2019-09-11 05:46:44 +08:00
|
|
|
=pod
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
EVP_KDF-KB - The Key-Based EVP_KDF implementation
|
|
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
The EVP_KDF-KB algorithm implements the Key-Based key derivation function
|
|
|
|
|
(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an
|
|
|
|
|
input secret (and other optional values).
|
|
|
|
|
|
2024-10-05 06:41:44 +08:00
|
|
|
The output is considered to be keying material.
|
|
|
|
|
|
2019-09-11 05:46:44 +08:00
|
|
|
=head2 Identity
|
|
|
|
|
|
|
|
|
|
"KBKDF" is the name for this implementation; it can be used with the
|
|
|
|
|
EVP_KDF_fetch() function.
|
|
|
|
|
|
|
|
|
|
=head2 Supported parameters
|
|
|
|
|
|
|
|
|
|
The supported parameters are:
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string>
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2020-10-28 13:33:05 +08:00
|
|
|
The mode parameter determines which flavor of KBKDF to use - currently the
|
|
|
|
|
choices are "counter" and "feedback". "counter" is the default, and will be
|
|
|
|
|
used if unspecified.
|
|
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
=item "mac" (B<OSSL_KDF_PARAM_MAC>) <UTF8 string>
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2022-12-15 16:57:09 +08:00
|
|
|
The value is either CMAC, HMAC, KMAC128 or KMAC256.
|
2020-10-28 13:33:05 +08:00
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2020-10-28 13:33:05 +08:00
|
|
|
=item "cipher" (B<OSSL_KDF_PARAM_CIPHER>) <UTF8 string>
|
|
|
|
|
|
|
|
|
|
=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>
|
|
|
|
|
|
|
|
|
|
=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
|
|
|
|
|
|
|
|
|
|
=item "info (B<OSSL_KDF_PARAM_INFO>) <octet string>
|
|
|
|
|
|
|
|
|
|
=item "seed" (B<OSSL_KDF_PARAM_SEED>) <octet string>
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2020-10-28 13:33:05 +08:00
|
|
|
The seed parameter is unused in counter mode.
|
|
|
|
|
|
2021-05-06 19:28:13 +08:00
|
|
|
=item "use-l" (B<OSSL_KDF_PARAM_KBKDF_USE_L>) <integer>
|
2020-10-28 13:33:05 +08:00
|
|
|
|
|
|
|
|
Set to B<0> to disable use of the optional Fixed Input data 'L' (see SP800-108).
|
|
|
|
|
The default value of B<1> will be used if unspecified.
|
|
|
|
|
|
2021-05-06 19:28:13 +08:00
|
|
|
=item "use-separator" (B<OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR>) <integer>
|
2020-10-28 13:33:05 +08:00
|
|
|
|
|
|
|
|
Set to B<0> to disable use of the optional Fixed Input data 'zero separator'
|
|
|
|
|
(see SP800-108) that is placed between the Label and Context.
|
|
|
|
|
The default value of B<1> will be used if unspecified.
|
|
|
|
|
|
2021-11-18 17:47:14 +08:00
|
|
|
=item "r" (B<OSSL_KDF_PARAM_KBKDF_R>) <integer>
|
|
|
|
|
|
|
|
|
|
Set the fixed value 'r', indicating the length of the counter in bits.
|
|
|
|
|
|
|
|
|
|
Supported values are B<8>, B<16>, B<24>, and B<32>.
|
|
|
|
|
The default value of B<32> will be used if unspecified.
|
|
|
|
|
|
2024-08-15 14:20:26 +08:00
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
The OpenSSL FIPS provider also supports the following parameters:
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
2024-08-05 13:52:07 +08:00
|
|
|
=item "fips-indicator" (B<OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
|
|
|
|
|
|
|
|
|
|
A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
|
2024-08-15 14:20:26 +08:00
|
|
|
This may be used after calling EVP_KDF_derive. It returns 0 if "key-check"
|
|
|
|
|
is set to 0 and the check fails.
|
2024-08-05 13:52:07 +08:00
|
|
|
|
|
|
|
|
=item "key-check" (B<OSSL_KDF_PARAM_FIPS_KEY_CHECK>) <integer>
|
|
|
|
|
|
|
|
|
|
The default value of 1 causes an error during EVP_KDF_CTX_set_params() if the
|
|
|
|
|
length of used key-derivation key (B<OSSL_KDF_PARAM_KEY>) is shorter than 112
|
|
|
|
|
bits.
|
|
|
|
|
Setting this to zero will ignore the error and set the approved
|
|
|
|
|
"fips-indicator" to 0.
|
2024-08-15 14:20:26 +08:00
|
|
|
This option breaks FIPS compliance if it causes the approved "fips-indicator"
|
|
|
|
|
to return 0.
|
2024-08-05 13:52:07 +08:00
|
|
|
|
2019-09-11 05:46:44 +08:00
|
|
|
=back
|
|
|
|
|
|
2020-10-28 13:33:05 +08:00
|
|
|
Depending on whether mac is CMAC or HMAC, either digest or cipher is required
|
2022-12-15 16:57:09 +08:00
|
|
|
(respectively) and the other is unused. They are unused for KMAC128 and KMAC256.
|
2019-10-17 10:45:03 +08:00
|
|
|
|
|
|
|
|
The parameters key, salt, info, and seed correspond to KI, Label, Context, and
|
|
|
|
|
IV (respectively) in SP800-108. As in that document, salt, info, and seed are
|
|
|
|
|
optional and may be omitted.
|
|
|
|
|
|
2020-10-28 13:33:05 +08:00
|
|
|
"mac", "digest", cipher" and "properties" are described in
|
|
|
|
|
L<EVP_KDF(3)/PARAMETERS>.
|
2019-09-11 05:46:44 +08:00
|
|
|
|
|
|
|
|
=head1 NOTES
|
|
|
|
|
|
|
|
|
|
A context for KBKDF can be obtained by calling:
|
|
|
|
|
|
|
|
|
|
EVP_KDF *kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
|
2020-06-18 16:30:48 +08:00
|
|
|
EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
|
2019-09-11 05:46:44 +08:00
|
|
|
|
|
|
|
|
The output length of an KBKDF is specified via the C<keylen>
|
|
|
|
|
parameter to the L<EVP_KDF_derive(3)> function.
|
|
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
Note that currently OpenSSL only implements counter and feedback modes. Other
|
2019-09-11 05:46:44 +08:00
|
|
|
variants may be supported in the future.
|
|
|
|
|
|
|
|
|
|
=head1 EXAMPLES
|
|
|
|
|
|
|
|
|
|
This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret",
|
|
|
|
|
Label "label", and Context "context".
|
|
|
|
|
|
|
|
|
|
EVP_KDF *kdf;
|
|
|
|
|
EVP_KDF_CTX *kctx;
|
|
|
|
|
unsigned char out[10];
|
|
|
|
|
OSSL_PARAM params[6], *p = params;
|
|
|
|
|
|
|
|
|
|
kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
|
2020-06-18 16:30:48 +08:00
|
|
|
kctx = EVP_KDF_CTX_new(kdf);
|
2019-09-11 05:46:44 +08:00
|
|
|
EVP_KDF_free(kdf);
|
|
|
|
|
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
2019-10-04 19:46:33 +08:00
|
|
|
"SHA2-256", 0);
|
2019-09-11 05:46:44 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
|
|
|
|
|
"HMAC", 0);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
|
2021-03-07 07:08:08 +08:00
|
|
|
"secret", strlen("secret"));
|
2019-09-11 05:46:44 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
|
|
|
|
|
"label", strlen("label"));
|
2019-11-12 23:59:23 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
|
|
|
|
|
"context", strlen("context"));
|
2019-09-11 05:46:44 +08:00
|
|
|
*p = OSSL_PARAM_construct_end();
|
2021-02-26 08:09:49 +08:00
|
|
|
if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0)
|
2019-09-11 05:46:44 +08:00
|
|
|
error("EVP_KDF_derive");
|
|
|
|
|
|
2020-06-18 16:30:48 +08:00
|
|
|
EVP_KDF_CTX_free(kctx);
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret",
|
|
|
|
|
Label "label", and IV "sixteen bytes iv".
|
|
|
|
|
|
|
|
|
|
EVP_KDF *kdf;
|
|
|
|
|
EVP_KDF_CTX *kctx;
|
|
|
|
|
unsigned char out[10];
|
|
|
|
|
OSSL_PARAM params[8], *p = params;
|
|
|
|
|
unsigned char *iv = "sixteen bytes iv";
|
|
|
|
|
|
|
|
|
|
kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
|
2020-06-18 16:30:48 +08:00
|
|
|
kctx = EVP_KDF_CTX_new(kdf);
|
2019-10-17 10:45:03 +08:00
|
|
|
EVP_KDF_free(kdf);
|
|
|
|
|
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER, "AES256", 0);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, "CMAC", 0);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, "FEEDBACK", 0);
|
|
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
|
|
|
|
|
"secret", strlen("secret"));
|
|
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
|
|
|
|
|
"label", strlen("label"));
|
2019-11-12 23:59:23 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
|
|
|
|
|
"context", strlen("context"));
|
2019-10-17 10:45:03 +08:00
|
|
|
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
|
|
|
|
|
iv, strlen(iv));
|
|
|
|
|
*p = OSSL_PARAM_construct_end();
|
2021-03-15 06:23:01 +08:00
|
|
|
if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0)
|
2019-10-17 10:45:03 +08:00
|
|
|
error("EVP_KDF_derive");
|
|
|
|
|
|
2020-06-18 16:30:48 +08:00
|
|
|
EVP_KDF_CTX_free(kctx);
|
2019-10-17 10:45:03 +08:00
|
|
|
|
2019-09-11 05:46:44 +08:00
|
|
|
=head1 CONFORMING TO
|
|
|
|
|
|
2019-10-17 10:45:03 +08:00
|
|
|
NIST SP800-108, IETF RFC 6803, IETF RFC 8009.
|
2019-09-11 05:46:44 +08:00
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
|
|
|
|
L<EVP_KDF(3)>,
|
2020-06-18 16:30:48 +08:00
|
|
|
L<EVP_KDF_CTX_free(3)>,
|
2020-10-13 12:30:12 +08:00
|
|
|
L<EVP_KDF_CTX_get_kdf_size(3)>,
|
2019-09-11 05:46:44 +08:00
|
|
|
L<EVP_KDF_derive(3)>,
|
|
|
|
|
L<EVP_KDF(3)/PARAMETERS>
|
|
|
|
|
|
|
|
|
|
=head1 HISTORY
|
|
|
|
|
|
2022-11-17 05:26:06 +08:00
|
|
|
This functionality was added in OpenSSL 3.0.
|
2019-09-11 05:46:44 +08:00
|
|
|
|
2022-12-15 16:57:09 +08:00
|
|
|
Support for KMAC was added in OpenSSL 3.1.
|
|
|
|
|
|
2019-09-11 05:46:44 +08:00
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
|
2024-09-05 15:35:49 +08:00
|
|
|
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
|
2019-09-11 05:46:44 +08:00
|
|
|
Copyright 2019 Red Hat, Inc.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
|
|
|
this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
in the file LICENSE in the source distribution or at
|
|
|
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
|
|
=cut
|
