1 /* 2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 /* 12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final 13 * Section 4.1. 14 * 15 * The Single Step KDF algorithm is given by: 16 * 17 * Result(0) = empty bit string (i.e., the null string). 18 * For i = 1 to reps, do the following: 19 * Increment counter by 1. 20 * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo). 21 * DKM = LeftmostBits(Result(reps), L)) 22 * 23 * NOTES: 24 * Z is a shared secret required to produce the derived key material. 25 * counter is a 4 byte buffer. 26 * FixedInfo is a bit string containing context specific data. 27 * DKM is the output derived key material. 28 * L is the required size of the DKM. 29 * reps = [L / H_outputBits] 30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC. 31 * H_outputBits is the length of the output of the auxiliary function H(x). 32 * 33 * Currently there is not a comprehensive list of test vectors for this 34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC. 35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests. 36 */ 37 #include <stdlib.h> 38 #include <stdarg.h> 39 #include <string.h> 40 #include <openssl/hmac.h> 41 #include <openssl/evp.h> 42 #include <openssl/kdf.h> 43 #include <openssl/core_names.h> 44 #include <openssl/params.h> 45 #include <openssl/proverr.h> 46 #include "internal/cryptlib.h" 47 #include "internal/numbers.h" 48 #include "crypto/evp.h" 49 #include "prov/provider_ctx.h" 50 #include "prov/providercommon.h" 51 #include "prov/implementations.h" 52 #include "prov/provider_util.h" 53 54 typedef struct { 55 void *provctx; 56 EVP_MAC_CTX *macctx; /* H(x) = HMAC_hash OR H(x) = KMAC */ 57 PROV_DIGEST digest; /* H(x) = hash(x) */ 58 unsigned char *secret; 59 size_t secret_len; 60 unsigned char *info; 61 size_t info_len; 62 unsigned char *salt; 63 size_t salt_len; 64 size_t out_len; /* optional KMAC parameter */ 65 int is_kmac; 66 } KDF_SSKDF; 67 68 #define SSKDF_MAX_INLEN (1<<30) 69 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4) 70 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4) 71 72 /* KMAC uses a Customisation string of 'KDF' */ 73 static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; 74 75 static OSSL_FUNC_kdf_newctx_fn sskdf_new; 76 static OSSL_FUNC_kdf_freectx_fn sskdf_free; 77 static OSSL_FUNC_kdf_reset_fn sskdf_reset; 78 static OSSL_FUNC_kdf_derive_fn sskdf_derive; 79 static OSSL_FUNC_kdf_derive_fn x963kdf_derive; 80 static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params; 81 static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params; 82 static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params; 83 static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params; 84 85 /* 86 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final 87 * Section 4. One-Step Key Derivation using H(x) = hash(x) 88 * Note: X9.63 also uses this code with the only difference being that the 89 * counter is appended to the secret 'z'. 90 * i.e. 91 * result[i] = Hash(counter || z || info) for One Step OR 92 * result[i] = Hash(z || counter || info) for X9.63. 93 */ 94 static int SSKDF_hash_kdm(const EVP_MD *kdf_md, 95 const unsigned char *z, size_t z_len, 96 const unsigned char *info, size_t info_len, 97 unsigned int append_ctr, 98 unsigned char *derived_key, size_t derived_key_len) 99 { 100 int ret = 0, hlen; 101 size_t counter, out_len, len = derived_key_len; 102 unsigned char c[4]; 103 unsigned char mac[EVP_MAX_MD_SIZE]; 104 unsigned char *out = derived_key; 105 EVP_MD_CTX *ctx = NULL, *ctx_init = NULL; 106 107 if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN 108 || derived_key_len > SSKDF_MAX_INLEN 109 || derived_key_len == 0) 110 return 0; 111 112 hlen = EVP_MD_get_size(kdf_md); 113 if (hlen <= 0) 114 return 0; 115 out_len = (size_t)hlen; 116 117 ctx = EVP_MD_CTX_create(); 118 ctx_init = EVP_MD_CTX_create(); 119 if (ctx == NULL || ctx_init == NULL) 120 goto end; 121 122 if (!EVP_DigestInit(ctx_init, kdf_md)) 123 goto end; 124 125 for (counter = 1;; counter++) { 126 c[0] = (unsigned char)((counter >> 24) & 0xff); 127 c[1] = (unsigned char)((counter >> 16) & 0xff); 128 c[2] = (unsigned char)((counter >> 8) & 0xff); 129 c[3] = (unsigned char)(counter & 0xff); 130 131 if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init) 132 && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c))) 133 && EVP_DigestUpdate(ctx, z, z_len) 134 && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c))) 135 && EVP_DigestUpdate(ctx, info, info_len))) 136 goto end; 137 if (len >= out_len) { 138 if (!EVP_DigestFinal_ex(ctx, out, NULL)) 139 goto end; 140 out += out_len; 141 len -= out_len; 142 if (len == 0) 143 break; 144 } else { 145 if (!EVP_DigestFinal_ex(ctx, mac, NULL)) 146 goto end; 147 memcpy(out, mac, len); 148 break; 149 } 150 } 151 ret = 1; 152 end: 153 EVP_MD_CTX_destroy(ctx); 154 EVP_MD_CTX_destroy(ctx_init); 155 OPENSSL_cleanse(mac, sizeof(mac)); 156 return ret; 157 } 158 159 static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom, 160 size_t custom_len, size_t kmac_out_len, 161 size_t derived_key_len, unsigned char **out) 162 { 163 OSSL_PARAM params[2]; 164 165 /* Only KMAC has custom data - so return if not KMAC */ 166 if (custom == NULL) 167 return 1; 168 169 params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM, 170 (void *)custom, custom_len); 171 params[1] = OSSL_PARAM_construct_end(); 172 173 if (!EVP_MAC_CTX_set_params(ctx, params)) 174 return 0; 175 176 /* By default only do one iteration if kmac_out_len is not specified */ 177 if (kmac_out_len == 0) 178 kmac_out_len = derived_key_len; 179 /* otherwise check the size is valid */ 180 else if (!(kmac_out_len == derived_key_len 181 || kmac_out_len == 20 182 || kmac_out_len == 28 183 || kmac_out_len == 32 184 || kmac_out_len == 48 185 || kmac_out_len == 64)) 186 return 0; 187 188 params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, 189 &kmac_out_len); 190 191 if (EVP_MAC_CTX_set_params(ctx, params) <= 0) 192 return 0; 193 194 /* 195 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so 196 * alloc a buffer for this case. 197 */ 198 if (kmac_out_len > EVP_MAX_MD_SIZE) { 199 *out = OPENSSL_zalloc(kmac_out_len); 200 if (*out == NULL) 201 return 0; 202 } 203 return 1; 204 } 205 206 /* 207 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final 208 * Section 4. One-Step Key Derivation using MAC: i.e either 209 * H(x) = HMAC-hash(salt, x) OR 210 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF') 211 */ 212 static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init, 213 const unsigned char *kmac_custom, 214 size_t kmac_custom_len, size_t kmac_out_len, 215 const unsigned char *salt, size_t salt_len, 216 const unsigned char *z, size_t z_len, 217 const unsigned char *info, size_t info_len, 218 unsigned char *derived_key, size_t derived_key_len) 219 { 220 int ret = 0; 221 size_t counter, out_len, len; 222 unsigned char c[4]; 223 unsigned char mac_buf[EVP_MAX_MD_SIZE]; 224 unsigned char *out = derived_key; 225 EVP_MAC_CTX *ctx = NULL; 226 unsigned char *mac = mac_buf, *kmac_buffer = NULL; 227 228 if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN 229 || derived_key_len > SSKDF_MAX_INLEN 230 || derived_key_len == 0) 231 return 0; 232 233 if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len, 234 derived_key_len, &kmac_buffer)) 235 goto end; 236 if (kmac_buffer != NULL) 237 mac = kmac_buffer; 238 239 if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL)) 240 goto end; 241 242 out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */ 243 if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf))) 244 goto end; 245 len = derived_key_len; 246 247 for (counter = 1;; counter++) { 248 c[0] = (unsigned char)((counter >> 24) & 0xff); 249 c[1] = (unsigned char)((counter >> 16) & 0xff); 250 c[2] = (unsigned char)((counter >> 8) & 0xff); 251 c[3] = (unsigned char)(counter & 0xff); 252 253 ctx = EVP_MAC_CTX_dup(ctx_init); 254 if (!(ctx != NULL 255 && EVP_MAC_update(ctx, c, sizeof(c)) 256 && EVP_MAC_update(ctx, z, z_len) 257 && EVP_MAC_update(ctx, info, info_len))) 258 goto end; 259 if (len >= out_len) { 260 if (!EVP_MAC_final(ctx, out, NULL, len)) 261 goto end; 262 out += out_len; 263 len -= out_len; 264 if (len == 0) 265 break; 266 } else { 267 if (!EVP_MAC_final(ctx, mac, NULL, out_len)) 268 goto end; 269 memcpy(out, mac, len); 270 break; 271 } 272 EVP_MAC_CTX_free(ctx); 273 ctx = NULL; 274 } 275 ret = 1; 276 end: 277 if (kmac_buffer != NULL) 278 OPENSSL_clear_free(kmac_buffer, kmac_out_len); 279 else 280 OPENSSL_cleanse(mac_buf, sizeof(mac_buf)); 281 282 EVP_MAC_CTX_free(ctx); 283 return ret; 284 } 285 286 static void *sskdf_new(void *provctx) 287 { 288 KDF_SSKDF *ctx; 289 290 if (!ossl_prov_is_running()) 291 return NULL; 292 293 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) 294 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 295 ctx->provctx = provctx; 296 return ctx; 297 } 298 299 static void sskdf_reset(void *vctx) 300 { 301 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; 302 void *provctx = ctx->provctx; 303 304 EVP_MAC_CTX_free(ctx->macctx); 305 ossl_prov_digest_reset(&ctx->digest); 306 OPENSSL_clear_free(ctx->secret, ctx->secret_len); 307 OPENSSL_clear_free(ctx->info, ctx->info_len); 308 OPENSSL_clear_free(ctx->salt, ctx->salt_len); 309 memset(ctx, 0, sizeof(*ctx)); 310 ctx->provctx = provctx; 311 } 312 313 static void sskdf_free(void *vctx) 314 { 315 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; 316 317 if (ctx != NULL) { 318 sskdf_reset(ctx); 319 OPENSSL_free(ctx); 320 } 321 } 322 323 static int sskdf_set_buffer(unsigned char **out, size_t *out_len, 324 const OSSL_PARAM *p) 325 { 326 if (p->data == NULL || p->data_size == 0) 327 return 1; 328 OPENSSL_free(*out); 329 *out = NULL; 330 return OSSL_PARAM_get_octet_string(p, (void **)out, 0, out_len); 331 } 332 333 static size_t sskdf_size(KDF_SSKDF *ctx) 334 { 335 int len; 336 const EVP_MD *md = NULL; 337 338 if (ctx->is_kmac) 339 return SIZE_MAX; 340 341 md = ossl_prov_digest_md(&ctx->digest); 342 if (md == NULL) { 343 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 344 return 0; 345 } 346 len = EVP_MD_get_size(md); 347 return (len <= 0) ? 0 : (size_t)len; 348 } 349 350 static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, 351 const OSSL_PARAM params[]) 352 { 353 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; 354 const EVP_MD *md; 355 356 if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params)) 357 return 0; 358 if (ctx->secret == NULL) { 359 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); 360 return 0; 361 } 362 md = ossl_prov_digest_md(&ctx->digest); 363 364 if (ctx->macctx != NULL) { 365 /* H(x) = KMAC or H(x) = HMAC */ 366 int ret; 367 const unsigned char *custom = NULL; 368 size_t custom_len = 0; 369 int default_salt_len; 370 EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx); 371 372 if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) { 373 /* H(x) = HMAC(x, salt, hash) */ 374 if (md == NULL) { 375 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 376 return 0; 377 } 378 default_salt_len = EVP_MD_get_size(md); 379 if (default_salt_len <= 0) 380 return 0; 381 } else if (ctx->is_kmac) { 382 /* H(x) = KMACzzz(x, salt, custom) */ 383 custom = kmac_custom_str; 384 custom_len = sizeof(kmac_custom_str); 385 if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128)) 386 default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE; 387 else 388 default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE; 389 } else { 390 ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE); 391 return 0; 392 } 393 /* If no salt is set then use a default_salt of zeros */ 394 if (ctx->salt == NULL || ctx->salt_len <= 0) { 395 ctx->salt = OPENSSL_zalloc(default_salt_len); 396 if (ctx->salt == NULL) { 397 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); 398 return 0; 399 } 400 ctx->salt_len = default_salt_len; 401 } 402 ret = SSKDF_mac_kdm(ctx->macctx, 403 custom, custom_len, ctx->out_len, 404 ctx->salt, ctx->salt_len, 405 ctx->secret, ctx->secret_len, 406 ctx->info, ctx->info_len, key, keylen); 407 return ret; 408 } else { 409 /* H(x) = hash */ 410 if (md == NULL) { 411 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 412 return 0; 413 } 414 return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, 415 ctx->info, ctx->info_len, 0, key, keylen); 416 } 417 } 418 419 static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, 420 const OSSL_PARAM params[]) 421 { 422 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; 423 const EVP_MD *md; 424 425 if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params)) 426 return 0; 427 428 if (ctx->secret == NULL) { 429 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); 430 return 0; 431 } 432 433 if (ctx->macctx != NULL) { 434 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED); 435 return 0; 436 } 437 438 /* H(x) = hash */ 439 md = ossl_prov_digest_md(&ctx->digest); 440 if (md == NULL) { 441 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 442 return 0; 443 } 444 445 return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, 446 ctx->info, ctx->info_len, 1, key, keylen); 447 } 448 449 static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 450 { 451 const OSSL_PARAM *p; 452 KDF_SSKDF *ctx = vctx; 453 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 454 size_t sz; 455 456 if (params == NULL) 457 return 1; 458 459 if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params, 460 NULL, NULL, NULL, libctx)) 461 return 0; 462 if (ctx->macctx != NULL) { 463 if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), 464 OSSL_MAC_NAME_KMAC128) 465 || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), 466 OSSL_MAC_NAME_KMAC256)) { 467 ctx->is_kmac = 1; 468 } 469 } 470 471 if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) 472 return 0; 473 474 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL 475 || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) 476 if (!sskdf_set_buffer(&ctx->secret, &ctx->secret_len, p)) 477 return 0; 478 479 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) 480 if (!sskdf_set_buffer(&ctx->info, &ctx->info_len, p)) 481 return 0; 482 483 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) 484 if (!sskdf_set_buffer(&ctx->salt, &ctx->salt_len, p)) 485 return 0; 486 487 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE)) 488 != NULL) { 489 if (!OSSL_PARAM_get_size_t(p, &sz) || sz == 0) 490 return 0; 491 ctx->out_len = sz; 492 } 493 return 1; 494 } 495 496 static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx, 497 ossl_unused void *provctx) 498 { 499 static const OSSL_PARAM known_settable_ctx_params[] = { 500 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), 501 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), 502 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), 503 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), 504 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), 505 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0), 506 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), 507 OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL), 508 OSSL_PARAM_END 509 }; 510 return known_settable_ctx_params; 511 } 512 513 static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) 514 { 515 KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; 516 OSSL_PARAM *p; 517 518 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) 519 return OSSL_PARAM_set_size_t(p, sskdf_size(ctx)); 520 return -2; 521 } 522 523 static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, 524 ossl_unused void *provctx) 525 { 526 static const OSSL_PARAM known_gettable_ctx_params[] = { 527 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), 528 OSSL_PARAM_END 529 }; 530 return known_gettable_ctx_params; 531 } 532 533 const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { 534 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, 535 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, 536 { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, 537 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive }, 538 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 539 (void(*)(void))sskdf_settable_ctx_params }, 540 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params }, 541 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 542 (void(*)(void))sskdf_gettable_ctx_params }, 543 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params }, 544 { 0, NULL } 545 }; 546 547 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { 548 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, 549 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, 550 { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, 551 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, 552 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 553 (void(*)(void))sskdf_settable_ctx_params }, 554 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params }, 555 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 556 (void(*)(void))sskdf_gettable_ctx_params }, 557 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params }, 558 { 0, NULL } 559 }; 560