]>
Commit | Line | Data |
---|---|---|
1eff3485 | 1 | /* |
b0edda11 | 2 | * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
1eff3485 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
1eff3485 DSH |
8 | */ |
9 | ||
0f52d9ed DM |
10 | /* |
11 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
12 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
13 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
14 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
15 | * | |
16 | * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: | |
17 | * | |
18 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
19 | * P_SHA-1(S2, label + seed) | |
20 | * | |
21 | * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are | |
22 | * two halves of the secret (with the possibility of one shared byte, in the | |
23 | * case where the length of the original secret is odd). S1 is taken from the | |
24 | * first half of the secret, S2 from the second half. | |
25 | * | |
26 | * For TLS v1.2 the TLS PRF algorithm is given by: | |
27 | * | |
28 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
29 | * | |
30 | * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as | |
31 | * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, | |
32 | * unless defined otherwise by the cipher suite. | |
33 | * | |
34 | * P_<hash> is an expansion function that uses a single hash function to expand | |
35 | * a secret and seed into an arbitrary quantity of output: | |
36 | * | |
37 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
38 | * HMAC_<hash>(secret, A(2) + seed) + | |
39 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
40 | * | |
41 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
42 | * is necessary to produce the required quantity of data. | |
43 | * | |
44 | * A(i) is defined as: | |
45 | * A(0) = seed | |
46 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
47 | */ | |
1eff3485 | 48 | #include <stdio.h> |
5a285add DM |
49 | #include <stdarg.h> |
50 | #include <string.h> | |
1eff3485 | 51 | #include "internal/cryptlib.h" |
1eff3485 | 52 | #include <openssl/evp.h> |
5a285add | 53 | #include <openssl/kdf.h> |
776796e8 RL |
54 | #include <openssl/core_names.h> |
55 | #include <openssl/params.h> | |
1eff3485 | 56 | #include "internal/evp_int.h" |
5a285add | 57 | #include "kdf_local.h" |
1eff3485 | 58 | |
5a285add | 59 | static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl); |
1eff3485 DSH |
60 | static int tls1_prf_alg(const EVP_MD *md, |
61 | const unsigned char *sec, size_t slen, | |
62 | const unsigned char *seed, size_t seed_len, | |
63 | unsigned char *out, size_t olen); | |
64 | ||
65 | #define TLS1_PRF_MAXBUF 1024 | |
66 | ||
5a285add | 67 | /* TLS KDF kdf context structure */ |
1eff3485 | 68 | |
5a285add | 69 | struct evp_kdf_impl_st { |
1eff3485 DSH |
70 | /* Digest to use for PRF */ |
71 | const EVP_MD *md; | |
72 | /* Secret value to use for PRF */ | |
73 | unsigned char *sec; | |
74 | size_t seclen; | |
75 | /* Buffer of concatenated seed data */ | |
76 | unsigned char seed[TLS1_PRF_MAXBUF]; | |
77 | size_t seedlen; | |
5a285add | 78 | }; |
1eff3485 | 79 | |
5a285add | 80 | static EVP_KDF_IMPL *kdf_tls1_prf_new(void) |
1eff3485 | 81 | { |
5a285add | 82 | EVP_KDF_IMPL *impl; |
1eff3485 | 83 | |
5a285add DM |
84 | if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) |
85 | KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE); | |
86 | return impl; | |
87 | } | |
1eff3485 | 88 | |
5a285add DM |
89 | static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl) |
90 | { | |
91 | kdf_tls1_prf_reset(impl); | |
92 | OPENSSL_free(impl); | |
1eff3485 DSH |
93 | } |
94 | ||
5a285add | 95 | static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl) |
1eff3485 | 96 | { |
5a285add DM |
97 | OPENSSL_clear_free(impl->sec, impl->seclen); |
98 | OPENSSL_cleanse(impl->seed, impl->seedlen); | |
99 | memset(impl, 0, sizeof(*impl)); | |
1eff3485 DSH |
100 | } |
101 | ||
5a285add | 102 | static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) |
1eff3485 | 103 | { |
5a285add DM |
104 | const unsigned char *p; |
105 | size_t len; | |
106 | const EVP_MD *md; | |
1eff3485 | 107 | |
5a285add DM |
108 | switch (cmd) { |
109 | case EVP_KDF_CTRL_SET_MD: | |
110 | md = va_arg(args, const EVP_MD *); | |
111 | if (md == NULL) | |
1eff3485 | 112 | return 0; |
5a285add DM |
113 | |
114 | impl->md = md; | |
115 | return 1; | |
116 | ||
117 | case EVP_KDF_CTRL_SET_TLS_SECRET: | |
118 | p = va_arg(args, const unsigned char *); | |
119 | len = va_arg(args, size_t); | |
120 | OPENSSL_clear_free(impl->sec, impl->seclen); | |
121 | impl->sec = OPENSSL_memdup(p, len); | |
122 | if (impl->sec == NULL) | |
1eff3485 | 123 | return 0; |
5a285add | 124 | |
0f52d9ed | 125 | impl->seclen = len; |
1eff3485 DSH |
126 | return 1; |
127 | ||
5a285add DM |
128 | case EVP_KDF_CTRL_RESET_TLS_SEED: |
129 | OPENSSL_cleanse(impl->seed, impl->seedlen); | |
130 | impl->seedlen = 0; | |
131 | return 1; | |
132 | ||
133 | case EVP_KDF_CTRL_ADD_TLS_SEED: | |
134 | p = va_arg(args, const unsigned char *); | |
135 | len = va_arg(args, size_t); | |
136 | if (len == 0 || p == NULL) | |
1eff3485 | 137 | return 1; |
5a285add DM |
138 | |
139 | if (len > (TLS1_PRF_MAXBUF - impl->seedlen)) | |
1eff3485 | 140 | return 0; |
5a285add DM |
141 | |
142 | memcpy(impl->seed + impl->seedlen, p, len); | |
143 | impl->seedlen += len; | |
1eff3485 DSH |
144 | return 1; |
145 | ||
146 | default: | |
147 | return -2; | |
1eff3485 DSH |
148 | } |
149 | } | |
150 | ||
5a285add DM |
151 | static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl, |
152 | const char *type, const char *value) | |
4e8cb45c | 153 | { |
3e30fa0a | 154 | if (value == NULL) { |
5a285add | 155 | KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING); |
4e8cb45c | 156 | return 0; |
3e30fa0a | 157 | } |
5a285add DM |
158 | if (strcmp(type, "digest") == 0) |
159 | return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value); | |
4e8cb45c | 160 | |
4e8cb45c | 161 | if (strcmp(type, "secret") == 0) |
5a285add DM |
162 | return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, |
163 | EVP_KDF_CTRL_SET_TLS_SECRET, value); | |
164 | ||
4e8cb45c | 165 | if (strcmp(type, "hexsecret") == 0) |
5a285add DM |
166 | return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, |
167 | EVP_KDF_CTRL_SET_TLS_SECRET, value); | |
168 | ||
4e8cb45c | 169 | if (strcmp(type, "seed") == 0) |
5a285add DM |
170 | return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, |
171 | value); | |
172 | ||
4e8cb45c | 173 | if (strcmp(type, "hexseed") == 0) |
5a285add DM |
174 | return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, |
175 | value); | |
a24a5b8c | 176 | |
4e8cb45c DSH |
177 | return -2; |
178 | } | |
179 | ||
5a285add DM |
180 | static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key, |
181 | size_t keylen) | |
1eff3485 | 182 | { |
5a285add DM |
183 | if (impl->md == NULL) { |
184 | KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); | |
f55129c7 JB |
185 | return 0; |
186 | } | |
5a285add DM |
187 | if (impl->sec == NULL) { |
188 | KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET); | |
5b277519 JB |
189 | return 0; |
190 | } | |
5a285add DM |
191 | if (impl->seedlen == 0) { |
192 | KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); | |
1eff3485 | 193 | return 0; |
3e30fa0a | 194 | } |
5a285add DM |
195 | return tls1_prf_alg(impl->md, impl->sec, impl->seclen, |
196 | impl->seed, impl->seedlen, | |
197 | key, keylen); | |
1eff3485 DSH |
198 | } |
199 | ||
d2ba8123 | 200 | const EVP_KDF tls1_prf_kdf_meth = { |
5a285add DM |
201 | EVP_KDF_TLS1_PRF, |
202 | kdf_tls1_prf_new, | |
203 | kdf_tls1_prf_free, | |
204 | kdf_tls1_prf_reset, | |
205 | kdf_tls1_prf_ctrl, | |
206 | kdf_tls1_prf_ctrl_str, | |
207 | NULL, | |
208 | kdf_tls1_prf_derive | |
1eff3485 DSH |
209 | }; |
210 | ||
0f52d9ed DM |
211 | /* |
212 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
213 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
214 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
215 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
216 | * | |
217 | * P_<hash> is an expansion function that uses a single hash function to expand | |
218 | * a secret and seed into an arbitrary quantity of output: | |
219 | * | |
220 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
221 | * HMAC_<hash>(secret, A(2) + seed) + | |
222 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
223 | * | |
224 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
225 | * is necessary to produce the required quantity of data. | |
226 | * | |
227 | * A(i) is defined as: | |
228 | * A(0) = seed | |
229 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
230 | */ | |
1eff3485 DSH |
231 | static int tls1_prf_P_hash(const EVP_MD *md, |
232 | const unsigned char *sec, size_t sec_len, | |
233 | const unsigned char *seed, size_t seed_len, | |
234 | unsigned char *out, size_t olen) | |
235 | { | |
0f52d9ed | 236 | size_t chunk; |
776796e8 | 237 | EVP_MAC *mac = NULL; |
0f52d9ed DM |
238 | EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL, *ctx_init = NULL; |
239 | unsigned char Ai[EVP_MAX_MD_SIZE]; | |
240 | size_t Ai_len; | |
1eff3485 | 241 | int ret = 0; |
776796e8 RL |
242 | OSSL_PARAM params[4]; |
243 | int mac_flags; | |
244 | const char *mdname = EVP_MD_name(md); | |
1eff3485 | 245 | |
81ff9eeb | 246 | mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_HMAC, NULL); /* Implicit fetch */ |
776796e8 | 247 | ctx_init = EVP_MAC_CTX_new(mac); |
be5fc053 | 248 | if (ctx_init == NULL) |
1eff3485 | 249 | goto err; |
776796e8 RL |
250 | |
251 | /* TODO(3.0) rethink "flags", also see hmac.c in providers */ | |
252 | mac_flags = EVP_MD_CTX_FLAG_NON_FIPS_ALLOW; | |
253 | params[0] = OSSL_PARAM_construct_int(OSSL_MAC_PARAM_FLAGS, &mac_flags); | |
703170d4 | 254 | params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, |
7f588d20 | 255 | (char *)mdname, 0); |
776796e8 RL |
256 | params[2] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
257 | (void *)sec, sec_len); | |
258 | params[3] = OSSL_PARAM_construct_end(); | |
259 | if (!EVP_MAC_CTX_set_params(ctx_init, params)) | |
1eff3485 | 260 | goto err; |
6e94b5ae | 261 | if (!EVP_MAC_init(ctx_init)) |
1eff3485 | 262 | goto err; |
0f52d9ed DM |
263 | chunk = EVP_MAC_size(ctx_init); |
264 | if (chunk == 0) | |
6e94b5ae | 265 | goto err; |
0f52d9ed | 266 | /* A(0) = seed */ |
be5fc053 KR |
267 | ctx_Ai = EVP_MAC_CTX_dup(ctx_init); |
268 | if (ctx_Ai == NULL) | |
6e94b5ae | 269 | goto err; |
0f52d9ed | 270 | if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) |
1eff3485 DSH |
271 | goto err; |
272 | ||
273 | for (;;) { | |
0f52d9ed | 274 | /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ |
776796e8 | 275 | if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) |
0f52d9ed | 276 | goto err; |
be5fc053 KR |
277 | EVP_MAC_CTX_free(ctx_Ai); |
278 | ctx_Ai = NULL; | |
0f52d9ed DM |
279 | |
280 | /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ | |
be5fc053 KR |
281 | ctx = EVP_MAC_CTX_dup(ctx_init); |
282 | if (ctx == NULL) | |
1eff3485 | 283 | goto err; |
0f52d9ed | 284 | if (!EVP_MAC_update(ctx, Ai, Ai_len)) |
1eff3485 | 285 | goto err; |
0f52d9ed | 286 | /* save state for calculating next A(i) value */ |
be5fc053 KR |
287 | if (olen > chunk) { |
288 | ctx_Ai = EVP_MAC_CTX_dup(ctx); | |
289 | if (ctx_Ai == NULL) | |
290 | goto err; | |
291 | } | |
6e94b5ae | 292 | if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) |
1eff3485 | 293 | goto err; |
0f52d9ed DM |
294 | if (olen <= chunk) { |
295 | /* last chunk - use Ai as temp bounce buffer */ | |
776796e8 | 296 | if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) |
1eff3485 | 297 | goto err; |
0f52d9ed | 298 | memcpy(out, Ai, olen); |
1eff3485 DSH |
299 | break; |
300 | } | |
776796e8 | 301 | if (!EVP_MAC_final(ctx, out, NULL, olen)) |
0f52d9ed | 302 | goto err; |
be5fc053 KR |
303 | EVP_MAC_CTX_free(ctx); |
304 | ctx = NULL; | |
0f52d9ed DM |
305 | out += chunk; |
306 | olen -= chunk; | |
1eff3485 DSH |
307 | } |
308 | ret = 1; | |
309 | err: | |
6e94b5ae | 310 | EVP_MAC_CTX_free(ctx); |
0f52d9ed | 311 | EVP_MAC_CTX_free(ctx_Ai); |
6e94b5ae | 312 | EVP_MAC_CTX_free(ctx_init); |
776796e8 | 313 | EVP_MAC_free(mac); |
0f52d9ed | 314 | OPENSSL_cleanse(Ai, sizeof(Ai)); |
1eff3485 DSH |
315 | return ret; |
316 | } | |
317 | ||
0f52d9ed DM |
318 | /* |
319 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
320 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
321 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
322 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
323 | * | |
324 | * For TLS v1.0 and TLS v1.1: | |
325 | * | |
326 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
327 | * P_SHA-1(S2, label + seed) | |
328 | * | |
329 | * S1 is taken from the first half of the secret, S2 from the second half. | |
330 | * | |
331 | * L_S = length in bytes of secret; | |
332 | * L_S1 = L_S2 = ceil(L_S / 2); | |
333 | * | |
334 | * For TLS v1.2: | |
335 | * | |
336 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
337 | */ | |
1eff3485 DSH |
338 | static int tls1_prf_alg(const EVP_MD *md, |
339 | const unsigned char *sec, size_t slen, | |
340 | const unsigned char *seed, size_t seed_len, | |
341 | unsigned char *out, size_t olen) | |
342 | { | |
1eff3485 | 343 | if (EVP_MD_type(md) == NID_md5_sha1) { |
0f52d9ed | 344 | /* TLS v1.0 and TLS v1.1 */ |
1eff3485 DSH |
345 | size_t i; |
346 | unsigned char *tmp; | |
0f52d9ed DM |
347 | /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ |
348 | size_t L_S1 = (slen + 1) / 2; | |
349 | size_t L_S2 = L_S1; | |
350 | ||
351 | if (!tls1_prf_P_hash(EVP_md5(), sec, L_S1, | |
5a285add | 352 | seed, seed_len, out, olen)) |
1eff3485 DSH |
353 | return 0; |
354 | ||
cdb10bae RS |
355 | if ((tmp = OPENSSL_malloc(olen)) == NULL) { |
356 | KDFerr(KDF_F_TLS1_PRF_ALG, ERR_R_MALLOC_FAILURE); | |
1eff3485 | 357 | return 0; |
cdb10bae | 358 | } |
0f52d9ed | 359 | if (!tls1_prf_P_hash(EVP_sha1(), sec + slen - L_S2, L_S2, |
5a285add | 360 | seed, seed_len, tmp, olen)) { |
1eff3485 DSH |
361 | OPENSSL_clear_free(tmp, olen); |
362 | return 0; | |
363 | } | |
364 | for (i = 0; i < olen; i++) | |
365 | out[i] ^= tmp[i]; | |
366 | OPENSSL_clear_free(tmp, olen); | |
367 | return 1; | |
368 | } | |
0f52d9ed DM |
369 | |
370 | /* TLS v1.2 */ | |
1eff3485 DSH |
371 | if (!tls1_prf_P_hash(md, sec, slen, seed, seed_len, out, olen)) |
372 | return 0; | |
373 | ||
374 | return 1; | |
375 | } |