Skip to content

Commit fc05260

Browse files
Route KDF key-exchange and MAC-signature through wolfProvider directly
1 parent ecdd878 commit fc05260

11 files changed

Lines changed: 668 additions & 126 deletions

File tree

include/wolfprovider/internal.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -217,6 +217,7 @@ int wp_init_cast(int algo);
217217
int wolfssl_prov_get_capabilities(void *provctx, const char *capability,
218218
OSSL_CALLBACK *cb, void *arg);
219219

220+
unsigned char* wp_octet_dup(const unsigned char* data, size_t len);
220221
int wp_name_to_nid(OSSL_LIB_CTX* libCtx, const char* name, const char* propQ);
221222
enum wc_HashType wp_name_to_wc_hash_type(OSSL_LIB_CTX* libCtx, const char* name,
222223
const char* propQ);

src/wp_hkdf.c

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,66 @@ static void wp_kdf_hkdf_reset(wp_HkdfCtx* ctx)
193193
}
194194
}
195195

196+
/**
197+
* Duplicate the HKDF context object.
198+
*
199+
* Deep copies the configured key material so the copy derives identically.
200+
*
201+
* @param [in] src HKDF context object.
202+
* @return New HKDF context object on success.
203+
* @return NULL on failure.
204+
*/
205+
static wp_HkdfCtx* wp_kdf_hkdf_dup(wp_HkdfCtx* src)
206+
{
207+
wp_HkdfCtx* dst = NULL;
208+
209+
if (wolfssl_prov_is_running()) {
210+
dst = wp_kdf_hkdf_new(src->provCtx);
211+
}
212+
if (dst != NULL) {
213+
int ok = 1;
214+
215+
dst->mode = src->mode;
216+
dst->mdType = src->mdType;
217+
dst->mdLen = src->mdLen;
218+
dst->keySz = src->keySz;
219+
dst->saltSz = src->saltSz;
220+
dst->infoSz = src->infoSz;
221+
dst->prefixLen = src->prefixLen;
222+
dst->labelLen = src->labelLen;
223+
dst->dataLen = src->dataLen;
224+
XMEMCPY(dst->info, src->info, src->infoSz);
225+
226+
if (ok && (src->key != NULL)) {
227+
dst->key = wp_octet_dup(src->key, src->keySz);
228+
ok = dst->key != NULL;
229+
}
230+
if (ok && (src->salt != NULL)) {
231+
dst->salt = wp_octet_dup(src->salt, src->saltSz);
232+
ok = dst->salt != NULL;
233+
}
234+
if (ok && (src->prefix != NULL)) {
235+
dst->prefix = wp_octet_dup(src->prefix, src->prefixLen);
236+
ok = dst->prefix != NULL;
237+
}
238+
if (ok && (src->label != NULL)) {
239+
dst->label = wp_octet_dup(src->label, src->labelLen);
240+
ok = dst->label != NULL;
241+
}
242+
if (ok && (src->data != NULL)) {
243+
dst->data = wp_octet_dup(src->data, src->dataLen);
244+
ok = dst->data != NULL;
245+
}
246+
247+
if (!ok) {
248+
wp_kdf_hkdf_free(dst);
249+
dst = NULL;
250+
}
251+
}
252+
253+
return dst;
254+
}
255+
196256
/**
197257
* Derive a key using HKDF.
198258
*
@@ -528,6 +588,7 @@ static const OSSL_PARAM* wp_kdf_hkdf_gettable_ctx_params(wp_HkdfCtx* ctx,
528588
/** Dispatch table for HKDF functions implemented using wolfSSL. */
529589
const OSSL_DISPATCH wp_kdf_hkdf_functions[] = {
530590
{ OSSL_FUNC_KDF_NEWCTX, (DFUNC)wp_kdf_hkdf_new },
591+
{ OSSL_FUNC_KDF_DUPCTX, (DFUNC)wp_kdf_hkdf_dup },
531592
{ OSSL_FUNC_KDF_FREECTX, (DFUNC)wp_kdf_hkdf_free },
532593
{ OSSL_FUNC_KDF_RESET, (DFUNC)wp_kdf_hkdf_reset },
533594
{ OSSL_FUNC_KDF_DERIVE, (DFUNC)wp_kdf_hkdf_derive },
@@ -795,6 +856,7 @@ static const OSSL_PARAM* wp_kdf_tls1_3_settable_ctx_params(wp_HkdfCtx* ctx,
795856
/** Dispatch table for TLS 1.3 HKDF functions implemented using wolfSSL. */
796857
const OSSL_DISPATCH wp_kdf_tls1_3_kdf_functions[] = {
797858
{ OSSL_FUNC_KDF_NEWCTX, (DFUNC)wp_kdf_hkdf_new },
859+
{ OSSL_FUNC_KDF_DUPCTX, (DFUNC)wp_kdf_hkdf_dup },
798860
{ OSSL_FUNC_KDF_FREECTX, (DFUNC)wp_kdf_hkdf_free },
799861
{ OSSL_FUNC_KDF_RESET, (DFUNC)wp_kdf_hkdf_reset },
800862
{ OSSL_FUNC_KDF_DERIVE, (DFUNC)wp_kdf_tls1_3_derive },

src/wp_internal.c

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -469,6 +469,34 @@ int wp_unlock(wolfSSL_Mutex* mutex)
469469
}
470470

471471

472+
/**
473+
* Duplicate a configured octet buffer.
474+
*
475+
* OPENSSL_memdup() returns NULL for a zero length, so a 1-byte buffer is
476+
* allocated for the empty case. This preserves the non-NULL, zero-length
477+
* state that consumers may distinguish from a NULL (absent) buffer.
478+
*
479+
* @param [in] data Buffer to duplicate. May be NULL.
480+
* @param [in] len Length of buffer in bytes.
481+
* @return Allocated copy on success.
482+
* @return NULL when data is NULL, or on allocation failure.
483+
*/
484+
unsigned char* wp_octet_dup(const unsigned char* data, size_t len)
485+
{
486+
unsigned char* ret;
487+
488+
if (data == NULL) {
489+
ret = NULL;
490+
}
491+
else if (len == 0) {
492+
ret = OPENSSL_zalloc(1);
493+
}
494+
else {
495+
ret = OPENSSL_memdup(data, len);
496+
}
497+
return ret;
498+
}
499+
472500
/**
473501
* Convert the string name of an object to an OpenSSL Numeric ID (NID).
474502
*

0 commit comments

Comments
 (0)