2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/kdf.h>
13 #include <openssl/evp.h>
14 #include "internal/evp_int.h"
16 static int tls1_prf_alg(const EVP_MD
*md
,
17 const unsigned char *sec
, size_t slen
,
18 const unsigned char *seed
, size_t seed_len
,
19 unsigned char *out
, size_t olen
);
21 #define TLS1_PRF_MAXBUF 1024
23 /* TLS KDF pkey context structure */
26 /* Digest to use for PRF */
28 /* Secret value to use for PRF */
31 /* Buffer of concatenated seed data */
32 unsigned char seed
[TLS1_PRF_MAXBUF
];
36 static int pkey_tls1_prf_init(EVP_PKEY_CTX
*ctx
)
38 TLS1_PRF_PKEY_CTX
*kctx
;
40 kctx
= OPENSSL_zalloc(sizeof(*kctx
));
48 static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX
*ctx
)
50 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
51 OPENSSL_clear_free(kctx
->sec
, kctx
->seclen
);
52 OPENSSL_cleanse(kctx
->seed
, kctx
->seedlen
);
56 static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
58 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
60 case EVP_PKEY_CTRL_TLS_MD
:
64 case EVP_PKEY_CTRL_TLS_SECRET
:
67 if (kctx
->sec
!= NULL
)
68 OPENSSL_clear_free(kctx
->sec
, kctx
->seclen
);
69 OPENSSL_cleanse(kctx
->seed
, kctx
->seedlen
);
71 kctx
->sec
= OPENSSL_memdup(p2
, p1
);
72 if (kctx
->sec
== NULL
)
77 case EVP_PKEY_CTRL_TLS_SEED
:
78 if (p1
== 0 || p2
== NULL
)
80 if (p1
< 0 || p1
> (int)(TLS1_PRF_MAXBUF
- kctx
->seedlen
))
82 memcpy(kctx
->seed
+ kctx
->seedlen
, p2
, p1
);
92 static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX
*ctx
,
93 const char *type
, const char *value
)
96 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_VALUE_MISSING
);
99 if (strcmp(type
, "md") == 0) {
100 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
102 const EVP_MD
*md
= EVP_get_digestbyname(value
);
104 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_INVALID_DIGEST
);
110 if (strcmp(type
, "secret") == 0)
111 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SECRET
, value
);
112 if (strcmp(type
, "hexsecret") == 0)
113 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SECRET
, value
);
114 if (strcmp(type
, "seed") == 0)
115 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SEED
, value
);
116 if (strcmp(type
, "hexseed") == 0)
117 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SEED
, value
);
121 static int pkey_tls1_prf_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
124 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
125 if (kctx
->md
== NULL
|| kctx
->sec
== NULL
|| kctx
->seedlen
== 0) {
126 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_PARAMETER
);
129 return tls1_prf_alg(kctx
->md
, kctx
->sec
, kctx
->seclen
,
130 kctx
->seed
, kctx
->seedlen
,
134 const EVP_PKEY_METHOD tls1_prf_pkey_meth
= {
139 pkey_tls1_prf_cleanup
,
159 pkey_tls1_prf_derive
,
161 pkey_tls1_prf_ctrl_str
164 static int tls1_prf_P_hash(const EVP_MD
*md
,
165 const unsigned char *sec
, size_t sec_len
,
166 const unsigned char *seed
, size_t seed_len
,
167 unsigned char *out
, size_t olen
)
170 EVP_MD_CTX
*ctx
= NULL
, *ctx_tmp
= NULL
, *ctx_init
= NULL
;
171 EVP_PKEY
*mac_key
= NULL
;
172 unsigned char A1
[EVP_MAX_MD_SIZE
];
176 chunk
= EVP_MD_size(md
);
177 OPENSSL_assert(chunk
>= 0);
179 ctx
= EVP_MD_CTX_new();
180 ctx_tmp
= EVP_MD_CTX_new();
181 ctx_init
= EVP_MD_CTX_new();
182 if (ctx
== NULL
|| ctx_tmp
== NULL
|| ctx_init
== NULL
)
184 EVP_MD_CTX_set_flags(ctx_init
, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
185 mac_key
= EVP_PKEY_new_mac_key(EVP_PKEY_HMAC
, NULL
, sec
, sec_len
);
188 if (!EVP_DigestSignInit(ctx_init
, NULL
, md
, NULL
, mac_key
))
190 if (!EVP_MD_CTX_copy_ex(ctx
, ctx_init
))
192 if (seed
!= NULL
&& !EVP_DigestSignUpdate(ctx
, seed
, seed_len
))
194 if (!EVP_DigestSignFinal(ctx
, A1
, &A1_len
))
198 /* Reinit mac contexts */
199 if (!EVP_MD_CTX_copy_ex(ctx
, ctx_init
))
201 if (!EVP_DigestSignUpdate(ctx
, A1
, A1_len
))
203 if (olen
> (size_t)chunk
&& !EVP_MD_CTX_copy_ex(ctx_tmp
, ctx
))
205 if (seed
&& !EVP_DigestSignUpdate(ctx
, seed
, seed_len
))
208 if (olen
> (size_t)chunk
) {
210 if (!EVP_DigestSignFinal(ctx
, out
, &mac_len
))
214 /* calc the next A1 value */
215 if (!EVP_DigestSignFinal(ctx_tmp
, A1
, &A1_len
))
217 } else { /* last one */
219 if (!EVP_DigestSignFinal(ctx
, A1
, &A1_len
))
221 memcpy(out
, A1
, olen
);
227 EVP_PKEY_free(mac_key
);
228 EVP_MD_CTX_free(ctx
);
229 EVP_MD_CTX_free(ctx_tmp
);
230 EVP_MD_CTX_free(ctx_init
);
231 OPENSSL_cleanse(A1
, sizeof(A1
));
235 static int tls1_prf_alg(const EVP_MD
*md
,
236 const unsigned char *sec
, size_t slen
,
237 const unsigned char *seed
, size_t seed_len
,
238 unsigned char *out
, size_t olen
)
241 if (EVP_MD_type(md
) == NID_md5_sha1
) {
244 if (!tls1_prf_P_hash(EVP_md5(), sec
, slen
/2 + (slen
& 1),
245 seed
, seed_len
, out
, olen
))
248 tmp
= OPENSSL_malloc(olen
);
251 if (!tls1_prf_P_hash(EVP_sha1(), sec
+ slen
/2, slen
/2 + (slen
& 1),
252 seed
, seed_len
, tmp
, olen
)) {
253 OPENSSL_clear_free(tmp
, olen
);
256 for (i
= 0; i
< olen
; i
++)
258 OPENSSL_clear_free(tmp
, olen
);
261 if (!tls1_prf_P_hash(md
, sec
, slen
, seed
, seed_len
, out
, olen
))