/* $OpenBSD: tls12_key_schedule.c,v 1.4 2024/02/03 15:58:34 beck Exp $ */
/*
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <stdlib.h>

#include <openssl/evp.h>

#include "bytestring.h"
#include "ssl_local.h"
#include "tls12_internal.h"

struct tls12_key_block {
        CBS client_write_mac_key;
        CBS server_write_mac_key;
        CBS client_write_key;
        CBS server_write_key;
        CBS client_write_iv;
        CBS server_write_iv;

        uint8_t *key_block;
        size_t key_block_len;
};

struct tls12_key_block *
tls12_key_block_new(void)
{
        return calloc(1, sizeof(struct tls12_key_block));
}

static void
tls12_key_block_clear(struct tls12_key_block *kb)
{
        CBS_init(&kb->client_write_mac_key, NULL, 0);
        CBS_init(&kb->server_write_mac_key, NULL, 0);
        CBS_init(&kb->client_write_key, NULL, 0);
        CBS_init(&kb->server_write_key, NULL, 0);
        CBS_init(&kb->client_write_iv, NULL, 0);
        CBS_init(&kb->server_write_iv, NULL, 0);

        freezero(kb->key_block, kb->key_block_len);
        kb->key_block = NULL;
        kb->key_block_len = 0;
}

void
tls12_key_block_free(struct tls12_key_block *kb)
{
        if (kb == NULL)
                return;

        tls12_key_block_clear(kb);

        freezero(kb, sizeof(struct tls12_key_block));
}

void
tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key,
    CBS *key, CBS *iv)
{
        CBS_dup(&kb->client_write_mac_key, mac_key);
        CBS_dup(&kb->client_write_key, key);
        CBS_dup(&kb->client_write_iv, iv);
}

void
tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key,
    CBS *key, CBS *iv)
{
        CBS_dup(&kb->server_write_mac_key, mac_key);
        CBS_dup(&kb->server_write_key, key);
        CBS_dup(&kb->server_write_iv, iv);
}

int
tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
    const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash)
{
        size_t mac_key_len = 0, key_len = 0, iv_len = 0;
        uint8_t *key_block = NULL;
        size_t key_block_len = 0;
        CBS cbs;

        /*
         * Generate a TLSv1.2 key block and partition into individual secrets,
         * as per RFC 5246 section 6.3.
         */

        tls12_key_block_clear(kb);

        /* Must have AEAD or cipher/MAC pair. */
        if (aead == NULL && (cipher == NULL || mac_hash == NULL))
                goto err;

        if (aead != NULL) {
                key_len = EVP_AEAD_key_length(aead);

                /* AEAD fixed nonce length. */
                if (aead == EVP_aead_aes_128_gcm() ||
                    aead == EVP_aead_aes_256_gcm())
                        iv_len = 4;
                else if (aead == EVP_aead_chacha20_poly1305())
                        iv_len = 12;
                else
                        goto err;
        } else if (cipher != NULL && mac_hash != NULL) {
                /*
                 * A negative integer return value will be detected via the
                 * EVP_MAX_* checks against the size_t variables below.
                 */
                mac_key_len = EVP_MD_size(mac_hash);
                key_len = EVP_CIPHER_key_length(cipher);
                iv_len = EVP_CIPHER_iv_length(cipher);
        }

        if (mac_key_len > EVP_MAX_MD_SIZE)
                goto err;
        if (key_len > EVP_MAX_KEY_LENGTH)
                goto err;
        if (iv_len > EVP_MAX_IV_LENGTH)
                goto err;

        key_block_len = 2 * mac_key_len + 2 * key_len + 2 * iv_len;
        if ((key_block = calloc(1, key_block_len)) == NULL)
                goto err;

        if (!tls1_generate_key_block(s, key_block, key_block_len))
                goto err;

        kb->key_block = key_block;
        kb->key_block_len = key_block_len;
        key_block = NULL;
        key_block_len = 0;

        /* Partition key block into individual secrets. */
        CBS_init(&cbs, kb->key_block, kb->key_block_len);
        if (!CBS_get_bytes(&cbs, &kb->client_write_mac_key, mac_key_len))
                goto err;
        if (!CBS_get_bytes(&cbs, &kb->server_write_mac_key, mac_key_len))
                goto err;
        if (!CBS_get_bytes(&cbs, &kb->client_write_key, key_len))
                goto err;
        if (!CBS_get_bytes(&cbs, &kb->server_write_key, key_len))
                goto err;
        if (!CBS_get_bytes(&cbs, &kb->client_write_iv, iv_len))
                goto err;
        if (!CBS_get_bytes(&cbs, &kb->server_write_iv, iv_len))
                goto err;
        if (CBS_len(&cbs) != 0)
                goto err;

        return 1;

 err:
        tls12_key_block_clear(kb);
        freezero(key_block, key_block_len);

        return 0;
}

struct tls12_reserved_label {
        const char *label;
        size_t label_len;
};

/*
 * RFC 5705 section 6.
 */
static const struct tls12_reserved_label tls12_reserved_labels[] = {
        {
                .label = TLS_MD_CLIENT_FINISH_CONST,
                .label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
        },
        {
                .label = TLS_MD_SERVER_FINISH_CONST,
                .label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
        },
        {
                .label = TLS_MD_MASTER_SECRET_CONST,
                .label_len = TLS_MD_MASTER_SECRET_CONST_SIZE,
        },
        {
                .label = TLS_MD_KEY_EXPANSION_CONST,
                .label_len = TLS_MD_KEY_EXPANSION_CONST_SIZE,
        },
        {
                .label = NULL,
                .label_len = 0,
        },
};

int
tls12_exporter(SSL *s, const uint8_t *label, size_t label_len,
    const uint8_t *context_value, size_t context_value_len, int use_context,
    uint8_t *out, size_t out_len)
{
        uint8_t *data = NULL;
        size_t data_len = 0;
        CBB cbb, context;
        CBS seed;
        size_t i;
        int ret = 0;

        /*
         * RFC 5705 - Key Material Exporters for TLS.
         */

        memset(&cbb, 0, sizeof(cbb));

        if (!SSL_is_init_finished(s)) {
                SSLerror(s, SSL_R_BAD_STATE);
                goto err;
        }

        if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION)
                goto err;

        /*
         * Due to exceptional design choices, we need to build a concatenation
         * of the label and the seed value, before checking for reserved
         * labels. This prevents a reserved label from being split across the
         * label and the seed (that includes the client random), which are
         * concatenated by the PRF.
         */
        if (!CBB_init(&cbb, 0))
                goto err;
        if (!CBB_add_bytes(&cbb, label, label_len))
                goto err;
        if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
                goto err;
        if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
                goto err;
        if (use_context) {
                if (!CBB_add_u16_length_prefixed(&cbb, &context))
                        goto err;
                if (context_value_len > 0) {
                        if (!CBB_add_bytes(&context, context_value,
                            context_value_len))
                                goto err;
                }
        }
        if (!CBB_finish(&cbb, &data, &data_len))
                goto err;

        /*
         * Ensure that the block (label + seed) does not start with a reserved
         * label - in an ideal world we would ensure that the label has an
         * explicitly permitted prefix instead, but of course this also got
         * messed up by the standards.
         */
        for (i = 0; tls12_reserved_labels[i].label != NULL; i++) {
                /* XXX - consider adding/using CBS_has_prefix(). */
                if (tls12_reserved_labels[i].label_len > data_len)
                        goto err;
                if (memcmp(data, tls12_reserved_labels[i].label,
                    tls12_reserved_labels[i].label_len) == 0) {
                        SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
                        goto err;
                }
        }

        CBS_init(&seed, data, data_len);
        if (!CBS_skip(&seed, label_len))
                goto err;

        if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length,
            label, label_len, CBS_data(&seed), CBS_len(&seed), NULL, 0, NULL, 0,
            NULL, 0, out, out_len))
                goto err;

        ret = 1;

 err:
        freezero(data, data_len);
        CBB_cleanup(&cbb);

        return ret;
}