1/* 2 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10{- 11use OpenSSL::paramnames qw(produce_param_decoder); 12-} 13 14#include "internal/e_os.h" 15#include <openssl/core_names.h> 16#include <openssl/core_dispatch.h> 17#include <openssl/err.h> 18#include <openssl/evp.h> 19#include <openssl/params.h> 20#include <openssl/proverr.h> 21#include "internal/common.h" 22#include "internal/packet.h" 23#include "internal/der.h" 24#include "internal/nelem.h" 25#include "prov/provider_ctx.h" 26#include "prov/providercommon.h" 27#include "prov/implementations.h" 28#include "prov/provider_util.h" 29#include "prov/securitycheck.h" 30#include "prov/der_wrap.h" 31 32#define X942KDF_MAX_INLEN (1 << 30) 33 34static OSSL_FUNC_kdf_newctx_fn x942kdf_new; 35static OSSL_FUNC_kdf_dupctx_fn x942kdf_dup; 36static OSSL_FUNC_kdf_freectx_fn x942kdf_free; 37static OSSL_FUNC_kdf_reset_fn x942kdf_reset; 38static OSSL_FUNC_kdf_derive_fn x942kdf_derive; 39static OSSL_FUNC_kdf_settable_ctx_params_fn x942kdf_settable_ctx_params; 40static OSSL_FUNC_kdf_set_ctx_params_fn x942kdf_set_ctx_params; 41static OSSL_FUNC_kdf_gettable_ctx_params_fn x942kdf_gettable_ctx_params; 42static OSSL_FUNC_kdf_get_ctx_params_fn x942kdf_get_ctx_params; 43 44typedef struct { 45 void *provctx; 46 PROV_DIGEST digest; 47 unsigned char *secret; 48 size_t secret_len; 49 unsigned char *acvpinfo; 50 size_t acvpinfo_len; 51 unsigned char *partyuinfo, *partyvinfo, *supp_pubinfo, *supp_privinfo; 52 size_t partyuinfo_len, partyvinfo_len, supp_pubinfo_len, supp_privinfo_len; 53 size_t dkm_len; 54 const unsigned char *cek_oid; 55 size_t cek_oid_len; 56 int use_keybits; 57 OSSL_FIPS_IND_DECLARE 58} KDF_X942; 59 60/* 61 * A table of allowed wrapping algorithms, oids and the associated output 62 * lengths. 63 * NOTE: RC2wrap and camellia128_wrap have been removed as there are no 64 * corresponding ciphers for these operations. 65 */ 66static const struct { 67 const char *name; 68 const unsigned char *oid; 69 size_t oid_len; 70 size_t keklen; /* size in bytes */ 71} kek_algs[] = { 72 { "AES-128-WRAP", ossl_der_oid_id_aes128_wrap, DER_OID_SZ_id_aes128_wrap, 73 16 }, 74 { "AES-192-WRAP", ossl_der_oid_id_aes192_wrap, DER_OID_SZ_id_aes192_wrap, 75 24 }, 76 { "AES-256-WRAP", ossl_der_oid_id_aes256_wrap, DER_OID_SZ_id_aes256_wrap, 77 32 }, 78#ifndef FIPS_MODULE 79 { "DES3-WRAP", ossl_der_oid_id_alg_CMS3DESwrap, 80 DER_OID_SZ_id_alg_CMS3DESwrap, 24 }, 81#endif 82}; 83 84static int find_alg_id(OSSL_LIB_CTX *libctx, const char *algname, 85 const char *propq, size_t *id) 86{ 87 int ret = 1; 88 size_t i; 89 EVP_CIPHER *cipher; 90 91 cipher = EVP_CIPHER_fetch(libctx, algname, propq); 92 if (cipher != NULL) { 93 for (i = 0; i < OSSL_NELEM(kek_algs); i++) { 94 if (EVP_CIPHER_is_a(cipher, kek_algs[i].name)) { 95 *id = i; 96 goto end; 97 } 98 } 99 } 100 ret = 0; 101 ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_CEK_ALG); 102end: 103 EVP_CIPHER_free(cipher); 104 return ret; 105} 106 107static int DER_w_keyinfo(WPACKET *pkt, 108 const unsigned char *der_oid, size_t der_oidlen, 109 unsigned char **pcounter) 110{ 111 return ossl_DER_w_begin_sequence(pkt, -1) 112 /* Store the initial value of 1 into the counter */ 113 && ossl_DER_w_octet_string_uint32(pkt, -1, 1) 114 /* Remember where we stored the counter in the buffer */ 115 && (pcounter == NULL 116 || (*pcounter = WPACKET_get_curr(pkt)) != NULL) 117 && ossl_DER_w_precompiled(pkt, -1, der_oid, der_oidlen) 118 && ossl_DER_w_end_sequence(pkt, -1); 119} 120 121static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen, 122 const unsigned char *der_oid, size_t der_oidlen, 123 const unsigned char *acvp, size_t acvplen, 124 const unsigned char *partyu, size_t partyulen, 125 const unsigned char *partyv, size_t partyvlen, 126 const unsigned char *supp_pub, size_t supp_publen, 127 const unsigned char *supp_priv, size_t supp_privlen, 128 uint32_t keylen_bits, unsigned char **pcounter) 129{ 130 return (buf != NULL ? WPACKET_init_der(pkt, buf, buflen) : 131 WPACKET_init_null_der(pkt)) 132 && ossl_DER_w_begin_sequence(pkt, -1) 133 && (supp_priv == NULL 134 || ossl_DER_w_octet_string(pkt, 3, supp_priv, supp_privlen)) 135 && (supp_pub == NULL 136 || ossl_DER_w_octet_string(pkt, 2, supp_pub, supp_publen)) 137 && (keylen_bits == 0 138 || ossl_DER_w_octet_string_uint32(pkt, 2, keylen_bits)) 139 && (partyv == NULL || ossl_DER_w_octet_string(pkt, 1, partyv, partyvlen)) 140 && (partyu == NULL || ossl_DER_w_octet_string(pkt, 0, partyu, partyulen)) 141 && (acvp == NULL || ossl_DER_w_precompiled(pkt, -1, acvp, acvplen)) 142 && DER_w_keyinfo(pkt, der_oid, der_oidlen, pcounter) 143 && ossl_DER_w_end_sequence(pkt, -1) 144 && WPACKET_finish(pkt); 145} 146 147/* 148 * Encode the other info structure. 149 * 150 * The ANS X9.42-2003 standard uses OtherInfo: 151 * 152 * OtherInfo ::= SEQUENCE { 153 * keyInfo KeySpecificInfo, 154 * partyUInfo [0] OCTET STRING OPTIONAL, 155 * partyVInfo [1] OCTET STRING OPTIONAL, 156 * suppPubInfo [2] OCTET STRING OPTIONAL, 157 * suppPrivInfo [3] OCTET STRING OPTIONAL 158 * } 159 * 160 * KeySpecificInfo ::= SEQUENCE { 161 * algorithm OBJECT IDENTIFIER, 162 * counter OCTET STRING SIZE (4..4) 163 * } 164 * 165 * RFC2631 Section 2.1.2 Contains the following definition for OtherInfo 166 * 167 * OtherInfo ::= SEQUENCE { 168 * keyInfo KeySpecificInfo, 169 * partyAInfo [0] OCTET STRING OPTIONAL, 170 * suppPubInfo [2] OCTET STRING 171 * } 172 * Where suppPubInfo is the key length (in bits) (stored into 4 bytes) 173 * 174 * |keylen| is the length (in bytes) of the generated KEK. It is stored into 175 * suppPubInfo (in bits). It is ignored if the value is 0. 176 * |cek_oid| The oid of the key wrapping algorithm. 177 * |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid, 178 * |acvp| is the optional blob of DER data representing one or more of the 179 * OtherInfo fields related to |partyu|, |partyv|, |supp_pub| and |supp_priv|. 180 * This field should normally be NULL. If |acvp| is non NULL then |partyu|, 181 * |partyv|, |supp_pub| and |supp_priv| should all be NULL. 182 * |acvp_len| is the |acvp| length (in bytes). 183 * |partyu| is the optional public info contributed by the initiator. 184 * It can be NULL. (It is also used as the ukm by CMS). 185 * |partyu_len| is the |partyu| length (in bytes). 186 * |partyv| is the optional public info contributed by the responder. 187 * It can be NULL. 188 * |partyv_len| is the |partyv| length (in bytes). 189 * |supp_pub| is the optional additional, mutually-known public information. 190 * It can be NULL. |keylen| should be 0 if this is not NULL. 191 * |supp_pub_len| is the |supp_pub| length (in bytes). 192 * |supp_priv| is the optional additional, mutually-known private information. 193 * It can be NULL. 194 * |supp_priv_len| is the |supp_priv| length (in bytes). 195 * |der| is the returned encoded data. It must be freed by the caller. 196 * |der_len| is the returned size of the encoded data. 197 * |out_ctr| returns a pointer to the counter data which is embedded inside the 198 * encoded data. This allows the counter bytes to be updated without 199 * re-encoding. 200 * 201 * Returns: 1 if successfully encoded, or 0 otherwise. 202 * Assumptions: |der|, |der_len| & |out_ctr| are not NULL. 203 */ 204static int 205x942_encode_otherinfo(size_t keylen, 206 const unsigned char *cek_oid, size_t cek_oid_len, 207 const unsigned char *acvp, size_t acvp_len, 208 const unsigned char *partyu, size_t partyu_len, 209 const unsigned char *partyv, size_t partyv_len, 210 const unsigned char *supp_pub, size_t supp_pub_len, 211 const unsigned char *supp_priv, size_t supp_priv_len, 212 unsigned char **der, size_t *der_len, 213 unsigned char **out_ctr) 214{ 215 int ret = 0; 216 unsigned char *pcounter = NULL, *der_buf = NULL; 217 size_t der_buflen = 0; 218 WPACKET pkt; 219 uint32_t keylen_bits; 220 221 /* keylenbits must fit into 4 bytes */ 222 if (keylen > 0xFFFFFF) 223 return 0; 224 keylen_bits = (uint32_t)(8 * keylen); 225 226 /* Calculate the size of the buffer */ 227 if (!der_encode_sharedinfo(&pkt, NULL, 0, cek_oid, cek_oid_len, 228 acvp, acvp_len, 229 partyu, partyu_len, partyv, partyv_len, 230 supp_pub, supp_pub_len, supp_priv, supp_priv_len, 231 keylen_bits, NULL) 232 || !WPACKET_get_total_written(&pkt, &der_buflen)) 233 goto err; 234 WPACKET_cleanup(&pkt); 235 /* Alloc the buffer */ 236 der_buf = OPENSSL_zalloc(der_buflen); 237 if (der_buf == NULL) 238 goto err; 239 /* Encode into the buffer */ 240 if (!der_encode_sharedinfo(&pkt, der_buf, der_buflen, cek_oid, cek_oid_len, 241 acvp, acvp_len, 242 partyu, partyu_len, partyv, partyv_len, 243 supp_pub, supp_pub_len, supp_priv, supp_priv_len, 244 keylen_bits, &pcounter)) 245 goto err; 246 /* 247 * Since we allocated the exact size required, the buffer should point to the 248 * start of the allocated buffer at this point. 249 */ 250 if (WPACKET_get_curr(&pkt) != der_buf) 251 goto err; 252 253 /* 254 * The data for the DER encoded octet string of a 32 bit counter = 1 255 * should be 04 04 00 00 00 01 256 * So just check the header is correct and skip over it. 257 * This counter will be incremented in the kdf update loop. 258 */ 259 if (pcounter == NULL 260 || pcounter[0] != 0x04 261 || pcounter[1] != 0x04) 262 goto err; 263 *out_ctr = (pcounter + 2); 264 *der = der_buf; 265 *der_len = der_buflen; 266 ret = 1; 267err: 268 WPACKET_cleanup(&pkt); 269 return ret; 270} 271 272static int x942kdf_hash_kdm(const EVP_MD *kdf_md, 273 const unsigned char *z, size_t z_len, 274 const unsigned char *other, size_t other_len, 275 unsigned char *ctr, 276 unsigned char *derived_key, size_t derived_key_len) 277{ 278 int ret = 0, hlen; 279 size_t counter, out_len, len = derived_key_len; 280 unsigned char mac[EVP_MAX_MD_SIZE]; 281 unsigned char *out = derived_key; 282 EVP_MD_CTX *ctx = NULL, *ctx_init = NULL; 283 284 if (z_len > X942KDF_MAX_INLEN 285 || other_len > X942KDF_MAX_INLEN 286 || derived_key_len > X942KDF_MAX_INLEN 287 || derived_key_len == 0) { 288 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); 289 return 0; 290 } 291 292 hlen = EVP_MD_get_size(kdf_md); 293 if (hlen <= 0) 294 return 0; 295 out_len = (size_t)hlen; 296 297 ctx = EVP_MD_CTX_create(); 298 ctx_init = EVP_MD_CTX_create(); 299 if (ctx == NULL || ctx_init == NULL) 300 goto end; 301 302 if (!EVP_DigestInit(ctx_init, kdf_md)) 303 goto end; 304 305 for (counter = 1;; counter++) { 306 /* updating the ctr modifies 4 bytes in the 'other' buffer */ 307 ctr[0] = (unsigned char)((counter >> 24) & 0xff); 308 ctr[1] = (unsigned char)((counter >> 16) & 0xff); 309 ctr[2] = (unsigned char)((counter >> 8) & 0xff); 310 ctr[3] = (unsigned char)(counter & 0xff); 311 312 if (!EVP_MD_CTX_copy_ex(ctx, ctx_init) 313 || !EVP_DigestUpdate(ctx, z, z_len) 314 || !EVP_DigestUpdate(ctx, other, other_len)) 315 goto end; 316 if (len >= out_len) { 317 if (!EVP_DigestFinal_ex(ctx, out, NULL)) 318 goto end; 319 out += out_len; 320 len -= out_len; 321 if (len == 0) 322 break; 323 } else { 324 if (!EVP_DigestFinal_ex(ctx, mac, NULL)) 325 goto end; 326 memcpy(out, mac, len); 327 break; 328 } 329 } 330 ret = 1; 331end: 332 EVP_MD_CTX_free(ctx); 333 EVP_MD_CTX_free(ctx_init); 334 OPENSSL_cleanse(mac, sizeof(mac)); 335 return ret; 336} 337 338static void *x942kdf_new(void *provctx) 339{ 340 KDF_X942 *ctx; 341 342 if (!ossl_prov_is_running()) 343 return NULL; 344 345 ctx = OPENSSL_zalloc(sizeof(*ctx)); 346 if (ctx == NULL) 347 return NULL; 348 349 ctx->provctx = provctx; 350 OSSL_FIPS_IND_INIT(ctx) 351 ctx->use_keybits = 1; 352 return ctx; 353} 354 355static void x942kdf_reset(void *vctx) 356{ 357 KDF_X942 *ctx = (KDF_X942 *)vctx; 358 void *provctx = ctx->provctx; 359 360 ossl_prov_digest_reset(&ctx->digest); 361 OPENSSL_clear_free(ctx->secret, ctx->secret_len); 362 OPENSSL_clear_free(ctx->acvpinfo, ctx->acvpinfo_len); 363 OPENSSL_clear_free(ctx->partyuinfo, ctx->partyuinfo_len); 364 OPENSSL_clear_free(ctx->partyvinfo, ctx->partyvinfo_len); 365 OPENSSL_clear_free(ctx->supp_pubinfo, ctx->supp_pubinfo_len); 366 OPENSSL_clear_free(ctx->supp_privinfo, ctx->supp_privinfo_len); 367 memset(ctx, 0, sizeof(*ctx)); 368 ctx->provctx = provctx; 369 ctx->use_keybits = 1; 370} 371 372static void x942kdf_free(void *vctx) 373{ 374 KDF_X942 *ctx = (KDF_X942 *)vctx; 375 376 if (ctx != NULL) { 377 x942kdf_reset(ctx); 378 OPENSSL_free(ctx); 379 } 380} 381 382static void *x942kdf_dup(void *vctx) 383{ 384 const KDF_X942 *src = (const KDF_X942 *)vctx; 385 KDF_X942 *dest; 386 387 dest = x942kdf_new(src->provctx); 388 if (dest != NULL) { 389 if (!ossl_prov_memdup(src->secret, src->secret_len, 390 &dest->secret , &dest->secret_len) 391 || !ossl_prov_memdup(src->acvpinfo, src->acvpinfo_len, 392 &dest->acvpinfo , &dest->acvpinfo_len) 393 || !ossl_prov_memdup(src->partyuinfo, src->partyuinfo_len, 394 &dest->partyuinfo , &dest->partyuinfo_len) 395 || !ossl_prov_memdup(src->partyvinfo, src->partyvinfo_len, 396 &dest->partyvinfo , &dest->partyvinfo_len) 397 || !ossl_prov_memdup(src->supp_pubinfo, src->supp_pubinfo_len, 398 &dest->supp_pubinfo, 399 &dest->supp_pubinfo_len) 400 || !ossl_prov_memdup(src->supp_privinfo, src->supp_privinfo_len, 401 &dest->supp_privinfo, 402 &dest->supp_privinfo_len) 403 || !ossl_prov_digest_copy(&dest->digest, &src->digest)) 404 goto err; 405 dest->cek_oid = src->cek_oid; 406 dest->cek_oid_len = src->cek_oid_len; 407 dest->dkm_len = src->dkm_len; 408 dest->use_keybits = src->use_keybits; 409 OSSL_FIPS_IND_COPY(dest, src) 410 } 411 return dest; 412 413 err: 414 x942kdf_free(dest); 415 return NULL; 416} 417 418static int x942kdf_set_buffer(unsigned char **out, size_t *out_len, 419 const OSSL_PARAM *p) 420{ 421 if (p->data_size == 0 || p->data == NULL) 422 return 1; 423 424 OPENSSL_free(*out); 425 *out = NULL; 426 return OSSL_PARAM_get_octet_string(p, (void **)out, 0, out_len); 427} 428 429static size_t x942kdf_size(KDF_X942 *ctx) 430{ 431 int len; 432 const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); 433 434 if (md == NULL) { 435 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 436 return 0; 437 } 438 len = EVP_MD_get_size(md); 439 return (len <= 0) ? 0 : (size_t)len; 440} 441 442#ifdef FIPS_MODULE 443static int fips_x942kdf_key_check_passed(KDF_X942 *ctx) 444{ 445 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 446 int key_approved = ossl_kdf_check_key_size(ctx->secret_len); 447 448 if (!key_approved) { 449 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, 450 libctx, "X942KDF", "Key size", 451 ossl_fips_config_x942kdf_key_check)) { 452 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 453 return 0; 454 } 455 } 456 return 1; 457} 458#endif 459 460static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, 461 const OSSL_PARAM params[]) 462{ 463 KDF_X942 *ctx = (KDF_X942 *)vctx; 464 const EVP_MD *md; 465 int ret = 0; 466 unsigned char *ctr; 467 unsigned char *der = NULL; 468 size_t der_len = 0; 469 470 if (!ossl_prov_is_running() || !x942kdf_set_ctx_params(ctx, params)) 471 return 0; 472 473 /* 474 * These 2 options encode to the same field so only one of them should be 475 * active at once. 476 */ 477 if (ctx->use_keybits && ctx->supp_pubinfo != NULL) { 478 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PUBINFO); 479 return 0; 480 } 481 /* 482 * If the blob of acvp data is used then the individual info fields that it 483 * replaces should not also be defined. 484 */ 485 if (ctx->acvpinfo != NULL 486 && (ctx->partyuinfo != NULL 487 || ctx->partyvinfo != NULL 488 || ctx->supp_pubinfo != NULL 489 || ctx->supp_privinfo != NULL)) { 490 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA); 491 return 0; 492 } 493 if (ctx->secret == NULL) { 494 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); 495 return 0; 496 } 497 md = ossl_prov_digest_md(&ctx->digest); 498 if (md == NULL) { 499 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 500 return 0; 501 } 502 if (ctx->cek_oid == NULL || ctx->cek_oid_len == 0) { 503 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CEK_ALG); 504 return 0; 505 } 506 if (ctx->partyuinfo != NULL && ctx->partyuinfo_len >= X942KDF_MAX_INLEN) { 507 /* 508 * Note the ukm length MUST be 512 bits if it is used. 509 * For backwards compatibility the old check is being done. 510 */ 511 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_UKM_LENGTH); 512 return 0; 513 } 514 /* generate the otherinfo der */ 515 if (!x942_encode_otherinfo(ctx->use_keybits ? ctx->dkm_len : 0, 516 ctx->cek_oid, ctx->cek_oid_len, 517 ctx->acvpinfo, ctx->acvpinfo_len, 518 ctx->partyuinfo, ctx->partyuinfo_len, 519 ctx->partyvinfo, ctx->partyvinfo_len, 520 ctx->supp_pubinfo, ctx->supp_pubinfo_len, 521 ctx->supp_privinfo, ctx->supp_privinfo_len, 522 &der, &der_len, &ctr)) { 523 ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); 524 return 0; 525 } 526 ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, 527 der, der_len, ctr, key, keylen); 528 OPENSSL_free(der); 529 return ret; 530} 531 532{- produce_param_decoder('sshkdf_set_ctx_params', 533 (['KDF_PARAM_PROPERTIES', 'propq', 'utf8_string'], 534 ['ALG_PARAM_ENGINE', 'engine', 'utf8_string', 'hidden'], 535 ['KDF_PARAM_DIGEST', 'digest', 'utf8_string'], 536 ['KDF_PARAM_SECRET', 'secret', 'octet_string'], 537 ['KDF_PARAM_KEY', 'secret', 'octet_string'], 538 ['KDF_PARAM_UKM', 'uinfo', 'octet_string'], 539 ['KDF_PARAM_X942_ACVPINFO', 'acvp', 'octet_string'], 540 ['KDF_PARAM_X942_PARTYUINFO', 'uinfo', 'octet_string'], 541 ['KDF_PARAM_X942_PARTYVINFO', 'vinfo', 'octet_string'], 542 ['KDF_PARAM_X942_SUPP_PUBINFO', 'pub', 'octet_string'], 543 ['KDF_PARAM_X942_SUPP_PRIVINFO', 'priv', 'octet_string'], 544 ['KDF_PARAM_X942_USE_KEYBITS', 'kbits', 'int'], 545 ['KDF_PARAM_CEK_ALG', 'cekalg', 'utf8_string'], 546 ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int', 'fips'], 547 )); -} 548 549static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 550{ 551 struct sshkdf_set_ctx_params_st p; 552 KDF_X942 *ctx = vctx; 553 OSSL_LIB_CTX *provctx; 554 const char *cekalg, *propq = NULL; 555 const EVP_MD *md; 556 size_t id; 557 558 if (ctx == NULL || !sshkdf_set_ctx_params_decoder(params, &p)) 559 return 0; 560 561 provctx = PROV_LIBCTX_OF(ctx->provctx); 562 563 if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, p.ind_k)) 564 return 0; 565 566 if (p.digest != NULL) { 567 if (!ossl_prov_digest_load(&ctx->digest, p.digest, 568 p.propq, p.engine, provctx)) 569 return 0; 570 md = ossl_prov_digest_md(&ctx->digest); 571 if (EVP_MD_xof(md)) { 572 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 573 return 0; 574 } 575 } 576 577 if (p.secret != NULL) { 578 if (!x942kdf_set_buffer(&ctx->secret, &ctx->secret_len, p.secret)) 579 return 0; 580#ifdef FIPS_MODULE 581 if (!fips_x942kdf_key_check_passed(ctx)) 582 return 0; 583#endif 584 } 585 586 if (p.acvp != NULL 587 && !x942kdf_set_buffer(&ctx->acvpinfo, &ctx->acvpinfo_len, p.acvp)) 588 return 0; 589 590 if (p.uinfo != NULL 591 && !x942kdf_set_buffer(&ctx->partyuinfo, &ctx->partyuinfo_len, p.uinfo)) 592 return 0; 593 594 if (p.vinfo != NULL 595 && !x942kdf_set_buffer(&ctx->partyvinfo, &ctx->partyvinfo_len, p.vinfo)) 596 return 0; 597 598 if (p.kbits != NULL && !OSSL_PARAM_get_int(p.kbits, &ctx->use_keybits)) 599 return 0; 600 601 if (p.pub != NULL) { 602 if (!x942kdf_set_buffer(&ctx->supp_pubinfo, &ctx->supp_pubinfo_len, p.pub)) 603 return 0; 604 ctx->use_keybits = 0; 605 } 606 607 if (p.priv != NULL 608 && !x942kdf_set_buffer(&ctx->supp_privinfo, &ctx->supp_privinfo_len, p.priv)) 609 return 0; 610 611 if (p.cekalg != NULL) { 612 if (!OSSL_PARAM_get_utf8_string_ptr(p.cekalg, &cekalg)) 613 return 0; 614 if (p.propq != NULL && !OSSL_PARAM_get_utf8_string_ptr(p.propq, &propq)) 615 return 0; 616 if (find_alg_id(provctx, cekalg, propq, &id) == 0) 617 return 0; 618 ctx->cek_oid = kek_algs[id].oid; 619 ctx->cek_oid_len = kek_algs[id].oid_len; 620 ctx->dkm_len = kek_algs[id].keklen; 621 } 622 return 1; 623} 624 625static const OSSL_PARAM *x942kdf_settable_ctx_params(ossl_unused void *ctx, 626 ossl_unused void *provctx) 627{ 628 return sshkdf_set_ctx_params_list; 629} 630 631{- produce_param_decoder('sshkdf_get_ctx_params', 632 (['KDF_PARAM_SIZE', 'size', 'size_t'], 633 ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int', 'fips'], 634 )); -} 635 636static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) 637{ 638 KDF_X942 *ctx = (KDF_X942 *)vctx; 639 struct sshkdf_get_ctx_params_st p; 640 641 if (ctx == NULL || !sshkdf_get_ctx_params_decoder(params, &p)) 642 return 0; 643 644 if (p.size != NULL && !OSSL_PARAM_set_size_t(p.size, x942kdf_size(ctx))) 645 return 0; 646 647 if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(ctx, p.ind)) 648 return 0; 649 return 1; 650} 651 652static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, 653 ossl_unused void *provctx) 654{ 655 return sshkdf_get_ctx_params_list; 656} 657 658const OSSL_DISPATCH ossl_kdf_x942_kdf_functions[] = { 659 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x942kdf_new }, 660 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))x942kdf_dup }, 661 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))x942kdf_free }, 662 { OSSL_FUNC_KDF_RESET, (void(*)(void))x942kdf_reset }, 663 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x942kdf_derive }, 664 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 665 (void(*)(void))x942kdf_settable_ctx_params }, 666 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))x942kdf_set_ctx_params }, 667 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 668 (void(*)(void))x942kdf_gettable_ctx_params }, 669 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))x942kdf_get_ctx_params }, 670 OSSL_DISPATCH_END 671}; 672