2 * Copyright (c) 2019 Dmitry Belyavskiy <beldmit@gmail.com>
3 * Copyright (c) 2020 Vitaly Chikunov <vt@altlinux.org>
5 * Contents licensed under the terms of the OpenSSL license
6 * See https://www.openssl.org/source/license.html for details
11 #include <arpa/inet.h>
14 #include <openssl/evp.h>
15 #include <openssl/hmac.h>
16 #include <openssl/buffer.h>
19 #include "e_gost_err.h"
21 int omac_imit_ctrl(EVP_MD_CTX *ctx, int type, int arg, void *ptr);
23 * Function expects that out is a preallocated buffer of length
24 * defined as sum of shared_len and mac length defined by mac_nid
26 int gost_kexp15(const unsigned char *shared_key, const int shared_len,
27 int cipher_nid, const unsigned char *cipher_key,
28 int mac_nid, unsigned char *mac_key,
29 const unsigned char *iv, const size_t ivlen,
30 unsigned char *out, int *out_len)
32 unsigned char iv_full[16], mac_buf[16];
35 EVP_CIPHER_CTX *ciph = NULL;
36 EVP_MD_CTX *mac = NULL;
41 mac_len = (cipher_nid == NID_magma_ctr) ? 8 :
42 (cipher_nid == NID_grasshopper_ctr) ? 16 : 0;
45 GOSTerr(GOST_F_GOST_KEXP15, GOST_R_INVALID_CIPHER);
49 if (shared_len + mac_len > (unsigned int)(*out_len)) {
50 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
54 /* we expect IV of half length */
55 memset(iv_full, 0, 16);
56 memcpy(iv_full, iv, ivlen);
58 mac = EVP_MD_CTX_new();
60 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_MALLOC_FAILURE);
64 if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
65 || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
66 || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0
67 || EVP_DigestUpdate(mac, iv, ivlen) <= 0
68 || EVP_DigestUpdate(mac, shared_key, shared_len) <= 0
69 /* As we set MAC length directly, we should not allow overwriting it */
70 || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) {
71 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
75 ciph = EVP_CIPHER_CTX_new();
77 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_MALLOC_FAILURE);
82 (ciph, EVP_get_cipherbynid(cipher_nid), NULL, NULL, NULL, 1) <= 0
83 || EVP_CipherInit_ex(ciph, NULL, NULL, cipher_key, iv_full, 1) <= 0
84 || EVP_CipherUpdate(ciph, out, &len, shared_key, shared_len) <= 0
85 || EVP_CipherUpdate(ciph, out + shared_len, &len, mac_buf, mac_len) <= 0
86 || EVP_CipherFinal_ex(ciph, out + shared_len + len, out_len) <= 0) {
87 GOSTerr(GOST_F_GOST_KEXP15, ERR_R_INTERNAL_ERROR);
91 *out_len = shared_len + mac_len;
96 OPENSSL_cleanse(mac_buf, mac_len);
98 EVP_CIPHER_CTX_free(ciph);
104 * Function expects that shared_key is a preallocated buffer
105 * with length defined as expkeylen + mac_len defined by mac_nid
107 int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
108 int cipher_nid, const unsigned char *cipher_key,
109 int mac_nid, unsigned char *mac_key,
110 const unsigned char *iv, const size_t ivlen,
111 unsigned char *shared_key)
113 unsigned char iv_full[16], out[48], mac_buf[16];
114 unsigned int mac_len;
115 const size_t shared_len = 32;
117 EVP_CIPHER_CTX *ciph = NULL;
118 EVP_MD_CTX *mac = NULL;
123 mac_len = (cipher_nid == NID_magma_ctr) ? 8 :
124 (cipher_nid == NID_grasshopper_ctr) ? 16 : 0;
127 GOSTerr(GOST_F_GOST_KIMP15, GOST_R_INVALID_CIPHER);
131 if (expkeylen > sizeof(out)) {
132 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
137 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
141 /* we expect IV of half length */
142 memset(iv_full, 0, 16);
143 memcpy(iv_full, iv, ivlen);
145 ciph = EVP_CIPHER_CTX_new();
147 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_MALLOC_FAILURE);
151 if (EVP_CipherInit_ex
152 (ciph, EVP_get_cipherbynid(cipher_nid), NULL, NULL, NULL, 0) <= 0
153 || EVP_CipherInit_ex(ciph, NULL, NULL, cipher_key, iv_full, 0) <= 0
154 || EVP_CipherUpdate(ciph, out, &len, expkey, expkeylen) <= 0
155 || EVP_CipherFinal_ex(ciph, out + len, &len) <= 0) {
156 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
159 /*Now we have shared key and mac in out[] */
161 mac = EVP_MD_CTX_new();
163 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_MALLOC_FAILURE);
167 if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
168 || omac_imit_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
169 || omac_imit_ctrl(mac, EVP_MD_CTRL_XOF_LEN, mac_len, NULL) <= 0
170 || EVP_DigestUpdate(mac, iv, ivlen) <= 0
171 || EVP_DigestUpdate(mac, out, shared_len) <= 0
172 /* As we set MAC length directly, we should not allow overwriting it */
173 || EVP_DigestFinalXOF(mac, mac_buf, mac_len) <= 0) {
174 GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
178 if (CRYPTO_memcmp(mac_buf, out + shared_len, mac_len) != 0) {
179 GOSTerr(GOST_F_GOST_KIMP15, GOST_R_BAD_MAC);
183 memcpy(shared_key, out, shared_len);
187 OPENSSL_cleanse(out, sizeof(out));
188 EVP_MD_CTX_free(mac);
189 EVP_CIPHER_CTX_free(ciph);
193 int gost_kdftree2012_256(unsigned char *keyout, size_t keyout_len,
194 const unsigned char *key, size_t keylen,
195 const unsigned char *label, size_t label_len,
196 const unsigned char *seed, size_t seed_len,
197 const size_t representation)
200 unsigned char zero = 0;
201 unsigned char *ptr = keyout;
203 unsigned char *len_ptr = NULL;
204 uint32_t len_repr = htonl(keyout_len * 8);
205 size_t len_repr_len = 4;
207 ctx = HMAC_CTX_new();
209 GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_MALLOC_FAILURE);
213 if ((keyout_len == 0) || (keyout_len % 32 != 0)) {
214 GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_INTERNAL_ERROR);
217 iters = keyout_len / 32;
219 len_ptr = (unsigned char *)&len_repr;
220 while (*len_ptr == 0) {
225 for (i = 1; i <= iters; i++) {
226 uint32_t iter_net = htonl(i);
227 unsigned char *rep_ptr =
228 ((unsigned char *)&iter_net) + (4 - representation);
230 if (HMAC_Init_ex(ctx, key, keylen,
231 EVP_get_digestbynid(NID_id_GostR3411_2012_256),
233 || HMAC_Update(ctx, rep_ptr, representation) <= 0
234 || HMAC_Update(ctx, label, label_len) <= 0
235 || HMAC_Update(ctx, &zero, 1) <= 0
236 || HMAC_Update(ctx, seed, seed_len) <= 0
237 || HMAC_Update(ctx, len_ptr, len_repr_len) <= 0
238 || HMAC_Final(ctx, ptr, NULL) <= 0) {
239 GOSTerr(GOST_F_GOST_KDFTREE2012_256, ERR_R_INTERNAL_ERROR);
253 int gost_tlstree(int cipher_nid, const unsigned char *in, unsigned char *out,
254 const unsigned char *tlsseq, int mode)
256 uint64_t gh_c1 = 0x00000000FFFFFFFF, gh_c2 = 0x0000F8FFFFFFFFFF,
257 gh_c3 = 0xC0FFFFFFFFFFFFFF;
258 uint64_t mg_c1 = 0x00000000C0FFFFFF, mg_c2 = 0x000000FEFFFFFFFF,
259 mg_c3 = 0x00F0FFFFFFFFFFFF;
261 uint64_t seed1, seed2, seed3;
263 unsigned char ko1[32], ko2[32];
265 switch (cipher_nid) {
271 case NID_grasshopper_cbc:
278 case TLSTREE_MODE_S: // TLS_GOSTR341112_256_WITH_MAGMA_MGM_S
279 c1 = 0x000000fcffffffff;
280 c2 = 0x00e0ffffffffffff;
281 c3 = 0xffffffffffffffff;
283 case TLSTREE_MODE_L: // TLS_GOSTR341112_256_WITH_MAGMA_MGM_L
284 c1 = 0x000000000000e0ff;
285 c2 = 0x000000c0ffffffff;
286 c3 = 0x80ffffffffffffff;
292 case NID_kuznyechik_mgm:
294 case TLSTREE_MODE_S: // TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S
295 c1 = 0x000000e0ffffffff;
296 c2 = 0x0000ffffffffffff;
297 c3 = 0xf8ffffffffffffff;
299 case TLSTREE_MODE_L: // TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L
300 c1 = 0x00000000000000f8;
301 c2 = 0x00000000f0ffffff;
302 c3 = 0x00e0ffffffffffff;
311 BUF_reverse((unsigned char *)&seq, tlsseq, 8);
313 memcpy(&seq, tlsseq, 8);
319 if (gost_kdftree2012_256(ko1, 32, in, 32, (const unsigned char *)"level1", 6,
320 (const unsigned char *)&seed1, 8, 1) <= 0
321 || gost_kdftree2012_256(ko2, 32, ko1, 32, (const unsigned char *)"level2", 6,
322 (const unsigned char *)&seed2, 8, 1) <= 0
323 || gost_kdftree2012_256(out, 32, ko2, 32, (const unsigned char *)"level3", 6,
324 (const unsigned char *)&seed3, 8, 1) <= 0)
330 #define GOST_WRAP_FLAGS EVP_CIPH_CTRL_INIT | EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1
332 #define MAGMA_MAC_WRAP_LEN 8
333 #define KUZNYECHIK_MAC_WRAP_LEN 16
334 #define MAX_MAC_WRAP_LEN KUZNYECHIK_MAC_WRAP_LEN
335 #define GOSTKEYLEN 32
336 #define MAGMA_WRAPPED_KEY_LEN GOSTKEYLEN + MAGMA_MAC_WRAP_LEN
337 #define KUZNYECHIK_WRAPPED_KEY_LEN GOSTKEYLEN + KUZNYECHIK_MAC_WRAP_LEN
338 #define MAX_WRAPPED_KEY_LEN KUZNYECHIK_WRAPPED_KEY_LEN
341 unsigned char iv[8]; /* Max IV size is half of base cipher block length */
342 unsigned char key[GOSTKEYLEN*2]; /* Combined cipher and mac keys */
343 unsigned char wrapped[MAX_WRAPPED_KEY_LEN]; /* Max size */
347 static int magma_wrap_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
348 const unsigned char *iv, int enc)
350 GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
351 memset(cctx->wrapped, 0, MAX_WRAPPED_KEY_LEN);
352 cctx->wrap_count = 0;
355 memset(cctx->iv, 0, 8);
356 memcpy(cctx->iv, iv, 4);
360 memcpy(cctx->key, key, GOSTKEYLEN*2);
365 static int magma_wrap_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
366 const unsigned char *in, size_t inl)
368 GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
369 int enc = EVP_CIPHER_CTX_encrypting(ctx) ? 1 : 0;
374 if (inl <= MAGMA_WRAPPED_KEY_LEN) {
375 if (cctx->wrap_count + inl > MAGMA_WRAPPED_KEY_LEN)
378 if (cctx->wrap_count + inl <= MAGMA_WRAPPED_KEY_LEN)
380 memcpy(cctx->wrapped+cctx->wrap_count, in, inl);
381 cctx->wrap_count += inl;
385 if (cctx->wrap_count < MAGMA_WRAPPED_KEY_LEN)
390 return gost_kexp15(cctx->key, 32, NID_magma_ctr, in, NID_magma_mac,
391 cctx->key, /* FIXME mac_key, */ cctx->iv, 4, out, &outl);
395 return gost_kimp15(cctx->wrapped, cctx->wrap_count, NID_magma_ctr,
396 cctx->key+GOSTKEYLEN, NID_magma_mac, cctx->key, cctx->iv, 4, out) > 0 ? GOSTKEYLEN : 0;
401 static int kuznyechik_wrap_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
402 const unsigned char *iv, int enc)
404 GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
405 memset(cctx->wrapped, 0, KUZNYECHIK_WRAPPED_KEY_LEN);
406 cctx->wrap_count = 0;
409 memset(cctx->iv, 0, 8);
410 memcpy(cctx->iv, iv, 8);
414 memcpy(cctx->key, key, GOSTKEYLEN*2);
419 static int kuznyechik_wrap_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
420 const unsigned char *in, size_t inl)
422 GOST_WRAP_CTX *cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
423 int enc = EVP_CIPHER_CTX_encrypting(ctx) ? 1 : 0;
428 if (inl <= KUZNYECHIK_WRAPPED_KEY_LEN) {
429 if (cctx->wrap_count + inl > KUZNYECHIK_WRAPPED_KEY_LEN)
432 if (cctx->wrap_count + inl <= KUZNYECHIK_WRAPPED_KEY_LEN)
434 memcpy(cctx->wrapped+cctx->wrap_count, in, inl);
435 cctx->wrap_count += inl;
439 if (cctx->wrap_count < KUZNYECHIK_WRAPPED_KEY_LEN)
444 return gost_kexp15(cctx->key, 32, NID_magma_ctr, in, NID_magma_mac,
445 cctx->key, /* FIXME mac_key, */ cctx->iv, 4, out, &outl);
449 return gost_kimp15(cctx->wrapped, cctx->wrap_count, NID_kuznyechik_ctr,
450 cctx->key+GOSTKEYLEN, NID_kuznyechik_mac, cctx->key, cctx->iv, 8, out) > 0 ? GOSTKEYLEN : 0;
454 static int wrap_ctrl (EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
459 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
466 static GOST_cipher wrap_template_cipher = {
467 .key_len = GOSTKEYLEN * 2,
468 .flags = GOST_WRAP_FLAGS,
469 .ctx_size = sizeof(GOST_WRAP_CTX),
473 GOST_cipher magma_kexp15_cipher = {
474 .template = &wrap_template_cipher,
475 .nid = NID_magma_kexp15,
478 .init = magma_wrap_init,
479 .do_cipher = magma_wrap_do,
482 GOST_cipher kuznyechik_kexp15_cipher = {
483 .template = &wrap_template_cipher,
484 .nid = NID_kuznyechik_kexp15,
487 .init = kuznyechik_wrap_init,
488 .do_cipher = kuznyechik_wrap_do,
490 /* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */