Add HKDF algorithms with fixed digests.

Add HKDF-SHA256, HKDF-SHA384 and HKDF-SHA512 which are versions
of HKDF that have the digest pre-set. The digest cannot be changed
for contexts of these types.

RFC 8619 defines algorithm identifiers for these combinations.
These algorithm identifiers will be used in future features, e.g.
KEMRecipientInfo.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from openssl#27247)

Author: danvangeest

CHANGES.md

@@ -112,6 +112,11 @@ OpenSSL 3.6
 
    *Dimitri John Ledkov*
 
+ * HKDF with (SHA-256,SHA-384,SHA-512) has assigned OIDs. Added ability to load
+   HKDF configured with these explicit digests by name or OID.
+
+   *Daniel Van Geest (CryptoNext Security)*
+
 OpenSSL 3.5
 -----------
 

crypto/objects/obj_dat.h

@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[9517] = {
+static const unsigned char so[9550] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -1348,9 +1348,12 @@ static const unsigned char so[9517] = {
     0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x2C,  /* [ 9489] OBJ_SLH_DSA_SHAKE_192f_WITH_SHAKE256 */
     0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x2D,  /* [ 9498] OBJ_SLH_DSA_SHAKE_256s_WITH_SHAKE256 */
     0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x2E,  /* [ 9507] OBJ_SLH_DSA_SHAKE_256f_WITH_SHAKE256 */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1C,  /* [ 9516] OBJ_HKDF_SHA256 */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1D,  /* [ 9527] OBJ_HKDF_SHA384 */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1E,  /* [ 9538] OBJ_HKDF_SHA512 */
 };
 
-#define NUM_NID 1496
+#define NUM_NID 1499
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2848,9 +2851,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"AES-128-CBC-HMAC-SHA512-ETM", "aes-128-cbc-hmac-sha512-etm", NID_aes_128_cbc_hmac_sha512_etm},
     {"AES-192-CBC-HMAC-SHA512-ETM", "aes-192-cbc-hmac-sha512-etm", NID_aes_192_cbc_hmac_sha512_etm},
     {"AES-256-CBC-HMAC-SHA512-ETM", "aes-256-cbc-hmac-sha512-etm", NID_aes_256_cbc_hmac_sha512_etm},
+    {"id-alg-hkdf-with-sha256", "HKDF-SHA256", NID_HKDF_SHA256, 11, &so[9516]},
+    {"id-alg-hkdf-with-sha384", "HKDF-SHA384", NID_HKDF_SHA384, 11, &so[9527]},
+    {"id-alg-hkdf-with-sha512", "HKDF-SHA512", NID_HKDF_SHA512, 11, &so[9538]},
 };
 
-#define NUM_SN 1487
+#define NUM_SN 1490
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -3480,6 +3486,9 @@ static const unsigned int sn_objs[NUM_SN] = {
      323,    /* "id-alg-des40" */
      326,    /* "id-alg-dh-pop" */
      325,    /* "id-alg-dh-sig-hmac-sha1" */
+    1496,    /* "id-alg-hkdf-with-sha256" */
+    1497,    /* "id-alg-hkdf-with-sha384" */
+    1498,    /* "id-alg-hkdf-with-sha512" */
     1456,    /* "id-alg-ml-kem-1024" */
     1454,    /* "id-alg-ml-kem-512" */
     1455,    /* "id-alg-ml-kem-768" */
@@ -4341,7 +4350,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1289,    /* "zstd" */
 };
 
-#define NUM_LN 1487
+#define NUM_LN 1490
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -4468,6 +4477,9 @@ static const unsigned int ln_objs[NUM_LN] = {
     1472,    /* "HASH-ML-DSA-44-WITH-SHA512" */
     1473,    /* "HASH-ML-DSA-65-WITH-SHA512" */
     1474,    /* "HASH-ML-DSA-87-WITH-SHA512" */
+    1496,    /* "HKDF-SHA256" */
+    1497,    /* "HKDF-SHA384" */
+    1498,    /* "HKDF-SHA512" */
     1156,    /* "HMAC DSTU Gost 34311-95" */
      988,    /* "HMAC GOST 34.11-2012 256 bit" */
      989,    /* "HMAC GOST 34.11-2012 512 bit" */
@@ -5832,7 +5844,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      125,    /* "zlib compression" */
 };
 
-#define NUM_OBJ 1344
+#define NUM_OBJ 1347
 static const unsigned int obj_objs[NUM_OBJ] = {
        0,    /* OBJ_undef                        0 */
      181,    /* OBJ_iso                          1 */
@@ -7145,6 +7157,9 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      247,    /* OBJ_id_smime_alg_CMSRC2wrap      1 2 840 113549 1 9 16 3 7 */
      125,    /* OBJ_zlib_compression             1 2 840 113549 1 9 16 3 8 */
      893,    /* OBJ_id_alg_PWRI_KEK              1 2 840 113549 1 9 16 3 9 */
+    1496,    /* OBJ_HKDF_SHA256                  1 2 840 113549 1 9 16 3 28 */
+    1497,    /* OBJ_HKDF_SHA384                  1 2 840 113549 1 9 16 3 29 */
+    1498,    /* OBJ_HKDF_SHA512                  1 2 840 113549 1 9 16 3 30 */
      248,    /* OBJ_id_smime_cd_ldap             1 2 840 113549 1 9 16 4 1 */
      249,    /* OBJ_id_smime_spq_ets_sqt_uri     1 2 840 113549 1 9 16 5 1 */
      250,    /* OBJ_id_smime_spq_ets_sqt_unotice 1 2 840 113549 1 9 16 5 2 */

crypto/objects/obj_mac.num

@@ -1493,3 +1493,6 @@ aes_256_cbc_hmac_sha256_etm		1492
 aes_128_cbc_hmac_sha512_etm		1493
 aes_192_cbc_hmac_sha512_etm		1494
 aes_256_cbc_hmac_sha512_etm		1495
+HKDF_SHA256		1496
+HKDF_SHA384		1497
+HKDF_SHA512		1498

crypto/objects/objects.txt

@@ -336,6 +336,9 @@ id-smime-alg 5		: id-smime-alg-ESDH
 id-smime-alg 6		: id-smime-alg-CMS3DESwrap
 id-smime-alg 7		: id-smime-alg-CMSRC2wrap
 id-smime-alg 9		: id-alg-PWRI-KEK
+id-smime-alg 28		: id-alg-hkdf-with-sha256	: HKDF-SHA256
+id-smime-alg 29		: id-alg-hkdf-with-sha384	: HKDF-SHA384
+id-smime-alg 30		: id-alg-hkdf-with-sha512	: HKDF-SHA512
 
 # S/MIME Certificate Distribution
 id-smime-cd 1		: id-smime-cd-ldap

fuzz/oids.txt

@@ -1344,3 +1344,6 @@ OBJ_SLH_DSA_SHAKE_192s_WITH_SHAKE256="\x60\x86\x48\x01\x65\x03\x04\x03\x2B"
 OBJ_SLH_DSA_SHAKE_192f_WITH_SHAKE256="\x60\x86\x48\x01\x65\x03\x04\x03\x2C"
 OBJ_SLH_DSA_SHAKE_256s_WITH_SHAKE256="\x60\x86\x48\x01\x65\x03\x04\x03\x2D"
 OBJ_SLH_DSA_SHAKE_256f_WITH_SHAKE256="\x60\x86\x48\x01\x65\x03\x04\x03\x2E"
+OBJ_HKDF_SHA256="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1C"
+OBJ_HKDF_SHA384="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1D"
+OBJ_HKDF_SHA512="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1E"

include/openssl/core_names.h.in

@@ -66,6 +66,9 @@ extern "C" {
 
 /* Known KDF names */
 # define OSSL_KDF_NAME_HKDF           "HKDF"
+# define OSSL_KDF_NAME_HKDF_SHA256    "HKDF-SHA256"
+# define OSSL_KDF_NAME_HKDF_SHA384    "HKDF-SHA384"
+# define OSSL_KDF_NAME_HKDF_SHA512    "HKDF-SHA512"
 # define OSSL_KDF_NAME_TLS1_3_KDF     "TLS13-KDF"
 # define OSSL_KDF_NAME_PBKDF1         "PBKDF1"
 # define OSSL_KDF_NAME_PBKDF2         "PBKDF2"

include/openssl/obj_mac.h

@@ -1062,6 +1062,21 @@
 #define NID_id_alg_PWRI_KEK             893
 #define OBJ_id_alg_PWRI_KEK             OBJ_id_smime_alg,9L
 
+#define SN_HKDF_SHA256          "id-alg-hkdf-with-sha256"
+#define LN_HKDF_SHA256          "HKDF-SHA256"
+#define NID_HKDF_SHA256         1496
+#define OBJ_HKDF_SHA256         OBJ_id_smime_alg,28L
+
+#define SN_HKDF_SHA384          "id-alg-hkdf-with-sha384"
+#define LN_HKDF_SHA384          "HKDF-SHA384"
+#define NID_HKDF_SHA384         1497
+#define OBJ_HKDF_SHA384         OBJ_id_smime_alg,29L
+
+#define SN_HKDF_SHA512          "id-alg-hkdf-with-sha512"
+#define LN_HKDF_SHA512          "HKDF-SHA512"
+#define NID_HKDF_SHA512         1498
+#define OBJ_HKDF_SHA512         OBJ_id_smime_alg,30L
+
 #define SN_id_smime_cd_ldap             "id-smime-cd-ldap"
 #define NID_id_smime_cd_ldap            248
 #define OBJ_id_smime_cd_ldap            OBJ_id_smime_cd,1L

providers/defltprov.c

@@ -358,6 +358,9 @@ static const OSSL_ALGORITHM deflt_macs[] = {
 
 static const OSSL_ALGORITHM deflt_kdfs[] = {
     { PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_functions },
+    { PROV_NAMES_HKDF_SHA256, "provider=default", ossl_kdf_hkdf_sha256_functions },
+    { PROV_NAMES_HKDF_SHA384, "provider=default", ossl_kdf_hkdf_sha384_functions },
+    { PROV_NAMES_HKDF_SHA512, "provider=default", ossl_kdf_hkdf_sha512_functions },
     { PROV_NAMES_TLS1_3_KDF, "provider=default",
       ossl_kdf_tls1_3_kdf_functions },
     { PROV_NAMES_SSKDF, "provider=default", ossl_kdf_sskdf_functions },
@@ -395,6 +398,9 @@ static const OSSL_ALGORITHM deflt_keyexch[] = {
 #endif
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_keyexch_functions },
     { PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_keyexch_functions },
+    { PROV_NAMES_HKDF_SHA256, "provider=default", ossl_kdf_hkdf_sha256_keyexch_functions },
+    { PROV_NAMES_HKDF_SHA384, "provider=default", ossl_kdf_hkdf_sha384_keyexch_functions },
+    { PROV_NAMES_HKDF_SHA512, "provider=default", ossl_kdf_hkdf_sha512_keyexch_functions },
     { PROV_NAMES_SCRYPT, "provider=default",
       ossl_kdf_scrypt_keyexch_functions },
     { NULL, NULL, NULL }
@@ -583,6 +589,12 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
       PROV_DESCS_TLS1_PRF_SIGN },
     { PROV_NAMES_HKDF, "provider=default", ossl_kdf_keymgmt_functions,
       PROV_DESCS_HKDF_SIGN },
+    { PROV_NAMES_HKDF_SHA256, "provider=default", ossl_kdf_keymgmt_functions,
+      PROV_DESCS_HKDF_SHA256_SIGN },
+    { PROV_NAMES_HKDF_SHA384, "provider=default", ossl_kdf_keymgmt_functions,
+      PROV_DESCS_HKDF_SHA384_SIGN },
+    { PROV_NAMES_HKDF_SHA512, "provider=default", ossl_kdf_keymgmt_functions,
+      PROV_DESCS_HKDF_SHA512_SIGN },
     { PROV_NAMES_SCRYPT, "provider=default", ossl_kdf_keymgmt_functions,
       PROV_DESCS_SCRYPT_SIGN },
     { PROV_NAMES_HMAC, "provider=default", ossl_mac_legacy_keymgmt_functions,

providers/fips/fipsprov.c

@@ -404,6 +404,9 @@ static const OSSL_ALGORITHM fips_macs_internal[] = {
 
 static const OSSL_ALGORITHM fips_kdfs[] = {
     { PROV_NAMES_HKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_functions },
+    { PROV_NAMES_HKDF_SHA256, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha256_functions },
+    { PROV_NAMES_HKDF_SHA384, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha384_functions },
+    { PROV_NAMES_HKDF_SHA512, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha512_functions },
     { PROV_NAMES_TLS1_3_KDF, FIPS_DEFAULT_PROPERTIES,
       ossl_kdf_tls1_3_kdf_functions },
     { PROV_NAMES_SSKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sskdf_functions },
@@ -445,6 +448,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
       ossl_kdf_tls1_prf_keyexch_functions },
     { PROV_NAMES_HKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_keyexch_functions },
+    { PROV_NAMES_HKDF_SHA256, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha256_keyexch_functions },
+    { PROV_NAMES_HKDF_SHA384, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha384_keyexch_functions },
+    { PROV_NAMES_HKDF_SHA512, FIPS_DEFAULT_PROPERTIES, ossl_kdf_hkdf_sha512_keyexch_functions },
     { NULL, NULL, NULL }
 };
 
@@ -612,6 +618,12 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
       PROV_DESCS_TLS1_PRF_SIGN },
     { PROV_NAMES_HKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
       PROV_DESCS_HKDF_SIGN },
+    { PROV_NAMES_HKDF_SHA256, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+      PROV_DESCS_HKDF_SHA256_SIGN },
+    { PROV_NAMES_HKDF_SHA384, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+      PROV_DESCS_HKDF_SHA384_SIGN },
+    { PROV_NAMES_HKDF_SHA512, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+      PROV_DESCS_HKDF_SHA512_SIGN },
     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_mac_legacy_keymgmt_functions,
       PROV_DESCS_HMAC_SIGN },
 #ifndef OPENSSL_NO_CMAC

providers/implementations/exchange/kdf_exch.c

@@ -79,6 +79,9 @@ static void *kdf_newctx(const char *kdfname, void *provctx)
 
 KDF_NEWCTX(tls1_prf, "TLS1-PRF")
 KDF_NEWCTX(hkdf, "HKDF")
+KDF_NEWCTX(hkdf_sha256, "HKDF-SHA256")
+KDF_NEWCTX(hkdf_sha384, "HKDF-SHA384")
+KDF_NEWCTX(hkdf_sha512, "HKDF-SHA512")
 KDF_NEWCTX(scrypt, "SCRYPT")
 
 static int kdf_init(void *vpkdfctx, void *vkdf, const OSSL_PARAM params[])
@@ -206,6 +209,9 @@ static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
 
 KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
 KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
+KDF_SETTABLE_CTX_PARAMS(hkdf_sha256, "HKDF-SHA256")
+KDF_SETTABLE_CTX_PARAMS(hkdf_sha384, "HKDF-SHA384")
+KDF_SETTABLE_CTX_PARAMS(hkdf_sha512, "HKDF-SHA512")
 KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
 
 static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
@@ -234,6 +240,9 @@ static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
 
 KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
 KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
+KDF_GETTABLE_CTX_PARAMS(hkdf_sha256, "HKDF-SHA256")
+KDF_GETTABLE_CTX_PARAMS(hkdf_sha384, "HKDF-SHA384")
+KDF_GETTABLE_CTX_PARAMS(hkdf_sha512, "HKDF-SHA512")
 KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
 
 #define KDF_KEYEXCH_FUNCTIONS(funcname) \
@@ -254,4 +263,7 @@ KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
 
 KDF_KEYEXCH_FUNCTIONS(tls1_prf)
 KDF_KEYEXCH_FUNCTIONS(hkdf)
+KDF_KEYEXCH_FUNCTIONS(hkdf_sha256)
+KDF_KEYEXCH_FUNCTIONS(hkdf_sha384)
+KDF_KEYEXCH_FUNCTIONS(hkdf_sha512)
 KDF_KEYEXCH_FUNCTIONS(scrypt)