]>
Commit | Line | Data |
---|---|---|
1eff3485 | 1 | /* |
e3405a4a | 2 | * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. |
1eff3485 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
1eff3485 DSH |
8 | */ |
9 | ||
0f52d9ed DM |
10 | /* |
11 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
12 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
13 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
14 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
15 | * | |
16 | * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: | |
17 | * | |
18 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
19 | * P_SHA-1(S2, label + seed) | |
20 | * | |
21 | * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are | |
22 | * two halves of the secret (with the possibility of one shared byte, in the | |
23 | * case where the length of the original secret is odd). S1 is taken from the | |
24 | * first half of the secret, S2 from the second half. | |
25 | * | |
26 | * For TLS v1.2 the TLS PRF algorithm is given by: | |
27 | * | |
28 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
29 | * | |
30 | * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as | |
31 | * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, | |
32 | * unless defined otherwise by the cipher suite. | |
33 | * | |
34 | * P_<hash> is an expansion function that uses a single hash function to expand | |
35 | * a secret and seed into an arbitrary quantity of output: | |
36 | * | |
37 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
38 | * HMAC_<hash>(secret, A(2) + seed) + | |
39 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
40 | * | |
41 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
42 | * is necessary to produce the required quantity of data. | |
43 | * | |
44 | * A(i) is defined as: | |
45 | * A(0) = seed | |
46 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
47 | */ | |
1eff3485 | 48 | #include <stdio.h> |
5a285add DM |
49 | #include <stdarg.h> |
50 | #include <string.h> | |
1eff3485 | 51 | #include <openssl/evp.h> |
5a285add | 52 | #include <openssl/kdf.h> |
776796e8 RL |
53 | #include <openssl/core_names.h> |
54 | #include <openssl/params.h> | |
e3405a4a P |
55 | #include "internal/cryptlib.h" |
56 | #include "internal/numbers.h" | |
1eff3485 | 57 | #include "internal/evp_int.h" |
e3405a4a P |
58 | #include "internal/provider_ctx.h" |
59 | #include "internal/providercommonerr.h" | |
60 | #include "internal/provider_algs.h" | |
0f0db4dc | 61 | #include "internal/provider_util.h" |
e3405a4a P |
62 | #include "e_os.h" |
63 | ||
64 | static OSSL_OP_kdf_newctx_fn kdf_tls1_prf_new; | |
65 | static OSSL_OP_kdf_freectx_fn kdf_tls1_prf_free; | |
66 | static OSSL_OP_kdf_reset_fn kdf_tls1_prf_reset; | |
67 | static OSSL_OP_kdf_derive_fn kdf_tls1_prf_derive; | |
68 | static OSSL_OP_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; | |
69 | static OSSL_OP_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params; | |
70 | ||
9a92bf1b | 71 | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
1eff3485 DSH |
72 | const unsigned char *sec, size_t slen, |
73 | const unsigned char *seed, size_t seed_len, | |
74 | unsigned char *out, size_t olen); | |
75 | ||
76 | #define TLS1_PRF_MAXBUF 1024 | |
77 | ||
5a285add | 78 | /* TLS KDF kdf context structure */ |
e3405a4a P |
79 | typedef struct { |
80 | void *provctx; | |
9a92bf1b RL |
81 | |
82 | /* MAC context for the main digest */ | |
83 | EVP_MAC_CTX *P_hash; | |
84 | /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */ | |
85 | EVP_MAC_CTX *P_sha1; | |
86 | ||
1eff3485 DSH |
87 | /* Secret value to use for PRF */ |
88 | unsigned char *sec; | |
89 | size_t seclen; | |
90 | /* Buffer of concatenated seed data */ | |
91 | unsigned char seed[TLS1_PRF_MAXBUF]; | |
92 | size_t seedlen; | |
e3405a4a | 93 | } TLS1_PRF; |
1eff3485 | 94 | |
e3405a4a | 95 | static void *kdf_tls1_prf_new(void *provctx) |
1eff3485 | 96 | { |
e3405a4a | 97 | TLS1_PRF *ctx; |
1eff3485 | 98 | |
e3405a4a P |
99 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) |
100 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
101 | ctx->provctx = provctx; | |
102 | return ctx; | |
5a285add | 103 | } |
1eff3485 | 104 | |
e3405a4a | 105 | static void kdf_tls1_prf_free(void *vctx) |
5a285add | 106 | { |
e3405a4a P |
107 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
108 | ||
109 | kdf_tls1_prf_reset(ctx); | |
e3405a4a | 110 | OPENSSL_free(ctx); |
1eff3485 DSH |
111 | } |
112 | ||
e3405a4a | 113 | static void kdf_tls1_prf_reset(void *vctx) |
1eff3485 | 114 | { |
e3405a4a P |
115 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
116 | ||
9a92bf1b RL |
117 | EVP_MAC_CTX_free(ctx->P_hash); |
118 | EVP_MAC_CTX_free(ctx->P_sha1); | |
e3405a4a P |
119 | OPENSSL_clear_free(ctx->sec, ctx->seclen); |
120 | OPENSSL_cleanse(ctx->seed, ctx->seedlen); | |
121 | memset(ctx, 0, sizeof(*ctx)); | |
1eff3485 DSH |
122 | } |
123 | ||
e3405a4a P |
124 | static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, |
125 | size_t keylen) | |
1eff3485 | 126 | { |
e3405a4a | 127 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
5a285add | 128 | |
9a92bf1b | 129 | if (ctx->P_hash == NULL) { |
e3405a4a P |
130 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
131 | return 0; | |
132 | } | |
133 | if (ctx->sec == NULL) { | |
134 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); | |
135 | return 0; | |
136 | } | |
137 | if (ctx->seedlen == 0) { | |
138 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED); | |
139 | return 0; | |
140 | } | |
9a92bf1b RL |
141 | |
142 | return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, | |
0f0db4dc | 143 | ctx->sec, ctx->seclen, |
e3405a4a P |
144 | ctx->seed, ctx->seedlen, |
145 | key, keylen); | |
146 | } | |
5a285add | 147 | |
e3405a4a P |
148 | static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
149 | { | |
150 | const OSSL_PARAM *p; | |
151 | TLS1_PRF *ctx = vctx; | |
9a92bf1b RL |
152 | OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(ctx->provctx); |
153 | ||
154 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { | |
9a92bf1b | 155 | if (strcasecmp(p->data, SN_md5_sha1) == 0) { |
4e8b8e47 RL |
156 | if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, |
157 | OSSL_MAC_NAME_HMAC, | |
158 | NULL, SN_md5, libctx) | |
159 | || !ossl_prov_macctx_load_from_params(&ctx->P_sha1, params, | |
160 | OSSL_MAC_NAME_HMAC, | |
161 | NULL, SN_sha1, libctx)) | |
162 | return 0; | |
9a92bf1b | 163 | } else { |
4e8b8e47 RL |
164 | EVP_MAC_CTX_free(ctx->P_sha1); |
165 | if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, | |
166 | OSSL_MAC_NAME_HMAC, | |
167 | NULL, NULL, libctx)) | |
168 | return 0; | |
9a92bf1b | 169 | } |
e3405a4a | 170 | } |
5a285add | 171 | |
e3405a4a P |
172 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { |
173 | OPENSSL_clear_free(ctx->sec, ctx->seclen); | |
174 | ctx->sec = NULL; | |
175 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sec, 0, &ctx->seclen)) | |
176 | return 0; | |
1eff3485 | 177 | } |
e3405a4a P |
178 | /* The seed fields concatenate, so process them all */ |
179 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED)) != NULL) { | |
180 | OPENSSL_cleanse(ctx->seed, ctx->seedlen); | |
181 | ctx->seedlen = 0; | |
182 | ||
183 | for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, | |
184 | OSSL_KDF_PARAM_SEED)) { | |
185 | const void *q = ctx->seed + ctx->seedlen; | |
186 | size_t sz = 0; | |
187 | ||
188 | if (p->data_size != 0 | |
189 | && p->data != NULL | |
190 | && !OSSL_PARAM_get_octet_string(p, (void **)&q, | |
191 | TLS1_PRF_MAXBUF - ctx->seedlen, | |
192 | &sz)) | |
193 | return 0; | |
194 | ctx->seedlen += sz; | |
195 | } | |
196 | } | |
197 | return 1; | |
1eff3485 DSH |
198 | } |
199 | ||
e3405a4a | 200 | static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(void) |
4e8cb45c | 201 | { |
e3405a4a P |
202 | static const OSSL_PARAM known_settable_ctx_params[] = { |
203 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), | |
204 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), | |
205 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), | |
206 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0), | |
207 | OSSL_PARAM_END | |
208 | }; | |
209 | return known_settable_ctx_params; | |
210 | } | |
5a285add | 211 | |
e3405a4a P |
212 | static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
213 | { | |
214 | OSSL_PARAM *p; | |
a24a5b8c | 215 | |
e3405a4a P |
216 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) |
217 | return OSSL_PARAM_set_size_t(p, SIZE_MAX); | |
4e8cb45c DSH |
218 | return -2; |
219 | } | |
220 | ||
e3405a4a | 221 | static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(void) |
1eff3485 | 222 | { |
e3405a4a P |
223 | static const OSSL_PARAM known_gettable_ctx_params[] = { |
224 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
225 | OSSL_PARAM_END | |
226 | }; | |
227 | return known_gettable_ctx_params; | |
1eff3485 DSH |
228 | } |
229 | ||
e3405a4a P |
230 | const OSSL_DISPATCH kdf_tls1_prf_functions[] = { |
231 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new }, | |
232 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free }, | |
233 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset }, | |
234 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive }, | |
235 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
236 | (void(*)(void))kdf_tls1_prf_settable_ctx_params }, | |
237 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, | |
238 | (void(*)(void))kdf_tls1_prf_set_ctx_params }, | |
239 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
240 | (void(*)(void))kdf_tls1_prf_gettable_ctx_params }, | |
241 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, | |
242 | (void(*)(void))kdf_tls1_prf_get_ctx_params }, | |
243 | { 0, NULL } | |
1eff3485 DSH |
244 | }; |
245 | ||
0f52d9ed DM |
246 | /* |
247 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
248 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
249 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
250 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
251 | * | |
252 | * P_<hash> is an expansion function that uses a single hash function to expand | |
253 | * a secret and seed into an arbitrary quantity of output: | |
254 | * | |
255 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
256 | * HMAC_<hash>(secret, A(2) + seed) + | |
257 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
258 | * | |
259 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
260 | * is necessary to produce the required quantity of data. | |
261 | * | |
262 | * A(i) is defined as: | |
263 | * A(0) = seed | |
264 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
265 | */ | |
9a92bf1b | 266 | static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, |
1eff3485 DSH |
267 | const unsigned char *sec, size_t sec_len, |
268 | const unsigned char *seed, size_t seed_len, | |
269 | unsigned char *out, size_t olen) | |
270 | { | |
0f52d9ed | 271 | size_t chunk; |
9a92bf1b | 272 | EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; |
0f52d9ed DM |
273 | unsigned char Ai[EVP_MAX_MD_SIZE]; |
274 | size_t Ai_len; | |
1eff3485 | 275 | int ret = 0; |
9a92bf1b | 276 | OSSL_PARAM params[2], *p = params; |
776796e8 | 277 | |
9a92bf1b RL |
278 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
279 | (void *)sec, sec_len); | |
280 | *p = OSSL_PARAM_construct_end(); | |
776796e8 | 281 | if (!EVP_MAC_CTX_set_params(ctx_init, params)) |
1eff3485 | 282 | goto err; |
6e94b5ae | 283 | if (!EVP_MAC_init(ctx_init)) |
1eff3485 | 284 | goto err; |
0f52d9ed DM |
285 | chunk = EVP_MAC_size(ctx_init); |
286 | if (chunk == 0) | |
6e94b5ae | 287 | goto err; |
0f52d9ed | 288 | /* A(0) = seed */ |
be5fc053 KR |
289 | ctx_Ai = EVP_MAC_CTX_dup(ctx_init); |
290 | if (ctx_Ai == NULL) | |
6e94b5ae | 291 | goto err; |
0f52d9ed | 292 | if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) |
1eff3485 DSH |
293 | goto err; |
294 | ||
295 | for (;;) { | |
0f52d9ed | 296 | /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ |
776796e8 | 297 | if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) |
0f52d9ed | 298 | goto err; |
be5fc053 KR |
299 | EVP_MAC_CTX_free(ctx_Ai); |
300 | ctx_Ai = NULL; | |
0f52d9ed DM |
301 | |
302 | /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ | |
be5fc053 KR |
303 | ctx = EVP_MAC_CTX_dup(ctx_init); |
304 | if (ctx == NULL) | |
1eff3485 | 305 | goto err; |
0f52d9ed | 306 | if (!EVP_MAC_update(ctx, Ai, Ai_len)) |
1eff3485 | 307 | goto err; |
0f52d9ed | 308 | /* save state for calculating next A(i) value */ |
be5fc053 KR |
309 | if (olen > chunk) { |
310 | ctx_Ai = EVP_MAC_CTX_dup(ctx); | |
311 | if (ctx_Ai == NULL) | |
312 | goto err; | |
313 | } | |
6e94b5ae | 314 | if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) |
1eff3485 | 315 | goto err; |
0f52d9ed DM |
316 | if (olen <= chunk) { |
317 | /* last chunk - use Ai as temp bounce buffer */ | |
776796e8 | 318 | if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) |
1eff3485 | 319 | goto err; |
0f52d9ed | 320 | memcpy(out, Ai, olen); |
1eff3485 DSH |
321 | break; |
322 | } | |
776796e8 | 323 | if (!EVP_MAC_final(ctx, out, NULL, olen)) |
0f52d9ed | 324 | goto err; |
be5fc053 KR |
325 | EVP_MAC_CTX_free(ctx); |
326 | ctx = NULL; | |
0f52d9ed DM |
327 | out += chunk; |
328 | olen -= chunk; | |
1eff3485 DSH |
329 | } |
330 | ret = 1; | |
331 | err: | |
6e94b5ae | 332 | EVP_MAC_CTX_free(ctx); |
0f52d9ed | 333 | EVP_MAC_CTX_free(ctx_Ai); |
0f52d9ed | 334 | OPENSSL_cleanse(Ai, sizeof(Ai)); |
1eff3485 DSH |
335 | return ret; |
336 | } | |
337 | ||
0f52d9ed DM |
338 | /* |
339 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
340 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
341 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
342 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
343 | * | |
344 | * For TLS v1.0 and TLS v1.1: | |
345 | * | |
346 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
347 | * P_SHA-1(S2, label + seed) | |
348 | * | |
349 | * S1 is taken from the first half of the secret, S2 from the second half. | |
350 | * | |
351 | * L_S = length in bytes of secret; | |
352 | * L_S1 = L_S2 = ceil(L_S / 2); | |
353 | * | |
354 | * For TLS v1.2: | |
355 | * | |
356 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
357 | */ | |
9a92bf1b | 358 | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
1eff3485 DSH |
359 | const unsigned char *sec, size_t slen, |
360 | const unsigned char *seed, size_t seed_len, | |
361 | unsigned char *out, size_t olen) | |
362 | { | |
9a92bf1b | 363 | if (sha1ctx != NULL) { |
0f52d9ed | 364 | /* TLS v1.0 and TLS v1.1 */ |
1eff3485 DSH |
365 | size_t i; |
366 | unsigned char *tmp; | |
0f52d9ed DM |
367 | /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ |
368 | size_t L_S1 = (slen + 1) / 2; | |
369 | size_t L_S2 = L_S1; | |
370 | ||
9a92bf1b | 371 | if (!tls1_prf_P_hash(mdctx, sec, L_S1, |
5a285add | 372 | seed, seed_len, out, olen)) |
1eff3485 DSH |
373 | return 0; |
374 | ||
cdb10bae | 375 | if ((tmp = OPENSSL_malloc(olen)) == NULL) { |
e3405a4a | 376 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
1eff3485 | 377 | return 0; |
cdb10bae | 378 | } |
9a92bf1b RL |
379 | |
380 | if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2, | |
5a285add | 381 | seed, seed_len, tmp, olen)) { |
1eff3485 DSH |
382 | OPENSSL_clear_free(tmp, olen); |
383 | return 0; | |
384 | } | |
385 | for (i = 0; i < olen; i++) | |
386 | out[i] ^= tmp[i]; | |
387 | OPENSSL_clear_free(tmp, olen); | |
388 | return 1; | |
389 | } | |
0f52d9ed DM |
390 | |
391 | /* TLS v1.2 */ | |
9a92bf1b | 392 | if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen)) |
1eff3485 DSH |
393 | return 0; |
394 | ||
395 | return 1; | |
396 | } |