+#ifdef _WIN32
+#include <winsock.h>
+#else
#include <arpa/inet.h>
+#endif
#include <string.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include "gost_lcl.h"
#include "e_gost_err.h"
+int omac_imit_ctrl(EVP_MD_CTX *ctx, int type, int arg, void *ptr);
/*
* Function expects that out is a preallocated buffer of length
* defined as sum of shared_len and mac length defined by mac_nid
}
if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
- || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
- || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0
+ || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
+ || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0
|| EVP_DigestUpdate(mac, iv, ivlen) <= 0
|| EVP_DigestUpdate(mac, shared_key, shared_len) <= 0
/* As we set MAC length directly, we should not allow overwriting it */
- || EVP_DigestFinal_ex(mac, mac_buf, NULL) <= 0) {
+ || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) {
GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
goto err;
}
/*
* Function expects that shared_key is a preallocated buffer
- * with length defined as expkeylen - mac_len defined by mac_nid
+ * with length defined as expkeylen + mac_len defined by mac_nid
* */
int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
int cipher_nid, const unsigned char *cipher_key,
}
if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
- || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
- || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0
+ || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
+ || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0
|| EVP_DigestUpdate(mac, iv, ivlen) <= 0
|| EVP_DigestUpdate(mac, out, shared_len) <= 0
/* As we set MAC length directly, we should not allow overwriting it */
- || EVP_DigestFinal_ex(mac, mac_buf, NULL) <= 0) {
+ || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) {
GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
goto err;
}
int iters, i = 0;
unsigned char zero = 0;
unsigned char *ptr = keyout;
- HMAC_CTX *ctx = NULL;
+ HMAC_CTX *ctx;
unsigned char *len_ptr = NULL;
uint32_t len_repr = htonl(keyout_len * 8);
size_t len_repr_len = 4;
return 1;
}
-#ifdef ENABLE_UNIT_TESTS
-# include <stdio.h>
-# include <string.h>
-# include <openssl/obj_mac.h>
-
-static void hexdump(FILE *f, const char *title, const unsigned char *s, int l)
+#define GOST_WRAP_FLAGS EVP_CIPH_CTRL_INIT | EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1
+
+#define MAGMA_MAC_WRAP_LEN 8
+#define KUZNYECHIK_MAC_WRAP_LEN 16
+#define MAX_MAC_WRAP_LEN KUZNYECHIK_MAC_WRAP_LEN
+#define GOSTKEYLEN 32
+#define MAGMA_WRAPPED_KEY_LEN GOSTKEYLEN + MAGMA_MAC_WRAP_LEN
+#define KUZNYECHIK_WRAPPED_KEY_LEN GOSTKEYLEN + KUZNYECHIK_MAC_WRAP_LEN
+#define MAX_WRAPPED_KEY_LEN KUZNYECHIK_WRAPPED_KEY_LEN
+
+typedef struct {
+ unsigned char iv[8]; /* Max IV size is half of base cipher block length */
+ unsigned char key[GOSTKEYLEN*2]; /* Combined cipher and mac keys */
+ unsigned char wrapped[MAX_WRAPPED_KEY_LEN]; /* Max size */
+ size_t wrap_count;
+} GOST_WRAP_CTX;
+
+static int magma_wrap_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc)
{
- int n = 0;
+ GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ memset(cctx->wrapped, 0, MAX_WRAPPED_KEY_LEN);
+ cctx->wrap_count = 0;
+
+ if (iv) {
+ memset(cctx->iv, 0, 8);
+ memcpy(cctx->iv, iv, 4);
+ }
+
+ if (key) {
+ memcpy(cctx->key, key, GOSTKEYLEN*2);
+ }
+ return 1;
+}
- fprintf(f, "%s", title);
- for (; n < l; ++n) {
- if ((n % 16) == 0)
- fprintf(f, "\n%04x", n);
- fprintf(f, " %02x", s[n]);
- }
- fprintf(f, "\n");
+static int magma_wrap_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ int enc = EVP_CIPHER_CTX_encrypting(ctx) ? 1 : 0;
+
+ if (out == NULL)
+ return GOSTKEYLEN;
+
+ if (inl <= MAGMA_WRAPPED_KEY_LEN) {
+ if (cctx->wrap_count + inl > MAGMA_WRAPPED_KEY_LEN)
+ return -1;
+
+ if (cctx->wrap_count + inl <= MAGMA_WRAPPED_KEY_LEN)
+ {
+ memcpy(cctx->wrapped+cctx->wrap_count, in, inl);
+ cctx->wrap_count += inl;
+ }
+ }
+
+ if (cctx->wrap_count < MAGMA_WRAPPED_KEY_LEN)
+ return 0;
+
+ if (enc) {
+#if 0
+ return gost_kexp15(cctx->key, 32, NID_magma_ctr, in, NID_magma_mac,
+ cctx->key, /* FIXME mac_key, */ cctx->iv, 4, out, &outl);
+#endif
+ return -1;
+ } else {
+ return gost_kimp15(cctx->wrapped, cctx->wrap_count, NID_magma_ctr,
+ cctx->key+GOSTKEYLEN, NID_magma_mac, cctx->key, cctx->iv, 4, out) > 0 ? GOSTKEYLEN : 0;
+ }
+ return 1;
}
-int main(void)
+static int kuznyechik_wrap_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc)
{
- const unsigned char shared_key[] = {
- 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
- 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
- 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF
- };
-
- const unsigned char magma_key[] = {
- 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
- 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F,
- 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F,
- 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
- };
-
- unsigned char mac_magma_key[] = {
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
- };
-
- const unsigned char magma_iv[] = { 0x67, 0xBE, 0xD6, 0x54 };
-
- const unsigned char magma_export[] = {
- 0xCF, 0xD5, 0xA1, 0x2D, 0x5B, 0x81, 0xB6, 0xE1,
- 0xE9, 0x9C, 0x91, 0x6D, 0x07, 0x90, 0x0C, 0x6A,
- 0xC1, 0x27, 0x03, 0xFB, 0x3A, 0xBD, 0xED, 0x55,
- 0x56, 0x7B, 0xF3, 0x74, 0x2C, 0x89, 0x9C, 0x75,
- 0x5D, 0xAF, 0xE7, 0xB4, 0x2E, 0x3A, 0x8B, 0xD9
- };
-
- unsigned char kdftree_key[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
- };
-
- unsigned char kdf_label[] = { 0x26, 0xBD, 0xB8, 0x78 };
- unsigned char kdf_seed[] =
- { 0xAF, 0x21, 0x43, 0x41, 0x45, 0x65, 0x63, 0x78 };
- const unsigned char kdf_etalon[] = {
- 0x22, 0xB6, 0x83, 0x78, 0x45, 0xC6, 0xBE, 0xF6,
- 0x5E, 0xA7, 0x16, 0x72, 0xB2, 0x65, 0x83, 0x10,
- 0x86, 0xD3, 0xC7, 0x6A, 0xEB, 0xE6, 0xDA, 0xE9,
- 0x1C, 0xAD, 0x51, 0xD8, 0x3F, 0x79, 0xD1, 0x6B,
- 0x07, 0x4C, 0x93, 0x30, 0x59, 0x9D, 0x7F, 0x8D,
- 0x71, 0x2F, 0xCA, 0x54, 0x39, 0x2F, 0x4D, 0xDD,
- 0xE9, 0x37, 0x51, 0x20, 0x6B, 0x35, 0x84, 0xC8,
- 0xF4, 0x3F, 0x9E, 0x6D, 0xC5, 0x15, 0x31, 0xF9
- };
-
- const unsigned char tlstree_gh_etalon[] = {
- 0x50, 0x76, 0x42, 0xd9, 0x58, 0xc5, 0x20, 0xc6,
- 0xd7, 0xee, 0xf5, 0xca, 0x8a, 0x53, 0x16, 0xd4,
- 0xf3, 0x4b, 0x85, 0x5d, 0x2d, 0xd4, 0xbc, 0xbf,
- 0x4e, 0x5b, 0xf0, 0xff, 0x64, 0x1a, 0x19, 0xff,
- };
-
- unsigned char buf[32 + 16];
- int ret = 0;
- int outlen = 40;
- unsigned char kdf_result[64];
-
- unsigned char kroot[32];
- unsigned char tlsseq[8];
- unsigned char out[32];
-
- OpenSSL_add_all_algorithms();
- memset(buf, 0, sizeof(buf));
-
- memset(kroot, 0xFF, 32);
- memset(tlsseq, 0, 8);
- tlsseq[7] = 63;
- memset(out, 0, 32);
-
- ret = gost_kexp15(shared_key, 32,
- NID_magma_ctr, magma_key,
- NID_magma_mac, mac_magma_key, magma_iv, 4, buf, &outlen);
-
- if (ret <= 0)
- ERR_print_errors_fp(stderr);
- else {
- hexdump(stdout, "Magma key export", buf, 40);
- if (memcmp(buf, magma_export, 40) != 0) {
- fprintf(stdout, "ERROR! test failed\n");
- }
- }
+ GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ memset(cctx->wrapped, 0, KUZNYECHIK_WRAPPED_KEY_LEN);
+ cctx->wrap_count = 0;
+
+ if (iv) {
+ memset(cctx->iv, 0, 8);
+ memcpy(cctx->iv, iv, 8);
+ }
+
+ if (key) {
+ memcpy(cctx->key, key, GOSTKEYLEN*2);
+ }
+ return 1;
+}
- ret = gost_kimp15(magma_export, 40,
- NID_magma_ctr, magma_key,
- NID_magma_mac, mac_magma_key, magma_iv, 4, buf);
+static int kuznyechik_wrap_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ int enc = EVP_CIPHER_CTX_encrypting(ctx) ? 1 : 0;
+
+ if (out == NULL)
+ return GOSTKEYLEN;
+
+ if (inl <= KUZNYECHIK_WRAPPED_KEY_LEN) {
+ if (cctx->wrap_count + inl > KUZNYECHIK_WRAPPED_KEY_LEN)
+ return -1;
+
+ if (cctx->wrap_count + inl <= KUZNYECHIK_WRAPPED_KEY_LEN)
+ {
+ memcpy(cctx->wrapped+cctx->wrap_count, in, inl);
+ cctx->wrap_count += inl;
+ }
+ }
+
+ if (cctx->wrap_count < KUZNYECHIK_WRAPPED_KEY_LEN)
+ return 0;
+
+ if (enc) {
+#if 0
+ return gost_kexp15(cctx->key, 32, NID_magma_ctr, in, NID_magma_mac,
+ cctx->key, /* FIXME mac_key, */ cctx->iv, 4, out, &outl);
+#endif
+ return -1;
+ } else {
+ return gost_kimp15(cctx->wrapped, cctx->wrap_count, NID_kuznyechik_ctr,
+ cctx->key+GOSTKEYLEN, NID_kuznyechik_mac, cctx->key, cctx->iv, 8, out) > 0 ? GOSTKEYLEN : 0;
+ }
+}
- if (ret <= 0)
- ERR_print_errors_fp(stderr);
- else {
- hexdump(stdout, "Magma key import", buf, 32);
- if (memcmp(buf, shared_key, 32) != 0) {
- fprintf(stdout, "ERROR! test failed\n");
- }
- }
+int wrap_ctrl (EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
+{
+ switch(type)
+ {
+ case EVP_CTRL_INIT:
+ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+ return 1;
+ default:
+ return -2;
+ }
+}
- ret = gost_kdftree2012_256(kdf_result, 64, kdftree_key, 32, kdf_label, 4,
- kdf_seed, 8, 1);
- if (ret <= 0)
- ERR_print_errors_fp(stderr);
- else {
- hexdump(stdout, "KDF TREE", kdf_result, 64);
- if (memcmp(kdf_result, kdf_etalon, 64) != 0) {
- fprintf(stdout, "ERROR! test failed\n");
- }
- }
+static EVP_CIPHER *hidden_magma_wrap_cipher, *hidden_kuznyechik_wrap_cipher;
- ret = gost_tlstree(NID_grasshopper_cbc, kroot, out, tlsseq);
- if (ret <= 0)
- ERR_print_errors_fp(stderr);
- else {
- hexdump(stdout, "Gost TLSTREE - grasshopper", out, 32);
- if (memcmp(out, tlstree_gh_etalon, 32) != 0) {
- fprintf(stdout, "ERROR! test failed\n");
- }
- }
+const EVP_CIPHER *cipher_magma_wrap(void)
+{
+ if (hidden_magma_wrap_cipher == NULL
+ && ((hidden_magma_wrap_cipher =
+ EVP_CIPHER_meth_new(NID_magma_kexp15, 8 /* block_size */ ,
+ GOSTKEYLEN*2 /* key_size */ )) == NULL
+ || !EVP_CIPHER_meth_set_iv_length(hidden_magma_wrap_cipher, 4)
+ || !EVP_CIPHER_meth_set_flags(hidden_magma_wrap_cipher, GOST_WRAP_FLAGS)
+ || !EVP_CIPHER_meth_set_init(hidden_magma_wrap_cipher, magma_wrap_init)
+ || !EVP_CIPHER_meth_set_ctrl(hidden_magma_wrap_cipher, wrap_ctrl)
+ || !EVP_CIPHER_meth_set_do_cipher(hidden_magma_wrap_cipher, magma_wrap_do)
+ || !EVP_CIPHER_meth_set_impl_ctx_size(hidden_magma_wrap_cipher, sizeof(GOST_WRAP_CTX))
+ || !EVP_add_cipher(hidden_magma_wrap_cipher)
+ )) {
+ EVP_CIPHER_meth_free(hidden_magma_wrap_cipher);
+ hidden_magma_wrap_cipher = NULL;
+ }
+
+ return hidden_magma_wrap_cipher;
+}
- return 0;
+const EVP_CIPHER *cipher_kuznyechik_wrap(void)
+{
+ if (hidden_kuznyechik_wrap_cipher == NULL
+ && ((hidden_kuznyechik_wrap_cipher =
+ EVP_CIPHER_meth_new(NID_kuznyechik_kexp15, 16 /* FIXME block_size */ ,
+ GOSTKEYLEN*2 /* key_size */ )) == NULL
+ || !EVP_CIPHER_meth_set_iv_length(hidden_kuznyechik_wrap_cipher, 8)
+ || !EVP_CIPHER_meth_set_flags(hidden_kuznyechik_wrap_cipher, GOST_WRAP_FLAGS)
+ || !EVP_CIPHER_meth_set_init(hidden_kuznyechik_wrap_cipher, kuznyechik_wrap_init)
+ || !EVP_CIPHER_meth_set_ctrl(hidden_kuznyechik_wrap_cipher, wrap_ctrl)
+ || !EVP_CIPHER_meth_set_do_cipher(hidden_kuznyechik_wrap_cipher, kuznyechik_wrap_do)
+ || !EVP_CIPHER_meth_set_impl_ctx_size(hidden_kuznyechik_wrap_cipher, sizeof(GOST_WRAP_CTX))
+ || !EVP_add_cipher(hidden_kuznyechik_wrap_cipher)
+ )) {
+ EVP_CIPHER_meth_free(hidden_kuznyechik_wrap_cipher);
+ hidden_kuznyechik_wrap_cipher = NULL;
+ }
+
+ return hidden_kuznyechik_wrap_cipher;
}
-#endif
+void wrap_ciphers_destroy(void)
+{
+ EVP_CIPHER_meth_free(hidden_magma_wrap_cipher);
+ hidden_magma_wrap_cipher = NULL;
+
+ EVP_CIPHER_meth_free(hidden_kuznyechik_wrap_cipher);
+ hidden_kuznyechik_wrap_cipher = NULL;
+}