sshkdf.c 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326
  1. /*
  2. * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <stdarg.h>
  11. #include <string.h>
  12. #include <openssl/evp.h>
  13. #include <openssl/kdf.h>
  14. #include <openssl/core_names.h>
  15. #include <openssl/proverr.h>
  16. #include "internal/cryptlib.h"
  17. #include "internal/numbers.h"
  18. #include "crypto/evp.h"
  19. #include "prov/provider_ctx.h"
  20. #include "prov/providercommon.h"
  21. #include "prov/implementations.h"
  22. #include "prov/provider_util.h"
  23. /* See RFC 4253, Section 7.2 */
  24. static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
  25. static OSSL_FUNC_kdf_dupctx_fn kdf_sshkdf_dup;
  26. static OSSL_FUNC_kdf_freectx_fn kdf_sshkdf_free;
  27. static OSSL_FUNC_kdf_reset_fn kdf_sshkdf_reset;
  28. static OSSL_FUNC_kdf_derive_fn kdf_sshkdf_derive;
  29. static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_sshkdf_settable_ctx_params;
  30. static OSSL_FUNC_kdf_set_ctx_params_fn kdf_sshkdf_set_ctx_params;
  31. static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_sshkdf_gettable_ctx_params;
  32. static OSSL_FUNC_kdf_get_ctx_params_fn kdf_sshkdf_get_ctx_params;
  33. static int SSHKDF(const EVP_MD *evp_md,
  34. const unsigned char *key, size_t key_len,
  35. const unsigned char *xcghash, size_t xcghash_len,
  36. const unsigned char *session_id, size_t session_id_len,
  37. char type, unsigned char *okey, size_t okey_len);
  38. typedef struct {
  39. void *provctx;
  40. PROV_DIGEST digest;
  41. unsigned char *key; /* K */
  42. size_t key_len;
  43. unsigned char *xcghash; /* H */
  44. size_t xcghash_len;
  45. char type; /* X */
  46. unsigned char *session_id;
  47. size_t session_id_len;
  48. } KDF_SSHKDF;
  49. static void *kdf_sshkdf_new(void *provctx)
  50. {
  51. KDF_SSHKDF *ctx;
  52. if (!ossl_prov_is_running())
  53. return NULL;
  54. if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL)
  55. ctx->provctx = provctx;
  56. return ctx;
  57. }
  58. static void kdf_sshkdf_free(void *vctx)
  59. {
  60. KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
  61. if (ctx != NULL) {
  62. kdf_sshkdf_reset(ctx);
  63. OPENSSL_free(ctx);
  64. }
  65. }
  66. static void kdf_sshkdf_reset(void *vctx)
  67. {
  68. KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
  69. void *provctx = ctx->provctx;
  70. ossl_prov_digest_reset(&ctx->digest);
  71. OPENSSL_clear_free(ctx->key, ctx->key_len);
  72. OPENSSL_clear_free(ctx->xcghash, ctx->xcghash_len);
  73. OPENSSL_clear_free(ctx->session_id, ctx->session_id_len);
  74. memset(ctx, 0, sizeof(*ctx));
  75. ctx->provctx = provctx;
  76. }
  77. static void *kdf_sshkdf_dup(void *vctx)
  78. {
  79. const KDF_SSHKDF *src = (const KDF_SSHKDF *)vctx;
  80. KDF_SSHKDF *dest;
  81. dest = kdf_sshkdf_new(src->provctx);
  82. if (dest != NULL) {
  83. if (!ossl_prov_memdup(src->key, src->key_len,
  84. &dest->key, &dest->key_len)
  85. || !ossl_prov_memdup(src->xcghash, src->xcghash_len,
  86. &dest->xcghash , &dest->xcghash_len)
  87. || !ossl_prov_memdup(src->session_id, src->session_id_len,
  88. &dest->session_id , &dest->session_id_len)
  89. || !ossl_prov_digest_copy(&dest->digest, &src->digest))
  90. goto err;
  91. dest->type = src->type;
  92. }
  93. return dest;
  94. err:
  95. kdf_sshkdf_free(dest);
  96. return NULL;
  97. }
  98. static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len,
  99. const OSSL_PARAM *p)
  100. {
  101. OPENSSL_clear_free(*dst, *dst_len);
  102. *dst = NULL;
  103. *dst_len = 0;
  104. return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
  105. }
  106. static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
  107. const OSSL_PARAM params[])
  108. {
  109. KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
  110. const EVP_MD *md;
  111. if (!ossl_prov_is_running() || !kdf_sshkdf_set_ctx_params(ctx, params))
  112. return 0;
  113. md = ossl_prov_digest_md(&ctx->digest);
  114. if (md == NULL) {
  115. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  116. return 0;
  117. }
  118. if (ctx->key == NULL) {
  119. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
  120. return 0;
  121. }
  122. if (ctx->xcghash == NULL) {
  123. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_XCGHASH);
  124. return 0;
  125. }
  126. if (ctx->session_id == NULL) {
  127. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SESSION_ID);
  128. return 0;
  129. }
  130. if (ctx->type == 0) {
  131. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
  132. return 0;
  133. }
  134. return SSHKDF(md, ctx->key, ctx->key_len,
  135. ctx->xcghash, ctx->xcghash_len,
  136. ctx->session_id, ctx->session_id_len,
  137. ctx->type, key, keylen);
  138. }
  139. static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  140. {
  141. const OSSL_PARAM *p;
  142. KDF_SSHKDF *ctx = vctx;
  143. OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
  144. if (params == NULL)
  145. return 1;
  146. if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
  147. return 0;
  148. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
  149. if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p))
  150. return 0;
  151. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_XCGHASH))
  152. != NULL)
  153. if (!sshkdf_set_membuf(&ctx->xcghash, &ctx->xcghash_len, p))
  154. return 0;
  155. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_SESSION_ID))
  156. != NULL)
  157. if (!sshkdf_set_membuf(&ctx->session_id, &ctx->session_id_len, p))
  158. return 0;
  159. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_TYPE))
  160. != NULL) {
  161. const char *kdftype;
  162. if (!OSSL_PARAM_get_utf8_string_ptr(p, &kdftype))
  163. return 0;
  164. /* Expect one character (byte in this case) */
  165. if (kdftype == NULL || p->data_size != 1)
  166. return 0;
  167. if (kdftype[0] < 65 || kdftype[0] > 70) {
  168. ERR_raise(ERR_LIB_PROV, PROV_R_VALUE_ERROR);
  169. return 0;
  170. }
  171. ctx->type = kdftype[0];
  172. }
  173. return 1;
  174. }
  175. static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
  176. ossl_unused void *p_ctx)
  177. {
  178. static const OSSL_PARAM known_settable_ctx_params[] = {
  179. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
  180. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
  181. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
  182. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, NULL, 0),
  183. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, NULL, 0),
  184. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, NULL, 0),
  185. OSSL_PARAM_END
  186. };
  187. return known_settable_ctx_params;
  188. }
  189. static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
  190. {
  191. OSSL_PARAM *p;
  192. if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
  193. return OSSL_PARAM_set_size_t(p, SIZE_MAX);
  194. return -2;
  195. }
  196. static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
  197. ossl_unused void *p_ctx)
  198. {
  199. static const OSSL_PARAM known_gettable_ctx_params[] = {
  200. OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
  201. OSSL_PARAM_END
  202. };
  203. return known_gettable_ctx_params;
  204. }
  205. const OSSL_DISPATCH ossl_kdf_sshkdf_functions[] = {
  206. { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_sshkdf_new },
  207. { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_sshkdf_dup },
  208. { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_sshkdf_free },
  209. { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_sshkdf_reset },
  210. { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_sshkdf_derive },
  211. { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
  212. (void(*)(void))kdf_sshkdf_settable_ctx_params },
  213. { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_set_ctx_params },
  214. { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
  215. (void(*)(void))kdf_sshkdf_gettable_ctx_params },
  216. { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_get_ctx_params },
  217. { 0, NULL }
  218. };
  219. static int SSHKDF(const EVP_MD *evp_md,
  220. const unsigned char *key, size_t key_len,
  221. const unsigned char *xcghash, size_t xcghash_len,
  222. const unsigned char *session_id, size_t session_id_len,
  223. char type, unsigned char *okey, size_t okey_len)
  224. {
  225. EVP_MD_CTX *md = NULL;
  226. unsigned char digest[EVP_MAX_MD_SIZE];
  227. unsigned int dsize = 0;
  228. size_t cursize = 0;
  229. int ret = 0;
  230. md = EVP_MD_CTX_new();
  231. if (md == NULL)
  232. return 0;
  233. if (!EVP_DigestInit_ex(md, evp_md, NULL))
  234. goto out;
  235. if (!EVP_DigestUpdate(md, key, key_len))
  236. goto out;
  237. if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
  238. goto out;
  239. if (!EVP_DigestUpdate(md, &type, 1))
  240. goto out;
  241. if (!EVP_DigestUpdate(md, session_id, session_id_len))
  242. goto out;
  243. if (!EVP_DigestFinal_ex(md, digest, &dsize))
  244. goto out;
  245. if (okey_len < dsize) {
  246. memcpy(okey, digest, okey_len);
  247. ret = 1;
  248. goto out;
  249. }
  250. memcpy(okey, digest, dsize);
  251. for (cursize = dsize; cursize < okey_len; cursize += dsize) {
  252. if (!EVP_DigestInit_ex(md, evp_md, NULL))
  253. goto out;
  254. if (!EVP_DigestUpdate(md, key, key_len))
  255. goto out;
  256. if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
  257. goto out;
  258. if (!EVP_DigestUpdate(md, okey, cursize))
  259. goto out;
  260. if (!EVP_DigestFinal_ex(md, digest, &dsize))
  261. goto out;
  262. if (okey_len < cursize + dsize) {
  263. memcpy(okey + cursize, digest, okey_len - cursize);
  264. ret = 1;
  265. goto out;
  266. }
  267. memcpy(okey + cursize, digest, dsize);
  268. }
  269. ret = 1;
  270. out:
  271. EVP_MD_CTX_free(md);
  272. OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE);
  273. return ret;
  274. }