summaryrefslogtreecommitdiff
path: root/lib/libssl/tls12_key_schedule.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libssl/tls12_key_schedule.c')
-rw-r--r--lib/libssl/tls12_key_schedule.c175
1 files changed, 175 insertions, 0 deletions
diff --git a/lib/libssl/tls12_key_schedule.c b/lib/libssl/tls12_key_schedule.c
new file mode 100644
index 00000000000..c206460d959
--- /dev/null
+++ b/lib/libssl/tls12_key_schedule.c
@@ -0,0 +1,175 @@
+/* $OpenBSD: tls12_key_schedule.c,v 1.1 2021/05/05 10:05:27 jsing Exp $ */
+/*
+ * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+
+#include <openssl/evp.h>
+
+#include "bytestring.h"
+#include "ssl_locl.h"
+
+struct tls12_key_block {
+ CBS client_write_mac_key;
+ CBS server_write_mac_key;
+ CBS client_write_key;
+ CBS server_write_key;
+ CBS client_write_iv;
+ CBS server_write_iv;
+
+ uint8_t *key_block;
+ size_t key_block_len;
+};
+
+struct tls12_key_block *
+tls12_key_block_new(void)
+{
+ return calloc(1, sizeof(struct tls12_key_block));
+}
+
+static void
+tls12_key_block_clear(struct tls12_key_block *kb)
+{
+ CBS_init(&kb->client_write_mac_key, NULL, 0);
+ CBS_init(&kb->server_write_mac_key, NULL, 0);
+ CBS_init(&kb->client_write_key, NULL, 0);
+ CBS_init(&kb->server_write_key, NULL, 0);
+ CBS_init(&kb->client_write_iv, NULL, 0);
+ CBS_init(&kb->server_write_iv, NULL, 0);
+
+ freezero(kb->key_block, kb->key_block_len);
+ kb->key_block = NULL;
+ kb->key_block_len = 0;
+}
+
+void
+tls12_key_block_free(struct tls12_key_block *kb)
+{
+ if (kb == NULL)
+ return;
+
+ tls12_key_block_clear(kb);
+
+ freezero(kb, sizeof(struct tls12_key_block));
+}
+
+void
+tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key,
+ CBS *key, CBS *iv)
+{
+ CBS_dup(&kb->client_write_mac_key, mac_key);
+ CBS_dup(&kb->client_write_key, key);
+ CBS_dup(&kb->client_write_iv, iv);
+}
+
+void
+tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key,
+ CBS *key, CBS *iv)
+{
+ CBS_dup(&kb->server_write_mac_key, mac_key);
+ CBS_dup(&kb->server_write_key, key);
+ CBS_dup(&kb->server_write_iv, iv);
+}
+
+int
+tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
+ const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash)
+{
+ size_t mac_key_len = 0, key_len = 0, iv_len = 0;
+ uint8_t *key_block = NULL;
+ size_t key_block_len = 0;
+ CBS cbs;
+
+ /*
+ * Generate a TLSv1.2 key block and partition into individual secrets,
+ * as per RFC 5246 section 6.3.
+ */
+
+ tls12_key_block_clear(kb);
+
+ /* Must have AEAD or cipher/MAC pair. */
+ if (aead == NULL && (cipher == NULL || mac_hash == NULL))
+ goto err;
+
+ if (aead != NULL) {
+ key_len = EVP_AEAD_key_length(aead);
+
+ /* AEAD fixed nonce length. */
+ if (aead == EVP_aead_aes_128_gcm() ||
+ aead == EVP_aead_aes_256_gcm())
+ iv_len = 4;
+ else if (aead == EVP_aead_chacha20_poly1305())
+ iv_len = 12;
+ else
+ goto err;
+ } else if (cipher != NULL && mac_hash != NULL) {
+ /*
+ * A negative integer return value will be detected via the
+ * EVP_MAX_* checks against the size_t variables below.
+ */
+ mac_key_len = EVP_MD_size(mac_hash);
+ key_len = EVP_CIPHER_key_length(cipher);
+ iv_len = EVP_CIPHER_iv_length(cipher);
+
+ /* Special handling for GOST... */
+ if (EVP_MD_type(mac_hash) == NID_id_Gost28147_89_MAC)
+ mac_key_len = 32;
+ }
+
+ if (mac_key_len > EVP_MAX_MD_SIZE)
+ goto err;
+ if (key_len > EVP_MAX_KEY_LENGTH)
+ goto err;
+ if (iv_len > EVP_MAX_IV_LENGTH)
+ goto err;
+
+ key_block_len = 2 * mac_key_len + 2 * key_len + 2 * iv_len;
+ if ((key_block = calloc(1, key_block_len)) == NULL)
+ goto err;
+
+ if (!tls1_generate_key_block(s, key_block, key_block_len))
+ goto err;
+
+ kb->key_block = key_block;
+ kb->key_block_len = key_block_len;
+ key_block = NULL;
+ key_block_len = 0;
+
+ /* Partition key block into individual secrets. */
+ CBS_init(&cbs, kb->key_block, kb->key_block_len);
+ if (!CBS_get_bytes(&cbs, &kb->client_write_mac_key, mac_key_len))
+ goto err;
+ if (!CBS_get_bytes(&cbs, &kb->server_write_mac_key, mac_key_len))
+ goto err;
+ if (!CBS_get_bytes(&cbs, &kb->client_write_key, key_len))
+ goto err;
+ if (!CBS_get_bytes(&cbs, &kb->server_write_key, key_len))
+ goto err;
+ if (!CBS_get_bytes(&cbs, &kb->client_write_iv, iv_len))
+ goto err;
+ if (!CBS_get_bytes(&cbs, &kb->server_write_iv, iv_len))
+ goto err;
+ if (CBS_len(&cbs) != 0)
+ goto err;
+
+ return 1;
+
+ err:
+ tls12_key_block_clear(kb);
+ freezero(key_block, key_block_len);
+
+ return 0;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-17 16:58:31 +0000