7 #include <openssl/evp.h>
8 #include <openssl/hmac.h>
9 #include <openssl/buffer.h>
12 #include "e_gost_err.h"
14 int omac_imit_ctrl(EVP_MD_CTX *ctx, int type, int arg, void *ptr);
16 * Function expects that out is a preallocated buffer of length
17 * defined as sum of shared_len and mac length defined by mac_nid
19 int gost_kexp15(const unsigned char *shared_key, const int shared_len,
20 int cipher_nid, const unsigned char *cipher_key,
21 int mac_nid, unsigned char *mac_key,
22 const unsigned char *iv, const size_t ivlen,
23 unsigned char *out, int *out_len)
25 unsigned char iv_full[16], mac_buf[16];
28 EVP_CIPHER_CTX *ciph = NULL;
29 EVP_MD_CTX *mac = NULL;
34 mac_len = (cipher_nid == NID_magma_ctr) ? 8 :
35 (cipher_nid == NID_grasshopper_ctr) ? 16 : 0;
38 GOSTerr(GOST_F_GOST_KEXP15, GOST_R_INVALID_CIPHER);
42 if (shared_len + mac_len > (unsigned int)(*out_len)) {
43 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
47 /* we expect IV of half length */
48 memset(iv_full, 0, 16);
49 memcpy(iv_full, iv, ivlen);
51 mac = EVP_MD_CTX_new();
53 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_MALLOC_FAILURE);
57 if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
58 || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
59 || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0
60 || EVP_DigestUpdate(mac, iv, ivlen) <= 0
61 || EVP_DigestUpdate(mac, shared_key, shared_len) <= 0
62 /* As we set MAC length directly, we should not allow overwriting it */
63 || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) {
64 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
68 ciph = EVP_CIPHER_CTX_new();
70 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_MALLOC_FAILURE);
75 (ciph, EVP_get_cipherbynid(cipher_nid), NULL, NULL, NULL, 1) <= 0
76 || EVP_CipherInit_ex(ciph, NULL, NULL, cipher_key, iv_full, 1) <= 0
77 || EVP_CipherUpdate(ciph, out, &len, shared_key, shared_len) <= 0
78 || EVP_CipherUpdate(ciph, out + shared_len, &len, mac_buf, mac_len) <= 0
79 || EVP_CipherFinal_ex(ciph, out + shared_len + len, out_len) <= 0) {
80 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
84 *out_len = shared_len + mac_len;
89 OPENSSL_cleanse(mac_buf, mac_len);
91 EVP_CIPHER_CTX_free(ciph);
97 * Function expects that shared_key is a preallocated buffer
98 * with length defined as expkeylen + mac_len defined by mac_nid
100 int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
101 int cipher_nid, const unsigned char *cipher_key,
102 int mac_nid, unsigned char *mac_key,
103 const unsigned char *iv, const size_t ivlen,
104 unsigned char *shared_key)
106 unsigned char iv_full[16], out[48], mac_buf[16];
107 unsigned int mac_len;
108 const size_t shared_len = 32;
110 EVP_CIPHER_CTX *ciph = NULL;
111 EVP_MD_CTX *mac = NULL;
116 mac_len = (cipher_nid == NID_magma_ctr) ? 8 :
117 (cipher_nid == NID_grasshopper_ctr) ? 16 : 0;
120 GOSTerr(GOST_F_GOST_KIMP15, GOST_R_INVALID_CIPHER);
124 if (expkeylen > sizeof(out)) {
125 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
130 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
134 /* we expect IV of half length */
135 memset(iv_full, 0, 16);
136 memcpy(iv_full, iv, ivlen);
138 ciph = EVP_CIPHER_CTX_new();
140 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_MALLOC_FAILURE);
144 if (EVP_CipherInit_ex
145 (ciph, EVP_get_cipherbynid(cipher_nid), NULL, NULL, NULL, 0) <= 0
146 || EVP_CipherInit_ex(ciph, NULL, NULL, cipher_key, iv_full, 0) <= 0
147 || EVP_CipherUpdate(ciph, out, &len, expkey, expkeylen) <= 0
148 || EVP_CipherFinal_ex(ciph, out + len, &len) <= 0) {
149 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
152 /*Now we have shared key and mac in out[] */
154 mac = EVP_MD_CTX_new();
156 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_MALLOC_FAILURE);
160 if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
161 || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
162 || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0
163 || EVP_DigestUpdate(mac, iv, ivlen) <= 0
164 || EVP_DigestUpdate(mac, out, shared_len) <= 0
165 /* As we set MAC length directly, we should not allow overwriting it */
166 || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) {
167 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
171 if (CRYPTO_memcmp(mac_buf, out + shared_len, mac_len) != 0) {
172 GOSTerr(GOST_F_GOST_KIMP15, GOST_R_BAD_MAC);
176 memcpy(shared_key, out, shared_len);
180 OPENSSL_cleanse(out, sizeof(out));
181 EVP_MD_CTX_free(mac);
182 EVP_CIPHER_CTX_free(ciph);
186 int gost_kdftree2012_256(unsigned char *keyout, size_t keyout_len,
187 const unsigned char *key, size_t keylen,
188 const unsigned char *label, size_t label_len,
189 const unsigned char *seed, size_t seed_len,
190 const size_t representation)
193 unsigned char zero = 0;
194 unsigned char *ptr = keyout;
196 unsigned char *len_ptr = NULL;
197 uint32_t len_repr = htonl(keyout_len * 8);
198 size_t len_repr_len = 4;
200 ctx = HMAC_CTX_new();
202 GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_MALLOC_FAILURE);
206 if ((keyout_len == 0) || (keyout_len % 32 != 0)) {
207 GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_INTERNAL_ERROR);
210 iters = keyout_len / 32;
212 len_ptr = (unsigned char *)&len_repr;
213 while (*len_ptr == 0) {
218 for (i = 1; i <= iters; i++) {
219 uint32_t iter_net = htonl(i);
220 unsigned char *rep_ptr =
221 ((unsigned char *)&iter_net) + (4 - representation);
223 if (HMAC_Init_ex(ctx, key, keylen,
224 EVP_get_digestbynid(NID_id_GostR3411_2012_256),
226 || HMAC_Update(ctx, rep_ptr, representation) <= 0
227 || HMAC_Update(ctx, label, label_len) <= 0
228 || HMAC_Update(ctx, &zero, 1) <= 0
229 || HMAC_Update(ctx, seed, seed_len) <= 0
230 || HMAC_Update(ctx, len_ptr, len_repr_len) <= 0
231 || HMAC_Final(ctx, ptr, NULL) <= 0) {
232 GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_INTERNAL_ERROR);
246 int gost_tlstree(int cipher_nid, const unsigned char *in, unsigned char *out,
247 const unsigned char *tlsseq)
249 uint64_t gh_c1 = 0x00000000FFFFFFFF, gh_c2 = 0x0000F8FFFFFFFFFF,
250 gh_c3 = 0xC0FFFFFFFFFFFFFF;
251 uint64_t mg_c1 = 0x00000000C0FFFFFF, mg_c2 = 0x000000FEFFFFFFFF,
252 mg_c3 = 0x00F0FFFFFFFFFFFF;
254 uint64_t seed1, seed2, seed3;
256 unsigned char ko1[32], ko2[32];
258 switch (cipher_nid) {
264 case NID_grasshopper_cbc:
273 BUF_reverse((unsigned char *)&seq, tlsseq, 8);
275 memcpy(&seq, tlsseq, 8);
281 if (gost_kdftree2012_256(ko1, 32, in, 32, (const unsigned char *)"level1", 6,
282 (const unsigned char *)&seed1, 8, 1) <= 0
283 || gost_kdftree2012_256(ko2, 32, ko1, 32, (const unsigned char *)"level2", 6,
284 (const unsigned char *)&seed2, 8, 1) <= 0
285 || gost_kdftree2012_256(out, 32, ko2, 32, (const unsigned char *)"level3", 6,
286 (const unsigned char *)&seed3, 8, 1) <= 0)