[u/mdw/catacomb] / sslprf.c

/* -*-c-*-
 *
 * $Id: sslprf.c,v 1.2 2004/04/08 01:36:15 mdw Exp $
 *
 * The SSL pseudo-random function
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/alloc.h>
#include <mLib/dstr.h>
#include <mLib/sub.h>

#include "arena.h"
#include "ghash.h"
#include "grand.h"
#include "paranoia.h"
#include "sslprf.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @step@ --- *
 *
 * Arguments:	@sslprf_ctx *c@ = pointer to context structure
 *
 * Returns:	---
 *
 * Use:		Steps the generator.
 */

static void step(sslprf_ctx *c)
{
  octet buf[64];
  size_t n, sz;
  octet x;
  ghash *h, *hh;
  octet *p;

  h = GH_INIT(c->ci);
  x = 'A' + c->i - 1;
  for (sz = c->i++; sz > 0; sz -= n) {
    n = sz;
    if (n > sizeof(buf))
      n = sizeof(buf);
    memset(buf, x, n);
    GH_HASH(h, buf, n);
  }
  GH_HASH(h, c->k, c->ksz);
  GH_HASH(h, c->sd, c->sdsz);
  p = GH_DONE(h, 0);

  hh = GH_INIT(c->co);
  GH_HASH(hh, c->k, c->ksz);
  GH_HASH(hh, p, c->ihashsz);
  c->p = GH_DONE(hh, 0);
  GH_DESTROY(h);

  c->h = hh;
  c->sz = c->ohashsz;
}

/* --- @sslprf_init@ --- *
 *
 * Arguments:	@sslprf_ctx *c@ = pointer to a context structure
 *		@const gchash *hco, *hci@ = outer and inner hash functions
 *		@const void *k@ = pointer to secret buffer
 *		@size_t ksz@ = size of the secret
 *		@const void *sd@ = pointer to seed buffer
 *		@size_t sdsz@ = size of the seed
 *
 * Returns:	---
 *
 * Use:		Initializes an SSL generator context.
 */

void sslprf_init(sslprf_ctx *c, const gchash *hco, const gchash *hci,
		 const void *k, size_t ksz,
		 const void *sd, size_t sdsz)
{
  c->co = hco; c->ci = hci;
  c->ohashsz = hco->hashsz; c->ihashsz = hci->hashsz;
  c->k = k; c->ksz = ksz; c->sd = sd; c->sdsz = sdsz;
  c->i = 1;
  step(c);
}

/* --- @sslprf_encrypt@ --- *
 *
 * Arguments:	@sslprf_ctx *c@ = pointer to a context structure
 *		@const void *src@ = pointer to source buffer
 *		@void *dest@ = pointer to destination buffer
 *		@size_t sz@ = size of the buffers
 *
 * Returns:	---
 *
 * Use:		Encrypts data using the SSL pseudo-random function.  If the
 *		destination pointer is null, the generator is spun and no
 *		output is produced; if the source pointer is null, raw output
 *		from the generator is written; otherwise, the source data is
 *		XORed with the generator output.
 */

void sslprf_encrypt(sslprf_ctx *c, const void *src, void *dest, size_t sz)
{
  const octet *s = src;
  octet *d = dest;
  size_t i, n;

  while (sz) {
    if (!c->sz) {
      GH_DESTROY(c->h);
      step(c);
    }
    n = c->sz;
    if (n > sz)
      n = sz;
    if (d) {
      if (!s)
	memcpy(d, c->p, n);
      else {
	for (i = 0; i < n; i++) d[i] = s[i] ^ c->p[i];
	s += n;
      }
      d += n;
    }
    c->p += n;
    c->sz -= n;
    sz -= n;
  }
}

/* --- @sslprf_free@ --- *
 *
 * Arguments:	@sslprf_ctx@ = pointer to a context
 *
 * Returns:	---
 *
 * Use:		Frees resources held in an SSL generator context.
 */

void sslprf_free(sslprf_ctx *c)
{
  GH_DESTROY(c->h);
}

/* --- Generic random number generator --- */

typedef struct grctx {
  grand r;
  grand_ops ops;
  sslprf_ctx prf;
} grctx;

static void grdestroy(grand *r)
{
  grctx *g = (grctx *)r;
  xfree((char *)g->ops.name);
  xfree((octet *)g->prf.sd);
  sslprf_free(&g->prf);
  BURN(*g);
  S_DESTROY(g);
}

static void seed(grctx *g, const void *p, size_t sz)
{
  octet *q;
  xfree((octet *)g->prf.sd);
  g->prf.sd = q = xmalloc(sz);
  memcpy(q, p, sz);
  g->prf.sdsz = sz;
}

static int grmisc(grand *r, unsigned op, ...)
{
  grctx *g = (grctx *)r;
  va_list ap;
  int rc = 0;
  uint32 i;
  octet buf[4];
  va_start(ap, op);

  switch (op) {
    case GRAND_CHECK:
      switch (va_arg(ap, unsigned)) {
	case GRAND_CHECK:
	case GRAND_SEEDINT:
	case GRAND_SEEDUINT32:
	case GRAND_SEEDBLOCK:
	case GRAND_SEEDRAND:
	  rc = 1;
	  break;
	default:
	  rc = 0;
	  break;
      }
      break;
    case GRAND_SEEDINT:
      i = va_arg(ap, unsigned);
      STORE32(buf, i);
      seed(g, buf, sizeof(buf));
      break;
    case GRAND_SEEDUINT32:
      i = va_arg(ap, uint32);
      STORE32(buf, i);
      seed(g, buf, sizeof(buf));
      break;
    case GRAND_SEEDBLOCK: {
      const void *p = va_arg(ap, const void *);
      size_t sz = va_arg(ap, size_t);
      seed(g, p, sz);
    } break;
    case GRAND_SEEDRAND: {
      grand *rr = va_arg(ap, grand *);
      octet buf[16];
      rr->ops->fill(rr, buf, sizeof(buf));
      seed(g, buf, sizeof(buf));
    } break;
    default:
      GRAND_BADOP;
      break;
  }

  va_end(ap);
  return (rc);
}

static octet grbyte(grand *r)
{
  grctx *g = (grctx *)r;
  octet o;
  sslprf_encrypt(&g->prf, 0, &o, 1);
  return (o);
}

static uint32 grword(grand *r)
{
  grctx *g = (grctx *)r;
  octet b[4];
  sslprf_encrypt(&g->prf, 0, &b, sizeof(b));
  return (LOAD32(b));
}

static void grfill(grand *r, void *p, size_t sz)
{
  grctx *g = (grctx *)r;
  sslprf_encrypt(&g->prf, 0, p, sz);
}

static const grand_ops grops = {
  "<sslprf-dummy>",
  GRAND_CRYPTO, 0,
  grmisc, grdestroy,
  grword, grbyte, grword, grand_range, grfill
};

/* ---@sslprf_rand@ --- *
 *
 * Arguments:	@const gchash *hco, const gchash *hci@ = hash functions
 *		@const void *k@ = pointer to the key material
 *		@size_t ksz@ = size of the key material
 *		@const void *sd@ = pointer to the seed material
 *		@size_t sdsz@ = size of the seed material
 *
 * Returns:	Pointer to generic random number generator interface.
 *
 * Use:		Creates a generic generator which does TLS data expansion.
 */

grand *sslprf_rand(const gchash *hco, const gchash *hci,
		   const void *k, size_t ksz,
		   const void *sd, size_t sdsz)
{
  grctx *g = S_CREATE(grctx);
  dstr d = DSTR_INIT;
  octet *q = xmalloc(sdsz);
  memcpy(q, sd, sdsz);
  dstr_putf(&d, "sslprf(%s,%s)", hco->name, hci->name);
  g->ops = grops;
  g->ops.name = xstrdup(d.buf);
  g->r.ops = &g->ops;
  dstr_destroy(&d);
  sslprf_init(&g->prf, hco, hci, k, ksz, q, sdsz);
  return (&g->r);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <stdio.h>
#include <string.h>

#include <mLib/quis.h>
#include <mLib/testrig.h>

#include "sha.h"
#include "md5.h"

static int v_generate(dstr *v)
{
  grand *g;
  dstr d = DSTR_INIT;
  int ok = 1;

  g = sslprf_rand(&md5, &sha, v[0].buf, v[0].len, v[1].buf, v[1].len);
  dstr_ensure(&d, v[2].len);
  d.len = v[2].len;
  g->ops->fill(g, d.buf, d.len);
  g->ops->destroy(g);
  if (memcmp(v[2].buf, d.buf, d.len) != 0) {
    ok = 0;
    printf("\nfail sslprf:"
	   "\n\tkey	   = ");
    type_hex.dump(&v[0], stdout);
    printf("\n\tseed	   = "); type_hex.dump(&v[1], stdout);
    printf("\n\texpected   = "); type_hex.dump(&v[2], stdout);
    printf("\n\tcalculated = "); type_hex.dump(&d, stdout);
    putchar('\n');
  }
  return (ok);
}

static test_chunk defs[] = {
  { "sslprf", v_generate, { &type_hex, &type_hex, &type_hex, 0 } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  test_run(argc, argv, defs, SRCDIR"/tests/sslprf");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
51a0f805	1	/* --c--
51a0f805	2	*
b817bfc6	3	* $Id: sslprf.c,v 1.2 2004/04/08 01:36:15 mdw Exp $
51a0f805	4	*
	5	* The SSL pseudo-random function
	6	*
	7	* (c) 2001 Straylight/Edgeware
	8	*/
	9
45c0fd36	10	/----- Licensing notice --------------------------------------------------
51a0f805	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
45c0fd36	18	*
51a0f805	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
45c0fd36	23	*
51a0f805	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
51a0f805	30	/----- Header files ------------------------------------------------------/
	31
	32	#include <mLib/alloc.h>
	33	#include <mLib/dstr.h>
	34	#include <mLib/sub.h>
	35
	36	#include "arena.h"
	37	#include "ghash.h"
	38	#include "grand.h"
	39	#include "paranoia.h"
	40	#include "sslprf.h"
	41
	42	/----- Main code ---------------------------------------------------------/
	43
	44	/* --- @step@ --- *
	45	*
	46	* Arguments: @sslprf_ctx *c@ = pointer to context structure
	47	*
	48	* Returns: ---
	49	*
	50	* Use: Steps the generator.
	51	*/
	52
	53	static void step(sslprf_ctx *c)
	54	{
	55	octet buf[64];
	56	size_t n, sz;
	57	octet x;
	58	ghash h, hh;
	59	octet *p;
	60
b817bfc6	61	h = GH_INIT(c->ci);
51a0f805	62	x = 'A' + c->i - 1;
	63	for (sz = c->i++; sz > 0; sz -= n) {
	64	n = sz;
	65	if (n > sizeof(buf))
	66	n = sizeof(buf);
	67	memset(buf, x, n);
b817bfc6	68	GH_HASH(h, buf, n);
51a0f805	69	}
b817bfc6	70	GH_HASH(h, c->k, c->ksz);
	71	GH_HASH(h, c->sd, c->sdsz);
	72	p = GH_DONE(h, 0);
51a0f805	73
b817bfc6	74	hh = GH_INIT(c->co);
	75	GH_HASH(hh, c->k, c->ksz);
	76	GH_HASH(hh, p, c->ihashsz);
	77	c->p = GH_DONE(hh, 0);
	78	GH_DESTROY(h);
51a0f805	79
	80	c->h = hh;
	81	c->sz = c->ohashsz;
	82	}
	83
	84	/* --- @sslprf_init@ --- *
	85	*
	86	* Arguments: @sslprf_ctx *c@ = pointer to a context structure
	87	* @const gchash hco, hci@ = outer and inner hash functions
	88	* @const void *k@ = pointer to secret buffer
	89	* @size_t ksz@ = size of the secret
	90	* @const void *sd@ = pointer to seed buffer
	91	* @size_t sdsz@ = size of the seed
	92	*
	93	* Returns: ---
	94	*
	95	* Use: Initializes an SSL generator context.
	96	*/
	97
	98	void sslprf_init(sslprf_ctx c, const gchash hco, const gchash *hci,
	99	const void *k, size_t ksz,
	100	const void *sd, size_t sdsz)
	101	{
	102	c->co = hco; c->ci = hci;
	103	c->ohashsz = hco->hashsz; c->ihashsz = hci->hashsz;
	104	c->k = k; c->ksz = ksz; c->sd = sd; c->sdsz = sdsz;
	105	c->i = 1;
	106	step(c);
	107	}
	108
	109	/* --- @sslprf_encrypt@ --- *
	110	*
	111	* Arguments: @sslprf_ctx *c@ = pointer to a context structure
	112	* @const void *src@ = pointer to source buffer
	113	* @void *dest@ = pointer to destination buffer
	114	* @size_t sz@ = size of the buffers
	115	*
	116	* Returns: ---
	117	*
	118	* Use: Encrypts data using the SSL pseudo-random function. If the
	119	* destination pointer is null, the generator is spun and no
	120	* output is produced; if the source pointer is null, raw output
	121	* from the generator is written; otherwise, the source data is
	122	* XORed with the generator output.
	123	*/
	124
	125	void sslprf_encrypt(sslprf_ctx c, const void src, void *dest, size_t sz)
	126	{
	127	const octet *s = src;
	128	octet *d = dest;
	129	size_t i, n;
	130
	131	while (sz) {
	132	if (!c->sz) {
b817bfc6	133	GH_DESTROY(c->h);
51a0f805	134	step(c);
	135	}
	136	n = c->sz;
	137	if (n > sz)
	138	n = sz;
	139	if (d) {
	140	if (!s)
	141	memcpy(d, c->p, n);
	142	else {
	143	for (i = 0; i < n; i++) d[i] = s[i] ^ c->p[i];
	144	s += n;
	145	}
	146	d += n;
	147	}
	148	c->p += n;
	149	c->sz -= n;
	150	sz -= n;
	151	}
	152	}
	153
	154	/* --- @sslprf_free@ --- *
	155	*
	156	* Arguments: @sslprf_ctx@ = pointer to a context
	157	*
	158	* Returns: ---
	159	*
	160	* Use: Frees resources held in an SSL generator context.
	161	*/
	162
	163	void sslprf_free(sslprf_ctx *c)
	164	{
b817bfc6	165	GH_DESTROY(c->h);
51a0f805	166	}
	167
	168	/* --- Generic random number generator --- */
	169
	170	typedef struct grctx {
	171	grand r;
	172	grand_ops ops;
	173	sslprf_ctx prf;
	174	} grctx;
	175
	176	static void grdestroy(grand *r)
	177	{
	178	grctx g = (grctx )r;
	179	xfree((char *)g->ops.name);
	180	xfree((octet *)g->prf.sd);
	181	sslprf_free(&g->prf);
	182	BURN(*g);
	183	S_DESTROY(g);
	184	}
	185
	186	static void seed(grctx g, const void p, size_t sz)
	187	{
	188	octet *q;
	189	xfree((octet *)g->prf.sd);
	190	g->prf.sd = q = xmalloc(sz);
	191	memcpy(q, p, sz);
	192	g->prf.sdsz = sz;
	193	}
	194
	195	static int grmisc(grand *r, unsigned op, ...)
	196	{
	197	grctx g = (grctx )r;
	198	va_list ap;
	199	int rc = 0;
	200	uint32 i;
	201	octet buf[4];
	202	va_start(ap, op);
	203
	204	switch (op) {
	205	case GRAND_CHECK:
	206	switch (va_arg(ap, unsigned)) {
	207	case GRAND_CHECK:
	208	case GRAND_SEEDINT:
	209	case GRAND_SEEDUINT32:
	210	case GRAND_SEEDBLOCK:
	211	case GRAND_SEEDRAND:
	212	rc = 1;
	213	break;
	214	default:
	215	rc = 0;
	216	break;
	217	}
	218	break;
	219	case GRAND_SEEDINT:
	220	i = va_arg(ap, unsigned);
	221	STORE32(buf, i);
	222	seed(g, buf, sizeof(buf));
	223	break;
	224	case GRAND_SEEDUINT32:
	225	i = va_arg(ap, uint32);
	226	STORE32(buf, i);
	227	seed(g, buf, sizeof(buf));
	228	break;
	229	case GRAND_SEEDBLOCK: {
230	const void p = va_arg(ap, const void );
231	size_t sz = va_arg(ap, size_t);
232	seed(g, p, sz);
233	} break;
234	case GRAND_SEEDRAND: {
235	grand rr = va_arg(ap, grand );
236	octet buf[16];
237	rr->ops->fill(rr, buf, sizeof(buf));
238	seed(g, buf, sizeof(buf));
239	} break;
240	default:
241	GRAND_BADOP;
45c0fd36	242	break;
51a0f805	243	}
	244
	245	va_end(ap);
	246	return (rc);
	247	}
	248
	249	static octet grbyte(grand *r)
	250	{
	251	grctx g = (grctx )r;
	252	octet o;
	253	sslprf_encrypt(&g->prf, 0, &o, 1);
	254	return (o);
	255	}
	256
	257	static uint32 grword(grand *r)
	258	{
	259	grctx g = (grctx )r;
	260	octet b[4];
	261	sslprf_encrypt(&g->prf, 0, &b, sizeof(b));
	262	return (LOAD32(b));
	263	}
	264
	265	static void grfill(grand r, void p, size_t sz)
	266	{
	267	grctx g = (grctx )r;
	268	sslprf_encrypt(&g->prf, 0, p, sz);
	269	}
	270
	271	static const grand_ops grops = {
	272	"<sslprf-dummy>",
	273	GRAND_CRYPTO, 0,
	274	grmisc, grdestroy,
	275	grword, grbyte, grword, grand_range, grfill
	276	};
	277
	278	/* ---@sslprf_rand@ --- *
	279	*
	280	* Arguments: @const gchash hco, const gchash hci@ = hash functions
	281	* @const void *k@ = pointer to the key material
	282	* @size_t ksz@ = size of the key material
	283	* @const void *sd@ = pointer to the seed material
	284	* @size_t sdsz@ = size of the seed material
	285	*
	286	* Returns: Pointer to generic random number generator interface.
	287	*
	288	* Use: Creates a generic generator which does TLS data expansion.
	289	*/
	290
	291	grand sslprf_rand(const gchash hco, const gchash *hci,
	292	const void *k, size_t ksz,
	293	const void *sd, size_t sdsz)
	294	{
	295	grctx *g = S_CREATE(grctx);
	296	dstr d = DSTR_INIT;
	297	octet *q = xmalloc(sdsz);
	298	memcpy(q, sd, sdsz);
	299	dstr_putf(&d, "sslprf(%s,%s)", hco->name, hci->name);
	300	g->ops = grops;
	301	g->ops.name = xstrdup(d.buf);
	302	g->r.ops = &g->ops;
	303	dstr_destroy(&d);
	304	sslprf_init(&g->prf, hco, hci, k, ksz, q, sdsz);
	305	return (&g->r);
	306	}
307
308	/----- Test rig ----------------------------------------------------------/
309
310	#ifdef TEST_RIG
311
312	#include <stdio.h>
313	#include <string.h>
314
315	#include <mLib/quis.h>
316	#include <mLib/testrig.h>
317
318	#include "sha.h"
319	#include "md5.h"
320
321	static int v_generate(dstr *v)
322	{
323	grand *g;
324	dstr d = DSTR_INIT;
325	int ok = 1;
326
327	g = sslprf_rand(&md5, &sha, v[0].buf, v[0].len, v[1].buf, v[1].len);
328	dstr_ensure(&d, v[2].len);
329	d.len = v[2].len;
330	g->ops->fill(g, d.buf, d.len);
331	g->ops->destroy(g);
332	if (memcmp(v[2].buf, d.buf, d.len) != 0) {
333	ok = 0;
334	printf("\nfail sslprf:"
45c0fd36	335	"\n\tkey = ");
51a0f805	336	type_hex.dump(&v[0], stdout);
45c0fd36	337	printf("\n\tseed = "); type_hex.dump(&v[1], stdout);
51a0f805	338	printf("\n\texpected = "); type_hex.dump(&v[2], stdout);
	339	printf("\n\tcalculated = "); type_hex.dump(&d, stdout);
	340	putchar('\n');
	341	}
	342	return (ok);
	343	}
	344
	345	static test_chunk defs[] = {
	346	{ "sslprf", v_generate, { &type_hex, &type_hex, &type_hex, 0 } },
	347	{ 0, 0, { 0 } }
	348	};
	349
	350	int main(int argc, char *argv[])
	351	{
	352	test_run(argc, argv, defs, SRCDIR"/tests/sslprf");
	353	return (0);
	354	}
	355
	356	#endif
	357
	358	/----- That's all, folks -------------------------------------------------/