aboutsummaryrefslogtreecommitdiff
path: root/providers/implementations/kdfs
diff options
context:
space:
mode:
Diffstat (limited to 'providers/implementations/kdfs')
-rw-r--r--providers/implementations/kdfs/build.info38
-rw-r--r--providers/implementations/kdfs/hkdf.c789
-rw-r--r--providers/implementations/kdfs/kbkdf.c395
-rw-r--r--providers/implementations/kdfs/krb5kdf.c470
-rw-r--r--providers/implementations/kdfs/pbkdf1.c250
-rw-r--r--providers/implementations/kdfs/pbkdf2.c363
-rw-r--r--providers/implementations/kdfs/pbkdf2.h14
-rw-r--r--providers/implementations/kdfs/pbkdf2_fips.c20
-rw-r--r--providers/implementations/kdfs/pkcs12kdf.c300
-rw-r--r--providers/implementations/kdfs/scrypt.c518
-rw-r--r--providers/implementations/kdfs/sshkdf.c302
-rw-r--r--providers/implementations/kdfs/sskdf.c559
-rw-r--r--providers/implementations/kdfs/tls1_prf.c411
-rw-r--r--providers/implementations/kdfs/x942kdf.c594
14 files changed, 5023 insertions, 0 deletions
diff --git a/providers/implementations/kdfs/build.info b/providers/implementations/kdfs/build.info
new file mode 100644
index 000000000000..f4620adce2df
--- /dev/null
+++ b/providers/implementations/kdfs/build.info
@@ -0,0 +1,38 @@
+# We make separate GOAL variables for each algorithm, to make it easy to
+# switch each to the Legacy provider when needed.
+
+$TLS1_PRF_GOAL=../../libdefault.a ../../libfips.a
+$HKDF_GOAL=../../libdefault.a ../../libfips.a
+$KBKDF_GOAL=../../libdefault.a ../../libfips.a
+$KRB5KDF_GOAL=../../libdefault.a
+$PBKDF1_GOAL=../../liblegacy.a
+$PBKDF2_GOAL=../../libdefault.a ../../libfips.a
+$PKCS12KDF_GOAL=../../libdefault.a
+$SSKDF_GOAL=../../libdefault.a ../../libfips.a
+$SCRYPT_GOAL=../../libdefault.a
+$SSHKDF_GOAL=../../libdefault.a ../../libfips.a
+$X942KDF_GOAL=../../libdefault.a ../../libfips.a
+
+SOURCE[$TLS1_PRF_GOAL]=tls1_prf.c
+
+SOURCE[$HKDF_GOAL]=hkdf.c
+
+SOURCE[$KBKDF_GOAL]=kbkdf.c
+
+SOURCE[$KRB5KDF_GOAL]=krb5kdf.c
+
+SOURCE[$PBKDF1_GOAL]=pbkdf1.c
+
+SOURCE[$PBKDF2_GOAL]=pbkdf2.c
+# Extra code to satisfy the FIPS and non-FIPS separation.
+# When the PBKDF2 moves to legacy, this can be removed.
+SOURCE[$PBKDF2_GOAL]=pbkdf2_fips.c
+
+SOURCE[$PKCS12KDF_GOAL]=pkcs12kdf.c
+
+SOURCE[$SSKDF_GOAL]=sskdf.c
+
+SOURCE[$SCRYPT_GOAL]=scrypt.c
+SOURCE[$SSHKDF_GOAL]=sshkdf.c
+SOURCE[$X942KDF_GOAL]=x942kdf.c
+DEPEND[x942kdf.o]=../../common/include/prov/der_wrap.h
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
new file mode 100644
index 000000000000..1197a678e935
--- /dev/null
+++ b/providers/implementations/kdfs/hkdf.c
@@ -0,0 +1,789 @@
+/*
+ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * HMAC low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "internal/packet.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+#include "e_os.h"
+
+#define HKDF_MAXBUF 2048
+#define HKDF_MAXINFO (32*1024)
+
+static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free;
+static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
+static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
+
+static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *key, size_t key_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len);
+static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk, size_t prk_len);
+static int HKDF_Expand(const EVP_MD *evp_md,
+ const unsigned char *prk, size_t prk_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len);
+
+/* Settable context parameters that are common across HKDF and the TLS KDF */
+#define HKDF_COMMON_SETTABLES \
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \
+ OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0)
+
+typedef struct {
+ void *provctx;
+ int mode;
+ PROV_DIGEST digest;
+ unsigned char *salt;
+ size_t salt_len;
+ unsigned char *key;
+ size_t key_len;
+ unsigned char *prefix;
+ size_t prefix_len;
+ unsigned char *label;
+ size_t label_len;
+ unsigned char *data;
+ size_t data_len;
+ unsigned char *info;
+ size_t info_len;
+} KDF_HKDF;
+
+static void *kdf_hkdf_new(void *provctx)
+{
+ KDF_HKDF *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ else
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void kdf_hkdf_free(void *vctx)
+{
+ KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+
+ if (ctx != NULL) {
+ kdf_hkdf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_hkdf_reset(void *vctx)
+{
+ KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+ void *provctx = ctx->provctx;
+
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_free(ctx->salt);
+ OPENSSL_free(ctx->prefix);
+ OPENSSL_free(ctx->label);
+ OPENSSL_clear_free(ctx->data, ctx->data_len);
+ OPENSSL_clear_free(ctx->key, ctx->key_len);
+ OPENSSL_clear_free(ctx->info, ctx->info_len);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+}
+
+static size_t kdf_hkdf_size(KDF_HKDF *ctx)
+{
+ int sz;
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+
+ if (ctx->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
+ return SIZE_MAX;
+
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ sz = EVP_MD_get_size(md);
+ if (sz < 0)
+ return 0;
+
+ return sz;
+}
+
+static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params))
+ return 0;
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ if (ctx->key == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+ return 0;
+ }
+ if (keylen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+
+ switch (ctx->mode) {
+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
+ default:
+ return HKDF(libctx, md, ctx->salt, ctx->salt_len,
+ ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen);
+
+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
+ return HKDF_Extract(libctx, md, ctx->salt, ctx->salt_len,
+ ctx->key, ctx->key_len, key, keylen);
+
+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
+ return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info,
+ ctx->info_len, key, keylen);
+ }
+}
+
+static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[])
+{
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+ const OSSL_PARAM *p;
+ int n;
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) {
+ if (p->data_type == OSSL_PARAM_UTF8_STRING) {
+ if (OPENSSL_strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) {
+ ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND;
+ } else if (OPENSSL_strcasecmp(p->data, "EXTRACT_ONLY") == 0) {
+ ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
+ } else if (OPENSSL_strcasecmp(p->data, "EXPAND_ONLY") == 0) {
+ ctx->mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
+ } else {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
+ return 0;
+ }
+ } else if (OSSL_PARAM_get_int(p, &n)) {
+ if (n != EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
+ && n != EVP_KDF_HKDF_MODE_EXTRACT_ONLY
+ && n != EVP_KDF_HKDF_MODE_EXPAND_ONLY) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
+ return 0;
+ }
+ ctx->mode = n;
+ } else {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
+ return 0;
+ }
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) {
+ OPENSSL_clear_free(ctx->key, ctx->key_len);
+ ctx->key = NULL;
+ if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->key, 0,
+ &ctx->key_len))
+ return 0;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
+ OPENSSL_free(ctx->salt);
+ ctx->salt = NULL;
+ if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0,
+ &ctx->salt_len))
+ return 0;
+ }
+
+ return 1;
+}
+
+/*
+ * Use WPACKET to concat one or more OSSL_KDF_PARAM_INFO fields into a fixed
+ * out buffer of size *outlen.
+ * If out is NULL then outlen is used to return the required buffer size.
+ */
+static int setinfo_fromparams(const OSSL_PARAM *p, unsigned char *out, size_t *outlen)
+{
+ int ret = 0;
+ WPACKET pkt;
+
+ if (out == NULL) {
+ if (!WPACKET_init_null(&pkt, 0))
+ return 0;
+ } else {
+ if (!WPACKET_init_static_len(&pkt, out, *outlen, 0))
+ return 0;
+ }
+
+ for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, OSSL_KDF_PARAM_INFO)) {
+ if (p->data_type != OSSL_PARAM_OCTET_STRING)
+ goto err;
+ if (p->data != NULL
+ && p->data_size != 0
+ && !WPACKET_memcpy(&pkt, p->data, p->data_size))
+ goto err;
+ }
+ if (!WPACKET_get_total_written(&pkt, outlen)
+ || !WPACKET_finish(&pkt))
+ goto err;
+ ret = 1;
+err:
+ WPACKET_cleanup(&pkt);
+ return ret;
+}
+
+static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_HKDF *ctx = vctx;
+
+ if (params == NULL)
+ return 1;
+
+ if (!hkdf_common_set_ctx_params(ctx, params))
+ return 0;
+
+ /* The info fields concatenate, so process them all */
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ size_t sz = 0;
+
+ /* calculate the total size */
+ if (!setinfo_fromparams(p, NULL, &sz))
+ return 0;
+ if (sz > HKDF_MAXINFO)
+ return 0;
+
+ OPENSSL_clear_free(ctx->info, ctx->info_len);
+ ctx->info = NULL;
+ if (sz == 0)
+ return 1;
+ /* Alloc the buffer */
+ ctx->info = OPENSSL_malloc(sz);
+ if (ctx->info == NULL)
+ return 0;
+ ctx->info_len = sz;
+ /* Concat one or more OSSL_KDF_PARAM_INFO fields */
+ if (!setinfo_fromparams(p, ctx->info, &sz))
+ return 0;
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ HKDF_COMMON_SETTABLES,
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ size_t sz = kdf_hkdf_size(ctx);
+
+ if (sz == 0)
+ return 0;
+ return OSSL_PARAM_set_size_t(p, sz);
+ }
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ if (ctx->info == NULL || ctx->info_len == 0) {
+ p->return_size = 0;
+ return 1;
+ }
+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+ }
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_hkdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_hkdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_hkdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_hkdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params },
+ { 0, NULL }
+};
+
+/*
+ * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
+ * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and
+ * "Cryptographic Extraction and Key Derivation: The HKDF Scheme"
+ * Section 4.2 (https://eprint.iacr.org/2010/264.pdf).
+ *
+ * From the paper:
+ * The scheme HKDF is specified as:
+ * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t)
+ *
+ * where:
+ * SKM is source key material
+ * XTS is extractor salt (which may be null or constant)
+ * CTXinfo is context information (may be null)
+ * L is the number of key bits to be produced by KDF
+ * k is the output length in bits of the hash function used with HMAC
+ * t = ceil(L/k)
+ * the value K(t) is truncated to its first d = L mod k bits.
+ *
+ * From RFC 5869:
+ * 2.2. Step 1: Extract
+ * HKDF-Extract(salt, IKM) -> PRK
+ * 2.3. Step 2: Expand
+ * HKDF-Expand(PRK, info, L) -> OKM
+ */
+static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len)
+{
+ unsigned char prk[EVP_MAX_MD_SIZE];
+ int ret, sz;
+ size_t prk_len;
+
+ sz = EVP_MD_get_size(evp_md);
+ if (sz < 0)
+ return 0;
+ prk_len = (size_t)sz;
+
+ /* Step 1: HKDF-Extract(salt, IKM) -> PRK */
+ if (!HKDF_Extract(libctx, evp_md,
+ salt, salt_len, ikm, ikm_len, prk, prk_len))
+ return 0;
+
+ /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */
+ ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
+ OPENSSL_cleanse(prk, sizeof(prk));
+
+ return ret;
+}
+
+/*
+ * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
+ * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2).
+ *
+ * 2.2. Step 1: Extract
+ *
+ * HKDF-Extract(salt, IKM) -> PRK
+ *
+ * Options:
+ * Hash a hash function; HashLen denotes the length of the
+ * hash function output in octets
+ *
+ * Inputs:
+ * salt optional salt value (a non-secret random value);
+ * if not provided, it is set to a string of HashLen zeros.
+ * IKM input keying material
+ *
+ * Output:
+ * PRK a pseudorandom key (of HashLen octets)
+ *
+ * The output PRK is calculated as follows:
+ *
+ * PRK = HMAC-Hash(salt, IKM)
+ */
+static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk, size_t prk_len)
+{
+ int sz = EVP_MD_get_size(evp_md);
+
+ if (sz < 0)
+ return 0;
+ if (prk_len != (size_t)sz) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE);
+ return 0;
+ }
+ /* calc: PRK = HMAC-Hash(salt, IKM) */
+ return
+ EVP_Q_mac(libctx, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL, salt,
+ salt_len, ikm, ikm_len, prk, EVP_MD_get_size(evp_md), NULL)
+ != NULL;
+}
+
+/*
+ * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
+ * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3).
+ *
+ * 2.3. Step 2: Expand
+ *
+ * HKDF-Expand(PRK, info, L) -> OKM
+ *
+ * Options:
+ * Hash a hash function; HashLen denotes the length of the
+ * hash function output in octets
+ *
+ * Inputs:
+ * PRK a pseudorandom key of at least HashLen octets
+ * (usually, the output from the extract step)
+ * info optional context and application specific information
+ * (can be a zero-length string)
+ * L length of output keying material in octets
+ * (<= 255*HashLen)
+ *
+ * Output:
+ * OKM output keying material (of L octets)
+ *
+ * The output OKM is calculated as follows:
+ *
+ * N = ceil(L/HashLen)
+ * T = T(1) | T(2) | T(3) | ... | T(N)
+ * OKM = first L octets of T
+ *
+ * where:
+ * T(0) = empty string (zero length)
+ * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
+ * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
+ * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
+ * ...
+ *
+ * (where the constant concatenated to the end of each T(n) is a
+ * single octet.)
+ */
+static int HKDF_Expand(const EVP_MD *evp_md,
+ const unsigned char *prk, size_t prk_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len)
+{
+ HMAC_CTX *hmac;
+ int ret = 0, sz;
+ unsigned int i;
+ unsigned char prev[EVP_MAX_MD_SIZE];
+ size_t done_len = 0, dig_len, n;
+
+ sz = EVP_MD_get_size(evp_md);
+ if (sz <= 0)
+ return 0;
+ dig_len = (size_t)sz;
+
+ /* calc: N = ceil(L/HashLen) */
+ n = okm_len / dig_len;
+ if (okm_len % dig_len)
+ n++;
+
+ if (n > 255 || okm == NULL)
+ return 0;
+
+ if ((hmac = HMAC_CTX_new()) == NULL)
+ return 0;
+
+ if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
+ goto err;
+
+ for (i = 1; i <= n; i++) {
+ size_t copy_len;
+ const unsigned char ctr = i;
+
+ /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */
+ if (i > 1) {
+ if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL))
+ goto err;
+
+ if (!HMAC_Update(hmac, prev, dig_len))
+ goto err;
+ }
+
+ if (!HMAC_Update(hmac, info, info_len))
+ goto err;
+
+ if (!HMAC_Update(hmac, &ctr, 1))
+ goto err;
+
+ if (!HMAC_Final(hmac, prev, NULL))
+ goto err;
+
+ copy_len = (dig_len > okm_len - done_len) ?
+ okm_len - done_len :
+ dig_len;
+
+ memcpy(okm + done_len, prev, copy_len);
+
+ done_len += copy_len;
+ }
+ ret = 1;
+
+ err:
+ OPENSSL_cleanse(prev, sizeof(prev));
+ HMAC_CTX_free(hmac);
+ return ret;
+}
+
+/*
+ * TLS uses slight variations of the above and for FIPS validation purposes,
+ * they need to be present here.
+ * Refer to RFC 8446 section 7 for specific details.
+ */
+
+/*
+ * Given a |secret|; a |label| of length |labellen|; and |data| of length
+ * |datalen| (e.g. typically a hash of the handshake messages), derive a new
+ * secret |outlen| bytes long and store it in the location pointed to be |out|.
+ * The |data| value may be zero length. Returns 1 on success and 0 on failure.
+ */
+static int prov_tls13_hkdf_expand(const EVP_MD *md,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *prefix, size_t prefixlen,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *out, size_t outlen)
+{
+ size_t hkdflabellen;
+ unsigned char hkdflabel[HKDF_MAXBUF];
+ WPACKET pkt;
+
+ /*
+ * 2 bytes for length of derived secret + 1 byte for length of combined
+ * prefix and label + bytes for the label itself + 1 byte length of hash
+ * + bytes for the hash itself. We've got the maximum the KDF can handle
+ * which should always be sufficient.
+ */
+ if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
+ || !WPACKET_put_bytes_u16(&pkt, outlen)
+ || !WPACKET_start_sub_packet_u8(&pkt)
+ || !WPACKET_memcpy(&pkt, prefix, prefixlen)
+ || !WPACKET_memcpy(&pkt, label, labellen)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
+ || !WPACKET_get_total_written(&pkt, &hkdflabellen)
+ || !WPACKET_finish(&pkt)) {
+ WPACKET_cleanup(&pkt);
+ return 0;
+ }
+
+ return HKDF_Expand(md, key, keylen, hkdflabel, hkdflabellen,
+ out, outlen);
+}
+
+static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
+ const EVP_MD *md,
+ const unsigned char *prevsecret,
+ size_t prevsecretlen,
+ const unsigned char *insecret,
+ size_t insecretlen,
+ const unsigned char *prefix,
+ size_t prefixlen,
+ const unsigned char *label,
+ size_t labellen,
+ unsigned char *out, size_t outlen)
+{
+ size_t mdlen;
+ int ret;
+ unsigned char preextractsec[EVP_MAX_MD_SIZE];
+ /* Always filled with zeros */
+ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
+
+ ret = EVP_MD_get_size(md);
+ /* Ensure cast to size_t is safe */
+ if (ret <= 0)
+ return 0;
+ mdlen = (size_t)ret;
+
+ if (insecret == NULL) {
+ insecret = default_zeros;
+ insecretlen = mdlen;
+ }
+ if (prevsecret == NULL) {
+ prevsecret = default_zeros;
+ prevsecretlen = 0;
+ } else {
+ EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+ unsigned char hash[EVP_MAX_MD_SIZE];
+
+ /* The pre-extract derive step uses a hash of no messages */
+ if (mctx == NULL
+ || EVP_DigestInit_ex(mctx, md, NULL) <= 0
+ || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
+ EVP_MD_CTX_free(mctx);
+ return 0;
+ }
+ EVP_MD_CTX_free(mctx);
+
+ /* Generate the pre-extract secret */
+ if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen,
+ prefix, prefixlen, label, labellen,
+ hash, mdlen, preextractsec, mdlen))
+ return 0;
+ prevsecret = preextractsec;
+ prevsecretlen = mdlen;
+ }
+
+ ret = HKDF_Extract(libctx, md, prevsecret, prevsecretlen,
+ insecret, insecretlen, out, outlen);
+
+ if (prevsecret == preextractsec)
+ OPENSSL_cleanse(preextractsec, mdlen);
+ return ret;
+}
+
+static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx, params))
+ return 0;
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+
+ switch (ctx->mode) {
+ default:
+ return 0;
+
+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
+ return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx->provctx),
+ md,
+ ctx->salt, ctx->salt_len,
+ ctx->key, ctx->key_len,
+ ctx->prefix, ctx->prefix_len,
+ ctx->label, ctx->label_len,
+ key, keylen);
+
+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
+ return prov_tls13_hkdf_expand(md, ctx->key, ctx->key_len,
+ ctx->prefix, ctx->prefix_len,
+ ctx->label, ctx->label_len,
+ ctx->data, ctx->data_len,
+ key, keylen);
+ }
+}
+
+static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_HKDF *ctx = vctx;
+
+ if (params == NULL)
+ return 1;
+
+ if (!hkdf_common_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->mode == EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
+ return 0;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PREFIX)) != NULL) {
+ OPENSSL_free(ctx->prefix);
+ ctx->prefix = NULL;
+ if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->prefix, 0,
+ &ctx->prefix_len))
+ return 0;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_LABEL)) != NULL) {
+ OPENSSL_free(ctx->label);
+ ctx->label = NULL;
+ if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->label, 0,
+ &ctx->label_len))
+ return 0;
+ }
+
+ OPENSSL_clear_free(ctx->data, ctx->data_len);
+ ctx->data = NULL;
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DATA)) != NULL
+ && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0,
+ &ctx->data_len))
+ return 0;
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ HKDF_COMMON_SETTABLES,
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_tls1_3_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_hkdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params },
+ { 0, NULL }
+};
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
new file mode 100644
index 000000000000..a542f84dfa5b
--- /dev/null
+++ b/providers/implementations/kdfs/kbkdf.c
@@ -0,0 +1,395 @@
+/*
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019 Red Hat, Inc.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final
+ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC
+ * and CMAC. That document does not name the KDFs it defines; the name is
+ * derived from
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation
+ *
+ * Note that section 5.3 ("double-pipeline mode") is not implemented, though
+ * it would be possible to do so in the future.
+ *
+ * These versions all assume the counter is used. It would be relatively
+ * straightforward to expose a configuration handle should the need arise.
+ *
+ * Variable names attempt to match those of SP800-108.
+ */
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/kdf.h>
+#include <openssl/params.h>
+#include <openssl/proverr.h>
+
+#include "internal/cryptlib.h"
+#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "internal/endian.h"
+#include "prov/implementations.h"
+#include "prov/provider_ctx.h"
+#include "prov/provider_util.h"
+#include "prov/providercommon.h"
+
+#include "e_os.h"
+
+#define ossl_min(a, b) ((a) < (b)) ? (a) : (b)
+
+typedef enum {
+ COUNTER = 0,
+ FEEDBACK
+} kbkdf_mode;
+
+/* Our context structure. */
+typedef struct {
+ void *provctx;
+ kbkdf_mode mode;
+ EVP_MAC_CTX *ctx_init;
+
+ /* Names are lowercased versions of those found in SP800-108. */
+ unsigned char *ki;
+ size_t ki_len;
+ unsigned char *label;
+ size_t label_len;
+ unsigned char *context;
+ size_t context_len;
+ unsigned char *iv;
+ size_t iv_len;
+ int use_l;
+ int use_separator;
+} KBKDF;
+
+/* Definitions needed for typechecking. */
+static OSSL_FUNC_kdf_newctx_fn kbkdf_new;
+static OSSL_FUNC_kdf_freectx_fn kbkdf_free;
+static OSSL_FUNC_kdf_reset_fn kbkdf_reset;
+static OSSL_FUNC_kdf_derive_fn kbkdf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kbkdf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kbkdf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kbkdf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kbkdf_get_ctx_params;
+
+/* Not all platforms have htobe32(). */
+static uint32_t be32(uint32_t host)
+{
+ uint32_t big = 0;
+ DECLARE_IS_ENDIAN;
+
+ if (!IS_LITTLE_ENDIAN)
+ return host;
+
+ big |= (host & 0xff000000) >> 24;
+ big |= (host & 0x00ff0000) >> 8;
+ big |= (host & 0x0000ff00) << 8;
+ big |= (host & 0x000000ff) << 24;
+ return big;
+}
+
+static void init(KBKDF *ctx)
+{
+ ctx->use_l = 1;
+ ctx->use_separator = 1;
+}
+
+static void *kbkdf_new(void *provctx)
+{
+ KBKDF *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ ctx->provctx = provctx;
+ init(ctx);
+ return ctx;
+}
+
+static void kbkdf_free(void *vctx)
+{
+ KBKDF *ctx = (KBKDF *)vctx;
+
+ if (ctx != NULL) {
+ kbkdf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kbkdf_reset(void *vctx)
+{
+ KBKDF *ctx = (KBKDF *)vctx;
+ void *provctx = ctx->provctx;
+
+ EVP_MAC_CTX_free(ctx->ctx_init);
+ OPENSSL_clear_free(ctx->context, ctx->context_len);
+ OPENSSL_clear_free(ctx->label, ctx->label_len);
+ OPENSSL_clear_free(ctx->ki, ctx->ki_len);
+ OPENSSL_clear_free(ctx->iv, ctx->iv_len);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+ init(ctx);
+}
+
+/* SP800-108 section 5.1 or section 5.2 depending on mode. */
+static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv,
+ size_t iv_len, unsigned char *label, size_t label_len,
+ unsigned char *context, size_t context_len,
+ unsigned char *k_i, size_t h, uint32_t l, int has_separator,
+ unsigned char *ko, size_t ko_len)
+{
+ int ret = 0;
+ EVP_MAC_CTX *ctx = NULL;
+ size_t written = 0, to_write, k_i_len = iv_len;
+ const unsigned char zero = 0;
+ uint32_t counter, i;
+ /*
+ * From SP800-108:
+ * The fixed input data is a concatenation of a Label,
+ * a separation indicator 0x00, the Context, and L.
+ * One or more of these fixed input data fields may be omitted.
+ *
+ * has_separator == 0 means that the separator is omitted.
+ * Passing a value of l == 0 means that L is omitted.
+ * The Context and L are omitted automatically if a NULL buffer is passed.
+ */
+ int has_l = (l != 0);
+
+ /* Setup K(0) for feedback mode. */
+ if (iv_len > 0)
+ memcpy(k_i, iv, iv_len);
+
+ for (counter = 1; written < ko_len; counter++) {
+ i = be32(counter);
+
+ ctx = EVP_MAC_CTX_dup(ctx_init);
+ if (ctx == NULL)
+ goto done;
+
+ /* Perform feedback, if appropriate. */
+ if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len))
+ goto done;
+
+ if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4)
+ || !EVP_MAC_update(ctx, label, label_len)
+ || (has_separator && !EVP_MAC_update(ctx, &zero, 1))
+ || !EVP_MAC_update(ctx, context, context_len)
+ || (has_l && !EVP_MAC_update(ctx, (unsigned char *)&l, 4))
+ || !EVP_MAC_final(ctx, k_i, NULL, h))
+ goto done;
+
+ to_write = ko_len - written;
+ memcpy(ko + written, k_i, ossl_min(to_write, h));
+ written += h;
+
+ k_i_len = h;
+ EVP_MAC_CTX_free(ctx);
+ ctx = NULL;
+ }
+
+ ret = 1;
+done:
+ EVP_MAC_CTX_free(ctx);
+ return ret;
+}
+
+static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KBKDF *ctx = (KBKDF *)vctx;
+ int ret = 0;
+ unsigned char *k_i = NULL;
+ uint32_t l = 0;
+ size_t h = 0;
+
+ if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params))
+ return 0;
+
+ /* label, context, and iv are permitted to be empty. Check everything
+ * else. */
+ if (ctx->ctx_init == NULL) {
+ if (ctx->ki_len == 0 || ctx->ki == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+ /* Could either be missing MAC or missing message digest or missing
+ * cipher - arbitrarily, I pick this one. */
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MAC);
+ return 0;
+ }
+
+ /* Fail if the output length is zero */
+ if (keylen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+
+ h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
+ if (h == 0)
+ goto done;
+ if (ctx->iv_len != 0 && ctx->iv_len != h) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH);
+ goto done;
+ }
+
+ if (ctx->use_l != 0)
+ l = be32(keylen * 8);
+
+ k_i = OPENSSL_zalloc(h);
+ if (k_i == NULL)
+ goto done;
+
+ ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label,
+ ctx->label_len, ctx->context, ctx->context_len, k_i, h, l,
+ ctx->use_separator, key, keylen);
+done:
+ if (ret != 1)
+ OPENSSL_cleanse(key, keylen);
+ OPENSSL_clear_free(k_i, h);
+ return ret;
+}
+
+static int kbkdf_set_buffer(unsigned char **out, size_t *out_len,
+ const OSSL_PARAM *p)
+{
+ if (p->data == NULL || p->data_size == 0)
+ return 1;
+
+ OPENSSL_clear_free(*out, *out_len);
+ *out = NULL;
+ return OSSL_PARAM_get_octet_string(p, (void **)out, 0, out_len);
+}
+
+static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ KBKDF *ctx = (KBKDF *)vctx;
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+ const OSSL_PARAM *p;
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_macctx_load_from_params(&ctx->ctx_init, params, NULL,
+ NULL, NULL, libctx))
+ return 0;
+ else if (ctx->ctx_init != NULL
+ && !EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init),
+ OSSL_MAC_NAME_HMAC)
+ && !EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init),
+ OSSL_MAC_NAME_CMAC)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MAC);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
+ if (p != NULL
+ && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
+ ctx->mode = COUNTER;
+ } else if (p != NULL
+ && OPENSSL_strncasecmp("feedback", p->data, p->data_size) == 0) {
+ ctx->mode = FEEDBACK;
+ } else if (p != NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY);
+ if (p != NULL && !kbkdf_set_buffer(&ctx->ki, &ctx->ki_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT);
+ if (p != NULL && !kbkdf_set_buffer(&ctx->label, &ctx->label_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO);
+ if (p != NULL && !kbkdf_set_buffer(&ctx->context, &ctx->context_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED);
+ if (p != NULL && !kbkdf_set_buffer(&ctx->iv, &ctx->iv_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_L);
+ if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR);
+ if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator))
+ return 0;
+
+ /* Set up digest context, if we can. */
+ if (ctx->ctx_init != NULL && ctx->ki_len != 0
+ && !EVP_MAC_init(ctx->ctx_init, ctx->ki, ctx->ki_len, NULL))
+ return 0;
+ return 1;
+}
+
+static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CIPHER, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL),
+ OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL),
+ OSSL_PARAM_END,
+ };
+ return known_settable_ctx_params;
+}
+
+static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
+ if (p == NULL)
+ return -2;
+
+ /* KBKDF can produce results as large as you like. */
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+}
+
+static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] =
+ { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_kbkdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kbkdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kbkdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kbkdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kbkdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kbkdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kbkdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kbkdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kbkdf_get_ctx_params },
+ { 0, NULL },
+};
diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c
new file mode 100644
index 000000000000..fc7a3e600cc7
--- /dev/null
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -0,0 +1,470 @@
+/*
+ * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * DES low level APIs are deprecated for public use, but still ok for internal
+ * use. We access the DES_set_odd_parity(3) function here.
+ */
+#include "internal/deprecated.h"
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+
+#include <openssl/core_names.h>
+#include <openssl/des.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/proverr.h>
+
+#include "internal/cryptlib.h"
+#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "prov/implementations.h"
+#include "prov/provider_ctx.h"
+#include "prov/provider_util.h"
+#include "prov/providercommon.h"
+
+/* KRB5 KDF defined in RFC 3961, Section 5.1 */
+
+static OSSL_FUNC_kdf_newctx_fn krb5kdf_new;
+static OSSL_FUNC_kdf_freectx_fn krb5kdf_free;
+static OSSL_FUNC_kdf_reset_fn krb5kdf_reset;
+static OSSL_FUNC_kdf_derive_fn krb5kdf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn krb5kdf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn krb5kdf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn krb5kdf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn krb5kdf_get_ctx_params;
+
+static int KRB5KDF(const EVP_CIPHER *cipher, ENGINE *engine,
+ const unsigned char *key, size_t key_len,
+ const unsigned char *constant, size_t constant_len,
+ unsigned char *okey, size_t okey_len);
+
+typedef struct {
+ void *provctx;
+ PROV_CIPHER cipher;
+ unsigned char *key;
+ size_t key_len;
+ unsigned char *constant;
+ size_t constant_len;
+} KRB5KDF_CTX;
+
+static void *krb5kdf_new(void *provctx)
+{
+ KRB5KDF_CTX *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void krb5kdf_free(void *vctx)
+{
+ KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
+
+ if (ctx != NULL) {
+ krb5kdf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void krb5kdf_reset(void *vctx)
+{
+ KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
+ void *provctx = ctx->provctx;
+
+ ossl_prov_cipher_reset(&ctx->cipher);
+ OPENSSL_clear_free(ctx->key, ctx->key_len);
+ OPENSSL_clear_free(ctx->constant, ctx->constant_len);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+}
+
+static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len,
+ const OSSL_PARAM *p)
+{
+ OPENSSL_clear_free(*dst, *dst_len);
+ *dst = NULL;
+ *dst_len = 0;
+ return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
+}
+
+static int krb5kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
+ const EVP_CIPHER *cipher;
+ ENGINE *engine;
+
+ if (!ossl_prov_is_running() || !krb5kdf_set_ctx_params(ctx, params))
+ return 0;
+
+ cipher = ossl_prov_cipher_cipher(&ctx->cipher);
+ if (cipher == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
+ return 0;
+ }
+ if (ctx->key == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+ return 0;
+ }
+ if (ctx->constant == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT);
+ return 0;
+ }
+ engine = ossl_prov_cipher_engine(&ctx->cipher);
+ return KRB5KDF(cipher, engine, ctx->key, ctx->key_len,
+ ctx->constant, ctx->constant_len,
+ key, keylen);
+}
+
+static int krb5kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KRB5KDF_CTX *ctx = vctx;
+ OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_cipher_load_from_params(&ctx->cipher, params, provctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
+ if (!krb5kdf_set_membuf(&ctx->key, &ctx->key_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CONSTANT))
+ != NULL)
+ if (!krb5kdf_set_membuf(&ctx->constant, &ctx->constant_len, p))
+ return 0;
+
+ return 1;
+}
+
+static const OSSL_PARAM *krb5kdf_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CIPHER, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_CONSTANT, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int krb5kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
+ const EVP_CIPHER *cipher;
+ size_t len;
+ OSSL_PARAM *p;
+
+ cipher = ossl_prov_cipher_cipher(&ctx->cipher);
+ if (cipher)
+ len = EVP_CIPHER_get_key_length(cipher);
+ else
+ len = EVP_MAX_KEY_LENGTH;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, len);
+ return -2;
+}
+
+static const OSSL_PARAM *krb5kdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))krb5kdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))krb5kdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))krb5kdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))krb5kdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))krb5kdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS,
+ (void(*)(void))krb5kdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))krb5kdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS,
+ (void(*)(void))krb5kdf_get_ctx_params },
+ { 0, NULL }
+};
+
+#ifndef OPENSSL_NO_DES
+/*
+ * DES3 is a special case, it requires a random-to-key function and its
+ * input truncated to 21 bytes of the 24 produced by the cipher.
+ * See RFC3961 6.3.1
+ */
+static int fixup_des3_key(unsigned char *key)
+{
+ unsigned char *cblock;
+ int i, j;
+
+ for (i = 2; i >= 0; i--) {
+ cblock = &key[i * 8];
+ memmove(cblock, &key[i * 7], 7);
+ cblock[7] = 0;
+ for (j = 0; j < 7; j++)
+ cblock[7] |= (cblock[j] & 1) << (j + 1);
+ DES_set_odd_parity((DES_cblock *)cblock);
+ }
+
+ /* fail if keys are such that triple des degrades to single des */
+ if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 ||
+ CRYPTO_memcmp(&key[8], &key[16], 8) == 0) {
+ return 0;
+ }
+
+ return 1;
+}
+#endif
+
+/*
+ * N-fold(K) where blocksize is N, and constant_len is K
+ * Note: Here |= denotes concatenation
+ *
+ * L = lcm(N,K)
+ * R = L/K
+ *
+ * for r: 1 -> R
+ * s |= constant rot 13*(r-1))
+ *
+ * block = 0
+ * for k: 1 -> K
+ * block += s[N(k-1)..(N-1)k] (one's complement addition)
+ *
+ * Optimizing for space we compute:
+ * for each l in L-1 -> 0:
+ * s[l] = (constant rot 13*(l/K))[l%k]
+ * block[l % N] += s[l] (with carry)
+ * finally add carry if any
+ */
+static void n_fold(unsigned char *block, unsigned int blocksize,
+ const unsigned char *constant, size_t constant_len)
+{
+ unsigned int tmp, gcd, remainder, lcm, carry;
+ int b, l;
+
+ if (constant_len == blocksize) {
+ memcpy(block, constant, constant_len);
+ return;
+ }
+
+ /* Least Common Multiple of lengths: LCM(a,b)*/
+ gcd = blocksize;
+ remainder = constant_len;
+ /* Calculate Great Common Divisor first GCD(a,b) */
+ while (remainder != 0) {
+ tmp = gcd % remainder;
+ gcd = remainder;
+ remainder = tmp;
+ }
+ /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */
+ lcm = blocksize * constant_len / gcd;
+
+ /* now spread out the bits */
+ memset(block, 0, blocksize);
+
+ /* last to first to be able to bring carry forward */
+ carry = 0;
+ for (l = lcm - 1; l >= 0; l--) {
+ unsigned int rotbits, rshift, rbyte;
+
+ /* destination byte in block is l % N */
+ b = l % blocksize;
+ /* Our virtual s buffer is R = L/K long (K = constant_len) */
+ /* So we rotate backwards from R-1 to 0 (none) rotations */
+ rotbits = 13 * (l / constant_len);
+ /* find the byte on s where rotbits falls onto */
+ rbyte = l - (rotbits / 8);
+ /* calculate how much shift on that byte */
+ rshift = rotbits & 0x07;
+ /* rbyte % constant_len gives us the unrotated byte in the
+ * constant buffer, get also the previous byte then
+ * appropriately shift them to get the rotated byte we need */
+ tmp = (constant[(rbyte-1) % constant_len] << (8 - rshift)
+ | constant[rbyte % constant_len] >> rshift)
+ & 0xff;
+ /* add with carry to any value placed by previous passes */
+ tmp += carry + block[b];
+ block[b] = tmp & 0xff;
+ /* save any carry that may be left */
+ carry = tmp >> 8;
+ }
+
+ /* if any carry is left at the end, add it through the number */
+ for (b = blocksize - 1; b >= 0 && carry != 0; b--) {
+ carry += block[b];
+ block[b] = carry & 0xff;
+ carry >>= 8;
+ }
+}
+
+static int cipher_init(EVP_CIPHER_CTX *ctx,
+ const EVP_CIPHER *cipher, ENGINE *engine,
+ const unsigned char *key, size_t key_len)
+{
+ int klen, ret;
+
+ ret = EVP_EncryptInit_ex(ctx, cipher, engine, NULL, NULL);
+ if (!ret)
+ goto out;
+ /* set the key len for the odd variable key len cipher */
+ klen = EVP_CIPHER_CTX_get_key_length(ctx);
+ if (key_len != (size_t)klen) {
+ ret = EVP_CIPHER_CTX_set_key_length(ctx, key_len);
+ if (ret <= 0) {
+ ret = 0;
+ goto out;
+ }
+ }
+ ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL);
+ if (!ret)
+ goto out;
+ /* we never want padding, either the length requested is a multiple of
+ * the cipher block size or we are passed a cipher that can cope with
+ * partial blocks via techniques like cipher text stealing */
+ ret = EVP_CIPHER_CTX_set_padding(ctx, 0);
+ if (!ret)
+ goto out;
+
+out:
+ return ret;
+}
+
+static int KRB5KDF(const EVP_CIPHER *cipher, ENGINE *engine,
+ const unsigned char *key, size_t key_len,
+ const unsigned char *constant, size_t constant_len,
+ unsigned char *okey, size_t okey_len)
+{
+ EVP_CIPHER_CTX *ctx = NULL;
+ unsigned char block[EVP_MAX_BLOCK_LENGTH * 2];
+ unsigned char *plainblock, *cipherblock;
+ size_t blocksize;
+ size_t cipherlen;
+ size_t osize;
+#ifndef OPENSSL_NO_DES
+ int des3_no_fixup = 0;
+#endif
+ int ret;
+
+ if (key_len != okey_len) {
+#ifndef OPENSSL_NO_DES
+ /* special case for 3des, where the caller may be requesting
+ * the random raw key, instead of the fixed up key */
+ if (EVP_CIPHER_get_nid(cipher) == NID_des_ede3_cbc &&
+ key_len == 24 && okey_len == 21) {
+ des3_no_fixup = 1;
+ } else {
+#endif
+ ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE);
+ return 0;
+#ifndef OPENSSL_NO_DES
+ }
+#endif
+ }
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ return 0;
+
+ ret = cipher_init(ctx, cipher, engine, key, key_len);
+ if (!ret)
+ goto out;
+
+ /* Initialize input block */
+ blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
+
+ if (constant_len > blocksize) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONSTANT_LENGTH);
+ ret = 0;
+ goto out;
+ }
+
+ n_fold(block, blocksize, constant, constant_len);
+ plainblock = block;
+ cipherblock = block + EVP_MAX_BLOCK_LENGTH;
+
+ for (osize = 0; osize < okey_len; osize += cipherlen) {
+ int olen;
+
+ ret = EVP_EncryptUpdate(ctx, cipherblock, &olen,
+ plainblock, blocksize);
+ if (!ret)
+ goto out;
+ cipherlen = olen;
+ ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen);
+ if (!ret)
+ goto out;
+ if (olen != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+ ret = 0;
+ goto out;
+ }
+
+ /* write cipherblock out */
+ if (cipherlen > okey_len - osize)
+ cipherlen = okey_len - osize;
+ memcpy(okey + osize, cipherblock, cipherlen);
+
+ if (okey_len > osize + cipherlen) {
+ /* we need to reinitialize cipher context per spec */
+ ret = EVP_CIPHER_CTX_reset(ctx);
+ if (!ret)
+ goto out;
+ ret = cipher_init(ctx, cipher, engine, key, key_len);
+ if (!ret)
+ goto out;
+
+ /* also swap block offsets so last ciphertext becomes new
+ * plaintext */
+ plainblock = cipherblock;
+ if (cipherblock == block) {
+ cipherblock += EVP_MAX_BLOCK_LENGTH;
+ } else {
+ cipherblock = block;
+ }
+ }
+ }
+
+#ifndef OPENSSL_NO_DES
+ if (EVP_CIPHER_get_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) {
+ ret = fixup_des3_key(okey);
+ if (!ret) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);
+ goto out;
+ }
+ }
+#endif
+
+ ret = 1;
+
+out:
+ EVP_CIPHER_CTX_free(ctx);
+ OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2);
+ return ret;
+}
+
diff --git a/providers/implementations/kdfs/pbkdf1.c b/providers/implementations/kdfs/pbkdf1.c
new file mode 100644
index 000000000000..a3d7cf5175ae
--- /dev/null
+++ b/providers/implementations/kdfs/pbkdf1.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/trace.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+
+static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf1_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf1_free;
+static OSSL_FUNC_kdf_reset_fn kdf_pbkdf1_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_pbkdf1_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pbkdf1_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pbkdf1_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pbkdf1_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pbkdf1_get_ctx_params;
+
+typedef struct {
+ void *provctx;
+ PROV_DIGEST digest;
+ unsigned char *pass;
+ size_t pass_len;
+ unsigned char *salt;
+ size_t salt_len;
+ uint64_t iter;
+} KDF_PBKDF1;
+
+/*
+ * PKCS5 PBKDF1 compatible key/IV generation as specified in:
+ * https://tools.ietf.org/html/rfc8018#page-10
+ */
+
+static int kdf_pbkdf1_do_derive(const unsigned char *pass, size_t passlen,
+ const unsigned char *salt, size_t saltlen,
+ uint64_t iter, const EVP_MD *md_type,
+ unsigned char *out, size_t n)
+{
+ uint64_t i;
+ int mdsize, ret = 0;
+ unsigned char md_tmp[EVP_MAX_MD_SIZE];
+ EVP_MD_CTX *ctx = NULL;
+
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (!EVP_DigestInit_ex(ctx, md_type, NULL)
+ || !EVP_DigestUpdate(ctx, pass, passlen)
+ || !EVP_DigestUpdate(ctx, salt, saltlen)
+ || !EVP_DigestFinal_ex(ctx, md_tmp, NULL))
+ goto err;
+ mdsize = EVP_MD_size(md_type);
+ if (mdsize < 0)
+ goto err;
+ if (n > (size_t)mdsize) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
+ goto err;
+ }
+
+ for (i = 1; i < iter; i++) {
+ if (!EVP_DigestInit_ex(ctx, md_type, NULL))
+ goto err;
+ if (!EVP_DigestUpdate(ctx, md_tmp, mdsize))
+ goto err;
+ if (!EVP_DigestFinal_ex(ctx, md_tmp, NULL))
+ goto err;
+ }
+
+ memcpy(out, md_tmp, n);
+ ret = 1;
+err:
+ OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+ EVP_MD_CTX_free(ctx);
+ return ret;
+}
+
+static void *kdf_pbkdf1_new(void *provctx)
+{
+ KDF_PBKDF1 *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void kdf_pbkdf1_cleanup(KDF_PBKDF1 *ctx)
+{
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+static void kdf_pbkdf1_free(void *vctx)
+{
+ KDF_PBKDF1 *ctx = (KDF_PBKDF1 *)vctx;
+
+ if (ctx != NULL) {
+ kdf_pbkdf1_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_pbkdf1_reset(void *vctx)
+{
+ KDF_PBKDF1 *ctx = (KDF_PBKDF1 *)vctx;
+ void *provctx = ctx->provctx;
+
+ kdf_pbkdf1_cleanup(ctx);
+ ctx->provctx = provctx;
+}
+
+static int kdf_pbkdf1_set_membuf(unsigned char **buffer, size_t *buflen,
+ const OSSL_PARAM *p)
+{
+ OPENSSL_clear_free(*buffer, *buflen);
+ *buffer = NULL;
+ *buflen = 0;
+
+ if (p->data_size == 0) {
+ if ((*buffer = OPENSSL_malloc(1)) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ } else if (p->data != NULL) {
+ if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
+ return 0;
+ }
+ return 1;
+}
+
+static int kdf_pbkdf1_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_PBKDF1 *ctx = (KDF_PBKDF1 *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !kdf_pbkdf1_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->pass == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
+ return 0;
+ }
+
+ if (ctx->salt == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
+ return 0;
+ }
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ return kdf_pbkdf1_do_derive(ctx->pass, ctx->pass_len, ctx->salt, ctx->salt_len,
+ ctx->iter, md, key, keylen);
+}
+
+static int kdf_pbkdf1_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_PBKDF1 *ctx = vctx;
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
+ if (!kdf_pbkdf1_set_membuf(&ctx->pass, &ctx->pass_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
+ if (!kdf_pbkdf1_set_membuf(&ctx->salt, &ctx->salt_len,p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL)
+ if (!OSSL_PARAM_get_uint64(p, &ctx->iter))
+ return 0;
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_pbkdf1_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
+ OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_pbkdf1_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_pbkdf1_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_pbkdf1_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf1_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf1_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf1_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf1_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_pbkdf1_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pbkdf1_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_pbkdf1_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pbkdf1_get_ctx_params },
+ { 0, NULL }
+};
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
new file mode 100644
index 000000000000..2a0ae63acc32
--- /dev/null
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -0,0 +1,363 @@
+/*
+ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * HMAC low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+#include "pbkdf2.h"
+
+/* Constants specified in SP800-132 */
+#define KDF_PBKDF2_MIN_KEY_LEN_BITS 112
+#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
+#define KDF_PBKDF2_MIN_ITERATIONS 1000
+#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
+
+static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free;
+static OSSL_FUNC_kdf_reset_fn kdf_pbkdf2_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_pbkdf2_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pbkdf2_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pbkdf2_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pbkdf2_get_ctx_params;
+
+static int pbkdf2_derive(const char *pass, size_t passlen,
+ const unsigned char *salt, int saltlen, uint64_t iter,
+ const EVP_MD *digest, unsigned char *key,
+ size_t keylen, int extra_checks);
+
+typedef struct {
+ void *provctx;
+ unsigned char *pass;
+ size_t pass_len;
+ unsigned char *salt;
+ size_t salt_len;
+ uint64_t iter;
+ PROV_DIGEST digest;
+ int lower_bound_checks;
+} KDF_PBKDF2;
+
+static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx);
+
+static void *kdf_pbkdf2_new(void *provctx)
+{
+ KDF_PBKDF2 *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->provctx = provctx;
+ kdf_pbkdf2_init(ctx);
+ return ctx;
+}
+
+static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
+{
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+static void kdf_pbkdf2_free(void *vctx)
+{
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
+
+ if (ctx != NULL) {
+ kdf_pbkdf2_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_pbkdf2_reset(void *vctx)
+{
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
+ void *provctx = ctx->provctx;
+
+ kdf_pbkdf2_cleanup(ctx);
+ ctx->provctx = provctx;
+ kdf_pbkdf2_init(ctx);
+}
+
+static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx)
+{
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
+
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha1, 0);
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
+ /* This is an error, but there is no way to indicate such directly */
+ ossl_prov_digest_reset(&ctx->digest);
+ ctx->iter = PKCS5_DEFAULT_ITER;
+ ctx->lower_bound_checks = ossl_kdf_pbkdf2_default_checks;
+}
+
+static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
+ const OSSL_PARAM *p)
+{
+ OPENSSL_clear_free(*buffer, *buflen);
+ *buffer = NULL;
+ *buflen = 0;
+
+ if (p->data_size == 0) {
+ if ((*buffer = OPENSSL_malloc(1)) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ } else if (p->data != NULL) {
+ if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
+ return 0;
+ }
+ return 1;
+}
+
+static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !kdf_pbkdf2_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->pass == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
+ return 0;
+ }
+
+ if (ctx->salt == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
+ return 0;
+ }
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ return pbkdf2_derive((char *)ctx->pass, ctx->pass_len,
+ ctx->salt, ctx->salt_len, ctx->iter,
+ md, key, keylen, ctx->lower_bound_checks);
+}
+
+static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_PBKDF2 *ctx = vctx;
+ OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
+ int pkcs5;
+ uint64_t iter, min_iter;
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS5)) != NULL) {
+ if (!OSSL_PARAM_get_int(p, &pkcs5))
+ return 0;
+ ctx->lower_bound_checks = pkcs5 == 0;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
+ if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
+ if (ctx->lower_bound_checks != 0
+ && p->data_size < KDF_PBKDF2_MIN_SALT_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
+ return 0;
+ }
+ if (!pbkdf2_set_membuf(&ctx->salt, &ctx->salt_len,p))
+ return 0;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {
+ if (!OSSL_PARAM_get_uint64(p, &iter))
+ return 0;
+ min_iter = ctx->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1;
+ if (iter < min_iter) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
+ return 0;
+ }
+ ctx->iter = iter;
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
+ OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL),
+ OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS5, NULL),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_pbkdf2_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf2_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf2_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf2_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf2_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_pbkdf2_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_pbkdf2_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pbkdf2_get_ctx_params },
+ { 0, NULL }
+};
+
+/*
+ * This is an implementation of PKCS#5 v2.0 password based encryption key
+ * derivation function PBKDF2. SHA1 version verified against test vectors
+ * posted by Peter Gutmann to the PKCS-TNG mailing list.
+ *
+ * The constraints specified by SP800-132 have been added i.e.
+ * - Check the range of the key length.
+ * - Minimum iteration count of 1000.
+ * - Randomly-generated portion of the salt shall be at least 128 bits.
+ */
+static int pbkdf2_derive(const char *pass, size_t passlen,
+ const unsigned char *salt, int saltlen, uint64_t iter,
+ const EVP_MD *digest, unsigned char *key,
+ size_t keylen, int lower_bound_checks)
+{
+ int ret = 0;
+ unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
+ int cplen, k, tkeylen, mdlen;
+ uint64_t j;
+ unsigned long i = 1;
+ HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
+
+ mdlen = EVP_MD_get_size(digest);
+ if (mdlen <= 0)
+ return 0;
+
+ /*
+ * This check should always be done because keylen / mdlen >= (2^32 - 1)
+ * results in an overflow of the loop counter 'i'.
+ */
+ if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+
+ if (lower_bound_checks) {
+ if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+ if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
+ return 0;
+ }
+ if (iter < KDF_PBKDF2_MIN_ITERATIONS) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT);
+ return 0;
+ }
+ }
+
+ hctx_tpl = HMAC_CTX_new();
+ if (hctx_tpl == NULL)
+ return 0;
+ p = key;
+ tkeylen = keylen;
+ if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
+ goto err;
+ hctx = HMAC_CTX_new();
+ if (hctx == NULL)
+ goto err;
+ while (tkeylen) {
+ if (tkeylen > mdlen)
+ cplen = mdlen;
+ else
+ cplen = tkeylen;
+ /*
+ * We are unlikely to ever use more than 256 blocks (5120 bits!) but
+ * just in case...
+ */
+ itmp[0] = (unsigned char)((i >> 24) & 0xff);
+ itmp[1] = (unsigned char)((i >> 16) & 0xff);
+ itmp[2] = (unsigned char)((i >> 8) & 0xff);
+ itmp[3] = (unsigned char)(i & 0xff);
+ if (!HMAC_CTX_copy(hctx, hctx_tpl))
+ goto err;
+ if (!HMAC_Update(hctx, salt, saltlen)
+ || !HMAC_Update(hctx, itmp, 4)
+ || !HMAC_Final(hctx, digtmp, NULL))
+ goto err;
+ memcpy(p, digtmp, cplen);
+ for (j = 1; j < iter; j++) {
+ if (!HMAC_CTX_copy(hctx, hctx_tpl))
+ goto err;
+ if (!HMAC_Update(hctx, digtmp, mdlen)
+ || !HMAC_Final(hctx, digtmp, NULL))
+ goto err;
+ for (k = 0; k < cplen; k++)
+ p[k] ^= digtmp[k];
+ }
+ tkeylen -= cplen;
+ i++;
+ p += cplen;
+ }
+ ret = 1;
+
+err:
+ HMAC_CTX_free(hctx);
+ HMAC_CTX_free(hctx_tpl);
+ return ret;
+}
diff --git a/providers/implementations/kdfs/pbkdf2.h b/providers/implementations/kdfs/pbkdf2.h
new file mode 100644
index 000000000000..7759c03136d5
--- /dev/null
+++ b/providers/implementations/kdfs/pbkdf2.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Available in pbkdfe_fips.c, and compiled with different values depending
+ * on we're in the FIPS module or not.
+ */
+extern const int ossl_kdf_pbkdf2_default_checks;
diff --git a/providers/implementations/kdfs/pbkdf2_fips.c b/providers/implementations/kdfs/pbkdf2_fips.c
new file mode 100644
index 000000000000..e43ef16455f1
--- /dev/null
+++ b/providers/implementations/kdfs/pbkdf2_fips.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "pbkdf2.h"
+
+/*
+ * For backwards compatibility reasons,
+ * Extra checks are done by default in fips mode only.
+ */
+#ifdef FIPS_MODULE
+const int ossl_kdf_pbkdf2_default_checks = 1;
+#else
+const int ossl_kdf_pbkdf2_default_checks = 0;
+#endif /* FIPS_MODULE */
diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c
new file mode 100644
index 000000000000..3218daa781e9
--- /dev/null
+++ b/providers/implementations/kdfs/pkcs12kdf.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/trace.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+
+static OSSL_FUNC_kdf_newctx_fn kdf_pkcs12_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_pkcs12_free;
+static OSSL_FUNC_kdf_reset_fn kdf_pkcs12_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_pkcs12_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pkcs12_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pkcs12_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pkcs12_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pkcs12_get_ctx_params;
+
+typedef struct {
+ void *provctx;
+ PROV_DIGEST digest;
+ unsigned char *pass;
+ size_t pass_len;
+ unsigned char *salt;
+ size_t salt_len;
+ uint64_t iter;
+ int id;
+} KDF_PKCS12;
+
+/* PKCS12 compatible key/IV generation */
+
+static int pkcs12kdf_derive(const unsigned char *pass, size_t passlen,
+ const unsigned char *salt, size_t saltlen,
+ int id, uint64_t iter, const EVP_MD *md_type,
+ unsigned char *out, size_t n)
+{
+ unsigned char *B = NULL, *D = NULL, *I = NULL, *p = NULL, *Ai = NULL;
+ size_t Slen, Plen, Ilen;
+ size_t i, j, k, u, v;
+ uint64_t iter_cnt;
+ int ret = 0, ui, vi;
+ EVP_MD_CTX *ctx = NULL;
+
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+ vi = EVP_MD_get_block_size(md_type);
+ ui = EVP_MD_get_size(md_type);
+ if (ui <= 0 || vi <= 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_SIZE);
+ goto end;
+ }
+ u = (size_t)ui;
+ v = (size_t)vi;
+ D = OPENSSL_malloc(v);
+ Ai = OPENSSL_malloc(u);
+ B = OPENSSL_malloc(v + 1);
+ Slen = v * ((saltlen + v - 1) / v);
+ if (passlen != 0)
+ Plen = v * ((passlen + v - 1) / v);
+ else
+ Plen = 0;
+ Ilen = Slen + Plen;
+ I = OPENSSL_malloc(Ilen);
+ if (D == NULL || Ai == NULL || B == NULL || I == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+ for (i = 0; i < v; i++)
+ D[i] = id;
+ p = I;
+ for (i = 0; i < Slen; i++)
+ *p++ = salt[i % saltlen];
+ for (i = 0; i < Plen; i++)
+ *p++ = pass[i % passlen];
+ for (;;) {
+ if (!EVP_DigestInit_ex(ctx, md_type, NULL)
+ || !EVP_DigestUpdate(ctx, D, v)
+ || !EVP_DigestUpdate(ctx, I, Ilen)
+ || !EVP_DigestFinal_ex(ctx, Ai, NULL))
+ goto end;
+ for (iter_cnt = 1; iter_cnt < iter; iter_cnt++) {
+ if (!EVP_DigestInit_ex(ctx, md_type, NULL)
+ || !EVP_DigestUpdate(ctx, Ai, u)
+ || !EVP_DigestFinal_ex(ctx, Ai, NULL))
+ goto end;
+ }
+ memcpy(out, Ai, n < u ? n : u);
+ if (u >= n) {
+ ret = 1;
+ break;
+ }
+ n -= u;
+ out += u;
+ for (j = 0; j < v; j++)
+ B[j] = Ai[j % u];
+ for (j = 0; j < Ilen; j += v) {
+ unsigned char *Ij = I + j;
+ uint16_t c = 1;
+
+ /* Work out Ij = Ij + B + 1 */
+ for (k = v; k > 0;) {
+ k--;
+ c += Ij[k] + B[k];
+ Ij[k] = (unsigned char)c;
+ c >>= 8;
+ }
+ }
+ }
+
+ end:
+ OPENSSL_free(Ai);
+ OPENSSL_free(B);
+ OPENSSL_free(D);
+ OPENSSL_free(I);
+ EVP_MD_CTX_free(ctx);
+ return ret;
+}
+
+static void *kdf_pkcs12_new(void *provctx)
+{
+ KDF_PKCS12 *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void kdf_pkcs12_cleanup(KDF_PKCS12 *ctx)
+{
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+static void kdf_pkcs12_free(void *vctx)
+{
+ KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx;
+
+ if (ctx != NULL) {
+ kdf_pkcs12_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_pkcs12_reset(void *vctx)
+{
+ KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx;
+ void *provctx = ctx->provctx;
+
+ kdf_pkcs12_cleanup(ctx);
+ ctx->provctx = provctx;
+}
+
+static int pkcs12kdf_set_membuf(unsigned char **buffer, size_t *buflen,
+ const OSSL_PARAM *p)
+{
+ OPENSSL_clear_free(*buffer, *buflen);
+ *buffer = NULL;
+ *buflen = 0;
+
+ if (p->data_size == 0) {
+ if ((*buffer = OPENSSL_malloc(1)) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ } else if (p->data != NULL) {
+ if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
+ return 0;
+ }
+ return 1;
+}
+
+static int kdf_pkcs12_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !kdf_pkcs12_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->pass == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
+ return 0;
+ }
+
+ if (ctx->salt == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
+ return 0;
+ }
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ return pkcs12kdf_derive(ctx->pass, ctx->pass_len, ctx->salt, ctx->salt_len,
+ ctx->id, ctx->iter, md, key, keylen);
+}
+
+static int kdf_pkcs12_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_PKCS12 *ctx = vctx;
+ OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
+ if (!pkcs12kdf_set_membuf(&ctx->pass, &ctx->pass_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
+ if (!pkcs12kdf_set_membuf(&ctx->salt, &ctx->salt_len,p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PKCS12_ID)) != NULL)
+ if (!OSSL_PARAM_get_int(p, &ctx->id))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL)
+ if (!OSSL_PARAM_get_uint64(p, &ctx->iter))
+ return 0;
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_pkcs12_settable_ctx_params(
+ ossl_unused void *ctx, ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
+ OSSL_PARAM_uint64(OSSL_KDF_PARAM_ITER, NULL),
+ OSSL_PARAM_int(OSSL_KDF_PARAM_PKCS12_ID, NULL),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_pkcs12_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_pkcs12_gettable_ctx_params(
+ ossl_unused void *ctx, ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_pkcs12_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pkcs12_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pkcs12_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pkcs12_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pkcs12_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_pkcs12_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_pkcs12_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_pkcs12_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pkcs12_get_ctx_params },
+ { 0, NULL }
+};
diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c
new file mode 100644
index 000000000000..6fa4192600fd
--- /dev/null
+++ b/providers/implementations/kdfs/scrypt.c
@@ -0,0 +1,518 @@
+/*
+ * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/err.h>
+#include <openssl/core_names.h>
+#include <openssl/proverr.h>
+#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "prov/implementations.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+
+#ifndef OPENSSL_NO_SCRYPT
+
+static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free;
+static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params;
+
+static int scrypt_alg(const char *pass, size_t passlen,
+ const unsigned char *salt, size_t saltlen,
+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
+ unsigned char *key, size_t keylen, EVP_MD *sha256,
+ OSSL_LIB_CTX *libctx, const char *propq);
+
+typedef struct {
+ OSSL_LIB_CTX *libctx;
+ char *propq;
+ unsigned char *pass;
+ size_t pass_len;
+ unsigned char *salt;
+ size_t salt_len;
+ uint64_t N;
+ uint64_t r, p;
+ uint64_t maxmem_bytes;
+ EVP_MD *sha256;
+} KDF_SCRYPT;
+
+static void kdf_scrypt_init(KDF_SCRYPT *ctx);
+
+static void *kdf_scrypt_new(void *provctx)
+{
+ KDF_SCRYPT *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->libctx = PROV_LIBCTX_OF(provctx);
+ kdf_scrypt_init(ctx);
+ return ctx;
+}
+
+static void kdf_scrypt_free(void *vctx)
+{
+ KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
+
+ if (ctx != NULL) {
+ OPENSSL_free(ctx->propq);
+ EVP_MD_free(ctx->sha256);
+ kdf_scrypt_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_scrypt_reset(void *vctx)
+{
+ KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
+
+ OPENSSL_free(ctx->salt);
+ ctx->salt = NULL;
+ OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+ ctx->pass = NULL;
+ kdf_scrypt_init(ctx);
+}
+
+static void kdf_scrypt_init(KDF_SCRYPT *ctx)
+{
+ /* Default values are the most conservative recommendation given in the
+ * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
+ * for this parameter choice (approx. 128 * r * N * p bytes).
+ */
+ ctx->N = 1 << 20;
+ ctx->r = 8;
+ ctx->p = 1;
+ ctx->maxmem_bytes = 1025 * 1024 * 1024;
+}
+
+static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
+ const OSSL_PARAM *p)
+{
+ OPENSSL_clear_free(*buffer, *buflen);
+ *buffer = NULL;
+ *buflen = 0;
+
+ if (p->data_size == 0) {
+ if ((*buffer = OPENSSL_malloc(1)) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ } else if (p->data != NULL) {
+ if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
+ return 0;
+ }
+ return 1;
+}
+
+static int set_digest(KDF_SCRYPT *ctx)
+{
+ EVP_MD_free(ctx->sha256);
+ ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq);
+ if (ctx->sha256 == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256);
+ return 0;
+ }
+ return 1;
+}
+
+static int set_property_query(KDF_SCRYPT *ctx, const char *propq)
+{
+ OPENSSL_free(ctx->propq);
+ ctx->propq = NULL;
+ if (propq != NULL) {
+ ctx->propq = OPENSSL_strdup(propq);
+ if (ctx->propq == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int kdf_scrypt_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
+
+ if (!ossl_prov_is_running() || !kdf_scrypt_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->pass == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
+ return 0;
+ }
+
+ if (ctx->salt == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
+ return 0;
+ }
+
+ if (ctx->sha256 == NULL && !set_digest(ctx))
+ return 0;
+
+ return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt,
+ ctx->salt_len, ctx->N, ctx->r, ctx->p,
+ ctx->maxmem_bytes, key, keylen, ctx->sha256,
+ ctx->libctx, ctx->propq);
+}
+
+static int is_power_of_two(uint64_t value)
+{
+ return (value != 0) && ((value & (value - 1)) == 0);
+}
+
+static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_SCRYPT *ctx = vctx;
+ uint64_t u64_value;
+
+ if (params == NULL)
+ return 1;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
+ if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
+ if (!scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_N))
+ != NULL) {
+ if (!OSSL_PARAM_get_uint64(p, &u64_value)
+ || u64_value <= 1
+ || !is_power_of_two(u64_value))
+ return 0;
+ ctx->N = u64_value;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_R))
+ != NULL) {
+ if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
+ return 0;
+ ctx->r = u64_value;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_P))
+ != NULL) {
+ if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
+ return 0;
+ ctx->p = u64_value;
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_MAXMEM))
+ != NULL) {
+ if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
+ return 0;
+ ctx->maxmem_bytes = u64_value;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_UTF8_STRING
+ || !set_property_query(ctx, p->data)
+ || !set_digest(ctx))
+ return 0;
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
+ OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N, NULL),
+ OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R, NULL),
+ OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P, NULL),
+ OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, NULL),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_scrypt_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_scrypt_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params },
+ { 0, NULL }
+};
+
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+static void salsa208_word_specification(uint32_t inout[16])
+{
+ int i;
+ uint32_t x[16];
+
+ memcpy(x, inout, sizeof(x));
+ for (i = 8; i > 0; i -= 2) {
+ x[4] ^= R(x[0] + x[12], 7);
+ x[8] ^= R(x[4] + x[0], 9);
+ x[12] ^= R(x[8] + x[4], 13);
+ x[0] ^= R(x[12] + x[8], 18);
+ x[9] ^= R(x[5] + x[1], 7);
+ x[13] ^= R(x[9] + x[5], 9);
+ x[1] ^= R(x[13] + x[9], 13);
+ x[5] ^= R(x[1] + x[13], 18);
+ x[14] ^= R(x[10] + x[6], 7);
+ x[2] ^= R(x[14] + x[10], 9);
+ x[6] ^= R(x[2] + x[14], 13);
+ x[10] ^= R(x[6] + x[2], 18);
+ x[3] ^= R(x[15] + x[11], 7);
+ x[7] ^= R(x[3] + x[15], 9);
+ x[11] ^= R(x[7] + x[3], 13);
+ x[15] ^= R(x[11] + x[7], 18);
+ x[1] ^= R(x[0] + x[3], 7);
+ x[2] ^= R(x[1] + x[0], 9);
+ x[3] ^= R(x[2] + x[1], 13);
+ x[0] ^= R(x[3] + x[2], 18);
+ x[6] ^= R(x[5] + x[4], 7);
+ x[7] ^= R(x[6] + x[5], 9);
+ x[4] ^= R(x[7] + x[6], 13);
+ x[5] ^= R(x[4] + x[7], 18);
+ x[11] ^= R(x[10] + x[9], 7);
+ x[8] ^= R(x[11] + x[10], 9);
+ x[9] ^= R(x[8] + x[11], 13);
+ x[10] ^= R(x[9] + x[8], 18);
+ x[12] ^= R(x[15] + x[14], 7);
+ x[13] ^= R(x[12] + x[15], 9);
+ x[14] ^= R(x[13] + x[12], 13);
+ x[15] ^= R(x[14] + x[13], 18);
+ }
+ for (i = 0; i < 16; ++i)
+ inout[i] += x[i];
+ OPENSSL_cleanse(x, sizeof(x));
+}
+
+static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
+{
+ uint64_t i, j;
+ uint32_t X[16], *pB;
+
+ memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
+ pB = B;
+ for (i = 0; i < r * 2; i++) {
+ for (j = 0; j < 16; j++)
+ X[j] ^= *pB++;
+ salsa208_word_specification(X);
+ memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
+ }
+ OPENSSL_cleanse(X, sizeof(X));
+}
+
+static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
+ uint32_t *X, uint32_t *T, uint32_t *V)
+{
+ unsigned char *pB;
+ uint32_t *pV;
+ uint64_t i, k;
+
+ /* Convert from little endian input */
+ for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
+ *pV = *pB++;
+ *pV |= *pB++ << 8;
+ *pV |= *pB++ << 16;
+ *pV |= (uint32_t)*pB++ << 24;
+ }
+
+ for (i = 1; i < N; i++, pV += 32 * r)
+ scryptBlockMix(pV, pV - 32 * r, r);
+
+ scryptBlockMix(X, V + (N - 1) * 32 * r, r);
+
+ for (i = 0; i < N; i++) {
+ uint32_t j;
+ j = X[16 * (2 * r - 1)] % N;
+ pV = V + 32 * r * j;
+ for (k = 0; k < 32 * r; k++)
+ T[k] = X[k] ^ *pV++;
+ scryptBlockMix(X, T, r);
+ }
+ /* Convert output to little endian */
+ for (i = 0, pB = B; i < 32 * r; i++) {
+ uint32_t xtmp = X[i];
+ *pB++ = xtmp & 0xff;
+ *pB++ = (xtmp >> 8) & 0xff;
+ *pB++ = (xtmp >> 16) & 0xff;
+ *pB++ = (xtmp >> 24) & 0xff;
+ }
+}
+
+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t)-1)
+#endif
+
+/*
+ * Maximum power of two that will fit in uint64_t: this should work on
+ * most (all?) platforms.
+ */
+
+#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
+
+/*
+ * Maximum value of p * r:
+ * p <= ((2^32-1) * hLen) / MFLen =>
+ * p <= ((2^32-1) * 32) / (128 * r) =>
+ * p * r <= (2^30-1)
+ */
+
+#define SCRYPT_PR_MAX ((1 << 30) - 1)
+
+static int scrypt_alg(const char *pass, size_t passlen,
+ const unsigned char *salt, size_t saltlen,
+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
+ unsigned char *key, size_t keylen, EVP_MD *sha256,
+ OSSL_LIB_CTX *libctx, const char *propq)
+{
+ int rv = 0;
+ unsigned char *B;
+ uint32_t *X, *V, *T;
+ uint64_t i, Blen, Vlen;
+
+ /* Sanity check parameters */
+ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
+ if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
+ return 0;
+ /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
+ if (p > SCRYPT_PR_MAX / r) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ return 0;
+ }
+
+ /*
+ * Need to check N: if 2^(128 * r / 8) overflows limit this is
+ * automatically satisfied since N <= UINT64_MAX.
+ */
+
+ if (16 * r <= LOG2_UINT64_MAX) {
+ if (N >= (((uint64_t)1) << (16 * r))) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ return 0;
+ }
+ }
+
+ /* Memory checks: check total allocated buffer size fits in uint64_t */
+
+ /*
+ * B size in section 5 step 1.S
+ * Note: we know p * 128 * r < UINT64_MAX because we already checked
+ * p * r < SCRYPT_PR_MAX
+ */
+ Blen = p * 128 * r;
+ /*
+ * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
+ * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
+ */
+ if (Blen > INT_MAX) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ return 0;
+ }
+
+ /*
+ * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
+ * This is combined size V, X and T (section 4)
+ */
+ i = UINT64_MAX / (32 * sizeof(uint32_t));
+ if (N + 2 > i / r) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ return 0;
+ }
+ Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
+
+ /* check total allocated size fits in uint64_t */
+ if (Blen > UINT64_MAX - Vlen) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ return 0;
+ }
+
+ /* Check that the maximum memory doesn't exceed a size_t limits */
+ if (maxmem > SIZE_MAX)
+ maxmem = SIZE_MAX;
+
+ if (Blen + Vlen > maxmem) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ return 0;
+ }
+
+ /* If no key return to indicate parameters are OK */
+ if (key == NULL)
+ return 1;
+
+ B = OPENSSL_malloc((size_t)(Blen + Vlen));
+ if (B == NULL) {
+ ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ X = (uint32_t *)(B + Blen);
+ T = X + 32 * r;
+ V = T + 32 * r;
+ if (ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, 1, sha256,
+ (int)Blen, B, libctx, propq) == 0)
+ goto err;
+
+ for (i = 0; i < p; i++)
+ scryptROMix(B + 128 * r * i, r, N, X, T, V);
+
+ if (ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, B, (int)Blen, 1, sha256,
+ keylen, key, libctx, propq) == 0)
+ goto err;
+ rv = 1;
+ err:
+ if (rv == 0)
+ ERR_raise(ERR_LIB_EVP, EVP_R_PBKDF2_ERROR);
+
+ OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
+ return rv;
+}
+
+#endif
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
new file mode 100644
index 000000000000..c592ba72f1e0
--- /dev/null
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+
+/* See RFC 4253, Section 7.2 */
+static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_sshkdf_free;
+static OSSL_FUNC_kdf_reset_fn kdf_sshkdf_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_sshkdf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_sshkdf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_sshkdf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_sshkdf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_sshkdf_get_ctx_params;
+
+static int SSHKDF(const EVP_MD *evp_md,
+ const unsigned char *key, size_t key_len,
+ const unsigned char *xcghash, size_t xcghash_len,
+ const unsigned char *session_id, size_t session_id_len,
+ char type, unsigned char *okey, size_t okey_len);
+
+typedef struct {
+ void *provctx;
+ PROV_DIGEST digest;
+ unsigned char *key; /* K */
+ size_t key_len;
+ unsigned char *xcghash; /* H */
+ size_t xcghash_len;
+ char type; /* X */
+ unsigned char *session_id;
+ size_t session_id_len;
+} KDF_SSHKDF;
+
+static void *kdf_sshkdf_new(void *provctx)
+{
+ KDF_SSHKDF *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ else
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void kdf_sshkdf_free(void *vctx)
+{
+ KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
+
+ if (ctx != NULL) {
+ kdf_sshkdf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_sshkdf_reset(void *vctx)
+{
+ KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
+ void *provctx = ctx->provctx;
+
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_clear_free(ctx->key, ctx->key_len);
+ OPENSSL_clear_free(ctx->xcghash, ctx->xcghash_len);
+ OPENSSL_clear_free(ctx->session_id, ctx->session_id_len);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+}
+
+static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len,
+ const OSSL_PARAM *p)
+{
+ OPENSSL_clear_free(*dst, *dst_len);
+ *dst = NULL;
+ *dst_len = 0;
+ return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
+}
+
+static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !kdf_sshkdf_set_ctx_params(ctx, params))
+ return 0;
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ if (ctx->key == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+ return 0;
+ }
+ if (ctx->xcghash == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_XCGHASH);
+ return 0;
+ }
+ if (ctx->session_id == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SESSION_ID);
+ return 0;
+ }
+ if (ctx->type == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
+ return 0;
+ }
+ return SSHKDF(md, ctx->key, ctx->key_len,
+ ctx->xcghash, ctx->xcghash_len,
+ ctx->session_id, ctx->session_id_len,
+ ctx->type, key, keylen);
+}
+
+static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_SSHKDF *ctx = vctx;
+ OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
+ if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_XCGHASH))
+ != NULL)
+ if (!sshkdf_set_membuf(&ctx->xcghash, &ctx->xcghash_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_SESSION_ID))
+ != NULL)
+ if (!sshkdf_set_membuf(&ctx->session_id, &ctx->session_id_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_TYPE))
+ != NULL) {
+ const char *kdftype;
+
+ if (!OSSL_PARAM_get_utf8_string_ptr(p, &kdftype))
+ return 0;
+ /* Expect one character (byte in this case) */
+ if (kdftype == NULL || p->data_size != 1)
+ return 0;
+ if (kdftype[0] < 65 || kdftype[0] > 70) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_VALUE_ERROR);
+ return 0;
+ }
+ ctx->type = kdftype[0];
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *p_ctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_sshkdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_sshkdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_sshkdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_sshkdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_sshkdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_sshkdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_sshkdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_get_ctx_params },
+ { 0, NULL }
+};
+
+static int SSHKDF(const EVP_MD *evp_md,
+ const unsigned char *key, size_t key_len,
+ const unsigned char *xcghash, size_t xcghash_len,
+ const unsigned char *session_id, size_t session_id_len,
+ char type, unsigned char *okey, size_t okey_len)
+{
+ EVP_MD_CTX *md = NULL;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+ unsigned int dsize = 0;
+ size_t cursize = 0;
+ int ret = 0;
+
+ md = EVP_MD_CTX_new();
+ if (md == NULL)
+ return 0;
+
+ if (!EVP_DigestInit_ex(md, evp_md, NULL))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, key, key_len))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, &type, 1))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, session_id, session_id_len))
+ goto out;
+
+ if (!EVP_DigestFinal_ex(md, digest, &dsize))
+ goto out;
+
+ if (okey_len < dsize) {
+ memcpy(okey, digest, okey_len);
+ ret = 1;
+ goto out;
+ }
+
+ memcpy(okey, digest, dsize);
+
+ for (cursize = dsize; cursize < okey_len; cursize += dsize) {
+
+ if (!EVP_DigestInit_ex(md, evp_md, NULL))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, key, key_len))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
+ goto out;
+
+ if (!EVP_DigestUpdate(md, okey, cursize))
+ goto out;
+
+ if (!EVP_DigestFinal_ex(md, digest, &dsize))
+ goto out;
+
+ if (okey_len < cursize + dsize) {
+ memcpy(okey + cursize, digest, okey_len - cursize);
+ ret = 1;
+ goto out;
+ }
+
+ memcpy(okey + cursize, digest, dsize);
+ }
+
+ ret = 1;
+
+out:
+ EVP_MD_CTX_free(md);
+ OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE);
+ return ret;
+}
+
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
new file mode 100644
index 000000000000..eb54972e1c44
--- /dev/null
+++ b/providers/implementations/kdfs/sskdf.c
@@ -0,0 +1,559 @@
+/*
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
+ * Section 4.1.
+ *
+ * The Single Step KDF algorithm is given by:
+ *
+ * Result(0) = empty bit string (i.e., the null string).
+ * For i = 1 to reps, do the following:
+ * Increment counter by 1.
+ * Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
+ * DKM = LeftmostBits(Result(reps), L))
+ *
+ * NOTES:
+ * Z is a shared secret required to produce the derived key material.
+ * counter is a 4 byte buffer.
+ * FixedInfo is a bit string containing context specific data.
+ * DKM is the output derived key material.
+ * L is the required size of the DKM.
+ * reps = [L / H_outputBits]
+ * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
+ * H_outputBits is the length of the output of the auxiliary function H(x).
+ *
+ * Currently there is not a comprehensive list of test vectors for this
+ * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
+ * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
+ */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+
+typedef struct {
+ void *provctx;
+ EVP_MAC_CTX *macctx; /* H(x) = HMAC_hash OR H(x) = KMAC */
+ PROV_DIGEST digest; /* H(x) = hash(x) */
+ unsigned char *secret;
+ size_t secret_len;
+ unsigned char *info;
+ size_t info_len;
+ unsigned char *salt;
+ size_t salt_len;
+ size_t out_len; /* optional KMAC parameter */
+ int is_kmac;
+} KDF_SSKDF;
+
+#define SSKDF_MAX_INLEN (1<<30)
+#define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
+#define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
+
+/* KMAC uses a Customisation string of 'KDF' */
+static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
+
+static OSSL_FUNC_kdf_newctx_fn sskdf_new;
+static OSSL_FUNC_kdf_freectx_fn sskdf_free;
+static OSSL_FUNC_kdf_reset_fn sskdf_reset;
+static OSSL_FUNC_kdf_derive_fn sskdf_derive;
+static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;
+
+/*
+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
+ * Section 4. One-Step Key Derivation using H(x) = hash(x)
+ * Note: X9.63 also uses this code with the only difference being that the
+ * counter is appended to the secret 'z'.
+ * i.e.
+ * result[i] = Hash(counter || z || info) for One Step OR
+ * result[i] = Hash(z || counter || info) for X9.63.
+ */
+static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
+ const unsigned char *z, size_t z_len,
+ const unsigned char *info, size_t info_len,
+ unsigned int append_ctr,
+ unsigned char *derived_key, size_t derived_key_len)
+{
+ int ret = 0, hlen;
+ size_t counter, out_len, len = derived_key_len;
+ unsigned char c[4];
+ unsigned char mac[EVP_MAX_MD_SIZE];
+ unsigned char *out = derived_key;
+ EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
+
+ if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
+ || derived_key_len > SSKDF_MAX_INLEN
+ || derived_key_len == 0)
+ return 0;
+
+ hlen = EVP_MD_get_size(kdf_md);
+ if (hlen <= 0)
+ return 0;
+ out_len = (size_t)hlen;
+
+ ctx = EVP_MD_CTX_create();
+ ctx_init = EVP_MD_CTX_create();
+ if (ctx == NULL || ctx_init == NULL)
+ goto end;
+
+ if (!EVP_DigestInit(ctx_init, kdf_md))
+ goto end;
+
+ for (counter = 1;; counter++) {
+ c[0] = (unsigned char)((counter >> 24) & 0xff);
+ c[1] = (unsigned char)((counter >> 16) & 0xff);
+ c[2] = (unsigned char)((counter >> 8) & 0xff);
+ c[3] = (unsigned char)(counter & 0xff);
+
+ if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
+ && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
+ && EVP_DigestUpdate(ctx, z, z_len)
+ && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
+ && EVP_DigestUpdate(ctx, info, info_len)))
+ goto end;
+ if (len >= out_len) {
+ if (!EVP_DigestFinal_ex(ctx, out, NULL))
+ goto end;
+ out += out_len;
+ len -= out_len;
+ if (len == 0)
+ break;
+ } else {
+ if (!EVP_DigestFinal_ex(ctx, mac, NULL))
+ goto end;
+ memcpy(out, mac, len);
+ break;
+ }
+ }
+ ret = 1;
+end:
+ EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctx_init);
+ OPENSSL_cleanse(mac, sizeof(mac));
+ return ret;
+}
+
+static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
+ size_t custom_len, size_t kmac_out_len,
+ size_t derived_key_len, unsigned char **out)
+{
+ OSSL_PARAM params[2];
+
+ /* Only KMAC has custom data - so return if not KMAC */
+ if (custom == NULL)
+ return 1;
+
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
+ (void *)custom, custom_len);
+ params[1] = OSSL_PARAM_construct_end();
+
+ if (!EVP_MAC_CTX_set_params(ctx, params))
+ return 0;
+
+ /* By default only do one iteration if kmac_out_len is not specified */
+ if (kmac_out_len == 0)
+ kmac_out_len = derived_key_len;
+ /* otherwise check the size is valid */
+ else if (!(kmac_out_len == derived_key_len
+ || kmac_out_len == 20
+ || kmac_out_len == 28
+ || kmac_out_len == 32
+ || kmac_out_len == 48
+ || kmac_out_len == 64))
+ return 0;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
+ &kmac_out_len);
+
+ if (EVP_MAC_CTX_set_params(ctx, params) <= 0)
+ return 0;
+
+ /*
+ * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
+ * alloc a buffer for this case.
+ */
+ if (kmac_out_len > EVP_MAX_MD_SIZE) {
+ *out = OPENSSL_zalloc(kmac_out_len);
+ if (*out == NULL)
+ return 0;
+ }
+ return 1;
+}
+
+/*
+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
+ * Section 4. One-Step Key Derivation using MAC: i.e either
+ * H(x) = HMAC-hash(salt, x) OR
+ * H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
+ */
+static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
+ const unsigned char *kmac_custom,
+ size_t kmac_custom_len, size_t kmac_out_len,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *z, size_t z_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *derived_key, size_t derived_key_len)
+{
+ int ret = 0;
+ size_t counter, out_len, len;
+ unsigned char c[4];
+ unsigned char mac_buf[EVP_MAX_MD_SIZE];
+ unsigned char *out = derived_key;
+ EVP_MAC_CTX *ctx = NULL;
+ unsigned char *mac = mac_buf, *kmac_buffer = NULL;
+
+ if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
+ || derived_key_len > SSKDF_MAX_INLEN
+ || derived_key_len == 0)
+ return 0;
+
+ if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
+ derived_key_len, &kmac_buffer))
+ goto end;
+ if (kmac_buffer != NULL)
+ mac = kmac_buffer;
+
+ if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
+ goto end;
+
+ out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
+ if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf)))
+ goto end;
+ len = derived_key_len;
+
+ for (counter = 1;; counter++) {
+ c[0] = (unsigned char)((counter >> 24) & 0xff);
+ c[1] = (unsigned char)((counter >> 16) & 0xff);
+ c[2] = (unsigned char)((counter >> 8) & 0xff);
+ c[3] = (unsigned char)(counter & 0xff);
+
+ ctx = EVP_MAC_CTX_dup(ctx_init);
+ if (!(ctx != NULL
+ && EVP_MAC_update(ctx, c, sizeof(c))
+ && EVP_MAC_update(ctx, z, z_len)
+ && EVP_MAC_update(ctx, info, info_len)))
+ goto end;
+ if (len >= out_len) {
+ if (!EVP_MAC_final(ctx, out, NULL, len))
+ goto end;
+ out += out_len;
+ len -= out_len;
+ if (len == 0)
+ break;
+ } else {
+ if (!EVP_MAC_final(ctx, mac, NULL, out_len))
+ goto end;
+ memcpy(out, mac, len);
+ break;
+ }
+ EVP_MAC_CTX_free(ctx);
+ ctx = NULL;
+ }
+ ret = 1;
+end:
+ if (kmac_buffer != NULL)
+ OPENSSL_clear_free(kmac_buffer, kmac_out_len);
+ else
+ OPENSSL_cleanse(mac_buf, sizeof(mac_buf));
+
+ EVP_MAC_CTX_free(ctx);
+ return ret;
+}
+
+static void *sskdf_new(void *provctx)
+{
+ KDF_SSKDF *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void sskdf_reset(void *vctx)
+{
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+ void *provctx = ctx->provctx;
+
+ EVP_MAC_CTX_free(ctx->macctx);
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_clear_free(ctx->secret, ctx->secret_len);
+ OPENSSL_clear_free(ctx->info, ctx->info_len);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+}
+
+static void sskdf_free(void *vctx)
+{
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+
+ if (ctx != NULL) {
+ sskdf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static int sskdf_set_buffer(unsigned char **out, size_t *out_len,
+ const OSSL_PARAM *p)
+{
+ if (p->data == NULL || p->data_size == 0)
+ return 1;
+ OPENSSL_free(*out);
+ *out = NULL;
+ return OSSL_PARAM_get_octet_string(p, (void **)out, 0, out_len);
+}
+
+static size_t sskdf_size(KDF_SSKDF *ctx)
+{
+ int len;
+ const EVP_MD *md = NULL;
+
+ if (ctx->is_kmac)
+ return SIZE_MAX;
+
+ md = ossl_prov_digest_md(&ctx->digest);
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ len = EVP_MD_get_size(md);
+ return (len <= 0) ? 0 : (size_t)len;
+}
+
+static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
+ return 0;
+ if (ctx->secret == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
+ return 0;
+ }
+ md = ossl_prov_digest_md(&ctx->digest);
+
+ if (ctx->macctx != NULL) {
+ /* H(x) = KMAC or H(x) = HMAC */
+ int ret;
+ const unsigned char *custom = NULL;
+ size_t custom_len = 0;
+ int default_salt_len;
+ EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);
+
+ if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
+ /* H(x) = HMAC(x, salt, hash) */
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ default_salt_len = EVP_MD_get_size(md);
+ if (default_salt_len <= 0)
+ return 0;
+ } else if (ctx->is_kmac) {
+ /* H(x) = KMACzzz(x, salt, custom) */
+ custom = kmac_custom_str;
+ custom_len = sizeof(kmac_custom_str);
+ if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128))
+ default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
+ else
+ default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
+ } else {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
+ return 0;
+ }
+ /* If no salt is set then use a default_salt of zeros */
+ if (ctx->salt == NULL || ctx->salt_len <= 0) {
+ ctx->salt = OPENSSL_zalloc(default_salt_len);
+ if (ctx->salt == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ ctx->salt_len = default_salt_len;
+ }
+ ret = SSKDF_mac_kdm(ctx->macctx,
+ custom, custom_len, ctx->out_len,
+ ctx->salt, ctx->salt_len,
+ ctx->secret, ctx->secret_len,
+ ctx->info, ctx->info_len, key, keylen);
+ return ret;
+ } else {
+ /* H(x) = hash */
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+ ctx->info, ctx->info_len, 0, key, keylen);
+ }
+}
+
+static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->secret == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
+ return 0;
+ }
+
+ if (ctx->macctx != NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED);
+ return 0;
+ }
+
+ /* H(x) = hash */
+ md = ossl_prov_digest_md(&ctx->digest);
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+
+ return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+ ctx->info, ctx->info_len, 1, key, keylen);
+}
+
+static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ KDF_SSKDF *ctx = vctx;
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+ size_t sz;
+
+ if (params == NULL)
+ return 1;
+
+ if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
+ NULL, NULL, NULL, libctx))
+ return 0;
+ if (ctx->macctx != NULL) {
+ if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
+ OSSL_MAC_NAME_KMAC128)
+ || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
+ OSSL_MAC_NAME_KMAC256)) {
+ ctx->is_kmac = 1;
+ }
+ }
+
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL
+ || (p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
+ if (!sskdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL)
+ if (!sskdf_set_buffer(&ctx->info, &ctx->info_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
+ if (!sskdf_set_buffer(&ctx->salt, &ctx->salt_len, p))
+ return 0;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE))
+ != NULL) {
+ if (!OSSL_PARAM_get_size_t(p, &sz) || sz == 0)
+ return 0;
+ ctx->out_len = sz;
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
+ return -2;
+}
+
+static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))sskdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))sskdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
+ { 0, NULL }
+};
+
+const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))sskdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))sskdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
+ { 0, NULL }
+};
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
new file mode 100644
index 000000000000..a4d64b935222
--- /dev/null
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -0,0 +1,411 @@
+/*
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Refer to "The TLS Protocol Version 1.0" Section 5
+ * (https://tools.ietf.org/html/rfc2246#section-5) and
+ * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5
+ * (https://tools.ietf.org/html/rfc5246#section-5).
+ *
+ * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by:
+ *
+ * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
+ * P_SHA-1(S2, label + seed)
+ *
+ * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are
+ * two halves of the secret (with the possibility of one shared byte, in the
+ * case where the length of the original secret is odd). S1 is taken from the
+ * first half of the secret, S2 from the second half.
+ *
+ * For TLS v1.2 the TLS PRF algorithm is given by:
+ *
+ * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
+ *
+ * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as
+ * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect,
+ * unless defined otherwise by the cipher suite.
+ *
+ * P_<hash> is an expansion function that uses a single hash function to expand
+ * a secret and seed into an arbitrary quantity of output:
+ *
+ * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) +
+ * HMAC_<hash>(secret, A(2) + seed) +
+ * HMAC_<hash>(secret, A(3) + seed) + ...
+ *
+ * where + indicates concatenation. P_<hash> can be iterated as many times as
+ * is necessary to produce the required quantity of data.
+ *
+ * A(i) is defined as:
+ * A(0) = seed
+ * A(i) = HMAC_<hash>(secret, A(i-1))
+ */
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+#include <openssl/proverr.h>
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
+#include "crypto/evp.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+#include "e_os.h"
+
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new;
+static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free;
+static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset;
+static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_prf_get_ctx_params;
+
+static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx,
+ const unsigned char *sec, size_t slen,
+ const unsigned char *seed, size_t seed_len,
+ unsigned char *out, size_t olen);
+
+#define TLS1_PRF_MAXBUF 1024
+
+/* TLS KDF kdf context structure */
+typedef struct {
+ void *provctx;
+
+ /* MAC context for the main digest */
+ EVP_MAC_CTX *P_hash;
+ /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */
+ EVP_MAC_CTX *P_sha1;
+
+ /* Secret value to use for PRF */
+ unsigned char *sec;
+ size_t seclen;
+ /* Buffer of concatenated seed data */
+ unsigned char seed[TLS1_PRF_MAXBUF];
+ size_t seedlen;
+} TLS1_PRF;
+
+static void *kdf_tls1_prf_new(void *provctx)
+{
+ TLS1_PRF *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->provctx = provctx;
+ return ctx;
+}
+
+static void kdf_tls1_prf_free(void *vctx)
+{
+ TLS1_PRF *ctx = (TLS1_PRF *)vctx;
+
+ if (ctx != NULL) {
+ kdf_tls1_prf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static void kdf_tls1_prf_reset(void *vctx)
+{
+ TLS1_PRF *ctx = (TLS1_PRF *)vctx;
+ void *provctx = ctx->provctx;
+
+ EVP_MAC_CTX_free(ctx->P_hash);
+ EVP_MAC_CTX_free(ctx->P_sha1);
+ OPENSSL_clear_free(ctx->sec, ctx->seclen);
+ OPENSSL_cleanse(ctx->seed, ctx->seedlen);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+}
+
+static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ TLS1_PRF *ctx = (TLS1_PRF *)vctx;
+
+ if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params))
+ return 0;
+
+ if (ctx->P_hash == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ if (ctx->sec == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
+ return 0;
+ }
+ if (ctx->seedlen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED);
+ return 0;
+ }
+ if (keylen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+
+ return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
+ ctx->sec, ctx->seclen,
+ ctx->seed, ctx->seedlen,
+ key, keylen);
+}
+
+static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ TLS1_PRF *ctx = vctx;
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+
+ if (params == NULL)
+ return 1;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) {
+ if (OPENSSL_strcasecmp(p->data, SN_md5_sha1) == 0) {
+ if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params,
+ OSSL_MAC_NAME_HMAC,
+ NULL, SN_md5, libctx)
+ || !ossl_prov_macctx_load_from_params(&ctx->P_sha1, params,
+ OSSL_MAC_NAME_HMAC,
+ NULL, SN_sha1, libctx))
+ return 0;
+ } else {
+ EVP_MAC_CTX_free(ctx->P_sha1);
+ if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params,
+ OSSL_MAC_NAME_HMAC,
+ NULL, NULL, libctx))
+ return 0;
+ }
+ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
+ OPENSSL_clear_free(ctx->sec, ctx->seclen);
+ ctx->sec = NULL;
+ if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sec, 0, &ctx->seclen))
+ return 0;
+ }
+ /* The seed fields concatenate, so process them all */
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED)) != NULL) {
+ for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1,
+ OSSL_KDF_PARAM_SEED)) {
+ const void *q = ctx->seed + ctx->seedlen;
+ size_t sz = 0;
+
+ if (p->data_size != 0
+ && p->data != NULL
+ && !OSSL_PARAM_get_octet_string(p, (void **)&q,
+ TLS1_PRF_MAXBUF - ctx->seedlen,
+ &sz))
+ return 0;
+ ctx->seedlen += sz;
+ }
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
+ ossl_unused void *ctx, ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return -2;
+}
+
+static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+ ossl_unused void *ctx, ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_tls1_prf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS,
+ (void(*)(void))kdf_tls1_prf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))kdf_tls1_prf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS,
+ (void(*)(void))kdf_tls1_prf_get_ctx_params },
+ { 0, NULL }
+};
+
+/*
+ * Refer to "The TLS Protocol Version 1.0" Section 5
+ * (https://tools.ietf.org/html/rfc2246#section-5) and
+ * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5
+ * (https://tools.ietf.org/html/rfc5246#section-5).
+ *
+ * P_<hash> is an expansion function that uses a single hash function to expand
+ * a secret and seed into an arbitrary quantity of output:
+ *
+ * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) +
+ * HMAC_<hash>(secret, A(2) + seed) +
+ * HMAC_<hash>(secret, A(3) + seed) + ...
+ *
+ * where + indicates concatenation. P_<hash> can be iterated as many times as
+ * is necessary to produce the required quantity of data.
+ *
+ * A(i) is defined as:
+ * A(0) = seed
+ * A(i) = HMAC_<hash>(secret, A(i-1))
+ */
+static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init,
+ const unsigned char *sec, size_t sec_len,
+ const unsigned char *seed, size_t seed_len,
+ unsigned char *out, size_t olen)
+{
+ size_t chunk;
+ EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL;
+ unsigned char Ai[EVP_MAX_MD_SIZE];
+ size_t Ai_len;
+ int ret = 0;
+
+ if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL))
+ goto err;
+ chunk = EVP_MAC_CTX_get_mac_size(ctx_init);
+ if (chunk == 0)
+ goto err;
+ /* A(0) = seed */
+ ctx_Ai = EVP_MAC_CTX_dup(ctx_init);
+ if (ctx_Ai == NULL)
+ goto err;
+ if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len))
+ goto err;
+
+ for (;;) {
+ /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */
+ if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai)))
+ goto err;
+ EVP_MAC_CTX_free(ctx_Ai);
+ ctx_Ai = NULL;
+
+ /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */
+ ctx = EVP_MAC_CTX_dup(ctx_init);
+ if (ctx == NULL)
+ goto err;
+ if (!EVP_MAC_update(ctx, Ai, Ai_len))
+ goto err;
+ /* save state for calculating next A(i) value */
+ if (olen > chunk) {
+ ctx_Ai = EVP_MAC_CTX_dup(ctx);
+ if (ctx_Ai == NULL)
+ goto err;
+ }
+ if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len))
+ goto err;
+ if (olen <= chunk) {
+ /* last chunk - use Ai as temp bounce buffer */
+ if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai)))
+ goto err;
+ memcpy(out, Ai, olen);
+ break;
+ }
+ if (!EVP_MAC_final(ctx, out, NULL, olen))
+ goto err;
+ EVP_MAC_CTX_free(ctx);
+ ctx = NULL;
+ out += chunk;
+ olen -= chunk;
+ }
+ ret = 1;
+ err:
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_CTX_free(ctx_Ai);
+ OPENSSL_cleanse(Ai, sizeof(Ai));
+ return ret;
+}
+
+/*
+ * Refer to "The TLS Protocol Version 1.0" Section 5
+ * (https://tools.ietf.org/html/rfc2246#section-5) and
+ * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5
+ * (https://tools.ietf.org/html/rfc5246#section-5).
+ *
+ * For TLS v1.0 and TLS v1.1:
+ *
+ * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
+ * P_SHA-1(S2, label + seed)
+ *
+ * S1 is taken from the first half of the secret, S2 from the second half.
+ *
+ * L_S = length in bytes of secret;
+ * L_S1 = L_S2 = ceil(L_S / 2);
+ *
+ * For TLS v1.2:
+ *
+ * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
+ */
+static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx,
+ const unsigned char *sec, size_t slen,
+ const unsigned char *seed, size_t seed_len,
+ unsigned char *out, size_t olen)
+{
+ if (sha1ctx != NULL) {
+ /* TLS v1.0 and TLS v1.1 */
+ size_t i;
+ unsigned char *tmp;
+ /* calc: L_S1 = L_S2 = ceil(L_S / 2) */
+ size_t L_S1 = (slen + 1) / 2;
+ size_t L_S2 = L_S1;
+
+ if (!tls1_prf_P_hash(mdctx, sec, L_S1,
+ seed, seed_len, out, olen))
+ return 0;
+
+ if ((tmp = OPENSSL_malloc(olen)) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2,
+ seed, seed_len, tmp, olen)) {
+ OPENSSL_clear_free(tmp, olen);
+ return 0;
+ }
+ for (i = 0; i < olen; i++)
+ out[i] ^= tmp[i];
+ OPENSSL_clear_free(tmp, olen);
+ return 1;
+ }
+
+ /* TLS v1.2 */
+ if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen))
+ return 0;
+
+ return 1;
+}
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
new file mode 100644
index 000000000000..b1bc6f7e1ba5
--- /dev/null
+++ b/providers/implementations/kdfs/x942kdf.c
@@ -0,0 +1,594 @@
+/*
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "e_os.h"
+#include <openssl/core_names.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/params.h>
+#include <openssl/proverr.h>
+#include "internal/packet.h"
+#include "internal/der.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+#include "prov/der_wrap.h"
+
+#define X942KDF_MAX_INLEN (1 << 30)
+
+static OSSL_FUNC_kdf_newctx_fn x942kdf_new;
+static OSSL_FUNC_kdf_freectx_fn x942kdf_free;
+static OSSL_FUNC_kdf_reset_fn x942kdf_reset;
+static OSSL_FUNC_kdf_derive_fn x942kdf_derive;
+static OSSL_FUNC_kdf_settable_ctx_params_fn x942kdf_settable_ctx_params;
+static OSSL_FUNC_kdf_set_ctx_params_fn x942kdf_set_ctx_params;
+static OSSL_FUNC_kdf_gettable_ctx_params_fn x942kdf_gettable_ctx_params;
+static OSSL_FUNC_kdf_get_ctx_params_fn x942kdf_get_ctx_params;
+
+typedef struct {
+ void *provctx;
+ PROV_DIGEST digest;
+ unsigned char *secret;
+ size_t secret_len;
+ unsigned char *acvpinfo;
+ size_t acvpinfo_len;
+ unsigned char *partyuinfo, *partyvinfo, *supp_pubinfo, *supp_privinfo;
+ size_t partyuinfo_len, partyvinfo_len, supp_pubinfo_len, supp_privinfo_len;
+ size_t dkm_len;
+ const unsigned char *cek_oid;
+ size_t cek_oid_len;
+ int use_keybits;
+} KDF_X942;
+
+/*
+ * A table of allowed wrapping algorithms, oids and the associated output
+ * lengths.
+ * NOTE: RC2wrap and camellia128_wrap have been removed as there are no
+ * corresponding ciphers for these operations.
+ */
+static const struct {
+ const char *name;
+ const unsigned char *oid;
+ size_t oid_len;
+ size_t keklen; /* size in bytes */
+} kek_algs[] = {
+ { "AES-128-WRAP", ossl_der_oid_id_aes128_wrap, DER_OID_SZ_id_aes128_wrap,
+ 16 },
+ { "AES-192-WRAP", ossl_der_oid_id_aes192_wrap, DER_OID_SZ_id_aes192_wrap,
+ 24 },
+ { "AES-256-WRAP", ossl_der_oid_id_aes256_wrap, DER_OID_SZ_id_aes256_wrap,
+ 32 },
+#ifndef FIPS_MODULE
+ { "DES3-WRAP", ossl_der_oid_id_alg_CMS3DESwrap,
+ DER_OID_SZ_id_alg_CMS3DESwrap, 24 },
+#endif
+};
+
+static int find_alg_id(OSSL_LIB_CTX *libctx, const char *algname,
+ const char *propq, size_t *id)
+{
+ int ret = 1;
+ size_t i;
+ EVP_CIPHER *cipher;
+
+ cipher = EVP_CIPHER_fetch(libctx, algname, propq);
+ if (cipher != NULL) {
+ for (i = 0; i < OSSL_NELEM(kek_algs); i++) {
+ if (EVP_CIPHER_is_a(cipher, kek_algs[i].name)) {
+ *id = i;
+ goto end;
+ }
+ }
+ }
+ ret = 0;
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_CEK_ALG);
+end:
+ EVP_CIPHER_free(cipher);
+ return ret;
+}
+
+static int DER_w_keyinfo(WPACKET *pkt,
+ const unsigned char *der_oid, size_t der_oidlen,
+ unsigned char **pcounter)
+{
+ return ossl_DER_w_begin_sequence(pkt, -1)
+ /* Store the initial value of 1 into the counter */
+ && ossl_DER_w_octet_string_uint32(pkt, -1, 1)
+ /* Remember where we stored the counter in the buffer */
+ && (pcounter == NULL
+ || (*pcounter = WPACKET_get_curr(pkt)) != NULL)
+ && ossl_DER_w_precompiled(pkt, -1, der_oid, der_oidlen)
+ && ossl_DER_w_end_sequence(pkt, -1);
+}
+
+static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen,
+ const unsigned char *der_oid, size_t der_oidlen,
+ const unsigned char *acvp, size_t acvplen,
+ const unsigned char *partyu, size_t partyulen,
+ const unsigned char *partyv, size_t partyvlen,
+ const unsigned char *supp_pub, size_t supp_publen,
+ const unsigned char *supp_priv, size_t supp_privlen,
+ uint32_t keylen_bits, unsigned char **pcounter)
+{
+ return (buf != NULL ? WPACKET_init_der(pkt, buf, buflen) :
+ WPACKET_init_null_der(pkt))
+ && ossl_DER_w_begin_sequence(pkt, -1)
+ && (supp_priv == NULL
+ || ossl_DER_w_octet_string(pkt, 3, supp_priv, supp_privlen))
+ && (supp_pub == NULL
+ || ossl_DER_w_octet_string(pkt, 2, supp_pub, supp_publen))
+ && (keylen_bits == 0
+ || ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits))
+ && (partyv == NULL || ossl_DER_w_octet_string(pkt, 1, partyv, partyvlen))
+ && (partyu == NULL || ossl_DER_w_octet_string(pkt, 0, partyu, partyulen))
+ && (acvp == NULL || ossl_DER_w_precompiled(pkt, -1, acvp, acvplen))
+ && DER_w_keyinfo(pkt, der_oid, der_oidlen, pcounter)
+ && ossl_DER_w_end_sequence(pkt, -1)
+ && WPACKET_finish(pkt);
+}
+
+/*
+ * Encode the other info structure.
+ *
+ * The ANS X9.42-2003 standard uses OtherInfo:
+ *
+ * OtherInfo ::= SEQUENCE {
+ * keyInfo KeySpecificInfo,
+ * partyUInfo [0] OCTET STRING OPTIONAL,
+ * partyVInfo [1] OCTET STRING OPTIONAL,
+ * suppPubInfo [2] OCTET STRING OPTIONAL,
+ * suppPrivInfo [3] OCTET STRING OPTIONAL
+ * }
+ *
+ * KeySpecificInfo ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * counter OCTET STRING SIZE (4..4)
+ * }
+ *
+ * RFC2631 Section 2.1.2 Contains the following definition for OtherInfo
+ *
+ * OtherInfo ::= SEQUENCE {
+ * keyInfo KeySpecificInfo,
+ * partyAInfo [0] OCTET STRING OPTIONAL,
+ * suppPubInfo [2] OCTET STRING
+ * }
+ * Where suppPubInfo is the key length (in bits) (stored into 4 bytes)
+ *
+ * |keylen| is the length (in bytes) of the generated KEK. It is stored into
+ * suppPubInfo (in bits). It is ignored if the value is 0.
+ * |cek_oid| The oid of the key wrapping algorithm.
+ * |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid,
+ * |acvp| is the optional blob of DER data representing one or more of the
+ * OtherInfo fields related to |partyu|, |partyv|, |supp_pub| and |supp_priv|.
+ * This field should noramlly be NULL. If |acvp| is non NULL then |partyu|,
+ * |partyv|, |supp_pub| and |supp_priv| should all be NULL.
+ * |acvp_len| is the |acvp| length (in bytes).
+ * |partyu| is the optional public info contributed by the initiator.
+ * It can be NULL. (It is also used as the ukm by CMS).
+ * |partyu_len| is the |partyu| length (in bytes).
+ * |partyv| is the optional public info contributed by the responder.
+ * It can be NULL.
+ * |partyv_len| is the |partyv| length (in bytes).
+ * |supp_pub| is the optional additional, mutually-known public information.
+ * It can be NULL. |keylen| should be 0 if this is not NULL.
+ * |supp_pub_len| is the |supp_pub| length (in bytes).
+ * |supp_priv| is the optional additional, mutually-known private information.
+ * It can be NULL.
+ * |supp_priv_len| is the |supp_priv| length (in bytes).
+ * |der| is the returned encoded data. It must be freed by the caller.
+ * |der_len| is the returned size of the encoded data.
+ * |out_ctr| returns a pointer to the counter data which is embedded inside the
+ * encoded data. This allows the counter bytes to be updated without
+ * re-encoding.
+ *
+ * Returns: 1 if successfully encoded, or 0 otherwise.
+ * Assumptions: |der|, |der_len| & |out_ctr| are not NULL.
+ */
+static int
+x942_encode_otherinfo(size_t keylen,
+ const unsigned char *cek_oid, size_t cek_oid_len,
+ const unsigned char *acvp, size_t acvp_len,
+ const unsigned char *partyu, size_t partyu_len,
+ const unsigned char *partyv, size_t partyv_len,
+ const unsigned char *supp_pub, size_t supp_pub_len,
+ const unsigned char *supp_priv, size_t supp_priv_len,
+ unsigned char **der, size_t *der_len,
+ unsigned char **out_ctr)
+{
+ int ret = 0;
+ unsigned char *pcounter = NULL, *der_buf = NULL;
+ size_t der_buflen = 0;
+ WPACKET pkt;
+ uint32_t keylen_bits;
+
+ /* keylenbits must fit into 4 bytes */
+ if (keylen > 0xFFFFFF)
+ return 0;
+ keylen_bits = 8 * keylen;
+
+ /* Calculate the size of the buffer */
+ if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oid_len,
+ acvp, acvp_len,
+ partyu, partyu_len, partyv, partyv_len,
+ supp_pub, supp_pub_len, supp_priv, supp_priv_len,
+ keylen_bits, NULL)
+ || !WPACKET_get_total_written(&pkt, &der_buflen))
+ goto err;
+ WPACKET_cleanup(&pkt);
+ /* Alloc the buffer */
+ der_buf = OPENSSL_zalloc(der_buflen);
+ if (der_buf == NULL)
+ goto err;
+ /* Encode into the buffer */
+ if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oid_len,
+ acvp, acvp_len,
+ partyu, partyu_len, partyv, partyv_len,
+ supp_pub, supp_pub_len, supp_priv, supp_priv_len,
+ keylen_bits, &pcounter))
+ goto err;
+ /*
+ * Since we allocated the exact size required, the buffer should point to the
+ * start of the alllocated buffer at this point.
+ */
+ if (WPACKET_get_curr(&pkt) != der_buf)
+ goto err;
+
+ /*
+ * The data for the DER encoded octet string of a 32 bit counter = 1
+ * should be 04 04 00 00 00 01
+ * So just check the header is correct and skip over it.
+ * This counter will be incremented in the kdf update loop.
+ */
+ if (pcounter == NULL
+ || pcounter[0] != 0x04
+ || pcounter[1] != 0x04)
+ goto err;
+ *out_ctr = (pcounter + 2);
+ *der = der_buf;
+ *der_len = der_buflen;
+ ret = 1;
+err:
+ WPACKET_cleanup(&pkt);
+ return ret;
+}
+
+static int x942kdf_hash_kdm(const EVP_MD *kdf_md,
+ const unsigned char *z, size_t z_len,
+ const unsigned char *other, size_t other_len,
+ unsigned char *ctr,
+ unsigned char *derived_key, size_t derived_key_len)
+{
+ int ret = 0, hlen;
+ size_t counter, out_len, len = derived_key_len;
+ unsigned char mac[EVP_MAX_MD_SIZE];
+ unsigned char *out = derived_key;
+ EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
+
+ if (z_len > X942KDF_MAX_INLEN
+ || other_len > X942KDF_MAX_INLEN
+ || derived_key_len > X942KDF_MAX_INLEN
+ || derived_key_len == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
+ return 0;
+ }
+
+ hlen = EVP_MD_get_size(kdf_md);
+ if (hlen <= 0)
+ return 0;
+ out_len = (size_t)hlen;
+
+ ctx = EVP_MD_CTX_create();
+ ctx_init = EVP_MD_CTX_create();
+ if (ctx == NULL || ctx_init == NULL)
+ goto end;
+
+ if (!EVP_DigestInit(ctx_init, kdf_md))
+ goto end;
+
+ for (counter = 1;; counter++) {
+ /* updating the ctr modifies 4 bytes in the 'other' buffer */
+ ctr[0] = (unsigned char)((counter >> 24) & 0xff);
+ ctr[1] = (unsigned char)((counter >> 16) & 0xff);
+ ctr[2] = (unsigned char)((counter >> 8) & 0xff);
+ ctr[3] = (unsigned char)(counter & 0xff);
+
+ if (!EVP_MD_CTX_copy_ex(ctx, ctx_init)
+ || !EVP_DigestUpdate(ctx, z, z_len)
+ || !EVP_DigestUpdate(ctx, other, other_len))
+ goto end;
+ if (len >= out_len) {
+ if (!EVP_DigestFinal_ex(ctx, out, NULL))
+ goto end;
+ out += out_len;
+ len -= out_len;
+ if (len == 0)
+ break;
+ } else {
+ if (!EVP_DigestFinal_ex(ctx, mac, NULL))
+ goto end;
+ memcpy(out, mac, len);
+ break;
+ }
+ }
+ ret = 1;
+end:
+ EVP_MD_CTX_free(ctx);
+ EVP_MD_CTX_free(ctx_init);
+ OPENSSL_cleanse(mac, sizeof(mac));
+ return ret;
+}
+
+static void *x942kdf_new(void *provctx)
+{
+ KDF_X942 *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ ctx->provctx = provctx;
+ ctx->use_keybits = 1;
+ return ctx;
+}
+
+static void x942kdf_reset(void *vctx)
+{
+ KDF_X942 *ctx = (KDF_X942 *)vctx;
+ void *provctx = ctx->provctx;
+
+ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_clear_free(ctx->secret, ctx->secret_len);
+ OPENSSL_clear_free(ctx->acvpinfo, ctx->acvpinfo_len);
+ OPENSSL_clear_free(ctx->partyuinfo, ctx->partyuinfo_len);
+ OPENSSL_clear_free(ctx->partyvinfo, ctx->partyvinfo_len);
+ OPENSSL_clear_free(ctx->supp_pubinfo, ctx->supp_pubinfo_len);
+ OPENSSL_clear_free(ctx->supp_privinfo, ctx->supp_privinfo_len);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+ ctx->use_keybits = 1;
+}
+
+static void x942kdf_free(void *vctx)
+{
+ KDF_X942 *ctx = (KDF_X942 *)vctx;
+
+ if (ctx != NULL) {
+ x942kdf_reset(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static int x942kdf_set_buffer(unsigned char **out, size_t *out_len,
+ const OSSL_PARAM *p)
+{
+ if (p->data_size == 0 || p->data == NULL)
+ return 1;
+
+ OPENSSL_free(*out);
+ *out = NULL;
+ return OSSL_PARAM_get_octet_string(p, (void **)out, 0, out_len);
+}
+
+static size_t x942kdf_size(KDF_X942 *ctx)
+{
+ int len;
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ len = EVP_MD_get_size(md);
+ return (len <= 0) ? 0 : (size_t)len;
+}
+
+static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+{
+ KDF_X942 *ctx = (KDF_X942 *)vctx;
+ const EVP_MD *md;
+ int ret = 0;
+ unsigned char *ctr;
+ unsigned char *der = NULL;
+ size_t der_len = 0;
+
+ if (!ossl_prov_is_running() || !x942kdf_set_ctx_params(ctx, params))
+ return 0;
+
+ /*
+ * These 2 options encode to the same field so only one of them should be
+ * active at once.
+ */
+ if (ctx->use_keybits && ctx->supp_pubinfo != NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PUBINFO);
+ return 0;
+ }
+ /*
+ * If the blob of acvp data is used then the individual info fields that it
+ * replaces should not also be defined.
+ */
+ if (ctx->acvpinfo != NULL
+ && (ctx->partyuinfo != NULL
+ || ctx->partyvinfo != NULL
+ || ctx->supp_pubinfo != NULL
+ || ctx->supp_privinfo != NULL)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
+ return 0;
+ }
+ if (ctx->secret == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
+ return 0;
+ }
+ md = ossl_prov_digest_md(&ctx->digest);
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
+ return 0;
+ }
+ if (ctx->cek_oid == NULL || ctx->cek_oid_len == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CEK_ALG);
+ return 0;
+ }
+ if (ctx->partyuinfo != NULL && ctx->partyuinfo_len >= X942KDF_MAX_INLEN) {
+ /*
+ * Note the ukm length MUST be 512 bits if it is used.
+ * For backwards compatibility the old check is being done.
+ */
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_UKM_LENGTH);
+ return 0;
+ }
+ /* generate the otherinfo der */
+ if (!x942_encode_otherinfo(ctx->use_keybits ? ctx->dkm_len : 0,
+ ctx->cek_oid, ctx->cek_oid_len,
+ ctx->acvpinfo, ctx->acvpinfo_len,
+ ctx->partyuinfo, ctx->partyuinfo_len,
+ ctx->partyvinfo, ctx->partyvinfo_len,
+ ctx->supp_pubinfo, ctx->supp_pubinfo_len,
+ ctx->supp_privinfo, ctx->supp_privinfo_len,
+ &der, &der_len, &ctr)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
+ return 0;
+ }
+ ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
+ der, der_len, ctr, key, keylen);
+ OPENSSL_free(der);
+ return ret;
+}
+
+static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p, *pq;
+ KDF_X942 *ctx = vctx;
+ OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
+ const char *propq = NULL;
+ size_t id;
+
+ if (params == NULL)
+ return 1;
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET);
+ if (p == NULL)
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY);
+ if (p != NULL && !x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_ACVPINFO);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->acvpinfo, &ctx->acvpinfo_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYUINFO);
+ if (p == NULL)
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_UKM);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->partyuinfo, &ctx->partyuinfo_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_PARTYVINFO);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->partyvinfo, &ctx->partyvinfo_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_USE_KEYBITS);
+ if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_keybits))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PUBINFO);
+ if (p != NULL) {
+ if (!x942kdf_set_buffer(&ctx->supp_pubinfo, &ctx->supp_pubinfo_len, p))
+ return 0;
+ ctx->use_keybits = 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_X942_SUPP_PRIVINFO);
+ if (p != NULL
+ && !x942kdf_set_buffer(&ctx->supp_privinfo, &ctx->supp_privinfo_len, p))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_UTF8_STRING)
+ return 0;
+ pq = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_PROPERTIES);
+ /*
+ * We already grab the properties during ossl_prov_digest_load_from_params()
+ * so there is no need to check the validity again..
+ */
+ if (pq != NULL)
+ propq = p->data;
+ if (find_alg_id(provctx, p->data, propq, &id) == 0)
+ return 0;
+ ctx->cek_oid = kek_algs[id].oid;
+ ctx->cek_oid_len = kek_algs[id].oid_len;
+ ctx->dkm_len = kek_algs[id].keklen;
+ }
+ return 1;
+}
+
+static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_UKM, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_ACVPINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYUINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_PARTYVINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PUBINFO, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_X942_SUPP_PRIVINFO, NULL, 0),
+ OSSL_PARAM_int(OSSL_KDF_PARAM_X942_USE_KEYBITS, NULL),
+ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ KDF_X942 *ctx = (KDF_X942 *)vctx;
+ OSSL_PARAM *p;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+ return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
+ return -2;
+}
+
+static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_kdf_x942_kdf_functions[] = {
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x942kdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))x942kdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))x942kdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x942kdf_derive },
+ { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
+ (void(*)(void))x942kdf_settable_ctx_params },
+ { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))x942kdf_set_ctx_params },
+ { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
+ (void(*)(void))x942kdf_gettable_ctx_params },
+ { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))x942kdf_get_ctx_params },
+ { 0, NULL }
+};
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-15 20:16:44 +0000