]>
Commit | Line | Data |
---|---|---|
1eff3485 | 1 | /* |
fbd2ece1 | 2 | * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. |
1eff3485 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
1eff3485 DSH |
8 | */ |
9 | ||
0f52d9ed DM |
10 | /* |
11 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
12 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
13 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
14 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
15 | * | |
16 | * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: | |
17 | * | |
18 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
19 | * P_SHA-1(S2, label + seed) | |
20 | * | |
21 | * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are | |
22 | * two halves of the secret (with the possibility of one shared byte, in the | |
23 | * case where the length of the original secret is odd). S1 is taken from the | |
24 | * first half of the secret, S2 from the second half. | |
25 | * | |
26 | * For TLS v1.2 the TLS PRF algorithm is given by: | |
27 | * | |
28 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
29 | * | |
30 | * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as | |
31 | * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, | |
32 | * unless defined otherwise by the cipher suite. | |
33 | * | |
34 | * P_<hash> is an expansion function that uses a single hash function to expand | |
35 | * a secret and seed into an arbitrary quantity of output: | |
36 | * | |
37 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
38 | * HMAC_<hash>(secret, A(2) + seed) + | |
39 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
40 | * | |
41 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
42 | * is necessary to produce the required quantity of data. | |
43 | * | |
44 | * A(i) is defined as: | |
45 | * A(0) = seed | |
46 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
47 | */ | |
1eff3485 | 48 | #include <stdio.h> |
5a285add DM |
49 | #include <stdarg.h> |
50 | #include <string.h> | |
1eff3485 | 51 | #include <openssl/evp.h> |
5a285add | 52 | #include <openssl/kdf.h> |
776796e8 RL |
53 | #include <openssl/core_names.h> |
54 | #include <openssl/params.h> | |
e3405a4a P |
55 | #include "internal/cryptlib.h" |
56 | #include "internal/numbers.h" | |
25f2138b | 57 | #include "crypto/evp.h" |
ddd21319 | 58 | #include "prov/provider_ctx.h" |
2b9e4e95 | 59 | #include "prov/providercommon.h" |
ddd21319 | 60 | #include "prov/providercommonerr.h" |
af3e7e1b | 61 | #include "prov/implementations.h" |
ddd21319 | 62 | #include "prov/provider_util.h" |
e3405a4a P |
63 | #include "e_os.h" |
64 | ||
363b1e5d DMSP |
65 | static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; |
66 | static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free; | |
67 | static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset; | |
68 | static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive; | |
69 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; | |
70 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params; | |
af5e1e85 P |
71 | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; |
72 | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_prf_get_ctx_params; | |
e3405a4a | 73 | |
9a92bf1b | 74 | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
1eff3485 DSH |
75 | const unsigned char *sec, size_t slen, |
76 | const unsigned char *seed, size_t seed_len, | |
77 | unsigned char *out, size_t olen); | |
78 | ||
79 | #define TLS1_PRF_MAXBUF 1024 | |
80 | ||
5a285add | 81 | /* TLS KDF kdf context structure */ |
e3405a4a P |
82 | typedef struct { |
83 | void *provctx; | |
9a92bf1b RL |
84 | |
85 | /* MAC context for the main digest */ | |
86 | EVP_MAC_CTX *P_hash; | |
87 | /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */ | |
88 | EVP_MAC_CTX *P_sha1; | |
89 | ||
1eff3485 DSH |
90 | /* Secret value to use for PRF */ |
91 | unsigned char *sec; | |
92 | size_t seclen; | |
93 | /* Buffer of concatenated seed data */ | |
94 | unsigned char seed[TLS1_PRF_MAXBUF]; | |
95 | size_t seedlen; | |
e3405a4a | 96 | } TLS1_PRF; |
1eff3485 | 97 | |
e3405a4a | 98 | static void *kdf_tls1_prf_new(void *provctx) |
1eff3485 | 99 | { |
e3405a4a | 100 | TLS1_PRF *ctx; |
1eff3485 | 101 | |
2b9e4e95 P |
102 | if (!ossl_prov_is_running()) |
103 | return NULL; | |
104 | ||
e3405a4a P |
105 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) |
106 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
107 | ctx->provctx = provctx; | |
108 | return ctx; | |
5a285add | 109 | } |
1eff3485 | 110 | |
e3405a4a | 111 | static void kdf_tls1_prf_free(void *vctx) |
5a285add | 112 | { |
e3405a4a P |
113 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
114 | ||
3c659415 P |
115 | if (ctx != NULL) { |
116 | kdf_tls1_prf_reset(ctx); | |
117 | OPENSSL_free(ctx); | |
118 | } | |
1eff3485 DSH |
119 | } |
120 | ||
e3405a4a | 121 | static void kdf_tls1_prf_reset(void *vctx) |
1eff3485 | 122 | { |
e3405a4a | 123 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
0577959c | 124 | void *provctx = ctx->provctx; |
e3405a4a | 125 | |
865adf97 MC |
126 | EVP_MAC_CTX_free(ctx->P_hash); |
127 | EVP_MAC_CTX_free(ctx->P_sha1); | |
e3405a4a P |
128 | OPENSSL_clear_free(ctx->sec, ctx->seclen); |
129 | OPENSSL_cleanse(ctx->seed, ctx->seedlen); | |
130 | memset(ctx, 0, sizeof(*ctx)); | |
0577959c | 131 | ctx->provctx = provctx; |
1eff3485 DSH |
132 | } |
133 | ||
e3405a4a P |
134 | static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, |
135 | size_t keylen) | |
1eff3485 | 136 | { |
e3405a4a | 137 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
5a285add | 138 | |
2b9e4e95 P |
139 | if (!ossl_prov_is_running()) |
140 | return 0; | |
141 | ||
9a92bf1b | 142 | if (ctx->P_hash == NULL) { |
e3405a4a P |
143 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
144 | return 0; | |
145 | } | |
146 | if (ctx->sec == NULL) { | |
147 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); | |
148 | return 0; | |
149 | } | |
150 | if (ctx->seedlen == 0) { | |
151 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED); | |
152 | return 0; | |
153 | } | |
1cae59d1 JS |
154 | if (keylen == 0) { |
155 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); | |
156 | return 0; | |
157 | } | |
9a92bf1b RL |
158 | |
159 | return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, | |
0f0db4dc | 160 | ctx->sec, ctx->seclen, |
e3405a4a P |
161 | ctx->seed, ctx->seedlen, |
162 | key, keylen); | |
163 | } | |
5a285add | 164 | |
e3405a4a P |
165 | static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
166 | { | |
167 | const OSSL_PARAM *p; | |
168 | TLS1_PRF *ctx = vctx; | |
b4250010 | 169 | OSSL_LIB_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(ctx->provctx); |
9a92bf1b RL |
170 | |
171 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { | |
9a92bf1b | 172 | if (strcasecmp(p->data, SN_md5_sha1) == 0) { |
4e8b8e47 RL |
173 | if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, |
174 | OSSL_MAC_NAME_HMAC, | |
175 | NULL, SN_md5, libctx) | |
176 | || !ossl_prov_macctx_load_from_params(&ctx->P_sha1, params, | |
177 | OSSL_MAC_NAME_HMAC, | |
178 | NULL, SN_sha1, libctx)) | |
179 | return 0; | |
9a92bf1b | 180 | } else { |
865adf97 | 181 | EVP_MAC_CTX_free(ctx->P_sha1); |
4e8b8e47 RL |
182 | if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, |
183 | OSSL_MAC_NAME_HMAC, | |
184 | NULL, NULL, libctx)) | |
185 | return 0; | |
9a92bf1b | 186 | } |
e3405a4a | 187 | } |
5a285add | 188 | |
e3405a4a P |
189 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { |
190 | OPENSSL_clear_free(ctx->sec, ctx->seclen); | |
191 | ctx->sec = NULL; | |
192 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sec, 0, &ctx->seclen)) | |
193 | return 0; | |
1eff3485 | 194 | } |
e3405a4a P |
195 | /* The seed fields concatenate, so process them all */ |
196 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED)) != NULL) { | |
e3405a4a P |
197 | for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, |
198 | OSSL_KDF_PARAM_SEED)) { | |
199 | const void *q = ctx->seed + ctx->seedlen; | |
200 | size_t sz = 0; | |
201 | ||
202 | if (p->data_size != 0 | |
203 | && p->data != NULL | |
204 | && !OSSL_PARAM_get_octet_string(p, (void **)&q, | |
205 | TLS1_PRF_MAXBUF - ctx->seedlen, | |
206 | &sz)) | |
207 | return 0; | |
208 | ctx->seedlen += sz; | |
209 | } | |
210 | } | |
211 | return 1; | |
1eff3485 DSH |
212 | } |
213 | ||
1017ab21 | 214 | static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(ossl_unused void *ctx) |
4e8cb45c | 215 | { |
e3405a4a P |
216 | static const OSSL_PARAM known_settable_ctx_params[] = { |
217 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), | |
218 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), | |
219 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), | |
220 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0), | |
221 | OSSL_PARAM_END | |
222 | }; | |
223 | return known_settable_ctx_params; | |
224 | } | |
5a285add | 225 | |
e3405a4a P |
226 | static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
227 | { | |
228 | OSSL_PARAM *p; | |
a24a5b8c | 229 | |
e3405a4a P |
230 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) |
231 | return OSSL_PARAM_set_size_t(p, SIZE_MAX); | |
4e8cb45c DSH |
232 | return -2; |
233 | } | |
234 | ||
1017ab21 | 235 | static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(ossl_unused void *ctx) |
1eff3485 | 236 | { |
e3405a4a P |
237 | static const OSSL_PARAM known_gettable_ctx_params[] = { |
238 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
239 | OSSL_PARAM_END | |
240 | }; | |
241 | return known_gettable_ctx_params; | |
1eff3485 DSH |
242 | } |
243 | ||
1be63951 | 244 | const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = { |
e3405a4a P |
245 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new }, |
246 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free }, | |
247 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset }, | |
248 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive }, | |
249 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
250 | (void(*)(void))kdf_tls1_prf_settable_ctx_params }, | |
251 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, | |
252 | (void(*)(void))kdf_tls1_prf_set_ctx_params }, | |
253 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
254 | (void(*)(void))kdf_tls1_prf_gettable_ctx_params }, | |
255 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, | |
256 | (void(*)(void))kdf_tls1_prf_get_ctx_params }, | |
257 | { 0, NULL } | |
1eff3485 DSH |
258 | }; |
259 | ||
0f52d9ed DM |
260 | /* |
261 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
262 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
263 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
264 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
265 | * | |
266 | * P_<hash> is an expansion function that uses a single hash function to expand | |
267 | * a secret and seed into an arbitrary quantity of output: | |
268 | * | |
269 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
270 | * HMAC_<hash>(secret, A(2) + seed) + | |
271 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
272 | * | |
273 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
274 | * is necessary to produce the required quantity of data. | |
275 | * | |
276 | * A(i) is defined as: | |
277 | * A(0) = seed | |
278 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
279 | */ | |
9a92bf1b | 280 | static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, |
1eff3485 DSH |
281 | const unsigned char *sec, size_t sec_len, |
282 | const unsigned char *seed, size_t seed_len, | |
283 | unsigned char *out, size_t olen) | |
284 | { | |
0f52d9ed | 285 | size_t chunk; |
9a92bf1b | 286 | EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; |
0f52d9ed DM |
287 | unsigned char Ai[EVP_MAX_MD_SIZE]; |
288 | size_t Ai_len; | |
1eff3485 | 289 | int ret = 0; |
9a92bf1b | 290 | OSSL_PARAM params[2], *p = params; |
776796e8 | 291 | |
9a92bf1b RL |
292 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
293 | (void *)sec, sec_len); | |
294 | *p = OSSL_PARAM_construct_end(); | |
865adf97 | 295 | if (!EVP_MAC_CTX_set_params(ctx_init, params)) |
1eff3485 | 296 | goto err; |
6e94b5ae | 297 | if (!EVP_MAC_init(ctx_init)) |
1eff3485 | 298 | goto err; |
0f52d9ed DM |
299 | chunk = EVP_MAC_size(ctx_init); |
300 | if (chunk == 0) | |
6e94b5ae | 301 | goto err; |
0f52d9ed | 302 | /* A(0) = seed */ |
865adf97 | 303 | ctx_Ai = EVP_MAC_CTX_dup(ctx_init); |
be5fc053 | 304 | if (ctx_Ai == NULL) |
6e94b5ae | 305 | goto err; |
0f52d9ed | 306 | if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) |
1eff3485 DSH |
307 | goto err; |
308 | ||
309 | for (;;) { | |
0f52d9ed | 310 | /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ |
776796e8 | 311 | if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) |
0f52d9ed | 312 | goto err; |
865adf97 | 313 | EVP_MAC_CTX_free(ctx_Ai); |
be5fc053 | 314 | ctx_Ai = NULL; |
0f52d9ed DM |
315 | |
316 | /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ | |
865adf97 | 317 | ctx = EVP_MAC_CTX_dup(ctx_init); |
be5fc053 | 318 | if (ctx == NULL) |
1eff3485 | 319 | goto err; |
0f52d9ed | 320 | if (!EVP_MAC_update(ctx, Ai, Ai_len)) |
1eff3485 | 321 | goto err; |
0f52d9ed | 322 | /* save state for calculating next A(i) value */ |
be5fc053 | 323 | if (olen > chunk) { |
865adf97 | 324 | ctx_Ai = EVP_MAC_CTX_dup(ctx); |
be5fc053 KR |
325 | if (ctx_Ai == NULL) |
326 | goto err; | |
327 | } | |
6e94b5ae | 328 | if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) |
1eff3485 | 329 | goto err; |
0f52d9ed DM |
330 | if (olen <= chunk) { |
331 | /* last chunk - use Ai as temp bounce buffer */ | |
776796e8 | 332 | if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) |
1eff3485 | 333 | goto err; |
0f52d9ed | 334 | memcpy(out, Ai, olen); |
1eff3485 DSH |
335 | break; |
336 | } | |
776796e8 | 337 | if (!EVP_MAC_final(ctx, out, NULL, olen)) |
0f52d9ed | 338 | goto err; |
865adf97 | 339 | EVP_MAC_CTX_free(ctx); |
be5fc053 | 340 | ctx = NULL; |
0f52d9ed DM |
341 | out += chunk; |
342 | olen -= chunk; | |
1eff3485 DSH |
343 | } |
344 | ret = 1; | |
345 | err: | |
865adf97 MC |
346 | EVP_MAC_CTX_free(ctx); |
347 | EVP_MAC_CTX_free(ctx_Ai); | |
0f52d9ed | 348 | OPENSSL_cleanse(Ai, sizeof(Ai)); |
1eff3485 DSH |
349 | return ret; |
350 | } | |
351 | ||
0f52d9ed DM |
352 | /* |
353 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
354 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
355 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
356 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
357 | * | |
358 | * For TLS v1.0 and TLS v1.1: | |
359 | * | |
360 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
361 | * P_SHA-1(S2, label + seed) | |
362 | * | |
363 | * S1 is taken from the first half of the secret, S2 from the second half. | |
364 | * | |
365 | * L_S = length in bytes of secret; | |
366 | * L_S1 = L_S2 = ceil(L_S / 2); | |
367 | * | |
368 | * For TLS v1.2: | |
369 | * | |
370 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
371 | */ | |
9a92bf1b | 372 | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
1eff3485 DSH |
373 | const unsigned char *sec, size_t slen, |
374 | const unsigned char *seed, size_t seed_len, | |
375 | unsigned char *out, size_t olen) | |
376 | { | |
9a92bf1b | 377 | if (sha1ctx != NULL) { |
0f52d9ed | 378 | /* TLS v1.0 and TLS v1.1 */ |
1eff3485 DSH |
379 | size_t i; |
380 | unsigned char *tmp; | |
0f52d9ed DM |
381 | /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ |
382 | size_t L_S1 = (slen + 1) / 2; | |
383 | size_t L_S2 = L_S1; | |
384 | ||
9a92bf1b | 385 | if (!tls1_prf_P_hash(mdctx, sec, L_S1, |
5a285add | 386 | seed, seed_len, out, olen)) |
1eff3485 DSH |
387 | return 0; |
388 | ||
cdb10bae | 389 | if ((tmp = OPENSSL_malloc(olen)) == NULL) { |
e3405a4a | 390 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
1eff3485 | 391 | return 0; |
cdb10bae | 392 | } |
9a92bf1b RL |
393 | |
394 | if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2, | |
5a285add | 395 | seed, seed_len, tmp, olen)) { |
1eff3485 DSH |
396 | OPENSSL_clear_free(tmp, olen); |
397 | return 0; | |
398 | } | |
399 | for (i = 0; i < olen; i++) | |
400 | out[i] ^= tmp[i]; | |
401 | OPENSSL_clear_free(tmp, olen); | |
402 | return 1; | |
403 | } | |
0f52d9ed DM |
404 | |
405 | /* TLS v1.2 */ | |
9a92bf1b | 406 | if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen)) |
1eff3485 DSH |
407 | return 0; |
408 | ||
409 | return 1; | |
410 | } |