summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/freebl/tlsprfalg.c
blob: 1e5e67886c4be10562a14f53ee6822e607844ed4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
/* tlsprfalg.c - TLS Pseudo Random Function (PRF) implementation
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif

#include "blapi.h"
#include "hasht.h"
#include "alghmac.h"

#define PHASH_STATE_MAX_LEN HASH_LENGTH_MAX

/* TLS P_hash function */
SECStatus
TLS_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label,
           SECItem *seed, SECItem *result, PRBool isFIPS)
{
    unsigned char state[PHASH_STATE_MAX_LEN];
    unsigned char outbuf[PHASH_STATE_MAX_LEN];
    unsigned int state_len = 0, label_len = 0, outbuf_len = 0, chunk_size;
    unsigned int remaining;
    unsigned char *res;
    SECStatus status;
    HMACContext *cx;
    SECStatus rv = SECFailure;
    const SECHashObject *hashObj = HASH_GetRawHashObject(hashType);

    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
    PORT_Assert((seed != NULL) && (seed->data != NULL));
    PORT_Assert((result != NULL) && (result->data != NULL));

    remaining = result->len;
    res = result->data;

    if (label != NULL)
        label_len = PORT_Strlen(label);

    cx = HMAC_Create(hashObj, secret->data, secret->len, isFIPS);
    if (cx == NULL)
        goto loser;

    /* initialize the state = A(1) = HMAC_hash(secret, seed) */
    HMAC_Begin(cx);
    HMAC_Update(cx, (unsigned char *)label, label_len);
    HMAC_Update(cx, seed->data, seed->len);
    status = HMAC_Finish(cx, state, &state_len, sizeof(state));
    if (status != SECSuccess)
        goto loser;

    /* generate a block at a time until we're done */
    while (remaining > 0) {

        HMAC_Begin(cx);
        HMAC_Update(cx, state, state_len);
        if (label_len)
            HMAC_Update(cx, (unsigned char *)label, label_len);
        HMAC_Update(cx, seed->data, seed->len);
        status = HMAC_Finish(cx, outbuf, &outbuf_len, sizeof(outbuf));
        if (status != SECSuccess)
            goto loser;

        /* Update the state = A(i) = HMAC_hash(secret, A(i-1)) */
        HMAC_Begin(cx);
        HMAC_Update(cx, state, state_len);
        status = HMAC_Finish(cx, state, &state_len, sizeof(state));
        if (status != SECSuccess)
            goto loser;

        chunk_size = PR_MIN(outbuf_len, remaining);
        PORT_Memcpy(res, &outbuf, chunk_size);
        res += chunk_size;
        remaining -= chunk_size;
    }

    rv = SECSuccess;

loser:
    /* clear out state so it's not left on the stack */
    if (cx)
        HMAC_Destroy(cx, PR_TRUE);
    PORT_Memset(state, 0, sizeof(state));
    PORT_Memset(outbuf, 0, sizeof(outbuf));
    return rv;
}

SECStatus
TLS_PRF(const SECItem *secret, const char *label, SECItem *seed,
        SECItem *result, PRBool isFIPS)
{
    SECStatus rv = SECFailure, status;
    unsigned int i;
    SECItem tmp = { siBuffer, NULL, 0 };
    SECItem S1;
    SECItem S2;

    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
    PORT_Assert((seed != NULL) && (seed->data != NULL));
    PORT_Assert((result != NULL) && (result->data != NULL));

    S1.type = siBuffer;
    S1.len = (secret->len / 2) + (secret->len & 1);
    S1.data = secret->data;

    S2.type = siBuffer;
    S2.len = S1.len;
    S2.data = secret->data + (secret->len - S2.len);

    tmp.data = (unsigned char *)PORT_Alloc(result->len);
    if (tmp.data == NULL)
        goto loser;
    tmp.len = result->len;

    status = TLS_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS);
    if (status != SECSuccess)
        goto loser;

    status = TLS_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS);
    if (status != SECSuccess)
        goto loser;

    for (i = 0; i < result->len; i++)
        result->data[i] ^= tmp.data[i];

    rv = SECSuccess;

loser:
    if (tmp.data != NULL)
        PORT_ZFree(tmp.data, tmp.len);
    return rv;
}