]>
Commit | Line | Data |
---|---|---|
e3405a4a | 1 | /* |
da1c088f | 2 | * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. |
e3405a4a | 3 | * |
a6ed19dc | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
e3405a4a P |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdlib.h> | |
11 | #include <stdarg.h> | |
12 | #include <string.h> | |
13 | #include <openssl/evp.h> | |
14 | #include <openssl/kdf.h> | |
15 | #include <openssl/core_names.h> | |
2741128e | 16 | #include <openssl/proverr.h> |
e3405a4a P |
17 | #include "internal/cryptlib.h" |
18 | #include "internal/numbers.h" | |
25f2138b | 19 | #include "crypto/evp.h" |
ddd21319 | 20 | #include "prov/provider_ctx.h" |
2b9e4e95 | 21 | #include "prov/providercommon.h" |
af3e7e1b | 22 | #include "prov/implementations.h" |
2b9e4e95 | 23 | #include "prov/provider_util.h" |
e3405a4a P |
24 | |
25 | /* See RFC 4253, Section 7.2 */ | |
363b1e5d | 26 | static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new; |
59558f9d | 27 | static OSSL_FUNC_kdf_dupctx_fn kdf_sshkdf_dup; |
363b1e5d DMSP |
28 | static OSSL_FUNC_kdf_freectx_fn kdf_sshkdf_free; |
29 | static OSSL_FUNC_kdf_reset_fn kdf_sshkdf_reset; | |
30 | static OSSL_FUNC_kdf_derive_fn kdf_sshkdf_derive; | |
31 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_sshkdf_settable_ctx_params; | |
32 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_sshkdf_set_ctx_params; | |
33 | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_sshkdf_gettable_ctx_params; | |
34 | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_sshkdf_get_ctx_params; | |
e3405a4a P |
35 | |
36 | static int SSHKDF(const EVP_MD *evp_md, | |
37 | const unsigned char *key, size_t key_len, | |
38 | const unsigned char *xcghash, size_t xcghash_len, | |
39 | const unsigned char *session_id, size_t session_id_len, | |
40 | char type, unsigned char *okey, size_t okey_len); | |
41 | ||
42 | typedef struct { | |
43 | void *provctx; | |
a1de4680 | 44 | PROV_DIGEST digest; |
e3405a4a P |
45 | unsigned char *key; /* K */ |
46 | size_t key_len; | |
47 | unsigned char *xcghash; /* H */ | |
48 | size_t xcghash_len; | |
49 | char type; /* X */ | |
50 | unsigned char *session_id; | |
51 | size_t session_id_len; | |
52 | } KDF_SSHKDF; | |
53 | ||
54 | static void *kdf_sshkdf_new(void *provctx) | |
55 | { | |
56 | KDF_SSHKDF *ctx; | |
57 | ||
2b9e4e95 P |
58 | if (!ossl_prov_is_running()) |
59 | return NULL; | |
60 | ||
e077455e | 61 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) |
148176ca | 62 | ctx->provctx = provctx; |
e3405a4a P |
63 | return ctx; |
64 | } | |
65 | ||
66 | static void kdf_sshkdf_free(void *vctx) | |
67 | { | |
68 | KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx; | |
69 | ||
3c659415 P |
70 | if (ctx != NULL) { |
71 | kdf_sshkdf_reset(ctx); | |
72 | OPENSSL_free(ctx); | |
73 | } | |
e3405a4a P |
74 | } |
75 | ||
76 | static void kdf_sshkdf_reset(void *vctx) | |
77 | { | |
78 | KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx; | |
0577959c | 79 | void *provctx = ctx->provctx; |
e3405a4a | 80 | |
a1de4680 | 81 | ossl_prov_digest_reset(&ctx->digest); |
e3405a4a P |
82 | OPENSSL_clear_free(ctx->key, ctx->key_len); |
83 | OPENSSL_clear_free(ctx->xcghash, ctx->xcghash_len); | |
84 | OPENSSL_clear_free(ctx->session_id, ctx->session_id_len); | |
85 | memset(ctx, 0, sizeof(*ctx)); | |
0577959c | 86 | ctx->provctx = provctx; |
e3405a4a P |
87 | } |
88 | ||
59558f9d P |
89 | static void *kdf_sshkdf_dup(void *vctx) |
90 | { | |
91 | const KDF_SSHKDF *src = (const KDF_SSHKDF *)vctx; | |
92 | KDF_SSHKDF *dest; | |
93 | ||
94 | dest = kdf_sshkdf_new(src->provctx); | |
95 | if (dest != NULL) { | |
96 | if (!ossl_prov_memdup(src->key, src->key_len, | |
97 | &dest->key, &dest->key_len) | |
98 | || !ossl_prov_memdup(src->xcghash, src->xcghash_len, | |
99 | &dest->xcghash , &dest->xcghash_len) | |
100 | || !ossl_prov_memdup(src->session_id, src->session_id_len, | |
101 | &dest->session_id , &dest->session_id_len) | |
102 | || !ossl_prov_digest_copy(&dest->digest, &src->digest)) | |
103 | goto err; | |
104 | dest->type = src->type; | |
105 | } | |
106 | return dest; | |
107 | ||
108 | err: | |
109 | kdf_sshkdf_free(dest); | |
110 | return NULL; | |
111 | } | |
112 | ||
e3405a4a P |
113 | static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len, |
114 | const OSSL_PARAM *p) | |
115 | { | |
116 | OPENSSL_clear_free(*dst, *dst_len); | |
117 | *dst = NULL; | |
d2217c88 | 118 | *dst_len = 0; |
e3405a4a P |
119 | return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); |
120 | } | |
121 | ||
3469b388 P |
122 | static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, |
123 | const OSSL_PARAM params[]) | |
e3405a4a P |
124 | { |
125 | KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx; | |
2b9e4e95 P |
126 | const EVP_MD *md; |
127 | ||
3469b388 | 128 | if (!ossl_prov_is_running() || !kdf_sshkdf_set_ctx_params(ctx, params)) |
2b9e4e95 | 129 | return 0; |
e3405a4a | 130 | |
2b9e4e95 | 131 | md = ossl_prov_digest_md(&ctx->digest); |
a1de4680 | 132 | if (md == NULL) { |
e3405a4a P |
133 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
134 | return 0; | |
135 | } | |
136 | if (ctx->key == NULL) { | |
137 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); | |
138 | return 0; | |
139 | } | |
140 | if (ctx->xcghash == NULL) { | |
141 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_XCGHASH); | |
142 | return 0; | |
143 | } | |
144 | if (ctx->session_id == NULL) { | |
145 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SESSION_ID); | |
146 | return 0; | |
147 | } | |
148 | if (ctx->type == 0) { | |
149 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); | |
150 | return 0; | |
151 | } | |
a1de4680 | 152 | return SSHKDF(md, ctx->key, ctx->key_len, |
e3405a4a P |
153 | ctx->xcghash, ctx->xcghash_len, |
154 | ctx->session_id, ctx->session_id_len, | |
155 | ctx->type, key, keylen); | |
156 | } | |
157 | ||
158 | static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) | |
159 | { | |
160 | const OSSL_PARAM *p; | |
161 | KDF_SSHKDF *ctx = vctx; | |
a829b735 | 162 | OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); |
e3405a4a | 163 | |
c983a0e5 P |
164 | if (params == NULL) |
165 | return 1; | |
166 | ||
a1de4680 P |
167 | if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) |
168 | return 0; | |
e3405a4a P |
169 | |
170 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) | |
171 | if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p)) | |
172 | return 0; | |
173 | ||
174 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_XCGHASH)) | |
175 | != NULL) | |
176 | if (!sshkdf_set_membuf(&ctx->xcghash, &ctx->xcghash_len, p)) | |
177 | return 0; | |
178 | ||
179 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_SESSION_ID)) | |
180 | != NULL) | |
181 | if (!sshkdf_set_membuf(&ctx->session_id, &ctx->session_id_len, p)) | |
182 | return 0; | |
183 | ||
184 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_TYPE)) | |
185 | != NULL) { | |
270a5ce1 JC |
186 | const char *kdftype; |
187 | ||
188 | if (!OSSL_PARAM_get_utf8_string_ptr(p, &kdftype)) | |
189 | return 0; | |
a8eb71ad RL |
190 | /* Expect one character (byte in this case) */ |
191 | if (kdftype == NULL || p->data_size != 1) | |
e3405a4a | 192 | return 0; |
270a5ce1 | 193 | if (kdftype[0] < 65 || kdftype[0] > 70) { |
e3405a4a P |
194 | ERR_raise(ERR_LIB_PROV, PROV_R_VALUE_ERROR); |
195 | return 0; | |
196 | } | |
270a5ce1 | 197 | ctx->type = kdftype[0]; |
e3405a4a P |
198 | } |
199 | return 1; | |
200 | } | |
201 | ||
1e8e5c60 P |
202 | static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, |
203 | ossl_unused void *p_ctx) | |
e3405a4a P |
204 | { |
205 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
206 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), | |
207 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), | |
208 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), | |
209 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, NULL, 0), | |
210 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, NULL, 0), | |
211 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, NULL, 0), | |
212 | OSSL_PARAM_END | |
213 | }; | |
214 | return known_settable_ctx_params; | |
215 | } | |
216 | ||
217 | static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) | |
218 | { | |
219 | OSSL_PARAM *p; | |
220 | ||
221 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) | |
222 | return OSSL_PARAM_set_size_t(p, SIZE_MAX); | |
223 | return -2; | |
224 | } | |
225 | ||
1e8e5c60 P |
226 | static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, |
227 | ossl_unused void *p_ctx) | |
e3405a4a P |
228 | { |
229 | static const OSSL_PARAM known_gettable_ctx_params[] = { | |
230 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
231 | OSSL_PARAM_END | |
232 | }; | |
233 | return known_gettable_ctx_params; | |
234 | } | |
235 | ||
1be63951 | 236 | const OSSL_DISPATCH ossl_kdf_sshkdf_functions[] = { |
e3405a4a | 237 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_sshkdf_new }, |
59558f9d | 238 | { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_sshkdf_dup }, |
e3405a4a P |
239 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_sshkdf_free }, |
240 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_sshkdf_reset }, | |
241 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_sshkdf_derive }, | |
242 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
243 | (void(*)(void))kdf_sshkdf_settable_ctx_params }, | |
244 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_set_ctx_params }, | |
245 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
246 | (void(*)(void))kdf_sshkdf_gettable_ctx_params }, | |
247 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_get_ctx_params }, | |
1e6bd31e | 248 | OSSL_DISPATCH_END |
e3405a4a P |
249 | }; |
250 | ||
251 | static int SSHKDF(const EVP_MD *evp_md, | |
252 | const unsigned char *key, size_t key_len, | |
253 | const unsigned char *xcghash, size_t xcghash_len, | |
254 | const unsigned char *session_id, size_t session_id_len, | |
255 | char type, unsigned char *okey, size_t okey_len) | |
256 | { | |
257 | EVP_MD_CTX *md = NULL; | |
258 | unsigned char digest[EVP_MAX_MD_SIZE]; | |
259 | unsigned int dsize = 0; | |
260 | size_t cursize = 0; | |
261 | int ret = 0; | |
262 | ||
263 | md = EVP_MD_CTX_new(); | |
264 | if (md == NULL) | |
265 | return 0; | |
266 | ||
267 | if (!EVP_DigestInit_ex(md, evp_md, NULL)) | |
268 | goto out; | |
269 | ||
270 | if (!EVP_DigestUpdate(md, key, key_len)) | |
271 | goto out; | |
272 | ||
273 | if (!EVP_DigestUpdate(md, xcghash, xcghash_len)) | |
274 | goto out; | |
275 | ||
276 | if (!EVP_DigestUpdate(md, &type, 1)) | |
277 | goto out; | |
278 | ||
279 | if (!EVP_DigestUpdate(md, session_id, session_id_len)) | |
280 | goto out; | |
281 | ||
282 | if (!EVP_DigestFinal_ex(md, digest, &dsize)) | |
283 | goto out; | |
284 | ||
285 | if (okey_len < dsize) { | |
286 | memcpy(okey, digest, okey_len); | |
287 | ret = 1; | |
288 | goto out; | |
289 | } | |
290 | ||
291 | memcpy(okey, digest, dsize); | |
292 | ||
293 | for (cursize = dsize; cursize < okey_len; cursize += dsize) { | |
294 | ||
295 | if (!EVP_DigestInit_ex(md, evp_md, NULL)) | |
296 | goto out; | |
297 | ||
298 | if (!EVP_DigestUpdate(md, key, key_len)) | |
299 | goto out; | |
300 | ||
301 | if (!EVP_DigestUpdate(md, xcghash, xcghash_len)) | |
302 | goto out; | |
303 | ||
304 | if (!EVP_DigestUpdate(md, okey, cursize)) | |
305 | goto out; | |
306 | ||
307 | if (!EVP_DigestFinal_ex(md, digest, &dsize)) | |
308 | goto out; | |
309 | ||
310 | if (okey_len < cursize + dsize) { | |
311 | memcpy(okey + cursize, digest, okey_len - cursize); | |
312 | ret = 1; | |
313 | goto out; | |
314 | } | |
315 | ||
316 | memcpy(okey + cursize, digest, dsize); | |
317 | } | |
318 | ||
319 | ret = 1; | |
320 | ||
321 | out: | |
322 | EVP_MD_CTX_free(md); | |
323 | OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE); | |
324 | return ret; | |
325 | } | |
326 |