2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
15 * The Single Step KDF algorithm is given by:
17 * Result(0) = empty bit string (i.e., the null string).
18 * For i = 1 to reps, do the following:
19 * Increment counter by 1.
20 * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21 * DKM = LeftmostBits(Result(reps), L))
24 * Z is a shared secret required to produce the derived key material.
25 * counter is a 4 byte buffer.
26 * FixedInfo is a bit string containing context specific data.
27 * DKM is the output derived key material.
28 * L is the required size of the DKM.
29 * reps = [L / H_outputBits]
30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31 * H_outputBits is the length of the output of the auxiliary function H(x).
33 * Currently there is not a comprehensive list of test vectors for this
34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include <openssl/core_names.h>
44 #include <openssl/params.h>
45 #include "internal/cryptlib.h"
46 #include "internal/numbers.h"
47 #include "internal/evp_int.h"
48 #include "internal/provider_ctx.h"
49 #include "internal/providercommonerr.h"
50 #include "internal/provider_algs.h"
54 EVP_MAC
*mac
; /* H(x) = HMAC_hash OR H(x) = KMAC */
55 EVP_MD
*md
; /* H(x) = hash OR when H(x) = HMAC_hash */
56 unsigned char *secret
;
62 size_t out_len
; /* optional KMAC parameter */
65 #define SSKDF_MAX_INLEN (1<<30)
66 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
67 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
69 /* KMAC uses a Customisation string of 'KDF' */
70 static const unsigned char kmac_custom_str
[] = { 0x4B, 0x44, 0x46 };
72 static OSSL_OP_kdf_newctx_fn sskdf_new
;
73 static OSSL_OP_kdf_freectx_fn sskdf_free
;
74 static OSSL_OP_kdf_reset_fn sskdf_reset
;
75 static OSSL_OP_kdf_derive_fn sskdf_derive
;
76 static OSSL_OP_kdf_derive_fn x963kdf_derive
;
77 static OSSL_OP_kdf_settable_ctx_params_fn sskdf_settable_ctx_params
;
78 static OSSL_OP_kdf_set_ctx_params_fn sskdf_set_ctx_params
;
79 static OSSL_OP_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params
;
80 static OSSL_OP_kdf_get_ctx_params_fn sskdf_get_ctx_params
;
83 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
84 * Section 4. One-Step Key Derivation using H(x) = hash(x)
85 * Note: X9.63 also uses this code with the only difference being that the
86 * counter is appended to the secret 'z'.
88 * result[i] = Hash(counter || z || info) for One Step OR
89 * result[i] = Hash(z || counter || info) for X9.63.
91 static int SSKDF_hash_kdm(const EVP_MD
*kdf_md
,
92 const unsigned char *z
, size_t z_len
,
93 const unsigned char *info
, size_t info_len
,
94 unsigned int append_ctr
,
95 unsigned char *derived_key
, size_t derived_key_len
)
98 size_t counter
, out_len
, len
= derived_key_len
;
100 unsigned char mac
[EVP_MAX_MD_SIZE
];
101 unsigned char *out
= derived_key
;
102 EVP_MD_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
104 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
105 || derived_key_len
> SSKDF_MAX_INLEN
106 || derived_key_len
== 0)
109 hlen
= EVP_MD_size(kdf_md
);
112 out_len
= (size_t)hlen
;
114 ctx
= EVP_MD_CTX_create();
115 ctx_init
= EVP_MD_CTX_create();
116 if (ctx
== NULL
|| ctx_init
== NULL
)
119 if (!EVP_DigestInit(ctx_init
, kdf_md
))
122 for (counter
= 1;; counter
++) {
123 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
124 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
125 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
126 c
[3] = (unsigned char)(counter
& 0xff);
128 if (!(EVP_MD_CTX_copy_ex(ctx
, ctx_init
)
129 && (append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
130 && EVP_DigestUpdate(ctx
, z
, z_len
)
131 && (!append_ctr
|| EVP_DigestUpdate(ctx
, c
, sizeof(c
)))
132 && EVP_DigestUpdate(ctx
, info
, info_len
)))
134 if (len
>= out_len
) {
135 if (!EVP_DigestFinal_ex(ctx
, out
, NULL
))
142 if (!EVP_DigestFinal_ex(ctx
, mac
, NULL
))
144 memcpy(out
, mac
, len
);
150 EVP_MD_CTX_destroy(ctx
);
151 EVP_MD_CTX_destroy(ctx_init
);
152 OPENSSL_cleanse(mac
, sizeof(mac
));
156 static int kmac_init(EVP_MAC_CTX
*ctx
, const unsigned char *custom
,
157 size_t custom_len
, size_t kmac_out_len
,
158 size_t derived_key_len
, unsigned char **out
)
160 OSSL_PARAM params
[2];
162 /* Only KMAC has custom data - so return if not KMAC */
166 params
[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM
,
167 (void *)custom
, custom_len
);
168 params
[1] = OSSL_PARAM_construct_end();
170 if (!EVP_MAC_CTX_set_params(ctx
, params
))
173 /* By default only do one iteration if kmac_out_len is not specified */
174 if (kmac_out_len
== 0)
175 kmac_out_len
= derived_key_len
;
176 /* otherwise check the size is valid */
177 else if (!(kmac_out_len
== derived_key_len
178 || kmac_out_len
== 20
179 || kmac_out_len
== 28
180 || kmac_out_len
== 32
181 || kmac_out_len
== 48
182 || kmac_out_len
== 64))
185 params
[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE
,
188 if (EVP_MAC_CTX_set_params(ctx
, params
) <= 0)
192 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
193 * alloc a buffer for this case.
195 if (kmac_out_len
> EVP_MAX_MD_SIZE
) {
196 *out
= OPENSSL_zalloc(kmac_out_len
);
204 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
205 * Section 4. One-Step Key Derivation using MAC: i.e either
206 * H(x) = HMAC-hash(salt, x) OR
207 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
209 static int SSKDF_mac_kdm(EVP_MAC
*kdf_mac
, const EVP_MD
*hmac_md
,
210 const unsigned char *kmac_custom
,
211 size_t kmac_custom_len
, size_t kmac_out_len
,
212 const unsigned char *salt
, size_t salt_len
,
213 const unsigned char *z
, size_t z_len
,
214 const unsigned char *info
, size_t info_len
,
215 unsigned char *derived_key
, size_t derived_key_len
)
218 size_t counter
, out_len
, len
;
220 unsigned char mac_buf
[EVP_MAX_MD_SIZE
];
221 unsigned char *out
= derived_key
;
222 EVP_MAC_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
223 unsigned char *mac
= mac_buf
, *kmac_buffer
= NULL
;
224 OSSL_PARAM params
[3];
227 if (z_len
> SSKDF_MAX_INLEN
|| info_len
> SSKDF_MAX_INLEN
228 || derived_key_len
> SSKDF_MAX_INLEN
229 || derived_key_len
== 0)
232 ctx_init
= EVP_MAC_CTX_new(kdf_mac
);
233 if (ctx_init
== NULL
)
236 if (hmac_md
!= NULL
) {
237 const char *mdname
= EVP_MD_name(hmac_md
);
239 OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST
,
243 OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY
, (void *)salt
,
245 params
[params_n
] = OSSL_PARAM_construct_end();
247 if (!EVP_MAC_CTX_set_params(ctx_init
, params
))
250 if (!kmac_init(ctx_init
, kmac_custom
, kmac_custom_len
, kmac_out_len
,
251 derived_key_len
, &kmac_buffer
))
253 if (kmac_buffer
!= NULL
)
256 if (!EVP_MAC_init(ctx_init
))
259 out_len
= EVP_MAC_size(ctx_init
); /* output size */
262 len
= derived_key_len
;
264 for (counter
= 1;; counter
++) {
265 c
[0] = (unsigned char)((counter
>> 24) & 0xff);
266 c
[1] = (unsigned char)((counter
>> 16) & 0xff);
267 c
[2] = (unsigned char)((counter
>> 8) & 0xff);
268 c
[3] = (unsigned char)(counter
& 0xff);
270 ctx
= EVP_MAC_CTX_dup(ctx_init
);
272 && EVP_MAC_update(ctx
, c
, sizeof(c
))
273 && EVP_MAC_update(ctx
, z
, z_len
)
274 && EVP_MAC_update(ctx
, info
, info_len
)))
276 if (len
>= out_len
) {
277 if (!EVP_MAC_final(ctx
, out
, NULL
, len
))
284 if (!EVP_MAC_final(ctx
, mac
, NULL
, len
))
286 memcpy(out
, mac
, len
);
289 EVP_MAC_CTX_free(ctx
);
294 if (kmac_buffer
!= NULL
)
295 OPENSSL_clear_free(kmac_buffer
, kmac_out_len
);
297 OPENSSL_cleanse(mac_buf
, sizeof(mac_buf
));
299 EVP_MAC_CTX_free(ctx
);
300 EVP_MAC_CTX_free(ctx_init
);
304 static void *sskdf_new(void *provctx
)
308 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
)
309 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
310 ctx
->provctx
= provctx
;
314 static void sskdf_reset(void *vctx
)
316 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
318 OPENSSL_clear_free(ctx
->secret
, ctx
->secret_len
);
319 OPENSSL_clear_free(ctx
->info
, ctx
->info_len
);
320 OPENSSL_clear_free(ctx
->salt
, ctx
->salt_len
);
321 EVP_MAC_free(ctx
->mac
);
322 memset(ctx
, 0, sizeof(*ctx
));
325 static void sskdf_free(void *vctx
)
327 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
330 EVP_MD_meth_free(ctx
->md
);
331 EVP_MAC_free(ctx
->mac
);
335 static int sskdf_set_buffer(unsigned char **out
, size_t *out_len
,
338 if (p
->data
== NULL
|| p
->data_size
== 0)
342 return OSSL_PARAM_get_octet_string(p
, (void **)out
, 0, out_len
);
345 static size_t sskdf_size(KDF_SSKDF
*ctx
)
349 if (ctx
->md
== NULL
) {
350 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
353 len
= EVP_MD_size(ctx
->md
);
354 return (len
<= 0) ? 0 : (size_t)len
;
357 static int sskdf_derive(void *vctx
, unsigned char *key
, size_t keylen
)
359 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
361 if (ctx
->secret
== NULL
) {
362 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SECRET
);
366 if (ctx
->mac
!= NULL
) {
367 /* H(x) = KMAC or H(x) = HMAC */
369 const unsigned char *custom
= NULL
;
370 size_t custom_len
= 0;
372 int default_salt_len
;
375 * TODO(3.0) investigate the necessity to have all these controls.
376 * Why does KMAC require a salt length that's shorter than the MD
379 macname
= EVP_MAC_name(ctx
->mac
);
380 if (strcmp(macname
, OSSL_MAC_NAME_HMAC
) == 0) {
381 /* H(x) = HMAC(x, salt, hash) */
382 if (ctx
->md
== NULL
) {
383 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
386 default_salt_len
= EVP_MD_block_size(ctx
->md
);
387 if (default_salt_len
<= 0)
389 } else if (strcmp(macname
, OSSL_MAC_NAME_KMAC128
) == 0
390 || strcmp(macname
, OSSL_MAC_NAME_KMAC256
) == 0) {
391 /* H(x) = KMACzzz(x, salt, custom) */
392 custom
= kmac_custom_str
;
393 custom_len
= sizeof(kmac_custom_str
);
394 if (strcmp(macname
, OSSL_MAC_NAME_KMAC128
) == 0)
395 default_salt_len
= SSKDF_KMAC128_DEFAULT_SALT_SIZE
;
397 default_salt_len
= SSKDF_KMAC256_DEFAULT_SALT_SIZE
;
399 ERR_raise(ERR_LIB_PROV
, PROV_R_UNSUPPORTED_MAC_TYPE
);
402 /* If no salt is set then use a default_salt of zeros */
403 if (ctx
->salt
== NULL
|| ctx
->salt_len
<= 0) {
404 ctx
->salt
= OPENSSL_zalloc(default_salt_len
);
405 if (ctx
->salt
== NULL
) {
406 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
409 ctx
->salt_len
= default_salt_len
;
411 ret
= SSKDF_mac_kdm(ctx
->mac
, ctx
->md
,
412 custom
, custom_len
, ctx
->out_len
,
413 ctx
->salt
, ctx
->salt_len
,
414 ctx
->secret
, ctx
->secret_len
,
415 ctx
->info
, ctx
->info_len
, key
, keylen
);
419 if (ctx
->md
== NULL
) {
420 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
423 return SSKDF_hash_kdm(ctx
->md
, ctx
->secret
, ctx
->secret_len
,
424 ctx
->info
, ctx
->info_len
, 0, key
, keylen
);
428 static int x963kdf_derive(void *vctx
, unsigned char *key
, size_t keylen
)
430 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
432 if (ctx
->secret
== NULL
) {
433 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SECRET
);
437 if (ctx
->mac
!= NULL
) {
438 ERR_raise(ERR_LIB_PROV
, PROV_R_NOT_SUPPORTED
);
442 if (ctx
->md
== NULL
) {
443 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_MESSAGE_DIGEST
);
446 return SSKDF_hash_kdm(ctx
->md
, ctx
->secret
, ctx
->secret_len
,
447 ctx
->info
, ctx
->info_len
, 1, key
, keylen
);
451 static int sskdf_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
454 KDF_SSKDF
*ctx
= vctx
;
458 const char *properties
= NULL
;
460 /* Grab search properties, should be before the digest and mac lookups */
461 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_PROPERTIES
))
463 if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
)
465 properties
= p
->data
;
467 /* Handle aliasing of digest parameter names */
468 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_DIGEST
)) != NULL
) {
469 if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
)
471 md
= EVP_MD_fetch(PROV_LIBRARY_CONTEXT_OF(ctx
->provctx
), p
->data
,
474 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST
);
477 EVP_MD_meth_free(ctx
->md
);
481 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_MAC
)) != NULL
) {
482 EVP_MAC_free(ctx
->mac
);
485 mac
= EVP_MAC_fetch(PROV_LIBRARY_CONTEXT_OF(ctx
->provctx
), p
->data
,
489 EVP_MAC_free(ctx
->mac
);
493 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SECRET
)) != NULL
494 || (p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_KEY
)) != NULL
)
495 if (!sskdf_set_buffer(&ctx
->secret
, &ctx
->secret_len
, p
))
498 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_INFO
)) != NULL
)
499 if (!sskdf_set_buffer(&ctx
->info
, &ctx
->info_len
, p
))
502 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SALT
)) != NULL
)
503 if (!sskdf_set_buffer(&ctx
->salt
, &ctx
->salt_len
, p
))
506 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_MAC_SIZE
))
508 if (!OSSL_PARAM_get_size_t(p
, &sz
) || sz
== 0)
515 static const OSSL_PARAM
*sskdf_settable_ctx_params(void)
517 static const OSSL_PARAM known_settable_ctx_params
[] = {
518 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET
, NULL
, 0),
519 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY
, NULL
, 0),
520 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO
, NULL
, 0),
521 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES
, NULL
, 0),
522 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST
, NULL
, 0),
523 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC
, NULL
, 0),
524 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT
, NULL
, 0),
525 OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE
, NULL
),
528 return known_settable_ctx_params
;
531 static int sskdf_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
533 KDF_SSKDF
*ctx
= (KDF_SSKDF
*)vctx
;
536 if ((p
= OSSL_PARAM_locate(params
, OSSL_KDF_PARAM_SIZE
)) != NULL
)
537 return OSSL_PARAM_set_size_t(p
, sskdf_size(ctx
));
541 static const OSSL_PARAM
*sskdf_gettable_ctx_params(void)
543 static const OSSL_PARAM known_gettable_ctx_params
[] = {
544 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE
, NULL
),
547 return known_gettable_ctx_params
;
550 const OSSL_DISPATCH kdf_sskdf_functions
[] = {
551 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))sskdf_new
},
552 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))sskdf_free
},
553 { OSSL_FUNC_KDF_RESET
, (void(*)(void))sskdf_reset
},
554 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))sskdf_derive
},
555 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
556 (void(*)(void))sskdf_settable_ctx_params
},
557 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))sskdf_set_ctx_params
},
558 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
559 (void(*)(void))sskdf_gettable_ctx_params
},
560 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))sskdf_get_ctx_params
},
564 const OSSL_DISPATCH kdf_x963_kdf_functions
[] = {
565 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))sskdf_new
},
566 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))sskdf_free
},
567 { OSSL_FUNC_KDF_RESET
, (void(*)(void))sskdf_reset
},
568 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))x963kdf_derive
},
569 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
570 (void(*)(void))sskdf_settable_ctx_params
},
571 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))sskdf_set_ctx_params
},
572 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
573 (void(*)(void))sskdf_gettable_ctx_params
},
574 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))sskdf_get_ctx_params
},