[u/mdw/catacomb] / rand / sslprf.c

/* -*-c-*-
 *
 * The SSL pseudo-random function
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/alloc.h>
#include <mLib/dstr.h>
#include <mLib/sub.h>

#include "arena.h"
#include "ghash.h"
#include "grand.h"
#include "paranoia.h"
#include "sslprf.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @step@ --- *
 *
 * Arguments:	@sslprf_ctx *c@ = pointer to context structure
 *
 * Returns:	---
 *
 * Use:		Steps the generator.
 */

static void step(sslprf_ctx *c)
{
  octet buf[64];
  size_t n, sz;
  octet x;
  ghash *h, *hh;
  octet *p;

  h = GH_INIT(c->ci);
  x = 'A' + c->i - 1;
  for (sz = c->i++; sz > 0; sz -= n) {
    n = sz;
    if (n > sizeof(buf))
      n = sizeof(buf);
    memset(buf, x, n);
    GH_HASH(h, buf, n);
  }
  GH_HASH(h, c->k, c->ksz);
  GH_HASH(h, c->sd, c->sdsz);
  p = GH_DONE(h, 0);

  hh = GH_INIT(c->co);
  GH_HASH(hh, c->k, c->ksz);
  GH_HASH(hh, p, c->ihashsz);
  c->p = GH_DONE(hh, 0);
  GH_DESTROY(h);

  c->h = hh;
  c->sz = c->ohashsz;
}

/* --- @sslprf_init@ --- *
 *
 * Arguments:	@sslprf_ctx *c@ = pointer to a context structure
 *		@const gchash *hco, *hci@ = outer and inner hash functions
 *		@const void *k@ = pointer to secret buffer
 *		@size_t ksz@ = size of the secret
 *		@const void *sd@ = pointer to seed buffer
 *		@size_t sdsz@ = size of the seed
 *
 * Returns:	---
 *
 * Use:		Initializes an SSL generator context.
 */

void sslprf_init(sslprf_ctx *c, const gchash *hco, const gchash *hci,
		 const void *k, size_t ksz,
		 const void *sd, size_t sdsz)
{
  c->co = hco; c->ci = hci;
  c->ohashsz = hco->hashsz; c->ihashsz = hci->hashsz;
  c->k = k; c->ksz = ksz; c->sd = sd; c->sdsz = sdsz;
  c->i = 1;
  step(c);
}

/* --- @sslprf_encrypt@ --- *
 *
 * Arguments:	@sslprf_ctx *c@ = pointer to a context structure
 *		@const void *src@ = pointer to source buffer
 *		@void *dest@ = pointer to destination buffer
 *		@size_t sz@ = size of the buffers
 *
 * Returns:	---
 *
 * Use:		Encrypts data using the SSL pseudo-random function.  If the
 *		destination pointer is null, the generator is spun and no
 *		output is produced; if the source pointer is null, raw output
 *		from the generator is written; otherwise, the source data is
 *		XORed with the generator output.
 */

void sslprf_encrypt(sslprf_ctx *c, const void *src, void *dest, size_t sz)
{
  const octet *s = src;
  octet *d = dest;
  size_t i, n;

  while (sz) {
    if (!c->sz) {
      GH_DESTROY(c->h);
      step(c);
    }
    n = c->sz;
    if (n > sz)
      n = sz;
    if (d) {
      if (!s)
	memcpy(d, c->p, n);
      else {
	for (i = 0; i < n; i++) d[i] = s[i] ^ c->p[i];
	s += n;
      }
      d += n;
    }
    c->p += n;
    c->sz -= n;
    sz -= n;
  }
}

/* --- @sslprf_free@ --- *
 *
 * Arguments:	@sslprf_ctx@ = pointer to a context
 *
 * Returns:	---
 *
 * Use:		Frees resources held in an SSL generator context.
 */

void sslprf_free(sslprf_ctx *c)
{
  GH_DESTROY(c->h);
}

/* --- Generic random number generator --- */

typedef struct grctx {
  grand r;
  grand_ops ops;
  sslprf_ctx prf;
} grctx;

static void grdestroy(grand *r)
{
  grctx *g = (grctx *)r;
  xfree((char *)g->ops.name);
  xfree((octet *)g->prf.sd);
  sslprf_free(&g->prf);
  BURN(*g);
  S_DESTROY(g);
}

static void seed(grctx *g, const void *p, size_t sz)
{
  octet *q;
  xfree((octet *)g->prf.sd);
  g->prf.sd = q = xmalloc(sz);
  memcpy(q, p, sz);
  g->prf.sdsz = sz;
}

static int grmisc(grand *r, unsigned op, ...)
{
  grctx *g = (grctx *)r;
  va_list ap;
  int rc = 0;
  uint32 i;
  octet buf[4];
  va_start(ap, op);

  switch (op) {
    case GRAND_CHECK:
      switch (va_arg(ap, unsigned)) {
	case GRAND_CHECK:
	case GRAND_SEEDINT:
	case GRAND_SEEDUINT32:
	case GRAND_SEEDBLOCK:
	case GRAND_SEEDRAND:
	  rc = 1;
	  break;
	default:
	  rc = 0;
	  break;
      }
      break;
    case GRAND_SEEDINT:
      i = va_arg(ap, unsigned);
      STORE32(buf, i);
      seed(g, buf, sizeof(buf));
      break;
    case GRAND_SEEDUINT32:
      i = va_arg(ap, uint32);
      STORE32(buf, i);
      seed(g, buf, sizeof(buf));
      break;
    case GRAND_SEEDBLOCK: {
      const void *p = va_arg(ap, const void *);
      size_t sz = va_arg(ap, size_t);
      seed(g, p, sz);
    } break;
    case GRAND_SEEDRAND: {
      grand *rr = va_arg(ap, grand *);
      octet buf[16];
      rr->ops->fill(rr, buf, sizeof(buf));
      seed(g, buf, sizeof(buf));
    } break;
    default:
      GRAND_BADOP;
      break;
  }

  va_end(ap);
  return (rc);
}

static octet grbyte(grand *r)
{
  grctx *g = (grctx *)r;
  octet o;
  sslprf_encrypt(&g->prf, 0, &o, 1);
  return (o);
}

static uint32 grword(grand *r)
{
  grctx *g = (grctx *)r;
  octet b[4];
  sslprf_encrypt(&g->prf, 0, &b, sizeof(b));
  return (LOAD32(b));
}

static void grfill(grand *r, void *p, size_t sz)
{
  grctx *g = (grctx *)r;
  sslprf_encrypt(&g->prf, 0, p, sz);
}

static const grand_ops grops = {
  "<sslprf-dummy>",
  GRAND_CRYPTO, 0,
  grmisc, grdestroy,
  grword, grbyte, grword, grand_range, grfill
};

/* ---@sslprf_rand@ --- *
 *
 * Arguments:	@const gchash *hco, const gchash *hci@ = hash functions
 *		@const void *k@ = pointer to the key material
 *		@size_t ksz@ = size of the key material
 *		@const void *sd@ = pointer to the seed material
 *		@size_t sdsz@ = size of the seed material
 *
 * Returns:	Pointer to generic random number generator interface.
 *
 * Use:		Creates a generic generator which does TLS data expansion.
 */

grand *sslprf_rand(const gchash *hco, const gchash *hci,
		   const void *k, size_t ksz,
		   const void *sd, size_t sdsz)
{
  grctx *g = S_CREATE(grctx);
  dstr d = DSTR_INIT;
  octet *q = xmalloc(sdsz);
  memcpy(q, sd, sdsz);
  dstr_putf(&d, "sslprf(%s,%s)", hco->name, hci->name);
  g->ops = grops;
  g->ops.name = xstrdup(d.buf);
  g->r.ops = &g->ops;
  dstr_destroy(&d);
  sslprf_init(&g->prf, hco, hci, k, ksz, q, sdsz);
  return (&g->r);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <stdio.h>
#include <string.h>

#include <mLib/quis.h>
#include <mLib/testrig.h>

#include "sha.h"
#include "md5.h"

static int v_generate(dstr *v)
{
  grand *g;
  dstr d = DSTR_INIT;
  int ok = 1;

  g = sslprf_rand(&md5, &sha, v[0].buf, v[0].len, v[1].buf, v[1].len);
  dstr_ensure(&d, v[2].len);
  d.len = v[2].len;
  g->ops->fill(g, d.buf, d.len);
  g->ops->destroy(g);
  if (memcmp(v[2].buf, d.buf, d.len) != 0) {
    ok = 0;
    printf("\nfail sslprf:"
	   "\n\tkey	   = ");
    type_hex.dump(&v[0], stdout);
    printf("\n\tseed	   = "); type_hex.dump(&v[1], stdout);
    printf("\n\texpected   = "); type_hex.dump(&v[2], stdout);
    printf("\n\tcalculated = "); type_hex.dump(&d, stdout);
    putchar('\n');
  }
  return (ok);
}

static test_chunk defs[] = {
  { "sslprf", v_generate, { &type_hex, &type_hex, &type_hex, 0 } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  test_run(argc, argv, defs, SRCDIR"/t/sslprf");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
51a0f805	1	/* --c--
51a0f805	2	*
51a0f805	3	* The SSL pseudo-random function
	4	*
	5	* (c) 2001 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
51a0f805	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
51a0f805	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
51a0f805	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
51a0f805	28	/----- Header files ------------------------------------------------------/
	29
	30	#include <mLib/alloc.h>
	31	#include <mLib/dstr.h>
	32	#include <mLib/sub.h>
	33
	34	#include "arena.h"
	35	#include "ghash.h"
	36	#include "grand.h"
	37	#include "paranoia.h"
	38	#include "sslprf.h"
	39
	40	/----- Main code ---------------------------------------------------------/
	41
	42	/* --- @step@ --- *
	43	*
	44	* Arguments: @sslprf_ctx *c@ = pointer to context structure
	45	*
	46	* Returns: ---
	47	*
	48	* Use: Steps the generator.
	49	*/
	50
	51	static void step(sslprf_ctx *c)
	52	{
	53	octet buf[64];
	54	size_t n, sz;
	55	octet x;
	56	ghash h, hh;
	57	octet *p;
	58
b817bfc6	59	h = GH_INIT(c->ci);
51a0f805	60	x = 'A' + c->i - 1;
	61	for (sz = c->i++; sz > 0; sz -= n) {
	62	n = sz;
	63	if (n > sizeof(buf))
	64	n = sizeof(buf);
	65	memset(buf, x, n);
b817bfc6	66	GH_HASH(h, buf, n);
51a0f805	67	}
b817bfc6	68	GH_HASH(h, c->k, c->ksz);
	69	GH_HASH(h, c->sd, c->sdsz);
	70	p = GH_DONE(h, 0);
51a0f805	71
b817bfc6	72	hh = GH_INIT(c->co);
	73	GH_HASH(hh, c->k, c->ksz);
	74	GH_HASH(hh, p, c->ihashsz);
	75	c->p = GH_DONE(hh, 0);
	76	GH_DESTROY(h);
51a0f805	77
	78	c->h = hh;
	79	c->sz = c->ohashsz;
	80	}
	81
	82	/* --- @sslprf_init@ --- *
	83	*
	84	* Arguments: @sslprf_ctx *c@ = pointer to a context structure
	85	* @const gchash hco, hci@ = outer and inner hash functions
	86	* @const void *k@ = pointer to secret buffer
	87	* @size_t ksz@ = size of the secret
	88	* @const void *sd@ = pointer to seed buffer
	89	* @size_t sdsz@ = size of the seed
	90	*
	91	* Returns: ---
	92	*
	93	* Use: Initializes an SSL generator context.
	94	*/
	95
	96	void sslprf_init(sslprf_ctx c, const gchash hco, const gchash *hci,
	97	const void *k, size_t ksz,
	98	const void *sd, size_t sdsz)
	99	{
	100	c->co = hco; c->ci = hci;
	101	c->ohashsz = hco->hashsz; c->ihashsz = hci->hashsz;
	102	c->k = k; c->ksz = ksz; c->sd = sd; c->sdsz = sdsz;
	103	c->i = 1;
	104	step(c);
	105	}
	106
	107	/* --- @sslprf_encrypt@ --- *
	108	*
	109	* Arguments: @sslprf_ctx *c@ = pointer to a context structure
	110	* @const void *src@ = pointer to source buffer
	111	* @void *dest@ = pointer to destination buffer
	112	* @size_t sz@ = size of the buffers
	113	*
	114	* Returns: ---
	115	*
	116	* Use: Encrypts data using the SSL pseudo-random function. If the
	117	* destination pointer is null, the generator is spun and no
	118	* output is produced; if the source pointer is null, raw output
	119	* from the generator is written; otherwise, the source data is
	120	* XORed with the generator output.
	121	*/
	122
	123	void sslprf_encrypt(sslprf_ctx c, const void src, void *dest, size_t sz)
	124	{
	125	const octet *s = src;
	126	octet *d = dest;
	127	size_t i, n;
	128
	129	while (sz) {
	130	if (!c->sz) {
b817bfc6	131	GH_DESTROY(c->h);
51a0f805	132	step(c);
	133	}
	134	n = c->sz;
	135	if (n > sz)
	136	n = sz;
	137	if (d) {
	138	if (!s)
	139	memcpy(d, c->p, n);
	140	else {
	141	for (i = 0; i < n; i++) d[i] = s[i] ^ c->p[i];
	142	s += n;
	143	}
	144	d += n;
	145	}
	146	c->p += n;
	147	c->sz -= n;
	148	sz -= n;
	149	}
	150	}
	151
	152	/* --- @sslprf_free@ --- *
	153	*
	154	* Arguments: @sslprf_ctx@ = pointer to a context
	155	*
	156	* Returns: ---
	157	*
	158	* Use: Frees resources held in an SSL generator context.
	159	*/
	160
	161	void sslprf_free(sslprf_ctx *c)
	162	{
b817bfc6	163	GH_DESTROY(c->h);
51a0f805	164	}
	165
	166	/* --- Generic random number generator --- */
	167
	168	typedef struct grctx {
	169	grand r;
	170	grand_ops ops;
	171	sslprf_ctx prf;
	172	} grctx;
	173
	174	static void grdestroy(grand *r)
	175	{
	176	grctx g = (grctx )r;
	177	xfree((char *)g->ops.name);
	178	xfree((octet *)g->prf.sd);
	179	sslprf_free(&g->prf);
	180	BURN(*g);
	181	S_DESTROY(g);
	182	}
	183
	184	static void seed(grctx g, const void p, size_t sz)
	185	{
	186	octet *q;
	187	xfree((octet *)g->prf.sd);
	188	g->prf.sd = q = xmalloc(sz);
	189	memcpy(q, p, sz);
	190	g->prf.sdsz = sz;
	191	}
	192
	193	static int grmisc(grand *r, unsigned op, ...)
	194	{
	195	grctx g = (grctx )r;
	196	va_list ap;
	197	int rc = 0;
	198	uint32 i;
	199	octet buf[4];
	200	va_start(ap, op);
	201
	202	switch (op) {
	203	case GRAND_CHECK:
	204	switch (va_arg(ap, unsigned)) {
	205	case GRAND_CHECK:
	206	case GRAND_SEEDINT:
	207	case GRAND_SEEDUINT32:
	208	case GRAND_SEEDBLOCK:
	209	case GRAND_SEEDRAND:
	210	rc = 1;
	211	break;
	212	default:
	213	rc = 0;
	214	break;
	215	}
	216	break;
	217	case GRAND_SEEDINT:
	218	i = va_arg(ap, unsigned);
	219	STORE32(buf, i);
	220	seed(g, buf, sizeof(buf));
	221	break;
	222	case GRAND_SEEDUINT32:
	223	i = va_arg(ap, uint32);
	224	STORE32(buf, i);
	225	seed(g, buf, sizeof(buf));
	226	break;
	227	case GRAND_SEEDBLOCK: {
228	const void p = va_arg(ap, const void );
229	size_t sz = va_arg(ap, size_t);
230	seed(g, p, sz);
231	} break;
232	case GRAND_SEEDRAND: {
233	grand rr = va_arg(ap, grand );
234	octet buf[16];
235	rr->ops->fill(rr, buf, sizeof(buf));
236	seed(g, buf, sizeof(buf));
237	} break;
238	default:
239	GRAND_BADOP;
45c0fd36	240	break;
51a0f805	241	}
	242
	243	va_end(ap);
	244	return (rc);
	245	}
	246
	247	static octet grbyte(grand *r)
	248	{
	249	grctx g = (grctx )r;
	250	octet o;
	251	sslprf_encrypt(&g->prf, 0, &o, 1);
	252	return (o);
	253	}
	254
	255	static uint32 grword(grand *r)
	256	{
	257	grctx g = (grctx )r;
	258	octet b[4];
	259	sslprf_encrypt(&g->prf, 0, &b, sizeof(b));
	260	return (LOAD32(b));
	261	}
	262
	263	static void grfill(grand r, void p, size_t sz)
	264	{
	265	grctx g = (grctx )r;
	266	sslprf_encrypt(&g->prf, 0, p, sz);
	267	}
	268
	269	static const grand_ops grops = {
	270	"<sslprf-dummy>",
	271	GRAND_CRYPTO, 0,
	272	grmisc, grdestroy,
	273	grword, grbyte, grword, grand_range, grfill
	274	};
	275
	276	/* ---@sslprf_rand@ --- *
	277	*
	278	* Arguments: @const gchash hco, const gchash hci@ = hash functions
	279	* @const void *k@ = pointer to the key material
	280	* @size_t ksz@ = size of the key material
	281	* @const void *sd@ = pointer to the seed material
	282	* @size_t sdsz@ = size of the seed material
	283	*
	284	* Returns: Pointer to generic random number generator interface.
	285	*
	286	* Use: Creates a generic generator which does TLS data expansion.
	287	*/
	288
	289	grand sslprf_rand(const gchash hco, const gchash *hci,
	290	const void *k, size_t ksz,
	291	const void *sd, size_t sdsz)
	292	{
	293	grctx *g = S_CREATE(grctx);
	294	dstr d = DSTR_INIT;
	295	octet *q = xmalloc(sdsz);
	296	memcpy(q, sd, sdsz);
	297	dstr_putf(&d, "sslprf(%s,%s)", hco->name, hci->name);
	298	g->ops = grops;
	299	g->ops.name = xstrdup(d.buf);
	300	g->r.ops = &g->ops;
	301	dstr_destroy(&d);
	302	sslprf_init(&g->prf, hco, hci, k, ksz, q, sdsz);
	303	return (&g->r);
	304	}
305
306	/----- Test rig ----------------------------------------------------------/
307
308	#ifdef TEST_RIG
309
310	#include <stdio.h>
311	#include <string.h>
312
313	#include <mLib/quis.h>
314	#include <mLib/testrig.h>
315
316	#include "sha.h"
317	#include "md5.h"
318
319	static int v_generate(dstr *v)
320	{
321	grand *g;
322	dstr d = DSTR_INIT;
323	int ok = 1;
324
325	g = sslprf_rand(&md5, &sha, v[0].buf, v[0].len, v[1].buf, v[1].len);
326	dstr_ensure(&d, v[2].len);
327	d.len = v[2].len;
328	g->ops->fill(g, d.buf, d.len);
329	g->ops->destroy(g);
330	if (memcmp(v[2].buf, d.buf, d.len) != 0) {
331	ok = 0;
332	printf("\nfail sslprf:"
45c0fd36	333	"\n\tkey = ");
51a0f805	334	type_hex.dump(&v[0], stdout);
45c0fd36	335	printf("\n\tseed = "); type_hex.dump(&v[1], stdout);
51a0f805	336	printf("\n\texpected = "); type_hex.dump(&v[2], stdout);
	337	printf("\n\tcalculated = "); type_hex.dump(&d, stdout);
	338	putchar('\n');
	339	}
	340	return (ok);
	341	}
	342
	343	static test_chunk defs[] = {
	344	{ "sslprf", v_generate, { &type_hex, &type_hex, &type_hex, 0 } },
	345	{ 0, 0, { 0 } }
	346	};
	347
	348	int main(int argc, char *argv[])
	349	{
0f00dc4c	350	test_run(argc, argv, defs, SRCDIR"/t/sslprf");
51a0f805	351	return (0);
	352	}
	353
	354	#endif
	355
	356	/----- That's all, folks -------------------------------------------------/