]>
Commit | Line | Data |
---|---|---|
1eff3485 | 1 | /* |
b0edda11 | 2 | * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
1eff3485 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
1eff3485 DSH |
8 | */ |
9 | ||
0f52d9ed DM |
10 | /* |
11 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
12 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
13 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
14 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
15 | * | |
16 | * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: | |
17 | * | |
18 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
19 | * P_SHA-1(S2, label + seed) | |
20 | * | |
21 | * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are | |
22 | * two halves of the secret (with the possibility of one shared byte, in the | |
23 | * case where the length of the original secret is odd). S1 is taken from the | |
24 | * first half of the secret, S2 from the second half. | |
25 | * | |
26 | * For TLS v1.2 the TLS PRF algorithm is given by: | |
27 | * | |
28 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
29 | * | |
30 | * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as | |
31 | * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, | |
32 | * unless defined otherwise by the cipher suite. | |
33 | * | |
34 | * P_<hash> is an expansion function that uses a single hash function to expand | |
35 | * a secret and seed into an arbitrary quantity of output: | |
36 | * | |
37 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
38 | * HMAC_<hash>(secret, A(2) + seed) + | |
39 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
40 | * | |
41 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
42 | * is necessary to produce the required quantity of data. | |
43 | * | |
44 | * A(i) is defined as: | |
45 | * A(0) = seed | |
46 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
47 | */ | |
1eff3485 | 48 | #include <stdio.h> |
5a285add DM |
49 | #include <stdarg.h> |
50 | #include <string.h> | |
1eff3485 | 51 | #include "internal/cryptlib.h" |
1eff3485 | 52 | #include <openssl/evp.h> |
5a285add | 53 | #include <openssl/kdf.h> |
776796e8 RL |
54 | #include <openssl/core_names.h> |
55 | #include <openssl/params.h> | |
1eff3485 | 56 | #include "internal/evp_int.h" |
5a285add | 57 | #include "kdf_local.h" |
1eff3485 | 58 | |
5a285add | 59 | static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl); |
1eff3485 DSH |
60 | static int tls1_prf_alg(const EVP_MD *md, |
61 | const unsigned char *sec, size_t slen, | |
62 | const unsigned char *seed, size_t seed_len, | |
63 | unsigned char *out, size_t olen); | |
64 | ||
65 | #define TLS1_PRF_MAXBUF 1024 | |
66 | ||
5a285add | 67 | /* TLS KDF kdf context structure */ |
1eff3485 | 68 | |
5a285add | 69 | struct evp_kdf_impl_st { |
1eff3485 DSH |
70 | /* Digest to use for PRF */ |
71 | const EVP_MD *md; | |
72 | /* Secret value to use for PRF */ | |
73 | unsigned char *sec; | |
74 | size_t seclen; | |
75 | /* Buffer of concatenated seed data */ | |
76 | unsigned char seed[TLS1_PRF_MAXBUF]; | |
77 | size_t seedlen; | |
5a285add | 78 | }; |
1eff3485 | 79 | |
5a285add | 80 | static EVP_KDF_IMPL *kdf_tls1_prf_new(void) |
1eff3485 | 81 | { |
5a285add | 82 | EVP_KDF_IMPL *impl; |
1eff3485 | 83 | |
5a285add DM |
84 | if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) |
85 | KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE); | |
86 | return impl; | |
87 | } | |
1eff3485 | 88 | |
5a285add DM |
89 | static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl) |
90 | { | |
91 | kdf_tls1_prf_reset(impl); | |
92 | OPENSSL_free(impl); | |
1eff3485 DSH |
93 | } |
94 | ||
5a285add | 95 | static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl) |
1eff3485 | 96 | { |
5a285add DM |
97 | OPENSSL_clear_free(impl->sec, impl->seclen); |
98 | OPENSSL_cleanse(impl->seed, impl->seedlen); | |
99 | memset(impl, 0, sizeof(*impl)); | |
1eff3485 DSH |
100 | } |
101 | ||
5a285add | 102 | static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) |
1eff3485 | 103 | { |
5a285add DM |
104 | const unsigned char *p; |
105 | size_t len; | |
106 | const EVP_MD *md; | |
1eff3485 | 107 | |
5a285add DM |
108 | switch (cmd) { |
109 | case EVP_KDF_CTRL_SET_MD: | |
110 | md = va_arg(args, const EVP_MD *); | |
111 | if (md == NULL) | |
1eff3485 | 112 | return 0; |
5a285add DM |
113 | |
114 | impl->md = md; | |
115 | return 1; | |
116 | ||
117 | case EVP_KDF_CTRL_SET_TLS_SECRET: | |
118 | p = va_arg(args, const unsigned char *); | |
119 | len = va_arg(args, size_t); | |
120 | OPENSSL_clear_free(impl->sec, impl->seclen); | |
121 | impl->sec = OPENSSL_memdup(p, len); | |
122 | if (impl->sec == NULL) | |
1eff3485 | 123 | return 0; |
5a285add | 124 | |
0f52d9ed | 125 | impl->seclen = len; |
1eff3485 DSH |
126 | return 1; |
127 | ||
5eb43d38 P |
128 | /* TODO: This is only ever called from pkey_kdf and only as part of setting the TLS secret |
129 | consider merging the twe two?? */ | |
5a285add DM |
130 | case EVP_KDF_CTRL_RESET_TLS_SEED: |
131 | OPENSSL_cleanse(impl->seed, impl->seedlen); | |
132 | impl->seedlen = 0; | |
133 | return 1; | |
134 | ||
135 | case EVP_KDF_CTRL_ADD_TLS_SEED: | |
136 | p = va_arg(args, const unsigned char *); | |
137 | len = va_arg(args, size_t); | |
138 | if (len == 0 || p == NULL) | |
1eff3485 | 139 | return 1; |
5a285add DM |
140 | |
141 | if (len > (TLS1_PRF_MAXBUF - impl->seedlen)) | |
1eff3485 | 142 | return 0; |
5a285add DM |
143 | |
144 | memcpy(impl->seed + impl->seedlen, p, len); | |
145 | impl->seedlen += len; | |
1eff3485 DSH |
146 | return 1; |
147 | ||
148 | default: | |
149 | return -2; | |
1eff3485 DSH |
150 | } |
151 | } | |
152 | ||
5a285add DM |
153 | static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl, |
154 | const char *type, const char *value) | |
4e8cb45c | 155 | { |
3e30fa0a | 156 | if (value == NULL) { |
5a285add | 157 | KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING); |
4e8cb45c | 158 | return 0; |
3e30fa0a | 159 | } |
5a285add DM |
160 | if (strcmp(type, "digest") == 0) |
161 | return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value); | |
4e8cb45c | 162 | |
4e8cb45c | 163 | if (strcmp(type, "secret") == 0) |
5a285add DM |
164 | return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, |
165 | EVP_KDF_CTRL_SET_TLS_SECRET, value); | |
166 | ||
4e8cb45c | 167 | if (strcmp(type, "hexsecret") == 0) |
5a285add DM |
168 | return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, |
169 | EVP_KDF_CTRL_SET_TLS_SECRET, value); | |
170 | ||
4e8cb45c | 171 | if (strcmp(type, "seed") == 0) |
5a285add DM |
172 | return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, |
173 | value); | |
174 | ||
4e8cb45c | 175 | if (strcmp(type, "hexseed") == 0) |
5a285add DM |
176 | return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, |
177 | value); | |
a24a5b8c | 178 | |
4e8cb45c DSH |
179 | return -2; |
180 | } | |
181 | ||
5a285add DM |
182 | static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key, |
183 | size_t keylen) | |
1eff3485 | 184 | { |
5a285add DM |
185 | if (impl->md == NULL) { |
186 | KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); | |
f55129c7 JB |
187 | return 0; |
188 | } | |
5a285add DM |
189 | if (impl->sec == NULL) { |
190 | KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET); | |
5b277519 JB |
191 | return 0; |
192 | } | |
5a285add DM |
193 | if (impl->seedlen == 0) { |
194 | KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); | |
1eff3485 | 195 | return 0; |
3e30fa0a | 196 | } |
5a285add DM |
197 | return tls1_prf_alg(impl->md, impl->sec, impl->seclen, |
198 | impl->seed, impl->seedlen, | |
199 | key, keylen); | |
1eff3485 DSH |
200 | } |
201 | ||
d2ba8123 | 202 | const EVP_KDF tls1_prf_kdf_meth = { |
5a285add DM |
203 | EVP_KDF_TLS1_PRF, |
204 | kdf_tls1_prf_new, | |
205 | kdf_tls1_prf_free, | |
206 | kdf_tls1_prf_reset, | |
207 | kdf_tls1_prf_ctrl, | |
208 | kdf_tls1_prf_ctrl_str, | |
209 | NULL, | |
210 | kdf_tls1_prf_derive | |
1eff3485 DSH |
211 | }; |
212 | ||
0f52d9ed DM |
213 | /* |
214 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
215 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
216 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
217 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
218 | * | |
219 | * P_<hash> is an expansion function that uses a single hash function to expand | |
220 | * a secret and seed into an arbitrary quantity of output: | |
221 | * | |
222 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
223 | * HMAC_<hash>(secret, A(2) + seed) + | |
224 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
225 | * | |
226 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
227 | * is necessary to produce the required quantity of data. | |
228 | * | |
229 | * A(i) is defined as: | |
230 | * A(0) = seed | |
231 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
232 | */ | |
1eff3485 DSH |
233 | static int tls1_prf_P_hash(const EVP_MD *md, |
234 | const unsigned char *sec, size_t sec_len, | |
235 | const unsigned char *seed, size_t seed_len, | |
236 | unsigned char *out, size_t olen) | |
237 | { | |
0f52d9ed | 238 | size_t chunk; |
776796e8 | 239 | EVP_MAC *mac = NULL; |
0f52d9ed DM |
240 | EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL, *ctx_init = NULL; |
241 | unsigned char Ai[EVP_MAX_MD_SIZE]; | |
242 | size_t Ai_len; | |
1eff3485 | 243 | int ret = 0; |
776796e8 RL |
244 | OSSL_PARAM params[4]; |
245 | int mac_flags; | |
246 | const char *mdname = EVP_MD_name(md); | |
1eff3485 | 247 | |
81ff9eeb | 248 | mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_HMAC, NULL); /* Implicit fetch */ |
776796e8 | 249 | ctx_init = EVP_MAC_CTX_new(mac); |
be5fc053 | 250 | if (ctx_init == NULL) |
1eff3485 | 251 | goto err; |
776796e8 RL |
252 | |
253 | /* TODO(3.0) rethink "flags", also see hmac.c in providers */ | |
254 | mac_flags = EVP_MD_CTX_FLAG_NON_FIPS_ALLOW; | |
255 | params[0] = OSSL_PARAM_construct_int(OSSL_MAC_PARAM_FLAGS, &mac_flags); | |
703170d4 | 256 | params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, |
7f588d20 | 257 | (char *)mdname, 0); |
776796e8 RL |
258 | params[2] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
259 | (void *)sec, sec_len); | |
260 | params[3] = OSSL_PARAM_construct_end(); | |
261 | if (!EVP_MAC_CTX_set_params(ctx_init, params)) | |
1eff3485 | 262 | goto err; |
6e94b5ae | 263 | if (!EVP_MAC_init(ctx_init)) |
1eff3485 | 264 | goto err; |
0f52d9ed DM |
265 | chunk = EVP_MAC_size(ctx_init); |
266 | if (chunk == 0) | |
6e94b5ae | 267 | goto err; |
0f52d9ed | 268 | /* A(0) = seed */ |
be5fc053 KR |
269 | ctx_Ai = EVP_MAC_CTX_dup(ctx_init); |
270 | if (ctx_Ai == NULL) | |
6e94b5ae | 271 | goto err; |
0f52d9ed | 272 | if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) |
1eff3485 DSH |
273 | goto err; |
274 | ||
275 | for (;;) { | |
0f52d9ed | 276 | /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ |
776796e8 | 277 | if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) |
0f52d9ed | 278 | goto err; |
be5fc053 KR |
279 | EVP_MAC_CTX_free(ctx_Ai); |
280 | ctx_Ai = NULL; | |
0f52d9ed DM |
281 | |
282 | /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ | |
be5fc053 KR |
283 | ctx = EVP_MAC_CTX_dup(ctx_init); |
284 | if (ctx == NULL) | |
1eff3485 | 285 | goto err; |
0f52d9ed | 286 | if (!EVP_MAC_update(ctx, Ai, Ai_len)) |
1eff3485 | 287 | goto err; |
0f52d9ed | 288 | /* save state for calculating next A(i) value */ |
be5fc053 KR |
289 | if (olen > chunk) { |
290 | ctx_Ai = EVP_MAC_CTX_dup(ctx); | |
291 | if (ctx_Ai == NULL) | |
292 | goto err; | |
293 | } | |
6e94b5ae | 294 | if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) |
1eff3485 | 295 | goto err; |
0f52d9ed DM |
296 | if (olen <= chunk) { |
297 | /* last chunk - use Ai as temp bounce buffer */ | |
776796e8 | 298 | if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) |
1eff3485 | 299 | goto err; |
0f52d9ed | 300 | memcpy(out, Ai, olen); |
1eff3485 DSH |
301 | break; |
302 | } | |
776796e8 | 303 | if (!EVP_MAC_final(ctx, out, NULL, olen)) |
0f52d9ed | 304 | goto err; |
be5fc053 KR |
305 | EVP_MAC_CTX_free(ctx); |
306 | ctx = NULL; | |
0f52d9ed DM |
307 | out += chunk; |
308 | olen -= chunk; | |
1eff3485 DSH |
309 | } |
310 | ret = 1; | |
311 | err: | |
6e94b5ae | 312 | EVP_MAC_CTX_free(ctx); |
0f52d9ed | 313 | EVP_MAC_CTX_free(ctx_Ai); |
6e94b5ae | 314 | EVP_MAC_CTX_free(ctx_init); |
776796e8 | 315 | EVP_MAC_free(mac); |
0f52d9ed | 316 | OPENSSL_cleanse(Ai, sizeof(Ai)); |
1eff3485 DSH |
317 | return ret; |
318 | } | |
319 | ||
0f52d9ed DM |
320 | /* |
321 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
322 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
323 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
324 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
325 | * | |
326 | * For TLS v1.0 and TLS v1.1: | |
327 | * | |
328 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
329 | * P_SHA-1(S2, label + seed) | |
330 | * | |
331 | * S1 is taken from the first half of the secret, S2 from the second half. | |
332 | * | |
333 | * L_S = length in bytes of secret; | |
334 | * L_S1 = L_S2 = ceil(L_S / 2); | |
335 | * | |
336 | * For TLS v1.2: | |
337 | * | |
338 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
339 | */ | |
1eff3485 DSH |
340 | static int tls1_prf_alg(const EVP_MD *md, |
341 | const unsigned char *sec, size_t slen, | |
342 | const unsigned char *seed, size_t seed_len, | |
343 | unsigned char *out, size_t olen) | |
344 | { | |
1eff3485 | 345 | if (EVP_MD_type(md) == NID_md5_sha1) { |
0f52d9ed | 346 | /* TLS v1.0 and TLS v1.1 */ |
1eff3485 DSH |
347 | size_t i; |
348 | unsigned char *tmp; | |
0f52d9ed DM |
349 | /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ |
350 | size_t L_S1 = (slen + 1) / 2; | |
351 | size_t L_S2 = L_S1; | |
352 | ||
353 | if (!tls1_prf_P_hash(EVP_md5(), sec, L_S1, | |
5a285add | 354 | seed, seed_len, out, olen)) |
1eff3485 DSH |
355 | return 0; |
356 | ||
cdb10bae RS |
357 | if ((tmp = OPENSSL_malloc(olen)) == NULL) { |
358 | KDFerr(KDF_F_TLS1_PRF_ALG, ERR_R_MALLOC_FAILURE); | |
1eff3485 | 359 | return 0; |
cdb10bae | 360 | } |
0f52d9ed | 361 | if (!tls1_prf_P_hash(EVP_sha1(), sec + slen - L_S2, L_S2, |
5a285add | 362 | seed, seed_len, tmp, olen)) { |
1eff3485 DSH |
363 | OPENSSL_clear_free(tmp, olen); |
364 | return 0; | |
365 | } | |
366 | for (i = 0; i < olen; i++) | |
367 | out[i] ^= tmp[i]; | |
368 | OPENSSL_clear_free(tmp, olen); | |
369 | return 1; | |
370 | } | |
0f52d9ed DM |
371 | |
372 | /* TLS v1.2 */ | |
1eff3485 DSH |
373 | if (!tls1_prf_P_hash(md, sec, slen, seed, seed_len, out, olen)) |
374 | return 0; | |
375 | ||
376 | return 1; | |
377 | } |