pkey_kdf.c 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414
  1. /*
  2. * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include <string.h>
  11. #include <openssl/evp.h>
  12. #include <openssl/err.h>
  13. #include <openssl/buffer.h>
  14. #include <openssl/kdf.h>
  15. #include <openssl/core.h>
  16. #include <openssl/core_names.h>
  17. #include <openssl/params.h>
  18. #include "internal/numbers.h"
  19. #include "crypto/evp.h"
  20. #define MAX_PARAM 20
  21. typedef struct {
  22. EVP_KDF_CTX *kctx;
  23. /*
  24. * EVP_PKEY implementations collect bits of certain data
  25. */
  26. BUF_MEM *collected_seed;
  27. BUF_MEM *collected_info;
  28. } EVP_PKEY_KDF_CTX;
  29. static void pkey_kdf_free_collected(EVP_PKEY_KDF_CTX *pkctx)
  30. {
  31. BUF_MEM_free(pkctx->collected_seed);
  32. pkctx->collected_seed = NULL;
  33. BUF_MEM_free(pkctx->collected_info);
  34. pkctx->collected_info = NULL;
  35. }
  36. static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
  37. {
  38. EVP_PKEY_KDF_CTX *pkctx;
  39. EVP_KDF_CTX *kctx;
  40. const char *kdf_name = OBJ_nid2sn(ctx->pmeth->pkey_id);
  41. EVP_KDF *kdf;
  42. pkctx = OPENSSL_zalloc(sizeof(*pkctx));
  43. if (pkctx == NULL)
  44. return 0;
  45. kdf = EVP_KDF_fetch(NULL, kdf_name, NULL);
  46. kctx = EVP_KDF_CTX_new(kdf);
  47. EVP_KDF_free(kdf);
  48. if (kctx == NULL) {
  49. OPENSSL_free(pkctx);
  50. return 0;
  51. }
  52. pkctx->kctx = kctx;
  53. ctx->data = pkctx;
  54. return 1;
  55. }
  56. static void pkey_kdf_cleanup(EVP_PKEY_CTX *ctx)
  57. {
  58. EVP_PKEY_KDF_CTX *pkctx = ctx->data;
  59. EVP_KDF_CTX_free(pkctx->kctx);
  60. pkey_kdf_free_collected(pkctx);
  61. OPENSSL_free(pkctx);
  62. }
  63. static int collect(BUF_MEM **collector, void *data, size_t datalen)
  64. {
  65. size_t i;
  66. if (*collector == NULL)
  67. *collector = BUF_MEM_new();
  68. if (*collector == NULL) {
  69. ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
  70. return 0;
  71. }
  72. if (data != NULL && datalen > 0) {
  73. i = (*collector)->length; /* BUF_MEM_grow() changes it! */
  74. if (!BUF_MEM_grow(*collector, i + datalen))
  75. return 0;
  76. memcpy((*collector)->data + i, data, datalen);
  77. }
  78. return 1;
  79. }
  80. static int pkey_kdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
  81. {
  82. EVP_PKEY_KDF_CTX *pkctx = ctx->data;
  83. EVP_KDF_CTX *kctx = pkctx->kctx;
  84. enum { T_OCTET_STRING, T_UINT64, T_DIGEST, T_INT } cmd;
  85. const char *name, *mdname;
  86. BUF_MEM **collector = NULL;
  87. OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
  88. switch (type) {
  89. case EVP_PKEY_CTRL_PASS:
  90. cmd = T_OCTET_STRING;
  91. name = OSSL_KDF_PARAM_PASSWORD;
  92. break;
  93. case EVP_PKEY_CTRL_HKDF_SALT:
  94. case EVP_PKEY_CTRL_SCRYPT_SALT:
  95. cmd = T_OCTET_STRING;
  96. name = OSSL_KDF_PARAM_SALT;
  97. break;
  98. case EVP_PKEY_CTRL_TLS_MD:
  99. case EVP_PKEY_CTRL_HKDF_MD:
  100. cmd = T_DIGEST;
  101. name = OSSL_KDF_PARAM_DIGEST;
  102. break;
  103. case EVP_PKEY_CTRL_TLS_SECRET:
  104. cmd = T_OCTET_STRING;
  105. name = OSSL_KDF_PARAM_SECRET;
  106. /*
  107. * Perform the semantics described in
  108. * EVP_PKEY_CTX_add1_tls1_prf_seed(3)
  109. */
  110. if (ctx->pmeth->pkey_id == NID_tls1_prf) {
  111. BUF_MEM_free(pkctx->collected_seed);
  112. pkctx->collected_seed = NULL;
  113. }
  114. break;
  115. case EVP_PKEY_CTRL_TLS_SEED:
  116. cmd = T_OCTET_STRING;
  117. name = OSSL_KDF_PARAM_SEED;
  118. collector = &pkctx->collected_seed;
  119. break;
  120. case EVP_PKEY_CTRL_HKDF_KEY:
  121. cmd = T_OCTET_STRING;
  122. name = OSSL_KDF_PARAM_KEY;
  123. break;
  124. case EVP_PKEY_CTRL_HKDF_INFO:
  125. cmd = T_OCTET_STRING;
  126. name = OSSL_KDF_PARAM_INFO;
  127. collector = &pkctx->collected_info;
  128. break;
  129. case EVP_PKEY_CTRL_HKDF_MODE:
  130. cmd = T_INT;
  131. name = OSSL_KDF_PARAM_MODE;
  132. break;
  133. case EVP_PKEY_CTRL_SCRYPT_N:
  134. cmd = T_UINT64;
  135. name = OSSL_KDF_PARAM_SCRYPT_N;
  136. break;
  137. case EVP_PKEY_CTRL_SCRYPT_R:
  138. cmd = T_UINT64; /* Range checking occurs on the provider side */
  139. name = OSSL_KDF_PARAM_SCRYPT_R;
  140. break;
  141. case EVP_PKEY_CTRL_SCRYPT_P:
  142. cmd = T_UINT64; /* Range checking occurs on the provider side */
  143. name = OSSL_KDF_PARAM_SCRYPT_P;
  144. break;
  145. case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:
  146. cmd = T_UINT64;
  147. name = OSSL_KDF_PARAM_SCRYPT_MAXMEM;
  148. break;
  149. default:
  150. return -2;
  151. }
  152. if (collector != NULL) {
  153. switch (cmd) {
  154. case T_OCTET_STRING:
  155. return collect(collector, p2, p1);
  156. default:
  157. OPENSSL_assert("You shouldn't be here");
  158. break;
  159. }
  160. return 1;
  161. }
  162. switch (cmd) {
  163. case T_OCTET_STRING:
  164. params[0] =
  165. OSSL_PARAM_construct_octet_string(name, (unsigned char *)p2,
  166. (size_t)p1);
  167. break;
  168. case T_DIGEST:
  169. mdname = EVP_MD_name((const EVP_MD *)p2);
  170. params[0] = OSSL_PARAM_construct_utf8_string(name, (char *)mdname,
  171. strlen(mdname) + 1);
  172. break;
  173. /*
  174. * These are special because the helper macros pass a pointer to the
  175. * stack, so a local copy is required.
  176. */
  177. case T_INT:
  178. params[0] = OSSL_PARAM_construct_int(name, &p1);
  179. break;
  180. case T_UINT64:
  181. params[0] = OSSL_PARAM_construct_uint64(name, (uint64_t *)p2);
  182. break;
  183. }
  184. return EVP_KDF_CTX_set_params(kctx, params);
  185. }
  186. static int pkey_kdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
  187. const char *value)
  188. {
  189. EVP_PKEY_KDF_CTX *pkctx = ctx->data;
  190. EVP_KDF_CTX *kctx = pkctx->kctx;
  191. const EVP_KDF *kdf = EVP_KDF_CTX_kdf(kctx);
  192. BUF_MEM **collector = NULL;
  193. const OSSL_PARAM *defs = EVP_KDF_settable_ctx_params(kdf);
  194. OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
  195. int ok = 0;
  196. /* Deal with ctrl name aliasing */
  197. if (strcmp(type, "md") == 0)
  198. type = OSSL_KDF_PARAM_DIGEST;
  199. /* scrypt uses 'N', params uses 'n' */
  200. if (strcmp(type, "N") == 0)
  201. type = OSSL_KDF_PARAM_SCRYPT_N;
  202. if (!OSSL_PARAM_allocate_from_text(&params[0], defs, type,
  203. value, strlen(value)))
  204. return 0;
  205. /*
  206. * We do the same special casing of seed and info here as in
  207. * pkey_kdf_ctrl()
  208. */
  209. if (strcmp(params[0].key, OSSL_KDF_PARAM_SEED) == 0)
  210. collector = &pkctx->collected_seed;
  211. else if (strcmp(params[0].key, OSSL_KDF_PARAM_INFO) == 0)
  212. collector = &pkctx->collected_info;
  213. if (collector != NULL)
  214. ok = collect(collector, params[0].data, params[0].data_size);
  215. else
  216. ok = EVP_KDF_CTX_set_params(kctx, params);
  217. OPENSSL_free(params[0].data);
  218. return ok;
  219. }
  220. static int pkey_kdf_derive_init(EVP_PKEY_CTX *ctx)
  221. {
  222. EVP_PKEY_KDF_CTX *pkctx = ctx->data;
  223. pkey_kdf_free_collected(pkctx);
  224. if (pkctx->kctx != NULL)
  225. EVP_KDF_reset(pkctx->kctx);
  226. return 1;
  227. }
  228. /*
  229. * For fixed-output algorithms the keylen parameter is an "out" parameter
  230. * otherwise it is an "in" parameter.
  231. */
  232. static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
  233. size_t *keylen)
  234. {
  235. EVP_PKEY_KDF_CTX *pkctx = ctx->data;
  236. EVP_KDF_CTX *kctx = pkctx->kctx;
  237. size_t outlen = EVP_KDF_size(kctx);
  238. int r;
  239. if (pkctx->collected_seed != NULL) {
  240. OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
  241. params[0] =
  242. OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
  243. pkctx->collected_seed->data,
  244. pkctx->collected_seed->length);
  245. r = EVP_KDF_CTX_set_params(kctx, params);
  246. pkey_kdf_free_collected(pkctx);
  247. if (!r)
  248. return 0;
  249. }
  250. if (pkctx->collected_info != NULL) {
  251. OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
  252. params[0] =
  253. OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
  254. pkctx->collected_info->data,
  255. pkctx->collected_info->length);
  256. r = EVP_KDF_CTX_set_params(kctx, params);
  257. pkey_kdf_free_collected(pkctx);
  258. if (!r)
  259. return 0;
  260. }
  261. if (outlen == 0 || outlen == SIZE_MAX) {
  262. /* Variable-output algorithm */
  263. if (key == NULL)
  264. return 0;
  265. } else {
  266. /* Fixed-output algorithm */
  267. *keylen = outlen;
  268. if (key == NULL)
  269. return 1;
  270. }
  271. return EVP_KDF_derive(kctx, key, *keylen);
  272. }
  273. #ifndef OPENSSL_NO_SCRYPT
  274. static const EVP_PKEY_METHOD scrypt_pkey_meth = {
  275. EVP_PKEY_SCRYPT,
  276. 0,
  277. pkey_kdf_init,
  278. 0,
  279. pkey_kdf_cleanup,
  280. 0, 0,
  281. 0, 0,
  282. 0,
  283. 0,
  284. 0,
  285. 0,
  286. 0, 0,
  287. 0, 0, 0, 0,
  288. 0, 0,
  289. 0, 0,
  290. pkey_kdf_derive_init,
  291. pkey_kdf_derive,
  292. pkey_kdf_ctrl,
  293. pkey_kdf_ctrl_str
  294. };
  295. const EVP_PKEY_METHOD *scrypt_pkey_method(void)
  296. {
  297. return &scrypt_pkey_meth;
  298. }
  299. #endif
  300. static const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
  301. EVP_PKEY_TLS1_PRF,
  302. 0,
  303. pkey_kdf_init,
  304. 0,
  305. pkey_kdf_cleanup,
  306. 0, 0,
  307. 0, 0,
  308. 0,
  309. 0,
  310. 0,
  311. 0,
  312. 0, 0,
  313. 0, 0, 0, 0,
  314. 0, 0,
  315. 0, 0,
  316. pkey_kdf_derive_init,
  317. pkey_kdf_derive,
  318. pkey_kdf_ctrl,
  319. pkey_kdf_ctrl_str
  320. };
  321. const EVP_PKEY_METHOD *tls1_prf_pkey_method(void)
  322. {
  323. return &tls1_prf_pkey_meth;
  324. }
  325. static const EVP_PKEY_METHOD hkdf_pkey_meth = {
  326. EVP_PKEY_HKDF,
  327. 0,
  328. pkey_kdf_init,
  329. 0,
  330. pkey_kdf_cleanup,
  331. 0, 0,
  332. 0, 0,
  333. 0,
  334. 0,
  335. 0,
  336. 0,
  337. 0, 0,
  338. 0, 0, 0, 0,
  339. 0, 0,
  340. 0, 0,
  341. pkey_kdf_derive_init,
  342. pkey_kdf_derive,
  343. pkey_kdf_ctrl,
  344. pkey_kdf_ctrl_str
  345. };
  346. const EVP_PKEY_METHOD *hkdf_pkey_method(void)
  347. {
  348. return &hkdf_pkey_meth;
  349. }