2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
15 * The Single Step KDF algorithm is given by:
17 * Result(0) = empty bit string (i.e., the null string).
18 * For i = 1 to reps, do the following:
19 * Increment counter by 1.
20 * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21 * DKM = LeftmostBits(Result(reps), L))
24 * Z is a shared secret required to produce the derived key material.
25 * counter is a 4 byte buffer.
26 * FixedInfo is a bit string containing context specific data.
27 * DKM is the output derived key material.
28 * L is the required size of the DKM.
29 * reps = [L / H_outputBits]
30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31 * H_outputBits is the length of the output of the auxiliary function H(x).
33 * Currently there is not a comprehensive list of test vectors for this
34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include <openssl/core_names.h>
44 #include <openssl/params.h>
45 #include "internal/cryptlib.h"
46 #include "internal/evp_int.h"
47 #include "kdf_local.h"
49 struct evp_kdf_impl_st
{
50 EVP_MAC
*mac
; /* H(x) = HMAC_hash OR H(x) = KMAC */
51 const EVP_MD
*md
; /* H(x) = hash OR when H(x) = HMAC_hash */
52 unsigned char *secret
;
58 size_t out_len
; /* optional KMAC parameter */
61 #define SSKDF_MAX_INLEN (1<<30)
62 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
63 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
65 /* KMAC uses a Customisation string of 'KDF' */
66 static const unsigned char kmac_custom_str
[] = { 0x4B, 0x44, 0x46 };
69 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
70 * Section 4. One-Step Key Derivation using H(x) = hash(x)
71 * Note: X9.63 also uses this code with the only difference being that the
72 * counter is appended to the secret 'z'.
74 * result[i] = Hash(counter || z || info) for One Step OR
75 * result[i] = Hash(z || counter || info) for X9.63.
77 static int SSKDF_hash_kdm(const EVP_MD
*kdf_md
,
78 const unsigned char *z
, size_t z_len
,
79 const unsigned char *info
, size_t info_len
,
80 unsigned int append_ctr
,
81 unsigned char *derived_key
, size_t derived_key_len
)
84 size_t counter
, out_len
, len
= derived_key_len
;
86 unsigned char mac
[EVP_MAX_MD_SIZE
];
87 unsigned char *out
= derived_key
;
88 EVP_MD_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
90 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
91 || derived_key_len
> SSKDF_MAX_INLEN
92 || derived_key_len
== 0)
95 hlen
= EVP_MD_size(kdf_md
);
98 out_len
= (size_t)hlen
;
100 ctx
= EVP_MD_CTX_create();
101 ctx_init
= EVP_MD_CTX_create();
102 if (ctx
== NULL
|| ctx_init
== NULL
)
105 if (!EVP_DigestInit(ctx_init
, kdf_md
))
108 for (counter
= 1;; counter
++) {
109 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
110 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
111 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
112 c
[3] = (unsigned char)(counter
& 0xff);
114 if (!(EVP_MD_CTX_copy_ex(ctx
, ctx_init
)
115 && (append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
116 && EVP_DigestUpdate(ctx
, z
, z_len
)
117 && (!append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
118 && EVP_DigestUpdate(ctx
, info
, info_len
)))
120 if (len
>= out_len
) {
121 if (!EVP_DigestFinal_ex(ctx
, out
, NULL
))
128 if (!EVP_DigestFinal_ex(ctx
, mac
, NULL
))
130 memcpy(out
, mac
, len
);
136 EVP_MD_CTX_destroy(ctx
);
137 EVP_MD_CTX_destroy(ctx_init
);
138 OPENSSL_cleanse(mac
, sizeof(mac
));
142 static int kmac_init(EVP_MAC_CTX
*ctx
, const unsigned char *custom
,
143 size_t custom_len
, size_t kmac_out_len
,
144 size_t derived_key_len
, unsigned char **out
)
146 OSSL_PARAM params
[2];
148 /* Only KMAC has custom data - so return if not KMAC */
152 params
[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM
,
153 (void *)custom
, custom_len
);
154 params
[1] = OSSL_PARAM_construct_end();
156 if (!EVP_MAC_CTX_set_params(ctx
, params
))
159 /* By default only do one iteration if kmac_out_len is not specified */
160 if (kmac_out_len
== 0)
161 kmac_out_len
= derived_key_len
;
162 /* otherwise check the size is valid */
163 else if (!(kmac_out_len
== derived_key_len
164 || kmac_out_len
== 20
165 || kmac_out_len
== 28
166 || kmac_out_len
== 32
167 || kmac_out_len
== 48
168 || kmac_out_len
== 64))
171 params
[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE
,
174 if (EVP_MAC_CTX_set_params(ctx
, params
) <= 0)
178 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
179 * alloc a buffer for this case.
181 if (kmac_out_len
> EVP_MAX_MD_SIZE
) {
182 *out
= OPENSSL_zalloc(kmac_out_len
);
190 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
191 * Section 4. One-Step Key Derivation using MAC: i.e either
192 * H(x) = HMAC-hash(salt, x) OR
193 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
195 static int SSKDF_mac_kdm(EVP_MAC
*kdf_mac
, const EVP_MD
*hmac_md
,
196 const unsigned char *kmac_custom
,
197 size_t kmac_custom_len
, size_t kmac_out_len
,
198 const unsigned char *salt
, size_t salt_len
,
199 const unsigned char *z
, size_t z_len
,
200 const unsigned char *info
, size_t info_len
,
201 unsigned char *derived_key
, size_t derived_key_len
)
204 size_t counter
, out_len
, len
;
206 unsigned char mac_buf
[EVP_MAX_MD_SIZE
];
207 unsigned char *out
= derived_key
;
208 EVP_MAC_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
209 unsigned char *mac
= mac_buf
, *kmac_buffer
= NULL
;
210 OSSL_PARAM params
[3];
213 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
214 || derived_key_len
> SSKDF_MAX_INLEN
215 || derived_key_len
== 0)
218 ctx_init
= EVP_MAC_CTX_new(kdf_mac
);
219 if (ctx_init
== NULL
)
222 if (hmac_md
!= NULL
) {
223 const char *mdname
= EVP_MD_name(hmac_md
);
225 OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
229 OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY
, (void *)salt
,
231 params
[params_n
] = OSSL_PARAM_construct_end();
233 if (!EVP_MAC_CTX_set_params(ctx_init
, params
))
236 if (!kmac_init(ctx_init
, kmac_custom
, kmac_custom_len
, kmac_out_len
,
237 derived_key_len
, &kmac_buffer
))
239 if (kmac_buffer
!= NULL
)
242 if (!EVP_MAC_init(ctx_init
))
245 out_len
= EVP_MAC_size(ctx_init
); /* output size */
248 len
= derived_key_len
;
250 for (counter
= 1;; counter
++) {
251 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
252 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
253 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
254 c
[3] = (unsigned char)(counter
& 0xff);
256 ctx
= EVP_MAC_CTX_dup(ctx_init
);
258 && EVP_MAC_update(ctx
, c
, sizeof(c
))
259 && EVP_MAC_update(ctx
, z
, z_len
)
260 && EVP_MAC_update(ctx
, info
, info_len
)))
262 if (len
>= out_len
) {
263 if (!EVP_MAC_final(ctx
, out
, NULL
, len
))
270 if (!EVP_MAC_final(ctx
, mac
, NULL
, len
))
272 memcpy(out
, mac
, len
);
275 EVP_MAC_CTX_free(ctx
);
280 if (kmac_buffer
!= NULL
)
281 OPENSSL_clear_free(kmac_buffer
, kmac_out_len
);
283 OPENSSL_cleanse(mac_buf
, sizeof(mac_buf
));
285 EVP_MAC_CTX_free(ctx
);
286 EVP_MAC_CTX_free(ctx_init
);
290 static EVP_KDF_IMPL
*sskdf_new(void)
294 if ((impl
= OPENSSL_zalloc(sizeof(*impl
))) == NULL
)
295 KDFerr(KDF_F_SSKDF_NEW
, ERR_R_MALLOC_FAILURE
);
299 static void sskdf_reset(EVP_KDF_IMPL
*impl
)
301 OPENSSL_clear_free(impl
->secret
, impl
->secret_len
);
302 OPENSSL_clear_free(impl
->info
, impl
->info_len
);
303 OPENSSL_clear_free(impl
->salt
, impl
->salt_len
);
304 EVP_MAC_free(impl
->mac
);
305 #if 0 /* TODO(3.0) When we switch to fetched MDs */
306 EVP_MD_meth_free(impl
->md
);
308 memset(impl
, 0, sizeof(*impl
));
311 static void sskdf_free(EVP_KDF_IMPL
*impl
)
317 static int sskdf_set_buffer(va_list args
, unsigned char **out
, size_t *out_len
)
319 const unsigned char *p
;
322 p
= va_arg(args
, const unsigned char *);
323 len
= va_arg(args
, size_t);
324 if (len
== 0 || p
== NULL
)
328 *out
= OPENSSL_memdup(p
, len
);
336 static int sskdf_ctrl(EVP_KDF_IMPL
*impl
, int cmd
, va_list args
)
341 case EVP_KDF_CTRL_SET_KEY
:
342 return sskdf_set_buffer(args
, &impl
->secret
, &impl
->secret_len
);
344 case EVP_KDF_CTRL_SET_SSKDF_INFO
:
345 return sskdf_set_buffer(args
, &impl
->info
, &impl
->info_len
);
347 case EVP_KDF_CTRL_SET_MD
:
348 md
= va_arg(args
, const EVP_MD
*);
352 #if 0 /* TODO(3.0) When we switch to fetched MDs */
353 EVP_MD_meth_free(impl
->md
);
358 case EVP_KDF_CTRL_SET_MAC
:
363 name
= va_arg(args
, const char *);
367 EVP_MAC_free(impl
->mac
);
371 * TODO(3.0) add support for OPENSSL_CTX and properties in KDFs
373 mac
= EVP_MAC_fetch(NULL
, name
, NULL
);
380 case EVP_KDF_CTRL_SET_SALT
:
381 return sskdf_set_buffer(args
, &impl
->salt
, &impl
->salt_len
);
383 case EVP_KDF_CTRL_SET_MAC_SIZE
:
384 impl
->out_len
= va_arg(args
, size_t);
392 static int sskdf_ctrl_str(EVP_KDF_IMPL
*impl
, const char *type
,
395 if (strcmp(type
, "secret") == 0 || strcmp(type
, "key") == 0)
396 return kdf_str2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_KEY
,
399 if (strcmp(type
, "hexsecret") == 0 || strcmp(type
, "hexkey") == 0)
400 return kdf_hex2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_KEY
,
403 if (strcmp(type
, "info") == 0)
404 return kdf_str2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_SSKDF_INFO
,
407 if (strcmp(type
, "hexinfo") == 0)
408 return kdf_hex2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_SSKDF_INFO
,
411 if (strcmp(type
, "digest") == 0)
412 return kdf_md2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_MD
, value
);
414 if (strcmp(type
, "mac") == 0)
415 return kdf_str2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_MAC
, value
);
417 if (strcmp(type
, "salt") == 0)
418 return kdf_str2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_SALT
, value
);
420 if (strcmp(type
, "hexsalt") == 0)
421 return kdf_hex2ctrl(impl
, sskdf_ctrl
, EVP_KDF_CTRL_SET_SALT
, value
);
424 if (strcmp(type
, "maclen") == 0) {
425 int val
= atoi(value
);
427 KDFerr(KDF_F_SSKDF_CTRL_STR
, KDF_R_VALUE_ERROR
);
430 return call_ctrl(sskdf_ctrl
, impl
, EVP_KDF_CTRL_SET_MAC_SIZE
,
436 static size_t sskdf_size(EVP_KDF_IMPL
*impl
)
440 if (impl
->md
== NULL
) {
441 KDFerr(KDF_F_SSKDF_SIZE
, KDF_R_MISSING_MESSAGE_DIGEST
);
444 len
= EVP_MD_size(impl
->md
);
445 return (len
<= 0) ? 0 : (size_t)len
;
448 static int sskdf_derive(EVP_KDF_IMPL
*impl
, unsigned char *key
, size_t keylen
)
450 if (impl
->secret
== NULL
) {
451 KDFerr(KDF_F_SSKDF_DERIVE
, KDF_R_MISSING_SECRET
);
455 if (impl
->mac
!= NULL
) {
456 /* H(x) = KMAC or H(x) = HMAC */
458 const unsigned char *custom
= NULL
;
459 size_t custom_len
= 0;
461 int default_salt_len
;
464 * TODO(3.0) investigate the necessity to have all these controls.
465 * Why does KMAC require a salt length that's shorter than the MD
468 macname
= EVP_MAC_name(impl
->mac
);
469 if (strcmp(macname
, OSSL_MAC_NAME_HMAC
) == 0) {
470 /* H(x) = HMAC(x, salt, hash) */
471 if (impl
->md
== NULL
) {
472 KDFerr(KDF_F_SSKDF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
475 default_salt_len
= EVP_MD_block_size(impl
->md
);
476 if (default_salt_len
<= 0)
478 } else if (strcmp(macname
, OSSL_MAC_NAME_KMAC128
) == 0
479 || strcmp(macname
, OSSL_MAC_NAME_KMAC256
) == 0) {
480 /* H(x) = KMACzzz(x, salt, custom) */
481 custom
= kmac_custom_str
;
482 custom_len
= sizeof(kmac_custom_str
);
483 if (strcmp(macname
, OSSL_MAC_NAME_KMAC128
) == 0)
484 default_salt_len
= SSKDF_KMAC128_DEFAULT_SALT_SIZE
;
486 default_salt_len
= SSKDF_KMAC256_DEFAULT_SALT_SIZE
;
488 KDFerr(KDF_F_SSKDF_DERIVE
, KDF_R_UNSUPPORTED_MAC_TYPE
);
491 /* If no salt is set then use a default_salt of zeros */
492 if (impl
->salt
== NULL
|| impl
->salt_len
<= 0) {
493 impl
->salt
= OPENSSL_zalloc(default_salt_len
);
494 if (impl
->salt
== NULL
) {
495 KDFerr(KDF_F_SSKDF_DERIVE
, ERR_R_MALLOC_FAILURE
);
498 impl
->salt_len
= default_salt_len
;
500 ret
= SSKDF_mac_kdm(impl
->mac
, impl
->md
,
501 custom
, custom_len
, impl
->out_len
,
502 impl
->salt
, impl
->salt_len
,
503 impl
->secret
, impl
->secret_len
,
504 impl
->info
, impl
->info_len
, key
, keylen
);
508 if (impl
->md
== NULL
) {
509 KDFerr(KDF_F_SSKDF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
512 return SSKDF_hash_kdm(impl
->md
, impl
->secret
, impl
->secret_len
,
513 impl
->info
, impl
->info_len
, 0, key
, keylen
);
517 static int x963kdf_derive(EVP_KDF_IMPL
*impl
, unsigned char *key
, size_t keylen
)
519 if (impl
->secret
== NULL
) {
520 KDFerr(KDF_F_X963KDF_DERIVE
, KDF_R_MISSING_SECRET
);
524 if (impl
->mac
!= NULL
) {
525 KDFerr(KDF_F_X963KDF_DERIVE
, KDF_R_NOT_SUPPORTED
);
529 if (impl
->md
== NULL
) {
530 KDFerr(KDF_F_X963KDF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
533 return SSKDF_hash_kdm(impl
->md
, impl
->secret
, impl
->secret_len
,
534 impl
->info
, impl
->info_len
, 1, key
, keylen
);
538 const EVP_KDF ss_kdf_meth
= {
549 const EVP_KDF x963_kdf_meth
= {