2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
15 * The Single Step KDF algorithm is given by:
17 * Result(0) = empty bit string (i.e., the null string).
18 * For i = 1 to reps, do the following:
19 * Increment counter by 1.
20 * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21 * DKM = LeftmostBits(Result(reps), L))
24 * Z is a shared secret required to produce the derived key material.
25 * counter is a 4 byte buffer.
26 * FixedInfo is a bit string containing context specific data.
27 * DKM is the output derived key material.
28 * L is the required size of the DKM.
29 * reps = [L / H_outputBits]
30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31 * H_outputBits is the length of the output of the auxiliary function H(x).
33 * Currently there is not a comprehensive list of test vectors for this
34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include <openssl/core_names.h>
44 #include <openssl/params.h>
45 #include <openssl/proverr.h>
46 #include "internal/cryptlib.h"
47 #include "internal/numbers.h"
48 #include "crypto/evp.h"
49 #include "prov/provider_ctx.h"
50 #include "prov/providercommon.h"
51 #include "prov/implementations.h"
52 #include "prov/provider_util.h"
56 EVP_MAC_CTX
*macctx
; /* H(x) = HMAC_hash OR H(x) = KMAC */
57 PROV_DIGEST digest
; /* H(x) = hash(x) */
58 unsigned char *secret
;
64 size_t out_len
; /* optional KMAC parameter */
67 #define SSKDF_MAX_INLEN (1<<30)
68 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
69 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
71 /* KMAC uses a Customisation string of 'KDF' */
72 static const unsigned char kmac_custom_str
[] = { 0x4B, 0x44, 0x46 };
74 static OSSL_FUNC_kdf_newctx_fn sskdf_new
;
75 static OSSL_FUNC_kdf_freectx_fn sskdf_free
;
76 static OSSL_FUNC_kdf_reset_fn sskdf_reset
;
77 static OSSL_FUNC_kdf_derive_fn sskdf_derive
;
78 static OSSL_FUNC_kdf_derive_fn x963kdf_derive
;
79 static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params
;
80 static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params
;
81 static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params
;
82 static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params
;
85 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
86 * Section 4. One-Step Key Derivation using H(x) = hash(x)
87 * Note: X9.63 also uses this code with the only difference being that the
88 * counter is appended to the secret 'z'.
90 * result[i] = Hash(counter || z || info) for One Step OR
91 * result[i] = Hash(z || counter || info) for X9.63.
93 static int SSKDF_hash_kdm(const EVP_MD
*kdf_md
,
94 const unsigned char *z
, size_t z_len
,
95 const unsigned char *info
, size_t info_len
,
96 unsigned int append_ctr
,
97 unsigned char *derived_key
, size_t derived_key_len
)
100 size_t counter
, out_len
, len
= derived_key_len
;
102 unsigned char mac
[EVP_MAX_MD_SIZE
];
103 unsigned char *out
= derived_key
;
104 EVP_MD_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
106 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
107 || derived_key_len
> SSKDF_MAX_INLEN
108 || derived_key_len
== 0)
111 hlen
= EVP_MD_size(kdf_md
);
114 out_len
= (size_t)hlen
;
116 ctx
= EVP_MD_CTX_create();
117 ctx_init
= EVP_MD_CTX_create();
118 if (ctx
== NULL
|| ctx_init
== NULL
)
121 if (!EVP_DigestInit(ctx_init
, kdf_md
))
124 for (counter
= 1;; counter
++) {
125 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
126 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
127 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
128 c
[3] = (unsigned char)(counter
& 0xff);
130 if (!(EVP_MD_CTX_copy_ex(ctx
, ctx_init
)
131 && (append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
132 && EVP_DigestUpdate(ctx
, z
, z_len
)
133 && (!append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
134 && EVP_DigestUpdate(ctx
, info
, info_len
)))
136 if (len
>= out_len
) {
137 if (!EVP_DigestFinal_ex(ctx
, out
, NULL
))
144 if (!EVP_DigestFinal_ex(ctx
, mac
, NULL
))
146 memcpy(out
, mac
, len
);
152 EVP_MD_CTX_destroy(ctx
);
153 EVP_MD_CTX_destroy(ctx_init
);
154 OPENSSL_cleanse(mac
, sizeof(mac
));
158 static int kmac_init(EVP_MAC_CTX
*ctx
, const unsigned char *custom
,
159 size_t custom_len
, size_t kmac_out_len
,
160 size_t derived_key_len
, unsigned char **out
)
162 OSSL_PARAM params
[2];
164 /* Only KMAC has custom data - so return if not KMAC */
168 params
[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM
,
169 (void *)custom
, custom_len
);
170 params
[1] = OSSL_PARAM_construct_end();
172 if (!EVP_MAC_CTX_set_params(ctx
, params
))
175 /* By default only do one iteration if kmac_out_len is not specified */
176 if (kmac_out_len
== 0)
177 kmac_out_len
= derived_key_len
;
178 /* otherwise check the size is valid */
179 else if (!(kmac_out_len
== derived_key_len
180 || kmac_out_len
== 20
181 || kmac_out_len
== 28
182 || kmac_out_len
== 32
183 || kmac_out_len
== 48
184 || kmac_out_len
== 64))
187 params
[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE
,
190 if (EVP_MAC_CTX_set_params(ctx
, params
) <= 0)
194 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
195 * alloc a buffer for this case.
197 if (kmac_out_len
> EVP_MAX_MD_SIZE
) {
198 *out
= OPENSSL_zalloc(kmac_out_len
);
206 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
207 * Section 4. One-Step Key Derivation using MAC: i.e either
208 * H(x) = HMAC-hash(salt, x) OR
209 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
211 static int SSKDF_mac_kdm(EVP_MAC_CTX
*ctx_init
,
212 const unsigned char *kmac_custom
,
213 size_t kmac_custom_len
, size_t kmac_out_len
,
214 const unsigned char *salt
, size_t salt_len
,
215 const unsigned char *z
, size_t z_len
,
216 const unsigned char *info
, size_t info_len
,
217 unsigned char *derived_key
, size_t derived_key_len
)
220 size_t counter
, out_len
, len
;
222 unsigned char mac_buf
[EVP_MAX_MD_SIZE
];
223 unsigned char *out
= derived_key
;
224 EVP_MAC_CTX
*ctx
= NULL
;
225 unsigned char *mac
= mac_buf
, *kmac_buffer
= NULL
;
226 OSSL_PARAM params
[2], *p
= params
;
228 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
229 || derived_key_len
> SSKDF_MAX_INLEN
230 || derived_key_len
== 0)
233 *p
++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY
,
234 (void *)salt
, salt_len
);
235 *p
= OSSL_PARAM_construct_end();
237 if (!EVP_MAC_CTX_set_params(ctx_init
, params
))
240 if (!kmac_init(ctx_init
, kmac_custom
, kmac_custom_len
, kmac_out_len
,
241 derived_key_len
, &kmac_buffer
))
243 if (kmac_buffer
!= NULL
)
246 if (!EVP_MAC_init(ctx_init
))
249 out_len
= EVP_MAC_CTX_get_mac_size(ctx_init
); /* output size */
252 len
= derived_key_len
;
254 for (counter
= 1;; counter
++) {
255 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
256 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
257 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
258 c
[3] = (unsigned char)(counter
& 0xff);
260 ctx
= EVP_MAC_CTX_dup(ctx_init
);
262 && EVP_MAC_update(ctx
, c
, sizeof(c
))
263 && EVP_MAC_update(ctx
, z
, z_len
)
264 && EVP_MAC_update(ctx
, info
, info_len
)))
266 if (len
>= out_len
) {
267 if (!EVP_MAC_final(ctx
, out
, NULL
, len
))
274 if (!EVP_MAC_final(ctx
, mac
, NULL
, len
))
276 memcpy(out
, mac
, len
);
279 EVP_MAC_CTX_free(ctx
);
284 if (kmac_buffer
!= NULL
)
285 OPENSSL_clear_free(kmac_buffer
, kmac_out_len
);
287 OPENSSL_cleanse(mac_buf
, sizeof(mac_buf
));
289 EVP_MAC_CTX_free(ctx
);
293 static void *sskdf_new(void *provctx
)
297 if (!ossl_prov_is_running())
300 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
)
301 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
302 ctx
->provctx
= provctx
;
306 static void sskdf_reset(void *vctx
)
308 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
309 void *provctx
= ctx
->provctx
;
311 EVP_MAC_CTX_free(ctx
->macctx
);
312 ossl_prov_digest_reset(&ctx
->digest
);
313 OPENSSL_clear_free(ctx
->secret
, ctx
->secret_len
);
314 OPENSSL_clear_free(ctx
->info
, ctx
->info_len
);
315 OPENSSL_clear_free(ctx
->salt
, ctx
->salt_len
);
316 memset(ctx
, 0, sizeof(*ctx
));
317 ctx
->provctx
= provctx
;
320 static void sskdf_free(void *vctx
)
322 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
330 static int sskdf_set_buffer(unsigned char **out
, size_t *out_len
,
333 if (p
->data
== NULL
|| p
->data_size
== 0)
337 return OSSL_PARAM_get_octet_string(p
, (void **)out
, 0, out_len
);
340 static size_t sskdf_size(KDF_SSKDF
*ctx
)
343 const EVP_MD
*md
= ossl_prov_digest_md(&ctx
->digest
);
346 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
349 len
= EVP_MD_size(md
);
350 return (len
<= 0) ? 0 : (size_t)len
;
353 static int sskdf_derive(void *vctx
, unsigned char *key
, size_t keylen
)
355 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
358 if (!ossl_prov_is_running())
360 if (ctx
->secret
== NULL
) {
361 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SECRET
);
364 md
= ossl_prov_digest_md(&ctx
->digest
);
366 if (ctx
->macctx
!= NULL
) {
367 /* H(x) = KMAC or H(x) = HMAC */
369 const unsigned char *custom
= NULL
;
370 size_t custom_len
= 0;
371 int default_salt_len
;
372 EVP_MAC
*mac
= EVP_MAC_CTX_mac(ctx
->macctx
);
374 if (EVP_MAC_is_a(mac
, OSSL_MAC_NAME_HMAC
)) {
375 /* H(x) = HMAC(x, salt, hash) */
377 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
380 default_salt_len
= EVP_MD_size(md
);
381 if (default_salt_len
<= 0)
383 } else if (EVP_MAC_is_a(mac
, OSSL_MAC_NAME_KMAC128
)
384 || EVP_MAC_is_a(mac
, OSSL_MAC_NAME_KMAC256
)) {
385 /* H(x) = KMACzzz(x, salt, custom) */
386 custom
= kmac_custom_str
;
387 custom_len
= sizeof(kmac_custom_str
);
388 if (EVP_MAC_is_a(mac
, OSSL_MAC_NAME_KMAC128
))
389 default_salt_len
= SSKDF_KMAC128_DEFAULT_SALT_SIZE
;
391 default_salt_len
= SSKDF_KMAC256_DEFAULT_SALT_SIZE
;
393 ERR_raise(ERR_LIB_PROV
, PROV_R_UNSUPPORTED_MAC_TYPE
);
396 /* If no salt is set then use a default_salt of zeros */
397 if (ctx
->salt
== NULL
|| ctx
->salt_len
<= 0) {
398 ctx
->salt
= OPENSSL_zalloc(default_salt_len
);
399 if (ctx
->salt
== NULL
) {
400 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
403 ctx
->salt_len
= default_salt_len
;
405 ret
= SSKDF_mac_kdm(ctx
->macctx
,
406 custom
, custom_len
, ctx
->out_len
,
407 ctx
->salt
, ctx
->salt_len
,
408 ctx
->secret
, ctx
->secret_len
,
409 ctx
->info
, ctx
->info_len
, key
, keylen
);
414 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
417 return SSKDF_hash_kdm(md
, ctx
->secret
, ctx
->secret_len
,
418 ctx
->info
, ctx
->info_len
, 0, key
, keylen
);
422 static int x963kdf_derive(void *vctx
, unsigned char *key
, size_t keylen
)
424 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
427 if (!ossl_prov_is_running())
430 if (ctx
->secret
== NULL
) {
431 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SECRET
);
435 if (ctx
->macctx
!= NULL
) {
436 ERR_raise(ERR_LIB_PROV
, PROV_R_NOT_SUPPORTED
);
441 md
= ossl_prov_digest_md(&ctx
->digest
);
443 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
447 return SSKDF_hash_kdm(md
, ctx
->secret
, ctx
->secret_len
,
448 ctx
->info
, ctx
->info_len
, 1, key
, keylen
);
451 static int sskdf_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
454 KDF_SSKDF
*ctx
= vctx
;
455 OSSL_LIB_CTX
*libctx
= PROV_LIBCTX_OF(ctx
->provctx
);
458 if (!ossl_prov_digest_load_from_params(&ctx
->digest
, params
, libctx
))
461 if (!ossl_prov_macctx_load_from_params(&ctx
->macctx
, params
,
462 NULL
, NULL
, NULL
, libctx
))
465 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SECRET
)) != NULL
466 || (p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_KEY
)) != NULL
)
467 if (!sskdf_set_buffer(&ctx
->secret
, &ctx
->secret_len
, p
))
470 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_INFO
)) != NULL
)
471 if (!sskdf_set_buffer(&ctx
->info
, &ctx
->info_len
, p
))
474 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SALT
)) != NULL
)
475 if (!sskdf_set_buffer(&ctx
->salt
, &ctx
->salt_len
, p
))
478 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_MAC_SIZE
))
480 if (!OSSL_PARAM_get_size_t(p
, &sz
) || sz
== 0)
487 static const OSSL_PARAM
*sskdf_settable_ctx_params(ossl_unused
void *provctx
)
489 static const OSSL_PARAM known_settable_ctx_params
[] = {
490 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET
, NULL
, 0),
491 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY
, NULL
, 0),
492 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO
, NULL
, 0),
493 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES
, NULL
, 0),
494 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST
, NULL
, 0),
495 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC
, NULL
, 0),
496 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT
, NULL
, 0),
497 OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE
, NULL
),
500 return known_settable_ctx_params
;
503 static int sskdf_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
505 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
508 if ((p
= OSSL_PARAM_locate(params
, OSSL_KDF_PARAM_SIZE
)) != NULL
)
509 return OSSL_PARAM_set_size_t(p
, sskdf_size(ctx
));
513 static const OSSL_PARAM
*sskdf_gettable_ctx_params(ossl_unused
void *provctx
)
515 static const OSSL_PARAM known_gettable_ctx_params
[] = {
516 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE
, NULL
),
519 return known_gettable_ctx_params
;
522 const OSSL_DISPATCH ossl_kdf_sskdf_functions
[] = {
523 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))sskdf_new
},
524 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))sskdf_free
},
525 { OSSL_FUNC_KDF_RESET
, (void(*)(void))sskdf_reset
},
526 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))sskdf_derive
},
527 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
528 (void(*)(void))sskdf_settable_ctx_params
},
529 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))sskdf_set_ctx_params
},
530 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
531 (void(*)(void))sskdf_gettable_ctx_params
},
532 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))sskdf_get_ctx_params
},
536 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions
[] = {
537 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))sskdf_new
},
538 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))sskdf_free
},
539 { OSSL_FUNC_KDF_RESET
, (void(*)(void))sskdf_reset
},
540 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))x963kdf_derive
},
541 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
542 (void(*)(void))sskdf_settable_ctx_params
},
543 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))sskdf_set_ctx_params
},
544 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
545 (void(*)(void))sskdf_gettable_ctx_params
},
546 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))sskdf_get_ctx_params
},