• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include "e_os.h"
11 
12 #ifndef OPENSSL_NO_CMS
13 #include <string.h>
14 #include <openssl/dh.h>
15 #include <openssl/evp.h>
16 #include <openssl/asn1.h>
17 #include <openssl/cms.h>
18 
19 
20 /* Key derivation from X9.42/RFC2631 */
21 /* Uses CMS functions, hence the #ifdef wrapper. */
22 
23 #define DH_KDF_MAX      (1L << 30)
24 
25 /* Skip past an ASN1 structure: for OBJECT skip content octets too */
26 
skip_asn1(unsigned char ** pp,long * plen,int exptag)27 static int skip_asn1(unsigned char **pp, long *plen, int exptag)
28 {
29     const unsigned char *q = *pp;
30     int i, tag, xclass;
31     long tmplen;
32     i = ASN1_get_object(&q, &tmplen, &tag, &xclass, *plen);
33     if (i & 0x80)
34         return 0;
35     if (tag != exptag || xclass != V_ASN1_UNIVERSAL)
36         return 0;
37     if (tag == V_ASN1_OBJECT)
38         q += tmplen;
39     *plen -= q - *pp;
40     *pp = (unsigned char *)q;
41     return 1;
42 }
43 
44 /*
45  * Encode the DH shared info structure, return an offset to the counter value
46  * so we can update the structure without reencoding it.
47  */
48 
dh_sharedinfo_encode(unsigned char ** pder,unsigned char ** pctr,ASN1_OBJECT * key_oid,size_t outlen,const unsigned char * ukm,size_t ukmlen)49 static int dh_sharedinfo_encode(unsigned char **pder, unsigned char **pctr,
50                                 ASN1_OBJECT *key_oid, size_t outlen,
51                                 const unsigned char *ukm, size_t ukmlen)
52 {
53     unsigned char *p;
54     int derlen;
55     long tlen;
56     /* "magic" value to check offset is sane */
57     static unsigned char ctr[4] = { 0xF3, 0x17, 0x22, 0x53 };
58     X509_ALGOR atmp;
59     ASN1_OCTET_STRING ctr_oct, ukm_oct, *pukm_oct;
60     ASN1_TYPE ctr_atype;
61     if (ukmlen > DH_KDF_MAX || outlen > DH_KDF_MAX)
62         return 0;
63     ctr_oct.data = ctr;
64     ctr_oct.length = 4;
65     ctr_oct.flags = 0;
66     ctr_oct.type = V_ASN1_OCTET_STRING;
67     ctr_atype.type = V_ASN1_OCTET_STRING;
68     ctr_atype.value.octet_string = &ctr_oct;
69     atmp.algorithm = key_oid;
70     atmp.parameter = &ctr_atype;
71     if (ukm) {
72         ukm_oct.type = V_ASN1_OCTET_STRING;
73         ukm_oct.flags = 0;
74         ukm_oct.data = (unsigned char *)ukm;
75         ukm_oct.length = ukmlen;
76         pukm_oct = &ukm_oct;
77     } else
78         pukm_oct = NULL;
79     derlen = CMS_SharedInfo_encode(pder, &atmp, pukm_oct, outlen);
80     if (derlen <= 0)
81         return 0;
82     p = *pder;
83     tlen = derlen;
84     if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE))
85         return 0;
86     if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE))
87         return 0;
88     if (!skip_asn1(&p, &tlen, V_ASN1_OBJECT))
89         return 0;
90     if (!skip_asn1(&p, &tlen, V_ASN1_OCTET_STRING))
91         return 0;
92     if (CRYPTO_memcmp(p, ctr, 4))
93         return 0;
94     *pctr = p;
95     return derlen;
96 }
97 
DH_KDF_X9_42(unsigned char * out,size_t outlen,const unsigned char * Z,size_t Zlen,ASN1_OBJECT * key_oid,const unsigned char * ukm,size_t ukmlen,const EVP_MD * md)98 int DH_KDF_X9_42(unsigned char *out, size_t outlen,
99                  const unsigned char *Z, size_t Zlen,
100                  ASN1_OBJECT *key_oid,
101                  const unsigned char *ukm, size_t ukmlen, const EVP_MD *md)
102 {
103     EVP_MD_CTX *mctx = NULL;
104     int rv = 0;
105     unsigned int i;
106     size_t mdlen;
107     unsigned char *der = NULL, *ctr;
108     int derlen;
109     if (Zlen > DH_KDF_MAX)
110         return 0;
111     mctx = EVP_MD_CTX_new();
112     if (mctx == NULL)
113         return 0;
114     mdlen = EVP_MD_size(md);
115     derlen = dh_sharedinfo_encode(&der, &ctr, key_oid, outlen, ukm, ukmlen);
116     if (derlen == 0)
117         goto err;
118     for (i = 1;; i++) {
119         unsigned char mtmp[EVP_MAX_MD_SIZE];
120         if (!EVP_DigestInit_ex(mctx, md, NULL)
121             || !EVP_DigestUpdate(mctx, Z, Zlen))
122             goto err;
123         ctr[3] = i & 0xFF;
124         ctr[2] = (i >> 8) & 0xFF;
125         ctr[1] = (i >> 16) & 0xFF;
126         ctr[0] = (i >> 24) & 0xFF;
127         if (!EVP_DigestUpdate(mctx, der, derlen))
128             goto err;
129         if (outlen >= mdlen) {
130             if (!EVP_DigestFinal(mctx, out, NULL))
131                 goto err;
132             outlen -= mdlen;
133             if (outlen == 0)
134                 break;
135             out += mdlen;
136         } else {
137             if (!EVP_DigestFinal(mctx, mtmp, NULL))
138                 goto err;
139             memcpy(out, mtmp, outlen);
140             OPENSSL_cleanse(mtmp, mdlen);
141             break;
142         }
143     }
144     rv = 1;
145  err:
146     OPENSSL_free(der);
147     EVP_MD_CTX_free(mctx);
148     return rv;
149 }
150 #endif
151