diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index fb16215f78..1e5742b12b 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -87,6 +87,7 @@
 #include "rsa/blinding.c"
 #include "rsa/padding.c"
 #include "rsa/rsa.c"
+#include "tls/kdf.c"
 #include "rsa/rsa_impl.c"
 #include "sha/sha1-altivec.c"
 #include "sha/sha1.c"
diff --git a/crypto/fipsmodule/tls/internal.h b/crypto/fipsmodule/tls/internal.h
new file mode 100644
index 0000000000..ef642a6cd5
--- /dev/null
+++ b/crypto/fipsmodule/tls/internal.h
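Review bot: `+#include "tls/kdf.c"` is inserted between `rsa/rsa.c` and `rsa/rsa_impl.c`, splitting the rsa group of what is otherwise an alphabetically ordered list of module sources; put it after the last `sha/` entry (the rest of the list runs past this hunk) so the `tls/` entry sorts with its neighbours. Since bcm.c is the single translation unit of the FIPS module, this include also moves the TLS PRF, including its MD5/SHA-1 path, inside the module boundary; that appears to be the intent of the change, but it deserves a one-line note next to the include, e.g. `#include "tls/kdf.c"  // TLS 1.0-1.2 PRF, in-module so ssl/ uses the validated KDF`.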
@@ -0,0 +1,39 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
+
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// tls1_prf calculates |out_len| bytes of the TLS PDF, using |digest|, and
+// writes them to |out|. It returns one on success and zero on error.
+OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,
+ uint8_t *out, size_t out_len,
+ const uint8_t *secret, size_t secret_len,
+ const char *label, size_t label_len,
+ const uint8_t *seed1, size_t seed1_len,
+ const uint8_t *seed2, size_t seed2_len);
+
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H
diff --git a/crypto/fipsmodule/tls/kdf.c b/crypto/fipsmodule/tls/kdf.c
new file mode 100644
index 0000000000..120553f92c
--- /dev/null
+++ b/crypto/fipsmodule/tls/kdf.c
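Review bot: The comment on the only declaration in this header names the wrong function and has a typo: it says `tls1_prf` and "TLS PDF" while the prototype is `CRYPTO_tls1_prf` and what is computed is the PRF; write `// CRYPTO_tls1_prf calculates |out_len| bytes of the TLS PRF, using |digest|, and`. It should also state what the seed is (the concatenation of |label|, |seed1| and |seed2|, as the P_hash comment in kdf.c says) and that when |digest| is EVP_md5_sha1() the |secret| is split between MD5 and SHA-1, since callers in ssl/ only ever see this header. `OPENSSL_EXPORT` on a function declared in an internal.h also makes the symbol part of libcrypto's exported surface in shared builds; a short note that it is exported only so ssl/ can reach it across the library boundary would stop someone treating it as public API.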
@@ -0,0 +1,160 @@
+/* ====================================================================
+ * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include
+
+#include "internal.h"
+
+
+// tls1_P_hash computes the TLS P_ function as described in RFC 5246,
+// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
+// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
+// form the seed parameter. It returns true on success and false on failure.
+static int tls1_P_hash(uint8_t *out, size_t out_len,
+ const EVP_MD *md,
+ const uint8_t *secret, size_t secret_len,
+ const char *label, size_t label_len,
+ const uint8_t *seed1, size_t seed1_len,
+ const uint8_t *seed2, size_t seed2_len) {
+ HMAC_CTX ctx, ctx_tmp, ctx_init;
+ uint8_t A1[EVP_MAX_MD_SIZE];
+ unsigned A1_len;
+ int ret = 0;
+
+ const size_t chunk = EVP_MD_size(md);
+ HMAC_CTX_init(&ctx);
+ HMAC_CTX_init(&ctx_tmp);
+ HMAC_CTX_init(&ctx_init);
+
+ if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||
+ !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
+ !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
+ !HMAC_Update(&ctx, seed1, seed1_len) ||
+ !HMAC_Update(&ctx, seed2, seed2_len) ||
+ !HMAC_Final(&ctx, A1, &A1_len)) {
+ goto err;
+ }
+
+ for (;;) {
+ unsigned len;
+ uint8_t hmac[EVP_MAX_MD_SIZE];
+ if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||
+ !HMAC_Update(&ctx, A1, A1_len) ||
+ // Save a copy of |ctx| to compute the next A1 value below.
+ (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||
+ !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||
+ !HMAC_Update(&ctx, seed1, seed1_len) ||
+ !HMAC_Update(&ctx, seed2, seed2_len) ||
+ !HMAC_Final(&ctx, hmac, &len)) {
+ goto err;
+ }
+ assert(len == chunk);
+
+ // XOR the result into |out|.
+ if (len > out_len) {
+ len = out_len;
+ }
+ for (unsigned i = 0; i < len; i++) {
+ out[i] ^= hmac[i];
+ }
+ out += len;
+ out_len -= len;
+
+ if (out_len == 0) {
+ break;
+ }
+
+ // Calculate the next A1 value.
+ if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {
+ goto err;
+ }
+ }
+
+ ret = 1;
+
+err:
+ OPENSSL_cleanse(A1, sizeof(A1));
+ HMAC_CTX_cleanup(&ctx);
+ HMAC_CTX_cleanup(&ctx_tmp);
+ HMAC_CTX_cleanup(&ctx_init);
+ return ret;
+}
+
+int CRYPTO_tls1_prf(const EVP_MD *digest,
+ uint8_t *out, size_t out_len,
+ const uint8_t *secret, size_t secret_len,
+ const char *label, size_t label_len,
+ const uint8_t *seed1, size_t seed1_len,
+ const uint8_t *seed2, size_t seed2_len) {
+ if (out_len == 0) {
+ return 1;
+ }
+
+ OPENSSL_memset(out, 0, out_len);
+
+ if (digest == EVP_md5_sha1()) {
+ // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
+ size_t secret_half = secret_len - (secret_len / 2);
+ if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label,
+ label_len, seed1, seed1_len, seed2, seed2_len)) {
+ return 0;
+ }
+
+ // Note that, if |secret_len| is odd, the two halves share a byte.
+ secret += secret_len - secret_half;
+ secret_len = secret_half;
+ digest = EVP_sha1();
+ }
+
+ return tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,
+ seed1, seed1_len, seed2, seed2_len);
+}
diff --git a/fipstools/CMakeLists.txt b/fipstools/CMakeLists.txt
index 3d32538e2e..4831575b16 100644
--- a/fipstools/CMakeLists.txt
+++ b/fipstools/CMakeLists.txt
@@ -22,6 +22,7 @@ if (FIPS)
 cavp_sha_monte_test.cc
 cavp_sha_test.cc
 cavp_tdes_test.cc
+ cavp_tlskdf_test.cc
 cavp_test_util.cc
diff --git a/fipstools/cavp_main.cc b/fipstools/cavp_main.cc
index 9ed7591429..64dbd69d4a 100644
--- a/fipstools/cavp_main.cc
+++ b/fipstools/cavp_main.cc
@@ -48,6 +48,7 @@ static TestSuite all_test_suites[] = {
 {"rsa2_keygen", &cavp_rsa2_keygen_test_main},
 {"rsa2_siggen", &cavp_rsa2_siggen_test_main},
 {"rsa2_sigver", &cavp_rsa2_sigver_test_main},
+ {"tlskdf", &cavp_tlskdf_test_main},
 {"sha", &cavp_sha_test_main},
 {"sha_monte", &cavp_sha_monte_test_main},
 {"tdes", &cavp_tdes_test_main}
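Review bot: The per-chunk `hmac` buffer declared inside the `for (;;)` loop of tls1_P_hash receives key-block material on every iteration but is never cleansed, whereas `A1` is wiped at `err:`; the last chunk therefore stays on the stack after the function returns. Hoist `uint8_t hmac[EVP_MAX_MD_SIZE];` above the loop and add `OPENSSL_cleanse(hmac, sizeof(hmac));` beside the existing cleanse of `A1` at `err:`. The removed C++ version in ssl/t1_enc.cc had the same gap, so this is a carry-over rather than a regression, but the port is the moment to close it. Separately, the tls1_P_hash header comment still reads "It returns true on success and false on failure" although the C port returns int; make it `// form the seed parameter. It returns one on success and zero on failure.`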
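Review bot: `{"tlskdf", &cavp_tlskdf_test_main},` is placed between the `rsa2_sigver` and `sha` entries, but the surrounding rows of `all_test_suites` are sorted by name; move it after `{"tdes", &cavp_tdes_test_main}` (which then needs a trailing comma) so the table stays ordered and matches where `cavp_tlskdf_test_main` was added in cavp_test_util.h. Whether anything depends on the order is not visible here, so this is purely a consistency point.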
diff --git a/fipstools/cavp_test_util.h b/fipstools/cavp_test_util.h
index 8c0624e4cf..ca9e790cb7 100644
--- a/fipstools/cavp_test_util.h
+++ b/fipstools/cavp_test_util.h
@@ -72,6 +72,7 @@ int cavp_rsa2_sigver_test_main(int argc, char **argv);
 int cavp_sha_monte_test_main(int argc, char **argv);
 int cavp_sha_test_main(int argc, char **argv);
 int cavp_tdes_test_main(int argc, char **argv);
+int cavp_tlskdf_test_main(int argc, char **argv);
 #endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_CAVP_TEST_UTIL_H
diff --git a/fipstools/cavp_tlskdf_test.cc b/fipstools/cavp_tlskdf_test.cc
new file mode 100644
index 0000000000..ac0f83f7fc
--- /dev/null
+++ b/fipstools/cavp_tlskdf_test.cc
@@ -0,0 +1,111 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// cavp_tlskdf_test processes NIST TLS KDF test vectors and emits the
+// corresponding response.
+// See https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf, section 6.4.
+
+#include
+
+#include
+
+#include "cavp_test_util.h"
+#include "../crypto/fipsmodule/tls/internal.h"
+#include "../crypto/test/file_test.h"
+
+
+static bool TestTLSKDF(FileTest *t, void *arg) {
+ const EVP_MD *md = nullptr;
+
+ if (t->HasInstruction("TLS 1.0/1.1")) {
+ md = EVP_md5_sha1();
+ } else if (t->HasInstruction("TLS 1.2")) {
+ if (t->HasInstruction("SHA-256")) {
+ md = EVP_sha256();
+ } else if (t->HasInstruction("SHA-384")) {
+ md = EVP_sha384();
+ } else if (t->HasInstruction("SHA-512")) {
+ md = EVP_sha512();
+ }
+ }
+
+ if (md == nullptr) {
+ return false;
+ }
+
+ std::string key_block_len_str;
+ std::vector premaster, server_random, client_random,
+ key_block_server_random, key_block_client_random;
+ if (!t->GetBytes(&premaster, "pre_master_secret") ||
+ !t->GetBytes(&server_random, "serverHello_random") ||
+ !t->GetBytes(&client_random, "clientHello_random") ||
+ // The NIST tests specify different client and server randoms for the
+ // expansion step from the master-secret step. This is impossible in TLS.
+ !t->GetBytes(&key_block_server_random, "server_random") ||
+ !t->GetBytes(&key_block_client_random, "client_random") ||
+ !t->GetInstruction(&key_block_len_str, "key block length") ||
+ // These are ignored.
+ !t->HasAttribute("COUNT") ||
+ !t->HasInstruction("pre-master secret length")) {
+ return false;
+ }
+
+ uint8_t master_secret[48];
+ static const char kMasterSecretLabel[] = "master secret";
+ if (!CRYPTO_tls1_prf(md, master_secret, sizeof(master_secret),
+ premaster.data(), premaster.size(), kMasterSecretLabel,
+ sizeof(kMasterSecretLabel) - 1, client_random.data(),
+ client_random.size(), server_random.data(),
+ server_random.size())) {
+ return false;
+ }
+
+ errno = 0;
+ const long int key_block_bits =
+ strtol(key_block_len_str.c_str(), nullptr, 10);
+ if (errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0) {
+ return false;
+ }
+ const size_t key_block_len = key_block_bits / 8;
+ std::vector key_block(key_block_len);
+ static const char kLabel[] = "key expansion";
+ if (!CRYPTO_tls1_prf(
+ md, key_block.data(), key_block.size(), master_secret,
+ sizeof(master_secret), kLabel, sizeof(kLabel) - 1,
+ key_block_server_random.data(), key_block_server_random.size(),
+ key_block_client_random.data(), key_block_client_random.size())) {
+ return false;
+ }
+
+ printf("%smaster_secret = %s\r\nkey_block = %s\r\n\r\n",
+ t->CurrentTestToString().c_str(),
+ EncodeHex(master_secret, sizeof(master_secret)).c_str(),
+ EncodeHex(key_block.data(), key_block.size()).c_str());
+
+ return true;
+}
+
+int cavp_tlskdf_test_main(int argc, char **argv) {
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s \n", argv[0]);
+ return 1;
+ }
+
+ FileTest::Options opts;
+ opts.path = argv[1];
+ opts.callback = TestTLSKDF;
+ opts.silent = true;
+ opts.comment_callback = EchoComment;
+ return FileTestMain(opts);
+}
diff --git a/fipstools/run_cavp.go b/fipstools/run_cavp.go
index 11a01a1877..2b1bf6d424 100644
--- a/fipstools/run_cavp.go
+++ b/fipstools/run_cavp.go
@@ -316,6 +316,15 @@ var kasTests = testSuite{
 },
 }
+var tlsKDFTests = testSuite{
+ "KDF135",
+ "tlskdf",
+ nil,
+ []test{
+ {"tls", nil, false},
+ },
+}
+
+var fipsTestSuites = []*testSuite{
+ &aesGCMTests,
+ &aesTests,
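Review bot: `strtol(key_block_len_str.c_str(), nullptr, 10)` in TestTLSKDF discards the end pointer, so a "key block length" instruction such as `1024x` or one with trailing junk is accepted as long as its numeric prefix is a positive multiple of 8, and an empty string is only rejected because 0 trips the `<= 0` test. Capture the end pointer and require the whole string to be consumed: `char *end = nullptr;` / `const long int key_block_bits = strtol(key_block_len_str.c_str(), &end, 10);` / `if (errno != 0 || end == key_block_len_str.c_str() || *end != '\0' || key_block_bits <= 0 || (key_block_bits & 7) != 0) {`. Relatedly, `key_block_bits` has no upper bound before the `key_block` vector is sized from it; the vectors come from NIST response files rather than untrusted input, but a sanity cap would make a corrupted file fail loudly instead of allocating gigabytes.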
@@ -336,6 +345,7 @@ var fipsTestSuites = []*testSuite{
 var niapTestSuites = []*testSuite{
 &kasTests,
+ &tlsKDFTests,
 }
 // testInstance represents a specific test in a testSuite.
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index 6b5447d936..7f4f10b744 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
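Review bot: `&tlsKDFTests` is wired into `niapTestSuites` only, while the code it exercises now lives inside the FIPS module (bcm.c includes tls/kdf.c in this same change), so the next reader will ask why it is not in `fipsTestSuites`. A one-line comment on the entry would answer that, e.g. `// KDF135 is an SP 800-135 component validation, run under NIAP rather than with the FIPS algorithm suites.`; I am inferring the reason from the askdfvs reference in cavp_tlskdf_test.cc, so adjust the wording to the actual one.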
@@ -148,102 +148,20 @@
 #include
 #include
+#include "../crypto/fipsmodule/tls/internal.h"
 #include "../crypto/internal.h"
 #include "internal.h"
 namespace bssl {
-// tls1_P_hash computes the TLS P_ function as described in RFC 5246,
-// section 5. It XORs |out.size()| bytes to |out|, using |md| as the hash and
-// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to
-// form the seed parameter. It returns true on success and false on failure.
-static bool tls1_P_hash(Span out, const EVP_MD *md,
- Span secret, Span label,
- Span seed1, Span seed2) {
- ScopedHMAC_CTX ctx, ctx_tmp, ctx_init;
- uint8_t A1[EVP_MAX_MD_SIZE];
- unsigned A1_len;
- bool ret = false;
-
- size_t chunk = EVP_MD_size(md);
-
- if (!HMAC_Init_ex(ctx_init.get(), secret.data(), secret.size(), md,
- nullptr) ||
- !HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
- !HMAC_Update(ctx.get(), reinterpret_cast(label.data()),
- label.size()) ||
- !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
- !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
- !HMAC_Final(ctx.get(), A1, &A1_len)) {
- goto err;
- }
-
- for (;;) {
- unsigned len;
- uint8_t hmac[EVP_MAX_MD_SIZE];
- if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
- !HMAC_Update(ctx.get(), A1, A1_len) ||
- // Save a copy of |ctx| to compute the next A1 value below.
- (out.size() > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
- !HMAC_Update(ctx.get(), reinterpret_cast(label.data()),
- label.size()) ||
- !HMAC_Update(ctx.get(), seed1.data(), seed1.size()) ||
- !HMAC_Update(ctx.get(), seed2.data(), seed2.size()) ||
- !HMAC_Final(ctx.get(), hmac, &len)) {
- goto err;
- }
- assert(len == chunk);
-
- // XOR the result into |out|.
- if (len > out.size()) {
- len = out.size();
- }
- for (unsigned i = 0; i < len; i++) {
- out[i] ^= hmac[i];
- }
- out = out.subspan(len);
-
- if (out.empty()) {
- break;
- }
-
- // Calculate the next A1 value.
- if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
- goto err;
- }
- }
-
- ret = true;
-
-err:
- OPENSSL_cleanse(A1, sizeof(A1));
- return ret;
-}
-
 bool tls1_prf(const EVP_MD *digest, Span out, Span secret, Span label, Span seed1, Span seed2) {
- if (out.empty()) {
- return true;
- }
-
- OPENSSL_memset(out.data(), 0, out.size());
-
- if (digest == EVP_md5_sha1()) {
- // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.
- size_t secret_half = secret.size() - (secret.size() / 2);
- if (!tls1_P_hash(out, EVP_md5(), secret.subspan(0, secret_half), label,
- seed1, seed2)) {
- return false;
- }
-
- // Note that, if |secret.size()| is odd, the two halves share a byte.
- secret = secret.subspan(secret.size() - secret_half);
- digest = EVP_sha1();
- }
-
- return tls1_P_hash(out, digest, secret, label, seed1, seed2);
+ return 1 == CRYPTO_tls1_prf(digest, out.data(), out.size(), secret.data(),
+ secret.size(), label.data(), label.size(),
+ seed1.data(), seed1.size(), seed2.data(),
+ seed2.size());
 }
 static bool ssl3_prf(Span out, Span secret,
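Review bot: The new body of tls1_prf tests the C result constant-first, `return 1 == CRYPTO_tls1_prf(...)`, which reads differently from how the rest of this file consumes one/zero C return values (the removed code wrote `if (!HMAC_Init_ex(...))`); `return CRYPTO_tls1_prf(digest, out.data(), out.size(), ...) == 1;` keeps the exact-one check without the Yoda form. With the P_hash comment block deleted, nothing in this file now says where the PRF went; unless the declaration in ssl/internal.h (not visible here) already says so, a one-liner such as `// The PRF itself lives in the FIPS module; see crypto/fipsmodule/tls/kdf.c.` above the function would help. The trailing context `static bool ssl3_prf(` starts a function that runs past this hunk.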