2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
15 * The Single Step KDF algorithm is given by:
17 * Result(0) = empty bit string (i.e., the null string).
18 * For i = 1 to reps, do the following:
19 * Increment counter by 1.
20 * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21 * DKM = LeftmostBits(Result(reps), L))
24 * Z is a shared secret required to produce the derived key material.
25 * counter is a 4 byte buffer.
26 * FixedInfo is a bit string containing context specific data.
27 * DKM is the output derived key material.
28 * L is the required size of the DKM.
29 * reps = [L / H_outputBits]
30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31 * H_outputBits is the length of the output of the auxiliary function H(x).
33 * Currently there is not a comprehensive list of test vectors for this
34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include <openssl/core_names.h>
44 #include <openssl/params.h>
45 #include <openssl/proverr.h>
46 #include "internal/cryptlib.h"
47 #include "internal/numbers.h"
48 #include "crypto/evp.h"
49 #include "prov/provider_ctx.h"
50 #include "prov/providercommon.h"
51 #include "prov/implementations.h"
52 #include "prov/provider_util.h"
53 #include "internal/params.h"
57 EVP_MAC_CTX
*macctx
; /* H(x) = HMAC_hash OR H(x) = KMAC */
58 PROV_DIGEST digest
; /* H(x) = hash(x) */
59 unsigned char *secret
;
65 size_t out_len
; /* optional KMAC parameter */
69 #define SSKDF_MAX_INLEN (1<<30)
70 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
71 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
73 /* KMAC uses a Customisation string of 'KDF' */
74 static const unsigned char kmac_custom_str
[] = { 0x4B, 0x44, 0x46 };
76 static OSSL_FUNC_kdf_newctx_fn sskdf_new
;
77 static OSSL_FUNC_kdf_dupctx_fn sskdf_dup
;
78 static OSSL_FUNC_kdf_freectx_fn sskdf_free
;
79 static OSSL_FUNC_kdf_reset_fn sskdf_reset
;
80 static OSSL_FUNC_kdf_derive_fn sskdf_derive
;
81 static OSSL_FUNC_kdf_derive_fn x963kdf_derive
;
82 static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params
;
83 static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params
;
84 static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params
;
85 static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params
;
88 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
89 * Section 4. One-Step Key Derivation using H(x) = hash(x)
90 * Note: X9.63 also uses this code with the only difference being that the
91 * counter is appended to the secret 'z'.
93 * result[i] = Hash(counter || z || info) for One Step OR
94 * result[i] = Hash(z || counter || info) for X9.63.
96 static int SSKDF_hash_kdm(const EVP_MD
*kdf_md
,
97 const unsigned char *z
, size_t z_len
,
98 const unsigned char *info
, size_t info_len
,
99 unsigned int append_ctr
,
100 unsigned char *derived_key
, size_t derived_key_len
)
103 size_t counter
, out_len
, len
= derived_key_len
;
105 unsigned char mac
[EVP_MAX_MD_SIZE
];
106 unsigned char *out
= derived_key
;
107 EVP_MD_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
109 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
110 || derived_key_len
> SSKDF_MAX_INLEN
111 || derived_key_len
== 0)
114 hlen
= EVP_MD_get_size(kdf_md
);
117 out_len
= (size_t)hlen
;
119 ctx
= EVP_MD_CTX_create();
120 ctx_init
= EVP_MD_CTX_create();
121 if (ctx
== NULL
|| ctx_init
== NULL
)
124 if (!EVP_DigestInit(ctx_init
, kdf_md
))
127 for (counter
= 1;; counter
++) {
128 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
129 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
130 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
131 c
[3] = (unsigned char)(counter
& 0xff);
133 if (!(EVP_MD_CTX_copy_ex(ctx
, ctx_init
)
134 && (append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
135 && EVP_DigestUpdate(ctx
, z
, z_len
)
136 && (!append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
137 && EVP_DigestUpdate(ctx
, info
, info_len
)))
139 if (len
>= out_len
) {
140 if (!EVP_DigestFinal_ex(ctx
, out
, NULL
))
147 if (!EVP_DigestFinal_ex(ctx
, mac
, NULL
))
149 memcpy(out
, mac
, len
);
155 EVP_MD_CTX_destroy(ctx
);
156 EVP_MD_CTX_destroy(ctx_init
);
157 OPENSSL_cleanse(mac
, sizeof(mac
));
161 static int kmac_init(EVP_MAC_CTX
*ctx
, const unsigned char *custom
,
162 size_t custom_len
, size_t kmac_out_len
,
163 size_t derived_key_len
, unsigned char **out
)
165 OSSL_PARAM params
[2];
167 /* Only KMAC has custom data - so return if not KMAC */
171 params
[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM
,
172 (void *)custom
, custom_len
);
173 params
[1] = OSSL_PARAM_construct_end();
175 if (!EVP_MAC_CTX_set_params(ctx
, params
))
178 /* By default only do one iteration if kmac_out_len is not specified */
179 if (kmac_out_len
== 0)
180 kmac_out_len
= derived_key_len
;
181 /* otherwise check the size is valid */
182 else if (!(kmac_out_len
== derived_key_len
183 || kmac_out_len
== 20
184 || kmac_out_len
== 28
185 || kmac_out_len
== 32
186 || kmac_out_len
== 48
187 || kmac_out_len
== 64))
190 params
[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE
,
193 if (EVP_MAC_CTX_set_params(ctx
, params
) <= 0)
197 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
198 * alloc a buffer for this case.
200 if (kmac_out_len
> EVP_MAX_MD_SIZE
) {
201 *out
= OPENSSL_zalloc(kmac_out_len
);
209 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
210 * Section 4. One-Step Key Derivation using MAC: i.e either
211 * H(x) = HMAC-hash(salt, x) OR
212 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
214 static int SSKDF_mac_kdm(EVP_MAC_CTX
*ctx_init
,
215 const unsigned char *kmac_custom
,
216 size_t kmac_custom_len
, size_t kmac_out_len
,
217 const unsigned char *salt
, size_t salt_len
,
218 const unsigned char *z
, size_t z_len
,
219 const unsigned char *info
, size_t info_len
,
220 unsigned char *derived_key
, size_t derived_key_len
)
223 size_t counter
, out_len
, len
;
225 unsigned char mac_buf
[EVP_MAX_MD_SIZE
];
226 unsigned char *out
= derived_key
;
227 EVP_MAC_CTX
*ctx
= NULL
;
228 unsigned char *mac
= mac_buf
, *kmac_buffer
= NULL
;
230 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
231 || derived_key_len
> SSKDF_MAX_INLEN
232 || derived_key_len
== 0)
235 if (!kmac_init(ctx_init
, kmac_custom
, kmac_custom_len
, kmac_out_len
,
236 derived_key_len
, &kmac_buffer
))
238 if (kmac_buffer
!= NULL
)
241 if (!EVP_MAC_init(ctx_init
, salt
, salt_len
, NULL
))
244 out_len
= EVP_MAC_CTX_get_mac_size(ctx_init
); /* output size */
245 if (out_len
<= 0 || (mac
== mac_buf
&& out_len
> sizeof(mac_buf
)))
247 len
= derived_key_len
;
249 for (counter
= 1;; counter
++) {
250 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
251 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
252 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
253 c
[3] = (unsigned char)(counter
& 0xff);
255 ctx
= EVP_MAC_CTX_dup(ctx_init
);
257 && EVP_MAC_update(ctx
, c
, sizeof(c
))
258 && EVP_MAC_update(ctx
, z
, z_len
)
259 && EVP_MAC_update(ctx
, info
, info_len
)))
261 if (len
>= out_len
) {
262 if (!EVP_MAC_final(ctx
, out
, NULL
, len
))
269 if (!EVP_MAC_final(ctx
, mac
, NULL
, out_len
))
271 memcpy(out
, mac
, len
);
274 EVP_MAC_CTX_free(ctx
);
279 if (kmac_buffer
!= NULL
)
280 OPENSSL_clear_free(kmac_buffer
, kmac_out_len
);
282 OPENSSL_cleanse(mac_buf
, sizeof(mac_buf
));
284 EVP_MAC_CTX_free(ctx
);
288 static void *sskdf_new(void *provctx
)
292 if (!ossl_prov_is_running())
295 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) != NULL
)
296 ctx
->provctx
= provctx
;
300 static void sskdf_reset(void *vctx
)
302 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
303 void *provctx
= ctx
->provctx
;
305 EVP_MAC_CTX_free(ctx
->macctx
);
306 ossl_prov_digest_reset(&ctx
->digest
);
307 OPENSSL_clear_free(ctx
->secret
, ctx
->secret_len
);
308 OPENSSL_clear_free(ctx
->info
, ctx
->info_len
);
309 OPENSSL_clear_free(ctx
->salt
, ctx
->salt_len
);
310 memset(ctx
, 0, sizeof(*ctx
));
311 ctx
->provctx
= provctx
;
314 static void sskdf_free(void *vctx
)
316 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
324 static void *sskdf_dup(void *vctx
)
326 const KDF_SSKDF
*src
= (const KDF_SSKDF
*)vctx
;
329 dest
= sskdf_new(src
->provctx
);
331 if (src
->macctx
!= NULL
) {
332 dest
->macctx
= EVP_MAC_CTX_dup(src
->macctx
);
333 if (dest
->macctx
== NULL
)
336 if (!ossl_prov_memdup(src
->info
, src
->info_len
,
337 &dest
->info
, &dest
->info_len
)
338 || !ossl_prov_memdup(src
->salt
, src
->salt_len
,
339 &dest
->salt
, &dest
->salt_len
)
340 || !ossl_prov_memdup(src
->secret
, src
->secret_len
,
341 &dest
->secret
, &dest
->secret_len
)
342 || !ossl_prov_digest_copy(&dest
->digest
, &src
->digest
))
344 dest
->out_len
= src
->out_len
;
345 dest
->is_kmac
= src
->is_kmac
;
354 static size_t sskdf_size(KDF_SSKDF
*ctx
)
357 const EVP_MD
*md
= NULL
;
362 md
= ossl_prov_digest_md(&ctx
->digest
);
364 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
367 len
= EVP_MD_get_size(md
);
368 return (len
<= 0) ? 0 : (size_t)len
;
371 static int sskdf_derive(void *vctx
, unsigned char *key
, size_t keylen
,
372 const OSSL_PARAM params
[])
374 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
377 if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx
, params
))
379 if (ctx
->secret
== NULL
) {
380 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SECRET
);
383 md
= ossl_prov_digest_md(&ctx
->digest
);
385 if (ctx
->macctx
!= NULL
) {
386 /* H(x) = KMAC or H(x) = HMAC */
388 const unsigned char *custom
= NULL
;
389 size_t custom_len
= 0;
390 int default_salt_len
;
391 EVP_MAC
*mac
= EVP_MAC_CTX_get0_mac(ctx
->macctx
);
393 if (EVP_MAC_is_a(mac
, OSSL_MAC_NAME_HMAC
)) {
394 /* H(x) = HMAC(x, salt, hash) */
396 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
399 default_salt_len
= EVP_MD_get_size(md
);
400 if (default_salt_len
<= 0)
402 } else if (ctx
->is_kmac
) {
403 /* H(x) = KMACzzz(x, salt, custom) */
404 custom
= kmac_custom_str
;
405 custom_len
= sizeof(kmac_custom_str
);
406 if (EVP_MAC_is_a(mac
, OSSL_MAC_NAME_KMAC128
))
407 default_salt_len
= SSKDF_KMAC128_DEFAULT_SALT_SIZE
;
409 default_salt_len
= SSKDF_KMAC256_DEFAULT_SALT_SIZE
;
411 ERR_raise(ERR_LIB_PROV
, PROV_R_UNSUPPORTED_MAC_TYPE
);
414 /* If no salt is set then use a default_salt of zeros */
415 if (ctx
->salt
== NULL
|| ctx
->salt_len
<= 0) {
416 ctx
->salt
= OPENSSL_zalloc(default_salt_len
);
417 if (ctx
->salt
== NULL
)
419 ctx
->salt_len
= default_salt_len
;
421 ret
= SSKDF_mac_kdm(ctx
->macctx
,
422 custom
, custom_len
, ctx
->out_len
,
423 ctx
->salt
, ctx
->salt_len
,
424 ctx
->secret
, ctx
->secret_len
,
425 ctx
->info
, ctx
->info_len
, key
, keylen
);
430 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
433 return SSKDF_hash_kdm(md
, ctx
->secret
, ctx
->secret_len
,
434 ctx
->info
, ctx
->info_len
, 0, key
, keylen
);
438 static int x963kdf_derive(void *vctx
, unsigned char *key
, size_t keylen
,
439 const OSSL_PARAM params
[])
441 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
444 if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx
, params
))
447 if (ctx
->secret
== NULL
) {
448 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SECRET
);
452 if (ctx
->macctx
!= NULL
) {
453 ERR_raise(ERR_LIB_PROV
, PROV_R_NOT_SUPPORTED
);
458 md
= ossl_prov_digest_md(&ctx
->digest
);
460 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
464 return SSKDF_hash_kdm(md
, ctx
->secret
, ctx
->secret_len
,
465 ctx
->info
, ctx
->info_len
, 1, key
, keylen
);
468 static int sskdf_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
471 KDF_SSKDF
*ctx
= vctx
;
472 OSSL_LIB_CTX
*libctx
= PROV_LIBCTX_OF(ctx
->provctx
);
479 if (!ossl_prov_macctx_load_from_params(&ctx
->macctx
, params
,
480 NULL
, NULL
, NULL
, libctx
))
482 if (ctx
->macctx
!= NULL
) {
483 if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx
->macctx
),
484 OSSL_MAC_NAME_KMAC128
)
485 || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx
->macctx
),
486 OSSL_MAC_NAME_KMAC256
)) {
491 if (!ossl_prov_digest_load_from_params(&ctx
->digest
, params
, libctx
))
494 r
= ossl_param_get1_octet_string(params
, OSSL_KDF_PARAM_SECRET
,
495 &ctx
->secret
, &ctx
->secret_len
);
497 r
= ossl_param_get1_octet_string(params
, OSSL_KDF_PARAM_KEY
,
498 &ctx
->secret
, &ctx
->secret_len
);
502 if (ossl_param_get1_concat_octet_string(params
, OSSL_KDF_PARAM_INFO
,
503 &ctx
->info
, &ctx
->info_len
, 0) == 0)
506 if (ossl_param_get1_octet_string(params
, OSSL_KDF_PARAM_SALT
,
507 &ctx
->salt
, &ctx
->salt_len
) == 0)
510 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_MAC_SIZE
))
512 if (!OSSL_PARAM_get_size_t(p
, &sz
) || sz
== 0)
519 static const OSSL_PARAM
*sskdf_settable_ctx_params(ossl_unused
void *ctx
,
520 ossl_unused
void *provctx
)
522 static const OSSL_PARAM known_settable_ctx_params
[] = {
523 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET
, NULL
, 0),
524 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY
, NULL
, 0),
525 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO
, NULL
, 0),
526 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES
, NULL
, 0),
527 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST
, NULL
, 0),
528 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC
, NULL
, 0),
529 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT
, NULL
, 0),
530 OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE
, NULL
),
533 return known_settable_ctx_params
;
536 static int sskdf_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
538 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
541 if ((p
= OSSL_PARAM_locate(params
, OSSL_KDF_PARAM_SIZE
)) != NULL
)
542 return OSSL_PARAM_set_size_t(p
, sskdf_size(ctx
));
546 static const OSSL_PARAM
*sskdf_gettable_ctx_params(ossl_unused
void *ctx
,
547 ossl_unused
void *provctx
)
549 static const OSSL_PARAM known_gettable_ctx_params
[] = {
550 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE
, NULL
),
553 return known_gettable_ctx_params
;
556 const OSSL_DISPATCH ossl_kdf_sskdf_functions
[] = {
557 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))sskdf_new
},
558 { OSSL_FUNC_KDF_DUPCTX
, (void(*)(void))sskdf_dup
},
559 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))sskdf_free
},
560 { OSSL_FUNC_KDF_RESET
, (void(*)(void))sskdf_reset
},
561 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))sskdf_derive
},
562 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
563 (void(*)(void))sskdf_settable_ctx_params
},
564 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))sskdf_set_ctx_params
},
565 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
566 (void(*)(void))sskdf_gettable_ctx_params
},
567 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))sskdf_get_ctx_params
},
571 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions
[] = {
572 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))sskdf_new
},
573 { OSSL_FUNC_KDF_DUPCTX
, (void(*)(void))sskdf_dup
},
574 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))sskdf_free
},
575 { OSSL_FUNC_KDF_RESET
, (void(*)(void))sskdf_reset
},
576 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))x963kdf_derive
},
577 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
578 (void(*)(void))sskdf_settable_ctx_params
},
579 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))sskdf_set_ctx_params
},
580 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
581 (void(*)(void))sskdf_gettable_ctx_params
},
582 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))sskdf_get_ctx_params
},