2
0

hkdf.c 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774
  1. /*
  2. * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * HMAC low level APIs are deprecated for public use, but still ok for internal
  11. * use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdlib.h>
  15. #include <stdarg.h>
  16. #include <string.h>
  17. #include <openssl/hmac.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/kdf.h>
  20. #include <openssl/core_names.h>
  21. #include <openssl/proverr.h>
  22. #include "internal/cryptlib.h"
  23. #include "internal/numbers.h"
  24. #include "internal/packet.h"
  25. #include "crypto/evp.h"
  26. #include "prov/provider_ctx.h"
  27. #include "prov/providercommon.h"
  28. #include "prov/implementations.h"
  29. #include "prov/provider_util.h"
  30. #include "internal/e_os.h"
  31. #define HKDF_MAXBUF 2048
  32. static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new;
  33. static OSSL_FUNC_kdf_dupctx_fn kdf_hkdf_dup;
  34. static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free;
  35. static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset;
  36. static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive;
  37. static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
  38. static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
  39. static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
  40. static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
  41. static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
  42. static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
  43. static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
  44. static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  45. const unsigned char *salt, size_t salt_len,
  46. const unsigned char *key, size_t key_len,
  47. const unsigned char *info, size_t info_len,
  48. unsigned char *okm, size_t okm_len);
  49. static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  50. const unsigned char *salt, size_t salt_len,
  51. const unsigned char *ikm, size_t ikm_len,
  52. unsigned char *prk, size_t prk_len);
  53. static int HKDF_Expand(const EVP_MD *evp_md,
  54. const unsigned char *prk, size_t prk_len,
  55. const unsigned char *info, size_t info_len,
  56. unsigned char *okm, size_t okm_len);
  57. /* Settable context parameters that are common across HKDF and the TLS KDF */
  58. #define HKDF_COMMON_SETTABLES \
  59. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_MODE, NULL, 0), \
  60. OSSL_PARAM_int(OSSL_KDF_PARAM_MODE, NULL), \
  61. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), \
  62. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), \
  63. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), \
  64. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0)
  65. typedef struct {
  66. void *provctx;
  67. int mode;
  68. PROV_DIGEST digest;
  69. unsigned char *salt;
  70. size_t salt_len;
  71. unsigned char *key;
  72. size_t key_len;
  73. unsigned char *prefix;
  74. size_t prefix_len;
  75. unsigned char *label;
  76. size_t label_len;
  77. unsigned char *data;
  78. size_t data_len;
  79. unsigned char info[HKDF_MAXBUF];
  80. size_t info_len;
  81. } KDF_HKDF;
  82. static void *kdf_hkdf_new(void *provctx)
  83. {
  84. KDF_HKDF *ctx;
  85. if (!ossl_prov_is_running())
  86. return NULL;
  87. if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
  88. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  89. else
  90. ctx->provctx = provctx;
  91. return ctx;
  92. }
  93. static void kdf_hkdf_free(void *vctx)
  94. {
  95. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  96. if (ctx != NULL) {
  97. kdf_hkdf_reset(ctx);
  98. OPENSSL_free(ctx);
  99. }
  100. }
  101. static void kdf_hkdf_reset(void *vctx)
  102. {
  103. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  104. void *provctx = ctx->provctx;
  105. ossl_prov_digest_reset(&ctx->digest);
  106. OPENSSL_free(ctx->salt);
  107. OPENSSL_free(ctx->prefix);
  108. OPENSSL_free(ctx->label);
  109. OPENSSL_clear_free(ctx->data, ctx->data_len);
  110. OPENSSL_clear_free(ctx->key, ctx->key_len);
  111. OPENSSL_cleanse(ctx->info, ctx->info_len);
  112. memset(ctx, 0, sizeof(*ctx));
  113. ctx->provctx = provctx;
  114. }
  115. static void *kdf_hkdf_dup(void *vctx)
  116. {
  117. const KDF_HKDF *src = (const KDF_HKDF *)vctx;
  118. KDF_HKDF *dest;
  119. dest = kdf_hkdf_new(src->provctx);
  120. if (dest != NULL) {
  121. if (!ossl_prov_memdup(src->salt, src->salt_len, &dest->salt,
  122. &dest->salt_len)
  123. || !ossl_prov_memdup(src->key, src->key_len,
  124. &dest->key , &dest->key_len)
  125. || !ossl_prov_memdup(src->prefix, src->prefix_len,
  126. &dest->prefix, &dest->prefix_len)
  127. || !ossl_prov_memdup(src->label, src->label_len,
  128. &dest->label, &dest->label_len)
  129. || !ossl_prov_memdup(src->data, src->data_len,
  130. &dest->data, &dest->data_len)
  131. || !ossl_prov_digest_copy(&dest->digest, &src->digest))
  132. goto err;
  133. memcpy(dest->info, src->info, sizeof(dest->info));
  134. dest->info_len = src->info_len;
  135. dest->mode = src->mode;
  136. }
  137. return dest;
  138. err:
  139. kdf_hkdf_free(dest);
  140. return NULL;
  141. }
  142. static size_t kdf_hkdf_size(KDF_HKDF *ctx)
  143. {
  144. int sz;
  145. const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
  146. if (ctx->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
  147. return SIZE_MAX;
  148. if (md == NULL) {
  149. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  150. return 0;
  151. }
  152. sz = EVP_MD_get_size(md);
  153. if (sz < 0)
  154. return 0;
  155. return sz;
  156. }
  157. static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
  158. const OSSL_PARAM params[])
  159. {
  160. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  161. OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
  162. const EVP_MD *md;
  163. if (!ossl_prov_is_running() || !kdf_hkdf_set_ctx_params(ctx, params))
  164. return 0;
  165. md = ossl_prov_digest_md(&ctx->digest);
  166. if (md == NULL) {
  167. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  168. return 0;
  169. }
  170. if (ctx->key == NULL) {
  171. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
  172. return 0;
  173. }
  174. if (keylen == 0) {
  175. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
  176. return 0;
  177. }
  178. switch (ctx->mode) {
  179. case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
  180. default:
  181. return HKDF(libctx, md, ctx->salt, ctx->salt_len,
  182. ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen);
  183. case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
  184. return HKDF_Extract(libctx, md, ctx->salt, ctx->salt_len,
  185. ctx->key, ctx->key_len, key, keylen);
  186. case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
  187. return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info,
  188. ctx->info_len, key, keylen);
  189. }
  190. }
  191. static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[])
  192. {
  193. OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
  194. const OSSL_PARAM *p;
  195. int n;
  196. if (params == NULL)
  197. return 1;
  198. if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
  199. return 0;
  200. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) {
  201. if (p->data_type == OSSL_PARAM_UTF8_STRING) {
  202. if (OPENSSL_strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) {
  203. ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND;
  204. } else if (OPENSSL_strcasecmp(p->data, "EXTRACT_ONLY") == 0) {
  205. ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
  206. } else if (OPENSSL_strcasecmp(p->data, "EXPAND_ONLY") == 0) {
  207. ctx->mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
  208. } else {
  209. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  210. return 0;
  211. }
  212. } else if (OSSL_PARAM_get_int(p, &n)) {
  213. if (n != EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
  214. && n != EVP_KDF_HKDF_MODE_EXTRACT_ONLY
  215. && n != EVP_KDF_HKDF_MODE_EXPAND_ONLY) {
  216. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  217. return 0;
  218. }
  219. ctx->mode = n;
  220. } else {
  221. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  222. return 0;
  223. }
  224. }
  225. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL) {
  226. OPENSSL_clear_free(ctx->key, ctx->key_len);
  227. ctx->key = NULL;
  228. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->key, 0,
  229. &ctx->key_len))
  230. return 0;
  231. }
  232. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
  233. if (p->data_size != 0 && p->data != NULL) {
  234. OPENSSL_free(ctx->salt);
  235. ctx->salt = NULL;
  236. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0,
  237. &ctx->salt_len))
  238. return 0;
  239. }
  240. }
  241. return 1;
  242. }
  243. static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  244. {
  245. const OSSL_PARAM *p;
  246. KDF_HKDF *ctx = vctx;
  247. if (params == NULL)
  248. return 1;
  249. if (!hkdf_common_set_ctx_params(ctx, params))
  250. return 0;
  251. /* The info fields concatenate, so process them all */
  252. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_INFO)) != NULL) {
  253. ctx->info_len = 0;
  254. for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1,
  255. OSSL_KDF_PARAM_INFO)) {
  256. const void *q = ctx->info + ctx->info_len;
  257. size_t sz = 0;
  258. if (p->data_size != 0
  259. && p->data != NULL
  260. && !OSSL_PARAM_get_octet_string(p, (void **)&q,
  261. HKDF_MAXBUF - ctx->info_len,
  262. &sz))
  263. return 0;
  264. ctx->info_len += sz;
  265. }
  266. }
  267. return 1;
  268. }
  269. static const OSSL_PARAM *kdf_hkdf_settable_ctx_params(ossl_unused void *ctx,
  270. ossl_unused void *provctx)
  271. {
  272. static const OSSL_PARAM known_settable_ctx_params[] = {
  273. HKDF_COMMON_SETTABLES,
  274. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
  275. OSSL_PARAM_END
  276. };
  277. return known_settable_ctx_params;
  278. }
  279. static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
  280. {
  281. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  282. OSSL_PARAM *p;
  283. if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
  284. size_t sz = kdf_hkdf_size(ctx);
  285. if (sz == 0)
  286. return 0;
  287. return OSSL_PARAM_set_size_t(p, sz);
  288. }
  289. return -2;
  290. }
  291. static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
  292. ossl_unused void *provctx)
  293. {
  294. static const OSSL_PARAM known_gettable_ctx_params[] = {
  295. OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
  296. OSSL_PARAM_END
  297. };
  298. return known_gettable_ctx_params;
  299. }
  300. const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = {
  301. { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
  302. { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
  303. { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
  304. { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
  305. { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_hkdf_derive },
  306. { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
  307. (void(*)(void))kdf_hkdf_settable_ctx_params },
  308. { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_hkdf_set_ctx_params },
  309. { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
  310. (void(*)(void))kdf_hkdf_gettable_ctx_params },
  311. { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params },
  312. { 0, NULL }
  313. };
  314. /*
  315. * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
  316. * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and
  317. * "Cryptographic Extraction and Key Derivation: The HKDF Scheme"
  318. * Section 4.2 (https://eprint.iacr.org/2010/264.pdf).
  319. *
  320. * From the paper:
  321. * The scheme HKDF is specified as:
  322. * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t)
  323. *
  324. * where:
  325. * SKM is source key material
  326. * XTS is extractor salt (which may be null or constant)
  327. * CTXinfo is context information (may be null)
  328. * L is the number of key bits to be produced by KDF
  329. * k is the output length in bits of the hash function used with HMAC
  330. * t = ceil(L/k)
  331. * the value K(t) is truncated to its first d = L mod k bits.
  332. *
  333. * From RFC 5869:
  334. * 2.2. Step 1: Extract
  335. * HKDF-Extract(salt, IKM) -> PRK
  336. * 2.3. Step 2: Expand
  337. * HKDF-Expand(PRK, info, L) -> OKM
  338. */
  339. static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  340. const unsigned char *salt, size_t salt_len,
  341. const unsigned char *ikm, size_t ikm_len,
  342. const unsigned char *info, size_t info_len,
  343. unsigned char *okm, size_t okm_len)
  344. {
  345. unsigned char prk[EVP_MAX_MD_SIZE];
  346. int ret, sz;
  347. size_t prk_len;
  348. sz = EVP_MD_get_size(evp_md);
  349. if (sz < 0)
  350. return 0;
  351. prk_len = (size_t)sz;
  352. /* Step 1: HKDF-Extract(salt, IKM) -> PRK */
  353. if (!HKDF_Extract(libctx, evp_md,
  354. salt, salt_len, ikm, ikm_len, prk, prk_len))
  355. return 0;
  356. /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */
  357. ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
  358. OPENSSL_cleanse(prk, sizeof(prk));
  359. return ret;
  360. }
  361. /*
  362. * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
  363. * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2).
  364. *
  365. * 2.2. Step 1: Extract
  366. *
  367. * HKDF-Extract(salt, IKM) -> PRK
  368. *
  369. * Options:
  370. * Hash a hash function; HashLen denotes the length of the
  371. * hash function output in octets
  372. *
  373. * Inputs:
  374. * salt optional salt value (a non-secret random value);
  375. * if not provided, it is set to a string of HashLen zeros.
  376. * IKM input keying material
  377. *
  378. * Output:
  379. * PRK a pseudorandom key (of HashLen octets)
  380. *
  381. * The output PRK is calculated as follows:
  382. *
  383. * PRK = HMAC-Hash(salt, IKM)
  384. */
  385. static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
  386. const unsigned char *salt, size_t salt_len,
  387. const unsigned char *ikm, size_t ikm_len,
  388. unsigned char *prk, size_t prk_len)
  389. {
  390. int sz = EVP_MD_get_size(evp_md);
  391. if (sz < 0)
  392. return 0;
  393. if (prk_len != (size_t)sz) {
  394. ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE);
  395. return 0;
  396. }
  397. /* calc: PRK = HMAC-Hash(salt, IKM) */
  398. return
  399. EVP_Q_mac(libctx, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL, salt,
  400. salt_len, ikm, ikm_len, prk, EVP_MD_get_size(evp_md), NULL)
  401. != NULL;
  402. }
  403. /*
  404. * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"
  405. * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3).
  406. *
  407. * 2.3. Step 2: Expand
  408. *
  409. * HKDF-Expand(PRK, info, L) -> OKM
  410. *
  411. * Options:
  412. * Hash a hash function; HashLen denotes the length of the
  413. * hash function output in octets
  414. *
  415. * Inputs:
  416. * PRK a pseudorandom key of at least HashLen octets
  417. * (usually, the output from the extract step)
  418. * info optional context and application specific information
  419. * (can be a zero-length string)
  420. * L length of output keying material in octets
  421. * (<= 255*HashLen)
  422. *
  423. * Output:
  424. * OKM output keying material (of L octets)
  425. *
  426. * The output OKM is calculated as follows:
  427. *
  428. * N = ceil(L/HashLen)
  429. * T = T(1) | T(2) | T(3) | ... | T(N)
  430. * OKM = first L octets of T
  431. *
  432. * where:
  433. * T(0) = empty string (zero length)
  434. * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
  435. * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
  436. * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
  437. * ...
  438. *
  439. * (where the constant concatenated to the end of each T(n) is a
  440. * single octet.)
  441. */
  442. static int HKDF_Expand(const EVP_MD *evp_md,
  443. const unsigned char *prk, size_t prk_len,
  444. const unsigned char *info, size_t info_len,
  445. unsigned char *okm, size_t okm_len)
  446. {
  447. HMAC_CTX *hmac;
  448. int ret = 0, sz;
  449. unsigned int i;
  450. unsigned char prev[EVP_MAX_MD_SIZE];
  451. size_t done_len = 0, dig_len, n;
  452. sz = EVP_MD_get_size(evp_md);
  453. if (sz <= 0)
  454. return 0;
  455. dig_len = (size_t)sz;
  456. /* calc: N = ceil(L/HashLen) */
  457. n = okm_len / dig_len;
  458. if (okm_len % dig_len)
  459. n++;
  460. if (n > 255 || okm == NULL)
  461. return 0;
  462. if ((hmac = HMAC_CTX_new()) == NULL)
  463. return 0;
  464. if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
  465. goto err;
  466. for (i = 1; i <= n; i++) {
  467. size_t copy_len;
  468. const unsigned char ctr = i;
  469. /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */
  470. if (i > 1) {
  471. if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL))
  472. goto err;
  473. if (!HMAC_Update(hmac, prev, dig_len))
  474. goto err;
  475. }
  476. if (!HMAC_Update(hmac, info, info_len))
  477. goto err;
  478. if (!HMAC_Update(hmac, &ctr, 1))
  479. goto err;
  480. if (!HMAC_Final(hmac, prev, NULL))
  481. goto err;
  482. copy_len = (done_len + dig_len > okm_len) ?
  483. okm_len - done_len :
  484. dig_len;
  485. memcpy(okm + done_len, prev, copy_len);
  486. done_len += copy_len;
  487. }
  488. ret = 1;
  489. err:
  490. OPENSSL_cleanse(prev, sizeof(prev));
  491. HMAC_CTX_free(hmac);
  492. return ret;
  493. }
  494. /*
  495. * TLS uses slight variations of the above and for FIPS validation purposes,
  496. * they need to be present here.
  497. * Refer to RFC 8446 section 7 for specific details.
  498. */
  499. /*
  500. * Given a |secret|; a |label| of length |labellen|; and |data| of length
  501. * |datalen| (e.g. typically a hash of the handshake messages), derive a new
  502. * secret |outlen| bytes long and store it in the location pointed to be |out|.
  503. * The |data| value may be zero length. Returns 1 on success and 0 on failure.
  504. */
  505. static int prov_tls13_hkdf_expand(const EVP_MD *md,
  506. const unsigned char *key, size_t keylen,
  507. const unsigned char *prefix, size_t prefixlen,
  508. const unsigned char *label, size_t labellen,
  509. const unsigned char *data, size_t datalen,
  510. unsigned char *out, size_t outlen)
  511. {
  512. size_t hkdflabellen;
  513. unsigned char hkdflabel[HKDF_MAXBUF];
  514. WPACKET pkt;
  515. /*
  516. * 2 bytes for length of derived secret + 1 byte for length of combined
  517. * prefix and label + bytes for the label itself + 1 byte length of hash
  518. * + bytes for the hash itself. We've got the maximum the KDF can handle
  519. * which should always be sufficient.
  520. */
  521. if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
  522. || !WPACKET_put_bytes_u16(&pkt, outlen)
  523. || !WPACKET_start_sub_packet_u8(&pkt)
  524. || !WPACKET_memcpy(&pkt, prefix, prefixlen)
  525. || !WPACKET_memcpy(&pkt, label, labellen)
  526. || !WPACKET_close(&pkt)
  527. || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
  528. || !WPACKET_get_total_written(&pkt, &hkdflabellen)
  529. || !WPACKET_finish(&pkt)) {
  530. WPACKET_cleanup(&pkt);
  531. return 0;
  532. }
  533. return HKDF_Expand(md, key, keylen, hkdflabel, hkdflabellen,
  534. out, outlen);
  535. }
  536. static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
  537. const EVP_MD *md,
  538. const unsigned char *prevsecret,
  539. size_t prevsecretlen,
  540. const unsigned char *insecret,
  541. size_t insecretlen,
  542. const unsigned char *prefix,
  543. size_t prefixlen,
  544. const unsigned char *label,
  545. size_t labellen,
  546. unsigned char *out, size_t outlen)
  547. {
  548. size_t mdlen;
  549. int ret;
  550. unsigned char preextractsec[EVP_MAX_MD_SIZE];
  551. /* Always filled with zeros */
  552. static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
  553. ret = EVP_MD_get_size(md);
  554. /* Ensure cast to size_t is safe */
  555. if (ret <= 0)
  556. return 0;
  557. mdlen = (size_t)ret;
  558. if (insecret == NULL) {
  559. insecret = default_zeros;
  560. insecretlen = mdlen;
  561. }
  562. if (prevsecret == NULL) {
  563. prevsecret = default_zeros;
  564. prevsecretlen = 0;
  565. } else {
  566. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  567. unsigned char hash[EVP_MAX_MD_SIZE];
  568. /* The pre-extract derive step uses a hash of no messages */
  569. if (mctx == NULL
  570. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  571. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  572. EVP_MD_CTX_free(mctx);
  573. return 0;
  574. }
  575. EVP_MD_CTX_free(mctx);
  576. /* Generate the pre-extract secret */
  577. if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen,
  578. prefix, prefixlen, label, labellen,
  579. hash, mdlen, preextractsec, mdlen))
  580. return 0;
  581. prevsecret = preextractsec;
  582. prevsecretlen = mdlen;
  583. }
  584. ret = HKDF_Extract(libctx, md, prevsecret, prevsecretlen,
  585. insecret, insecretlen, out, outlen);
  586. if (prevsecret == preextractsec)
  587. OPENSSL_cleanse(preextractsec, mdlen);
  588. return ret;
  589. }
  590. static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
  591. const OSSL_PARAM params[])
  592. {
  593. KDF_HKDF *ctx = (KDF_HKDF *)vctx;
  594. const EVP_MD *md;
  595. if (!ossl_prov_is_running() || !kdf_tls1_3_set_ctx_params(ctx, params))
  596. return 0;
  597. md = ossl_prov_digest_md(&ctx->digest);
  598. if (md == NULL) {
  599. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  600. return 0;
  601. }
  602. switch (ctx->mode) {
  603. default:
  604. return 0;
  605. case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
  606. return prov_tls13_hkdf_generate_secret(PROV_LIBCTX_OF(ctx->provctx),
  607. md,
  608. ctx->salt, ctx->salt_len,
  609. ctx->key, ctx->key_len,
  610. ctx->prefix, ctx->prefix_len,
  611. ctx->label, ctx->label_len,
  612. key, keylen);
  613. case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
  614. return prov_tls13_hkdf_expand(md, ctx->key, ctx->key_len,
  615. ctx->prefix, ctx->prefix_len,
  616. ctx->label, ctx->label_len,
  617. ctx->data, ctx->data_len,
  618. key, keylen);
  619. }
  620. }
  621. static int kdf_tls1_3_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  622. {
  623. const OSSL_PARAM *p;
  624. KDF_HKDF *ctx = vctx;
  625. if (params == NULL)
  626. return 1;
  627. if (!hkdf_common_set_ctx_params(ctx, params))
  628. return 0;
  629. if (ctx->mode == EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND) {
  630. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);
  631. return 0;
  632. }
  633. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PREFIX)) != NULL) {
  634. OPENSSL_free(ctx->prefix);
  635. ctx->prefix = NULL;
  636. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->prefix, 0,
  637. &ctx->prefix_len))
  638. return 0;
  639. }
  640. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_LABEL)) != NULL) {
  641. OPENSSL_free(ctx->label);
  642. ctx->label = NULL;
  643. if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->label, 0,
  644. &ctx->label_len))
  645. return 0;
  646. }
  647. OPENSSL_clear_free(ctx->data, ctx->data_len);
  648. ctx->data = NULL;
  649. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DATA)) != NULL
  650. && !OSSL_PARAM_get_octet_string(p, (void **)&ctx->data, 0,
  651. &ctx->data_len))
  652. return 0;
  653. return 1;
  654. }
  655. static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
  656. ossl_unused void *provctx)
  657. {
  658. static const OSSL_PARAM known_settable_ctx_params[] = {
  659. HKDF_COMMON_SETTABLES,
  660. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PREFIX, NULL, 0),
  661. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_LABEL, NULL, 0),
  662. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_DATA, NULL, 0),
  663. OSSL_PARAM_END
  664. };
  665. return known_settable_ctx_params;
  666. }
  667. const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
  668. { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
  669. { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
  670. { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
  671. { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
  672. { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive },
  673. { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
  674. (void(*)(void))kdf_tls1_3_settable_ctx_params },
  675. { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_tls1_3_set_ctx_params },
  676. { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
  677. (void(*)(void))kdf_hkdf_gettable_ctx_params },
  678. { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_hkdf_get_ctx_params },
  679. { 0, NULL }
  680. };