2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include "internal/cryptlib.h"
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include "internal/evp_int.h"
17 #include "kdf_local.h"
19 static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);
20 static int tls1_prf_alg(const EVP_MD *md,
21 const unsigned char *sec, size_t slen,
22 const unsigned char *seed, size_t seed_len,
23 unsigned char *out, size_t olen);
25 #define TLS1_PRF_MAXBUF 1024
27 /* TLS KDF kdf context structure */
29 struct evp_kdf_impl_st {
30 /* Digest to use for PRF */
32 /* Secret value to use for PRF */
35 /* Buffer of concatenated seed data */
36 unsigned char seed[TLS1_PRF_MAXBUF];
40 static EVP_KDF_IMPL *kdf_tls1_prf_new(void)
44 if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
45 KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE);
49 static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl)
51 kdf_tls1_prf_reset(impl);
55 static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl)
57 OPENSSL_clear_free(impl->sec, impl->seclen);
58 OPENSSL_cleanse(impl->seed, impl->seedlen);
59 memset(impl, 0, sizeof(*impl));
62 static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
64 const unsigned char *p;
69 case EVP_KDF_CTRL_SET_MD:
70 md = va_arg(args, const EVP_MD *);
77 case EVP_KDF_CTRL_SET_TLS_SECRET:
78 p = va_arg(args, const unsigned char *);
79 len = va_arg(args, size_t);
80 OPENSSL_clear_free(impl->sec, impl->seclen);
81 impl->sec = OPENSSL_memdup(p, len);
82 if (impl->sec == NULL)
88 case EVP_KDF_CTRL_RESET_TLS_SEED:
89 OPENSSL_cleanse(impl->seed, impl->seedlen);
93 case EVP_KDF_CTRL_ADD_TLS_SEED:
94 p = va_arg(args, const unsigned char *);
95 len = va_arg(args, size_t);
96 if (len == 0 || p == NULL)
99 if (len > (TLS1_PRF_MAXBUF - impl->seedlen))
102 memcpy(impl->seed + impl->seedlen, p, len);
103 impl->seedlen += len;
111 static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl,
112 const char *type, const char *value)
115 KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);
118 if (strcmp(type, "digest") == 0)
119 return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value);
121 if (strcmp(type, "secret") == 0)
122 return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl,
123 EVP_KDF_CTRL_SET_TLS_SECRET, value);
125 if (strcmp(type, "hexsecret") == 0)
126 return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl,
127 EVP_KDF_CTRL_SET_TLS_SECRET, value);
129 if (strcmp(type, "seed") == 0)
130 return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,
133 if (strcmp(type, "hexseed") == 0)
134 return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,
140 static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
143 if (impl->md == NULL) {
144 KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
147 if (impl->sec == NULL) {
148 KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);
151 if (impl->seedlen == 0) {
152 KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
155 return tls1_prf_alg(impl->md, impl->sec, impl->seclen,
156 impl->seed, impl->seedlen,
160 const EVP_KDF_METHOD tls1_prf_kdf_meth = {
166 kdf_tls1_prf_ctrl_str,
171 static int tls1_prf_P_hash(const EVP_MD *md,
172 const unsigned char *sec, size_t sec_len,
173 const unsigned char *seed, size_t seed_len,
174 unsigned char *out, size_t olen)
177 EVP_MAC_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL;
178 unsigned char A1[EVP_MAX_MD_SIZE];
182 chunk = EVP_MD_size(md);
183 if (!ossl_assert(chunk > 0))
186 ctx = EVP_MAC_CTX_new_id(EVP_MAC_HMAC);
187 ctx_tmp = EVP_MAC_CTX_new_id(EVP_MAC_HMAC);
188 ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_HMAC);
189 if (ctx == NULL || ctx_tmp == NULL || ctx_init == NULL)
191 if (EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_FLAGS, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) != 1)
193 if (EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_MD, md) != 1)
195 if (EVP_MAC_ctrl(ctx_init, EVP_MAC_CTRL_SET_KEY, sec, sec_len) != 1)
197 if (!EVP_MAC_init(ctx_init))
199 if (!EVP_MAC_CTX_copy(ctx, ctx_init))
201 if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len))
203 if (!EVP_MAC_final(ctx, A1, &A1_len))
207 /* Reinit mac contexts */
208 if (!EVP_MAC_CTX_copy(ctx, ctx_init))
210 if (!EVP_MAC_update(ctx, A1, A1_len))
212 if (olen > (size_t)chunk && !EVP_MAC_CTX_copy(ctx_tmp, ctx))
214 if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len))
217 if (olen > (size_t)chunk) {
219 if (!EVP_MAC_final(ctx, out, &mac_len))
223 /* calc the next A1 value */
224 if (!EVP_MAC_final(ctx_tmp, A1, &A1_len))
226 } else { /* last one */
228 if (!EVP_MAC_final(ctx, A1, &A1_len))
230 memcpy(out, A1, olen);
236 EVP_MAC_CTX_free(ctx);
237 EVP_MAC_CTX_free(ctx_tmp);
238 EVP_MAC_CTX_free(ctx_init);
239 OPENSSL_cleanse(A1, sizeof(A1));
243 static int tls1_prf_alg(const EVP_MD *md,
244 const unsigned char *sec, size_t slen,
245 const unsigned char *seed, size_t seed_len,
246 unsigned char *out, size_t olen)
248 if (EVP_MD_type(md) == NID_md5_sha1) {
251 if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1),
252 seed, seed_len, out, olen))
255 if ((tmp = OPENSSL_malloc(olen)) == NULL) {
256 KDFerr(KDF_F_TLS1_PRF_ALG, ERR_R_MALLOC_FAILURE);
259 if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1),
260 seed, seed_len, tmp, olen)) {
261 OPENSSL_clear_free(tmp, olen);
264 for (i = 0; i < olen; i++)
266 OPENSSL_clear_free(tmp, olen);
269 if (!tls1_prf_P_hash(md, sec, slen, seed, seed_len, out, olen))
projects / openssl.git / blob