1 /* $OpenBSD: tls1_prf.c,v 1.40 2024/07/10 06:53:27 tb Exp $ */
2 /*
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4 * 2016.
5 */
6 /* ====================================================================
7 * Copyright (c) 2015 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60 #include <stdlib.h>
61 #include <stdio.h>
62 #include <string.h>
63
64 #include <openssl/err.h>
65 #include <openssl/evp.h>
66 #include <openssl/kdf.h>
67
68 #include "evp_local.h"
69
70 #define TLS1_PRF_MAXBUF 1024
71
72 struct tls1_prf_ctx {
73 const EVP_MD *md;
74 unsigned char *secret;
75 size_t secret_len;
76 unsigned char seed[TLS1_PRF_MAXBUF];
77 size_t seed_len;
78 };
79
80 static int
pkey_tls1_prf_init(EVP_PKEY_CTX * ctx)81 pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)
82 {
83 struct tls1_prf_ctx *kctx;
84
85 if ((kctx = calloc(1, sizeof(*kctx))) == NULL) {
86 KDFerror(ERR_R_MALLOC_FAILURE);
87 return 0;
88 }
89 ctx->data = kctx;
90
91 return 1;
92 }
93
94 static void
pkey_tls1_prf_cleanup(EVP_PKEY_CTX * ctx)95 pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
96 {
97 struct tls1_prf_ctx *kctx = ctx->data;
98
99 freezero(kctx->secret, kctx->secret_len);
100 freezero(kctx, sizeof(*kctx));
101 }
102
103 static int
pkey_tls1_prf_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)104 pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
105 {
106 struct tls1_prf_ctx *kctx = ctx->data;
107
108 switch (type) {
109 case EVP_PKEY_CTRL_TLS_MD:
110 kctx->md = p2;
111 return 1;
112
113 case EVP_PKEY_CTRL_TLS_SECRET:
114 if (p1 < 0)
115 return 0;
116
117 freezero(kctx->secret, kctx->secret_len);
118 kctx->secret = NULL;
119 kctx->secret_len = 0;
120
121 explicit_bzero(kctx->seed, kctx->seed_len);
122 kctx->seed_len = 0;
123
124 if (p1 == 0 || p2 == NULL)
125 return 0;
126
127 if ((kctx->secret = calloc(1, p1)) == NULL)
128 return 0;
129 memcpy(kctx->secret, p2, p1);
130 kctx->secret_len = p1;
131
132 return 1;
133
134 case EVP_PKEY_CTRL_TLS_SEED:
135 if (p1 == 0 || p2 == NULL)
136 return 1;
137 if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seed_len))
138 return 0;
139 memcpy(kctx->seed + kctx->seed_len, p2, p1);
140 kctx->seed_len += p1;
141 return 1;
142
143 default:
144 return -2;
145 }
146 }
147
148 static int
pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX * ctx,const char * type,const char * value)149 pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
150 {
151 if (value == NULL) {
152 KDFerror(KDF_R_VALUE_MISSING);
153 return 0;
154 }
155 if (strcmp(type, "md") == 0) {
156 struct tls1_prf_ctx *kctx = ctx->data;
157
158 const EVP_MD *md = EVP_get_digestbyname(value);
159 if (md == NULL) {
160 KDFerror(KDF_R_INVALID_DIGEST);
161 return 0;
162 }
163 kctx->md = md;
164 return 1;
165 }
166 if (strcmp(type, "secret") == 0)
167 return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
168 if (strcmp(type, "hexsecret") == 0)
169 return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
170 if (strcmp(type, "seed") == 0)
171 return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
172 if (strcmp(type, "hexseed") == 0)
173 return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
174
175 KDFerror(KDF_R_UNKNOWN_PARAMETER_TYPE);
176 return -2;
177 }
178
179 static int
tls1_prf_P_hash(const EVP_MD * md,const unsigned char * secret,size_t secret_len,const unsigned char * seed,size_t seed_len,unsigned char * out,size_t out_len)180 tls1_prf_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
181 const unsigned char *seed, size_t seed_len, unsigned char *out, size_t out_len)
182 {
183 int chunk;
184 EVP_MD_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL;
185 EVP_PKEY *mac_key = NULL;
186 unsigned char A1[EVP_MAX_MD_SIZE];
187 size_t A1_len;
188 int ret = 0;
189
190 if ((chunk = EVP_MD_size(md)) < 0)
191 goto err;
192
193 if ((ctx = EVP_MD_CTX_new()) == NULL)
194 goto err;
195 if ((ctx_tmp = EVP_MD_CTX_new()) == NULL)
196 goto err;
197 if ((ctx_init = EVP_MD_CTX_new()) == NULL)
198 goto err;
199
200 EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
201
202 if ((mac_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
203 secret, secret_len)) == NULL)
204 goto err;
205
206 if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
207 goto err;
208 if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
209 goto err;
210 if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
211 goto err;
212 if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
213 goto err;
214
215 for (;;) {
216 /* Reinit mac contexts */
217 if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
218 goto err;
219 if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
220 goto err;
221 if (out_len > (size_t)chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
222 goto err;
223 if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
224 goto err;
225
226 if (out_len > (size_t)chunk) {
227 size_t mac_len;
228 if (!EVP_DigestSignFinal(ctx, out, &mac_len))
229 goto err;
230 out += mac_len;
231 out_len -= mac_len;
232 if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len))
233 goto err;
234 } else {
235 if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
236 goto err;
237 memcpy(out, A1, out_len);
238 break;
239 }
240 }
241
242 ret = 1;
243
244 err:
245 EVP_PKEY_free(mac_key);
246 EVP_MD_CTX_free(ctx);
247 EVP_MD_CTX_free(ctx_tmp);
248 EVP_MD_CTX_free(ctx_init);
249 explicit_bzero(A1, sizeof(A1));
250
251 return ret;
252 }
253
254 static int
tls1_prf_alg(const EVP_MD * md,const unsigned char * secret,size_t secret_len,const unsigned char * seed,size_t seed_len,unsigned char * out,size_t out_len)255 tls1_prf_alg(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
256 const unsigned char *seed, size_t seed_len, unsigned char *out, size_t out_len)
257 {
258 unsigned char *tmp = NULL;
259 size_t half_len;
260 size_t i;
261 int ret = 0;
262
263 if (EVP_MD_type(md) != NID_md5_sha1)
264 return tls1_prf_P_hash(md, secret, secret_len, seed, seed_len,
265 out, out_len);
266
267 half_len = secret_len - secret_len / 2;
268 if (!tls1_prf_P_hash(EVP_md5(), secret, half_len, seed, seed_len,
269 out, out_len))
270 goto err;
271
272 if ((tmp = calloc(1, out_len)) == NULL) {
273 KDFerror(ERR_R_MALLOC_FAILURE);
274 goto err;
275 }
276 secret += secret_len - half_len;
277 if (!tls1_prf_P_hash(EVP_sha1(), secret, half_len, seed, seed_len,
278 tmp, out_len))
279 goto err;
280 for (i = 0; i < out_len; i++)
281 out[i] ^= tmp[i];
282
283 ret = 1;
284
285 err:
286 freezero(tmp, out_len);
287
288 return ret;
289 }
290
291 static int
pkey_tls1_prf_derive(EVP_PKEY_CTX * ctx,unsigned char * key,size_t * key_len)292 pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *key_len)
293 {
294 struct tls1_prf_ctx *kctx = ctx->data;
295
296 if (kctx->md == NULL) {
297 KDFerror(KDF_R_MISSING_MESSAGE_DIGEST);
298 return 0;
299 }
300 if (kctx->secret == NULL) {
301 KDFerror(KDF_R_MISSING_SECRET);
302 return 0;
303 }
304 if (kctx->seed_len == 0) {
305 KDFerror(KDF_R_MISSING_SEED);
306 return 0;
307 }
308
309 return tls1_prf_alg(kctx->md, kctx->secret, kctx->secret_len,
310 kctx->seed, kctx->seed_len, key, *key_len);
311 }
312
313 const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
314 .pkey_id = EVP_PKEY_TLS1_PRF,
315 .flags = 0,
316
317 .init = pkey_tls1_prf_init,
318 .copy = NULL,
319 .cleanup = pkey_tls1_prf_cleanup,
320
321 .paramgen = NULL,
322
323 .keygen = NULL,
324
325 .sign_init = NULL,
326 .sign = NULL,
327
328 .verify_init = NULL,
329 .verify = NULL,
330
331 .verify_recover = NULL,
332
333 .signctx_init = NULL,
334 .signctx = NULL,
335
336 .encrypt = NULL,
337
338 .decrypt = NULL,
339
340 .derive_init = NULL,
341 .derive = pkey_tls1_prf_derive,
342
343 .ctrl = pkey_tls1_prf_ctrl,
344 .ctrl_str = pkey_tls1_prf_ctrl_str,
345 };
346