dh_kdf.c revision 325337
1/* crypto/dh/dh_kdf.c */ 2/* 3 * Written by Stephen Henson for the OpenSSL project. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * openssl-core@openssl.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 */ 53 54#include <e_os.h> 55 56#ifndef OPENSSL_NO_CMS 57#include <string.h> 58#include <openssl/dh.h> 59#include <openssl/evp.h> 60#include <openssl/asn1.h> 61#include <openssl/cms.h> 62 63/* Key derivation from X9.42/RFC2631 */ 64 65#define DH_KDF_MAX (1L << 30) 66 67/* Skip past an ASN1 structure: for OBJECT skip content octets too */ 68 69static int skip_asn1(unsigned char **pp, long *plen, int exptag) 70{ 71 const unsigned char *q = *pp; 72 int i, tag, xclass; 73 long tmplen; 74 i = ASN1_get_object(&q, &tmplen, &tag, &xclass, *plen); 75 if (i & 0x80) 76 return 0; 77 if (tag != exptag || xclass != V_ASN1_UNIVERSAL) 78 return 0; 79 if (tag == V_ASN1_OBJECT) 80 q += tmplen; 81 *plen -= q - *pp; 82 *pp = (unsigned char *)q; 83 return 1; 84} 85 86/* 87 * Encode the DH shared info structure, return an offset to the counter value 88 * so we can update the structure without reencoding it. 89 */ 90 91static int dh_sharedinfo_encode(unsigned char **pder, unsigned char **pctr, 92 ASN1_OBJECT *key_oid, size_t outlen, 93 const unsigned char *ukm, size_t ukmlen) 94{ 95 unsigned char *p; 96 int derlen; 97 long tlen; 98 /* "magic" value to check offset is sane */ 99 static unsigned char ctr[4] = { 0xF3, 0x17, 0x22, 0x53 }; 100 X509_ALGOR atmp; 101 ASN1_OCTET_STRING ctr_oct, ukm_oct, *pukm_oct; 102 ASN1_TYPE ctr_atype; 103 if (ukmlen > DH_KDF_MAX || outlen > DH_KDF_MAX) 104 return 0; 105 ctr_oct.data = ctr; 106 ctr_oct.length = 4; 107 ctr_oct.flags = 0; 108 ctr_oct.type = V_ASN1_OCTET_STRING; 109 ctr_atype.type = V_ASN1_OCTET_STRING; 110 ctr_atype.value.octet_string = &ctr_oct; 111 atmp.algorithm = key_oid; 112 atmp.parameter = &ctr_atype; 113 if (ukm) { 114 ukm_oct.type = V_ASN1_OCTET_STRING; 115 ukm_oct.flags = 0; 116 ukm_oct.data = (unsigned char *)ukm; 117 ukm_oct.length = ukmlen; 118 pukm_oct = &ukm_oct; 119 } else 120 pukm_oct = NULL; 121 derlen = CMS_SharedInfo_encode(pder, &atmp, pukm_oct, outlen); 122 if (derlen <= 0) 123 return 0; 124 p = *pder; 125 tlen = derlen; 126 if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE)) 127 return 0; 128 if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE)) 129 return 0; 130 if (!skip_asn1(&p, &tlen, V_ASN1_OBJECT)) 131 return 0; 132 if (!skip_asn1(&p, &tlen, V_ASN1_OCTET_STRING)) 133 return 0; 134 if (CRYPTO_memcmp(p, ctr, 4)) 135 return 0; 136 *pctr = p; 137 return derlen; 138} 139 140int DH_KDF_X9_42(unsigned char *out, size_t outlen, 141 const unsigned char *Z, size_t Zlen, 142 ASN1_OBJECT *key_oid, 143 const unsigned char *ukm, size_t ukmlen, const EVP_MD *md) 144{ 145 EVP_MD_CTX mctx; 146 int rv = 0; 147 unsigned int i; 148 size_t mdlen; 149 unsigned char *der = NULL, *ctr; 150 int derlen; 151 if (Zlen > DH_KDF_MAX) 152 return 0; 153 mdlen = EVP_MD_size(md); 154 EVP_MD_CTX_init(&mctx); 155 derlen = dh_sharedinfo_encode(&der, &ctr, key_oid, outlen, ukm, ukmlen); 156 if (derlen == 0) 157 goto err; 158 for (i = 1;; i++) { 159 unsigned char mtmp[EVP_MAX_MD_SIZE]; 160 EVP_DigestInit_ex(&mctx, md, NULL); 161 if (!EVP_DigestUpdate(&mctx, Z, Zlen)) 162 goto err; 163 ctr[3] = i & 0xFF; 164 ctr[2] = (i >> 8) & 0xFF; 165 ctr[1] = (i >> 16) & 0xFF; 166 ctr[0] = (i >> 24) & 0xFF; 167 if (!EVP_DigestUpdate(&mctx, der, derlen)) 168 goto err; 169 if (outlen >= mdlen) { 170 if (!EVP_DigestFinal(&mctx, out, NULL)) 171 goto err; 172 outlen -= mdlen; 173 if (outlen == 0) 174 break; 175 out += mdlen; 176 } else { 177 if (!EVP_DigestFinal(&mctx, mtmp, NULL)) 178 goto err; 179 memcpy(out, mtmp, outlen); 180 OPENSSL_cleanse(mtmp, mdlen); 181 break; 182 } 183 } 184 rv = 1; 185 err: 186 if (der) 187 OPENSSL_free(der); 188 EVP_MD_CTX_cleanup(&mctx); 189 return rv; 190} 191#endif 192