1 /* Copyright (c) 2020, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/hpke.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/bytestring.h>
22 #include <openssl/curve25519.h>
23 #include <openssl/digest.h>
24 #include <openssl/err.h>
25 #include <openssl/evp_errors.h>
26 #include <openssl/hkdf.h>
27 #include <openssl/rand.h>
28 #include <openssl/sha.h>
29
30 #include "../internal.h"
31
32
33 // This file implements RFC 9180.
34
35 #define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN
36 #define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH
37
38 struct evp_hpke_kem_st {
39 uint16_t id;
40 size_t public_key_len;
41 size_t private_key_len;
42 size_t seed_len;
43 size_t enc_len;
44 int (*init_key)(EVP_HPKE_KEY *key, const uint8_t *priv_key,
45 size_t priv_key_len);
46 int (*generate_key)(EVP_HPKE_KEY *key);
47 int (*encap_with_seed)(const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
48 size_t *out_shared_secret_len, uint8_t *out_enc,
49 size_t *out_enc_len, size_t max_enc,
50 const uint8_t *peer_public_key,
51 size_t peer_public_key_len, const uint8_t *seed,
52 size_t seed_len);
53 int (*decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
54 size_t *out_shared_secret_len, const uint8_t *enc,
55 size_t enc_len);
56 int (*auth_encap_with_seed)(const EVP_HPKE_KEY *key,
57 uint8_t *out_shared_secret,
58 size_t *out_shared_secret_len, uint8_t *out_enc,
59 size_t *out_enc_len, size_t max_enc,
60 const uint8_t *peer_public_key,
61 size_t peer_public_key_len, const uint8_t *seed,
62 size_t seed_len);
63 int (*auth_decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
64 size_t *out_shared_secret_len, const uint8_t *enc,
65 size_t enc_len, const uint8_t *peer_public_key,
66 size_t peer_public_key_len);
67 };
68
69 struct evp_hpke_kdf_st {
70 uint16_t id;
71 // We only support HKDF-based KDFs.
72 const EVP_MD *(*hkdf_md_func)(void);
73 };
74
75 struct evp_hpke_aead_st {
76 uint16_t id;
77 const EVP_AEAD *(*aead_func)(void);
78 };
79
80
81 // Low-level labeled KDF functions.
82
83 static const char kHpkeVersionId[] = "HPKE-v1";
84
add_label_string(CBB * cbb,const char * label)85 static int add_label_string(CBB *cbb, const char *label) {
86 return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));
87 }
88
hpke_labeled_extract(const EVP_MD * hkdf_md,uint8_t * out_key,size_t * out_len,const uint8_t * salt,size_t salt_len,const uint8_t * suite_id,size_t suite_id_len,const char * label,const uint8_t * ikm,size_t ikm_len)89 static int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,
90 size_t *out_len, const uint8_t *salt,
91 size_t salt_len, const uint8_t *suite_id,
92 size_t suite_id_len, const char *label,
93 const uint8_t *ikm, size_t ikm_len) {
94 // labeledIKM = concat("HPKE-v1", suite_id, label, IKM)
95 CBB labeled_ikm;
96 int ok = CBB_init(&labeled_ikm, 0) &&
97 add_label_string(&labeled_ikm, kHpkeVersionId) &&
98 CBB_add_bytes(&labeled_ikm, suite_id, suite_id_len) &&
99 add_label_string(&labeled_ikm, label) &&
100 CBB_add_bytes(&labeled_ikm, ikm, ikm_len) &&
101 HKDF_extract(out_key, out_len, hkdf_md, CBB_data(&labeled_ikm),
102 CBB_len(&labeled_ikm), salt, salt_len);
103 CBB_cleanup(&labeled_ikm);
104 return ok;
105 }
106
hpke_labeled_expand(const EVP_MD * hkdf_md,uint8_t * out_key,size_t out_len,const uint8_t * prk,size_t prk_len,const uint8_t * suite_id,size_t suite_id_len,const char * label,const uint8_t * info,size_t info_len)107 static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
108 size_t out_len, const uint8_t *prk,
109 size_t prk_len, const uint8_t *suite_id,
110 size_t suite_id_len, const char *label,
111 const uint8_t *info, size_t info_len) {
112 // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
113 CBB labeled_info;
114 int ok = CBB_init(&labeled_info, 0) &&
115 CBB_add_u16(&labeled_info, out_len) &&
116 add_label_string(&labeled_info, kHpkeVersionId) &&
117 CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
118 add_label_string(&labeled_info, label) &&
119 CBB_add_bytes(&labeled_info, info, info_len) &&
120 HKDF_expand(out_key, out_len, hkdf_md, prk, prk_len,
121 CBB_data(&labeled_info), CBB_len(&labeled_info));
122 CBB_cleanup(&labeled_info);
123 return ok;
124 }
125
126
127 // KEM implementations.
128
129 // dhkem_extract_and_expand implements the ExtractAndExpand operation in the
130 // DHKEM construction. See section 4.1 of RFC 9180.
dhkem_extract_and_expand(uint16_t kem_id,const EVP_MD * hkdf_md,uint8_t * out_key,size_t out_len,const uint8_t * dh,size_t dh_len,const uint8_t * kem_context,size_t kem_context_len)131 static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
132 uint8_t *out_key, size_t out_len,
133 const uint8_t *dh, size_t dh_len,
134 const uint8_t *kem_context,
135 size_t kem_context_len) {
136 // concat("KEM", I2OSP(kem_id, 2))
137 uint8_t suite_id[5] = {'K', 'E', 'M', kem_id >> 8, kem_id & 0xff};
138 uint8_t prk[EVP_MAX_MD_SIZE];
139 size_t prk_len;
140 return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
141 sizeof(suite_id), "eae_prk", dh, dh_len) &&
142 hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len, suite_id,
143 sizeof(suite_id), "shared_secret", kem_context,
144 kem_context_len);
145 }
146
x25519_init_key(EVP_HPKE_KEY * key,const uint8_t * priv_key,size_t priv_key_len)147 static int x25519_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
148 size_t priv_key_len) {
149 if (priv_key_len != X25519_PRIVATE_KEY_LEN) {
150 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
151 return 0;
152 }
153
154 OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);
155 X25519_public_from_private(key->public_key, priv_key);
156 return 1;
157 }
158
x25519_generate_key(EVP_HPKE_KEY * key)159 static int x25519_generate_key(EVP_HPKE_KEY *key) {
160 X25519_keypair(key->public_key, key->private_key);
161 return 1;
162 }
163
x25519_encap_with_seed(const EVP_HPKE_KEM * kem,uint8_t * out_shared_secret,size_t * out_shared_secret_len,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * seed,size_t seed_len)164 static int x25519_encap_with_seed(
165 const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
166 size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
167 size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
168 const uint8_t *seed, size_t seed_len) {
169 if (max_enc < X25519_PUBLIC_VALUE_LEN) {
170 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
171 return 0;
172 }
173 if (seed_len != X25519_PRIVATE_KEY_LEN) {
174 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
175 return 0;
176 }
177 X25519_public_from_private(out_enc, seed);
178
179 uint8_t dh[X25519_SHARED_KEY_LEN];
180 if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
181 !X25519(dh, seed, peer_public_key)) {
182 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
183 return 0;
184 }
185
186 uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
187 OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);
188 OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,
189 X25519_PUBLIC_VALUE_LEN);
190 if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,
191 SHA256_DIGEST_LENGTH, dh, sizeof(dh),
192 kem_context, sizeof(kem_context))) {
193 return 0;
194 }
195
196 *out_enc_len = X25519_PUBLIC_VALUE_LEN;
197 *out_shared_secret_len = SHA256_DIGEST_LENGTH;
198 return 1;
199 }
200
x25519_decap(const EVP_HPKE_KEY * key,uint8_t * out_shared_secret,size_t * out_shared_secret_len,const uint8_t * enc,size_t enc_len)201 static int x25519_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
202 size_t *out_shared_secret_len, const uint8_t *enc,
203 size_t enc_len) {
204 uint8_t dh[X25519_SHARED_KEY_LEN];
205 if (enc_len != X25519_PUBLIC_VALUE_LEN ||
206 !X25519(dh, key->private_key, enc)) {
207 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
208 return 0;
209 }
210
211 uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
212 OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
213 OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,
214 X25519_PUBLIC_VALUE_LEN);
215 if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
216 SHA256_DIGEST_LENGTH, dh, sizeof(dh),
217 kem_context, sizeof(kem_context))) {
218 return 0;
219 }
220
221 *out_shared_secret_len = SHA256_DIGEST_LENGTH;
222 return 1;
223 }
224
x25519_auth_encap_with_seed(const EVP_HPKE_KEY * key,uint8_t * out_shared_secret,size_t * out_shared_secret_len,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * seed,size_t seed_len)225 static int x25519_auth_encap_with_seed(
226 const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
227 size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
228 size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
229 const uint8_t *seed, size_t seed_len) {
230 if (max_enc < X25519_PUBLIC_VALUE_LEN) {
231 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
232 return 0;
233 }
234 if (seed_len != X25519_PRIVATE_KEY_LEN) {
235 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
236 return 0;
237 }
238 X25519_public_from_private(out_enc, seed);
239
240 uint8_t dh[2 * X25519_SHARED_KEY_LEN];
241 if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
242 !X25519(dh, seed, peer_public_key) ||
243 !X25519(dh + X25519_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
244 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
245 return 0;
246 }
247
248 uint8_t kem_context[3 * X25519_PUBLIC_VALUE_LEN];
249 OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);
250 OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,
251 X25519_PUBLIC_VALUE_LEN);
252 OPENSSL_memcpy(kem_context + 2 * X25519_PUBLIC_VALUE_LEN, key->public_key,
253 X25519_PUBLIC_VALUE_LEN);
254 if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
255 SHA256_DIGEST_LENGTH, dh, sizeof(dh),
256 kem_context, sizeof(kem_context))) {
257 return 0;
258 }
259
260 *out_enc_len = X25519_PUBLIC_VALUE_LEN;
261 *out_shared_secret_len = SHA256_DIGEST_LENGTH;
262 return 1;
263 }
264
x25519_auth_decap(const EVP_HPKE_KEY * key,uint8_t * out_shared_secret,size_t * out_shared_secret_len,const uint8_t * enc,size_t enc_len,const uint8_t * peer_public_key,size_t peer_public_key_len)265 static int x25519_auth_decap(const EVP_HPKE_KEY *key,
266 uint8_t *out_shared_secret,
267 size_t *out_shared_secret_len, const uint8_t *enc,
268 size_t enc_len, const uint8_t *peer_public_key,
269 size_t peer_public_key_len) {
270 uint8_t dh[2 * X25519_SHARED_KEY_LEN];
271 if (enc_len != X25519_PUBLIC_VALUE_LEN ||
272 peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
273 !X25519(dh, key->private_key, enc) ||
274 !X25519(dh + X25519_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
275 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
276 return 0;
277 }
278
279 uint8_t kem_context[3 * X25519_PUBLIC_VALUE_LEN];
280 OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
281 OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,
282 X25519_PUBLIC_VALUE_LEN);
283 OPENSSL_memcpy(kem_context + 2 * X25519_PUBLIC_VALUE_LEN, peer_public_key,
284 X25519_PUBLIC_VALUE_LEN);
285 if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
286 SHA256_DIGEST_LENGTH, dh, sizeof(dh),
287 kem_context, sizeof(kem_context))) {
288 return 0;
289 }
290
291 *out_shared_secret_len = SHA256_DIGEST_LENGTH;
292 return 1;
293 }
294
EVP_hpke_x25519_hkdf_sha256(void)295 const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
296 static const EVP_HPKE_KEM kKEM = {
297 /*id=*/EVP_HPKE_DHKEM_X25519_HKDF_SHA256,
298 /*public_key_len=*/X25519_PUBLIC_VALUE_LEN,
299 /*private_key_len=*/X25519_PRIVATE_KEY_LEN,
300 /*seed_len=*/X25519_PRIVATE_KEY_LEN,
301 /*enc_len=*/X25519_PUBLIC_VALUE_LEN,
302 x25519_init_key,
303 x25519_generate_key,
304 x25519_encap_with_seed,
305 x25519_decap,
306 x25519_auth_encap_with_seed,
307 x25519_auth_decap,
308 };
309 return &kKEM;
310 }
311
EVP_HPKE_KEM_id(const EVP_HPKE_KEM * kem)312 uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }
313
EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM * kem)314 size_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem) {
315 return kem->public_key_len;
316 }
317
EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM * kem)318 size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem) {
319 return kem->private_key_len;
320 }
321
EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM * kem)322 size_t EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM *kem) { return kem->enc_len; }
323
EVP_HPKE_KEY_zero(EVP_HPKE_KEY * key)324 void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key) {
325 OPENSSL_memset(key, 0, sizeof(EVP_HPKE_KEY));
326 }
327
EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY * key)328 void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key) {
329 // Nothing to clean up for now, but we may introduce a cleanup process in the
330 // future.
331 }
332
EVP_HPKE_KEY_new(void)333 EVP_HPKE_KEY *EVP_HPKE_KEY_new(void) {
334 EVP_HPKE_KEY *key = OPENSSL_malloc(sizeof(EVP_HPKE_KEY));
335 if (key == NULL) {
336 return NULL;
337 }
338 EVP_HPKE_KEY_zero(key);
339 return key;
340 }
341
EVP_HPKE_KEY_free(EVP_HPKE_KEY * key)342 void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key) {
343 if (key != NULL) {
344 EVP_HPKE_KEY_cleanup(key);
345 OPENSSL_free(key);
346 }
347 }
348
EVP_HPKE_KEY_copy(EVP_HPKE_KEY * dst,const EVP_HPKE_KEY * src)349 int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {
350 // For now, |EVP_HPKE_KEY| is trivially copyable.
351 OPENSSL_memcpy(dst, src, sizeof(EVP_HPKE_KEY));
352 return 1;
353 }
354
EVP_HPKE_KEY_move(EVP_HPKE_KEY * out,EVP_HPKE_KEY * in)355 void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) {
356 EVP_HPKE_KEY_cleanup(out);
357 // For now, |EVP_HPKE_KEY| is trivially movable.
358 // Note that Rust may move this structure. See
359 // bssl-crypto/src/scoped.rs:EvpHpkeKey.
360 OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY));
361 EVP_HPKE_KEY_zero(in);
362 }
363
EVP_HPKE_KEY_init(EVP_HPKE_KEY * key,const EVP_HPKE_KEM * kem,const uint8_t * priv_key,size_t priv_key_len)364 int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,
365 const uint8_t *priv_key, size_t priv_key_len) {
366 EVP_HPKE_KEY_zero(key);
367 key->kem = kem;
368 if (!kem->init_key(key, priv_key, priv_key_len)) {
369 key->kem = NULL;
370 return 0;
371 }
372 return 1;
373 }
374
EVP_HPKE_KEY_generate(EVP_HPKE_KEY * key,const EVP_HPKE_KEM * kem)375 int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem) {
376 EVP_HPKE_KEY_zero(key);
377 key->kem = kem;
378 if (!kem->generate_key(key)) {
379 key->kem = NULL;
380 return 0;
381 }
382 return 1;
383 }
384
EVP_HPKE_KEY_kem(const EVP_HPKE_KEY * key)385 const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key) {
386 return key->kem;
387 }
388
EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY * key,uint8_t * out,size_t * out_len,size_t max_out)389 int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
390 size_t *out_len, size_t max_out) {
391 if (max_out < key->kem->public_key_len) {
392 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
393 return 0;
394 }
395 OPENSSL_memcpy(out, key->public_key, key->kem->public_key_len);
396 *out_len = key->kem->public_key_len;
397 return 1;
398 }
399
EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY * key,uint8_t * out,size_t * out_len,size_t max_out)400 int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
401 size_t *out_len, size_t max_out) {
402 if (max_out < key->kem->private_key_len) {
403 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
404 return 0;
405 }
406 OPENSSL_memcpy(out, key->private_key, key->kem->private_key_len);
407 *out_len = key->kem->private_key_len;
408 return 1;
409 }
410
411
412 // Supported KDFs and AEADs.
413
EVP_hpke_hkdf_sha256(void)414 const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void) {
415 static const EVP_HPKE_KDF kKDF = {EVP_HPKE_HKDF_SHA256, &EVP_sha256};
416 return &kKDF;
417 }
418
EVP_HPKE_KDF_id(const EVP_HPKE_KDF * kdf)419 uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf) { return kdf->id; }
420
EVP_HPKE_KDF_hkdf_md(const EVP_HPKE_KDF * kdf)421 const EVP_MD *EVP_HPKE_KDF_hkdf_md(const EVP_HPKE_KDF *kdf) {
422 return kdf->hkdf_md_func();
423 }
424
EVP_hpke_aes_128_gcm(void)425 const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void) {
426 static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_128_GCM,
427 &EVP_aead_aes_128_gcm};
428 return &kAEAD;
429 }
430
EVP_hpke_aes_256_gcm(void)431 const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void) {
432 static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_256_GCM,
433 &EVP_aead_aes_256_gcm};
434 return &kAEAD;
435 }
436
EVP_hpke_chacha20_poly1305(void)437 const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void) {
438 static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_CHACHA20_POLY1305,
439 &EVP_aead_chacha20_poly1305};
440 return &kAEAD;
441 }
442
EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD * aead)443 uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead) { return aead->id; }
444
EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD * aead)445 const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead) {
446 return aead->aead_func();
447 }
448
449
450 // HPKE implementation.
451
452 // This is strlen("HPKE") + 3 * sizeof(uint16_t).
453 #define HPKE_SUITE_ID_LEN 10
454
455 // The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
456 // I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
hpke_build_suite_id(const EVP_HPKE_CTX * ctx,uint8_t out[HPKE_SUITE_ID_LEN])457 static int hpke_build_suite_id(const EVP_HPKE_CTX *ctx,
458 uint8_t out[HPKE_SUITE_ID_LEN]) {
459 CBB cbb;
460 CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN);
461 return add_label_string(&cbb, "HPKE") && //
462 CBB_add_u16(&cbb, ctx->kem->id) && //
463 CBB_add_u16(&cbb, ctx->kdf->id) && //
464 CBB_add_u16(&cbb, ctx->aead->id);
465 }
466
467 #define HPKE_MODE_BASE 0
468 #define HPKE_MODE_AUTH 2
469
hpke_key_schedule(EVP_HPKE_CTX * ctx,uint8_t mode,const uint8_t * shared_secret,size_t shared_secret_len,const uint8_t * info,size_t info_len)470 static int hpke_key_schedule(EVP_HPKE_CTX *ctx, uint8_t mode,
471 const uint8_t *shared_secret,
472 size_t shared_secret_len, const uint8_t *info,
473 size_t info_len) {
474 uint8_t suite_id[HPKE_SUITE_ID_LEN];
475 if (!hpke_build_suite_id(ctx, suite_id)) {
476 return 0;
477 }
478
479 // psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
480 // TODO(davidben): Precompute this value and store it with the EVP_HPKE_KDF.
481 const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
482 uint8_t psk_id_hash[EVP_MAX_MD_SIZE];
483 size_t psk_id_hash_len;
484 if (!hpke_labeled_extract(hkdf_md, psk_id_hash, &psk_id_hash_len, NULL, 0,
485 suite_id, sizeof(suite_id), "psk_id_hash", NULL,
486 0)) {
487 return 0;
488 }
489
490 // info_hash = LabeledExtract("", "info_hash", info)
491 uint8_t info_hash[EVP_MAX_MD_SIZE];
492 size_t info_hash_len;
493 if (!hpke_labeled_extract(hkdf_md, info_hash, &info_hash_len, NULL, 0,
494 suite_id, sizeof(suite_id), "info_hash", info,
495 info_len)) {
496 return 0;
497 }
498
499 // key_schedule_context = concat(mode, psk_id_hash, info_hash)
500 uint8_t context[sizeof(uint8_t) + 2 * EVP_MAX_MD_SIZE];
501 size_t context_len;
502 CBB context_cbb;
503 CBB_init_fixed(&context_cbb, context, sizeof(context));
504 if (!CBB_add_u8(&context_cbb, mode) ||
505 !CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||
506 !CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||
507 !CBB_finish(&context_cbb, NULL, &context_len)) {
508 return 0;
509 }
510
511 // secret = LabeledExtract(shared_secret, "secret", psk)
512 uint8_t secret[EVP_MAX_MD_SIZE];
513 size_t secret_len;
514 if (!hpke_labeled_extract(hkdf_md, secret, &secret_len, shared_secret,
515 shared_secret_len, suite_id, sizeof(suite_id),
516 "secret", NULL, 0)) {
517 return 0;
518 }
519
520 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
521 const EVP_AEAD *aead = EVP_HPKE_AEAD_aead(ctx->aead);
522 uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
523 const size_t kKeyLen = EVP_AEAD_key_length(aead);
524 if (!hpke_labeled_expand(hkdf_md, key, kKeyLen, secret, secret_len, suite_id,
525 sizeof(suite_id), "key", context, context_len) ||
526 !EVP_AEAD_CTX_init(&ctx->aead_ctx, aead, key, kKeyLen,
527 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {
528 return 0;
529 }
530
531 // base_nonce = LabeledExpand(secret, "base_nonce", key_schedule_context, Nn)
532 if (!hpke_labeled_expand(hkdf_md, ctx->base_nonce,
533 EVP_AEAD_nonce_length(aead), secret, secret_len,
534 suite_id, sizeof(suite_id), "base_nonce", context,
535 context_len)) {
536 return 0;
537 }
538
539 // exporter_secret = LabeledExpand(secret, "exp", key_schedule_context, Nh)
540 if (!hpke_labeled_expand(hkdf_md, ctx->exporter_secret, EVP_MD_size(hkdf_md),
541 secret, secret_len, suite_id, sizeof(suite_id),
542 "exp", context, context_len)) {
543 return 0;
544 }
545
546 return 1;
547 }
548
EVP_HPKE_CTX_zero(EVP_HPKE_CTX * ctx)549 void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx) {
550 OPENSSL_memset(ctx, 0, sizeof(EVP_HPKE_CTX));
551 EVP_AEAD_CTX_zero(&ctx->aead_ctx);
552 }
553
EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX * ctx)554 void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {
555 EVP_AEAD_CTX_cleanup(&ctx->aead_ctx);
556 }
557
EVP_HPKE_CTX_new(void)558 EVP_HPKE_CTX *EVP_HPKE_CTX_new(void) {
559 EVP_HPKE_CTX *ctx = OPENSSL_malloc(sizeof(EVP_HPKE_CTX));
560 if (ctx == NULL) {
561 return NULL;
562 }
563 EVP_HPKE_CTX_zero(ctx);
564 return ctx;
565 }
566
EVP_HPKE_CTX_free(EVP_HPKE_CTX * ctx)567 void EVP_HPKE_CTX_free(EVP_HPKE_CTX *ctx) {
568 if (ctx != NULL) {
569 EVP_HPKE_CTX_cleanup(ctx);
570 OPENSSL_free(ctx);
571 }
572 }
573
EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX * ctx,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const EVP_HPKE_KEM * kem,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * info,size_t info_len)574 int EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX *ctx, uint8_t *out_enc,
575 size_t *out_enc_len, size_t max_enc,
576 const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf,
577 const EVP_HPKE_AEAD *aead,
578 const uint8_t *peer_public_key,
579 size_t peer_public_key_len, const uint8_t *info,
580 size_t info_len) {
581 uint8_t seed[MAX_SEED_LEN];
582 RAND_bytes(seed, kem->seed_len);
583 return EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
584 ctx, out_enc, out_enc_len, max_enc, kem, kdf, aead, peer_public_key,
585 peer_public_key_len, info, info_len, seed, kem->seed_len);
586 }
587
EVP_HPKE_CTX_setup_sender_with_seed_for_testing(EVP_HPKE_CTX * ctx,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const EVP_HPKE_KEM * kem,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * info,size_t info_len,const uint8_t * seed,size_t seed_len)588 int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
589 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
590 const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
591 const uint8_t *peer_public_key, size_t peer_public_key_len,
592 const uint8_t *info, size_t info_len, const uint8_t *seed,
593 size_t seed_len) {
594 EVP_HPKE_CTX_zero(ctx);
595 ctx->is_sender = 1;
596 ctx->kem = kem;
597 ctx->kdf = kdf;
598 ctx->aead = aead;
599 uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
600 size_t shared_secret_len;
601 if (!kem->encap_with_seed(kem, shared_secret, &shared_secret_len, out_enc,
602 out_enc_len, max_enc, peer_public_key,
603 peer_public_key_len, seed, seed_len) ||
604 !hpke_key_schedule(ctx, HPKE_MODE_BASE, shared_secret, shared_secret_len,
605 info, info_len)) {
606 EVP_HPKE_CTX_cleanup(ctx);
607 return 0;
608 }
609 return 1;
610 }
611
EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX * ctx,const EVP_HPKE_KEY * key,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * enc,size_t enc_len,const uint8_t * info,size_t info_len)612 int EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key,
613 const EVP_HPKE_KDF *kdf,
614 const EVP_HPKE_AEAD *aead, const uint8_t *enc,
615 size_t enc_len, const uint8_t *info,
616 size_t info_len) {
617 EVP_HPKE_CTX_zero(ctx);
618 ctx->is_sender = 0;
619 ctx->kem = key->kem;
620 ctx->kdf = kdf;
621 ctx->aead = aead;
622 uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
623 size_t shared_secret_len;
624 if (!key->kem->decap(key, shared_secret, &shared_secret_len, enc, enc_len) ||
625 !hpke_key_schedule(ctx, HPKE_MODE_BASE, shared_secret, shared_secret_len,
626 info, info_len)) {
627 EVP_HPKE_CTX_cleanup(ctx);
628 return 0;
629 }
630 return 1;
631 }
632
633
EVP_HPKE_CTX_setup_auth_sender(EVP_HPKE_CTX * ctx,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const EVP_HPKE_KEY * key,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * info,size_t info_len)634 int EVP_HPKE_CTX_setup_auth_sender(
635 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
636 const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
637 const uint8_t *peer_public_key, size_t peer_public_key_len,
638 const uint8_t *info, size_t info_len) {
639 uint8_t seed[MAX_SEED_LEN];
640 RAND_bytes(seed, key->kem->seed_len);
641 return EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(
642 ctx, out_enc, out_enc_len, max_enc, key, kdf, aead, peer_public_key,
643 peer_public_key_len, info, info_len, seed, key->kem->seed_len);
644 }
645
EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(EVP_HPKE_CTX * ctx,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const EVP_HPKE_KEY * key,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * info,size_t info_len,const uint8_t * seed,size_t seed_len)646 int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(
647 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
648 const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
649 const uint8_t *peer_public_key, size_t peer_public_key_len,
650 const uint8_t *info, size_t info_len, const uint8_t *seed,
651 size_t seed_len) {
652 if (key->kem->auth_encap_with_seed == NULL) {
653 // Not all HPKE KEMs support AuthEncap.
654 OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
655 return 0;
656 }
657
658 EVP_HPKE_CTX_zero(ctx);
659 ctx->is_sender = 1;
660 ctx->kem = key->kem;
661 ctx->kdf = kdf;
662 ctx->aead = aead;
663 uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
664 size_t shared_secret_len;
665 if (!key->kem->auth_encap_with_seed(
666 key, shared_secret, &shared_secret_len, out_enc, out_enc_len, max_enc,
667 peer_public_key, peer_public_key_len, seed, seed_len) ||
668 !hpke_key_schedule(ctx, HPKE_MODE_AUTH, shared_secret, shared_secret_len,
669 info, info_len)) {
670 EVP_HPKE_CTX_cleanup(ctx);
671 return 0;
672 }
673 return 1;
674 }
675
EVP_HPKE_CTX_setup_auth_recipient(EVP_HPKE_CTX * ctx,const EVP_HPKE_KEY * key,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * enc,size_t enc_len,const uint8_t * info,size_t info_len,const uint8_t * peer_public_key,size_t peer_public_key_len)676 int EVP_HPKE_CTX_setup_auth_recipient(
677 EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf,
678 const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,
679 const uint8_t *info, size_t info_len, const uint8_t *peer_public_key,
680 size_t peer_public_key_len) {
681 if (key->kem->auth_decap == NULL) {
682 // Not all HPKE KEMs support AuthDecap.
683 OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
684 return 0;
685 }
686
687 EVP_HPKE_CTX_zero(ctx);
688 ctx->is_sender = 0;
689 ctx->kem = key->kem;
690 ctx->kdf = kdf;
691 ctx->aead = aead;
692 uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
693 size_t shared_secret_len;
694 if (!key->kem->auth_decap(key, shared_secret, &shared_secret_len, enc,
695 enc_len, peer_public_key, peer_public_key_len) ||
696 !hpke_key_schedule(ctx, HPKE_MODE_AUTH, shared_secret, shared_secret_len,
697 info, info_len)) {
698 EVP_HPKE_CTX_cleanup(ctx);
699 return 0;
700 }
701 return 1;
702 }
703
hpke_nonce(const EVP_HPKE_CTX * ctx,uint8_t * out_nonce,size_t nonce_len)704 static void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce,
705 size_t nonce_len) {
706 assert(nonce_len >= 8);
707
708 // Write padded big-endian bytes of |ctx->seq| to |out_nonce|.
709 OPENSSL_memset(out_nonce, 0, nonce_len);
710 uint64_t seq_copy = ctx->seq;
711 for (size_t i = 0; i < 8; i++) {
712 out_nonce[nonce_len - i - 1] = seq_copy & 0xff;
713 seq_copy >>= 8;
714 }
715
716 // XOR the encoded sequence with the |ctx->base_nonce|.
717 for (size_t i = 0; i < nonce_len; i++) {
718 out_nonce[i] ^= ctx->base_nonce[i];
719 }
720 }
721
EVP_HPKE_CTX_open(EVP_HPKE_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)722 int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
723 size_t max_out_len, const uint8_t *in, size_t in_len,
724 const uint8_t *ad, size_t ad_len) {
725 if (ctx->is_sender) {
726 OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
727 return 0;
728 }
729 if (ctx->seq == UINT64_MAX) {
730 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
731 return 0;
732 }
733
734 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
735 const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
736 hpke_nonce(ctx, nonce, nonce_len);
737
738 if (!EVP_AEAD_CTX_open(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
739 nonce_len, in, in_len, ad, ad_len)) {
740 return 0;
741 }
742 ctx->seq++;
743 return 1;
744 }
745
EVP_HPKE_CTX_seal(EVP_HPKE_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)746 int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
747 size_t max_out_len, const uint8_t *in, size_t in_len,
748 const uint8_t *ad, size_t ad_len) {
749 if (!ctx->is_sender) {
750 OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
751 return 0;
752 }
753 if (ctx->seq == UINT64_MAX) {
754 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
755 return 0;
756 }
757
758 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
759 const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
760 hpke_nonce(ctx, nonce, nonce_len);
761
762 if (!EVP_AEAD_CTX_seal(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
763 nonce_len, in, in_len, ad, ad_len)) {
764 return 0;
765 }
766 ctx->seq++;
767 return 1;
768 }
769
EVP_HPKE_CTX_export(const EVP_HPKE_CTX * ctx,uint8_t * out,size_t secret_len,const uint8_t * context,size_t context_len)770 int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out,
771 size_t secret_len, const uint8_t *context,
772 size_t context_len) {
773 uint8_t suite_id[HPKE_SUITE_ID_LEN];
774 if (!hpke_build_suite_id(ctx, suite_id)) {
775 return 0;
776 }
777 const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
778 if (!hpke_labeled_expand(hkdf_md, out, secret_len, ctx->exporter_secret,
779 EVP_MD_size(hkdf_md), suite_id, sizeof(suite_id),
780 "sec", context, context_len)) {
781 return 0;
782 }
783 return 1;
784 }
785
EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX * ctx)786 size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx) {
787 assert(ctx->is_sender);
788 return EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(&ctx->aead_ctx));
789 }
790
EVP_HPKE_CTX_kem(const EVP_HPKE_CTX * ctx)791 const EVP_HPKE_KEM *EVP_HPKE_CTX_kem(const EVP_HPKE_CTX *ctx) {
792 return ctx->kem;
793 }
794
EVP_HPKE_CTX_aead(const EVP_HPKE_CTX * ctx)795 const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx) {
796 return ctx->aead;
797 }
798
EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX * ctx)799 const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx) {
800 return ctx->kdf;
801 }
802