michael@0: /* tlsprf.c - TLS Pseudo Random Function (PRF) implementation
michael@0:  *
michael@0:  * This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: #include "pkcs11i.h"
michael@0: #include "blapi.h"
michael@0: 
michael@0: #define SFTK_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
michael@0: 
michael@0: static void sftk_TLSPRFNull(void *data, PRBool freeit)
michael@0: {
michael@0:     return;
michael@0: } 
michael@0: 
michael@0: typedef struct {
michael@0:     PRUint32	   cxSize;	/* size of allocated block, in bytes.        */
michael@0:     PRUint32       cxBufSize;   /* sizeof buffer at cxBufPtr.                */
michael@0:     unsigned char *cxBufPtr;	/* points to real buffer, may be cxBuf.      */
michael@0:     PRUint32	   cxKeyLen;	/* bytes of cxBufPtr containing key.         */
michael@0:     PRUint32	   cxDataLen;	/* bytes of cxBufPtr containing data.        */
michael@0:     SECStatus	   cxRv;	/* records failure of void functions.        */
michael@0:     PRBool	   cxIsFIPS;	/* true if conforming to FIPS 198.           */
michael@0:     HASH_HashType  cxHashAlg;	/* hash algorithm to use for TLS 1.2+        */
michael@0:     unsigned char  cxBuf[512];	/* actual size may be larger than 512.       */
michael@0: } TLSPRFContext;
michael@0: 
michael@0: static void
michael@0: sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data, 
michael@0:                         unsigned int data_len)
michael@0: {
michael@0:     PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen;
michael@0: 
michael@0:     if (cx->cxRv != SECSuccess)	/* function has previously failed. */
michael@0:     	return;
michael@0:     if (bytesUsed + data_len > cx->cxBufSize) {
michael@0: 	/* We don't use realloc here because 
michael@0: 	** (a) realloc doesn't zero out the old block, and 
michael@0: 	** (b) if realloc fails, we lose the old block.
michael@0: 	*/
michael@0: 	PRUint32 newBufSize = bytesUsed + data_len + 512;
michael@0:     	unsigned char * newBuf = (unsigned char *)PORT_Alloc(newBufSize);
michael@0: 	if (!newBuf) {
michael@0: 	   cx->cxRv = SECFailure;
michael@0: 	   return;
michael@0: 	}
michael@0: 	PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed);
michael@0: 	if (cx->cxBufPtr != cx->cxBuf) {
michael@0: 	    PORT_ZFree(cx->cxBufPtr, bytesUsed);
michael@0: 	}
michael@0: 	cx->cxBufPtr  = newBuf;
michael@0: 	cx->cxBufSize = newBufSize;
michael@0:     }
michael@0:     PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len);
michael@0:     cx->cxDataLen += data_len;
michael@0: }
michael@0: 
michael@0: static void 
michael@0: sftk_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
michael@0: 	 unsigned int *pDigestLen, unsigned int maxDigestLen)
michael@0: {
michael@0:     *pDigestLen = 0; /* tells Verify that no data has been input yet. */
michael@0: }
michael@0: 
michael@0: /* Compute the PRF values from the data previously input. */
michael@0: static SECStatus
michael@0: sftk_TLSPRFUpdate(TLSPRFContext *cx, 
michael@0:                   unsigned char *sig,		/* output goes here. */
michael@0: 		  unsigned int * sigLen, 	/* how much output.  */
michael@0: 		  unsigned int   maxLen, 	/* output buffer size */
michael@0: 		  unsigned char *hash, 		/* unused. */
michael@0: 		  unsigned int   hashLen)	/* unused. */
michael@0: {
michael@0:     SECStatus rv;
michael@0:     SECItem sigItem;
michael@0:     SECItem seedItem;
michael@0:     SECItem secretItem;
michael@0: 
michael@0:     if (cx->cxRv != SECSuccess)
michael@0:     	return cx->cxRv;
michael@0: 
michael@0:     secretItem.data = cx->cxBufPtr;
michael@0:     secretItem.len  = cx->cxKeyLen;
michael@0: 
michael@0:     seedItem.data = cx->cxBufPtr + cx->cxKeyLen;
michael@0:     seedItem.len  = cx->cxDataLen;
michael@0: 
michael@0:     sigItem.data = sig;
michael@0:     sigItem.len  = maxLen;
michael@0: 
michael@0:     if (cx->cxHashAlg != HASH_AlgNULL) {
michael@0: 	rv = TLS_P_hash(cx->cxHashAlg, &secretItem, NULL, &seedItem, &sigItem,
michael@0: 			cx->cxIsFIPS);
michael@0:     } else {
michael@0: 	rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS);
michael@0:     }
michael@0:     if (rv == SECSuccess && sigLen != NULL)
michael@0:     	*sigLen = sigItem.len;
michael@0:     return rv;
michael@0: 
michael@0: }
michael@0: 
michael@0: static SECStatus
michael@0: sftk_TLSPRFVerify(TLSPRFContext *cx, 
michael@0:                   unsigned char *sig, 		/* input, for comparison. */
michael@0: 		  unsigned int   sigLen,	/* length of sig.         */
michael@0: 		  unsigned char *hash, 		/* data to be verified.   */
michael@0: 		  unsigned int   hashLen)	/* size of hash data.     */
michael@0: {
michael@0:     unsigned char * tmp    = (unsigned char *)PORT_Alloc(sigLen);
michael@0:     unsigned int    tmpLen = sigLen;
michael@0:     SECStatus       rv;
michael@0: 
michael@0:     if (!tmp)
michael@0:     	return SECFailure;
michael@0:     if (hashLen) {
michael@0:     	/* hashLen is non-zero when the user does a one-step verify.
michael@0: 	** In this case, none of the data has been input yet.
michael@0: 	*/
michael@0:     	sftk_TLSPRFHashUpdate(cx, hash, hashLen);
michael@0:     }
michael@0:     rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
michael@0:     if (rv == SECSuccess) {
michael@0:     	rv = (SECStatus)(1 - !PORT_Memcmp(tmp, sig, sigLen));
michael@0:     }
michael@0:     PORT_ZFree(tmp, sigLen);
michael@0:     return rv;
michael@0: }
michael@0: 
michael@0: static void
michael@0: sftk_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
michael@0: {
michael@0:     if (freeit) {
michael@0: 	if (cx->cxBufPtr != cx->cxBuf) 
michael@0: 	    PORT_ZFree(cx->cxBufPtr, cx->cxBufSize);
michael@0: 	PORT_ZFree(cx, cx->cxSize);
michael@0:     }
michael@0: }
michael@0: 
michael@0: CK_RV
michael@0: sftk_TLSPRFInit(SFTKSessionContext *context, 
michael@0: 		  SFTKObject *        key, 
michael@0: 		  CK_KEY_TYPE         key_type,
michael@0: 		  HASH_HashType       hash_alg)
michael@0: {
michael@0:     SFTKAttribute * keyVal;
michael@0:     TLSPRFContext * prf_cx;
michael@0:     CK_RV           crv = CKR_HOST_MEMORY;
michael@0:     PRUint32        keySize;
michael@0:     PRUint32        blockSize;
michael@0: 
michael@0:     if (key_type != CKK_GENERIC_SECRET)
michael@0:     	return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
michael@0: 
michael@0:     context->multi = PR_TRUE;
michael@0: 
michael@0:     keyVal = sftk_FindAttribute(key, CKA_VALUE);
michael@0:     keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
michael@0:     blockSize = keySize + sizeof(TLSPRFContext);
michael@0:     prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
michael@0:     if (!prf_cx) 
michael@0:     	goto done;
michael@0:     prf_cx->cxSize    = blockSize;
michael@0:     prf_cx->cxKeyLen  = keySize;
michael@0:     prf_cx->cxDataLen = 0;
michael@0:     prf_cx->cxBufSize = blockSize - SFTK_OFFSETOF(TLSPRFContext, cxBuf);
michael@0:     prf_cx->cxRv      = SECSuccess;
michael@0:     prf_cx->cxIsFIPS  = (key->slot->slotID == FIPS_SLOT_ID);
michael@0:     prf_cx->cxBufPtr  = prf_cx->cxBuf;
michael@0:     prf_cx->cxHashAlg = hash_alg;
michael@0:     if (keySize)
michael@0: 	PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize);
michael@0: 
michael@0:     context->hashInfo    = (void *) prf_cx;
michael@0:     context->cipherInfo  = (void *) prf_cx;
michael@0:     context->hashUpdate  = (SFTKHash)    sftk_TLSPRFHashUpdate;
michael@0:     context->end         = (SFTKEnd)     sftk_TLSPRFEnd;
michael@0:     context->update      = (SFTKCipher)  sftk_TLSPRFUpdate;
michael@0:     context->verify      = (SFTKVerify)  sftk_TLSPRFVerify;
michael@0:     context->destroy     = (SFTKDestroy) sftk_TLSPRFNull;
michael@0:     context->hashdestroy = (SFTKDestroy) sftk_TLSPRFHashDestroy;
michael@0:     crv = CKR_OK;
michael@0: 
michael@0: done:
michael@0:     if (keyVal) 
michael@0: 	sftk_FreeAttribute(keyVal);
michael@0:     return crv;
michael@0: }
michael@0: