Coverage Report

Created: 2026-02-22 06:11

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/openssl/providers/implementations/kdfs/sshkdf.c
Line
Count
Source
1
/*
2
 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <stdlib.h>
11
#include <stdarg.h>
12
#include <string.h>
13
#include <openssl/evp.h>
14
#include <openssl/kdf.h>
15
#include <openssl/core_names.h>
16
#include <openssl/proverr.h>
17
#include "internal/cryptlib.h"
18
#include "internal/fips.h"
19
#include "internal/numbers.h"
20
#include "crypto/evp.h"
21
#include "prov/provider_ctx.h"
22
#include "prov/providercommon.h"
23
#include "prov/implementations.h"
24
#include "prov/provider_util.h"
25
#include "prov/securitycheck.h"
26
#include "providers/implementations/kdfs/sshkdf.inc"
27
28
/* See RFC 4253, Section 7.2 */
29
static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
30
static OSSL_FUNC_kdf_dupctx_fn kdf_sshkdf_dup;
31
static OSSL_FUNC_kdf_freectx_fn kdf_sshkdf_free;
32
static OSSL_FUNC_kdf_reset_fn kdf_sshkdf_reset;
33
static OSSL_FUNC_kdf_derive_fn kdf_sshkdf_derive;
34
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_sshkdf_settable_ctx_params;
35
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_sshkdf_set_ctx_params;
36
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_sshkdf_gettable_ctx_params;
37
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_sshkdf_get_ctx_params;
38
39
static int SSHKDF(const EVP_MD *evp_md,
40
    const unsigned char *key, size_t key_len,
41
    const unsigned char *xcghash, size_t xcghash_len,
42
    const unsigned char *session_id, size_t session_id_len,
43
    char type, unsigned char *okey, size_t okey_len);
44
45
typedef struct {
46
    void *provctx;
47
    PROV_DIGEST digest;
48
    unsigned char *key; /* K */
49
    size_t key_len;
50
    unsigned char *xcghash; /* H */
51
    size_t xcghash_len;
52
    char type; /* X */
53
    unsigned char *session_id;
54
    size_t session_id_len;
55
    OSSL_FIPS_IND_DECLARE
56
} KDF_SSHKDF;
57
58
static void *kdf_sshkdf_new(void *provctx)
59
0
{
60
0
    KDF_SSHKDF *ctx;
61
62
0
    if (!ossl_prov_is_running())
63
0
        return NULL;
64
65
#ifdef FIPS_MODULE
66
    /*
67
     * Normally we'd want a call to ossl_deferred_self_test() here, but
68
     * according to FIPS 140-3 10.3.A Note18: SSH KDF is not required, since
69
     * it is sufficient to self-test the underlying SHA hash functions.
70
     * The underlying hash functions are implicitly tested when the hash is
71
     * instantiated, so we do not need to have an explicit test here.
72
     */
73
#endif
74
75
0
    if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) {
76
0
        ctx->provctx = provctx;
77
0
        OSSL_FIPS_IND_INIT(ctx)
78
0
    }
79
0
    return ctx;
80
0
}
81
82
static void kdf_sshkdf_free(void *vctx)
83
0
{
84
0
    KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
85
86
0
    if (ctx != NULL) {
87
0
        kdf_sshkdf_reset(ctx);
88
0
        OPENSSL_free(ctx);
89
0
    }
90
0
}
91
92
static void kdf_sshkdf_reset(void *vctx)
93
0
{
94
0
    KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
95
0
    void *provctx = ctx->provctx;
96
97
0
    ossl_prov_digest_reset(&ctx->digest);
98
0
    OPENSSL_clear_free(ctx->key, ctx->key_len);
99
0
    OPENSSL_clear_free(ctx->xcghash, ctx->xcghash_len);
100
0
    OPENSSL_clear_free(ctx->session_id, ctx->session_id_len);
101
0
    memset(ctx, 0, sizeof(*ctx));
102
0
    ctx->provctx = provctx;
103
0
}
104
105
static void *kdf_sshkdf_dup(void *vctx)
106
0
{
107
0
    const KDF_SSHKDF *src = (const KDF_SSHKDF *)vctx;
108
0
    KDF_SSHKDF *dest;
109
110
0
    dest = kdf_sshkdf_new(src->provctx);
111
0
    if (dest != NULL) {
112
0
        if (!ossl_prov_memdup(src->key, src->key_len,
113
0
                &dest->key, &dest->key_len)
114
0
            || !ossl_prov_memdup(src->xcghash, src->xcghash_len,
115
0
                &dest->xcghash, &dest->xcghash_len)
116
0
            || !ossl_prov_memdup(src->session_id, src->session_id_len,
117
0
                &dest->session_id, &dest->session_id_len)
118
0
            || !ossl_prov_digest_copy(&dest->digest, &src->digest))
119
0
            goto err;
120
0
        dest->type = src->type;
121
0
        OSSL_FIPS_IND_COPY(dest, src)
122
0
    }
123
0
    return dest;
124
125
0
err:
126
0
    kdf_sshkdf_free(dest);
127
0
    return NULL;
128
0
}
129
130
static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len,
131
    const OSSL_PARAM *p)
132
0
{
133
0
    OPENSSL_clear_free(*dst, *dst_len);
134
0
    *dst = NULL;
135
0
    *dst_len = 0;
136
0
    return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
137
0
}
138
139
#ifdef FIPS_MODULE
140
static int fips_digest_check_passed(KDF_SSHKDF *ctx, const EVP_MD *md)
141
{
142
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
143
    /*
144
     * Perform digest check
145
     *
146
     * According to NIST SP 800-135r1 section 5.2, the valid hash functions are
147
     * specified in FIPS 180-3. ACVP also only lists the same set of hash
148
     * functions.
149
     */
150
    int digest_unapproved = !EVP_MD_is_a(md, SN_sha1)
151
        && !EVP_MD_is_a(md, SN_sha224)
152
        && !EVP_MD_is_a(md, SN_sha256)
153
        && !EVP_MD_is_a(md, SN_sha384)
154
        && !EVP_MD_is_a(md, SN_sha512);
155
156
    if (digest_unapproved) {
157
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
158
                libctx, "SSHKDF", "Digest",
159
                ossl_fips_config_sshkdf_digest_check)) {
160
            ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
161
            return 0;
162
        }
163
    }
164
    return 1;
165
}
166
167
static int fips_key_check_passed(KDF_SSHKDF *ctx)
168
{
169
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
170
    int key_approved = ossl_kdf_check_key_size(ctx->key_len);
171
172
    if (!key_approved) {
173
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
174
                libctx, "SSHKDF", "Key size",
175
                ossl_fips_config_sshkdf_key_check)) {
176
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
177
            return 0;
178
        }
179
    }
180
    return 1;
181
}
182
#endif
183
184
static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
185
    const OSSL_PARAM params[])
186
0
{
187
0
    KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
188
0
    const EVP_MD *md;
189
190
0
    if (!ossl_prov_is_running() || !kdf_sshkdf_set_ctx_params(ctx, params))
191
0
        return 0;
192
193
0
    md = ossl_prov_digest_md(&ctx->digest);
194
0
    if (md == NULL) {
195
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
196
0
        return 0;
197
0
    }
198
0
    if (ctx->key == NULL) {
199
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
200
0
        return 0;
201
0
    }
202
0
    if (ctx->xcghash == NULL) {
203
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_XCGHASH);
204
0
        return 0;
205
0
    }
206
0
    if (ctx->session_id == NULL) {
207
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SESSION_ID);
208
0
        return 0;
209
0
    }
210
0
    if (ctx->type == 0) {
211
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
212
0
        return 0;
213
0
    }
214
215
0
    return SSHKDF(md, ctx->key, ctx->key_len,
216
0
        ctx->xcghash, ctx->xcghash_len,
217
0
        ctx->session_id, ctx->session_id_len,
218
0
        ctx->type, key, keylen);
219
0
}
220
221
static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
222
0
{
223
0
    struct sshkdf_set_ctx_params_st p;
224
0
    KDF_SSHKDF *ctx = vctx;
225
0
    OSSL_LIB_CTX *provctx;
226
227
0
    if (ctx == NULL || !sshkdf_set_ctx_params_decoder(params, &p))
228
0
        return 0;
229
230
0
    provctx = PROV_LIBCTX_OF(ctx->provctx);
231
232
0
    if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, p.ind_d))
233
0
        return 0;
234
0
    if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, p.ind_k))
235
0
        return 0;
236
237
0
    if (p.digest != NULL) {
238
0
        const EVP_MD *md = NULL;
239
240
0
        if (!ossl_prov_digest_load(&ctx->digest, p.digest, p.propq, provctx))
241
0
            return 0;
242
243
0
        md = ossl_prov_digest_md(&ctx->digest);
244
0
        if (EVP_MD_xof(md)) {
245
0
            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
246
0
            return 0;
247
0
        }
248
249
#ifdef FIPS_MODULE
250
        if (!fips_digest_check_passed(ctx, md))
251
            return 0;
252
#endif
253
0
    }
254
255
0
    if (p.key != NULL) {
256
0
        if (!sshkdf_set_membuf(&ctx->key, &ctx->key_len, p.key))
257
0
            return 0;
258
259
#ifdef FIPS_MODULE
260
        if (!fips_key_check_passed(ctx))
261
            return 0;
262
#endif
263
0
    }
264
265
0
    if (p.xcg != NULL
266
0
        && !sshkdf_set_membuf(&ctx->xcghash, &ctx->xcghash_len, p.xcg))
267
0
        return 0;
268
269
0
    if (p.sid != NULL
270
0
        && !sshkdf_set_membuf(&ctx->session_id, &ctx->session_id_len, p.sid))
271
0
        return 0;
272
273
0
    if (p.type != NULL) {
274
0
        const char *kdftype;
275
276
0
        if (!OSSL_PARAM_get_utf8_string_ptr(p.type, &kdftype))
277
0
            return 0;
278
        /* Expect one character (byte in this case) */
279
0
        if (kdftype == NULL || p.type->data_size != 1)
280
0
            return 0;
281
0
        if (kdftype[0] < 65 || kdftype[0] > 70) {
282
0
            ERR_raise(ERR_LIB_PROV, PROV_R_VALUE_ERROR);
283
0
            return 0;
284
0
        }
285
0
        ctx->type = kdftype[0];
286
0
    }
287
0
    return 1;
288
0
}
289
290
static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
291
    ossl_unused void *p_ctx)
292
0
{
293
0
    return sshkdf_set_ctx_params_list;
294
0
}
295
296
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
297
0
{
298
0
    KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
299
0
    struct sshkdf_get_ctx_params_st p;
300
301
0
    if (ctx == NULL || !sshkdf_get_ctx_params_decoder(params, &p))
302
0
        return 0;
303
304
0
    if (p.size != NULL && !OSSL_PARAM_set_size_t(p.size, SIZE_MAX))
305
0
        return 0;
306
307
0
    if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(ctx, p.ind))
308
0
        return 0;
309
0
    return 1;
310
0
}
311
312
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
313
    ossl_unused void *p_ctx)
314
0
{
315
0
    return sshkdf_get_ctx_params_list;
316
0
}
317
318
const OSSL_DISPATCH ossl_kdf_sshkdf_functions[] = {
319
    { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))kdf_sshkdf_new },
320
    { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))kdf_sshkdf_dup },
321
    { OSSL_FUNC_KDF_FREECTX, (void (*)(void))kdf_sshkdf_free },
322
    { OSSL_FUNC_KDF_RESET, (void (*)(void))kdf_sshkdf_reset },
323
    { OSSL_FUNC_KDF_DERIVE, (void (*)(void))kdf_sshkdf_derive },
324
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
325
        (void (*)(void))kdf_sshkdf_settable_ctx_params },
326
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void (*)(void))kdf_sshkdf_set_ctx_params },
327
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
328
        (void (*)(void))kdf_sshkdf_gettable_ctx_params },
329
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void (*)(void))kdf_sshkdf_get_ctx_params },
330
    OSSL_DISPATCH_END
331
};
332
333
static int SSHKDF(const EVP_MD *evp_md,
334
    const unsigned char *key, size_t key_len,
335
    const unsigned char *xcghash, size_t xcghash_len,
336
    const unsigned char *session_id, size_t session_id_len,
337
    char type, unsigned char *okey, size_t okey_len)
338
0
{
339
0
    EVP_MD_CTX *md = NULL;
340
0
    unsigned char digest[EVP_MAX_MD_SIZE];
341
0
    unsigned int dsize = 0;
342
0
    size_t cursize = 0;
343
0
    int ret = 0;
344
345
0
    md = EVP_MD_CTX_new();
346
0
    if (md == NULL)
347
0
        return 0;
348
349
0
    if (!EVP_DigestInit_ex(md, evp_md, NULL))
350
0
        goto out;
351
352
0
    if (!EVP_DigestUpdate(md, key, key_len))
353
0
        goto out;
354
355
0
    if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
356
0
        goto out;
357
358
0
    if (!EVP_DigestUpdate(md, &type, 1))
359
0
        goto out;
360
361
0
    if (!EVP_DigestUpdate(md, session_id, session_id_len))
362
0
        goto out;
363
364
0
    if (!EVP_DigestFinal_ex(md, digest, &dsize))
365
0
        goto out;
366
367
0
    if (okey_len < dsize) {
368
0
        memcpy(okey, digest, okey_len);
369
0
        ret = 1;
370
0
        goto out;
371
0
    }
372
373
0
    memcpy(okey, digest, dsize);
374
375
0
    for (cursize = dsize; cursize < okey_len; cursize += dsize) {
376
377
0
        if (!EVP_DigestInit_ex(md, evp_md, NULL))
378
0
            goto out;
379
380
0
        if (!EVP_DigestUpdate(md, key, key_len))
381
0
            goto out;
382
383
0
        if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
384
0
            goto out;
385
386
0
        if (!EVP_DigestUpdate(md, okey, cursize))
387
0
            goto out;
388
389
0
        if (!EVP_DigestFinal_ex(md, digest, &dsize))
390
0
            goto out;
391
392
0
        if (okey_len < cursize + dsize) {
393
0
            memcpy(okey + cursize, digest, okey_len - cursize);
394
0
            ret = 1;
395
0
            goto out;
396
0
        }
397
398
0
        memcpy(okey + cursize, digest, dsize);
399
0
    }
400
401
0
    ret = 1;
402
403
0
out:
404
0
    EVP_MD_CTX_free(md);
405
0
    OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE);
406
0
    return ret;
407
0
}