TLS: Pass version to tls_prf() in preparation for new PRFs

Signed-hostap: Jouni Malinen <j@w1.fi>

src/tls/tlsv1_client.c

@@ -67,7 +67,8 @@ int tls_derive_keys(struct tlsv1_client *conn,
 		os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
 		os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
 			  TLS_RANDOM_LEN);
-		if (tls_prf(pre_master_secret, pre_master_secret_len,
+		if (tls_prf(conn->rl.tls_version,
+			    pre_master_secret, pre_master_secret_len,
 			    "master secret", seed, 2 * TLS_RANDOM_LEN,
 			    conn->master_secret, TLS_MASTER_SECRET_LEN)) {
 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
@@ -83,7 +84,8 @@ int tls_derive_keys(struct tlsv1_client *conn,
 	key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len);
 	if (conn->rl.tls_version == TLS_VERSION_1)
 		key_block_len += 2 * conn->rl.iv_size;
-	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	if (tls_prf(conn->rl.tls_version,
+		    conn->master_secret, TLS_MASTER_SECRET_LEN,
 		    "key expansion", seed, 2 * TLS_RANDOM_LEN,
 		    key_block, key_block_len)) {
 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
@@ -536,7 +538,8 @@ int tlsv1_client_prf(struct tlsv1_client *conn, const char *label,
 			  TLS_RANDOM_LEN);
 	}
 
-	return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	return tls_prf(conn->rl.tls_version,
+		       conn->master_secret, TLS_MASTER_SECRET_LEN,
 		       label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
 }
 

src/tls/tlsv1_client_read.c

@@ -844,7 +844,8 @@ static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
 	}
 	conn->verify.sha1_server = NULL;
 
-	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	if (tls_prf(conn->rl.tls_version,
+		    conn->master_secret, TLS_MASTER_SECRET_LEN,
 		    "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
 		    verify_data, TLS_VERIFY_DATA_LEN)) {
 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");

src/tls/tlsv1_client_write.c

@@ -621,7 +621,8 @@ static int tls_write_client_finished(struct tlsv1_client *conn,
 	}
 	conn->verify.sha1_client = NULL;
 
-	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	if (tls_prf(conn->rl.tls_version,
+		    conn->master_secret, TLS_MASTER_SECRET_LEN,
 		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
 		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");

src/tls/tlsv1_common.c

@@ -268,7 +268,7 @@ const char * tls_version_str(u16 ver)
 }
 
 
-int tls_prf(const u8 *secret, size_t secret_len, const char *label,
+int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
 	    const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
 {
 	return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,

src/tls/tlsv1_common.h

@@ -220,7 +220,7 @@ void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
 void tls_verify_hash_free(struct tls_verify_hash *verify);
 int tls_version_ok(u16 ver);
 const char * tls_version_str(u16 ver);
-int tls_prf(const u8 *secret, size_t secret_len, const char *label,
+int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
 	    const u8 *seed, size_t seed_len, u8 *out, size_t outlen);
 
 #endif /* TLSV1_COMMON_H */

src/tls/tlsv1_server.c

@@ -49,7 +49,8 @@ int tlsv1_server_derive_keys(struct tlsv1_server *conn,
 		os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
 		os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
 			  TLS_RANDOM_LEN);
-		if (tls_prf(pre_master_secret, pre_master_secret_len,
+		if (tls_prf(conn->rl.tls_version,
+			    pre_master_secret, pre_master_secret_len,
 			    "master secret", seed, 2 * TLS_RANDOM_LEN,
 			    conn->master_secret, TLS_MASTER_SECRET_LEN)) {
 			wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
@@ -64,7 +65,8 @@ int tlsv1_server_derive_keys(struct tlsv1_server *conn,
 	os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
 	key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
 			     conn->rl.iv_size);
-	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	if (tls_prf(conn->rl.tls_version,
+		    conn->master_secret, TLS_MASTER_SECRET_LEN,
 		    "key expansion", seed, 2 * TLS_RANDOM_LEN,
 		    key_block, key_block_len)) {
 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
@@ -449,7 +451,8 @@ int tlsv1_server_prf(struct tlsv1_server *conn, const char *label,
 			  TLS_RANDOM_LEN);
 	}
 
-	return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	return tls_prf(conn->rl.tls_version,
+		       conn->master_secret, TLS_MASTER_SECRET_LEN,
 		       label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
 }
 

src/tls/tlsv1_server_read.c

@@ -1063,7 +1063,8 @@ static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
 	}
 	conn->verify.sha1_client = NULL;
 
-	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	if (tls_prf(conn->rl.tls_version,
+		    conn->master_secret, TLS_MASTER_SECRET_LEN,
 		    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
 		    verify_data, TLS_VERIFY_DATA_LEN)) {
 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");

src/tls/tlsv1_server_write.c

@@ -609,7 +609,8 @@ static int tls_write_server_finished(struct tlsv1_server *conn,
 	}
 	conn->verify.sha1_server = NULL;
 
-	if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
+	if (tls_prf(conn->rl.tls_version,
+		    conn->master_secret, TLS_MASTER_SECRET_LEN,
 		    "server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
 		    verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");