X-Git-Url: http://www.wagner.pp.ru/gitweb/?a=blobdiff_plain;f=gost_keyexpimp.c;h=481d5b5c67853bc5aa8988f5a28b4c7062fa163c;hb=HEAD;hp=bfdefbcaf515f2df9aa09d4100f1470ec69d0a63;hpb=3b27d50d79a9e7bdf3a98910c951c323ce41d6d5;p=openssl-gost%2Fengine.git diff --git a/gost_keyexpimp.c b/gost_keyexpimp.c index bfdefbc..481d5b5 100644 --- a/gost_keyexpimp.c +++ b/gost_keyexpimp.c @@ -1,11 +1,32 @@ -#include +/* + * Copyright (c) 2019 Dmitry Belyavskiy + * Copyright (c) 2020 Vitaly Chikunov + * + * Contents licensed under the terms of the OpenSSL license + * See https://www.openssl.org/source/license.html for details + */ + #include #include #include +#include #include "gost_lcl.h" #include "e_gost_err.h" +static uint32_t be32(uint32_t host) +{ +#ifdef L_ENDIAN + return (host & 0xff000000) >> 24 | + (host & 0x00ff0000) >> 8 | + (host & 0x0000ff00) << 8 | + (host & 0x000000ff) << 24; +#else + return host; +#endif +} + +int omac_imit_ctrl(EVP_MD_CTX *ctx, int type, int arg, void *ptr); /* * Function expects that out is a preallocated buffer of length * defined as sum of shared_len and mac length defined by mac_nid @@ -33,6 +54,11 @@ int gost_kexp15(const unsigned char *shared_key, const int shared_len, goto err; } + if (shared_len + mac_len > (unsigned int)(*out_len)) { + GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR); + goto err; + } + /* we expect IV of half length */ memset(iv_full, 0, 16); memcpy(iv_full, iv, ivlen); @@ -44,12 +70,12 @@ int gost_kexp15(const unsigned char *shared_key, const int shared_len, } if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0 - || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0 - || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0 + || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0 + || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0 || EVP_DigestUpdate(mac, iv, ivlen) <= 0 || EVP_DigestUpdate(mac, shared_key, shared_len) <= 0 /* As we set MAC length directly, we should not allow overwriting it */ - || EVP_DigestFinal_ex(mac, mac_buf, NULL) <= 0) { + || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) { GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR); goto err; } @@ -82,14 +108,19 @@ int gost_kexp15(const unsigned char *shared_key, const int shared_len, return ret; } +/* + * Function expects that shared_key is a preallocated buffer + * with length defined as expkeylen + mac_len defined by mac_nid + * */ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen, int cipher_nid, const unsigned char *cipher_key, int mac_nid, unsigned char *mac_key, const unsigned char *iv, const size_t ivlen, - unsigned char *shared_key, size_t shared_len) + unsigned char *shared_key) { unsigned char iv_full[16], out[48], mac_buf[16]; unsigned int mac_len; + const size_t shared_len = 32; EVP_CIPHER_CTX *ciph = NULL; EVP_MD_CTX *mac = NULL; @@ -105,6 +136,16 @@ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen, goto err; } + if (expkeylen > sizeof(out)) { + GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR); + goto err; + } + + if (ivlen > 16) { + GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR); + goto err; + } + /* we expect IV of half length */ memset(iv_full, 0, 16); memcpy(iv_full, iv, ivlen); @@ -132,12 +173,12 @@ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen, } if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0 - || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0 - || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0 + || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0 + || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0 || EVP_DigestUpdate(mac, iv, ivlen) <= 0 || EVP_DigestUpdate(mac, out, shared_len) <= 0 /* As we set MAC length directly, we should not allow overwriting it */ - || EVP_DigestFinal_ex(mac, mac_buf, NULL) <= 0) { + || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) { GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR); goto err; } @@ -166,9 +207,9 @@ int gost_kdftree2012_256(unsigned char *keyout, size_t keyout_len, int iters, i = 0; unsigned char zero = 0; unsigned char *ptr = keyout; - HMAC_CTX *ctx = NULL; + HMAC_CTX *ctx; unsigned char *len_ptr = NULL; - uint32_t len_repr = htonl(keyout_len * 8); + uint32_t len_repr = be32(keyout_len * 8); size_t len_repr_len = 4; ctx = HMAC_CTX_new(); @@ -190,7 +231,7 @@ int gost_kdftree2012_256(unsigned char *keyout, size_t keyout_len, } for (i = 1; i <= iters; i++) { - uint32_t iter_net = htonl(i); + uint32_t iter_net = be32(i); unsigned char *rep_ptr = ((unsigned char *)&iter_net) + (4 - representation); @@ -217,124 +258,209 @@ int gost_kdftree2012_256(unsigned char *keyout, size_t keyout_len, return 1; } -#ifdef ENABLE_UNIT_TESTS -# include -# include -# include - -static void hexdump(FILE *f, const char *title, const unsigned char *s, int l) +int gost_tlstree(int cipher_nid, const unsigned char *in, unsigned char *out, + const unsigned char *tlsseq) { - int n = 0; - - fprintf(f, "%s", title); - for (; n < l; ++n) { - if ((n % 16) == 0) - fprintf(f, "\n%04x", n); - fprintf(f, " %02x", s[n]); + uint64_t gh_c1 = 0x00000000FFFFFFFF, gh_c2 = 0x0000F8FFFFFFFFFF, + gh_c3 = 0xC0FFFFFFFFFFFFFF; + uint64_t mg_c1 = 0x00000000C0FFFFFF, mg_c2 = 0x000000FEFFFFFFFF, + mg_c3 = 0x00F0FFFFFFFFFFFF; + uint64_t c1, c2, c3; + uint64_t seed1, seed2, seed3; + uint64_t seq; + unsigned char ko1[32], ko2[32]; + + switch (cipher_nid) { + case NID_magma_cbc: + c1 = mg_c1; + c2 = mg_c2; + c3 = mg_c3; + break; + case NID_grasshopper_cbc: + c1 = gh_c1; + c2 = gh_c2; + c3 = gh_c3; + break; + default: + return 0; } - fprintf(f, "\n"); +#ifndef L_ENDIAN + BUF_reverse((unsigned char *)&seq, tlsseq, 8); +#else + memcpy(&seq, tlsseq, 8); +#endif + seed1 = seq & c1; + seed2 = seq & c2; + seed3 = seq & c3; + + if (gost_kdftree2012_256(ko1, 32, in, 32, (const unsigned char *)"level1", 6, + (const unsigned char *)&seed1, 8, 1) <= 0 + || gost_kdftree2012_256(ko2, 32, ko1, 32, (const unsigned char *)"level2", 6, + (const unsigned char *)&seed2, 8, 1) <= 0 + || gost_kdftree2012_256(out, 32, ko2, 32, (const unsigned char *)"level3", 6, + (const unsigned char *)&seed3, 8, 1) <= 0) + return 0; + + return 1; } -int main(void) +#define GOST_WRAP_FLAGS EVP_CIPH_CTRL_INIT | EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 + +#define MAGMA_MAC_WRAP_LEN 8 +#define KUZNYECHIK_MAC_WRAP_LEN 16 +#define MAX_MAC_WRAP_LEN KUZNYECHIK_MAC_WRAP_LEN +#define GOSTKEYLEN 32 +#define MAGMA_WRAPPED_KEY_LEN GOSTKEYLEN + MAGMA_MAC_WRAP_LEN +#define KUZNYECHIK_WRAPPED_KEY_LEN GOSTKEYLEN + KUZNYECHIK_MAC_WRAP_LEN +#define MAX_WRAPPED_KEY_LEN KUZNYECHIK_WRAPPED_KEY_LEN + +typedef struct { + unsigned char iv[8]; /* Max IV size is half of base cipher block length */ + unsigned char key[GOSTKEYLEN*2]; /* Combined cipher and mac keys */ + unsigned char wrapped[MAX_WRAPPED_KEY_LEN]; /* Max size */ + size_t wrap_count; +} GOST_WRAP_CTX; + +static int magma_wrap_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) { - const unsigned char shared_key[] = { - 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, - 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, - 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF - }; - - const unsigned char magma_key[] = { - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, - 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, - 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, - }; - - unsigned char mac_magma_key[] = { - 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, - }; - - const unsigned char magma_iv[] = { 0x67, 0xBE, 0xD6, 0x54 }; - - const unsigned char magma_export[] = { - 0xCF, 0xD5, 0xA1, 0x2D, 0x5B, 0x81, 0xB6, 0xE1, - 0xE9, 0x9C, 0x91, 0x6D, 0x07, 0x90, 0x0C, 0x6A, - 0xC1, 0x27, 0x03, 0xFB, 0x3A, 0xBD, 0xED, 0x55, - 0x56, 0x7B, 0xF3, 0x74, 0x2C, 0x89, 0x9C, 0x75, - 0x5D, 0xAF, 0xE7, 0xB4, 0x2E, 0x3A, 0x8B, 0xD9 - }; - - unsigned char kdftree_key[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, - }; - - unsigned char kdf_label[] = { 0x26, 0xBD, 0xB8, 0x78 }; - unsigned char kdf_seed[] = - { 0xAF, 0x21, 0x43, 0x41, 0x45, 0x65, 0x63, 0x78 }; - const unsigned char kdf_etalon[] = { - 0x22, 0xB6, 0x83, 0x78, 0x45, 0xC6, 0xBE, 0xF6, - 0x5E, 0xA7, 0x16, 0x72, 0xB2, 0x65, 0x83, 0x10, - 0x86, 0xD3, 0xC7, 0x6A, 0xEB, 0xE6, 0xDA, 0xE9, - 0x1C, 0xAD, 0x51, 0xD8, 0x3F, 0x79, 0xD1, 0x6B, - 0x07, 0x4C, 0x93, 0x30, 0x59, 0x9D, 0x7F, 0x8D, - 0x71, 0x2F, 0xCA, 0x54, 0x39, 0x2F, 0x4D, 0xDD, - 0xE9, 0x37, 0x51, 0x20, 0x6B, 0x35, 0x84, 0xC8, - 0xF4, 0x3F, 0x9E, 0x6D, 0xC5, 0x15, 0x31, 0xF9 - }; - - unsigned char buf[32 + 16]; - int ret = 0; - int outlen = 40; - unsigned char kdf_result[64]; - - OpenSSL_add_all_algorithms(); - memset(buf, 0, sizeof(buf)); - - ret = gost_kexp15(shared_key, 32, - NID_magma_ctr, magma_key, - NID_magma_mac, mac_magma_key, magma_iv, 4, buf, &outlen); - - if (ret <= 0) - ERR_print_errors_fp(stderr); - else { - hexdump(stdout, "Magma key export", buf, 40); - if (memcmp(buf, magma_export, 40) != 0) { - fprintf(stdout, "ERROR! test failed\n"); - } - } + GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx); + memset(cctx->wrapped, 0, MAX_WRAPPED_KEY_LEN); + cctx->wrap_count = 0; + + if (iv) { + memset(cctx->iv, 0, 8); + memcpy(cctx->iv, iv, 4); + } + + if (key) { + memcpy(cctx->key, key, GOSTKEYLEN*2); + } + return 1; +} - ret = gost_kimp15(magma_export, 40, - NID_magma_ctr, magma_key, - NID_magma_mac, mac_magma_key, magma_iv, 4, buf, 32); +static int magma_wrap_do(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx); + int enc = EVP_CIPHER_CTX_encrypting(ctx) ? 1 : 0; + + if (out == NULL) + return GOSTKEYLEN; + + if (inl <= MAGMA_WRAPPED_KEY_LEN) { + if (cctx->wrap_count + inl > MAGMA_WRAPPED_KEY_LEN) + return -1; + + if (cctx->wrap_count + inl <= MAGMA_WRAPPED_KEY_LEN) + { + memcpy(cctx->wrapped+cctx->wrap_count, in, inl); + cctx->wrap_count += inl; + } + } + + if (cctx->wrap_count < MAGMA_WRAPPED_KEY_LEN) + return 0; + + if (enc) { +#if 0 + return gost_kexp15(cctx->key, 32, NID_magma_ctr, in, NID_magma_mac, + cctx->key, /* FIXME mac_key, */ cctx->iv, 4, out, &outl); +#endif + return -1; + } else { + return gost_kimp15(cctx->wrapped, cctx->wrap_count, NID_magma_ctr, + cctx->key+GOSTKEYLEN, NID_magma_mac, cctx->key, cctx->iv, 4, out) > 0 ? GOSTKEYLEN : 0; + } +} - if (ret <= 0) - ERR_print_errors_fp(stderr); - else { - hexdump(stdout, "Magma key import", buf, 32); - if (memcmp(buf, shared_key, 32) != 0) { - fprintf(stdout, "ERROR! test failed\n"); - } - } +static int kuznyechik_wrap_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx); + memset(cctx->wrapped, 0, KUZNYECHIK_WRAPPED_KEY_LEN); + cctx->wrap_count = 0; + + if (iv) { + memset(cctx->iv, 0, 8); + memcpy(cctx->iv, iv, 8); + } + + if (key) { + memcpy(cctx->key, key, GOSTKEYLEN*2); + } + return 1; +} - ret = gost_kdftree2012_256(kdf_result, 64, kdftree_key, 32, kdf_label, 4, - kdf_seed, 8, 1); - if (ret <= 0) - ERR_print_errors_fp(stderr); - else { - hexdump(stdout, "KDF TREE", kdf_result, 64); - if (memcmp(kdf_result, kdf_etalon, 64) != 0) { - fprintf(stdout, "ERROR! test failed\n"); - } - } +static int kuznyechik_wrap_do(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx); + int enc = EVP_CIPHER_CTX_encrypting(ctx) ? 1 : 0; + + if (out == NULL) + return GOSTKEYLEN; + + if (inl <= KUZNYECHIK_WRAPPED_KEY_LEN) { + if (cctx->wrap_count + inl > KUZNYECHIK_WRAPPED_KEY_LEN) + return -1; + + if (cctx->wrap_count + inl <= KUZNYECHIK_WRAPPED_KEY_LEN) + { + memcpy(cctx->wrapped+cctx->wrap_count, in, inl); + cctx->wrap_count += inl; + } + } + + if (cctx->wrap_count < KUZNYECHIK_WRAPPED_KEY_LEN) + return 0; + + if (enc) { +#if 0 + return gost_kexp15(cctx->key, 32, NID_magma_ctr, in, NID_magma_mac, + cctx->key, /* FIXME mac_key, */ cctx->iv, 4, out, &outl); +#endif + return -1; + } else { + return gost_kimp15(cctx->wrapped, cctx->wrap_count, NID_kuznyechik_ctr, + cctx->key+GOSTKEYLEN, NID_kuznyechik_mac, cctx->key, cctx->iv, 8, out) > 0 ? GOSTKEYLEN : 0; + } +} - return 0; +static int wrap_ctrl (EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) +{ + switch(type) + { + case EVP_CTRL_INIT: + EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + return 1; + default: + return -2; + } } -#endif +static GOST_cipher wrap_template_cipher = { + .key_len = GOSTKEYLEN * 2, + .flags = GOST_WRAP_FLAGS, + .ctx_size = sizeof(GOST_WRAP_CTX), + .ctrl = wrap_ctrl, +}; + +GOST_cipher magma_kexp15_cipher = { + .template = &wrap_template_cipher, + .nid = NID_magma_kexp15, + .block_size = 8, + .iv_len = 4, + .init = magma_wrap_init, + .do_cipher = magma_wrap_do, +}; + +GOST_cipher kuznyechik_kexp15_cipher = { + .template = &wrap_template_cipher, + .nid = NID_kuznyechik_kexp15, + .block_size = 16, + .iv_len = 8, + .init = kuznyechik_wrap_init, + .do_cipher = kuznyechik_wrap_do, +}; +/* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */