1 files changed, 0 insertions, 345 deletions
diff --git a/src/lib/libcrypto/kdf/tls1_prf.c b/src/lib/libcrypto/kdf/tls1_prf.c
deleted file mode 100644
index 7d6231e3c7..0000000000
--- a/src/lib/libcrypto/kdf/tls1_prf.c
+++ /dev/null
@@ -1,345 +0,0 @@
-/*      $OpenBSD: tls1_prf.c,v 1.40 2024/07/10 06:53:27 tb Exp $ */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2016.
- */
-/* ====================================================================
- * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/kdf.h>
-#include "evp_local.h"
-#define TLS1_PRF_MAXBUF 1024
-struct tls1_prf_ctx {
-        const EVP_MD *md;
-        unsigned char *secret;
-        size_t secret_len;
-        unsigned char seed[TLS1_PRF_MAXBUF];
-        size_t seed_len;
-};
-static int
-pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)
-{
-        struct tls1_prf_ctx *kctx;
-        if ((kctx = calloc(1, sizeof(*kctx))) == NULL) {
-                KDFerror(ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        ctx->data = kctx;
-        return 1;
-}
-static void
-pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
-{
-        struct tls1_prf_ctx *kctx = ctx->data;
-        freezero(kctx->secret, kctx->secret_len);
-        freezero(kctx, sizeof(*kctx));
-}
-static int
-pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
-        struct tls1_prf_ctx *kctx = ctx->data;
-        switch (type) {
-        case EVP_PKEY_CTRL_TLS_MD:
-                kctx->md = p2;
-                return 1;
-        case EVP_PKEY_CTRL_TLS_SECRET:
-                if (p1 < 0)
-                        return 0;
-                freezero(kctx->secret, kctx->secret_len);
-                kctx->secret = NULL;
-                kctx->secret_len = 0;
-                explicit_bzero(kctx->seed, kctx->seed_len);
-                kctx->seed_len = 0;
-                if (p1 == 0 || p2 == NULL)
-                        return 0;
-                if ((kctx->secret = calloc(1, p1)) == NULL)
-                        return 0;
-                memcpy(kctx->secret, p2, p1);
-                kctx->secret_len = p1;
-                return 1;
-        case EVP_PKEY_CTRL_TLS_SEED:
-                if (p1 == 0 || p2 == NULL)
-                        return 1;
-                if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seed_len))
-                        return 0;
-                memcpy(kctx->seed + kctx->seed_len, p2, p1);
-                kctx->seed_len += p1;
-                return 1;
-        default:
-                return -2;
-        }
-}
-static int
-pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
-{
-        if (value == NULL) {
-                KDFerror(KDF_R_VALUE_MISSING);
-                return 0;
-        }
-        if (strcmp(type, "md") == 0) {
-                struct tls1_prf_ctx *kctx = ctx->data;
-                const EVP_MD *md = EVP_get_digestbyname(value);
-                if (md == NULL) {
-                        KDFerror(KDF_R_INVALID_DIGEST);
-                        return 0;
-                }
-                kctx->md = md;
-                return 1;
-        }
-        if (strcmp(type, "secret") == 0)
-                return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
-        if (strcmp(type, "hexsecret") == 0)
-                return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
-        if (strcmp(type, "seed") == 0)
-                return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
-        if (strcmp(type, "hexseed") == 0)
-                return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
-        KDFerror(KDF_R_UNKNOWN_PARAMETER_TYPE);
-        return -2;
-}
-static int
-tls1_prf_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
-    const unsigned char *seed, size_t seed_len, unsigned char *out, size_t out_len)
-{
-        int chunk;
-        EVP_MD_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL;
-        EVP_PKEY *mac_key = NULL;
-        unsigned char A1[EVP_MAX_MD_SIZE];
-        size_t A1_len;
-        int ret = 0;
-        if ((chunk = EVP_MD_size(md)) < 0)
-                goto err;
-        if ((ctx = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        if ((ctx_tmp = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        if ((ctx_init = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-        if ((mac_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
-            secret, secret_len)) == NULL)
-                goto err;
-        if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
-                goto err;
-        if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-                goto err;
-        if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
-                goto err;
-        if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
-                goto err;
-        for (;;) {
-                /* Reinit mac contexts */
-                if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-                        goto err;
-                if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
-                        goto err;
-                if (out_len > (size_t)chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
-                        goto err;
-                if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
-                        goto err;
-                if (out_len > (size_t)chunk) {
-                        size_t mac_len;
-                        if (!EVP_DigestSignFinal(ctx, out, &mac_len))
-                                goto err;
-                        out += mac_len;
-                        out_len -= mac_len;
-                        if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len))
-                                goto err;
-                } else {
-                        if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
-                                goto err;
-                        memcpy(out, A1, out_len);
-                        break;
-                }
-        }
-        ret = 1;
- err:
-        EVP_PKEY_free(mac_key);
-        EVP_MD_CTX_free(ctx);
-        EVP_MD_CTX_free(ctx_tmp);
-        EVP_MD_CTX_free(ctx_init);
-        explicit_bzero(A1, sizeof(A1));
-        return ret;
-}
-static int
-tls1_prf_alg(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
-    const unsigned char *seed, size_t seed_len, unsigned char *out, size_t out_len)
-{
-        unsigned char *tmp = NULL;
-        size_t half_len;
-        size_t i;
-        int ret = 0;
-        if (EVP_MD_type(md) != NID_md5_sha1)
-                return tls1_prf_P_hash(md, secret, secret_len, seed, seed_len,
-                    out, out_len);
-        half_len = secret_len - secret_len / 2;
-        if (!tls1_prf_P_hash(EVP_md5(), secret, half_len, seed, seed_len,
-            out, out_len))
-                goto err;
-        if ((tmp = calloc(1, out_len)) == NULL) {
-                KDFerror(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        secret += secret_len - half_len;
-        if (!tls1_prf_P_hash(EVP_sha1(), secret, half_len, seed, seed_len,
-            tmp, out_len))
-                goto err;
-        for (i = 0; i < out_len; i++)
-                out[i] ^= tmp[i];
-        ret = 1;
- err:
-        freezero(tmp, out_len);
-        return ret;
-}
-static int
-pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *key_len)
-{
-        struct tls1_prf_ctx *kctx = ctx->data;
-        if (kctx->md == NULL) {
-                KDFerror(KDF_R_MISSING_MESSAGE_DIGEST);
-                return 0;
-        }
-        if (kctx->secret == NULL) {
-                KDFerror(KDF_R_MISSING_SECRET);
-                return 0;
-        }
-        if (kctx->seed_len == 0) {
-                KDFerror(KDF_R_MISSING_SEED);
-                return 0;
-        }
-        return tls1_prf_alg(kctx->md, kctx->secret, kctx->secret_len,
-            kctx->seed, kctx->seed_len, key, *key_len);
-}
-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
-        .pkey_id = EVP_PKEY_TLS1_PRF,
-        .flags = 0,
-        .init = pkey_tls1_prf_init,
-        .copy = NULL,
-        .cleanup = pkey_tls1_prf_cleanup,
-        .paramgen = NULL,
-        .keygen = NULL,
-        .sign_init = NULL,
-        .sign = NULL,
-        .verify_init = NULL,
-        .verify = NULL,
-        .verify_recover = NULL,
-        .signctx_init = NULL,
-        .signctx = NULL,
-        .encrypt = NULL,
-        .decrypt = NULL,
-        .derive_init = NULL,
-        .derive = pkey_tls1_prf_derive,
-        .ctrl = pkey_tls1_prf_ctrl,
-        .ctrl_str = pkey_tls1_prf_ctrl_str,
-};

diff --git a/src/lib/libcrypto/kdf/tls1_prf.c b/src/lib/libcrypto/kdf/tls1_prf.c deleted file mode 100644 index 7d6231e3c7..0000000000 --- a/src/lib/libcrypto/kdf/tls1_prf.c +++ /dev/null
@@ -1,345 +0,0 @@
1	/* $OpenBSD: tls1_prf.c,v 1.40 2024/07/10 06:53:27 tb Exp $ */
2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4	* 2016.
5	*/
6	/* ====================================================================
7	* Copyright (c) 2015 The OpenSSL Project. All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	*
13	* 1. Redistributions of source code must retain the above copyright
14	* notice, this list of conditions and the following disclaimer.
15	*
16	* 2. Redistributions in binary form must reproduce the above copyright
17	* notice, this list of conditions and the following disclaimer in
18	* the documentation and/or other materials provided with the
19	* distribution.
20	*
21	* 3. All advertising materials mentioning features or use of this
22	* software must display the following acknowledgment:
23	* "This product includes software developed by the OpenSSL Project
24	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25	*
26	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27	* endorse or promote products derived from this software without
28	* prior written permission. For written permission, please contact
29	* licensing@OpenSSL.org.
30	*
31	* 5. Products derived from this software may not be called "OpenSSL"
32	* nor may "OpenSSL" appear in their names without prior written
33	* permission of the OpenSSL Project.
34	*
35	* 6. Redistributions of any form whatsoever must retain the following
36	* acknowledgment:
37	* "This product includes software developed by the OpenSSL Project
38	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39	*
40	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	* OF THE POSSIBILITY OF SUCH DAMAGE.
52	* ====================================================================
53	*
54	* This product includes cryptographic software written by Eric Young
55	* (eay@cryptsoft.com). This product includes software written by Tim
56	* Hudson (tjh@cryptsoft.com).
57	*
58	*/
59
60	#include <stdlib.h>
61	#include <stdio.h>
62	#include <string.h>
63
64	#include <openssl/err.h>
65	#include <openssl/evp.h>
66	#include <openssl/kdf.h>
67
68	#include "evp_local.h"
69
70	#define TLS1_PRF_MAXBUF 1024
71
72	struct tls1_prf_ctx {
73	const EVP_MD *md;
74	unsigned char *secret;
75	size_t secret_len;
76	unsigned char seed[TLS1_PRF_MAXBUF];
77	size_t seed_len;
78	};
79
80	static int
81	pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)
82	{
83	struct tls1_prf_ctx *kctx;
84
85	if ((kctx = calloc(1, sizeof(*kctx))) == NULL) {
86	KDFerror(ERR_R_MALLOC_FAILURE);
87	return 0;
88	}
89	ctx->data = kctx;
90
91	return 1;
92	}
93
94	static void
95	pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
96	{
97	struct tls1_prf_ctx *kctx = ctx->data;
98
99	freezero(kctx->secret, kctx->secret_len);
100	freezero(kctx, sizeof(*kctx));
101	}
102
103	static int
104	pkey_tls1_prf_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
105	{
106	struct tls1_prf_ctx *kctx = ctx->data;
107
108	switch (type) {
109	case EVP_PKEY_CTRL_TLS_MD:
110	kctx->md = p2;
111	return 1;
112
113	case EVP_PKEY_CTRL_TLS_SECRET:
114	if (p1 < 0)
115	return 0;
116
117	freezero(kctx->secret, kctx->secret_len);
118	kctx->secret = NULL;
119	kctx->secret_len = 0;
120
121	explicit_bzero(kctx->seed, kctx->seed_len);
122	kctx->seed_len = 0;
123
124	if (p1 == 0 \|\| p2 == NULL)
125	return 0;
126
127	if ((kctx->secret = calloc(1, p1)) == NULL)
128	return 0;
129	memcpy(kctx->secret, p2, p1);
130	kctx->secret_len = p1;
131
132	return 1;
133
134	case EVP_PKEY_CTRL_TLS_SEED:
135	if (p1 == 0 \|\| p2 == NULL)
136	return 1;
137	if (p1 < 0 \|\| p1 > (int)(TLS1_PRF_MAXBUF - kctx->seed_len))
138	return 0;
139	memcpy(kctx->seed + kctx->seed_len, p2, p1);
140	kctx->seed_len += p1;
141	return 1;
142
143	default:
144	return -2;
145	}
146	}
147
148	static int
149	pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
150	{
151	if (value == NULL) {
152	KDFerror(KDF_R_VALUE_MISSING);
153	return 0;
154	}
155	if (strcmp(type, "md") == 0) {
156	struct tls1_prf_ctx *kctx = ctx->data;
157
158	const EVP_MD *md = EVP_get_digestbyname(value);
159	if (md == NULL) {
160	KDFerror(KDF_R_INVALID_DIGEST);
161	return 0;
162	}
163	kctx->md = md;
164	return 1;
165	}
166	if (strcmp(type, "secret") == 0)
167	return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
168	if (strcmp(type, "hexsecret") == 0)
169	return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
170	if (strcmp(type, "seed") == 0)
171	return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
172	if (strcmp(type, "hexseed") == 0)
173	return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
174
175	KDFerror(KDF_R_UNKNOWN_PARAMETER_TYPE);
176	return -2;
177	}
178
179	static int
180	tls1_prf_P_hash(const EVP_MD md, const unsigned char secret, size_t secret_len,
181	const unsigned char seed, size_t seed_len, unsigned char out, size_t out_len)
182	{
183	int chunk;
184	EVP_MD_CTX ctx = NULL, ctx_tmp = NULL, *ctx_init = NULL;
185	EVP_PKEY *mac_key = NULL;
186	unsigned char A1[EVP_MAX_MD_SIZE];
187	size_t A1_len;
188	int ret = 0;
189
190	if ((chunk = EVP_MD_size(md)) < 0)
191	goto err;
192
193	if ((ctx = EVP_MD_CTX_new()) == NULL)
194	goto err;
195	if ((ctx_tmp = EVP_MD_CTX_new()) == NULL)
196	goto err;
197	if ((ctx_init = EVP_MD_CTX_new()) == NULL)
198	goto err;
199
200	EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
201
202	if ((mac_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
203	secret, secret_len)) == NULL)
204	goto err;
205
206	if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
207	goto err;
208	if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
209	goto err;
210	if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
211	goto err;
212	if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
213	goto err;
214
215	for (;;) {
216	/* Reinit mac contexts */
217	if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
218	goto err;
219	if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
220	goto err;
221	if (out_len > (size_t)chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
222	goto err;
223	if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
224	goto err;
225
226	if (out_len > (size_t)chunk) {
227	size_t mac_len;
228	if (!EVP_DigestSignFinal(ctx, out, &mac_len))
229	goto err;
230	out += mac_len;
231	out_len -= mac_len;
232	if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len))
233	goto err;
234	} else {
235	if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
236	goto err;
237	memcpy(out, A1, out_len);
238	break;
239	}
240	}
241
242	ret = 1;
243
244	err:
245	EVP_PKEY_free(mac_key);
246	EVP_MD_CTX_free(ctx);
247	EVP_MD_CTX_free(ctx_tmp);
248	EVP_MD_CTX_free(ctx_init);
249	explicit_bzero(A1, sizeof(A1));
250
251	return ret;
252	}
253
254	static int
255	tls1_prf_alg(const EVP_MD md, const unsigned char secret, size_t secret_len,
256	const unsigned char seed, size_t seed_len, unsigned char out, size_t out_len)
257	{
258	unsigned char *tmp = NULL;
259	size_t half_len;
260	size_t i;
261	int ret = 0;
262
263	if (EVP_MD_type(md) != NID_md5_sha1)
264	return tls1_prf_P_hash(md, secret, secret_len, seed, seed_len,
265	out, out_len);
266
267	half_len = secret_len - secret_len / 2;
268	if (!tls1_prf_P_hash(EVP_md5(), secret, half_len, seed, seed_len,
269	out, out_len))
270	goto err;
271
272	if ((tmp = calloc(1, out_len)) == NULL) {
273	KDFerror(ERR_R_MALLOC_FAILURE);
274	goto err;
275	}
276	secret += secret_len - half_len;
277	if (!tls1_prf_P_hash(EVP_sha1(), secret, half_len, seed, seed_len,
278	tmp, out_len))
279	goto err;
280	for (i = 0; i < out_len; i++)
281	out[i] ^= tmp[i];
282
283	ret = 1;
284
285	err:
286	freezero(tmp, out_len);
287
288	return ret;
289	}
290
291	static int
292	pkey_tls1_prf_derive(EVP_PKEY_CTX ctx, unsigned char key, size_t *key_len)
293	{
294	struct tls1_prf_ctx *kctx = ctx->data;
295
296	if (kctx->md == NULL) {
297	KDFerror(KDF_R_MISSING_MESSAGE_DIGEST);
298	return 0;
299	}
300	if (kctx->secret == NULL) {
301	KDFerror(KDF_R_MISSING_SECRET);
302	return 0;
303	}
304	if (kctx->seed_len == 0) {
305	KDFerror(KDF_R_MISSING_SEED);
306	return 0;
307	}
308
309	return tls1_prf_alg(kctx->md, kctx->secret, kctx->secret_len,
310	kctx->seed, kctx->seed_len, key, *key_len);
311	}
312
313	const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
314	.pkey_id = EVP_PKEY_TLS1_PRF,
315	.flags = 0,
316
317	.init = pkey_tls1_prf_init,
318	.copy = NULL,
319	.cleanup = pkey_tls1_prf_cleanup,
320
321	.paramgen = NULL,
322
323	.keygen = NULL,
324
325	.sign_init = NULL,
326	.sign = NULL,
327
328	.verify_init = NULL,
329	.verify = NULL,
330
331	.verify_recover = NULL,
332
333	.signctx_init = NULL,
334	.signctx = NULL,
335
336	.encrypt = NULL,
337
338	.decrypt = NULL,
339
340	.derive_init = NULL,
341	.derive = pkey_tls1_prf_derive,
342
343	.ctrl = pkey_tls1_prf_ctrl,
344	.ctrl_str = pkey_tls1_prf_ctrl_str,
345	};