hpke.c 49 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463
  1. /*
  2. * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* An OpenSSL-based HPKE implementation of RFC9180 */
  10. #include <string.h>
  11. #include <openssl/rand.h>
  12. #include <openssl/kdf.h>
  13. #include <openssl/core_names.h>
  14. #include <openssl/hpke.h>
  15. #include <openssl/sha.h>
  16. #include <openssl/evp.h>
  17. #include <openssl/err.h>
  18. #include "internal/hpke_util.h"
  19. #include "internal/nelem.h"
  20. #include "internal/common.h"
  21. /* default buffer size for keys and internal buffers we use */
  22. #define OSSL_HPKE_MAXSIZE 512
  23. /* Define HPKE labels from RFC9180 in hex for EBCDIC compatibility */
  24. /* "HPKE" - "suite_id" label for section 5.1 */
  25. static const char OSSL_HPKE_SEC51LABEL[] = "\x48\x50\x4b\x45";
  26. /* "psk_id_hash" - in key_schedule_context */
  27. static const char OSSL_HPKE_PSKIDHASH_LABEL[] = "\x70\x73\x6b\x5f\x69\x64\x5f\x68\x61\x73\x68";
  28. /* "info_hash" - in key_schedule_context */
  29. static const char OSSL_HPKE_INFOHASH_LABEL[] = "\x69\x6e\x66\x6f\x5f\x68\x61\x73\x68";
  30. /* "base_nonce" - base nonce calc label */
  31. static const char OSSL_HPKE_NONCE_LABEL[] = "\x62\x61\x73\x65\x5f\x6e\x6f\x6e\x63\x65";
  32. /* "exp" - internal exporter secret generation label */
  33. static const char OSSL_HPKE_EXP_LABEL[] = "\x65\x78\x70";
  34. /* "sec" - external label for exporting secret */
  35. static const char OSSL_HPKE_EXP_SEC_LABEL[] = "\x73\x65\x63";
  36. /* "key" - label for use when generating key from shared secret */
  37. static const char OSSL_HPKE_KEY_LABEL[] = "\x6b\x65\x79";
  38. /* "secret" - for generating shared secret */
  39. static const char OSSL_HPKE_SECRET_LABEL[] = "\x73\x65\x63\x72\x65\x74";
  40. /**
  41. * @brief sender or receiver context
  42. */
  43. struct ossl_hpke_ctx_st
  44. {
  45. OSSL_LIB_CTX *libctx; /* library context */
  46. char *propq; /* properties */
  47. int mode; /* HPKE mode */
  48. OSSL_HPKE_SUITE suite; /* suite */
  49. const OSSL_HPKE_KEM_INFO *kem_info;
  50. const OSSL_HPKE_KDF_INFO *kdf_info;
  51. const OSSL_HPKE_AEAD_INFO *aead_info;
  52. EVP_CIPHER *aead_ciph;
  53. int role; /* sender(0) or receiver(1) */
  54. uint64_t seq; /* aead sequence number */
  55. unsigned char *shared_secret; /* KEM output, zz */
  56. size_t shared_secretlen;
  57. unsigned char *key; /* final aead key */
  58. size_t keylen;
  59. unsigned char *nonce; /* aead base nonce */
  60. size_t noncelen;
  61. unsigned char *exportersec; /* exporter secret */
  62. size_t exporterseclen;
  63. char *pskid; /* PSK stuff */
  64. unsigned char *psk;
  65. size_t psklen;
  66. EVP_PKEY *authpriv; /* sender's authentication private key */
  67. unsigned char *authpub; /* auth public key */
  68. size_t authpublen;
  69. unsigned char *ikme; /* IKM for sender deterministic key gen */
  70. size_t ikmelen;
  71. };
  72. /**
  73. * @brief check if KEM uses NIST curve or not
  74. * @param kem_id is the externally supplied kem_id
  75. * @return 1 for NIST curves, 0 for other
  76. */
  77. static int hpke_kem_id_nist_curve(uint16_t kem_id)
  78. {
  79. const OSSL_HPKE_KEM_INFO *kem_info;
  80. kem_info = ossl_HPKE_KEM_INFO_find_id(kem_id);
  81. return kem_info != NULL && kem_info->groupname != NULL;
  82. }
  83. /**
  84. * @brief wrapper to import NIST curve public key as easily as x25519/x448
  85. * @param libctx is the context to use
  86. * @param propq is a properties string
  87. * @param gname is the curve groupname
  88. * @param buf is the binary buffer with the (uncompressed) public value
  89. * @param buflen is the length of the private key buffer
  90. * @return a working EVP_PKEY * or NULL
  91. *
  92. * Note that this could be a useful function to make public in
  93. * future, but would likely require a name change.
  94. */
  95. static EVP_PKEY *evp_pkey_new_raw_nist_public_key(OSSL_LIB_CTX *libctx,
  96. const char *propq,
  97. const char *gname,
  98. const unsigned char *buf,
  99. size_t buflen)
  100. {
  101. OSSL_PARAM params[2];
  102. EVP_PKEY *ret = NULL;
  103. EVP_PKEY_CTX *cctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
  104. params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
  105. (char *)gname, 0);
  106. params[1] = OSSL_PARAM_construct_end();
  107. if (cctx == NULL
  108. || EVP_PKEY_paramgen_init(cctx) <= 0
  109. || EVP_PKEY_CTX_set_params(cctx, params) <= 0
  110. || EVP_PKEY_paramgen(cctx, &ret) <= 0
  111. || EVP_PKEY_set1_encoded_public_key(ret, buf, buflen) != 1) {
  112. EVP_PKEY_CTX_free(cctx);
  113. EVP_PKEY_free(ret);
  114. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  115. return NULL;
  116. }
  117. EVP_PKEY_CTX_free(cctx);
  118. return ret;
  119. }
  120. /**
  121. * @brief do the AEAD decryption
  122. * @param hctx is the context to use
  123. * @param iv is the initialisation vector
  124. * @param aad is the additional authenticated data
  125. * @param aadlen is the length of the aad
  126. * @param ct is the ciphertext buffer
  127. * @param ctlen is the ciphertext length (including tag).
  128. * @param pt is the output buffer
  129. * @param ptlen input/output, better be big enough on input, exact on output
  130. * @return 1 on success, 0 otherwise
  131. */
  132. static int hpke_aead_dec(OSSL_HPKE_CTX *hctx, const unsigned char *iv,
  133. const unsigned char *aad, size_t aadlen,
  134. const unsigned char *ct, size_t ctlen,
  135. unsigned char *pt, size_t *ptlen)
  136. {
  137. int erv = 0;
  138. EVP_CIPHER_CTX *ctx = NULL;
  139. int len = 0;
  140. size_t taglen;
  141. taglen = hctx->aead_info->taglen;
  142. if (ctlen <= taglen || *ptlen < ctlen - taglen) {
  143. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  144. return 0;
  145. }
  146. /* Create and initialise the context */
  147. if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
  148. return 0;
  149. /* Initialise the decryption operation. */
  150. if (EVP_DecryptInit_ex(ctx, hctx->aead_ciph, NULL, NULL, NULL) != 1) {
  151. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  152. goto err;
  153. }
  154. if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
  155. hctx->noncelen, NULL) != 1) {
  156. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  157. goto err;
  158. }
  159. /* Initialise key and IV */
  160. if (EVP_DecryptInit_ex(ctx, NULL, NULL, hctx->key, iv) != 1) {
  161. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  162. goto err;
  163. }
  164. /* Provide AAD. */
  165. if (aadlen != 0 && aad != NULL) {
  166. if (EVP_DecryptUpdate(ctx, NULL, &len, aad, aadlen) != 1) {
  167. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  168. goto err;
  169. }
  170. }
  171. if (EVP_DecryptUpdate(ctx, pt, &len, ct, ctlen - taglen) != 1) {
  172. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  173. goto err;
  174. }
  175. *ptlen = len;
  176. if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
  177. taglen, (void *)(ct + ctlen - taglen))) {
  178. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  179. goto err;
  180. }
  181. /* Finalise decryption. */
  182. if (EVP_DecryptFinal_ex(ctx, pt + len, &len) <= 0) {
  183. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  184. goto err;
  185. }
  186. erv = 1;
  187. err:
  188. if (erv != 1)
  189. OPENSSL_cleanse(pt, *ptlen);
  190. EVP_CIPHER_CTX_free(ctx);
  191. return erv;
  192. }
  193. /**
  194. * @brief do AEAD encryption as per the RFC
  195. * @param hctx is the context to use
  196. * @param iv is the initialisation vector
  197. * @param aad is the additional authenticated data
  198. * @param aadlen is the length of the aad
  199. * @param pt is the plaintext buffer
  200. * @param ptlen is the length of pt
  201. * @param ct is the output buffer
  202. * @param ctlen input/output, needs space for tag on input, exact on output
  203. * @return 1 for success, 0 otherwise
  204. */
  205. static int hpke_aead_enc(OSSL_HPKE_CTX *hctx, const unsigned char *iv,
  206. const unsigned char *aad, size_t aadlen,
  207. const unsigned char *pt, size_t ptlen,
  208. unsigned char *ct, size_t *ctlen)
  209. {
  210. int erv = 0;
  211. EVP_CIPHER_CTX *ctx = NULL;
  212. int len;
  213. size_t taglen = 0;
  214. unsigned char tag[EVP_MAX_AEAD_TAG_LENGTH];
  215. taglen = hctx->aead_info->taglen;
  216. if (*ctlen <= taglen || ptlen > *ctlen - taglen) {
  217. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  218. return 0;
  219. }
  220. if (!ossl_assert(taglen <= sizeof(tag))) {
  221. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  222. return 0;
  223. }
  224. /* Create and initialise the context */
  225. if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
  226. return 0;
  227. /* Initialise the encryption operation. */
  228. if (EVP_EncryptInit_ex(ctx, hctx->aead_ciph, NULL, NULL, NULL) != 1) {
  229. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  230. goto err;
  231. }
  232. if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
  233. hctx->noncelen, NULL) != 1) {
  234. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  235. goto err;
  236. }
  237. /* Initialise key and IV */
  238. if (EVP_EncryptInit_ex(ctx, NULL, NULL, hctx->key, iv) != 1) {
  239. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  240. goto err;
  241. }
  242. /* Provide any AAD data. */
  243. if (aadlen != 0 && aad != NULL) {
  244. if (EVP_EncryptUpdate(ctx, NULL, &len, aad, aadlen) != 1) {
  245. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  246. goto err;
  247. }
  248. }
  249. if (EVP_EncryptUpdate(ctx, ct, &len, pt, ptlen) != 1) {
  250. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  251. goto err;
  252. }
  253. *ctlen = len;
  254. /* Finalise the encryption. */
  255. if (EVP_EncryptFinal_ex(ctx, ct + len, &len) != 1) {
  256. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  257. goto err;
  258. }
  259. *ctlen += len;
  260. /* Get tag. Not a duplicate so needs to be added to the ciphertext */
  261. if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) != 1) {
  262. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  263. goto err;
  264. }
  265. memcpy(ct + *ctlen, tag, taglen);
  266. *ctlen += taglen;
  267. erv = 1;
  268. err:
  269. if (erv != 1)
  270. OPENSSL_cleanse(ct, *ctlen);
  271. EVP_CIPHER_CTX_free(ctx);
  272. return erv;
  273. }
  274. /**
  275. * @brief check mode is in-range and supported
  276. * @param mode is the caller's chosen mode
  277. * @return 1 for good mode, 0 otherwise
  278. */
  279. static int hpke_mode_check(unsigned int mode)
  280. {
  281. switch (mode) {
  282. case OSSL_HPKE_MODE_BASE:
  283. case OSSL_HPKE_MODE_PSK:
  284. case OSSL_HPKE_MODE_AUTH:
  285. case OSSL_HPKE_MODE_PSKAUTH:
  286. break;
  287. default:
  288. return 0;
  289. }
  290. return 1;
  291. }
  292. /**
  293. * @brief check if a suite is supported locally
  294. * @param suite is the suite to check
  295. * @return 1 for good, 0 otherwise
  296. */
  297. static int hpke_suite_check(OSSL_HPKE_SUITE suite,
  298. const OSSL_HPKE_KEM_INFO **kem_info,
  299. const OSSL_HPKE_KDF_INFO **kdf_info,
  300. const OSSL_HPKE_AEAD_INFO **aead_info)
  301. {
  302. const OSSL_HPKE_KEM_INFO *kem_info_;
  303. const OSSL_HPKE_KDF_INFO *kdf_info_;
  304. const OSSL_HPKE_AEAD_INFO *aead_info_;
  305. /* check KEM, KDF and AEAD are supported here */
  306. if ((kem_info_ = ossl_HPKE_KEM_INFO_find_id(suite.kem_id)) == NULL)
  307. return 0;
  308. if ((kdf_info_ = ossl_HPKE_KDF_INFO_find_id(suite.kdf_id)) == NULL)
  309. return 0;
  310. if ((aead_info_ = ossl_HPKE_AEAD_INFO_find_id(suite.aead_id)) == NULL)
  311. return 0;
  312. if (kem_info != NULL)
  313. *kem_info = kem_info_;
  314. if (kdf_info != NULL)
  315. *kdf_info = kdf_info_;
  316. if (aead_info != NULL)
  317. *aead_info = aead_info_;
  318. return 1;
  319. }
  320. /*
  321. * @brief randomly pick a suite
  322. * @param libctx is the context to use
  323. * @param propq is a properties string
  324. * @param suite is the result
  325. * @return 1 for success, 0 otherwise
  326. */
  327. static int hpke_random_suite(OSSL_LIB_CTX *libctx,
  328. const char *propq,
  329. OSSL_HPKE_SUITE *suite)
  330. {
  331. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  332. const OSSL_HPKE_KDF_INFO *kdf_info = NULL;
  333. const OSSL_HPKE_AEAD_INFO *aead_info = NULL;
  334. /* random kem, kdf and aead */
  335. kem_info = ossl_HPKE_KEM_INFO_find_random(libctx);
  336. if (kem_info == NULL)
  337. return 0;
  338. suite->kem_id = kem_info->kem_id;
  339. kdf_info = ossl_HPKE_KDF_INFO_find_random(libctx);
  340. if (kdf_info == NULL)
  341. return 0;
  342. suite->kdf_id = kdf_info->kdf_id;
  343. aead_info = ossl_HPKE_AEAD_INFO_find_random(libctx);
  344. if (aead_info == NULL)
  345. return 0;
  346. suite->aead_id = aead_info->aead_id;
  347. return 1;
  348. }
  349. /*
  350. * @brief tell the caller how big the ciphertext will be
  351. *
  352. * AEAD algorithms add a tag for data authentication.
  353. * Those are almost always, but not always, 16 octets
  354. * long, and who knows what will be true in the future.
  355. * So this function allows a caller to find out how
  356. * much data expansion they will see with a given suite.
  357. *
  358. * "enc" is the name used in RFC9180 for the encapsulated
  359. * public value of the sender, who calls OSSL_HPKE_seal(),
  360. * that is sent to the recipient, who calls OSSL_HPKE_open().
  361. *
  362. * @param suite is the suite to be used
  363. * @param enclen points to what will be enc length
  364. * @param clearlen is the length of plaintext
  365. * @param cipherlen points to what will be ciphertext length (including tag)
  366. * @return 1 for success, 0 otherwise
  367. */
  368. static int hpke_expansion(OSSL_HPKE_SUITE suite,
  369. size_t *enclen,
  370. size_t clearlen,
  371. size_t *cipherlen)
  372. {
  373. const OSSL_HPKE_AEAD_INFO *aead_info = NULL;
  374. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  375. if (cipherlen == NULL || enclen == NULL) {
  376. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  377. return 0;
  378. }
  379. if (hpke_suite_check(suite, &kem_info, NULL, &aead_info) != 1) {
  380. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  381. return 0;
  382. }
  383. *cipherlen = clearlen + aead_info->taglen;
  384. *enclen = kem_info->Nenc;
  385. return 1;
  386. }
  387. /*
  388. * @brief expand and XOR the 64-bit unsigned seq with (nonce) buffer
  389. * @param ctx is the HPKE context
  390. * @param buf is the buffer for the XOR'd seq and nonce
  391. * @param blen is the size of buf
  392. * @return 0 for error, otherwise blen
  393. */
  394. static size_t hpke_seqnonce2buf(OSSL_HPKE_CTX *ctx,
  395. unsigned char *buf, size_t blen)
  396. {
  397. size_t i;
  398. uint64_t seq_copy;
  399. if (ctx == NULL || blen < sizeof(seq_copy) || blen != ctx->noncelen)
  400. return 0;
  401. seq_copy = ctx->seq;
  402. memset(buf, 0, blen);
  403. for (i = 0; i < sizeof(seq_copy); i++) {
  404. buf[blen - i - 1] = seq_copy & 0xff;
  405. seq_copy >>= 8;
  406. }
  407. for (i = 0; i < blen; i++)
  408. buf[i] ^= ctx->nonce[i];
  409. return blen;
  410. }
  411. /*
  412. * @brief call the underlying KEM to encap
  413. * @param ctx is the OSSL_HPKE_CTX
  414. * @param enc is a buffer for the sender's ephemeral public value
  415. * @param enclen is the size of enc on input, number of octets used on output
  416. * @param pub is the recipient's public value
  417. * @param publen is the length of pub
  418. * @return 1 for success, 0 for error
  419. */
  420. static int hpke_encap(OSSL_HPKE_CTX *ctx, unsigned char *enc, size_t *enclen,
  421. const unsigned char *pub, size_t publen)
  422. {
  423. int erv = 0;
  424. OSSL_PARAM params[3], *p = params;
  425. size_t lsslen = 0, lenclen = 0;
  426. EVP_PKEY_CTX *pctx = NULL;
  427. EVP_PKEY *pkR = NULL;
  428. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  429. if (ctx == NULL || enc == NULL || enclen == NULL || *enclen == 0
  430. || pub == NULL || publen == 0) {
  431. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  432. return 0;
  433. }
  434. if (ctx->shared_secret != NULL) {
  435. /* only run the KEM once per OSSL_HPKE_CTX */
  436. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  437. return 0;
  438. }
  439. kem_info = ossl_HPKE_KEM_INFO_find_id(ctx->suite.kem_id);
  440. if (kem_info == NULL) {
  441. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  442. return 0;
  443. }
  444. if (hpke_kem_id_nist_curve(ctx->suite.kem_id) == 1) {
  445. pkR = evp_pkey_new_raw_nist_public_key(ctx->libctx, ctx->propq,
  446. kem_info->groupname,
  447. pub, publen);
  448. } else {
  449. pkR = EVP_PKEY_new_raw_public_key_ex(ctx->libctx,
  450. kem_info->keytype,
  451. ctx->propq, pub, publen);
  452. }
  453. if (pkR == NULL) {
  454. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  455. goto err;
  456. }
  457. pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pkR, ctx->propq);
  458. if (pctx == NULL) {
  459. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  460. goto err;
  461. }
  462. *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KEM_PARAM_OPERATION,
  463. OSSL_KEM_PARAM_OPERATION_DHKEM,
  464. 0);
  465. if (ctx->ikme != NULL) {
  466. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KEM_PARAM_IKME,
  467. ctx->ikme, ctx->ikmelen);
  468. }
  469. *p = OSSL_PARAM_construct_end();
  470. if (ctx->mode == OSSL_HPKE_MODE_AUTH
  471. || ctx->mode == OSSL_HPKE_MODE_PSKAUTH) {
  472. if (EVP_PKEY_auth_encapsulate_init(pctx, ctx->authpriv,
  473. params) != 1) {
  474. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  475. goto err;
  476. }
  477. } else {
  478. if (EVP_PKEY_encapsulate_init(pctx, params) != 1) {
  479. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  480. goto err;
  481. }
  482. }
  483. lenclen = *enclen;
  484. if (EVP_PKEY_encapsulate(pctx, NULL, &lenclen, NULL, &lsslen) != 1) {
  485. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  486. goto err;
  487. }
  488. if (lenclen > *enclen) {
  489. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  490. goto err;
  491. }
  492. ctx->shared_secret = OPENSSL_malloc(lsslen);
  493. if (ctx->shared_secret == NULL)
  494. goto err;
  495. ctx->shared_secretlen = lsslen;
  496. if (EVP_PKEY_encapsulate(pctx, enc, enclen, ctx->shared_secret,
  497. &ctx->shared_secretlen) != 1) {
  498. ctx->shared_secretlen = 0;
  499. OPENSSL_free(ctx->shared_secret);
  500. ctx->shared_secret = NULL;
  501. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  502. goto err;
  503. }
  504. erv = 1;
  505. err:
  506. EVP_PKEY_CTX_free(pctx);
  507. EVP_PKEY_free(pkR);
  508. return erv;
  509. }
  510. /*
  511. * @brief call the underlying KEM to decap
  512. * @param ctx is the OSSL_HPKE_CTX
  513. * @param enc is a buffer for the sender's ephemeral public value
  514. * @param enclen is the length of enc
  515. * @param priv is the recipient's private value
  516. * @return 1 for success, 0 for error
  517. */
  518. static int hpke_decap(OSSL_HPKE_CTX *ctx,
  519. const unsigned char *enc, size_t enclen,
  520. EVP_PKEY *priv)
  521. {
  522. int erv = 0;
  523. EVP_PKEY_CTX *pctx = NULL;
  524. EVP_PKEY *spub = NULL;
  525. OSSL_PARAM params[2], *p = params;
  526. size_t lsslen = 0;
  527. if (ctx == NULL || enc == NULL || enclen == 0 || priv == NULL) {
  528. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  529. return 0;
  530. }
  531. if (ctx->shared_secret != NULL) {
  532. /* only run the KEM once per OSSL_HPKE_CTX */
  533. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  534. return 0;
  535. }
  536. pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, priv, ctx->propq);
  537. if (pctx == NULL) {
  538. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  539. goto err;
  540. }
  541. *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KEM_PARAM_OPERATION,
  542. OSSL_KEM_PARAM_OPERATION_DHKEM,
  543. 0);
  544. *p = OSSL_PARAM_construct_end();
  545. if (ctx->mode == OSSL_HPKE_MODE_AUTH
  546. || ctx->mode == OSSL_HPKE_MODE_PSKAUTH) {
  547. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  548. kem_info = ossl_HPKE_KEM_INFO_find_id(ctx->suite.kem_id);
  549. if (kem_info == NULL) {
  550. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  551. goto err;
  552. }
  553. if (hpke_kem_id_nist_curve(ctx->suite.kem_id) == 1) {
  554. spub = evp_pkey_new_raw_nist_public_key(ctx->libctx, ctx->propq,
  555. kem_info->groupname,
  556. ctx->authpub,
  557. ctx->authpublen);
  558. } else {
  559. spub = EVP_PKEY_new_raw_public_key_ex(ctx->libctx,
  560. kem_info->keytype,
  561. ctx->propq,
  562. ctx->authpub,
  563. ctx->authpublen);
  564. }
  565. if (spub == NULL) {
  566. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  567. goto err;
  568. }
  569. if (EVP_PKEY_auth_decapsulate_init(pctx, spub, params) != 1) {
  570. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  571. goto err;
  572. }
  573. } else {
  574. if (EVP_PKEY_decapsulate_init(pctx, params) != 1) {
  575. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  576. goto err;
  577. }
  578. }
  579. if (EVP_PKEY_decapsulate(pctx, NULL, &lsslen, enc, enclen) != 1) {
  580. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  581. goto err;
  582. }
  583. ctx->shared_secret = OPENSSL_malloc(lsslen);
  584. if (ctx->shared_secret == NULL)
  585. goto err;
  586. if (EVP_PKEY_decapsulate(pctx, ctx->shared_secret, &lsslen,
  587. enc, enclen) != 1) {
  588. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  589. goto err;
  590. }
  591. ctx->shared_secretlen = lsslen;
  592. erv = 1;
  593. err:
  594. EVP_PKEY_CTX_free(pctx);
  595. EVP_PKEY_free(spub);
  596. if (erv == 0) {
  597. OPENSSL_free(ctx->shared_secret);
  598. ctx->shared_secret = NULL;
  599. ctx->shared_secretlen = 0;
  600. }
  601. return erv;
  602. }
  603. /*
  604. * @brief do "middle" of HPKE, between KEM and AEAD
  605. * @param ctx is the OSSL_HPKE_CTX
  606. * @param info is a buffer for the added binding information
  607. * @param infolen is the length of info
  608. * @return 0 for error, 1 for success
  609. *
  610. * This does all the HPKE extracts and expands as defined in RFC9180
  611. * section 5.1, (badly termed there as a "key schedule") and sets the
  612. * ctx fields for the shared_secret, nonce, key and exporter_secret
  613. */
  614. static int hpke_do_middle(OSSL_HPKE_CTX *ctx,
  615. const unsigned char *info, size_t infolen)
  616. {
  617. int erv = 0;
  618. size_t ks_contextlen = OSSL_HPKE_MAXSIZE;
  619. unsigned char ks_context[OSSL_HPKE_MAXSIZE];
  620. size_t halflen = 0;
  621. size_t pskidlen = 0;
  622. const OSSL_HPKE_AEAD_INFO *aead_info = NULL;
  623. const OSSL_HPKE_KDF_INFO *kdf_info = NULL;
  624. size_t secretlen = OSSL_HPKE_MAXSIZE;
  625. unsigned char secret[OSSL_HPKE_MAXSIZE];
  626. EVP_KDF_CTX *kctx = NULL;
  627. unsigned char suitebuf[6];
  628. const char *mdname = NULL;
  629. /* only let this be done once */
  630. if (ctx->exportersec != NULL) {
  631. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  632. return 0;
  633. }
  634. if (ossl_HPKE_KEM_INFO_find_id(ctx->suite.kem_id) == NULL) {
  635. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  636. return 0;
  637. }
  638. aead_info = ossl_HPKE_AEAD_INFO_find_id(ctx->suite.aead_id);
  639. if (aead_info == NULL) {
  640. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  641. return 0;
  642. }
  643. kdf_info = ossl_HPKE_KDF_INFO_find_id(ctx->suite.kdf_id);
  644. if (kdf_info == NULL) {
  645. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  646. return 0;
  647. }
  648. mdname = kdf_info->mdname;
  649. /* create key schedule context */
  650. memset(ks_context, 0, sizeof(ks_context));
  651. ks_context[0] = (unsigned char)(ctx->mode % 256);
  652. ks_contextlen--; /* remaining space */
  653. halflen = kdf_info->Nh;
  654. if ((2 * halflen) > ks_contextlen) {
  655. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  656. return 0;
  657. }
  658. /* check a psk was set if in that mode */
  659. if (ctx->mode == OSSL_HPKE_MODE_PSK
  660. || ctx->mode == OSSL_HPKE_MODE_PSKAUTH) {
  661. if (ctx->psk == NULL || ctx->psklen == 0 || ctx->pskid == NULL) {
  662. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  663. return 0;
  664. }
  665. }
  666. kctx = ossl_kdf_ctx_create("HKDF", mdname, ctx->libctx, ctx->propq);
  667. if (kctx == NULL) {
  668. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  669. return 0;
  670. }
  671. pskidlen = (ctx->psk == NULL ? 0 : strlen(ctx->pskid));
  672. /* full suite details as per RFC9180 sec 5.1 */
  673. suitebuf[0] = ctx->suite.kem_id / 256;
  674. suitebuf[1] = ctx->suite.kem_id % 256;
  675. suitebuf[2] = ctx->suite.kdf_id / 256;
  676. suitebuf[3] = ctx->suite.kdf_id % 256;
  677. suitebuf[4] = ctx->suite.aead_id / 256;
  678. suitebuf[5] = ctx->suite.aead_id % 256;
  679. /* Extract and Expand variously... */
  680. if (ossl_hpke_labeled_extract(kctx, ks_context + 1, halflen,
  681. NULL, 0, OSSL_HPKE_SEC51LABEL,
  682. suitebuf, sizeof(suitebuf),
  683. OSSL_HPKE_PSKIDHASH_LABEL,
  684. (unsigned char *)ctx->pskid, pskidlen) != 1) {
  685. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  686. goto err;
  687. }
  688. if (ossl_hpke_labeled_extract(kctx, ks_context + 1 + halflen, halflen,
  689. NULL, 0, OSSL_HPKE_SEC51LABEL,
  690. suitebuf, sizeof(suitebuf),
  691. OSSL_HPKE_INFOHASH_LABEL,
  692. (unsigned char *)info, infolen) != 1) {
  693. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  694. goto err;
  695. }
  696. ks_contextlen = 1 + 2 * halflen;
  697. secretlen = kdf_info->Nh;
  698. if (secretlen > OSSL_HPKE_MAXSIZE) {
  699. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  700. goto err;
  701. }
  702. if (ossl_hpke_labeled_extract(kctx, secret, secretlen,
  703. ctx->shared_secret, ctx->shared_secretlen,
  704. OSSL_HPKE_SEC51LABEL,
  705. suitebuf, sizeof(suitebuf),
  706. OSSL_HPKE_SECRET_LABEL,
  707. ctx->psk, ctx->psklen) != 1) {
  708. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  709. goto err;
  710. }
  711. if (ctx->suite.aead_id != OSSL_HPKE_AEAD_ID_EXPORTONLY) {
  712. /* we only need nonce/key for non export AEADs */
  713. ctx->noncelen = aead_info->Nn;
  714. ctx->nonce = OPENSSL_malloc(ctx->noncelen);
  715. if (ctx->nonce == NULL)
  716. goto err;
  717. if (ossl_hpke_labeled_expand(kctx, ctx->nonce, ctx->noncelen,
  718. secret, secretlen, OSSL_HPKE_SEC51LABEL,
  719. suitebuf, sizeof(suitebuf),
  720. OSSL_HPKE_NONCE_LABEL,
  721. ks_context, ks_contextlen) != 1) {
  722. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  723. goto err;
  724. }
  725. ctx->keylen = aead_info->Nk;
  726. ctx->key = OPENSSL_malloc(ctx->keylen);
  727. if (ctx->key == NULL)
  728. goto err;
  729. if (ossl_hpke_labeled_expand(kctx, ctx->key, ctx->keylen,
  730. secret, secretlen, OSSL_HPKE_SEC51LABEL,
  731. suitebuf, sizeof(suitebuf),
  732. OSSL_HPKE_KEY_LABEL,
  733. ks_context, ks_contextlen) != 1) {
  734. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  735. goto err;
  736. }
  737. }
  738. ctx->exporterseclen = kdf_info->Nh;
  739. ctx->exportersec = OPENSSL_malloc(ctx->exporterseclen);
  740. if (ctx->exportersec == NULL)
  741. goto err;
  742. if (ossl_hpke_labeled_expand(kctx, ctx->exportersec, ctx->exporterseclen,
  743. secret, secretlen, OSSL_HPKE_SEC51LABEL,
  744. suitebuf, sizeof(suitebuf),
  745. OSSL_HPKE_EXP_LABEL,
  746. ks_context, ks_contextlen) != 1) {
  747. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  748. goto err;
  749. }
  750. erv = 1;
  751. err:
  752. OPENSSL_cleanse(ks_context, OSSL_HPKE_MAXSIZE);
  753. OPENSSL_cleanse(secret, OSSL_HPKE_MAXSIZE);
  754. EVP_KDF_CTX_free(kctx);
  755. return erv;
  756. }
  757. /*
  758. * externally visible functions from below here, API documentation is
  759. * in doc/man3/OSSL_HPKE_CTX_new.pod to avoid duplication
  760. */
  761. OSSL_HPKE_CTX *OSSL_HPKE_CTX_new(int mode, OSSL_HPKE_SUITE suite, int role,
  762. OSSL_LIB_CTX *libctx, const char *propq)
  763. {
  764. OSSL_HPKE_CTX *ctx = NULL;
  765. const OSSL_HPKE_KEM_INFO *kem_info;
  766. const OSSL_HPKE_KDF_INFO *kdf_info;
  767. const OSSL_HPKE_AEAD_INFO *aead_info;
  768. if (hpke_mode_check(mode) != 1) {
  769. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  770. return NULL;
  771. }
  772. if (hpke_suite_check(suite, &kem_info, &kdf_info, &aead_info) != 1) {
  773. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  774. return NULL;
  775. }
  776. if (role != OSSL_HPKE_ROLE_SENDER && role != OSSL_HPKE_ROLE_RECEIVER) {
  777. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  778. return 0;
  779. }
  780. ctx = OPENSSL_zalloc(sizeof(*ctx));
  781. if (ctx == NULL)
  782. return NULL;
  783. ctx->libctx = libctx;
  784. if (propq != NULL) {
  785. ctx->propq = OPENSSL_strdup(propq);
  786. if (ctx->propq == NULL)
  787. goto err;
  788. }
  789. if (suite.aead_id != OSSL_HPKE_AEAD_ID_EXPORTONLY) {
  790. ctx->aead_ciph = EVP_CIPHER_fetch(libctx, aead_info->name, propq);
  791. if (ctx->aead_ciph == NULL) {
  792. ERR_raise(ERR_LIB_CRYPTO, ERR_R_FETCH_FAILED);
  793. goto err;
  794. }
  795. }
  796. ctx->role = role;
  797. ctx->mode = mode;
  798. ctx->suite = suite;
  799. ctx->kem_info = kem_info;
  800. ctx->kdf_info = kdf_info;
  801. ctx->aead_info = aead_info;
  802. return ctx;
  803. err:
  804. EVP_CIPHER_free(ctx->aead_ciph);
  805. OPENSSL_free(ctx);
  806. return NULL;
  807. }
  808. void OSSL_HPKE_CTX_free(OSSL_HPKE_CTX *ctx)
  809. {
  810. if (ctx == NULL)
  811. return;
  812. EVP_CIPHER_free(ctx->aead_ciph);
  813. OPENSSL_free(ctx->propq);
  814. OPENSSL_clear_free(ctx->exportersec, ctx->exporterseclen);
  815. OPENSSL_free(ctx->pskid);
  816. OPENSSL_clear_free(ctx->psk, ctx->psklen);
  817. OPENSSL_clear_free(ctx->key, ctx->keylen);
  818. OPENSSL_clear_free(ctx->nonce, ctx->noncelen);
  819. OPENSSL_clear_free(ctx->shared_secret, ctx->shared_secretlen);
  820. OPENSSL_clear_free(ctx->ikme, ctx->ikmelen);
  821. EVP_PKEY_free(ctx->authpriv);
  822. OPENSSL_free(ctx->authpub);
  823. OPENSSL_free(ctx);
  824. return;
  825. }
  826. int OSSL_HPKE_CTX_set1_psk(OSSL_HPKE_CTX *ctx,
  827. const char *pskid,
  828. const unsigned char *psk, size_t psklen)
  829. {
  830. if (ctx == NULL || pskid == NULL || psk == NULL || psklen == 0) {
  831. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  832. return 0;
  833. }
  834. if (psklen > OSSL_HPKE_MAX_PARMLEN) {
  835. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  836. return 0;
  837. }
  838. if (psklen < OSSL_HPKE_MIN_PSKLEN) {
  839. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  840. return 0;
  841. }
  842. if (strlen(pskid) > OSSL_HPKE_MAX_PARMLEN) {
  843. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  844. return 0;
  845. }
  846. if (strlen(pskid) == 0) {
  847. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  848. return 0;
  849. }
  850. if (ctx->mode != OSSL_HPKE_MODE_PSK
  851. && ctx->mode != OSSL_HPKE_MODE_PSKAUTH) {
  852. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  853. return 0;
  854. }
  855. /* free previous values if any */
  856. OPENSSL_clear_free(ctx->psk, ctx->psklen);
  857. ctx->psk = OPENSSL_memdup(psk, psklen);
  858. if (ctx->psk == NULL)
  859. return 0;
  860. ctx->psklen = psklen;
  861. OPENSSL_free(ctx->pskid);
  862. ctx->pskid = OPENSSL_strdup(pskid);
  863. if (ctx->pskid == NULL) {
  864. OPENSSL_clear_free(ctx->psk, ctx->psklen);
  865. ctx->psk = NULL;
  866. ctx->psklen = 0;
  867. return 0;
  868. }
  869. return 1;
  870. }
  871. int OSSL_HPKE_CTX_set1_ikme(OSSL_HPKE_CTX *ctx,
  872. const unsigned char *ikme, size_t ikmelen)
  873. {
  874. if (ctx == NULL || ikme == NULL) {
  875. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
  876. return 0;
  877. }
  878. if (ikmelen == 0 || ikmelen > OSSL_HPKE_MAX_PARMLEN) {
  879. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  880. return 0;
  881. }
  882. if (ctx->role != OSSL_HPKE_ROLE_SENDER) {
  883. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  884. return 0;
  885. }
  886. OPENSSL_clear_free(ctx->ikme, ctx->ikmelen);
  887. ctx->ikme = OPENSSL_memdup(ikme, ikmelen);
  888. if (ctx->ikme == NULL)
  889. return 0;
  890. ctx->ikmelen = ikmelen;
  891. return 1;
  892. }
  893. int OSSL_HPKE_CTX_set1_authpriv(OSSL_HPKE_CTX *ctx, EVP_PKEY *priv)
  894. {
  895. if (ctx == NULL || priv == NULL) {
  896. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
  897. return 0;
  898. }
  899. if (ctx->mode != OSSL_HPKE_MODE_AUTH
  900. && ctx->mode != OSSL_HPKE_MODE_PSKAUTH) {
  901. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  902. return 0;
  903. }
  904. if (ctx->role != OSSL_HPKE_ROLE_SENDER) {
  905. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  906. return 0;
  907. }
  908. EVP_PKEY_free(ctx->authpriv);
  909. ctx->authpriv = EVP_PKEY_dup(priv);
  910. if (ctx->authpriv == NULL)
  911. return 0;
  912. return 1;
  913. }
  914. int OSSL_HPKE_CTX_set1_authpub(OSSL_HPKE_CTX *ctx,
  915. const unsigned char *pub, size_t publen)
  916. {
  917. int erv = 0;
  918. EVP_PKEY *pubp = NULL;
  919. unsigned char *lpub = NULL;
  920. size_t lpublen = 0;
  921. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  922. if (ctx == NULL || pub == NULL || publen == 0) {
  923. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
  924. return 0;
  925. }
  926. if (ctx->mode != OSSL_HPKE_MODE_AUTH
  927. && ctx->mode != OSSL_HPKE_MODE_PSKAUTH) {
  928. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  929. return 0;
  930. }
  931. if (ctx->role != OSSL_HPKE_ROLE_RECEIVER) {
  932. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  933. return 0;
  934. }
  935. /* check the value seems like a good public key for this kem */
  936. kem_info = ossl_HPKE_KEM_INFO_find_id(ctx->suite.kem_id);
  937. if (kem_info == NULL)
  938. return 0;
  939. if (hpke_kem_id_nist_curve(ctx->suite.kem_id) == 1) {
  940. pubp = evp_pkey_new_raw_nist_public_key(ctx->libctx, ctx->propq,
  941. kem_info->groupname,
  942. pub, publen);
  943. } else {
  944. pubp = EVP_PKEY_new_raw_public_key_ex(ctx->libctx,
  945. kem_info->keytype,
  946. ctx->propq,
  947. pub, publen);
  948. }
  949. if (pubp == NULL) {
  950. /* can happen based on external input - buffer value may be garbage */
  951. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  952. goto err;
  953. }
  954. /*
  955. * extract out the public key in encoded form so we
  956. * should be fine even if given compressed form
  957. */
  958. lpub = OPENSSL_malloc(OSSL_HPKE_MAXSIZE);
  959. if (lpub == NULL)
  960. goto err;
  961. if (EVP_PKEY_get_octet_string_param(pubp,
  962. OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
  963. lpub, OSSL_HPKE_MAXSIZE, &lpublen)
  964. != 1) {
  965. OPENSSL_free(lpub);
  966. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  967. goto err;
  968. }
  969. /* free up old value */
  970. OPENSSL_free(ctx->authpub);
  971. ctx->authpub = lpub;
  972. ctx->authpublen = lpublen;
  973. erv = 1;
  974. err:
  975. EVP_PKEY_free(pubp);
  976. return erv;
  977. }
  978. int OSSL_HPKE_CTX_get_seq(OSSL_HPKE_CTX *ctx, uint64_t *seq)
  979. {
  980. if (ctx == NULL || seq == NULL) {
  981. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
  982. return 0;
  983. }
  984. *seq = ctx->seq;
  985. return 1;
  986. }
  987. int OSSL_HPKE_CTX_set_seq(OSSL_HPKE_CTX *ctx, uint64_t seq)
  988. {
  989. if (ctx == NULL) {
  990. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
  991. return 0;
  992. }
  993. /*
  994. * We disallow senders from doing this as it's dangerous
  995. * Receivers are ok to use this, as no harm should ensue
  996. * if they go wrong.
  997. */
  998. if (ctx->role == OSSL_HPKE_ROLE_SENDER) {
  999. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1000. return 0;
  1001. }
  1002. ctx->seq = seq;
  1003. return 1;
  1004. }
  1005. int OSSL_HPKE_encap(OSSL_HPKE_CTX *ctx,
  1006. unsigned char *enc, size_t *enclen,
  1007. const unsigned char *pub, size_t publen,
  1008. const unsigned char *info, size_t infolen)
  1009. {
  1010. int erv = 1;
  1011. size_t minenc = 0;
  1012. if (ctx == NULL || enc == NULL || enclen == NULL || *enclen == 0
  1013. || pub == NULL || publen == 0) {
  1014. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1015. return 0;
  1016. }
  1017. if (ctx->role != OSSL_HPKE_ROLE_SENDER) {
  1018. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1019. return 0;
  1020. }
  1021. if (infolen > OSSL_HPKE_MAX_INFOLEN) {
  1022. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1023. return 0;
  1024. }
  1025. if (infolen > 0 && info == NULL) {
  1026. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1027. return 0;
  1028. }
  1029. minenc = OSSL_HPKE_get_public_encap_size(ctx->suite);
  1030. if (minenc == 0 || minenc > *enclen) {
  1031. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1032. return 0;
  1033. }
  1034. if (ctx->shared_secret != NULL) {
  1035. /* only allow one encap per OSSL_HPKE_CTX */
  1036. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1037. return 0;
  1038. }
  1039. if (hpke_encap(ctx, enc, enclen, pub, publen) != 1) {
  1040. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1041. return 0;
  1042. }
  1043. /*
  1044. * note that the info is not part of the context as it
  1045. * only needs to be used once here so doesn't need to
  1046. * be stored
  1047. */
  1048. erv = hpke_do_middle(ctx, info, infolen);
  1049. return erv;
  1050. }
  1051. int OSSL_HPKE_decap(OSSL_HPKE_CTX *ctx,
  1052. const unsigned char *enc, size_t enclen,
  1053. EVP_PKEY *recippriv,
  1054. const unsigned char *info, size_t infolen)
  1055. {
  1056. int erv = 1;
  1057. size_t minenc = 0;
  1058. if (ctx == NULL || enc == NULL || enclen == 0 || recippriv == NULL) {
  1059. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1060. return 0;
  1061. }
  1062. if (ctx->role != OSSL_HPKE_ROLE_RECEIVER) {
  1063. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1064. return 0;
  1065. }
  1066. if (infolen > OSSL_HPKE_MAX_INFOLEN) {
  1067. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1068. return 0;
  1069. }
  1070. if (infolen > 0 && info == NULL) {
  1071. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1072. return 0;
  1073. }
  1074. minenc = OSSL_HPKE_get_public_encap_size(ctx->suite);
  1075. if (minenc == 0 || minenc > enclen) {
  1076. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1077. return 0;
  1078. }
  1079. if (ctx->shared_secret != NULL) {
  1080. /* only allow one encap per OSSL_HPKE_CTX */
  1081. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1082. return 0;
  1083. }
  1084. erv = hpke_decap(ctx, enc, enclen, recippriv);
  1085. if (erv != 1) {
  1086. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1087. return 0;
  1088. }
  1089. /*
  1090. * note that the info is not part of the context as it
  1091. * only needs to be used once here so doesn't need to
  1092. * be stored
  1093. */
  1094. erv = hpke_do_middle(ctx, info, infolen);
  1095. return erv;
  1096. }
  1097. int OSSL_HPKE_seal(OSSL_HPKE_CTX *ctx,
  1098. unsigned char *ct, size_t *ctlen,
  1099. const unsigned char *aad, size_t aadlen,
  1100. const unsigned char *pt, size_t ptlen)
  1101. {
  1102. unsigned char seqbuf[OSSL_HPKE_MAX_NONCELEN];
  1103. size_t seqlen = 0;
  1104. if (ctx == NULL || ct == NULL || ctlen == NULL || *ctlen == 0
  1105. || pt == NULL || ptlen == 0) {
  1106. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1107. return 0;
  1108. }
  1109. if (ctx->role != OSSL_HPKE_ROLE_SENDER) {
  1110. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1111. return 0;
  1112. }
  1113. if ((ctx->seq + 1) == 0) { /* wrap around imminent !!! */
  1114. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1115. return 0;
  1116. }
  1117. if (ctx->key == NULL || ctx->nonce == NULL) {
  1118. /* need to have done an encap first, info can be NULL */
  1119. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1120. return 0;
  1121. }
  1122. seqlen = hpke_seqnonce2buf(ctx, seqbuf, sizeof(seqbuf));
  1123. if (seqlen == 0) {
  1124. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1125. return 0;
  1126. }
  1127. if (hpke_aead_enc(ctx, seqbuf, aad, aadlen, pt, ptlen, ct, ctlen) != 1) {
  1128. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1129. OPENSSL_cleanse(seqbuf, sizeof(seqbuf));
  1130. return 0;
  1131. } else {
  1132. ctx->seq++;
  1133. }
  1134. OPENSSL_cleanse(seqbuf, sizeof(seqbuf));
  1135. return 1;
  1136. }
  1137. int OSSL_HPKE_open(OSSL_HPKE_CTX *ctx,
  1138. unsigned char *pt, size_t *ptlen,
  1139. const unsigned char *aad, size_t aadlen,
  1140. const unsigned char *ct, size_t ctlen)
  1141. {
  1142. unsigned char seqbuf[OSSL_HPKE_MAX_NONCELEN];
  1143. size_t seqlen = 0;
  1144. if (ctx == NULL || pt == NULL || ptlen == NULL || *ptlen == 0
  1145. || ct == NULL || ctlen == 0) {
  1146. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1147. return 0;
  1148. }
  1149. if (ctx->role != OSSL_HPKE_ROLE_RECEIVER) {
  1150. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1151. return 0;
  1152. }
  1153. if ((ctx->seq + 1) == 0) { /* wrap around imminent !!! */
  1154. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1155. return 0;
  1156. }
  1157. if (ctx->key == NULL || ctx->nonce == NULL) {
  1158. /* need to have done an encap first, info can be NULL */
  1159. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1160. return 0;
  1161. }
  1162. seqlen = hpke_seqnonce2buf(ctx, seqbuf, sizeof(seqbuf));
  1163. if (seqlen == 0) {
  1164. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1165. return 0;
  1166. }
  1167. if (hpke_aead_dec(ctx, seqbuf, aad, aadlen, ct, ctlen, pt, ptlen) != 1) {
  1168. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1169. OPENSSL_cleanse(seqbuf, sizeof(seqbuf));
  1170. return 0;
  1171. }
  1172. ctx->seq++;
  1173. OPENSSL_cleanse(seqbuf, sizeof(seqbuf));
  1174. return 1;
  1175. }
  1176. int OSSL_HPKE_export(OSSL_HPKE_CTX *ctx,
  1177. unsigned char *secret, size_t secretlen,
  1178. const unsigned char *label, size_t labellen)
  1179. {
  1180. int erv = 0;
  1181. EVP_KDF_CTX *kctx = NULL;
  1182. unsigned char suitebuf[6];
  1183. const char *mdname = NULL;
  1184. const OSSL_HPKE_KDF_INFO *kdf_info = NULL;
  1185. if (ctx == NULL || secret == NULL || secretlen == 0) {
  1186. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1187. return 0;
  1188. }
  1189. if (labellen > OSSL_HPKE_MAX_PARMLEN) {
  1190. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1191. return 0;
  1192. }
  1193. if (labellen > 0 && label == NULL) {
  1194. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1195. return 0;
  1196. }
  1197. if (ctx->exportersec == NULL) {
  1198. ERR_raise(ERR_LIB_CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1199. return 0;
  1200. }
  1201. kdf_info = ossl_HPKE_KDF_INFO_find_id(ctx->suite.kdf_id);
  1202. if (kdf_info == NULL) {
  1203. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1204. return 0;
  1205. }
  1206. mdname = kdf_info->mdname;
  1207. kctx = ossl_kdf_ctx_create("HKDF", mdname, ctx->libctx, ctx->propq);
  1208. if (kctx == NULL) {
  1209. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1210. return 0;
  1211. }
  1212. /* full suiteid as per RFC9180 sec 5.3 */
  1213. suitebuf[0] = ctx->suite.kem_id / 256;
  1214. suitebuf[1] = ctx->suite.kem_id % 256;
  1215. suitebuf[2] = ctx->suite.kdf_id / 256;
  1216. suitebuf[3] = ctx->suite.kdf_id % 256;
  1217. suitebuf[4] = ctx->suite.aead_id / 256;
  1218. suitebuf[5] = ctx->suite.aead_id % 256;
  1219. erv = ossl_hpke_labeled_expand(kctx, secret, secretlen,
  1220. ctx->exportersec, ctx->exporterseclen,
  1221. OSSL_HPKE_SEC51LABEL,
  1222. suitebuf, sizeof(suitebuf),
  1223. OSSL_HPKE_EXP_SEC_LABEL,
  1224. label, labellen);
  1225. EVP_KDF_CTX_free(kctx);
  1226. if (erv != 1)
  1227. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1228. return erv;
  1229. }
  1230. int OSSL_HPKE_keygen(OSSL_HPKE_SUITE suite,
  1231. unsigned char *pub, size_t *publen, EVP_PKEY **priv,
  1232. const unsigned char *ikm, size_t ikmlen,
  1233. OSSL_LIB_CTX *libctx, const char *propq)
  1234. {
  1235. int erv = 0; /* Our error return value - 1 is success */
  1236. EVP_PKEY_CTX *pctx = NULL;
  1237. EVP_PKEY *skR = NULL;
  1238. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  1239. OSSL_PARAM params[3], *p = params;
  1240. if (pub == NULL || publen == NULL || *publen == 0 || priv == NULL) {
  1241. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1242. return 0;
  1243. }
  1244. if (hpke_suite_check(suite, &kem_info, NULL, NULL) != 1) {
  1245. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1246. return 0;
  1247. }
  1248. if ((ikmlen > 0 && ikm == NULL)
  1249. || (ikmlen == 0 && ikm != NULL)
  1250. || ikmlen > OSSL_HPKE_MAX_PARMLEN) {
  1251. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1252. return 0;
  1253. }
  1254. if (hpke_kem_id_nist_curve(suite.kem_id) == 1) {
  1255. *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
  1256. (char *)kem_info->groupname, 0);
  1257. pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
  1258. } else {
  1259. pctx = EVP_PKEY_CTX_new_from_name(libctx, kem_info->keytype, propq);
  1260. }
  1261. if (pctx == NULL
  1262. || EVP_PKEY_keygen_init(pctx) <= 0) {
  1263. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1264. goto err;
  1265. }
  1266. if (ikm != NULL)
  1267. *p++ = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_DHKEM_IKM,
  1268. (char *)ikm, ikmlen);
  1269. *p = OSSL_PARAM_construct_end();
  1270. if (EVP_PKEY_CTX_set_params(pctx, params) <= 0) {
  1271. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1272. goto err;
  1273. }
  1274. if (EVP_PKEY_generate(pctx, &skR) <= 0) {
  1275. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1276. goto err;
  1277. }
  1278. EVP_PKEY_CTX_free(pctx);
  1279. pctx = NULL;
  1280. if (EVP_PKEY_get_octet_string_param(skR, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
  1281. pub, *publen, publen) != 1) {
  1282. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1283. goto err;
  1284. }
  1285. *priv = skR;
  1286. erv = 1;
  1287. err:
  1288. if (erv != 1)
  1289. EVP_PKEY_free(skR);
  1290. EVP_PKEY_CTX_free(pctx);
  1291. return erv;
  1292. }
  1293. int OSSL_HPKE_suite_check(OSSL_HPKE_SUITE suite)
  1294. {
  1295. return hpke_suite_check(suite, NULL, NULL, NULL);
  1296. }
  1297. int OSSL_HPKE_get_grease_value(const OSSL_HPKE_SUITE *suite_in,
  1298. OSSL_HPKE_SUITE *suite,
  1299. unsigned char *enc, size_t *enclen,
  1300. unsigned char *ct, size_t ctlen,
  1301. OSSL_LIB_CTX *libctx, const char *propq)
  1302. {
  1303. OSSL_HPKE_SUITE chosen;
  1304. size_t plen = 0;
  1305. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  1306. const OSSL_HPKE_AEAD_INFO *aead_info = NULL;
  1307. EVP_PKEY *fakepriv = NULL;
  1308. if (enc == NULL || enclen == 0
  1309. || ct == NULL || ctlen == 0 || suite == NULL) {
  1310. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
  1311. return 0;
  1312. }
  1313. if (suite_in == NULL) {
  1314. /* choose a random suite */
  1315. if (hpke_random_suite(libctx, propq, &chosen) != 1) {
  1316. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1317. goto err;
  1318. }
  1319. } else {
  1320. chosen = *suite_in;
  1321. }
  1322. if (hpke_suite_check(chosen, &kem_info, NULL, &aead_info) != 1) {
  1323. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1324. goto err;
  1325. }
  1326. *suite = chosen;
  1327. /* make sure room for tag and one plaintext octet */
  1328. if (aead_info->taglen >= ctlen) {
  1329. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1330. goto err;
  1331. }
  1332. /* publen */
  1333. plen = kem_info->Npk;
  1334. if (plen > *enclen) {
  1335. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1336. goto err;
  1337. }
  1338. /*
  1339. * In order for our enc to look good for sure, we generate and then
  1340. * delete a real key for that curve - bit OTT but it ensures we do
  1341. * get the encoding right (e.g. 0x04 as 1st octet for NIST curves in
  1342. * uncompressed form) and that the value really does map to a point on
  1343. * the relevant curve.
  1344. */
  1345. if (OSSL_HPKE_keygen(chosen, enc, enclen, &fakepriv, NULL, 0,
  1346. libctx, propq) != 1) {
  1347. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1348. goto err;
  1349. }
  1350. EVP_PKEY_free(fakepriv);
  1351. if (RAND_bytes_ex(libctx, ct, ctlen, 0) <= 0) {
  1352. ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
  1353. goto err;
  1354. }
  1355. return 1;
  1356. err:
  1357. return 0;
  1358. }
  1359. int OSSL_HPKE_str2suite(const char *str, OSSL_HPKE_SUITE *suite)
  1360. {
  1361. return ossl_hpke_str2suite(str, suite);
  1362. }
  1363. size_t OSSL_HPKE_get_ciphertext_size(OSSL_HPKE_SUITE suite, size_t clearlen)
  1364. {
  1365. size_t enclen = 0;
  1366. size_t cipherlen = 0;
  1367. if (hpke_expansion(suite, &enclen, clearlen, &cipherlen) != 1)
  1368. return 0;
  1369. return cipherlen;
  1370. }
  1371. size_t OSSL_HPKE_get_public_encap_size(OSSL_HPKE_SUITE suite)
  1372. {
  1373. size_t enclen = 0;
  1374. size_t cipherlen = 0;
  1375. size_t clearlen = 16;
  1376. if (hpke_expansion(suite, &enclen, clearlen, &cipherlen) != 1)
  1377. return 0;
  1378. return enclen;
  1379. }
  1380. size_t OSSL_HPKE_get_recommended_ikmelen(OSSL_HPKE_SUITE suite)
  1381. {
  1382. const OSSL_HPKE_KEM_INFO *kem_info = NULL;
  1383. if (hpke_suite_check(suite, &kem_info, NULL, NULL) != 1)
  1384. return 0;
  1385. if (kem_info == NULL)
  1386. return 0;
  1387. return kem_info->Nsk;
  1388. }