/src/openssl32/providers/implementations/kdfs/sskdf.c

Source (jump to first uncovered line)
/*
 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
 * Section 4.1.
 *
 * The Single Step KDF algorithm is given by:
 *
 * Result(0) = empty bit string (i.e., the null string).
 * For i = 1 to reps, do the following:
 *   Increment counter by 1.
 *   Result(i) = Result(i - 1) || H(counter || Z || FixedInfo).
 * DKM = LeftmostBits(Result(reps), L))
 *
 * NOTES:
 *   Z is a shared secret required to produce the derived key material.
 *   counter is a 4 byte buffer.
 *   FixedInfo is a bit string containing context specific data.
 *   DKM is the output derived key material.
 *   L is the required size of the DKM.
 *   reps = [L / H_outputBits]
 *   H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
 *   H_outputBits is the length of the output of the auxiliary function H(x).
 *
 * Currently there is not a comprehensive list of test vectors for this
 * algorithm, especially for H(x) = HMAC and H(x) = KMAC.
 * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
 */
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/proverr.h>
#include "internal/cryptlib.h"
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
#include "internal/params.h"

typedef struct {
    void *provctx;
    EVP_MAC_CTX *macctx;         /* H(x) = HMAC_hash OR H(x) = KMAC */
    PROV_DIGEST digest;          /* H(x) = hash(x) */
    unsigned char *secret;
    size_t secret_len;
    unsigned char *info;
    size_t info_len;
    unsigned char *salt;
    size_t salt_len;
    size_t out_len; /* optional KMAC parameter */
    int is_kmac;
} KDF_SSKDF;

#define SSKDF_MAX_INLEN (1<<30)
#define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
#define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)

/* KMAC uses a Customisation string of 'KDF' */
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };

static OSSL_FUNC_kdf_newctx_fn sskdf_new;
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
static OSSL_FUNC_kdf_derive_fn sskdf_derive;
static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;

/*
 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
 * Section 4. One-Step Key Derivation using H(x) = hash(x)
 * Note: X9.63 also uses this code with the only difference being that the
 * counter is appended to the secret 'z'.
 * i.e.
 *   result[i] = Hash(counter || z || info) for One Step OR
 *   result[i] = Hash(z || counter || info) for X9.63.
 */
static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
                          const unsigned char *z, size_t z_len,
                          const unsigned char *info, size_t info_len,
                          unsigned int append_ctr,
                          unsigned char *derived_key, size_t derived_key_len)
{
    int ret = 0, hlen;
    size_t counter, out_len, len = derived_key_len;
    unsigned char c[4];
    unsigned char mac[EVP_MAX_MD_SIZE];
    unsigned char *out = derived_key;
    EVP_MD_CTX *ctx = NULL, *ctx_init = NULL;

    if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
            || derived_key_len > SSKDF_MAX_INLEN
            || derived_key_len == 0)
        return 0;

    hlen = EVP_MD_get_size(kdf_md);
    if (hlen <= 0)
        return 0;
    out_len = (size_t)hlen;

    ctx = EVP_MD_CTX_create();
    ctx_init = EVP_MD_CTX_create();
    if (ctx == NULL || ctx_init == NULL)
        goto end;

    if (!EVP_DigestInit(ctx_init, kdf_md))
        goto end;

    for (counter = 1;; counter++) {
        c[0] = (unsigned char)((counter >> 24) & 0xff);
        c[1] = (unsigned char)((counter >> 16) & 0xff);
        c[2] = (unsigned char)((counter >> 8) & 0xff);
        c[3] = (unsigned char)(counter & 0xff);

        if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
                && (append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
                && EVP_DigestUpdate(ctx, z, z_len)
                && (!append_ctr || EVP_DigestUpdate(ctx, c, sizeof(c)))
                && EVP_DigestUpdate(ctx, info, info_len)))
            goto end;
        if (len >= out_len) {
            if (!EVP_DigestFinal_ex(ctx, out, NULL))
                goto end;
            out += out_len;
            len -= out_len;
            if (len == 0)
                break;
        } else {
            if (!EVP_DigestFinal_ex(ctx, mac, NULL))
                goto end;
            memcpy(out, mac, len);
            break;
        }
    }
    ret = 1;
end:
    EVP_MD_CTX_destroy(ctx);
    EVP_MD_CTX_destroy(ctx_init);
    OPENSSL_cleanse(mac, sizeof(mac));
    return ret;
}

static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom,
                     size_t custom_len, size_t kmac_out_len,
                     size_t derived_key_len, unsigned char **out)
{
    OSSL_PARAM params[2];

    /* Only KMAC has custom data - so return if not KMAC */
    if (custom == NULL)
        return 1;

    params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
                                                  (void *)custom, custom_len);
    params[1] = OSSL_PARAM_construct_end();

    if (!EVP_MAC_CTX_set_params(ctx, params))
        return 0;

    /* By default only do one iteration if kmac_out_len is not specified */
    if (kmac_out_len == 0)
        kmac_out_len = derived_key_len;
    /* otherwise check the size is valid */
    else if (!(kmac_out_len == derived_key_len
            || kmac_out_len == 20
            || kmac_out_len == 28
            || kmac_out_len == 32
            || kmac_out_len == 48
            || kmac_out_len == 64))
        return 0;

    params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
                                            &kmac_out_len);

    if (EVP_MAC_CTX_set_params(ctx, params) <= 0)
        return 0;

    /*
     * For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
     * alloc a buffer for this case.
     */
    if (kmac_out_len > EVP_MAX_MD_SIZE) {
        *out = OPENSSL_zalloc(kmac_out_len);
        if (*out == NULL)
            return 0;
    }
    return 1;
}

/*
 * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
 * Section 4. One-Step Key Derivation using MAC: i.e either
 *     H(x) = HMAC-hash(salt, x) OR
 *     H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
 */
static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
                         const unsigned char *kmac_custom,
                         size_t kmac_custom_len, size_t kmac_out_len,
                         const unsigned char *salt, size_t salt_len,
                         const unsigned char *z, size_t z_len,
                         const unsigned char *info, size_t info_len,
                         unsigned char *derived_key, size_t derived_key_len)
{
    int ret = 0;
    size_t counter, out_len, len;
    unsigned char c[4];
    unsigned char mac_buf[EVP_MAX_MD_SIZE];
    unsigned char *out = derived_key;
    EVP_MAC_CTX *ctx = NULL;
    unsigned char *mac = mac_buf, *kmac_buffer = NULL;

    if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN
            || derived_key_len > SSKDF_MAX_INLEN
            || derived_key_len == 0)
        return 0;

    if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
                   derived_key_len, &kmac_buffer))
        goto end;
    if (kmac_buffer != NULL)
        mac = kmac_buffer;

    if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
        goto end;

    out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
    if (out_len <= 0 || (mac == mac_buf && out_len > sizeof(mac_buf)))
        goto end;
    len = derived_key_len;

    for (counter = 1;; counter++) {
        c[0] = (unsigned char)((counter >> 24) & 0xff);
        c[1] = (unsigned char)((counter >> 16) & 0xff);
        c[2] = (unsigned char)((counter >> 8) & 0xff);
        c[3] = (unsigned char)(counter & 0xff);

        ctx = EVP_MAC_CTX_dup(ctx_init);
        if (!(ctx != NULL
                && EVP_MAC_update(ctx, c, sizeof(c))
                && EVP_MAC_update(ctx, z, z_len)
                && EVP_MAC_update(ctx, info, info_len)))
            goto end;
        if (len >= out_len) {
            if (!EVP_MAC_final(ctx, out, NULL, len))
                goto end;
            out += out_len;
            len -= out_len;
            if (len == 0)
                break;
        } else {
            if (!EVP_MAC_final(ctx, mac, NULL, out_len))
                goto end;
            memcpy(out, mac, len);
            break;
        }
        EVP_MAC_CTX_free(ctx);
        ctx = NULL;
    }
    ret = 1;
end:
    if (kmac_buffer != NULL)
        OPENSSL_clear_free(kmac_buffer, kmac_out_len);
    else
        OPENSSL_cleanse(mac_buf, sizeof(mac_buf));

    EVP_MAC_CTX_free(ctx);
    return ret;
}

static void *sskdf_new(void *provctx)
{
    KDF_SSKDF *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL)
        ctx->provctx = provctx;
    return ctx;
}

static void sskdf_reset(void *vctx)
{
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
    void *provctx = ctx->provctx;

    EVP_MAC_CTX_free(ctx->macctx);
    ossl_prov_digest_reset(&ctx->digest);
    OPENSSL_clear_free(ctx->secret, ctx->secret_len);
    OPENSSL_clear_free(ctx->info, ctx->info_len);
    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
    memset(ctx, 0, sizeof(*ctx));
    ctx->provctx = provctx;
}

static void sskdf_free(void *vctx)
{
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;

    if (ctx != NULL) {
        sskdf_reset(ctx);
        OPENSSL_free(ctx);
    }
}

static void *sskdf_dup(void *vctx)
{
    const KDF_SSKDF *src = (const KDF_SSKDF *)vctx;
    KDF_SSKDF *dest;

    dest = sskdf_new(src->provctx);
    if (dest != NULL) {
        if (src->macctx != NULL) {
            dest->macctx = EVP_MAC_CTX_dup(src->macctx);
            if (dest->macctx == NULL)
                goto err;
        }
        if (!ossl_prov_memdup(src->info, src->info_len,
                              &dest->info, &dest->info_len)
                || !ossl_prov_memdup(src->salt, src->salt_len,
                                     &dest->salt , &dest->salt_len)
                || !ossl_prov_memdup(src->secret, src->secret_len,
                                     &dest->secret, &dest->secret_len)
                || !ossl_prov_digest_copy(&dest->digest, &src->digest))
            goto err;
        dest->out_len = src->out_len;
        dest->is_kmac = src->is_kmac;
    }
    return dest;

 err:
    sskdf_free(dest);
    return NULL;
}

static size_t sskdf_size(KDF_SSKDF *ctx)
{
    int len;
    const EVP_MD *md = NULL;

    if (ctx->is_kmac)
        return SIZE_MAX;

    md = ossl_prov_digest_md(&ctx->digest);
    if (md == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
        return 0;
    }
    len = EVP_MD_get_size(md);
    return (len <= 0) ? 0 : (size_t)len;
}

static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
                        const OSSL_PARAM params[])
{
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
    const EVP_MD *md;

    if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
        return 0;
    if (ctx->secret == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
        return 0;
    }
    md = ossl_prov_digest_md(&ctx->digest);

    if (ctx->macctx != NULL) {
        /* H(x) = KMAC or H(x) = HMAC */
        int ret;
        const unsigned char *custom = NULL;
        size_t custom_len = 0;
        int default_salt_len;
        EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);

        if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
            /* H(x) = HMAC(x, salt, hash) */
            if (md == NULL) {
                ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
                return 0;
            }
            default_salt_len = EVP_MD_get_size(md);
            if (default_salt_len <= 0)
                return 0;
        } else if (ctx->is_kmac) {
            /* H(x) = KMACzzz(x, salt, custom) */
            custom = kmac_custom_str;
            custom_len = sizeof(kmac_custom_str);
            if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128))
                default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
            else
                default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
        } else {
            ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
            return 0;
        }
        /* If no salt is set then use a default_salt of zeros */
        if (ctx->salt == NULL || ctx->salt_len <= 0) {
            ctx->salt = OPENSSL_zalloc(default_salt_len);
            if (ctx->salt == NULL)
                return 0;
            ctx->salt_len = default_salt_len;
        }
        ret = SSKDF_mac_kdm(ctx->macctx,
                            custom, custom_len, ctx->out_len,
                            ctx->salt, ctx->salt_len,
                            ctx->secret, ctx->secret_len,
                            ctx->info, ctx->info_len, key, keylen);
        return ret;
    } else {
        /* H(x) = hash */
        if (md == NULL) {
            ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
            return 0;
        }
        return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
                              ctx->info, ctx->info_len, 0, key, keylen);
    }
}

static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
                          const OSSL_PARAM params[])
{
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
    const EVP_MD *md;

    if (!ossl_prov_is_running() || !sskdf_set_ctx_params(ctx, params))
        return 0;

    if (ctx->secret == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
        return 0;
    }

    if (ctx->macctx != NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED);
        return 0;
    }

    /* H(x) = hash */
    md = ossl_prov_digest_md(&ctx->digest);
    if (md == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
        return 0;
    }

    return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
                          ctx->info, ctx->info_len, 1, key, keylen);
}

static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    const OSSL_PARAM *p;
    KDF_SSKDF *ctx = vctx;
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
    size_t sz;
    int r;

    if (params == NULL)
        return 1;

    if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
                                           NULL, NULL, NULL, libctx))
        return 0;
    if (ctx->macctx != NULL) {
         if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
                          OSSL_MAC_NAME_KMAC128)
             || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
                             OSSL_MAC_NAME_KMAC256)) {
             ctx->is_kmac = 1;
         }
    }

    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
        return 0;

    r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SECRET,
                                     &ctx->secret, &ctx->secret_len);
    if (r == -1)
        r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_KEY,
                                         &ctx->secret, &ctx->secret_len);
    if (r == 0)
        return 0;

    if (ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO,
                                            &ctx->info, &ctx->info_len, 0) == 0)
        return 0;

    if (ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SALT,
                                     &ctx->salt, &ctx->salt_len) == 0)
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE))
        != NULL) {
        if (!OSSL_PARAM_get_size_t(p, &sz) || sz == 0)
            return 0;
        ctx->out_len = sz;
    }
    return 1;
}

static const OSSL_PARAM *sskdf_settable_ctx_params(ossl_unused void *ctx,
                                                   ossl_unused void *provctx)
{
    static const OSSL_PARAM known_settable_ctx_params[] = {
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL),
        OSSL_PARAM_END
    };
    return known_settable_ctx_params;
}

static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
    OSSL_PARAM *p;

    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
        return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
    return -2;
}

static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
                                                   ossl_unused void *provctx)
{
    static const OSSL_PARAM known_gettable_ctx_params[] = {
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
        OSSL_PARAM_END
    };
    return known_gettable_ctx_params;
}

const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
    { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))sskdf_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))sskdf_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
    OSSL_DISPATCH_END
};

const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
    { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))sskdf_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))sskdf_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
    OSSL_DISPATCH_END
};

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3		* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
4		*
5		* Licensed under the Apache License 2.0 (the "License"). You may not use
6		* this file except in compliance with the License. You can obtain a copy
7		* in the file LICENSE in the source distribution or at
8		* https://www.openssl.org/source/license.html
9		*/
10
11		/*
12		* Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
13		* Section 4.1.
14		*
15		* The Single Step KDF algorithm is given by:
16		*
17		* Result(0) = empty bit string (i.e., the null string).
18		* For i = 1 to reps, do the following:
19		* Increment counter by 1.
20		* Result(i) = Result(i - 1) \|\| H(counter \|\| Z \|\| FixedInfo).
21		* DKM = LeftmostBits(Result(reps), L))
22		*
23		* NOTES:
24		* Z is a shared secret required to produce the derived key material.
25		* counter is a 4 byte buffer.
26		* FixedInfo is a bit string containing context specific data.
27		* DKM is the output derived key material.
28		* L is the required size of the DKM.
29		* reps = [L / H_outputBits]
30		* H(x) is the auxiliary function that can be either a hash, HMAC or KMAC.
31		* H_outputBits is the length of the output of the auxiliary function H(x).
32		*
33		* Currently there is not a comprehensive list of test vectors for this
34		* algorithm, especially for H(x) = HMAC and H(x) = KMAC.
35		* Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests.
36		*/
37		#include <stdlib.h>
38		#include <stdarg.h>
39		#include <string.h>
40		#include <openssl/hmac.h>
41		#include <openssl/evp.h>
42		#include <openssl/kdf.h>
43		#include <openssl/core_names.h>
44		#include <openssl/params.h>
45		#include <openssl/proverr.h>
46		#include "internal/cryptlib.h"
47		#include "internal/numbers.h"
48		#include "crypto/evp.h"
49		#include "prov/provider_ctx.h"
50		#include "prov/providercommon.h"
51		#include "prov/implementations.h"
52		#include "prov/provider_util.h"
53		#include "internal/params.h"
54
55		typedef struct {
56		void *provctx;
57		EVP_MAC_CTX macctx; / H(x) = HMAC_hash OR H(x) = KMAC */
58		PROV_DIGEST digest; /* H(x) = hash(x) */
59		unsigned char *secret;
60		size_t secret_len;
61		unsigned char *info;
62		size_t info_len;
63		unsigned char *salt;
64		size_t salt_len;
65		size_t out_len; /* optional KMAC parameter */
66		int is_kmac;
67		} KDF_SSKDF;
68
69	132	#define SSKDF_MAX_INLEN (1<<30)
70	7	#define SSKDF_KMAC128_DEFAULT_SALT_SIZE (168 - 4)
71	8	#define SSKDF_KMAC256_DEFAULT_SALT_SIZE (136 - 4)
72
73		/* KMAC uses a Customisation string of 'KDF' */
74		static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
75
76		static OSSL_FUNC_kdf_newctx_fn sskdf_new;
77		static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
78		static OSSL_FUNC_kdf_freectx_fn sskdf_free;
79		static OSSL_FUNC_kdf_reset_fn sskdf_reset;
80		static OSSL_FUNC_kdf_derive_fn sskdf_derive;
81		static OSSL_FUNC_kdf_derive_fn x963kdf_derive;
82		static OSSL_FUNC_kdf_settable_ctx_params_fn sskdf_settable_ctx_params;
83		static OSSL_FUNC_kdf_set_ctx_params_fn sskdf_set_ctx_params;
84		static OSSL_FUNC_kdf_gettable_ctx_params_fn sskdf_gettable_ctx_params;
85		static OSSL_FUNC_kdf_get_ctx_params_fn sskdf_get_ctx_params;
86
87		/*
88		* Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
89		* Section 4. One-Step Key Derivation using H(x) = hash(x)
90		* Note: X9.63 also uses this code with the only difference being that the
91		* counter is appended to the secret 'z'.
92		* i.e.
93		* result[i] = Hash(counter \|\| z \|\| info) for One Step OR
94		* result[i] = Hash(z \|\| counter \|\| info) for X9.63.
95		*/
96		static int SSKDF_hash_kdm(const EVP_MD *kdf_md,
97		const unsigned char *z, size_t z_len,
98		const unsigned char *info, size_t info_len,
99		unsigned int append_ctr,
100		unsigned char *derived_key, size_t derived_key_len)
101	0	{
102	0	int ret = 0, hlen;
103	0	size_t counter, out_len, len = derived_key_len;
104	0	unsigned char c[4];
105	0	unsigned char mac[EVP_MAX_MD_SIZE];
106	0	unsigned char *out = derived_key;
107	0	EVP_MD_CTX ctx = NULL, ctx_init = NULL;
108
109	0	if (z_len > SSKDF_MAX_INLEN \|\| info_len > SSKDF_MAX_INLEN
110	0	\|\| derived_key_len > SSKDF_MAX_INLEN
111	0	\|\| derived_key_len == 0)
112	0	return 0;
113
114	0	hlen = EVP_MD_get_size(kdf_md);
115	0	if (hlen <= 0)
116	0	return 0;
117	0	out_len = (size_t)hlen;
118
119	0	ctx = EVP_MD_CTX_create();
120	0	ctx_init = EVP_MD_CTX_create();
121	0	if (ctx == NULL \|\| ctx_init == NULL)
122	0	goto end;
123
124	0	if (!EVP_DigestInit(ctx_init, kdf_md))
125	0	goto end;
126
127	0	for (counter = 1;; counter++) {
128	0	c[0] = (unsigned char)((counter >> 24) & 0xff);
129	0	c[1] = (unsigned char)((counter >> 16) & 0xff);
130	0	c[2] = (unsigned char)((counter >> 8) & 0xff);
131	0	c[3] = (unsigned char)(counter & 0xff);
132
133	0	if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init)
134	0	&& (append_ctr \|\| EVP_DigestUpdate(ctx, c, sizeof(c)))
135	0	&& EVP_DigestUpdate(ctx, z, z_len)
136	0	&& (!append_ctr \|\| EVP_DigestUpdate(ctx, c, sizeof(c)))
137	0	&& EVP_DigestUpdate(ctx, info, info_len)))
138	0	goto end;
139	0	if (len >= out_len) {
140	0	if (!EVP_DigestFinal_ex(ctx, out, NULL))
141	0	goto end;
142	0	out += out_len;
143	0	len -= out_len;
144	0	if (len == 0)
145	0	break;
146	0	} else {
147	0	if (!EVP_DigestFinal_ex(ctx, mac, NULL))
148	0	goto end;
149	0	memcpy(out, mac, len);
150	0	break;
151	0	}
152	0	}
153	0	ret = 1;
154	0	end:
155	0	EVP_MD_CTX_destroy(ctx);
156	0	EVP_MD_CTX_destroy(ctx_init);
157	0	OPENSSL_cleanse(mac, sizeof(mac));
158	0	return ret;
159	0	}
160
161		static int kmac_init(EVP_MAC_CTX ctx, const unsigned char custom,
162		size_t custom_len, size_t kmac_out_len,
163		size_t derived_key_len, unsigned char **out)
164	22	{
165	22	OSSL_PARAM params[2];
166
167		/* Only KMAC has custom data - so return if not KMAC */
168	22	if (custom == NULL)
169	7	return 1;
170
171	15	params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM,
172	15	(void *)custom, custom_len);
173	15	params[1] = OSSL_PARAM_construct_end();
174
175	15	if (!EVP_MAC_CTX_set_params(ctx, params))
176	0	return 0;
177
178		/* By default only do one iteration if kmac_out_len is not specified */
179	15	if (kmac_out_len == 0)
180	0	kmac_out_len = derived_key_len;
181		/* otherwise check the size is valid */
182	15	else if (!(kmac_out_len == derived_key_len
183	15	\|\| kmac_out_len == 20
184	15	\|\| kmac_out_len == 28
185	15	\|\| kmac_out_len == 32
186	15	\|\| kmac_out_len == 48
187	15	\|\| kmac_out_len == 64))
188	9	return 0;
189
190	6	params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE,
191	6	&kmac_out_len);
192
193	6	if (EVP_MAC_CTX_set_params(ctx, params) <= 0)
194	0	return 0;
195
196		/*
197		* For kmac the output buffer can be larger than EVP_MAX_MD_SIZE: so
198		* alloc a buffer for this case.
199		*/
200	6	if (kmac_out_len > EVP_MAX_MD_SIZE) {
201	0	*out = OPENSSL_zalloc(kmac_out_len);
202	0	if (*out == NULL)
203	0	return 0;
204	0	}
205	6	return 1;
206	6	}
207
208		/*
209		* Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final
210		* Section 4. One-Step Key Derivation using MAC: i.e either
211		* H(x) = HMAC-hash(salt, x) OR
212		* H(x) = KMAC#(salt, x, outbits, CustomString='KDF')
213		*/
214		static int SSKDF_mac_kdm(EVP_MAC_CTX *ctx_init,
215		const unsigned char *kmac_custom,
216		size_t kmac_custom_len, size_t kmac_out_len,
217		const unsigned char *salt, size_t salt_len,
218		const unsigned char *z, size_t z_len,
219		const unsigned char *info, size_t info_len,
220		unsigned char *derived_key, size_t derived_key_len)
221	22	{
222	22	int ret = 0;
223	22	size_t counter, out_len, len;
224	22	unsigned char c[4];
225	22	unsigned char mac_buf[EVP_MAX_MD_SIZE];
226	22	unsigned char *out = derived_key;
227	22	EVP_MAC_CTX *ctx = NULL;
228	22	unsigned char mac = mac_buf, kmac_buffer = NULL;
229
230	22	if (z_len > SSKDF_MAX_INLEN \|\| info_len > SSKDF_MAX_INLEN
231	22	\|\| derived_key_len > SSKDF_MAX_INLEN
232	22	\|\| derived_key_len == 0)
233	0	return 0;
234
235	22	if (!kmac_init(ctx_init, kmac_custom, kmac_custom_len, kmac_out_len,
236	22	derived_key_len, &kmac_buffer))
237	9	goto end;
238	13	if (kmac_buffer != NULL)
239	0	mac = kmac_buffer;
240
241	13	if (!EVP_MAC_init(ctx_init, salt, salt_len, NULL))
242	1	goto end;
243
244	12	out_len = EVP_MAC_CTX_get_mac_size(ctx_init); /* output size */
245	12	if (out_len <= 0 \|\| (mac == mac_buf && out_len > sizeof(mac_buf)))
246	0	goto end;
247	12	len = derived_key_len;
248
249	20	for (counter = 1;; counter++) {
250	20	c[0] = (unsigned char)((counter >> 24) & 0xff);
251	20	c[1] = (unsigned char)((counter >> 16) & 0xff);
252	20	c[2] = (unsigned char)((counter >> 8) & 0xff);
253	20	c[3] = (unsigned char)(counter & 0xff);
254
255	20	ctx = EVP_MAC_CTX_dup(ctx_init);
256	20	if (!(ctx != NULL
257	20	&& EVP_MAC_update(ctx, c, sizeof(c))
258	20	&& EVP_MAC_update(ctx, z, z_len)
259	20	&& EVP_MAC_update(ctx, info, info_len)))
260	0	goto end;
261	20	if (len >= out_len) {
262	9	if (!EVP_MAC_final(ctx, out, NULL, len))
263	0	goto end;
264	9	out += out_len;
265	9	len -= out_len;
266	9	if (len == 0)
267	1	break;
268	11	} else {
269	11	if (!EVP_MAC_final(ctx, mac, NULL, out_len))
270	0	goto end;
271	11	memcpy(out, mac, len);
272	11	break;
273	11	}
274	8	EVP_MAC_CTX_free(ctx);
275	8	ctx = NULL;
276	8	}
277	12	ret = 1;
278	22	end:
279	22	if (kmac_buffer != NULL)
280	0	OPENSSL_clear_free(kmac_buffer, kmac_out_len);
281	22	else
282	22	OPENSSL_cleanse(mac_buf, sizeof(mac_buf));
283
284	22	EVP_MAC_CTX_free(ctx);
285	22	return ret;
286	12	}
287
288		static void sskdf_new(void provctx)
289	46	{
290	46	KDF_SSKDF *ctx;
291
292	46	if (!ossl_prov_is_running())
293	0	return NULL;
294
295	46	if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL)
296	46	ctx->provctx = provctx;
297	46	return ctx;
298	46	}
299
300		static void sskdf_reset(void *vctx)
301	46	{
302	46	KDF_SSKDF ctx = (KDF_SSKDF )vctx;
303	46	void *provctx = ctx->provctx;
304
305	46	EVP_MAC_CTX_free(ctx->macctx);
306	46	ossl_prov_digest_reset(&ctx->digest);
307	46	OPENSSL_clear_free(ctx->secret, ctx->secret_len);
308	46	OPENSSL_clear_free(ctx->info, ctx->info_len);
309	46	OPENSSL_clear_free(ctx->salt, ctx->salt_len);
310	46	memset(ctx, 0, sizeof(*ctx));
311	46	ctx->provctx = provctx;
312	46	}
313
314		static void sskdf_free(void *vctx)
315	46	{
316	46	KDF_SSKDF ctx = (KDF_SSKDF )vctx;
317
318	46	if (ctx != NULL) {
319	46	sskdf_reset(ctx);
320	46	OPENSSL_free(ctx);
321	46	}
322	46	}
323
324		static void sskdf_dup(void vctx)
325	0	{
326	0	const KDF_SSKDF src = (const KDF_SSKDF )vctx;
327	0	KDF_SSKDF *dest;
328
329	0	dest = sskdf_new(src->provctx);
330	0	if (dest != NULL) {
331	0	if (src->macctx != NULL) {
332	0	dest->macctx = EVP_MAC_CTX_dup(src->macctx);
333	0	if (dest->macctx == NULL)
334	0	goto err;
335	0	}
336	0	if (!ossl_prov_memdup(src->info, src->info_len,
337	0	&dest->info, &dest->info_len)
338	0	\|\| !ossl_prov_memdup(src->salt, src->salt_len,
339	0	&dest->salt , &dest->salt_len)
340	0	\|\| !ossl_prov_memdup(src->secret, src->secret_len,
341	0	&dest->secret, &dest->secret_len)
342	0	\|\| !ossl_prov_digest_copy(&dest->digest, &src->digest))
343	0	goto err;
344	0	dest->out_len = src->out_len;
345	0	dest->is_kmac = src->is_kmac;
346	0	}
347	0	return dest;
348
349	0	err:
350	0	sskdf_free(dest);
351	0	return NULL;
352	0	}
353
354		static size_t sskdf_size(KDF_SSKDF *ctx)
355	0	{
356	0	int len;
357	0	const EVP_MD *md = NULL;
358
359	0	if (ctx->is_kmac)
360	0	return SIZE_MAX;
361
362	0	md = ossl_prov_digest_md(&ctx->digest);
363	0	if (md == NULL) {
364	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
365	0	return 0;
366	0	}
367	0	len = EVP_MD_get_size(md);
368	0	return (len <= 0) ? 0 : (size_t)len;
369	0	}
370
371		static int sskdf_derive(void vctx, unsigned char key, size_t keylen,
372		const OSSL_PARAM params[])
373	25	{
374	25	KDF_SSKDF ctx = (KDF_SSKDF )vctx;
375	25	const EVP_MD *md;
376
377	25	if (!ossl_prov_is_running() \|\| !sskdf_set_ctx_params(ctx, params))
378	0	return 0;
379	25	if (ctx->secret == NULL) {
380	1	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
381	1	return 0;
382	1	}
383	24	md = ossl_prov_digest_md(&ctx->digest);
384
385	24	if (ctx->macctx != NULL) {
386		/* H(x) = KMAC or H(x) = HMAC */
387	24	int ret;
388	24	const unsigned char *custom = NULL;
389	24	size_t custom_len = 0;
390	24	int default_salt_len;
391	24	EVP_MAC *mac = EVP_MAC_CTX_get0_mac(ctx->macctx);
392
393	24	if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_HMAC)) {
394		/* H(x) = HMAC(x, salt, hash) */
395	8	if (md == NULL) {
396	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
397	0	return 0;
398	0	}
399	8	default_salt_len = EVP_MD_get_size(md);
400	8	if (default_salt_len <= 0)
401	1	return 0;
402	16	} else if (ctx->is_kmac) {
403		/* H(x) = KMACzzz(x, salt, custom) */
404	15	custom = kmac_custom_str;
405	15	custom_len = sizeof(kmac_custom_str);
406	15	if (EVP_MAC_is_a(mac, OSSL_MAC_NAME_KMAC128))
407	7	default_salt_len = SSKDF_KMAC128_DEFAULT_SALT_SIZE;
408	8	else
409	8	default_salt_len = SSKDF_KMAC256_DEFAULT_SALT_SIZE;
410	15	} else {
411	1	ERR_raise(ERR_LIB_PROV, PROV_R_UNSUPPORTED_MAC_TYPE);
412	1	return 0;
413	1	}
414		/* If no salt is set then use a default_salt of zeros */
415	22	if (ctx->salt == NULL \|\| ctx->salt_len <= 0) {
416	15	ctx->salt = OPENSSL_zalloc(default_salt_len);
417	15	if (ctx->salt == NULL)
418	0	return 0;
419	15	ctx->salt_len = default_salt_len;
420	15	}
421	22	ret = SSKDF_mac_kdm(ctx->macctx,
422	22	custom, custom_len, ctx->out_len,
423	22	ctx->salt, ctx->salt_len,
424	22	ctx->secret, ctx->secret_len,
425	22	ctx->info, ctx->info_len, key, keylen);
426	22	return ret;
427	22	} else {
428		/* H(x) = hash */
429	0	if (md == NULL) {
430	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
431	0	return 0;
432	0	}
433	0	return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
434	0	ctx->info, ctx->info_len, 0, key, keylen);
435	0	}
436	24	}
437
438		static int x963kdf_derive(void vctx, unsigned char key, size_t keylen,
439		const OSSL_PARAM params[])
440	2	{
441	2	KDF_SSKDF ctx = (KDF_SSKDF )vctx;
442	2	const EVP_MD *md;
443
444	2	if (!ossl_prov_is_running() \|\| !sskdf_set_ctx_params(ctx, params))
445	0	return 0;
446
447	2	if (ctx->secret == NULL) {
448	1	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
449	1	return 0;
450	1	}
451
452	1	if (ctx->macctx != NULL) {
453	1	ERR_raise(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED);
454	1	return 0;
455	1	}
456
457		/* H(x) = hash */
458	0	md = ossl_prov_digest_md(&ctx->digest);
459	0	if (md == NULL) {
460	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
461	0	return 0;
462	0	}
463
464	0	return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
465	0	ctx->info, ctx->info_len, 1, key, keylen);
466	0	}
467
468		static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
469	0	{
470	0	const OSSL_PARAM *p;
471	0	KDF_SSKDF *ctx = vctx;
472	0	OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
473	0	size_t sz;
474	0	int r;
475
476	0	if (params == NULL)
477	0	return 1;
478
479	0	if (!ossl_prov_macctx_load_from_params(&ctx->macctx, params,
480	0	NULL, NULL, NULL, libctx))
481	0	return 0;
482	0	if (ctx->macctx != NULL) {
483	0	if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
484	0	OSSL_MAC_NAME_KMAC128)
485	0	\|\| EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx),
486	0	OSSL_MAC_NAME_KMAC256)) {
487	0	ctx->is_kmac = 1;
488	0	}
489	0	}
490
491	0	if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
492	0	return 0;
493
494	0	r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SECRET,
495	0	&ctx->secret, &ctx->secret_len);
496	0	if (r == -1)
497	0	r = ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_KEY,
498	0	&ctx->secret, &ctx->secret_len);
499	0	if (r == 0)
500	0	return 0;
501
502	0	if (ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO,
503	0	&ctx->info, &ctx->info_len, 0) == 0)
504	0	return 0;
505
506	0	if (ossl_param_get1_octet_string(params, OSSL_KDF_PARAM_SALT,
507	0	&ctx->salt, &ctx->salt_len) == 0)
508	0	return 0;
509
510	0	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MAC_SIZE))
511	0	!= NULL) {
512	0	if (!OSSL_PARAM_get_size_t(p, &sz) \|\| sz == 0)
513	0	return 0;
514	0	ctx->out_len = sz;
515	0	}
516	0	return 1;
517	0	}
518
519		static const OSSL_PARAM sskdf_settable_ctx_params(ossl_unused void ctx,
520		ossl_unused void *provctx)
521	36	{
522	36	static const OSSL_PARAM known_settable_ctx_params[] = {
523	36	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
524	36	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
525	36	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
526	36	OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
527	36	OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
528	36	OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MAC, NULL, 0),
529	36	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
530	36	OSSL_PARAM_size_t(OSSL_KDF_PARAM_MAC_SIZE, NULL),
531	36	OSSL_PARAM_END
532	36	};
533	36	return known_settable_ctx_params;
534	36	}
535
536		static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
537	0	{
538	0	KDF_SSKDF ctx = (KDF_SSKDF )vctx;
539	0	OSSL_PARAM *p;
540
541	0	if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
542	0	return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
543	0	return -2;
544	0	}
545
546		static const OSSL_PARAM sskdf_gettable_ctx_params(ossl_unused void ctx,
547		ossl_unused void *provctx)
548	0	{
549	0	static const OSSL_PARAM known_gettable_ctx_params[] = {
550	0	OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
551	0	OSSL_PARAM_END
552	0	};
553	0	return known_gettable_ctx_params;
554	0	}
555
556		const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
557		{ OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
558		{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
559		{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
560		{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
561		{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive },
562		{ OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
563		(void(*)(void))sskdf_settable_ctx_params },
564		{ OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
565		{ OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
566		(void(*)(void))sskdf_gettable_ctx_params },
567		{ OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
568		OSSL_DISPATCH_END
569		};
570
571		const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
572		{ OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
573		{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
574		{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
575		{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
576		{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
577		{ OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
578		(void(*)(void))sskdf_settable_ctx_params },
579		{ OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))sskdf_set_ctx_params },
580		{ OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
581		(void(*)(void))sskdf_gettable_ctx_params },
582		{ OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))sskdf_get_ctx_params },
583		OSSL_DISPATCH_END
584		};