2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/kdf.h>
13 #include <openssl/evp.h>
14 #include "internal/evp_int.h"
16 static int tls1_prf_alg(const EVP_MD
*md
,
17 const unsigned char *sec
, size_t slen
,
18 const unsigned char *seed
, size_t seed_len
,
19 unsigned char *out
, size_t olen
);
21 #define TLS1_PRF_MAXBUF 1024
23 /* TLS KDF pkey context structure */
26 /* Digest to use for PRF */
28 /* Secret value to use for PRF */
31 /* Buffer of concatenated seed data */
32 unsigned char seed
[TLS1_PRF_MAXBUF
];
36 static int pkey_tls1_prf_init(EVP_PKEY_CTX
*ctx
)
38 TLS1_PRF_PKEY_CTX
*kctx
;
40 kctx
= OPENSSL_zalloc(sizeof(*kctx
));
48 static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX
*ctx
)
50 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
51 OPENSSL_clear_free(kctx
->sec
, kctx
->seclen
);
52 OPENSSL_cleanse(kctx
->seed
, kctx
->seedlen
);
56 static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
58 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
60 case EVP_PKEY_CTRL_TLS_MD
:
64 case EVP_PKEY_CTRL_TLS_SECRET
:
67 if (kctx
->sec
!= NULL
)
68 OPENSSL_clear_free(kctx
->sec
, kctx
->seclen
);
69 OPENSSL_cleanse(kctx
->seed
, kctx
->seedlen
);
71 kctx
->sec
= OPENSSL_memdup(p2
, p1
);
72 if (kctx
->sec
== NULL
)
77 case EVP_PKEY_CTRL_TLS_SEED
:
78 if (p1
== 0 || p2
== NULL
)
80 if (p1
< 0 || p1
> (int)(TLS1_PRF_MAXBUF
- kctx
->seedlen
))
82 memcpy(kctx
->seed
+ kctx
->seedlen
, p2
, p1
);
92 static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX
*ctx
,
93 const char *type
, const char *value
)
96 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_VALUE_MISSING
);
99 if (strcmp(type
, "md") == 0) {
100 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
102 const EVP_MD
*md
= EVP_get_digestbyname(value
);
104 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_INVALID_DIGEST
);
110 if (strcmp(type
, "secret") == 0)
111 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SECRET
, value
);
112 if (strcmp(type
, "hexsecret") == 0)
113 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SECRET
, value
);
114 if (strcmp(type
, "seed") == 0)
115 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SEED
, value
);
116 if (strcmp(type
, "hexseed") == 0)
117 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_TLS_SEED
, value
);
119 KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR
, KDF_R_UNKNOWN_PARAMETER_TYPE
);
123 static int pkey_tls1_prf_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
126 TLS1_PRF_PKEY_CTX
*kctx
= ctx
->data
;
127 if (kctx
->md
== NULL
) {
128 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_MESSAGE_DIGEST
);
131 if (kctx
->sec
== NULL
) {
132 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_SECRET
);
135 if (kctx
->seedlen
== 0) {
136 KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE
, KDF_R_MISSING_SEED
);
139 return tls1_prf_alg(kctx
->md
, kctx
->sec
, kctx
->seclen
,
140 kctx
->seed
, kctx
->seedlen
,
144 const EVP_PKEY_METHOD tls1_prf_pkey_meth
= {
149 pkey_tls1_prf_cleanup
,
169 pkey_tls1_prf_derive
,
171 pkey_tls1_prf_ctrl_str
174 static int tls1_prf_P_hash(const EVP_MD
*md
,
175 const unsigned char *sec
, size_t sec_len
,
176 const unsigned char *seed
, size_t seed_len
,
177 unsigned char *out
, size_t olen
)
180 EVP_MD_CTX
*ctx
= NULL
, *ctx_tmp
= NULL
, *ctx_init
= NULL
;
181 EVP_PKEY
*mac_key
= NULL
;
182 unsigned char A1
[EVP_MAX_MD_SIZE
];
186 chunk
= EVP_MD_size(md
);
187 OPENSSL_assert(chunk
>= 0);
189 ctx
= EVP_MD_CTX_new();
190 ctx_tmp
= EVP_MD_CTX_new();
191 ctx_init
= EVP_MD_CTX_new();
192 if (ctx
== NULL
|| ctx_tmp
== NULL
|| ctx_init
== NULL
)
194 EVP_MD_CTX_set_flags(ctx_init
, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
);
195 mac_key
= EVP_PKEY_new_mac_key(EVP_PKEY_HMAC
, NULL
, sec
, sec_len
);
198 if (!EVP_DigestSignInit(ctx_init
, NULL
, md
, NULL
, mac_key
))
200 if (!EVP_MD_CTX_copy_ex(ctx
, ctx_init
))
202 if (seed
!= NULL
&& !EVP_DigestSignUpdate(ctx
, seed
, seed_len
))
204 if (!EVP_DigestSignFinal(ctx
, A1
, &A1_len
))
208 /* Reinit mac contexts */
209 if (!EVP_MD_CTX_copy_ex(ctx
, ctx_init
))
211 if (!EVP_DigestSignUpdate(ctx
, A1
, A1_len
))
213 if (olen
> (size_t)chunk
&& !EVP_MD_CTX_copy_ex(ctx_tmp
, ctx
))
215 if (seed
&& !EVP_DigestSignUpdate(ctx
, seed
, seed_len
))
218 if (olen
> (size_t)chunk
) {
220 if (!EVP_DigestSignFinal(ctx
, out
, &mac_len
))
224 /* calc the next A1 value */
225 if (!EVP_DigestSignFinal(ctx_tmp
, A1
, &A1_len
))
227 } else { /* last one */
229 if (!EVP_DigestSignFinal(ctx
, A1
, &A1_len
))
231 memcpy(out
, A1
, olen
);
237 EVP_PKEY_free(mac_key
);
238 EVP_MD_CTX_free(ctx
);
239 EVP_MD_CTX_free(ctx_tmp
);
240 EVP_MD_CTX_free(ctx_init
);
241 OPENSSL_cleanse(A1
, sizeof(A1
));
245 static int tls1_prf_alg(const EVP_MD
*md
,
246 const unsigned char *sec
, size_t slen
,
247 const unsigned char *seed
, size_t seed_len
,
248 unsigned char *out
, size_t olen
)
251 if (EVP_MD_type(md
) == NID_md5_sha1
) {
254 if (!tls1_prf_P_hash(EVP_md5(), sec
, slen
/2 + (slen
& 1),
255 seed
, seed_len
, out
, olen
))
258 tmp
= OPENSSL_malloc(olen
);
261 if (!tls1_prf_P_hash(EVP_sha1(), sec
+ slen
/2, slen
/2 + (slen
& 1),
262 seed
, seed_len
, tmp
, olen
)) {
263 OPENSSL_clear_free(tmp
, olen
);
266 for (i
= 0; i
< olen
; i
++)
268 OPENSSL_clear_free(tmp
, olen
);
271 if (!tls1_prf_P_hash(md
, sec
, slen
, seed
, seed_len
, out
, olen
))