1
/*
2
 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
4
 *
5
 * Licensed under the Apache License 2.0 (the "License").  You may not use
6
 * this file except in compliance with the License.  You can obtain a copy
7
 * in the file LICENSE in the source distribution or at
8
 * https://www.openssl.org/source/license.html
9
 */
10

11
/*
12
 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
13
 * Section 4.1.
14
 *
15
 * The Single Step KDF algorithm is given by:
16
 *
17
 * Result(0) = empty bit string (i.e., the null string).
18
 * For i = 1 to reps, do the following:
19
 *   Increment counter by 1.
20
 *   Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
21
 * DKM = LeftmostBits(Result(reps), L))
22
 *
23
 * NOTES:
24
 *   Z is a shared secret required to produce the derived key material.
25
 *   counter is a 4 byte buffer.
26
 *   FixedInfo is a bit string containing context specific data.
27
 *   DKM is the output derived key material.
28
 *   L is the required size of the DKM.
29
 *   reps = [L / H_outputBits]
30
 *   H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31
 *   H_outputBits is the length of the output of the auxiliary function H(x).
32
 *
33
 * Currently there is not a comprehensive list of test vectors for this
34
 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35
 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
36
 */
37
#include <stdlib.h>
38
#include <stdarg.h>
39
#include <string.h>
40
#include <openssl/hmac.h>
41
#include <openssl/evp.h>
42
#include <openssl/kdf.h>
43
#include <openssl/core_names.h>
44
#include <openssl/params.h>
45
#include <openssl/proverr.h>
46
#include "internal/cryptlib.h"
47
#include "internal/numbers.h"
48
#include "crypto/evp.h"
49
#include "prov/provider_ctx.h"
50
#include "prov/providercommon.h"
51
#include "prov/implementations.h"
52
#include "prov/provider_util.h"
53
#include "prov/securitycheck.h"
54
#include "internal/params.h"
55

56
typedef struct {
57
    void *provctx;
58
    EVP_MAC_CTX *macctx;         /* H(x) = HMAC_hash OR H(x) = KMAC */
59
    PROV_DIGEST digest;          /* H(x) = hash(x) */
60
    unsigned char *secret;
61
    size_t secret_len;
62
    unsigned char *info;
63
    size_t info_len;
64
    unsigned char *salt;
65
    size_t salt_len;
66
    size_t out_len; /* optional KMAC parameter */
67
    int is_kmac;
68
    OSSL_FIPS_IND_DECLARE
69
} KDF_SSKDF;
70

71
#define SSKDF_MAX_INLEN (1<<30)
72
#define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
73
#define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
74

75
/* KMAC uses a Customisation string of 'KDF' */
76
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
77

78
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
79
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
80
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
81
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
82
static OSSL_FUNC_kdf_derive_fn sskdf_derive;
83
static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
84
static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
85
static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
86
static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;
87
static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
88
static OSSL_FUNC_kdf_settable_ctx_params_fn x963kdf_settable_ctx_params;
89
static OSSL_FUNC_kdf_set_ctx_params_fn x963kdf_set_ctx_params;
90
static OSSL_FUNC_kdf_gettable_ctx_params_fn x963kdf_gettable_ctx_params;
91
static OSSL_FUNC_kdf_get_ctx_params_fn x963kdf_get_ctx_params;
92

93
/* Settable context parameters that are common across SSKDF and X963 KDF */
94
#define SSKDF_COMMON_SETTABLES                                      \
95
    OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),        \
96
    OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),           \
97
    OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),          \
98
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),     \
99
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),         \
100
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),            \
101
    OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),          \
102
    OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL)
103

104
/* Gettable context parameters that are common across SSKDF and X963 KDF */
105
#define SSKDF_COMMON_GETTABLES                                          \
106
    OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL)
107

108
/*
109
 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
110
 * Section 4. One-Step Key Derivation using H(x) = hash(x)
111
 * Note: X9.63 also uses this code with the only difference being that the
112
 * counter is appended to the secret 'z'.
113
 * i.e.
114
 *   result[i] = Hash(counter || z || info) for One Step OR
115
 *   result[i] = Hash(z || counter || info) for X9.63.
116
 */
117
static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
118
                          const unsigned char *z, size_t z_len,
119
                          const unsigned char *info, size_t info_len,
120
                          unsigned int append_ctr,
121
                          unsigned char *derived_key, size_t derived_key_len)
122
{
123
    int ret = 0, hlen;
124
    size_t counter, out_len, len = derived_key_len;
125
    unsigned char c[4];
126
    unsigned char mac[EVP_MAX_MD_SIZE];
127
    unsigned char *out = derived_key;
128
    EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;
129

130
    if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
131
            || derived_key_len > SSKDF_MAX_INLEN
132
            || derived_key_len == 0)
133
        return 0;
134

135
    hlen = EVP_MD_get_size(kdf_md);
136
    if (hlen <= 0)
137
        return 0;
138
    out_len = (size_t)hlen;
139

140
    ctx = EVP_MD_CTX_create();
141
    ctx_init = EVP_MD_CTX_create();
142
    if (ctx == NULL || ctx_init == NULL)
143
        goto end;
144

145
    if (!EVP_DigestInit(ctx_init, kdf_md))
146
        goto end;
147

148
    for (counter = 1;; counter++) {
149
        c[0] = (unsigned char)((counter >> 24) & 0xff);
150
        c[1] = (unsigned char)((counter >> 16) & 0xff);
151
        c[2] = (unsigned char)((counter >> 8) & 0xff);
152
        c[3] = (unsigned char)(counter & 0xff);
153

154
        if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
155
                && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
156
                && EVP_DigestUpdate(ctx, z, z_len)
157
                && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
158
                && EVP_DigestUpdate(ctx, info, info_len)))
159
            goto end;
160
        if (len >= out_len) {
161
            if (!EVP_DigestFinal_ex(ctx, out, NULL))
162
                goto end;
163
            out += out_len;
164
            len -= out_len;
165
            if (len == 0)
166
                break;
167
        } else {
168
            if (!EVP_DigestFinal_ex(ctx, mac, NULL))
169
                goto end;
170
            memcpy(out, mac, len);
171
            break;
172
        }
173
    }
174
    ret = 1;
175
end:
176
    EVP_MD_CTX_destroy(ctx);
177
    EVP_MD_CTX_destroy(ctx_init);
178
    OPENSSL_cleanse(mac, sizeof(mac));
179
    return ret;
180
}
181

182
static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
183
                     size_t custom_len, size_t kmac_out_len,
184
                     size_t derived_key_len, unsigned char **out)
185
{
186
    OSSL_PARAM params[2];
187

188
    /* Only KMAC has custom data - so return if not KMAC */
189
    if (custom == NULL)
190
        return 1;
191

192
    params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
193
                                                  (void *)custom, custom_len);
194
    params[1] = OSSL_PARAM_construct_end();
195

196
    if (!EVP_MAC_CTX_set_params(ctx, params))
197
        return 0;
198

199
    /* By default only do one iteration if kmac_out_len is not specified */
200
    if (kmac_out_len == 0)
201
        kmac_out_len = derived_key_len;
202
    /* otherwise check the size is valid */
203
    else if (!(kmac_out_len == derived_key_len
204
            || kmac_out_len == 20
205
            || kmac_out_len == 28
206
            || kmac_out_len == 32
207
            || kmac_out_len == 48
208
            || kmac_out_len == 64))
209
        return 0;
210

211
    params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
212
                                            &kmac_out_len);
213

214
    if (EVP_MAC_CTX_set_params(ctx, params) <= 0)
215
        return 0;
216

217
    /*
218
     * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
219
     * alloc a buffer for this case.
220
     */
221
    if (kmac_out_len > EVP_MAX_MD_SIZE) {
222
        *out = OPENSSL_zalloc(kmac_out_len);
223
        if (*out == NULL)
224
            return 0;
225
    }
226
    return 1;
227
}
228

229
/*
230
 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
231
 * Section 4. One-Step Key Derivation using MAC: i.e either
232
 *     H(x) = HMAC-hash(salt, x) OR
233
 *     H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
234
 */
235
static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
236
                         const unsigned char *kmac_custom,
237
                         size_t kmac_custom_len, size_t kmac_out_len,
238
                         const unsigned char *salt, size_t salt_len,
239
                         const unsigned char *z, size_t z_len,
240
                         const unsigned char *info, size_t info_len,
241
                         unsigned char *derived_key, size_t derived_key_len)
242
{
243
    int ret = 0;
244
    size_t counter, out_len, len;
245
    unsigned char c[4];
246
    unsigned char mac_buf[EVP_MAX_MD_SIZE];
247
    unsigned char *out = derived_key;
248
    EVP_MAC_CTX *ctx = NULL;
249
    unsigned char *mac = mac_buf, *kmac_buffer = NULL;
250

251
    if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
252
            || derived_key_len > SSKDF_MAX_INLEN
253
            || derived_key_len == 0)
254
        return 0;
255

256
    if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
257
                   derived_key_len, &kmac_buffer))
258
        goto end;
259
    if (kmac_buffer != NULL)
260
        mac = kmac_buffer;
261

262
    if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
263
        goto end;
264

265
    out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
266
    if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf)))
267
        goto end;
268
    len = derived_key_len;
269

270
    for (counter = 1;; counter++) {
271
        c[0] = (unsigned char)((counter >> 24) & 0xff);
272
        c[1] = (unsigned char)((counter >> 16) & 0xff);
273
        c[2] = (unsigned char)((counter >> 8) & 0xff);
274
        c[3] = (unsigned char)(counter & 0xff);
275

276
        ctx = EVP_MAC_CTX_dup(ctx_init);
277
        if (!(ctx != NULL
278
                && EVP_MAC_update(ctx, c, sizeof(c))
279
                && EVP_MAC_update(ctx, z, z_len)
280
                && EVP_MAC_update(ctx, info, info_len)))
281
            goto end;
282
        if (len >= out_len) {
283
            if (!EVP_MAC_final(ctx, out, NULL, len))
284
                goto end;
285
            out += out_len;
286
            len -= out_len;
287
            if (len == 0)
288
                break;
289
        } else {
290
            if (!EVP_MAC_final(ctx, mac, NULL, out_len))
291
                goto end;
292
            memcpy(out, mac, len);
293
            break;
294
        }
295
        EVP_MAC_CTX_free(ctx);
296
        ctx = NULL;
297
    }
298
    ret = 1;
299
end:
300
    if (kmac_buffer != NULL)
301
        OPENSSL_clear_free(kmac_buffer, kmac_out_len);
302
    else
303
        OPENSSL_cleanse(mac_buf, sizeof(mac_buf));
304

305
    EVP_MAC_CTX_free(ctx);
306
    return ret;
307
}
308

309
static void *sskdf_new(void *provctx)
310
{
311
    KDF_SSKDF *ctx;
312

313
    if (!ossl_prov_is_running())
314
        return NULL;
315

316
    if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) {
317
        ctx->provctx = provctx;
318
        OSSL_FIPS_IND_INIT(ctx)
319
    }
320
    return ctx;
321
}
322

323
static void sskdf_reset(void *vctx)
324
{
325
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
326
    void *provctx = ctx->provctx;
327

328
    EVP_MAC_CTX_free(ctx->macctx);
329
    ossl_prov_digest_reset(&ctx->digest);
330
    OPENSSL_clear_free(ctx->secret, ctx->secret_len);
331
    OPENSSL_clear_free(ctx->info, ctx->info_len);
332
    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
333
    memset(ctx, 0, sizeof(*ctx));
334
    ctx->provctx = provctx;
335
}
336

337
static void sskdf_free(void *vctx)
338
{
339
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
340

341
    if (ctx != NULL) {
342
        sskdf_reset(ctx);
343
        OPENSSL_free(ctx);
344
    }
345
}
346

347
static void *sskdf_dup(void *vctx)
348
{
349
    const KDF_SSKDF *src = (const KDF_SSKDF *)vctx;
350
    KDF_SSKDF *dest;
351

352
    dest = sskdf_new(src->provctx);
353
    if (dest != NULL) {
354
        if (src->macctx != NULL) {
355
            dest->macctx = EVP_MAC_CTX_dup(src->macctx);
356
            if (dest->macctx == NULL)
357
                goto err;
358
        }
359
        if (!ossl_prov_memdup(src->info, src->info_len,
360
                              &dest->info, &dest->info_len)
361
                || !ossl_prov_memdup(src->salt, src->salt_len,
362
                                     &dest->salt , &dest->salt_len)
363
                || !ossl_prov_memdup(src->secret, src->secret_len,
364
                                     &dest->secret, &dest->secret_len)
365
                || !ossl_prov_digest_copy(&dest->digest, &src->digest))
366
            goto err;
367
        dest->out_len = src->out_len;
368
        dest->is_kmac = src->is_kmac;
369
        OSSL_FIPS_IND_COPY(dest, src)
370
    }
371
    return dest;
372

373
 err:
374
    sskdf_free(dest);
375
    return NULL;
376
}
377

378
static size_t sskdf_size(KDF_SSKDF *ctx)
379
{
380
    int len;
381
    const EVP_MD *md = NULL;
382

383
    if (ctx->is_kmac)
384
        return SIZE_MAX;
385

386
    md = ossl_prov_digest_md(&ctx->digest);
387
    if (md == NULL) {
388
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
389
        return 0;
390
    }
391
    len = EVP_MD_get_size(md);
392
    return (len <= 0) ? 0 : (size_t)len;
393
}
394

395
#ifdef FIPS_MODULE
396
static int fips_sskdf_key_check_passed(KDF_SSKDF *ctx)
397
{
398
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
399
    int key_approved = ossl_kdf_check_key_size(ctx->secret_len);
400

401
    if (!key_approved) {
402
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
403
                                         libctx, "SSKDF", "Key size",
404
                                         ossl_fips_config_sskdf_key_check)) {
405
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
406
            return 0;
407
        }
408
    }
409
    return 1;
410
}
411
#endif
412

413
static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
414
                        const OSSL_PARAM params[])
415
{
416
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
417
    const EVP_MD *md;
418

419
    if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
420
        return 0;
421
    if (ctx->secret == NULL) {
422
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
423
        return 0;
424
    }
425

426
    md = ossl_prov_digest_md(&ctx->digest);
427

428
    if (ctx->macctx != NULL) {
429
        /* H(x) = KMAC or H(x) = HMAC */
430
        int ret;
431
        const unsigned char *custom = NULL;
432
        size_t custom_len = 0;
433
        int default_salt_len;
434
        EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);
435

436
        if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
437
            /* H(x) = HMAC(x, salt, hash) */
438
            if (md == NULL) {
439
                ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
440
                return 0;
441
            }
442
            default_salt_len = EVP_MD_get_size(md);
443
            if (default_salt_len <= 0)
444
                return 0;
445
        } else if (ctx->is_kmac) {
446
            /* H(x) = KMACzzz(x, salt, custom) */
447
            custom = kmac_custom_str;
448
            custom_len = sizeof(kmac_custom_str);
449
            if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128))
450
                default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
451
            else
452
                default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
453
        } else {
454
            ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
455
            return 0;
456
        }
457
        /* If no salt is set then use a default_salt of zeros */
458
        if (ctx->salt == NULL || ctx->salt_len <= 0) {
459
            ctx->salt = OPENSSL_zalloc(default_salt_len);
460
            if (ctx->salt == NULL)
461
                return 0;
462
            ctx->salt_len = default_salt_len;
463
        }
464
        ret = SSKDF_mac_kdm(ctx->macctx,
465
                            custom, custom_len, ctx->out_len,
466
                            ctx->salt, ctx->salt_len,
467
                            ctx->secret, ctx->secret_len,
468
                            ctx->info, ctx->info_len, key, keylen);
469
        return ret;
470
    } else {
471
        /* H(x) = hash */
472
        if (md == NULL) {
473
            ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
474
            return 0;
475
        }
476
        return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
477
                              ctx->info, ctx->info_len, 0, key, keylen);
478
    }
479
}
480

481
#ifdef FIPS_MODULE
482
static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md)
483
{
484
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
485
    /*
486
     * Perform digest check
487
     *
488
     * X963KDF is a KDF defined in ANSI-X9.63. According to ACVP specification
489
     * section 7.3.1, only SHA-2 and SHA-3 can be regarded as valid hash
490
     * functions.
491
     */
492
    int digest_unapproved = (ctx->is_kmac != 1) && EVP_MD_is_a(md, SN_sha1);
493

494
    if (digest_unapproved) {
495
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
496
                                         libctx, "X963KDF", "Digest",
497
                                         ossl_fips_config_x963kdf_digest_check)) {
498
            ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
499
            return 0;
500
        }
501
    }
502
    return 1;
503
}
504

505
static int fips_x963kdf_key_check_passed(KDF_SSKDF *ctx)
506
{
507
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
508
    int key_approved = ossl_kdf_check_key_size(ctx->secret_len);
509

510
    if (!key_approved) {
511
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
512
                                         libctx, "X963KDF", "Key size",
513
                                         ossl_fips_config_x963kdf_key_check)) {
514
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
515
            return 0;
516
        }
517
    }
518
    return 1;
519
}
520
#endif
521

522
static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
523
                          const OSSL_PARAM params[])
524
{
525
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
526
    const EVP_MD *md;
527

528
    if (!ossl_prov_is_running() || !x963kdf_set_ctx_params(ctx, params))
529
        return 0;
530

531
    if (ctx->secret == NULL) {
532
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
533
        return 0;
534
    }
535

536
    if (ctx->macctx != NULL) {
537
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED);
538
        return 0;
539
    }
540

541
    /* H(x) = hash */
542
    md = ossl_prov_digest_md(&ctx->digest);
543
    if (md == NULL) {
544
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
545
        return 0;
546
    }
547

548
    return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
549
                          ctx->info, ctx->info_len, 1, key, keylen);
550
}
551

552
static int sskdf_common_set_ctx_params(KDF_SSKDF *ctx, const OSSL_PARAM params[])
553
{
554
    const OSSL_PARAM *p;
555
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
556
    const EVP_MD *md = NULL;
557
    size_t sz;
558
    int r;
559

560
    if (ossl_param_is_empty(params))
561
        return 1;
562

563
    if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
564
                                           NULL, NULL, NULL, libctx))
565
        return 0;
566
    if (ctx->macctx != NULL) {
567
         if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
568
                          OSSL_MAC_NAME_KMAC128)
569
             || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
570
                             OSSL_MAC_NAME_KMAC256)) {
571
             ctx->is_kmac = 1;
572
         }
573
    }
574

575
    if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) {
576
        if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
577
            return 0;
578

579
        md = ossl_prov_digest_md(&ctx->digest);
580
        if (EVP_MD_xof(md)) {
581
            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
582
            return 0;
583
        }
584
    }
585

586
    r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SECRET,
587
                                     &ctx->secret, &ctx->secret_len);
588
    if (r == -1)
589
        r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_KEY,
590
                                         &ctx->secret, &ctx->secret_len);
591
    if (r == 0)
592
        return 0;
593

594
    if (ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO,
595
                                            &ctx->info, &ctx->info_len, 0) == 0)
596
        return 0;
597

598
    if (ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SALT,
599
                                     &ctx->salt, &ctx->salt_len) == 0)
600
            return 0;
601

602
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE))
603
        != NULL) {
604
        if (!OSSL_PARAM_get_size_t(p, &sz) || sz == 0)
605
            return 0;
606
        ctx->out_len = sz;
607
    }
608
    return 1;
609
}
610

611
static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
612
{
613
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
614

615
    if (ossl_param_is_empty(params))
616
        return 1;
617

618
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
619
                                     OSSL_KDF_PARAM_FIPS_KEY_CHECK))
620
        return 0;
621

622
    if (!sskdf_common_set_ctx_params(ctx, params))
623
        return 0;
624

625
#ifdef FIPS_MODULE
626
    if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) ||
627
        (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL))
628
        if (!fips_sskdf_key_check_passed(ctx))
629
            return 0;
630
#endif
631

632
    return 1;
633
}
634

635
static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx,
636
                                                   ossl_unused void *provctx)
637
{
638
    static const OSSL_PARAM known_settable_ctx_params[] = {
639
        SSKDF_COMMON_SETTABLES,
640
        OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK)
641
        OSSL_PARAM_END
642
    };
643
    return known_settable_ctx_params;
644
}
645

646
static int sskdf_common_get_ctx_params(KDF_SSKDF *ctx, OSSL_PARAM params[])
647
{
648
    OSSL_PARAM *p;
649

650
    if (ossl_param_is_empty(params))
651
        return 1;
652

653
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
654
        if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
655
            return 0;
656
    }
657

658
    return 1;
659
}
660

661
static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
662
{
663
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
664

665
    if (ossl_param_is_empty(params))
666
        return 1;
667

668
    if (!sskdf_common_get_ctx_params(ctx, params))
669
        return 0;
670

671
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
672
        return 0;
673

674
    return 1;
675
}
676

677
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
678
                                                   ossl_unused void *provctx)
679
{
680
    static const OSSL_PARAM known_gettable_ctx_params[] = {
681
        SSKDF_COMMON_GETTABLES,
682
        OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
683
        OSSL_PARAM_END
684
    };
685
    return known_gettable_ctx_params;
686
}
687

688
static int x963kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
689
{
690
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
691

692
    if (ossl_param_is_empty(params))
693
        return 1;
694

695
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
696
                                     OSSL_KDF_PARAM_FIPS_DIGEST_CHECK))
697
        return 0;
698
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, params,
699
                                     OSSL_KDF_PARAM_FIPS_KEY_CHECK))
700
        return 0;
701

702
    if (!sskdf_common_set_ctx_params(ctx, params))
703
        return 0;
704

705
#ifdef FIPS_MODULE
706
    if (OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST) != NULL) {
707
        const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
708

709
        if (!fips_x963kdf_digest_check_passed(ctx, md))
710
            return 0;
711
    }
712

713
    if ((OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY) != NULL) ||
714
        (OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET) != NULL))
715
        if (!fips_x963kdf_key_check_passed(ctx))
716
            return 0;
717
#endif
718

719
    return 1;
720
}
721

722
static const OSSL_PARAM *x963kdf_settable_ctx_params(ossl_unused void *ctx,
723
                                                     ossl_unused void *provctx)
724
{
725
    static const OSSL_PARAM known_settable_ctx_params[] = {
726
        SSKDF_COMMON_SETTABLES,
727
        OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK)
728
        OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_KDF_PARAM_FIPS_KEY_CHECK)
729
        OSSL_PARAM_END
730
    };
731
    return known_settable_ctx_params;
732
}
733

734
static int x963kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
735
{
736
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
737

738
    if (!sskdf_common_get_ctx_params(ctx, params))
739
        return 0;
740

741
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(ctx, params))
742
        return 0;
743

744
    return 1;
745
}
746

747
static const OSSL_PARAM *x963kdf_gettable_ctx_params(ossl_unused void *ctx,
748
                                                     ossl_unused void *provctx)
749
{
750
    static const OSSL_PARAM known_gettable_ctx_params[] = {
751
        SSKDF_COMMON_GETTABLES,
752
        OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
753
        OSSL_PARAM_END
754
    };
755
    return known_gettable_ctx_params;
756
}
757

758
const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
759
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
760
    { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
761
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
762
    { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
763
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive },
764
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
765
      (void(*)(void))sskdf_settable_ctx_params },
766
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
767
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
768
      (void(*)(void))sskdf_gettable_ctx_params },
769
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
770
    OSSL_DISPATCH_END
771
};
772

773
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
774
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
775
    { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
776
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
777
    { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
778
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
779
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
780
      (void(*)(void))x963kdf_settable_ctx_params },
781
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))x963kdf_set_ctx_params },
782
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
783
      (void(*)(void))x963kdf_gettable_ctx_params },
784
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))x963kdf_get_ctx_params },
785
    OSSL_DISPATCH_END
786
};
787

788