1 /* Copyright (c) 2020, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/hpke.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <openssl/aead.h>
21 #include <openssl/bytestring.h>
22 #include <openssl/curve25519.h>
23 #include <openssl/digest.h>
24 #include <openssl/err.h>
25 #include <openssl/evp_errors.h>
26 #include <openssl/hkdf.h>
27 #include <openssl/rand.h>
28 #include <openssl/sha.h>
29
30 #include "../internal.h"
31
32
33 // This file implements draft-irtf-cfrg-hpke-08.
34
35 #define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN
36 #define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH
37
38 struct evp_hpke_kem_st {
39 uint16_t id;
40 size_t public_key_len;
41 size_t private_key_len;
42 size_t seed_len;
43 int (*init_key)(EVP_HPKE_KEY *key, const uint8_t *priv_key,
44 size_t priv_key_len);
45 int (*generate_key)(EVP_HPKE_KEY *key);
46 int (*encap_with_seed)(const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
47 size_t *out_shared_secret_len, uint8_t *out_enc,
48 size_t *out_enc_len, size_t max_enc,
49 const uint8_t *peer_public_key,
50 size_t peer_public_key_len, const uint8_t *seed,
51 size_t seed_len);
52 int (*decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
53 size_t *out_shared_secret_len, const uint8_t *enc,
54 size_t enc_len);
55 };
56
57 struct evp_hpke_kdf_st {
58 uint16_t id;
59 // We only support HKDF-based KDFs.
60 const EVP_MD *(*hkdf_md_func)(void);
61 };
62
63 struct evp_hpke_aead_st {
64 uint16_t id;
65 const EVP_AEAD *(*aead_func)(void);
66 };
67
68
69 // Low-level labeled KDF functions.
70
71 static const char kHpkeVersionId[] = "HPKE-v1";
72
add_label_string(CBB * cbb,const char * label)73 static int add_label_string(CBB *cbb, const char *label) {
74 return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));
75 }
76
hpke_labeled_extract(const EVP_MD * hkdf_md,uint8_t * out_key,size_t * out_len,const uint8_t * salt,size_t salt_len,const uint8_t * suite_id,size_t suite_id_len,const char * label,const uint8_t * ikm,size_t ikm_len)77 static int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,
78 size_t *out_len, const uint8_t *salt,
79 size_t salt_len, const uint8_t *suite_id,
80 size_t suite_id_len, const char *label,
81 const uint8_t *ikm, size_t ikm_len) {
82 // labeledIKM = concat("HPKE-v1", suite_id, label, IKM)
83 CBB labeled_ikm;
84 int ok = CBB_init(&labeled_ikm, 0) &&
85 add_label_string(&labeled_ikm, kHpkeVersionId) &&
86 CBB_add_bytes(&labeled_ikm, suite_id, suite_id_len) &&
87 add_label_string(&labeled_ikm, label) &&
88 CBB_add_bytes(&labeled_ikm, ikm, ikm_len) &&
89 HKDF_extract(out_key, out_len, hkdf_md, CBB_data(&labeled_ikm),
90 CBB_len(&labeled_ikm), salt, salt_len);
91 CBB_cleanup(&labeled_ikm);
92 return ok;
93 }
94
hpke_labeled_expand(const EVP_MD * hkdf_md,uint8_t * out_key,size_t out_len,const uint8_t * prk,size_t prk_len,const uint8_t * suite_id,size_t suite_id_len,const char * label,const uint8_t * info,size_t info_len)95 static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
96 size_t out_len, const uint8_t *prk,
97 size_t prk_len, const uint8_t *suite_id,
98 size_t suite_id_len, const char *label,
99 const uint8_t *info, size_t info_len) {
100 // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
101 CBB labeled_info;
102 int ok = CBB_init(&labeled_info, 0) &&
103 CBB_add_u16(&labeled_info, out_len) &&
104 add_label_string(&labeled_info, kHpkeVersionId) &&
105 CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
106 add_label_string(&labeled_info, label) &&
107 CBB_add_bytes(&labeled_info, info, info_len) &&
108 HKDF_expand(out_key, out_len, hkdf_md, prk, prk_len,
109 CBB_data(&labeled_info), CBB_len(&labeled_info));
110 CBB_cleanup(&labeled_info);
111 return ok;
112 }
113
114
115 // KEM implementations.
116
117 // dhkem_extract_and_expand implements the ExtractAndExpand operation in the
118 // DHKEM construction. See section 4.1 of draft-irtf-cfrg-hpke-08.
dhkem_extract_and_expand(uint16_t kem_id,const EVP_MD * hkdf_md,uint8_t * out_key,size_t out_len,const uint8_t * dh,size_t dh_len,const uint8_t * kem_context,size_t kem_context_len)119 static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
120 uint8_t *out_key, size_t out_len,
121 const uint8_t *dh, size_t dh_len,
122 const uint8_t *kem_context,
123 size_t kem_context_len) {
124 // concat("KEM", I2OSP(kem_id, 2))
125 uint8_t suite_id[5] = {'K', 'E', 'M', kem_id >> 8, kem_id & 0xff};
126 uint8_t prk[EVP_MAX_MD_SIZE];
127 size_t prk_len;
128 return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
129 sizeof(suite_id), "eae_prk", dh, dh_len) &&
130 hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len, suite_id,
131 sizeof(suite_id), "shared_secret", kem_context,
132 kem_context_len);
133 }
134
x25519_init_key(EVP_HPKE_KEY * key,const uint8_t * priv_key,size_t priv_key_len)135 static int x25519_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
136 size_t priv_key_len) {
137 if (priv_key_len != X25519_PRIVATE_KEY_LEN) {
138 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
139 return 0;
140 }
141
142 OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);
143 X25519_public_from_private(key->public_key, priv_key);
144 return 1;
145 }
146
x25519_generate_key(EVP_HPKE_KEY * key)147 static int x25519_generate_key(EVP_HPKE_KEY *key) {
148 X25519_keypair(key->public_key, key->private_key);
149 return 1;
150 }
151
x25519_encap_with_seed(const EVP_HPKE_KEM * kem,uint8_t * out_shared_secret,size_t * out_shared_secret_len,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * seed,size_t seed_len)152 static int x25519_encap_with_seed(
153 const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,
154 size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
155 size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
156 const uint8_t *seed, size_t seed_len) {
157 if (max_enc < X25519_PUBLIC_VALUE_LEN) {
158 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
159 return 0;
160 }
161 if (seed_len != X25519_PRIVATE_KEY_LEN) {
162 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
163 return 0;
164 }
165 X25519_public_from_private(out_enc, seed);
166
167 uint8_t dh[X25519_SHARED_KEY_LEN];
168 if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||
169 !X25519(dh, seed, peer_public_key)) {
170 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
171 return 0;
172 }
173
174 uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
175 OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);
176 OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,
177 X25519_PUBLIC_VALUE_LEN);
178 if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,
179 SHA256_DIGEST_LENGTH, dh, sizeof(dh),
180 kem_context, sizeof(kem_context))) {
181 return 0;
182 }
183
184 *out_enc_len = X25519_PUBLIC_VALUE_LEN;
185 *out_shared_secret_len = SHA256_DIGEST_LENGTH;
186 return 1;
187 }
188
x25519_decap(const EVP_HPKE_KEY * key,uint8_t * out_shared_secret,size_t * out_shared_secret_len,const uint8_t * enc,size_t enc_len)189 static int x25519_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
190 size_t *out_shared_secret_len, const uint8_t *enc,
191 size_t enc_len) {
192 uint8_t dh[X25519_SHARED_KEY_LEN];
193 if (enc_len != X25519_PUBLIC_VALUE_LEN ||
194 !X25519(dh, key->private_key, enc)) {
195 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
196 return 0;
197 }
198
199 uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];
200 OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);
201 OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,
202 X25519_PUBLIC_VALUE_LEN);
203 if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
204 SHA256_DIGEST_LENGTH, dh, sizeof(dh),
205 kem_context, sizeof(kem_context))) {
206 return 0;
207 }
208
209 *out_shared_secret_len = SHA256_DIGEST_LENGTH;
210 return 1;
211 }
212
EVP_hpke_x25519_hkdf_sha256(void)213 const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
214 static const EVP_HPKE_KEM kKEM = {
215 /*id=*/EVP_HPKE_DHKEM_X25519_HKDF_SHA256,
216 /*public_key_len=*/X25519_PUBLIC_VALUE_LEN,
217 /*private_key_len=*/X25519_PRIVATE_KEY_LEN,
218 /*seed_len=*/X25519_PRIVATE_KEY_LEN,
219 x25519_init_key,
220 x25519_generate_key,
221 x25519_encap_with_seed,
222 x25519_decap,
223 };
224 return &kKEM;
225 }
226
EVP_HPKE_KEM_id(const EVP_HPKE_KEM * kem)227 uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }
228
EVP_HPKE_KEY_zero(EVP_HPKE_KEY * key)229 void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key) {
230 OPENSSL_memset(key, 0, sizeof(EVP_HPKE_KEY));
231 }
232
EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY * key)233 void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key) {
234 // Nothing to clean up for now, but we may introduce a cleanup process in the
235 // future.
236 }
237
EVP_HPKE_KEY_new(void)238 EVP_HPKE_KEY *EVP_HPKE_KEY_new(void) {
239 EVP_HPKE_KEY *key = OPENSSL_malloc(sizeof(EVP_HPKE_KEY));
240 if (key == NULL) {
241 OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
242 return NULL;
243 }
244 EVP_HPKE_KEY_zero(key);
245 return key;
246 }
247
EVP_HPKE_KEY_free(EVP_HPKE_KEY * key)248 void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key) {
249 if (key != NULL) {
250 EVP_HPKE_KEY_cleanup(key);
251 OPENSSL_free(key);
252 }
253 }
254
EVP_HPKE_KEY_copy(EVP_HPKE_KEY * dst,const EVP_HPKE_KEY * src)255 int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {
256 // For now, |EVP_HPKE_KEY| is trivially copyable.
257 OPENSSL_memcpy(dst, src, sizeof(EVP_HPKE_KEY));
258 return 1;
259 }
260
EVP_HPKE_KEY_init(EVP_HPKE_KEY * key,const EVP_HPKE_KEM * kem,const uint8_t * priv_key,size_t priv_key_len)261 int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,
262 const uint8_t *priv_key, size_t priv_key_len) {
263 EVP_HPKE_KEY_zero(key);
264 key->kem = kem;
265 if (!kem->init_key(key, priv_key, priv_key_len)) {
266 key->kem = NULL;
267 return 0;
268 }
269 return 1;
270 }
271
EVP_HPKE_KEY_generate(EVP_HPKE_KEY * key,const EVP_HPKE_KEM * kem)272 int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem) {
273 EVP_HPKE_KEY_zero(key);
274 key->kem = kem;
275 if (!kem->generate_key(key)) {
276 key->kem = NULL;
277 return 0;
278 }
279 return 1;
280 }
281
EVP_HPKE_KEY_kem(const EVP_HPKE_KEY * key)282 const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key) {
283 return key->kem;
284 }
285
EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY * key,uint8_t * out,size_t * out_len,size_t max_out)286 int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
287 size_t *out_len, size_t max_out) {
288 if (max_out < key->kem->public_key_len) {
289 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
290 return 0;
291 }
292 OPENSSL_memcpy(out, key->public_key, key->kem->public_key_len);
293 *out_len = key->kem->public_key_len;
294 return 1;
295 }
296
EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY * key,uint8_t * out,size_t * out_len,size_t max_out)297 int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
298 size_t *out_len, size_t max_out) {
299 if (max_out < key->kem->private_key_len) {
300 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
301 return 0;
302 }
303 OPENSSL_memcpy(out, key->private_key, key->kem->private_key_len);
304 *out_len = key->kem->private_key_len;
305 return 1;
306 }
307
308
309 // Supported KDFs and AEADs.
310
EVP_hpke_hkdf_sha256(void)311 const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void) {
312 static const EVP_HPKE_KDF kKDF = {EVP_HPKE_HKDF_SHA256, &EVP_sha256};
313 return &kKDF;
314 }
315
EVP_HPKE_KDF_id(const EVP_HPKE_KDF * kdf)316 uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf) { return kdf->id; }
317
EVP_hpke_aes_128_gcm(void)318 const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void) {
319 static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_128_GCM,
320 &EVP_aead_aes_128_gcm};
321 return &kAEAD;
322 }
323
EVP_hpke_aes_256_gcm(void)324 const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void) {
325 static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_256_GCM,
326 &EVP_aead_aes_256_gcm};
327 return &kAEAD;
328 }
329
EVP_hpke_chacha20_poly1305(void)330 const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void) {
331 static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_CHACHA20_POLY1305,
332 &EVP_aead_chacha20_poly1305};
333 return &kAEAD;
334 }
335
EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD * aead)336 uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead) { return aead->id; }
337
EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD * aead)338 const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead) {
339 return aead->aead_func();
340 }
341
342
343 // HPKE implementation.
344
345 // This is strlen("HPKE") + 3 * sizeof(uint16_t).
346 #define HPKE_SUITE_ID_LEN 10
347
348 // The suite_id for non-KEM pieces of HPKE is defined as concat("HPKE",
349 // I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).
hpke_build_suite_id(const EVP_HPKE_CTX * ctx,uint8_t out[HPKE_SUITE_ID_LEN])350 static int hpke_build_suite_id(const EVP_HPKE_CTX *ctx,
351 uint8_t out[HPKE_SUITE_ID_LEN]) {
352 CBB cbb;
353 int ret = CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN) &&
354 add_label_string(&cbb, "HPKE") &&
355 CBB_add_u16(&cbb, EVP_HPKE_DHKEM_X25519_HKDF_SHA256) &&
356 CBB_add_u16(&cbb, ctx->kdf->id) &&
357 CBB_add_u16(&cbb, ctx->aead->id);
358 CBB_cleanup(&cbb);
359 return ret;
360 }
361
362 #define HPKE_MODE_BASE 0
363
hpke_key_schedule(EVP_HPKE_CTX * ctx,const uint8_t * shared_secret,size_t shared_secret_len,const uint8_t * info,size_t info_len)364 static int hpke_key_schedule(EVP_HPKE_CTX *ctx, const uint8_t *shared_secret,
365 size_t shared_secret_len, const uint8_t *info,
366 size_t info_len) {
367 uint8_t suite_id[HPKE_SUITE_ID_LEN];
368 if (!hpke_build_suite_id(ctx, suite_id)) {
369 return 0;
370 }
371
372 // psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
373 // TODO(davidben): Precompute this value and store it with the EVP_HPKE_KDF.
374 const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
375 uint8_t psk_id_hash[EVP_MAX_MD_SIZE];
376 size_t psk_id_hash_len;
377 if (!hpke_labeled_extract(hkdf_md, psk_id_hash, &psk_id_hash_len, NULL, 0,
378 suite_id, sizeof(suite_id), "psk_id_hash", NULL,
379 0)) {
380 return 0;
381 }
382
383 // info_hash = LabeledExtract("", "info_hash", info)
384 uint8_t info_hash[EVP_MAX_MD_SIZE];
385 size_t info_hash_len;
386 if (!hpke_labeled_extract(hkdf_md, info_hash, &info_hash_len, NULL, 0,
387 suite_id, sizeof(suite_id), "info_hash", info,
388 info_len)) {
389 return 0;
390 }
391
392 // key_schedule_context = concat(mode, psk_id_hash, info_hash)
393 uint8_t context[sizeof(uint8_t) + 2 * EVP_MAX_MD_SIZE];
394 size_t context_len;
395 CBB context_cbb;
396 if (!CBB_init_fixed(&context_cbb, context, sizeof(context)) ||
397 !CBB_add_u8(&context_cbb, HPKE_MODE_BASE) ||
398 !CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||
399 !CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||
400 !CBB_finish(&context_cbb, NULL, &context_len)) {
401 return 0;
402 }
403
404 // secret = LabeledExtract(shared_secret, "secret", psk)
405 uint8_t secret[EVP_MAX_MD_SIZE];
406 size_t secret_len;
407 if (!hpke_labeled_extract(hkdf_md, secret, &secret_len, shared_secret,
408 shared_secret_len, suite_id, sizeof(suite_id),
409 "secret", NULL, 0)) {
410 return 0;
411 }
412
413 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
414 const EVP_AEAD *aead = EVP_HPKE_AEAD_aead(ctx->aead);
415 uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
416 const size_t kKeyLen = EVP_AEAD_key_length(aead);
417 if (!hpke_labeled_expand(hkdf_md, key, kKeyLen, secret, secret_len, suite_id,
418 sizeof(suite_id), "key", context, context_len) ||
419 !EVP_AEAD_CTX_init(&ctx->aead_ctx, aead, key, kKeyLen,
420 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {
421 return 0;
422 }
423
424 // base_nonce = LabeledExpand(secret, "base_nonce", key_schedule_context, Nn)
425 if (!hpke_labeled_expand(hkdf_md, ctx->base_nonce,
426 EVP_AEAD_nonce_length(aead), secret, secret_len,
427 suite_id, sizeof(suite_id), "base_nonce", context,
428 context_len)) {
429 return 0;
430 }
431
432 // exporter_secret = LabeledExpand(secret, "exp", key_schedule_context, Nh)
433 if (!hpke_labeled_expand(hkdf_md, ctx->exporter_secret, EVP_MD_size(hkdf_md),
434 secret, secret_len, suite_id, sizeof(suite_id),
435 "exp", context, context_len)) {
436 return 0;
437 }
438
439 return 1;
440 }
441
EVP_HPKE_CTX_zero(EVP_HPKE_CTX * ctx)442 void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx) {
443 OPENSSL_memset(ctx, 0, sizeof(EVP_HPKE_CTX));
444 EVP_AEAD_CTX_zero(&ctx->aead_ctx);
445 }
446
EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX * ctx)447 void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {
448 EVP_AEAD_CTX_cleanup(&ctx->aead_ctx);
449 }
450
EVP_HPKE_CTX_new(void)451 EVP_HPKE_CTX *EVP_HPKE_CTX_new(void) {
452 EVP_HPKE_CTX *ctx = OPENSSL_malloc(sizeof(EVP_HPKE_CTX));
453 if (ctx == NULL) {
454 OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
455 return NULL;
456 }
457 EVP_HPKE_CTX_zero(ctx);
458 return ctx;
459 }
460
EVP_HPKE_CTX_free(EVP_HPKE_CTX * ctx)461 void EVP_HPKE_CTX_free(EVP_HPKE_CTX *ctx) {
462 if (ctx != NULL) {
463 EVP_HPKE_CTX_cleanup(ctx);
464 OPENSSL_free(ctx);
465 }
466 }
467
EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX * ctx,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const EVP_HPKE_KEM * kem,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * info,size_t info_len)468 int EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX *ctx, uint8_t *out_enc,
469 size_t *out_enc_len, size_t max_enc,
470 const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf,
471 const EVP_HPKE_AEAD *aead,
472 const uint8_t *peer_public_key,
473 size_t peer_public_key_len, const uint8_t *info,
474 size_t info_len) {
475 uint8_t seed[MAX_SEED_LEN];
476 RAND_bytes(seed, kem->seed_len);
477 return EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
478 ctx, out_enc, out_enc_len, max_enc, kem, kdf, aead, peer_public_key,
479 peer_public_key_len, info, info_len, seed, kem->seed_len);
480 }
481
EVP_HPKE_CTX_setup_sender_with_seed_for_testing(EVP_HPKE_CTX * ctx,uint8_t * out_enc,size_t * out_enc_len,size_t max_enc,const EVP_HPKE_KEM * kem,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * peer_public_key,size_t peer_public_key_len,const uint8_t * info,size_t info_len,const uint8_t * seed,size_t seed_len)482 int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
483 EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
484 const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
485 const uint8_t *peer_public_key, size_t peer_public_key_len,
486 const uint8_t *info, size_t info_len, const uint8_t *seed,
487 size_t seed_len) {
488 EVP_HPKE_CTX_zero(ctx);
489 ctx->is_sender = 1;
490 ctx->kdf = kdf;
491 ctx->aead = aead;
492 uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
493 size_t shared_secret_len;
494 if (!kem->encap_with_seed(kem, shared_secret, &shared_secret_len, out_enc,
495 out_enc_len, max_enc, peer_public_key,
496 peer_public_key_len, seed, seed_len) ||
497 !hpke_key_schedule(ctx, shared_secret, shared_secret_len, info,
498 info_len)) {
499 EVP_HPKE_CTX_cleanup(ctx);
500 return 0;
501 }
502 return 1;
503 }
504
EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX * ctx,const EVP_HPKE_KEY * key,const EVP_HPKE_KDF * kdf,const EVP_HPKE_AEAD * aead,const uint8_t * enc,size_t enc_len,const uint8_t * info,size_t info_len)505 int EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key,
506 const EVP_HPKE_KDF *kdf,
507 const EVP_HPKE_AEAD *aead, const uint8_t *enc,
508 size_t enc_len, const uint8_t *info,
509 size_t info_len) {
510 EVP_HPKE_CTX_zero(ctx);
511 ctx->is_sender = 0;
512 ctx->kdf = kdf;
513 ctx->aead = aead;
514 uint8_t shared_secret[MAX_SHARED_SECRET_LEN];
515 size_t shared_secret_len;
516 if (!key->kem->decap(key, shared_secret, &shared_secret_len, enc, enc_len) ||
517 !hpke_key_schedule(ctx, shared_secret, sizeof(shared_secret), info,
518 info_len)) {
519 EVP_HPKE_CTX_cleanup(ctx);
520 return 0;
521 }
522 return 1;
523 }
524
hpke_nonce(const EVP_HPKE_CTX * ctx,uint8_t * out_nonce,size_t nonce_len)525 static void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce,
526 size_t nonce_len) {
527 assert(nonce_len >= 8);
528
529 // Write padded big-endian bytes of |ctx->seq| to |out_nonce|.
530 OPENSSL_memset(out_nonce, 0, nonce_len);
531 uint64_t seq_copy = ctx->seq;
532 for (size_t i = 0; i < 8; i++) {
533 out_nonce[nonce_len - i - 1] = seq_copy & 0xff;
534 seq_copy >>= 8;
535 }
536
537 // XOR the encoded sequence with the |ctx->base_nonce|.
538 for (size_t i = 0; i < nonce_len; i++) {
539 out_nonce[i] ^= ctx->base_nonce[i];
540 }
541 }
542
EVP_HPKE_CTX_open(EVP_HPKE_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)543 int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
544 size_t max_out_len, const uint8_t *in, size_t in_len,
545 const uint8_t *ad, size_t ad_len) {
546 if (ctx->is_sender) {
547 OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
548 return 0;
549 }
550 if (ctx->seq == UINT64_MAX) {
551 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
552 return 0;
553 }
554
555 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
556 const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
557 hpke_nonce(ctx, nonce, nonce_len);
558
559 if (!EVP_AEAD_CTX_open(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
560 nonce_len, in, in_len, ad, ad_len)) {
561 return 0;
562 }
563 ctx->seq++;
564 return 1;
565 }
566
EVP_HPKE_CTX_seal(EVP_HPKE_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)567 int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,
568 size_t max_out_len, const uint8_t *in, size_t in_len,
569 const uint8_t *ad, size_t ad_len) {
570 if (!ctx->is_sender) {
571 OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
572 return 0;
573 }
574 if (ctx->seq == UINT64_MAX) {
575 OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);
576 return 0;
577 }
578
579 uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
580 const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);
581 hpke_nonce(ctx, nonce, nonce_len);
582
583 if (!EVP_AEAD_CTX_seal(&ctx->aead_ctx, out, out_len, max_out_len, nonce,
584 nonce_len, in, in_len, ad, ad_len)) {
585 return 0;
586 }
587 ctx->seq++;
588 return 1;
589 }
590
EVP_HPKE_CTX_export(const EVP_HPKE_CTX * ctx,uint8_t * out,size_t secret_len,const uint8_t * context,size_t context_len)591 int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out,
592 size_t secret_len, const uint8_t *context,
593 size_t context_len) {
594 uint8_t suite_id[HPKE_SUITE_ID_LEN];
595 if (!hpke_build_suite_id(ctx, suite_id)) {
596 return 0;
597 }
598 const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();
599 if (!hpke_labeled_expand(hkdf_md, out, secret_len, ctx->exporter_secret,
600 EVP_MD_size(hkdf_md), suite_id, sizeof(suite_id),
601 "sec", context, context_len)) {
602 return 0;
603 }
604 return 1;
605 }
606
EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX * ctx)607 size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx) {
608 assert(ctx->is_sender);
609 return EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(&ctx->aead_ctx));
610 }
611
EVP_HPKE_CTX_aead(const EVP_HPKE_CTX * ctx)612 const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx) {
613 return ctx->aead;
614 }
615
EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX * ctx)616 const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx) {
617 return ctx->kdf;
618 }
619