]>
Commit | Line | Data |
---|---|---|
1eff3485 | 1 | /* |
a28d06f3 | 2 | * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. |
1eff3485 | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
1eff3485 DSH |
8 | */ |
9 | ||
0f52d9ed DM |
10 | /* |
11 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
12 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
13 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
14 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
15 | * | |
16 | * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: | |
17 | * | |
18 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
19 | * P_SHA-1(S2, label + seed) | |
20 | * | |
21 | * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are | |
22 | * two halves of the secret (with the possibility of one shared byte, in the | |
23 | * case where the length of the original secret is odd). S1 is taken from the | |
24 | * first half of the secret, S2 from the second half. | |
25 | * | |
26 | * For TLS v1.2 the TLS PRF algorithm is given by: | |
27 | * | |
28 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
29 | * | |
30 | * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as | |
31 | * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, | |
32 | * unless defined otherwise by the cipher suite. | |
33 | * | |
34 | * P_<hash> is an expansion function that uses a single hash function to expand | |
35 | * a secret and seed into an arbitrary quantity of output: | |
36 | * | |
37 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
38 | * HMAC_<hash>(secret, A(2) + seed) + | |
39 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
40 | * | |
41 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
42 | * is necessary to produce the required quantity of data. | |
43 | * | |
44 | * A(i) is defined as: | |
45 | * A(0) = seed | |
46 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
47 | */ | |
1eff3485 | 48 | #include <stdio.h> |
5a285add DM |
49 | #include <stdarg.h> |
50 | #include <string.h> | |
1eff3485 | 51 | #include <openssl/evp.h> |
5a285add | 52 | #include <openssl/kdf.h> |
776796e8 RL |
53 | #include <openssl/core_names.h> |
54 | #include <openssl/params.h> | |
2741128e | 55 | #include <openssl/proverr.h> |
e3405a4a P |
56 | #include "internal/cryptlib.h" |
57 | #include "internal/numbers.h" | |
25f2138b | 58 | #include "crypto/evp.h" |
ddd21319 | 59 | #include "prov/provider_ctx.h" |
2b9e4e95 | 60 | #include "prov/providercommon.h" |
af3e7e1b | 61 | #include "prov/implementations.h" |
ddd21319 | 62 | #include "prov/provider_util.h" |
d5f9166b | 63 | #include "internal/e_os.h" |
e3405a4a | 64 | |
363b1e5d | 65 | static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; |
b9d8ad3f | 66 | static OSSL_FUNC_kdf_dupctx_fn kdf_tls1_prf_dup; |
363b1e5d DMSP |
67 | static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free; |
68 | static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset; | |
69 | static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive; | |
70 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; | |
71 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params; | |
af5e1e85 P |
72 | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; |
73 | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_prf_get_ctx_params; | |
e3405a4a | 74 | |
9a92bf1b | 75 | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
1eff3485 DSH |
76 | const unsigned char *sec, size_t slen, |
77 | const unsigned char *seed, size_t seed_len, | |
78 | unsigned char *out, size_t olen); | |
79 | ||
80 | #define TLS1_PRF_MAXBUF 1024 | |
81 | ||
5a285add | 82 | /* TLS KDF kdf context structure */ |
e3405a4a P |
83 | typedef struct { |
84 | void *provctx; | |
9a92bf1b RL |
85 | |
86 | /* MAC context for the main digest */ | |
87 | EVP_MAC_CTX *P_hash; | |
88 | /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */ | |
89 | EVP_MAC_CTX *P_sha1; | |
90 | ||
1eff3485 DSH |
91 | /* Secret value to use for PRF */ |
92 | unsigned char *sec; | |
93 | size_t seclen; | |
94 | /* Buffer of concatenated seed data */ | |
95 | unsigned char seed[TLS1_PRF_MAXBUF]; | |
96 | size_t seedlen; | |
e3405a4a | 97 | } TLS1_PRF; |
1eff3485 | 98 | |
e3405a4a | 99 | static void *kdf_tls1_prf_new(void *provctx) |
1eff3485 | 100 | { |
e3405a4a | 101 | TLS1_PRF *ctx; |
1eff3485 | 102 | |
2b9e4e95 P |
103 | if (!ossl_prov_is_running()) |
104 | return NULL; | |
105 | ||
e3405a4a P |
106 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) |
107 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
108 | ctx->provctx = provctx; | |
109 | return ctx; | |
5a285add | 110 | } |
1eff3485 | 111 | |
e3405a4a | 112 | static void kdf_tls1_prf_free(void *vctx) |
5a285add | 113 | { |
e3405a4a P |
114 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
115 | ||
3c659415 P |
116 | if (ctx != NULL) { |
117 | kdf_tls1_prf_reset(ctx); | |
118 | OPENSSL_free(ctx); | |
119 | } | |
1eff3485 DSH |
120 | } |
121 | ||
e3405a4a | 122 | static void kdf_tls1_prf_reset(void *vctx) |
1eff3485 | 123 | { |
e3405a4a | 124 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
0577959c | 125 | void *provctx = ctx->provctx; |
e3405a4a | 126 | |
865adf97 MC |
127 | EVP_MAC_CTX_free(ctx->P_hash); |
128 | EVP_MAC_CTX_free(ctx->P_sha1); | |
e3405a4a P |
129 | OPENSSL_clear_free(ctx->sec, ctx->seclen); |
130 | OPENSSL_cleanse(ctx->seed, ctx->seedlen); | |
131 | memset(ctx, 0, sizeof(*ctx)); | |
0577959c | 132 | ctx->provctx = provctx; |
1eff3485 DSH |
133 | } |
134 | ||
b9d8ad3f P |
135 | static void *kdf_tls1_prf_dup(void *vctx) |
136 | { | |
137 | const TLS1_PRF *src = (const TLS1_PRF *)vctx; | |
138 | TLS1_PRF *dest; | |
139 | ||
140 | dest = kdf_tls1_prf_new(src->provctx); | |
141 | if (dest != NULL) { | |
142 | if (src->P_hash != NULL | |
143 | && (dest->P_hash = EVP_MAC_CTX_dup(src->P_hash)) == NULL) | |
144 | goto err; | |
145 | if (src->P_sha1 != NULL | |
146 | && (dest->P_sha1 = EVP_MAC_CTX_dup(src->P_sha1)) == NULL) | |
147 | goto err; | |
148 | if (!ossl_prov_memdup(src->sec, src->seclen, &dest->sec, &dest->seclen)) | |
149 | goto err; | |
150 | memcpy(dest->seed, src->seed, src->seedlen); | |
151 | dest->seedlen = src->seedlen; | |
152 | } | |
153 | return dest; | |
154 | ||
155 | err: | |
156 | kdf_tls1_prf_free(dest); | |
157 | return NULL; | |
158 | } | |
159 | ||
3469b388 P |
160 | static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, |
161 | const OSSL_PARAM params[]) | |
1eff3485 | 162 | { |
e3405a4a | 163 | TLS1_PRF *ctx = (TLS1_PRF *)vctx; |
5a285add | 164 | |
3469b388 | 165 | if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) |
2b9e4e95 P |
166 | return 0; |
167 | ||
9a92bf1b | 168 | if (ctx->P_hash == NULL) { |
e3405a4a P |
169 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); |
170 | return 0; | |
171 | } | |
172 | if (ctx->sec == NULL) { | |
173 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); | |
174 | return 0; | |
175 | } | |
176 | if (ctx->seedlen == 0) { | |
177 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED); | |
178 | return 0; | |
179 | } | |
1cae59d1 JS |
180 | if (keylen == 0) { |
181 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); | |
182 | return 0; | |
183 | } | |
9a92bf1b RL |
184 | |
185 | return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, | |
0f0db4dc | 186 | ctx->sec, ctx->seclen, |
e3405a4a P |
187 | ctx->seed, ctx->seedlen, |
188 | key, keylen); | |
189 | } | |
5a285add | 190 | |
e3405a4a P |
191 | static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
192 | { | |
193 | const OSSL_PARAM *p; | |
194 | TLS1_PRF *ctx = vctx; | |
a829b735 | 195 | OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); |
9a92bf1b | 196 | |
c983a0e5 P |
197 | if (params == NULL) |
198 | return 1; | |
199 | ||
9a92bf1b | 200 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { |
9a92bf1b | 201 | if (strcasecmp(p->data, SN_md5_sha1) == 0) { |
4e8b8e47 RL |
202 | if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, |
203 | OSSL_MAC_NAME_HMAC, | |
204 | NULL, SN_md5, libctx) | |
205 | || !ossl_prov_macctx_load_from_params(&ctx->P_sha1, params, | |
206 | OSSL_MAC_NAME_HMAC, | |
207 | NULL, SN_sha1, libctx)) | |
208 | return 0; | |
9a92bf1b | 209 | } else { |
865adf97 | 210 | EVP_MAC_CTX_free(ctx->P_sha1); |
4e8b8e47 RL |
211 | if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, |
212 | OSSL_MAC_NAME_HMAC, | |
213 | NULL, NULL, libctx)) | |
214 | return 0; | |
9a92bf1b | 215 | } |
e3405a4a | 216 | } |
5a285add | 217 | |
e3405a4a P |
218 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { |
219 | OPENSSL_clear_free(ctx->sec, ctx->seclen); | |
220 | ctx->sec = NULL; | |
221 | if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sec, 0, &ctx->seclen)) | |
222 | return 0; | |
1eff3485 | 223 | } |
e3405a4a P |
224 | /* The seed fields concatenate, so process them all */ |
225 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED)) != NULL) { | |
e3405a4a P |
226 | for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1, |
227 | OSSL_KDF_PARAM_SEED)) { | |
228 | const void *q = ctx->seed + ctx->seedlen; | |
229 | size_t sz = 0; | |
230 | ||
231 | if (p->data_size != 0 | |
232 | && p->data != NULL | |
233 | && !OSSL_PARAM_get_octet_string(p, (void **)&q, | |
234 | TLS1_PRF_MAXBUF - ctx->seedlen, | |
235 | &sz)) | |
236 | return 0; | |
237 | ctx->seedlen += sz; | |
238 | } | |
239 | } | |
240 | return 1; | |
1eff3485 DSH |
241 | } |
242 | ||
1e8e5c60 P |
243 | static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( |
244 | ossl_unused void *ctx, ossl_unused void *provctx) | |
4e8cb45c | 245 | { |
e3405a4a P |
246 | static const OSSL_PARAM known_settable_ctx_params[] = { |
247 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), | |
248 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), | |
249 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0), | |
250 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0), | |
251 | OSSL_PARAM_END | |
252 | }; | |
253 | return known_settable_ctx_params; | |
254 | } | |
5a285add | 255 | |
e3405a4a P |
256 | static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
257 | { | |
258 | OSSL_PARAM *p; | |
a24a5b8c | 259 | |
e3405a4a P |
260 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) |
261 | return OSSL_PARAM_set_size_t(p, SIZE_MAX); | |
4e8cb45c DSH |
262 | return -2; |
263 | } | |
264 | ||
1e8e5c60 P |
265 | static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( |
266 | ossl_unused void *ctx, ossl_unused void *provctx) | |
1eff3485 | 267 | { |
e3405a4a P |
268 | static const OSSL_PARAM known_gettable_ctx_params[] = { |
269 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
270 | OSSL_PARAM_END | |
271 | }; | |
272 | return known_gettable_ctx_params; | |
1eff3485 DSH |
273 | } |
274 | ||
1be63951 | 275 | const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = { |
e3405a4a | 276 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new }, |
b9d8ad3f | 277 | { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_tls1_prf_dup }, |
e3405a4a P |
278 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free }, |
279 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset }, | |
280 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive }, | |
281 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
282 | (void(*)(void))kdf_tls1_prf_settable_ctx_params }, | |
283 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, | |
284 | (void(*)(void))kdf_tls1_prf_set_ctx_params }, | |
285 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
286 | (void(*)(void))kdf_tls1_prf_gettable_ctx_params }, | |
287 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, | |
288 | (void(*)(void))kdf_tls1_prf_get_ctx_params }, | |
289 | { 0, NULL } | |
1eff3485 DSH |
290 | }; |
291 | ||
0f52d9ed DM |
292 | /* |
293 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
294 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
295 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
296 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
297 | * | |
298 | * P_<hash> is an expansion function that uses a single hash function to expand | |
299 | * a secret and seed into an arbitrary quantity of output: | |
300 | * | |
301 | * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + | |
302 | * HMAC_<hash>(secret, A(2) + seed) + | |
303 | * HMAC_<hash>(secret, A(3) + seed) + ... | |
304 | * | |
305 | * where + indicates concatenation. P_<hash> can be iterated as many times as | |
306 | * is necessary to produce the required quantity of data. | |
307 | * | |
308 | * A(i) is defined as: | |
309 | * A(0) = seed | |
310 | * A(i) = HMAC_<hash>(secret, A(i-1)) | |
311 | */ | |
9a92bf1b | 312 | static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, |
1eff3485 DSH |
313 | const unsigned char *sec, size_t sec_len, |
314 | const unsigned char *seed, size_t seed_len, | |
315 | unsigned char *out, size_t olen) | |
316 | { | |
0f52d9ed | 317 | size_t chunk; |
9a92bf1b | 318 | EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; |
0f52d9ed DM |
319 | unsigned char Ai[EVP_MAX_MD_SIZE]; |
320 | size_t Ai_len; | |
1eff3485 | 321 | int ret = 0; |
776796e8 | 322 | |
2524ec1a | 323 | if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL)) |
1eff3485 | 324 | goto err; |
90a2576b | 325 | chunk = EVP_MAC_CTX_get_mac_size(ctx_init); |
0f52d9ed | 326 | if (chunk == 0) |
6e94b5ae | 327 | goto err; |
0f52d9ed | 328 | /* A(0) = seed */ |
865adf97 | 329 | ctx_Ai = EVP_MAC_CTX_dup(ctx_init); |
be5fc053 | 330 | if (ctx_Ai == NULL) |
6e94b5ae | 331 | goto err; |
0f52d9ed | 332 | if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) |
1eff3485 DSH |
333 | goto err; |
334 | ||
335 | for (;;) { | |
0f52d9ed | 336 | /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ |
776796e8 | 337 | if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) |
0f52d9ed | 338 | goto err; |
865adf97 | 339 | EVP_MAC_CTX_free(ctx_Ai); |
be5fc053 | 340 | ctx_Ai = NULL; |
0f52d9ed DM |
341 | |
342 | /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ | |
865adf97 | 343 | ctx = EVP_MAC_CTX_dup(ctx_init); |
be5fc053 | 344 | if (ctx == NULL) |
1eff3485 | 345 | goto err; |
0f52d9ed | 346 | if (!EVP_MAC_update(ctx, Ai, Ai_len)) |
1eff3485 | 347 | goto err; |
0f52d9ed | 348 | /* save state for calculating next A(i) value */ |
be5fc053 | 349 | if (olen > chunk) { |
865adf97 | 350 | ctx_Ai = EVP_MAC_CTX_dup(ctx); |
be5fc053 KR |
351 | if (ctx_Ai == NULL) |
352 | goto err; | |
353 | } | |
6e94b5ae | 354 | if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) |
1eff3485 | 355 | goto err; |
0f52d9ed DM |
356 | if (olen <= chunk) { |
357 | /* last chunk - use Ai as temp bounce buffer */ | |
776796e8 | 358 | if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) |
1eff3485 | 359 | goto err; |
0f52d9ed | 360 | memcpy(out, Ai, olen); |
1eff3485 DSH |
361 | break; |
362 | } | |
776796e8 | 363 | if (!EVP_MAC_final(ctx, out, NULL, olen)) |
0f52d9ed | 364 | goto err; |
865adf97 | 365 | EVP_MAC_CTX_free(ctx); |
be5fc053 | 366 | ctx = NULL; |
0f52d9ed DM |
367 | out += chunk; |
368 | olen -= chunk; | |
1eff3485 DSH |
369 | } |
370 | ret = 1; | |
371 | err: | |
865adf97 MC |
372 | EVP_MAC_CTX_free(ctx); |
373 | EVP_MAC_CTX_free(ctx_Ai); | |
0f52d9ed | 374 | OPENSSL_cleanse(Ai, sizeof(Ai)); |
1eff3485 DSH |
375 | return ret; |
376 | } | |
377 | ||
0f52d9ed DM |
378 | /* |
379 | * Refer to "The TLS Protocol Version 1.0" Section 5 | |
380 | * (https://tools.ietf.org/html/rfc2246#section-5) and | |
381 | * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 | |
382 | * (https://tools.ietf.org/html/rfc5246#section-5). | |
383 | * | |
384 | * For TLS v1.0 and TLS v1.1: | |
385 | * | |
386 | * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR | |
387 | * P_SHA-1(S2, label + seed) | |
388 | * | |
389 | * S1 is taken from the first half of the secret, S2 from the second half. | |
390 | * | |
391 | * L_S = length in bytes of secret; | |
392 | * L_S1 = L_S2 = ceil(L_S / 2); | |
393 | * | |
394 | * For TLS v1.2: | |
395 | * | |
396 | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) | |
397 | */ | |
9a92bf1b | 398 | static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, |
1eff3485 DSH |
399 | const unsigned char *sec, size_t slen, |
400 | const unsigned char *seed, size_t seed_len, | |
401 | unsigned char *out, size_t olen) | |
402 | { | |
9a92bf1b | 403 | if (sha1ctx != NULL) { |
0f52d9ed | 404 | /* TLS v1.0 and TLS v1.1 */ |
1eff3485 DSH |
405 | size_t i; |
406 | unsigned char *tmp; | |
0f52d9ed DM |
407 | /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ |
408 | size_t L_S1 = (slen + 1) / 2; | |
409 | size_t L_S2 = L_S1; | |
410 | ||
9a92bf1b | 411 | if (!tls1_prf_P_hash(mdctx, sec, L_S1, |
5a285add | 412 | seed, seed_len, out, olen)) |
1eff3485 DSH |
413 | return 0; |
414 | ||
cdb10bae | 415 | if ((tmp = OPENSSL_malloc(olen)) == NULL) { |
e3405a4a | 416 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); |
1eff3485 | 417 | return 0; |
cdb10bae | 418 | } |
9a92bf1b RL |
419 | |
420 | if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2, | |
5a285add | 421 | seed, seed_len, tmp, olen)) { |
1eff3485 DSH |
422 | OPENSSL_clear_free(tmp, olen); |
423 | return 0; | |
424 | } | |
425 | for (i = 0; i < olen; i++) | |
426 | out[i] ^= tmp[i]; | |
427 | OPENSSL_clear_free(tmp, olen); | |
428 | return 1; | |
429 | } | |
0f52d9ed DM |
430 | |
431 | /* TLS v1.2 */ | |
9a92bf1b | 432 | if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen)) |
1eff3485 DSH |
433 | return 0; |
434 | ||
435 | return 1; | |
436 | } |