crypto/kdf/sshkdf.c

   1 /*
   2  * Copyright 2018-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdlib.h>
  11 #include <stdarg.h>
  12 #include <string.h>
  13 #include <openssl/evp.h>
  14 #include <openssl/kdf.h>
  15 #include "internal/cryptlib.h"
  16 #include "internal/evp_int.h"
  17 #include "kdf_local.h"
  18
  19 /* See RFC 4253, Section 7.2 */
  20
  21 static void kdf_sshkdf_reset(EVP_KDF_IMPL *impl);
  22 static int SSHKDF(const EVP_MD *evp_md,
  23                   const unsigned char *key, size_t key_len,
  24                   const unsigned char *xcghash, size_t xcghash_len,
  25                   const unsigned char *session_id, size_t session_id_len,
  26                   char type, unsigned char *okey, size_t okey_len);
  27
  28 struct evp_kdf_impl_st {
  29     const EVP_MD *md;
  30     unsigned char *key; /* K */
  31     size_t key_len;
  32     unsigned char *xcghash; /* H */
  33     size_t xcghash_len;
  34     char type; /* X */
  35     unsigned char *session_id;
  36     size_t session_id_len;
  37 };
  38
  39 static EVP_KDF_IMPL *kdf_sshkdf_new(void)
  40 {
  41     EVP_KDF_IMPL *impl;
  42
  43     if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
  44         KDFerr(KDF_F_KDF_SSHKDF_NEW, ERR_R_MALLOC_FAILURE);
  45     return impl;
  46 }
  47
  48 static void kdf_sshkdf_free(EVP_KDF_IMPL *impl)
  49 {
  50     kdf_sshkdf_reset(impl);
  51     OPENSSL_free(impl);
  52 }
  53
  54 static void kdf_sshkdf_reset(EVP_KDF_IMPL *impl)
  55 {
  56     OPENSSL_clear_free(impl->key, impl->key_len);
  57     OPENSSL_clear_free(impl->xcghash, impl->xcghash_len);
  58     OPENSSL_clear_free(impl->session_id, impl->session_id_len);
  59     memset(impl, 0, sizeof(*impl));
  60 }
  61
  62 static int kdf_sshkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len,
  63                                        va_list args)
  64 {
  65     const unsigned char *p;
  66     size_t len;
  67
  68     p = va_arg(args, const unsigned char *);
  69     len = va_arg(args, size_t);
  70     OPENSSL_clear_free(*dst, *dst_len);
  71     *dst = OPENSSL_memdup(p, len);
  72     if (*dst == NULL)
  73         return 0;
  74
  75     *dst_len = len;
  76     return 1;
  77 }
  78
  79 static int kdf_sshkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
  80 {
  81     int t;
  82
  83     switch (cmd) {
  84     case EVP_KDF_CTRL_SET_MD:
  85         impl->md = va_arg(args, const EVP_MD *);
  86         if (impl->md == NULL)
  87             return 0;
  88
  89         return 1;
  90
  91     case EVP_KDF_CTRL_SET_KEY:
  92         return kdf_sshkdf_parse_buffer_arg(&impl->key,
  93                                            &impl->key_len, args);
  94
  95     case EVP_KDF_CTRL_SET_SSHKDF_XCGHASH:
  96         return kdf_sshkdf_parse_buffer_arg(&impl->xcghash,
  97                                            &impl->xcghash_len, args);
  98
  99     case EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID:
 100         return kdf_sshkdf_parse_buffer_arg(&impl->session_id,
 101                                            &impl->session_id_len, args);
 102
 103     case EVP_KDF_CTRL_SET_SSHKDF_TYPE:
 104         t = va_arg(args, int);
 105         if (t < 65 || t > 70) {
 106             KDFerr(KDF_F_KDF_SSHKDF_CTRL, KDF_R_VALUE_ERROR);
 107             return 0;
 108         }
 109
 110         impl->type = (char)t;
 111         return 1;
 112
 113     default:
 114         return -2;
 115
 116     }
 117 }
 118
 119 static int kdf_sshkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
 120                                const char *value)
 121 {
 122     if (value == NULL) {
 123         KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING);
 124         return 0;
 125     }
 126
 127     if (strcmp(type, "md") == 0)
 128         return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
 129
 130     if (strcmp(type, "key") == 0)
 131         return kdf_str2ctrl(impl, kdf_sshkdf_ctrl,
 132                             EVP_KDF_CTRL_SET_KEY, value);
 133
 134     if (strcmp(type, "hexkey") == 0)
 135         return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl,
 136                             EVP_KDF_CTRL_SET_KEY, value);
 137
 138     if (strcmp(type, "xcghash") == 0)
 139         return kdf_str2ctrl(impl, kdf_sshkdf_ctrl,
 140                             EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, value);
 141
 142     if (strcmp(type, "hexxcghash") == 0)
 143         return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl,
 144                             EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, value);
 145
 146     if (strcmp(type, "session_id") == 0)
 147         return kdf_str2ctrl(impl, kdf_sshkdf_ctrl,
 148                             EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, value);
 149
 150     if (strcmp(type, "hexsession_id") == 0)
 151         return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl,
 152                             EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, value);
 153
 154     if (strcmp(type, "type") == 0) {
 155         if (strlen(value) != 1) {
 156             KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_ERROR);
 157             return 0;
 158         }
 159
 160         return call_ctrl(kdf_sshkdf_ctrl, impl, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
 161                          (int)value[0]);
 162     }
 163
 164     KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
 165     return -2;
 166 }
 167
 168 static size_t kdf_sshkdf_size(EVP_KDF_IMPL *impl)
 169 {
 170     return SIZE_MAX;
 171 }
 172
 173 static int kdf_sshkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
 174                              size_t keylen)
 175 {
 176     if (impl->md == NULL) {
 177         KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
 178         return 0;
 179     }
 180     if (impl->key == NULL) {
 181         KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_KEY);
 182         return 0;
 183     }
 184     if (impl->xcghash == NULL) {
 185         KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_XCGHASH);
 186         return 0;
 187     }
 188     if (impl->session_id == NULL) {
 189         KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_SESSION_ID);
 190         return 0;
 191     }
 192     if (impl->type == 0) {
 193         KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE);
 194         return 0;
 195     }
 196     return SSHKDF(impl->md, impl->key, impl->key_len,
 197                   impl->xcghash, impl->xcghash_len,
 198                   impl->session_id, impl->session_id_len,
 199                   impl->type, key, keylen);
 200 }
 201
 202 const EVP_KDF_METHOD sshkdf_kdf_meth = {
 203     EVP_KDF_SSHKDF,
 204     kdf_sshkdf_new,
 205     kdf_sshkdf_free,
 206     kdf_sshkdf_reset,
 207     kdf_sshkdf_ctrl,
 208     kdf_sshkdf_ctrl_str,
 209     kdf_sshkdf_size,
 210     kdf_sshkdf_derive,
 211 };
 212
 213 static int SSHKDF(const EVP_MD *evp_md,
 214                   const unsigned char *key, size_t key_len,
 215                   const unsigned char *xcghash, size_t xcghash_len,
 216                   const unsigned char *session_id, size_t session_id_len,
 217                   char type, unsigned char *okey, size_t okey_len)
 218 {
 219     EVP_MD_CTX *md = NULL;
 220     unsigned char digest[EVP_MAX_MD_SIZE];
 221     unsigned int dsize = 0;
 222     size_t cursize = 0;
 223     int ret = 0;
 224
 225     md = EVP_MD_CTX_new();
 226     if (md == NULL)
 227         return 0;
 228
 229     if (!EVP_DigestInit_ex(md, evp_md, NULL))
 230         goto out;
 231
 232     if (!EVP_DigestUpdate(md, key, key_len))
 233         goto out;
 234
 235     if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
 236         goto out;
 237
 238     if (!EVP_DigestUpdate(md, &type, 1))
 239         goto out;
 240
 241     if (!EVP_DigestUpdate(md, session_id, session_id_len))
 242         goto out;
 243
 244     if (!EVP_DigestFinal_ex(md, digest, &dsize))
 245         goto out;
 246
 247     if (okey_len < dsize) {
 248         memcpy(okey, digest, okey_len);
 249         ret = 1;
 250         goto out;
 251     }
 252
 253     memcpy(okey, digest, dsize);
 254
 255     for (cursize = dsize; cursize < okey_len; cursize += dsize) {
 256
 257         if (!EVP_DigestInit_ex(md, evp_md, NULL))
 258             goto out;
 259
 260         if (!EVP_DigestUpdate(md, key, key_len))
 261             goto out;
 262
 263         if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
 264             goto out;
 265
 266         if (!EVP_DigestUpdate(md, okey, cursize))
 267             goto out;
 268
 269         if (!EVP_DigestFinal_ex(md, digest, &dsize))
 270             goto out;
 271
 272         if (okey_len < cursize + dsize) {
 273             memcpy(okey + cursize, digest, okey_len - cursize);
 274             ret = 1;
 275             goto out;
 276         }
 277
 278         memcpy(okey + cursize, digest, dsize);
 279     }
 280
 281     ret = 1;
 282
 283 out:
 284     EVP_MD_CTX_free(md);
 285     OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE);
 286     return ret;
 287 }
 288