2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
13 #ifndef OPENSSL_NO_CMS
18 # include <openssl/hmac.h>
19 # include <openssl/cms.h>
20 # include <openssl/evp.h>
21 # include <openssl/kdf.h>
22 # include <openssl/x509.h>
23 # include <openssl/obj_mac.h>
24 # include "internal/cryptlib.h"
25 # include "internal/evp_int.h"
26 # include "kdf_local.h"
28 # define X942KDF_MAX_INLEN (1 << 30)
30 struct evp_kdf_impl_st
{
32 unsigned char *secret
;
40 /* A table of allowed wrapping algorithms and the associated output lengths */
43 size_t keklen
; /* size in bytes */
45 { NID_id_smime_alg_CMS3DESwrap
, 24 },
46 { NID_id_smime_alg_CMSRC2wrap
, 16 },
47 { NID_id_aes128_wrap
, 16 },
48 { NID_id_aes192_wrap
, 24 },
49 { NID_id_aes256_wrap
, 32 },
50 { NID_id_camellia128_wrap
, 16 },
51 { NID_id_camellia192_wrap
, 24 },
52 { NID_id_camellia256_wrap
, 32 }
55 /* Skip past an ASN1 structure: for OBJECT skip content octets too */
56 static int skip_asn1(unsigned char **pp
, long *plen
, int exptag
)
60 const unsigned char *q
= *pp
;
62 i
= ASN1_get_object(&q
, &tmplen
, &tag
, &xclass
, *plen
);
63 if ((i
& 0x80) != 0 || tag
!= exptag
|| xclass
!= V_ASN1_UNIVERSAL
)
65 if (tag
== V_ASN1_OBJECT
)
67 *pp
= (unsigned char *)q
;
73 * Encode the other info structure.
75 * RFC2631 Section 2.1.2 Contains the following definition for otherinfo
77 * OtherInfo ::= SEQUENCE {
78 * keyInfo KeySpecificInfo,
79 * partyAInfo [0] OCTET STRING OPTIONAL,
80 * suppPubInfo [2] OCTET STRING
83 * KeySpecificInfo ::= SEQUENCE {
84 * algorithm OBJECT IDENTIFIER,
85 * counter OCTET STRING SIZE (4..4)
88 * |nid| is the algorithm object identifier.
89 * |keylen| is the length (in bytes) of the generated KEK. It is stored into
90 * suppPubInfo (in bits).
91 * |ukm| is the optional user keying material that is stored into partyAInfo. It
93 * |ukmlen| is the user keying material length (in bytes).
94 * |der| is the returned encoded data. It must be freed by the caller.
95 * |der_len| is the returned size of the encoded data.
96 * |out_ctr| returns a pointer to the counter data which is embedded inside the
97 * encoded data. This allows the counter bytes to be updated without re-encoding.
99 * Returns: 1 if successfully encoded, or 0 otherwise.
100 * Assumptions: |der|, |der_len| & |out_ctr| are not NULL.
102 static int x942_encode_otherinfo(int nid
, size_t keylen
,
103 const unsigned char *ukm
, size_t ukmlen
,
104 unsigned char **der
, size_t *der_len
,
105 unsigned char **out_ctr
)
107 unsigned char *p
, *encoded
= NULL
;
108 int ret
= 0, encoded_len
;
110 /* "magic" value to check offset is sane */
111 static unsigned char ctr
[4] = { 0x00, 0x00, 0x00, 0x01 };
112 X509_ALGOR
*ksi
= NULL
;
113 ASN1_OBJECT
*alg_oid
= NULL
;
114 ASN1_OCTET_STRING
*ctr_oct
= NULL
, *ukm_oct
= NULL
;
116 /* set the KeySpecificInfo - which contains an algorithm oid and counter */
117 ksi
= X509_ALGOR_new();
118 alg_oid
= OBJ_dup(OBJ_nid2obj(nid
));
119 ctr_oct
= ASN1_OCTET_STRING_new();
123 || !ASN1_OCTET_STRING_set(ctr_oct
, ctr
, sizeof(ctr
))
124 || !X509_ALGOR_set0(ksi
, alg_oid
, V_ASN1_OCTET_STRING
, ctr_oct
))
126 /* NULL these as they now belong to ksi */
130 /* Set the optional partyAInfo */
132 ukm_oct
= ASN1_OCTET_STRING_new();
135 ASN1_OCTET_STRING_set(ukm_oct
, (unsigned char *)ukm
, ukmlen
);
137 /* Generate the OtherInfo DER data */
138 encoded_len
= CMS_SharedInfo_encode(&encoded
, ksi
, ukm_oct
, keylen
);
139 if (encoded_len
<= 0)
142 /* Parse the encoded data to find the offset of the counter data */
144 tlen
= (long)encoded_len
;
145 if (skip_asn1(&p
, &tlen
, V_ASN1_SEQUENCE
)
146 && skip_asn1(&p
, &tlen
, V_ASN1_SEQUENCE
)
147 && skip_asn1(&p
, &tlen
, V_ASN1_OBJECT
)
148 && skip_asn1(&p
, &tlen
, V_ASN1_OCTET_STRING
)
149 && CRYPTO_memcmp(p
, ctr
, 4) == 0) {
152 *der_len
= (size_t)encoded_len
;
157 OPENSSL_free(encoded
);
158 ASN1_OCTET_STRING_free(ctr_oct
);
159 ASN1_OCTET_STRING_free(ukm_oct
);
160 ASN1_OBJECT_free(alg_oid
);
161 X509_ALGOR_free(ksi
);
165 static int x942kdf_hash_kdm(const EVP_MD
*kdf_md
,
166 const unsigned char *z
, size_t z_len
,
167 const unsigned char *other
, size_t other_len
,
169 unsigned char *derived_key
, size_t derived_key_len
)
172 size_t counter
, out_len
, len
= derived_key_len
;
173 unsigned char mac
[EVP_MAX_MD_SIZE
];
174 unsigned char *out
= derived_key
;
175 EVP_MD_CTX
*ctx
= NULL
, *ctx_init
= NULL
;
177 if (z_len
> X942KDF_MAX_INLEN
|| other_len
> X942KDF_MAX_INLEN
178 || derived_key_len
> X942KDF_MAX_INLEN
179 || derived_key_len
== 0) {
180 KDFerr(KDF_F_X942KDF_HASH_KDM
, KDF_R_BAD_LENGTH
);
184 hlen
= EVP_MD_size(kdf_md
);
187 out_len
= (size_t)hlen
;
189 ctx
= EVP_MD_CTX_create();
190 ctx_init
= EVP_MD_CTX_create();
191 if (ctx
== NULL
|| ctx_init
== NULL
)
194 if (!EVP_DigestInit(ctx_init
, kdf_md
))
197 for (counter
= 1;; counter
++) {
198 /* updating the ctr modifies 4 bytes in the 'other' buffer */
199 ctr
[0] = (unsigned char)((counter
>> 24) & 0xff);
200 ctr
[1] = (unsigned char)((counter
>> 16) & 0xff);
201 ctr
[2] = (unsigned char)((counter
>> 8) & 0xff);
202 ctr
[3] = (unsigned char)(counter
& 0xff);
204 if (!EVP_MD_CTX_copy_ex(ctx
, ctx_init
)
205 || !EVP_DigestUpdate(ctx
, z
, z_len
)
206 || !EVP_DigestUpdate(ctx
, other
, other_len
))
208 if (len
>= out_len
) {
209 if (!EVP_DigestFinal_ex(ctx
, out
, NULL
))
216 if (!EVP_DigestFinal_ex(ctx
, mac
, NULL
))
218 memcpy(out
, mac
, len
);
224 EVP_MD_CTX_free(ctx
);
225 EVP_MD_CTX_free(ctx_init
);
226 OPENSSL_cleanse(mac
, sizeof(mac
));
230 static EVP_KDF_IMPL
*x942kdf_new(void)
234 if ((impl
= OPENSSL_zalloc(sizeof(*impl
))) == NULL
)
235 KDFerr(KDF_F_X942KDF_NEW
, ERR_R_MALLOC_FAILURE
);
239 static void x942kdf_reset(EVP_KDF_IMPL
*impl
)
241 OPENSSL_clear_free(impl
->secret
, impl
->secret_len
);
242 OPENSSL_clear_free(impl
->ukm
, impl
->ukm_len
);
243 memset(impl
, 0, sizeof(*impl
));
246 static void x942kdf_free(EVP_KDF_IMPL
*impl
)
252 static int x942kdf_set_buffer(va_list args
, unsigned char **out
, size_t *out_len
)
254 const unsigned char *p
;
257 p
= va_arg(args
, const unsigned char *);
258 len
= va_arg(args
, size_t);
259 if (len
== 0 || p
== NULL
)
263 *out
= OPENSSL_memdup(p
, len
);
271 static int x942kdf_ctrl(EVP_KDF_IMPL
*impl
, int cmd
, va_list args
)
274 char *alg_str
= NULL
;
278 case EVP_KDF_CTRL_SET_MD
:
279 md
= va_arg(args
, const EVP_MD
*);
286 case EVP_KDF_CTRL_SET_KEY
:
287 return x942kdf_set_buffer(args
, &impl
->secret
, &impl
->secret_len
);
289 case EVP_KDF_CTRL_SET_UKM
:
290 return x942kdf_set_buffer(args
, &impl
->ukm
, &impl
->ukm_len
);
292 case EVP_KDF_CTRL_SET_CEK_ALG
:
293 alg_str
= va_arg(args
, char *);
296 impl
->cek_nid
= OBJ_sn2nid(alg_str
);
297 for (i
= 0; i
< (size_t)OSSL_NELEM(kek_algs
); ++i
) {
298 if (kek_algs
[i
].nid
== impl
->cek_nid
) {
299 impl
->dkm_len
= kek_algs
[i
].keklen
;
303 KDFerr(KDF_F_X942KDF_CTRL
, KDF_R_UNSUPPORTED_CEK_ALG
);
311 static int x942kdf_ctrl_str(EVP_KDF_IMPL
*impl
, const char *type
,
314 if (strcmp(type
, "digest") == 0)
315 return kdf_md2ctrl(impl
, x942kdf_ctrl
, EVP_KDF_CTRL_SET_MD
, value
);
317 if (strcmp(type
, "secret") == 0 || strcmp(type
, "key") == 0)
318 return kdf_str2ctrl(impl
, x942kdf_ctrl
, EVP_KDF_CTRL_SET_KEY
,
321 if (strcmp(type
, "hexsecret") == 0 || strcmp(type
, "hexkey") == 0)
322 return kdf_hex2ctrl(impl
, x942kdf_ctrl
, EVP_KDF_CTRL_SET_KEY
,
325 if (strcmp(type
, "ukm") == 0)
326 return kdf_str2ctrl(impl
, x942kdf_ctrl
, EVP_KDF_CTRL_SET_UKM
,
329 if (strcmp(type
, "hexukm") == 0)
330 return kdf_hex2ctrl(impl
, x942kdf_ctrl
, EVP_KDF_CTRL_SET_UKM
,
333 if (strcmp(type
, "cekalg") == 0)
334 return kdf_str2ctrl(impl
, x942kdf_ctrl
, EVP_KDF_CTRL_SET_CEK_ALG
,
340 static size_t x942kdf_size(EVP_KDF_IMPL
*impl
)
344 if (impl
->md
== NULL
) {
345 KDFerr(KDF_F_X942KDF_SIZE
, KDF_R_MISSING_MESSAGE_DIGEST
);
348 len
= EVP_MD_size(impl
->md
);
349 return (len
<= 0) ? 0 : (size_t)len
;
352 static int x942kdf_derive(EVP_KDF_IMPL
*impl
, unsigned char *key
, size_t keylen
)
356 unsigned char *der
= NULL
;
359 if (impl
->secret
== NULL
) {
360 KDFerr(KDF_F_X942KDF_DERIVE
, KDF_R_MISSING_SECRET
);
363 if (impl
->md
== NULL
) {
364 KDFerr(KDF_F_X942KDF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
367 if (impl
->cek_nid
== NID_undef
) {
368 KDFerr(KDF_F_X942KDF_DERIVE
, KDF_R_MISSING_CEK_ALG
);
371 if (impl
->ukm
!= NULL
&& impl
->ukm_len
>= X942KDF_MAX_INLEN
) {
373 * Note the ukm length MUST be 512 bits.
374 * For backwards compatibility the old check is being done.
376 KDFerr(KDF_F_X942KDF_DERIVE
, KDF_R_INAVLID_UKM_LEN
);
379 if (keylen
!= impl
->dkm_len
) {
380 KDFerr(KDF_F_X942KDF_DERIVE
, KDF_R_MISSING_CEK_ALG
);
383 /* generate the otherinfo der */
384 if (!x942_encode_otherinfo(impl
->cek_nid
, impl
->dkm_len
,
385 impl
->ukm
, impl
->ukm_len
,
386 &der
, &der_len
, &ctr
)) {
387 KDFerr(KDF_F_X942KDF_DERIVE
, KDF_R_BAD_ENCODING
);
390 ret
= x942kdf_hash_kdm(impl
->md
, impl
->secret
, impl
->secret_len
,
391 der
, der_len
, ctr
, key
, keylen
);
396 const EVP_KDF x942_kdf_meth
= {
407 #endif /* OPENSSL_NO_CMS */