]>
Commit | Line | Data |
---|---|---|
d2e9e320 | 1 | /* |
fecb3aae | 2 | * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. |
aacfb134 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
aacfb134 AG |
8 | */ |
9 | ||
dbde4726 P |
10 | /* |
11 | * HMAC low level APIs are deprecated for public use, but still ok for internal | |
12 | * use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
aacfb134 | 16 | #include <stdlib.h> |
5a285add | 17 | #include <stdarg.h> |
aacfb134 AG |
18 | #include <string.h> |
19 | #include <openssl/hmac.h> | |
aacfb134 | 20 | #include <openssl/evp.h> |
5a285add | 21 | #include <openssl/kdf.h> |
e3405a4a | 22 | #include <openssl/core_names.h> |
2741128e | 23 | #include <openssl/proverr.h> |
aacfb134 | 24 | #include "internal/cryptlib.h" |
cee719c2 | 25 | #include "internal/numbers.h" |
f7d998a2 | 26 | #include "internal/packet.h" |
25f2138b | 27 | #include "crypto/evp.h" |
ddd21319 | 28 | #include "prov/provider_ctx.h" |
2b9e4e95 | 29 | #include "prov/providercommon.h" |
af3e7e1b | 30 | #include "prov/implementations.h" |
ddd21319 | 31 | #include "prov/provider_util.h" |
d5f9166b | 32 | #include "internal/e_os.h" |
aacfb134 | 33 | |
20c2876f | 34 | #define HKDF_MAXBUF 2048 |
aacfb134 | 35 | |
363b1e5d | 36 | static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new; |
95bd5ff6 | 37 | static OSSL_FUNC_kdf_dupctx_fn kdf_hkdf_dup; |
363b1e5d DMSP |
38 | static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free; |
39 | static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset; | |
40 | static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive; | |
41 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; | |
42 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; | |
43 | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; | |
44 | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; | |
f7d998a2 P |
45 | static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; |
46 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; | |
47 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; | |
e3405a4a | 48 | |
0a8a6afd | 49 | static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add DM |
50 | const unsigned char *salt, size_t salt_len, |
51 | const unsigned char *key, size_t key_len, | |
52 | const unsigned char *info, size_t info_len, | |
53 | unsigned char *okm, size_t okm_len); | |
0a8a6afd | 54 | static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add | 55 | const unsigned char *salt, size_t salt_len, |
e7018588 | 56 | const unsigned char *ikm, size_t ikm_len, |
5a285add DM |
57 | unsigned char *prk, size_t prk_len); |
58 | static int HKDF_Expand(const EVP_MD *evp_md, | |
59 | const unsigned char *prk, size_t prk_len, | |
60 | const unsigned char *info, size_t info_len, | |
61 | unsigned char *okm, size_t okm_len); | |
62 | ||
f7d998a2 P |
63 | /* Settable context parameters that are common across HKDF and the TLS KDF */ |
64 | #define HKDF_COMMON_SETTABLES \ | |
65 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \ | |
66 | OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \ | |
67 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \ | |
68 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \ | |
69 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \ | |
70 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0) | |
71 | ||
e3405a4a P |
72 | typedef struct { |
73 | void *provctx; | |
d2139cf8 | 74 | int mode; |
86f17ed6 | 75 | PROV_DIGEST digest; |
aacfb134 AG |
76 | unsigned char *salt; |
77 | size_t salt_len; | |
78 | unsigned char *key; | |
79 | size_t key_len; | |
f7d998a2 P |
80 | unsigned char *prefix; |
81 | size_t prefix_len; | |
82 | unsigned char *label; | |
83 | size_t label_len; | |
84 | unsigned char *data; | |
85 | size_t data_len; | |
aacfb134 AG |
86 | unsigned char info[HKDF_MAXBUF]; |
87 | size_t info_len; | |
e3405a4a | 88 | } KDF_HKDF; |
aacfb134 | 89 | |
e3405a4a | 90 | static void *kdf_hkdf_new(void *provctx) |
aacfb134 | 91 | { |
e3405a4a | 92 | KDF_HKDF *ctx; |
aacfb134 | 93 | |
2b9e4e95 P |
94 | if (!ossl_prov_is_running()) |
95 | return NULL; | |
96 | ||
e3405a4a P |
97 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) |
98 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
99 | else | |
100 | ctx->provctx = provctx; | |
101 | return ctx; | |
5a285add | 102 | } |
aacfb134 | 103 | |
e3405a4a | 104 | static void kdf_hkdf_free(void *vctx) |
5a285add | 105 | { |
e3405a4a | 106 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; |
aacfb134 | 107 | |
3c659415 P |
108 | if (ctx != NULL) { |
109 | kdf_hkdf_reset(ctx); | |
110 | OPENSSL_free(ctx); | |
111 | } | |
aacfb134 AG |
112 | } |
113 | ||
e3405a4a | 114 | static void kdf_hkdf_reset(void *vctx) |
aacfb134 | 115 | { |
e3405a4a | 116 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; |
0577959c | 117 | void *provctx = ctx->provctx; |
aacfb134 | 118 | |
86f17ed6 | 119 | ossl_prov_digest_reset(&ctx->digest); |
e3405a4a | 120 | OPENSSL_free(ctx->salt); |
f7d998a2 P |
121 | OPENSSL_free(ctx->prefix); |
122 | OPENSSL_free(ctx->label); | |
123 | OPENSSL_clear_free(ctx->data, ctx->data_len); | |
e3405a4a P |
124 | OPENSSL_clear_free(ctx->key, ctx->key_len); |
125 | OPENSSL_cleanse(ctx->info, ctx->info_len); | |
126 | memset(ctx, 0, sizeof(*ctx)); | |
0577959c | 127 | ctx->provctx = provctx; |
aacfb134 AG |
128 | } |
129 | ||
95bd5ff6 P |
130 | static void *kdf_hkdf_dup(void *vctx) |
131 | { | |
132 | const KDF_HKDF *src = (const KDF_HKDF *)vctx; | |
133 | KDF_HKDF *dest; | |
134 | ||
135 | dest = kdf_hkdf_new(src->provctx); | |
136 | if (dest != NULL) { | |
137 | if (!ossl_prov_memdup(src->salt, src->salt_len, &dest->salt, | |
138 | &dest->salt_len) | |
139 | || !ossl_prov_memdup(src->key, src->key_len, | |
140 | &dest->key , &dest->key_len) | |
141 | || !ossl_prov_memdup(src->prefix, src->prefix_len, | |
142 | &dest->prefix, &dest->prefix_len) | |
143 | || !ossl_prov_memdup(src->label, src->label_len, | |
144 | &dest->label, &dest->label_len) | |
145 | || !ossl_prov_memdup(src->data, src->data_len, | |
146 | &dest->data, &dest->data_len) | |
147 | || !ossl_prov_digest_copy(&dest->digest, &src->digest)) | |
148 | goto err; | |
149 | memcpy(dest->info, src->info, sizeof(dest->info)); | |
150 | dest->info_len = src->info_len; | |
151 | dest->mode = src->mode; | |
152 | } | |
153 | return dest; | |
154 | ||
155 | err: | |
156 | kdf_hkdf_free(dest); | |
157 | return NULL; | |
158 | } | |
159 | ||
e3405a4a | 160 | static size_t kdf_hkdf_size(KDF_HKDF *ctx) |
ca55d70b | 161 | { |
97cc9c9b | 162 | int sz; |
86f17ed6 | 163 | const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); |
97cc9c9b | 164 | |
e3405a4a | 165 | if (ctx->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) |
5a285add | 166 | return SIZE_MAX; |
ca55d70b | 167 | |
86f17ed6 | 168 | if (md == NULL) { |
e3405a4a | 169 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
5a285add DM |
170 | return 0; |
171 | } | |
ed576acd | 172 | sz = EVP_MD_get_size(md); |
97cc9c9b SL |
173 | if (sz < 0) |
174 | return 0; | |
175 | ||
176 | return sz; | |
ca55d70b MC |
177 | } |
178 | ||
3469b388 P |
179 | static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, |
180 | const OSSL_PARAM params[]) | |
aacfb134 | 181 | { |
e3405a4a | 182 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; |
0a8a6afd | 183 | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
2b9e4e95 P |
184 | const EVP_MD *md; |
185 | ||
3469b388 | 186 | if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params)) |
2b9e4e95 | 187 | return 0; |
e3405a4a | 188 | |
2b9e4e95 | 189 | md = ossl_prov_digest_md(&ctx->digest); |
86f17ed6 | 190 | if (md == NULL) { |
e3405a4a | 191 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
f55129c7 JB |
192 | return 0; |
193 | } | |
e3405a4a P |
194 | if (ctx->key == NULL) { |
195 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); | |
aacfb134 | 196 | return 0; |
e65f6509 | 197 | } |
1cae59d1 JS |
198 | if (keylen == 0) { |
199 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); | |
200 | return 0; | |
201 | } | |
aacfb134 | 202 | |
e3405a4a | 203 | switch (ctx->mode) { |
5a285add | 204 | case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: |
9d300aa2 | 205 | default: |
0a8a6afd DDO |
206 | return HKDF(libctx, md, ctx->salt, ctx->salt_len, |
207 | ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen); | |
d2139cf8 | 208 | |
5a285add | 209 | case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: |
0a8a6afd DDO |
210 | return HKDF_Extract(libctx, md, ctx->salt, ctx->salt_len, |
211 | ctx->key, ctx->key_len, key, keylen); | |
d2139cf8 | 212 | |
5a285add | 213 | case EVP_KDF_HKDF_MODE_EXPAND_ONLY: |
86f17ed6 | 214 | return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info, |
e3405a4a | 215 | ctx->info_len, key, keylen); |
aacfb134 | 216 | } |
aacfb134 AG |
217 | } |
218 | ||
f7d998a2 | 219 | static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[]) |
e3405a4a | 220 | { |
0a8a6afd | 221 | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
f7d998a2 | 222 | const OSSL_PARAM *p; |
e3405a4a | 223 | int n; |
86f17ed6 | 224 | |
c983a0e5 P |
225 | if (params == NULL) |
226 | return 1; | |
227 | ||
0a8a6afd | 228 | if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) |
86f17ed6 | 229 | return 0; |
e3405a4a P |
230 | |
231 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { | |
232 | if (p->data_type == OSSL_PARAM_UTF8_STRING) { | |
fba140c7 | 233 | if (OPENSSL_strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) { |
e3405a4a | 234 | ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; |
fba140c7 | 235 | } else if (OPENSSL_strcasecmp(p->data, "EXTRACT_ONLY") == 0) { |
e3405a4a | 236 | ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; |
fba140c7 | 237 | } else if (OPENSSL_strcasecmp(p->data, "EXPAND_ONLY") == 0) { |
e3405a4a P |
238 | ctx->mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; |
239 | } else { | |
240 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
241 | return 0; | |
242 | } | |
243 | } else if (OSSL_PARAM_get_int(p, &n)) { | |
244 | if (n != EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND | |
245 | && n != EVP_KDF_HKDF_MODE_EXTRACT_ONLY | |
246 | && n != EVP_KDF_HKDF_MODE_EXPAND_ONLY) { | |
247 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
248 | return 0; | |
249 | } | |
250 | ctx->mode = n; | |
251 | } else { | |
252 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
253 | return 0; | |
254 | } | |
255 | } | |
256 | ||
257 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) { | |
258 | OPENSSL_clear_free(ctx->key, ctx->key_len); | |
259 | ctx->key = NULL; | |
260 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->key, 0, | |
261 | &ctx->key_len)) | |
262 | return 0; | |
263 | } | |
264 | ||
265 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { | |
266 | if (p->data_size != 0 && p->data != NULL) { | |
267 | OPENSSL_free(ctx->salt); | |
268 | ctx->salt = NULL; | |
269 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, | |
270 | &ctx->salt_len)) | |
271 | return 0; | |
272 | } | |
273 | } | |
f7d998a2 P |
274 | |
275 | return 1; | |
276 | } | |
277 | ||
278 | static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) | |
279 | { | |
280 | const OSSL_PARAM *p; | |
281 | KDF_HKDF *ctx = vctx; | |
282 | ||
283 | if (params == NULL) | |
284 | return 1; | |
285 | ||
286 | if (!hkdf_common_set_ctx_params(ctx, params)) | |
287 | return 0; | |
288 | ||
e3405a4a P |
289 | /* The info fields concatenate, so process them all */ |
290 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) { | |
291 | ctx->info_len = 0; | |
292 | for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, | |
293 | OSSL_KDF_PARAM_INFO)) { | |
294 | const void *q = ctx->info + ctx->info_len; | |
295 | size_t sz = 0; | |
296 | ||
297 | if (p->data_size != 0 | |
298 | && p->data != NULL | |
299 | && !OSSL_PARAM_get_octet_string(p, (void **)&q, | |
300 | HKDF_MAXBUF - ctx->info_len, | |
301 | &sz)) | |
302 | return 0; | |
303 | ctx->info_len += sz; | |
304 | } | |
305 | } | |
306 | return 1; | |
307 | } | |
308 | ||
1e8e5c60 P |
309 | static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx, |
310 | ossl_unused void *provctx) | |
e3405a4a P |
311 | { |
312 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
f7d998a2 | 313 | HKDF_COMMON_SETTABLES, |
e3405a4a P |
314 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), |
315 | OSSL_PARAM_END | |
316 | }; | |
317 | return known_settable_ctx_params; | |
318 | } | |
319 | ||
320 | static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) | |
321 | { | |
322 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; | |
323 | OSSL_PARAM *p; | |
324 | ||
9d300aa2 SL |
325 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { |
326 | size_t sz = kdf_hkdf_size(ctx); | |
327 | ||
328 | if (sz == 0) | |
329 | return 0; | |
330 | return OSSL_PARAM_set_size_t(p, sz); | |
331 | } | |
e3405a4a P |
332 | return -2; |
333 | } | |
334 | ||
1e8e5c60 P |
335 | static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, |
336 | ossl_unused void *provctx) | |
e3405a4a P |
337 | { |
338 | static const OSSL_PARAM known_gettable_ctx_params[] = { | |
339 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
340 | OSSL_PARAM_END | |
341 | }; | |
342 | return known_gettable_ctx_params; | |
343 | } | |
344 | ||
1be63951 | 345 | const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = { |
e3405a4a | 346 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, |
95bd5ff6 | 347 | { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, |
e3405a4a P |
348 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, |
349 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, | |
350 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_hkdf_derive }, | |
351 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
352 | (void(*)(void))kdf_hkdf_settable_ctx_params }, | |
353 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_hkdf_set_ctx_params }, | |
354 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
355 | (void(*)(void))kdf_hkdf_gettable_ctx_params }, | |
356 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params }, | |
357 | { 0, NULL } | |
aacfb134 AG |
358 | }; |
359 | ||
e7018588 DM |
360 | /* |
361 | * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" | |
362 | * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and | |
363 | * "Cryptographic Extraction and Key Derivation: The HKDF Scheme" | |
364 | * Section 4.2 (https://eprint.iacr.org/2010/264.pdf). | |
365 | * | |
366 | * From the paper: | |
367 | * The scheme HKDF is specified as: | |
368 | * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t) | |
369 | * | |
370 | * where: | |
371 | * SKM is source key material | |
372 | * XTS is extractor salt (which may be null or constant) | |
373 | * CTXinfo is context information (may be null) | |
374 | * L is the number of key bits to be produced by KDF | |
375 | * k is the output length in bits of the hash function used with HMAC | |
376 | * t = ceil(L/k) | |
377 | * the value K(t) is truncated to its first d = L mod k bits. | |
378 | * | |
379 | * From RFC 5869: | |
380 | * 2.2. Step 1: Extract | |
381 | * HKDF-Extract(salt, IKM) -> PRK | |
382 | * 2.3. Step 2: Expand | |
383 | * HKDF-Expand(PRK, info, L) -> OKM | |
384 | */ | |
0a8a6afd | 385 | static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add | 386 | const unsigned char *salt, size_t salt_len, |
e7018588 | 387 | const unsigned char *ikm, size_t ikm_len, |
5a285add DM |
388 | const unsigned char *info, size_t info_len, |
389 | unsigned char *okm, size_t okm_len) | |
aacfb134 AG |
390 | { |
391 | unsigned char prk[EVP_MAX_MD_SIZE]; | |
97cc9c9b SL |
392 | int ret, sz; |
393 | size_t prk_len; | |
394 | ||
ed576acd | 395 | sz = EVP_MD_get_size(evp_md); |
97cc9c9b SL |
396 | if (sz < 0) |
397 | return 0; | |
398 | prk_len = (size_t)sz; | |
aacfb134 | 399 | |
e7018588 | 400 | /* Step 1: HKDF-Extract(salt, IKM) -> PRK */ |
0a8a6afd DDO |
401 | if (!HKDF_Extract(libctx, evp_md, |
402 | salt, salt_len, ikm, ikm_len, prk, prk_len)) | |
5a285add | 403 | return 0; |
aacfb134 | 404 | |
e7018588 | 405 | /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */ |
d2139cf8 MC |
406 | ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); |
407 | OPENSSL_cleanse(prk, sizeof(prk)); | |
408 | ||
409 | return ret; | |
aacfb134 AG |
410 | } |
411 | ||
e7018588 DM |
412 | /* |
413 | * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" | |
414 | * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2). | |
415 | * | |
416 | * 2.2. Step 1: Extract | |
417 | * | |
418 | * HKDF-Extract(salt, IKM) -> PRK | |
419 | * | |
420 | * Options: | |
421 | * Hash a hash function; HashLen denotes the length of the | |
422 | * hash function output in octets | |
423 | * | |
424 | * Inputs: | |
425 | * salt optional salt value (a non-secret random value); | |
426 | * if not provided, it is set to a string of HashLen zeros. | |
427 | * IKM input keying material | |
428 | * | |
429 | * Output: | |
430 | * PRK a pseudorandom key (of HashLen octets) | |
431 | * | |
432 | * The output PRK is calculated as follows: | |
433 | * | |
434 | * PRK = HMAC-Hash(salt, IKM) | |
435 | */ | |
0a8a6afd | 436 | static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md, |
5a285add | 437 | const unsigned char *salt, size_t salt_len, |
e7018588 | 438 | const unsigned char *ikm, size_t ikm_len, |
5a285add | 439 | unsigned char *prk, size_t prk_len) |
aacfb134 | 440 | { |
ed576acd | 441 | int sz = EVP_MD_get_size(evp_md); |
97cc9c9b SL |
442 | |
443 | if (sz < 0) | |
444 | return 0; | |
445 | if (prk_len != (size_t)sz) { | |
e3405a4a | 446 | ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE); |
5a285add DM |
447 | return 0; |
448 | } | |
e7018588 | 449 | /* calc: PRK = HMAC-Hash(salt, IKM) */ |
0a8a6afd | 450 | return |
ed576acd TM |
451 | EVP_Q_mac(libctx, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL, salt, |
452 | salt_len, ikm, ikm_len, prk, EVP_MD_get_size(evp_md), NULL) | |
0a8a6afd | 453 | != NULL; |
aacfb134 AG |
454 | } |
455 | ||
e7018588 DM |
456 | /* |
457 | * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" | |
458 | * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3). | |
459 | * | |
460 | * 2.3. Step 2: Expand | |
461 | * | |
462 | * HKDF-Expand(PRK, info, L) -> OKM | |
463 | * | |
464 | * Options: | |
465 | * Hash a hash function; HashLen denotes the length of the | |
466 | * hash function output in octets | |
467 | * | |
468 | * Inputs: | |
469 | * PRK a pseudorandom key of at least HashLen octets | |
470 | * (usually, the output from the extract step) | |
471 | * info optional context and application specific information | |
472 | * (can be a zero-length string) | |
473 | * L length of output keying material in octets | |
474 | * (<= 255*HashLen) | |
475 | * | |
476 | * Output: | |
477 | * OKM output keying material (of L octets) | |
478 | * | |
479 | * The output OKM is calculated as follows: | |
480 | * | |
481 | * N = ceil(L/HashLen) | |
482 | * T = T(1) | T(2) | T(3) | ... | T(N) | |
483 | * OKM = first L octets of T | |
484 | * | |
485 | * where: | |
486 | * T(0) = empty string (zero length) | |
487 | * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) | |
488 | * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) | |
489 | * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) | |
490 | * ... | |
491 | * | |
492 | * (where the constant concatenated to the end of each T(n) is a | |
493 | * single octet.) | |
494 | */ | |
5a285add DM |
495 | static int HKDF_Expand(const EVP_MD *evp_md, |
496 | const unsigned char *prk, size_t prk_len, | |
497 | const unsigned char *info, size_t info_len, | |
498 | unsigned char *okm, size_t okm_len) | |
aacfb134 AG |
499 | { |
500 | HMAC_CTX *hmac; | |
97cc9c9b | 501 | int ret = 0, sz; |
aacfb134 | 502 | unsigned int i; |
aacfb134 | 503 | unsigned char prev[EVP_MAX_MD_SIZE]; |
97cc9c9b SL |
504 | size_t done_len = 0, dig_len, n; |
505 | ||
ed576acd | 506 | sz = EVP_MD_get_size(evp_md); |
97cc9c9b SL |
507 | if (sz <= 0) |
508 | return 0; | |
509 | dig_len = (size_t)sz; | |
5a285add | 510 | |
e7018588 DM |
511 | /* calc: N = ceil(L/HashLen) */ |
512 | n = okm_len / dig_len; | |
aacfb134 AG |
513 | if (okm_len % dig_len) |
514 | n++; | |
515 | ||
d2139cf8 | 516 | if (n > 255 || okm == NULL) |
5a285add | 517 | return 0; |
aacfb134 AG |
518 | |
519 | if ((hmac = HMAC_CTX_new()) == NULL) | |
5a285add | 520 | return 0; |
aacfb134 AG |
521 | |
522 | if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) | |
523 | goto err; | |
524 | ||
525 | for (i = 1; i <= n; i++) { | |
526 | size_t copy_len; | |
527 | const unsigned char ctr = i; | |
528 | ||
e7018588 | 529 | /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */ |
aacfb134 AG |
530 | if (i > 1) { |
531 | if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL)) | |
532 | goto err; | |
533 | ||
534 | if (!HMAC_Update(hmac, prev, dig_len)) | |
535 | goto err; | |
536 | } | |
537 | ||
538 | if (!HMAC_Update(hmac, info, info_len)) | |
539 | goto err; | |
540 | ||
541 | if (!HMAC_Update(hmac, &ctr, 1)) | |
542 | goto err; | |
543 | ||
544 | if (!HMAC_Final(hmac, prev, NULL)) | |
545 | goto err; | |
546 | ||
547 | copy_len = (done_len + dig_len > okm_len) ? | |
548 | okm_len - done_len : | |
549 | dig_len; | |
550 | ||
551 | memcpy(okm + done_len, prev, copy_len); | |
552 | ||
553 | done_len += copy_len; | |
554 | } | |
5a285add | 555 | ret = 1; |
aacfb134 AG |
556 | |
557 | err: | |
64ed55ab | 558 | OPENSSL_cleanse(prev, sizeof(prev)); |
aacfb134 | 559 | HMAC_CTX_free(hmac); |
64ed55ab | 560 | return ret; |
aacfb134 | 561 | } |
f7d998a2 P |
562 | |
563 | /* | |
564 | * TLS uses slight variations of the above and for FIPS validation purposes, | |
565 | * they need to be present here. | |
566 | * Refer to RFC 8446 section 7 for specific details. | |
567 | */ | |
568 | ||
569 | /* | |
570 | * Given a |secret|; a |label| of length |labellen|; and |data| of length | |
571 | * |datalen| (e.g. typically a hash of the handshake messages), derive a new | |
572 | * secret |outlen| bytes long and store it in the location pointed to be |out|. | |
573 | * The |data| value may be zero length. Returns 1 on success and 0 on failure. | |
574 | */ | |
575 | static int prov_tls13_hkdf_expand(const EVP_MD *md, | |
576 | const unsigned char *key, size_t keylen, | |
577 | const unsigned char *prefix, size_t prefixlen, | |
578 | const unsigned char *label, size_t labellen, | |
579 | const unsigned char *data, size_t datalen, | |
580 | unsigned char *out, size_t outlen) | |
581 | { | |
582 | size_t hkdflabellen; | |
583 | unsigned char hkdflabel[HKDF_MAXBUF]; | |
584 | WPACKET pkt; | |
585 | ||
586 | /* | |
587 | * 2 bytes for length of derived secret + 1 byte for length of combined | |
588 | * prefix and label + bytes for the label itself + 1 byte length of hash | |
589 | * + bytes for the hash itself. We've got the maximum the KDF can handle | |
590 | * which should always be sufficient. | |
591 | */ | |
592 | if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) | |
593 | || !WPACKET_put_bytes_u16(&pkt, outlen) | |
594 | || !WPACKET_start_sub_packet_u8(&pkt) | |
595 | || !WPACKET_memcpy(&pkt, prefix, prefixlen) | |
596 | || !WPACKET_memcpy(&pkt, label, labellen) | |
597 | || !WPACKET_close(&pkt) | |
598 | || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) | |
599 | || !WPACKET_get_total_written(&pkt, &hkdflabellen) | |
600 | || !WPACKET_finish(&pkt)) { | |
601 | WPACKET_cleanup(&pkt); | |
602 | return 0; | |
603 | } | |
604 | ||
605 | return HKDF_Expand(md, key, keylen, hkdflabel, hkdflabellen, | |
606 | out, outlen); | |
607 | } | |
608 | ||
609 | static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, | |
610 | const EVP_MD *md, | |
611 | const unsigned char *prevsecret, | |
612 | size_t prevsecretlen, | |
613 | const unsigned char *insecret, | |
614 | size_t insecretlen, | |
615 | const unsigned char *prefix, | |
616 | size_t prefixlen, | |
617 | const unsigned char *label, | |
618 | size_t labellen, | |
619 | unsigned char *out, size_t outlen) | |
620 | { | |
621 | size_t mdlen; | |
622 | int ret; | |
623 | unsigned char preextractsec[EVP_MAX_MD_SIZE]; | |
624 | /* Always filled with zeros */ | |
625 | static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; | |
626 | ||
627 | ret = EVP_MD_get_size(md); | |
628 | /* Ensure cast to size_t is safe */ | |
629 | if (ret <= 0) | |
630 | return 0; | |
631 | mdlen = (size_t)ret; | |
632 | ||
633 | if (insecret == NULL) { | |
634 | insecret = default_zeros; | |
635 | insecretlen = mdlen; | |
636 | } | |
637 | if (prevsecret == NULL) { | |
638 | prevsecret = default_zeros; | |
639 | prevsecretlen = 0; | |
640 | } else { | |
641 | EVP_MD_CTX *mctx = EVP_MD_CTX_new(); | |
642 | unsigned char hash[EVP_MAX_MD_SIZE]; | |
643 | ||
644 | /* The pre-extract derive step uses a hash of no messages */ | |
645 | if (mctx == NULL | |
646 | || EVP_DigestInit_ex(mctx, md, NULL) <= 0 | |
647 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { | |
648 | EVP_MD_CTX_free(mctx); | |
649 | return 0; | |
650 | } | |
651 | EVP_MD_CTX_free(mctx); | |
652 | ||
653 | /* Generate the pre-extract secret */ | |
654 | if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen, | |
655 | prefix, prefixlen, label, labellen, | |
656 | hash, mdlen, preextractsec, mdlen)) | |
657 | return 0; | |
658 | prevsecret = preextractsec; | |
659 | prevsecretlen = mdlen; | |
660 | } | |
661 | ||
662 | ret = HKDF_Extract(libctx, md, prevsecret, prevsecretlen, | |
663 | insecret, insecretlen, out, outlen); | |
664 | ||
665 | if (prevsecret == preextractsec) | |
666 | OPENSSL_cleanse(preextractsec, mdlen); | |
667 | return ret; | |
668 | } | |
669 | ||
670 | static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, | |
671 | const OSSL_PARAM params[]) | |
672 | { | |
673 | KDF_HKDF *ctx = (KDF_HKDF *)vctx; | |
674 | const EVP_MD *md; | |
675 | ||
676 | if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx, params)) | |
677 | return 0; | |
678 | ||
679 | md = ossl_prov_digest_md(&ctx->digest); | |
680 | if (md == NULL) { | |
681 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); | |
682 | return 0; | |
683 | } | |
684 | ||
685 | switch (ctx->mode) { | |
686 | default: | |
687 | return 0; | |
688 | ||
689 | case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: | |
690 | return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx->provctx), | |
691 | md, | |
692 | ctx->salt, ctx->salt_len, | |
693 | ctx->key, ctx->key_len, | |
694 | ctx->prefix, ctx->prefix_len, | |
695 | ctx->label, ctx->label_len, | |
696 | key, keylen); | |
697 | ||
698 | case EVP_KDF_HKDF_MODE_EXPAND_ONLY: | |
699 | return prov_tls13_hkdf_expand(md, ctx->key, ctx->key_len, | |
700 | ctx->prefix, ctx->prefix_len, | |
701 | ctx->label, ctx->label_len, | |
702 | ctx->data, ctx->data_len, | |
703 | key, keylen); | |
704 | } | |
705 | } | |
706 | ||
707 | static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[]) | |
708 | { | |
709 | const OSSL_PARAM *p; | |
710 | KDF_HKDF *ctx = vctx; | |
711 | ||
712 | if (params == NULL) | |
713 | return 1; | |
714 | ||
715 | if (!hkdf_common_set_ctx_params(ctx, params)) | |
716 | return 0; | |
717 | ||
718 | if (ctx->mode == EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND) { | |
719 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); | |
720 | return 0; | |
721 | } | |
722 | ||
723 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PREFIX)) != NULL) { | |
724 | OPENSSL_free(ctx->prefix); | |
725 | ctx->prefix = NULL; | |
726 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->prefix, 0, | |
727 | &ctx->prefix_len)) | |
728 | return 0; | |
729 | } | |
730 | ||
731 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_LABEL)) != NULL) { | |
732 | OPENSSL_free(ctx->label); | |
733 | ctx->label = NULL; | |
734 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->label, 0, | |
735 | &ctx->label_len)) | |
736 | return 0; | |
737 | } | |
738 | ||
739 | OPENSSL_clear_free(ctx->data, ctx->data_len); | |
740 | ctx->data = NULL; | |
741 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DATA)) != NULL | |
742 | && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0, | |
743 | &ctx->data_len)) | |
744 | return 0; | |
745 | return 1; | |
746 | } | |
747 | ||
748 | static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, | |
749 | ossl_unused void *provctx) | |
750 | { | |
751 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
752 | HKDF_COMMON_SETTABLES, | |
753 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX, NULL, 0), | |
754 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL, NULL, 0), | |
755 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA, NULL, 0), | |
756 | OSSL_PARAM_END | |
757 | }; | |
758 | return known_settable_ctx_params; | |
759 | } | |
760 | ||
761 | const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { | |
762 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, | |
95bd5ff6 | 763 | { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, |
f7d998a2 P |
764 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, |
765 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, | |
766 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, | |
767 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
768 | (void(*)(void))kdf_tls1_3_settable_ctx_params }, | |
769 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_set_ctx_params }, | |
770 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
771 | (void(*)(void))kdf_hkdf_gettable_ctx_params }, | |
772 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params }, | |
773 | { 0, NULL } | |
774 | }; |