A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

316 lines
8.0 KiB

  1. /*
  2. * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/hmac.h>
  12. #include <openssl/kdf.h>
  13. #include <openssl/evp.h>
  14. #include "internal/cryptlib.h"
  15. #include "internal/evp_int.h"
  16. #define HKDF_MAXBUF 1024
  17. static unsigned char *HKDF(const EVP_MD *evp_md,
  18. const unsigned char *salt, size_t salt_len,
  19. const unsigned char *key, size_t key_len,
  20. const unsigned char *info, size_t info_len,
  21. unsigned char *okm, size_t okm_len);
  22. static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
  23. const unsigned char *salt, size_t salt_len,
  24. const unsigned char *key, size_t key_len,
  25. unsigned char *prk, size_t *prk_len);
  26. static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
  27. const unsigned char *prk, size_t prk_len,
  28. const unsigned char *info, size_t info_len,
  29. unsigned char *okm, size_t okm_len);
  30. typedef struct {
  31. int mode;
  32. const EVP_MD *md;
  33. unsigned char *salt;
  34. size_t salt_len;
  35. unsigned char *key;
  36. size_t key_len;
  37. unsigned char info[HKDF_MAXBUF];
  38. size_t info_len;
  39. } HKDF_PKEY_CTX;
  40. static int pkey_hkdf_init(EVP_PKEY_CTX *ctx)
  41. {
  42. HKDF_PKEY_CTX *kctx;
  43. kctx = OPENSSL_zalloc(sizeof(*kctx));
  44. if (kctx == NULL)
  45. return 0;
  46. ctx->data = kctx;
  47. return 1;
  48. }
  49. static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)
  50. {
  51. HKDF_PKEY_CTX *kctx = ctx->data;
  52. OPENSSL_clear_free(kctx->salt, kctx->salt_len);
  53. OPENSSL_clear_free(kctx->key, kctx->key_len);
  54. OPENSSL_cleanse(kctx->info, kctx->info_len);
  55. OPENSSL_free(kctx);
  56. }
  57. static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
  58. {
  59. HKDF_PKEY_CTX *kctx = ctx->data;
  60. switch (type) {
  61. case EVP_PKEY_CTRL_HKDF_MD:
  62. if (p2 == NULL)
  63. return 0;
  64. kctx->md = p2;
  65. return 1;
  66. case EVP_PKEY_CTRL_HKDF_MODE:
  67. kctx->mode = p1;
  68. return 1;
  69. case EVP_PKEY_CTRL_HKDF_SALT:
  70. if (p1 == 0 || p2 == NULL)
  71. return 1;
  72. if (p1 < 0)
  73. return 0;
  74. if (kctx->salt != NULL)
  75. OPENSSL_clear_free(kctx->salt, kctx->salt_len);
  76. kctx->salt = OPENSSL_memdup(p2, p1);
  77. if (kctx->salt == NULL)
  78. return 0;
  79. kctx->salt_len = p1;
  80. return 1;
  81. case EVP_PKEY_CTRL_HKDF_KEY:
  82. if (p1 < 0)
  83. return 0;
  84. if (kctx->key != NULL)
  85. OPENSSL_clear_free(kctx->key, kctx->key_len);
  86. kctx->key = OPENSSL_memdup(p2, p1);
  87. if (kctx->key == NULL)
  88. return 0;
  89. kctx->key_len = p1;
  90. return 1;
  91. case EVP_PKEY_CTRL_HKDF_INFO:
  92. if (p1 == 0 || p2 == NULL)
  93. return 1;
  94. if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len))
  95. return 0;
  96. memcpy(kctx->info + kctx->info_len, p2, p1);
  97. kctx->info_len += p1;
  98. return 1;
  99. default:
  100. return -2;
  101. }
  102. }
  103. static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
  104. const char *value)
  105. {
  106. if (strcmp(type, "md") == 0)
  107. return EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_get_digestbyname(value));
  108. if (strcmp(type, "salt") == 0)
  109. return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
  110. if (strcmp(type, "hexsalt") == 0)
  111. return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
  112. if (strcmp(type, "key") == 0)
  113. return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
  114. if (strcmp(type, "hexkey") == 0)
  115. return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
  116. if (strcmp(type, "info") == 0)
  117. return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
  118. if (strcmp(type, "hexinfo") == 0)
  119. return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
  120. return -2;
  121. }
  122. static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
  123. size_t *keylen)
  124. {
  125. HKDF_PKEY_CTX *kctx = ctx->data;
  126. if (kctx->md == NULL || kctx->key == NULL)
  127. return 0;
  128. switch (kctx->mode) {
  129. case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND:
  130. return HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key,
  131. kctx->key_len, kctx->info, kctx->info_len, key,
  132. *keylen) != NULL;
  133. case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:
  134. if (key == NULL) {
  135. *keylen = EVP_MD_size(kctx->md);
  136. return 1;
  137. }
  138. return HKDF_Extract(kctx->md, kctx->salt, kctx->salt_len, kctx->key,
  139. kctx->key_len, key, keylen) != NULL;
  140. case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY:
  141. return HKDF_Expand(kctx->md, kctx->key, kctx->key_len, kctx->info,
  142. kctx->info_len, key, *keylen) != NULL;
  143. default:
  144. return 0;
  145. }
  146. }
  147. const EVP_PKEY_METHOD hkdf_pkey_meth = {
  148. EVP_PKEY_HKDF,
  149. 0,
  150. pkey_hkdf_init,
  151. 0,
  152. pkey_hkdf_cleanup,
  153. 0, 0,
  154. 0, 0,
  155. 0,
  156. 0,
  157. 0,
  158. 0,
  159. 0, 0,
  160. 0, 0, 0, 0,
  161. 0, 0,
  162. 0, 0,
  163. 0,
  164. pkey_hkdf_derive,
  165. pkey_hkdf_ctrl,
  166. pkey_hkdf_ctrl_str
  167. };
  168. static unsigned char *HKDF(const EVP_MD *evp_md,
  169. const unsigned char *salt, size_t salt_len,
  170. const unsigned char *key, size_t key_len,
  171. const unsigned char *info, size_t info_len,
  172. unsigned char *okm, size_t okm_len)
  173. {
  174. unsigned char prk[EVP_MAX_MD_SIZE];
  175. unsigned char *ret;
  176. size_t prk_len;
  177. if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len))
  178. return NULL;
  179. ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
  180. OPENSSL_cleanse(prk, sizeof(prk));
  181. return ret;
  182. }
  183. static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
  184. const unsigned char *salt, size_t salt_len,
  185. const unsigned char *key, size_t key_len,
  186. unsigned char *prk, size_t *prk_len)
  187. {
  188. unsigned int tmp_len;
  189. if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len))
  190. return NULL;
  191. *prk_len = tmp_len;
  192. return prk;
  193. }
  194. static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
  195. const unsigned char *prk, size_t prk_len,
  196. const unsigned char *info, size_t info_len,
  197. unsigned char *okm, size_t okm_len)
  198. {
  199. HMAC_CTX *hmac;
  200. unsigned int i;
  201. unsigned char prev[EVP_MAX_MD_SIZE];
  202. size_t done_len = 0, dig_len = EVP_MD_size(evp_md);
  203. size_t n = okm_len / dig_len;
  204. if (okm_len % dig_len)
  205. n++;
  206. if (n > 255 || okm == NULL)
  207. return NULL;
  208. if ((hmac = HMAC_CTX_new()) == NULL)
  209. return NULL;
  210. if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
  211. goto err;
  212. for (i = 1; i <= n; i++) {
  213. size_t copy_len;
  214. const unsigned char ctr = i;
  215. if (i > 1) {
  216. if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL))
  217. goto err;
  218. if (!HMAC_Update(hmac, prev, dig_len))
  219. goto err;
  220. }
  221. if (!HMAC_Update(hmac, info, info_len))
  222. goto err;
  223. if (!HMAC_Update(hmac, &ctr, 1))
  224. goto err;
  225. if (!HMAC_Final(hmac, prev, NULL))
  226. goto err;
  227. copy_len = (done_len + dig_len > okm_len) ?
  228. okm_len - done_len :
  229. dig_len;
  230. memcpy(okm + done_len, prev, copy_len);
  231. done_len += copy_len;
  232. }
  233. HMAC_CTX_free(hmac);
  234. return okm;
  235. err:
  236. HMAC_CTX_free(hmac);
  237. return NULL;
  238. }