]>
Commit | Line | Data |
---|---|---|
d2e9e320 | 1 | /* |
da1c088f | 2 | * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. |
aacfb134 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
aacfb134 AG |
8 | */ |
9 | ||
dbde4726 P |
10 | /* |
11 | * HMAC low level APIs are deprecated for public use, but still ok for internal | |
12 | * use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
aacfb134 | 16 | #include <stdlib.h> |
5a285add | 17 | #include <stdarg.h> |
aacfb134 AG |
18 | #include <string.h> |
19 | #include <openssl/hmac.h> | |
aacfb134 | 20 | #include <openssl/evp.h> |
5a285add | 21 | #include <openssl/kdf.h> |
e3405a4a | 22 | #include <openssl/core_names.h> |
2741128e | 23 | #include <openssl/proverr.h> |
aacfb134 | 24 | #include "internal/cryptlib.h" |
cee719c2 | 25 | #include "internal/numbers.h" |
f7d998a2 | 26 | #include "internal/packet.h" |
25f2138b | 27 | #include "crypto/evp.h" |
ddd21319 | 28 | #include "prov/provider_ctx.h" |
2b9e4e95 | 29 | #include "prov/providercommon.h" |
af3e7e1b | 30 | #include "prov/implementations.h" |
ddd21319 | 31 | #include "prov/provider_util.h" |
d5f9166b | 32 | #include "internal/e_os.h" |
345b42be | 33 | #include "internal/params.h" |
aacfb134 | 34 | |
20c2876f | 35 | #define HKDF_MAXBUF 2048 |
e8115bd1 | 36 | #define HKDF_MAXINFO (32*1024) |
aacfb134 | 37 | |
363b1e5d | 38 | static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new; |
95bd5ff6 | 39 | static OSSL_FUNC_kdf_dupctx_fn kdf_hkdf_dup; |
363b1e5d DMSP |
40 | static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free; |
41 | static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset; | |
42 | static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive; | |
43 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; | |
44 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; | |
45 | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; | |
46 | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; | |
f7d998a2 P |
47 | static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; |
48 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; | |
49 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; | |
e3405a4a | 50 | |
0a8a6afd | 51 | static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add DM |
52 | const unsigned char *salt, size_t salt_len, |
53 | const unsigned char *key, size_t key_len, | |
54 | const unsigned char *info, size_t info_len, | |
55 | unsigned char *okm, size_t okm_len); | |
0a8a6afd | 56 | static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add | 57 | const unsigned char *salt, size_t salt_len, |
e7018588 | 58 | const unsigned char *ikm, size_t ikm_len, |
5a285add DM |
59 | unsigned char *prk, size_t prk_len); |
60 | static int HKDF_Expand(const EVP_MD *evp_md, | |
61 | const unsigned char *prk, size_t prk_len, | |
62 | const unsigned char *info, size_t info_len, | |
63 | unsigned char *okm, size_t okm_len); | |
64 | ||
f7d998a2 P |
65 | /* Settable context parameters that are common across HKDF and the TLS KDF */ |
66 | #define HKDF_COMMON_SETTABLES \ | |
67 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \ | |
68 | OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \ | |
69 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \ | |
70 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \ | |
71 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \ | |
72 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0) | |
73 | ||
e3405a4a P |
74 | typedef struct { |
75 | void *provctx; | |
d2139cf8 | 76 | int mode; |
86f17ed6 | 77 | PROV_DIGEST digest; |
aacfb134 AG |
78 | unsigned char *salt; |
79 | size_t salt_len; | |
80 | unsigned char *key; | |
81 | size_t key_len; | |
f7d998a2 P |
82 | unsigned char *prefix; |
83 | size_t prefix_len; | |
84 | unsigned char *label; | |
85 | size_t label_len; | |
86 | unsigned char *data; | |
87 | size_t data_len; | |
e8115bd1 | 88 | unsigned char *info; |
aacfb134 | 89 | size_t info_len; |
e3405a4a | 90 | } KDF_HKDF; |
aacfb134 | 91 | |
e3405a4a | 92 | static void *kdf_hkdf_new(void *provctx) |
aacfb134 | 93 | { |
e3405a4a | 94 | KDF_HKDF *ctx; |
aacfb134 | 95 | |
2b9e4e95 P |
96 | if (!ossl_prov_is_running()) |
97 | return NULL; | |
98 | ||
e077455e | 99 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) |
e3405a4a P |
100 | ctx->provctx = provctx; |
101 | return ctx; | |
5a285add | 102 | } |
aacfb134 | 103 | |
e3405a4a | 104 | static void kdf_hkdf_free(void *vctx) |
5a285add | 105 | { |
e3405a4a | 106 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; |
aacfb134 | 107 | |
3c659415 P |
108 | if (ctx != NULL) { |
109 | kdf_hkdf_reset(ctx); | |
110 | OPENSSL_free(ctx); | |
111 | } | |
aacfb134 AG |
112 | } |
113 | ||
e3405a4a | 114 | static void kdf_hkdf_reset(void *vctx) |
aacfb134 | 115 | { |
e3405a4a | 116 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; |
0577959c | 117 | void *provctx = ctx->provctx; |
aacfb134 | 118 | |
86f17ed6 | 119 | ossl_prov_digest_reset(&ctx->digest); |
e3405a4a | 120 | OPENSSL_free(ctx->salt); |
f7d998a2 P |
121 | OPENSSL_free(ctx->prefix); |
122 | OPENSSL_free(ctx->label); | |
123 | OPENSSL_clear_free(ctx->data, ctx->data_len); | |
e3405a4a | 124 | OPENSSL_clear_free(ctx->key, ctx->key_len); |
e8115bd1 | 125 | OPENSSL_clear_free(ctx->info, ctx->info_len); |
e3405a4a | 126 | memset(ctx, 0, sizeof(*ctx)); |
0577959c | 127 | ctx->provctx = provctx; |
aacfb134 AG |
128 | } |
129 | ||
95bd5ff6 P |
130 | static void *kdf_hkdf_dup(void *vctx) |
131 | { | |
132 | const KDF_HKDF *src = (const KDF_HKDF *)vctx; | |
133 | KDF_HKDF *dest; | |
134 | ||
135 | dest = kdf_hkdf_new(src->provctx); | |
136 | if (dest != NULL) { | |
137 | if (!ossl_prov_memdup(src->salt, src->salt_len, &dest->salt, | |
138 | &dest->salt_len) | |
139 | || !ossl_prov_memdup(src->key, src->key_len, | |
140 | &dest->key , &dest->key_len) | |
141 | || !ossl_prov_memdup(src->prefix, src->prefix_len, | |
142 | &dest->prefix, &dest->prefix_len) | |
143 | || !ossl_prov_memdup(src->label, src->label_len, | |
144 | &dest->label, &dest->label_len) | |
145 | || !ossl_prov_memdup(src->data, src->data_len, | |
146 | &dest->data, &dest->data_len) | |
e8115bd1 | 147 | || !ossl_prov_memdup(src->info, src->info_len, |
148 | &dest->info, &dest->info_len) | |
95bd5ff6 P |
149 | || !ossl_prov_digest_copy(&dest->digest, &src->digest)) |
150 | goto err; | |
95bd5ff6 P |
151 | dest->mode = src->mode; |
152 | } | |
153 | return dest; | |
154 | ||
155 | err: | |
156 | kdf_hkdf_free(dest); | |
157 | return NULL; | |
158 | } | |
159 | ||
e3405a4a | 160 | static size_t kdf_hkdf_size(KDF_HKDF *ctx) |
ca55d70b | 161 | { |
97cc9c9b | 162 | int sz; |
86f17ed6 | 163 | const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); |
97cc9c9b | 164 | |
e3405a4a | 165 | if (ctx->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) |
5a285add | 166 | return SIZE_MAX; |
ca55d70b | 167 | |
86f17ed6 | 168 | if (md == NULL) { |
e3405a4a | 169 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
5a285add DM |
170 | return 0; |
171 | } | |
ed576acd | 172 | sz = EVP_MD_get_size(md); |
97cc9c9b SL |
173 | if (sz < 0) |
174 | return 0; | |
175 | ||
176 | return sz; | |
ca55d70b MC |
177 | } |
178 | ||
3469b388 P |
179 | static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, |
180 | const OSSL_PARAM params[]) | |
aacfb134 | 181 | { |
e3405a4a | 182 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; |
0a8a6afd | 183 | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
2b9e4e95 P |
184 | const EVP_MD *md; |
185 | ||
3469b388 | 186 | if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params)) |
2b9e4e95 | 187 | return 0; |
e3405a4a | 188 | |
2b9e4e95 | 189 | md = ossl_prov_digest_md(&ctx->digest); |
86f17ed6 | 190 | if (md == NULL) { |
e3405a4a | 191 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
f55129c7 JB |
192 | return 0; |
193 | } | |
e3405a4a P |
194 | if (ctx->key == NULL) { |
195 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); | |
aacfb134 | 196 | return 0; |
e65f6509 | 197 | } |
1cae59d1 JS |
198 | if (keylen == 0) { |
199 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); | |
200 | return 0; | |
201 | } | |
aacfb134 | 202 | |
e3405a4a | 203 | switch (ctx->mode) { |
5a285add | 204 | case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: |
9d300aa2 | 205 | default: |
0a8a6afd DDO |
206 | return HKDF(libctx, md, ctx->salt, ctx->salt_len, |
207 | ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen); | |
d2139cf8 | 208 | |
5a285add | 209 | case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: |
0a8a6afd DDO |
210 | return HKDF_Extract(libctx, md, ctx->salt, ctx->salt_len, |
211 | ctx->key, ctx->key_len, key, keylen); | |
d2139cf8 | 212 | |
5a285add | 213 | case EVP_KDF_HKDF_MODE_EXPAND_ONLY: |
86f17ed6 | 214 | return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info, |
e3405a4a | 215 | ctx->info_len, key, keylen); |
aacfb134 | 216 | } |
aacfb134 AG |
217 | } |
218 | ||
f7d998a2 | 219 | static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[]) |
e3405a4a | 220 | { |
0a8a6afd | 221 | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
f7d998a2 | 222 | const OSSL_PARAM *p; |
e3405a4a | 223 | int n; |
86f17ed6 | 224 | |
c983a0e5 P |
225 | if (params == NULL) |
226 | return 1; | |
227 | ||
0a8a6afd | 228 | if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) |
86f17ed6 | 229 | return 0; |
e3405a4a P |
230 | |
231 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { | |
232 | if (p->data_type == OSSL_PARAM_UTF8_STRING) { | |
fba140c7 | 233 | if (OPENSSL_strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) { |
e3405a4a | 234 | ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; |
fba140c7 | 235 | } else if (OPENSSL_strcasecmp(p->data, "EXTRACT_ONLY") == 0) { |
e3405a4a | 236 | ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; |
fba140c7 | 237 | } else if (OPENSSL_strcasecmp(p->data, "EXPAND_ONLY") == 0) { |
e3405a4a P |
238 | ctx->mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; |
239 | } else { | |
240 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
241 | return 0; | |
242 | } | |
243 | } else if (OSSL_PARAM_get_int(p, &n)) { | |
244 | if (n != EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND | |
245 | && n != EVP_KDF_HKDF_MODE_EXTRACT_ONLY | |
246 | && n != EVP_KDF_HKDF_MODE_EXPAND_ONLY) { | |
247 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
248 | return 0; | |
249 | } | |
250 | ctx->mode = n; | |
251 | } else { | |
252 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
253 | return 0; | |
254 | } | |
255 | } | |
256 | ||
257 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { | |
258 | OPENSSL_clear_free(ctx->key, ctx->key_len); | |
259 | ctx->key = NULL; | |
260 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->key, 0, | |
261 | &ctx->key_len)) | |
262 | return 0; | |
263 | } | |
264 | ||
265 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { | |
266 | if (p->data_size != 0 && p->data != NULL) { | |
267 | OPENSSL_free(ctx->salt); | |
268 | ctx->salt = NULL; | |
269 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, | |
270 | &ctx->salt_len)) | |
271 | return 0; | |
272 | } | |
273 | } | |
f7d998a2 P |
274 | |
275 | return 1; | |
276 | } | |
277 | ||
278 | static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) | |
279 | { | |
f7d998a2 P |
280 | KDF_HKDF *ctx = vctx; |
281 | ||
282 | if (params == NULL) | |
283 | return 1; | |
284 | ||
285 | if (!hkdf_common_set_ctx_params(ctx, params)) | |
286 | return 0; | |
287 | ||
345b42be P |
288 | if (ossl_param_get1_concat_octet_string(params, OSSL_KDF_PARAM_INFO, |
289 | &ctx->info, &ctx->info_len, | |
290 | HKDF_MAXINFO) == 0) | |
291 | return 0; | |
e8115bd1 | 292 | |
e3405a4a P |
293 | return 1; |
294 | } | |
295 | ||
1e8e5c60 P |
296 | static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx, |
297 | ossl_unused void *provctx) | |
e3405a4a P |
298 | { |
299 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
f7d998a2 | 300 | HKDF_COMMON_SETTABLES, |
e3405a4a P |
301 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), |
302 | OSSL_PARAM_END | |
303 | }; | |
304 | return known_settable_ctx_params; | |
305 | } | |
306 | ||
307 | static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) | |
308 | { | |
309 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; | |
310 | OSSL_PARAM *p; | |
311 | ||
9d300aa2 SL |
312 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { |
313 | size_t sz = kdf_hkdf_size(ctx); | |
314 | ||
315 | if (sz == 0) | |
316 | return 0; | |
317 | return OSSL_PARAM_set_size_t(p, sz); | |
318 | } | |
6b566687 TS |
319 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { |
320 | if (ctx->info == NULL || ctx->info_len == 0) { | |
321 | p->return_size = 0; | |
322 | return 1; | |
323 | } | |
324 | return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); | |
325 | } | |
e3405a4a P |
326 | return -2; |
327 | } | |
328 | ||
1e8e5c60 P |
329 | static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, |
330 | ossl_unused void *provctx) | |
e3405a4a P |
331 | { |
332 | static const OSSL_PARAM known_gettable_ctx_params[] = { | |
333 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
6b566687 | 334 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), |
e3405a4a P |
335 | OSSL_PARAM_END |
336 | }; | |
337 | return known_gettable_ctx_params; | |
338 | } | |
339 | ||
1be63951 | 340 | const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = { |
e3405a4a | 341 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, |
95bd5ff6 | 342 | { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, |
e3405a4a P |
343 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, |
344 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, | |
345 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_hkdf_derive }, | |
346 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
347 | (void(*)(void))kdf_hkdf_settable_ctx_params }, | |
348 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_hkdf_set_ctx_params }, | |
349 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
350 | (void(*)(void))kdf_hkdf_gettable_ctx_params }, | |
351 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params }, | |
1e6bd31e | 352 | OSSL_DISPATCH_END |
aacfb134 AG |
353 | }; |
354 | ||
e7018588 DM |
355 | /* |
356 | * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" | |
357 | * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and | |
358 | * "Cryptographic Extraction and Key Derivation: The HKDF Scheme" | |
359 | * Section 4.2 (https://eprint.iacr.org/2010/264.pdf). | |
360 | * | |
361 | * From the paper: | |
362 | * The scheme HKDF is specified as: | |
363 | * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t) | |
364 | * | |
365 | * where: | |
366 | * SKM is source key material | |
367 | * XTS is extractor salt (which may be null or constant) | |
368 | * CTXinfo is context information (may be null) | |
369 | * L is the number of key bits to be produced by KDF | |
370 | * k is the output length in bits of the hash function used with HMAC | |
371 | * t = ceil(L/k) | |
372 | * the value K(t) is truncated to its first d = L mod k bits. | |
373 | * | |
374 | * From RFC 5869: | |
375 | * 2.2. Step 1: Extract | |
376 | * HKDF-Extract(salt, IKM) -> PRK | |
377 | * 2.3. Step 2: Expand | |
378 | * HKDF-Expand(PRK, info, L) -> OKM | |
379 | */ | |
0a8a6afd | 380 | static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add | 381 | const unsigned char *salt, size_t salt_len, |
e7018588 | 382 | const unsigned char *ikm, size_t ikm_len, |
5a285add DM |
383 | const unsigned char *info, size_t info_len, |
384 | unsigned char *okm, size_t okm_len) | |
aacfb134 AG |
385 | { |
386 | unsigned char prk[EVP_MAX_MD_SIZE]; | |
97cc9c9b SL |
387 | int ret, sz; |
388 | size_t prk_len; | |
389 | ||
ed576acd | 390 | sz = EVP_MD_get_size(evp_md); |
97cc9c9b SL |
391 | if (sz < 0) |
392 | return 0; | |
393 | prk_len = (size_t)sz; | |
aacfb134 | 394 | |
e7018588 | 395 | /* Step 1: HKDF-Extract(salt, IKM) -> PRK */ |
0a8a6afd DDO |
396 | if (!HKDF_Extract(libctx, evp_md, |
397 | salt, salt_len, ikm, ikm_len, prk, prk_len)) | |
5a285add | 398 | return 0; |
aacfb134 | 399 | |
e7018588 | 400 | /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */ |
d2139cf8 MC |
401 | ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); |
402 | OPENSSL_cleanse(prk, sizeof(prk)); | |
403 | ||
404 | return ret; | |
aacfb134 AG |
405 | } |
406 | ||
e7018588 DM |
407 | /* |
408 | * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" | |
409 | * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2). | |
410 | * | |
411 | * 2.2. Step 1: Extract | |
412 | * | |
413 | * HKDF-Extract(salt, IKM) -> PRK | |
414 | * | |
415 | * Options: | |
416 | * Hash a hash function; HashLen denotes the length of the | |
417 | * hash function output in octets | |
418 | * | |
419 | * Inputs: | |
420 | * salt optional salt value (a non-secret random value); | |
421 | * if not provided, it is set to a string of HashLen zeros. | |
422 | * IKM input keying material | |
423 | * | |
424 | * Output: | |
425 | * PRK a pseudorandom key (of HashLen octets) | |
426 | * | |
427 | * The output PRK is calculated as follows: | |
428 | * | |
429 | * PRK = HMAC-Hash(salt, IKM) | |
430 | */ | |
0a8a6afd | 431 | static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add | 432 | const unsigned char *salt, size_t salt_len, |
e7018588 | 433 | const unsigned char *ikm, size_t ikm_len, |
5a285add | 434 | unsigned char *prk, size_t prk_len) |
aacfb134 | 435 | { |
ed576acd | 436 | int sz = EVP_MD_get_size(evp_md); |
97cc9c9b SL |
437 | |
438 | if (sz < 0) | |
439 | return 0; | |
440 | if (prk_len != (size_t)sz) { | |
e3405a4a | 441 | ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE); |
5a285add DM |
442 | return 0; |
443 | } | |
e7018588 | 444 | /* calc: PRK = HMAC-Hash(salt, IKM) */ |
0a8a6afd | 445 | return |
ed576acd TM |
446 | EVP_Q_mac(libctx, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL, salt, |
447 | salt_len, ikm, ikm_len, prk, EVP_MD_get_size(evp_md), NULL) | |
0a8a6afd | 448 | != NULL; |
aacfb134 AG |
449 | } |
450 | ||
e7018588 DM |
451 | /* |
452 | * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" | |
453 | * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3). | |
454 | * | |
455 | * 2.3. Step 2: Expand | |
456 | * | |
457 | * HKDF-Expand(PRK, info, L) -> OKM | |
458 | * | |
459 | * Options: | |
460 | * Hash a hash function; HashLen denotes the length of the | |
461 | * hash function output in octets | |
462 | * | |
463 | * Inputs: | |
464 | * PRK a pseudorandom key of at least HashLen octets | |
465 | * (usually, the output from the extract step) | |
466 | * info optional context and application specific information | |
467 | * (can be a zero-length string) | |
468 | * L length of output keying material in octets | |
469 | * (<= 255*HashLen) | |
470 | * | |
471 | * Output: | |
472 | * OKM output keying material (of L octets) | |
473 | * | |
474 | * The output OKM is calculated as follows: | |
475 | * | |
476 | * N = ceil(L/HashLen) | |
477 | * T = T(1) | T(2) | T(3) | ... | T(N) | |
478 | * OKM = first L octets of T | |
479 | * | |
480 | * where: | |
481 | * T(0) = empty string (zero length) | |
482 | * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) | |
483 | * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) | |
484 | * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) | |
485 | * ... | |
486 | * | |
487 | * (where the constant concatenated to the end of each T(n) is a | |
488 | * single octet.) | |
489 | */ | |
5a285add DM |
490 | static int HKDF_Expand(const EVP_MD *evp_md, |
491 | const unsigned char *prk, size_t prk_len, | |
492 | const unsigned char *info, size_t info_len, | |
493 | unsigned char *okm, size_t okm_len) | |
aacfb134 AG |
494 | { |
495 | HMAC_CTX *hmac; | |
97cc9c9b | 496 | int ret = 0, sz; |
aacfb134 | 497 | unsigned int i; |
aacfb134 | 498 | unsigned char prev[EVP_MAX_MD_SIZE]; |
97cc9c9b SL |
499 | size_t done_len = 0, dig_len, n; |
500 | ||
ed576acd | 501 | sz = EVP_MD_get_size(evp_md); |
97cc9c9b SL |
502 | if (sz <= 0) |
503 | return 0; | |
504 | dig_len = (size_t)sz; | |
5a285add | 505 | |
e7018588 DM |
506 | /* calc: N = ceil(L/HashLen) */ |
507 | n = okm_len / dig_len; | |
aacfb134 AG |
508 | if (okm_len % dig_len) |
509 | n++; | |
510 | ||
d2139cf8 | 511 | if (n > 255 || okm == NULL) |
5a285add | 512 | return 0; |
aacfb134 AG |
513 | |
514 | if ((hmac = HMAC_CTX_new()) == NULL) | |
5a285add | 515 | return 0; |
aacfb134 AG |
516 | |
517 | if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) | |
518 | goto err; | |
519 | ||
520 | for (i = 1; i <= n; i++) { | |
521 | size_t copy_len; | |
522 | const unsigned char ctr = i; | |
523 | ||
e7018588 | 524 | /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */ |
aacfb134 AG |
525 | if (i > 1) { |
526 | if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL)) | |
527 | goto err; | |
528 | ||
529 | if (!HMAC_Update(hmac, prev, dig_len)) | |
530 | goto err; | |
531 | } | |
532 | ||
533 | if (!HMAC_Update(hmac, info, info_len)) | |
534 | goto err; | |
535 | ||
536 | if (!HMAC_Update(hmac, &ctr, 1)) | |
537 | goto err; | |
538 | ||
539 | if (!HMAC_Final(hmac, prev, NULL)) | |
540 | goto err; | |
541 | ||
56a51b5a | 542 | copy_len = (dig_len > okm_len - done_len) ? |
aacfb134 AG |
543 | okm_len - done_len : |
544 | dig_len; | |
545 | ||
546 | memcpy(okm + done_len, prev, copy_len); | |
547 | ||
548 | done_len += copy_len; | |
549 | } | |
5a285add | 550 | ret = 1; |
aacfb134 AG |
551 | |
552 | err: | |
64ed55ab | 553 | OPENSSL_cleanse(prev, sizeof(prev)); |
aacfb134 | 554 | HMAC_CTX_free(hmac); |
64ed55ab | 555 | return ret; |
aacfb134 | 556 | } |
f7d998a2 P |
557 | |
558 | /* | |
559 | * TLS uses slight variations of the above and for FIPS validation purposes, | |
560 | * they need to be present here. | |
561 | * Refer to RFC 8446 section 7 for specific details. | |
562 | */ | |
563 | ||
564 | /* | |
565 | * Given a |secret|; a |label| of length |labellen|; and |data| of length | |
566 | * |datalen| (e.g. typically a hash of the handshake messages), derive a new | |
567 | * secret |outlen| bytes long and store it in the location pointed to be |out|. | |
568 | * The |data| value may be zero length. Returns 1 on success and 0 on failure. | |
569 | */ | |
570 | static int prov_tls13_hkdf_expand(const EVP_MD *md, | |
571 | const unsigned char *key, size_t keylen, | |
572 | const unsigned char *prefix, size_t prefixlen, | |
573 | const unsigned char *label, size_t labellen, | |
574 | const unsigned char *data, size_t datalen, | |
575 | unsigned char *out, size_t outlen) | |
576 | { | |
577 | size_t hkdflabellen; | |
578 | unsigned char hkdflabel[HKDF_MAXBUF]; | |
579 | WPACKET pkt; | |
580 | ||
581 | /* | |
582 | * 2 bytes for length of derived secret + 1 byte for length of combined | |
583 | * prefix and label + bytes for the label itself + 1 byte length of hash | |
584 | * + bytes for the hash itself. We've got the maximum the KDF can handle | |
585 | * which should always be sufficient. | |
586 | */ | |
587 | if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) | |
588 | || !WPACKET_put_bytes_u16(&pkt, outlen) | |
589 | || !WPACKET_start_sub_packet_u8(&pkt) | |
590 | || !WPACKET_memcpy(&pkt, prefix, prefixlen) | |
591 | || !WPACKET_memcpy(&pkt, label, labellen) | |
592 | || !WPACKET_close(&pkt) | |
593 | || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) | |
594 | || !WPACKET_get_total_written(&pkt, &hkdflabellen) | |
595 | || !WPACKET_finish(&pkt)) { | |
596 | WPACKET_cleanup(&pkt); | |
597 | return 0; | |
598 | } | |
599 | ||
600 | return HKDF_Expand(md, key, keylen, hkdflabel, hkdflabellen, | |
601 | out, outlen); | |
602 | } | |
603 | ||
604 | static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, | |
605 | const EVP_MD *md, | |
606 | const unsigned char *prevsecret, | |
607 | size_t prevsecretlen, | |
608 | const unsigned char *insecret, | |
609 | size_t insecretlen, | |
610 | const unsigned char *prefix, | |
611 | size_t prefixlen, | |
612 | const unsigned char *label, | |
613 | size_t labellen, | |
614 | unsigned char *out, size_t outlen) | |
615 | { | |
616 | size_t mdlen; | |
617 | int ret; | |
618 | unsigned char preextractsec[EVP_MAX_MD_SIZE]; | |
619 | /* Always filled with zeros */ | |
620 | static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; | |
621 | ||
622 | ret = EVP_MD_get_size(md); | |
623 | /* Ensure cast to size_t is safe */ | |
624 | if (ret <= 0) | |
625 | return 0; | |
626 | mdlen = (size_t)ret; | |
627 | ||
628 | if (insecret == NULL) { | |
629 | insecret = default_zeros; | |
630 | insecretlen = mdlen; | |
631 | } | |
632 | if (prevsecret == NULL) { | |
633 | prevsecret = default_zeros; | |
634 | prevsecretlen = 0; | |
635 | } else { | |
636 | EVP_MD_CTX *mctx = EVP_MD_CTX_new(); | |
637 | unsigned char hash[EVP_MAX_MD_SIZE]; | |
638 | ||
639 | /* The pre-extract derive step uses a hash of no messages */ | |
640 | if (mctx == NULL | |
641 | || EVP_DigestInit_ex(mctx, md, NULL) <= 0 | |
642 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { | |
643 | EVP_MD_CTX_free(mctx); | |
644 | return 0; | |
645 | } | |
646 | EVP_MD_CTX_free(mctx); | |
647 | ||
648 | /* Generate the pre-extract secret */ | |
649 | if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen, | |
650 | prefix, prefixlen, label, labellen, | |
651 | hash, mdlen, preextractsec, mdlen)) | |
652 | return 0; | |
653 | prevsecret = preextractsec; | |
654 | prevsecretlen = mdlen; | |
655 | } | |
656 | ||
657 | ret = HKDF_Extract(libctx, md, prevsecret, prevsecretlen, | |
658 | insecret, insecretlen, out, outlen); | |
659 | ||
660 | if (prevsecret == preextractsec) | |
661 | OPENSSL_cleanse(preextractsec, mdlen); | |
662 | return ret; | |
663 | } | |
664 | ||
665 | static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, | |
666 | const OSSL_PARAM params[]) | |
667 | { | |
668 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; | |
669 | const EVP_MD *md; | |
670 | ||
671 | if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx, params)) | |
672 | return 0; | |
673 | ||
674 | md = ossl_prov_digest_md(&ctx->digest); | |
675 | if (md == NULL) { | |
676 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); | |
677 | return 0; | |
678 | } | |
679 | ||
680 | switch (ctx->mode) { | |
681 | default: | |
682 | return 0; | |
683 | ||
684 | case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: | |
685 | return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx->provctx), | |
686 | md, | |
687 | ctx->salt, ctx->salt_len, | |
688 | ctx->key, ctx->key_len, | |
689 | ctx->prefix, ctx->prefix_len, | |
690 | ctx->label, ctx->label_len, | |
691 | key, keylen); | |
692 | ||
693 | case EVP_KDF_HKDF_MODE_EXPAND_ONLY: | |
694 | return prov_tls13_hkdf_expand(md, ctx->key, ctx->key_len, | |
695 | ctx->prefix, ctx->prefix_len, | |
696 | ctx->label, ctx->label_len, | |
697 | ctx->data, ctx->data_len, | |
698 | key, keylen); | |
699 | } | |
700 | } | |
701 | ||
702 | static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[]) | |
703 | { | |
704 | const OSSL_PARAM *p; | |
705 | KDF_HKDF *ctx = vctx; | |
706 | ||
707 | if (params == NULL) | |
708 | return 1; | |
709 | ||
710 | if (!hkdf_common_set_ctx_params(ctx, params)) | |
711 | return 0; | |
712 | ||
713 | if (ctx->mode == EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND) { | |
714 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
715 | return 0; | |
716 | } | |
717 | ||
718 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PREFIX)) != NULL) { | |
719 | OPENSSL_free(ctx->prefix); | |
720 | ctx->prefix = NULL; | |
721 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->prefix, 0, | |
722 | &ctx->prefix_len)) | |
723 | return 0; | |
724 | } | |
725 | ||
726 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_LABEL)) != NULL) { | |
727 | OPENSSL_free(ctx->label); | |
728 | ctx->label = NULL; | |
729 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->label, 0, | |
730 | &ctx->label_len)) | |
731 | return 0; | |
732 | } | |
733 | ||
734 | OPENSSL_clear_free(ctx->data, ctx->data_len); | |
735 | ctx->data = NULL; | |
736 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DATA)) != NULL | |
737 | && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0, | |
738 | &ctx->data_len)) | |
739 | return 0; | |
740 | return 1; | |
741 | } | |
742 | ||
743 | static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, | |
744 | ossl_unused void *provctx) | |
745 | { | |
746 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
747 | HKDF_COMMON_SETTABLES, | |
748 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX, NULL, 0), | |
749 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL, NULL, 0), | |
750 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA, NULL, 0), | |
751 | OSSL_PARAM_END | |
752 | }; | |
753 | return known_settable_ctx_params; | |
754 | } | |
755 | ||
756 | const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { | |
757 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, | |
95bd5ff6 | 758 | { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, |
f7d998a2 P |
759 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, |
760 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, | |
761 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, | |
762 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
763 | (void(*)(void))kdf_tls1_3_settable_ctx_params }, | |
764 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_set_ctx_params }, | |
765 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
766 | (void(*)(void))kdf_hkdf_gettable_ctx_params }, | |
767 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params }, | |
1e6bd31e | 768 | OSSL_DISPATCH_END |
f7d998a2 | 769 | }; |