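/*
 * TLS PRF (SHA1 + MD5)
 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "sha1.h"
#include "md5.h"


/**
 * tls_prf_sha1_md5 - Pseudo-Random Function for TLS (TLS-PRF, RFC 2246)
 * @secret: Key for PRF
 * @secret_len: Length of the key in bytes; must be even (see below)
 * @label: A unique label for each purpose of the PRF; must be a non-NULL,
 *	NUL-terminated string because its length is taken with os_strlen()
 * @seed: Seed value to bind into the key
 * @seed_len: Length of the seed
 * @out: Buffer for the generated pseudo-random key; must have room for
 *	@outlen bytes
 * @outlen: Number of bytes of key to generate
 * Returns: 0 on success, -1 on failure.
 *
 * This function is used to derive new, cryptographically separate keys from a
 * given key in TLS. This PRF is defined in RFC 2246, Chapter 5. It is the
 * MD5/SHA-1 construction of TLS 1.0; TLS 1.2 (RFC 5246) defines a different,
 * single-hash PRF, so this function must not be used for TLS 1.2 key
 * derivation.
 *
 * RFC 2246 allows an odd-length secret (S1 and S2 then share the middle
 * byte). This implementation rejects odd lengths instead: -1 is returned and
 * @out is left untouched. That is the only failure this function reports.
 */
int tls_prf_sha1_md5(const u8 *secret, size_t secret_len, const char *label,
		     const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
{
	size_t half_len, label_len, i;
	const u8 *S1, *S2;
	u8 A_MD5[MD5_MAC_LEN], A_SHA1[SHA1_MAC_LEN];
	u8 P_MD5[MD5_MAC_LEN], P_SHA1[SHA1_MAC_LEN];
	int MD5_pos, SHA1_pos;
	const u8 *MD5_addr[3];
	size_t MD5_len[3];
	const unsigned char *SHA1_addr[3];
	size_t SHA1_len[3];

	/* Odd-length secrets are refused, so both halves are exactly
	 * secret_len / 2 bytes and never overlap. */
	if (secret_len & 1)
		return -1;

	label_len = os_strlen(label);

	/* Element 0 is the running A(i) value; elements 1..2 are
	 * label + seed, which together form the PRF seed. */
	MD5_addr[0] = A_MD5;
	MD5_len[0] = MD5_MAC_LEN;
	MD5_addr[1] = (const u8 *) label;
	MD5_len[1] = label_len;
	MD5_addr[2] = seed;
	MD5_len[2] = seed_len;

	SHA1_addr[0] = A_SHA1;
	SHA1_len[0] = SHA1_MAC_LEN;
	SHA1_addr[1] = (const unsigned char *) label;
	SHA1_len[1] = label_len;
	SHA1_addr[2] = seed;
	SHA1_len[2] = seed_len;

	/* RFC 2246, Chapter 5
	 * A(0) = seed, A(i) = HMAC(secret, A(i-1))
	 * P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..
	 * PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
	 */

	half_len = secret_len / 2;
	S1 = secret;
	S2 = secret + half_len;

	/* NOTE(review): the results of the hmac_* helpers are not checked
	 * anywhere in this function. Their prototypes live in md5.h/sha1.h
	 * (not shown here); if they can report failure, a failed call would
	 * leave A_* / P_* uninitialized while this function still returns 0
	 * and fills @out from stack garbage. Confirm, and propagate the error
	 * if so. */

	/* A(1) for each hash: HMAC over label + seed only. */
	hmac_md5_vector(S1, half_len, 2, &MD5_addr[1], &MD5_len[1], A_MD5);
	hmac_sha1_vector(S2, half_len, 2, &SHA1_addr[1], &SHA1_len[1], A_SHA1);

	/* Start both cursors at "block exhausted" so the first loop iteration
	 * generates the first P_MD5 and P_SHA1 blocks. */
	MD5_pos = MD5_MAC_LEN;
	SHA1_pos = SHA1_MAC_LEN;
	for (i = 0; i < outlen; i++) {
		if (MD5_pos == MD5_MAC_LEN) {
			/* Next output block, then advance A(i) -> A(i+1). */
			hmac_md5_vector(S1, half_len, 3, MD5_addr, MD5_len,
					P_MD5);
			MD5_pos = 0;
			hmac_md5(S1, half_len, A_MD5, MD5_MAC_LEN, A_MD5);
		}
		if (SHA1_pos == SHA1_MAC_LEN) {
			hmac_sha1_vector(S2, half_len, 3, SHA1_addr, SHA1_len,
					 P_SHA1);
			SHA1_pos = 0;
			hmac_sha1(S2, half_len, A_SHA1, SHA1_MAC_LEN, A_SHA1);
		}

		out[i] = P_MD5[MD5_pos] ^ P_SHA1[SHA1_pos];

		MD5_pos++;
		SHA1_pos++;
	}

	/* NOTE(review): A_* and P_* hold secret-derived intermediate values
	 * and are left on the stack on return. Consider clearing them with a
	 * scrubbing routine the compiler cannot elide. */

	return 0;
}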