TLSTREE examples for Grasshopper

[openssl-gost/engine.git] / gost_keyexpimp.c

diff --git a/gost_keyexpimp.c b/gost_keyexpimp.c
index 4ef25c5203c0b2d3d6c58d98d06c69d3e461757d..62dd4ae063c7c865c0e430e367d5e6a8aba50e76 100644 (file)
--- a/gost_keyexpimp.c
+++ b/gost_keyexpimp.c
@@ -1,5 +1,7 @@
+#include <arpa/inet.h>
 #include <string.h>
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
 
 #include "gost_lcl.h"
 #include "e_gost_err.h"
@@ -10,10 +12,9 @@
  * */
 int gost_kexp15(const unsigned char *shared_key, const int shared_len,
                 int cipher_nid, const unsigned char *cipher_key,
-                const size_t cipher_key_len, int mac_nid,
-                unsigned char *mac_key, const size_t mac_key_len,
-                const unsigned char *iv, const size_t ivlen, unsigned char *out,
-                int *out_len)
+                int mac_nid, unsigned char *mac_key,
+                const unsigned char *iv, const size_t ivlen,
+                unsigned char *out, int *out_len)
 {
     unsigned char iv_full[16], mac_buf[16];
     unsigned int mac_len;
@@ -43,7 +44,7 @@ int gost_kexp15(const unsigned char *shared_key, const int shared_len,
     }
 
     if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
-        || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, mac_key_len, mac_key) <= 0
+        || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
         || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0
         || EVP_DigestUpdate(mac, iv, ivlen) <= 0
         || EVP_DigestUpdate(mac, shared_key, shared_len) <= 0
@@ -81,14 +82,19 @@ int gost_kexp15(const unsigned char *shared_key, const int shared_len,
     return ret;
 }
 
+/*
+ * Function expects that shared_key is a preallocated buffer
+ * with length defined as expkeylen - mac_len defined by mac_nid
+ * */
 int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
                 int cipher_nid, const unsigned char *cipher_key,
-                const size_t cipher_key_len, int mac_nid, char *mac_key,
-                const size_t mac_key_len, const char *iv, const size_t ivlen,
-                char *shared_key, size_t shared_len)
+                int mac_nid, unsigned char *mac_key,
+                const unsigned char *iv, const size_t ivlen,
+                unsigned char *shared_key)
 {
     unsigned char iv_full[16], out[48], mac_buf[16];
     unsigned int mac_len;
+    const size_t shared_len = 32;
 
     EVP_CIPHER_CTX *ciph = NULL;
     EVP_MD_CTX *mac = NULL;
@@ -108,6 +114,12 @@ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
     memset(iv_full, 0, 16);
     memcpy(iv_full, iv, ivlen);
 
+    ciph = EVP_CIPHER_CTX_new();
+    if (ciph == NULL) {
+        GOSTerr(GOST_F_GOST_KIMP15, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
     if (EVP_CipherInit_ex
         (ciph, EVP_get_cipherbynid(cipher_nid), NULL, NULL, NULL, 0) <= 0
         || EVP_CipherInit_ex(ciph, NULL, NULL, cipher_key, iv_full, 0) <= 0
@@ -118,8 +130,14 @@ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
     }
     /*Now we have shared key and mac in out[] */
 
+    mac = EVP_MD_CTX_new();
+    if (mac == NULL) {
+        GOSTerr(GOST_F_GOST_KIMP15, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
     if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
-        || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, mac_key_len, mac_key) <= 0
+        || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
         || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0
         || EVP_DigestUpdate(mac, iv, ivlen) <= 0
         || EVP_DigestUpdate(mac, out, shared_len) <= 0
@@ -144,13 +162,113 @@ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
     return ret;
 }
 
-/*
- * keyout expected to be 64 bytes
- * */
-int gost_keg(const unsigned char *seckey, const size_t seckey_len,
-             const EC_POINT *pub, const unsigned char *h, unsigned char *keyout)
+int gost_kdftree2012_256(unsigned char *keyout, size_t keyout_len,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *label, size_t label_len,
+                         const unsigned char *seed, size_t seed_len,
+                         const size_t representation)
 {
-    return 0;
+    int iters, i = 0;
+    unsigned char zero = 0;
+    unsigned char *ptr = keyout;
+    HMAC_CTX *ctx = NULL;
+    unsigned char *len_ptr = NULL;
+    uint32_t len_repr = htonl(keyout_len * 8);
+    size_t len_repr_len = 4;
+
+    ctx = HMAC_CTX_new();
+    if (ctx == NULL) {
+        GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+
+    if ((keyout_len == 0) || (keyout_len % 32 != 0)) {
+        GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+    iters = keyout_len / 32;
+
+    len_ptr = (unsigned char *)&len_repr;
+    while (*len_ptr == 0) {
+        len_ptr++;
+        len_repr_len--;
+    }
+
+    for (i = 1; i <= iters; i++) {
+        uint32_t iter_net = htonl(i);
+        unsigned char *rep_ptr =
+            ((unsigned char *)&iter_net) + (4 - representation);
+
+        if (HMAC_Init_ex(ctx, key, keylen,
+                         EVP_get_digestbynid(NID_id_GostR3411_2012_256),
+                         NULL) <= 0
+            || HMAC_Update(ctx, rep_ptr, representation) <= 0
+            || HMAC_Update(ctx, label, label_len) <= 0
+            || HMAC_Update(ctx, &zero, 1) <= 0
+            || HMAC_Update(ctx, seed, seed_len) <= 0
+            || HMAC_Update(ctx, len_ptr, len_repr_len) <= 0
+            || HMAC_Final(ctx, ptr, NULL) <= 0) {
+            GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_INTERNAL_ERROR);
+            HMAC_CTX_free(ctx);
+            return 0;
+        }
+
+        HMAC_CTX_reset(ctx);
+        ptr += 32;
+    }
+
+    HMAC_CTX_free(ctx);
+
+    return 1;
+}
+
+int gost_tlstree(int cipher_nid, const unsigned char *in, unsigned char *out,
+                 const unsigned char *tlsseq)
+{
+#ifndef L_ENDIAN
+    uint64_t gh_c1 = 0xFFFFFFFF00000000, gh_c2 = 0xFFFFFFFFFFF80000,
+        gh_c3 = 0xFFFFFFFFFFFFFFC0;
+    uint64_t mg_c1 = 0xFFFFFFC000000000, mg_c2 = 0xFFFFFFFFFE000000,
+        mg_c3 = 0xFFFFFFFFFFFFF000;
+#else
+    uint64_t gh_c1 = 0x00000000FFFFFFFF, gh_c2 = 0x0000F8FFFFFFFFFF,
+        gh_c3 = 0xC0FFFFFFFFFFFFFF;
+    uint64_t mg_c1 = 0x00000000C0FFFFFF, mg_c2 = 0x000000FEFFFFFFFF,
+        mg_c3 = 0x00F0FFFFFFFFFFFF;
+#endif
+    uint64_t c1, c2, c3;
+    uint64_t seed1, seed2, seed3;
+    uint64_t seq;
+    unsigned char ko1[32], ko2[32];
+
+    switch (cipher_nid) {
+    case NID_magma_cbc:
+        c1 = mg_c1;
+        c2 = mg_c2;
+        c3 = mg_c3;
+        break;
+    case NID_grasshopper_cbc:
+        c1 = gh_c1;
+        c2 = gh_c2;
+        c3 = gh_c3;
+        break;
+    default:
+        return 0;
+    }
+    memcpy(&seq, tlsseq, 8);
+    seed1 = seq & c1;
+    seed2 = seq & c2;
+    seed3 = seq & c3;
+
+    if (gost_kdftree2012_256(ko1, 32, in, 32, (const unsigned char *)"level1", 6,
+                         (const unsigned char *)&seed1, 8, 1) <= 0
+                         || gost_kdftree2012_256(ko2, 32, ko1, 32, (const unsigned char *)"level2", 6,
+                         (const unsigned char *)&seed2, 8, 1) <= 0
+        || gost_kdftree2012_256(out, 32, ko2, 32, (const unsigned char *)"level3", 6,
+                         (const unsigned char *)&seed3, 8, 1) <= 0)
+                       return 0;
+
+    return 1;
 }
 
 #ifdef ENABLE_UNIT_TESTS
@@ -173,7 +291,7 @@ static void hexdump(FILE *f, const char *title, const unsigned char *s, int l)
 
 int main(void)
 {
-    const unsigned char key[] = {
+    const unsigned char shared_key[] = {
         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
         0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
@@ -196,25 +314,62 @@ int main(void)
 
     const unsigned char magma_iv[] = { 0x67, 0xBE, 0xD6, 0x54 };
 
-    const unsigned char magma_export[] =
-        { 0xCF, 0xD5, 0xA1, 0x2D, 0x5B, 0x81, 0xB6, 0xE1, 0xE9, 0x9C, 0x91,
-        0x6D, 0x07, 0x90, 0x0C, 0x6A,
-        0xC1, 0x27, 0x03, 0xFB, 0x3A, 0xBD, 0xED, 0x55, 0x56, 0x7B, 0xF3, 0x74,
-        0x2C, 0x89, 0x9C, 0x75,
+    const unsigned char magma_export[] = {
+        0xCF, 0xD5, 0xA1, 0x2D, 0x5B, 0x81, 0xB6, 0xE1,
+        0xE9, 0x9C, 0x91, 0x6D, 0x07, 0x90, 0x0C, 0x6A,
+        0xC1, 0x27, 0x03, 0xFB, 0x3A, 0xBD, 0xED, 0x55,
+        0x56, 0x7B, 0xF3, 0x74, 0x2C, 0x89, 0x9C, 0x75,
         0x5D, 0xAF, 0xE7, 0xB4, 0x2E, 0x3A, 0x8B, 0xD9
     };
 
+    unsigned char kdftree_key[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+    };
+
+    unsigned char kdf_label[] = { 0x26, 0xBD, 0xB8, 0x78 };
+    unsigned char kdf_seed[] =
+        { 0xAF, 0x21, 0x43, 0x41, 0x45, 0x65, 0x63, 0x78 };
+    const unsigned char kdf_etalon[] = {
+        0x22, 0xB6, 0x83, 0x78, 0x45, 0xC6, 0xBE, 0xF6,
+        0x5E, 0xA7, 0x16, 0x72, 0xB2, 0x65, 0x83, 0x10,
+        0x86, 0xD3, 0xC7, 0x6A, 0xEB, 0xE6, 0xDA, 0xE9,
+        0x1C, 0xAD, 0x51, 0xD8, 0x3F, 0x79, 0xD1, 0x6B,
+        0x07, 0x4C, 0x93, 0x30, 0x59, 0x9D, 0x7F, 0x8D,
+        0x71, 0x2F, 0xCA, 0x54, 0x39, 0x2F, 0x4D, 0xDD,
+        0xE9, 0x37, 0x51, 0x20, 0x6B, 0x35, 0x84, 0xC8,
+        0xF4, 0x3F, 0x9E, 0x6D, 0xC5, 0x15, 0x31, 0xF9
+    };
+
+    const unsigned char tlstree_gh_etalon[] = {
+        0x50, 0x76, 0x42, 0xd9, 0x58, 0xc5, 0x20, 0xc6,
+        0xd7, 0xee, 0xf5, 0xca, 0x8a, 0x53, 0x16, 0xd4,
+        0xf3, 0x4b, 0x85, 0x5d, 0x2d, 0xd4, 0xbc, 0xbf,
+        0x4e, 0x5b, 0xf0, 0xff, 0x64, 0x1a, 0x19, 0xff,
+    };
+
     unsigned char buf[32 + 16];
     int ret = 0;
     int outlen = 40;
+    unsigned char kdf_result[64];
+
+    unsigned char kroot[32];
+    unsigned char tlsseq[8];
+    unsigned char out[32];
 
     OpenSSL_add_all_algorithms();
     memset(buf, 0, sizeof(buf));
 
-    ret = gost_kexp15(key, 32,
-                      NID_magma_ctr, magma_key, 32,
-                      NID_magma_mac, mac_magma_key, 32,
-                      magma_iv, 4, buf, &outlen);
+    memset(kroot, 0xFF, 32);
+    memset(tlsseq, 0, 8);
+    tlsseq[7] = 63;
+    memset(out, 0, 32);
+
+    ret = gost_kexp15(shared_key, 32,
+                      NID_magma_ctr, magma_key,
+                      NID_magma_mac, mac_magma_key, magma_iv, 4, buf, &outlen);
 
     if (ret <= 0)
         ERR_print_errors_fp(stderr);
@@ -225,6 +380,40 @@ int main(void)
         }
     }
 
+    ret = gost_kimp15(magma_export, 40,
+                      NID_magma_ctr, magma_key,
+                      NID_magma_mac, mac_magma_key, magma_iv, 4, buf);
+
+    if (ret <= 0)
+        ERR_print_errors_fp(stderr);
+    else {
+        hexdump(stdout, "Magma key import", buf, 32);
+        if (memcmp(buf, shared_key, 32) != 0) {
+            fprintf(stdout, "ERROR! test failed\n");
+        }
+    }
+
+    ret = gost_kdftree2012_256(kdf_result, 64, kdftree_key, 32, kdf_label, 4,
+                               kdf_seed, 8, 1);
+    if (ret <= 0)
+        ERR_print_errors_fp(stderr);
+    else {
+        hexdump(stdout, "KDF TREE", kdf_result, 64);
+        if (memcmp(kdf_result, kdf_etalon, 64) != 0) {
+            fprintf(stdout, "ERROR! test failed\n");
+        }
+    }
+
+    ret = gost_tlstree(NID_grasshopper_cbc, kroot, out, tlsseq);
+    if (ret <= 0)
+        ERR_print_errors_fp(stderr);
+    else {
+        hexdump(stdout, "Gost TLSTREE - grasshopper", out, 32);
+        if (memcmp(out, tlstree_gh_etalon, 32) != 0) {
+            fprintf(stdout, "ERROR! test failed\n");
+        }
+    }
+
     return 0;
 }