
Commit 8cbc4d7

authored
Merge pull request #109 from golang-fips/tlsprf
Add `label` parameter to TLS1PRF
2 parents de9ae4f + f83d8e3 commit 8cbc4d7


2 files changed

+19
-4
lines changed


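--- a/tls1prf.go
+++ b/tls1prf.go
@@ -16,7 +16,7 @@ func SupportsTLS1PRF() bool {
 (vMajor >= 1 && vMinor >= 1 && vPatch >= 1)
 }
 
-func TLS1PRF(secret, seed []byte, keyLen int, h func() hash.Hash) ([]byte, error) {
+func TLS1PRF(secret, label, seed []byte, keyLen int, h func() hash.Hash) ([]byte, error) {
 ch := h()
 md := hashToMD(ch)
 if md == nil {
@@ -43,6 +43,10 @@ func TLS1PRF(secret, seed []byte, keyLen int, h func() hash.Hash) ([]byte, error
 base(secret), C.int(len(secret))) != 1 {
 return nil, newOpenSSLError("EVP_PKEY_CTX_set1_tls1_prf_secret")
 }
+if C.go_openssl_EVP_PKEY_CTX_add1_tls1_prf_seed(ctx,
+base(label), C.int(len(label))) != 1 {
+return nil, newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed")
+}
 if C.go_openssl_EVP_PKEY_CTX_add1_tls1_prf_seed(ctx,
 base(seed), C.int(len(seed))) != 1 {
 return nil, newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed")
@@ -60,6 +64,12 @@ func TLS1PRF(secret, seed []byte, keyLen int, h func() hash.Hash) ([]byte, error
 C.int(len(secret)), unsafe.Pointer(base(secret))) != 1 {
 return nil, newOpenSSLError("EVP_PKEY_CTX_set1_tls1_prf_secret")
 }
+if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1,
+C.GO1_EVP_PKEY_OP_DERIVE,
+C.GO_EVP_PKEY_CTRL_TLS_SEED,
+C.int(len(label)), unsafe.Pointer(base(label))) != 1 {
+return nil, newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed")
+}
 if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1,
 C.GO1_EVP_PKEY_OP_DERIVE,
 C.GO_EVP_PKEY_CTRL_TLS_SEED,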
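Review bot: The new signature on line 19 takes three adjacent `[]byte` arguments and the hunk shows no doc comment above it, so a call that swaps `label` and `seed` still compiles and silently derives a different key. I would add `// TLS1PRF derives keyLen bytes from secret using the TLS PRF; label and seed are passed to OpenSSL in that order and together form the PRF seed (label || seed).` above the function. The two added label checks (new lines 46-49 and 67-72) also report the same `EVP_PKEY_CTX_add1_tls1_prf_seed` string as the seed checks that follow them, so a failure does not say which input was rejected; a distinct message such as `newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed(label)")` would make that visible. The body of TLS1PRF continues outside the hunks shown.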

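--- a/tls1prf_test.go
+++ b/tls1prf_test.go
@@ -13,6 +13,7 @@ import (
 type tls1prfTest struct {
 hash func() hash.Hash
 secret []byte
+label []byte
 seed []byte
 out []byte
 }
@@ -27,7 +28,8 @@ var tls1prfTests = []tls1prfTest{
 },
 []byte{
 0x74, 0x65, 0x73, 0x74, 0x20, 0x6c, 0x61, 0x62,
-0x65, 0x6c,
+0x65, 0x6c},
+[]byte{
 0xa0, 0xba, 0x9f, 0x93, 0x6c, 0xda, 0x31, 0x18,
 0x27, 0xa6, 0xf7, 0x96, 0xff, 0xd5, 0x19, 0x8c,
 },
@@ -55,7 +57,8 @@ var tls1prfTests = []tls1prfTest{
 },
 []byte{
 0x74, 0x65, 0x73, 0x74, 0x20, 0x6c, 0x61, 0x62,
-0x65, 0x6c,
+0x65, 0x6c},
+[]byte{
 0xcd, 0x66, 0x5c, 0xf6, 0xa8, 0x44, 0x7d, 0xd6,
 0xff, 0x8b, 0x27, 0x55, 0x5e, 0xdb, 0x74, 0x65,
 },
@@ -90,6 +93,8 @@ var tls1prfTests = []tls1prfTest{
 []byte{
 0x74, 0x65, 0x73, 0x74, 0x20, 0x6c, 0x61, 0x62,
 0x65, 0x6c,
+},
+[]byte{
 0xd4, 0x64, 0x0e, 0x12, 0xe4, 0xbc, 0xdb, 0xfb,
 0x43, 0x7f, 0x03, 0xe6, 0xae, 0x41, 0x8e, 0xe5,
 },
@@ -128,7 +133,7 @@ func TestTLS1PRF(t *testing.T) {
 t.Skip("TLS 1.2 PRF is not supported")
 }
 for i, tt := range tls1prfTests {
-out, err := openssl.TLS1PRF(tt.secret, tt.seed, len(tt.out), tt.hash)
+out, err := openssl.TLS1PRF(tt.secret, tt.label, tt.seed, len(tt.out), tt.hash)
 if err != nil {
 t.Errorf("test %d: error deriving TLS 1.2 PRF: %v.", i, err)
 }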
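Review bot: No case in `tls1prfTests` exercises an empty or nil `label`, which is what a caller migrating from the old four-argument form is likely to pass when it already holds the concatenated label and seed. Whether `base(nil)` with a zero length is accepted by both OpenSSL code paths is not visible here, so it is worth pinning in the loop: `alt, err := openssl.TLS1PRF(tt.secret, nil, append(append([]byte{}, tt.label...), tt.seed...), len(tt.out), tt.hash)` should succeed and return the same bytes as `tt.out`. The loop body continues past the last hunk, so the existing comparison of `out` is not shown.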
