uint8_t out[8];
uint8_t expected_out[] = { 'q', 'D', 0xfe, '%', '@', 's', 'u', 0x95 };
- int ret = ssl_tls1_PRF((uint8_t *)seed, (int)strlen(seed), (uint8_t *)secret,
- (int)strlen(secret), out, sizeof(out));
+ int ret = ssl_tls1_PRF((uint8_t *)seed, strlen(seed), (uint8_t *)secret,
+ strlen(secret), out, sizeof(out));
return (ret && memcmp(out, expected_out, sizeof(out)) == 0);
}
*
* @return true if successful, false on any error
*/
-bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
- uint8_t *output, int output_len);
+bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len,
+ uint8_t *output, size_t output_len);
#endif /* CRYPTO_BACKEND_H_ */
* from recent versions, so we use our own implementation if necessary. */
#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1)
bool
-ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
- uint8_t *output, int output_len)
+ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len,
+ uint8_t *output, size_t output_len)
{
return mbed_ok(mbedtls_ssl_tls_prf(MBEDTLS_SSL_TLS_PRF_TLS1, secret, secret_len, "", seed,
seed_len, output, output_len));
* @param olen Length of the output buffer
*/
static void
-tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed,
- int seed_len, uint8_t *out, int olen)
+tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, size_t sec_len, const uint8_t *seed,
+ size_t seed_len, uint8_t *out, size_t olen)
{
struct gc_arena gc = gc_new();
uint8_t A1[MAX_HMAC_KEY_LENGTH];
#ifdef ENABLE_DEBUG
/* used by the D_SHOW_KEY_SOURCE, guarded with ENABLE_DEBUG to avoid unused
* variables warnings if compiled with --enable-small */
- const int olen_orig = olen;
+ const size_t olen_orig = olen;
const uint8_t *out_orig = out;
#endif
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
- int chunk = mbedtls_md_get_size(md_kt);
+ unsigned int chunk = mbedtls_md_get_size(md_kt);
unsigned int A1_len = mbedtls_md_get_size(md_kt);
/* This is the only place where we init an HMAC with a key that is not
* (2) The pre-master secret is generated by the client.
*/
bool
-ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1,
- int olen)
+ssl_tls1_PRF(const uint8_t *label, size_t label_len, const uint8_t *sec, size_t slen, uint8_t *out1,
+ size_t olen)
{
struct gc_arena gc = gc_new();
const md_kt_t *md5 = md_get("MD5");
uint8_t *out2 = (uint8_t *)gc_malloc(olen, false, &gc);
- int len = slen / 2;
+ size_t len = slen / 2;
const uint8_t *S1 = sec;
const uint8_t *S2 = &(sec[len]);
len += (slen & 1); /* add for odd, make longer */
tls1_P_hash(md5, S1, len, label, label_len, out1, olen);
tls1_P_hash(sha1, S2, len, label, label_len, out2, olen);
- for (int i = 0; i < olen; i++)
+ for (size_t i = 0; i < olen; i++)
{
out1[i] ^= out2[i];
}
secure_memzero(out2, olen);
- dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc));
+ dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%zu]: %s", olen, format_hex(out1, olen, 0, &gc));
gc_free(&gc);
return true;
}
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) && !defined(LIBRESSL_VERSION_NUMBER)
bool
-ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
- uint8_t *output, int output_len)
+ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len,
+ uint8_t *output, size_t output_len)
{
bool ret = true;
EVP_KDF_CTX *kctx = NULL;
params[0] =
OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, SN_md5_sha1, strlen(SN_md5_sha1));
params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, (uint8_t *)secret,
- (size_t)secret_len);
+ secret_len);
params[2] =
- OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (uint8_t *)seed, (size_t)seed_len);
+ OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (uint8_t *)seed, seed_len);
params[3] = OSSL_PARAM_construct_end();
if (EVP_KDF_derive(kctx, output, output_len, params) <= 0)
}
#elif defined(OPENSSL_IS_AWSLC)
bool
-ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1,
- int olen)
+ssl_tls1_PRF(const uint8_t *label, size_t label_len, const uint8_t *sec, size_t slen, uint8_t *out1,
+ size_t olen)
{
CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0);
}
#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
bool
-ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len,
- uint8_t *output, int output_len)
+ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len,
+ uint8_t *output, size_t output_len)
{
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
if (!pctx)
* OpenSSL does. As result they will only be able to support
* peers that support TLS EKM like when running with OpenSSL 3.x FIPS */
bool
-ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1,
- int olen)
+ssl_tls1_PRF(const uint8_t *label, size_t label_len, const uint8_t *sec, size_t slen, uint8_t *out1,
+ size_t olen)
{
return false;
}
}
static bool
-openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed,
- int client_seed_len, const uint8_t *server_seed, int server_seed_len,
+openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed,
+ size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len,
const struct session_id *client_sid, const struct session_id *server_sid,
- uint8_t *output, int output_len)
+ uint8_t *output, size_t output_len)
{
/* concatenate seed components */
uint8_t out[32];
- bool ret = ssl_tls1_PRF(seed, (int)seed_len, secret, (int)secret_len, out, sizeof(out));
+ bool ret = ssl_tls1_PRF(seed, seed_len, secret, secret_len, out, sizeof(out));
#if defined(LIBRESSL_VERSION_NUMBER) || defined(ENABLE_CRYPTO_WOLFSSL)
/* No TLS1 PRF support in these libraries */
projects / thirdparty / openvpn.git / commitdiff
