yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add implementation of TLS-1.2 PRF

Browse source
This commit is contained in:
Hanno Becker 2018-10-09 17:33:01 +01:00
parent 79250c255f
commit c8a41d71cb
2 changed files with 270 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
include/psa/crypto_struct.h
View file

@ -144,6 +144,35 @@ typedef struct
uint8_t block_number;
} psa_hkdf_generator_t;
typedef struct psa_tls12_prf_generator_s
{
/* The TLS 1.2 PRF uses the key for each HMAC iteration,
* hence we must store it for the lifetime of the generator.
* This is different from HKDF, where the key is only used
* in the extraction phase, but not during expansion. */
unsigned char *key;
size_t key_len;
/* `A(i) + seed` in the notation of RFC 5246, Sect. 5 */
uint8_t Ai_with_seed[PSA_HASH_MAX_SIZE + 64];
size_t seed_length;
/* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
uint8_t output_block[PSA_HASH_MAX_SIZE];
#if PSA_HASH_MAX_SIZE > 0xff
#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
#endif
/* Indicates how many bytes in the current HMAC block have
* already been read by the user. */
uint8_t offset_in_block;
/* The 1-based number of the block. */
uint8_t block_number;
} psa_tls12_prf_generator_t;
struct psa_crypto_generator_s
{
psa_algorithm_t alg;
@ -157,6 +186,7 @@ struct psa_crypto_generator_s
} buffer;
#if defined(MBEDTLS_MD_C)
psa_hkdf_generator_t hkdf;
psa_tls12_prf_generator_t tls12_prf;
#endif
} ctx;
};

240
library/psa_crypto.c
View file

@ -1506,6 +1506,12 @@ static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
mbedtls_zeroize( hmac->opad, sizeof( hmac->opad ) );
return( psa_hash_abort( &hmac->hash_ctx ) );
}
static void psa_hmac_init_internal( psa_hmac_internal_data *hmac )
{
/* Instances of psa_hash_operation_s can be initialized by zeroization. */
memset( hmac, 0, sizeof( *hmac ) );
}
#endif /* MBEDTLS_MD_C */
psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
@ -3258,6 +3264,15 @@ psa_status_t psa_generator_abort( psa_crypto_generator_t *generator )
mbedtls_free( generator->ctx.hkdf.info );
status = psa_hmac_abort_internal( &generator->ctx.hkdf.hmac );
}
else if( PSA_ALG_IS_TLS12_PRF( generator->alg ) )
{
if( generator->ctx.tls12_prf.key != NULL )
{
mbedtls_zeroize( generator->ctx.tls12_prf.key,
generator->ctx.tls12_prf.key_len );
mbedtls_free( generator->ctx.tls12_prf.key );
}
}
else
#endif /* MBEDTLS_MD_C */
{
@ -3340,6 +3355,172 @@ static psa_status_t psa_generator_hkdf_read( psa_hkdf_generator_t *hkdf,
return( PSA_SUCCESS );
}
static psa_status_t psa_generator_tls12_prf_generate_next_block(
psa_tls12_prf_generator_t *tls12_prf,
psa_algorithm_t alg )
{
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
psa_hmac_internal_data hmac;
psa_status_t status, cleanup_status;
/* We can't be wanting more output after block 0xff, otherwise
* the capacity check in psa_generator_read() would have
* prevented this call. It could happen only if the generator
* object was corrupted or if this function is called directly
* inside the library. */
if( tls12_prf->block_number == 0xff )
return( PSA_ERROR_BAD_STATE );
/* We need a new block */
++tls12_prf->block_number;
tls12_prf->offset_in_block = 0;
/* Recall the definition of the TLS-1.2-PRF from RFC 5246:
*
* PRF(secret, label, seed) = P_<hash>(secret, label + seed)
*
* P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
* HMAC_hash(secret, A(2) + seed) +
* HMAC_hash(secret, A(3) + seed) + ...
*
* A(0) = seed
* A(i) = HMAC_hash( secret, A(i-1) )
*
* The `psa_tls12_prf_generator` structures saves the block
* `HMAC_hash(secret, A(i) + seed)` from which the output
* is currently extracted as `output_block`, while
* `A(i) + seed` is stored in `Ai_with_seed`.
*
* Generating a new block means recalculating `Ai_with_seed`
* from the A(i)-part of it, and afterwards recalculating
* `output_block`.
*
* A(0) is computed at setup time.
*
*/
psa_hmac_init_internal( &hmac );
/* We must distinguish the calculation of A(1) from those
* of A(2) and higher, because A(0)=seed has a different
* length than the other A(i). */
if( tls12_prf->block_number == 1 )
{
/* Compute A(1) = HMAC_hash(secret, label + seed) */
status = psa_hmac_setup_internal( &hmac,
tls12_prf->key,
tls12_prf->key_len,
hash_alg );
if( status != PSA_SUCCESS )
goto cleanup;
status = psa_hash_update( &hmac.hash_ctx,
/* This omits the (so far undefined)
* first hash_length bytes. */
tls12_prf->Ai_with_seed + hash_length,
tls12_prf->seed_length );
if( status != PSA_SUCCESS )
goto cleanup;
status = psa_hmac_finish_internal( &hmac,
tls12_prf->Ai_with_seed,
hash_length );
if( status != PSA_SUCCESS )
goto cleanup;
}
else
{
/* Compute A(i+1) = HMAC_hash(secret, A(i)) */
status = psa_hmac_setup_internal( &hmac,
tls12_prf->key,
tls12_prf->key_len,
hash_alg );
if( status != PSA_SUCCESS )
goto cleanup;
status = psa_hash_update( &hmac.hash_ctx,
tls12_prf->Ai_with_seed,
/* This omits the seed part of A(i) */
hash_length );
if( status != PSA_SUCCESS )
goto cleanup;
status = psa_hmac_finish_internal( &hmac,
tls12_prf->Ai_with_seed,
hash_length );
if( status != PSA_SUCCESS )
goto cleanup;
}
/* Compute the next block `HMAC_hash(secret, A(i+1) + seed)`. */
status = psa_hmac_setup_internal( &hmac,
tls12_prf->key,
tls12_prf->key_len,
hash_alg );
if( status != PSA_SUCCESS )
goto cleanup;
status = psa_hash_update( &hmac.hash_ctx,
tls12_prf->Ai_with_seed,
hash_length + tls12_prf->seed_length );
if( status != PSA_SUCCESS )
goto cleanup;
status = psa_hmac_finish_internal( &hmac,
tls12_prf->output_block,
hash_length );
if( status != PSA_SUCCESS )
goto cleanup;
cleanup:
cleanup_status = psa_hmac_abort_internal( &hmac );
if( status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS )
status = cleanup_status;
return( status );
}
/* Read some bytes from an TLS-1.2-PRF-based generator.
* See Section 5 of RFC 5246. */
static psa_status_t psa_generator_tls12_prf_read(
psa_tls12_prf_generator_t *tls12_prf,
psa_algorithm_t alg,
uint8_t *output,
size_t output_length )
{
psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
psa_status_t status;
while( output_length != 0 )
{
/* Copy what remains of the current block */
uint8_t n = hash_length - tls12_prf->offset_in_block;
/* Check if we have fully processed the current block. */
if( n == 0 )
{
status = psa_generator_tls12_prf_generate_next_block( tls12_prf,
alg );
if( status != PSA_SUCCESS )
return( status );
continue;
}
if( n > output_length )
n = (uint8_t) output_length;
memcpy( output, tls12_prf->output_block + tls12_prf->offset_in_block,
n );
output += n;
output_length -= n;
tls12_prf->offset_in_block += n;
}
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_MD_C */
psa_status_t psa_generator_read( psa_crypto_generator_t *generator,
@ -3393,6 +3574,12 @@ psa_status_t psa_generator_read( psa_crypto_generator_t *generator,
status = psa_generator_hkdf_read( &generator->ctx.hkdf, hash_alg,
output, output_length );
}
else if( PSA_ALG_IS_TLS12_PRF( generator->alg ) )
{
status = psa_generator_tls12_prf_read( &generator->ctx.tls12_prf,
generator->alg, output,
output_length );
}
else
#endif /* MBEDTLS_MD_C */
{
@ -3495,6 +3682,41 @@ static psa_status_t psa_generator_hkdf_setup( psa_hkdf_generator_t *hkdf,
return( PSA_SUCCESS );
}
/* Set up a TLS-1.2-prf-based generator (see RFC 5246, Section 5). */
static psa_status_t psa_generator_tls12_prf_setup(
psa_tls12_prf_generator_t *tls12_prf,
const unsigned char *key,
size_t key_len,
psa_algorithm_t hash_alg,
const uint8_t *salt,
size_t salt_length,
const uint8_t *label,
size_t label_length )
{
uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
tls12_prf->key = mbedtls_calloc( 1, key_len );
if( tls12_prf->key == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY );
tls12_prf->key_len = key_len;
memcpy( tls12_prf->key, key, key_len );
/* Write `label + seed' at the end of the `A(i) + seed` buffer,
* leaving the initial `hash_length` bytes unspecified for now. */
memcpy( tls12_prf->Ai_with_seed + hash_length, label, label_length );
memcpy( tls12_prf->Ai_with_seed + hash_length + label_length,
salt, salt_length );
tls12_prf->seed_length = label_length + salt_length;
/* The first block gets generated when
* psa_generator_read() is called. */
tls12_prf->block_number = 0;
tls12_prf->offset_in_block = hash_length;
return( PSA_SUCCESS );
}
static psa_status_t psa_key_derivation_internal(
psa_crypto_generator_t *generator,
const uint8_t *secret, size_t secret_length,
@ -3538,6 +3760,24 @@ static psa_status_t psa_key_derivation_internal(
salt, salt_length,
label, label_length );
}
else if( PSA_ALG_IS_TLS12_PRF( alg ) )
{
psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
size_t hash_size = PSA_HASH_SIZE( hash_alg );
/* TLS-1.2 PRF supports only SHA-256 and SHA-384. */
if( hash_alg != PSA_ALG_SHA_256 &&
hash_alg != PSA_ALG_SHA_384 )
{
return( PSA_ERROR_NOT_SUPPORTED );
}
max_capacity = 255 * hash_size;
status = psa_generator_tls12_prf_setup( &generator->ctx.tls12_prf,
secret, secret_length,
hash_alg, salt, salt_length,
label, label_length );
}
else
#endif
{