sshkdf.c 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328
  1. /*
  2. * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <stdarg.h>
  11. #include <string.h>
  12. #include <openssl/evp.h>
  13. #include <openssl/kdf.h>
  14. #include <openssl/core_names.h>
  15. #include <openssl/proverr.h>
  16. #include "internal/cryptlib.h"
  17. #include "internal/numbers.h"
  18. #include "crypto/evp.h"
  19. #include "prov/provider_ctx.h"
  20. #include "prov/providercommon.h"
  21. #include "prov/implementations.h"
  22. #include "prov/provider_util.h"
  23. /* See RFC 4253, Section 7.2 */
  24. static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
  25. static OSSL_FUNC_kdf_dupctx_fn kdf_sshkdf_dup;
  26. static OSSL_FUNC_kdf_freectx_fn kdf_sshkdf_free;
  27. static OSSL_FUNC_kdf_reset_fn kdf_sshkdf_reset;
  28. static OSSL_FUNC_kdf_derive_fn kdf_sshkdf_derive;
  29. static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_sshkdf_settable_ctx_params;
  30. static OSSL_FUNC_kdf_set_ctx_params_fn kdf_sshkdf_set_ctx_params;
  31. static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_sshkdf_gettable_ctx_params;
  32. static OSSL_FUNC_kdf_get_ctx_params_fn kdf_sshkdf_get_ctx_params;
  33. static int SSHKDF(const EVP_MD *evp_md,
  34. const unsigned char *key, size_t key_len,
  35. const unsigned char *xcghash, size_t xcghash_len,
  36. const unsigned char *session_id, size_t session_id_len,
  37. char type, unsigned char *okey, size_t okey_len);
  38. typedef struct {
  39. void *provctx;
  40. PROV_DIGEST digest;
  41. unsigned char *key; /* K */
  42. size_t key_len;
  43. unsigned char *xcghash; /* H */
  44. size_t xcghash_len;
  45. char type; /* X */
  46. unsigned char *session_id;
  47. size_t session_id_len;
  48. } KDF_SSHKDF;
  49. static void *kdf_sshkdf_new(void *provctx)
  50. {
  51. KDF_SSHKDF *ctx;
  52. if (!ossl_prov_is_running())
  53. return NULL;
  54. if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
  55. ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
  56. else
  57. ctx->provctx = provctx;
  58. return ctx;
  59. }
  60. static void kdf_sshkdf_free(void *vctx)
  61. {
  62. KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
  63. if (ctx != NULL) {
  64. kdf_sshkdf_reset(ctx);
  65. OPENSSL_free(ctx);
  66. }
  67. }
  68. static void kdf_sshkdf_reset(void *vctx)
  69. {
  70. KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
  71. void *provctx = ctx->provctx;
  72. ossl_prov_digest_reset(&ctx->digest);
  73. OPENSSL_clear_free(ctx->key, ctx->key_len);
  74. OPENSSL_clear_free(ctx->xcghash, ctx->xcghash_len);
  75. OPENSSL_clear_free(ctx->session_id, ctx->session_id_len);
  76. memset(ctx, 0, sizeof(*ctx));
  77. ctx->provctx = provctx;
  78. }
  79. static void *kdf_sshkdf_dup(void *vctx)
  80. {
  81. const KDF_SSHKDF *src = (const KDF_SSHKDF *)vctx;
  82. KDF_SSHKDF *dest;
  83. dest = kdf_sshkdf_new(src->provctx);
  84. if (dest != NULL) {
  85. if (!ossl_prov_memdup(src->key, src->key_len,
  86. &dest->key, &dest->key_len)
  87. || !ossl_prov_memdup(src->xcghash, src->xcghash_len,
  88. &dest->xcghash , &dest->xcghash_len)
  89. || !ossl_prov_memdup(src->session_id, src->session_id_len,
  90. &dest->session_id , &dest->session_id_len)
  91. || !ossl_prov_digest_copy(&dest->digest, &src->digest))
  92. goto err;
  93. dest->type = src->type;
  94. }
  95. return dest;
  96. err:
  97. kdf_sshkdf_free(dest);
  98. return NULL;
  99. }
  100. static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len,
  101. const OSSL_PARAM *p)
  102. {
  103. OPENSSL_clear_free(*dst, *dst_len);
  104. *dst = NULL;
  105. *dst_len = 0;
  106. return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
  107. }
  108. static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
  109. const OSSL_PARAM params[])
  110. {
  111. KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
  112. const EVP_MD *md;
  113. if (!ossl_prov_is_running() || !kdf_sshkdf_set_ctx_params(ctx, params))
  114. return 0;
  115. md = ossl_prov_digest_md(&ctx->digest);
  116. if (md == NULL) {
  117. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
  118. return 0;
  119. }
  120. if (ctx->key == NULL) {
  121. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
  122. return 0;
  123. }
  124. if (ctx->xcghash == NULL) {
  125. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_XCGHASH);
  126. return 0;
  127. }
  128. if (ctx->session_id == NULL) {
  129. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SESSION_ID);
  130. return 0;
  131. }
  132. if (ctx->type == 0) {
  133. ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
  134. return 0;
  135. }
  136. return SSHKDF(md, ctx->key, ctx->key_len,
  137. ctx->xcghash, ctx->xcghash_len,
  138. ctx->session_id, ctx->session_id_len,
  139. ctx->type, key, keylen);
  140. }
  141. static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
  142. {
  143. const OSSL_PARAM *p;
  144. KDF_SSHKDF *ctx = vctx;
  145. OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
  146. if (params == NULL)
  147. return 1;
  148. if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
  149. return 0;
  150. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
  151. if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p))
  152. return 0;
  153. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_XCGHASH))
  154. != NULL)
  155. if (!sshkdf_set_membuf(&ctx->xcghash, &ctx->xcghash_len, p))
  156. return 0;
  157. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_SESSION_ID))
  158. != NULL)
  159. if (!sshkdf_set_membuf(&ctx->session_id, &ctx->session_id_len, p))
  160. return 0;
  161. if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SSHKDF_TYPE))
  162. != NULL) {
  163. const char *kdftype;
  164. if (!OSSL_PARAM_get_utf8_string_ptr(p, &kdftype))
  165. return 0;
  166. /* Expect one character (byte in this case) */
  167. if (kdftype == NULL || p->data_size != 1)
  168. return 0;
  169. if (kdftype[0] < 65 || kdftype[0] > 70) {
  170. ERR_raise(ERR_LIB_PROV, PROV_R_VALUE_ERROR);
  171. return 0;
  172. }
  173. ctx->type = kdftype[0];
  174. }
  175. return 1;
  176. }
  177. static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
  178. ossl_unused void *p_ctx)
  179. {
  180. static const OSSL_PARAM known_settable_ctx_params[] = {
  181. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
  182. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
  183. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
  184. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, NULL, 0),
  185. OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, NULL, 0),
  186. OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, NULL, 0),
  187. OSSL_PARAM_END
  188. };
  189. return known_settable_ctx_params;
  190. }
  191. static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
  192. {
  193. OSSL_PARAM *p;
  194. if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
  195. return OSSL_PARAM_set_size_t(p, SIZE_MAX);
  196. return -2;
  197. }
  198. static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
  199. ossl_unused void *p_ctx)
  200. {
  201. static const OSSL_PARAM known_gettable_ctx_params[] = {
  202. OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
  203. OSSL_PARAM_END
  204. };
  205. return known_gettable_ctx_params;
  206. }
  207. const OSSL_DISPATCH ossl_kdf_sshkdf_functions[] = {
  208. { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_sshkdf_new },
  209. { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_sshkdf_dup },
  210. { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_sshkdf_free },
  211. { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_sshkdf_reset },
  212. { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_sshkdf_derive },
  213. { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
  214. (void(*)(void))kdf_sshkdf_settable_ctx_params },
  215. { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_set_ctx_params },
  216. { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
  217. (void(*)(void))kdf_sshkdf_gettable_ctx_params },
  218. { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_sshkdf_get_ctx_params },
  219. { 0, NULL }
  220. };
  221. static int SSHKDF(const EVP_MD *evp_md,
  222. const unsigned char *key, size_t key_len,
  223. const unsigned char *xcghash, size_t xcghash_len,
  224. const unsigned char *session_id, size_t session_id_len,
  225. char type, unsigned char *okey, size_t okey_len)
  226. {
  227. EVP_MD_CTX *md = NULL;
  228. unsigned char digest[EVP_MAX_MD_SIZE];
  229. unsigned int dsize = 0;
  230. size_t cursize = 0;
  231. int ret = 0;
  232. md = EVP_MD_CTX_new();
  233. if (md == NULL)
  234. return 0;
  235. if (!EVP_DigestInit_ex(md, evp_md, NULL))
  236. goto out;
  237. if (!EVP_DigestUpdate(md, key, key_len))
  238. goto out;
  239. if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
  240. goto out;
  241. if (!EVP_DigestUpdate(md, &type, 1))
  242. goto out;
  243. if (!EVP_DigestUpdate(md, session_id, session_id_len))
  244. goto out;
  245. if (!EVP_DigestFinal_ex(md, digest, &dsize))
  246. goto out;
  247. if (okey_len < dsize) {
  248. memcpy(okey, digest, okey_len);
  249. ret = 1;
  250. goto out;
  251. }
  252. memcpy(okey, digest, dsize);
  253. for (cursize = dsize; cursize < okey_len; cursize += dsize) {
  254. if (!EVP_DigestInit_ex(md, evp_md, NULL))
  255. goto out;
  256. if (!EVP_DigestUpdate(md, key, key_len))
  257. goto out;
  258. if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
  259. goto out;
  260. if (!EVP_DigestUpdate(md, okey, cursize))
  261. goto out;
  262. if (!EVP_DigestFinal_ex(md, digest, &dsize))
  263. goto out;
  264. if (okey_len < cursize + dsize) {
  265. memcpy(okey + cursize, digest, okey_len - cursize);
  266. ret = 1;
  267. goto out;
  268. }
  269. memcpy(okey + cursize, digest, dsize);
  270. }
  271. ret = 1;
  272. out:
  273. EVP_MD_CTX_free(md);
  274. OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE);
  275. return ret;
  276. }