Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2002-2015 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2014-2015 Nikos Mavrogiannopoulos |
4 | | * Copyright (C) 2016-2017 Red Hat, Inc. |
5 | | * |
6 | | * Author: Nikos Mavrogiannopoulos |
7 | | * |
8 | | * This file is part of GnuTLS. |
9 | | * |
10 | | * The GnuTLS is free software; you can redistribute it and/or |
11 | | * modify it under the terms of the GNU Lesser General Public License |
12 | | * as published by the Free Software Foundation; either version 2.1 of |
13 | | * the License, or (at your option) any later version. |
14 | | * |
15 | | * This library is distributed in the hope that it will be useful, but |
16 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
18 | | * Lesser General Public License for more details. |
19 | | * |
20 | | * You should have received a copy of the GNU Lesser General Public License |
21 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
22 | | * |
23 | | */ |
24 | | |
25 | | /* Functions for the TLS PRF handling. |
26 | | */ |
27 | | |
28 | | #include "gnutls_int.h" |
29 | | #include "errors.h" |
30 | | #include "handshake.h" |
31 | | #include "secrets.h" |
32 | | #include "num.h" |
33 | | #include "state.h" |
34 | | #include "algorithms.h" |
35 | | |
36 | | /** |
37 | | * gnutls_prf_raw: |
38 | | * @session: is a #gnutls_session_t type. |
39 | | * @label_size: length of the @label variable. |
40 | | * @label: label used in PRF computation, typically a short string. |
41 | | * @seed_size: length of the @seed variable. |
42 | | * @seed: optional extra data to seed the PRF with. |
43 | | * @outsize: size of pre-allocated output buffer to hold the output. |
44 | | * @out: pre-allocated buffer to hold the generated data. |
45 | | * |
46 | | * Apply the TLS Pseudo-Random-Function (PRF) on the master secret |
47 | | * and the provided data. |
48 | | * |
49 | | * The @label variable usually contains a string denoting the purpose |
50 | | * for the generated data. The @seed usually contains data such as the |
51 | | * client and server random, perhaps together with some additional |
52 | | * data that is added to guarantee uniqueness of the output for a |
53 | | * particular purpose. |
54 | | * |
55 | | * Because the output is not guaranteed to be unique for a particular |
56 | | * session unless @seed includes the client random and server random |
57 | | * fields (the PRF would output the same data on another connection |
58 | | * resumed from the first one), it is not recommended to use this |
59 | | * function directly. The gnutls_prf() function seeds the PRF with the |
60 | | * client and server random fields directly, and is recommended if you |
61 | | * want to generate pseudo random data unique for each session. |
62 | | * |
63 | | * Note: This function will only operate under TLS versions prior to 1.3. |
64 | | * In TLS1.3 the use of PRF is replaced with HKDF and the generic |
65 | | * exporters like gnutls_prf_rfc5705() should be used instead. Under |
66 | | * TLS1.3 this function returns %GNUTLS_E_INVALID_REQUEST. |
67 | | * |
68 | | * Returns: %GNUTLS_E_SUCCESS on success, or an error code. |
69 | | **/ |
70 | | int gnutls_prf_raw(gnutls_session_t session, size_t label_size, |
71 | | const char *label, size_t seed_size, const char *seed, |
72 | | size_t outsize, char *out) |
73 | 0 | { |
74 | 0 | int ret; |
75 | 0 | const version_entry_st *vers = get_version(session); |
76 | |
|
77 | 0 | if (vers && vers->tls13_sem) |
78 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
79 | | |
80 | 0 | if (session->security_parameters.prf == NULL) |
81 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
82 | | |
83 | 0 | ret = _gnutls_prf_raw(session->security_parameters.prf->id, |
84 | 0 | GNUTLS_MASTER_SIZE, |
85 | 0 | session->security_parameters.master_secret, |
86 | 0 | label_size, label, seed_size, (uint8_t *)seed, |
87 | 0 | outsize, out); |
88 | |
|
89 | 0 | return ret; |
90 | 0 | } |
91 | | |
92 | | static int _tls13_derive_exporter(const mac_entry_st *prf, |
93 | | gnutls_session_t session, size_t label_size, |
94 | | const char *label, size_t context_size, |
95 | | const char *context, size_t outsize, |
96 | | char *out, bool early) |
97 | 0 | { |
98 | 0 | uint8_t secret[MAX_HASH_SIZE]; |
99 | 0 | uint8_t digest[MAX_HASH_SIZE]; |
100 | 0 | unsigned digest_size = prf->output_size; |
101 | 0 | int ret; |
102 | |
|
103 | 0 | ret = _tls13_derive_secret2(prf, label, label_size, NULL, 0, |
104 | 0 | session->key.proto.tls13.ap_expkey, secret); |
105 | 0 | if (ret < 0) |
106 | 0 | return gnutls_assert_val(ret); |
107 | | |
108 | 0 | ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id, context, |
109 | 0 | context_size, digest); |
110 | 0 | if (ret < 0) |
111 | 0 | return gnutls_assert_val(ret); |
112 | | |
113 | 0 | return _tls13_expand_secret2(prf, EXPORTER_LABEL, |
114 | 0 | sizeof(EXPORTER_LABEL) - 1, digest, |
115 | 0 | digest_size, secret, outsize, out); |
116 | 0 | } |
117 | | |
118 | | /** |
119 | | * gnutls_prf_rfc5705: |
120 | | * @session: is a #gnutls_session_t type. |
121 | | * @label_size: length of the @label variable. |
122 | | * @label: label used in PRF computation, typically a short string. |
123 | | * @context_size: length of the @extra variable. |
124 | | * @context: optional extra data to seed the PRF with. |
125 | | * @outsize: size of pre-allocated output buffer to hold the output. |
126 | | * @out: pre-allocated buffer to hold the generated data. |
127 | | * |
128 | | * Exports keying material from TLS/DTLS session to an application, as |
129 | | * specified in RFC5705. |
130 | | * |
131 | | * In the TLS versions prior to 1.3, it applies the TLS |
132 | | * Pseudo-Random-Function (PRF) on the master secret and the provided |
133 | | * data, seeded with the client and server random fields. |
134 | | * |
135 | | * In TLS 1.3, it applies HKDF on the exporter master secret derived |
136 | | * from the master secret. |
137 | | * |
138 | | * The @label variable usually contains a string denoting the purpose |
139 | | * for the generated data. |
140 | | * |
141 | | * The @context variable can be used to add more data to the seed, after |
142 | | * the random variables. It can be used to make sure the |
143 | | * generated output is strongly connected to some additional data |
144 | | * (e.g., a string used in user authentication). |
145 | | * |
146 | | * The output is placed in @out, which must be pre-allocated. |
147 | | * |
148 | | * Note that, to provide the RFC5705 context, the @context variable |
149 | | * must be non-null. |
150 | | * |
151 | | * Returns: %GNUTLS_E_SUCCESS on success, or an error code. |
152 | | * |
153 | | * Since: 3.4.4 |
154 | | **/ |
155 | | int gnutls_prf_rfc5705(gnutls_session_t session, size_t label_size, |
156 | | const char *label, size_t context_size, |
157 | | const char *context, size_t outsize, char *out) |
158 | 0 | { |
159 | 0 | const version_entry_st *vers = get_version(session); |
160 | 0 | int ret; |
161 | |
|
162 | 0 | if (session->security_parameters.prf == NULL) |
163 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
164 | | |
165 | 0 | if (vers && vers->tls13_sem) { |
166 | 0 | ret = _tls13_derive_exporter(session->security_parameters.prf, |
167 | 0 | session, label_size, label, |
168 | 0 | context_size, context, outsize, |
169 | 0 | out, 0); |
170 | 0 | } else { |
171 | 0 | char *pctx = NULL; |
172 | |
|
173 | 0 | if (context != NULL && context_size > 65535) { |
174 | 0 | gnutls_assert(); |
175 | 0 | return GNUTLS_E_INVALID_REQUEST; |
176 | 0 | } |
177 | | |
178 | 0 | if (context != NULL) { |
179 | 0 | pctx = gnutls_malloc(context_size + 2); |
180 | 0 | if (!pctx) { |
181 | 0 | gnutls_assert(); |
182 | 0 | return GNUTLS_E_MEMORY_ERROR; |
183 | 0 | } |
184 | | |
185 | 0 | memcpy(pctx + 2, context, context_size); |
186 | 0 | _gnutls_write_uint16(context_size, (void *)pctx); |
187 | 0 | context_size += 2; |
188 | 0 | } |
189 | | |
190 | 0 | ret = gnutls_prf(session, label_size, label, 0, context_size, |
191 | 0 | pctx, outsize, out); |
192 | |
|
193 | 0 | gnutls_free(pctx); |
194 | 0 | } |
195 | | |
196 | 0 | return ret; |
197 | 0 | } |
198 | | |
199 | | /** |
200 | | * gnutls_prf_early: |
201 | | * @session: is a #gnutls_session_t type. |
202 | | * @label_size: length of the @label variable. |
203 | | * @label: label used in PRF computation, typically a short string. |
204 | | * @context_size: length of the @extra variable. |
205 | | * @context: optional extra data to seed the PRF with. |
206 | | * @outsize: size of pre-allocated output buffer to hold the output. |
207 | | * @out: pre-allocated buffer to hold the generated data. |
208 | | * |
209 | | * This function is similar to gnutls_prf_rfc5705(), but only works in |
210 | | * TLS 1.3 or later to export early keying material. |
211 | | * |
212 | | * Note that the keying material is only available after the |
213 | | * ClientHello message is processed and before the application traffic |
214 | | * keys are established. Therefore this function shall be called in a |
215 | | * handshake hook function for %GNUTLS_HANDSHAKE_CLIENT_HELLO. |
216 | | * |
217 | | * The @label variable usually contains a string denoting the purpose |
218 | | * for the generated data. |
219 | | * |
220 | | * The @context variable can be used to add more data to the seed, after |
221 | | * the random variables. It can be used to make sure the |
222 | | * generated output is strongly connected to some additional data |
223 | | * (e.g., a string used in user authentication). |
224 | | * |
225 | | * The output is placed in @out, which must be pre-allocated. |
226 | | * |
227 | | * Note that, to provide the RFC5705 context, the @context variable |
228 | | * must be non-null. |
229 | | * |
230 | | * Returns: %GNUTLS_E_SUCCESS on success, or an error code. |
231 | | * |
232 | | * Since: 3.6.8 |
233 | | **/ |
234 | | int gnutls_prf_early(gnutls_session_t session, size_t label_size, |
235 | | const char *label, size_t context_size, |
236 | | const char *context, size_t outsize, char *out) |
237 | 0 | { |
238 | 0 | if (session->internals.initial_negotiation_completed || |
239 | 0 | session->key.binders[0].prf == NULL) |
240 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
241 | | |
242 | 0 | return _tls13_derive_exporter(session->key.binders[0].prf, session, |
243 | 0 | label_size, label, context_size, context, |
244 | 0 | outsize, out, 1); |
245 | 0 | } |
246 | | |
247 | | /** |
248 | | * gnutls_prf: |
249 | | * @session: is a #gnutls_session_t type. |
250 | | * @label_size: length of the @label variable. |
251 | | * @label: label used in PRF computation, typically a short string. |
252 | | * @server_random_first: non-zero if server random field should be first in seed |
253 | | * @extra_size: length of the @extra variable. |
254 | | * @extra: optional extra data to seed the PRF with. |
255 | | * @outsize: size of pre-allocated output buffer to hold the output. |
256 | | * @out: pre-allocated buffer to hold the generated data. |
257 | | * |
258 | | * Applies the TLS Pseudo-Random-Function (PRF) on the master secret |
259 | | * and the provided data, seeded with the client and server random fields. |
260 | | * For the key expansion specified in RFC5705 see gnutls_prf_rfc5705(). |
261 | | * |
262 | | * The @label variable usually contains a string denoting the purpose |
263 | | * for the generated data. The @server_random_first indicates whether |
264 | | * the client random field or the server random field should be first |
265 | | * in the seed. Non-zero indicates that the server random field is first, |
266 | | * 0 that the client random field is first. |
267 | | * |
268 | | * The @extra variable can be used to add more data to the seed, after |
269 | | * the random variables. It can be used to make sure the |
270 | | * generated output is strongly connected to some additional data |
271 | | * (e.g., a string used in user authentication). |
272 | | * |
273 | | * The output is placed in @out, which must be pre-allocated. |
274 | | * |
275 | | * Note: This function produces identical output with gnutls_prf_rfc5705() |
276 | | * when @server_random_first is set to 0 and @extra is %NULL. Under TLS1.3 |
277 | | * this function will only operate when these conditions are true, or otherwise |
278 | | * return %GNUTLS_E_INVALID_REQUEST. |
279 | | * |
280 | | * Returns: %GNUTLS_E_SUCCESS on success, or an error code. |
281 | | **/ |
282 | | int gnutls_prf(gnutls_session_t session, size_t label_size, const char *label, |
283 | | int server_random_first, size_t extra_size, const char *extra, |
284 | | size_t outsize, char *out) |
285 | 0 | { |
286 | 0 | int ret; |
287 | 0 | uint8_t *seed; |
288 | 0 | const version_entry_st *vers = get_version(session); |
289 | 0 | size_t seedsize = 2 * GNUTLS_RANDOM_SIZE + extra_size; |
290 | |
|
291 | 0 | if (vers && vers->tls13_sem) { |
292 | 0 | if (extra == NULL && server_random_first == 0) |
293 | 0 | return gnutls_prf_rfc5705(session, label_size, label, |
294 | 0 | extra_size, extra, outsize, |
295 | 0 | out); |
296 | 0 | else |
297 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
298 | 0 | } |
299 | | |
300 | 0 | if (session->security_parameters.prf == NULL) |
301 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
302 | | |
303 | 0 | seed = gnutls_malloc(seedsize); |
304 | 0 | if (!seed) { |
305 | 0 | gnutls_assert(); |
306 | 0 | return GNUTLS_E_MEMORY_ERROR; |
307 | 0 | } |
308 | | |
309 | 0 | memcpy(seed, |
310 | 0 | server_random_first ? |
311 | 0 | session->security_parameters.server_random : |
312 | 0 | session->security_parameters.client_random, |
313 | 0 | GNUTLS_RANDOM_SIZE); |
314 | 0 | memcpy(seed + GNUTLS_RANDOM_SIZE, |
315 | 0 | server_random_first ? |
316 | 0 | session->security_parameters.client_random : |
317 | 0 | session->security_parameters.server_random, |
318 | 0 | GNUTLS_RANDOM_SIZE); |
319 | |
|
320 | 0 | if (extra && extra_size) { |
321 | 0 | memcpy(seed + 2 * GNUTLS_RANDOM_SIZE, extra, extra_size); |
322 | 0 | } |
323 | |
|
324 | 0 | ret = _gnutls_prf_raw(session->security_parameters.prf->id, |
325 | 0 | GNUTLS_MASTER_SIZE, |
326 | 0 | session->security_parameters.master_secret, |
327 | 0 | label_size, label, seedsize, seed, outsize, out); |
328 | |
|
329 | 0 | gnutls_free(seed); |
330 | |
|
331 | 0 | return ret; |
332 | 0 | } |