A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

741 lines
24 KiB

  1. /*
  2. * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * HMAC low level APIs are deprecated for public use, but still ok for internal
  11. * use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdlib.h>
  15. #include <stdarg.h>
  16. #include <string.h>
  17. #include <openssl/hmac.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/kdf.h>
  20. #include <openssl/core_names.h>
  21. #include <openssl/proverr.h>
  22. #include "internal/cryptlib.h"
  23. #include "internal/numbers.h"
  24. #include "internal/packet.h"
  25. #include "crypto/evp.h"
  26. #include "prov/provider_ctx.h"
  27. #include "prov/providercommon.h"
  28. #include "prov/implementations.h"
  29. #include "prov/provider_util.h"
  30. #include "e_os.h"
  31. #define HKDF_MAXBUF 2048
  32. static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new;
  33. static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free;
  34. static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset;
  35. static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive;
  36. static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
  37. static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
  38. static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
  39. static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
  40. static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
  41. static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
  42. static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
  43. static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  44. const unsigned char *salt, size_t salt_len,
  45. const unsigned char *key, size_t key_len,
  46. const unsigned char *info, size_t info_len,
  47. unsigned char *okm, size_t okm_len);
  48. static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  49. const unsigned char *salt, size_t salt_len,
  50. const unsigned char *ikm, size_t ikm_len,
  51. unsigned char *prk, size_t prk_len);
  52. static int HKDF_Expand(const EVP_MD *evp_md,
  53. const unsigned char *prk, size_t prk_len,
  54. const unsigned char *info, size_t info_len,
  55. unsigned char *okm, size_t okm_len);
  56. /* Settable context parameters that are common across HKDF and the TLS KDF */
  57. #define HKDF_COMMON_SETTABLES \
  58. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \
  59. OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \
  60. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \
  61. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \
  62. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \
  63. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0)
  64. typedef struct {
  65. void *provctx;
  66. int mode;
  67. PROV_DIGEST digest;
  68. unsigned char *salt;
  69. size_t salt_len;
  70. unsigned char *key;
  71. size_t key_len;
  72. unsigned char *prefix;
  73. size_t prefix_len;
  74. unsigned char *label;
  75. size_t label_len;
  76. unsigned char *data;
  77. size_t data_len;
  78. unsigned char info[HKDF_MAXBUF];
  79. size_t info_len;
  80. } KDF_HKDF;
  81. static void *kdf_hkdf_new(void *provctx)
  82. {
  83. KDF_HKDF *ctx;
  84. if (!ossl_prov_is_running())
  85. return NULL;
  86. if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
  87. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  88. else
  89. ctx->provctx = provctx;
  90. return ctx;
  91. }
  92. static void kdf_hkdf_free(void *vctx)
  93. {
  94. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  95. if (ctx != NULL) {
  96. kdf_hkdf_reset(ctx);
  97. OPENSSL_free(ctx);
  98. }
  99. }
  100. static void kdf_hkdf_reset(void *vctx)
  101. {
  102. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  103. void *provctx = ctx->provctx;
  104. ossl_prov_digest_reset(&ctx->digest);
  105. OPENSSL_free(ctx->salt);
  106. OPENSSL_free(ctx->prefix);
  107. OPENSSL_free(ctx->label);
  108. OPENSSL_clear_free(ctx->data, ctx->data_len);
  109. OPENSSL_clear_free(ctx->key, ctx->key_len);
  110. OPENSSL_cleanse(ctx->info, ctx->info_len);
  111. memset(ctx, 0, sizeof(*ctx));
  112. ctx->provctx = provctx;
  113. }
  114. static size_t kdf_hkdf_size(KDF_HKDF *ctx)
  115. {
  116. int sz;
  117. const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
  118. if (ctx->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
  119. return SIZE_MAX;
  120. if (md == NULL) {
  121. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  122. return 0;
  123. }
  124. sz = EVP_MD_get_size(md);
  125. if (sz < 0)
  126. return 0;
  127. return sz;
  128. }
  129. static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
  130. const OSSL_PARAM params[])
  131. {
  132. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  133. OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
  134. const EVP_MD *md;
  135. if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params))
  136. return 0;
  137. md = ossl_prov_digest_md(&ctx->digest);
  138. if (md == NULL) {
  139. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  140. return 0;
  141. }
  142. if (ctx->key == NULL) {
  143. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
  144. return 0;
  145. }
  146. if (keylen == 0) {
  147. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
  148. return 0;
  149. }
  150. switch (ctx->mode) {
  151. case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
  152. default:
  153. return HKDF(libctx, md, ctx->salt, ctx->salt_len,
  154. ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen);
  155. case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
  156. return HKDF_Extract(libctx, md, ctx->salt, ctx->salt_len,
  157. ctx->key, ctx->key_len, key, keylen);
  158. case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
  159. return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info,
  160. ctx->info_len, key, keylen);
  161. }
  162. }
  163. static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[])
  164. {
  165. OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
  166. const OSSL_PARAM *p;
  167. int n;
  168. if (params == NULL)
  169. return 1;
  170. if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
  171. return 0;
  172. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) {
  173. if (p->data_type == OSSL_PARAM_UTF8_STRING) {
  174. if (strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) {
  175. ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND;
  176. } else if (strcasecmp(p->data, "EXTRACT_ONLY") == 0) {
  177. ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
  178. } else if (strcasecmp(p->data, "EXPAND_ONLY") == 0) {
  179. ctx->mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
  180. } else {
  181. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  182. return 0;
  183. }
  184. } else if (OSSL_PARAM_get_int(p, &n)) {
  185. if (n != EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
  186. && n != EVP_KDF_HKDF_MODE_EXTRACT_ONLY
  187. && n != EVP_KDF_HKDF_MODE_EXPAND_ONLY) {
  188. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  189. return 0;
  190. }
  191. ctx->mode = n;
  192. } else {
  193. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  194. return 0;
  195. }
  196. }
  197. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) {
  198. OPENSSL_clear_free(ctx->key, ctx->key_len);
  199. ctx->key = NULL;
  200. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->key, 0,
  201. &ctx->key_len))
  202. return 0;
  203. }
  204. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
  205. if (p->data_size != 0 && p->data != NULL) {
  206. OPENSSL_free(ctx->salt);
  207. ctx->salt = NULL;
  208. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0,
  209. &ctx->salt_len))
  210. return 0;
  211. }
  212. }
  213. return 1;
  214. }
  215. static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  216. {
  217. const OSSL_PARAM *p;
  218. KDF_HKDF *ctx = vctx;
  219. if (params == NULL)
  220. return 1;
  221. if (!hkdf_common_set_ctx_params(ctx, params))
  222. return 0;
  223. /* The info fields concatenate, so process them all */
  224. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) {
  225. ctx->info_len = 0;
  226. for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1,
  227. OSSL_KDF_PARAM_INFO)) {
  228. const void *q = ctx->info + ctx->info_len;
  229. size_t sz = 0;
  230. if (p->data_size != 0
  231. && p->data != NULL
  232. && !OSSL_PARAM_get_octet_string(p, (void **)&q,
  233. HKDF_MAXBUF - ctx->info_len,
  234. &sz))
  235. return 0;
  236. ctx->info_len += sz;
  237. }
  238. }
  239. return 1;
  240. }
  241. static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx,
  242. ossl_unused void *provctx)
  243. {
  244. static const OSSL_PARAM known_settable_ctx_params[] = {
  245. HKDF_COMMON_SETTABLES,
  246. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
  247. OSSL_PARAM_END
  248. };
  249. return known_settable_ctx_params;
  250. }
  251. static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
  252. {
  253. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  254. OSSL_PARAM *p;
  255. if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
  256. size_t sz = kdf_hkdf_size(ctx);
  257. if (sz == 0)
  258. return 0;
  259. return OSSL_PARAM_set_size_t(p, sz);
  260. }
  261. return -2;
  262. }
  263. static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
  264. ossl_unused void *provctx)
  265. {
  266. static const OSSL_PARAM known_gettable_ctx_params[] = {
  267. OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
  268. OSSL_PARAM_END
  269. };
  270. return known_gettable_ctx_params;
  271. }
  272. const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = {
  273. { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
  274. { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
  275. { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
  276. { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_hkdf_derive },
  277. { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
  278. (void(*)(void))kdf_hkdf_settable_ctx_params },
  279. { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_hkdf_set_ctx_params },
  280. { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
  281. (void(*)(void))kdf_hkdf_gettable_ctx_params },
  282. { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params },
  283. { 0, NULL }
  284. };
  285. /*
  286. * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
  287. * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and
  288. * "Cryptographic Extraction and Key Derivation: The HKDF Scheme"
  289. * Section 4.2 (https://eprint.iacr.org/2010/264.pdf).
  290. *
  291. * From the paper:
  292. * The scheme HKDF is specified as:
  293. * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t)
  294. *
  295. * where:
  296. * SKM is source key material
  297. * XTS is extractor salt (which may be null or constant)
  298. * CTXinfo is context information (may be null)
  299. * L is the number of key bits to be produced by KDF
  300. * k is the output length in bits of the hash function used with HMAC
  301. * t = ceil(L/k)
  302. * the value K(t) is truncated to its first d = L mod k bits.
  303. *
  304. * From RFC 5869:
  305. * 2.2. Step 1: Extract
  306. * HKDF-Extract(salt, IKM) -> PRK
  307. * 2.3. Step 2: Expand
  308. * HKDF-Expand(PRK, info, L) -> OKM
  309. */
  310. static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  311. const unsigned char *salt, size_t salt_len,
  312. const unsigned char *ikm, size_t ikm_len,
  313. const unsigned char *info, size_t info_len,
  314. unsigned char *okm, size_t okm_len)
  315. {
  316. unsigned char prk[EVP_MAX_MD_SIZE];
  317. int ret, sz;
  318. size_t prk_len;
  319. sz = EVP_MD_get_size(evp_md);
  320. if (sz < 0)
  321. return 0;
  322. prk_len = (size_t)sz;
  323. /* Step 1: HKDF-Extract(salt, IKM) -> PRK */
  324. if (!HKDF_Extract(libctx, evp_md,
  325. salt, salt_len, ikm, ikm_len, prk, prk_len))
  326. return 0;
  327. /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */
  328. ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
  329. OPENSSL_cleanse(prk, sizeof(prk));
  330. return ret;
  331. }
  332. /*
  333. * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
  334. * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2).
  335. *
  336. * 2.2. Step 1: Extract
  337. *
  338. * HKDF-Extract(salt, IKM) -> PRK
  339. *
  340. * Options:
  341. * Hash a hash function; HashLen denotes the length of the
  342. * hash function output in octets
  343. *
  344. * Inputs:
  345. * salt optional salt value (a non-secret random value);
  346. * if not provided, it is set to a string of HashLen zeros.
  347. * IKM input keying material
  348. *
  349. * Output:
  350. * PRK a pseudorandom key (of HashLen octets)
  351. *
  352. * The output PRK is calculated as follows:
  353. *
  354. * PRK = HMAC-Hash(salt, IKM)
  355. */
  356. static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  357. const unsigned char *salt, size_t salt_len,
  358. const unsigned char *ikm, size_t ikm_len,
  359. unsigned char *prk, size_t prk_len)
  360. {
  361. int sz = EVP_MD_get_size(evp_md);
  362. if (sz < 0)
  363. return 0;
  364. if (prk_len != (size_t)sz) {
  365. ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE);
  366. return 0;
  367. }
  368. /* calc: PRK = HMAC-Hash(salt, IKM) */
  369. return
  370. EVP_Q_mac(libctx, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL, salt,
  371. salt_len, ikm, ikm_len, prk, EVP_MD_get_size(evp_md), NULL)
  372. != NULL;
  373. }
  374. /*
  375. * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
  376. * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3).
  377. *
  378. * 2.3. Step 2: Expand
  379. *
  380. * HKDF-Expand(PRK, info, L) -> OKM
  381. *
  382. * Options:
  383. * Hash a hash function; HashLen denotes the length of the
  384. * hash function output in octets
  385. *
  386. * Inputs:
  387. * PRK a pseudorandom key of at least HashLen octets
  388. * (usually, the output from the extract step)
  389. * info optional context and application specific information
  390. * (can be a zero-length string)
  391. * L length of output keying material in octets
  392. * (<= 255*HashLen)
  393. *
  394. * Output:
  395. * OKM output keying material (of L octets)
  396. *
  397. * The output OKM is calculated as follows:
  398. *
  399. * N = ceil(L/HashLen)
  400. * T = T(1) | T(2) | T(3) | ... | T(N)
  401. * OKM = first L octets of T
  402. *
  403. * where:
  404. * T(0) = empty string (zero length)
  405. * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
  406. * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
  407. * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
  408. * ...
  409. *
  410. * (where the constant concatenated to the end of each T(n) is a
  411. * single octet.)
  412. */
  413. static int HKDF_Expand(const EVP_MD *evp_md,
  414. const unsigned char *prk, size_t prk_len,
  415. const unsigned char *info, size_t info_len,
  416. unsigned char *okm, size_t okm_len)
  417. {
  418. HMAC_CTX *hmac;
  419. int ret = 0, sz;
  420. unsigned int i;
  421. unsigned char prev[EVP_MAX_MD_SIZE];
  422. size_t done_len = 0, dig_len, n;
  423. sz = EVP_MD_get_size(evp_md);
  424. if (sz <= 0)
  425. return 0;
  426. dig_len = (size_t)sz;
  427. /* calc: N = ceil(L/HashLen) */
  428. n = okm_len / dig_len;
  429. if (okm_len % dig_len)
  430. n++;
  431. if (n > 255 || okm == NULL)
  432. return 0;
  433. if ((hmac = HMAC_CTX_new()) == NULL)
  434. return 0;
  435. if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
  436. goto err;
  437. for (i = 1; i <= n; i++) {
  438. size_t copy_len;
  439. const unsigned char ctr = i;
  440. /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */
  441. if (i > 1) {
  442. if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL))
  443. goto err;
  444. if (!HMAC_Update(hmac, prev, dig_len))
  445. goto err;
  446. }
  447. if (!HMAC_Update(hmac, info, info_len))
  448. goto err;
  449. if (!HMAC_Update(hmac, &ctr, 1))
  450. goto err;
  451. if (!HMAC_Final(hmac, prev, NULL))
  452. goto err;
  453. copy_len = (done_len + dig_len > okm_len) ?
  454. okm_len - done_len :
  455. dig_len;
  456. memcpy(okm + done_len, prev, copy_len);
  457. done_len += copy_len;
  458. }
  459. ret = 1;
  460. err:
  461. OPENSSL_cleanse(prev, sizeof(prev));
  462. HMAC_CTX_free(hmac);
  463. return ret;
  464. }
  465. /*
  466. * TLS uses slight variations of the above and for FIPS validation purposes,
  467. * they need to be present here.
  468. * Refer to RFC 8446 section 7 for specific details.
  469. */
  470. /*
  471. * Given a |secret|; a |label| of length |labellen|; and |data| of length
  472. * |datalen| (e.g. typically a hash of the handshake messages), derive a new
  473. * secret |outlen| bytes long and store it in the location pointed to be |out|.
  474. * The |data| value may be zero length. Returns 1 on success and 0 on failure.
  475. */
  476. static int prov_tls13_hkdf_expand(const EVP_MD *md,
  477. const unsigned char *key, size_t keylen,
  478. const unsigned char *prefix, size_t prefixlen,
  479. const unsigned char *label, size_t labellen,
  480. const unsigned char *data, size_t datalen,
  481. unsigned char *out, size_t outlen)
  482. {
  483. size_t hkdflabellen;
  484. unsigned char hkdflabel[HKDF_MAXBUF];
  485. WPACKET pkt;
  486. /*
  487. * 2 bytes for length of derived secret + 1 byte for length of combined
  488. * prefix and label + bytes for the label itself + 1 byte length of hash
  489. * + bytes for the hash itself. We've got the maximum the KDF can handle
  490. * which should always be sufficient.
  491. */
  492. if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
  493. || !WPACKET_put_bytes_u16(&pkt, outlen)
  494. || !WPACKET_start_sub_packet_u8(&pkt)
  495. || !WPACKET_memcpy(&pkt, prefix, prefixlen)
  496. || !WPACKET_memcpy(&pkt, label, labellen)
  497. || !WPACKET_close(&pkt)
  498. || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
  499. || !WPACKET_get_total_written(&pkt, &hkdflabellen)
  500. || !WPACKET_finish(&pkt)) {
  501. WPACKET_cleanup(&pkt);
  502. return 0;
  503. }
  504. return HKDF_Expand(md, key, keylen, hkdflabel, hkdflabellen,
  505. out, outlen);
  506. }
  507. static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
  508. const EVP_MD *md,
  509. const unsigned char *prevsecret,
  510. size_t prevsecretlen,
  511. const unsigned char *insecret,
  512. size_t insecretlen,
  513. const unsigned char *prefix,
  514. size_t prefixlen,
  515. const unsigned char *label,
  516. size_t labellen,
  517. unsigned char *out, size_t outlen)
  518. {
  519. size_t mdlen;
  520. int ret;
  521. unsigned char preextractsec[EVP_MAX_MD_SIZE];
  522. /* Always filled with zeros */
  523. static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
  524. ret = EVP_MD_get_size(md);
  525. /* Ensure cast to size_t is safe */
  526. if (ret <= 0)
  527. return 0;
  528. mdlen = (size_t)ret;
  529. if (insecret == NULL) {
  530. insecret = default_zeros;
  531. insecretlen = mdlen;
  532. }
  533. if (prevsecret == NULL) {
  534. prevsecret = default_zeros;
  535. prevsecretlen = 0;
  536. } else {
  537. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  538. unsigned char hash[EVP_MAX_MD_SIZE];
  539. /* The pre-extract derive step uses a hash of no messages */
  540. if (mctx == NULL
  541. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  542. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  543. EVP_MD_CTX_free(mctx);
  544. return 0;
  545. }
  546. EVP_MD_CTX_free(mctx);
  547. /* Generate the pre-extract secret */
  548. if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen,
  549. prefix, prefixlen, label, labellen,
  550. hash, mdlen, preextractsec, mdlen))
  551. return 0;
  552. prevsecret = preextractsec;
  553. prevsecretlen = mdlen;
  554. }
  555. ret = HKDF_Extract(libctx, md, prevsecret, prevsecretlen,
  556. insecret, insecretlen, out, outlen);
  557. if (prevsecret == preextractsec)
  558. OPENSSL_cleanse(preextractsec, mdlen);
  559. return ret;
  560. }
  561. static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
  562. const OSSL_PARAM params[])
  563. {
  564. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  565. const EVP_MD *md;
  566. if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx, params))
  567. return 0;
  568. md = ossl_prov_digest_md(&ctx->digest);
  569. if (md == NULL) {
  570. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  571. return 0;
  572. }
  573. switch (ctx->mode) {
  574. default:
  575. return 0;
  576. case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
  577. return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx->provctx),
  578. md,
  579. ctx->salt, ctx->salt_len,
  580. ctx->key, ctx->key_len,
  581. ctx->prefix, ctx->prefix_len,
  582. ctx->label, ctx->label_len,
  583. key, keylen);
  584. case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
  585. return prov_tls13_hkdf_expand(md, ctx->key, ctx->key_len,
  586. ctx->prefix, ctx->prefix_len,
  587. ctx->label, ctx->label_len,
  588. ctx->data, ctx->data_len,
  589. key, keylen);
  590. }
  591. }
  592. static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  593. {
  594. const OSSL_PARAM *p;
  595. KDF_HKDF *ctx = vctx;
  596. if (params == NULL)
  597. return 1;
  598. if (!hkdf_common_set_ctx_params(ctx, params))
  599. return 0;
  600. if (ctx->mode == EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND) {
  601. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  602. return 0;
  603. }
  604. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PREFIX)) != NULL) {
  605. OPENSSL_free(ctx->prefix);
  606. ctx->prefix = NULL;
  607. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->prefix, 0,
  608. &ctx->prefix_len))
  609. return 0;
  610. }
  611. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_LABEL)) != NULL) {
  612. OPENSSL_free(ctx->label);
  613. ctx->label = NULL;
  614. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->label, 0,
  615. &ctx->label_len))
  616. return 0;
  617. }
  618. OPENSSL_clear_free(ctx->data, ctx->data_len);
  619. ctx->data = NULL;
  620. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DATA)) != NULL
  621. && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0,
  622. &ctx->data_len))
  623. return 0;
  624. return 1;
  625. }
  626. static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
  627. ossl_unused void *provctx)
  628. {
  629. static const OSSL_PARAM known_settable_ctx_params[] = {
  630. HKDF_COMMON_SETTABLES,
  631. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX, NULL, 0),
  632. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL, NULL, 0),
  633. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA, NULL, 0),
  634. OSSL_PARAM_END
  635. };
  636. return known_settable_ctx_params;
  637. }
  638. const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
  639. { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
  640. { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
  641. { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
  642. { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive },
  643. { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
  644. (void(*)(void))kdf_tls1_3_settable_ctx_params },
  645. { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_set_ctx_params },
  646. { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
  647. (void(*)(void))kdf_hkdf_gettable_ctx_params },
  648. { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params },
  649. { 0, NULL }
  650. };