KDF_TLS1_PRF for TLS v1.0 and v1.1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I am using the TLS1_PRF KDF method to derive the master secret for TLS 1.0, 1.1, and 1.2. My code works with TLS 1.2, but for 1.0 and 1.1, the master secret is not correct. I have a snippet of the code below. From what I understand by reading RFC 2246 and  RFC 5246, the input to the PRF function is the same for all three versions of TLS.

In my input test vectors, the digest is SHA-1 for TLS 1.0/1.1 and SHA-256 for TLS 1.2. However looking at:

openssl-3.0.0-src/providers/implementations/kdfs/tls1_prf.c

it looks like the method used to determine TLS version type is if the digest is SN_md5_sha1. I tried passing “MD5-SHA1” as the digest, and EVP_KDF_dereive() returned an error.

What am I missing?

Here os the code snippet:

	    label = "master secret";

	    kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL);
	    kctx = EVP_KDF_CTX_new(kdf);
	    
	    p = params;
	    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
						    (char *)digest,
						    strlen(digest));
	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
						     preMasterSecret,
						     preMasterSecretLen);
	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
						     label, strlen(label));
	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
						     clientHelloRand,
						     clientHelloRandLen);
	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
						     serverHelloRand,
						     serverHelloRandLen);
						     
	    *p = OSSL_PARAM_construct_end();
	    if (EVP_KDF_derive(kctx, masterSecret,
			       masterSecretLen, params) <= 0) {
		fips_fatal("ERROR: EVP_KDF_derive failed\n");
	    }


Thanks,
Kory






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux