From 1eff3485b63f84956b5f212aa4d853783bf6c8b5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 19 Jan 2016 13:57:19 +0000 Subject: [PATCH] Add TLS PRF method. Add EVP_PKEY algorithm for TLS1 PRF. Reviewed-by: Matt Caswell --- Makefile.in | 2 +- crypto/evp/pmeth_lib.c | 3 +- crypto/include/internal/evp_int.h | 1 + crypto/kdf/Makefile.in | 57 ++++++ crypto/kdf/tls1_prf.c | 283 ++++++++++++++++++++++++++++++ crypto/objects/obj_dat.h | 9 +- crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 3 + include/openssl/evp.h | 1 + include/openssl/kdf.h | 81 +++++++++ include/openssl/obj_mac.h | 4 + 11 files changed, 440 insertions(+), 5 deletions(-) create mode 100644 crypto/kdf/Makefile.in create mode 100644 crypto/kdf/tls1_prf.c create mode 100644 include/openssl/kdf.h diff --git a/Makefile.in b/Makefile.in index 496f118e11..8dd7f1aaff 100644 --- a/Makefile.in +++ b/Makefile.in @@ -144,7 +144,7 @@ SDIRS= \ bn ec rsa dsa dh dso engine \ buffer bio stack lhash rand err \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \ - cms pqueue ts jpake srp store cmac ct async + cms pqueue ts jpake srp store cmac ct async kdf # keep in mind that the above list is adjusted by ./Configure # according to no-xxx arguments... diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index f5d558feca..1d7d57697c 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -87,8 +87,9 @@ static const EVP_PKEY_METHOD *standard_methods[] = { &hmac_pkey_meth, &cmac_pkey_meth, #ifndef OPENSSL_NO_DH - &dhx_pkey_meth + &dhx_pkey_meth, #endif + &tls1_prf_pkey_meth }; DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index e6be4323c2..da73e70ff1 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -131,6 +131,7 @@ extern const EVP_PKEY_METHOD dsa_pkey_meth; extern const EVP_PKEY_METHOD ec_pkey_meth; extern const EVP_PKEY_METHOD hmac_pkey_meth; extern const EVP_PKEY_METHOD rsa_pkey_meth; +extern const EVP_PKEY_METHOD tls1_prf_pkey_meth; struct evp_md_st { int type; diff --git a/crypto/kdf/Makefile.in b/crypto/kdf/Makefile.in new file mode 100644 index 0000000000..25798afeec --- /dev/null +++ b/crypto/kdf/Makefile.in @@ -0,0 +1,57 @@ +# +# OpenSSL/crypto/kdf/Makefile +# + +DIR= kdf +TOP= ../.. +CC= cc +INCLUDES= +CFLAG=-g +MAKEFILE= Makefile +AR= ar r + +CFLAGS= $(INCLUDES) $(CFLAG) + +GENERAL=Makefile + +LIB=$(TOP)/libcrypto.a +LIBSRC=tls1_prf.c +LIBOBJ=tls1_prf.o + +SRC= $(LIBSRC) + +HEADER= + +ALL= $(GENERAL) $(SRC) $(HEADER) + +top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +tags: + ctags $(SRC) + +tests: + +lint: + lint -DLINT $(INCLUDES) $(SRC)>fluff + +update: depend + +depend: + @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + +clean: + rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + +# DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/kdf/tls1_prf.c b/crypto/kdf/tls1_prf.c new file mode 100644 index 0000000000..3c14b904f8 --- /dev/null +++ b/crypto/kdf/tls1_prf.c @@ -0,0 +1,283 @@ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2016. + */ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include "internal/cryptlib.h" +#include +#include +#include "internal/evp_int.h" + +static int tls1_prf_alg(const EVP_MD *md, + const unsigned char *sec, size_t slen, + const unsigned char *seed, size_t seed_len, + unsigned char *out, size_t olen); + +#define TLS1_PRF_MAXBUF 1024 + +/* TLS KDF pkey context structure */ + +typedef struct { + /* Digest to use for PRF */ + const EVP_MD *md; + /* Secret value to use for PRF */ + unsigned char *sec; + size_t seclen; + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; +} TLS1_PRF_PKEY_CTX; + +static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx) +{ + TLS1_PRF_PKEY_CTX *kctx; + + kctx = OPENSSL_zalloc(sizeof(*kctx)); + if (kctx == NULL) + return 0; + ctx->data = kctx; + + return 1; +} + +static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx) +{ + TLS1_PRF_PKEY_CTX *kctx = ctx->data; + OPENSSL_clear_free(kctx->sec, kctx->seclen); + OPENSSL_cleanse(kctx->seed, kctx->seedlen); + OPENSSL_free(kctx); +} + +static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +{ + TLS1_PRF_PKEY_CTX *kctx = ctx->data; + switch (type) { + case EVP_PKEY_CTRL_TLS_MD: + kctx->md = p2; + return 1; + + case EVP_PKEY_CTRL_TLS_SECRET: + if (p1 < 0) + return 0; + if (kctx->sec != NULL) + OPENSSL_clear_free(kctx->sec, kctx->seclen); + OPENSSL_cleanse(kctx->seed, kctx->seedlen); + kctx->seedlen = 0; + kctx->sec = OPENSSL_memdup(p2, p1); + if (kctx->sec == NULL) + return 0; + kctx->seclen = p1; + return 1; + + case EVP_PKEY_CTRL_TLS_SEED: + if (p1 == 0 || p2 == NULL) + return 1; + if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen)) + return 0; + memcpy(kctx->seed + kctx->seedlen, p2, p1); + kctx->seedlen += p1; + return 1; + + default: + return -2; + + } +} + +static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + TLS1_PRF_PKEY_CTX *kctx = ctx->data; + if (kctx->md == NULL || kctx->sec == NULL || kctx->seed == NULL) + return 0; + return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen, + kctx->seed, kctx->seedlen, + key, *keylen); +} + +const EVP_PKEY_METHOD tls1_prf_pkey_meth = { + EVP_PKEY_TLS1_PRF, + 0, + pkey_tls1_prf_init, + 0, + pkey_tls1_prf_cleanup, + + 0, 0, + 0, 0, + + 0, + 0, + + 0, + 0, + + 0, 0, + + 0, 0, 0, 0, + + 0, 0, + + 0, 0, + + 0, + pkey_tls1_prf_derive, + pkey_tls1_prf_ctrl, + 0 +}; + +static int tls1_prf_P_hash(const EVP_MD *md, + const unsigned char *sec, size_t sec_len, + const unsigned char *seed, size_t seed_len, + unsigned char *out, size_t olen) +{ + int chunk; + EVP_MD_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL; + EVP_PKEY *mac_key = NULL; + unsigned char A1[EVP_MAX_MD_SIZE]; + size_t A1_len; + int ret = 0; + + chunk = EVP_MD_size(md); + OPENSSL_assert(chunk >= 0); + + ctx = EVP_MD_CTX_new(); + ctx_tmp = EVP_MD_CTX_new(); + ctx_init = EVP_MD_CTX_new(); + if (ctx == NULL || ctx_tmp == NULL || ctx_init == NULL) + goto err; + EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); + if (mac_key == NULL) + goto err; + if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key)) + goto err; + if (!EVP_MD_CTX_copy_ex(ctx, ctx_init)) + goto err; + if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len)) + goto err; + if (!EVP_DigestSignFinal(ctx, A1, &A1_len)) + goto err; + + for (;;) { + /* Reinit mac contexts */ + if (!EVP_MD_CTX_copy_ex(ctx, ctx_init)) + goto err; + if (!EVP_DigestSignUpdate(ctx, A1, A1_len)) + goto err; + if (olen > (size_t)chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx)) + goto err; + if (seed && !EVP_DigestSignUpdate(ctx, seed, seed_len)) + goto err; + + if (olen > (size_t)chunk) { + size_t mac_len; + if (!EVP_DigestSignFinal(ctx, out, &mac_len)) + goto err; + out += mac_len; + olen -= mac_len; + /* calc the next A1 value */ + if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len)) + goto err; + } else { /* last one */ + + if (!EVP_DigestSignFinal(ctx, A1, &A1_len)) + goto err; + memcpy(out, A1, olen); + break; + } + } + ret = 1; + err: + EVP_PKEY_free(mac_key); + EVP_MD_CTX_free(ctx); + EVP_MD_CTX_free(ctx_tmp); + EVP_MD_CTX_free(ctx_init); + OPENSSL_cleanse(A1, sizeof(A1)); + return ret; +} + +static int tls1_prf_alg(const EVP_MD *md, + const unsigned char *sec, size_t slen, + const unsigned char *seed, size_t seed_len, + unsigned char *out, size_t olen) +{ + + if (EVP_MD_type(md) == NID_md5_sha1) { + size_t i; + unsigned char *tmp; + if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1), + seed, seed_len, out, olen)) + return 0; + + tmp = OPENSSL_malloc(olen); + if (tmp == NULL) + return 0; + if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1), + seed, seed_len, tmp, olen)) { + OPENSSL_clear_free(tmp, olen); + return 0; + } + for (i = 0; i < olen; i++) + out[i] ^= tmp[i]; + OPENSSL_clear_free(tmp, olen); + return 1; + } + if (!tls1_prf_P_hash(md, sec, slen, seed, seed_len, out, olen)) + return 0; + + return 1; +} diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index debf8cccf6..1f13992462 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,9 +62,9 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 1021 -#define NUM_SN 1014 -#define NUM_LN 1014 +#define NUM_NID 1022 +#define NUM_SN 1015 +#define NUM_LN 1015 #define NUM_OBJ 937 static const unsigned char lvalues[6612]={ @@ -2671,6 +2671,7 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ {"ChaCha20-Poly1305","chacha20-poly1305",NID_chacha20_poly1305,0,NULL,0}, {"ChaCha20","chacha20",NID_chacha20,0,NULL,0}, {"tlsfeature","TLS Feature",NID_tlsfeature,8,&(lvalues[6603]),0}, +{"TLS1-PRF","tls1-prf",NID_tls1_prf,0,NULL,0}, }; static const unsigned int sn_objs[NUM_SN]={ @@ -2878,6 +2879,7 @@ static const unsigned int sn_objs[NUM_SN]={ 1006, /* "SNILS" */ 16, /* "ST" */ 143, /* "SXNetID" */ +1021, /* "TLS1-PRF" */ 458, /* "UID" */ 0, /* "UNDEF" */ 11, /* "X500" */ @@ -4674,6 +4676,7 @@ static const unsigned int ln_objs[NUM_LN]={ 459, /* "textEncodedORAddress" */ 293, /* "textNotice" */ 106, /* "title" */ +1021, /* "tls1-prf" */ 682, /* "tpBasis" */ 436, /* "ucl" */ 0, /* "undefined" */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 5c6ffd41af..663e86c10c 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1018,3 +1018,4 @@ grasshopper_mac 1017 chacha20_poly1305 1018 chacha20 1019 tlsfeature 1020 +tls1_prf 1021 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index f34609dd26..1de8e79e5b 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -1428,3 +1428,6 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme # SCRYPT algorithm 1 3 6 1 4 1 11591 4 11 : id-scrypt + +# NID for TLS1 PRF + : TLS1-PRF : tls1-prf diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 80011828cb..2ed9faa24f 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -108,6 +108,7 @@ # define EVP_PKEY_EC NID_X9_62_id_ecPublicKey # define EVP_PKEY_HMAC NID_hmac # define EVP_PKEY_CMAC NID_cmac +# define EVP_PKEY_TLS1_PRF NID_tls1_prf #ifdef __cplusplus extern "C" { diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h new file mode 100644 index 0000000000..96ccf92397 --- /dev/null +++ b/include/openssl/kdf.h @@ -0,0 +1,81 @@ +/* kdf.h */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2016 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#ifndef HEADER_KDF_H +# define HEADER_KDF_H + +#ifdef __cplusplus +extern "C" { +#endif + +# define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) +# define EVP_PKEY_CTRL_TLS_SECRET (EVP_PKEY_ALG_CTRL + 1) +# define EVP_PKEY_CTRL_TLS_SEED (EVP_PKEY_ALG_CTRL + 2) + +# define EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_TLS_MD, 0, (void *)md) + +# define EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, seclen) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_TLS_SECRET, seclen, (void *)sec) + +# define EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed, seedlen) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_TLS_SEED, seedlen, (void *)seed) + +#ifdef __cplusplus +} +#endif +#endif diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 5f21fd5a32..04605e07b1 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -4463,3 +4463,7 @@ #define SN_id_scrypt "id-scrypt" #define NID_id_scrypt 973 #define OBJ_id_scrypt 1L,3L,6L,1L,4L,1L,11591L,4L,11L + +#define SN_tls1_prf "TLS1-PRF" +#define LN_tls1_prf "tls1-prf" +#define NID_tls1_prf 1021 -- 2.25.1