2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/kdf.h>
13 #include <openssl/evp.h>
14 #include "internal/evp_int.h"
16 static int tls1_prf_alg(const EVP_MD
*md
,
17 const unsigned char *sec
, size_t slen
,
18 const unsigned char *seed
, size_t seed_len
,
19 unsigned char *out
, size_t olen
);
21 #define TLS1_PRF_MAXBUF 1024
23 /* TLS KDF pkey context structure */
26 /* Digest to use for PRF */
28 /* Secret value to use for PRF */
31 /* Buffer of concatenated seed data */
32 unsigned char seed
[TLS1_PRF_MAXBUF
];
36 static int pkey_tls1_prf_init(EVP_PKEY_CTX
*ctx
)
38 TLS1_PRF_PKEY_CTX
*kctx
;
40 if ((kctx
= OPENSSL_zalloc(sizeof(*kctx
))) == NULL
) {
41 KDFerr(KDF_F_PKEY_TLS1_PRF_INIT
, ERR_R_MALLOC_FAILURE
);
49 static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX
*ctx
)
51 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
52 OPENSSL_clear_free(kctx
->sec
, kctx
->seclen
);
53 OPENSSL_cleanse(kctx
->seed
, kctx
->seedlen
);
57 static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
59 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
61 case EVP_PKEY_CTRL_TLS_MD
:
65 case EVP_PKEY_CTRL_TLS_SECRET
:
68 if (kctx
->sec
!= NULL
)
69 OPENSSL_clear_free(kctx
->sec
, kctx
->seclen
);
70 OPENSSL_cleanse(kctx
->seed
, kctx
->seedlen
);
72 kctx
->sec
= OPENSSL_memdup(p2
, p1
);
73 if (kctx
->sec
== NULL
)
78 case EVP_PKEY_CTRL_TLS_SEED
:
79 if (p1
== 0 || p2
== NULL
)
81 if (p1
< 0 || p1
> (int)(TLS1_PRF_MAXBUF
- kctx
->seedlen
))
83 memcpy(kctx
->seed
+ kctx
->seedlen
, p2
, p1
);
93 static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX
*ctx
,
94 const char *type
, const char *value
)
97 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_VALUE_MISSING
);
100 if (strcmp(type
, "md") == 0) {
101 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
103 const EVP_MD
*md
= EVP_get_digestbyname(value
);
105 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_INVALID_DIGEST
);
111 if (strcmp(type
, "secret") == 0)
112 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SECRET
, value
);
113 if (strcmp(type
, "hexsecret") == 0)
114 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SECRET
, value
);
115 if (strcmp(type
, "seed") == 0)
116 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SEED
, value
);
117 if (strcmp(type
, "hexseed") == 0)
118 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SEED
, value
);
120 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_UNKNOWN_PARAMETER_TYPE
);
124 static int pkey_tls1_prf_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
127 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
128 if (kctx
->md
== NULL
) {
129 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
132 if (kctx
->sec
== NULL
) {
133 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_SECRET
);
136 if (kctx
->seedlen
== 0) {
137 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_SEED
);
140 return tls1_prf_alg(kctx
->md
, kctx
->sec
, kctx
->seclen
,
141 kctx
->seed
, kctx
->seedlen
,
145 const EVP_PKEY_METHOD tls1_prf_pkey_meth
= {
150 pkey_tls1_prf_cleanup
,
170 pkey_tls1_prf_derive
,
172 pkey_tls1_prf_ctrl_str
175 static int tls1_prf_P_hash(const EVP_MD
*md
,
176 const unsigned char *sec
, size_t sec_len
,
177 const unsigned char *seed
, size_t seed_len
,
178 unsigned char *out
, size_t olen
)
181 EVP_MAC_CTX
*ctx
= NULL
, *ctx_tmp
= NULL
, *ctx_init
= NULL
;
182 unsigned char A1
[EVP_MAX_MD_SIZE
];
186 chunk
= EVP_MD_size(md
);
187 if (!ossl_assert(chunk
> 0))
190 ctx
= EVP_MAC_CTX_new_id(EVP_MAC_HMAC
);
191 ctx_tmp
= EVP_MAC_CTX_new_id(EVP_MAC_HMAC
);
192 ctx_init
= EVP_MAC_CTX_new_id(EVP_MAC_HMAC
);
193 if (ctx
== NULL
|| ctx_tmp
== NULL
|| ctx_init
== NULL
)
195 if (EVP_MAC_ctrl(ctx_init
, EVP_MAC_CTRL_SET_FLAGS
, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
) != 1)
197 if (EVP_MAC_ctrl(ctx_init
, EVP_MAC_CTRL_SET_MD
, md
) != 1)
199 if (EVP_MAC_ctrl(ctx_init
, EVP_MAC_CTRL_SET_KEY
, sec
, sec_len
) != 1)
201 if (!EVP_MAC_init(ctx_init
))
203 if (!EVP_MAC_CTX_copy(ctx
, ctx_init
))
205 if (seed
!= NULL
&& !EVP_MAC_update(ctx
, seed
, seed_len
))
207 if (!EVP_MAC_final(ctx
, A1
, &A1_len
))
211 /* Reinit mac contexts */
212 if (!EVP_MAC_CTX_copy(ctx
, ctx_init
))
214 if (!EVP_MAC_update(ctx
, A1
, A1_len
))
216 if (olen
> (size_t)chunk
&& !EVP_MAC_CTX_copy(ctx_tmp
, ctx
))
218 if (seed
!= NULL
&& !EVP_MAC_update(ctx
, seed
, seed_len
))
221 if (olen
> (size_t)chunk
) {
223 if (!EVP_MAC_final(ctx
, out
, &mac_len
))
227 /* calc the next A1 value */
228 if (!EVP_MAC_final(ctx_tmp
, A1
, &A1_len
))
230 } else { /* last one */
232 if (!EVP_MAC_final(ctx
, A1
, &A1_len
))
234 memcpy(out
, A1
, olen
);
240 EVP_MAC_CTX_free(ctx
);
241 EVP_MAC_CTX_free(ctx_tmp
);
242 EVP_MAC_CTX_free(ctx_init
);
243 OPENSSL_cleanse(A1
, sizeof(A1
));
247 static int tls1_prf_alg(const EVP_MD
*md
,
248 const unsigned char *sec
, size_t slen
,
249 const unsigned char *seed
, size_t seed_len
,
250 unsigned char *out
, size_t olen
)
253 if (EVP_MD_type(md
) == NID_md5_sha1
) {
256 if (!tls1_prf_P_hash(EVP_md5(), sec
, slen
/2 + (slen
& 1),
257 seed
, seed_len
, out
, olen
))
260 if ((tmp
= OPENSSL_malloc(olen
)) == NULL
) {
261 KDFerr(KDF_F_TLS1_PRF_ALG
, ERR_R_MALLOC_FAILURE
);
264 if (!tls1_prf_P_hash(EVP_sha1(), sec
+ slen
/2, slen
/2 + (slen
& 1),
265 seed
, seed_len
, tmp
, olen
)) {
266 OPENSSL_clear_free(tmp
, olen
);
269 for (i
= 0; i
< olen
; i
++)
271 OPENSSL_clear_free(tmp
, olen
);
274 if (!tls1_prf_P_hash(md
, sec
, slen
, seed
, seed_len
, out
, olen
))