On 29/03/2022 23:49, Kory Hamzeh wrote:
Hi,
I am using the TLS1_PRF KDF method to derive the master secret for TLS 1.0, 1.1, and 1.2. My code works with TLS 1.2, but for 1.0 and 1.1, the master secret is not correct. I have a snippet of the code below. From what I understand by reading RFC 2246 and RFC 5246, the input to the PRF function is the same for all three versions of TLS.
In my input test vectors, the digest is SHA-1 for TLS 1.0/1.1 and SHA-256 for TLS 1.2. However looking at:
openssl-3.0.0-src/providers/implementations/kdfs/tls1_prf.c
it looks like the method used to determine TLS version type is if the digest is SN_md5_sha1. I tried passing “MD5-SHA1” as the digest, and EVP_KDF_dereive() returned an error.
You don't mention it in your question, but you code snippet mentions
FIPS. Are you attempting to do this with the FIPS provider?
The FIPS provider does not support the "MD5-SHA1" digest. Consequently
you cannot support TLSv1.0 or TLSv1.1 with the FIPS provider. Only TLSv1.2.
Matt
What am I missing?
Here os the code snippet:
label = "master secret";
kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL);
kctx = EVP_KDF_CTX_new(kdf);
p = params;
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
(char *)digest,
strlen(digest));
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
preMasterSecret,
preMasterSecretLen);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
label, strlen(label));
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
clientHelloRand,
clientHelloRandLen);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
serverHelloRand,
serverHelloRandLen);
*p = OSSL_PARAM_construct_end();
if (EVP_KDF_derive(kctx, masterSecret,
masterSecretLen, params) <= 0) {
fips_fatal("ERROR: EVP_KDF_derive failed\n");
}
Thanks,
Kory
