/src/openssl36/providers/implementations/kdfs/tls1_prf.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2016-2026 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | /* clang-format off */ |
10 | | |
11 | | /* clang-format on */ |
12 | | |
13 | | /* |
14 | | * Refer to "The TLS Protocol Version 1.0" Section 5 |
15 | | * (https://tools.ietf.org/html/rfc2246#section-5) and |
16 | | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 |
17 | | * (https://tools.ietf.org/html/rfc5246#section-5). |
18 | | * |
19 | | * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: |
20 | | * |
21 | | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR |
22 | | * P_SHA-1(S2, label + seed) |
23 | | * |
24 | | * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are |
25 | | * two halves of the secret (with the possibility of one shared byte, in the |
26 | | * case where the length of the original secret is odd). S1 is taken from the |
27 | | * first half of the secret, S2 from the second half. |
28 | | * |
29 | | * For TLS v1.2 the TLS PRF algorithm is given by: |
30 | | * |
31 | | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) |
32 | | * |
33 | | * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as |
34 | | * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, |
35 | | * unless defined otherwise by the cipher suite. |
36 | | * |
37 | | * P_<hash> is an expansion function that uses a single hash function to expand |
38 | | * a secret and seed into an arbitrary quantity of output: |
39 | | * |
40 | | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + |
41 | | * HMAC_<hash>(secret, A(2) + seed) + |
42 | | * HMAC_<hash>(secret, A(3) + seed) + ... |
43 | | * |
44 | | * where + indicates concatenation. P_<hash> can be iterated as many times as |
45 | | * is necessary to produce the required quantity of data. |
46 | | * |
47 | | * A(i) is defined as: |
48 | | * A(0) = seed |
49 | | * A(i) = HMAC_<hash>(secret, A(i-1)) |
50 | | */ |
51 | | |
52 | | /* |
53 | | * Low level APIs (such as DH) are deprecated for public use, but still ok for |
54 | | * internal use. |
55 | | */ |
56 | | #include "internal/deprecated.h" |
57 | | |
58 | | #include <stdio.h> |
59 | | #include <stdarg.h> |
60 | | #include <string.h> |
61 | | #include <openssl/evp.h> |
62 | | #include <openssl/kdf.h> |
63 | | #include <openssl/core_names.h> |
64 | | #include <openssl/params.h> |
65 | | #include <openssl/proverr.h> |
66 | | #include "internal/cryptlib.h" |
67 | | #include "internal/numbers.h" |
68 | | #include "crypto/evp.h" |
69 | | #include "prov/provider_ctx.h" |
70 | | #include "prov/providercommon.h" |
71 | | #include "prov/implementations.h" |
72 | | #include "prov/provider_util.h" |
73 | | #include "prov/securitycheck.h" |
74 | | #include "internal/e_os.h" |
75 | | #include "internal/params.h" |
76 | | #include "internal/safe_math.h" |
77 | | |
78 | | OSSL_SAFE_MATH_UNSIGNED(size_t, size_t) |
79 | | |
80 | | static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; |
81 | | static OSSL_FUNC_kdf_dupctx_fn kdf_tls1_prf_dup; |
82 | | static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free; |
83 | | static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset; |
84 | | static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive; |
85 | | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; |
86 | | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params; |
87 | | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; |
88 | | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_prf_get_ctx_params; |
89 | | |
90 | | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
91 | | const unsigned char *sec, size_t slen, |
92 | | const unsigned char *seed, size_t seed_len, |
93 | | unsigned char *out, size_t olen); |
94 | | |
95 | | #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" |
96 | | #define TLS_MD_MASTER_SECRET_CONST_SIZE 13 |
97 | | |
98 | 0 | #define TLSPRF_MAX_SEEDS 6 |
99 | | |
100 | | /* TLS KDF kdf context structure */ |
101 | | typedef struct { |
102 | | void *provctx; |
103 | | |
104 | | /* MAC context for the main digest */ |
105 | | EVP_MAC_CTX *P_hash; |
106 | | /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */ |
107 | | EVP_MAC_CTX *P_sha1; |
108 | | |
109 | | /* Secret value to use for PRF */ |
110 | | unsigned char *sec; |
111 | | size_t seclen; |
112 | | /* Concatenated seed data */ |
113 | | unsigned char *seed; |
114 | | size_t seedlen; |
115 | | |
116 | | OSSL_FIPS_IND_DECLARE |
117 | | } TLS1_PRF; |
118 | | |
119 | | static void *kdf_tls1_prf_new(void *provctx) |
120 | 66.5k | { |
121 | 66.5k | TLS1_PRF *ctx; |
122 | | |
123 | 66.5k | if (!ossl_prov_is_running()) |
124 | 0 | return NULL; |
125 | | |
126 | 66.5k | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) { |
127 | 66.5k | ctx->provctx = provctx; |
128 | 66.5k | OSSL_FIPS_IND_INIT(ctx) |
129 | 66.5k | } |
130 | 66.5k | return ctx; |
131 | 66.5k | } |
132 | | |
133 | | static void kdf_tls1_prf_free(void *vctx) |
134 | 71.6k | { |
135 | 71.6k | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
136 | | |
137 | 71.6k | if (ctx != NULL) { |
138 | 71.6k | kdf_tls1_prf_reset(ctx); |
139 | 71.6k | OPENSSL_free(ctx); |
140 | 71.6k | } |
141 | 71.6k | } |
142 | | |
143 | | static void kdf_tls1_prf_reset(void *vctx) |
144 | 71.6k | { |
145 | 71.6k | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
146 | 71.6k | void *provctx = ctx->provctx; |
147 | | |
148 | 71.6k | EVP_MAC_CTX_free(ctx->P_hash); |
149 | 71.6k | EVP_MAC_CTX_free(ctx->P_sha1); |
150 | 71.6k | OPENSSL_clear_free(ctx->sec, ctx->seclen); |
151 | 71.6k | OPENSSL_clear_free(ctx->seed, ctx->seedlen); |
152 | 71.6k | memset(ctx, 0, sizeof(*ctx)); |
153 | 71.6k | ctx->provctx = provctx; |
154 | 71.6k | } |
155 | | |
156 | | static void *kdf_tls1_prf_dup(void *vctx) |
157 | 0 | { |
158 | 0 | const TLS1_PRF *src = (const TLS1_PRF *)vctx; |
159 | 0 | TLS1_PRF *dest; |
160 | |
|
161 | 0 | dest = kdf_tls1_prf_new(src->provctx); |
162 | 0 | if (dest != NULL) { |
163 | 0 | if (src->P_hash != NULL |
164 | 0 | && (dest->P_hash = EVP_MAC_CTX_dup(src->P_hash)) == NULL) |
165 | 0 | goto err; |
166 | 0 | if (src->P_sha1 != NULL |
167 | 0 | && (dest->P_sha1 = EVP_MAC_CTX_dup(src->P_sha1)) == NULL) |
168 | 0 | goto err; |
169 | 0 | if (!ossl_prov_memdup(src->sec, src->seclen, &dest->sec, &dest->seclen)) |
170 | 0 | goto err; |
171 | 0 | if (!ossl_prov_memdup(src->seed, src->seedlen, &dest->seed, |
172 | 0 | &dest->seedlen)) |
173 | 0 | goto err; |
174 | 0 | OSSL_FIPS_IND_COPY(dest, src) |
175 | 0 | } |
176 | 0 | return dest; |
177 | | |
178 | 0 | err: |
179 | 0 | kdf_tls1_prf_free(dest); |
180 | 0 | return NULL; |
181 | 0 | } |
182 | | |
183 | | #ifdef FIPS_MODULE |
184 | | |
185 | | static int fips_ems_check_passed(TLS1_PRF *ctx) |
186 | | { |
187 | | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
188 | | /* |
189 | | * Check that TLS is using EMS. |
190 | | * |
191 | | * The seed buffer is prepended with a label. |
192 | | * If EMS mode is enforced then the label "master secret" is not allowed, |
193 | | * We do the check this way since the PRF is used for other purposes, as well |
194 | | * as "extended master secret". |
195 | | */ |
196 | | int ems_approved = (ctx->seedlen < TLS_MD_MASTER_SECRET_CONST_SIZE |
197 | | || memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, |
198 | | TLS_MD_MASTER_SECRET_CONST_SIZE) |
199 | | != 0); |
200 | | |
201 | | if (!ems_approved) { |
202 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, |
203 | | libctx, "TLS_PRF", "EMS", |
204 | | ossl_fips_config_tls1_prf_ems_check)) { |
205 | | ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); |
206 | | return 0; |
207 | | } |
208 | | } |
209 | | return 1; |
210 | | } |
211 | | |
212 | | static int fips_digest_check_passed(TLS1_PRF *ctx, const EVP_MD *md) |
213 | | { |
214 | | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
215 | | /* |
216 | | * Perform digest check |
217 | | * |
218 | | * According to NIST SP 800-135r1 section 5.2, the valid hash functions are |
219 | | * specified in FIPS 180-3. ACVP also only lists the same set of hash |
220 | | * functions. |
221 | | */ |
222 | | int digest_unapproved = !EVP_MD_is_a(md, SN_sha256) |
223 | | && !EVP_MD_is_a(md, SN_sha384) |
224 | | && !EVP_MD_is_a(md, SN_sha512); |
225 | | |
226 | | if (digest_unapproved) { |
227 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, |
228 | | libctx, "TLS_PRF", "Digest", |
229 | | ossl_fips_config_tls1_prf_digest_check)) { |
230 | | ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); |
231 | | return 0; |
232 | | } |
233 | | } |
234 | | return 1; |
235 | | } |
236 | | |
237 | | static int fips_key_check_passed(TLS1_PRF *ctx) |
238 | | { |
239 | | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
240 | | int key_approved = ossl_kdf_check_key_size(ctx->seclen); |
241 | | |
242 | | if (!key_approved) { |
243 | | if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, |
244 | | libctx, "TLS_PRF", "Key size", |
245 | | ossl_fips_config_tls1_prf_key_check)) { |
246 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
247 | | return 0; |
248 | | } |
249 | | } |
250 | | return 1; |
251 | | } |
252 | | #endif |
253 | | |
254 | | static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, |
255 | | const OSSL_PARAM params[]) |
256 | 54.0k | { |
257 | 54.0k | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
258 | | |
259 | 54.0k | if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) |
260 | 0 | return 0; |
261 | | |
262 | 54.0k | if (ctx->P_hash == NULL) { |
263 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
264 | 0 | return 0; |
265 | 0 | } |
266 | 54.0k | if (ctx->sec == NULL) { |
267 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); |
268 | 0 | return 0; |
269 | 0 | } |
270 | 54.0k | if (ctx->seedlen == 0) { |
271 | 467 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED); |
272 | 467 | return 0; |
273 | 467 | } |
274 | 53.6k | if (keylen == 0) { |
275 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
276 | 0 | return 0; |
277 | 0 | } |
278 | | |
279 | | #ifdef FIPS_MODULE |
280 | | if (!fips_ems_check_passed(ctx)) |
281 | | return 0; |
282 | | #endif |
283 | | |
284 | 53.6k | return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, |
285 | 53.6k | ctx->sec, ctx->seclen, |
286 | 53.6k | ctx->seed, ctx->seedlen, |
287 | 53.6k | key, keylen); |
288 | 53.6k | } |
289 | | |
290 | | /* clang-format off */ |
291 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
292 | | #ifndef tls1prf_set_ctx_params_list |
293 | | static const OSSL_PARAM tls1prf_set_ctx_params_list[] = { |
294 | | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), |
295 | | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), |
296 | | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), |
297 | | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0), |
298 | | # if defined(FIPS_MODULE) |
299 | | OSSL_PARAM_int(OSSL_KDF_PARAM_FIPS_EMS_CHECK, NULL), |
300 | | # endif |
301 | | # if defined(FIPS_MODULE) |
302 | | OSSL_PARAM_int(OSSL_KDF_PARAM_FIPS_DIGEST_CHECK, NULL), |
303 | | # endif |
304 | | # if defined(FIPS_MODULE) |
305 | | OSSL_PARAM_int(OSSL_KDF_PARAM_FIPS_KEY_CHECK, NULL), |
306 | | # endif |
307 | | OSSL_PARAM_END |
308 | | }; |
309 | | #endif |
310 | | |
311 | | #ifndef tls1prf_set_ctx_params_st |
312 | | struct tls1prf_set_ctx_params_st { |
313 | | OSSL_PARAM *digest; |
314 | | OSSL_PARAM *engine; |
315 | | # if defined(FIPS_MODULE) |
316 | | OSSL_PARAM *ind_d; |
317 | | # endif |
318 | | # if defined(FIPS_MODULE) |
319 | | OSSL_PARAM *ind_e; |
320 | | # endif |
321 | | # if defined(FIPS_MODULE) |
322 | | OSSL_PARAM *ind_k; |
323 | | # endif |
324 | | OSSL_PARAM *propq; |
325 | | OSSL_PARAM *secret; |
326 | | OSSL_PARAM *seed[TLSPRF_MAX_SEEDS]; |
327 | | int num_seed; |
328 | | }; |
329 | | #endif |
330 | | |
331 | | #ifndef tls1prf_set_ctx_params_decoder |
332 | | static int tls1prf_set_ctx_params_decoder |
333 | | (const OSSL_PARAM *p, struct tls1prf_set_ctx_params_st *r) |
334 | 11.3k | { |
335 | 11.3k | const char *s; |
336 | | |
337 | 11.3k | memset(r, 0, sizeof(*r)); |
338 | 11.3k | if (p != NULL) |
339 | 86.9k | for (; (s = p->key) != NULL; p++) |
340 | 75.8k | switch(s[0]) { |
341 | 0 | default: |
342 | 0 | break; |
343 | 11.1k | case 'd': |
344 | 11.1k | switch(s[1]) { |
345 | 0 | default: |
346 | 0 | break; |
347 | 11.1k | case 'i': |
348 | 11.1k | switch(s[2]) { |
349 | 0 | default: |
350 | 0 | break; |
351 | 11.1k | case 'g': |
352 | 11.1k | switch(s[3]) { |
353 | 0 | default: |
354 | 0 | break; |
355 | 11.1k | case 'e': |
356 | 11.1k | switch(s[4]) { |
357 | 0 | default: |
358 | 0 | break; |
359 | 11.1k | case 's': |
360 | 11.1k | switch(s[5]) { |
361 | 0 | default: |
362 | 0 | break; |
363 | 11.1k | case 't': |
364 | 11.1k | switch(s[6]) { |
365 | 0 | default: |
366 | 0 | break; |
367 | 0 | case '-': |
368 | | # if defined(FIPS_MODULE) |
369 | | if (ossl_likely(strcmp("check", s + 7) == 0)) { |
370 | | /* OSSL_KDF_PARAM_FIPS_DIGEST_CHECK */ |
371 | | if (ossl_unlikely(r->ind_d != NULL)) { |
372 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
373 | | "param %s is repeated", s); |
374 | | return 0; |
375 | | } |
376 | | r->ind_d = (OSSL_PARAM *)p; |
377 | | } |
378 | | # endif |
379 | 0 | break; |
380 | 11.1k | case '\0': |
381 | 11.1k | if (ossl_unlikely(r->digest != NULL)) { |
382 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
383 | 0 | "param %s is repeated", s); |
384 | 0 | return 0; |
385 | 0 | } |
386 | 11.1k | r->digest = (OSSL_PARAM *)p; |
387 | 11.1k | } |
388 | 11.1k | } |
389 | 11.1k | } |
390 | 11.1k | } |
391 | 11.1k | } |
392 | 11.1k | } |
393 | 11.1k | break; |
394 | 11.1k | case 'e': |
395 | 0 | switch(s[1]) { |
396 | 0 | default: |
397 | 0 | break; |
398 | 0 | case 'm': |
399 | | # if defined(FIPS_MODULE) |
400 | | if (ossl_likely(strcmp("s_check", s + 2) == 0)) { |
401 | | /* OSSL_KDF_PARAM_FIPS_EMS_CHECK */ |
402 | | if (ossl_unlikely(r->ind_e != NULL)) { |
403 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
404 | | "param %s is repeated", s); |
405 | | return 0; |
406 | | } |
407 | | r->ind_e = (OSSL_PARAM *)p; |
408 | | } |
409 | | # endif |
410 | 0 | break; |
411 | 0 | case 'n': |
412 | 0 | if (ossl_likely(strcmp("gine", s + 2) == 0)) { |
413 | | /* OSSL_ALG_PARAM_ENGINE */ |
414 | 0 | if (ossl_unlikely(r->engine != NULL)) { |
415 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
416 | 0 | "param %s is repeated", s); |
417 | 0 | return 0; |
418 | 0 | } |
419 | 0 | r->engine = (OSSL_PARAM *)p; |
420 | 0 | } |
421 | 0 | } |
422 | 0 | break; |
423 | 0 | case 'k': |
424 | | # if defined(FIPS_MODULE) |
425 | | if (ossl_likely(strcmp("ey-check", s + 1) == 0)) { |
426 | | /* OSSL_KDF_PARAM_FIPS_KEY_CHECK */ |
427 | | if (ossl_unlikely(r->ind_k != NULL)) { |
428 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
429 | | "param %s is repeated", s); |
430 | | return 0; |
431 | | } |
432 | | r->ind_k = (OSSL_PARAM *)p; |
433 | | } |
434 | | # endif |
435 | 0 | break; |
436 | 647 | case 'p': |
437 | 647 | if (ossl_likely(strcmp("roperties", s + 1) == 0)) { |
438 | | /* OSSL_KDF_PARAM_PROPERTIES */ |
439 | 647 | if (ossl_unlikely(r->propq != NULL)) { |
440 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
441 | 0 | "param %s is repeated", s); |
442 | 0 | return 0; |
443 | 0 | } |
444 | 647 | r->propq = (OSSL_PARAM *)p; |
445 | 647 | } |
446 | 647 | break; |
447 | 64.0k | case 's': |
448 | 64.0k | switch(s[1]) { |
449 | 0 | default: |
450 | 0 | break; |
451 | 64.0k | case 'e': |
452 | 64.0k | switch(s[2]) { |
453 | 0 | default: |
454 | 0 | break; |
455 | 11.1k | case 'c': |
456 | 11.1k | if (ossl_likely(strcmp("ret", s + 3) == 0)) { |
457 | | /* OSSL_KDF_PARAM_SECRET */ |
458 | 11.1k | if (ossl_unlikely(r->secret != NULL)) { |
459 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
460 | 0 | "param %s is repeated", s); |
461 | 0 | return 0; |
462 | 0 | } |
463 | 11.1k | r->secret = (OSSL_PARAM *)p; |
464 | 11.1k | } |
465 | 11.1k | break; |
466 | 52.9k | case 'e': |
467 | 52.9k | if (ossl_likely(strcmp("d", s + 3) == 0)) { |
468 | | /* OSSL_KDF_PARAM_SEED */ |
469 | 52.9k | if (ossl_unlikely(r->num_seed >= TLSPRF_MAX_SEEDS)) { |
470 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS, |
471 | 0 | "param %s present >%d times", s, TLSPRF_MAX_SEEDS); |
472 | 0 | return 0; |
473 | 0 | } |
474 | 52.9k | r->seed[r->num_seed++] = (OSSL_PARAM *)p; |
475 | 52.9k | } |
476 | 64.0k | } |
477 | 64.0k | } |
478 | 75.8k | } |
479 | 11.3k | return 1; |
480 | 11.3k | } |
481 | | #endif |
482 | | /* End of machine generated */ |
483 | | /* clang-format on */ |
484 | | |
485 | | static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
486 | 21.6k | { |
487 | 21.6k | struct tls1prf_set_ctx_params_st p; |
488 | 21.6k | TLS1_PRF *ctx = vctx; |
489 | 21.6k | OSSL_LIB_CTX *libctx; |
490 | | |
491 | 21.6k | if (ctx == NULL || !tls1prf_set_ctx_params_decoder(params, &p)) |
492 | 0 | return 0; |
493 | | |
494 | 21.6k | libctx = PROV_LIBCTX_OF(ctx->provctx); |
495 | | |
496 | 21.6k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, p.ind_e)) |
497 | 0 | return 0; |
498 | 21.6k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, p.ind_d)) |
499 | 0 | return 0; |
500 | 21.6k | if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE2, p.ind_k)) |
501 | 0 | return 0; |
502 | | |
503 | 21.6k | if (p.digest != NULL) { |
504 | 21.2k | PROV_DIGEST digest; |
505 | 21.2k | const EVP_MD *md = NULL; |
506 | 21.2k | const char *dgst; |
507 | | |
508 | 21.2k | if (!OSSL_PARAM_get_utf8_string_ptr(p.digest, &dgst)) |
509 | 0 | return 0; |
510 | | |
511 | 21.2k | if (OPENSSL_strcasecmp(dgst, OSSL_DIGEST_NAME_MD5_SHA1) == 0) { |
512 | 8.54k | if (!ossl_prov_macctx_load(&ctx->P_hash, NULL, NULL, NULL, |
513 | 8.54k | p.propq, p.engine, |
514 | 8.54k | OSSL_MAC_NAME_HMAC, NULL, |
515 | 8.54k | OSSL_DIGEST_NAME_MD5, libctx)) |
516 | 3 | return 0; |
517 | 8.54k | if (!ossl_prov_macctx_load(&ctx->P_sha1, NULL, NULL, NULL, |
518 | 8.54k | p.propq, p.engine, |
519 | 8.54k | OSSL_MAC_NAME_HMAC, NULL, |
520 | 8.54k | OSSL_DIGEST_NAME_SHA1, libctx)) |
521 | 0 | return 0; |
522 | 12.7k | } else { |
523 | 12.7k | EVP_MAC_CTX_free(ctx->P_sha1); |
524 | 12.7k | ctx->P_sha1 = NULL; |
525 | 12.7k | if (!ossl_prov_macctx_load(&ctx->P_hash, NULL, NULL, p.digest, |
526 | 12.7k | p.propq, p.engine, |
527 | 12.7k | OSSL_MAC_NAME_HMAC, NULL, NULL, libctx)) |
528 | 421 | return 0; |
529 | 12.7k | } |
530 | | |
531 | 20.8k | memset(&digest, 0, sizeof(digest)); |
532 | 20.8k | if (!ossl_prov_digest_load(&digest, p.digest, p.propq, p.engine, libctx)) |
533 | 0 | return 0; |
534 | | |
535 | 20.8k | md = ossl_prov_digest_md(&digest); |
536 | 20.8k | if (EVP_MD_xof(md)) { |
537 | 2 | ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); |
538 | 2 | ossl_prov_digest_reset(&digest); |
539 | 2 | return 0; |
540 | 2 | } |
541 | | |
542 | | #ifdef FIPS_MODULE |
543 | | if (!fips_digest_check_passed(ctx, md)) { |
544 | | ossl_prov_digest_reset(&digest); |
545 | | return 0; |
546 | | } |
547 | | #endif |
548 | | |
549 | 20.8k | ossl_prov_digest_reset(&digest); |
550 | 20.8k | } |
551 | | |
552 | 21.1k | if (p.secret != NULL) { |
553 | 20.8k | OPENSSL_clear_free(ctx->sec, ctx->seclen); |
554 | 20.8k | ctx->sec = NULL; |
555 | 20.8k | if (!OSSL_PARAM_get_octet_string(p.secret, (void **)&ctx->sec, 0, |
556 | 20.8k | &ctx->seclen)) |
557 | 0 | return 0; |
558 | | |
559 | | #ifdef FIPS_MODULE |
560 | | if (!fips_key_check_passed(ctx)) |
561 | | return 0; |
562 | | #endif |
563 | 20.8k | } |
564 | | |
565 | | /* |
566 | | * The seed fields concatenate across set calls, so process them all |
567 | | * but only reallocate once. |
568 | | */ |
569 | 21.1k | if (p.num_seed > 0) { |
570 | 20.8k | const void *vals[TLSPRF_MAX_SEEDS]; |
571 | 20.8k | size_t sizes[TLSPRF_MAX_SEEDS]; |
572 | 20.8k | size_t seedlen = ctx->seedlen; |
573 | 20.8k | int i, n = 0; |
574 | | |
575 | 123k | for (i = 0; i < p.num_seed; i++) { |
576 | 102k | sizes[i] = 0; |
577 | 102k | vals[i] = NULL; |
578 | 102k | if (p.seed[i]->data_size != 0 && p.seed[i]->data != NULL) { |
579 | 55.5k | int err = 0; |
580 | | |
581 | 55.5k | if (!OSSL_PARAM_get_octet_string_ptr(p.seed[i], |
582 | 55.5k | vals + n, sizes + n)) |
583 | 0 | return 0; |
584 | | |
585 | 55.5k | seedlen = safe_add_size_t(seedlen, sizes[n], &err); |
586 | 55.5k | if (err) |
587 | 0 | return 0; |
588 | 55.5k | n++; |
589 | 55.5k | } |
590 | 102k | } |
591 | | |
592 | 20.8k | if (seedlen != ctx->seedlen) { |
593 | 20.6k | unsigned char *seed = OPENSSL_clear_realloc(ctx->seed, |
594 | 20.6k | ctx->seedlen, seedlen); |
595 | | |
596 | 20.6k | if (seed == NULL) |
597 | 0 | return 0; |
598 | 20.6k | ctx->seed = seed; |
599 | | |
600 | | /* No errors are possible, so copy them across */ |
601 | 76.2k | for (i = 0; i < n; i++) { |
602 | 55.5k | memcpy(ctx->seed + ctx->seedlen, vals[i], sizes[i]); |
603 | 55.5k | ctx->seedlen += sizes[i]; |
604 | 55.5k | } |
605 | 20.6k | } |
606 | 20.8k | } |
607 | | |
608 | 21.1k | return 1; |
609 | 21.1k | } |
610 | | |
611 | | static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( |
612 | | ossl_unused void *ctx, ossl_unused void *provctx) |
613 | 2.42k | { |
614 | 2.42k | return tls1prf_set_ctx_params_list; |
615 | 2.42k | } |
616 | | |
617 | | /* clang-format off */ |
618 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
619 | | #ifndef tls1prf_get_ctx_params_list |
620 | | static const OSSL_PARAM tls1prf_get_ctx_params_list[] = { |
621 | | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), |
622 | | # if defined(FIPS_MODULE) |
623 | | OSSL_PARAM_int(OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR, NULL), |
624 | | # endif |
625 | | OSSL_PARAM_END |
626 | | }; |
627 | | #endif |
628 | | |
629 | | #ifndef tls1prf_get_ctx_params_st |
630 | | struct tls1prf_get_ctx_params_st { |
631 | | # if defined(FIPS_MODULE) |
632 | | OSSL_PARAM *ind; |
633 | | # endif |
634 | | OSSL_PARAM *size; |
635 | | }; |
636 | | #endif |
637 | | |
638 | | #ifndef tls1prf_get_ctx_params_decoder |
639 | | static int tls1prf_get_ctx_params_decoder |
640 | | (const OSSL_PARAM *p, struct tls1prf_get_ctx_params_st *r) |
641 | 0 | { |
642 | 0 | const char *s; |
643 | |
|
644 | 0 | memset(r, 0, sizeof(*r)); |
645 | 0 | if (p != NULL) |
646 | 0 | for (; (s = p->key) != NULL; p++) |
647 | 0 | switch(s[0]) { |
648 | 0 | default: |
649 | 0 | break; |
650 | 0 | case 'f': |
651 | | # if defined(FIPS_MODULE) |
652 | | if (ossl_likely(strcmp("ips-indicator", s + 1) == 0)) { |
653 | | /* OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR */ |
654 | | if (ossl_unlikely(r->ind != NULL)) { |
655 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
656 | | "param %s is repeated", s); |
657 | | return 0; |
658 | | } |
659 | | r->ind = (OSSL_PARAM *)p; |
660 | | } |
661 | | # endif |
662 | 0 | break; |
663 | 0 | case 's': |
664 | 0 | if (ossl_likely(strcmp("ize", s + 1) == 0)) { |
665 | | /* OSSL_KDF_PARAM_SIZE */ |
666 | 0 | if (ossl_unlikely(r->size != NULL)) { |
667 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
668 | 0 | "param %s is repeated", s); |
669 | 0 | return 0; |
670 | 0 | } |
671 | 0 | r->size = (OSSL_PARAM *)p; |
672 | 0 | } |
673 | 0 | } |
674 | 0 | return 1; |
675 | 0 | } |
676 | | #endif |
677 | | /* End of machine generated */ |
678 | | /* clang-format on */ |
679 | | |
680 | | static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
681 | 0 | { |
682 | 0 | struct tls1prf_get_ctx_params_st p; |
683 | 0 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
684 | |
|
685 | 0 | if (ctx == NULL || !tls1prf_get_ctx_params_decoder(params, &p)) |
686 | 0 | return 0; |
687 | | |
688 | 0 | if (p.size != NULL && !OSSL_PARAM_set_size_t(p.size, SIZE_MAX)) |
689 | 0 | return 0; |
690 | | |
691 | 0 | if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(ctx, p.ind)) |
692 | 0 | return 0; |
693 | 0 | return 1; |
694 | 0 | } |
695 | | |
696 | | static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( |
697 | | ossl_unused void *ctx, ossl_unused void *provctx) |
698 | 0 | { |
699 | 0 | return tls1prf_get_ctx_params_list; |
700 | 0 | } |
701 | | |
702 | | const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = { |
703 | | { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))kdf_tls1_prf_new }, |
704 | | { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))kdf_tls1_prf_dup }, |
705 | | { OSSL_FUNC_KDF_FREECTX, (void (*)(void))kdf_tls1_prf_free }, |
706 | | { OSSL_FUNC_KDF_RESET, (void (*)(void))kdf_tls1_prf_reset }, |
707 | | { OSSL_FUNC_KDF_DERIVE, (void (*)(void))kdf_tls1_prf_derive }, |
708 | | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, |
709 | | (void (*)(void))kdf_tls1_prf_settable_ctx_params }, |
710 | | { OSSL_FUNC_KDF_SET_CTX_PARAMS, |
711 | | (void (*)(void))kdf_tls1_prf_set_ctx_params }, |
712 | | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, |
713 | | (void (*)(void))kdf_tls1_prf_gettable_ctx_params }, |
714 | | { OSSL_FUNC_KDF_GET_CTX_PARAMS, |
715 | | (void (*)(void))kdf_tls1_prf_get_ctx_params }, |
716 | | OSSL_DISPATCH_END |
717 | | }; |
718 | | |
719 | | /* |
720 | | * Refer to "The TLS Protocol Version 1.0" Section 5 |
721 | | * (https://tools.ietf.org/html/rfc2246#section-5) and |
722 | | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 |
723 | | * (https://tools.ietf.org/html/rfc5246#section-5). |
724 | | * |
725 | | * P_<hash> is an expansion function that uses a single hash function to expand |
726 | | * a secret and seed into an arbitrary quantity of output: |
727 | | * |
728 | | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + |
729 | | * HMAC_<hash>(secret, A(2) + seed) + |
730 | | * HMAC_<hash>(secret, A(3) + seed) + ... |
731 | | * |
732 | | * where + indicates concatenation. P_<hash> can be iterated as many times as |
733 | | * is necessary to produce the required quantity of data. |
734 | | * |
735 | | * A(i) is defined as: |
736 | | * A(0) = seed |
737 | | * A(i) = HMAC_<hash>(secret, A(i-1)) |
738 | | */ |
739 | | static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, |
740 | | const unsigned char *sec, size_t sec_len, |
741 | | const unsigned char *seed, size_t seed_len, |
742 | | unsigned char *out, size_t olen) |
743 | 93.8k | { |
744 | 93.8k | size_t chunk; |
745 | 93.8k | EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; |
746 | 93.8k | unsigned char Ai[EVP_MAX_MD_SIZE]; |
747 | 93.8k | size_t Ai_len; |
748 | 93.8k | int ret = 0; |
749 | | |
750 | 93.8k | if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL)) |
751 | 0 | goto err; |
752 | 93.8k | chunk = EVP_MAC_CTX_get_mac_size(ctx_init); |
753 | 93.8k | if (chunk == 0) |
754 | 8 | goto err; |
755 | | /* A(0) = seed */ |
756 | 93.8k | ctx_Ai = EVP_MAC_CTX_dup(ctx_init); |
757 | 93.8k | if (ctx_Ai == NULL) |
758 | 0 | goto err; |
759 | 93.8k | if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) |
760 | 0 | goto err; |
761 | | |
762 | 245k | for (;;) { |
763 | | /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ |
764 | 245k | if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) |
765 | 0 | goto err; |
766 | 245k | EVP_MAC_CTX_free(ctx_Ai); |
767 | 245k | ctx_Ai = NULL; |
768 | | |
769 | | /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ |
770 | 245k | ctx = EVP_MAC_CTX_dup(ctx_init); |
771 | 245k | if (ctx == NULL) |
772 | 0 | goto err; |
773 | 245k | if (!EVP_MAC_update(ctx, Ai, Ai_len)) |
774 | 0 | goto err; |
775 | | /* save state for calculating next A(i) value */ |
776 | 245k | if (olen > chunk) { |
777 | 152k | ctx_Ai = EVP_MAC_CTX_dup(ctx); |
778 | 152k | if (ctx_Ai == NULL) |
779 | 0 | goto err; |
780 | 152k | } |
781 | 245k | if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) |
782 | 0 | goto err; |
783 | 245k | if (olen <= chunk) { |
784 | | /* last chunk - use Ai as temp bounce buffer */ |
785 | 93.8k | if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) |
786 | 0 | goto err; |
787 | 93.8k | memcpy(out, Ai, olen); |
788 | 93.8k | break; |
789 | 93.8k | } |
790 | 152k | if (!EVP_MAC_final(ctx, out, NULL, olen)) |
791 | 0 | goto err; |
792 | 152k | EVP_MAC_CTX_free(ctx); |
793 | 152k | ctx = NULL; |
794 | 152k | out += chunk; |
795 | 152k | olen -= chunk; |
796 | 152k | } |
797 | 93.8k | ret = 1; |
798 | 93.8k | err: |
799 | 93.8k | EVP_MAC_CTX_free(ctx); |
800 | 93.8k | EVP_MAC_CTX_free(ctx_Ai); |
801 | 93.8k | OPENSSL_cleanse(Ai, sizeof(Ai)); |
802 | 93.8k | return ret; |
803 | 93.8k | } |
804 | | |
805 | | /* |
806 | | * Refer to "The TLS Protocol Version 1.0" Section 5 |
807 | | * (https://tools.ietf.org/html/rfc2246#section-5) and |
808 | | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 |
809 | | * (https://tools.ietf.org/html/rfc5246#section-5). |
810 | | * |
811 | | * For TLS v1.0 and TLS v1.1: |
812 | | * |
813 | | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR |
814 | | * P_SHA-1(S2, label + seed) |
815 | | * |
816 | | * S1 is taken from the first half of the secret, S2 from the second half. |
817 | | * |
818 | | * L_S = length in bytes of secret; |
819 | | * L_S1 = L_S2 = ceil(L_S / 2); |
820 | | * |
821 | | * For TLS v1.2: |
822 | | * |
823 | | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) |
824 | | */ |
825 | | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
826 | | const unsigned char *sec, size_t slen, |
827 | | const unsigned char *seed, size_t seed_len, |
828 | | unsigned char *out, size_t olen) |
829 | 69.7k | { |
830 | 69.7k | if (sha1ctx != NULL) { |
831 | | /* TLS v1.0 and TLS v1.1 */ |
832 | 24.0k | size_t i; |
833 | 24.0k | unsigned char *tmp; |
834 | | /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ |
835 | 24.0k | size_t L_S1 = (slen + 1) / 2; |
836 | 24.0k | size_t L_S2 = L_S1; |
837 | | |
838 | 24.0k | if (!tls1_prf_P_hash(mdctx, sec, L_S1, |
839 | 24.0k | seed, seed_len, out, olen)) |
840 | 0 | return 0; |
841 | | |
842 | 24.0k | if ((tmp = OPENSSL_malloc(olen)) == NULL) |
843 | 0 | return 0; |
844 | | |
845 | 24.0k | if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2, |
846 | 24.0k | seed, seed_len, tmp, olen)) { |
847 | 0 | OPENSSL_clear_free(tmp, olen); |
848 | 0 | return 0; |
849 | 0 | } |
850 | 1.24M | for (i = 0; i < olen; i++) |
851 | 1.22M | out[i] ^= tmp[i]; |
852 | 24.0k | OPENSSL_clear_free(tmp, olen); |
853 | 24.0k | return 1; |
854 | 24.0k | } |
855 | | |
856 | | /* TLS v1.2 */ |
857 | 45.7k | if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen)) |
858 | 8 | return 0; |
859 | | |
860 | 45.7k | return 1; |
861 | 45.7k | } |