2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * Refer to "The TLS Protocol Version 1.0" Section 5
12 * (https://tools.ietf.org/html/rfc2246#section-5) and
13 * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5
14 * (https://tools.ietf.org/html/rfc5246#section-5).
16 * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by:
18 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
19 * P_SHA-1(S2, label + seed)
21 * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are
22 * two halves of the secret (with the possibility of one shared byte, in the
23 * case where the length of the original secret is odd). S1 is taken from the
24 * first half of the secret, S2 from the second half.
26 * For TLS v1.2 the TLS PRF algorithm is given by:
28 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
30 * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as
31 * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect,
32 * unless defined otherwise by the cipher suite.
34 * P_<hash> is an expansion function that uses a single hash function to expand
35 * a secret and seed into an arbitrary quantity of output:
37 * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) +
38 * HMAC_<hash>(secret, A(2) + seed) +
39 * HMAC_<hash>(secret, A(3) + seed) + ...
41 * where + indicates concatenation. P_<hash> can be iterated as many times as
42 * is necessary to produce the required quantity of data.
46 * A(i) = HMAC_<hash>(secret, A(i-1))
50 * Low level APIs (such as DH) are deprecated for public use, but still ok for
53 #include "internal/deprecated.h"
58 #include <openssl/evp.h>
59 #include <openssl/kdf.h>
60 #include <openssl/core_names.h>
61 #include <openssl/params.h>
62 #include <openssl/proverr.h>
63 #include "internal/cryptlib.h"
64 #include "internal/numbers.h"
65 #include "crypto/evp.h"
66 #include "prov/provider_ctx.h"
67 #include "prov/providercommon.h"
68 #include "prov/implementations.h"
69 #include "prov/provider_util.h"
70 #include "prov/securitycheck.h"
71 #include "internal/e_os.h"
72 #include "internal/safe_math.h"
74 OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
76 static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new;
77 static OSSL_FUNC_kdf_dupctx_fn kdf_tls1_prf_dup;
78 static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free;
79 static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset;
80 static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive;
81 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
82 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params;
83 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
84 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_prf_get_ctx_params;
86 static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx,
87 const unsigned char *sec, size_t slen,
88 const unsigned char *seed, size_t seed_len,
89 unsigned char *out, size_t olen);
91 #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
92 #define TLS_MD_MASTER_SECRET_CONST_SIZE 13
94 /* TLS KDF kdf context structure */
98 /* MAC context for the main digest */
100 /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */
103 /* Secret value to use for PRF */
106 /* Concatenated seed data */
111 static void *kdf_tls1_prf_new(void *provctx)
115 if (!ossl_prov_is_running())
118 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL)
119 ctx->provctx = provctx;
123 static void kdf_tls1_prf_free(void *vctx)
125 TLS1_PRF *ctx = (TLS1_PRF *)vctx;
128 kdf_tls1_prf_reset(ctx);
133 static void kdf_tls1_prf_reset(void *vctx)
135 TLS1_PRF *ctx = (TLS1_PRF *)vctx;
136 void *provctx = ctx->provctx;
138 EVP_MAC_CTX_free(ctx->P_hash);
139 EVP_MAC_CTX_free(ctx->P_sha1);
140 OPENSSL_clear_free(ctx->sec, ctx->seclen);
141 OPENSSL_clear_free(ctx->seed, ctx->seedlen);
142 memset(ctx, 0, sizeof(*ctx));
143 ctx->provctx = provctx;
146 static void *kdf_tls1_prf_dup(void *vctx)
148 const TLS1_PRF *src = (const TLS1_PRF *)vctx;
151 dest = kdf_tls1_prf_new(src->provctx);
153 if (src->P_hash != NULL
154 && (dest->P_hash = EVP_MAC_CTX_dup(src->P_hash)) == NULL)
156 if (src->P_sha1 != NULL
157 && (dest->P_sha1 = EVP_MAC_CTX_dup(src->P_sha1)) == NULL)
159 if (!ossl_prov_memdup(src->sec, src->seclen, &dest->sec, &dest->seclen))
161 if (!ossl_prov_memdup(src->seed, src->seedlen, &dest->seed,
168 kdf_tls1_prf_free(dest);
172 static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
173 const OSSL_PARAM params[])
175 TLS1_PRF *ctx = (TLS1_PRF *)vctx;
176 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
178 if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params))
181 if (ctx->P_hash == NULL) {
182 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
185 if (ctx->sec == NULL) {
186 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
189 if (ctx->seedlen == 0) {
190 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED);
194 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
199 * The seed buffer is prepended with a label.
200 * If EMS mode is enforced then the label "master secret" is not allowed,
201 * We do the check this way since the PRF is used for other purposes, as well
202 * as "extended master secret".
204 if (ossl_tls1_prf_ems_check_enabled(libctx)) {
205 if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
206 && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
207 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
208 ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
213 return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
214 ctx->sec, ctx->seclen,
215 ctx->seed, ctx->seedlen,
219 static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
222 TLS1_PRF *ctx = vctx;
223 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
228 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) {
229 if (OPENSSL_strcasecmp(p->data, SN_md5_sha1) == 0) {
230 if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params,
232 NULL, SN_md5, libctx)
233 || !ossl_prov_macctx_load_from_params(&ctx->P_sha1, params,
235 NULL, SN_sha1, libctx))
238 EVP_MAC_CTX_free(ctx->P_sha1);
239 if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params,
246 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
247 OPENSSL_clear_free(ctx->sec, ctx->seclen);
249 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->sec, 0, &ctx->seclen))
252 /* The seed fields concatenate, so process them all */
253 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SEED)) != NULL) {
254 for (; p != NULL; p = OSSL_PARAM_locate_const(p + 1,
255 OSSL_KDF_PARAM_SEED)) {
256 if (p->data_size != 0 && p->data != NULL) {
257 const void *val = NULL;
263 if (!OSSL_PARAM_get_octet_string_ptr(p, &val, &sz))
266 seedlen = safe_add_size_t(ctx->seedlen, sz, &err);
270 seed = OPENSSL_clear_realloc(ctx->seed, ctx->seedlen, seedlen);
275 if (ossl_assert(sz != 0))
276 memcpy(ctx->seed + ctx->seedlen, val, sz);
277 ctx->seedlen = seedlen;
284 static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
285 ossl_unused void *ctx, ossl_unused void *provctx)
287 static const OSSL_PARAM known_settable_ctx_params[] = {
288 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
289 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0),
290 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
291 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SEED, NULL, 0),
294 return known_settable_ctx_params;
297 static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
301 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
302 return OSSL_PARAM_set_size_t(p, SIZE_MAX);
306 static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
307 ossl_unused void *ctx, ossl_unused void *provctx)
309 static const OSSL_PARAM known_gettable_ctx_params[] = {
310 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
313 return known_gettable_ctx_params;
316 const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = {
317 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new },
318 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_tls1_prf_dup },
319 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free },
320 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset },
321 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive },
322 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
323 (void(*)(void))kdf_tls1_prf_settable_ctx_params },
324 { OSSL_FUNC_KDF_SET_CTX_PARAMS,
325 (void(*)(void))kdf_tls1_prf_set_ctx_params },
326 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
327 (void(*)(void))kdf_tls1_prf_gettable_ctx_params },
328 { OSSL_FUNC_KDF_GET_CTX_PARAMS,
329 (void(*)(void))kdf_tls1_prf_get_ctx_params },
334 * Refer to "The TLS Protocol Version 1.0" Section 5
335 * (https://tools.ietf.org/html/rfc2246#section-5) and
336 * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5
337 * (https://tools.ietf.org/html/rfc5246#section-5).
339 * P_<hash> is an expansion function that uses a single hash function to expand
340 * a secret and seed into an arbitrary quantity of output:
342 * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) +
343 * HMAC_<hash>(secret, A(2) + seed) +
344 * HMAC_<hash>(secret, A(3) + seed) + ...
346 * where + indicates concatenation. P_<hash> can be iterated as many times as
347 * is necessary to produce the required quantity of data.
349 * A(i) is defined as:
351 * A(i) = HMAC_<hash>(secret, A(i-1))
353 static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init,
354 const unsigned char *sec, size_t sec_len,
355 const unsigned char *seed, size_t seed_len,
356 unsigned char *out, size_t olen)
359 EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL;
360 unsigned char Ai[EVP_MAX_MD_SIZE];
364 if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL))
366 chunk = EVP_MAC_CTX_get_mac_size(ctx_init);
370 ctx_Ai = EVP_MAC_CTX_dup(ctx_init);
373 if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len))
377 /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */
378 if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai)))
380 EVP_MAC_CTX_free(ctx_Ai);
383 /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */
384 ctx = EVP_MAC_CTX_dup(ctx_init);
387 if (!EVP_MAC_update(ctx, Ai, Ai_len))
389 /* save state for calculating next A(i) value */
391 ctx_Ai = EVP_MAC_CTX_dup(ctx);
395 if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len))
398 /* last chunk - use Ai as temp bounce buffer */
399 if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai)))
401 memcpy(out, Ai, olen);
404 if (!EVP_MAC_final(ctx, out, NULL, olen))
406 EVP_MAC_CTX_free(ctx);
413 EVP_MAC_CTX_free(ctx);
414 EVP_MAC_CTX_free(ctx_Ai);
415 OPENSSL_cleanse(Ai, sizeof(Ai));
420 * Refer to "The TLS Protocol Version 1.0" Section 5
421 * (https://tools.ietf.org/html/rfc2246#section-5) and
422 * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5
423 * (https://tools.ietf.org/html/rfc5246#section-5).
425 * For TLS v1.0 and TLS v1.1:
427 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
428 * P_SHA-1(S2, label + seed)
430 * S1 is taken from the first half of the secret, S2 from the second half.
432 * L_S = length in bytes of secret;
433 * L_S1 = L_S2 = ceil(L_S / 2);
437 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
439 static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx,
440 const unsigned char *sec, size_t slen,
441 const unsigned char *seed, size_t seed_len,
442 unsigned char *out, size_t olen)
444 if (sha1ctx != NULL) {
445 /* TLS v1.0 and TLS v1.1 */
448 /* calc: L_S1 = L_S2 = ceil(L_S / 2) */
449 size_t L_S1 = (slen + 1) / 2;
452 if (!tls1_prf_P_hash(mdctx, sec, L_S1,
453 seed, seed_len, out, olen))
456 if ((tmp = OPENSSL_malloc(olen)) == NULL)
459 if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2,
460 seed, seed_len, tmp, olen)) {
461 OPENSSL_clear_free(tmp, olen);
464 for (i = 0; i < olen; i++)
466 OPENSSL_clear_free(tmp, olen);
471 if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen))