xref: /freebsd/crypto/openssl/providers/implementations/kdfs/sskdf.c (revision b077aed33b7b6aefca7b17ddb250cf521f938613) 
1 /*
2  * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 /*
12  * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
13  * Section 4.1.
14  *
15  * The Single Step KDF algorithm is given by:
16  *
17  * Result(0) = empty bit string (i.e., the null string).
18  * For i = 1 to reps, do the following:
19  *   Increment counter by 1.
20  *   Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21  * DKM = LeftmostBits(Result(reps), L))
22  *
23  * NOTES:
24  *   Z is a shared secret required to produce the derived key material.
25  *   counter is a 4 byte buffer.
26  *   FixedInfo is a bit string containing context specific data.
27  *   DKM is the output derived key material.
28  *   L is the required size of the DKM.
29  *   reps = [L / H_outputBits]
30  *   H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31  *   H_outputBits is the length of the output of the auxiliary function H(x).
32  *
33  * Currently there is not a comprehensive list of test vectors for this
34  * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35  * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
36  */
37 #include <stdlib.h>
38 #include <stdarg.h>
39 #include <string.h>
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include <openssl/core_names.h>
44 #include <openssl/params.h>
45 #include <openssl/proverr.h>
46 #include "internal/cryptlib.h"
47 #include "internal/numbers.h"
48 #include "crypto/evp.h"
49 #include "prov/provider_ctx.h"
50 #include "prov/providercommon.h"
51 #include "prov/implementations.h"
52 #include "prov/provider_util.h"
53 
54 typedef struct {
55     void *provctx;
56     EVP_MAC_CTX *macctx;         /* H(x) = HMAC_hash OR H(x) = KMAC */
57     PROV_DIGEST digest;          /* H(x) = hash(x) */
58     unsigned char *secret;
59     size_t secret_len;
60     unsigned char *info;
61     size_t info_len;
62     unsigned char *salt;
63     size_t salt_len;
64     size_t out_len; /* optional KMAC parameter */
65     int is_kmac;
66 } KDF_SSKDF;
67 
68 #define SSKDF_MAX_INLEN (1<<30)
69 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
70 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
71 
72 /* KMAC uses a Customisation string of 'KDF' */
73 static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
74 
75 static OSSL_FUNC_kdf_newctx_fn sskdf_new;
76 static OSSL_FUNC_kdf_freectx_fn sskdf_free;
77 static OSSL_FUNC_kdf_reset_fn sskdf_reset;
78 static OSSL_FUNC_kdf_derive_fn sskdf_derive;
79 static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
80 static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
81 static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
82 static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
83 static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;
84 
85 /*
86  * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
87  * Section 4. One-Step Key Derivation using H(x) = hash(x)
88  * Note: X9.63 also uses this code with the only difference being that the
89  * counter is appended to the secret 'z'.
90  * i.e.
91  *   result[i] = Hash(counter || z || info) for One Step OR
92  *   result[i] = Hash(z || counter || info) for X9.63.
93  */
SSKDF_hash_kdm(const EVP_MD * kdf_md,const unsigned char * z,size_t z_len,const unsigned char * info,size_t info_len,unsigned int append_ctr,unsigned char * derived_key,size_t derived_key_len)94 static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
95                           const unsigned char *z, size_t z_len,
96                           const unsigned char *info, size_t info_len,
97                           unsigned int append_ctr,
98                           unsigned char *derived_key, size_t derived_key_len)
99 {
100     int ret = 0, hlen;
101     size_t counter, out_len, len = derived_key_len;
102     unsigned char c[4];
103     unsigned char mac[EVP_MAX_MD_SIZE];
104     unsigned char *out = derived_key;
105     EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
106 
107     if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
108             || derived_key_len > SSKDF_MAX_INLEN
109             || derived_key_len == 0)
110         return 0;
111 
112     hlen = EVP_MD_get_size(kdf_md);
113     if (hlen <= 0)
114         return 0;
115     out_len = (size_t)hlen;
116 
117     ctx = EVP_MD_CTX_create();
118     ctx_init = EVP_MD_CTX_create();
119     if (ctx == NULL || ctx_init == NULL)
120         goto end;
121 
122     if (!EVP_DigestInit(ctx_init, kdf_md))
123         goto end;
124 
125     for (counter = 1;; counter++) {
126         c[0] = (unsigned char)((counter >> 24) & 0xff);
127         c[1] = (unsigned char)((counter >> 16) & 0xff);
128         c[2] = (unsigned char)((counter >> 8) & 0xff);
129         c[3] = (unsigned char)(counter & 0xff);
130 
131         if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
132                 && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
133                 && EVP_DigestUpdate(ctx, z, z_len)
134                 && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
135                 && EVP_DigestUpdate(ctx, info, info_len)))
136             goto end;
137         if (len >= out_len) {
138             if (!EVP_DigestFinal_ex(ctx, out, NULL))
139                 goto end;
140             out += out_len;
141             len -= out_len;
142             if (len == 0)
143                 break;
144         } else {
145             if (!EVP_DigestFinal_ex(ctx, mac, NULL))
146                 goto end;
147             memcpy(out, mac, len);
148             break;
149         }
150     }
151     ret = 1;
152 end:
153     EVP_MD_CTX_destroy(ctx);
154     EVP_MD_CTX_destroy(ctx_init);
155     OPENSSL_cleanse(mac, sizeof(mac));
156     return ret;
157 }
158 
kmac_init(EVP_MAC_CTX * ctx,const unsigned char * custom,size_t custom_len,size_t kmac_out_len,size_t derived_key_len,unsigned char ** out)159 static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
160                      size_t custom_len, size_t kmac_out_len,
161                      size_t derived_key_len, unsigned char **out)
162 {
163     OSSL_PARAM params[2];
164 
165     /* Only KMAC has custom data - so return if not KMAC */
166     if (custom == NULL)
167         return 1;
168 
169     params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
170                                                   (void *)custom, custom_len);
171     params[1] = OSSL_PARAM_construct_end();
172 
173     if (!EVP_MAC_CTX_set_params(ctx, params))
174         return 0;
175 
176     /* By default only do one iteration if kmac_out_len is not specified */
177     if (kmac_out_len == 0)
178         kmac_out_len = derived_key_len;
179     /* otherwise check the size is valid */
180     else if (!(kmac_out_len == derived_key_len
181             || kmac_out_len == 20
182             || kmac_out_len == 28
183             || kmac_out_len == 32
184             || kmac_out_len == 48
185             || kmac_out_len == 64))
186         return 0;
187 
188     params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
189                                             &kmac_out_len);
190 
191     if (EVP_MAC_CTX_set_params(ctx, params) <= 0)
192         return 0;
193 
194     /*
195      * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
196      * alloc a buffer for this case.
197      */
198     if (kmac_out_len > EVP_MAX_MD_SIZE) {
199         *out = OPENSSL_zalloc(kmac_out_len);
200         if (*out == NULL)
201             return 0;
202     }
203     return 1;
204 }
205 
206 /*
207  * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
208  * Section 4. One-Step Key Derivation using MAC: i.e either
209  *     H(x) = HMAC-hash(salt, x) OR
210  *     H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
211  */
SSKDF_mac_kdm(EVP_MAC_CTX * ctx_init,const unsigned char * kmac_custom,size_t kmac_custom_len,size_t kmac_out_len,const unsigned char * salt,size_t salt_len,const unsigned char * z,size_t z_len,const unsigned char * info,size_t info_len,unsigned char * derived_key,size_t derived_key_len)212 static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
213                          const unsigned char *kmac_custom,
214                          size_t kmac_custom_len, size_t kmac_out_len,
215                          const unsigned char *salt, size_t salt_len,
216                          const unsigned char *z, size_t z_len,
217                          const unsigned char *info, size_t info_len,
218                          unsigned char *derived_key, size_t derived_key_len)
219 {
220     int ret = 0;
221     size_t counter, out_len, len;
222     unsigned char c[4];
223     unsigned char mac_buf[EVP_MAX_MD_SIZE];
224     unsigned char *out = derived_key;
225     EVP_MAC_CTX *ctx = NULL;
226     unsigned char *mac = mac_buf, *kmac_buffer = NULL;
227 
228     if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
229             || derived_key_len > SSKDF_MAX_INLEN
230             || derived_key_len == 0)
231         return 0;
232 
233     if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
234                    derived_key_len, &kmac_buffer))
235         goto end;
236     if (kmac_buffer != NULL)
237         mac = kmac_buffer;
238 
239     if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
240         goto end;
241 
242     out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
243     if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf)))
244         goto end;
245     len = derived_key_len;
246 
247     for (counter = 1;; counter++) {
248         c[0] = (unsigned char)((counter >> 24) & 0xff);
249         c[1] = (unsigned char)((counter >> 16) & 0xff);
250         c[2] = (unsigned char)((counter >> 8) & 0xff);
251         c[3] = (unsigned char)(counter & 0xff);
252 
253         ctx = EVP_MAC_CTX_dup(ctx_init);
254         if (!(ctx != NULL
255                 && EVP_MAC_update(ctx, c, sizeof(c))
256                 && EVP_MAC_update(ctx, z, z_len)
257                 && EVP_MAC_update(ctx, info, info_len)))
258             goto end;
259         if (len >= out_len) {
260             if (!EVP_MAC_final(ctx, out, NULL, len))
261                 goto end;
262             out += out_len;
263             len -= out_len;
264             if (len == 0)
265                 break;
266         } else {
267             if (!EVP_MAC_final(ctx, mac, NULL, out_len))
268                 goto end;
269             memcpy(out, mac, len);
270             break;
271         }
272         EVP_MAC_CTX_free(ctx);
273         ctx = NULL;
274     }
275     ret = 1;
276 end:
277     if (kmac_buffer != NULL)
278         OPENSSL_clear_free(kmac_buffer, kmac_out_len);
279     else
280         OPENSSL_cleanse(mac_buf, sizeof(mac_buf));
281 
282     EVP_MAC_CTX_free(ctx);
283     return ret;
284 }
285 
sskdf_new(void * provctx)286 static void *sskdf_new(void *provctx)
287 {
288     KDF_SSKDF *ctx;
289 
290     if (!ossl_prov_is_running())
291         return NULL;
292 
293     if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
294         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
295     ctx->provctx = provctx;
296     return ctx;
297 }
298 
sskdf_reset(void * vctx)299 static void sskdf_reset(void *vctx)
300 {
301     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
302     void *provctx = ctx->provctx;
303 
304     EVP_MAC_CTX_free(ctx->macctx);
305     ossl_prov_digest_reset(&ctx->digest);
306     OPENSSL_clear_free(ctx->secret, ctx->secret_len);
307     OPENSSL_clear_free(ctx->info, ctx->info_len);
308     OPENSSL_clear_free(ctx->salt, ctx->salt_len);
309     memset(ctx, 0, sizeof(*ctx));
310     ctx->provctx = provctx;
311 }
312 
sskdf_free(void * vctx)313 static void sskdf_free(void *vctx)
314 {
315     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
316 
317     if (ctx != NULL) {
318         sskdf_reset(ctx);
319         OPENSSL_free(ctx);
320     }
321 }
322 
sskdf_set_buffer(unsigned char ** out,size_t * out_len,const OSSL_PARAM * p)323 static int sskdf_set_buffer(unsigned char **out, size_t *out_len,
324                             const OSSL_PARAM *p)
325 {
326     if (p->data == NULL || p->data_size == 0)
327         return 1;
328     OPENSSL_free(*out);
329     *out = NULL;
330     return OSSL_PARAM_get_octet_string(p, (void **)out, 0, out_len);
331 }
332 
sskdf_size(KDF_SSKDF * ctx)333 static size_t sskdf_size(KDF_SSKDF *ctx)
334 {
335     int len;
336     const EVP_MD *md = NULL;
337 
338     if (ctx->is_kmac)
339         return SIZE_MAX;
340 
341     md = ossl_prov_digest_md(&ctx->digest);
342     if (md == NULL) {
343         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
344         return 0;
345     }
346     len = EVP_MD_get_size(md);
347     return (len <= 0) ? 0 : (size_t)len;
348 }
349 
sskdf_derive(void * vctx,unsigned char * key,size_t keylen,const OSSL_PARAM params[])350 static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
351                         const OSSL_PARAM params[])
352 {
353     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
354     const EVP_MD *md;
355 
356     if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
357         return 0;
358     if (ctx->secret == NULL) {
359         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
360         return 0;
361     }
362     md = ossl_prov_digest_md(&ctx->digest);
363 
364     if (ctx->macctx != NULL) {
365         /* H(x) = KMAC or H(x) = HMAC */
366         int ret;
367         const unsigned char *custom = NULL;
368         size_t custom_len = 0;
369         int default_salt_len;
370         EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);
371 
372         if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
373             /* H(x) = HMAC(x, salt, hash) */
374             if (md == NULL) {
375                 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
376                 return 0;
377             }
378             default_salt_len = EVP_MD_get_size(md);
379             if (default_salt_len <= 0)
380                 return 0;
381         } else if (ctx->is_kmac) {
382             /* H(x) = KMACzzz(x, salt, custom) */
383             custom = kmac_custom_str;
384             custom_len = sizeof(kmac_custom_str);
385             if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128))
386                 default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
387             else
388                 default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
389         } else {
390             ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
391             return 0;
392         }
393         /* If no salt is set then use a default_salt of zeros */
394         if (ctx->salt == NULL || ctx->salt_len <= 0) {
395             ctx->salt = OPENSSL_zalloc(default_salt_len);
396             if (ctx->salt == NULL) {
397                 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
398                 return 0;
399             }
400             ctx->salt_len = default_salt_len;
401         }
402         ret = SSKDF_mac_kdm(ctx->macctx,
403                             custom, custom_len, ctx->out_len,
404                             ctx->salt, ctx->salt_len,
405                             ctx->secret, ctx->secret_len,
406                             ctx->info, ctx->info_len, key, keylen);
407         return ret;
408     } else {
409         /* H(x) = hash */
410         if (md == NULL) {
411             ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
412             return 0;
413         }
414         return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
415                               ctx->info, ctx->info_len, 0, key, keylen);
416     }
417 }
418 
x963kdf_derive(void * vctx,unsigned char * key,size_t keylen,const OSSL_PARAM params[])419 static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
420                           const OSSL_PARAM params[])
421 {
422     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
423     const EVP_MD *md;
424 
425     if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
426         return 0;
427 
428     if (ctx->secret == NULL) {
429         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
430         return 0;
431     }
432 
433     if (ctx->macctx != NULL) {
434         ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED);
435         return 0;
436     }
437 
438     /* H(x) = hash */
439     md = ossl_prov_digest_md(&ctx->digest);
440     if (md == NULL) {
441         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
442         return 0;
443     }
444 
445     return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
446                           ctx->info, ctx->info_len, 1, key, keylen);
447 }
448 
sskdf_set_ctx_params(void * vctx,const OSSL_PARAM params[])449 static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
450 {
451     const OSSL_PARAM *p;
452     KDF_SSKDF *ctx = vctx;
453     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
454     size_t sz;
455 
456     if (params == NULL)
457         return 1;
458 
459     if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
460                                            NULL, NULL, NULL, libctx))
461         return 0;
462    if (ctx->macctx != NULL) {
463         if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
464                          OSSL_MAC_NAME_KMAC128)
465             || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
466                             OSSL_MAC_NAME_KMAC256)) {
467             ctx->is_kmac = 1;
468         }
469    }
470 
471    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
472        return 0;
473 
474     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL
475         || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
476         if (!sskdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
477             return 0;
478 
479     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL)
480         if (!sskdf_set_buffer(&ctx->info, &ctx->info_len, p))
481             return 0;
482 
483     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
484         if (!sskdf_set_buffer(&ctx->salt, &ctx->salt_len, p))
485             return 0;
486 
487     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE))
488         != NULL) {
489         if (!OSSL_PARAM_get_size_t(p, &sz) || sz == 0)
490             return 0;
491         ctx->out_len = sz;
492     }
493     return 1;
494 }
495 
sskdf_settable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)496 static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx,
497                                                    ossl_unused void *provctx)
498 {
499     static const OSSL_PARAM known_settable_ctx_params[] = {
500         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
501         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
502         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
503         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
504         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
505         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),
506         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
507         OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL),
508         OSSL_PARAM_END
509     };
510     return known_settable_ctx_params;
511 }
512 
sskdf_get_ctx_params(void * vctx,OSSL_PARAM params[])513 static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
514 {
515     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
516     OSSL_PARAM *p;
517 
518     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
519         return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
520     return -2;
521 }
522 
sskdf_gettable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)523 static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
524                                                    ossl_unused void *provctx)
525 {
526     static const OSSL_PARAM known_gettable_ctx_params[] = {
527         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
528         OSSL_PARAM_END
529     };
530     return known_gettable_ctx_params;
531 }
532 
533 const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
534     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
535     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
536     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
537     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive },
538     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
539       (void(*)(void))sskdf_settable_ctx_params },
540     { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
541     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
542       (void(*)(void))sskdf_gettable_ctx_params },
543     { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
544     { 0, NULL }
545 };
546 
547 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
548     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
549     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
550     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
551     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
552     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
553       (void(*)(void))sskdf_settable_ctx_params },
554     { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
555     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
556       (void(*)(void))sskdf_gettable_ctx_params },
557     { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
558     { 0, NULL }
559 };
560