1 | /* |
2 | * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <string.h> |
11 | #include <openssl/err.h> |
12 | #include <openssl/evp.h> |
13 | #include <openssl/engine.h> |
14 | #include <openssl/params.h> |
15 | #include <openssl/core_names.h> |
16 | #include "crypto/evp.h" |
17 | #include "evp_local.h" |
18 | |
19 | /* MAC PKEY context structure */ |
20 | |
21 | typedef struct { |
22 | EVP_MAC_CTX *ctx; |
23 | |
24 | /* |
25 | * We know of two MAC types: |
26 | * |
27 | * 1. those who take a secret in raw form, i.e. raw data as a |
28 | * ASN1_OCTET_STRING embedded in a EVP_PKEY. So far, that's |
29 | * all of them but CMAC. |
30 | * 2. those who take a secret with associated cipher in very generic |
31 | * form, i.e. a complete EVP_MAC_CTX embedded in a PKEY. So far, |
32 | * only CMAC does this. |
33 | * |
34 | * (one might wonder why the second form isn't used for all) |
35 | */ |
36 | #define MAC_TYPE_RAW 1 /* HMAC like MAC type (all but CMAC so far) */ |
37 | #define MAC_TYPE_MAC 2 /* CMAC like MAC type (only CMAC known so far) */ |
38 | int type; |
39 | |
40 | /* The following is only used for MAC_TYPE_RAW implementations */ |
41 | struct { |
42 | const EVP_MD *md; /* temp storage of MD */ |
43 | ASN1_OCTET_STRING ktmp; /* temp storage for key */ |
44 | } raw_data; |
45 | } MAC_PKEY_CTX; |
46 | |
47 | static void pkey_mac_cleanup(EVP_PKEY_CTX *ctx); |
48 | |
49 | static int pkey_mac_init(EVP_PKEY_CTX *ctx) |
50 | { |
51 | MAC_PKEY_CTX *hctx; |
52 | /* We're being smart and using the same base NIDs for PKEY and for MAC */ |
53 | int nid = ctx->pmeth->pkey_id; |
54 | EVP_MAC *mac = EVP_MAC_fetch(NULL, OBJ_nid2sn(nid), NULL); |
55 | |
56 | if ((hctx = OPENSSL_zalloc(sizeof(*hctx))) == NULL) { |
57 | EVPerr(EVP_F_PKEY_MAC_INIT, ERR_R_MALLOC_FAILURE); |
58 | return 0; |
59 | } |
60 | |
61 | hctx->ctx = EVP_MAC_CTX_new(mac); |
62 | if (hctx->ctx == NULL) { |
63 | OPENSSL_free(hctx); |
64 | return 0; |
65 | } |
66 | |
67 | if (nid == EVP_PKEY_CMAC) { |
68 | hctx->type = MAC_TYPE_MAC; |
69 | } else { |
70 | hctx->type = MAC_TYPE_RAW; |
71 | hctx->raw_data.ktmp.type = V_ASN1_OCTET_STRING; |
72 | } |
73 | |
74 | pkey_mac_cleanup(ctx); |
75 | EVP_PKEY_CTX_set_data(ctx, hctx); |
76 | ctx->keygen_info_count = 0; |
77 | |
78 | return 1; |
79 | } |
80 | |
81 | static int pkey_mac_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
82 | { |
83 | MAC_PKEY_CTX *sctx, *dctx; |
84 | |
85 | sctx = EVP_PKEY_CTX_get_data(src); |
86 | if (sctx->ctx->data == NULL) |
87 | return 0; |
88 | |
89 | dctx = OPENSSL_zalloc(sizeof(*dctx)); |
90 | if (dctx == NULL) { |
91 | EVPerr(EVP_F_PKEY_MAC_COPY, ERR_R_MALLOC_FAILURE); |
92 | return 0; |
93 | } |
94 | |
95 | EVP_PKEY_CTX_set_data(dst, dctx); |
96 | dst->keygen_info_count = 0; |
97 | |
98 | dctx->ctx = EVP_MAC_CTX_dup(sctx->ctx); |
99 | if (dctx->ctx == NULL) |
100 | goto err; |
101 | |
102 | /* |
103 | * Normally, nothing special would be done with the MAC method. In |
104 | * this particular case, though, the MAC method was fetched internally |
105 | * by pkey_mac_init() above or by EVP_PKEY_new_CMAC_key() and passed |
106 | * via the EVP_MAC_CTX, so it is effectively like every new EVP_MAC_CTX |
107 | * fetches the MAC method anew in this case. Therefore, its reference |
108 | * count must be adjusted here. |
109 | */ |
110 | if (!EVP_MAC_up_ref(EVP_MAC_CTX_mac(dctx->ctx))) |
111 | goto err; |
112 | |
113 | dctx->type = sctx->type; |
114 | |
115 | switch (dctx->type) { |
116 | case MAC_TYPE_RAW: |
117 | dctx->raw_data.md = sctx->raw_data.md; |
118 | if (ASN1_STRING_get0_data(&sctx->raw_data.ktmp) != NULL && |
119 | !ASN1_STRING_copy(&dctx->raw_data.ktmp, &sctx->raw_data.ktmp)) |
120 | goto err; |
121 | break; |
122 | case MAC_TYPE_MAC: |
123 | /* Nothing more to do */ |
124 | break; |
125 | default: |
126 | /* This should be dead code */ |
127 | return 0; |
128 | } |
129 | return 1; |
130 | err: |
131 | pkey_mac_cleanup(dst); |
132 | return 0; |
133 | } |
134 | |
135 | static void pkey_mac_cleanup(EVP_PKEY_CTX *ctx) |
136 | { |
137 | /* |
138 | * For the exact same reasons the MAC reference count is incremented |
139 | * in pkey_mac_copy() above, it must be explicitly freed here. |
140 | */ |
141 | |
142 | MAC_PKEY_CTX *hctx = ctx == NULL ? NULL : EVP_PKEY_CTX_get_data(ctx); |
143 | |
144 | if (hctx != NULL) { |
145 | EVP_MAC *mac = EVP_MAC_CTX_mac(hctx->ctx); |
146 | |
147 | switch (hctx->type) { |
148 | case MAC_TYPE_RAW: |
149 | OPENSSL_clear_free(hctx->raw_data.ktmp.data, |
150 | hctx->raw_data.ktmp.length); |
151 | break; |
152 | } |
153 | EVP_MAC_CTX_free(hctx->ctx); |
154 | EVP_MAC_free(mac); |
155 | OPENSSL_free(hctx); |
156 | EVP_PKEY_CTX_set_data(ctx, NULL); |
157 | } |
158 | } |
159 | |
160 | static int pkey_mac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
161 | { |
162 | MAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx); |
163 | int nid = ctx->pmeth->pkey_id; |
164 | |
165 | switch (hctx->type) { |
166 | case MAC_TYPE_RAW: |
167 | { |
168 | ASN1_OCTET_STRING *hkey = NULL; |
169 | |
170 | if (!hctx->raw_data.ktmp.data) |
171 | return 0; |
172 | hkey = ASN1_OCTET_STRING_dup(&hctx->raw_data.ktmp); |
173 | if (!hkey) |
174 | return 0; |
175 | EVP_PKEY_assign(pkey, nid, hkey); |
176 | } |
177 | break; |
178 | case MAC_TYPE_MAC: |
179 | { |
180 | EVP_MAC_CTX *cmkey = EVP_MAC_CTX_dup(hctx->ctx); |
181 | |
182 | if (cmkey == NULL) |
183 | return 0; |
184 | if (!EVP_MAC_up_ref(EVP_MAC_CTX_mac(hctx->ctx))) |
185 | return 0; |
186 | EVP_PKEY_assign(pkey, nid, cmkey); |
187 | } |
188 | break; |
189 | default: |
190 | /* This should be dead code */ |
191 | return 0; |
192 | } |
193 | |
194 | return 1; |
195 | } |
196 | |
197 | static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count) |
198 | { |
199 | MAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(EVP_MD_CTX_pkey_ctx(ctx)); |
200 | |
201 | if (!EVP_MAC_update(hctx->ctx, data, count)) |
202 | return 0; |
203 | return 1; |
204 | } |
205 | |
206 | static int pkey_mac_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx) |
207 | { |
208 | MAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx); |
209 | ASN1_OCTET_STRING *key = NULL; |
210 | int rv = 1; |
211 | /* |
212 | * For MACs with the EVP_PKEY_FLAG_SIGCTX_CUSTOM flag set and that |
213 | * gets the key passed as an ASN.1 OCTET STRING, we set the key here, |
214 | * as this may be only time it's set during a DigestSign. |
215 | * |
216 | * MACs that pass around the key in form of EVP_MAC_CTX are setting |
217 | * the key through other mechanisms. (this is only CMAC for now) |
218 | */ |
219 | int set_key = |
220 | hctx->type == MAC_TYPE_RAW |
221 | && (ctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) != 0; |
222 | |
223 | if (set_key) { |
224 | if (!EVP_MAC_is_a(EVP_MAC_CTX_mac(hctx->ctx), |
225 | OBJ_nid2sn(EVP_PKEY_id(EVP_PKEY_CTX_get0_pkey(ctx))))) |
226 | return 0; |
227 | key = EVP_PKEY_get0(EVP_PKEY_CTX_get0_pkey(ctx)); |
228 | if (key == NULL) |
229 | return 0; |
230 | } |
231 | |
232 | EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT); |
233 | EVP_MD_CTX_set_update_fn(mctx, int_update); |
234 | |
235 | /* Some MACs don't support this control... that's fine */ |
236 | { |
237 | OSSL_PARAM params[3]; |
238 | size_t params_n = 0; |
239 | int flags = EVP_MD_CTX_test_flags(mctx, ~EVP_MD_CTX_FLAG_NO_INIT); |
240 | |
241 | /* TODO(3.0) "flags" isn't quite right, i.e. a quick hack for now */ |
242 | params[params_n++] = |
243 | OSSL_PARAM_construct_int(OSSL_MAC_PARAM_FLAGS, &flags); |
244 | if (set_key) |
245 | params[params_n++] = |
246 | OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
247 | key->data, key->length); |
248 | params[params_n++] = OSSL_PARAM_construct_end(); |
249 | rv = EVP_MAC_CTX_set_params(hctx->ctx, params); |
250 | } |
251 | return rv; |
252 | } |
253 | |
254 | static int pkey_mac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, |
255 | size_t *siglen, EVP_MD_CTX *mctx) |
256 | { |
257 | MAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx); |
258 | |
259 | return EVP_MAC_final(hctx->ctx, sig, siglen, EVP_MAC_size(hctx->ctx)); |
260 | } |
261 | |
262 | static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
263 | { |
264 | MAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx); |
265 | |
266 | switch (type) { |
267 | |
268 | case EVP_PKEY_CTRL_CIPHER: |
269 | switch (hctx->type) { |
270 | case MAC_TYPE_RAW: |
271 | return -2; /* The raw types don't support ciphers */ |
272 | case MAC_TYPE_MAC: |
273 | { |
274 | OSSL_PARAM params[3]; |
275 | size_t params_n = 0; |
276 | char *ciphname = (char *)OBJ_nid2sn(EVP_CIPHER_nid(p2)); |
277 | #ifndef OPENSSL_NO_ENGINE |
278 | char *engineid = (char *)ENGINE_get_id(ctx->engine); |
279 | |
280 | params[params_n++] = |
281 | OSSL_PARAM_construct_utf8_string("engine" , engineid, 0); |
282 | #endif |
283 | params[params_n++] = |
284 | OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER, |
285 | ciphname, 0); |
286 | params[params_n] = OSSL_PARAM_construct_end(); |
287 | |
288 | if (!EVP_MAC_CTX_set_params(hctx->ctx, params) |
289 | || !EVP_MAC_init(hctx->ctx)) |
290 | return 0; |
291 | } |
292 | break; |
293 | default: |
294 | /* This should be dead code */ |
295 | return 0; |
296 | } |
297 | break; |
298 | |
299 | case EVP_PKEY_CTRL_MD: |
300 | switch (hctx->type) { |
301 | case MAC_TYPE_RAW: |
302 | hctx->raw_data.md = p2; |
303 | break; |
304 | case MAC_TYPE_MAC: { |
305 | EVP_MAC_CTX *new_mac_ctx; |
306 | |
307 | if (ctx->pkey == NULL) |
308 | return 0; |
309 | new_mac_ctx = EVP_MAC_CTX_dup((EVP_MAC_CTX *)ctx->pkey |
310 | ->pkey.ptr); |
311 | if (new_mac_ctx == NULL) |
312 | return 0; |
313 | EVP_MAC_CTX_free(hctx->ctx); |
314 | hctx->ctx = new_mac_ctx; |
315 | } |
316 | break; |
317 | default: |
318 | /* This should be dead code */ |
319 | return 0; |
320 | } |
321 | break; |
322 | |
323 | case EVP_PKEY_CTRL_SET_DIGEST_SIZE: |
324 | { |
325 | OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; |
326 | size_t size = (size_t)p1; |
327 | size_t verify = 0; |
328 | |
329 | /* |
330 | * We verify that the length is actually set by getting back |
331 | * the same parameter and checking that it matches what we |
332 | * tried to set. |
333 | * TODO(3.0) when we have a more direct mechanism to check if |
334 | * a parameter was used, we must refactor this to use that. |
335 | */ |
336 | |
337 | params[0] = |
338 | OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &size); |
339 | |
340 | if (!EVP_MAC_CTX_set_params(hctx->ctx, params)) |
341 | return 0; |
342 | |
343 | params[0] = |
344 | OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &verify); |
345 | |
346 | if (!EVP_MAC_CTX_get_params(hctx->ctx, params)) |
347 | return 0; |
348 | |
349 | /* |
350 | * Since EVP_MAC_CTX_{get,set}_params() returned successfully, |
351 | * we can only assume that the size was ignored, i.e. this |
352 | * control is unsupported. |
353 | */ |
354 | if (verify != size) |
355 | return -2; |
356 | } |
357 | break; |
358 | case EVP_PKEY_CTRL_SET_MAC_KEY: |
359 | switch (hctx->type) { |
360 | case MAC_TYPE_RAW: |
361 | if ((!p2 && p1 > 0) || (p1 < -1)) |
362 | return 0; |
363 | if (!ASN1_OCTET_STRING_set(&hctx->raw_data.ktmp, p2, p1)) |
364 | return 0; |
365 | break; |
366 | case MAC_TYPE_MAC: |
367 | { |
368 | OSSL_PARAM params[2]; |
369 | size_t params_n = 0; |
370 | |
371 | params[params_n++] = |
372 | OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
373 | p2, p1); |
374 | params[params_n] = OSSL_PARAM_construct_end(); |
375 | |
376 | return EVP_MAC_CTX_set_params(hctx->ctx, params); |
377 | } |
378 | break; |
379 | default: |
380 | /* This should be dead code */ |
381 | return 0; |
382 | } |
383 | break; |
384 | |
385 | case EVP_PKEY_CTRL_DIGESTINIT: |
386 | switch (hctx->type) { |
387 | case MAC_TYPE_RAW: |
388 | /* Ensure that we have attached the implementation */ |
389 | if (!EVP_MAC_init(hctx->ctx)) |
390 | return 0; |
391 | { |
392 | ASN1_OCTET_STRING *key = |
393 | (ASN1_OCTET_STRING *)ctx->pkey->pkey.ptr; |
394 | OSSL_PARAM params[4]; |
395 | size_t params_n = 0; |
396 | char *mdname = |
397 | (char *)OBJ_nid2sn(EVP_MD_nid(hctx->raw_data.md)); |
398 | #ifndef OPENSSL_NO_ENGINE |
399 | char *engineid = ctx->engine == NULL |
400 | ? NULL : (char *)ENGINE_get_id(ctx->engine); |
401 | |
402 | if (engineid != NULL) |
403 | params[params_n++] = |
404 | OSSL_PARAM_construct_utf8_string("engine" , engineid, 0); |
405 | #endif |
406 | params[params_n++] = |
407 | OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, |
408 | mdname, 0); |
409 | params[params_n++] = |
410 | OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
411 | key->data, key->length); |
412 | params[params_n] = OSSL_PARAM_construct_end(); |
413 | |
414 | return EVP_MAC_CTX_set_params(hctx->ctx, params); |
415 | } |
416 | break; |
417 | case MAC_TYPE_MAC: |
418 | return -2; /* The mac types don't support ciphers */ |
419 | default: |
420 | /* This should be dead code */ |
421 | return 0; |
422 | } |
423 | break; |
424 | |
425 | default: |
426 | return -2; |
427 | |
428 | } |
429 | return 1; |
430 | } |
431 | |
432 | static int pkey_mac_ctrl_str(EVP_PKEY_CTX *ctx, |
433 | const char *type, const char *value) |
434 | { |
435 | MAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx); |
436 | const EVP_MAC *mac = EVP_MAC_CTX_mac(hctx->ctx); |
437 | OSSL_PARAM params[2]; |
438 | int ok = 0; |
439 | |
440 | /* |
441 | * Translation of some control names that are equivalent to a single |
442 | * parameter name. |
443 | * |
444 | * "md" and "digest" are the same thing, we use the single "digest" |
445 | * |
446 | * "digestsize" was a setting control in siphash, but naming wise, |
447 | * it's really the same as "size". |
448 | */ |
449 | if (strcmp(type, "md" ) == 0) |
450 | type = OSSL_MAC_PARAM_DIGEST; |
451 | else if (strcmp(type, "digestsize" ) == 0) |
452 | type = OSSL_MAC_PARAM_SIZE; |
453 | |
454 | if (!OSSL_PARAM_allocate_from_text(¶ms[0], |
455 | EVP_MAC_settable_ctx_params(mac), |
456 | type, value, strlen(value) + 1)) |
457 | return 0; |
458 | params[1] = OSSL_PARAM_construct_end(); |
459 | ok = EVP_MAC_CTX_set_params(hctx->ctx, params); |
460 | OPENSSL_free(params[0].data); |
461 | return ok; |
462 | } |
463 | |
464 | static const EVP_PKEY_METHOD cmac_pkey_meth = { |
465 | EVP_PKEY_CMAC, |
466 | EVP_PKEY_FLAG_SIGCTX_CUSTOM, |
467 | pkey_mac_init, |
468 | pkey_mac_copy, |
469 | pkey_mac_cleanup, |
470 | |
471 | 0, 0, |
472 | |
473 | 0, |
474 | pkey_mac_keygen, |
475 | |
476 | 0, 0, |
477 | |
478 | 0, 0, |
479 | |
480 | 0, 0, |
481 | |
482 | pkey_mac_signctx_init, |
483 | pkey_mac_signctx, |
484 | |
485 | 0, 0, |
486 | |
487 | 0, 0, |
488 | |
489 | 0, 0, |
490 | |
491 | 0, 0, |
492 | |
493 | pkey_mac_ctrl, |
494 | pkey_mac_ctrl_str |
495 | }; |
496 | |
497 | const EVP_PKEY_METHOD *cmac_pkey_method(void) |
498 | { |
499 | return &cmac_pkey_meth; |
500 | } |
501 | |
502 | static const EVP_PKEY_METHOD hmac_pkey_meth = { |
503 | EVP_PKEY_HMAC, |
504 | 0, |
505 | pkey_mac_init, |
506 | pkey_mac_copy, |
507 | pkey_mac_cleanup, |
508 | |
509 | 0, 0, |
510 | |
511 | 0, |
512 | pkey_mac_keygen, |
513 | |
514 | 0, 0, |
515 | |
516 | 0, 0, |
517 | |
518 | 0, 0, |
519 | |
520 | pkey_mac_signctx_init, |
521 | pkey_mac_signctx, |
522 | |
523 | 0, 0, |
524 | |
525 | 0, 0, |
526 | |
527 | 0, 0, |
528 | |
529 | 0, 0, |
530 | |
531 | pkey_mac_ctrl, |
532 | pkey_mac_ctrl_str |
533 | }; |
534 | |
535 | const EVP_PKEY_METHOD *hmac_pkey_method(void) |
536 | { |
537 | return &hmac_pkey_meth; |
538 | } |
539 | |
540 | static const EVP_PKEY_METHOD siphash_pkey_meth = { |
541 | EVP_PKEY_SIPHASH, |
542 | EVP_PKEY_FLAG_SIGCTX_CUSTOM, |
543 | pkey_mac_init, |
544 | pkey_mac_copy, |
545 | pkey_mac_cleanup, |
546 | |
547 | 0, 0, |
548 | |
549 | 0, |
550 | pkey_mac_keygen, |
551 | |
552 | 0, 0, |
553 | |
554 | 0, 0, |
555 | |
556 | 0, 0, |
557 | |
558 | pkey_mac_signctx_init, |
559 | pkey_mac_signctx, |
560 | |
561 | 0, 0, |
562 | |
563 | 0, 0, |
564 | |
565 | 0, 0, |
566 | |
567 | 0, 0, |
568 | |
569 | pkey_mac_ctrl, |
570 | pkey_mac_ctrl_str |
571 | }; |
572 | |
573 | const EVP_PKEY_METHOD *siphash_pkey_method(void) |
574 | { |
575 | return &siphash_pkey_meth; |
576 | } |
577 | |
578 | static const EVP_PKEY_METHOD poly1305_pkey_meth = { |
579 | EVP_PKEY_POLY1305, |
580 | EVP_PKEY_FLAG_SIGCTX_CUSTOM, |
581 | pkey_mac_init, |
582 | pkey_mac_copy, |
583 | pkey_mac_cleanup, |
584 | |
585 | 0, 0, |
586 | |
587 | 0, |
588 | pkey_mac_keygen, |
589 | |
590 | 0, 0, |
591 | |
592 | 0, 0, |
593 | |
594 | 0, 0, |
595 | |
596 | pkey_mac_signctx_init, |
597 | pkey_mac_signctx, |
598 | |
599 | 0, 0, |
600 | |
601 | 0, 0, |
602 | |
603 | 0, 0, |
604 | |
605 | 0, 0, |
606 | |
607 | pkey_mac_ctrl, |
608 | pkey_mac_ctrl_str |
609 | }; |
610 | |
611 | const EVP_PKEY_METHOD *poly1305_pkey_method(void) |
612 | { |
613 | return &poly1305_pkey_meth; |
614 | } |
615 | |