KDF_TLS1_PRF for TLS v1.0 and v1.1

Matt Caswell matt at openssl.org
Wed Mar 30 15:37:01 UTC 2022



On 29/03/2022 23:49, Kory Hamzeh wrote:
> Hi,
> 
> I am using the TLS1_PRF KDF method to derive the master secret for TLS 1.0, 1.1, and 1.2. My code works with TLS 1.2, but for 1.0 and 1.1, the master secret is not correct. I have a snippet of the code below. From what I understand by reading RFC 2246 and  RFC 5246, the input to the PRF function is the same for all three versions of TLS.
> 
> In my input test vectors, the digest is SHA-1 for TLS 1.0/1.1 and SHA-256 for TLS 1.2. However looking at:
> 
> openssl-3.0.0-src/providers/implementations/kdfs/tls1_prf.c
> 
> it looks like the method used to determine TLS version type is if the digest is SN_md5_sha1. I tried passing “MD5-SHA1” as the digest, and EVP_KDF_dereive() returned an error.

You don't mention it in your question, but you code snippet mentions 
FIPS. Are you attempting to do this with the FIPS provider?

The FIPS provider does not support the "MD5-SHA1" digest. Consequently 
you cannot support TLSv1.0 or TLSv1.1 with the FIPS provider. Only TLSv1.2.

Matt



> 
> What am I missing?
> 
> Here os the code snippet:
> 
> 	    label = "master secret";
> 
> 	    kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL);
> 	    kctx = EVP_KDF_CTX_new(kdf);
> 	
> 	    p = params;
> 	    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
> 						    (char *)digest,
> 						    strlen(digest));
> 	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
> 						     preMasterSecret,
> 						     preMasterSecretLen);
> 	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
> 						     label, strlen(label));
> 	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
> 						     clientHelloRand,
> 						     clientHelloRandLen);
> 	    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
> 						     serverHelloRand,
> 						     serverHelloRandLen);
> 						
> 	    *p = OSSL_PARAM_construct_end();
> 	    if (EVP_KDF_derive(kctx, masterSecret,
> 			       masterSecretLen, params) <= 0) {
> 		fips_fatal("ERROR: EVP_KDF_derive failed\n");
> 	    }
> 
> 
> Thanks,
> Kory
> 
> 


More information about the openssl-users mailing list