Just pass pointer and length, instead of a gc and return (possibly)
allocated memory. Saves us some gc instantiations and memcpy()s. Exact
same functionality, 19 lines less code.
(Didn't want to delay the TLS EKM reviews for this, so submitted as a
patch afterwards.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <
20201009144755.39719-1-steffan@karger.me>
URL: https://www.mail-archive.com/search?l=mid&q=
20201009144755.39719-1-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
static bool
generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
{
- struct gc_arena gc = gc_new();
- unsigned char *key2data;
-
- key2data = key_state_export_keying_material(session,
- EXPORT_KEY_DATA_LABEL,
- strlen(EXPORT_KEY_DATA_LABEL),
- sizeof(key2->keys),
- &gc);
- if (!key2data)
+ if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
+ strlen(EXPORT_KEY_DATA_LABEL),
+ key2->keys, sizeof(key2->keys)))
{
return false;
}
- memcpy(key2->keys, key2data, sizeof(key2->keys));
- secure_memzero(key2data, sizeof(key2->keys));
key2->n = 2;
- gc_free(&gc);
return true;
}
unsigned int size = session->opt->ekm_size;
struct gc_arena gc = gc_new();
- unsigned char *ekm;
- if ((ekm = key_state_export_keying_material(session,
- session->opt->ekm_label,
- session->opt->ekm_label_size,
- session->opt->ekm_size,
- &gc)))
+ unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
+ if (key_state_export_keying_material(session,
+ session->opt->ekm_label,
+ session->opt->ekm_label_size,
+ ekm, session->opt->ekm_size))
{
unsigned int len = (size * 2) + 2;
* @param session The session associated with the given key_state
* @param label The label to use when exporting the key
* @param label_size The size of the label to use when exporting the key
- * @param ekm_size THe size of the exported/returned key material
- * @param gc gc_arena that might be used to allocate the string
- * returned
- * @returns The exported key material, the caller may zero the
- * string but should not free it
+ * @param ekm Buffer to return the exported key material in
+ * @param ekm_size The size of ekm, in bytes
+ * @returns true if exporting succeeded, false otherwise
*/
-
-unsigned char*
+bool
key_state_export_keying_material(struct tls_session *session,
const char* label, size_t label_size,
- size_t ekm_size,
- struct gc_arena *gc) __attribute__((nonnull));
+ void *ekm, size_t ekm_size);
/**************************************************************************/
/** @addtogroup control_tls
return true;
}
-unsigned char *
+bool
key_state_export_keying_material(struct tls_session *session,
const char* label, size_t label_size,
- size_t ekm_size,
- struct gc_arena *gc)
+ void *ekm, size_t ekm_size)
{
ASSERT(strlen(label) == label_size);
* there is no PRF, in both cases we cannot generate key material */
if (cache->tls_prf_type == MBEDTLS_SSL_TLS_PRF_NONE)
{
- return NULL;
+ return false;
}
- unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc);
int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret,
sizeof(cache->master_secret),
label, cache->client_server_random,
if (mbed_ok(ret))
{
- return ekm;
+ return true;
}
else
{
secure_memzero(ekm, session->opt->ekm_size);
- return NULL;
+ return false;
}
}
#else
return NULL != ctx->ctx;
}
-unsigned char*
+bool
key_state_export_keying_material(struct tls_session *session,
const char* label, size_t label_size,
- size_t ekm_size,
- struct gc_arena *gc)
+ void *ekm, size_t ekm_size)
{
- unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc);
-
SSL* ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
label_size, NULL, 0, 0) == 1)
{
- return ekm;
+ return true;
}
else
{
secure_memzero(ekm, ekm_size);
- return NULL;
+ return false;
}
}
projects / thirdparty / openvpn.git / commitdiff
