crypto_hkdf.c 6.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200
  1. /* Copyright (c) 2001, Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file crypto_hkdf.c
  8. * \brief Block of functions related with HKDF utilities and operations.
  9. **/
  10. #include "lib/crypt_ops/crypto_hkdf.h"
  11. #include "lib/crypt_ops/crypto_util.h"
  12. #include "lib/crypt_ops/crypto_digest.h"
  13. #include "lib/crypt_ops/crypto_openssl_mgt.h"
  14. #include "lib/intmath/cmp.h"
  15. #include "lib/log/util_bug.h"
  16. #ifdef ENABLE_OPENSSL
  17. #include <openssl/opensslv.h>
  18. #if defined(HAVE_ERR_LOAD_KDF_STRINGS)
  19. #include <openssl/kdf.h>
  20. #define HAVE_OPENSSL_HKDF 1
  21. #endif
  22. #endif
  23. #include <string.h>
  24. /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
  25. * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
  26. * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
  27. * H(K | [00]) | H(K | [01]) | ....
  28. *
  29. * This is the key expansion algorithm used in the "TAP" circuit extension
  30. * mechanism; it shouldn't be used for new protocols.
  31. *
  32. * Return 0 on success, -1 on failure.
  33. */
  34. int
  35. crypto_expand_key_material_TAP(const uint8_t *key_in, size_t key_in_len,
  36. uint8_t *key_out, size_t key_out_len)
  37. {
  38. int i, r = -1;
  39. uint8_t *cp, *tmp = tor_malloc(key_in_len+1);
  40. uint8_t digest[DIGEST_LEN];
  41. /* If we try to get more than this amount of key data, we'll repeat blocks.*/
  42. tor_assert(key_out_len <= DIGEST_LEN*256);
  43. memcpy(tmp, key_in, key_in_len);
  44. for (cp = key_out, i=0; cp < key_out+key_out_len;
  45. ++i, cp += DIGEST_LEN) {
  46. tmp[key_in_len] = i;
  47. if (crypto_digest((char*)digest, (const char *)tmp, key_in_len+1) < 0)
  48. goto exit;
  49. memcpy(cp, digest, MIN(DIGEST_LEN, key_out_len-(cp-key_out)));
  50. }
  51. r = 0;
  52. exit:
  53. memwipe(tmp, 0, key_in_len+1);
  54. tor_free(tmp);
  55. memwipe(digest, 0, sizeof(digest));
  56. return r;
  57. }
  58. #ifdef HAVE_OPENSSL_HKDF
  59. /**
  60. * Perform RFC5869 HKDF computation using OpenSSL (only to be called from
  61. * crypto_expand_key_material_rfc5869_sha256_openssl). Note that OpenSSL
  62. * requires input key to be nonempty and salt length to be equal or less
  63. * than 1024.
  64. */
  65. static int
  66. crypto_expand_key_material_rfc5869_sha256_openssl(
  67. const uint8_t *key_in, size_t key_in_len,
  68. const uint8_t *salt_in, size_t salt_in_len,
  69. const uint8_t *info_in, size_t info_in_len,
  70. uint8_t *key_out, size_t key_out_len)
  71. {
  72. int r;
  73. EVP_PKEY_CTX *evp_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
  74. tor_assert(evp_pkey_ctx);
  75. tor_assert(key_in_len != 0);
  76. tor_assert(salt_in_len <= 1024);
  77. r = EVP_PKEY_derive_init(evp_pkey_ctx);
  78. tor_assert(r == 1);
  79. r = EVP_PKEY_CTX_set_hkdf_md(evp_pkey_ctx, EVP_sha256());
  80. tor_assert(r == 1);
  81. r = EVP_PKEY_CTX_set1_hkdf_salt(evp_pkey_ctx, salt_in, (int)salt_in_len);
  82. tor_assert(r == 1);
  83. r = EVP_PKEY_CTX_set1_hkdf_key(evp_pkey_ctx, key_in, (int)key_in_len);
  84. tor_assert(r == 1);
  85. r = EVP_PKEY_CTX_add1_hkdf_info(evp_pkey_ctx, info_in, (int)info_in_len);
  86. tor_assert(r == 1);
  87. r = EVP_PKEY_derive(evp_pkey_ctx, key_out, &key_out_len);
  88. tor_assert(r == 1);
  89. EVP_PKEY_CTX_free(evp_pkey_ctx);
  90. return 0;
  91. }
  92. #else
  93. /**
  94. * Perform RFC5869 HKDF computation using our own legacy implementation.
  95. * Only to be called from crypto_expand_key_material_rfc5869_sha256_openssl.
  96. */
  97. static int
  98. crypto_expand_key_material_rfc5869_sha256_legacy(
  99. const uint8_t *key_in, size_t key_in_len,
  100. const uint8_t *salt_in, size_t salt_in_len,
  101. const uint8_t *info_in, size_t info_in_len,
  102. uint8_t *key_out, size_t key_out_len)
  103. {
  104. uint8_t prk[DIGEST256_LEN];
  105. uint8_t tmp[DIGEST256_LEN + 128 + 1];
  106. uint8_t mac[DIGEST256_LEN];
  107. int i;
  108. uint8_t *outp;
  109. size_t tmp_len;
  110. crypto_hmac_sha256((char*)prk,
  111. (const char*)salt_in, salt_in_len,
  112. (const char*)key_in, key_in_len);
  113. /* If we try to get more than this amount of key data, we'll repeat blocks.*/
  114. tor_assert(key_out_len <= DIGEST256_LEN * 256);
  115. tor_assert(info_in_len <= 128);
  116. memset(tmp, 0, sizeof(tmp));
  117. outp = key_out;
  118. i = 1;
  119. while (key_out_len) {
  120. size_t n;
  121. if (i > 1) {
  122. memcpy(tmp, mac, DIGEST256_LEN);
  123. memcpy(tmp+DIGEST256_LEN, info_in, info_in_len);
  124. tmp[DIGEST256_LEN+info_in_len] = i;
  125. tmp_len = DIGEST256_LEN + info_in_len + 1;
  126. } else {
  127. memcpy(tmp, info_in, info_in_len);
  128. tmp[info_in_len] = i;
  129. tmp_len = info_in_len + 1;
  130. }
  131. crypto_hmac_sha256((char*)mac,
  132. (const char*)prk, DIGEST256_LEN,
  133. (const char*)tmp, tmp_len);
  134. n = key_out_len < DIGEST256_LEN ? key_out_len : DIGEST256_LEN;
  135. memcpy(outp, mac, n);
  136. key_out_len -= n;
  137. outp += n;
  138. ++i;
  139. }
  140. memwipe(tmp, 0, sizeof(tmp));
  141. memwipe(mac, 0, sizeof(mac));
  142. return 0;
  143. }
  144. #endif
  145. /** Expand some secret key material according to RFC5869, using SHA256 as the
  146. * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the
  147. * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the
  148. * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt"
  149. * and "info" parameters respectively. On success, write <b>key_out_len</b>
  150. * bytes to <b>key_out</b> and return 0. Assert on failure.
  151. */
  152. int
  153. crypto_expand_key_material_rfc5869_sha256(
  154. const uint8_t *key_in, size_t key_in_len,
  155. const uint8_t *salt_in, size_t salt_in_len,
  156. const uint8_t *info_in, size_t info_in_len,
  157. uint8_t *key_out, size_t key_out_len)
  158. {
  159. tor_assert(key_in);
  160. tor_assert(key_in_len > 0);
  161. #ifdef HAVE_OPENSSL_HKDF
  162. return crypto_expand_key_material_rfc5869_sha256_openssl(key_in,
  163. key_in_len, salt_in,
  164. salt_in_len, info_in,
  165. info_in_len,
  166. key_out, key_out_len);
  167. #else
  168. return crypto_expand_key_material_rfc5869_sha256_legacy(key_in,
  169. key_in_len, salt_in,
  170. salt_in_len, info_in,
  171. info_in_len,
  172. key_out, key_out_len);
  173. #endif
  174. }