/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* * TLS 1.3 Protocol * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "keyhi.h" #include "pk11func.h" #include "secitem.h" #include "ssl.h" #include "sslt.h" #include "sslerr.h" #include "sslimpl.h" /* This table contains the mapping between TLS hash identifiers and the * PKCS#11 identifiers */ static const struct { SSLHashType hash; CK_MECHANISM_TYPE pkcs11Mech; unsigned int hashSize; } kTlsHkdfInfo[] = { { ssl_hash_none, 0, 0 }, { ssl_hash_md5, 0, 0 }, { ssl_hash_sha1, 0, 0 }, { ssl_hash_sha224, 0 }, { ssl_hash_sha256, CKM_SHA256, 32 }, { ssl_hash_sha384, CKM_SHA384, 48 }, { ssl_hash_sha512, CKM_SHA512, 64 } }; SECStatus tls13_HkdfExtract(PK11SymKey *ikm1, PK11SymKey *ikm2, SSLHashType baseHash, PK11SymKey **prkp) { CK_HKDF_PARAMS params; SECItem paramsi; PK11SymKey *prk; static const PRUint8 zeroKeyBuf[HASH_LENGTH_MAX]; SECItem zeroKeyItem = { siBuffer, CONST_CAST(PRUint8, zeroKeyBuf), kTlsHkdfInfo[baseHash].hashSize }; PK11SlotInfo *slot = NULL; PK11SymKey *newIkm2 = NULL; PK11SymKey *newIkm1 = NULL; SECStatus rv; params.bExtract = CK_TRUE; params.bExpand = CK_FALSE; params.prfHashMechanism = kTlsHkdfInfo[baseHash].pkcs11Mech; params.pInfo = NULL; params.ulInfoLen = 0UL; params.pSalt = NULL; params.ulSaltLen = 0UL; params.hSaltKey = CK_INVALID_HANDLE; if (!ikm1) { /* PKCS #11 v3.0 has and explict NULL value, which equates to * a sequence of zeros equal in length to the HMAC. */ params.ulSaltType = CKF_HKDF_SALT_NULL; } else { /* PKCS #11 v3.0 can take the salt as a key handle */ params.hSaltKey = PK11_GetSymKeyHandle(ikm1); params.ulSaltType = CKF_HKDF_SALT_KEY; /* if we have both keys, make sure they are in the same slot */ if (ikm2) { rv = PK11_SymKeysToSameSlot(CKM_HKDF_DERIVE, CKA_DERIVE, CKA_DERIVE, ikm2, ikm1, &newIkm2, &newIkm1); if (rv != SECSuccess) { SECItem *salt; /* couldn't move the keys, try extracting the salt */ rv = PK11_ExtractKeyValue(ikm1); if (rv != SECSuccess) return rv; salt = PK11_GetKeyData(ikm1); if (!salt) return SECFailure; PORT_Assert(salt->len > 0); /* Set up for Salt as Data instead of Salt as key */ params.pSalt = salt->data; params.ulSaltLen = salt->len; params.ulSaltType = CKF_HKDF_SALT_DATA; } /* use the new keys */ if (newIkm1) { /* we've moved the key, get the handle for the new key */ params.hSaltKey = PK11_GetSymKeyHandle(newIkm1); /* we don't use ikm1 after this, so don't bother setting it */ } if (newIkm2) { /* new ikm2 key, use the new key */ ikm2 = newIkm2; } } } paramsi.data = (unsigned char *)¶ms; paramsi.len = sizeof(params); PORT_Assert(kTlsHkdfInfo[baseHash].pkcs11Mech); PORT_Assert(kTlsHkdfInfo[baseHash].hashSize); PORT_Assert(kTlsHkdfInfo[baseHash].hash == baseHash); /* A zero ikm2 is a key of hash-length 0s. */ if (!ikm2) { /* if we have ikm1, put the zero key in the same slot */ slot = ikm1 ? PK11_GetSlotFromKey(ikm1) : PK11_GetBestSlot(CKM_HKDF_DERIVE, NULL); if (!slot) { return SECFailure; } newIkm2 = PK11_ImportDataKey(slot, CKM_HKDF_DERIVE, PK11_OriginUnwrap, CKA_DERIVE, &zeroKeyItem, NULL); if (!newIkm2) { return SECFailure; } ikm2 = newIkm2; } PORT_Assert(ikm2); PRINT_BUF(50, (NULL, "HKDF Extract: IKM1/Salt", params.pSalt, params.ulSaltLen)); PRINT_KEY(50, (NULL, "HKDF Extract: IKM2", ikm2)); prk = PK11_Derive(ikm2, CKM_HKDF_DERIVE, ¶msi, CKM_HKDF_DERIVE, CKA_DERIVE, 0); PK11_FreeSymKey(newIkm2); PK11_FreeSymKey(newIkm1); if (slot) PK11_FreeSlot(slot); if (!prk) { return SECFailure; } PRINT_KEY(50, (NULL, "HKDF Extract", prk)); *prkp = prk; return SECSuccess; } SECStatus tls13_HkdfExpandLabelGeneral(CK_MECHANISM_TYPE deriveMech, PK11SymKey *prk, SSLHashType baseHash, const PRUint8 *handshakeHash, unsigned int handshakeHashLen, const char *label, unsigned int labelLen, CK_MECHANISM_TYPE algorithm, unsigned int keySize, SSLProtocolVariant variant, PK11SymKey **keyp) { CK_HKDF_PARAMS params; SECItem paramsi = { siBuffer, NULL, 0 }; /* Size of info array needs to be big enough to hold the maximum Prefix, * Label, plus HandshakeHash. If it's ever to small, the code will abort. */ PRUint8 info[256]; sslBuffer infoBuf = SSL_BUFFER(info); PK11SymKey *derived; SECStatus rv; const char *kLabelPrefixTls = "tls13 "; const char *kLabelPrefixDtls = "dtls13"; const unsigned int kLabelPrefixLen = (variant == ssl_variant_stream) ? strlen(kLabelPrefixTls) : strlen(kLabelPrefixDtls); const char *kLabelPrefix = (variant == ssl_variant_stream) ? kLabelPrefixTls : kLabelPrefixDtls; PORT_Assert(prk); PORT_Assert(keyp); if ((handshakeHashLen > 255) || (handshakeHash == NULL && handshakeHashLen > 0) || (labelLen + kLabelPrefixLen > 255)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* * [draft-ietf-tls-tls13-11] Section 7.1: * * HKDF-Expand-Label(Secret, Label, HashValue, Length) = * HKDF-Expand(Secret, HkdfLabel, Length) * * Where HkdfLabel is specified as: * * struct HkdfLabel { * uint16 length; * opaque label<9..255>; * opaque hash_value<0..255>; * }; * * Where: * - HkdfLabel.length is Length * - HkdfLabel.hash_value is HashValue. * - HkdfLabel.label is "TLS 1.3, " + Label * */ rv = sslBuffer_AppendNumber(&infoBuf, keySize, 2); if (rv != SECSuccess) { return SECFailure; } rv = sslBuffer_AppendNumber(&infoBuf, labelLen + kLabelPrefixLen, 1); if (rv != SECSuccess) { return SECFailure; } rv = sslBuffer_Append(&infoBuf, kLabelPrefix, kLabelPrefixLen); if (rv != SECSuccess) { return SECFailure; } rv = sslBuffer_Append(&infoBuf, label, labelLen); if (rv != SECSuccess) { return SECFailure; } rv = sslBuffer_AppendVariable(&infoBuf, handshakeHash, handshakeHashLen, 1); if (rv != SECSuccess) { return SECFailure; } params.bExtract = CK_FALSE; params.bExpand = CK_TRUE; params.prfHashMechanism = kTlsHkdfInfo[baseHash].pkcs11Mech; params.pInfo = SSL_BUFFER_BASE(&infoBuf); params.ulInfoLen = SSL_BUFFER_LEN(&infoBuf); paramsi.data = (unsigned char *)¶ms; paramsi.len = sizeof(params); derived = PK11_DeriveWithFlags(prk, deriveMech, ¶msi, algorithm, CKA_DERIVE, keySize, CKF_SIGN | CKF_VERIFY); if (!derived) { return SECFailure; } *keyp = derived; #ifdef TRACE if (ssl_trace >= 50) { /* Make sure the label is null terminated. */ char labelStr[100]; PORT_Memcpy(labelStr, label, labelLen); labelStr[labelLen] = 0; SSL_TRC(50, ("HKDF Expand: label='tls13 %s',requested length=%d", labelStr, keySize)); } PRINT_KEY(50, (NULL, "PRK", prk)); PRINT_BUF(50, (NULL, "Hash", handshakeHash, handshakeHashLen)); PRINT_BUF(50, (NULL, "Info", SSL_BUFFER_BASE(&infoBuf), SSL_BUFFER_LEN(&infoBuf))); PRINT_KEY(50, (NULL, "Derived key", derived)); #endif return SECSuccess; } SECStatus tls13_HkdfExpandLabel(PK11SymKey *prk, SSLHashType baseHash, const PRUint8 *handshakeHash, unsigned int handshakeHashLen, const char *label, unsigned int labelLen, CK_MECHANISM_TYPE algorithm, unsigned int keySize, SSLProtocolVariant variant, PK11SymKey **keyp) { return tls13_HkdfExpandLabelGeneral(CKM_HKDF_DERIVE, prk, baseHash, handshakeHash, handshakeHashLen, label, labelLen, algorithm, keySize, variant, keyp); } SECStatus tls13_HkdfExpandLabelRaw(PK11SymKey *prk, SSLHashType baseHash, const PRUint8 *handshakeHash, unsigned int handshakeHashLen, const char *label, unsigned int labelLen, SSLProtocolVariant variant, unsigned char *output, unsigned int outputLen) { PK11SymKey *derived = NULL; SECItem *rawkey; SECStatus rv; /* the result is not really a key, it's a data object */ rv = tls13_HkdfExpandLabelGeneral(CKM_HKDF_DATA, prk, baseHash, handshakeHash, handshakeHashLen, label, labelLen, CKM_HKDF_DERIVE, outputLen, variant, &derived); if (rv != SECSuccess || !derived) { goto abort; } rv = PK11_ExtractKeyValue(derived); if (rv != SECSuccess) { goto abort; } rawkey = PK11_GetKeyData(derived); if (!rawkey) { goto abort; } PORT_Assert(rawkey->len == outputLen); memcpy(output, rawkey->data, outputLen); PK11_FreeSymKey(derived); return SECSuccess; abort: if (derived) { PK11_FreeSymKey(derived); } PORT_SetError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); return SECFailure; }