1: Extract
421 * HKDF-Extract(salt, IKM) -> PRK
422 * 2.3. Step 2: Expand
423 * HKDF-Expand(PRK, info, L) -> OKM
425 static int HKDF(OSSL_LIB_CTX
*libctx
, const EVP_MD
*evp_md
,
426 const unsigned char *salt
, size_t salt_len
,
427 const unsigned char *ikm
, size_t ikm_len
,
428 const unsigned char *info
, size_t info_len
,
429 unsigned char *okm
, size_t okm_len
)
431 unsigned char prk
[EVP_MAX_MD_SIZE
];
435 sz
= EVP_MD_get_size(evp_md
);
438 prk_len
= (size_t)sz
;
440 /* Step 1: HKDF-Extract(salt, IKM) -> PRK */
441 if (!HKDF_Extract(libctx
, evp_md
,
442 salt
, salt_len
, ikm
, ikm_len
, prk
, prk_len
))
445 /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */
446 ret
= HKDF_Expand(evp_md
, prk
, prk_len
, info
, info_len
, okm
, okm_len
);
447 OPENSSL_cleanse(prk
, sizeof(prk
));
453 * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
454 * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2).
456 * 2.2. Step 1: Extract
458 * HKDF-Extract(salt, IKM) -> PRK
461 * Hash a hash function; HashLen denotes the length of the
462 * hash function output in octets
465 * salt optional salt value (a non-secret random value);
466 * if not provided, it is set to a string of HashLen zeros.
467 * IKM input keying material
470 * PRK a pseudorandom key (of HashLen octets)
472 * The output PRK is calculated as follows:
474 * PRK = HMAC-Hash(salt, IKM)
476 static int HKDF_Extract(OSSL_LIB_CTX
*libctx
, const EVP_MD
*evp_md
,
477 const unsigned char *salt
, size_t salt_len
,
478 const unsigned char *ikm
, size_t ikm_len
,
479 unsigned char *prk
, size_t prk_len
)
481 int sz
= EVP_MD_get_size(evp_md
);
485 if (prk_len
!= (size_t)sz
) {
486 ERR_raise(ERR_LIB_PROV
, PROV_R_WRONG_OUTPUT_BUFFER_SIZE
);
489 /* calc: PRK = HMAC-Hash(salt, IKM) */
491 EVP_Q_mac(libctx
, "HMAC", NULL
, EVP_MD_get0_name(evp_md
), NULL
, salt
,
492 salt_len
, ikm
, ikm_len
, prk
, EVP_MD_get_size(evp_md
), NULL
)
497 * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
498 * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3).
500 * 2.3. Step 2: Expand
502 * HKDF-Expand(PRK, info, L) -> OKM
505 * Hash a hash function; HashLen denotes the length of the
506 * hash function output in octets
509 * PRK a pseudorandom key of at least HashLen octets
510 * (usually, the output from the extract step)
511 * info optional context and application specific information
512 * (can be a zero-length string)
513 * L length of output keying material in octets
517 * OKM output keying material (of L octets)
519 * The output OKM is calculated as follows:
521 * N = ceil(L/HashLen)
522 * T = T(1) | T(2) | T(3) | ... | T(N)
523 * OKM = first L octets of T
526 * T(0) = empty string (zero length)
527 * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
528 * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
529 * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
532 * (where the constant concatenated to the end of each T(n) is a
535 static int HKDF_Expand(const EVP_MD
*evp_md
,
536 const unsigned char *prk
, size_t prk_len
,
537 const unsigned char *info
, size_t info_len
,
538 unsigned char *okm
, size_t okm_len
)
543 unsigned char prev
[EVP_MAX_MD_SIZE
];
544 size_t done_len
= 0, dig_len
, n
;
546 sz
= EVP_MD_get_size(evp_md
);
549 dig_len
= (size_t)sz
;
551 /* calc: N = ceil(L/HashLen) */
552 n
= okm_len
/ dig_len
;
553 if (okm_len
% dig_len
)
556 if (n
> 255 || okm
== NULL
)
559 if ((hmac
= HMAC_CTX_new()) == NULL
)
562 if (!HMAC_Init_ex(hmac
, prk
, prk_len
, evp_md
, NULL
))
565 for (i
= 1; i
<= n
; i
++) {
567 const unsigned char ctr
= i
;
569 /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */
571 if (!HMAC_Init_ex(hmac
, NULL
, 0, NULL
, NULL
))
574 if (!HMAC_Update(hmac
, prev
, dig_len
))
578 if (!HMAC_Update(hmac
, info
, info_len
))
581 if (!HMAC_Update(hmac
, &ctr
, 1))
584 if (!HMAC_Final(hmac
, prev
, NULL
))
587 copy_len
= (done_len
+ dig_len
> okm_len
) ?
591 memcpy(okm
+ done_len
, prev
, copy_len
);
593 done_len
+= copy_len
;
598 OPENSSL_cleanse(prev
, sizeof(prev
));
604 * TLS uses slight variations of the above and for FIPS validation purposes,
605 * they need to be present here.
606 * Refer to RFC 8446 section 7 for specific details.
610 * Given a |secret|; a |label| of length |labellen|; and |data| of length
611 * |datalen| (e.g. typically a hash of the handshake messages), derive a new
612 * secret |outlen| bytes long and store it in the location pointed to be |out|.
613 * The |data| value may be zero length. Returns 1 on success and 0 on failure.
615 static int prov_tls13_hkdf_expand(const EVP_MD
*md
,
616 const unsigned char *key
, size_t keylen
,
617 const unsigned char *prefix
, size_t prefixlen
,
618 const unsigned char *label
, size_t labellen
,
619 const unsigned char *data
, size_t datalen
,
620 unsigned char *out
, size_t outlen
)
623 unsigned char hkdflabel
[HKDF_MAXBUF
];
627 * 2 bytes for length of derived secret + 1 byte for length of combined
628 * prefix and label + bytes for the label itself + 1 byte length of hash
629 * + bytes for the hash itself. We've got the maximum the KDF can handle
630 * which should always be sufficient.
632 if (!WPACKET_init_static_len(&pkt
, hkdflabel
, sizeof(hkdflabel
), 0)
633 || !WPACKET_put_bytes_u16(&pkt
, outlen
)
634 || !WPACKET_start_sub_packet_u8(&pkt
)
635 || !WPACKET_memcpy(&pkt
, prefix
, prefixlen
)
636 || !WPACKET_memcpy(&pkt
, label
, labellen
)
637 || !WPACKET_close(&pkt
)
638 || !WPACKET_sub_memcpy_u8(&pkt
, data
, (data
== NULL
) ? 0 : datalen
)
639 || !WPACKET_get_total_written(&pkt
, &hkdflabellen
)
640 || !WPACKET_finish(&pkt
)) {
641 WPACKET_cleanup(&pkt
);
645 return HKDF_Expand(md
, key
, keylen
, hkdflabel
, hkdflabellen
,
649 static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX
*libctx
,
651 const unsigned char *prevsecret
,
652 size_t prevsecretlen
,
653 const unsigned char *insecret
,
655 const unsigned char *prefix
,
657 const unsigned char *label
,
659 unsigned char *out
, size_t outlen
)
663 unsigned char preextractsec
[EVP_MAX_MD_SIZE
];
664 /* Always filled with zeros */
665 static const unsigned char default_zeros
[EVP_MAX_MD_SIZE
];
667 ret
= EVP_MD_get_size(md
);
668 /* Ensure cast to size_t is safe */
673 if (insecret
== NULL
) {
674 insecret
= default_zeros
;
677 if (prevsecret
== NULL
) {
678 prevsecret
= default_zeros
;
681 EVP_MD_CTX
*mctx
= EVP_MD_CTX_new();
682 unsigned char hash
[EVP_MAX_MD_SIZE
];
684 /* The pre-extract derive step uses a hash of no messages */
686 || EVP_DigestInit_ex(mctx
, md
, NULL
) <= 0
687 || EVP_DigestFinal_ex(mctx
, hash
, NULL
) <= 0) {
688 EVP_MD_CTX_free(mctx
);
691 EVP_MD_CTX_free(mctx
);
693 /* Generate the pre-extract secret */
694 if (!prov_tls13_hkdf_expand(md
, prevsecret
, mdlen
,
695 prefix
, prefixlen
, label
, labellen
,
696 hash
, mdlen
, preextractsec
, mdlen
))
698 prevsecret
= preextractsec
;
699 prevsecretlen
= mdlen
;
702 ret
= HKDF_Extract(libctx
, md
, prevsecret
, prevsecretlen
,
703 insecret
, insecretlen
, out
, outlen
);
705 if (prevsecret
== preextractsec
)
706 OPENSSL_cleanse(preextractsec
, mdlen
);
710 static int kdf_tls1_3_derive(void *vctx
, unsigned char *key
, size_t keylen
,
711 const OSSL_PARAM params
[])
713 KDF_HKDF
*ctx
= (KDF_HKDF
*)vctx
;
716 if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx
, params
))
719 md
= ossl_prov_digest_md(&ctx
->digest
);
721 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
729 case EVP_KDF_HKDF_MODE_EXTRACT_ONLY
:
730 return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx
->provctx
),
732 ctx
->salt
, ctx
->salt_len
,
733 ctx
->key
, ctx
->key_len
,
734 ctx
->prefix
, ctx
->prefix_len
,
735 ctx
->label
, ctx
->label_len
,
738 case EVP_KDF_HKDF_MODE_EXPAND_ONLY
:
739 return prov_tls13_hkdf_expand(md
, ctx
->key
, ctx
->key_len
,
740 ctx
->prefix
, ctx
->prefix_len
,
741 ctx
->label
, ctx
->label_len
,
742 ctx
->data
, ctx
->data_len
,
747 static int kdf_tls1_3_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
750 KDF_HKDF
*ctx
= vctx
;
755 if (!hkdf_common_set_ctx_params(ctx
, params
))
758 if (ctx
->mode
== EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
) {
759 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_MODE
);
763 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_PREFIX
)) != NULL
) {
764 OPENSSL_free(ctx
->prefix
);
766 if (!OSSL_PARAM_get_octet_string(p
, (void **)&ctx
->prefix
, 0,
771 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_LABEL
)) != NULL
) {
772 OPENSSL_free(ctx
->label
);
774 if (!OSSL_PARAM_get_octet_string(p
, (void **)&ctx
->label
, 0,
779 OPENSSL_clear_free(ctx
->data
, ctx
->data_len
);
781 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_DATA
)) != NULL
782 && !OSSL_PARAM_get_octet_string(p
, (void **)&ctx
->data
, 0,
788 static const OSSL_PARAM
*kdf_tls1_3_settable_ctx_params(ossl_unused
void *ctx
,
789 ossl_unused
void *provctx
)
791 static const OSSL_PARAM known_settable_ctx_params
[] = {
792 HKDF_COMMON_SETTABLES
,
793 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX
, NULL
, 0),
794 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL
, NULL
, 0),
795 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA
, NULL
, 0),
798 return known_settable_ctx_params
;
801 const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions
[] = {
802 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))kdf_hkdf_new
},
803 { OSSL_FUNC_KDF_DUPCTX
, (void(*)(void))kdf_hkdf_dup
},
804 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))kdf_hkdf_free
},
805 { OSSL_FUNC_KDF_RESET
, (void(*)(void))kdf_hkdf_reset
},
806 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))kdf_tls1_3_derive
},
807 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
808 (void(*)(void))kdf_tls1_3_settable_ctx_params
},
809 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))kdf_tls1_3_set_ctx_params
},
810 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
811 (void(*)(void))kdf_hkdf_gettable_ctx_params
},
812 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))kdf_hkdf_get_ctx_params
},