Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 12:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ssl: adapt TLS-PRF to openSSL 3.0

Browse source
This commit is contained in:
Florian Wilkens 2021-10-14 17:45:41 +02:00
parent b8b6ac744e
commit 8393868207
1 changed files with 18 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

37
src/analyzer/protocol/ssl/SSL.cc
View file

@ -12,7 +12,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#ifdef OPENSSL_HAVE_KDF_H #ifdef OPENSSL_HAVE_KDF_H
#include <openssl/kdf.h> #include <openssl/kdf.h>
#include <openssl/core_names.h>
#endif #endif
static void print_hex(std::string name, u_char* data, int len) static void print_hex(std::string name, u_char* data, int len)
@ -160,34 +161,32 @@ bool SSL_Analyzer::TLS12_PRF(const std::string& secret, const std::string& label
const char* rnd1, size_t rnd1_len, const char* rnd2, size_t rnd2_len, u_char* out, size_t out_len) const char* rnd1, size_t rnd1_len, const char* rnd2, size_t rnd2_len, u_char* out, size_t out_len)
{ {
#ifdef OPENSSL_HAVE_KDF_H #ifdef OPENSSL_HAVE_KDF_H
// alloc buffers // alloc context + params
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL);
EVP_KDF_CTX *pctx = EVP_KDF_CTX_new(kdf);
OSSL_PARAM params[4], *p = params;
EVP_KDF_free(kdf);
// prepare seed: seed = label + rnd1 + rnd2
size_t seed_len = label.size() + rnd1_len + rnd2_len; size_t seed_len = label.size() + rnd1_len + rnd2_len;
std::string seed{}; std::string seed{};
seed.reserve(seed_len); seed.reserve(seed_len);
// seed = label + rnd1 + rnd2
seed.append(label); seed.append(label);
seed.append(rnd1, rnd1_len); seed.append(rnd1, rnd1_len);
seed.append(rnd2, rnd2_len); seed.append(rnd2, rnd2_len);
if (EVP_PKEY_derive_init(pctx) <= 0) // setup OSSL_PARAM array: digest, secret, seed
goto abort; /* Error */
// FIXME: sha384 should not be hardcoded // FIXME: sha384 should not be hardcoded
if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha384()) <= 0) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, SN_sha384, strlen(SN_sha384));
goto abort; /* Error */ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, (void*)secret.data(), secret.size());
if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, secret.data(), secret.size()) <= 0) *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (void*)seed.data(), seed.size());
goto abort; /* Error */ *p = OSSL_PARAM_construct_end();
if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed.data(), seed.size()) <= 0)
goto abort; /* Error */
if (EVP_PKEY_derive(pctx, out, &out_len) <= 0)
goto abort; /* Error */
EVP_PKEY_CTX_free(pctx); // derive key material
return true; bool result = EVP_KDF_derive(pctx, out, out_len, params) <= 0;
EVP_KDF_CTX_free(pctx);
abort: return result;
EVP_PKEY_CTX_free(pctx);
#endif #endif
return false; return false;
} }