2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
15 * The Single Step KDF algorithm is given by:
17 * Result(0) = empty bit string (i.e., the null string).
18 * For i = 1 to reps, do the following:
19 * Increment counter by 1.
20 * Result(i) = Result(i – 1) || H(counter || Z || FixedInfo).
21 * DKM = LeftmostBits(Result(reps), L))
24 * Z is a shared secret required to produce the derived key material.
25 * counter is a 4 byte buffer.
26 * FixedInfo is a bit string containing context specific data.
27 * DKM is the output derived key material.
28 * L is the required size of the DKM.
29 * reps = [L / H_outputBits]
30 * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31 * H_outputBits is the length of the output of the auxiliary function H(x).
33 * Currently there is not a comprehensive list of test vectors for this
34 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
40 #include <openssl/hmac.h>
41 #include <openssl/evp.h>
42 #include <openssl/kdf.h>
43 #include "internal/cryptlib.h"
44 #include "internal/evp_int.h"
45 #include "kdf_local.h"
47 struct evp_kdf_impl_st {
48 const EVP_MAC *mac; /* H(x) = HMAC_hash OR H(x) = KMAC */
49 const EVP_MD *md; /* H(x) = hash OR when H(x) = HMAC_hash */
50 unsigned char *secret;
56 size_t out_len; /* optional KMAC parameter */
59 #define SSKDF_MAX_INLEN (1<<30)
60 #define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
61 #define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
63 /* KMAC uses a Customisation string of 'KDF' */
64 static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
67 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
68 * Section 4. One-Step Key Derivation using H(x) = hash(x)
69 * Note: X9.63 also uses this code with the only difference being that the
70 * counter is appended to the secret 'z'.
72 * result[i] = Hash(counter || z || info) for One Step OR
73 * result[i] = Hash(z || counter || info) for X9.63.
75 static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
76 const unsigned char *z, size_t z_len,
77 const unsigned char *info, size_t info_len,
78 unsigned int append_ctr,
79 unsigned char *derived_key, size_t derived_key_len)
82 size_t counter, out_len, len = derived_key_len;
84 unsigned char mac[EVP_MAX_MD_SIZE];
85 unsigned char *out = derived_key;
86 EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
88 if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
89 || derived_key_len > SSKDF_MAX_INLEN
90 || derived_key_len == 0)
93 hlen = EVP_MD_size(kdf_md);
96 out_len = (size_t)hlen;
98 ctx = EVP_MD_CTX_create();
99 ctx_init = EVP_MD_CTX_create();
100 if (ctx == NULL || ctx_init == NULL)
103 if (!EVP_DigestInit(ctx_init, kdf_md))
106 for (counter = 1;; counter++) {
107 c[0] = (unsigned char)((counter >> 24) & 0xff);
108 c[1] = (unsigned char)((counter >> 16) & 0xff);
109 c[2] = (unsigned char)((counter >> 8) & 0xff);
110 c[3] = (unsigned char)(counter & 0xff);
112 if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
113 && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
114 && EVP_DigestUpdate(ctx, z, z_len)
115 && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
116 && EVP_DigestUpdate(ctx, info, info_len)))
118 if (len >= out_len) {
119 if (!EVP_DigestFinal_ex(ctx, out, NULL))
126 if (!EVP_DigestFinal_ex(ctx, mac, NULL))
128 memcpy(out, mac, len);
134 EVP_MD_CTX_destroy(ctx);
135 EVP_MD_CTX_destroy(ctx_init);
136 OPENSSL_cleanse(mac, sizeof(mac));
140 static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
141 size_t custom_len, size_t kmac_out_len,
142 size_t derived_key_len, unsigned char **out)
144 /* Only KMAC has custom data - so return if not KMAC */
148 if (EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_CUSTOM, custom, custom_len) <= 0)
151 /* By default only do one iteration if kmac_out_len is not specified */
152 if (kmac_out_len == 0)
153 kmac_out_len = derived_key_len;
154 /* otherwise check the size is valid */
155 else if (!(kmac_out_len == derived_key_len
156 || kmac_out_len == 20
157 || kmac_out_len == 28
158 || kmac_out_len == 32
159 || kmac_out_len == 48
160 || kmac_out_len == 64))
163 if (EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_SIZE, kmac_out_len) <= 0)
167 * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
168 * alloc a buffer for this case.
170 if (kmac_out_len > EVP_MAX_MD_SIZE) {
171 *out = OPENSSL_zalloc(kmac_out_len);
179 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
180 * Section 4. One-Step Key Derivation using MAC: i.e either
181 * H(x) = HMAC-hash(salt, x) OR
182 * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
184 static int SSKDF_mac_kdm(const EVP_MAC *kdf_mac, const EVP_MD *hmac_md,
185 const unsigned char *kmac_custom,
186 size_t kmac_custom_len, size_t kmac_out_len,
187 const unsigned char *salt, size_t salt_len,
188 const unsigned char *z, size_t z_len,
189 const unsigned char *info, size_t info_len,
190 unsigned char *derived_key, size_t derived_key_len)
193 size_t counter, out_len, len;
195 unsigned char mac_buf[EVP_MAX_MD_SIZE];
196 unsigned char *out = derived_key;
197 EVP_MAC_CTX *ctx = NULL, *ctx_init = NULL;
198 unsigned char *mac = mac_buf, *kmac_buffer = NULL;
200 if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
201 || derived_key_len > SSKDF_MAX_INLEN
202 || derived_key_len == 0)
205 ctx = EVP_MAC_CTX_new(kdf_mac);
206 ctx_init = EVP_MAC_CTX_new(kdf_mac);
207 if (ctx == NULL || ctx_init == NULL)
209 if (hmac_md != NULL &&
210 EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_MD, hmac_md) <= 0)
213 if (EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_KEY, salt, salt_len) <= 0)
216 if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
217 derived_key_len, &kmac_buffer))
219 if (kmac_buffer != NULL)
222 if (!EVP_MAC_init(ctx_init))
225 out_len = EVP_MAC_size(ctx_init); /* output size */
228 len = derived_key_len;
230 for (counter = 1;; counter++) {
231 c[0] = (unsigned char)((counter >> 24) & 0xff);
232 c[1] = (unsigned char)((counter >> 16) & 0xff);
233 c[2] = (unsigned char)((counter >> 8) & 0xff);
234 c[3] = (unsigned char)(counter & 0xff);
236 if (!(EVP_MAC_CTX_copy(ctx, ctx_init)
237 && EVP_MAC_update(ctx, c, sizeof(c))
238 && EVP_MAC_update(ctx, z, z_len)
239 && EVP_MAC_update(ctx, info, info_len)))
241 if (len >= out_len) {
242 if (!EVP_MAC_final(ctx, out, NULL))
249 if (!EVP_MAC_final(ctx, mac, NULL))
251 memcpy(out, mac, len);
257 if (kmac_buffer != NULL)
258 OPENSSL_clear_free(kmac_buffer, kmac_out_len);
260 OPENSSL_cleanse(mac_buf, sizeof(mac_buf));
262 EVP_MAC_CTX_free(ctx);
263 EVP_MAC_CTX_free(ctx_init);
267 static EVP_KDF_IMPL *sskdf_new(void)
271 if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
272 KDFerr(KDF_F_SSKDF_NEW, ERR_R_MALLOC_FAILURE);
276 static void sskdf_reset(EVP_KDF_IMPL *impl)
278 OPENSSL_clear_free(impl->secret, impl->secret_len);
279 OPENSSL_clear_free(impl->info, impl->info_len);
280 OPENSSL_clear_free(impl->salt, impl->salt_len);
281 memset(impl, 0, sizeof(*impl));
284 static void sskdf_free(EVP_KDF_IMPL *impl)
290 static int sskdf_set_buffer(va_list args, unsigned char **out, size_t *out_len)
292 const unsigned char *p;
295 p = va_arg(args, const unsigned char *);
296 len = va_arg(args, size_t);
297 if (len == 0 || p == NULL)
301 *out = OPENSSL_memdup(p, len);
309 static int sskdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
315 case EVP_KDF_CTRL_SET_KEY:
316 return sskdf_set_buffer(args, &impl->secret, &impl->secret_len);
318 case EVP_KDF_CTRL_SET_SSKDF_INFO:
319 return sskdf_set_buffer(args, &impl->info, &impl->info_len);
321 case EVP_KDF_CTRL_SET_MD:
322 md = va_arg(args, const EVP_MD *);
329 case EVP_KDF_CTRL_SET_MAC:
330 mac = va_arg(args, const EVP_MAC *);
337 case EVP_KDF_CTRL_SET_SALT:
338 return sskdf_set_buffer(args, &impl->salt, &impl->salt_len);
340 case EVP_KDF_CTRL_SET_MAC_SIZE:
341 impl->out_len = va_arg(args, size_t);
349 /* Pass a mac to a ctrl */
350 static int sskdf_mac2ctrl(EVP_KDF_IMPL *impl,
351 int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
352 int cmd, const char *mac_name)
356 if (mac_name == NULL || (mac = EVP_get_macbyname(mac_name)) == NULL) {
357 KDFerr(KDF_F_SSKDF_MAC2CTRL, KDF_R_INVALID_MAC_TYPE);
360 return call_ctrl(ctrl, impl, cmd, mac);
363 static int sskdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
366 if (strcmp(type, "secret") == 0 || strcmp(type, "key") == 0)
367 return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY,
370 if (strcmp(type, "hexsecret") == 0 || strcmp(type, "hexkey") == 0)
371 return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY,
374 if (strcmp(type, "info") == 0)
375 return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO,
378 if (strcmp(type, "hexinfo") == 0)
379 return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO,
382 if (strcmp(type, "digest") == 0)
383 return kdf_md2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
385 if (strcmp(type, "mac") == 0)
386 return sskdf_mac2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_MAC, value);
388 if (strcmp(type, "salt") == 0)
389 return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);
391 if (strcmp(type, "hexsalt") == 0)
392 return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);
395 if (strcmp(type, "maclen") == 0) {
396 int val = atoi(value);
398 KDFerr(KDF_F_SSKDF_CTRL_STR, KDF_R_VALUE_ERROR);
401 return call_ctrl(sskdf_ctrl, impl, EVP_KDF_CTRL_SET_MAC_SIZE,
407 static size_t sskdf_size(EVP_KDF_IMPL *impl)
411 if (impl->md == NULL) {
412 KDFerr(KDF_F_SSKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
415 len = EVP_MD_size(impl->md);
416 return (len <= 0) ? 0 : (size_t)len;
419 static int sskdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen)
421 if (impl->secret == NULL) {
422 KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_SECRET);
426 if (impl->mac != NULL) {
427 /* H(x) = KMAC or H(x) = HMAC */
429 const unsigned char *custom = NULL;
430 size_t custom_len = 0;
432 int default_salt_len;
434 nid = EVP_MAC_nid(impl->mac);
435 if (nid == EVP_MAC_HMAC) {
436 /* H(x) = HMAC(x, salt, hash) */
437 if (impl->md == NULL) {
438 KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
441 default_salt_len = EVP_MD_block_size(impl->md);
442 if (default_salt_len <= 0)
444 } else if (nid == EVP_MAC_KMAC128 || nid == EVP_MAC_KMAC256) {
445 /* H(x) = KMACzzz(x, salt, custom) */
446 custom = kmac_custom_str;
447 custom_len = sizeof(kmac_custom_str);
448 if (nid == EVP_MAC_KMAC128)
449 default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
451 default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
453 KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_UNSUPPORTED_MAC_TYPE);
456 /* If no salt is set then use a default_salt of zeros */
457 if (impl->salt == NULL || impl->salt_len <= 0) {
458 impl->salt = OPENSSL_zalloc(default_salt_len);
459 if (impl->salt == NULL) {
460 KDFerr(KDF_F_SSKDF_DERIVE, ERR_R_MALLOC_FAILURE);
463 impl->salt_len = default_salt_len;
465 ret = SSKDF_mac_kdm(impl->mac, impl->md,
466 custom, custom_len, impl->out_len,
467 impl->salt, impl->salt_len,
468 impl->secret, impl->secret_len,
469 impl->info, impl->info_len, key, keylen);
473 if (impl->md == NULL) {
474 KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
477 return SSKDF_hash_kdm(impl->md, impl->secret, impl->secret_len,
478 impl->info, impl->info_len, 0, key, keylen);
482 static int x963kdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen)
484 if (impl->secret == NULL) {
485 KDFerr(KDF_F_X963KDF_DERIVE, KDF_R_MISSING_SECRET);
489 if (impl->mac != NULL) {
490 KDFerr(KDF_F_X963KDF_DERIVE, KDF_R_NOT_SUPPORTED);
494 if (impl->md == NULL) {
495 KDFerr(KDF_F_X963KDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
498 return SSKDF_hash_kdm(impl->md, impl->secret, impl->secret_len,
499 impl->info, impl->info_len, 1, key, keylen);
503 const EVP_KDF ss_kdf_meth = {
514 const EVP_KDF x963_kdf_meth = {