175 lines
4.5 KiB
C
Executable file
175 lines
4.5 KiB
C
Executable file
/* $OpenBSD: tls12_key_schedule.c,v 1.1 2021/05/05 10:05:27 jsing Exp $ */
|
|
/*
|
|
* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include "bytestring.h"
|
|
#include "ssl_locl.h"
|
|
|
|
struct tls12_key_block {
|
|
CBS client_write_mac_key;
|
|
CBS server_write_mac_key;
|
|
CBS client_write_key;
|
|
CBS server_write_key;
|
|
CBS client_write_iv;
|
|
CBS server_write_iv;
|
|
|
|
uint8_t *key_block;
|
|
size_t key_block_len;
|
|
};
|
|
|
|
struct tls12_key_block *
|
|
tls12_key_block_new(void)
|
|
{
|
|
return calloc(1, sizeof(struct tls12_key_block));
|
|
}
|
|
|
|
static void
|
|
tls12_key_block_clear(struct tls12_key_block *kb)
|
|
{
|
|
CBS_init(&kb->client_write_mac_key, NULL, 0);
|
|
CBS_init(&kb->server_write_mac_key, NULL, 0);
|
|
CBS_init(&kb->client_write_key, NULL, 0);
|
|
CBS_init(&kb->server_write_key, NULL, 0);
|
|
CBS_init(&kb->client_write_iv, NULL, 0);
|
|
CBS_init(&kb->server_write_iv, NULL, 0);
|
|
|
|
freezero(kb->key_block, kb->key_block_len);
|
|
kb->key_block = NULL;
|
|
kb->key_block_len = 0;
|
|
}
|
|
|
|
void
|
|
tls12_key_block_free(struct tls12_key_block *kb)
|
|
{
|
|
if (kb == NULL)
|
|
return;
|
|
|
|
tls12_key_block_clear(kb);
|
|
|
|
freezero(kb, sizeof(struct tls12_key_block));
|
|
}
|
|
|
|
void
|
|
tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key,
|
|
CBS *key, CBS *iv)
|
|
{
|
|
CBS_dup(&kb->client_write_mac_key, mac_key);
|
|
CBS_dup(&kb->client_write_key, key);
|
|
CBS_dup(&kb->client_write_iv, iv);
|
|
}
|
|
|
|
void
|
|
tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key,
|
|
CBS *key, CBS *iv)
|
|
{
|
|
CBS_dup(&kb->server_write_mac_key, mac_key);
|
|
CBS_dup(&kb->server_write_key, key);
|
|
CBS_dup(&kb->server_write_iv, iv);
|
|
}
|
|
|
|
int
|
|
tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
|
|
const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash)
|
|
{
|
|
size_t mac_key_len = 0, key_len = 0, iv_len = 0;
|
|
uint8_t *key_block = NULL;
|
|
size_t key_block_len = 0;
|
|
CBS cbs;
|
|
|
|
/*
|
|
* Generate a TLSv1.2 key block and partition into individual secrets,
|
|
* as per RFC 5246 section 6.3.
|
|
*/
|
|
|
|
tls12_key_block_clear(kb);
|
|
|
|
/* Must have AEAD or cipher/MAC pair. */
|
|
if (aead == NULL && (cipher == NULL || mac_hash == NULL))
|
|
goto err;
|
|
|
|
if (aead != NULL) {
|
|
key_len = EVP_AEAD_key_length(aead);
|
|
|
|
/* AEAD fixed nonce length. */
|
|
if (aead == EVP_aead_aes_128_gcm() ||
|
|
aead == EVP_aead_aes_256_gcm())
|
|
iv_len = 4;
|
|
else if (aead == EVP_aead_chacha20_poly1305())
|
|
iv_len = 12;
|
|
else
|
|
goto err;
|
|
} else if (cipher != NULL && mac_hash != NULL) {
|
|
/*
|
|
* A negative integer return value will be detected via the
|
|
* EVP_MAX_* checks against the size_t variables below.
|
|
*/
|
|
mac_key_len = EVP_MD_size(mac_hash);
|
|
key_len = EVP_CIPHER_key_length(cipher);
|
|
iv_len = EVP_CIPHER_iv_length(cipher);
|
|
|
|
/* Special handling for GOST... */
|
|
if (EVP_MD_type(mac_hash) == NID_id_Gost28147_89_MAC)
|
|
mac_key_len = 32;
|
|
}
|
|
|
|
if (mac_key_len > EVP_MAX_MD_SIZE)
|
|
goto err;
|
|
if (key_len > EVP_MAX_KEY_LENGTH)
|
|
goto err;
|
|
if (iv_len > EVP_MAX_IV_LENGTH)
|
|
goto err;
|
|
|
|
key_block_len = 2 * mac_key_len + 2 * key_len + 2 * iv_len;
|
|
if ((key_block = calloc(1, key_block_len)) == NULL)
|
|
goto err;
|
|
|
|
if (!tls1_generate_key_block(s, key_block, key_block_len))
|
|
goto err;
|
|
|
|
kb->key_block = key_block;
|
|
kb->key_block_len = key_block_len;
|
|
key_block = NULL;
|
|
key_block_len = 0;
|
|
|
|
/* Partition key block into individual secrets. */
|
|
CBS_init(&cbs, kb->key_block, kb->key_block_len);
|
|
if (!CBS_get_bytes(&cbs, &kb->client_write_mac_key, mac_key_len))
|
|
goto err;
|
|
if (!CBS_get_bytes(&cbs, &kb->server_write_mac_key, mac_key_len))
|
|
goto err;
|
|
if (!CBS_get_bytes(&cbs, &kb->client_write_key, key_len))
|
|
goto err;
|
|
if (!CBS_get_bytes(&cbs, &kb->server_write_key, key_len))
|
|
goto err;
|
|
if (!CBS_get_bytes(&cbs, &kb->client_write_iv, iv_len))
|
|
goto err;
|
|
if (!CBS_get_bytes(&cbs, &kb->server_write_iv, iv_len))
|
|
goto err;
|
|
if (CBS_len(&cbs) != 0)
|
|
goto err;
|
|
|
|
return 1;
|
|
|
|
err:
|
|
tls12_key_block_clear(kb);
|
|
freezero(key_block, key_block_len);
|
|
|
|
return 0;
|
|
}
|