diff options
author | Nick Mathewson <nickm@torproject.org> | 2018-06-21 08:53:48 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2018-06-21 08:53:48 -0400 |
commit | 27e456cd72f33bff0e940a337877511ab7e5bb72 (patch) | |
tree | bf3d122d4510f574399ecda942f12f5d7f5afa09 | |
parent | 72a5ae8c667fac09a639c46a145c9612424ef301 (diff) | |
parent | 5af29fbb63eed3517e0d57a04072531347e64515 (diff) | |
download | tor-27e456cd72f33bff0e940a337877511ab7e5bb72.tar.gz tor-27e456cd72f33bff0e940a337877511ab7e5bb72.zip |
Merge remote-tracking branch 'rl1987/ticket19979_2'
-rw-r--r-- | changes/ticket19979 | 3 | ||||
-rw-r--r-- | src/common/crypto_hkdf.c | 97 | ||||
-rw-r--r-- | src/test/test_crypto.c | 9 |
3 files changed, 92 insertions, 17 deletions
diff --git a/changes/ticket19979 b/changes/ticket19979 new file mode 100644 index 0000000000..a6bf93f1a4 --- /dev/null +++ b/changes/ticket19979 @@ -0,0 +1,3 @@ + o Minor features (openssl): + - When possible, use RFC5869 HKDF implementation from OpenSSL. + Resolves ticket 19979. diff --git a/src/common/crypto_hkdf.c b/src/common/crypto_hkdf.c index 46c30bc72b..dd29c73cec 100644 --- a/src/common/crypto_hkdf.c +++ b/src/common/crypto_hkdf.c @@ -13,6 +13,14 @@ #include "common/crypto_util.h" #include "common/crypto_digest.h" +#include "crypto_openssl_mgt.h" +#include <openssl/opensslv.h> + +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) +#define HAVE_OPENSSL_HKDF 1 +#include <openssl/kdf.h> +#endif + /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b> * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of @@ -51,15 +59,56 @@ crypto_expand_key_material_TAP(const uint8_t *key_in, size_t key_in_len, return r; } -/** Expand some secret key material according to RFC5869, using SHA256 as the - * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the - * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the - * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt" - * and "info" parameters respectively. On success, write <b>key_out_len</b> - * bytes to <b>key_out</b> and return 0. Assert on failure. +#ifdef HAVE_OPENSSL_HKDF +/** + * Perform RFC5869 HKDF computation using OpenSSL (only to be called from + * crypto_expand_key_material_rfc5869_sha256_openssl). Note that OpenSSL + * requires input key to be nonempty and salt length to be equal or less + * than 1024. */ -int -crypto_expand_key_material_rfc5869_sha256( +static int +crypto_expand_key_material_rfc5869_sha256_openssl( + const uint8_t *key_in, size_t key_in_len, + const uint8_t *salt_in, size_t salt_in_len, + const uint8_t *info_in, size_t info_in_len, + uint8_t *key_out, size_t key_out_len) +{ + int r; + EVP_PKEY_CTX *evp_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + tor_assert(evp_pkey_ctx); + tor_assert(key_in_len != 0); + tor_assert(salt_in_len <= 1024); + + r = EVP_PKEY_derive_init(evp_pkey_ctx); + tor_assert(r == 1); + + r = EVP_PKEY_CTX_set_hkdf_md(evp_pkey_ctx, EVP_sha256()); + tor_assert(r == 1); + + r = EVP_PKEY_CTX_set1_hkdf_salt(evp_pkey_ctx, salt_in, (int)salt_in_len); + tor_assert(r == 1); + + r = EVP_PKEY_CTX_set1_hkdf_key(evp_pkey_ctx, key_in, (int)key_in_len); + tor_assert(r == 1); + + r = EVP_PKEY_CTX_add1_hkdf_info(evp_pkey_ctx, info_in, (int)info_in_len); + tor_assert(r == 1); + + r = EVP_PKEY_derive(evp_pkey_ctx, key_out, &key_out_len); + tor_assert(r == 1); + + EVP_PKEY_CTX_free(evp_pkey_ctx); + return 0; +} + +#else + +/** + * Perform RFC5869 HKDF computation using our own legacy implementation. + * Only to be called from crypto_expand_key_material_rfc5869_sha256_openssl. + */ +static int +crypto_expand_key_material_rfc5869_sha256_legacy( const uint8_t *key_in, size_t key_in_len, const uint8_t *salt_in, size_t salt_in_len, const uint8_t *info_in, size_t info_in_len, @@ -109,4 +158,36 @@ crypto_expand_key_material_rfc5869_sha256( memwipe(mac, 0, sizeof(mac)); return 0; } +#endif + +/** Expand some secret key material according to RFC5869, using SHA256 as the + * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the + * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the + * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt" + * and "info" parameters respectively. On success, write <b>key_out_len</b> + * bytes to <b>key_out</b> and return 0. Assert on failure. + */ +int +crypto_expand_key_material_rfc5869_sha256( + const uint8_t *key_in, size_t key_in_len, + const uint8_t *salt_in, size_t salt_in_len, + const uint8_t *info_in, size_t info_in_len, + uint8_t *key_out, size_t key_out_len) +{ + tor_assert(key_in); + tor_assert(key_in_len > 0); +#ifdef HAVE_OPENSSL_HKDF + return crypto_expand_key_material_rfc5869_sha256_openssl(key_in, + key_in_len, salt_in, + salt_in_len, info_in, + info_in_len, + key_out, key_out_len); +#else + return crypto_expand_key_material_rfc5869_sha256_legacy(key_in, + key_in_len, salt_in, + salt_in_len, info_in, + info_in_len, + key_out, key_out_len); +#endif +} diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index ed4c0b05f2..c580a1945c 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -1822,15 +1822,6 @@ test_crypto_hkdf_sha256(void *arg) key_material, 100) /* Test vectors generated with ntor_ref.py */ - memset(key_material, 0, sizeof(key_material)); - EXPAND(""); - tt_int_op(r, OP_EQ, 0); - test_memeq_hex(key_material, - "d3490ed48b12a48f9547861583573fe3f19aafe3f81dc7fc75" - "eeed96d741b3290f941576c1f9f0b2d463d1ec7ab2c6bf71cd" - "d7f826c6298c00dbfe6711635d7005f0269493edf6046cc7e7" - "dcf6abe0d20c77cf363e8ffe358927817a3d3e73712cee28d8"); - EXPAND("Tor"); tt_int_op(r, OP_EQ, 0); test_memeq_hex(key_material, |