1/* 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9{- 10use OpenSSL::paramnames qw(produce_param_decoder); 11-} 12 13/* 14 * Refer to "The TLS Protocol Version 1.0" Section 5 15 * (https://tools.ietf.org/html/rfc2246#section-5) and 16 * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 17 * (https://tools.ietf.org/html/rfc5246#section-5). 18 * 19 * For TLS v1.0 and TLS v1.1 the TLS PRF algorithm is given by: 20 * 21 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 22 * P_SHA-1(S2, label + seed) 23 * 24 * where P_MD5 and P_SHA-1 are defined by P_<hash>, below, and S1 and S2 are 25 * two halves of the secret (with the possibility of one shared byte, in the 26 * case where the length of the original secret is odd). S1 is taken from the 27 * first half of the secret, S2 from the second half. 28 * 29 * For TLS v1.2 the TLS PRF algorithm is given by: 30 * 31 * PRF(secret, label, seed) = P_<hash>(secret, label + seed) 32 * 33 * where hash is SHA-256 for all cipher suites defined in RFC 5246 as well as 34 * those published prior to TLS v1.2 while the TLS v1.2 protocol is in effect, 35 * unless defined otherwise by the cipher suite. 36 * 37 * P_<hash> is an expansion function that uses a single hash function to expand 38 * a secret and seed into an arbitrary quantity of output: 39 * 40 * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + 41 * HMAC_<hash>(secret, A(2) + seed) + 42 * HMAC_<hash>(secret, A(3) + seed) + ... 43 * 44 * where + indicates concatenation. P_<hash> can be iterated as many times as 45 * is necessary to produce the required quantity of data. 46 * 47 * A(i) is defined as: 48 * A(0) = seed 49 * A(i) = HMAC_<hash>(secret, A(i-1)) 50 */ 51 52/* 53 * Low level APIs (such as DH) are deprecated for public use, but still ok for 54 * internal use. 55 */ 56#include "internal/deprecated.h" 57 58#include <stdio.h> 59#include <stdarg.h> 60#include <string.h> 61#include <openssl/evp.h> 62#include <openssl/kdf.h> 63#include <openssl/core_names.h> 64#include <openssl/params.h> 65#include <openssl/proverr.h> 66#include "internal/cryptlib.h" 67#include "internal/numbers.h" 68#include "crypto/evp.h" 69#include "prov/provider_ctx.h" 70#include "prov/providercommon.h" 71#include "prov/implementations.h" 72#include "prov/provider_util.h" 73#include "prov/securitycheck.h" 74#include "internal/e_os.h" 75#include "internal/params.h" 76#include "internal/safe_math.h" 77 78OSSL_SAFE_MATH_UNSIGNED(size_t, size_t) 79 80static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; 81static OSSL_FUNC_kdf_dupctx_fn kdf_tls1_prf_dup; 82static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free; 83static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset; 84static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive; 85static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; 86static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_prf_set_ctx_params; 87static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; 88static OSSL_FUNC_kdf_get_ctx_params_fn kdf_tls1_prf_get_ctx_params; 89 90static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, 91 const unsigned char *sec, size_t slen, 92 const unsigned char *seed, size_t seed_len, 93 unsigned char *out, size_t olen); 94 95#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" 96#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 97 98#define TLSPRF_MAX_SEEDS 6 99 100/* TLS KDF kdf context structure */ 101typedef struct { 102 void *provctx; 103 104 /* MAC context for the main digest */ 105 EVP_MAC_CTX *P_hash; 106 /* MAC context for SHA1 for the MD5/SHA-1 combined PRF */ 107 EVP_MAC_CTX *P_sha1; 108 109 /* Secret value to use for PRF */ 110 unsigned char *sec; 111 size_t seclen; 112 /* Concatenated seed data */ 113 unsigned char *seed; 114 size_t seedlen; 115 116 OSSL_FIPS_IND_DECLARE 117} TLS1_PRF; 118 119static void *kdf_tls1_prf_new(void *provctx) 120{ 121 TLS1_PRF *ctx; 122 123 if (!ossl_prov_is_running()) 124 return NULL; 125 126 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) != NULL) { 127 ctx->provctx = provctx; 128 OSSL_FIPS_IND_INIT(ctx) 129 } 130 return ctx; 131} 132 133static void kdf_tls1_prf_free(void *vctx) 134{ 135 TLS1_PRF *ctx = (TLS1_PRF *)vctx; 136 137 if (ctx != NULL) { 138 kdf_tls1_prf_reset(ctx); 139 OPENSSL_free(ctx); 140 } 141} 142 143static void kdf_tls1_prf_reset(void *vctx) 144{ 145 TLS1_PRF *ctx = (TLS1_PRF *)vctx; 146 void *provctx = ctx->provctx; 147 148 EVP_MAC_CTX_free(ctx->P_hash); 149 EVP_MAC_CTX_free(ctx->P_sha1); 150 OPENSSL_clear_free(ctx->sec, ctx->seclen); 151 OPENSSL_clear_free(ctx->seed, ctx->seedlen); 152 memset(ctx, 0, sizeof(*ctx)); 153 ctx->provctx = provctx; 154} 155 156static void *kdf_tls1_prf_dup(void *vctx) 157{ 158 const TLS1_PRF *src = (const TLS1_PRF *)vctx; 159 TLS1_PRF *dest; 160 161 dest = kdf_tls1_prf_new(src->provctx); 162 if (dest != NULL) { 163 if (src->P_hash != NULL 164 && (dest->P_hash = EVP_MAC_CTX_dup(src->P_hash)) == NULL) 165 goto err; 166 if (src->P_sha1 != NULL 167 && (dest->P_sha1 = EVP_MAC_CTX_dup(src->P_sha1)) == NULL) 168 goto err; 169 if (!ossl_prov_memdup(src->sec, src->seclen, &dest->sec, &dest->seclen)) 170 goto err; 171 if (!ossl_prov_memdup(src->seed, src->seedlen, &dest->seed, 172 &dest->seedlen)) 173 goto err; 174 OSSL_FIPS_IND_COPY(dest, src) 175 } 176 return dest; 177 178 err: 179 kdf_tls1_prf_free(dest); 180 return NULL; 181} 182 183#ifdef FIPS_MODULE 184 185static int fips_ems_check_passed(TLS1_PRF *ctx) 186{ 187 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 188 /* 189 * Check that TLS is using EMS. 190 * 191 * The seed buffer is prepended with a label. 192 * If EMS mode is enforced then the label "master secret" is not allowed, 193 * We do the check this way since the PRF is used for other purposes, as well 194 * as "extended master secret". 195 */ 196 int ems_approved = (ctx->seedlen < TLS_MD_MASTER_SECRET_CONST_SIZE 197 || memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, 198 TLS_MD_MASTER_SECRET_CONST_SIZE) != 0); 199 200 if (!ems_approved) { 201 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, 202 libctx, "TLS_PRF", "EMS", 203 ossl_fips_config_tls1_prf_ems_check)) { 204 ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); 205 return 0; 206 } 207 } 208 return 1; 209} 210 211static int fips_digest_check_passed(TLS1_PRF *ctx, const EVP_MD *md) 212{ 213 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 214 /* 215 * Perform digest check 216 * 217 * According to NIST SP 800-135r1 section 5.2, the valid hash functions are 218 * specified in FIPS 180-3. ACVP also only lists the same set of hash 219 * functions. 220 */ 221 int digest_unapproved = !EVP_MD_is_a(md, SN_sha256) 222 && !EVP_MD_is_a(md, SN_sha384) 223 && !EVP_MD_is_a(md, SN_sha512); 224 225 if (digest_unapproved) { 226 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, 227 libctx, "TLS_PRF", "Digest", 228 ossl_fips_config_tls1_prf_digest_check)) { 229 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); 230 return 0; 231 } 232 } 233 return 1; 234} 235 236static int fips_key_check_passed(TLS1_PRF *ctx) 237{ 238 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); 239 int key_approved = ossl_kdf_check_key_size(ctx->seclen); 240 241 if (!key_approved) { 242 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, 243 libctx, "TLS_PRF", "Key size", 244 ossl_fips_config_tls1_prf_key_check)) { 245 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 246 return 0; 247 } 248 } 249 return 1; 250} 251#endif 252 253static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, 254 const OSSL_PARAM params[]) 255{ 256 TLS1_PRF *ctx = (TLS1_PRF *)vctx; 257 258 if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) 259 return 0; 260 261 if (ctx->P_hash == NULL) { 262 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); 263 return 0; 264 } 265 if (ctx->sec == NULL) { 266 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); 267 return 0; 268 } 269 if (ctx->seedlen == 0) { 270 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SEED); 271 return 0; 272 } 273 if (keylen == 0) { 274 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 275 return 0; 276 } 277 278#ifdef FIPS_MODULE 279 if (!fips_ems_check_passed(ctx)) 280 return 0; 281#endif 282 283 return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, 284 ctx->sec, ctx->seclen, 285 ctx->seed, ctx->seedlen, 286 key, keylen); 287} 288 289{- produce_param_decoder('tls1prf_set_ctx_params', 290 (['KDF_PARAM_PROPERTIES', 'propq', 'utf8_string'], 291 ['ALG_PARAM_ENGINE', 'engine', 'utf8_string', 'hidden'], 292 ['KDF_PARAM_DIGEST', 'digest', 'utf8_string'], 293 ['KDF_PARAM_SECRET', 'secret', 'octet_string'], 294 ['KDF_PARAM_SEED', 'seed', 'octet_string', TLSPRF_MAX_SEEDS], 295 ['KDF_PARAM_FIPS_EMS_CHECK', 'ind_e', 'int', 'fips'], 296 ['KDF_PARAM_FIPS_DIGEST_CHECK', 'ind_d', 'int', 'fips'], 297 ['KDF_PARAM_FIPS_KEY_CHECK', 'ind_k', 'int', 'fips'], 298 )); -} 299 300static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 301{ 302 struct tls1prf_set_ctx_params_st p; 303 TLS1_PRF *ctx = vctx; 304 OSSL_LIB_CTX *libctx; 305 306 if (ctx == NULL || !tls1prf_set_ctx_params_decoder(params, &p)) 307 return 0; 308 309 libctx = PROV_LIBCTX_OF(ctx->provctx); 310 311 if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, p.ind_e)) 312 return 0; 313 if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE1, p.ind_d)) 314 return 0; 315 if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(ctx, OSSL_FIPS_IND_SETTABLE2, p.ind_k)) 316 return 0; 317 318 if (p.digest != NULL) { 319 PROV_DIGEST digest; 320 const EVP_MD *md = NULL; 321 const char *dgst; 322 323 if (!OSSL_PARAM_get_utf8_string_ptr(p.digest, &dgst)) 324 return 0; 325 326 if (OPENSSL_strcasecmp(dgst, OSSL_DIGEST_NAME_MD5_SHA1) == 0) { 327 if (!ossl_prov_macctx_load(&ctx->P_hash, NULL, NULL, NULL, 328 p.propq, p.engine, 329 OSSL_MAC_NAME_HMAC, NULL, 330 OSSL_DIGEST_NAME_MD5, libctx)) 331 return 0; 332 if (!ossl_prov_macctx_load(&ctx->P_sha1, NULL, NULL, NULL, 333 p.propq, p.engine, 334 OSSL_MAC_NAME_HMAC, NULL, 335 OSSL_DIGEST_NAME_SHA1, libctx)) 336 return 0; 337 } else { 338 EVP_MAC_CTX_free(ctx->P_sha1); 339 if (!ossl_prov_macctx_load(&ctx->P_hash, NULL, NULL, p.digest, 340 p.propq, p.engine, 341 OSSL_MAC_NAME_HMAC, NULL, NULL, libctx)) 342 return 0; 343 } 344 345 memset(&digest, 0, sizeof(digest)); 346 if (!ossl_prov_digest_load(&digest, p.digest, p.propq, p.engine, libctx)) 347 return 0; 348 349 md = ossl_prov_digest_md(&digest); 350 if (EVP_MD_xof(md)) { 351 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 352 ossl_prov_digest_reset(&digest); 353 return 0; 354 } 355 356#ifdef FIPS_MODULE 357 if (!fips_digest_check_passed(ctx, md)) { 358 ossl_prov_digest_reset(&digest); 359 return 0; 360 } 361#endif 362 363 ossl_prov_digest_reset(&digest); 364 } 365 366 if (p.secret != NULL) { 367 OPENSSL_clear_free(ctx->sec, ctx->seclen); 368 ctx->sec = NULL; 369 if (!OSSL_PARAM_get_octet_string(p.secret, (void **)&ctx->sec, 0, 370 &ctx->seclen)) 371 return 0; 372 373#ifdef FIPS_MODULE 374 if (!fips_key_check_passed(ctx)) 375 return 0; 376#endif 377 } 378 379 /* 380 * The seed fields concatenate across set calls, so process them all 381 * but only reallocate once. 382 */ 383 if (p.num_seed > 0) { 384 const void *vals[TLSPRF_MAX_SEEDS]; 385 size_t sizes[TLSPRF_MAX_SEEDS]; 386 size_t seedlen = ctx->seedlen; 387 int i, n = 0; 388 389 for (i = 0; i < p.num_seed; i++) { 390 sizes[i] = 0; 391 vals[i] = NULL; 392 if (p.seed[i]->data_size != 0 && p.seed[i]->data != NULL) { 393 int err = 0; 394 395 if (!OSSL_PARAM_get_octet_string_ptr(p.seed[i], 396 vals + n, sizes + n)) 397 return 0; 398 399 seedlen = safe_add_size_t(seedlen, sizes[n], &err); 400 if (err) 401 return 0; 402 n++; 403 } 404 } 405 406 if (seedlen != ctx->seedlen) { 407 unsigned char *seed = OPENSSL_clear_realloc(ctx->seed, 408 ctx->seedlen, seedlen); 409 410 if (seed == NULL) 411 return 0; 412 ctx->seed = seed; 413 414 /* No errors are possible, so copy them across */ 415 for (i = 0; i < n; i++) { 416 memcpy(ctx->seed + ctx->seedlen, vals[i], sizes[i]); 417 ctx->seedlen += sizes[i]; 418 } 419 } 420 } 421 422 return 1; 423} 424 425static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( 426 ossl_unused void *ctx, ossl_unused void *provctx) 427{ 428 return tls1prf_set_ctx_params_list; 429} 430 431{- produce_param_decoder('tls1prf_get_ctx_params', 432 (['KDF_PARAM_SIZE', 'size', 'size_t'], 433 ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int', 'fips'], 434 )); -} 435 436static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) 437{ 438 struct tls1prf_get_ctx_params_st p; 439 TLS1_PRF *ctx = (TLS1_PRF *)vctx; 440 441 if (ctx == NULL || !tls1prf_get_ctx_params_decoder(params, &p)) 442 return 0; 443 444 if (p.size != NULL && !OSSL_PARAM_set_size_t(p.size, SIZE_MAX)) 445 return 0; 446 447 if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(ctx, p.ind)) 448 return 0; 449 return 1; 450} 451 452static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( 453 ossl_unused void *ctx, ossl_unused void *provctx) 454{ 455 return tls1prf_get_ctx_params_list; 456} 457 458const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = { 459 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new }, 460 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_tls1_prf_dup }, 461 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free }, 462 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset }, 463 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive }, 464 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 465 (void(*)(void))kdf_tls1_prf_settable_ctx_params }, 466 { OSSL_FUNC_KDF_SET_CTX_PARAMS, 467 (void(*)(void))kdf_tls1_prf_set_ctx_params }, 468 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 469 (void(*)(void))kdf_tls1_prf_gettable_ctx_params }, 470 { OSSL_FUNC_KDF_GET_CTX_PARAMS, 471 (void(*)(void))kdf_tls1_prf_get_ctx_params }, 472 OSSL_DISPATCH_END 473}; 474 475/* 476 * Refer to "The TLS Protocol Version 1.0" Section 5 477 * (https://tools.ietf.org/html/rfc2246#section-5) and 478 * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 479 * (https://tools.ietf.org/html/rfc5246#section-5). 480 * 481 * P_<hash> is an expansion function that uses a single hash function to expand 482 * a secret and seed into an arbitrary quantity of output: 483 * 484 * P_<hash>(secret, seed) = HMAC_<hash>(secret, A(1) + seed) + 485 * HMAC_<hash>(secret, A(2) + seed) + 486 * HMAC_<hash>(secret, A(3) + seed) + ... 487 * 488 * where + indicates concatenation. P_<hash> can be iterated as many times as 489 * is necessary to produce the required quantity of data. 490 * 491 * A(i) is defined as: 492 * A(0) = seed 493 * A(i) = HMAC_<hash>(secret, A(i-1)) 494 */ 495static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, 496 const unsigned char *sec, size_t sec_len, 497 const unsigned char *seed, size_t seed_len, 498 unsigned char *out, size_t olen) 499{ 500 size_t chunk; 501 EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; 502 unsigned char Ai[EVP_MAX_MD_SIZE]; 503 size_t Ai_len; 504 int ret = 0; 505 506 if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL)) 507 goto err; 508 chunk = EVP_MAC_CTX_get_mac_size(ctx_init); 509 if (chunk == 0) 510 goto err; 511 /* A(0) = seed */ 512 ctx_Ai = EVP_MAC_CTX_dup(ctx_init); 513 if (ctx_Ai == NULL) 514 goto err; 515 if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) 516 goto err; 517 518 for (;;) { 519 /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */ 520 if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) 521 goto err; 522 EVP_MAC_CTX_free(ctx_Ai); 523 ctx_Ai = NULL; 524 525 /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */ 526 ctx = EVP_MAC_CTX_dup(ctx_init); 527 if (ctx == NULL) 528 goto err; 529 if (!EVP_MAC_update(ctx, Ai, Ai_len)) 530 goto err; 531 /* save state for calculating next A(i) value */ 532 if (olen > chunk) { 533 ctx_Ai = EVP_MAC_CTX_dup(ctx); 534 if (ctx_Ai == NULL) 535 goto err; 536 } 537 if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) 538 goto err; 539 if (olen <= chunk) { 540 /* last chunk - use Ai as temp bounce buffer */ 541 if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) 542 goto err; 543 memcpy(out, Ai, olen); 544 break; 545 } 546 if (!EVP_MAC_final(ctx, out, NULL, olen)) 547 goto err; 548 EVP_MAC_CTX_free(ctx); 549 ctx = NULL; 550 out += chunk; 551 olen -= chunk; 552 } 553 ret = 1; 554 err: 555 EVP_MAC_CTX_free(ctx); 556 EVP_MAC_CTX_free(ctx_Ai); 557 OPENSSL_cleanse(Ai, sizeof(Ai)); 558 return ret; 559} 560 561/* 562 * Refer to "The TLS Protocol Version 1.0" Section 5 563 * (https://tools.ietf.org/html/rfc2246#section-5) and 564 * "The Transport Layer Security (TLS) Protocol Version 1.2" Section 5 565 * (https://tools.ietf.org/html/rfc5246#section-5). 566 * 567 * For TLS v1.0 and TLS v1.1: 568 * 569 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR 570 * P_SHA-1(S2, label + seed) 571 * 572 * S1 is taken from the first half of the secret, S2 from the second half. 573 * 574 * L_S = length in bytes of secret; 575 * L_S1 = L_S2 = ceil(L_S / 2); 576 * 577 * For TLS v1.2: 578 * 579 * PRF(secret, label, seed) = P_<hash>(secret, label + seed) 580 */ 581static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, 582 const unsigned char *sec, size_t slen, 583 const unsigned char *seed, size_t seed_len, 584 unsigned char *out, size_t olen) 585{ 586 if (sha1ctx != NULL) { 587 /* TLS v1.0 and TLS v1.1 */ 588 size_t i; 589 unsigned char *tmp; 590 /* calc: L_S1 = L_S2 = ceil(L_S / 2) */ 591 size_t L_S1 = (slen + 1) / 2; 592 size_t L_S2 = L_S1; 593 594 if (!tls1_prf_P_hash(mdctx, sec, L_S1, 595 seed, seed_len, out, olen)) 596 return 0; 597 598 if ((tmp = OPENSSL_malloc(olen)) == NULL) 599 return 0; 600 601 if (!tls1_prf_P_hash(sha1ctx, sec + slen - L_S2, L_S2, 602 seed, seed_len, tmp, olen)) { 603 OPENSSL_clear_free(tmp, olen); 604 return 0; 605 } 606 for (i = 0; i < olen; i++) 607 out[i] ^= tmp[i]; 608 OPENSSL_clear_free(tmp, olen); 609 return 1; 610 } 611 612 /* TLS v1.2 */ 613 if (!tls1_prf_P_hash(mdctx, sec, slen, seed, seed_len, out, olen)) 614 return 0; 615 616 return 1; 617} 618