1/* crypto/dh/dh_kdf.c */ 2/* 3 * Written by Stephen Henson for the OpenSSL project. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * openssl-core@openssl.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 */ 53 54#include <string.h> 55#include <openssl/dh.h> 56#include <openssl/evp.h> 57#include <openssl/asn1.h> 58#include <openssl/cms.h> 59 60/* Key derivation from X9.42/RFC2631 */ 61 62#define DH_KDF_MAX (1L << 30) 63 64/* Skip past an ASN1 structure: for OBJECT skip content octets too */ 65 66static int skip_asn1(unsigned char **pp, long *plen, int exptag) 67{ 68 const unsigned char *q = *pp; 69 int i, tag, xclass; 70 long tmplen; 71 i = ASN1_get_object(&q, &tmplen, &tag, &xclass, *plen); 72 if (i & 0x80) 73 return 0; 74 if (tag != exptag || xclass != V_ASN1_UNIVERSAL) 75 return 0; 76 if (tag == V_ASN1_OBJECT) 77 q += tmplen; 78 *plen -= q - *pp; 79 *pp = (unsigned char *)q; 80 return 1; 81} 82 83/* 84 * Encode the DH shared info structure, return an offset to the counter value 85 * so we can update the structure without reencoding it. 86 */ 87 88static int dh_sharedinfo_encode(unsigned char **pder, unsigned char **pctr, 89 ASN1_OBJECT *key_oid, size_t outlen, 90 const unsigned char *ukm, size_t ukmlen) 91{ 92 unsigned char *p; 93 int derlen; 94 long tlen; 95 /* "magic" value to check offset is sane */ 96 static unsigned char ctr[4] = { 0xF3, 0x17, 0x22, 0x53 }; 97 X509_ALGOR atmp; 98 ASN1_OCTET_STRING ctr_oct, ukm_oct, *pukm_oct; 99 ASN1_TYPE ctr_atype; 100 if (ukmlen > DH_KDF_MAX || outlen > DH_KDF_MAX) 101 return 0; 102 ctr_oct.data = ctr; 103 ctr_oct.length = 4; 104 ctr_oct.flags = 0; 105 ctr_oct.type = V_ASN1_OCTET_STRING; 106 ctr_atype.type = V_ASN1_OCTET_STRING; 107 ctr_atype.value.octet_string = &ctr_oct; 108 atmp.algorithm = key_oid; 109 atmp.parameter = &ctr_atype; 110 if (ukm) { 111 ukm_oct.type = V_ASN1_OCTET_STRING; 112 ukm_oct.flags = 0; 113 ukm_oct.data = (unsigned char *)ukm; 114 ukm_oct.length = ukmlen; 115 pukm_oct = &ukm_oct; 116 } else 117 pukm_oct = NULL; 118 derlen = CMS_SharedInfo_encode(pder, &atmp, pukm_oct, outlen); 119 if (derlen <= 0) 120 return 0; 121 p = *pder; 122 tlen = derlen; 123 if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE)) 124 return 0; 125 if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE)) 126 return 0; 127 if (!skip_asn1(&p, &tlen, V_ASN1_OBJECT)) 128 return 0; 129 if (!skip_asn1(&p, &tlen, V_ASN1_OCTET_STRING)) 130 return 0; 131 if (CRYPTO_memcmp(p, ctr, 4)) 132 return 0; 133 *pctr = p; 134 return derlen; 135} 136 137int DH_KDF_X9_42(unsigned char *out, size_t outlen, 138 const unsigned char *Z, size_t Zlen, 139 ASN1_OBJECT *key_oid, 140 const unsigned char *ukm, size_t ukmlen, const EVP_MD *md) 141{ 142 EVP_MD_CTX mctx; 143 int rv = 0; 144 unsigned int i; 145 size_t mdlen; 146 unsigned char *der = NULL, *ctr; 147 int derlen; 148 if (Zlen > DH_KDF_MAX) 149 return 0; 150 mdlen = EVP_MD_size(md); 151 EVP_MD_CTX_init(&mctx); 152 derlen = dh_sharedinfo_encode(&der, &ctr, key_oid, outlen, ukm, ukmlen); 153 if (derlen == 0) 154 goto err; 155 for (i = 1;; i++) { 156 unsigned char mtmp[EVP_MAX_MD_SIZE]; 157 EVP_DigestInit_ex(&mctx, md, NULL); 158 if (!EVP_DigestUpdate(&mctx, Z, Zlen)) 159 goto err; 160 ctr[3] = i & 0xFF; 161 ctr[2] = (i >> 8) & 0xFF; 162 ctr[1] = (i >> 16) & 0xFF; 163 ctr[0] = (i >> 24) & 0xFF; 164 if (!EVP_DigestUpdate(&mctx, der, derlen)) 165 goto err; 166 if (outlen >= mdlen) { 167 if (!EVP_DigestFinal(&mctx, out, NULL)) 168 goto err; 169 outlen -= mdlen; 170 if (outlen == 0) 171 break; 172 out += mdlen; 173 } else { 174 if (!EVP_DigestFinal(&mctx, mtmp, NULL)) 175 goto err; 176 memcpy(out, mtmp, outlen); 177 OPENSSL_cleanse(mtmp, mdlen); 178 break; 179 } 180 } 181 rv = 1; 182 err: 183 if (der) 184 OPENSSL_free(der); 185 EVP_MD_CTX_cleanup(&mctx); 186 return rv; 187} 188