Added new EVP/KDF API.

Changed PKEY/KDF API to call the new API. Added wrappers for PKCS5_PBKDF2_HMAC() and EVP_PBE_scrypt() to call the new EVP KDF APIs. Documentation updated. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #6674)
openssl · Feb 13, 2019 · 5a285ad · 5a285ad
1 parent e0ae058
commit 5a285ad
Show file tree

Hide file tree

Showing 40 changed files with 3,211 additions and 809 deletions.
diff --git a/CHANGES b/CHANGES
@@ -9,6 +9,13 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
 
+  *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
+     implementations.  This includes an EVP_PKEY to EVP_KDF bridge for
+     those algorithms that were already supported through the EVP_PKEY API
+     (scrypt, TLS1 PRF and HKDF).  The low-level KDF functions for PBKDF2
+     and scrypt are now wrappers that call EVP_KDF.
+     [David Makepeace]
+
   *) Build devcrypto engine as a dynamic engine.
      [Eneas U de Queiroz]
 

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
@@ -753,6 +753,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestInit_ex
 EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
 EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
 EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
+EVP_F_EVP_KDF_CTRL:224:EVP_KDF_ctrl
+EVP_F_EVP_KDF_CTRL_STR:225:EVP_KDF_ctrl_str
+EVP_F_EVP_KDF_CTX_NEW_ID:226:EVP_KDF_CTX_new_id
 EVP_F_EVP_MAC_CTRL:209:EVP_MAC_ctrl
 EVP_F_EVP_MAC_CTRL_STR:210:EVP_MAC_ctrl_str
 EVP_F_EVP_MAC_CTX_COPY:211:EVP_MAC_CTX_copy
@@ -823,14 +826,33 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_keyivgen
 EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
 EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
 EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
+EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl
 EVP_F_PKEY_MAC_INIT:214:pkey_mac_init
 EVP_F_PKEY_SET_TYPE:158:pkey_set_type
 EVP_F_POLY1305_CTRL:216:poly1305_ctrl
 EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
 EVP_F_RC5_CTRL:125:rc5_ctrl
 EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
 EVP_F_S390X_AES_GCM_TLS_CIPHER:208:s390x_aes_gcm_tls_cipher
+EVP_F_SCRYPT_ALG:228:scrypt_alg
 EVP_F_UPDATE:173:update
+KDF_F_HKDF_EXTRACT:112:HKDF_Extract
+KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
+KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
+KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
+KDF_F_KDF_MD2CTRL:116:kdf_md2ctrl
+KDF_F_KDF_PBKDF2_CTRL_STR:117:kdf_pbkdf2_ctrl_str
+KDF_F_KDF_PBKDF2_DERIVE:118:kdf_pbkdf2_derive
+KDF_F_KDF_PBKDF2_NEW:119:kdf_pbkdf2_new
+KDF_F_KDF_SCRYPT_CTRL_STR:120:kdf_scrypt_ctrl_str
+KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint32
+KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64
+KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive
+KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new
+KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
+KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
+KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
+KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf
 KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
 KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
 KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
@@ -842,6 +864,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_scrypt_set_membuf
 KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
 KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
 KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
+KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf
 KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
 OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
 OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
@@ -2284,6 +2307,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
 EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
 	operation not supported for this keytype
 EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
+EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
 EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
 EVP_R_PBKDF2_ERROR:181:pbkdf2 error
 EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed
 KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
 KDF_R_VALUE_ERROR:108:value error
 KDF_R_VALUE_MISSING:102:value missing
+KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
 OBJ_R_OID_EXISTS:102:oid exists
 OBJ_R_UNKNOWN_NID:101:unknown nid
 OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error

diff --git a/crypto/evp/build.info b/crypto/evp/build.info
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
         p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
         bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
         c_allc.c c_alld.c evp_lib.c bio_ok.c \
-        evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
+        evp_pkey.c kdf_lib.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
+        pkey_kdf.c \
         e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
         e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
         e_chacha20_poly1305.c cmeth_lib.c \

diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
@@ -14,8 +14,8 @@
 
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "evp_locl.h"
 # include "internal/evp_int.h"
+# include "evp_locl.h"
 # include "internal/chacha.h"
 
 typedef struct {

diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
@@ -11,8 +11,8 @@
 #include <limits.h>
 #include "internal/cryptlib.h"
 #include <openssl/evp.h>
-#include "evp_locl.h"
 #include "internal/evp_int.h"
+#include "evp_locl.h"
 
 static unsigned char conv_ascii2bin(unsigned char a,
                                     const unsigned char *table);

diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
      "EVP_EncryptFinal_ex"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL, 0), "EVP_KDF_ctrl"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL_STR, 0), "EVP_KDF_ctrl_str"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTX_NEW_ID, 0), "EVP_KDF_CTX_new_id"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MAC_CTRL, 0), "EVP_MAC_ctrl"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MAC_CTRL_STR, 0), "EVP_MAC_ctrl_str"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MAC_CTX_COPY, 0), "EVP_MAC_CTX_copy"},
@@ -159,6 +162,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
      "PKCS5_v2_PBKDF2_keyivgen"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
      "PKCS5_v2_scrypt_keyivgen"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_KDF_CTRL, 0), "pkey_kdf_ctrl"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_MAC_INIT, 0), "pkey_mac_init"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_POLY1305_CTRL, 0), "poly1305_ctrl"},
@@ -167,6 +171,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
     {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_TLS_CIPHER, 0),
      "s390x_aes_gcm_tls_cipher"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
     {0, NULL}
 };
@@ -254,6 +259,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     "operation not supported for this keytype"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
     "operaton not initialized"},
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
+    "parameter too large"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
     "partially overlapping buffers"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},

diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
@@ -46,6 +46,11 @@ struct evp_mac_ctx_st {
     void *data;                  /* Individual method data */
 } /* EVP_MAC_CTX */;
 
+struct evp_kdf_ctx_st {
+    const EVP_KDF_METHOD *kmeth;
+    EVP_KDF_IMPL *impl;          /* Algorithm-specific data */
+} /* EVP_KDF_CTX */ ;
+
 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
                              int passlen, ASN1_TYPE *param,
                              const EVP_CIPHER *c, const EVP_MD *md,

diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
@@ -12,6 +12,7 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
+#include "internal/evp_int.h"
 #include "evp_locl.h"
 
 /* Password based encryption (PBE) functions */

diff --git a/crypto/evp/kdf_lib.c b/crypto/evp/kdf_lib.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "internal/cryptlib.h"
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/x509v3.h>
+#include <openssl/kdf.h>
+#include "internal/asn1_int.h"
+#include "internal/evp_int.h"
+#include "internal/numbers.h"
+#include "evp_locl.h"
+
+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
+
+/* This array needs to be in order of NIDs */
+static const EVP_KDF_METHOD *standard_methods[] = {
+    &pbkdf2_kdf_meth,
+#ifndef OPENSSL_NO_SCRYPT
+    &scrypt_kdf_meth,
+#endif
+    &tls1_prf_kdf_meth,
+    &hkdf_kdf_meth
+};
+
+DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
+                           kmeth);
+
+static int kmeth_cmp(const EVP_KDF_METHOD *const *a,
+                     const EVP_KDF_METHOD *const *b)
+{
+    return ((*a)->type - (*b)->type);
+}
+
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
+                             kmeth);
+
+static const EVP_KDF_METHOD *kdf_meth_find(int type)
+{
+    EVP_KDF_METHOD tmp;
+    const EVP_KDF_METHOD *t = &tmp, **ret;
+
+    tmp.type = type;
+    ret = OBJ_bsearch_kmeth(&t, standard_methods,
+                            OSSL_NELEM(standard_methods));
+    if (ret == NULL || *ret == NULL)
+        return NULL;
+
+    return *ret;
+}
+
+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id)
+{
+    EVP_KDF_CTX *ret;
+    const EVP_KDF_METHOD *kmeth;
+
+    kmeth = kdf_meth_find(id);
+    if (kmeth == NULL) {
+        EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, EVP_R_UNSUPPORTED_ALGORITHM);
+        return NULL;
+    }
+
+    ret = OPENSSL_zalloc(sizeof(*ret));
+    if (ret == NULL) {
+        EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+
+    if (kmeth->new != NULL && (ret->impl = kmeth->new()) == NULL) {
+        EVP_KDF_CTX_free(ret);
+        return NULL;
+    }
+
+    ret->kmeth = kmeth;
+    return ret;
+}
+
+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx)
+{
+    if (ctx == NULL)
+        return;
+
+    ctx->kmeth->free(ctx->impl);
+    OPENSSL_free(ctx);
+}
+
+void EVP_KDF_reset(EVP_KDF_CTX *ctx)
+{
+    if (ctx == NULL)
+        return;
+
+    if (ctx->kmeth->reset != NULL)
+        ctx->kmeth->reset(ctx->impl);
+}
+
+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...)
+{
+    int ret;
+    va_list args;
+
+    va_start(args, cmd);
+    ret = EVP_KDF_vctrl(ctx, cmd, args);
+    va_end(args);
+
+    if (ret == -2)
+        EVPerr(EVP_F_EVP_KDF_CTRL, EVP_R_COMMAND_NOT_SUPPORTED);
+
+    return ret;
+}
+
+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args)
+{
+    if (ctx == NULL)
+        return 0;
+
+    return ctx->kmeth->ctrl(ctx->impl, cmd, args);
+}
+
+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value)
+{
+    int ret;
+
+    if (ctx == NULL)
+        return 0;
+
+    if (ctx->kmeth->ctrl_str == NULL) {
+        EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
+        return -2;
+    }
+
+    ret = ctx->kmeth->ctrl_str(ctx->impl, type, value);
+    if (ret == -2)
+        EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
+
+    return ret;
+}
+
+size_t EVP_KDF_size(EVP_KDF_CTX *ctx)
+{
+    if (ctx == NULL)
+        return 0;
+
+    if (ctx->kmeth->size == NULL)
+        return SIZE_MAX;
+
+    return ctx->kmeth->size(ctx->impl);
+}
+
+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen)
+{
+    if (ctx == NULL)
+        return 0;
+
+    return ctx->kmeth->derive(ctx->impl, key, keylen);
+}
+