From e2496982472bdf233be95c5ea72d1c4dc6c91db3 Mon Sep 17 00:00:00 2001 From: cvs2svn Date: Sun, 23 Apr 2023 13:43:47 +0000 Subject: This commit was manufactured by cvs2git to create tag 'tb_20230422'. --- src/lib/libssl/tls12_key_schedule.c | 295 ------------------------------------ 1 file changed, 295 deletions(-) delete mode 100644 src/lib/libssl/tls12_key_schedule.c (limited to 'src/lib/libssl/tls12_key_schedule.c') diff --git a/src/lib/libssl/tls12_key_schedule.c b/src/lib/libssl/tls12_key_schedule.c deleted file mode 100644 index 6d714c1183..0000000000 --- a/src/lib/libssl/tls12_key_schedule.c +++ /dev/null @@ -1,295 +0,0 @@ -/* $OpenBSD: tls12_key_schedule.c,v 1.3 2022/11/26 16:08:56 tb Exp $ */ -/* - * Copyright (c) 2021 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include - -#include "bytestring.h" -#include "ssl_local.h" -#include "tls12_internal.h" - -struct tls12_key_block { - CBS client_write_mac_key; - CBS server_write_mac_key; - CBS client_write_key; - CBS server_write_key; - CBS client_write_iv; - CBS server_write_iv; - - uint8_t *key_block; - size_t key_block_len; -}; - -struct tls12_key_block * -tls12_key_block_new(void) -{ - return calloc(1, sizeof(struct tls12_key_block)); -} - -static void -tls12_key_block_clear(struct tls12_key_block *kb) -{ - CBS_init(&kb->client_write_mac_key, NULL, 0); - CBS_init(&kb->server_write_mac_key, NULL, 0); - CBS_init(&kb->client_write_key, NULL, 0); - CBS_init(&kb->server_write_key, NULL, 0); - CBS_init(&kb->client_write_iv, NULL, 0); - CBS_init(&kb->server_write_iv, NULL, 0); - - freezero(kb->key_block, kb->key_block_len); - kb->key_block = NULL; - kb->key_block_len = 0; -} - -void -tls12_key_block_free(struct tls12_key_block *kb) -{ - if (kb == NULL) - return; - - tls12_key_block_clear(kb); - - freezero(kb, sizeof(struct tls12_key_block)); -} - -void -tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key, - CBS *key, CBS *iv) -{ - CBS_dup(&kb->client_write_mac_key, mac_key); - CBS_dup(&kb->client_write_key, key); - CBS_dup(&kb->client_write_iv, iv); -} - -void -tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key, - CBS *key, CBS *iv) -{ - CBS_dup(&kb->server_write_mac_key, mac_key); - CBS_dup(&kb->server_write_key, key); - CBS_dup(&kb->server_write_iv, iv); -} - -int -tls12_key_block_generate(struct tls12_key_block *kb, SSL *s, - const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash) -{ - size_t mac_key_len = 0, key_len = 0, iv_len = 0; - uint8_t *key_block = NULL; - size_t key_block_len = 0; - CBS cbs; - - /* - * Generate a TLSv1.2 key block and partition into individual secrets, - * as per RFC 5246 section 6.3. - */ - - tls12_key_block_clear(kb); - - /* Must have AEAD or cipher/MAC pair. */ - if (aead == NULL && (cipher == NULL || mac_hash == NULL)) - goto err; - - if (aead != NULL) { - key_len = EVP_AEAD_key_length(aead); - - /* AEAD fixed nonce length. */ - if (aead == EVP_aead_aes_128_gcm() || - aead == EVP_aead_aes_256_gcm()) - iv_len = 4; - else if (aead == EVP_aead_chacha20_poly1305()) - iv_len = 12; - else - goto err; - } else if (cipher != NULL && mac_hash != NULL) { - /* - * A negative integer return value will be detected via the - * EVP_MAX_* checks against the size_t variables below. - */ - mac_key_len = EVP_MD_size(mac_hash); - key_len = EVP_CIPHER_key_length(cipher); - iv_len = EVP_CIPHER_iv_length(cipher); - - /* Special handling for GOST... */ - if (EVP_MD_type(mac_hash) == NID_id_Gost28147_89_MAC) - mac_key_len = 32; - } - - if (mac_key_len > EVP_MAX_MD_SIZE) - goto err; - if (key_len > EVP_MAX_KEY_LENGTH) - goto err; - if (iv_len > EVP_MAX_IV_LENGTH) - goto err; - - key_block_len = 2 * mac_key_len + 2 * key_len + 2 * iv_len; - if ((key_block = calloc(1, key_block_len)) == NULL) - goto err; - - if (!tls1_generate_key_block(s, key_block, key_block_len)) - goto err; - - kb->key_block = key_block; - kb->key_block_len = key_block_len; - key_block = NULL; - key_block_len = 0; - - /* Partition key block into individual secrets. */ - CBS_init(&cbs, kb->key_block, kb->key_block_len); - if (!CBS_get_bytes(&cbs, &kb->client_write_mac_key, mac_key_len)) - goto err; - if (!CBS_get_bytes(&cbs, &kb->server_write_mac_key, mac_key_len)) - goto err; - if (!CBS_get_bytes(&cbs, &kb->client_write_key, key_len)) - goto err; - if (!CBS_get_bytes(&cbs, &kb->server_write_key, key_len)) - goto err; - if (!CBS_get_bytes(&cbs, &kb->client_write_iv, iv_len)) - goto err; - if (!CBS_get_bytes(&cbs, &kb->server_write_iv, iv_len)) - goto err; - if (CBS_len(&cbs) != 0) - goto err; - - return 1; - - err: - tls12_key_block_clear(kb); - freezero(key_block, key_block_len); - - return 0; -} - -struct tls12_reserved_label { - const char *label; - size_t label_len; -}; - -/* - * RFC 5705 section 6. - */ -static const struct tls12_reserved_label tls12_reserved_labels[] = { - { - .label = TLS_MD_CLIENT_FINISH_CONST, - .label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, - }, - { - .label = TLS_MD_SERVER_FINISH_CONST, - .label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, - }, - { - .label = TLS_MD_MASTER_SECRET_CONST, - .label_len = TLS_MD_MASTER_SECRET_CONST_SIZE, - }, - { - .label = TLS_MD_KEY_EXPANSION_CONST, - .label_len = TLS_MD_KEY_EXPANSION_CONST_SIZE, - }, - { - .label = NULL, - .label_len = 0, - }, -}; - -int -tls12_exporter(SSL *s, const uint8_t *label, size_t label_len, - const uint8_t *context_value, size_t context_value_len, int use_context, - uint8_t *out, size_t out_len) -{ - uint8_t *data = NULL; - size_t data_len = 0; - CBB cbb, context; - CBS seed; - size_t i; - int ret = 0; - - /* - * RFC 5705 - Key Material Exporters for TLS. - */ - - memset(&cbb, 0, sizeof(cbb)); - - if (!SSL_is_init_finished(s)) { - SSLerror(s, SSL_R_BAD_STATE); - goto err; - } - - if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) - goto err; - - /* - * Due to exceptional design choices, we need to build a concatenation - * of the label and the seed value, before checking for reserved - * labels. This prevents a reserved label from being split across the - * label and the seed (that includes the client random), which are - * concatenated by the PRF. - */ - if (!CBB_init(&cbb, 0)) - goto err; - if (!CBB_add_bytes(&cbb, label, label_len)) - goto err; - if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) - goto err; - if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE)) - goto err; - if (use_context) { - if (!CBB_add_u16_length_prefixed(&cbb, &context)) - goto err; - if (context_value_len > 0) { - if (!CBB_add_bytes(&context, context_value, - context_value_len)) - goto err; - } - } - if (!CBB_finish(&cbb, &data, &data_len)) - goto err; - - /* - * Ensure that the block (label + seed) does not start with a reserved - * label - in an ideal world we would ensure that the label has an - * explicitly permitted prefix instead, but of course this also got - * messed up by the standards. - */ - for (i = 0; tls12_reserved_labels[i].label != NULL; i++) { - /* XXX - consider adding/using CBS_has_prefix(). */ - if (tls12_reserved_labels[i].label_len > data_len) - goto err; - if (memcmp(data, tls12_reserved_labels[i].label, - tls12_reserved_labels[i].label_len) == 0) { - SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); - goto err; - } - } - - CBS_init(&seed, data, data_len); - if (!CBS_skip(&seed, label_len)) - goto err; - - if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length, - label, label_len, CBS_data(&seed), CBS_len(&seed), NULL, 0, NULL, 0, - NULL, 0, out, out_len)) - goto err; - - ret = 1; - - err: - freezero(data, data_len); - CBB_cleanup(&cbb); - - return ret; -} -- cgit v1.2.3-55-g6feb