/src/nss-nspr/nss/lib/softoken/tlsprf.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* tlsprf.c - TLS Pseudo Random Function (PRF) implementation |
2 | | * |
3 | | * This Source Code Form is subject to the terms of the Mozilla Public |
4 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | | |
7 | | #include "pkcs11i.h" |
8 | | #include "blapi.h" |
9 | | #include "secerr.h" |
10 | | |
11 | | static void |
12 | | sftk_TLSPRFNull(void *data, PRBool freeit) |
13 | 0 | { |
14 | 0 | return; |
15 | 0 | } |
16 | | |
17 | | typedef struct { |
18 | | PRUint32 cxSize; /* size of allocated block, in bytes. */ |
19 | | PRUint32 cxBufSize; /* sizeof buffer at cxBufPtr. */ |
20 | | unsigned char *cxBufPtr; /* points to real buffer, may be cxBuf. */ |
21 | | PRUint32 cxKeyLen; /* bytes of cxBufPtr containing key. */ |
22 | | PRUint32 cxDataLen; /* bytes of cxBufPtr containing data. */ |
23 | | SECStatus cxRv; /* records failure of void functions. */ |
24 | | PRBool cxIsFIPS; /* true if conforming to FIPS 198. */ |
25 | | HASH_HashType cxHashAlg; /* hash algorithm to use for TLS 1.2+ */ |
26 | | unsigned int cxOutLen; /* bytes of output if nonzero */ |
27 | | unsigned char cxBuf[512]; /* actual size may be larger than 512. */ |
28 | | } TLSPRFContext; |
29 | | |
30 | | static void |
31 | | sftk_TLSPRFHashUpdate(void *ctx, const unsigned char *data, |
32 | | unsigned int data_len) |
33 | 0 | { |
34 | 0 | TLSPRFContext *cx = ctx; |
35 | 0 | PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen; |
36 | |
|
37 | 0 | if (cx->cxRv != SECSuccess) /* function has previously failed. */ |
38 | 0 | return; |
39 | 0 | if (bytesUsed + data_len > cx->cxBufSize) { |
40 | | /* We don't use realloc here because |
41 | | ** (a) realloc doesn't zero out the old block, and |
42 | | ** (b) if realloc fails, we lose the old block. |
43 | | */ |
44 | 0 | PRUint32 newBufSize = bytesUsed + data_len + 512; |
45 | 0 | unsigned char *newBuf = (unsigned char *)PORT_Alloc(newBufSize); |
46 | 0 | if (!newBuf) { |
47 | 0 | cx->cxRv = SECFailure; |
48 | 0 | return; |
49 | 0 | } |
50 | 0 | PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed); |
51 | 0 | if (cx->cxBufPtr != cx->cxBuf) { |
52 | 0 | PORT_ZFree(cx->cxBufPtr, bytesUsed); |
53 | 0 | } |
54 | 0 | cx->cxBufPtr = newBuf; |
55 | 0 | cx->cxBufSize = newBufSize; |
56 | 0 | } |
57 | 0 | PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len); |
58 | 0 | cx->cxDataLen += data_len; |
59 | 0 | } |
60 | | |
61 | | static void |
62 | | sftk_TLSPRFEnd(void *ctx, unsigned char *hashout, |
63 | | unsigned int *pDigestLen, unsigned int maxDigestLen) |
64 | 0 | { |
65 | 0 | *pDigestLen = 0; /* tells Verify that no data has been input yet. */ |
66 | 0 | } |
67 | | |
68 | | /* Compute the PRF values from the data previously input. */ |
69 | | static SECStatus |
70 | | sftk_TLSPRFUpdate(void *ctx, |
71 | | unsigned char *sig, /* output goes here. */ |
72 | | unsigned int *sigLen, /* how much output. */ |
73 | | unsigned int maxLen, /* output buffer size */ |
74 | | const unsigned char *hash, /* unused. */ |
75 | | unsigned int hashLen) /* unused. */ |
76 | 0 | { |
77 | 0 | TLSPRFContext *cx = ctx; |
78 | 0 | SECStatus rv; |
79 | 0 | SECItem sigItem; |
80 | 0 | SECItem seedItem; |
81 | 0 | SECItem secretItem; |
82 | |
|
83 | 0 | if (cx->cxRv != SECSuccess) |
84 | 0 | return cx->cxRv; |
85 | | |
86 | 0 | secretItem.data = cx->cxBufPtr; |
87 | 0 | secretItem.len = cx->cxKeyLen; |
88 | |
|
89 | 0 | seedItem.data = cx->cxBufPtr + cx->cxKeyLen; |
90 | 0 | seedItem.len = cx->cxDataLen; |
91 | |
|
92 | 0 | sigItem.data = sig; |
93 | 0 | if (cx->cxOutLen == 0) { |
94 | 0 | sigItem.len = maxLen; |
95 | 0 | } else if (cx->cxOutLen <= maxLen) { |
96 | 0 | sigItem.len = cx->cxOutLen; |
97 | 0 | } else { |
98 | 0 | PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
99 | 0 | return SECFailure; |
100 | 0 | } |
101 | | |
102 | 0 | if (cx->cxHashAlg != HASH_AlgNULL) { |
103 | 0 | rv = TLS_P_hash(cx->cxHashAlg, &secretItem, NULL, &seedItem, &sigItem, |
104 | 0 | cx->cxIsFIPS); |
105 | 0 | } else { |
106 | 0 | rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS); |
107 | 0 | } |
108 | 0 | if (rv == SECSuccess && sigLen != NULL) |
109 | 0 | *sigLen = sigItem.len; |
110 | 0 | return rv; |
111 | 0 | } |
112 | | |
113 | | static SECStatus |
114 | | sftk_TLSPRFVerify(void *ctx, |
115 | | const unsigned char *sig, /* input, for comparison. */ |
116 | | unsigned int sigLen, /* length of sig. */ |
117 | | const unsigned char *hash, /* data to be verified. */ |
118 | | unsigned int hashLen) /* size of hash data. */ |
119 | 0 | { |
120 | 0 | TLSPRFContext *cx = ctx; |
121 | 0 | unsigned char *tmp = (unsigned char *)PORT_Alloc(sigLen); |
122 | 0 | unsigned int tmpLen = sigLen; |
123 | 0 | SECStatus rv; |
124 | |
|
125 | 0 | if (!tmp) |
126 | 0 | return SECFailure; |
127 | 0 | if (hashLen) { |
128 | | /* hashLen is non-zero when the user does a one-step verify. |
129 | | ** In this case, none of the data has been input yet. |
130 | | */ |
131 | 0 | sftk_TLSPRFHashUpdate(cx, hash, hashLen); |
132 | 0 | } |
133 | 0 | rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0); |
134 | 0 | if (rv == SECSuccess) { |
135 | 0 | rv = (SECStatus)(1 - !NSS_SecureMemcmp(tmp, sig, sigLen)); |
136 | 0 | } |
137 | 0 | PORT_ZFree(tmp, sigLen); |
138 | 0 | return rv; |
139 | 0 | } |
140 | | |
141 | | static void |
142 | | sftk_TLSPRFHashDestroy(void *ctx, PRBool freeit) |
143 | 0 | { |
144 | 0 | TLSPRFContext *cx = ctx; |
145 | 0 | if (freeit) { |
146 | 0 | if (cx->cxBufPtr != cx->cxBuf) |
147 | 0 | PORT_ZFree(cx->cxBufPtr, cx->cxBufSize); |
148 | 0 | PORT_ZFree(cx, cx->cxSize); |
149 | 0 | } |
150 | 0 | } |
151 | | |
152 | | CK_RV |
153 | | sftk_TLSPRFInit(SFTKSessionContext *context, |
154 | | SFTKObject *key, |
155 | | CK_KEY_TYPE key_type, |
156 | | HASH_HashType hash_alg, |
157 | | unsigned int out_len) |
158 | 0 | { |
159 | 0 | SFTKAttribute *keyVal; |
160 | 0 | TLSPRFContext *prf_cx; |
161 | 0 | CK_RV crv = CKR_HOST_MEMORY; |
162 | 0 | PRUint32 keySize; |
163 | 0 | PRUint32 blockSize; |
164 | |
|
165 | 0 | if (key_type != CKK_GENERIC_SECRET) |
166 | 0 | return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */ |
167 | | |
168 | 0 | context->multi = PR_TRUE; |
169 | |
|
170 | 0 | keyVal = sftk_FindAttribute(key, CKA_VALUE); |
171 | 0 | keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen; |
172 | 0 | blockSize = keySize + sizeof(TLSPRFContext); |
173 | 0 | prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize); |
174 | 0 | if (!prf_cx) |
175 | 0 | goto done; |
176 | 0 | prf_cx->cxSize = blockSize; |
177 | 0 | prf_cx->cxKeyLen = keySize; |
178 | 0 | prf_cx->cxDataLen = 0; |
179 | 0 | prf_cx->cxBufSize = blockSize - offsetof(TLSPRFContext, cxBuf); |
180 | 0 | prf_cx->cxRv = SECSuccess; |
181 | 0 | prf_cx->cxIsFIPS = sftk_isFIPS(key->slot->slotID); |
182 | 0 | prf_cx->cxBufPtr = prf_cx->cxBuf; |
183 | 0 | prf_cx->cxHashAlg = hash_alg; |
184 | 0 | prf_cx->cxOutLen = out_len; |
185 | 0 | if (keySize) |
186 | 0 | PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize); |
187 | |
|
188 | 0 | context->hashInfo = (void *)prf_cx; |
189 | 0 | context->cipherInfo = (void *)prf_cx; |
190 | 0 | context->hashUpdate = sftk_TLSPRFHashUpdate; |
191 | 0 | context->end = sftk_TLSPRFEnd; |
192 | 0 | context->update = sftk_TLSPRFUpdate; |
193 | 0 | context->verify = sftk_TLSPRFVerify; |
194 | 0 | context->destroy = sftk_TLSPRFNull; |
195 | 0 | context->hashdestroy = sftk_TLSPRFHashDestroy; |
196 | 0 | crv = CKR_OK; |
197 | |
|
198 | 0 | done: |
199 | 0 | if (keyVal) |
200 | 0 | sftk_FreeAttribute(keyVal); |
201 | 0 | return crv; |
202 | 0 | } |