1 /*
2 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /*
12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
13 * Section 4.1.
14 *
15 * The Single Step KDF algorithm is given by:
16 *
17 * Result(0) = empty bit string (i.e., the null string).
18 * For i = 1 to reps, do the following:
19 * Increment counter by 1.
20 * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21 * DKM = LeftmostBits(Result(reps), L))
22 *
23 * NOTES:
24 * Z is a shared secret required to produce the derived key material.
25 * counter is a 4 byte buffer.
26 * FixedInfo is a bit string containing context specific data.
27 * DKM is the output derived key material.
28 * L is the required size of the DKM.
29 * reps = [L / H_outputBits]
30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31 * H_outputBits is the length of the output of the auxiliary function H(x).
32 *
33 * Currently there is not a comprehensive list of test vectors for this
34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
36 */
37 #include <stdlib.h>
38 #include <stdarg.h>
39 #include <string.h>
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include <openssl/core_names.h>
44 #include <openssl/params.h>
45 #include <openssl/proverr.h>
46 #include "internal/cryptlib.h"
47 #include "internal/numbers.h"
48 #include "crypto/evp.h"
49 #include "prov/provider_ctx.h"
50 #include "prov/providercommon.h"
51 #include "prov/implementations.h"
52 #include "prov/provider_util.h"
53 #include "prov/securitycheck.h"
54 #include "internal/params.h"
55
56 typedef struct {
57 void *provctx;
58 EVP_MAC_CTX *macctx; /* H(x) = HMAC_hash OR H(x) = KMAC */
59 PROV_DIGEST digest; /* H(x) = hash(x) */
60 unsigned char *secret;
61 size_t secret_len;
62 unsigned char *info;
63 size_t info_len;
64 unsigned char *salt;
65 size_t salt_len;
66 size_t out_len; /* optional KMAC parameter */
67 int is_kmac;
68 OSSL_FIPS_IND_DECLARE
69 } KDF_SSKDF;
70
71 #define SSKDF_MAX_INLEN (1<<30)
72 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
73 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
74
75 /* KMAC uses a Customisation string of 'KDF' */
76 static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
77
78 static OSSL_FUNC_kdf_newctx_fn sskdf_new;
79 static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
80 static OSSL_FUNC_kdf_freectx_fn sskdf_free;
81 static OSSL_FUNC_kdf_reset_fn sskdf_reset;
82 static OSSL_FUNC_kdf_derive_fn sskdf_derive;
83 static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
84 static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
85 static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
86 static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;
87 static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
88 static OSSL_FUNC_kdf_settable_ctx_params_fn x963kdf_settable_ctx_params;
89 static OSSL_FUNC_kdf_set_ctx_params_fn x963kdf_set_ctx_params;
90 static OSSL_FUNC_kdf_gettable_ctx_params_fn x963kdf_gettable_ctx_params;
91 static OSSL_FUNC_kdf_get_ctx_params_fn x963kdf_get_ctx_params;
92
93 /* Settable context parameters that are common across SSKDF and X963 KDF */
94 #define SSKDF_COMMON_SETTABLES \
95 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), \
96 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \
97 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), \
98 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \
99 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \
100 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0), \
101 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), \
102 OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL)
103
104 /* Gettable context parameters that are common across SSKDF and X963 KDF */
105 #define SSKDF_COMMON_GETTABLES \
106 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL)
107
108 /*
109 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
110 * Section 4. One-Step Key Derivation using H(x) = hash(x)
111 * Note: X9.63 also uses this code with the only difference being that the
112 * counter is appended to the secret 'z'.
113 * i.e.
114 * result[i] = Hash(counter || z || info) for One Step OR
115 * result[i] = Hash(z || counter || info) for X9.63.
116 */
SSKDF_hash_kdm(const EVP_MD * kdf_md,const unsigned char * z,size_t z_len,const unsigned char * info,size_t info_len,unsigned int append_ctr,unsigned char * derived_key,size_t derived_key_len)117 static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
118 const unsigned char *z, size_t z_len,
119 const unsigned char *info, size_t info_len,
120 unsigned int append_ctr,
121 unsigned char *derived_key, size_t derived_key_len)
122 {
123 int ret = 0, hlen;
124 size_t counter, out_len, len = derived_key_len;
125 unsigned char c[4];
126 unsigned char mac[EVP_MAX_MD_SIZE];
127 unsigned char *out = derived_key;
128 EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
129
130 if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
131 || derived_key_len > SSKDF_MAX_INLEN
132 || derived_key_len == 0)
133 return 0;
134
135 hlen = EVP_MD_get_size(kdf_md);
136 if (hlen <= 0)
137 return 0;
138 out_len = (size_t)hlen;
139
140 ctx = EVP_MD_CTX_create();
141 ctx_init = EVP_MD_CTX_create();
142 if (ctx == NULL || ctx_init == NULL)
143 goto end;
144
145 if (!EVP_DigestInit(ctx_init, kdf_md))
146 goto end;
147
148 for (counter = 1;; counter++) {
149 c[0] = (unsigned char)((counter >> 24) & 0xff);
150 c[1] = (unsigned char)((counter >> 16) & 0xff);
151 c[2] = (unsigned char)((counter >> 8) & 0xff);
152 c[3] = (unsigned char)(counter & 0xff);
153
154 if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
155 && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
156 && EVP_DigestUpdate(ctx, z, z_len)
157 && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
158 && EVP_DigestUpdate(ctx, info, info_len)))
159 goto end;
160 if (len >= out_len) {
161 if (!EVP_DigestFinal_ex(ctx, out, NULL))
162 goto end;
163 out += out_len;
164 len -= out_len;
165 if (len == 0)
166 break;
167 } else {
168 if (!EVP_DigestFinal_ex(ctx, mac, NULL))
169 goto end;
170 memcpy(out, mac, len);
171 break;
172 }
173 }
174 ret = 1;
175 end:
176 EVP_MD_CTX_destroy(ctx);
177 EVP_MD_CTX_destroy(ctx_init);
178 OPENSSL_cleanse(mac, sizeof(mac));
179 return ret;
180 }
181
kmac_init(EVP_MAC_CTX * ctx,const unsigned char * custom,size_t custom_len,size_t kmac_out_len,size_t derived_key_len,unsigned char ** out)182 static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
183 size_t custom_len, size_t kmac_out_len,
184 size_t derived_key_len, unsigned char **out)
185 {
186 OSSL_PARAM params[2];
187
188 /* Only KMAC has custom data - so return if not KMAC */
189 if (custom == NULL)
190 return 1;
191
192 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
193 (void *)custom, custom_len);
194 params[1] = OSSL_PARAM_construct_end();
195
196 if (!EVP_MAC_CTX_set_params(ctx, params))
197 return 0;
198
199 /* By default only do one iteration if kmac_out_len is not specified */
200 if (kmac_out_len == 0)
201 kmac_out_len = derived_key_len;
202 /* otherwise check the size is valid */
203 else if (!(kmac_out_len == derived_key_len
204 || kmac_out_len == 20
205 || kmac_out_len == 28
206 || kmac_out_len == 32
207 || kmac_out_len == 48
208 || kmac_out_len == 64))
209 return 0;
210
211 params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
212 &kmac_out_len);
213
214 if (EVP_MAC_CTX_set_params(ctx, params) <= 0)
215 return 0;
216
217 /*
218 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
219 * alloc a buffer for this case.
220 */
221 if (kmac_out_len > EVP_MAX_MD_SIZE) {
222 *out = OPENSSL_zalloc(kmac_out_len);
223 if (*out == NULL)
224 return 0;
225 }
226 return 1;
227 }
228
229 /*
230 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
231 * Section 4. One-Step Key Derivation using MAC: i.e either
232 * H(x) = HMAC-hash(salt, x) OR
233 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
234 */
SSKDF_mac_kdm(EVP_MAC_CTX * ctx_init,const unsigned char * kmac_custom,size_t kmac_custom_len,size_t kmac_out_len,const unsigned char * salt,size_t salt_len,const unsigned char * z,size_t z_len,const unsigned char * info,size_t info_len,unsigned char * derived_key,size_t derived_key_len)235 static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
236 const unsigned char *kmac_custom,
237 size_t kmac_custom_len, size_t kmac_out_len,
238 const unsigned char *salt, size_t salt_len,
239 const unsigned char *z, size_t z_len,
240 const unsigned char *info, size_t info_len,
241 unsigned char *derived_key, size_t derived_key_len)
242 {
243 int ret = 0;
244 size_t counter, out_len, len;
245 unsigned char c[4];
246 unsigned char mac_buf[EVP_MAX_MD_SIZE];
247 unsigned char *out = derived_key;
248 EVP_MAC_CTX *ctx = NULL;
249 unsigned char *mac = mac_buf, *kmac_buffer = NULL;
250
251 if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
252 || derived_key_len > SSKDF_MAX_INLEN
253 || derived_key_len == 0)
254 return 0;
255
256 if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
257 derived_key_len, &kmac_buffer))
258 goto end;
259 if (kmac_buffer != NULL)
260 mac = kmac_buffer;
261
262 if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
263 goto end;
264
265 out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
266 if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf)))
267 goto end;
268 len = derived_key_len;
269
270 for (counter = 1;; counter++) {
271 c[0] = (unsigned char)((counter >> 24) & 0xff);
272 c[1] = (unsigned char)((counter >> 16) & 0xff);
273 c[2] = (unsigned char)((counter >> 8) & 0xff);
274 c[3] = (unsigned char)(counter & 0xff);
275
276 ctx = EVP_MAC_CTX_dup(ctx_init);
277 if (!(ctx != NULL
278 && EVP_MAC_update(ctx, c, sizeof(c))
279 && EVP_MAC_update(ctx, z, z_len)
280 && EVP_MAC_update(ctx, info, info_len)))
281 goto end;
282 if (len >= out_len) {
283 if (!EVP_MAC_final(ctx, out, NULL, len))
284 goto end;
285 out += out_len;
286 len -= out_len;
287 if (len == 0)
288 break;
289 } else {
290 if (!EVP_MAC_final(ctx, mac, NULL, out_len))
291 goto end;
292 memcpy(out, mac, len);
293 break;
294 }
295 EVP_MAC_CTX_free(ctx);
296 ctx = NULL;
297 }
298 ret = 1;
299 end:
300 if (kmac_buffer != NULL)
301 OPENSSL_clear_free(kmac_buffer, kmac_out_len);
302 else
303 OPENSSL_cleanse(mac_buf, sizeof(mac_buf));
304
305 EVP_MAC_CTX_free(ctx);
306 return ret;
307 }
308
sskdf_new(void * provctx)309 static void *sskdf_new(void *provctx)
310 {
311 KDF_SSKDF *ctx;
312
313 if (!ossl_prov_is_running())
314 return NULL;
315
316 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) {
317 ctx->provctx = provctx;
318 OSSL_FIPS_IND_INIT(ctx)
319 }
320 return ctx;
321 }
322
sskdf_reset(void * vctx)323 static void sskdf_reset(void *vctx)
324 {
325 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
326 void *provctx = ctx->provctx;
327
328 EVP_MAC_CTX_free(ctx->macctx);
329 ossl_prov_digest_reset(&ctx->digest);
330 OPENSSL_clear_free(ctx->secret, ctx->secret_len);
331 OPENSSL_clear_free(ctx->info, ctx->info_len);
332 OPENSSL_clear_free(ctx->salt, ctx->salt_len);
333 memset(ctx, 0, sizeof(*ctx));
334 ctx->provctx = provctx;
335 }
336
sskdf_free(void * vctx)337 static void sskdf_free(void *vctx)
338 {
339 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
340
341 if (ctx != NULL) {
342 sskdf_reset(ctx);
343 OPENSSL_free(ctx);
344 }
345 }
346
sskdf_dup(void * vctx)347 static void *sskdf_dup(void *vctx)
348 {
349 const KDF_SSKDF *src = (const KDF_SSKDF *)vctx;
350 KDF_SSKDF *dest;
351
352 dest = sskdf_new(src->provctx);
353 if (dest != NULL) {
354 if (src->macctx != NULL) {
355 dest->macctx = EVP_MAC_CTX_dup(src->macctx);
356 if (dest->macctx == NULL)
357 goto err;
358 }
359 if (!ossl_prov_memdup(src->info, src->info_len,
360 &dest->info, &dest->info_len)
361 || !ossl_prov_memdup(src->salt, src->salt_len,
362 &dest->salt , &dest->salt_len)
363 || !ossl_prov_memdup(src->secret, src->secret_len,
364 &dest->secret, &dest->secret_len)
365 || !ossl_prov_digest_copy(&dest->digest, &src->digest))
366 goto err;
367 dest->out_len = src->out_len;
368 dest->is_kmac = src->is_kmac;
369 OSSL_FIPS_IND_COPY(dest, src)
370 }
371 return dest;
372
373 err:
374 sskdf_free(dest);
375 return NULL;
376 }
377
sskdf_size(KDF_SSKDF * ctx)378 static size_t sskdf_size(KDF_SSKDF *ctx)
379 {
380 int len;
381 const EVP_MD *md = NULL;
382
383 if (ctx->is_kmac)
384 return SIZE_MAX;
385
386 md = ossl_prov_digest_md(&ctx->digest);
387 if (md == NULL) {
388 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
389 return 0;
390 }
391 len = EVP_MD_get_size(md);
392 return (len <= 0) ? 0 : (size_t)len;
393 }
394
395 #ifdef FIPS_MODULE
fips_sskdf_key_check_passed(KDF_SSKDF * ctx)396 static int fips_sskdf_key_check_passed(KDF_SSKDF *ctx)
397 {
398 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
399 int key_approved = ossl_kdf_check_key_size(ctx->secret_len);
400
401 if (!key_approved) {
402 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
403 libctx, "SSKDF", "Key size",
404 ossl_fips_config_sskdf_key_check)) {
405 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
406 return 0;
407 }
408 }
409 return 1;
410 }
411 #endif
412
sskdf_derive(void * vctx,unsigned char * key,size_t keylen,const OSSL_PARAM params[])413 static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
414 const OSSL_PARAM params[])
415 {
416 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
417 const EVP_MD *md;
418
419 if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
420 return 0;
421 if (ctx->secret == NULL) {
422 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
423 return 0;
424 }
425
426 md = ossl_prov_digest_md(&ctx->digest);
427
428 if (ctx->macctx != NULL) {
429 /* H(x) = KMAC or H(x) = HMAC */
430 int ret;
431 const unsigned char *custom = NULL;
432 size_t custom_len = 0;
433 int default_salt_len;
434 EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);
435
436 if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
437 /* H(x) = HMAC(x, salt, hash) */
438 if (md == NULL) {
439 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
440 return 0;
441 }
442 default_salt_len = EVP_MD_get_size(md);
443 if (default_salt_len <= 0)
444 return 0;
445 } else if (ctx->is_kmac) {
446 /* H(x) = KMACzzz(x, salt, custom) */
447 custom = kmac_custom_str;
448 custom_len = sizeof(kmac_custom_str);
449 if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128))
450 default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
451 else
452 default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
453 } else {
454 ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
455 return 0;
456 }
457 /* If no salt is set then use a default_salt of zeros */
458 if (ctx->salt == NULL || ctx->salt_len <= 0) {
459 ctx->salt = OPENSSL_zalloc(default_salt_len);
460 if (ctx->salt == NULL)
461 return 0;
462 ctx->salt_len = default_salt_len;
463 }
464 ret = SSKDF_mac_kdm(ctx->macctx,
465 custom, custom_len, ctx->out_len,
466 ctx->salt, ctx->salt_len,
467 ctx->secret, ctx->secret_len,
468 ctx->info, ctx->info_len, key, keylen);
469 return ret;
470 } else {
471 /* H(x) = hash */
472 if (md == NULL) {
473 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
474 return 0;
475 }
476 return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
477 ctx->info, ctx->info_len, 0, key, keylen);
478 }
479 }
480
481 #ifdef FIPS_MODULE
fips_x963kdf_digest_check_passed(KDF_SSKDF * ctx,const EVP_MD * md)482 static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md)
483 {
484 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
485 /*
486 * Perform digest check
487 *
488 * X963KDF is a KDF defined in ANSI-X9.63. According to ACVP specification
489 * section 7.3.1, only SHA-2 and SHA-3 can be regarded as valid hash
490 * functions.
491 */
492 int digest_unapproved = (ctx->is_kmac != 1) && EVP_MD_is_a(md, SN_sha1);
493
494 if (digest_unapproved) {
495 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
496 libctx, "X963KDF", "Digest",
497 ossl_fips_config_x963kdf_digest_check)) {
498 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
499 return 0;
500 }
501 }
502 return 1;
503 }
504
fips_x963kdf_key_check_passed(KDF_SSKDF * ctx)505 static int fips_x963kdf_key_check_passed(KDF_SSKDF *ctx)
506 {
507 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
508 int key_approved = ossl_kdf_check_key_size(ctx->secret_len);
509
510 if (!key_approved) {
511 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
512 libctx, "X963KDF", "Key size",
513 ossl_fips_config_x963kdf_key_check)) {
514 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
515 return 0;
516 }
517 }
518 return 1;
519 }
520 #endif
521
x963kdf_derive(void * vctx,unsigned char * key,size_t keylen,const OSSL_PARAM params[])522 static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
523 const OSSL_PARAM params[])
524 {
525 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
526 const EVP_MD *md;
527
528 if (!ossl_prov_is_running() || !x963kdf_set_ctx_params(ctx, params))
529 return 0;
530
531 if (ctx->secret == NULL) {
532 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
533 return 0;
534 }
535
536 if (ctx->macctx != NULL) {
537 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED);
538 return 0;
539 }
540
541 /* H(x) = hash */
542 md = ossl_prov_digest_md(&ctx->digest);
543 if (md == NULL) {
544 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
545 return 0;
546 }
547
548 return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
549 ctx->info, ctx->info_len, 1, key, keylen);
550 }
551
sskdf_common_set_ctx_params(KDF_SSKDF * ctx,const OSSL_PARAM params[])552 static int sskdf_common_set_ctx_params(KDF_SSKDF *ctx, const OSSL_PARAM params[])
553 {
554 const OSSL_PARAM *p;
555 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
556 const EVP_MD *md = NULL;
557 size_t sz;
558 int r;
559
560 if (params == NULL)
561 return 1;
562
563 if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
564 NULL, NULL, NULL, libctx))
565 return 0;
566 if (ctx->macctx != NULL) {
567 if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
568 OSSL_MAC_NAME_KMAC128)
569 || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
570 OSSL_MAC_NAME_KMAC256)) {
571 ctx->is_kmac = 1;
572 }
573 }
574
575 if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) {
576 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
577 return 0;
578
579 md = ossl_prov_digest_md(&ctx->digest);
580 if (EVP_MD_xof(md)) {
581 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
582 return 0;
583 }
584 }
585
586 r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SECRET,
587 &ctx->secret, &ctx->secret_len);
588 if (r == -1)
589 r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_KEY,
590 &ctx->secret, &ctx->secret_len);
591 if (r == 0)
592 return 0;
593
594 if (ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO,
595 &ctx->info, &ctx->info_len, 0) == 0)
596 return 0;
597
598 if (ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SALT,
599 &ctx->salt, &ctx->salt_len) == 0)
600 return 0;
601
602 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE))
603 != NULL) {
604 if (!OSSL_PARAM_get_size_t(p, &sz) || sz == 0)
605 return 0;
606 ctx->out_len = sz;
607 }
608 return 1;
609 }
610
sskdf_set_ctx_params(void * vctx,const OSSL_PARAM params[])611 static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
612 {
613 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
614
615 if (params == NULL)
616 return 1;
617
618 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
619 OSSL_KDF_PARAM_FIPS_KEY_CHECK))
620 return 0;
621
622 if (!sskdf_common_set_ctx_params(ctx, params))
623 return 0;
624
625 #ifdef FIPS_MODULE
626 if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) ||
627 (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL))
628 if (!fips_sskdf_key_check_passed(ctx))
629 return 0;
630 #endif
631
632 return 1;
633 }
634
sskdf_settable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)635 static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx,
636 ossl_unused void *provctx)
637 {
638 static const OSSL_PARAM known_settable_ctx_params[] = {
639 SSKDF_COMMON_SETTABLES,
640 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK)
641 OSSL_PARAM_END
642 };
643 return known_settable_ctx_params;
644 }
645
sskdf_common_get_ctx_params(KDF_SSKDF * ctx,OSSL_PARAM params[])646 static int sskdf_common_get_ctx_params(KDF_SSKDF *ctx, OSSL_PARAM params[])
647 {
648 OSSL_PARAM *p;
649
650 if (params == NULL)
651 return 1;
652
653 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
654 if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
655 return 0;
656 }
657
658 return 1;
659 }
660
sskdf_get_ctx_params(void * vctx,OSSL_PARAM params[])661 static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
662 {
663 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
664
665 if (params == NULL)
666 return 1;
667
668 if (!sskdf_common_get_ctx_params(ctx, params))
669 return 0;
670
671 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
672 return 0;
673
674 return 1;
675 }
676
sskdf_gettable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)677 static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
678 ossl_unused void *provctx)
679 {
680 static const OSSL_PARAM known_gettable_ctx_params[] = {
681 SSKDF_COMMON_GETTABLES,
682 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
683 OSSL_PARAM_END
684 };
685 return known_gettable_ctx_params;
686 }
687
x963kdf_set_ctx_params(void * vctx,const OSSL_PARAM params[])688 static int x963kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
689 {
690 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
691
692 if (params == NULL)
693 return 1;
694
695 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
696 OSSL_KDF_PARAM_FIPS_DIGEST_CHECK))
697 return 0;
698 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, params,
699 OSSL_KDF_PARAM_FIPS_KEY_CHECK))
700 return 0;
701
702 if (!sskdf_common_set_ctx_params(ctx, params))
703 return 0;
704
705 #ifdef FIPS_MODULE
706 if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) {
707 const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
708
709 if (!fips_x963kdf_digest_check_passed(ctx, md))
710 return 0;
711 }
712
713 if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) ||
714 (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL))
715 if (!fips_x963kdf_key_check_passed(ctx))
716 return 0;
717 #endif
718
719 return 1;
720 }
721
x963kdf_settable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)722 static const OSSL_PARAM *x963kdf_settable_ctx_params(ossl_unused void *ctx,
723 ossl_unused void *provctx)
724 {
725 static const OSSL_PARAM known_settable_ctx_params[] = {
726 SSKDF_COMMON_SETTABLES,
727 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)
728 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK)
729 OSSL_PARAM_END
730 };
731 return known_settable_ctx_params;
732 }
733
x963kdf_get_ctx_params(void * vctx,OSSL_PARAM params[])734 static int x963kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
735 {
736 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
737
738 if (!sskdf_common_get_ctx_params(ctx, params))
739 return 0;
740
741 if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
742 return 0;
743
744 return 1;
745 }
746
x963kdf_gettable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)747 static const OSSL_PARAM *x963kdf_gettable_ctx_params(ossl_unused void *ctx,
748 ossl_unused void *provctx)
749 {
750 static const OSSL_PARAM known_gettable_ctx_params[] = {
751 SSKDF_COMMON_GETTABLES,
752 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
753 OSSL_PARAM_END
754 };
755 return known_gettable_ctx_params;
756 }
757
758 const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
759 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
760 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
761 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
762 { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
763 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive },
764 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
765 (void(*)(void))sskdf_settable_ctx_params },
766 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
767 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
768 (void(*)(void))sskdf_gettable_ctx_params },
769 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
770 OSSL_DISPATCH_END
771 };
772
773 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
774 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
775 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
776 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
777 { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
778 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
779 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
780 (void(*)(void))x963kdf_settable_ctx_params },
781 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))x963kdf_set_ctx_params },
782 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
783 (void(*)(void))x963kdf_gettable_ctx_params },
784 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))x963kdf_get_ctx_params },
785 OSSL_DISPATCH_END
786 };
787
