2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include "internal/cryptlib.h"
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include "internal/evp_int.h"
17 #include "kdf_local.h"
19 static void kdf_tls1_prf_reset(EVP_KDF_IMPL
*impl
);
20 static int tls1_prf_alg(const EVP_MD
*md
,
21 const unsigned char *sec
, size_t slen
,
22 const unsigned char *seed
, size_t seed_len
,
23 unsigned char *out
, size_t olen
);
25 #define TLS1_PRF_MAXBUF 1024
27 /* TLS KDF kdf context structure */
29 struct evp_kdf_impl_st
{
30 /* Digest to use for PRF */
32 /* Secret value to use for PRF */
35 /* Buffer of concatenated seed data */
36 unsigned char seed
[TLS1_PRF_MAXBUF
];
40 static EVP_KDF_IMPL
*kdf_tls1_prf_new(void)
44 if ((impl
= OPENSSL_zalloc(sizeof(*impl
))) == NULL
)
45 KDFerr(KDF_F_KDF_TLS1_PRF_NEW
, ERR_R_MALLOC_FAILURE
);
49 static void kdf_tls1_prf_free(EVP_KDF_IMPL
*impl
)
51 kdf_tls1_prf_reset(impl
);
55 static void kdf_tls1_prf_reset(EVP_KDF_IMPL
*impl
)
57 OPENSSL_clear_free(impl
->sec
, impl
->seclen
);
58 OPENSSL_cleanse(impl
->seed
, impl
->seedlen
);
59 memset(impl
, 0, sizeof(*impl
));
62 static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL
*impl
, int cmd
, va_list args
)
64 const unsigned char *p
;
69 case EVP_KDF_CTRL_SET_MD
:
70 md
= va_arg(args
, const EVP_MD
*);
77 case EVP_KDF_CTRL_SET_TLS_SECRET
:
78 p
= va_arg(args
, const unsigned char *);
79 len
= va_arg(args
, size_t);
80 OPENSSL_clear_free(impl
->sec
, impl
->seclen
);
81 impl
->sec
= OPENSSL_memdup(p
, len
);
82 if (impl
->sec
== NULL
)
88 case EVP_KDF_CTRL_RESET_TLS_SEED
:
89 OPENSSL_cleanse(impl
->seed
, impl
->seedlen
);
93 case EVP_KDF_CTRL_ADD_TLS_SEED
:
94 p
= va_arg(args
, const unsigned char *);
95 len
= va_arg(args
, size_t);
96 if (len
== 0 || p
== NULL
)
99 if (len
> (TLS1_PRF_MAXBUF
- impl
->seedlen
))
102 memcpy(impl
->seed
+ impl
->seedlen
, p
, len
);
103 impl
->seedlen
+= len
;
111 static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL
*impl
,
112 const char *type
, const char *value
)
115 KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR
, KDF_R_VALUE_MISSING
);
118 if (strcmp(type
, "digest") == 0)
119 return kdf_md2ctrl(impl
, kdf_tls1_prf_ctrl
, EVP_KDF_CTRL_SET_MD
, value
);
121 if (strcmp(type
, "secret") == 0)
122 return kdf_str2ctrl(impl
, kdf_tls1_prf_ctrl
,
123 EVP_KDF_CTRL_SET_TLS_SECRET
, value
);
125 if (strcmp(type
, "hexsecret") == 0)
126 return kdf_hex2ctrl(impl
, kdf_tls1_prf_ctrl
,
127 EVP_KDF_CTRL_SET_TLS_SECRET
, value
);
129 if (strcmp(type
, "seed") == 0)
130 return kdf_str2ctrl(impl
, kdf_tls1_prf_ctrl
, EVP_KDF_CTRL_ADD_TLS_SEED
,
133 if (strcmp(type
, "hexseed") == 0)
134 return kdf_hex2ctrl(impl
, kdf_tls1_prf_ctrl
, EVP_KDF_CTRL_ADD_TLS_SEED
,
140 static int kdf_tls1_prf_derive(EVP_KDF_IMPL
*impl
, unsigned char *key
,
143 if (impl
->md
== NULL
) {
144 KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
147 if (impl
->sec
== NULL
) {
148 KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE
, KDF_R_MISSING_SECRET
);
151 if (impl
->seedlen
== 0) {
152 KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE
, KDF_R_MISSING_SEED
);
155 return tls1_prf_alg(impl
->md
, impl
->sec
, impl
->seclen
,
156 impl
->seed
, impl
->seedlen
,
160 const EVP_KDF tls1_prf_kdf_meth
= {
166 kdf_tls1_prf_ctrl_str
,
171 static int tls1_prf_P_hash(const EVP_MD
*md
,
172 const unsigned char *sec
, size_t sec_len
,
173 const unsigned char *seed
, size_t seed_len
,
174 unsigned char *out
, size_t olen
)
177 EVP_MAC_CTX
*ctx
= NULL
, *ctx_tmp
= NULL
, *ctx_init
= NULL
;
178 unsigned char A1
[EVP_MAX_MD_SIZE
];
182 chunk
= EVP_MD_size(md
);
183 if (!ossl_assert(chunk
> 0))
186 ctx
= EVP_MAC_CTX_new_id(EVP_MAC_HMAC
);
187 ctx_tmp
= EVP_MAC_CTX_new_id(EVP_MAC_HMAC
);
188 ctx_init
= EVP_MAC_CTX_new_id(EVP_MAC_HMAC
);
189 if (ctx
== NULL
|| ctx_tmp
== NULL
|| ctx_init
== NULL
)
191 if (EVP_MAC_ctrl(ctx_init
, EVP_MAC_CTRL_SET_FLAGS
, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
) != 1)
193 if (EVP_MAC_ctrl(ctx_init
, EVP_MAC_CTRL_SET_MD
, md
) != 1)
195 if (EVP_MAC_ctrl(ctx_init
, EVP_MAC_CTRL_SET_KEY
, sec
, sec_len
) != 1)
197 if (!EVP_MAC_init(ctx_init
))
199 if (!EVP_MAC_CTX_copy(ctx
, ctx_init
))
201 if (seed
!= NULL
&& !EVP_MAC_update(ctx
, seed
, seed_len
))
203 if (!EVP_MAC_final(ctx
, A1
, &A1_len
))
207 /* Reinit mac contexts */
208 if (!EVP_MAC_CTX_copy(ctx
, ctx_init
))
210 if (!EVP_MAC_update(ctx
, A1
, A1_len
))
212 if (olen
> (size_t)chunk
&& !EVP_MAC_CTX_copy(ctx_tmp
, ctx
))
214 if (seed
!= NULL
&& !EVP_MAC_update(ctx
, seed
, seed_len
))
217 if (olen
> (size_t)chunk
) {
219 if (!EVP_MAC_final(ctx
, out
, &mac_len
))
223 /* calc the next A1 value */
224 if (!EVP_MAC_final(ctx_tmp
, A1
, &A1_len
))
226 } else { /* last one */
228 if (!EVP_MAC_final(ctx
, A1
, &A1_len
))
230 memcpy(out
, A1
, olen
);
236 EVP_MAC_CTX_free(ctx
);
237 EVP_MAC_CTX_free(ctx_tmp
);
238 EVP_MAC_CTX_free(ctx_init
);
239 OPENSSL_cleanse(A1
, sizeof(A1
));
243 static int tls1_prf_alg(const EVP_MD
*md
,
244 const unsigned char *sec
, size_t slen
,
245 const unsigned char *seed
, size_t seed_len
,
246 unsigned char *out
, size_t olen
)
248 if (EVP_MD_type(md
) == NID_md5_sha1
) {
251 if (!tls1_prf_P_hash(EVP_md5(), sec
, slen
/2 + (slen
& 1),
252 seed
, seed_len
, out
, olen
))
255 if ((tmp
= OPENSSL_malloc(olen
)) == NULL
) {
256 KDFerr(KDF_F_TLS1_PRF_ALG
, ERR_R_MALLOC_FAILURE
);
259 if (!tls1_prf_P_hash(EVP_sha1(), sec
+ slen
/2, slen
/2 + (slen
& 1),
260 seed
, seed_len
, tmp
, olen
)) {
261 OPENSSL_clear_free(tmp
, olen
);
264 for (i
= 0; i
< olen
; i
++)
266 OPENSSL_clear_free(tmp
, olen
);
269 if (!tls1_prf_P_hash(md
, sec
, slen
, seed
, seed_len
, out
, olen
))